Age | Commit message | Author |
|
family checks before calling ifatoia/ifatoia6.
ok deraadt@, dlg@, mcbride@
|
|
|
|
timingsafe_bcmp().
ok deraadt@; committed over WPA.
|
|
This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.
Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.
ok claudio@ naddy@
|
|
the callback functions. This fixes a problem where dynamic routes in
different tables would not get deleted because the callback was doing
the remove on the wrong table.
OK henning@
|
|
like time exceeded messages. This will allow adding additional information
to those messages like the incoming MPLS label.
OK deraadt@, dhill@
|
|
and make it possible to bind sockets (including listening sockets!)
to rtables and not just rdomains. This changes the name of the
system calls, socket option, and ioctl. After building with this
you should remove the files /usr/share/man/cat2/[gs]etrdomain.0.
Since this removes the existing [gs]etrdomain() system calls, the
libc major is bumped.
Written by claudio@, criticized^Wcritiqued by me
|
|
an 8 year old bug exposed by recent uvm changes
ok thib@ tedu@ deraadt@
|
|
are required to detect that.
Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error
ok claudio@ henning@ krw@
|
|
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
grouping individual ipsec policies into virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.
This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocated array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.
Discussed with many, tested by a few, will need more testing & review.
ok deraadt@
|
|
create enc0 by default, but it is possible to add additional enc
interfaces. This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.
manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@
|
|
rt_if_remove_rtdelete() need to know the table id to be able to correctly
remove nodes.
Problem found by Andrea Parazzini and analyzed by Martin Pelikán.
OK henning@
|
|
the one used by Cisco. It sends a return gre packet inside a gre packet
to the other side and expects it to return.
OK deraadt, reyk; additional testing by sthen
|
|
netboot methods using rarp, thus only learning their IP address without
mask. And of course the next step is a broadcast - which goes to the
broadcast address calculated classful. *sigh*. PR6382
instead of storing a second broadcast address per ifaddr as we used to
figure out whether we're dealing with a classful broadcast on the fly. the
math is extremely cheap and all my previous profilings showed that cpu
cycles are basically free, we're constrained by memory access.
excellent analysis by Pascal Lalonde <plalonde at overnet.qc.ca> who also
submitted the PR. claudio ok
|
|
connect() calls. Our network stack does not allow any v4 mapped addresses
so there is no need to allow them in connect(). Found after discussion with
Henning. OK deraadt@
|
|
rt_timer_queue_destroy() did not actually destroy, leading to a potential
memory leak due to misleading nomenclature. Change it to actually destroy,
not just clean, the rt_timer_queue passed to it and adjust the correct
caller accordingly (i.e., no need to free the mem on our own now).
As a bonus, this gets rid of one of the ridiculous R_Malloc/Bzero/Free
cycles, and lets us sneak another bzero -> M_ZERO conversion in.
ok claudio@
|
|
aligned, otherwise we lose on strict alignment architecture. Should fix
problems with gcc4 compiled bsd.rd's that people see on sparc64.
ok millert@, beck@, jsing@
|
|
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@
|
|
OK sthen@
|
|
is defined.
|
|
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more code paths rdomain aware.
Apart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning
|
|
removed. Extend carp demote logging to also show the reason for
the demote. Return EINVAL instead of ERANGE if a carpdemote request
is out of range. Requested by otto.
OK mcbride, henning.
|
|
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt
|
|
|
|
|
|
faith 1", noticed by Andris Kadar. ok kettenis@ beck@
|
|
ok claudio@ "approved" deraadt@
|
|
address lookups. Found whilst investigating address lookup failures.
ok michele@
|
|
is valid and usable (reject and blackholes are not considered usable).
TCP has this nasty behaviour to clone routes to disable PMTU and this combined
with dynamic routing resulted in dead sessions when there was a default reject
route installed.
OK henning@, sthen@
|
|
|
|
Found by LLVM/Clang Static Analyzer.
ok krw@ henning@
|
|
With input from oga@ and krw@
ok oga@ krw@ thib@ markus@ mk@
|
|
|
|
1996 with no way to enable but kernel config or code mods and is bound to
classful addressing anyway.
|
|
more here either
|
|
4.3BSD (anno 1986) supported the host part bits all one for broadcast as
well, since that's what everybody agreed on and RFC919 (anno 1984) proposed.
now, roughly a quarter decade later, we can really stop supporting the all
zero variant. sorry to you guys still running 4.2BSD. ok theo ryan
|
|
subnet of the classful network. at least, not since 1992.
ok mpf dlg bob
|
|
we now correctly broadcast packets to all local ports.
OK deraadt@
|
|
many places create a proper API (ifa_add / ifa_del) and use it.
ok theo ryan dlg
|
|
that router vendor doesn't default to classful routing any more, and there
really is no point in having a classful netmask and a subnetmask to split
it. we still do classful guesses on the netmask if it isn't supplied by
userland, but that's about it.
i decided to keep ia_netmask and kill ia_subnetmask which makes this diff
biggish, the classful ia_netmask wasn't really used all that much. The real
changes are in in.c, the rest is mostly s/ia_subnetmask/ia_netmask.
ok claudio dlg ryan
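The classful guess described in the two commits above (compute the netmask from the address class when userland supplies none, and recognise the classful all-ones broadcast on the fly instead of storing a second broadcast address per ifaddr, while no longer accepting the 4.2BSD all-zeros form) can be written out in a few lines. The following is an added illustration in Python, not OpenBSD kernel code; the function names and the sample addresses are constructed for the example.

```python
import ipaddress

LIMITED_BROADCAST = "255.255.255.255"


def classful_prefixlen(addr):
    """Classful netmask guess, used only when no mask was supplied."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        return 8       # class A: 0.0.0.0 - 127.255.255.255
    if first_octet < 192:
        return 16      # class B: 128.0.0.0 - 191.255.255.255
    if first_octet < 224:
        return 24      # class C: 192.0.0.0 - 223.255.255.255
    return None        # class D/E: no classful network/host split


def classful_broadcast(addr):
    """All-ones host part of the classful network, computed on demand
    instead of being stored alongside the interface address."""
    plen = classful_prefixlen(addr)
    if plen is None:
        return None
    net = ipaddress.IPv4Network(f"{addr}/{plen}", strict=False)
    return str(net.broadcast_address)


def is_broadcast_for(dst, ifaddr, prefixlen=None):
    """Would a host with ifaddr/prefixlen on an interface treat dst as a
    broadcast?  Accepted: the limited broadcast, the subnet's all-ones
    address, and the classful all-ones address (what a netboot client that
    learned its address via rarp, without a mask, will send to).  The
    4.2BSD all-zeros form is deliberately not accepted."""
    if dst == LIMITED_BROADCAST:
        return True
    if prefixlen is None:                       # userland gave no mask
        prefixlen = classful_prefixlen(ifaddr)
        if prefixlen is None:
            return False
    subnet = ipaddress.IPv4Network(f"{ifaddr}/{prefixlen}", strict=False)
    if dst == str(subnet.broadcast_address):
        return True
    return dst == classful_broadcast(ifaddr)


if __name__ == "__main__":
    # Constructed sample: a /24 carved out of a class A network.
    for dst in ("10.1.2.255", "10.255.255.255", "10.0.0.0", "10.1.2.0"):
        print(dst, is_broadcast_for(dst, "10.1.2.3", 24))
```

Note that with a /24 on 10.1.2.3 both 10.1.2.255 and the classful 10.255.255.255 are accepted, while neither all-zeros form is.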
|
|
ok @dlg
|
|
is safe for both hardware devices and virtual devices
ok mpf, kettenis, moaning and groaning and slow acceptance from mcbride
XXX should loop checking for uniqueness after new henning diff goes in
|
|
The demote counter can handle that.
This lets carp hosts with an identical demote count still know which
one is the designated master and prevents them from failing over
asymmetrically.
Since there is a demote handling bug in all releases prior to 4.6,
symmetric failover will only work against 4.6 (and newer) from now on.
OK henning@
|
|
queue length of one - i.e. vlans with the forthcoming change from dlg.
this allows fragmented frames to be sent on such an interface, hoping
that the interface underneath copes correctly - A better fix for this
will be forthcoming soon, but this is good enough for now, and will
allow the change for vlans to use an ifq length of 1.
tested by me and dlg@, ok dlg@, claudio@, deraadt@
|
|
From Gleydson Soares, OK beck@
|
|
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.
WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.
ok+tests naddy, fries; requested by reyk/deraadt
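The two defects above (a 64-byte instead of 128-byte HMAC block for SHA-384/512, and 96-bit instead of RFC 4868 half-length truncation) are easy to reproduce outside the kernel. The following is an added Python illustration, not OpenBSD code: it implements textbook HMAC with a selectable block size so the wrong-block-size result can be compared against the standard library, derives the RFC 4868 ICV length from the digest size, and verifies the truncated ICV with a constant-time compare (hmac.compare_digest standing in for the timingsafe_bcmp() mentioned in an earlier commit on this page). The key and message are constructed sample data; the function names are the example's own.

```python
import hashlib
import hmac

# Message block size in bytes of the underlying hash (RFC 4634):
# SHA-256 uses 64-byte blocks, SHA-384 and SHA-512 use 128-byte blocks.
HMAC_BLOCK_SIZE = {"sha256": 64, "sha384": 128, "sha512": 128}

# Legacy ICV length (12 bytes = 96 bits) from draft-ietf-ipsec-ciph-sha-256-00.
LEGACY_ICV_BYTES = 12


def hmac_compute(hash_name, key, msg, block_size=None):
    """Textbook HMAC (RFC 2104): H((K ^ opad) || H((K ^ ipad) || msg)).

    block_size defaults to the correct value for hash_name; passing 64 for
    SHA-384/512 reproduces the wrong-block-size behaviour the commit fixes.
    """
    b = HMAC_BLOCK_SIZE[hash_name] if block_size is None else block_size
    digest = lambda data: hashlib.new(hash_name, data).digest()
    if len(key) > b:              # keys longer than one block are hashed first
        key = digest(key)
    key = key.ljust(b, b"\x00")   # then zero-padded to exactly one block
    ipad = bytes(k ^ 0x36 for k in key)
    opad = bytes(k ^ 0x5C for k in key)
    return digest(opad + digest(ipad + msg))


def rfc4868_icv_bytes(hash_name):
    """RFC 4868 truncates HMAC-SHA-256/384/512 to half the digest length."""
    return hashlib.new(hash_name).digest_size // 2


def ipsec_icv(hash_name, key, msg, icv_bytes=None):
    """Truncated authenticator as carried in the ESP/AH ICV field."""
    n = rfc4868_icv_bytes(hash_name) if icv_bytes is None else icv_bytes
    return hmac_compute(hash_name, key, msg)[:n]


def verify_icv(hash_name, key, msg, received_icv, icv_bytes=None):
    """Constant-time ICV check.  A peer that still truncates to 96 bits
    fails here because the lengths differ, which is the interoperability
    break the commit warns about."""
    expected = ipsec_icv(hash_name, key, msg, icv_bytes)
    return hmac.compare_digest(expected, received_icv)


def matches_stdlib(hash_name, key, msg, block_size=None):
    """True if hmac_compute agrees with Python's hmac module for these inputs."""
    ours = hmac_compute(hash_name, key, msg, block_size)
    return ours == hmac.new(key, msg, hash_name).digest()


if __name__ == "__main__":
    key = bytes(range(32))            # constructed sample key
    msg = b"constructed ESP payload"  # constructed sample message
    for h in ("sha256", "sha384", "sha512"):
        print(h, "block", HMAC_BLOCK_SIZE[h], "ICV bytes", rfc4868_icv_bytes(h),
              "correct block:", matches_stdlib(h, key, msg),
              "64-byte block:", matches_stdlib(h, key, msg, block_size=64))
```

With the correct block size all three agree with the standard library; with a 64-byte block SHA-256 still agrees (its block really is 64 bytes) while SHA-384 and SHA-512 produce a different MAC, which is exactly why the old kernel could only interoperate with peers sharing the same bug.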
|
|
|
|
so put it in struct process instead of struct proc. While at it,
move the p_emul member inside struct proc so that it gets copied
automatically instead of requiring manual assignment.
ok deraadt@
|
|
ok claudio@
|
|
ok claudio@
|