| Age | Commit message (Collapse) | Author | |
|---|---|---|---|
| 2000-05-25 | net.inet.ip.gif_ttl (and IPv6 counterpart) is never used. | Jun-ichiro itojun Hagino | |
| enforce type checking on IN6_ARE_ADDR_EQUAL. | |||
| 2000-05-24 | Update to ipf 3.3.16. among other things, this addresses a security issue | Kjell Wooding | |
| with certain rule configurations: * don't add TCP state if it is an RST packet and (attempt) to send out RST/ICMP packets in a manner that bypasses IP Filter. | |||
| 2000-05-15 | parse IPv4 options more carefully. make boundary checks against every | Jun-ichiro itojun Hagino | |
| steps (including option type/length field - there were no checks, seems to me 4.4BSD bug) | |||
| 2000-05-15 | Add comment on input MSS calculation based on previous PMTUD results, | Angelos D. Keromytis | |
| as per TCP-imply IETF WG draft(s). The correct approach is to just use the relevant interface's MTU. | |||
| 2000-05-15 | Fix sanity check that caused really short packets (ICMPs with less | Angelos D. Keromytis | |
| than 8 bytes of payload) to be dropped. Did not affect TCP/UDP packets and most ICMP packets. | |||
| 2000-05-10 | ipf 3.3.14, fixes an ipnat problem and ip option mishandling, which the ↵ | Theo de Raadt | |
| bridge code cares about | |||
| 2000-05-10 | make sure ip_timestamp is aligned correctly | Jason Wright | |
| 2000-05-06 | avoid underflow on unsigned value arithmetic (when optlen < 4). | Jun-ichiro itojun Hagino | |
| 2nd half of NetBSD Security Advisory 2000-002. | |||
| 2000-05-06 | avoid unaligned access in timestamp; ↵ | Theo de Raadt | |
| http://www.newhackcity.net/advisories/20000504a_0.txt; checked by provos and itojun | |||
| 2000-05-04 | Bypass routes only worked for one packet, then they effectively became a | Niklas Hallqvist | |
| filter. | |||
| 2000-05-01 | Update to ipfilter 3.3.13. This should be the last of the 3.3.x releases. | Kjell Wooding | |
| This patch fixes mostly ICMP timeout problems, as the ftp proxy changes were imported previously. | |||
| 2000-04-28 | actually m_adj tries to drop tcp header part. it is better to | Jun-ichiro itojun Hagino | |
| touch tcp header before m_adj, than the other way around. (no behavior change with the current m_adj code, new code is safer against any future m_adj changes) | |||
| 2000-04-27 | mbuf is freed by sbappend(), move the references to th up. found by art@ | Niels Provos | |
| 2000-04-27 | add TCP port 587 to default list of reserved ports not to allocate ↵ | Todd C. Miller | |
| dynamically in order to reserve it for sendmail. | |||
| 2000-04-27 | avoid infinite loop in in{6,}_pcbnotify (can occurs on family mismatch) | Jun-ichiro itojun Hagino | |
| 2000-04-26 | add ARCTYPE_INET6 | Jakob Schlyter | |
| 2000-04-25 | Avoid divide-by-zero; from FreeBSD PR/8990 and NetBSD PR/6541. Use the same fix | Aaron Campbell | |
| for now, at least until we determine if there is a more correct one. | |||
| 2000-04-25 | when fixing up the header, copy from the right sized datatype (fixes IPsec | Jason Wright | |
| on big-endian machines) | |||
| 2000-04-21 | NRL pcb issue; inp_{f,l}addr{,6} is a union so we need to be sure about | Jun-ichiro itojun Hagino | |
| af match. - do not touch IPv4 pcb entries on in6_pcbnotify. - do not touch IPv6 pcb entries on in_pcbnotify. | |||
| 2000-04-19 | tdb_ref should be signed, this avoid a problem with flushing the TDB | Angelos D. Keromytis | |
| table causing repeated allocations of bypass TDBs. | |||
| 2000-04-18 | Remove the ethernet header from the mbuf before passing it on to | Angelos D. Keromytis | |
| bridge_input() | |||
| 2000-04-14 | make "option TCPDEBUG" kernel compile. | Jun-ichiro itojun Hagino | |
| PR1186 from "Robert Mooney" <rjmooney@atl.mediaone.net>. (printf format change is not bringed in - i'm unsure about it) | |||
| 2000-04-14 | for layer 3 protocols that does not support path MTU discovery | Jun-ichiro itojun Hagino | |
| (I mean, IPv4) do not try to use rmx_mtu on routing table. this symptom was introduced by rmx_mtu initialization (necessary for IPv6 path MTU discovery) in net/route.c. now prior behavior is recovered. From: Hugh Graham <hugh@openbsd.org> there are several question about mssdflt semantics, though: Question 1: with the current code, mssdflt does not override rmx_mtu value (mssdflt overrides interface mtu only). should we override rmx_mtu by mssdflt as well? Question 2: with the current code, mssdflt overrides mss computed from if mtu, only when the destination is IPv4 non-local. is it safe enough? we may want to use mssdflt, whenever we are uncertain. mss = if mtu - hdrsiz; if (IPv4 non-local destination) mss = min(mss, mssdflt); | |||
| 2000-04-13 | When fragmenting a packet, inherit the multicast and broadcast flags so that | Artur Grabowski | |
| the link layer can choose the right address. | |||
| 2000-04-13 | #ifndef the definitions of IPSTATE_MAX and IPSTATE_SIZE | Kjell Wooding | |
| This allows the redefinition of these constants in mk.conf, for example. mep@netset.net | |||
| 2000-04-12 | bump ipf version (3.3.12a) to go with last commit | Kjell Wooding | |
| 2000-04-12 | FTP Proxy changes introduced in 3.3.12 were too agressive. Tone down | Kjell Wooding | |
| a bit. posted to ipf list by darrenr@pobox.com | |||
| 2000-04-11 | Don't add an extra 20 bytes to ip_len, m_pkthdr.len is already updated | Angelos D. Keromytis | |
| by M_PREPEND. | |||
| 2000-04-10 | Oops on sanity logic. | Angelos D. Keromytis | |
| 2000-04-09 | Pass ip_off and ip_len in the correct byte order to icmp_error(); this | Angelos D. Keromytis | |
| should fix the crash problems with isic, reported last week. | |||
| 2000-04-06 | only call get_random_bytes() once in m_pad() | Theo de Raadt | |
| 2000-04-05 | Update to ipf 3.3.12. Most fixes relate to hardening of | Kjell Wooding | |
| in-kernel ftp proxy. See sbin/ipf/HISTORY for details. | |||
| 2000-04-04 | Verbiage fix. | Angelos D. Keromytis | |
| 2000-03-30 | Only allocate space for a copy of the authenticator if authentication | Angelos D. Keromytis | |
| is in use. | |||
| 2000-03-30 | Set re_rt to NULL, so we don't double free. | Angelos D. Keromytis | |
| 2000-03-29 | Be consistent about packet properties. | Angelos D. Keromytis | |
| 2000-03-29 | Fix problem with TCP/UDP and ACLs. | Angelos D. Keromytis | |
| 2000-03-29 | Minor cleanup. | Angelos D. Keromytis | |
| 2000-03-29 | Note to self: test before committing. | Angelos D. Keromytis | |
| 2000-03-29 | Conform to crypto framework changes for IVs. | Angelos D. Keromytis | |
| 2000-03-28 | Allow authentication-only ESP (must have broken it in the previous | Angelos D. Keromytis | |
| round of commits). | |||
| 2000-03-28 | Set the protocol family in the destination address of bypass flows. | Angelos D. Keromytis | |
| 2000-03-27 | As I threatened a while ago, ingress IPsec ACL-checking is turned on | Angelos D. Keromytis | |
| by default. Read the ipsecadm(8) man page for more details on how to specify ingress filters with manual keying. isakmpd has been doing this for a while now. | |||
| 2000-03-25 | Fix typo causing crash if ESP was used with only authentication or | Angelos D. Keromytis | |
| encryption (not both). Problem noted by jason@openbsd.org | |||
| 2000-03-22 | comment out ifconfig undo code. they are necessary to avoid memory | Jun-ichiro itojun Hagino | |
| leakage, however, was too strict that they disallow multiple address from same prefix to be assigned (when rtinit returns EEXIST). we'll need to improve it. | |||
| 2000-03-21 | Fix casting so it compiles on alphas (testing by janjaap@stack.nl, | Angelos D. Keromytis | |
| closing pr #1150) | |||
| 2000-03-21 | Fix function to comply with prototype. Kind of moot, as tcp signatures | Angelos D. Keromytis | |
| don't work yet anyhow, so there's no point compiling them in. | |||
| 2000-03-17 | remove multiple function declarations. | Artur Grabowski | |
| 2000-03-17 | Cryptographic services framework, and software "device driver". The | Angelos D. Keromytis | |
| idea is to support various cryptographic hardware accelerators (which may be (detachable) cards, secondary/tertiary/etc processors, software crypto, etc). Supports session migration between crypto devices. What it doesn't (yet) support: - multiple instances of the same algorithm used in the same session - use of multiple crypto drivers in the same session - asymmetric crypto No support for a userland device yet. IPsec code path modified to allow for asynchronous cryptography (callbacks used in both input and output processing). Some unrelated code simplification done in the process (especially for AH). Development of this code kindly supported by Network Security Technologies (NSTI). The code was writen mostly in Greece, and is being committed from Montreal. | |||
| 2000-03-13 | Import of Darren Reed's IPFilter 3.3.11. See sbin/ipf/HISTORY for detailed | Kjell Wooding | |
| changelog. Documentation changes are now way behind. Volunteers? | |||
 |
index : src | |
| OpenBSD base system |
| summaryrefslogtreecommitdiff |