Age | Commit message | Author |
|
is valid and usable (reject and blackholes are not considered usable).
TCP has this nasty behaviour to clone routes to disable PMTU and this combined
with dynamic routing resulted in dead sessions when there was a default reject
route installed.
OK henning@, sthen@
|
|
|
|
Found by LLVM/Clang Static Analyzer.
ok krw@ henning@
|
|
With input from oga@ and krw@
ok oga@ krw@ thib@ markus@ mk@
|
|
|
|
1996 with no way to enable but kernel config or code mods and is bound to
classful addressing anyway.
|
|
more here either
|
|
4.3BSD (anno 1986) supported the host part bits all ones for broadcast as
well, since that's what everybody agreed on and RFC919 (anno 1984) proposed.
now, roughly a quarter decade later, we can really stop supporting the all
zero variant. sorry to you guys still running 4.2BSD. ok theo ryan
|
|
subnet of the classful network. at least, not since 1992.
ok mpf dlg bob
|
|
we now correctly broadcast packets to all local ports.
OK deraadt@
|
|
many places create a proper API (ifa_add / ifa_del) and use it.
ok theo ryan dlg
|
|
that router vendor doesn't default to classful routing any more, and there
really is no point in having a classful netmask and a subnetmask to split
it. we still do classful guesses on the netmask if it isn't supplied by
userland, but that's about it.
i decided to keep ia_netmask and kill ia_subnetmask which makes this diff
bigish, the classful ia_netmask wasn't really used all that much. the real
changes are in in.c, the rest is mostly s/ia_subnetmask/ia_netmask.
ok claudio dlg ryan
|
|
ok @dlg
|
|
is safe for both hardware devices and virtual devices
ok mpf, kettenis, moaning and groaning and slow acceptance from mcbride
XXX should loop checking for uniqueness after new henning diff goes in
|
|
The demote counter can handle that.
This lets carp hosts with an identical demote count still know which
one is the designated master and prevents them from failing over
asymmetrically.
Since there is a demote handling bug in all releases prior to 4.6,
symmetric failover will only work against 4.6 (and newer) from now on.
OK henning@
|
|
queue length of one - i.e. vlans with the forthcoming change from dlg.
this allows fragmented frames to be sent on such an interface, hoping
that the interface underneath copes correctly - A better fix for this
will be forthcoming soon, but this is good enough for now, and will
allow the change for vlans to use an ifq length of 1.
tested by me and dlg@, ok dlg@, claudio@, deraadt@
|
|
From Gleydson Soares, OK beck@
|
|
(1) use correct (message) block size of 128 bytes (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.
WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.
ok+tests naddy, fries; requested by reyk/deraadt
|
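The two points in the commit above (the 128-byte block size for HMAC-SHA-384/512, and RFC 4868's n/2-bit truncation versus the 96 bits of the -00 draft) reduce to a few lines once written out. The following is an added example, not OpenBSD's own crypto code, written in Python rather than the kernel's C so that it runs anywhere. The `hmac_with_block` helper takes the block size as an explicit parameter purely so the old 64-byte mistake can be reproduced on purpose; `ipsec_icv` and `receiver_accepts` are simplified models (real ESP carries no explicit ICV length, so a peer expecting 96 bits would mis-parse the trailer rather than compare lengths). Key and message are the RFC 4231 test case 2 vectors, embedded as constructed input.

```python
"""HMAC-SHA-2 block sizes and IPsec ICV truncation (RFC 4868 vs draft-ietf-ipsec-ciph-sha-256-00)."""
import hashlib
import hmac

# Constructed input: RFC 4231 test case 2 vectors.
KEY = b"Jefe"
MSG = b"what do ya want for nothing?"


def hmac_block_size(alg: str) -> int:
    """Message block size HMAC pads its key to: 64 bytes for SHA-256,
    128 bytes for SHA-384/512 (they work on 64-bit words)."""
    return hashlib.new(alg).block_size


def hmac_with_block(key: bytes, msg: bytes, alg: str, block_size: int) -> bytes:
    """Textbook HMAC (RFC 2104) with the block size as a parameter.
    Passing 64 for sha512 reproduces the old bug: the ipad/opad blocks are
    half a SHA-512 block long, so the inner and outer hashes see different
    input and the MAC differs from every correct implementation."""
    digest = lambda data: hashlib.new(alg, data).digest()
    if len(key) > block_size:
        key = digest(key)
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return digest(opad + digest(ipad + msg))


def ipsec_icv(key: bytes, msg: bytes, alg: str, rfc4868: bool = True) -> bytes:
    """Truncated ICV as carried in the ESP/AH trailer.
    RFC 4868: HMAC-SHA-{256,384,512} truncated to half the digest
    (128/192/256 bits); the -00 draft truncated everything to 96 bits."""
    full = hmac.new(key, msg, alg).digest()   # library HMAC, correct block size
    keep = len(full) // 2 if rfc4868 else 12
    return full[:keep]


def receiver_accepts(wire_icv: bytes, key: bytes, msg: bytes, alg: str,
                     rfc4868: bool = True) -> bool:
    """Simplified receiver check: recompute the ICV with the receiver's own
    truncation rule and compare in constant time. A length mismatch models
    the interop failure between pre- and post-RFC-4868 peers."""
    expected = ipsec_icv(key, msg, alg, rfc4868)
    return len(wire_icv) == len(expected) and hmac.compare_digest(wire_icv, expected)


if __name__ == "__main__":
    for alg in ("sha256", "sha384", "sha512"):
        print(f"{alg}: block size {hmac_block_size(alg)} bytes, "
              f"RFC 4868 ICV {len(ipsec_icv(KEY, MSG, alg)) * 8} bits, "
              f"-00 draft ICV {len(ipsec_icv(KEY, MSG, alg, rfc4868=False)) * 8} bits")
    wrong = hmac_with_block(KEY, MSG, "sha512", 64)
    right = hmac_with_block(KEY, MSG, "sha512", 128)
    print("sha512 with 64-byte block == correct HMAC:", wrong == right)
    new_icv = ipsec_icv(KEY, MSG, "sha256")
    print("RFC 4868 sender -> RFC 4868 receiver:", receiver_accepts(new_icv, KEY, MSG, "sha256"))
    print("RFC 4868 sender -> 96-bit receiver:  ",
          receiver_accepts(new_icv, KEY, MSG, "sha256", rfc4868=False))
```

The 64-byte-block variant for SHA-512 is not merely weaker: it is a different function that no conforming peer computes, which is why fixing (1) and (2) together breaks SA establishment with older OpenBSD releases and with any third-party stack carrying the same bug.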
|
|
|
so put it in struct process instead of struct proc. While at it,
move the p_emul member inside struct proc so that it gets copied
automatically instead of requiring manual assignment.
ok deraadt@
|
|
ok claudio@
|
|
ok claudio@
|
|
Fixes PR6274.
ok claudio@
|
|
kernel stack content instead of proper information; found by Clement LECIGNE
|
|
ok henning@, claudio@ "I think this should go in"
|
|
catch the libc major bump per request from deraadt@
Diff by reyk.
ok guenther@
|
|
different rdomain than the default one. This allows doing MPLS VPNs
without the MPLS madness. OK deraadt@, henning@
|
|
localhost DoS everywhere. To help minimize further issues, make the
mbuf != NULL test explicit instead of implicit in a length test.
Suggestions and initial work by mpf@ and miod@
ok henning@, mpf@, claudio@,
|
|
a twist; ok millert@ kettenis@
|
|
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain safe and no longer leaks single packets into the main domain.
Looks good markus@, henning@
|
|
original packet or they will trigger the diagnostic check in the interface
output routines. OK jsg@
|
|
tables on top of a rdomain) but until now our code was a crazy mix so that
it was impossible to correctly use rtables in that case. Additionally pf(4)
only knows about rtables and not about rdomains. This is especially bad when
tracking (possibly conflicting) states in various domains.
This diff fixes all or most of these issues. It adds a lookup function to
get the rdomain id based on a rtable id. Makes pf understand rdomains and
allows pf to move packets between rdomains (it is similar to NAT).
Because pf states now track the rdomain id as well it is necessary to modify
the pfsync wire format. So old and new systems will not sync up.
A lot of help by dlg@, tested by sthen@, jsg@ and probably more
OK dlg@, mpf@, deraadt@
|
|
IP_IPCOMP_LEVEL found by Clement LECIGNE, localhost root exploitable on
userland/kernel shared vm machines (i.e. i386, amd64, arm, sparc (but not
sparc64), sh, ...) on OpenBSD 4.3 or older
ok claudio
|
|
`if it is unused nuke it' claudio
|
|
link-route points over the carp interface. (IP-less carpdev)
The decision whether to drop an ARP query is now expressed with
a goto out; rather than a second check later, which prevented
the carpdev case from working. Also add some comments to make
in_arpinput() easier to understand.
OK henning, markus.
|
|
destination of a packet was changed by pf. This allows for some evil
games with rdr-to or nat-to but is mostly needed for better rdomain/rtable
support. This is a first step and more work and cleanup is needed.
Here a list of what works and what does not (needs a patched pfctl):
pass out rdr-to:
from local rdr-to local addr works (if state tracking on lo0 is done)
from remote rdr-to local addr does NOT work
from local rdr-to remote works
from remote rdr-to remote works
pass in nat-to:
from remote nat-to local addr does NOT work
from remote nat-to non-local addr works
non-local is an IP that is routed to the FW but is not assigned on the FW.
The non working cases need some magic to correctly rewrite the incoming
packet since the rewriting would happen outbound which is too late.
"time to get it in" deraadt@
|
|
- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.
The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).
The pf syntax is pretty simple, e.g.:
pass on em0 inet proto tcp from any to any port 80 divert-packet port 1
A lot of discussion has happened since my last commit that resulted
in many changes and improvements.
I would *really* like to thank everyone who took part in the discussion
especially canacar@ who pointed out the limitations of this approach.
OpenBSD divert(4) is meant to be compatible with software running on
top of FreeBSD's divert sockets even though they are pretty different and will
become even more with time.
discussed with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@
tested by reyk@ and myself
ok reyk@ claudio@ beck@
manpage help and ok by jmc@
|
|
Sorry.
|
|
- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.
The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).
The pf syntax is pretty simple, e.g.:
pass on em0 inet proto tcp from any to any port 80 divert-packet port 8000
test, bugfix and ok by reyk@
manpage help and ok by jmc@
no objections from many others.
|
|
seems to be causing some kind of memory corruption after several
hours of heavy IPsec traffic. connections start becoming very slow
eventually leading to all IPsec packets being lost. a reboot solves
the issue for several more hours before it appears again.
|
|
no binary change; ok grunk@
|
|
|
|
#if 1
reasonable
#else
bullshit required by some committee
#endif
are enough. theo ok
|
|
|
|
-m_copydata instead of straight bcopy. noticed by damien
-handle the pretty much impossible case that the packet header grows so
much that MHLEN < 68. i bet this had been the least of our worries, in that
case, but code oughta be correct anyway.
ok theo and dlg
|
|
forwarded packet in case ip_output returns an error and we have to quote
some of it back in an icmp error message.
this implementation done from scratch:
place an mbuf on the stack. copy the pkthdr from the forwarded packet and
the first 68 bytes of payload.
if we need to send an icmp error, just m_copym our mbuf-on-the-stack into
a real one that icmp_error can fuck with and eat as it desires.
ok theo dlg
|
|
therefore. Inherit the rdomain through the syncache.
There are some interactions that need some more work (ctlinput) so this
can be improved but is good enough for now.
OK markus@
|
|
recycling an mbuf tag and changing its type. just always get a new one.
theo ok
|
|
ok michele@ claudio@
|
|
some greater care must be taken to ensure the mbuf generated for icmp
errors is a good copy.
|