summaryrefslogtreecommitdiff
path: root/sys/netinet
AgeCommit message (Collapse)Author
2000-05-04Bypass routes only worked for one packet, then they effectively became aNiklas Hallqvist
filter.
2000-05-01Update to ipfilter 3.3.13. This should be the last of the 3.3.x releases.Kjell Wooding
This patch fixes mostly ICMP timeout problems, as the ftp proxy changes were imported previously.
2000-04-28actually m_adj tries to drop tcp header part. it is better toJun-ichiro itojun Hagino
touch tcp header before m_adj, than the other way around. (no behavior change with the current m_adj code, new code is safer against any future m_adj changes)
2000-04-27mbuf is freed by sbappend(), move the references to th up. found by art@Niels Provos
2000-04-27add TCP port 587 to default list of reserved ports not to allocate ↵Todd C. Miller
dynamically in order to reserve it for sendmail.
2000-04-27avoid infinite loop in in{6,}_pcbnotify (can occurs on family mismatch)Jun-ichiro itojun Hagino
2000-04-26add ARCTYPE_INET6Jakob Schlyter
2000-04-25Avoid divide-by-zero; from FreeBSD PR/8990 and NetBSD PR/6541. Use the same fixAaron Campbell
for now, at least until we determine if there is a more correct one.
2000-04-25when fixing up the header, copy from the right sized datatype (fixes IPsecJason Wright
on big-endian machines)
2000-04-21NRL pcb issue; inp_{f,l}addr{,6} is a union so we need to be sure aboutJun-ichiro itojun Hagino
af match. - do not touch IPv4 pcb entries on in6_pcbnotify. - do not touch IPv6 pcb entries on in_pcbnotify.
2000-04-19tdb_ref should be signed, this avoid a problem with flushing the TDBAngelos D. Keromytis
table causing repeated allocations of bypass TDBs.
2000-04-18Remove the ethernet header from the mbuf before passing it on toAngelos D. Keromytis
bridge_input()
2000-04-14make "option TCPDEBUG" kernel compile.Jun-ichiro itojun Hagino
PR1186 from "Robert Mooney" <rjmooney@atl.mediaone.net>. (printf format change is not bringed in - i'm unsure about it)
2000-04-14for layer 3 protocols that does not support path MTU discoveryJun-ichiro itojun Hagino
(I mean, IPv4) do not try to use rmx_mtu on routing table. this symptom was introduced by rmx_mtu initialization (necessary for IPv6 path MTU discovery) in net/route.c. now prior behavior is recovered. From: Hugh Graham <hugh@openbsd.org> there are several question about mssdflt semantics, though: Question 1: with the current code, mssdflt does not override rmx_mtu value (mssdflt overrides interface mtu only). should we override rmx_mtu by mssdflt as well? Question 2: with the current code, mssdflt overrides mss computed from if mtu, only when the destination is IPv4 non-local. is it safe enough? we may want to use mssdflt, whenever we are uncertain. mss = if mtu - hdrsiz; if (IPv4 non-local destination) mss = min(mss, mssdflt);
2000-04-13When fragmenting a packet, inherit the multicast and broadcast flags so thatArtur Grabowski
the link layer can choose the right address.
2000-04-13#ifndef the definitions of IPSTATE_MAX and IPSTATE_SIZEKjell Wooding
This allows the redefinition of these constants in mk.conf, for example. mep@netset.net
2000-04-12bump ipf version (3.3.12a) to go with last commitKjell Wooding
2000-04-12FTP Proxy changes introduced in 3.3.12 were too agressive. Tone downKjell Wooding
a bit. posted to ipf list by darrenr@pobox.com
2000-04-11Don't add an extra 20 bytes to ip_len, m_pkthdr.len is already updatedAngelos D. Keromytis
by M_PREPEND.
2000-04-10Oops on sanity logic.Angelos D. Keromytis
2000-04-09Pass ip_off and ip_len in the correct byte order to icmp_error(); thisAngelos D. Keromytis
should fix the crash problems with isic, reported last week.
2000-04-06only call get_random_bytes() once in m_pad()Theo de Raadt
2000-04-05Update to ipf 3.3.12. Most fixes relate to hardening ofKjell Wooding
in-kernel ftp proxy. See sbin/ipf/HISTORY for details.
2000-04-04Verbiage fix.Angelos D. Keromytis
2000-03-30Only allocate space for a copy of the authenticator if authenticationAngelos D. Keromytis
is in use.
2000-03-30Set re_rt to NULL, so we don't double free.Angelos D. Keromytis
2000-03-29Be consistent about packet properties.Angelos D. Keromytis
2000-03-29Fix problem with TCP/UDP and ACLs.Angelos D. Keromytis
2000-03-29Minor cleanup.Angelos D. Keromytis
2000-03-29Note to self: test before committing.Angelos D. Keromytis
2000-03-29Conform to crypto framework changes for IVs.Angelos D. Keromytis
2000-03-28Allow authentication-only ESP (must have broken it in the previousAngelos D. Keromytis
round of commits).
2000-03-28Set the protocol family in the destination address of bypass flows.Angelos D. Keromytis
2000-03-27As I threatened a while ago, ingress IPsec ACL-checking is turned onAngelos D. Keromytis
by default. Read the ipsecadm(8) man page for more details on how to specify ingress filters with manual keying. isakmpd has been doing this for a while now.
2000-03-25Fix typo causing crash if ESP was used with only authentication orAngelos D. Keromytis
encryption (not both). Problem noted by jason@openbsd.org
2000-03-22comment out ifconfig undo code. they are necessary to avoid memoryJun-ichiro itojun Hagino
leakage, however, was too strict that they disallow multiple address from same prefix to be assigned (when rtinit returns EEXIST). we'll need to improve it.
2000-03-21Fix casting so it compiles on alphas (testing by janjaap@stack.nl,Angelos D. Keromytis
closing pr #1150)
2000-03-21Fix function to comply with prototype. Kind of moot, as tcp signaturesAngelos D. Keromytis
don't work yet anyhow, so there's no point compiling them in.
2000-03-17remove multiple function declarations.Artur Grabowski
2000-03-17Cryptographic services framework, and software "device driver". TheAngelos D. Keromytis
idea is to support various cryptographic hardware accelerators (which may be (detachable) cards, secondary/tertiary/etc processors, software crypto, etc). Supports session migration between crypto devices. What it doesn't (yet) support: - multiple instances of the same algorithm used in the same session - use of multiple crypto drivers in the same session - asymmetric crypto No support for a userland device yet. IPsec code path modified to allow for asynchronous cryptography (callbacks used in both input and output processing). Some unrelated code simplification done in the process (especially for AH). Development of this code kindly supported by Network Security Technologies (NSTI). The code was writen mostly in Greece, and is being committed from Montreal.
2000-03-13Import of Darren Reed's IPFilter 3.3.11. See sbin/ipf/HISTORY for detailedKjell Wooding
changelog. Documentation changes are now way behind. Volunteers?
2000-03-12undo interface address addition, if in_ifinit fails.Jun-ichiro itojun Hagino
2000-03-10cleared wrong amount of memory in skipjack zerokey, causes bigtime crashesTheo de Raadt
2000-03-09change struct icmp6_filter member name: s/icmp6_filter/icmp6_filt/,Jun-ichiro itojun Hagino
to be compliant with RFC2292. From: Francis Dupont
2000-03-07add ETHERTYPE_8021QChris Cappuccio
2000-03-03remove WIDE's experimental ip reass code, mistakingly merged in partially.Jun-ichiro itojun Hagino
NetBSD PR: 9412 Fix from: ho@crt.se
2000-02-29ensure tcp window size does not overflow (16bit unsigned after window scale).Jun-ichiro itojun Hagino
FreeBSD PR: 16914
2000-02-28move crypto codeTheo de Raadt
2000-02-28upgrade node information query protocol support from 04 draft toJun-ichiro itojun Hagino
draft-ietf-ipngwg-icmp-name-lookups-05.txt. NOTE: 04 and 05 has no interoperability, in terms of "ping6 -a".
2000-02-28bring in recent KAME changes (only important and stable ones, as usual).Jun-ichiro itojun Hagino
- remove net.inet6.ip6.nd6_proxyall. introduce proxy NDP code works just like "arp -s". - revise source address selection. be more careful about use of yet-to-be-valid addresses as source. - as router, transmit ICMP6_DST_UNREACH_BEYONDSCOPE against out-of-scope packet forwarding attempt. - path MTU discovery takes care of routing header properly. - be more strict about mbuf chain parsing. - nuke xxCTL_VARS #define, they are for BSDI. - disable SIOCSIFDSTADDR_IN6/SIOCSIFNETMASK_IN6 ioctl, they do not fit IPv6 model where multiple address on interface is normal. (kernel side supports them for a while for backward compat, the support will be nuked shortly) - introduce "default outgoing interface" (for spec conformance in very rare case)