src - OpenBSD base system

Age	Commit message (Collapse)	Author
2000-08-04	One parenthesis too many.	Angelos D. Keromytis

2000-08-04	Worked out the logic (thanks to pt98asp@student.hk-r.se and	Angelos D. Keromytis
	pt98kfr@student.hk-r.se -- I still don't know why rev1.5 didn't work).
2000-08-03	Back to the submitted patch -- this needs more investigation.	Angelos D. Keromytis

2000-08-03	typo in #define. ICMP6_NI_SUCESS -> SUCCESS.	Jun-ichiro itojun Hagino

2000-08-03	Don't even need to reset ip_sum, if we're not going to compute it here	Angelos D. Keromytis
	but in ip_output()
2000-08-03	Avoid unnecessary call to in_cksum().	Angelos D. Keromytis

2000-08-03	In fact, this is the correct behaviour (or I'm going crazy).	Angelos D. Keromytis

2000-08-03	Careful with ip_off	Angelos D. Keromytis

2000-08-03	Zeroize ip_sum before computing checksum (just general paranoia).	Angelos D. Keromytis

2000-08-03	Correct handling of ip_off (askk@rsn.hk-r.se)	Angelos D. Keromytis

2000-07-29	Don't set the source IP address if doing multicast; this is a quick	Angelos D. Keromytis
	fix -- the logic has to be reworked to allow for multicast-over-IPsec. Patch from gene@lucky.net.
2000-07-27	raw6/udp6 sockets are okay with :: in src.	Jun-ichiro itojun Hagino

2000-07-27	be proactive about unspecified IPv6 source address. pcb layer uses	Jun-ichiro itojun Hagino
	unspecified address (::) to mean "unbounded" or "unconnected", and can be confused by packets from outside. use of :: as source is not documented well in IPv6 specification. not sure if it presents a real threat. the worst case scenario is a DoS against TCP listening socket: - outsider transmit TCP SYN with :: as IPv6 source - receiving side creates TCP control block with: local address = my addres remote address = :: (meaning "unconnected") state = SYN_RCVD note that SYN ACK will not be sent due to ip6_output() filter. this stays until it timeouts. - the TCP control block prevents listening TCP control block from being contacted (DoS).
2000-07-12	remove m_pulldown statistics, which is highly experimental	Jun-ichiro itojun Hagino

2000-07-11	Correctly handle ip_off; angelos@	Todd C. Miller

2000-07-11	forgot to reset rscale	Niels Provos

2000-07-11	compute correct window scale when recvpipe option is set in route; based	Niels Provos
	on diff from "Pete Kazmier" <pete@kazmier.com>
2000-07-09	be more cautious about tcp option length field. drop bogus ones earlier.	Jun-ichiro itojun Hagino
	not sure if there is a real threat or not, but it seems that there's possibility for overrun/underrun (like non-NOP option with optlen > cnt).
2000-07-06	Move domain.h above so this compiles again.	Federico G. Schwindt
	Remove netinet.h within ifdef INET6; this is already included.
2000-07-06	- more icmp6/ip6 stats.	Jun-ichiro itojun Hagino
	- protect IPv6 ND from being hosed (due to neighbor unreachability detection hint) by wrong tcp traffic. still not sure if there's real attack, but it is good to be cautious. - avoid bitfield for router renumbering header decl. - implement packet-per-sec limitation for icmp6 errors, turn interval limit off (it is not very useful due to unix timer resolution).
2000-07-06	completely remove ipv4 mapped cases from tcp_input().	Jun-ichiro itojun Hagino
	cleanup (indentation, v4-or-v6 conditions)
2000-07-05	more cleanup for IPv4 mapped address support. there seem to be some	Jun-ichiro itojun Hagino
	inconsistency in corner cases (from NRL I believe). todd (fries) and I have seen panic, with the following call chain: ip6_input -> tcp_input -> tcp_respond -> ip_input -> bang! more cleanups should be done, to decrease complexity. for example, INP_IPV6_MAPPED should be nuked.
2000-07-03	Make nat_ifdetach() actually work; beck@ ok	Aaron Campbell

2000-06-26	Make the definition of tcpstat in tcp_var.h extern.	Artur Grabowski

2000-06-22	Convert arptimer to new timeouts.	Artur Grabowski

2000-06-21	Fix gateway function; ok angelos@	Oleg Safiullin
	angelos, be more careful :)
2000-06-20	Remove static from arptimer so that "show callout" in ddb shows the right	Artur Grabowski
	function.
2000-06-20	do not play with rcvif, if the traffic is non-IPv4.	Jun-ichiro itojun Hagino
	by setting rcvif to enc*, we break IPv6 scope considerations.
2000-06-20	try to cope with AH6 with scoped address case better.	Jun-ichiro itojun Hagino

2000-06-20	Big oops on my previous commit, broke gateway function; patch from	Angelos D. Keromytis
	form@openbsd.ru
2000-06-19	correct header chasing code. take care of AH length.	Jun-ichiro itojun Hagino

2000-06-19	IPv6 IPsec, outbound direction.	Jun-ichiro itojun Hagino
	restriction: if there's any extension header (except fragment) and outbound packet matches tdb, we can't encrypt it. packet will not go out of the node (dropped).
2000-06-18	Oops on checking inp_tdb etc. (itojun@)	Angelos D. Keromytis

2000-06-18	Correct function declaration.	Angelos D. Keromytis

2000-06-18	Arguments.	Angelos D. Keromytis

2000-06-18	Pull in the right header for ip6_sprintf(), fix argument.	Angelos D. Keromytis

2000-06-18	Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()	Angelos D. Keromytis

2000-06-18	sync with KAME udp6_output(). udp output logic is very different between	Jun-ichiro itojun Hagino
	IPv4/v6 so the separation should make more sense. TODO: remove IPv6 case from udp_output() TODO: remove/comment out/#if 0 IPv4 mapped address cases
2000-06-18	permit compilation of non-V6 kernels	Theo de Raadt

2000-06-18	Use M_NOWAIT instead of M_DONTWAIT in MALLOC() (even though they're	Angelos D. Keromytis
	defined to be the same in mbuf.h)
2000-06-18	sanity check: panic if AF_INET6 inpcb is passed to ip_output	Jun-ichiro itojun Hagino

2000-06-18	remove obsolete IP_DF handling from KAME tree (#if 0'ed all the time)	Jun-ichiro itojun Hagino

2000-06-18	for mcdonald-simple-ipsec-api get/setsockopt, variable size was mixed up.	Jun-ichiro itojun Hagino
	in some place sizeof(u_char), and in some place sizeof(int) were used. previous code can cause problem in big endian machines. now it always uses "int" (isakmpd uses int, so it should be okay) set m_len properly on mcdonald-simple-ipsec-api getsockopt.
2000-06-18	IPv6 AH/ESP support, inbound side only. tested with KAME.	Jun-ichiro itojun Hagino

2000-06-18	Print++	Angelos D. Keromytis

2000-06-18	support ipv6 for tcp_ident	Bob Beck

2000-06-18	The callbacks need to set the appropriate spl level now.	Angelos D. Keromytis

2000-06-18	for setsockopt/getsockopt, don't assume non-PF_INET6 address family as	Jun-ichiro itojun Hagino
	PF_INET. we may see other family in the future... (pedant)
2000-06-18	Remove outdated comment.	Angelos D. Keromytis

2000-06-17	Change processing sequence:	Angelos D. Keromytis
	- if the source IP address if unset (INADDR_ANY) - if higher level protocol has cached the SA to use, and the SA specifies the source address, use that - otherwise, do a routing lookup to determine our outgoing interface and fix the source address - do an SPD lookup (which is why we needed the source address) - if no IPsec is needed, proceed to multicast processing (if necessary), IPF, etc. -- transmit the packet as usual; use the routing information from before (if routing lookup was performed), or do a routing lookup at this point. - if IPsec is needed, do multicast processing (if needed), then do IPsec processing, then call ip_output() recursively. Currently, the second invocation does not do another SPD lookup (it will be changed to do so in the near future, to support independent nested tunnels without infinite loops). Note that if the inner packet (the one that will have IPsec applied to) is multicast or broadcast, the interface flags are not checked (since it's not clear what their meaning is in this case). If the IPsec destination address is multicast/broadcast, the interface flags are checked of course. It is no longer necessary to have routing entries for private networks on IPsec gateways (or default routing entries if they're not needed, for that matter). Finally, this patch solves a problem with ever-increasing reference counts on routing entries when doing IPsec processing.