Age | Commit message | Author |
|
|
|
figured out by and ok guenther
|
|
While there change IP_RTABLE to SO_RTABLE. IP_RTABLE will die soon.
With and OK guenther@
|
|
It could not use the destination address properly, so it failed to
find the pipex session. This bug caused LCP keepalive failures on some
clients.
found and tested by sebastia@ and mxb at alumni.chalmers.se.
ok sthen
|
|
don't have a MTU to announce in the icmp need fragment packet.
this fixes PMTU-discovery for TCP over IPsec; ok mpf@, fries@
|
|
no objection from mcbride@ krw@ markus@ deraadt@
|
|
- ipip_input() recalculate the IP header checksum if the tos bits
are changed after decapsulation. Otherwise these packets are
dropped later in the stack.
- ip_ecn_egress(): do not drop packets for IPsec if the outer
packet of a Tunnel has the ECN-CE bit set (Congestion Experienced)
and the inner packet does not indicate support for ECN.
- remove unused ip6_ecn_ingress(), ip6_ecn_egress() code
ok mikeb@
|
|
draft-ietf-tcpm-initcwnd. net.inet.tcp.rfc3390 defaults to 2 now which
uses the 10*MSS, setting it back to 1 brings back the old default of 4*MSS.
OK sperreault@, henning@, sthen@, markus@
|
|
While there make sure we do the lookup in the correct routing table.
OK mikeb, henning and phessler
|
|
from Tobias Ulmer (tobiasu at tmux.org); ok jmc@, krw@
|
|
ok mikeb@
|
|
cleaner to access the first member via ia_ifa instead of casting.
No binary change.
ok henning@ krw@
|
|
a socket that has an inp but tp is NULL. The call stack for that
is tcp_input() tcp_close() soisdisconnected() sorwakeup() somove()
tcp_usrreq(PRU_RCVD). To avoid a NULL dereference, just return in
that case.
ok henning@
|
|
already done for UDP/TCP/ICMP. This fixes a problem where checksumming
would not be computed if you have a bridge with at least one interface
with hardware checksumming and another without.
Discussed with sthen@ and henning@, this is somewhat a temporary fix,
we should not have these special bridge cases in ip_output, as Henning
said, the bridge must behave. But for that to work we need to poke the
bridge harder, this problem has been seen by at least two users at:
http://marc.info/?l=openbsd-misc&m=132391433319512&w=2
http://marc.info/?l=openbsd-misc&m=132234363030132&w=2
I promised to work on a better diff :-).
ok henning@ sthen@ mikeb@
|
|
spotted by bluhm@, ok yasuoka@
|
|
ok yasuoka@ bluhm@
|
|
transport mode IPsec NAT-T.
ok markus
|
|
ok claudio@ henning@ mikeb@
|
|
to connect to the carp address when the carpdev interface has
an ip address too in the non-default rdomain.
ok claudio
|
|
the advskew as the master down timeout.
OK henning.
|
|
1.175.
ok henning mpf
|
|
in the v6 input path. IP6_EXTHDR_GET() internally uses m_pulldown(),
which might return a pointer to a different mbuf in the chain.
In this case, carp_cksum() will be called with the wrong mbuf.
This fixes occasional checksum mismatches.
Problem found and initial fix by stsp@
OK stsp@
|
|
IPv6.
ok claudio@
|
|
"af-to" a generic IP version translator for pf(4).
Not everything perfect yet but let's fix these things in the tree.
Insane amount of work done by sperreault@, mikeb@ and reyk@.
Looked over by mcbride@ henning@ and myself at eurobsdcon.
OK mcbride@ and general put it in from deraadt@
|
|
variables being processed.
ok bluhm@ henning@
|
|
This lets carp delete IFF_PROMISC on its carpdev upon destroy.
Fix from Stefan Rinkes.
OK sthen, bluhm, deraadt.
|
|
mkay? ok ryan
|
|
`net.pipex.enable' to enable PIPEX. By default, pipex is disabled
and it will not process packets from wire. Update man pages and
update HOWTO_PIPEX_NPPPD.txt for testers.
discussed with dlg@, ok deraadt@ mcbride@ claudio@
|
|
code. Missing chunks of the API are imported from the libc version,
with a few #ifdef's to port it into the kernel environment.
The bootblocks already used the newer code, and should encounter no
surprises since there are so few changes to the existing files. In
the kernel, ipcomp and kernel ppp are changed to the new API.
ipcomp has been tested.
ok tedu the brave
|
|
behaves as if SO_KEEPALIVE was set on all TCP sockets, forcing keepalives
to be sent every net.inet.tcp.keepidle half-seconds.
In conjunction with a keepidle value greatly reduced from the default,
this can be useful for keeping sessions open if you are stuck on a network
with short NAT or firewall timeouts.
Feedback from various people, ok henning@ claudio@
|
|
the issue in our kernel was the broadcast address calculated on the /31
caused a ton of checks for use of broadcast addresses to kick in and
prevent one of the two addresses on the /31 from being used.
this diff basically detects if a /31 has been configured and doesn't
configure a broadcast address for it, which makes the ips usable
for normal traffic.
i wrote this so i could interoperate with "carrier" network gear
better, and sthen wants it so he can conserve address space use.
the further special casing of broadcast address handling was from claudio@
ok claudio@ markus@ sthen@ henning@
|
|
again makes assumptions of the ifqueue internals, ok ryan claudio
|
|
ok claudio@
|
|
fix two typos (protcol -> protocol)
|
|
1.54.
ok claudio@ sosososo henning@
|
|
The functions were 95% identical anyway. While there use struct pf_addr
in struct pf_divert instead of some union which is the same.
OK bluhm@ mcbride@ and most probably henning@ as well
|
|
that are not up. OK henning.
|
|
with advertisement intervals of less than a second.
This is needed in setups where takeover times < 3s are needed.
Don't use this unless you really need it. Running with
too aggressive timeouts might lead to false positive
takeovers.
OK mcbride, claudio.
|
|
OK claudio@
|
|
a special meaning and should only be set if the link state is not known
because it is considered as being up. Use LINK_STATE_INVALID instead.
OK mpf@ mcbride@ henning@
|
|
while reading.
ok henning@ jsing@ tedu@ marco@ bluhm@ krw@
|
|
ok henning@ deraadt@
|
|
Fixes a case in bridge_output() where ARP requests are not broadcast
on interfaces without the discovery flag.
ok claudio deraadt
|
|
ok deraadt@
|
|
level that allows one to retrieve the original routing domain
of UDP datagrams diverted by the pf via "divert-to" with a
recvmsg(2).
ok claudio
|
|
specify the outgoing interface with a multicast option up. Doing
this before the route lookup allows multicast traffic to work even
when the default 224/4 reject route is installed. Raw IP and IPv6
already had this behaviour.
Based on work by Christiano F. Haesbaert. OK sthen@
|
|
this is not allowed according to Stevens and RFCs 5735 and 1122.
Suggestion to use ENETUNREACH from claudio.
OK phessler@, claudio@
|