Age | Commit message | Author | |
---|---|---|---|
2000-09-29 | Make sure there's enough data on the mbuf for the TCP/UDP ports (if applicable) -- bug located thanks to a crashdump from HJungheim@vpnet.com | Angelos D. Keromytis | |
2000-09-29 | Outgoing packets that hit IPsec will be IPF/IPNAT processed as well on the enc* interface, usually enc0; cedric@wireless-networks.com | Angelos D. Keromytis | |
2000-09-27 | Fix checking for incoming packets when the remote gateway has been fully specified in the flow. | Angelos D. Keromytis | |
2000-09-26 | Update to previous fix on ICMP messages coming on unnumbered interfaces: rather than picking *some* non-loopback IP address, do a routing lookup and use as source IP address the address of the outgoing interface. A nice side effect of this is that ICMPs generated as a result of packets received over IPsec will, in the common case, end up going back over IPsec (depends on what the SPD looks like of course). Thanks to fcusack@fcusack.com for testing and commenting on this. | Angelos D. Keromytis | |
2000-09-25 | on expiry of pmtu route, retry higher mtu. okay angelos@ | Niels Provos | |
2000-09-23 | Angelos you forgot this one !! | Chris Cappuccio | |
2000-09-22 | Move the PI_MAGIC define outside the INET6 ifdef block (doh!) | Angelos D. Keromytis | |
2000-09-22 | fix my bug dating back to february the 14th of 1998, when those wildcard interfaces came up, which were useful at the times. on the other hand here it is, one cannot bind to the broadcast address, and angelos says ok. | Michael Shalayeff | |
2000-09-21 | calculate maxopd at the right place | Niels Provos | |
2000-09-20 | Add IDENTITY payloads to flow establishment (and cleanup accordingly) -- this will address one of itojun's questions on how are IDs for IKE to be determined (need to add support for this to ipsecadm). | Angelos D. Keromytis | |
2000-09-20 | Don't use LOOPBACK addresses when trying to determine source address to use in locally-generated ICMP messages (thanks to fcusack@fcusack.com) | Angelos D. Keromytis | |
2000-09-20 | remove unused code | Niels Provos | |
2000-09-20 | correctly calculate mss | Niels Provos | |
2000-09-20 | fix in_pcbrtentry | Niels Provos | |
2000-09-19 | only free tdbi if IPSEC | Theo de Raadt | |
2000-09-19 | SA bundles. | Angelos D. Keromytis | |
2000-09-19 | Lots and lots of changes. | Angelos D. Keromytis | |
2000-09-18 | fix compilation problem on systems w/o inet6. | Federico G. Schwindt | |
2000-09-18 | Path MTU discovery based on NetBSD but with the decision to use the DF flag delayed to ip_output(). That halves the code and reduces most of the route lookups. okay deraadt@ | Niels Provos | |
2000-09-17 | Drop dubious ESP/AH packets without crashing (thanks to dr@kyx.net and mfranz@cisco.com for finding the problem). | Angelos D. Keromytis | |
2000-09-07 | New timeouts. | Artur Grabowski | |
2000-09-05 | various fixes to SACK and FACK from adesai@cisco.com, tomh@tomh.org and osuga@mml.yrp.nttdocomo.co.jp | Niels Provos | |
2000-08-19 | - upgrade icmp6 node information query support to 06 draft. - pedant: possible alignment issue in ALIGN > 8 arch (should be okay for now) (sync with kame) | Jun-ichiro itojun Hagino | |
2000-08-10 | Whoops. Reapply Aaron's detach code fix. inadvertently whacked in the 3.3.18 import. | Kjell Wooding | |
2000-08-10 | Import ipf 3.3.18. Fixes more problems with the in-kernel FTP proxy, some nat state bugs, and ups the default state table size. See sbin/ipf/HISTORY for details. | Kjell Wooding | |
2000-08-04 | One parenthesis too many. | Angelos D. Keromytis | |
2000-08-04 | Worked out the logic (thanks to pt98asp@student.hk-r.se and pt98kfr@student.hk-r.se -- I still don't know why rev1.5 didn't work). | Angelos D. Keromytis | |
2000-08-03 | Back to the submitted patch -- this needs more investigation. | Angelos D. Keromytis | |
2000-08-03 | typo in #define. ICMP6_NI_SUCESS -> SUCCESS. | Jun-ichiro itojun Hagino | |
2000-08-03 | Don't even need to reset ip_sum, if we're not going to compute it here but in ip_output() | Angelos D. Keromytis | |
2000-08-03 | Avoid unnecessary call to in_cksum(). | Angelos D. Keromytis | |
2000-08-03 | In fact, this is the correct behaviour (or I'm going crazy). | Angelos D. Keromytis | |
2000-08-03 | Careful with ip_off | Angelos D. Keromytis | |
2000-08-03 | Zeroize ip_sum before computing checksum (just general paranoia). | Angelos D. Keromytis | |
2000-08-03 | Correct handling of ip_off (askk@rsn.hk-r.se) | Angelos D. Keromytis | |
2000-07-29 | Don't set the source IP address if doing multicast; this is a quick fix -- the logic has to be reworked to allow for multicast-over-IPsec. Patch from gene@lucky.net. | Angelos D. Keromytis | |
2000-07-27 | raw6/udp6 sockets are okay with :: in src. | Jun-ichiro itojun Hagino | |
2000-07-27 | be proactive about unspecified IPv6 source address. pcb layer uses unspecified address (::) to mean "unbounded" or "unconnected", and can be confused by packets from outside. use of :: as source is not documented well in IPv6 specification. not sure if it presents a real threat. the worst case scenario is a DoS against TCP listening socket: - outsider transmit TCP SYN with :: as IPv6 source - receiving side creates TCP control block with: local address = my address, remote address = :: (meaning "unconnected"), state = SYN_RCVD. note that SYN ACK will not be sent due to ip6_output() filter. this stays until it times out. - the TCP control block prevents listening TCP control block from being contacted (DoS). | Jun-ichiro itojun Hagino | |
2000-07-12 | remove m_pulldown statistics, which is highly experimental | Jun-ichiro itojun Hagino | |
2000-07-11 | Correctly handle ip_off; angelos@ | Todd C. Miller | |
2000-07-11 | forgot to reset rscale | Niels Provos | |
2000-07-11 | compute correct window scale when recvpipe option is set in route; based on diff from "Pete Kazmier" <pete@kazmier.com> | Niels Provos | |
2000-07-09 | be more cautious about tcp option length field. drop bogus ones earlier. not sure if there is a real threat or not, but it seems that there's possibility for overrun/underrun (like non-NOP option with optlen > cnt). | Jun-ichiro itojun Hagino | |
2000-07-06 | Move domain.h above so this compiles again. Remove netinet.h within ifdef INET6; this is already included. | Federico G. Schwindt | |
2000-07-06 | - more icmp6/ip6 stats. - protect IPv6 ND from being hosed (due to neighbor unreachability detection hint) by wrong tcp traffic. still not sure if there's real attack, but it is good to be cautious. - avoid bitfield for router renumbering header decl. - implement packet-per-sec limitation for icmp6 errors, turn interval limit off (it is not very useful due to unix timer resolution). | Jun-ichiro itojun Hagino | |
2000-07-06 | completely remove ipv4 mapped cases from tcp_input(). cleanup (indentation, v4-or-v6 conditions) | Jun-ichiro itojun Hagino | |
2000-07-05 | more cleanup for IPv4 mapped address support. there seem to be some inconsistency in corner cases (from NRL I believe). todd (fries) and I have seen panic, with the following call chain: ip6_input -> tcp_input -> tcp_respond -> ip_input -> bang! more cleanups should be done, to decrease complexity. for example, INP_IPV6_MAPPED should be nuked. | Jun-ichiro itojun Hagino | |
2000-07-03 | Make nat_ifdetach() actually work; beck@ ok | Aaron Campbell | |
2000-06-26 | Make the definition of tcpstat in tcp_var.h extern. | Artur Grabowski | |
2000-06-22 | Convert arptimer to new timeouts. | Artur Grabowski | |