path: root/usr.sbin/bgpd
Age | Commit message | Author
2004-05-08 | with manual keyed ipsec, we need keys and spis for both directions - enforce that | Henning Brauer
2004-05-08 | a bloody attempt to document neighbor cloning | Henning Brauer
2004-05-08 | a bloody attempt at documenting the ipsec fluff. this needs to be fleshed out and polished, but at least it is somewhat documented now... | Henning Brauer
2004-05-08 | KNF | Henning Brauer
2004-05-08 | break out the consistency checking for neighbors in its own function, and verify that peers with ipsec have local-address specified (needed to set up the flows...) | Henning Brauer
2004-05-08 | do not omit the IPv6 listening address | Henning Brauer
2004-05-08 | provide log_sockaddr, which uses getnameinfo(), and use it in log_conn_attempt | Henning Brauer
2004-05-08 | allow for neighbor statements without { parameters } block; everything can be inherited from the group | Henning Brauer
2004-05-08 | add support for ipsec ah with manual keys, pfkey part already does so, and flesh parser out a bit. also add support for printing ipsec ah with manual keys in printconf | Henning Brauer
2004-05-08 | factor out the string -> key conversion code used for md5sig and twice for ipsec | Henning Brauer
2004-05-08 | remove unused argument to control_dispatch_msg(), lint | Henning Brauer
2004-05-08 | implement and use prefixlen2mask() instead of doing it by hand 3 times | Henning Brauer
2004-05-07 | add a filter option to dump prefixes learned in UPDATEs into a PF table, intended for building realtime BGP blacklists (e.g. with spamd); ok claudio & henning | Damien Miller
2004-05-06 | actually reset p->auth_established to 0 in pfkey_[md5sig|ipsec]_remove | Henning Brauer
2004-05-06 | we need a separate field for the md5 key len, can't use strlen, noticed by markus some time ago | Henning Brauer
2004-05-06 | oups, spaces | Henning Brauer
2004-05-06 | the Address Family Identifier field in the capability announcement is 2 octets, thus we need to transform it from/to network byte order... fixes capability announcement and -parsing | Henning Brauer
2004-05-06 | do not punish the peer (by holding him in IDLE for IdleHoldTime seconds) when receiving an "unsupported capabilities" notification. Speeds capability negotiation up quite a bit with peers that like to whine about capabilities they don't understand | Henning Brauer
2004-05-06 | improve logging in the capabilities parser | Henning Brauer
2004-05-06 | scale socket buffer sizes (and thus window size) up to 64k, but only if tcp md5sig or ipsec is in use. excellent idea by ryan some time ago, claudio and theo agree | Henning Brauer
2004-05-06 | there's a little race condition: a session is taken down and its associated write buffers are cleared, but there could be imsgs from the RDE for that peer (e.g. UPDATEs) in the read buffers for the pipe to the RDE or buffered in the RDE or somesuch. Thus, in session_update(), explicitly check for the session state and just drop the message if the session is not in state ESTABLISHED. claudio ok | Henning Brauer
2004-05-04 | remove unused var; henning ok | Theo de Raadt
2004-05-04 | Correctly plug the memory leak and fix an error message. | Claudio Jeker
2004-05-03 | little KNF issue | Henning Brauer
2004-04-30 | remove MAX_PREFIX_PER_AS debug gunk, claudio djm ok | Henning Brauer
2004-04-30 | plug memory leaks; henning ok | Theo de Raadt
2004-04-30 | spelling | Theo de Raadt
2004-04-29 | sock -> fd; ok henning | Theo de Raadt
2004-04-28 | rename sock to fd | Theo de Raadt
2004-04-28 | Pointers that are used later in the code should be initialized. Fixes a crash noticed by Henning. OK henning@ | Claudio Jeker
2004-04-28 | if a peer follows the extremely misguided path that the RFCs just barely allow to send a NOTIFICATION and thus terminating the session when it sees a capability it doesn't support (who would guess: zebra does so), parse the data section of the notification to find out what capabilities it didn't like and do not advertise them the next time the session gets up. In case we get a notification about unsupported capabilities with an empty data part (don't ask for RFCs... and guess who does that), disable capability announcement altogether. claudio ok | Henning Brauer
2004-04-28 | FILE * leak; henning ja ja ja ja | Theo de Raadt
2004-04-28 | support for AH flows and SAs | Markus Friedl
2004-04-28 | Unbreak the stuff that I committed first that was totally broken. OK henning@ | Claudio Jeker
2004-04-28 | allow ah/esp spec with IKE, markus ok | Henning Brauer
2004-04-28 | do not give up on ESRCH, someone might have mucked with ipsecadm behind our back, markus ok | Henning Brauer
2004-04-28 | make this at least compile | Henning Brauer
2004-04-28 | make sure send and reply are in sync; ok henning | Markus Friedl
2004-04-28 | Enable route refresh in the RDE. Now peer can request route refreshes. OK henning@ | Claudio Jeker
2004-04-28 | keep track of which ipsec/md5 SAs we inserted - ESRCH on blind removal otherwise, markus ok | Henning Brauer
2004-04-28 | prevent multiple auth methods to be specified | Henning Brauer
2004-04-28 | spacing | Theo de Raadt
2004-04-28 | remove XXX that is wrong | Theo de Raadt
2004-04-28 | spacing | Henning Brauer
2004-04-28 | don't load SAs into the kernel if IKE is used. | Markus Friedl
2004-04-28 | prefix the auth related defines by AUTH_, we had a name clash, markus ok | Henning Brauer
2004-04-27 | teach printconf about all this shiny new ipsec stuff | Henning Brauer
2004-04-27 | set conf.auth.methodod for md5, too | Markus Friedl
2004-04-27 | ike before in | Henning Brauer
2004-04-27 | rename the ipsec struct to auth, move all tcpmd5 related fields in there, and add a generic "method" field that expresses what method (none/md5sig/ipsec manual/ipsec ike) is in use markus ok | Henning Brauer