Age | Commit message | Author |
|
|
cases as well and all receivers cope
|
|
condition happened. fatal()s from subsystems used by all 3 processes like
the imsg subsystem were hard to track down without knowing in which process
the condition happened.
|
|
becoming negative. this was logically impossible already but this way gcc
has the chance to notice that as well.
together with the last commit this makes bgpd -Wsign-compare clean
|
|
pfsync packets received on the wire. Prevents printing of gibberish states
with snaplen smaller than the mtu of syncif on the sender, and probably
other ungoodness.
|
|
of course the holdtime has to be _smaller_ than the minimal allowed holdtime
from the new configuration for the session needing a reinitialisation....
it being bigger is the normal case and no reason to reinit.
|
|
Additionally the keepalive timer is automatically restarted by
session_keepalive(). help & OK hungry henning :)
|
|
and suberr code into the message... really
|
|
much earlier, on RECONF_CONF, and not on RECONF_DONE, to prevent an unneeded
session down/up cycle for already established sessions.
|
|
was specified in the config file. this was done correctly in the
reconfiguration process...
use a new function init_conf() to set defaults where needed; currently only
holdtime, and call it both in the startup and the reconf case.
ok claudio@
|
|
were never up. OK henning@
|
|
misbehaviour found by claudio
|
|
- sort options
- -p and -P also show salt
- expand IV
- remove -salt from the examples which decrypt
- remove an example which doesn't work, and is not really helpful
help from markus@
|
|
this collides with multiviews (which we don't have yet) and will have to
be changed then, but allows us to progress much faster now.
ok claudio@
|
|
is at best pointless and usually just causes a fatal() when we try to send it
as the pipe is already closed by the RDE then. this way we can at least finish
the cleanup work, including notifications to the peers about us leaving.
|
|
a free(p) inside that for loop...
|
|
Most importantly, put all the state information into the created object,
so that the actual archive can be closed, later reopened, and scanned
until the correct file is found.
This will be used to allow retrieving packages through ftp without keeping
loads of connections opened because of dependency resolving.
Approved by fries and naddy.
|
|
work correctly because the peer id changes on config reload. The code in
the RDE per se should be OK.
|
|
IPPROTO_PFSYNC -> 240
INADDR_PFSYNC_GROUP -> 224.0.0.240
ok deraadt@
|
|
data with RIB missing
use same message in RDE and SE for consistency
|
|
noticed by Dries Schellekens <gwyllion@ace.ulyssis.org>
|
|
started by me some time ago with moral support from theo, then proceeded up to
the point where the session engine worked correctly. claudio jeker joined
then and did a lot of work in the RDE.
it is not particularly useful as application right now as parts are still
missing but is imported to enable more people to work on it.
status:
BGP sessions get established fine, OPEN messages and then KEEPALIVEs
exchanged etc. session FSM works fine; NOTIFICATIONs are handled fine, and
all connection drops etc I provoked get handled fine.
Incoming UPDATE messages are parsed well and the data entered to the RIB,
the decision process is not yet there, neither is outgoing UPDATEs or sync
to the kernel routing table.
not connected to the builds yet.
|
|
testing by beck, hin, jose, fries. ok deraadt@
|
|
Implemented as an in-kernel multicast IP protocol.
Turn it on like this:
# ifconfig pfsync0 up syncif fxp0
There is not yet any authentication on this protocol, so the syncif
must be on a trusted network. i.e., a crossover cable between the two
firewalls.
NOTABLE CHANGES:
- A new index based on a unique (creatorid, stateid) tuple has been
added to the state tree.
- Updates now appear on the pfsync(4) interface; multiple updates may
be compressed into a single update.
- Applications which use bpf on pfsync(4) will need modification;
packets on pfsync no longer contain regular pf_state structs,
but pfsync_state structs which contain no pointers.
Much more to come.
ok deraadt@
|
|
Noticed by jmc@
|
|
okay sturm@
|
|
Help resolution by stripping away .tgz.
|
|
Pick up DISPLAY from staging area, so that it gets found even if -n.
|
|
- add username to added ruleset names when possible
- add much needed example to man page showing how to use NAT with tagging
to track NATed authpfed connections.
ok henning@ dhartmei@, man page cleanup by jmc@
|
|
to proceed correctly in case of dependencies.
|
|
is less confusing.
|
|