| Commit message | Author | Age | Files | Lines |

thanks to Matt Dunwoodie and Jason A. Donenfeld for their effort.
it's at least as functional as the go implementation, and maybe
more so since this one works on more architectures.
i'm sure there's further development that can be done, but you can
say that about anything and everything that's in the tree.
ok deraadt@
gif used its mbuf tag to store its interface index so it could
detect loops. gre also did this, and i cut most of the drivers
(including gif) over to using the gre tag. so the gif tag is unused.
wireguard uses the tag to store peer information between different
contexts the packet is processed in. it also needs a bit more space
to do that.
from Matt Dunwoodie and Jason A. Donenfeld
ok deraadt@
i feel like i should add IFT_L3IPVLAN here so mgre(4) can take
advantage of this too.
from Matt Dunwoodie and Jason A. Donenfeld
ok deraadt@
i'm still not a fan of the peer semantics of wireguard interfaces
where each interface can have multiple peers and each peer has a
set of the allowed ips configured, aka cryptokey routing. traditionally
we would use a tunnel (IFT_TUNNEL) style interface per peer, which
means there's a 1:1 mapping between a peer and an interface. in
turn that means you can apply policy with things like pf to the
interface and it implies policy on the peer.
so allowed ips inside a wg interface feels like a bandaid for a
self inflicted wound to some degree. however, deraadt@ points out
that the boat has sailed, and being compatible with the larger
ecosystem has benefits. admins can choose to setup an interface per
peer if they want to, so we get the best of both worlds.
i will admit an interface per peer sucks in a concentrator situation
though. that's why we still have pppac(4) as well as pppx(4). i
also don't have any better ideas for how to scale or even express
this kind of policy in a concentrator setting either.
apologies for the teary.
from Matt Dunwoodie and Jason A. Donenfeld
ok deraadt@
from Matt Dunwoodie and Jason A. Donenfeld
ok deraadt@
i think we should turn the chacha code into an actual c file at
some point to reduce duplication of object code, but that can happen
later.
from Matt Dunwoodie and Jason A. Donenfeld
ok deraadt@
via Matt Dunwoodie and Jason A. Donenfeld
ok deraadt@
via Matt Dunwoodie and Jason A. Donenfeld
ok deraadt@
from Matt Dunwoodie and Jason A. Donenfeld
i wrote the original version of this, but it was tweaked by Matt
Dunwoodie and Jason A. Donenfeld for use with wireguard.
for themselves, so use the "local-mac-address" Open Firmware property
instead, as done in ix(4).
ok dlg@
this is so protocols (eg, udp) can let things (eg, kernel support
for wireguard or vxlan or geneve) look at and possibly steal packets
before they get added to a socket buffer.
i wrote the original version of this, but it was tweaked by Matt
Dunwoodie and Jason A. Donenfeld for use with wireguard.
from Matt Dunwoodie and Jason A. Donenfeld
from Matt Dunwoodie and Jason A. Donenfeld
.An author Aq Mt address
|
|
|
|
| |
Written by Alastair Poole.
COVERITY 1491295
ok kettenis@
than always returning 0. bktr0..bktr15 should now 'work'.
COVERITY 1452865
COVERITY 1452956
COVERITY 1453025
COVERITY 1453186
COVERITY 1453231
ian@'s bktr still works as well as it did before.
avoid \*(Gt and \*(Lt, .Dv NULL, .Cm for pledge promises
and a few other wording and markup improvements while here;
OK jmc@ ratchov@
ncg * ipg calculation can overflow if signed types are used. Move
to uint32_t for the relevant values. Aligned with FreeBSD changes.
Also make sure newfs refuses to create an fs with more than 2^32-1
inodes. ok millert@
ok kettenis@
avoidance. The problem and fix are noted in RFC5681 section 3.1, page 7.
Report, diff and testing from Brian Brombacher, thanks!
Testing and a cosmetic tweak by myself.
ok claudio
missed a subsequent fix for an off-by-one in that code. If the first
byte of a CBC padding of length 255 is mangled, we don't detect that.
Adam Langley's BoringSSL commit 80842bdb44855dd7f1dde64a3fa9f4e782310fc7
Fixes the failing tlsfuzzer lucky 13 test case.
ok beck inoguchi
on the RockPro64 WiFi module.
Note that there is no firmware for this chip in the bwfm-firmware package
at the moment.
ok patrick@
trapframe.
and point to UI_UTIL_read_pw(3) instead;
tb@ agrees with the general direction
correct the description of X509_get_X509_PUBKEY(3),
document error handling of the read accessors,
and mention the relevant STANDARDS
which is still under a free license. Wording tweaked by me.
This fixes a "fatal firmware error" at run-time.
Thanks again to Sara Sharon who provided the hint that the error trace
I was looking at indicated that the firmware was running into a problem
while trying to flush its Tx queues, and that this could be related to
the Tx byte count table not being maintained properly.
Tested by sven falempin and myself.