Commit log (each entry: subject; author, date, files changed, lines removed/added; message body)
...
* Start implementing conditionals for filters.
  mpi, 2021-02-01, 3 files, -36/+97

  Allows to check the existence of a variable in predicates, making it possible to trace syscall latency, as follows:

    syscall:select:entry
    {
        @start[pid] = nsecs;
    }

    syscall:select:return
    /@start[pid]/
    {
        @usecs = hist((nsecs - @start[pid]) / 1000);
        delete(@start[pid]);
    }
* Align the mixed naming for the variables used to reference to
  mglocker, 2021-02-01, 4 files, -31/+31

  bInterfaceNumber and bAlternateSetting as following:

    ifaceidx -> ifaceno
    altidx   -> altno

  Suggested and ok mpi@

* Add a no-detached choice to detach-on-destroy which detaches only if
  nicm, 2021-02-01, 3 files, -10/+35

  there are no other detached sessions to switch to, from Sencer Selcuk in GitHub issue 2553.
* Netlock should be grabbed before pppx_if_find() call in pppxwrite().
  mvs, 2021-02-01, 1 file, -3/+5

  Otherwise this `pxi' can be killed by concurrent thread after context switch caused by following netlock.

  ok yasuoka@

* Remove dummy TUNSIFMODE ioctl(2) call from pppac(4) and npppd(8). Since
  mvs, 2021-02-01, 2 files, -23/+3

  OpenBSD 6.7 npppd(8) can't work over tun(4).

  ok yasuoka@

* ifunit() was fully replaced by if_unit(9) and should go away.
  mvs, 2021-02-01, 2 files, -20/+8

  ok bluhm@ dlg@

* update the pathname for the control socket path; from daniel jakots
  jmc, 2021-02-01, 1 file, -8/+12

  clean up FILES while here

  ok claudio for the former
* update currency exchange rates;
  jmc, 2021-02-01, 1 file, -37/+37

* some article fixes; from eddie youseph and grep
  jmc, 2021-02-01, 3 files, -9/+9

* a regular function decl collides with an inline, due to C99 inline rules.
  deraadt, 2021-02-01, 1 file, -1/+2

  We are never updating this sub-tree. Knock out the collision in the simplest way. diff from mortimer.

  This is the last change required for -fno-common on all architectures, thanks to mortimer for starting the effort and encouraging others.

* sync
  deraadt, 2021-02-01, 1 file, -6/+0

* Switch dispatch loop to ppoll() and protocol timeouts to struct timespec.
  krw, 2021-02-01, 2 files, -24/+20

  Reduces spurious packet transmissions in situations with short timings.

  Suggestions millert@, further suggestions & ok cheloha@
* change route-to so it sends packets to IPs instead of interfaces.
  dlg, 2021-02-01, 6 files, -324/+140

  this is a significant (and breaking) reworking of the policy based routing that pf can do. the intention is to make it as easy as nat/rdr to use, and more robust when it's operating.

  the main reasons for this change are:

  - route-to, reply-to, and dup-to do not work with pfsync

    this is because the information about where to route-to is stored in rules, and it is hard to have a ruleset synced between firewalls, and impossible to have them synced 100% of the time.

  - i can make my boxes panic in certain situations using route-to

    yeah...

  - the configuration and syntax for route-to rules are confusing.

    the argument to route-to and co is an interface name with an optional ip address. there are several problems with this. one is that people tend to think about routing as sending packets to peers by their address, not by the interface they're reachable on. another is that we currently have no way to synchronise interface topology information between firewalls, so using an interface to say where packets go means we can't do failover of these states with pfsync. another is that a change in routing topology means a host may become reachable over a different interface. tying routing policy to interfaces gets in the way of failover and load balancing.

  this change does the following:

  - stores the route info in the state instead of the pf rule

    this allows route-to to keep working when the ruleset changes, and allows route-to info to be sent over pfsync. there's enough spare bits in pfsync messages that the protocol doesn't break. the caveat is that route-to becomes tied to pass rules that create state, like rdr-to and nat-to.

  - the argument to route-to etc is a destination ip address

    it's not limited to a next-hop address (though a next-hop can be a destination address). this allows for the failover and load balancing referred to above.

  - deprecates the address@interface host syntax in pfctl

    because routing is done entirely by IPs, the interface is derived from the route lookup, not pf. any attempt to use the @interface syntax will fail now in all contexts.

  there's enthusiasm from proctor@ jmatthew@ and others

  ok sashan@ bluhm@
* more strictly enforce KEX state-machine by banning packet types
  djm, 2021-01-31, 5 files, -9/+25

  once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (spotted by portable OpenSSH kex_fuzz via oss-fuzz #30078).

  ok markus@

* Spacing.
  mglocker, 2021-01-31, 1 file, -2/+2

* Ignore addresses that are not 0/32 (dynamic) in ikev2_cp_fixaddr()
  tobhe, 2021-01-31, 1 file, -3/+3

  instead of throwing an error. Fixes a bug where flows without 'dynamic' were skipped when 'config/request address' is used.

  ok patrick@

* Don't leak flows if ikev2_cp_fixflow() fails.
  tobhe, 2021-01-31, 1 file, -3/+8

  ok patrick@

* Make progress when stepping through rdns proposals even when skipping
  florian, 2021-01-31, 1 file, -3/+3

  localhost.

* turns out STDOUT may have been redirected, in which case tcgetpgrp will
  espie, 2021-01-31, 1 file, -2/+5

  return -1, in which case we never need to suppress output. noticed by Mark Patruck
* replace fgetln(3) with getline(3) in fdisk
  naddy, 2021-01-31, 1 file, -11/+9

  ok millert@

* replace fgetln(3) with getline(3) in sed
  naddy, 2021-01-31, 1 file, -16/+11

  Partly from Johann Oskarsson for Illumos/FreeBSD.

  ok millert@

* fix mistaken operator precedence in a pointer dereference in disklabel
  naddy, 2021-01-31, 1 file, -3/+3

  ok millert@

* Add basic support for BCM4378 as found on the Apple M1 SoCs. There's a
  patrick, 2021-01-31, 3 files, -3/+12

  little bit more to do though before it can be enabled.

* regen
  patrick, 2021-01-31, 2 files, -2/+7

* Add Broadcom BCM4378.
  patrick, 2021-01-31, 1 file, -1/+2

* Set linesize returned by getline to zero when freeing and NULLing the
  dtucker, 2021-01-31, 1 file, -1/+3

  returned string. OpenBSD's getline handles this just fine, but some implementations used by -portable do not.

  ok djm@
* last pieces of satisfying -fno-common
  deraadt, 2021-01-31, 2 files, -4/+5

* Don't print an empty line at the end of `route sourceaddr`
  danj, 2021-01-30, 1 file, -2/+1

  ok denis

* satisfy -fno-common
  deraadt, 2021-01-30, 2 files, -4/+4

* Remove duplicate hvmd declaration
  kn, 2021-01-30, 1 file, -2/+1

  Already declared "extern" in ldomctl.h; required for "-fno-common".

  OK kettenis

* Move global domain declaration to parse.y
  kn, 2021-01-30, 2 files, -3/+4

  This is the only object that uses it; required for "-fno-common".

  OK kettenis

* Add dhclient.conf back to list of "installed network configuration
  krw, 2021-01-30, 1 file, -2/+2

  files during upgrade". Mistakenly removed during dhclient.conf cleanup of r1.1050.

* Make editing GPT easier/safer by defaulting offset to beginning of largest
  krw, 2021-01-30, 3 files, -19/+149

  free space and preventing the creation of overlapping partitions.

  Prompted & tested by landry@
* Add AMAP flag description.
  rob, 2021-01-30, 1 file, -1/+4

  OK deraadt@

* Remove ACOMPAT.
  rob, 2021-01-30, 1 file, -5/+2

  OK deraadt@

* document that sizes in fdisk can be input and printed in terabytes
  naddy, 2021-01-30, 1 file, -6/+10

* Abstract octeon board handling a little
  visa, 2021-01-30, 6 files, -39/+75

  Detect octeon board model in one place, and replace firmware-supplied board_type with an abstract model identifier in driver code. This makes it easier to manage with different products, and board flavours, that happen to use the same model information, such as board_type.

* satisfy -fno-common
  deraadt, 2021-01-30, 2 files, -4/+4

* do not print to STDOUT if we're in background, as requested by Theo
  espie, 2021-01-30, 3 files, -16/+36

  who pointed at ssh code for process group handling. Thanks
* I'm such a doofus, of course I have to call base method as well
  espie, 2021-01-30, 1 file, -1/+2

* missing word in comment
  tb, 2021-01-30, 1 file, -3/+3

* switch ProgressMeter to clearer API
  espie, 2021-01-30, 3 files, -9/+18

* rework API slightly, so that handle_continue is an explicit method
  espie, 2021-01-30, 2 files, -3/+14

  (to be overridden by subclasses when needed)

* Re-try to open DNSSEC trust anchor file if /var is not mounted yet.
  florian, 2021-01-30, 3 files, -16/+62

  This is a step towards starting unwind earlier, before the network is up and partitions are mounted.

  OK kn

* for now, do not try to install quirks in case we're running "not"
  espie, 2021-01-30, 1 file, -2/+2

  the better thing to do would be to pseudo-install it under /tmp so we can run it, but it requires way more changes
* Fix delay parsing by stealing from strtonum and returning a proper error to
  martijn, 2021-01-30, 1 file, -12/+64

  the user when an invalid value is entered instead of silently falling back to the default 5s. While here I also capped the upper limit to UINT32_MAX / 1000000 to prevent useconds_t overflow. This hard limits us to 4294s, instead of the current soft limit which just make systat go berserk if you go over it.

  Reported and original diff by Nick Gasson nick <at> nickg <dot> me <dot> uk

  OK cheloha@
  Tweaks and OK bluhm@

* add a SK_DUMMY_INTEGRATE define that allows the dummy security key
  djm, 2021-01-30, 1 file, -0/+7

  middleware to be directly linked; useful for writing fuzzers, etc.

* Add proper padding for pfkey messages. Use ROUNDUP() for auth and
  tobhe, 2021-01-29, 1 file, -22/+95

  enc keys.

  ok patrick@

* Some libunbound configuration changes can change the quality of a
  florian, 2021-01-29, 1 file, -11/+17

  resolver so we have to schedule a re-check.

  OK kn

* Don't filter by address family on the route socket.
  florian, 2021-01-29, 1 file, -4/+4

  While here also set SOCK_NONBLOCK on the frontend routesock.