| Commit message | Author | Age | Files | Lines |
... | |
|
Only the initiator can use 'msg_policy' to determine if the policy is supposed
to be transport mode, the responder has to check for a received USE_TRANSPORT
notify to find a matching policy during the lookup.
ok markus@
|
memcpy the address into a local var before comparing it with code
that reads ints using int *. at least sparc64 and landisk suffer from this.
with and ok jca@
|
ok markus@
|
No intentional functional change.
|
Fixes a crash on landisk (strict alignment arch) reported by otto@
ok deraadt@ otto@
|
does the same thing.
ok patrick@
|
to avoid setting interface mtu.
|
is compared to one received via PFKEY which results in garbage.
Found by Rene Ammerlaan <rj (dot) ammerlaan (at) sungai (dot) nl>
ok patrick@
|
DH group (as negotiated by IKE_SA_INIT) instead of one from the configured
policy. Not doing so may result in INVALID_KE errors.
ok patrick@
|
interact with the per-policy active/passive options.
ok kn@
|
ok sthen@, patrick@
|
This flag restricts a wireless driver to MCS0 - MCS7 for both transmission
and reception. It can be set to work around packet loss in 11n mode caused
by unused antenna connectors on a MIMO-capable wireless network device.
man page tweak from tracey@
ok deraadt@
|
'key->pol_proposals' should be the peer proposal as it is derived from
a received SA payload, 'p->p_proposal' comes from a locally configured
policy.
ok patrick@
|
groups are not recommended to use and are only supported for backwards
compatibility.
Feedback from sthen@
ok kn@
|
stop trying to get an ACK from that server after 'timeout'
seconds. Give up and try to get another lease.
Possible infinite loop pointed out by Alexander Markert on tech@.
|
ok markus@
|
not be printed.
|
discarded. Update leases file when active lease is discarded. Discard
NAK'ed offers even if there is no active lease. Always transition to
INIT.
Issues discovered after inappropriate behaviour reported by
Alexander Markert and Pierre Emeriaud.
|
1.
This increases the number of volumes that can be created on a single disk
from 7 to 15. i.e. a disk can be sliced into a maximum of 225
(15 * 15) filesystems instead of a mere 105 (7 * 15).
ok deraadt@
|
ok patrick@
|
debugging and fill up the logs.
ok patrick@ kn@
|
while here, combine two Ar lines into one;
|
It can be configured per policy with the new 'rdomain' option
(see iked.conf(5)).
Only the unencrypted (inner) rdomain has to be configured, the
encrypted rdomain is always the one the responsible iked instance
is running in.
The configured rdomain must exist before iked activates the IPsec SAs,
otherwise pfkey will return an error.
ok markus@, patrick@
|
ok markus@, patrick@
|
ok markus@
|
ok markus@
|
closes its service port when resolving is not working to give asr(3) a
chance (because it falls back to asr(3) internally)
Therefore it is ok to only list 127.0.0.1 in /etc/resolv.conf.
Triggered by a question from Frantisek Holop.
OK benno
|
Should fix '-r' (a.k.a. release a lease) for leases without a valid
DHCP_SERVER_IDENTIFIER.
Spotted by Alexander Markert. Thanks!
|
ok markus@
|
ok markus@
|
OK tohe
|
ok markus@
|
That way, when slaacd gets started in a different rdomain with
route exec things just work, no need to provide an alternative
control socket.
Pointed out by claudio
Original diff by benno, but I like my bikeshed purple.
OK benno, claudio
|
sends router solicitations and receives router advertisements only
from interfaces that are in its own rdomain.
It also only sees interfaces arriving, or departing in its own
rdomain.
However, for the default route there is rdomain cross-talk because
slaacd configures the default route in the default rdomain (and
fails).
Make slaacd honour the rdomain it's running in as well.
OK denis, phessler, benno
|
This way the peer can delete its SAs and eventually reestablish the
connection without having to wait for a timeout.
ok markus@
|
specifier (e.g. 'FQDN/').
|
time, make sure to send a DPD packet to him so that we break up
the connection faster if it's dead.
ok patrick@
|
'/etc/iked', otherwise certs with SubjAltNames containing uppercase
letters are not found.
ok markus@
|