path: root/sbin
Age         Commit message  [Author, files changed, lines -/+]
2021-04-01  Tweak log_debug() verbiage to reduce repetitive info  [krw, 1 file, -21/+44]
(ACK/NAK), add details (DISCOVER/REQUEST) and provide before/after info for SSID/LLADDR/MTU changes.
2021-04-01  Also immediately accept the *first* OFFER if it matches the requested address,  [krw, 1 file, -2/+5]
rather than waiting for select_timeout to expire before accepting the same OFFER.
2021-03-31  Set 'select_timeout' to 'now' when an OFFER is received for the IP address  [krw, 1 file, -1/+2]
requested in the DISCOVER. i.e. immediately accept the OFFER rather than waiting for select_timeout to expire before accepting the same OFFER. A corner case since select-timeout is 0 by default.
2021-03-31  Add two missing checks for strdup() returning NULL.  [krw, 1 file, -1/+5]
2021-03-31  Fix some debug output when running in foreground.  [krw, 1 file, -4/+8]
Call tick_msg() at startup so it knows if the link is up. Don't emit 'link timeout expired' messages after the link has been up.
2021-03-28  Now that the real time and monotonic time streams don't  [krw, 3 files, -22/+22]
cross, flip CLOCK_REALTIME to CLOCK_MONOTONIC. Suggested by cheloha@, millert@, otto@ at various stages in the time_t -> timespec conversion.
2021-03-28  Convert remaining timers (lease renew, rebind, expiry) to  [krw, 2 files, -54/+60]
timespec values. Translate from the epoch values in leases to timespec values in one place. Final step to allow CLOCK_REALTIME -> CLOCK_MONOTONIC time accounting for the active lease.
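The conversion the two krw commits above describe, as an added example that is not dhclient's own code: a lease file stores renew, rebind and expiry as epoch seconds, and the helper below translates such a value once, at load time, into a CLOCK_MONOTONIC deadline by sampling both clocks at the same instant. After that, a wall-clock step (ntpd, rdate, a resume adjustment) cannot move the timer, which is the point of accounting for the active lease on the monotonic clock. The ts_* helpers, epoch_to_monotonic() and deadline_expired() are hypothetical names; the one-hour lease in main() is constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <time.h>

/* Keep 0 <= tv_nsec < 1e9 after an add or subtract. */
static struct timespec
ts_norm(struct timespec t)
{
	while (t.tv_nsec >= 1000000000L) {
		t.tv_sec++;
		t.tv_nsec -= 1000000000L;
	}
	while (t.tv_nsec < 0) {
		t.tv_sec--;
		t.tv_nsec += 1000000000L;
	}
	return t;
}

struct timespec
ts_add(struct timespec a, struct timespec b)
{
	struct timespec r = { .tv_sec = a.tv_sec + b.tv_sec,
	    .tv_nsec = a.tv_nsec + b.tv_nsec };
	return ts_norm(r);
}

struct timespec
ts_sub(struct timespec a, struct timespec b)
{
	struct timespec r = { .tv_sec = a.tv_sec - b.tv_sec,
	    .tv_nsec = a.tv_nsec - b.tv_nsec };
	return ts_norm(r);
}

/* <0, 0, >0 like strcmp(). */
int
ts_cmp(struct timespec a, struct timespec b)
{
	if (a.tv_sec != b.tv_sec)
		return a.tv_sec < b.tv_sec ? -1 : 1;
	if (a.tv_nsec != b.tv_nsec)
		return a.tv_nsec < b.tv_nsec ? -1 : 1;
	return 0;
}

/*
 * Translate an absolute epoch deadline (what a lease file stores for
 * renew/rebind/expiry) into a CLOCK_MONOTONIC deadline.  The caller
 * samples both clocks at the same instant.  Doing this once, when the
 * lease is loaded, means a later wall-clock step cannot move the timer.
 * A deadline that is already in the past collapses onto "now".
 */
struct timespec
epoch_to_monotonic(time_t epoch_deadline, struct timespec now_real,
    struct timespec now_mono)
{
	struct timespec dl = { .tv_sec = epoch_deadline, .tv_nsec = 0 };
	struct timespec remaining = ts_sub(dl, now_real);

	if (remaining.tv_sec < 0)
		return now_mono;
	return ts_add(now_mono, remaining);
}

/* 1 once the monotonic clock has reached the deadline. */
int
deadline_expired(struct timespec deadline, struct timespec now_mono)
{
	return ts_cmp(now_mono, deadline) >= 0;
}

int
main(void)
{
	struct timespec now_real, now_mono, renew;

	clock_gettime(CLOCK_REALTIME, &now_real);
	clock_gettime(CLOCK_MONOTONIC, &now_mono);
	/* Constructed lease: renew one hour from now. */
	renew = epoch_to_monotonic(now_real.tv_sec + 3600, now_real, now_mono);
	return deadline_expired(renew, now_mono);	/* 0: not due yet */
}
```

Comparisons against the deadline are then done only with CLOCK_MONOTONIC values; the epoch value is never consulted again after the translation.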
2021-03-27  If we want to configure default routes over multiple interfaces we  [florian, 1 file, -4/+19]
need to provide the address of the interface behind which the default router is in case they are on the same subnet; otherwise the kernel can't figure out which route we are talking about. This happens for example when your wifi and wired networks are bridged. Pointed out by claudio some time ago.
2021-03-25  Sync correct ROUNDUP() from net/route.c  [tobhe, 1 file, -3/+2]
2021-03-24  More timespec conversions. Less 'seconds' arithmetic.  [krw, 2 files, -58/+75]
2021-03-23  Don't send DELETE notify if IKE SA is replaced because of  [tobhe, 1 file, -2/+2]
'enforcesingleikesa'. Fixes an interop problem with strongswan if make-before-break is enabled. ok patrick@
2021-03-22  BOOTP has a minimum packet length of 300 bytes. Since DHCP is  [florian, 1 file, -2/+10]
interoperable with BOOTP we should also send packets that have a minimum size of 300. I haven't seen a DHCP server that actually enforces this except the one in vmd(8), but it doesn't cost us much and prevents hair pulling later on when we find one in the wild. OK deraadt
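The 300-octet minimum comes from RFC 1542, the BOOTP clarifications. An added example, not dhclient's committed code: a routine that pads a finished DHCP message with zero bytes up to 300, together with a constructed minimal DHCPDISCOVER to run it on. Zero is the DHCP PAD option, so a receiver that keeps parsing after DHO_END sees only no-ops, and one that stops at DHO_END never looks at the padding; the routine refuses to pad a message whose option list is not terminated, since the extra zeros would then be parsed as options. Function names, the sample MAC address and the xid are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BOOTP_MIN_LEN		300	/* RFC 1542: pad BOOTP/DHCP messages to 300 octets */
#define DHCP_FIXED_LEN		236	/* op .. file, the fixed BOOTP header */
#define DHCP_COOKIE_LEN		4	/* 99.130.83.99 magic cookie */
#define DHO_PAD			0
#define DHO_DHCP_MESSAGE_TYPE	53
#define DHO_END			255
#define DHCPDISCOVER		1

/*
 * Pad a finished DHCP message up to BOOTP_MIN_LEN with DHO_PAD bytes.
 * Returns the new length; 0 if the message is too short to be DHCP at all,
 * does not end in DHO_END, or the buffer cannot hold 300 bytes.
 */
size_t
dhcp_pad_to_bootp_min(uint8_t *buf, size_t len, size_t cap)
{
	if (len < DHCP_FIXED_LEN + DHCP_COOKIE_LEN + 1 || cap < BOOTP_MIN_LEN)
		return 0;
	if (len >= BOOTP_MIN_LEN)
		return len;		/* already long enough */
	if (buf[len - 1] != DHO_END)
		return 0;		/* refuse to pad an unterminated option list */
	memset(buf + len, DHO_PAD, BOOTP_MIN_LEN - len);
	return BOOTP_MIN_LEN;
}

/* Build a minimal DHCPDISCOVER (constructed sample); returns its unpadded length. */
size_t
build_discover(uint8_t *buf, size_t cap, const uint8_t chaddr[6], uint32_t xid)
{
	static const uint8_t cookie[DHCP_COOKIE_LEN] = { 99, 130, 83, 99 };
	size_t off;

	if (cap < DHCP_FIXED_LEN + DHCP_COOKIE_LEN + 4)
		return 0;
	memset(buf, 0, cap);
	buf[0] = 1;				/* op: BOOTREQUEST */
	buf[1] = 1;				/* htype: Ethernet */
	buf[2] = 6;				/* hlen */
	buf[4] = (uint8_t)(xid >> 24);		/* xid, network byte order */
	buf[5] = (uint8_t)(xid >> 16);
	buf[6] = (uint8_t)(xid >> 8);
	buf[7] = (uint8_t)xid;
	memcpy(buf + 28, chaddr, 6);		/* chaddr */
	memcpy(buf + DHCP_FIXED_LEN, cookie, DHCP_COOKIE_LEN);
	off = DHCP_FIXED_LEN + DHCP_COOKIE_LEN;
	buf[off++] = DHO_DHCP_MESSAGE_TYPE;
	buf[off++] = 1;
	buf[off++] = DHCPDISCOVER;
	buf[off++] = DHO_END;
	return off;				/* 244 bytes, well short of 300 */
}

/*
 * Build, pad and check a DISCOVER end to end.  Returns the padded length,
 * or 0 if any invariant fails: 244 bytes before, 300 after, DHO_END
 * still in place, every pad byte zero.
 */
size_t
padded_discover_len(void)
{
	uint8_t buf[576];	/* RFC 2131: clients must accept up to 576 octets */
	const uint8_t mac[6] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 };	/* constructed */
	size_t len, padded, i;

	len = build_discover(buf, sizeof(buf), mac, 0x3d1d0e55u);
	padded = dhcp_pad_to_bootp_min(buf, len, sizeof(buf));
	if (len != 244 || padded != BOOTP_MIN_LEN || buf[len - 1] != DHO_END)
		return 0;
	for (i = len; i < padded; i++)
		if (buf[i] != DHO_PAD)
			return 0;
	return padded;
}

int
main(void)
{
	return padded_discover_len() == BOOTP_MIN_LEN ? 0 : 1;
}
```

The padded length, not the option-list length, is what goes into the UDP payload length and the send call.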
2021-03-22  Avoid overflow by writing x = (y * 7) / 8 as x = y - (y / 8); ok florian  [otto, 1 file, -2/+2]
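An added example, not the committed code, showing why the rewrite in otto's commit matters: with a 32-bit unsigned y, y * 7 wraps silently once y exceeds UINT32_MAX / 7 (613566756), while y - y / 8 never forms an intermediate larger than y. The caveat a reviewer would want on record: the two forms round differently. y - y / 8 is ceil(7y/8) and (y * 7) / 8 is floor(7y/8), so they differ by one whenever y is not a multiple of 8, which is harmless for a size heuristic but would matter for an exact computation. Function names are hypothetical.

```c
#include <stdint.h>

/* Naive form: y * 7 wraps in 32 bits once y > UINT32_MAX / 7 (613566756). */
uint32_t
seven_eighths_naive(uint32_t y)
{
	return (y * 7) / 8;
}

/* Rewritten form from the commit: no intermediate exceeds y itself. */
uint32_t
seven_eighths_safe(uint32_t y)
{
	return y - (y / 8);
}

/* 64-bit reference for the exact floor(7y / 8). */
uint32_t
seven_eighths_ref(uint32_t y)
{
	return (uint32_t)(((uint64_t)y * 7) / 8);
}

/* 1 if the naive form has wrapped for this y, 0 otherwise. */
int
naive_overflows(uint32_t y)
{
	return seven_eighths_naive(y) != seven_eighths_ref(y);
}

/* Rounding difference between the safe form and exact floor(7y/8): 0 or 1. */
uint32_t
rounding_gap(uint32_t y)
{
	return seven_eighths_safe(y) - seven_eighths_ref(y);
}

int
main(void)
{
	/* 0x80000000 * 7 == 0x380000000, truncated to 0x80000000: wrapped. */
	return (naive_overflows(0x80000000u) && rounding_gap(0x80000000u) == 0) ? 0 : 1;
}
```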
2021-03-21  The tag comes after iface in iked.conf(5).  [tobhe, 1 file, -4/+4]
2021-03-21  Use new terminology of RFC 8981 and (mechanically) replace "privacy"  [florian, 5 files, -43/+44]
with "temporary".
2021-03-21  Don't warn that we can't form a temporary address when a router  [florian, 1 file, -5/+6]
deprecates a prefix by sending a pltime of 0, this is normal. Continue warning when the pltime is smaller than 5 as this is almost certainly a configuration error. Found the hard way by & OK otto.
2021-03-20  RFC 8981 allows the configuration of only temporary IPv6 addresses.  [florian, 1 file, -3/+6]
Keep "temporary" the default when setting inet6 autoconf but make it possible to disable the "autoconf" flag but keep "temporary" enabled. The normal use case to only have temporary autoconf addresses would be "inet6 temporary" in hostname.if OK kn
2021-03-20  RFC 8981 allows the configuration of only temporary IPv6 addresses.  [florian, 3 files, -8/+21]
Track autoconf and temporary flag individually to be able to support this. OK kn
2021-03-20  Fix SMALL build when done from sbin/slaacd  [kn, 4 files, -7/+15]
distrib/special/slaacd is the actual SMALL user but having it build from here is useful, too; in fact, it showed some more unused variables under SMALL. OK florian
2021-03-19  Edit wireguard for concision. Remove some background covered by wg(4).  [procter, 1 file, -85/+74]
Swap -wgpeerall and wgpeer in synopsis to ease parsing. "I'm good" - Matt Dunwoodie. "just commit" - jmc suggestions and ok sthen@
2021-03-19  Fix function name in warning  [kn, 1 file, -2/+2]
2021-03-19  RTM_IFINFO is providing the mac address now, no need to go through  [florian, 1 file, -44/+16]
getifaddrs on every route message. This also allows us to drop the route pledge since we only need to fetch the interface state with getifaddrs on startup.
2021-03-18  Document "-tunneldomain" and "-mplslabel", complete MPLS synopsis  [kn, 1 file, -5/+9]
OK claudio
2021-03-17  Split off init_ifaces from update_iface. init_ifaces discovers the  [florian, 1 file, -76/+152]
state of the machine on startup using ioctl(2) and getifaddrs(3). We can then update this state with information provided by route messages. We still need getifaddrs(3) to check if the layer 2 address has changed. This simplifies error handling (what should we do if ioctl(2) fails?), reduces kernel round trips (no need to ask the kernel again for information RTM_IFINFO provided already) and prevents a theoretical race between RTM_IFINFO and getaddrinfo(3). In a fast link state UP -> DOWN -> UP transition RTM_IFINFO informs us that the link went down but we were not using this information but rather looked at getifaddrs(3) information which might see the link as already up again. We would then do nothing while we should try to get a new lease. By storing all interface information in the frontend process we can skip imsgs to the engine process if we get an RTM_IFINFO without relevant changes for us.
2021-03-16  Add 'grp31' alias for curve25519 as documented in iked.conf(5).  [tobhe, 1 file, -1/+2]
2021-03-16  Nuke unused time_t variable.  [krw, 1 file, -5/+2]
2021-03-16  Move setifrtlabel() and *keepalive() prototypes out of SMALL  [kn, 1 file, -4/+4]
Those commands are not supported under SMALL; unless I overlooked others, this should be the last bit to declare all prototypes correctly wrt. SMALL (the overall unsorted order of both prototypes and commands makes this hard to spot). No object change, with and without SMALL.
2021-03-16  sync to unbound 1.13.1; heavy lifting by sthen  [florian, 36 files, -2726/+3371]
2021-03-16  Don't (try to) deconfigure an interface that was never configured.  [florian, 1 file, -1/+4]
2021-03-16  We can't learn anything interesting from RTM_NEWADDR, stop handling  [florian, 2 files, -11/+3]
it.
2021-03-15  We make sure that a dh group is required if the local proposal  [tobhe, 1 file, -3/+13]
contains an explicit group transform. Override requiredh if one of the local options is 'none' so that a proposal with no DH group and one with explicit group 'none' result in a match. ok patrick@
2021-03-15  Ignore msg_ke in CREATE_CHILD_SA if DH negotiation results in group  [tobhe, 1 file, -3/+7]
'none' (disabling PFS). Fixes a bug when the initiator sends a KE payload but the negotiation results in DH group "none". For other DH group mismatches we send an INVALID_KE notify, for 'none' we can just ignore the KE payload. ok patrick@
2021-03-14  Log errors with log level info and SPI.  [tobhe, 1 file, -12/+17]
2021-03-14  Since we are doing getifaddrs() anyway we can get the rdomain out of  [florian, 1 file, -49/+33]
AF_LINK and skip one ioctl. OK benno
2021-03-13  Remove "deletetunnel" (deprecated with 6.4)  [kn, 1 file, -3/+1]
OK deraadt
2021-03-13  Move all rdomain bits under SMALL  [kn, 1 file, -4/+6]
"[-]rdomain" commands are ignored under SMALL but their prototypes, the global and therefore dead print logic are still in. OK deraadt
2021-03-13  Move MPLS related function prototypes under SMALL  [kn, 1 file, -16/+16]
OK deraadt
2021-03-12  INET6_NOPRIVACY is called AUTOCONF6TEMP now, missed during rename.  [florian, 1 file, -2/+2]
2021-03-12  Add deprecation warning for autoconfprivacy.  [florian, 1 file, -5/+27]
While here check address family for 'temporary' option, only inet6 is allowed. OK kn
2021-03-11  fix a double space and a macro error;  [jmc, 1 file, -3/+3]
2021-03-11  When RFC 8981 obsoleted RFC 4941 the terminology changed from  [florian, 3 files, -15/+18]
"privacy extensions" to "temporary address extensions". Change ifconfig(8) to output temporary after temporary addresses and add "temporary" option which is an alias for autoconfprivacy for now. Also make AUTOCONF6TEMP a positive flag that is set by default. Previously the negative flag "INET6_NOPRIVACY" was set when privacy addresses were disabled. This makes the flags output less ugly and will allow us to disable autoconf addresses while having temporary addresses enabled in the future. More work is needed in slaacd. input benno, jmc, deraadt; previous version OK benno; OK jmc, kn
2021-03-11  Use timespec timers to determine when select-timeout and timeout intervals  [krw, 2 files, -14/+35]
are exceeded. Feedback from otto@, cheloha@
2021-03-11  Remove unhelpful sentence from TPMR  [kn, 1 file, -3/+1]
with dlg
2021-03-11  Document veb(4)  [kn, 1 file, -2/+99]
All text is copied from other already existing sections, i.e. link flag handling from TPMR and the rest from BRIDGE. Contrary to BRIDGE, add a synopsis for VEB such that there's a simple overview, especially since veb(4) currently does not explain *how* to use the described features. NB: While TPMR and VEB use the same wording for link flags, their semantics are different, i.e. both different flags and swapped polarity for those flags. Feedback jmc dlg OK dlg
2021-03-09  Also log transforms on IKE SA rekey.  [tobhe, 1 file, -3/+10]
2021-03-09  Zap stray Xr  [kn, 1 file, -2/+1]
2021-03-09  Fix TRUNK synopsis alignment  [kn, 1 file, -2/+6]
2021-03-09  Replace time_t startup_time with struct timespec link_timeout.  [krw, 3 files, -12/+19]
Feedback from otto@
2021-03-09  Do not adjust (uhm.. zero) the swap 'b' partition size if physmem is  [deraadt, 1 file, -2/+2]
zero (should not happen, but did), because the auto-allocate code will put a filesystem on that partition. ok otto kurt
2021-03-08  dhclient relationship with "inet autoconf" is incorrect, it activated  [deraadt, 1 file, -5/+5]
dhcpleased.