path: root/sys/netinet6
Commit message | Author | Age | Files | Lines
* Enable IPv6 autoconfprivacy by default | sperreault | 2012-08-15 | 1 | -1/+4
  diff originally by stsp@ "please commit it" deraadt@ "don't care" stsp@ "don't like" bluhm@
* add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4) | markus | 2012-07-16 | 2 | -4/+4
  can use this to select the IPsec tunnel for sending L2TP packets. this fixes Windows (always binding to 1701) and Android clients (negotiating wildcard flows); feedback mpf@ and yasuoka@; ok henning@ and yasuoka@; ok jmc@ for the manpage
* Make IPv6 privacy addresses appear alongside regular SLAAC addresses. | sperreault | 2012-07-14 | 2 | -70/+47
  Also fix a memory management problem that was made obvious by this diff. ok bluhm@, previous version ok @stsp
* Instead of <arpa/inet.h> pulling in <netinet/in.h>, just copy in the | guenther | 2012-07-10 | 1 | -1/+3
  three things that it needed from there: INET_ADDRSTRLEN, INET6_ADDRSTRLEN, and struct in_addr. Add protecting #ifndefs to netinet6?/in6?.h for those. ok deraadt@
* Instead of casting interface address pointers, use the macro | bluhm | 2012-07-08 | 1 | -22/+13
  ifatoia6(). No binary diff. OK henning@
* Improve compliance for <arpa/inet.h> and <netinet/in.h> to define/declare | guenther | 2012-06-26 | 1 | -35/+9
  all the symbols that POSIX says they must and fewer that they can't and, most importantly, to not require a specific ordering of headers. ports testing by naddy@ ok millert@ deraadt@
* rt6_flush should remove all routes configured via a specified gw, | mikeb | 2012-05-18 | 1 | -4/+7
  not only CONNECTED ones. It should also be called when RA with a RouterLifetime set to 0 is sent to clear a redirect. While here make sure we use correct priorities when installing routes acquired via redirects. comments & ok bluhm
* rfc 4861 mandates that target link local address must be included | mikeb | 2012-05-16 | 1 | -1/+7
  with a neighbour advertisement sent to a multicast address; nits & ok bluhm
* unnecessary casts to unsigned; ok claudio | deraadt | 2012-04-13 | 1 | -2/+2
* According to the RFC 2460 and RFC 5095, ICMP Parameter Problem, Code 0 | mikeb | 2012-04-03 | 1 | -8/+12
  should be sent in response to an IPv6 packet with RH0. Improve this a bit further by filling in an icmp error pointer. With sperreault, ok sperreault, sthen
* bail if redirect destination is not unicast before doing other | mikeb | 2012-04-03 | 1 | -8/+8
  expensive checks; ok sperreault, todd, sthen
* Direct IPv6 packets with Ethernet encapsulation into the appropriate | mikeb | 2012-03-15 | 1 | -2/+8
  input routine allowing us to bridge two IPv4 networks over an IPv6 link with gif(4). ok henning, sthen, ok and tests phessler, "let's get this in!" todd
* typo in comment. | sthen | 2012-02-14 | 1 | -2/+2
* Add a short cut for atomic IPv6 fragments. They will be processed | bluhm | 2012-01-24 | 1 | -2/+15
  immediately and not go through the fragment queue. See draft-gont-6man-ipv6-atomic-fragments-00.txt. tested and ok sperreault@
* Do not keep state when dropping overlapping IPv6 fragments in pf | bluhm | 2012-01-23 | 1 | -14/+8
  and IPv6 stack. ok sperreault@
* During IPv6 source address selection, give address scope higher priority | stsp | 2012-01-17 | 1 | -17/+19
  than the autoconfprivacy bit, as per RFC3484. Prevents privacy addresses from being erroneously used as source address if the destination address is in a different scope. Privacy addresses are still preferred over other source addresses from the same scope. Problem found by sthen, fix suggested by sperreault; ok sperreault
* Simplify the #if CARP and if (IFT_CARP) dance in nd6_ns_input(). | bluhm | 2012-01-11 | 1 | -11/+6
  Fix a white space bug while there. No functional change. ok mikeb@ robert@ henning@
* Implement RFC 5722 and drop all IPv6 fragments that belong to a | bluhm | 2012-01-10 | 1 | -9/+26
  packet with overlapping fragments. ok henning@
* Flush the cached IPv6 forward route every 500 ms. This prevents | bluhm | 2012-01-10 | 1 | -3/+2
  wrong checks for local addresses and wrong packet forwarding in environments with only one communication partner and changing addresses or routes. Remove the #if 0 around the existing code to make IPv6 behave like IPv4. ok henning@
* Remove the IPv6 fragment overlapping length adjustment code. It | bluhm | 2012-01-09 | 2 | -66/+11
  was already #if 0 and will never come back. Remove unused fragment struct fields and sort the others. ok henning@
* Replace the hand-crafted queue for IPv6 fragments with LIST. | bluhm | 2012-01-09 | 2 | -84/+48
  ok henning@
* Remove dead code from #if 0: we do not have an ipsrcchk_rt anywhere else. | bluhm | 2012-01-05 | 1 | -5/+1
  from FreeBSD; ok henning@
* Replace the hand-crafted queue for fragmented IPv6 packets with TAILQ. | bluhm | 2012-01-05 | 1 | -3/+2
  I forgot the header file containing struct ip6q in the last commit.
* Replace the hand-crafted queue for fragmented IPv6 packets with TAILQ. | bluhm | 2012-01-05 | 1 | -53/+26
  ok henning@
* To access the ifaddr of an in_ifaddr or in6_ifaddr struct, it is | bluhm | 2012-01-03 | 5 | -20/+20
  cleaner to access the first member via ia_ifa instead of casting. No binary change. ok henning@ krw@
* Instead of hand crafted code, use the macros TAILQ_FOREACH(_SAFE) | bluhm | 2011-12-27 | 2 | -42/+21
  and TAILQ_EMPTY for accessing the nd_defrouter list. No functional change. ok stsp@
* Kill unused IFCAP_IPSEC and IFCAP_IPCOMP. | haesbaert | 2011-12-02 | 1 | -7/+4
  ok claudio@ henning@ mikeb@
* rdomain support for IPv6 | sperreault | 2011-11-24 | 14 | -72/+104
  ok mikeb
* don't define proxydl in nd6_na_output when NCARP = 0 as unused | nigel | 2011-10-15 | 1 | -1/+3
  OK sthend@
* Prevent carp slaves from sending IPv6 neighbour advertisements for carp | stsp | 2011-10-14 | 1 | -1/+8
  addresses. Fixes "duplicate IP6 address" warnings, appearing since we started accepting IPv6 neighbour discovery packets on carp interfaces. ok henning
* Since the IPv6 madness is not enough introduce NAT64 -- which is actually | claudio | 2011-10-13 | 2 | -3/+3
  "af-to" a generic IP version translator for pf(4). Not everything perfect yet but let's fix these things in the tree. Insane amount of work done by sperreault@, mikeb@ and reyk@. Looked over by mcbride@ henning@ and myself at eurobsdcon. OK mcbride@ and general put it in from deraadt@
* If two carp interfaces on the same physical interface had addresses | bluhm | 2011-08-08 | 1 | -1/+3
  with the same prefix, neighbor discovery did not work. When comparing two carp interfaces in in6_ifpprefix(), assume they share the prefix if they have the same parent. sure deraadt@
* Several fixes for the IPV6_PKTINFO handling with sendmsg(2) | mikeb | 2011-08-07 | 1 | -3/+78
  Verify that the address in the in6_pktinfo structure included in the control message is unicast and configured on the local host. Additional checks prevent from using non-routable addresses and inactive interfaces. Embed the scope identifier into the link local addresses as required by the stack. Do not force users to provide valid interface index in the ipi6_ifindex but look it up in place if needed. ok bluhm, waived by deraadt for the release.
* When checking whether a prefix belongs to an interface, also allow | bluhm | 2011-08-07 | 1 | -2/+14
  the route to be at the corresponding carp or physical interface or at an interface belonging to a common bridge. This fixes IPv6 neighbor discovery with carp. bug report and tested by Florian Fuessl put it in deraadt@
* Move the check that ::1 is not allowed from the wire before pf_test(). | bluhm | 2011-08-04 | 1 | -11/+11
  Otherwise pf could reroute or redirect such a packet. KAME moved it in rev 1.189 of their ip6_input.c. This also allows rdr or nat to ::1 in pf. bug report and test camield@ ok mikeb@; go for it deraadt@
* Accept neighbor discovery packets from source IPv6 addresses for | bluhm | 2011-07-26 | 3 | -24/+26
  which we have a cloning or cloned route. The old check was based on configured interface addresses, now we use a route lookup. This allows us to use prefixes for the local network that ospf6d has added. ok claudio@
* consistently use IFQ_SET_MAXLEN, surfaced in a discussion with + ok bluhm | henning | 2011-07-06 | 1 | -2/+2
* Bye bye pf_test6(). Only one pf_test function for both IPv4 and v6. | claudio | 2011-07-04 | 3 | -10/+10
  The functions were 95% identical anyway. While there use struct pf_addr in struct pf_divert instead of some union which is the same. OK bluhm@ mcbride@ and most probably henning@ as well
* M_WAITOK cleanup of two cases: | mk | 2011-06-17 | 1 | -2/+2
  1) Allocating with M_WAITOK, checking for NULL, and calling panic() is pointless (malloc() will panic if it can't allocate) so remove the check and the call.
  2) Allocating with M_WAITOK, checking for NULL, and then gracefully handling failure to allocate is pointless. Instead also pass M_CANFAIL so malloc() doesn't panic so we can actually handle it gracefully.
  1) was done using Coccinelle. Input from oga. ok miod.
* Revert the pf->socket linking diff. | oga | 2011-05-13 | 1 | -21/+1
  at least krw@, pirofti@ and todd@ have been seeing panics (todd and krw with xxxterm not sure about pirofti) involving pool corruption while using this commit. krw and todd confirm that this backout fixes the problem.
  ok blambert@ krw@, todd@ henning@ and kettenis@
  Double link between pf states and sockets. Henning has already implemented half of it. The additional part is:
  - The pf state lookup for outgoing packets is optimized by using mbuf->inp->state.
  - For incoming tcp, udp, raw, raw6 packets the socket lookup always is optimized by using mbuf->state->inp.
  - All protocols establish the link for incoming packets.
  - All protocols set the inp in the mbuf for outgoing packets. This allows the linkage beginning with the first packet for outgoing connections.
  - In case of divert states, delete the state when the socket closes. Otherwise new connections could match on old states instead of being diverted to the listen socket.
  ok henning@
* Fix potential null dereference. | chl | 2011-05-02 | 1 | -3/+3
  Found by LLVM/Clang Static Analyzer. ok henning@ claudio@ krw@
* Fix potential null dereference. | chl | 2011-05-02 | 1 | -3/+5
  Found by LLVM/Clang Static Analyzer. ok claudio@ henning@
* recognize SO_RTABLE socket option at the SOL_SOCKET level; | mikeb | 2011-05-02 | 1 | -1/+3
  discussed with and ok claudio
* Double link between pf states and sockets. Henning has already | bluhm | 2011-04-24 | 1 | -1/+21
  implemented half of it. The additional part is:
  - The pf state lookup for outgoing packets is optimized by using mbuf->inp->state.
  - For incoming tcp, udp, raw, raw6 packets the socket lookup always is optimized by using mbuf->state->inp.
  - All protocols establish the link for incoming packets.
  - All protocols set the inp in the mbuf for outgoing packets. This allows the linkage beginning with the first packet for outgoing connections.
  - In case of divert states, delete the state when the socket closes. Otherwise new connections could match on old states instead of being diverted to the listen socket.
  ok henning@
* Remove dead assignment. | chl | 2011-04-15 | 1 | -2/+2
  Found by LLVM/Clang Static Analyzer. ok claudio@
* comment typo | sthen | 2011-04-06 | 1 | -2/+2
* Passing M_WAITOK to mbuf functions is supposed to be a contract between | blambert | 2011-04-05 | 2 | -5/+5
  the caller and the function that the function will not fail to allocate memory and return a NULL pointer. However, m_dup_pkthdr() violates this contract, making it possible for functions that pass M_WAITOK to be surprised in ways that hurt. Fix this by passing the wait flag all the way down the functions that actually do the allocation for m_dup_pkthdr() so that we won't be surprised. man page update forthcoming ok claudio@
* Add the same SS_CANTRCVMORE check as was done in the other input | claudio | 2011-04-04 | 1 | -1/+3
  functions. OK blambert@
* fix typos in comments | stsp | 2011-04-03 | 2 | -5/+5
  ok deraadt henning sthen thib (though thib says he can't spell)
* As of r1.54 of nd6_rtr.c we don't add addresses from interrupt context | stsp | 2011-04-03 | 1 | -9/+2
  anymore so the allocation in in6_update_ifa() can now wait. ok deraadt henning