path: root/sys/netinet
Commit message | Author | Age | Files | Lines
* Store the data used to generate an ICMP error message on a stack instead of allocating a new mbuf. This is a third or fourth attempt to incorporate a change like this meaning a handful of people have lost their hair trying to make it work, namely dlg@, henning@, deraadt@, and thib@. Unfortunately the fixed version was never put back which is exceptionally unfortunate since the impact on performance is huge: it nearly doubles the forwarding performance on selected hardware in simple setups. So after being beaten in test and production environments on several architectures it's ready to be put back again. We're doing it early in the release cycle so that it will receive a good test exposure. ok derradt, henning
  Author: mikeb | Age: 2012-08-07 | Files: 1 | Lines: -12/+21
* use IPsec flowinfo on pipex(4) to select the IPsec tunnel for sending L2TP packets. ok markus henning
  Author: yasuoka | Age: 2012-07-17 | Files: 1 | Lines: -9/+14
* add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4) can use this to select the IPsec tunnel for sending L2TP packets. this fixes Windows (always binding to 1701) and Android clients (negotiating wildcard flows); feedback mpf@ and yasuoka@; ok henning@ and yasuoka@; ok jmc@ for the manpage
  Author: markus | Age: 2012-07-16 | Files: 9 | Lines: -21/+102
* 3 line diff to fix divert using connections from local system.
  OK henning@
  Author: claudio | Age: 2012-07-13 | Files: 1 | Lines: -1/+4
* Be way more careful when accessing a possibly cached route in_selectsrc() since it may already be gone. Fixes panic seen by stsp@ when unplugging a used USB interface. Tested and OK stsp@
  Author: claudio | Age: 2012-07-12 | Files: 1 | Lines: -9/+8
* Instead of <arpa/inet.h> pulling in <netinet/in.h>, just copy in the three things that it needed from there: INET_ADDRSTRLEN, INET6_ADDRSTRLEN, and struct in_addr. Add protecting #ifndefs to netinet6?/in6?.h for those. ok deraadt@
  Author: guenther | Age: 2012-07-10 | Files: 1 | Lines: -1/+6
* in_scrubprefix needs the same netmask checking as in_addprefix (which was added in 1.40). This fixes a pathological case where in_scrubprefix would do the wrong thing. Found and reported by glebius@FreeBSD OK bluhm@
  Author: claudio | Age: 2012-07-10 | Files: 1 | Lines: -9/+12
* Instead of casting interface address pointers, use the macros NULL and ifatoia(). No binary diff. OK blambert@ henning@ claudio@
  Author: bluhm | Age: 2012-07-08 | Files: 1 | Lines: -6/+6
* Add support for advertising dns servers and search paths in router advertisements, according to RFC 6106. original diff from Stephane A. Sezer on tech@, many thanks! OK phessler@, todd@
  Author: phessler | Age: 2012-07-08 | Files: 1 | Lines: -1/+19
* Add support for the Extended (64-bit) Sequence Number as defined in RFC4302 and RFC4303. Right now only software crypto engine is capable of doing it. Replay check was rewritten to implement algorithm described in the Appendix A of RFC4303 and the window size was increased to 64. Tested against OpenBSD, Linux (strongswan) and Windows. No objection from the usual suspects.
  Author: mikeb | Age: 2012-06-29 | Files: 3 | Lines: -63/+180
* Improve compliance for <arpa/inet.h> and <netinet/in.h> to define/declare all the symbols that POSIX says they must and fewer that they can't and, most importantly, to not require a specific ordering of headers. ports testing by naddy@ ok millert@ deraadt@
  Author: guenther | Age: 2012-06-26 | Files: 1 | Lines: -3/+18
* Fix tcpdump for etherip packets. bpf_mtap() needs to be called without the etherip_header. Idea to use a forward declaration for struct tdb by claudio. OK claudio@
  Author: mpf | Age: 2012-05-12 | Files: 1 | Lines: -1/+3
* unnecessary casts to unsigned; ok claudio
  Author: deraadt | Age: 2012-04-13 | Files: 2 | Lines: -7/+7
* fix all the suser calls which pass an incorrect p_acflag argument; figured out by and ok guenther
  Author: mikeb | Age: 2012-04-11 | Files: 1 | Lines: -3/+3
* Bring the rtable sockopt code in line with the setrtable() implementation. While there change IP_RTABLE to SO_RTABLE. IP_RTABLE will die soon. With and OK guenther@
  Author: claudio | Age: 2012-04-07 | Files: 1 | Lines: -8/+9
* pipex hook in udp_usrreq() mistakenly assumed that `inp' is connected. It could not use the destination address properly, so it failed to find the pipex session. This bug caused LCP keepalive failures on some clients. found and tested by sebastia@ and mxb at alumni.chalmers.se. ok sthen
  Author: yasuoka | Age: 2012-04-04 | Files: 1 | Lines: -1/+7
* actually store the result of the pmtu-route lookup. otherwise we don't have a MTU to announce in the icmp need fragment packet. this fixes PMTU-discovery for TCP over IPsec; ok mpf@, fries@
  Author: markus | Age: 2012-03-30 | Files: 1 | Lines: -3/+2
* remove IP_JUMBO, SO_JUMBO, and RTF_JUMBO.
  no objection from mcbride@ krw@ markus@ deraadt@
  Author: dlg | Age: 2012-03-17 | Files: 4 | Lines: -16/+6
* improve IPsec/ENC interaction:
  - ipip_input() recalculate the IP header checksum if the tos bits are changed after decapsulation. Otherwise these packets are dropped later in the stack.
  - ip_ecn_egress(): do not drop packets for IPsec if the outer packet of a Tunnel has the ECN-CE bit set (Congestion Experienced) and the inner packet does not indicate support ECN.
  - remove unused ip6_ecn_ingress(), ip6_ecn_egress() code
  ok mikeb@
  Author: markus | Age: 2012-03-15 | Files: 3 | Lines: -57/+35
* Increase TCP's initial window to 10 * MSS or 14600 bytes as proposed in draft-ietf-tcpm-initcwnd. net.inet.tcp.rfc3390 defaults to 2 now which uses the 10*MSS, setting it back to 1 brings back the old default of 4*MSS. OK sperreault@, henning@, sthen@, markus@
  Author: claudio | Age: 2012-03-10 | Files: 2 | Lines: -3/+6
* Check if route is still valid when getting the cached rt entry of a pcb. While there make sure we do the lookup in the correct routing table. OK mikeb, henning and phessler
  Author: claudio | Age: 2012-03-06 | Files: 1 | Lines: -1/+8
* Correct the spelling of "transferred" and "transferring" from Tobias Ulmer (tobiasu at tmux.org); ok jmc@, krw@
  Author: guenther | Age: 2012-02-24 | Files: 1 | Lines: -3/+3
* Put an splsoftassert(IPL_SOFTNET) into in_pcbdetach().
  ok mikeb@
  Author: bluhm | Age: 2012-01-11 | Files: 1 | Lines: -1/+3
* To access the ifaddr of an in_ifaddr or in6_ifaddr struct, it is cleaner to access the first member via ia_ifa instead of casting. No binary change. ok henning@ krw@
  Author: bluhm | Age: 2012-01-03 | Files: 1 | Lines: -8/+7
* When used with socket splicing, tcp_usrreq() might get called with a socket that has an inp but tp is NULL. The call stack for that is tcp_input() tcp_close() soisdisconnected() sorwakeup() somove() tcp_usrreq(PRU_RCVD). To avoid a NULL dereference, just return in that case. ok henning@
  Author: bluhm | Age: 2012-01-03 | Files: 1 | Lines: -2/+6
* Escape hardware-checksumming if interface is in a bridge, this is already done for UDP/TCP/ICMP. This fixes a problem where checksumming would not be computed if you have a bridge with at least one interface with hardware checksumming and another without. Discussed with sthen@ and henning@, this is somewhat a temporary fix, we should not have these special bridge cases in ip_output, as Henning said, the bridge must behave. But for that to work we need to poke the bridge harder, this problem has been seen by at least two users at:
  http://marc.info/?l=openbsd-misc&m=132391433319512&w=2
  http://marc.info/?l=openbsd-misc&m=132234363030132&w=2
  I promised to work on a better diff :-). ok henning@ sthen@ mikeb@
  Author: haesbaert | Age: 2011-12-29 | Files: 1 | Lines: -4/+7
* Fix RFC reference section
  spotted by bluhm@, ok yasuoka@
  Author: sperreault | Age: 2011-12-22 | Files: 1 | Lines: -2/+2
* Compute mandatory UDP checksum for IPv6 packets
  ok yasuoka@ bluhm@
  Author: sperreault | Age: 2011-12-21 | Files: 1 | Lines: -1/+9
* Fix checksum of UDP/TCP packets following RFC 3948. This is required for transport mode IPsec NAT-T. ok markus
  Author: yasuoka | Age: 2011-12-19 | Files: 1 | Lines: -1/+48
* Kill unused IFCAP_IPSEC and IFCAP_IPCOMP.
  ok claudio@ henning@ mikeb@
  Author: haesbaert | Age: 2011-12-02 | Files: 1 | Lines: -5/+3
* Select a routing table according to the rdomain. Allows one to connect to the carp address when the carpdev interface has an ip address too in the non-default rdomain. ok claudio
  Author: mikeb | Age: 2011-11-19 | Files: 1 | Lines: -2/+3
* In the advbase 0 case, we have to use three times the advskew as the master down timeout. OK henning.
  Author: mpf | Age: 2011-10-30 | Files: 1 | Lines: -1/+3
* Lower carp demote count on interface detach, fixes a bug introduced by rev 1.175.
  ok henning mpf
  Author: camield | Age: 2011-10-24 | Files: 1 | Lines: -2/+2
* Use m_pullup() instead of IP6_EXTHDR_GET() to get the carp header in the v6 input path. IP6_EXTHDR_GET() internally uses m_pulldown(), which might return a pointer to a different mbuf in the chain. In this case, carp_cksum() will be called with the wrong mbuf. This fixes occasional checksum mismatches. Problem found and initial fix by stsp@ OK stsp@
  Author: mpf | Age: 2011-10-16 | Files: 1 | Lines: -4/+3
* Respect the ToS setting in tcp syn+ack for IPv4, still need to fix for IPv6. ok claudio@
  Author: haesbaert | Age: 2011-10-15 | Files: 1 | Lines: -2/+3
* Since the IPv6 madness is not enough introduce NAT64 -- which is actually "af-to" a generic IP version translator for pf(4). Not everything perfect yet but let's fix these things in the tree. Insane amount of work done by sperreault@, mikeb@ and reyk@. Looked over by mcbride@ henning@ and myself at eurobsdcon. OK mcbride@ and general put it in from deraadt@
  Author: claudio | Age: 2011-10-13 | Files: 3 | Lines: -3/+224
* Fix various format string types to as a minimum match the width of the variables being processed. ok bluhm@ henning@
  Author: miod | Age: 2011-09-18 | Files: 1 | Lines: -2/+2
* Properly initialize struct carp_if (especially vhif_nvrs) with M_ZERO. This lets carp delete IFF_PROMISC on its carpdev upon destroy. Fix from Stefan Rinkes. OK sthen, bluhm, deraadt.
  Author: mpf | Age: 2011-09-06 | Files: 1 | Lines: -2/+2
* begone, fucking rotten appletalk shit. ok room
  Author: henning | Age: 2011-07-09 | Files: 1 | Lines: -14/+1
* mark carp advertisements to be queued at priority 6. losing them is bad, mkay? ok ryan
  Author: henning | Age: 2011-07-08 | Files: 1 | Lines: -1/+4
* Include PIPEX in kernel by default. And add new sysctl variable `net.pipex.enable' to enable PIPEX. By default, pipex is disabled and it will not process packets from wire. Update man pages and update HOWTO_PIPEX_NPPPD.txt for testers. discussed with dlg@, ok deraadt@ mcbride@ claudio@
  Author: yasuoka | Age: 2011-07-08 | Files: 2 | Lines: -9/+9
* Replace the cruddy old sys/net/zlib.[ch]. We now use the sys/lib/libz code. Missing chunks of the API are imported from the libc version, with a few #ifdef's to port it into the kernel environment. The bootblocks already used the newer code, and should encounter no surprises since there are so few changes to the existing files. In the kernel, ipcomp and kernel ppp are changed to the new API. ipcomp has been tested. ok tedu the brave
  Author: deraadt | Age: 2011-07-07 | Files: 1 | Lines: -2/+3
* Add sysctl net.inet.tcp.always_keepalive, when this is set the system behaves as if SO_KEEPALIVE was set on all TCP sockets, forcing keepalives to be sent every net.inet.tcp.keepidle half-seconds. In conjunction with a keepidle value greatly reduced from the default, this can be useful for keeping sessions open if you are stuck on a network with short NAT or firewall timeouts. Feedback from various people, ok henning@ claudio@
  Author: sthen | Age: 2011-07-06 | Files: 4 | Lines: -7/+16
* consistently use IFQ_SET_MAXLEN, surfaced in a discussion with + ok bluhm
  Author: henning | Age: 2011-07-06 | Files: 2 | Lines: -4/+4
* allow /31s on broadcast interfaces (eg ethernet) to work as per rfc3021. the issue in our kernel was the broadcast address calculated on the /31 caused a ton of checks for use of broadcast addresses to kick in and prevent one of the two addresses on the /31 from being used. this diff basically detects if a /31 has been configured and doesn't configure a broadcast address for it, which makes the ips usable for normal traffic. i wrote this so i could interoperate with "carrier" network gear better, and sthen wants it so he can conserve address space use. the further special casing of broadcast address handling was from claudio@ ok claudio@ markus@ sthen@ henning@
  Author: dlg | Age: 2011-07-06 | Files: 4 | Lines: -10/+27
* fix bizarre and mostly useless initialization of an ifqueue in BSS that again makes assumptions of the ifqueue internals, ok ryan claudio
  Author: henning | Age: 2011-07-05 | Files: 1 | Lines: -2/+3
* ansify
  ok claudio@
  Author: dhill | Age: 2011-07-05 | Files: 6 | Lines: -153/+63
* No need to check proto == IPPROTO_ETHERIP
  fix two typos (protcol -> protocol)
  Author: dhill | Age: 2011-07-04 | Files: 1 | Lines: -5/+4
* Fix to be able to bind a raw socket to 0.0.0.0. It had been broken after 1.54. ok claudio@ sosososo henning@
  Author: yasuoka | Age: 2011-07-04 | Files: 1 | Lines: -6/+5
* Bye bye pf_test6(). Only one pf_test function for both IPv4 and v6. The functions were 95% identical anyway. While there use struct pf_addr in struct pf_divert instead of some union which is the same. OK bluhm@ mcbride@ and most probably henning@ as well
  Author: claudio | Age: 2011-07-04 | Files: 4 | Lines: -11/+11