| Commit message | Author | Files | Lines |
|
|
|
ifconfig(8) shows in its display of interface information.
ok bluhm@
|
|
this will allow for a lot of special casing in places like vlan and
bridge to go away since mpw will do all the same things as any other
ethernet tunnel. another benefit is you can run stuff directly on
the mpw interface to interact with the pseudowire, rather than
requiring a bridge and vether interface. this is like what juniper
calls Pseudowire Service Interfaces.
the caveat is that the implicit vlan or svlan tagging that mpw did
in ethernet-tagged mode now has to be done by hand. however, there
is some indication that different vendors pick different types of
tags, ie, one uses vlan tags and another uses svlan, so being able
to configure the right one has value. it is also possible you would
want to bridge the entire tag stack to another site, so being able
to bridge mpw without it playing with the tags can be useful.
because the if_type on mpw changes from IFT_MPLSTUNNEL to IFT_ETHER,
the semantic used to handle incoming packets in mpls_input is
changed. instead of mpls_input pushing the packets into mpw based
on the if_type being IFT_MPLSTUNNEL, mpw now adds an RTF_LOCAL route
to the mpls table. mpls_input falls through to "outputting" the
packet to mpw_output, which then uses the RTF_LOCAL flag to decide
to input to mpw_input and then ether_input. this semantic will be
applied to mpe soon, which removes all the interface special casing
in mpls_input. the if_type change also means mpw implements the
SIOCGPWE3 ioctl so ldpd can still figure out that the interface is
a pseudowire.
ok claudio@
|
|
cleaner, but should be no functional change.
from Lauri Tirkkonen
|
|
level up.
ok guenther mpi visa
|
|
|
|
ok bcook@ jsing@
|
|
ok phessler@
|
|
|
|
host/port was added in 2001 as an alternative to host:port syntax for
the benefit of IPv6 users. These days there are established standards
for this like [::1]:22 and the slash syntax is easily mistaken for CIDR
notation, which OpenSSH now supports for some things. Remove the slash
notation from ListenAddress and PermitOpen. bz#2335, patch from jjelen
at redhat.com, ok markus@
|
|
|
|
|
|
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2.
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
from a 1.3 handshake.
ok jsing@ tb@
|
|
to the one I intended to commit
|
|
- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
ok jsing@ tb@
|
|
|
|
ok kn@, claudio@, visa@
|
|
ok claudio@, kn@, visa@
|
|
"toss it in man" deraadt@
|
|
unwind(8) is a hybrid validating stub & recursive resolver.
It actively observes the local net to decide how to best resolve
names. It can choose to recurse on its own or talk to dhcp
provided forwarders or statically defined forwarders in the
config file.
The intention is to be able to run it on localhost on every machine.
"toss it in man" deraadt@
|
|
This is probably too much but allows us to keep in sync with
usr.sbin/unbound to be able to easily apply updates.
|
|
This sorts the valid handshakes with respect to ascending flags
value instead of the ad-hoc order produced by the algorithm.
ok jsing
|
|
net80211 and drivers in general. Add ratesets for 'short guard interval'
(SGI) rates, and add SGI support to MiRA. SGI is currently only used by
iwm(4), and of course internally by bwfm(4) firmware.
Ratesets for 11n 40 MHz channels and 11ac will come later.
ok mpi@ phessler@
|
|
OK jsg@
|
|
OK jsg@
|
|
previous version OK deraadt@ patrick@
OK jsg@
|
|
previous version OK deraadt@ patrick@
OK jsg@
|
|
NB: acpi(4) is not hooked up to this yet.
previous version OK deraadt@ patrick@
OK jsg@
|
|
It's not mentioned in RFC4419 and it's not possible for Sophie-Germain
primes greater than 5. bz#2330, from Christian Wittenhorst, ok djm@ tb@
|
|
this makes ldpd open the ioctl socket early so the config parser
can run the SIOCGPWE3 ioctl against the requested interface.
ok claudio@
|
|
|
|
|
|
I'm going to turn mpw into an ethernet interface, which includes
changing its if_type to IFT_ETHER. currently ldpd looks for if_type
IFT_MPLSTUNNEL to decide if an interface is a pseudowire, ie, it's
going to break. the ioctl will let ldpd ask the interface if it is
pseudowire capable as an alternative.
ok claudio@
|
|
progressmeter formatting outside of signal handler context and have
the atomicio callback called for EINTR too. bz#2434 with contributions
from djm and jjelen at redhat.com, ok djm@
|
|
in a single commandline.
|
|
from graph information and cross-checks it against the state
table in tls13_handshake.c.
with help from jsing
|
|
ok bcook
|
|
|
|
this way we do the inet_aton and bad address check in one place,
and just reuse it in the router-id, neighbor, and pseudowire bits.
ok claudio@
|
|
previously ldpd only allowed tcp md5 to be configured against a
neighbor (by ldp router id), but other vendors supported configuring
tcp md5sig by prefix as well as neighbor. this reworks the config
so auth is maintained globally as a list of prefixes that you do
and do not want to do tcp md5sig auth with.
the config statements look more like what is in bgpd.conf now too.
an example of the new config for interoperating with my baby cisco
test network:
on ios:

mpls ldp password required for MPLS
mpls ldp password option 1 for MPLS key-chain LDPAUTH
key chain LDPAUTH
 key 1
  key-string secret
interface Loopback0
 ip address 192.168.0.0 255.255.255.255
end
ip prefix-list MPLS seq 5 permit 192.168.0.0/24
ip access-list standard MPLS

and in ldpd.conf:

router-id 192.168.0.25
tcp md5sig password secret 192.168.0.0/24
address-family ipv4 { interface vmx1 }
this still supports specifying tcp md5sig on neighbors, but that
is syntactic sugar around adding entries to the list of auths.
ok (and lots of help from) claudio@
|
|
|
|
ok bcook
|
|
Currently we validate time input for all four of these syscalls in the
workhorse function dovutimens(). This is bad because both futimes(2)
and utimes(2) have input as timevals that need to be converted to
timespecs. This multiplication can overflow to create a "valid"
input, e.g. if tv_usec is equal to 2^61 (invalid value) on a platform
with 64-bit longs, the resulting tv_nsec is equal to zero (valid value).
This is also a bit wasteful. We acquire a vnode and do other work
under KERNEL_LOCK only to release the vnode when the time input is
invalid.
So, duplicate a bit of code to validate the time inputs before we do
any conversions or real VFS work.
probably still ok tedu@ deraadt@
|
|
than pointer+length; ok markus@
|
|
ok guenther@
|
|
is too full to read one, or if the output buffer is too full to enqueue
a response; feedback & ok dtucker@
|
|
A malicious rpc.bootparamd could corrupt memory, but the kernel has
to trust the local network anyway in a diskless environment. Now
in case of an RPC error, the kernel will stop booting with a specific
panic.
OK claudio@ beck@
|
|
diff from Oscar Endre Edvardsen via misc@ a long time ago.
ok sthen@ dlg@
|
|
|
|
ok beck
Reported-by: syzbot+cc59412ed8429450a1ae@syzkaller.appspotmail.com
|