Commit message  [branch/tag]  (Author, Age; Files, Lines)
* Merge fix from FreeBSD for fragment states not being removed. Ticket #6499  [RELENG_2_3_1]  (Chris Buechler, 2016-06-22; 1 file, -1/+1)
* pf: Fix more ICMP mistranslation  (kp, 2016-05-23; 1 file, -1/+1)

    In the default case fix the substitution of the destination address.

    PR:             201519
    Submitted by:   Max <maximos@als.nnov.ru>
    MFC after:      1 week
    (cherry picked from commit 7ddccc27cd3b8cf9bef3dd5b7b71c8b82e914386)

* pf: Fix ICMP translation  (kp, 2016-05-23; 1 file, -10/+5)

    Fix ICMP source address rewriting in rdr scenarios.

    PR:             201519
    Submitted by:   Max <maximos@als.nnov.ru>
    MFC after:      1 week
    (cherry picked from commit e155a36ec0418be0b8147484b0644e5e50ab7d25)
* Merge remote-tracking branch 'origin/releng/10.3' into RELENG_2_3_1  (Renato Botelho, 2016-05-17; 4 files, -2/+12)

  * - Use unsigned version of min() when handling arguments of SETFKEY ioctl.  (glebius, 2016-05-17; 4 files, -2/+12)

    - Validate that user-supplied control message length in sendmsg(2) is not negative.

    Security:       SA-16:18
    Security:       CVE-2016-1886
    Security:       SA-16:19
    Security:       CVE-2016-1887
    Submitted by:   C Turt <cturt hardenedbsd.org>
    Approved by:    so
* Point repo to RELEASE to lead users directly to 2.3.1  (Renato Botelho, 2016-05-16; 1 file, -2/+2)

* MFC r298676:  (Luiz Otavio O Souza, 2016-05-12; 1 file, -0/+1)

    netipsec: Don't leak memory when deep copy fails

    Reported by:    Coverity
    CID:            1331693
    Sponsored by:   EMC / Isilon Storage Division
    TAG:            IPSEC-HEAD
    (cherry picked from commit 736b7527cfdc5c4f0f0a91ddfaef07ea86ea0e58)
* MFC r298535, r298536 and r298549:  (Luiz Otavio O Souza, 2016-05-12; 4 files, -18/+233)

    Handle non-compressed packets for IPComp in tunnel mode.

    RFC3173 says that the IP datagram MUST be sent in the original
    non-compressed form, when the total size of a compressed payload and
    the IPComp header is not smaller than the size of the original payload.
    In tunnel mode for small packets IPComp will send encapsulated IP
    datagrams without IPComp header.

    Add ip_encap handler for IPPROTO_IPV4 and IPPROTO_IPV6 to handle these
    datagrams. The handler does a lookup for the SA related to the IPComp
    protocol, using the mbuf source and destination addresses as tunnel
    endpoints. It decapsulates packets only when the corresponding SA is found.

    Reported by:    gnn
    Reviewed by:    gnn
    Differential Revision:  https://reviews.freebsd.org/D6062

    r298536:
    Use ipsec_address() function to print IP addresses.

    r298549:
    Fix build for NOINET and NOINET6 kernels.
    Use own protosw structures for both address families. Check proto in
    encapcheck function and use -1 as proto argument in encap_attach_func(),
    both address families can have IPPROTO_IPV4 and IPPROTO_IPV6 protocols.

    Reported by:    bz
    TAG:            IPSEC-HEAD
    (cherry picked from commit a1d2523e7f503ed719420848cc61de12bdf8ab4f)
* MFC r298399:  (Luiz Otavio O Souza, 2016-05-12; 1 file, -2/+0)

    Remove stale function declaration

    TAG:            IPSEC-HEAD
    (cherry picked from commit 7ff0706b79fc0d3f97d53c00e0cbd6e90a9c4204)

* MFC r298398:  (Luiz Otavio O Souza, 2016-05-12; 7 files, -49/+55)

    Constify mbuf pointer for IPSEC functions where mbuf isn't modified.

    TAG:            IPSEC-HEAD
    (cherry picked from commit 9570d79d4a30dcd428dd55f2f996c1090c777c52)
* MFC r298332:  (Luiz Otavio O Souza, 2016-05-12; 0 files, -0/+0)

    aesni(4): Initialize error before use

    Reported by:    Coverity
    CID:            1331554
    Sponsored by:   EMC / Isilon Storage Division
    TAG:            IPSEC-HEAD
    (cherry picked from commit 0bfe8f207817729d5666bdea8fee38f24eacf67e)

* MFC r298332:  (Luiz Otavio O Souza, 2016-05-12; 1 file, -0/+1)

    aesni(4): Initialize error before use

    Reported by:    Coverity
    CID:            1331554
    Sponsored by:   EMC / Isilon Storage Division
    TAG:            IPSEC-HEAD
    (cherry picked from commit 0bfe8f207817729d5666bdea8fee38f24eacf67e)
* MFC r297014:  (Luiz Otavio O Souza, 2016-05-12; 1 file, -1/+1)

    Fix handling of net.inet.ipsec.dfbit=2 variable.
    IP_DF macro is in host byte order, but ip_off field is in network
    byte order. So, use htons() for correct check.

    TAG:            IPSEC-HEAD
    (cherry picked from commit a7ce017c2848df1f6ccac912b14d32c38a74c3b8)

* MFC r296806:  (Luiz Otavio O Souza, 2016-05-12; 1 file, -1/+2)

    Put IPSec's announcement of its successful initialisation under
    bootverbose: now that it's a default kernel option, we don't really
    need to tell the world about it on every boot, especially as it won't
    be used by most users.

    TAG:            IPSEC-HEAD
    (cherry picked from commit 16348e7e1c1d4fb0de01bf45b6646f8a258b613b)
* MFC r296303:  (Luiz Otavio O Souza, 2016-05-12; 1 file, -0/+1)

    Set tres to NULL to avoid a double free if the m_pullup() below fails.

    Reviewed by:    glebius
    MFC after:      1 week
    Differential Revision:  https://reviews.freebsd.org/D5497
    TAG:            IPSEC-HEAD
    (cherry picked from commit b2f9e794c95db742bed25781e3287d5f53111edb)

* MFC r292963:  (Luiz Otavio O Souza, 2016-05-12; 24 files, -969/+2112)

    Break up opencrypto/xform.c so it can be reused piecemeal

    Keep xform.c as a meta-file including the broken out bits
    existing code that includes xform.c continues to work as normal
    Individual algorithms can now be reused elsewhere, including outside of the kernel

    Reviewed by:    bapt (previous version), gnn, delphij
    Approved by:    secteam
    MFC after:      1 week
    Sponsored by:   ScaleEngine Inc.
    Differential Revision:  https://reviews.freebsd.org/D4674
    TAG:            IPSEC-HEAD
    (cherry picked from commit 271bb86c6bc2052797fce3ea16d42b3a60ec388c)
* MFC r290982:  (Luiz Otavio O Souza, 2016-05-12; 3 files, -8/+32)

    Implement the sadb_x_policy_priority field as it is done in Linux:
    lower priority policies are inserted first.

    Submitted by:   Emeric Poupon <emeric.poupon@stormshield.eu>
    Reviewed by:    ae
    Sponsored by:   Stormshield
    TAG:            IPSEC-HEAD
    (cherry picked from commit 25996276a907484d8fc26a6a9a79827367bfcfc0)

* MFC r290924:  (Luiz Otavio O Souza, 2016-05-12; 3 files, -9/+3)

    Use explicitly specified ivsize instead of blocksize when we mean IV size.
    Set zero ivsize for enc_xform_null and remove special handling from
    xform_esp.c.

    Reviewed by:    gnn
    Differential Revision:  https://reviews.freebsd.org/D1503
    TAG:            IPSEC-HEAD
    (cherry picked from commit c23a05e2de0834d542caafe185dcb440b47051a5)
* MFC r288418:  (Luiz Otavio O Souza, 2016-05-12; 6 files, -20/+7)

    Take extra reference to security policy before calling crypto_dispatch().

    Currently we perform crypto requests for IPSEC synchronously for most
    crypto providers (software, aesni) and only VIA padlock calls the crypto
    callback asynchronously. In synchronous mode it is possible that the
    security policy will be removed while the crypto request is being
    processed, and the crypto callback will release the last reference to
    the SP. Then, upon return into ipsec[46]_process_packet(),
    IPSECREQUEST_UNLOCK() will be called on an already freed request.
    To prevent this we take an extra reference to the SP.

    PR:             201876
    Sponsored by:   Yandex LLC
    TAG:            IPSEC-HEAD
    (cherry picked from commit 3e1742ed6cd844d82787f2fa5cd57652805c6b34)

* MFC r282047:  (Luiz Otavio O Souza, 2016-05-12; 2 files, -6/+2)

    Remove now unneeded KEY_FREESP() for the case when
    ipsec[46]_process_packet() returns EJUSTRETURN.

    Sponsored by:   Yandex LLC
    TAG:            IPSEC-HEAD
    (cherry picked from commit 197b7eb2f8155f5426a8399ee2316bc6363484bc)
* Correct repo descr. Ticket #6136  (Chris Buechler, 2016-05-05; 2 files, -2/+2)

* Merge remote-tracking branch 'origin/releng/10.3' into RELENG_2_3  (Renato Botelho, 2016-05-04; 12 files, -28/+81)

  * Fix multiple OpenSSL vulnerabilities. [SA-16:17]  (delphij, 2016-05-04; 12 files, -28/+81)

    Fix performance regression in libc hash(3). [EN-16:06]
    Fix excessive latency in x86 IPI delivery. [EN-16:07]
    Fix memory leak in ZFS. [EN-16:08]

    Approved by:    so
* Revive the sysctl net.inet.ip.fastforward to control the tryforward use.  (Luiz Otavio O Souza, 2016-05-03; 1 file, -2/+7)

    This is mainly provided for debug aid and should not be used in common
    cases. The fastforward sysctl is enabled by default.

    (cherry picked from commit 15f18a5ce3e8c7bc5a9604d5378609441f680b10)

* Merge remote-tracking branch 'origin/releng/10.3' into RELENG_2_3  (Renato Botelho, 2016-05-03; 187 files, -1243/+4544)

  * Fix ntp multiple vulnerabilities.  (delphij, 2016-04-29; 187 files, -1243/+4544)

    Approved by:    so
* Change default repo to point to 2.3.1-devel for now  (Renato Botelho, 2016-05-03; 1 file, -2/+2)

* Fix devel repo conf syntax  (Renato Botelho, 2016-05-03; 1 file, -2/+2)

* Revert "Handle non-compressed packets for IPComp in tunnel mode."  (Renato Botelho, 2016-04-26; 3 files, -201/+1)

    This reverts commit c718f329f435eb15fb3939ce5c2c1777a009abe6.
* Handle non-compressed packets for IPComp in tunnel mode.  (ae, 2016-04-25; 3 files, -1/+201)

    RFC3173 says that the IP datagram MUST be sent in the original
    non-compressed form, when the total size of a compressed payload and
    the IPComp header is not smaller than the size of the original payload.
    In tunnel mode for small packets IPComp will send encapsulated IP
    datagrams without IPComp header.

    Add ip_encap handler for IPPROTO_IPV4 and IPPROTO_IPV6 to handle these
    datagrams. The handler does a lookup for the SA related to the IPComp
    protocol, using the mbuf source and destination addresses as tunnel
    endpoints. It decapsulates packets only when the corresponding SA is found.

    Reported by:    gnn
    Reviewed by:    gnn
    Differential Revision:  https://reviews.freebsd.org/D6062
    (cherry picked from commit dcf50398ab66cfcba0ae4484efe3b5ce40fb9824)

* cryptostats is failing to build and this was the only recent change, trying without.  (Chris Buechler, 2016-04-24; 3 files, -201/+1)

    Revert "Import patch from https://reviews.freebsd.org/D6062 Ticket #6167"

    This reverts commit e683099e983e453c350827e0a31c3d6da2feaa2b.

* Import patch from https://reviews.freebsd.org/D6062 Ticket #6167  (Chris Buechler, 2016-04-22; 3 files, -1/+201)
* Fix a bug in divert.RELENG_10.diff.  (Luiz Otavio O Souza, 2016-04-17; 1 file, -1/+1)

    Found during the patch reviews for 2.4.

    (cherry picked from commit ea9ba1a51b165fe4540662a900bb800f501bdf74)

* Fixup repos URLs for stable and devel  (Renato Botelho, 2016-04-11; 2 files, -4/+4)

* Revert "Temporary change to final place so users running RC can see it"  (Renato Botelho, 2016-04-11; 1 file, -2/+2)

    This reverts commit 6166da65c07e77e3234251f68519ab717e18db77.

* Temporary change to final place so users running RC can see it  (Renato Botelho, 2016-04-11; 1 file, -2/+2)

* Use signature_type fingerprints for this repo too.  (Chris Buechler, 2016-04-09; 1 file, -2/+4)

* Remove unused files  (Renato Botelho, 2016-04-06; 2 files, -32/+0)

    (cherry picked from commit 29bdadd74852ef850c4bac57b73c8216146c56cc)

* Add new repo conf templates that will be used soon  (Renato Botelho, 2016-04-05; 4 files, -0/+34)
* Merge remote-tracking branch 'origin/releng/10.3' into RELENG_2_3  (Renato Botelho, 2016-03-25; 10 files, -150/+237)

  * Update releng/10.3 to -RELEASE status in preparation for the final  (marius, 2016-03-25; 1 file, -1/+1)

    10.3-RELEASE builds.

    Approved by:    re (implicit)

  * Anticipate the expected 10.3-RELEASE date.  (marius, 2016-03-25; 1 file, -0/+3)

    Approved by:    re (implicit)

  * Set the static abitag to the current value of __FreeBSD_version.  (marius, 2016-03-25; 1 file, -1/+1)

    Approved by:    re (implicit)

  * Prune empty sections.  (gjb, 2016-03-25; 1 file, -107/+0)

    Approved by:    re (implicit)
    Sponsored by:   The FreeBSD Foundation
  * - Update relnotes items:  (hrs, 2016-03-24; 1 file, -4/+57)

      grdc(6) 12-hour mode fixed,
      inetd(8) crash with IPv6 address fixed,
      netstat(1) statistics counter divided by 1024 fixed,
      rc.d/netif now updates only static routes,
      vt(4) kern.vt.bell_enable,
      puc(4) MSI support,
      epair(4) and lagg(4) cloner vnet jail support,
      epair(4) panic fixed,
      lagg(4) per-interface sysctl nodes replaced with ifconfig flags,
      lagg(4) panic fixed,
      SIOCGDRLST_IN6 and SIOCGPRLST_IN6 ioctls removed.

    Approved by:    re (implicit)

  * - Update relnotes items:  (hrs, 2016-03-24; 1 file, -4/+32)

      reword description about ar -D/-U option,
      camcontrol(8) fwdownload improvements,
      pkill -j jailname support,
      timeout(1) added,
      ypinit(8) eui64 NIS map,
      kern.features.invariants sysctl added.

    Approved by:    re (implicit)

  * - Update relnotes items:  (hrs, 2016-03-24; 1 file, -6/+61)

      last reboot now works again,
      mv(1) return value has been fixed,
      mkimg(1) dynamic VHD format fixed,
      pw(8) userdel/usermod -y option,
      watchdogd(8) -x option added,
      rc.firewall now uses ipfw tables when firewall_type="SIMPLE",
      imxwdt driver fixed,
      uart(4) PPS polarity fixed,
      user(4) dev.uart.pps_mode added,
      uftdi(4) new ioctls to read/write eeprom,
      legacy ata(4) drivers removed.

    Approved by:    re (implicit)

  * Fix FPIs.  (hrs, 2016-03-24; 4 files, -12/+18)

    Approved by:    re (implicit)

  * - Fix FPIs and catalog entries.  (hrs, 2016-03-24; 2 files, -27/+77)

    - Fix typos.
    - Update relnotes items:
      ctladm(8) return value bugfix,
      ifconfig -v now displays SFP/SFP+ data,
      add upstream changeset id to the libarchive(3) improvement,
      vt(4) ALT_BREAK_TO_DEBUGGER support added,
      thread_create() API added,
      pms(4) removed from GENERIC for amd64/i386,
      kern.racct.enable fixed,
      cxgbe(4) firmware updated to 1.14.4.0,
      pf(4) logging issue fixed,
      LLENTRY_DELETED event in NDP fixed.
    - Edit items:
      s/Timezone data files/Time zone database/,
      -manage-gids flag is for nfsuserd, not nfsd.

    Approved by:    re (implicit)
  * In preparation for 10.3-RELEASE, revert r296976, i. e. the merge of  (marius, 2016-03-23; 1 file, -1/+0)

    r296416 (head) and r296969 (stable/10) respectively. With SAVESIGVEC
    enabled, csh(1) and tcsh(1) leak signal masks after spawning external
    commands. This causes strange effects like for example SIGTERM not
    being delivered to rc(8) scripts on shutdown albeit these use sh(1),
    if csh(1) or tcsh(1) are used as login shell of root. As such r296976
    causes way more problems than it solves. It is anticipated that a
    proper changeset for the original problem will be issued as an Errata
    Notice post-10.3-RELEASE.

    PR:             208132
    Approved by:    re (gjb)