[Swan-commit] Changes to ref refs/heads/matt-testing
Paul Wouters
paul at vault.libreswan.fi
Wed Jul 17 21:54:05 EEST 2013
New commits:
commit eab19fa5a5888e294f110138f8c2f50c638cacd3
Merge: 4d00853 01a73a7
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Jul 17 14:53:45 2013 -0400
Merge branch 'master' into matt-testing
commit 01a73a765d7c65c13d9cbe44be157ff79a32ac7a
Merge: 1d491ad 325d967
Author: Tuomo Soini <tis at foobar.fi>
Date: Mon Jul 15 22:14:36 2013 +0300
Merge branch 'lswbz130'
commit 325d967599bbdfc245f33dd5f7d6b0846830e4d0
Author: Tuomo Soini <tis at foobar.fi>
Date: Mon Jul 15 22:14:09 2013 +0300
update CHANGES for bug#130
commit d9d09c86e44639a89cb6709d1dc01101e9e5611e
Author: Marc-Christian Petersen <m.c.p at gmz.de>
Date: Mon Jul 15 22:07:40 2013 +0300
packaging: debian debuild creates a deb with /usr/libexec contents (bug #130)
Signed-off-by: Tuomo Soini <tis at foobar.fi>
commit 1d491adc75a5f8ba924dbc0b69928b2e8471e8c2
Merge: f71e403 05f01b1
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Jul 15 13:49:23 2013 -0400
Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan
commit f71e403a15bc2d40c59937535032cfcbd7dbc1ae
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Jul 15 13:48:35 2013 -0400
systemd: Add an alias for 'pluto' so "systemctl start pluto.service" works
commit 05f01b1d76dd49f3fe47b276c21c301daa05c698
Author: Tuomo Soini <tis at foobar.fi>
Date: Sun Jul 14 21:27:23 2013 +0300
CHANGES: update for sysvinit status
commit 9b721e00d5c7f9a6d6a93379052e373ef07b542a
Author: Tuomo Soini <tis at foobar.fi>
Date: Sun Jul 14 21:25:03 2013 +0300
sysvinit: status function used incorrect variable for pid file location
commit e302100a2211c1ce703b2e5ac5707544411fa177
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Jul 14 13:28:48 2013 -0400
updated changes
commit 08f735e881d314f5b38b55cbc8a9d7abdb9b18f8
Author: Paul Wouters <pwouters at redhat.com>
Date: Sun Jul 14 13:27:39 2013 -0400
pluto: workaround for Cisco VPN clients sending extraneous bytes
commit aba60a4fcc11765ecd2fb9352427c722a704bd8a
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Jul 13 15:51:56 2013 -0400
fix typo in changes
commit 85fd0992929f3d230dae2cb13fd2e105b83a5eae
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Jul 13 15:47:32 2013 -0400
updated changes
commit 2a1023c68659ceb831e3a41a16844884b7cb1ce9
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Jul 13 15:11:00 2013 -0400
fix #128 entry in CHANGES
commit 869bb128670ef5ad8d96cad50d0d0681a4cf5c9f
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Jul 13 15:09:06 2013 -0400
updated changes
commit 87101c5ad2a44e67c1e7b050ec27e02e52e8e213
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Jul 13 15:05:51 2013 -0400
updated changes
commit 0438445d58db20c9a545a30dedf2040bc151a19f
Author: Paul Wouters <pwouters at redhat.com>
Date: Sat Jul 13 14:59:03 2013 -0400
pluto: prevent curl from sending confusing signals crashing pluto (lsbz#128)
This would manifest itself when you need a CRL to bring up the tunnel,
but the CRL fetch location is on the other end of the tunnel (or otherwise
resolving fails)
See also: https://bugzilla.redhat.com/show_bug.cgi?id=539809
libcurl built without an asynchronous resolver library uses
alarm() to time out DNS lookups. When a timeout occurs,
this causes libcurl to jump from the signal handler back
into the library with a sigsetjmp, which effectively
causes libcurl to continue running within the signal
handler. This is non-portable and could cause problems on
some platforms. A discussion on the problem is available at
http://curl.haxx.se/mail/lib-2008-09/0197.html
Also, alarm() provides timeout resolution only to the nearest
second. alarm ought to be replaced by setitimer on systems that
support it.
Note this seems to have happened in Fedora, but not yet in RHEL6
commit 438606cf1157d547d80712cd210dab198c9b5ff9
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Jul 11 15:24:50 2013 -0400
update changes
commit 69b0da9e70d4efdb019029af2916ecc3d03daaf3
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Jul 11 15:23:40 2013 -0400
look: Don't cause loading of iptables kernel modules (rhbz#954249)
commit c1b8876c2cde4b95129fe7e2d0c90c21e15f7020
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Jul 10 19:03:18 2013 -0400
testing: generate CRL with leading zero byte for testing rhbz#958969
commit a78fff2479a9f6c17c6c3e403e213aeefef914e6
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Jul 10 14:30:26 2013 -0400
updated changes
commit 733b11759b3a5bdc740c525f0a6a6375d2da5b10
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Jul 10 14:28:13 2013 -0400
barf: We could still cause ip_tables kernel modules to load (rhbz#954249)
commit 1ecf9f5dfc544aaee4fc804929ea2f7279d6411d
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Jul 8 13:02:34 2013 -0400
packaging: Fix systemd script Alias target (rhbz#982166)
commit 72fa77b4deb891ec83c270b047dda12b4c4be306
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri Jun 28 16:57:09 2013 -0400
packaging: Update spec file for fedora 18, and add one for fedora 17
The difference between the two is minor, only systemd macros
commit a70448dd66760fa047af9902e233504ceb620a1a
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri Jun 28 16:10:41 2013 -0400
update changes
commit 2296c4934a294b40c0b3f36302f7a1222e6f1cc6
Author: Paul Wouters <pwouters at redhat.com>
Date: Fri Jun 28 10:39:21 2013 -0400
newhostkey: help the user when nssdb is not initialized yet
commit e4f416e3f6ebb1a813d31c99e5b92cc4c24cdb17
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Jun 27 17:41:30 2013 -0400
updated changes
commit 95bf6c54be76fbca6b675bcca5ff96225993bd70
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Jun 27 17:37:19 2013 -0400
_stackmanager: re-add support for hidetos=
This support was lost when _realsetup/_start* was merged into
_stackmanager
commit df94c9eebd942762a0cb9a6b680963cf3f81b458
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Jun 27 17:32:42 2013 -0400
KLIPS: change default for hidetos (quality of service) to yes
The ToS field was supposed to be hidden per default using the hidetos=yes
default in "config setup". This was read by _realsetup to set the ipsec.ko
option via /proc/sys/net/ipsec/tos. At least since openswan 2.0.0, and
probably earlier, this was no longer being set.
The default upon loading the KLIPS kernel module is now to enable it.
A separate commit will re-add support to _stackmanager to disable this
when the user specifies hidetos=no in "config setup"
commit 1c7695d0fdfb793f20e791651001389ba72189ac
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Jun 27 16:37:58 2013 -0400
_stackmanager: add support back for overridemtu=
commit 8998e906fb0ac5156b8c95589d92d424b12bd7a4
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Jun 27 16:22:32 2013 -0400
_stackmanager: add support back for fragicmp= and fix man page
_stackmanager did not support the fragicmp= option that _realsetup
did. This commit fixes that.
Although the man page said fragicmp defaults to yes, and the parser
set it to yes as well, I cannot find any openswan 2.x version that
actually defaulted it to yes. Although there was a comment in _realsetup.in
saying IPSECfragicmp = yes, the KLIPS code actually has:
int sysctl_ipsec_icmp = 0;
(in ipsec_xmit.c in older versions, ipsec_proc.c in newer versions)
So while the parser would claim fragicmp=yes, the KLIPS option actually has
it disabled, as can be seen from performing a modprobe ipsec, and running
cat /proc/sys/net/ipsec/icmp
I changed the parser to set it to "no" per default, and _stackmanager will
only set the proc value to 1 when it sees fragicmp=yes (the non-default)
I also updated the man page.
I opted for changing the man page instead of the code, because as far as I
tracked it down (to openswan 2.3.1) it was already disabled in KLIPS and
_realsetup.in.
commit fcfa2b59885c0b9d20f26e127e2011a3062bab9c
Merge: 90408e0 f147035
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Jun 27 10:28:09 2013 -0400
Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan
commit 90408e0c76d69f24f86143d852cbd470ef10829f
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Jun 27 10:27:53 2013 -0400
updated changes
commit bd22428c1ce73dbccc26398020966218c179cf70
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Jun 27 10:26:51 2013 -0400
_stackmanager: bring mast0 up even if module was already loaded [neoXite]
The module load creates mast0, but does not necessarily set the interface
to up.
commit f147035ae1369a37b537969c38c2e4e0b99c0435
Author: Tuomo Soini <tis at foobar.fi>
Date: Wed Jun 26 21:32:36 2013 +0300
_stackmanager: fix shellscript syntax - line continuation must be marked
commit b61d4fc97894d1b3239851fba0a7f7923ed78c24
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Jun 26 12:22:54 2013 -0400
scripts: Don't load nat/mangle kernel modules just for listing (rhbz#954249)
If the tables are not loaded already, don't load them just to list
empty tables.
commit 3cb96613cced50defd4c0fa41233737ae7d0834c
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Jun 26 12:22:15 2013 -0400
MAST: Add support for IPv6 iptables mangle table in updown.mast
commit 9bcaeafb4725ccacba6e00af04b27e41b826ba2f
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Jun 26 12:21:25 2013 -0400
_stackmanager: modprobe for timeriomem-rng and tpm-rng at startup
commit 1435838ecc51872c1d9f735c3dea185913f5c3f8
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Jun 26 12:20:15 2013 -0400
_stackmanager: Move iptables mangle rules to MAST only section
Also only try to clear when the mangle table is actually loaded.
Add support for IPv6 mangle tables
commit 714b066cdf327e5875e55b2df6b81506207bead7
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Jun 25 22:40:02 2013 -0400
testing: Converted the loopback/labeled ipsec testcases to KVM
They are still showing a problem of not being able to find the PSK
for localhost in the secrets file.