[Swan-commit] Changes to ref refs/heads/matt-testing

Paul Wouters paul at vault.libreswan.fi
Wed Jul 17 21:54:05 EEST 2013


New commits:
commit eab19fa5a5888e294f110138f8c2f50c638cacd3
Merge: 4d00853 01a73a7
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Jul 17 14:53:45 2013 -0400

    Merge branch 'master' into matt-testing

commit 01a73a765d7c65c13d9cbe44be157ff79a32ac7a
Merge: 1d491ad 325d967
Author: Tuomo Soini <tis at foobar.fi>
Date:   Mon Jul 15 22:14:36 2013 +0300

    Merge branch 'lswbz130'

commit 325d967599bbdfc245f33dd5f7d6b0846830e4d0
Author: Tuomo Soini <tis at foobar.fi>
Date:   Mon Jul 15 22:14:09 2013 +0300

    update CHANGES for bug#130

commit d9d09c86e44639a89cb6709d1dc01101e9e5611e
Author: Marc-Christian Petersen <m.c.p at gmz.de>
Date:   Mon Jul 15 22:07:40 2013 +0300

    packaging: debian debuild creates a deb with /usr/libexec contents (bug #130)
    
    Signed-off-by: Tuomo Soini <tis at foobar.fi>

commit 1d491adc75a5f8ba924dbc0b69928b2e8471e8c2
Merge: f71e403 05f01b1
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Jul 15 13:49:23 2013 -0400

    Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan

commit f71e403a15bc2d40c59937535032cfcbd7dbc1ae
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Jul 15 13:48:35 2013 -0400

    systemd: Add an alias for 'pluto' so "systemctl start pluto.service" works

commit 05f01b1d76dd49f3fe47b276c21c301daa05c698
Author: Tuomo Soini <tis at foobar.fi>
Date:   Sun Jul 14 21:27:23 2013 +0300

    CHANGES: update for sysvinit status

commit 9b721e00d5c7f9a6d6a93379052e373ef07b542a
Author: Tuomo Soini <tis at foobar.fi>
Date:   Sun Jul 14 21:25:03 2013 +0300

    sysvinit: status function used incorrect variable for pid file location

commit e302100a2211c1ce703b2e5ac5707544411fa177
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Jul 14 13:28:48 2013 -0400

    updated changes

commit 08f735e881d314f5b38b55cbc8a9d7abdb9b18f8
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sun Jul 14 13:27:39 2013 -0400

    pluto: work around for Cisco VPN clients sending extraneous bytes

commit aba60a4fcc11765ecd2fb9352427c722a704bd8a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Jul 13 15:51:56 2013 -0400

    fix typo in changes

commit 85fd0992929f3d230dae2cb13fd2e105b83a5eae
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Jul 13 15:47:32 2013 -0400

    updated changes

commit 2a1023c68659ceb831e3a41a16844884b7cb1ce9
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Jul 13 15:11:00 2013 -0400

    fix #128 entry in CHANGES

commit 869bb128670ef5ad8d96cad50d0d0681a4cf5c9f
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Jul 13 15:09:06 2013 -0400

    updated changes

commit 87101c5ad2a44e67c1e7b050ec27e02e52e8e213
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Jul 13 15:05:51 2013 -0400

    updated changes

commit 0438445d58db20c9a545a30dedf2040bc151a19f
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Jul 13 14:59:03 2013 -0400

    pluto: prevent curl from sending confusing signals crashing pluto (lsbz#128)
    
    This would manifest itself when you need a CRL to bring up the tunnel,
    but the CRL fetch location is on the other end of the tunnel (or otherwise
    resolving fails).
    
    See also: https://bugzilla.redhat.com/show_bug.cgi?id=539809
    
    	libcurl built without an asynchronous resolver library uses
    	alarm() to time out DNS lookups. When a timeout occurs,
    	this causes libcurl to jump from the signal handler back
    	into the library with a sigsetjmp, which effectively
    	causes libcurl to continue running within the signal
    	handler. This is non-portable and could cause problems on
    	some platforms. A discussion on the problem is available at
    	http://curl.haxx.se/mail/lib-2008-09/0197.html
    
    	Also, alarm() provides timeout resolution only to the nearest
    	second. alarm ought to be replaced by setitimer on systems that
    	support it.
    
    Note this seems to have happened in Fedora, but not yet in RHEL6
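
The quoted libcurl note describes two separate hazards: alarm() only counts whole seconds, and jumping out of the SIGALRM handler with sigsetjmp/siglongjmp leaves the program effectively running inside a signal handler. The following is an added example, not libreswan's or libcurl's code and not what this commit changed: a deadline built on setitimer() for sub-second resolution, with a handler that does nothing but set a sig_atomic_t flag that the blocking code polls (and that makes the blocking call fail with EINTR, since SA_RESTART is not set). The "lookup" is a constructed stand-in that sleeps in 10 ms slices; a real getaddrinfo() call would be interrupted the same way. For libcurl itself the usual escape hatch is CURLOPT_NOSIGNAL, which stops it installing SIGALRM handlers (at the cost of the DNS timeout on builds without an asynchronous resolver), or building against c-ares or the threaded resolver.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>
#include <time.h>
#include <unistd.h>

/* Set by the SIGALRM handler; that is the only thing the handler does. */
static volatile sig_atomic_t g_timed_out;

static void on_alarm(int signo)
{
    (void)signo;
    g_timed_out = 1;   /* no siglongjmp, no I/O, nothing non-async-signal-safe */
}

/* Arm a one-shot SIGALRM after timeout_ms using setitimer(), which gives
 * sub-second resolution (alarm() only counts whole seconds).  SA_RESTART is
 * deliberately left out so a blocking call returns EINTR instead of resuming. */
static int arm_timeout(long timeout_ms)
{
    struct sigaction sa;
    struct itimerval it;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_alarm;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    if (sigaction(SIGALRM, &sa, NULL) < 0)
        return -1;

    memset(&it, 0, sizeof it);
    it.it_value.tv_sec = timeout_ms / 1000;
    it.it_value.tv_usec = (timeout_ms % 1000) * 1000;
    g_timed_out = 0;
    return setitimer(ITIMER_REAL, &it, NULL);
}

/* Cancel the timer so a late SIGALRM cannot hit unrelated code. */
static void disarm_timeout(void)
{
    struct itimerval off;
    memset(&off, 0, sizeof off);
    setitimer(ITIMER_REAL, &off, NULL);
}

/* Constructed stand-in for a blocking resolver call: it "works" for work_ms
 * in 10 ms slices.  Returns 0 on completion, -1 if the deadline passed first,
 * -2 on a setup or unexpected error.  The only control flow on timeout is an
 * ordinary return; nothing jumps out of the signal handler. */
int lookup_with_timeout(long work_ms, long timeout_ms)
{
    long elapsed_ms = 0;
    int rc = 0;

    if (arm_timeout(timeout_ms) < 0)
        return -2;

    while (elapsed_ms < work_ms) {
        struct timespec slice = { 0, 10L * 1000 * 1000 };  /* 10 ms */
        if (g_timed_out) {        /* deadline reached: give up cleanly */
            rc = -1;
            break;
        }
        /* nanosleep returns early with EINTR when SIGALRM lands; the flag
         * check at the top of the loop picks that up on the next pass. */
        if (nanosleep(&slice, NULL) < 0 && errno != EINTR) {
            rc = -2;
            break;
        }
        elapsed_ms += 10;
    }
    disarm_timeout();
    return rc;
}

int main(void)
{
    printf("fast lookup: %d\n", lookup_with_timeout(50, 500));    /* 0  */
    printf("slow lookup: %d\n", lookup_with_timeout(5000, 100));  /* -1 */
    return 0;
}
```

The second call returns within roughly 110 ms rather than the whole-second granularity alarm() would impose, and the caller decides what to do about the timeout in normal context, which is the property the quoted text says libcurl's sigsetjmp approach lacks.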

commit 438606cf1157d547d80712cd210dab198c9b5ff9
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Jul 11 15:24:50 2013 -0400

    update changes

commit 69b0da9e70d4efdb019029af2916ecc3d03daaf3
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Jul 11 15:23:40 2013 -0400

    look: Don't cause loading of iptables kernel modules (rhbz#954249)

commit c1b8876c2cde4b95129fe7e2d0c90c21e15f7020
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Jul 10 19:03:18 2013 -0400

    testing: generate CRL with leading zero byte for testing rhbz#958969

commit a78fff2479a9f6c17c6c3e403e213aeefef914e6
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Jul 10 14:30:26 2013 -0400

    updated changes

commit 733b11759b3a5bdc740c525f0a6a6375d2da5b10
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Jul 10 14:28:13 2013 -0400

    barf: We could still cause ip_tables kernel modules to load (rhbz#954249)

commit 1ecf9f5dfc544aaee4fc804929ea2f7279d6411d
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Jul 8 13:02:34 2013 -0400

    packaging: Fix systemd script Alias target (rhbz#982166)

commit 72fa77b4deb891ec83c270b047dda12b4c4be306
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Jun 28 16:57:09 2013 -0400

    packaging: Update spec file for fedora 18, and add one for fedora 17
    
    The difference between the two is minor, only systemd macros

commit a70448dd66760fa047af9902e233504ceb620a1a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Jun 28 16:10:41 2013 -0400

    update changes

commit 2296c4934a294b40c0b3f36302f7a1222e6f1cc6
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Jun 28 10:39:21 2013 -0400

    newhostkey: help the user when nssdb is not initialized yet

commit e4f416e3f6ebb1a813d31c99e5b92cc4c24cdb17
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Jun 27 17:41:30 2013 -0400

    updated changes

commit 95bf6c54be76fbca6b675bcca5ff96225993bd70
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Jun 27 17:37:19 2013 -0400

    _stackmanager: re-add support for hidetos=
    
    This support was lost when _realsetup/_start* was merged into
    _stackmanager

commit df94c9eebd942762a0cb9a6b680963cf3f81b458
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Jun 27 17:32:42 2013 -0400

    KLIPS: change default for hidetos (quality of service) to yes
    
    The ToS field was supposed to be hidden per default using the hidetos=yes
    default in "config setup". This was read by _realsetup to set the ipsec.ko
    option via /proc/sys/net/ipsec/tos. At least since openswan 2.0.0, and
    probably earlier, this was no longer being set.
    
    The default upon loading the KLIPS kernel module is now to enable it.
    A separate commit will re-add support to _stackmanager to disable this
    when the user specifies hidetos=no in "config setup".

commit 1c7695d0fdfb793f20e791651001389ba72189ac
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Jun 27 16:37:58 2013 -0400

    _stackmanager: add support back for overridemtu=

commit 8998e906fb0ac5156b8c95589d92d424b12bd7a4
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Jun 27 16:22:32 2013 -0400

    _stackmanager: add support back for fragicmp= and fix man page
    
    _stackmanager did not support the fragicmp= option that _realsetup
    did. This commit fixes that.
    
    Although the man page said fragicmp defaults to yes, and the parser
    set it to yes as well, I cannot find any openswan 2.x version that
    actually defaulted it to yes. Although there was a comment in _realsetup.in
    saying IPSECfragicmp = yes, the KLIPS code actually has:
    
    	int sysctl_ipsec_icmp = 0;
    
    (in ipsec_xmit.c in older versions, ipsec_proc.c in newer versions)
    
    So while the parser would claim fragicmp=yes, the KLIPS option actually has
    it disabled, as can be seen from performing a modprobe ipsec, and running
    cat /proc/sys/net/ipsec/icmp
    
    I changed the parser to set it to "no" per default, and _stackmanager will
    only set the proc value to 1 when it sees fragicmp=yes (the non-default)
    
    I also updated the man page.
    
    I opted for changing the man page instead of the code, because as far as I
    tracked it down (to openswan 2.3.1) it was already disabled in KLIPS and
    _realsetup.in.

commit fcfa2b59885c0b9d20f26e127e2011a3062bab9c
Merge: 90408e0 f147035
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Jun 27 10:28:09 2013 -0400

    Merge branch 'master' of vault.libreswan.fi:/srv/src/libreswan

commit 90408e0c76d69f24f86143d852cbd470ef10829f
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Jun 27 10:27:53 2013 -0400

    updated changes

commit bd22428c1ce73dbccc26398020966218c179cf70
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Jun 27 10:26:51 2013 -0400

    _stackmanager: bring mast0 up even if module was already loaded [neoXite]
    
    The module load creates mast0, but does not necessarily set the interface
    to up.

commit f147035ae1369a37b537969c38c2e4e0b99c0435
Author: Tuomo Soini <tis at foobar.fi>
Date:   Wed Jun 26 21:32:36 2013 +0300

    _stackmanager: fix shellscript syntax - line continuation must be marked

commit b61d4fc97894d1b3239851fba0a7f7923ed78c24
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Jun 26 12:22:54 2013 -0400

    scripts: Don't load nat/mangle kernel modules just for listing (rhbz#954249)
    
    If the tables are not loaded already, don't load them just to list
    empty tables.

commit 3cb96613cced50defd4c0fa41233737ae7d0834c
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Jun 26 12:22:15 2013 -0400

    MAST: Add support for IPv6 iptables mangle table in updown.mast

commit 9bcaeafb4725ccacba6e00af04b27e41b826ba2f
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Jun 26 12:21:25 2013 -0400

    _stackmanager: modprobe for timeriomem-rng and tpm-rng at startup

commit 1435838ecc51872c1d9f735c3dea185913f5c3f8
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed Jun 26 12:20:15 2013 -0400

    _stackmanager: Move iptables mangle rules to MAST only section
    
    Also only try to clear when the mangle table is actually loaded.
    Add support for IPv6 mangle tables

commit 714b066cdf327e5875e55b2df6b81506207bead7
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Jun 25 22:40:02 2013 -0400

    testing: Converted the loopback/labeled ipsec testcases to KVM
    
    They are still showing a problem of not being able to find the PSK
    for localhost in the secrets file.
