levels by which they are used. On a typical production setting (no
debug or filter logging) this will save an open/read/close system
call sequence per packet, approximately halving the system overhead
and reducing the overall overhead by 38%.
dd bs=1k count=512 if=/usr/share/dict/web2 |
ssh ppp-linked-host dd of=/dev/null
# time original-ppp -nat -foreground connection
Working in foreground mode
Using interface: tun0
2.822u 2.404s 2:00.31 4.3% 392+496k 8+18io 3pf+0w
# time new-ppp -nat -foreground connection
Working in foreground mode
Using interface: tun0
2.082u 1.173s 1:26.06 3.7% 379+450k 0+18io 0pf+0w
MFC after: 3 weeks
constants NG_*SIZ that include the trailing NUL byte. This change
is mostly mechanical except for the replacement of a couple of snprintf()
and sprintf() calls with strlcpy.
Skinny is the protocol used by Cisco IP phones to talk to Cisco Call
Managers. With this code, one can use a Cisco IP phone behind a FreeBSD
NAT gateway.
Currently, having the Call Manager behind the NAT gateway is not supported.
More information on enabling Skinny support in libalias, natd, and ppp
can be found in those applications' manpages.
PR: 55843
Reviewed by: ru
Approved by: ru
MFC after: 30 days
error) on amd64 when doing pointer subtraction. This bug is already
fixed in gcc-3.3 (waiting for after the branch), and the hack will be
backed out at the first opportunity. This is in the ipv6 code path.
Approved by: re (scottl)
time_t. Deal with the possibility that time_t != int32_t. This boils
down to this sort of thing:
- time(&ut.ut_time);
+ ut.ut_time = time(NULL);
and similar for ctime(3) etc. I've kept it minimal for the stuff
that may need to be portable (or 3rd party code), but used Matt's time32
stuff for cases where that isn't as much of a concern.
Approved by: re (jhb)
it as being in range.
set ifaddr 1.2.3.4/0 5.6.7.8/0
no longer allows 0.0.0.0 as a valid IP.
Reported/tested by: Bohdan Horst <nexus@hoth.amu.edu.pl>
MFC after: 3 days
contributor)
- support ipv6cpretry and ipv6cpretries, which are IPv6 versions
of ipcpretry and ipcpretries.
- improve handling of IPv6 link-local addresses
Submitted by: JINMEI Tatuya <jinmei@isl.rdc.toshiba.co.jp>
called <machine/_types.h>.
o <machine/ansi.h> will continue to live so it can define MD clock
macros, which are only MD because of gratuitous differences between
architectures.
o Change all headers to make use of this. This mainly involves
changing:
#ifdef _BSD_FOO_T_
typedef _BSD_FOO_T_ foo_t;
#undef _BSD_FOO_T_
#endif
to:
#ifndef _FOO_T_DECLARED
typedef __foo_t foo_t;
#define _FOO_T_DECLARED
#endif
Concept by: bde
Reviewed by: jake, obrien
Objected to by: Andre Oppermann <oppermann@pipeline.ch>
After Andre's objection, I've re-examined rfc 2759 and noted that it
says that the domain name shouldn't be used when generating the
NT-Response field. So it looks like the bug is in freeradius rather
than in ppp.
This removes a bad latency problem during initial setup where we
end up waiting for too long before reading the connected message
and time the connection out.
Problem figured out by: Andre Albsmeier <andre@albsmeier.net>
path... after we've talked to any RADIUS servers involved, so that we
haven't touched the data before it gets to the server.
Make it clearer in the code that this compensation is done by setting
a flag to a value of zero, a flag which rfc2759 says *MUST* be zero.
While we're here, don't bother passing the peer challenge into
radius_Authenticate(). It's already part of the key we're passing in
(this becomes obvious now that I've structured that data...).
This ``fix'' doesn't help to authenticate Win98/WinME users in my test
environment as ports/net/freeradius seems to ignore the flag
completely anyway, but it may help with other RADIUS servers.
RAD_MICROSOFT_MS_CHAP_ERROR and RAD_MICROSOFT_MS_CHAP2_SUCCESS
messages, and remove the hack in chap.c to ignore that ident field
on the client side.
This anomoly was hacked around during development, and I forgot to
go back and fix it properly.
Spotted by: Sergey Korolew <ds@rt.balakovo.ru>
RAD_MICROSOFT_MS_MPPE_ENCRYPTION_POLICY
RAD_MICROSOFT_MS_MPPE_ENCRYPTION_TYPES
RAD_MICROSOFT_MS_MPPE_RECV_KEY
RAD_MICROSOFT_MS_MPPE_SEND_KEY
These attributes may be supplied by a RADIUS server when MSCHAPv2 is
used to authenticate.
It *should* now be possible to build ppp with -DNODES and still support
CHAP/MSCHAP/MSCHAPv2/MPPE via a RADIUS server, but the code isn't yet
smart enough to do that (building with -DNODES just looses these
facilities).
Sponsored by: Monzoon
sufficient.
In fact, using both breaks the radiator RADIUS daemon when used with
a db as it maps both attributes to the same field value and then
fails the insert.
I decided to remove RAD_NAS_IP_ADDRESS on the basis that rfc2138 says:
An Access-Request MUST contain a User-Name attribute. It SHOULD
contain either a NAS-IP-Address attribute or NAS-Identifier
attribute (or both, although that is not recommended). It MUST
despite the fact that this not recommended bit was removed from the
updated rfc.
configured).
Handle internal failures in radius_Authenticate() correctly.
Bump the ppp version number.
This doesn't yet work with MPPE. More will follow.
Sponsored by: Mozoon
o Bump version number to 3.0.4
o When talking to a RADIUS server, provide a NAS-Port-Type.
When the NAS-Port-Type is Ethernet, provide a NAS-Port value equal
to the SESSIONID from the environment in direct mode or the
NGM_PPPOE_SESSIONID message in other modes. If no SESSIONID is found,
default to the interface index in client mode or zero in server mode.
When the NAS-Port-Type is ISDN, set the NAS-Port to the minor number
of the physical device (ie, the N in /dev/i4brbchN).
This makes it easier for the RADIUS server to identify the client
WRT accounting data etc.
Prompted by: lsz8425 <lsz8425@mail.cd.hn.cn>
just send PROTO_IP packets when we've got only one link up in multi-link
mode.
Problem noted by: Adrian Close <adrian@fernhilltec.com.au>
MFC after: 1 week
instead of u_char *.
The changes are cosmetic except:
RecvConfigAck() now displays the options that are being ACK'd
Huge (bogus) options sent from the peer won't cause an infinite loop
SendIdent and ReceiveIdent are displayed consistenlty with other FSM data
LCP AUTHPROTO options that aren't understood are NAK'd, not REJ'd
discipline to do the async escaping, but no other benefits are available yet.
Change ``ifdef HAVE_DES'' to ``ifndef NODES'' for consistency.
Make the Makefile a little more sane WRT RELEASE_CRUNCH.
deprecated in favor of the POSIX-defined lowercase variants.
o Change all occurrences of NTOHL() and associated marcros in the
source tree to use the lowercase function variants.
o Add missing license bits to sparc64's <machine/endian.h>.
Approved by: jake
o Clean up <machine/endian.h> files.
o Remove unused __uint16_swap_uint32() from i386's <machine/endian.h>.
o Remove prototypes for non-existent bswapXX() functions.
o Include <machine/endian.h> in <arpa/inet.h> to define the
POSIX-required ntohl() family of functions.
o Do similar things to expose the ntohl() family in libstand, <netinet/in.h>,
and <sys/param.h>.
o Prepend underscores to the ntohl() family to help deal with
complexities associated with having MD (asm and inline) versions, and
having to prevent exposure of these functions in other headers that
happen to make use of endian-specific defines.
o Create weak aliases to the canonical function name to help deal with
third-party software forgetting to include an appropriate header.
o Remove some now unneeded pollution from <sys/types.h>.
o Add missing <arpa/inet.h> includes in userland.
Tested on: alpha, i386
Reviewed by: bde, jake, tmm
using the part after the ``\'' if the original name is not found.
This allows M$ clients to use domain\user as their authname.
Reviewed by: Ian West <ian@niw.com.au>
to the routing socket.
The local address on a point-to-point interface is not actually a
gateway address - despite it appearing in the second column of
netstat -r's output. Providing a gateway to an RTM_CHANGE will
currently change the route's interface so that it's using the
specified gateway - not what we want.
Patiently explained to me by: ru
up in the same way that we expect them to be when we read them.
This is a no-op on i386 and probably on alphas, as we currently
only support AF_INET and AF_INET6.
of 0.0.0.0.
The OpenBSD PF_ROUTE/NET_RT_DUMP sysctl is sending back routes with
RTAX_NETMASK set, but the corresponding sockaddr being 4 zero bytes
(with an address family of zero). ppp was getting confused by this
and ending up interpreting it as a 0.0.0.0/32 routing table
destination and subsequently failing to do anything with the route.
Specifically, after this fix, ppp under OpenBSD can successfully
change and delete the default route again !
ncprange structure.
Don't write() the netmask for IPv6 sockaddrs to the routing socket if
the prefixlen is 128.
It seems that messages written to the routing socket with the scopeid
set for link local addresses are not understood. Instead, we have to
put the scopeid in the 5th and 6th bytes of the address (see
adjust_linklocal() in ncpaddr.c). I think this may be a bug in the
KAME implementation - it should really understand both forms.
Add an ``UPTIME'' variable to indicate the bundle uptime.
It's now possible to put something like this in ppp.linkdown
for a server setup:
MYADDR:
log Session closing: User USER, address HISADDR, up UPTIME
Fixed some memory leakage with commands that expand words.
Made some functions static.
Fixed a diagnostic bug (iface add .... SIOCDIFADDR)
not setting any timer. Instead, set a 1 millisecond timer.
This ensures that ppp will come out of it's select() call after
losing carrier in -ddial mode with a reconnect period of 0 and
going to ST_OPENING, rather than waiting indefinitely for some
other event to wake ppp up.
Bump the ppp version number to indicate the event.
MFC after: 3 days