be sure to dummy read the packet if memory allocation has failed. XXX more sanity check
implement high/low watermark on pmtud host route entries. create up to hiwat host route entries, if icmp6 too big message is validated. create up to lowat host route entries, if too big message is not validated (= traffic is from non-connected pcb). XXX hiwat/lowat default values
allow non-validated too big message, if we are < lowat. allow validated too big message, if we are < hiwat. XXX pick a victim and allow validated too big message, if we are in lowat < x < hiwat.
results. it is up to icmp6_mtudisc_update, whether to install the pmtu result into the routing table, or to ignore it. this is to allow non-validated icmp6 too big messages to be installed if # of pmtud-generated routing entries is small enough.
…isabling miP6 stuff...
* kame/sys/netinet6/ipsec.c (ipsec6_output_trans): when an ipsec SA cannot be found while ipsec is required, send an icmp6 dst_unreach_admin error (instead of silent discard). NOTE: Please be sure to update icmp6.c as well.
send an icmp6 dst_unreach_admin error (instead of silent discard). XXX should be blocked by an ifdef?
* kame/sys/netinet6/icmp6.c (icmp6_reflect): - processed scoped addresses in a generic manner. - used in6_selectsrc to determine the source address of the reflected packet.
* kame/sys/netkey/key.c (key_cmpspidx_withmask): compared sin6_scope_id values only when both values were non-zero. Without this fix, ::/0 would not match fe80::1%ne0, which could be a security hole. TODO: there seem to be additional misuses of scope in this file. We'll have to fix them eventually.
the acquire message, and if 1. its state is less than PHASE2ST_ESTABLISHED, then racoon should ignore such an acquire message because the phase 2 is just negotiating. 2. its state is equal to PHASE2ST_ESTABLISHED, then racoon has to process such an acquire message because racoon may have lost the expire message.
non zero. I'm not sure this is the best fix, but without this, ::/0 would never match a scoped address...
for userland, old name is available via #define
It will remain until snap users confirm to remove them.
…e SA without the mode. Because SA can be distinguished by only the destination address and protocol, SPI at local system. Note that a mode is just optional information of SA. The original problem was that there was a bug in key_add().
the destination address and protocol, SPI at local system.