Match either from the allwinner,pipeline entry in the simple-framebuffer
fdt entry, or from console= from the command line.
console=fb0 and console=fb1 selects display backend unit 0 or 1 respectively;
console=fb selects the first activated display backend.
13 March 2018. Summary of changes for version 20180313:
1) ACPICA kernel-resident subsystem:
Implemented various improvements to the GPE support:
1) Dispatch all active GPEs at initialization time so that no GPEs are
lost.
2) Enable runtime GPEs earlier. Some systems expect GPEs to be enabled
before devices are enumerated.
3) Don't unconditionally clear ACPI IRQs during suspend/resume, so that
IRQs are not lost.
4) Add parallel GPE handling to eliminate the possibility of dispatching
the same GPE twice.
5) Dispatch any pending GPEs after enabling for the first time.
AcpiGetObjectInfo - removed support for the _STA method. This was causing
problems on some platforms.
Added a new _OSI string, "Windows 2017.2".
Cleaned up and simplified the module-level code support. These changes
are in preparation for the eventual removal of the legacy MLC support
(deferred execution), replaced by the new MLC architecture which executes
the MLC as a table is loaded (DSDT/SSDTs).
Changed a compile-time option to a runtime option. Changes the option to
ignore ACPI table load-time package resolution errors into a runtime
option. Used only for platforms that generate many AE_NOT_FOUND errors
during boot. AcpiGbl_IgnorePackageResolutionErrors.
Fixed the ACPI_ERROR_NAMESPACE macro. This change involves putting some
ACPI_ERROR_NAMESPACE parameters inside macros. By doing so, we avoid
compilation errors from unused variables (seen with some compilers).
2) iASL Compiler/Disassembler and Tools:
ASLTS: parallelized execution in order to achieve an (approximately) 2X
performance increase.
ASLTS: Updated to use the iASL __LINE__ and __METHOD__ macros. Improves
error reporting.
----------------------------------------
09 February 2018. Summary of changes for version 20180209:
1) ACPICA kernel-resident subsystem:
Completed the final integration of the recent changes to Package Object
handling and the module-level AML code support. This allows forward
references from individual package elements when the package object is
declared from within module-level code blocks. Provides compatibility
with other ACPI implementations.
The new architecture for the AML module-level code has been completed and
is now the default for the ACPICA code. This new architecture executes
the module-level code in-line as the ACPI table is loaded/parsed instead
of the previous architecture which deferred this code until after the
table was fully loaded. This solves some ASL code ordering issues and
provides compatibility with other ACPI implementations. At this time,
there is an option to fallback to the earlier architecture, but this
support is deprecated and is planned to be completely removed later this
year.
Added a compile-time option to ignore AE_NOT_FOUND exceptions during
resolution of named reference elements within Package objects. Although
this is potentially a serious problem, it can generate a lot of
noise/errors on platforms whose firmware carries around a bunch of unused
Package objects. To disable these errors, define
ACPI_IGNORE_PACKAGE_RESOLUTION_ERRORS in the OS-specific header. All
errors are always reported for ACPICA applications such as AcpiExec.
Fixed a regression related to the explicit type-conversion AML operators
(ToXXXX). The regression was introduced early in 2017 but was not seen
until recently because these operators are not fully supported by other
ACPI implementations and are thus rarely used by firmware developers. The
operators are defined by the ACPI specification to not implement the
"implicit result object conversion". The regression incorrectly
introduced this object conversion for the following explicit conversion
operators:
ToInteger
ToString
ToBuffer
ToDecimalString
ToHexString
ToBCD
FromBCD
2) iASL Compiler/Disassembler and Tools:
iASL: Fixed a problem with the compiler constant folding feature as
related to the ToXXXX explicit conversion operators. These operators do
not support the "implicit result object conversion" by definition. Thus,
ASL expressions that use these operators cannot be folded to a simple
Store operator because Store implements the implicit conversion. This
change uses the CopyObject operator for the ToXXXX operator folding
instead. CopyObject is defined to not implement implicit result
conversions and is thus appropriate for folding the ToXXXX operators.
iASL: Changed the severity of an error condition to a simple warning for
the case where a symbol is declared both locally and as an external
symbol. This accommodates existing ASL code.
AcpiExec: The -ep option to enable the new architecture for module-level
code has been removed. It is replaced by the -dp option which instead has
the opposite effect: it disables the new architecture (the default) and
enables the legacy architecture. When the legacy code is removed in the
future, the -dp option will be removed also.
----------------------------------------
05 January 2018. Summary of changes for version 20180105:
1) ACPICA kernel-resident subsystem:
Updated all copyrights to 2018. This affects all source code modules.
Fixed a possible build error caused by an unresolved reference to the
AcpiUtSafeStrncpy function.
Removed NULL pointer arithmetic in the various pointer manipulation
macros. All "(void *) NULL" constructs are converted to "(void *) 0".
This eliminates warnings/errors in newer C compilers. Jung-uk Kim.
Added support for A32 ABI compilation, which uses the ILP32 model. Anuj
Mittal.
2) iASL Compiler/Disassembler and Tools:
ASLTS: Updated all copyrights to 2018.
Tools: Updated all signon copyrights to 2018.
AcpiXtract: Fixed a regression related to ACPI table signatures where the
signature was truncated to 3 characters (instead of 4).
AcpiExec: Restore the original terminal mode after the use of the -v and
-vd options.
ASLTS: Deployed the iASL __METHOD__ macro across the test suite.
----------------------------------------
14 December 2017. Summary of changes for version 20171214:
1) ACPICA kernel-resident subsystem:
Fixed a regression in the external (public) AcpiEvaluateObjectTyped
interface where the optional "pathname" argument had inadvertently become
a required argument returning an error if omitted (NULL pointer
argument).
Fixed two possible memory leaks related to the recently developed "late
resolution" of reference objects within ASL Package Object definitions.
Added two recently defined _OSI strings: "Windows 2016" and "Windows
2017". Mario Limonciello.
Implemented and deployed a safer version of the C library function
strncpy: AcpiUtSafeStrncpy. The intent is to at least prevent the
creation of unterminated strings as a possible result of a standard
strncpy.
Cleaned up and restructured the global variable file (acglobal.h). There
are many changes, but no functional changes.
2) iASL Compiler/Disassembler and Tools:
iASL Table Compiler: Fixed a problem with the DBG2 ACPI table where the
optional OemData field at the end of the table was incorrectly required
for proper compilation. It is now correctly an optional field.
ASLTS: The entire suite was converted from standard ASL to the ASL+
language, using the ASL-to-ASL+ converter which is integrated into the
iASL compiler. A binary compare of all output files has verified the
correctness of the conversion.
iASL: Fixed the source code build for platforms where "char" is unsigned.
This affected the iASL lexer only. Jung-uk Kim.
nbuf_cksum_barrier returns true when the direction is PFIL_OUT and TSO is
active; that is to say, it returns true when the checksum was already
recomputed by the function.
The check should be !nbuf_cksum_barrier, because otherwise we're wrongfully
checksumming twice, and it causes the packet to be kicked later in
tcp_input.
This can be seen with a configuration of the type:
procedure "norm" {
normalize: "max-mss" 15000
}
group default {
pass all apply "norm"
}
The packets systematically get dropped because the checksum validation in
tcp_input fails. With this patch in place, it works.
* Instead of doing several nbuf_advance/nbuf_ensure_contig and
playing with gotos, fetch the TCP options only once, and iterate over
the (safe) area. The code is similar to tcp_dooptions.
* When handling TCPOPT_MAXSEG and TCPOPT_WINDOW, ensure the length is
the one we're expecting. If it isn't, then skip the option. This
wasn't done before, and not doing it allowed a packet to bypass the
max-mss clamping procedure. Discussed on tech-net@.
* [Sec 3454] Unauthenticated packet can reset authenticated interleave
associations. HStenn.
* [Sec 3453] Interleaved symmetric mode cannot recover from bad state. HStenn.
* [Sec 3415] Permit blocking authenticated symmetric/passive associations.
Implement ippeerlimit. HStenn, JPerlinger.
* [Sec 3414] ntpq: decodearr() can write beyond its 'buf' limits
- initial patch by <stenn@ntp.org>, extended by <perlinger@ntp.org>
* [Sec 3412] ctl_getitem(): Don't compare names past NUL. <perlinger@ntp.org>
* [Sec 3012] Sybil vulnerability: noepeer support. HStenn, JPerlinger.
* [Bug 3457] OpenSSL FIPS mode regression <perlinger@ntp.org>
* [Bug 3455] ntpd doesn't use scope id when binding multicast <perlinger@ntp.org>
- applied patch by Sean Haugh
* [Bug 3452] PARSE driver prints uninitialized memory. <perlinger@ntp.org>
* [Bug 3450] Dubious error messages from plausibility checks in get_systime()
- removed error log caused by rounding/slew, ensured postcondition <perlinger@ntp.org>
* [Bug 3447] AES-128-CMAC (fixes) <perlinger@ntp.org>
- refactoring the MAC code, too
* [Bug 3441] Validate the assumption that AF_UNSPEC is 0. stenn@ntp.org
* [Bug 3439] When running multiple commands / hosts in ntpq... <perlinger@ntp.org>
- applied patch by ggarvey
* [Bug 3438] Negative values and values > 999 days in... <perlinger@ntp.org>
- applied patch by ggarvey (with minor mods)
* [Bug 3437] ntpd tries to open socket with AF_UNSPEC domain
- applied patch (with mods) by Miroslav Lichvar <perlinger@ntp.org>
* [Bug 3435] anchor NTP era alignment <perlinger@ntp.org>
* [Bug 3433] sntp crashes when run with -a. <stenn@ntp.org>
* [Bug 3430] ntpq dumps core (SIGSEGV) for "keytype md2"
- fixed several issues with hash algos in ntpd, sntp, ntpq,
ntpdc and the test suites <perlinger@ntp.org>
* [Bug 3424] Trimble Thunderbolt 1024 week millenium bug <perlinger@ntp.org>
- initial patch by Daniel Pouzzner
* [Bug 3423] QNX adjtime() implementation error checking is
wrong <perlinger@ntp.org>
* [Bug 3417] ntpq ifstats packet counters can be negative
made IFSTATS counter quantities unsigned <perlinger@ntp.org>
* [Bug 3411] problem about SIGN(6) packet handling for ntp-4.2.8p10
- raised receive buffer size to 1200 <perlinger@ntp.org>
* [Bug 3408] refclock_jjy.c: Avoid a wrong report of the coverity static
analysis tool. <abe@ntp.org>
* [Bug 3405] update-leap.in: general cleanup, HTTPS support. Paul McMath.
* [Bug 3404] Fix openSSL DLL usage under Windows <perlinger@ntp.org>
- fix/drop assumptions on OpenSSL libs directory layout
* [Bug 3399] NTP: linker error in 4.2.8p10 during Linux cross-compilation
- initial patch by timeflies@mail2tor.com <perlinger@ntp.org>
* [Bug 3398] tests fail with core dump <perlinger@ntp.org>
- patch contributed by Alexander Bluhm
* [Bug 3397] ctl_putstr() asserts that data fits in its buffer
rework of formatting & data transfer stuff in 'ntp_control.c'
avoids unecessary buffers and size limitations. <perlinger@ntp.org>
* [Bug 3394] Leap second deletion does not work on ntpd clients
- fixed handling of dynamic deletion w/o leap file <perlinger@ntp.org>
* [Bug 3391] ntpd segfaults on startup due to small warmup thread stack size
- increased mimimum stack size to 32kB <perlinger@ntp.org>
* [Bug 3367] Faulty LinuxPPS NMEA clock support in 4.2.8 <perlinger@ntp.org>
- reverted handling of PPS kernel consumer to 4.2.6 behavior
* [Bug 3365] Updates driver40(-ja).html and miscopt.html <abe@ntp.org>
* [Bug 3358] Spurious KoD log messages in .INIT. phase. HStenn.
* [Bug 3016] wrong error position reported for bad ":config pool"
- fixed location counter & ntpq output <perlinger@ntp.org>
* [Bug 2900] libntp build order problem. HStenn.
* [Bug 2878] Tests are cluttering up syslog <perlinger@ntp.org>
* [Bug 2737] Wrong phone number listed for USNO. ntp-bugs@bodosom.net,
perlinger@ntp.org
* [Bug 2557] Fix Thunderbolt init. ntp-bugs@bodosom.net, perlinger@ntp.
* [Bug 948] Trustedkey config directive leaks memory. <perlinger@ntp.org>
* Use strlcpy() to copy strings, not memcpy(). HStenn.
* Typos. HStenn.
* test_ntp_scanner_LDADD needs ntpd/ntp_io.o. HStenn.
* refclock_jjy.c: Add missing "%s" to an msyslog() call. HStenn.
* Build ntpq and libntpq.a with NTP_HARD_*FLAGS. perlinger@ntp.org
* Fix trivial warnings from 'make check'. perlinger@ntp.org
* Fix bug in the override portion of the compiler hardening macro. HStenn.
* record_raw_stats(): Log entire packet. Log writes. HStenn.
* AES-128-CMAC support. BInglis, HStenn, JPerlinger.
* sntp: tweak key file logging. HStenn.
* sntp: pkt_output(): Improve debug output. HStenn.
* update-leap: updates from Paul McMath.
* When using pkg-config, report --modversion. HStenn.
* Clean up libevent configure checks. HStenn.
* sntp: show the IP of who sent us a crypto-NAK. HStenn.
* Allow .../N to specify subnet bits for IPs in ntp.keys. HStenn, JPerlinger.
* authistrustedip() - use it in more places. HStenn, JPerlinger.
* New sysstats: sys_lamport, sys_tsrounding. HStenn.
* Update ntp.keys .../N documentation. HStenn.
* Distribute testconf.yml. HStenn.
* Add DPRINTF(2,...) lines to receive() for packet drops. HStenn.
* Rename the configuration flag fifo variables. HStenn.
* Improve saveconfig output. HStenn.
* Decode restrict flags on receive() debug output. HStenn.
* Decode interface flags on receive() debug output. HStenn.
* Warn the user if deprecated "driftfile name WanderThreshold" is used. HStenn.
* Update the documentation in ntp.conf.def . HStenn.
* restrictions() must return restrict flags and ippeerlimit. HStenn.
* Update ntpq peer documentation to describe the 'p' type. HStenn.
* Rename restrict 'flags' to 'rflags. Use an enum for the values. HStenn.
* Provide dump_restricts() for debugging. HStenn.
* Use consistent 4th arg type for [gs]etsockopt. JPerlinger.
* Some tests might need LIBM. HStenn.
* update-leap: Allow -h/--help early. HStenn.
Constructed ASN.1 types with a recursive definition (such as can be found
in PKCS7) could eventually exceed the stack given malicious input with
excessive recursion. This could result in a Denial Of Service attack. There
are no such structures used within SSL/TLS that come from untrusted sources
so this is considered safe.
This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz
project.
(CVE-2018-0739)
[Matt Caswell]
*) Incorrect CRYPTO_memcmp on HP-UX PA-RISC
Because of an implementation bug the PA-RISC CRYPTO_memcmp function is
effectively reduced to only comparing the least significant bit of each
byte. This allows an attacker to forge messages that would be considered as
authenticated in an amount of tries lower than that guaranteed by the
security claims of the scheme. The module can only be compiled by the
HP-UX assembler, so that only HP-UX PA-RISC targets are affected.
This issue was reported to OpenSSL on 2nd March 2018 by Peter Waltenberg
(IBM).
(CVE-2018-0733)
[Andy Polyakov]
*) Add a build target 'build_all_generated', to build all generated files
and only that. This can be used to prepare everything that requires
things like perl for a system that lacks perl and then move everything
to that system and do the rest of the build there.
[Richard Levitte]
*) Backport SSL_OP_NO_RENGOTIATION
OpenSSL 1.0.2 and below had the ability to disable renegotiation using the
(undocumented) SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag. Due to the opacity
changes this is no longer possible in 1.1.0. Therefore the new
SSL_OP_NO_RENEGOTIATION option from 1.1.1-dev has been backported to
1.1.0 to provide equivalent functionality.
Note that if an application built against 1.1.0h headers (or above) is run
using an older version of 1.1.0 (prior to 1.1.0h) then the option will be
accepted but nothing will happen, i.e. renegotiation will not be prevented.
[Matt Caswell]
*) Removed the OS390-Unix config target. It relied on a script that doesn't
exist.
[Rich Salz]
*) rsaz_1024_mul_avx2 overflow bug on x86_64
There is an overflow bug in the AVX2 Montgomery multiplication procedure
used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
Analysis suggests that attacks against RSA and DSA as a result of this
defect would be very difficult to perform and are not believed likely.
Attacks against DH1024 are considered just feasible, because most of the
work necessary to deduce information about a private key may be performed
offline. The amount of resources required for such an attack would be
significant. However, for an attack on TLS to be meaningful, the server
would have to share the DH1024 private key among multiple clients, which is
no longer an option since CVE-2016-0701.
This only affects processors that support the AVX2 but not ADX extensions
like Intel Haswell (4th generation).
This issue was reported to OpenSSL by David Benjamin (Google). The issue
was originally found via the OSS-Fuzz project.
(CVE-2017-3738)
[Andy Polyakov]
mirrors listed at http://www.openssh.com/ shortly.
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.
Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
http://www.openssh.com/donations.html
Potentially-incompatible changes
================================
This release includes a number of changes that may affect existing
configurations:
* ssh(1)/sshd(8): Drop compatibility support for some very old SSH
implementations, including ssh.com <=2.* and OpenSSH <= 3.*. These
versions were all released in or before 2001 and predate the final
SSH RFCs. The support in question isn't necessary for RFC-compliant
SSH implementations.
Changes since OpenSSH 7.6
=========================
This is primarily a bugfix release.
New Features
------------
* All: Add experimental support for PQC XMSS keys (Extended Hash-
Based Signatures) based on the algorithm described in
https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
The XMSS signature code is experimental and not compiled in by
default.
* sshd(8): Add a "rdomain" criteria for the sshd_config Match keyword
to allow conditional configuration that depends on which routing
domain a connection was received on (currently supported on OpenBSD
and Linux).
* sshd_config(5): Add an optional rdomain qualifier to the
ListenAddress directive to allow listening on different routing
domains. This is supported only on OpenBSD and Linux at present.
* sshd_config(5): Add RDomain directive to allow the authenticated
session to be placed in an explicit routing domain. This is only
supported on OpenBSD at present.
* sshd(8): Add "expiry-time" option for authorized_keys files to
allow for expiring keys.
* ssh(1): Add a BindInterface option to allow binding the outgoing
connection to an interface's address (basically a more usable
BindAddress)
* ssh(1): Expose device allocated for tun/tap forwarding via a new
%T expansion for LocalCommand. This allows LocalCommand to be used
to prepare the interface.
* sshd(8): Expose the device allocated for tun/tap forwarding via a
new SSH_TUNNEL environment variable. This allows automatic setup of
the interface and surrounding network configuration automatically on
the server.
* ssh(1)/scp(1)/sftp(1): Add URI support to ssh, sftp and scp, e.g.
ssh://user@host or sftp://user@host/path. Additional connection
parameters described in draft-ietf-secsh-scp-sftp-ssh-uri-04 are not
implemented since the ssh fingerprint format in the draft uses the
deprecated MD5 hash with no way to specify the any other algorithm.
* ssh-keygen(1): Allow certificate validity intervals that specify
only a start or stop time (instead of both or neither).
* sftp(1): Allow "cd" and "lcd" commands with no explicit path
argument. lcd will change to the local user's home directory as
usual. cd will change to the starting directory for session (because
the protocol offers no way to obtain the remote user's home
directory). bz#2760
* sshd(8): When doing a config test with sshd -T, only require the
attributes that are actually used in Match criteria rather than (an
incomplete list of) all criteria.
Bugfixes
--------
* ssh(1)/sshd(8): More strictly check signature types during key
exchange against what was negotiated. Prevents downgrade of RSA
signatures made with SHA-256/512 to SHA-1.
* sshd(8): Fix support for client that advertise a protocol version
of "1.99" (indicating that they are prepared to accept both SSHv1 and
SSHv2). This was broken in OpenSSH 7.6 during the removal of SSHv1
support. bz#2810
* ssh(1): Warn when the agent returns a ssh-rsa (SHA1) signature when
a rsa-sha2-256/512 signature was requested. This condition is possible
when an old or non-OpenSSH agent is in use. bz#2799
* ssh-agent(1): Fix regression introduced in 7.6 that caused ssh-agent
to fatally exit if presented an invalid signature request message.
* sshd_config(5): Accept yes/no flag options case-insensitively, as
has been the case in ssh_config(5) for a long time. bz#2664
* ssh(1): Improve error reporting for failures during connection.
Under some circumstances misleading errors were being shown. bz#2814
* ssh-keyscan(1): Add -D option to allow printing of results directly
in SSHFP format. bz#2821
* regress tests: fix PuTTY interop test broken in last release's SSHv1
removal. bz#2823
* ssh(1): Compatibility fix for some servers that erroneously drop the
connection when the IUTF8 (RFC8160) option is sent.
* scp(1): Disable RemoteCommand and RequestTTY in the ssh session
started by scp (sftp was already doing this.)
* ssh-keygen(1): Refuse to create a certificate with an unusable
number of principals.
* ssh-keygen(1): Fatally exit if ssh-keygen is unable to write all the
public key during key generation. Previously it would silently
ignore errors writing the comment and terminating newline.
* ssh(1): Do not modify hostname arguments that are addresses by
automatically forcing them to lower-case. Instead canonicalise them
to resolve ambiguities (e.g. ::0001 => ::1) before they are matched
against known_hosts. bz#2763
* ssh(1): Don't accept junk after "yes" or "no" responses to hostkey
prompts. bz#2803
* sftp(1): Have sftp print a warning about shell cleanliness when
decoding the first packet fails, which is usually caused by shells
polluting stdout of non-interactive startups. bz#2800
* ssh(1)/sshd(8): Switch timers in packet code from using wall-clock
time to monotonic time, allowing the packet layer to better function
over a clock step and avoiding possible integer overflows during
steps.
* Numerous manual page fixes and improvements.
Portability
-----------
* sshd(8): Correctly detect MIPS ABI in use at configure time. Fixes
sandbox violations on some environments.
* sshd(8): Remove UNICOS support. The hardware and software are literal
museum pieces and support in sshd is too intrusive to justify
maintaining.
* All: Build and link with "retpoline" flags when available to mitigate
the "branch target injection" style (variant 2) of the Spectre
branch-prediction vulnerability.
* All: Add auto-generated dependency information to Makefile.
* Numerous fixed to the RPM spec files.
Checksums:
==========
- SHA1 (openssh-7.7.tar.gz) = 24812e05fa233014c847c7775748316e7f8a836c
- SHA256 (openssh-7.7.tar.gz) = T4ua1L/vgAYqwB0muRahvnm5ZUr3PLY9nPljaG8egvo=
- SHA1 (openssh-7.7p1.tar.gz) = 446fe9ed171f289f0d62197dffdbfdaaf21c49f2
- SHA256 (openssh-7.7p1.tar.gz) = 1zvn5oTpnvzQJL4Vowv/y+QbASsvezyQhK7WIXdea48=
Please note that the SHA256 signatures are base64 encoded and not
hexadecimal (which is the default for most checksum tools). The PGP
key used to sign the releases is available as RELEASE_KEY.asc from
the mirror sites.
Reporting Bugs:
===============
- Please read http://www.openssh.com/report.html
Security bugs should be reported directly to openssh@openssh.com
reading fits the table we allocated. Linux does the same.
I have a laptop which, for some reason, reports a table size of 62 bytes.
Clearly that's incorrect, it should be 60 (44 + 16). Because of the stray
+2, here the kernel reads past the end of the allocated buffer, hits an
unmapped VA, and panics at boot time. So the laptop can't boot.
Now it boots fine.
The change avoids setting an IP address tentative on initializing it when the
IPv4 DAD is disabled (net.inet.ip.dad_count=0), which allows a GARP packet to be
sent (see arpannounce). This is the same behavior of NetBSD 7, i.e., before
introducing the IPv4 DAD.
Additionally do the same change to IPv6 DAD for consistency.
The change is suggested by roy@
* dhcp6: fix a null termination overflow on status messages
* options: static routes can be setup in global context again
* routes: dhcpcd added host routes are now reported correctly
Here is an example of the operation which causes this problem.
# ifconfig ipsec0 create link0
# ifconfig ipsec0 tunnel fc00:1001::2,4500 fc00:1001::1,4501
# ifconfig ipsec0 tunnel fc00:1001::2,4500 fc00:1001::1,4502
This modification reduces packet loss of fragmented packets on a
network where reordering occurs.
Alghough this modification has been applied, IPv4 ID is not set for
the packet smaller then IP_MINFRAGSIZE. According to RFC 6864, that
must not cause problems.
XXX pullup-8
This fix allows that a GARP packet is sent when adding an IP address to an
interface with IFF_UP on a kernel with IPv4 DAD is disabled
(net.inet.ip.dad_count=0), which is the same behavior of NetBSD 7, i.e.,
before introducing the IPv4 DAD.
