Obsoleted by: 137138-09 SunOS 5.10_x86: ipf patch
Disclaimer:
Please note:
Although OBSOLETED patches are available on SunSolve, Sun recommends using the most recent patches and the most recent revision of those patches. OBSOLETED patches do not include the latest bug fixes and/or product enhancements, and may require the installation of additional patches as a corrective measure.
Status: OBSOLETE
Patch Id: 127889-11
***********************************************************************
READ THE TERMS OF THE AGREEMENT ("AGREEMENT") IN THE LEGAL_LICENSE.TXT
FILE CAREFULLY BEFORE USING THIS SOFTWARE. BY USING THE SOFTWARE, YOU
AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE
TERMS, PROMPTLY DESTROY THE UNUSED SOFTWARE.
***********************************************************************
Summary: Obsoleted by: 137138-09 SunOS 5.10_x86: ipf patch
Date: Nov/06/2008
Installation Requirements:
Reboot immediately after installing this patch on an active boot environment to bring the system to a consistent state. An alternative may be specified in the Special Install Instructions.
Solaris Release: 10_x86
Sun OS Release: 5.10_x86
Unbundled Product:
Unbundled Release:
Xref: This patch available for SPARC as patch 127888
Topic:
SunOS 5.10_x86: ipf patch
Relevant Architecture: i386
BugId's fixed with this patch:
6231883 6354418 6500393 6505444 6505685 6528018 6528419 6528552 6528779 6531894 6532393 6544673 6552365 6561278 6562635 6562648 6562721 6564748 6565376 6575084 6595876 6599516 6599779 6603271 6606816 6622346 6629154 6641267 6651114 6651775 6653172 6658611 6675192 6685076 6685092 6726575 6730614
Changes incorporated in this version:
6726575 6730614
Patches accumulated and obsoleted by this patch:
127887-06 128409-01 128494-01
Patches which conflict with this patch:
Required Patches:
118855-36 120012-14 125504-02 (or greater)
Obsoleted by:
Files Included in this Patch:
/usr/include/netinet/ip_fil.h
/usr/include/netinet/ip_nat.h
/usr/include/netinet/ip_state.h
/usr/include/netinet/ipf_stack.h
/usr/kernel/drv/amd64/ipf
/usr/kernel/drv/ipf
/usr/lib/ipf/amd64/ipftest
/usr/lib/ipf/i86/ipftest
/usr/sbin/amd64/ipf
/usr/sbin/amd64/ipfs
/usr/sbin/amd64/ipfstat
/usr/sbin/amd64/ipmon
/usr/sbin/amd64/ipnat
/usr/sbin/amd64/ippool
/usr/sbin/i86/ipf
/usr/sbin/i86/ipfs
/usr/sbin/i86/ipfstat
/usr/sbin/i86/ipmon
/usr/sbin/i86/ipnat
/usr/sbin/i86/ippool
/var/svc/manifest/network/ipfilter.xml
Problem Description:
6726575 IPfilter needs to be able to do randomised port mapping
6730614 random port numbers are in the wrong range of numbers
(from 127889-10)
6622346 ipftuneable_alloc doesn't set fr_defnatipage or ipf_loopback
(from 127889-09)
6505685 problems with applying "to" rule in IPfilter
6562635 TCP options are not processed correctly
6562648 IPF may drop connection which chooses to scale window
6562721 IPF should also check SACK when doing stateful inspection
6595876 state timer should be reset when retransmission is seen
6599779 two state entries might be created for single TCP connection
6651775 IPF does not handle half estab. connections well
(connection hangs with connection match result 4/0)
(from 127889-08)
6528779 mdb findleaks reports memory leak in IPfilter
6544673 dynamic network interfaces don't work with IPfilter
6565376 NULL pointer panic in fr_authexpire
6606816 ipf_expiretokens is not called to free up tokens
6629154 IPF NAT checksum evergreen - TCP hdr checksum is broken on ce NICs
6641267 race condition nat_flushtable() and fr_check()
6651114 fragment table size is ignored, hardwired limit is used instead
6658611 IPfilter/panic rw_enter: bad rwlock
6675192 fr_timeoutstate stumbles over freed timeout (causing system panic)
if state has age information
6685076 ippool and other IPF utilities have possible race condition
6685092 IPfilter list processing function(s) have unsafe edge case(s)
(from 127889-07)
6500393 IPfilter should detect connection mix ups as result of redirection
6505444 ipnat doesn't accept multiple rdr rules with the same "ipmask dport -> ip" and different rdrports
(from 127889-06)
This patch revision accumulates generic patch 127887-06
into Solaris Update S10U5 release.
(from 127889-05)
This patch revision accumulates generic patch 127887-05
into Solaris Update S10U5 release.
(from 127889-04)
This patch revision accumulates generic patch 127887-04
into Solaris Update S10U5 release.
(from 127889-03)
This patch revision accumulates generic patch 127887-03
into Solaris Update S10U5 release.
(from 127889-02)
This patch revision accumulates generic patch 127887-02
into Solaris Update S10U5 release.
(from 127889-01)
This patch revision accumulates generic patch 127887-01
into Solaris Update S10U5 release.
(from 127887-06)
6653172 "ifconfig plumb" interferes with IP filter rules
(from 127887-05)
6603271 ipnat -l demonstrates inconsistent behavior and can cause system to hang or panic
(from 127887-04)
6531894 IPF blocks TCP SYN packets for connections in TIME_WAIT state -> some clients
can't reconnect
6575084 IPfilter's disguise with self-NAT: the return packets are dropped
(from 127887-03)
6599516 locking in fr_natderef causes lock contention and performance drop
(from 127887-02)
6354418 ??? entries hang around for long time
6552365 setting IPfilter state timeout values is not possible
(from 127887-01)
6528018 for SIOCSTPUT, can grab ipf_nat lock even if specified not to
6528419 IPfilter with nat can leak memory
6528552 IPfilter SIOCSTPUT doesn't initialize filter rule state properly
6532393 IPfilter NAT rules with bad proxy labels will get loaded anyway
6564748 fragments can be mishandled by IPfilter when using a custom NAT proxy
(from 128409-01)
This patch revision accumulates generic patch 128494-01
into Solaris Update S10U5 release.
(from 128494-01)
6231883 IPfilter service lacks refresh method
6561278 'q' to quit ipfstat -t causes underlying bash, tcsh to terminate but not ksh
Revision History:
127889-10 127889-09 127889-06 127889-07 128494-01 127889-08 127887-06
Patch Installation Instructions:
--------------------------------
Please refer to the man pages for instructions on using 'patchadd'
and 'patchrm' scripts provided with Solaris.
The following example installs a patch to a standalone machine:
example# patchadd 127889-11
The following example removes a patch from a standalone system:
example# patchrm 127889-11
For additional examples please see the appropriate man pages. Any other
special or non-generic installation instructions should be described
below as special instructions.
Special Install Instructions:
-----------------------------
NOTE 1: Reboot the system after patch installation.
NOTE 2: Before installing this patch, please be sure to install the
latest patch utilities patches for your OS. This list of
patches is defined at - http://sunsolve.sun.com
Please use the pull down list which appears after the text:
"Latest Patch Update: To ensure the correct functioning of
the patching utilities on your system, stay up to date on
the following patches"
README -- Last modified date: Monday, November 10, 2008