#
13097:babcda726f5a |
|
12-Aug-2010 |
Jan Parcel <Jan.Parcel@Sun.COM> |
6935086 IPFilter state module cannot handle ip options correctly.
|
#
11761:199d73518c96 |
|
25-Feb-2010 |
Zdenek Kotala <Zdenek.Kotala@Sun.COM> |
6900850 Limit for number of states in the state table is too low by default 6910994 fr_checkstate function does not release ipf_state mutex in some cases
|
#
11105:398a2edaa773 |
|
19-Nov-2009 |
Alexandr Nedvedicky <Alexandr.Nedvedicky@Sun.COM> |
6772643 Packets dropped at ipfil_sendpkt if interface index is set at plumb time 6891782 ipftest fails to run 6897532 Race condition window around fr_enable_active is still opened 6897632 nic_event_v* hook should check if IPF is running before it will proceed further
|
#
9888:3d27daea2cbf |
|
17-Jun-2009 |
Alexandr Nedvedicky <Alexandr.Nedvedicky@Sun.COM> |
6845913 fr_make_icmp_*() uses TH_SYN/TH_FIN for testing fin_flx - it's not the intention 6827271 ipfilter TCP state emulation ends up in 5/0 state (Established/Closed) 6562745 Adapt a better TCP statemachine emulation (fr_tcp_age()) from upstream version
|
#
8624:0c81faef90eb |
|
27-Jan-2009 |
Darren Reed <Darren.Reed@Sun.COM> |
5008943 /etc/init.d/ipfboot pause/resume functionality broken 5010756 "\" in configuration file does not work correctly 6181489 ipfilter sends out confusing messages. 6449288 Makefiles in usr/src/cmd/ipf are missing CDDL 6449291 package prototype files in usr/src/pkgdefs/SUNWipfh missing CDDL 6508325 stale pfil-related rules in Makefile.rules 6661948 ipmon.pid file can be rendered invisible 6714319 IPFilter causes failure of IPv6 compliance tests. 6766614 fin_state costs more than it is worth 6767239 fin_nat causes more trouble than it is worth 6788299 Array overrun in ipfilter 6789766 ipfs usage output is misleading 6792026 ipnat panics in Divide zero exception
|
#
8463:a5df9cefde5c |
|
28-Dec-2008 |
Darren Reed <Darren.Reed@Sun.COM> |
6749429 printing out of fragment information is confused 6749445 ipfstat -f does not show ttl but rather expiration tick 6783820 IPF preauth crash 6730356 legacy test regressions: i2, i4, i11
|
#
8170:daf52af21f03 |
|
20-Nov-2008 |
John Ojemann <John.Ojemann@Sun.COM> |
6677460 ipfilter automatic flushing of state table entries needs to work the same as it does for NAT 6566976 state limit check works when limit is reached only 6566982 state limit is not checked when inserting states via IOCTL
|
#
7704:c2487b19c177 |
|
26-Sep-2008 |
Alexandr Nedvedicky <Alexandr.Nedvedicky@Sun.COM> |
6743637 ipfstat prints certain counters two times 6744095 fix c-style in ip_state.c in fr_matchstate() et. al. 6744100 add a comment for CR 6653172 to fil.c 6725139 OOW problem still present after a patch 127888-09 has been applied 6657378 IPF address pools does not match addresses reliably for IPv6 6726717 IPF persistent tunables still don't work with stack instances 6743002 ipf_property_update() is too picky 6731974 incorrect calculation in fr_pullup 6749974 IPF does not know whether packet comes from local client (loopback) or from NIC interface
|
#
7591:123d9d5b34e2 |
|
15-Sep-2008 |
John Ojemann <John.Ojemann@Sun.COM> |
6744741 IPfilter: fr_movequeue() should be made more efficient to improve performance
|
#
7433:bad57c69bd98 |
|
28-Aug-2008 |
John Ojemann <John.Ojemann@Sun.COM> |
6723135 IPfilter: It's possible for tcp fragments to be mishandled when nat is involved. 6716698 ipfilter: SIOCSTLCK ioctls call fr_lock() function without any error checking 6528022 IPfilter does not handle any bcopy failures correctly (if at all). 6714976 ipfilter: keep state doesn't interact properly with multicast
|
#
7432:62d106a2f652 |
|
28-Aug-2008 |
John Ojemann <John.Ojemann@Sun.COM> |
6713984 if a nat entry is created, but the packet gets blocked, the entry should be removed 6718524 ipfilter incorrectly tracks and handles orphan state table and nat table entries 6742115 IPfilter: NAT entries added with SIOCSTPUT are ignored if no rules exist. 6528443 ipnat -l shows more sessions than ipf_nattable_max
|
#
7333:46f2f942dcc8 |
|
14-Aug-2008 |
John Ojemann <John.Ojemann@Sun.COM> |
6644693 ipf panics because fnew.fin_qfm is not initialized in fr_send_ip() 6715082 ipfilter: can't delete a state entry using SIOCDELST ioctl 6732960 with a bit of massaging, a couple more NAT locks can be unlocked
|
#
7259:eb414b676b9b |
|
01-Aug-2008 |
dr146992 |
6726575 ipfilter needs to be able to do randomised port mapping 6730614 random port numbers are in the wrong range of numbers
|
#
7131:cad142a71123 |
|
18-Jul-2008 |
dr146992 |
6719268 enabling ipfilter causes up to 80% or more drop in packet throughput for multi-stream workloads 6721215 ipfilter panic in ipf:fr_derefrule after restoring state table 6723213 IPfilter: NAT suffers performance hit by holding exclusive locks longer than required
|
#
6647:ad79605305d0 |
|
15-May-2008 |
an207044 |
6505685 Problems with applying "to" rule in IP Filter 6562635 TCP options are not processed correctly 6562648 IPF may drop connection, which chooses to scale window 6562721 IPF should also check SACK when doing stateful inspection 6595876 state timer should be reset when retransmission is seen 6651775 ipf does not handle half estab. connections well (conn. hangs with connection match result 4/0)
|
#
6518:b2f372728678 |
|
30-Apr-2008 |
jojemann |
6685076 ippool and other ipf utilities have possible race condition 6685092 ipfilter list processing function(s) have unsafe edge case(s)
|
#
6274:87c8e1e732a2 |
|
25-Mar-2008 |
jojemann |
6658611 ipfilter / panic rw_enter: bad rwlock 6675192 fr_timeoutstate stumbles over freed timeout (causing system panic) if state has age information
|
#
6252:75bbf3e02e16 |
|
21-Mar-2008 |
an207044 |
6599779 two state entries might be created for single TCP connection
|
#
5417:904056aefc49 |
|
05-Nov-2007 |
jojemann |
6603271 ipnat -l demonstrates inconsistent behavior and can cause system to hang or panic
|
#
5055:7a15930aae3c |
|
14-Sep-2007 |
dr146992 |
6588495 IP can use the wrong interface for filtering/qos 6599516 locking in fr_natderef causes lock contention and performance drop
|
#
4431:b47b47492c95 |
|
11-Jun-2007 |
an207044 |
6531894 IPF blocks TCP SYN packets for connections in TIME_WAIT state -> some clients can't reconnect
|
#
4251:fe838d5af480 |
|
16-May-2007 |
an207044 |
6552365 setting ipfilter state timeout values is not possible
|
#
3894:7c0146a89509 |
|
26-Mar-2007 |
jojemann |
6483377 ipfilter option reply-to not working
|
#
3607:288ca557ca70 |
|
06-Feb-2007 |
zf203873 |
6520662 ipfilter panic'ed repeatedly in b57
|
#
3448:aaf16568054b |
|
19-Jan-2007 |
dh155122 |
PSARC 2006/366 IP Instances 6289221 RFE: Need virtualized ip-stack for each local zone 6512601 panic in ipsec_in_tag - allocation failure 6514637 error message from dhcpagent: add_pkt_opt: option type 60 is missing required value 6364643 RFE: allow persistent setting of interface flags per zone 6307539 RFE: Invalid network address causes zone boot failure 5041214 Allow IPMP configuration with zones 5005887 RFE: zoneadmd should support plumbing an interface via DHCP 4991139 RFE: zones should provide a mechanism to configure a defaultrouter for a zone 6218378 zoneadmd doesn't set the netmask for non-loopback addresses hosted on lo0 4963280 zones: need to virtualize the IPv6 default address selection mechanism 4963285 zones: need support of stateless address autoconfiguration for IPv6 5048068 zones don't boot if one of its interfaces has failed 5057154 RFE: ability to change interface status from within a zone 4963287 zones should support the plumbing of the first (and only) logical interface 4978517 TCP privileged port space should be partitioned per zone 5023347 zones don't work well with network routes other than default 4963372 investigate whether global zone can act as a router for local zones 6378364 RFE: Allow each zone to have its own virtual IPFilter
|
#
3187:f801da2c3e1e |
|
27-Nov-2006 |
dr146992 |
6489821 Functions ip_nexthop and ip_nexthop_route should be removed 6489978 Local IPv6 connections with IPv6 extensions headers fail 6490546 Panic when creating a 6to4 tunnel 6492882 wrong error text in /lib/svc/method/ipfilter for IPv6 6493833 assert failed due to unloading ipf with populated state table
|
#
3007:60c094c28394 |
|
28-Oct-2006 |
dr146992 |
6343157 svcadm disable ipfilter does not flush the rules 6484763 PFHOOKS breaks post-ACQUIRE ESP processing 6485599 msgpullup/pullupmsg now implies either M_DATA or M_MULTIDATA 6485731 panic in fil.c trying to release ipf_mutex while not held 6485761 ipfilter kernel module always enables itself on load 6485781 mutex_enter: bad mutex in ipflog_read 6485943 MSG_FWCOOKED_* survived attempted genocide 6486513 too much of a good thing can be bad 6486575 use ipf -D twice will panic the system 6487360 physical_in hook inserted twice into ip_input() for onnv putback
|
#
2958:98aa41c076f5 |
|
20-Oct-2006 |
dr146992 |
PSARC/2005/334 Packet Filtering Hooks PSARC/2006/321 ARP packet filtering Hooks 6401219 use of pullupmsg() considered destructive - clears h/w checksum flags 6418698 PSARC/2005/334 - Packet Filtering Hooks API 6449290 package prototype files in usr/src/pkgdefs/SUNWipfr missing CDDL 6449292 package prototype files in usr/src/pkgdefs/SUNWipfu missing CDDL 6449296 Makefiles for ipf kernel module building missing CDDL 6473996 "fastroute" + "nat" packets cause memory leaks in ipfilter
|
#
2944:77169ac14224 |
|
18-Oct-2006 |
jojemann |
6479209 IPfilter keep state limit can cause system panic
|
#
2393:76e0289ce525 |
|
19-Jul-2006 |
yz155240 |
PSARC 2006/082 IP Filter Code Merge on ip_fil4.1.9 4912568 ipftest ipf ipfstat ipnat ippool need a non-name resolution flag 5040248 ipfs -W fails to save kernel state tables 5081834 syntax parser reports wrong error position and line number 5094575 keyword "netmask" is un-supported in ipnat.conf (4) 6181751 ipf parser fails on wrong subnet notations 6181773 ipf parser fails on wrong port ranges 6248745 ipnat drops packets if the IP header is not 32 bit aligned 6340621 RFE: IP Filter code merge on ip_fil4.1.9 6359805 ipf command incorrectly check options in rules and core dumps 6395837 ipnat tcpudp parsing is incomplete 6426469 IPFilter rejects IPv6 neighbour discovery packets 6447872 usr/src/common/ipf/ip_compat.h should not be CDDL
|