This is a discussion on Re: Solaris 10, ipnat/bimap address corruption issue within the IPFilter forums, part of the System Security and Security Related category.
> Jason Lingohr wrote:
>> Strange bimap problem here. The strangeness is compounded by the fact
>> that I've never needed to use bimap before.
>>
>> Version details:
>>
>> Solaris 10, 11/06
>> SunOS host1 5.10 Generic_118855-33 i86pc i386 i86pc
>> ipf: IP Filter: v4.0.3 (500)
>> Kernel: IP Filter: v4.0.3
>> ...
>> I found this post from 2004...
>> http://www.netbsd.org/cgi-bin/query-...l?number=25999. Darren
>> speaks in there about 4.1.2. Is this my issue, I need to upgrade to a
>> newer ipfilter?
>>
>
> Yes. See if you can get the patch that updates IPFilter to 4.1.9 for
> Solaris 10 Update 3.
>

Here is the info on that: (assume x86)

# ls -lap /var/sadm/patch/125014-03/
total 26
drwxr-xr--   2 root root  512 Jun 21 01:43 ./
drwxr-xr-x 236 root root 5120 Jun 21 01:59 ../
-rw-r--r--   1 root root 5494 Apr 30 11:22 README.125014-03
-rw-r--r--   1 root root  968 Jun 21 01:43 log
#
# cat /var/sadm/patch/125014-03/README.125014-03
Patch-ID# 125014-03

NOTE:
***********************************************************************
READ THE TERMS OF THE AGREEMENT ("AGREEMENT") IN THE LEGAL_LICENSE.TXT
FILE CAREFULLY BEFORE USING THIS SOFTWARE. BY USING THE SOFTWARE, YOU
AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE
TERMS, PROMPTLY DESTROY THE UNUSED SOFTWARE.
***********************************************************************

Keywords: ip filter icmp error nat
Synopsis: SunOS 5.10: IP filter patch
Date: Apr/30/2007

Install Requirements: Reboot immediately after patch is installed

Solaris Release: 10

SunOS Release: 5.10

Unbundled Product:

Unbundled Release:

Xref: This patch available for x86 as patch 125015

Topic: SunOS 5.10: IP filter patch

Relevant Architectures: sparc

BugId's fixed with this patch: 4912568 5009112 5040248 5049946 5081834
5094575 5094589 6181751 6181773 6188656 6231450 6248745 6266978 6269200
6307498 6307568 6334512 6340621 6343157 6359805 6370137 6373357 6378979
6395837 6426469 6457432 6458962 6473996 6479209 6483377 6485731 6485761
6485781 6486575 6498408 6511600 6523130

Changes incorporated in this version: 6483377 6498408 6511600 6523130

Patches accumulated and obsoleted by this patch:

Patches which conflict with this patch:

Patches required with this patch: 118833-36 (or greater)

Obsoleted by:

Files included with this patch:

/kernel/drv/sparcv9/pfil
/kernel/strmod/sparcv9/pfil
/lib/svc/method/ipfilter
/usr/include/netinet/ip_compat.h
/usr/include/netinet/ip_fil.h
/usr/include/netinet/ip_nat.h
/usr/include/netinet/ip_proxy.h
/usr/include/netinet/ip_state.h
/usr/include/netinet/ipl.h
/usr/kernel/drv/sparcv9/ipf
/usr/lib/ipf/sparcv9/ipftest
/usr/sbin/pfild
/usr/sbin/sparcv9/ipf
/usr/sbin/sparcv9/ipfs
/usr/sbin/sparcv9/ipfstat
/usr/sbin/sparcv9/ipmon
/usr/sbin/sparcv9/ipnat
/usr/sbin/sparcv9/ippool

Problem Description:

6483377 ipfilter option reply-to not working
6498408 fr_slowtimer is inactive
6511600 ipfilter causes panic when using ipmp interface group in ruleset
6523130 ipfilter does not apply rules when network interfaces are plumbed after ipfilter starts

(from 125014-02)

4912568 ipftest ipf ipfstat ipnat ippool need a non-name resolution flag
5009112 two (or several) ipf config files should be merged by using multi "-f"
5040248 ipfs -W fails to save kernel state tables
5049946 ipfstat statistics should be available via kstat
5081834 syntax parser reports wrong error position and line number
5094575 keyword "netmask" is un-supported in ipnat.conf (4)
5094589 "mssclamp" keyword is not supported so far in ipnat.conf (4)
6181751 ipf parser fails on wrong subnet notations
6181773 ipf parser fails on wrong port ranges
6188656 "port > " and "port <=" are not correctly intepreted by ipnat parser
6231450 consider moving ipmon.pid to /var/run
6248745 ipnat drops packets if the IP header is not 32-bit aligned
6266978 ip_off, ip_len byte order problem in fr_fastroute()
6269200 "ipnat -l" can not print "mssclamp" keyword
6307498 ipf/ipfstat doesn't print out mbcast option when used in rules
6307568 ipfstat -t doesn't display the idle time correctly
6334512 ipfilter wrongly reports pool statistics
6340621 RFE: IP Filter code merge on ip_fil4.1.9
6343157 svcadm disable ipfilter does not flush the rules
6359805 ipf command incorrectly checks options in rules and core dumps
6370137 pfil.ap is missing an entry for e1000g interfaces on sparc machines
6373357 ipfilter tools need to check return values from memory allocation
6395837 ipnat tcpudp parsing is incomplete
6426469 IPFilter rejects IPv6 neighbour discovery packets
6457432 wrong icmp packet replied when combining rdr rules and block return-icmp-as-dest(port-unr)
6458962 several ipfilter source files are "obsolete" and can be deleted
6473996 "fastroute" + "nat" packets cause memory leaks in ipfilter
6479209 ipfilter keep state limit can cause system panic
6485731 panic in fil.c trying to release ipf_mutex while not held
6485761 ipfilter kernel module always enables itself on load
6485781 mutex_enter: bad mutex in ipflog_read
6486575 use ipf -D twice will panic the system

(from 125014-01)

6378979 ICMP Type 3/Code 4 traffic is not handled properly if a dynamic MAP rule is used

Dennis Clarke
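The README above names a patch revision and a prerequisite ("118833-36 (or greater)"); the following added example, which is not part of the original post, checks both against `showrev -p` style output, also counting a patch as present when an installed patch lists it under "Obsoletes:". The function names are hypothetical, the one-line-per-patch `Patch: ... Obsoletes: ... Requires: ...` layout is assumed, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the post). Input: `showrev -p` style text on stdin.

# patch_at_least BASE MINREV
# Exit 0 if BASE-NN with NN >= MINREV is installed, or is listed under
# "Obsoletes:" of an installed patch (i.e. folded into that patch).
patch_at_least() {
    awk -v base="$1" -v min="$2" '
        function ok(pid,   p) {
            split(pid, p, "-")
            return (p[1] == base && (p[2] + 0) >= (min + 0))
        }
        /^Patch:/ {
            if (ok($2)) found = 1
            inobs = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "Obsoletes:") { inobs = 1; continue }
                if ($i == "Requires:") break
                if (inobs) { o = $i; sub(/,$/, "", o); if (ok(o)) found = 1 }
            }
        }
        END { exit(found ? 0 : 1) }
    '
}

# ipf_patch_status: one-word state of the SPARC patch from the README
# above: 125014-03, which requires 118833-36 or greater.
ipf_patch_status() {
    data=$(cat)
    if ! printf '%s\n' "$data" | patch_at_least 118833 36; then
        echo missing-prereq
    elif ! printf '%s\n' "$data" | patch_at_least 125014 03; then
        echo missing-patch
    else
        echo ok
    fi
}

# Constructed sample, not captured from a real host. 900001 and 900002
# are placeholder patch IDs; 125014 is present only at revision 01.
sample_showrev() {
    cat <<'EOF'
Patch: 118833-36 Obsoletes: 900001-02, 900002-05 Requires: Incompatibles: Packages: SUNWcsu, SUNWcsr
Patch: 125014-01 Obsoletes: Requires: Incompatibles: Packages: SUNWipfr, SUNWipfu
EOF
}

sample_showrev | ipf_patch_status    # prints: missing-patch
```

On a live host the input would come from `showrev -p | ipf_patch_status`; the x86 patch named in the Xref line (125015) is not checked here because the page does not give its prerequisite.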