OBSOLETE Patch-ID# 127888-11

Download this patch from My Oracle Support

Your use of the firmware, software and any other materials contained in this update is subject to My Oracle Support Terms of Use, which may be viewed at My Oracle Support.

For further information on patching best practices and resources, please see the following links:

Keywords: security nat ipf leak ipfstat ipfilter
Synopsis: Obsoleted by: 137137-09 SunOS 5.10: ipf patch
Date: Nov/06/2008

Install Requirements: After installing this patch on an active boot environment, the system will be in a potentially inconsistent state until a reboot is performed. Unless
otherwise specified in the Special Install Instructions below, it is normally safe to apply further patches prior to initiating the reboot due to the relatively small footprint of the patch utilities. Normal operations must not be resumed until after the reboot is performed.

Solaris Release: 10

SunOS Release: 5.10

Unbundled Product:

Unbundled Release:

Xref: This patch available for x86 as patch 127889

Topic: SunOS 5.10: ipf patch

Relevant Architectures: sparc

Bugs fixed with this patch:

Sun CR #	Bug #
6231883	15250448
6354418	15299402
6500393	15364816
6505444	15367578
6505685	15367691
6528018	15380534
6528419	15380742
6528552	15380815
6528779	15380947
6531894	15382521
6532393	15382780
6544673	15389642
6552365	15394016
6561278	15399259
6562635	15400032
6562648	15400040
6562721	15400074
6564748	15401172
6565376	15401512
6575084	15406726
6595876	15418342
6599516	15420465
6599779	15420620
6603271	15422521
6606816	15424489
6622346	15434190
6629154	15438157
6641267	15445537
6651114	15450928
6651775	15451323
6653172	15452255
6658611	15455475
6675192	15464917
6685076	15470802
6685092	15470813
6726575	15494914
6730614	15497501

Changes incorporated in this version: 6726575 6730614

Patches accumulated and obsoleted by this patch: 127886-06 128408-01 128493-01

Patches which conflict with this patch:

Patches required with this patch: 118833-36 120011-14 125503-02 (or greater)

Obsoleted by: 137137-09

Files included with this patch:

/usr/include/netinet/ip_fil.h
/usr/include/netinet/ip_nat.h
/usr/include/netinet/ip_state.h
/usr/include/netinet/ipf_stack.h
/usr/kernel/drv/sparcv9/ipf
/usr/lib/ipf/sparcv9/ipftest
/usr/sbin/sparcv9/ipf
/usr/sbin/sparcv9/ipfs
/usr/sbin/sparcv9/ipfstat
/usr/sbin/sparcv9/ipmon
/usr/sbin/sparcv9/ipnat
/usr/sbin/sparcv9/ippool
/var/svc/manifest/network/ipfilter.xml

Problem Description:

6726575 IPfilter needs to be able to do randomised port mapping
6730614 random port numbers are in the wrong range of numbers
 
(from 127888-10)
 
6622346 ipftuneable_alloc doesn't set fr_defnatipage or ipf_loopback
 
(from 127888-09)
 
6505685 problems with applying "to" rule in IP Filter
6562635 TCP options are not processed correctly
6562648 IPF may drop connection which chooses to scale window
6562721 IPF should also check SACK when doing stateful inspection
6595876 state timer should be reset when retransmission is seen
6599779 two state entries might be created for single TCP connection
6651775 ipf does not handle half estab. connections well 
        (connection hangs with connection match result 4/0)
 
(from 127888-08)
 
6528779 mdb findleaks reports memory leak in IPfilter
6544673 dynamic network interfaces don't work with IP Filter
6565376 NULL pointer panic in fr_authexpire
6606816 ipf_expiretokens is not called to free up tokens
6629154 IPF NAT checksum evergreen - TCP hdr checksum is broken on ce NICs
6641267 race condition nat_flushtable() and fr_check()
6651114 fragment table size ignored, hardwired limit is used instead
6658611 IPfilter/panic rw_enter: bad rwlock
6675192 fr_timeoutstate stumbles over freed timeout (causing system panic) 
        if state has age information
6685076 ippool and other IPF utilities have possible race condition
6685092 IPfilter list processing function(s) have unsafe edge case(s)
 
(from 127888-07)
 
6500393 IPfilter should detect connection mix-ups as result of redirection
6505444 ipnat doesn't accept multiple rdr rules with same "ipmask dport -> ip" 
        and different rdrports
 
(from 127888-06)
 
        This patch revision accumulates generic patch 127886-06
        into Solaris Update S10U5 release.
 
(from 127888-05)
 
        This patch revision accumulates generic patch 127886-05
        into Solaris Update S10U5 release.
 
(from 127888-04)
 
        This patch revision accumulates generic patch 127886-04
        into Solaris Update S10U5 release.
 
(from 127888-03)
 
        This patch revision accumulates generic patch 127886-03
        into Solaris Update S10U5 release.
 
(from 127888-02)
 
        This patch revision accumulates generic patch 127886-02
        into Solaris Update S10U5 release.
 
(from 127888-01)
 
        This patch revision accumulates generic patch 127886-01
        into Solaris Update S10U5 release.
 
(from 127886-06)
 
6653172 "ifconfig plumb" interferes with IP filter rules
 
(from 127886-05)
 
6603271 ipnat -l demonstrates inconsistent behavior and can cause system to hang or panic
 
(from 127886-04)
 
6531894 IPF blocks TCP SYN packets for connections in TIME_WAIT state -> some clients 
        can't reconnect
6575084 IPfilter's disguise with self-NAT: the return packets are dropped
 
(from 127886-03)
 
6599516 locking in fr_natderef causes lock contention and performance drop
 
(from 127886-02)
 
6354418 ??? entries hang around for long time
6552365 setting IPfilter state timeout values is not possible
 
(from 127886-01)
 
6528018 for SIOCSTPUT, can grab ipf_nat lock even if specified not to
6528419 IPfilter with nat can leak memory
6528552 IPfilter SIOCSTPUT doesn't initialize filter rule state properly
6532393 IPfilter NAT rules with bad proxy labels will get loaded anyway
6564748 fragments can be mishandled by IPfilter when using a custom NAT proxy
 
(from 128408-01)
 
        This patch revision accumulates generic patch 128493-01
        into Solaris Update S10U5 release.
 
(from 128493-01)
 
6231883 IPfilter service lacks refresh method
6561278 'q' to quit ipfstat -t causes underlying bash, tcsh to terminate but not ksh

Patch Installation Instructions:

--------------------------------
Please refer to the man pages for instructions on using 'patchadd'
and 'patchrm' scripts provided with Solaris.
 
The following example installs a patch to a standalone machine:
 
        example# patchadd 127888-11
 
The following example removes a patch from a standalone system:
 
        example# patchrm 127888-11
 
For additional examples please see the appropriate man pages. Any other
special or non-generic installation instructions should be described
below as special instructions.

Special Install Instructions:

-----------------------------
 
NOTE 1:  Reboot the system after patch installation.
 
NOTE 2:  Before installing this patch, please be sure to install 
         the latest patch utilities patches for your OS. This list 
         of patches is defined at - http://sunsolve.sun.com
 
         Please use the pull down list which appears after the text:
         "Latest Patch Update: To ensure the correct functioning of
         the patching utilities on your system, stay up to date on
         the following patches"

README -- Last modified date: Saturday, November 10, 2012