OBSOLETE Patch-ID# 141506-10

Download this patch from My Oracle Support

Your use of the firmware, software and any other materials contained in this update is subject to My Oracle Support Terms of Use, which may be viewed at My Oracle Support.
For further information on patching best practices and resources, please see the following links:
Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.

Keywords: security panic frpr_icmp dblk
Synopsis: Obsoleted by: 143592-05 SunOS 5.10: ipf patch
Date: Jul/09/2010

Install Requirements: After installing this patch on an active boot environment, the system will be in a potentially inconsistent state until a reboot is performed. Unless
otherwise specified in the Special Install Instructions below, it is normally safe to apply further patches prior to initiating the reboot due to the relatively small footprint of the patch utilities. Normal operations must not be resumed until after the reboot is performed.

Solaris Release: 10

SunOS Release: 5.10

Unbundled Product:

Unbundled Release:

Xref: This patch available for x86 as patch 141505

Topic: SunOS 5.10: ipf patch

Relevant Architectures: sparc

Bugs fixed with this patch:

Sun CR # Bug #

Changes incorporated in this version: 6918206 6918859 6921174

Patches accumulated and obsoleted by this patch: 141020-03

Patches which conflict with this patch:

Patches required with this patch: 118833-36 120011-14 137137-09 139555-08 (or greater)

Obsoleted by: 143592-05

Files included with this patch:


Problem Description:

6918206 packets double-counted with "call now" rules
6918859 pools should track bytes as well as packets for better usability
6921174 ippool -ld crashes if nodes are inserted with ioctl and policy rules not in place
(from 141506-09)
6900850 limit for number of states in the state table is too low by default
6910994 fr_checkstate function does not release ipf_state mutex in some cases
(from 141506-08)
6772643 packets dropped at ipfil_sendpkt if interface index is set at plumb time
6897632 nic_event_v* hook should check if IPF is running before it will proceed further
(from 141506-07)
6879740 ipnat rules can't be added into IP NAT because of regression of 6792026
6910106 state entry is->is_ref count must be set to 1 on creation/cloning
6911469 errata for backport of 'fin_nat causes more trouble than it is worth'
(from 141506-06)
6859313 large number of rules in ipfilter decreases throughput performance
6891782 ipftest fails to run
(from 141506-05)
6688940 ipf module panicked in get_unit() on NULL pointer
6766614 fin_state costs more than it is worth
6767239 fin_nat causes more trouble than it is worth
(from 141506-04)
	This revision accumulates generic Sustaining patch 141020-03
	into Solaris S10U8 update.
(from 141506-03)
	This revision accumulates generic Sustaining patch 141020-02
	into Solaris S10U8 update.
(from 141506-02)
	This revision accumulates generic Sustaining patch 141020-01
	into Solaris S10U8 update.
(from 141506-01)
6792026 ipnat panics in Divide zero exception
(from 141020-03)
6562745 adapt a better TCP statemachine emulation (fr_tcp_age()) from upstream version
6827271 ipfilter TCP state emulation ends up in 5/0 state (Established/Closed)
(from 141020-02)
6747420 ipfilter fr_send_reset()/fr_send_icmp() does not work for loopback clients
6845913 fr_make_icmp_*() uses TH_SYN/TH_FIN for testing fin_flx - it's not the intention
(from 141020-01)
6681520 panic in frpr_icmp() when trying to access dblk previously freed in fr_coalesce()

Patch Installation Instructions:
Please refer to the man pages for instructions on using 'patchadd'
and 'patchrm' commands provided with Solaris.
The following example installs a patch to a standalone machine:
       example# patchadd /var/spool/patch/123456-07
The following example removes a patch from a standalone system:
       example# patchrm 123456-07
For additional examples please see the appropriate man pages. Any
other special or non-generic installation instructions should be
described below as special instructions.

Special Install Instructions:

README -- Last modified date: Saturday, November 10, 2012