OBSOLETE Patch-ID# 148380-11



Your use of the firmware, software and any other materials contained in this update is subject to My Oracle Support Terms of Use, which may be viewed at My Oracle Support.
Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.

Keywords: ippool ipf
Synopsis: Obsoleted by: 148380-12 SunOS 5.10_x86: ippool patch
Date: Apr/14/2014


Install Requirements: Reboot after installing this patch to activate the changes delivered. An alternative may be specified in the Special Install Instructions.

Solaris Release: 10_x86

SunOS Release: 5.10_x86

Unbundled Product:

Unbundled Release:

Xref: This patch available for SPARC as patch 148379

Topic: SunOS 5.10_x86: ippool patch

Relevant Architectures: i386

Bugs fixed with this patch:

Sun CR #    Bug #
7036370     15709147
7130420     15766564
7198212     15815851
7201980     15819422
            17008193
            17056912
6714319     15487220
6813307     15546607
6857600     15573901
6897532     15600848
7033429     15706858
7041326     15712967
7057409     15723550
7058343     15724097
7069945     15730719
7084781     15738603
7132744     15768200
7153517     15778746
7154821     15779830
7171465     15793884


Changes incorporated in this version: 17008193

Patches accumulated and obsoleted by this patch: 148331-07

Patches which conflict with this patch:

Patches required with this patch: 118855-36 120012-14 137138-09 139556-08 144501-19 (or greater)

Obsoleted by:

Files included with this patch:

/usr/include/netinet/ip_auth.h
/usr/include/netinet/ip_nat.h
/usr/include/netinet/ipf_stack.h
/usr/kernel/drv/amd64/ipf
/usr/kernel/drv/ipf
/usr/lib/ipf/amd64/auth_test
/usr/lib/ipf/amd64/ipftest
/usr/lib/ipf/i86/auth_test
/usr/lib/ipf/i86/ipftest
/usr/sbin/amd64/ipf
/usr/sbin/amd64/ipfs
/usr/sbin/amd64/ipfstat
/usr/sbin/amd64/ipmon
/usr/sbin/amd64/ipnat
/usr/sbin/amd64/ippool
/usr/sbin/i86/ipf
/usr/sbin/i86/ipfs
/usr/sbin/i86/ipfstat
/usr/sbin/i86/ipmon
/usr/sbin/i86/ipnat
/usr/sbin/i86/ippool

Problem Description:

17008193 logsize tunable is ignored by IPF
 
(from 148380-10)
 
17056912 ipfilter may block valid ICMP echo replies
 
(from 148380-09)
 
15709147 Bad Trap panic in fr_fraglookup - probable bad ipfr_hnext pointer
15815851 IPF is a traffic load disbalancer using round-robin for rdr NAT rules
15819422 ipf fr_fraglookup loops in fragments table
 
(from 148380-08)
 
15766564 panic in ip_wput_local() ipha_src and ipha_dst are reversed
 
(from 148380-07)
 
        This revision accumulates generic Sustaining patch 148331-07
        into Solaris S10U11 update.
 
(from 148380-06)
 
        This revision accumulates generic Sustaining patch 148331-06
        into Solaris S10U11 update.
 
(from 148380-05)
 
        This revision accumulates generic Sustaining patch 148331-05
        into Solaris S10U11 update.
 
(from 148380-04)
 
        This revision accumulates generic Sustaining patch 148331-04
        into Solaris S10U11 update.
 
(from 148380-03)
 
        This revision accumulates generic Sustaining patch 148331-03
        into Solaris S10U11 update.
 
(from 148380-02)
 
        This revision accumulates generic Sustaining patch 148331-02
        into Solaris S10U11 update.
 
(from 148380-01)
 
        This revision accumulates generic Sustaining patch 148331-01
        into Solaris S10U11 update.
 
(from 148331-07)
 
7153517 adding some rules to ipf.conf, kernel panic in ipf module
7171465 ipnat -FC command always reports 4 entries flushed
 
(from 148331-06)
 
7132744 ipfstat -io doesn't show subgrouped rules after applying kernel patch
 
(from 148331-05)
 
7154821 auth for outbound packets - backport delta needed
 
(from 148331-04)
 
7041326 IPF auth does not work for outbound packets
 
(from 148331-03)
 
7057409 /dev/ipauth must not harm other devices
 
(from 148331-02)
 
6714319 IPFilter causes failure of IPv6 compliance tests
6813307 memory leaks at frrequest
6857600 IPFilter parser chokes on short IPv6 fragments
6897532 race condition window around fr_enable_active still opened
7033429 "keep state" directive in IPFilter rule(s) is now dropping multicast packets (UDP) randomly
7058343 IPF panic when disabled
7069945 "ipf" module seems to have triggered system panic
 
(from 148331-01)
 
7084781 ippool does not accept IPv6 addresses


Patch Installation Instructions:
--------------------------------
 
Please refer to the man pages for instructions on using 'patchadd'
and 'patchrm' commands provided with Solaris.
 
The following example installs a patch to a standalone machine:
 
       example# patchadd /var/spool/patch/123456-07
 
The following example removes a patch from a standalone system:
 
       example# patchrm 123456-07
 
For additional examples please see the appropriate man pages. Any
other special or non-generic installation instructions should be
described below as special instructions.


Special Install Instructions:
-----------------------------
 
NOTE 1:  For anyone using the round-robin feature in an ipnat configuration,
         it is now possible to specify a round-robin id number after the
         round-robin keyword in NAT rules as follows:
 
rdr net1 203.1.2.3/32 port 80 -> 203.1.2.3,203.1.2.4 port 80 tcp round-robin 1
rdr net1 203.1.2.3/32 port 80 -> 203.1.2.5 port 80 tcp round-robin 1
 
         The trailing "1" is the round-robin id.  Supplying an id number
         forces the round-robin rules with the same id to act together, and
         prevents other rules that match the same packets (whether or not they
         are part of any load balancing) from inadvertently impacting the
         round-robin operation for the specific group of rules.


README -- Last modified date: Thursday, July 10, 2014