OBSOLETE Patch-ID# 148380-15


Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.

Keywords: security ippool ipf
Synopsis: Obsoleted by: 148380-16 SunOS 5.10_x86: ippool patch
Date: Jul/16/2018


Install Requirements: Reboot after installing this patch to activate the changes delivered. An alternative may be specified in the Special Install Instructions.

Solaris Release: 10_x86

SunOS Release: 5.10_x86

Unbundled Product:

Unbundled Release:

Xref: This patch available for SPARC as patch 148379

Topic: SunOS 5.10_x86: ippool patch

Relevant Architectures: i386

Bugs fixed with this patch:

Sun CR #   Bug #
7036370    15709147
7130420    15766564
7198212    15815851
7201980    15819422
-          17008193
-          17016187
-          17056912
-          17399539
-          18029984
-          18341264
-          18726170
-          19211002
-          19280169
-          19525575
-          19525625
-          19573567
-          19573608
-          19574834
-          19789979
-          19790350
-          20089360
-          20109674
-          20415531
-          20561561
6714319    15487220
6813307    15546607
6857600    15573901
6897532    15600848
7033429    15706858
7041326    15712967
7057409    15723550
7058343    15724097
7069945    15730719
7084781    15738603
7132744    15768200
7153517    15778746
7154821    15779830
7171465    15793884


Changes incorporated in this version: 17399539 20415531

Patches accumulated and obsoleted by this patch: 148331-07

Patches which conflict with this patch:

Patches required with this patch: 118855-36 120012-14 137138-09 139556-08 144501-19 (or greater)

Obsoleted by:

Files included with this patch:

/usr/include/netinet/ip_auth.h
/usr/include/netinet/ip_fil.h
/usr/include/netinet/ip_nat.h
/usr/include/netinet/ip_state.h
/usr/include/netinet/ipf_stack.h
/usr/include/netinet/ipl.h
/usr/kernel/drv/amd64/ipf
/usr/kernel/drv/ipf
/usr/lib/ipf/amd64/auth_test
/usr/lib/ipf/amd64/ipftest
/usr/lib/ipf/i86/auth_test
/usr/lib/ipf/i86/ipftest
/usr/sbin/amd64/ipf
/usr/sbin/amd64/ipfs
/usr/sbin/amd64/ipfstat
/usr/sbin/amd64/ipmon
/usr/sbin/amd64/ipnat
/usr/sbin/amd64/ippool
/usr/sbin/i86/ipf
/usr/sbin/i86/ipfs
/usr/sbin/i86/ipfstat
/usr/sbin/i86/ipmon
/usr/sbin/i86/ipnat
/usr/sbin/i86/ippool

Problem Description:

17399539 Problem with kernel/ipfilter
20415531 DHCP DISCOVER not seen by isc-dhcp server for x86 UEFI clients
 
(from 148380-14)
 
18029984 memory corruption during strs3 stress run
20089360 panic: page fault in nat_addnat redux
20109674 ipnat -r does not work
20561561 panic: page fault in fr_checknatout redux
 
(from 148380-13)
 
18726170 panic in ipf nat_delrdr
19211002 ipfilter forgot to check round-robin rules stored in rrlist
19280169 all fixes for ipfilter round-robin rules should also be applied to IPv6
19525575 panic: page fault in fr_checknatout
19525625 panic: page fault in nat_addnat
19573567 ipnat parser should be able to detect duplicate bimap rules
19573608 ipfilter should use separate pointers for RDR and MAP rules
19574834 ipfilter rule survives VNIC deletion
19789979 ipfilter should not update mask value when deleting NAT rules
19790350 ipnat doesn't print usage
 
(from 148380-12)
 
17016187 buffer overrun in fac_toname of facpri.c
18341264 ipfstat not reporting log level correctly
 
(from 148380-11)
 
17008193 logsize tunable is ignored by IPF
 
(from 148380-10)
 
17056912 ipfilter may block valid ICMP echo replies
 
(from 148380-09)
 
15709147 Bad Trap panic in fr_fraglookup - probable bad ipfr_hnext pointer
15815851 IPF is a traffic load disbalancer using round-robin for rdr NAT rules
15819422 ipf fr_fraglookup loops in fragments table
 
(from 148380-08)
 
15766564 panic in ip_wput_local() ipha_src and ipha_dst are reversed
 
(from 148380-07)
 
        This revision accumulates generic Sustaining patch 148331-07
        into Solaris S10U11 update.
 
(from 148380-06)
 
        This revision accumulates generic Sustaining patch 148331-06
        into Solaris S10U11 update.
 
(from 148380-05)
 
        This revision accumulates generic Sustaining patch 148331-05
        into Solaris S10U11 update.
 
(from 148380-04)
 
        This revision accumulates generic Sustaining patch 148331-04
        into Solaris S10U11 update.
 
(from 148380-03)
 
        This revision accumulates generic Sustaining patch 148331-03
        into Solaris S10U11 update.
 
(from 148380-02)
 
        This revision accumulates generic Sustaining patch 148331-02
        into Solaris S10U11 update.
 
(from 148380-01)
 
        This revision accumulates generic Sustaining patch 148331-01
        into Solaris S10U11 update.
 
(from 148331-07)
 
7153517 adding some rules to ipf.conf, kernel panic in ipf module
7171465 ipnat -FC command always reports 4 entries flushed
 
(from 148331-06)
 
7132744 ipfstat -io doesn't show subgrouped rules after applying kernel patch
 
(from 148331-05)
 
7154821 auth for outbound packets - backport delta needed
 
(from 148331-04)
 
7041326 IPF auth does not work for outbound packets
 
(from 148331-03)
 
7057409 /dev/ipauth must not harm other devices
 
(from 148331-02)
 
6714319 IPFilter causes failure of IPv6 compliance tests
6813307 memory leaks at frrequest
6857600 IPFilter parser chokes on short IPv6 fragments
6897532 race condition window around fr_enable_active still opened
7033429 "keep state" directive in IPFilter rule(s) is now dropping multicast packets (UDP) randomly
7058343 IPF panic when disabled
7069945 "ipf" module seems to have triggered system panic
 
(from 148331-01)
 
7084781 ippool does not accept IPv6 addresses


Patch Installation Instructions:
--------------------------------
 
Please refer to the man pages for instructions on using 'patchadd'
and 'patchrm' commands provided with Solaris.
 
The following example installs a patch to a standalone machine:
 
       example# patchadd /var/spool/patch/123456-07
 
The following example removes a patch from a standalone system:
 
       example# patchrm 123456-07
 
For additional examples please see the appropriate man pages. Any
other special or non-generic installation instructions should be
described below as special instructions.


Special Install Instructions:
-----------------------------
 
NOTE 1:  For anyone using the round-robin feature in an ipnat configuration,
         it is now possible to specify a round-robin id number after the
         round-robin keyword in NAT rules as follows:
 
rdr net1 203.1.2.3/32 port 80 -> 203.1.2.3,203.1.2.4 port 80 tcp round-robin 1
rdr net1 203.1.2.3/32 port 80 -> 203.1.2.5 port 80 tcp round-robin 1
 
         The trailing "1" is the round-robin id.  Supplying an id number
         forces the round-robin rules with the same id to act together, and
         prevents other rules that match the same packets (whether or not they
         are part of any load balancing) from inadvertently impacting the
         round-robin operation for the specific group of rules.
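
The following audit sketch is an added example, not part of the Oracle README or the ipnat tooling. It reads rdr rules of the shape shown in NOTE 1 and reports rules that match the same packets without sharing one explicit round-robin id. It assumes "same packets" means textually identical interface, destination, port and protocol; the function names and the sample rules on lines 3-5 are constructed for illustration.

```python
import re
from collections import defaultdict

# Recognises only the rdr rule shape shown in NOTE 1; other ipnat syntax
# is out of scope for this sketch.
RDR = re.compile(
    r"^rdr\s+(?P<ifname>\S+)\s+(?P<dst>\S+)\s+port\s+(?P<dport>\S+)\s+->\s+"
    r"(?P<targets>\S+)\s+port\s+(?P<tport>\S+)\s+(?P<proto>\S+)"
    r"(?P<rr>\s+round-robin(?:\s+(?P<rrid>\d+))?)?\s*$"
)
NOT_RR = "not round-robin"
NO_ID = "round-robin without id"

def group_label(m):
    """Return the rule's round-robin id, or a marker when it has none."""
    if m.group("rr") is None:
        return NOT_RR
    return m.group("rrid") or NO_ID

def audit_round_robin(conf_text):
    """Return [(match_key, line_numbers, labels)] for sets of rdr rules that
    match the same packets, include at least one round-robin rule, and do
    not all carry the same explicit round-robin id."""
    by_key = defaultdict(list)
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        m = RDR.match(raw.split("#", 1)[0].strip())  # drop trailing comments
        if m:
            key = (m["ifname"], m["dst"], m["dport"], m["proto"])
            by_key[key].append((lineno, group_label(m)))
    findings = []
    for key, rules in by_key.items():
        labels = sorted({label for _, label in rules})
        uses_rr = any(label != NOT_RR for label in labels)
        one_id = len(labels) == 1 and labels[0].isdigit()
        if len(rules) > 1 and uses_rr and not one_id:
            findings.append((key, [n for n, _ in rules], labels))
    return findings

# Lines 1-2 are the rules from NOTE 1; lines 3-5 are constructed samples.
SAMPLE = """\
rdr net1 203.1.2.3/32 port 80 -> 203.1.2.3,203.1.2.4 port 80 tcp round-robin 1
rdr net1 203.1.2.3/32 port 80 -> 203.1.2.5 port 80 tcp round-robin 1
rdr net1 203.1.2.9/32 port 443 -> 203.1.2.10 port 443 tcp round-robin
rdr net1 203.1.2.9/32 port 443 -> 203.1.2.11 port 443 tcp round-robin 2
rdr net1 203.1.2.20/32 port 25 -> 203.1.2.21 port 25 tcp
"""

if __name__ == "__main__":
    for key, lines, labels in audit_round_robin(SAMPLE):
        print("review lines", lines, "matching", key, "->", labels)
```

Overlapping but non-identical destinations (for example a /24 and a /32 inside it) are not detected by the textual comparison and still need manual review.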


README -- Last modified date: Thursday, January 14, 2021