| #
7d1e5903 |
| 15-Feb-2019 |
Dan McDonald <danmcd@joyent.com> |
10409 ipf sometimes freezes RFC 1323 transfers
Reviewed by: Jason King <jbk@joyent.com>
Reviewed by: Andy Fiddaman <andy@omniosce.org>
Reviewed by: Cody Peter Mello <melloc@writev.io>
Reviewed by: Ge
10409 ipf sometimes freezes RFC 1323 transfers
Reviewed by: Jason King <jbk@joyent.com>
Reviewed by: Andy Fiddaman <andy@omniosce.org>
Reviewed by: Cody Peter Mello <melloc@writev.io>
Reviewed by: Gergő Doma <domag02@gmail.com>
Approved by: Robert Mustacchi <rm@joyent.com>
(cherry picked from commit 7df2681d192fcee541a58a00719b32f8e72ca29a)
show more ...
|
| #
94bdecd9 |
| 19-Sep-2014 |
Rob Gulewich <robert.gulewich@joyent.com> |
5198 Want alternate global zone rule set for each ipf netstack
5197 Global zone should be able to manage NGZ ipf state
Reviewed by: Jerry Jelinek <jerry.jelinek@joyent.com>
Reviewed by: Robert Mustac
5198 Want alternate global zone rule set for each ipf netstack
5197 Global zone should be able to manage NGZ ipf state
Reviewed by: Jerry Jelinek <jerry.jelinek@joyent.com>
Reviewed by: Robert Mustacchi <rm@joyent.com>
Reviewed by: Dan McDonald <danmcd@omniti.com>
Reviewed by: Darren Reed <darrenr@fastmail.net>
Approved by: Richard Lowe <richlowe@richlowe.net>
show more ...
|
| #
0b9f2168 |
| 30-Oct-2013 |
Rob Gulewich <robert.gulewich@joyent.com> |
5199 "bad pkt state alloc" kstats due to echo replies
Reviewed by: Dan McDonald <danmcd@omniti.com>
Reviewed by: Darren Reed <darrenr@fastmail.net>
Approved by: Richard Lowe <richlowe@richlowe.net>
|
| #
6a634c9d |
| 19-Aug-2010 |
Richard Lowe <richlowe@richlowe.net> |
merge with onnv_147
Reviewed by: garrett@nexenta.com
Approved by: garrett@nexenta.com
|
| #
d3edf6ac |
| 13-Aug-2010 |
Jan Parcel <Jan.Parcel@Sun.COM> |
6935086 IPFilter state module cannot handle ip options correctly.
|
| #
231bdc74 |
| 25-Feb-2010 |
Zdenek Kotala <Zdenek.Kotala@Sun.COM> |
6900850 Limit for number of states in the state table is too low by default
6910994 fr_checkstate function does not release ipf_state mutex in some cases
|
| #
e8d569f4 |
| 19-Nov-2009 |
Alexandr Nedvedicky <Alexandr.Nedvedicky@Sun.COM> |
6772643 Packets dropped at ipfil_sendpkt if interface index is set at plumb time
6891782 ipftest fails to run
6897532 Race condition window arround fr_enable_active is still opened
6897632 nic_event_
6772643 Packets dropped at ipfil_sendpkt if interface index is set at plumb time
6891782 ipftest fails to run
6897532 Race condition window arround fr_enable_active is still opened
6897632 nic_event_v* hook should check if IPF is running before it will proceed further
show more ...
|
| #
6ccacea7 |
| 17-Jun-2009 |
Alexandr Nedvedicky <Alexandr.Nedvedicky@Sun.COM> |
6845913 fr_make_icmp_*() uses TH_SYN/TH_FIN for testing fin_flx - it's not the intention
6827271 ipfilter TCP state emulation ends up in 5/0 state (Established/Closed)
6562745 Adapt a better TCP stat
6845913 fr_make_icmp_*() uses TH_SYN/TH_FIN for testing fin_flx - it's not the intention
6827271 ipfilter TCP state emulation ends up in 5/0 state (Established/Closed)
6562745 Adapt a better TCP statemachine emulation (fr_tcp_age()) from upstream version
show more ...
|
| #
33f2fefd |
| 27-Jan-2009 |
Darren Reed <Darren.Reed@Sun.COM> |
5008943 /etc/init.d/ipfboot pause/resume functionality broken
5010756 "\" in configuration file does not work correctly
6181489 ipfilter sends out confusing messages.
6449288 Makefiles in usr/src/cmd
5008943 /etc/init.d/ipfboot pause/resume functionality broken
5010756 "\" in configuration file does not work correctly
6181489 ipfilter sends out confusing messages.
6449288 Makefiles in usr/src/cmd/ipf are missing CDDL
6449291 package prototype files in usr/src/pkgdefs/SUNWipfh missing CDDL
6508325 stale pfil-related rules in Makefile.rules
6661948 ipmon.pid file can be rendered invisible
6714319 IPFilter causes failure of IPv6 compliance tests.
6766614 fin_state costs more than it is worth
6767239 fin_nat causes more trouble than it is worth
6788299 Array overrun in ipfilter
6789766 ipfs usage output is misleading
6792026 ipnat panics in Divide zero exception
show more ...
|
| #
43412a42 |
| 29-Dec-2008 |
Darren Reed <Darren.Reed@Sun.COM> |
6749429 printing out of fragment information is confused
6749445 ipfstat -f does not show ttl but rather expiration tick
6783820 IPF preauth crash
6730356 legacy test regressions: i2, i4, i11
|
| #
ea8244dc |
| 20-Nov-2008 |
John Ojemann <John.Ojemann@Sun.COM> |
6677460 ipfilter automatic flushing of state table entries needs to work the same as it does for NAT
6566976 state limit check works when limit is reached only
6566982 state limit is not check when i
6677460 ipfilter automatic flushing of state table entries needs to work the same as it does for NAT
6566976 state limit check works when limit is reached only
6566982 state limit is not check when inserting states via IOCTL
show more ...
|
| #
40cdc2e8 |
| 26-Sep-2008 |
Alexandr Nedvedicky <Alexandr.Nedvedicky@Sun.COM> |
6743637 ipfstat prints certain certain counters two times
6744095 fix c-style in ip_state.c in fr_matchstate() et. al.
6744100 add a comment for CR 6653172 to fil.c
6725139 OOW problem still present
6743637 ipfstat prints certain certain counters two times
6744095 fix c-style in ip_state.c in fr_matchstate() et. al.
6744100 add a comment for CR 6653172 to fil.c
6725139 OOW problem still present after a patch 127888-09 has been applied
6657378 IPF address pools does not match addresses reliably for IPv6
6726717 IPF persistent tunables still don't work with stack instances
6743002 ipf_property_update() is too picky
6731974 incorrect calculation in fr_pullup
6749974 IPF does not know whether packet comes from local client (loopback) or from NIC interface
show more ...
|
| #
dc0749f3 |
| 15-Sep-2008 |
John Ojemann <John.Ojemann@Sun.COM> |
6744741 IPfilter: fr_movequeue() should be made more efficient to improve performance
|
| #
bb1d9de5 |
| 28-Aug-2008 |
John Ojemann <John.Ojemann@Sun.COM> |
6723135 IPfilter: It's possible for tcp fragments to be mishandled when nat is involved.
6716698 ipfilter: SIOCSTLCK ioctls call fr_lock() function without any error checking
6528022 IPfilter does no
6723135 IPfilter: It's possible for tcp fragments to be mishandled when nat is involved.
6716698 ipfilter: SIOCSTLCK ioctls call fr_lock() function without any error checking
6528022 IPfilter does not handle any bcopy failures correctly (if at all).
6714976 ipfilter: keep state doesn't interact properly with multicast
show more ...
|
| #
5b48165c |
| 28-Aug-2008 |
John Ojemann <John.Ojemann@Sun.COM> |
6713984 if a nat entry is created, but the packet gets blocked, the entry should be removed
6718524 ipfilter incorrectly tracks and handles orphan state table and nat table entries
6742115 IPfilter:
6713984 if a nat entry is created, but the packet gets blocked, the entry should be removed
6718524 ipfilter incorrectly tracks and handles orphan state table and nat table entries
6742115 IPfilter: NAT entries added with SIOCSTPUT are ignored if no rules exist.
6528443 ipnat -l shows more sessions than ipf_nattable_max
show more ...
|
| #
90907f62 |
| 14-Aug-2008 |
John Ojemann <John.Ojemann@Sun.COM> |
6644693 ipf panics because fnew.fin_qfm is not initialized in fr_send_ip()
6715082 ipfilter: can't delete a state entry using SIOCDELST ioctl
6732960 with a bit of massaging, a couple more NAT locks
6644693 ipf panics because fnew.fin_qfm is not initialized in fr_send_ip()
6715082 ipfilter: can't delete a state entry using SIOCDELST ioctl
6732960 with a bit of massaging, a couple more NAT locks can be unlocked
show more ...
|
| #
ab073b32 |
| 01-Aug-2008 |
dr146992 <none@none> |
6726575 ipfilter needs to be able to do randomised port mapping
6730614 random port numbers are in the wrong range of numbers
|
| #
cbded9ae |
| 19-Jul-2008 |
dr146992 <none@none> |
6719268 enabling ipfilter causes up to 80% or more drop in packet throughput for multi-stream workloads
6721215 ipfilter panic in ipf:fr_derefrule after restoring state table
6723213 IPfilter: NAT su
6719268 enabling ipfilter causes up to 80% or more drop in packet throughput for multi-stream workloads
6721215 ipfilter panic in ipf:fr_derefrule after restoring state table
6723213 IPfilter: NAT suffers performance hit by holding exclusive locks longer than required
show more ...
|
| #
f17d2b41 |
| 15-May-2008 |
an207044 <none@none> |
6505685 Problems with applying "to" rule in IP Filter
6562635 TCP options are not processed correctly
6562648 IPF may drop connection, which chooses to scale window
6562721 IPF should also check SACK
6505685 Problems with applying "to" rule in IP Filter
6562635 TCP options are not processed correctly
6562648 IPF may drop connection, which chooses to scale window
6562721 IPF should also check SACK when doing stateful inspection
6595876 state timer should be reset when retransmission is seen
6651775 ipf does not handle half estab. connections well (conn. hangs with connection match result 4/0)
show more ...
|
| #
786c7074 |
| 30-Apr-2008 |
jojemann <none@none> |
6685076 ippool and other ipf utilities have possible race condition
6685092 ipfilter list processing function(s) have unsafe edge case(s)
|
| #
44aaa2b6 |
| 25-Mar-2008 |
jojemann <none@none> |
6658611 ipfilter / panic rw_enter: bad rwlock
6675192 fr_timeoutstate stumbles over freed timeout (causing system panic) if state has age information
|
| #
52239d04 |
| 21-Mar-2008 |
an207044 <none@none> |
6599779 two state entries might be created for single TCP connection
|
| #
90b0a856 |
| 06-Nov-2007 |
jojemann <none@none> |
6603271 ipnat -l demonstrates inconsistent behavior and can cause system to hang or panic
|
| #
0e01ff8b |
| 15-Sep-2007 |
dr146992 <none@none> |
6588495 IP can use the wrong interface for filtering/qos
6599516 locking in fr_natderef causes lock contention and performance drop
|
| #
1e6b25a4 |
| 11-Jun-2007 |
an207044 <none@none> |
6531894 IPF blocks TCP SYN packets for connections in TIME_WAIT state -> some clients can't reconnect
|