5733 ipf should only forward when forwarding is enabled Reviewed by: Dan McDonald <danmcd@omniti.com> Approved by: Garrett D'Amore <garrett@damore.org>

5198 Want alternate global zone rule set for each ipf netstack 5197 Global zone should be able to manage NGZ ipf state Reviewed by: Jerry Jelinek <jerry.jelinek@joyent.com> Reviewed by: Robert Mustacchi <rm@joyent.com> Reviewed by: Dan McDonald <danmcd@omniti.com> Reviewed by: Darren Reed <darrenr@fastmail.net> Approved by: Richard Lowe <richlowe@richlowe.net>

5200 ipf_stack_destroy error messages when halting zones Reviewed by: Robert Mustacchi <rm@joyent.com> Reviewed by: Igor Kozhukhov <ikozhukhov@gmail.com> Reviewed by: Dan McDonald <danmcd@omniti.com> Reviewed by: Darren Reed <darrenr@fastmail.net> Approved by: Richard Lowe <richlowe@richlowe.net>

4787 ipf: remove rate_limit_message Reviewed by: Hans Rosenfeld <hans.rosenfeld@nexenta.com> Reviewed by: Robert Mustacchi <rm@joyent.com> Reviewed by: David Höppner <0xffea@gmail.com> Approved by: Richard Lowe <richlowe@richlowe.net>

6912962 Need to compute chksum for packet duped on loopback interface 6929403 IPF should discard packet silently on OOW event

PSARC 2009/542 Increase the maximum value of NGROUPS_MAX to 1024 4088757 Customer would like to increase ngroups_max more than 32 6853435 Many files incorrectly include the private <sys/cred_impl.h>

6772643 Packets dropped at ipfil_sendpkt if interface index is set at plumb time 6891782 ipftest fails to run 6897532 Race condition window arround fr_enable_active is still opened 6897632 nic_event_v* hook should check if IPF is running before it will proceed further

6859313 large number of rules in ipfilter decreases throughput performance

6845913 fr_make_icmp_*() uses TH_SYN/TH_FIN for testing fin_flx - it's not the intention 6827271 ipfilter TCP state emulation ends up in 5/0 state (Established/Closed) 6562745 Adapt a better TCP statemachine emulation (fr_tcp_age()) from upstream version

6688940 ipf module panicked in get_unit() on NULL pointer 6806909 panic[cpu1]/thread=c9089dc0: assertion failed: zoneid != ALL_ZONES, file: ../../common/inet/ip/ip.c 6770007 certain IPv6 NAT rules send out packets with link-local address 6744109 incorrect processing of IPv6 fragments in IPfilter NAT v6 6807986 fin_flen serves no purpose. 6808921 some comments describing what cvwaitlock_t would be nice 6829227 ipfil_sendpkt() may trigger panic 6813307 memory leaks at frrequest

6747420 ipfilter fr_send_reset()/fr_send_icmp() does not work for loopback clients

5008943 /etc/init.d/ipfboot pause/resume functionality broken 5010756 "\" in configuration file does not work correctly 6181489 ipfilter sends out confusing messages. 6449288 Makefiles in usr/src/cmd/ipf are missing CDDL 6449291 package prototype files in usr/src/pkgdefs/SUNWipfh missing CDDL 6508325 stale pfil-related rules in Makefile.rules 6661948 ipmon.pid file can be rendered invisible 6714319 IPFilter causes failure of IPv6 compliance tests. 6766614 fin_state costs more than it is worth 6767239 fin_nat causes more trouble than it is worth 6788299 Array overrun in ipfilter 6789766 ipfs usage output is misleading 6792026 ipnat panics in Divide zero exception

6743637 ipfstat prints certain certain counters two times 6744095 fix c-style in ip_state.c in fr_matchstate() et. al. 6744100 add a comment for CR 6653172 to fil.c 6725139 OOW problem still present after a patch 127888-09 has been applied 6657378 IPF address pools does not match addresses reliably for IPv6 6726717 IPF persistent tunables still don't work with stack instances 6743002 ipf_property_update() is too picky 6731974 incorrect calculation in fr_pullup 6749974 IPF does not know whether packet comes from local client (loopback) or from NIC interface

PSARC/2008/219 Committed API for packet interception PSARC/2008/335 Corrections for Committed API for packet interception PSARC/2008/557 Revision to net instance notification API 4844507 Solaris needs stable interface for packet filtering software 6705155 ipf_stack_init() assumes kmem_alloc with KM_NOSLEEP never fails

6723135 IPfilter: It's possible for tcp fragments to be mishandled when nat is involved. 6716698 ipfilter: SIOCSTLCK ioctls call fr_lock() function without any error checking 6528022 IPfilter does not handle any bcopy failures correctly (if at all). 6714976 ipfilter: keep state doesn't interact properly with multicast

6644693 ipf panics because fnew.fin_qfm is not initialized in fr_send_ip() 6715082 ipfilter: can't delete a state entry using SIOCDELST ioctl 6732960 with a bit of massaging, a couple more NAT locks can be unlocked

PSARC 2008/250 ipv6 NAT for IPFilter 6600474 RFE: Need ipv6 support on NAT

6719268 enabling ipfilter causes up to 80% or more drop in packet throughput for multi-stream workloads 6721215 ipfilter panic in ipf:fr_derefrule after restoring state table 6723213 IPfilter: NAT suffers performance hit by holding exclusive locks longer than required

6685044 enabling ipf more than once could cause iplattach() to be called multiple times

6658611 ipfilter / panic rw_enter: bad rwlock 6675192 fr_timeoutstate stumbles over freed timeout (causing system panic) if state has age information

6499463 need ill-specific hook_nic_event_t creation and destruction routines 6513410 memory allocated in ip_sioctl_removeif() leaks 6606816 ipf_expiretokens is not called to free up tokens 6622346 ipftuneable_alloc doesn't set fr_defnatipage or ipf_loopback

PSARC/2007/666 Broadcast/multicast packet notification through pfhooks 6633786 ipfilter with no mbcast not working as expected 6645812 GLD packets are not flagged correctly as multicast/broadcast

6538379 PBR and explicit forwarding and HW checksum mangles UDP checksums 6554129 Policy-based routing leaks IPSEC_OUT mblks when IPsec policy is involved on the PBR-affected packets 6564974 upgrade(s10hw2->s10u4_08) - bad link /dev/pfil

6565376 NULL pointer panic in fr_authexpire

6544307 ipfilter does not handle address changes correctly 6544673 dynamic network interfaces don't work with IP Filter

6483377 ipfilter option reply-to not working

PSARC 2006/366 IP Instances 6289221 RFE: Need virtualized ip-stack for each local zone 6512601 panic in ipsec_in_tag - allocation failure 6514637 error message from dhcpagent: add_pkt_opt: option type 60 is missing required value 6364643 RFE: allow persistent setting of interface flags per zone 6307539 RFE: Invalid network address causes zone boot failure 5041214 Allow IPMP configuration with zones 5005887 RFE: zoneadmd should support plumbing an interface via DHCP 4991139 RFE: zones should provide a mechanism to configure a defaultrouter for a zone 6218378 zoneadmd doesn't set the netmask for non-loopback addresses hosted on lo0 4963280 zones: need to virtualize the IPv6 default address selection mechanism 4963285 zones: need support of stateless address autoconfiguration for IPv6 5048068 zones don't boot if one of its interfaces has failed 5057154 RFE: ability to change interface status from within a zone 4963287 zones should support the plumbing of the first (and only) logical interface 4978517 TCP privileged port space should be partitioned per zone 5023347 zones don't work well with network routes other than default 4963372 investigate whether global zone can act as a router for local zones 6378364 RFE: Allow each zone to have its own virtual IPFilter

6493109 pfil SMF service isn't removed on an upgrade 6498408 fr_slowtimer is inactive 6498986 ipfilter complains bad l4 checksum for loopback packets which hit ftp proxy rules

6343157 svcadm disable ipfilter does not flush the rules 6484763 PFHOOKS breaks post-ACQUIRE ESP processing 6485599 msgpullup/pullupmsg now implies either M_DATA or M_MULTIDATA 6485731 panic in fil.c trying to release ipf_mutex while not held 6485761 ipfilter kernel module always enables itself on load 6485781 mutex_enter: bad mutex in ipflog_read 6485943 MSG_FWCOOKED_* survived attempted genocide 6486513 too much of a good thing can be bad 6486575 use ipf -D twice will panic the system 6487360 physical_in hook inserted twice into ip_input() for onnv putback

PSARC/2005/334 Packet Filtering Hooks PSARC/2006/321 ARP packet filtering Hooks 6401219 use of pullupmsg() considered destructive - clears h/w checksum flags 6418698 PSARC/2005/334 - Packet Filtering Hooks API 6449290 package prototype files in usr/src/pkgdefs/SUNWipfr missing CDDL 6449292 package prototype files in usr/src/pkgdefs/SUNWipfu missing CDDL 6449296 Makefiles for ipf kernel module building missing CDDL 6473996 "fastroute" + "nat" packets cause memory leaks in ipfilter --HG-- rename : usr/src/cmd/ipf/etc/pfil.ap.sh => deleted_files/usr/src/cmd/ipf/etc/pfil.ap.sh rename : usr/src/cmd/ipf/pfild/Makefile => deleted_files/usr/src/cmd/ipf/pfild/Makefile rename : usr/src/cmd/ipf/pfild/pfild.c => deleted_files/usr/src/cmd/ipf/pfild/pfild.c rename : usr/src/cmd/ipf/pfild/vas.c => deleted_files/usr/src/cmd/ipf/pfild/vas.c rename : usr/src/cmd/ipf/svc/pfil => deleted_files/usr/src/cmd/ipf/svc/pfil rename : usr/src/cmd/ipf/svc/pfil.xml => deleted_files/usr/src/cmd/ipf/svc/pfil.xml rename : usr/src/uts/common/inet/pfil/compat.h => deleted_files/usr/src/uts/common/inet/pfil/compat.h rename : usr/src/uts/common/inet/pfil/ndd.c => deleted_files/usr/src/uts/common/inet/pfil/ndd.c rename : usr/src/uts/common/inet/pfil/os.h => deleted_files/usr/src/uts/common/inet/pfil/os.h rename : usr/src/uts/common/inet/pfil/pfil.c => deleted_files/usr/src/uts/common/inet/pfil/pfil.c rename : usr/src/uts/common/inet/pfil/pfil.conf => deleted_files/usr/src/uts/common/inet/pfil/pfil.conf rename : usr/src/uts/common/inet/pfil/pfil.h => deleted_files/usr/src/uts/common/inet/pfil/pfil.h rename : usr/src/uts/common/inet/pfil/pfild.h => deleted_files/usr/src/uts/common/inet/pfil/pfild.h rename : usr/src/uts/common/inet/pfil/pfildrv.c => deleted_files/usr/src/uts/common/inet/pfil/pfildrv.c rename : usr/src/uts/common/inet/pfil/pfilstream.c => deleted_files/usr/src/uts/common/inet/pfil/pfilstream.c rename : usr/src/uts/common/inet/pfil/pkt.c => deleted_files/usr/src/uts/common/inet/pfil/pkt.c rename : usr/src/uts/common/inet/pfil/qif.c => deleted_files/usr/src/uts/common/inet/pfil/qif.c rename : usr/src/uts/common/inet/pfil/qif.h => deleted_files/usr/src/uts/common/inet/pfil/qif.h rename : usr/src/uts/intel/pfil/Makefile => deleted_files/usr/src/uts/intel/pfil/Makefile rename : usr/src/uts/sparc/pfil/Makefile => deleted_files/usr/src/uts/sparc/pfil/Makefile rename : usr/src/uts/common/inet/pfil/misc.c => usr/src/uts/common/inet/ipf/misc.c

6457432 wrong icmp packet replied when combining rdr rules and block return-icmp-as-dest(port-unr)

PSARC 2005/707 Surya: Forwarding Performance Enhancement 6385609 Solaris has poor V4 forwarding throughput --HG-- rename : usr/src/uts/common/inet/ipf/radix.c => usr/src/common/net/patricia/radix.c rename : deleted_files/usr/src/uts/common/inet/ipf/radix.h => usr/src/uts/common/net/radix.h

6453470 packet cannot be sent out with policy based routing and NAT

PSARC 2006/082 IP Filter Code Merge on ip_fil4.1.9 4912568 ipftest ipf ipfstat ipnat ippool need a non-name resolution flag 5040248 ipfs -W fails to save kernel state tables 5081834 syntax parser reports wrong error position and line number 5094575 keyword "netmask" is un-supported in ipnat.conf (4) 6181751 ipf parser fails on wrong subnet notations 6181773 ipf parser fails on wrong port ranges 6248745 ipnat drops packets if the IP header is not 32 bit aligned 6340621 RFE: IP Filter code merge on ip_fil4.1.9 6359805 ipf command incorrectly check options in rules and core dumps 6395837 ipnat tcpudp parsing is incomplete 6426469 IPFilter rejects IPv6 neighbour discovery packets 6447872 usr/src/common/ipf/ip_compat.h should not be CDDL --HG-- rename : usr/src/common/ipf/bpf-ipf.h => usr/src/uts/common/inet/ipf/bpf-ipf.h rename : usr/src/common/ipf/fil.c => usr/src/uts/common/inet/ipf/fil.c rename : usr/src/common/ipf/ip_auth.c => usr/src/uts/common/inet/ipf/ip_auth.c rename : usr/src/common/ipf/ip_fil_solaris.c => usr/src/uts/common/inet/ipf/ip_fil_solaris.c rename : usr/src/common/ipf/ip_frag.c => usr/src/uts/common/inet/ipf/ip_frag.c rename : usr/src/common/ipf/ip_htable.c => usr/src/uts/common/inet/ipf/ip_htable.c rename : usr/src/common/ipf/ip_log.c => usr/src/uts/common/inet/ipf/ip_log.c rename : usr/src/common/ipf/ip_lookup.c => usr/src/uts/common/inet/ipf/ip_lookup.c rename : usr/src/common/ipf/ip_nat.c => usr/src/uts/common/inet/ipf/ip_nat.c rename : usr/src/common/ipf/ip_pool.c => usr/src/uts/common/inet/ipf/ip_pool.c rename : usr/src/common/ipf/ip_proxy.c => usr/src/uts/common/inet/ipf/ip_proxy.c rename : usr/src/common/ipf/ip_state.c => usr/src/uts/common/inet/ipf/ip_state.c rename : usr/src/common/ipf/ipf.h => usr/src/uts/common/inet/ipf/ipf.h rename : usr/src/common/ipf/ipmon.h => usr/src/uts/common/inet/ipf/ipmon.h rename : usr/src/common/ipf/ipt.h => usr/src/uts/common/inet/ipf/ipt.h rename : usr/src/common/ipf/Makefile => usr/src/uts/common/inet/ipf/netinet/Makefile rename : usr/src/common/ipf/ip_auth.h => usr/src/uts/common/inet/ipf/netinet/ip_auth.h rename : usr/src/common/ipf/ip_compat.h => usr/src/uts/common/inet/ipf/netinet/ip_compat.h rename : usr/src/common/ipf/ip_fil.h => usr/src/uts/common/inet/ipf/netinet/ip_fil.h rename : usr/src/common/ipf/ip_frag.h => usr/src/uts/common/inet/ipf/netinet/ip_frag.h rename : usr/src/common/ipf/ip_ftp_pxy.c => usr/src/uts/common/inet/ipf/netinet/ip_ftp_pxy.c rename : usr/src/common/ipf/ip_h323_pxy.c => usr/src/uts/common/inet/ipf/netinet/ip_h323_pxy.c rename : usr/src/common/ipf/ip_htable.h => usr/src/uts/common/inet/ipf/netinet/ip_htable.h rename : usr/src/common/ipf/ip_ipsec_pxy.c => usr/src/uts/common/inet/ipf/netinet/ip_ipsec_pxy.c rename : usr/src/common/ipf/ip_irc_pxy.c => usr/src/uts/common/inet/ipf/netinet/ip_irc_pxy.c rename : usr/src/common/ipf/ip_lookup.h => usr/src/uts/common/inet/ipf/netinet/ip_lookup.h rename : usr/src/common/ipf/ip_nat.h => usr/src/uts/common/inet/ipf/netinet/ip_nat.h rename : usr/src/common/ipf/ip_netbios_pxy.c => usr/src/uts/common/inet/ipf/netinet/ip_netbios_pxy.c rename : usr/src/common/ipf/ip_pool.h => usr/src/uts/common/inet/ipf/netinet/ip_pool.h rename : usr/src/common/ipf/ip_proxy.h => usr/src/uts/common/inet/ipf/netinet/ip_proxy.h rename : usr/src/common/ipf/ip_raudio_pxy.c => usr/src/uts/common/inet/ipf/netinet/ip_raudio_pxy.c rename : usr/src/common/ipf/ip_rcmd_pxy.c => usr/src/uts/common/inet/ipf/netinet/ip_rcmd_pxy.c rename : usr/src/common/ipf/ip_rpcb_pxy.c => usr/src/uts/common/inet/ipf/netinet/ip_rpcb_pxy.c rename : usr/src/common/ipf/ip_state.h => usr/src/uts/common/inet/ipf/netinet/ip_state.h rename : usr/src/common/ipf/ipl.h => usr/src/uts/common/inet/ipf/netinet/ipl.h rename : usr/src/common/ipf/opts.h => usr/src/uts/common/inet/ipf/opts.h rename : usr/src/common/ipf/radix.c => usr/src/uts/common/inet/ipf/radix.c rename : usr/src/common/ipf/radix.h => usr/src/uts/common/inet/ipf/radix.h rename : usr/src/common/ipf/solaris.c => usr/src/uts/common/inet/ipf/solaris.c rename : usr/src/uts/common/inet/ipf/compat.h => usr/src/uts/common/inet/pfil/compat.h rename : usr/src/uts/common/inet/ipf/misc.c => usr/src/uts/common/inet/pfil/misc.c rename : usr/src/uts/common/inet/ipf/ndd.c => usr/src/uts/common/inet/pfil/ndd.c rename : usr/src/uts/common/inet/ipf/os.h => usr/src/uts/common/inet/pfil/os.h rename : usr/src/uts/common/inet/ipf/pfil.c => usr/src/uts/common/inet/pfil/pfil.c rename : usr/src/uts/common/inet/ipf/pfil.conf => usr/src/uts/common/inet/pfil/pfil.conf rename : usr/src/uts/common/inet/ipf/pfil.h => usr/src/uts/common/inet/pfil/pfil.h rename : usr/src/common/ipf/pfild.h => usr/src/uts/common/inet/pfil/pfild.h rename : usr/src/uts/common/inet/ipf/pfildrv.c => usr/src/uts/common/inet/pfil/pfildrv.c rename : usr/src/uts/common/inet/ipf/pfilstream.c => usr/src/uts/common/inet/pfil/pfilstream.c rename : usr/src/uts/common/inet/ipf/pkt.c => usr/src/uts/common/inet/pfil/pkt.c rename : usr/src/uts/common/inet/ipf/qif.c => usr/src/uts/common/inet/pfil/qif.c rename : usr/src/uts/common/inet/ipf/qif.h => usr/src/uts/common/inet/pfil/qif.h