14630 ipf return-rst does not work without IP forwarding
Reviewed by: Dan McDonald <danmcd@mnx.io>
Approved by: Robert Mustacchi <rm@fingolfin.org>

12679 want viona driver for bhyve
Portions contributed by: Ryan Zezeski <rpz@joyent.com>
Portions contributed by: John Levon <john.levon@joyent.com>
Portions contributed by: Jason King <j

12679 want viona driver for bhyve
Portions contributed by: Ryan Zezeski <rpz@joyent.com>
Portions contributed by: John Levon <john.levon@joyent.com>
Portions contributed by: Jason King <jason.king@joyent.com>
Portions contributed by: Robert Mustacchi <rm@joyent.com>
Portions contributed by: Bryan Cantrill <bryan@joyent.com>
Reviewed by: Ryan Zezeski <ryan@zinascii.com>
Approved by: Dan McDonald <danmcd@joyent.com>

show more ...

12671 hcksum routines are too verbose
12672 want mac_hcksum_clone function
Reviewed by: Robert Mustacchi <rm@joyent.com>
Reviewed by: Ryan Zezeski <rpz@joyent.com>
Approved by: Robert

12671 hcksum routines are too verbose
12672 want mac_hcksum_clone function
Reviewed by: Robert Mustacchi <rm@joyent.com>
Reviewed by: Ryan Zezeski <rpz@joyent.com>
Approved by: Robert Mustacchi <rm@fingolfin.org>

show more ...

5733 ipf should only forward when forwarding is enabled
Reviewed by: Dan McDonald <danmcd@omniti.com>
Approved by: Garrett D'Amore <garrett@damore.org>

5198 Want alternate global zone rule set for each ipf netstack
5197 Global zone should be able to manage NGZ ipf state
Reviewed by: Jerry Jelinek <jerry.jelinek@joyent.com>
Reviewed by: R

5198 Want alternate global zone rule set for each ipf netstack
5197 Global zone should be able to manage NGZ ipf state
Reviewed by: Jerry Jelinek <jerry.jelinek@joyent.com>
Reviewed by: Robert Mustacchi <rm@joyent.com>
Reviewed by: Dan McDonald <danmcd@omniti.com>
Reviewed by: Darren Reed <darrenr@fastmail.net>
Approved by: Richard Lowe <richlowe@richlowe.net>

show more ...

5200 ipf_stack_destroy error messages when halting zones
Reviewed by: Robert Mustacchi <rm@joyent.com>
Reviewed by: Igor Kozhukhov <ikozhukhov@gmail.com>
Reviewed by: Dan McDonald <danmcd

5200 ipf_stack_destroy error messages when halting zones
Reviewed by: Robert Mustacchi <rm@joyent.com>
Reviewed by: Igor Kozhukhov <ikozhukhov@gmail.com>
Reviewed by: Dan McDonald <danmcd@omniti.com>
Reviewed by: Darren Reed <darrenr@fastmail.net>
Approved by: Richard Lowe <richlowe@richlowe.net>

show more ...

4787 ipf: remove rate_limit_message
Reviewed by: Hans Rosenfeld <hans.rosenfeld@nexenta.com>
Reviewed by: Robert Mustacchi <rm@joyent.com>
Reviewed by: David H&#246;ppner <0xffea@gmail.com>

4787 ipf: remove rate_limit_message
Reviewed by: Hans Rosenfeld <hans.rosenfeld@nexenta.com>
Reviewed by: Robert Mustacchi <rm@joyent.com>
Reviewed by: David H&#246;ppner <0xffea@gmail.com>
Approved by: Richard Lowe <richlowe@richlowe.net>

show more ...

6912962 Need to compute chksum for packet duped on loopback interface
6929403 IPF should discard packet silently on OOW event

PSARC 2009/542 Increase the maximum value of NGROUPS_MAX to 1024
4088757 Customer would like to increase ngroups_max more than 32
6853435 Many files incorrectly include the private <sys/cred_

PSARC 2009/542 Increase the maximum value of NGROUPS_MAX to 1024
4088757 Customer would like to increase ngroups_max more than 32
6853435 Many files incorrectly include the private <sys/cred_impl.h>

show more ...

6772643 Packets dropped at ipfil_sendpkt if interface index is set at plumb time
6891782 ipftest fails to run
6897532 Race condition window arround fr_enable_active is still opened
689763

6772643 Packets dropped at ipfil_sendpkt if interface index is set at plumb time
6891782 ipftest fails to run
6897532 Race condition window arround fr_enable_active is still opened
6897632 nic_event_v* hook should check if IPF is running before it will proceed further

show more ...

6859313 large number of rules in ipfilter decreases throughput performance

6845913 fr_make_icmp_*() uses TH_SYN/TH_FIN for testing fin_flx - it's not the intention
6827271 ipfilter TCP state emulation ends up in 5/0 state (Established/Closed)
6562745 Adapt a better

6845913 fr_make_icmp_*() uses TH_SYN/TH_FIN for testing fin_flx - it's not the intention
6827271 ipfilter TCP state emulation ends up in 5/0 state (Established/Closed)
6562745 Adapt a better TCP statemachine emulation (fr_tcp_age()) from upstream version

show more ...

6688940 ipf module panicked in get_unit() on NULL pointer
6806909 panic[cpu1]/thread=c9089dc0: assertion failed: zoneid != ALL_ZONES, file: ../../common/inet/ip/ip.c
6770007 certain IPv6 NAT

6688940 ipf module panicked in get_unit() on NULL pointer
6806909 panic[cpu1]/thread=c9089dc0: assertion failed: zoneid != ALL_ZONES, file: ../../common/inet/ip/ip.c
6770007 certain IPv6 NAT rules send out packets with link-local address
6744109 incorrect processing of IPv6 fragments in IPfilter NAT v6
6807986 fin_flen serves no purpose.
6808921 some comments describing what cvwaitlock_t would be nice
6829227 ipfil_sendpkt() may trigger panic
6813307 memory leaks at frrequest

show more ...

6747420 ipfilter fr_send_reset()/fr_send_icmp() does not work for loopback clients

5008943 /etc/init.d/ipfboot pause/resume functionality broken
5010756 "\" in configuration file does not work correctly
6181489 ipfilter sends out confusing messages.
6449288 Makefiles in

5008943 /etc/init.d/ipfboot pause/resume functionality broken
5010756 "\" in configuration file does not work correctly
6181489 ipfilter sends out confusing messages.
6449288 Makefiles in usr/src/cmd/ipf are missing CDDL
6449291 package prototype files in usr/src/pkgdefs/SUNWipfh missing CDDL
6508325 stale pfil-related rules in Makefile.rules
6661948 ipmon.pid file can be rendered invisible
6714319 IPFilter causes failure of IPv6 compliance tests.
6766614 fin_state costs more than it is worth
6767239 fin_nat causes more trouble than it is worth
6788299 Array overrun in ipfilter
6789766 ipfs usage output is misleading
6792026 ipnat panics in Divide zero exception

show more ...

6743637 ipfstat prints certain certain counters two times
6744095 fix c-style in ip_state.c in fr_matchstate() et. al.
6744100 add a comment for CR 6653172 to fil.c
6725139 OOW problem st

6743637 ipfstat prints certain certain counters two times
6744095 fix c-style in ip_state.c in fr_matchstate() et. al.
6744100 add a comment for CR 6653172 to fil.c
6725139 OOW problem still present after a patch 127888-09 has been applied
6657378 IPF address pools does not match addresses reliably for IPv6
6726717 IPF persistent tunables still don't work with stack instances
6743002 ipf_property_update() is too picky
6731974 incorrect calculation in fr_pullup
6749974 IPF does not know whether packet comes from local client (loopback) or from NIC interface

show more ...

PSARC/2008/219 Committed API for packet interception
PSARC/2008/335 Corrections for Committed API for packet interception
PSARC/2008/557 Revision to net instance notification API
4844507

PSARC/2008/219 Committed API for packet interception
PSARC/2008/335 Corrections for Committed API for packet interception
PSARC/2008/557 Revision to net instance notification API
4844507 Solaris needs stable interface for packet filtering software
6705155 ipf_stack_init() assumes kmem_alloc with KM_NOSLEEP never fails

show more ...

6723135 IPfilter: It's possible for tcp fragments to be mishandled when nat is involved.
6716698 ipfilter: SIOCSTLCK ioctls call fr_lock() function without any error checking
6528022 IPfilter

6723135 IPfilter: It's possible for tcp fragments to be mishandled when nat is involved.
6716698 ipfilter: SIOCSTLCK ioctls call fr_lock() function without any error checking
6528022 IPfilter does not handle any bcopy failures correctly (if at all).
6714976 ipfilter: keep state doesn't interact properly with multicast

show more ...

6644693 ipf panics because fnew.fin_qfm is not initialized in fr_send_ip()
6715082 ipfilter: can't delete a state entry using SIOCDELST ioctl
6732960 with a bit of massaging, a couple more NA

6644693 ipf panics because fnew.fin_qfm is not initialized in fr_send_ip()
6715082 ipfilter: can't delete a state entry using SIOCDELST ioctl
6732960 with a bit of massaging, a couple more NAT locks can be unlocked

show more ...

PSARC 2008/250 ipv6 NAT for IPFilter
6600474 RFE: Need ipv6 support on NAT

6719268 enabling ipfilter causes up to 80% or more drop in packet throughput for multi-stream workloads
6721215 ipfilter panic in ipf:fr_derefrule after restoring state table
6723213 IPfilter

6719268 enabling ipfilter causes up to 80% or more drop in packet throughput for multi-stream workloads
6721215 ipfilter panic in ipf:fr_derefrule after restoring state table
6723213 IPfilter: NAT suffers performance hit by holding exclusive locks longer than required

show more ...

6685044 enabling ipf more than once could cause iplattach() to be called multiple times

6658611 ipfilter / panic rw_enter: bad rwlock
6675192 fr_timeoutstate stumbles over freed timeout (causing system panic) if state has age information

6499463 need ill-specific hook_nic_event_t creation and destruction routines
6513410 memory allocated in ip_sioctl_removeif() leaks
6606816 ipf_expiretokens is not called to free up tokens

6499463 need ill-specific hook_nic_event_t creation and destruction routines
6513410 memory allocated in ip_sioctl_removeif() leaks
6606816 ipf_expiretokens is not called to free up tokens
6622346 ipftuneable_alloc doesn't set fr_defnatipage or ipf_loopback

show more ...

PSARC/2007/666 Broadcast/multicast packet notification through pfhooks
6633786 ipfilter with no mbcast not working as expected
6645812 GLD packets are not flagged correctly as multicast/broad

PSARC/2007/666 Broadcast/multicast packet notification through pfhooks
6633786 ipfilter with no mbcast not working as expected
6645812 GLD packets are not flagged correctly as multicast/broadcast

show more ...