NetBSD-Bugs archive


PR/59511 CVS commit: [netbsd-11] src/usr.sbin/npf



The following reply was made to PR bin/59511; it has been noted by GNATS.

From: "Martin Husemann" <martin%netbsd.org@localhost>
To: gnats-bugs%gnats.NetBSD.org@localhost
Cc: 
Subject: PR/59511 CVS commit: [netbsd-11] src/usr.sbin/npf
Date: Fri, 5 Dec 2025 12:56:23 +0000

 Module Name:	src
 Committed By:	martin
 Date:		Fri Dec  5 12:56:23 UTC 2025
 
 Modified Files:
 	src/usr.sbin/npf/npfctl [netbsd-11]: npf_build.c npf_var.c npf_var.h
 	src/usr.sbin/npf/npftest [netbsd-11]: npftest.conf
 	src/usr.sbin/npf/npftest/libnpftest [netbsd-11]: npf_rule_test.c
 
 Log Message:
 Pull up following revision(s) (requested by joe in ticket #112):
 
 	usr.sbin/npf/npftest/npftest.conf: revision 1.18
 	usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.26
 	usr.sbin/npf/npfctl/npf_var.c: revision 1.16
 	usr.sbin/npf/npfctl/npf_var.h: revision 1.14
 	usr.sbin/npf/npfctl/npf_build.c: revision 1.62
 
 PR bin/59511
 
 When extracting variables for filtering in NPF, allow the handler to
 recursively extract all variables that might be present in the parent variable
 to fully get all the filter elements present in them. This issue poses a security risk,
 as intruders can find their way into your machine if you intend to block them
 but have their IPs in a nested variable with other IPs as well.
 
 
 To generate a diff of this commit:
 cvs rdiff -u -r1.59.2.2 -r1.59.2.3 src/usr.sbin/npf/npfctl/npf_build.c
 cvs rdiff -u -r1.15 -r1.15.2.1 src/usr.sbin/npf/npfctl/npf_var.c
 cvs rdiff -u -r1.13 -r1.13.2.1 src/usr.sbin/npf/npfctl/npf_var.h
 cvs rdiff -u -r1.16 -r1.16.2.1 src/usr.sbin/npf/npftest/npftest.conf
 cvs rdiff -u -r1.24 -r1.24.2.1 \
     src/usr.sbin/npf/npftest/libnpftest/npf_rule_test.c
 
 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.
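
As an added example (not part of the commit, the PR, or npfctl's code), this Python script lists every variable in a configuration that nests other variables and prints the full set of elements it should expand to, so the result can be compared with the rules actually loaded. It assumes a simplified, one-definition-per-line subset of the npf.conf variable syntax; the sample configuration and its addresses are constructed, and all function names are hypothetical.

```python
import re

# Constructed sample; simplified one-line npf.conf variable syntax (assumption).
SAMPLE_CONF = """
$office = { 198.51.100.7, 198.51.100.8 }
$scanners = { 203.0.113.5, 203.0.113.9 }
$blocked = { $scanners, 192.0.2.44, $office }   # nested variables
$ext_if = "wm0"
"""

ASSIGN = re.compile(r"^\s*\$(\w+)\s*=\s*(.+?)\s*$")

def parse_vars(text):
    """Map each variable name to the list of its raw elements."""
    out = {}
    for line in text.splitlines():
        m = ASSIGN.match(line.split("#", 1)[0])  # drop trailing comments
        if not m:
            continue
        name, value = m.groups()
        if value.startswith("{") and value.endswith("}"):
            value = value[1:-1]
        out[name] = [e.strip() for e in value.split(",") if e.strip()]
    return out

def expand(name, variables, seen=()):
    """Recursively flatten a variable into its literal elements."""
    if name in seen:
        raise ValueError("variable cycle: " + " -> ".join(seen + (name,)))
    if name not in variables:
        raise ValueError("undefined variable: $" + name)
    flat = []
    for elem in variables[name]:
        if elem.startswith("$"):
            flat.extend(expand(elem[1:], variables, seen + (name,)))
        else:
            flat.append(elem)
    return flat

def nested_report(text):
    """Return {name: full expansion} for variables that reference others."""
    variables = parse_vars(text)
    return {n: expand(n, variables) for n, elems in variables.items()
            if any(e.startswith("$") for e in elems)}

if __name__ == "__main__":
    for name, flat in nested_report(SAMPLE_CONF).items():
        print(f"${name} nests variables; expected: {', '.join(flat)}")
```

Any variable the script reports is one whose filter elements depend on the recursive extraction described in the log message above.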
 

