pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/security/pflkm Update to 20050118.



details:   https://anonhg.NetBSD.org/pkgsrc/rev/989fa3db0462
branches:  trunk
changeset: 487680:989fa3db0462
user:      peter <peter%pkgsrc.org@localhost>
date:      Tue Jan 18 17:35:27 2005 +0000

description:
Update to 20050118.

Changes:
* Updated the ALTQ patch, now works correctly on NetBSD 2.0 release.
  Thanks to Miles Nordin for helping and testing.

* Write struct "pcap_sf_pkthdr" instead of "pcap_pkthdr". Fixes
  an LP64 specific problem with reading the pflog with tcpdump(8).

* Applied patch to pf.c from OPENBSD_3_6 branch:
  ICMP state entries use the ICMP ID as port for the unique state key. When
  checking for a usable key, construct the key in the same way. Otherwise,
  a colliding key might be missed or a state insertion might be refused even
  though it could be inserted. The second case triggers the endless loop
  fixed by 1.474, possibly allowing a NATed LAN client to lock up the kernel.
  Report and test data by Srebrenko Sehic.

* Applied patch to pf_lkm.c from NetBSD HEAD:
  pfil4_wrapper: clear M_CANFASTFWD which is not compatible with pf.

* Applied patch to pf_ioctl.c from OPENBSD_3_6 branch:
  Replace finer-grained spl locking in pfioctl() with a single broad lock
  around the entire body. This resolves the (misleading) panics in
  pf_tag_packet() during heavy ioctl operations (like when using authpf)
  that occur because softclock can interrupt ioctl on i386 since SMP.

* Applied patch to pf.c from OPENBSD_3_6 branch:
  IPv6 packets can contain headers (like options) before the TCP/UDP/ICMP6
  header. pf finds the first TCP/UDP/ICMP6 header to filter by traversing
  the header chain. In the case where headers are skipped, the protocol
  checksum verification used the wrong length (included the skipped headers),
  leading to incorrectly mismatching checksums. Such IPv6 packets with
  headers were silently dropped. Reported by Bernhard Schmidt.

* Applied patch to pfctl_optimize.c from OPENBSD_3_6 branch:
  &&/|| inversion would try to merge IP addresses with non-addresses into a
  single table causing a ruleset load error and eventually a double-free.

* Applied patch to pf.c from OPENBSD_3_6 branch:
  Initialise init_addr in pf_map_addr() in the PF_POOL_ROUNDROBIN,
  prevents a possible endless loop in pf_get_sport() with 'static-port'

* Fix to if_events.diff from Miles Nordin <carton at Ivy dot NET>:
  Call free after removing the element from the list, not before.
  Fixes panic with "unaligned access" on Alpha.

diffstat:

 security/pflkm/Makefile |  5 ++---
 security/pflkm/distinfo |  6 +++---
 2 files changed, 5 insertions(+), 6 deletions(-)

diffs (24 lines):

diff -r 41d4385e2a80 -r 989fa3db0462 security/pflkm/Makefile
--- a/security/pflkm/Makefile   Tue Jan 18 17:30:59 2005 +0000
+++ b/security/pflkm/Makefile   Tue Jan 18 17:35:27 2005 +0000
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.4 2005/01/02 15:51:24 peter Exp $
+# $NetBSD: Makefile,v 1.5 2005/01/18 17:35:27 peter Exp $
 
-DISTNAME=              pflkm-20041204
-PKGREVISION=           1
+DISTNAME=              pflkm-20050118
 CATEGORIES=            security ipv6
 MASTER_SITES=          http://nedbsd.nl/~ppostma/pf/
 
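Review bot: MASTER_SITES, in the unchanged context at the end of this hunk, still points at a plain http:// URL, so the new pflkm-20050118 distfile is fetched without transport integrity and the checksum in distinfo is the only thing tying the download to the reviewed tarball. If upstream serves the same path over https, switch MASTER_SITES to it. Dropping PKGREVISION together with the DISTNAME bump is correct.
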
diff -r 41d4385e2a80 -r 989fa3db0462 security/pflkm/distinfo
--- a/security/pflkm/distinfo   Tue Jan 18 17:30:59 2005 +0000
+++ b/security/pflkm/distinfo   Tue Jan 18 17:35:27 2005 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.2 2004/12/04 15:01:55 peter Exp $
+$NetBSD: distinfo,v 1.3 2005/01/18 17:35:27 peter Exp $
 
-SHA1 (pflkm-20041204.tar.gz) = 057af53e5f935e29d576acc822c52467510cda87
-Size (pflkm-20041204.tar.gz) = 893641 bytes
+SHA1 (pflkm-20050118.tar.gz) = 1f03fa4656f23594a260dafd6373b289daad4775
+Size (pflkm-20050118.tar.gz) = 886852 bytes
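
Review bot: the two added lines record only a SHA1 digest and a size for pflkm-20050118.tar.gz, which is thin for a tarball that, per the commit description, carries kernel fixes such as the ICMP state-key endless loop and the pfctl_optimize double-free. Add a second digest line from a different hash family next to the SHA1 line so a weakness in one hash alone does not let a substituted distfile pass the check.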


