NetBSD-Bugs archive


PR/59511 CVS commit: src/usr.sbin/npf



The following reply was made to PR bin/59511; it has been noted by GNATS.

From: "Emmanuel" <joe%netbsd.org@localhost>
To: gnats-bugs%gnats.NetBSD.org@localhost
Cc: 
Subject: PR/59511 CVS commit: src/usr.sbin/npf
Date: Wed, 20 Aug 2025 11:04:00 +0000

 Module Name:	src
 Committed By:	joe
 Date:		Wed Aug 20 11:03:59 UTC 2025
 
 Modified Files:
 	src/usr.sbin/npf/npfctl: npf_build.c npf_var.c npf_var.h
 	src/usr.sbin/npf/npftest: npftest.conf
 	src/usr.sbin/npf/npftest/libnpftest: npf_rule_test.c
 
 Log Message:
 PR bin/59511
 
 When extracting variables for filtering in NPF, allow the handler to
 recursively extract all variables that might be present in the parent variable
 to fully get all the filter elements present in them. This issue poses a security risk,
 as intruders can find their way into your machine if you intend to block them
 but have their IPs in a nested variable with other IPs as well.
 
 So this needs to be pulled up to 9, 10, 11.
 
 This fix has been reviewed by christos@ and martin@, and tests have been included.
 
 
 To generate a diff of this commit:
 cvs rdiff -u -r1.61 -r1.62 src/usr.sbin/npf/npfctl/npf_build.c
 cvs rdiff -u -r1.15 -r1.16 src/usr.sbin/npf/npfctl/npf_var.c
 cvs rdiff -u -r1.13 -r1.14 src/usr.sbin/npf/npfctl/npf_var.h
 cvs rdiff -u -r1.17 -r1.18 src/usr.sbin/npf/npftest/npftest.conf
 cvs rdiff -u -r1.25 -r1.26 \
     src/usr.sbin/npf/npftest/libnpftest/npf_rule_test.c
 
 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.
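As an added illustration of the behaviour the commit log describes (this is a standalone model written for this archive page, not NetBSD's npfctl code), the following Python models an npf.conf-style variable table in which a variable can contain both literal addresses and references to other variables. `extract_shallow` mirrors the pre-fix behaviour the log implies (only literal elements of the named variable are used), and `extract_recursive` mirrors the fix (nested variables are followed). The variable names, addresses and the cycle guard are constructed assumptions for the example.

```python
# Model of NPF-style nested filter variables (illustrative only; not npfctl).
# Constructed sample resembling an npf.conf:
#   $attackers  = { 10.0.0.5 }
#   $blocked    = { 192.0.2.1, $attackers }
#   $everything = { $blocked, 198.51.100.7 }
# An element beginning with '$' references another variable.
from typing import Dict, List, Optional, Set

VARS: Dict[str, List[str]] = {          # constructed sample variable table
    "attackers": ["10.0.0.5"],
    "blocked": ["192.0.2.1", "$attackers"],
    "everything": ["$blocked", "198.51.100.7"],
}


def extract_shallow(table: Dict[str, List[str]], name: str) -> List[str]:
    """Pre-fix style extraction: keep only the literal elements of `name`.

    Any address that lives inside a nested variable is silently dropped,
    so a rule built from this list does not block it.
    """
    return [e for e in table[name] if not e.startswith("$")]


def extract_recursive(table: Dict[str, List[str]], name: str,
                      _path: Optional[Set[str]] = None) -> List[str]:
    """Fix style extraction: descend into nested variables.

    `_path` tracks the variables on the current descent so that a
    self-referencing definition raises instead of recursing forever.
    (The cycle guard is an assumption of this model, not a claim about NPF.)
    """
    path = set() if _path is None else _path
    if name in path:
        raise ValueError(f"variable cycle at ${name}")
    if name not in table:
        raise KeyError(f"undefined variable ${name}")
    path.add(name)
    out: List[str] = []
    for e in table[name]:
        if e.startswith("$"):
            out.extend(extract_recursive(table, e[1:], path))
        else:
            out.append(e)
    path.remove(name)   # a variable may legitimately be reached via two sibling paths
    return out


def is_blocked(elements: List[str], ip: str) -> bool:
    """Stand-in for the rule match: is `ip` among the extracted filter elements?"""
    return ip in elements


if __name__ == "__main__":
    # Constructed check: 10.0.0.5 is only blocked once nesting is followed.
    print("shallow  :", extract_shallow(VARS, "blocked"))
    print("recursive:", extract_recursive(VARS, "blocked"))
```

Running the block shows the shallow list missing `10.0.0.5` while the recursive list contains it; a rule written as `block from $blocked` only has the intended effect when the second form is used, which is the gap the commit closes.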
 

