Source-Changes archive


CVS commit: src/usr.sbin/npf



Module Name:    src
Committed By:   joe
Date:           Wed Aug 20 11:03:59 UTC 2025

Modified Files:
        src/usr.sbin/npf/npfctl: npf_build.c npf_var.c npf_var.h
        src/usr.sbin/npf/npftest: npftest.conf
        src/usr.sbin/npf/npftest/libnpftest: npf_rule_test.c

Log Message:
PR bin/59511

When extracting variables for filtering in NPF, allow the handler to
recursively extract all variables that might be present in the parent variable
to fully get all the filter elements present in them. This issue poses a
security risk as intruders can find their way into your machine if you intend
to block them but have their IPs in a nested variable with other IPs as well.

So this needs to be pulled up to 9, 10, 11.

This fix has been reviewed by christos@ and martin@ and tests have been included.


To generate a diff of this commit:
cvs rdiff -u -r1.61 -r1.62 src/usr.sbin/npf/npfctl/npf_build.c
cvs rdiff -u -r1.15 -r1.16 src/usr.sbin/npf/npfctl/npf_var.c
cvs rdiff -u -r1.13 -r1.14 src/usr.sbin/npf/npfctl/npf_var.h
cvs rdiff -u -r1.17 -r1.18 src/usr.sbin/npf/npftest/npftest.conf
cvs rdiff -u -r1.25 -r1.26 \
    src/usr.sbin/npf/npftest/libnpftest/npf_rule_test.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
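
An added example, not part of the commit or of NPF's source: a small audit script that lists which variables in an npf.conf-style file contain other variables, and shows the full set of elements a recursive expansion yields, so rules that rely on them can be reviewed on systems without this fix. It assumes single-line `$name = { ... }` definitions; the sample configuration and all function names are constructed for illustration.

```python
import re

# Constructed sample definitions (documentation address ranges), not from the commit.
SAMPLE_CONF = """\
$ext_if = "wm0"
$scanners = { 198.51.100.7, 198.51.100.9 }
$spammers = { 203.0.113.0/24 }
$blocked = { $scanners, $spammers, 192.0.2.44 }
$everything = { $blocked, 192.0.2.99 }
"""

# Assumption: each variable is defined on one line as "$name = value-or-list".
VAR_DEF = re.compile(r'^\s*\$(\w+)\s*=\s*(.+?)\s*$')
VAR_REF = re.compile(r'\$(\w+)')

def parse_vars(text):
    """Map each variable name to the raw elements of its definition."""
    table = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0]  # drop trailing comments
        m = VAR_DEF.match(line)
        if m:
            body = m.group(2).strip('{} \t')
            table[m.group(1)] = [e.strip() for e in body.split(',') if e.strip()]
    return table

def flatten(name, table, seen=()):
    """Recursively expand nested variables into their leaf elements."""
    if name in seen:
        raise ValueError("variable cycle at $" + name)
    leaves = []
    for elem in table.get(name, []):
        ref = VAR_REF.fullmatch(elem)
        if ref:  # element is itself a variable: descend into it
            leaves += flatten(ref.group(1), table, seen + (name,))
        else:
            leaves.append(elem)
    return leaves

def nested_vars(table):
    """Names of variables whose definition contains another variable."""
    return sorted(n for n, elems in table.items()
                  if any(VAR_REF.fullmatch(e) for e in elems))

if __name__ == "__main__":
    table = parse_vars(SAMPLE_CONF)
    for name in nested_vars(table):
        print(f"${name}: nested; full expansion = {flatten(name, table)}")
```

Every variable the script reports is a candidate for review: compare its full expansion with what `npfctl` actually loads on the running system.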



