version 1.104, 2023/10/15 15:32:37 |
version 1.105, 2023/10/15 15:49:48 |
|
|
In particular, <a href="https://man.openbsd.org/snmpd.8">snmpd(8)</a> |
In particular, <a href="https://man.openbsd.org/snmpd.8">snmpd(8)</a> |
and <a href="https://man.openbsd.org/systat.1">systat(1)</a> |
and <a href="https://man.openbsd.org/systat.1">systat(1)</a> |
now do that. |
now do that. |
<li>In <a href="https://man.openbsd.org/pf.4">pf(4)</a>, |
<li>Relax the implementation of the <code>pass all</code> rule so all |
relax the implementation of the <code>pass all</code> rule so all |
|
forms of neighbor advertisements are allowed in either direction. |
forms of neighbor advertisements are allowed in either direction. |
<li>In <a href="https://man.openbsd.org/pf.4">pf(4)</a>, |
<li>When redirecting locally generated IP packets to userland with |
when redirecting locally generated IP packets to userland with |
<a href="https://man.openbsd.org/pf.conf.5#divert-packet" |
<code>divert-packet</code> rules, the packets may have no checksum |
>divert-packet</a> rules, the packets may have no checksum |
due to hardware offloading. Calculate the checksum in that case. |
due to hardware offloading. Calculate the checksum in that case. |
<li>Fix a bug in <a href="https://man.openbsd.org/pf.4">pf(4)</a> |
<li>Fix a bug where |
where <code>nat-to</code> could fail to insert a state |
<a href="https://man.openbsd.org/pf.conf.5#nat-to">nat-to</a> |
|
could fail to insert a state |
due to conflict on chosen source port number. |
due to conflict on chosen source port number. |
<li><a href="https://man.openbsd.org/pf.4">pf(4)</a> ignored 'keep |
<li>No longer ignore <code>keep state</code> and <code>nat-to</code> |
state' and 'nat-to' actions for unsolicited icmp error responses. With |
actions for unsolicited ICMP error responses. |
OpenBSD 7.4, the rule matching logic is tightened so icmp error |
Tighten the rule matching logic so ICMP error responses |
responses no longer match 'keep state' rule. In typical scenarios icmp |
no longer match <code>keep state</code> rule. |
errors (if solicited) should match existing state. The change is |
In typical scenarios, ICMP errors (if solicited) should match |
going to bite firewalls which deal with asymmetric routes. In those |
existing state. The change is going to bite firewalls which deal |
cases the 'keep state' action should be relaxed to sloppy or new 'no |
with asymmetric routes. In those cases the <code>keep state</code> |
state' rule to explicitly match icmp errors should be added. |
action should be relaxed to sloppy or new <code>no state</code> |
|
rule to explicitly match ICMP errors should be added. |
</ul> |
</ul> |
<li>Do not calculate IP, TCP, and UDP checksums on |
<li>Do not calculate IP, TCP, and UDP checksums on |
<a href="https://man.openbsd.org/lo.4">lo(4)</a> interfaces. |
<a href="https://man.openbsd.org/lo.4">lo(4)</a> interfaces. |