---
- branch: MAIN
  date: Sat May 23 19:56:00 UTC 2020
  files:
  - new: '1.16'
    old: '1.15'
    path: src/sys/net/npf/npf_conf.c
    pathrev: src/sys/net/npf/npf_conf.c@1.16
    type: modified
  - new: '1.31'
    old: '1.30'
    path: src/sys/net/npf/npf_conn.c
    pathrev: src/sys/net/npf/npf_conn.c@1.31
    type: modified
  - new: '1.19'
    old: '1.18'
    path: src/sys/net/npf/npf_conn.h
    pathrev: src/sys/net/npf/npf_conn.h@1.19
    type: modified
  - new: '1.8'
    old: '1.7'
    path: src/sys/net/npf/npf_conndb.c
    pathrev: src/sys/net/npf/npf_conndb.c@1.8
    type: modified
  - new: '1.56'
    old: '1.55'
    path: src/sys/net/npf/npf_inet.c
    pathrev: src/sys/net/npf/npf_inet.c@1.56
    type: modified
  - new: '1.49'
    old: '1.48'
    path: src/sys/net/npf/npf_nat.c
    pathrev: src/sys/net/npf/npf_nat.c@1.49
    type: modified
  - new: '1.54'
    old: '1.53'
    path: src/usr.sbin/npf/npfctl/npf_build.c
    pathrev: src/usr.sbin/npf/npfctl/npf_build.c@1.54
    type: modified
  - new: '1.31'
    old: '1.30'
    path: src/usr.sbin/npf/npfctl/npf_show.c
    pathrev: src/usr.sbin/npf/npfctl/npf_show.c@1.31
    type: modified
  - new: '1.52'
    old: '1.51'
    path: src/usr.sbin/npf/npfctl/npfctl.h
    pathrev: src/usr.sbin/npf/npfctl/npfctl.h@1.52
    type: modified
  id: 20200523T195600Z.d9399b4fa20941e0722acd09808c705a6c7ff20d
  log: |
    Backport selected NPF fixes from the upstream (to be pulled up):

    - npf_conndb_lookup: protect the connection lookup with pserialize(9),
      instead of incorrectly assuming that the handler always runs at IPL_SOFNET.
      Should fix crashes reported on high load (PR/55182).

    - npf_config_destroy: handle partially initialized config; fixes crashes
      with some invalid configurations.

    - NAT policy creation / destruction: set the initial reference and do not
      wait for reference draining on destruction; destroy the policy on the
      last reference drop instead.  Fixes a lockup with the dynamic NAT rules.

    - npf_nat_{export,import}: fix a regression since dynamic NAT rules.

    - npfctl: fix a regression and restore the default group behaviour.

    - Add npf_cache_tcp() and validate the TCP data offset (from maxv@).
  module: src
  subject: 'CVS commit: src'
  unixtime: '1590263760'
  user: rmind