Diffstat (limited to 'contrib/ipfilter/HISTORY')
-rw-r--r-- | contrib/ipfilter/HISTORY | 2307 |
1 files changed, 0 insertions, 2307 deletions
diff --git a/contrib/ipfilter/HISTORY b/contrib/ipfilter/HISTORY deleted file mode 100644 index b500c20..0000000 --- a/contrib/ipfilter/HISTORY +++ /dev/null 
@@ -1,2307 +0,0 @@ -# -# NOTE: Quite a few patches and suggestions come from other sources, to whom -# I'm greatly indebted, even if no names are mentioned. -# -# Thanks to the Coombs Computing Unit at the ANU for their continued support -# in providing a very available location for the IP Filter home page and -# distribution center. -# -# Thanks also to all those who have contributed patches and other code, -# and especially those who have found the time to port IP Filter to new -# platforms. -# -4.1.28 - Release 16 October 2007 - -backout changes (B1) & (B2) as they've caused NAT entries to persist for -too long and possibly other side effects. - -Still need to compile in our own radix.c for Solaris as the one in S10U4 -has a different alignment of structure members (causes panic) - -keep state doesn't work with multicast/broadcast packets (makes UPnP easier) - -ippool -l may only lists every 2nd pool's contents - -4.1.27 - Released 29 September 2007 - -SunOS5/replace script does not deal with i386 systems that have the -i86/amd64 directory pair. - -make BSD/kupgrade try to build ip_rules.[ch] before complaining - -Need to look for ipl.ko LKM on FreeBSD, not just ipf.ko - -Cleanup SunOS5 Makefile pieces, removing CPU, sunos5x86; buildsunos needs -to drive 32bit cc builds differently for sparc/i386 now. - -Update instructions for rebuilding FreeBSD kernels - -Make the target "freebsd" work for building ipfilter - -destroying NAT entries for blocked packets can lead to NAT table entry leak, -provide a counter of orphan'd NAT entries to track this problem. - -4.1.26 - Released 24 September 2007 - -Fix build problem for Solaris prior to S10U4 - -4.1.25 - Released 20 September 2007 - -stepping through structures with ioctls can lead to the wrong things -being free'd and panics - -if a NAT entry (such as an rdr) is created but the packet ends up being -blocked, tear down the NAT entry. 
- -fix fragment cache preventing keep state from functioning - -fix handling of \ to indicate a continued line in .conf files - -include port ranges in the allowed input for ipf when using "port = ()" - -only advance TCP state for packets on the leading edge of the window. (B1) - -using ipnat -l can lead to memory corruption in high stress situations - -track TCP sequence numbers with NAT so that it can do timeout advances -correctly inline with state - -ICMP checksums for some redirect'd packets are not adjusted correctly. - -IPv6 address components need to be explicitly cast to a 32bit pointer -boundary so that compilers don't try to access them as two 64bit -pieces (no guarantee is made that an Ipv6 address is on a 64bit -aligned address) - -filling up the ipauth packet queue can lead to no more packets being -processed. - -locking used to deref a nat entry causes a significant performance hit - -m_pulldown isn't properly handled, leading to possible panics with ICMPv6 -packets - -IPv6 fragment handling doesn't allow for "keep frag" to work - -build on Solaris10 Update4 with pfhooks in the kernel - -logging of Ipv6 packets with extension headers fix - Miroslaw Luc - -4.1.24 - Released 8 July 2007 - -patch from Stuart Remphrey to address recursive mutex lock with TCP state - -add hash table bucket stats display to ipnat -s - -give ASSERT some teeth for user compiles - -initialising ipf_global, ipf_frcache, ipf_mutex should all be done very -early on - -do some caddr_t cleanup, where possible - -fr_ref no longer tracks the number of children rules in a group for head rules - -make sure all BCOPY* have a value assigned to something - -fix possible use of icmp pointer after pullup makes it invalid - -resolve compile problems related to FreeBSD tree - -4.1.23 - Released 31 May 2007 - -NAT was not always correctly fixing ICMP headers for errors - -some TCP state steps when closing do not update timeouts, leading to -them being removed prematurely. 
(B2) - -fix compilation problems for netbsd 4.99 - -protect enumeration of lists in the kernel from callout interrupts on -BSD without locking - -fix various problems with IPv6 header checks: TCP/UDP checksum validation -was not being done, fragmentation header parsed dangerously and routing -header prevented others from being seen - -fix gcc 4.2 compiler warnings - -fix TCP/UDP checksum calculation for IPv6 - -fix reference after free'ing ipftoken memory - -4.1.22 - Released 13 May 2007 - -fix endless loop when flushing state/NAT by idle time - -4.1.21 - Released 12 May 2007 - -show the number of states created against a rule with "-v" for ipfstat - -fix build problems with FreeBSD - -make it possible to flush the state table by idle time and TCP state - -fix flushing out idle connections when state/NAT tables fill - -print out the TCP state population with ipfstat/ipnat - -stop creation of state table orphans via return-*/fastroute - -fix printing out of rule groups - they now only appear once - -4.1.20 - Released 30 April 2007 - -adjust TCP state numbers, making 11 closed (was 0) to better facilitate -detecting closing connections that we can wipe out when a SYN arrives -that matches the old - -make it compile on Solaris10 Update3 - -structures used for ipf command ioctls weren't being freed in timeout -fashion on solairs - -use NL_EXPIRE, not ISL_EXPIRE, for expiring NAT sessions - -adjust TCP timeout values and introduce a time-wait specifc timeout -to get a better TCP FSM emulation and one that can hopefully do a better -job of cleaning up in a speedy fashion than previous - -refactor the automatic flushing of TCP state entries when we fill up, -but use the same algorithm as before but now it hopefully works - -only 2 out of 4 interface names were being changed by ipfs when -interface renaming was being used for state entries - -add ipf_proxy_debug to ipf-T - -matching of last fragments that had a number of bytes that wasn't a -multiple of 8 failed - -some 
combinations of TCP flags are considered bad aren't picked up as such, -but these may be possible with T/TCP - -4.1.19 - Released 22 February 2007 - -Fix up compilation problems with NetBSD and Solaris. - -4.1.18 - Released 18 February 2007 - -fix compiling on Tru64 - -fix listing out filter rules with ipfstat (delete token at end of -the list and detect zero rule being returned.) - -fix extended flushing of NAT tables (was clearing out state tables) - -fix null-pointer deref in hash table lookup - -fix NAT and stateful filtering with to/reply-to on destination interface - -4.1.17 - Released 20 January 2007 - -make flushing pools that are still in use mark them for deletion and -have attempting to recreate them clear the delete flag - -walking through the NAT tables with ioctls caused lock recursion - -fix tracking TCP window scaling in the state code - -4.1.16 - Released 20 December 2006 - -allow rdr rules to only differ on the new port number - -when creating state entry orphans, leave them on the linked list but not -attached to the hash table and mark them visible as orphans in "ipfstat -sl" - -log state removed when unloading differently to allow visible cues - -return ipf ticks via SIOCGETGS for /dev/ipnat so "ipnat -l" can display ttl - -abort logging a packet if the mbuf pointer is null when ipflog is called - -Some NetBSD's have a selinfo.h instead of select.h - -SIOCIPFFL was using copyoutptr and should have been using bcopy for /dev/ipauth - -listing accounting rules using ioctl interface wasn't possible - -fix leakage of state entries due to packets not matching up with NAT - -improve ICMP error packet matching with state/NAT - -fix problems with parsing and printing "-" as an interface name in ipnat.conf - -4.1.15 - Released 03 November 2006 - -Add in automatic flushing of NAT, like state, table if it fills up too much - -Update comments in the code for NAT checksum adjustments - -Fix compiling on FreeBSD 5.4 and 6.0 - -prevent panics from read/write 
IOs trying to use uninitialised structures - -Newer NetBSD should use malloc() instead of MALLOC() in the kernel where -the size is not staticly defined - -Some gcc warning message cleanup from NetBSD - -Missing include for <sys/filio.h> on Solaris for poll work - -NetBSD now uses opt_ipfilter.h, not opt_ipfilter_log.h - -4.1.14 - Released 04 October 2006 - -rewrite checksum alteration for ICMP packets being NAT'd to use a sane -algorithm that can be understood...now it needs better comments - -fix 1 byte error in checksum validation perl script - -remove unused files in lib directory - -ipftest will say "bad-packet" if it has been freed rather than just "blocked" - -make it possible to load IP address pools from external files in ippool.conf - -update copyright messages in tools directory - -consolidate ioctl hanlding source code into fil.c - -make ipfstat, ippool, ipnat retrieve information via ioctls rather than /dev/kmem - -4.1.13 - Released 4 April 2006 - -fix bug where null pointers introduced by proxies could cause a crash - -pass out the rule flags with SIOCAUTHW - -force loading NAT rules with bad proxy labels to cause an error - -nat_state is used unsafely in calls to fr_addstate - -make return-rst and return-icmp* work with auth rules - -4.1.12 - Released 28 March 2006 - -poll support on FreeBSD/NetBSD needs to use selrecord/selwakeup - -make the fastroute code used by ipftest invoke state/NAT - -move verbose/debug macros out of fil.c and into ip_fil.h (for wider use) - -remove unused code in fr_fastroute - -fix NAT with rules that specify forward and reverise interfaces - -add missing ipfsync_canread() and ipfsync_canwrite() - -behaviour of \ on the end of a line in ipf.conf does not match older behaviour - -remove duplicate statistics line output with "ipfstat -s" - -4.1.11 - Released 19 March 2006 - -Patch for NAT with ipfsync from N. 
Ersen (SESCI) - www.enderunix.org - -NetBSD coverity report fixes (from run 5) - -Possible to reacquire ipf_auth without releasing it in some circumstances - -Locking in FreeBSD's iplioctl for ipf_global isn't present like it shoudl be - -Add poll support for platforms I can build on: NetBSD, FreeBSD, Solaris, Linux - -Using auth rules to return "keep state" got broken with pushing fr_addstate -call into fr_firewall - -all use of '!' in map/rdr rules to match use in ipf configs - -add -L command line option to ipmon to set the default syslog facility - -looking up a port number is more complex than needed in ipft_tx.c - -allow lib/getport to work when neither tcp or udp are specified in a rule - -remove some dead code from lib/addicmpc, lib/facpri.c, lib/icmpcode.c - -program in some more cases where TCP packets fail an initial in-window -check but should be allowed to match - -filter rule added with NAT/state handling of SIOCSTPUT doesn't properly -initialise all fields, making it possible to panic - -simplify NAT ICMP error handling where it updates checksums - -rename "min" variables to "xmin" on NetBSD to avoid problems with the -macro "min" - -#ifdef's for NetBSD compile incorrect for pfil interface - -support select/poll on NetBSD - -copying out a packet with an auth rule fails (EFAULT) because the wrong -pointer is passed to copyoutptr - -ip_len/ip_off where byte swapped twice instead of once for packets -going to be stored on the auth queue - -change timeout queue manipulation functions to make fewer mutex calls - -fix use of skip rules with groups -fix coding problems discovered by the coverity project for FreeBSD - -update BPF program validation with FreeBSD changes - -4.1.10 - Released 6 December 2005 - -Expand regression testing to cover more features - -Add "coverage" build target for BSD - -Fix building 64bit sparc target for Solaris - -Add IPv6 mobility header to list of accepted keywords for V6 headers - -Resolve locking problems on Solaris when 
sending RST/icmp packets - -#ifdef's for IPFILTER_BPF need to check if words are defined before -using them in comparisons - -Add checking for SACK permitted option in TCP SYN packets - -Fix loading anonymous pools from inline rule configuration groups - -Add -C command line option to ipftest - -Include extra "const" from NetBSD - -Don't require SIOCKSTLCK for SIOCSTPUT - -Fix some use of "sticky" on NAT rules - -Fix statistical counting of deleting state for TCP connections - -Fix compile problems caused by changes to is_opt/is_optmsk in ip_sync.c - -Fix TCP out-of-window (OOW) problems: -- window scaling turned off if one chose for its scale factor -- Microsoft Windows TCP sends the "next packet" to the right of the window - when using SACK and filling in a hole - -4.1.9 - Released 13 August 2005 - -make ipfilter fix IPv4 header checksums for outgoing packets if BRIDGE_IPF -is defined when compiled. - -move the definition of SIOCPROXY from ip_nat.h to ip_proxy.h - -make the BSD/upgrade script more instructive about the requiements for -ip_rules.[ch] when it is run - -register for interface events on FreeBSD (>5.2.1) and NetBSD so that -"ipf -y" is not not requried to tell ipfilter about interface changes. - -for "quick" rules that do "keep state", move the state adding into the rule -evaluation so that we can detect it failing as rules are evaluated and -continue on to the next rather than wait until we're done and it's too late -to recover for more rule processing. - -mark ICMP packets advertising an MTU that's too small as being bad - -rework ipv6 header parsing to get better code reuse and fix logic errors -in dealing with ipv6 packets containing fragment headers. Also, where a -protocol handler was doing both v4 & v6, make a seperate function for each. 
- -build for both amd64 and i86pc (32bit) on Solaris10 and later, if possible - -include start of work to get IPFilter working on AIX 5.3 - -Use FI_ICMPERR flag rather than try to compute its equivalent all the time - -Rewrork IPv6 extension header parsing to get better code reuse - -Add missing timeout on Linux - -Fix for locking when reading from ipsync (Frank Volf) - -Fix insertion/appending of rules that use a collection number - -Somehow turning up the spl knob to splnet disappeared on platforms that still -use the spl interface. - -fix problems with "ipf -T" not listing multiple variables properly - -4.1.8 - Released 29 March 2005 - -include path from Phil Dibowitz for sorting ipfstat -t output by source or -destination port. - -fix a bug in printing rules where interface names could not be printed, -even if they're in the rule structure. - -fix BSD/kupgrade to correctly change ipfilter lkm Makefile for FreeBSD - -add 2 new features to SIOCGNATL: -- if IPN_FINDFORWARD is set, check if the respective MAP is already - present in the outbound table -- if IPN_IN is set, search for a matching MAP entry instead of RDR - (Peter Potsma) - -turn off function inlining for freebsd 5.3+ - -UDP doesn't pullup enough data which can sometimes cause a panic. -Fix other protocols, as required, where a similar problem may exist. - -overhaul the timeout queue management, especially that for user defined queues -which are now only freed in an orderly manner. - -4.1.7 - Released 13 March 2005 - -Using the GRE call field is almost impossible because it is unbalanced and -both call fields are not present in each v1 header. - -Fix a problem where it was possible to load duplicate rules into ipf - -patch from John Wehle to address problems with fastroute on solaris - -Copying data out for ipf -z failed because it tried to copy out to an address -that is a kernel pointer in user space. 
- -add "ip" timeout for both NAT & state that's for non-TCP/UDP/ICMP - -synch up with NetBSD's changes - -fix problems parsing long lines of text in the ftp proxy where they would not -be parsed properly and stop the session from working - -enhance the PPTP proxy so that it tries to decode messages in the TCP stream -so it knows when to create and destroy the state/nat sessions for GRE. There -are also 4 new regression tests for it, testing map/rdr rules. - -impose some limits on the size of data that can be moved with SIOCSTPUT in -the NAT code and also prevent a duplicate session entry from being created -using this method. - -add a new flag (IPN_FINDFORWARD) to NAT code that can be used with SIOCGNATL -to check if it is possible to create an outgoing transparent NAT mapping to -compliment the redirect being investigated. - -Linux requires that the checksums in the IP header get adjusted - -only resolve unknown interfaces in fr_stinsert, and nuke all interface pointers -in SIOCSTPUT to prevent bad data being loaded from userspace. - -make the byte counting for state correct (was counting data from ICMP packet -twice) - -print out the keyword "frag-body" if the flag is set. - -fix ipfs loading/restoring NAT sessions - -patch from Frank to correctly format IP addresses in ipfstat -t output - -parsing port numbers in ipf/ipnat was confusing as the port number was returned -in an int that was also overloaded to be the suceess/failure. instead, change -the port using pass by reference and only use the return value for indicating -success or failure. - -4.1.6 - Released 19 February 2005 - -add a new timeout number to NAT (fr_defnatipage) that is used for all -non-TCP/UDP/ICMP protocols - default 60 seconds. 
- -buffer leak with bad nat - David Gueluy - -fix memory leak with state entries created by proxies - -eliminate copying too much data into a scan buffer - -allow a trailing protocol name for map rules as well as rdr ones - -fix bug in parsing of <= and > for NAT rules (two were crossed over) - -FreeBSD's iplwrite hasn't kept pace with iplread's prototype - -expand documention on the karma of using "auto" in ipnat map rules - -add matching on IP protocol to ipnat map rules - -allow ippool definitions to contain no addresses to start with - -Linux NAT needs to modify the IP header checksum as it gets called after it -has been computed by IP. - -UDP was missing a pullup for packet header information before examining -the header - -4.1.5 - Released 9 January 2005 - -all rules were being converted into "dup-to" rules in the kernel - -fix two ftp proxy problems: 1st, buffer needs to be bigger for fitting in -complete RETR/CWD commands, 2nd is () use in 227 messages isn't copied -over correctly. - -response to CWDs -revert ip_off back to network byte order in the ICMP error packet that -gets generated. - -4.1.4 - Released 9 January 2005 - -force NAT rules to only match ipv4 NAT rules (which all are, currently, -by default) - -include state synchronisation fixes from Frank Volf - -make the maximum log size for internally buffered log entries accessible -via "ipf -T" - -redesign start of fr_check() to avoid putting duplicate information in -ipfilter about how much data needs to be pulled up for a protocol to be -properly filtered. - -tidy up sending ICMP error messages - some bad inputs could result in -data not being freed and/or no error returned. - -make the maximum size of the log buffer run-time tunable - -fix bug in parsing TCP header when looking for MSS option that could make -the system hang - -change pool lookups that fail to find a match to return "no match" -rather than fail. - -add run-time tunable debugging for proxy support code and FTP proxy. 
- -fix state table updates for entries where the first packet as an ICMPv6 -multicast message - -fix hang when flushing state for v4/v6 and other (v6/v4) entries are present -too - -attaching filtering to ipv6 pfil hook wasn't present for solaris - -don't allow rules with "keep state" and "with oow" - -move a bunch of userland only code from fil.c to ip_fil.c - -make fr_coalesce() more resiliant to bad input, just returning an error -instead of crashing, making calling it easier in many places - -When m_pulldown doesn't return NULL, it doesn't necessarily return a pointer -to the same mbuf passed in as the first arg. - -remove fr_unreach and use ENETUNREACH by default. - -printing out of tag data in ipf rules doesn't match input syntax - -ipftest(1) man page update - -ipfs command line option parsing still rejects some valid syntaxes - -SIGHUP handling by ipmon was not as safe as it could be - -fix various parsing regressions, including "<thishost>", "tcpudp", ordering -of "keep" options - -patches from Frank Volk: add udp_acktimeout to sysctl list for FreeBSD, -ICMP packet length not calculated correctly in send_icmp_err, reply-to -not printed by ipfstat, keep state with icmp passing (mtrr) - -patches for return-rst and return-icmp from Attila Fueloep -(lichtscheu@gesindel.org) - -4.1.3 - Released 18 July 2004 - -do some more fine tuning on NAT checksum adjustments - -correct IP address byte order in proxy setup for ipsec/pptp - -man page updates - -fix numerous problems with ipfs operation - -complete new syntax for ipmon.conf in its parser and update the sample file - -assign error value consistantly in fastroute code - -rewrite allocation of mbufs in send_reset/send_icmp_err to better use -mbuf clusters and size calculations - -resolve problem with linux panic'ing because the wrong flag was being -passed to skb_clone/skb_alloc - -enable use of shared/exclusive locks on freebsd5 and above - -do not rely on m_pkthdr.len to be valid all the time for mbufs on 
modern BSD -and so use mbufchainlen to get the mbuf length instead - -replace lots of COPYIN/COPYOUT with BCOPYIN/BCOPYOUT where the data is -going to be on the stack and not in userland - -packet buffer pointers were not refreshed & used properly in fr_check() - -include extra bits for OpenBSD 3.4 & 3.5. - -fix ipf/ipnat parsing regression problems with v3.4 - -4.1.2 - RELEASED - 27 May 2004 - -add state top for ipv6 - -fix numerous parsing regressions - -change sample proxies to use SIOCGNATL with the new API - -allow macro names to contain underscores (_) - -split the parser into a collection of dictionaries so that keywords do -not interfere with resolving hostnames and portnames - -fix ipfrule LKM loading on freebsd - -support mapping a fixed range of ports to a single port - -fix timeout queue use by proxies with private queues - -handle space-led ftp server replies properly - -fix timeout queue management - -fix fastroute, generation of RST & ICMP packets and operation with to/fastroute - -resolve further linux compatibility problems - -replace the use of COPYIN with BCOPYIN for platforms that provide ioctl -args on the stack - -allow flushing of ipv6 rules independant of ipv4 rules - -correct internal ipv6 checksum calculations - -if a 'keep state' rule fails to create state, block the packet rather -than let it through - -correct all checksums in regression tests and correct NAT code to adjust -checksums correctly. - -fix ipfs -R/-W - -4.1.1 - RELEASED - 24 March 2004 - -allow new connections with the same port numbers as an existing one -in the state table if the creating packet is a SYN - -timeout values have drifted, incorrectly, from what they were in 3.4 - -FreeBSD - compatibility changes for 5.2 - -don't match on sequence number (as well) for ICMO ECHO/REPLY, just the -ICMP Id. 
field as otherwise thre is a state/NAT entry per packet pair -rather than per "flow" - -fr_cksum() returned the wrong answer for ICMP - -Linux: -- get return-rst and return-icmp working -- treat the interface name the same as if_xname on BSD - -adjust expectations for TCP urgent bits based on observed traffic in the -wild - -openbsd3.4 has ip_len/ip_off in network byte order when ipfilter is called - -fix flushing of hash pool gorups (ippool -F) as well as displaying them -(ippool -l) - -passing of pointers to interface structures wrong for HP-UX/Solaris with -return-* rules. - -Make the solaris boot script able to run on 2.5.1 - -ippool related files missing from Solaris packages - -The name /dev/ippool should be /dev/iplookup - -add regression testing for parsing long interface names in nat rules, -along with mssclamp and tags. Also add test for mssclamp operation. - -ttl displayed for "ipfstat -t" is wrong because ttl is not computed. - -parse logical interface names (Sun) - -unloading LKMs was only working if they were enabled. - -sync'ing up NAT sessions when NICs change should cause NAT rules to -re-lookup name->pointer mappings - -not all of the ippool ioctl's are IOWR and they should be because they -use the ipfobj_t for passing information in/out of the kernel. leave the -old values defined and handle them, for compatibility. - -pool stats wrong: ippoolstate used where ipoolstat should be, hash table - statistics not reported at all - -fr_running not set correctly for OpenBSD when compiled into the kernel - -Allow SIOCGETFF while disabled - -Fix mssclamp with NAT (pasing and printing of the word, plus wrong bytes -altered. How do you say "untested" ?) - -4.1 - RELEASED - 12 February 2004 - -4.0-BETA1 20 August 2003 - -support 0/32 and 0/0 on the RHS in redirect rules - -where LHS and RHS netmasks are the same size for redirect, do 1:1 mapping -for bimap rules. 
- -allow NAT rule to match 'all' interfaces with * as interface name - -do mapping of ICMP sequence id#'s in pings - -allow default age for NAT entries to be set per NAT rule - -provide round robin selection of destination addresses for redirect - -ipmon can load a configuration file with instructions on actions -to take when a matching log entry is received - -now requires pfil to work on Solaris & HP-UX - -supports mapping outbound connections to a specific address/port - -support toggling of logging per ipfilter 'device' - -use queues to expire data rather than lists - -add MSN RPC proxy - -add IRC proxy - -support rules with dynamic ip addresses - -add ability to define a pool of addresses & networks which can then -be placed in a single rule - -support passing entire packet back to user program for authentication - -support master/slave for state information sharing - -reorganise generic code into a lib directory and make libipf.a - -user programs enforce version matching with the kernel - -supports window scaling if seen at TCP session setup - -generates C code from filter rules to compile in or load as native -machine code. - -supports loading rules comprised of BPF bytecode statements - -HP-UX 11 port completed - -and packets-per-second filtering - -add numerical tags to rules for filtering and display in ipmon output - -3.4.4 23/05/2000 - Released - -don't add TCP state if it is an RST packet and (attempt) to send out -RST/ICMP packets in a manner that bypasses IP Filter. - -add patch to work with 4.0_STABLE delayed checksums - -3.4.3 20/05/2000 - Released - -fix ipmon -F - -don't truncate IPv6 packets on Solaris - -fix keep state for ICMP ECHO - -add some NAT stats and use def_nat_age rather than DEF_NAT_AGE - -don't make ftp proxy drop packets - -use MCLISREFERENCED() in tandem with M_EXT to check if IP fields need to be -swapped back. 
- -fix up RST generation for non-Solaris - -get "short" flag right for IPv6 - -3.4.2 - 10/5/2000 - Released - -Fix bug in dealing with "hlen == 1 and opt > 1" - Itojun - -ignore previous NAT mappings for 0/0 and 0/32 rules - -bring in a completely new ftp proxy - -allow NAT to cause packets to be dropped. - -add NetBSD callout support for 1.4-current - -3.4.1 - 30/4/2000 - Released - -add ratoui() and fix parsing of group numbers to allow 0 - UINT_MAX - -don't include opt_inet6.h for FreeBSD if KLD_MODULE is defined - -Solaris must use copyin() for all types of ioctl() args - -fix up screen/tty when leaving "top mode" of ipfstat - -linked list for maptable not setup correctly in nat_hostmap() - -check for maptable rather than nat_table[1] to see if malloc for maptable -succeeded in nat_init - -fix handling of map NAT rules with "from/to" host specs - -fix printout out of source address when using "from/to" with map rules - -convert ip_len back to network byte order, not plen, for solaris as ip_len -may have been changed by NAT and plen won't reflect this - -3.4 - 27/4/2000 - Released - -source address spoofing can be turned on (fr_chksrc) without using -filter rules - -group numbers are now 32bits in size, up from 16bits - -IPv6 filtering available - -add frank volf's state-top patches - -add load splitting and round-robin attribute to redirect rules - -FreeBSD-4.0 support (including KLD) - -add top-style operation mode for ipfstat (-t) - -add save/restore of IP Filter state/NAT information (ipfs) - -further ftp proxy security checks - -support for adding and removing proxies at runtime - -3.3.13 26/04/2000 - Released - -Fix parsing of "range" with "portmap" - -Relax checking of ftp replies, slightly. - -Fix NAT timeouts for ICMP packets - -SunOS4 patches for ICMP redirects from Jurgen Keil (jk@tools.de) - -3.3.12 16/03/2000 - Released - -tighten up ftp proxy behaviour. sigh. yuck. hate. - -fix bug in range check for NAT where the last IP# was not used. 
- -fix problem with icmp codes > 127 in filter rules caused bad things to -happen and in particular, where #18 caused the rule to be printed -erroneously. - -fix bug with the spl level not being reset when returning EIO from -iplioctl due to ipfilter not being initialized yet. - -3.3.11 04/03/2000 - Released - -make "or-block" work with lines that start with "log" - -fix up parsing and printing of rules with syslog levels in them - -fix from Cy Schubert for calling of apr_fini only if non-null - - -3.3.10 24/02/2000 - Released - -* fix back from guido for state tracking interfaces - -* update for NetBSD pfil interface changes - -* if attaching fails and we can abort, then cleanup when doing so. - -julian@computer.org: -* solaris.c (fr_precheck): After calling freemsg on mt, set it point to *mp. -* ipf.c (packetlogon): use flag to store the return value from get_flags. -* ipmon.c (init_tabs): General cleanup so we do not have to cast - an int s->s_port to u_int port and try to check if the u_int port - is less than zero. - -3.3.9 15/02/2000 - Released - -fix scheduling of bad locking in fr_addstate() used when we attach onto -a filter rule. - -fix up ip_statesync() with storing interface names in ipstate_t - -fix fr_running for LKM's - Eugene Polovnikov - -junk using pullupmsg() for solaris - it's next to useless for what we -need to do here anyway - and implement what we require. - -don't call fr_delstate() in fr_checkstate(), when compiled for a user -program, early but when we're finished with it (got fr & pass) - -ipnat(5) fix from Guido - -on solaris2, copy message and use that with filter if there is another -copy if it being used (db_ref > 1). bad for performance, but better -than causing a crash. - -patch for solaris8-fcs compile from Casper Dik - -3.3.8 01/02/2000 - Released - -fix state handling of SYN packets. 
- -add parsing recognition of extra icmp types/codes and fix handling of -icmp time stamps and mask requests - Frank volf - -3.3.7 25/01/2000 - Released - -sync on state information as well as NAT information when required - -record nat protocol in all nat log records - -don't reuse the IP# from an active NAT session if the IP# in the rule -has changed dynamically. - -lookup the protocol for NAT log information in ipmon and pass that to -portname. - -fix the bug with changing the outbound interface of a packet where it -would lead to a panic. - -use fr_running instead of ipl_inited. (sysctl name change on freebsd) - -return EIO if someone attempts an ioctl on state/nat if ipfilter is not -enabled. - -fix rule insertion bug - -make state flushing clean anything that's not fully established (4/4) - -call fr_state_flush() after we've released ipf_state so we don't generate -a recursive mutex acquisition panic - -fix parsing of icmp code after return-icmp/return-icmp-as-dest and add -some patches to enhance parsing strength - -3.3.6 28/12/1999 - Released - -add in missing rwlock release in fr_checkicmpmatchingstate() and fix check -for ICMP_ECHO to only be for packet, not state entry which we don't have yet. - -handle SIOCIPFFB in nat_ioctl() and fr_state_ioctl() - -fix size of friostat for SunOS4 - -fix bug in running off the end of a buffer in real audio proxy - -3.3.5 11/12/1999 - Released - -fix parsing of "log level" and printing it back out too - -<net/if_types.h> is only present on Solaris2.6/7/8 - -use send_icmp_err rather than icmp_error to send back a frag-needed error -when doing PMTU - -do not use -b with add_drv on Solaris unless $BASEDIR is set. - -fix problem where source address in icmp replies is reversed - -fix yet another problem with real audio. - -3.3.4 4/12/1999 - Released - -fix up the real audio proxy to properly setup state information and NAT -entries, thanks to Laine Stump for testing/advice/fixes. 
- -fix ipfr_fastroute to set dst->sin_addr (Sean Farley - appears to prevent -FreeBSD 3.3 from panic'ing) as this had been removed in prior hacks to this -routine. - -fix kinstall for BSDI - -support ICMP errors being allowed through for ICMP packets going out with -keep state enabled - -support hardware checksumming (gigabit ethernet cards) on Solaris thanks to -Tel.Net Media for providing hardware for testing. - -patched from Frank Volf for ipmon (ICMP & fragmented packets) and allowing -ICMP responses to ICMP packets in the keep state table. - -add in patches for hardware checksumming under solaris - -Solaris install scripts now use $BASEDIR as appropriate. - -add Solaris8 support - -fix "ipf -y" on solaris so that it rescans rules also for changes in -interface pointers - -let ipmon become a daemon with -D if it is using syslog - -fix parsing of return-icmp-as-dest(foo) - -add reference to ipfstat -g to ipfstat.8 - -ipf_mutex needs to be declared for irix in ip_fil.c - -3.3.3 22/10/1999 - Released - -add -g command line option to ipfstat to show groups still define. - -fix problem with fragment table not recording rule pointer when called -from state functions (fin_fr not set). - -fixup fastroute problems with keep state rules. 
- -load rules into inactive set first, so we don't disable things like NIS -lookups half way through processing - found by Kevin Littlejohn - -fix handling of unaligned ip pointer for solaris - -patch for fr_newauth from Rudi Sluijtman - -fixed htons() bug in fr_tcpsum() where ip_p wasn't cast to u_short - -3.3.2 23/09/1999 - Released - -patches from Scott Presnell to fix rcmd proxy - -patches from Greg to fix Solaris detachment of interfaces - -add openbsd compatibility fixes - -fix free'ing already freed memory in ipfr_slowtimer() - -fix for deferencing invalid memory in cleaning up after a device disappears - -3.3.1 14/8/1999 - Released - -remove include file sys/user.h for irix - -prevent people from running buildsunos directly - -fix up some problems with the saving of rule pointers so that NAT saves -that information in case it should need to call fr_addstate() from a proxy. - -fix up scanning for the end of FTP messages - -don't remove /etc/opt/ipf in postremove - -attempt to prevent people running buildsolaris script without doing a -"make solaris" - -fix timeout losing on freebsd3 - -3.3 7/8/1999 - Released - -NAT: information (rules, mappings) are stored in hash tables; setup some -basic NAT regression testing. - -display version name of installed kernel code when initializing. - -add -V command line option to ipf, showing version (program and kernel -module) as well as the run-status of the kernel code. - -fix problem with "log" rules actually affecting result of filtering. - -automatically use SUNWspro if available and on a 64bit Solaris system for -compiling. - -add kernel proxies for rcmd(3) and RealAudio (PNA) - -use timeout/untimeout on SunOS4/BSD platforms too rather than hijacking -ip_slowtimo - -fix IP headers generated through parsing of text information - -fix NAT rules to be in the correct order again. - -make keep-state work with to/fastroute keywords and enforce usage of those -interfaces. 
- -update keep-state code with new algorithm from Guido - -add FreeBSD-3 support - -add return-icmp-as-dest option to retrun an ICMP packet using the original -destination as the source rather than a local IP address - -add "level [facility.]<priority>" option to filter language - -add changes from Guido to state code. - -add code to return EPERM if the device is opened for writing and we're -in securelevel 2 or greater. - -authentication code patches from Guido - -fix real audio proxy - -fix ipmon rule printing of interfaces and add IN/OUT to the end of ipmon -log output. - -fix bimap rules with hash tables - -update addresses used in NAT mappings for 0/32 rules for any protocol but TCP -if it changes on the interface - check every ip_natexpire() - -add redirect regression test - -count buckets used in the state hash table. - -fix sending of RST's with return-rst to use the ack number provided in -the packet being replied to in addition to the sequence number. - -fix to compile as a 64bit application on solaris7-64bit - -add NAT IP mapping to ranges of IP addresses that aren't CIDR specified - -fix calculation of in_space parameter for NAT - -fix `wrapping' when incrementing the next ip address for use in NAT - -fix free'ing of kernel memory in ip_natunload on solaris - -fix -l/-U command line options from interfering with each other - -fix fastroute under solaris2 and cleanup compilation for solaris7 - -add install scripts and compile cleanly on BSD/OS 4.0 - -safely open files in /tmp for writing device output when testing. - -fix uninitialized pointer bug in NAT - -fix SIOCZRLST (zero list rule stats) bug with groups - -change some usage of u_short to u_int in function calling - -fix compilation for Solaris7 (SUNWspro) - -change solaris makefiles to build for either sparc or i386 rather than -per-cpu (sun4u, etc). 
- -fixed bug in ipllog - -add patches from George Michaelson for FreeBSD 3.0 - -add patch from Guido to provide ICMP checking for known state in the same -manner as is done for NAT. - -enable FTP PASV proxying and enable wildcarding in NAT/state code for ports -for better PORT/PASV support with FTP. - -bring into main tree static nat features: map-block and "auto" portmapping. - -add in source host filtering for redirects (alan jones) - -3.2.10 22/11/98 - Released - -3.2.10beta9 17/11/98 - Released - -fix fr_tcpsum problems in handling mbufs with an odd number of bytes -and/or split across an mbuf boundary - -fix NAT list entry comparisons and allow multiple entries for the same -proxy (but on different ports). - -don't create duplicate NAT entries for repeated PORT commands. - -3.2.10beta8 14/11/98 - Released - -always exit an rwlock before expecting to enter it again on solaris - -fix loop in nat_new for pre-existing nat - -don't setup state for an ftp connection if creating nat fails. - -3.2.10beta7 05/11/98 - Released - -set fake window in ipft_tx.c to ensure code passes tests. - -cleaned up/enhanced ipnat -l/ipnat -lv output - -fixed NAT handling of non-TCP/UDP packets, esp. for ICMP errors returned. - -Solaris recusive mutex on icmp-error/tcp-reset - requires rwlock's rather -than mutexes. - -3.2.10beta6 03/11/98 - Released - -fix mixed use of krwlock_t and kmutex_t on Solaris2 - -fix FTP proxy back up, splitting pasv code out of port code. 
- -3.2.10beta5 02/11/98 - Released - -fixed port translation in ICMP reply handling - -3.2.10beta4 01/11/98 - Released - -increase useful statistic collection on solaris - -filter DL_UNITDATA_REQ as well as DL_UNITDATA_IND on solaris - -disable PASV reply translation for now - -fail with an error if we try to load a NAT rule with a non-existant - proxy name - Guido - -fix portmap usage with 0/0 and 0/32 map rules - -remove ap_unload/ap_expire - automatically done when NAT is cleaned up - -print "STATE:CLOSED" from ipmon if the connection progresses past established - rather than "STATE:EXPIRED" - -3.2.10beta3 26/10/98 - Released - -fixed traceroute/nat problem - -rewrote nat/proxy interface - -ipnat now lists associated proxy sessions for each NAT where applicable - -3.2.10beta2 13/10/98 - Released - -use KRWLOCK_T in place of krwlock_t for solaris as well as irix - -disable use of read-write lock acquisition by default - -add in mb_t for linux, non-kernel - -some changes to progress compilation on linux with glibc - -change PASV as well as PORT when passed through kernel ftp proxy. - -don't allow window to become 0 in tcp state code - -make ipmon compile cleaner - -irix patches - -3.2.10beta 11/09/98 - Released - -stop fr_tcpsum() thinking it has run out of data when it hasn't. - -stop solaris panics due to fin_dp being something wild. - -revisit usage of ATOMIC_*() - -log closing state of TCP connection in "keep state" - -fix fake-arp table code for ipsend. - -ipmon now writes pid to a file. - -fix "ipmon -a" to actually activate all logging devices. - -add patches for BSDOS4. - -perl scripts for log analysis donated. - -3.2.9 22/06/98 - Released - -fix byte order for ICMP packets generated on Solaris - -fix some locking problems. - -fix malloc bug in NAT (introduced in 3.2.8). - -patch from guido for state connections that get fragmented - -3.2.8 08/06/98 - Released - -use readers/writers locks in Solaris2 in place of some mutexes. 
- -Solaris2 installation enhancements - Martin Forssen (maf@carlstedt.se) - -3.2.7 24/05/98 - Released - -u_long -> u_32_t conversions - -patches from Bernd Ernesti for NetBSD - -fixup ipmon to actually handle HUP's. - -Linux fixes from Michael H. Warfield (mhw@wittsend.com) - -update for keep state patch (not security related) - Guido - -dumphex() uses stdout rather than log - -3.2.6 18/05/98 - Released - -fix potential security loop hole in keep state code. - -update examples. - -3.2.5 09/05/98 - Released - -BSD/OS 3.1 .o files added for the kernel. - -fix sequence # skew vs window size check. - -fix minimum ICMP header size check. - -remove references to Cybersource. - -fix my email address. - -remove ntohl in ipnat - Thomas Tornblom - -3.2.4 09/04/98 - Released - -add script to make devices for /dev on BSD boxes - -fixup building into the kernel for FreeBSD 2.2.5 - -add -D command line option to ipmon to make it a daemon and SIGHUP causes -it to close and reopen the logfile - -fixup make clean and make package for SunOS5 - Marc Boucher - -postinstall keeps adding "minor=ipf ipl" - George Ross <gdmr@dcs.ed.ac.uk> - -protected by IP Filter gif - Sergey Solyanik <solik@atom.ru> - -3.2.3 10/11/97 - Released - -fix some iplang bugs - -fix tcp checksum data overrun, sgi #define changes, -avoid infinite loop when nat'ing to single IP# - Marc Boucher - -fixup DEVFS usage for FreeBSD - -fix sunos5 "make clean" cleaning up too much - -3.2.2 28/11/97 - Released - -change packet matching to return actual error, if bad packet, to facilitate -ECONNRESET for TCP. - -allow ip:netmask in grammar too now - Guido - -assume IRIX has u_int32_t in sys/types.h (needed for R10000) - -rewrite parts of command line options for ipmon - -fix TCP urgent packet & offset testing and add LAND attack test for iptest - -fix grammar error in yacc grammar for iplang - -redirect (rdr) destination port bytes-wapped when it shouldn't be. 
- -general: fr_check now returns error code, such as EHOSTUNREACH or -ECONNRESET (attempt to make ECONNRESET work for locally outbound -packets). - -linux: enable return-rst, need to filter tcp retransmits which are sent - separately from normal packets - -memory leak plugged in ip_proxy.c - -BSDI compatibility patches from Guido - -tcp checksum fix - Marc Boucher - -recursive mutex and ioctl param fix - Marc Boucher - -3.2.1 12/11/97 - Released - -port to BSD/OS 3.0 - -port to Linux 2.0.31 - -patches to make "map a/m -> 0/0" work with ftp proxying properly - Marc Boucher - -add "ipf -F s" and "ipf -F S" to flush state table entries. - -announce if logging is on or off when ip filter initializes. - -"ipf -F a" doesn't flush groups properly for Solaris. - -3.2 30/10/97 - Released - -ipnat doesn't successfully remove proxy mappings with "-rf" - -Alexander Romanyu - -use K&R C function style for solaris kernel code - -use m_adj() to decrease packet size in ftp proxy - -use mbufchainlen rather than msgdsize, -IRIX update - Marc Boucher - -fix NetBSD modunload bug (pfil_add_hook done twice) - -patches for OpenBSD 2.1 - Craig Bevins <craigb@bitcom.net.au> - -3.2beta10 24/10/97 - Released - -fix fragment table entries allocated for NAT. - -fix tcp checksum calculations over mbuf/mblk boundaries - -fix panic for blen < 0 in ftp kernel proxy - marc boucher - -fix flushing of rules which have been grouped. - -3.2beta9 20/10/97 - Released - -some nit picking on solaris2 with SUNWspro - Michael Lyle <mrl@rpnet.net> - -ftp kernel proxy patches from Marc Boucher - -3.2beta8 13/10/97 - Released - -add support for passing ICMP errors back through NAT. - -IRIX port update - Marc Boucher - -calculate correct MIN size of packet to log for UDP - Marc Boucher - -need htons(ETHERTYPE_x) on little endian BSD boxes - Dave Huang - -copyright header fixups - -3.2beta7 23/09/97 - Released - -fickup problems introduced by prior merges & changes. 
- -3.2beta6 23/09/97 - Released - -patch for spin-reading race condition - Marc Boucher. - -IRIX port by Marc Boucher. - -compatibility updates for Linux to ipsend - -3.2beta5 13/09/97 - Released - -patches from Bernd Ernesti for NetBSD integration (mostly prototyping and -compiler warning things) - -ipf -y will resync IP#'s allocated with 0/32 in NAT to match interface if it -changes. - -update manual pages and other documentation updates. - -3.2beta4 27/8/97 - Released - -enable setting IP and TCP options for iplang/ - -Solaris2 patches from Marc Boucher. - -add groups for filter rules. - -3.2beta3 21/8/97 - Released - -patches for Solaris2 (interface panic solution ?): fix FIONREAD and -replacing q_qinfo points - Marc Boucher <marc@CAM.ORG> - -change ipsend/* and ipsd/* copyright notices to be the same as ip filter's - -patch for SYN-ACK skew testing fix from Eric V. Smith <EricSmith@windsor.com> - -3.2beta2 6/8/97 - Released - -make it load on Solaris 2.3 - -rewrote logging to remove solaris errors, introduced checking to see if the -same packet is logged successively. - -fix filter cache to work when there are no rules loaded. - -add "raw" option to ipresend to send entire ethernet frames. - -nat list corruption bug - NetBSD - Klaus Klein - -3.2beta1 5/7/97 - Released - -patches from Jason Thorpe fixing: UNSIGNED_CHAR lossage, off_t being 64bits -lossage, and other NetBSD bits. - -NetBSD 1.2G update. - -fixup fwtk patches and add protocol field for SIOCGNATL. - -rdr bugs reported by Alexander Romanyu (alexr@aix.krid.crimea.ua), with -fixes: -* rdr matched all packets of a given protocol (ignored ports). -* severe bug in nat_delete which caused system crash/freeze. - -change Makefile so that CC isn't passed on for FreeBSD/NetBSD (will use -the default CC - cc, not gcc) - -3.2alpha9 16/6/97 - Released - -added "skip" keyword. - -implement preauthentication of packets, as outlined by Guido. 
- -Make it compile as cleanly as possible with -Wall & general code cleanup - -getopt returns int, not char. Bernd Ernesti - -3.2alpha8 13/6/97 - Released - -code added to support "auth" rules which require a user program to allow them -through. First revision and much of the code came from Guido. - -hex output from ipmon doesn't goto syslog when recovering from out of sync -error. Luke Mewburn (lukem@connect.com.au) - -fix solaris2.6 lookup of destination ire's. - -ipnat doesn't throw away unused bits (after masking), causing it to -behave incorrectly. Carson Gaspar - -NAT code doesn't include inteface name when matching - Alexey Mavrin -<lha@elco.spb.ru> - -replace old SunOS tcpip.h with new tcpip.h (from 4.4BSD) - Jason Thorpe. - -update install procedures to include ip_proxy.c - -mask out unused bits in NAT/RDR rules. - -use a generic type (u_32_t) for 32bit variables, rather than rely on -u_long being such - Jason Thorpe. - -create a local "netinet" directory and include from ~netinet/*" rather than -just "*" to make keeping the code working on ports easier. - -add an m_copydata and m_copyback for SunOS4 (based on 4.4BSD-Lite versions) - -documentation updates. - -NetBSD update from Jason Thorpe <thorpej@netbsd.org> - -allow RST's through with a matching SEQ # and 0 ACK. Guido Van Rooij - -ipmon uses excessive amounts of CPU on Solaris2 - Reinhard Bertram -<Reinhard.Bertram@KOM.th-darmstadt.de> - -3.2alpha7 25/5/97 - Released - -add strlen for pre-2.2 kernels - Doug Kite <dkite@websgi.icomnet.com> - -setup bits and pieces for compiling into a FreeBSD-2.2 kernel. - -split up "bsd" targets. Now a separate netbsd/freebsd/bsd target. -mln_ipl.c has been split up into itself and mlf_ipl.c (for freebsd). - -fix (negative) host matching in filtering. - -add sysctl interface for some variables when compiled into FreeBSD-2.2 kernels -or later. - -make all the candidates for kernel compiling include "netinet/..." 
and build -a subdirectory "netinet" when compiling and symlink all .h files into this. - -add install make target to Makefile.ipsend - -3.2alpha6 8/5/97 - Released - -Add "!" (not) to hostname/ip matching. - -Automatically add packet info to the fragment cache if it is a fragment -and we're translating addreses for. - -Automatically add packet info to the fragment cache if it is a fragment -and we're "keeping state" for the packet. - -Solaris2 patches - Anthony Baxter (arb@connect.com.au) - -change install procedure for FreeBSD 2.2 to allow building to a kernel -which is different to the running kernel. - -add FIONREAD for Solaris2! - -when expiring NAT table entries, if we would set a time to fr_tcpclosed -(which is 1), make it fr_tcplaskack(20) so that the state tables have a -chance to clear up. - -3.2alpha5 - -add proxying skeleton support and sample ftp transparent proxy code. - -add printfs at startup to tell user what is happening. - -add packets & bytes for EXPIRE NAT log records. - -fix the "install-bsd" target in the root Makefile. Chris Williams -<psion@mv.mv.com> - -Fixes for FreeBSD 2.2 (and later revs) to prevent panics. Julian Assange. - -3.2alpha4 2/4/97 - Released - -Some compiler warnings cleaned up. - -FreeBSD-2.2 patches for LKM completed. - -3.2alpha3 31/3/97 - Released - -ipmon changes: -N for reading NAT logfile, -S for reading state logfile. --a for reading all. -n now toggles hostname resolution. - -Add logging of new state entries and expiration of old state entries. -count log successes and failures. - -Add logging of new NAT entries and expiration of old NAT entries. -count log successes and failures. - -Use u_quad_t for records of bytes & packets where kept -(IP Accounting: fr_hits, fr_bytes; IP state: is_pkts, is_bytes). - -Fixup use of CPU and DCPU in Makefiles. - -Fix broken 0/32 NAT mapping. 
Carl Makin <cmakin@nla.gov.au> - -3.2alpha2 - -Implement mapping to 0/32 as being an alias for automatically using the -interface's first IP address. - -Implement separate minor devices for both NAT and IP state code. - -Fully prototype all functions. - -Fix Makefile problem due to attempt to fix Sun compiling problems. - -3.1.10 23/3/97 - Released - -ipfstat -a requires a -i or -o command line option too. Print an error -when not present rather than attempt to do something. - -patch updates for SunOS4 for kernel compiling. -patch for ipmon -s (flush's syslog file which isn't good). Andrew J. Schorr -<schorr@ead.dsa.com> - -too many people hit their heads hard when compiling code into the kernel -that doesn't let any packets through. (fil.c - IPF_NOMATCH) - -icmp-type parsing doesn't return any errors when it isn't constructed -correctly. Neil Readwin - -Using "-conf" with modload on SunOS4 doesn't work. -Timothy Demarest <demarest@arraycomm.com> - -Need to define ARCH in makefile for SunOS4 building. "make sunos4" -in INSTALL.SunOS is incorrect. James R Grinter <jrg@blodwen.demon.co.uk> -[all SunOS targets now run buildsunos] - -NAT lookups are still incorrect, matching non-TCP/UDP with TCP/UDP -information. ArkanoiD <ark@paranoid.convey.ru> - -Need to check for __FreeBSD_version being 199511 rather than 199607 -in mln_ipl.c. Eric Feillant <Eric.Feillant@EUnet.fr> - -3.1.9 8/3/97 - Released - -fixed incorrect lookup of active NAT entries. - -patch for ip_deq() wrong for pre 2.1.6 FreeBSD. -fyeung@fyeung8.netific.com (Francis Yeung) - -check for out with return-rst/return-icmp at wrong place - Erkki Ritoniemi -(erkki@vlsi.fi) - -text_readip returns the interface pointer pointing to text on stack - -Neil Readwin - -fix from Pradeep Krishnan for printout rules "with not opt sec". - -3.1.8 18/2/97 - Released - -Diffs for ip_output.c and ip_input.c updated to fix bug with fastroute and -compiling warnings about reuse of m0. 
- -prevent use of return-rst and return-icmp with rules blocking packets going -out, preventing panics in certain situations. - -loop forms in frag cache table - Yury Pshenychny <yura@rd.zgik.zaporizhzhe.ua> - -should use SPLNET/SPLX around expire routines in NAT/frag/state code. - -redeclared malloc in 44arp.c - - -3.1.7 8/2/97 - Released - -Macros used for ntohs/htons supplied with gcc don't always work very well -when the assignment is the same variable being converted. - -Filter matching doesn't not match rule which checks tcp flags on packets -which are fragments - David Wilson - -3.1.7beta 30/1/97 - Released - -Fix up NAT bugs introduced in last major change (now tested), including -nat_delete(), nat_lookupredir(), checksum changes, etc. - -3.1.7alpha 30/1/97 - Released - -Many changes to NAT code, including contributions from Laurent Joncheray -<lpj@ans.net> - -Use "NO_SLEEP" when allocating memory under SunOS. - -Make kernel printf's nicer for BSD/SunOS4 - -Always do a checksum for packets being filtered going out and being -processed by fastroute. - -Leave kernel to play with cdevsw on *BSD systems with LKM's. - -ipnat.1 man page fixes. - -3.1.6 21/1/97 - Released - -Allow NAT to work on BSD systems in conjunction with "pass .. to ifname" - -Memory leak introduced in 3.1.3 in NAT lists, clearing of NAT table tried -to free memory twice. - -NAT recalculates IP header checksum based on difference between IP#'s and -port numbers - should be just IP#'s (Solaris2 only) - -3.1.5 13/1/97 - Released - -fixed setting of NAT timeouts and use different timeouts for concurrent -TCP sessions using the same IP# mapping (when port mapping isn't used) - -multiple loading/unloading of LKM's doesn't clean up cdevsw properly for -*BSD systems. 
- -3.1.4 10/1/97 - Released - -add command line options -C and -F to ipnat to flush NAT list and table - -ipnat -l loops on output - Neil Readwin (nreadwin@nysales.micrognosis.com) - -NetBSD/FreeBSD kernel malloc changes - Daniel Carosone - -3.1.3 10/1/97 - Released - -NAT chains not constructed correctly in hash tables - Antony Y.R Lu -(antony@hawk.ee.ncku.edu.tw) - -Updated INSTALL.NetBSD, INSTALL.FreeBSD and INSTALL.Sol2 - -man page update (ipf.5) from Daniel Carosone (dan@geek.com.au) - -ICMP header checksum update now included in NAT. - -Solaris2 needs to modify IP header checksums in ip_natin and ip_natout. - -3.1.2 4/12/96 - Released - -ipmon doesn't use syslog all the time when given -s option - -fixed mclput panic in ip_input.c and replace ntohs() with NTOHS() macro - -check the results of hostname resolution in ipnat - -"make *install" fixed for subdirectories. - -problems with "ARCH:=" and gnu make resolved - -parser reports an error for lines with whitespaces only rather than skipping -them. D.Carosone@abm.com.au (Daniel Carosone) - -patches for integration into NetBSD-current (post 1.2). - -add an option to allow non-IP packets going up/down the stream on Solaris2 -to be dropped. John Bass. - -3.1.2beta 21/11/96 - Released - -make ipsend compile on Linux 2.0.24 - -changes to TCP kept state algorithm, making it watch state on TCP -connections in both directions. Also use the same algorithm for NAT TCP. - --Wall cleanup - Bernd Ernesti - -added "or-block" for "pass .. 
log or-block" after a suggestion from -David Oppenheim (davido@optimation.com.au) - -added subdirectories for building IP Filter in SunOS5/BSD for different -cpu architecures - -Solaris2 fixes to logging and pre-filtering packet processing - 3.1.1p2 - -mbuf logging not using mtod(), remove iplbusy - 3.1.1p1 1/11/96 - -3.1.1 28/10/96 - Released - -Installation script fixes and deinstall scripts for IP Filter on: -SunOS4/FreeBSD/NetBSD - -Man page fixes - Paul Dubois (dubois@primate.wisc.edu) - -Fix use of SOLARIS macro in ipmon, rewrote ipllog() (again!) - -parsing isn't completely case insensitive - David Wilson -(davidw@optimation.com.au) - -Release ipl_mutex across uiomove() calls - -print entire rule entries out for "ipf -z" when zero'ing per-rule stats. - -ipfstat returns same output for "hits" in "ipfstat -aio" - Terletsky Slavik -(ts@polynet.lviv.ua) - -New algorithm for setting timeouts for TCP connection (more closely follow -TCP FSM) - Pradeep Krishnan (pkrishna@netcom.com) - -Track both window sizes for TCP connections through "keep state". - -Solaris2 doesn't like _KERNEL defined in stdargs.h - Jos van Wezel -(wezel@bio.vu.nl) - -3.1.1-beta2 6/10/96 - Released - -Solaris2 fastroute/dup-to/to now works - -ipmon `record' reading rewritten - -Added post-NetBSD1.2 packet filter patches - Mathew Green (mrg@eterna.com.au) - -Attempt to use in_proto.c.diff, not "..diffs" for SunOS4 - David Wilson -(davidw@optimation.com.au) - -Michael Ryan (mike@NetworX.ie) reports the following: -* The Trumpet WinSock under Windows always sends its SYN packet with an ACK - value of 1, unlike any other implementation I've seen, which would set it - to zero. The "keep state" feature of IP Filter doesn't work when receiving - non-zero ACK values on new connection requests. 
-* */Makefile install rule doesn't install all the binaries/man pages -* Make ipnat use "tcp/udp" instead of "tcpudp" -* Print out "tcp/udp" properly -* ipnat "portmap tcp" matches "portmap udp" when adding/removing -* NAT dest. ip# increased by one on mask of 0xffffffff when it shouldn't - -3.1.1-beta 1/9/96 - Released - -add better detection of TCP connections closing to TCP state monitoring. - -fr_addstate() not called correctly for fragments. "keep state" and -"keep frag" code don't work together 100% - Songqing Cai -(songqing_cai@sterling.com) - -call to fr_addstate() incorrect for adding state in combination with keeping -fragment information - Songqing Cai (songqing_cai@sterling.com) - -KFREE() passed fp (incorrect) and not fr (correct) in ip_frag.c - John Hood -(cgull@smoke.marlboro.vt.us) - -make ipf parser recognise '\\' as a `continued line' marker - Dima Ruban -(dima@best.net) - -3.1.1-alpha 23/8/96 - Released - -kernel panic's when ICMP packets go through NAT code - -stats aren't zero'd properly with ipf -Z - -ipnat doesn't show port numbers correctly all the time and also add the -protocol (tcp/udp/tcpudp) to rdr output - Carson Gaspar (carson@lehman.com) - -fast checksum fixing not 100% - backout patch - Bill Dorsey (dorsey@lila.com) - -NetBSD-1.2 patches from - VaX#n8 <vax@linkdead.paranoia.com> - -Usage() call error in fils.c - Ajay Shekhawat (ajay@cedar.buffalo.edu) - -ip_optcopy() staticly defined in ip_output.c in SunOS4 - Nick Hall -(nrh@tardis.ed.ac.uk) - -3.1.0 7/7/96 - Released - -Reformatted ipnat output to be compatible with it's input, so that -"ipnat -l | ipnat -rf -" is possible. 
- -3.1.0beta 30/6/96 - Released - -NetBSD-1.2 patches from Greg Woods (woods@most.weird.com) - -kernel module must not be installed stripped (Solaris2), as created by -"make package" for Solaris2 - Peter Heimann -(peter@i3.informatik.rwth-aachen.de) - -3.1.0alpha 5/6/96 - Released - -include examples in package for solaris2 - -patches for removing an extra ip header checksum (FreeBSD/NetBSD/SunOS) - -removed trailing space from printouts of rules in ipf. - -ipresend supports the same range of inputs that ipftest does. - -sending a duplicate copy of a packet to another network devices is now -supported. ("dup-to") - -sending a packet to an arbitary interface is now supported, irrespective -of its actual route, with no ttl decrement. Can also be routed without -the ttl being decremented. ("to" and "fastroute"). - -"call" option added to support calling a generic function if a packet is -matched. - -show all (upto 4) recorded bytes from the interface name in logging from -ipmon. - -support for using unix file permissions for read/write access on the device -is now in place. - -recursive mutex in nat_new() for Solaris 2.x - Per L. Hagen <per@stibo.dk> - -ipftest doesn't call initparse() for THISHOST - Catherine Allen -(cla@connect.com.au) - -Man page corrections from Rex Bona (rex@pengo.comsmiths.com.au) - -3.0.4 10/4/96 - Released - -looop in `parsing' IP packets with optlen 0 for ip options. - -rule number not initialized and resulted in unexpected results for state -maching. - -option parsing and printing bugs - Pradeep Krishnan - -3.0.4beta 25/3/96 - Released - -wouldn't parse "keep flags keep state" correctly. - -SunOS4.1.x ip_input.c doesn't recognise all 1s broadcast address - Nigel Verdon - -patches for BSDI's BSD/OS 2.1 and libpcap reader on little endian systems -from Thorsten Lockert <tholo@tetherless.com> - -b* functions in fil.c on Solaris 2.4 - -3.0.3 17/3/96 - Released - -added patches to support IP Filter initialisation when compiled into the -kernel. 
- -added -x option to ipmon to display hex dumps of logged packets. - -added -H option to ipftest to allow ascii-hex formatted input to specify -arbitary IP packets. - -Sending TCP RSTs as a response now work for Solaris2 x86 - -add patches to make IP Filter compile into NetBSD kernels properly. - -patch to stop SunOS 4.1.x kernels panicing with "data traps". - -ipfboot script unloads and reloads ipf module on Solaris2 if it is already -loaded into the kernel. - -Installation of IP Filter as a Solaris2 package is now supported. - -Man pages for ipnat.4, ipnat.5 added. - -added some more regression tests and fixed up IP Filter to pass the new tests -(previous versions failed some of the tests in set 12). - -IP option filter processing has changed so that saying "with opt lsrr" will -check only for that one, but not mask out other options, so a packet with -strict source routing, along with loose source routing will match all of -"with opt lsrr", "with opt ssrr" and "with opt lsrr,ssrr". - -IPL_NAME needed in ipnat.c - Kelly (kelly@count04.mry.scruznet.com) - -patches for clean NetBSD compilation from Bernd Ernesti (bernd@arresum.inka.de) - -make install is incorrect - Julian Briggs (julian@lightwork.co.uk) - -strtol() returns 0x7fffffff for all negative numbers, -printfr() generates incorrect output for "opt sec-class *", -handling of "not opt xxx opt yyy" incorrect. -- Minh Tonthat (minht@sbei.com)/Pradeep Krishnan (pradeepk@sbei.com) - -m_pullup() called only for input and not output; caused problems -with filtering icmp - Nigel Verdon (verdenn@gb.swissbank.com) - -parsing problem for "port 1" and NetBSD patches incorrect - -Andreas Gustafsson (gson@guava.araneus.fi) - -3.0.2 4/2/96 - Released - -Corrected bug where NAT recalculates checksums for fragments. - -make NAT recalculate UDP checksums (rather than setting them to 0), -if they're non-zero. 
- -DNS patches - Real Page (Real.Page@Matrox.com) - -alteration of checksum recalculations in NAT code and addition of -redirection with NAT - Mike Neuman - -core dump, if tcp/udp is used with a port number and not service name, -in ipf - Mike Neuman (mcn@engarde.com) - -initparse() call, missing to prime "<thishost>" hook - Craig Bishop - -3.0.1 14/1/96 - Released - -miscellaneous patches for Solaris2 - -3.0 14/1/96 - Released - -Patch included for FDDI, from Richard Ohnemus -(Richard_Ohnemus@dallas.csd.sterling.com) - -Code cleanup for release. - -3.0beta4 10/1/96 - -recursive mutex in ipfr_slowtimer fixed, reported by Craig Bishop - -recursive mutex in sending TCP RSTs fixed, reported by Tony Becker - -3.0beta3 9/1/96 - -FIxup for Solaris2.5 install and interface name bug in ipftest from -Julian Briggs (julian@lightwork.co.uk) - -Byte order patches for ipmon from Tony Becker (tony@mcrsys.com) - -3.0beta2 7/1/96 - -Added the (somewhat warped) IP accounting as it exists in ipfw on FreeBSD. -Note, this isn't really what one would call IP account, when compared to -process accounting, sigh. - -Split up ipresend into iptest/ipresend/ipsend - -Added another m_pullup() inside fr_check() for BSD style kernels and -added some checks to ipllog() to not log more than is present (for short -packets). - -Fixed bug where failed hostname/netname resolution goes undetecte and -becomes 0.0.0.0 (any) (reported Guido van Rooij) - -3.0beta 11/11/95 - Released - -Rewrote the way rule testing is done, reducing the number of files needed and -generated. 
- -SIOCIPFFL was incorrectly affected by IPFILTER_LOG (Mathew Green) - -Patches from Guido van Rooij to fix sending back TCP RSTs on Net-2/Net-3 -BSD based Unixes (panic'd) - -Patches for FreeBSD/i86 ipmon from Riku Kalinen <riku@tequila.nixu.fi> -(I think someone else already told me about these but they got lost :-/) - -Changed Makefile structure to build object files for different operating -systems in separate directories by default. - -BSDI has ef0 for first ethernet interface - -Allow for a "not" operator before optional keywords. - -The "rule number" was being incorrectly incremented every time it went through -the loop rather than when it matched a rule. - -2.8.2 24/10/95 - Released - -Fixed up problems with "textip" for doing lots of testing. - -Fixed bug in detection of "short" tcp/ip packets (all reported as being short). - -Solaris 2.4 port now works 100%. - -Man page errors reported and fixed. - -Removed duplicate entry in etc/services for login on port 49 (Craig Bishop). - -Fixed ipmon output to put a space after the log-letter. - -Patch from Guido van Rooij to fix parsing problem. - -2.8.1 15/10/95 - Released - -Added ttl and tos filtering. - -Patches for fixing up compilation and port problems (little endian) -from Guido van Rooij <guido@IAEhv.nl>. - -Man page problems reported and fixed by Carson Gaspar <carson@lehman.com>. - -ipsend doesn't compile properly on Solaris2.4 - -Lots of work done for Solaris2.4 to make it MT/MP safe and work. - -2.8 15/9/95 - Released - -ipmon can now send messages to syslogd (-s) and use names instead of -numbers (-N). - -IP packets are now "compiled" into a structure only containing filterable -bits. - -Added regression testing in the test/ subdirectory, using a new option -(-b) with the ipftest program. - -Added "nomatch" return to filter results. These are counted and show -up in reports from ipfstat. - -Moved filter code out of ip_fil.c and into fil.c - there is now only one -instance of it in the package. 
- -Added Solaris 2.4 support. - -Added IPSO basic security option filtering. - -Added name support for filtering on all 19 named IP options. - -Patches from Ivan Brawley to log packet contents as well as packet headers. - -Update for sun/conf.c.diff from Ivan Brawley <ibrawley@awadi.com.AU> - -Added patches for FreeBSD 1, and added two new switches (-E, -D) to ipf, -along with a new ioctl, SIOCFRENB. -From: Dieter Dworkin Muller <dworkin@village.org> - -2.7.3 31/7.95 - Released - -Didn't compile cleanly without IPFILTER_LOG defined (Mathew Green). - -ipftest now deals with tcpdump3 binary output files (from libpcap) with -P. - -Brought ipftest program upto date with actual filter code. - -Filter would cause a match to occur when it wasn't meant to if the packet -had short headers and was missing portions that should have been there. -Err, it would rightly not match on them, but their absence caused a match -when it shouldn't have been. - -2.7.2 26/7/95 - Released - -Problem with filtering just SYN flagged packets reported by -Dieter Dworkin Muller <dworkin@village.org>. To solve this -problem, added support for masking TCP flags for comparison "flags X/Y". - -2.7.1 9/7/95 - Released - -Added ip_dirbroadcast support for Sun ip_input.c - -Fixed up the install scripts for FreeBSD/NetBSD to recognise where they are -better. - -2.7 7/7/95 - Released - -Added "return-rst" to return TCP RST's to TCP packets. - -Actually ported it to FreeBSD-i386 2.0.0, so it works there properly now. - -Added insertion of filter rules. Use "@<#>" at the beginning of a filter -to insert a rule at row #. - -Filter keeps track of how many times each rule is matched. - -Changed compile time things to match kernel option (IPFILTER_LKM & -IPFILTER_LOG). - -Updated ip_input.c and ip_output.c with paches for 3.5 Multicast IP. -(No change required for 3.6) - -Now includes TCP fragments which start inside the TCP header as being short. -Added counting the number of times each rule is matched. 
- - -2.6 11/5/95 - Released - -Added -n option to ipf: when supplied, no changes are made to the kernel. - -Added installation scripts for SunOS 4.1.x and NetBSD/FreeBSD/BSDI. - -Rewrote filtering to use a more generic mask & match procedure for -checking if a packet matches a rule. - -2.5.2 27/4/95 - Released - -"tcp/udp" and a non-initialised pointer caused the "proto" to become -a `random' value; added "ip#/dotted.mask" notation to the BNF. -From Adam W. Feigin <feigin@iis.ee.ethz.ch> - -2.5.1 22/3/95 - Released - -"tcp/udp" had a strange effect (undesired) on getserv*() functions, -causing protocol/service lookups to fail. Reported by Matthew Green. - -2.5 17/3/95 - Released - -Added a new keyword "all" to BNF and parsing of tcpdump/etherfind/snoop -output through the ipftest program. Suggestions from: -Michael Ciavarella (mikec@phyto.apana.org.au) - -Conflicts occur when "general" filter rules are used for ports and the -lack of a "proto" when used with "port" matches other packets when only -TCP/UDP are implied. -Reported Matthew Green (mrg@fulcom.com.au); -reported & fixed 6-8/3/95 - -Added filtering of short TCP packets using "with short" 28/2/95 -(These can possibly slip by checks for the various flags). Short UDP -or ICMP are dropped to the floor and logged. - -Added filtering of fragmented packets using "with frag" 24/2/95 - -Port to NetBSD-current completed 20/2/95, using LKM. - -Added logging of the rule # which caused the logging to happen and the -interface on which the packet is currently as suggested by -Andreas Greulich (greulich@math-stat.unibe.ch) 10/2/95 - -2.4 9/2/95 - Released -Fixed saving of IP headers in ICMP packets. - -2.3 29/1/95 -Added ipf -F [in|out|all] to flush filter rule sets (SIOCIPFFL). -Fixed iplread() and iplsave() with help from Marc Huber. - -2.2 7/1/95 - Released -Added code from Marc Huber <huber@fzi.de> to allow it to allocate -its own major char number dynamically when modload'ing. 
Fixed up -use of <, >, <=, >= and >< for ports. - -2.1 21/12/94 - Released -repackaged to include the correct ip_output.c and ip_input.c *goof* - -2.0 18/12/94 - Released -added code to check for port ranges - complete. -rewrote to work as a loadable kernel module - complete. - -1.1 -added code for ouput filtering as well as input filtering and added support for logging to a simple character device of packet headers. - -1.0 22/04/93 - Released -First release cut. |
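Review bot: The removal of contrib/ipfilter/HISTORY is not paired with any replacement or pointer to where this release history now lives, so the record of when behaviours that users still rely on were introduced (the "with short" handling for truncated TCP packets and the drop-and-log of short UDP/ICMP in 2.5, the "flags X/Y" TCP flag masking in 2.7.2, "return-rst" and "@<#>" rule insertion in 2.7, the ipllog() bound checks for short packets in 3.0beta2, and the Solaris 2.4 MT/MP-safety work in 2.8.1) disappears from the tree with this change. Please either note in the commit message where the changelog is preserved (the upstream IP Filter distribution or the vendor-branch history) or keep a short stub in contrib/ipfilter that points readers there, so that anyone auditing the origin of these filter behaviours can still find the entries.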