Diffstat (limited to 'contrib/ipfilter/WhatsNew50.txt')
-rw-r--r-- | contrib/ipfilter/WhatsNew50.txt | 83 |
1 files changed, 83 insertions, 0 deletions
diff --git a/contrib/ipfilter/WhatsNew50.txt b/contrib/ipfilter/WhatsNew50.txt new file mode 100644 index 0000000..adbf0a9 --- /dev/null +++ b/contrib/ipfilter/WhatsNew50.txt 
@@ -0,0 +1,83 @@ +What's new in 5.1 +================= + +General +------- +* all of the tuneables can now be set at any time, not just whilst disabled + or prior to loading rules; + +* group identifiers may now be a number or name (universal); + +* man pages rewritten + +* tunables can now be set via ipf.conf; + +Logging +------- +* ipmon.conf can now be used to generate SNMPv1 and SNMPv2 traps using + information from log entries from the kernel; + +NAT changes +----------- +* DNS proxy for the kernel that can block queries based on domain names; + +* FTP proxy can be configured to limit data connections to one or many + connections per client; + +* NAT on IPv6 is now supported; + +* rewrite command allows changing both the source and destination address + in a single NAT rule; + +* simple encapsulation can now be configured with ipnat.conf, + +* TFTP proxy now included; + +Packet Filtering +---------------- +* acceptance of ICMP packets for "keep state" rules can be refined through + the use of filtering rules; + +* alternative form for writing rules using simple filtering expressions; + +* CIPSO headers now recognised and analysed for filtering on DOI; + +* comments can now be a part of a rule and loaded into the kernel and + thus displayed with ipfstat; + +* decapsulation rules allow filtering on inner headers, providing they + are not encrypted; + +* interface names, aside from that the packet is on, can be present in + filter rules; + +* internally now a single list of filter rules, there is no longer an + IPv4 and IPv6 list; + +* rules can now be added with an expiration time, allowing for their + automatic removal after some period of time; + +* single file, ipf.conf, can now be used for both IPv4 and IPv6 rules; + +* stateful filtering now allows for limits to be placed on the number + of distinct hosts allowed per rule; + +Pools +----- +* addresses added to a pool via the command line (only!) 
can be given + an expiration timeout; + +* destination lists are a new type of address pool, primarily for use with + NAT rdr rules, supporting newer algorithms for target selection; + +* raw whois information saved to a file can be used to populate a pool; + +Solaris +------- +* support for use in zones with exclusive IP instances fully supported. + +Tools +----- +* use of matching expressions allows for refining what is displayed or + flushed; + |
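Review bot: The heading on the first added line reads "What's new in 5.1", but the file is added as contrib/ipfilter/WhatsNew50.txt; rename the file or correct the heading so the filename and the version it documents agree. In the General section the same word is spelled both "tuneables" and "tunables"; pick one. List items are terminated with ";" except "man pages rewritten" (no terminator) and "simple encapsulation can now be configured with ipnat.conf," (comma), so make these consistent. The Solaris item reads "support for use in zones ... fully supported", which repeats itself; "use in zones with exclusive IP instances is now fully supported" says the same thing once. The last added line is empty and can be dropped.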