From d438802dcb3e270d6fcc65f075c808c64853a7c2 Mon Sep 17 00:00:00 2001 From: darrenr Date: Mon, 25 Apr 2005 17:31:50 +0000 Subject: import ipfilter 4.1.8 into the vendor branch --- contrib/ipfilter/HISTORY | 813 +++++++++++++---------------------------------- 1 file changed, 225 insertions(+), 588 deletions(-) (limited to 'contrib/ipfilter/HISTORY') diff --git a/contrib/ipfilter/HISTORY b/contrib/ipfilter/HISTORY index 85a8b5f..9b93e83 100644 --- a/contrib/ipfilter/HISTORY +++ b/contrib/ipfilter/HISTORY 
@@ -6,757 +6,394 @@ # in providing a very available location for the IP Filter home page and # distribution center. # -# Thanks to Hewlett Packard for making it possible to port IP Filter to -# HP-UX 11.00. -# -# Thanks to Tel.Net Media for supplying me with equipment to ensure that -# IP Filter continues to work on Solaris/sparc64. -# -# Thanks to BSDI for providing object files for BSD/OS 3.1 and the means -# to further support development of IP Filter under BSDI. -# -# Thanks to Craig Bishop of connect.com.au and Sun Microsystems for the -# loan of a machine to work on a Solaris 2.x port of this software. -# # Thanks also to all those who have contributed patches and other code, # and especially those who have found the time to port IP Filter to new # platforms. # -3.4.35 21/6/2004 - Released - -some cases of ICMP checksum alteration were wrong - -block packets that fail to create state table entries - -correctly handle all return values from ip_natout() when fastrouting - -ipmon was not correctly calculating the length of the IPv6 packet (excluded -ipv6 header length) - -3.4.34 20/4/2004 - Released - -correct the ICMP packet checksum fixing up when processing ICMP errors for NAT - -various changes to ipsend for sending packets with ipv4 options - -look for ipmon's pidfile in /var/run and /etc/opt/ipf in Solaris' init script - -only allow non-fragmented packets to influence whether or not a logged -packet is the same as the one logged before. 
- -make "ipfstat -f" output more informative - -compatibility for openbsd byte order changes to ip_off/ip_len - -disallow "freebsd" as a make target (encourages people to do the wrong thing) - -3.4.33 15/12/2003 - Released - -pass on messages moving through ipfilter when it is unloading itself on Solaris - -add disabling of auto-detach when the module attaches on Solaris - -compatibility patches for 'struct ifnet' changes on FreeBSD - -implement a maximum for the number of entries in the NAT table (NAT_TABLE_MAX -and ipf_nattable_max) - -fix ipfstat -A - -frsynclist() wasn't paying attention to all the places where interface -names are, like it should. - -fix where packet header pointers are pointing to after doing an ipf_pullup - -fix comparing ICMP packets with established TCP state where only 8 bytes -of header are returned in the ICMP error. - -3.4.32 18/6/2003 - Released - -fix up the behaviour of ipfs - -make parsing errors in ipf/ipnat return an error rather than return -indicating success. - -window scaling patch - -make ipfstat work as a set{g,u}id thing - gave up privs before opening -/dev/ipl - -checksum adjustment corrections for ICMP & NAT - -attempt to always get an mbuf full of data through pullup if possible - -Fix bug with NAT and fragments causing system to crash - -Add patches for OpenBSD 3.3 - -stop LKM locking up the machine on modern NetBSD(?) - -allow timeouts in NAT rules to over-ride fr_defnatage if LARGE_NAT is defined - -Locking patches for IRIX 6.5 from SGI. 
- -fix bug in synchronising state sessions where all interfaces were invalidated - -fix bug in openbsd 3.2 bridge diffs - -fix bug parsing port comparisons in proxy rules - -3.4.31 7/12/2002 - Released - -Solaris 10 compatibility - -fix linking into pfil in NetBSD - -fix IRIX 6.2 compatibility - -add code to check consistency of fr_checkp/fr_check on non-Solaris - -OpenBSD: missing patches for ip6_output.c on OpenBSD 3.2, - make LKM work for 3.2 (OpenBSD LKMs now match NetBSD) - -3.4.30 26/11/2002 - Released - -attempt to detect using GNU make and abort if so - -OpenBSD 3.2 patches from Stefan Hermes von GMX - -add MSS clamping code from NetBSD - -correctly display ipv6 output with ipfstat for (accounting) rules - -fix problems with ioctl handling for /dev/ipauth - -set SYN bit in rcmd fake packet to create back channel - -make libpcap reader capable of determining in/out (not in libpcap file) -and add more DLT types - -do not allow redirects to localhost for Solaris in NAT parser - -allow return-rst with auth rules - -man page corrections - -fix for handling ipv6 icmp errors - -fix up ipfs command line option processing - -only allow processing a ftp 227 response following a PASV command - -NetBSD: use poll() and adapt to new cdevsw mechanism - -make flushing for just ipv6 things work - -3.4.29 28/8/2002 - Released - -Make substantial changes to the FTP proxy to improve reliability, security -and functionality. - -don't send ICMP errors/TCP RST's in response to blocked proxy packets - -fix potential memory leaks when unloading ipfilter from kernel - -fix bug in SIOCGNATL handler that did not preserve the expected -byte order from earlier versions in the port number - -set do not fragment flag in generated packets according to system flags, -where available. 
- -preserve filter rule number and group number in state structure - -fix bug in ipmon printing of p/P/b/B - -make some changes to the kmem.c code for IRIX compatibility - -add code to specifically handle ip.tun* interfaces on Solaris - -3.4.28 6/6/2002 - Released - -Fix for H.323 proxy to work on little endian boxes - -IRIX: Update installation documentation - add route lock patch - -allow use of groups > 65535 - -create a new packet info summary for packets going through ipfr_fastroute() -so that where details are different (RST/ICMP errors), the packet now gets -correctly NAT'd, etc. - -fix the FTP proxy so that checks for TCP sequence numbers outside the -normal offset due to data changes use absolute numbers - -make it possible to remove rules in ipftest - -Update installing onto OpenBSD and split into two directories: -OpenBSD-2 and OpenBSD-3 - -fix error in printout out the protocol in NAT rules - -always unlock ipfilter if locking fails half way through in ipfs - -fix problems with TCP window scaling - -update of man pages for ipnat(4) and ipftest(1) - -3.4.27 28/04/2002 - Released - -fix calculation of 2's complmenent 16 bit checksum for user space - -add mbuflen() to usespace compiles. - -add more #ifdef complexity for platform portability - -add OpenBSD 3.1 diffs - -3.4.26 25/04/2002 - Released - -fix parsing and printing of NAT rules with regression tests. - -add code to adjust TCP checksums inside ICMP errors where present and as -required for NAT. 
- -fix documentation problems in instal documents - -fix locking problem with auth code on Solaris - -fix use of version macros for FreeBSD and make the use of __FreeBSD_version -override previous hacks except when not present - -fix the macros defined for SIOCAUTHR and SIOCAUTHW - -fix the H.323 proxy so it no longer panics (multiple issues: re-entry into -nat_ioctl with lock held on Solaris, trying to copy data from kernel space -with copyin, unaligned access to get 32bit & 16bit numbers) - -use the ip_ttl ndd parameter on Solaris to fill in ip_ttl for packets -generated by IPFilter - -fix comparing state information to delete state table entries - -flag packets as being "bad state" if they're outside the window and prevent -them from being able to cause new state to be created - except for SYN packets - -be stricter about what packets match a TCP state table entry if its creation -was triggered by a SYN packet. - -add patches to handle TCP window scaling - -don't update TCP state table entries if the packet is not considered to be -part of the connection - -ipfs wasn't allowing -i command line option in getopt - -IRIX: fix kvm interface, fix compile warnings, compile the kernel with -O2 - regardless of user compile, fix the getkflags script to prune down the - output more so it is acceptable - -change building in Makefiles to create links to the application in $(TOP) -at the end of "build" rather than when each is created. - -update BSD/kupgrade for FreeBSD - -l4check wasn't properly closing things when a connection fails - -man page updates for ipmon(8) and ipnat(5) - -more regression tests added. 
- -3.4.25 13/03/2002 - Released - -retain rule # in state information - -log the direction of a packet so ipmon gets it right rather than incorrectly -deriving it from the rule flags - -add #ifdef for IPFILTER_LOGSIZE (put options IPFILTER_LOGSIZE=16384 in BSD -kernel config files to increase that buffer size) - -recognise return-* rules differently to block in ipftest - -fix bug in ipmon output for solaris - -add regression testing for skip rules, logging and using head/group - -fix output of ipmon: was displaying large unsigned ints rather than -1 -when no rules matched. - -make logging code compile into ipftest and add -l command line option to -dump binary log file (read with ipmon -f) when it finishes. - -protect rule # and group # from interference when checking accounting rules - -add regression testing for log output (text) from ipmon. - -document -b command line option for ipmon - -fix double-quick in Solaris startup script - -3.4.24 01/03/2002 - Released - -fix how files are installed on SunOS5 - -fix some minor problems in SunOS5 ipfboot script - -by default, compile all OpenBSD tools in 3.0 for IPv6 - -fix NULL-pointer dereference in NAT code - -make a better attempt at replacing the appropriate binaries on BSD systems - -always print IPv6 icmp-types as a number - -impose some rules about what "skip" can be used with - -fix parsing problems with "keep state" and "keep state-age" - -Try to read as much data as is in the log device in ipmon - -remove some redundant checks when searching for rdr/nat rules - -fix bug in handling of ACCT with FTP proxy - -increase array size for interface names, using LIFNAMSIZ - -include H.323 proxy from QNX - -3.4.23 16/01/2002 - Released - -Include patches to install IPFilter into OpenBSD 3.0, both for just kernel -compiles and complete system builds. - -Fix bug in automatic flushing of state table which would cause it to hang -in an infinite loop bug introduced in 3.4.20. 
- -Modify the sample proxy (samples/proxy.c) so that it ads a NAT mapping for -the outgoing connection to make it look like it comes from the real source. - -Only support ICMPv6 with IPv6. - -Move ipnat.1 to ipnat.8 - -Enhance ipmon to print textual ICMP[v6] types and subtypes where possible. - -Make it possible to do IPv6 regression testing with ipftest. - -Use kvm library for kmem access, rather than trying to do it manually with -open/lseek/read. - -Fix diffs for ip_input.c on BSDOS so it doesn't crash with fastroute. - -Remove Berkeley advertising licence clause. Reference: -ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change - -Add more regression tests: ICMPv6 neighbour discovery, ICMP time exceeded -and fragmentation required. - -Fix ipfboot script on Solaris to deal with no nameservers or no route to -them in a clean manner. - -Support per-rule set timeouts for non-TCP NAT and state - -Add netbios proxy - -Add ICMPv6 stateful checking, including handling multicast destination -addresses for neighbour discovery. - -Fix problems with internals of ICMP messages for MTU discovery and -unreachables not being correctly adjust on little endian boxes. - -Add "in-via" and "out-via" to filtering rules grammar. It is now possible -to bind a rule to both incoming and outgoing interfaces, in both forward -and reverse directions (4 directions in total). allows for asymetric flows -through a firewall. - -Fix ipfstat and ipnat for working on crash dumps. - -Don't let USE_INET6 stay defined for SunOS4 - -Count things we see for each interface on solaris. - -Include when compiling with USE_INET6 defined and -also include a whole bunch of #define's to make sure the symbols expected -can be used. - -Fix up fastroute on BSD systems. - -Make fastrouting work for IPv6 just a bit better. doesn't split up big -packets into fragments like the IPv4 one does. 
You can now do a -"to :" - -Remove some of the differences between user-space and kernel-space code -that is internal to ipfilter. - -Call ipfr_slowtimer() after each packet is processed in ipftest to artificially -create the illusion of passing time and include the expire functions in the -code compiled for user-space. - -Fix issues with the IPSec proxy not working or leading to a system crash. - -Junk all processing of SPIs and special handling for ESP. - -Add "no-match" as a filter rule action (resets _LAST_ match) - -Add hack to workaround problems with Cassini interface cards on -Solaris and VLANs - -Add some protocols to etc/protocols - -3.4.22 03/12/2001 - Released - -various openbsd changes - -sorting based on IP numbers for ipfstat top output - -fix various IPv6 code & compile problems - -modify ip_fil.c to be more netbsd friendly - -fix fastroute bug where it modified a packet post-sending - -fix get_unit() - don't understand why it was broken. +4.1.8 - Released 29 March 2005 -add FI_IGNOREPKT and don't count so marked packets when doing stats or -state/nat. +include path from Phil Dibowitz for sorting ipfstat -t output by source or +destination port. -extend the interface name saved to log output +fix a bug in printing rules where interface names could not be printed, +even if they're in the rule structure. -make proxies capable of extending the matching done on a packet with a -particular nat session +fix BSD/kupgrade to correctly change ipfilter lkm Makefile for FreeBSD -change interfaces inside NAT & state code to accomodate redesign to allow -IPsec proxy to work. 
+add 2 new features to SIOCGNATL: +- if IPN_FINDFORWARD is set, check if the respective MAP is already + present in the outbound table +- if IPN_IN is set, search for a matching MAP entry instead of RDR + (Peter Potsma) -fix bug when free'ing loaded rules that results in a memory leak -(only an issue with "ipf -rf -", not flush) +turn off function inlining for freebsd 5.3+ -make ipftest capable of loading > 1 file or rules, making it now possible -to load both NAT & filter rules +UDP doesn't pullup enough data which can sometimes cause a panic. +Fix other protocols, as required, where a similar problem may exist. -fix hex input for ipftest to allow interface name & direction to work +overhaul the timeout queue management, especially that for user defined queues +which are now only freed in an orderly manner. -show ipsec proxy details in ipnat output +4.1.7 - Released 13 March 2005 -if OPT_HEX is set in opts, print a packet out as hex +Using the GRE call field is almost impossible because it is unbalanced and +both call fields are not present in each v1 header. -don't modify b_next or preseve it or preserve b_prev for solaris +Fix a problem where it was possible to load duplicate rules into ipf -fix up kinstall scripts to install all the files everywhere they need to +patch from John Wehle to address problems with fastroute on solaris -fix overflowing of bits in ip_off inside iptest +Copying data out for ipf -z failed because it tried to copy out to an address +that is a kernel pointer in user space. 
-make userauth and proxy in samples directory compile +add "ip" timeout for both NAT & state that's for non-TCP/UDP/ICMP -fix minimum size when doing a pullup for ESP & ICMPv6 +synch up with NetBSD's changes -3.4.21 24/10/2001 - Released +fix problems parsing long lines of text in the ftp proxy where they would not +be parsed properly and stop the session from working -include ipsec proxy +enhance the PPTP proxy so that it tries to decode messages in the TCP stream +so it knows when to create and destroy the state/nat sessions for GRE. There +are also 4 new regression tests for it, testing map/rdr rules. -make state work for non-tcp/udp/icmp in a very simple way +impose some limits on the size of data that can be moved with SIOCSTPUT in +the NAT code and also prevent a duplicate session entry from being created +using this method. -include diffs for ipv6 firewall on openbsd-2.9 +add a new flag (IPN_FINDFORWARD) to NAT code that can be used with SIOCGNATL +to check if it is possible to create an outgoing transparent NAT mapping to +compliment the redirect being investigated. -add compatibility filter wrapper for NetBSD-current +Linux requires that the checksums in the IP header get adjusted -fix command line option problems with ipfs +only resolve unknown interfaces in fr_stinsert, and nuke all interface pointers +in SIOCSTPUT to prevent bad data being loaded from userspace. -if we fill the state table and a automated flush doesn't purge any -expiring entries, remove all entries idle for more than half a day +make the byte counting for state correct (was counting data from ICMP packet +twice) -fix bug with sending resets/icmp errors where the pointer to the data -section of the packet was not being set (BSD only) +print out the keyword "frag-body" if the flag is set. -split out validating ftp commands and responses into different halves, -one for each of server & client. 
+fix ipfs loading/restoring NAT sessions -do not compile in STATETOP support for specific architectures +patch from Frank to correctly format IP addresses in ipfstat -t output -fix INSTALL.FreeBSD to no longer provide directions and properly direct -people to the right file for the right version of FreeBSD. +parsing port numbers in ipf/ipnat was confusing as the port number was returned +in an int that was also overloaded to be the suceess/failure. instead, change +the port using pass by reference and only use the return value for indicating +success or failure. -3.4.20 24/07/2001 - Released +4.1.6 - Released 19 February 2005 -adjust NAT hashing to give a better spread across the table +add a new timeout number to NAT (fr_defnatipage) that is used for all +non-TCP/UDP/ICMP protocols - default 60 seconds. -show icmp code/type names in output, where known +buffer leak with bad nat - David Gueluy -fix bug in altering cached interface names in state when resync'ing +fix memory leak with state entries created by proxies -fix bug in real audio proxy that caused crashs - -fix compiling using sunos4 cc +eliminate copying too much data into a scan buffer -patch from casper to address weird exit problem for ipstat in top mode +allow a trailing protocol name for map rules as well as rdr ones -patch from Greg Woods to produce names for icmp types/unreach codes, -where they are known +fix bug in parsing of <= and > for NAT rules (two were crossed over) -fix bug where ipfr_fastroute() would use a mblk and it would also get -freed later. +FreeBSD's iplwrite hasn't kept pace with iplread's prototype -don't match fragments which would cause 64k length to be exceeded +expand documention on the karma of using "auto" in ipnat map rules -ftp proxy fix for port numbers being setup for pasv ftp with state/nat +add matching on IP protocol to ipnat map rules -change hashing for NAT to include both IP#'s and ports. 
+allow ippool definitions to contain no addresses to start with -Solaris fixes for IPv6 +Linux NAT needs to modify the IP header checksum as it gets called after it +has been computed by IP. -fix compiling iplang bits, under Solaris, for ipsend +UDP was missing a pullup for packet header information before examining +the header -3.4.19 29/06/2001 - Released +4.1.5 - Released 9 January 2005 -fix to support suspend/resume on solaris8 as well as ipv6 +all rules were being converted into "dup-to" rules in the kernel -include group/group-head in match of filter rules +fix two ftp proxy problems: 1st, buffer needs to be bigger for fitting in +complete RETR/CWD commands, 2nd is () use in 227 messages isn't copied +over correctly. -fix endian problem reading snoop files +response to CWDs +revert ip_off back to network byte order in the ICMP error packet that +gets generated. -make all licence comments point to the one place +4.1.4 - Released 9 January 2005 -fix ftp proxy to only advance state if a reply is received in response to -a recognised command +force NAT rules to only match ipv4 NAT rules (which all are, currently, +by default) -3.4.18 05/06/2001 - Released +include state synchronisation fixes from Frank Volf -fix up parsing of "from ! host" where '!' is separate +make the maximum log size for internally buffered log entries accessible +via "ipf -T" -disable hardware checksums for NetBSD +redesign start of fr_check() to avoid putting duplicate information in +ipfilter about how much data needs to be pulled up for a protocol to be +properly filtered. -put ipftest temporary files in . rather than /tmp +tidy up sending ICMP error messages - some bad inputs could result in +data not being freed and/or no error returned. 
-modify ftp proxy to be more intelligent about moving between states -and recognise new authentication commands +make the maximum size of the log buffer run-time tunable -allow state/nat table sizes to be externally influenced +fix bug in parsing TCP header when looking for MSS option that could make +the system hang -print out host mapping table for NAT with ipnat -l +change pool lookups that fail to find a match to return "no match" +rather than fail. -fix handling of hardware checksum'ing on Solaris +add run-time tunable debugging for proxy support code and FTP proxy. -fixup makefiles for Solaris +fix state table updates for entries where the first packet as an ICMPv6 +multicast message -update regression tests +fix hang when flushing state for v4/v6 and other (v6/v4) entries are present +too -fix surrender of SPL's for failure cases +attaching filtering to ipv6 pfil hook wasn't present for solaris -include patches for OpenBSD's new timeout mechanism +don't allow rules with "keep state" and "with oow" -default ipl_unreach to ICMP_UNREACH_FILTER_PROHIB if defined, else make it -ICMP_UNREACH_FILTER +move a bunch of userland only code from fil.c to ip_fil.c -fix up handling of packets matching auth rules and interaction with state +make fr_coalesce() more resiliant to bad input, just returning an error +instead of crashing, making calling it easier in many places -add -q command line option to ipfstat on Solaris to list bound interfaces +When m_pulldown doesn't return NULL, it doesn't necessarily return a pointer +to the same mbuf passed in as the first arg. -add command line option to ipfstat/ipnat to select different core image +remove fr_unreach and use ENETUNREACH by default. 
-don't use ncurses on Solaris for STATETOP +printing out of tag data in ipf rules doesn't match input syntax -fix includes to get FreeBSD version +ipftest(1) man page update -do not byte swap ip_id +ipfs command line option parsing still rejects some valid syntaxes -fix handling success for packets matching the auth rule +SIGHUP handling by ipmon was not as safe as it could be -don't double-count short packets +fix various parsing regressions, including "", "tcpudp", ordering +of "keep" options -add ICMP router discovery message size recognition +patches from Frank Volk: add udp_acktimeout to sysctl list for FreeBSD, +ICMP packet length not calculated correctly in send_icmp_err, reply-to +not printed by ipfstat, keep state with icmp passing (mtrr) -fix packet length calculation for IPv6 +patches for return-rst and return-icmp from Attila Fueloep +(lichtscheu@gesindel.org) -set CPUDIR when for install-sunos5 make target +4.1.3 - Released 18 July 2004 -SUNWspro -xF causes Solaris 2.5.1 kernel to crash +do some more fine tuning on NAT checksum adjustments -3.4.17 06/04/2001 - Released +correct IP address byte order in proxy setup for ipsec/pptp -fix fragment#0 handling bug where they could get in via cache information -created by state table entries +man page updates -use ire_walk to look for ire cache entries with link layer headers cached +fix numerous problems with ipfs operation -deal with bad SPL assumptions for log reading on BSD +complete new syntax for ipmon.conf in its parser and update the sample file -fix ftp proxy to allow logins with passwords +assign error value consistantly in fastroute code -some auth rule patches, fixing byte endian problems and returning as an error +rewrite allocation of mbufs in send_reset/send_icmp_err to better use +mbuf clusters and size calculations -support LOG_SECURITY, where available, in ipmon +resolve problem with linux panic'ing because the wrong flag was being +passed to skb_clone/skb_alloc -don't return an error for 
packets which match auth rules +enable use of shared/exclusive locks on freebsd5 and above -introduce fr_icmpacktimeout to timeout entries once an ICMP reply has -been seen separately to when created +do not rely on m_pkthdr.len to be valid all the time for mbufs on modern BSD +and so use mbufchainlen to get the mbuf length instead -3.4.16 15/01/2001 - Released +replace lots of COPYIN/COPYOUT with BCOPYIN/BCOPYOUT where the data is +going to be on the stack and not in userland -fix race condition in flushing of state entries that are timing out +packet buffer pointers were not refreshed & used properly in fr_check() -Add TCP ECN patches +include extra bits for OpenBSD 3.4 & 3.5. -log all NAT entries created, not just those via rules +fix ipf/ipnat parsing regression problems with v3.4 -3.4.15 17/12/2000 - Released +4.1.2 - RELEASED - 27 May 2004 -add minimum ttl filtering (to be replaced later by return-icmp-as-dest -for all ICMP packets matching state entries). +add state top for ipv6 -fix NAT'ing of fragments +fix numerous parsing regressions -fix sanity checks for ICMPV6 +change sample proxies to use SIOCGNATL with the new API -fix up compiling on IRIX 6.2 with IDF/IDL installed +allow macro names to contain underscores (_) -3.4.14 02/11/2000 - Released +split the parser into a collection of dictionaries so that keywords do +not interfere with resolving hostnames and portnames -cause flushing NAT table to generate log records the same as state flush -does. +fix ipfrule LKM loading on freebsd -fix ftp proxy port/pasv +support mapping a fixed range of ports to a single port -fix problem where nat_{in,out}lookup() would release a write lock when it -didn't need to. 
+fix timeout queue use by proxies with private queues -add check for ipf6.conf in Solaris ipfboot +handle space-led ftp server replies properly -3.4.13 28/10/2000 - Released +fix timeout queue management -fix introduced bug with ICMP packets being rejected when valid +fix fastroute, generation of RST & ICMP packets and operation with to/fastroute -fix bug with proxy's that don't set fin_dlen correctly when calling -fr_addstate() +resolve further linux compatibility problems -3.4.12 26/10/2000 - Released +replace the use of COPYIN with BCOPYIN for platforms that provide ioctl +args on the stack -fix installing into FreeBSD-4.1 +allow flushing of ipv6 rules independant of ipv4 rules -fix FTP proxy bug where it'd hang and make NAT slightly more efficient +correct internal ipv6 checksum calculations -fix general compiling errors/warnings on various platforms +if a 'keep state' rule fails to create state, block the packet rather +than let it through -don't access ICMP data fields that aren't there +correct all checksums in regression tests and correct NAT code to adjust +checksums correctly. -3.4.11 09/10/2000 - Released +fix ipfs -R/-W -return NULL for IPv6 access control lists if it is disabled rather than -random garbage. +4.1.1 - RELEASED - 24 March 2004 -fix for getting protocol & packet length for IPv6 packets for pullup. +allow new connections with the same port numbers as an existing one +in the state table if the creating packet is a SYN -update plog script from version 0.8 to version 0.10 +timeout values have drifted, incorrectly, from what they were in 3.4 -patch from Frank Volf adding fix_datacksum() to NAT code, enhancing the -capabilities for "fixing" checksums. +FreeBSD - compatibility changes for 5.2 -3.4.10 03/09/2000 - Released +don't match on sequence number (as well) for ICMO ECHO/REPLY, just the +ICMP Id. 
field as otherwise thre is a state/NAT entry per packet pair +rather than per "flow" -merge patch from Frank Volf for ICMP nat handling of TCP/UDP data `errors' +fr_cksum() returned the wrong answer for ICMP -getline() adjusts linenum now +Linux: +- get return-rst and return-icmp working +- treat the interface name the same as if_xname on BSD -add tcphalfclosed timeout +adjust expectations for TCP urgent bits based on observed traffic in the +wild -fill in icmp_nextmtu field if it is defined on the platform +openbsd3.4 has ip_len/ip_off in network byte order when ipfilter is called -RST generation fix from guido +fix flushing of hash pool gorups (ippool -F) as well as displaying them +(ippool -l) -force 32bit compile for gcc on solaris if it can't generate 64bit code +passing of pointers to interface structures wrong for HP-UX/Solaris with +return-* rules. -encase logging when fr_chksrc == 2 in #ifdef IPFILTER_LOG +Make the solaris boot script able to run on 2.5.1 -fix up line wrap problems in plog script +ippool related files missing from Solaris packages -fix ICMP packet handling to not drop valid ICMP errors +The name /dev/ippool should be /dev/iplookup -freebsd 5.0 compat changes +add regression testing for parsing long interface names in nat rules, +along with mssclamp and tags. Also add test for mssclamp operation. -3.4.9 08/08/2000 - Released +ttl displayed for "ipfstat -t" is wrong because ttl is not computed. -implement new aging mechanism in fr_tcp_age() +parse logical interface names (Sun) -fix icmp state checking bug +unloading LKMs was only working if they were enabled. 
-revamp buildsunos script and build both sparcv7/sparcv9 for Solaris -if on an Ultra with a 64bit system & compiler (Caseper Dik) +sync'ing up NAT sessions when NICs change should cause NAT rules to +re-lookup name->pointer mappings -open ipfilter device read only if we know we can +not all of the ippool ioctl's are IOWR and they should be because they +use the ipfobj_t for passing information in/out of the kernel. leave the +old values defined and handle them, for compatibility. -print out better information for ICMP packets in ipmon +pool stats wrong: ippoolstate used where ipoolstat should be, hash table + statistics not reported at all -move checking for source spoofed packets to a point where we can generate -logs of them +fr_running not set correctly for OpenBSD when compiled into the kernel -return EFAULT from ircopyptr/iwcopyptr +Allow SIOCGETFF while disabled -don't do ioctl(SIOCGETFS) for auth stats +Fix mssclamp with NAT (pasing and printing of the word, plus wrong bytes +altered. How do you say "untested" ?) -fix up freeing mbufs for post-4.3BSD +4.1 - RELEASED - 12 February 2004 -fix returning of inc from ftp proxy +4.0-BETA1 20 August 2003 -fix bugs with ipfs -R/-W (Caseper Dik) +support 0/32 and 0/0 on the RHS in redirect rules -3.4.8 19/07/2000 - Released +where LHS and RHS netmasks are the same size for redirect, do 1:1 mapping +for bimap rules. -create fake opt_inet6.h for FreeBSD-4 compile as LKM +allow NAT rule to match 'all' interfaces with * as interface name -add #ifdef's for KLD_MODULE sanity +do mapping of ICMP sequence id#'s in pings -NAT fastroute'd packets which come out of return-* +allow default age for NAT entries to be set per NAT rule -fix upper/lower case crap in ftp proxy and get seq# checking fixed up. 
+provide round robin selection of destination addresses for redirect -3.4.7 08/07/2000 - Released +ipmon can load a configuration file with instructions on actions +to take when a matching log entry is received -make "ipf -y" lookup NAT if's which are unknown +now requires pfil to work on Solaris & HP-UX -prepend line numbers to ioctl error messages in ipf/ipnat +supports mapping outbound connections to a specific address/port -don't apply patches to FreeBSD twice +support toggling of logging per ipfilter 'device' -allow for ip_len to be on an unaligned boundary early on in fr_precheck +use queues to expire data rather than lists -fix printing of icmp code when it is 0 +add MSN RPC proxy -correct printing of port numbers in map rules with from/to +add IRC proxy -don't allow fr_func to be called at securelevel > 0 or rules to be added -if securelevel > 0 if they have a non-zero fr_func. +support rules with dynamic ip addresses -3.4.6 11/06/2000 - Released +add ability to define a pool of addresses & networks which can then +be placed in a single rule -add extra regression tests for new nat functionality +support passing entire packet back to user program for authentication -place restrictions on using '!' in map/rdr rules +support master/slave for state information sharing -fix up solaris compile problems +reorganise generic code into a lib directory and make libipf.a -3.4.5 10/06/2000 - Released +user programs enforce version matching with the kernel -mention -sl in ipfstat.8 +supports window scaling if seen at TCP session setup -fix/support '!' in from/to rules (rdr) for NAT +generates C code from filter rules to compile in or load as native +machine code. 
-add from/to support to rdr NAT rules +supports loading rules comprised of BPF bytecode statements -don't send ICMP errors in response to ICMP errors +HP-UX 11 port completed -fix sunos5 compilation for "ipfstat-top" and cleanup ipfboot +and packets-per-second filtering -input accounting list used for both outbound and inbound packets +add numerical tags to rules for filtering and display in ipmon output -3.4.4 23/05/2000 - Released +3.4.4 23/05/2000 - Released don't add TCP state if it is an RST packet and (attempt) to send out RST/ICMP packets in a manner that bypasses IP Filter. add patch to work with 4.0_STABLE delayed checksums -3.4.3 20/05/2000 - Released +3.4.3 20/05/2000 - Released fix ipmon -F -- cgit v1.1
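Review bot: the commit message only says "import ipfilter 4.1.8", but the 4.1.8 and 4.1.7 entries added in this hunk record kernel-facing fixes that deserve a mention in the merge notes: "UDP doesn't pullup enough data which can sometimes cause a panic", the SIOCSTPUT limits ("impose some limits on the size of data that can be moved with SIOCSTPUT in the NAT code and also prevent a duplicate session entry from being created") and "nuke all interface pointers in SIOCSTPUT to prevent bad data being loaded from userspace". Because the same hunk deletes every 3.4.5 through 3.4.35 entry, anyone comparing the previous vendor state (whose top entry was 3.4.35) with this one has only this file to go on, so a one-line summary of those items in the commit message would help. Two smaller issues in the added text are upstream's and should be reported there rather than edited in the vendor branch: the orphan line "response to CWDs" in the 4.1.5 block reads as a fragment left over from the preceding ftp proxy item, and 4.1.5 and 4.1.4 both carry the date "9 January 2005", while the retained 3.4.4 and 3.4.3 lines still use the older "DD/MM/YYYY - Released" date format.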