83.2.1 12/11/97 - Released
9
10port to BSD/OS 3.0
11
12port to Linux 2.0.31
13
14patches to make "map a/m -> 0/0" work with ftp proxying properly - Marc Boucher
15
16add "ipf -F s" and "ipf -F S" to flush state table entries.
17
18announce if logging is on or off when ip filter initializes.
19
20"ipf -F a" doesn't flush groups properly for Solaris.
21
223.2 30/10/97 - Released
23
24ipnat doesn't successfully remove proxy mappings with "-rf" -
25Alexander Romanyu
26
27use K&R C function style for solaris kernel code
28
29use m_adj() to decrease packet size in ftp proxy
30
31use mbufchainlen rather than msgdsize,
32IRIX update - Marc Boucher
33
34fix NetBSD modunload bug (pfil_add_hook done twice)
35
36patches for OpenBSD 2.1 - Craig Bevins <craigb@bitcom.net.au>
37
383.2beta10 24/10/97 - Released
39
40fix fragment table entries allocated for NAT.
41
42fix tcp checksum calculations over mbuf/mblk boundaries
43
44fix panic for blen < 0 in ftp kernel proxy - marc boucher
45
46fix flushing of rules which have been grouped.
47
483.2beta9 20/10/97 - Released
49
50some nit picking on solaris2 with SUNWspro - Michael Lyle <mrl@rpnet.net>
51
52ftp kernel proxy patches from Marc Boucher
53
543.2beta8 13/10/97 - Released
55
56add support for passing ICMP errors back through NAT.
57
58IRIX port update - Marc Boucher
59
60calculate correct MIN size of packet to log for UDP - Marc Boucher
61
62need htons(ETHERTYPE_x) on little endian BSD boxes - Dave Huang
63
64copyright header fixups
65
663.2beta7 23/09/97 - Released
67
68fickup problems introduced by prior merges & changes.
69
703.2beta6 23/09/97 - Released
71
72patch for spin-reading race condition - Marc Boucher.
73
74IRIX port by Marc Boucher.
75
76compatibility updates for Linux to ipsend
77
783.2beta5 13/09/97 - Released
79
80patches from Bernd Ernesti for NetBSD integration (mostly prototyping and
81compiler warning things)
82
83ipf -y will resync IP#'s allocated with 0/32 in NAT to match interface if it
84changes.
85
86update manual pages and other documentation updates.
87
883.2beta4 27/8/97 - Released
89
90enable setting IP and TCP options for iplang/
91
92Solaris2 patches from Marc Boucher.
93
94add groups for filter rules.
95
963.2beta3 21/8/97 - Released
97
98patches for Solaris2 (interface panic solution ?): fix FIONREAD and
99replacing q_qinfo points - Marc Boucher <marc@CAM.ORG>
100
101change ipsend/* and ipsd/* copyright notices to be the same as ip filter's
102
103patch for SYN-ACK skew testing fix from Eric V. Smith <EricSmith@windsor.com>
104
1053.2beta2 6/8/97 - Released
106
107make it load on Solaris 2.3
108
109rewrote logging to remove solaris errors, introduced checking to see if the
110same packet is logged successively.
111
112fix filter cache to work when there are no rules loaded.
113
114add "raw" option to ipresend to send entire ethernet frames.
115
116nat list corruption bug - NetBSD - Klaus Klein
117
1183.2beta1 5/7/97 - Released
119
120patches from Jason Thorpe fixing: UNSIGNED_CHAR lossage, off_t being 64bits
121lossage, and other NetBSD bits.
122
123NetBSD 1.2G update.
124
125fixup fwtk patches and add protocol field for SIOCGNATL.
126
127rdr bugs reported by Alexander Romanyu (alexr@aix.krid.crimea.ua), with
128fixes:
129* rdr matched all packets of a given protocol (ignored ports).
130* severe bug in nat_delete which caused system crash/freeze.
131
132change Makefile so that CC isn't passed on for FreeBSD/NetBSD (will use
133the default CC - cc, not gcc)
134
1353.2alpha9 16/6/97 - Released
136
137added "skip" keyword.
138
139implement preauthentication of packets, as outlined by Guido.
140
141Make it compile as cleanly as possible with -Wall & general code cleanup
142
143getopt returns int, not char. Bernd Ernesti
144
1453.2alpha8 13/6/97 - Released
146
147code added to support "auth" rules which require a user program to allow them
148through. First revision and much of the code came from Guido.
149
150hex output from ipmon doesn't goto syslog when recovering from out of sync
151error. Luke Mewburn (lukem@connect.com.au)
152
153fix solaris2.6 lookup of destination ire's.
154
155ipnat doesn't throw away unused bits (after masking), causing it to
156behave incorrectly. Carson Gaspar
157
158NAT code doesn't include inteface name when matching - Alexey Mavrin
159<lha@elco.spb.ru>
160
161replace old SunOS tcpip.h with new tcpip.h (from 4.4BSD) - Jason Thorpe.
162
163update install procedures to include ip_proxy.c
164
165mask out unused bits in NAT/RDR rules.
166
167use a generic type (u_32_t) for 32bit variables, rather than rely on
168u_long being such - Jason Thorpe.
169
170create a local "netinet" directory and include from ~netinet/*" rather than
171just "*" to make keeping the code working on ports easier.
172
173add an m_copydata and m_copyback for SunOS4 (based on 4.4BSD-Lite versions)
174
175documentation updates.
176
177NetBSD update from Jason Thorpe <thorpej@netbsd.org>
178
179allow RST's through with a matching SEQ # and 0 ACK. Guido Van Rooij
180
181ipmon uses excessive amounts of CPU on Solaris2 - Reinhard Bertram
182<Reinhard.Bertram@KOM.th-darmstadt.de>
183 |
1843.2alpha7 25/5/97 - Released
185
186add strlen for pre-2.2 kernels - Doug Kite <dkite@websgi.icomnet.com>
187
188setup bits and pieces for compiling into a FreeBSD-2.2 kernel.
189
190split up "bsd" targets. Now a separate netbsd/freebsd/bsd target.
191mln_ipl.c has been split up into itself and mlf_ipl.c (for freebsd).
192
193fix (negative) host matching in filtering.
194
195add sysctl interface for some variables when compiled into FreeBSD-2.2 kernels
196or later.
197
198make all the candidates for kernel compiling include "netinet/..." and build
199a subdirectory "netinet" when compiling and symlink all .h files into this.
200
201add install make target to Makefile.ipsend
202
2033.2alpha6 8/5/97 - Released
204
205Add "!" (not) to hostname/ip matching.
206
207Automatically add packet info to the fragment cache if it is a fragment
208and we're translating addreses for.
209
210Automatically add packet info to the fragment cache if it is a fragment
211and we're "keeping state" for the packet.
212
213Solaris2 patches - Anthony Baxter (arb@connect.com.au)
214
215change install procedure for FreeBSD 2.2 to allow building to a kernel
216which is different to the running kernel.
217
218add FIONREAD for Solaris2!
219
220when expiring NAT table entries, if we would set a time to fr_tcpclosed
221(which is 1), make it fr_tcplaskack(20) so that the state tables have a
222chance to clear up.
223
2243.2alpha5
225
226add proxying skeleton support and sample ftp transparent proxy code.
227
228add printfs at startup to tell user what is happening.
229
230add packets & bytes for EXPIRE NAT log records.
231
232fix the "install-bsd" target in the root Makefile. Chris Williams
233<psion@mv.mv.com>
234
235Fixes for FreeBSD 2.2 (and later revs) to prevent panics. Julian Assange.
236
2373.2alpha4 2/4/97 - Released
238
239Some compiler warnings cleaned up.
240
241FreeBSD-2.2 patches for LKM completed.
242
2433.2alpha3 31/3/97 - Released
244
245ipmon changes: -N for reading NAT logfile, -S for reading state logfile.
246-a for reading all. -n now toggles hostname resolution.
247
248Add logging of new state entries and expiration of old state entries.
249count log successes and failures.
250
251Add logging of new NAT entries and expiration of old NAT entries.
252count log successes and failures.
253
254Use u_quad_t for records of bytes & packets where kept
255(IP Accounting: fr_hits, fr_bytes; IP state: is_pkts, is_bytes).
256
257Fixup use of CPU and DCPU in Makefiles.
258
259Fix broken 0/32 NAT mapping. Carl Makin <cmakin@nla.gov.au>
260
2613.2alpha2
262
263Implement mapping to 0/32 as being an alias for automatically using the
264interface's first IP address.
265
266Implement separate minor devices for both NAT and IP state code.
267
268Fully prototype all functions.
269
270Fix Makefile problem due to attempt to fix Sun compiling problems.
271
2723.1.10 23/3/97 - Released
273
274ipfstat -a requires a -i or -o command line option too. Print an error
275when not present rather than attempt to do something.
276
277patch updates for SunOS4 for kernel compiling.
278patch for ipmon -s (flush's syslog file which isn't good). Andrew J. Schorr
279<schorr@ead.dsa.com>
280
281too many people hit their heads hard when compiling code into the kernel
282that doesn't let any packets through. (fil.c - IPF_NOMATCH)
283
284icmp-type parsing doesn't return any errors when it isn't constructed
285correctly. Neil Readwin
286
287Using "-conf" with modload on SunOS4 doesn't work.
288Timothy Demarest <demarest@arraycomm.com>
289
290Need to define ARCH in makefile for SunOS4 building. "make sunos4"
291in INSTALL.SunOS is incorrect. James R Grinter <jrg@blodwen.demon.co.uk>
292[all SunOS targets now run buildsunos]
293
294NAT lookups are still incorrect, matching non-TCP/UDP with TCP/UDP
295information. ArkanoiD <ark@paranoid.convey.ru>
296
297Need to check for __FreeBSD_version being 199511 rather than 199607
298in mln_ipl.c. Eric Feillant <Eric.Feillant@EUnet.fr>
299
3003.1.9 8/3/97 - Released
301
302fixed incorrect lookup of active NAT entries.
303
304patch for ip_deq() wrong for pre 2.1.6 FreeBSD.
305fyeung@fyeung8.netific.com (Francis Yeung)
306
307check for out with return-rst/return-icmp at wrong place - Erkki Ritoniemi
308(erkki@vlsi.fi)
309
310text_readip returns the interface pointer pointing to text on stack -
311Neil Readwin
312
313fix from Pradeep Krishnan for printout rules "with not opt sec".
314
3153.1.8 18/2/97 - Released
316
317Diffs for ip_output.c and ip_input.c updated to fix bug with fastroute and
318compiling warnings about reuse of m0.
319
320prevent use of return-rst and return-icmp with rules blocking packets going
321out, preventing panics in certain situations.
322
323loop forms in frag cache table - Yury Pshenychny <yura@rd.zgik.zaporizhzhe.ua>
324
325should use SPLNET/SPLX around expire routines in NAT/frag/state code.
326
327redeclared malloc in 44arp.c -
328
3293.1.7 8/2/97 - Released
330
331Macros used for ntohs/htons supplied with gcc don't always work very well
332when the assignment is the same variable being converted.
333
334Filter matching doesn't not match rule which checks tcp flags on packets
335which are fragments - David Wilson
336
3373.1.7beta 30/1/97 - Released
338
339Fix up NAT bugs introduced in last major change (now tested), including
340nat_delete(), nat_lookupredir(), checksum changes, etc.
341
3423.1.7alpha 30/1/97 - Released
343
344Many changes to NAT code, including contributions from Laurent Joncheray
345<lpj@ans.net>
346
347Use "NO_SLEEP" when allocating memory under SunOS.
348
349Make kernel printf's nicer for BSD/SunOS4
350
351Always do a checksum for packets being filtered going out and being
352processed by fastroute.
353
354Leave kernel to play with cdevsw on *BSD systems with LKM's.
355
356ipnat.1 man page fixes.
357
3583.1.6 21/1/97 - Released
359
360Allow NAT to work on BSD systems in conjunction with "pass .. to ifname"
361
362Memory leak introduced in 3.1.3 in NAT lists, clearing of NAT table tried
363to free memory twice.
364
365NAT recalculates IP header checksum based on difference between IP#'s and
366port numbers - should be just IP#'s (Solaris2 only)
367
3683.1.5 13/1/97 - Released
369
370fixed setting of NAT timeouts and use different timeouts for concurrent
371TCP sessions using the same IP# mapping (when port mapping isn't used)
372
373multiple loading/unloading of LKM's doesn't clean up cdevsw properly for
374*BSD systems.
375
3763.1.4 10/1/97 - Released
377
378add command line options -C and -F to ipnat to flush NAT list and table
379
380ipnat -l loops on output - Neil Readwin (nreadwin@nysales.micrognosis.com)
381
382NetBSD/FreeBSD kernel malloc changes - Daniel Carosone
383
3843.1.3 10/1/97 - Released
385
386NAT chains not constructed correctly in hash tables - Antony Y.R Lu
387(antony@hawk.ee.ncku.edu.tw)
388
389Updated INSTALL.NetBSD, INSTALL.FreeBSD and INSTALL.Sol2
390
391man page update (ipf.5) from Daniel Carosone (dan@geek.com.au)
392
393ICMP header checksum update now included in NAT.
394
395Solaris2 needs to modify IP header checksums in ip_natin and ip_natout.
396
3973.1.2 4/12/96 - Released
398
399ipmon doesn't use syslog all the time when given -s option
400
401fixed mclput panic in ip_input.c and replace ntohs() with NTOHS() macro
402
403check the results of hostname resolution in ipnat
404
405"make *install" fixed for subdirectories.
406
407problems with "ARCH:=" and gnu make resolved
408
409parser reports an error for lines with whitespaces only rather than skipping
410them. D.Carosone@abm.com.au (Daniel Carosone)
411
412patches for integration into NetBSD-current (post 1.2).
413
414add an option to allow non-IP packets going up/down the stream on Solaris2
415to be dropped. John Bass.
416
4173.1.2beta 21/11/96 - Released
418
419make ipsend compile on Linux 2.0.24
420
421changes to TCP kept state algorithm, making it watch state on TCP
422connections in both directions. Also use the same algorithm for NAT TCP.
423
424-Wall cleanup - Bernd Ernesti
425
426added "or-block" for "pass .. log or-block" after a suggestion from
427David Oppenheim (davido@optimation.com.au)
428
429added subdirectories for building IP Filter in SunOS5/BSD for different
430cpu architecures
431
432Solaris2 fixes to logging and pre-filtering packet processing - 3.1.1p2
433
434mbuf logging not using mtod(), remove iplbusy - 3.1.1p1 1/11/96
435
4363.1.1 28/10/96 - Released
437
438Installation script fixes and deinstall scripts for IP Filter on:
439SunOS4/FreeBSD/NetBSD
440
441Man page fixes - Paul Dubois (dubois@primate.wisc.edu)
442
443Fix use of SOLARIS macro in ipmon, rewrote ipllog() (again!)
444
445parsing isn't completely case insensitive - David Wilson
446(davidw@optimation.com.au)
447
448Release ipl_mutex across uiomove() calls
449
450print entire rule entries out for "ipf -z" when zero'ing per-rule stats.
451
452ipfstat returns same output for "hits" in "ipfstat -aio" - Terletsky Slavik
453(ts@polynet.lviv.ua)
454
455New algorithm for setting timeouts for TCP connection (more closely follow
456TCP FSM) - Pradeep Krishnan (pkrishna@netcom.com)
457
458Track both window sizes for TCP connections through "keep state".
459
460Solaris2 doesn't like _KERNEL defined in stdargs.h - Jos van Wezel
461(wezel@bio.vu.nl)
462
4633.1.1-beta2 6/10/96 - Released
464
465Solaris2 fastroute/dup-to/to now works
466
467ipmon `record' reading rewritten
468
469Added post-NetBSD1.2 packet filter patches - Mathew Green (mrg@eterna.com.au)
470
471Attempt to use in_proto.c.diff, not "..diffs" for SunOS4 - David Wilson
472(davidw@optimation.com.au)
473
474Michael Ryan (mike@NetworX.ie) reports the following:
475* The Trumpet WinSock under Windows always sends its SYN packet with an ACK
476 value of 1, unlike any other implementation I've seen, which would set it
477 to zero. The "keep state" feature of IP Filter doesn't work when receiving
478 non-zero ACK values on new connection requests.
479* */Makefile install rule doesn't install all the binaries/man pages
480* Make ipnat use "tcp/udp" instead of "tcpudp"
481* Print out "tcp/udp" properly
482* ipnat "portmap tcp" matches "portmap udp" when adding/removing
483* NAT dest. ip# increased by one on mask of 0xffffffff when it shouldn't
484
4853.1.1-beta 1/9/96 - Released
486
487add better detection of TCP connections closing to TCP state monitoring.
488
489fr_addstate() not called correctly for fragments. "keep state" and
490"keep frag" code don't work together 100% - Songqing Cai
491(songqing_cai@sterling.com)
492
493call to fr_addstate() incorrect for adding state in combination with keeping
494fragment information - Songqing Cai (songqing_cai@sterling.com)
495
496KFREE() passed fp (incorrect) and not fr (correct) in ip_frag.c - John Hood
497(cgull@smoke.marlboro.vt.us)
498
499make ipf parser recognise '\\' as a `continued line' marker - Dima Ruban
500(dima@best.net)
501
5023.1.1-alpha 23/8/96 - Released
503
504kernel panic's when ICMP packets go through NAT code
505
506stats aren't zero'd properly with ipf -Z
507
508ipnat doesn't show port numbers correctly all the time and also add the
509protocol (tcp/udp/tcpudp) to rdr output - Carson Gaspar (carson@lehman.com)
510
511fast checksum fixing not 100% - backout patch - Bill Dorsey (dorsey@lila.com)
512
513NetBSD-1.2 patches from - VaX#n8 <vax@linkdead.paranoia.com>
514
515Usage() call error in fils.c - Ajay Shekhawat (ajay@cedar.buffalo.edu)
516
517ip_optcopy() staticly defined in ip_output.c in SunOS4 - Nick Hall
518(nrh@tardis.ed.ac.uk)
519
5203.1.0 7/7/96 - Released
521
522Reformatted ipnat output to be compatible with it's input, so that
523"ipnat -l | ipnat -rf -" is possible.
524
5253.1.0beta 30/6/96 - Released
526
527NetBSD-1.2 patches from Greg Woods (woods@most.weird.com)
528
529kernel module must not be installed stripped (Solaris2), as created by
530"make package" for Solaris2 - Peter Heimann
531(peter@i3.informatik.rwth-aachen.de)
532
5333.1.0alpha 5/6/96 - Released
534
535include examples in package for solaris2
536
537patches for removing an extra ip header checksum (FreeBSD/NetBSD/SunOS)
538
539removed trailing space from printouts of rules in ipf.
540
541ipresend supports the same range of inputs that ipftest does.
542
543sending a duplicate copy of a packet to another network devices is now
544supported. ("dup-to")
545
546sending a packet to an arbitary interface is now supported, irrespective
547of its actual route, with no ttl decrement. Can also be routed without
548the ttl being decremented. ("to" and "fastroute").
549
550"call" option added to support calling a generic function if a packet is
551matched.
552
553show all (upto 4) recorded bytes from the interface name in logging from
554ipmon.
555
556support for using unix file permissions for read/write access on the device
557is now in place.
558
559recursive mutex in nat_new() for Solaris 2.x - Per L. Hagen <per@stibo.dk>
560
561ipftest doesn't call initparse() for THISHOST - Catherine Allen
562(cla@connect.com.au)
563
564Man page corrections from Rex Bona (rex@pengo.comsmiths.com.au)
565
5663.0.4 10/4/96 - Released
567
568looop in `parsing' IP packets with optlen 0 for ip options.
569
570rule number not initialized and resulted in unexpected results for state
571maching.
572
573option parsing and printing bugs - Pradeep Krishnan
574
5753.0.4beta 25/3/96 - Released
576
577wouldn't parse "keep flags keep state" correctly.
578
579SunOS4.1.x ip_input.c doesn't recognise all 1s broadcast address - Nigel Verdon
580
581patches for BSDI's BSD/OS 2.1 and libpcap reader on little endian systems
582from Thorsten Lockert <tholo@tetherless.com>
583
584b* functions in fil.c on Solaris 2.4
585
5863.0.3 17/3/96 - Released
587
588added patches to support IP Filter initialisation when compiled into the
589kernel.
590
591added -x option to ipmon to display hex dumps of logged packets.
592
593added -H option to ipftest to allow ascii-hex formatted input to specify
594arbitary IP packets.
595
596Sending TCP RSTs as a response now work for Solaris2 x86
597
598add patches to make IP Filter compile into NetBSD kernels properly.
599
600patch to stop SunOS 4.1.x kernels panicing with "data traps".
601
602ipfboot script unloads and reloads ipf module on Solaris2 if it is already
603loaded into the kernel.
604
605Installation of IP Filter as a Solaris2 package is now supported.
606
607Man pages for ipnat.4, ipnat.5 added.
608
609added some more regression tests and fixed up IP Filter to pass the new tests
610(previous versions failed some of the tests in set 12).
611
612IP option filter processing has changed so that saying "with opt lsrr" will
613check only for that one, but not mask out other options, so a packet with
614strict source routing, along with loose source routing will match all of
615"with opt lsrr", "with opt ssrr" and "with opt lsrr,ssrr".
616
617IPL_NAME needed in ipnat.c - Kelly (kelly@count04.mry.scruznet.com)
618
619patches for clean NetBSD compilation from Bernd Ernesti (bernd@arresum.inka.de)
620
621make install is incorrect - Julian Briggs (julian@lightwork.co.uk)
622
623strtol() returns 0x7fffffff for all negative numbers,
624printfr() generates incorrect output for "opt sec-class *",
625handling of "not opt xxx opt yyy" incorrect.
626- Minh Tonthat (minht@sbei.com)/Pradeep Krishnan (pradeepk@sbei.com)
627
628m_pullup() called only for input and not output; caused problems
629with filtering icmp - Nigel Verdon (verdenn@gb.swissbank.com)
630
631parsing problem for "port 1" and NetBSD patches incorrect -
632Andreas Gustafsson (gson@guava.araneus.fi)
633
6343.0.2 4/2/96 - Released
635
636Corrected bug where NAT recalculates checksums for fragments.
637
638make NAT recalculate UDP checksums (rather than setting them to 0),
639if they're non-zero.
640
641DNS patches - Real Page (Real.Page@Matrox.com)
642
643alteration of checksum recalculations in NAT code and addition of
644redirection with NAT - Mike Neuman
645
646core dump, if tcp/udp is used with a port number and not service name,
647in ipf - Mike Neuman (mcn@engarde.com)
648
649initparse() call, missing to prime "<thishost>" hook - Craig Bishop
650
6513.0.1 14/1/96 - Released
652
653miscellaneous patches for Solaris2
654
6553.0 14/1/96 - Released
656
657Patch included for FDDI, from Richard Ohnemus
658(Richard_Ohnemus@dallas.csd.sterling.com)
659
660Code cleanup for release.
661
6623.0beta4 10/1/96
663
664recursive mutex in ipfr_slowtimer fixed, reported by Craig Bishop
665
666recursive mutex in sending TCP RSTs fixed, reported by Tony Becker
667
6683.0beta3 9/1/96
669
670FIxup for Solaris2.5 install and interface name bug in ipftest from
671Julian Briggs (julian@lightwork.co.uk)
672
673Byte order patches for ipmon from Tony Becker (tony@mcrsys.com)
674
6753.0beta2 7/1/96
676
677Added the (somewhat warped) IP accounting as it exists in ipfw on FreeBSD.
678Note, this isn't really what one would call IP account, when compared to
679process accounting, sigh.
680
681Split up ipresend into iptest/ipresend/ipsend
682
683Added another m_pullup() inside fr_check() for BSD style kernels and
684added some checks to ipllog() to not log more than is present (for short
685packets).
686
687Fixed bug where failed hostname/netname resolution goes undetecte and
688becomes 0.0.0.0 (any) (reported Guido van Rooij)
689
6903.0beta 11/11/95 - Released
691
692Rewrote the way rule testing is done, reducing the number of files needed and
693generated.
694
695SIOCIPFFL was incorrectly affected by IPFILTER_LOG (Mathew Green)
696
697Patches from Guido van Rooij to fix sending back TCP RSTs on Net-2/Net-3
698BSD based Unixes (panic'd)
699
700Patches for FreeBSD/i86 ipmon from Riku Kalinen <riku@tequila.nixu.fi>
701(I think someone else already told me about these but they got lost :-/)
702
703Changed Makefile structure to build object files for different operating
704systems in separate directories by default.
705
706BSDI has ef0 for first ethernet interface
707
708Allow for a "not" operator before optional keywords.
709
710The "rule number" was being incorrectly incremented every time it went through
711the loop rather than when it matched a rule.
712
7132.8.2 24/10/95 - Released
714
715Fixed up problems with "textip" for doing lots of testing.
716
717Fixed bug in detection of "short" tcp/ip packets (all reported as being short).
718
719Solaris 2.4 port now works 100%.
720
721Man page errors reported and fixed.
722
723Removed duplicate entry in etc/services for login on port 49 (Craig Bishop).
724
725Fixed ipmon output to put a space after the log-letter.
726
727Patch from Guido van Rooij to fix parsing problem.
728
7292.8.1 15/10/95 - Released
730
731Added ttl and tos filtering.
732
733Patches for fixing up compilation and port problems (little endian)
734from Guido van Rooij <guido@IAEhv.nl>.
735
736Man page problems reported and fixed by Carson Gaspar <carson@lehman.com>.
737
738ipsend doesn't compile properly on Solaris2.4
739
740Lots of work done for Solaris2.4 to make it MT/MP safe and work.
741
7422.8 15/9/95 - Released
743
744ipmon can now send messages to syslogd (-s) and use names instead of
745numbers (-N).
746
747IP packets are now "compiled" into a structure only containing filterable
748bits.
749
750Added regression testing in the test/ subdirectory, using a new option
751(-b) with the ipftest program.
752
753Added "nomatch" return to filter results. These are counted and show
754up in reports from ipfstat.
755
756Moved filter code out of ip_fil.c and into fil.c - there is now only one
757instance of it in the package.
758
759Added Solaris 2.4 support.
760
761Added IPSO basic security option filtering.
762
763Added name support for filtering on all 19 named IP options.
764
765Patches from Ivan Brawley to log packet contents as well as packet headers.
766
767Update for sun/conf.c.diff from Ivan Brawley <ibrawley@awadi.com.AU>
768
769Added patches for FreeBSD 1, and added two new switches (-E, -D) to ipf,
770along with a new ioctl, SIOCFRENB.
771From: Dieter Dworkin Muller <dworkin@village.org>
772
7732.7.3 31/7.95 - Released
774
775Didn't compile cleanly without IPFILTER_LOG defined (Mathew Green).
776
777ipftest now deals with tcpdump3 binary output files (from libpcap) with -P.
778
779Brought ipftest program upto date with actual filter code.
780
781Filter would cause a match to occur when it wasn't meant to if the packet
782had short headers and was missing portions that should have been there.
783Err, it would rightly not match on them, but their absence caused a match
784when it shouldn't have been.
785
7862.7.2 26/7/95 - Released
787
788Problem with filtering just SYN flagged packets reported by
789Dieter Dworkin Muller <dworkin@village.org>. To solve this
790problem, added support for masking TCP flags for comparison "flags X/Y".
791
7922.7.1 9/7/95 - Released
793
794Added ip_dirbroadcast support for Sun ip_input.c
795
796Fixed up the install scripts for FreeBSD/NetBSD to recognise where they are
797better.
798
7992.7 7/7/95 - Released
800
801Added "return-rst" to return TCP RST's to TCP packets.
802
803Actually ported it to FreeBSD-i386 2.0.0, so it works there properly now.
804
805Added insertion of filter rules. Use "@<#>" at the beginning of a filter
806to insert a rule at row #.
807
808Filter keeps track of how many times each rule is matched.
809
810Changed compile time things to match kernel option (IPFILTER_LKM &
811IPFILTER_LOG).
812
813Updated ip_input.c and ip_output.c with paches for 3.5 Multicast IP.
814(No change required for 3.6)
815
816Now includes TCP fragments which start inside the TCP header as being short.
817Added counting the number of times each rule is matched.
818
819
8202.6 11/5/95 - Released
821
822Added -n option to ipf: when supplied, no changes are made to the kernel.
823
824Added installation scripts for SunOS 4.1.x and NetBSD/FreeBSD/BSDI.
825
826Rewrote filtering to use a more generic mask & match procedure for
827checking if a packet matches a rule.
828
8292.5.2 27/4/95 - Released
830
831"tcp/udp" and a non-initialised pointer caused the "proto" to become
832a `random' value; added "ip#/dotted.mask" notation to the BNF.
833From Adam W. Feigin <feigin@iis.ee.ethz.ch>
834
8352.5.1 22/3/95 - Released
836
837"tcp/udp" had a strange effect (undesired) on getserv*() functions,
838causing protocol/service lookups to fail. Reported by Matthew Green.
839
8402.5 17/3/95 - Released
841
842Added a new keyword "all" to BNF and parsing of tcpdump/etherfind/snoop
843output through the ipftest program. Suggestions from:
844Michael Ciavarella (mikec@phyto.apana.org.au)
845
846Conflicts occur when "general" filter rules are used for ports and the
847lack of a "proto" when used with "port" matches other packets when only
848TCP/UDP are implied.
849Reported Matthew Green (mrg@fulcom.com.au);
850reported & fixed 6-8/3/95
851
852Added filtering of short TCP packets using "with short" 28/2/95
853(These can possibly slip by checks for the various flags). Short UDP
854or ICMP are dropped to the floor and logged.
855
856Added filtering of fragmented packets using "with frag" 24/2/95
857
858Port to NetBSD-current completed 20/2/95, using LKM.
859
860Added logging of the rule # which caused the logging to happen and the
861interface on which the packet is currently as suggested by
862Andreas Greulich (greulich@math-stat.unibe.ch) 10/2/95
863
8642.4 9/2/95 - Released
865Fixed saving of IP headers in ICMP packets.
866
8672.3 29/1/95
868Added ipf -F [in|out|all] to flush filter rule sets (SIOCIPFFL).
869Fixed iplread() and iplsave() with help from Marc Huber.
870
8712.2 7/1/95 - Released
872Added code from Marc Huber <huber@fzi.de> to allow it to allocate
873its own major char number dynamically when modload'ing. Fixed up
874use of <, >, <=, >= and >< for ports.
875
8762.1 21/12/94 - Released
877repackaged to include the correct ip_output.c and ip_input.c *goof*
878
8792.0 18/12/94 - Released
880added code to check for port ranges - complete.
881rewrote to work as a loadable kernel module - complete.
882
8831.1
884added code for ouput filtering as well as input filtering and added support for logging to a simple character device of packet headers.
885
8861.0 22/04/93 - Released
887First release cut.
|