HISTORY revision 110917
1# 2# NOTE: Quite a few patches and suggestions come from other sources, to whom 3# I'm greatly indebted, even if no names are mentioned. 4# 5# Thanks to the Coombs Computing Unit at the ANU for their continued support 6# in providing a very available location for the IP Filter home page and 7# distribution center. 8# 9# Thanks to Hewlett Packard for making it possible to port IP Filter to 10# HP-UX 11.00. 11# 12# Thanks to Tel.Net Media for supplying me with equipment to ensure that 13# IP Filter continues to work on Solaris/sparc64. 14# 15# Thanks to BSDI for providing object files for BSD/OS 3.1 and the means 16# to further support development of IP Filter under BSDI. 17# 18# Thanks to Craig Bishop of connect.com.au and Sun Microsystems for the 19# loan of a machine to work on a Solaris 2.x port of this software. 20# 21# Thanks also to all those who have contributed patches and other code, 22# and especially those who have found the time to port IP Filter to new 23# platforms. 24# 253.4.31 7/12/2002 - Released 26 27Solaris 10 compatibility 28 29fix linking into pfil in NetBSD 30 31fix IRIX 6.2 compatibility 32 33add code to check consistency of fr_checkp/fr_check on non-Solaris 34 35OpenBSD: missing patches for ip6_output.c on OpenBSD 3.2, 36 make LKM work for 3.2 (OpenBSD LKMs now match NetBSD) 37 383.4.30 26/11/2002 - Released 39 40attempt to detect using GNU make and abort if so 41 42OpenBSD 3.2 patches from Stefan Hermes von GMX 43 44add MSS clamping code from NetBSD 45 46correctly display ipv6 output with ipfstat for (accounting) rules 47 48fix problems with ioctl handling for /dev/ipauth 49 50set SYN bit in rcmd fake packet to create back channel 51 52make libpcap reader capable of determining in/out (not in libpcap file) 53and add more DLT types 54 55do not allow redirects to localhost for Solaris in NAT parser 56 57allow return-rst with auth rules 58 59man page corrections 60 61fix for handling ipv6 icmp errors 62 63fix up ipfs command line option processing 64 65only allow processing a ftp 227 response following a PASV command 66 67NetBSD: use poll() and adapt to new cdevsw mechanism 68 69make flushing for just ipv6 things work 70 713.4.29 28/8/2002 - Released 72 73Make substantial changes to the FTP proxy to improve reliability, security 74and functionality. 75 76don't send ICMP errors/TCP RST's in response to blocked proxy packets 77 78fix potential memory leaks when unloading ipfilter from kernel 79 80fix bug in SIOCGNATL handler that did not preserve the expected 81byte order from earlier versions in the port number 82 83set do not fragment flag in generated packets according to system flags, 84where available. 85 86preserve filter rule number and group number in state structure 87 88fix bug in ipmon printing of p/P/b/B 89 90make some changes to the kmem.c code for IRIX compatibility 91 92add code to specifically handle ip.tun* interfaces on Solaris 93 943.4.28 6/6/2002 - Released 95 96Fix for H.323 proxy to work on little endian boxes 97 98IRIX: Update installation documentation 99 add route lock patch 100 101allow use of groups > 65535 102 103create a new packet info summary for packets going through ipfr_fastroute() 104so that where details are different (RST/ICMP errors), the packet now gets 105correctly NAT'd, etc. 106 107fix the FTP proxy so that checks for TCP sequence numbers outside the 108normal offset due to data changes use absolute numbers 109 110make it possible to remove rules in ipftest 111 112Update installing onto OpenBSD and split into two directories: 113OpenBSD-2 and OpenBSD-3 114 115fix error in printout out the protocol in NAT rules 116 117always unlock ipfilter if locking fails half way through in ipfs 118 119fix problems with TCP window scaling 120 121update of man pages for ipnat(4) and ipftest(1) 122 1233.4.27 28/04/2002 - Released 124 125fix calculation of 2's complmenent 16 bit checksum for user space 126 127add mbuflen() to usespace compiles. 128 129add more #ifdef complexity for platform portability 130 131add OpenBSD 3.1 diffs 132 1333.4.26 25/04/2002 - Released 134 135fix parsing and printing of NAT rules with regression tests. 136 137add code to adjust TCP checksums inside ICMP errors where present and as 138required for NAT. 139 140fix documentation problems in instal documents 141 142fix locking problem with auth code on Solaris 143 144fix use of version macros for FreeBSD and make the use of __FreeBSD_version 145override previous hacks except when not present 146 147fix the macros defined for SIOCAUTHR and SIOCAUTHW 148 149fix the H.323 proxy so it no longer panics (multiple issues: re-entry into 150nat_ioctl with lock held on Solaris, trying to copy data from kernel space 151with copyin, unaligned access to get 32bit & 16bit numbers) 152 153use the ip_ttl ndd parameter on Solaris to fill in ip_ttl for packets 154generated by IPFilter 155 156fix comparing state information to delete state table entries 157 158flag packets as being "bad state" if they're outside the window and prevent 159them from being able to cause new state to be created - except for SYN packets 160 161be stricter about what packets match a TCP state table entry if its creation 162was triggered by a SYN packet. 163 164add patches to handle TCP window scaling 165 166don't update TCP state table entries if the packet is not considered to be 167part of the connection 168 169ipfs wasn't allowing -i command line option in getopt 170 171IRIX: fix kvm interface, fix compile warnings, compile the kernel with -O2 172 regardless of user compile, fix the getkflags script to prune down the 173 output more so it is acceptable 174 175change building in Makefiles to create links to the application in $(TOP) 176at the end of "build" rather than when each is created. 177 178update BSD/kupgrade for FreeBSD 179 180l4check wasn't properly closing things when a connection fails 181 182man page updates for ipmon(8) and ipnat(5) 183 184more regression tests added. 185 1863.4.25 13/03/2002 - Released 187 188retain rule # in state information 189 190log the direction of a packet so ipmon gets it right rather than incorrectly 191deriving it from the rule flags 192 193add #ifdef for IPFILTER_LOGSIZE (put options IPFILTER_LOGSIZE=16384 in BSD 194kernel config files to increase that buffer size) 195 196recognise return-* rules differently to block in ipftest 197 198fix bug in ipmon output for solaris 199 200add regression testing for skip rules, logging and using head/group 201 202fix output of ipmon: was displaying large unsigned ints rather than -1 203when no rules matched. 204 205make logging code compile into ipftest and add -l command line option to 206dump binary log file (read with ipmon -f) when it finishes. 207 208protect rule # and group # from interference when checking accounting rules 209 210add regression testing for log output (text) from ipmon. 211 212document -b command line option for ipmon 213 214fix double-quick in Solaris startup script 215 2163.4.24 01/03/2002 - Released 217 218fix how files are installed on SunOS5 219 220fix some minor problems in SunOS5 ipfboot script 221 222by default, compile all OpenBSD tools in 3.0 for IPv6 223 224fix NULL-pointer dereference in NAT code 225 226make a better attempt at replacing the appropriate binaries on BSD systems 227 228always print IPv6 icmp-types as a number 229 230impose some rules about what "skip" can be used with 231 232fix parsing problems with "keep state" and "keep state-age" 233 234Try to read as much data as is in the log device in ipmon 235 236remove some redundant checks when searching for rdr/nat rules 237 238fix bug in handling of ACCT with FTP proxy 239 240increase array size for interface names, using LIFNAMSIZ 241 242include H.323 proxy from QNX 243 2443.4.23 16/01/2002 - Released 245 246Include patches to install IPFilter into OpenBSD 3.0, both for just kernel 247compiles and complete system builds. 248 249Fix bug in automatic flushing of state table which would cause it to hang 250in an infinite loop bug introduced in 3.4.20. 251 252Modify the sample proxy (samples/proxy.c) so that it ads a NAT mapping for 253the outgoing connection to make it look like it comes from the real source. 254 255Only support ICMPv6 with IPv6. 256 257Move ipnat.1 to ipnat.8 258 259Enhance ipmon to print textual ICMP[v6] types and subtypes where possible. 260 261Make it possible to do IPv6 regression testing with ipftest. 262 263Use kvm library for kmem access, rather than trying to do it manually with 264open/lseek/read. 265 266Fix diffs for ip_input.c on BSDOS so it doesn't crash with fastroute. 267 268Remove Berkeley advertising licence clause. Reference: 269ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change 270 271Add more regression tests: ICMPv6 neighbour discovery, ICMP time exceeded 272and fragmentation required. 273 274Fix ipfboot script on Solaris to deal with no nameservers or no route to 275them in a clean manner. 276 277Support per-rule set timeouts for non-TCP NAT and state 278 279Add netbios proxy 280 281Add ICMPv6 stateful checking, including handling multicast destination 282addresses for neighbour discovery. 283 284Fix problems with internals of ICMP messages for MTU discovery and 285unreachables not being correctly adjust on little endian boxes. 286 287Add "in-via" and "out-via" to filtering rules grammar. It is now possible 288to bind a rule to both incoming and outgoing interfaces, in both forward 289and reverse directions (4 directions in total). allows for asymetric flows 290through a firewall. 291 292Fix ipfstat and ipnat for working on crash dumps. 293 294Don't let USE_INET6 stay defined for SunOS4 295 296Count things we see for each interface on solaris. 297 298Include <netinet/icmp6.h> when compiling with USE_INET6 defined and 299also include a whole bunch of #define's to make sure the symbols expected 300can be used. 301 302Fix up fastroute on BSD systems. 303 304Make fastrouting work for IPv6 just a bit better. doesn't split up big 305packets into fragments like the IPv4 one does. You can now do a 306"to <if>:<ipv6_addr>" 307 308Remove some of the differences between user-space and kernel-space code 309that is internal to ipfilter. 310 311Call ipfr_slowtimer() after each packet is processed in ipftest to artificially 312create the illusion of passing time and include the expire functions in the 313code compiled for user-space. 314 315Fix issues with the IPSec proxy not working or leading to a system crash. 316 317Junk all processing of SPIs and special handling for ESP. 318 319Add "no-match" as a filter rule action (resets _LAST_ match) 320 321Add hack to workaround problems with Cassini interface cards on 322Solaris and VLANs 323 324Add some protocols to etc/protocols 325 3263.4.22 03/12/2001 - Released 327 328various openbsd changes 329 330sorting based on IP numbers for ipfstat top output 331 332fix various IPv6 code & compile problems 333 334modify ip_fil.c to be more netbsd friendly 335 336fix fastroute bug where it modified a packet post-sending 337 338fix get_unit() - don't understand why it was broken. 339 340add FI_IGNOREPKT and don't count so marked packets when doing stats or 341state/nat. 342 343extend the interface name saved to log output 344 345make proxies capable of extending the matching done on a packet with a 346particular nat session 347 348change interfaces inside NAT & state code to accomodate redesign to allow 349IPsec proxy to work. 350 351fix bug when free'ing loaded rules that results in a memory leak 352(only an issue with "ipf -rf -", not flush) 353 354make ipftest capable of loading > 1 file or rules, making it now possible 355to load both NAT & filter rules 356 357fix hex input for ipftest to allow interface name & direction to work 358 359show ipsec proxy details in ipnat output 360 361if OPT_HEX is set in opts, print a packet out as hex 362 363don't modify b_next or preseve it or preserve b_prev for solaris 364 365fix up kinstall scripts to install all the files everywhere they need to 366 367fix overflowing of bits in ip_off inside iptest 368 369make userauth and proxy in samples directory compile 370 371fix minimum size when doing a pullup for ESP & ICMPv6 372 3733.4.21 24/10/2001 - Released 374 375include ipsec proxy 376 377make state work for non-tcp/udp/icmp in a very simple way 378 379include diffs for ipv6 firewall on openbsd-2.9 380 381add compatibility filter wrapper for NetBSD-current 382 383fix command line option problems with ipfs 384 385if we fill the state table and a automated flush doesn't purge any 386expiring entries, remove all entries idle for more than half a day 387 388fix bug with sending resets/icmp errors where the pointer to the data 389section of the packet was not being set (BSD only) 390 391split out validating ftp commands and responses into different halves, 392one for each of server & client. 393 394do not compile in STATETOP support for specific architectures 395 396fix INSTALL.FreeBSD to no longer provide directions and properly direct 397people to the right file for the right version of FreeBSD. 398 3993.4.20 24/07/2001 - Released 400 401adjust NAT hashing to give a better spread across the table 402 403show icmp code/type names in output, where known 404 405fix bug in altering cached interface names in state when resync'ing 406 407fix bug in real audio proxy that caused crashs 408 409fix compiling using sunos4 cc 410 411patch from casper to address weird exit problem for ipstat in top mode 412 413patch from Greg Woods to produce names for icmp types/unreach codes, 414where they are known 415 416fix bug where ipfr_fastroute() would use a mblk and it would also get 417freed later. 418 419don't match fragments which would cause 64k length to be exceeded 420 421ftp proxy fix for port numbers being setup for pasv ftp with state/nat 422 423change hashing for NAT to include both IP#'s and ports. 424 425Solaris fixes for IPv6 426 427fix compiling iplang bits, under Solaris, for ipsend 428 4293.4.19 29/06/2001 - Released 430 431fix to support suspend/resume on solaris8 as well as ipv6 432 433include group/group-head in match of filter rules 434 435fix endian problem reading snoop files 436 437make all licence comments point to the one place 438 439fix ftp proxy to only advance state if a reply is received in response to 440a recognised command 441 4423.4.18 05/06/2001 - Released 443 444fix up parsing of "from ! host" where '!' is separate 445 446disable hardware checksums for NetBSD 447 448put ipftest temporary files in . rather than /tmp 449 450modify ftp proxy to be more intelligent about moving between states 451and recognise new authentication commands 452 453allow state/nat table sizes to be externally influenced 454 455print out host mapping table for NAT with ipnat -l 456 457fix handling of hardware checksum'ing on Solaris 458 459fixup makefiles for Solaris 460 461update regression tests 462 463fix surrender of SPL's for failure cases 464 465include patches for OpenBSD's new timeout mechanism 466 467default ipl_unreach to ICMP_UNREACH_FILTER_PROHIB if defined, else make it 468ICMP_UNREACH_FILTER 469 470fix up handling of packets matching auth rules and interaction with state 471 472add -q command line option to ipfstat on Solaris to list bound interfaces 473 474add command line option to ipfstat/ipnat to select different core image 475 476don't use ncurses on Solaris for STATETOP 477 478fix includes to get FreeBSD version 479 480do not byte swap ip_id 481 482fix handling success for packets matching the auth rule 483 484don't double-count short packets 485 486add ICMP router discovery message size recognition 487 488fix packet length calculation for IPv6 489 490set CPUDIR when for install-sunos5 make target 491 492SUNWspro -xF causes Solaris 2.5.1 kernel to crash 493 4943.4.17 06/04/2001 - Released 495 496fix fragment#0 handling bug where they could get in via cache information 497created by state table entries 498 499use ire_walk to look for ire cache entries with link layer headers cached 500 501deal with bad SPL assumptions for log reading on BSD 502 503fix ftp proxy to allow logins with passwords 504 505some auth rule patches, fixing byte endian problems and returning as an error 506 507support LOG_SECURITY, where available, in ipmon 508 509don't return an error for packets which match auth rules 510 511introduce fr_icmpacktimeout to timeout entries once an ICMP reply has 512been seen separately to when created 513 5143.4.16 15/01/2001 - Released 515 516fix race condition in flushing of state entries that are timing out 517 518Add TCP ECN patches 519 520log all NAT entries created, not just those via rules 521 5223.4.15 17/12/2000 - Released 523 524add minimum ttl filtering (to be replaced later by return-icmp-as-dest 525for all ICMP packets matching state entries). 526 527fix NAT'ing of fragments 528 529fix sanity checks for ICMPV6 530 531fix up compiling on IRIX 6.2 with IDF/IDL installed 532 5333.4.14 02/11/2000 - Released 534 535cause flushing NAT table to generate log records the same as state flush 536does. 537 538fix ftp proxy port/pasv 539 540fix problem where nat_{in,out}lookup() would release a write lock when it 541didn't need to. 542 543add check for ipf6.conf in Solaris ipfboot 544 5453.4.13 28/10/2000 - Released 546 547fix introduced bug with ICMP packets being rejected when valid 548 549fix bug with proxy's that don't set fin_dlen correctly when calling 550fr_addstate() 551 5523.4.12 26/10/2000 - Released 553 554fix installing into FreeBSD-4.1 555 556fix FTP proxy bug where it'd hang and make NAT slightly more efficient 557 558fix general compiling errors/warnings on various platforms 559 560don't access ICMP data fields that aren't there 561 5623.4.11 09/10/2000 - Released 563 564return NULL for IPv6 access control lists if it is disabled rather than 565random garbage. 566 567fix for getting protocol & packet length for IPv6 packets for pullup. 568 569update plog script from version 0.8 to version 0.10 570 571patch from Frank Volf adding fix_datacksum() to NAT code, enhancing the 572capabilities for "fixing" checksums. 573 5743.4.10 03/09/2000 - Released 575 576merge patch from Frank Volf for ICMP nat handling of TCP/UDP data `errors' 577 578getline() adjusts linenum now 579 580add tcphalfclosed timeout 581 582fill in icmp_nextmtu field if it is defined on the platform 583 584RST generation fix from guido 585 586force 32bit compile for gcc on solaris if it can't generate 64bit code 587 588encase logging when fr_chksrc == 2 in #ifdef IPFILTER_LOG 589 590fix up line wrap problems in plog script 591 592fix ICMP packet handling to not drop valid ICMP errors 593 594freebsd 5.0 compat changes 595 5963.4.9 08/08/2000 - Released 597 598implement new aging mechanism in fr_tcp_age() 599 600fix icmp state checking bug 601 602revamp buildsunos script and build both sparcv7/sparcv9 for Solaris 603if on an Ultra with a 64bit system & compiler (Caseper Dik) 604 605open ipfilter device read only if we know we can 606 607print out better information for ICMP packets in ipmon 608 609move checking for source spoofed packets to a point where we can generate 610logs of them 611 612return EFAULT from ircopyptr/iwcopyptr 613 614don't do ioctl(SIOCGETFS) for auth stats 615 616fix up freeing mbufs for post-4.3BSD 617 618fix returning of inc from ftp proxy 619 620fix bugs with ipfs -R/-W (Caseper Dik) 621 6223.4.8 19/07/2000 - Released 623 624create fake opt_inet6.h for FreeBSD-4 compile as LKM 625 626add #ifdef's for KLD_MODULE sanity 627 628NAT fastroute'd packets which come out of return-* 629 630fix upper/lower case crap in ftp proxy and get seq# checking fixed up. 631 6323.4.7 08/07/2000 - Released 633 634make "ipf -y" lookup NAT if's which are unknown 635 636prepend line numbers to ioctl error messages in ipf/ipnat 637 638don't apply patches to FreeBSD twice 639 640allow for ip_len to be on an unaligned boundary early on in fr_precheck 641 642fix printing of icmp code when it is 0 643 644correct printing of port numbers in map rules with from/to 645 646don't allow fr_func to be called at securelevel > 0 or rules to be added 647if securelevel > 0 if they have a non-zero fr_func. 648 6493.4.6 11/06/2000 - Released 650 651add extra regression tests for new nat functionality 652 653place restrictions on using '!' in map/rdr rules 654 655fix up solaris compile problems 656 6573.4.5 10/06/2000 - Released 658 659mention -sl in ipfstat.8 660 661fix/support '!' in from/to rules (rdr) for NAT 662 663add from/to support to rdr NAT rules 664 665don't send ICMP errors in response to ICMP errors 666 667fix sunos5 compilation for "ipfstat-top" and cleanup ipfboot 668 669input accounting list used for both outbound and inbound packets 670 6713.4.4 23/05/2000 - Released 672 673don't add TCP state if it is an RST packet and (attempt) to send out 674RST/ICMP packets in a manner that bypasses IP Filter. 675 676add patch to work with 4.0_STABLE delayed checksums 677 6783.4.3 20/05/2000 - Released 679 680fix ipmon -F 681 682don't truncate IPv6 packets on Solaris 683 684fix keep state for ICMP ECHO 685 686add some NAT stats and use def_nat_age rather than DEF_NAT_AGE 687 688don't make ftp proxy drop packets 689 690use MCLISREFERENCED() in tandem with M_EXT to check if IP fields need to be 691swapped back. 692 693fix up RST generation for non-Solaris 694 695get "short" flag right for IPv6 696 6973.4.2 - 10/5/2000 - Released 698 699Fix bug in dealing with "hlen == 1 and opt > 1" - Itojun 700 701ignore previous NAT mappings for 0/0 and 0/32 rules 702 703bring in a completely new ftp proxy 704 705allow NAT to cause packets to be dropped. 706 707add NetBSD callout support for 1.4-current 708 7093.4.1 - 30/4/2000 - Released 710 711add ratoui() and fix parsing of group numbers to allow 0 - UINT_MAX 712 713don't include opt_inet6.h for FreeBSD if KLD_MODULE is defined 714 715Solaris must use copyin() for all types of ioctl() args 716 717fix up screen/tty when leaving "top mode" of ipfstat 718 719linked list for maptable not setup correctly in nat_hostmap() 720 721check for maptable rather than nat_table[1] to see if malloc for maptable 722succeeded in nat_init 723 724fix handling of map NAT rules with "from/to" host specs 725 726fix printout out of source address when using "from/to" with map rules 727 728convert ip_len back to network byte order, not plen, for solaris as ip_len 729may have been changed by NAT and plen won't reflect this 730 7313.4 - 27/4/2000 - Released 732 733source address spoofing can be turned on (fr_chksrc) without using 734filter rules 735 736group numbers are now 32bits in size, up from 16bits 737 738IPv6 filtering available 739 740add frank volf's state-top patches 741 742add load splitting and round-robin attribute to redirect rules 743 744FreeBSD-4.0 support (including KLD) 745 746add top-style operation mode for ipfstat (-t) 747 748add save/restore of IP Filter state/NAT information (ipfs) 749 750further ftp proxy security checks 751 752support for adding and removing proxies at runtime 753 7543.3.13 26/04/2000 - Released 755 756Fix parsing of "range" with "portmap" 757 758Relax checking of ftp replies, slightly. 759 760Fix NAT timeouts for ICMP packets 761 762SunOS4 patches for ICMP redirects from Jurgen Keil (jk@tools.de) 763 7643.3.12 16/03/2000 - Released 765 766tighten up ftp proxy behaviour. sigh. yuck. hate. 767 768fix bug in range check for NAT where the last IP# was not used. 769 770fix problem with icmp codes > 127 in filter rules caused bad things to 771happen and in particular, where #18 caused the rule to be printed 772erroneously. 773 774fix bug with the spl level not being reset when returning EIO from 775iplioctl due to ipfilter not being initialized yet. 776 7773.3.11 04/03/2000 - Released 778 779make "or-block" work with lines that start with "log" 780 781fix up parsing and printing of rules with syslog levels in them 782 783fix from Cy Schubert for calling of apr_fini only if non-null 784 785 7863.3.10 24/02/2000 - Released 787 788* fix back from guido for state tracking interfaces 789 790* update for NetBSD pfil interface changes 791 792* if attaching fails and we can abort, then cleanup when doing so. 793 794julian@computer.org: 795* solaris.c (fr_precheck): After calling freemsg on mt, set it point to *mp. 796* ipf.c (packetlogon): use flag to store the return value from get_flags. 797* ipmon.c (init_tabs): General cleanup so we do not have to cast 798 an int s->s_port to u_int port and try to check if the u_int port 799 is less than zero. 800 8013.3.9 15/02/2000 - Released 802 803fix scheduling of bad locking in fr_addstate() used when we attach onto 804a filter rule. 805 806fix up ip_statesync() with storing interface names in ipstate_t 807 808fix fr_running for LKM's - Eugene Polovnikov 809 810junk using pullupmsg() for solaris - it's next to useless for what we 811need to do here anyway - and implement what we require. 812 813don't call fr_delstate() in fr_checkstate(), when compiled for a user 814program, early but when we're finished with it (got fr & pass) 815 816ipnat(5) fix from Guido 817 818on solaris2, copy message and use that with filter if there is another 819copy if it being used (db_ref > 1). bad for performance, but better 820than causing a crash. 821 822patch for solaris8-fcs compile from Casper Dik 823 8243.3.8 01/02/2000 - Released 825 826fix state handling of SYN packets. 827 828add parsing recognition of extra icmp types/codes and fix handling of 829icmp time stamps and mask requests - Frank volf 830 8313.3.7 25/01/2000 - Released 832 833sync on state information as well as NAT information when required 834 835record nat protocol in all nat log records 836 837don't reuse the IP# from an active NAT session if the IP# in the rule 838has changed dynamically. 839 840lookup the protocol for NAT log information in ipmon and pass that to 841portname. 842 843fix the bug with changing the outbound interface of a packet where it 844would lead to a panic. 845 846use fr_running instead of ipl_inited. (sysctl name change on freebsd) 847 848return EIO if someone attempts an ioctl on state/nat if ipfilter is not 849enabled. 850 851fix rule insertion bug 852 853make state flushing clean anything that's not fully established (4/4) 854 855call fr_state_flush() after we've released ipf_state so we don't generate 856a recursive mutex acquisition panic 857 858fix parsing of icmp code after return-icmp/return-icmp-as-dest and add 859some patches to enhance parsing strength 860 8613.3.6 28/12/1999 - Released 862 863add in missing rwlock release in fr_checkicmpmatchingstate() and fix check 864for ICMP_ECHO to only be for packet, not state entry which we don't have yet. 865 866handle SIOCIPFFB in nat_ioctl() and fr_state_ioctl() 867 868fix size of friostat for SunOS4 869 870fix bug in running off the end of a buffer in real audio proxy 871 8723.3.5 11/12/1999 - Released 873 874fix parsing of "log level" and printing it back out too 875 876<net/if_types.h> is only present on Solaris2.6/7/8 877 878use send_icmp_err rather than icmp_error to send back a frag-needed error 879when doing PMTU 880 881do not use -b with add_drv on Solaris unless $BASEDIR is set. 882 883fix problem where source address in icmp replies is reversed 884 885fix yet another problem with real audio. 886 8873.3.4 4/12/1999 - Released 888 889fix up the real audio proxy to properly setup state information and NAT 890entries, thanks to Laine Stump for testing/advice/fixes. 891 892fix ipfr_fastroute to set dst->sin_addr (Sean Farley - appears to prevent 893FreeBSD 3.3 from panic'ing) as this had been removed in prior hacks to this 894routine. 895 896fix kinstall for BSDI 897 898support ICMP errors being allowed through for ICMP packets going out with 899keep state enabled 900 901support hardware checksumming (gigabit ethernet cards) on Solaris thanks to 902Tel.Net Media for providing hardware for testing. 903 904patched from Frank Volf for ipmon (ICMP & fragmented packets) and allowing 905ICMP responses to ICMP packets in the keep state table. 906 907add in patches for hardware checksumming under solaris 908 909Solaris install scripts now use $BASEDIR as appropriate. 910 911add Solaris8 support 912 913fix "ipf -y" on solaris so that it rescans rules also for changes in 914interface pointers 915 916let ipmon become a daemon with -D if it is using syslog 917 918fix parsing of return-icmp-as-dest(foo) 919 920add reference to ipfstat -g to ipfstat.8 921 922ipf_mutex needs to be declared for irix in ip_fil.c 923 9243.3.3 22/10/1999 - Released 925 926add -g command line option to ipfstat to show groups still define. 927 928fix problem with fragment table not recording rule pointer when called 929from state functions (fin_fr not set). 930 931fixup fastroute problems with keep state rules. 932 933load rules into inactive set first, so we don't disable things like NIS 934lookups half way through processing - found by Kevin Littlejohn 935 936fix handling of unaligned ip pointer for solaris 937 938patch for fr_newauth from Rudi Sluijtman 939 940fixed htons() bug in fr_tcpsum() where ip_p wasn't cast to u_short 941 9423.3.2 23/09/1999 - Released 943 944patches from Scott Presnell to fix rcmd proxy 945 946patches from Greg to fix Solaris detachment of interfaces 947 948add openbsd compatibility fixes 949 950fix free'ing already freed memory in ipfr_slowtimer() 951 952fix for deferencing invalid memory in cleaning up after a device disappears 953 9543.3.1 14/8/1999 - Released 955 956remove include file sys/user.h for irix 957 958prevent people from running buildsunos directly 959 960fix up some problems with the saving of rule pointers so that NAT saves 961that information in case it should need to call fr_addstate() from a proxy. 962 963fix up scanning for the end of FTP messages 964 965don't remove /etc/opt/ipf in postremove 966 967attempt to prevent people running buildsolaris script without doing a 968"make solaris" 969 970fix timeout losing on freebsd3 971 9723.3 7/8/1999 - Released 973 974NAT: information (rules, mappings) are stored in hash tables; setup some 975basic NAT regression testing. 976 977display version name of installed kernel code when initializing. 978 979add -V command line option to ipf, showing version (program and kernel 980module) as well as the run-status of the kernel code. 981 982fix problem with "log" rules actually affecting result of filtering. 983 984automatically use SUNWspro if available and on a 64bit Solaris system for 985compiling. 986 987add kernel proxies for rcmd(3) and RealAudio (PNA) 988 989use timeout/untimeout on SunOS4/BSD platforms too rather than hijacking 990ip_slowtimo 991 992fix IP headers generated through parsing of text information 993 994fix NAT rules to be in the correct order again. 995 996make keep-state work with to/fastroute keywords and enforce usage of those 997interfaces. 998 999update keep-state code with new algorithm from Guido 1000 1001add FreeBSD-3 support 1002 1003add return-icmp-as-dest option to retrun an ICMP packet using the original 1004destination as the source rather than a local IP address 1005 1006add "level [facility.]<priority>" option to filter language 1007 1008add changes from Guido to state code. 1009 1010add code to return EPERM if the device is opened for writing and we're 1011in securelevel 2 or greater. 1012 1013authentication code patches from Guido 1014 1015fix real audio proxy 1016 1017fix ipmon rule printing of interfaces and add IN/OUT to the end of ipmon 1018log output. 1019 1020fix bimap rules with hash tables 1021 1022update addresses used in NAT mappings for 0/32 rules for any protocol but TCP 1023if it changes on the interface - check every ip_natexpire() 1024 1025add redirect regression test 1026 1027count buckets used in the state hash table. 1028 1029fix sending of RST's with return-rst to use the ack number provided in 1030the packet being replied to in addition to the sequence number. 1031 1032fix to compile as a 64bit application on solaris7-64bit 1033 1034add NAT IP mapping to ranges of IP addresses that aren't CIDR specified 1035 1036fix calculation of in_space parameter for NAT 1037 1038fix `wrapping' when incrementing the next ip address for use in NAT 1039 1040fix free'ing of kernel memory in ip_natunload on solaris 1041 1042fix -l/-U command line options from interfering with each other 1043 1044fix fastroute under solaris2 and cleanup compilation for solaris7 1045 1046add install scripts and compile cleanly on BSD/OS 4.0 1047 1048safely open files in /tmp for writing device output when testing. 1049 1050fix uninitialized pointer bug in NAT 1051 1052fix SIOCZRLST (zero list rule stats) bug with groups 1053 1054change some usage of u_short to u_int in function calling 1055 1056fix compilation for Solaris7 (SUNWspro) 1057 1058change solaris makefiles to build for either sparc or i386 rather than 1059per-cpu (sun4u, etc). 1060 1061fixed bug in ipllog 1062 1063add patches from George Michaelson for FreeBSD 3.0 1064 1065add patch from Guido to provide ICMP checking for known state in the same 1066manner as is done for NAT. 1067 1068enable FTP PASV proxying and enable wildcarding in NAT/state code for ports 1069for better PORT/PASV support with FTP. 1070 1071bring into main tree static nat features: map-block and "auto" portmapping. 1072 1073add in source host filtering for redirects (alan jones) 1074 10753.2.10 22/11/98 - Released 1076 10773.2.10beta9 17/11/98 - Released 1078 1079fix fr_tcpsum problems in handling mbufs with an odd number of bytes 1080and/or split across an mbuf boundary 1081 1082fix NAT list entry comparisons and allow multiple entries for the same 1083proxy (but on different ports). 1084 1085don't create duplicate NAT entries for repeated PORT commands. 1086 10873.2.10beta8 14/11/98 - Released 1088 1089always exit an rwlock before expecting to enter it again on solaris 1090 1091fix loop in nat_new for pre-existing nat 1092 1093don't setup state for an ftp connection if creating nat fails. 1094 10953.2.10beta7 05/11/98 - Released 1096 1097set fake window in ipft_tx.c to ensure code passes tests. 1098 1099cleaned up/enhanced ipnat -l/ipnat -lv output 1100 1101fixed NAT handling of non-TCP/UDP packets, esp. for ICMP errors returned. 1102 1103Solaris recusive mutex on icmp-error/tcp-reset - requires rwlock's rather 1104than mutexes. 1105 11063.2.10beta6 03/11/98 - Released 1107 1108fix mixed use of krwlock_t and kmutex_t on Solaris2 1109 1110fix FTP proxy back up, splitting pasv code out of port code. 1111 11123.2.10beta5 02/11/98 - Released 1113 1114fixed port translation in ICMP reply handling 1115 11163.2.10beta4 01/11/98 - Released 1117 1118increase useful statistic collection on solaris 1119 1120filter DL_UNITDATA_REQ as well as DL_UNITDATA_IND on solaris 1121 1122disable PASV reply translation for now 1123 1124fail with an error if we try to load a NAT rule with a non-existant 1125 proxy name - Guido 1126 1127fix portmap usage with 0/0 and 0/32 map rules 1128 1129remove ap_unload/ap_expire - automatically done when NAT is cleaned up 1130 1131print "STATE:CLOSED" from ipmon if the connection progresses past established 1132 rather than "STATE:EXPIRED" 1133 11343.2.10beta3 26/10/98 - Released 1135 1136fixed traceroute/nat problem 1137 1138rewrote nat/proxy interface 1139 1140ipnat now lists associated proxy sessions for each NAT where applicable 1141 11423.2.10beta2 13/10/98 - Released 1143 1144use KRWLOCK_T in place of krwlock_t for solaris as well as irix 1145 1146disable use of read-write lock acquisition by default 1147 1148add in mb_t for linux, non-kernel 1149 1150some changes to progress compilation on linux with glibc 1151 1152change PASV as well as PORT when passed through kernel ftp proxy. 1153 1154don't allow window to become 0 in tcp state code 1155 1156make ipmon compile cleaner 1157 1158irix patches 1159 11603.2.10beta 11/09/98 - Released 1161 1162stop fr_tcpsum() thinking it has run out of data when it hasn't. 1163 1164stop solaris panics due to fin_dp being something wild. 1165 1166revisit usage of ATOMIC_*() 1167 1168log closing state of TCP connection in "keep state" 1169 1170fix fake-arp table code for ipsend. 1171 1172ipmon now writes pid to a file. 1173 1174fix "ipmon -a" to actually activate all logging devices. 1175 1176add patches for BSDOS4. 1177 1178perl scripts for log analysis donated. 1179 11803.2.9 22/06/98 - Released 1181 1182fix byte order for ICMP packets generated on Solaris 1183 1184fix some locking problems. 1185 1186fix malloc bug in NAT (introduced in 3.2.8). 1187 1188patch from guido for state connections that get fragmented 1189 11903.2.8 08/06/98 - Released 1191 1192use readers/writers locks in Solaris2 in place of some mutexes. 1193 1194Solaris2 installation enhancements - Martin Forssen (maf@carlstedt.se) 1195 11963.2.7 24/05/98 - Released 1197 1198u_long -> u_32_t conversions 1199 1200patches from Bernd Ernesti for NetBSD 1201 1202fixup ipmon to actually handle HUP's. 1203 1204Linux fixes from Michael H. Warfield (mhw@wittsend.com) 1205 1206update for keep state patch (not security related) - Guido 1207 1208dumphex() uses stdout rather than log 1209 12103.2.6 18/05/98 - Released 1211 1212fix potential security loop hole in keep state code. 1213 1214update examples. 1215 12163.2.5 09/05/98 - Released 1217 1218BSD/OS 3.1 .o files added for the kernel. 1219 1220fix sequence # skew vs window size check. 1221 1222fix minimum ICMP header size check. 1223 1224remove references to Cybersource. 1225 1226fix my email address. 1227 1228remove ntohl in ipnat - Thomas Tornblom 1229 12303.2.4 09/04/98 - Released 1231 1232add script to make devices for /dev on BSD boxes 1233 1234fixup building into the kernel for FreeBSD 2.2.5 1235 1236add -D command line option to ipmon to make it a daemon and SIGHUP causes 1237it to close and reopen the logfile 1238 1239fixup make clean and make package for SunOS5 - Marc Boucher 1240 1241postinstall keeps adding "minor=ipf ipl" - George Ross <gdmr@dcs.ed.ac.uk> 1242 1243protected by IP Filter gif - Sergey Solyanik <solik@atom.ru> 1244 12453.2.3 10/11/97 - Released 1246 1247fix some iplang bugs 1248 1249fix tcp checksum data overrun, sgi #define changes, 1250avoid infinite loop when nat'ing to single IP# - Marc Boucher 1251 1252fixup DEVFS usage for FreeBSD 1253 1254fix sunos5 "make clean" cleaning up too much 1255 12563.2.2 28/11/97 - Released 1257 1258change packet matching to return actual error, if bad packet, to facilitate 1259ECONNRESET for TCP. 1260 1261allow ip:netmask in grammar too now - Guido 1262 1263assume IRIX has u_int32_t in sys/types.h (needed for R10000) 1264 1265rewrite parts of command line options for ipmon 1266 1267fix TCP urgent packet & offset testing and add LAND attack test for iptest 1268 1269fix grammar error in yacc grammar for iplang 1270 1271redirect (rdr) destination port bytes-wapped when it shouldn't be. 1272 1273general: fr_check now returns error code, such as EHOSTUNREACH or 1274ECONNRESET (attempt to make ECONNRESET work for locally outbound 1275packets). 1276 1277linux: enable return-rst, need to filter tcp retransmits which are sent 1278 separately from normal packets 1279 1280memory leak plugged in ip_proxy.c 1281 1282BSDI compatibility patches from Guido 1283 1284tcp checksum fix - Marc Boucher 1285 1286recursive mutex and ioctl param fix - Marc Boucher 1287 12883.2.1 12/11/97 - Released 1289 1290port to BSD/OS 3.0 1291 1292port to Linux 2.0.31 1293 1294patches to make "map a/m -> 0/0" work with ftp proxying properly - Marc Boucher 1295 1296add "ipf -F s" and "ipf -F S" to flush state table entries. 1297 1298announce if logging is on or off when ip filter initializes. 1299 1300"ipf -F a" doesn't flush groups properly for Solaris. 1301 13023.2 30/10/97 - Released 1303 1304ipnat doesn't successfully remove proxy mappings with "-rf" - 1305Alexander Romanyu 1306 1307use K&R C function style for solaris kernel code 1308 1309use m_adj() to decrease packet size in ftp proxy 1310 1311use mbufchainlen rather than msgdsize, 1312IRIX update - Marc Boucher 1313 1314fix NetBSD modunload bug (pfil_add_hook done twice) 1315 1316patches for OpenBSD 2.1 - Craig Bevins <craigb@bitcom.net.au> 1317 13183.2beta10 24/10/97 - Released 1319 1320fix fragment table entries allocated for NAT. 1321 1322fix tcp checksum calculations over mbuf/mblk boundaries 1323 1324fix panic for blen < 0 in ftp kernel proxy - marc boucher 1325 1326fix flushing of rules which have been grouped. 1327 13283.2beta9 20/10/97 - Released 1329 1330some nit picking on solaris2 with SUNWspro - Michael Lyle <mrl@rpnet.net> 1331 1332ftp kernel proxy patches from Marc Boucher 1333 13343.2beta8 13/10/97 - Released 1335 1336add support for passing ICMP errors back through NAT. 1337 1338IRIX port update - Marc Boucher 1339 1340calculate correct MIN size of packet to log for UDP - Marc Boucher 1341 1342need htons(ETHERTYPE_x) on little endian BSD boxes - Dave Huang 1343 1344copyright header fixups 1345 13463.2beta7 23/09/97 - Released 1347 1348fickup problems introduced by prior merges & changes. 1349 13503.2beta6 23/09/97 - Released 1351 1352patch for spin-reading race condition - Marc Boucher. 1353 1354IRIX port by Marc Boucher. 1355 1356compatibility updates for Linux to ipsend 1357 13583.2beta5 13/09/97 - Released 1359 1360patches from Bernd Ernesti for NetBSD integration (mostly prototyping and 1361compiler warning things) 1362 1363ipf -y will resync IP#'s allocated with 0/32 in NAT to match interface if it 1364changes. 1365 1366update manual pages and other documentation updates. 1367 13683.2beta4 27/8/97 - Released 1369 1370enable setting IP and TCP options for iplang/ 1371 1372Solaris2 patches from Marc Boucher. 1373 1374add groups for filter rules. 1375 13763.2beta3 21/8/97 - Released 1377 1378patches for Solaris2 (interface panic solution ?): fix FIONREAD and 1379replacing q_qinfo points - Marc Boucher <marc@CAM.ORG> 1380 1381change ipsend/* and ipsd/* copyright notices to be the same as ip filter's 1382 1383patch for SYN-ACK skew testing fix from Eric V. Smith <EricSmith@windsor.com> 1384 13853.2beta2 6/8/97 - Released 1386 1387make it load on Solaris 2.3 1388 1389rewrote logging to remove solaris errors, introduced checking to see if the 1390same packet is logged successively. 1391 1392fix filter cache to work when there are no rules loaded. 1393 1394add "raw" option to ipresend to send entire ethernet frames. 1395 1396nat list corruption bug - NetBSD - Klaus Klein 1397 13983.2beta1 5/7/97 - Released 1399 1400patches from Jason Thorpe fixing: UNSIGNED_CHAR lossage, off_t being 64bits 1401lossage, and other NetBSD bits. 1402 1403NetBSD 1.2G update. 1404 1405fixup fwtk patches and add protocol field for SIOCGNATL. 1406 1407rdr bugs reported by Alexander Romanyu (alexr@aix.krid.crimea.ua), with 1408fixes: 1409* rdr matched all packets of a given protocol (ignored ports). 1410* severe bug in nat_delete which caused system crash/freeze. 1411 1412change Makefile so that CC isn't passed on for FreeBSD/NetBSD (will use 1413the default CC - cc, not gcc) 1414 14153.2alpha9 16/6/97 - Released 1416 1417added "skip" keyword. 1418 1419implement preauthentication of packets, as outlined by Guido. 1420 1421Make it compile as cleanly as possible with -Wall & general code cleanup 1422 1423getopt returns int, not char. Bernd Ernesti 1424 14253.2alpha8 13/6/97 - Released 1426 1427code added to support "auth" rules which require a user program to allow them 1428through. First revision and much of the code came from Guido. 1429 1430hex output from ipmon doesn't goto syslog when recovering from out of sync 1431error. Luke Mewburn (lukem@connect.com.au) 1432 1433fix solaris2.6 lookup of destination ire's. 1434 1435ipnat doesn't throw away unused bits (after masking), causing it to 1436behave incorrectly. Carson Gaspar 1437 1438NAT code doesn't include inteface name when matching - Alexey Mavrin 1439<lha@elco.spb.ru> 1440 1441replace old SunOS tcpip.h with new tcpip.h (from 4.4BSD) - Jason Thorpe. 1442 1443update install procedures to include ip_proxy.c 1444 1445mask out unused bits in NAT/RDR rules. 1446 1447use a generic type (u_32_t) for 32bit variables, rather than rely on 1448u_long being such - Jason Thorpe. 1449 1450create a local "netinet" directory and include from ~netinet/*" rather than 1451just "*" to make keeping the code working on ports easier. 1452 1453add an m_copydata and m_copyback for SunOS4 (based on 4.4BSD-Lite versions) 1454 1455documentation updates. 1456 1457NetBSD update from Jason Thorpe <thorpej@netbsd.org> 1458 1459allow RST's through with a matching SEQ # and 0 ACK. Guido Van Rooij 1460 1461ipmon uses excessive amounts of CPU on Solaris2 - Reinhard Bertram 1462<Reinhard.Bertram@KOM.th-darmstadt.de> 1463 14643.2alpha7 25/5/97 - Released 1465 1466add strlen for pre-2.2 kernels - Doug Kite <dkite@websgi.icomnet.com> 1467 1468setup bits and pieces for compiling into a FreeBSD-2.2 kernel. 1469 1470split up "bsd" targets. Now a separate netbsd/freebsd/bsd target. 1471mln_ipl.c has been split up into itself and mlf_ipl.c (for freebsd). 1472 1473fix (negative) host matching in filtering. 1474 1475add sysctl interface for some variables when compiled into FreeBSD-2.2 kernels 1476or later. 1477 1478make all the candidates for kernel compiling include "netinet/..." and build 1479a subdirectory "netinet" when compiling and symlink all .h files into this. 1480 1481add install make target to Makefile.ipsend 1482 14833.2alpha6 8/5/97 - Released 1484 1485Add "!" (not) to hostname/ip matching. 1486 1487Automatically add packet info to the fragment cache if it is a fragment 1488and we're translating addreses for. 1489 1490Automatically add packet info to the fragment cache if it is a fragment 1491and we're "keeping state" for the packet. 1492 1493Solaris2 patches - Anthony Baxter (arb@connect.com.au) 1494 1495change install procedure for FreeBSD 2.2 to allow building to a kernel 1496which is different to the running kernel. 1497 1498add FIONREAD for Solaris2! 1499 1500when expiring NAT table entries, if we would set a time to fr_tcpclosed 1501(which is 1), make it fr_tcplaskack(20) so that the state tables have a 1502chance to clear up. 1503 15043.2alpha5 1505 1506add proxying skeleton support and sample ftp transparent proxy code. 1507 1508add printfs at startup to tell user what is happening. 1509 1510add packets & bytes for EXPIRE NAT log records. 1511 1512fix the "install-bsd" target in the root Makefile. Chris Williams 1513<psion@mv.mv.com> 1514 1515Fixes for FreeBSD 2.2 (and later revs) to prevent panics. Julian Assange. 1516 15173.2alpha4 2/4/97 - Released 1518 1519Some compiler warnings cleaned up. 1520 1521FreeBSD-2.2 patches for LKM completed. 1522 15233.2alpha3 31/3/97 - Released 1524 1525ipmon changes: -N for reading NAT logfile, -S for reading state logfile. 1526-a for reading all. -n now toggles hostname resolution. 1527 1528Add logging of new state entries and expiration of old state entries. 1529count log successes and failures. 1530 1531Add logging of new NAT entries and expiration of old NAT entries. 1532count log successes and failures. 1533 1534Use u_quad_t for records of bytes & packets where kept 1535(IP Accounting: fr_hits, fr_bytes; IP state: is_pkts, is_bytes). 1536 1537Fixup use of CPU and DCPU in Makefiles. 1538 1539Fix broken 0/32 NAT mapping. Carl Makin <cmakin@nla.gov.au> 1540 15413.2alpha2 1542 1543Implement mapping to 0/32 as being an alias for automatically using the 1544interface's first IP address. 1545 1546Implement separate minor devices for both NAT and IP state code. 1547 1548Fully prototype all functions. 1549 1550Fix Makefile problem due to attempt to fix Sun compiling problems. 1551 15523.1.10 23/3/97 - Released 1553 1554ipfstat -a requires a -i or -o command line option too. Print an error 1555when not present rather than attempt to do something. 1556 1557patch updates for SunOS4 for kernel compiling. 1558patch for ipmon -s (flush's syslog file which isn't good). Andrew J. Schorr 1559<schorr@ead.dsa.com> 1560 1561too many people hit their heads hard when compiling code into the kernel 1562that doesn't let any packets through. (fil.c - IPF_NOMATCH) 1563 1564icmp-type parsing doesn't return any errors when it isn't constructed 1565correctly. Neil Readwin 1566 1567Using "-conf" with modload on SunOS4 doesn't work. 1568Timothy Demarest <demarest@arraycomm.com> 1569 1570Need to define ARCH in makefile for SunOS4 building. "make sunos4" 1571in INSTALL.SunOS is incorrect. James R Grinter <jrg@blodwen.demon.co.uk> 1572[all SunOS targets now run buildsunos] 1573 1574NAT lookups are still incorrect, matching non-TCP/UDP with TCP/UDP 1575information. ArkanoiD <ark@paranoid.convey.ru> 1576 1577Need to check for __FreeBSD_version being 199511 rather than 199607 1578in mln_ipl.c. Eric Feillant <Eric.Feillant@EUnet.fr> 1579 15803.1.9 8/3/97 - Released 1581 1582fixed incorrect lookup of active NAT entries. 1583 1584patch for ip_deq() wrong for pre 2.1.6 FreeBSD. 1585fyeung@fyeung8.netific.com (Francis Yeung) 1586 1587check for out with return-rst/return-icmp at wrong place - Erkki Ritoniemi 1588(erkki@vlsi.fi) 1589 1590text_readip returns the interface pointer pointing to text on stack - 1591Neil Readwin 1592 1593fix from Pradeep Krishnan for printout rules "with not opt sec". 1594 15953.1.8 18/2/97 - Released 1596 1597Diffs for ip_output.c and ip_input.c updated to fix bug with fastroute and 1598compiling warnings about reuse of m0. 1599 1600prevent use of return-rst and return-icmp with rules blocking packets going 1601out, preventing panics in certain situations. 1602 1603loop forms in frag cache table - Yury Pshenychny <yura@rd.zgik.zaporizhzhe.ua> 1604 1605should use SPLNET/SPLX around expire routines in NAT/frag/state code. 1606 1607redeclared malloc in 44arp.c - 1608 16093.1.7 8/2/97 - Released 1610 1611Macros used for ntohs/htons supplied with gcc don't always work very well 1612when the assignment is the same variable being converted. 1613 1614Filter matching doesn't not match rule which checks tcp flags on packets 1615which are fragments - David Wilson 1616 16173.1.7beta 30/1/97 - Released 1618 1619Fix up NAT bugs introduced in last major change (now tested), including 1620nat_delete(), nat_lookupredir(), checksum changes, etc. 1621 16223.1.7alpha 30/1/97 - Released 1623 1624Many changes to NAT code, including contributions from Laurent Joncheray 1625<lpj@ans.net> 1626 1627Use "NO_SLEEP" when allocating memory under SunOS. 1628 1629Make kernel printf's nicer for BSD/SunOS4 1630 1631Always do a checksum for packets being filtered going out and being 1632processed by fastroute. 1633 1634Leave kernel to play with cdevsw on *BSD systems with LKM's. 1635 1636ipnat.1 man page fixes. 1637 16383.1.6 21/1/97 - Released 1639 1640Allow NAT to work on BSD systems in conjunction with "pass .. to ifname" 1641 1642Memory leak introduced in 3.1.3 in NAT lists, clearing of NAT table tried 1643to free memory twice. 1644 1645NAT recalculates IP header checksum based on difference between IP#'s and 1646port numbers - should be just IP#'s (Solaris2 only) 1647 16483.1.5 13/1/97 - Released 1649 1650fixed setting of NAT timeouts and use different timeouts for concurrent 1651TCP sessions using the same IP# mapping (when port mapping isn't used) 1652 1653multiple loading/unloading of LKM's doesn't clean up cdevsw properly for 1654*BSD systems. 1655 16563.1.4 10/1/97 - Released 1657 1658add command line options -C and -F to ipnat to flush NAT list and table 1659 1660ipnat -l loops on output - Neil Readwin (nreadwin@nysales.micrognosis.com) 1661 1662NetBSD/FreeBSD kernel malloc changes - Daniel Carosone 1663 16643.1.3 10/1/97 - Released 1665 1666NAT chains not constructed correctly in hash tables - Antony Y.R Lu 1667(antony@hawk.ee.ncku.edu.tw) 1668 1669Updated INSTALL.NetBSD, INSTALL.FreeBSD and INSTALL.Sol2 1670 1671man page update (ipf.5) from Daniel Carosone (dan@geek.com.au) 1672 1673ICMP header checksum update now included in NAT. 1674 1675Solaris2 needs to modify IP header checksums in ip_natin and ip_natout. 1676 16773.1.2 4/12/96 - Released 1678 1679ipmon doesn't use syslog all the time when given -s option 1680 1681fixed mclput panic in ip_input.c and replace ntohs() with NTOHS() macro 1682 1683check the results of hostname resolution in ipnat 1684 1685"make *install" fixed for subdirectories. 1686 1687problems with "ARCH:=" and gnu make resolved 1688 1689parser reports an error for lines with whitespaces only rather than skipping 1690them. D.Carosone@abm.com.au (Daniel Carosone) 1691 1692patches for integration into NetBSD-current (post 1.2). 1693 1694add an option to allow non-IP packets going up/down the stream on Solaris2 1695to be dropped. John Bass. 1696 16973.1.2beta 21/11/96 - Released 1698 1699make ipsend compile on Linux 2.0.24 1700 1701changes to TCP kept state algorithm, making it watch state on TCP 1702connections in both directions. Also use the same algorithm for NAT TCP. 1703 1704-Wall cleanup - Bernd Ernesti 1705 1706added "or-block" for "pass .. log or-block" after a suggestion from 1707David Oppenheim (davido@optimation.com.au) 1708 1709added subdirectories for building IP Filter in SunOS5/BSD for different 1710cpu architecures 1711 1712Solaris2 fixes to logging and pre-filtering packet processing - 3.1.1p2 1713 1714mbuf logging not using mtod(), remove iplbusy - 3.1.1p1 1/11/96 1715 17163.1.1 28/10/96 - Released 1717 1718Installation script fixes and deinstall scripts for IP Filter on: 1719SunOS4/FreeBSD/NetBSD 1720 1721Man page fixes - Paul Dubois (dubois@primate.wisc.edu) 1722 1723Fix use of SOLARIS macro in ipmon, rewrote ipllog() (again!) 1724 1725parsing isn't completely case insensitive - David Wilson 1726(davidw@optimation.com.au) 1727 1728Release ipl_mutex across uiomove() calls 1729 1730print entire rule entries out for "ipf -z" when zero'ing per-rule stats. 1731 1732ipfstat returns same output for "hits" in "ipfstat -aio" - Terletsky Slavik 1733(ts@polynet.lviv.ua) 1734 1735New algorithm for setting timeouts for TCP connection (more closely follow 1736TCP FSM) - Pradeep Krishnan (pkrishna@netcom.com) 1737 1738Track both window sizes for TCP connections through "keep state". 1739 1740Solaris2 doesn't like _KERNEL defined in stdargs.h - Jos van Wezel 1741(wezel@bio.vu.nl) 1742 17433.1.1-beta2 6/10/96 - Released 1744 1745Solaris2 fastroute/dup-to/to now works 1746 1747ipmon `record' reading rewritten 1748 1749Added post-NetBSD1.2 packet filter patches - Mathew Green (mrg@eterna.com.au) 1750 1751Attempt to use in_proto.c.diff, not "..diffs" for SunOS4 - David Wilson 1752(davidw@optimation.com.au) 1753 1754Michael Ryan (mike@NetworX.ie) reports the following: 1755* The Trumpet WinSock under Windows always sends its SYN packet with an ACK 1756 value of 1, unlike any other implementation I've seen, which would set it 1757 to zero. The "keep state" feature of IP Filter doesn't work when receiving 1758 non-zero ACK values on new connection requests. 1759* */Makefile install rule doesn't install all the binaries/man pages 1760* Make ipnat use "tcp/udp" instead of "tcpudp" 1761* Print out "tcp/udp" properly 1762* ipnat "portmap tcp" matches "portmap udp" when adding/removing 1763* NAT dest. ip# increased by one on mask of 0xffffffff when it shouldn't 1764 17653.1.1-beta 1/9/96 - Released 1766 1767add better detection of TCP connections closing to TCP state monitoring. 1768 1769fr_addstate() not called correctly for fragments. "keep state" and 1770"keep frag" code don't work together 100% - Songqing Cai 1771(songqing_cai@sterling.com) 1772 1773call to fr_addstate() incorrect for adding state in combination with keeping 1774fragment information - Songqing Cai (songqing_cai@sterling.com) 1775 1776KFREE() passed fp (incorrect) and not fr (correct) in ip_frag.c - John Hood 1777(cgull@smoke.marlboro.vt.us) 1778 1779make ipf parser recognise '\\' as a `continued line' marker - Dima Ruban 1780(dima@best.net) 1781 17823.1.1-alpha 23/8/96 - Released 1783 1784kernel panic's when ICMP packets go through NAT code 1785 1786stats aren't zero'd properly with ipf -Z 1787 1788ipnat doesn't show port numbers correctly all the time and also add the 1789protocol (tcp/udp/tcpudp) to rdr output - Carson Gaspar (carson@lehman.com) 1790 1791fast checksum fixing not 100% - backout patch - Bill Dorsey (dorsey@lila.com) 1792 1793NetBSD-1.2 patches from - VaX#n8 <vax@linkdead.paranoia.com> 1794 1795Usage() call error in fils.c - Ajay Shekhawat (ajay@cedar.buffalo.edu) 1796 1797ip_optcopy() staticly defined in ip_output.c in SunOS4 - Nick Hall 1798(nrh@tardis.ed.ac.uk) 1799 18003.1.0 7/7/96 - Released 1801 1802Reformatted ipnat output to be compatible with it's input, so that 1803"ipnat -l | ipnat -rf -" is possible. 1804 18053.1.0beta 30/6/96 - Released 1806 1807NetBSD-1.2 patches from Greg Woods (woods@most.weird.com) 1808 1809kernel module must not be installed stripped (Solaris2), as created by 1810"make package" for Solaris2 - Peter Heimann 1811(peter@i3.informatik.rwth-aachen.de) 1812 18133.1.0alpha 5/6/96 - Released 1814 1815include examples in package for solaris2 1816 1817patches for removing an extra ip header checksum (FreeBSD/NetBSD/SunOS) 1818 1819removed trailing space from printouts of rules in ipf. 1820 1821ipresend supports the same range of inputs that ipftest does. 1822 1823sending a duplicate copy of a packet to another network devices is now 1824supported. ("dup-to") 1825 1826sending a packet to an arbitary interface is now supported, irrespective 1827of its actual route, with no ttl decrement. Can also be routed without 1828the ttl being decremented. ("to" and "fastroute"). 1829 1830"call" option added to support calling a generic function if a packet is 1831matched. 1832 1833show all (upto 4) recorded bytes from the interface name in logging from 1834ipmon. 1835 1836support for using unix file permissions for read/write access on the device 1837is now in place. 1838 1839recursive mutex in nat_new() for Solaris 2.x - Per L. Hagen <per@stibo.dk> 1840 1841ipftest doesn't call initparse() for THISHOST - Catherine Allen 1842(cla@connect.com.au) 1843 1844Man page corrections from Rex Bona (rex@pengo.comsmiths.com.au) 1845 18463.0.4 10/4/96 - Released 1847 1848looop in `parsing' IP packets with optlen 0 for ip options. 1849 1850rule number not initialized and resulted in unexpected results for state 1851maching. 1852 1853option parsing and printing bugs - Pradeep Krishnan 1854 18553.0.4beta 25/3/96 - Released 1856 1857wouldn't parse "keep flags keep state" correctly. 1858 1859SunOS4.1.x ip_input.c doesn't recognise all 1s broadcast address - Nigel Verdon 1860 1861patches for BSDI's BSD/OS 2.1 and libpcap reader on little endian systems 1862from Thorsten Lockert <tholo@tetherless.com> 1863 1864b* functions in fil.c on Solaris 2.4 1865 18663.0.3 17/3/96 - Released 1867 1868added patches to support IP Filter initialisation when compiled into the 1869kernel. 1870 1871added -x option to ipmon to display hex dumps of logged packets. 1872 1873added -H option to ipftest to allow ascii-hex formatted input to specify 1874arbitary IP packets. 1875 1876Sending TCP RSTs as a response now work for Solaris2 x86 1877 1878add patches to make IP Filter compile into NetBSD kernels properly. 1879 1880patch to stop SunOS 4.1.x kernels panicing with "data traps". 1881 1882ipfboot script unloads and reloads ipf module on Solaris2 if it is already 1883loaded into the kernel. 1884 1885Installation of IP Filter as a Solaris2 package is now supported. 1886 1887Man pages for ipnat.4, ipnat.5 added. 1888 1889added some more regression tests and fixed up IP Filter to pass the new tests 1890(previous versions failed some of the tests in set 12). 1891 1892IP option filter processing has changed so that saying "with opt lsrr" will 1893check only for that one, but not mask out other options, so a packet with 1894strict source routing, along with loose source routing will match all of 1895"with opt lsrr", "with opt ssrr" and "with opt lsrr,ssrr". 1896 1897IPL_NAME needed in ipnat.c - Kelly (kelly@count04.mry.scruznet.com) 1898 1899patches for clean NetBSD compilation from Bernd Ernesti (bernd@arresum.inka.de) 1900 1901make install is incorrect - Julian Briggs (julian@lightwork.co.uk) 1902 1903strtol() returns 0x7fffffff for all negative numbers, 1904printfr() generates incorrect output for "opt sec-class *", 1905handling of "not opt xxx opt yyy" incorrect. 1906- Minh Tonthat (minht@sbei.com)/Pradeep Krishnan (pradeepk@sbei.com) 1907 1908m_pullup() called only for input and not output; caused problems 1909with filtering icmp - Nigel Verdon (verdenn@gb.swissbank.com) 1910 1911parsing problem for "port 1" and NetBSD patches incorrect - 1912Andreas Gustafsson (gson@guava.araneus.fi) 1913 19143.0.2 4/2/96 - Released 1915 1916Corrected bug where NAT recalculates checksums for fragments. 1917 1918make NAT recalculate UDP checksums (rather than setting them to 0), 1919if they're non-zero. 1920 1921DNS patches - Real Page (Real.Page@Matrox.com) 1922 1923alteration of checksum recalculations in NAT code and addition of 1924redirection with NAT - Mike Neuman 1925 1926core dump, if tcp/udp is used with a port number and not service name, 1927in ipf - Mike Neuman (mcn@engarde.com) 1928 1929initparse() call, missing to prime "<thishost>" hook - Craig Bishop 1930 19313.0.1 14/1/96 - Released 1932 1933miscellaneous patches for Solaris2 1934 19353.0 14/1/96 - Released 1936 1937Patch included for FDDI, from Richard Ohnemus 1938(Richard_Ohnemus@dallas.csd.sterling.com) 1939 1940Code cleanup for release. 1941 19423.0beta4 10/1/96 1943 1944recursive mutex in ipfr_slowtimer fixed, reported by Craig Bishop 1945 1946recursive mutex in sending TCP RSTs fixed, reported by Tony Becker 1947 19483.0beta3 9/1/96 1949 1950FIxup for Solaris2.5 install and interface name bug in ipftest from 1951Julian Briggs (julian@lightwork.co.uk) 1952 1953Byte order patches for ipmon from Tony Becker (tony@mcrsys.com) 1954 19553.0beta2 7/1/96 1956 1957Added the (somewhat warped) IP accounting as it exists in ipfw on FreeBSD. 1958Note, this isn't really what one would call IP account, when compared to 1959process accounting, sigh. 1960 1961Split up ipresend into iptest/ipresend/ipsend 1962 1963Added another m_pullup() inside fr_check() for BSD style kernels and 1964added some checks to ipllog() to not log more than is present (for short 1965packets). 1966 1967Fixed bug where failed hostname/netname resolution goes undetecte and 1968becomes 0.0.0.0 (any) (reported Guido van Rooij) 1969 19703.0beta 11/11/95 - Released 1971 1972Rewrote the way rule testing is done, reducing the number of files needed and 1973generated. 1974 1975SIOCIPFFL was incorrectly affected by IPFILTER_LOG (Mathew Green) 1976 1977Patches from Guido van Rooij to fix sending back TCP RSTs on Net-2/Net-3 1978BSD based Unixes (panic'd) 1979 1980Patches for FreeBSD/i86 ipmon from Riku Kalinen <riku@tequila.nixu.fi> 1981(I think someone else already told me about these but they got lost :-/) 1982 1983Changed Makefile structure to build object files for different operating 1984systems in separate directories by default. 1985 1986BSDI has ef0 for first ethernet interface 1987 1988Allow for a "not" operator before optional keywords. 1989 1990The "rule number" was being incorrectly incremented every time it went through 1991the loop rather than when it matched a rule. 1992 19932.8.2 24/10/95 - Released 1994 1995Fixed up problems with "textip" for doing lots of testing. 1996 1997Fixed bug in detection of "short" tcp/ip packets (all reported as being short). 1998 1999Solaris 2.4 port now works 100%. 2000 2001Man page errors reported and fixed. 2002 2003Removed duplicate entry in etc/services for login on port 49 (Craig Bishop). 2004 2005Fixed ipmon output to put a space after the log-letter. 2006 2007Patch from Guido van Rooij to fix parsing problem. 2008 20092.8.1 15/10/95 - Released 2010 2011Added ttl and tos filtering. 2012 2013Patches for fixing up compilation and port problems (little endian) 2014from Guido van Rooij <guido@IAEhv.nl>. 2015 2016Man page problems reported and fixed by Carson Gaspar <carson@lehman.com>. 2017 2018ipsend doesn't compile properly on Solaris2.4 2019 2020Lots of work done for Solaris2.4 to make it MT/MP safe and work. 2021 20222.8 15/9/95 - Released 2023 2024ipmon can now send messages to syslogd (-s) and use names instead of 2025numbers (-N). 2026 2027IP packets are now "compiled" into a structure only containing filterable 2028bits. 2029 2030Added regression testing in the test/ subdirectory, using a new option 2031(-b) with the ipftest program. 2032 2033Added "nomatch" return to filter results. These are counted and show 2034up in reports from ipfstat. 2035 2036Moved filter code out of ip_fil.c and into fil.c - there is now only one 2037instance of it in the package. 2038 2039Added Solaris 2.4 support. 2040 2041Added IPSO basic security option filtering. 2042 2043Added name support for filtering on all 19 named IP options. 2044 2045Patches from Ivan Brawley to log packet contents as well as packet headers. 2046 2047Update for sun/conf.c.diff from Ivan Brawley <ibrawley@awadi.com.AU> 2048 2049Added patches for FreeBSD 1, and added two new switches (-E, -D) to ipf, 2050along with a new ioctl, SIOCFRENB. 2051From: Dieter Dworkin Muller <dworkin@village.org> 2052 20532.7.3 31/7.95 - Released 2054 2055Didn't compile cleanly without IPFILTER_LOG defined (Mathew Green). 2056 2057ipftest now deals with tcpdump3 binary output files (from libpcap) with -P. 2058 2059Brought ipftest program upto date with actual filter code. 2060 2061Filter would cause a match to occur when it wasn't meant to if the packet 2062had short headers and was missing portions that should have been there. 2063Err, it would rightly not match on them, but their absence caused a match 2064when it shouldn't have been. 2065 20662.7.2 26/7/95 - Released 2067 2068Problem with filtering just SYN flagged packets reported by 2069Dieter Dworkin Muller <dworkin@village.org>. To solve this 2070problem, added support for masking TCP flags for comparison "flags X/Y". 2071 20722.7.1 9/7/95 - Released 2073 2074Added ip_dirbroadcast support for Sun ip_input.c 2075 2076Fixed up the install scripts for FreeBSD/NetBSD to recognise where they are 2077better. 2078 20792.7 7/7/95 - Released 2080 2081Added "return-rst" to return TCP RST's to TCP packets. 2082 2083Actually ported it to FreeBSD-i386 2.0.0, so it works there properly now. 2084 2085Added insertion of filter rules. Use "@<#>" at the beginning of a filter 2086to insert a rule at row #. 2087 2088Filter keeps track of how many times each rule is matched. 2089 2090Changed compile time things to match kernel option (IPFILTER_LKM & 2091IPFILTER_LOG). 2092 2093Updated ip_input.c and ip_output.c with paches for 3.5 Multicast IP. 2094(No change required for 3.6) 2095 2096Now includes TCP fragments which start inside the TCP header as being short. 2097Added counting the number of times each rule is matched. 2098 2099 21002.6 11/5/95 - Released 2101 2102Added -n option to ipf: when supplied, no changes are made to the kernel. 2103 2104Added installation scripts for SunOS 4.1.x and NetBSD/FreeBSD/BSDI. 2105 2106Rewrote filtering to use a more generic mask & match procedure for 2107checking if a packet matches a rule. 2108 21092.5.2 27/4/95 - Released 2110 2111"tcp/udp" and a non-initialised pointer caused the "proto" to become 2112a `random' value; added "ip#/dotted.mask" notation to the BNF. 2113From Adam W. Feigin <feigin@iis.ee.ethz.ch> 2114 21152.5.1 22/3/95 - Released 2116 2117"tcp/udp" had a strange effect (undesired) on getserv*() functions, 2118causing protocol/service lookups to fail. Reported by Matthew Green. 2119 21202.5 17/3/95 - Released 2121 2122Added a new keyword "all" to BNF and parsing of tcpdump/etherfind/snoop 2123output through the ipftest program. Suggestions from: 2124Michael Ciavarella (mikec@phyto.apana.org.au) 2125 2126Conflicts occur when "general" filter rules are used for ports and the 2127lack of a "proto" when used with "port" matches other packets when only 2128TCP/UDP are implied. 2129Reported Matthew Green (mrg@fulcom.com.au); 2130reported & fixed 6-8/3/95 2131 2132Added filtering of short TCP packets using "with short" 28/2/95 2133(These can possibly slip by checks for the various flags). Short UDP 2134or ICMP are dropped to the floor and logged. 2135 2136Added filtering of fragmented packets using "with frag" 24/2/95 2137 2138Port to NetBSD-current completed 20/2/95, using LKM. 2139 2140Added logging of the rule # which caused the logging to happen and the 2141interface on which the packet is currently as suggested by 2142Andreas Greulich (greulich@math-stat.unibe.ch) 10/2/95 2143 21442.4 9/2/95 - Released 2145Fixed saving of IP headers in ICMP packets. 2146 21472.3 29/1/95 2148Added ipf -F [in|out|all] to flush filter rule sets (SIOCIPFFL). 2149Fixed iplread() and iplsave() with help from Marc Huber. 2150 21512.2 7/1/95 - Released 2152Added code from Marc Huber <huber@fzi.de> to allow it to allocate 2153its own major char number dynamically when modload'ing. Fixed up 2154use of <, >, <=, >= and >< for ports. 2155 21562.1 21/12/94 - Released 2157repackaged to include the correct ip_output.c and ip_input.c *goof* 2158 21592.0 18/12/94 - Released 2160added code to check for port ranges - complete. 2161rewrote to work as a loadable kernel module - complete. 2162 21631.1 2164added code for ouput filtering as well as input filtering and added support for logging to a simple character device of packet headers. 2165 21661.0 22/04/93 - Released 2167First release cut. 2168