HISTORY revision 145510
#
# NOTE: Quite a few patches and suggestions come from other sources, to whom
# I'm greatly indebted, even if no names are mentioned.
#
# Thanks to the Coombs Computing Unit at the ANU for their continued support
# in providing a very available location for the IP Filter home page and
# distribution center.
#
# Thanks also to all those who have contributed patches and other code,
# and especially those who have found the time to port IP Filter to new
# platforms.
#
4.1.8 - Released 29 March 2005

include patch from Phil Dibowitz for sorting ipfstat -t output by source or
destination port.

fix a bug in printing rules where interface names could not be printed,
even if they're in the rule structure.

fix BSD/kupgrade to correctly change ipfilter lkm Makefile for FreeBSD

add 2 new features to SIOCGNATL:
- if IPN_FINDFORWARD is set, check if the respective MAP is already
  present in the outbound table
- if IPN_IN is set, search for a matching MAP entry instead of RDR
  (Peter Postma)

turn off function inlining for freebsd 5.3+

UDP doesn't pullup enough data which can sometimes cause a panic.
Fix other protocols, as required, where a similar problem may exist.

overhaul the timeout queue management, especially that for user defined queues
which are now only freed in an orderly manner.

4.1.7 - Released 13 March 2005

Using the GRE call field is almost impossible because it is unbalanced and
both call fields are not present in each v1 header.

Fix a problem where it was possible to load duplicate rules into ipf

patch from John Wehle to address problems with fastroute on solaris

Copying data out for ipf -z failed because it tried to copy out to an address
that is a kernel pointer in user space.

add "ip" timeout for both NAT & state that's for non-TCP/UDP/ICMP

synch up with NetBSD's changes

fix problems parsing long lines of text in the ftp proxy where they would not
be parsed properly and stop the session from working

enhance the PPTP proxy so that it tries to decode messages in the TCP stream
so it knows when to create and destroy the state/nat sessions for GRE. There
are also 4 new regression tests for it, testing map/rdr rules.

impose some limits on the size of data that can be moved with SIOCSTPUT in
the NAT code and also prevent a duplicate session entry from being created
using this method.

add a new flag (IPN_FINDFORWARD) to NAT code that can be used with SIOCGNATL
to check if it is possible to create an outgoing transparent NAT mapping to
complement the redirect being investigated.

Linux requires that the checksums in the IP header get adjusted

only resolve unknown interfaces in fr_stinsert, and nuke all interface pointers
in SIOCSTPUT to prevent bad data being loaded from userspace.

make the byte counting for state correct (was counting data from ICMP packet
twice)

print out the keyword "frag-body" if the flag is set.

fix ipfs loading/restoring NAT sessions

patch from Frank to correctly format IP addresses in ipfstat -t output

parsing port numbers in ipf/ipnat was confusing as the port number was returned
in an int that was also overloaded to be the success/failure. Instead, change
the port using pass by reference and only use the return value for indicating
success or failure.

4.1.6 - Released 19 February 2005

add a new timeout number to NAT (fr_defnatipage) that is used for all
non-TCP/UDP/ICMP protocols - default 60 seconds.

buffer leak with bad nat - David Gueluy

fix memory leak with state entries created by proxies

eliminate copying too much data into a scan buffer

allow a trailing protocol name for map rules as well as rdr ones

fix bug in parsing of <= and > for NAT rules (two were crossed over)

FreeBSD's iplwrite hasn't kept pace with iplread's prototype

expand documentation on the karma of using "auto" in ipnat map rules

add matching on IP protocol to ipnat map rules

allow ippool definitions to contain no addresses to start with

Linux NAT needs to modify the IP header checksum as it gets called after it
has been computed by IP.

UDP was missing a pullup for packet header information before examining
the header

4.1.5 - Released 9 January 2005

all rules were being converted into "dup-to" rules in the kernel

fix two ftp proxy problems: 1st, buffer needs to be bigger for fitting in
complete RETR/CWD commands, 2nd is () use in 227 messages isn't copied
over correctly.

response to CWDs
revert ip_off back to network byte order in the ICMP error packet that
gets generated.

4.1.4 - Released 9 January 2005

force NAT rules to only match ipv4 NAT rules (which all are, currently,
by default)

include state synchronisation fixes from Frank Volf

make the maximum log size for internally buffered log entries accessible
via "ipf -T"

redesign start of fr_check() to avoid putting duplicate information in
ipfilter about how much data needs to be pulled up for a protocol to be
properly filtered.

tidy up sending ICMP error messages - some bad inputs could result in
data not being freed and/or no error returned.

make the maximum size of the log buffer run-time tunable

fix bug in parsing TCP header when looking for MSS option that could make
the system hang

change pool lookups that fail to find a match to return "no match"
rather than fail.

add run-time tunable debugging for proxy support code and FTP proxy.

fix state table updates for entries where the first packet was an ICMPv6
multicast message

fix hang when flushing state for v4/v6 and other (v6/v4) entries are present
too

attaching filtering to ipv6 pfil hook wasn't present for solaris

don't allow rules with "keep state" and "with oow"

move a bunch of userland only code from fil.c to ip_fil.c

make fr_coalesce() more resilient to bad input, just returning an error
instead of crashing, making calling it easier in many places

When m_pulldown doesn't return NULL, it doesn't necessarily return a pointer
to the same mbuf passed in as the first arg.

remove fr_unreach and use ENETUNREACH by default.

printing out of tag data in ipf rules doesn't match input syntax

ipftest(1) man page update

ipfs command line option parsing still rejects some valid syntaxes

SIGHUP handling by ipmon was not as safe as it could be

fix various parsing regressions, including "<thishost>", "tcpudp", ordering
of "keep" options

patches from Frank Volf: add udp_acktimeout to sysctl list for FreeBSD,
ICMP packet length not calculated correctly in send_icmp_err, reply-to
not printed by ipfstat, keep state with icmp passing (mtrr)

patches for return-rst and return-icmp from Attila Fueloep
(lichtscheu@gesindel.org)

4.1.3 - Released 18 July 2004

do some more fine tuning on NAT checksum adjustments

correct IP address byte order in proxy setup for ipsec/pptp

man page updates

fix numerous problems with ipfs operation

complete new syntax for ipmon.conf in its parser and update the sample file

assign error value consistently in fastroute code

rewrite allocation of mbufs in send_reset/send_icmp_err to better use
mbuf clusters and size calculations

resolve problem with linux panic'ing because the wrong flag was being
passed to skb_clone/skb_alloc

enable use of shared/exclusive locks on freebsd5 and above

do not rely on m_pkthdr.len to be valid all the time for mbufs on modern BSD
and so use mbufchainlen to get the mbuf length instead

replace lots of COPYIN/COPYOUT with BCOPYIN/BCOPYOUT where the data is
going to be on the stack and not in userland

packet buffer pointers were not refreshed & used properly in fr_check()

include extra bits for OpenBSD 3.4 & 3.5.

fix ipf/ipnat parsing regression problems with v3.4

4.1.2 - RELEASED - 27 May 2004

add state top for ipv6

fix numerous parsing regressions

change sample proxies to use SIOCGNATL with the new API

allow macro names to contain underscores (_)

split the parser into a collection of dictionaries so that keywords do
not interfere with resolving hostnames and portnames

fix ipfrule LKM loading on freebsd

support mapping a fixed range of ports to a single port

fix timeout queue use by proxies with private queues

handle space-led ftp server replies properly

fix timeout queue management

fix fastroute, generation of RST & ICMP packets and operation with to/fastroute

resolve further linux compatibility problems

replace the use of COPYIN with BCOPYIN for platforms that provide ioctl
args on the stack

allow flushing of ipv6 rules independent of ipv4 rules

correct internal ipv6 checksum calculations

if a 'keep state' rule fails to create state, block the packet rather
than let it through

correct all checksums in regression tests and correct NAT code to adjust
checksums correctly.

fix ipfs -R/-W

4.1.1 - RELEASED - 24 March 2004

allow new connections with the same port numbers as an existing one
in the state table if the creating packet is a SYN

timeout values have drifted, incorrectly, from what they were in 3.4

FreeBSD - compatibility changes for 5.2

don't match on sequence number (as well) for ICMP ECHO/REPLY, just the
ICMP Id. field as otherwise there is a state/NAT entry per packet pair
rather than per "flow"

fr_cksum() returned the wrong answer for ICMP

Linux:
- get return-rst and return-icmp working
- treat the interface name the same as if_xname on BSD

adjust expectations for TCP urgent bits based on observed traffic in the
wild

openbsd3.4 has ip_len/ip_off in network byte order when ipfilter is called

fix flushing of hash pool groups (ippool -F) as well as displaying them
(ippool -l)

passing of pointers to interface structures wrong for HP-UX/Solaris with
return-* rules.

Make the solaris boot script able to run on 2.5.1

ippool related files missing from Solaris packages

The name /dev/ippool should be /dev/iplookup

add regression testing for parsing long interface names in nat rules,
along with mssclamp and tags. Also add test for mssclamp operation.

ttl displayed for "ipfstat -t" is wrong because ttl is not computed.

parse logical interface names (Sun)

unloading LKMs was only working if they were enabled.

sync'ing up NAT sessions when NICs change should cause NAT rules to
re-lookup name->pointer mappings

not all of the ippool ioctl's are IOWR and they should be because they
use the ipfobj_t for passing information in/out of the kernel. Leave the
old values defined and handle them, for compatibility.

pool stats wrong: ippoolstate used where ipoolstat should be, hash table
  statistics not reported at all

fr_running not set correctly for OpenBSD when compiled into the kernel

Allow SIOCGETFF while disabled

Fix mssclamp with NAT (parsing and printing of the word, plus wrong bytes
altered. How do you say "untested" ?)

4.1 - RELEASED - 12 February 2004

4.0-BETA1 20 August 2003

support 0/32 and 0/0 on the RHS in redirect rules

where LHS and RHS netmasks are the same size for redirect, do 1:1 mapping
for bimap rules.

allow NAT rule to match 'all' interfaces with * as interface name

do mapping of ICMP sequence id#'s in pings

allow default age for NAT entries to be set per NAT rule

provide round robin selection of destination addresses for redirect

ipmon can load a configuration file with instructions on actions
to take when a matching log entry is received

now requires pfil to work on Solaris & HP-UX

supports mapping outbound connections to a specific address/port

support toggling of logging per ipfilter 'device'

use queues to expire data rather than lists

add MSN RPC proxy

add IRC proxy

support rules with dynamic ip addresses

add ability to define a pool of addresses & networks which can then
be placed in a single rule

support passing entire packet back to user program for authentication

support master/slave for state information sharing

reorganise generic code into a lib directory and make libipf.a

user programs enforce version matching with the kernel

supports window scaling if seen at TCP session setup

generates C code from filter rules to compile in or load as native
machine code.

supports loading rules comprised of BPF bytecode statements

HP-UX 11 port completed

add packets-per-second filtering

add numerical tags to rules for filtering and display in ipmon output

3.4.4 23/05/2000 - Released

don't add TCP state if it is an RST packet and (attempt) to send out
RST/ICMP packets in a manner that bypasses IP Filter.

add patch to work with 4.0_STABLE delayed checksums

3.4.3 20/05/2000 - Released

fix ipmon -F

don't truncate IPv6 packets on Solaris

fix keep state for ICMP ECHO

add some NAT stats and use def_nat_age rather than DEF_NAT_AGE

don't make ftp proxy drop packets

use MCLISREFERENCED() in tandem with M_EXT to check if IP fields need to be
swapped back.

fix up RST generation for non-Solaris

get "short" flag right for IPv6

3.4.2 - 10/5/2000 - Released

Fix bug in dealing with "hlen == 1 and opt > 1" - Itojun

ignore previous NAT mappings for 0/0 and 0/32 rules

bring in a completely new ftp proxy

allow NAT to cause packets to be dropped.

add NetBSD callout support for 1.4-current

3.4.1 - 30/4/2000 - Released

add ratoui() and fix parsing of group numbers to allow 0 - UINT_MAX

don't include opt_inet6.h for FreeBSD if KLD_MODULE is defined

Solaris must use copyin() for all types of ioctl() args

fix up screen/tty when leaving "top mode" of ipfstat

linked list for maptable not setup correctly in nat_hostmap()

check for maptable rather than nat_table[1] to see if malloc for maptable
succeeded in nat_init

fix handling of map NAT rules with "from/to" host specs

fix printing of source address when using "from/to" with map rules

convert ip_len back to network byte order, not plen, for solaris as ip_len
may have been changed by NAT and plen won't reflect this

3.4 - 27/4/2000 - Released

checking for source address spoofing can be turned on (fr_chksrc) without
using filter rules

group numbers are now 32bits in size, up from 16bits

IPv6 filtering available

add Frank Volf's state-top patches

add load splitting and round-robin attribute to redirect rules

FreeBSD-4.0 support (including KLD)

add top-style operation mode for ipfstat (-t)

add save/restore of IP Filter state/NAT information (ipfs)

further ftp proxy security checks

support for adding and removing proxies at runtime

3.3.13 26/04/2000 - Released

Fix parsing of "range" with "portmap"

Relax checking of ftp replies, slightly.

Fix NAT timeouts for ICMP packets

SunOS4 patches for ICMP redirects from Jurgen Keil (jk@tools.de)

3.3.12 16/03/2000 - Released

tighten up ftp proxy behaviour. sigh. yuck. hate.

fix bug in range check for NAT where the last IP# was not used.

fix problem where icmp codes > 127 in filter rules caused bad things to
happen and in particular, where #18 caused the rule to be printed
erroneously.

fix bug with the spl level not being reset when returning EIO from
iplioctl due to ipfilter not being initialized yet.

3.3.11 04/03/2000 - Released

make "or-block" work with lines that start with "log"

fix up parsing and printing of rules with syslog levels in them

fix from Cy Schubert for calling of apr_fini only if non-null


3.3.10 24/02/2000 - Released

* fix back from Guido for state tracking interfaces

* update for NetBSD pfil interface changes

* if attaching fails and we can abort, then cleanup when doing so.

julian@computer.org:
* solaris.c (fr_precheck): After calling freemsg on mt, set it to point to *mp.
* ipf.c (packetlogon): use flag to store the return value from get_flags.
* ipmon.c (init_tabs): General cleanup so we do not have to cast
  an int s->s_port to u_int port and try to check if the u_int port
  is less than zero.

3.3.9 15/02/2000 - Released

fix scheduling of bad locking in fr_addstate() used when we attach onto
a filter rule.

fix up ip_statesync() with storing interface names in ipstate_t

fix fr_running for LKM's - Eugene Polovnikov

junk using pullupmsg() for solaris - it's next to useless for what we
need to do here anyway - and implement what we require.

don't call fr_delstate() in fr_checkstate(), when compiled for a user
program, early but when we're finished with it (got fr & pass)

ipnat(5) fix from Guido

on solaris2, copy message and use that with filter if there is another
copy of it being used (db_ref > 1). Bad for performance, but better
than causing a crash.

patch for solaris8-fcs compile from Casper Dik

3.3.8 01/02/2000 - Released

fix state handling of SYN packets.

add parsing recognition of extra icmp types/codes and fix handling of
icmp time stamps and mask requests - Frank Volf

3.3.7 25/01/2000 - Released

sync on state information as well as NAT information when required

record nat protocol in all nat log records

don't reuse the IP# from an active NAT session if the IP# in the rule
has changed dynamically.

lookup the protocol for NAT log information in ipmon and pass that to
portname.

fix the bug with changing the outbound interface of a packet where it
would lead to a panic.

use fr_running instead of ipl_inited. (sysctl name change on freebsd)

return EIO if someone attempts an ioctl on state/nat if ipfilter is not
enabled.

fix rule insertion bug

make state flushing clean anything that's not fully established (4/4)

call fr_state_flush() after we've released ipf_state so we don't generate
a recursive mutex acquisition panic

fix parsing of icmp code after return-icmp/return-icmp-as-dest and add
some patches to enhance parsing strength

3.3.6 28/12/1999 - Released

add in missing rwlock release in fr_checkicmpmatchingstate() and fix check
for ICMP_ECHO to only be for packet, not state entry which we don't have yet.

handle SIOCIPFFB in nat_ioctl() and fr_state_ioctl()

fix size of friostat for SunOS4

fix bug in running off the end of a buffer in real audio proxy

3.3.5 11/12/1999 - Released

fix parsing of "log level" and printing it back out too

<net/if_types.h> is only present on Solaris2.6/7/8

use send_icmp_err rather than icmp_error to send back a frag-needed error
when doing PMTU

do not use -b with add_drv on Solaris unless $BASEDIR is set.

fix problem where source address in icmp replies is reversed

fix yet another problem with real audio.

3.3.4 4/12/1999 - Released

fix up the real audio proxy to properly setup state information and NAT
entries, thanks to Laine Stump for testing/advice/fixes.

fix ipfr_fastroute to set dst->sin_addr (Sean Farley - appears to prevent
FreeBSD 3.3 from panic'ing) as this had been removed in prior hacks to this
routine.

fix kinstall for BSDI

support ICMP errors being allowed through for ICMP packets going out with
keep state enabled

support hardware checksumming (gigabit ethernet cards) on Solaris thanks to
Tel.Net Media for providing hardware for testing.

patches from Frank Volf for ipmon (ICMP & fragmented packets) and allowing
ICMP responses to ICMP packets in the keep state table.

add in patches for hardware checksumming under solaris

Solaris install scripts now use $BASEDIR as appropriate.

add Solaris8 support

fix "ipf -y" on solaris so that it rescans rules also for changes in
interface pointers

let ipmon become a daemon with -D if it is using syslog

fix parsing of return-icmp-as-dest(foo)

add reference to ipfstat -g to ipfstat.8

ipf_mutex needs to be declared for irix in ip_fil.c

3.3.3 22/10/1999 - Released

add -g command line option to ipfstat to show groups still defined.

fix problem with fragment table not recording rule pointer when called
from state functions (fin_fr not set).

fixup fastroute problems with keep state rules.

load rules into inactive set first, so we don't disable things like NIS
lookups half way through processing - found by Kevin Littlejohn

fix handling of unaligned ip pointer for solaris

patch for fr_newauth from Rudi Sluijtman

fixed htons() bug in fr_tcpsum() where ip_p wasn't cast to u_short

3.3.2 23/09/1999 - Released

patches from Scott Presnell to fix rcmd proxy

patches from Greg to fix Solaris detachment of interfaces

add openbsd compatibility fixes

fix free'ing already freed memory in ipfr_slowtimer()

fix for dereferencing invalid memory in cleaning up after a device disappears

3.3.1 14/8/1999 - Released

remove include file sys/user.h for irix

prevent people from running buildsunos directly

fix up some problems with the saving of rule pointers so that NAT saves
that information in case it should need to call fr_addstate() from a proxy.

fix up scanning for the end of FTP messages

don't remove /etc/opt/ipf in postremove

attempt to prevent people running buildsolaris script without doing a
"make solaris"

fix timeout losing on freebsd3

3.3 7/8/1999 - Released

NAT: information (rules, mappings) are stored in hash tables; setup some
basic NAT regression testing.

display version name of installed kernel code when initializing.

add -V command line option to ipf, showing version (program and kernel
module) as well as the run-status of the kernel code.

fix problem with "log" rules actually affecting result of filtering.

automatically use SUNWspro if available and on a 64bit Solaris system for
compiling.

add kernel proxies for rcmd(3) and RealAudio (PNA)

use timeout/untimeout on SunOS4/BSD platforms too rather than hijacking
ip_slowtimo

fix IP headers generated through parsing of text information

fix NAT rules to be in the correct order again.

make keep-state work with to/fastroute keywords and enforce usage of those
interfaces.

update keep-state code with new algorithm from Guido

add FreeBSD-3 support

add return-icmp-as-dest option to return an ICMP packet using the original
destination as the source rather than a local IP address

add "level [facility.]<priority>" option to filter language

add changes from Guido to state code.

add code to return EPERM if the device is opened for writing and we're
in securelevel 2 or greater.

authentication code patches from Guido

fix real audio proxy

fix ipmon rule printing of interfaces and add IN/OUT to the end of ipmon
log output.

fix bimap rules with hash tables

update addresses used in NAT mappings for 0/32 rules for any protocol but TCP
if it changes on the interface - check every ip_natexpire()

add redirect regression test

count buckets used in the state hash table.

fix sending of RST's with return-rst to use the ack number provided in
the packet being replied to in addition to the sequence number.

fix to compile as a 64bit application on solaris7-64bit

add NAT IP mapping to ranges of IP addresses that aren't CIDR specified

fix calculation of in_space parameter for NAT

fix `wrapping' when incrementing the next ip address for use in NAT

fix free'ing of kernel memory in ip_natunload on solaris

fix -l/-U command line options from interfering with each other

fix fastroute under solaris2 and cleanup compilation for solaris7

add install scripts and compile cleanly on BSD/OS 4.0

safely open files in /tmp for writing device output when testing.

fix uninitialized pointer bug in NAT

fix SIOCZRLST (zero list rule stats) bug with groups

change some usage of u_short to u_int in function calling

fix compilation for Solaris7 (SUNWspro)

change solaris makefiles to build for either sparc or i386 rather than
per-cpu (sun4u, etc).

fixed bug in ipllog

add patches from George Michaelson for FreeBSD 3.0

add patch from Guido to provide ICMP checking for known state in the same
manner as is done for NAT.

enable FTP PASV proxying and enable wildcarding in NAT/state code for ports
for better PORT/PASV support with FTP.

bring into main tree static nat features: map-block and "auto" portmapping.

add in source host filtering for redirects (Alan Jones)

3.2.10 22/11/98 - Released

3.2.10beta9 17/11/98 - Released

fix fr_tcpsum problems in handling mbufs with an odd number of bytes
and/or split across an mbuf boundary

fix NAT list entry comparisons and allow multiple entries for the same
proxy (but on different ports).

don't create duplicate NAT entries for repeated PORT commands.

3.2.10beta8 14/11/98 - Released

always exit an rwlock before expecting to enter it again on solaris

fix loop in nat_new for pre-existing nat

don't setup state for an ftp connection if creating nat fails.

3.2.10beta7 05/11/98 - Released

set fake window in ipft_tx.c to ensure code passes tests.

cleaned up/enhanced ipnat -l/ipnat -lv output

fixed NAT handling of non-TCP/UDP packets, esp. for ICMP errors returned.

Solaris recursive mutex on icmp-error/tcp-reset - requires rwlock's rather
than mutexes.

3.2.10beta6 03/11/98 - Released

fix mixed use of krwlock_t and kmutex_t on Solaris2

fix FTP proxy back up, splitting pasv code out of port code.

3.2.10beta5 02/11/98 - Released

fixed port translation in ICMP reply handling

3.2.10beta4 01/11/98 - Released

increase useful statistic collection on solaris

filter DL_UNITDATA_REQ as well as DL_UNITDATA_IND on solaris

disable PASV reply translation for now

fail with an error if we try to load a NAT rule with a non-existent
  proxy name - Guido

fix portmap usage with 0/0 and 0/32 map rules

remove ap_unload/ap_expire - automatically done when NAT is cleaned up

print "STATE:CLOSED" from ipmon if the connection progresses past established
  rather than "STATE:EXPIRED"

3.2.10beta3 26/10/98 - Released

fixed traceroute/nat problem

rewrote nat/proxy interface

ipnat now lists associated proxy sessions for each NAT where applicable

3.2.10beta2 13/10/98 - Released

use KRWLOCK_T in place of krwlock_t for solaris as well as irix

disable use of read-write lock acquisition by default

add in mb_t for linux, non-kernel

some changes to progress compilation on linux with glibc

change PASV as well as PORT when passed through kernel ftp proxy.

don't allow window to become 0 in tcp state code

make ipmon compile cleaner

irix patches

3.2.10beta 11/09/98 - Released

stop fr_tcpsum() thinking it has run out of data when it hasn't.

stop solaris panics due to fin_dp being something wild.

revisit usage of ATOMIC_*()

log closing state of TCP connection in "keep state"

fix fake-arp table code for ipsend.

ipmon now writes pid to a file.

fix "ipmon -a" to actually activate all logging devices.

add patches for BSDOS4.

perl scripts for log analysis donated.

3.2.9 22/06/98 - Released

fix byte order for ICMP packets generated on Solaris

fix some locking problems.

fix malloc bug in NAT (introduced in 3.2.8).

patch from Guido for state connections that get fragmented

3.2.8 08/06/98 - Released

use readers/writers locks in Solaris2 in place of some mutexes.

Solaris2 installation enhancements - Martin Forssen (maf@carlstedt.se)

3.2.7 24/05/98 - Released

u_long -> u_32_t conversions

patches from Bernd Ernesti for NetBSD

fixup ipmon to actually handle HUP's.

Linux fixes from Michael H. Warfield (mhw@wittsend.com)

update for keep state patch (not security related) - Guido

dumphex() uses stdout rather than log

3.2.6 18/05/98 - Released

fix potential security loophole in keep state code.

update examples.

3.2.5 09/05/98 - Released

BSD/OS 3.1 .o files added for the kernel.

fix sequence # skew vs window size check.

fix minimum ICMP header size check.

remove references to Cybersource.

fix my email address.

remove ntohl in ipnat - Thomas Tornblom

3.2.4 09/04/98 - Released

add script to make devices for /dev on BSD boxes

fixup building into the kernel for FreeBSD 2.2.5

add -D command line option to ipmon to make it a daemon and SIGHUP causes
it to close and reopen the logfile

fixup make clean and make package for SunOS5 - Marc Boucher

postinstall keeps adding "minor=ipf ipl" - George Ross <gdmr@dcs.ed.ac.uk>

protected by IP Filter gif - Sergey Solyanik <solik@atom.ru>

3.2.3 10/11/97 - Released

fix some iplang bugs

fix tcp checksum data overrun, sgi #define changes,
avoid infinite loop when nat'ing to single IP# - Marc Boucher

fixup DEVFS usage for FreeBSD

fix sunos5 "make clean" cleaning up too much

3.2.2 28/11/97 - Released

change packet matching to return actual error, if bad packet, to facilitate
ECONNRESET for TCP.

allow ip:netmask in grammar too now - Guido

assume IRIX has u_int32_t in sys/types.h (needed for R10000)

rewrite parts of command line options for ipmon

fix TCP urgent packet & offset testing and add LAND attack test for iptest

fix grammar error in yacc grammar for iplang

redirect (rdr) destination port byte-swapped when it shouldn't be.

general: fr_check now returns error code, such as EHOSTUNREACH or
ECONNRESET (attempt to make ECONNRESET work for locally outbound
packets).

linux: enable return-rst, need to filter tcp retransmits which are sent
  separately from normal packets

memory leak plugged in ip_proxy.c

BSDI compatibility patches from Guido

tcp checksum fix - Marc Boucher

recursive mutex and ioctl param fix - Marc Boucher

3.2.1 12/11/97 - Released

port to BSD/OS 3.0

port to Linux 2.0.31

patches to make "map a/m -> 0/0" work with ftp proxying properly - Marc Boucher

add "ipf -F s" and "ipf -F S" to flush state table entries.

announce if logging is on or off when ip filter initializes.

"ipf -F a" doesn't flush groups properly for Solaris.

3.2 30/10/97 - Released

ipnat doesn't successfully remove proxy mappings with "-rf" -
Alexander Romanyu

use K&R C function style for solaris kernel code

use m_adj() to decrease packet size in ftp proxy

use mbufchainlen rather than msgdsize,
IRIX update - Marc Boucher

fix NetBSD modunload bug (pfil_add_hook done twice)

patches for OpenBSD 2.1 - Craig Bevins <craigb@bitcom.net.au>

3.2beta10 24/10/97 - Released

fix fragment table entries allocated for NAT.

fix tcp checksum calculations over mbuf/mblk boundaries

fix panic for blen < 0 in ftp kernel proxy - Marc Boucher

fix flushing of rules which have been grouped.

3.2beta9 20/10/97 - Released

some nit picking on solaris2 with SUNWspro - Michael Lyle <mrl@rpnet.net>

ftp kernel proxy patches from Marc Boucher

3.2beta8 13/10/97 - Released

add support for passing ICMP errors back through NAT.

IRIX port update - Marc Boucher

calculate correct MIN size of packet to log for UDP - Marc Boucher

need htons(ETHERTYPE_x) on little endian BSD boxes - Dave Huang

copyright header fixups

3.2beta7 23/09/97 - Released

fix up problems introduced by prior merges & changes.

3.2beta6 23/09/97 - Released

patch for spin-reading race condition - Marc Boucher.

IRIX port by Marc Boucher.

compatibility updates for Linux to ipsend

3.2beta5 13/09/97 - Released

patches from Bernd Ernesti for NetBSD integration (mostly prototyping and
compiler warning things)

ipf -y will resync IP#'s allocated with 0/32 in NAT to match interface if it
changes.

update manual pages and other documentation updates.

3.2beta4 27/8/97 - Released

enable setting IP and TCP options for iplang/

Solaris2 patches from Marc Boucher.

add groups for filter rules.

3.2beta3 21/8/97 - Released

patches for Solaris2 (interface panic solution ?): fix FIONREAD and
replacing q_qinfo points - Marc Boucher <marc@CAM.ORG>

change ipsend/* and ipsd/* copyright notices to be the same as ip filter's

patch for SYN-ACK skew testing fix from Eric V. Smith <EricSmith@windsor.com>

3.2beta2 6/8/97 - Released

make it load on Solaris 2.3

rewrote logging to remove solaris errors, introduced checking to see if the
same packet is logged successively.

fix filter cache to work when there are no rules loaded.

add "raw" option to ipresend to send entire ethernet frames.

nat list corruption bug - NetBSD - Klaus Klein

3.2beta1 5/7/97 - Released

patches from Jason Thorpe fixing: UNSIGNED_CHAR lossage, off_t being 64bits
lossage, and other NetBSD bits.

NetBSD 1.2G update.

fixup fwtk patches and add protocol field for SIOCGNATL.

rdr bugs reported by Alexander Romanyu (alexr@aix.krid.crimea.ua), with
fixes:
* rdr matched all packets of a given protocol (ignored ports).
* severe bug in nat_delete which caused system crash/freeze.

change Makefile so that CC isn't passed on for FreeBSD/NetBSD (will use
the default CC - cc, not gcc)

3.2alpha9 16/6/97 - Released

added "skip" keyword.

implement preauthentication of packets, as outlined by Guido.

Make it compile as cleanly as possible with -Wall & general code cleanup

getopt returns int, not char. Bernd Ernesti

3.2alpha8 13/6/97 - Released

code added to support "auth" rules which require a user program to allow them
through. First revision and much of the code came from Guido.

hex output from ipmon doesn't go to syslog when recovering from out of sync
error. Luke Mewburn (lukem@connect.com.au)

fix solaris2.6 lookup of destination ire's.

ipnat doesn't throw away unused bits (after masking), causing it to
behave incorrectly. Carson Gaspar

NAT code doesn't include interface name when matching - Alexey Mavrin
<lha@elco.spb.ru>

replace old SunOS tcpip.h with new tcpip.h (from 4.4BSD) - Jason Thorpe.

update install procedures to include ip_proxy.c

mask out unused bits in NAT/RDR rules.

use a generic type (u_32_t) for 32bit variables, rather than rely on
u_long being such - Jason Thorpe.

create a local "netinet" directory and include from "netinet/*" rather than
just "*" to make keeping the code working on ports easier.

add an m_copydata and m_copyback for SunOS4 (based on 4.4BSD-Lite versions)

documentation updates.

NetBSD update from Jason Thorpe <thorpej@netbsd.org>

allow RST's through with a matching SEQ # and 0 ACK. Guido Van Rooij

ipmon uses excessive amounts of CPU on Solaris2 - Reinhard Bertram
<Reinhard.Bertram@KOM.th-darmstadt.de>

3.2alpha7 25/5/97 - Released

add strlen for pre-2.2 kernels - Doug Kite <dkite@websgi.icomnet.com>

setup bits and pieces for compiling into a FreeBSD-2.2 kernel.

split up "bsd" targets. Now a separate netbsd/freebsd/bsd target.
mln_ipl.c has been split up into itself and mlf_ipl.c (for freebsd).

fix (negative) host matching in filtering.

add sysctl interface for some variables when compiled into FreeBSD-2.2 kernels
or later.

make all the candidates for kernel compiling include "netinet/..." and build
a subdirectory "netinet" when compiling and symlink all .h files into this.

add install make target to Makefile.ipsend

3.2alpha6 8/5/97 - Released

Add "!" (not) to hostname/ip matching.

Automatically add packet info to the fragment cache if it is a fragment
and we're translating addresses for it.

Automatically add packet info to the fragment cache if it is a fragment
and we're "keeping state" for the packet.

Solaris2 patches - Anthony Baxter (arb@connect.com.au)

change install procedure for FreeBSD 2.2 to allow building to a kernel
which is different to the running kernel.

add FIONREAD for Solaris2!

when expiring NAT table entries, if we would set a time to fr_tcpclosed
(which is 1), make it fr_tcplastack (20) so that the state tables have a
chance to clear up.

3.2alpha5

add proxying skeleton support and sample ftp transparent proxy code.

add printfs at startup to tell user what is happening.

add packets & bytes for EXPIRE NAT log records.

fix the "install-bsd" target in the root Makefile. Chris Williams
<psion@mv.mv.com>

Fixes for FreeBSD 2.2 (and later revs) to prevent panics. Julian Assange.

3.2alpha4 2/4/97 - Released

Some compiler warnings cleaned up.

FreeBSD-2.2 patches for LKM completed.

3.2alpha3 31/3/97 - Released

ipmon changes: -N for reading NAT logfile, -S for reading state logfile.
-a for reading all. -n now toggles hostname resolution.

Add logging of new state entries and expiration of old state entries.
count log successes and failures.

Add logging of new NAT entries and expiration of old NAT entries.
count log successes and failures.

Use u_quad_t for records of bytes & packets where kept
(IP Accounting: fr_hits, fr_bytes; IP state: is_pkts, is_bytes).

Fixup use of CPU and DCPU in Makefiles.

Fix broken 0/32 NAT mapping. Carl Makin <cmakin@nla.gov.au>

3.2alpha2

Implement mapping to 0/32 as being an alias for automatically using the
interface's first IP address.

Implement separate minor devices for both NAT and IP state code.

Fully prototype all functions.

Fix Makefile problem due to attempt to fix Sun compiling problems.

3.1.10 23/3/97 - Released

ipfstat -a requires a -i or -o command line option too. Print an error
when not present rather than attempt to do something.

patch updates for SunOS4 for kernel compiling.
patch for ipmon -s (flushes syslog file which isn't good). Andrew J. Schorr
<schorr@ead.dsa.com>

too many people hit their heads hard when compiling code into the kernel
that doesn't let any packets through. (fil.c - IPF_NOMATCH)

icmp-type parsing doesn't return any errors when it isn't constructed
correctly. Neil Readwin

Using "-conf" with modload on SunOS4 doesn't work.
Timothy Demarest <demarest@arraycomm.com>

Need to define ARCH in makefile for SunOS4 building. "make sunos4"
in INSTALL.SunOS is incorrect. James R Grinter <jrg@blodwen.demon.co.uk>
[all SunOS targets now run buildsunos]

NAT lookups are still incorrect, matching non-TCP/UDP with TCP/UDP
information. ArkanoiD <ark@paranoid.convey.ru>

Need to check for __FreeBSD_version being 199511 rather than 199607
in mln_ipl.c. Eric Feillant <Eric.Feillant@EUnet.fr>

3.1.9 8/3/97 - Released

fixed incorrect lookup of active NAT entries.

patch for ip_deq() wrong for pre 2.1.6 FreeBSD.
fyeung@fyeung8.netific.com (Francis Yeung)

check for out with return-rst/return-icmp at wrong place - Erkki Ritoniemi
(erkki@vlsi.fi)

text_readip returns the interface pointer pointing to text on stack -
Neil Readwin

fix from Pradeep Krishnan for printout rules "with not opt sec".

3.1.8 18/2/97 - Released

Diffs for ip_output.c and ip_input.c updated to fix bug with fastroute and
compiling warnings about reuse of m0.

prevent use of return-rst and return-icmp with rules blocking packets going
out, preventing panics in certain situations.

loop forms in frag cache table - Yury Pshenychny <yura@rd.zgik.zaporizhzhe.ua>

should use SPLNET/SPLX around expire routines in NAT/frag/state code.

redeclared malloc in 44arp.c -

3.1.7 8/2/97 - Released

Macros used for ntohs/htons supplied with gcc don't always work very well
when the assignment is the same variable being converted.

Filter matching doesn't match rules which check tcp flags on packets
which are fragments - David Wilson

3.1.7beta 30/1/97 - Released

Fix up NAT bugs introduced in last major change (now tested), including
nat_delete(), nat_lookupredir(), checksum changes, etc.

3.1.7alpha 30/1/97 - Released

Many changes to NAT code, including contributions from Laurent Joncheray
<lpj@ans.net>

Use "NO_SLEEP" when allocating memory under SunOS.

Make kernel printf's nicer for BSD/SunOS4

Always do a checksum for packets being filtered going out and being
processed by fastroute.

Leave kernel to play with cdevsw on *BSD systems with LKM's.

ipnat.1 man page fixes.

3.1.6 21/1/97 - Released

Allow NAT to work on BSD systems in conjunction with "pass .. to ifname"

Memory leak introduced in 3.1.3 in NAT lists, clearing of NAT table tried
to free memory twice.

NAT recalculates IP header checksum based on difference between IP#'s and
port numbers - should be just IP#'s (Solaris2 only)

3.1.5 13/1/97 - Released

fixed setting of NAT timeouts and use different timeouts for concurrent
TCP sessions using the same IP# mapping (when port mapping isn't used)

multiple loading/unloading of LKM's doesn't clean up cdevsw properly for
*BSD systems.

3.1.4 10/1/97 - Released

add command line options -C and -F to ipnat to flush NAT list and table

ipnat -l loops on output - Neil Readwin (nreadwin@nysales.micrognosis.com)

NetBSD/FreeBSD kernel malloc changes - Daniel Carosone

3.1.3 10/1/97 - Released

NAT chains not constructed correctly in hash tables - Antony Y.R Lu
(antony@hawk.ee.ncku.edu.tw)

Updated INSTALL.NetBSD, INSTALL.FreeBSD and INSTALL.Sol2

man page update (ipf.5) from Daniel Carosone (dan@geek.com.au)

ICMP header checksum update now included in NAT.

Solaris2 needs to modify IP header checksums in ip_natin and ip_natout.

3.1.2 4/12/96 - Released

ipmon doesn't use syslog all the time when given -s option

fixed mclput panic in ip_input.c and replace ntohs() with NTOHS() macro

check the results of hostname resolution in ipnat

"make *install" fixed for subdirectories.

problems with "ARCH:=" and gnu make resolved

parser reports an error for lines with whitespaces only rather than skipping
them. D.Carosone@abm.com.au (Daniel Carosone)

patches for integration into NetBSD-current (post 1.2).

add an option to allow non-IP packets going up/down the stream on Solaris2
to be dropped. John Bass.

3.1.2beta 21/11/96 - Released

make ipsend compile on Linux 2.0.24

changes to TCP kept state algorithm, making it watch state on TCP
connections in both directions. Also use the same algorithm for NAT TCP.

-Wall cleanup - Bernd Ernesti

added "or-block" for "pass .. log or-block" after a suggestion from
David Oppenheim (davido@optimation.com.au)

added subdirectories for building IP Filter in SunOS5/BSD for different
cpu architectures

Solaris2 fixes to logging and pre-filtering packet processing - 3.1.1p2

mbuf logging not using mtod(), remove iplbusy - 3.1.1p1 1/11/96

3.1.1 28/10/96 - Released

Installation script fixes and deinstall scripts for IP Filter on:
SunOS4/FreeBSD/NetBSD

Man page fixes - Paul Dubois (dubois@primate.wisc.edu)

Fix use of SOLARIS macro in ipmon, rewrote ipllog() (again!)

parsing isn't completely case insensitive - David Wilson
(davidw@optimation.com.au)

Release ipl_mutex across uiomove() calls

print entire rule entries out for "ipf -z" when zeroing per-rule stats.

ipfstat returns same output for "hits" in "ipfstat -aio" - Terletsky Slavik
(ts@polynet.lviv.ua)

New algorithm for setting timeouts for TCP connection (more closely follow
TCP FSM) - Pradeep Krishnan (pkrishna@netcom.com)

Track both window sizes for TCP connections through "keep state".

Solaris2 doesn't like _KERNEL defined in stdargs.h - Jos van Wezel
(wezel@bio.vu.nl)

3.1.1-beta2 6/10/96 - Released

Solaris2 fastroute/dup-to/to now works

ipmon `record' reading rewritten

Added post-NetBSD1.2 packet filter patches - Mathew Green (mrg@eterna.com.au)

Attempt to use in_proto.c.diff, not "..diffs" for SunOS4 - David Wilson
(davidw@optimation.com.au)

Michael Ryan (mike@NetworX.ie) reports the following:
* The Trumpet WinSock under Windows always sends its SYN packet with an ACK
  value of 1, unlike any other implementation I've seen, which would set it
  to zero. The "keep state" feature of IP Filter doesn't work when receiving
  non-zero ACK values on new connection requests.
* */Makefile install rule doesn't install all the binaries/man pages
* Make ipnat use "tcp/udp" instead of "tcpudp"
* Print out "tcp/udp" properly
* ipnat "portmap tcp" matches "portmap udp" when adding/removing
* NAT dest. ip# increased by one on mask of 0xffffffff when it shouldn't

3.1.1-beta 1/9/96 - Released

add better detection of TCP connections closing to TCP state monitoring.

fr_addstate() not called correctly for fragments.
"keep state" and "keep frag" code don't work together 100% - Songqing Cai
(songqing_cai@sterling.com)

call to fr_addstate() incorrect for adding state in combination with keeping
fragment information - Songqing Cai (songqing_cai@sterling.com)

KFREE() passed fp (incorrect) and not fr (correct) in ip_frag.c - John Hood
(cgull@smoke.marlboro.vt.us)

make ipf parser recognise '\\' as a `continued line' marker - Dima Ruban
(dima@best.net)

3.1.1-alpha 23/8/96 - Released

kernel panics when ICMP packets go through NAT code

stats aren't zeroed properly with ipf -Z

ipnat doesn't show port numbers correctly all the time and also add the
protocol (tcp/udp/tcpudp) to rdr output - Carson Gaspar (carson@lehman.com)

fast checksum fixing not 100% - backout patch - Bill Dorsey (dorsey@lila.com)

NetBSD-1.2 patches from - VaX#n8 <vax@linkdead.paranoia.com>

Usage() call error in fils.c - Ajay Shekhawat (ajay@cedar.buffalo.edu)

ip_optcopy() statically defined in ip_output.c in SunOS4 - Nick Hall
(nrh@tardis.ed.ac.uk)

3.1.0 7/7/96 - Released

Reformatted ipnat output to be compatible with its input, so that
"ipnat -l | ipnat -rf -" is possible.

3.1.0beta 30/6/96 - Released

NetBSD-1.2 patches from Greg Woods (woods@most.weird.com)

kernel module must not be installed stripped (Solaris2), as created by
"make package" for Solaris2 - Peter Heimann
(peter@i3.informatik.rwth-aachen.de)

3.1.0alpha 5/6/96 - Released

include examples in package for solaris2

patches for removing an extra ip header checksum (FreeBSD/NetBSD/SunOS)

removed trailing space from printouts of rules in ipf.

ipresend supports the same range of inputs that ipftest does.

sending a duplicate copy of a packet to another network device is now
supported.
("dup-to")

sending a packet to an arbitrary interface is now supported, irrespective
of its actual route, with no ttl decrement. Can also be routed without
the ttl being decremented. ("to" and "fastroute").

"call" option added to support calling a generic function if a packet is
matched.

show all (up to 4) recorded bytes from the interface name in logging from
ipmon.

support for using unix file permissions for read/write access on the device
is now in place.

recursive mutex in nat_new() for Solaris 2.x - Per L. Hagen <per@stibo.dk>

ipftest doesn't call initparse() for THISHOST - Catherine Allen
(cla@connect.com.au)

Man page corrections from Rex Bona (rex@pengo.comsmiths.com.au)

3.0.4 10/4/96 - Released

loop in `parsing' IP packets with optlen 0 for ip options.

rule number not initialized and resulted in unexpected results for state
matching.

option parsing and printing bugs - Pradeep Krishnan

3.0.4beta 25/3/96 - Released

wouldn't parse "keep flags keep state" correctly.

SunOS4.1.x ip_input.c doesn't recognise all 1s broadcast address - Nigel Verdon

patches for BSDI's BSD/OS 2.1 and libpcap reader on little endian systems
from Thorsten Lockert <tholo@tetherless.com>

b* functions in fil.c on Solaris 2.4

3.0.3 17/3/96 - Released

added patches to support IP Filter initialisation when compiled into the
kernel.

added -x option to ipmon to display hex dumps of logged packets.

added -H option to ipftest to allow ascii-hex formatted input to specify
arbitrary IP packets.

Sending TCP RSTs as a response now works for Solaris2 x86

add patches to make IP Filter compile into NetBSD kernels properly.

patch to stop SunOS 4.1.x kernels panicking with "data traps".

ipfboot script unloads and reloads ipf module on Solaris2 if it is already
loaded into the kernel.

Installation of IP Filter as a Solaris2 package is now supported.

Man pages for ipnat.4, ipnat.5 added.

added some more regression tests and fixed up IP Filter to pass the new tests
(previous versions failed some of the tests in set 12).

IP option filter processing has changed so that saying "with opt lsrr" will
check only for that one, but not mask out other options, so a packet with
strict source routing, along with loose source routing will match all of
"with opt lsrr", "with opt ssrr" and "with opt lsrr,ssrr".

IPL_NAME needed in ipnat.c - Kelly (kelly@count04.mry.scruznet.com)

patches for clean NetBSD compilation from Bernd Ernesti (bernd@arresum.inka.de)

make install is incorrect - Julian Briggs (julian@lightwork.co.uk)

strtol() returns 0x7fffffff for all negative numbers,
printfr() generates incorrect output for "opt sec-class *",
handling of "not opt xxx opt yyy" incorrect.
- Minh Tonthat (minht@sbei.com)/Pradeep Krishnan (pradeepk@sbei.com)

m_pullup() called only for input and not output; caused problems
with filtering icmp - Nigel Verdon (verdenn@gb.swissbank.com)

parsing problem for "port 1" and NetBSD patches incorrect -
Andreas Gustafsson (gson@guava.araneus.fi)

3.0.2 4/2/96 - Released

Corrected bug where NAT recalculates checksums for fragments.

make NAT recalculate UDP checksums (rather than setting them to 0),
if they're non-zero.
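The 3.0.4 entry above (the loop on an IP option with optlen 0) and the 3.0.3 note on "with opt" matching both concern the IP option walker and the bitmask test a rule applies to its result. What follows is an added example written for this page, not IP Filter's own code: it parses the option area with the length checks that make the walk terminate, reduces it to a bitmask of option types, and applies the "every named option must be present, unnamed ones are ignored" semantics the entry describes. The OPT_* bit values, the OPT_BAD marker, the function names and the sample option bytes are all constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IPv4 option type codes (RFC 791 / RFC 1108 values) */
#define IPOPT_EOL   0
#define IPOPT_NOP   1
#define IPOPT_RR    7
#define IPOPT_TS    68
#define IPOPT_SEC   130
#define IPOPT_LSRR  131
#define IPOPT_SSRR  137

/* One bit per option type; rules use the same bits.  OPT_BAD is this
 * example's marker for an option area that could not be parsed. */
#define OPT_RR   (1u << 0)
#define OPT_TS   (1u << 1)
#define OPT_SEC  (1u << 2)
#define OPT_LSRR (1u << 3)
#define OPT_SSRR (1u << 4)
#define OPT_BAD  (1u << 31)

static unsigned opt_bit(uint8_t type)
{
    switch (type) {
    case IPOPT_RR:   return OPT_RR;
    case IPOPT_TS:   return OPT_TS;
    case IPOPT_SEC:  return OPT_SEC;
    case IPOPT_LSRR: return OPT_LSRR;
    case IPOPT_SSRR: return OPT_SSRR;
    default:         return 0;      /* unknown type: stepped over, not recorded */
    }
}

/* Walk the option bytes that follow the fixed IPv4 header.  Every iteration
 * advances i by at least one byte: EOL ends the walk, NOP is one byte, and
 * any other option must carry a length of at least 2 that stays inside
 * optlen.  A length of 0 or 1 (the 3.0.4 bug) is reported as OPT_BAD
 * instead of being looped on forever. */
unsigned ipv4_options_mask(const uint8_t *opts, size_t optlen)
{
    unsigned mask = 0;
    size_t i = 0;
    while (i < optlen) {
        uint8_t type = opts[i];
        if (type == IPOPT_EOL)
            break;
        if (type == IPOPT_NOP) {
            i++;
            continue;
        }
        if (i + 1 >= optlen)
            return OPT_BAD;                  /* length byte missing */
        size_t len = opts[i + 1];
        if (len < 2 || i + len > optlen)
            return OPT_BAD;                  /* would not advance, or overruns */
        mask |= opt_bit(type);
        i += len;
    }
    return mask;
}

/* Whole-packet form: check ihl against the bytes actually held, then hand
 * the option area (bytes 20..ihl*4) to ipv4_options_mask. */
unsigned ipv4_packet_options(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return OPT_BAD;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;
    if (hlen < 20 || hlen > len)
        return OPT_BAD;
    return ipv4_options_mask(pkt + 20, hlen - 20);
}

/* "with opt a,b": every option the rule names must be present and options it
 * does not name are ignored, so a packet carrying lsrr and ssrr matches
 * "opt lsrr", "opt ssrr" and "opt lsrr,ssrr".  negate gives "with not opt".
 * A packet whose options could not be parsed matches neither form. */
int opt_rule_matches(unsigned pkt_opts, unsigned rule_opts, int negate)
{
    if (pkt_opts & OPT_BAD)
        return 0;
    int hit = (pkt_opts & rule_opts) == rule_opts;
    return negate ? !hit : hit;
}

/* Constructed samples for this example (not captured traffic). */
const uint8_t SAMPLE_LSRR_SSRR[16] = {
    IPOPT_LSRR, 7, 4, 10, 0, 0, 1,       /* lsrr, one hop: 10.0.0.1 */
    IPOPT_SSRR, 7, 4, 10, 0, 0, 2,       /* ssrr, one hop: 10.0.0.2 */
    IPOPT_EOL, 0 };
const uint8_t SAMPLE_OPTLEN_ZERO[4] = { IPOPT_LSRR, 0, 0, 0 };
const uint8_t SAMPLE_TRUNCATED[4]   = { IPOPT_LSRR, 11, 4, 10 };
const uint8_t SAMPLE_NOPS_RR[8]     = { IPOPT_NOP, IPOPT_NOP, IPOPT_RR, 3, 4, IPOPT_EOL, 0, 0 };
const uint8_t SAMPLE_PKT_SRCROUTE[36] = {   /* ihl 9: 20 header + 16 option bytes */
    0x49, 0, 0, 36,  0, 1, 0, 0,  64, 6, 0, 0,  10, 0, 0, 1,  10, 0, 0, 2,
    IPOPT_LSRR, 7, 4, 10, 0, 0, 1,  IPOPT_SSRR, 7, 4, 10, 0, 0, 2,  IPOPT_EOL, 0 };

int main(void)
{
    unsigned m = ipv4_packet_options(SAMPLE_PKT_SRCROUTE, sizeof SAMPLE_PKT_SRCROUTE);
    printf("options 0x%x: opt lsrr %d, opt ssrr %d, opt lsrr,ssrr %d, opt rr %d\n",
           m, opt_rule_matches(m, OPT_LSRR, 0), opt_rule_matches(m, OPT_SSRR, 0),
           opt_rule_matches(m, OPT_LSRR | OPT_SSRR, 0), opt_rule_matches(m, OPT_RR, 0));
    printf("optlen 0 area -> 0x%x\n", ipv4_options_mask(SAMPLE_OPTLEN_ZERO, 4));
    return 0;
}
```

The two guards in the loop are the whole fix: a length byte of 0 or 1 would leave `i` where it was, and a length running past `optlen` would read beyond the header. Reporting such a packet as unparseable rather than silently stopping lets a rule decide what to do with it instead of matching it as option-free.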

DNS patches - Real Page (Real.Page@Matrox.com)

alteration of checksum recalculations in NAT code and addition of
redirection with NAT - Mike Neuman

core dump, if tcp/udp is used with a port number and not service name,
in ipf - Mike Neuman (mcn@engarde.com)

initparse() call, missing to prime "<thishost>" hook - Craig Bishop

3.0.1 14/1/96 - Released

miscellaneous patches for Solaris2

3.0 14/1/96 - Released

Patch included for FDDI, from Richard Ohnemus
(Richard_Ohnemus@dallas.csd.sterling.com)

Code cleanup for release.

3.0beta4 10/1/96

recursive mutex in ipfr_slowtimer fixed, reported by Craig Bishop

recursive mutex in sending TCP RSTs fixed, reported by Tony Becker

3.0beta3 9/1/96

Fixup for Solaris2.5 install and interface name bug in ipftest from
Julian Briggs (julian@lightwork.co.uk)

Byte order patches for ipmon from Tony Becker (tony@mcrsys.com)

3.0beta2 7/1/96

Added the (somewhat warped) IP accounting as it exists in ipfw on FreeBSD.
Note, this isn't really what one would call IP accounting, when compared to
process accounting, sigh.

Split up ipresend into iptest/ipresend/ipsend

Added another m_pullup() inside fr_check() for BSD style kernels and
added some checks to ipllog() to not log more than is present (for short
packets).

Fixed bug where failed hostname/netname resolution goes undetected and
becomes 0.0.0.0 (any) (reported Guido van Rooij)

3.0beta 11/11/95 - Released

Rewrote the way rule testing is done, reducing the number of files needed and
generated.

SIOCIPFFL was incorrectly affected by IPFILTER_LOG (Mathew Green)

Patches from Guido van Rooij to fix sending back TCP RSTs on Net-2/Net-3
BSD based Unixes (panic'd)

Patches for FreeBSD/i86 ipmon from Riku Kalinen <riku@tequila.nixu.fi>
(I think someone else already told me about these but they got lost :-/)

Changed Makefile structure to build object files for different operating
systems in separate directories by default.

BSDI has ef0 for first ethernet interface

Allow for a "not" operator before optional keywords.

The "rule number" was being incorrectly incremented every time it went through
the loop rather than when it matched a rule.

2.8.2 24/10/95 - Released

Fixed up problems with "textip" for doing lots of testing.

Fixed bug in detection of "short" tcp/ip packets (all reported as being short).

Solaris 2.4 port now works 100%.

Man page errors reported and fixed.

Removed duplicate entry in etc/services for login on port 49 (Craig Bishop).

Fixed ipmon output to put a space after the log-letter.

Patch from Guido van Rooij to fix parsing problem.

2.8.1 15/10/95 - Released

Added ttl and tos filtering.

Patches for fixing up compilation and port problems (little endian)
from Guido van Rooij <guido@IAEhv.nl>.

Man page problems reported and fixed by Carson Gaspar <carson@lehman.com>.

ipsend doesn't compile properly on Solaris2.4

Lots of work done for Solaris2.4 to make it MT/MP safe and work.

2.8 15/9/95 - Released

ipmon can now send messages to syslogd (-s) and use names instead of
numbers (-N).

IP packets are now "compiled" into a structure only containing filterable
bits.

Added regression testing in the test/ subdirectory, using a new option
(-b) with the ipftest program.

Added "nomatch" return to filter results. These are counted and show
up in reports from ipfstat.

Moved filter code out of ip_fil.c and into fil.c - there is now only one
instance of it in the package.

Added Solaris 2.4 support.

Added IPSO basic security option filtering.

Added name support for filtering on all 19 named IP options.

Patches from Ivan Brawley to log packet contents as well as packet headers.

Update for sun/conf.c.diff from Ivan Brawley <ibrawley@awadi.com.AU>

Added patches for FreeBSD 1, and added two new switches (-E, -D) to ipf,
along with a new ioctl, SIOCFRENB.
From: Dieter Dworkin Muller <dworkin@village.org>

2.7.3 31/7/95 - Released

Didn't compile cleanly without IPFILTER_LOG defined (Mathew Green).

ipftest now deals with tcpdump3 binary output files (from libpcap) with -P.

Brought ipftest program up to date with actual filter code.

Filter would cause a match to occur when it wasn't meant to if the packet
had short headers and was missing portions that should have been there.
Err, it would rightly not match on them, but their absence caused a match
when it shouldn't have been.

2.7.2 26/7/95 - Released

Problem with filtering just SYN flagged packets reported by
Dieter Dworkin Muller <dworkin@village.org>. To solve this
problem, added support for masking TCP flags for comparison "flags X/Y".

2.7.1 9/7/95 - Released

Added ip_dirbroadcast support for Sun ip_input.c

Fixed up the install scripts for FreeBSD/NetBSD to recognise where they are
better.

2.7 7/7/95 - Released

Added "return-rst" to return TCP RST's to TCP packets.

Actually ported it to FreeBSD-i386 2.0.0, so it works there properly now.

Added insertion of filter rules. Use "@<#>" at the beginning of a filter
to insert a rule at row #.

Filter keeps track of how many times each rule is matched.

Changed compile time things to match kernel option (IPFILTER_LKM &
IPFILTER_LOG).

Updated ip_input.c and ip_output.c with patches for 3.5 Multicast IP.
(No change required for 3.6)

Now includes TCP fragments which start inside the TCP header as being short.
Added counting the number of times each rule is matched.


2.6 11/5/95 - Released

Added -n option to ipf: when supplied, no changes are made to the kernel.

Added installation scripts for SunOS 4.1.x and NetBSD/FreeBSD/BSDI.

Rewrote filtering to use a more generic mask & match procedure for
checking if a packet matches a rule.

2.5.2 27/4/95 - Released

"tcp/udp" and a non-initialised pointer caused the "proto" to become
a `random' value; added "ip#/dotted.mask" notation to the BNF.
From Adam W. Feigin <feigin@iis.ee.ethz.ch>

2.5.1 22/3/95 - Released

"tcp/udp" had a strange effect (undesired) on getserv*() functions,
causing protocol/service lookups to fail. Reported by Matthew Green.

2.5 17/3/95 - Released

Added a new keyword "all" to BNF and parsing of tcpdump/etherfind/snoop
output through the ipftest program. Suggestions from:
Michael Ciavarella (mikec@phyto.apana.org.au)

Conflicts occur when "general" filter rules are used for ports and the
lack of a "proto" when used with "port" matches other packets when only
TCP/UDP are implied.
Reported Matthew Green (mrg@fulcom.com.au);
reported & fixed 6-8/3/95

Added filtering of short TCP packets using "with short" 28/2/95
(These can possibly slip by checks for the various flags). Short UDP
or ICMP are dropped to the floor and logged.

Added filtering of fragmented packets using "with frag" 24/2/95

Port to NetBSD-current completed 20/2/95, using LKM.
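The 2.5 "with short" entry (short TCP packets can slip past the flag checks), the 2.7 note that a TCP fragment starting inside the TCP header counts as short, and the 2.7.2 "flags X/Y" mask all come down to the same few header checks. What follows is an added example written for this page, not IP Filter's own code: it classifies a raw IPv4/TCP buffer as short under those rules, implements the masked flag comparison, and builds constructed test packets inline (addresses, ports, the SHORT_* codes and all function names are this example's own; checksums are left at zero because they play no part in the decision). It goes one step past the entries' wording in also rejecting a TCP data offset that is below 20 bytes or points past the bytes present.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV4_MIN_HLEN 20u
#define TCP_MIN_HLEN  20u
#define IP_OFFMASK    0x1fffu   /* fragment offset field, units of 8 bytes */
#define IP_MF         0x2000u   /* "more fragments" flag */

#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

enum { NOT_SHORT = 0, SHORT_IP = 1, SHORT_TCP = 2, SHORT_FRAG = 3 };

/* Is a buffer of len bytes, claimed to be IPv4 carrying TCP, "short"?
 * SHORT_IP:   IP header not fully present, or it claims bytes we do not hold.
 * SHORT_TCP:  first/only fragment without a complete fixed TCP header, or a
 *             data offset below 20 or running past the bytes present.
 * SHORT_FRAG: non-first fragment whose offset lands inside the TCP header,
 *             so reassembly could overwrite the ports and flags already seen.
 * flags_out, if non-NULL, receives the TCP flags only for NOT_SHORT. */
int tcp_short_check(const uint8_t *pkt, size_t len, uint8_t *flags_out)
{
    if (len < IPV4_MIN_HLEN || (pkt[0] >> 4) != 4)
        return SHORT_IP;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;
    size_t tot = ((size_t)pkt[2] << 8) | pkt[3];
    if (hlen < IPV4_MIN_HLEN || hlen > len || tot < hlen || tot > len)
        return SHORT_IP;

    unsigned off_field = ((unsigned)pkt[6] << 8) | pkt[7];
    size_t frag_off = (size_t)(off_field & IP_OFFMASK) * 8;
    if (frag_off != 0)
        return frag_off < TCP_MIN_HLEN ? SHORT_FRAG : NOT_SHORT;

    size_t avail = tot - hlen;                  /* bytes after the IP header */
    if (avail < TCP_MIN_HLEN)
        return SHORT_TCP;
    const uint8_t *th = pkt + hlen;
    size_t thlen = (size_t)(th[12] >> 4) * 4;   /* TCP data offset */
    if (thlen < TCP_MIN_HLEN || thlen > avail)
        return SHORT_TCP;
    if (flags_out)
        *flags_out = th[13] & 0x3f;
    return NOT_SHORT;
}

/* "flags X/Y": compare only the bits in mask and require them to equal want.
 * "flags S/SA" is want = SYN, mask = SYN|ACK: a bare SYN matches, SYN-ACK
 * does not.  With mask = SYN alone a SYN-ACK would match as well. */
int tcp_flags_match(uint8_t flags, uint8_t want, uint8_t mask)
{
    return (flags & mask) == (want & mask);
}

/* Constructed packet: IPv4 header without options (10.0.0.1 -> 10.0.0.2),
 * then, for a first or only fragment, a 20-byte TCP header 1234 -> 80 with
 * the given flags and data offset, then payload bytes.  trim removes that
 * many trailing bytes from both the buffer and the declared total length,
 * to model a packet that really is that short.  Returns 0 if it won't fit. */
size_t build_packet(uint8_t *buf, size_t bufsz, unsigned off_field,
                    uint8_t flags, uint8_t doff, size_t payload, size_t trim)
{
    int first = (off_field & IP_OFFMASK) == 0;
    size_t n = IPV4_MIN_HLEN + (first ? TCP_MIN_HLEN : 0) + payload;
    if (n > bufsz || n > 0xffff || trim >= n)
        return 0;
    memset(buf, 0, n);
    if (first) {
        uint8_t *th = buf + IPV4_MIN_HLEN;
        th[0] = 0x04; th[1] = 0xd2; th[3] = 0x50;   /* 1234 -> 80 */
        th[12] = (uint8_t)(doff << 4);
        th[13] = flags;
        th[14] = 0x20;                              /* window 0x2000 */
    }
    n -= trim;
    buf[0] = 0x45;                                  /* v4, ihl 5 */
    buf[2] = (uint8_t)(n >> 8); buf[3] = (uint8_t)n;
    buf[5] = 1;                                     /* id */
    buf[6] = (uint8_t)(off_field >> 8); buf[7] = (uint8_t)off_field;
    buf[8] = 64; buf[9] = 6;                        /* ttl, protocol TCP */
    buf[12] = 10; buf[15] = 1; buf[16] = 10; buf[19] = 2;
    return n;
}

/* Build and classify in one call. */
int classify_built(unsigned off_field, uint8_t flags, uint8_t doff,
                   size_t payload, size_t trim)
{
    uint8_t buf[96];
    size_t n = build_packet(buf, sizeof buf, off_field, flags, doff, payload, trim);
    return n ? tcp_short_check(buf, n, NULL) : SHORT_IP;
}

/* A "pass in proto tcp ... flags S/SA" style decision: a short packet never
 * passes, because the flags it would be judged on are not all there. */
int passes_syn_only_rule(unsigned off_field, uint8_t flags, uint8_t doff,
                         size_t payload, size_t trim)
{
    uint8_t buf[96], f = 0;
    size_t n = build_packet(buf, sizeof buf, off_field, flags, doff, payload, trim);
    if (n == 0 || tcp_short_check(buf, n, &f) != NOT_SHORT)
        return 0;
    return tcp_flags_match(f, TH_SYN, TH_SYN | TH_ACK);
}

int main(void)
{
    printf("SYN, full header: %d   only 12 TCP bytes: %d   fragment at offset 8: %d\n",
           classify_built(0, TH_SYN, 5, 0, 0), classify_built(0, TH_SYN, 5, 0, 8),
           classify_built(1, 0, 0, 8, 0));
    printf("SYN passes S/SA: %d   SYN-ACK passes S/SA: %d\n",
           passes_syn_only_rule(0, TH_SYN, 5, 0, 0),
           passes_syn_only_rule(0, TH_SYN | TH_ACK, 5, 0, 0));
    return 0;
}
```

The order of the checks matters: a non-first fragment has no TCP header to inspect, so its only test is whether its offset (in bytes) is smaller than the fixed header, and a first fragment is judged on how much of the TCP header it actually carries rather than on what the IP total length claims. The 2.8.2 entry ("all reported as being short") is the failure mode the NOT_SHORT cases guard against.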

Added logging of the rule # which caused the logging to happen and the
interface on which the packet is currently as suggested by
Andreas Greulich (greulich@math-stat.unibe.ch) 10/2/95

2.4 9/2/95 - Released
Fixed saving of IP headers in ICMP packets.

2.3 29/1/95
Added ipf -F [in|out|all] to flush filter rule sets (SIOCIPFFL).
Fixed iplread() and iplsave() with help from Marc Huber.

2.2 7/1/95 - Released
Added code from Marc Huber <huber@fzi.de> to allow it to allocate
its own major char number dynamically when modload'ing. Fixed up
use of <, >, <=, >= and >< for ports.

2.1 21/12/94 - Released
repackaged to include the correct ip_output.c and ip_input.c *goof*

2.0 18/12/94 - Released
added code to check for port ranges - complete.
rewrote to work as a loadable kernel module - complete.

1.1
added code for output filtering as well as input filtering and added support
for logging to a simple character device of packet headers.

1.0 22/04/93 - Released
First release cut.