HISTORY revision 153877
#
# NOTE: Quite a few patches and suggestions come from other sources, to whom
# I'm greatly indebted, even if no names are mentioned.
#
# Thanks to the Coombs Computing Unit at the ANU for their continued support
# in providing a very available location for the IP Filter home page and
# distribution center.
#
# Thanks also to all those who have contributed patches and other code,
# and especially those who have found the time to port IP Filter to new
# platforms.
#
4.1.10 - Released 6 December 2005

Expand regression testing to cover more features

Add "coverage" build target for BSD

Fix building 64bit sparc target for Solaris

Add IPv6 mobility header to list of accepted keywords for V6 headers

Resolve locking problems on Solaris when sending RST/icmp packets

#ifdef's for IPFILTER_BPF need to check if words are defined before
using them in comparisons

Add checking for SACK permitted option in TCP SYN packets

Fix loading anonymous pools from inline rule configuration groups

Add -C command line option to ipftest

Include extra "const" from NetBSD

Don't require SIOCKSTLCK for SIOCSTPUT

Fix some use of "sticky" on NAT rules

Fix statistical counting of deleting state for TCP connections

Fix compile problems caused by changes to is_opt/is_optmsk in ip_sync.c

Fix TCP out-of-window (OOW) problems:
- window scaling turned off if one chose for its scale factor
- Microsoft Windows TCP sends the "next packet" to the right of the window
  when using SACK and filling in a hole

4.1.9 - Released 13 August 2005

make ipfilter fix IPv4 header checksums for outgoing packets if BRIDGE_IPF
is defined when compiled.

move the definition of SIOCPROXY from ip_nat.h to ip_proxy.h

make the BSD/upgrade script more instructive about the requirements for
ip_rules.[ch] when it is run

register for interface events on FreeBSD (>5.2.1) and NetBSD so that
"ipf -y" is not required to tell ipfilter about interface changes.

for "quick" rules that do "keep state", move the state adding into the rule
evaluation so that we can detect it failing as rules are evaluated and
continue on to the next rather than wait until we're done and it's too late
to recover for more rule processing.

mark ICMP packets advertising an MTU that's too small as being bad

rework ipv6 header parsing to get better code reuse and fix logic errors
in dealing with ipv6 packets containing fragment headers. Also, where a
protocol handler was doing both v4 & v6, make a separate function for each.

build for both amd64 and i86pc (32bit) on Solaris10 and later, if possible

include start of work to get IPFilter working on AIX 5.3

Use FI_ICMPERR flag rather than try to compute its equivalent all the time

Rework IPv6 extension header parsing to get better code reuse

Add missing timeout on Linux

Fix for locking when reading from ipsync (Frank Volf)

Fix insertion/appending of rules that use a collection number

Somehow turning up the spl knob to splnet disappeared on platforms that still
use the spl interface.

fix problems with "ipf -T" not listing multiple variables properly

4.1.8 - Released 29 March 2005

include patch from Phil Dibowitz for sorting ipfstat -t output by source or
destination port.

fix a bug in printing rules where interface names could not be printed,
even if they're in the rule structure.

fix BSD/kupgrade to correctly change ipfilter lkm Makefile for FreeBSD

add 2 new features to SIOCGNATL:
- if IPN_FINDFORWARD is set, check if the respective MAP is already
  present in the outbound table
- if IPN_IN is set, search for a matching MAP entry instead of RDR
  (Peter Potsma)

turn off function inlining for freebsd 5.3+

UDP doesn't pullup enough data which can sometimes cause a panic.
Fix other protocols, as required, where a similar problem may exist.

overhaul the timeout queue management, especially that for user defined queues
which are now only freed in an orderly manner.

4.1.7 - Released 13 March 2005

Using the GRE call field is almost impossible because it is unbalanced and
both call fields are not present in each v1 header.

Fix a problem where it was possible to load duplicate rules into ipf

patch from John Wehle to address problems with fastroute on solaris

Copying data out for ipf -z failed because it tried to copy out to an address
that is a kernel pointer in user space.

add "ip" timeout for both NAT & state that's for non-TCP/UDP/ICMP

synch up with NetBSD's changes

fix problems parsing long lines of text in the ftp proxy where they would not
be parsed properly and stop the session from working

enhance the PPTP proxy so that it tries to decode messages in the TCP stream
so it knows when to create and destroy the state/nat sessions for GRE. There
are also 4 new regression tests for it, testing map/rdr rules.

impose some limits on the size of data that can be moved with SIOCSTPUT in
the NAT code and also prevent a duplicate session entry from being created
using this method.

add a new flag (IPN_FINDFORWARD) to NAT code that can be used with SIOCGNATL
to check if it is possible to create an outgoing transparent NAT mapping to
complement the redirect being investigated.

Linux requires that the checksums in the IP header get adjusted

only resolve unknown interfaces in fr_stinsert, and nuke all interface pointers
in SIOCSTPUT to prevent bad data being loaded from userspace.

make the byte counting for state correct (was counting data from ICMP packet
twice)

print out the keyword "frag-body" if the flag is set.

fix ipfs loading/restoring NAT sessions

patch from Frank to correctly format IP addresses in ipfstat -t output

parsing port numbers in ipf/ipnat was confusing as the port number was returned
in an int that was also overloaded to be the success/failure. instead, change
the port using pass by reference and only use the return value for indicating
success or failure.

4.1.6 - Released 19 February 2005

add a new timeout number to NAT (fr_defnatipage) that is used for all
non-TCP/UDP/ICMP protocols - default 60 seconds.

buffer leak with bad nat - David Gueluy

fix memory leak with state entries created by proxies

eliminate copying too much data into a scan buffer

allow a trailing protocol name for map rules as well as rdr ones

fix bug in parsing of <= and > for NAT rules (two were crossed over)

FreeBSD's iplwrite hasn't kept pace with iplread's prototype

expand documentation on the karma of using "auto" in ipnat map rules

add matching on IP protocol to ipnat map rules

allow ippool definitions to contain no addresses to start with

Linux NAT needs to modify the IP header checksum as it gets called after it
has been computed by IP.

UDP was missing a pullup for packet header information before examining
the header

4.1.5 - Released 9 January 2005

all rules were being converted into "dup-to" rules in the kernel

fix two ftp proxy problems: 1st, buffer needs to be bigger for fitting in
complete RETR/CWD commands, 2nd is () use in 227 messages isn't copied
over correctly.

response to CWDs
revert ip_off back to network byte order in the ICMP error packet that
gets generated.

4.1.4 - Released 9 January 2005

force NAT rules to only match ipv4 NAT rules (which all are, currently,
by default)

include state synchronisation fixes from Frank Volf

make the maximum log size for internally buffered log entries accessible
via "ipf -T"

redesign start of fr_check() to avoid putting duplicate information in
ipfilter about how much data needs to be pulled up for a protocol to be
properly filtered.

tidy up sending ICMP error messages - some bad inputs could result in
data not being freed and/or no error returned.

make the maximum size of the log buffer run-time tunable

fix bug in parsing TCP header when looking for MSS option that could make
the system hang

change pool lookups that fail to find a match to return "no match"
rather than fail.

add run-time tunable debugging for proxy support code and FTP proxy.

fix state table updates for entries where the first packet was an ICMPv6
multicast message

fix hang when flushing state for v4/v6 and other (v6/v4) entries are present
too

attaching filtering to ipv6 pfil hook wasn't present for solaris

don't allow rules with "keep state" and "with oow"

move a bunch of userland only code from fil.c to ip_fil.c

make fr_coalesce() more resilient to bad input, just returning an error
instead of crashing, making calling it easier in many places

When m_pulldown doesn't return NULL, it doesn't necessarily return a pointer
to the same mbuf passed in as the first arg.

remove fr_unreach and use ENETUNREACH by default.

printing out of tag data in ipf rules doesn't match input syntax

ipftest(1) man page update

ipfs command line option parsing still rejects some valid syntaxes

SIGHUP handling by ipmon was not as safe as it could be

fix various parsing regressions, including "<thishost>", "tcpudp", ordering
of "keep" options

patches from Frank Volk: add udp_acktimeout to sysctl list for FreeBSD,
ICMP packet length not calculated correctly in send_icmp_err, reply-to
not printed by ipfstat, keep state with icmp passing (mtrr)

patches for return-rst and return-icmp from Attila Fueloep
(lichtscheu@gesindel.org)

4.1.3 - Released 18 July 2004

do some more fine tuning on NAT checksum adjustments

correct IP address byte order in proxy setup for ipsec/pptp

man page updates

fix numerous problems with ipfs operation

complete new syntax for ipmon.conf in its parser and update the sample file

assign error value consistently in fastroute code

rewrite allocation of mbufs in send_reset/send_icmp_err to better use
mbuf clusters and size calculations

resolve problem with linux panic'ing because the wrong flag was being
passed to skb_clone/skb_alloc

enable use of shared/exclusive locks on freebsd5 and above

do not rely on m_pkthdr.len to be valid all the time for mbufs on modern BSD
and so use mbufchainlen to get the mbuf length instead

replace lots of COPYIN/COPYOUT with BCOPYIN/BCOPYOUT where the data is
going to be on the stack and not in userland

packet buffer pointers were not refreshed & used properly in fr_check()

include extra bits for OpenBSD 3.4 & 3.5.

fix ipf/ipnat parsing regression problems with v3.4

4.1.2 - RELEASED - 27 May 2004

add state top for ipv6

fix numerous parsing regressions

change sample proxies to use SIOCGNATL with the new API

allow macro names to contain underscores (_)

split the parser into a collection of dictionaries so that keywords do
not interfere with resolving hostnames and portnames

fix ipfrule LKM loading on freebsd

support mapping a fixed range of ports to a single port

fix timeout queue use by proxies with private queues

handle space-led ftp server replies properly

fix timeout queue management

fix fastroute, generation of RST & ICMP packets and operation with to/fastroute

resolve further linux compatibility problems

replace the use of COPYIN with BCOPYIN for platforms that provide ioctl
args on the stack

allow flushing of ipv6 rules independent of ipv4 rules

correct internal ipv6 checksum calculations

if a 'keep state' rule fails to create state, block the packet rather
than let it through

correct all checksums in regression tests and correct NAT code to adjust
checksums correctly.

fix ipfs -R/-W

4.1.1 - RELEASED - 24 March 2004

allow new connections with the same port numbers as an existing one
in the state table if the creating packet is a SYN

timeout values have drifted, incorrectly, from what they were in 3.4

FreeBSD - compatibility changes for 5.2

don't match on sequence number (as well) for ICMP ECHO/REPLY, just the
ICMP Id. field as otherwise there is a state/NAT entry per packet pair
rather than per "flow"

fr_cksum() returned the wrong answer for ICMP

Linux:
- get return-rst and return-icmp working
- treat the interface name the same as if_xname on BSD

adjust expectations for TCP urgent bits based on observed traffic in the
wild

openbsd3.4 has ip_len/ip_off in network byte order when ipfilter is called

fix flushing of hash pool groups (ippool -F) as well as displaying them
(ippool -l)

passing of pointers to interface structures wrong for HP-UX/Solaris with
return-* rules.

Make the solaris boot script able to run on 2.5.1

ippool related files missing from Solaris packages

The name /dev/ippool should be /dev/iplookup

add regression testing for parsing long interface names in nat rules,
along with mssclamp and tags. Also add test for mssclamp operation.

ttl displayed for "ipfstat -t" is wrong because ttl is not computed.

parse logical interface names (Sun)

unloading LKMs was only working if they were enabled.

sync'ing up NAT sessions when NICs change should cause NAT rules to
re-lookup name->pointer mappings

not all of the ippool ioctl's are IOWR and they should be because they
use the ipfobj_t for passing information in/out of the kernel. leave the
old values defined and handle them, for compatibility.

pool stats wrong: ippoolstate used where ipoolstat should be, hash table
 statistics not reported at all

fr_running not set correctly for OpenBSD when compiled into the kernel

Allow SIOCGETFF while disabled

Fix mssclamp with NAT (parsing and printing of the word, plus wrong bytes
altered. How do you say "untested" ?)

4.1 - RELEASED - 12 February 2004

4.0-BETA1 20 August 2003

support 0/32 and 0/0 on the RHS in redirect rules

where LHS and RHS netmasks are the same size for redirect, do 1:1 mapping
for bimap rules.

allow NAT rule to match 'all' interfaces with * as interface name

do mapping of ICMP sequence id#'s in pings

allow default age for NAT entries to be set per NAT rule

provide round robin selection of destination addresses for redirect

ipmon can load a configuration file with instructions on actions
to take when a matching log entry is received

now requires pfil to work on Solaris & HP-UX

supports mapping outbound connections to a specific address/port

support toggling of logging per ipfilter 'device'

use queues to expire data rather than lists

add MSN RPC proxy

add IRC proxy

support rules with dynamic ip addresses

add ability to define a pool of addresses & networks which can then
be placed in a single rule

support passing entire packet back to user program for authentication

support master/slave for state information sharing

reorganise generic code into a lib directory and make libipf.a

user programs enforce version matching with the kernel

supports window scaling if seen at TCP session setup

generates C code from filter rules to compile in or load as native
machine code.

supports loading rules comprised of BPF bytecode statements

HP-UX 11 port completed

and packets-per-second filtering

add numerical tags to rules for filtering and display in ipmon output

3.4.4 23/05/2000 - Released

don't add TCP state if it is an RST packet and (attempt) to send out
RST/ICMP packets in a manner that bypasses IP Filter.

add patch to work with 4.0_STABLE delayed checksums

3.4.3 20/05/2000 - Released

fix ipmon -F

don't truncate IPv6 packets on Solaris

fix keep state for ICMP ECHO

add some NAT stats and use def_nat_age rather than DEF_NAT_AGE

don't make ftp proxy drop packets

use MCLISREFERENCED() in tandem with M_EXT to check if IP fields need to be
swapped back.

fix up RST generation for non-Solaris

get "short" flag right for IPv6

3.4.2 - 10/5/2000 - Released

Fix bug in dealing with "hlen == 1 and opt > 1" - Itojun

ignore previous NAT mappings for 0/0 and 0/32 rules

bring in a completely new ftp proxy

allow NAT to cause packets to be dropped.

add NetBSD callout support for 1.4-current

3.4.1 - 30/4/2000 - Released

add ratoui() and fix parsing of group numbers to allow 0 - UINT_MAX

don't include opt_inet6.h for FreeBSD if KLD_MODULE is defined

Solaris must use copyin() for all types of ioctl() args

fix up screen/tty when leaving "top mode" of ipfstat

linked list for maptable not setup correctly in nat_hostmap()

check for maptable rather than nat_table[1] to see if malloc for maptable
succeeded in nat_init

fix handling of map NAT rules with "from/to" host specs

fix printout of source address when using "from/to" with map rules

convert ip_len back to network byte order, not plen, for solaris as ip_len
may have been changed by NAT and plen won't reflect this

3.4 - 27/4/2000 - Released

source address spoofing can be turned on (fr_chksrc) without using
filter rules

group numbers are now 32bits in size, up from 16bits

IPv6 filtering available

add frank volf's state-top patches

add load splitting and round-robin attribute to redirect rules

FreeBSD-4.0 support (including KLD)

add top-style operation mode for ipfstat (-t)

add save/restore of IP Filter state/NAT information (ipfs)

further ftp proxy security checks

support for adding and removing proxies at runtime

3.3.13 26/04/2000 - Released

Fix parsing of "range" with "portmap"

Relax checking of ftp replies, slightly.

Fix NAT timeouts for ICMP packets

SunOS4 patches for ICMP redirects from Jurgen Keil (jk@tools.de)

3.3.12 16/03/2000 - Released

tighten up ftp proxy behaviour. sigh. yuck. hate.

fix bug in range check for NAT where the last IP# was not used.

fix problem with icmp codes > 127 in filter rules caused bad things to
happen and in particular, where #18 caused the rule to be printed
erroneously.

fix bug with the spl level not being reset when returning EIO from
iplioctl due to ipfilter not being initialized yet.

3.3.11 04/03/2000 - Released

make "or-block" work with lines that start with "log"

fix up parsing and printing of rules with syslog levels in them

fix from Cy Schubert for calling of apr_fini only if non-null


3.3.10 24/02/2000 - Released

* fix back from guido for state tracking interfaces

* update for NetBSD pfil interface changes

* if attaching fails and we can abort, then cleanup when doing so.

julian@computer.org:
* solaris.c (fr_precheck): After calling freemsg on mt, set it to point to *mp.
* ipf.c (packetlogon): use flag to store the return value from get_flags.
* ipmon.c (init_tabs): General cleanup so we do not have to cast
  an int s->s_port to u_int port and try to check if the u_int port
  is less than zero.

3.3.9 15/02/2000 - Released

fix scheduling of bad locking in fr_addstate() used when we attach onto
a filter rule.

fix up ip_statesync() with storing interface names in ipstate_t

fix fr_running for LKM's - Eugene Polovnikov

junk using pullupmsg() for solaris - it's next to useless for what we
need to do here anyway - and implement what we require.

don't call fr_delstate() in fr_checkstate(), when compiled for a user
program, early but when we're finished with it (got fr & pass)

ipnat(5) fix from Guido

on solaris2, copy message and use that with filter if there is another
copy of it being used (db_ref > 1). bad for performance, but better
than causing a crash.

patch for solaris8-fcs compile from Casper Dik

3.3.8 01/02/2000 - Released

fix state handling of SYN packets.

add parsing recognition of extra icmp types/codes and fix handling of
icmp time stamps and mask requests - Frank volf

3.3.7 25/01/2000 - Released

sync on state information as well as NAT information when required

record nat protocol in all nat log records

don't reuse the IP# from an active NAT session if the IP# in the rule
has changed dynamically.

lookup the protocol for NAT log information in ipmon and pass that to
portname.

fix the bug with changing the outbound interface of a packet where it
would lead to a panic.

use fr_running instead of ipl_inited. (sysctl name change on freebsd)

return EIO if someone attempts an ioctl on state/nat if ipfilter is not
enabled.

fix rule insertion bug

make state flushing clean anything that's not fully established (4/4)

call fr_state_flush() after we've released ipf_state so we don't generate
a recursive mutex acquisition panic

fix parsing of icmp code after return-icmp/return-icmp-as-dest and add
some patches to enhance parsing strength

3.3.6 28/12/1999 - Released

add in missing rwlock release in fr_checkicmpmatchingstate() and fix check
for ICMP_ECHO to only be for packet, not state entry which we don't have yet.

handle SIOCIPFFB in nat_ioctl() and fr_state_ioctl()

fix size of friostat for SunOS4

fix bug in running off the end of a buffer in real audio proxy

3.3.5 11/12/1999 - Released

fix parsing of "log level" and printing it back out too

<net/if_types.h> is only present on Solaris2.6/7/8

use send_icmp_err rather than icmp_error to send back a frag-needed error
when doing PMTU

do not use -b with add_drv on Solaris unless $BASEDIR is set.

fix problem where source address in icmp replies is reversed

fix yet another problem with real audio.

3.3.4 4/12/1999 - Released

fix up the real audio proxy to properly setup state information and NAT
entries, thanks to Laine Stump for testing/advice/fixes.

fix ipfr_fastroute to set dst->sin_addr (Sean Farley - appears to prevent
FreeBSD 3.3 from panic'ing) as this had been removed in prior hacks to this
routine.

fix kinstall for BSDI

support ICMP errors being allowed through for ICMP packets going out with
keep state enabled

support hardware checksumming (gigabit ethernet cards) on Solaris thanks to
Tel.Net Media for providing hardware for testing.

patches from Frank Volf for ipmon (ICMP & fragmented packets) and allowing
ICMP responses to ICMP packets in the keep state table.

add in patches for hardware checksumming under solaris

Solaris install scripts now use $BASEDIR as appropriate.

add Solaris8 support

fix "ipf -y" on solaris so that it rescans rules also for changes in
interface pointers

let ipmon become a daemon with -D if it is using syslog

fix parsing of return-icmp-as-dest(foo)

add reference to ipfstat -g to ipfstat.8

ipf_mutex needs to be declared for irix in ip_fil.c

3.3.3 22/10/1999 - Released

add -g command line option to ipfstat to show groups still defined.

fix problem with fragment table not recording rule pointer when called
from state functions (fin_fr not set).

fixup fastroute problems with keep state rules.

load rules into inactive set first, so we don't disable things like NIS
lookups half way through processing - found by Kevin Littlejohn

fix handling of unaligned ip pointer for solaris

patch for fr_newauth from Rudi Sluijtman

fixed htons() bug in fr_tcpsum() where ip_p wasn't cast to u_short

3.3.2 23/09/1999 - Released

patches from Scott Presnell to fix rcmd proxy

patches from Greg to fix Solaris detachment of interfaces

add openbsd compatibility fixes

fix free'ing already freed memory in ipfr_slowtimer()

fix for dereferencing invalid memory in cleaning up after a device disappears

3.3.1 14/8/1999 - Released

remove include file sys/user.h for irix

prevent people from running buildsunos directly

fix up some problems with the saving of rule pointers so that NAT saves
that information in case it should need to call fr_addstate() from a proxy.

fix up scanning for the end of FTP messages

don't remove /etc/opt/ipf in postremove

attempt to prevent people running buildsolaris script without doing a
"make solaris"

fix timeout losing on freebsd3

3.3 7/8/1999 - Released

NAT: information (rules, mappings) are stored in hash tables; setup some
basic NAT regression testing.

display version name of installed kernel code when initializing.

add -V command line option to ipf, showing version (program and kernel
module) as well as the run-status of the kernel code.

fix problem with "log" rules actually affecting result of filtering.

automatically use SUNWspro if available and on a 64bit Solaris system for
compiling.

add kernel proxies for rcmd(3) and RealAudio (PNA)

use timeout/untimeout on SunOS4/BSD platforms too rather than hijacking
ip_slowtimo

fix IP headers generated through parsing of text information

fix NAT rules to be in the correct order again.

make keep-state work with to/fastroute keywords and enforce usage of those
interfaces.

update keep-state code with new algorithm from Guido

add FreeBSD-3 support

add return-icmp-as-dest option to return an ICMP packet using the original
destination as the source rather than a local IP address

add "level [facility.]<priority>" option to filter language

add changes from Guido to state code.

add code to return EPERM if the device is opened for writing and we're
in securelevel 2 or greater.

authentication code patches from Guido

fix real audio proxy

fix ipmon rule printing of interfaces and add IN/OUT to the end of ipmon
log output.

fix bimap rules with hash tables

update addresses used in NAT mappings for 0/32 rules for any protocol but TCP
if it changes on the interface - check every ip_natexpire()

add redirect regression test

count buckets used in the state hash table.

fix sending of RST's with return-rst to use the ack number provided in
the packet being replied to in addition to the sequence number.

fix to compile as a 64bit application on solaris7-64bit

add NAT IP mapping to ranges of IP addresses that aren't CIDR specified

fix calculation of in_space parameter for NAT

fix `wrapping' when incrementing the next ip address for use in NAT

fix free'ing of kernel memory in ip_natunload on solaris

fix -l/-U command line options from interfering with each other

fix fastroute under solaris2 and cleanup compilation for solaris7

add install scripts and compile cleanly on BSD/OS 4.0

safely open files in /tmp for writing device output when testing.

fix uninitialized pointer bug in NAT

fix SIOCZRLST (zero list rule stats) bug with groups

change some usage of u_short to u_int in function calling

fix compilation for Solaris7 (SUNWspro)

change solaris makefiles to build for either sparc or i386 rather than
per-cpu (sun4u, etc).

fixed bug in ipllog

add patches from George Michaelson for FreeBSD 3.0

add patch from Guido to provide ICMP checking for known state in the same
manner as is done for NAT.

enable FTP PASV proxying and enable wildcarding in NAT/state code for ports
for better PORT/PASV support with FTP.

bring into main tree static nat features: map-block and "auto" portmapping.

add in source host filtering for redirects (alan jones)

3.2.10 22/11/98 - Released

3.2.10beta9 17/11/98 - Released

fix fr_tcpsum problems in handling mbufs with an odd number of bytes
and/or split across an mbuf boundary

fix NAT list entry comparisons and allow multiple entries for the same
proxy (but on different ports).

don't create duplicate NAT entries for repeated PORT commands.

3.2.10beta8 14/11/98 - Released

always exit an rwlock before expecting to enter it again on solaris

fix loop in nat_new for pre-existing nat

don't setup state for an ftp connection if creating nat fails.

3.2.10beta7 05/11/98 - Released

set fake window in ipft_tx.c to ensure code passes tests.

cleaned up/enhanced ipnat -l/ipnat -lv output

fixed NAT handling of non-TCP/UDP packets, esp. for ICMP errors returned.

Solaris recursive mutex on icmp-error/tcp-reset - requires rwlock's rather
than mutexes.

3.2.10beta6 03/11/98 - Released

fix mixed use of krwlock_t and kmutex_t on Solaris2

fix FTP proxy back up, splitting pasv code out of port code.

3.2.10beta5 02/11/98 - Released

fixed port translation in ICMP reply handling

3.2.10beta4 01/11/98 - Released

increase useful statistic collection on solaris

filter DL_UNITDATA_REQ as well as DL_UNITDATA_IND on solaris

disable PASV reply translation for now

fail with an error if we try to load a NAT rule with a non-existent
 proxy name - Guido

fix portmap usage with 0/0 and 0/32 map rules

remove ap_unload/ap_expire - automatically done when NAT is cleaned up

print "STATE:CLOSED" from ipmon if the connection progresses past established
 rather than "STATE:EXPIRED"

3.2.10beta3 26/10/98 - Released

fixed traceroute/nat problem

rewrote nat/proxy interface

ipnat now lists associated proxy sessions for each NAT where applicable

3.2.10beta2 13/10/98 - Released

use KRWLOCK_T in place of krwlock_t for solaris as well as irix

disable use of read-write lock acquisition by default

add in mb_t for linux, non-kernel

some changes to progress compilation on linux with glibc

change PASV as well as PORT when passed through kernel ftp proxy.

don't allow window to become 0 in tcp state code

make ipmon compile cleaner

irix patches

3.2.10beta 11/09/98 - Released

stop fr_tcpsum() thinking it has run out of data when it hasn't.

stop solaris panics due to fin_dp being something wild.

revisit usage of ATOMIC_*()

log closing state of TCP connection in "keep state"

fix fake-arp table code for ipsend.

ipmon now writes pid to a file.

fix "ipmon -a" to actually activate all logging devices.

add patches for BSDOS4.

perl scripts for log analysis donated.

3.2.9 22/06/98 - Released

fix byte order for ICMP packets generated on Solaris

fix some locking problems.

fix malloc bug in NAT (introduced in 3.2.8).

patch from guido for state connections that get fragmented

3.2.8 08/06/98 - Released

use readers/writers locks in Solaris2 in place of some mutexes.

Solaris2 installation enhancements - Martin Forssen (maf@carlstedt.se)

3.2.7 24/05/98 - Released

u_long -> u_32_t conversions

patches from Bernd Ernesti for NetBSD

fixup ipmon to actually handle HUP's.

Linux fixes from Michael H. Warfield (mhw@wittsend.com)

update for keep state patch (not security related) - Guido

dumphex() uses stdout rather than log

3.2.6 18/05/98 - Released

fix potential security loop hole in keep state code.

update examples.

3.2.5 09/05/98 - Released

BSD/OS 3.1 .o files added for the kernel.

fix sequence # skew vs window size check.

fix minimum ICMP header size check.

remove references to Cybersource.

fix my email address.

remove ntohl in ipnat - Thomas Tornblom

3.2.4 09/04/98 - Released

add script to make devices for /dev on BSD boxes

fixup building into the kernel for FreeBSD 2.2.5

add -D command line option to ipmon to make it a daemon and SIGHUP causes
it to close and reopen the logfile

fixup make clean and make package for SunOS5 - Marc Boucher

postinstall keeps adding "minor=ipf ipl" - George Ross <gdmr@dcs.ed.ac.uk>

protected by IP Filter gif - Sergey Solyanik <solik@atom.ru>

3.2.3 10/11/97 - Released

fix some iplang bugs

fix tcp checksum data overrun, sgi #define changes,
avoid infinite loop when nat'ing to single IP# - Marc Boucher

fixup DEVFS usage for FreeBSD

fix sunos5 "make clean" cleaning up too much

3.2.2 28/11/97 - Released

change packet matching to return actual error, if bad packet, to facilitate
ECONNRESET for TCP.

allow ip:netmask in grammar too now - Guido

assume IRIX has u_int32_t in sys/types.h (needed for R10000)

rewrite parts of command line options for ipmon

fix TCP urgent packet & offset testing and add LAND attack test for iptest

fix grammar error in yacc grammar for iplang

redirect (rdr) destination port byte-swapped when it shouldn't be.

general: fr_check now returns error code, such as EHOSTUNREACH or
ECONNRESET (attempt to make ECONNRESET work for locally outbound
packets).

linux: enable return-rst, need to filter tcp retransmits which are sent
 separately from normal packets

memory leak plugged in ip_proxy.c

BSDI compatibility patches from Guido

tcp checksum fix - Marc Boucher

recursive mutex and ioctl param fix - Marc Boucher

3.2.1 12/11/97 - Released

port to BSD/OS 3.0

port to Linux 2.0.31

patches to make "map a/m -> 0/0" work with ftp proxying properly - Marc Boucher

add "ipf -F s" and "ipf -F S" to flush state table entries.

announce if logging is on or off when ip filter initializes.

"ipf -F a" doesn't flush groups properly for Solaris.

3.2 30/10/97 - Released

ipnat doesn't successfully remove proxy mappings with "-rf" -
Alexander Romanyu

use K&R C function style for solaris kernel code

use m_adj() to decrease packet size in ftp proxy

use mbufchainlen rather than msgdsize,
IRIX update - Marc Boucher

fix NetBSD modunload bug (pfil_add_hook done twice)

patches for OpenBSD 2.1 - Craig Bevins <craigb@bitcom.net.au>

3.2beta10 24/10/97 - Released

fix fragment table entries allocated for NAT.

fix tcp checksum calculations over mbuf/mblk boundaries

fix panic for blen < 0 in ftp kernel proxy - marc boucher

fix flushing of rules which have been grouped.

3.2beta9 20/10/97 - Released

some nit picking on solaris2 with SUNWspro - Michael Lyle <mrl@rpnet.net>

ftp kernel proxy patches from Marc Boucher

3.2beta8 13/10/97 - Released

add support for passing ICMP errors back through NAT.

IRIX port update - Marc Boucher

calculate correct MIN size of packet to log for UDP - Marc Boucher

need htons(ETHERTYPE_x) on little endian BSD boxes - Dave Huang

copyright header fixups

3.2beta7 23/09/97 - Released

fix up problems introduced by prior merges & changes.

3.2beta6 23/09/97 - Released

patch for spin-reading race condition - Marc Boucher.

IRIX port by Marc Boucher.

compatibility updates for Linux to ipsend

3.2beta5 13/09/97 - Released

patches from Bernd Ernesti for NetBSD integration (mostly prototyping and
compiler warning things)

ipf -y will resync IP#'s allocated with 0/32 in NAT to match interface if it
changes.

update manual pages and other documentation updates.

3.2beta4 27/8/97 - Released

enable setting IP and TCP options for iplang/

Solaris2 patches from Marc Boucher.

add groups for filter rules.

3.2beta3 21/8/97 - Released

patches for Solaris2 (interface panic solution ?): fix FIONREAD and
replacing q_qinfo pointers - Marc Boucher <marc@CAM.ORG>

change ipsend/* and ipsd/* copyright notices to be the same as ip filter's

patch for SYN-ACK skew testing fix from Eric V. Smith <EricSmith@windsor.com>

3.2beta2 6/8/97 - Released

make it load on Solaris 2.3

rewrote logging to remove solaris errors, introduced checking to see if the
same packet is logged successively.

fix filter cache to work when there are no rules loaded.

add "raw" option to ipresend to send entire ethernet frames.
1192 1193nat list corruption bug - NetBSD - Klaus Klein 1194 11953.2beta1 5/7/97 - Released 1196 1197patches from Jason Thorpe fixing: UNSIGNED_CHAR lossage, off_t being 64bits 1198lossage, and other NetBSD bits. 1199 1200NetBSD 1.2G update. 1201 1202fixup fwtk patches and add protocol field for SIOCGNATL. 1203 1204rdr bugs reported by Alexander Romanyu (alexr@aix.krid.crimea.ua), with 1205fixes: 1206* rdr matched all packets of a given protocol (ignored ports). 1207* severe bug in nat_delete which caused system crash/freeze. 1208 1209change Makefile so that CC isn't passed on for FreeBSD/NetBSD (will use 1210the default CC - cc, not gcc) 1211 12123.2alpha9 16/6/97 - Released 1213 1214added "skip" keyword. 1215 1216implement preauthentication of packets, as outlined by Guido. 1217 1218Make it compile as cleanly as possible with -Wall & general code cleanup 1219 1220getopt returns int, not char. Bernd Ernesti 1221 12223.2alpha8 13/6/97 - Released 1223 1224code added to support "auth" rules which require a user program to allow them 1225through. First revision and much of the code came from Guido. 1226 1227hex output from ipmon doesn't goto syslog when recovering from out of sync 1228error. Luke Mewburn (lukem@connect.com.au) 1229 1230fix solaris2.6 lookup of destination ire's. 1231 1232ipnat doesn't throw away unused bits (after masking), causing it to 1233behave incorrectly. Carson Gaspar 1234 1235NAT code doesn't include inteface name when matching - Alexey Mavrin 1236<lha@elco.spb.ru> 1237 1238replace old SunOS tcpip.h with new tcpip.h (from 4.4BSD) - Jason Thorpe. 1239 1240update install procedures to include ip_proxy.c 1241 1242mask out unused bits in NAT/RDR rules. 1243 1244use a generic type (u_32_t) for 32bit variables, rather than rely on 1245u_long being such - Jason Thorpe. 1246 1247create a local "netinet" directory and include from ~netinet/*" rather than 1248just "*" to make keeping the code working on ports easier. 
1249 1250add an m_copydata and m_copyback for SunOS4 (based on 4.4BSD-Lite versions) 1251 1252documentation updates. 1253 1254NetBSD update from Jason Thorpe <thorpej@netbsd.org> 1255 1256allow RST's through with a matching SEQ # and 0 ACK. Guido Van Rooij 1257 1258ipmon uses excessive amounts of CPU on Solaris2 - Reinhard Bertram 1259<Reinhard.Bertram@KOM.th-darmstadt.de> 1260 12613.2alpha7 25/5/97 - Released 1262 1263add strlen for pre-2.2 kernels - Doug Kite <dkite@websgi.icomnet.com> 1264 1265setup bits and pieces for compiling into a FreeBSD-2.2 kernel. 1266 1267split up "bsd" targets. Now a separate netbsd/freebsd/bsd target. 1268mln_ipl.c has been split up into itself and mlf_ipl.c (for freebsd). 1269 1270fix (negative) host matching in filtering. 1271 1272add sysctl interface for some variables when compiled into FreeBSD-2.2 kernels 1273or later. 1274 1275make all the candidates for kernel compiling include "netinet/..." and build 1276a subdirectory "netinet" when compiling and symlink all .h files into this. 1277 1278add install make target to Makefile.ipsend 1279 12803.2alpha6 8/5/97 - Released 1281 1282Add "!" (not) to hostname/ip matching. 1283 1284Automatically add packet info to the fragment cache if it is a fragment 1285and we're translating addreses for. 1286 1287Automatically add packet info to the fragment cache if it is a fragment 1288and we're "keeping state" for the packet. 1289 1290Solaris2 patches - Anthony Baxter (arb@connect.com.au) 1291 1292change install procedure for FreeBSD 2.2 to allow building to a kernel 1293which is different to the running kernel. 1294 1295add FIONREAD for Solaris2! 1296 1297when expiring NAT table entries, if we would set a time to fr_tcpclosed 1298(which is 1), make it fr_tcplaskack(20) so that the state tables have a 1299chance to clear up. 1300 13013.2alpha5 1302 1303add proxying skeleton support and sample ftp transparent proxy code. 1304 1305add printfs at startup to tell user what is happening. 
1306 1307add packets & bytes for EXPIRE NAT log records. 1308 1309fix the "install-bsd" target in the root Makefile. Chris Williams 1310<psion@mv.mv.com> 1311 1312Fixes for FreeBSD 2.2 (and later revs) to prevent panics. Julian Assange. 1313 13143.2alpha4 2/4/97 - Released 1315 1316Some compiler warnings cleaned up. 1317 1318FreeBSD-2.2 patches for LKM completed. 1319 13203.2alpha3 31/3/97 - Released 1321 1322ipmon changes: -N for reading NAT logfile, -S for reading state logfile. 1323-a for reading all. -n now toggles hostname resolution. 1324 1325Add logging of new state entries and expiration of old state entries. 1326count log successes and failures. 1327 1328Add logging of new NAT entries and expiration of old NAT entries. 1329count log successes and failures. 1330 1331Use u_quad_t for records of bytes & packets where kept 1332(IP Accounting: fr_hits, fr_bytes; IP state: is_pkts, is_bytes). 1333 1334Fixup use of CPU and DCPU in Makefiles. 1335 1336Fix broken 0/32 NAT mapping. Carl Makin <cmakin@nla.gov.au> 1337 13383.2alpha2 1339 1340Implement mapping to 0/32 as being an alias for automatically using the 1341interface's first IP address. 1342 1343Implement separate minor devices for both NAT and IP state code. 1344 1345Fully prototype all functions. 1346 1347Fix Makefile problem due to attempt to fix Sun compiling problems. 1348 13493.1.10 23/3/97 - Released 1350 1351ipfstat -a requires a -i or -o command line option too. Print an error 1352when not present rather than attempt to do something. 1353 1354patch updates for SunOS4 for kernel compiling. 1355patch for ipmon -s (flush's syslog file which isn't good). Andrew J. Schorr 1356<schorr@ead.dsa.com> 1357 1358too many people hit their heads hard when compiling code into the kernel 1359that doesn't let any packets through. (fil.c - IPF_NOMATCH) 1360 1361icmp-type parsing doesn't return any errors when it isn't constructed 1362correctly. Neil Readwin 1363 1364Using "-conf" with modload on SunOS4 doesn't work. 
1365Timothy Demarest <demarest@arraycomm.com> 1366 1367Need to define ARCH in makefile for SunOS4 building. "make sunos4" 1368in INSTALL.SunOS is incorrect. James R Grinter <jrg@blodwen.demon.co.uk> 1369[all SunOS targets now run buildsunos] 1370 1371NAT lookups are still incorrect, matching non-TCP/UDP with TCP/UDP 1372information. ArkanoiD <ark@paranoid.convey.ru> 1373 1374Need to check for __FreeBSD_version being 199511 rather than 199607 1375in mln_ipl.c. Eric Feillant <Eric.Feillant@EUnet.fr> 1376 13773.1.9 8/3/97 - Released 1378 1379fixed incorrect lookup of active NAT entries. 1380 1381patch for ip_deq() wrong for pre 2.1.6 FreeBSD. 1382fyeung@fyeung8.netific.com (Francis Yeung) 1383 1384check for out with return-rst/return-icmp at wrong place - Erkki Ritoniemi 1385(erkki@vlsi.fi) 1386 1387text_readip returns the interface pointer pointing to text on stack - 1388Neil Readwin 1389 1390fix from Pradeep Krishnan for printout rules "with not opt sec". 1391 13923.1.8 18/2/97 - Released 1393 1394Diffs for ip_output.c and ip_input.c updated to fix bug with fastroute and 1395compiling warnings about reuse of m0. 1396 1397prevent use of return-rst and return-icmp with rules blocking packets going 1398out, preventing panics in certain situations. 1399 1400loop forms in frag cache table - Yury Pshenychny <yura@rd.zgik.zaporizhzhe.ua> 1401 1402should use SPLNET/SPLX around expire routines in NAT/frag/state code. 1403 1404redeclared malloc in 44arp.c - 1405 14063.1.7 8/2/97 - Released 1407 1408Macros used for ntohs/htons supplied with gcc don't always work very well 1409when the assignment is the same variable being converted. 1410 1411Filter matching doesn't not match rule which checks tcp flags on packets 1412which are fragments - David Wilson 1413 14143.1.7beta 30/1/97 - Released 1415 1416Fix up NAT bugs introduced in last major change (now tested), including 1417nat_delete(), nat_lookupredir(), checksum changes, etc. 
1418 14193.1.7alpha 30/1/97 - Released 1420 1421Many changes to NAT code, including contributions from Laurent Joncheray 1422<lpj@ans.net> 1423 1424Use "NO_SLEEP" when allocating memory under SunOS. 1425 1426Make kernel printf's nicer for BSD/SunOS4 1427 1428Always do a checksum for packets being filtered going out and being 1429processed by fastroute. 1430 1431Leave kernel to play with cdevsw on *BSD systems with LKM's. 1432 1433ipnat.1 man page fixes. 1434 14353.1.6 21/1/97 - Released 1436 1437Allow NAT to work on BSD systems in conjunction with "pass .. to ifname" 1438 1439Memory leak introduced in 3.1.3 in NAT lists, clearing of NAT table tried 1440to free memory twice. 1441 1442NAT recalculates IP header checksum based on difference between IP#'s and 1443port numbers - should be just IP#'s (Solaris2 only) 1444 14453.1.5 13/1/97 - Released 1446 1447fixed setting of NAT timeouts and use different timeouts for concurrent 1448TCP sessions using the same IP# mapping (when port mapping isn't used) 1449 1450multiple loading/unloading of LKM's doesn't clean up cdevsw properly for 1451*BSD systems. 1452 14533.1.4 10/1/97 - Released 1454 1455add command line options -C and -F to ipnat to flush NAT list and table 1456 1457ipnat -l loops on output - Neil Readwin (nreadwin@nysales.micrognosis.com) 1458 1459NetBSD/FreeBSD kernel malloc changes - Daniel Carosone 1460 14613.1.3 10/1/97 - Released 1462 1463NAT chains not constructed correctly in hash tables - Antony Y.R Lu 1464(antony@hawk.ee.ncku.edu.tw) 1465 1466Updated INSTALL.NetBSD, INSTALL.FreeBSD and INSTALL.Sol2 1467 1468man page update (ipf.5) from Daniel Carosone (dan@geek.com.au) 1469 1470ICMP header checksum update now included in NAT. 1471 1472Solaris2 needs to modify IP header checksums in ip_natin and ip_natout. 
1473 14743.1.2 4/12/96 - Released 1475 1476ipmon doesn't use syslog all the time when given -s option 1477 1478fixed mclput panic in ip_input.c and replace ntohs() with NTOHS() macro 1479 1480check the results of hostname resolution in ipnat 1481 1482"make *install" fixed for subdirectories. 1483 1484problems with "ARCH:=" and gnu make resolved 1485 1486parser reports an error for lines with whitespaces only rather than skipping 1487them. D.Carosone@abm.com.au (Daniel Carosone) 1488 1489patches for integration into NetBSD-current (post 1.2). 1490 1491add an option to allow non-IP packets going up/down the stream on Solaris2 1492to be dropped. John Bass. 1493 14943.1.2beta 21/11/96 - Released 1495 1496make ipsend compile on Linux 2.0.24 1497 1498changes to TCP kept state algorithm, making it watch state on TCP 1499connections in both directions. Also use the same algorithm for NAT TCP. 1500 1501-Wall cleanup - Bernd Ernesti 1502 1503added "or-block" for "pass .. log or-block" after a suggestion from 1504David Oppenheim (davido@optimation.com.au) 1505 1506added subdirectories for building IP Filter in SunOS5/BSD for different 1507cpu architecures 1508 1509Solaris2 fixes to logging and pre-filtering packet processing - 3.1.1p2 1510 1511mbuf logging not using mtod(), remove iplbusy - 3.1.1p1 1/11/96 1512 15133.1.1 28/10/96 - Released 1514 1515Installation script fixes and deinstall scripts for IP Filter on: 1516SunOS4/FreeBSD/NetBSD 1517 1518Man page fixes - Paul Dubois (dubois@primate.wisc.edu) 1519 1520Fix use of SOLARIS macro in ipmon, rewrote ipllog() (again!) 1521 1522parsing isn't completely case insensitive - David Wilson 1523(davidw@optimation.com.au) 1524 1525Release ipl_mutex across uiomove() calls 1526 1527print entire rule entries out for "ipf -z" when zero'ing per-rule stats. 
1528 1529ipfstat returns same output for "hits" in "ipfstat -aio" - Terletsky Slavik 1530(ts@polynet.lviv.ua) 1531 1532New algorithm for setting timeouts for TCP connection (more closely follow 1533TCP FSM) - Pradeep Krishnan (pkrishna@netcom.com) 1534 1535Track both window sizes for TCP connections through "keep state". 1536 1537Solaris2 doesn't like _KERNEL defined in stdargs.h - Jos van Wezel 1538(wezel@bio.vu.nl) 1539 15403.1.1-beta2 6/10/96 - Released 1541 1542Solaris2 fastroute/dup-to/to now works 1543 1544ipmon `record' reading rewritten 1545 1546Added post-NetBSD1.2 packet filter patches - Mathew Green (mrg@eterna.com.au) 1547 1548Attempt to use in_proto.c.diff, not "..diffs" for SunOS4 - David Wilson 1549(davidw@optimation.com.au) 1550 1551Michael Ryan (mike@NetworX.ie) reports the following: 1552* The Trumpet WinSock under Windows always sends its SYN packet with an ACK 1553 value of 1, unlike any other implementation I've seen, which would set it 1554 to zero. The "keep state" feature of IP Filter doesn't work when receiving 1555 non-zero ACK values on new connection requests. 1556* */Makefile install rule doesn't install all the binaries/man pages 1557* Make ipnat use "tcp/udp" instead of "tcpudp" 1558* Print out "tcp/udp" properly 1559* ipnat "portmap tcp" matches "portmap udp" when adding/removing 1560* NAT dest. ip# increased by one on mask of 0xffffffff when it shouldn't 1561 15623.1.1-beta 1/9/96 - Released 1563 1564add better detection of TCP connections closing to TCP state monitoring. 1565 1566fr_addstate() not called correctly for fragments. 
"keep state" and 1567"keep frag" code don't work together 100% - Songqing Cai 1568(songqing_cai@sterling.com) 1569 1570call to fr_addstate() incorrect for adding state in combination with keeping 1571fragment information - Songqing Cai (songqing_cai@sterling.com) 1572 1573KFREE() passed fp (incorrect) and not fr (correct) in ip_frag.c - John Hood 1574(cgull@smoke.marlboro.vt.us) 1575 1576make ipf parser recognise '\\' as a `continued line' marker - Dima Ruban 1577(dima@best.net) 1578 15793.1.1-alpha 23/8/96 - Released 1580 1581kernel panic's when ICMP packets go through NAT code 1582 1583stats aren't zero'd properly with ipf -Z 1584 1585ipnat doesn't show port numbers correctly all the time and also add the 1586protocol (tcp/udp/tcpudp) to rdr output - Carson Gaspar (carson@lehman.com) 1587 1588fast checksum fixing not 100% - backout patch - Bill Dorsey (dorsey@lila.com) 1589 1590NetBSD-1.2 patches from - VaX#n8 <vax@linkdead.paranoia.com> 1591 1592Usage() call error in fils.c - Ajay Shekhawat (ajay@cedar.buffalo.edu) 1593 1594ip_optcopy() staticly defined in ip_output.c in SunOS4 - Nick Hall 1595(nrh@tardis.ed.ac.uk) 1596 15973.1.0 7/7/96 - Released 1598 1599Reformatted ipnat output to be compatible with it's input, so that 1600"ipnat -l | ipnat -rf -" is possible. 1601 16023.1.0beta 30/6/96 - Released 1603 1604NetBSD-1.2 patches from Greg Woods (woods@most.weird.com) 1605 1606kernel module must not be installed stripped (Solaris2), as created by 1607"make package" for Solaris2 - Peter Heimann 1608(peter@i3.informatik.rwth-aachen.de) 1609 16103.1.0alpha 5/6/96 - Released 1611 1612include examples in package for solaris2 1613 1614patches for removing an extra ip header checksum (FreeBSD/NetBSD/SunOS) 1615 1616removed trailing space from printouts of rules in ipf. 1617 1618ipresend supports the same range of inputs that ipftest does. 1619 1620sending a duplicate copy of a packet to another network devices is now 1621supported. 
("dup-to") 1622 1623sending a packet to an arbitary interface is now supported, irrespective 1624of its actual route, with no ttl decrement. Can also be routed without 1625the ttl being decremented. ("to" and "fastroute"). 1626 1627"call" option added to support calling a generic function if a packet is 1628matched. 1629 1630show all (upto 4) recorded bytes from the interface name in logging from 1631ipmon. 1632 1633support for using unix file permissions for read/write access on the device 1634is now in place. 1635 1636recursive mutex in nat_new() for Solaris 2.x - Per L. Hagen <per@stibo.dk> 1637 1638ipftest doesn't call initparse() for THISHOST - Catherine Allen 1639(cla@connect.com.au) 1640 1641Man page corrections from Rex Bona (rex@pengo.comsmiths.com.au) 1642 16433.0.4 10/4/96 - Released 1644 1645looop in `parsing' IP packets with optlen 0 for ip options. 1646 1647rule number not initialized and resulted in unexpected results for state 1648maching. 1649 1650option parsing and printing bugs - Pradeep Krishnan 1651 16523.0.4beta 25/3/96 - Released 1653 1654wouldn't parse "keep flags keep state" correctly. 1655 1656SunOS4.1.x ip_input.c doesn't recognise all 1s broadcast address - Nigel Verdon 1657 1658patches for BSDI's BSD/OS 2.1 and libpcap reader on little endian systems 1659from Thorsten Lockert <tholo@tetherless.com> 1660 1661b* functions in fil.c on Solaris 2.4 1662 16633.0.3 17/3/96 - Released 1664 1665added patches to support IP Filter initialisation when compiled into the 1666kernel. 1667 1668added -x option to ipmon to display hex dumps of logged packets. 1669 1670added -H option to ipftest to allow ascii-hex formatted input to specify 1671arbitary IP packets. 1672 1673Sending TCP RSTs as a response now work for Solaris2 x86 1674 1675add patches to make IP Filter compile into NetBSD kernels properly. 1676 1677patch to stop SunOS 4.1.x kernels panicing with "data traps". 
1678 1679ipfboot script unloads and reloads ipf module on Solaris2 if it is already 1680loaded into the kernel. 1681 1682Installation of IP Filter as a Solaris2 package is now supported. 1683 1684Man pages for ipnat.4, ipnat.5 added. 1685 1686added some more regression tests and fixed up IP Filter to pass the new tests 1687(previous versions failed some of the tests in set 12). 1688 1689IP option filter processing has changed so that saying "with opt lsrr" will 1690check only for that one, but not mask out other options, so a packet with 1691strict source routing, along with loose source routing will match all of 1692"with opt lsrr", "with opt ssrr" and "with opt lsrr,ssrr". 1693 1694IPL_NAME needed in ipnat.c - Kelly (kelly@count04.mry.scruznet.com) 1695 1696patches for clean NetBSD compilation from Bernd Ernesti (bernd@arresum.inka.de) 1697 1698make install is incorrect - Julian Briggs (julian@lightwork.co.uk) 1699 1700strtol() returns 0x7fffffff for all negative numbers, 1701printfr() generates incorrect output for "opt sec-class *", 1702handling of "not opt xxx opt yyy" incorrect. 1703- Minh Tonthat (minht@sbei.com)/Pradeep Krishnan (pradeepk@sbei.com) 1704 1705m_pullup() called only for input and not output; caused problems 1706with filtering icmp - Nigel Verdon (verdenn@gb.swissbank.com) 1707 1708parsing problem for "port 1" and NetBSD patches incorrect - 1709Andreas Gustafsson (gson@guava.araneus.fi) 1710 17113.0.2 4/2/96 - Released 1712 1713Corrected bug where NAT recalculates checksums for fragments. 1714 1715make NAT recalculate UDP checksums (rather than setting them to 0), 1716if they're non-zero. 
1717 1718DNS patches - Real Page (Real.Page@Matrox.com) 1719 1720alteration of checksum recalculations in NAT code and addition of 1721redirection with NAT - Mike Neuman 1722 1723core dump, if tcp/udp is used with a port number and not service name, 1724in ipf - Mike Neuman (mcn@engarde.com) 1725 1726initparse() call, missing to prime "<thishost>" hook - Craig Bishop 1727 17283.0.1 14/1/96 - Released 1729 1730miscellaneous patches for Solaris2 1731 17323.0 14/1/96 - Released 1733 1734Patch included for FDDI, from Richard Ohnemus 1735(Richard_Ohnemus@dallas.csd.sterling.com) 1736 1737Code cleanup for release. 1738 17393.0beta4 10/1/96 1740 1741recursive mutex in ipfr_slowtimer fixed, reported by Craig Bishop 1742 1743recursive mutex in sending TCP RSTs fixed, reported by Tony Becker 1744 17453.0beta3 9/1/96 1746 1747FIxup for Solaris2.5 install and interface name bug in ipftest from 1748Julian Briggs (julian@lightwork.co.uk) 1749 1750Byte order patches for ipmon from Tony Becker (tony@mcrsys.com) 1751 17523.0beta2 7/1/96 1753 1754Added the (somewhat warped) IP accounting as it exists in ipfw on FreeBSD. 1755Note, this isn't really what one would call IP account, when compared to 1756process accounting, sigh. 1757 1758Split up ipresend into iptest/ipresend/ipsend 1759 1760Added another m_pullup() inside fr_check() for BSD style kernels and 1761added some checks to ipllog() to not log more than is present (for short 1762packets). 1763 1764Fixed bug where failed hostname/netname resolution goes undetecte and 1765becomes 0.0.0.0 (any) (reported Guido van Rooij) 1766 17673.0beta 11/11/95 - Released 1768 1769Rewrote the way rule testing is done, reducing the number of files needed and 1770generated. 
1771 1772SIOCIPFFL was incorrectly affected by IPFILTER_LOG (Mathew Green) 1773 1774Patches from Guido van Rooij to fix sending back TCP RSTs on Net-2/Net-3 1775BSD based Unixes (panic'd) 1776 1777Patches for FreeBSD/i86 ipmon from Riku Kalinen <riku@tequila.nixu.fi> 1778(I think someone else already told me about these but they got lost :-/) 1779 1780Changed Makefile structure to build object files for different operating 1781systems in separate directories by default. 1782 1783BSDI has ef0 for first ethernet interface 1784 1785Allow for a "not" operator before optional keywords. 1786 1787The "rule number" was being incorrectly incremented every time it went through 1788the loop rather than when it matched a rule. 1789 17902.8.2 24/10/95 - Released 1791 1792Fixed up problems with "textip" for doing lots of testing. 1793 1794Fixed bug in detection of "short" tcp/ip packets (all reported as being short). 1795 1796Solaris 2.4 port now works 100%. 1797 1798Man page errors reported and fixed. 1799 1800Removed duplicate entry in etc/services for login on port 49 (Craig Bishop). 1801 1802Fixed ipmon output to put a space after the log-letter. 1803 1804Patch from Guido van Rooij to fix parsing problem. 1805 18062.8.1 15/10/95 - Released 1807 1808Added ttl and tos filtering. 1809 1810Patches for fixing up compilation and port problems (little endian) 1811from Guido van Rooij <guido@IAEhv.nl>. 1812 1813Man page problems reported and fixed by Carson Gaspar <carson@lehman.com>. 1814 1815ipsend doesn't compile properly on Solaris2.4 1816 1817Lots of work done for Solaris2.4 to make it MT/MP safe and work. 1818 18192.8 15/9/95 - Released 1820 1821ipmon can now send messages to syslogd (-s) and use names instead of 1822numbers (-N). 1823 1824IP packets are now "compiled" into a structure only containing filterable 1825bits. 1826 1827Added regression testing in the test/ subdirectory, using a new option 1828(-b) with the ipftest program. 
1829 1830Added "nomatch" return to filter results. These are counted and show 1831up in reports from ipfstat. 1832 1833Moved filter code out of ip_fil.c and into fil.c - there is now only one 1834instance of it in the package. 1835 1836Added Solaris 2.4 support. 1837 1838Added IPSO basic security option filtering. 1839 1840Added name support for filtering on all 19 named IP options. 1841 1842Patches from Ivan Brawley to log packet contents as well as packet headers. 1843 1844Update for sun/conf.c.diff from Ivan Brawley <ibrawley@awadi.com.AU> 1845 1846Added patches for FreeBSD 1, and added two new switches (-E, -D) to ipf, 1847along with a new ioctl, SIOCFRENB. 1848From: Dieter Dworkin Muller <dworkin@village.org> 1849 18502.7.3 31/7.95 - Released 1851 1852Didn't compile cleanly without IPFILTER_LOG defined (Mathew Green). 1853 1854ipftest now deals with tcpdump3 binary output files (from libpcap) with -P. 1855 1856Brought ipftest program upto date with actual filter code. 1857 1858Filter would cause a match to occur when it wasn't meant to if the packet 1859had short headers and was missing portions that should have been there. 1860Err, it would rightly not match on them, but their absence caused a match 1861when it shouldn't have been. 1862 18632.7.2 26/7/95 - Released 1864 1865Problem with filtering just SYN flagged packets reported by 1866Dieter Dworkin Muller <dworkin@village.org>. To solve this 1867problem, added support for masking TCP flags for comparison "flags X/Y". 1868 18692.7.1 9/7/95 - Released 1870 1871Added ip_dirbroadcast support for Sun ip_input.c 1872 1873Fixed up the install scripts for FreeBSD/NetBSD to recognise where they are 1874better. 1875 18762.7 7/7/95 - Released 1877 1878Added "return-rst" to return TCP RST's to TCP packets. 1879 1880Actually ported it to FreeBSD-i386 2.0.0, so it works there properly now. 1881 1882Added insertion of filter rules. Use "@<#>" at the beginning of a filter 1883to insert a rule at row #. 
1884 1885Filter keeps track of how many times each rule is matched. 1886 1887Changed compile time things to match kernel option (IPFILTER_LKM & 1888IPFILTER_LOG). 1889 1890Updated ip_input.c and ip_output.c with paches for 3.5 Multicast IP. 1891(No change required for 3.6) 1892 1893Now includes TCP fragments which start inside the TCP header as being short. 1894Added counting the number of times each rule is matched. 1895 1896 18972.6 11/5/95 - Released 1898 1899Added -n option to ipf: when supplied, no changes are made to the kernel. 1900 1901Added installation scripts for SunOS 4.1.x and NetBSD/FreeBSD/BSDI. 1902 1903Rewrote filtering to use a more generic mask & match procedure for 1904checking if a packet matches a rule. 1905 19062.5.2 27/4/95 - Released 1907 1908"tcp/udp" and a non-initialised pointer caused the "proto" to become 1909a `random' value; added "ip#/dotted.mask" notation to the BNF. 1910From Adam W. Feigin <feigin@iis.ee.ethz.ch> 1911 19122.5.1 22/3/95 - Released 1913 1914"tcp/udp" had a strange effect (undesired) on getserv*() functions, 1915causing protocol/service lookups to fail. Reported by Matthew Green. 1916 19172.5 17/3/95 - Released 1918 1919Added a new keyword "all" to BNF and parsing of tcpdump/etherfind/snoop 1920output through the ipftest program. Suggestions from: 1921Michael Ciavarella (mikec@phyto.apana.org.au) 1922 1923Conflicts occur when "general" filter rules are used for ports and the 1924lack of a "proto" when used with "port" matches other packets when only 1925TCP/UDP are implied. 1926Reported Matthew Green (mrg@fulcom.com.au); 1927reported & fixed 6-8/3/95 1928 1929Added filtering of short TCP packets using "with short" 28/2/95 1930(These can possibly slip by checks for the various flags). Short UDP 1931or ICMP are dropped to the floor and logged. 1932 1933Added filtering of fragmented packets using "with frag" 24/2/95 1934 1935Port to NetBSD-current completed 20/2/95, using LKM. 
1936 1937Added logging of the rule # which caused the logging to happen and the 1938interface on which the packet is currently as suggested by 1939Andreas Greulich (greulich@math-stat.unibe.ch) 10/2/95 1940 19412.4 9/2/95 - Released 1942Fixed saving of IP headers in ICMP packets. 1943 19442.3 29/1/95 1945Added ipf -F [in|out|all] to flush filter rule sets (SIOCIPFFL). 1946Fixed iplread() and iplsave() with help from Marc Huber. 1947 19482.2 7/1/95 - Released 1949Added code from Marc Huber <huber@fzi.de> to allow it to allocate 1950its own major char number dynamically when modload'ing. Fixed up 1951use of <, >, <=, >= and >< for ports. 1952 19532.1 21/12/94 - Released 1954repackaged to include the correct ip_output.c and ip_input.c *goof* 1955 19562.0 18/12/94 - Released 1957added code to check for port ranges - complete. 1958rewrote to work as a loadable kernel module - complete. 1959 19601.1 1961added code for ouput filtering as well as input filtering and added support for logging to a simple character device of packet headers. 1962 19631.0 22/04/93 - Released 1964First release cut. 1965