HISTORY revision 63516
#
# NOTE: Quite a few patches and suggestions come from other sources, to whom
# I'm greatly indebted, even if no names are mentioned.
#
# Thanks to the Coombs Computing Unit at the ANU for their continued support
# in providing a very available location for the IP Filter home page and
# distribution center.
#
# Thanks to Tel.Net Media for allowing me to maintain and further develop
# IP Filter as part of my job and supplying Sun equipment for testing the
# move to 64bits and Gigabit Ethernet.
#
# Thanks to BSDI for providing object files for BSD/OS 3.1 and the means
# to further support development of IP Filter under BSDI.
#
# Thanks to Craig Bishop of connect.com.au and Sun Microsystems for the
# loan of a machine to work on a Solaris 2.x port of this software.
#
# Thanks also to all those who have contributed patches and other code,
# and especially those who have found the time to port IP Filter to new
# platforms.
#
3.4.8 19/07/2000 - Released

create fake opt_inet6.h for FreeBSD-4 compile as LKM

add #ifdef's for KLD_MODULE sanity

NAT fastroute'd packets which come out of return-*

fix upper/lower case crap in ftp proxy and get seq# checking fixed up.

3.4.7 08/07/2000 - Released

make "ipf -y" lookup NAT if's which are unknown

prepend line numbers to ioctl error messages in ipf/ipnat

don't apply patches to FreeBSD twice

allow for ip_len to be on an unaligned boundary early on in fr_precheck

fix printing of icmp code when it is 0

correct printing of port numbers in map rules with from/to

don't allow fr_func to be called at securelevel > 0 or rules to be added
if securelevel > 0 if they have a non-zero fr_func.

3.4.6 11/06/2000 - Released

add extra regression tests for new nat functionality

place restrictions on using '!' in map/rdr rules

fix up solaris compile problems

3.4.5 10/06/2000 - Released

mention -sl in ipfstat.8

fix/support '!' in from/to rules (rdr) for NAT

add from/to support to rdr NAT rules

don't send ICMP errors in response to ICMP errors

fix sunos5 compilation for "ipfstat-top" and cleanup ipfboot

input accounting list used for both outbound and inbound packets

3.4.4 23/05/2000 - Released

don't add TCP state if it is an RST packet and (attempt) to send out
RST/ICMP packets in a manner that bypasses IP Filter.

add patch to work with 4.0_STABLE delayed checksums

3.4.3 20/05/2000 - Released

fix ipmon -F

don't truncate IPv6 packets on Solaris

fix keep state for ICMP ECHO

add some NAT stats and use def_nat_age rather than DEF_NAT_AGE

don't make ftp proxy drop packets

use MCLISREFERENCED() in tandem with M_EXT to check if IP fields need to be
swapped back.

fix up RST generation for non-Solaris

get "short" flag right for IPv6

3.4.2 - 10/5/2000 - Released

Fix bug in dealing with "hlen == 1 and opt > 1" - Itojun

ignore previous NAT mappings for 0/0 and 0/32 rules

bring in a completely new ftp proxy

allow NAT to cause packets to be dropped.

add NetBSD callout support for 1.4-current

3.4.1 - 30/4/2000 - Released

add ratoui() and fix parsing of group numbers to allow 0 - UINT_MAX

don't include opt_inet6.h for FreeBSD if KLD_MODULE is defined

Solaris must use copyin() for all types of ioctl() args

fix up screen/tty when leaving "top mode" of ipfstat

linked list for maptable not setup correctly in nat_hostmap()

check for maptable rather than nat_table[1] to see if malloc for maptable
succeeded in nat_init

fix handling of map NAT rules with "from/to" host specs

fix printout of source address when using "from/to" with map rules

convert ip_len back to network byte order, not plen, for solaris as ip_len
may have been changed by NAT and plen won't reflect this

3.4 - 27/4/2000 - Released

source address spoofing can be turned on (fr_chksrc) without using
filter rules

group numbers are now 32bits in size, up from 16bits

IPv6 filtering available

add frank volf's state-top patches

add load splitting and round-robin attribute to redirect rules

FreeBSD-4.0 support (including KLD)

add top-style operation mode for ipfstat (-t)

add save/restore of IP Filter state/NAT information (ipfs)

further ftp proxy security checks

support for adding and removing proxies at runtime

3.3.13 26/04/2000 - Released

Fix parsing of "range" with "portmap"

Relax checking of ftp replies, slightly.

Fix NAT timeouts for ICMP packets

SunOS4 patches for ICMP redirects from Jurgen Keil (jk@tools.de)

3.3.12 16/03/2000 - Released

tighten up ftp proxy behaviour. sigh. yuck. hate.

fix bug in range check for NAT where the last IP# was not used.

fix problem with icmp codes > 127 in filter rules caused bad things to
happen and in particular, where #18 caused the rule to be printed
erroneously.

fix bug with the spl level not being reset when returning EIO from
iplioctl due to ipfilter not being initialized yet.

3.3.11 04/03/2000 - Released

make "or-block" work with lines that start with "log"

fix up parsing and printing of rules with syslog levels in them

fix from Cy Schubert for calling of apr_fini only if non-null

3.3.10 24/02/2000 - Released

* fix back from guido for state tracking interfaces

* update for NetBSD pfil interface changes

* if attaching fails and we can abort, then cleanup when doing so.

julian@computer.org:
* solaris.c (fr_precheck): After calling freemsg on mt, set it to point to *mp.
* ipf.c (packetlogon): use flag to store the return value from get_flags.
* ipmon.c (init_tabs): General cleanup so we do not have to cast
  an int s->s_port to u_int port and try to check if the u_int port
  is less than zero.

3.3.9 15/02/2000 - Released

fix scheduling of bad locking in fr_addstate() used when we attach onto
a filter rule.

fix up ip_statesync() with storing interface names in ipstate_t

fix fr_running for LKM's - Eugene Polovnikov

junk using pullupmsg() for solaris - it's next to useless for what we
need to do here anyway - and implement what we require.

don't call fr_delstate() in fr_checkstate(), when compiled for a user
program, early but when we're finished with it (got fr & pass)

ipnat(5) fix from Guido

on solaris2, copy message and use that with filter if there is another
copy of it being used (db_ref > 1). bad for performance, but better
than causing a crash.

patch for solaris8-fcs compile from Casper Dik

3.3.8 01/02/2000 - Released

fix state handling of SYN packets.

add parsing recognition of extra icmp types/codes and fix handling of
icmp time stamps and mask requests - Frank volf

3.3.7 25/01/2000 - Released

sync on state information as well as NAT information when required

record nat protocol in all nat log records

don't reuse the IP# from an active NAT session if the IP# in the rule
has changed dynamically.

lookup the protocol for NAT log information in ipmon and pass that to
portname.

fix the bug with changing the outbound interface of a packet where it
would lead to a panic.

use fr_running instead of ipl_inited. (sysctl name change on freebsd)

return EIO if someone attempts an ioctl on state/nat if ipfilter is not
enabled.

fix rule insertion bug

make state flushing clean anything that's not fully established (4/4)

call fr_state_flush() after we've released ipf_state so we don't generate
a recursive mutex acquisition panic

fix parsing of icmp code after return-icmp/return-icmp-as-dest and add
some patches to enhance parsing strength

3.3.6 28/12/1999 - Released

add in missing rwlock release in fr_checkicmpmatchingstate() and fix check
for ICMP_ECHO to only be for packet, not state entry which we don't have yet.

handle SIOCIPFFB in nat_ioctl() and fr_state_ioctl()

fix size of friostat for SunOS4

fix bug in running off the end of a buffer in real audio proxy

3.3.5 11/12/1999 - Released

fix parsing of "log level" and printing it back out too

<net/if_types.h> is only present on Solaris2.6/7/8

use send_icmp_err rather than icmp_error to send back a frag-needed error
when doing PMTU

do not use -b with add_drv on Solaris unless $BASEDIR is set.

fix problem where source address in icmp replies is reversed

fix yet another problem with real audio.

3.3.4 4/12/1999 - Released

fix up the real audio proxy to properly setup state information and NAT
entries, thanks to Laine Stump for testing/advice/fixes.

fix ipfr_fastroute to set dst->sin_addr (Sean Farley - appears to prevent
FreeBSD 3.3 from panic'ing) as this had been removed in prior hacks to this
routine.

fix kinstall for BSDI

support ICMP errors being allowed through for ICMP packets going out with
keep state enabled

support hardware checksumming (gigabit ethernet cards) on Solaris thanks to
Tel.Net Media for providing hardware for testing.

patches from Frank Volf for ipmon (ICMP & fragmented packets) and allowing
ICMP responses to ICMP packets in the keep state table.

add in patches for hardware checksumming under solaris

Solaris install scripts now use $BASEDIR as appropriate.

add Solaris8 support

fix "ipf -y" on solaris so that it rescans rules also for changes in
interface pointers

let ipmon become a daemon with -D if it is using syslog

fix parsing of return-icmp-as-dest(foo)

add reference to ipfstat -g to ipfstat.8

ipf_mutex needs to be declared for irix in ip_fil.c

3.3.3 22/10/1999 - Released

add -g command line option to ipfstat to show groups still defined.

fix problem with fragment table not recording rule pointer when called
from state functions (fin_fr not set).

fixup fastroute problems with keep state rules.

load rules into inactive set first, so we don't disable things like NIS
lookups half way through processing - found by Kevin Littlejohn

fix handling of unaligned ip pointer for solaris

patch for fr_newauth from Rudi Sluijtman

fixed htons() bug in fr_tcpsum() where ip_p wasn't cast to u_short

3.3.2 23/09/1999 - Released

patches from Scott Presnell to fix rcmd proxy

patches from Greg to fix Solaris detachment of interfaces

add openbsd compatibility fixes

fix free'ing already freed memory in ipfr_slowtimer()

fix for dereferencing invalid memory in cleaning up after a device disappears

3.3.1 14/8/1999 - Released

remove include file sys/user.h for irix

prevent people from running buildsunos directly

fix up some problems with the saving of rule pointers so that NAT saves
that information in case it should need to call fr_addstate() from a proxy.

fix up scanning for the end of FTP messages

don't remove /etc/opt/ipf in postremove

attempt to prevent people running buildsolaris script without doing a
"make solaris"

fix timeout losing on freebsd3

3.3 7/8/1999 - Released

NAT: information (rules, mappings) are stored in hash tables; setup some
basic NAT regression testing.

display version name of installed kernel code when initializing.

add -V command line option to ipf, showing version (program and kernel
module) as well as the run-status of the kernel code.

fix problem with "log" rules actually affecting result of filtering.

automatically use SUNWspro if available and on a 64bit Solaris system for
compiling.

add kernel proxies for rcmd(3) and RealAudio (PNA)

use timeout/untimeout on SunOS4/BSD platforms too rather than hijacking
ip_slowtimo

fix IP headers generated through parsing of text information

fix NAT rules to be in the correct order again.

make keep-state work with to/fastroute keywords and enforce usage of those
interfaces.

update keep-state code with new algorithm from Guido

add FreeBSD-3 support

add return-icmp-as-dest option to return an ICMP packet using the original
destination as the source rather than a local IP address

add "level [facility.]<priority>" option to filter language

add changes from Guido to state code.

add code to return EPERM if the device is opened for writing and we're
in securelevel 2 or greater.

authentication code patches from Guido

fix real audio proxy

fix ipmon rule printing of interfaces and add IN/OUT to the end of ipmon
log output.

fix bimap rules with hash tables

update addresses used in NAT mappings for 0/32 rules for any protocol but TCP
if it changes on the interface - check every ip_natexpire()

add redirect regression test

count buckets used in the state hash table.

fix sending of RST's with return-rst to use the ack number provided in
the packet being replied to in addition to the sequence number.

fix to compile as a 64bit application on solaris7-64bit

add NAT IP mapping to ranges of IP addresses that aren't CIDR specified

fix calculation of in_space parameter for NAT

fix `wrapping' when incrementing the next ip address for use in NAT

fix free'ing of kernel memory in ip_natunload on solaris

fix -l/-U command line options from interfering with each other

fix fastroute under solaris2 and cleanup compilation for solaris7

add install scripts and compile cleanly on BSD/OS 4.0

safely open files in /tmp for writing device output when testing.

fix uninitialized pointer bug in NAT

fix SIOCZRLST (zero list rule stats) bug with groups

change some usage of u_short to u_int in function calling

fix compilation for Solaris7 (SUNWspro)

change solaris makefiles to build for either sparc or i386 rather than
per-cpu (sun4u, etc).

fixed bug in ipllog

add patches from George Michaelson for FreeBSD 3.0

add patch from Guido to provide ICMP checking for known state in the same
manner as is done for NAT.

enable FTP PASV proxying and enable wildcarding in NAT/state code for ports
for better PORT/PASV support with FTP.

bring into main tree static nat features: map-block and "auto" portmapping.

add in source host filtering for redirects (alan jones)

3.2.10 22/11/98 - Released

3.2.10beta9 17/11/98 - Released

fix fr_tcpsum problems in handling mbufs with an odd number of bytes
and/or split across an mbuf boundary

fix NAT list entry comparisons and allow multiple entries for the same
proxy (but on different ports).

don't create duplicate NAT entries for repeated PORT commands.

3.2.10beta8 14/11/98 - Released

always exit an rwlock before expecting to enter it again on solaris

fix loop in nat_new for pre-existing nat

don't setup state for an ftp connection if creating nat fails.

3.2.10beta7 05/11/98 - Released

set fake window in ipft_tx.c to ensure code passes tests.

cleaned up/enhanced ipnat -l/ipnat -lv output

fixed NAT handling of non-TCP/UDP packets, esp. for ICMP errors returned.

Solaris recursive mutex on icmp-error/tcp-reset - requires rwlock's rather
than mutexes.

3.2.10beta6 03/11/98 - Released

fix mixed use of krwlock_t and kmutex_t on Solaris2

fix FTP proxy back up, splitting pasv code out of port code.

3.2.10beta5 02/11/98 - Released

fixed port translation in ICMP reply handling

3.2.10beta4 01/11/98 - Released

increase useful statistic collection on solaris

filter DL_UNITDATA_REQ as well as DL_UNITDATA_IND on solaris

disable PASV reply translation for now

fail with an error if we try to load a NAT rule with a non-existent
  proxy name - Guido

fix portmap usage with 0/0 and 0/32 map rules

remove ap_unload/ap_expire - automatically done when NAT is cleaned up

print "STATE:CLOSED" from ipmon if the connection progresses past established
  rather than "STATE:EXPIRED"

3.2.10beta3 26/10/98 - Released

fixed traceroute/nat problem

rewrote nat/proxy interface

ipnat now lists associated proxy sessions for each NAT where applicable

3.2.10beta2 13/10/98 - Released

use KRWLOCK_T in place of krwlock_t for solaris as well as irix

disable use of read-write lock acquisition by default

add in mb_t for linux, non-kernel

some changes to progress compilation on linux with glibc

change PASV as well as PORT when passed through kernel ftp proxy.

don't allow window to become 0 in tcp state code

make ipmon compile cleaner

irix patches

3.2.10beta 11/09/98 - Released

stop fr_tcpsum() thinking it has run out of data when it hasn't.

stop solaris panics due to fin_dp being something wild.

revisit usage of ATOMIC_*()

log closing state of TCP connection in "keep state"

fix fake-arp table code for ipsend.

ipmon now writes pid to a file.

fix "ipmon -a" to actually activate all logging devices.

add patches for BSDOS4.

perl scripts for log analysis donated.

3.2.9 22/06/98 - Released

fix byte order for ICMP packets generated on Solaris

fix some locking problems.

fix malloc bug in NAT (introduced in 3.2.8).

patch from guido for state connections that get fragmented

3.2.8 08/06/98 - Released

use readers/writers locks in Solaris2 in place of some mutexes.

Solaris2 installation enhancements - Martin Forssen (maf@carlstedt.se)

3.2.7 24/05/98 - Released

u_long -> u_32_t conversions

patches from Bernd Ernesti for NetBSD

fixup ipmon to actually handle HUP's.

Linux fixes from Michael H. Warfield (mhw@wittsend.com)

update for keep state patch (not security related) - Guido

dumphex() uses stdout rather than log

3.2.6 18/05/98 - Released

fix potential security loop hole in keep state code.

update examples.

3.2.5 09/05/98 - Released

BSD/OS 3.1 .o files added for the kernel.

fix sequence # skew vs window size check.

fix minimum ICMP header size check.

remove references to Cybersource.

fix my email address.

remove ntohl in ipnat - Thomas Tornblom

3.2.4 09/04/98 - Released

add script to make devices for /dev on BSD boxes

fixup building into the kernel for FreeBSD 2.2.5

add -D command line option to ipmon to make it a daemon and SIGHUP causes
it to close and reopen the logfile

fixup make clean and make package for SunOS5 - Marc Boucher

postinstall keeps adding "minor=ipf ipl" - George Ross <gdmr@dcs.ed.ac.uk>

protected by IP Filter gif - Sergey Solyanik <solik@atom.ru>

3.2.3 10/11/97 - Released

fix some iplang bugs

fix tcp checksum data overrun, sgi #define changes,
avoid infinite loop when nat'ing to single IP# - Marc Boucher

fixup DEVFS usage for FreeBSD

fix sunos5 "make clean" cleaning up too much

3.2.2 28/11/97 - Released

change packet matching to return actual error, if bad packet, to facilitate
ECONNRESET for TCP.

allow ip:netmask in grammar too now - Guido

assume IRIX has u_int32_t in sys/types.h (needed for R10000)

rewrite parts of command line options for ipmon

fix TCP urgent packet & offset testing and add LAND attack test for iptest

fix grammar error in yacc grammar for iplang

redirect (rdr) destination port byte-swapped when it shouldn't be.

general: fr_check now returns error code, such as EHOSTUNREACH or
ECONNRESET (attempt to make ECONNRESET work for locally outbound
packets).

linux: enable return-rst, need to filter tcp retransmits which are sent
  separately from normal packets

memory leak plugged in ip_proxy.c

BSDI compatibility patches from Guido

tcp checksum fix - Marc Boucher

recursive mutex and ioctl param fix - Marc Boucher

3.2.1 12/11/97 - Released

port to BSD/OS 3.0

port to Linux 2.0.31

patches to make "map a/m -> 0/0" work with ftp proxying properly - Marc Boucher

add "ipf -F s" and "ipf -F S" to flush state table entries.

announce if logging is on or off when ip filter initializes.

"ipf -F a" doesn't flush groups properly for Solaris.

3.2 30/10/97 - Released

ipnat doesn't successfully remove proxy mappings with "-rf" -
Alexander Romanyu

use K&R C function style for solaris kernel code

use m_adj() to decrease packet size in ftp proxy

use mbufchainlen rather than msgdsize,
IRIX update - Marc Boucher

fix NetBSD modunload bug (pfil_add_hook done twice)

patches for OpenBSD 2.1 - Craig Bevins <craigb@bitcom.net.au>

3.2beta10 24/10/97 - Released

fix fragment table entries allocated for NAT.

fix tcp checksum calculations over mbuf/mblk boundaries

fix panic for blen < 0 in ftp kernel proxy - marc boucher

fix flushing of rules which have been grouped.

3.2beta9 20/10/97 - Released

some nit picking on solaris2 with SUNWspro - Michael Lyle <mrl@rpnet.net>

ftp kernel proxy patches from Marc Boucher

3.2beta8 13/10/97 - Released

add support for passing ICMP errors back through NAT.

IRIX port update - Marc Boucher

calculate correct MIN size of packet to log for UDP - Marc Boucher

need htons(ETHERTYPE_x) on little endian BSD boxes - Dave Huang

copyright header fixups

3.2beta7 23/09/97 - Released

fickup problems introduced by prior merges & changes.

3.2beta6 23/09/97 - Released

patch for spin-reading race condition - Marc Boucher.

IRIX port by Marc Boucher.

compatibility updates for Linux to ipsend

3.2beta5 13/09/97 - Released

patches from Bernd Ernesti for NetBSD integration (mostly prototyping and
compiler warning things)

ipf -y will resync IP#'s allocated with 0/32 in NAT to match interface if it
changes.

update manual pages and other documentation updates.

3.2beta4 27/8/97 - Released

enable setting IP and TCP options for iplang/

Solaris2 patches from Marc Boucher.

add groups for filter rules.

3.2beta3 21/8/97 - Released

patches for Solaris2 (interface panic solution ?): fix FIONREAD and
replacing q_qinfo points - Marc Boucher <marc@CAM.ORG>

change ipsend/* and ipsd/* copyright notices to be the same as ip filter's

patch for SYN-ACK skew testing fix from Eric V. Smith <EricSmith@windsor.com>

3.2beta2 6/8/97 - Released

make it load on Solaris 2.3

rewrote logging to remove solaris errors, introduced checking to see if the
same packet is logged successively.

fix filter cache to work when there are no rules loaded.

add "raw" option to ipresend to send entire ethernet frames.

nat list corruption bug - NetBSD - Klaus Klein

3.2beta1 5/7/97 - Released

patches from Jason Thorpe fixing: UNSIGNED_CHAR lossage, off_t being 64bits
lossage, and other NetBSD bits.

NetBSD 1.2G update.

fixup fwtk patches and add protocol field for SIOCGNATL.

rdr bugs reported by Alexander Romanyu (alexr@aix.krid.crimea.ua), with
fixes:
* rdr matched all packets of a given protocol (ignored ports).
* severe bug in nat_delete which caused system crash/freeze.

change Makefile so that CC isn't passed on for FreeBSD/NetBSD (will use
the default CC - cc, not gcc)

3.2alpha9 16/6/97 - Released

added "skip" keyword.

implement preauthentication of packets, as outlined by Guido.

Make it compile as cleanly as possible with -Wall & general code cleanup

getopt returns int, not char. Bernd Ernesti

3.2alpha8 13/6/97 - Released

code added to support "auth" rules which require a user program to allow them
through. First revision and much of the code came from Guido.

hex output from ipmon doesn't goto syslog when recovering from out of sync
error. Luke Mewburn (lukem@connect.com.au)

fix solaris2.6 lookup of destination ire's.

ipnat doesn't throw away unused bits (after masking), causing it to
behave incorrectly. Carson Gaspar

NAT code doesn't include interface name when matching - Alexey Mavrin
<lha@elco.spb.ru>

replace old SunOS tcpip.h with new tcpip.h (from 4.4BSD) - Jason Thorpe.

update install procedures to include ip_proxy.c

mask out unused bits in NAT/RDR rules.

use a generic type (u_32_t) for 32bit variables, rather than rely on
u_long being such - Jason Thorpe.

create a local "netinet" directory and include from "~netinet/*" rather than
just "*" to make keeping the code working on ports easier.

add an m_copydata and m_copyback for SunOS4 (based on 4.4BSD-Lite versions)

documentation updates.

NetBSD update from Jason Thorpe <thorpej@netbsd.org>

allow RST's through with a matching SEQ # and 0 ACK. Guido Van Rooij

ipmon uses excessive amounts of CPU on Solaris2 - Reinhard Bertram
<Reinhard.Bertram@KOM.th-darmstadt.de>

3.2alpha7 25/5/97 - Released

add strlen for pre-2.2 kernels - Doug Kite <dkite@websgi.icomnet.com>

setup bits and pieces for compiling into a FreeBSD-2.2 kernel.

split up "bsd" targets. Now a separate netbsd/freebsd/bsd target.
mln_ipl.c has been split up into itself and mlf_ipl.c (for freebsd).

fix (negative) host matching in filtering.

add sysctl interface for some variables when compiled into FreeBSD-2.2 kernels
or later.

make all the candidates for kernel compiling include "netinet/..." and build
a subdirectory "netinet" when compiling and symlink all .h files into this.

add install make target to Makefile.ipsend

3.2alpha6 8/5/97 - Released

Add "!" (not) to hostname/ip matching.

Automatically add packet info to the fragment cache if it is a fragment
and we're translating addresses for.

Automatically add packet info to the fragment cache if it is a fragment
and we're "keeping state" for the packet.

Solaris2 patches - Anthony Baxter (arb@connect.com.au)

change install procedure for FreeBSD 2.2 to allow building to a kernel
which is different to the running kernel.

add FIONREAD for Solaris2!

when expiring NAT table entries, if we would set a time to fr_tcpclosed
(which is 1), make it fr_tcplaskack(20) so that the state tables have a
chance to clear up.

3.2alpha5

add proxying skeleton support and sample ftp transparent proxy code.

add printfs at startup to tell user what is happening.

add packets & bytes for EXPIRE NAT log records.

fix the "install-bsd" target in the root Makefile. Chris Williams
<psion@mv.mv.com>

Fixes for FreeBSD 2.2 (and later revs) to prevent panics. Julian Assange.

3.2alpha4 2/4/97 - Released

Some compiler warnings cleaned up.

FreeBSD-2.2 patches for LKM completed.

3.2alpha3 31/3/97 - Released

ipmon changes: -N for reading NAT logfile, -S for reading state logfile.
-a for reading all. -n now toggles hostname resolution.

Add logging of new state entries and expiration of old state entries.
count log successes and failures.

Add logging of new NAT entries and expiration of old NAT entries.
count log successes and failures.

Use u_quad_t for records of bytes & packets where kept
(IP Accounting: fr_hits, fr_bytes; IP state: is_pkts, is_bytes).

Fixup use of CPU and DCPU in Makefiles.

Fix broken 0/32 NAT mapping. Carl Makin <cmakin@nla.gov.au>

3.2alpha2

Implement mapping to 0/32 as being an alias for automatically using the
interface's first IP address.

Implement separate minor devices for both NAT and IP state code.

Fully prototype all functions.

Fix Makefile problem due to attempt to fix Sun compiling problems.

3.1.10 23/3/97 - Released

ipfstat -a requires a -i or -o command line option too. Print an error
when not present rather than attempt to do something.

patch updates for SunOS4 for kernel compiling.
patch for ipmon -s (flush's syslog file which isn't good). Andrew J. Schorr
<schorr@ead.dsa.com>

too many people hit their heads hard when compiling code into the kernel
that doesn't let any packets through. (fil.c - IPF_NOMATCH)

icmp-type parsing doesn't return any errors when it isn't constructed
correctly. Neil Readwin

Using "-conf" with modload on SunOS4 doesn't work.
Timothy Demarest <demarest@arraycomm.com>

Need to define ARCH in makefile for SunOS4 building. "make sunos4"
in INSTALL.SunOS is incorrect. James R Grinter <jrg@blodwen.demon.co.uk>
[all SunOS targets now run buildsunos]

NAT lookups are still incorrect, matching non-TCP/UDP with TCP/UDP
information. ArkanoiD <ark@paranoid.convey.ru>

Need to check for __FreeBSD_version being 199511 rather than 199607
in mln_ipl.c. Eric Feillant <Eric.Feillant@EUnet.fr>

3.1.9 8/3/97 - Released

fixed incorrect lookup of active NAT entries.

patch for ip_deq() wrong for pre 2.1.6 FreeBSD.
fyeung@fyeung8.netific.com (Francis Yeung)

check for out with return-rst/return-icmp at wrong place - Erkki Ritoniemi
(erkki@vlsi.fi)

text_readip returns the interface pointer pointing to text on stack -
Neil Readwin

fix from Pradeep Krishnan for printout rules "with not opt sec".

3.1.8 18/2/97 - Released

Diffs for ip_output.c and ip_input.c updated to fix bug with fastroute and
compiling warnings about reuse of m0.

prevent use of return-rst and return-icmp with rules blocking packets going
out, preventing panics in certain situations.

loop forms in frag cache table - Yury Pshenychny <yura@rd.zgik.zaporizhzhe.ua>

should use SPLNET/SPLX around expire routines in NAT/frag/state code.

redeclared malloc in 44arp.c -

3.1.7 8/2/97 - Released

Macros used for ntohs/htons supplied with gcc don't always work very well
when the assignment is the same variable being converted.

Filter matching doesn't not match rule which checks tcp flags on packets
which are fragments - David Wilson

3.1.7beta 30/1/97 - Released

Fix up NAT bugs introduced in last major change (now tested), including
nat_delete(), nat_lookupredir(), checksum changes, etc.

3.1.7alpha 30/1/97 - Released

Many changes to NAT code, including contributions from Laurent Joncheray
<lpj@ans.net>

Use "NO_SLEEP" when allocating memory under SunOS.

Make kernel printf's nicer for BSD/SunOS4

Always do a checksum for packets being filtered going out and being
processed by fastroute.

Leave kernel to play with cdevsw on *BSD systems with LKM's.

ipnat.1 man page fixes.

3.1.6 21/1/97 - Released

Allow NAT to work on BSD systems in conjunction with "pass .. to ifname"

Memory leak introduced in 3.1.3 in NAT lists, clearing of NAT table tried
to free memory twice.

NAT recalculates IP header checksum based on difference between IP#'s and
port numbers - should be just IP#'s (Solaris2 only)

3.1.5 13/1/97 - Released

fixed setting of NAT timeouts and use different timeouts for concurrent
TCP sessions using the same IP# mapping (when port mapping isn't used)

multiple loading/unloading of LKM's doesn't clean up cdevsw properly for
*BSD systems.

3.1.4 10/1/97 - Released

add command line options -C and -F to ipnat to flush NAT list and table

ipnat -l loops on output - Neil Readwin (nreadwin@nysales.micrognosis.com)

NetBSD/FreeBSD kernel malloc changes - Daniel Carosone

3.1.3 10/1/97 - Released

NAT chains not constructed correctly in hash tables - Antony Y.R Lu
(antony@hawk.ee.ncku.edu.tw)

Updated INSTALL.NetBSD, INSTALL.FreeBSD and INSTALL.Sol2

man page update (ipf.5) from Daniel Carosone (dan@geek.com.au)

ICMP header checksum update now included in NAT.

Solaris2 needs to modify IP header checksums in ip_natin and ip_natout.

3.1.2 4/12/96 - Released

ipmon doesn't use syslog all the time when given -s option

fixed mclput panic in ip_input.c and replace ntohs() with NTOHS() macro

check the results of hostname resolution in ipnat

"make *install" fixed for subdirectories.

problems with "ARCH:=" and gnu make resolved

parser reports an error for lines with whitespaces only rather than skipping
them. D.Carosone@abm.com.au (Daniel Carosone)

patches for integration into NetBSD-current (post 1.2).

add an option to allow non-IP packets going up/down the stream on Solaris2
to be dropped. John Bass.

3.1.2beta 21/11/96 - Released

make ipsend compile on Linux 2.0.24

changes to TCP kept state algorithm, making it watch state on TCP
connections in both directions. Also use the same algorithm for NAT TCP.

-Wall cleanup - Bernd Ernesti

added "or-block" for "pass .. log or-block" after a suggestion from
David Oppenheim (davido@optimation.com.au)

added subdirectories for building IP Filter in SunOS5/BSD for different
cpu architectures

Solaris2 fixes to logging and pre-filtering packet processing - 3.1.1p2

mbuf logging not using mtod(), remove iplbusy - 3.1.1p1 1/11/96

3.1.1 28/10/96 - Released

Installation script fixes and deinstall scripts for IP Filter on:
SunOS4/FreeBSD/NetBSD

Man page fixes - Paul Dubois (dubois@primate.wisc.edu)

Fix use of SOLARIS macro in ipmon, rewrote ipllog() (again!)

parsing isn't completely case insensitive - David Wilson
(davidw@optimation.com.au)

Release ipl_mutex across uiomove() calls

print entire rule entries out for "ipf -z" when zero'ing per-rule stats.

ipfstat returns same output for "hits" in "ipfstat -aio" - Terletsky Slavik
(ts@polynet.lviv.ua)

New algorithm for setting timeouts for TCP connection (more closely follow
TCP FSM) - Pradeep Krishnan (pkrishna@netcom.com)

Track both window sizes for TCP connections through "keep state".

Solaris2 doesn't like _KERNEL defined in stdargs.h - Jos van Wezel
(wezel@bio.vu.nl)

3.1.1-beta2 6/10/96 - Released

Solaris2 fastroute/dup-to/to now works

ipmon `record' reading rewritten

Added post-NetBSD1.2 packet filter patches - Mathew Green (mrg@eterna.com.au)

Attempt to use in_proto.c.diff, not "..diffs" for SunOS4 - David Wilson
(davidw@optimation.com.au)

Michael Ryan (mike@NetworX.ie) reports the following:
* The Trumpet WinSock under Windows always sends its SYN packet with an ACK
  value of 1, unlike any other implementation I've seen, which would set it
  to zero. The "keep state" feature of IP Filter doesn't work when receiving
  non-zero ACK values on new connection requests.
* */Makefile install rule doesn't install all the binaries/man pages
* Make ipnat use "tcp/udp" instead of "tcpudp"
* Print out "tcp/udp" properly
* ipnat "portmap tcp" matches "portmap udp" when adding/removing
* NAT dest. ip# increased by one on mask of 0xffffffff when it shouldn't

3.1.1-beta 1/9/96 - Released

add better detection of TCP connections closing to TCP state monitoring.

fr_addstate() not called correctly for fragments. "keep state" and
"keep frag" code don't work together 100% - Songqing Cai
(songqing_cai@sterling.com)

call to fr_addstate() incorrect for adding state in combination with keeping
fragment information - Songqing Cai (songqing_cai@sterling.com)

KFREE() passed fp (incorrect) and not fr (correct) in ip_frag.c - John Hood
(cgull@smoke.marlboro.vt.us)

make ipf parser recognise '\\' as a `continued line' marker - Dima Ruban
(dima@best.net)

3.1.1-alpha 23/8/96 - Released

kernel panic's when ICMP packets go through NAT code

stats aren't zero'd properly with ipf -Z

ipnat doesn't show port numbers correctly all the time and also add the
protocol (tcp/udp/tcpudp) to rdr output - Carson Gaspar (carson@lehman.com)

fast checksum fixing not 100% - backout patch - Bill Dorsey (dorsey@lila.com)

NetBSD-1.2 patches from - VaX#n8 <vax@linkdead.paranoia.com>

Usage() call error in fils.c - Ajay Shekhawat (ajay@cedar.buffalo.edu)

ip_optcopy() statically defined in ip_output.c in SunOS4 - Nick Hall
(nrh@tardis.ed.ac.uk)

3.1.0 7/7/96 - Released

Reformatted ipnat output to be compatible with its input, so that
"ipnat -l | ipnat -rf -" is possible.

3.1.0beta 30/6/96 - Released

NetBSD-1.2 patches from Greg Woods (woods@most.weird.com)

kernel module must not be installed stripped (Solaris2), as created by
"make package" for Solaris2 - Peter Heimann
(peter@i3.informatik.rwth-aachen.de)

3.1.0alpha 5/6/96 - Released

include examples in package for solaris2

patches for removing an extra ip header checksum (FreeBSD/NetBSD/SunOS)

removed trailing space from printouts of rules in ipf.

ipresend supports the same range of inputs that ipftest does.

sending a duplicate copy of a packet to another network device is now
supported.
("dup-to")

sending a packet to an arbitrary interface is now supported, irrespective
of its actual route, with no ttl decrement. Can also be routed without
the ttl being decremented. ("to" and "fastroute").

"call" option added to support calling a generic function if a packet is
matched.

show all (up to 4) recorded bytes from the interface name in logging from
ipmon.

support for using unix file permissions for read/write access on the device
is now in place.

recursive mutex in nat_new() for Solaris 2.x - Per L. Hagen <per@stibo.dk>

ipftest doesn't call initparse() for THISHOST - Catherine Allen
(cla@connect.com.au)

Man page corrections from Rex Bona (rex@pengo.comsmiths.com.au)

3.0.4 10/4/96 - Released

loop in `parsing' IP packets with optlen 0 for ip options.

rule number not initialized and resulted in unexpected results for state
matching.

option parsing and printing bugs - Pradeep Krishnan

3.0.4beta 25/3/96 - Released

wouldn't parse "keep flags keep state" correctly.

SunOS4.1.x ip_input.c doesn't recognise all 1s broadcast address - Nigel Verdon

patches for BSDI's BSD/OS 2.1 and libpcap reader on little endian systems
from Thorsten Lockert <tholo@tetherless.com>

b* functions in fil.c on Solaris 2.4

3.0.3 17/3/96 - Released

added patches to support IP Filter initialisation when compiled into the
kernel.

added -x option to ipmon to display hex dumps of logged packets.

added -H option to ipftest to allow ascii-hex formatted input to specify
arbitrary IP packets.

Sending TCP RSTs as a response now works for Solaris2 x86

add patches to make IP Filter compile into NetBSD kernels properly.

patch to stop SunOS 4.1.x kernels panicking with "data traps".

ipfboot script unloads and reloads ipf module on Solaris2 if it is already
loaded into the kernel.

Installation of IP Filter as a Solaris2 package is now supported.

Man pages for ipnat.4, ipnat.5 added.

added some more regression tests and fixed up IP Filter to pass the new tests
(previous versions failed some of the tests in set 12).

IP option filter processing has changed so that saying "with opt lsrr" will
check only for that one, but not mask out other options, so a packet with
strict source routing, along with loose source routing will match all of
"with opt lsrr", "with opt ssrr" and "with opt lsrr,ssrr".

IPL_NAME needed in ipnat.c - Kelly (kelly@count04.mry.scruznet.com)

patches for clean NetBSD compilation from Bernd Ernesti (bernd@arresum.inka.de)

make install is incorrect - Julian Briggs (julian@lightwork.co.uk)

strtol() returns 0x7fffffff for all negative numbers,
printfr() generates incorrect output for "opt sec-class *",
handling of "not opt xxx opt yyy" incorrect.
- Minh Tonthat (minht@sbei.com)/Pradeep Krishnan (pradeepk@sbei.com)

m_pullup() called only for input and not output; caused problems
with filtering icmp - Nigel Verdon (verdenn@gb.swissbank.com)

parsing problem for "port 1" and NetBSD patches incorrect -
Andreas Gustafsson (gson@guava.araneus.fi)

3.0.2 4/2/96 - Released

Corrected bug where NAT recalculates checksums for fragments.

make NAT recalculate UDP checksums (rather than setting them to 0),
if they're non-zero.

DNS patches - Real Page (Real.Page@Matrox.com)

alteration of checksum recalculations in NAT code and addition of
redirection with NAT - Mike Neuman

core dump, if tcp/udp is used with a port number and not service name,
in ipf - Mike Neuman (mcn@engarde.com)

initparse() call, missing to prime "<thishost>" hook - Craig Bishop

3.0.1 14/1/96 - Released

miscellaneous patches for Solaris2

3.0 14/1/96 - Released

Patch included for FDDI, from Richard Ohnemus
(Richard_Ohnemus@dallas.csd.sterling.com)

Code cleanup for release.

3.0beta4 10/1/96

recursive mutex in ipfr_slowtimer fixed, reported by Craig Bishop

recursive mutex in sending TCP RSTs fixed, reported by Tony Becker

3.0beta3 9/1/96

Fixup for Solaris2.5 install and interface name bug in ipftest from
Julian Briggs (julian@lightwork.co.uk)

Byte order patches for ipmon from Tony Becker (tony@mcrsys.com)

3.0beta2 7/1/96

Added the (somewhat warped) IP accounting as it exists in ipfw on FreeBSD.
Note, this isn't really what one would call IP account, when compared to
process accounting, sigh.

Split up ipresend into iptest/ipresend/ipsend

Added another m_pullup() inside fr_check() for BSD style kernels and
added some checks to ipllog() to not log more than is present (for short
packets).

Fixed bug where failed hostname/netname resolution goes undetected and
becomes 0.0.0.0 (any) (reported Guido van Rooij)

3.0beta 11/11/95 - Released

Rewrote the way rule testing is done, reducing the number of files needed and
generated.

SIOCIPFFL was incorrectly affected by IPFILTER_LOG (Mathew Green)

Patches from Guido van Rooij to fix sending back TCP RSTs on Net-2/Net-3
BSD based Unixes (panic'd)

Patches for FreeBSD/i86 ipmon from Riku Kalinen <riku@tequila.nixu.fi>
(I think someone else already told me about these but they got lost :-/)

Changed Makefile structure to build object files for different operating
systems in separate directories by default.

BSDI has ef0 for first ethernet interface

Allow for a "not" operator before optional keywords.

The "rule number" was being incorrectly incremented every time it went through
the loop rather than when it matched a rule.

2.8.2 24/10/95 - Released

Fixed up problems with "textip" for doing lots of testing.

Fixed bug in detection of "short" tcp/ip packets (all reported as being short).

Solaris 2.4 port now works 100%.

Man page errors reported and fixed.

Removed duplicate entry in etc/services for login on port 49 (Craig Bishop).

Fixed ipmon output to put a space after the log-letter.

Patch from Guido van Rooij to fix parsing problem.

2.8.1 15/10/95 - Released

Added ttl and tos filtering.

Patches for fixing up compilation and port problems (little endian)
from Guido van Rooij <guido@IAEhv.nl>.

Man page problems reported and fixed by Carson Gaspar <carson@lehman.com>.

ipsend doesn't compile properly on Solaris2.4

Lots of work done for Solaris2.4 to make it MT/MP safe and work.

2.8 15/9/95 - Released

ipmon can now send messages to syslogd (-s) and use names instead of
numbers (-N).

IP packets are now "compiled" into a structure only containing filterable
bits.

Added regression testing in the test/ subdirectory, using a new option
(-b) with the ipftest program.

Added "nomatch" return to filter results. These are counted and show
up in reports from ipfstat.

Moved filter code out of ip_fil.c and into fil.c - there is now only one
instance of it in the package.

Added Solaris 2.4 support.

Added IPSO basic security option filtering.

Added name support for filtering on all 19 named IP options.

Patches from Ivan Brawley to log packet contents as well as packet headers.

Update for sun/conf.c.diff from Ivan Brawley <ibrawley@awadi.com.AU>

Added patches for FreeBSD 1, and added two new switches (-E, -D) to ipf,
along with a new ioctl, SIOCFRENB.
From: Dieter Dworkin Muller <dworkin@village.org>

2.7.3 31/7.95 - Released

Didn't compile cleanly without IPFILTER_LOG defined (Mathew Green).

ipftest now deals with tcpdump3 binary output files (from libpcap) with -P.

Brought ipftest program up to date with actual filter code.

Filter would cause a match to occur when it wasn't meant to if the packet
had short headers and was missing portions that should have been there.
Err, it would rightly not match on them, but their absence caused a match
when it shouldn't have been.

2.7.2 26/7/95 - Released

Problem with filtering just SYN flagged packets reported by
Dieter Dworkin Muller <dworkin@village.org>. To solve this
problem, added support for masking TCP flags for comparison "flags X/Y".

2.7.1 9/7/95 - Released

Added ip_dirbroadcast support for Sun ip_input.c

Fixed up the install scripts for FreeBSD/NetBSD to recognise where they are
better.

2.7 7/7/95 - Released

Added "return-rst" to return TCP RST's to TCP packets.

Actually ported it to FreeBSD-i386 2.0.0, so it works there properly now.

Added insertion of filter rules. Use "@<#>" at the beginning of a filter
to insert a rule at row #.

Filter keeps track of how many times each rule is matched.

Changed compile time things to match kernel option (IPFILTER_LKM &
IPFILTER_LOG).

Updated ip_input.c and ip_output.c with patches for 3.5 Multicast IP.
(No change required for 3.6)

Now includes TCP fragments which start inside the TCP header as being short.
Added counting the number of times each rule is matched.


2.6 11/5/95 - Released

Added -n option to ipf: when supplied, no changes are made to the kernel.

Added installation scripts for SunOS 4.1.x and NetBSD/FreeBSD/BSDI.

Rewrote filtering to use a more generic mask & match procedure for
checking if a packet matches a rule.

2.5.2 27/4/95 - Released

"tcp/udp" and a non-initialised pointer caused the "proto" to become
a `random' value; added "ip#/dotted.mask" notation to the BNF.
From Adam W. Feigin <feigin@iis.ee.ethz.ch>

2.5.1 22/3/95 - Released

"tcp/udp" had a strange effect (undesired) on getserv*() functions,
causing protocol/service lookups to fail. Reported by Matthew Green.

2.5 17/3/95 - Released

Added a new keyword "all" to BNF and parsing of tcpdump/etherfind/snoop
output through the ipftest program. Suggestions from:
Michael Ciavarella (mikec@phyto.apana.org.au)

Conflicts occur when "general" filter rules are used for ports and the
lack of a "proto" when used with "port" matches other packets when only
TCP/UDP are implied.
Reported Matthew Green (mrg@fulcom.com.au);
reported & fixed 6-8/3/95

Added filtering of short TCP packets using "with short" 28/2/95
(These can possibly slip by checks for the various flags). Short UDP
or ICMP are dropped to the floor and logged.

Added filtering of fragmented packets using "with frag" 24/2/95

Port to NetBSD-current completed 20/2/95, using LKM.

Added logging of the rule # which caused the logging to happen and the
interface on which the packet is currently as suggested by
Andreas Greulich (greulich@math-stat.unibe.ch) 10/2/95

2.4 9/2/95 - Released
Fixed saving of IP headers in ICMP packets.

2.3 29/1/95
Added ipf -F [in|out|all] to flush filter rule sets (SIOCIPFFL).
Fixed iplread() and iplsave() with help from Marc Huber.

2.2 7/1/95 - Released
Added code from Marc Huber <huber@fzi.de> to allow it to allocate
its own major char number dynamically when modload'ing. Fixed up
use of <, >, <=, >= and >< for ports.

2.1 21/12/94 - Released
repackaged to include the correct ip_output.c and ip_input.c *goof*

2.0 18/12/94 - Released
added code to check for port ranges - complete.
rewrote to work as a loadable kernel module - complete.

1.1
added code for output filtering as well as input filtering and added
support for logging to a simple character device of packet headers.

1.0 22/04/93 - Released
First release cut.