HISTORY revision 67615
#
# NOTE: Quite a few patches and suggestions come from other sources, to whom
# I'm greatly indebted, even if no names are mentioned.
#
# Thanks to the Coombs Computing Unit at the ANU for their continued support
# in providing a very available location for the IP Filter home page and
# distribution center.
#
# Thanks to Hewlett Packard for making it possible to port IP Filter to
# HP-UX 11.00.
#
# Thanks to Tel.Net Media for supplying me with equipment to ensure that
# IP Filter continues to work on Solaris/sparc64.
#
# Thanks to BSDI for providing object files for BSD/OS 3.1 and the means
# to further support development of IP Filter under BSDI.
#
# Thanks to Craig Bishop of connect.com.au and Sun Microsystems for the
# loan of a machine to work on a Solaris 2.x port of this software.
#
# Thanks also to all those who have contributed patches and other code,
# and especially those who have found the time to port IP Filter to new
# platforms.
#
3.4.12 26/10/2000 - Released

fix installing into FreeBSD-4.1

fix FTP proxy bug where it'd hang and make NAT slightly more efficient

fix general compiling errors/warnings on various platforms

don't access ICMP data fields that aren't there

3.4.11 09/10/2000 - Released

return NULL for IPv6 access control lists if it is disabled rather than
random garbage.

fix for getting protocol & packet length for IPv6 packets for pullup.

update plog script from version 0.8 to version 0.10

patch from Frank Volf adding fix_datacksum() to NAT code, enhancing the
capabilities for "fixing" checksums.

3.4.10 03/09/2000 - Released

merge patch from Frank Volf for ICMP nat handling of TCP/UDP data `errors'

getline() adjusts linenum now

add tcphalfclosed timeout

fill in icmp_nextmtu field if it is defined on the platform

RST generation fix from guido

force 32bit compile for gcc on solaris if it can't generate 64bit code

encase logging when fr_chksrc == 2 in #ifdef IPFILTER_LOG

fix up line wrap problems in plog script

fix ICMP packet handling to not drop valid ICMP errors

freebsd 5.0 compat changes

3.4.9 08/08/2000 - Released

implement new aging mechanism in fr_tcp_age()

fix icmp state checking bug

revamp buildsunos script and build both sparcv7/sparcv9 for Solaris
if on an Ultra with a 64bit system & compiler (Casper Dik)

open ipfilter device read only if we know we can

print out better information for ICMP packets in ipmon

move checking for source spoofed packets to a point where we can generate
logs of them

return EFAULT from ircopyptr/iwcopyptr

don't do ioctl(SIOCGETFS) for auth stats

fix up freeing mbufs for post-4.3BSD

fix returning of inc from ftp proxy

fix bugs with ipfs -R/-W (Casper Dik)

3.4.8 19/07/2000 - Released

create fake opt_inet6.h for FreeBSD-4 compile as LKM

add #ifdef's for KLD_MODULE sanity

NAT fastroute'd packets which come out of return-*

fix upper/lower case crap in ftp proxy and get seq# checking fixed up.

3.4.7 08/07/2000 - Released

make "ipf -y" lookup NAT if's which are unknown

prepend line numbers to ioctl error messages in ipf/ipnat

don't apply patches to FreeBSD twice

allow for ip_len to be on an unaligned boundary early on in fr_precheck

fix printing of icmp code when it is 0

correct printing of port numbers in map rules with from/to

don't allow fr_func to be called at securelevel > 0 or rules to be added
if securelevel > 0 if they have a non-zero fr_func.

3.4.6 11/06/2000 - Released

add extra regression tests for new nat functionality

place restrictions on using '!' in map/rdr rules

fix up solaris compile problems

3.4.5 10/06/2000 - Released

mention -sl in ipfstat.8

fix/support '!' in from/to rules (rdr) for NAT

add from/to support to rdr NAT rules

don't send ICMP errors in response to ICMP errors

fix sunos5 compilation for "ipfstat-top" and cleanup ipfboot

input accounting list used for both outbound and inbound packets

3.4.4 23/05/2000 - Released

don't add TCP state if it is an RST packet and (attempt) to send out
RST/ICMP packets in a manner that bypasses IP Filter.

add patch to work with 4.0_STABLE delayed checksums

3.4.3 20/05/2000 - Released

fix ipmon -F

don't truncate IPv6 packets on Solaris

fix keep state for ICMP ECHO

add some NAT stats and use def_nat_age rather than DEF_NAT_AGE

don't make ftp proxy drop packets

use MCLISREFERENCED() in tandem with M_EXT to check if IP fields need to be
swapped back.

fix up RST generation for non-Solaris

get "short" flag right for IPv6

3.4.2 - 10/5/2000 - Released

Fix bug in dealing with "hlen == 1 and opt > 1" - Itojun

ignore previous NAT mappings for 0/0 and 0/32 rules

bring in a completely new ftp proxy

allow NAT to cause packets to be dropped.

add NetBSD callout support for 1.4-current

3.4.1 - 30/4/2000 - Released

add ratoui() and fix parsing of group numbers to allow 0 - UINT_MAX

don't include opt_inet6.h for FreeBSD if KLD_MODULE is defined

Solaris must use copyin() for all types of ioctl() args

fix up screen/tty when leaving "top mode" of ipfstat

linked list for maptable not setup correctly in nat_hostmap()

check for maptable rather than nat_table[1] to see if malloc for maptable
succeeded in nat_init

fix handling of map NAT rules with "from/to" host specs

fix printout out of source address when using "from/to" with map rules

convert ip_len back to network byte order, not plen, for solaris as ip_len
may have been changed by NAT and plen won't reflect this

3.4 - 27/4/2000 - Released

source address spoofing can be turned on (fr_chksrc) without using
filter rules

group numbers are now 32bits in size, up from 16bits

IPv6 filtering available

add frank volf's state-top patches

add load splitting and round-robin attribute to redirect rules

FreeBSD-4.0 support (including KLD)

add top-style operation mode for ipfstat (-t)

add save/restore of IP Filter state/NAT information (ipfs)

further ftp proxy security checks

support for adding and removing proxies at runtime

3.3.13 26/04/2000 - Released

Fix parsing of "range" with "portmap"

Relax checking of ftp replies, slightly.

Fix NAT timeouts for ICMP packets

SunOS4 patches for ICMP redirects from Jurgen Keil (jk@tools.de)

3.3.12 16/03/2000 - Released

tighten up ftp proxy behaviour. sigh. yuck. hate.

fix bug in range check for NAT where the last IP# was not used.

fix problem with icmp codes > 127 in filter rules caused bad things to
happen and in particular, where #18 caused the rule to be printed
erroneously.

fix bug with the spl level not being reset when returning EIO from
iplioctl due to ipfilter not being initialized yet.

3.3.11 04/03/2000 - Released

make "or-block" work with lines that start with "log"

fix up parsing and printing of rules with syslog levels in them

fix from Cy Schubert for calling of apr_fini only if non-null


3.3.10 24/02/2000 - Released

* fix back from guido for state tracking interfaces

* update for NetBSD pfil interface changes

* if attaching fails and we can abort, then cleanup when doing so.

julian@computer.org:
* solaris.c (fr_precheck): After calling freemsg on mt, set it to point to *mp.
* ipf.c (packetlogon): use flag to store the return value from get_flags.
* ipmon.c (init_tabs): General cleanup so we do not have to cast
  an int s->s_port to u_int port and try to check if the u_int port
  is less than zero.

3.3.9 15/02/2000 - Released

fix scheduling of bad locking in fr_addstate() used when we attach onto
a filter rule.

fix up ip_statesync() with storing interface names in ipstate_t

fix fr_running for LKM's - Eugene Polovnikov

junk using pullupmsg() for solaris - it's next to useless for what we
need to do here anyway - and implement what we require.

don't call fr_delstate() in fr_checkstate(), when compiled for a user
program, early but when we're finished with it (got fr & pass)

ipnat(5) fix from Guido

on solaris2, copy message and use that with filter if there is another
copy of it being used (db_ref > 1). bad for performance, but better
than causing a crash.

patch for solaris8-fcs compile from Casper Dik

3.3.8 01/02/2000 - Released

fix state handling of SYN packets.

add parsing recognition of extra icmp types/codes and fix handling of
icmp time stamps and mask requests - Frank volf

3.3.7 25/01/2000 - Released

sync on state information as well as NAT information when required

record nat protocol in all nat log records

don't reuse the IP# from an active NAT session if the IP# in the rule
has changed dynamically.

lookup the protocol for NAT log information in ipmon and pass that to
portname.

fix the bug with changing the outbound interface of a packet where it
would lead to a panic.

use fr_running instead of ipl_inited. (sysctl name change on freebsd)

return EIO if someone attempts an ioctl on state/nat if ipfilter is not
enabled.

fix rule insertion bug

make state flushing clean anything that's not fully established (4/4)

call fr_state_flush() after we've released ipf_state so we don't generate
a recursive mutex acquisition panic

fix parsing of icmp code after return-icmp/return-icmp-as-dest and add
some patches to enhance parsing strength

3.3.6 28/12/1999 - Released

add in missing rwlock release in fr_checkicmpmatchingstate() and fix check
for ICMP_ECHO to only be for packet, not state entry which we don't have yet.

handle SIOCIPFFB in nat_ioctl() and fr_state_ioctl()

fix size of friostat for SunOS4

fix bug in running off the end of a buffer in real audio proxy

3.3.5 11/12/1999 - Released

fix parsing of "log level" and printing it back out too

<net/if_types.h> is only present on Solaris2.6/7/8

use send_icmp_err rather than icmp_error to send back a frag-needed error
when doing PMTU

do not use -b with add_drv on Solaris unless $BASEDIR is set.

fix problem where source address in icmp replies is reversed

fix yet another problem with real audio.

3.3.4 4/12/1999 - Released

fix up the real audio proxy to properly setup state information and NAT
entries, thanks to Laine Stump for testing/advice/fixes.

fix ipfr_fastroute to set dst->sin_addr (Sean Farley - appears to prevent
FreeBSD 3.3 from panic'ing) as this had been removed in prior hacks to this
routine.

fix kinstall for BSDI

support ICMP errors being allowed through for ICMP packets going out with
keep state enabled

support hardware checksumming (gigabit ethernet cards) on Solaris thanks to
Tel.Net Media for providing hardware for testing.

patched from Frank Volf for ipmon (ICMP & fragmented packets) and allowing
ICMP responses to ICMP packets in the keep state table.

add in patches for hardware checksumming under solaris

Solaris install scripts now use $BASEDIR as appropriate.

add Solaris8 support

fix "ipf -y" on solaris so that it rescans rules also for changes in
interface pointers

let ipmon become a daemon with -D if it is using syslog

fix parsing of return-icmp-as-dest(foo)

add reference to ipfstat -g to ipfstat.8

ipf_mutex needs to be declared for irix in ip_fil.c

3.3.3 22/10/1999 - Released

add -g command line option to ipfstat to show groups still defined.

fix problem with fragment table not recording rule pointer when called
from state functions (fin_fr not set).

fixup fastroute problems with keep state rules.

load rules into inactive set first, so we don't disable things like NIS
lookups half way through processing - found by Kevin Littlejohn

fix handling of unaligned ip pointer for solaris

patch for fr_newauth from Rudi Sluijtman

fixed htons() bug in fr_tcpsum() where ip_p wasn't cast to u_short

3.3.2 23/09/1999 - Released

patches from Scott Presnell to fix rcmd proxy

patches from Greg to fix Solaris detachment of interfaces

add openbsd compatibility fixes

fix free'ing already freed memory in ipfr_slowtimer()

fix for dereferencing invalid memory in cleaning up after a device disappears

3.3.1 14/8/1999 - Released

remove include file sys/user.h for irix

prevent people from running buildsunos directly

fix up some problems with the saving of rule pointers so that NAT saves
that information in case it should need to call fr_addstate() from a proxy.

fix up scanning for the end of FTP messages

don't remove /etc/opt/ipf in postremove

attempt to prevent people running buildsolaris script without doing a
"make solaris"

fix timeout losing on freebsd3

3.3 7/8/1999 - Released

NAT: information (rules, mappings) are stored in hash tables; setup some
basic NAT regression testing.

display version name of installed kernel code when initializing.

add -V command line option to ipf, showing version (program and kernel
module) as well as the run-status of the kernel code.

fix problem with "log" rules actually affecting result of filtering.

automatically use SUNWspro if available and on a 64bit Solaris system for
compiling.

add kernel proxies for rcmd(3) and RealAudio (PNA)

use timeout/untimeout on SunOS4/BSD platforms too rather than hijacking
ip_slowtimo

fix IP headers generated through parsing of text information

fix NAT rules to be in the correct order again.

make keep-state work with to/fastroute keywords and enforce usage of those
interfaces.

update keep-state code with new algorithm from Guido

add FreeBSD-3 support

add return-icmp-as-dest option to return an ICMP packet using the original
destination as the source rather than a local IP address

add "level [facility.]<priority>" option to filter language

add changes from Guido to state code.

add code to return EPERM if the device is opened for writing and we're
in securelevel 2 or greater.

authentication code patches from Guido

fix real audio proxy

fix ipmon rule printing of interfaces and add IN/OUT to the end of ipmon
log output.

fix bimap rules with hash tables

update addresses used in NAT mappings for 0/32 rules for any protocol but TCP
if it changes on the interface - check every ip_natexpire()

add redirect regression test

count buckets used in the state hash table.

fix sending of RST's with return-rst to use the ack number provided in
the packet being replied to in addition to the sequence number.

fix to compile as a 64bit application on solaris7-64bit

add NAT IP mapping to ranges of IP addresses that aren't CIDR specified

fix calculation of in_space parameter for NAT

fix `wrapping' when incrementing the next ip address for use in NAT

fix free'ing of kernel memory in ip_natunload on solaris

fix -l/-U command line options from interfering with each other

fix fastroute under solaris2 and cleanup compilation for solaris7

add install scripts and compile cleanly on BSD/OS 4.0

safely open files in /tmp for writing device output when testing.

fix uninitialized pointer bug in NAT

fix SIOCZRLST (zero list rule stats) bug with groups

change some usage of u_short to u_int in function calling

fix compilation for Solaris7 (SUNWspro)

change solaris makefiles to build for either sparc or i386 rather than
per-cpu (sun4u, etc).

fixed bug in ipllog

add patches from George Michaelson for FreeBSD 3.0

add patch from Guido to provide ICMP checking for known state in the same
manner as is done for NAT.

enable FTP PASV proxying and enable wildcarding in NAT/state code for ports
for better PORT/PASV support with FTP.

bring into main tree static nat features: map-block and "auto" portmapping.

add in source host filtering for redirects (alan jones)

3.2.10 22/11/98 - Released

3.2.10beta9 17/11/98 - Released

fix fr_tcpsum problems in handling mbufs with an odd number of bytes
and/or split across an mbuf boundary

fix NAT list entry comparisons and allow multiple entries for the same
proxy (but on different ports).

don't create duplicate NAT entries for repeated PORT commands.

3.2.10beta8 14/11/98 - Released

always exit an rwlock before expecting to enter it again on solaris

fix loop in nat_new for pre-existing nat

don't setup state for an ftp connection if creating nat fails.

3.2.10beta7 05/11/98 - Released

set fake window in ipft_tx.c to ensure code passes tests.

cleaned up/enhanced ipnat -l/ipnat -lv output

fixed NAT handling of non-TCP/UDP packets, esp. for ICMP errors returned.

Solaris recursive mutex on icmp-error/tcp-reset - requires rwlock's rather
than mutexes.

3.2.10beta6 03/11/98 - Released

fix mixed use of krwlock_t and kmutex_t on Solaris2

fix FTP proxy back up, splitting pasv code out of port code.

3.2.10beta5 02/11/98 - Released

fixed port translation in ICMP reply handling

3.2.10beta4 01/11/98 - Released

increase useful statistic collection on solaris

filter DL_UNITDATA_REQ as well as DL_UNITDATA_IND on solaris

disable PASV reply translation for now

fail with an error if we try to load a NAT rule with a non-existent
  proxy name - Guido

fix portmap usage with 0/0 and 0/32 map rules

remove ap_unload/ap_expire - automatically done when NAT is cleaned up

print "STATE:CLOSED" from ipmon if the connection progresses past established
  rather than "STATE:EXPIRED"

3.2.10beta3 26/10/98 - Released

fixed traceroute/nat problem

rewrote nat/proxy interface

ipnat now lists associated proxy sessions for each NAT where applicable

3.2.10beta2 13/10/98 - Released

use KRWLOCK_T in place of krwlock_t for solaris as well as irix

disable use of read-write lock acquisition by default

add in mb_t for linux, non-kernel

some changes to progress compilation on linux with glibc

change PASV as well as PORT when passed through kernel ftp proxy.

don't allow window to become 0 in tcp state code

make ipmon compile cleaner

irix patches

3.2.10beta 11/09/98 - Released

stop fr_tcpsum() thinking it has run out of data when it hasn't.

stop solaris panics due to fin_dp being something wild.

revisit usage of ATOMIC_*()

log closing state of TCP connection in "keep state"

fix fake-arp table code for ipsend.

ipmon now writes pid to a file.

fix "ipmon -a" to actually activate all logging devices.

add patches for BSDOS4.

perl scripts for log analysis donated.

3.2.9 22/06/98 - Released

fix byte order for ICMP packets generated on Solaris

fix some locking problems.

fix malloc bug in NAT (introduced in 3.2.8).

patch from guido for state connections that get fragmented

3.2.8 08/06/98 - Released

use readers/writers locks in Solaris2 in place of some mutexes.

Solaris2 installation enhancements - Martin Forssen (maf@carlstedt.se)

3.2.7 24/05/98 - Released

u_long -> u_32_t conversions

patches from Bernd Ernesti for NetBSD

fixup ipmon to actually handle HUP's.

Linux fixes from Michael H. Warfield (mhw@wittsend.com)

update for keep state patch (not security related) - Guido

dumphex() uses stdout rather than log

3.2.6 18/05/98 - Released

fix potential security loop hole in keep state code.

update examples.

3.2.5 09/05/98 - Released

BSD/OS 3.1 .o files added for the kernel.

fix sequence # skew vs window size check.

fix minimum ICMP header size check.

remove references to Cybersource.

fix my email address.

remove ntohl in ipnat - Thomas Tornblom

3.2.4 09/04/98 - Released

add script to make devices for /dev on BSD boxes

fixup building into the kernel for FreeBSD 2.2.5

add -D command line option to ipmon to make it a daemon and SIGHUP causes
it to close and reopen the logfile

fixup make clean and make package for SunOS5 - Marc Boucher

postinstall keeps adding "minor=ipf ipl" - George Ross <gdmr@dcs.ed.ac.uk>

protected by IP Filter gif - Sergey Solyanik <solik@atom.ru>

3.2.3 10/11/97 - Released

fix some iplang bugs

fix tcp checksum data overrun, sgi #define changes,
avoid infinite loop when nat'ing to single IP# - Marc Boucher

fixup DEVFS usage for FreeBSD

fix sunos5 "make clean" cleaning up too much

3.2.2 28/11/97 - Released

change packet matching to return actual error, if bad packet, to facilitate
ECONNRESET for TCP.

allow ip:netmask in grammar too now - Guido

assume IRIX has u_int32_t in sys/types.h (needed for R10000)

rewrite parts of command line options for ipmon

fix TCP urgent packet & offset testing and add LAND attack test for iptest

fix grammar error in yacc grammar for iplang

redirect (rdr) destination port byte-swapped when it shouldn't be.

general: fr_check now returns error code, such as EHOSTUNREACH or
ECONNRESET (attempt to make ECONNRESET work for locally outbound
packets).

linux: enable return-rst, need to filter tcp retransmits which are sent
  separately from normal packets

memory leak plugged in ip_proxy.c

BSDI compatibility patches from Guido

tcp checksum fix - Marc Boucher

recursive mutex and ioctl param fix - Marc Boucher

3.2.1 12/11/97 - Released

port to BSD/OS 3.0

port to Linux 2.0.31

patches to make "map a/m -> 0/0" work with ftp proxying properly - Marc Boucher

add "ipf -F s" and "ipf -F S" to flush state table entries.

announce if logging is on or off when ip filter initializes.

"ipf -F a" doesn't flush groups properly for Solaris.

3.2 30/10/97 - Released

ipnat doesn't successfully remove proxy mappings with "-rf" -
Alexander Romanyu

use K&R C function style for solaris kernel code

use m_adj() to decrease packet size in ftp proxy

use mbufchainlen rather than msgdsize,
IRIX update - Marc Boucher

fix NetBSD modunload bug (pfil_add_hook done twice)

patches for OpenBSD 2.1 - Craig Bevins <craigb@bitcom.net.au>

3.2beta10 24/10/97 - Released

fix fragment table entries allocated for NAT.

fix tcp checksum calculations over mbuf/mblk boundaries

fix panic for blen < 0 in ftp kernel proxy - marc boucher

fix flushing of rules which have been grouped.

3.2beta9 20/10/97 - Released

some nit picking on solaris2 with SUNWspro - Michael Lyle <mrl@rpnet.net>

ftp kernel proxy patches from Marc Boucher

3.2beta8 13/10/97 - Released

add support for passing ICMP errors back through NAT.

IRIX port update - Marc Boucher

calculate correct MIN size of packet to log for UDP - Marc Boucher

need htons(ETHERTYPE_x) on little endian BSD boxes - Dave Huang

copyright header fixups

3.2beta7 23/09/97 - Released

fickup problems introduced by prior merges & changes.

3.2beta6 23/09/97 - Released

patch for spin-reading race condition - Marc Boucher.

IRIX port by Marc Boucher.

compatibility updates for Linux to ipsend

3.2beta5 13/09/97 - Released

patches from Bernd Ernesti for NetBSD integration (mostly prototyping and
compiler warning things)

ipf -y will resync IP#'s allocated with 0/32 in NAT to match interface if it
changes.

update manual pages and other documentation updates.

3.2beta4 27/8/97 - Released

enable setting IP and TCP options for iplang/

Solaris2 patches from Marc Boucher.

add groups for filter rules.

3.2beta3 21/8/97 - Released

patches for Solaris2 (interface panic solution ?): fix FIONREAD and
replacing q_qinfo points - Marc Boucher <marc@CAM.ORG>

change ipsend/* and ipsd/* copyright notices to be the same as ip filter's

patch for SYN-ACK skew testing fix from Eric V. Smith <EricSmith@windsor.com>

3.2beta2 6/8/97 - Released

make it load on Solaris 2.3

rewrote logging to remove solaris errors, introduced checking to see if the
same packet is logged successively.

fix filter cache to work when there are no rules loaded.

add "raw" option to ipresend to send entire ethernet frames.

nat list corruption bug - NetBSD - Klaus Klein

3.2beta1 5/7/97 - Released

patches from Jason Thorpe fixing: UNSIGNED_CHAR lossage, off_t being 64bits
lossage, and other NetBSD bits.

NetBSD 1.2G update.

fixup fwtk patches and add protocol field for SIOCGNATL.

rdr bugs reported by Alexander Romanyu (alexr@aix.krid.crimea.ua), with
fixes:
* rdr matched all packets of a given protocol (ignored ports).
* severe bug in nat_delete which caused system crash/freeze.

change Makefile so that CC isn't passed on for FreeBSD/NetBSD (will use
the default CC - cc, not gcc)

3.2alpha9 16/6/97 - Released

added "skip" keyword.

implement preauthentication of packets, as outlined by Guido.

Make it compile as cleanly as possible with -Wall & general code cleanup

getopt returns int, not char. Bernd Ernesti

3.2alpha8 13/6/97 - Released

code added to support "auth" rules which require a user program to allow them
through. First revision and much of the code came from Guido.

hex output from ipmon doesn't go to syslog when recovering from out of sync
error. Luke Mewburn (lukem@connect.com.au)

fix solaris2.6 lookup of destination ire's.

ipnat doesn't throw away unused bits (after masking), causing it to
behave incorrectly. Carson Gaspar

NAT code doesn't include interface name when matching - Alexey Mavrin
<lha@elco.spb.ru>

replace old SunOS tcpip.h with new tcpip.h (from 4.4BSD) - Jason Thorpe.

update install procedures to include ip_proxy.c

mask out unused bits in NAT/RDR rules.

use a generic type (u_32_t) for 32bit variables, rather than rely on
u_long being such - Jason Thorpe.

create a local "netinet" directory and include from ~netinet/*" rather than
just "*" to make keeping the code working on ports easier.

add an m_copydata and m_copyback for SunOS4 (based on 4.4BSD-Lite versions)

documentation updates.

NetBSD update from Jason Thorpe <thorpej@netbsd.org>

allow RST's through with a matching SEQ # and 0 ACK. Guido Van Rooij

ipmon uses excessive amounts of CPU on Solaris2 - Reinhard Bertram
<Reinhard.Bertram@KOM.th-darmstadt.de>

3.2alpha7 25/5/97 - Released

add strlen for pre-2.2 kernels - Doug Kite <dkite@websgi.icomnet.com>

setup bits and pieces for compiling into a FreeBSD-2.2 kernel.

split up "bsd" targets. Now a separate netbsd/freebsd/bsd target.
mln_ipl.c has been split up into itself and mlf_ipl.c (for freebsd).

fix (negative) host matching in filtering.

add sysctl interface for some variables when compiled into FreeBSD-2.2 kernels
or later.

make all the candidates for kernel compiling include "netinet/..." and build
a subdirectory "netinet" when compiling and symlink all .h files into this.

add install make target to Makefile.ipsend

3.2alpha6 8/5/97 - Released

Add "!" (not) to hostname/ip matching.

Automatically add packet info to the fragment cache if it is a fragment
and we're translating addresses for.

Automatically add packet info to the fragment cache if it is a fragment
and we're "keeping state" for the packet.

Solaris2 patches - Anthony Baxter (arb@connect.com.au)

change install procedure for FreeBSD 2.2 to allow building to a kernel
which is different to the running kernel.

add FIONREAD for Solaris2!

when expiring NAT table entries, if we would set a time to fr_tcpclosed
(which is 1), make it fr_tcplaskack(20) so that the state tables have a
chance to clear up.

3.2alpha5

add proxying skeleton support and sample ftp transparent proxy code.

add printfs at startup to tell user what is happening.

add packets & bytes for EXPIRE NAT log records.

fix the "install-bsd" target in the root Makefile. Chris Williams
<psion@mv.mv.com>

Fixes for FreeBSD 2.2 (and later revs) to prevent panics. Julian Assange.

3.2alpha4 2/4/97 - Released

Some compiler warnings cleaned up.

FreeBSD-2.2 patches for LKM completed.

3.2alpha3 31/3/97 - Released

ipmon changes: -N for reading NAT logfile, -S for reading state logfile.
-a for reading all. -n now toggles hostname resolution.

Add logging of new state entries and expiration of old state entries.
count log successes and failures.

Add logging of new NAT entries and expiration of old NAT entries.
count log successes and failures.

Use u_quad_t for records of bytes & packets where kept
(IP Accounting: fr_hits, fr_bytes; IP state: is_pkts, is_bytes).

Fixup use of CPU and DCPU in Makefiles.

Fix broken 0/32 NAT mapping. Carl Makin <cmakin@nla.gov.au>

3.2alpha2

Implement mapping to 0/32 as being an alias for automatically using the
interface's first IP address.

Implement separate minor devices for both NAT and IP state code.

Fully prototype all functions.

Fix Makefile problem due to attempt to fix Sun compiling problems.

3.1.10 23/3/97 - Released

ipfstat -a requires a -i or -o command line option too. Print an error
when not present rather than attempt to do something.

patch updates for SunOS4 for kernel compiling.
patch for ipmon -s (flush's syslog file which isn't good). Andrew J. Schorr
<schorr@ead.dsa.com>

too many people hit their heads hard when compiling code into the kernel
that doesn't let any packets through. (fil.c - IPF_NOMATCH)

icmp-type parsing doesn't return any errors when it isn't constructed
correctly. Neil Readwin

Using "-conf" with modload on SunOS4 doesn't work.
Timothy Demarest <demarest@arraycomm.com>

Need to define ARCH in makefile for SunOS4 building. "make sunos4"
in INSTALL.SunOS is incorrect. James R Grinter <jrg@blodwen.demon.co.uk>
[all SunOS targets now run buildsunos]

NAT lookups are still incorrect, matching non-TCP/UDP with TCP/UDP
information. ArkanoiD <ark@paranoid.convey.ru>

Need to check for __FreeBSD_version being 199511 rather than 199607
in mln_ipl.c. Eric Feillant <Eric.Feillant@EUnet.fr>

3.1.9 8/3/97 - Released

fixed incorrect lookup of active NAT entries.

patch for ip_deq() wrong for pre 2.1.6 FreeBSD.
fyeung@fyeung8.netific.com (Francis Yeung)

check for out with return-rst/return-icmp at wrong place - Erkki Ritoniemi
(erkki@vlsi.fi)

text_readip returns the interface pointer pointing to text on stack -
Neil Readwin

fix from Pradeep Krishnan for printout rules "with not opt sec".

3.1.8 18/2/97 - Released

Diffs for ip_output.c and ip_input.c updated to fix bug with fastroute and
compiling warnings about reuse of m0.

prevent use of return-rst and return-icmp with rules blocking packets going
out, preventing panics in certain situations.

loop forms in frag cache table - Yury Pshenychny <yura@rd.zgik.zaporizhzhe.ua>

should use SPLNET/SPLX around expire routines in NAT/frag/state code.

redeclared malloc in 44arp.c -

3.1.7 8/2/97 - Released

Macros used for ntohs/htons supplied with gcc don't always work very well
when the assignment is the same variable being converted.

Filter matching doesn't not match rule which checks tcp flags on packets
which are fragments - David Wilson

3.1.7beta 30/1/97 - Released

Fix up NAT bugs introduced in last major change (now tested), including
nat_delete(), nat_lookupredir(), checksum changes, etc.

3.1.7alpha 30/1/97 - Released

Many changes to NAT code, including contributions from Laurent Joncheray
<lpj@ans.net>

Use "NO_SLEEP" when allocating memory under SunOS.

Make kernel printf's nicer for BSD/SunOS4

Always do a checksum for packets being filtered going out and being
processed by fastroute.

Leave kernel to play with cdevsw on *BSD systems with LKM's.

ipnat.1 man page fixes.

3.1.6 21/1/97 - Released

Allow NAT to work on BSD systems in conjunction with "pass .. to ifname"

Memory leak introduced in 3.1.3 in NAT lists, clearing of NAT table tried
to free memory twice.

NAT recalculates IP header checksum based on difference between IP#'s and
port numbers - should be just IP#'s (Solaris2 only)

3.1.5 13/1/97 - Released

fixed setting of NAT timeouts and use different timeouts for concurrent
TCP sessions using the same IP# mapping (when port mapping isn't used)

multiple loading/unloading of LKM's doesn't clean up cdevsw properly for
*BSD systems.

3.1.4 10/1/97 - Released

add command line options -C and -F to ipnat to flush NAT list and table

ipnat -l loops on output - Neil Readwin (nreadwin@nysales.micrognosis.com)

NetBSD/FreeBSD kernel malloc changes - Daniel Carosone

3.1.3 10/1/97 - Released

NAT chains not constructed correctly in hash tables - Antony Y.R Lu
(antony@hawk.ee.ncku.edu.tw)

Updated INSTALL.NetBSD, INSTALL.FreeBSD and INSTALL.Sol2

man page update (ipf.5) from Daniel Carosone (dan@geek.com.au)

ICMP header checksum update now included in NAT.

Solaris2 needs to modify IP header checksums in ip_natin and ip_natout.

3.1.2 4/12/96 - Released

ipmon doesn't use syslog all the time when given -s option

fixed mclput panic in ip_input.c and replace ntohs() with NTOHS() macro

check the results of hostname resolution in ipnat

"make *install" fixed for subdirectories.

problems with "ARCH:=" and gnu make resolved

parser reports an error for lines with whitespaces only rather than skipping
them. D.Carosone@abm.com.au (Daniel Carosone)

patches for integration into NetBSD-current (post 1.2).

add an option to allow non-IP packets going up/down the stream on Solaris2
to be dropped. John Bass.

3.1.2beta 21/11/96 - Released

make ipsend compile on Linux 2.0.24

changes to TCP kept state algorithm, making it watch state on TCP
connections in both directions. Also use the same algorithm for NAT TCP.

-Wall cleanup - Bernd Ernesti

added "or-block" for "pass .. log or-block" after a suggestion from
David Oppenheim (davido@optimation.com.au)

added subdirectories for building IP Filter in SunOS5/BSD for different
cpu architectures

Solaris2 fixes to logging and pre-filtering packet processing - 3.1.1p2

mbuf logging not using mtod(), remove iplbusy - 3.1.1p1 1/11/96

3.1.1 28/10/96 - Released

Installation script fixes and deinstall scripts for IP Filter on:
SunOS4/FreeBSD/NetBSD

Man page fixes - Paul Dubois (dubois@primate.wisc.edu)

Fix use of SOLARIS macro in ipmon, rewrote ipllog() (again!)

parsing isn't completely case insensitive - David Wilson
(davidw@optimation.com.au)

Release ipl_mutex across uiomove() calls

print entire rule entries out for "ipf -z" when zero'ing per-rule stats.

ipfstat returns same output for "hits" in "ipfstat -aio" - Terletsky Slavik
(ts@polynet.lviv.ua)

New algorithm for setting timeouts for TCP connection (more closely follow
TCP FSM) - Pradeep Krishnan (pkrishna@netcom.com)

Track both window sizes for TCP connections through "keep state".

Solaris2 doesn't like _KERNEL defined in stdargs.h - Jos van Wezel
(wezel@bio.vu.nl)

3.1.1-beta2 6/10/96 - Released

Solaris2 fastroute/dup-to/to now works

ipmon `record' reading rewritten

Added post-NetBSD1.2 packet filter patches - Mathew Green (mrg@eterna.com.au)

Attempt to use in_proto.c.diff, not "..diffs" for SunOS4 - David Wilson
(davidw@optimation.com.au)

Michael Ryan (mike@NetworX.ie) reports the following:
* The Trumpet WinSock under Windows always sends its SYN packet with an ACK
  value of 1, unlike any other implementation I've seen, which would set it
  to zero. The "keep state" feature of IP Filter doesn't work when receiving
  non-zero ACK values on new connection requests.
* */Makefile install rule doesn't install all the binaries/man pages
* Make ipnat use "tcp/udp" instead of "tcpudp"
* Print out "tcp/udp" properly
* ipnat "portmap tcp" matches "portmap udp" when adding/removing
* NAT dest. ip# increased by one on mask of 0xffffffff when it shouldn't

3.1.1-beta 1/9/96 - Released

add better detection of TCP connections closing to TCP state monitoring.

fr_addstate() not called correctly for fragments. "keep state" and
"keep frag" code don't work together 100% - Songqing Cai
(songqing_cai@sterling.com)

call to fr_addstate() incorrect for adding state in combination with keeping
fragment information - Songqing Cai (songqing_cai@sterling.com)

KFREE() passed fp (incorrect) and not fr (correct) in ip_frag.c - John Hood
(cgull@smoke.marlboro.vt.us)

make ipf parser recognise '\\' as a `continued line' marker - Dima Ruban
(dima@best.net)

3.1.1-alpha 23/8/96 - Released

kernel panic's when ICMP packets go through NAT code

stats aren't zero'd properly with ipf -Z

ipnat doesn't show port numbers correctly all the time and also add the
protocol (tcp/udp/tcpudp) to rdr output - Carson Gaspar (carson@lehman.com)

fast checksum fixing not 100% - backout patch - Bill Dorsey (dorsey@lila.com)

NetBSD-1.2 patches from - VaX#n8 <vax@linkdead.paranoia.com>

Usage() call error in fils.c - Ajay Shekhawat (ajay@cedar.buffalo.edu)

ip_optcopy() statically defined in ip_output.c in SunOS4 - Nick Hall
(nrh@tardis.ed.ac.uk)

3.1.0 7/7/96 - Released

Reformatted ipnat output to be compatible with its input, so that
"ipnat -l | ipnat -rf -" is possible.

3.1.0beta 30/6/96 - Released

NetBSD-1.2 patches from Greg Woods (woods@most.weird.com)

kernel module must not be installed stripped (Solaris2), as created by
"make package" for Solaris2 - Peter Heimann
(peter@i3.informatik.rwth-aachen.de)

3.1.0alpha 5/6/96 - Released

include examples in package for solaris2

patches for removing an extra ip header checksum (FreeBSD/NetBSD/SunOS)

removed trailing space from printouts of rules in ipf.

ipresend supports the same range of inputs that ipftest does.

sending a duplicate copy of a packet to another network device is now
supported. ("dup-to")

sending a packet to an arbitrary interface is now supported, irrespective
of its actual route, with no ttl decrement. Can also be routed without
the ttl being decremented. ("to" and "fastroute").

"call" option added to support calling a generic function if a packet is
matched.

show all (up to 4) recorded bytes from the interface name in logging from
ipmon.

support for using unix file permissions for read/write access on the device
is now in place.

recursive mutex in nat_new() for Solaris 2.x - Per L. Hagen <per@stibo.dk>

ipftest doesn't call initparse() for THISHOST - Catherine Allen
(cla@connect.com.au)

Man page corrections from Rex Bona (rex@pengo.comsmiths.com.au)

3.0.4 10/4/96 - Released

loop in `parsing' IP packets with optlen 0 for ip options.

rule number not initialized and resulted in unexpected results for state
matching.

option parsing and printing bugs - Pradeep Krishnan

3.0.4beta 25/3/96 - Released

wouldn't parse "keep flags keep state" correctly.

SunOS4.1.x ip_input.c doesn't recognise all 1s broadcast address - Nigel Verdon

patches for BSDI's BSD/OS 2.1 and libpcap reader on little endian systems
from Thorsten Lockert <tholo@tetherless.com>

b* functions in fil.c on Solaris 2.4

3.0.3 17/3/96 - Released

added patches to support IP Filter initialisation when compiled into the
kernel.

added -x option to ipmon to display hex dumps of logged packets.

added -H option to ipftest to allow ascii-hex formatted input to specify
arbitrary IP packets.

Sending TCP RSTs as a response now works for Solaris2 x86

add patches to make IP Filter compile into NetBSD kernels properly.

patch to stop SunOS 4.1.x kernels panicking with "data traps".

ipfboot script unloads and reloads ipf module on Solaris2 if it is already
loaded into the kernel.

Installation of IP Filter as a Solaris2 package is now supported.

Man pages for ipnat.4, ipnat.5 added.

added some more regression tests and fixed up IP Filter to pass the new tests
(previous versions failed some of the tests in set 12).

IP option filter processing has changed so that saying "with opt lsrr" will
check only for that one, but not mask out other options, so a packet with
strict source routing, along with loose source routing will match all of
"with opt lsrr", "with opt ssrr" and "with opt lsrr,ssrr".

IPL_NAME needed in ipnat.c - Kelly (kelly@count04.mry.scruznet.com)

patches for clean NetBSD compilation from Bernd Ernesti (bernd@arresum.inka.de)

make install is incorrect - Julian Briggs (julian@lightwork.co.uk)

strtol() returns 0x7fffffff for all negative numbers,
printfr() generates incorrect output for "opt sec-class *",
handling of "not opt xxx opt yyy" incorrect.
- Minh Tonthat (minht@sbei.com)/Pradeep Krishnan (pradeepk@sbei.com)

m_pullup() called only for input and not output; caused problems
with filtering icmp - Nigel Verdon (verdenn@gb.swissbank.com)

parsing problem for "port 1" and NetBSD patches incorrect -
Andreas Gustafsson (gson@guava.araneus.fi)

3.0.2 4/2/96 - Released

Corrected bug where NAT recalculates checksums for fragments.

make NAT recalculate UDP checksums (rather than setting them to 0),
if they're non-zero.

DNS patches - Real Page (Real.Page@Matrox.com)

alteration of checksum recalculations in NAT code and addition of
redirection with NAT - Mike Neuman

core dump, if tcp/udp is used with a port number and not service name,
in ipf - Mike Neuman (mcn@engarde.com)

initparse() call, missing to prime "<thishost>" hook - Craig Bishop

3.0.1 14/1/96 - Released

miscellaneous patches for Solaris2

3.0 14/1/96 - Released

Patch included for FDDI, from Richard Ohnemus
(Richard_Ohnemus@dallas.csd.sterling.com)

Code cleanup for release.

3.0beta4 10/1/96

recursive mutex in ipfr_slowtimer fixed, reported by Craig Bishop

recursive mutex in sending TCP RSTs fixed, reported by Tony Becker

3.0beta3 9/1/96

Fixup for Solaris2.5 install and interface name bug in ipftest from
Julian Briggs (julian@lightwork.co.uk)

Byte order patches for ipmon from Tony Becker (tony@mcrsys.com)

3.0beta2 7/1/96

Added the (somewhat warped) IP accounting as it exists in ipfw on FreeBSD.
Note, this isn't really what one would call IP account, when compared to
process accounting, sigh.

Split up ipresend into iptest/ipresend/ipsend

Added another m_pullup() inside fr_check() for BSD style kernels and
added some checks to ipllog() to not log more than is present (for short
packets).

Fixed bug where failed hostname/netname resolution goes undetected and
becomes 0.0.0.0 (any) (reported Guido van Rooij)

3.0beta 11/11/95 - Released

Rewrote the way rule testing is done, reducing the number of files needed and
generated.

SIOCIPFFL was incorrectly affected by IPFILTER_LOG (Mathew Green)

Patches from Guido van Rooij to fix sending back TCP RSTs on Net-2/Net-3
BSD based Unixes (panic'd)

Patches for FreeBSD/i86 ipmon from Riku Kalinen <riku@tequila.nixu.fi>
(I think someone else already told me about these but they got lost :-/)

Changed Makefile structure to build object files for different operating
systems in separate directories by default.

BSDI has ef0 for first ethernet interface

Allow for a "not" operator before optional keywords.

The "rule number" was being incorrectly incremented every time it went through
the loop rather than when it matched a rule.

2.8.2 24/10/95 - Released

Fixed up problems with "textip" for doing lots of testing.

Fixed bug in detection of "short" tcp/ip packets (all reported as being short).

Solaris 2.4 port now works 100%.

Man page errors reported and fixed.

Removed duplicate entry in etc/services for login on port 49 (Craig Bishop).

Fixed ipmon output to put a space after the log-letter.

Patch from Guido van Rooij to fix parsing problem.

2.8.1 15/10/95 - Released

Added ttl and tos filtering.

Patches for fixing up compilation and port problems (little endian)
from Guido van Rooij <guido@IAEhv.nl>.

Man page problems reported and fixed by Carson Gaspar <carson@lehman.com>.

ipsend doesn't compile properly on Solaris2.4

Lots of work done for Solaris2.4 to make it MT/MP safe and work.

2.8 15/9/95 - Released

ipmon can now send messages to syslogd (-s) and use names instead of
numbers (-N).

IP packets are now "compiled" into a structure only containing filterable
bits.

Added regression testing in the test/ subdirectory, using a new option
(-b) with the ipftest program.

Added "nomatch" return to filter results. These are counted and show
up in reports from ipfstat.

Moved filter code out of ip_fil.c and into fil.c - there is now only one
instance of it in the package.

Added Solaris 2.4 support.

Added IPSO basic security option filtering.

Added name support for filtering on all 19 named IP options.

Patches from Ivan Brawley to log packet contents as well as packet headers.

Update for sun/conf.c.diff from Ivan Brawley <ibrawley@awadi.com.AU>

Added patches for FreeBSD 1, and added two new switches (-E, -D) to ipf,
along with a new ioctl, SIOCFRENB.
From: Dieter Dworkin Muller <dworkin@village.org>

2.7.3 31/7.95 - Released

Didn't compile cleanly without IPFILTER_LOG defined (Mathew Green).

ipftest now deals with tcpdump3 binary output files (from libpcap) with -P.

Brought ipftest program up to date with actual filter code.

Filter would cause a match to occur when it wasn't meant to if the packet
had short headers and was missing portions that should have been there.
Err, it would rightly not match on them, but their absence caused a match
when it shouldn't have been.

2.7.2 26/7/95 - Released

Problem with filtering just SYN flagged packets reported by
Dieter Dworkin Muller <dworkin@village.org>. To solve this
problem, added support for masking TCP flags for comparison "flags X/Y".

2.7.1 9/7/95 - Released

Added ip_dirbroadcast support for Sun ip_input.c

Fixed up the install scripts for FreeBSD/NetBSD to recognise where they are
better.

2.7 7/7/95 - Released

Added "return-rst" to return TCP RST's to TCP packets.

Actually ported it to FreeBSD-i386 2.0.0, so it works there properly now.

Added insertion of filter rules. Use "@<#>" at the beginning of a filter
to insert a rule at row #.

Filter keeps track of how many times each rule is matched.

Changed compile time things to match kernel option (IPFILTER_LKM &
IPFILTER_LOG).

Updated ip_input.c and ip_output.c with patches for 3.5 Multicast IP.
(No change required for 3.6)

Now includes TCP fragments which start inside the TCP header as being short.
Added counting the number of times each rule is matched.


2.6 11/5/95 - Released

Added -n option to ipf: when supplied, no changes are made to the kernel.

Added installation scripts for SunOS 4.1.x and NetBSD/FreeBSD/BSDI.

Rewrote filtering to use a more generic mask & match procedure for
checking if a packet matches a rule.

2.5.2 27/4/95 - Released

"tcp/udp" and a non-initialised pointer caused the "proto" to become
a `random' value; added "ip#/dotted.mask" notation to the BNF.
From Adam W. Feigin <feigin@iis.ee.ethz.ch>

2.5.1 22/3/95 - Released

"tcp/udp" had a strange effect (undesired) on getserv*() functions,
causing protocol/service lookups to fail. Reported by Matthew Green.

2.5 17/3/95 - Released

Added a new keyword "all" to BNF and parsing of tcpdump/etherfind/snoop
output through the ipftest program. Suggestions from:
Michael Ciavarella (mikec@phyto.apana.org.au)

Conflicts occur when "general" filter rules are used for ports and the
lack of a "proto" when used with "port" matches other packets when only
TCP/UDP are implied.
Reported Matthew Green (mrg@fulcom.com.au);
reported & fixed 6-8/3/95

Added filtering of short TCP packets using "with short" 28/2/95
(These can possibly slip by checks for the various flags). Short UDP
or ICMP are dropped to the floor and logged.

Added filtering of fragmented packets using "with frag" 24/2/95

Port to NetBSD-current completed 20/2/95, using LKM.

Added logging of the rule # which caused the logging to happen and the
interface on which the packet is currently as suggested by
Andreas Greulich (greulich@math-stat.unibe.ch) 10/2/95

2.4 9/2/95 - Released
Fixed saving of IP headers in ICMP packets.

2.3 29/1/95
Added ipf -F [in|out|all] to flush filter rule sets (SIOCIPFFL).
Fixed iplread() and iplsave() with help from Marc Huber.

2.2 7/1/95 - Released
Added code from Marc Huber <huber@fzi.de> to allow it to allocate
its own major char number dynamically when modload'ing. Fixed up
use of <, >, <=, >= and >< for ports.

2.1 21/12/94 - Released
repackaged to include the correct ip_output.c and ip_input.c *goof*

2.0 18/12/94 - Released
added code to check for port ranges - complete.
rewrote to work as a loadable kernel module - complete.

1.1
added code for output filtering as well as input filtering and added support for logging to a simple character device of packet headers.

1.0 22/04/93 - Released
First release cut.