Cross Reference: /freebsd-10.2-release/contrib/ipfilter/HISTORY

#
# NOTE: Quite a few patches and suggestions come from other sources, to whom
#       I'm greatly indebted, even if no names are mentioned.
#
# Thanks to the Coombs Computing Unit at the ANU for their continued support
# in providing a very available location for the IP Filter home page and
# distribution center.
#
# Thanks to Hewlett Packard for making it possible to port IP Filter to
# HP-UX 11.00.
#
# Thanks to Tel.Net Media for supplying me with equipment to ensure that
# IP Filter continues to work on Solaris/sparc64.
#
# Thanks to BSDI for providing object files for BSD/OS 3.1 and the means
# to further support development of IP Filter under BSDI.
#
# Thanks to Craig Bishop of connect.com.au and Sun Microsystems for the
# loan of a machine to work on a Solaris 2.x port of this software.
#
# Thanks also to all those who have contributed patches and other code,
# and especially those who have found the time to port IP Filter to new
# platforms.
#
3.4.13	28/10/2000 - Released

fix introduced bug with ICMP packets being rejected when valid

fix bug with proxy's that don't set fin_dlen correctly when calling
fr_addstate()

3.4.12	26/10/2000 - Released

fix installing into FreeBSD-4.1

fix FTP proxy bug where it'd hang and make NAT slightly more efficient

fix general compiling errors/warnings on various platforms

don't access ICMP data fields that aren't there

3.4.11	09/10/2000 - Released

return NULL for IPv6 access control lists if it is disabled rather than
random garbage.

fix for getting protocol & packet length for IPv6 packets for pullup.

update plog script from version 0.8 to version 0.10

patch from Frank Volf adding fix_datacksum() to NAT code, enhancing the
capabilities for "fixing" checksums.

3.4.10	03/09/2000 - Released

merge patch from Frank Volf for ICMP nat handling of TCP/UDP data `errors'

getline() adjusts linenum now

add tcphalfclosed timeout

fill in icmp_nextmtu field if it is defined on the platform

RST generation fix from guido

force 32bit compile for gcc on solaris if it can't generate 64bit code

encase logging when fr_chksrc == 2 in #ifdef IPFILTER_LOG

fix up line wrap problems in plog script

fix ICMP packet handling to not drop valid ICMP errors

freebsd 5.0 compat changes

3.4.9	08/08/2000 - Released

implement new aging mechanism in fr_tcp_age()

fix icmp state checking bug

revamp buildsunos script and build both sparcv7/sparcv9 for Solaris
if on an Ultra with a 64bit system & compiler (Caseper Dik)

open ipfilter device read only if we know we can

print out better information for ICMP packets in ipmon

move checking for source spoofed packets to a point where we can generate
logs of them

return EFAULT from ircopyptr/iwcopyptr

don't do ioctl(SIOCGETFS) for auth stats

fix up freeing mbufs for post-4.3BSD

fix returning of inc from ftp proxy

fix bugs with ipfs -R/-W (Caseper Dik)

3.4.8	19/07/2000 - Released

create fake opt_inet6.h for FreeBSD-4 compile as LKM

add #ifdef's for KLD_MODULE sanity

NAT fastroute'd packets which come out of return-*

fix upper/lower case crap in ftp proxy and get seq# checking fixed up.

3.4.7	08/07/2000 - Released

make "ipf -y" lookup NAT if's which are unknown

prepend line numbers to ioctl error messages in ipf/ipnat

don't apply patches to FreeBSD twice

allow for ip_len to be on an unaligned boundary early on in fr_precheck

fix printing of icmp code when it is 0

correct printing of port numbers in map rules with from/to

don't allow fr_func to be called at securelevel > 0 or rules to be added
if securelevel > 0 if they have a non-zero fr_func.

3.4.6	11/06/2000 - Released

add extra regression tests for new nat functionality

place restrictions on using '!' in map/rdr rules

fix up solaris compile problems

3.4.5	10/06/2000 - Released

mention -sl in ipfstat.8

fix/support '!' in from/to rules (rdr) for NAT

add from/to support to rdr NAT rules

don't send ICMP errors in response to ICMP errors

fix sunos5 compilation for "ipfstat-top" and cleanup ipfboot

input accounting list used for both outbound and inbound packets

3.4.4	23/05/2000 - Released

don't add TCP state if it is an RST packet and (attempt) to send out
RST/ICMP packets in a manner that bypasses IP Filter.

add patch to work with 4.0_STABLE delayed checksums

3.4.3	20/05/2000 - Released

fix ipmon -F

don't truncate IPv6 packets on Solaris

fix keep state for ICMP ECHO

add some NAT stats and use def_nat_age rather than DEF_NAT_AGE

don't make ftp proxy drop packets

use MCLISREFERENCED() in tandem with M_EXT to check if IP fields need to be
swapped back.

fix up RST generation for non-Solaris

get "short" flag right for IPv6

3.4.2 - 10/5/2000 - Released

Fix bug in dealing with "hlen == 1 and opt > 1" - Itojun

ignore previous NAT mappings for 0/0 and 0/32 rules

bring in a completely new ftp proxy

allow NAT to cause packets to be dropped.

add NetBSD callout support for 1.4-current

3.4.1 - 30/4/2000 - Released

add ratoui() and fix parsing of group numbers to allow 0 - UINT_MAX

don't include opt_inet6.h for FreeBSD if KLD_MODULE is defined

Solaris must use copyin() for all types of ioctl() args

fix up screen/tty when leaving "top mode" of ipfstat

linked list for maptable not setup correctly in nat_hostmap()

check for maptable rather than nat_table[1] to see if malloc for maptable
succeeded in nat_init

fix handling of map NAT rules with "from/to" host specs

fix printout out of source address when using "from/to" with map rules

convert ip_len back to network byte order, not plen, for solaris as ip_len
may have been changed by NAT and plen won't reflect this

3.4 - 27/4/2000 - Released

source address spoofing can be turned on (fr_chksrc) without using
filter rules

group numbers are now 32bits in size, up from 16bits

IPv6 filtering available

add frank volf's state-top patches

add load splitting and round-robin attribute to redirect rules

FreeBSD-4.0 support (including KLD)

add top-style operation mode for ipfstat (-t)

add save/restore of IP Filter state/NAT information (ipfs)

further ftp proxy security checks

support for adding and removing proxies at runtime

3.3.13  26/04/2000 - Released

Fix parsing of "range" with "portmap"

Relax checking of ftp replies, slightly.

Fix NAT timeouts for ICMP packets

SunOS4 patches for ICMP redirects from Jurgen Keil (jk@tools.de)

3.3.12  16/03/2000 - Released

tighten up ftp proxy behaviour.  sigh.  yuck.  hate.

fix bug in range check for NAT where the last IP# was not used.

fix problem with icmp codes > 127 in filter rules caused bad things to
happen and in particular, where #18 caused the rule to be printed
erroneously.

fix bug with the spl level not being reset when returning EIO from
iplioctl due to ipfilter not being initialized yet.

3.3.11  04/03/2000 - Released

make "or-block" work with lines that start with "log"

fix up parsing and printing of rules with syslog levels in them

fix from Cy Schubert for calling of apr_fini only if non-null


3.3.10	24/02/2000 - Released

* fix back from guido for state tracking interfaces

* update for NetBSD pfil interface changes

* if attaching fails and we can abort, then cleanup when doing so.

julian@computer.org:
* solaris.c (fr_precheck): After calling freemsg on mt, set it point to *mp.
* ipf.c (packetlogon): use flag to store the return value from get_flags.
* ipmon.c (init_tabs): General cleanup so we do not have to cast
  an int s->s_port to u_int port and try to check if the u_int port
  is less than zero.

3.3.9	15/02/2000 - Released

fix scheduling of bad locking in fr_addstate() used when we attach onto
a filter rule.

fix up ip_statesync() with storing interface names in ipstate_t

fix fr_running for LKM's - Eugene Polovnikov

junk using pullupmsg() for solaris - it's next to useless for what we
need to do here anyway - and implement what we require.

don't call fr_delstate() in fr_checkstate(), when compiled for a user
program, early but when we're finished with it (got fr & pass)

ipnat(5) fix from Guido

on solaris2, copy message and use that with filter if there is another
copy if it being used (db_ref > 1).  bad for performance, but better
than causing a crash.

patch for solaris8-fcs compile from Casper Dik

3.3.8	01/02/2000 - Released

fix state handling of SYN packets.

add parsing recognition of extra icmp types/codes and fix handling of
icmp time stamps and mask requests - Frank volf

3.3.7	25/01/2000 - Released

sync on state information as well as NAT information when required

record nat protocol in all nat log records

don't reuse the IP# from an active NAT session if the IP# in the rule
has changed dynamically.

lookup the protocol for NAT log information in ipmon and pass that to
portname.

fix the bug with changing the outbound interface of a packet where it
would lead to a panic.

use fr_running instead of ipl_inited. (sysctl name change on freebsd)

return EIO if someone attempts an ioctl on state/nat if ipfilter is not
enabled.

fix rule insertion bug

make state flushing clean anything that's not fully established (4/4)

call fr_state_flush() after we've released ipf_state so we don't generate
a recursive mutex acquisition panic

fix parsing of icmp code after return-icmp/return-icmp-as-dest and add
some patches to enhance parsing strength

3.3.6	28/12/1999 - Released

add in missing rwlock release in fr_checkicmpmatchingstate() and fix check
for ICMP_ECHO to only be for packet, not state entry which we don't have yet.

handle SIOCIPFFB in nat_ioctl() and fr_state_ioctl()

fix size of friostat for SunOS4

fix bug in running off the end of a buffer in real audio proxy

3.3.5	11/12/1999 - Released

fix parsing of "log level" and printing it back out too

<net/if_types.h> is only present on Solaris2.6/7/8

use send_icmp_err rather than icmp_error to send back a frag-needed error
when doing PMTU

do not use -b with add_drv on Solaris unless $BASEDIR is set.

fix problem where source address in icmp replies is reversed

fix yet another problem with real audio.

3.3.4	4/12/1999 - Released

fix up the real audio proxy to properly setup state information and NAT
entries, thanks to Laine Stump for testing/advice/fixes.

fix ipfr_fastroute to set dst->sin_addr (Sean Farley - appears to prevent
FreeBSD 3.3 from panic'ing) as this had been removed in prior hacks to this
routine.

fix kinstall for BSDI

support ICMP errors being allowed through for ICMP packets going out with
keep state enabled

support hardware checksumming (gigabit ethernet cards) on Solaris thanks to
Tel.Net Media for providing hardware for testing.

patched from Frank Volf for ipmon (ICMP & fragmented packets) and allowing
ICMP responses to ICMP packets in the keep state table.

add in patches for hardware checksumming under solaris

Solaris install scripts now use $BASEDIR as appropriate.

add Solaris8 support

fix "ipf -y" on solaris so that it rescans rules also for changes in
interface pointers

let ipmon become a daemon with -D if it is using syslog

fix parsing of return-icmp-as-dest(foo)

add reference to ipfstat -g to ipfstat.8

ipf_mutex needs to be declared for irix in ip_fil.c

3.3.3	22/10/1999 - Released

add -g command line option to ipfstat to show groups still define.

fix problem with fragment table not recording rule pointer when called
from state functions (fin_fr not set).

fixup fastroute problems with keep state rules.

load rules into inactive set first, so we don't disable things like NIS
lookups half way through processing - found by Kevin Littlejohn

fix handling of unaligned ip pointer for solaris

patch for fr_newauth from Rudi Sluijtman

fixed htons() bug in fr_tcpsum() where ip_p wasn't cast to u_short

3.3.2	23/09/1999 - Released

patches from Scott Presnell to fix rcmd proxy

patches from Greg to fix Solaris detachment of interfaces

add openbsd compatibility fixes

fix free'ing already freed memory in ipfr_slowtimer()

fix for deferencing invalid memory in cleaning up after a device disappears

3.3.1	14/8/1999 - Released

remove include file sys/user.h for irix

prevent people from running buildsunos directly

fix up some problems with the saving of rule pointers so that NAT saves
that information in case it should need to call fr_addstate() from a proxy.

fix up scanning for the end of FTP messages

don't remove /etc/opt/ipf in postremove

attempt to prevent people running buildsolaris script without doing a
"make solaris"

fix timeout losing on freebsd3

3.3	7/8/1999 - Released

NAT: information (rules, mappings) are stored in hash tables; setup some
basic NAT regression testing.

display version name of installed kernel code when initializing.

add -V command line option to ipf, showing version (program and kernel
module) as well as the run-status of the kernel code.

fix problem with "log" rules actually affecting result of filtering.

automatically use SUNWspro if available and on a 64bit Solaris system for
compiling.

add kernel proxies for rcmd(3) and RealAudio (PNA)

use timeout/untimeout on SunOS4/BSD platforms too rather than hijacking
ip_slowtimo

fix IP headers generated through parsing of text information

fix NAT rules to be in the correct order again.

make keep-state work with to/fastroute keywords and enforce usage of those
interfaces.

update keep-state code with new algorithm from Guido

add FreeBSD-3 support

add return-icmp-as-dest option to retrun an ICMP packet using the original
destination as the source rather than a local IP address

add "level [facility.]<priority>" option to filter language

add changes from Guido to state code.

add code to return EPERM if the device is opened for writing and we're
in securelevel 2 or greater.

authentication code patches from Guido

fix real audio proxy

fix ipmon rule printing of interfaces and add IN/OUT to the end of ipmon
log output.

fix bimap rules with hash tables

update addresses used in NAT mappings for 0/32 rules for any protocol but TCP
if it changes on the interface - check every ip_natexpire()

add redirect regression test

count buckets used in the state hash table.

fix sending of RST's with return-rst to use the ack number provided in
the packet being replied to in addition to the sequence number.

fix to compile as a 64bit application on solaris7-64bit

add NAT IP mapping to ranges of IP addresses that aren't CIDR specified

fix calculation of in_space parameter for NAT

fix `wrapping' when incrementing the next ip address for use in NAT

fix free'ing of kernel memory in ip_natunload on solaris

fix -l/-U command line options from interfering with each other

fix fastroute under solaris2 and cleanup compilation for solaris7

add install scripts and compile cleanly on BSD/OS 4.0

safely open files in /tmp for writing device output when testing.

fix uninitialized pointer bug in NAT

fix SIOCZRLST (zero list rule stats) bug with groups

change some usage of u_short to u_int in function calling

fix compilation for Solaris7 (SUNWspro)

change solaris makefiles to build for either sparc or i386 rather than
per-cpu (sun4u, etc).

fixed bug in ipllog

add patches from George Michaelson for FreeBSD 3.0

add patch from Guido to provide ICMP checking for known state in the same
manner as is done for NAT.

enable FTP PASV proxying and enable wildcarding in NAT/state code for ports
for better PORT/PASV support with FTP.

bring into main tree static nat features: map-block and "auto" portmapping.

add in source host filtering for redirects (alan jones)

3.2.10		22/11/98 - Released

3.2.10beta9	17/11/98 - Released

fix fr_tcpsum problems in handling mbufs with an odd number of bytes
and/or split across an mbuf boundary

fix NAT list entry comparisons and allow multiple entries for the same
proxy (but on different ports).

don't create duplicate NAT entries for repeated PORT commands.

3.2.10beta8	14/11/98 - Released

always exit an rwlock before expecting to enter it again on solaris

fix loop in nat_new for pre-existing nat

don't setup state for an ftp connection if creating nat fails.

3.2.10beta7	05/11/98 - Released

set fake window in ipft_tx.c to ensure code passes tests.

cleaned up/enhanced ipnat -l/ipnat -lv output

fixed NAT handling of non-TCP/UDP packets, esp. for ICMP errors returned.

Solaris recusive mutex on icmp-error/tcp-reset - requires rwlock's rather
than mutexes.

3.2.10beta6	03/11/98 - Released

fix mixed use of krwlock_t and kmutex_t on Solaris2

fix FTP proxy back up, splitting pasv code out of port code.

3.2.10beta5	02/11/98 - Released

fixed port translation in ICMP reply handling

3.2.10beta4	01/11/98 - Released

increase useful statistic collection on solaris

filter DL_UNITDATA_REQ as well as DL_UNITDATA_IND on solaris

disable PASV reply translation for now

fail with an error if we try to load a NAT rule with a non-existant
   proxy name - Guido

fix portmap usage with 0/0 and 0/32 map rules

remove ap_unload/ap_expire - automatically done when NAT is cleaned up

print "STATE:CLOSED" from ipmon if the connection progresses past established
   rather than "STATE:EXPIRED"

3.2.10beta3	26/10/98 - Released

fixed traceroute/nat problem

rewrote nat/proxy interface

ipnat now lists associated proxy sessions for each NAT where applicable

3.2.10beta2	13/10/98 - Released

use KRWLOCK_T in place of krwlock_t for solaris as well as irix

disable use of read-write lock acquisition by default

add in mb_t for linux, non-kernel

some changes to progress compilation on linux with glibc

change PASV as well as PORT when passed through kernel ftp proxy.

don't allow window to become 0 in tcp state code

make ipmon compile cleaner

irix patches

3.2.10beta	11/09/98 - Released

stop fr_tcpsum() thinking it has run out of data when it hasn't.

stop solaris panics due to fin_dp being something wild.

revisit usage of ATOMIC_*()

log closing state of TCP connection in "keep state"

fix fake-arp table code for ipsend.

ipmon now writes pid to a file.

fix "ipmon -a" to actually activate all logging devices.

add patches for BSDOS4.

perl scripts for log analysis donated.

3.2.9	22/06/98 - Released

fix byte order for ICMP packets generated on Solaris

fix some locking problems.

fix malloc bug in NAT (introduced in 3.2.8).

patch from guido for state connections that get fragmented

3.2.8	08/06/98 - Released

use readers/writers locks in Solaris2 in place of some mutexes.

Solaris2 installation enhancements - Martin Forssen (maf@carlstedt.se)

3.2.7	24/05/98 - Released

u_long -> u_32_t conversions

patches from Bernd Ernesti for NetBSD

fixup ipmon to actually handle HUP's.

Linux fixes from Michael H. Warfield (mhw@wittsend.com)

update for keep state patch (not security related) - Guido

dumphex() uses stdout rather than log

3.2.6	18/05/98 - Released

fix potential security loop hole in keep state code.

update examples.

3.2.5	09/05/98 - Released

BSD/OS 3.1 .o files added for the kernel.

fix sequence # skew vs window size check.

fix minimum ICMP header size check.

remove references to Cybersource.

fix my email address.

remove ntohl in ipnat - Thomas Tornblom

3.2.4	09/04/98 - Released

add script to make devices for /dev on BSD boxes

fixup building into the kernel for FreeBSD 2.2.5

add -D command line option to ipmon to make it a daemon and SIGHUP causes
it to close and reopen the logfile

fixup make clean and make package for SunOS5 - Marc Boucher

postinstall keeps adding "minor=ipf ipl" - George Ross <gdmr@dcs.ed.ac.uk>

protected by IP Filter gif - Sergey Solyanik <solik@atom.ru>

3.2.3	10/11/97 - Released

fix some iplang bugs

fix tcp checksum data overrun, sgi #define changes,
avoid infinite loop when nat'ing to single IP# - Marc Boucher

fixup DEVFS usage for FreeBSD

fix sunos5 "make clean" cleaning up too much

3.2.2	28/11/97 - Released

change packet matching to return actual error, if bad packet, to facilitate
ECONNRESET for TCP.

allow ip:netmask in grammar too now - Guido

assume IRIX has u_int32_t in sys/types.h (needed for R10000)

rewrite parts of command line options for ipmon

fix TCP urgent packet & offset testing and add LAND attack test for iptest

fix grammar error in yacc grammar for iplang

redirect (rdr) destination port bytes-wapped when it shouldn't be.

general: fr_check now returns error code, such as EHOSTUNREACH or
ECONNRESET (attempt to make ECONNRESET work for locally outbound
packets).

linux: enable return-rst, need to filter tcp retransmits which are sent
       separately from normal packets

memory leak plugged in ip_proxy.c

BSDI compatibility patches from Guido

tcp checksum fix - Marc Boucher

recursive mutex and ioctl param fix - Marc Boucher

3.2.1	12/11/97 - Released

port to BSD/OS 3.0

port to Linux 2.0.31

patches to make "map a/m -> 0/0" work with ftp proxying properly - Marc Boucher

add "ipf -F s" and "ipf -F S" to flush state table entries.

announce if logging is on or off when ip filter initializes.

"ipf -F a" doesn't flush groups properly for Solaris.

3.2		30/10/97 - Released

ipnat doesn't successfully remove proxy mappings with "-rf" -
Alexander Romanyu

use K&R C function style for solaris kernel code

use m_adj() to decrease packet size in ftp proxy

use mbufchainlen rather than msgdsize,
IRIX update - Marc Boucher

fix NetBSD modunload bug (pfil_add_hook done twice)

patches for OpenBSD 2.1 - Craig Bevins <craigb@bitcom.net.au>

3.2beta10	24/10/97 - Released

fix fragment table entries allocated for NAT.

fix tcp checksum calculations over mbuf/mblk boundaries

fix panic for blen < 0 in ftp kernel proxy - marc boucher

fix flushing of rules which have been grouped.

3.2beta9	20/10/97 - Released

some nit picking on solaris2 with SUNWspro - Michael Lyle <mrl@rpnet.net>

ftp kernel proxy patches from Marc Boucher

3.2beta8	13/10/97 - Released

add support for passing ICMP errors back through NAT.

IRIX port update - Marc Boucher

calculate correct MIN size of packet to log for UDP - Marc Boucher

need htons(ETHERTYPE_x) on little endian BSD boxes - Dave Huang

copyright header fixups

3.2beta7	23/09/97 - Released

fickup problems introduced by prior merges & changes.

3.2beta6	23/09/97 - Released

patch for spin-reading race condition - Marc Boucher.

IRIX port by Marc Boucher.

compatibility updates for Linux to ipsend

3.2beta5	13/09/97 - Released

patches from Bernd Ernesti for NetBSD integration (mostly prototyping and
compiler warning things)

ipf -y will resync IP#'s allocated with 0/32 in NAT to match interface if it
changes.

update manual pages and other documentation updates.

3.2beta4	27/8/97 - Released

enable setting IP and TCP options for iplang/

Solaris2 patches from Marc Boucher.

add groups for filter rules.

3.2beta3	21/8/97 - Released

patches for Solaris2 (interface panic solution ?): fix FIONREAD and
replacing q_qinfo points - Marc Boucher <marc@CAM.ORG>

change ipsend/* and ipsd/* copyright notices to be the same as ip filter's

patch for SYN-ACK skew testing fix from Eric V. Smith <EricSmith@windsor.com>

3.2beta2	6/8/97 - Released

make it load on Solaris 2.3

rewrote logging to remove solaris errors, introduced checking to see if the
same packet is logged successively.

fix filter cache to work when there are no rules loaded.

add "raw" option to ipresend to send entire ethernet frames.

nat list corruption bug - NetBSD - Klaus Klein

3.2beta1	5/7/97 - Released

patches from Jason Thorpe fixing: UNSIGNED_CHAR lossage, off_t being 64bits
lossage, and other NetBSD bits.

NetBSD 1.2G update.

fixup fwtk patches and add protocol field for SIOCGNATL.

rdr bugs reported by Alexander Romanyu (alexr@aix.krid.crimea.ua), with
fixes:
* rdr matched all packets of a given protocol (ignored ports).
* severe bug in nat_delete which caused system crash/freeze.

change Makefile so that CC isn't passed on for FreeBSD/NetBSD (will use
the default CC - cc, not gcc)

3.2alpha9	16/6/97 - Released

added "skip" keyword.

implement preauthentication of packets, as outlined by Guido.

Make it compile as cleanly as possible with -Wall & general code cleanup

getopt returns int, not char. Bernd Ernesti

3.2alpha8	13/6/97 - Released

code added to support "auth" rules which require a user program to allow them
through.  First revision and much of the code came from Guido.

hex output from ipmon doesn't goto syslog when recovering from out of sync
error.  Luke Mewburn (lukem@connect.com.au)

fix solaris2.6 lookup of destination ire's.

ipnat doesn't throw away unused bits (after masking), causing it to
behave incorrectly. Carson Gaspar

NAT code doesn't include inteface name when matching - Alexey Mavrin
<lha@elco.spb.ru>

replace old SunOS tcpip.h with new tcpip.h (from 4.4BSD) - Jason Thorpe.

update install procedures to include ip_proxy.c

mask out unused bits in NAT/RDR rules.

use a generic type (u_32_t) for 32bit variables, rather than rely on
u_long being such - Jason Thorpe.

create a local "netinet" directory and include from ~netinet/*" rather than
just "*" to make keeping the code working on ports easier.

add an m_copydata and m_copyback for SunOS4 (based on 4.4BSD-Lite versions)

documentation updates.

NetBSD update from Jason Thorpe <thorpej@netbsd.org>

allow RST's through with a matching SEQ # and 0 ACK.  Guido Van Rooij

ipmon uses excessive amounts of CPU on Solaris2 - Reinhard Bertram
<Reinhard.Bertram@KOM.th-darmstadt.de>

3.2alpha7	25/5/97 - Released

add strlen for pre-2.2 kernels - Doug Kite <dkite@websgi.icomnet.com>

setup bits and pieces for compiling into a FreeBSD-2.2 kernel.

split up "bsd" targets.  Now a separate netbsd/freebsd/bsd target.
mln_ipl.c has been split up into itself and mlf_ipl.c (for freebsd).

fix (negative) host matching in filtering.

add sysctl interface for some variables when compiled into FreeBSD-2.2 kernels
or later.

make all the candidates for kernel compiling include "netinet/..." and build
a subdirectory "netinet" when compiling and symlink all .h files into this.

add install make target to Makefile.ipsend

3.2alpha6	8/5/97 - Released

Add "!" (not) to hostname/ip matching.

Automatically add packet info to the fragment cache if it is a fragment
and we're translating addreses for.

Automatically add packet info to the fragment cache if it is a fragment
and we're "keeping state" for the packet.

Solaris2 patches - Anthony Baxter (arb@connect.com.au)

change install procedure for FreeBSD 2.2 to allow building to a kernel
which is different to the running kernel.

add FIONREAD for Solaris2!

when expiring NAT table entries, if we would set a time to fr_tcpclosed
(which is 1), make it fr_tcplaskack(20) so that the state tables have a
chance to clear up.

3.2alpha5

add proxying skeleton support and sample ftp transparent proxy code.

add printfs at startup to tell user what is happening.

add packets & bytes for EXPIRE NAT log records.

fix the "install-bsd" target in the root Makefile. Chris Williams
<psion@mv.mv.com>

Fixes for FreeBSD 2.2 (and later revs) to prevent panics.  Julian Assange.

3.2alpha4	2/4/97 - Released

Some compiler warnings cleaned up.

FreeBSD-2.2 patches for LKM completed.

3.2alpha3	31/3/97 - Released

ipmon changes: -N for reading NAT logfile, -S for reading state logfile.
-a for reading all.  -n now toggles hostname resolution.

Add logging of new state entries and expiration of old state entries.
count log successes and failures.

Add logging of new NAT entries and expiration of old NAT entries.
count log successes and failures.

Use u_quad_t for records of bytes & packets where kept
(IP Accounting: fr_hits, fr_bytes; IP state: is_pkts, is_bytes).

Fixup use of CPU and DCPU in Makefiles.

Fix broken 0/32 NAT mapping. Carl Makin <cmakin@nla.gov.au>

3.2alpha2

Implement mapping to 0/32 as being an alias for automatically using the
interface's first IP address.

Implement separate minor devices for both NAT and IP state code.

Fully prototype all functions.

Fix Makefile problem due to attempt to fix Sun compiling problems.

3.1.10		23/3/97 - Released

ipfstat -a requires a -i or -o command line option too.  Print an error
when not present rather than attempt to do something.

patch updates for SunOS4 for kernel compiling.
patch for ipmon -s (flush's syslog file which isn't good).  Andrew J. Schorr
<schorr@ead.dsa.com>

too many people hit their heads hard when compiling code into the kernel
that doesn't let any packets through. (fil.c - IPF_NOMATCH)

icmp-type parsing doesn't return any errors when it isn't constructed
correctly.  Neil Readwin

Using "-conf" with modload on SunOS4 doesn't work.
Timothy Demarest <demarest@arraycomm.com>

Need to define ARCH in makefile for SunOS4 building.  "make sunos4"
in INSTALL.SunOS is incorrect. James R Grinter <jrg@blodwen.demon.co.uk>
[all SunOS targets now run buildsunos]

NAT lookups are still incorrect, matching non-TCP/UDP with TCP/UDP
information. ArkanoiD <ark@paranoid.convey.ru>

Need to check for __FreeBSD_version being 199511 rather than 199607
in mln_ipl.c. Eric Feillant <Eric.Feillant@EUnet.fr>

3.1.9		8/3/97 - Released

fixed incorrect lookup of active NAT entries.

patch for ip_deq() wrong for pre 2.1.6 FreeBSD.
fyeung@fyeung8.netific.com (Francis Yeung)

check for out with return-rst/return-icmp at wrong place - Erkki Ritoniemi
(erkki@vlsi.fi)

text_readip returns the interface pointer pointing to text on stack -
Neil Readwin

fix from Pradeep Krishnan for printout rules "with not opt sec".

3.1.8		18/2/97 - Released

Diffs for ip_output.c and ip_input.c updated to fix bug with fastroute and
compiling warnings about reuse of m0.

prevent use of return-rst and return-icmp with rules blocking packets going
out, preventing panics in certain situations.

loop forms in frag cache table - Yury Pshenychny <yura@rd.zgik.zaporizhzhe.ua>

should use SPLNET/SPLX around expire routines in NAT/frag/state code.

redeclared malloc in 44arp.c -

3.1.7		8/2/97 - Released

Macros used for ntohs/htons supplied with gcc don't always work very well
when the assignment is the same variable being converted.

Filter matching doesn't not match rule which checks tcp flags on packets
which are fragments - David Wilson

3.1.7beta	30/1/97 - Released

Fix up NAT bugs introduced in last major change (now tested), including
nat_delete(), nat_lookupredir(), checksum changes, etc.

3.1.7alpha	30/1/97 - Released

Many changes to NAT code, including contributions from Laurent Joncheray
<lpj@ans.net>

Use "NO_SLEEP" when allocating memory under SunOS.

Make kernel printf's nicer for BSD/SunOS4

Always do a checksum for packets being filtered going out and being
processed by fastroute.

Leave kernel to play with cdevsw on *BSD systems with LKM's.

ipnat.1 man page fixes.

3.1.6		21/1/97 - Released

Allow NAT to work on BSD systems in conjunction with "pass .. to ifname"

Memory leak introduced in 3.1.3 in NAT lists, clearing of NAT table tried
to free memory twice.

NAT recalculates IP header checksum based on difference between IP#'s and
port numbers - should be just IP#'s (Solaris2 only)

3.1.5		13/1/97 - Released

fixed setting of NAT timeouts and use different timeouts for concurrent
TCP sessions using the same IP# mapping (when port mapping isn't used)

multiple loading/unloading of LKM's doesn't clean up cdevsw properly for
*BSD systems.

3.1.4		10/1/97	- Released

add command line options -C and -F to ipnat to flush NAT list and table

ipnat -l loops on output - Neil Readwin (nreadwin@nysales.micrognosis.com)

NetBSD/FreeBSD kernel malloc changes - Daniel Carosone

3.1.3		10/1/97 - Released

NAT chains not constructed correctly in hash tables - Antony Y.R Lu
(antony@hawk.ee.ncku.edu.tw)

Updated INSTALL.NetBSD, INSTALL.FreeBSD and INSTALL.Sol2

man page update (ipf.5) from Daniel Carosone (dan@geek.com.au)

ICMP header checksum update now included in NAT.

Solaris2 needs to modify IP header checksums in ip_natin and ip_natout.

3.1.2		4/12/96 - Released

ipmon doesn't use syslog all the time when given -s option

fixed mclput panic in ip_input.c and replace ntohs() with NTOHS() macro

check the results of hostname resolution in ipnat

"make *install" fixed for subdirectories.

problems with "ARCH:=" and gnu make resolved

parser reports an error for lines with whitespaces only rather than skipping
them. D.Carosone@abm.com.au (Daniel Carosone)

patches for integration into NetBSD-current (post 1.2).

add an option to allow non-IP packets going up/down the stream on Solaris2
to be dropped. John Bass.

3.1.2beta	21/11/96 - Released

make ipsend compile on Linux 2.0.24

changes to TCP kept state algorithm, making it watch state on TCP
connections in both directions.  Also use the same algorithm for NAT TCP.

-Wall cleanup - Bernd Ernesti

added "or-block" for "pass .. log or-block" after a suggestion from
David Oppenheim (davido@optimation.com.au)

added subdirectories for building IP Filter in SunOS5/BSD for different
cpu architecures

Solaris2 fixes to logging and pre-filtering packet processing - 3.1.1p2

mbuf logging not using mtod(), remove iplbusy - 3.1.1p1		1/11/96

3.1.1		28/10/96 - Released

Installation script fixes and deinstall scripts for IP Filter on:
SunOS4/FreeBSD/NetBSD

Man page fixes - Paul Dubois (dubois@primate.wisc.edu)

Fix use of SOLARIS macro in ipmon, rewrote ipllog() (again!)

parsing isn't completely case insensitive - David Wilson
(davidw@optimation.com.au)

Release ipl_mutex across uiomove() calls

print entire rule entries out for "ipf -z" when zero'ing per-rule stats.

ipfstat returns same output for "hits" in "ipfstat -aio" - Terletsky Slavik
(ts@polynet.lviv.ua)

New algorithm for setting timeouts for TCP connection (more closely follow
TCP FSM) - Pradeep Krishnan (pkrishna@netcom.com)

Track both window sizes for TCP connections through "keep state".

Solaris2 doesn't like _KERNEL defined in stdargs.h - Jos van Wezel
(wezel@bio.vu.nl)

3.1.1-beta2	6/10/96 - Released

Solaris2 fastroute/dup-to/to now works

ipmon `record' reading rewritten

Added post-NetBSD1.2 packet filter patches - Mathew Green (mrg@eterna.com.au)

Attempt to use in_proto.c.diff, not "..diffs" for SunOS4 - David Wilson
(davidw@optimation.com.au)

Michael Ryan (mike@NetworX.ie) reports the following:
* The Trumpet WinSock under Windows always sends its SYN packet with an ACK
  value of 1, unlike any other implementation I've seen, which would set it
  to zero.  The "keep state" feature of IP Filter doesn't work when receiving
  non-zero ACK values on new connection requests.
* */Makefile install rule doesn't install all the binaries/man pages
* Make ipnat use "tcp/udp" instead of "tcpudp"
* Print out "tcp/udp" properly
* ipnat "portmap tcp" matches "portmap udp" when adding/removing
* NAT dest. ip# increased by one on mask of 0xffffffff when it shouldn't

3.1.1-beta	1/9/96 - Released

add better detection of TCP connections closing to TCP state monitoring.

fr_addstate() not called correctly for fragments.  "keep state" and
"keep frag" code don't work together 100% - Songqing Cai
(songqing_cai@sterling.com)

call to fr_addstate() incorrect for adding state in combination with keeping
fragment information - Songqing Cai (songqing_cai@sterling.com)

KFREE() passed fp (incorrect) and not fr (correct) in ip_frag.c - John Hood
(cgull@smoke.marlboro.vt.us)

make ipf parser recognise '\\' as a `continued line' marker - Dima Ruban
(dima@best.net)

3.1.1-alpha	23/8/96 - Released

kernel panic's when ICMP packets go through NAT code

stats aren't zero'd properly with ipf -Z

ipnat doesn't show port numbers correctly all the time and also add the
protocol (tcp/udp/tcpudp) to rdr output - Carson Gaspar (carson@lehman.com)

fast checksum fixing not 100% - backout patch - Bill Dorsey (dorsey@lila.com)

NetBSD-1.2 patches from - VaX#n8 <vax@linkdead.paranoia.com>

Usage() call error in fils.c - Ajay Shekhawat (ajay@cedar.buffalo.edu)

ip_optcopy() staticly defined in ip_output.c in SunOS4 - Nick Hall
(nrh@tardis.ed.ac.uk)

3.1.0		7/7/96 - Released

Reformatted ipnat output to be compatible with it's input, so that
"ipnat -l | ipnat -rf -" is possible.

3.1.0beta	30/6/96 - Released

NetBSD-1.2 patches from Greg Woods (woods@most.weird.com)

kernel module must not be installed stripped (Solaris2), as created by
"make package" for Solaris2 - Peter Heimann
(peter@i3.informatik.rwth-aachen.de)

3.1.0alpha	5/6/96 - Released

include examples in package for solaris2

patches for removing an extra ip header checksum (FreeBSD/NetBSD/SunOS)

removed trailing space from printouts of rules in ipf.

ipresend supports the same range of inputs that ipftest does.

sending a duplicate copy of a packet to another network devices is now
supported. ("dup-to")

sending a packet to an arbitary interface is now supported, irrespective
of its actual route, with no ttl decrement.  Can also be routed without
the ttl being decremented. ("to" and "fastroute").

"call" option added to support calling a generic function if a packet is
matched.

show all (upto 4) recorded bytes from the interface name in logging from
ipmon.

support for using unix file permissions for read/write access on the device
is now in place.

recursive mutex in nat_new() for Solaris 2.x - Per L. Hagen <per@stibo.dk>

ipftest doesn't call initparse() for THISHOST - Catherine Allen
(cla@connect.com.au)

Man page corrections from Rex Bona (rex@pengo.comsmiths.com.au)

3.0.4		10/4/96 - Released

looop in `parsing' IP packets with optlen 0 for ip options.

rule number not initialized and resulted in unexpected results for state
maching.

option parsing and printing bugs - Pradeep Krishnan

3.0.4beta	25/3/96	- Released

wouldn't parse "keep flags keep state" correctly.

SunOS4.1.x ip_input.c doesn't recognise all 1s broadcast address - Nigel Verdon

patches for BSDI's BSD/OS 2.1 and libpcap reader on little endian systems
from Thorsten Lockert <tholo@tetherless.com>

b* functions in fil.c on Solaris 2.4

3.0.3	17/3/96 - Released

added patches to support IP Filter initialisation when compiled into the
kernel.

added -x option to ipmon to display hex dumps of logged packets.

added -H option to ipftest to allow ascii-hex formatted input to specify
arbitary IP packets.

Sending TCP RSTs as a response now work for Solaris2 x86

add patches to make IP Filter compile into NetBSD kernels properly.

patch to stop SunOS 4.1.x kernels panicing with "data traps".

ipfboot script unloads and reloads ipf module on Solaris2 if it is already
loaded into the kernel.

Installation of IP Filter as a Solaris2 package is now supported.

Man pages for ipnat.4, ipnat.5 added.

added some more regression tests and fixed up IP Filter to pass the new tests
(previous versions failed some of the tests in set 12).

IP option filter processing has changed so that saying "with opt lsrr" will
check only for that one, but not mask out other options, so a packet with
strict source routing, along with loose source routing will match all of
"with opt lsrr", "with opt ssrr" and "with opt lsrr,ssrr".

IPL_NAME needed in ipnat.c - Kelly (kelly@count04.mry.scruznet.com)

patches for clean NetBSD compilation from Bernd Ernesti (bernd@arresum.inka.de)

make install is incorrect - Julian Briggs (julian@lightwork.co.uk)

strtol() returns 0x7fffffff for all negative numbers,
printfr() generates incorrect output for "opt sec-class *",
handling of "not opt xxx opt yyy" incorrect.
- Minh Tonthat (minht@sbei.com)/Pradeep Krishnan (pradeepk@sbei.com)

m_pullup() called only for input and not output; caused problems
with filtering icmp - Nigel Verdon (verdenn@gb.swissbank.com)

parsing problem for "port 1" and NetBSD patches incorrect -
Andreas Gustafsson (gson@guava.araneus.fi)

3.0.2	4/2/96 - Released

Corrected bug where NAT recalculates checksums for fragments.

make NAT recalculate UDP checksums (rather than setting them to 0),
if they're non-zero.

DNS patches - Real Page (Real.Page@Matrox.com)

alteration of checksum recalculations in NAT code and addition of
redirection with NAT - Mike Neuman

core dump, if tcp/udp is used with a port number and not service name,
in ipf - Mike Neuman (mcn@engarde.com)

initparse() call, missing to prime "<thishost>" hook - Craig Bishop

3.0.1	14/1/96 - Released

miscellaneous patches for Solaris2

3.0	14/1/96	- Released

Patch included for FDDI, from Richard Ohnemus
(Richard_Ohnemus@dallas.csd.sterling.com)

Code cleanup for release.

3.0beta4 10/1/96

recursive mutex in ipfr_slowtimer fixed, reported by Craig Bishop

recursive mutex in sending TCP RSTs fixed, reported by Tony Becker

3.0beta3 9/1/96

FIxup for Solaris2.5 install and interface name bug in ipftest from
Julian Briggs (julian@lightwork.co.uk)

Byte order patches for ipmon from Tony Becker (tony@mcrsys.com)

3.0beta2 7/1/96

Added the (somewhat warped) IP accounting as it exists in ipfw on FreeBSD.
Note, this isn't really what one would call IP account, when compared to
process accounting, sigh.

Split up ipresend into iptest/ipresend/ipsend

Added another m_pullup() inside fr_check() for BSD style kernels and
added some checks to ipllog() to not log more than is present (for short
packets).

Fixed bug where failed hostname/netname resolution goes undetecte and
becomes 0.0.0.0 (any) (reported Guido van Rooij)

3.0beta	11/11/95	- Released

Rewrote the way rule testing is done, reducing the number of files needed and
generated.

SIOCIPFFL was incorrectly affected by IPFILTER_LOG (Mathew Green)

Patches from Guido van Rooij to fix sending back TCP RSTs on Net-2/Net-3
BSD based Unixes (panic'd)

Patches for FreeBSD/i86 ipmon from Riku Kalinen <riku@tequila.nixu.fi>
(I think someone else already told me about these but they got lost :-/)

Changed Makefile structure to build object files for different operating
systems in separate directories by default.

BSDI has ef0 for first ethernet interface

Allow for a "not" operator before optional keywords.

The "rule number" was being incorrectly incremented every time it went through
the loop rather than when it matched a rule.

2.8.2	24/10/95	- Released

Fixed up problems with "textip" for doing lots of testing.

Fixed bug in detection of "short" tcp/ip packets (all reported as being short).

Solaris 2.4 port now works 100%.

Man page errors reported and fixed.

Removed duplicate entry in etc/services for login on port 49 (Craig Bishop).

Fixed ipmon output to put a space after the log-letter.

Patch from Guido van Rooij to fix parsing problem.

2.8.1	15/10/95	- Released

Added ttl and tos filtering.

Patches for fixing up compilation and port problems (little endian)
from Guido van Rooij <guido@IAEhv.nl>.

Man page problems reported and fixed by Carson Gaspar <carson@lehman.com>.

ipsend doesn't compile properly on Solaris2.4

Lots of work done for Solaris2.4 to make it MT/MP safe and work.

2.8	15/9/95		- Released

ipmon can now send messages to syslogd (-s) and use names instead of
numbers (-N).

IP packets are now "compiled" into a structure only containing filterable
bits.

Added regression testing in the test/ subdirectory, using a new option
(-b) with the ipftest program.

Added "nomatch" return to filter results.  These are counted and show
up in reports from ipfstat.

Moved filter code out of ip_fil.c and into fil.c - there is now only one
instance of it in the package.

Added Solaris 2.4 support.

Added IPSO basic security option filtering.

Added name support for filtering on all 19 named IP options.

Patches from Ivan Brawley to log packet contents as well as packet headers.

Update for sun/conf.c.diff from Ivan Brawley <ibrawley@awadi.com.AU>

Added patches for FreeBSD 1, and added two new switches (-E, -D) to ipf,
along with a new ioctl, SIOCFRENB.
From: Dieter Dworkin Muller <dworkin@village.org>

2.7.3	31/7.95		- Released

Didn't compile cleanly without IPFILTER_LOG defined (Mathew Green).

ipftest now deals with tcpdump3 binary output files (from libpcap) with -P.

Brought ipftest program upto date with actual filter code.

Filter would cause a match to occur when it wasn't meant to if the packet
had short headers and was missing portions that should have been there.
Err, it would rightly not match on them, but their absence caused a match
when it shouldn't have been.

2.7.2	26/7/95		- Released

Problem with filtering just SYN flagged packets reported by
Dieter Dworkin Muller <dworkin@village.org>.  To solve this
problem, added support for masking TCP flags for comparison "flags X/Y".

2.7.1	9/7/95		- Released

Added ip_dirbroadcast support for Sun ip_input.c

Fixed up the install scripts for FreeBSD/NetBSD to recognise where they are
better.

2.7	7/7/95		- Released

Added "return-rst" to return TCP RST's to TCP packets.

Actually ported it to FreeBSD-i386 2.0.0, so it works there properly now.

Added insertion of filter rules.  Use "@<#>" at the beginning of a filter
to insert a rule at row #.

Filter keeps track of how many times each rule is matched.

Changed compile time things to match kernel option (IPFILTER_LKM &
IPFILTER_LOG).

Updated ip_input.c and ip_output.c with paches for 3.5 Multicast IP.
(No change required for 3.6)

Now includes TCP fragments which start inside the TCP header as being short.
Added counting the number of times each rule is matched.


2.6	11/5/95		- Released

Added -n option to ipf: when supplied, no changes are made to the kernel.

Added installation scripts for SunOS 4.1.x and NetBSD/FreeBSD/BSDI.

Rewrote filtering to use a more generic mask & match procedure for
checking if a packet matches a rule.

2.5.2	27/4/95		- Released

"tcp/udp" and a non-initialised pointer caused the "proto" to become
a `random' value; added "ip#/dotted.mask" notation to the BNF.
From Adam W. Feigin  <feigin@iis.ee.ethz.ch>

2.5.1	22/3/95		- Released

"tcp/udp" had a strange effect (undesired) on getserv*() functions,
causing protocol/service lookups to fail.  Reported by Matthew Green.

2.5	17/3/95		- Released

Added a new keyword "all" to BNF and parsing of tcpdump/etherfind/snoop
output through the ipftest program.  Suggestions from:
Michael Ciavarella (mikec@phyto.apana.org.au)

Conflicts occur when "general" filter rules are used for ports and the
lack of a "proto" when used with "port" matches other packets when only
TCP/UDP are implied.
Reported Matthew Green (mrg@fulcom.com.au);
reported & fixed 6-8/3/95

Added filtering of short TCP packets using "with short" 28/2/95
(These can possibly slip by checks for the various flags).  Short UDP
or ICMP are dropped to the floor and logged.

Added filtering of fragmented packets using "with frag" 24/2/95

Port to NetBSD-current completed 20/2/95, using LKM.

Added logging of the rule # which caused the logging to happen and the
interface on which the packet is currently as suggested by
Andreas Greulich (greulich@math-stat.unibe.ch) 10/2/95

2.4	9/2/95		- Released
Fixed saving of IP headers in ICMP packets.

2.3	29/1/95
Added ipf -F [in|out|all] to flush filter rule sets (SIOCIPFFL).
Fixed iplread() and iplsave() with help from Marc Huber.

2.2	7/1/95		- Released
Added code from Marc Huber <huber@fzi.de> to allow it to allocate
its own major char number dynamically when modload'ing.  Fixed up
use of <, >, <=, >= and >< for ports.

2.1	21/12/94	- Released
repackaged to include the correct ip_output.c and ip_input.c *goof*

2.0	18/12/94	- Released
added code to check for port ranges - complete.
rewrote to work as a loadable kernel module - complete.

1.1
added code for ouput filtering as well as input filtering and added support for logging to a simple character device of packet headers.

1.0	22/04/93	- Released
First release cut.