HISTORY revision 67855
#
# NOTE: Quite a few patches and suggestions come from other sources, to whom
# I'm greatly indebted, even if no names are mentioned.
#
# Thanks to the Coombs Computing Unit at the ANU for their continued support
# in providing a very available location for the IP Filter home page and
# distribution center.
#
# Thanks to Hewlett Packard for making it possible to port IP Filter to
# HP-UX 11.00.
#
# Thanks to Tel.Net Media for supplying me with equipment to ensure that
# IP Filter continues to work on Solaris/sparc64.
#
# Thanks to BSDI for providing object files for BSD/OS 3.1 and the means
# to further support development of IP Filter under BSDI.
#
# Thanks to Craig Bishop of connect.com.au and Sun Microsystems for the
# loan of a machine to work on a Solaris 2.x port of this software.
#
# Thanks also to all those who have contributed patches and other code,
# and especially those who have found the time to port IP Filter to new
# platforms.
#
3.4.13 28/10/2000 - Released

fix introduced bug with ICMP packets being rejected when valid

fix bug with proxies that don't set fin_dlen correctly when calling
fr_addstate()

3.4.12 26/10/2000 - Released

fix installing into FreeBSD-4.1

fix FTP proxy bug where it'd hang and make NAT slightly more efficient

fix general compiling errors/warnings on various platforms

don't access ICMP data fields that aren't there

3.4.11 09/10/2000 - Released

return NULL for IPv6 access control lists if it is disabled rather than
random garbage.

fix for getting protocol & packet length for IPv6 packets for pullup.

update plog script from version 0.8 to version 0.10

patch from Frank Volf adding fix_datacksum() to NAT code, enhancing the
capabilities for "fixing" checksums.

3.4.10 03/09/2000 - Released

merge patch from Frank Volf for ICMP nat handling of TCP/UDP data `errors'

getline() adjusts linenum now

add tcphalfclosed timeout

fill in icmp_nextmtu field if it is defined on the platform

RST generation fix from Guido

force 32bit compile for gcc on solaris if it can't generate 64bit code

encase logging when fr_chksrc == 2 in #ifdef IPFILTER_LOG

fix up line wrap problems in plog script

fix ICMP packet handling to not drop valid ICMP errors

freebsd 5.0 compat changes

3.4.9 08/08/2000 - Released

implement new aging mechanism in fr_tcp_age()

fix icmp state checking bug

revamp buildsunos script and build both sparcv7/sparcv9 for Solaris
if on an Ultra with a 64bit system & compiler (Casper Dik)

open ipfilter device read only if we know we can

print out better information for ICMP packets in ipmon

move checking for source spoofed packets to a point where we can generate
logs of them

return EFAULT from ircopyptr/iwcopyptr

don't do ioctl(SIOCGETFS) for auth stats

fix up freeing mbufs for post-4.3BSD

fix returning of inc from ftp proxy

fix bugs with ipfs -R/-W (Casper Dik)

3.4.8 19/07/2000 - Released

create fake opt_inet6.h for FreeBSD-4 compile as LKM

add #ifdef's for KLD_MODULE sanity

NAT fastroute'd packets which come out of return-*

fix upper/lower case crap in ftp proxy and get seq# checking fixed up.

3.4.7 08/07/2000 - Released

make "ipf -y" lookup NAT if's which are unknown

prepend line numbers to ioctl error messages in ipf/ipnat

don't apply patches to FreeBSD twice

allow for ip_len to be on an unaligned boundary early on in fr_precheck

fix printing of icmp code when it is 0

correct printing of port numbers in map rules with from/to

don't allow fr_func to be called at securelevel > 0 or rules to be added
if securelevel > 0 if they have a non-zero fr_func.

3.4.6 11/06/2000 - Released

add extra regression tests for new nat functionality

place restrictions on using '!' in map/rdr rules

fix up solaris compile problems

3.4.5 10/06/2000 - Released

mention -sl in ipfstat.8

fix/support '!' in from/to rules (rdr) for NAT

add from/to support to rdr NAT rules

don't send ICMP errors in response to ICMP errors

fix sunos5 compilation for "ipfstat-top" and cleanup ipfboot

input accounting list used for both outbound and inbound packets

3.4.4 23/05/2000 - Released

don't add TCP state if it is an RST packet and (attempt) to send out
RST/ICMP packets in a manner that bypasses IP Filter.

add patch to work with 4.0_STABLE delayed checksums

3.4.3 20/05/2000 - Released

fix ipmon -F

don't truncate IPv6 packets on Solaris

fix keep state for ICMP ECHO

add some NAT stats and use def_nat_age rather than DEF_NAT_AGE

don't make ftp proxy drop packets

use MCLISREFERENCED() in tandem with M_EXT to check if IP fields need to be
swapped back.

fix up RST generation for non-Solaris

get "short" flag right for IPv6

3.4.2 - 10/5/2000 - Released

Fix bug in dealing with "hlen == 1 and opt > 1" - Itojun

ignore previous NAT mappings for 0/0 and 0/32 rules

bring in a completely new ftp proxy

allow NAT to cause packets to be dropped.

add NetBSD callout support for 1.4-current

3.4.1 - 30/4/2000 - Released

add ratoui() and fix parsing of group numbers to allow 0 - UINT_MAX

don't include opt_inet6.h for FreeBSD if KLD_MODULE is defined

Solaris must use copyin() for all types of ioctl() args

fix up screen/tty when leaving "top mode" of ipfstat

linked list for maptable not setup correctly in nat_hostmap()

check for maptable rather than nat_table[1] to see if malloc for maptable
succeeded in nat_init

fix handling of map NAT rules with "from/to" host specs

fix printout of source address when using "from/to" with map rules

convert ip_len back to network byte order, not plen, for solaris as ip_len
may have been changed by NAT and plen won't reflect this

3.4 - 27/4/2000 - Released

source address spoofing can be turned on (fr_chksrc) without using
filter rules

group numbers are now 32bits in size, up from 16bits

IPv6 filtering available

add Frank Volf's state-top patches

add load splitting and round-robin attribute to redirect rules

FreeBSD-4.0 support (including KLD)

add top-style operation mode for ipfstat (-t)

add save/restore of IP Filter state/NAT information (ipfs)

further ftp proxy security checks

support for adding and removing proxies at runtime

3.3.13 26/04/2000 - Released

Fix parsing of "range" with "portmap"

Relax checking of ftp replies, slightly.

Fix NAT timeouts for ICMP packets

SunOS4 patches for ICMP redirects from Jurgen Keil (jk@tools.de)

3.3.12 16/03/2000 - Released

tighten up ftp proxy behaviour. sigh. yuck. hate.

fix bug in range check for NAT where the last IP# was not used.

fix problem with icmp codes > 127 in filter rules caused bad things to
happen and in particular, where #18 caused the rule to be printed
erroneously.

fix bug with the spl level not being reset when returning EIO from
iplioctl due to ipfilter not being initialized yet.

3.3.11 04/03/2000 - Released

make "or-block" work with lines that start with "log"

fix up parsing and printing of rules with syslog levels in them

fix from Cy Schubert for calling of apr_fini only if non-null


3.3.10 24/02/2000 - Released

* fix back from Guido for state tracking interfaces

* update for NetBSD pfil interface changes

* if attaching fails and we can abort, then cleanup when doing so.

julian@computer.org:
* solaris.c (fr_precheck): After calling freemsg on mt, set it to point to *mp.
* ipf.c (packetlogon): use flag to store the return value from get_flags.
* ipmon.c (init_tabs): General cleanup so we do not have to cast
  an int s->s_port to u_int port and try to check if the u_int port
  is less than zero.

3.3.9 15/02/2000 - Released

fix scheduling of bad locking in fr_addstate() used when we attach onto
a filter rule.

fix up ip_statesync() with storing interface names in ipstate_t

fix fr_running for LKM's - Eugene Polovnikov

junk using pullupmsg() for solaris - it's next to useless for what we
need to do here anyway - and implement what we require.

don't call fr_delstate() in fr_checkstate(), when compiled for a user
program, early but when we're finished with it (got fr & pass)

ipnat(5) fix from Guido

on solaris2, copy message and use that with filter if there is another
copy of it being used (db_ref > 1). bad for performance, but better
than causing a crash.

patch for solaris8-fcs compile from Casper Dik

3.3.8 01/02/2000 - Released

fix state handling of SYN packets.

add parsing recognition of extra icmp types/codes and fix handling of
icmp time stamps and mask requests - Frank Volf

3.3.7 25/01/2000 - Released

sync on state information as well as NAT information when required

record nat protocol in all nat log records

don't reuse the IP# from an active NAT session if the IP# in the rule
has changed dynamically.

lookup the protocol for NAT log information in ipmon and pass that to
portname.

fix the bug with changing the outbound interface of a packet where it
would lead to a panic.

use fr_running instead of ipl_inited. (sysctl name change on freebsd)

return EIO if someone attempts an ioctl on state/nat if ipfilter is not
enabled.

fix rule insertion bug

make state flushing clean anything that's not fully established (4/4)

call fr_state_flush() after we've released ipf_state so we don't generate
a recursive mutex acquisition panic

fix parsing of icmp code after return-icmp/return-icmp-as-dest and add
some patches to enhance parsing strength

3.3.6 28/12/1999 - Released

add in missing rwlock release in fr_checkicmpmatchingstate() and fix check
for ICMP_ECHO to only be for packet, not state entry which we don't have yet.

handle SIOCIPFFB in nat_ioctl() and fr_state_ioctl()

fix size of friostat for SunOS4

fix bug in running off the end of a buffer in real audio proxy

3.3.5 11/12/1999 - Released

fix parsing of "log level" and printing it back out too

<net/if_types.h> is only present on Solaris2.6/7/8

use send_icmp_err rather than icmp_error to send back a frag-needed error
when doing PMTU

do not use -b with add_drv on Solaris unless $BASEDIR is set.

fix problem where source address in icmp replies is reversed

fix yet another problem with real audio.

3.3.4 4/12/1999 - Released

fix up the real audio proxy to properly setup state information and NAT
entries, thanks to Laine Stump for testing/advice/fixes.

fix ipfr_fastroute to set dst->sin_addr (Sean Farley - appears to prevent
FreeBSD 3.3 from panic'ing) as this had been removed in prior hacks to this
routine.

fix kinstall for BSDI

support ICMP errors being allowed through for ICMP packets going out with
keep state enabled

support hardware checksumming (gigabit ethernet cards) on Solaris thanks to
Tel.Net Media for providing hardware for testing.

patches from Frank Volf for ipmon (ICMP & fragmented packets) and allowing
ICMP responses to ICMP packets in the keep state table.

add in patches for hardware checksumming under solaris

Solaris install scripts now use $BASEDIR as appropriate.

add Solaris8 support

fix "ipf -y" on solaris so that it rescans rules also for changes in
interface pointers

let ipmon become a daemon with -D if it is using syslog

fix parsing of return-icmp-as-dest(foo)

add reference to ipfstat -g to ipfstat.8

ipf_mutex needs to be declared for irix in ip_fil.c

3.3.3 22/10/1999 - Released

add -g command line option to ipfstat to show groups still defined.

fix problem with fragment table not recording rule pointer when called
from state functions (fin_fr not set).

fixup fastroute problems with keep state rules.

load rules into inactive set first, so we don't disable things like NIS
lookups half way through processing - found by Kevin Littlejohn

fix handling of unaligned ip pointer for solaris

patch for fr_newauth from Rudi Sluijtman

fixed htons() bug in fr_tcpsum() where ip_p wasn't cast to u_short

3.3.2 23/09/1999 - Released

patches from Scott Presnell to fix rcmd proxy

patches from Greg to fix Solaris detachment of interfaces

add openbsd compatibility fixes

fix free'ing already freed memory in ipfr_slowtimer()

fix for dereferencing invalid memory in cleaning up after a device disappears

3.3.1 14/8/1999 - Released

remove include file sys/user.h for irix

prevent people from running buildsunos directly

fix up some problems with the saving of rule pointers so that NAT saves
that information in case it should need to call fr_addstate() from a proxy.

fix up scanning for the end of FTP messages

don't remove /etc/opt/ipf in postremove

attempt to prevent people running buildsolaris script without doing a
"make solaris"

fix timeout losing on freebsd3

3.3 7/8/1999 - Released

NAT: information (rules, mappings) are stored in hash tables; setup some
basic NAT regression testing.

display version name of installed kernel code when initializing.

add -V command line option to ipf, showing version (program and kernel
module) as well as the run-status of the kernel code.

fix problem with "log" rules actually affecting result of filtering.

automatically use SUNWspro if available and on a 64bit Solaris system for
compiling.

add kernel proxies for rcmd(3) and RealAudio (PNA)

use timeout/untimeout on SunOS4/BSD platforms too rather than hijacking
ip_slowtimo

fix IP headers generated through parsing of text information

fix NAT rules to be in the correct order again.

make keep-state work with to/fastroute keywords and enforce usage of those
interfaces.

update keep-state code with new algorithm from Guido

add FreeBSD-3 support

add return-icmp-as-dest option to return an ICMP packet using the original
destination as the source rather than a local IP address

add "level [facility.]<priority>" option to filter language

add changes from Guido to state code.

add code to return EPERM if the device is opened for writing and we're
in securelevel 2 or greater.

authentication code patches from Guido

fix real audio proxy

fix ipmon rule printing of interfaces and add IN/OUT to the end of ipmon
log output.

fix bimap rules with hash tables

update addresses used in NAT mappings for 0/32 rules for any protocol but TCP
if it changes on the interface - check every ip_natexpire()

add redirect regression test

count buckets used in the state hash table.

fix sending of RST's with return-rst to use the ack number provided in
the packet being replied to in addition to the sequence number.

fix to compile as a 64bit application on solaris7-64bit

add NAT IP mapping to ranges of IP addresses that aren't CIDR specified

fix calculation of in_space parameter for NAT

fix `wrapping' when incrementing the next ip address for use in NAT

fix free'ing of kernel memory in ip_natunload on solaris

fix -l/-U command line options from interfering with each other

fix fastroute under solaris2 and cleanup compilation for solaris7

add install scripts and compile cleanly on BSD/OS 4.0

safely open files in /tmp for writing device output when testing.

fix uninitialized pointer bug in NAT

fix SIOCZRLST (zero list rule stats) bug with groups

change some usage of u_short to u_int in function calling

fix compilation for Solaris7 (SUNWspro)

change solaris makefiles to build for either sparc or i386 rather than
per-cpu (sun4u, etc).

fixed bug in ipllog

add patches from George Michaelson for FreeBSD 3.0

add patch from Guido to provide ICMP checking for known state in the same
manner as is done for NAT.

enable FTP PASV proxying and enable wildcarding in NAT/state code for ports
for better PORT/PASV support with FTP.

bring into main tree static nat features: map-block and "auto" portmapping.

add in source host filtering for redirects (Alan Jones)

3.2.10 22/11/98 - Released

3.2.10beta9 17/11/98 - Released

fix fr_tcpsum problems in handling mbufs with an odd number of bytes
and/or split across an mbuf boundary

fix NAT list entry comparisons and allow multiple entries for the same
proxy (but on different ports).

don't create duplicate NAT entries for repeated PORT commands.

3.2.10beta8 14/11/98 - Released

always exit an rwlock before expecting to enter it again on solaris

fix loop in nat_new for pre-existing nat

don't setup state for an ftp connection if creating nat fails.

3.2.10beta7 05/11/98 - Released

set fake window in ipft_tx.c to ensure code passes tests.

cleaned up/enhanced ipnat -l/ipnat -lv output

fixed NAT handling of non-TCP/UDP packets, esp. for ICMP errors returned.

Solaris recursive mutex on icmp-error/tcp-reset - requires rwlock's rather
than mutexes.

3.2.10beta6 03/11/98 - Released

fix mixed use of krwlock_t and kmutex_t on Solaris2

fix FTP proxy back up, splitting pasv code out of port code.

3.2.10beta5 02/11/98 - Released

fixed port translation in ICMP reply handling

3.2.10beta4 01/11/98 - Released

increase useful statistic collection on solaris

filter DL_UNITDATA_REQ as well as DL_UNITDATA_IND on solaris

disable PASV reply translation for now

fail with an error if we try to load a NAT rule with a non-existent
 proxy name - Guido

fix portmap usage with 0/0 and 0/32 map rules

remove ap_unload/ap_expire - automatically done when NAT is cleaned up

print "STATE:CLOSED" from ipmon if the connection progresses past established
 rather than "STATE:EXPIRED"

3.2.10beta3 26/10/98 - Released

fixed traceroute/nat problem

rewrote nat/proxy interface

ipnat now lists associated proxy sessions for each NAT where applicable

3.2.10beta2 13/10/98 - Released

use KRWLOCK_T in place of krwlock_t for solaris as well as irix

disable use of read-write lock acquisition by default

add in mb_t for linux, non-kernel

some changes to progress compilation on linux with glibc

change PASV as well as PORT when passed through kernel ftp proxy.

don't allow window to become 0 in tcp state code

make ipmon compile cleaner

irix patches

3.2.10beta 11/09/98 - Released

stop fr_tcpsum() thinking it has run out of data when it hasn't.

stop solaris panics due to fin_dp being something wild.

revisit usage of ATOMIC_*()

log closing state of TCP connection in "keep state"

fix fake-arp table code for ipsend.

ipmon now writes pid to a file.

fix "ipmon -a" to actually activate all logging devices.

add patches for BSDOS4.

perl scripts for log analysis donated.

3.2.9 22/06/98 - Released

fix byte order for ICMP packets generated on Solaris

fix some locking problems.

fix malloc bug in NAT (introduced in 3.2.8).

patch from Guido for state connections that get fragmented

3.2.8 08/06/98 - Released

use readers/writers locks in Solaris2 in place of some mutexes.

Solaris2 installation enhancements - Martin Forssen (maf@carlstedt.se)

3.2.7 24/05/98 - Released

u_long -> u_32_t conversions

patches from Bernd Ernesti for NetBSD

fixup ipmon to actually handle HUP's.

Linux fixes from Michael H. Warfield (mhw@wittsend.com)

update for keep state patch (not security related) - Guido

dumphex() uses stdout rather than log

3.2.6 18/05/98 - Released

fix potential security loophole in keep state code.

update examples.

3.2.5 09/05/98 - Released

BSD/OS 3.1 .o files added for the kernel.

fix sequence # skew vs window size check.

fix minimum ICMP header size check.

remove references to Cybersource.

fix my email address.

remove ntohl in ipnat - Thomas Tornblom

3.2.4 09/04/98 - Released

add script to make devices for /dev on BSD boxes

fixup building into the kernel for FreeBSD 2.2.5

add -D command line option to ipmon to make it a daemon and SIGHUP causes
it to close and reopen the logfile

fixup make clean and make package for SunOS5 - Marc Boucher

postinstall keeps adding "minor=ipf ipl" - George Ross <gdmr@dcs.ed.ac.uk>

protected by IP Filter gif - Sergey Solyanik <solik@atom.ru>

3.2.3 10/11/97 - Released

fix some iplang bugs

fix tcp checksum data overrun, sgi #define changes,
avoid infinite loop when nat'ing to single IP# - Marc Boucher

fixup DEVFS usage for FreeBSD

fix sunos5 "make clean" cleaning up too much

3.2.2 28/11/97 - Released

change packet matching to return actual error, if bad packet, to facilitate
ECONNRESET for TCP.

allow ip:netmask in grammar too now - Guido

assume IRIX has u_int32_t in sys/types.h (needed for R10000)

rewrite parts of command line options for ipmon

fix TCP urgent packet & offset testing and add LAND attack test for iptest

fix grammar error in yacc grammar for iplang

redirect (rdr) destination port byte-swapped when it shouldn't be.

general: fr_check now returns error code, such as EHOSTUNREACH or
ECONNRESET (attempt to make ECONNRESET work for locally outbound
packets).

linux: enable return-rst, need to filter tcp retransmits which are sent
 separately from normal packets

memory leak plugged in ip_proxy.c

BSDI compatibility patches from Guido

tcp checksum fix - Marc Boucher

recursive mutex and ioctl param fix - Marc Boucher

3.2.1 12/11/97 - Released

port to BSD/OS 3.0

port to Linux 2.0.31

patches to make "map a/m -> 0/0" work with ftp proxying properly - Marc Boucher

add "ipf -F s" and "ipf -F S" to flush state table entries.

announce if logging is on or off when ip filter initializes.

"ipf -F a" doesn't flush groups properly for Solaris.

3.2 30/10/97 - Released

ipnat doesn't successfully remove proxy mappings with "-rf" -
Alexander Romanyu

use K&R C function style for solaris kernel code

use m_adj() to decrease packet size in ftp proxy

use mbufchainlen rather than msgdsize,
IRIX update - Marc Boucher

fix NetBSD modunload bug (pfil_add_hook done twice)

patches for OpenBSD 2.1 - Craig Bevins <craigb@bitcom.net.au>

3.2beta10 24/10/97 - Released

fix fragment table entries allocated for NAT.

fix tcp checksum calculations over mbuf/mblk boundaries

fix panic for blen < 0 in ftp kernel proxy - Marc Boucher

fix flushing of rules which have been grouped.

3.2beta9 20/10/97 - Released

some nit picking on solaris2 with SUNWspro - Michael Lyle <mrl@rpnet.net>

ftp kernel proxy patches from Marc Boucher

3.2beta8 13/10/97 - Released

add support for passing ICMP errors back through NAT.

IRIX port update - Marc Boucher

calculate correct MIN size of packet to log for UDP - Marc Boucher

need htons(ETHERTYPE_x) on little endian BSD boxes - Dave Huang

copyright header fixups

3.2beta7 23/09/97 - Released

fix up problems introduced by prior merges & changes.

3.2beta6 23/09/97 - Released

patch for spin-reading race condition - Marc Boucher.

IRIX port by Marc Boucher.

compatibility updates for Linux to ipsend

3.2beta5 13/09/97 - Released

patches from Bernd Ernesti for NetBSD integration (mostly prototyping and
compiler warning things)

ipf -y will resync IP#'s allocated with 0/32 in NAT to match interface if it
changes.

update manual pages and other documentation updates.

3.2beta4 27/8/97 - Released

enable setting IP and TCP options for iplang/

Solaris2 patches from Marc Boucher.

add groups for filter rules.

3.2beta3 21/8/97 - Released

patches for Solaris2 (interface panic solution ?): fix FIONREAD and
replacing q_qinfo points - Marc Boucher <marc@CAM.ORG>

change ipsend/* and ipsd/* copyright notices to be the same as ip filter's

patch for SYN-ACK skew testing fix from Eric V. Smith <EricSmith@windsor.com>

3.2beta2 6/8/97 - Released

make it load on Solaris 2.3

rewrote logging to remove solaris errors, introduced checking to see if the
same packet is logged successively.

fix filter cache to work when there are no rules loaded.

add "raw" option to ipresend to send entire ethernet frames.

nat list corruption bug - NetBSD - Klaus Klein

3.2beta1 5/7/97 - Released

patches from Jason Thorpe fixing: UNSIGNED_CHAR lossage, off_t being 64bits
lossage, and other NetBSD bits.

NetBSD 1.2G update.

fixup fwtk patches and add protocol field for SIOCGNATL.

rdr bugs reported by Alexander Romanyu (alexr@aix.krid.crimea.ua), with
fixes:
* rdr matched all packets of a given protocol (ignored ports).
* severe bug in nat_delete which caused system crash/freeze.

change Makefile so that CC isn't passed on for FreeBSD/NetBSD (will use
the default CC - cc, not gcc)

3.2alpha9 16/6/97 - Released

added "skip" keyword.

implement preauthentication of packets, as outlined by Guido.

Make it compile as cleanly as possible with -Wall & general code cleanup

getopt returns int, not char. Bernd Ernesti

3.2alpha8 13/6/97 - Released

code added to support "auth" rules which require a user program to allow them
through. First revision and much of the code came from Guido.

hex output from ipmon doesn't go to syslog when recovering from out of sync
error. Luke Mewburn (lukem@connect.com.au)

fix solaris2.6 lookup of destination ire's.

ipnat doesn't throw away unused bits (after masking), causing it to
behave incorrectly. Carson Gaspar

NAT code doesn't include interface name when matching - Alexey Mavrin
<lha@elco.spb.ru>

replace old SunOS tcpip.h with new tcpip.h (from 4.4BSD) - Jason Thorpe.

update install procedures to include ip_proxy.c

mask out unused bits in NAT/RDR rules.

use a generic type (u_32_t) for 32bit variables, rather than rely on
u_long being such - Jason Thorpe.

create a local "netinet" directory and include from "netinet/*" rather than
just "*" to make keeping the code working on ports easier.

add an m_copydata and m_copyback for SunOS4 (based on 4.4BSD-Lite versions)

documentation updates.

NetBSD update from Jason Thorpe <thorpej@netbsd.org>

allow RST's through with a matching SEQ # and 0 ACK. Guido Van Rooij

ipmon uses excessive amounts of CPU on Solaris2 - Reinhard Bertram
<Reinhard.Bertram@KOM.th-darmstadt.de>

3.2alpha7 25/5/97 - Released

add strlen for pre-2.2 kernels - Doug Kite <dkite@websgi.icomnet.com>

setup bits and pieces for compiling into a FreeBSD-2.2 kernel.

split up "bsd" targets. Now a separate netbsd/freebsd/bsd target.
mln_ipl.c has been split up into itself and mlf_ipl.c (for freebsd).

fix (negative) host matching in filtering.

add sysctl interface for some variables when compiled into FreeBSD-2.2 kernels
or later.

make all the candidates for kernel compiling include "netinet/..." and build
a subdirectory "netinet" when compiling and symlink all .h files into this.

add install make target to Makefile.ipsend

3.2alpha6 8/5/97 - Released

Add "!" (not) to hostname/ip matching.

Automatically add packet info to the fragment cache if it is a fragment
and we're translating addresses for.

Automatically add packet info to the fragment cache if it is a fragment
and we're "keeping state" for the packet.

Solaris2 patches - Anthony Baxter (arb@connect.com.au)

change install procedure for FreeBSD 2.2 to allow building to a kernel
which is different to the running kernel.

add FIONREAD for Solaris2!

when expiring NAT table entries, if we would set a time to fr_tcpclosed
(which is 1), make it fr_tcplastack(20) so that the state tables have a
chance to clear up.

3.2alpha5

add proxying skeleton support and sample ftp transparent proxy code.

add printfs at startup to tell user what is happening.

add packets & bytes for EXPIRE NAT log records.

fix the "install-bsd" target in the root Makefile. Chris Williams
<psion@mv.mv.com>

Fixes for FreeBSD 2.2 (and later revs) to prevent panics. Julian Assange.

3.2alpha4 2/4/97 - Released

Some compiler warnings cleaned up.

FreeBSD-2.2 patches for LKM completed.

3.2alpha3 31/3/97 - Released

ipmon changes: -N for reading NAT logfile, -S for reading state logfile.
-a for reading all. -n now toggles hostname resolution.

Add logging of new state entries and expiration of old state entries.
count log successes and failures.

Add logging of new NAT entries and expiration of old NAT entries.
count log successes and failures.

Use u_quad_t for records of bytes & packets where kept
(IP Accounting: fr_hits, fr_bytes; IP state: is_pkts, is_bytes).

Fixup use of CPU and DCPU in Makefiles.

Fix broken 0/32 NAT mapping. Carl Makin <cmakin@nla.gov.au>

3.2alpha2

Implement mapping to 0/32 as being an alias for automatically using the
interface's first IP address.

Implement separate minor devices for both NAT and IP state code.

Fully prototype all functions.

Fix Makefile problem due to attempt to fix Sun compiling problems.

3.1.10 23/3/97 - Released

ipfstat -a requires a -i or -o command line option too. Print an error
when not present rather than attempt to do something.

patch updates for SunOS4 for kernel compiling.
patch for ipmon -s (flushes syslog file which isn't good). Andrew J. Schorr
<schorr@ead.dsa.com>

too many people hit their heads hard when compiling code into the kernel
that doesn't let any packets through. (fil.c - IPF_NOMATCH)

icmp-type parsing doesn't return any errors when it isn't constructed
correctly. Neil Readwin

Using "-conf" with modload on SunOS4 doesn't work.
Timothy Demarest <demarest@arraycomm.com>

Need to define ARCH in makefile for SunOS4 building. "make sunos4"
in INSTALL.SunOS is incorrect. James R Grinter <jrg@blodwen.demon.co.uk>
[all SunOS targets now run buildsunos]

NAT lookups are still incorrect, matching non-TCP/UDP with TCP/UDP
information. ArkanoiD <ark@paranoid.convey.ru>

Need to check for __FreeBSD_version being 199511 rather than 199607
in mln_ipl.c. Eric Feillant <Eric.Feillant@EUnet.fr>

3.1.9 8/3/97 - Released

fixed incorrect lookup of active NAT entries.

patch for ip_deq() wrong for pre 2.1.6 FreeBSD.
fyeung@fyeung8.netific.com (Francis Yeung)

check for out with return-rst/return-icmp at wrong place - Erkki Ritoniemi
(erkki@vlsi.fi)

text_readip returns the interface pointer pointing to text on stack -
Neil Readwin

fix from Pradeep Krishnan for printout rules "with not opt sec".

3.1.8 18/2/97 - Released

Diffs for ip_output.c and ip_input.c updated to fix bug with fastroute and
compiling warnings about reuse of m0.

prevent use of return-rst and return-icmp with rules blocking packets going
out, preventing panics in certain situations.

loop forms in frag cache table - Yury Pshenychny <yura@rd.zgik.zaporizhzhe.ua>

should use SPLNET/SPLX around expire routines in NAT/frag/state code.

redeclared malloc in 44arp.c -

3.1.7 8/2/97 - Released

Macros used for ntohs/htons supplied with gcc don't always work very well
when the assignment is the same variable being converted.

Filter matching doesn't match rule which checks tcp flags on packets
which are fragments - David Wilson

3.1.7beta 30/1/97 - Released

Fix up NAT bugs introduced in last major change (now tested), including
nat_delete(), nat_lookupredir(), checksum changes, etc.

3.1.7alpha 30/1/97 - Released

Many changes to NAT code, including contributions from Laurent Joncheray
<lpj@ans.net>

Use "NO_SLEEP" when allocating memory under SunOS.

Make kernel printfs nicer for BSD/SunOS4

Always do a checksum for packets being filtered going out and being
processed by fastroute.

Leave kernel to play with cdevsw on *BSD systems with LKMs.

ipnat.1 man page fixes.

3.1.6 21/1/97 - Released

Allow NAT to work on BSD systems in conjunction with "pass .. to ifname"

Memory leak introduced in 3.1.3 in NAT lists, clearing of NAT table tried
to free memory twice.

NAT recalculates IP header checksum based on difference between IP#'s and
port numbers - should be just IP#'s (Solaris2 only)

3.1.5 13/1/97 - Released

fixed setting of NAT timeouts and use different timeouts for concurrent
TCP sessions using the same IP# mapping (when port mapping isn't used)

multiple loading/unloading of LKMs doesn't clean up cdevsw properly for
*BSD systems.

3.1.4 10/1/97 - Released

add command line options -C and -F to ipnat to flush NAT list and table

ipnat -l loops on output - Neil Readwin (nreadwin@nysales.micrognosis.com)

NetBSD/FreeBSD kernel malloc changes - Daniel Carosone

3.1.3 10/1/97 - Released

NAT chains not constructed correctly in hash tables - Antony Y.R Lu
(antony@hawk.ee.ncku.edu.tw)

Updated INSTALL.NetBSD, INSTALL.FreeBSD and INSTALL.Sol2

man page update (ipf.5) from Daniel Carosone (dan@geek.com.au)

ICMP header checksum update now included in NAT.

Solaris2 needs to modify IP header checksums in ip_natin and ip_natout.

3.1.2 4/12/96 - Released

ipmon doesn't use syslog all the time when given -s option

fixed mclput panic in ip_input.c and replace ntohs() with NTOHS() macro

check the results of hostname resolution in ipnat

"make *install" fixed for subdirectories.

problems with "ARCH:=" and gnu make resolved

parser reports an error for lines with whitespaces only rather than skipping
them. D.Carosone@abm.com.au (Daniel Carosone)

patches for integration into NetBSD-current (post 1.2).

add an option to allow non-IP packets going up/down the stream on Solaris2
to be dropped. John Bass.

3.1.2beta 21/11/96 - Released

make ipsend compile on Linux 2.0.24

changes to TCP kept state algorithm, making it watch state on TCP
connections in both directions. Also use the same algorithm for NAT TCP.

-Wall cleanup - Bernd Ernesti

added "or-block" for "pass .. log or-block" after a suggestion from
David Oppenheim (davido@optimation.com.au)

added subdirectories for building IP Filter in SunOS5/BSD for different
cpu architectures

Solaris2 fixes to logging and pre-filtering packet processing - 3.1.1p2

mbuf logging not using mtod(), remove iplbusy - 3.1.1p1 1/11/96

3.1.1 28/10/96 - Released

Installation script fixes and deinstall scripts for IP Filter on:
SunOS4/FreeBSD/NetBSD

Man page fixes - Paul Dubois (dubois@primate.wisc.edu)

Fix use of SOLARIS macro in ipmon, rewrote ipllog() (again!)

parsing isn't completely case insensitive - David Wilson
(davidw@optimation.com.au)

Release ipl_mutex across uiomove() calls

print entire rule entries out for "ipf -z" when zeroing per-rule stats.

ipfstat returns same output for "hits" in "ipfstat -aio" - Terletsky Slavik
(ts@polynet.lviv.ua)

New algorithm for setting timeouts for TCP connection (more closely follow
TCP FSM) - Pradeep Krishnan (pkrishna@netcom.com)

Track both window sizes for TCP connections through "keep state".

Solaris2 doesn't like _KERNEL defined in stdargs.h - Jos van Wezel
(wezel@bio.vu.nl)

3.1.1-beta2 6/10/96 - Released

Solaris2 fastroute/dup-to/to now works

ipmon `record' reading rewritten

Added post-NetBSD1.2 packet filter patches - Mathew Green (mrg@eterna.com.au)

Attempt to use in_proto.c.diff, not "..diffs" for SunOS4 - David Wilson
(davidw@optimation.com.au)

Michael Ryan (mike@NetworX.ie) reports the following:
* The Trumpet WinSock under Windows always sends its SYN packet with an ACK
  value of 1, unlike any other implementation I've seen, which would set it
  to zero. The "keep state" feature of IP Filter doesn't work when receiving
  non-zero ACK values on new connection requests.
* */Makefile install rule doesn't install all the binaries/man pages
* Make ipnat use "tcp/udp" instead of "tcpudp"
* Print out "tcp/udp" properly
* ipnat "portmap tcp" matches "portmap udp" when adding/removing
* NAT dest. ip# increased by one on mask of 0xffffffff when it shouldn't

3.1.1-beta 1/9/96 - Released

add better detection of TCP connections closing to TCP state monitoring.

fr_addstate() not called correctly for fragments. "keep state" and
"keep frag" code don't work together 100% - Songqing Cai
(songqing_cai@sterling.com)

call to fr_addstate() incorrect for adding state in combination with keeping
fragment information - Songqing Cai (songqing_cai@sterling.com)

KFREE() passed fp (incorrect) and not fr (correct) in ip_frag.c - John Hood
(cgull@smoke.marlboro.vt.us)

make ipf parser recognise '\\' as a `continued line' marker - Dima Ruban
(dima@best.net)

3.1.1-alpha 23/8/96 - Released

kernel panics when ICMP packets go through NAT code

stats aren't zeroed properly with ipf -Z

ipnat doesn't show port numbers correctly all the time and also add the
protocol (tcp/udp/tcpudp) to rdr output - Carson Gaspar (carson@lehman.com)

fast checksum fixing not 100% - backout patch - Bill Dorsey (dorsey@lila.com)

NetBSD-1.2 patches from - VaX#n8 <vax@linkdead.paranoia.com>

Usage() call error in fils.c - Ajay Shekhawat (ajay@cedar.buffalo.edu)

ip_optcopy() statically defined in ip_output.c in SunOS4 - Nick Hall
(nrh@tardis.ed.ac.uk)

3.1.0 7/7/96 - Released

Reformatted ipnat output to be compatible with its input, so that
"ipnat -l | ipnat -rf -" is possible.

3.1.0beta 30/6/96 - Released

NetBSD-1.2 patches from Greg Woods (woods@most.weird.com)

kernel module must not be installed stripped (Solaris2), as created by
"make package" for Solaris2 - Peter Heimann
(peter@i3.informatik.rwth-aachen.de)

3.1.0alpha 5/6/96 - Released

include examples in package for solaris2

patches for removing an extra ip header checksum (FreeBSD/NetBSD/SunOS)

removed trailing space from printouts of rules in ipf.

ipresend supports the same range of inputs that ipftest does.

sending a duplicate copy of a packet to another network device is now
supported. ("dup-to")

sending a packet to an arbitrary interface is now supported, irrespective
of its actual route, with no ttl decrement. Can also be routed without
the ttl being decremented. ("to" and "fastroute").

"call" option added to support calling a generic function if a packet is
matched.

show all (up to 4) recorded bytes from the interface name in logging from
ipmon.

support for using unix file permissions for read/write access on the device
is now in place.

recursive mutex in nat_new() for Solaris 2.x - Per L. Hagen <per@stibo.dk>

ipftest doesn't call initparse() for THISHOST - Catherine Allen
(cla@connect.com.au)

Man page corrections from Rex Bona (rex@pengo.comsmiths.com.au)

3.0.4 10/4/96 - Released

loop in `parsing' IP packets with optlen 0 for ip options.

rule number not initialized and resulted in unexpected results for state
matching.

option parsing and printing bugs - Pradeep Krishnan

3.0.4beta 25/3/96 - Released

wouldn't parse "keep flags keep state" correctly.

SunOS4.1.x ip_input.c doesn't recognise all 1s broadcast address - Nigel Verdon

patches for BSDI's BSD/OS 2.1 and libpcap reader on little endian systems
from Thorsten Lockert <tholo@tetherless.com>

b* functions in fil.c on Solaris 2.4

3.0.3 17/3/96 - Released

added patches to support IP Filter initialisation when compiled into the
kernel.

added -x option to ipmon to display hex dumps of logged packets.

added -H option to ipftest to allow ascii-hex formatted input to specify
arbitrary IP packets.

Sending TCP RSTs as a response now works for Solaris2 x86

add patches to make IP Filter compile into NetBSD kernels properly.

patch to stop SunOS 4.1.x kernels panicking with "data traps".

ipfboot script unloads and reloads ipf module on Solaris2 if it is already
loaded into the kernel.

Installation of IP Filter as a Solaris2 package is now supported.

Man pages for ipnat.4, ipnat.5 added.

added some more regression tests and fixed up IP Filter to pass the new tests
(previous versions failed some of the tests in set 12).

IP option filter processing has changed so that saying "with opt lsrr" will
check only for that one, but not mask out other options, so a packet with
strict source routing, along with loose source routing will match all of
"with opt lsrr", "with opt ssrr" and "with opt lsrr,ssrr".

IPL_NAME needed in ipnat.c - Kelly (kelly@count04.mry.scruznet.com)

patches for clean NetBSD compilation from Bernd Ernesti (bernd@arresum.inka.de)

make install is incorrect - Julian Briggs (julian@lightwork.co.uk)

strtol() returns 0x7fffffff for all negative numbers,
printfr() generates incorrect output for "opt sec-class *",
handling of "not opt xxx opt yyy" incorrect.
- Minh Tonthat (minht@sbei.com)/Pradeep Krishnan (pradeepk@sbei.com)

m_pullup() called only for input and not output; caused problems
with filtering icmp - Nigel Verdon (verdenn@gb.swissbank.com)

parsing problem for "port 1" and NetBSD patches incorrect -
Andreas Gustafsson (gson@guava.araneus.fi)

3.0.2 4/2/96 - Released

Corrected bug where NAT recalculates checksums for fragments.

make NAT recalculate UDP checksums (rather than setting them to 0),
if they're non-zero.

DNS patches - Real Page (Real.Page@Matrox.com)

alteration of checksum recalculations in NAT code and addition of
redirection with NAT - Mike Neuman

core dump, if tcp/udp is used with a port number and not service name,
in ipf - Mike Neuman (mcn@engarde.com)

initparse() call, missing to prime "<thishost>" hook - Craig Bishop

3.0.1 14/1/96 - Released

miscellaneous patches for Solaris2

3.0 14/1/96 - Released

Patch included for FDDI, from Richard Ohnemus
(Richard_Ohnemus@dallas.csd.sterling.com)

Code cleanup for release.

3.0beta4 10/1/96

recursive mutex in ipfr_slowtimer fixed, reported by Craig Bishop

recursive mutex in sending TCP RSTs fixed, reported by Tony Becker

3.0beta3 9/1/96

Fixup for Solaris2.5 install and interface name bug in ipftest from
Julian Briggs (julian@lightwork.co.uk)

Byte order patches for ipmon from Tony Becker (tony@mcrsys.com)

3.0beta2 7/1/96

Added the (somewhat warped) IP accounting as it exists in ipfw on FreeBSD.
Note, this isn't really what one would call IP accounting, when compared to
process accounting, sigh.

Split up ipresend into iptest/ipresend/ipsend

Added another m_pullup() inside fr_check() for BSD style kernels and
added some checks to ipllog() to not log more than is present (for short
packets).

Fixed bug where failed hostname/netname resolution goes undetected and
becomes 0.0.0.0 (any) (reported Guido van Rooij)

3.0beta 11/11/95 - Released

Rewrote the way rule testing is done, reducing the number of files needed and
generated.

SIOCIPFFL was incorrectly affected by IPFILTER_LOG (Mathew Green)

Patches from Guido van Rooij to fix sending back TCP RSTs on Net-2/Net-3
BSD based Unixes (panic'd)

Patches for FreeBSD/i86 ipmon from Riku Kalinen <riku@tequila.nixu.fi>
(I think someone else already told me about these but they got lost :-/)

Changed Makefile structure to build object files for different operating
systems in separate directories by default.

BSDI has ef0 for first ethernet interface

Allow for a "not" operator before optional keywords.

The "rule number" was being incorrectly incremented every time it went through
the loop rather than when it matched a rule.

2.8.2 24/10/95 - Released

Fixed up problems with "textip" for doing lots of testing.

Fixed bug in detection of "short" tcp/ip packets (all reported as being short).

Solaris 2.4 port now works 100%.

Man page errors reported and fixed.

Removed duplicate entry in etc/services for login on port 49 (Craig Bishop).

Fixed ipmon output to put a space after the log-letter.

Patch from Guido van Rooij to fix parsing problem.

2.8.1 15/10/95 - Released

Added ttl and tos filtering.

Patches for fixing up compilation and port problems (little endian)
from Guido van Rooij <guido@IAEhv.nl>.

Man page problems reported and fixed by Carson Gaspar <carson@lehman.com>.

ipsend doesn't compile properly on Solaris2.4

Lots of work done for Solaris2.4 to make it MT/MP safe and work.

2.8 15/9/95 - Released

ipmon can now send messages to syslogd (-s) and use names instead of
numbers (-N).

IP packets are now "compiled" into a structure only containing filterable
bits.

Added regression testing in the test/ subdirectory, using a new option
(-b) with the ipftest program.

Added "nomatch" return to filter results. These are counted and show
up in reports from ipfstat.

Moved filter code out of ip_fil.c and into fil.c - there is now only one
instance of it in the package.

Added Solaris 2.4 support.

Added IPSO basic security option filtering.

Added name support for filtering on all 19 named IP options.

Patches from Ivan Brawley to log packet contents as well as packet headers.

Update for sun/conf.c.diff from Ivan Brawley <ibrawley@awadi.com.AU>

Added patches for FreeBSD 1, and added two new switches (-E, -D) to ipf,
along with a new ioctl, SIOCFRENB.
From: Dieter Dworkin Muller <dworkin@village.org>

2.7.3 31/7/95 - Released

Didn't compile cleanly without IPFILTER_LOG defined (Mathew Green).

ipftest now deals with tcpdump3 binary output files (from libpcap) with -P.

Brought ipftest program up to date with actual filter code.

Filter would cause a match to occur when it wasn't meant to if the packet
had short headers and was missing portions that should have been there.
Err, it would rightly not match on them, but their absence caused a match
when it shouldn't have been.

2.7.2 26/7/95 - Released

Problem with filtering just SYN flagged packets reported by
Dieter Dworkin Muller <dworkin@village.org>. To solve this
problem, added support for masking TCP flags for comparison "flags X/Y".

2.7.1 9/7/95 - Released

Added ip_dirbroadcast support for Sun ip_input.c

Fixed up the install scripts for FreeBSD/NetBSD to recognise where they are
better.

2.7 7/7/95 - Released

Added "return-rst" to return TCP RSTs to TCP packets.

Actually ported it to FreeBSD-i386 2.0.0, so it works there properly now.

Added insertion of filter rules. Use "@<#>" at the beginning of a filter
to insert a rule at row #.

Filter keeps track of how many times each rule is matched.

Changed compile time things to match kernel option (IPFILTER_LKM &
IPFILTER_LOG).

Updated ip_input.c and ip_output.c with patches for 3.5 Multicast IP.
(No change required for 3.6)

Now includes TCP fragments which start inside the TCP header as being short.
Added counting the number of times each rule is matched.

2.6 11/5/95 - Released

Added -n option to ipf: when supplied, no changes are made to the kernel.

Added installation scripts for SunOS 4.1.x and NetBSD/FreeBSD/BSDI.

Rewrote filtering to use a more generic mask & match procedure for
checking if a packet matches a rule.

2.5.2 27/4/95 - Released

"tcp/udp" and a non-initialised pointer caused the "proto" to become
a `random' value; added "ip#/dotted.mask" notation to the BNF.
From Adam W. Feigin <feigin@iis.ee.ethz.ch>

2.5.1 22/3/95 - Released

"tcp/udp" had a strange effect (undesired) on getserv*() functions,
causing protocol/service lookups to fail. Reported by Matthew Green.

2.5 17/3/95 - Released

Added a new keyword "all" to BNF and parsing of tcpdump/etherfind/snoop
output through the ipftest program. Suggestions from:
Michael Ciavarella (mikec@phyto.apana.org.au)

Conflicts occur when "general" filter rules are used for ports and the
lack of a "proto" when used with "port" matches other packets when only
TCP/UDP are implied.
Reported Matthew Green (mrg@fulcom.com.au);
reported & fixed 6-8/3/95

Added filtering of short TCP packets using "with short" 28/2/95
(These can possibly slip by checks for the various flags). Short UDP
or ICMP are dropped to the floor and logged.

Added filtering of fragmented packets using "with frag" 24/2/95

Port to NetBSD-current completed 20/2/95, using LKM.

Added logging of the rule # which caused the logging to happen and the
interface on which the packet is currently as suggested by
Andreas Greulich (greulich@math-stat.unibe.ch) 10/2/95

2.4 9/2/95 - Released
Fixed saving of IP headers in ICMP packets.

2.3 29/1/95
Added ipf -F [in|out|all] to flush filter rule sets (SIOCIPFFL).
Fixed iplread() and iplsave() with help from Marc Huber.

2.2 7/1/95 - Released
Added code from Marc Huber <huber@fzi.de> to allow it to allocate
its own major char number dynamically when modload'ing. Fixed up
use of <, >, <=, >= and >< for ports.

2.1 21/12/94 - Released
repackaged to include the correct ip_output.c and ip_input.c *goof*

2.0 18/12/94 - Released
added code to check for port ranges - complete.
rewrote to work as a loadable kernel module - complete.

1.1
added code for output filtering as well as input filtering and added support
for logging to a simple character device of packet headers.

1.0 22/04/93 - Released
First release cut.