HISTORY revision 92686
1# 2# NOTE: Quite a few patches and suggestions come from other sources, to whom 3# I'm greatly indebted, even if no names are mentioned. 4# 5# Thanks to the Coombs Computing Unit at the ANU for their continued support 6# in providing a very available location for the IP Filter home page and 7# distribution center. 8# 9# Thanks to Hewlett Packard for making it possible to port IP Filter to 10# HP-UX 11.00. 11# 12# Thanks to Tel.Net Media for supplying me with equipment to ensure that 13# IP Filter continues to work on Solaris/sparc64. 14# 15# Thanks to BSDI for providing object files for BSD/OS 3.1 and the means 16# to further support development of IP Filter under BSDI. 17# 18# Thanks to Craig Bishop of connect.com.au and Sun Microsystems for the 19# loan of a machine to work on a Solaris 2.x port of this software. 20# 21# Thanks also to all those who have contributed patches and other code, 22# and especially those who have found the time to port IP Filter to new 23# platforms. 24# 253.4.25 13/03/2002 - Released 26 27retain rule # in state information 28 29log the direction of a packet so ipmon gets it right rather than incorrectly 30deriving it from the rule flags 31 32add #ifdef for IPFILTER_LOGSIZE (put options IPFILTER_LOGSIZE=16384 in BSD 33kernel config files to increase that buffer size) 34 35recognise return-* rules differently to block in ipftest 36 37fix bug in ipmon output for solaris 38 39add regression testing for skip rules, logging and using head/group 40 41fix output of ipmon: was displaying large unsigned ints rather than -1 42when no rules matched. 43 44make logging code compile into ipftest and add -l command line option to 45dump binary log file (read with ipmon -f) when it finishes. 46 47protect rule # and group # from interference when checking accounting rules 48 49add regression testing for log output (text) from ipmon. 50 51document -b command line option for ipmon 52 53fix double-quick in Solaris startup script 54 553.4.24 01/03/2002 - Released 56 57fix how files are installed on SunOS5 58 59fix some minor problems in SunOS5 ipfboot script 60 61by default, compile all OpenBSD tools in 3.0 for IPv6 62 63fix NULL-pointer dereference in NAT code 64 65make a better attempt at replacing the appropriate binaries on BSD systems 66 67always print IPv6 icmp-types as a number 68 69impose some rules about what "skip" can be used with 70 71fix parsing problems with "keep state" and "keep state-age" 72 73Try to read as much data as is in the log device in ipmon 74 75remove some redundant checks when searching for rdr/nat rules 76 77fix bug in handling of ACCT with FTP proxy 78 79increase array size for interface names, using LIFNAMSIZ 80 81include H.323 proxy from QNX 82 833.4.23 16/01/2002 - Released 84 85Include patches to install IPFilter into OpenBSD 3.0, both for just kernel 86compiles and complete system builds. 87 88Fix bug in automatic flushing of state table which would cause it to hang 89in an infinite loop bug introduced in 3.4.20. 90 91Modify the sample proxy (samples/proxy.c) so that it ads a NAT mapping for 92the outgoing connection to make it look like it comes from the real source. 93 94Only support ICMPv6 with IPv6. 95 96Move ipnat.1 to ipnat.8 97 98Enhance ipmon to print textual ICMP[v6] types and subtypes where possible. 99 100Make it possible to do IPv6 regression testing with ipftest. 101 102Use kvm library for kmem access, rather than trying to do it manually with 103open/lseek/read. 104 105Fix diffs for ip_input.c on BSDOS so it doesn't crash with fastroute. 106 107Remove Berkeley advertising licence clause. Reference: 108ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change 109 110Add more regression tests: ICMPv6 neighbour discovery, ICMP time exceeded 111and fragmentation required. 112 113Fix ipfboot script on Solaris to deal with no nameservers or no route to 114them in a clean manner. 115 116Support per-rule set timeouts for non-TCP NAT and state 117 118Add netbios proxy 119 120Add ICMPv6 stateful checking, including handling multicast destination 121addresses for neighbour discovery. 122 123Fix problems with internals of ICMP messages for MTU discovery and 124unreachables not being correctly adjust on little endian boxes. 125 126Add "in-via" and "out-via" to filtering rules grammar. It is now possible 127to bind a rule to both incoming and outgoing interfaces, in both forward 128and reverse directions (4 directions in total). allows for asymetric flows 129through a firewall. 130 131Fix ipfstat and ipnat for working on crash dumps. 132 133Don't let USE_INET6 stay defined for SunOS4 134 135Count things we see for each interface on solaris. 136 137Include <netinet/icmp6.h> when compiling with USE_INET6 defined and 138also include a whole bunch of #define's to make sure the symbols expected 139can be used. 140 141Fix up fastroute on BSD systems. 142 143Make fastrouting work for IPv6 just a bit better. doesn't split up big 144packets into fragments like the IPv4 one does. You can now do a 145"to <if>:<ipv6_addr>" 146 147Remove some of the differences between user-space and kernel-space code 148that is internal to ipfilter. 149 150Call ipfr_slowtimer() after each packet is processed in ipftest to artificially 151create the illusion of passing time and include the expire functions in the 152code compiled for user-space. 153 154Fix issues with the IPSec proxy not working or leading to a system crash. 155 156Junk all processing of SPIs and special handling for ESP. 157 158Add "no-match" as a filter rule action (resets _LAST_ match) 159 160Add hack to workaround problems with Cassini interface cards on 161Solaris and VLANs 162 163Add some protocols to etc/protocols 164 1653.4.22 03/12/2001 - Released 166 167various openbsd changes 168 169sorting based on IP numbers for ipfstat top output 170 171fix various IPv6 code & compile problems 172 173modify ip_fil.c to be more netbsd friendly 174 175fix fastroute bug where it modified a packet post-sending 176 177fix get_unit() - don't understand why it was broken. 178 179add FI_IGNOREPKT and don't count so marked packets when doing stats or 180state/nat. 181 182extend the interface name saved to log output 183 184make proxies capable of extending the matching done on a packet with a 185particular nat session 186 187change interfaces inside NAT & state code to accomodate redesign to allow 188IPsec proxy to work. 189 190fix bug when free'ing loaded rules that results in a memory leak 191(only an issue with "ipf -rf -", not flush) 192 193make ipftest capable of loading > 1 file or rules, making it now possible 194to load both NAT & filter rules 195 196fix hex input for ipftest to allow interface name & direction to work 197 198show ipsec proxy details in ipnat output 199 200if OPT_HEX is set in opts, print a packet out as hex 201 202don't modify b_next or preseve it or preserve b_prev for solaris 203 204fix up kinstall scripts to install all the files everywhere they need to 205 206fix overflowing of bits in ip_off inside iptest 207 208make userauth and proxy in samples directory compile 209 210fix minimum size when doing a pullup for ESP & ICMPv6 211 2123.4.21 24/10/2001 - Released 213 214include ipsec proxy 215 216make state work for non-tcp/udp/icmp in a very simple way 217 218include diffs for ipv6 firewall on openbsd-2.9 219 220add compatibility filter wrapper for NetBSD-current 221 222fix command line option problems with ipfs 223 224if we fill the state table and a automated flush doesn't purge any 225expiring entries, remove all entries idle for more than half a day 226 227fix bug with sending resets/icmp errors where the pointer to the data 228section of the packet was not being set (BSD only) 229 230split out validating ftp commands and responses into different halves, 231one for each of server & client. 232 233do not compile in STATETOP support for specific architectures 234 235fix INSTALL.FreeBSD to no longer provide directions and properly direct 236people to the right file for the right version of FreeBSD. 237 2383.4.20 24/07/2001 - Released 239 240adjust NAT hashing to give a better spread across the table 241 242show icmp code/type names in output, where known 243 244fix bug in altering cached interface names in state when resync'ing 245 246fix bug in real audio proxy that caused crashs 247 248fix compiling using sunos4 cc 249 250patch from casper to address weird exit problem for ipstat in top mode 251 252patch from Greg Woods to produce names for icmp types/unreach codes, 253where they are known 254 255fix bug where ipfr_fastroute() would use a mblk and it would also get 256freed later. 257 258don't match fragments which would cause 64k length to be exceeded 259 260ftp proxy fix for port numbers being setup for pasv ftp with state/nat 261 262change hashing for NAT to include both IP#'s and ports. 263 264Solaris fixes for IPv6 265 266fix compiling iplang bits, under Solaris, for ipsend 267 2683.4.19 29/06/2001 - Released 269 270fix to support suspend/resume on solaris8 as well as ipv6 271 272include group/group-head in match of filter rules 273 274fix endian problem reading snoop files 275 276make all licence comments point to the one place 277 278fix ftp proxy to only advance state if a reply is received in response to 279a recognised command 280 2813.4.18 05/06/2001 - Released 282 283fix up parsing of "from ! host" where '!' is separate 284 285disable hardware checksums for NetBSD 286 287put ipftest temporary files in . rather than /tmp 288 289modify ftp proxy to be more intelligent about moving between states 290and recognise new authentication commands 291 292allow state/nat table sizes to be externally influenced 293 294print out host mapping table for NAT with ipnat -l 295 296fix handling of hardware checksum'ing on Solaris 297 298fixup makefiles for Solaris 299 300update regression tests 301 302fix surrender of SPL's for failure cases 303 304include patches for OpenBSD's new timeout mechanism 305 306default ipl_unreach to ICMP_UNREACH_FILTER_PROHIB if defined, else make it 307ICMP_UNREACH_FILTER 308 309fix up handling of packets matching auth rules and interaction with state 310 311add -q command line option to ipfstat on Solaris to list bound interfaces 312 313add command line option to ipfstat/ipnat to select different core image 314 315don't use ncurses on Solaris for STATETOP 316 317fix includes to get FreeBSD version 318 319do not byte swap ip_id 320 321fix handling success for packets matching the auth rule 322 323don't double-count short packets 324 325add ICMP router discovery message size recognition 326 327fix packet length calculation for IPv6 328 329set CPUDIR when for install-sunos5 make target 330 331SUNWspro -xF causes Solaris 2.5.1 kernel to crash 332 3333.4.17 06/04/2001 - Released 334 335fix fragment#0 handling bug where they could get in via cache information 336created by state table entries 337 338use ire_walk to look for ire cache entries with link layer headers cached 339 340deal with bad SPL assumptions for log reading on BSD 341 342fix ftp proxy to allow logins with passwords 343 344some auth rule patches, fixing byte endian problems and returning as an error 345 346support LOG_SECURITY, where available, in ipmon 347 348don't return an error for packets which match auth rules 349 350introduce fr_icmpacktimeout to timeout entries once an ICMP reply has 351been seen separately to when created 352 3533.4.16 15/01/2001 - Released 354 355fix race condition in flushing of state entries that are timing out 356 357Add TCP ECN patches 358 359log all NAT entries created, not just those via rules 360 3613.4.15 17/12/2000 - Released 362 363add minimum ttl filtering (to be replaced later by return-icmp-as-dest 364for all ICMP packets matching state entries). 365 366fix NAT'ing of fragments 367 368fix sanity checks for ICMPV6 369 370fix up compiling on IRIX 6.2 with IDF/IDL installed 371 3723.4.14 02/11/2000 - Released 373 374cause flushing NAT table to generate log records the same as state flush 375does. 376 377fix ftp proxy port/pasv 378 379fix problem where nat_{in,out}lookup() would release a write lock when it 380didn't need to. 381 382add check for ipf6.conf in Solaris ipfboot 383 3843.4.13 28/10/2000 - Released 385 386fix introduced bug with ICMP packets being rejected when valid 387 388fix bug with proxy's that don't set fin_dlen correctly when calling 389fr_addstate() 390 3913.4.12 26/10/2000 - Released 392 393fix installing into FreeBSD-4.1 394 395fix FTP proxy bug where it'd hang and make NAT slightly more efficient 396 397fix general compiling errors/warnings on various platforms 398 399don't access ICMP data fields that aren't there 400 4013.4.11 09/10/2000 - Released 402 403return NULL for IPv6 access control lists if it is disabled rather than 404random garbage. 405 406fix for getting protocol & packet length for IPv6 packets for pullup. 407 408update plog script from version 0.8 to version 0.10 409 410patch from Frank Volf adding fix_datacksum() to NAT code, enhancing the 411capabilities for "fixing" checksums. 412 4133.4.10 03/09/2000 - Released 414 415merge patch from Frank Volf for ICMP nat handling of TCP/UDP data `errors' 416 417getline() adjusts linenum now 418 419add tcphalfclosed timeout 420 421fill in icmp_nextmtu field if it is defined on the platform 422 423RST generation fix from guido 424 425force 32bit compile for gcc on solaris if it can't generate 64bit code 426 427encase logging when fr_chksrc == 2 in #ifdef IPFILTER_LOG 428 429fix up line wrap problems in plog script 430 431fix ICMP packet handling to not drop valid ICMP errors 432 433freebsd 5.0 compat changes 434 4353.4.9 08/08/2000 - Released 436 437implement new aging mechanism in fr_tcp_age() 438 439fix icmp state checking bug 440 441revamp buildsunos script and build both sparcv7/sparcv9 for Solaris 442if on an Ultra with a 64bit system & compiler (Caseper Dik) 443 444open ipfilter device read only if we know we can 445 446print out better information for ICMP packets in ipmon 447 448move checking for source spoofed packets to a point where we can generate 449logs of them 450 451return EFAULT from ircopyptr/iwcopyptr 452 453don't do ioctl(SIOCGETFS) for auth stats 454 455fix up freeing mbufs for post-4.3BSD 456 457fix returning of inc from ftp proxy 458 459fix bugs with ipfs -R/-W (Caseper Dik) 460 4613.4.8 19/07/2000 - Released 462 463create fake opt_inet6.h for FreeBSD-4 compile as LKM 464 465add #ifdef's for KLD_MODULE sanity 466 467NAT fastroute'd packets which come out of return-* 468 469fix upper/lower case crap in ftp proxy and get seq# checking fixed up. 470 4713.4.7 08/07/2000 - Released 472 473make "ipf -y" lookup NAT if's which are unknown 474 475prepend line numbers to ioctl error messages in ipf/ipnat 476 477don't apply patches to FreeBSD twice 478 479allow for ip_len to be on an unaligned boundary early on in fr_precheck 480 481fix printing of icmp code when it is 0 482 483correct printing of port numbers in map rules with from/to 484 485don't allow fr_func to be called at securelevel > 0 or rules to be added 486if securelevel > 0 if they have a non-zero fr_func. 487 4883.4.6 11/06/2000 - Released 489 490add extra regression tests for new nat functionality 491 492place restrictions on using '!' in map/rdr rules 493 494fix up solaris compile problems 495 4963.4.5 10/06/2000 - Released 497 498mention -sl in ipfstat.8 499 500fix/support '!' in from/to rules (rdr) for NAT 501 502add from/to support to rdr NAT rules 503 504don't send ICMP errors in response to ICMP errors 505 506fix sunos5 compilation for "ipfstat-top" and cleanup ipfboot 507 508input accounting list used for both outbound and inbound packets 509 5103.4.4 23/05/2000 - Released 511 512don't add TCP state if it is an RST packet and (attempt) to send out 513RST/ICMP packets in a manner that bypasses IP Filter. 514 515add patch to work with 4.0_STABLE delayed checksums 516 5173.4.3 20/05/2000 - Released 518 519fix ipmon -F 520 521don't truncate IPv6 packets on Solaris 522 523fix keep state for ICMP ECHO 524 525add some NAT stats and use def_nat_age rather than DEF_NAT_AGE 526 527don't make ftp proxy drop packets 528 529use MCLISREFERENCED() in tandem with M_EXT to check if IP fields need to be 530swapped back. 531 532fix up RST generation for non-Solaris 533 534get "short" flag right for IPv6 535 5363.4.2 - 10/5/2000 - Released 537 538Fix bug in dealing with "hlen == 1 and opt > 1" - Itojun 539 540ignore previous NAT mappings for 0/0 and 0/32 rules 541 542bring in a completely new ftp proxy 543 544allow NAT to cause packets to be dropped. 545 546add NetBSD callout support for 1.4-current 547 5483.4.1 - 30/4/2000 - Released 549 550add ratoui() and fix parsing of group numbers to allow 0 - UINT_MAX 551 552don't include opt_inet6.h for FreeBSD if KLD_MODULE is defined 553 554Solaris must use copyin() for all types of ioctl() args 555 556fix up screen/tty when leaving "top mode" of ipfstat 557 558linked list for maptable not setup correctly in nat_hostmap() 559 560check for maptable rather than nat_table[1] to see if malloc for maptable 561succeeded in nat_init 562 563fix handling of map NAT rules with "from/to" host specs 564 565fix printout out of source address when using "from/to" with map rules 566 567convert ip_len back to network byte order, not plen, for solaris as ip_len 568may have been changed by NAT and plen won't reflect this 569 5703.4 - 27/4/2000 - Released 571 572source address spoofing can be turned on (fr_chksrc) without using 573filter rules 574 575group numbers are now 32bits in size, up from 16bits 576 577IPv6 filtering available 578 579add frank volf's state-top patches 580 581add load splitting and round-robin attribute to redirect rules 582 583FreeBSD-4.0 support (including KLD) 584 585add top-style operation mode for ipfstat (-t) 586 587add save/restore of IP Filter state/NAT information (ipfs) 588 589further ftp proxy security checks 590 591support for adding and removing proxies at runtime 592 5933.3.13 26/04/2000 - Released 594 595Fix parsing of "range" with "portmap" 596 597Relax checking of ftp replies, slightly. 598 599Fix NAT timeouts for ICMP packets 600 601SunOS4 patches for ICMP redirects from Jurgen Keil (jk@tools.de) 602 6033.3.12 16/03/2000 - Released 604 605tighten up ftp proxy behaviour. sigh. yuck. hate. 606 607fix bug in range check for NAT where the last IP# was not used. 608 609fix problem with icmp codes > 127 in filter rules caused bad things to 610happen and in particular, where #18 caused the rule to be printed 611erroneously. 612 613fix bug with the spl level not being reset when returning EIO from 614iplioctl due to ipfilter not being initialized yet. 615 6163.3.11 04/03/2000 - Released 617 618make "or-block" work with lines that start with "log" 619 620fix up parsing and printing of rules with syslog levels in them 621 622fix from Cy Schubert for calling of apr_fini only if non-null 623 624 6253.3.10 24/02/2000 - Released 626 627* fix back from guido for state tracking interfaces 628 629* update for NetBSD pfil interface changes 630 631* if attaching fails and we can abort, then cleanup when doing so. 632 633julian@computer.org: 634* solaris.c (fr_precheck): After calling freemsg on mt, set it point to *mp. 635* ipf.c (packetlogon): use flag to store the return value from get_flags. 636* ipmon.c (init_tabs): General cleanup so we do not have to cast 637 an int s->s_port to u_int port and try to check if the u_int port 638 is less than zero. 639 6403.3.9 15/02/2000 - Released 641 642fix scheduling of bad locking in fr_addstate() used when we attach onto 643a filter rule. 644 645fix up ip_statesync() with storing interface names in ipstate_t 646 647fix fr_running for LKM's - Eugene Polovnikov 648 649junk using pullupmsg() for solaris - it's next to useless for what we 650need to do here anyway - and implement what we require. 651 652don't call fr_delstate() in fr_checkstate(), when compiled for a user 653program, early but when we're finished with it (got fr & pass) 654 655ipnat(5) fix from Guido 656 657on solaris2, copy message and use that with filter if there is another 658copy if it being used (db_ref > 1). bad for performance, but better 659than causing a crash. 660 661patch for solaris8-fcs compile from Casper Dik 662 6633.3.8 01/02/2000 - Released 664 665fix state handling of SYN packets. 666 667add parsing recognition of extra icmp types/codes and fix handling of 668icmp time stamps and mask requests - Frank volf 669 6703.3.7 25/01/2000 - Released 671 672sync on state information as well as NAT information when required 673 674record nat protocol in all nat log records 675 676don't reuse the IP# from an active NAT session if the IP# in the rule 677has changed dynamically. 678 679lookup the protocol for NAT log information in ipmon and pass that to 680portname. 681 682fix the bug with changing the outbound interface of a packet where it 683would lead to a panic. 684 685use fr_running instead of ipl_inited. (sysctl name change on freebsd) 686 687return EIO if someone attempts an ioctl on state/nat if ipfilter is not 688enabled. 689 690fix rule insertion bug 691 692make state flushing clean anything that's not fully established (4/4) 693 694call fr_state_flush() after we've released ipf_state so we don't generate 695a recursive mutex acquisition panic 696 697fix parsing of icmp code after return-icmp/return-icmp-as-dest and add 698some patches to enhance parsing strength 699 7003.3.6 28/12/1999 - Released 701 702add in missing rwlock release in fr_checkicmpmatchingstate() and fix check 703for ICMP_ECHO to only be for packet, not state entry which we don't have yet. 704 705handle SIOCIPFFB in nat_ioctl() and fr_state_ioctl() 706 707fix size of friostat for SunOS4 708 709fix bug in running off the end of a buffer in real audio proxy 710 7113.3.5 11/12/1999 - Released 712 713fix parsing of "log level" and printing it back out too 714 715<net/if_types.h> is only present on Solaris2.6/7/8 716 717use send_icmp_err rather than icmp_error to send back a frag-needed error 718when doing PMTU 719 720do not use -b with add_drv on Solaris unless $BASEDIR is set. 721 722fix problem where source address in icmp replies is reversed 723 724fix yet another problem with real audio. 725 7263.3.4 4/12/1999 - Released 727 728fix up the real audio proxy to properly setup state information and NAT 729entries, thanks to Laine Stump for testing/advice/fixes. 730 731fix ipfr_fastroute to set dst->sin_addr (Sean Farley - appears to prevent 732FreeBSD 3.3 from panic'ing) as this had been removed in prior hacks to this 733routine. 734 735fix kinstall for BSDI 736 737support ICMP errors being allowed through for ICMP packets going out with 738keep state enabled 739 740support hardware checksumming (gigabit ethernet cards) on Solaris thanks to 741Tel.Net Media for providing hardware for testing. 742 743patched from Frank Volf for ipmon (ICMP & fragmented packets) and allowing 744ICMP responses to ICMP packets in the keep state table. 745 746add in patches for hardware checksumming under solaris 747 748Solaris install scripts now use $BASEDIR as appropriate. 749 750add Solaris8 support 751 752fix "ipf -y" on solaris so that it rescans rules also for changes in 753interface pointers 754 755let ipmon become a daemon with -D if it is using syslog 756 757fix parsing of return-icmp-as-dest(foo) 758 759add reference to ipfstat -g to ipfstat.8 760 761ipf_mutex needs to be declared for irix in ip_fil.c 762 7633.3.3 22/10/1999 - Released 764 765add -g command line option to ipfstat to show groups still define. 766 767fix problem with fragment table not recording rule pointer when called 768from state functions (fin_fr not set). 769 770fixup fastroute problems with keep state rules. 771 772load rules into inactive set first, so we don't disable things like NIS 773lookups half way through processing - found by Kevin Littlejohn 774 775fix handling of unaligned ip pointer for solaris 776 777patch for fr_newauth from Rudi Sluijtman 778 779fixed htons() bug in fr_tcpsum() where ip_p wasn't cast to u_short 780 7813.3.2 23/09/1999 - Released 782 783patches from Scott Presnell to fix rcmd proxy 784 785patches from Greg to fix Solaris detachment of interfaces 786 787add openbsd compatibility fixes 788 789fix free'ing already freed memory in ipfr_slowtimer() 790 791fix for deferencing invalid memory in cleaning up after a device disappears 792 7933.3.1 14/8/1999 - Released 794 795remove include file sys/user.h for irix 796 797prevent people from running buildsunos directly 798 799fix up some problems with the saving of rule pointers so that NAT saves 800that information in case it should need to call fr_addstate() from a proxy. 801 802fix up scanning for the end of FTP messages 803 804don't remove /etc/opt/ipf in postremove 805 806attempt to prevent people running buildsolaris script without doing a 807"make solaris" 808 809fix timeout losing on freebsd3 810 8113.3 7/8/1999 - Released 812 813NAT: information (rules, mappings) are stored in hash tables; setup some 814basic NAT regression testing. 815 816display version name of installed kernel code when initializing. 817 818add -V command line option to ipf, showing version (program and kernel 819module) as well as the run-status of the kernel code. 820 821fix problem with "log" rules actually affecting result of filtering. 822 823automatically use SUNWspro if available and on a 64bit Solaris system for 824compiling. 825 826add kernel proxies for rcmd(3) and RealAudio (PNA) 827 828use timeout/untimeout on SunOS4/BSD platforms too rather than hijacking 829ip_slowtimo 830 831fix IP headers generated through parsing of text information 832 833fix NAT rules to be in the correct order again. 834 835make keep-state work with to/fastroute keywords and enforce usage of those 836interfaces. 837 838update keep-state code with new algorithm from Guido 839 840add FreeBSD-3 support 841 842add return-icmp-as-dest option to retrun an ICMP packet using the original 843destination as the source rather than a local IP address 844 845add "level [facility.]<priority>" option to filter language 846 847add changes from Guido to state code. 848 849add code to return EPERM if the device is opened for writing and we're 850in securelevel 2 or greater. 851 852authentication code patches from Guido 853 854fix real audio proxy 855 856fix ipmon rule printing of interfaces and add IN/OUT to the end of ipmon 857log output. 858 859fix bimap rules with hash tables 860 861update addresses used in NAT mappings for 0/32 rules for any protocol but TCP 862if it changes on the interface - check every ip_natexpire() 863 864add redirect regression test 865 866count buckets used in the state hash table. 867 868fix sending of RST's with return-rst to use the ack number provided in 869the packet being replied to in addition to the sequence number. 870 871fix to compile as a 64bit application on solaris7-64bit 872 873add NAT IP mapping to ranges of IP addresses that aren't CIDR specified 874 875fix calculation of in_space parameter for NAT 876 877fix `wrapping' when incrementing the next ip address for use in NAT 878 879fix free'ing of kernel memory in ip_natunload on solaris 880 881fix -l/-U command line options from interfering with each other 882 883fix fastroute under solaris2 and cleanup compilation for solaris7 884 885add install scripts and compile cleanly on BSD/OS 4.0 886 887safely open files in /tmp for writing device output when testing. 888 889fix uninitialized pointer bug in NAT 890 891fix SIOCZRLST (zero list rule stats) bug with groups 892 893change some usage of u_short to u_int in function calling 894 895fix compilation for Solaris7 (SUNWspro) 896 897change solaris makefiles to build for either sparc or i386 rather than 898per-cpu (sun4u, etc). 899 900fixed bug in ipllog 901 902add patches from George Michaelson for FreeBSD 3.0 903 904add patch from Guido to provide ICMP checking for known state in the same 905manner as is done for NAT. 906 907enable FTP PASV proxying and enable wildcarding in NAT/state code for ports 908for better PORT/PASV support with FTP. 909 910bring into main tree static nat features: map-block and "auto" portmapping. 911 912add in source host filtering for redirects (alan jones) 913 9143.2.10 22/11/98 - Released 915 9163.2.10beta9 17/11/98 - Released 917 918fix fr_tcpsum problems in handling mbufs with an odd number of bytes 919and/or split across an mbuf boundary 920 921fix NAT list entry comparisons and allow multiple entries for the same 922proxy (but on different ports). 923 924don't create duplicate NAT entries for repeated PORT commands. 925 9263.2.10beta8 14/11/98 - Released 927 928always exit an rwlock before expecting to enter it again on solaris 929 930fix loop in nat_new for pre-existing nat 931 932don't setup state for an ftp connection if creating nat fails. 933 9343.2.10beta7 05/11/98 - Released 935 936set fake window in ipft_tx.c to ensure code passes tests. 937 938cleaned up/enhanced ipnat -l/ipnat -lv output 939 940fixed NAT handling of non-TCP/UDP packets, esp. for ICMP errors returned. 941 942Solaris recusive mutex on icmp-error/tcp-reset - requires rwlock's rather 943than mutexes. 944 9453.2.10beta6 03/11/98 - Released 946 947fix mixed use of krwlock_t and kmutex_t on Solaris2 948 949fix FTP proxy back up, splitting pasv code out of port code. 950 9513.2.10beta5 02/11/98 - Released 952 953fixed port translation in ICMP reply handling 954 9553.2.10beta4 01/11/98 - Released 956 957increase useful statistic collection on solaris 958 959filter DL_UNITDATA_REQ as well as DL_UNITDATA_IND on solaris 960 961disable PASV reply translation for now 962 963fail with an error if we try to load a NAT rule with a non-existant 964 proxy name - Guido 965 966fix portmap usage with 0/0 and 0/32 map rules 967 968remove ap_unload/ap_expire - automatically done when NAT is cleaned up 969 970print "STATE:CLOSED" from ipmon if the connection progresses past established 971 rather than "STATE:EXPIRED" 972 9733.2.10beta3 26/10/98 - Released 974 975fixed traceroute/nat problem 976 977rewrote nat/proxy interface 978 979ipnat now lists associated proxy sessions for each NAT where applicable 980 9813.2.10beta2 13/10/98 - Released 982 983use KRWLOCK_T in place of krwlock_t for solaris as well as irix 984 985disable use of read-write lock acquisition by default 986 987add in mb_t for linux, non-kernel 988 989some changes to progress compilation on linux with glibc 990 991change PASV as well as PORT when passed through kernel ftp proxy. 992 993don't allow window to become 0 in tcp state code 994 995make ipmon compile cleaner 996 997irix patches 998 9993.2.10beta 11/09/98 - Released 1000 1001stop fr_tcpsum() thinking it has run out of data when it hasn't. 1002 1003stop solaris panics due to fin_dp being something wild. 1004 1005revisit usage of ATOMIC_*() 1006 1007log closing state of TCP connection in "keep state" 1008 1009fix fake-arp table code for ipsend. 1010 1011ipmon now writes pid to a file. 1012 1013fix "ipmon -a" to actually activate all logging devices. 1014 1015add patches for BSDOS4. 1016 1017perl scripts for log analysis donated. 1018 10193.2.9 22/06/98 - Released 1020 1021fix byte order for ICMP packets generated on Solaris 1022 1023fix some locking problems. 1024 1025fix malloc bug in NAT (introduced in 3.2.8). 1026 1027patch from guido for state connections that get fragmented 1028 10293.2.8 08/06/98 - Released 1030 1031use readers/writers locks in Solaris2 in place of some mutexes. 1032 1033Solaris2 installation enhancements - Martin Forssen (maf@carlstedt.se) 1034 10353.2.7 24/05/98 - Released 1036 1037u_long -> u_32_t conversions 1038 1039patches from Bernd Ernesti for NetBSD 1040 1041fixup ipmon to actually handle HUP's. 1042 1043Linux fixes from Michael H. Warfield (mhw@wittsend.com) 1044 1045update for keep state patch (not security related) - Guido 1046 1047dumphex() uses stdout rather than log 1048 10493.2.6 18/05/98 - Released 1050 1051fix potential security loop hole in keep state code. 1052 1053update examples. 1054 10553.2.5 09/05/98 - Released 1056 1057BSD/OS 3.1 .o files added for the kernel. 1058 1059fix sequence # skew vs window size check. 1060 1061fix minimum ICMP header size check. 1062 1063remove references to Cybersource. 1064 1065fix my email address. 1066 1067remove ntohl in ipnat - Thomas Tornblom 1068 10693.2.4 09/04/98 - Released 1070 1071add script to make devices for /dev on BSD boxes 1072 1073fixup building into the kernel for FreeBSD 2.2.5 1074 1075add -D command line option to ipmon to make it a daemon and SIGHUP causes 1076it to close and reopen the logfile 1077 1078fixup make clean and make package for SunOS5 - Marc Boucher 1079 1080postinstall keeps adding "minor=ipf ipl" - George Ross <gdmr@dcs.ed.ac.uk> 1081 1082protected by IP Filter gif - Sergey Solyanik <solik@atom.ru> 1083 10843.2.3 10/11/97 - Released 1085 1086fix some iplang bugs 1087 1088fix tcp checksum data overrun, sgi #define changes, 1089avoid infinite loop when nat'ing to single IP# - Marc Boucher 1090 1091fixup DEVFS usage for FreeBSD 1092 1093fix sunos5 "make clean" cleaning up too much 1094 10953.2.2 28/11/97 - Released 1096 1097change packet matching to return actual error, if bad packet, to facilitate 1098ECONNRESET for TCP. 1099 1100allow ip:netmask in grammar too now - Guido 1101 1102assume IRIX has u_int32_t in sys/types.h (needed for R10000) 1103 1104rewrite parts of command line options for ipmon 1105 1106fix TCP urgent packet & offset testing and add LAND attack test for iptest 1107 1108fix grammar error in yacc grammar for iplang 1109 1110redirect (rdr) destination port bytes-wapped when it shouldn't be. 1111 1112general: fr_check now returns error code, such as EHOSTUNREACH or 1113ECONNRESET (attempt to make ECONNRESET work for locally outbound 1114packets). 1115 1116linux: enable return-rst, need to filter tcp retransmits which are sent 1117 separately from normal packets 1118 1119memory leak plugged in ip_proxy.c 1120 1121BSDI compatibility patches from Guido 1122 1123tcp checksum fix - Marc Boucher 1124 1125recursive mutex and ioctl param fix - Marc Boucher 1126 11273.2.1 12/11/97 - Released 1128 1129port to BSD/OS 3.0 1130 1131port to Linux 2.0.31 1132 1133patches to make "map a/m -> 0/0" work with ftp proxying properly - Marc Boucher 1134 1135add "ipf -F s" and "ipf -F S" to flush state table entries. 1136 1137announce if logging is on or off when ip filter initializes. 1138 1139"ipf -F a" doesn't flush groups properly for Solaris. 1140 11413.2 30/10/97 - Released 1142 1143ipnat doesn't successfully remove proxy mappings with "-rf" - 1144Alexander Romanyu 1145 1146use K&R C function style for solaris kernel code 1147 1148use m_adj() to decrease packet size in ftp proxy 1149 1150use mbufchainlen rather than msgdsize, 1151IRIX update - Marc Boucher 1152 1153fix NetBSD modunload bug (pfil_add_hook done twice) 1154 1155patches for OpenBSD 2.1 - Craig Bevins <craigb@bitcom.net.au> 1156 11573.2beta10 24/10/97 - Released 1158 1159fix fragment table entries allocated for NAT. 1160 1161fix tcp checksum calculations over mbuf/mblk boundaries 1162 1163fix panic for blen < 0 in ftp kernel proxy - marc boucher 1164 1165fix flushing of rules which have been grouped. 1166 11673.2beta9 20/10/97 - Released 1168 1169some nit picking on solaris2 with SUNWspro - Michael Lyle <mrl@rpnet.net> 1170 1171ftp kernel proxy patches from Marc Boucher 1172 11733.2beta8 13/10/97 - Released 1174 1175add support for passing ICMP errors back through NAT. 1176 1177IRIX port update - Marc Boucher 1178 1179calculate correct MIN size of packet to log for UDP - Marc Boucher 1180 1181need htons(ETHERTYPE_x) on little endian BSD boxes - Dave Huang 1182 1183copyright header fixups 1184 11853.2beta7 23/09/97 - Released 1186 1187fickup problems introduced by prior merges & changes. 1188 11893.2beta6 23/09/97 - Released 1190 1191patch for spin-reading race condition - Marc Boucher. 1192 1193IRIX port by Marc Boucher. 1194 1195compatibility updates for Linux to ipsend 1196 11973.2beta5 13/09/97 - Released 1198 1199patches from Bernd Ernesti for NetBSD integration (mostly prototyping and 1200compiler warning things) 1201 1202ipf -y will resync IP#'s allocated with 0/32 in NAT to match interface if it 1203changes. 1204 1205update manual pages and other documentation updates. 1206 12073.2beta4 27/8/97 - Released 1208 1209enable setting IP and TCP options for iplang/ 1210 1211Solaris2 patches from Marc Boucher. 1212 1213add groups for filter rules. 1214 12153.2beta3 21/8/97 - Released 1216 1217patches for Solaris2 (interface panic solution ?): fix FIONREAD and 1218replacing q_qinfo points - Marc Boucher <marc@CAM.ORG> 1219 1220change ipsend/* and ipsd/* copyright notices to be the same as ip filter's 1221 1222patch for SYN-ACK skew testing fix from Eric V. Smith <EricSmith@windsor.com> 1223 12243.2beta2 6/8/97 - Released 1225 1226make it load on Solaris 2.3 1227 1228rewrote logging to remove solaris errors, introduced checking to see if the 1229same packet is logged successively. 1230 1231fix filter cache to work when there are no rules loaded. 1232 1233add "raw" option to ipresend to send entire ethernet frames. 1234 1235nat list corruption bug - NetBSD - Klaus Klein 1236 12373.2beta1 5/7/97 - Released 1238 1239patches from Jason Thorpe fixing: UNSIGNED_CHAR lossage, off_t being 64bits 1240lossage, and other NetBSD bits. 1241 1242NetBSD 1.2G update. 1243 1244fixup fwtk patches and add protocol field for SIOCGNATL. 1245 1246rdr bugs reported by Alexander Romanyu (alexr@aix.krid.crimea.ua), with 1247fixes: 1248* rdr matched all packets of a given protocol (ignored ports). 1249* severe bug in nat_delete which caused system crash/freeze. 1250 1251change Makefile so that CC isn't passed on for FreeBSD/NetBSD (will use 1252the default CC - cc, not gcc) 1253 12543.2alpha9 16/6/97 - Released 1255 1256added "skip" keyword. 1257 1258implement preauthentication of packets, as outlined by Guido. 1259 1260Make it compile as cleanly as possible with -Wall & general code cleanup 1261 1262getopt returns int, not char. Bernd Ernesti 1263 12643.2alpha8 13/6/97 - Released 1265 1266code added to support "auth" rules which require a user program to allow them 1267through. First revision and much of the code came from Guido. 1268 1269hex output from ipmon doesn't goto syslog when recovering from out of sync 1270error. Luke Mewburn (lukem@connect.com.au) 1271 1272fix solaris2.6 lookup of destination ire's. 1273 1274ipnat doesn't throw away unused bits (after masking), causing it to 1275behave incorrectly. Carson Gaspar 1276 1277NAT code doesn't include inteface name when matching - Alexey Mavrin 1278<lha@elco.spb.ru> 1279 1280replace old SunOS tcpip.h with new tcpip.h (from 4.4BSD) - Jason Thorpe. 1281 1282update install procedures to include ip_proxy.c 1283 1284mask out unused bits in NAT/RDR rules. 1285 1286use a generic type (u_32_t) for 32bit variables, rather than rely on 1287u_long being such - Jason Thorpe. 1288 1289create a local "netinet" directory and include from ~netinet/*" rather than 1290just "*" to make keeping the code working on ports easier. 1291 1292add an m_copydata and m_copyback for SunOS4 (based on 4.4BSD-Lite versions) 1293 1294documentation updates. 1295 1296NetBSD update from Jason Thorpe <thorpej@netbsd.org> 1297 1298allow RST's through with a matching SEQ # and 0 ACK. Guido Van Rooij 1299 1300ipmon uses excessive amounts of CPU on Solaris2 - Reinhard Bertram 1301<Reinhard.Bertram@KOM.th-darmstadt.de> 1302 13033.2alpha7 25/5/97 - Released 1304 1305add strlen for pre-2.2 kernels - Doug Kite <dkite@websgi.icomnet.com> 1306 1307setup bits and pieces for compiling into a FreeBSD-2.2 kernel. 1308 1309split up "bsd" targets. Now a separate netbsd/freebsd/bsd target. 1310mln_ipl.c has been split up into itself and mlf_ipl.c (for freebsd). 1311 1312fix (negative) host matching in filtering. 1313 1314add sysctl interface for some variables when compiled into FreeBSD-2.2 kernels 1315or later. 1316 1317make all the candidates for kernel compiling include "netinet/..." and build 1318a subdirectory "netinet" when compiling and symlink all .h files into this. 1319 1320add install make target to Makefile.ipsend 1321 13223.2alpha6 8/5/97 - Released 1323 1324Add "!" (not) to hostname/ip matching. 1325 1326Automatically add packet info to the fragment cache if it is a fragment 1327and we're translating addreses for. 1328 1329Automatically add packet info to the fragment cache if it is a fragment 1330and we're "keeping state" for the packet. 1331 1332Solaris2 patches - Anthony Baxter (arb@connect.com.au) 1333 1334change install procedure for FreeBSD 2.2 to allow building to a kernel 1335which is different to the running kernel. 1336 1337add FIONREAD for Solaris2! 1338 1339when expiring NAT table entries, if we would set a time to fr_tcpclosed 1340(which is 1), make it fr_tcplaskack(20) so that the state tables have a 1341chance to clear up. 1342 13433.2alpha5 1344 1345add proxying skeleton support and sample ftp transparent proxy code. 1346 1347add printfs at startup to tell user what is happening. 1348 1349add packets & bytes for EXPIRE NAT log records. 1350 1351fix the "install-bsd" target in the root Makefile. Chris Williams 1352<psion@mv.mv.com> 1353 1354Fixes for FreeBSD 2.2 (and later revs) to prevent panics. Julian Assange. 1355 13563.2alpha4 2/4/97 - Released 1357 1358Some compiler warnings cleaned up. 1359 1360FreeBSD-2.2 patches for LKM completed. 1361 13623.2alpha3 31/3/97 - Released 1363 1364ipmon changes: -N for reading NAT logfile, -S for reading state logfile. 1365-a for reading all. -n now toggles hostname resolution. 1366 1367Add logging of new state entries and expiration of old state entries. 1368count log successes and failures. 1369 1370Add logging of new NAT entries and expiration of old NAT entries. 1371count log successes and failures. 1372 1373Use u_quad_t for records of bytes & packets where kept 1374(IP Accounting: fr_hits, fr_bytes; IP state: is_pkts, is_bytes). 1375 1376Fixup use of CPU and DCPU in Makefiles. 1377 1378Fix broken 0/32 NAT mapping. Carl Makin <cmakin@nla.gov.au> 1379 13803.2alpha2 1381 1382Implement mapping to 0/32 as being an alias for automatically using the 1383interface's first IP address. 1384 1385Implement separate minor devices for both NAT and IP state code. 1386 1387Fully prototype all functions. 1388 1389Fix Makefile problem due to attempt to fix Sun compiling problems. 1390 13913.1.10 23/3/97 - Released 1392 1393ipfstat -a requires a -i or -o command line option too. Print an error 1394when not present rather than attempt to do something. 1395 1396patch updates for SunOS4 for kernel compiling. 1397patch for ipmon -s (flush's syslog file which isn't good). Andrew J. Schorr 1398<schorr@ead.dsa.com> 1399 1400too many people hit their heads hard when compiling code into the kernel 1401that doesn't let any packets through. (fil.c - IPF_NOMATCH) 1402 1403icmp-type parsing doesn't return any errors when it isn't constructed 1404correctly. Neil Readwin 1405 1406Using "-conf" with modload on SunOS4 doesn't work. 1407Timothy Demarest <demarest@arraycomm.com> 1408 1409Need to define ARCH in makefile for SunOS4 building. "make sunos4" 1410in INSTALL.SunOS is incorrect. James R Grinter <jrg@blodwen.demon.co.uk> 1411[all SunOS targets now run buildsunos] 1412 1413NAT lookups are still incorrect, matching non-TCP/UDP with TCP/UDP 1414information. ArkanoiD <ark@paranoid.convey.ru> 1415 1416Need to check for __FreeBSD_version being 199511 rather than 199607 1417in mln_ipl.c. Eric Feillant <Eric.Feillant@EUnet.fr> 1418 14193.1.9 8/3/97 - Released 1420 1421fixed incorrect lookup of active NAT entries. 1422 1423patch for ip_deq() wrong for pre 2.1.6 FreeBSD. 1424fyeung@fyeung8.netific.com (Francis Yeung) 1425 1426check for out with return-rst/return-icmp at wrong place - Erkki Ritoniemi 1427(erkki@vlsi.fi) 1428 1429text_readip returns the interface pointer pointing to text on stack - 1430Neil Readwin 1431 1432fix from Pradeep Krishnan for printout rules "with not opt sec". 1433 14343.1.8 18/2/97 - Released 1435 1436Diffs for ip_output.c and ip_input.c updated to fix bug with fastroute and 1437compiling warnings about reuse of m0. 1438 1439prevent use of return-rst and return-icmp with rules blocking packets going 1440out, preventing panics in certain situations. 1441 1442loop forms in frag cache table - Yury Pshenychny <yura@rd.zgik.zaporizhzhe.ua> 1443 1444should use SPLNET/SPLX around expire routines in NAT/frag/state code. 1445 1446redeclared malloc in 44arp.c - 1447 14483.1.7 8/2/97 - Released 1449 1450Macros used for ntohs/htons supplied with gcc don't always work very well 1451when the assignment is the same variable being converted. 1452 1453Filter matching doesn't not match rule which checks tcp flags on packets 1454which are fragments - David Wilson 1455 14563.1.7beta 30/1/97 - Released 1457 1458Fix up NAT bugs introduced in last major change (now tested), including 1459nat_delete(), nat_lookupredir(), checksum changes, etc. 1460 14613.1.7alpha 30/1/97 - Released 1462 1463Many changes to NAT code, including contributions from Laurent Joncheray 1464<lpj@ans.net> 1465 1466Use "NO_SLEEP" when allocating memory under SunOS. 1467 1468Make kernel printf's nicer for BSD/SunOS4 1469 1470Always do a checksum for packets being filtered going out and being 1471processed by fastroute. 1472 1473Leave kernel to play with cdevsw on *BSD systems with LKM's. 1474 1475ipnat.1 man page fixes. 1476 14773.1.6 21/1/97 - Released 1478 1479Allow NAT to work on BSD systems in conjunction with "pass .. to ifname" 1480 1481Memory leak introduced in 3.1.3 in NAT lists, clearing of NAT table tried 1482to free memory twice. 1483 1484NAT recalculates IP header checksum based on difference between IP#'s and 1485port numbers - should be just IP#'s (Solaris2 only) 1486 14873.1.5 13/1/97 - Released 1488 1489fixed setting of NAT timeouts and use different timeouts for concurrent 1490TCP sessions using the same IP# mapping (when port mapping isn't used) 1491 1492multiple loading/unloading of LKM's doesn't clean up cdevsw properly for 1493*BSD systems. 1494 14953.1.4 10/1/97 - Released 1496 1497add command line options -C and -F to ipnat to flush NAT list and table 1498 1499ipnat -l loops on output - Neil Readwin (nreadwin@nysales.micrognosis.com) 1500 1501NetBSD/FreeBSD kernel malloc changes - Daniel Carosone 1502 15033.1.3 10/1/97 - Released 1504 1505NAT chains not constructed correctly in hash tables - Antony Y.R Lu 1506(antony@hawk.ee.ncku.edu.tw) 1507 1508Updated INSTALL.NetBSD, INSTALL.FreeBSD and INSTALL.Sol2 1509 1510man page update (ipf.5) from Daniel Carosone (dan@geek.com.au) 1511 1512ICMP header checksum update now included in NAT. 1513 1514Solaris2 needs to modify IP header checksums in ip_natin and ip_natout. 1515 15163.1.2 4/12/96 - Released 1517 1518ipmon doesn't use syslog all the time when given -s option 1519 1520fixed mclput panic in ip_input.c and replace ntohs() with NTOHS() macro 1521 1522check the results of hostname resolution in ipnat 1523 1524"make *install" fixed for subdirectories. 1525 1526problems with "ARCH:=" and gnu make resolved 1527 1528parser reports an error for lines with whitespaces only rather than skipping 1529them. D.Carosone@abm.com.au (Daniel Carosone) 1530 1531patches for integration into NetBSD-current (post 1.2). 1532 1533add an option to allow non-IP packets going up/down the stream on Solaris2 1534to be dropped. John Bass. 1535 15363.1.2beta 21/11/96 - Released 1537 1538make ipsend compile on Linux 2.0.24 1539 1540changes to TCP kept state algorithm, making it watch state on TCP 1541connections in both directions. Also use the same algorithm for NAT TCP. 1542 1543-Wall cleanup - Bernd Ernesti 1544 1545added "or-block" for "pass .. log or-block" after a suggestion from 1546David Oppenheim (davido@optimation.com.au) 1547 1548added subdirectories for building IP Filter in SunOS5/BSD for different 1549cpu architecures 1550 1551Solaris2 fixes to logging and pre-filtering packet processing - 3.1.1p2 1552 1553mbuf logging not using mtod(), remove iplbusy - 3.1.1p1 1/11/96 1554 15553.1.1 28/10/96 - Released 1556 1557Installation script fixes and deinstall scripts for IP Filter on: 1558SunOS4/FreeBSD/NetBSD 1559 1560Man page fixes - Paul Dubois (dubois@primate.wisc.edu) 1561 1562Fix use of SOLARIS macro in ipmon, rewrote ipllog() (again!) 1563 1564parsing isn't completely case insensitive - David Wilson 1565(davidw@optimation.com.au) 1566 1567Release ipl_mutex across uiomove() calls 1568 1569print entire rule entries out for "ipf -z" when zero'ing per-rule stats. 1570 1571ipfstat returns same output for "hits" in "ipfstat -aio" - Terletsky Slavik 1572(ts@polynet.lviv.ua) 1573 1574New algorithm for setting timeouts for TCP connection (more closely follow 1575TCP FSM) - Pradeep Krishnan (pkrishna@netcom.com) 1576 1577Track both window sizes for TCP connections through "keep state". 1578 1579Solaris2 doesn't like _KERNEL defined in stdargs.h - Jos van Wezel 1580(wezel@bio.vu.nl) 1581 15823.1.1-beta2 6/10/96 - Released 1583 1584Solaris2 fastroute/dup-to/to now works 1585 1586ipmon `record' reading rewritten 1587 1588Added post-NetBSD1.2 packet filter patches - Mathew Green (mrg@eterna.com.au) 1589 1590Attempt to use in_proto.c.diff, not "..diffs" for SunOS4 - David Wilson 1591(davidw@optimation.com.au) 1592 1593Michael Ryan (mike@NetworX.ie) reports the following: 1594* The Trumpet WinSock under Windows always sends its SYN packet with an ACK 1595 value of 1, unlike any other implementation I've seen, which would set it 1596 to zero. The "keep state" feature of IP Filter doesn't work when receiving 1597 non-zero ACK values on new connection requests. 1598* */Makefile install rule doesn't install all the binaries/man pages 1599* Make ipnat use "tcp/udp" instead of "tcpudp" 1600* Print out "tcp/udp" properly 1601* ipnat "portmap tcp" matches "portmap udp" when adding/removing 1602* NAT dest. ip# increased by one on mask of 0xffffffff when it shouldn't 1603 16043.1.1-beta 1/9/96 - Released 1605 1606add better detection of TCP connections closing to TCP state monitoring. 1607 1608fr_addstate() not called correctly for fragments. "keep state" and 1609"keep frag" code don't work together 100% - Songqing Cai 1610(songqing_cai@sterling.com) 1611 1612call to fr_addstate() incorrect for adding state in combination with keeping 1613fragment information - Songqing Cai (songqing_cai@sterling.com) 1614 1615KFREE() passed fp (incorrect) and not fr (correct) in ip_frag.c - John Hood 1616(cgull@smoke.marlboro.vt.us) 1617 1618make ipf parser recognise '\\' as a `continued line' marker - Dima Ruban 1619(dima@best.net) 1620 16213.1.1-alpha 23/8/96 - Released 1622 1623kernel panic's when ICMP packets go through NAT code 1624 1625stats aren't zero'd properly with ipf -Z 1626 1627ipnat doesn't show port numbers correctly all the time and also add the 1628protocol (tcp/udp/tcpudp) to rdr output - Carson Gaspar (carson@lehman.com) 1629 1630fast checksum fixing not 100% - backout patch - Bill Dorsey (dorsey@lila.com) 1631 1632NetBSD-1.2 patches from - VaX#n8 <vax@linkdead.paranoia.com> 1633 1634Usage() call error in fils.c - Ajay Shekhawat (ajay@cedar.buffalo.edu) 1635 1636ip_optcopy() staticly defined in ip_output.c in SunOS4 - Nick Hall 1637(nrh@tardis.ed.ac.uk) 1638 16393.1.0 7/7/96 - Released 1640 1641Reformatted ipnat output to be compatible with it's input, so that 1642"ipnat -l | ipnat -rf -" is possible. 1643 16443.1.0beta 30/6/96 - Released 1645 1646NetBSD-1.2 patches from Greg Woods (woods@most.weird.com) 1647 1648kernel module must not be installed stripped (Solaris2), as created by 1649"make package" for Solaris2 - Peter Heimann 1650(peter@i3.informatik.rwth-aachen.de) 1651 16523.1.0alpha 5/6/96 - Released 1653 1654include examples in package for solaris2 1655 1656patches for removing an extra ip header checksum (FreeBSD/NetBSD/SunOS) 1657 1658removed trailing space from printouts of rules in ipf. 1659 1660ipresend supports the same range of inputs that ipftest does. 1661 1662sending a duplicate copy of a packet to another network devices is now 1663supported. ("dup-to") 1664 1665sending a packet to an arbitary interface is now supported, irrespective 1666of its actual route, with no ttl decrement. Can also be routed without 1667the ttl being decremented. ("to" and "fastroute"). 1668 1669"call" option added to support calling a generic function if a packet is 1670matched. 1671 1672show all (upto 4) recorded bytes from the interface name in logging from 1673ipmon. 1674 1675support for using unix file permissions for read/write access on the device 1676is now in place. 1677 1678recursive mutex in nat_new() for Solaris 2.x - Per L. Hagen <per@stibo.dk> 1679 1680ipftest doesn't call initparse() for THISHOST - Catherine Allen 1681(cla@connect.com.au) 1682 1683Man page corrections from Rex Bona (rex@pengo.comsmiths.com.au) 1684 16853.0.4 10/4/96 - Released 1686 1687looop in `parsing' IP packets with optlen 0 for ip options. 1688 1689rule number not initialized and resulted in unexpected results for state 1690maching. 1691 1692option parsing and printing bugs - Pradeep Krishnan 1693 16943.0.4beta 25/3/96 - Released 1695 1696wouldn't parse "keep flags keep state" correctly. 1697 1698SunOS4.1.x ip_input.c doesn't recognise all 1s broadcast address - Nigel Verdon 1699 1700patches for BSDI's BSD/OS 2.1 and libpcap reader on little endian systems 1701from Thorsten Lockert <tholo@tetherless.com> 1702 1703b* functions in fil.c on Solaris 2.4 1704 17053.0.3 17/3/96 - Released 1706 1707added patches to support IP Filter initialisation when compiled into the 1708kernel. 1709 1710added -x option to ipmon to display hex dumps of logged packets. 1711 1712added -H option to ipftest to allow ascii-hex formatted input to specify 1713arbitary IP packets. 1714 1715Sending TCP RSTs as a response now work for Solaris2 x86 1716 1717add patches to make IP Filter compile into NetBSD kernels properly. 1718 1719patch to stop SunOS 4.1.x kernels panicing with "data traps". 1720 1721ipfboot script unloads and reloads ipf module on Solaris2 if it is already 1722loaded into the kernel. 1723 1724Installation of IP Filter as a Solaris2 package is now supported. 1725 1726Man pages for ipnat.4, ipnat.5 added. 1727 1728added some more regression tests and fixed up IP Filter to pass the new tests 1729(previous versions failed some of the tests in set 12). 1730 1731IP option filter processing has changed so that saying "with opt lsrr" will 1732check only for that one, but not mask out other options, so a packet with 1733strict source routing, along with loose source routing will match all of 1734"with opt lsrr", "with opt ssrr" and "with opt lsrr,ssrr". 1735 1736IPL_NAME needed in ipnat.c - Kelly (kelly@count04.mry.scruznet.com) 1737 1738patches for clean NetBSD compilation from Bernd Ernesti (bernd@arresum.inka.de) 1739 1740make install is incorrect - Julian Briggs (julian@lightwork.co.uk) 1741 1742strtol() returns 0x7fffffff for all negative numbers, 1743printfr() generates incorrect output for "opt sec-class *", 1744handling of "not opt xxx opt yyy" incorrect. 1745- Minh Tonthat (minht@sbei.com)/Pradeep Krishnan (pradeepk@sbei.com) 1746 1747m_pullup() called only for input and not output; caused problems 1748with filtering icmp - Nigel Verdon (verdenn@gb.swissbank.com) 1749 1750parsing problem for "port 1" and NetBSD patches incorrect - 1751Andreas Gustafsson (gson@guava.araneus.fi) 1752 17533.0.2 4/2/96 - Released 1754 1755Corrected bug where NAT recalculates checksums for fragments. 1756 1757make NAT recalculate UDP checksums (rather than setting them to 0), 1758if they're non-zero. 1759 1760DNS patches - Real Page (Real.Page@Matrox.com) 1761 1762alteration of checksum recalculations in NAT code and addition of 1763redirection with NAT - Mike Neuman 1764 1765core dump, if tcp/udp is used with a port number and not service name, 1766in ipf - Mike Neuman (mcn@engarde.com) 1767 1768initparse() call, missing to prime "<thishost>" hook - Craig Bishop 1769 17703.0.1 14/1/96 - Released 1771 1772miscellaneous patches for Solaris2 1773 17743.0 14/1/96 - Released 1775 1776Patch included for FDDI, from Richard Ohnemus 1777(Richard_Ohnemus@dallas.csd.sterling.com) 1778 1779Code cleanup for release. 1780 17813.0beta4 10/1/96 1782 1783recursive mutex in ipfr_slowtimer fixed, reported by Craig Bishop 1784 1785recursive mutex in sending TCP RSTs fixed, reported by Tony Becker 1786 17873.0beta3 9/1/96 1788 1789FIxup for Solaris2.5 install and interface name bug in ipftest from 1790Julian Briggs (julian@lightwork.co.uk) 1791 1792Byte order patches for ipmon from Tony Becker (tony@mcrsys.com) 1793 17943.0beta2 7/1/96 1795 1796Added the (somewhat warped) IP accounting as it exists in ipfw on FreeBSD. 1797Note, this isn't really what one would call IP account, when compared to 1798process accounting, sigh. 1799 1800Split up ipresend into iptest/ipresend/ipsend 1801 1802Added another m_pullup() inside fr_check() for BSD style kernels and 1803added some checks to ipllog() to not log more than is present (for short 1804packets). 1805 1806Fixed bug where failed hostname/netname resolution goes undetecte and 1807becomes 0.0.0.0 (any) (reported Guido van Rooij) 1808 18093.0beta 11/11/95 - Released 1810 1811Rewrote the way rule testing is done, reducing the number of files needed and 1812generated. 1813 1814SIOCIPFFL was incorrectly affected by IPFILTER_LOG (Mathew Green) 1815 1816Patches from Guido van Rooij to fix sending back TCP RSTs on Net-2/Net-3 1817BSD based Unixes (panic'd) 1818 1819Patches for FreeBSD/i86 ipmon from Riku Kalinen <riku@tequila.nixu.fi> 1820(I think someone else already told me about these but they got lost :-/) 1821 1822Changed Makefile structure to build object files for different operating 1823systems in separate directories by default. 1824 1825BSDI has ef0 for first ethernet interface 1826 1827Allow for a "not" operator before optional keywords. 1828 1829The "rule number" was being incorrectly incremented every time it went through 1830the loop rather than when it matched a rule. 1831 18322.8.2 24/10/95 - Released 1833 1834Fixed up problems with "textip" for doing lots of testing. 1835 1836Fixed bug in detection of "short" tcp/ip packets (all reported as being short). 1837 1838Solaris 2.4 port now works 100%. 1839 1840Man page errors reported and fixed. 1841 1842Removed duplicate entry in etc/services for login on port 49 (Craig Bishop). 1843 1844Fixed ipmon output to put a space after the log-letter. 1845 1846Patch from Guido van Rooij to fix parsing problem. 1847 18482.8.1 15/10/95 - Released 1849 1850Added ttl and tos filtering. 1851 1852Patches for fixing up compilation and port problems (little endian) 1853from Guido van Rooij <guido@IAEhv.nl>. 1854 1855Man page problems reported and fixed by Carson Gaspar <carson@lehman.com>. 1856 1857ipsend doesn't compile properly on Solaris2.4 1858 1859Lots of work done for Solaris2.4 to make it MT/MP safe and work. 1860 18612.8 15/9/95 - Released 1862 1863ipmon can now send messages to syslogd (-s) and use names instead of 1864numbers (-N). 1865 1866IP packets are now "compiled" into a structure only containing filterable 1867bits. 1868 1869Added regression testing in the test/ subdirectory, using a new option 1870(-b) with the ipftest program. 1871 1872Added "nomatch" return to filter results. These are counted and show 1873up in reports from ipfstat. 1874 1875Moved filter code out of ip_fil.c and into fil.c - there is now only one 1876instance of it in the package. 1877 1878Added Solaris 2.4 support. 1879 1880Added IPSO basic security option filtering. 1881 1882Added name support for filtering on all 19 named IP options. 1883 1884Patches from Ivan Brawley to log packet contents as well as packet headers. 1885 1886Update for sun/conf.c.diff from Ivan Brawley <ibrawley@awadi.com.AU> 1887 1888Added patches for FreeBSD 1, and added two new switches (-E, -D) to ipf, 1889along with a new ioctl, SIOCFRENB. 1890From: Dieter Dworkin Muller <dworkin@village.org> 1891 18922.7.3 31/7.95 - Released 1893 1894Didn't compile cleanly without IPFILTER_LOG defined (Mathew Green). 1895 1896ipftest now deals with tcpdump3 binary output files (from libpcap) with -P. 1897 1898Brought ipftest program upto date with actual filter code. 1899 1900Filter would cause a match to occur when it wasn't meant to if the packet 1901had short headers and was missing portions that should have been there. 1902Err, it would rightly not match on them, but their absence caused a match 1903when it shouldn't have been. 1904 19052.7.2 26/7/95 - Released 1906 1907Problem with filtering just SYN flagged packets reported by 1908Dieter Dworkin Muller <dworkin@village.org>. To solve this 1909problem, added support for masking TCP flags for comparison "flags X/Y". 1910 19112.7.1 9/7/95 - Released 1912 1913Added ip_dirbroadcast support for Sun ip_input.c 1914 1915Fixed up the install scripts for FreeBSD/NetBSD to recognise where they are 1916better. 1917 19182.7 7/7/95 - Released 1919 1920Added "return-rst" to return TCP RST's to TCP packets. 1921 1922Actually ported it to FreeBSD-i386 2.0.0, so it works there properly now. 1923 1924Added insertion of filter rules. Use "@<#>" at the beginning of a filter 1925to insert a rule at row #. 1926 1927Filter keeps track of how many times each rule is matched. 1928 1929Changed compile time things to match kernel option (IPFILTER_LKM & 1930IPFILTER_LOG). 1931 1932Updated ip_input.c and ip_output.c with paches for 3.5 Multicast IP. 1933(No change required for 3.6) 1934 1935Now includes TCP fragments which start inside the TCP header as being short. 1936Added counting the number of times each rule is matched. 1937 1938 19392.6 11/5/95 - Released 1940 1941Added -n option to ipf: when supplied, no changes are made to the kernel. 1942 1943Added installation scripts for SunOS 4.1.x and NetBSD/FreeBSD/BSDI. 1944 1945Rewrote filtering to use a more generic mask & match procedure for 1946checking if a packet matches a rule. 1947 19482.5.2 27/4/95 - Released 1949 1950"tcp/udp" and a non-initialised pointer caused the "proto" to become 1951a `random' value; added "ip#/dotted.mask" notation to the BNF. 1952From Adam W. Feigin <feigin@iis.ee.ethz.ch> 1953 19542.5.1 22/3/95 - Released 1955 1956"tcp/udp" had a strange effect (undesired) on getserv*() functions, 1957causing protocol/service lookups to fail. Reported by Matthew Green. 1958 19592.5 17/3/95 - Released 1960 1961Added a new keyword "all" to BNF and parsing of tcpdump/etherfind/snoop 1962output through the ipftest program. Suggestions from: 1963Michael Ciavarella (mikec@phyto.apana.org.au) 1964 1965Conflicts occur when "general" filter rules are used for ports and the 1966lack of a "proto" when used with "port" matches other packets when only 1967TCP/UDP are implied. 1968Reported Matthew Green (mrg@fulcom.com.au); 1969reported & fixed 6-8/3/95 1970 1971Added filtering of short TCP packets using "with short" 28/2/95 1972(These can possibly slip by checks for the various flags). Short UDP 1973or ICMP are dropped to the floor and logged. 1974 1975Added filtering of fragmented packets using "with frag" 24/2/95 1976 1977Port to NetBSD-current completed 20/2/95, using LKM. 1978 1979Added logging of the rule # which caused the logging to happen and the 1980interface on which the packet is currently as suggested by 1981Andreas Greulich (greulich@math-stat.unibe.ch) 10/2/95 1982 19832.4 9/2/95 - Released 1984Fixed saving of IP headers in ICMP packets. 1985 19862.3 29/1/95 1987Added ipf -F [in|out|all] to flush filter rule sets (SIOCIPFFL). 1988Fixed iplread() and iplsave() with help from Marc Huber. 1989 19902.2 7/1/95 - Released 1991Added code from Marc Huber <huber@fzi.de> to allow it to allocate 1992its own major char number dynamically when modload'ing. Fixed up 1993use of <, >, <=, >= and >< for ports. 1994 19952.1 21/12/94 - Released 1996repackaged to include the correct ip_output.c and ip_input.c *goof* 1997 19982.0 18/12/94 - Released 1999added code to check for port ranges - complete. 2000rewrote to work as a loadable kernel module - complete. 2001 20021.1 2003added code for ouput filtering as well as input filtering and added support for logging to a simple character device of packet headers. 2004 20051.0 22/04/93 - Released 2006First release cut. 2007