HISTORY revision 98005
#
# NOTE: Quite a few patches and suggestions come from other sources, to whom
# I'm greatly indebted, even if no names are mentioned.
#
# Thanks to the Coombs Computing Unit at the ANU for their continued support
# in providing a very available location for the IP Filter home page and
# distribution center.
#
# Thanks to Hewlett Packard for making it possible to port IP Filter to
# HP-UX 11.00.
#
# Thanks to Tel.Net Media for supplying me with equipment to ensure that
# IP Filter continues to work on Solaris/sparc64.
#
# Thanks to BSDI for providing object files for BSD/OS 3.1 and the means
# to further support development of IP Filter under BSDI.
#
# Thanks to Craig Bishop of connect.com.au and Sun Microsystems for the
# loan of a machine to work on a Solaris 2.x port of this software.
#
# Thanks also to all those who have contributed patches and other code,
# and especially those who have found the time to port IP Filter to new
# platforms.
#
3.4.28 6/6/2002 - Released

Fix for H.323 proxy to work on little endian boxes

IRIX: Update installation documentation
      add route lock patch

allow use of groups > 65535

create a new packet info summary for packets going through ipfr_fastroute()
so that where details are different (RST/ICMP errors), the packet now gets
correctly NAT'd, etc.

fix the FTP proxy so that checks for TCP sequence numbers outside the
normal offset due to data changes use absolute numbers

make it possible to remove rules in ipftest

Update installing onto OpenBSD and split into two directories:
OpenBSD-2 and OpenBSD-3

fix error in printing out the protocol in NAT rules

always unlock ipfilter if locking fails half way through in ipfs

fix problems with TCP window scaling

update of man pages for ipnat(4) and ipftest(1)

3.4.27 28/04/2002 - Released

fix calculation of 2's complement 16 bit checksum for user space

add mbuflen() to userspace compiles.

add more #ifdef complexity for platform portability

add OpenBSD 3.1 diffs

3.4.26 25/04/2002 - Released

fix parsing and printing of NAT rules with regression tests.

add code to adjust TCP checksums inside ICMP errors where present and as
required for NAT.

fix documentation problems in install documents

fix locking problem with auth code on Solaris

fix use of version macros for FreeBSD and make the use of __FreeBSD_version
override previous hacks except when not present

fix the macros defined for SIOCAUTHR and SIOCAUTHW

fix the H.323 proxy so it no longer panics (multiple issues: re-entry into
nat_ioctl with lock held on Solaris, trying to copy data from kernel space
with copyin, unaligned access to get 32bit & 16bit numbers)

use the ip_ttl ndd parameter on Solaris to fill in ip_ttl for packets
generated by IPFilter

fix comparing state information to delete state table entries

flag packets as being "bad state" if they're outside the window and prevent
them from being able to cause new state to be created - except for SYN packets

be stricter about what packets match a TCP state table entry if its creation
was triggered by a SYN packet.

add patches to handle TCP window scaling

don't update TCP state table entries if the packet is not considered to be
part of the connection

ipfs wasn't allowing -i command line option in getopt

IRIX: fix kvm interface, fix compile warnings, compile the kernel with -O2
      regardless of user compile, fix the getkflags script to prune down the
      output more so it is acceptable

change building in Makefiles to create links to the application in $(TOP)
at the end of "build" rather than when each is created.

update BSD/kupgrade for FreeBSD

l4check wasn't properly closing things when a connection fails

man page updates for ipmon(8) and ipnat(5)

more regression tests added.

3.4.25 13/03/2002 - Released

retain rule # in state information

log the direction of a packet so ipmon gets it right rather than incorrectly
deriving it from the rule flags

add #ifdef for IPFILTER_LOGSIZE (put options IPFILTER_LOGSIZE=16384 in BSD
kernel config files to increase that buffer size)

recognise return-* rules differently to block in ipftest

fix bug in ipmon output for solaris

add regression testing for skip rules, logging and using head/group

fix output of ipmon: was displaying large unsigned ints rather than -1
when no rules matched.

make logging code compile into ipftest and add -l command line option to
dump binary log file (read with ipmon -f) when it finishes.

protect rule # and group # from interference when checking accounting rules

add regression testing for log output (text) from ipmon.

document -b command line option for ipmon

fix double-quick in Solaris startup script

3.4.24 01/03/2002 - Released

fix how files are installed on SunOS5

fix some minor problems in SunOS5 ipfboot script

by default, compile all OpenBSD tools in 3.0 for IPv6

fix NULL-pointer dereference in NAT code

make a better attempt at replacing the appropriate binaries on BSD systems

always print IPv6 icmp-types as a number

impose some rules about what "skip" can be used with

fix parsing problems with "keep state" and "keep state-age"

Try to read as much data as is in the log device in ipmon

remove some redundant checks when searching for rdr/nat rules

fix bug in handling of ACCT with FTP proxy

increase array size for interface names, using LIFNAMSIZ

include H.323 proxy from QNX

3.4.23 16/01/2002 - Released

Include patches to install IPFilter into OpenBSD 3.0, both for just kernel
compiles and complete system builds.

Fix bug in automatic flushing of state table which would cause it to hang
in an infinite loop - bug introduced in 3.4.20.

Modify the sample proxy (samples/proxy.c) so that it adds a NAT mapping for
the outgoing connection to make it look like it comes from the real source.

Only support ICMPv6 with IPv6.

Move ipnat.1 to ipnat.8

Enhance ipmon to print textual ICMP[v6] types and subtypes where possible.

Make it possible to do IPv6 regression testing with ipftest.

Use kvm library for kmem access, rather than trying to do it manually with
open/lseek/read.

Fix diffs for ip_input.c on BSDOS so it doesn't crash with fastroute.

Remove Berkeley advertising licence clause. Reference:
ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change

Add more regression tests: ICMPv6 neighbour discovery, ICMP time exceeded
and fragmentation required.

Fix ipfboot script on Solaris to deal with no nameservers or no route to
them in a clean manner.

Support per-rule set timeouts for non-TCP NAT and state

Add netbios proxy

Add ICMPv6 stateful checking, including handling multicast destination
addresses for neighbour discovery.

Fix problems with internals of ICMP messages for MTU discovery and
unreachables not being correctly adjusted on little endian boxes.

Add "in-via" and "out-via" to filtering rules grammar. It is now possible
to bind a rule to both incoming and outgoing interfaces, in both forward
and reverse directions (4 directions in total). allows for asymmetric flows
through a firewall.

Fix ipfstat and ipnat for working on crash dumps.

Don't let USE_INET6 stay defined for SunOS4

Count things we see for each interface on solaris.

Include <netinet/icmp6.h> when compiling with USE_INET6 defined and
also include a whole bunch of #define's to make sure the symbols expected
can be used.

Fix up fastroute on BSD systems.

Make fastrouting work for IPv6 just a bit better. doesn't split up big
packets into fragments like the IPv4 one does. You can now do a
"to <if>:<ipv6_addr>"

Remove some of the differences between user-space and kernel-space code
that is internal to ipfilter.

Call ipfr_slowtimer() after each packet is processed in ipftest to artificially
create the illusion of passing time and include the expire functions in the
code compiled for user-space.

Fix issues with the IPSec proxy not working or leading to a system crash.

Junk all processing of SPIs and special handling for ESP.

Add "no-match" as a filter rule action (resets _LAST_ match)

Add hack to workaround problems with Cassini interface cards on
Solaris and VLANs

Add some protocols to etc/protocols

3.4.22 03/12/2001 - Released

various openbsd changes

sorting based on IP numbers for ipfstat top output

fix various IPv6 code & compile problems

modify ip_fil.c to be more netbsd friendly

fix fastroute bug where it modified a packet post-sending

fix get_unit() - don't understand why it was broken.

add FI_IGNOREPKT and don't count so marked packets when doing stats or
state/nat.

extend the interface name saved to log output

make proxies capable of extending the matching done on a packet with a
particular nat session

change interfaces inside NAT & state code to accommodate redesign to allow
IPsec proxy to work.

fix bug when free'ing loaded rules that results in a memory leak
(only an issue with "ipf -rf -", not flush)

make ipftest capable of loading > 1 file or rules, making it now possible
to load both NAT & filter rules

fix hex input for ipftest to allow interface name & direction to work

show ipsec proxy details in ipnat output

if OPT_HEX is set in opts, print a packet out as hex

don't modify b_next or preserve it or preserve b_prev for solaris

fix up kinstall scripts to install all the files everywhere they need to

fix overflowing of bits in ip_off inside iptest

make userauth and proxy in samples directory compile

fix minimum size when doing a pullup for ESP & ICMPv6

3.4.21 24/10/2001 - Released

include ipsec proxy

make state work for non-tcp/udp/icmp in a very simple way

include diffs for ipv6 firewall on openbsd-2.9

add compatibility filter wrapper for NetBSD-current

fix command line option problems with ipfs

if we fill the state table and an automated flush doesn't purge any
expiring entries, remove all entries idle for more than half a day

fix bug with sending resets/icmp errors where the pointer to the data
section of the packet was not being set (BSD only)

split out validating ftp commands and responses into different halves,
one for each of server & client.

do not compile in STATETOP support for specific architectures

fix INSTALL.FreeBSD to no longer provide directions and properly direct
people to the right file for the right version of FreeBSD.

3.4.20 24/07/2001 - Released

adjust NAT hashing to give a better spread across the table

show icmp code/type names in output, where known

fix bug in altering cached interface names in state when resync'ing

fix bug in real audio proxy that caused crashes

fix compiling using sunos4 cc

patch from casper to address weird exit problem for ipstat in top mode

patch from Greg Woods to produce names for icmp types/unreach codes,
where they are known

fix bug where ipfr_fastroute() would use a mblk and it would also get
freed later.

don't match fragments which would cause 64k length to be exceeded

ftp proxy fix for port numbers being setup for pasv ftp with state/nat

change hashing for NAT to include both IP#'s and ports.

Solaris fixes for IPv6

fix compiling iplang bits, under Solaris, for ipsend

3.4.19 29/06/2001 - Released

fix to support suspend/resume on solaris8 as well as ipv6

include group/group-head in match of filter rules

fix endian problem reading snoop files

make all licence comments point to the one place

fix ftp proxy to only advance state if a reply is received in response to
a recognised command

3.4.18 05/06/2001 - Released

fix up parsing of "from ! host" where '!' is separate

disable hardware checksums for NetBSD

put ipftest temporary files in . rather than /tmp

modify ftp proxy to be more intelligent about moving between states
and recognise new authentication commands

allow state/nat table sizes to be externally influenced

print out host mapping table for NAT with ipnat -l

fix handling of hardware checksum'ing on Solaris

fixup makefiles for Solaris

update regression tests

fix surrender of SPL's for failure cases

include patches for OpenBSD's new timeout mechanism

default ipl_unreach to ICMP_UNREACH_FILTER_PROHIB if defined, else make it
ICMP_UNREACH_FILTER

fix up handling of packets matching auth rules and interaction with state

add -q command line option to ipfstat on Solaris to list bound interfaces

add command line option to ipfstat/ipnat to select different core image

don't use ncurses on Solaris for STATETOP

fix includes to get FreeBSD version

do not byte swap ip_id

fix handling success for packets matching the auth rule

don't double-count short packets

add ICMP router discovery message size recognition

fix packet length calculation for IPv6

set CPUDIR when for install-sunos5 make target

SUNWspro -xF causes Solaris 2.5.1 kernel to crash

3.4.17 06/04/2001 - Released

fix fragment#0 handling bug where they could get in via cache information
created by state table entries

use ire_walk to look for ire cache entries with link layer headers cached

deal with bad SPL assumptions for log reading on BSD

fix ftp proxy to allow logins with passwords

some auth rule patches, fixing byte endian problems and returning as an error

support LOG_SECURITY, where available, in ipmon

don't return an error for packets which match auth rules

introduce fr_icmpacktimeout to timeout entries once an ICMP reply has
been seen separately to when created

3.4.16 15/01/2001 - Released

fix race condition in flushing of state entries that are timing out

Add TCP ECN patches

log all NAT entries created, not just those via rules

3.4.15 17/12/2000 - Released

add minimum ttl filtering (to be replaced later by return-icmp-as-dest
for all ICMP packets matching state entries).

fix NAT'ing of fragments

fix sanity checks for ICMPV6

fix up compiling on IRIX 6.2 with IDF/IDL installed

3.4.14 02/11/2000 - Released

cause flushing NAT table to generate log records the same as state flush
does.

fix ftp proxy port/pasv

fix problem where nat_{in,out}lookup() would release a write lock when it
didn't need to.

add check for ipf6.conf in Solaris ipfboot

3.4.13 28/10/2000 - Released

fix introduced bug with ICMP packets being rejected when valid

fix bug with proxies that don't set fin_dlen correctly when calling
fr_addstate()

3.4.12 26/10/2000 - Released

fix installing into FreeBSD-4.1

fix FTP proxy bug where it'd hang and make NAT slightly more efficient

fix general compiling errors/warnings on various platforms

don't access ICMP data fields that aren't there

3.4.11 09/10/2000 - Released

return NULL for IPv6 access control lists if it is disabled rather than
random garbage.

fix for getting protocol & packet length for IPv6 packets for pullup.

update plog script from version 0.8 to version 0.10

patch from Frank Volf adding fix_datacksum() to NAT code, enhancing the
capabilities for "fixing" checksums.

3.4.10 03/09/2000 - Released

merge patch from Frank Volf for ICMP nat handling of TCP/UDP data `errors'

getline() adjusts linenum now

add tcphalfclosed timeout

fill in icmp_nextmtu field if it is defined on the platform

RST generation fix from guido

force 32bit compile for gcc on solaris if it can't generate 64bit code

encase logging when fr_chksrc == 2 in #ifdef IPFILTER_LOG

fix up line wrap problems in plog script

fix ICMP packet handling to not drop valid ICMP errors

freebsd 5.0 compat changes

3.4.9 08/08/2000 - Released

implement new aging mechanism in fr_tcp_age()

fix icmp state checking bug

revamp buildsunos script and build both sparcv7/sparcv9 for Solaris
if on an Ultra with a 64bit system & compiler (Casper Dik)

open ipfilter device read only if we know we can

print out better information for ICMP packets in ipmon

move checking for source spoofed packets to a point where we can generate
logs of them

return EFAULT from ircopyptr/iwcopyptr

don't do ioctl(SIOCGETFS) for auth stats

fix up freeing mbufs for post-4.3BSD

fix returning of inc from ftp proxy

fix bugs with ipfs -R/-W (Casper Dik)

3.4.8 19/07/2000 - Released

create fake opt_inet6.h for FreeBSD-4 compile as LKM

add #ifdef's for KLD_MODULE sanity

NAT fastroute'd packets which come out of return-*

fix upper/lower case crap in ftp proxy and get seq# checking fixed up.

3.4.7 08/07/2000 - Released

make "ipf -y" lookup NAT if's which are unknown

prepend line numbers to ioctl error messages in ipf/ipnat

don't apply patches to FreeBSD twice

allow for ip_len to be on an unaligned boundary early on in fr_precheck

fix printing of icmp code when it is 0

correct printing of port numbers in map rules with from/to

don't allow fr_func to be called at securelevel > 0 or rules to be added
if securelevel > 0 if they have a non-zero fr_func.

3.4.6 11/06/2000 - Released

add extra regression tests for new nat functionality

place restrictions on using '!' in map/rdr rules

fix up solaris compile problems

3.4.5 10/06/2000 - Released

mention -sl in ipfstat.8

fix/support '!' in from/to rules (rdr) for NAT

add from/to support to rdr NAT rules

don't send ICMP errors in response to ICMP errors

fix sunos5 compilation for "ipfstat-top" and cleanup ipfboot

input accounting list used for both outbound and inbound packets

3.4.4 23/05/2000 - Released

don't add TCP state if it is an RST packet and (attempt) to send out
RST/ICMP packets in a manner that bypasses IP Filter.

add patch to work with 4.0_STABLE delayed checksums

3.4.3 20/05/2000 - Released

fix ipmon -F

don't truncate IPv6 packets on Solaris

fix keep state for ICMP ECHO

add some NAT stats and use def_nat_age rather than DEF_NAT_AGE

don't make ftp proxy drop packets

use MCLISREFERENCED() in tandem with M_EXT to check if IP fields need to be
swapped back.

fix up RST generation for non-Solaris

get "short" flag right for IPv6

3.4.2 - 10/5/2000 - Released

Fix bug in dealing with "hlen == 1 and opt > 1" - Itojun

ignore previous NAT mappings for 0/0 and 0/32 rules

bring in a completely new ftp proxy

allow NAT to cause packets to be dropped.

add NetBSD callout support for 1.4-current

3.4.1 - 30/4/2000 - Released

add ratoui() and fix parsing of group numbers to allow 0 - UINT_MAX

don't include opt_inet6.h for FreeBSD if KLD_MODULE is defined

Solaris must use copyin() for all types of ioctl() args

fix up screen/tty when leaving "top mode" of ipfstat

linked list for maptable not setup correctly in nat_hostmap()

check for maptable rather than nat_table[1] to see if malloc for maptable
succeeded in nat_init

fix handling of map NAT rules with "from/to" host specs

fix printing out of source address when using "from/to" with map rules

convert ip_len back to network byte order, not plen, for solaris as ip_len
may have been changed by NAT and plen won't reflect this

3.4 - 27/4/2000 - Released

source address spoofing can be turned on (fr_chksrc) without using
filter rules

group numbers are now 32bits in size, up from 16bits

IPv6 filtering available

add Frank Volf's state-top patches

add load splitting and round-robin attribute to redirect rules

FreeBSD-4.0 support (including KLD)

add top-style operation mode for ipfstat (-t)

add save/restore of IP Filter state/NAT information (ipfs)

further ftp proxy security checks

support for adding and removing proxies at runtime

3.3.13 26/04/2000 - Released

Fix parsing of "range" with "portmap"

Relax checking of ftp replies, slightly.

Fix NAT timeouts for ICMP packets

SunOS4 patches for ICMP redirects from Jurgen Keil (jk@tools.de)

3.3.12 16/03/2000 - Released

tighten up ftp proxy behaviour. sigh. yuck. hate.

fix bug in range check for NAT where the last IP# was not used.

fix problem with icmp codes > 127 in filter rules caused bad things to
happen and in particular, where #18 caused the rule to be printed
erroneously.

fix bug with the spl level not being reset when returning EIO from
iplioctl due to ipfilter not being initialized yet.

3.3.11 04/03/2000 - Released

make "or-block" work with lines that start with "log"

fix up parsing and printing of rules with syslog levels in them

fix from Cy Schubert for calling of apr_fini only if non-null


3.3.10 24/02/2000 - Released

* fix back from guido for state tracking interfaces

* update for NetBSD pfil interface changes

* if attaching fails and we can abort, then cleanup when doing so.

julian@computer.org:
* solaris.c (fr_precheck): After calling freemsg on mt, set it to point to *mp.
* ipf.c (packetlogon): use flag to store the return value from get_flags.
* ipmon.c (init_tabs): General cleanup so we do not have to cast
  an int s->s_port to u_int port and try to check if the u_int port
  is less than zero.

3.3.9 15/02/2000 - Released

fix scheduling of bad locking in fr_addstate() used when we attach onto
a filter rule.

fix up ip_statesync() with storing interface names in ipstate_t

fix fr_running for LKM's - Eugene Polovnikov

junk using pullupmsg() for solaris - it's next to useless for what we
need to do here anyway - and implement what we require.

don't call fr_delstate() in fr_checkstate(), when compiled for a user
program, early but when we're finished with it (got fr & pass)

ipnat(5) fix from Guido

on solaris2, copy message and use that with filter if there is another
copy of it being used (db_ref > 1). bad for performance, but better
than causing a crash.

patch for solaris8-fcs compile from Casper Dik

3.3.8 01/02/2000 - Released

fix state handling of SYN packets.

add parsing recognition of extra icmp types/codes and fix handling of
icmp time stamps and mask requests - Frank Volf

3.3.7 25/01/2000 - Released

sync on state information as well as NAT information when required

record nat protocol in all nat log records

don't reuse the IP# from an active NAT session if the IP# in the rule
has changed dynamically.

lookup the protocol for NAT log information in ipmon and pass that to
portname.

fix the bug with changing the outbound interface of a packet where it
would lead to a panic.

use fr_running instead of ipl_inited. (sysctl name change on freebsd)

return EIO if someone attempts an ioctl on state/nat if ipfilter is not
enabled.

fix rule insertion bug

make state flushing clean anything that's not fully established (4/4)

call fr_state_flush() after we've released ipf_state so we don't generate
a recursive mutex acquisition panic

fix parsing of icmp code after return-icmp/return-icmp-as-dest and add
some patches to enhance parsing strength

3.3.6 28/12/1999 - Released

add in missing rwlock release in fr_checkicmpmatchingstate() and fix check
for ICMP_ECHO to only be for packet, not state entry which we don't have yet.

handle SIOCIPFFB in nat_ioctl() and fr_state_ioctl()

fix size of friostat for SunOS4

fix bug in running off the end of a buffer in real audio proxy

3.3.5 11/12/1999 - Released

fix parsing of "log level" and printing it back out too

<net/if_types.h> is only present on Solaris2.6/7/8

use send_icmp_err rather than icmp_error to send back a frag-needed error
when doing PMTU

do not use -b with add_drv on Solaris unless $BASEDIR is set.

fix problem where source address in icmp replies is reversed

fix yet another problem with real audio.

3.3.4 4/12/1999 - Released

fix up the real audio proxy to properly setup state information and NAT
entries, thanks to Laine Stump for testing/advice/fixes.

fix ipfr_fastroute to set dst->sin_addr (Sean Farley - appears to prevent
FreeBSD 3.3 from panic'ing) as this had been removed in prior hacks to this
routine.

fix kinstall for BSDI

support ICMP errors being allowed through for ICMP packets going out with
keep state enabled

support hardware checksumming (gigabit ethernet cards) on Solaris thanks to
Tel.Net Media for providing hardware for testing.

patches from Frank Volf for ipmon (ICMP & fragmented packets) and allowing
ICMP responses to ICMP packets in the keep state table.

add in patches for hardware checksumming under solaris

Solaris install scripts now use $BASEDIR as appropriate.

add Solaris8 support

fix "ipf -y" on solaris so that it rescans rules also for changes in
interface pointers

let ipmon become a daemon with -D if it is using syslog

fix parsing of return-icmp-as-dest(foo)

add reference to ipfstat -g to ipfstat.8

ipf_mutex needs to be declared for irix in ip_fil.c

3.3.3 22/10/1999 - Released

add -g command line option to ipfstat to show groups still defined.

fix problem with fragment table not recording rule pointer when called
from state functions (fin_fr not set).

fixup fastroute problems with keep state rules.

load rules into inactive set first, so we don't disable things like NIS
lookups half way through processing - found by Kevin Littlejohn

fix handling of unaligned ip pointer for solaris

patch for fr_newauth from Rudi Sluijtman

fixed htons() bug in fr_tcpsum() where ip_p wasn't cast to u_short

3.3.2 23/09/1999 - Released

patches from Scott Presnell to fix rcmd proxy

patches from Greg to fix Solaris detachment of interfaces

add openbsd compatibility fixes

fix free'ing already freed memory in ipfr_slowtimer()

fix for dereferencing invalid memory in cleaning up after a device disappears

3.3.1 14/8/1999 - Released

remove include file sys/user.h for irix

prevent people from running buildsunos directly

fix up some problems with the saving of rule pointers so that NAT saves
that information in case it should need to call fr_addstate() from a proxy.

fix up scanning for the end of FTP messages

don't remove /etc/opt/ipf in postremove

attempt to prevent people running buildsolaris script without doing a
"make solaris"

fix timeout losing on freebsd3

3.3 7/8/1999 - Released

NAT: information (rules, mappings) are stored in hash tables; setup some
basic NAT regression testing.

display version name of installed kernel code when initializing.

add -V command line option to ipf, showing version (program and kernel
module) as well as the run-status of the kernel code.

fix problem with "log" rules actually affecting result of filtering.

automatically use SUNWspro if available and on a 64bit Solaris system for
compiling.

add kernel proxies for rcmd(3) and RealAudio (PNA)

use timeout/untimeout on SunOS4/BSD platforms too rather than hijacking
ip_slowtimo

fix IP headers generated through parsing of text information

fix NAT rules to be in the correct order again.

make keep-state work with to/fastroute keywords and enforce usage of those
interfaces.

update keep-state code with new algorithm from Guido

add FreeBSD-3 support

add return-icmp-as-dest option to return an ICMP packet using the original
destination as the source rather than a local IP address

add "level [facility.]<priority>" option to filter language

add changes from Guido to state code.

add code to return EPERM if the device is opened for writing and we're
in securelevel 2 or greater.

authentication code patches from Guido

fix real audio proxy

fix ipmon rule printing of interfaces and add IN/OUT to the end of ipmon
log output.

fix bimap rules with hash tables

update addresses used in NAT mappings for 0/32 rules for any protocol but TCP
if it changes on the interface - check every ip_natexpire()

add redirect regression test

count buckets used in the state hash table.

fix sending of RST's with return-rst to use the ack number provided in
the packet being replied to in addition to the sequence number.

fix to compile as a 64bit application on solaris7-64bit

add NAT IP mapping to ranges of IP addresses that aren't CIDR specified

fix calculation of in_space parameter for NAT

fix `wrapping' when incrementing the next ip address for use in NAT

fix free'ing of kernel memory in ip_natunload on solaris

fix -l/-U command line options from interfering with each other

fix fastroute under solaris2 and cleanup compilation for solaris7

add install scripts and compile cleanly on BSD/OS 4.0

safely open files in /tmp for writing device output when testing.

fix uninitialized pointer bug in NAT

fix SIOCZRLST (zero list rule stats) bug with groups

change some usage of u_short to u_int in function calling

fix compilation for Solaris7 (SUNWspro)

change solaris makefiles to build for either sparc or i386 rather than
per-cpu (sun4u, etc).

fixed bug in ipllog

add patches from George Michaelson for FreeBSD 3.0

add patch from Guido to provide ICMP checking for known state in the same
manner as is done for NAT.

enable FTP PASV proxying and enable wildcarding in NAT/state code for ports
for better PORT/PASV support with FTP.

bring into main tree static nat features: map-block and "auto" portmapping.

add in source host filtering for redirects (alan jones)

3.2.10 22/11/98 - Released

3.2.10beta9 17/11/98 - Released

fix fr_tcpsum problems in handling mbufs with an odd number of bytes
and/or split across an mbuf boundary

fix NAT list entry comparisons and allow multiple entries for the same
proxy (but on different ports).

don't create duplicate NAT entries for repeated PORT commands.

3.2.10beta8 14/11/98 - Released

always exit an rwlock before expecting to enter it again on solaris

fix loop in nat_new for pre-existing nat

don't setup state for an ftp connection if creating nat fails.

3.2.10beta7 05/11/98 - Released

set fake window in ipft_tx.c to ensure code passes tests.

cleaned up/enhanced ipnat -l/ipnat -lv output

fixed NAT handling of non-TCP/UDP packets, esp. for ICMP errors returned.

Solaris recursive mutex on icmp-error/tcp-reset - requires rwlock's rather
than mutexes.

3.2.10beta6 03/11/98 - Released

fix mixed use of krwlock_t and kmutex_t on Solaris2

fix FTP proxy back up, splitting pasv code out of port code.
1042 10433.2.10beta5 02/11/98 - Released 1044 1045fixed port translation in ICMP reply handling 1046 10473.2.10beta4 01/11/98 - Released 1048 1049increase useful statistic collection on solaris 1050 1051filter DL_UNITDATA_REQ as well as DL_UNITDATA_IND on solaris 1052 1053disable PASV reply translation for now 1054 1055fail with an error if we try to load a NAT rule with a non-existant 1056 proxy name - Guido 1057 1058fix portmap usage with 0/0 and 0/32 map rules 1059 1060remove ap_unload/ap_expire - automatically done when NAT is cleaned up 1061 1062print "STATE:CLOSED" from ipmon if the connection progresses past established 1063 rather than "STATE:EXPIRED" 1064 10653.2.10beta3 26/10/98 - Released 1066 1067fixed traceroute/nat problem 1068 1069rewrote nat/proxy interface 1070 1071ipnat now lists associated proxy sessions for each NAT where applicable 1072 10733.2.10beta2 13/10/98 - Released 1074 1075use KRWLOCK_T in place of krwlock_t for solaris as well as irix 1076 1077disable use of read-write lock acquisition by default 1078 1079add in mb_t for linux, non-kernel 1080 1081some changes to progress compilation on linux with glibc 1082 1083change PASV as well as PORT when passed through kernel ftp proxy. 1084 1085don't allow window to become 0 in tcp state code 1086 1087make ipmon compile cleaner 1088 1089irix patches 1090 10913.2.10beta 11/09/98 - Released 1092 1093stop fr_tcpsum() thinking it has run out of data when it hasn't. 1094 1095stop solaris panics due to fin_dp being something wild. 1096 1097revisit usage of ATOMIC_*() 1098 1099log closing state of TCP connection in "keep state" 1100 1101fix fake-arp table code for ipsend. 1102 1103ipmon now writes pid to a file. 1104 1105fix "ipmon -a" to actually activate all logging devices. 1106 1107add patches for BSDOS4. 1108 1109perl scripts for log analysis donated. 1110 11113.2.9 22/06/98 - Released 1112 1113fix byte order for ICMP packets generated on Solaris 1114 1115fix some locking problems. 
1116 1117fix malloc bug in NAT (introduced in 3.2.8). 1118 1119patch from guido for state connections that get fragmented 1120 11213.2.8 08/06/98 - Released 1122 1123use readers/writers locks in Solaris2 in place of some mutexes. 1124 1125Solaris2 installation enhancements - Martin Forssen (maf@carlstedt.se) 1126 11273.2.7 24/05/98 - Released 1128 1129u_long -> u_32_t conversions 1130 1131patches from Bernd Ernesti for NetBSD 1132 1133fixup ipmon to actually handle HUP's. 1134 1135Linux fixes from Michael H. Warfield (mhw@wittsend.com) 1136 1137update for keep state patch (not security related) - Guido 1138 1139dumphex() uses stdout rather than log 1140 11413.2.6 18/05/98 - Released 1142 1143fix potential security loop hole in keep state code. 1144 1145update examples. 1146 11473.2.5 09/05/98 - Released 1148 1149BSD/OS 3.1 .o files added for the kernel. 1150 1151fix sequence # skew vs window size check. 1152 1153fix minimum ICMP header size check. 1154 1155remove references to Cybersource. 1156 1157fix my email address. 
1158 1159remove ntohl in ipnat - Thomas Tornblom 1160 11613.2.4 09/04/98 - Released 1162 1163add script to make devices for /dev on BSD boxes 1164 1165fixup building into the kernel for FreeBSD 2.2.5 1166 1167add -D command line option to ipmon to make it a daemon and SIGHUP causes 1168it to close and reopen the logfile 1169 1170fixup make clean and make package for SunOS5 - Marc Boucher 1171 1172postinstall keeps adding "minor=ipf ipl" - George Ross <gdmr@dcs.ed.ac.uk> 1173 1174protected by IP Filter gif - Sergey Solyanik <solik@atom.ru> 1175 11763.2.3 10/11/97 - Released 1177 1178fix some iplang bugs 1179 1180fix tcp checksum data overrun, sgi #define changes, 1181avoid infinite loop when nat'ing to single IP# - Marc Boucher 1182 1183fixup DEVFS usage for FreeBSD 1184 1185fix sunos5 "make clean" cleaning up too much 1186 11873.2.2 28/11/97 - Released 1188 1189change packet matching to return actual error, if bad packet, to facilitate 1190ECONNRESET for TCP. 1191 1192allow ip:netmask in grammar too now - Guido 1193 1194assume IRIX has u_int32_t in sys/types.h (needed for R10000) 1195 1196rewrite parts of command line options for ipmon 1197 1198fix TCP urgent packet & offset testing and add LAND attack test for iptest 1199 1200fix grammar error in yacc grammar for iplang 1201 1202redirect (rdr) destination port bytes-wapped when it shouldn't be. 1203 1204general: fr_check now returns error code, such as EHOSTUNREACH or 1205ECONNRESET (attempt to make ECONNRESET work for locally outbound 1206packets). 
1207 1208linux: enable return-rst, need to filter tcp retransmits which are sent 1209 separately from normal packets 1210 1211memory leak plugged in ip_proxy.c 1212 1213BSDI compatibility patches from Guido 1214 1215tcp checksum fix - Marc Boucher 1216 1217recursive mutex and ioctl param fix - Marc Boucher 1218 12193.2.1 12/11/97 - Released 1220 1221port to BSD/OS 3.0 1222 1223port to Linux 2.0.31 1224 1225patches to make "map a/m -> 0/0" work with ftp proxying properly - Marc Boucher 1226 1227add "ipf -F s" and "ipf -F S" to flush state table entries. 1228 1229announce if logging is on or off when ip filter initializes. 1230 1231"ipf -F a" doesn't flush groups properly for Solaris. 1232 12333.2 30/10/97 - Released 1234 1235ipnat doesn't successfully remove proxy mappings with "-rf" - 1236Alexander Romanyu 1237 1238use K&R C function style for solaris kernel code 1239 1240use m_adj() to decrease packet size in ftp proxy 1241 1242use mbufchainlen rather than msgdsize, 1243IRIX update - Marc Boucher 1244 1245fix NetBSD modunload bug (pfil_add_hook done twice) 1246 1247patches for OpenBSD 2.1 - Craig Bevins <craigb@bitcom.net.au> 1248 12493.2beta10 24/10/97 - Released 1250 1251fix fragment table entries allocated for NAT. 1252 1253fix tcp checksum calculations over mbuf/mblk boundaries 1254 1255fix panic for blen < 0 in ftp kernel proxy - marc boucher 1256 1257fix flushing of rules which have been grouped. 1258 12593.2beta9 20/10/97 - Released 1260 1261some nit picking on solaris2 with SUNWspro - Michael Lyle <mrl@rpnet.net> 1262 1263ftp kernel proxy patches from Marc Boucher 1264 12653.2beta8 13/10/97 - Released 1266 1267add support for passing ICMP errors back through NAT. 
1268 1269IRIX port update - Marc Boucher 1270 1271calculate correct MIN size of packet to log for UDP - Marc Boucher 1272 1273need htons(ETHERTYPE_x) on little endian BSD boxes - Dave Huang 1274 1275copyright header fixups 1276 12773.2beta7 23/09/97 - Released 1278 1279fickup problems introduced by prior merges & changes. 1280 12813.2beta6 23/09/97 - Released 1282 1283patch for spin-reading race condition - Marc Boucher. 1284 1285IRIX port by Marc Boucher. 1286 1287compatibility updates for Linux to ipsend 1288 12893.2beta5 13/09/97 - Released 1290 1291patches from Bernd Ernesti for NetBSD integration (mostly prototyping and 1292compiler warning things) 1293 1294ipf -y will resync IP#'s allocated with 0/32 in NAT to match interface if it 1295changes. 1296 1297update manual pages and other documentation updates. 1298 12993.2beta4 27/8/97 - Released 1300 1301enable setting IP and TCP options for iplang/ 1302 1303Solaris2 patches from Marc Boucher. 1304 1305add groups for filter rules. 1306 13073.2beta3 21/8/97 - Released 1308 1309patches for Solaris2 (interface panic solution ?): fix FIONREAD and 1310replacing q_qinfo points - Marc Boucher <marc@CAM.ORG> 1311 1312change ipsend/* and ipsd/* copyright notices to be the same as ip filter's 1313 1314patch for SYN-ACK skew testing fix from Eric V. Smith <EricSmith@windsor.com> 1315 13163.2beta2 6/8/97 - Released 1317 1318make it load on Solaris 2.3 1319 1320rewrote logging to remove solaris errors, introduced checking to see if the 1321same packet is logged successively. 1322 1323fix filter cache to work when there are no rules loaded. 1324 1325add "raw" option to ipresend to send entire ethernet frames. 1326 1327nat list corruption bug - NetBSD - Klaus Klein 1328 13293.2beta1 5/7/97 - Released 1330 1331patches from Jason Thorpe fixing: UNSIGNED_CHAR lossage, off_t being 64bits 1332lossage, and other NetBSD bits. 1333 1334NetBSD 1.2G update. 1335 1336fixup fwtk patches and add protocol field for SIOCGNATL. 
1337 1338rdr bugs reported by Alexander Romanyu (alexr@aix.krid.crimea.ua), with 1339fixes: 1340* rdr matched all packets of a given protocol (ignored ports). 1341* severe bug in nat_delete which caused system crash/freeze. 1342 1343change Makefile so that CC isn't passed on for FreeBSD/NetBSD (will use 1344the default CC - cc, not gcc) 1345 13463.2alpha9 16/6/97 - Released 1347 1348added "skip" keyword. 1349 1350implement preauthentication of packets, as outlined by Guido. 1351 1352Make it compile as cleanly as possible with -Wall & general code cleanup 1353 1354getopt returns int, not char. Bernd Ernesti 1355 13563.2alpha8 13/6/97 - Released 1357 1358code added to support "auth" rules which require a user program to allow them 1359through. First revision and much of the code came from Guido. 1360 1361hex output from ipmon doesn't goto syslog when recovering from out of sync 1362error. Luke Mewburn (lukem@connect.com.au) 1363 1364fix solaris2.6 lookup of destination ire's. 1365 1366ipnat doesn't throw away unused bits (after masking), causing it to 1367behave incorrectly. Carson Gaspar 1368 1369NAT code doesn't include inteface name when matching - Alexey Mavrin 1370<lha@elco.spb.ru> 1371 1372replace old SunOS tcpip.h with new tcpip.h (from 4.4BSD) - Jason Thorpe. 1373 1374update install procedures to include ip_proxy.c 1375 1376mask out unused bits in NAT/RDR rules. 1377 1378use a generic type (u_32_t) for 32bit variables, rather than rely on 1379u_long being such - Jason Thorpe. 1380 1381create a local "netinet" directory and include from ~netinet/*" rather than 1382just "*" to make keeping the code working on ports easier. 1383 1384add an m_copydata and m_copyback for SunOS4 (based on 4.4BSD-Lite versions) 1385 1386documentation updates. 1387 1388NetBSD update from Jason Thorpe <thorpej@netbsd.org> 1389 1390allow RST's through with a matching SEQ # and 0 ACK. 
Guido Van Rooij 1391 1392ipmon uses excessive amounts of CPU on Solaris2 - Reinhard Bertram 1393<Reinhard.Bertram@KOM.th-darmstadt.de> 1394 13953.2alpha7 25/5/97 - Released 1396 1397add strlen for pre-2.2 kernels - Doug Kite <dkite@websgi.icomnet.com> 1398 1399setup bits and pieces for compiling into a FreeBSD-2.2 kernel. 1400 1401split up "bsd" targets. Now a separate netbsd/freebsd/bsd target. 1402mln_ipl.c has been split up into itself and mlf_ipl.c (for freebsd). 1403 1404fix (negative) host matching in filtering. 1405 1406add sysctl interface for some variables when compiled into FreeBSD-2.2 kernels 1407or later. 1408 1409make all the candidates for kernel compiling include "netinet/..." and build 1410a subdirectory "netinet" when compiling and symlink all .h files into this. 1411 1412add install make target to Makefile.ipsend 1413 14143.2alpha6 8/5/97 - Released 1415 1416Add "!" (not) to hostname/ip matching. 1417 1418Automatically add packet info to the fragment cache if it is a fragment 1419and we're translating addreses for. 1420 1421Automatically add packet info to the fragment cache if it is a fragment 1422and we're "keeping state" for the packet. 1423 1424Solaris2 patches - Anthony Baxter (arb@connect.com.au) 1425 1426change install procedure for FreeBSD 2.2 to allow building to a kernel 1427which is different to the running kernel. 1428 1429add FIONREAD for Solaris2! 1430 1431when expiring NAT table entries, if we would set a time to fr_tcpclosed 1432(which is 1), make it fr_tcplaskack(20) so that the state tables have a 1433chance to clear up. 1434 14353.2alpha5 1436 1437add proxying skeleton support and sample ftp transparent proxy code. 1438 1439add printfs at startup to tell user what is happening. 1440 1441add packets & bytes for EXPIRE NAT log records. 1442 1443fix the "install-bsd" target in the root Makefile. Chris Williams 1444<psion@mv.mv.com> 1445 1446Fixes for FreeBSD 2.2 (and later revs) to prevent panics. Julian Assange. 
1447 14483.2alpha4 2/4/97 - Released 1449 1450Some compiler warnings cleaned up. 1451 1452FreeBSD-2.2 patches for LKM completed. 1453 14543.2alpha3 31/3/97 - Released 1455 1456ipmon changes: -N for reading NAT logfile, -S for reading state logfile. 1457-a for reading all. -n now toggles hostname resolution. 1458 1459Add logging of new state entries and expiration of old state entries. 1460count log successes and failures. 1461 1462Add logging of new NAT entries and expiration of old NAT entries. 1463count log successes and failures. 1464 1465Use u_quad_t for records of bytes & packets where kept 1466(IP Accounting: fr_hits, fr_bytes; IP state: is_pkts, is_bytes). 1467 1468Fixup use of CPU and DCPU in Makefiles. 1469 1470Fix broken 0/32 NAT mapping. Carl Makin <cmakin@nla.gov.au> 1471 14723.2alpha2 1473 1474Implement mapping to 0/32 as being an alias for automatically using the 1475interface's first IP address. 1476 1477Implement separate minor devices for both NAT and IP state code. 1478 1479Fully prototype all functions. 1480 1481Fix Makefile problem due to attempt to fix Sun compiling problems. 1482 14833.1.10 23/3/97 - Released 1484 1485ipfstat -a requires a -i or -o command line option too. Print an error 1486when not present rather than attempt to do something. 1487 1488patch updates for SunOS4 for kernel compiling. 1489patch for ipmon -s (flush's syslog file which isn't good). Andrew J. Schorr 1490<schorr@ead.dsa.com> 1491 1492too many people hit their heads hard when compiling code into the kernel 1493that doesn't let any packets through. (fil.c - IPF_NOMATCH) 1494 1495icmp-type parsing doesn't return any errors when it isn't constructed 1496correctly. Neil Readwin 1497 1498Using "-conf" with modload on SunOS4 doesn't work. 1499Timothy Demarest <demarest@arraycomm.com> 1500 1501Need to define ARCH in makefile for SunOS4 building. "make sunos4" 1502in INSTALL.SunOS is incorrect. 
James R Grinter <jrg@blodwen.demon.co.uk> 1503[all SunOS targets now run buildsunos] 1504 1505NAT lookups are still incorrect, matching non-TCP/UDP with TCP/UDP 1506information. ArkanoiD <ark@paranoid.convey.ru> 1507 1508Need to check for __FreeBSD_version being 199511 rather than 199607 1509in mln_ipl.c. Eric Feillant <Eric.Feillant@EUnet.fr> 1510 15113.1.9 8/3/97 - Released 1512 1513fixed incorrect lookup of active NAT entries. 1514 1515patch for ip_deq() wrong for pre 2.1.6 FreeBSD. 1516fyeung@fyeung8.netific.com (Francis Yeung) 1517 1518check for out with return-rst/return-icmp at wrong place - Erkki Ritoniemi 1519(erkki@vlsi.fi) 1520 1521text_readip returns the interface pointer pointing to text on stack - 1522Neil Readwin 1523 1524fix from Pradeep Krishnan for printout rules "with not opt sec". 1525 15263.1.8 18/2/97 - Released 1527 1528Diffs for ip_output.c and ip_input.c updated to fix bug with fastroute and 1529compiling warnings about reuse of m0. 1530 1531prevent use of return-rst and return-icmp with rules blocking packets going 1532out, preventing panics in certain situations. 1533 1534loop forms in frag cache table - Yury Pshenychny <yura@rd.zgik.zaporizhzhe.ua> 1535 1536should use SPLNET/SPLX around expire routines in NAT/frag/state code. 1537 1538redeclared malloc in 44arp.c - 1539 15403.1.7 8/2/97 - Released 1541 1542Macros used for ntohs/htons supplied with gcc don't always work very well 1543when the assignment is the same variable being converted. 1544 1545Filter matching doesn't not match rule which checks tcp flags on packets 1546which are fragments - David Wilson 1547 15483.1.7beta 30/1/97 - Released 1549 1550Fix up NAT bugs introduced in last major change (now tested), including 1551nat_delete(), nat_lookupredir(), checksum changes, etc. 1552 15533.1.7alpha 30/1/97 - Released 1554 1555Many changes to NAT code, including contributions from Laurent Joncheray 1556<lpj@ans.net> 1557 1558Use "NO_SLEEP" when allocating memory under SunOS. 
1559 1560Make kernel printf's nicer for BSD/SunOS4 1561 1562Always do a checksum for packets being filtered going out and being 1563processed by fastroute. 1564 1565Leave kernel to play with cdevsw on *BSD systems with LKM's. 1566 1567ipnat.1 man page fixes. 1568 15693.1.6 21/1/97 - Released 1570 1571Allow NAT to work on BSD systems in conjunction with "pass .. to ifname" 1572 1573Memory leak introduced in 3.1.3 in NAT lists, clearing of NAT table tried 1574to free memory twice. 1575 1576NAT recalculates IP header checksum based on difference between IP#'s and 1577port numbers - should be just IP#'s (Solaris2 only) 1578 15793.1.5 13/1/97 - Released 1580 1581fixed setting of NAT timeouts and use different timeouts for concurrent 1582TCP sessions using the same IP# mapping (when port mapping isn't used) 1583 1584multiple loading/unloading of LKM's doesn't clean up cdevsw properly for 1585*BSD systems. 1586 15873.1.4 10/1/97 - Released 1588 1589add command line options -C and -F to ipnat to flush NAT list and table 1590 1591ipnat -l loops on output - Neil Readwin (nreadwin@nysales.micrognosis.com) 1592 1593NetBSD/FreeBSD kernel malloc changes - Daniel Carosone 1594 15953.1.3 10/1/97 - Released 1596 1597NAT chains not constructed correctly in hash tables - Antony Y.R Lu 1598(antony@hawk.ee.ncku.edu.tw) 1599 1600Updated INSTALL.NetBSD, INSTALL.FreeBSD and INSTALL.Sol2 1601 1602man page update (ipf.5) from Daniel Carosone (dan@geek.com.au) 1603 1604ICMP header checksum update now included in NAT. 1605 1606Solaris2 needs to modify IP header checksums in ip_natin and ip_natout. 1607 16083.1.2 4/12/96 - Released 1609 1610ipmon doesn't use syslog all the time when given -s option 1611 1612fixed mclput panic in ip_input.c and replace ntohs() with NTOHS() macro 1613 1614check the results of hostname resolution in ipnat 1615 1616"make *install" fixed for subdirectories. 
1617 1618problems with "ARCH:=" and gnu make resolved 1619 1620parser reports an error for lines with whitespaces only rather than skipping 1621them. D.Carosone@abm.com.au (Daniel Carosone) 1622 1623patches for integration into NetBSD-current (post 1.2). 1624 1625add an option to allow non-IP packets going up/down the stream on Solaris2 1626to be dropped. John Bass. 1627 16283.1.2beta 21/11/96 - Released 1629 1630make ipsend compile on Linux 2.0.24 1631 1632changes to TCP kept state algorithm, making it watch state on TCP 1633connections in both directions. Also use the same algorithm for NAT TCP. 1634 1635-Wall cleanup - Bernd Ernesti 1636 1637added "or-block" for "pass .. log or-block" after a suggestion from 1638David Oppenheim (davido@optimation.com.au) 1639 1640added subdirectories for building IP Filter in SunOS5/BSD for different 1641cpu architecures 1642 1643Solaris2 fixes to logging and pre-filtering packet processing - 3.1.1p2 1644 1645mbuf logging not using mtod(), remove iplbusy - 3.1.1p1 1/11/96 1646 16473.1.1 28/10/96 - Released 1648 1649Installation script fixes and deinstall scripts for IP Filter on: 1650SunOS4/FreeBSD/NetBSD 1651 1652Man page fixes - Paul Dubois (dubois@primate.wisc.edu) 1653 1654Fix use of SOLARIS macro in ipmon, rewrote ipllog() (again!) 1655 1656parsing isn't completely case insensitive - David Wilson 1657(davidw@optimation.com.au) 1658 1659Release ipl_mutex across uiomove() calls 1660 1661print entire rule entries out for "ipf -z" when zero'ing per-rule stats. 1662 1663ipfstat returns same output for "hits" in "ipfstat -aio" - Terletsky Slavik 1664(ts@polynet.lviv.ua) 1665 1666New algorithm for setting timeouts for TCP connection (more closely follow 1667TCP FSM) - Pradeep Krishnan (pkrishna@netcom.com) 1668 1669Track both window sizes for TCP connections through "keep state". 
1670 1671Solaris2 doesn't like _KERNEL defined in stdargs.h - Jos van Wezel 1672(wezel@bio.vu.nl) 1673 16743.1.1-beta2 6/10/96 - Released 1675 1676Solaris2 fastroute/dup-to/to now works 1677 1678ipmon `record' reading rewritten 1679 1680Added post-NetBSD1.2 packet filter patches - Mathew Green (mrg@eterna.com.au) 1681 1682Attempt to use in_proto.c.diff, not "..diffs" for SunOS4 - David Wilson 1683(davidw@optimation.com.au) 1684 1685Michael Ryan (mike@NetworX.ie) reports the following: 1686* The Trumpet WinSock under Windows always sends its SYN packet with an ACK 1687 value of 1, unlike any other implementation I've seen, which would set it 1688 to zero. The "keep state" feature of IP Filter doesn't work when receiving 1689 non-zero ACK values on new connection requests. 1690* */Makefile install rule doesn't install all the binaries/man pages 1691* Make ipnat use "tcp/udp" instead of "tcpudp" 1692* Print out "tcp/udp" properly 1693* ipnat "portmap tcp" matches "portmap udp" when adding/removing 1694* NAT dest. ip# increased by one on mask of 0xffffffff when it shouldn't 1695 16963.1.1-beta 1/9/96 - Released 1697 1698add better detection of TCP connections closing to TCP state monitoring. 1699 1700fr_addstate() not called correctly for fragments. 
"keep state" and 1701"keep frag" code don't work together 100% - Songqing Cai 1702(songqing_cai@sterling.com) 1703 1704call to fr_addstate() incorrect for adding state in combination with keeping 1705fragment information - Songqing Cai (songqing_cai@sterling.com) 1706 1707KFREE() passed fp (incorrect) and not fr (correct) in ip_frag.c - John Hood 1708(cgull@smoke.marlboro.vt.us) 1709 1710make ipf parser recognise '\\' as a `continued line' marker - Dima Ruban 1711(dima@best.net) 1712 17133.1.1-alpha 23/8/96 - Released 1714 1715kernel panic's when ICMP packets go through NAT code 1716 1717stats aren't zero'd properly with ipf -Z 1718 1719ipnat doesn't show port numbers correctly all the time and also add the 1720protocol (tcp/udp/tcpudp) to rdr output - Carson Gaspar (carson@lehman.com) 1721 1722fast checksum fixing not 100% - backout patch - Bill Dorsey (dorsey@lila.com) 1723 1724NetBSD-1.2 patches from - VaX#n8 <vax@linkdead.paranoia.com> 1725 1726Usage() call error in fils.c - Ajay Shekhawat (ajay@cedar.buffalo.edu) 1727 1728ip_optcopy() staticly defined in ip_output.c in SunOS4 - Nick Hall 1729(nrh@tardis.ed.ac.uk) 1730 17313.1.0 7/7/96 - Released 1732 1733Reformatted ipnat output to be compatible with it's input, so that 1734"ipnat -l | ipnat -rf -" is possible. 1735 17363.1.0beta 30/6/96 - Released 1737 1738NetBSD-1.2 patches from Greg Woods (woods@most.weird.com) 1739 1740kernel module must not be installed stripped (Solaris2), as created by 1741"make package" for Solaris2 - Peter Heimann 1742(peter@i3.informatik.rwth-aachen.de) 1743 17443.1.0alpha 5/6/96 - Released 1745 1746include examples in package for solaris2 1747 1748patches for removing an extra ip header checksum (FreeBSD/NetBSD/SunOS) 1749 1750removed trailing space from printouts of rules in ipf. 1751 1752ipresend supports the same range of inputs that ipftest does. 1753 1754sending a duplicate copy of a packet to another network devices is now 1755supported. 
("dup-to") 1756 1757sending a packet to an arbitary interface is now supported, irrespective 1758of its actual route, with no ttl decrement. Can also be routed without 1759the ttl being decremented. ("to" and "fastroute"). 1760 1761"call" option added to support calling a generic function if a packet is 1762matched. 1763 1764show all (upto 4) recorded bytes from the interface name in logging from 1765ipmon. 1766 1767support for using unix file permissions for read/write access on the device 1768is now in place. 1769 1770recursive mutex in nat_new() for Solaris 2.x - Per L. Hagen <per@stibo.dk> 1771 1772ipftest doesn't call initparse() for THISHOST - Catherine Allen 1773(cla@connect.com.au) 1774 1775Man page corrections from Rex Bona (rex@pengo.comsmiths.com.au) 1776 17773.0.4 10/4/96 - Released 1778 1779looop in `parsing' IP packets with optlen 0 for ip options. 1780 1781rule number not initialized and resulted in unexpected results for state 1782maching. 1783 1784option parsing and printing bugs - Pradeep Krishnan 1785 17863.0.4beta 25/3/96 - Released 1787 1788wouldn't parse "keep flags keep state" correctly. 1789 1790SunOS4.1.x ip_input.c doesn't recognise all 1s broadcast address - Nigel Verdon 1791 1792patches for BSDI's BSD/OS 2.1 and libpcap reader on little endian systems 1793from Thorsten Lockert <tholo@tetherless.com> 1794 1795b* functions in fil.c on Solaris 2.4 1796 17973.0.3 17/3/96 - Released 1798 1799added patches to support IP Filter initialisation when compiled into the 1800kernel. 1801 1802added -x option to ipmon to display hex dumps of logged packets. 1803 1804added -H option to ipftest to allow ascii-hex formatted input to specify 1805arbitary IP packets. 1806 1807Sending TCP RSTs as a response now work for Solaris2 x86 1808 1809add patches to make IP Filter compile into NetBSD kernels properly. 1810 1811patch to stop SunOS 4.1.x kernels panicing with "data traps". 
1812 1813ipfboot script unloads and reloads ipf module on Solaris2 if it is already 1814loaded into the kernel. 1815 1816Installation of IP Filter as a Solaris2 package is now supported. 1817 1818Man pages for ipnat.4, ipnat.5 added. 1819 1820added some more regression tests and fixed up IP Filter to pass the new tests 1821(previous versions failed some of the tests in set 12). 1822 1823IP option filter processing has changed so that saying "with opt lsrr" will 1824check only for that one, but not mask out other options, so a packet with 1825strict source routing, along with loose source routing will match all of 1826"with opt lsrr", "with opt ssrr" and "with opt lsrr,ssrr". 1827 1828IPL_NAME needed in ipnat.c - Kelly (kelly@count04.mry.scruznet.com) 1829 1830patches for clean NetBSD compilation from Bernd Ernesti (bernd@arresum.inka.de) 1831 1832make install is incorrect - Julian Briggs (julian@lightwork.co.uk) 1833 1834strtol() returns 0x7fffffff for all negative numbers, 1835printfr() generates incorrect output for "opt sec-class *", 1836handling of "not opt xxx opt yyy" incorrect. 1837- Minh Tonthat (minht@sbei.com)/Pradeep Krishnan (pradeepk@sbei.com) 1838 1839m_pullup() called only for input and not output; caused problems 1840with filtering icmp - Nigel Verdon (verdenn@gb.swissbank.com) 1841 1842parsing problem for "port 1" and NetBSD patches incorrect - 1843Andreas Gustafsson (gson@guava.araneus.fi) 1844 18453.0.2 4/2/96 - Released 1846 1847Corrected bug where NAT recalculates checksums for fragments. 1848 1849make NAT recalculate UDP checksums (rather than setting them to 0), 1850if they're non-zero. 
1851 1852DNS patches - Real Page (Real.Page@Matrox.com) 1853 1854alteration of checksum recalculations in NAT code and addition of 1855redirection with NAT - Mike Neuman 1856 1857core dump, if tcp/udp is used with a port number and not service name, 1858in ipf - Mike Neuman (mcn@engarde.com) 1859 1860initparse() call, missing to prime "<thishost>" hook - Craig Bishop 1861 18623.0.1 14/1/96 - Released 1863 1864miscellaneous patches for Solaris2 1865 18663.0 14/1/96 - Released 1867 1868Patch included for FDDI, from Richard Ohnemus 1869(Richard_Ohnemus@dallas.csd.sterling.com) 1870 1871Code cleanup for release. 1872 18733.0beta4 10/1/96 1874 1875recursive mutex in ipfr_slowtimer fixed, reported by Craig Bishop 1876 1877recursive mutex in sending TCP RSTs fixed, reported by Tony Becker 1878 18793.0beta3 9/1/96 1880 1881FIxup for Solaris2.5 install and interface name bug in ipftest from 1882Julian Briggs (julian@lightwork.co.uk) 1883 1884Byte order patches for ipmon from Tony Becker (tony@mcrsys.com) 1885 18863.0beta2 7/1/96 1887 1888Added the (somewhat warped) IP accounting as it exists in ipfw on FreeBSD. 1889Note, this isn't really what one would call IP account, when compared to 1890process accounting, sigh. 1891 1892Split up ipresend into iptest/ipresend/ipsend 1893 1894Added another m_pullup() inside fr_check() for BSD style kernels and 1895added some checks to ipllog() to not log more than is present (for short 1896packets). 1897 1898Fixed bug where failed hostname/netname resolution goes undetecte and 1899becomes 0.0.0.0 (any) (reported Guido van Rooij) 1900 19013.0beta 11/11/95 - Released 1902 1903Rewrote the way rule testing is done, reducing the number of files needed and 1904generated. 
1905 1906SIOCIPFFL was incorrectly affected by IPFILTER_LOG (Mathew Green) 1907 1908Patches from Guido van Rooij to fix sending back TCP RSTs on Net-2/Net-3 1909BSD based Unixes (panic'd) 1910 1911Patches for FreeBSD/i86 ipmon from Riku Kalinen <riku@tequila.nixu.fi> 1912(I think someone else already told me about these but they got lost :-/) 1913 1914Changed Makefile structure to build object files for different operating 1915systems in separate directories by default. 1916 1917BSDI has ef0 for first ethernet interface 1918 1919Allow for a "not" operator before optional keywords. 1920 1921The "rule number" was being incorrectly incremented every time it went through 1922the loop rather than when it matched a rule. 1923 19242.8.2 24/10/95 - Released 1925 1926Fixed up problems with "textip" for doing lots of testing. 1927 1928Fixed bug in detection of "short" tcp/ip packets (all reported as being short). 1929 1930Solaris 2.4 port now works 100%. 1931 1932Man page errors reported and fixed. 1933 1934Removed duplicate entry in etc/services for login on port 49 (Craig Bishop). 1935 1936Fixed ipmon output to put a space after the log-letter. 1937 1938Patch from Guido van Rooij to fix parsing problem. 1939 19402.8.1 15/10/95 - Released 1941 1942Added ttl and tos filtering. 1943 1944Patches for fixing up compilation and port problems (little endian) 1945from Guido van Rooij <guido@IAEhv.nl>. 1946 1947Man page problems reported and fixed by Carson Gaspar <carson@lehman.com>. 1948 1949ipsend doesn't compile properly on Solaris2.4 1950 1951Lots of work done for Solaris2.4 to make it MT/MP safe and work. 1952 19532.8 15/9/95 - Released 1954 1955ipmon can now send messages to syslogd (-s) and use names instead of 1956numbers (-N). 1957 1958IP packets are now "compiled" into a structure only containing filterable 1959bits. 1960 1961Added regression testing in the test/ subdirectory, using a new option 1962(-b) with the ipftest program. 
1963 1964Added "nomatch" return to filter results. These are counted and show 1965up in reports from ipfstat. 1966 1967Moved filter code out of ip_fil.c and into fil.c - there is now only one 1968instance of it in the package. 1969 1970Added Solaris 2.4 support. 1971 1972Added IPSO basic security option filtering. 1973 1974Added name support for filtering on all 19 named IP options. 1975 1976Patches from Ivan Brawley to log packet contents as well as packet headers. 1977 1978Update for sun/conf.c.diff from Ivan Brawley <ibrawley@awadi.com.AU> 1979 1980Added patches for FreeBSD 1, and added two new switches (-E, -D) to ipf, 1981along with a new ioctl, SIOCFRENB. 1982From: Dieter Dworkin Muller <dworkin@village.org> 1983 19842.7.3 31/7.95 - Released 1985 1986Didn't compile cleanly without IPFILTER_LOG defined (Mathew Green). 1987 1988ipftest now deals with tcpdump3 binary output files (from libpcap) with -P. 1989 1990Brought ipftest program upto date with actual filter code. 1991 1992Filter would cause a match to occur when it wasn't meant to if the packet 1993had short headers and was missing portions that should have been there. 1994Err, it would rightly not match on them, but their absence caused a match 1995when it shouldn't have been. 1996 19972.7.2 26/7/95 - Released 1998 1999Problem with filtering just SYN flagged packets reported by 2000Dieter Dworkin Muller <dworkin@village.org>. To solve this 2001problem, added support for masking TCP flags for comparison "flags X/Y". 2002 20032.7.1 9/7/95 - Released 2004 2005Added ip_dirbroadcast support for Sun ip_input.c 2006 2007Fixed up the install scripts for FreeBSD/NetBSD to recognise where they are 2008better. 2009 20102.7 7/7/95 - Released 2011 2012Added "return-rst" to return TCP RST's to TCP packets. 2013 2014Actually ported it to FreeBSD-i386 2.0.0, so it works there properly now. 2015 2016Added insertion of filter rules. Use "@<#>" at the beginning of a filter 2017to insert a rule at row #. 

Filter keeps track of how many times each rule is matched.

Changed compile time things to match kernel option (IPFILTER_LKM &
IPFILTER_LOG).

Updated ip_input.c and ip_output.c with patches for 3.5 Multicast IP.
(No change required for 3.6)

Now includes TCP fragments which start inside the TCP header as being short.
Added counting the number of times each rule is matched.


2.6 11/5/95 - Released

Added -n option to ipf: when supplied, no changes are made to the kernel.

Added installation scripts for SunOS 4.1.x and NetBSD/FreeBSD/BSDI.

Rewrote filtering to use a more generic mask & match procedure for
checking if a packet matches a rule.

2.5.2 27/4/95 - Released

"tcp/udp" and a non-initialised pointer caused the "proto" to become
a `random' value; added "ip#/dotted.mask" notation to the BNF.
From Adam W. Feigin <feigin@iis.ee.ethz.ch>

2.5.1 22/3/95 - Released

"tcp/udp" had a strange effect (undesired) on getserv*() functions,
causing protocol/service lookups to fail. Reported by Matthew Green.

2.5 17/3/95 - Released

Added a new keyword "all" to BNF and parsing of tcpdump/etherfind/snoop
output through the ipftest program. Suggestions from:
Michael Ciavarella (mikec@phyto.apana.org.au)

Conflicts occur when "general" filter rules are used for ports and the
lack of a "proto" when used with "port" matches other packets when only
TCP/UDP are implied.
Reported by Matthew Green (mrg@fulcom.com.au);
reported & fixed 6-8/3/95

Added filtering of short TCP packets using "with short" 28/2/95
(These can possibly slip by checks for the various flags). Short UDP
or ICMP are dropped to the floor and logged.

Added filtering of fragmented packets using "with frag" 24/2/95

Port to NetBSD-current completed 20/2/95, using LKM.

Added logging of the rule # which caused the logging to happen and the
interface on which the packet is currently as suggested by
Andreas Greulich (greulich@math-stat.unibe.ch) 10/2/95

2.4 9/2/95 - Released
Fixed saving of IP headers in ICMP packets.

2.3 29/1/95
Added ipf -F [in|out|all] to flush filter rule sets (SIOCIPFFL).
Fixed iplread() and iplsave() with help from Marc Huber.

2.2 7/1/95 - Released
Added code from Marc Huber <huber@fzi.de> to allow it to allocate
its own major char number dynamically when modload'ing. Fixed up
use of <, >, <=, >= and >< for ports.

2.1 21/12/94 - Released
repackaged to include the correct ip_output.c and ip_input.c *goof*

2.0 18/12/94 - Released
added code to check for port ranges - complete.
rewrote to work as a loadable kernel module - complete.

1.1
added code for output filtering as well as input filtering and added support for logging to a simple character device of packet headers.

1.0 22/04/93 - Released
First release cut.