#
# NOTE: Quite a few patches and suggestions come from other sources, to whom
# I'm greatly indebted, even if no names are mentioned.
#
# Thanks to the Coombs Computing Unit at the ANU for their continued support
# in providing a very available location for the IP Filter home page and
# distribution center.
#
# Thanks also to all those who have contributed patches and other code,
# and especially those who have found the time to port IP Filter to new
# platforms.
#
4.1.28 - Released 16 October 2007

backout changes (B1) & (B2) as they've caused NAT entries to persist for
too long and possibly other side effects.

Still need to compile in our own radix.c for Solaris as the one in S10U4
has a different alignment of structure members (causes panic)

keep state doesn't work with multicast/broadcast packets (makes UPnP easier)

ippool -l may only list every 2nd pool's contents

4.1.27 - Released 29 September 2007

SunOS5/replace script does not deal with i386 systems that have the
i86/amd64 directory pair.

make BSD/kupgrade try to build ip_rules.[ch] before complaining

Need to look for ipl.ko LKM on FreeBSD, not just ipf.ko

Cleanup SunOS5 Makefile pieces, removing CPU, sunos5x86; buildsunos needs
to drive 32bit cc builds differently for sparc/i386 now.

Update instructions for rebuilding FreeBSD kernels

Make the target "freebsd" work for building ipfilter

destroying NAT entries for blocked packets can lead to NAT table entry leak,
provide a counter of orphan'd NAT entries to track this problem.

4.1.26 - Released 24 September 2007

Fix build problem for Solaris prior to S10U4

4.1.25 - Released 20 September 2007

stepping through structures with ioctls can lead to the wrong things
being free'd and panics

if a NAT entry (such as an rdr) is created but the packet ends up being
blocked, tear down the NAT entry.

fix fragment cache preventing keep state from functioning

fix handling of \ to indicate a continued line in .conf files

include port ranges in the allowed input for ipf when using "port = ()"

only advance TCP state for packets on the leading edge of the window. (B1)

using ipnat -l can lead to memory corruption in high stress situations

track TCP sequence numbers with NAT so that it can do timeout advances
correctly inline with state

ICMP checksums for some redirect'd packets are not adjusted correctly.

IPv6 address components need to be explicitly cast to a 32bit pointer
boundary so that compilers don't try to access them as two 64bit
pieces (no guarantee is made that an IPv6 address is on a 64bit
aligned address)

filling up the ipauth packet queue can lead to no more packets being
processed.

locking used to deref a nat entry causes a significant performance hit

m_pulldown isn't properly handled, leading to possible panics with ICMPv6
packets

IPv6 fragment handling doesn't allow for "keep frag" to work

build on Solaris10 Update4 with pfhooks in the kernel

logging of IPv6 packets with extension headers fix - Miroslaw Luc

4.1.24 - Released 8 July 2007

patch from Stuart Remphrey to address recursive mutex lock with TCP state

add hash table bucket stats display to ipnat -s

give ASSERT some teeth for user compiles

initialising ipf_global, ipf_frcache, ipf_mutex should all be done very
early on

do some caddr_t cleanup, where possible

fr_ref no longer tracks the number of children rules in a group for head rules

make sure all BCOPY* have a value assigned to something

fix possible use of icmp pointer after pullup makes it invalid

resolve compile problems related to FreeBSD tree

4.1.23 - Released 31 May 2007

NAT was not always correctly fixing ICMP headers for errors

some TCP state steps when closing do not update timeouts, leading to
them being removed prematurely. (B2)

fix compilation problems for netbsd 4.99

protect enumeration of lists in the kernel from callout interrupts on
BSD without locking

fix various problems with IPv6 header checks: TCP/UDP checksum validation
was not being done, fragmentation header parsed dangerously and routing
header prevented others from being seen

fix gcc 4.2 compiler warnings

fix TCP/UDP checksum calculation for IPv6

fix reference after free'ing ipftoken memory

4.1.22 - Released 13 May 2007

fix endless loop when flushing state/NAT by idle time

4.1.21 - Released 12 May 2007

show the number of states created against a rule with "-v" for ipfstat

fix build problems with FreeBSD

make it possible to flush the state table by idle time and TCP state

fix flushing out idle connections when state/NAT tables fill

print out the TCP state population with ipfstat/ipnat

stop creation of state table orphans via return-*/fastroute

fix printing out of rule groups - they now only appear once

4.1.20 - Released 30 April 2007

adjust TCP state numbers, making 11 closed (was 0) to better facilitate
detecting closing connections that we can wipe out when a SYN arrives
that matches the old

make it compile on Solaris10 Update3

structures used for ipf command ioctls weren't being freed in timeout
fashion on Solaris

use NL_EXPIRE, not ISL_EXPIRE, for expiring NAT sessions

adjust TCP timeout values and introduce a time-wait specific timeout
to get a better TCP FSM emulation and one that can hopefully do a better
job of cleaning up in a speedy fashion than previous

refactor the automatic flushing of TCP state entries when we fill up,
but use the same algorithm as before but now it hopefully works

only 2 out of 4 interface names were being changed by ipfs when
interface renaming was being used for state entries

add ipf_proxy_debug to ipf -T

matching of last fragments that had a number of bytes that wasn't a
multiple of 8 failed

some combinations of TCP flags that are considered bad aren't picked up as
such, but these may be possible with T/TCP

4.1.19 - Released 22 February 2007

Fix up compilation problems with NetBSD and Solaris.

4.1.18 - Released 18 February 2007

fix compiling on Tru64

fix listing out filter rules with ipfstat (delete token at end of
the list and detect zero rule being returned.)

fix extended flushing of NAT tables (was clearing out state tables)

fix null-pointer deref in hash table lookup

fix NAT and stateful filtering with to/reply-to on destination interface

4.1.17 - Released 20 January 2007

make flushing pools that are still in use mark them for deletion and
have attempting to recreate them clear the delete flag

walking through the NAT tables with ioctls caused lock recursion

fix tracking TCP window scaling in the state code

4.1.16 - Released 20 December 2006

allow rdr rules to only differ on the new port number

when creating state entry orphans, leave them on the linked list but not
attached to the hash table and mark them visible as orphans in "ipfstat -sl"

log state removed when unloading differently to allow visible cues

return ipf ticks via SIOCGETGS for /dev/ipnat so "ipnat -l" can display ttl

abort logging a packet if the mbuf pointer is null when ipflog is called

Some NetBSD's have a selinfo.h instead of select.h

SIOCIPFFL was using copyoutptr and should have been using bcopy for /dev/ipauth

listing accounting rules using ioctl interface wasn't possible

fix leakage of state entries due to packets not matching up with NAT

improve ICMP error packet matching with state/NAT

fix problems with parsing and printing "-" as an interface name in ipnat.conf

4.1.15 - Released 03 November 2006

Add in automatic flushing of NAT, like state, table if it fills up too much

Update comments in the code for NAT checksum adjustments

Fix compiling on FreeBSD 5.4 and 6.0

prevent panics from read/write IOs trying to use uninitialised structures

Newer NetBSD should use malloc() instead of MALLOC() in the kernel where
the size is not statically defined

Some gcc warning message cleanup from NetBSD

Missing include for <sys/filio.h> on Solaris for poll work

NetBSD now uses opt_ipfilter.h, not opt_ipfilter_log.h

4.1.14 - Released 04 October 2006

rewrite checksum alteration for ICMP packets being NAT'd to use a sane
algorithm that can be understood...now it needs better comments

fix 1 byte error in checksum validation perl script

remove unused files in lib directory

ipftest will say "bad-packet" if it has been freed rather than just "blocked"

make it possible to load IP address pools from external files in ippool.conf

update copyright messages in tools directory

consolidate ioctl handling source code into fil.c

make ipfstat, ippool, ipnat retrieve information via ioctls rather than /dev/kmem

4.1.13 - Released 4 April 2006

fix bug where null pointers introduced by proxies could cause a crash

pass out the rule flags with SIOCAUTHW

force loading NAT rules with bad proxy labels to cause an error

nat_state is used unsafely in calls to fr_addstate

make return-rst and return-icmp* work with auth rules

4.1.12 - Released 28 March 2006

poll support on FreeBSD/NetBSD needs to use selrecord/selwakeup

make the fastroute code used by ipftest invoke state/NAT

move verbose/debug macros out of fil.c and into ip_fil.h (for wider use)

remove unused code in fr_fastroute

fix NAT with rules that specify forward and reverse interfaces

add missing ipfsync_canread() and ipfsync_canwrite()

behaviour of \ on the end of a line in ipf.conf does not match older behaviour

remove duplicate statistics line output with "ipfstat -s"

4.1.11 - Released 19 March 2006

Patch for NAT with ipfsync from N. Ersen (SESCI) - www.enderunix.org

NetBSD coverity report fixes (from run 5)

Possible to reacquire ipf_auth without releasing it in some circumstances

Locking in FreeBSD's iplioctl for ipf_global isn't present like it should be

Add poll support for platforms I can build on: NetBSD, FreeBSD, Solaris, Linux

Using auth rules to return "keep state" got broken with pushing fr_addstate
call into fr_firewall

all use of '!' in map/rdr rules to match use in ipf configs

add -L command line option to ipmon to set the default syslog facility

looking up a port number is more complex than needed in ipft_tx.c

allow lib/getport to work when neither tcp or udp are specified in a rule

remove some dead code from lib/addicmpc, lib/facpri.c, lib/icmpcode.c

program in some more cases where TCP packets fail an initial in-window
check but should be allowed to match

filter rule added with NAT/state handling of SIOCSTPUT doesn't properly
initialise all fields, making it possible to panic

simplify NAT ICMP error handling where it updates checksums

rename "min" variables to "xmin" on NetBSD to avoid problems with the
macro "min"

#ifdef's for NetBSD compile incorrect for pfil interface

support select/poll on NetBSD

copying out a packet with an auth rule fails (EFAULT) because the wrong
pointer is passed to copyoutptr

ip_len/ip_off were byte swapped twice instead of once for packets
going to be stored on the auth queue

change timeout queue manipulation functions to make fewer mutex calls

fix use of skip rules with groups

fix coding problems discovered by the coverity project for FreeBSD

update BPF program validation with FreeBSD changes

4.1.10 - Released 6 December 2005

Expand regression testing to cover more features

Add "coverage" build target for BSD

Fix building 64bit sparc target for Solaris

Add IPv6 mobility header to list of accepted keywords for V6 headers

Resolve locking problems on Solaris when sending RST/icmp packets

#ifdef's for IPFILTER_BPF need to check if words are defined before
using them in comparisons

Add checking for SACK permitted option in TCP SYN packets

Fix loading anonymous pools from inline rule configuration groups

Add -C command line option to ipftest

Include extra "const" from NetBSD

Don't require SIOCKSTLCK for SIOCSTPUT

Fix some use of "sticky" on NAT rules

Fix statistical counting of deleting state for TCP connections

Fix compile problems caused by changes to is_opt/is_optmsk in ip_sync.c

Fix TCP out-of-window (OOW) problems:
- window scaling turned off if one chose for its scale factor
- Microsoft Windows TCP sends the "next packet" to the right of the window
  when using SACK and filling in a hole

4.1.9 - Released 13 August 2005

make ipfilter fix IPv4 header checksums for outgoing packets if BRIDGE_IPF
is defined when compiled.

move the definition of SIOCPROXY from ip_nat.h to ip_proxy.h

make the BSD/upgrade script more instructive about the requirements for
ip_rules.[ch] when it is run

register for interface events on FreeBSD (>5.2.1) and NetBSD so that
"ipf -y" is not required to tell ipfilter about interface changes.

for "quick" rules that do "keep state", move the state adding into the rule
evaluation so that we can detect it failing as rules are evaluated and
continue on to the next rather than wait until we're done and it's too late
to recover for more rule processing.

mark ICMP packets advertising an MTU that's too small as being bad

rework ipv6 header parsing to get better code reuse and fix logic errors
in dealing with ipv6 packets containing fragment headers. Also, where a
protocol handler was doing both v4 & v6, make a separate function for each.

build for both amd64 and i86pc (32bit) on Solaris10 and later, if possible

include start of work to get IPFilter working on AIX 5.3

Use FI_ICMPERR flag rather than try to compute its equivalent all the time

Rework IPv6 extension header parsing to get better code reuse

Add missing timeout on Linux

Fix for locking when reading from ipsync (Frank Volf)

Fix insertion/appending of rules that use a collection number

Somehow turning up the spl knob to splnet disappeared on platforms that still
use the spl interface.

fix problems with "ipf -T" not listing multiple variables properly

4.1.8 - Released 29 March 2005

include patch from Phil Dibowitz for sorting ipfstat -t output by source or
destination port.

fix a bug in printing rules where interface names could not be printed,
even if they're in the rule structure.

fix BSD/kupgrade to correctly change ipfilter lkm Makefile for FreeBSD

add 2 new features to SIOCGNATL:
- if IPN_FINDFORWARD is set, check if the respective MAP is already
  present in the outbound table
- if IPN_IN is set, search for a matching MAP entry instead of RDR
  (Peter Potsma)

turn off function inlining for freebsd 5.3+

UDP doesn't pullup enough data which can sometimes cause a panic.
Fix other protocols, as required, where a similar problem may exist.

overhaul the timeout queue management, especially that for user defined queues
which are now only freed in an orderly manner.

4.1.7 - Released 13 March 2005

Using the GRE call field is almost impossible because it is unbalanced and
both call fields are not present in each v1 header.

Fix a problem where it was possible to load duplicate rules into ipf

patch from John Wehle to address problems with fastroute on solaris

Copying data out for ipf -z failed because it tried to copy out to an address
that is a kernel pointer in user space.

add "ip" timeout for both NAT & state that's for non-TCP/UDP/ICMP

synch up with NetBSD's changes

fix problems parsing long lines of text in the ftp proxy where they would not
be parsed properly and stop the session from working

enhance the PPTP proxy so that it tries to decode messages in the TCP stream
so it knows when to create and destroy the state/nat sessions for GRE. There
are also 4 new regression tests for it, testing map/rdr rules.

impose some limits on the size of data that can be moved with SIOCSTPUT in
the NAT code and also prevent a duplicate session entry from being created
using this method.

add a new flag (IPN_FINDFORWARD) to NAT code that can be used with SIOCGNATL
to check if it is possible to create an outgoing transparent NAT mapping to
complement the redirect being investigated.

Linux requires that the checksums in the IP header get adjusted

only resolve unknown interfaces in fr_stinsert, and nuke all interface pointers
in SIOCSTPUT to prevent bad data being loaded from userspace.

make the byte counting for state correct (was counting data from ICMP packet
twice)

print out the keyword "frag-body" if the flag is set.

fix ipfs loading/restoring NAT sessions

patch from Frank to correctly format IP addresses in ipfstat -t output

parsing port numbers in ipf/ipnat was confusing as the port number was returned
in an int that was also overloaded to be the success/failure. instead, change
the port using pass by reference and only use the return value for indicating
success or failure.

4.1.6 - Released 19 February 2005

add a new timeout number to NAT (fr_defnatipage) that is used for all
non-TCP/UDP/ICMP protocols - default 60 seconds.

buffer leak with bad nat - David Gueluy

fix memory leak with state entries created by proxies

eliminate copying too much data into a scan buffer

allow a trailing protocol name for map rules as well as rdr ones

fix bug in parsing of <= and > for NAT rules (two were crossed over)

FreeBSD's iplwrite hasn't kept pace with iplread's prototype

expand documentation on the karma of using "auto" in ipnat map rules

add matching on IP protocol to ipnat map rules

allow ippool definitions to contain no addresses to start with

Linux NAT needs to modify the IP header checksum as it gets called after it
has been computed by IP.

UDP was missing a pullup for packet header information before examining
the header

4.1.5 - Released 9 January 2005

all rules were being converted into "dup-to" rules in the kernel

fix two ftp proxy problems: 1st, buffer needs to be bigger for fitting in
complete RETR/CWD commands, 2nd is () use in 227 messages isn't copied
over correctly.

response to CWDs
revert ip_off back to network byte order in the ICMP error packet that
gets generated.

4.1.4 - Released 9 January 2005

force NAT rules to only match ipv4 NAT rules (which all are, currently,
by default)

include state synchronisation fixes from Frank Volf

make the maximum log size for internally buffered log entries accessible
via "ipf -T"

redesign start of fr_check() to avoid putting duplicate information in
ipfilter about how much data needs to be pulled up for a protocol to be
properly filtered.

tidy up sending ICMP error messages - some bad inputs could result in
data not being freed and/or no error returned.

make the maximum size of the log buffer run-time tunable

fix bug in parsing TCP header when looking for MSS option that could make
the system hang

change pool lookups that fail to find a match to return "no match"
rather than fail.

add run-time tunable debugging for proxy support code and FTP proxy.

fix state table updates for entries where the first packet was an ICMPv6
multicast message

fix hang when flushing state for v4/v6 and other (v6/v4) entries are present
too

attaching filtering to ipv6 pfil hook wasn't present for solaris

don't allow rules with "keep state" and "with oow"

move a bunch of userland only code from fil.c to ip_fil.c

make fr_coalesce() more resilient to bad input, just returning an error
instead of crashing, making calling it easier in many places

When m_pulldown doesn't return NULL, it doesn't necessarily return a pointer
to the same mbuf passed in as the first arg.

remove fr_unreach and use ENETUNREACH by default.

printing out of tag data in ipf rules doesn't match input syntax

ipftest(1) man page update

ipfs command line option parsing still rejects some valid syntaxes

SIGHUP handling by ipmon was not as safe as it could be

fix various parsing regressions, including "<thishost>", "tcpudp", ordering
of "keep" options

patches from Frank Volf: add udp_acktimeout to sysctl list for FreeBSD,
ICMP packet length not calculated correctly in send_icmp_err, reply-to
not printed by ipfstat, keep state with icmp passing (mtrr)

patches for return-rst and return-icmp from Attila Fueloep
(lichtscheu@gesindel.org)

4.1.3 - Released 18 July 2004

do some more fine tuning on NAT checksum adjustments

correct IP address byte order in proxy setup for ipsec/pptp

man page updates

fix numerous problems with ipfs operation

complete new syntax for ipmon.conf in its parser and update the sample file

assign error value consistently in fastroute code

rewrite allocation of mbufs in send_reset/send_icmp_err to better use
mbuf clusters and size calculations

resolve problem with linux panic'ing because the wrong flag was being
passed to skb_clone/skb_alloc

enable use of shared/exclusive locks on freebsd5 and above

do not rely on m_pkthdr.len to be valid all the time for mbufs on modern BSD
and so use mbufchainlen to get the mbuf length instead

replace lots of COPYIN/COPYOUT with BCOPYIN/BCOPYOUT where the data is
going to be on the stack and not in userland

packet buffer pointers were not refreshed & used properly in fr_check()

include extra bits for OpenBSD 3.4 & 3.5.

fix ipf/ipnat parsing regression problems with v3.4

4.1.2 - RELEASED - 27 May 2004

add state top for ipv6

fix numerous parsing regressions

change sample proxies to use SIOCGNATL with the new API

allow macro names to contain underscores (_)

split the parser into a collection of dictionaries so that keywords do
not interfere with resolving hostnames and portnames

fix ipfrule LKM loading on freebsd

support mapping a fixed range of ports to a single port

fix timeout queue use by proxies with private queues

handle space-led ftp server replies properly

fix timeout queue management

fix fastroute, generation of RST & ICMP packets and operation with to/fastroute

resolve further linux compatibility problems

replace the use of COPYIN with BCOPYIN for platforms that provide ioctl
args on the stack

allow flushing of ipv6 rules independent of ipv4 rules

correct internal ipv6 checksum calculations

if a 'keep state' rule fails to create state, block the packet rather
than let it through

correct all checksums in regression tests and correct NAT code to adjust
checksums correctly.

fix ipfs -R/-W

4.1.1 - RELEASED - 24 March 2004

allow new connections with the same port numbers as an existing one
in the state table if the creating packet is a SYN

timeout values have drifted, incorrectly, from what they were in 3.4

FreeBSD - compatibility changes for 5.2

don't match on sequence number (as well) for ICMP ECHO/REPLY, just the
ICMP Id. field as otherwise there is a state/NAT entry per packet pair
rather than per "flow"

fr_cksum() returned the wrong answer for ICMP

Linux:
- get return-rst and return-icmp working
- treat the interface name the same as if_xname on BSD

adjust expectations for TCP urgent bits based on observed traffic in the
wild

openbsd3.4 has ip_len/ip_off in network byte order when ipfilter is called

fix flushing of hash pool groups (ippool -F) as well as displaying them
(ippool -l)

passing of pointers to interface structures wrong for HP-UX/Solaris with
return-* rules.

Make the solaris boot script able to run on 2.5.1

ippool related files missing from Solaris packages

The name /dev/ippool should be /dev/iplookup

add regression testing for parsing long interface names in nat rules,
along with mssclamp and tags. Also add test for mssclamp operation.

ttl displayed for "ipfstat -t" is wrong because ttl is not computed.

parse logical interface names (Sun)

unloading LKMs was only working if they were enabled.

sync'ing up NAT sessions when NICs change should cause NAT rules to
re-lookup name->pointer mappings

not all of the ippool ioctl's are IOWR and they should be because they
use the ipfobj_t for passing information in/out of the kernel. leave the
old values defined and handle them, for compatibility.

pool stats wrong: ippoolstate used where ipoolstat should be, hash table
statistics not reported at all

fr_running not set correctly for OpenBSD when compiled into the kernel

Allow SIOCGETFF while disabled

Fix mssclamp with NAT (parsing and printing of the word, plus wrong bytes
altered. How do you say "untested" ?)

4.1 - RELEASED - 12 February 2004

4.0-BETA1 20 August 2003

support 0/32 and 0/0 on the RHS in redirect rules

where LHS and RHS netmasks are the same size for redirect, do 1:1 mapping
for bimap rules.

allow NAT rule to match 'all' interfaces with * as interface name

do mapping of ICMP sequence id#'s in pings

allow default age for NAT entries to be set per NAT rule

provide round robin selection of destination addresses for redirect

ipmon can load a configuration file with instructions on actions
to take when a matching log entry is received

now requires pfil to work on Solaris & HP-UX

supports mapping outbound connections to a specific address/port

support toggling of logging per ipfilter 'device'

use queues to expire data rather than lists

add MSN RPC proxy

add IRC proxy

support rules with dynamic ip addresses

add ability to define a pool of addresses & networks which can then
be placed in a single rule

support passing entire packet back to user program for authentication

support master/slave for state information sharing

reorganise generic code into a lib directory and make libipf.a

user programs enforce version matching with the kernel

supports window scaling if seen at TCP session setup

generates C code from filter rules to compile in or load as native
machine code.

supports loading rules comprised of BPF bytecode statements

HP-UX 11 port completed

and packets-per-second filtering

add numerical tags to rules for filtering and display in ipmon output

3.4.4 23/05/2000 - Released

don't add TCP state if it is an RST packet and (attempt) to send out
RST/ICMP packets in a manner that bypasses IP Filter.

add patch to work with 4.0_STABLE delayed checksums

3.4.3 20/05/2000 - Released

fix ipmon -F

don't truncate IPv6 packets on Solaris

fix keep state for ICMP ECHO

add some NAT stats and use def_nat_age rather than DEF_NAT_AGE

don't make ftp proxy drop packets

use MCLISREFERENCED() in tandem with M_EXT to check if IP fields need to be
swapped back.

fix up RST generation for non-Solaris

get "short" flag right for IPv6

3.4.2 - 10/5/2000 - Released

Fix bug in dealing with "hlen == 1 and opt > 1" - Itojun

ignore previous NAT mappings for 0/0 and 0/32 rules

bring in a completely new ftp proxy

allow NAT to cause packets to be dropped.

add NetBSD callout support for 1.4-current

3.4.1 - 30/4/2000 - Released

add ratoui() and fix parsing of group numbers to allow 0 - UINT_MAX

don't include opt_inet6.h for FreeBSD if KLD_MODULE is defined

Solaris must use copyin() for all types of ioctl() args

fix up screen/tty when leaving "top mode" of ipfstat

linked list for maptable not setup correctly in nat_hostmap()

check for maptable rather than nat_table[1] to see if malloc for maptable
succeeded in nat_init

fix handling of map NAT rules with "from/to" host specs

fix printing out of source address when using "from/to" with map rules

convert ip_len back to network byte order, not plen, for solaris as ip_len
may have been changed by NAT and plen won't reflect this

3.4 - 27/4/2000 - Released

source address spoofing can be turned on (fr_chksrc) without using
filter rules

group numbers are now 32bits in size, up from 16bits

IPv6 filtering available

add frank volf's state-top patches

add load splitting and round-robin attribute to redirect rules

FreeBSD-4.0 support (including KLD)

add top-style operation mode for ipfstat (-t)

add save/restore of IP Filter state/NAT information (ipfs)

further ftp proxy security checks

support for adding and removing proxies at runtime

3.3.13 26/04/2000 - Released

Fix parsing of "range" with "portmap"

Relax checking of ftp replies, slightly.

Fix NAT timeouts for ICMP packets

SunOS4 patches for ICMP redirects from Jurgen Keil (jk@tools.de)

3.3.12 16/03/2000 - Released

tighten up ftp proxy behaviour. sigh. yuck. hate.

fix bug in range check for NAT where the last IP# was not used.

fix problem where icmp codes > 127 in filter rules caused bad things to
happen and in particular, where #18 caused the rule to be printed
erroneously.

fix bug with the spl level not being reset when returning EIO from
iplioctl due to ipfilter not being initialized yet.

3.3.11 04/03/2000 - Released

make "or-block" work with lines that start with "log"

fix up parsing and printing of rules with syslog levels in them

fix from Cy Schubert for calling of apr_fini only if non-null

3.3.10 24/02/2000 - Released

* fix back from guido for state tracking interfaces

* update for NetBSD pfil interface changes

* if attaching fails and we can abort, then cleanup when doing so.

julian@computer.org:
* solaris.c (fr_precheck): After calling freemsg on mt, set it to point to *mp.
* ipf.c (packetlogon): use flag to store the return value from get_flags.
* ipmon.c (init_tabs): General cleanup so we do not have to cast
  an int s->s_port to u_int port and try to check if the u_int port
  is less than zero.

3.3.9 15/02/2000 - Released

fix scheduling of bad locking in fr_addstate() used when we attach onto
a filter rule.

fix up ip_statesync() with storing interface names in ipstate_t

fix fr_running for LKM's - Eugene Polovnikov

junk using pullupmsg() for solaris - it's next to useless for what we
need to do here anyway - and implement what we require.

don't call fr_delstate() in fr_checkstate(), when compiled for a user
program, early but when we're finished with it (got fr & pass)

ipnat(5) fix from Guido

on solaris2, copy message and use that with filter if there is another
copy of it being used (db_ref > 1). bad for performance, but better
than causing a crash.

patch for solaris8-fcs compile from Casper Dik

3.3.8 01/02/2000 - Released

fix state handling of SYN packets.

add parsing recognition of extra icmp types/codes and fix handling of
icmp time stamps and mask requests - Frank volf

3.3.7 25/01/2000 - Released

sync on state information as well as NAT information when required

record nat protocol in all nat log records

don't reuse the IP# from an active NAT session if the IP# in the rule
has changed dynamically.

lookup the protocol for NAT log information in ipmon and pass that to
portname.

fix the bug with changing the outbound interface of a packet where it
would lead to a panic.

use fr_running instead of ipl_inited. (sysctl name change on freebsd)

return EIO if someone attempts an ioctl on state/nat if ipfilter is not
enabled.

fix rule insertion bug

make state flushing clean anything that's not fully established (4/4)

call fr_state_flush() after we've released ipf_state so we don't generate
a recursive mutex acquisition panic

fix parsing of icmp code after return-icmp/return-icmp-as-dest and add
some patches to enhance parsing strength

3.3.6 28/12/1999 - Released

add in missing rwlock release in fr_checkicmpmatchingstate() and fix check
for ICMP_ECHO to only be for packet, not state entry which we don't have yet.

handle SIOCIPFFB in nat_ioctl() and fr_state_ioctl()

fix size of friostat for SunOS4

fix bug in running off the end of a buffer in real audio proxy

3.3.5 11/12/1999 - Released

fix parsing of "log level" and printing it back out too

<net/if_types.h> is only present on Solaris2.6/7/8

use send_icmp_err rather than icmp_error to send back a frag-needed error
when doing PMTU

do not use -b with add_drv on Solaris unless $BASEDIR is set.

fix problem where source address in icmp replies is reversed

fix yet another problem with real audio.

3.3.4 4/12/1999 - Released

fix up the real audio proxy to properly setup state information and NAT
entries, thanks to Laine Stump for testing/advice/fixes.

fix ipfr_fastroute to set dst->sin_addr (Sean Farley - appears to prevent
FreeBSD 3.3 from panic'ing) as this had been removed in prior hacks to this
routine.

fix kinstall for BSDI

support ICMP errors being allowed through for ICMP packets going out with
keep state enabled

support hardware checksumming (gigabit ethernet cards) on Solaris thanks to
Tel.Net Media for providing hardware for testing.

patches from Frank Volf for ipmon (ICMP & fragmented packets) and allowing
ICMP responses to ICMP packets in the keep state table.

add in patches for hardware checksumming under solaris

Solaris install scripts now use $BASEDIR as appropriate.

add Solaris8 support

fix "ipf -y" on solaris so that it rescans rules also for changes in
interface pointers

let ipmon become a daemon with -D if it is using syslog

fix parsing of return-icmp-as-dest(foo)

add reference to ipfstat -g to ipfstat.8

ipf_mutex needs to be declared for irix in ip_fil.c

3.3.3 22/10/1999 - Released

add -g command line option to ipfstat to show groups still defined.

fix problem with fragment table not recording rule pointer when called
from state functions (fin_fr not set).

fixup fastroute problems with keep state rules.

load rules into inactive set first, so we don't disable things like NIS
lookups half way through processing - found by Kevin Littlejohn

fix handling of unaligned ip pointer for solaris

patch for fr_newauth from Rudi Sluijtman

fixed htons() bug in fr_tcpsum() where ip_p wasn't cast to u_short

3.3.2 23/09/1999 - Released

patches from Scott Presnell to fix rcmd proxy

patches from Greg to fix Solaris detachment of interfaces

add openbsd compatibility fixes

fix free'ing already freed memory in ipfr_slowtimer()

fix for dereferencing invalid memory in cleaning up after a device disappears

3.3.1 14/8/1999 - Released

remove include file sys/user.h for irix

prevent people from running buildsunos directly

fix up some problems with the saving of rule pointers so that NAT saves
that information in case it should need to call fr_addstate() from a proxy.
1102 1103fix up scanning for the end of FTP messages 1104 1105don't remove /etc/opt/ipf in postremove 1106 1107attempt to prevent people running buildsolaris script without doing a 1108"make solaris" 1109 1110fix timeout losing on freebsd3 1111 11123.3 7/8/1999 - Released 1113 1114NAT: information (rules, mappings) are stored in hash tables; setup some 1115basic NAT regression testing. 1116 1117display version name of installed kernel code when initializing. 1118 1119add -V command line option to ipf, showing version (program and kernel 1120module) as well as the run-status of the kernel code. 1121 1122fix problem with "log" rules actually affecting result of filtering. 1123 1124automatically use SUNWspro if available and on a 64bit Solaris system for 1125compiling. 1126 1127add kernel proxies for rcmd(3) and RealAudio (PNA) 1128 1129use timeout/untimeout on SunOS4/BSD platforms too rather than hijacking 1130ip_slowtimo 1131 1132fix IP headers generated through parsing of text information 1133 1134fix NAT rules to be in the correct order again. 1135 1136make keep-state work with to/fastroute keywords and enforce usage of those 1137interfaces. 1138 1139update keep-state code with new algorithm from Guido 1140 1141add FreeBSD-3 support 1142 1143add return-icmp-as-dest option to retrun an ICMP packet using the original 1144destination as the source rather than a local IP address 1145 1146add "level [facility.]<priority>" option to filter language 1147 1148add changes from Guido to state code. 1149 1150add code to return EPERM if the device is opened for writing and we're 1151in securelevel 2 or greater. 1152 1153authentication code patches from Guido 1154 1155fix real audio proxy 1156 1157fix ipmon rule printing of interfaces and add IN/OUT to the end of ipmon 1158log output. 
1159 1160fix bimap rules with hash tables 1161 1162update addresses used in NAT mappings for 0/32 rules for any protocol but TCP 1163if it changes on the interface - check every ip_natexpire() 1164 1165add redirect regression test 1166 1167count buckets used in the state hash table. 1168 1169fix sending of RST's with return-rst to use the ack number provided in 1170the packet being replied to in addition to the sequence number. 1171 1172fix to compile as a 64bit application on solaris7-64bit 1173 1174add NAT IP mapping to ranges of IP addresses that aren't CIDR specified 1175 1176fix calculation of in_space parameter for NAT 1177 1178fix `wrapping' when incrementing the next ip address for use in NAT 1179 1180fix free'ing of kernel memory in ip_natunload on solaris 1181 1182fix -l/-U command line options from interfering with each other 1183 1184fix fastroute under solaris2 and cleanup compilation for solaris7 1185 1186add install scripts and compile cleanly on BSD/OS 4.0 1187 1188safely open files in /tmp for writing device output when testing. 1189 1190fix uninitialized pointer bug in NAT 1191 1192fix SIOCZRLST (zero list rule stats) bug with groups 1193 1194change some usage of u_short to u_int in function calling 1195 1196fix compilation for Solaris7 (SUNWspro) 1197 1198change solaris makefiles to build for either sparc or i386 rather than 1199per-cpu (sun4u, etc). 1200 1201fixed bug in ipllog 1202 1203add patches from George Michaelson for FreeBSD 3.0 1204 1205add patch from Guido to provide ICMP checking for known state in the same 1206manner as is done for NAT. 1207 1208enable FTP PASV proxying and enable wildcarding in NAT/state code for ports 1209for better PORT/PASV support with FTP. 1210 1211bring into main tree static nat features: map-block and "auto" portmapping. 
1212 1213add in source host filtering for redirects (alan jones) 1214 12153.2.10 22/11/98 - Released 1216 12173.2.10beta9 17/11/98 - Released 1218 1219fix fr_tcpsum problems in handling mbufs with an odd number of bytes 1220and/or split across an mbuf boundary 1221 1222fix NAT list entry comparisons and allow multiple entries for the same 1223proxy (but on different ports). 1224 1225don't create duplicate NAT entries for repeated PORT commands. 1226 12273.2.10beta8 14/11/98 - Released 1228 1229always exit an rwlock before expecting to enter it again on solaris 1230 1231fix loop in nat_new for pre-existing nat 1232 1233don't setup state for an ftp connection if creating nat fails. 1234 12353.2.10beta7 05/11/98 - Released 1236 1237set fake window in ipft_tx.c to ensure code passes tests. 1238 1239cleaned up/enhanced ipnat -l/ipnat -lv output 1240 1241fixed NAT handling of non-TCP/UDP packets, esp. for ICMP errors returned. 1242 1243Solaris recusive mutex on icmp-error/tcp-reset - requires rwlock's rather 1244than mutexes. 1245 12463.2.10beta6 03/11/98 - Released 1247 1248fix mixed use of krwlock_t and kmutex_t on Solaris2 1249 1250fix FTP proxy back up, splitting pasv code out of port code. 
1251 12523.2.10beta5 02/11/98 - Released 1253 1254fixed port translation in ICMP reply handling 1255 12563.2.10beta4 01/11/98 - Released 1257 1258increase useful statistic collection on solaris 1259 1260filter DL_UNITDATA_REQ as well as DL_UNITDATA_IND on solaris 1261 1262disable PASV reply translation for now 1263 1264fail with an error if we try to load a NAT rule with a non-existant 1265 proxy name - Guido 1266 1267fix portmap usage with 0/0 and 0/32 map rules 1268 1269remove ap_unload/ap_expire - automatically done when NAT is cleaned up 1270 1271print "STATE:CLOSED" from ipmon if the connection progresses past established 1272 rather than "STATE:EXPIRED" 1273 12743.2.10beta3 26/10/98 - Released 1275 1276fixed traceroute/nat problem 1277 1278rewrote nat/proxy interface 1279 1280ipnat now lists associated proxy sessions for each NAT where applicable 1281 12823.2.10beta2 13/10/98 - Released 1283 1284use KRWLOCK_T in place of krwlock_t for solaris as well as irix 1285 1286disable use of read-write lock acquisition by default 1287 1288add in mb_t for linux, non-kernel 1289 1290some changes to progress compilation on linux with glibc 1291 1292change PASV as well as PORT when passed through kernel ftp proxy. 1293 1294don't allow window to become 0 in tcp state code 1295 1296make ipmon compile cleaner 1297 1298irix patches 1299 13003.2.10beta 11/09/98 - Released 1301 1302stop fr_tcpsum() thinking it has run out of data when it hasn't. 1303 1304stop solaris panics due to fin_dp being something wild. 1305 1306revisit usage of ATOMIC_*() 1307 1308log closing state of TCP connection in "keep state" 1309 1310fix fake-arp table code for ipsend. 1311 1312ipmon now writes pid to a file. 1313 1314fix "ipmon -a" to actually activate all logging devices. 1315 1316add patches for BSDOS4. 1317 1318perl scripts for log analysis donated. 1319 13203.2.9 22/06/98 - Released 1321 1322fix byte order for ICMP packets generated on Solaris 1323 1324fix some locking problems. 
1325 1326fix malloc bug in NAT (introduced in 3.2.8). 1327 1328patch from guido for state connections that get fragmented 1329 13303.2.8 08/06/98 - Released 1331 1332use readers/writers locks in Solaris2 in place of some mutexes. 1333 1334Solaris2 installation enhancements - Martin Forssen (maf@carlstedt.se) 1335 13363.2.7 24/05/98 - Released 1337 1338u_long -> u_32_t conversions 1339 1340patches from Bernd Ernesti for NetBSD 1341 1342fixup ipmon to actually handle HUP's. 1343 1344Linux fixes from Michael H. Warfield (mhw@wittsend.com) 1345 1346update for keep state patch (not security related) - Guido 1347 1348dumphex() uses stdout rather than log 1349 13503.2.6 18/05/98 - Released 1351 1352fix potential security loop hole in keep state code. 1353 1354update examples. 1355 13563.2.5 09/05/98 - Released 1357 1358BSD/OS 3.1 .o files added for the kernel. 1359 1360fix sequence # skew vs window size check. 1361 1362fix minimum ICMP header size check. 1363 1364remove references to Cybersource. 1365 1366fix my email address. 
1367 1368remove ntohl in ipnat - Thomas Tornblom 1369 13703.2.4 09/04/98 - Released 1371 1372add script to make devices for /dev on BSD boxes 1373 1374fixup building into the kernel for FreeBSD 2.2.5 1375 1376add -D command line option to ipmon to make it a daemon and SIGHUP causes 1377it to close and reopen the logfile 1378 1379fixup make clean and make package for SunOS5 - Marc Boucher 1380 1381postinstall keeps adding "minor=ipf ipl" - George Ross <gdmr@dcs.ed.ac.uk> 1382 1383protected by IP Filter gif - Sergey Solyanik <solik@atom.ru> 1384 13853.2.3 10/11/97 - Released 1386 1387fix some iplang bugs 1388 1389fix tcp checksum data overrun, sgi #define changes, 1390avoid infinite loop when nat'ing to single IP# - Marc Boucher 1391 1392fixup DEVFS usage for FreeBSD 1393 1394fix sunos5 "make clean" cleaning up too much 1395 13963.2.2 28/11/97 - Released 1397 1398change packet matching to return actual error, if bad packet, to facilitate 1399ECONNRESET for TCP. 1400 1401allow ip:netmask in grammar too now - Guido 1402 1403assume IRIX has u_int32_t in sys/types.h (needed for R10000) 1404 1405rewrite parts of command line options for ipmon 1406 1407fix TCP urgent packet & offset testing and add LAND attack test for iptest 1408 1409fix grammar error in yacc grammar for iplang 1410 1411redirect (rdr) destination port bytes-wapped when it shouldn't be. 1412 1413general: fr_check now returns error code, such as EHOSTUNREACH or 1414ECONNRESET (attempt to make ECONNRESET work for locally outbound 1415packets). 
1416 1417linux: enable return-rst, need to filter tcp retransmits which are sent 1418 separately from normal packets 1419 1420memory leak plugged in ip_proxy.c 1421 1422BSDI compatibility patches from Guido 1423 1424tcp checksum fix - Marc Boucher 1425 1426recursive mutex and ioctl param fix - Marc Boucher 1427 14283.2.1 12/11/97 - Released 1429 1430port to BSD/OS 3.0 1431 1432port to Linux 2.0.31 1433 1434patches to make "map a/m -> 0/0" work with ftp proxying properly - Marc Boucher 1435 1436add "ipf -F s" and "ipf -F S" to flush state table entries. 1437 1438announce if logging is on or off when ip filter initializes. 1439 1440"ipf -F a" doesn't flush groups properly for Solaris. 1441 14423.2 30/10/97 - Released 1443 1444ipnat doesn't successfully remove proxy mappings with "-rf" - 1445Alexander Romanyu 1446 1447use K&R C function style for solaris kernel code 1448 1449use m_adj() to decrease packet size in ftp proxy 1450 1451use mbufchainlen rather than msgdsize, 1452IRIX update - Marc Boucher 1453 1454fix NetBSD modunload bug (pfil_add_hook done twice) 1455 1456patches for OpenBSD 2.1 - Craig Bevins <craigb@bitcom.net.au> 1457 14583.2beta10 24/10/97 - Released 1459 1460fix fragment table entries allocated for NAT. 1461 1462fix tcp checksum calculations over mbuf/mblk boundaries 1463 1464fix panic for blen < 0 in ftp kernel proxy - marc boucher 1465 1466fix flushing of rules which have been grouped. 1467 14683.2beta9 20/10/97 - Released 1469 1470some nit picking on solaris2 with SUNWspro - Michael Lyle <mrl@rpnet.net> 1471 1472ftp kernel proxy patches from Marc Boucher 1473 14743.2beta8 13/10/97 - Released 1475 1476add support for passing ICMP errors back through NAT. 
1477 1478IRIX port update - Marc Boucher 1479 1480calculate correct MIN size of packet to log for UDP - Marc Boucher 1481 1482need htons(ETHERTYPE_x) on little endian BSD boxes - Dave Huang 1483 1484copyright header fixups 1485 14863.2beta7 23/09/97 - Released 1487 1488fickup problems introduced by prior merges & changes. 1489 14903.2beta6 23/09/97 - Released 1491 1492patch for spin-reading race condition - Marc Boucher. 1493 1494IRIX port by Marc Boucher. 1495 1496compatibility updates for Linux to ipsend 1497 14983.2beta5 13/09/97 - Released 1499 1500patches from Bernd Ernesti for NetBSD integration (mostly prototyping and 1501compiler warning things) 1502 1503ipf -y will resync IP#'s allocated with 0/32 in NAT to match interface if it 1504changes. 1505 1506update manual pages and other documentation updates. 1507 15083.2beta4 27/8/97 - Released 1509 1510enable setting IP and TCP options for iplang/ 1511 1512Solaris2 patches from Marc Boucher. 1513 1514add groups for filter rules. 1515 15163.2beta3 21/8/97 - Released 1517 1518patches for Solaris2 (interface panic solution ?): fix FIONREAD and 1519replacing q_qinfo points - Marc Boucher <marc@CAM.ORG> 1520 1521change ipsend/* and ipsd/* copyright notices to be the same as ip filter's 1522 1523patch for SYN-ACK skew testing fix from Eric V. Smith <EricSmith@windsor.com> 1524 15253.2beta2 6/8/97 - Released 1526 1527make it load on Solaris 2.3 1528 1529rewrote logging to remove solaris errors, introduced checking to see if the 1530same packet is logged successively. 1531 1532fix filter cache to work when there are no rules loaded. 1533 1534add "raw" option to ipresend to send entire ethernet frames. 1535 1536nat list corruption bug - NetBSD - Klaus Klein 1537 15383.2beta1 5/7/97 - Released 1539 1540patches from Jason Thorpe fixing: UNSIGNED_CHAR lossage, off_t being 64bits 1541lossage, and other NetBSD bits. 1542 1543NetBSD 1.2G update. 1544 1545fixup fwtk patches and add protocol field for SIOCGNATL. 
1546 1547rdr bugs reported by Alexander Romanyu (alexr@aix.krid.crimea.ua), with 1548fixes: 1549* rdr matched all packets of a given protocol (ignored ports). 1550* severe bug in nat_delete which caused system crash/freeze. 1551 1552change Makefile so that CC isn't passed on for FreeBSD/NetBSD (will use 1553the default CC - cc, not gcc) 1554 15553.2alpha9 16/6/97 - Released 1556 1557added "skip" keyword. 1558 1559implement preauthentication of packets, as outlined by Guido. 1560 1561Make it compile as cleanly as possible with -Wall & general code cleanup 1562 1563getopt returns int, not char. Bernd Ernesti 1564 15653.2alpha8 13/6/97 - Released 1566 1567code added to support "auth" rules which require a user program to allow them 1568through. First revision and much of the code came from Guido. 1569 1570hex output from ipmon doesn't goto syslog when recovering from out of sync 1571error. Luke Mewburn (lukem@connect.com.au) 1572 1573fix solaris2.6 lookup of destination ire's. 1574 1575ipnat doesn't throw away unused bits (after masking), causing it to 1576behave incorrectly. Carson Gaspar 1577 1578NAT code doesn't include inteface name when matching - Alexey Mavrin 1579<lha@elco.spb.ru> 1580 1581replace old SunOS tcpip.h with new tcpip.h (from 4.4BSD) - Jason Thorpe. 1582 1583update install procedures to include ip_proxy.c 1584 1585mask out unused bits in NAT/RDR rules. 1586 1587use a generic type (u_32_t) for 32bit variables, rather than rely on 1588u_long being such - Jason Thorpe. 1589 1590create a local "netinet" directory and include from ~netinet/*" rather than 1591just "*" to make keeping the code working on ports easier. 1592 1593add an m_copydata and m_copyback for SunOS4 (based on 4.4BSD-Lite versions) 1594 1595documentation updates. 1596 1597NetBSD update from Jason Thorpe <thorpej@netbsd.org> 1598 1599allow RST's through with a matching SEQ # and 0 ACK. 
Guido Van Rooij 1600 1601ipmon uses excessive amounts of CPU on Solaris2 - Reinhard Bertram 1602<Reinhard.Bertram@KOM.th-darmstadt.de> 1603 16043.2alpha7 25/5/97 - Released 1605 1606add strlen for pre-2.2 kernels - Doug Kite <dkite@websgi.icomnet.com> 1607 1608setup bits and pieces for compiling into a FreeBSD-2.2 kernel. 1609 1610split up "bsd" targets. Now a separate netbsd/freebsd/bsd target. 1611mln_ipl.c has been split up into itself and mlf_ipl.c (for freebsd). 1612 1613fix (negative) host matching in filtering. 1614 1615add sysctl interface for some variables when compiled into FreeBSD-2.2 kernels 1616or later. 1617 1618make all the candidates for kernel compiling include "netinet/..." and build 1619a subdirectory "netinet" when compiling and symlink all .h files into this. 1620 1621add install make target to Makefile.ipsend 1622 16233.2alpha6 8/5/97 - Released 1624 1625Add "!" (not) to hostname/ip matching. 1626 1627Automatically add packet info to the fragment cache if it is a fragment 1628and we're translating addreses for. 1629 1630Automatically add packet info to the fragment cache if it is a fragment 1631and we're "keeping state" for the packet. 1632 1633Solaris2 patches - Anthony Baxter (arb@connect.com.au) 1634 1635change install procedure for FreeBSD 2.2 to allow building to a kernel 1636which is different to the running kernel. 1637 1638add FIONREAD for Solaris2! 1639 1640when expiring NAT table entries, if we would set a time to fr_tcpclosed 1641(which is 1), make it fr_tcplaskack(20) so that the state tables have a 1642chance to clear up. 1643 16443.2alpha5 1645 1646add proxying skeleton support and sample ftp transparent proxy code. 1647 1648add printfs at startup to tell user what is happening. 1649 1650add packets & bytes for EXPIRE NAT log records. 1651 1652fix the "install-bsd" target in the root Makefile. Chris Williams 1653<psion@mv.mv.com> 1654 1655Fixes for FreeBSD 2.2 (and later revs) to prevent panics. Julian Assange. 
1656 16573.2alpha4 2/4/97 - Released 1658 1659Some compiler warnings cleaned up. 1660 1661FreeBSD-2.2 patches for LKM completed. 1662 16633.2alpha3 31/3/97 - Released 1664 1665ipmon changes: -N for reading NAT logfile, -S for reading state logfile. 1666-a for reading all. -n now toggles hostname resolution. 1667 1668Add logging of new state entries and expiration of old state entries. 1669count log successes and failures. 1670 1671Add logging of new NAT entries and expiration of old NAT entries. 1672count log successes and failures. 1673 1674Use u_quad_t for records of bytes & packets where kept 1675(IP Accounting: fr_hits, fr_bytes; IP state: is_pkts, is_bytes). 1676 1677Fixup use of CPU and DCPU in Makefiles. 1678 1679Fix broken 0/32 NAT mapping. Carl Makin <cmakin@nla.gov.au> 1680 16813.2alpha2 1682 1683Implement mapping to 0/32 as being an alias for automatically using the 1684interface's first IP address. 1685 1686Implement separate minor devices for both NAT and IP state code. 1687 1688Fully prototype all functions. 1689 1690Fix Makefile problem due to attempt to fix Sun compiling problems. 1691 16923.1.10 23/3/97 - Released 1693 1694ipfstat -a requires a -i or -o command line option too. Print an error 1695when not present rather than attempt to do something. 1696 1697patch updates for SunOS4 for kernel compiling. 1698patch for ipmon -s (flush's syslog file which isn't good). Andrew J. Schorr 1699<schorr@ead.dsa.com> 1700 1701too many people hit their heads hard when compiling code into the kernel 1702that doesn't let any packets through. (fil.c - IPF_NOMATCH) 1703 1704icmp-type parsing doesn't return any errors when it isn't constructed 1705correctly. Neil Readwin 1706 1707Using "-conf" with modload on SunOS4 doesn't work. 1708Timothy Demarest <demarest@arraycomm.com> 1709 1710Need to define ARCH in makefile for SunOS4 building. "make sunos4" 1711in INSTALL.SunOS is incorrect. 
James R Grinter <jrg@blodwen.demon.co.uk> 1712[all SunOS targets now run buildsunos] 1713 1714NAT lookups are still incorrect, matching non-TCP/UDP with TCP/UDP 1715information. ArkanoiD <ark@paranoid.convey.ru> 1716 1717Need to check for __FreeBSD_version being 199511 rather than 199607 1718in mln_ipl.c. Eric Feillant <Eric.Feillant@EUnet.fr> 1719 17203.1.9 8/3/97 - Released 1721 1722fixed incorrect lookup of active NAT entries. 1723 1724patch for ip_deq() wrong for pre 2.1.6 FreeBSD. 1725fyeung@fyeung8.netific.com (Francis Yeung) 1726 1727check for out with return-rst/return-icmp at wrong place - Erkki Ritoniemi 1728(erkki@vlsi.fi) 1729 1730text_readip returns the interface pointer pointing to text on stack - 1731Neil Readwin 1732 1733fix from Pradeep Krishnan for printout rules "with not opt sec". 1734 17353.1.8 18/2/97 - Released 1736 1737Diffs for ip_output.c and ip_input.c updated to fix bug with fastroute and 1738compiling warnings about reuse of m0. 1739 1740prevent use of return-rst and return-icmp with rules blocking packets going 1741out, preventing panics in certain situations. 1742 1743loop forms in frag cache table - Yury Pshenychny <yura@rd.zgik.zaporizhzhe.ua> 1744 1745should use SPLNET/SPLX around expire routines in NAT/frag/state code. 1746 1747redeclared malloc in 44arp.c - 1748 17493.1.7 8/2/97 - Released 1750 1751Macros used for ntohs/htons supplied with gcc don't always work very well 1752when the assignment is the same variable being converted. 1753 1754Filter matching doesn't not match rule which checks tcp flags on packets 1755which are fragments - David Wilson 1756 17573.1.7beta 30/1/97 - Released 1758 1759Fix up NAT bugs introduced in last major change (now tested), including 1760nat_delete(), nat_lookupredir(), checksum changes, etc. 1761 17623.1.7alpha 30/1/97 - Released 1763 1764Many changes to NAT code, including contributions from Laurent Joncheray 1765<lpj@ans.net> 1766 1767Use "NO_SLEEP" when allocating memory under SunOS. 
1768 1769Make kernel printf's nicer for BSD/SunOS4 1770 1771Always do a checksum for packets being filtered going out and being 1772processed by fastroute. 1773 1774Leave kernel to play with cdevsw on *BSD systems with LKM's. 1775 1776ipnat.1 man page fixes. 1777 17783.1.6 21/1/97 - Released 1779 1780Allow NAT to work on BSD systems in conjunction with "pass .. to ifname" 1781 1782Memory leak introduced in 3.1.3 in NAT lists, clearing of NAT table tried 1783to free memory twice. 1784 1785NAT recalculates IP header checksum based on difference between IP#'s and 1786port numbers - should be just IP#'s (Solaris2 only) 1787 17883.1.5 13/1/97 - Released 1789 1790fixed setting of NAT timeouts and use different timeouts for concurrent 1791TCP sessions using the same IP# mapping (when port mapping isn't used) 1792 1793multiple loading/unloading of LKM's doesn't clean up cdevsw properly for 1794*BSD systems. 1795 17963.1.4 10/1/97 - Released 1797 1798add command line options -C and -F to ipnat to flush NAT list and table 1799 1800ipnat -l loops on output - Neil Readwin (nreadwin@nysales.micrognosis.com) 1801 1802NetBSD/FreeBSD kernel malloc changes - Daniel Carosone 1803 18043.1.3 10/1/97 - Released 1805 1806NAT chains not constructed correctly in hash tables - Antony Y.R Lu 1807(antony@hawk.ee.ncku.edu.tw) 1808 1809Updated INSTALL.NetBSD, INSTALL.FreeBSD and INSTALL.Sol2 1810 1811man page update (ipf.5) from Daniel Carosone (dan@geek.com.au) 1812 1813ICMP header checksum update now included in NAT. 1814 1815Solaris2 needs to modify IP header checksums in ip_natin and ip_natout. 1816 18173.1.2 4/12/96 - Released 1818 1819ipmon doesn't use syslog all the time when given -s option 1820 1821fixed mclput panic in ip_input.c and replace ntohs() with NTOHS() macro 1822 1823check the results of hostname resolution in ipnat 1824 1825"make *install" fixed for subdirectories. 
1826 1827problems with "ARCH:=" and gnu make resolved 1828 1829parser reports an error for lines with whitespaces only rather than skipping 1830them. D.Carosone@abm.com.au (Daniel Carosone) 1831 1832patches for integration into NetBSD-current (post 1.2). 1833 1834add an option to allow non-IP packets going up/down the stream on Solaris2 1835to be dropped. John Bass. 1836 18373.1.2beta 21/11/96 - Released 1838 1839make ipsend compile on Linux 2.0.24 1840 1841changes to TCP kept state algorithm, making it watch state on TCP 1842connections in both directions. Also use the same algorithm for NAT TCP. 1843 1844-Wall cleanup - Bernd Ernesti 1845 1846added "or-block" for "pass .. log or-block" after a suggestion from 1847David Oppenheim (davido@optimation.com.au) 1848 1849added subdirectories for building IP Filter in SunOS5/BSD for different 1850cpu architecures 1851 1852Solaris2 fixes to logging and pre-filtering packet processing - 3.1.1p2 1853 1854mbuf logging not using mtod(), remove iplbusy - 3.1.1p1 1/11/96 1855 18563.1.1 28/10/96 - Released 1857 1858Installation script fixes and deinstall scripts for IP Filter on: 1859SunOS4/FreeBSD/NetBSD 1860 1861Man page fixes - Paul Dubois (dubois@primate.wisc.edu) 1862 1863Fix use of SOLARIS macro in ipmon, rewrote ipllog() (again!) 1864 1865parsing isn't completely case insensitive - David Wilson 1866(davidw@optimation.com.au) 1867 1868Release ipl_mutex across uiomove() calls 1869 1870print entire rule entries out for "ipf -z" when zero'ing per-rule stats. 1871 1872ipfstat returns same output for "hits" in "ipfstat -aio" - Terletsky Slavik 1873(ts@polynet.lviv.ua) 1874 1875New algorithm for setting timeouts for TCP connection (more closely follow 1876TCP FSM) - Pradeep Krishnan (pkrishna@netcom.com) 1877 1878Track both window sizes for TCP connections through "keep state". 
1879 1880Solaris2 doesn't like _KERNEL defined in stdargs.h - Jos van Wezel 1881(wezel@bio.vu.nl) 1882 18833.1.1-beta2 6/10/96 - Released 1884 1885Solaris2 fastroute/dup-to/to now works 1886 1887ipmon `record' reading rewritten 1888 1889Added post-NetBSD1.2 packet filter patches - Mathew Green (mrg@eterna.com.au) 1890 1891Attempt to use in_proto.c.diff, not "..diffs" for SunOS4 - David Wilson 1892(davidw@optimation.com.au) 1893 1894Michael Ryan (mike@NetworX.ie) reports the following: 1895* The Trumpet WinSock under Windows always sends its SYN packet with an ACK 1896 value of 1, unlike any other implementation I've seen, which would set it 1897 to zero. The "keep state" feature of IP Filter doesn't work when receiving 1898 non-zero ACK values on new connection requests. 1899* */Makefile install rule doesn't install all the binaries/man pages 1900* Make ipnat use "tcp/udp" instead of "tcpudp" 1901* Print out "tcp/udp" properly 1902* ipnat "portmap tcp" matches "portmap udp" when adding/removing 1903* NAT dest. ip# increased by one on mask of 0xffffffff when it shouldn't 1904 19053.1.1-beta 1/9/96 - Released 1906 1907add better detection of TCP connections closing to TCP state monitoring. 1908 1909fr_addstate() not called correctly for fragments. 
"keep state" and 1910"keep frag" code don't work together 100% - Songqing Cai 1911(songqing_cai@sterling.com) 1912 1913call to fr_addstate() incorrect for adding state in combination with keeping 1914fragment information - Songqing Cai (songqing_cai@sterling.com) 1915 1916KFREE() passed fp (incorrect) and not fr (correct) in ip_frag.c - John Hood 1917(cgull@smoke.marlboro.vt.us) 1918 1919make ipf parser recognise '\\' as a `continued line' marker - Dima Ruban 1920(dima@best.net) 1921 19223.1.1-alpha 23/8/96 - Released 1923 1924kernel panic's when ICMP packets go through NAT code 1925 1926stats aren't zero'd properly with ipf -Z 1927 1928ipnat doesn't show port numbers correctly all the time and also add the 1929protocol (tcp/udp/tcpudp) to rdr output - Carson Gaspar (carson@lehman.com) 1930 1931fast checksum fixing not 100% - backout patch - Bill Dorsey (dorsey@lila.com) 1932 1933NetBSD-1.2 patches from - VaX#n8 <vax@linkdead.paranoia.com> 1934 1935Usage() call error in fils.c - Ajay Shekhawat (ajay@cedar.buffalo.edu) 1936 1937ip_optcopy() staticly defined in ip_output.c in SunOS4 - Nick Hall 1938(nrh@tardis.ed.ac.uk) 1939 19403.1.0 7/7/96 - Released 1941 1942Reformatted ipnat output to be compatible with it's input, so that 1943"ipnat -l | ipnat -rf -" is possible. 1944 19453.1.0beta 30/6/96 - Released 1946 1947NetBSD-1.2 patches from Greg Woods (woods@most.weird.com) 1948 1949kernel module must not be installed stripped (Solaris2), as created by 1950"make package" for Solaris2 - Peter Heimann 1951(peter@i3.informatik.rwth-aachen.de) 1952 19533.1.0alpha 5/6/96 - Released 1954 1955include examples in package for solaris2 1956 1957patches for removing an extra ip header checksum (FreeBSD/NetBSD/SunOS) 1958 1959removed trailing space from printouts of rules in ipf. 1960 1961ipresend supports the same range of inputs that ipftest does. 1962 1963sending a duplicate copy of a packet to another network devices is now 1964supported. 
("dup-to")

sending a packet to an arbitrary interface is now supported, irrespective
of its actual route, with no ttl decrement. Can also be routed without
the ttl being decremented. ("to" and "fastroute").

"call" option added to support calling a generic function if a packet is
matched.

show all (up to 4) recorded bytes from the interface name in logging from
ipmon.

support for using unix file permissions for read/write access on the device
is now in place.

recursive mutex in nat_new() for Solaris 2.x - Per L. Hagen <per@stibo.dk>

ipftest doesn't call initparse() for THISHOST - Catherine Allen
(cla@connect.com.au)

Man page corrections from Rex Bona (rex@pengo.comsmiths.com.au)

3.0.4 10/4/96 - Released

loop in `parsing' IP packets with optlen 0 for ip options.

rule number not initialized and resulted in unexpected results for state
matching.

option parsing and printing bugs - Pradeep Krishnan

3.0.4beta 25/3/96 - Released

wouldn't parse "keep flags keep state" correctly.

SunOS4.1.x ip_input.c doesn't recognise all 1s broadcast address - Nigel Verdon

patches for BSDI's BSD/OS 2.1 and libpcap reader on little endian systems
from Thorsten Lockert <tholo@tetherless.com>

b* functions in fil.c on Solaris 2.4

3.0.3 17/3/96 - Released

added patches to support IP Filter initialisation when compiled into the
kernel.

added -x option to ipmon to display hex dumps of logged packets.

added -H option to ipftest to allow ascii-hex formatted input to specify
arbitrary IP packets.

Sending TCP RSTs as a response now works for Solaris2 x86

add patches to make IP Filter compile into NetBSD kernels properly.

patch to stop SunOS 4.1.x kernels panicking with "data traps".

ipfboot script unloads and reloads ipf module on Solaris2 if it is already
loaded into the kernel.

Installation of IP Filter as a Solaris2 package is now supported.

Man pages for ipnat.4, ipnat.5 added.

added some more regression tests and fixed up IP Filter to pass the new tests
(previous versions failed some of the tests in set 12).

IP option filter processing has changed so that saying "with opt lsrr" will
check only for that one, but not mask out other options, so a packet with
strict source routing, along with loose source routing will match all of
"with opt lsrr", "with opt ssrr" and "with opt lsrr,ssrr".

IPL_NAME needed in ipnat.c - Kelly (kelly@count04.mry.scruznet.com)

patches for clean NetBSD compilation from Bernd Ernesti (bernd@arresum.inka.de)

make install is incorrect - Julian Briggs (julian@lightwork.co.uk)

strtol() returns 0x7fffffff for all negative numbers,
printfr() generates incorrect output for "opt sec-class *",
handling of "not opt xxx opt yyy" incorrect.
- Minh Tonthat (minht@sbei.com)/Pradeep Krishnan (pradeepk@sbei.com)

m_pullup() called only for input and not output; caused problems
with filtering icmp - Nigel Verdon (verdenn@gb.swissbank.com)

parsing problem for "port 1" and NetBSD patches incorrect -
Andreas Gustafsson (gson@guava.araneus.fi)

3.0.2 4/2/96 - Released

Corrected bug where NAT recalculates checksums for fragments.

make NAT recalculate UDP checksums (rather than setting them to 0),
if they're non-zero.

DNS patches - Real Page (Real.Page@Matrox.com)

alteration of checksum recalculations in NAT code and addition of
redirection with NAT - Mike Neuman

core dump, if tcp/udp is used with a port number and not service name,
in ipf - Mike Neuman (mcn@engarde.com)

initparse() call, missing to prime "<thishost>" hook - Craig Bishop

3.0.1 14/1/96 - Released

miscellaneous patches for Solaris2

3.0 14/1/96 - Released

Patch included for FDDI, from Richard Ohnemus
(Richard_Ohnemus@dallas.csd.sterling.com)

Code cleanup for release.

3.0beta4 10/1/96

recursive mutex in ipfr_slowtimer fixed, reported by Craig Bishop

recursive mutex in sending TCP RSTs fixed, reported by Tony Becker

3.0beta3 9/1/96

Fixup for Solaris2.5 install and interface name bug in ipftest from
Julian Briggs (julian@lightwork.co.uk)

Byte order patches for ipmon from Tony Becker (tony@mcrsys.com)

3.0beta2 7/1/96

Added the (somewhat warped) IP accounting as it exists in ipfw on FreeBSD.
Note, this isn't really what one would call IP accounting, when compared to
process accounting, sigh.

Split up ipresend into iptest/ipresend/ipsend

Added another m_pullup() inside fr_check() for BSD style kernels and
added some checks to ipllog() to not log more than is present (for short
packets).

Fixed bug where failed hostname/netname resolution goes undetected and
becomes 0.0.0.0 (any) (reported Guido van Rooij)

3.0beta 11/11/95 - Released

Rewrote the way rule testing is done, reducing the number of files needed and
generated.

SIOCIPFFL was incorrectly affected by IPFILTER_LOG (Mathew Green)

Patches from Guido van Rooij to fix sending back TCP RSTs on Net-2/Net-3
BSD based Unixes (panic'd)

Patches for FreeBSD/i86 ipmon from Riku Kalinen <riku@tequila.nixu.fi>
(I think someone else already told me about these but they got lost :-/)

Changed Makefile structure to build object files for different operating
systems in separate directories by default.

BSDI has ef0 for first ethernet interface

Allow for a "not" operator before optional keywords.

The "rule number" was being incorrectly incremented every time it went through
the loop rather than when it matched a rule.

2.8.2 24/10/95 - Released

Fixed up problems with "textip" for doing lots of testing.

Fixed bug in detection of "short" tcp/ip packets (all reported as being short).

Solaris 2.4 port now works 100%.

Man page errors reported and fixed.

Removed duplicate entry in etc/services for login on port 49 (Craig Bishop).

Fixed ipmon output to put a space after the log-letter.

Patch from Guido van Rooij to fix parsing problem.

2.8.1 15/10/95 - Released

Added ttl and tos filtering.

Patches for fixing up compilation and port problems (little endian)
from Guido van Rooij <guido@IAEhv.nl>.

Man page problems reported and fixed by Carson Gaspar <carson@lehman.com>.

ipsend doesn't compile properly on Solaris2.4

Lots of work done for Solaris2.4 to make it MT/MP safe and work.

2.8 15/9/95 - Released

ipmon can now send messages to syslogd (-s) and use names instead of
numbers (-N).

IP packets are now "compiled" into a structure only containing filterable
bits.

Added regression testing in the test/ subdirectory, using a new option
(-b) with the ipftest program.

Added "nomatch" return to filter results. These are counted and show
up in reports from ipfstat.

Moved filter code out of ip_fil.c and into fil.c - there is now only one
instance of it in the package.

Added Solaris 2.4 support.

Added IPSO basic security option filtering.

Added name support for filtering on all 19 named IP options.

Patches from Ivan Brawley to log packet contents as well as packet headers.

Update for sun/conf.c.diff from Ivan Brawley <ibrawley@awadi.com.AU>

Added patches for FreeBSD 1, and added two new switches (-E, -D) to ipf,
along with a new ioctl, SIOCFRENB.
From: Dieter Dworkin Muller <dworkin@village.org>

2.7.3 31/7/95 - Released

Didn't compile cleanly without IPFILTER_LOG defined (Mathew Green).

ipftest now deals with tcpdump3 binary output files (from libpcap) with -P.

Brought ipftest program up to date with actual filter code.

Filter would cause a match to occur when it wasn't meant to if the packet
had short headers and was missing portions that should have been there.
Err, it would rightly not match on them, but their absence caused a match
when it shouldn't have.

2.7.2 26/7/95 - Released

Problem with filtering just SYN flagged packets reported by
Dieter Dworkin Muller <dworkin@village.org>. To solve this
problem, added support for masking TCP flags for comparison "flags X/Y".

2.7.1 9/7/95 - Released

Added ip_dirbroadcast support for Sun ip_input.c

Fixed up the install scripts for FreeBSD/NetBSD to recognise where they are
better.

2.7 7/7/95 - Released

Added "return-rst" to return TCP RSTs to TCP packets.

Actually ported it to FreeBSD-i386 2.0.0, so it works there properly now.

Added insertion of filter rules. Use "@<#>" at the beginning of a filter
to insert a rule at row #.

Filter keeps track of how many times each rule is matched.

Changed compile time things to match kernel option (IPFILTER_LKM &
IPFILTER_LOG).

Updated ip_input.c and ip_output.c with patches for 3.5 Multicast IP.
(No change required for 3.6)

Now includes TCP fragments which start inside the TCP header as being short.
Added counting the number of times each rule is matched.

2.6 11/5/95 - Released

Added -n option to ipf: when supplied, no changes are made to the kernel.

Added installation scripts for SunOS 4.1.x and NetBSD/FreeBSD/BSDI.

Rewrote filtering to use a more generic mask & match procedure for
checking if a packet matches a rule.

2.5.2 27/4/95 - Released

"tcp/udp" and a non-initialised pointer caused the "proto" to become
a `random' value; added "ip#/dotted.mask" notation to the BNF.
From Adam W. Feigin <feigin@iis.ee.ethz.ch>

2.5.1 22/3/95 - Released

"tcp/udp" had a strange effect (undesired) on getserv*() functions,
causing protocol/service lookups to fail. Reported by Matthew Green.

2.5 17/3/95 - Released

Added a new keyword "all" to BNF and parsing of tcpdump/etherfind/snoop
output through the ipftest program. Suggestions from:
Michael Ciavarella (mikec@phyto.apana.org.au)

Conflicts occur when "general" filter rules are used for ports and the
lack of a "proto" when used with "port" matches other packets when only
TCP/UDP are implied.
Reported Matthew Green (mrg@fulcom.com.au);
reported & fixed 6-8/3/95

Added filtering of short TCP packets using "with short" 28/2/95
(These can possibly slip by checks for the various flags). Short UDP
or ICMP are dropped to the floor and logged.

Added filtering of fragmented packets using "with frag" 24/2/95

Port to NetBSD-current completed 20/2/95, using LKM.

Added logging of the rule # which caused the logging to happen and the
interface on which the packet is currently as suggested by
Andreas Greulich (greulich@math-stat.unibe.ch) 10/2/95

2.4 9/2/95 - Released
Fixed saving of IP headers in ICMP packets.

2.3 29/1/95
Added ipf -F [in|out|all] to flush filter rule sets (SIOCIPFFL).
Fixed iplread() and iplsave() with help from Marc Huber.

2.2 7/1/95 - Released
Added code from Marc Huber <huber@fzi.de> to allow it to allocate
its own major char number dynamically when modload'ing. Fixed up
use of <, >, <=, >= and >< for ports.

2.1 21/12/94 - Released
repackaged to include the correct ip_output.c and ip_input.c *goof*

2.0 18/12/94 - Released
added code to check for port ranges - complete.
rewrote to work as a loadable kernel module - complete.

1.1
added code for output filtering as well as input filtering and added support for logging to a simple character device of packet headers.

1.0 22/04/93 - Released
First release cut.