Cross Reference: /freebsd-9.3-release/contrib/ipfilter/HISTORY

#
# NOTE: Quite a few patches and suggestions come from other sources, to whom
#       I'm greatly indebted, even if no names are mentioned.
#
# Thanks to the Coombs Computing Unit at the ANU for their continued support
# in providing a very available location for the IP Filter home page and
# distribution center.
#
# Thanks also to all those who have contributed patches and other code,
# and especially those who have found the time to port IP Filter to new
# platforms.
#
4.1.28 - Release 16 October 2007

backout changes (B1) & (B2) as they've caused NAT entries to persist for
too long and possibly other side effects.

Still need to compile in our own radix.c for Solaris as the one in S10U4
has a different alignment of structure members (causes panic)

keep state doesn't work with multicast/broadcast packets (makes UPnP easier)

ippool -l may only lists every 2nd pool's contents

4.1.27 - Released 29 September 2007

SunOS5/replace script does not deal with i386 systems that have the
i86/amd64 directory pair.

make BSD/kupgrade try to build ip_rules.[ch] before complaining

Need to look for ipl.ko LKM on FreeBSD, not just ipf.ko

Cleanup SunOS5 Makefile pieces, removing CPU, sunos5x86; buildsunos needs
to drive 32bit cc builds differently for sparc/i386 now.

Update instructions for rebuilding FreeBSD kernels

Make the target "freebsd" work for building ipfilter

destroying NAT entries for blocked packets can lead to NAT table entry leak,
provide a counter of orphan'd NAT entries to track this problem.

4.1.26 - Released 24 September 2007

Fix build problem for Solaris prior to S10U4

4.1.25 - Released 20 September 2007

stepping through structures with ioctls can lead to the wrong things
being free'd and panics

if a NAT entry (such as an rdr) is created but the packet ends up being
blocked, tear down the NAT entry.

fix fragment cache preventing keep state from functioning

fix handling of \ to indicate a continued line in .conf files

include port ranges in the allowed input for ipf when using "port = ()"

only advance TCP state for packets on the leading edge of the window. (B1)

using ipnat -l can lead to memory corruption in high stress situations

track TCP sequence numbers with NAT so that it can do timeout advances
correctly inline with state

ICMP checksums for some redirect'd packets are not adjusted correctly.

IPv6 address components need to be explicitly cast to a 32bit pointer
boundary so that compilers don't try to access them as two 64bit
pieces (no guarantee is made that an Ipv6 address is on a 64bit
aligned address)

filling up the ipauth packet queue can lead to no more packets being
processed.

locking used to deref a nat entry causes a significant performance hit

m_pulldown isn't properly handled, leading to possible panics with ICMPv6
packets

IPv6 fragment handling doesn't allow for "keep frag" to work

build on Solaris10 Update4 with pfhooks in the kernel

logging of Ipv6 packets with extension headers fix - Miroslaw Luc

4.1.24 - Released 8 July 2007

patch from Stuart Remphrey to address recursive mutex lock with TCP state

add hash table bucket stats display to ipnat -s

give ASSERT some teeth for user compiles

initialising ipf_global, ipf_frcache, ipf_mutex should all be done very
early on

do some caddr_t cleanup, where possible

fr_ref no longer tracks the number of children rules in a group for head rules

make sure all BCOPY* have a value assigned to something

fix possible use of icmp pointer after pullup makes it invalid

resolve compile problems related to FreeBSD tree

4.1.23 - Released 31 May 2007

NAT was not always correctly fixing ICMP headers for errors

some TCP state steps when closing do not update timeouts, leading to
them being removed prematurely. (B2)

fix compilation problems for netbsd 4.99

protect enumeration of lists in the kernel from callout interrupts on
BSD without locking

fix various problems with IPv6 header checks: TCP/UDP checksum validation
was not being done, fragmentation header parsed dangerously and routing
header prevented others from being seen

fix gcc 4.2 compiler warnings

fix TCP/UDP checksum calculation for IPv6

fix reference after free'ing ipftoken memory

4.1.22 - Released 13 May 2007

fix endless loop when flushing state/NAT by idle time

4.1.21 - Released 12 May 2007

show the number of states created against a rule with "-v" for ipfstat

fix build problems with FreeBSD

make it possible to flush the state table by idle time and TCP state

fix flushing out idle connections when state/NAT tables fill

print out the TCP state population with ipfstat/ipnat

stop creation of state table orphans via return-*/fastroute

fix printing out of rule groups - they now only appear once

4.1.20 - Released 30 April 2007

adjust TCP state numbers, making 11 closed (was 0) to better facilitate
detecting closing connections that we can wipe out when a SYN arrives
that matches the old

make it compile on Solaris10 Update3

structures used for ipf command ioctls weren't being freed in timeout
fashion on solairs

use NL_EXPIRE, not ISL_EXPIRE, for expiring NAT sessions

adjust TCP timeout values and introduce a time-wait specifc timeout
to get a better TCP FSM emulation and one that can hopefully do a better
job of cleaning up in a speedy fashion than previous

refactor the automatic flushing of TCP state entries when we fill up,
but use the same algorithm as before but now it hopefully works

only 2 out of 4 interface names were being changed by ipfs when
interface renaming was being used for state entries

add ipf_proxy_debug to ipf-T

matching of last fragments that had a number of bytes that wasn't a
multiple of 8 failed

some combinations of TCP flags are considered bad aren't picked up as such,
but these may be possible with T/TCP

4.1.19 - Released 22 February 2007

Fix up compilation problems with NetBSD and Solaris.

4.1.18 - Released 18 February 2007

fix compiling on Tru64

fix listing out filter rules with ipfstat (delete token at end of
the list and detect zero rule being returned.)

fix extended flushing of NAT tables (was clearing out state tables)

fix null-pointer deref in hash table lookup

fix NAT and stateful filtering with to/reply-to on destination interface

4.1.17 - Released 20 January 2007

make flushing pools that are still in use mark them for deletion and
have attempting to recreate them clear the delete flag

walking through the NAT tables with ioctls caused lock recursion

fix tracking TCP window scaling in the state code

4.1.16 - Released 20 December 2006

allow rdr rules to only differ on the new port number

when creating state entry orphans, leave them on the linked list but not
attached to the hash table and mark them visible as orphans in "ipfstat -sl"

log state removed when unloading differently to allow visible cues

return ipf ticks via SIOCGETGS for /dev/ipnat so "ipnat -l" can display ttl

abort logging a packet if the mbuf pointer is null when ipflog is called

Some NetBSD's have a selinfo.h instead of select.h

SIOCIPFFL was using copyoutptr and should have been using bcopy for /dev/ipauth

listing accounting rules using ioctl interface wasn't possible

fix leakage of state entries due to packets not matching up with NAT

improve ICMP error packet matching with state/NAT

fix problems with parsing and printing "-" as an interface name in ipnat.conf

4.1.15 - Released 03 November 2006

Add in automatic flushing of NAT, like state, table if it fills up too much

Update comments in the code for NAT checksum adjustments

Fix compiling on FreeBSD 5.4 and 6.0

prevent panics from read/write IOs trying to use uninitialised structures

Newer NetBSD should use malloc() instead of MALLOC() in the kernel where
the size is not staticly defined

Some gcc warning message cleanup from NetBSD

Missing include for <sys/filio.h> on Solaris for poll work

NetBSD now uses opt_ipfilter.h, not opt_ipfilter_log.h

4.1.14 - Released 04 October 2006

rewrite checksum alteration for ICMP packets being NAT'd to use a sane
algorithm that can be understood...now it needs better comments

fix 1 byte error in checksum validation perl script

remove unused files in lib directory

ipftest will say "bad-packet" if it has been freed rather than just "blocked"

make it possible to load IP address pools from external files in ippool.conf

update copyright messages in tools directory

consolidate ioctl hanlding source code into fil.c

make ipfstat, ippool, ipnat retrieve information via ioctls rather than /dev/kmem

4.1.13 - Released 4 April 2006

fix bug where null pointers introduced by proxies could cause a crash

pass out the rule flags with SIOCAUTHW

force loading NAT rules with bad proxy labels to cause an error

nat_state is used unsafely in calls to fr_addstate

make return-rst and return-icmp* work with auth rules

4.1.12 - Released 28 March 2006

poll support on FreeBSD/NetBSD needs to use selrecord/selwakeup

make the fastroute code used by ipftest invoke state/NAT

move verbose/debug macros out of fil.c and into ip_fil.h (for wider use)

remove unused code in fr_fastroute

fix NAT with rules that specify forward and reverise interfaces

add missing ipfsync_canread() and ipfsync_canwrite()

behaviour of \ on the end of a line in ipf.conf does not match older behaviour

remove duplicate statistics line output with "ipfstat -s"

4.1.11 - Released 19 March 2006

Patch for NAT with ipfsync from N. Ersen (SESCI) - www.enderunix.org

NetBSD coverity report fixes (from run 5)

Possible to reacquire ipf_auth without releasing it in some circumstances

Locking in FreeBSD's iplioctl for ipf_global isn't present like it shoudl be

Add poll support for platforms I can build on: NetBSD, FreeBSD, Solaris, Linux

Using auth rules to return "keep state" got broken with pushing fr_addstate
call into fr_firewall

all use of '!' in map/rdr rules to match use in ipf configs

add -L command line option to ipmon to set the default syslog facility

looking up a port number is more complex than needed in ipft_tx.c

allow lib/getport to work when neither tcp or udp are specified in a rule

remove some dead code from lib/addicmpc, lib/facpri.c, lib/icmpcode.c

program in some more cases where TCP packets fail an initial in-window
check but should be allowed to match

filter rule added with NAT/state handling of SIOCSTPUT doesn't properly
initialise all fields, making it possible to panic

simplify NAT ICMP error handling where it updates checksums

rename "min" variables to "xmin" on NetBSD to avoid problems with the
macro "min"

#ifdef's for NetBSD compile incorrect for pfil interface

support select/poll on NetBSD

copying out a packet with an auth rule fails (EFAULT) because the wrong
pointer is passed to copyoutptr

ip_len/ip_off where byte swapped twice instead of once for packets
going to be stored on the auth queue

change timeout queue manipulation functions to make fewer mutex calls

fix use of skip rules with groups
fix coding problems discovered by the coverity project for FreeBSD

update BPF program validation with FreeBSD changes

4.1.10 - Released 6 December 2005

Expand regression testing to cover more features

Add "coverage" build target for BSD

Fix building 64bit sparc target for Solaris

Add IPv6 mobility header to list of accepted keywords for V6 headers

Resolve locking problems on Solaris when sending RST/icmp packets

#ifdef's for IPFILTER_BPF need to check if words are defined before
using them in comparisons

Add checking for SACK permitted option in TCP SYN packets

Fix loading anonymous pools from inline rule configuration groups

Add -C command line option to ipftest

Include extra "const" from NetBSD

Don't require SIOCKSTLCK for SIOCSTPUT

Fix some use of "sticky" on NAT rules

Fix statistical counting of deleting state for TCP connections

Fix compile problems caused by changes to is_opt/is_optmsk in ip_sync.c

Fix TCP out-of-window (OOW) problems:
- window scaling turned off if one chose for its scale factor
- Microsoft Windows TCP sends the "next packet" to the right of the window
  when using SACK and filling in a hole

4.1.9 - Released 13 August 2005

make ipfilter fix IPv4 header checksums for outgoing packets if BRIDGE_IPF
is defined when compiled.

move the definition of SIOCPROXY from ip_nat.h to ip_proxy.h

make the BSD/upgrade script more instructive about the requiements for
ip_rules.[ch] when it is run

register for interface events on FreeBSD (>5.2.1) and NetBSD so that
"ipf -y" is not not requried to tell ipfilter about interface changes.

for "quick" rules that do "keep state", move the state adding into the rule
evaluation so that we can detect it failing as rules are evaluated and
continue on to the next rather than wait until we're done and it's too late
to recover for more rule processing.

mark ICMP packets advertising an MTU that's too small as being bad

rework ipv6 header parsing to get better code reuse and fix logic errors
in dealing with ipv6 packets containing fragment headers.  Also, where a
protocol handler was doing both v4 & v6, make a seperate function for each.

build for both amd64 and i86pc (32bit) on Solaris10 and later, if possible

include start of work to get IPFilter working on AIX 5.3

Use FI_ICMPERR flag rather than try to compute its equivalent all the time

Rewrork IPv6 extension header parsing to get better code reuse

Add missing timeout on Linux

Fix for locking when reading from ipsync (Frank Volf)

Fix insertion/appending of rules that use a collection number

Somehow turning up the spl knob to splnet disappeared on platforms that still
use the spl interface.

fix problems with "ipf -T" not listing multiple variables properly

4.1.8 - Released 29 March 2005

include path from Phil Dibowitz for sorting ipfstat -t output by source or
destination port.

fix a bug in printing rules where interface names could not be printed,
even if they're in the rule structure.

fix BSD/kupgrade to correctly change ipfilter lkm Makefile for FreeBSD

add 2 new features to SIOCGNATL:
- if IPN_FINDFORWARD is set, check if the respective MAP is already
  present in the outbound table
- if IPN_IN is set, search for a matching MAP entry instead of RDR
  (Peter Potsma)

turn off function inlining for freebsd 5.3+

UDP doesn't pullup enough data which can sometimes cause a panic.
Fix other protocols, as required, where a similar problem may exist.

overhaul the timeout queue management, especially that for user defined queues
which are now only freed in an orderly manner.

4.1.7 - Released 13 March 2005

Using the GRE call field is almost impossible because it is unbalanced and
both call fields are not present in each v1 header.

Fix a problem where it was possible to load duplicate rules into ipf

patch from John Wehle to address problems with fastroute on solaris

Copying data out for ipf -z failed because it tried to copy out to an address
that is a kernel pointer in user space.

add "ip" timeout for both NAT & state that's for non-TCP/UDP/ICMP

synch up with NetBSD's changes

fix problems parsing long lines of text in the ftp proxy where they would not
be parsed properly and stop the session from working

enhance the PPTP proxy so that it tries to decode messages in the TCP stream
so it knows when to create and destroy the state/nat sessions for GRE.  There
are also 4 new regression tests for it, testing map/rdr rules.

impose some limits on the size of data that can be moved with SIOCSTPUT in
the NAT code and also prevent a duplicate session entry from being created
using this method.

add a new flag (IPN_FINDFORWARD) to NAT code that can be used with SIOCGNATL
to check if it is possible to create an outgoing transparent NAT mapping to
compliment the redirect being investigated.

Linux requires that the checksums in the IP header get adjusted

only resolve unknown interfaces in fr_stinsert, and nuke all interface pointers
in SIOCSTPUT to prevent bad data being loaded from userspace.

make the byte counting for state correct (was counting data from ICMP packet
twice)

print out the keyword "frag-body" if the flag is set.

fix ipfs loading/restoring NAT sessions

patch from Frank to correctly format IP addresses in ipfstat -t output

parsing port numbers in ipf/ipnat was confusing as the port number was returned
in an int that was also overloaded to be the suceess/failure.  instead, change
the port using pass by reference and only use the return value for indicating
success or failure.

4.1.6 - Released 19 February 2005

add a new timeout number to NAT (fr_defnatipage) that is used for all
non-TCP/UDP/ICMP protocols - default 60 seconds.

buffer leak with bad nat - David Gueluy

fix memory leak with state entries created by proxies

eliminate copying too much data into a scan buffer

allow a trailing protocol name for map rules as well as rdr ones

fix bug in parsing of <= and > for NAT rules (two were crossed over)

FreeBSD's iplwrite hasn't kept pace with iplread's prototype

expand documention on the karma of using "auto" in ipnat map rules

add matching on IP protocol to ipnat map rules

allow ippool definitions to contain no addresses to start with

Linux NAT needs to modify the IP header checksum as it gets called after it
has been computed by IP.

UDP was missing a pullup for packet header information before examining
the header

4.1.5 - Released 9 January 2005

all rules were being converted into "dup-to" rules in the kernel

fix two ftp proxy problems: 1st, buffer needs to be bigger for fitting in
complete RETR/CWD commands, 2nd is () use in 227 messages isn't copied
over correctly.

response to CWDs
revert ip_off back to network byte order in the ICMP error packet that
gets generated.

4.1.4 - Released 9 January 2005

force NAT rules to only match ipv4 NAT rules (which all are, currently,
by default)

include state synchronisation fixes from Frank Volf

make the maximum log size for internally buffered log entries accessible
via "ipf -T"

redesign start of fr_check() to avoid putting duplicate information in
ipfilter about how much data needs to be pulled up for a protocol to be
properly filtered.

tidy up sending ICMP error messages - some bad inputs could result in
data not being freed and/or no error returned.

make the maximum size of the log buffer run-time tunable

fix bug in parsing TCP header when looking for MSS option that could make
the system hang

change pool lookups that fail to find a match to return "no match"
rather than fail.

add run-time tunable debugging for proxy support code and FTP proxy.

fix state table updates for entries where the first packet as an ICMPv6
multicast message

fix hang when flushing state for v4/v6 and other (v6/v4) entries are present
too

attaching filtering to ipv6 pfil hook wasn't present for solaris

don't allow rules with "keep state" and "with oow"

move a bunch of userland only code from fil.c to ip_fil.c

make fr_coalesce() more resiliant to bad input, just returning an error
instead of crashing, making calling it easier in many places

When m_pulldown doesn't return NULL, it doesn't necessarily return a pointer
to the same mbuf passed in as the first arg.

remove fr_unreach and use ENETUNREACH by default.

printing out of tag data in ipf rules doesn't match input syntax

ipftest(1) man page update

ipfs command line option parsing still rejects some valid syntaxes

SIGHUP handling by ipmon was not as safe as it could be

fix various parsing regressions, including "<thishost>", "tcpudp", ordering
of "keep" options

patches from Frank Volk: add udp_acktimeout to sysctl list for FreeBSD,
ICMP packet length not calculated correctly in send_icmp_err, reply-to
not printed by ipfstat, keep state with icmp passing (mtrr)

patches for return-rst and return-icmp from Attila Fueloep
(lichtscheu@gesindel.org)

4.1.3 - Released 18 July 2004

do some more fine tuning on NAT checksum adjustments

correct IP address byte order in proxy setup for ipsec/pptp

man page updates

fix numerous problems with ipfs operation

complete new syntax for ipmon.conf in its parser and update the sample file

assign error value consistantly in fastroute code

rewrite allocation of mbufs in send_reset/send_icmp_err to better use
mbuf clusters and size calculations

resolve problem with linux panic'ing because the wrong flag was being
passed to skb_clone/skb_alloc

enable use of shared/exclusive locks on freebsd5 and above

do not rely on m_pkthdr.len to be valid all the time for mbufs on modern BSD
and so use mbufchainlen to get the mbuf length instead

replace lots of COPYIN/COPYOUT with BCOPYIN/BCOPYOUT where the data is
going to be on the stack and not in userland

packet buffer pointers were not refreshed & used properly in fr_check()

include extra bits for OpenBSD 3.4 & 3.5.

fix ipf/ipnat parsing regression problems with v3.4

4.1.2 - RELEASED - 27 May 2004

add state top for ipv6

fix numerous parsing regressions

change sample proxies to use SIOCGNATL with the new API

allow macro names to contain underscores (_)

split the parser into a collection of dictionaries so that keywords do
not interfere with resolving hostnames and portnames

fix ipfrule LKM loading on freebsd

support mapping a fixed range of ports to a single port

fix timeout queue use by proxies with private queues

handle space-led ftp server replies properly

fix timeout queue management

fix fastroute, generation of RST & ICMP packets and operation with to/fastroute

resolve further linux compatibility problems

replace the use of COPYIN with BCOPYIN for platforms that provide ioctl
args on the stack

allow flushing of ipv6 rules independant of ipv4 rules

correct internal ipv6 checksum calculations

if a 'keep state' rule fails to create state, block the packet rather
than let it through

correct all checksums in regression tests and correct NAT code to adjust
checksums correctly.

fix ipfs -R/-W

4.1.1 - RELEASED - 24 March 2004

allow new connections with the same port numbers as an existing one
in the state table if the creating packet is a SYN

timeout values have drifted, incorrectly, from what they were in 3.4

FreeBSD - compatibility changes for 5.2

don't match on sequence number (as well) for ICMO ECHO/REPLY, just the
ICMP Id. field as otherwise thre is a state/NAT entry per packet pair
rather than per "flow"

fr_cksum() returned the wrong answer for ICMP

Linux:
- get return-rst and return-icmp working
- treat the interface name the same as if_xname on BSD

adjust expectations for TCP urgent bits based on observed traffic in the
wild

openbsd3.4 has ip_len/ip_off in network byte order when ipfilter is called

fix flushing of hash pool gorups (ippool -F) as well as displaying them
(ippool -l)

passing of pointers to interface structures wrong for HP-UX/Solaris with
return-* rules.

Make the solaris boot script able to run on 2.5.1

ippool related files missing from Solaris packages

The name /dev/ippool should be /dev/iplookup

add regression testing for parsing long interface names in nat rules,
along with mssclamp and tags.  Also add test for mssclamp operation.

ttl displayed for "ipfstat -t" is wrong because ttl is not computed.

parse logical interface names (Sun)

unloading LKMs was only working if they were enabled.

sync'ing up NAT sessions when NICs change should cause NAT rules to
re-lookup name->pointer mappings

not all of the ippool ioctl's are IOWR and they should be because they
use the ipfobj_t for passing information in/out of the kernel.  leave the
old values defined and handle them, for compatibility.

pool stats wrong: ippoolstate used where ipoolstat should be, hash table
  statistics not reported at all

fr_running not set correctly for OpenBSD when compiled into the kernel

Allow SIOCGETFF while disabled

Fix mssclamp with NAT (pasing and printing of the word, plus wrong bytes
altered.  How do you say "untested" ?)

4.1 - RELEASED - 12 February 2004

4.0-BETA1 20 August 2003

support 0/32 and 0/0 on the RHS in redirect rules

where LHS and RHS netmasks are the same size for redirect, do 1:1 mapping
for bimap rules.

allow NAT rule to match 'all' interfaces with * as interface name

do mapping of ICMP sequence id#'s in pings

allow default age for NAT entries to be set per NAT rule

provide round robin selection of destination addresses for redirect

ipmon can load a configuration file with instructions on actions
to take when a matching log entry is received

now requires pfil to work on Solaris & HP-UX

supports mapping outbound connections to a specific address/port

support toggling of logging per ipfilter 'device'

use queues to expire data rather than lists

add MSN RPC proxy

add IRC proxy

support rules with dynamic ip addresses

add ability to define a pool of addresses & networks which can then
be placed in a single rule

support passing entire packet back to user program for authentication

support master/slave for state information sharing

reorganise generic code into a lib directory and make libipf.a

user programs enforce version matching with the kernel

supports window scaling if seen at TCP session setup

generates C code from filter rules to compile in or load as native
machine code.

supports loading rules comprised of BPF bytecode statements

HP-UX 11 port completed

and packets-per-second filtering

add numerical tags to rules for filtering and display in ipmon output

3.4.4 23/05/2000 - Released

don't add TCP state if it is an RST packet and (attempt) to send out
RST/ICMP packets in a manner that bypasses IP Filter.

add patch to work with 4.0_STABLE delayed checksums

3.4.3 20/05/2000 - Released

fix ipmon -F

don't truncate IPv6 packets on Solaris

fix keep state for ICMP ECHO

add some NAT stats and use def_nat_age rather than DEF_NAT_AGE

don't make ftp proxy drop packets

use MCLISREFERENCED() in tandem with M_EXT to check if IP fields need to be
swapped back.

fix up RST generation for non-Solaris

get "short" flag right for IPv6

3.4.2 - 10/5/2000 - Released

Fix bug in dealing with "hlen == 1 and opt > 1" - Itojun

ignore previous NAT mappings for 0/0 and 0/32 rules

bring in a completely new ftp proxy

allow NAT to cause packets to be dropped.

add NetBSD callout support for 1.4-current

3.4.1 - 30/4/2000 - Released

add ratoui() and fix parsing of group numbers to allow 0 - UINT_MAX

don't include opt_inet6.h for FreeBSD if KLD_MODULE is defined

Solaris must use copyin() for all types of ioctl() args

fix up screen/tty when leaving "top mode" of ipfstat

linked list for maptable not setup correctly in nat_hostmap()

check for maptable rather than nat_table[1] to see if malloc for maptable
succeeded in nat_init

fix handling of map NAT rules with "from/to" host specs

fix printout out of source address when using "from/to" with map rules

convert ip_len back to network byte order, not plen, for solaris as ip_len
may have been changed by NAT and plen won't reflect this

3.4 - 27/4/2000 - Released

source address spoofing can be turned on (fr_chksrc) without using
filter rules

group numbers are now 32bits in size, up from 16bits

IPv6 filtering available

add frank volf's state-top patches

add load splitting and round-robin attribute to redirect rules

FreeBSD-4.0 support (including KLD)

add top-style operation mode for ipfstat (-t)

add save/restore of IP Filter state/NAT information (ipfs)

further ftp proxy security checks

support for adding and removing proxies at runtime

3.3.13  26/04/2000 - Released

Fix parsing of "range" with "portmap"

Relax checking of ftp replies, slightly.

Fix NAT timeouts for ICMP packets

SunOS4 patches for ICMP redirects from Jurgen Keil (jk@tools.de)

3.3.12  16/03/2000 - Released

tighten up ftp proxy behaviour.  sigh.  yuck.  hate.

fix bug in range check for NAT where the last IP# was not used.

fix problem with icmp codes > 127 in filter rules caused bad things to
happen and in particular, where #18 caused the rule to be printed
erroneously.

fix bug with the spl level not being reset when returning EIO from
iplioctl due to ipfilter not being initialized yet.

3.3.11  04/03/2000 - Released

make "or-block" work with lines that start with "log"

fix up parsing and printing of rules with syslog levels in them

fix from Cy Schubert for calling of apr_fini only if non-null


3.3.10	24/02/2000 - Released

* fix back from guido for state tracking interfaces

* update for NetBSD pfil interface changes

* if attaching fails and we can abort, then cleanup when doing so.

julian@computer.org:
* solaris.c (fr_precheck): After calling freemsg on mt, set it point to *mp.
* ipf.c (packetlogon): use flag to store the return value from get_flags.
* ipmon.c (init_tabs): General cleanup so we do not have to cast
  an int s->s_port to u_int port and try to check if the u_int port
  is less than zero.

3.3.9	15/02/2000 - Released

fix scheduling of bad locking in fr_addstate() used when we attach onto
a filter rule.

fix up ip_statesync() with storing interface names in ipstate_t

fix fr_running for LKM's - Eugene Polovnikov

junk using pullupmsg() for solaris - it's next to useless for what we
need to do here anyway - and implement what we require.

don't call fr_delstate() in fr_checkstate(), when compiled for a user
program, early but when we're finished with it (got fr & pass)

ipnat(5) fix from Guido

on solaris2, copy message and use that with filter if there is another
copy if it being used (db_ref > 1).  bad for performance, but better
than causing a crash.

patch for solaris8-fcs compile from Casper Dik

3.3.8	01/02/2000 - Released

fix state handling of SYN packets.

add parsing recognition of extra icmp types/codes and fix handling of
icmp time stamps and mask requests - Frank volf

3.3.7	25/01/2000 - Released

sync on state information as well as NAT information when required

record nat protocol in all nat log records

don't reuse the IP# from an active NAT session if the IP# in the rule
has changed dynamically.

lookup the protocol for NAT log information in ipmon and pass that to
portname.

fix the bug with changing the outbound interface of a packet where it
would lead to a panic.

use fr_running instead of ipl_inited. (sysctl name change on freebsd)

return EIO if someone attempts an ioctl on state/nat if ipfilter is not
enabled.

fix rule insertion bug

make state flushing clean anything that's not fully established (4/4)

call fr_state_flush() after we've released ipf_state so we don't generate
a recursive mutex acquisition panic

fix parsing of icmp code after return-icmp/return-icmp-as-dest and add
some patches to enhance parsing strength

3.3.6	28/12/1999 - Released

add in missing rwlock release in fr_checkicmpmatchingstate() and fix check
for ICMP_ECHO to only be for packet, not state entry which we don't have yet.

handle SIOCIPFFB in nat_ioctl() and fr_state_ioctl()

fix size of friostat for SunOS4

fix bug in running off the end of a buffer in real audio proxy

3.3.5	11/12/1999 - Released

fix parsing of "log level" and printing it back out too

<net/if_types.h> is only present on Solaris2.6/7/8

use send_icmp_err rather than icmp_error to send back a frag-needed error
when doing PMTU

do not use -b with add_drv on Solaris unless $BASEDIR is set.

fix problem where source address in icmp replies is reversed

fix yet another problem with real audio.

3.3.4	4/12/1999 - Released

fix up the real audio proxy to properly setup state information and NAT
entries, thanks to Laine Stump for testing/advice/fixes.

fix ipfr_fastroute to set dst->sin_addr (Sean Farley - appears to prevent
FreeBSD 3.3 from panic'ing) as this had been removed in prior hacks to this
routine.

fix kinstall for BSDI

support ICMP errors being allowed through for ICMP packets going out with
keep state enabled

support hardware checksumming (gigabit ethernet cards) on Solaris thanks to
Tel.Net Media for providing hardware for testing.

patched from Frank Volf for ipmon (ICMP & fragmented packets) and allowing
ICMP responses to ICMP packets in the keep state table.

add in patches for hardware checksumming under solaris

Solaris install scripts now use $BASEDIR as appropriate.

add Solaris8 support

fix "ipf -y" on solaris so that it rescans rules also for changes in
interface pointers

let ipmon become a daemon with -D if it is using syslog

fix parsing of return-icmp-as-dest(foo)

add reference to ipfstat -g to ipfstat.8

ipf_mutex needs to be declared for irix in ip_fil.c

3.3.3	22/10/1999 - Released

add -g command line option to ipfstat to show groups still define.

fix problem with fragment table not recording rule pointer when called
from state functions (fin_fr not set).

fixup fastroute problems with keep state rules.

load rules into inactive set first, so we don't disable things like NIS
lookups half way through processing - found by Kevin Littlejohn

fix handling of unaligned ip pointer for solaris

patch for fr_newauth from Rudi Sluijtman

fixed htons() bug in fr_tcpsum() where ip_p wasn't cast to u_short

3.3.2	23/09/1999 - Released

patches from Scott Presnell to fix rcmd proxy

patches from Greg to fix Solaris detachment of interfaces

add openbsd compatibility fixes

fix free'ing already freed memory in ipfr_slowtimer()

fix for deferencing invalid memory in cleaning up after a device disappears

3.3.1	14/8/1999 - Released

remove include file sys/user.h for irix

prevent people from running buildsunos directly

fix up some problems with the saving of rule pointers so that NAT saves
that information in case it should need to call fr_addstate() from a proxy.

fix up scanning for the end of FTP messages

don't remove /etc/opt/ipf in postremove

attempt to prevent people running buildsolaris script without doing a
"make solaris"

fix timeout losing on freebsd3

3.3	7/8/1999 - Released

NAT: information (rules, mappings) are stored in hash tables; setup some
basic NAT regression testing.

display version name of installed kernel code when initializing.

add -V command line option to ipf, showing version (program and kernel
module) as well as the run-status of the kernel code.

fix problem with "log" rules actually affecting result of filtering.

automatically use SUNWspro if available and on a 64bit Solaris system for
compiling.

add kernel proxies for rcmd(3) and RealAudio (PNA)

use timeout/untimeout on SunOS4/BSD platforms too rather than hijacking
ip_slowtimo

fix IP headers generated through parsing of text information

fix NAT rules to be in the correct order again.

make keep-state work with to/fastroute keywords and enforce usage of those
interfaces.

update keep-state code with new algorithm from Guido

add FreeBSD-3 support

add return-icmp-as-dest option to retrun an ICMP packet using the original
destination as the source rather than a local IP address

add "level [facility.]<priority>" option to filter language

add changes from Guido to state code.

add code to return EPERM if the device is opened for writing and we're
in securelevel 2 or greater.

authentication code patches from Guido

fix real audio proxy

fix ipmon rule printing of interfaces and add IN/OUT to the end of ipmon
log output.

fix bimap rules with hash tables

update addresses used in NAT mappings for 0/32 rules for any protocol but TCP
if it changes on the interface - check every ip_natexpire()

add redirect regression test

count buckets used in the state hash table.

fix sending of RST's with return-rst to use the ack number provided in
the packet being replied to in addition to the sequence number.

fix to compile as a 64bit application on solaris7-64bit

add NAT IP mapping to ranges of IP addresses that aren't CIDR specified

fix calculation of in_space parameter for NAT

fix `wrapping' when incrementing the next ip address for use in NAT

fix free'ing of kernel memory in ip_natunload on solaris

fix -l/-U command line options from interfering with each other

fix fastroute under solaris2 and cleanup compilation for solaris7

add install scripts and compile cleanly on BSD/OS 4.0

safely open files in /tmp for writing device output when testing.

fix uninitialized pointer bug in NAT

fix SIOCZRLST (zero list rule stats) bug with groups

change some usage of u_short to u_int in function calling

fix compilation for Solaris7 (SUNWspro)

change solaris makefiles to build for either sparc or i386 rather than
per-cpu (sun4u, etc).

fixed bug in ipllog

add patches from George Michaelson for FreeBSD 3.0

add patch from Guido to provide ICMP checking for known state in the same
manner as is done for NAT.

enable FTP PASV proxying and enable wildcarding in NAT/state code for ports
for better PORT/PASV support with FTP.

bring into main tree static nat features: map-block and "auto" portmapping.

add in source host filtering for redirects (alan jones)

3.2.10		22/11/98 - Released

3.2.10beta9	17/11/98 - Released

fix fr_tcpsum problems in handling mbufs with an odd number of bytes
and/or split across an mbuf boundary

fix NAT list entry comparisons and allow multiple entries for the same
proxy (but on different ports).

don't create duplicate NAT entries for repeated PORT commands.

3.2.10beta8	14/11/98 - Released

always exit an rwlock before expecting to enter it again on solaris

fix loop in nat_new for pre-existing nat

don't setup state for an ftp connection if creating nat fails.

3.2.10beta7	05/11/98 - Released

set fake window in ipft_tx.c to ensure code passes tests.

cleaned up/enhanced ipnat -l/ipnat -lv output

fixed NAT handling of non-TCP/UDP packets, esp. for ICMP errors returned.

Solaris recusive mutex on icmp-error/tcp-reset - requires rwlock's rather
than mutexes.

3.2.10beta6	03/11/98 - Released

fix mixed use of krwlock_t and kmutex_t on Solaris2

fix FTP proxy back up, splitting pasv code out of port code.

3.2.10beta5	02/11/98 - Released

fixed port translation in ICMP reply handling

3.2.10beta4	01/11/98 - Released

increase useful statistic collection on solaris

filter DL_UNITDATA_REQ as well as DL_UNITDATA_IND on solaris

disable PASV reply translation for now

fail with an error if we try to load a NAT rule with a non-existant
   proxy name - Guido

fix portmap usage with 0/0 and 0/32 map rules

remove ap_unload/ap_expire - automatically done when NAT is cleaned up

print "STATE:CLOSED" from ipmon if the connection progresses past established
   rather than "STATE:EXPIRED"

3.2.10beta3	26/10/98 - Released

fixed traceroute/nat problem

rewrote nat/proxy interface

ipnat now lists associated proxy sessions for each NAT where applicable

3.2.10beta2	13/10/98 - Released

use KRWLOCK_T in place of krwlock_t for solaris as well as irix

disable use of read-write lock acquisition by default

add in mb_t for linux, non-kernel

some changes to progress compilation on linux with glibc

change PASV as well as PORT when passed through kernel ftp proxy.

don't allow window to become 0 in tcp state code

make ipmon compile cleaner

irix patches

3.2.10beta	11/09/98 - Released

stop fr_tcpsum() thinking it has run out of data when it hasn't.

stop solaris panics due to fin_dp being something wild.

revisit usage of ATOMIC_*()

log closing state of TCP connection in "keep state"

fix fake-arp table code for ipsend.

ipmon now writes pid to a file.

fix "ipmon -a" to actually activate all logging devices.

add patches for BSDOS4.

perl scripts for log analysis donated.

3.2.9	22/06/98 - Released

fix byte order for ICMP packets generated on Solaris

fix some locking problems.

fix malloc bug in NAT (introduced in 3.2.8).

patch from guido for state connections that get fragmented

3.2.8	08/06/98 - Released

use readers/writers locks in Solaris2 in place of some mutexes.

Solaris2 installation enhancements - Martin Forssen (maf@carlstedt.se)

3.2.7	24/05/98 - Released

u_long -> u_32_t conversions

patches from Bernd Ernesti for NetBSD

fixup ipmon to actually handle HUP's.

Linux fixes from Michael H. Warfield (mhw@wittsend.com)

update for keep state patch (not security related) - Guido

dumphex() uses stdout rather than log

3.2.6	18/05/98 - Released

fix potential security loop hole in keep state code.

update examples.

3.2.5	09/05/98 - Released

BSD/OS 3.1 .o files added for the kernel.

fix sequence # skew vs window size check.

fix minimum ICMP header size check.

remove references to Cybersource.

fix my email address.

remove ntohl in ipnat - Thomas Tornblom

3.2.4	09/04/98 - Released

add script to make devices for /dev on BSD boxes

fixup building into the kernel for FreeBSD 2.2.5

add -D command line option to ipmon to make it a daemon and SIGHUP causes
it to close and reopen the logfile

fixup make clean and make package for SunOS5 - Marc Boucher

postinstall keeps adding "minor=ipf ipl" - George Ross <gdmr@dcs.ed.ac.uk>

protected by IP Filter gif - Sergey Solyanik <solik@atom.ru>

3.2.3	10/11/97 - Released

fix some iplang bugs

fix tcp checksum data overrun, sgi #define changes,
avoid infinite loop when nat'ing to single IP# - Marc Boucher

fixup DEVFS usage for FreeBSD

fix sunos5 "make clean" cleaning up too much

3.2.2	28/11/97 - Released

change packet matching to return actual error, if bad packet, to facilitate
ECONNRESET for TCP.

allow ip:netmask in grammar too now - Guido

assume IRIX has u_int32_t in sys/types.h (needed for R10000)

rewrite parts of command line options for ipmon

fix TCP urgent packet & offset testing and add LAND attack test for iptest

fix grammar error in yacc grammar for iplang

redirect (rdr) destination port bytes-wapped when it shouldn't be.

general: fr_check now returns error code, such as EHOSTUNREACH or
ECONNRESET (attempt to make ECONNRESET work for locally outbound
packets).

linux: enable return-rst, need to filter tcp retransmits which are sent
       separately from normal packets

memory leak plugged in ip_proxy.c

BSDI compatibility patches from Guido

tcp checksum fix - Marc Boucher

recursive mutex and ioctl param fix - Marc Boucher

3.2.1	12/11/97 - Released

port to BSD/OS 3.0

port to Linux 2.0.31

patches to make "map a/m -> 0/0" work with ftp proxying properly - Marc Boucher

add "ipf -F s" and "ipf -F S" to flush state table entries.

announce if logging is on or off when ip filter initializes.

"ipf -F a" doesn't flush groups properly for Solaris.

3.2		30/10/97 - Released

ipnat doesn't successfully remove proxy mappings with "-rf" -
Alexander Romanyu

use K&R C function style for solaris kernel code

use m_adj() to decrease packet size in ftp proxy

use mbufchainlen rather than msgdsize,
IRIX update - Marc Boucher

fix NetBSD modunload bug (pfil_add_hook done twice)

patches for OpenBSD 2.1 - Craig Bevins <craigb@bitcom.net.au>

3.2beta10	24/10/97 - Released

fix fragment table entries allocated for NAT.

fix tcp checksum calculations over mbuf/mblk boundaries

fix panic for blen < 0 in ftp kernel proxy - marc boucher

fix flushing of rules which have been grouped.

3.2beta9	20/10/97 - Released

some nit picking on solaris2 with SUNWspro - Michael Lyle <mrl@rpnet.net>

ftp kernel proxy patches from Marc Boucher

3.2beta8	13/10/97 - Released

add support for passing ICMP errors back through NAT.

IRIX port update - Marc Boucher

calculate correct MIN size of packet to log for UDP - Marc Boucher

need htons(ETHERTYPE_x) on little endian BSD boxes - Dave Huang

copyright header fixups

3.2beta7	23/09/97 - Released

fickup problems introduced by prior merges & changes.

3.2beta6	23/09/97 - Released

patch for spin-reading race condition - Marc Boucher.

IRIX port by Marc Boucher.

compatibility updates for Linux to ipsend

3.2beta5	13/09/97 - Released

patches from Bernd Ernesti for NetBSD integration (mostly prototyping and
compiler warning things)

ipf -y will resync IP#'s allocated with 0/32 in NAT to match interface if it
changes.

update manual pages and other documentation updates.

3.2beta4	27/8/97 - Released

enable setting IP and TCP options for iplang/

Solaris2 patches from Marc Boucher.

add groups for filter rules.

3.2beta3	21/8/97 - Released

patches for Solaris2 (interface panic solution ?): fix FIONREAD and
replacing q_qinfo points - Marc Boucher <marc@CAM.ORG>

change ipsend/* and ipsd/* copyright notices to be the same as ip filter's

patch for SYN-ACK skew testing fix from Eric V. Smith <EricSmith@windsor.com>

3.2beta2	6/8/97 - Released

make it load on Solaris 2.3

rewrote logging to remove solaris errors, introduced checking to see if the
same packet is logged successively.

fix filter cache to work when there are no rules loaded.

add "raw" option to ipresend to send entire ethernet frames.

nat list corruption bug - NetBSD - Klaus Klein

3.2beta1	5/7/97 - Released

patches from Jason Thorpe fixing: UNSIGNED_CHAR lossage, off_t being 64bits
lossage, and other NetBSD bits.

NetBSD 1.2G update.

fixup fwtk patches and add protocol field for SIOCGNATL.

rdr bugs reported by Alexander Romanyu (alexr@aix.krid.crimea.ua), with
fixes:
* rdr matched all packets of a given protocol (ignored ports).
* severe bug in nat_delete which caused system crash/freeze.

change Makefile so that CC isn't passed on for FreeBSD/NetBSD (will use
the default CC - cc, not gcc)

3.2alpha9	16/6/97 - Released

added "skip" keyword.

implement preauthentication of packets, as outlined by Guido.

Make it compile as cleanly as possible with -Wall & general code cleanup

getopt returns int, not char. Bernd Ernesti

3.2alpha8	13/6/97 - Released

code added to support "auth" rules which require a user program to allow them
through.  First revision and much of the code came from Guido.

hex output from ipmon doesn't goto syslog when recovering from out of sync
error.  Luke Mewburn (lukem@connect.com.au)

fix solaris2.6 lookup of destination ire's.

ipnat doesn't throw away unused bits (after masking), causing it to
behave incorrectly. Carson Gaspar

NAT code doesn't include inteface name when matching - Alexey Mavrin
<lha@elco.spb.ru>

replace old SunOS tcpip.h with new tcpip.h (from 4.4BSD) - Jason Thorpe.

update install procedures to include ip_proxy.c

mask out unused bits in NAT/RDR rules.

use a generic type (u_32_t) for 32bit variables, rather than rely on
u_long being such - Jason Thorpe.

create a local "netinet" directory and include from ~netinet/*" rather than
just "*" to make keeping the code working on ports easier.

add an m_copydata and m_copyback for SunOS4 (based on 4.4BSD-Lite versions)

documentation updates.

NetBSD update from Jason Thorpe <thorpej@netbsd.org>

allow RST's through with a matching SEQ # and 0 ACK.  Guido Van Rooij

ipmon uses excessive amounts of CPU on Solaris2 - Reinhard Bertram
<Reinhard.Bertram@KOM.th-darmstadt.de>

3.2alpha7	25/5/97 - Released

add strlen for pre-2.2 kernels - Doug Kite <dkite@websgi.icomnet.com>

setup bits and pieces for compiling into a FreeBSD-2.2 kernel.

split up "bsd" targets.  Now a separate netbsd/freebsd/bsd target.
mln_ipl.c has been split up into itself and mlf_ipl.c (for freebsd).

fix (negative) host matching in filtering.

add sysctl interface for some variables when compiled into FreeBSD-2.2 kernels
or later.

make all the candidates for kernel compiling include "netinet/..." and build
a subdirectory "netinet" when compiling and symlink all .h files into this.

add install make target to Makefile.ipsend

3.2alpha6	8/5/97 - Released

Add "!" (not) to hostname/ip matching.

Automatically add packet info to the fragment cache if it is a fragment
and we're translating addreses for.

Automatically add packet info to the fragment cache if it is a fragment
and we're "keeping state" for the packet.

Solaris2 patches - Anthony Baxter (arb@connect.com.au)

change install procedure for FreeBSD 2.2 to allow building to a kernel
which is different to the running kernel.

add FIONREAD for Solaris2!

when expiring NAT table entries, if we would set a time to fr_tcpclosed
(which is 1), make it fr_tcplaskack(20) so that the state tables have a
chance to clear up.

3.2alpha5

add proxying skeleton support and sample ftp transparent proxy code.

add printfs at startup to tell user what is happening.

add packets & bytes for EXPIRE NAT log records.

fix the "install-bsd" target in the root Makefile. Chris Williams
<psion@mv.mv.com>

Fixes for FreeBSD 2.2 (and later revs) to prevent panics.  Julian Assange.

3.2alpha4	2/4/97 - Released

Some compiler warnings cleaned up.

FreeBSD-2.2 patches for LKM completed.

3.2alpha3	31/3/97 - Released

ipmon changes: -N for reading NAT logfile, -S for reading state logfile.
-a for reading all.  -n now toggles hostname resolution.

Add logging of new state entries and expiration of old state entries.
count log successes and failures.

Add logging of new NAT entries and expiration of old NAT entries.
count log successes and failures.

Use u_quad_t for records of bytes & packets where kept
(IP Accounting: fr_hits, fr_bytes; IP state: is_pkts, is_bytes).

Fixup use of CPU and DCPU in Makefiles.

Fix broken 0/32 NAT mapping. Carl Makin <cmakin@nla.gov.au>

3.2alpha2

Implement mapping to 0/32 as being an alias for automatically using the
interface's first IP address.

Implement separate minor devices for both NAT and IP state code.

Fully prototype all functions.

Fix Makefile problem due to attempt to fix Sun compiling problems.

3.1.10		23/3/97 - Released

ipfstat -a requires a -i or -o command line option too.  Print an error
when not present rather than attempt to do something.

patch updates for SunOS4 for kernel compiling.
patch for ipmon -s (flush's syslog file which isn't good).  Andrew J. Schorr
<schorr@ead.dsa.com>

too many people hit their heads hard when compiling code into the kernel
that doesn't let any packets through. (fil.c - IPF_NOMATCH)

icmp-type parsing doesn't return any errors when it isn't constructed
correctly.  Neil Readwin

Using "-conf" with modload on SunOS4 doesn't work.
Timothy Demarest <demarest@arraycomm.com>

Need to define ARCH in makefile for SunOS4 building.  "make sunos4"
in INSTALL.SunOS is incorrect. James R Grinter <jrg@blodwen.demon.co.uk>
[all SunOS targets now run buildsunos]

NAT lookups are still incorrect, matching non-TCP/UDP with TCP/UDP
information. ArkanoiD <ark@paranoid.convey.ru>

Need to check for __FreeBSD_version being 199511 rather than 199607
in mln_ipl.c. Eric Feillant <Eric.Feillant@EUnet.fr>

3.1.9		8/3/97 - Released

fixed incorrect lookup of active NAT entries.

patch for ip_deq() wrong for pre 2.1.6 FreeBSD.
fyeung@fyeung8.netific.com (Francis Yeung)

check for out with return-rst/return-icmp at wrong place - Erkki Ritoniemi
(erkki@vlsi.fi)

text_readip returns the interface pointer pointing to text on stack -
Neil Readwin

fix from Pradeep Krishnan for printout rules "with not opt sec".

3.1.8		18/2/97 - Released

Diffs for ip_output.c and ip_input.c updated to fix bug with fastroute and
compiling warnings about reuse of m0.

prevent use of return-rst and return-icmp with rules blocking packets going
out, preventing panics in certain situations.

loop forms in frag cache table - Yury Pshenychny <yura@rd.zgik.zaporizhzhe.ua>

should use SPLNET/SPLX around expire routines in NAT/frag/state code.

redeclared malloc in 44arp.c -

3.1.7		8/2/97 - Released

Macros used for ntohs/htons supplied with gcc don't always work very well
when the assignment is the same variable being converted.

Filter matching doesn't not match rule which checks tcp flags on packets
which are fragments - David Wilson

3.1.7beta	30/1/97 - Released

Fix up NAT bugs introduced in last major change (now tested), including
nat_delete(), nat_lookupredir(), checksum changes, etc.

3.1.7alpha	30/1/97 - Released

Many changes to NAT code, including contributions from Laurent Joncheray
<lpj@ans.net>

Use "NO_SLEEP" when allocating memory under SunOS.

Make kernel printf's nicer for BSD/SunOS4

Always do a checksum for packets being filtered going out and being
processed by fastroute.

Leave kernel to play with cdevsw on *BSD systems with LKM's.

ipnat.1 man page fixes.

3.1.6		21/1/97 - Released

Allow NAT to work on BSD systems in conjunction with "pass .. to ifname"

Memory leak introduced in 3.1.3 in NAT lists, clearing of NAT table tried
to free memory twice.

NAT recalculates IP header checksum based on difference between IP#'s and
port numbers - should be just IP#'s (Solaris2 only)

3.1.5		13/1/97 - Released

fixed setting of NAT timeouts and use different timeouts for concurrent
TCP sessions using the same IP# mapping (when port mapping isn't used)

multiple loading/unloading of LKM's doesn't clean up cdevsw properly for
*BSD systems.

3.1.4		10/1/97	- Released

add command line options -C and -F to ipnat to flush NAT list and table

ipnat -l loops on output - Neil Readwin (nreadwin@nysales.micrognosis.com)

NetBSD/FreeBSD kernel malloc changes - Daniel Carosone

3.1.3		10/1/97 - Released

NAT chains not constructed correctly in hash tables - Antony Y.R Lu
(antony@hawk.ee.ncku.edu.tw)

Updated INSTALL.NetBSD, INSTALL.FreeBSD and INSTALL.Sol2

man page update (ipf.5) from Daniel Carosone (dan@geek.com.au)

ICMP header checksum update now included in NAT.

Solaris2 needs to modify IP header checksums in ip_natin and ip_natout.

3.1.2		4/12/96 - Released

ipmon doesn't use syslog all the time when given -s option

fixed mclput panic in ip_input.c and replace ntohs() with NTOHS() macro

check the results of hostname resolution in ipnat

"make *install" fixed for subdirectories.

problems with "ARCH:=" and gnu make resolved

parser reports an error for lines with whitespaces only rather than skipping
them. D.Carosone@abm.com.au (Daniel Carosone)

patches for integration into NetBSD-current (post 1.2).

add an option to allow non-IP packets going up/down the stream on Solaris2
to be dropped. John Bass.

3.1.2beta	21/11/96 - Released

make ipsend compile on Linux 2.0.24

changes to TCP kept state algorithm, making it watch state on TCP
connections in both directions.  Also use the same algorithm for NAT TCP.

-Wall cleanup - Bernd Ernesti

added "or-block" for "pass .. log or-block" after a suggestion from
David Oppenheim (davido@optimation.com.au)

added subdirectories for building IP Filter in SunOS5/BSD for different
cpu architecures

Solaris2 fixes to logging and pre-filtering packet processing - 3.1.1p2

mbuf logging not using mtod(), remove iplbusy - 3.1.1p1		1/11/96

3.1.1		28/10/96 - Released

Installation script fixes and deinstall scripts for IP Filter on:
SunOS4/FreeBSD/NetBSD

Man page fixes - Paul Dubois (dubois@primate.wisc.edu)

Fix use of SOLARIS macro in ipmon, rewrote ipllog() (again!)

parsing isn't completely case insensitive - David Wilson
(davidw@optimation.com.au)

Release ipl_mutex across uiomove() calls

print entire rule entries out for "ipf -z" when zero'ing per-rule stats.

ipfstat returns same output for "hits" in "ipfstat -aio" - Terletsky Slavik
(ts@polynet.lviv.ua)

New algorithm for setting timeouts for TCP connection (more closely follow
TCP FSM) - Pradeep Krishnan (pkrishna@netcom.com)

Track both window sizes for TCP connections through "keep state".

Solaris2 doesn't like _KERNEL defined in stdargs.h - Jos van Wezel
(wezel@bio.vu.nl)

3.1.1-beta2	6/10/96 - Released

Solaris2 fastroute/dup-to/to now works

ipmon `record' reading rewritten

Added post-NetBSD1.2 packet filter patches - Mathew Green (mrg@eterna.com.au)

Attempt to use in_proto.c.diff, not "..diffs" for SunOS4 - David Wilson
(davidw@optimation.com.au)

Michael Ryan (mike@NetworX.ie) reports the following:
* The Trumpet WinSock under Windows always sends its SYN packet with an ACK
  value of 1, unlike any other implementation I've seen, which would set it
  to zero.  The "keep state" feature of IP Filter doesn't work when receiving
  non-zero ACK values on new connection requests.
* */Makefile install rule doesn't install all the binaries/man pages
* Make ipnat use "tcp/udp" instead of "tcpudp"
* Print out "tcp/udp" properly
* ipnat "portmap tcp" matches "portmap udp" when adding/removing
* NAT dest. ip# increased by one on mask of 0xffffffff when it shouldn't

3.1.1-beta	1/9/96 - Released

add better detection of TCP connections closing to TCP state monitoring.

fr_addstate() not called correctly for fragments.  "keep state" and
"keep frag" code don't work together 100% - Songqing Cai
(songqing_cai@sterling.com)

call to fr_addstate() incorrect for adding state in combination with keeping
fragment information - Songqing Cai (songqing_cai@sterling.com)

KFREE() passed fp (incorrect) and not fr (correct) in ip_frag.c - John Hood
(cgull@smoke.marlboro.vt.us)

make ipf parser recognise '\\' as a `continued line' marker - Dima Ruban
(dima@best.net)

3.1.1-alpha	23/8/96 - Released

kernel panic's when ICMP packets go through NAT code

stats aren't zero'd properly with ipf -Z

ipnat doesn't show port numbers correctly all the time and also add the
protocol (tcp/udp/tcpudp) to rdr output - Carson Gaspar (carson@lehman.com)

fast checksum fixing not 100% - backout patch - Bill Dorsey (dorsey@lila.com)

NetBSD-1.2 patches from - VaX#n8 <vax@linkdead.paranoia.com>

Usage() call error in fils.c - Ajay Shekhawat (ajay@cedar.buffalo.edu)

ip_optcopy() staticly defined in ip_output.c in SunOS4 - Nick Hall
(nrh@tardis.ed.ac.uk)

3.1.0		7/7/96 - Released

Reformatted ipnat output to be compatible with it's input, so that
"ipnat -l | ipnat -rf -" is possible.

3.1.0beta	30/6/96 - Released

NetBSD-1.2 patches from Greg Woods (woods@most.weird.com)

kernel module must not be installed stripped (Solaris2), as created by
"make package" for Solaris2 - Peter Heimann
(peter@i3.informatik.rwth-aachen.de)

3.1.0alpha	5/6/96 - Released

include examples in package for solaris2

patches for removing an extra ip header checksum (FreeBSD/NetBSD/SunOS)

removed trailing space from printouts of rules in ipf.

ipresend supports the same range of inputs that ipftest does.

sending a duplicate copy of a packet to another network devices is now
supported. ("dup-to")

sending a packet to an arbitary interface is now supported, irrespective
of its actual route, with no ttl decrement.  Can also be routed without
the ttl being decremented. ("to" and "fastroute").

"call" option added to support calling a generic function if a packet is
matched.

show all (upto 4) recorded bytes from the interface name in logging from
ipmon.

support for using unix file permissions for read/write access on the device
is now in place.

recursive mutex in nat_new() for Solaris 2.x - Per L. Hagen <per@stibo.dk>

ipftest doesn't call initparse() for THISHOST - Catherine Allen
(cla@connect.com.au)

Man page corrections from Rex Bona (rex@pengo.comsmiths.com.au)

3.0.4		10/4/96 - Released

looop in `parsing' IP packets with optlen 0 for ip options.

rule number not initialized and resulted in unexpected results for state
maching.

option parsing and printing bugs - Pradeep Krishnan

3.0.4beta	25/3/96	- Released

wouldn't parse "keep flags keep state" correctly.

SunOS4.1.x ip_input.c doesn't recognise all 1s broadcast address - Nigel Verdon

patches for BSDI's BSD/OS 2.1 and libpcap reader on little endian systems
from Thorsten Lockert <tholo@tetherless.com>

b* functions in fil.c on Solaris 2.4

3.0.3	17/3/96 - Released

added patches to support IP Filter initialisation when compiled into the
kernel.

added -x option to ipmon to display hex dumps of logged packets.

added -H option to ipftest to allow ascii-hex formatted input to specify
arbitary IP packets.

Sending TCP RSTs as a response now work for Solaris2 x86

add patches to make IP Filter compile into NetBSD kernels properly.

patch to stop SunOS 4.1.x kernels panicing with "data traps".

ipfboot script unloads and reloads ipf module on Solaris2 if it is already
loaded into the kernel.

Installation of IP Filter as a Solaris2 package is now supported.

Man pages for ipnat.4, ipnat.5 added.

added some more regression tests and fixed up IP Filter to pass the new tests
(previous versions failed some of the tests in set 12).

IP option filter processing has changed so that saying "with opt lsrr" will
check only for that one, but not mask out other options, so a packet with
strict source routing, along with loose source routing will match all of
"with opt lsrr", "with opt ssrr" and "with opt lsrr,ssrr".

IPL_NAME needed in ipnat.c - Kelly (kelly@count04.mry.scruznet.com)

patches for clean NetBSD compilation from Bernd Ernesti (bernd@arresum.inka.de)

make install is incorrect - Julian Briggs (julian@lightwork.co.uk)

strtol() returns 0x7fffffff for all negative numbers,
printfr() generates incorrect output for "opt sec-class *",
handling of "not opt xxx opt yyy" incorrect.
- Minh Tonthat (minht@sbei.com)/Pradeep Krishnan (pradeepk@sbei.com)

m_pullup() called only for input and not output; caused problems
with filtering icmp - Nigel Verdon (verdenn@gb.swissbank.com)

parsing problem for "port 1" and NetBSD patches incorrect -
Andreas Gustafsson (gson@guava.araneus.fi)

3.0.2	4/2/96 - Released

Corrected bug where NAT recalculates checksums for fragments.

make NAT recalculate UDP checksums (rather than setting them to 0),
if they're non-zero.

DNS patches - Real Page (Real.Page@Matrox.com)

alteration of checksum recalculations in NAT code and addition of
redirection with NAT - Mike Neuman

core dump, if tcp/udp is used with a port number and not service name,
in ipf - Mike Neuman (mcn@engarde.com)

initparse() call, missing to prime "<thishost>" hook - Craig Bishop

3.0.1	14/1/96 - Released

miscellaneous patches for Solaris2

3.0	14/1/96	- Released

Patch included for FDDI, from Richard Ohnemus
(Richard_Ohnemus@dallas.csd.sterling.com)

Code cleanup for release.

3.0beta4 10/1/96

recursive mutex in ipfr_slowtimer fixed, reported by Craig Bishop

recursive mutex in sending TCP RSTs fixed, reported by Tony Becker

3.0beta3 9/1/96

FIxup for Solaris2.5 install and interface name bug in ipftest from
Julian Briggs (julian@lightwork.co.uk)

Byte order patches for ipmon from Tony Becker (tony@mcrsys.com)

3.0beta2 7/1/96

Added the (somewhat warped) IP accounting as it exists in ipfw on FreeBSD.
Note, this isn't really what one would call IP account, when compared to
process accounting, sigh.

Split up ipresend into iptest/ipresend/ipsend

Added another m_pullup() inside fr_check() for BSD style kernels and
added some checks to ipllog() to not log more than is present (for short
packets).

Fixed bug where failed hostname/netname resolution goes undetecte and
becomes 0.0.0.0 (any) (reported Guido van Rooij)

3.0beta	11/11/95	- Released

Rewrote the way rule testing is done, reducing the number of files needed and
generated.

SIOCIPFFL was incorrectly affected by IPFILTER_LOG (Mathew Green)

Patches from Guido van Rooij to fix sending back TCP RSTs on Net-2/Net-3
BSD based Unixes (panic'd)

Patches for FreeBSD/i86 ipmon from Riku Kalinen <riku@tequila.nixu.fi>
(I think someone else already told me about these but they got lost :-/)

Changed Makefile structure to build object files for different operating
systems in separate directories by default.

BSDI has ef0 for first ethernet interface

Allow for a "not" operator before optional keywords.

The "rule number" was being incorrectly incremented every time it went through
the loop rather than when it matched a rule.

2.8.2	24/10/95	- Released

Fixed up problems with "textip" for doing lots of testing.

Fixed bug in detection of "short" tcp/ip packets (all reported as being short).

Solaris 2.4 port now works 100%.

Man page errors reported and fixed.

Removed duplicate entry in etc/services for login on port 49 (Craig Bishop).

Fixed ipmon output to put a space after the log-letter.

Patch from Guido van Rooij to fix parsing problem.

2.8.1	15/10/95	- Released

Added ttl and tos filtering.

Patches for fixing up compilation and port problems (little endian)
from Guido van Rooij <guido@IAEhv.nl>.

Man page problems reported and fixed by Carson Gaspar <carson@lehman.com>.

ipsend doesn't compile properly on Solaris2.4

Lots of work done for Solaris2.4 to make it MT/MP safe and work.

2.8	15/9/95		- Released

ipmon can now send messages to syslogd (-s) and use names instead of
numbers (-N).

IP packets are now "compiled" into a structure only containing filterable
bits.

Added regression testing in the test/ subdirectory, using a new option
(-b) with the ipftest program.

Added "nomatch" return to filter results.  These are counted and show
up in reports from ipfstat.

Moved filter code out of ip_fil.c and into fil.c - there is now only one
instance of it in the package.

Added Solaris 2.4 support.

Added IPSO basic security option filtering.

Added name support for filtering on all 19 named IP options.

Patches from Ivan Brawley to log packet contents as well as packet headers.

Update for sun/conf.c.diff from Ivan Brawley <ibrawley@awadi.com.AU>

Added patches for FreeBSD 1, and added two new switches (-E, -D) to ipf,
along with a new ioctl, SIOCFRENB.
From: Dieter Dworkin Muller <dworkin@village.org>

2.7.3	31/7.95		- Released

Didn't compile cleanly without IPFILTER_LOG defined (Mathew Green).

ipftest now deals with tcpdump3 binary output files (from libpcap) with -P.

Brought ipftest program upto date with actual filter code.

Filter would cause a match to occur when it wasn't meant to if the packet
had short headers and was missing portions that should have been there.
Err, it would rightly not match on them, but their absence caused a match
when it shouldn't have been.

2.7.2	26/7/95		- Released

Problem with filtering just SYN flagged packets reported by
Dieter Dworkin Muller <dworkin@village.org>.  To solve this
problem, added support for masking TCP flags for comparison "flags X/Y".

2.7.1	9/7/95		- Released

Added ip_dirbroadcast support for Sun ip_input.c

Fixed up the install scripts for FreeBSD/NetBSD to recognise where they are
better.

2.7	7/7/95		- Released

Added "return-rst" to return TCP RST's to TCP packets.

Actually ported it to FreeBSD-i386 2.0.0, so it works there properly now.

Added insertion of filter rules.  Use "@<#>" at the beginning of a filter
to insert a rule at row #.

Filter keeps track of how many times each rule is matched.

Changed compile time things to match kernel option (IPFILTER_LKM &
IPFILTER_LOG).

Updated ip_input.c and ip_output.c with paches for 3.5 Multicast IP.
(No change required for 3.6)

Now includes TCP fragments which start inside the TCP header as being short.
Added counting the number of times each rule is matched.


2.6	11/5/95		- Released

Added -n option to ipf: when supplied, no changes are made to the kernel.

Added installation scripts for SunOS 4.1.x and NetBSD/FreeBSD/BSDI.

Rewrote filtering to use a more generic mask & match procedure for
checking if a packet matches a rule.

2.5.2	27/4/95		- Released

"tcp/udp" and a non-initialised pointer caused the "proto" to become
a `random' value; added "ip#/dotted.mask" notation to the BNF.
From Adam W. Feigin  <feigin@iis.ee.ethz.ch>

2.5.1	22/3/95		- Released

"tcp/udp" had a strange effect (undesired) on getserv*() functions,
causing protocol/service lookups to fail.  Reported by Matthew Green.

2.5	17/3/95		- Released

Added a new keyword "all" to BNF and parsing of tcpdump/etherfind/snoop
output through the ipftest program.  Suggestions from:
Michael Ciavarella (mikec@phyto.apana.org.au)

Conflicts occur when "general" filter rules are used for ports and the
lack of a "proto" when used with "port" matches other packets when only
TCP/UDP are implied.
Reported Matthew Green (mrg@fulcom.com.au);
reported & fixed 6-8/3/95

Added filtering of short TCP packets using "with short" 28/2/95
(These can possibly slip by checks for the various flags).  Short UDP
or ICMP are dropped to the floor and logged.

Added filtering of fragmented packets using "with frag" 24/2/95

Port to NetBSD-current completed 20/2/95, using LKM.

Added logging of the rule # which caused the logging to happen and the
interface on which the packet is currently as suggested by
Andreas Greulich (greulich@math-stat.unibe.ch) 10/2/95

2.4	9/2/95		- Released
Fixed saving of IP headers in ICMP packets.

2.3	29/1/95
Added ipf -F [in|out|all] to flush filter rule sets (SIOCIPFFL).
Fixed iplread() and iplsave() with help from Marc Huber.

2.2	7/1/95		- Released
Added code from Marc Huber <huber@fzi.de> to allow it to allocate
its own major char number dynamically when modload'ing.  Fixed up
use of <, >, <=, >= and >< for ports.

2.1	21/12/94	- Released
repackaged to include the correct ip_output.c and ip_input.c *goof*

2.0	18/12/94	- Released
added code to check for port ranges - complete.
rewrote to work as a loadable kernel module - complete.

1.1
added code for ouput filtering as well as input filtering and added support for logging to a simple character device of packet headers.

1.0	22/04/93	- Released
First release cut.