What's new in IPFilter 4.1
==========================
(Well, compared to 3.*, anyway)
In no particular order, except headline alphabetical:

Administration:
	- Run-time support for modifying ipf table size parameters.
	- Run-time support for tuning other ipfilter parameters.

Content Scanning:
	- Simple matching of content for TCP session startup.

Firewall Synchronising:
	- Master/slave programs available.

General:
	- All input files allow simple 'macro' definitions and expansion,
	  including nesting.
	- Code has been rototilled to make maintenance and enhancements
	  easier for me and you.
	- More configuration files and binaries.
	- Takes up more memory.
	- Probably slower.
	- Versioned API to support changes in the ABI without breaking
	  existing binaries (4.0 onward only.)
	- IP-Filter framework in place for handling multiple different
	  types of packet matching for firewalling.
	- IP Id number rewriting available.
	- Verification of checksums for recognised packet types.
	- Optionally enable/disable IP forwarding when enabled/disabled.

IPF:
	- BPF syntax available for matching packets in ipf rules (1).
	- Can convert IPv4 ipf rules into C code and either:
	  * load them as an LKM; or
	  * compile them statically into the kernel (where possible.)
	- Address pools allow for simpler rules covering large numbers of
	  addresses/networks (IPv4 only).
	- Lookup functions available to map an IPv4 address to a group.
	- Groups can be referenced by multiple heads for subroutine-like use.
	- NAT/ipf rules can refer to each other via a tag, creating an implied
	  join that forms part of the packet matching.
	- Extra packet attributes available for filter rules:
	  * source address/routing interface mismatch;
	  * multicast (3);
	  * broadcast (2,3);
	  * state lookup partially failed;
	  * out of the TCP window for a state connection;
	  * NAT lookup partially failed.
	- PPS (packets per second) matching available for ipf rules.
	- Rule collections (cf FreeBSD numbering) supported for ipf rules.
	- Groups can now be names rather than just numbers.

IPV6:
	- understands extension headers.
	- can filter on extension headers.

Logging:
	- ipmon now comes with a configuration file for more advanced logging
	  behaviour.
	- Can append arbitrary logging tags with ipf rules for easy matching.

NAT:
	- "sticky" mapping available to ensure an address translation on
	  a per-address basis is always the same (while known) for a set
	  IP address.

Operating System Support:
	- HP-UX 11 added.
	- Tru64 5.1a added.
	- Solaris/HP-UX now use pfil STREAMS module.
	- Linux 2.4 on the way.

Proxies:
	- PPTP proxy added.
	- IRC proxy added.
	- RPCBIND proxy added.
	- FTP proxy support for EPSV (IPv4 only.)

Stateful Inspection:
	- Can insist that all TCP data arrives in order.
	- Can insist that all fragments pass through in order.
	- The number of states created per-rule can be set where the total
	  across all rules may exceed the maximum allowed.
	- Can elect not to automatically match ICMP error packets.
	- TCP sequence number rewriting supported.

(1) - Requires libpcap for rule parsing
(2) - On Solaris/HP-UX, broadcast packets are seen as multicast packets.
(3) - Not supported on SunOS4