Rivoreo Source Code Repositories
src.rivoreo.one / net / ipfilter / 52aadf0f0c1adb88bf8e7cacf5368d971d48af61 / . / HISTORY
blob: fc4d928e57472713cfbfdee724889e2157c64ccf [file] [log] [blame] [raw]
#
# NOTE: Quite a few patches and suggestions come from other sources, to whom
# I'm greatly indebted, even if no names are mentioned.
#
# Thanks to the Coombs Computing Unit at the ANU for their continued support
# in providing a very available location for the IP Filter home page and
# distribution center.
#
# Thanks also to all those who have contributed patches and other code,
# and especially those who have found the time to port IP Filter to new
# platforms.
#
4.1.32 RC1 - Release 1 January 2009
2031730 4.1.31 Nat drops fragmented packets after the first
2214661 ipf doesn't handle IPv6 fragments
2473273 NAT removed before RST/ICMP sent
2216500 fin_state serves no purpose
2424604 adding random MD5 data causes panic
2304435 Ineffecient lock usage in logging
2216491 fin_nat serves little purpose
1859718 IPF 4.1.28 repeated kernel panic Solaris 9 32bit
2055619 duplicating a free'd packet will fail
2042949 Excessive locking when creating nat_t
2035610 nat_update does not need to get locks
2214658 ipf mostly ignores locking in NetBSD
1979427 Memory leak in user utilities - token never freed (rel br)
* try to guess if SUNWspro wants -m64
2063742 4.1.30 breaks builds on Solaris 8
4.1.31 - Release 27 July 2008
* compiling arc4random.c is challenging on solaris 10 or solaris without gcc
* SunOS4 doesn't have a curproc, but it does have u.
* The fix for 2020447 generated random port numbers but not within the
range specified in the map rule. Add in a regression test to verify
that the "random" part works.
4.1.30 - Release 24 July 2008
2022104 solaris's driver.conf cannot set timeout values
2020447 IPFilter's NAT can undo name server random port selection
1988795 NetBSD doesn't build with kernel malloc stats
1988782 fr_movequeue can take a short cut
1988669 first nat creation failure prevents further success
1988668 hostmap searching does not work properly
* on some 64bit architectures (such as alpha), the addrfamily_t is packed
differently, throwing off the calculations for adf_len
* one too many READ_ENTERs in ip_sync code.
* clean up fr_fastroute a little by removing some #ifdefs and pushing the
code around a bit to use the same variables (NetBSD)
* more recent NetBSDs use VOP related macros differently
4.1.29 - Release 14 April 2008
* #ifdef warning fixes from Victor M Blood (FreeBSD) - #1821249
* An error in NAT'ing a packet that is being fed through the fastroute
code (i.e return-icmp/return-rst/to/dup-to) can lead to a memory leak
with mbufs
* NetBSD has removed rnh_walktree
* Remove exit/enter of ipf_global lock as they are now no longer held by
what calls fr_auth_ioctl()
* add in checks to see that a symbol is defined before using it in a test
case with C preprocessor #if statements
* add setting TCP TIME_WAIT timer to list of tuneables
* call of _pullup() high up in _icmp() means later checks for fin_dlen
that are less than 8 are not required.
* cleanup some errors in merging patches
* merge changes from netbsd for updated poll apis
* merge white space cleanup
* preserve and restore the fin_flx bits from the packet before it is
authorised to after it is.
* remove old comment that is no longer accurate
* sunos5x86 Makefile target has been removed from the Makefile
* try and optimise fr_movequeue and short cut some cases where there
is no requirement to change the position of the object on the list.
* update ip_compat.h for NetBSD changes with POLLWAKEUP
* use defined() in #if statements to make sure something has a value
before its use
1785476 more state entries might be created for single connection
1821247 holding ipf_global lock over call to fr_ioctlswitch() causes
a panic for FreeBSD with INVARIANTS - move holding locks in ioctl
processing to only where they are necessary.
1821358 errors can lead to mbufs not being freed
1825877 variables called min should be renamed to xmin
1835705 It is impossible to delete a state using SIOCDELST ioctl
1839009 Auth rules with both "quick" and "keep state" don't work
1839023 OS freeze: race condition in the auth code.
1839028 Potential problems in auth code
1855763 Fixed bug (#1838530) is reintoduced in the recent CVS commit
1872740 the ipfr_size tunable is ignored
1886836 open on devices not compiled in always succeed
1886965 sync code does not wakeup sleeping polls
1890025 sync code uses state table for nat objects
1915176 Use of "age X/Y" can lead to panic
4.1.28 - Release 16 October 2007
backout changes (B1) & (B2) as they've caused NAT entries to persist for
too long and possibly other side effects.
Still need to compile in our own radix.c for Solaris as the one in S10U4
has a different alignment of structure members (causes panic)
keep state doesn't work with multicast/broadcast packets (makes UPnP easier)
ippool -l may only lists every 2nd pool's contents
4.1.27 - Released 29 September 2007
SunOS5/replace script does not deal with i386 systems that have the
i86/amd64 directory pair.
make BSD/kupgrade try to build ip_rules.[ch] before complaining
Need to look for ipl.ko LKM on FreeBSD, not just ipf.ko
Cleanup SunOS5 Makefile pieces, removing CPU, sunos5x86; buildsunos needs
to drive 32bit cc builds differently for sparc/i386 now.
Update instructions for rebuilding FreeBSD kernels
Make the target "freebsd" work for building ipfilter
destroying NAT entries for blocked packets can lead to NAT table entry leak,
provide a counter of orphan'd NAT entries to track this problem.
4.1.26 - Released 24 September 2007
Fix build problem for Solaris prior to S10U4
4.1.25 - Released 20 September 2007
stepping through structures with ioctls can lead to the wrong things
being free'd and panics
if a NAT entry (such as an rdr) is created but the packet ends up being
blocked, tear down the NAT entry.
fix fragment cache preventing keep state from functioning
fix handling of \ to indicate a continued line in .conf files
include port ranges in the allowed input for ipf when using "port = ()"
only advance TCP state for packets on the leading edge of the window. (B1)
using ipnat -l can lead to memory corruption in high stress situations
track TCP sequence numbers with NAT so that it can do timeout advances
correctly inline with state
ICMP checksums for some redirect'd packets are not adjusted correctly.
IPv6 address components need to be explicitly cast to a 32bit pointer
boundary so that compilers don't try to access them as two 64bit
pieces (no guarantee is made that an Ipv6 address is on a 64bit
aligned address)
filling up the ipauth packet queue can lead to no more packets being
processed.
locking used to deref a nat entry causes a significant performance hit
m_pulldown isn't properly handled, leading to possible panics with ICMPv6
packets
IPv6 fragment handling doesn't allow for "keep frag" to work
build on Solaris10 Update4 with pfhooks in the kernel
logging of Ipv6 packets with extension headers fix - Miroslaw Luc
4.1.24 - Released 8 July 2007
patch from Stuart Remphrey to address recursive mutex lock with TCP state
add hash table bucket stats display to ipnat -s
give ASSERT some teeth for user compiles
initialising ipf_global, ipf_frcache, ipf_mutex should all be done very
early on
do some caddr_t cleanup, where possible
fr_ref no longer tracks the number of children rules in a group for head rules
make sure all BCOPY* have a value assigned to something
fix possible use of icmp pointer after pullup makes it invalid
resolve compile problems related to FreeBSD tree
4.1.23 - Released 31 May 2007
NAT was not always correctly fixing ICMP headers for errors
some TCP state steps when closing do not update timeouts, leading to
them being removed prematurely. (B2)
fix compilation problems for netbsd 4.99
protect enumeration of lists in the kernel from callout interrupts on
BSD without locking
fix various problems with IPv6 header checks: TCP/UDP checksum validation
was not being done, fragmentation header parsed dangerously and routing
header prevented others from being seen
fix gcc 4.2 compiler warnings
fix TCP/UDP checksum calculation for IPv6
fix reference after free'ing ipftoken memory
4.1.22 - Released 13 May 2007
fix endless loop when flushing state/NAT by idle time
4.1.21 - Released 12 May 2007
show the number of states created against a rule with "-v" for ipfstat
fix build problems with FreeBSD
make it possible to flush the state table by idle time and TCP state
fix flushing out idle connections when state/NAT tables fill
print out the TCP state population with ipfstat/ipnat
stop creation of state table orphans via return-*/fastroute
fix printing out of rule groups - they now only appear once
4.1.20 - Released 30 April 2007
adjust TCP state numbers, making 11 closed (was 0) to better facilitate
detecting closing connections that we can wipe out when a SYN arrives
that matches the old
make it compile on Solaris10 Update3
structures used for ipf command ioctls weren't being freed in timeout
fashion on solairs
use NL_EXPIRE, not ISL_EXPIRE, for expiring NAT sessions
adjust TCP timeout values and introduce a time-wait specifc timeout
to get a better TCP FSM emulation and one that can hopefully do a better
job of cleaning up in a speedy fashion than previous
refactor the automatic flushing of TCP state entries when we fill up,
but use the same algorithm as before but now it hopefully works
only 2 out of 4 interface names were being changed by ipfs when
interface renaming was being used for state entries
add ipf_proxy_debug to ipf-T
matching of last fragments that had a number of bytes that wasn't a
multiple of 8 failed
some combinations of TCP flags are considered bad aren't picked up as such,
but these may be possible with T/TCP
4.1.19 - Released 22 February 2007
Fix up compilation problems with NetBSD and Solaris.
4.1.18 - Released 18 February 2007
fix compiling on Tru64
fix listing out filter rules with ipfstat (delete token at end of
the list and detect zero rule being returned.)
fix extended flushing of NAT tables (was clearing out state tables)
fix null-pointer deref in hash table lookup
fix NAT and stateful filtering with to/reply-to on destination interface
4.1.17 - Released 20 January 2007
make flushing pools that are still in use mark them for deletion and
have attempting to recreate them clear the delete flag
walking through the NAT tables with ioctls caused lock recursion
fix tracking TCP window scaling in the state code
4.1.16 - Released 20 December 2006
allow rdr rules to only differ on the new port number
when creating state entry orphans, leave them on the linked list but not
attached to the hash table and mark them visible as orphans in "ipfstat -sl"
log state removed when unloading differently to allow visible cues
return ipf ticks via SIOCGETGS for /dev/ipnat so "ipnat -l" can display ttl
abort logging a packet if the mbuf pointer is null when ipflog is called
Some NetBSD's have a selinfo.h instead of select.h
SIOCIPFFL was using copyoutptr and should have been using bcopy for /dev/ipauth
listing accounting rules using ioctl interface wasn't possible
fix leakage of state entries due to packets not matching up with NAT
improve ICMP error packet matching with state/NAT
fix problems with parsing and printing "-" as an interface name in ipnat.conf
4.1.15 - Released 03 November 2006
Add in automatic flushing of NAT, like state, table if it fills up too much
Update comments in the code for NAT checksum adjustments
Fix compiling on FreeBSD 5.4 and 6.0
prevent panics from read/write IOs trying to use uninitialised structures
Newer NetBSD should use malloc() instead of MALLOC() in the kernel where
the size is not staticly defined
Some gcc warning message cleanup from NetBSD
Missing include for <sys/filio.h> on Solaris for poll work
NetBSD now uses opt_ipfilter.h, not opt_ipfilter_log.h
4.1.14 - Released 04 October 2006
rewrite checksum alteration for ICMP packets being NAT'd to use a sane
algorithm that can be understood...now it needs better comments
fix 1 byte error in checksum validation perl script
remove unused files in lib directory
ipftest will say "bad-packet" if it has been freed rather than just "blocked"
make it possible to load IP address pools from external files in ippool.conf
update copyright messages in tools directory
consolidate ioctl hanlding source code into fil.c
make ipfstat, ippool, ipnat retrieve information via ioctls rather than /dev/kmem
4.1.13 - Released 4 April 2006
fix bug where null pointers introduced by proxies could cause a crash
pass out the rule flags with SIOCAUTHW
force loading NAT rules with bad proxy labels to cause an error
nat_state is used unsafely in calls to fr_addstate
make return-rst and return-icmp* work with auth rules
4.1.12 - Released 28 March 2006
poll support on FreeBSD/NetBSD needs to use selrecord/selwakeup
make the fastroute code used by ipftest invoke state/NAT
move verbose/debug macros out of fil.c and into ip_fil.h (for wider use)
remove unused code in fr_fastroute
fix NAT with rules that specify forward and reverise interfaces
add missing ipfsync_canread() and ipfsync_canwrite()
behaviour of \ on the end of a line in ipf.conf does not match older behaviour
remove duplicate statistics line output with "ipfstat -s"
4.1.11 - Released 19 March 2006
Patch for NAT with ipfsync from N. Ersen (SESCI) - www.enderunix.org
NetBSD coverity report fixes (from run 5)
Possible to reacquire ipf_auth without releasing it in some circumstances
Locking in FreeBSD's iplioctl for ipf_global isn't present like it shoudl be
Add poll support for platforms I can build on: NetBSD, FreeBSD, Solaris, Linux
Using auth rules to return "keep state" got broken with pushing fr_addstate
call into fr_firewall
all use of '!' in map/rdr rules to match use in ipf configs
add -L command line option to ipmon to set the default syslog facility
looking up a port number is more complex than needed in ipft_tx.c
allow lib/getport to work when neither tcp or udp are specified in a rule
remove some dead code from lib/addicmpc, lib/facpri.c, lib/icmpcode.c
program in some more cases where TCP packets fail an initial in-window
check but should be allowed to match
filter rule added with NAT/state handling of SIOCSTPUT doesn't properly
initialise all fields, making it possible to panic
simplify NAT ICMP error handling where it updates checksums
rename "min" variables to "xmin" on NetBSD to avoid problems with the
macro "min"
#ifdef's for NetBSD compile incorrect for pfil interface
support select/poll on NetBSD
copying out a packet with an auth rule fails (EFAULT) because the wrong
pointer is passed to copyoutptr
ip_len/ip_off where byte swapped twice instead of once for packets
going to be stored on the auth queue
change timeout queue manipulation functions to make fewer mutex calls
fix use of skip rules with groups
fix coding problems discovered by the coverity project for FreeBSD
update BPF program validation with FreeBSD changes
4.1.10 - Released 6 December 2005
Expand regression testing to cover more features
Add "coverage" build target for BSD
Fix building 64bit sparc target for Solaris
Add IPv6 mobility header to list of accepted keywords for V6 headers
Resolve locking problems on Solaris when sending RST/icmp packets
#ifdef's for IPFILTER_BPF need to check if words are defined before
using them in comparisons
Add checking for SACK permitted option in TCP SYN packets
Fix loading anonymous pools from inline rule configuration groups
Add -C command line option to ipftest
Include extra "const" from NetBSD
Don't require SIOCKSTLCK for SIOCSTPUT
Fix some use of "sticky" on NAT rules
Fix statistical counting of deleting state for TCP connections
Fix compile problems caused by changes to is_opt/is_optmsk in ip_sync.c
Fix TCP out-of-window (OOW) problems:
- window scaling turned off if one chose for its scale factor
- Microsoft Windows TCP sends the "next packet" to the right of the window
when using SACK and filling in a hole
4.1.9 - Released 13 August 2005
make ipfilter fix IPv4 header checksums for outgoing packets if BRIDGE_IPF
is defined when compiled.
move the definition of SIOCPROXY from ip_nat.h to ip_proxy.h
make the BSD/upgrade script more instructive about the requiements for
ip_rules.[ch] when it is run
register for interface events on FreeBSD (>5.2.1) and NetBSD so that
"ipf -y" is not not requried to tell ipfilter about interface changes.
for "quick" rules that do "keep state", move the state adding into the rule
evaluation so that we can detect it failing as rules are evaluated and
continue on to the next rather than wait until we're done and it's too late
to recover for more rule processing.
mark ICMP packets advertising an MTU that's too small as being bad
rework ipv6 header parsing to get better code reuse and fix logic errors
in dealing with ipv6 packets containing fragment headers. Also, where a
protocol handler was doing both v4 & v6, make a seperate function for each.
build for both amd64 and i86pc (32bit) on Solaris10 and later, if possible
include start of work to get IPFilter working on AIX 5.3
Use FI_ICMPERR flag rather than try to compute its equivalent all the time
Rewrork IPv6 extension header parsing to get better code reuse
Add missing timeout on Linux
Fix for locking when reading from ipsync (Frank Volf)
Fix insertion/appending of rules that use a collection number
Somehow turning up the spl knob to splnet disappeared on platforms that still
use the spl interface.
fix problems with "ipf -T" not listing multiple variables properly
4.1.8 - Released 29 March 2005
include path from Phil Dibowitz for sorting ipfstat -t output by source or
destination port.
fix a bug in printing rules where interface names could not be printed,
even if they're in the rule structure.
fix BSD/kupgrade to correctly change ipfilter lkm Makefile for FreeBSD
add 2 new features to SIOCGNATL:
- if IPN_FINDFORWARD is set, check if the respective MAP is already
present in the outbound table
- if IPN_IN is set, search for a matching MAP entry instead of RDR
(Peter Potsma)
turn off function inlining for freebsd 5.3+
UDP doesn't pullup enough data which can sometimes cause a panic.
Fix other protocols, as required, where a similar problem may exist.
overhaul the timeout queue management, especially that for user defined queues
which are now only freed in an orderly manner.
4.1.7 - Released 13 March 2005
Using the GRE call field is almost impossible because it is unbalanced and
both call fields are not present in each v1 header.
Fix a problem where it was possible to load duplicate rules into ipf
patch from John Wehle to address problems with fastroute on solaris
Copying data out for ipf -z failed because it tried to copy out to an address
that is a kernel pointer in user space.
add "ip" timeout for both NAT & state that's for non-TCP/UDP/ICMP
synch up with NetBSD's changes
fix problems parsing long lines of text in the ftp proxy where they would not
be parsed properly and stop the session from working
enhance the PPTP proxy so that it tries to decode messages in the TCP stream
so it knows when to create and destroy the state/nat sessions for GRE. There
are also 4 new regression tests for it, testing map/rdr rules.
impose some limits on the size of data that can be moved with SIOCSTPUT in
the NAT code and also prevent a duplicate session entry from being created
using this method.
add a new flag (IPN_FINDFORWARD) to NAT code that can be used with SIOCGNATL
to check if it is possible to create an outgoing transparent NAT mapping to
compliment the redirect being investigated.
Linux requires that the checksums in the IP header get adjusted
only resolve unknown interfaces in fr_stinsert, and nuke all interface pointers
in SIOCSTPUT to prevent bad data being loaded from userspace.
make the byte counting for state correct (was counting data from ICMP packet
twice)
print out the keyword "frag-body" if the flag is set.
fix ipfs loading/restoring NAT sessions
patch from Frank to correctly format IP addresses in ipfstat -t output
parsing port numbers in ipf/ipnat was confusing as the port number was returned
in an int that was also overloaded to be the suceess/failure. instead, change
the port using pass by reference and only use the return value for indicating
success or failure.
4.1.6 - Released 19 February 2005
add a new timeout number to NAT (fr_defnatipage) that is used for all
non-TCP/UDP/ICMP protocols - default 60 seconds.
buffer leak with bad nat - David Gueluy
fix memory leak with state entries created by proxies
eliminate copying too much data into a scan buffer
allow a trailing protocol name for map rules as well as rdr ones
fix bug in parsing of <= and > for NAT rules (two were crossed over)
FreeBSD's iplwrite hasn't kept pace with iplread's prototype
expand documention on the karma of using "auto" in ipnat map rules
add matching on IP protocol to ipnat map rules
allow ippool definitions to contain no addresses to start with
Linux NAT needs to modify the IP header checksum as it gets called after it
has been computed by IP.
UDP was missing a pullup for packet header information before examining
the header
4.1.5 - Released 9 January 2005
all rules were being converted into "dup-to" rules in the kernel
fix two ftp proxy problems: 1st, buffer needs to be bigger for fitting in
complete RETR/CWD commands, 2nd is () use in 227 messages isn't copied
over correctly.
response to CWDs
revert ip_off back to network byte order in the ICMP error packet that
gets generated.
4.1.4 - Released 9 January 2005
force NAT rules to only match ipv4 NAT rules (which all are, currently,
by default)
include state synchronisation fixes from Frank Volf
make the maximum log size for internally buffered log entries accessible
via "ipf -T"
redesign start of fr_check() to avoid putting duplicate information in
ipfilter about how much data needs to be pulled up for a protocol to be
properly filtered.
tidy up sending ICMP error messages - some bad inputs could result in
data not being freed and/or no error returned.
make the maximum size of the log buffer run-time tunable
fix bug in parsing TCP header when looking for MSS option that could make
the system hang
change pool lookups that fail to find a match to return "no match"
rather than fail.
add run-time tunable debugging for proxy support code and FTP proxy.
fix state table updates for entries where the first packet as an ICMPv6
multicast message
fix hang when flushing state for v4/v6 and other (v6/v4) entries are present
too
attaching filtering to ipv6 pfil hook wasn't present for solaris
don't allow rules with "keep state" and "with oow"
move a bunch of userland only code from fil.c to ip_fil.c
make fr_coalesce() more resiliant to bad input, just returning an error
instead of crashing, making calling it easier in many places
When m_pulldown doesn't return NULL, it doesn't necessarily return a pointer
to the same mbuf passed in as the first arg.
remove fr_unreach and use ENETUNREACH by default.
printing out of tag data in ipf rules doesn't match input syntax
ipftest(1) man page update
ipfs command line option parsing still rejects some valid syntaxes
SIGHUP handling by ipmon was not as safe as it could be
fix various parsing regressions, including "<thishost>", "tcpudp", ordering
of "keep" options
patches from Frank Volk: add udp_acktimeout to sysctl list for FreeBSD,
ICMP packet length not calculated correctly in send_icmp_err, reply-to
not printed by ipfstat, keep state with icmp passing (mtrr)
patches for return-rst and return-icmp from Attila Fueloep
(lichtscheu@gesindel.org)
4.1.3 - Released 18 July 2004
do some more fine tuning on NAT checksum adjustments
correct IP address byte order in proxy setup for ipsec/pptp
man page updates
fix numerous problems with ipfs operation
complete new syntax for ipmon.conf in its parser and update the sample file
assign error value consistantly in fastroute code
rewrite allocation of mbufs in send_reset/send_icmp_err to better use
mbuf clusters and size calculations
resolve problem with linux panic'ing because the wrong flag was being
passed to skb_clone/skb_alloc
enable use of shared/exclusive locks on freebsd5 and above
do not rely on m_pkthdr.len to be valid all the time for mbufs on modern BSD
and so use mbufchainlen to get the mbuf length instead
replace lots of COPYIN/COPYOUT with BCOPYIN/BCOPYOUT where the data is
going to be on the stack and not in userland
packet buffer pointers were not refreshed & used properly in fr_check()
include extra bits for OpenBSD 3.4 & 3.5.
fix ipf/ipnat parsing regression problems with v3.4
4.1.2 - RELEASED - 27 May 2004
add state top for ipv6
fix numerous parsing regressions
change sample proxies to use SIOCGNATL with the new API
allow macro names to contain underscores (_)
split the parser into a collection of dictionaries so that keywords do
not interfere with resolving hostnames and portnames
fix ipfrule LKM loading on freebsd
support mapping a fixed range of ports to a single port
fix timeout queue use by proxies with private queues
handle space-led ftp server replies properly
fix timeout queue management
fix fastroute, generation of RST & ICMP packets and operation with to/fastroute
resolve further linux compatibility problems
replace the use of COPYIN with BCOPYIN for platforms that provide ioctl
args on the stack
allow flushing of ipv6 rules independant of ipv4 rules
correct internal ipv6 checksum calculations
if a 'keep state' rule fails to create state, block the packet rather
than let it through
correct all checksums in regression tests and correct NAT code to adjust
checksums correctly.
fix ipfs -R/-W
4.1.1 - RELEASED - 24 March 2004
allow new connections with the same port numbers as an existing one
in the state table if the creating packet is a SYN
timeout values have drifted, incorrectly, from what they were in 3.4
FreeBSD - compatibility changes for 5.2
don't match on sequence number (as well) for ICMO ECHO/REPLY, just the
ICMP Id. field as otherwise thre is a state/NAT entry per packet pair
rather than per "flow"
fr_cksum() returned the wrong answer for ICMP
Linux:
- get return-rst and return-icmp working
- treat the interface name the same as if_xname on BSD
adjust expectations for TCP urgent bits based on observed traffic in the
wild
openbsd3.4 has ip_len/ip_off in network byte order when ipfilter is called
fix flushing of hash pool gorups (ippool -F) as well as displaying them
(ippool -l)
passing of pointers to interface structures wrong for HP-UX/Solaris with
return-* rules.
Make the solaris boot script able to run on 2.5.1
ippool related files missing from Solaris packages
The name /dev/ippool should be /dev/iplookup
add regression testing for parsing long interface names in nat rules,
along with mssclamp and tags. Also add test for mssclamp operation.
ttl displayed for "ipfstat -t" is wrong because ttl is not computed.
parse logical interface names (Sun)
unloading LKMs was only working if they were enabled.
sync'ing up NAT sessions when NICs change should cause NAT rules to
re-lookup name->pointer mappings
not all of the ippool ioctl's are IOWR and they should be because they
use the ipfobj_t for passing information in/out of the kernel. leave the
old values defined and handle them, for compatibility.
pool stats wrong: ippoolstate used where ipoolstat should be, hash table
statistics not reported at all
fr_running not set correctly for OpenBSD when compiled into the kernel
Allow SIOCGETFF while disabled
Fix mssclamp with NAT (pasing and printing of the word, plus wrong bytes
altered. How do you say "untested" ?)
4.1 - RELEASED - 12 February 2004
4.0-BETA1 20 August 2003
support 0/32 and 0/0 on the RHS in redirect rules
where LHS and RHS netmasks are the same size for redirect, do 1:1 mapping
for bimap rules.
allow NAT rule to match 'all' interfaces with * as interface name
do mapping of ICMP sequence id#'s in pings
allow default age for NAT entries to be set per NAT rule
provide round robin selection of destination addresses for redirect
ipmon can load a configuration file with instructions on actions
to take when a matching log entry is received
now requires pfil to work on Solaris & HP-UX
supports mapping outbound connections to a specific address/port
support toggling of logging per ipfilter 'device'
use queues to expire data rather than lists
add MSN RPC proxy
add IRC proxy
support rules with dynamic ip addresses
add ability to define a pool of addresses & networks which can then
be placed in a single rule
support passing entire packet back to user program for authentication
support master/slave for state information sharing
reorganise generic code into a lib directory and make libipf.a
user programs enforce version matching with the kernel
supports window scaling if seen at TCP session setup
generates C code from filter rules to compile in or load as native
machine code.
supports loading rules comprised of BPF bytecode statements
HP-UX 11 port completed
and packets-per-second filtering
add numerical tags to rules for filtering and display in ipmon output
3.4.4 23/05/2000 - Released
don't add TCP state if it is an RST packet and (attempt) to send out
RST/ICMP packets in a manner that bypasses IP Filter.
add patch to work with 4.0_STABLE delayed checksums
3.4.3 20/05/2000 - Released
fix ipmon -F
don't truncate IPv6 packets on Solaris
fix keep state for ICMP ECHO
add some NAT stats and use def_nat_age rather than DEF_NAT_AGE
don't make ftp proxy drop packets
use MCLISREFERENCED() in tandem with M_EXT to check if IP fields need to be
swapped back.
fix up RST generation for non-Solaris
get "short" flag right for IPv6
3.4.2 - 10/5/2000 - Released
Fix bug in dealing with "hlen == 1 and opt > 1" - Itojun
ignore previous NAT mappings for 0/0 and 0/32 rules
bring in a completely new ftp proxy
allow NAT to cause packets to be dropped.
add NetBSD callout support for 1.4-current
3.4.1 - 30/4/2000 - Released
add ratoui() and fix parsing of group numbers to allow 0 - UINT_MAX
don't include opt_inet6.h for FreeBSD if KLD_MODULE is defined
Solaris must use copyin() for all types of ioctl() args
fix up screen/tty when leaving "top mode" of ipfstat
linked list for maptable not setup correctly in nat_hostmap()
check for maptable rather than nat_table[1] to see if malloc for maptable
succeeded in nat_init
fix handling of map NAT rules with "from/to" host specs
fix printout out of source address when using "from/to" with map rules
convert ip_len back to network byte order, not plen, for solaris as ip_len
may have been changed by NAT and plen won't reflect this
3.4 - 27/4/2000 - Released
source address spoofing can be turned on (fr_chksrc) without using
filter rules
group numbers are now 32bits in size, up from 16bits
IPv6 filtering available
add frank volf's state-top patches
add load splitting and round-robin attribute to redirect rules
FreeBSD-4.0 support (including KLD)
add top-style operation mode for ipfstat (-t)
add save/restore of IP Filter state/NAT information (ipfs)
further ftp proxy security checks
support for adding and removing proxies at runtime
3.3.13 26/04/2000 - Released
Fix parsing of "range" with "portmap"
Relax checking of ftp replies, slightly.
Fix NAT timeouts for ICMP packets
SunOS4 patches for ICMP redirects from Jurgen Keil (jk@tools.de)
3.3.12 16/03/2000 - Released
tighten up ftp proxy behaviour. sigh. yuck. hate.
fix bug in range check for NAT where the last IP# was not used.
fix problem with icmp codes > 127 in filter rules caused bad things to
happen and in particular, where #18 caused the rule to be printed
erroneously.
fix bug with the spl level not being reset when returning EIO from
iplioctl due to ipfilter not being initialized yet.
3.3.11 04/03/2000 - Released
make "or-block" work with lines that start with "log"
fix up parsing and printing of rules with syslog levels in them
fix from Cy Schubert for calling of apr_fini only if non-null
3.3.10 24/02/2000 - Released
* fix back from guido for state tracking interfaces
* update for NetBSD pfil interface changes
* if attaching fails and we can abort, then cleanup when doing so.
julian@computer.org:
* solaris.c (fr_precheck): After calling freemsg on mt, set it point to *mp.
* ipf.c (packetlogon): use flag to store the return value from get_flags.
* ipmon.c (init_tabs): General cleanup so we do not have to cast
an int s->s_port to u_int port and try to check if the u_int port
is less than zero.
3.3.9 15/02/2000 - Released
fix scheduling of bad locking in fr_addstate() used when we attach onto
a filter rule.
fix up ip_statesync() with storing interface names in ipstate_t
fix fr_running for LKM's - Eugene Polovnikov
junk using pullupmsg() for solaris - it's next to useless for what we
need to do here anyway - and implement what we require.
don't call fr_delstate() in fr_checkstate(), when compiled for a user
program, early but when we're finished with it (got fr & pass)
ipnat(5) fix from Guido
on solaris2, copy message and use that with filter if there is another
copy if it being used (db_ref > 1). bad for performance, but better
than causing a crash.
patch for solaris8-fcs compile from Casper Dik
3.3.8 01/02/2000 - Released
fix state handling of SYN packets.
add parsing recognition of extra icmp types/codes and fix handling of
icmp time stamps and mask requests - Frank volf
3.3.7 25/01/2000 - Released
sync on state information as well as NAT information when required
record nat protocol in all nat log records
don't reuse the IP# from an active NAT session if the IP# in the rule
has changed dynamically.
lookup the protocol for NAT log information in ipmon and pass that to
portname.
fix the bug with changing the outbound interface of a packet where it
would lead to a panic.
use fr_running instead of ipl_inited. (sysctl name change on freebsd)
return EIO if someone attempts an ioctl on state/nat if ipfilter is not
enabled.
fix rule insertion bug
make state flushing clean anything that's not fully established (4/4)
call fr_state_flush() after we've released ipf_state so we don't generate
a recursive mutex acquisition panic
fix parsing of icmp code after return-icmp/return-icmp-as-dest and add
some patches to enhance parsing strength
3.3.6 28/12/1999 - Released
add in missing rwlock release in fr_checkicmpmatchingstate() and fix check
for ICMP_ECHO to only be for packet, not state entry which we don't have yet.
handle SIOCIPFFB in nat_ioctl() and fr_state_ioctl()
fix size of friostat for SunOS4
fix bug in running off the end of a buffer in real audio proxy
3.3.5 11/12/1999 - Released
fix parsing of "log level" and printing it back out too
<net/if_types.h> is only present on Solaris2.6/7/8
use send_icmp_err rather than icmp_error to send back a frag-needed error
when doing PMTU
do not use -b with add_drv on Solaris unless $BASEDIR is set.
fix problem where source address in icmp replies is reversed
fix yet another problem with real audio.
3.3.4 4/12/1999 - Released
fix up the real audio proxy to properly setup state information and NAT
entries, thanks to Laine Stump for testing/advice/fixes.
fix ipfr_fastroute to set dst->sin_addr (Sean Farley - appears to prevent
FreeBSD 3.3 from panic'ing) as this had been removed in prior hacks to this
routine.
fix kinstall for BSDI
support ICMP errors being allowed through for ICMP packets going out with
keep state enabled
support hardware checksumming (gigabit ethernet cards) on Solaris thanks to
Tel.Net Media for providing hardware for testing.
patched from Frank Volf for ipmon (ICMP & fragmented packets) and allowing
ICMP responses to ICMP packets in the keep state table.
add in patches for hardware checksumming under solaris
Solaris install scripts now use $BASEDIR as appropriate.
add Solaris8 support
fix "ipf -y" on solaris so that it rescans rules also for changes in
interface pointers
let ipmon become a daemon with -D if it is using syslog
fix parsing of return-icmp-as-dest(foo)
add reference to ipfstat -g to ipfstat.8
ipf_mutex needs to be declared for irix in ip_fil.c
3.3.3 22/10/1999 - Released
add -g command line option to ipfstat to show groups still define.
fix problem with fragment table not recording rule pointer when called
from state functions (fin_fr not set).
fixup fastroute problems with keep state rules.
load rules into inactive set first, so we don't disable things like NIS
lookups half way through processing - found by Kevin Littlejohn
fix handling of unaligned ip pointer for solaris
patch for fr_newauth from Rudi Sluijtman
fixed htons() bug in fr_tcpsum() where ip_p wasn't cast to u_short
3.3.2 23/09/1999 - Released
patches from Scott Presnell to fix rcmd proxy
patches from Greg to fix Solaris detachment of interfaces
add openbsd compatibility fixes
fix free'ing already freed memory in ipfr_slowtimer()
fix for deferencing invalid memory in cleaning up after a device disappears
3.3.1 14/8/1999 - Released
remove include file sys/user.h for irix
prevent people from running buildsunos directly
fix up some problems with the saving of rule pointers so that NAT saves
that information in case it should need to call fr_addstate() from a proxy.
fix up scanning for the end of FTP messages
don't remove /etc/opt/ipf in postremove
attempt to prevent people running buildsolaris script without doing a
"make solaris"
fix timeout losing on freebsd3
3.3 7/8/1999 - Released
NAT: information (rules, mappings) are stored in hash tables; setup some
basic NAT regression testing.
display version name of installed kernel code when initializing.
add -V command line option to ipf, showing version (program and kernel
module) as well as the run-status of the kernel code.
fix problem with "log" rules actually affecting result of filtering.
automatically use SUNWspro if available and on a 64bit Solaris system for
compiling.
add kernel proxies for rcmd(3) and RealAudio (PNA)
use timeout/untimeout on SunOS4/BSD platforms too rather than hijacking
ip_slowtimo
fix IP headers generated through parsing of text information
fix NAT rules to be in the correct order again.
make keep-state work with to/fastroute keywords and enforce usage of those
interfaces.
update keep-state code with new algorithm from Guido
add FreeBSD-3 support
add return-icmp-as-dest option to retrun an ICMP packet using the original
destination as the source rather than a local IP address
add "level [facility.]<priority>" option to filter language
add changes from Guido to state code.
add code to return EPERM if the device is opened for writing and we're
in securelevel 2 or greater.
authentication code patches from Guido
fix real audio proxy
fix ipmon rule printing of interfaces and add IN/OUT to the end of ipmon
log output.
fix bimap rules with hash tables
update addresses used in NAT mappings for 0/32 rules for any protocol but TCP
if it changes on the interface - check every ip_natexpire()
add redirect regression test
count buckets used in the state hash table.
fix sending of RST's with return-rst to use the ack number provided in
the packet being replied to in addition to the sequence number.
fix to compile as a 64bit application on solaris7-64bit
add NAT IP mapping to ranges of IP addresses that aren't CIDR specified
fix calculation of in_space parameter for NAT
fix `wrapping' when incrementing the next ip address for use in NAT
fix free'ing of kernel memory in ip_natunload on solaris
fix -l/-U command line options from interfering with each other
fix fastroute under solaris2 and cleanup compilation for solaris7
add install scripts and compile cleanly on BSD/OS 4.0
safely open files in /tmp for writing device output when testing.
fix uninitialized pointer bug in NAT
fix SIOCZRLST (zero list rule stats) bug with groups
change some usage of u_short to u_int in function calling
fix compilation for Solaris7 (SUNWspro)
change solaris makefiles to build for either sparc or i386 rather than
per-cpu (sun4u, etc).
fixed bug in ipllog
add patches from George Michaelson for FreeBSD 3.0
add patch from Guido to provide ICMP checking for known state in the same
manner as is done for NAT.
enable FTP PASV proxying and enable wildcarding in NAT/state code for ports
for better PORT/PASV support with FTP.
bring into main tree static nat features: map-block and "auto" portmapping.
add in source host filtering for redirects (alan jones)
3.2.10 22/11/98 - Released
3.2.10beta9 17/11/98 - Released
fix fr_tcpsum problems in handling mbufs with an odd number of bytes
and/or split across an mbuf boundary
fix NAT list entry comparisons and allow multiple entries for the same
proxy (but on different ports).
don't create duplicate NAT entries for repeated PORT commands.
3.2.10beta8 14/11/98 - Released
always exit an rwlock before expecting to enter it again on solaris
fix loop in nat_new for pre-existing nat
don't setup state for an ftp connection if creating nat fails.
3.2.10beta7 05/11/98 - Released
set fake window in ipft_tx.c to ensure code passes tests.
cleaned up/enhanced ipnat -l/ipnat -lv output
fixed NAT handling of non-TCP/UDP packets, esp. for ICMP errors returned.
Solaris recusive mutex on icmp-error/tcp-reset - requires rwlock's rather
than mutexes.
3.2.10beta6 03/11/98 - Released
fix mixed use of krwlock_t and kmutex_t on Solaris2
fix FTP proxy back up, splitting pasv code out of port code.
3.2.10beta5 02/11/98 - Released
fixed port translation in ICMP reply handling
3.2.10beta4 01/11/98 - Released
increase useful statistic collection on solaris
filter DL_UNITDATA_REQ as well as DL_UNITDATA_IND on solaris
disable PASV reply translation for now
fail with an error if we try to load a NAT rule with a non-existant
proxy name - Guido
fix portmap usage with 0/0 and 0/32 map rules
remove ap_unload/ap_expire - automatically done when NAT is cleaned up
print "STATE:CLOSED" from ipmon if the connection progresses past established
rather than "STATE:EXPIRED"
3.2.10beta3 26/10/98 - Released
fixed traceroute/nat problem
rewrote nat/proxy interface
ipnat now lists associated proxy sessions for each NAT where applicable
3.2.10beta2 13/10/98 - Released
use KRWLOCK_T in place of krwlock_t for solaris as well as irix
disable use of read-write lock acquisition by default
add in mb_t for linux, non-kernel
some changes to progress compilation on linux with glibc
change PASV as well as PORT when passed through kernel ftp proxy.
don't allow window to become 0 in tcp state code
make ipmon compile cleaner
irix patches
3.2.10beta 11/09/98 - Released
stop fr_tcpsum() thinking it has run out of data when it hasn't.
stop solaris panics due to fin_dp being something wild.
revisit usage of ATOMIC_*()
log closing state of TCP connection in "keep state"
fix fake-arp table code for ipsend.
ipmon now writes pid to a file.
fix "ipmon -a" to actually activate all logging devices.
add patches for BSDOS4.
perl scripts for log analysis donated.
3.2.9 22/06/98 - Released
fix byte order for ICMP packets generated on Solaris
fix some locking problems.
fix malloc bug in NAT (introduced in 3.2.8).
patch from guido for state connections that get fragmented
3.2.8 08/06/98 - Released
use readers/writers locks in Solaris2 in place of some mutexes.
Solaris2 installation enhancements - Martin Forssen (maf@carlstedt.se)
3.2.7 24/05/98 - Released
u_long -> u_32_t conversions
patches from Bernd Ernesti for NetBSD
fixup ipmon to actually handle HUP's.
Linux fixes from Michael H. Warfield (mhw@wittsend.com)
update for keep state patch (not security related) - Guido
dumphex() uses stdout rather than log
3.2.6 18/05/98 - Released
fix potential security loop hole in keep state code.
update examples.
3.2.5 09/05/98 - Released
BSD/OS 3.1 .o files added for the kernel.
fix sequence # skew vs window size check.
fix minimum ICMP header size check.
remove references to Cybersource.
fix my email address.
remove ntohl in ipnat - Thomas Tornblom
3.2.4 09/04/98 - Released
add script to make devices for /dev on BSD boxes
fixup building into the kernel for FreeBSD 2.2.5
add -D command line option to ipmon to make it a daemon and SIGHUP causes
it to close and reopen the logfile
fixup make clean and make package for SunOS5 - Marc Boucher
postinstall keeps adding "minor=ipf ipl" - George Ross <gdmr@dcs.ed.ac.uk>
protected by IP Filter gif - Sergey Solyanik <solik@atom.ru>
3.2.3 10/11/97 - Released
fix some iplang bugs
fix tcp checksum data overrun, sgi #define changes,
avoid infinite loop when nat'ing to single IP# - Marc Boucher
fixup DEVFS usage for FreeBSD
fix sunos5 "make clean" cleaning up too much
3.2.2 28/11/97 - Released
change packet matching to return actual error, if bad packet, to facilitate
ECONNRESET for TCP.
allow ip:netmask in grammar too now - Guido
assume IRIX has u_int32_t in sys/types.h (needed for R10000)
rewrite parts of command line options for ipmon
fix TCP urgent packet & offset testing and add LAND attack test for iptest
fix grammar error in yacc grammar for iplang
redirect (rdr) destination port bytes-wapped when it shouldn't be.
general: fr_check now returns error code, such as EHOSTUNREACH or
ECONNRESET (attempt to make ECONNRESET work for locally outbound
packets).
linux: enable return-rst, need to filter tcp retransmits which are sent
separately from normal packets
memory leak plugged in ip_proxy.c
BSDI compatibility patches from Guido
tcp checksum fix - Marc Boucher
recursive mutex and ioctl param fix - Marc Boucher
3.2.1 12/11/97 - Released
port to BSD/OS 3.0
port to Linux 2.0.31
patches to make "map a/m -> 0/0" work with ftp proxying properly - Marc Boucher
add "ipf -F s" and "ipf -F S" to flush state table entries.
announce if logging is on or off when ip filter initializes.
"ipf -F a" doesn't flush groups properly for Solaris.
3.2 30/10/97 - Released
ipnat doesn't successfully remove proxy mappings with "-rf" -
Alexander Romanyu
use K&R C function style for solaris kernel code
use m_adj() to decrease packet size in ftp proxy
use mbufchainlen rather than msgdsize,
IRIX update - Marc Boucher
fix NetBSD modunload bug (pfil_add_hook done twice)
patches for OpenBSD 2.1 - Craig Bevins <craigb@bitcom.net.au>
3.2beta10 24/10/97 - Released
fix fragment table entries allocated for NAT.
fix tcp checksum calculations over mbuf/mblk boundaries
fix panic for blen < 0 in ftp kernel proxy - marc boucher
fix flushing of rules which have been grouped.
3.2beta9 20/10/97 - Released
some nit picking on solaris2 with SUNWspro - Michael Lyle <mrl@rpnet.net>
ftp kernel proxy patches from Marc Boucher
3.2beta8 13/10/97 - Released
add support for passing ICMP errors back through NAT.
IRIX port update - Marc Boucher
calculate correct MIN size of packet to log for UDP - Marc Boucher
need htons(ETHERTYPE_x) on little endian BSD boxes - Dave Huang
copyright header fixups
3.2beta7 23/09/97 - Released
fickup problems introduced by prior merges & changes.
3.2beta6 23/09/97 - Released
patch for spin-reading race condition - Marc Boucher.
IRIX port by Marc Boucher.
compatibility updates for Linux to ipsend
3.2beta5 13/09/97 - Released
patches from Bernd Ernesti for NetBSD integration (mostly prototyping and
compiler warning things)
ipf -y will resync IP#'s allocated with 0/32 in NAT to match interface if it
changes.
update manual pages and other documentation updates.
3.2beta4 27/8/97 - Released
enable setting IP and TCP options for iplang/
Solaris2 patches from Marc Boucher.
add groups for filter rules.
3.2beta3 21/8/97 - Released
patches for Solaris2 (interface panic solution ?): fix FIONREAD and
replacing q_qinfo points - Marc Boucher <marc@CAM.ORG>
change ipsend/* and ipsd/* copyright notices to be the same as ip filter's
patch for SYN-ACK skew testing fix from Eric V. Smith <EricSmith@windsor.com>
3.2beta2 6/8/97 - Released
make it load on Solaris 2.3
rewrote logging to remove solaris errors, introduced checking to see if the
same packet is logged successively.
fix filter cache to work when there are no rules loaded.
add "raw" option to ipresend to send entire ethernet frames.
nat list corruption bug - NetBSD - Klaus Klein
3.2beta1 5/7/97 - Released
patches from Jason Thorpe fixing: UNSIGNED_CHAR lossage, off_t being 64bits
lossage, and other NetBSD bits.
NetBSD 1.2G update.
fixup fwtk patches and add protocol field for SIOCGNATL.
rdr bugs reported by Alexander Romanyu (alexr@aix.krid.crimea.ua), with
fixes:
* rdr matched all packets of a given protocol (ignored ports).
* severe bug in nat_delete which caused system crash/freeze.
change Makefile so that CC isn't passed on for FreeBSD/NetBSD (will use
the default CC - cc, not gcc)
3.2alpha9 16/6/97 - Released
added "skip" keyword.
implement preauthentication of packets, as outlined by Guido.
Make it compile as cleanly as possible with -Wall & general code cleanup
getopt returns int, not char. Bernd Ernesti
3.2alpha8 13/6/97 - Released
code added to support "auth" rules which require a user program to allow them
through. First revision and much of the code came from Guido.
hex output from ipmon doesn't goto syslog when recovering from out of sync
error. Luke Mewburn (lukem@connect.com.au)
fix solaris2.6 lookup of destination ire's.
ipnat doesn't throw away unused bits (after masking), causing it to
behave incorrectly. Carson Gaspar
NAT code doesn't include inteface name when matching - Alexey Mavrin
<lha@elco.spb.ru>
replace old SunOS tcpip.h with new tcpip.h (from 4.4BSD) - Jason Thorpe.
update install procedures to include ip_proxy.c
mask out unused bits in NAT/RDR rules.
use a generic type (u_32_t) for 32bit variables, rather than rely on
u_long being such - Jason Thorpe.
create a local "netinet" directory and include from ~netinet/*" rather than
just "*" to make keeping the code working on ports easier.
add an m_copydata and m_copyback for SunOS4 (based on 4.4BSD-Lite versions)
documentation updates.
NetBSD update from Jason Thorpe <thorpej@netbsd.org>
allow RST's through with a matching SEQ # and 0 ACK. Guido Van Rooij
ipmon uses excessive amounts of CPU on Solaris2 - Reinhard Bertram
<Reinhard.Bertram@KOM.th-darmstadt.de>
3.2alpha7 25/5/97 - Released
add strlen for pre-2.2 kernels - Doug Kite <dkite@websgi.icomnet.com>
setup bits and pieces for compiling into a FreeBSD-2.2 kernel.
split up "bsd" targets. Now a separate netbsd/freebsd/bsd target.
mln_ipl.c has been split up into itself and mlf_ipl.c (for freebsd).
fix (negative) host matching in filtering.
add sysctl interface for some variables when compiled into FreeBSD-2.2 kernels
or later.
make all the candidates for kernel compiling include "netinet/..." and build
a subdirectory "netinet" when compiling and symlink all .h files into this.
add install make target to Makefile.ipsend
3.2alpha6 8/5/97 - Released
Add "!" (not) to hostname/ip matching.
Automatically add packet info to the fragment cache if it is a fragment
and we're translating addreses for.
Automatically add packet info to the fragment cache if it is a fragment
and we're "keeping state" for the packet.
Solaris2 patches - Anthony Baxter (arb@connect.com.au)
change install procedure for FreeBSD 2.2 to allow building to a kernel
which is different to the running kernel.
add FIONREAD for Solaris2!
when expiring NAT table entries, if we would set a time to fr_tcpclosed
(which is 1), make it fr_tcplaskack(20) so that the state tables have a
chance to clear up.
3.2alpha5
add proxying skeleton support and sample ftp transparent proxy code.
add printfs at startup to tell user what is happening.
add packets & bytes for EXPIRE NAT log records.
fix the "install-bsd" target in the root Makefile. Chris Williams
<psion@mv.mv.com>
Fixes for FreeBSD 2.2 (and later revs) to prevent panics. Julian Assange.
3.2alpha4 2/4/97 - Released
Some compiler warnings cleaned up.
FreeBSD-2.2 patches for LKM completed.
3.2alpha3 31/3/97 - Released
ipmon changes: -N for reading NAT logfile, -S for reading state logfile.
-a for reading all. -n now toggles hostname resolution.
Add logging of new state entries and expiration of old state entries.
count log successes and failures.
Add logging of new NAT entries and expiration of old NAT entries.
count log successes and failures.
Use u_quad_t for records of bytes & packets where kept
(IP Accounting: fr_hits, fr_bytes; IP state: is_pkts, is_bytes).
Fixup use of CPU and DCPU in Makefiles.
Fix broken 0/32 NAT mapping. Carl Makin <cmakin@nla.gov.au>
3.2alpha2
Implement mapping to 0/32 as being an alias for automatically using the
interface's first IP address.
Implement separate minor devices for both NAT and IP state code.
Fully prototype all functions.
Fix Makefile problem due to attempt to fix Sun compiling problems.
3.1.10 23/3/97 - Released
ipfstat -a requires a -i or -o command line option too. Print an error
when not present rather than attempt to do something.
patch updates for SunOS4 for kernel compiling.
patch for ipmon -s (flush's syslog file which isn't good). Andrew J. Schorr
<schorr@ead.dsa.com>
too many people hit their heads hard when compiling code into the kernel
that doesn't let any packets through. (fil.c - IPF_NOMATCH)
icmp-type parsing doesn't return any errors when it isn't constructed
correctly. Neil Readwin
Using "-conf" with modload on SunOS4 doesn't work.
Timothy Demarest <demarest@arraycomm.com>
Need to define ARCH in makefile for SunOS4 building. "make sunos4"
in INSTALL.SunOS is incorrect. James R Grinter <jrg@blodwen.demon.co.uk>
[all SunOS targets now run buildsunos]
NAT lookups are still incorrect, matching non-TCP/UDP with TCP/UDP
information. ArkanoiD <ark@paranoid.convey.ru>
Need to check for __FreeBSD_version being 199511 rather than 199607
in mln_ipl.c. Eric Feillant <Eric.Feillant@EUnet.fr>
3.1.9 8/3/97 - Released
fixed incorrect lookup of active NAT entries.
patch for ip_deq() wrong for pre 2.1.6 FreeBSD.
fyeung@fyeung8.netific.com (Francis Yeung)
check for out with return-rst/return-icmp at wrong place - Erkki Ritoniemi
(erkki@vlsi.fi)
text_readip returns the interface pointer pointing to text on stack -
Neil Readwin
fix from Pradeep Krishnan for printout rules "with not opt sec".
3.1.8 18/2/97 - Released
Diffs for ip_output.c and ip_input.c updated to fix bug with fastroute and
compiling warnings about reuse of m0.
prevent use of return-rst and return-icmp with rules blocking packets going
out, preventing panics in certain situations.
loop forms in frag cache table - Yury Pshenychny <yura@rd.zgik.zaporizhzhe.ua>
should use SPLNET/SPLX around expire routines in NAT/frag/state code.
redeclared malloc in 44arp.c -
3.1.7 8/2/97 - Released
Macros used for ntohs/htons supplied with gcc don't always work very well
when the assignment is the same variable being converted.
Filter matching doesn't not match rule which checks tcp flags on packets
which are fragments - David Wilson
3.1.7beta 30/1/97 - Released
Fix up NAT bugs introduced in last major change (now tested), including
nat_delete(), nat_lookupredir(), checksum changes, etc.
3.1.7alpha 30/1/97 - Released
Many changes to NAT code, including contributions from Laurent Joncheray
<lpj@ans.net>
Use "NO_SLEEP" when allocating memory under SunOS.
Make kernel printf's nicer for BSD/SunOS4
Always do a checksum for packets being filtered going out and being
processed by fastroute.
Leave kernel to play with cdevsw on *BSD systems with LKM's.
ipnat.1 man page fixes.
3.1.6 21/1/97 - Released
Allow NAT to work on BSD systems in conjunction with "pass .. to ifname"
Memory leak introduced in 3.1.3 in NAT lists, clearing of NAT table tried
to free memory twice.
NAT recalculates IP header checksum based on difference between IP#'s and
port numbers - should be just IP#'s (Solaris2 only)
3.1.5 13/1/97 - Released
fixed setting of NAT timeouts and use different timeouts for concurrent
TCP sessions using the same IP# mapping (when port mapping isn't used)
multiple loading/unloading of LKM's doesn't clean up cdevsw properly for
*BSD systems.
3.1.4 10/1/97 - Released
add command line options -C and -F to ipnat to flush NAT list and table
ipnat -l loops on output - Neil Readwin (nreadwin@nysales.micrognosis.com)
NetBSD/FreeBSD kernel malloc changes - Daniel Carosone
3.1.3 10/1/97 - Released
NAT chains not constructed correctly in hash tables - Antony Y.R Lu
(antony@hawk.ee.ncku.edu.tw)
Updated INSTALL.NetBSD, INSTALL.FreeBSD and INSTALL.Sol2
man page update (ipf.5) from Daniel Carosone (dan@geek.com.au)
ICMP header checksum update now included in NAT.
Solaris2 needs to modify IP header checksums in ip_natin and ip_natout.
3.1.2 4/12/96 - Released
ipmon doesn't use syslog all the time when given -s option
fixed mclput panic in ip_input.c and replace ntohs() with NTOHS() macro
check the results of hostname resolution in ipnat
"make *install" fixed for subdirectories.
problems with "ARCH:=" and gnu make resolved
parser reports an error for lines with whitespaces only rather than skipping
them. D.Carosone@abm.com.au (Daniel Carosone)
patches for integration into NetBSD-current (post 1.2).
add an option to allow non-IP packets going up/down the stream on Solaris2
to be dropped. John Bass.
3.1.2beta 21/11/96 - Released
make ipsend compile on Linux 2.0.24
changes to TCP kept state algorithm, making it watch state on TCP
connections in both directions. Also use the same algorithm for NAT TCP.
-Wall cleanup - Bernd Ernesti
added "or-block" for "pass .. log or-block" after a suggestion from
David Oppenheim (davido@optimation.com.au)
added subdirectories for building IP Filter in SunOS5/BSD for different
cpu architecures
Solaris2 fixes to logging and pre-filtering packet processing - 3.1.1p2
mbuf logging not using mtod(), remove iplbusy - 3.1.1p1 1/11/96
3.1.1 28/10/96 - Released
Installation script fixes and deinstall scripts for IP Filter on:
SunOS4/FreeBSD/NetBSD
Man page fixes - Paul Dubois (dubois@primate.wisc.edu)
Fix use of SOLARIS macro in ipmon, rewrote ipllog() (again!)
parsing isn't completely case insensitive - David Wilson
(davidw@optimation.com.au)
Release ipl_mutex across uiomove() calls
print entire rule entries out for "ipf -z" when zero'ing per-rule stats.
ipfstat returns same output for "hits" in "ipfstat -aio" - Terletsky Slavik
(ts@polynet.lviv.ua)
New algorithm for setting timeouts for TCP connection (more closely follow
TCP FSM) - Pradeep Krishnan (pkrishna@netcom.com)
Track both window sizes for TCP connections through "keep state".
Solaris2 doesn't like _KERNEL defined in stdargs.h - Jos van Wezel
(wezel@bio.vu.nl)
3.1.1-beta2 6/10/96 - Released
Solaris2 fastroute/dup-to/to now works
ipmon `record' reading rewritten
Added post-NetBSD1.2 packet filter patches - Mathew Green (mrg@eterna.com.au)
Attempt to use in_proto.c.diff, not "..diffs" for SunOS4 - David Wilson
(davidw@optimation.com.au)
Michael Ryan (mike@NetworX.ie) reports the following:
* The Trumpet WinSock under Windows always sends its SYN packet with an ACK
value of 1, unlike any other implementation I've seen, which would set it
to zero. The "keep state" feature of IP Filter doesn't work when receiving
non-zero ACK values on new connection requests.
* */Makefile install rule doesn't install all the binaries/man pages
* Make ipnat use "tcp/udp" instead of "tcpudp"
* Print out "tcp/udp" properly
* ipnat "portmap tcp" matches "portmap udp" when adding/removing
* NAT dest. ip# increased by one on mask of 0xffffffff when it shouldn't
3.1.1-beta 1/9/96 - Released
add better detection of TCP connections closing to TCP state monitoring.
fr_addstate() not called correctly for fragments. "keep state" and
"keep frag" code don't work together 100% - Songqing Cai
(songqing_cai@sterling.com)
call to fr_addstate() incorrect for adding state in combination with keeping
fragment information - Songqing Cai (songqing_cai@sterling.com)
KFREE() passed fp (incorrect) and not fr (correct) in ip_frag.c - John Hood
(cgull@smoke.marlboro.vt.us)
make ipf parser recognise '\\' as a `continued line' marker - Dima Ruban
(dima@best.net)
3.1.1-alpha 23/8/96 - Released
kernel panic's when ICMP packets go through NAT code
stats aren't zero'd properly with ipf -Z
ipnat doesn't show port numbers correctly all the time and also add the
protocol (tcp/udp/tcpudp) to rdr output - Carson Gaspar (carson@lehman.com)
fast checksum fixing not 100% - backout patch - Bill Dorsey (dorsey@lila.com)
NetBSD-1.2 patches from - VaX#n8 <vax@linkdead.paranoia.com>
Usage() call error in fils.c - Ajay Shekhawat (ajay@cedar.buffalo.edu)
ip_optcopy() staticly defined in ip_output.c in SunOS4 - Nick Hall
(nrh@tardis.ed.ac.uk)
3.1.0 7/7/96 - Released
Reformatted ipnat output to be compatible with it's input, so that
"ipnat -l | ipnat -rf -" is possible.
3.1.0beta 30/6/96 - Released
NetBSD-1.2 patches from Greg Woods (woods@most.weird.com)
kernel module must not be installed stripped (Solaris2), as created by
"make package" for Solaris2 - Peter Heimann
(peter@i3.informatik.rwth-aachen.de)
3.1.0alpha 5/6/96 - Released
include examples in package for solaris2
patches for removing an extra ip header checksum (FreeBSD/NetBSD/SunOS)
removed trailing space from printouts of rules in ipf.
ipresend supports the same range of inputs that ipftest does.
sending a duplicate copy of a packet to another network devices is now
supported. ("dup-to")
sending a packet to an arbitary interface is now supported, irrespective
of its actual route, with no ttl decrement. Can also be routed without
the ttl being decremented. ("to" and "fastroute").
"call" option added to support calling a generic function if a packet is
matched.
show all (upto 4) recorded bytes from the interface name in logging from
ipmon.
support for using unix file permissions for read/write access on the device
is now in place.
recursive mutex in nat_new() for Solaris 2.x - Per L. Hagen <per@stibo.dk>
ipftest doesn't call initparse() for THISHOST - Catherine Allen
(cla@connect.com.au)
Man page corrections from Rex Bona (rex@pengo.comsmiths.com.au)
3.0.4 10/4/96 - Released
looop in `parsing' IP packets with optlen 0 for ip options.
rule number not initialized and resulted in unexpected results for state
maching.
option parsing and printing bugs - Pradeep Krishnan
3.0.4beta 25/3/96 - Released
wouldn't parse "keep flags keep state" correctly.
SunOS4.1.x ip_input.c doesn't recognise all 1s broadcast address - Nigel Verdon
patches for BSDI's BSD/OS 2.1 and libpcap reader on little endian systems
from Thorsten Lockert <tholo@tetherless.com>
b* functions in fil.c on Solaris 2.4
3.0.3 17/3/96 - Released
added patches to support IP Filter initialisation when compiled into the
kernel.
added -x option to ipmon to display hex dumps of logged packets.
added -H option to ipftest to allow ascii-hex formatted input to specify
arbitary IP packets.
Sending TCP RSTs as a response now work for Solaris2 x86
add patches to make IP Filter compile into NetBSD kernels properly.
patch to stop SunOS 4.1.x kernels panicing with "data traps".
ipfboot script unloads and reloads ipf module on Solaris2 if it is already
loaded into the kernel.
Installation of IP Filter as a Solaris2 package is now supported.
Man pages for ipnat.4, ipnat.5 added.
added some more regression tests and fixed up IP Filter to pass the new tests
(previous versions failed some of the tests in set 12).
IP option filter processing has changed so that saying "with opt lsrr" will
check only for that one, but not mask out other options, so a packet with
strict source routing, along with loose source routing will match all of
"with opt lsrr", "with opt ssrr" and "with opt lsrr,ssrr".
IPL_NAME needed in ipnat.c - Kelly (kelly@count04.mry.scruznet.com)
patches for clean NetBSD compilation from Bernd Ernesti (bernd@arresum.inka.de)
make install is incorrect - Julian Briggs (julian@lightwork.co.uk)
strtol() returns 0x7fffffff for all negative numbers,
printfr() generates incorrect output for "opt sec-class *",
handling of "not opt xxx opt yyy" incorrect.
- Minh Tonthat (minht@sbei.com)/Pradeep Krishnan (pradeepk@sbei.com)
m_pullup() called only for input and not output; caused problems
with filtering icmp - Nigel Verdon (verdenn@gb.swissbank.com)
parsing problem for "port 1" and NetBSD patches incorrect -
Andreas Gustafsson (gson@guava.araneus.fi)
3.0.2 4/2/96 - Released
Corrected bug where NAT recalculates checksums for fragments.
make NAT recalculate UDP checksums (rather than setting them to 0),
if they're non-zero.
DNS patches - Real Page (Real.Page@Matrox.com)
alteration of checksum recalculations in NAT code and addition of
redirection with NAT - Mike Neuman
core dump, if tcp/udp is used with a port number and not service name,
in ipf - Mike Neuman (mcn@engarde.com)
initparse() call, missing to prime "<thishost>" hook - Craig Bishop
3.0.1 14/1/96 - Released
miscellaneous patches for Solaris2
3.0 14/1/96 - Released
Patch included for FDDI, from Richard Ohnemus
(Richard_Ohnemus@dallas.csd.sterling.com)
Code cleanup for release.
3.0beta4 10/1/96
recursive mutex in ipfr_slowtimer fixed, reported by Craig Bishop
recursive mutex in sending TCP RSTs fixed, reported by Tony Becker
3.0beta3 9/1/96
FIxup for Solaris2.5 install and interface name bug in ipftest from
Julian Briggs (julian@lightwork.co.uk)
Byte order patches for ipmon from Tony Becker (tony@mcrsys.com)
3.0beta2 7/1/96
Added the (somewhat warped) IP accounting as it exists in ipfw on FreeBSD.
Note, this isn't really what one would call IP account, when compared to
process accounting, sigh.
Split up ipresend into iptest/ipresend/ipsend
Added another m_pullup() inside fr_check() for BSD style kernels and
added some checks to ipllog() to not log more than is present (for short
packets).
Fixed bug where failed hostname/netname resolution goes undetecte and
becomes 0.0.0.0 (any) (reported Guido van Rooij)
3.0beta 11/11/95 - Released
Rewrote the way rule testing is done, reducing the number of files needed and
generated.
SIOCIPFFL was incorrectly affected by IPFILTER_LOG (Mathew Green)
Patches from Guido van Rooij to fix sending back TCP RSTs on Net-2/Net-3
BSD based Unixes (panic'd)
Patches for FreeBSD/i86 ipmon from Riku Kalinen <riku@tequila.nixu.fi>
(I think someone else already told me about these but they got lost :-/)
Changed Makefile structure to build object files for different operating
systems in separate directories by default.
BSDI has ef0 for first ethernet interface
Allow for a "not" operator before optional keywords.
The "rule number" was being incorrectly incremented every time it went through
the loop rather than when it matched a rule.
2.8.2 24/10/95 - Released
Fixed up problems with "textip" for doing lots of testing.
Fixed bug in detection of "short" tcp/ip packets (all reported as being short).
Solaris 2.4 port now works 100%.
Man page errors reported and fixed.
Removed duplicate entry in etc/services for login on port 49 (Craig Bishop).
Fixed ipmon output to put a space after the log-letter.
Patch from Guido van Rooij to fix parsing problem.
2.8.1 15/10/95 - Released
Added ttl and tos filtering.
Patches for fixing up compilation and port problems (little endian)
from Guido van Rooij <guido@IAEhv.nl>.
Man page problems reported and fixed by Carson Gaspar <carson@lehman.com>.
ipsend doesn't compile properly on Solaris2.4
Lots of work done for Solaris2.4 to make it MT/MP safe and work.
2.8 15/9/95 - Released
ipmon can now send messages to syslogd (-s) and use names instead of
numbers (-N).
IP packets are now "compiled" into a structure only containing filterable
bits.
Added regression testing in the test/ subdirectory, using a new option
(-b) with the ipftest program.
Added "nomatch" return to filter results. These are counted and show
up in reports from ipfstat.
Moved filter code out of ip_fil.c and into fil.c - there is now only one
instance of it in the package.
Added Solaris 2.4 support.
Added IPSO basic security option filtering.
Added name support for filtering on all 19 named IP options.
Patches from Ivan Brawley to log packet contents as well as packet headers.
Update for sun/conf.c.diff from Ivan Brawley <ibrawley@awadi.com.AU>
Added patches for FreeBSD 1, and added two new switches (-E, -D) to ipf,
along with a new ioctl, SIOCFRENB.
From: Dieter Dworkin Muller <dworkin@village.org>
2.7.3 31/7.95 - Released
Didn't compile cleanly without IPFILTER_LOG defined (Mathew Green).
ipftest now deals with tcpdump3 binary output files (from libpcap) with -P.
Brought ipftest program upto date with actual filter code.
Filter would cause a match to occur when it wasn't meant to if the packet
had short headers and was missing portions that should have been there.
Err, it would rightly not match on them, but their absence caused a match
when it shouldn't have been.
2.7.2 26/7/95 - Released
Problem with filtering just SYN flagged packets reported by
Dieter Dworkin Muller <dworkin@village.org>. To solve this
problem, added support for masking TCP flags for comparison "flags X/Y".
2.7.1 9/7/95 - Released
Added ip_dirbroadcast support for Sun ip_input.c
Fixed up the install scripts for FreeBSD/NetBSD to recognise where they are
better.
2.7 7/7/95 - Released
Added "return-rst" to return TCP RST's to TCP packets.
Actually ported it to FreeBSD-i386 2.0.0, so it works there properly now.
Added insertion of filter rules. Use "@<#>" at the beginning of a filter
to insert a rule at row #.
Filter keeps track of how many times each rule is matched.
Changed compile time things to match kernel option (IPFILTER_LKM &
IPFILTER_LOG).
Updated ip_input.c and ip_output.c with paches for 3.5 Multicast IP.
(No change required for 3.6)
Now includes TCP fragments which start inside the TCP header as being short.
Added counting the number of times each rule is matched.
2.6 11/5/95 - Released
Added -n option to ipf: when supplied, no changes are made to the kernel.
Added installation scripts for SunOS 4.1.x and NetBSD/FreeBSD/BSDI.
Rewrote filtering to use a more generic mask & match procedure for
checking if a packet matches a rule.
2.5.2 27/4/95 - Released
"tcp/udp" and a non-initialised pointer caused the "proto" to become
a `random' value; added "ip#/dotted.mask" notation to the BNF.
From Adam W. Feigin <feigin@iis.ee.ethz.ch>
2.5.1 22/3/95 - Released
"tcp/udp" had a strange effect (undesired) on getserv*() functions,
causing protocol/service lookups to fail. Reported by Matthew Green.
2.5 17/3/95 - Released
Added a new keyword "all" to BNF and parsing of tcpdump/etherfind/snoop
output through the ipftest program. Suggestions from:
Michael Ciavarella (mikec@phyto.apana.org.au)
Conflicts occur when "general" filter rules are used for ports and the
lack of a "proto" when used with "port" matches other packets when only
TCP/UDP are implied.
Reported Matthew Green (mrg@fulcom.com.au);
reported & fixed 6-8/3/95
Added filtering of short TCP packets using "with short" 28/2/95
(These can possibly slip by checks for the various flags). Short UDP
or ICMP are dropped to the floor and logged.
Added filtering of fragmented packets using "with frag" 24/2/95
Port to NetBSD-current completed 20/2/95, using LKM.
Added logging of the rule # which caused the logging to happen and the
interface on which the packet is currently as suggested by
Andreas Greulich (greulich@math-stat.unibe.ch) 10/2/95
2.4 9/2/95 - Released
Fixed saving of IP headers in ICMP packets.
2.3 29/1/95
Added ipf -F [in|out|all] to flush filter rule sets (SIOCIPFFL).
Fixed iplread() and iplsave() with help from Marc Huber.
2.2 7/1/95 - Released
Added code from Marc Huber <huber@fzi.de> to allow it to allocate
its own major char number dynamically when modload'ing. Fixed up
use of <, >, <=, >= and >< for ports.
2.1 21/12/94 - Released
repackaged to include the correct ip_output.c and ip_input.c *goof*
2.0 18/12/94 - Released
added code to check for port ranges - complete.
rewrote to work as a loadable kernel module - complete.
1.1
added code for ouput filtering as well as input filtering and added support for logging to a simple character device of packet headers.
1.0 22/04/93 - Released
First release cut.