1# 2# NOTE: Quite a few patches and suggestions come from other sources, to whom 3# I'm greatly indebted, even if no names are mentioned. 4# 5# Thanks to the Coombs Computing Unit at the ANU for their continued support 6# in providing a very available location for the IP Filter home page and 7# distribution center. 8# 9# Thanks also to all those who have contributed patches and other code, 10# and especially those who have found the time to port IP Filter to new 11# platforms. 12# 135.1.2 - RELEASED - 22 Jul 2012 14 153546266 macro letters could be more consistent 163546265 not all of the state statistics are displayed 173546261 scripts for updating BSD environment out of date 183546260 compiler warnings about non-integer array subscript 193546259 asserting numdereflists == 0 is not correct 203546258 expression matching does not see IPF_EXP_END 213544317 ipnat/ipfstat are not using ipfexp_t 223545324 proxy checksum calculation is not hardware aware 233545321 FTP sequence number adjustment incorrectly applied 243545320 EPSV is not recognised 253545319 move nat rule creation to ip_proxy.c 263545317 better feedback of checksum requirements for proxies 273545314 ftp proxy levels do not make sense 283545312 EPRT is not supported by ftp proxy 293544318 ipnat.conf parsing ignores LHS address family 303545309 non-ipv6 safe proxies do not fail with ipv6 313545323 NAT updates the source port twice 323545322 ipv6 nat rules cannot start proxies 333544314 bucket copyout tries to copy too much data 343544313 remove nat encap feature 353546248 compat rule pointer type mismatch 363546247 UDP hardware checksum offload not recognised 373545311 ifp_ifaddr does not find the first set address 383545310 ipmon needs ipl_sec on 64bit boundary 393545326 reference count changes made without lock 403544315 stateful matching does not use ipfexp_t 413543493 tokens are not flushed when disabled 423543487 NAT rules do not always release lookup objects 433543491 function comments in ip_state.c are old 443543404 ipnat.conf parsing uses family/ip version badly 453543403 incorrect line number printed in ipnat parsing errors 463543402 Not all NAT statistics are printed 473542979 NAT session list management is too simple 483542978 ipv4 and ipv6 nat insert have common hash insertion 493542977 ipnat_t refence tracking incomplete 503542975 proxies must use ipnat_t separately 513542980 printing ipv6 expressions is wrong 523542983 ippool cannot handle more than one ipv6 address 533543018 mask array shifted incorrectly. 543542974 reason for dropping packet is lost 553542982 line numbers not recorded/displayed correctly by ipf 563542981 exclamation mark cuases trouble with pools 573541655 test suite checksums incorrect 583541653 display proxy fail status correctly 593540993 IP header offset excluded in pullup calculations 603540994 pullupmsg does not work as required 613540992 pointer to ipv6 frag header not updated on pullup 623541645 netmask management adds /32 for /0 633541637 ipnat parser does not zero port fields for non-port protocol 643541635 pool names cannot by numbers 653540995 IPv6 fragment tracking does not always work 663540996 printing of nextip for ipv6 nat rules is wrong 673540999 ipnat.conf parsing has trouble with icmpidmap for ipv6 683540825 whois output parsing error for ipv6 693540814 ipfd_lock serves no purpose 703540810 lookup objects need tail pointers 713540809 refactor hash table lookups for nat 723540819 radix tree does not work with ipv6 733540820 mutex emulation should be logged 743540828 ipfstat filtering with -m fails tests 753536480 ippool could be more like the others 763536477 pool printing not uniform 773536483 flushing empty destination lists causes panic 783536481 more use of bzero after KMALLOC required 793536479 ipnat.conf line numbers not stored 803536484 Makefile missing dependency for ippool 813536199 TFTP proxy requires something extra 823536198 ICMP checksum out by one 833536203 ipnat does not return an error 843536201 ipf.conf parsing too address friendly 853536200 printing of bytes/packets not indented 863497941 ipv4 multicast detection incorrect on little endian 873535361 to interfaces printed out of order 883535363 ipf parser is inconsistent 893532306 deleting ipnat rules does not work 903532054 new error required for ipf_rx_create 913532053 icmp6 checksums wrong 923532052 icmpv6 state check with incorrect length 933531871 checksum verification wants too many icmp6 bytes 943531870 ipnat.conf parsing needs to support inet6 953532048 error in ipf group parsing 963531868 ICMPV6 checksum not validated 973531893 ipftest exits without error for bad input 983531890 whois pool parsing builds bad structures 993531891 icmpv6 text parsing ignorant of icmp types 1003531653 rewrite with icmp does not work 1013530563 NAT operations fail with EPERM 1023530544 first pass at gcc -Wextra cleanup 1033530540 lookup create functions do not set error properly 1043530539 ipf_main_soft_destroy doesn't need 2nd arg 1053530541 reorder structure for better packing 1063530543 ipnat purge needs documentation 1073530515 BSD upgrade script required 1083528029 ipmon bad-mutex panic 1093530247 loading address pools light on input validation 1103530255 radix tree delete uses wrong lookup 1113530254 radix tree allocation support wrong 1123530264 ipmon prints qd for some 64bit numbers 1133530260 decapsulate rules not printed correctly. 1143530266 ipfstat -v/-d flags confused 1152939220 why a packet is blocked is not discernable 1162939218 output interface not recorded 1172941850 use of destination lists with to/dup-to beneficial 1183457747 build errors introduced with radix change 1193535360 timeout groups leak 1203535359 memory leak with tokens 1213535358 listing rules in groups requires tracking groups 1223535357 rule head removal is problematic 1233530259 not all ioctl error checked wth SIOCIPFINTERROR 1243530258 error routine that uses fd required 1253530253 inadequate function comment blocks 1263530249 walking lookup tables leaks memory 1273530241 extra lock padding required for freebsd 1283529901 ipf returns 0 when rules fail to load 1293529491 checksum validation could be better 1303529486 tcp checksum wrong for ipv6 1313533779 ipv6 nat rules missing inet6 keyword 1323532693 ipnat.conf rejects some ipv6 addresses 1333532691 ipv4 should not be forced for icmp 1343532689 ipv6 nat rules do not print inet6 1353532688 ipv6 address always printed with "to <if>" 1363532687 with v6hdrs not supported like with ipopts 1373532686 ipf expressions do not work with ipv6 1383540825 whois output parsing error for ipv6 1393540818 NAT for certain IPv6 ICMP packets should not be allowed 1403540815 memory leak with destination lists 1413540814 ipfd_lock serves no purpose 1423540810 lookup objects need tail pointers 1433540809 refactor hash table lookups for nat 1443540808 completed tokens do not stop iteration 1453530492 address hash table name not used 1463528029 ipmon bad-mutex panic 1473530256 hook memory leaked 1483530271 pools parsing produces badly formed address structures 1493488061 cleanup for illumos build 1503484434 SIOCIPFINTERROR must work for all devices 1513484067 mandoc -Tlint warnings to be fixed 1523483343 compile warning in ipfcomp.c 1533482893 building without IPFILTER_LOG fails 1543482765 building netbsd kernel without inet6 fails 1553482116 ipf_check frees packet from ipftest 1563481663 does not compile on solaris 11 157 1585.1.1 - RELEASED - 9 May 2012 159 1603481322 ip_fil_compat.c needs a cleanup 1613481211 add user errors to dtrace 1623481152 compatibility for 4.1 needs more work 1633481153 PRIu64 problems on FreeBSD 1643481155 ipnat listing incorrect 1653480543 change leads to compat problems 1663480538 compiler errors from earlier patch 1673480537 ipf_instance_destroy is incomplete 1683480536 _fini order leads to panic 1693479991 compiler warnings about size mismatches 1703479974 copyright dates are wrong (fix) 1713479464 add support for leaks testing 1723479457 %qu is not the prefered way 1733479451 iterators leak memory 1743479453 nat rules with pools leak 1753479454 memory leak in hostmap table 1763479461 load_hash uses memory after free 1773479462 printpool leaks memory 1783479452 missing FREE_MB_T to freembt leaks 1793479450 ipfdetach is called when detached 1803479448 group mapping rules memory leak 1813479455 memory leak from tuning 1823479458 ipf must be running in global zone 1833479460 driver replace is wrong 1843479459 radix tree tries to free null pointer 1853479463 rwlock emulation does not free memory 1863479465 parser leaks memory 1873475959 hardware checksum not correctly used 1883475426 ip pseudo checksum wrong 1893473566 radix tree does not delete dups right 1903472987 compile is not clean 1913472337 not everything is zero'd 1923472344 interface setup needs to be after insert 1933472340 wildcard counter drops twice 1943472338 change fastroute interface 1953472335 kernel lock defines not placed correctly 1963472324 ICMP INFOREQ/REPLY not handled 1973472330 multicast packets tagged by address 1983472333 ipf_deliverlocal called incorrectly 1993472345 mutex debug could be more granular 2003472761 building i19 regression is flawed 2013456457 use of bsd tree.h needs to be removed 2023460522 code cleanup required for building on freebsd 2033459734 trade some cpu for memory 2043457747 build errors introduced with radix change 2053457804 build errors from removal of pcap-int,h 2063440163 rewrite radix tree 2073428004 snoop, tcpdump, etherfind readers are unused 2083439495 ipf_rand_push never called (fix brackets) 2093437732 getnattype does not need to use ipnat_t (fix variable name) 2103437696 fr_cksum is a nightmare 2113439061 ipf_send_ip doesn't need 3rd arg 2123439059 ipid needs to be file local 2133437740 complete buildout of fnew 2143438575 add dtrace probes to block events 2153438347 comment blocks missing softc 2163437687 description of ipf_makefrip wrong 2173438340 more stats as dtrace probes 2183438316 free on nat structure uses fixed size 2193437745 nat iterator using the wrong size 2203437710 fail checksum verification if packet is short 2213437696 fr_cksum is a nightmare 2223437732 getnattype does not need to use ipnat_t 2233437735 rename ipf_allocmbt to allocmbt 2243437697 fr_family to version assignment is wrong 2253437746 ap_session_t has unused fields 2263437747 move softc structure to .h file (ip_state.c) 2273437704 there is no DTRACE_PROBE5 2283437748 wrong interface in qpktinfo_t 2293437729 create function to hexdump mb_t 2303438273 msgdsize should be easier to read 2313437683 object direction not set for 32bit 2323433767 calling ip_cksum could be easier 2333433764 left over locking 2343428015 printing proxy data size is useless 2353428013 add M_ADJ to hide adjmsg/m_adj 2363428012 interface name is not always returned correctly 2373428002 ip_ttl is too low 2383427997 ipft readers do not set buffer length 2393426558 resistence is futile 2403424495 various copy-paste errors 2411826936 shall we allow ipf to be as dumb as its admin 2423424477 specfuncs needs to go 2433424484 missing fr_checkv6sum 2443424478 one entry at a time 2452998760 auth rules do not mix well with to/dup-to/fastroute 2463424195 add ctfmerge to sunos5 makefile 2473424132 some dtrace probes to start with 2483423812 makefile needs ip_frag.h for some files 2493423817 reference count useful in verbose output 2503423800 walking lists does not drop reference 2513423805 fragmentation stats not reported correclty 2523423808 ip addresses reportied incorrectly with ipfstat -f 2533423821 track packets and bytes for fragmentation 2543423803 attempt to double free rule 2553423805 fragmentation stats not reported correctly 2563422712 system panic with ipfstat -f 2573422619 pullup counter bumped for every packet 2583422608 dummy rtentry required to build 2593422018 frflush next to ipf_fini_all is redundant 2603422012 instance cleanup is not clean 2613421845 instance name not set 2623005622 ip_fil5.1.0 does not load on Solaris 10 U8 2632976332 stateful filtering is incompatible with ipv4 options 2643387509 ipftest needs help construction ip packets with options 2652998746 passp can never be null 2663064034 mbuf clobbering problem with ipv6 2673105725 ipnat divide by zero panic 2682998750 ipf_htent_insert can leak memory 2693064034 mbuf clobbering problem with ipv6 2703105725 ipnat divie by zero panic 271 2725.1 - RELEASED - 9 May 2010 273 274* See WhatsNew50.txt 275 2764.1 - RELEASED - 12 February 2004 277 2784.0-BETA1 20 August 2003 279 280support 0/32 and 0/0 on the RHS in redirect rules 281 282where LHS and RHS netmasks are the same size for redirect, do 1:1 mapping 283for bimap rules. 284 285allow NAT rule to match 'all' interfaces with * as interface name 286 287do mapping of ICMP sequence id#'s in pings 288 289allow default age for NAT entries to be set per NAT rule 290 291provide round robin selection of destination addresses for redirect 292 293ipmon can load a configuration file with instructions on actions 294to take when a matching log entry is received 295 296now requires pfil to work on Solaris & HP-UX 297 298supports mapping outbound connections to a specific address/port 299 300support toggling of logging per ipfilter 'device' 301 302use queues to expire data rather than lists 303 304add MSN RPC proxy 305 306add IRC proxy 307 308support rules with dynamic ip addresses 309 310add ability to define a pool of addresses & networks which can then 311be placed in a single rule 312 313support passing entire packet back to user program for authentication 314 315support master/slave for state information sharing 316 317reorganise generic code into a lib directory and make libipf.a 318 319user programs enforce version matching with the kernel 320 321supports window scaling if seen at TCP session setup 322 323generates C code from filter rules to compile in or load as native 324machine code. 325 326supports loading rules comprised of BPF bytecode statements 327 328HP-UX 11 port completed 329 330and packets-per-second filtering 331 332add numerical tags to rules for filtering and display in ipmon output 333 3343.4.4 23/05/2000 - Released 335 336don't add TCP state if it is an RST packet and (attempt) to send out 337RST/ICMP packets in a manner that bypasses IP Filter. 338 339add patch to work with 4.0_STABLE delayed checksums 340 3413.4.3 20/05/2000 - Released 342 343fix ipmon -F 344 345don't truncate IPv6 packets on Solaris 346 347fix keep state for ICMP ECHO 348 349add some NAT stats and use def_nat_age rather than DEF_NAT_AGE 350 351don't make ftp proxy drop packets 352 353use MCLISREFERENCED() in tandem with M_EXT to check if IP fields need to be 354swapped back. 355 356fix up RST generation for non-Solaris 357 358get "short" flag right for IPv6 359 3603.4.2 - 10/5/2000 - Released 361 362Fix bug in dealing with "hlen == 1 and opt > 1" - Itojun 363 364ignore previous NAT mappings for 0/0 and 0/32 rules 365 366bring in a completely new ftp proxy 367 368allow NAT to cause packets to be dropped. 369 370add NetBSD callout support for 1.4-current 371 3723.4.1 - 30/4/2000 - Released 373 374add ratoui() and fix parsing of group numbers to allow 0 - UINT_MAX 375 376don't include opt_inet6.h for FreeBSD if KLD_MODULE is defined 377 378Solaris must use copyin() for all types of ioctl() args 379 380fix up screen/tty when leaving "top mode" of ipfstat 381 382linked list for maptable not setup correctly in nat_hostmap() 383 384check for maptable rather than nat_table[1] to see if malloc for maptable 385succeeded in nat_init 386 387fix handling of map NAT rules with "from/to" host specs 388 389fix printout out of source address when using "from/to" with map rules 390 391convert ip_len back to network byte order, not plen, for solaris as ip_len 392may have been changed by NAT and plen won't reflect this 393 3943.4 - 27/4/2000 - Released 395 396source address spoofing can be turned on (fr_chksrc) without using 397filter rules 398 399group numbers are now 32bits in size, up from 16bits 400 401IPv6 filtering available 402 403add frank volf's state-top patches 404 405add load splitting and round-robin attribute to redirect rules 406 407FreeBSD-4.0 support (including KLD) 408 409add top-style operation mode for ipfstat (-t) 410 411add save/restore of IP Filter state/NAT information (ipfs) 412 413further ftp proxy security checks 414 415support for adding and removing proxies at runtime 416 4173.3.13 26/04/2000 - Released 418 419Fix parsing of "range" with "portmap" 420 421Relax checking of ftp replies, slightly. 422 423Fix NAT timeouts for ICMP packets 424 425SunOS4 patches for ICMP redirects from Jurgen Keil (jk@tools.de) 426 4273.3.12 16/03/2000 - Released 428 429tighten up ftp proxy behaviour. sigh. yuck. hate. 430 431fix bug in range check for NAT where the last IP# was not used. 432 433fix problem with icmp codes > 127 in filter rules caused bad things to 434happen and in particular, where #18 caused the rule to be printed 435erroneously. 436 437fix bug with the spl level not being reset when returning EIO from 438iplioctl due to ipfilter not being initialized yet. 439 4403.3.11 04/03/2000 - Released 441 442make "or-block" work with lines that start with "log" 443 444fix up parsing and printing of rules with syslog levels in them 445 446fix from Cy Schubert for calling of apr_fini only if non-null 447 448 4493.3.10 24/02/2000 - Released 450 451* fix back from guido for state tracking interfaces 452 453* update for NetBSD pfil interface changes 454 455* if attaching fails and we can abort, then cleanup when doing so. 456 457julian@computer.org: 458* solaris.c (fr_precheck): After calling freemsg on mt, set it point to *mp. 459* ipf.c (packetlogon): use flag to store the return value from get_flags. 460* ipmon.c (init_tabs): General cleanup so we do not have to cast 461 an int s->s_port to u_int port and try to check if the u_int port 462 is less than zero. 463 4643.3.9 15/02/2000 - Released 465 466fix scheduling of bad locking in fr_addstate() used when we attach onto 467a filter rule. 468 469fix up ip_statesync() with storing interface names in ipstate_t 470 471fix fr_running for LKM's - Eugene Polovnikov 472 473junk using pullupmsg() for solaris - it's next to useless for what we 474need to do here anyway - and implement what we require. 475 476don't call fr_delstate() in fr_checkstate(), when compiled for a user 477program, early but when we're finished with it (got fr & pass) 478 479ipnat(5) fix from Guido 480 481on solaris2, copy message and use that with filter if there is another 482copy if it being used (db_ref > 1). bad for performance, but better 483than causing a crash. 484 485patch for solaris8-fcs compile from Casper Dik 486 4873.3.8 01/02/2000 - Released 488 489fix state handling of SYN packets. 490 491add parsing recognition of extra icmp types/codes and fix handling of 492icmp time stamps and mask requests - Frank volf 493 4943.3.7 25/01/2000 - Released 495 496sync on state information as well as NAT information when required 497 498record nat protocol in all nat log records 499 500don't reuse the IP# from an active NAT session if the IP# in the rule 501has changed dynamically. 502 503lookup the protocol for NAT log information in ipmon and pass that to 504portname. 505 506fix the bug with changing the outbound interface of a packet where it 507would lead to a panic. 508 509use fr_running instead of ipl_inited. (sysctl name change on freebsd) 510 511return EIO if someone attempts an ioctl on state/nat if ipfilter is not 512enabled. 513 514fix rule insertion bug 515 516make state flushing clean anything that's not fully established (4/4) 517 518call fr_state_flush() after we've released ipf_state so we don't generate 519a recursive mutex acquisition panic 520 521fix parsing of icmp code after return-icmp/return-icmp-as-dest and add 522some patches to enhance parsing strength 523 5243.3.6 28/12/1999 - Released 525 526add in missing rwlock release in fr_checkicmpmatchingstate() and fix check 527for ICMP_ECHO to only be for packet, not state entry which we don't have yet. 528 529handle SIOCIPFFB in nat_ioctl() and fr_state_ioctl() 530 531fix size of friostat for SunOS4 532 533fix bug in running off the end of a buffer in real audio proxy 534 5353.3.5 11/12/1999 - Released 536 537fix parsing of "log level" and printing it back out too 538 539<net/if_types.h> is only present on Solaris2.6/7/8 540 541use send_icmp_err rather than icmp_error to send back a frag-needed error 542when doing PMTU 543 544do not use -b with add_drv on Solaris unless $BASEDIR is set. 545 546fix problem where source address in icmp replies is reversed 547 548fix yet another problem with real audio. 549 5503.3.4 4/12/1999 - Released 551 552fix up the real audio proxy to properly setup state information and NAT 553entries, thanks to Laine Stump for testing/advice/fixes. 554 555fix ipfr_fastroute to set dst->sin_addr (Sean Farley - appears to prevent 556FreeBSD 3.3 from panic'ing) as this had been removed in prior hacks to this 557routine. 558 559fix kinstall for BSDI 560 561support ICMP errors being allowed through for ICMP packets going out with 562keep state enabled 563 564support hardware checksumming (gigabit ethernet cards) on Solaris thanks to 565Tel.Net Media for providing hardware for testing. 566 567patched from Frank Volf for ipmon (ICMP & fragmented packets) and allowing 568ICMP responses to ICMP packets in the keep state table. 569 570add in patches for hardware checksumming under solaris 571 572Solaris install scripts now use $BASEDIR as appropriate. 573 574add Solaris8 support 575 576fix "ipf -y" on solaris so that it rescans rules also for changes in 577interface pointers 578 579let ipmon become a daemon with -D if it is using syslog 580 581fix parsing of return-icmp-as-dest(foo) 582 583add reference to ipfstat -g to ipfstat.8 584 585ipf_mutex needs to be declared for irix in ip_fil.c 586 5873.3.3 22/10/1999 - Released 588 589add -g command line option to ipfstat to show groups still define. 590 591fix problem with fragment table not recording rule pointer when called 592from state functions (fin_fr not set). 593 594fixup fastroute problems with keep state rules. 595 596load rules into inactive set first, so we don't disable things like NIS 597lookups half way through processing - found by Kevin Littlejohn 598 599fix handling of unaligned ip pointer for solaris 600 601patch for fr_newauth from Rudi Sluijtman 602 603fixed htons() bug in fr_tcpsum() where ip_p wasn't cast to u_short 604 6053.3.2 23/09/1999 - Released 606 607patches from Scott Presnell to fix rcmd proxy 608 609patches from Greg to fix Solaris detachment of interfaces 610 611add openbsd compatibility fixes 612 613fix free'ing already freed memory in ipfr_slowtimer() 614 615fix for deferencing invalid memory in cleaning up after a device disappears 616 6173.3.1 14/8/1999 - Released 618 619remove include file sys/user.h for irix 620 621prevent people from running buildsunos directly 622 623fix up some problems with the saving of rule pointers so that NAT saves 624that information in case it should need to call fr_addstate() from a proxy. 625 626fix up scanning for the end of FTP messages 627 628don't remove /etc/opt/ipf in postremove 629 630attempt to prevent people running buildsolaris script without doing a 631"make solaris" 632 633fix timeout losing on freebsd3 634 6353.3 7/8/1999 - Released 636 637NAT: information (rules, mappings) are stored in hash tables; setup some 638basic NAT regression testing. 639 640display version name of installed kernel code when initializing. 641 642add -V command line option to ipf, showing version (program and kernel 643module) as well as the run-status of the kernel code. 644 645fix problem with "log" rules actually affecting result of filtering. 646 647automatically use SUNWspro if available and on a 64bit Solaris system for 648compiling. 649 650add kernel proxies for rcmd(3) and RealAudio (PNA) 651 652use timeout/untimeout on SunOS4/BSD platforms too rather than hijacking 653ip_slowtimo 654 655fix IP headers generated through parsing of text information 656 657fix NAT rules to be in the correct order again. 658 659make keep-state work with to/fastroute keywords and enforce usage of those 660interfaces. 661 662update keep-state code with new algorithm from Guido 663 664add FreeBSD-3 support 665 666add return-icmp-as-dest option to retrun an ICMP packet using the original 667destination as the source rather than a local IP address 668 669add "level [facility.]<priority>" option to filter language 670 671add changes from Guido to state code. 672 673add code to return EPERM if the device is opened for writing and we're 674in securelevel 2 or greater. 675 676authentication code patches from Guido 677 678fix real audio proxy 679 680fix ipmon rule printing of interfaces and add IN/OUT to the end of ipmon 681log output. 682 683fix bimap rules with hash tables 684 685update addresses used in NAT mappings for 0/32 rules for any protocol but TCP 686if it changes on the interface - check every ip_natexpire() 687 688add redirect regression test 689 690count buckets used in the state hash table. 691 692fix sending of RST's with return-rst to use the ack number provided in 693the packet being replied to in addition to the sequence number. 694 695fix to compile as a 64bit application on solaris7-64bit 696 697add NAT IP mapping to ranges of IP addresses that aren't CIDR specified 698 699fix calculation of in_space parameter for NAT 700 701fix `wrapping' when incrementing the next ip address for use in NAT 702 703fix free'ing of kernel memory in ip_natunload on solaris 704 705fix -l/-U command line options from interfering with each other 706 707fix fastroute under solaris2 and cleanup compilation for solaris7 708 709add install scripts and compile cleanly on BSD/OS 4.0 710 711safely open files in /tmp for writing device output when testing. 712 713fix uninitialized pointer bug in NAT 714 715fix SIOCZRLST (zero list rule stats) bug with groups 716 717change some usage of u_short to u_int in function calling 718 719fix compilation for Solaris7 (SUNWspro) 720 721change solaris makefiles to build for either sparc or i386 rather than 722per-cpu (sun4u, etc). 723 724fixed bug in ipllog 725 726add patches from George Michaelson for FreeBSD 3.0 727 728add patch from Guido to provide ICMP checking for known state in the same 729manner as is done for NAT. 730 731enable FTP PASV proxying and enable wildcarding in NAT/state code for ports 732for better PORT/PASV support with FTP. 733 734bring into main tree static nat features: map-block and "auto" portmapping. 735 736add in source host filtering for redirects (alan jones) 737 7383.2.10 22/11/98 - Released 739 7403.2.10beta9 17/11/98 - Released 741 742fix fr_tcpsum problems in handling mbufs with an odd number of bytes 743and/or split across an mbuf boundary 744 745fix NAT list entry comparisons and allow multiple entries for the same 746proxy (but on different ports). 747 748don't create duplicate NAT entries for repeated PORT commands. 749 7503.2.10beta8 14/11/98 - Released 751 752always exit an rwlock before expecting to enter it again on solaris 753 754fix loop in nat_new for pre-existing nat 755 756don't setup state for an ftp connection if creating nat fails. 757 7583.2.10beta7 05/11/98 - Released 759 760set fake window in ipft_tx.c to ensure code passes tests. 761 762cleaned up/enhanced ipnat -l/ipnat -lv output 763 764fixed NAT handling of non-TCP/UDP packets, esp. for ICMP errors returned. 765 766Solaris recusive mutex on icmp-error/tcp-reset - requires rwlock's rather 767than mutexes. 768 7693.2.10beta6 03/11/98 - Released 770 771fix mixed use of krwlock_t and kmutex_t on Solaris2 772 773fix FTP proxy back up, splitting pasv code out of port code. 774 7753.2.10beta5 02/11/98 - Released 776 777fixed port translation in ICMP reply handling 778 7793.2.10beta4 01/11/98 - Released 780 781increase useful statistic collection on solaris 782 783filter DL_UNITDATA_REQ as well as DL_UNITDATA_IND on solaris 784 785disable PASV reply translation for now 786 787fail with an error if we try to load a NAT rule with a non-existant 788 proxy name - Guido 789 790fix portmap usage with 0/0 and 0/32 map rules 791 792remove ap_unload/ap_expire - automatically done when NAT is cleaned up 793 794print "STATE:CLOSED" from ipmon if the connection progresses past established 795 rather than "STATE:EXPIRED" 796 7973.2.10beta3 26/10/98 - Released 798 799fixed traceroute/nat problem 800 801rewrote nat/proxy interface 802 803ipnat now lists associated proxy sessions for each NAT where applicable 804 8053.2.10beta2 13/10/98 - Released 806 807use KRWLOCK_T in place of krwlock_t for solaris as well as irix 808 809disable use of read-write lock acquisition by default 810 811add in mb_t for linux, non-kernel 812 813some changes to progress compilation on linux with glibc 814 815change PASV as well as PORT when passed through kernel ftp proxy. 816 817don't allow window to become 0 in tcp state code 818 819make ipmon compile cleaner 820 821irix patches 822 8233.2.10beta 11/09/98 - Released 824 825stop fr_tcpsum() thinking it has run out of data when it hasn't. 826 827stop solaris panics due to fin_dp being something wild. 828 829revisit usage of ATOMIC_*() 830 831log closing state of TCP connection in "keep state" 832 833fix fake-arp table code for ipsend. 834 835ipmon now writes pid to a file. 836 837fix "ipmon -a" to actually activate all logging devices. 838 839add patches for BSDOS4. 840 841perl scripts for log analysis donated. 842 8433.2.9 22/06/98 - Released 844 845fix byte order for ICMP packets generated on Solaris 846 847fix some locking problems. 848 849fix malloc bug in NAT (introduced in 3.2.8). 850 851patch from guido for state connections that get fragmented 852 8533.2.8 08/06/98 - Released 854 855use readers/writers locks in Solaris2 in place of some mutexes. 856 857Solaris2 installation enhancements - Martin Forssen (maf@carlstedt.se) 858 8593.2.7 24/05/98 - Released 860 861u_long -> u_32_t conversions 862 863patches from Bernd Ernesti for NetBSD 864 865fixup ipmon to actually handle HUP's. 866 867Linux fixes from Michael H. Warfield (mhw@wittsend.com) 868 869update for keep state patch (not security related) - Guido 870 871dumphex() uses stdout rather than log 872 8733.2.6 18/05/98 - Released 874 875fix potential security loop hole in keep state code. 876 877update examples. 878 8793.2.5 09/05/98 - Released 880 881BSD/OS 3.1 .o files added for the kernel. 882 883fix sequence # skew vs window size check. 884 885fix minimum ICMP header size check. 886 887remove references to Cybersource. 888 889fix my email address. 890 891remove ntohl in ipnat - Thomas Tornblom 892 8933.2.4 09/04/98 - Released 894 895add script to make devices for /dev on BSD boxes 896 897fixup building into the kernel for FreeBSD 2.2.5 898 899add -D command line option to ipmon to make it a daemon and SIGHUP causes 900it to close and reopen the logfile 901 902fixup make clean and make package for SunOS5 - Marc Boucher 903 904postinstall keeps adding "minor=ipf ipl" - George Ross <gdmr@dcs.ed.ac.uk> 905 906protected by IP Filter gif - Sergey Solyanik <solik@atom.ru> 907 9083.2.3 10/11/97 - Released 909 910fix some iplang bugs 911 912fix tcp checksum data overrun, sgi #define changes, 913avoid infinite loop when nat'ing to single IP# - Marc Boucher 914 915fixup DEVFS usage for FreeBSD 916 917fix sunos5 "make clean" cleaning up too much 918 9193.2.2 28/11/97 - Released 920 921change packet matching to return actual error, if bad packet, to facilitate 922ECONNRESET for TCP. 923 924allow ip:netmask in grammar too now - Guido 925 926assume IRIX has u_int32_t in sys/types.h (needed for R10000) 927 928rewrite parts of command line options for ipmon 929 930fix TCP urgent packet & offset testing and add LAND attack test for iptest 931 932fix grammar error in yacc grammar for iplang 933 934redirect (rdr) destination port bytes-wapped when it shouldn't be. 935 936general: fr_check now returns error code, such as EHOSTUNREACH or 937ECONNRESET (attempt to make ECONNRESET work for locally outbound 938packets). 939 940linux: enable return-rst, need to filter tcp retransmits which are sent 941 separately from normal packets 942 943memory leak plugged in ip_proxy.c 944 945BSDI compatibility patches from Guido 946 947tcp checksum fix - Marc Boucher 948 949recursive mutex and ioctl param fix - Marc Boucher 950 9513.2.1 12/11/97 - Released 952 953port to BSD/OS 3.0 954 955port to Linux 2.0.31 956 957patches to make "map a/m -> 0/0" work with ftp proxying properly - Marc Boucher 958 959add "ipf -F s" and "ipf -F S" to flush state table entries. 960 961announce if logging is on or off when ip filter initializes. 962 963"ipf -F a" doesn't flush groups properly for Solaris. 964 9653.2 30/10/97 - Released 966 967ipnat doesn't successfully remove proxy mappings with "-rf" - 968Alexander Romanyu 969 970use K&R C function style for solaris kernel code 971 972use m_adj() to decrease packet size in ftp proxy 973 974use mbufchainlen rather than msgdsize, 975IRIX update - Marc Boucher 976 977fix NetBSD modunload bug (pfil_add_hook done twice) 978 979patches for OpenBSD 2.1 - Craig Bevins <craigb@bitcom.net.au> 980 9813.2beta10 24/10/97 - Released 982 983fix fragment table entries allocated for NAT. 984 985fix tcp checksum calculations over mbuf/mblk boundaries 986 987fix panic for blen < 0 in ftp kernel proxy - marc boucher 988 989fix flushing of rules which have been grouped. 990 9913.2beta9 20/10/97 - Released 992 993some nit picking on solaris2 with SUNWspro - Michael Lyle <mrl@rpnet.net> 994 995ftp kernel proxy patches from Marc Boucher 996 9973.2beta8 13/10/97 - Released 998 999add support for passing ICMP errors back through NAT. 1000 1001IRIX port update - Marc Boucher 1002 1003calculate correct MIN size of packet to log for UDP - Marc Boucher 1004 1005need htons(ETHERTYPE_x) on little endian BSD boxes - Dave Huang 1006 1007copyright header fixups 1008 10093.2beta7 23/09/97 - Released 1010 1011fickup problems introduced by prior merges & changes. 1012 10133.2beta6 23/09/97 - Released 1014 1015patch for spin-reading race condition - Marc Boucher. 1016 1017IRIX port by Marc Boucher. 1018 1019compatibility updates for Linux to ipsend 1020 10213.2beta5 13/09/97 - Released 1022 1023patches from Bernd Ernesti for NetBSD integration (mostly prototyping and 1024compiler warning things) 1025 1026ipf -y will resync IP#'s allocated with 0/32 in NAT to match interface if it 1027changes. 1028 1029update manual pages and other documentation updates. 1030 10313.2beta4 27/8/97 - Released 1032 1033enable setting IP and TCP options for iplang/ 1034 1035Solaris2 patches from Marc Boucher. 1036 1037add groups for filter rules. 1038 10393.2beta3 21/8/97 - Released 1040 1041patches for Solaris2 (interface panic solution ?): fix FIONREAD and 1042replacing q_qinfo points - Marc Boucher <marc@CAM.ORG> 1043 1044change ipsend/* and ipsd/* copyright notices to be the same as ip filter's 1045 1046patch for SYN-ACK skew testing fix from Eric V. Smith <EricSmith@windsor.com> 1047 10483.2beta2 6/8/97 - Released 1049 1050make it load on Solaris 2.3 1051 1052rewrote logging to remove solaris errors, introduced checking to see if the 1053same packet is logged successively. 1054 1055fix filter cache to work when there are no rules loaded. 1056 1057add "raw" option to ipresend to send entire ethernet frames. 1058 1059nat list corruption bug - NetBSD - Klaus Klein 1060 10613.2beta1 5/7/97 - Released 1062 1063patches from Jason Thorpe fixing: UNSIGNED_CHAR lossage, off_t being 64bits 1064lossage, and other NetBSD bits. 1065 1066NetBSD 1.2G update. 1067 1068fixup fwtk patches and add protocol field for SIOCGNATL. 1069 1070rdr bugs reported by Alexander Romanyu (alexr@aix.krid.crimea.ua), with 1071fixes: 1072* rdr matched all packets of a given protocol (ignored ports). 1073* severe bug in nat_delete which caused system crash/freeze. 1074 1075change Makefile so that CC isn't passed on for FreeBSD/NetBSD (will use 1076the default CC - cc, not gcc) 1077 10783.2alpha9 16/6/97 - Released 1079 1080added "skip" keyword. 1081 1082implement preauthentication of packets, as outlined by Guido. 1083 1084Make it compile as cleanly as possible with -Wall & general code cleanup 1085 1086getopt returns int, not char. Bernd Ernesti 1087 10883.2alpha8 13/6/97 - Released 1089 1090code added to support "auth" rules which require a user program to allow them 1091through. First revision and much of the code came from Guido. 1092 1093hex output from ipmon doesn't goto syslog when recovering from out of sync 1094error. Luke Mewburn (lukem@connect.com.au) 1095 1096fix solaris2.6 lookup of destination ire's. 1097 1098ipnat doesn't throw away unused bits (after masking), causing it to 1099behave incorrectly. Carson Gaspar 1100 1101NAT code doesn't include inteface name when matching - Alexey Mavrin 1102<lha@elco.spb.ru> 1103 1104replace old SunOS tcpip.h with new tcpip.h (from 4.4BSD) - Jason Thorpe. 1105 1106update install procedures to include ip_proxy.c 1107 1108mask out unused bits in NAT/RDR rules. 1109 1110use a generic type (u_32_t) for 32bit variables, rather than rely on 1111u_long being such - Jason Thorpe. 1112 1113create a local "netinet" directory and include from ~netinet/*" rather than 1114just "*" to make keeping the code working on ports easier. 1115 1116add an m_copydata and m_copyback for SunOS4 (based on 4.4BSD-Lite versions) 1117 1118documentation updates. 1119 1120NetBSD update from Jason Thorpe <thorpej@netbsd.org> 1121 1122allow RST's through with a matching SEQ # and 0 ACK. Guido Van Rooij 1123 1124ipmon uses excessive amounts of CPU on Solaris2 - Reinhard Bertram 1125<Reinhard.Bertram@KOM.th-darmstadt.de> 1126 11273.2alpha7 25/5/97 - Released 1128 1129add strlen for pre-2.2 kernels - Doug Kite <dkite@websgi.icomnet.com> 1130 1131setup bits and pieces for compiling into a FreeBSD-2.2 kernel. 1132 1133split up "bsd" targets. Now a separate netbsd/freebsd/bsd target. 1134mln_ipl.c has been split up into itself and mlf_ipl.c (for freebsd). 1135 1136fix (negative) host matching in filtering. 1137 1138add sysctl interface for some variables when compiled into FreeBSD-2.2 kernels 1139or later. 1140 1141make all the candidates for kernel compiling include "netinet/..." and build 1142a subdirectory "netinet" when compiling and symlink all .h files into this. 1143 1144add install make target to Makefile.ipsend 1145 11463.2alpha6 8/5/97 - Released 1147 1148Add "!" (not) to hostname/ip matching. 1149 1150Automatically add packet info to the fragment cache if it is a fragment 1151and we're translating addreses for. 1152 1153Automatically add packet info to the fragment cache if it is a fragment 1154and we're "keeping state" for the packet. 1155 1156Solaris2 patches - Anthony Baxter (arb@connect.com.au) 1157 1158change install procedure for FreeBSD 2.2 to allow building to a kernel 1159which is different to the running kernel. 1160 1161add FIONREAD for Solaris2! 1162 1163when expiring NAT table entries, if we would set a time to fr_tcpclosed 1164(which is 1), make it fr_tcplaskack(20) so that the state tables have a 1165chance to clear up. 1166 11673.2alpha5 1168 1169add proxying skeleton support and sample ftp transparent proxy code. 1170 1171add printfs at startup to tell user what is happening. 1172 1173add packets & bytes for EXPIRE NAT log records. 1174 1175fix the "install-bsd" target in the root Makefile. Chris Williams 1176<psion@mv.mv.com> 1177 1178Fixes for FreeBSD 2.2 (and later revs) to prevent panics. Julian Assange. 1179 11803.2alpha4 2/4/97 - Released 1181 1182Some compiler warnings cleaned up. 1183 1184FreeBSD-2.2 patches for LKM completed. 1185 11863.2alpha3 31/3/97 - Released 1187 1188ipmon changes: -N for reading NAT logfile, -S for reading state logfile. 1189-a for reading all. -n now toggles hostname resolution. 1190 1191Add logging of new state entries and expiration of old state entries. 1192count log successes and failures. 1193 1194Add logging of new NAT entries and expiration of old NAT entries. 1195count log successes and failures. 1196 1197Use u_quad_t for records of bytes & packets where kept 1198(IP Accounting: fr_hits, fr_bytes; IP state: is_pkts, is_bytes). 1199 1200Fixup use of CPU and DCPU in Makefiles. 1201 1202Fix broken 0/32 NAT mapping. Carl Makin <cmakin@nla.gov.au> 1203 12043.2alpha2 1205 1206Implement mapping to 0/32 as being an alias for automatically using the 1207interface's first IP address. 1208 1209Implement separate minor devices for both NAT and IP state code. 1210 1211Fully prototype all functions. 1212 1213Fix Makefile problem due to attempt to fix Sun compiling problems. 1214 12153.1.10 23/3/97 - Released 1216 1217ipfstat -a requires a -i or -o command line option too. Print an error 1218when not present rather than attempt to do something. 1219 1220patch updates for SunOS4 for kernel compiling. 1221patch for ipmon -s (flush's syslog file which isn't good). Andrew J. Schorr 1222<schorr@ead.dsa.com> 1223 1224too many people hit their heads hard when compiling code into the kernel 1225that doesn't let any packets through. (fil.c - IPF_NOMATCH) 1226 1227icmp-type parsing doesn't return any errors when it isn't constructed 1228correctly. Neil Readwin 1229 1230Using "-conf" with modload on SunOS4 doesn't work. 1231Timothy Demarest <demarest@arraycomm.com> 1232 1233Need to define ARCH in makefile for SunOS4 building. "make sunos4" 1234in INSTALL.SunOS is incorrect. James R Grinter <jrg@blodwen.demon.co.uk> 1235[all SunOS targets now run buildsunos] 1236 1237NAT lookups are still incorrect, matching non-TCP/UDP with TCP/UDP 1238information. ArkanoiD <ark@paranoid.convey.ru> 1239 1240Need to check for __FreeBSD_version being 199511 rather than 199607 1241in mln_ipl.c. Eric Feillant <Eric.Feillant@EUnet.fr> 1242 12433.1.9 8/3/97 - Released 1244 1245fixed incorrect lookup of active NAT entries. 1246 1247patch for ip_deq() wrong for pre 2.1.6 FreeBSD. 1248fyeung@fyeung8.netific.com (Francis Yeung) 1249 1250check for out with return-rst/return-icmp at wrong place - Erkki Ritoniemi 1251(erkki@vlsi.fi) 1252 1253text_readip returns the interface pointer pointing to text on stack - 1254Neil Readwin 1255 1256fix from Pradeep Krishnan for printout rules "with not opt sec". 1257 12583.1.8 18/2/97 - Released 1259 1260Diffs for ip_output.c and ip_input.c updated to fix bug with fastroute and 1261compiling warnings about reuse of m0. 1262 1263prevent use of return-rst and return-icmp with rules blocking packets going 1264out, preventing panics in certain situations. 1265 1266loop forms in frag cache table - Yury Pshenychny <yura@rd.zgik.zaporizhzhe.ua> 1267 1268should use SPLNET/SPLX around expire routines in NAT/frag/state code. 1269 1270redeclared malloc in 44arp.c - 1271 12723.1.7 8/2/97 - Released 1273 1274Macros used for ntohs/htons supplied with gcc don't always work very well 1275when the assignment is the same variable being converted. 1276 1277Filter matching doesn't not match rule which checks tcp flags on packets 1278which are fragments - David Wilson 1279 12803.1.7beta 30/1/97 - Released 1281 1282Fix up NAT bugs introduced in last major change (now tested), including 1283nat_delete(), nat_lookupredir(), checksum changes, etc. 1284 12853.1.7alpha 30/1/97 - Released 1286 1287Many changes to NAT code, including contributions from Laurent Joncheray 1288<lpj@ans.net> 1289 1290Use "NO_SLEEP" when allocating memory under SunOS. 1291 1292Make kernel printf's nicer for BSD/SunOS4 1293 1294Always do a checksum for packets being filtered going out and being 1295processed by fastroute. 1296 1297Leave kernel to play with cdevsw on *BSD systems with LKM's. 1298 1299ipnat.1 man page fixes. 1300 13013.1.6 21/1/97 - Released 1302 1303Allow NAT to work on BSD systems in conjunction with "pass .. to ifname" 1304 1305Memory leak introduced in 3.1.3 in NAT lists, clearing of NAT table tried 1306to free memory twice. 1307 1308NAT recalculates IP header checksum based on difference between IP#'s and 1309port numbers - should be just IP#'s (Solaris2 only) 1310 13113.1.5 13/1/97 - Released 1312 1313fixed setting of NAT timeouts and use different timeouts for concurrent 1314TCP sessions using the same IP# mapping (when port mapping isn't used) 1315 1316multiple loading/unloading of LKM's doesn't clean up cdevsw properly for 1317*BSD systems. 1318 13193.1.4 10/1/97 - Released 1320 1321add command line options -C and -F to ipnat to flush NAT list and table 1322 1323ipnat -l loops on output - Neil Readwin (nreadwin@nysales.micrognosis.com) 1324 1325NetBSD/FreeBSD kernel malloc changes - Daniel Carosone 1326 13273.1.3 10/1/97 - Released 1328 1329NAT chains not constructed correctly in hash tables - Antony Y.R Lu 1330(antony@hawk.ee.ncku.edu.tw) 1331 1332Updated INSTALL.NetBSD, INSTALL.FreeBSD and INSTALL.Sol2 1333 1334man page update (ipf.5) from Daniel Carosone (dan@geek.com.au) 1335 1336ICMP header checksum update now included in NAT. 1337 1338Solaris2 needs to modify IP header checksums in ip_natin and ip_natout. 1339 13403.1.2 4/12/96 - Released 1341 1342ipmon doesn't use syslog all the time when given -s option 1343 1344fixed mclput panic in ip_input.c and replace ntohs() with NTOHS() macro 1345 1346check the results of hostname resolution in ipnat 1347 1348"make *install" fixed for subdirectories. 1349 1350problems with "ARCH:=" and gnu make resolved 1351 1352parser reports an error for lines with whitespaces only rather than skipping 1353them. D.Carosone@abm.com.au (Daniel Carosone) 1354 1355patches for integration into NetBSD-current (post 1.2). 1356 1357add an option to allow non-IP packets going up/down the stream on Solaris2 1358to be dropped. John Bass. 1359 13603.1.2beta 21/11/96 - Released 1361 1362make ipsend compile on Linux 2.0.24 1363 1364changes to TCP kept state algorithm, making it watch state on TCP 1365connections in both directions. Also use the same algorithm for NAT TCP. 1366 1367-Wall cleanup - Bernd Ernesti 1368 1369added "or-block" for "pass .. log or-block" after a suggestion from 1370David Oppenheim (davido@optimation.com.au) 1371 1372added subdirectories for building IP Filter in SunOS5/BSD for different 1373cpu architecures 1374 1375Solaris2 fixes to logging and pre-filtering packet processing - 3.1.1p2 1376 1377mbuf logging not using mtod(), remove iplbusy - 3.1.1p1 1/11/96 1378 13793.1.1 28/10/96 - Released 1380 1381Installation script fixes and deinstall scripts for IP Filter on: 1382SunOS4/FreeBSD/NetBSD 1383 1384Man page fixes - Paul Dubois (dubois@primate.wisc.edu) 1385 1386Fix use of SOLARIS macro in ipmon, rewrote ipllog() (again!) 1387 1388parsing isn't completely case insensitive - David Wilson 1389(davidw@optimation.com.au) 1390 1391Release ipl_mutex across uiomove() calls 1392 1393print entire rule entries out for "ipf -z" when zero'ing per-rule stats. 1394 1395ipfstat returns same output for "hits" in "ipfstat -aio" - Terletsky Slavik 1396(ts@polynet.lviv.ua) 1397 1398New algorithm for setting timeouts for TCP connection (more closely follow 1399TCP FSM) - Pradeep Krishnan (pkrishna@netcom.com) 1400 1401Track both window sizes for TCP connections through "keep state". 1402 1403Solaris2 doesn't like _KERNEL defined in stdargs.h - Jos van Wezel 1404(wezel@bio.vu.nl) 1405 14063.1.1-beta2 6/10/96 - Released 1407 1408Solaris2 fastroute/dup-to/to now works 1409 1410ipmon `record' reading rewritten 1411 1412Added post-NetBSD1.2 packet filter patches - Mathew Green (mrg@eterna.com.au) 1413 1414Attempt to use in_proto.c.diff, not "..diffs" for SunOS4 - David Wilson 1415(davidw@optimation.com.au) 1416 1417Michael Ryan (mike@NetworX.ie) reports the following: 1418* The Trumpet WinSock under Windows always sends its SYN packet with an ACK 1419 value of 1, unlike any other implementation I've seen, which would set it 1420 to zero. The "keep state" feature of IP Filter doesn't work when receiving 1421 non-zero ACK values on new connection requests. 1422* */Makefile install rule doesn't install all the binaries/man pages 1423* Make ipnat use "tcp/udp" instead of "tcpudp" 1424* Print out "tcp/udp" properly 1425* ipnat "portmap tcp" matches "portmap udp" when adding/removing 1426* NAT dest. ip# increased by one on mask of 0xffffffff when it shouldn't 1427 14283.1.1-beta 1/9/96 - Released 1429 1430add better detection of TCP connections closing to TCP state monitoring. 1431 1432fr_addstate() not called correctly for fragments. "keep state" and 1433"keep frag" code don't work together 100% - Songqing Cai 1434(songqing_cai@sterling.com) 1435 1436call to fr_addstate() incorrect for adding state in combination with keeping 1437fragment information - Songqing Cai (songqing_cai@sterling.com) 1438 1439KFREE() passed fp (incorrect) and not fr (correct) in ip_frag.c - John Hood 1440(cgull@smoke.marlboro.vt.us) 1441 1442make ipf parser recognise '\\' as a `continued line' marker - Dima Ruban 1443(dima@best.net) 1444 14453.1.1-alpha 23/8/96 - Released 1446 1447kernel panic's when ICMP packets go through NAT code 1448 1449stats aren't zero'd properly with ipf -Z 1450 1451ipnat doesn't show port numbers correctly all the time and also add the 1452protocol (tcp/udp/tcpudp) to rdr output - Carson Gaspar (carson@lehman.com) 1453 1454fast checksum fixing not 100% - backout patch - Bill Dorsey (dorsey@lila.com) 1455 1456NetBSD-1.2 patches from - VaX#n8 <vax@linkdead.paranoia.com> 1457 1458Usage() call error in fils.c - Ajay Shekhawat (ajay@cedar.buffalo.edu) 1459 1460ip_optcopy() staticly defined in ip_output.c in SunOS4 - Nick Hall 1461(nrh@tardis.ed.ac.uk) 1462 14633.1.0 7/7/96 - Released 1464 1465Reformatted ipnat output to be compatible with it's input, so that 1466"ipnat -l | ipnat -rf -" is possible. 1467 14683.1.0beta 30/6/96 - Released 1469 1470NetBSD-1.2 patches from Greg Woods (woods@most.weird.com) 1471 1472kernel module must not be installed stripped (Solaris2), as created by 1473"make package" for Solaris2 - Peter Heimann 1474(peter@i3.informatik.rwth-aachen.de) 1475 14763.1.0alpha 5/6/96 - Released 1477 1478include examples in package for solaris2 1479 1480patches for removing an extra ip header checksum (FreeBSD/NetBSD/SunOS) 1481 1482removed trailing space from printouts of rules in ipf. 1483 1484ipresend supports the same range of inputs that ipftest does. 1485 1486sending a duplicate copy of a packet to another network devices is now 1487supported. ("dup-to") 1488 1489sending a packet to an arbitary interface is now supported, irrespective 1490of its actual route, with no ttl decrement. Can also be routed without 1491the ttl being decremented. ("to" and "fastroute"). 1492 1493"call" option added to support calling a generic function if a packet is 1494matched. 1495 1496show all (upto 4) recorded bytes from the interface name in logging from 1497ipmon. 1498 1499support for using unix file permissions for read/write access on the device 1500is now in place. 1501 1502recursive mutex in nat_new() for Solaris 2.x - Per L. Hagen <per@stibo.dk> 1503 1504ipftest doesn't call initparse() for THISHOST - Catherine Allen 1505(cla@connect.com.au) 1506 1507Man page corrections from Rex Bona (rex@pengo.comsmiths.com.au) 1508 15093.0.4 10/4/96 - Released 1510 1511looop in `parsing' IP packets with optlen 0 for ip options. 1512 1513rule number not initialized and resulted in unexpected results for state 1514maching. 1515 1516option parsing and printing bugs - Pradeep Krishnan 1517 15183.0.4beta 25/3/96 - Released 1519 1520wouldn't parse "keep flags keep state" correctly. 1521 1522SunOS4.1.x ip_input.c doesn't recognise all 1s broadcast address - Nigel Verdon 1523 1524patches for BSDI's BSD/OS 2.1 and libpcap reader on little endian systems 1525from Thorsten Lockert <tholo@tetherless.com> 1526 1527b* functions in fil.c on Solaris 2.4 1528 15293.0.3 17/3/96 - Released 1530 1531added patches to support IP Filter initialisation when compiled into the 1532kernel. 1533 1534added -x option to ipmon to display hex dumps of logged packets. 1535 1536added -H option to ipftest to allow ascii-hex formatted input to specify 1537arbitary IP packets. 1538 1539Sending TCP RSTs as a response now work for Solaris2 x86 1540 1541add patches to make IP Filter compile into NetBSD kernels properly. 1542 1543patch to stop SunOS 4.1.x kernels panicing with "data traps". 1544 1545ipfboot script unloads and reloads ipf module on Solaris2 if it is already 1546loaded into the kernel. 1547 1548Installation of IP Filter as a Solaris2 package is now supported. 1549 1550Man pages for ipnat.4, ipnat.5 added. 1551 1552added some more regression tests and fixed up IP Filter to pass the new tests 1553(previous versions failed some of the tests in set 12). 1554 1555IP option filter processing has changed so that saying "with opt lsrr" will 1556check only for that one, but not mask out other options, so a packet with 1557strict source routing, along with loose source routing will match all of 1558"with opt lsrr", "with opt ssrr" and "with opt lsrr,ssrr". 1559 1560IPL_NAME needed in ipnat.c - Kelly (kelly@count04.mry.scruznet.com) 1561 1562patches for clean NetBSD compilation from Bernd Ernesti (bernd@arresum.inka.de) 1563 1564make install is incorrect - Julian Briggs (julian@lightwork.co.uk) 1565 1566strtol() returns 0x7fffffff for all negative numbers, 1567printfr() generates incorrect output for "opt sec-class *", 1568handling of "not opt xxx opt yyy" incorrect. 1569- Minh Tonthat (minht@sbei.com)/Pradeep Krishnan (pradeepk@sbei.com) 1570 1571m_pullup() called only for input and not output; caused problems 1572with filtering icmp - Nigel Verdon (verdenn@gb.swissbank.com) 1573 1574parsing problem for "port 1" and NetBSD patches incorrect - 1575Andreas Gustafsson (gson@guava.araneus.fi) 1576 15773.0.2 4/2/96 - Released 1578 1579Corrected bug where NAT recalculates checksums for fragments. 1580 1581make NAT recalculate UDP checksums (rather than setting them to 0), 1582if they're non-zero. 1583 1584DNS patches - Real Page (Real.Page@Matrox.com) 1585 1586alteration of checksum recalculations in NAT code and addition of 1587redirection with NAT - Mike Neuman 1588 1589core dump, if tcp/udp is used with a port number and not service name, 1590in ipf - Mike Neuman (mcn@engarde.com) 1591 1592initparse() call, missing to prime "<thishost>" hook - Craig Bishop 1593 15943.0.1 14/1/96 - Released 1595 1596miscellaneous patches for Solaris2 1597 15983.0 14/1/96 - Released 1599 1600Patch included for FDDI, from Richard Ohnemus 1601(Richard_Ohnemus@dallas.csd.sterling.com) 1602 1603Code cleanup for release. 1604 16053.0beta4 10/1/96 1606 1607recursive mutex in ipfr_slowtimer fixed, reported by Craig Bishop 1608 1609recursive mutex in sending TCP RSTs fixed, reported by Tony Becker 1610 16113.0beta3 9/1/96 1612 1613FIxup for Solaris2.5 install and interface name bug in ipftest from 1614Julian Briggs (julian@lightwork.co.uk) 1615 1616Byte order patches for ipmon from Tony Becker (tony@mcrsys.com) 1617 16183.0beta2 7/1/96 1619 1620Added the (somewhat warped) IP accounting as it exists in ipfw on FreeBSD. 1621Note, this isn't really what one would call IP account, when compared to 1622process accounting, sigh. 1623 1624Split up ipresend into iptest/ipresend/ipsend 1625 1626Added another m_pullup() inside fr_check() for BSD style kernels and 1627added some checks to ipllog() to not log more than is present (for short 1628packets). 1629 1630Fixed bug where failed hostname/netname resolution goes undetecte and 1631becomes 0.0.0.0 (any) (reported Guido van Rooij) 1632 16333.0beta 11/11/95 - Released 1634 1635Rewrote the way rule testing is done, reducing the number of files needed and 1636generated. 1637 1638SIOCIPFFL was incorrectly affected by IPFILTER_LOG (Mathew Green) 1639 1640Patches from Guido van Rooij to fix sending back TCP RSTs on Net-2/Net-3 1641BSD based Unixes (panic'd) 1642 1643Patches for FreeBSD/i86 ipmon from Riku Kalinen <riku@tequila.nixu.fi> 1644(I think someone else already told me about these but they got lost :-/) 1645 1646Changed Makefile structure to build object files for different operating 1647systems in separate directories by default. 1648 1649BSDI has ef0 for first ethernet interface 1650 1651Allow for a "not" operator before optional keywords. 1652 1653The "rule number" was being incorrectly incremented every time it went through 1654the loop rather than when it matched a rule. 1655 16562.8.2 24/10/95 - Released 1657 1658Fixed up problems with "textip" for doing lots of testing. 1659 1660Fixed bug in detection of "short" tcp/ip packets (all reported as being short). 1661 1662Solaris 2.4 port now works 100%. 1663 1664Man page errors reported and fixed. 1665 1666Removed duplicate entry in etc/services for login on port 49 (Craig Bishop). 1667 1668Fixed ipmon output to put a space after the log-letter. 1669 1670Patch from Guido van Rooij to fix parsing problem. 1671 16722.8.1 15/10/95 - Released 1673 1674Added ttl and tos filtering. 1675 1676Patches for fixing up compilation and port problems (little endian) 1677from Guido van Rooij <guido@IAEhv.nl>. 1678 1679Man page problems reported and fixed by Carson Gaspar <carson@lehman.com>. 1680 1681ipsend doesn't compile properly on Solaris2.4 1682 1683Lots of work done for Solaris2.4 to make it MT/MP safe and work. 1684 16852.8 15/9/95 - Released 1686 1687ipmon can now send messages to syslogd (-s) and use names instead of 1688numbers (-N). 1689 1690IP packets are now "compiled" into a structure only containing filterable 1691bits. 1692 1693Added regression testing in the test/ subdirectory, using a new option 1694(-b) with the ipftest program. 1695 1696Added "nomatch" return to filter results. These are counted and show 1697up in reports from ipfstat. 1698 1699Moved filter code out of ip_fil.c and into fil.c - there is now only one 1700instance of it in the package. 1701 1702Added Solaris 2.4 support. 1703 1704Added IPSO basic security option filtering. 1705 1706Added name support for filtering on all 19 named IP options. 1707 1708Patches from Ivan Brawley to log packet contents as well as packet headers. 1709 1710Update for sun/conf.c.diff from Ivan Brawley <ibrawley@awadi.com.AU> 1711 1712Added patches for FreeBSD 1, and added two new switches (-E, -D) to ipf, 1713along with a new ioctl, SIOCFRENB. 1714From: Dieter Dworkin Muller <dworkin@village.org> 1715 17162.7.3 31/7.95 - Released 1717 1718Didn't compile cleanly without IPFILTER_LOG defined (Mathew Green). 1719 1720ipftest now deals with tcpdump3 binary output files (from libpcap) with -P. 1721 1722Brought ipftest program upto date with actual filter code. 1723 1724Filter would cause a match to occur when it wasn't meant to if the packet 1725had short headers and was missing portions that should have been there. 1726Err, it would rightly not match on them, but their absence caused a match 1727when it shouldn't have been. 1728 17292.7.2 26/7/95 - Released 1730 1731Problem with filtering just SYN flagged packets reported by 1732Dieter Dworkin Muller <dworkin@village.org>. To solve this 1733problem, added support for masking TCP flags for comparison "flags X/Y". 1734 17352.7.1 9/7/95 - Released 1736 1737Added ip_dirbroadcast support for Sun ip_input.c 1738 1739Fixed up the install scripts for FreeBSD/NetBSD to recognise where they are 1740better. 1741 17422.7 7/7/95 - Released 1743 1744Added "return-rst" to return TCP RST's to TCP packets. 1745 1746Actually ported it to FreeBSD-i386 2.0.0, so it works there properly now. 1747 1748Added insertion of filter rules. Use "@<#>" at the beginning of a filter 1749to insert a rule at row #. 1750 1751Filter keeps track of how many times each rule is matched. 1752 1753Changed compile time things to match kernel option (IPFILTER_LKM & 1754IPFILTER_LOG). 1755 1756Updated ip_input.c and ip_output.c with paches for 3.5 Multicast IP. 1757(No change required for 3.6) 1758 1759Now includes TCP fragments which start inside the TCP header as being short. 1760Added counting the number of times each rule is matched. 1761 1762 17632.6 11/5/95 - Released 1764 1765Added -n option to ipf: when supplied, no changes are made to the kernel. 1766 1767Added installation scripts for SunOS 4.1.x and NetBSD/FreeBSD/BSDI. 1768 1769Rewrote filtering to use a more generic mask & match procedure for 1770checking if a packet matches a rule. 1771 17722.5.2 27/4/95 - Released 1773 1774"tcp/udp" and a non-initialised pointer caused the "proto" to become 1775a `random' value; added "ip#/dotted.mask" notation to the BNF. 1776From Adam W. Feigin <feigin@iis.ee.ethz.ch> 1777 17782.5.1 22/3/95 - Released 1779 1780"tcp/udp" had a strange effect (undesired) on getserv*() functions, 1781causing protocol/service lookups to fail. Reported by Matthew Green. 1782 17832.5 17/3/95 - Released 1784 1785Added a new keyword "all" to BNF and parsing of tcpdump/etherfind/snoop 1786output through the ipftest program. Suggestions from: 1787Michael Ciavarella (mikec@phyto.apana.org.au) 1788 1789Conflicts occur when "general" filter rules are used for ports and the 1790lack of a "proto" when used with "port" matches other packets when only 1791TCP/UDP are implied. 1792Reported Matthew Green (mrg@fulcom.com.au); 1793reported & fixed 6-8/3/95 1794 1795Added filtering of short TCP packets using "with short" 28/2/95 1796(These can possibly slip by checks for the various flags). Short UDP 1797or ICMP are dropped to the floor and logged. 1798 1799Added filtering of fragmented packets using "with frag" 24/2/95 1800 1801Port to NetBSD-current completed 20/2/95, using LKM. 1802 1803Added logging of the rule # which caused the logging to happen and the 1804interface on which the packet is currently as suggested by 1805Andreas Greulich (greulich@math-stat.unibe.ch) 10/2/95 1806 18072.4 9/2/95 - Released 1808Fixed saving of IP headers in ICMP packets. 1809 18102.3 29/1/95 1811Added ipf -F [in|out|all] to flush filter rule sets (SIOCIPFFL). 1812Fixed iplread() and iplsave() with help from Marc Huber. 1813 18142.2 7/1/95 - Released 1815Added code from Marc Huber <huber@fzi.de> to allow it to allocate 1816its own major char number dynamically when modload'ing. Fixed up 1817use of <, >, <=, >= and >< for ports. 1818 18192.1 21/12/94 - Released 1820repackaged to include the correct ip_output.c and ip_input.c *goof* 1821 18222.0 18/12/94 - Released 1823added code to check for port ranges - complete. 1824rewrote to work as a loadable kernel module - complete. 1825 18261.1 1827added code for ouput filtering as well as input filtering and added support for logging to a simple character device of packet headers. 1828 18291.0 22/04/93 - Released 1830First release cut. 1831