#
# NOTE: Quite a few patches and suggestions come from other sources, to whom
# I'm greatly indebted, even if no names are mentioned.
#
# Thanks to the Coombs Computing Unit at the ANU for their continued support
# in providing a very available location for the IP Filter home page and
# distribution center.
#
# Thanks also to all those who have contributed patches and other code,
# and especially those who have found the time to port IP Filter to new
# platforms.
#
5.1.2 - RELEASED - 22 Jul 2012

3546266 macro letters could be more consistent
3546265 not all of the state statistics are displayed
3546261 scripts for updating BSD environment out of date
3546260 compiler warnings about non-integer array subscript
3546259 asserting numdereflists == 0 is not correct
3546258 expression matching does not see IPF_EXP_END
3544317 ipnat/ipfstat are not using ipfexp_t
3545324 proxy checksum calculation is not hardware aware
3545321 FTP sequence number adjustment incorrectly applied
3545320 EPSV is not recognised
3545319 move nat rule creation to ip_proxy.c
3545317 better feedback of checksum requirements for proxies
3545314 ftp proxy levels do not make sense
3545312 EPRT is not supported by ftp proxy
3544318 ipnat.conf parsing ignores LHS address family
3545309 non-ipv6 safe proxies do not fail with ipv6
3545323 NAT updates the source port twice
3545322 ipv6 nat rules cannot start proxies
3544314 bucket copyout tries to copy too much data
3544313 remove nat encap feature
3546248 compat rule pointer type mismatch
3546247 UDP hardware checksum offload not recognised
3545311 ifp_ifaddr does not find the first set address
3545310 ipmon needs ipl_sec on 64bit boundary
3545326 reference count changes made without lock
3544315 stateful matching does not use ipfexp_t
3543493 tokens are not flushed when disabled
3543487 NAT rules do not always release lookup objects
3543491 function comments in ip_state.c are old
3543404 ipnat.conf parsing uses family/ip version badly
3543403 incorrect line number printed in ipnat parsing errors
3543402 Not all NAT statistics are printed
3542979 NAT session list management is too simple
3542978 ipv4 and ipv6 nat insert have common hash insertion
3542977 ipnat_t reference tracking incomplete
3542975 proxies must use ipnat_t separately
3542980 printing ipv6 expressions is wrong
3542983 ippool cannot handle more than one ipv6 address
3543018 mask array shifted incorrectly.
3542974 reason for dropping packet is lost
3542982 line numbers not recorded/displayed correctly by ipf
3542981 exclamation mark causes trouble with pools
3541655 test suite checksums incorrect
3541653 display proxy fail status correctly
3540993 IP header offset excluded in pullup calculations
3540994 pullupmsg does not work as required
3540992 pointer to ipv6 frag header not updated on pullup
3541645 netmask management adds /32 for /0
3541637 ipnat parser does not zero port fields for non-port protocol
3541635 pool names cannot be numbers
3540995 IPv6 fragment tracking does not always work
3540996 printing of nextip for ipv6 nat rules is wrong
3540999 ipnat.conf parsing has trouble with icmpidmap for ipv6
3540825 whois output parsing error for ipv6
3540814 ipfd_lock serves no purpose
3540810 lookup objects need tail pointers
3540809 refactor hash table lookups for nat
3540819 radix tree does not work with ipv6
3540820 mutex emulation should be logged
3540828 ipfstat filtering with -m fails tests
3536480 ippool could be more like the others
3536477 pool printing not uniform
3536483 flushing empty destination lists causes panic
3536481 more use of bzero after KMALLOC required
3536479 ipnat.conf line numbers not stored
3536484 Makefile missing dependency for ippool
3536199 TFTP proxy requires something extra
3536198 ICMP checksum out by one
3536203 ipnat does not return an error
3536201 ipf.conf parsing too address friendly
3536200 printing of bytes/packets not indented
3497941 ipv4 multicast detection incorrect on little endian
3535361 to interfaces printed out of order
3535363 ipf parser is inconsistent
3532306 deleting ipnat rules does not work
3532054 new error required for ipf_rx_create
3532053 icmp6 checksums wrong
3532052 icmpv6 state check with incorrect length
3531871 checksum verification wants too many icmp6 bytes
3531870 ipnat.conf parsing needs to support inet6
3532048 error in ipf group parsing
3531868 ICMPV6 checksum not validated
3531893 ipftest exits without error for bad input
3531890 whois pool parsing builds bad structures
3531891 icmpv6 text parsing ignorant of icmp types
3531653 rewrite with icmp does not work
3530563 NAT operations fail with EPERM
3530544 first pass at gcc -Wextra cleanup
3530540 lookup create functions do not set error properly
3530539 ipf_main_soft_destroy doesn't need 2nd arg
3530541 reorder structure for better packing
3530543 ipnat purge needs documentation
3530515 BSD upgrade script required
3528029 ipmon bad-mutex panic
3530247 loading address pools light on input validation
3530255 radix tree delete uses wrong lookup
3530254 radix tree allocation support wrong
3530264 ipmon prints qd for some 64bit numbers
3530260 decapsulate rules not printed correctly.
3530266 ipfstat -v/-d flags confused
2939220 why a packet is blocked is not discernable
2939218 output interface not recorded
2941850 use of destination lists with to/dup-to beneficial
3457747 build errors introduced with radix change
3535360 timeout groups leak
3535359 memory leak with tokens
3535358 listing rules in groups requires tracking groups
3535357 rule head removal is problematic
3530259 not all ioctl error checked with SIOCIPFINTERROR
3530258 error routine that uses fd required
3530253 inadequate function comment blocks
3530249 walking lookup tables leaks memory
3530241 extra lock padding required for freebsd
3529901 ipf returns 0 when rules fail to load
3529491 checksum validation could be better
3529486 tcp checksum wrong for ipv6
3533779 ipv6 nat rules missing inet6 keyword
3532693 ipnat.conf rejects some ipv6 addresses
3532691 ipv4 should not be forced for icmp
3532689 ipv6 nat rules do not print inet6
3532688 ipv6 address always printed with "to <if>"
3532687 with v6hdrs not supported like with ipopts
3532686 ipf expressions do not work with ipv6
3540825 whois output parsing error for ipv6
3540818 NAT for certain IPv6 ICMP packets should not be allowed
3540815 memory leak with destination lists
3540814 ipfd_lock serves no purpose
3540810 lookup objects need tail pointers
3540809 refactor hash table lookups for nat
3540808 completed tokens do not stop iteration
3530492 address hash table name not used
3528029 ipmon bad-mutex panic
3530256 hook memory leaked
3530271 pools parsing produces badly formed address structures
3488061 cleanup for illumos build
3484434 SIOCIPFINTERROR must work for all devices
3484067 mandoc -Tlint warnings to be fixed
3483343 compile warning in ipfcomp.c
3482893 building without IPFILTER_LOG fails
3482765 building netbsd kernel without inet6 fails
3482116 ipf_check frees packet from ipftest
3481663 does not compile on solaris 11

5.1.1 - RELEASED - 9 May 2012

3481322 ip_fil_compat.c needs a cleanup
3481211 add user errors to dtrace
3481152 compatibility for 4.1 needs more work
3481153 PRIu64 problems on FreeBSD
3481155 ipnat listing incorrect
3480543 change leads to compat problems
3480538 compiler errors from earlier patch
3480537 ipf_instance_destroy is incomplete
3480536 _fini order leads to panic
3479991 compiler warnings about size mismatches
3479974 copyright dates are wrong (fix)
3479464 add support for leaks testing
3479457 %qu is not the preferred way
3479451 iterators leak memory
3479453 nat rules with pools leak
3479454 memory leak in hostmap table
3479461 load_hash uses memory after free
3479462 printpool leaks memory
3479452 missing FREE_MB_T to freembt leaks
3479450 ipfdetach is called when detached
3479448 group mapping rules memory leak
3479455 memory leak from tuning
3479458 ipf must be running in global zone
3479460 driver replace is wrong
3479459 radix tree tries to free null pointer
3479463 rwlock emulation does not free memory
3479465 parser leaks memory
3475959 hardware checksum not correctly used
3475426 ip pseudo checksum wrong
3473566 radix tree does not delete dups right
3472987 compile is not clean
3472337 not everything is zero'd
3472344 interface setup needs to be after insert
3472340 wildcard counter drops twice
3472338 change fastroute interface
3472335 kernel lock defines not placed correctly
3472324 ICMP INFOREQ/REPLY not handled
3472330 multicast packets tagged by address
3472333 ipf_deliverlocal called incorrectly
3472345 mutex debug could be more granular
3472761 building i19 regression is flawed
3456457 use of bsd tree.h needs to be removed
3460522 code cleanup required for building on freebsd
3459734 trade some cpu for memory
3457747 build errors introduced with radix change
3457804 build errors from removal of pcap-int.h
3440163 rewrite radix tree
3428004 snoop, tcpdump, etherfind readers are unused
3439495 ipf_rand_push never called (fix brackets)
3437732 getnattype does not need to use ipnat_t (fix variable name)
3437696 fr_cksum is a nightmare
3439061 ipf_send_ip doesn't need 3rd arg
3439059 ipid needs to be file local
3437740 complete buildout of fnew
3438575 add dtrace probes to block events
3438347 comment blocks missing softc
3437687 description of ipf_makefrip wrong
3438340 more stats as dtrace probes
3438316 free on nat structure uses fixed size
3437745 nat iterator using the wrong size
3437710 fail checksum verification if packet is short
3437696 fr_cksum is a nightmare
3437732 getnattype does not need to use ipnat_t
3437735 rename ipf_allocmbt to allocmbt
3437697 fr_family to version assignment is wrong
3437746 ap_session_t has unused fields
3437747 move softc structure to .h file (ip_state.c)
3437704 there is no DTRACE_PROBE5
3437748 wrong interface in qpktinfo_t
3437729 create function to hexdump mb_t
3438273 msgdsize should be easier to read
3437683 object direction not set for 32bit
3433767 calling ip_cksum could be easier
3433764 left over locking
3428015 printing proxy data size is useless
3428013 add M_ADJ to hide adjmsg/m_adj
3428012 interface name is not always returned correctly
3428002 ip_ttl is too low
3427997 ipft readers do not set buffer length
3426558 resistance is futile
3424495 various copy-paste errors
1826936 shall we allow ipf to be as dumb as its admin
3424477 specfuncs needs to go
3424484 missing fr_checkv6sum
3424478 one entry at a time
2998760 auth rules do not mix well with to/dup-to/fastroute
3424195 add ctfmerge to sunos5 makefile
3424132 some dtrace probes to start with
3423812 makefile needs ip_frag.h for some files
3423817 reference count useful in verbose output
3423800 walking lists does not drop reference
3423805 fragmentation stats not reported correctly
3423808 ip addresses reported incorrectly with ipfstat -f
3423821 track packets and bytes for fragmentation
3423803 attempt to double free rule
3423805 fragmentation stats not reported correctly
3422712 system panic with ipfstat -f
3422619 pullup counter bumped for every packet
3422608 dummy rtentry required to build
3422018 frflush next to ipf_fini_all is redundant
3422012 instance cleanup is not clean
3421845 instance name not set
3005622 ip_fil5.1.0 does not load on Solaris 10 U8
2976332 stateful filtering is incompatible with ipv4 options
3387509 ipftest needs help constructing ip packets with options
2998746 passp can never be null
3064034 mbuf clobbering problem with ipv6
3105725 ipnat divide by zero panic
2998750 ipf_htent_insert can leak memory
3064034 mbuf clobbering problem with ipv6
3105725 ipnat divide by zero panic

5.1 - RELEASED - 9 May 2010

* See WhatsNew50.txt

4.1 - RELEASED - 12 February 2004

4.0-BETA1 20 August 2003

support 0/32 and 0/0 on the RHS in redirect rules

where LHS and RHS netmasks are the same size for redirect, do 1:1 mapping
for bimap rules.

allow NAT rule to match 'all' interfaces with * as interface name

do mapping of ICMP sequence id#'s in pings

allow default age for NAT entries to be set per NAT rule

provide round robin selection of destination addresses for redirect

ipmon can load a configuration file with instructions on actions
to take when a matching log entry is received

now requires pfil to work on Solaris & HP-UX

supports mapping outbound connections to a specific address/port

support toggling of logging per ipfilter 'device'

use queues to expire data rather than lists

add MSN RPC proxy

add IRC proxy

support rules with dynamic ip addresses

add ability to define a pool of addresses & networks which can then
be placed in a single rule

support passing entire packet back to user program for authentication

support master/slave for state information sharing

reorganise generic code into a lib directory and make libipf.a

user programs enforce version matching with the kernel

supports window scaling if seen at TCP session setup

generates C code from filter rules to compile in or load as native
machine code.

supports loading rules comprised of BPF bytecode statements

HP-UX 11 port completed

and packets-per-second filtering

add numerical tags to rules for filtering and display in ipmon output

3.4.4 23/05/2000 - Released

don't add TCP state if it is an RST packet and (attempt) to send out
RST/ICMP packets in a manner that bypasses IP Filter.

add patch to work with 4.0_STABLE delayed checksums

3.4.3 20/05/2000 - Released

fix ipmon -F

don't truncate IPv6 packets on Solaris

fix keep state for ICMP ECHO

add some NAT stats and use def_nat_age rather than DEF_NAT_AGE

don't make ftp proxy drop packets

use MCLISREFERENCED() in tandem with M_EXT to check if IP fields need to be
swapped back.

fix up RST generation for non-Solaris

get "short" flag right for IPv6

3.4.2 - 10/5/2000 - Released

Fix bug in dealing with "hlen == 1 and opt > 1" - Itojun

ignore previous NAT mappings for 0/0 and 0/32 rules

bring in a completely new ftp proxy

allow NAT to cause packets to be dropped.

add NetBSD callout support for 1.4-current

3.4.1 - 30/4/2000 - Released

add ratoui() and fix parsing of group numbers to allow 0 - UINT_MAX

don't include opt_inet6.h for FreeBSD if KLD_MODULE is defined

Solaris must use copyin() for all types of ioctl() args

fix up screen/tty when leaving "top mode" of ipfstat

linked list for maptable not setup correctly in nat_hostmap()

check for maptable rather than nat_table[1] to see if malloc for maptable
succeeded in nat_init

fix handling of map NAT rules with "from/to" host specs

fix printout out of source address when using "from/to" with map rules

convert ip_len back to network byte order, not plen, for solaris as ip_len
may have been changed by NAT and plen won't reflect this

3.4 - 27/4/2000 - Released

source address spoofing can be turned on (fr_chksrc) without using
filter rules

group numbers are now 32bits in size, up from 16bits

IPv6 filtering available

add frank volf's state-top patches

add load splitting and round-robin attribute to redirect rules

FreeBSD-4.0 support (including KLD)

add top-style operation mode for ipfstat (-t)

add save/restore of IP Filter state/NAT information (ipfs)

further ftp proxy security checks

support for adding and removing proxies at runtime

3.3.13 26/04/2000 - Released

Fix parsing of "range" with "portmap"

Relax checking of ftp replies, slightly.

Fix NAT timeouts for ICMP packets

SunOS4 patches for ICMP redirects from Jurgen Keil (jk@tools.de)

3.3.12 16/03/2000 - Released

tighten up ftp proxy behaviour. sigh. yuck. hate.

fix bug in range check for NAT where the last IP# was not used.

fix problem with icmp codes > 127 in filter rules caused bad things to
happen and in particular, where #18 caused the rule to be printed
erroneously.

fix bug with the spl level not being reset when returning EIO from
iplioctl due to ipfilter not being initialized yet.

3.3.11 04/03/2000 - Released

make "or-block" work with lines that start with "log"

fix up parsing and printing of rules with syslog levels in them

fix from Cy Schubert for calling of apr_fini only if non-null

3.3.10 24/02/2000 - Released

* fix back from guido for state tracking interfaces

* update for NetBSD pfil interface changes

* if attaching fails and we can abort, then cleanup when doing so.

julian@computer.org:
* solaris.c (fr_precheck): After calling freemsg on mt, set it to point to *mp.
* ipf.c (packetlogon): use flag to store the return value from get_flags.
* ipmon.c (init_tabs): General cleanup so we do not have to cast
  an int s->s_port to u_int port and try to check if the u_int port
  is less than zero.

3.3.9 15/02/2000 - Released

fix scheduling of bad locking in fr_addstate() used when we attach onto
a filter rule.

fix up ip_statesync() with storing interface names in ipstate_t

fix fr_running for LKM's - Eugene Polovnikov

junk using pullupmsg() for solaris - it's next to useless for what we
need to do here anyway - and implement what we require.

don't call fr_delstate() in fr_checkstate(), when compiled for a user
program, early but when we're finished with it (got fr & pass)

ipnat(5) fix from Guido

on solaris2, copy message and use that with filter if there is another
copy of it being used (db_ref > 1). bad for performance, but better
than causing a crash.

patch for solaris8-fcs compile from Casper Dik

3.3.8 01/02/2000 - Released

fix state handling of SYN packets.

add parsing recognition of extra icmp types/codes and fix handling of
icmp time stamps and mask requests - Frank volf

3.3.7 25/01/2000 - Released

sync on state information as well as NAT information when required

record nat protocol in all nat log records

don't reuse the IP# from an active NAT session if the IP# in the rule
has changed dynamically.

lookup the protocol for NAT log information in ipmon and pass that to
portname.

fix the bug with changing the outbound interface of a packet where it
would lead to a panic.

use fr_running instead of ipl_inited. (sysctl name change on freebsd)

return EIO if someone attempts an ioctl on state/nat if ipfilter is not
enabled.

fix rule insertion bug

make state flushing clean anything that's not fully established (4/4)

call fr_state_flush() after we've released ipf_state so we don't generate
a recursive mutex acquisition panic

fix parsing of icmp code after return-icmp/return-icmp-as-dest and add
some patches to enhance parsing strength

3.3.6 28/12/1999 - Released

add in missing rwlock release in fr_checkicmpmatchingstate() and fix check
for ICMP_ECHO to only be for packet, not state entry which we don't have yet.

handle SIOCIPFFB in nat_ioctl() and fr_state_ioctl()

fix size of friostat for SunOS4

fix bug in running off the end of a buffer in real audio proxy

3.3.5 11/12/1999 - Released

fix parsing of "log level" and printing it back out too

<net/if_types.h> is only present on Solaris2.6/7/8

use send_icmp_err rather than icmp_error to send back a frag-needed error
when doing PMTU

do not use -b with add_drv on Solaris unless $BASEDIR is set.

fix problem where source address in icmp replies is reversed

fix yet another problem with real audio.

3.3.4 4/12/1999 - Released

fix up the real audio proxy to properly setup state information and NAT
entries, thanks to Laine Stump for testing/advice/fixes.

fix ipfr_fastroute to set dst->sin_addr (Sean Farley - appears to prevent
FreeBSD 3.3 from panic'ing) as this had been removed in prior hacks to this
routine.

fix kinstall for BSDI

support ICMP errors being allowed through for ICMP packets going out with
keep state enabled

support hardware checksumming (gigabit ethernet cards) on Solaris thanks to
Tel.Net Media for providing hardware for testing.

patches from Frank Volf for ipmon (ICMP & fragmented packets) and allowing
ICMP responses to ICMP packets in the keep state table.

add in patches for hardware checksumming under solaris

Solaris install scripts now use $BASEDIR as appropriate.

add Solaris8 support

fix "ipf -y" on solaris so that it rescans rules also for changes in
interface pointers

let ipmon become a daemon with -D if it is using syslog

fix parsing of return-icmp-as-dest(foo)

add reference to ipfstat -g to ipfstat.8

ipf_mutex needs to be declared for irix in ip_fil.c

3.3.3 22/10/1999 - Released

add -g command line option to ipfstat to show groups still defined.

fix problem with fragment table not recording rule pointer when called
from state functions (fin_fr not set).

fixup fastroute problems with keep state rules.

load rules into inactive set first, so we don't disable things like NIS
lookups half way through processing - found by Kevin Littlejohn

fix handling of unaligned ip pointer for solaris

patch for fr_newauth from Rudi Sluijtman

fixed htons() bug in fr_tcpsum() where ip_p wasn't cast to u_short

3.3.2 23/09/1999 - Released

patches from Scott Presnell to fix rcmd proxy

patches from Greg to fix Solaris detachment of interfaces

add openbsd compatibility fixes

fix free'ing already freed memory in ipfr_slowtimer()

fix for dereferencing invalid memory in cleaning up after a device disappears

3.3.1 14/8/1999 - Released

remove include file sys/user.h for irix

prevent people from running buildsunos directly

fix up some problems with the saving of rule pointers so that NAT saves
that information in case it should need to call fr_addstate() from a proxy.

fix up scanning for the end of FTP messages

don't remove /etc/opt/ipf in postremove

attempt to prevent people running buildsolaris script without doing a
"make solaris"

fix timeout losing on freebsd3

3.3 7/8/1999 - Released

NAT: information (rules, mappings) are stored in hash tables; setup some
basic NAT regression testing.

display version name of installed kernel code when initializing.

add -V command line option to ipf, showing version (program and kernel
module) as well as the run-status of the kernel code.

fix problem with "log" rules actually affecting result of filtering.

automatically use SUNWspro if available and on a 64bit Solaris system for
compiling.

add kernel proxies for rcmd(3) and RealAudio (PNA)

use timeout/untimeout on SunOS4/BSD platforms too rather than hijacking
ip_slowtimo

fix IP headers generated through parsing of text information

fix NAT rules to be in the correct order again.

make keep-state work with to/fastroute keywords and enforce usage of those
interfaces.

update keep-state code with new algorithm from Guido

add FreeBSD-3 support

add return-icmp-as-dest option to return an ICMP packet using the original
destination as the source rather than a local IP address

add "level [facility.]<priority>" option to filter language

add changes from Guido to state code.

add code to return EPERM if the device is opened for writing and we're
in securelevel 2 or greater.

authentication code patches from Guido

fix real audio proxy

fix ipmon rule printing of interfaces and add IN/OUT to the end of ipmon
log output.

fix bimap rules with hash tables

update addresses used in NAT mappings for 0/32 rules for any protocol but TCP
if it changes on the interface - check every ip_natexpire()

add redirect regression test

count buckets used in the state hash table.

fix sending of RST's with return-rst to use the ack number provided in
the packet being replied to in addition to the sequence number.

fix to compile as a 64bit application on solaris7-64bit

add NAT IP mapping to ranges of IP addresses that aren't CIDR specified

fix calculation of in_space parameter for NAT

fix `wrapping' when incrementing the next ip address for use in NAT

fix free'ing of kernel memory in ip_natunload on solaris

fix -l/-U command line options from interfering with each other

fix fastroute under solaris2 and cleanup compilation for solaris7

add install scripts and compile cleanly on BSD/OS 4.0

safely open files in /tmp for writing device output when testing.

fix uninitialized pointer bug in NAT

fix SIOCZRLST (zero list rule stats) bug with groups

change some usage of u_short to u_int in function calling

fix compilation for Solaris7 (SUNWspro)

change solaris makefiles to build for either sparc or i386 rather than
per-cpu (sun4u, etc).

fixed bug in ipllog

add patches from George Michaelson for FreeBSD 3.0

add patch from Guido to provide ICMP checking for known state in the same
manner as is done for NAT.

enable FTP PASV proxying and enable wildcarding in NAT/state code for ports
for better PORT/PASV support with FTP.

bring into main tree static nat features: map-block and "auto" portmapping.

add in source host filtering for redirects (alan jones)

3.2.10 22/11/98 - Released

3.2.10beta9 17/11/98 - Released

fix fr_tcpsum problems in handling mbufs with an odd number of bytes
and/or split across an mbuf boundary

fix NAT list entry comparisons and allow multiple entries for the same
proxy (but on different ports).

don't create duplicate NAT entries for repeated PORT commands.

3.2.10beta8 14/11/98 - Released

always exit an rwlock before expecting to enter it again on solaris

fix loop in nat_new for pre-existing nat

don't setup state for an ftp connection if creating nat fails.

3.2.10beta7 05/11/98 - Released

set fake window in ipft_tx.c to ensure code passes tests.

cleaned up/enhanced ipnat -l/ipnat -lv output

fixed NAT handling of non-TCP/UDP packets, esp. for ICMP errors returned.

Solaris recursive mutex on icmp-error/tcp-reset - requires rwlock's rather
than mutexes.

3.2.10beta6 03/11/98 - Released

fix mixed use of krwlock_t and kmutex_t on Solaris2

fix FTP proxy back up, splitting pasv code out of port code.

3.2.10beta5 02/11/98 - Released

fixed port translation in ICMP reply handling

3.2.10beta4 01/11/98 - Released

increase useful statistic collection on solaris

filter DL_UNITDATA_REQ as well as DL_UNITDATA_IND on solaris

disable PASV reply translation for now

fail with an error if we try to load a NAT rule with a non-existent
 proxy name - Guido

fix portmap usage with 0/0 and 0/32 map rules

remove ap_unload/ap_expire - automatically done when NAT is cleaned up

print "STATE:CLOSED" from ipmon if the connection progresses past established
 rather than "STATE:EXPIRED"

3.2.10beta3 26/10/98 - Released

fixed traceroute/nat problem

rewrote nat/proxy interface

ipnat now lists associated proxy sessions for each NAT where applicable

3.2.10beta2 13/10/98 - Released

use KRWLOCK_T in place of krwlock_t for solaris as well as irix

disable use of read-write lock acquisition by default

add in mb_t for linux, non-kernel

some changes to progress compilation on linux with glibc

change PASV as well as PORT when passed through kernel ftp proxy.

don't allow window to become 0 in tcp state code

make ipmon compile cleaner

irix patches

3.2.10beta 11/09/98 - Released

stop fr_tcpsum() thinking it has run out of data when it hasn't.

stop solaris panics due to fin_dp being something wild.

revisit usage of ATOMIC_*()

log closing state of TCP connection in "keep state"

fix fake-arp table code for ipsend.

ipmon now writes pid to a file.

fix "ipmon -a" to actually activate all logging devices.

add patches for BSDOS4.

perl scripts for log analysis donated.

3.2.9 22/06/98 - Released

fix byte order for ICMP packets generated on Solaris

fix some locking problems.

fix malloc bug in NAT (introduced in 3.2.8).

patch from guido for state connections that get fragmented

3.2.8 08/06/98 - Released

use readers/writers locks in Solaris2 in place of some mutexes.

Solaris2 installation enhancements - Martin Forssen (maf@carlstedt.se)

3.2.7 24/05/98 - Released

u_long -> u_32_t conversions

patches from Bernd Ernesti for NetBSD

fixup ipmon to actually handle HUP's.

Linux fixes from Michael H.
Warfield (mhw@wittsend.com)

update for keep state patch (not security related) - Guido

dumphex() uses stdout rather than log

3.2.6 18/05/98 - Released

fix potential security loop hole in keep state code.

update examples.

3.2.5 09/05/98 - Released

BSD/OS 3.1 .o files added for the kernel.

fix sequence # skew vs window size check.

fix minimum ICMP header size check.

remove references to Cybersource.

fix my email address.

remove ntohl in ipnat - Thomas Tornblom

3.2.4 09/04/98 - Released

add script to make devices for /dev on BSD boxes

fixup building into the kernel for FreeBSD 2.2.5

add -D command line option to ipmon to make it a daemon and SIGHUP causes
it to close and reopen the logfile

fixup make clean and make package for SunOS5 - Marc Boucher

postinstall keeps adding "minor=ipf ipl" - George Ross <gdmr@dcs.ed.ac.uk>

protected by IP Filter gif - Sergey Solyanik <solik@atom.ru>

3.2.3 10/11/97 - Released

fix some iplang bugs

fix tcp checksum data overrun, sgi #define changes,
avoid infinite loop when nat'ing to single IP# - Marc Boucher

fixup DEVFS usage for FreeBSD

fix sunos5 "make clean" cleaning up too much

3.2.2 28/11/97 - Released

change packet matching to return actual error, if bad packet,
to facilitate ECONNRESET for TCP.

allow ip:netmask in grammar too now - Guido

assume IRIX has u_int32_t in sys/types.h (needed for R10000)

rewrite parts of command line options for ipmon

fix TCP urgent packet & offset testing and add LAND attack test for iptest

fix grammar error in yacc grammar for iplang

redirect (rdr) destination port byte-swapped when it shouldn't be.

general: fr_check now returns error code, such as EHOSTUNREACH or
ECONNRESET (attempt to make ECONNRESET work for locally outbound
packets).

linux: enable return-rst, need to filter tcp retransmits which are sent
 separately from normal packets

memory leak plugged in ip_proxy.c

BSDI compatibility patches from Guido

tcp checksum fix - Marc Boucher

recursive mutex and ioctl param fix - Marc Boucher

3.2.1 12/11/97 - Released

port to BSD/OS 3.0

port to Linux 2.0.31

patches to make "map a/m -> 0/0" work with ftp proxying properly - Marc Boucher

add "ipf -F s" and "ipf -F S" to flush state table entries.

announce if logging is on or off when ip filter initializes.

"ipf -F a" doesn't flush groups properly for Solaris.

3.2 30/10/97 - Released

ipnat doesn't successfully remove proxy mappings with "-rf" -
Alexander Romanyu

use K&R C function style for solaris kernel code

use m_adj() to decrease packet size in ftp proxy

use mbufchainlen rather than msgdsize,
IRIX update - Marc Boucher

fix NetBSD modunload bug (pfil_add_hook done twice)

patches for OpenBSD 2.1 - Craig Bevins <craigb@bitcom.net.au>

3.2beta10 24/10/97 - Released

fix fragment table entries allocated for NAT.

fix tcp checksum calculations over mbuf/mblk boundaries

fix panic for blen < 0 in ftp kernel proxy - marc boucher

fix flushing of rules which have been grouped.

3.2beta9 20/10/97 - Released

some nit picking on solaris2 with SUNWspro - Michael Lyle <mrl@rpnet.net>

ftp kernel proxy patches from Marc Boucher

3.2beta8 13/10/97 - Released

add support for passing ICMP errors back through NAT.

IRIX port update - Marc Boucher

calculate correct MIN size of packet to log for UDP - Marc Boucher

need htons(ETHERTYPE_x) on little endian BSD boxes - Dave Huang

copyright header fixups

3.2beta7 23/09/97 - Released

fixup problems introduced by prior merges & changes.

3.2beta6 23/09/97 - Released

patch for spin-reading race condition - Marc Boucher.

IRIX port by Marc Boucher.

compatibility updates for Linux to ipsend

3.2beta5 13/09/97 - Released

patches from Bernd Ernesti for NetBSD integration (mostly prototyping and
compiler warning things)

ipf -y will resync IP#'s allocated with 0/32 in NAT to match interface if it
changes.

update manual pages and other documentation updates.

3.2beta4 27/8/97 - Released

enable setting IP and TCP options for iplang/

Solaris2 patches from Marc Boucher.

add groups for filter rules.

3.2beta3 21/8/97 - Released

patches for Solaris2 (interface panic solution ?): fix FIONREAD and
replacing q_qinfo points - Marc Boucher <marc@CAM.ORG>

change ipsend/* and ipsd/* copyright notices to be the same as ip filter's

patch for SYN-ACK skew testing fix from Eric V. Smith <EricSmith@windsor.com>

3.2beta2 6/8/97 - Released

make it load on Solaris 2.3

rewrote logging to remove solaris errors, introduced checking to see if the
same packet is logged successively.

fix filter cache to work when there are no rules loaded.

add "raw" option to ipresend to send entire ethernet frames.

nat list corruption bug - NetBSD - Klaus Klein

3.2beta1 5/7/97 - Released

patches from Jason Thorpe fixing: UNSIGNED_CHAR lossage, off_t being 64bits
lossage, and other NetBSD bits.

NetBSD 1.2G update.

fixup fwtk patches and add protocol field for SIOCGNATL.

rdr bugs reported by Alexander Romanyu (alexr@aix.krid.crimea.ua), with
fixes:
* rdr matched all packets of a given protocol (ignored ports).
* severe bug in nat_delete which caused system crash/freeze.

change Makefile so that CC isn't passed on for FreeBSD/NetBSD (will use
the default CC - cc, not gcc)

3.2alpha9 16/6/97 - Released

added "skip" keyword.

implement preauthentication of packets, as outlined by Guido.

Make it compile as cleanly as possible with -Wall & general code cleanup

getopt returns int, not char. Bernd Ernesti

3.2alpha8 13/6/97 - Released

code added to support "auth" rules which require a user program to allow them
through. First revision and much of the code came from Guido.

hex output from ipmon doesn't go to syslog when recovering from out of sync
error. Luke Mewburn (lukem@connect.com.au)

fix solaris2.6 lookup of destination ire's.

ipnat doesn't throw away unused bits (after masking), causing it to
behave incorrectly.
Carson Gaspar

NAT code doesn't include interface name when matching - Alexey Mavrin
<lha@elco.spb.ru>

replace old SunOS tcpip.h with new tcpip.h (from 4.4BSD) - Jason Thorpe.

update install procedures to include ip_proxy.c

mask out unused bits in NAT/RDR rules.

use a generic type (u_32_t) for 32bit variables, rather than rely on
u_long being such - Jason Thorpe.

create a local "netinet" directory and include from ~netinet/*" rather than
just "*" to make keeping the code working on ports easier.

add an m_copydata and m_copyback for SunOS4 (based on 4.4BSD-Lite versions)

documentation updates.

NetBSD update from Jason Thorpe <thorpej@netbsd.org>

allow RST's through with a matching SEQ # and 0 ACK. Guido Van Rooij

ipmon uses excessive amounts of CPU on Solaris2 - Reinhard Bertram
<Reinhard.Bertram@KOM.th-darmstadt.de>

3.2alpha7 25/5/97 - Released

add strlen for pre-2.2 kernels - Doug Kite <dkite@websgi.icomnet.com>

setup bits and pieces for compiling into a FreeBSD-2.2 kernel.

split up "bsd" targets. Now a separate netbsd/freebsd/bsd target.
mln_ipl.c has been split up into itself and mlf_ipl.c (for freebsd).

fix (negative) host matching in filtering.

add sysctl interface for some variables when compiled into FreeBSD-2.2 kernels
or later.

make all the candidates for kernel compiling include "netinet/..."
and build a subdirectory "netinet" when compiling and symlink all .h files into this.

add install make target to Makefile.ipsend

3.2alpha6 8/5/97 - Released

Add "!" (not) to hostname/ip matching.

Automatically add packet info to the fragment cache if it is a fragment
and we're translating addresses for.

Automatically add packet info to the fragment cache if it is a fragment
and we're "keeping state" for the packet.

Solaris2 patches - Anthony Baxter (arb@connect.com.au)

change install procedure for FreeBSD 2.2 to allow building to a kernel
which is different to the running kernel.

add FIONREAD for Solaris2!

when expiring NAT table entries, if we would set a time to fr_tcpclosed
(which is 1), make it fr_tcplaskack(20) so that the state tables have a
chance to clear up.

3.2alpha5

add proxying skeleton support and sample ftp transparent proxy code.

add printfs at startup to tell user what is happening.

add packets & bytes for EXPIRE NAT log records.

fix the "install-bsd" target in the root Makefile. Chris Williams
<psion@mv.mv.com>

Fixes for FreeBSD 2.2 (and later revs) to prevent panics. Julian Assange.

3.2alpha4 2/4/97 - Released

Some compiler warnings cleaned up.

FreeBSD-2.2 patches for LKM completed.

3.2alpha3 31/3/97 - Released

ipmon changes: -N for reading NAT logfile, -S for reading state logfile.
-a for reading all. -n now toggles hostname resolution.

Add logging of new state entries and expiration of old state entries.
count log successes and failures.

Add logging of new NAT entries and expiration of old NAT entries.
count log successes and failures.

Use u_quad_t for records of bytes & packets where kept
(IP Accounting: fr_hits, fr_bytes; IP state: is_pkts, is_bytes).

Fixup use of CPU and DCPU in Makefiles.

Fix broken 0/32 NAT mapping. Carl Makin <cmakin@nla.gov.au>

3.2alpha2

Implement mapping to 0/32 as being an alias for automatically using the
interface's first IP address.

Implement separate minor devices for both NAT and IP state code.

Fully prototype all functions.

Fix Makefile problem due to attempt to fix Sun compiling problems.

3.1.10 23/3/97 - Released

ipfstat -a requires a -i or -o command line option too. Print an error
when not present rather than attempt to do something.

patch updates for SunOS4 for kernel compiling.
patch for ipmon -s (flush's syslog file which isn't good). Andrew J. Schorr
<schorr@ead.dsa.com>

too many people hit their heads hard when compiling code into the kernel
that doesn't let any packets through.
(fil.c - IPF_NOMATCH)

icmp-type parsing doesn't return any errors when it isn't constructed
correctly. Neil Readwin

Using "-conf" with modload on SunOS4 doesn't work.
Timothy Demarest <demarest@arraycomm.com>

Need to define ARCH in makefile for SunOS4 building. "make sunos4"
in INSTALL.SunOS is incorrect. James R Grinter <jrg@blodwen.demon.co.uk>
[all SunOS targets now run buildsunos]

NAT lookups are still incorrect, matching non-TCP/UDP with TCP/UDP
information. ArkanoiD <ark@paranoid.convey.ru>

Need to check for __FreeBSD_version being 199511 rather than 199607
in mln_ipl.c. Eric Feillant <Eric.Feillant@EUnet.fr>

3.1.9 8/3/97 - Released

fixed incorrect lookup of active NAT entries.

patch for ip_deq() wrong for pre 2.1.6 FreeBSD.
fyeung@fyeung8.netific.com (Francis Yeung)

check for out with return-rst/return-icmp at wrong place - Erkki Ritoniemi
(erkki@vlsi.fi)

text_readip returns the interface pointer pointing to text on stack -
Neil Readwin

fix from Pradeep Krishnan for printout rules "with not opt sec".

3.1.8 18/2/97 - Released

Diffs for ip_output.c and ip_input.c updated to fix bug with fastroute and
compiling warnings about reuse of m0.

prevent use of return-rst and return-icmp with rules blocking packets going
out, preventing panics in certain situations.

loop forms in frag cache table - Yury Pshenychny <yura@rd.zgik.zaporizhzhe.ua>

should use SPLNET/SPLX around expire routines in NAT/frag/state code.

redeclared malloc in 44arp.c -

3.1.7 8/2/97 - Released

Macros used for ntohs/htons supplied with gcc don't always work very well
when the assignment is the same variable being converted.

Filter matching doesn't match rule which checks tcp flags on packets
which are fragments - David Wilson

3.1.7beta 30/1/97 - Released

Fix up NAT bugs introduced in last major change (now tested), including
nat_delete(), nat_lookupredir(), checksum changes, etc.

3.1.7alpha 30/1/97 - Released

Many changes to NAT code, including contributions from Laurent Joncheray
<lpj@ans.net>

Use "NO_SLEEP" when allocating memory under SunOS.

Make kernel printf's nicer for BSD/SunOS4

Always do a checksum for packets being filtered going out and being
processed by fastroute.

Leave kernel to play with cdevsw on *BSD systems with LKM's.

ipnat.1 man page fixes.

3.1.6 21/1/97 - Released

Allow NAT to work on BSD systems in conjunction with "pass .. to ifname"

Memory leak introduced in 3.1.3 in NAT lists, clearing of NAT table tried
to free memory twice.

NAT recalculates IP header checksum based on difference between IP#'s and
port numbers - should be just IP#'s (Solaris2 only)

3.1.5 13/1/97 - Released

fixed setting of NAT timeouts and use different timeouts for concurrent
TCP sessions using the same IP# mapping (when port mapping isn't used)

multiple loading/unloading of LKM's doesn't clean up cdevsw properly for
*BSD systems.

3.1.4 10/1/97 - Released

add command line options -C and -F to ipnat to flush NAT list and table

ipnat -l loops on output - Neil Readwin (nreadwin@nysales.micrognosis.com)

NetBSD/FreeBSD kernel malloc changes - Daniel Carosone

3.1.3 10/1/97 - Released

NAT chains not constructed correctly in hash tables - Antony Y.R Lu
(antony@hawk.ee.ncku.edu.tw)

Updated INSTALL.NetBSD, INSTALL.FreeBSD and INSTALL.Sol2

man page update (ipf.5) from Daniel Carosone (dan@geek.com.au)

ICMP header checksum update now included in NAT.

Solaris2 needs to modify IP header checksums in ip_natin and ip_natout.

3.1.2 4/12/96 - Released

ipmon doesn't use syslog all the time when given -s option

fixed mclput panic in ip_input.c and replace ntohs() with NTOHS() macro

check the results of hostname resolution in ipnat

"make *install" fixed for subdirectories.

problems with "ARCH:=" and gnu make resolved

parser reports an error for lines with whitespaces only rather than skipping
them. D.Carosone@abm.com.au (Daniel Carosone)

patches for integration into NetBSD-current (post 1.2).

add an option to allow non-IP packets going up/down the stream on Solaris2
to be dropped. John Bass.

3.1.2beta 21/11/96 - Released

make ipsend compile on Linux 2.0.24

changes to TCP kept state algorithm, making it watch state on TCP
connections in both directions. Also use the same algorithm for NAT TCP.

-Wall cleanup - Bernd Ernesti

added "or-block" for "pass .. log or-block" after a suggestion from
David Oppenheim (davido@optimation.com.au)

added subdirectories for building IP Filter in SunOS5/BSD for different
cpu architectures

Solaris2 fixes to logging and pre-filtering packet processing - 3.1.1p2

mbuf logging not using mtod(), remove iplbusy - 3.1.1p1 1/11/96

3.1.1 28/10/96 - Released

Installation script fixes and deinstall scripts for IP Filter on:
SunOS4/FreeBSD/NetBSD

Man page fixes - Paul Dubois (dubois@primate.wisc.edu)

Fix use of SOLARIS macro in ipmon, rewrote ipllog() (again!)

parsing isn't completely case insensitive - David Wilson
(davidw@optimation.com.au)

Release ipl_mutex across uiomove() calls

print entire rule entries out for "ipf -z" when zero'ing per-rule stats.

ipfstat returns same output for "hits" in "ipfstat -aio" - Terletsky Slavik
(ts@polynet.lviv.ua)

New algorithm for setting timeouts for TCP connection (more closely follow
TCP FSM) - Pradeep Krishnan (pkrishna@netcom.com)

Track both window sizes for TCP connections through "keep state".

Solaris2 doesn't like _KERNEL defined in stdargs.h - Jos van Wezel
(wezel@bio.vu.nl)

3.1.1-beta2 6/10/96 - Released

Solaris2 fastroute/dup-to/to now works

ipmon `record' reading rewritten

Added post-NetBSD1.2 packet filter patches - Mathew Green (mrg@eterna.com.au)

Attempt to use in_proto.c.diff, not "..diffs" for SunOS4 - David Wilson
(davidw@optimation.com.au)

Michael Ryan (mike@NetworX.ie) reports the following:
* The Trumpet WinSock under Windows always sends its SYN packet with an ACK
  value of 1, unlike any other implementation I've seen, which would set it
  to zero. The "keep state" feature of IP Filter doesn't work when receiving
  non-zero ACK values on new connection requests.
* */Makefile install rule doesn't install all the binaries/man pages
* Make ipnat use "tcp/udp" instead of "tcpudp"
* Print out "tcp/udp" properly
* ipnat "portmap tcp" matches "portmap udp" when adding/removing
* NAT dest. ip# increased by one on mask of 0xffffffff when it shouldn't

3.1.1-beta 1/9/96 - Released

add better detection of TCP connections closing to TCP state monitoring.

fr_addstate() not called correctly for fragments. "keep state" and
"keep frag" code don't work together 100% - Songqing Cai
(songqing_cai@sterling.com)

call to fr_addstate() incorrect for adding state in combination with keeping
fragment information - Songqing Cai (songqing_cai@sterling.com)

KFREE() passed fp (incorrect) and not fr (correct) in ip_frag.c - John Hood
(cgull@smoke.marlboro.vt.us)

make ipf parser recognise '\\' as a `continued line' marker - Dima Ruban
(dima@best.net)

3.1.1-alpha 23/8/96 - Released

kernel panic's when ICMP packets go through NAT code

stats aren't zero'd properly with ipf -Z

ipnat doesn't show port numbers correctly all the time and also add the
protocol (tcp/udp/tcpudp) to rdr output - Carson Gaspar (carson@lehman.com)

fast checksum fixing not 100% - backout patch - Bill Dorsey (dorsey@lila.com)

NetBSD-1.2 patches from - VaX#n8 <vax@linkdead.paranoia.com>

Usage() call error in fils.c - Ajay Shekhawat (ajay@cedar.buffalo.edu)
145922514Sdarrenr 146022514Sdarrenrip_optcopy() staticly defined in ip_output.c in SunOS4 - Nick Hall 146122514Sdarrenr(nrh@tardis.ed.ac.uk) 146222514Sdarrenr 146322514Sdarrenr3.1.0 7/7/96 - Released 146422514Sdarrenr 146522514SdarrenrReformatted ipnat output to be compatible with it's input, so that 146622514Sdarrenr"ipnat -l | ipnat -rf -" is possible. 146722514Sdarrenr 146822514Sdarrenr3.1.0beta 30/6/96 - Released 146922514Sdarrenr 147022514SdarrenrNetBSD-1.2 patches from Greg Woods (woods@most.weird.com) 147122514Sdarrenr 147222514Sdarrenrkernel module must not be installed stripped (Solaris2), as created by 147322514Sdarrenr"make package" for Solaris2 - Peter Heimann 147422514Sdarrenr(peter@i3.informatik.rwth-aachen.de) 147522514Sdarrenr 147622514Sdarrenr3.1.0alpha 5/6/96 - Released 147722514Sdarrenr 147822514Sdarrenrinclude examples in package for solaris2 147922514Sdarrenr 148022514Sdarrenrpatches for removing an extra ip header checksum (FreeBSD/NetBSD/SunOS) 148122514Sdarrenr 148222514Sdarrenrremoved trailing space from printouts of rules in ipf. 148322514Sdarrenr 148422514Sdarrenripresend supports the same range of inputs that ipftest does. 148522514Sdarrenr 148622514Sdarrenrsending a duplicate copy of a packet to another network devices is now 148722514Sdarrenrsupported. ("dup-to") 148822514Sdarrenr 148922514Sdarrenrsending a packet to an arbitary interface is now supported, irrespective 149022514Sdarrenrof its actual route, with no ttl decrement. Can also be routed without 149122514Sdarrenrthe ttl being decremented. ("to" and "fastroute"). 149222514Sdarrenr 149322514Sdarrenr"call" option added to support calling a generic function if a packet is 149422514Sdarrenrmatched. 149522514Sdarrenr 149622514Sdarrenrshow all (upto 4) recorded bytes from the interface name in logging from 149722514Sdarrenripmon. 149822514Sdarrenr 149922514Sdarrenrsupport for using unix file permissions for read/write access on the device 150022514Sdarrenris now in place. 
150122514Sdarrenr 150222514Sdarrenrrecursive mutex in nat_new() for Solaris 2.x - Per L. Hagen <per@stibo.dk> 150322514Sdarrenr 150422514Sdarrenripftest doesn't call initparse() for THISHOST - Catherine Allen 150522514Sdarrenr(cla@connect.com.au) 150622514Sdarrenr 150722514SdarrenrMan page corrections from Rex Bona (rex@pengo.comsmiths.com.au) 150822514Sdarrenr 150922514Sdarrenr3.0.4 10/4/96 - Released 151022514Sdarrenr 151122514Sdarrenrlooop in `parsing' IP packets with optlen 0 for ip options. 151222514Sdarrenr 151322514Sdarrenrrule number not initialized and resulted in unexpected results for state 151422514Sdarrenrmaching. 151522514Sdarrenr 151622514Sdarrenroption parsing and printing bugs - Pradeep Krishnan 151722514Sdarrenr 151822514Sdarrenr3.0.4beta 25/3/96 - Released 151922514Sdarrenr 152022514Sdarrenrwouldn't parse "keep flags keep state" correctly. 152122514Sdarrenr 152222514SdarrenrSunOS4.1.x ip_input.c doesn't recognise all 1s broadcast address - Nigel Verdon 152322514Sdarrenr 152422514Sdarrenrpatches for BSDI's BSD/OS 2.1 and libpcap reader on little endian systems 152522514Sdarrenrfrom Thorsten Lockert <tholo@tetherless.com> 152622514Sdarrenr 152722514Sdarrenrb* functions in fil.c on Solaris 2.4 152822514Sdarrenr 152922514Sdarrenr3.0.3 17/3/96 - Released 153022514Sdarrenr 153122514Sdarrenradded patches to support IP Filter initialisation when compiled into the 153222514Sdarrenrkernel. 153322514Sdarrenr 153422514Sdarrenradded -x option to ipmon to display hex dumps of logged packets. 153522514Sdarrenr 153622514Sdarrenradded -H option to ipftest to allow ascii-hex formatted input to specify 153722514Sdarrenrarbitary IP packets. 153822514Sdarrenr 153922514SdarrenrSending TCP RSTs as a response now work for Solaris2 x86 154022514Sdarrenr 154122514Sdarrenradd patches to make IP Filter compile into NetBSD kernels properly. 154222514Sdarrenr 154322514Sdarrenrpatch to stop SunOS 4.1.x kernels panicing with "data traps". 
154422514Sdarrenr 154522514Sdarrenripfboot script unloads and reloads ipf module on Solaris2 if it is already 154622514Sdarrenrloaded into the kernel. 154722514Sdarrenr 154822514SdarrenrInstallation of IP Filter as a Solaris2 package is now supported. 154922514Sdarrenr 155022514SdarrenrMan pages for ipnat.4, ipnat.5 added. 155122514Sdarrenr 155222514Sdarrenradded some more regression tests and fixed up IP Filter to pass the new tests 155322514Sdarrenr(previous versions failed some of the tests in set 12). 155422514Sdarrenr 155522514SdarrenrIP option filter processing has changed so that saying "with opt lsrr" will 155622514Sdarrenrcheck only for that one, but not mask out other options, so a packet with 155722514Sdarrenrstrict source routing, along with loose source routing will match all of 155822514Sdarrenr"with opt lsrr", "with opt ssrr" and "with opt lsrr,ssrr". 155922514Sdarrenr 156022514SdarrenrIPL_NAME needed in ipnat.c - Kelly (kelly@count04.mry.scruznet.com) 156122514Sdarrenr 156222514Sdarrenrpatches for clean NetBSD compilation from Bernd Ernesti (bernd@arresum.inka.de) 156322514Sdarrenr 156422514Sdarrenrmake install is incorrect - Julian Briggs (julian@lightwork.co.uk) 156522514Sdarrenr 156622514Sdarrenrstrtol() returns 0x7fffffff for all negative numbers, 156722514Sdarrenrprintfr() generates incorrect output for "opt sec-class *", 156822514Sdarrenrhandling of "not opt xxx opt yyy" incorrect. 
156922514Sdarrenr- Minh Tonthat (minht@sbei.com)/Pradeep Krishnan (pradeepk@sbei.com) 157022514Sdarrenr 157122514Sdarrenrm_pullup() called only for input and not output; caused problems 157222514Sdarrenrwith filtering icmp - Nigel Verdon (verdenn@gb.swissbank.com) 157322514Sdarrenr 157422514Sdarrenrparsing problem for "port 1" and NetBSD patches incorrect - 157522514SdarrenrAndreas Gustafsson (gson@guava.araneus.fi) 157622514Sdarrenr 157722514Sdarrenr3.0.2 4/2/96 - Released 157822514Sdarrenr 157922514SdarrenrCorrected bug where NAT recalculates checksums for fragments. 158022514Sdarrenr 158122514Sdarrenrmake NAT recalculate UDP checksums (rather than setting them to 0), 158222514Sdarrenrif they're non-zero. 158322514Sdarrenr 158422514SdarrenrDNS patches - Real Page (Real.Page@Matrox.com) 158522514Sdarrenr 158622514Sdarrenralteration of checksum recalculations in NAT code and addition of 158722514Sdarrenrredirection with NAT - Mike Neuman 158822514Sdarrenr 158922514Sdarrenrcore dump, if tcp/udp is used with a port number and not service name, 159022514Sdarrenrin ipf - Mike Neuman (mcn@engarde.com) 159122514Sdarrenr 159222514Sdarrenrinitparse() call, missing to prime "<thishost>" hook - Craig Bishop 159322514Sdarrenr 159422514Sdarrenr3.0.1 14/1/96 - Released 159522514Sdarrenr 159622514Sdarrenrmiscellaneous patches for Solaris2 159722514Sdarrenr 159822514Sdarrenr3.0 14/1/96 - Released 159922514Sdarrenr 160022514SdarrenrPatch included for FDDI, from Richard Ohnemus 160122514Sdarrenr(Richard_Ohnemus@dallas.csd.sterling.com) 160222514Sdarrenr 160322514SdarrenrCode cleanup for release. 
160422514Sdarrenr 160522514Sdarrenr3.0beta4 10/1/96 160622514Sdarrenr 160722514Sdarrenrrecursive mutex in ipfr_slowtimer fixed, reported by Craig Bishop 160822514Sdarrenr 160922514Sdarrenrrecursive mutex in sending TCP RSTs fixed, reported by Tony Becker 161022514Sdarrenr 161122514Sdarrenr3.0beta3 9/1/96 161222514Sdarrenr 161322514SdarrenrFIxup for Solaris2.5 install and interface name bug in ipftest from 161422514SdarrenrJulian Briggs (julian@lightwork.co.uk) 161522514Sdarrenr 161622514SdarrenrByte order patches for ipmon from Tony Becker (tony@mcrsys.com) 161722514Sdarrenr 161822514Sdarrenr3.0beta2 7/1/96 161922514Sdarrenr 162022514SdarrenrAdded the (somewhat warped) IP accounting as it exists in ipfw on FreeBSD. 162122514SdarrenrNote, this isn't really what one would call IP account, when compared to 162222514Sdarrenrprocess accounting, sigh. 162322514Sdarrenr 162422514SdarrenrSplit up ipresend into iptest/ipresend/ipsend 162522514Sdarrenr 162622514SdarrenrAdded another m_pullup() inside fr_check() for BSD style kernels and 162722514Sdarrenradded some checks to ipllog() to not log more than is present (for short 162822514Sdarrenrpackets). 162922514Sdarrenr 163022514SdarrenrFixed bug where failed hostname/netname resolution goes undetecte and 163122514Sdarrenrbecomes 0.0.0.0 (any) (reported Guido van Rooij) 163222514Sdarrenr 163322514Sdarrenr3.0beta 11/11/95 - Released 163422514Sdarrenr 163522514SdarrenrRewrote the way rule testing is done, reducing the number of files needed and 163622514Sdarrenrgenerated. 
163722514Sdarrenr 163822514SdarrenrSIOCIPFFL was incorrectly affected by IPFILTER_LOG (Mathew Green) 163922514Sdarrenr 164022514SdarrenrPatches from Guido van Rooij to fix sending back TCP RSTs on Net-2/Net-3 164122514SdarrenrBSD based Unixes (panic'd) 164222514Sdarrenr 164322514SdarrenrPatches for FreeBSD/i86 ipmon from Riku Kalinen <riku@tequila.nixu.fi> 164422514Sdarrenr(I think someone else already told me about these but they got lost :-/) 164522514Sdarrenr 164622514SdarrenrChanged Makefile structure to build object files for different operating 164722514Sdarrenrsystems in separate directories by default. 164822514Sdarrenr 164922514SdarrenrBSDI has ef0 for first ethernet interface 165022514Sdarrenr 165122514SdarrenrAllow for a "not" operator before optional keywords. 165222514Sdarrenr 165322514SdarrenrThe "rule number" was being incorrectly incremented every time it went through 165422514Sdarrenrthe loop rather than when it matched a rule. 165522514Sdarrenr 165622514Sdarrenr2.8.2 24/10/95 - Released 165722514Sdarrenr 165822514SdarrenrFixed up problems with "textip" for doing lots of testing. 165922514Sdarrenr 166022514SdarrenrFixed bug in detection of "short" tcp/ip packets (all reported as being short). 166122514Sdarrenr 166222514SdarrenrSolaris 2.4 port now works 100%. 166322514Sdarrenr 166422514SdarrenrMan page errors reported and fixed. 166522514Sdarrenr 166622514SdarrenrRemoved duplicate entry in etc/services for login on port 49 (Craig Bishop). 166722514Sdarrenr 166822514SdarrenrFixed ipmon output to put a space after the log-letter. 166922514Sdarrenr 167022514SdarrenrPatch from Guido van Rooij to fix parsing problem. 167122514Sdarrenr 167222514Sdarrenr2.8.1 15/10/95 - Released 167322514Sdarrenr 167422514SdarrenrAdded ttl and tos filtering. 167522514Sdarrenr 167622514SdarrenrPatches for fixing up compilation and port problems (little endian) 167722514Sdarrenrfrom Guido van Rooij <guido@IAEhv.nl>. 
167822514Sdarrenr 167922514SdarrenrMan page problems reported and fixed by Carson Gaspar <carson@lehman.com>. 168022514Sdarrenr 168122514Sdarrenripsend doesn't compile properly on Solaris2.4 168222514Sdarrenr 168322514SdarrenrLots of work done for Solaris2.4 to make it MT/MP safe and work. 168422514Sdarrenr 168522514Sdarrenr2.8 15/9/95 - Released 168622514Sdarrenr 168722514Sdarrenripmon can now send messages to syslogd (-s) and use names instead of 168822514Sdarrenrnumbers (-N). 168922514Sdarrenr 169022514SdarrenrIP packets are now "compiled" into a structure only containing filterable 169122514Sdarrenrbits. 169222514Sdarrenr 169322514SdarrenrAdded regression testing in the test/ subdirectory, using a new option 169422514Sdarrenr(-b) with the ipftest program. 169522514Sdarrenr 169622514SdarrenrAdded "nomatch" return to filter results. These are counted and show 169722514Sdarrenrup in reports from ipfstat. 169822514Sdarrenr 169922514SdarrenrMoved filter code out of ip_fil.c and into fil.c - there is now only one 170022514Sdarrenrinstance of it in the package. 170122514Sdarrenr 170222514SdarrenrAdded Solaris 2.4 support. 170322514Sdarrenr 170422514SdarrenrAdded IPSO basic security option filtering. 170522514Sdarrenr 170622514SdarrenrAdded name support for filtering on all 19 named IP options. 170722514Sdarrenr 170822514SdarrenrPatches from Ivan Brawley to log packet contents as well as packet headers. 170922514Sdarrenr 171022514SdarrenrUpdate for sun/conf.c.diff from Ivan Brawley <ibrawley@awadi.com.AU> 171122514Sdarrenr 171222514SdarrenrAdded patches for FreeBSD 1, and added two new switches (-E, -D) to ipf, 171322514Sdarrenralong with a new ioctl, SIOCFRENB. 171422514SdarrenrFrom: Dieter Dworkin Muller <dworkin@village.org> 171522514Sdarrenr 171622514Sdarrenr2.7.3 31/7.95 - Released 171722514Sdarrenr 171822514SdarrenrDidn't compile cleanly without IPFILTER_LOG defined (Mathew Green). 
171922514Sdarrenr 172022514Sdarrenripftest now deals with tcpdump3 binary output files (from libpcap) with -P. 172122514Sdarrenr 172222514SdarrenrBrought ipftest program upto date with actual filter code. 172322514Sdarrenr 172422514SdarrenrFilter would cause a match to occur when it wasn't meant to if the packet 172522514Sdarrenrhad short headers and was missing portions that should have been there. 172622514SdarrenrErr, it would rightly not match on them, but their absence caused a match 172722514Sdarrenrwhen it shouldn't have been. 172822514Sdarrenr 172922514Sdarrenr2.7.2 26/7/95 - Released 173022514Sdarrenr 173122514SdarrenrProblem with filtering just SYN flagged packets reported by 173222514SdarrenrDieter Dworkin Muller <dworkin@village.org>. To solve this 173322514Sdarrenrproblem, added support for masking TCP flags for comparison "flags X/Y". 173422514Sdarrenr 173522514Sdarrenr2.7.1 9/7/95 - Released 173622514Sdarrenr 173722514SdarrenrAdded ip_dirbroadcast support for Sun ip_input.c 173822514Sdarrenr 173922514SdarrenrFixed up the install scripts for FreeBSD/NetBSD to recognise where they are 174022514Sdarrenrbetter. 174122514Sdarrenr 174222514Sdarrenr2.7 7/7/95 - Released 174322514Sdarrenr 174422514SdarrenrAdded "return-rst" to return TCP RST's to TCP packets. 174522514Sdarrenr 174622514SdarrenrActually ported it to FreeBSD-i386 2.0.0, so it works there properly now. 174722514Sdarrenr 174822514SdarrenrAdded insertion of filter rules. Use "@<#>" at the beginning of a filter 174922514Sdarrenrto insert a rule at row #. 175022514Sdarrenr 175122514SdarrenrFilter keeps track of how many times each rule is matched. 175222514Sdarrenr 175322514SdarrenrChanged compile time things to match kernel option (IPFILTER_LKM & 175422514SdarrenrIPFILTER_LOG). 175522514Sdarrenr 175622514SdarrenrUpdated ip_input.c and ip_output.c with paches for 3.5 Multicast IP. 
175722514Sdarrenr(No change required for 3.6) 175822514Sdarrenr 175922514SdarrenrNow includes TCP fragments which start inside the TCP header as being short. 176022514SdarrenrAdded counting the number of times each rule is matched. 176122514Sdarrenr 176222514Sdarrenr 176322514Sdarrenr2.6 11/5/95 - Released 176422514Sdarrenr 176522514SdarrenrAdded -n option to ipf: when supplied, no changes are made to the kernel. 176622514Sdarrenr 176722514SdarrenrAdded installation scripts for SunOS 4.1.x and NetBSD/FreeBSD/BSDI. 176822514Sdarrenr 176922514SdarrenrRewrote filtering to use a more generic mask & match procedure for 177022514Sdarrenrchecking if a packet matches a rule. 177122514Sdarrenr 177222514Sdarrenr2.5.2 27/4/95 - Released 177322514Sdarrenr 177422514Sdarrenr"tcp/udp" and a non-initialised pointer caused the "proto" to become 177522514Sdarrenra `random' value; added "ip#/dotted.mask" notation to the BNF. 177622514SdarrenrFrom Adam W. Feigin <feigin@iis.ee.ethz.ch> 177722514Sdarrenr 177822514Sdarrenr2.5.1 22/3/95 - Released 177922514Sdarrenr 178022514Sdarrenr"tcp/udp" had a strange effect (undesired) on getserv*() functions, 178122514Sdarrenrcausing protocol/service lookups to fail. Reported by Matthew Green. 178222514Sdarrenr 178322514Sdarrenr2.5 17/3/95 - Released 178422514Sdarrenr 178522514SdarrenrAdded a new keyword "all" to BNF and parsing of tcpdump/etherfind/snoop 178622514Sdarrenroutput through the ipftest program. Suggestions from: 178722514SdarrenrMichael Ciavarella (mikec@phyto.apana.org.au) 178822514Sdarrenr 178922514SdarrenrConflicts occur when "general" filter rules are used for ports and the 179022514Sdarrenrlack of a "proto" when used with "port" matches other packets when only 179122514SdarrenrTCP/UDP are implied. 
179222514SdarrenrReported Matthew Green (mrg@fulcom.com.au); 179322514Sdarrenrreported & fixed 6-8/3/95 179422514Sdarrenr 179522514SdarrenrAdded filtering of short TCP packets using "with short" 28/2/95 179622514Sdarrenr(These can possibly slip by checks for the various flags). Short UDP 179722514Sdarrenror ICMP are dropped to the floor and logged. 179822514Sdarrenr 179922514SdarrenrAdded filtering of fragmented packets using "with frag" 24/2/95 180022514Sdarrenr 180122514SdarrenrPort to NetBSD-current completed 20/2/95, using LKM. 180222514Sdarrenr 180322514SdarrenrAdded logging of the rule # which caused the logging to happen and the 180422514Sdarrenrinterface on which the packet is currently as suggested by 180522514SdarrenrAndreas Greulich (greulich@math-stat.unibe.ch) 10/2/95 180622514Sdarrenr 180722514Sdarrenr2.4 9/2/95 - Released 180822514SdarrenrFixed saving of IP headers in ICMP packets. 180922514Sdarrenr 181022514Sdarrenr2.3 29/1/95 181122514SdarrenrAdded ipf -F [in|out|all] to flush filter rule sets (SIOCIPFFL). 181222514SdarrenrFixed iplread() and iplsave() with help from Marc Huber. 181322514Sdarrenr 181422514Sdarrenr2.2 7/1/95 - Released 181522514SdarrenrAdded code from Marc Huber <huber@fzi.de> to allow it to allocate 181622514Sdarrenrits own major char number dynamically when modload'ing. Fixed up 181722514Sdarrenruse of <, >, <=, >= and >< for ports. 181822514Sdarrenr 181922514Sdarrenr2.1 21/12/94 - Released 182022514Sdarrenrrepackaged to include the correct ip_output.c and ip_input.c *goof* 182122514Sdarrenr 182222514Sdarrenr2.0 18/12/94 - Released 182322514Sdarrenradded code to check for port ranges - complete. 182422514Sdarrenrrewrote to work as a loadable kernel module - complete. 182522514Sdarrenr 182622514Sdarrenr1.1 182722514Sdarrenradded code for ouput filtering as well as input filtering and added support for logging to a simple character device of packet headers. 
182822514Sdarrenr 182922514Sdarrenr1.0 22/04/93 - Released 183022514SdarrenrFirst release cut. 1831