# NOTE: Quite a few patches and suggestions come from other sources, to whom
# I'm greatly indebted, even if no names are mentioned.

# Thanks to the Coombs Computing Unit at the ANU for their continued support
# in providing a very available location for the IP Filter home page and

# Thanks to Hewlett Packard for making it possible to port IP Filter to

# Thanks to Tel.Net Media for supplying me with equipment to ensure that
# IP Filter continues to work on Solaris/sparc64.

# Thanks to BSDI for providing object files for BSD/OS 3.1 and the means
# to further support development of IP Filter under BSDI.

# Thanks to Craig Bishop of connect.com.au and Sun Microsystems for the
# loan of a machine to work on a Solaris 2.x port of this software.

# Thanks also to all those who have contributed patches and other code,
# and especially those who have found the time to port IP Filter to new
3.4.35 21/6/2004 - Released

some cases of ICMP checksum alteration were wrong

block packets that fail to create state table entries

correctly handle all return values from ip_natout() when fastrouting

ipmon was not correctly calculating the length of the IPv6 packet (excluded

3.4.34 20/4/2004 - Released

correct the ICMP packet checksum fixing up when processing ICMP errors for NAT

various changes to ipsend for sending packets with ipv4 options

look for ipmon's pidfile in /var/run and /etc/opt/ipf in Solaris' init script

only allow non-fragmented packets to influence whether or not a logged
packet is the same as the one logged before.

make "ipfstat -f" output more informative

compatibility for openbsd byte order changes to ip_off/ip_len

disallow "freebsd" as a make target (encourages people to do the wrong thing)

3.4.33 15/12/2003 - Released

pass on messages moving through ipfilter when it is unloading itself on Solaris

add disabling of auto-detach when the module attaches on Solaris

compatibility patches for 'struct ifnet' changes on FreeBSD

implement a maximum for the number of entries in the NAT table (NAT_TABLE_MAX

frsynclist() wasn't paying attention to all the places where interface
names are, like it should.

fix where packet header pointers are pointing to after doing an ipf_pullup

fix comparing ICMP packets with established TCP state where only 8 bytes
of header are returned in the ICMP error.
3.4.32 18/6/2003 - Released

fix up the behaviour of ipfs

make parsing errors in ipf/ipnat return an error rather than return

make ipfstat work as a set{g,u}id thing - gave up privs before opening

checksum adjustment corrections for ICMP & NAT

attempt to always get an mbuf full of data through pullup if possible

Fix bug with NAT and fragments causing system to crash

Add patches for OpenBSD 3.3

stop LKM locking up the machine on modern NetBSD(?)

allow timeouts in NAT rules to over-ride fr_defnatage if LARGE_NAT is defined

Locking patches for IRIX 6.5 from SGI.

fix bug in synchronising state sessions where all interfaces were invalidated

fix bug in openbsd 3.2 bridge diffs

fix bug parsing port comparisons in proxy rules

3.4.31 7/12/2002 - Released

Solaris 10 compatibility

fix linking into pfil in NetBSD

fix IRIX 6.2 compatibility

add code to check consistency of fr_checkp/fr_check on non-Solaris

OpenBSD: missing patches for ip6_output.c on OpenBSD 3.2,
make LKM work for 3.2 (OpenBSD LKMs now match NetBSD)
3.4.30 26/11/2002 - Released

attempt to detect using GNU make and abort if so

OpenBSD 3.2 patches from Stefan Hermes von GMX

add MSS clamping code from NetBSD

correctly display ipv6 output with ipfstat for (accounting) rules

fix problems with ioctl handling for /dev/ipauth

set SYN bit in rcmd fake packet to create back channel

make libpcap reader capable of determining in/out (not in libpcap file)
and add more DLT types

do not allow redirects to localhost for Solaris in NAT parser

allow return-rst with auth rules

fix for handling ipv6 icmp errors

fix up ipfs command line option processing

only allow processing an ftp 227 response following a PASV command

NetBSD: use poll() and adapt to new cdevsw mechanism

make flushing for just ipv6 things work
3.4.29 28/8/2002 - Released

Make substantial changes to the FTP proxy to improve reliability, security

don't send ICMP errors/TCP RST's in response to blocked proxy packets

fix potential memory leaks when unloading ipfilter from kernel

fix bug in SIOCGNATL handler that did not preserve the expected
byte order from earlier versions in the port number

set do not fragment flag in generated packets according to system flags,

preserve filter rule number and group number in state structure

fix bug in ipmon printing of p/P/b/B

make some changes to the kmem.c code for IRIX compatibility

add code to specifically handle ip.tun* interfaces on Solaris
3.4.28 6/6/2002 - Released

Fix for H.323 proxy to work on little endian boxes

IRIX: Update installation documentation

allow use of groups > 65535

create a new packet info summary for packets going through ipfr_fastroute()
so that where details are different (RST/ICMP errors), the packet now gets
correctly NAT'd, etc.

fix the FTP proxy so that checks for TCP sequence numbers outside the
normal offset due to data changes use absolute numbers

make it possible to remove rules in ipftest

Update installing onto OpenBSD and split into two directories:
OpenBSD-2 and OpenBSD-3

fix error in printing out the protocol in NAT rules

always unlock ipfilter if locking fails half way through in ipfs

fix problems with TCP window scaling

update of man pages for ipnat(4) and ipftest(1)

3.4.27 28/04/2002 - Released

fix calculation of 2's complement 16 bit checksum for user space

add mbuflen() to userspace compiles.

add more #ifdef complexity for platform portability

add OpenBSD 3.1 diffs
3.4.26 25/04/2002 - Released

fix parsing and printing of NAT rules with regression tests.

add code to adjust TCP checksums inside ICMP errors where present and as

fix documentation problems in install documents

fix locking problem with auth code on Solaris

fix use of version macros for FreeBSD and make the use of __FreeBSD_version
override previous hacks except when not present

fix the macros defined for SIOCAUTHR and SIOCAUTHW

fix the H.323 proxy so it no longer panics (multiple issues: re-entry into
nat_ioctl with lock held on Solaris, trying to copy data from kernel space
with copyin, unaligned access to get 32bit & 16bit numbers)

use the ip_ttl ndd parameter on Solaris to fill in ip_ttl for packets
generated by IPFilter

fix comparing state information to delete state table entries

flag packets as being "bad state" if they're outside the window and prevent
them from being able to cause new state to be created - except for SYN packets

be stricter about what packets match a TCP state table entry if its creation
was triggered by a SYN packet.

add patches to handle TCP window scaling

don't update TCP state table entries if the packet is not considered to be
part of the connection

ipfs wasn't allowing -i command line option in getopt

IRIX: fix kvm interface, fix compile warnings, compile the kernel with -O2
regardless of user compile, fix the getkflags script to prune down the
output more so it is acceptable

change building in Makefiles to create links to the application in $(TOP)
at the end of "build" rather than when each is created.

update BSD/kupgrade for FreeBSD

l4check wasn't properly closing things when a connection fails

man page updates for ipmon(8) and ipnat(5)

more regression tests added.
3.4.25 13/03/2002 - Released

retain rule # in state information

log the direction of a packet so ipmon gets it right rather than incorrectly
deriving it from the rule flags

add #ifdef for IPFILTER_LOGSIZE (put options IPFILTER_LOGSIZE=16384 in BSD
kernel config files to increase that buffer size)

recognise return-* rules differently to block in ipftest

fix bug in ipmon output for solaris

add regression testing for skip rules, logging and using head/group

fix output of ipmon: was displaying large unsigned ints rather than -1
when no rules matched.

make logging code compile into ipftest and add -l command line option to
dump binary log file (read with ipmon -f) when it finishes.

protect rule # and group # from interference when checking accounting rules

add regression testing for log output (text) from ipmon.

document -b command line option for ipmon

fix double-quick in Solaris startup script

3.4.24 01/03/2002 - Released

fix how files are installed on SunOS5

fix some minor problems in SunOS5 ipfboot script

by default, compile all OpenBSD tools in 3.0 for IPv6

fix NULL-pointer dereference in NAT code

make a better attempt at replacing the appropriate binaries on BSD systems

always print IPv6 icmp-types as a number

impose some rules about what "skip" can be used with

fix parsing problems with "keep state" and "keep state-age"

Try to read as much data as is in the log device in ipmon

remove some redundant checks when searching for rdr/nat rules

fix bug in handling of ACCT with FTP proxy

increase array size for interface names, using LIFNAMSIZ

include H.323 proxy from QNX
3.4.23 16/01/2002 - Released

Include patches to install IPFilter into OpenBSD 3.0, both for just kernel
compiles and complete system builds.

Fix bug in automatic flushing of state table which would cause it to hang
in an infinite loop, a bug introduced in 3.4.20.

Modify the sample proxy (samples/proxy.c) so that it adds a NAT mapping for
the outgoing connection to make it look like it comes from the real source.

Only support ICMPv6 with IPv6.

Move ipnat.1 to ipnat.8

Enhance ipmon to print textual ICMP[v6] types and subtypes where possible.

Make it possible to do IPv6 regression testing with ipftest.

Use kvm library for kmem access, rather than trying to do it manually with

Fix diffs for ip_input.c on BSDOS so it doesn't crash with fastroute.

Remove Berkeley advertising licence clause. Reference:
ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change

Add more regression tests: ICMPv6 neighbour discovery, ICMP time exceeded
and fragmentation required.

Fix ipfboot script on Solaris to deal with no nameservers or no route to
them in a clean manner.

Support per-rule set timeouts for non-TCP NAT and state

Add ICMPv6 stateful checking, including handling multicast destination
addresses for neighbour discovery.

Fix problems with internals of ICMP messages for MTU discovery and
unreachables not being correctly adjusted on little endian boxes.

Add "in-via" and "out-via" to filtering rules grammar. It is now possible
to bind a rule to both incoming and outgoing interfaces, in both forward
and reverse directions (4 directions in total). Allows for asymmetric flows

Fix ipfstat and ipnat for working on crash dumps.

Don't let USE_INET6 stay defined for SunOS4

Count things we see for each interface on solaris.

Include <netinet/icmp6.h> when compiling with USE_INET6 defined and
also include a whole bunch of #define's to make sure the symbols expected

Fix up fastroute on BSD systems.

Make fastrouting work for IPv6 just a bit better. Doesn't split up big
packets into fragments like the IPv4 one does. You can now do a
"to <if>:<ipv6_addr>"

Remove some of the differences between user-space and kernel-space code
that is internal to ipfilter.

Call ipfr_slowtimer() after each packet is processed in ipftest to artificially
create the illusion of passing time and include the expire functions in the
code compiled for user-space.

Fix issues with the IPSec proxy not working or leading to a system crash.

Junk all processing of SPIs and special handling for ESP.

Add "no-match" as a filter rule action (resets _LAST_ match)

Add hack to workaround problems with Cassini interface cards on

Add some protocols to etc/protocols
3.4.22 03/12/2001 - Released

various openbsd changes

sorting based on IP numbers for ipfstat top output

fix various IPv6 code & compile problems

modify ip_fil.c to be more netbsd friendly

fix fastroute bug where it modified a packet post-sending

fix get_unit() - don't understand why it was broken.

add FI_IGNOREPKT and don't count so marked packets when doing stats or

extend the interface name saved to log output

make proxies capable of extending the matching done on a packet with a
particular nat session

change interfaces inside NAT & state code to accommodate redesign to allow

fix bug when free'ing loaded rules that results in a memory leak
(only an issue with "ipf -rf -", not flush)

make ipftest capable of loading > 1 file of rules, making it now possible
to load both NAT & filter rules

fix hex input for ipftest to allow interface name & direction to work

show ipsec proxy details in ipnat output

if OPT_HEX is set in opts, print a packet out as hex

don't modify b_next or preserve it or preserve b_prev for solaris

fix up kinstall scripts to install all the files everywhere they need to

fix overflowing of bits in ip_off inside iptest

make userauth and proxy in samples directory compile

fix minimum size when doing a pullup for ESP & ICMPv6
3.4.21 24/10/2001 - Released

make state work for non-tcp/udp/icmp in a very simple way

include diffs for ipv6 firewall on openbsd-2.9

add compatibility filter wrapper for NetBSD-current

fix command line option problems with ipfs

if we fill the state table and an automated flush doesn't purge any
expiring entries, remove all entries idle for more than half a day

fix bug with sending resets/icmp errors where the pointer to the data
section of the packet was not being set (BSD only)

split out validating ftp commands and responses into different halves,
one for each of server & client.

do not compile in STATETOP support for specific architectures

fix INSTALL.FreeBSD to no longer provide directions and properly direct
people to the right file for the right version of FreeBSD.

3.4.20 24/07/2001 - Released

adjust NAT hashing to give a better spread across the table

show icmp code/type names in output, where known

fix bug in altering cached interface names in state when resync'ing

fix bug in real audio proxy that caused crashes

fix compiling using sunos4 cc

patch from casper to address weird exit problem for ipstat in top mode

patch from Greg Woods to produce names for icmp types/unreach codes,

fix bug where ipfr_fastroute() would use a mblk and it would also get

don't match fragments which would cause 64k length to be exceeded

ftp proxy fix for port numbers being setup for pasv ftp with state/nat

change hashing for NAT to include both IP#'s and ports.

Solaris fixes for IPv6

fix compiling iplang bits, under Solaris, for ipsend
3.4.19 29/06/2001 - Released

fix to support suspend/resume on solaris8 as well as ipv6

include group/group-head in match of filter rules

fix endian problem reading snoop files

make all licence comments point to the one place

fix ftp proxy to only advance state if a reply is received in response to

3.4.18 05/06/2001 - Released

fix up parsing of "from ! host" where '!' is separate

disable hardware checksums for NetBSD

put ipftest temporary files in . rather than /tmp

modify ftp proxy to be more intelligent about moving between states
and recognise new authentication commands

allow state/nat table sizes to be externally influenced

print out host mapping table for NAT with ipnat -l

fix handling of hardware checksum'ing on Solaris

fixup makefiles for Solaris

update regression tests

fix surrender of SPL's for failure cases

include patches for OpenBSD's new timeout mechanism

default ipl_unreach to ICMP_UNREACH_FILTER_PROHIB if defined, else make it

fix up handling of packets matching auth rules and interaction with state

add -q command line option to ipfstat on Solaris to list bound interfaces

add command line option to ipfstat/ipnat to select different core image

don't use ncurses on Solaris for STATETOP

fix includes to get FreeBSD version

do not byte swap ip_id

fix handling success for packets matching the auth rule

don't double-count short packets

add ICMP router discovery message size recognition

fix packet length calculation for IPv6

set CPUDIR for install-sunos5 make target

SUNWspro -xF causes Solaris 2.5.1 kernel to crash
3.4.17 06/04/2001 - Released

fix fragment#0 handling bug where they could get in via cache information
created by state table entries

use ire_walk to look for ire cache entries with link layer headers cached

deal with bad SPL assumptions for log reading on BSD

fix ftp proxy to allow logins with passwords

some auth rule patches, fixing byte endian problems and returning as an error

support LOG_SECURITY, where available, in ipmon

don't return an error for packets which match auth rules

introduce fr_icmpacktimeout to timeout entries once an ICMP reply has
been seen separately to when created

3.4.16 15/01/2001 - Released

fix race condition in flushing of state entries that are timing out

log all NAT entries created, not just those via rules

3.4.15 17/12/2000 - Released

add minimum ttl filtering (to be replaced later by return-icmp-as-dest
for all ICMP packets matching state entries).

fix NAT'ing of fragments

fix sanity checks for ICMPV6

fix up compiling on IRIX 6.2 with IDF/IDL installed

3.4.14 02/11/2000 - Released

cause flushing NAT table to generate log records the same as state flush

fix ftp proxy port/pasv

fix problem where nat_{in,out}lookup() would release a write lock when it

add check for ipf6.conf in Solaris ipfboot

3.4.13 28/10/2000 - Released

fix introduced bug with ICMP packets being rejected when valid

fix bug with proxies that don't set fin_dlen correctly when calling

3.4.12 26/10/2000 - Released

fix installing into FreeBSD-4.1

fix FTP proxy bug where it'd hang and make NAT slightly more efficient

fix general compiling errors/warnings on various platforms

don't access ICMP data fields that aren't there
3.4.11 09/10/2000 - Released

return NULL for IPv6 access control lists if it is disabled rather than

fix for getting protocol & packet length for IPv6 packets for pullup.

update plog script from version 0.8 to version 0.10

patch from Frank Volf adding fix_datacksum() to NAT code, enhancing the
capabilities for "fixing" checksums.

3.4.10 03/09/2000 - Released

merge patch from Frank Volf for ICMP nat handling of TCP/UDP data `errors'

getline() adjusts linenum now

add tcphalfclosed timeout

fill in icmp_nextmtu field if it is defined on the platform

RST generation fix from guido

force 32bit compile for gcc on solaris if it can't generate 64bit code

encase logging when fr_chksrc == 2 in #ifdef IPFILTER_LOG

fix up line wrap problems in plog script

fix ICMP packet handling to not drop valid ICMP errors

freebsd 5.0 compat changes

3.4.9 08/08/2000 - Released

implement new aging mechanism in fr_tcp_age()

fix icmp state checking bug

revamp buildsunos script and build both sparcv7/sparcv9 for Solaris
if on an Ultra with a 64bit system & compiler (Casper Dik)

open ipfilter device read only if we know we can

print out better information for ICMP packets in ipmon

move checking for source spoofed packets to a point where we can generate

return EFAULT from ircopyptr/iwcopyptr

don't do ioctl(SIOCGETFS) for auth stats

fix up freeing mbufs for post-4.3BSD

fix returning of inc from ftp proxy

fix bugs with ipfs -R/-W (Casper Dik)
3.4.8 19/07/2000 - Released

create fake opt_inet6.h for FreeBSD-4 compile as LKM

add #ifdef's for KLD_MODULE sanity

NAT fastroute'd packets which come out of return-*

fix upper/lower case crap in ftp proxy and get seq# checking fixed up.

3.4.7 08/07/2000 - Released

make "ipf -y" lookup NAT if's which are unknown

prepend line numbers to ioctl error messages in ipf/ipnat

don't apply patches to FreeBSD twice

allow for ip_len to be on an unaligned boundary early on in fr_precheck

fix printing of icmp code when it is 0

correct printing of port numbers in map rules with from/to

don't allow fr_func to be called at securelevel > 0 or rules to be added
if securelevel > 0 if they have a non-zero fr_func.

3.4.6 11/06/2000 - Released

add extra regression tests for new nat functionality

place restrictions on using '!' in map/rdr rules

fix up solaris compile problems

3.4.5 10/06/2000 - Released

mention -sl in ipfstat.8

fix/support '!' in from/to rules (rdr) for NAT

add from/to support to rdr NAT rules

don't send ICMP errors in response to ICMP errors

fix sunos5 compilation for "ipfstat-top" and cleanup ipfboot

input accounting list used for both outbound and inbound packets

3.4.4 23/05/2000 - Released

don't add TCP state if it is an RST packet and (attempt) to send out
RST/ICMP packets in a manner that bypasses IP Filter.

add patch to work with 4.0_STABLE delayed checksums

3.4.3 20/05/2000 - Released

don't truncate IPv6 packets on Solaris

fix keep state for ICMP ECHO

add some NAT stats and use def_nat_age rather than DEF_NAT_AGE

don't make ftp proxy drop packets

use MCLISREFERENCED() in tandem with M_EXT to check if IP fields need to be

fix up RST generation for non-Solaris

get "short" flag right for IPv6

3.4.2 - 10/5/2000 - Released

Fix bug in dealing with "hlen == 1 and opt > 1" - Itojun

ignore previous NAT mappings for 0/0 and 0/32 rules

bring in a completely new ftp proxy

allow NAT to cause packets to be dropped.

add NetBSD callout support for 1.4-current
3.4.1 - 30/4/2000 - Released

add ratoui() and fix parsing of group numbers to allow 0 - UINT_MAX

don't include opt_inet6.h for FreeBSD if KLD_MODULE is defined

Solaris must use copyin() for all types of ioctl() args

fix up screen/tty when leaving "top mode" of ipfstat

linked list for maptable not setup correctly in nat_hostmap()

check for maptable rather than nat_table[1] to see if malloc for maptable
succeeded in nat_init

fix handling of map NAT rules with "from/to" host specs

fix printing out of source address when using "from/to" with map rules

convert ip_len back to network byte order, not plen, for solaris as ip_len
may have been changed by NAT and plen won't reflect this

3.4 - 27/4/2000 - Released

source address spoofing can be turned on (fr_chksrc) without using

group numbers are now 32bits in size, up from 16bits

IPv6 filtering available

add frank volf's state-top patches

add load splitting and round-robin attribute to redirect rules

FreeBSD-4.0 support (including KLD)

add top-style operation mode for ipfstat (-t)

add save/restore of IP Filter state/NAT information (ipfs)

further ftp proxy security checks

support for adding and removing proxies at runtime

3.3.13 26/04/2000 - Released

Fix parsing of "range" with "portmap"

Relax checking of ftp replies, slightly.

Fix NAT timeouts for ICMP packets

SunOS4 patches for ICMP redirects from Jurgen Keil (jk@tools.de)
3.3.12 16/03/2000 - Released

tighten up ftp proxy behaviour. sigh. yuck. hate.

fix bug in range check for NAT where the last IP# was not used.

fix problem where icmp codes > 127 in filter rules caused bad things to
happen and in particular, where #18 caused the rule to be printed

fix bug with the spl level not being reset when returning EIO from
iplioctl due to ipfilter not being initialized yet.

3.3.11 04/03/2000 - Released

make "or-block" work with lines that start with "log"

fix up parsing and printing of rules with syslog levels in them

fix from Cy Schubert for calling of apr_fini only if non-null

3.3.10 24/02/2000 - Released

* fix back from guido for state tracking interfaces

* update for NetBSD pfil interface changes

* if attaching fails and we can abort, then cleanup when doing so.

* solaris.c (fr_precheck): After calling freemsg on mt, set it to point to *mp.
* ipf.c (packetlogon): use flag to store the return value from get_flags.
* ipmon.c (init_tabs): General cleanup so we do not have to cast
an int s->s_port to u_int port and try to check if the u_int port

3.3.9 15/02/2000 - Released

fix scheduling of bad locking in fr_addstate() used when we attach onto

fix up ip_statesync() with storing interface names in ipstate_t

fix fr_running for LKM's - Eugene Polovnikov

junk using pullupmsg() for solaris - it's next to useless for what we
need to do here anyway - and implement what we require.

don't call fr_delstate() in fr_checkstate(), when compiled for a user
program, early but when we're finished with it (got fr & pass)

ipnat(5) fix from Guido

on solaris2, copy message and use that with filter if there is another
copy of it being used (db_ref > 1). bad for performance, but better
than causing a crash.

patch for solaris8-fcs compile from Casper Dik
3.3.8 01/02/2000 - Released

fix state handling of SYN packets.

add parsing recognition of extra icmp types/codes and fix handling of
icmp time stamps and mask requests - Frank Volf

3.3.7 25/01/2000 - Released

sync on state information as well as NAT information when required

record nat protocol in all nat log records

don't reuse the IP# from an active NAT session if the IP# in the rule
has changed dynamically.

lookup the protocol for NAT log information in ipmon and pass that to

fix the bug with changing the outbound interface of a packet where it
would lead to a panic.

use fr_running instead of ipl_inited. (sysctl name change on freebsd)

return EIO if someone attempts an ioctl on state/nat if ipfilter is not

fix rule insertion bug

make state flushing clean anything that's not fully established (4/4)

call fr_state_flush() after we've released ipf_state so we don't generate
a recursive mutex acquisition panic

fix parsing of icmp code after return-icmp/return-icmp-as-dest and add
some patches to enhance parsing strength

3.3.6 28/12/1999 - Released

add in missing rwlock release in fr_checkicmpmatchingstate() and fix check
for ICMP_ECHO to only be for packet, not state entry which we don't have yet.

handle SIOCIPFFB in nat_ioctl() and fr_state_ioctl()

fix size of friostat for SunOS4

fix bug in running off the end of a buffer in real audio proxy

3.3.5 11/12/1999 - Released

fix parsing of "log level" and printing it back out too

<net/if_types.h> is only present on Solaris2.6/7/8

use send_icmp_err rather than icmp_error to send back a frag-needed error

do not use -b with add_drv on Solaris unless $BASEDIR is set.

fix problem where source address in icmp replies is reversed

fix yet another problem with real audio.
3.3.4 4/12/1999 - Released

fix up the real audio proxy to properly setup state information and NAT
entries, thanks to Laine Stump for testing/advice/fixes.

fix ipfr_fastroute to set dst->sin_addr (Sean Farley - appears to prevent
FreeBSD 3.3 from panic'ing) as this had been removed in prior hacks to this

fix kinstall for BSDI

support ICMP errors being allowed through for ICMP packets going out with

support hardware checksumming (gigabit ethernet cards) on Solaris thanks to
Tel.Net Media for providing hardware for testing.

patches from Frank Volf for ipmon (ICMP & fragmented packets) and allowing
ICMP responses to ICMP packets in the keep state table.

add in patches for hardware checksumming under solaris

Solaris install scripts now use $BASEDIR as appropriate.

fix "ipf -y" on solaris so that it rescans rules also for changes in

let ipmon become a daemon with -D if it is using syslog

fix parsing of return-icmp-as-dest(foo)

add reference to ipfstat -g to ipfstat.8

ipf_mutex needs to be declared for irix in ip_fil.c

3.3.3 22/10/1999 - Released

add -g command line option to ipfstat to show groups still defined.

fix problem with fragment table not recording rule pointer when called
from state functions (fin_fr not set).

fixup fastroute problems with keep state rules.

load rules into inactive set first, so we don't disable things like NIS
lookups half way through processing - found by Kevin Littlejohn

fix handling of unaligned ip pointer for solaris

patch for fr_newauth from Rudi Sluijtman

fixed htons() bug in fr_tcpsum() where ip_p wasn't cast to u_short

3.3.2 23/09/1999 - Released

patches from Scott Presnell to fix rcmd proxy

patches from Greg to fix Solaris detachment of interfaces

add openbsd compatibility fixes

fix free'ing already freed memory in ipfr_slowtimer()

fix for dereferencing invalid memory in cleaning up after a device disappears

3.3.1 14/8/1999 - Released

remove include file sys/user.h for irix

prevent people from running buildsunos directly

fix up some problems with the saving of rule pointers so that NAT saves
that information in case it should need to call fr_addstate() from a proxy.

fix up scanning for the end of FTP messages

don't remove /etc/opt/ipf in postremove

attempt to prevent people running buildsolaris script without doing a

fix timeout losing on freebsd3
3.3 7/8/1999 - Released

NAT: information (rules, mappings) are stored in hash tables; setup some
basic NAT regression testing.

display version name of installed kernel code when initializing.

add -V command line option to ipf, showing version (program and kernel
module) as well as the run-status of the kernel code.

fix problem with "log" rules actually affecting result of filtering.

automatically use SUNWspro if available and on a 64bit Solaris system for

add kernel proxies for rcmd(3) and RealAudio (PNA)

use timeout/untimeout on SunOS4/BSD platforms too rather than hijacking

fix IP headers generated through parsing of text information

fix NAT rules to be in the correct order again.

make keep-state work with to/fastroute keywords and enforce usage of those

update keep-state code with new algorithm from Guido

add FreeBSD-3 support

add return-icmp-as-dest option to return an ICMP packet using the original
destination as the source rather than a local IP address

add "level [facility.]<priority>" option to filter language

add changes from Guido to state code.

add code to return EPERM if the device is opened for writing and we're
in securelevel 2 or greater.

authentication code patches from Guido

fix real audio proxy

fix ipmon rule printing of interfaces and add IN/OUT to the end of ipmon

fix bimap rules with hash tables

update addresses used in NAT mappings for 0/32 rules for any protocol but TCP
if it changes on the interface - check every ip_natexpire()

add redirect regression test

count buckets used in the state hash table.

fix sending of RST's with return-rst to use the ack number provided in
the packet being replied to in addition to the sequence number.

fix to compile as a 64bit application on solaris7-64bit

add NAT IP mapping to ranges of IP addresses that aren't CIDR specified

fix calculation of in_space parameter for NAT

fix `wrapping' when incrementing the next ip address for use in NAT

fix free'ing of kernel memory in ip_natunload on solaris

fix -l/-U command line options from interfering with each other

fix fastroute under solaris2 and cleanup compilation for solaris7

add install scripts and compile cleanly on BSD/OS 4.0

safely open files in /tmp for writing device output when testing.

fix uninitialized pointer bug in NAT

fix SIOCZRLST (zero list rule stats) bug with groups

change some usage of u_short to u_int in function calling

fix compilation for Solaris7 (SUNWspro)

change solaris makefiles to build for either sparc or i386 rather than
per-cpu (sun4u, etc).

add patches from George Michaelson for FreeBSD 3.0

add patch from Guido to provide ICMP checking for known state in the same
manner as is done for NAT.

enable FTP PASV proxying and enable wildcarding in NAT/state code for ports
for better PORT/PASV support with FTP.

bring into main tree static nat features: map-block and "auto" portmapping.

add in source host filtering for redirects (alan jones)

3.2.10 22/11/98 - Released

3.2.10beta9 17/11/98 - Released

fix fr_tcpsum problems in handling mbufs with an odd number of bytes
and/or split across an mbuf boundary

fix NAT list entry comparisons and allow multiple entries for the same
proxy (but on different ports).

don't create duplicate NAT entries for repeated PORT commands.

3.2.10beta8 14/11/98 - Released

always exit an rwlock before expecting to enter it again on solaris
1172 fix loop in nat_new for pre-existing nat
1174 don't setup state for an ftp connection if creating nat fails.
1176 3.2.10beta7 05/11/98 - Released
1178 set fake window in ipft_tx.c to ensure code passes tests.
1180 cleaned up/enhanced ipnat -l/ipnat -lv output
1182 fixed NAT handling of non-TCP/UDP packets, esp. for ICMP errors returned.
1184 Solaris recursive mutex on icmp-error/tcp-reset - requires rwlock's rather
1187 3.2.10beta6 03/11/98 - Released
1189 fix mixed use of krwlock_t and kmutex_t on Solaris2
1191 fix FTP proxy back up, splitting pasv code out of port code.
1193 3.2.10beta5 02/11/98 - Released
1195 fixed port translation in ICMP reply handling
1197 3.2.10beta4 01/11/98 - Released
1199 increase useful statistic collection on solaris
1201 filter DL_UNITDATA_REQ as well as DL_UNITDATA_IND on solaris
1203 disable PASV reply translation for now
1205 fail with an error if we try to load a NAT rule with a non-existent
1208 fix portmap usage with 0/0 and 0/32 map rules
1210 remove ap_unload/ap_expire - automatically done when NAT is cleaned up
1212 print "STATE:CLOSED" from ipmon if the connection progresses past established
1213 rather than "STATE:EXPIRED"
1215 3.2.10beta3 26/10/98 - Released
1217 fixed traceroute/nat problem
1219 rewrote nat/proxy interface
1221 ipnat now lists associated proxy sessions for each NAT where applicable
1223 3.2.10beta2 13/10/98 - Released
1225 use KRWLOCK_T in place of krwlock_t for solaris as well as irix
1227 disable use of read-write lock acquisition by default
1229 add in mb_t for linux, non-kernel
1231 some changes to progress compilation on linux with glibc
1233 change PASV as well as PORT when passed through kernel ftp proxy.
1235 don't allow window to become 0 in tcp state code
1237 make ipmon compile cleaner
1241 3.2.10beta 11/09/98 - Released
1243 stop fr_tcpsum() thinking it has run out of data when it hasn't.
1245 stop solaris panics due to fin_dp being something wild.
1247 revisit usage of ATOMIC_*()
1249 log closing state of TCP connection in "keep state"
1251 fix fake-arp table code for ipsend.
1253 ipmon now writes pid to a file.
1255 fix "ipmon -a" to actually activate all logging devices.
1257 add patches for BSDOS4.
1259 perl scripts for log analysis donated.
1261 3.2.9 22/06/98 - Released
1263 fix byte order for ICMP packets generated on Solaris
1265 fix some locking problems.
1267 fix malloc bug in NAT (introduced in 3.2.8).
1269 patch from guido for state connections that get fragmented
1271 3.2.8 08/06/98 - Released
1273 use readers/writers locks in Solaris2 in place of some mutexes.
1275 Solaris2 installation enhancements - Martin Forssen (maf@carlstedt.se)
1277 3.2.7 24/05/98 - Released
1279 u_long -> u_32_t conversions
1281 patches from Bernd Ernesti for NetBSD
1283 fixup ipmon to actually handle HUP's.
1285 Linux fixes from Michael H. Warfield (mhw@wittsend.com)
1287 update for keep state patch (not security related) - Guido
1289 dumphex() uses stdout rather than log
1291 3.2.6 18/05/98 - Released
1293 fix potential security loop hole in keep state code.
1297 3.2.5 09/05/98 - Released
1299 BSD/OS 3.1 .o files added for the kernel.
1301 fix sequence # skew vs window size check.
1303 fix minimum ICMP header size check.
1305 remove references to Cybersource.
1307 fix my email address.
1309 remove ntohl in ipnat - Thomas Tornblom
1311 3.2.4 09/04/98 - Released
1313 add script to make devices for /dev on BSD boxes
1315 fixup building into the kernel for FreeBSD 2.2.5
1317 add -D command line option to ipmon to make it a daemon and SIGHUP causes
1318 it to close and reopen the logfile
1320 fixup make clean and make package for SunOS5 - Marc Boucher
1322 postinstall keeps adding "minor=ipf ipl" - George Ross <gdmr@dcs.ed.ac.uk>
1324 protected by IP Filter gif - Sergey Solyanik <solik@atom.ru>
1326 3.2.3 10/11/97 - Released
1328 fix some iplang bugs
1330 fix tcp checksum data overrun, sgi #define changes,
1331 avoid infinite loop when nat'ing to single IP# - Marc Boucher
1333 fixup DEVFS usage for FreeBSD
1335 fix sunos5 "make clean" cleaning up too much
1337 3.2.2 28/11/97 - Released
1339 change packet matching to return actual error, if bad packet, to facilitate
1342 allow ip:netmask in grammar too now - Guido
1344 assume IRIX has u_int32_t in sys/types.h (needed for R10000)
1346 rewrite parts of command line options for ipmon
1348 fix TCP urgent packet & offset testing and add LAND attack test for iptest
1350 fix grammar error in yacc grammar for iplang
1352 redirect (rdr) destination port byte-swapped when it shouldn't be.
1354 general: fr_check now returns error code, such as EHOSTUNREACH or
1355 ECONNRESET (attempt to make ECONNRESET work for locally outbound
1358 linux: enable return-rst, need to filter tcp retransmits which are sent
1359 separately from normal packets
1361 memory leak plugged in ip_proxy.c
1363 BSDI compatibility patches from Guido
1365 tcp checksum fix - Marc Boucher
1367 recursive mutex and ioctl param fix - Marc Boucher
1369 3.2.1 12/11/97 - Released
1373 port to Linux 2.0.31
1375 patches to make "map a/m -> 0/0" work with ftp proxying properly - Marc Boucher
1377 add "ipf -F s" and "ipf -F S" to flush state table entries.
1379 announce if logging is on or off when ip filter initializes.
1381 "ipf -F a" doesn't flush groups properly for Solaris.
1383 3.2 30/10/97 - Released
1385 ipnat doesn't successfully remove proxy mappings with "-rf" -
1388 use K&R C function style for solaris kernel code
1390 use m_adj() to decrease packet size in ftp proxy
1392 use mbufchainlen rather than msgdsize,
1393 IRIX update - Marc Boucher
1395 fix NetBSD modunload bug (pfil_add_hook done twice)
1397 patches for OpenBSD 2.1 - Craig Bevins <craigb@bitcom.net.au>
1399 3.2beta10 24/10/97 - Released
1401 fix fragment table entries allocated for NAT.
1403 fix tcp checksum calculations over mbuf/mblk boundaries
1405 fix panic for blen < 0 in ftp kernel proxy - marc boucher
1407 fix flushing of rules which have been grouped.
1409 3.2beta9 20/10/97 - Released
1411 some nit picking on solaris2 with SUNWspro - Michael Lyle <mrl@rpnet.net>
1413 ftp kernel proxy patches from Marc Boucher
1415 3.2beta8 13/10/97 - Released
1417 add support for passing ICMP errors back through NAT.
1419 IRIX port update - Marc Boucher
1421 calculate correct MIN size of packet to log for UDP - Marc Boucher
1423 need htons(ETHERTYPE_x) on little endian BSD boxes - Dave Huang
1425 copyright header fixups
1427 3.2beta7 23/09/97 - Released
1429 fix up problems introduced by prior merges & changes.
1431 3.2beta6 23/09/97 - Released
1433 patch for spin-reading race condition - Marc Boucher.
1435 IRIX port by Marc Boucher.
1437 compatibility updates for Linux to ipsend
1439 3.2beta5 13/09/97 - Released
1441 patches from Bernd Ernesti for NetBSD integration (mostly prototyping and
1442 compiler warning things)
1444 ipf -y will resync IP#'s allocated with 0/32 in NAT to match interface if it
1447 update manual pages and other documentation updates.
1449 3.2beta4 27/8/97 - Released
1451 enable setting IP and TCP options for iplang/
1453 Solaris2 patches from Marc Boucher.
1455 add groups for filter rules.
1457 3.2beta3 21/8/97 - Released
1459 patches for Solaris2 (interface panic solution ?): fix FIONREAD and
1460 replacing q_qinfo points - Marc Boucher <marc@CAM.ORG>
1462 change ipsend/* and ipsd/* copyright notices to be the same as ip filter's
1464 patch for SYN-ACK skew testing fix from Eric V. Smith <EricSmith@windsor.com>
1466 3.2beta2 6/8/97 - Released
1468 make it load on Solaris 2.3
1470 rewrote logging to remove solaris errors, introduced checking to see if the
1471 same packet is logged successively.
1473 fix filter cache to work when there are no rules loaded.
1475 add "raw" option to ipresend to send entire ethernet frames.
1477 nat list corruption bug - NetBSD - Klaus Klein
1479 3.2beta1 5/7/97 - Released
1481 patches from Jason Thorpe fixing: UNSIGNED_CHAR lossage, off_t being 64bits
1482 lossage, and other NetBSD bits.
1486 fixup fwtk patches and add protocol field for SIOCGNATL.
1488 rdr bugs reported by Alexander Romanyu (alexr@aix.krid.crimea.ua), with
1490 * rdr matched all packets of a given protocol (ignored ports).
1491 * severe bug in nat_delete which caused system crash/freeze.
1493 change Makefile so that CC isn't passed on for FreeBSD/NetBSD (will use
1494 the default CC - cc, not gcc)
1496 3.2alpha9 16/6/97 - Released
1498 added "skip" keyword.
1500 implement preauthentication of packets, as outlined by Guido.
1502 Make it compile as cleanly as possible with -Wall & general code cleanup
1504 getopt returns int, not char. Bernd Ernesti
1506 3.2alpha8 13/6/97 - Released
1508 code added to support "auth" rules which require a user program to allow them
1509 through. First revision and much of the code came from Guido.
1511 hex output from ipmon doesn't goto syslog when recovering from out of sync
1512 error. Luke Mewburn (lukem@connect.com.au)
1514 fix solaris2.6 lookup of destination ire's.
1516 ipnat doesn't throw away unused bits (after masking), causing it to
1517 behave incorrectly. Carson Gaspar
1519 NAT code doesn't include interface name when matching - Alexey Mavrin
1522 replace old SunOS tcpip.h with new tcpip.h (from 4.4BSD) - Jason Thorpe.
1524 update install procedures to include ip_proxy.c
1526 mask out unused bits in NAT/RDR rules.
1528 use a generic type (u_32_t) for 32bit variables, rather than rely on
1529 u_long being such - Jason Thorpe.
1531 create a local "netinet" directory and include from ~netinet/*" rather than
1532 just "*" to make keeping the code working on ports easier.
1534 add an m_copydata and m_copyback for SunOS4 (based on 4.4BSD-Lite versions)
1536 documentation updates.
1538 NetBSD update from Jason Thorpe <thorpej@netbsd.org>
1540 allow RST's through with a matching SEQ # and 0 ACK. Guido Van Rooij
1542 ipmon uses excessive amounts of CPU on Solaris2 - Reinhard Bertram
1543 <Reinhard.Bertram@KOM.th-darmstadt.de>
1545 3.2alpha7 25/5/97 - Released
1547 add strlen for pre-2.2 kernels - Doug Kite <dkite@websgi.icomnet.com>
1549 setup bits and pieces for compiling into a FreeBSD-2.2 kernel.
1551 split up "bsd" targets. Now a separate netbsd/freebsd/bsd target.
1552 mln_ipl.c has been split up into itself and mlf_ipl.c (for freebsd).
1554 fix (negative) host matching in filtering.
1556 add sysctl interface for some variables when compiled into FreeBSD-2.2 kernels
1559 make all the candidates for kernel compiling include "netinet/..." and build
1560 a subdirectory "netinet" when compiling and symlink all .h files into this.
1562 add install make target to Makefile.ipsend
1564 3.2alpha6 8/5/97 - Released
1566 Add "!" (not) to hostname/ip matching.
1568 Automatically add packet info to the fragment cache if it is a fragment
1569 and we're translating addresses for.
1571 Automatically add packet info to the fragment cache if it is a fragment
1572 and we're "keeping state" for the packet.
1574 Solaris2 patches - Anthony Baxter (arb@connect.com.au)
1576 change install procedure for FreeBSD 2.2 to allow building to a kernel
1577 which is different to the running kernel.
1579 add FIONREAD for Solaris2!
1581 when expiring NAT table entries, if we would set a time to fr_tcpclosed
1582 (which is 1), make it fr_tcplastack(20) so that the state tables have a
1587 add proxying skeleton support and sample ftp transparent proxy code.
1589 add printfs at startup to tell user what is happening.
1591 add packets & bytes for EXPIRE NAT log records.
1593 fix the "install-bsd" target in the root Makefile. Chris Williams
1596 Fixes for FreeBSD 2.2 (and later revs) to prevent panics. Julian Assange.
1598 3.2alpha4 2/4/97 - Released
1600 Some compiler warnings cleaned up.
1602 FreeBSD-2.2 patches for LKM completed.
1604 3.2alpha3 31/3/97 - Released
1606 ipmon changes: -N for reading NAT logfile, -S for reading state logfile.
1607 -a for reading all. -n now toggles hostname resolution.
1609 Add logging of new state entries and expiration of old state entries.
1610 count log successes and failures.
1612 Add logging of new NAT entries and expiration of old NAT entries.
1613 count log successes and failures.
1615 Use u_quad_t for records of bytes & packets where kept
1616 (IP Accounting: fr_hits, fr_bytes; IP state: is_pkts, is_bytes).
1618 Fixup use of CPU and DCPU in Makefiles.
1620 Fix broken 0/32 NAT mapping. Carl Makin <cmakin@nla.gov.au>
1624 Implement mapping to 0/32 as being an alias for automatically using the
1625 interface's first IP address.
1627 Implement separate minor devices for both NAT and IP state code.
1629 Fully prototype all functions.
1631 Fix Makefile problem due to attempt to fix Sun compiling problems.
1633 3.1.10 23/3/97 - Released
1635 ipfstat -a requires a -i or -o command line option too. Print an error
1636 when not present rather than attempt to do something.
1638 patch updates for SunOS4 for kernel compiling.
1639 patch for ipmon -s (flush's syslog file which isn't good). Andrew J. Schorr
1640 <schorr@ead.dsa.com>
1642 too many people hit their heads hard when compiling code into the kernel
1643 that doesn't let any packets through. (fil.c - IPF_NOMATCH)
1645 icmp-type parsing doesn't return any errors when it isn't constructed
1646 correctly. Neil Readwin
1648 Using "-conf" with modload on SunOS4 doesn't work.
1649 Timothy Demarest <demarest@arraycomm.com>
1651 Need to define ARCH in makefile for SunOS4 building. "make sunos4"
1652 in INSTALL.SunOS is incorrect. James R Grinter <jrg@blodwen.demon.co.uk>
1653 [all SunOS targets now run buildsunos]
1655 NAT lookups are still incorrect, matching non-TCP/UDP with TCP/UDP
1656 information. ArkanoiD <ark@paranoid.convey.ru>
1658 Need to check for __FreeBSD_version being 199511 rather than 199607
1659 in mln_ipl.c. Eric Feillant <Eric.Feillant@EUnet.fr>
1661 3.1.9 8/3/97 - Released
1663 fixed incorrect lookup of active NAT entries.
1665 patch for ip_deq() wrong for pre 2.1.6 FreeBSD.
1666 fyeung@fyeung8.netific.com (Francis Yeung)
1668 check for out with return-rst/return-icmp at wrong place - Erkki Ritoniemi
1671 text_readip returns the interface pointer pointing to text on stack -
1674 fix from Pradeep Krishnan for printout rules "with not opt sec".
1676 3.1.8 18/2/97 - Released
1678 Diffs for ip_output.c and ip_input.c updated to fix bug with fastroute and
1679 compiling warnings about reuse of m0.
1681 prevent use of return-rst and return-icmp with rules blocking packets going
1682 out, preventing panics in certain situations.
1684 loop forms in frag cache table - Yury Pshenychny <yura@rd.zgik.zaporizhzhe.ua>
1686 should use SPLNET/SPLX around expire routines in NAT/frag/state code.
1688 redeclared malloc in 44arp.c -
1690 3.1.7 8/2/97 - Released
1692 Macros used for ntohs/htons supplied with gcc don't always work very well
1693 when the assignment is the same variable being converted.
1695 Filter matching doesn't match rule which checks tcp flags on packets
1696 which are fragments - David Wilson
1698 3.1.7beta 30/1/97 - Released
1700 Fix up NAT bugs introduced in last major change (now tested), including
1701 nat_delete(), nat_lookupredir(), checksum changes, etc.
1703 3.1.7alpha 30/1/97 - Released
1705 Many changes to NAT code, including contributions from Laurent Joncheray
1708 Use "NO_SLEEP" when allocating memory under SunOS.
1710 Make kernel printf's nicer for BSD/SunOS4
1712 Always do a checksum for packets being filtered going out and being
1713 processed by fastroute.
1715 Leave kernel to play with cdevsw on *BSD systems with LKM's.
1717 ipnat.1 man page fixes.
1719 3.1.6 21/1/97 - Released
1721 Allow NAT to work on BSD systems in conjunction with "pass .. to ifname"
1723 Memory leak introduced in 3.1.3 in NAT lists, clearing of NAT table tried
1724 to free memory twice.
1726 NAT recalculates IP header checksum based on difference between IP#'s and
1727 port numbers - should be just IP#'s (Solaris2 only)
1729 3.1.5 13/1/97 - Released
1731 fixed setting of NAT timeouts and use different timeouts for concurrent
1732 TCP sessions using the same IP# mapping (when port mapping isn't used)
1734 multiple loading/unloading of LKM's doesn't clean up cdevsw properly for
1737 3.1.4 10/1/97 - Released
1739 add command line options -C and -F to ipnat to flush NAT list and table
1741 ipnat -l loops on output - Neil Readwin (nreadwin@nysales.micrognosis.com)
1743 NetBSD/FreeBSD kernel malloc changes - Daniel Carosone
1745 3.1.3 10/1/97 - Released
1747 NAT chains not constructed correctly in hash tables - Antony Y.R Lu
1748 (antony@hawk.ee.ncku.edu.tw)
1750 Updated INSTALL.NetBSD, INSTALL.FreeBSD and INSTALL.Sol2
1752 man page update (ipf.5) from Daniel Carosone (dan@geek.com.au)
1754 ICMP header checksum update now included in NAT.
1756 Solaris2 needs to modify IP header checksums in ip_natin and ip_natout.
1758 3.1.2 4/12/96 - Released
1760 ipmon doesn't use syslog all the time when given -s option
1762 fixed mclput panic in ip_input.c and replace ntohs() with NTOHS() macro
1764 check the results of hostname resolution in ipnat
1766 "make *install" fixed for subdirectories.
1768 problems with "ARCH:=" and gnu make resolved
1770 parser reports an error for lines with whitespaces only rather than skipping
1771 them. D.Carosone@abm.com.au (Daniel Carosone)
1773 patches for integration into NetBSD-current (post 1.2).
1775 add an option to allow non-IP packets going up/down the stream on Solaris2
1776 to be dropped. John Bass.
1778 3.1.2beta 21/11/96 - Released
1780 make ipsend compile on Linux 2.0.24
1782 changes to TCP kept state algorithm, making it watch state on TCP
1783 connections in both directions. Also use the same algorithm for NAT TCP.
1785 -Wall cleanup - Bernd Ernesti
1787 added "or-block" for "pass .. log or-block" after a suggestion from
1788 David Oppenheim (davido@optimation.com.au)
1790 added subdirectories for building IP Filter in SunOS5/BSD for different
1793 Solaris2 fixes to logging and pre-filtering packet processing - 3.1.1p2
1795 mbuf logging not using mtod(), remove iplbusy - 3.1.1p1 1/11/96
1797 3.1.1 28/10/96 - Released
1799 Installation script fixes and deinstall scripts for IP Filter on:
1800 SunOS4/FreeBSD/NetBSD
1802 Man page fixes - Paul Dubois (dubois@primate.wisc.edu)
1804 Fix use of SOLARIS macro in ipmon, rewrote ipllog() (again!)
1806 parsing isn't completely case insensitive - David Wilson
1807 (davidw@optimation.com.au)
1809 Release ipl_mutex across uiomove() calls
1811 print entire rule entries out for "ipf -z" when zero'ing per-rule stats.
1813 ipfstat returns same output for "hits" in "ipfstat -aio" - Terletsky Slavik
1814 (ts@polynet.lviv.ua)
1816 New algorithm for setting timeouts for TCP connection (more closely follow
1817 TCP FSM) - Pradeep Krishnan (pkrishna@netcom.com)
1819 Track both window sizes for TCP connections through "keep state".
1821 Solaris2 doesn't like _KERNEL defined in stdargs.h - Jos van Wezel
1824 3.1.1-beta2 6/10/96 - Released
1826 Solaris2 fastroute/dup-to/to now works
1828 ipmon `record' reading rewritten
1830 Added post-NetBSD1.2 packet filter patches - Mathew Green (mrg@eterna.com.au)
1832 Attempt to use in_proto.c.diff, not "..diffs" for SunOS4 - David Wilson
1833 (davidw@optimation.com.au)
1835 Michael Ryan (mike@NetworX.ie) reports the following:
1836 * The Trumpet WinSock under Windows always sends its SYN packet with an ACK
1837 value of 1, unlike any other implementation I've seen, which would set it
1838 to zero. The "keep state" feature of IP Filter doesn't work when receiving
1839 non-zero ACK values on new connection requests.
1840 * */Makefile install rule doesn't install all the binaries/man pages
1841 * Make ipnat use "tcp/udp" instead of "tcpudp"
1842 * Print out "tcp/udp" properly
1843 * ipnat "portmap tcp" matches "portmap udp" when adding/removing
1844 * NAT dest. ip# increased by one on mask of 0xffffffff when it shouldn't
1846 3.1.1-beta 1/9/96 - Released
1848 add better detection of TCP connections closing to TCP state monitoring.
1850 fr_addstate() not called correctly for fragments. "keep state" and
1851 "keep frag" code don't work together 100% - Songqing Cai
1852 (songqing_cai@sterling.com)
1854 call to fr_addstate() incorrect for adding state in combination with keeping
1855 fragment information - Songqing Cai (songqing_cai@sterling.com)
1857 KFREE() passed fp (incorrect) and not fr (correct) in ip_frag.c - John Hood
1858 (cgull@smoke.marlboro.vt.us)
1860 make ipf parser recognise '\\' as a `continued line' marker - Dima Ruban
1863 3.1.1-alpha 23/8/96 - Released
1865 kernel panic's when ICMP packets go through NAT code
1867 stats aren't zero'd properly with ipf -Z
1869 ipnat doesn't show port numbers correctly all the time and also add the
1870 protocol (tcp/udp/tcpudp) to rdr output - Carson Gaspar (carson@lehman.com)
1872 fast checksum fixing not 100% - backout patch - Bill Dorsey (dorsey@lila.com)
1874 NetBSD-1.2 patches from - VaX#n8 <vax@linkdead.paranoia.com>
1876 Usage() call error in fils.c - Ajay Shekhawat (ajay@cedar.buffalo.edu)
1878 ip_optcopy() staticly defined in ip_output.c in SunOS4 - Nick Hall
1879 (nrh@tardis.ed.ac.uk)
1881 3.1.0 7/7/96 - Released
1883 Reformatted ipnat output to be compatible with its input, so that
1884 "ipnat -l | ipnat -rf -" is possible.
1886 3.1.0beta 30/6/96 - Released
1888 NetBSD-1.2 patches from Greg Woods (woods@most.weird.com)
1890 kernel module must not be installed stripped (Solaris2), as created by
1891 "make package" for Solaris2 - Peter Heimann
1892 (peter@i3.informatik.rwth-aachen.de)
1894 3.1.0alpha 5/6/96 - Released
1896 include examples in package for solaris2
1898 patches for removing an extra ip header checksum (FreeBSD/NetBSD/SunOS)
1900 removed trailing space from printouts of rules in ipf.
1902 ipresend supports the same range of inputs that ipftest does.
1904 sending a duplicate copy of a packet to another network devices is now
1905 supported. ("dup-to")
1907 sending a packet to an arbitrary interface is now supported, irrespective
1908 of its actual route, with no ttl decrement. Can also be routed without
1909 the ttl being decremented. ("to" and "fastroute").
1911 "call" option added to support calling a generic function if a packet is
1914 show all (up to 4) recorded bytes from the interface name in logging from
1917 support for using unix file permissions for read/write access on the device
1920 recursive mutex in nat_new() for Solaris 2.x - Per L. Hagen <per@stibo.dk>
1922 ipftest doesn't call initparse() for THISHOST - Catherine Allen
1923 (cla@connect.com.au)
1925 Man page corrections from Rex Bona (rex@pengo.comsmiths.com.au)
1927 3.0.4 10/4/96 - Released
1929 loop in `parsing' IP packets with optlen 0 for ip options.
1931 rule number not initialized and resulted in unexpected results for state
1934 option parsing and printing bugs - Pradeep Krishnan
1936 3.0.4beta 25/3/96 - Released
1938 wouldn't parse "keep flags keep state" correctly.
1940 SunOS4.1.x ip_input.c doesn't recognise all 1s broadcast address - Nigel Verdon
1942 patches for BSDI's BSD/OS 2.1 and libpcap reader on little endian systems
1943 from Thorsten Lockert <tholo@tetherless.com>
1945 b* functions in fil.c on Solaris 2.4
1947 3.0.3 17/3/96 - Released
1949 added patches to support IP Filter initialisation when compiled into the
1952 added -x option to ipmon to display hex dumps of logged packets.
1954 added -H option to ipftest to allow ascii-hex formatted input to specify
1955 arbitrary IP packets.
1957 Sending TCP RSTs as a response now works for Solaris2 x86
1959 add patches to make IP Filter compile into NetBSD kernels properly.
1961 patch to stop SunOS 4.1.x kernels panicking with "data traps".
1963 ipfboot script unloads and reloads ipf module on Solaris2 if it is already
1964 loaded into the kernel.
1966 Installation of IP Filter as a Solaris2 package is now supported.
1968 Man pages for ipnat.4, ipnat.5 added.
1970 added some more regression tests and fixed up IP Filter to pass the new tests
1971 (previous versions failed some of the tests in set 12).
1973 IP option filter processing has changed so that saying "with opt lsrr" will
1974 check only for that one, but not mask out other options, so a packet with
1975 strict source routing, along with loose source routing will match all of
1976 "with opt lsrr", "with opt ssrr" and "with opt lsrr,ssrr".
1978 IPL_NAME needed in ipnat.c - Kelly (kelly@count04.mry.scruznet.com)
1980 patches for clean NetBSD compilation from Bernd Ernesti (bernd@arresum.inka.de)
1982 make install is incorrect - Julian Briggs (julian@lightwork.co.uk)
1984 strtol() returns 0x7fffffff for all negative numbers,
1985 printfr() generates incorrect output for "opt sec-class *",
1986 handling of "not opt xxx opt yyy" incorrect.
1987 - Minh Tonthat (minht@sbei.com)/Pradeep Krishnan (pradeepk@sbei.com)
1989 m_pullup() called only for input and not output; caused problems
1990 with filtering icmp - Nigel Verdon (verdenn@gb.swissbank.com)
1992 parsing problem for "port 1" and NetBSD patches incorrect -
1993 Andreas Gustafsson (gson@guava.araneus.fi)
1995 3.0.2 4/2/96 - Released
1997 Corrected bug where NAT recalculates checksums for fragments.
1999 make NAT recalculate UDP checksums (rather than setting them to 0),
2000 if they're non-zero.
2002 DNS patches - Real Page (Real.Page@Matrox.com)
2004 alteration of checksum recalculations in NAT code and addition of
2005 redirection with NAT - Mike Neuman
2007 core dump, if tcp/udp is used with a port number and not service name,
2008 in ipf - Mike Neuman (mcn@engarde.com)
2010 initparse() call, missing to prime "<thishost>" hook - Craig Bishop
2012 3.0.1 14/1/96 - Released
2014 miscellaneous patches for Solaris2
2016 3.0 14/1/96 - Released
2018 Patch included for FDDI, from Richard Ohnemus
2019 (Richard_Ohnemus@dallas.csd.sterling.com)
2021 Code cleanup for release.
2025 recursive mutex in ipfr_slowtimer fixed, reported by Craig Bishop
2027 recursive mutex in sending TCP RSTs fixed, reported by Tony Becker
2031 Fixup for Solaris2.5 install and interface name bug in ipftest from
2032 Julian Briggs (julian@lightwork.co.uk)
2034 Byte order patches for ipmon from Tony Becker (tony@mcrsys.com)
2038 Added the (somewhat warped) IP accounting as it exists in ipfw on FreeBSD.
2039 Note, this isn't really what one would call IP accounting, when compared to
2040 process accounting, sigh.
2042 Split up ipresend into iptest/ipresend/ipsend
2044 Added another m_pullup() inside fr_check() for BSD style kernels and
2045 added some checks to ipllog() to not log more than is present (for short
2048 Fixed bug where failed hostname/netname resolution goes undetected and
2049 becomes 0.0.0.0 (any) (reported Guido van Rooij)
2051 3.0beta 11/11/95 - Released
2053 Rewrote the way rule testing is done, reducing the number of files needed and
2056 SIOCIPFFL was incorrectly affected by IPFILTER_LOG (Mathew Green)
2058 Patches from Guido van Rooij to fix sending back TCP RSTs on Net-2/Net-3
2059 BSD based Unixes (panic'd)
2061 Patches for FreeBSD/i86 ipmon from Riku Kalinen <riku@tequila.nixu.fi>
2062 (I think someone else already told me about these but they got lost :-/)
2064 Changed Makefile structure to build object files for different operating
2065 systems in separate directories by default.
2067 BSDI has ef0 for first ethernet interface
2069 Allow for a "not" operator before optional keywords.
2071 The "rule number" was being incorrectly incremented every time it went through
2072 the loop rather than when it matched a rule.
2074 2.8.2 24/10/95 - Released
2076 Fixed up problems with "textip" for doing lots of testing.
2078 Fixed bug in detection of "short" tcp/ip packets (all reported as being short).
2080 Solaris 2.4 port now works 100%.
2082 Man page errors reported and fixed.
2084 Removed duplicate entry in etc/services for login on port 49 (Craig Bishop).
2086 Fixed ipmon output to put a space after the log-letter.
2088 Patch from Guido van Rooij to fix parsing problem.
2090 2.8.1 15/10/95 - Released
2092 Added ttl and tos filtering.
2094 Patches for fixing up compilation and port problems (little endian)
2095 from Guido van Rooij <guido@IAEhv.nl>.
2097 Man page problems reported and fixed by Carson Gaspar <carson@lehman.com>.
2099 ipsend doesn't compile properly on Solaris2.4
2101 Lots of work done for Solaris2.4 to make it MT/MP safe and work.
2103 2.8 15/9/95 - Released
2105 ipmon can now send messages to syslogd (-s) and use names instead of
2108 IP packets are now "compiled" into a structure only containing filterable
2111 Added regression testing in the test/ subdirectory, using a new option
2112 (-b) with the ipftest program.
2114 Added "nomatch" return to filter results. These are counted and show
2115 up in reports from ipfstat.
2117 Moved filter code out of ip_fil.c and into fil.c - there is now only one
2118 instance of it in the package.
2120 Added Solaris 2.4 support.
2122 Added IPSO basic security option filtering.
2124 Added name support for filtering on all 19 named IP options.
2126 Patches from Ivan Brawley to log packet contents as well as packet headers.
2128 Update for sun/conf.c.diff from Ivan Brawley <ibrawley@awadi.com.AU>
2130 Added patches for FreeBSD 1, and added two new switches (-E, -D) to ipf,
2131 along with a new ioctl, SIOCFRENB.
2132 From: Dieter Dworkin Muller <dworkin@village.org>
2134 2.7.3 31/7/95 - Released
2136 Didn't compile cleanly without IPFILTER_LOG defined (Mathew Green).
2138 ipftest now deals with tcpdump3 binary output files (from libpcap) with -P.
2140 Brought ipftest program up to date with actual filter code.
2142 Filter would cause a match to occur when it wasn't meant to if the packet
2143 had short headers and was missing portions that should have been there.
2144 Err, it would rightly not match on them, but their absence caused a match
2145 when it shouldn't have been.
2.7.2 26/7/95 - Released

Problem with filtering just SYN flagged packets reported by
Dieter Dworkin Muller <dworkin@village.org>. To solve this
problem, added support for masking TCP flags for comparison "flags X/Y".
2.7.1 9/7/95 - Released

Added ip_dirbroadcast support for Sun ip_input.c

Fixed up the install scripts for FreeBSD/NetBSD to recognise where they are
2.7 7/7/95 - Released

Added "return-rst" to return TCP RST's to TCP packets.

Actually ported it to FreeBSD-i386 2.0.0, so it works there properly now.

Added insertion of filter rules. Use "@<#>" at the beginning of a filter
to insert a rule at row #.

Filter keeps track of how many times each rule is matched.

Changed compile time things to match kernel option (IPFILTER_LKM &

Updated ip_input.c and ip_output.c with patches for 3.5 Multicast IP.
(No change required for 3.6)

Now includes TCP fragments which start inside the TCP header as being short.
Added counting the number of times each rule is matched.
2.6 11/5/95 - Released

Added -n option to ipf: when supplied, no changes are made to the kernel.

Added installation scripts for SunOS 4.1.x and NetBSD/FreeBSD/BSDI.

Rewrote filtering to use a more generic mask & match procedure for
checking if a packet matches a rule.
2.5.2 27/4/95 - Released

"tcp/udp" and a non-initialised pointer caused the "proto" to become
a `random' value; added "ip#/dotted.mask" notation to the BNF.
From Adam W. Feigin <feigin@iis.ee.ethz.ch>
2.5.1 22/3/95 - Released

"tcp/udp" had a strange effect (undesired) on getserv*() functions,
causing protocol/service lookups to fail. Reported by Matthew Green.
2.5 17/3/95 - Released

Added a new keyword "all" to BNF and parsing of tcpdump/etherfind/snoop
output through the ipftest program. Suggestions from:
Michael Ciavarella (mikec@phyto.apana.org.au)

Conflicts occur when "general" filter rules are used for ports and the
lack of a "proto" when used with "port" matches other packets when only
TCP/UDP are implied.
Reported by Matthew Green (mrg@fulcom.com.au);
reported & fixed 6-8/3/95

Added filtering of short TCP packets using "with short" 28/2/95
(These can possibly slip by checks for the various flags). Short UDP
or ICMP are dropped to the floor and logged.
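Added example, not IP Filter's own code: the two TCP checks described in these entries, the "flags X/Y" mask comparison introduced in 2.7.2 above and the "with short" classification added here, worked through in Python on packet bytes constructed inline. A rule "flags X/Y" matches when (tcp_flags & Y) == X, so "flags S/SA" matches a bare SYN but not the SYN+ACK reply, whereas "flags S/S" matches both. A packet whose IP payload is too short to carry the 20-byte TCP header cannot have its flags inspected reliably, so it is classified short instead of being compared against flag rules at all. The function names, the sample packets, and the treatment of a bare flag list such as "S" as a comparison against all six flags are this example's assumptions.

```python
"""Added example (not IP Filter code): "flags X/Y" masking and "with short"
classification for TCP, run over constructed IPv4/TCP packet bytes."""
import struct

# Flag letters as used in ipf rules, mapped to bits of the TCP flags byte.
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
ALL_FLAGS = "FSRPAU"


def flag_bits(letters):
    """Convert a string of flag letters (e.g. "SA") to a bit mask."""
    bits = 0
    for ch in letters:
        bits |= TCP_FLAG_BITS[ch]
    return bits


def parse_flags(spec):
    """Parse "X/Y" into (wanted_bits, mask_bits).  A bare "X" is treated here
    (assumption of this example) as compared against all six flags."""
    if "/" in spec:
        want, mask = spec.split("/", 1)
    else:
        want, mask = spec, ALL_FLAGS
    return flag_bits(want), flag_bits(mask)


def flags_match(tcp_flags, spec):
    """The "flags X/Y" test: only the bits in Y are compared, and they must equal X."""
    want, mask = parse_flags(spec)
    return (tcp_flags & mask) == want


def classify_tcp(ip_packet):
    """Return ("short", None) if the IP payload cannot hold a full 20-byte TCP
    header, otherwise ("ok", flags).  Raises if the packet is not TCP."""
    if len(ip_packet) < 20:
        return ("short", None)
    ihl = (ip_packet[0] & 0x0F) * 4      # IP header length in bytes
    if ip_packet[9] != 6:                # protocol field: 6 = TCP
        raise ValueError("not a TCP packet")
    payload = ip_packet[ihl:]
    if len(payload) < 20:                # flags byte (offset 13) may be absent
        return ("short", None)
    return ("ok", payload[13] & 0x3F)


def evaluate(ip_packet, rule_flags):
    """Apply a rule of the form 'proto tcp flags <rule_flags>' together with the
    "with short" policy.  Returns 'short', 'match' or 'nomatch'."""
    kind, flags = classify_tcp(ip_packet)
    if kind == "short":
        return "short"
    return "match" if flags_match(flags, rule_flags) else "nomatch"


def build_ipv4_tcp(tcp_flags, truncate_to=None):
    """Constructed sample packet: minimal IPv4 header plus a TCP header carrying
    tcp_flags; truncate_to cuts the TCP header to simulate a short packet."""
    tcp = struct.pack("!HHIIBBHHH", 12345, 80, 0, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    if truncate_to is not None:
        tcp = tcp[:truncate_to]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp


if __name__ == "__main__":
    samples = [
        ("SYN", build_ipv4_tcp(0x02)),
        ("SYN+ACK", build_ipv4_tcp(0x12)),
        ("SYN+PSH", build_ipv4_tcp(0x0A)),
        ("short SYN", build_ipv4_tcp(0x02, truncate_to=12)),
    ]
    for rule in ("S", "S/SA", "S/S"):
        for name, pkt in samples:
            print(f"flags {rule:5} {name:10} -> {evaluate(pkt, rule)}")
```

Running the block prints one line per rule and sample. The instructive rows are SYN+ACK, which "flags S/S" matches (blocking the replies to your own connections) while "flags S/SA" does not, and the truncated SYN, which every flag rule reports as short rather than as a match or a non-match.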
Added filtering of fragmented packets using "with frag" 24/2/95

Port to NetBSD-current completed 20/2/95, using LKM.

Added logging of the rule # which caused the logging to happen and the
interface on which the packet is currently as suggested by
Andreas Greulich (greulich@math-stat.unibe.ch) 10/2/95
2.4 9/2/95 - Released
Fixed saving of IP headers in ICMP packets.

Added ipf -F [in|out|all] to flush filter rule sets (SIOCIPFFL).
Fixed iplread() and iplsave() with help from Marc Huber.
2.2 7/1/95 - Released
Added code from Marc Huber <huber@fzi.de> to allow it to allocate
its own major char number dynamically when modload'ing. Fixed up
use of <, >, <=, >= and >< for ports.
2.1 21/12/94 - Released
repackaged to include the correct ip_output.c and ip_input.c *goof*
2.0 18/12/94 - Released
added code to check for port ranges - complete.
rewrote to work as a loadable kernel module - complete.

added code for output filtering as well as input filtering and added
support for logging of packet headers to a simple character device.
1.0 22/04/93 - Released