-rw-r--r-- | sbin/ipf/HISTORY | 1324 |
1 files changed, 1324 insertions, 0 deletions
diff --git a/sbin/ipf/HISTORY b/sbin/ipf/HISTORY new file mode 100644 index 00000000000..ff068aa3779 --- /dev/null +++ b/sbin/ipf/HISTORY 
@@ -0,0 +1,1324 @@ +# $OpenBSD: HISTORY,v 1.1 1999/12/28 07:46:01 kjell Exp $ +# +# NOTE: Quite a few patches and suggestions come from other sources, to whom +# I'm greatly indebted, even if no names are mentioned. +# +# Thanks to the Coombs Computing Unit at the ANU for their continued support +# in providing a very available location for the IP Filter home page and +# distribution center. +# +# Thanks to Tel.Net Media for allowing me to maintain and further develop +# IP Filter as part of my job and supplying Sun equipment for testing the +# move to 64bits. +# +# Thanks to BSDI for providing object files for BSD/OS 3.1 and the means +# to further support development of IP Filter under BSDI. +# +# Thanks to Craig Bishop of connect.com.au and Sun Microsystems for the +# loan of a machine to work on a Solaris 2.x port of this software. +# +# Thanks also to all those who have contributed patches and other code, +# and especially those who have found the time to port IP Filter to new +# platforms. +# +3.3.5 11/12/1999 - Released + +fix parsing of "log level" and printing it back out too + +<net/if_types.h> is only present on Solaris2.6/7/8 + +use send_icmp_err rather than icmp_error to send back a frag-needed error +when doing PMTU + +do not use -b with add_drv on Solaris unless $BASEDIR is set. + +fix problem where source address in icmp replies is reversed + +fix yet another problem with real audio. + +3.3.4 4/12/1999 - Released + +patches from Guido: fix panic in ip_state:fr_checkicmpmatchingstate(), fix +byte order problem in ip_id (host order when called from ip_input(), vs +network byte order when called from ip_output()) and fix a problem where the +fragment cache was never timedout early. + +fix up the real audio proxy to properly setup state information and NAT +entries, thanks to Laine Stump for testing/advice/fixes. 
+ +fix ipfr_fastroute to set dst->sin_addr (Sean Farley - appears to prevent +FreeBSD 3.3 from panic'ing) as this had been removed in prior hacks to this +routine. + +fix kinstall for BSDI + +support ICMP errors being allowed through for ICMP packets going out with +keep state enabled + +support hardware checksumming (gigabit ethernet cards) on Solaris thanks to +Tel.Net Media for providing hardware for testing. + +patched from Frank Volf for ipmon (ICMP & fragmented packets) and allowing +ICMP responses to ICMP packets in the keep state table. + +add in patches for hardware checksumming under solaris + +Solaris install scripts now use $BASEDIR as appropriate. + +add Solaris8 support + +fix "ipf -y" on solaris so that it rescans rules also for changes in +interface pointers + +let ipmon become a daemon with -D if it is using syslog + +fix parsing of return-icmp-as-dest(foo) + +add reference to ipfstat -g to ipfstat.8 + +ipf_mutex needs to be declared for irix in ip_fil.c + +3.3.3 22/10/1999 - Released + +add -g command line option to ipfstat to show groups still define. + +fix problem with fragment table not recording rule pointer when called +from state functions (fin_fr not set). + +fixup fastroute problems with keep state rules. 
+ +load rules into inactive set first, so we don't disable things like NIS +lookups half way through processing - found by Kevin Littlejohn + +fix handling of unaligned ip pointer for solaris + +patch for fr_newauth from Rudi Sluijtman + +fixed htons() bug in fr_tcpsum() where ip_p wasn't cast to u_short + +3.3.2 23/09/1999 - Released + +patches from Scott Presnell to fix rcmd proxy + +patches from Greg to fix Solaris detachment of interfaces + +add openbsd compatibility fixes + +fix free'ing already freed memory in ipfr_slowtimer() + +fix for deferencing invalid memory in cleaning up after a device disappears + +3.3.1 14/8/1999 - Released + +remove include file sys/user.h for irix + +prevent people from running buildsunos directly + +fix up some problems with the saving of rule pointers so that NAT saves +that information in case it should need to call fr_addstate() from a proxy. + +fix up scanning for the end of FTP messages + +don't remove /etc/opt/ipf in postremove + +attempt to prevent people running buildsolaris script without doing a +"make solaris" + +fix timeout losing on freebsd3 + +3.3 7/8/1999 - Released + +NAT: information (rules, mappings) are stored in hash tables; setup some +basic NAT regression testing. + +display version name of installed kernel code when initializing. + +add -V command line option to ipf, showing version (program and kernel +module) as well as the run-status of the kernel code. + +fix problem with "log" rules actually affecting result of filtering. + +automatically use SUNWspro if available and on a 64bit Solaris system for +compiling. + +add kernel proxies for rcmd(3) and RealAudio (PNA) + +use timeout/untimeout on SunOS4/BSD platforms too rather than hijacking +ip_slowtimo + +fix IP headers generated through parsing of text information + +fix NAT rules to be in the correct order again. + +make keep-state work with to/fastroute keywords and enforce usage of those +interfaces. 
+ +update keep-state code with new algorithm from Guido + +add FreeBSD-3 support + +add return-icmp-as-dest option to retrun an ICMP packet using the original +destination as the source rather than a local IP address + +add "level [facility.]<priority>" option to filter language + +add changes from Guido to state code. + +add code to return EPERM if the device is opened for writing and we're +in securelevel 2 or greater. + +authentication code patches from Guido + +fix real audio proxy + +fix ipmon rule printing of interfaces and add IN/OUT to the end of ipmon +log output. + +fix bimap rules with hash tables + +update addresses used in NAT mappings for 0/32 rules for any protocol but TCP +if it changes on the interface - check every ip_natexpire() + +add redirect regression test + +count buckets used in the state hash table. + +fix sending of RST's with return-rst to use the ack number provided in +the packet being replied to in addition to the sequence number. + +fix to compile as a 64bit application on solaris7-64bit + +add NAT IP mapping to ranges of IP addresses that aren't CIDR specified + +fix calculation of in_space parameter for NAT + +fix `wrapping' when incrementing the next ip address for use in NAT + +fix free'ing of kernel memory in ip_natunload on solaris + +fix -l/-U command line options from interfering with each other + +fix fastroute under solaris2 and cleanup compilation for solaris7 + +add install scripts and compile cleanly on BSD/OS 4.0 + +safely open files in /tmp for writing device output when testing. + +fix uninitialized pointer bug in NAT + +fix SIOCZRLST (zero list rule stats) bug with groups + +change some usage of u_short to u_int in function calling + +fix compilation for Solaris7 (SUNWspro) + +change solaris makefiles to build for either sparc or i386 rather than +per-cpu (sun4u, etc). 
+ +fixed bug in ipllog + +add patches from George Michaelson for FreeBSD 3.0 + +add patch from Guido to provide ICMP checking for known state in the same +manner as is done for NAT. + +enable FTP PASV proxying and enable wildcarding in NAT/state code for ports +for better PORT/PASV support with FTP. + +bring into main tree static nat features: map-block and "auto" portmapping. + +add in source host filtering for redirects (alan jones) + +3.2.10 22/11/98 - Released + +3.2.10beta9 17/11/98 - Released + +fix fr_tcpsum problems in handling mbufs with an odd number of bytes +and/or split across an mbuf boundary + +fix NAT list entry comparisons and allow multiple entries for the same +proxy (but on different ports). + +don't create duplicate NAT entries for repeated PORT commands. + +3.2.10beta8 14/11/98 - Released + +always exit an rwlock before expecting to enter it again on solaris + +fix loop in nat_new for pre-existing nat + +don't setup state for an ftp connection if creating nat fails. + +3.2.10beta7 05/11/98 - Released + +set fake window in ipft_tx.c to ensure code passes tests. + +cleaned up/enhanced ipnat -l/ipnat -lv output + +fixed NAT handling of non-TCP/UDP packets, esp. for ICMP errors returned. + +Solaris recusive mutex on icmp-error/tcp-reset - requires rwlock's rather +than mutexes. + +3.2.10beta6 03/11/98 - Released + +fix mixed use of krwlock_t and kmutex_t on Solaris2 + +fix FTP proxy back up, splitting pasv code out of port code. 
+ +3.2.10beta5 02/11/98 - Released + +fixed port translation in ICMP reply handling + +3.2.10beta4 01/11/98 - Released + +increase useful statistic collection on solaris + +filter DL_UNITDATA_REQ as well as DL_UNITDATA_IND on solaris + +disable PASV reply translation for now + +fail with an error if we try to load a NAT rule with a non-existant + proxy name - Guido + +fix portmap usage with 0/0 and 0/32 map rules + +remove ap_unload/ap_expire - automatically done when NAT is cleaned up + +print "STATE:CLOSED" from ipmon if the connection progresses past established + rather than "STATE:EXPIRED" + +3.2.10beta3 26/10/98 - Released + +fixed traceroute/nat problem + +rewrote nat/proxy interface + +ipnat now lists associated proxy sessions for each NAT where applicable + +3.2.10beta2 13/10/98 - Released + +use KRWLOCK_T in place of krwlock_t for solaris as well as irix + +disable use of read-write lock acquisition by default + +add in mb_t for linux, non-kernel + +some changes to progress compilation on linux with glibc + +change PASV as well as PORT when passed through kernel ftp proxy. + +don't allow window to become 0 in tcp state code + +make ipmon compile cleaner + +irix patches + +3.2.10beta 11/09/98 - Released + +stop fr_tcpsum() thinking it has run out of data when it hasn't. + +stop solaris panics due to fin_dp being something wild. + +revisit usage of ATOMIC_*() + +log closing state of TCP connection in "keep state" + +fix fake-arp table code for ipsend. + +ipmon now writes pid to a file. + +fix "ipmon -a" to actually activate all logging devices. + +add patches for BSDOS4. + +perl scripts for log analysis donated. + +3.2.9 22/06/98 - Released + +fix byte order for ICMP packets generated on Solaris + +fix some locking problems. + +fix malloc bug in NAT (introduced in 3.2.8). + +patch from guido for state connections that get fragmented + +3.2.8 08/06/98 - Released + +use readers/writers locks in Solaris2 in place of some mutexes. 
+ +Solaris2 installation enhancements - Martin Forssen (maf@carlstedt.se) + +3.2.7 24/05/98 - Released + +u_long -> u_32_t conversions + +patches from Bernd Ernesti for NetBSD + +fixup ipmon to actually handle HUP's. + +Linux fixes from Michael H. Warfield (mhw@wittsend.com) + +update for keep state patch (not security related) - Guido + +dumphex() uses stdout rather than log + +3.2.6 18/05/98 - Released + +fix potential security loop hole in keep state code. + +update examples. + +3.2.5 09/05/98 - Released + +BSD/OS 3.1 .o files added for the kernel. + +fix sequence # skew vs window size check. + +fix minimum ICMP header size check. + +remove references to Cybersource. + +fix my email address. + +remove ntohl in ipnat - Thomas Tornblom + +3.2.4 09/04/98 - Released + +add script to make devices for /dev on BSD boxes + +fixup building into the kernel for FreeBSD 2.2.5 + +add -D command line option to ipmon to make it a daemon and SIGHUP causes +it to close and reopen the logfile + +fixup make clean and make package for SunOS5 - Marc Boucher + +postinstall keeps adding "minor=ipf ipl" - George Ross <gdmr@dcs.ed.ac.uk> + +protected by IP Filter gif - Sergey Solyanik <solik@atom.ru> + +3.2.3 10/11/97 - Released + +fix some iplang bugs + +fix tcp checksum data overrun, sgi #define changes, +avoid infinite loop when nat'ing to single IP# - Marc Boucher + +fixup DEVFS usage for FreeBSD + +fix sunos5 "make clean" cleaning up too much + +3.2.2 28/11/97 - Released + +change packet matching to return actual error, if bad packet, to facilitate +ECONNRESET for TCP. + +allow ip:netmask in grammar too now - Guido + +assume IRIX has u_int32_t in sys/types.h (needed for R10000) + +rewrite parts of command line options for ipmon + +fix TCP urgent packet & offset testing and add LAND attack test for iptest + +fix grammar error in yacc grammar for iplang + +redirect (rdr) destination port bytes-wapped when it shouldn't be. 
+ +general: fr_check now returns error code, such as EHOSTUNREACH or +ECONNRESET (attempt to make ECONNRESET work for locally outbound +packets). + +linux: enable return-rst, need to filter tcp retransmits which are sent + separately from normal packets + +memory leak plugged in ip_proxy.c + +BSDI compatibility patches from Guido + +tcp checksum fix - Marc Boucher + +recursive mutex and ioctl param fix - Marc Boucher + +3.2.1 12/11/97 - Released + +port to BSD/OS 3.0 + +port to Linux 2.0.31 + +patches to make "map a/m -> 0/0" work with ftp proxying properly - Marc Boucher + +add "ipf -F s" and "ipf -F S" to flush state table entries. + +announce if logging is on or off when ip filter initializes. + +"ipf -F a" doesn't flush groups properly for Solaris. + +3.2 30/10/97 - Released + +ipnat doesn't successfully remove proxy mappings with "-rf" - +Alexander Romanyu + +use K&R C function style for solaris kernel code + +use m_adj() to decrease packet size in ftp proxy + +use mbufchainlen rather than msgdsize, +IRIX update - Marc Boucher + +fix NetBSD modunload bug (pfil_add_hook done twice) + +patches for OpenBSD 2.1 - Craig Bevins <craigb@bitcom.net.au> + +3.2beta10 24/10/97 - Released + +fix fragment table entries allocated for NAT. + +fix tcp checksum calculations over mbuf/mblk boundaries + +fix panic for blen < 0 in ftp kernel proxy - marc boucher + +fix flushing of rules which have been grouped. + +3.2beta9 20/10/97 - Released + +some nit picking on solaris2 with SUNWspro - Michael Lyle <mrl@rpnet.net> + +ftp kernel proxy patches from Marc Boucher + +3.2beta8 13/10/97 - Released + +add support for passing ICMP errors back through NAT. + +IRIX port update - Marc Boucher + +calculate correct MIN size of packet to log for UDP - Marc Boucher + +need htons(ETHERTYPE_x) on little endian BSD boxes - Dave Huang + +copyright header fixups + +3.2beta7 23/09/97 - Released + +fickup problems introduced by prior merges & changes. 
+ +3.2beta6 23/09/97 - Released + +patch for spin-reading race condition - Marc Boucher. + +IRIX port by Marc Boucher. + +compatibility updates for Linux to ipsend + +3.2beta5 13/09/97 - Released + +patches from Bernd Ernesti for NetBSD integration (mostly prototyping and +compiler warning things) + +ipf -y will resync IP#'s allocated with 0/32 in NAT to match interface if it +changes. + +update manual pages and other documentation updates. + +3.2beta4 27/8/97 - Released + +enable setting IP and TCP options for iplang/ + +Solaris2 patches from Marc Boucher. + +add groups for filter rules. + +3.2beta3 21/8/97 - Released + +patches for Solaris2 (interface panic solution ?): fix FIONREAD and +replacing q_qinfo points - Marc Boucher <marc@CAM.ORG> + +change ipsend/* and ipsd/* copyright notices to be the same as ip filter's + +patch for SYN-ACK skew testing fix from Eric V. Smith <EricSmith@windsor.com> + +3.2beta2 6/8/97 - Released + +make it load on Solaris 2.3 + +rewrote logging to remove solaris errors, introduced checking to see if the +same packet is logged successively. + +fix filter cache to work when there are no rules loaded. + +add "raw" option to ipresend to send entire ethernet frames. + +nat list corruption bug - NetBSD - Klaus Klein + +3.2beta1 5/7/97 - Released + +patches from Jason Thorpe fixing: UNSIGNED_CHAR lossage, off_t being 64bits +lossage, and other NetBSD bits. + +NetBSD 1.2G update. + +fixup fwtk patches and add protocol field for SIOCGNATL. + +rdr bugs reported by Alexander Romanyu (alexr@aix.krid.crimea.ua), with +fixes: +* rdr matched all packets of a given protocol (ignored ports). +* severe bug in nat_delete which caused system crash/freeze. + +change Makefile so that CC isn't passed on for FreeBSD/NetBSD (will use +the default CC - cc, not gcc) + +3.2alpha9 16/6/97 - Released + +added "skip" keyword. + +implement preauthentication of packets, as outlined by Guido. 
+ +Make it compile as cleanly as possible with -Wall & general code cleanup + +getopt returns int, not char. Bernd Ernesti + +3.2alpha8 13/6/97 - Released + +code added to support "auth" rules which require a user program to allow them +through. First revision and much of the code came from Guido. + +hex output from ipmon doesn't goto syslog when recovering from out of sync +error. Luke Mewburn (lukem@connect.com.au) + +fix solaris2.6 lookup of destination ire's. + +ipnat doesn't throw away unused bits (after masking), causing it to +behave incorrectly. Carson Gaspar + +NAT code doesn't include inteface name when matching - Alexey Mavrin +<lha@elco.spb.ru> + +replace old SunOS tcpip.h with new tcpip.h (from 4.4BSD) - Jason Thorpe. + +update install procedures to include ip_proxy.c + +mask out unused bits in NAT/RDR rules. + +use a generic type (u_32_t) for 32bit variables, rather than rely on +u_long being such - Jason Thorpe. + +create a local "netinet" directory and include from ~netinet/*" rather than +just "*" to make keeping the code working on ports easier. + +add an m_copydata and m_copyback for SunOS4 (based on 4.4BSD-Lite versions) + +documentation updates. + +NetBSD update from Jason Thorpe <thorpej@netbsd.org> + +allow RST's through with a matching SEQ # and 0 ACK. Guido Van Rooij + +ipmon uses excessive amounts of CPU on Solaris2 - Reinhard Bertram +<Reinhard.Bertram@KOM.th-darmstadt.de> + +3.2alpha7 25/5/97 - Released + +add strlen for pre-2.2 kernels - Doug Kite <dkite@websgi.icomnet.com> + +setup bits and pieces for compiling into a FreeBSD-2.2 kernel. + +split up "bsd" targets. Now a separate netbsd/freebsd/bsd target. +mln_ipl.c has been split up into itself and mlf_ipl.c (for freebsd). + +fix (negative) host matching in filtering. + +add sysctl interface for some variables when compiled into FreeBSD-2.2 kernels +or later. + +make all the candidates for kernel compiling include "netinet/..." 
and build +a subdirectory "netinet" when compiling and symlink all .h files into this. + +add install make target to Makefile.ipsend + +3.2alpha6 8/5/97 - Released + +Add "!" (not) to hostname/ip matching. + +Automatically add packet info to the fragment cache if it is a fragment +and we're translating addreses for. + +Automatically add packet info to the fragment cache if it is a fragment +and we're "keeping state" for the packet. + +Solaris2 patches - Anthony Baxter (arb@connect.com.au) + +change install procedure for FreeBSD 2.2 to allow building to a kernel +which is different to the running kernel. + +add FIONREAD for Solaris2! + +when expiring NAT table entries, if we would set a time to fr_tcpclosed +(which is 1), make it fr_tcplaskack(20) so that the state tables have a +chance to clear up. + +3.2alpha5 + +add proxying skeleton support and sample ftp transparent proxy code. + +add printfs at startup to tell user what is happening. + +add packets & bytes for EXPIRE NAT log records. + +fix the "install-bsd" target in the root Makefile. Chris Williams +<psion@mv.mv.com> + +Fixes for FreeBSD 2.2 (and later revs) to prevent panics. Julian Assange. + +3.2alpha4 2/4/97 - Released + +Some compiler warnings cleaned up. + +FreeBSD-2.2 patches for LKM completed. + +3.2alpha3 31/3/97 - Released + +ipmon changes: -N for reading NAT logfile, -S for reading state logfile. +-a for reading all. -n now toggles hostname resolution. + +Add logging of new state entries and expiration of old state entries. +count log successes and failures. + +Add logging of new NAT entries and expiration of old NAT entries. +count log successes and failures. + +Use u_quad_t for records of bytes & packets where kept +(IP Accounting: fr_hits, fr_bytes; IP state: is_pkts, is_bytes). + +Fixup use of CPU and DCPU in Makefiles. + +Fix broken 0/32 NAT mapping. 
Carl Makin <cmakin@nla.gov.au> + +3.2alpha2 + +Implement mapping to 0/32 as being an alias for automatically using the +interface's first IP address. + +Implement separate minor devices for both NAT and IP state code. + +Fully prototype all functions. + +Fix Makefile problem due to attempt to fix Sun compiling problems. + +3.1.10 23/3/97 - Released + +ipfstat -a requires a -i or -o command line option too. Print an error +when not present rather than attempt to do something. + +patch updates for SunOS4 for kernel compiling. +patch for ipmon -s (flush's syslog file which isn't good). Andrew J. Schorr +<schorr@ead.dsa.com> + +too many people hit their heads hard when compiling code into the kernel +that doesn't let any packets through. (fil.c - IPF_NOMATCH) + +icmp-type parsing doesn't return any errors when it isn't constructed +correctly. Neil Readwin + +Using "-conf" with modload on SunOS4 doesn't work. +Timothy Demarest <demarest@arraycomm.com> + +Need to define ARCH in makefile for SunOS4 building. "make sunos4" +in INSTALL.SunOS is incorrect. James R Grinter <jrg@blodwen.demon.co.uk> +[all SunOS targets now run buildsunos] + +NAT lookups are still incorrect, matching non-TCP/UDP with TCP/UDP +information. ArkanoiD <ark@paranoid.convey.ru> + +Need to check for __FreeBSD_version being 199511 rather than 199607 +in mln_ipl.c. Eric Feillant <Eric.Feillant@EUnet.fr> + +3.1.9 8/3/97 - Released + +fixed incorrect lookup of active NAT entries. + +patch for ip_deq() wrong for pre 2.1.6 FreeBSD. +fyeung@fyeung8.netific.com (Francis Yeung) + +check for out with return-rst/return-icmp at wrong place - Erkki Ritoniemi +(erkki@vlsi.fi) + +text_readip returns the interface pointer pointing to text on stack - +Neil Readwin + +fix from Pradeep Krishnan for printout rules "with not opt sec". + +3.1.8 18/2/97 - Released + +Diffs for ip_output.c and ip_input.c updated to fix bug with fastroute and +compiling warnings about reuse of m0. 
+ +prevent use of return-rst and return-icmp with rules blocking packets going +out, preventing panics in certain situations. + +loop forms in frag cache table - Yury Pshenychny <yura@rd.zgik.zaporizhzhe.ua> + +should use SPLNET/SPLX around expire routines in NAT/frag/state code. + +redeclared malloc in 44arp.c - + +3.1.7 8/2/97 - Released + +Macros used for ntohs/htons supplied with gcc don't always work very well +when the assignment is the same variable being converted. + +Filter matching doesn't not match rule which checks tcp flags on packets +which are fragments - David Wilson + +3.1.7beta 30/1/97 - Released + +Fix up NAT bugs introduced in last major change (now tested), including +nat_delete(), nat_lookupredir(), checksum changes, etc. + +3.1.7alpha 30/1/97 - Released + +Many changes to NAT code, including contributions from Laurent Joncheray +<lpj@ans.net> + +Use "NO_SLEEP" when allocating memory under SunOS. + +Make kernel printf's nicer for BSD/SunOS4 + +Always do a checksum for packets being filtered going out and being +processed by fastroute. + +Leave kernel to play with cdevsw on *BSD systems with LKM's. + +ipnat.1 man page fixes. + +3.1.6 21/1/97 - Released + +Allow NAT to work on BSD systems in conjunction with "pass .. to ifname" + +Memory leak introduced in 3.1.3 in NAT lists, clearing of NAT table tried +to free memory twice. + +NAT recalculates IP header checksum based on difference between IP#'s and +port numbers - should be just IP#'s (Solaris2 only) + +3.1.5 13/1/97 - Released + +fixed setting of NAT timeouts and use different timeouts for concurrent +TCP sessions using the same IP# mapping (when port mapping isn't used) + +multiple loading/unloading of LKM's doesn't clean up cdevsw properly for +*BSD systems. 
+ +3.1.4 10/1/97 - Released + +add command line options -C and -F to ipnat to flush NAT list and table + +ipnat -l loops on output - Neil Readwin (nreadwin@nysales.micrognosis.com) + +NetBSD/FreeBSD kernel malloc changes - Daniel Carosone + +3.1.3 10/1/97 - Released + +NAT chains not constructed correctly in hash tables - Antony Y.R Lu +(antony@hawk.ee.ncku.edu.tw) + +Updated INSTALL.NetBSD, INSTALL.FreeBSD and INSTALL.Sol2 + +man page update (ipf.5) from Daniel Carosone (dan@geek.com.au) + +ICMP header checksum update now included in NAT. + +Solaris2 needs to modify IP header checksums in ip_natin and ip_natout. + +3.1.2 4/12/96 - Released + +ipmon doesn't use syslog all the time when given -s option + +fixed mclput panic in ip_input.c and replace ntohs() with NTOHS() macro + +check the results of hostname resolution in ipnat + +"make *install" fixed for subdirectories. + +problems with "ARCH:=" and gnu make resolved + +parser reports an error for lines with whitespaces only rather than skipping +them. D.Carosone@abm.com.au (Daniel Carosone) + +patches for integration into NetBSD-current (post 1.2). + +add an option to allow non-IP packets going up/down the stream on Solaris2 +to be dropped. John Bass. + +3.1.2beta 21/11/96 - Released + +make ipsend compile on Linux 2.0.24 + +changes to TCP kept state algorithm, making it watch state on TCP +connections in both directions. Also use the same algorithm for NAT TCP. + +-Wall cleanup - Bernd Ernesti + +added "or-block" for "pass .. 
log or-block" after a suggestion from +David Oppenheim (davido@optimation.com.au) + +added subdirectories for building IP Filter in SunOS5/BSD for different +cpu architecures + +Solaris2 fixes to logging and pre-filtering packet processing - 3.1.1p2 + +mbuf logging not using mtod(), remove iplbusy - 3.1.1p1 1/11/96 + +3.1.1 28/10/96 - Released + +Installation script fixes and deinstall scripts for IP Filter on: +SunOS4/FreeBSD/NetBSD + +Man page fixes - Paul Dubois (dubois@primate.wisc.edu) + +Fix use of SOLARIS macro in ipmon, rewrote ipllog() (again!) + +parsing isn't completely case insensitive - David Wilson +(davidw@optimation.com.au) + +Release ipl_mutex across uiomove() calls + +print entire rule entries out for "ipf -z" when zero'ing per-rule stats. + +ipfstat returns same output for "hits" in "ipfstat -aio" - Terletsky Slavik +(ts@polynet.lviv.ua) + +New algorithm for setting timeouts for TCP connection (more closely follow +TCP FSM) - Pradeep Krishnan (pkrishna@netcom.com) + +Track both window sizes for TCP connections through "keep state". + +Solaris2 doesn't like _KERNEL defined in stdargs.h - Jos van Wezel +(wezel@bio.vu.nl) + +3.1.1-beta2 6/10/96 - Released + +Solaris2 fastroute/dup-to/to now works + +ipmon `record' reading rewritten + +Added post-NetBSD1.2 packet filter patches - Mathew Green (mrg@eterna.com.au) + +Attempt to use in_proto.c.diff, not "..diffs" for SunOS4 - David Wilson +(davidw@optimation.com.au) + +Michael Ryan (mike@NetworX.ie) reports the following: +* The Trumpet WinSock under Windows always sends its SYN packet with an ACK + value of 1, unlike any other implementation I've seen, which would set it + to zero. The "keep state" feature of IP Filter doesn't work when receiving + non-zero ACK values on new connection requests. 
+* */Makefile install rule doesn't install all the binaries/man pages +* Make ipnat use "tcp/udp" instead of "tcpudp" +* Print out "tcp/udp" properly +* ipnat "portmap tcp" matches "portmap udp" when adding/removing +* NAT dest. ip# increased by one on mask of 0xffffffff when it shouldn't + +3.1.1-beta 1/9/96 - Released + +add better detection of TCP connections closing to TCP state monitoring. + +fr_addstate() not called correctly for fragments. "keep state" and +"keep frag" code don't work together 100% - Songqing Cai +(songqing_cai@sterling.com) + +call to fr_addstate() incorrect for adding state in combination with keeping +fragment information - Songqing Cai (songqing_cai@sterling.com) + +KFREE() passed fp (incorrect) and not fr (correct) in ip_frag.c - John Hood +(cgull@smoke.marlboro.vt.us) + +make ipf parser recognise '\\' as a `continued line' marker - Dima Ruban +(dima@best.net) + +3.1.1-alpha 23/8/96 - Released + +kernel panic's when ICMP packets go through NAT code + +stats aren't zero'd properly with ipf -Z + +ipnat doesn't show port numbers correctly all the time and also add the +protocol (tcp/udp/tcpudp) to rdr output - Carson Gaspar (carson@lehman.com) + +fast checksum fixing not 100% - backout patch - Bill Dorsey (dorsey@lila.com) + +NetBSD-1.2 patches from - VaX#n8 <vax@linkdead.paranoia.com> + +Usage() call error in fils.c - Ajay Shekhawat (ajay@cedar.buffalo.edu) + +ip_optcopy() staticly defined in ip_output.c in SunOS4 - Nick Hall +(nrh@tardis.ed.ac.uk) + +3.1.0 7/7/96 - Released + +Reformatted ipnat output to be compatible with it's input, so that +"ipnat -l | ipnat -rf -" is possible. 
+ +3.1.0beta 30/6/96 - Released + +NetBSD-1.2 patches from Greg Woods (woods@most.weird.com) + +kernel module must not be installed stripped (Solaris2), as created by +"make package" for Solaris2 - Peter Heimann +(peter@i3.informatik.rwth-aachen.de) + +3.1.0alpha 5/6/96 - Released + +include examples in package for solaris2 + +patches for removing an extra ip header checksum (FreeBSD/NetBSD/SunOS) + +removed trailing space from printouts of rules in ipf. + +ipresend supports the same range of inputs that ipftest does. + +sending a duplicate copy of a packet to another network devices is now +supported. ("dup-to") + +sending a packet to an arbitary interface is now supported, irrespective +of its actual route, with no ttl decrement. Can also be routed without +the ttl being decremented. ("to" and "fastroute"). + +"call" option added to support calling a generic function if a packet is +matched. + +show all (upto 4) recorded bytes from the interface name in logging from +ipmon. + +support for using unix file permissions for read/write access on the device +is now in place. + +recursive mutex in nat_new() for Solaris 2.x - Per L. Hagen <per@stibo.dk> + +ipftest doesn't call initparse() for THISHOST - Catherine Allen +(cla@connect.com.au) + +Man page corrections from Rex Bona (rex@pengo.comsmiths.com.au) + +3.0.4 10/4/96 - Released + +looop in `parsing' IP packets with optlen 0 for ip options. + +rule number not initialized and resulted in unexpected results for state +maching. + +option parsing and printing bugs - Pradeep Krishnan + +3.0.4beta 25/3/96 - Released + +wouldn't parse "keep flags keep state" correctly. + +SunOS4.1.x ip_input.c doesn't recognise all 1s broadcast address - Nigel Verdon + +patches for BSDI's BSD/OS 2.1 and libpcap reader on little endian systems +from Thorsten Lockert <tholo@tetherless.com> + +b* functions in fil.c on Solaris 2.4 + +3.0.3 17/3/96 - Released + +added patches to support IP Filter initialisation when compiled into the +kernel. 
+ +added -x option to ipmon to display hex dumps of logged packets. + +added -H option to ipftest to allow ascii-hex formatted input to specify +arbitary IP packets. + +Sending TCP RSTs as a response now work for Solaris2 x86 + +add patches to make IP Filter compile into NetBSD kernels properly. + +patch to stop SunOS 4.1.x kernels panicing with "data traps". + +ipfboot script unloads and reloads ipf module on Solaris2 if it is already +loaded into the kernel. + +Installation of IP Filter as a Solaris2 package is now supported. + +Man pages for ipnat.4, ipnat.5 added. + +added some more regression tests and fixed up IP Filter to pass the new tests +(previous versions failed some of the tests in set 12). + +IP option filter processing has changed so that saying "with opt lsrr" will +check only for that one, but not mask out other options, so a packet with +strict source routing, along with loose source routing will match all of +"with opt lsrr", "with opt ssrr" and "with opt lsrr,ssrr". + +IPL_NAME needed in ipnat.c - Kelly (kelly@count04.mry.scruznet.com) + +patches for clean NetBSD compilation from Bernd Ernesti (bernd@arresum.inka.de) + +make install is incorrect - Julian Briggs (julian@lightwork.co.uk) + +strtol() returns 0x7fffffff for all negative numbers, +printfr() generates incorrect output for "opt sec-class *", +handling of "not opt xxx opt yyy" incorrect. +- Minh Tonthat (minht@sbei.com)/Pradeep Krishnan (pradeepk@sbei.com) + +m_pullup() called only for input and not output; caused problems +with filtering icmp - Nigel Verdon (verdenn@gb.swissbank.com) + +parsing problem for "port 1" and NetBSD patches incorrect - +Andreas Gustafsson (gson@guava.araneus.fi) + +3.0.2 4/2/96 - Released + +Corrected bug where NAT recalculates checksums for fragments. + +make NAT recalculate UDP checksums (rather than setting them to 0), +if they're non-zero. 
+ +DNS patches - Real Page (Real.Page@Matrox.com) + +alteration of checksum recalculations in NAT code and addition of +redirection with NAT - Mike Neuman + +core dump, if tcp/udp is used with a port number and not service name, +in ipf - Mike Neuman (mcn@engarde.com) + +initparse() call, missing to prime "<thishost>" hook - Craig Bishop + +3.0.1 14/1/96 - Released + +miscellaneous patches for Solaris2 + +3.0 14/1/96 - Released + +Patch included for FDDI, from Richard Ohnemus +(Richard_Ohnemus@dallas.csd.sterling.com) + +Code cleanup for release. + +3.0beta4 10/1/96 + +recursive mutex in ipfr_slowtimer fixed, reported by Craig Bishop + +recursive mutex in sending TCP RSTs fixed, reported by Tony Becker + +3.0beta3 9/1/96 + +FIxup for Solaris2.5 install and interface name bug in ipftest from +Julian Briggs (julian@lightwork.co.uk) + +Byte order patches for ipmon from Tony Becker (tony@mcrsys.com) + +3.0beta2 7/1/96 + +Added the (somewhat warped) IP accounting as it exists in ipfw on FreeBSD. +Note, this isn't really what one would call IP account, when compared to +process accounting, sigh. + +Split up ipresend into iptest/ipresend/ipsend + +Added another m_pullup() inside fr_check() for BSD style kernels and +added some checks to ipllog() to not log more than is present (for short +packets). + +Fixed bug where failed hostname/netname resolution goes undetecte and +becomes 0.0.0.0 (any) (reported Guido van Rooij) + +3.0beta 11/11/95 - Released + +Rewrote the way rule testing is done, reducing the number of files needed and +generated. 
+ +SIOCIPFFL was incorrectly affected by IPFILTER_LOG (Mathew Green) + +Patches from Guido van Rooij to fix sending back TCP RSTs on Net-2/Net-3 +BSD based Unixes (panic'd) + +Patches for FreeBSD/i86 ipmon from Riku Kalinen <riku@tequila.nixu.fi> +(I think someone else already told me about these but they got lost :-/) + +Changed Makefile structure to build object files for different operating +systems in separate directories by default. + +BSDI has ef0 for first ethernet interface + +Allow for a "not" operator before optional keywords. + +The "rule number" was being incorrectly incremented every time it went through +the loop rather than when it matched a rule. + +2.8.2 24/10/95 - Released + +Fixed up problems with "textip" for doing lots of testing. + +Fixed bug in detection of "short" tcp/ip packets (all reported as being short). + +Solaris 2.4 port now works 100%. + +Man page errors reported and fixed. + +Removed duplicate entry in etc/services for login on port 49 (Craig Bishop). + +Fixed ipmon output to put a space after the log-letter. + +Patch from Guido van Rooij to fix parsing problem. + +2.8.1 15/10/95 - Released + +Added ttl and tos filtering. + +Patches for fixing up compilation and port problems (little endian) +from Guido van Rooij <guido@IAEhv.nl>. + +Man page problems reported and fixed by Carson Gaspar <carson@lehman.com>. + +ipsend doesn't compile properly on Solaris2.4 + +Lots of work done for Solaris2.4 to make it MT/MP safe and work. + +2.8 15/9/95 - Released + +ipmon can now send messages to syslogd (-s) and use names instead of +numbers (-N). + +IP packets are now "compiled" into a structure only containing filterable +bits. + +Added regression testing in the test/ subdirectory, using a new option +(-b) with the ipftest program. + +Added "nomatch" return to filter results. These are counted and show +up in reports from ipfstat. + +Moved filter code out of ip_fil.c and into fil.c - there is now only one +instance of it in the package. 
+ +Added Solaris 2.4 support. + +Added IPSO basic security option filtering. + +Added name support for filtering on all 19 named IP options. + +Patches from Ivan Brawley to log packet contents as well as packet headers. + +Update for sun/conf.c.diff from Ivan Brawley <ibrawley@awadi.com.AU> + +Added patches for FreeBSD 1, and added two new switches (-E, -D) to ipf, +along with a new ioctl, SIOCFRENB. +From: Dieter Dworkin Muller <dworkin@village.org> + +2.7.3 31/7.95 - Released + +Didn't compile cleanly without IPFILTER_LOG defined (Mathew Green). + +ipftest now deals with tcpdump3 binary output files (from libpcap) with -P. + +Brought ipftest program upto date with actual filter code. + +Filter would cause a match to occur when it wasn't meant to if the packet +had short headers and was missing portions that should have been there. +Err, it would rightly not match on them, but their absence caused a match +when it shouldn't have been. + +2.7.2 26/7/95 - Released + +Problem with filtering just SYN flagged packets reported by +Dieter Dworkin Muller <dworkin@village.org>. To solve this +problem, added support for masking TCP flags for comparison "flags X/Y". + +2.7.1 9/7/95 - Released + +Added ip_dirbroadcast support for Sun ip_input.c + +Fixed up the install scripts for FreeBSD/NetBSD to recognise where they are +better. + +2.7 7/7/95 - Released + +Added "return-rst" to return TCP RST's to TCP packets. + +Actually ported it to FreeBSD-i386 2.0.0, so it works there properly now. + +Added insertion of filter rules. Use "@<#>" at the beginning of a filter +to insert a rule at row #. + +Filter keeps track of how many times each rule is matched. + +Changed compile time things to match kernel option (IPFILTER_LKM & +IPFILTER_LOG). + +Updated ip_input.c and ip_output.c with paches for 3.5 Multicast IP. +(No change required for 3.6) + +Now includes TCP fragments which start inside the TCP header as being short. +Added counting the number of times each rule is matched. 
+ + +2.6 11/5/95 - Released + +Added -n option to ipf: when supplied, no changes are made to the kernel. + +Added installation scripts for SunOS 4.1.x and NetBSD/FreeBSD/BSDI. + +Rewrote filtering to use a more generic mask & match procedure for +checking if a packet matches a rule. + +2.5.2 27/4/95 - Released + +"tcp/udp" and a non-initialised pointer caused the "proto" to become +a `random' value; added "ip#/dotted.mask" notation to the BNF. +From Adam W. Feigin <feigin@iis.ee.ethz.ch> + +2.5.1 22/3/95 - Released + +"tcp/udp" had a strange effect (undesired) on getserv*() functions, +causing protocol/service lookups to fail. Reported by Matthew Green. + +2.5 17/3/95 - Released + +Added a new keyword "all" to BNF and parsing of tcpdump/etherfind/snoop +output through the ipftest program. Suggestions from: +Michael Ciavarella (mikec@phyto.apana.org.au) + +Conflicts occur when "general" filter rules are used for ports and the +lack of a "proto" when used with "port" matches other packets when only +TCP/UDP are implied. +Reported Matthew Green (mrg@fulcom.com.au); +reported & fixed 6-8/3/95 + +Added filtering of short TCP packets using "with short" 28/2/95 +(These can possibly slip by checks for the various flags). Short UDP +or ICMP are dropped to the floor and logged. + +Added filtering of fragmented packets using "with frag" 24/2/95 + +Port to NetBSD-current completed 20/2/95, using LKM. + +Added logging of the rule # which caused the logging to happen and the +interface on which the packet is currently as suggested by +Andreas Greulich (greulich@math-stat.unibe.ch) 10/2/95 + +2.4 9/2/95 - Released +Fixed saving of IP headers in ICMP packets. + +2.3 29/1/95 +Added ipf -F [in|out|all] to flush filter rule sets (SIOCIPFFL). +Fixed iplread() and iplsave() with help from Marc Huber. + +2.2 7/1/95 - Released +Added code from Marc Huber <huber@fzi.de> to allow it to allocate +its own major char number dynamically when modload'ing. 
Fixed up +use of <, >, <=, >= and >< for ports. + +2.1 21/12/94 - Released +repackaged to include the correct ip_output.c and ip_input.c *goof* + +2.0 18/12/94 - Released +added code to check for port ranges - complete. +rewrote to work as a loadable kernel module - complete. + +1.1 +added code for ouput filtering as well as input filtering and added support for logging to a simple character device of packet headers. + +1.0 22/04/93 - Released +First release cut. |
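Review bot: the imported HISTORY text carries spelling errors that will ship into the tree as-is; at minimum `looop in `parsing' IP packets with optlen 0 for ip options.`, `Fixed bug where failed hostname/netname resolution goes undetecte and` and `added code for ouput filtering as well as input filtering` should read `loop`, `undetected` and `output`, and the same pass should catch `arbitary` (twice), `maching`, `FIxup`, `paches` and `upto`. The 2.7.3 date `31/7.95` mixes separators where every other entry uses `d/m/yy`, and the 2.4, 2.3, 2.2, 2.1, 2.0 and 1.1 entries drop the blank line between the version header and the first change that all later entries use, which makes the tail of the file harder to scan than the rest.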