git: 5ee61c7daa51 - main - ipfilter: Remove remaining unused bits
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 20 Dec 2021 14:17:35 UTC
The branch main has been updated by cy: URL: https://cgit.FreeBSD.org/src/commit/?id=5ee61c7daa511927aae8652d6a3ea78866a50ef8 commit 5ee61c7daa511927aae8652d6a3ea78866a50ef8 Author: Cy Schubert <cy@FreeBSD.org> AuthorDate: 2021-12-16 04:52:48 +0000 Commit: Cy Schubert <cy@FreeBSD.org> CommitDate: 2021-12-20 14:16:33 +0000 ipfilter: Remove remaining unused bits Remove the remaining unused source files. These were never used. This is the last of a three commit series to move ipfilter. Discussed with: glebius Reviewed by: glebius, kp (for #network) MFC after: 1 month Differential Revision: https://reviews.freebsd.org/D33510 --- contrib/ipfilter/BugReport | 12 - contrib/ipfilter/HISTORY | 1830 ------------ contrib/ipfilter/LICENCE | 16 - contrib/ipfilter/Makefile | 410 --- contrib/ipfilter/NAT.FreeBSD | 104 - contrib/ipfilter/README | 101 - contrib/ipfilter/STYLE.TXT | 57 - contrib/ipfilter/WhatsNew50.txt | 83 - contrib/ipfilter/Y2K | 3 - contrib/ipfilter/arc4random.c | 267 -- contrib/ipfilter/ip_fil_compat.c | 4811 -------------------------------- contrib/ipfilter/ipf_rb.h | 364 --- contrib/ipfilter/lib/Makefile | 443 --- contrib/ipfilter/man/Makefile | 31 - contrib/ipfilter/man/ipfilter.4.mandoc | 267 -- contrib/ipfilter/opt_inet6.h | 1 - contrib/ipfilter/snoop.h | 47 - contrib/ipfilter/sys/tree.h | 750 ----- contrib/ipfilter/tools/BNF.ipf | 80 - contrib/ipfilter/tools/BNF.ipnat | 28 - contrib/ipfilter/tools/Makefile | 104 - contrib/ipfilter/tools/ipfsyncd.c | 671 ----- contrib/ipfilter/tools/ipsyncm.c | 256 -- contrib/ipfilter/tools/ipsyncs.c | 274 -- contrib/ipfilter/tools/lex_var.h | 60 - 25 files changed, 11070 deletions(-) diff --git a/contrib/ipfilter/BugReport b/contrib/ipfilter/BugReport deleted file mode 100644 index 699483189012..000000000000 --- a/contrib/ipfilter/BugReport +++ /dev/null @@ -1,12 +0,0 @@ -Please submit this information at SourceForge using this URL: -http://sourceforge.net/tracker/?func=add&group_id=169098&atid=849053 - -Please also send an email to darrenr@reed.wattle.id.au. - -Some information that I generally find important: --------------------------- -* IP Filter Version -* Operating System and its Version -* Configuration: (LKM or compiled-into-kernel) -* Description of problem -* How to repeat diff --git a/contrib/ipfilter/HISTORY b/contrib/ipfilter/HISTORY deleted file mode 100644 index 8b67de7bfe47..000000000000 --- a/contrib/ipfilter/HISTORY +++ /dev/null @@ -1,1830 +0,0 @@ -# -# NOTE: Quite a few patches and suggestions come from other sources, to whom -# I'm greatly indebted, even if no names are mentioned. -# -# Thanks to the Coombs Computing Unit at the ANU for their continued support -# in providing a very available location for the IP Filter home page and -# distribution center. -# -# Thanks also to all those who have contributed patches and other code, -# and especially those who have found the time to port IP Filter to new -# platforms. -# -5.1.2 - RELEASED - 22 Jul 2012 - -3546266 macro letters could be more consistent -3546265 not all of the state statistics are displayed -3546261 scripts for updating BSD environment out of date -3546260 compiler warnings about non-integer array subscript -3546259 asserting numdereflists == 0 is not correct -3546258 expression matching does not see IPF_EXP_END -3544317 ipnat/ipfstat are not using ipfexp_t -3545324 proxy checksum calculation is not hardware aware -3545321 FTP sequence number adjustment incorrectly applied -3545320 EPSV is not recognised -3545319 move nat rule creation to ip_proxy.c -3545317 better feedback of checksum requirements for proxies -3545314 ftp proxy levels do not make sense -3545312 EPRT is not supported by ftp proxy -3544318 ipnat.conf parsing ignores LHS address family -3545309 non-ipv6 safe proxies do not fail with ipv6 -3545323 NAT updates the source port twice -3545322 ipv6 nat rules cannot start proxies -3544314 bucket copyout tries to copy too much data -3544313 remove nat encap feature -3546248 compat rule pointer type mismatch -3546247 UDP hardware checksum offload not recognised -3545311 ifp_ifaddr does not find the first set address -3545310 ipmon needs ipl_sec on 64bit boundary -3545326 reference count changes made without lock -3544315 stateful matching does not use ipfexp_t -3543493 tokens are not flushed when disabled -3543487 NAT rules do not always release lookup objects -3543491 function comments in ip_state.c are old -3543404 ipnat.conf parsing uses family/ip version badly -3543403 incorrect line number printed in ipnat parsing errors -3543402 Not all NAT statistics are printed -3542979 NAT session list management is too simple -3542978 ipv4 and ipv6 nat insert have common hash insertion -3542977 ipnat_t refence tracking incomplete -3542975 proxies must use ipnat_t separately -3542980 printing ipv6 expressions is wrong -3542983 ippool cannot handle more than one ipv6 address -3543018 mask array shifted incorrectly. -3542974 reason for dropping packet is lost -3542982 line numbers not recorded/displayed correctly by ipf -3542981 exclamation mark cuases trouble with pools -3541655 test suite checksums incorrect -3541653 display proxy fail status correctly -3540993 IP header offset excluded in pullup calculations -3540994 pullupmsg does not work as required -3540992 pointer to ipv6 frag header not updated on pullup -3541645 netmask management adds /32 for /0 -3541637 ipnat parser does not zero port fields for non-port protocol -3541635 pool names cannot by numbers -3540995 IPv6 fragment tracking does not always work -3540996 printing of nextip for ipv6 nat rules is wrong -3540999 ipnat.conf parsing has trouble with icmpidmap for ipv6 -3540825 whois output parsing error for ipv6 -3540814 ipfd_lock serves no purpose -3540810 lookup objects need tail pointers -3540809 refactor hash table lookups for nat -3540819 radix tree does not work with ipv6 -3540820 mutex emulation should be logged -3540828 ipfstat filtering with -m fails tests -3536480 ippool could be more like the others -3536477 pool printing not uniform -3536483 flushing empty destination lists causes panic -3536481 more use of bzero after KMALLOC required -3536479 ipnat.conf line numbers not stored -3536484 Makefile missing dependency for ippool -3536199 TFTP proxy requires something extra -3536198 ICMP checksum out by one -3536203 ipnat does not return an error -3536201 ipf.conf parsing too address friendly -3536200 printing of bytes/packets not indented -3497941 ipv4 multicast detection incorrect on little endian -3535361 to interfaces printed out of order -3535363 ipf parser is inconsistent -3532306 deleting ipnat rules does not work -3532054 new error required for ipf_rx_create -3532053 icmp6 checksums wrong -3532052 icmpv6 state check with incorrect length -3531871 checksum verification wants too many icmp6 bytes -3531870 ipnat.conf parsing needs to support inet6 -3532048 error in ipf group parsing -3531868 ICMPV6 checksum not validated -3531893 ipftest exits without error for bad input -3531890 whois pool parsing builds bad structures -3531891 icmpv6 text parsing ignorant of icmp types -3531653 rewrite with icmp does not work -3530563 NAT operations fail with EPERM -3530544 first pass at gcc -Wextra cleanup -3530540 lookup create functions do not set error properly -3530539 ipf_main_soft_destroy doesn't need 2nd arg -3530541 reorder structure for better packing -3530543 ipnat purge needs documentation -3530515 BSD upgrade script required -3528029 ipmon bad-mutex panic -3530247 loading address pools light on input validation -3530255 radix tree delete uses wrong lookup -3530254 radix tree allocation support wrong -3530264 ipmon prints qd for some 64bit numbers -3530260 decapsulate rules not printed correctly. -3530266 ipfstat -v/-d flags confused -2939220 why a packet is blocked is not discernable -2939218 output interface not recorded -2941850 use of destination lists with to/dup-to beneficial -3457747 build errors introduced with radix change -3535360 timeout groups leak -3535359 memory leak with tokens -3535358 listing rules in groups requires tracking groups -3535357 rule head removal is problematic -3530259 not all ioctl error checked wth SIOCIPFINTERROR -3530258 error routine that uses fd required -3530253 inadequate function comment blocks -3530249 walking lookup tables leaks memory -3530241 extra lock padding required for freebsd -3529901 ipf returns 0 when rules fail to load -3529491 checksum validation could be better -3529486 tcp checksum wrong for ipv6 -3533779 ipv6 nat rules missing inet6 keyword -3532693 ipnat.conf rejects some ipv6 addresses -3532691 ipv4 should not be forced for icmp -3532689 ipv6 nat rules do not print inet6 -3532688 ipv6 address always printed with "to <if>" -3532687 with v6hdrs not supported like with ipopts -3532686 ipf expressions do not work with ipv6 -3540825 whois output parsing error for ipv6 -3540818 NAT for certain IPv6 ICMP packets should not be allowed -3540815 memory leak with destination lists -3540814 ipfd_lock serves no purpose -3540810 lookup objects need tail pointers -3540809 refactor hash table lookups for nat -3540808 completed tokens do not stop iteration -3530492 address hash table name not used -3528029 ipmon bad-mutex panic -3530256 hook memory leaked -3530271 pools parsing produces badly formed address structures -3488061 cleanup for illumos build -3484434 SIOCIPFINTERROR must work for all devices -3484067 mandoc -Tlint warnings to be fixed -3483343 compile warning in ipfcomp.c -3482893 building without IPFILTER_LOG fails -3482765 building netbsd kernel without inet6 fails -3482116 ipf_check frees packet from ipftest -3481663 does not compile on solaris 11 - -5.1.1 - RELEASED - 9 May 2012 - -3481322 ip_fil_compat.c needs a cleanup -3481211 add user errors to dtrace -3481152 compatibility for 4.1 needs more work -3481153 PRIu64 problems on FreeBSD -3481155 ipnat listing incorrect -3480543 change leads to compat problems -3480538 compiler errors from earlier patch -3480537 ipf_instance_destroy is incomplete -3480536 _fini order leads to panic -3479991 compiler warnings about size mismatches -3479974 copyright dates are wrong (fix) -3479464 add support for leaks testing -3479457 %qu is not the prefered way -3479451 iterators leak memory -3479453 nat rules with pools leak -3479454 memory leak in hostmap table -3479461 load_hash uses memory after free -3479462 printpool leaks memory -3479452 missing FREE_MB_T to freembt leaks -3479450 ipfdetach is called when detached -3479448 group mapping rules memory leak -3479455 memory leak from tuning -3479458 ipf must be running in global zone -3479460 driver replace is wrong -3479459 radix tree tries to free null pointer -3479463 rwlock emulation does not free memory -3479465 parser leaks memory -3475959 hardware checksum not correctly used -3475426 ip pseudo checksum wrong -3473566 radix tree does not delete dups right -3472987 compile is not clean -3472337 not everything is zero'd -3472344 interface setup needs to be after insert -3472340 wildcard counter drops twice -3472338 change fastroute interface -3472335 kernel lock defines not placed correctly -3472324 ICMP INFOREQ/REPLY not handled -3472330 multicast packets tagged by address -3472333 ipf_deliverlocal called incorrectly -3472345 mutex debug could be more granular -3472761 building i19 regression is flawed -3456457 use of bsd tree.h needs to be removed -3460522 code cleanup required for building on freebsd -3459734 trade some cpu for memory -3457747 build errors introduced with radix change -3457804 build errors from removal of pcap-int,h -3440163 rewrite radix tree -3428004 snoop, tcpdump, etherfind readers are unused -3439495 ipf_rand_push never called (fix brackets) -3437732 getnattype does not need to use ipnat_t (fix variable name) -3437696 fr_cksum is a nightmare -3439061 ipf_send_ip doesn't need 3rd arg -3439059 ipid needs to be file local -3437740 complete buildout of fnew -3438575 add dtrace probes to block events -3438347 comment blocks missing softc -3437687 description of ipf_makefrip wrong -3438340 more stats as dtrace probes -3438316 free on nat structure uses fixed size -3437745 nat iterator using the wrong size -3437710 fail checksum verification if packet is short -3437696 fr_cksum is a nightmare -3437732 getnattype does not need to use ipnat_t -3437735 rename ipf_allocmbt to allocmbt -3437697 fr_family to version assignment is wrong -3437746 ap_session_t has unused fields -3437747 move softc structure to .h file (ip_state.c) -3437704 there is no DTRACE_PROBE5 -3437748 wrong interface in qpktinfo_t -3437729 create function to hexdump mb_t -3438273 msgdsize should be easier to read -3437683 object direction not set for 32bit -3433767 calling ip_cksum could be easier -3433764 left over locking -3428015 printing proxy data size is useless -3428013 add M_ADJ to hide adjmsg/m_adj -3428012 interface name is not always returned correctly -3428002 ip_ttl is too low -3427997 ipft readers do not set buffer length -3426558 resistence is futile -3424495 various copy-paste errors -1826936 shall we allow ipf to be as dumb as its admin -3424477 specfuncs needs to go -3424484 missing fr_checkv6sum -3424478 one entry at a time -2998760 auth rules do not mix well with to/dup-to/fastroute -3424195 add ctfmerge to sunos5 makefile -3424132 some dtrace probes to start with -3423812 makefile needs ip_frag.h for some files -3423817 reference count useful in verbose output -3423800 walking lists does not drop reference -3423805 fragmentation stats not reported correclty -3423808 ip addresses reportied incorrectly with ipfstat -f -3423821 track packets and bytes for fragmentation -3423803 attempt to double free rule -3423805 fragmentation stats not reported correctly -3422712 system panic with ipfstat -f -3422619 pullup counter bumped for every packet -3422608 dummy rtentry required to build -3422018 frflush next to ipf_fini_all is redundant -3422012 instance cleanup is not clean -3421845 instance name not set -3005622 ip_fil5.1.0 does not load on Solaris 10 U8 -2976332 stateful filtering is incompatible with ipv4 options -3387509 ipftest needs help construction ip packets with options -2998746 passp can never be null -3064034 mbuf clobbering problem with ipv6 -3105725 ipnat divide by zero panic -2998750 ipf_htent_insert can leak memory -3064034 mbuf clobbering problem with ipv6 -3105725 ipnat divie by zero panic - -5.1 - RELEASED - 9 May 2010 - -* See WhatsNew50.txt - -4.1 - RELEASED - 12 February 2004 - -4.0-BETA1 20 August 2003 - -support 0/32 and 0/0 on the RHS in redirect rules - -where LHS and RHS netmasks are the same size for redirect, do 1:1 mapping -for bimap rules. - -allow NAT rule to match 'all' interfaces with * as interface name - -do mapping of ICMP sequence id#'s in pings - -allow default age for NAT entries to be set per NAT rule - -provide round robin selection of destination addresses for redirect - -ipmon can load a configuration file with instructions on actions -to take when a matching log entry is received - -now requires pfil to work on Solaris & HP-UX - -supports mapping outbound connections to a specific address/port - -support toggling of logging per ipfilter 'device' - -use queues to expire data rather than lists - -add MSN RPC proxy - -add IRC proxy - -support rules with dynamic ip addresses - -add ability to define a pool of addresses & networks which can then -be placed in a single rule - -support passing entire packet back to user program for authentication - -support master/slave for state information sharing - -reorganise generic code into a lib directory and make libipf.a - -user programs enforce version matching with the kernel - -supports window scaling if seen at TCP session setup - -generates C code from filter rules to compile in or load as native -machine code. - -supports loading rules comprised of BPF bytecode statements - -HP-UX 11 port completed - -and packets-per-second filtering - -add numerical tags to rules for filtering and display in ipmon output - -3.4.4 23/05/2000 - Released - -don't add TCP state if it is an RST packet and (attempt) to send out -RST/ICMP packets in a manner that bypasses IP Filter. - -add patch to work with 4.0_STABLE delayed checksums - -3.4.3 20/05/2000 - Released - -fix ipmon -F - -don't truncate IPv6 packets on Solaris - -fix keep state for ICMP ECHO - -add some NAT stats and use def_nat_age rather than DEF_NAT_AGE - -don't make ftp proxy drop packets - -use MCLISREFERENCED() in tandem with M_EXT to check if IP fields need to be -swapped back. - -fix up RST generation for non-Solaris - -get "short" flag right for IPv6 - -3.4.2 - 10/5/2000 - Released - -Fix bug in dealing with "hlen == 1 and opt > 1" - Itojun - -ignore previous NAT mappings for 0/0 and 0/32 rules - -bring in a completely new ftp proxy - -allow NAT to cause packets to be dropped. - -add NetBSD callout support for 1.4-current - -3.4.1 - 30/4/2000 - Released - -add ratoui() and fix parsing of group numbers to allow 0 - UINT_MAX - -don't include opt_inet6.h for FreeBSD if KLD_MODULE is defined - -Solaris must use copyin() for all types of ioctl() args - -fix up screen/tty when leaving "top mode" of ipfstat - -linked list for maptable not setup correctly in nat_hostmap() - -check for maptable rather than nat_table[1] to see if malloc for maptable -succeeded in nat_init - -fix handling of map NAT rules with "from/to" host specs - -fix printout out of source address when using "from/to" with map rules - -convert ip_len back to network byte order, not plen, for solaris as ip_len -may have been changed by NAT and plen won't reflect this - -3.4 - 27/4/2000 - Released - -source address spoofing can be turned on (fr_chksrc) without using -filter rules - -group numbers are now 32bits in size, up from 16bits - -IPv6 filtering available - -add frank volf's state-top patches - -add load splitting and round-robin attribute to redirect rules - -FreeBSD-4.0 support (including KLD) - -add top-style operation mode for ipfstat (-t) - -add save/restore of IP Filter state/NAT information (ipfs) - -further ftp proxy security checks - -support for adding and removing proxies at runtime - -3.3.13 26/04/2000 - Released - -Fix parsing of "range" with "portmap" - -Relax checking of ftp replies, slightly. - -Fix NAT timeouts for ICMP packets - -SunOS4 patches for ICMP redirects from Jurgen Keil (jk@tools.de) - -3.3.12 16/03/2000 - Released - -tighten up ftp proxy behaviour. sigh. yuck. hate. - -fix bug in range check for NAT where the last IP# was not used. - -fix problem with icmp codes > 127 in filter rules caused bad things to -happen and in particular, where #18 caused the rule to be printed -erroneously. - -fix bug with the spl level not being reset when returning EIO from -iplioctl due to ipfilter not being initialized yet. - -3.3.11 04/03/2000 - Released - -make "or-block" work with lines that start with "log" - -fix up parsing and printing of rules with syslog levels in them - -fix from Cy Schubert for calling of apr_fini only if non-null - - -3.3.10 24/02/2000 - Released - -* fix back from guido for state tracking interfaces - -* update for NetBSD pfil interface changes - -* if attaching fails and we can abort, then cleanup when doing so. - -julian@computer.org: -* solaris.c (fr_precheck): After calling freemsg on mt, set it point to *mp. -* ipf.c (packetlogon): use flag to store the return value from get_flags. -* ipmon.c (init_tabs): General cleanup so we do not have to cast - an int s->s_port to u_int port and try to check if the u_int port - is less than zero. - -3.3.9 15/02/2000 - Released - -fix scheduling of bad locking in fr_addstate() used when we attach onto -a filter rule. - -fix up ip_statesync() with storing interface names in ipstate_t - -fix fr_running for LKM's - Eugene Polovnikov - -junk using pullupmsg() for solaris - it's next to useless for what we -need to do here anyway - and implement what we require. - -don't call fr_delstate() in fr_checkstate(), when compiled for a user -program, early but when we're finished with it (got fr & pass) - -ipnat(5) fix from Guido - -on solaris2, copy message and use that with filter if there is another -copy if it being used (db_ref > 1). bad for performance, but better -than causing a crash. - -patch for solaris8-fcs compile from Casper Dik - -3.3.8 01/02/2000 - Released - -fix state handling of SYN packets. - -add parsing recognition of extra icmp types/codes and fix handling of -icmp time stamps and mask requests - Frank volf - -3.3.7 25/01/2000 - Released - -sync on state information as well as NAT information when required - -record nat protocol in all nat log records - -don't reuse the IP# from an active NAT session if the IP# in the rule -has changed dynamically. - -lookup the protocol for NAT log information in ipmon and pass that to -portname. - -fix the bug with changing the outbound interface of a packet where it -would lead to a panic. - -use fr_running instead of ipl_inited. (sysctl name change on freebsd) - -return EIO if someone attempts an ioctl on state/nat if ipfilter is not -enabled. - -fix rule insertion bug - -make state flushing clean anything that's not fully established (4/4) - -call fr_state_flush() after we've released ipf_state so we don't generate -a recursive mutex acquisition panic - -fix parsing of icmp code after return-icmp/return-icmp-as-dest and add -some patches to enhance parsing strength - -3.3.6 28/12/1999 - Released - -add in missing rwlock release in fr_checkicmpmatchingstate() and fix check -for ICMP_ECHO to only be for packet, not state entry which we don't have yet. - -handle SIOCIPFFB in nat_ioctl() and fr_state_ioctl() - -fix size of friostat for SunOS4 - -fix bug in running off the end of a buffer in real audio proxy - -3.3.5 11/12/1999 - Released - -fix parsing of "log level" and printing it back out too - -<net/if_types.h> is only present on Solaris2.6/7/8 - -use send_icmp_err rather than icmp_error to send back a frag-needed error -when doing PMTU - -do not use -b with add_drv on Solaris unless $BASEDIR is set. - -fix problem where source address in icmp replies is reversed - -fix yet another problem with real audio. - -3.3.4 4/12/1999 - Released - -fix up the real audio proxy to properly setup state information and NAT -entries, thanks to Laine Stump for testing/advice/fixes. - -fix ipfr_fastroute to set dst->sin_addr (Sean Farley - appears to prevent -FreeBSD 3.3 from panic'ing) as this had been removed in prior hacks to this -routine. - -fix kinstall for BSDI - -support ICMP errors being allowed through for ICMP packets going out with -keep state enabled - -support hardware checksumming (gigabit ethernet cards) on Solaris thanks to -Tel.Net Media for providing hardware for testing. - -patched from Frank Volf for ipmon (ICMP & fragmented packets) and allowing -ICMP responses to ICMP packets in the keep state table. - -add in patches for hardware checksumming under solaris - -Solaris install scripts now use $BASEDIR as appropriate. - -add Solaris8 support - -fix "ipf -y" on solaris so that it rescans rules also for changes in -interface pointers - -let ipmon become a daemon with -D if it is using syslog - -fix parsing of return-icmp-as-dest(foo) - -add reference to ipfstat -g to ipfstat.8 - -ipf_mutex needs to be declared for irix in ip_fil.c - -3.3.3 22/10/1999 - Released - -add -g command line option to ipfstat to show groups still define. - -fix problem with fragment table not recording rule pointer when called -from state functions (fin_fr not set). - -fixup fastroute problems with keep state rules. - -load rules into inactive set first, so we don't disable things like NIS -lookups half way through processing - found by Kevin Littlejohn - -fix handling of unaligned ip pointer for solaris - -patch for fr_newauth from Rudi Sluijtman - -fixed htons() bug in fr_tcpsum() where ip_p wasn't cast to u_short - -3.3.2 23/09/1999 - Released - -patches from Scott Presnell to fix rcmd proxy - -patches from Greg to fix Solaris detachment of interfaces - -add openbsd compatibility fixes - -fix free'ing already freed memory in ipfr_slowtimer() - -fix for deferencing invalid memory in cleaning up after a device disappears - -3.3.1 14/8/1999 - Released - -remove include file sys/user.h for irix - -prevent people from running buildsunos directly - -fix up some problems with the saving of rule pointers so that NAT saves -that information in case it should need to call fr_addstate() from a proxy. - -fix up scanning for the end of FTP messages - -don't remove /etc/opt/ipf in postremove - -attempt to prevent people running buildsolaris script without doing a -"make solaris" - -fix timeout losing on freebsd3 - -3.3 7/8/1999 - Released - -NAT: information (rules, mappings) are stored in hash tables; setup some -basic NAT regression testing. - -display version name of installed kernel code when initializing. - -add -V command line option to ipf, showing version (program and kernel -module) as well as the run-status of the kernel code. - -fix problem with "log" rules actually affecting result of filtering. - -automatically use SUNWspro if available and on a 64bit Solaris system for -compiling. - -add kernel proxies for rcmd(3) and RealAudio (PNA) - -use timeout/untimeout on SunOS4/BSD platforms too rather than hijacking -ip_slowtimo - -fix IP headers generated through parsing of text information - -fix NAT rules to be in the correct order again. - -make keep-state work with to/fastroute keywords and enforce usage of those -interfaces. - -update keep-state code with new algorithm from Guido - -add FreeBSD-3 support - -add return-icmp-as-dest option to retrun an ICMP packet using the original -destination as the source rather than a local IP address - -add "level [facility.]<priority>" option to filter language - -add changes from Guido to state code. - -add code to return EPERM if the device is opened for writing and we're -in securelevel 2 or greater. - -authentication code patches from Guido - -fix real audio proxy - -fix ipmon rule printing of interfaces and add IN/OUT to the end of ipmon -log output. - -fix bimap rules with hash tables - -update addresses used in NAT mappings for 0/32 rules for any protocol but TCP -if it changes on the interface - check every ip_natexpire() - -add redirect regression test - -count buckets used in the state hash table. - -fix sending of RST's with return-rst to use the ack number provided in -the packet being replied to in addition to the sequence number. - -fix to compile as a 64bit application on solaris7-64bit - -add NAT IP mapping to ranges of IP addresses that aren't CIDR specified - -fix calculation of in_space parameter for NAT - -fix `wrapping' when incrementing the next ip address for use in NAT - -fix free'ing of kernel memory in ip_natunload on solaris - -fix -l/-U command line options from interfering with each other - -fix fastroute under solaris2 and cleanup compilation for solaris7 - -add install scripts and compile cleanly on BSD/OS 4.0 - -safely open files in /tmp for writing device output when testing. - -fix uninitialized pointer bug in NAT - -fix SIOCZRLST (zero list rule stats) bug with groups - -change some usage of u_short to u_int in function calling - -fix compilation for Solaris7 (SUNWspro) - -change solaris makefiles to build for either sparc or i386 rather than -per-cpu (sun4u, etc). - -fixed bug in ipllog - -add patches from George Michaelson for FreeBSD 3.0 - -add patch from Guido to provide ICMP checking for known state in the same -manner as is done for NAT. - -enable FTP PASV proxying and enable wildcarding in NAT/state code for ports -for better PORT/PASV support with FTP. - -bring into main tree static nat features: map-block and "auto" portmapping. - -add in source host filtering for redirects (alan jones) - -3.2.10 22/11/98 - Released - -3.2.10beta9 17/11/98 - Released - -fix fr_tcpsum problems in handling mbufs with an odd number of bytes -and/or split across an mbuf boundary - -fix NAT list entry comparisons and allow multiple entries for the same -proxy (but on different ports). - -don't create duplicate NAT entries for repeated PORT commands. - -3.2.10beta8 14/11/98 - Released - -always exit an rwlock before expecting to enter it again on solaris - -fix loop in nat_new for pre-existing nat - -don't setup state for an ftp connection if creating nat fails. - -3.2.10beta7 05/11/98 - Released - -set fake window in ipft_tx.c to ensure code passes tests. - -cleaned up/enhanced ipnat -l/ipnat -lv output - -fixed NAT handling of non-TCP/UDP packets, esp. for ICMP errors returned. - -Solaris recusive mutex on icmp-error/tcp-reset - requires rwlock's rather -than mutexes. - -3.2.10beta6 03/11/98 - Released - -fix mixed use of krwlock_t and kmutex_t on Solaris2 - -fix FTP proxy back up, splitting pasv code out of port code. - -3.2.10beta5 02/11/98 - Released - -fixed port translation in ICMP reply handling - -3.2.10beta4 01/11/98 - Released - -increase useful statistic collection on solaris - -filter DL_UNITDATA_REQ as well as DL_UNITDATA_IND on solaris - -disable PASV reply translation for now - -fail with an error if we try to load a NAT rule with a non-existant - proxy name - Guido - -fix portmap usage with 0/0 and 0/32 map rules - -remove ap_unload/ap_expire - automatically done when NAT is cleaned up - -print "STATE:CLOSED" from ipmon if the connection progresses past established - rather than "STATE:EXPIRED" - -3.2.10beta3 26/10/98 - Released - -fixed traceroute/nat problem - -rewrote nat/proxy interface - -ipnat now lists associated proxy sessions for each NAT where applicable - -3.2.10beta2 13/10/98 - Released - -use KRWLOCK_T in place of krwlock_t for solaris as well as irix - -disable use of read-write lock acquisition by default - -add in mb_t for linux, non-kernel - -some changes to progress compilation on linux with glibc - -change PASV as well as PORT when passed through kernel ftp proxy. - -don't allow window to become 0 in tcp state code - -make ipmon compile cleaner - -irix patches - -3.2.10beta 11/09/98 - Released - -stop fr_tcpsum() thinking it has run out of data when it hasn't. - -stop solaris panics due to fin_dp being something wild. - -revisit usage of ATOMIC_*() - -log closing state of TCP connection in "keep state" - -fix fake-arp table code for ipsend. - -ipmon now writes pid to a file. - -fix "ipmon -a" to actually activate all logging devices. - -add patches for BSDOS4. - -perl scripts for log analysis donated. - -3.2.9 22/06/98 - Released - -fix byte order for ICMP packets generated on Solaris - -fix some locking problems. - -fix malloc bug in NAT (introduced in 3.2.8). - -patch from guido for state connections that get fragmented - -3.2.8 08/06/98 - Released - -use readers/writers locks in Solaris2 in place of some mutexes. - -Solaris2 installation enhancements - Martin Forssen (maf@carlstedt.se) - -3.2.7 24/05/98 - Released - -u_long -> u_32_t conversions - -patches from Bernd Ernesti for NetBSD - -fixup ipmon to actually handle HUP's. - -Linux fixes from Michael H. Warfield (mhw@wittsend.com) - -update for keep state patch (not security related) - Guido - -dumphex() uses stdout rather than log - -3.2.6 18/05/98 - Released - -fix potential security loop hole in keep state code. - -update examples. - -3.2.5 09/05/98 - Released - -BSD/OS 3.1 .o files added for the kernel. - -fix sequence # skew vs window size check. - -fix minimum ICMP header size check. - -remove references to Cybersource. - -fix my email address. - -remove ntohl in ipnat - Thomas Tornblom - -3.2.4 09/04/98 - Released - -add script to make devices for /dev on BSD boxes - -fixup building into the kernel for FreeBSD 2.2.5 - -add -D command line option to ipmon to make it a daemon and SIGHUP causes -it to close and reopen the logfile - -fixup make clean and make package for SunOS5 - Marc Boucher - -postinstall keeps adding "minor=ipf ipl" - George Ross <gdmr@dcs.ed.ac.uk> - -protected by IP Filter gif - Sergey Solyanik <solik@atom.ru> - -3.2.3 10/11/97 - Released - -fix some iplang bugs - -fix tcp checksum data overrun, sgi #define changes, -avoid infinite loop when nat'ing to single IP# - Marc Boucher - -fixup DEVFS usage for FreeBSD *** 10281 LINES SKIPPED ***