git: 5ee61c7daa51 - main - ipfilter: Remove remaining unused bits
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 20 Dec 2021 14:17:35 UTC
The branch main has been updated by cy:
URL: https://cgit.FreeBSD.org/src/commit/?id=5ee61c7daa511927aae8652d6a3ea78866a50ef8
commit 5ee61c7daa511927aae8652d6a3ea78866a50ef8
Author: Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2021-12-16 04:52:48 +0000
Commit: Cy Schubert <cy@FreeBSD.org>
CommitDate: 2021-12-20 14:16:33 +0000
ipfilter: Remove remaining unused bits
Remove the remaining unused source files. These were never used.
This is the last of a three commit series to move ipfilter.
Discussed with: glebius
Reviewed by: glebius, kp (for #network)
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D33510
---
contrib/ipfilter/BugReport | 12 -
contrib/ipfilter/HISTORY | 1830 ------------
contrib/ipfilter/LICENCE | 16 -
contrib/ipfilter/Makefile | 410 ---
contrib/ipfilter/NAT.FreeBSD | 104 -
contrib/ipfilter/README | 101 -
contrib/ipfilter/STYLE.TXT | 57 -
contrib/ipfilter/WhatsNew50.txt | 83 -
contrib/ipfilter/Y2K | 3 -
contrib/ipfilter/arc4random.c | 267 --
contrib/ipfilter/ip_fil_compat.c | 4811 --------------------------------
contrib/ipfilter/ipf_rb.h | 364 ---
contrib/ipfilter/lib/Makefile | 443 ---
contrib/ipfilter/man/Makefile | 31 -
contrib/ipfilter/man/ipfilter.4.mandoc | 267 --
contrib/ipfilter/opt_inet6.h | 1 -
contrib/ipfilter/snoop.h | 47 -
contrib/ipfilter/sys/tree.h | 750 -----
contrib/ipfilter/tools/BNF.ipf | 80 -
contrib/ipfilter/tools/BNF.ipnat | 28 -
contrib/ipfilter/tools/Makefile | 104 -
contrib/ipfilter/tools/ipfsyncd.c | 671 -----
contrib/ipfilter/tools/ipsyncm.c | 256 --
contrib/ipfilter/tools/ipsyncs.c | 274 --
contrib/ipfilter/tools/lex_var.h | 60 -
25 files changed, 11070 deletions(-)
diff --git a/contrib/ipfilter/BugReport b/contrib/ipfilter/BugReport
deleted file mode 100644
index 699483189012..000000000000
--- a/contrib/ipfilter/BugReport
+++ /dev/null
@@ -1,12 +0,0 @@
-Please submit this information at SourceForge using this URL:
-http://sourceforge.net/tracker/?func=add&group_id=169098&atid=849053
-
-Please also send an email to darrenr@reed.wattle.id.au.
-
-Some information that I generally find important:
---------------------------
-* IP Filter Version
-* Operating System and its Version
-* Configuration: (LKM or compiled-into-kernel)
-* Description of problem
-* How to repeat
diff --git a/contrib/ipfilter/HISTORY b/contrib/ipfilter/HISTORY
deleted file mode 100644
index 8b67de7bfe47..000000000000
--- a/contrib/ipfilter/HISTORY
+++ /dev/null
@@ -1,1830 +0,0 @@
-#
-# NOTE: Quite a few patches and suggestions come from other sources, to whom
-# I'm greatly indebted, even if no names are mentioned.
-#
-# Thanks to the Coombs Computing Unit at the ANU for their continued support
-# in providing a very available location for the IP Filter home page and
-# distribution center.
-#
-# Thanks also to all those who have contributed patches and other code,
-# and especially those who have found the time to port IP Filter to new
-# platforms.
-#
-5.1.2 - RELEASED - 22 Jul 2012
-
-3546266 macro letters could be more consistent
-3546265 not all of the state statistics are displayed
-3546261 scripts for updating BSD environment out of date
-3546260 compiler warnings about non-integer array subscript
-3546259 asserting numdereflists == 0 is not correct
-3546258 expression matching does not see IPF_EXP_END
-3544317 ipnat/ipfstat are not using ipfexp_t
-3545324 proxy checksum calculation is not hardware aware
-3545321 FTP sequence number adjustment incorrectly applied
-3545320 EPSV is not recognised
-3545319 move nat rule creation to ip_proxy.c
-3545317 better feedback of checksum requirements for proxies
-3545314 ftp proxy levels do not make sense
-3545312 EPRT is not supported by ftp proxy
-3544318 ipnat.conf parsing ignores LHS address family
-3545309 non-ipv6 safe proxies do not fail with ipv6
-3545323 NAT updates the source port twice
-3545322 ipv6 nat rules cannot start proxies
-3544314 bucket copyout tries to copy too much data
-3544313 remove nat encap feature
-3546248 compat rule pointer type mismatch
-3546247 UDP hardware checksum offload not recognised
-3545311 ifp_ifaddr does not find the first set address
-3545310 ipmon needs ipl_sec on 64bit boundary
-3545326 reference count changes made without lock
-3544315 stateful matching does not use ipfexp_t
-3543493 tokens are not flushed when disabled
-3543487 NAT rules do not always release lookup objects
-3543491 function comments in ip_state.c are old
-3543404 ipnat.conf parsing uses family/ip version badly
-3543403 incorrect line number printed in ipnat parsing errors
-3543402 Not all NAT statistics are printed
-3542979 NAT session list management is too simple
-3542978 ipv4 and ipv6 nat insert have common hash insertion
-3542977 ipnat_t refence tracking incomplete
-3542975 proxies must use ipnat_t separately
-3542980 printing ipv6 expressions is wrong
-3542983 ippool cannot handle more than one ipv6 address
-3543018 mask array shifted incorrectly.
-3542974 reason for dropping packet is lost
-3542982 line numbers not recorded/displayed correctly by ipf
-3542981 exclamation mark cuases trouble with pools
-3541655 test suite checksums incorrect
-3541653 display proxy fail status correctly
-3540993 IP header offset excluded in pullup calculations
-3540994 pullupmsg does not work as required
-3540992 pointer to ipv6 frag header not updated on pullup
-3541645 netmask management adds /32 for /0
-3541637 ipnat parser does not zero port fields for non-port protocol
-3541635 pool names cannot by numbers
-3540995 IPv6 fragment tracking does not always work
-3540996 printing of nextip for ipv6 nat rules is wrong
-3540999 ipnat.conf parsing has trouble with icmpidmap for ipv6
-3540825 whois output parsing error for ipv6
-3540814 ipfd_lock serves no purpose
-3540810 lookup objects need tail pointers
-3540809 refactor hash table lookups for nat
-3540819 radix tree does not work with ipv6
-3540820 mutex emulation should be logged
-3540828 ipfstat filtering with -m fails tests
-3536480 ippool could be more like the others
-3536477 pool printing not uniform
-3536483 flushing empty destination lists causes panic
-3536481 more use of bzero after KMALLOC required
-3536479 ipnat.conf line numbers not stored
-3536484 Makefile missing dependency for ippool
-3536199 TFTP proxy requires something extra
-3536198 ICMP checksum out by one
-3536203 ipnat does not return an error
-3536201 ipf.conf parsing too address friendly
-3536200 printing of bytes/packets not indented
-3497941 ipv4 multicast detection incorrect on little endian
-3535361 to interfaces printed out of order
-3535363 ipf parser is inconsistent
-3532306 deleting ipnat rules does not work
-3532054 new error required for ipf_rx_create
-3532053 icmp6 checksums wrong
-3532052 icmpv6 state check with incorrect length
-3531871 checksum verification wants too many icmp6 bytes
-3531870 ipnat.conf parsing needs to support inet6
-3532048 error in ipf group parsing
-3531868 ICMPV6 checksum not validated
-3531893 ipftest exits without error for bad input
-3531890 whois pool parsing builds bad structures
-3531891 icmpv6 text parsing ignorant of icmp types
-3531653 rewrite with icmp does not work
-3530563 NAT operations fail with EPERM
-3530544 first pass at gcc -Wextra cleanup
-3530540 lookup create functions do not set error properly
-3530539 ipf_main_soft_destroy doesn't need 2nd arg
-3530541 reorder structure for better packing
-3530543 ipnat purge needs documentation
-3530515 BSD upgrade script required
-3528029 ipmon bad-mutex panic
-3530247 loading address pools light on input validation
-3530255 radix tree delete uses wrong lookup
-3530254 radix tree allocation support wrong
-3530264 ipmon prints qd for some 64bit numbers
-3530260 decapsulate rules not printed correctly.
-3530266 ipfstat -v/-d flags confused
-2939220 why a packet is blocked is not discernable
-2939218 output interface not recorded
-2941850 use of destination lists with to/dup-to beneficial
-3457747 build errors introduced with radix change
-3535360 timeout groups leak
-3535359 memory leak with tokens
-3535358 listing rules in groups requires tracking groups
-3535357 rule head removal is problematic
-3530259 not all ioctl error checked wth SIOCIPFINTERROR
-3530258 error routine that uses fd required
-3530253 inadequate function comment blocks
-3530249 walking lookup tables leaks memory
-3530241 extra lock padding required for freebsd
-3529901 ipf returns 0 when rules fail to load
-3529491 checksum validation could be better
-3529486 tcp checksum wrong for ipv6
-3533779 ipv6 nat rules missing inet6 keyword
-3532693 ipnat.conf rejects some ipv6 addresses
-3532691 ipv4 should not be forced for icmp
-3532689 ipv6 nat rules do not print inet6
-3532688 ipv6 address always printed with "to <if>"
-3532687 with v6hdrs not supported like with ipopts
-3532686 ipf expressions do not work with ipv6
-3540825 whois output parsing error for ipv6
-3540818 NAT for certain IPv6 ICMP packets should not be allowed
-3540815 memory leak with destination lists
-3540814 ipfd_lock serves no purpose
-3540810 lookup objects need tail pointers
-3540809 refactor hash table lookups for nat
-3540808 completed tokens do not stop iteration
-3530492 address hash table name not used
-3528029 ipmon bad-mutex panic
-3530256 hook memory leaked
-3530271 pools parsing produces badly formed address structures
-3488061 cleanup for illumos build
-3484434 SIOCIPFINTERROR must work for all devices
-3484067 mandoc -Tlint warnings to be fixed
-3483343 compile warning in ipfcomp.c
-3482893 building without IPFILTER_LOG fails
-3482765 building netbsd kernel without inet6 fails
-3482116 ipf_check frees packet from ipftest
-3481663 does not compile on solaris 11
-
-5.1.1 - RELEASED - 9 May 2012
-
-3481322 ip_fil_compat.c needs a cleanup
-3481211 add user errors to dtrace
-3481152 compatibility for 4.1 needs more work
-3481153 PRIu64 problems on FreeBSD
-3481155 ipnat listing incorrect
-3480543 change leads to compat problems
-3480538 compiler errors from earlier patch
-3480537 ipf_instance_destroy is incomplete
-3480536 _fini order leads to panic
-3479991 compiler warnings about size mismatches
-3479974 copyright dates are wrong (fix)
-3479464 add support for leaks testing
-3479457 %qu is not the prefered way
-3479451 iterators leak memory
-3479453 nat rules with pools leak
-3479454 memory leak in hostmap table
-3479461 load_hash uses memory after free
-3479462 printpool leaks memory
-3479452 missing FREE_MB_T to freembt leaks
-3479450 ipfdetach is called when detached
-3479448 group mapping rules memory leak
-3479455 memory leak from tuning
-3479458 ipf must be running in global zone
-3479460 driver replace is wrong
-3479459 radix tree tries to free null pointer
-3479463 rwlock emulation does not free memory
-3479465 parser leaks memory
-3475959 hardware checksum not correctly used
-3475426 ip pseudo checksum wrong
-3473566 radix tree does not delete dups right
-3472987 compile is not clean
-3472337 not everything is zero'd
-3472344 interface setup needs to be after insert
-3472340 wildcard counter drops twice
-3472338 change fastroute interface
-3472335 kernel lock defines not placed correctly
-3472324 ICMP INFOREQ/REPLY not handled
-3472330 multicast packets tagged by address
-3472333 ipf_deliverlocal called incorrectly
-3472345 mutex debug could be more granular
-3472761 building i19 regression is flawed
-3456457 use of bsd tree.h needs to be removed
-3460522 code cleanup required for building on freebsd
-3459734 trade some cpu for memory
-3457747 build errors introduced with radix change
-3457804 build errors from removal of pcap-int,h
-3440163 rewrite radix tree
-3428004 snoop, tcpdump, etherfind readers are unused
-3439495 ipf_rand_push never called (fix brackets)
-3437732 getnattype does not need to use ipnat_t (fix variable name)
-3437696 fr_cksum is a nightmare
-3439061 ipf_send_ip doesn't need 3rd arg
-3439059 ipid needs to be file local
-3437740 complete buildout of fnew
-3438575 add dtrace probes to block events
-3438347 comment blocks missing softc
-3437687 description of ipf_makefrip wrong
-3438340 more stats as dtrace probes
-3438316 free on nat structure uses fixed size
-3437745 nat iterator using the wrong size
-3437710 fail checksum verification if packet is short
-3437696 fr_cksum is a nightmare
-3437732 getnattype does not need to use ipnat_t
-3437735 rename ipf_allocmbt to allocmbt
-3437697 fr_family to version assignment is wrong
-3437746 ap_session_t has unused fields
-3437747 move softc structure to .h file (ip_state.c)
-3437704 there is no DTRACE_PROBE5
-3437748 wrong interface in qpktinfo_t
-3437729 create function to hexdump mb_t
-3438273 msgdsize should be easier to read
-3437683 object direction not set for 32bit
-3433767 calling ip_cksum could be easier
-3433764 left over locking
-3428015 printing proxy data size is useless
-3428013 add M_ADJ to hide adjmsg/m_adj
-3428012 interface name is not always returned correctly
-3428002 ip_ttl is too low
-3427997 ipft readers do not set buffer length
-3426558 resistence is futile
-3424495 various copy-paste errors
-1826936 shall we allow ipf to be as dumb as its admin
-3424477 specfuncs needs to go
-3424484 missing fr_checkv6sum
-3424478 one entry at a time
-2998760 auth rules do not mix well with to/dup-to/fastroute
-3424195 add ctfmerge to sunos5 makefile
-3424132 some dtrace probes to start with
-3423812 makefile needs ip_frag.h for some files
-3423817 reference count useful in verbose output
-3423800 walking lists does not drop reference
-3423805 fragmentation stats not reported correclty
-3423808 ip addresses reportied incorrectly with ipfstat -f
-3423821 track packets and bytes for fragmentation
-3423803 attempt to double free rule
-3423805 fragmentation stats not reported correctly
-3422712 system panic with ipfstat -f
-3422619 pullup counter bumped for every packet
-3422608 dummy rtentry required to build
-3422018 frflush next to ipf_fini_all is redundant
-3422012 instance cleanup is not clean
-3421845 instance name not set
-3005622 ip_fil5.1.0 does not load on Solaris 10 U8
-2976332 stateful filtering is incompatible with ipv4 options
-3387509 ipftest needs help construction ip packets with options
-2998746 passp can never be null
-3064034 mbuf clobbering problem with ipv6
-3105725 ipnat divide by zero panic
-2998750 ipf_htent_insert can leak memory
-3064034 mbuf clobbering problem with ipv6
-3105725 ipnat divie by zero panic
-
-5.1 - RELEASED - 9 May 2010
-
-* See WhatsNew50.txt
-
-4.1 - RELEASED - 12 February 2004
-
-4.0-BETA1 20 August 2003
-
-support 0/32 and 0/0 on the RHS in redirect rules
-
-where LHS and RHS netmasks are the same size for redirect, do 1:1 mapping
-for bimap rules.
-
-allow NAT rule to match 'all' interfaces with * as interface name
-
-do mapping of ICMP sequence id#'s in pings
-
-allow default age for NAT entries to be set per NAT rule
-
-provide round robin selection of destination addresses for redirect
-
-ipmon can load a configuration file with instructions on actions
-to take when a matching log entry is received
-
-now requires pfil to work on Solaris & HP-UX
-
-supports mapping outbound connections to a specific address/port
-
-support toggling of logging per ipfilter 'device'
-
-use queues to expire data rather than lists
-
-add MSN RPC proxy
-
-add IRC proxy
-
-support rules with dynamic ip addresses
-
-add ability to define a pool of addresses & networks which can then
-be placed in a single rule
-
-support passing entire packet back to user program for authentication
-
-support master/slave for state information sharing
-
-reorganise generic code into a lib directory and make libipf.a
-
-user programs enforce version matching with the kernel
-
-supports window scaling if seen at TCP session setup
-
-generates C code from filter rules to compile in or load as native
-machine code.
-
-supports loading rules comprised of BPF bytecode statements
-
-HP-UX 11 port completed
-
-and packets-per-second filtering
-
-add numerical tags to rules for filtering and display in ipmon output
-
-3.4.4 23/05/2000 - Released
-
-don't add TCP state if it is an RST packet and (attempt) to send out
-RST/ICMP packets in a manner that bypasses IP Filter.
-
-add patch to work with 4.0_STABLE delayed checksums
-
-3.4.3 20/05/2000 - Released
-
-fix ipmon -F
-
-don't truncate IPv6 packets on Solaris
-
-fix keep state for ICMP ECHO
-
-add some NAT stats and use def_nat_age rather than DEF_NAT_AGE
-
-don't make ftp proxy drop packets
-
-use MCLISREFERENCED() in tandem with M_EXT to check if IP fields need to be
-swapped back.
-
-fix up RST generation for non-Solaris
-
-get "short" flag right for IPv6
-
-3.4.2 - 10/5/2000 - Released
-
-Fix bug in dealing with "hlen == 1 and opt > 1" - Itojun
-
-ignore previous NAT mappings for 0/0 and 0/32 rules
-
-bring in a completely new ftp proxy
-
-allow NAT to cause packets to be dropped.
-
-add NetBSD callout support for 1.4-current
-
-3.4.1 - 30/4/2000 - Released
-
-add ratoui() and fix parsing of group numbers to allow 0 - UINT_MAX
-
-don't include opt_inet6.h for FreeBSD if KLD_MODULE is defined
-
-Solaris must use copyin() for all types of ioctl() args
-
-fix up screen/tty when leaving "top mode" of ipfstat
-
-linked list for maptable not setup correctly in nat_hostmap()
-
-check for maptable rather than nat_table[1] to see if malloc for maptable
-succeeded in nat_init
-
-fix handling of map NAT rules with "from/to" host specs
-
-fix printout out of source address when using "from/to" with map rules
-
-convert ip_len back to network byte order, not plen, for solaris as ip_len
-may have been changed by NAT and plen won't reflect this
-
-3.4 - 27/4/2000 - Released
-
-source address spoofing can be turned on (fr_chksrc) without using
-filter rules
-
-group numbers are now 32bits in size, up from 16bits
-
-IPv6 filtering available
-
-add frank volf's state-top patches
-
-add load splitting and round-robin attribute to redirect rules
-
-FreeBSD-4.0 support (including KLD)
-
-add top-style operation mode for ipfstat (-t)
-
-add save/restore of IP Filter state/NAT information (ipfs)
-
-further ftp proxy security checks
-
-support for adding and removing proxies at runtime
-
-3.3.13 26/04/2000 - Released
-
-Fix parsing of "range" with "portmap"
-
-Relax checking of ftp replies, slightly.
-
-Fix NAT timeouts for ICMP packets
-
-SunOS4 patches for ICMP redirects from Jurgen Keil (jk@tools.de)
-
-3.3.12 16/03/2000 - Released
-
-tighten up ftp proxy behaviour. sigh. yuck. hate.
-
-fix bug in range check for NAT where the last IP# was not used.
-
-fix problem with icmp codes > 127 in filter rules caused bad things to
-happen and in particular, where #18 caused the rule to be printed
-erroneously.
-
-fix bug with the spl level not being reset when returning EIO from
-iplioctl due to ipfilter not being initialized yet.
-
-3.3.11 04/03/2000 - Released
-
-make "or-block" work with lines that start with "log"
-
-fix up parsing and printing of rules with syslog levels in them
-
-fix from Cy Schubert for calling of apr_fini only if non-null
-
-
-3.3.10 24/02/2000 - Released
-
-* fix back from guido for state tracking interfaces
-
-* update for NetBSD pfil interface changes
-
-* if attaching fails and we can abort, then cleanup when doing so.
-
-julian@computer.org:
-* solaris.c (fr_precheck): After calling freemsg on mt, set it point to *mp.
-* ipf.c (packetlogon): use flag to store the return value from get_flags.
-* ipmon.c (init_tabs): General cleanup so we do not have to cast
- an int s->s_port to u_int port and try to check if the u_int port
- is less than zero.
-
-3.3.9 15/02/2000 - Released
-
-fix scheduling of bad locking in fr_addstate() used when we attach onto
-a filter rule.
-
-fix up ip_statesync() with storing interface names in ipstate_t
-
-fix fr_running for LKM's - Eugene Polovnikov
-
-junk using pullupmsg() for solaris - it's next to useless for what we
-need to do here anyway - and implement what we require.
-
-don't call fr_delstate() in fr_checkstate(), when compiled for a user
-program, early but when we're finished with it (got fr & pass)
-
-ipnat(5) fix from Guido
-
-on solaris2, copy message and use that with filter if there is another
-copy if it being used (db_ref > 1). bad for performance, but better
-than causing a crash.
-
-patch for solaris8-fcs compile from Casper Dik
-
-3.3.8 01/02/2000 - Released
-
-fix state handling of SYN packets.
-
-add parsing recognition of extra icmp types/codes and fix handling of
-icmp time stamps and mask requests - Frank volf
-
-3.3.7 25/01/2000 - Released
-
-sync on state information as well as NAT information when required
-
-record nat protocol in all nat log records
-
-don't reuse the IP# from an active NAT session if the IP# in the rule
-has changed dynamically.
-
-lookup the protocol for NAT log information in ipmon and pass that to
-portname.
-
-fix the bug with changing the outbound interface of a packet where it
-would lead to a panic.
-
-use fr_running instead of ipl_inited. (sysctl name change on freebsd)
-
-return EIO if someone attempts an ioctl on state/nat if ipfilter is not
-enabled.
-
-fix rule insertion bug
-
-make state flushing clean anything that's not fully established (4/4)
-
-call fr_state_flush() after we've released ipf_state so we don't generate
-a recursive mutex acquisition panic
-
-fix parsing of icmp code after return-icmp/return-icmp-as-dest and add
-some patches to enhance parsing strength
-
-3.3.6 28/12/1999 - Released
-
-add in missing rwlock release in fr_checkicmpmatchingstate() and fix check
-for ICMP_ECHO to only be for packet, not state entry which we don't have yet.
-
-handle SIOCIPFFB in nat_ioctl() and fr_state_ioctl()
-
-fix size of friostat for SunOS4
-
-fix bug in running off the end of a buffer in real audio proxy
-
-3.3.5 11/12/1999 - Released
-
-fix parsing of "log level" and printing it back out too
-
-<net/if_types.h> is only present on Solaris2.6/7/8
-
-use send_icmp_err rather than icmp_error to send back a frag-needed error
-when doing PMTU
-
-do not use -b with add_drv on Solaris unless $BASEDIR is set.
-
-fix problem where source address in icmp replies is reversed
-
-fix yet another problem with real audio.
-
-3.3.4 4/12/1999 - Released
-
-fix up the real audio proxy to properly setup state information and NAT
-entries, thanks to Laine Stump for testing/advice/fixes.
-
-fix ipfr_fastroute to set dst->sin_addr (Sean Farley - appears to prevent
-FreeBSD 3.3 from panic'ing) as this had been removed in prior hacks to this
-routine.
-
-fix kinstall for BSDI
-
-support ICMP errors being allowed through for ICMP packets going out with
-keep state enabled
-
-support hardware checksumming (gigabit ethernet cards) on Solaris thanks to
-Tel.Net Media for providing hardware for testing.
-
-patched from Frank Volf for ipmon (ICMP & fragmented packets) and allowing
-ICMP responses to ICMP packets in the keep state table.
-
-add in patches for hardware checksumming under solaris
-
-Solaris install scripts now use $BASEDIR as appropriate.
-
-add Solaris8 support
-
-fix "ipf -y" on solaris so that it rescans rules also for changes in
-interface pointers
-
-let ipmon become a daemon with -D if it is using syslog
-
-fix parsing of return-icmp-as-dest(foo)
-
-add reference to ipfstat -g to ipfstat.8
-
-ipf_mutex needs to be declared for irix in ip_fil.c
-
-3.3.3 22/10/1999 - Released
-
-add -g command line option to ipfstat to show groups still define.
-
-fix problem with fragment table not recording rule pointer when called
-from state functions (fin_fr not set).
-
-fixup fastroute problems with keep state rules.
-
-load rules into inactive set first, so we don't disable things like NIS
-lookups half way through processing - found by Kevin Littlejohn
-
-fix handling of unaligned ip pointer for solaris
-
-patch for fr_newauth from Rudi Sluijtman
-
-fixed htons() bug in fr_tcpsum() where ip_p wasn't cast to u_short
-
-3.3.2 23/09/1999 - Released
-
-patches from Scott Presnell to fix rcmd proxy
-
-patches from Greg to fix Solaris detachment of interfaces
-
-add openbsd compatibility fixes
-
-fix free'ing already freed memory in ipfr_slowtimer()
-
-fix for deferencing invalid memory in cleaning up after a device disappears
-
-3.3.1 14/8/1999 - Released
-
-remove include file sys/user.h for irix
-
-prevent people from running buildsunos directly
-
-fix up some problems with the saving of rule pointers so that NAT saves
-that information in case it should need to call fr_addstate() from a proxy.
-
-fix up scanning for the end of FTP messages
-
-don't remove /etc/opt/ipf in postremove
-
-attempt to prevent people running buildsolaris script without doing a
-"make solaris"
-
-fix timeout losing on freebsd3
-
-3.3 7/8/1999 - Released
-
-NAT: information (rules, mappings) are stored in hash tables; setup some
-basic NAT regression testing.
-
-display version name of installed kernel code when initializing.
-
-add -V command line option to ipf, showing version (program and kernel
-module) as well as the run-status of the kernel code.
-
-fix problem with "log" rules actually affecting result of filtering.
-
-automatically use SUNWspro if available and on a 64bit Solaris system for
-compiling.
-
-add kernel proxies for rcmd(3) and RealAudio (PNA)
-
-use timeout/untimeout on SunOS4/BSD platforms too rather than hijacking
-ip_slowtimo
-
-fix IP headers generated through parsing of text information
-
-fix NAT rules to be in the correct order again.
-
-make keep-state work with to/fastroute keywords and enforce usage of those
-interfaces.
-
-update keep-state code with new algorithm from Guido
-
-add FreeBSD-3 support
-
-add return-icmp-as-dest option to retrun an ICMP packet using the original
-destination as the source rather than a local IP address
-
-add "level [facility.]<priority>" option to filter language
-
-add changes from Guido to state code.
-
-add code to return EPERM if the device is opened for writing and we're
-in securelevel 2 or greater.
-
-authentication code patches from Guido
-
-fix real audio proxy
-
-fix ipmon rule printing of interfaces and add IN/OUT to the end of ipmon
-log output.
-
-fix bimap rules with hash tables
-
-update addresses used in NAT mappings for 0/32 rules for any protocol but TCP
-if it changes on the interface - check every ip_natexpire()
-
-add redirect regression test
-
-count buckets used in the state hash table.
-
-fix sending of RST's with return-rst to use the ack number provided in
-the packet being replied to in addition to the sequence number.
-
-fix to compile as a 64bit application on solaris7-64bit
-
-add NAT IP mapping to ranges of IP addresses that aren't CIDR specified
-
-fix calculation of in_space parameter for NAT
-
-fix `wrapping' when incrementing the next ip address for use in NAT
-
-fix free'ing of kernel memory in ip_natunload on solaris
-
-fix -l/-U command line options from interfering with each other
-
-fix fastroute under solaris2 and cleanup compilation for solaris7
-
-add install scripts and compile cleanly on BSD/OS 4.0
-
-safely open files in /tmp for writing device output when testing.
-
-fix uninitialized pointer bug in NAT
-
-fix SIOCZRLST (zero list rule stats) bug with groups
-
-change some usage of u_short to u_int in function calling
-
-fix compilation for Solaris7 (SUNWspro)
-
-change solaris makefiles to build for either sparc or i386 rather than
-per-cpu (sun4u, etc).
-
-fixed bug in ipllog
-
-add patches from George Michaelson for FreeBSD 3.0
-
-add patch from Guido to provide ICMP checking for known state in the same
-manner as is done for NAT.
-
-enable FTP PASV proxying and enable wildcarding in NAT/state code for ports
-for better PORT/PASV support with FTP.
-
-bring into main tree static nat features: map-block and "auto" portmapping.
-
-add in source host filtering for redirects (alan jones)
-
-3.2.10 22/11/98 - Released
-
-3.2.10beta9 17/11/98 - Released
-
-fix fr_tcpsum problems in handling mbufs with an odd number of bytes
-and/or split across an mbuf boundary
-
-fix NAT list entry comparisons and allow multiple entries for the same
-proxy (but on different ports).
-
-don't create duplicate NAT entries for repeated PORT commands.
-
-3.2.10beta8 14/11/98 - Released
-
-always exit an rwlock before expecting to enter it again on solaris
-
-fix loop in nat_new for pre-existing nat
-
-don't setup state for an ftp connection if creating nat fails.
-
-3.2.10beta7 05/11/98 - Released
-
-set fake window in ipft_tx.c to ensure code passes tests.
-
-cleaned up/enhanced ipnat -l/ipnat -lv output
-
-fixed NAT handling of non-TCP/UDP packets, esp. for ICMP errors returned.
-
-Solaris recusive mutex on icmp-error/tcp-reset - requires rwlock's rather
-than mutexes.
-
-3.2.10beta6 03/11/98 - Released
-
-fix mixed use of krwlock_t and kmutex_t on Solaris2
-
-fix FTP proxy back up, splitting pasv code out of port code.
-
-3.2.10beta5 02/11/98 - Released
-
-fixed port translation in ICMP reply handling
-
-3.2.10beta4 01/11/98 - Released
-
-increase useful statistic collection on solaris
-
-filter DL_UNITDATA_REQ as well as DL_UNITDATA_IND on solaris
-
-disable PASV reply translation for now
-
-fail with an error if we try to load a NAT rule with a non-existant
- proxy name - Guido
-
-fix portmap usage with 0/0 and 0/32 map rules
-
-remove ap_unload/ap_expire - automatically done when NAT is cleaned up
-
-print "STATE:CLOSED" from ipmon if the connection progresses past established
- rather than "STATE:EXPIRED"
-
-3.2.10beta3 26/10/98 - Released
-
-fixed traceroute/nat problem
-
-rewrote nat/proxy interface
-
-ipnat now lists associated proxy sessions for each NAT where applicable
-
-3.2.10beta2 13/10/98 - Released
-
-use KRWLOCK_T in place of krwlock_t for solaris as well as irix
-
-disable use of read-write lock acquisition by default
-
-add in mb_t for linux, non-kernel
-
-some changes to progress compilation on linux with glibc
-
-change PASV as well as PORT when passed through kernel ftp proxy.
-
-don't allow window to become 0 in tcp state code
-
-make ipmon compile cleaner
-
-irix patches
-
-3.2.10beta 11/09/98 - Released
-
-stop fr_tcpsum() thinking it has run out of data when it hasn't.
-
-stop solaris panics due to fin_dp being something wild.
-
-revisit usage of ATOMIC_*()
-
-log closing state of TCP connection in "keep state"
-
-fix fake-arp table code for ipsend.
-
-ipmon now writes pid to a file.
-
-fix "ipmon -a" to actually activate all logging devices.
-
-add patches for BSDOS4.
-
-perl scripts for log analysis donated.
-
-3.2.9 22/06/98 - Released
-
-fix byte order for ICMP packets generated on Solaris
-
-fix some locking problems.
-
-fix malloc bug in NAT (introduced in 3.2.8).
-
-patch from guido for state connections that get fragmented
-
-3.2.8 08/06/98 - Released
-
-use readers/writers locks in Solaris2 in place of some mutexes.
-
-Solaris2 installation enhancements - Martin Forssen (maf@carlstedt.se)
-
-3.2.7 24/05/98 - Released
-
-u_long -> u_32_t conversions
-
-patches from Bernd Ernesti for NetBSD
-
-fixup ipmon to actually handle HUP's.
-
-Linux fixes from Michael H. Warfield (mhw@wittsend.com)
-
-update for keep state patch (not security related) - Guido
-
-dumphex() uses stdout rather than log
-
-3.2.6 18/05/98 - Released
-
-fix potential security loop hole in keep state code.
-
-update examples.
-
-3.2.5 09/05/98 - Released
-
-BSD/OS 3.1 .o files added for the kernel.
-
-fix sequence # skew vs window size check.
-
-fix minimum ICMP header size check.
-
-remove references to Cybersource.
-
-fix my email address.
-
-remove ntohl in ipnat - Thomas Tornblom
-
-3.2.4 09/04/98 - Released
-
-add script to make devices for /dev on BSD boxes
-
-fixup building into the kernel for FreeBSD 2.2.5
-
-add -D command line option to ipmon to make it a daemon and SIGHUP causes
-it to close and reopen the logfile
-
-fixup make clean and make package for SunOS5 - Marc Boucher
-
-postinstall keeps adding "minor=ipf ipl" - George Ross <gdmr@dcs.ed.ac.uk>
-
-protected by IP Filter gif - Sergey Solyanik <solik@atom.ru>
-
-3.2.3 10/11/97 - Released
-
-fix some iplang bugs
-
-fix tcp checksum data overrun, sgi #define changes,
-avoid infinite loop when nat'ing to single IP# - Marc Boucher
-
-fixup DEVFS usage for FreeBSD
*** 10281 LINES SKIPPED ***