current-users: HEADS UP: IPF 4.1.13

Subject: HEADS UP: IPF 4.1.13
To: None <current-users@netbsd.org>
From: Martti Kuparinen <martti.kuparinen@iki.fi>
List: current-users
Date: 04/04/2006 19:22:33
Hi!

I have just upgraded IPFilter to the latest version (4.1.13) on
NetBSD -current. You must recompile kernel and the ipf tools to
use the new version:

(cd share/mk && make install)
(cd sys && make includes)
(cd usr.sbin/ipf && make dependall install)

cd sys/arch/`uname -p`/conf
config GENERIC
cd ../compile/GENERIC
make dependall install

After reboot you may want to check the version number and run the
regression tests:

ipf -V
(cd regress/sys/kern/ipf && make && make clean)

If you detect errors (or have improvements), please send a problem report
with the send-pr tool.

Changes since 4.1.8
===================
- fix bug where null pointers introduced by proxies could cause a crash
- pass out the rule flags with SIOCAUTHW
- force loading NAT rules with bad proxy labels to cause an error
- nat_state is used unsafely in calls to fr_addstate
- make return-rst and return-icmp* work with auth rules
- poll support on FreeBSD/NetBSD needs to use selrecord/selwakeup
- make the fastroute code used by ipftest invoke state/NAT
- move verbose/debug macros out of fil.c and into ip_fil.h (for wider use)
- remove unused code in fr_fastroute
- fix NAT with rules that specify forward and reverise interfaces
- add missing ipfsync_canread() and ipfsync_canwrite()
- behaviour of \ on the end of a line in ipf.conf does not match older behaviour
- remove duplicate statistics line output with "ipfstat -s"
- Patch for NAT with ipfsync
- NetBSD coverity report fixes (from run 5)
- Possible to reacquire ipf_auth without releasing it in some circumstances
- Add poll support for platforms I can build on: NetBSD, FreeBSD, Solaris, Linux
- Using auth rules to return "keep state" got broken with pushing fr_addstate
   call into fr_firewall
- all use of '!' in map/rdr rules to match use in ipf configs
- add -L command line option to ipmon to set the default syslog facility
- looking up a port number is more complex than needed in ipft_tx.c
- allow lib/getport to work when neither tcp or udp are specified in a rule
- remove some dead code from lib/addicmpc, lib/facpri.c, lib/icmpcode.c
- program in some more cases where TCP packets fail an initial in-window
   check but should be allowed to match
- filter rule added with NAT/state handling of SIOCSTPUT doesn't properly
   initialise all fields, making it possible to panic
- simplify NAT ICMP error handling where it updates checksums
- rename "min" variables to "xmin" on NetBSD to avoid problems with the
   macro "min"
- #ifdef's for NetBSD compile incorrect for pfil interface
- support select/poll on NetBSD
- copying out a packet with an auth rule fails (EFAULT) because the wrong
   pointer is passed to copyoutptr
- ip_len/ip_off where byte swapped twice instead of once for packets
   going to be stored on the auth queue
- change timeout queue manipulation functions to make fewer mutex calls
- fix use of skip rules with groups
- fix coding problems discovered by the coverity project for FreeBSD
- Expand regression testing to cover more features
- Add IPv6 mobility header to list of accepted keywords for V6 headers
- Add checking for SACK permitted option in TCP SYN packets
- Fix loading anonymous pools from inline rule configuration groups
- Add -C command line option to ipftest
- Include extra "const" from NetBSD
- Don't require SIOCKSTLCK for SIOCSTPUT
- Fix some use of "sticky" on NAT rules
- Fix statistical counting of deleting state for TCP connections
- Fix compile problems caused by changes to is_opt/is_optmsk in ip_sync.c
- Fix TCP out-of-window (OOW) problems:
   * window scaling turned off if one chose for its scale factor
   * Microsoft Windows TCP sends the "next packet" to the right of the window
     when using SACK and filling in a hole
- make ipfilter fix IPv4 header checksums for outgoing packets if BRIDGE_IPF
   is defined when compiled.
- move the definition of SIOCPROXY from ip_nat.h to ip_proxy.h
- register for interface events on FreeBSD (>5.2.1) and NetBSD so that
   "ipf -y" is not not requried to tell ipfilter about interface changes.
- for "quick" rules that do "keep state", move the state adding into the rule
   evaluation so that we can detect it failing as rules are evaluated and
   continue on to the next rather than wait until we're done and it's too late
   to recover for more rule processing.
- mark ICMP packets advertising an MTU that's too small as being bad
- rework ipv6 header parsing to get better code reuse and fix logic errors
   in dealing with ipv6 packets containing fragment headers.  Also, where a
   protocol handler was doing both v4 & v6, make a seperate function for each.
- Use FI_ICMPERR flag rather than try to compute its equivalent all the time
- Rewrork IPv6 extension header parsing to get better code reuse
- Fix for locking when reading from ipsync
- Fix insertion/appending of rules that use a collection number
- fix problems with "ipf -T" not listing multiple variables properly