Hi!

I have just upgraded IPFilter to the latest version (3.4.29) on
NetBSD -current. You must recompile kernel and the ipf tools to
use the new version:

# (cd /usr/src/sys && make includes)
# (cd /usr/src/usr.sbin/ipf && make dependall install)

After reboot you should see this message:

IP Filter: v3.4.29 initialized.  Default = pass all, Logging = enabled

I have tested this on alpha, i386 and sparc64 and things seem to work
without any errors. If you detect errors (or have improvements), please
send a problem report with the send-pr tool.

Changes since 3.4.27:

* Make substantial changes to the FTP proxy to improve reliability, security
  and functionality.
* Don't send ICMP errors/TCP RST's in response to blocked proxy packets
* Fix potential memory leaks when unloading ipfilter from kernel
* Fix bug in SIOCGNATL handler that did not preserve the expected
  byte order from earlier versions in the port number
* Set do not fragment flag in generated packets according to system flags,
  where available.
* Preserve filter rule number and group number in state structure
* Fix bug in ipmon printing of p/P/b/B
* Make some changes to the kmem.c code for IRIX compatibility
* Fix for H.323 proxy to work on little endian boxes
* Allow use of groups > 65535
* Create a new packet info summary for packets going through ipfr_fastroute()
  so that where details are different (RST/ICMP errors), the packet now gets
  correctly NAT'd, etc.
* Fix the FTP proxy so that checks for TCP sequence numbers outside the
  normal offset due to data changes use absolute numbers
* Make it possible to remove rules in ipftest
* Fix error in printout out the protocol in NAT rules
* Always unlock ipfilter if locking fails half way through in ipfs
* Fix problems with TCP window scaling
* Update of man pages for ipnat(4) and ipftest(1)

Martti

---
Martti Kuparinen <martti.kuparinen@iki.fi>      NetBSD - No media hype
http://www.iki.fi/kuparine/                     http://www.netbsd.org/