Subject: HEADS UP: ipf 4.1.8
To: None <current-users@netbsd.org>
From: Martti Kuparinen <martti.kuparinen@iki.fi>
List: current-users
Date: 04/03/2005 18:09:00
Hi!
I have just upgraded IPFilter to the latest version (4.1.8) on
NetBSD -current. You must recompile the kernel and the ipf tools to
use the new version:
(cd share/mk && make install)
(cd sys && make includes)
(cd usr.sbin/ipf && make dependall install)
cd sys/arch/`uname -p`/conf
config GENERIC
cd ../compile/GENERIC
make dependall install
After reboot you may want to check the version number and run the
regression tests:
ipf -V
(cd regress/sys/kern/ipf && make && make clean)
If you detect errors (or have improvements), please send a problem report
with the send-pr tool.
Changes since 4.1.6
* include path from Phil Dibowitz for sorting ipfstat -t output by source or
destination port.
* fix a bug in printing rules where interface names could not be printed,
even if they're in the rule structure.
* add 2 new features to SIOCGNATL:
- if IPN_FINDFORWARD is set, check if the respective MAP is already
present in the outbound table
- if IPN_IN is set, search for a matching MAP entry instead of RDR
(Peter Postma)
* UDP doesn't pullup enough data which can sometimes cause a panic.
Fix other protocols, as required, where a similar problem may exist.
* overhaul the timeout queue management, especially that for user defined queues
which are now only freed in an orderly manner.
* Using the GRE call field is almost impossible because it is unbalanced and
both call fields are not present in each v1 header.
* Fix a problem where it was possible to load duplicate rules into ipf
* Copying data out for ipf -z failed because it tried to copy out to an address
that is a kernel pointer in user space.
* add "ip" timeout for both NAT & state that's for non-TCP/UDP/ICMP
* fix problems parsing long lines of text in the ftp proxy where they would not
be parsed properly and stop the session from working
* enhance the PPTP proxy so that it tries to decode messages in the TCP stream
so it knows when to create and destroy the state/nat sessions for GRE. There
are also 4 new regression tests for it, testing map/rdr rules.
* impose some limits on the size of data that can be moved with SIOCSTPUT in
the NAT code and also prevent a duplicate session entry from being created
using this method.
* add a new flag (IPN_FINDFORWARD) to NAT code that can be used with SIOCGNATL
to check if it is possible to create an outgoing transparent NAT mapping to
complement the redirect being investigated.
* only resolve unknown interfaces in fr_stinsert, and nuke all interface
pointers in SIOCSTPUT to prevent bad data being loaded from userspace.
* make the byte counting for state correct (was counting data from ICMP
packet twice)
* print out the keyword "frag-body" if the flag is set.
* fix ipfs loading/restoring NAT sessions
* patch from Frank to correctly format IP addresses in ipfstat -t output
* parsing port numbers in ipf/ipnat was confusing as the port number was
returned in an int that was also overloaded to be the success/failure.
instead, change the port using pass by reference and only use the return
value for indicating success or failure.
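The last changelog item describes a small but security-relevant API cleanup: when one int carries both the parsed port and the error indication, a caller that stores the result in the u_short it actually wants silently turns the -1 error into 65535, a valid-looking port. The following is an added illustration of that before/after pattern, written for this note; it is not IPFilter's code, the function names (getport_overloaded, store_overloaded, getport) are constructed, and it only parses numeric ports, not service names.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* "Before" style (constructed, not IPFilter's actual function): the
 * return value is the port on success and -1 on failure, so one int
 * carries two meanings. */
int getport_overloaded(const char *s)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0' || v < 0 || v > 65535)
        return -1;      /* error shares the namespace with real ports */
    return (int)v;
}

/* Typical caller of the overloaded form: it wants a u_short, so the
 * -1 error is truncated to 65535 and the parse failure is lost. */
unsigned short store_overloaded(const char *s)
{
    unsigned short port = (unsigned short)getport_overloaded(s);
    return port;
}

/* "After" style: the port is passed back by reference and the return
 * value means only success (1) or failure (0). On failure *port is
 * left untouched, so a caller cannot pick up a half-parsed value. */
int getport(const char *s, unsigned short *port)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0' || v < 0 || v > 65535)
        return 0;
    *port = (unsigned short)v;
    return 1;
}

int main(void)
{
    /* Constructed sample inputs: a good port and a bad one. */
    const char *inputs[] = { "80", "bogus", "65535", "70000" };
    unsigned short p;
    size_t i;

    for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        p = 0;
        printf("%-6s overloaded->%5u  byref-> ok=%d port=%u\n",
               inputs[i], store_overloaded(inputs[i]),
               getport(inputs[i], &p), p);
    }
    return 0;
}
```

With the by-reference form, a rule parser checks the return value first and never consumes a port it did not successfully parse; the overloaded form makes "bogus" and "65535" indistinguishable once the result is stored in a u_short.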