Subject: IPFilter updated to 4.1.19
To: None <>
From: Martin Husemann <>
List: current-users
Date: 04/14/2007 23:16:02

I have just upgraded IPFilter to the latest version (4.1.19) on
NetBSD -current. You must recompile the kernel and the ipf tools to
use the new version:

(cd share/mk && make install)
(cd sys && make includes)
(cd usr.sbin/ipf && make dependall install)

cd sys/arch/`uname -p`/conf
config GENERIC
cd ../compile/GENERIC
make dependall install

After reboot you may want to check the version number and run the
regression tests:

ipf -V
(cd regress/sys/kern/ipf && make && make clean)

If you detect errors (or have improvements), please send a problem report
with the send-pr tool.


Changes since 4.1.13

- fix listing out filter rules with ipfstat (delete token at end of
  the list and detect zero rule being returned.)

- fix extended flushing of NAT tables (was clearing out state tables)

- fix null-pointer deref in hash table lookup

- fix NAT and stateful filtering with to/reply-to on destination interface

- make flushing pools that are still in use mark them for deletion and
  have attempting to recreate them clear the delete flag

- walking through the NAT tables with ioctls caused lock recursion

- fix tracking TCP window scaling in the state code

- missing include for <sys/filio.h> on Solaris for poll work

- rewrite checksum alteration for ICMP packets being NAT'd to use a sane
  algorithm that can be it needs better comments

- fix 1 byte error in checksum validation perl script

- remove unused files in lib directory

- ipftest will say "bad-packet" if it has been freed rather than just "blocked"

- make it possible to load IP address pools from external files in ippool.conf

- update copyright messages in tools directory

- consolidate ioctl handling source code into fil.c

- make ipfstat, ippool, ipnat retrieve information via ioctls rather than

- Add in automatic flushing of NAT, like state, table if it fills up too much

- Update comments in the code for NAT checksum adjustments

- prevent panics from read/write IOs trying to use uninitialised structures

- Newer NetBSD should use malloc() instead of MALLOC() in the kernel where
  the size is not statically defined

- Some gcc warning message cleanup from NetBSD

- NetBSD now uses opt_ipfilter.h, not opt_ipfilter_log.h

- allow rdr rules to only differ on the new port number

- when creating state entry orphans, leave them on the linked list but not
  attached to the hash table and mark them visible as orphans in "ipfstat -sl"

- log state removed when unloading differently to allow visible cues

- return ipf ticks via SIOCGETGS for /dev/ipnat so "ipnat -l" can display ttl

- abort logging a packet if the mbuf pointer is null when ipflog is called

- Some versions of NetBSD have a selinfo.h instead of select.h

- SIOCIPFFL was using copyoutptr and should have been using bcopy for

- listing accounting rules using ioctl interface wasn't possible

- fix leakage of state entries due to packets not matching up with NAT

- improve ICMP error packet matching with state/NAT

- fix problems with parsing and printing "-" as an interface name in ipnat.conf
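The mail's post-reboot check is `ipf -V`, which reports the version of the ipf tools and the version compiled into the running kernel separately. After a partial rebuild (tools reinstalled but old kernel still booted, or the reverse) those two lines disagree, and ioctl structure layouts may not match. The following script is an added example, not part of the original mail or of the IPFilter sources: it parses `ipf -V` output and fails unless both versions are present, identical, and the filter reports "Running: yes". It assumes the output contains an `ipf: IP Filter: vX.Y.Z ...` line, a `Kernel: IP Filter: vX.Y.Z` line and a `Running:` line; the sample outputs embedded below are constructed to that shape (the parenthesized number is made up) and were not captured from a real system.

```shell
#!/bin/sh
# Added example: verify that userland ipf and the running kernel agree on
# the IPFilter version after the rebuild steps, and that the filter runs.
# Not from the original mail; the ipf -V output format is assumed, and the
# sample outputs below are constructed.

# Print the "vX.Y.Z" token from the ipf -V line whose first field is $1
# ("ipf:" for the tools, "Kernel:" for the kernel). Reads ipf -V output
# from stdin; prints nothing if no such line or no version token exists.
ipf_version_for() {
    awk -v p="$1" '
        $1 == p {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^v[0-9]+\.[0-9]+\.[0-9]+$/) { print $i; exit }
        }'
}

# Read ipf -V output from stdin. Return 0 only when the tools and kernel
# versions are both present and identical and the filter is running;
# otherwise print a diagnostic on stderr and return 1.
check_ipf_versions() {
    out=$(cat)
    tools=$(printf '%s\n' "$out" | ipf_version_for "ipf:")
    kernel=$(printf '%s\n' "$out" | ipf_version_for "Kernel:")
    running=$(printf '%s\n' "$out" | awk '$1 == "Running:" { print $2; exit }')

    if [ -z "$tools" ] || [ -z "$kernel" ]; then
        echo "could not find both version lines in ipf -V output" >&2
        return 1
    fi
    if [ "$tools" != "$kernel" ]; then
        echo "version mismatch: tools $tools, kernel $kernel (rebuild/reinstall)" >&2
        return 1
    fi
    if [ "$running" != "yes" ]; then
        echo "ipf $tools installed in tools and kernel, but filter not running" >&2
        return 1
    fi
    echo "ipf $tools: tools and kernel agree, filter running"
    return 0
}

# Constructed sample: consistent install after both rebuild steps.
GOOD_SAMPLE='ipf: IP Filter: v4.1.19 (396)
Kernel: IP Filter: v4.1.19
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0'

# Constructed sample: new kernel booted, but the old ipf tools still installed.
STALE_SAMPLE='ipf: IP Filter: v4.1.13 (390)
Kernel: IP Filter: v4.1.19
Running: yes'

# Constructed sample: versions agree but ipf was never enabled.
NOTRUNNING_SAMPLE='ipf: IP Filter: v4.1.19 (396)
Kernel: IP Filter: v4.1.19
Running: no'

# Stand-alone demonstration; on a real host use: ipf -V | check_ipf_versions
printf '%s\n' "$GOOD_SAMPLE" | check_ipf_versions
printf '%s\n' "$STALE_SAMPLE" | check_ipf_versions || echo "stale tools detected, as expected"
printf '%s\n' "$NOTRUNNING_SAMPLE" | check_ipf_versions || echo "inactive filter detected, as expected"
```

On a real host the check is simply `ipf -V | check_ipf_versions`; a non-zero exit after the upgrade means one of the two rebuild steps in the mail (tools or kernel) did not take effect, or ipfilter is not enabled in rc.conf.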