List:       ipfilter
Subject:    IPFilter 4.1.14
From:       Darren Reed <darrenr () reed ! wattle ! id ! au>
Date:       2006-10-02 22:53:30
Message-ID: 200610022253.k92MrUqk014861 () firewall ! reed ! wattle ! id ! au


After what has possibly been too long, I've finally gotten around
to rolling together version 4.1.14 of IPFilter.

What took it so long?

I got stuck into verifying all of the test results for NAT'd ICMP
packets and their checksums, where unknowingly there was a bug in
one of my test scripts I found by developing another path to verify
checksums.  Anyway, this is now done and I've a lot more confidence
in the ability of IPFilter to correctly modify ICMP checksums now.

There are two other significant changes with this version.

The first is that output from "ipfstat -io" and similar is now all
retrieved by using ioctls to iterate through in-memory lists.  This
should remedy that problem on Linux as well as other systems that
use IPFilter and choose not to have a /dev/mem or /dev/kmem.

The second is short pool names can now be used in filter rules like
this:
ippool.conf:
table role = ipf type = tree name = letters
        { 1.1.1.1/32; !2.2.0.0/16; 2.2.2.0/24; };

ipf.conf:
pass in from pool/letters to any

Anyway, I think that's all for now.
I'll be updating sourceforge later in the day/week.

http://coombs.anu.edu.au/~avalon/ip_fil4.1.14.tar.gz
http://coombs.anu.edu.au/~avalon/patch-4.1.14..gz

Cheers,
Darren

4.1.14 - Released 04 October 2006

rewrite checksum alteration for ICMP packets being NAT'd to use a sane
algorithm that can be understood...now it needs better comments

fix 1 byte error in checksum validation perl script

remove unused files in lib directory

ipftest will say "bad-packet" if it has been freed rather than just "blocked"

make it possible to load IP address pools from external files in ippool.conf

update copyright messages in tools directory

consolidate ioctl handling source code into fil.c

make ipfstat, ippool, ipnat retrieve information via ioctls rather than /dev/kmem

4.1.13 - Released 4 April 2006
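
The message mentions checking NAT'd ICMP checksums through a second, independent path. The following is an added example of that kind of cross-check, not code from IPFilter or its test scripts: it rewrites the source address and port quoted inside a constructed ICMP error, patches the checksums incrementally (RFC 1624), and is meant to be compared against a packet built with a full RFC 1071 recompute. All function names, addresses and ports are assumptions.

```python
import struct

ICMP_CSUM, INNER_CSUM, INNER_SRC, INNER_SPORT = 2, 18, 20, 28  # byte offsets

def fold(total: int) -> int:
    while total >> 16:                      # end-around carry
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def csum(data) -> int:
    """RFC 1071 checksum, full recompute (data length is even here)."""
    return fold(sum(struct.unpack(f"!{len(data) // 2}H", bytes(data))))

def csum_update(hc: int, m: int, m_new: int) -> int:
    """RFC 1624 eqn. 3, HC' = ~(~HC + ~m + m'), for one changed 16-bit word."""
    return fold((~hc & 0xFFFF) + (~m & 0xFFFF) + m_new)

def get16(buf, off: int) -> int:
    return struct.unpack_from("!H", buf, off)[0]

def put16(buf, off: int, val: int) -> None:
    struct.pack_into("!H", buf, off, val)

def build_icmp_error(src=bytes([192, 0, 2, 1]), sport=40000) -> bytearray:
    """Constructed port-unreachable quoting an IP header and 8 UDP bytes."""
    inner = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, 17, 0,
                                  src, bytes([198, 51, 100, 7])))
    put16(inner, 10, csum(inner))
    udp = struct.pack("!HHHH", sport, 53, 8, 0)   # quoted UDP checksum 0 = unused
    icmp = bytearray(struct.pack("!BBHI", 3, 3, 0, 0) + inner + udp)
    put16(icmp, ICMP_CSUM, csum(icmp))
    return icmp

def patch(buf, off: int, new: int, inner_csum=None) -> None:
    """Change one word; fix the ICMP checksum and, if given, the quoted IP one."""
    old = get16(buf, off)
    put16(buf, off, new)
    put16(buf, ICMP_CSUM, csum_update(get16(buf, ICMP_CSUM), old, new))
    if inner_csum is not None:   # the quoted checksum is itself ICMP payload
        patch(buf, inner_csum, csum_update(get16(buf, inner_csum), old, new))

def nat_incremental(icmp, src: bytes, port: int) -> bytearray:
    """Rewrite the quoted source address and port without a full recompute."""
    out = bytearray(icmp)
    patch(out, INNER_SRC, get16(src, 0), INNER_CSUM)
    patch(out, INNER_SRC + 2, get16(src, 2), INNER_CSUM)
    patch(out, INNER_SPORT, port)
    return out
```

Comparing `nat_incremental(build_icmp_error(), new_src, new_port)` with `build_icmp_error(new_src, new_port)` byte for byte is the cross-check: any disagreement means one of the two checksum paths is wrong.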
