IPFilter 4.1.26

It's been a while since I blogged about IPFilter. I've been attending to problems over the past few months in a fairly responsive manner. The one consistent message I get out of this is I need to do more testing. Sigh. Just developing code is much more fun :) Testing is for users ;) Of course if there are fewer features then there is also less to test and go wrong. A lot to be said for simplicity!



4.1.26 - Released 24 September 2007

  • Fix build problem for Solaris prior to S10U4

4.1.25 - Released 20 September 2007

  • stepping through structures with ioctls can lead to the wrong things being free'd and panics
  • if a NAT entry (such as an rdr) is created but the packet ends up being blocked, tear down the NAT entry.
  • fix fragment cache preventing keep state from functioning
  • fix handling of \\ to indicate a continued line in .conf files
  • include port ranges in the allowed input for ipf when using "port = ()"
  • only advance TCP state for packets on the leading edgeof the window.
  • using ipnat -l can lead to memory corruption in high stress situations
  • track TCP sequence numbers with NAT so that it can do timeout advances correctly inline with state
  • ICMP checksums for some redirect'd packets are not adjusted correctly.
  • IPv6 address components need to be explicitly cast to a 32bit pointer boundary so that compilers don't try to access them as two 64bit pieces (no guarantee is made that an Ipv6 address is on a 64bit aligned address)
  • filling up the ipauth packet queue can lead to no more packets being processed.
  • locking used to deref a nat entry causes a significant performance hit
  • m_pulldown isn't properly handled, leading to possible panics with ICMPv6 packets
  • IPv6 fragment handling doesn't allow for "keep frag" to work
  • build on Solaris10 Update4 with pfhooks in the kernel
  • logging of Ipv6 packets with extension headers fix - Miroslaw Luc

4.1.24 - Released 8 July 2007

  • patch from Stuart Remphrey to address recursive mutex lock with TCP state
  • add hash table bucket stats display to ipnat -s
  • give ASSERT some teeth for user compiles
  • initialising ipf_global, ipf_frcache, ipf_mutex should all be done very early on
  • do some caddr_t cleanup, where possible
  • fr_ref no longer tracks the number of children rules in a group for head rules
  • make sure all BCOPY\* have a value assigned to something
  • fix possible use of icmp pointer after pullup makes it invalid
  • resolve compile problems related to FreeBSD tree

4.1.23 - Released 31 May 2007


Documentation in this area is hard to find. Needless to say, I've spent a few hours on this. Your blog was most useful, and I thought sharing this here might help others in the community.

This is what I did, and use, for my Open NAT X-Box LIVE connection. For reference

I use Solaris Nevada (snv_94) as my ipfilter box. Though, the same configuration(s) should work on Solaris 10.

1) While I went back and forth, the manual ip configuration is easier (set via the 'System -> Network Settings' blade on the X-Box 360 console).
2) The Xbox manual ip is
3) The LAN netmask is
4) The LAN gateway is (Solaris w/ipfilter)
5) The Solaris ipfilter (skge0) nic is
6) The Solaris ISP/dhcp (nge0) nic is (assigned by cable/dsl modem)
7) The Solaris ISP/PPPoE (sppp0) nic is (assigned by ISP)
8) Use the following /etc/ipf/ipnat.conf

# Per Microsoft, the xbox requires ports 88/udp, 3074/udp, & 3074/tcp open
rdr sppp0 0/0 port 88 -> port 88 udp
rdr sppp0 0/0 port 3074 -> port 3074 udp
rdr sppp0 0/0 port 3074 -> port 3074 tcp

# But, the xbox doesn't like portmap auto, so explictly set it off (first)
map sppp0 -> tcp/udp

# Add these (very popular [moderate NAT] settings), so everything else on the LAN can still use the same gateway (
map sppp0 -> proxy port ftp ftp/tcp
map sppp0 -> portmap tcp/udp auto
map sppp0 ->

9) If you don't use ipf, or have 'pass in quick' configured, then the following line isn't required.

pass in quick from any to keep state keep frags

10) Enable pre-requisite services

svcadm enable network/ipfilter

11) Here's what the output looks like to ipnat, after running "Test Xbox LIVE Connection"

# ipnat -hl | grep -v 192\\.168\\.0\\.12
List of active MAP/Redirect filters:
0 rdr sppp0 port 88 -> port 88 udp
0 rdr sppp0 port 3074 -> port 3074 tcp
2 rdr sppp0 port 3074 -> port 3074 udp
11 map sppp0 -> tcp/udp
0 map sppp0 -> proxy port ftp ftp/tcp
50 map sppp0 -> portmap tcp/udp auto
0 map sppp0 ->

List of active sessions:
RDR 3074 <- -> 3074 [ 39370]
MAP 3074 <- -> 3074 [ 3074]
MAP 3074 <- -> 3074 [ 3074]
MAP 1257 <- -> 1257 [ 88]
MAP 1259 <- -> 1259 [ 3074]
MAP 1258 <- -> 1258 [ 3074]


11) Finally, I'd read somewhere that you may have to turn off hardware checksums on some NICs (or was it for Solaris 10?). Though I did not
have to do it, You may have to add this in /etc/system:

set ip:dohwcksum=0

Posted by Joseph Tingiris on September 17, 2008 at 12:00 PM PDT #

Hello everyone,

We are facing an issue with IP filter in Solaris 10 that even with "keep frags", it is blocking some fragmented packets.
I have read in some blogs that IPv6 fragment handling doesn't allow for "keep frag" to work.

Can someone give an idea on this and how to resolve the issue?

Thanks in advance


Posted by Satish on October 08, 2009 at 05:05 AM PDT #

Post a Comment:
Comments are closed for this entry.



« June 2016