By avalon on Sep 23, 2007
It's been a while since I blogged about IPFilter. I've been attending to problems over the past few months in a fairly responsive manner. The one consistent message I get out of this is I need to do more testing. Sigh. Just developing code is much more fun :) Testing is for users ;) Of course if there are fewer features then there is also less to test and go wrong. A lot to be said for simplicity!
4.1.26 - Released 24 September 2007
- Fix build problem for Solaris prior to S10U4
4.1.25 - Released 20 September 2007
- stepping through structures with ioctls can lead to the wrong things being freed and panics
- if a NAT entry (such as an rdr) is created but the packet ends up being blocked, tear down the NAT entry.
- fix fragment cache preventing keep state from functioning
- fix handling of \ to indicate a continued line in .conf files
- include port ranges in the allowed input for ipf when using "port = ()"
- only advance TCP state for packets on the leading edge of the window.
- using ipnat -l can lead to memory corruption in high stress situations
- track TCP sequence numbers with NAT so that it can do timeout advances correctly inline with state
- ICMP checksums for some redirected packets are not adjusted correctly.
- IPv6 address components need to be explicitly cast to a 32-bit pointer boundary so that compilers don't try to access them as two 64-bit pieces (no guarantee is made that an IPv6 address is on a 64-bit aligned address)
- filling up the ipauth packet queue can lead to no more packets being processed.
- locking used to deref a nat entry causes a significant performance hit
- m_pulldown isn't properly handled, leading to possible panics with ICMPv6 packets
- IPv6 fragment handling doesn't allow for "keep frag" to work
- build on Solaris 10 Update 4 with pfhooks in the kernel
- logging of IPv6 packets with extension headers fix - Miroslaw Luc
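The 4.1.25 notes mention fixing how a trailing backslash continues a line in the .conf files. The reader below is an added illustration of that continuation rule, written for this post; it is not IPFilter's own parser, and the sample ruleset it contains is constructed for the example. Assumed semantics: a line whose last non-blank character is a single `\` is joined with the next line, full-line `#` comments and blank lines are dropped, and a `\` on the last line of the file is reported as an error rather than silently discarded.

```python
"""Join backslash-continued lines in an ipf-style .conf file.

Added example (not IPFilter code). Assumptions:
  - a trailing '\\' continues the logical line on the next physical line
  - parts are joined with a single space so tokens do not run together
  - blank lines and lines starting with '#' are skipped
  - a continuation marker on the final line is an error
"""

# Constructed sample ruleset for the example; not a real configuration.
SAMPLE_CONF = """\
# constructed sample, not a real ruleset
pass in quick on bge0 proto tcp from any to 192.0.2.10 \\
    port = 22 keep state

block in all
"""


def join_continued_lines(text: str) -> list[str]:
    """Return the logical (joined) rule lines of an ipf-style config."""
    lines = text.splitlines()
    rules: list[str] = []
    parts: list[str] = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.rstrip()
        if line.endswith("\\"):
            # Drop the marker, remember the fragment, and keep reading.
            parts.append(line[:-1].strip())
            if lineno == len(lines):
                raise ValueError(
                    f"line {lineno}: continuation '\\' at end of file"
                )
            continue
        parts.append(line.strip())
        logical = " ".join(p for p in parts if p)
        parts = []
        if logical and not logical.startswith("#"):
            rules.append(logical)
    return rules


if __name__ == "__main__":
    for rule in join_continued_lines(SAMPLE_CONF):
        print(rule)
```

Running the module prints the two logical rules; the `ValueError` on a dangling `\` is the edge case a parser should not paper over, since a silently dropped rule tail changes what the filter enforces.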
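The 4.1.25 item about advancing TCP state only for packets on the leading edge of the window is worth a small model. The code below is an added illustration, not IPFilter's state engine; it assumes a state entry that remembers, per direction, the highest sequence number it has seen (the leading edge) and a deliberately minimal ESTABLISHED / FIN_WAIT / CLOSED machine. Segments whose end falls at or behind the edge (retransmissions, out-of-order duplicates, or injected packets carrying stale sequence numbers) still match the entry but are not allowed to move its state, so a stale FIN cannot tear the entry down.

```python
"""Advance tracked TCP state only for segments on the leading edge.

Added example (not IPFilter code). The 'edge' per direction and the
three-state machine are simplifying assumptions for illustration.
"""
from dataclasses import dataclass, field

ESTABLISHED, FIN_WAIT, CLOSED = "ESTABLISHED", "FIN_WAIT", "CLOSED"
SEQ_MASK = 0xFFFFFFFF


@dataclass
class TcpState:
    state: str = ESTABLISHED
    # Highest sequence number seen so far in each direction (None = unset).
    edge: dict = field(default_factory=lambda: {"in": None, "out": None})


def seq_after(a: int, b: int) -> bool:
    """True if a is strictly after b in 32-bit wrapping sequence space."""
    return a != b and ((a - b) & SEQ_MASK) < 0x80000000


def advance_state(st: TcpState, direction: str, seq: int,
                  length: int, fin: bool = False) -> bool:
    """Apply one segment to the entry; return True if it advanced the edge.

    Only a segment that extends past the current leading edge may change
    the connection state. Anything at or behind the edge is treated as a
    retransmission or duplicate and leaves the state untouched.
    """
    end = (seq + length + (1 if fin else 0)) & SEQ_MASK
    edge = st.edge[direction]
    if edge is not None and not seq_after(end, edge):
        return False
    st.edge[direction] = end
    if fin:
        if st.state == ESTABLISHED:
            st.state = FIN_WAIT
        elif st.state == FIN_WAIT:
            st.state = CLOSED
    return True


if __name__ == "__main__":
    st = TcpState()
    # Constructed segment sequence for the example.
    print(advance_state(st, "out", 1000, 100), st.state)        # data, True
    print(advance_state(st, "out", 500, 0, fin=True), st.state)  # stale FIN, False
    print(advance_state(st, "out", 1100, 0, fin=True), st.state) # real FIN, True
    print(advance_state(st, "in", 5000, 0, fin=True), st.state)  # peer FIN, True
```

The stale FIN at sequence 500 is the case the fix is about: it is behind the edge the entry already reached, so it is classified as old data and the state stays ESTABLISHED; the FIN at the edge (1100) is the one that moves the machine.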
4.1.24 - Released 8 July 2007
- patch from Stuart Remphrey to address recursive mutex lock with TCP state
- add hash table bucket stats display to ipnat -s
- give ASSERT some teeth for user compiles
- initialising ipf_global, ipf_frcache, ipf_mutex should all be done very early on
- do some caddr_t cleanup, where possible
- fr_ref no longer tracks the number of children rules in a group for head rules
- make sure all BCOPY* have a value assigned to something
- fix possible use of icmp pointer after pullup makes it invalid
- resolve compile problems related to FreeBSD tree