This release of IPFilter comes after the code base has been covered by Coverity scans via both FreeBSD and NetBSD. This picked up a whole range of "bugs", some of which were quite deliberate choices at the time - like not free'ing up malloc'd space when returning from a function in a program that runs and exits. Anyhow, the good news is that the code has been through that already.
There are two important changes with this release.

The first is I have added in poll(2) support for the device driver on FreeBSD, NetBSD, Solaris and Linux. ipmon hasn't yet been updated to use this, that'll come next.

The second is I've "fixed" /dev/ipauth so it can be used now. The motivation for this came with the desire to write a program to use grey-listing to help stem the spam tide. More on that in another email.

For Solaris users, you will need to update pfil as well, to 2.1.8. This change is required because, to address testing of ipfauth, I needed to generate TCP RSTs and that wasn't happening if I just received a new packet and no traffic beforehand. The only problem with this fix is that if I generate the first packet to go out of a NIC after it is plumb'd, and it is a TCP RST, it has the wrong checksum. Subsequent packets, even if an ARP is required, are all fine.

On the feature side of things, someone didn't like that it wasn't possible to list multiple interfaces in a single rule, like is possible with addresses, so this is now possible:

    block in on (ex0 ex1) all

http://coombs.anu.edu.au/~avalon/ip_fil4.1.11.tar.gz
http://coombs.anu.edu.au/~avalon/pfil-2.1.8.tar.gz

Darren

4.1.11 - Released 19 March 2006

Patch for NAT with ipfsync from N. Ersen (SESCI) - www.enderunix.org

NetBSD coverity report fixes (from run 5)

Possible to reacquire ipf_auth without releasing it in some circumstances

Locking in FreeBSD's iplioctl for ipf_global isn't present like it should be

Add poll support for platforms I can build on: NetBSD, FreeBSD, Solaris, Linux

Using auth rules to return "keep state" got broken with pushing fr_addstate call into fr_firewall

all use of '!' in map/rdr rules to match use in ipf configs

add -L command line option to ipmon to set the default syslog facility

looking up a port number is more complex than needed in ipft_tx.c

allow lib/getport to work when neither tcp or udp are specified in a rule

remove some dead code from lib/addicmpc, lib/facpri.c, lib/icmpcode.c

program in some more cases where TCP packets fail an initial in-window check but should be allowed to match filter rule

added with NAT/state handling of SIOCSTPUT doesn't properly initialise all fields, making it possible to panic

simplify NAT ICMP error handling where it updates checksums

rename "min" variables to "xmin" on NetBSD to avoid problems with the macro "min"

#ifdef's for NetBSD compile incorrect for pfil interface support

select/poll on NetBSD

copying out a packet with an auth rule fails (EFAULT) because the wrong pointer is passed to copyoutptr

ip_len/ip_off were byte swapped twice instead of once for packets going to be stored on the auth queue

change timeout queue manipulation functions to make fewer mutex calls

fix use of skip rules with groups

fix coding problems discovered by the coverity project for FreeBSD

update BPF program validation with FreeBSD changes

4.1.10 - Released 6 December 2005
