ip_fil5.1.0 compiles just fine on Sparc Solaris 10 latest kernel 142900-10. I have been waiting for this feature:
> Solaris
> -------
> * support for use in zones with exclusive IP instances fully supported.

Yours,
-- Sum

> All of the code written to support this was done prior to
> myself becoming an Oracle "worker-bee." I'm not sure when
> I'll be able to confidently start working on new code to
> support IPFilter yet, but I'm pursuing multiple options
> to enable that to happen.
>
> Anyway, I consider this to be relatively feature-complete
> so I'm happy to stamp it with 5.1.0 and push it out the door.
>
> It's been 6 years in development and a lot of new
> features have gone in as well as general improvement.
>
> I suspect that the manual pages are going to be lacking
> in some areas but to me they have everything they need ;)
>
> If you've got questions about what specific features do
> or what they mean, feel free to ask.
>
> Cheers,
> Darren
>
> http://coombs.anu.edu.au/~avalon/ip_fil5.1.0.tar.gz
> MD5 (ip_fil5.1.0.tar.gz) = 9660b138ac5fa00ce96a0333b86652ec
>
> .. and the permissions are right ;)
>
> What's new in 5.1
> =================
>
> General
> -------
> * all of the tuneables can now be set at any time, not just whilst disabled
>   or prior to loading rules;
>
> * group identifiers may now be a number or name (universal);
>
> * man pages rewritten;
>
> * tunables can now be set via ipf.conf;
>
> Logging
> -------
> * ipmon.conf can now be used to generate SNMPv1 and SNMPv2 traps using
>   information from log entries from the kernel;
>
> NAT changes
> -----------
> * DNS proxy for the kernel that can block queries based on domain names;
>
> * FTP proxy can be configured to limit data connections to one or many
>   connections per client;
>
> * NAT on IPv6 is now supported;
>
> * rewrite command allows changing both the source and destination address
>   in a single NAT rule;
>
> * simple encapsulation can now be configured with ipnat.conf;
>
> * TFTP proxy now included;
>
> Packet Filtering
> ----------------
> * acceptance of ICMP packets for "keep state" rules can be refined through
>   the use of filtering rules;
>
> * alternative form for writing rules using simple filtering expressions;
>
> * CIPSO headers now recognised and analysed for filtering on DOI;
>
> * comments can now be a part of a rule and loaded into the kernel and
>   thus displayed with ipfstat;
>
> * decapsulation rules allow filtering on inner headers, providing they
>   are not encrypted;
>
> * interface names, aside from that the packet is on, can be present in
>   filter rules;
>
> * internally now a single list of filter rules, there is no longer an
>   IPv4 and IPv6 list;
>
> * rules can now be added with an expiration time, allowing for their
>   automatic removal after some period of time;
>
> * single file, ipf.conf, can now be used for both IPv4 and IPv6 rules;
>
> * stateful filtering now allows for limits to be placed on the number
>   of distinct hosts allowed per rule;
>
> Pools
> -----
> * addresses added to a pool via the command line (only!) can be given
>   an expiration timeout;
>
> * destination lists are a new type of address pool, primarily for use with
>   NAT rdr rules, supporting newer algorithms for target selection;
>
> * raw whois information saved to a file can be used to populate a pool;
>
> Solaris
> -------
> * support for use in zones with exclusive IP instances fully supported.
>
> Tools
> -----
> * use of matching expressions allows for refining what is displayed or
>   flushed;
>
> p.s. I called myself an Oracle worker-bee because our internal
> mail server is called a "beehive", so I figure that makes me a
> bee...but does that mean Larry Ellison is the queen bee? ;-)

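The announcement above ships a tarball URL together with an MD5 digest. Before building a kernel module from it, the practical step is to check the downloaded file against that digest. The script below is an added example, not part of the original thread or of the IPFilter project; it assumes the tarball has already been fetched into the current directory and takes the expected digest verbatim from the announcement. It picks whichever digest tool the host has (GNU md5sum, BSD md5, Solaris digest(1), or openssl), since the build host in this thread is Solaris 10.

```shell
#!/bin/sh
# Added example (not from the announcement or from IPFilter itself):
# verify the announced MD5 of the release tarball before building it.
# EXPECTED_MD5 is the value printed in the announcement for ip_fil5.1.0.tar.gz.
EXPECTED_MD5="9660b138ac5fa00ce96a0333b86652ec"

# Print the MD5 of the file named in $1 as 32 lowercase hex characters,
# using whichever tool is available on this host.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1            # GNU coreutils / Linux
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"                           # BSD / macOS
    elif command -v digest >/dev/null 2>&1; then
        digest -a md5 "$1"                    # Solaris digest(1)
    else
        openssl dgst -md5 "$1" | sed 's/^.*= //'
    fi
}

# verify_md5 FILE EXPECTED
# Returns 0 when FILE's MD5 equals EXPECTED (case-insensitive), 1 otherwise.
verify_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(md5_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $expected"
        return 0
    else
        echo "MISMATCH: $file has $actual, expected $expected" >&2
        return 1
    fi
}

# Usage once the tarball from the announcement sits in the current directory:
# verify_md5 ip_fil5.1.0.tar.gz "$EXPECTED_MD5" || exit 1
```

Two caveats a practitioner should keep in mind. The digest was published in the same e-mail that carries the download URL, so it only catches a corrupted or truncated download; it does not authenticate the author, because anyone who could tamper with the tarball in transit could equally tamper with the mail. And MD5 is no longer collision resistant, so even a digest delivered out of band is a weak integrity anchor compared with a signed release or a SHA-2 digest. The check is still worth running; it just should not be mistaken for signature verification.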