With a whole host of patches for Solaris that have improved things in any number of ways and some more attention from me on other aspects of the code, I think the quality of ipfilter has made a very worthwhile leap in the last month.
Thanks to a lot of time spent reviewing code, patching and being generally helpful making sure things turned out for the better, John Wehle has had a very positive influence on this release of code - thanks. I could have looked at that code (even being told there were problems) and not seen them; sometimes it just takes new eyes and patience.

MD5 (ip_fil4.1.7.tar.gz) = a83b60195cc7aa466c40f514a08e3845
MD5 (pfil-2.1.6.tar.gz) = 54254788f63a21e2936f3bc0175f5e42

Darren

4.1.7 - Released 13 March 2005

Using the GRE call field is almost impossible because it is unbalanced and both call fields are not present in each v1 header.

Fix a problem where it was possible to load duplicate rules into ipf

patch from John Wehle to address problems with fastroute on Solaris

Copying data out for ipf -z failed because it tried to copy out to an address that is a kernel pointer in user space.

add "ip" timeout for both NAT & state that's for non-TCP/UDP/ICMP

synch up with NetBSD's changes

fix problems parsing long lines of text in the ftp proxy where they would not be parsed properly and stop the session from working

enhance the PPTP proxy so that it tries to decode messages in the TCP stream so it knows when to create and destroy the state/nat sessions for GRE. There are also 4 new regression tests for it, testing map/rdr rules.

impose some limits on the size of data that can be moved with SIOCSTPUT in the NAT code and also prevent a duplicate session entry from being created using this method.

add a new flag (IPN_FINDFORWARD) to NAT code that can be used with SIOCGNATL to check if it is possible to create an outgoing transparent NAT mapping to complement the redirect being investigated.

Linux requires that the checksums in the IP header get adjusted

only resolve unknown interfaces in fr_stinsert, and nuke all interface pointers in SIOCSTPUT to prevent bad data being loaded from userspace.

make the byte counting for state correct (was counting data from ICMP packet twice)

print out the keyword "frag-body" if the flag is set.

fix ipfs loading/restoring NAT sessions

patch from Frank to correctly format IP addresses in ipfstat -t output

parsing port numbers in ipf/ipnat was confusing as the port number was returned in an int that was also overloaded to be the success/failure. instead, change the port using pass by reference and only use the return value for indicating success or failure.

4.1.6 - Released 19 February 2005
