New features...and while I've got your attention,
what features do you think ipfilter needs that it
does not yet have?

So what got added...

Rules can now be loaded with active comments:

pass in from any to any port = 80 comment "for the web server"

..and the comment will be displayed by ipfstat.
The comment isn't used to determine if a matching rule
is already present in the kernel.

Rules can be given an expiry (in seconds):

block in from any to any port = 22 rule-ttl 10

But displaying them with ipfstat is slightly different, e.g.:
# ipfstat -i
block in from any to any port = 22 # rule-ttl 4191

This prevents temporary rules from being loaded that match
already existing rules and also means you don't need to
worry about guessing the correct ttl to remove a rule.
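As an added illustration (my code, not part of the announcement or of ipfilter), here is a small parser for ipfstat -i output that pulls out the comment and the remaining rule-ttl and then applies the matching rule described above: a rule is compared to an existing one without its comment or ttl. The "# rule-ttl N" suffix follows the form shown in the announcement; that the comment is echoed in the same `comment "..."` form it was loaded with is my assumption, and the sample lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of "ipfstat -i" output (not real output from a system).
# The "# rule-ttl N" suffix is the form shown in the announcement; the comment
# form is assumed to echo the rule exactly as it was loaded.
SAMPLE_IPFSTAT = """\
pass in from any to any port = 80 comment "for the web server"
block in from any to any port = 22 # rule-ttl 4191
block in from any to any port = 23 # rule-ttl 5
pass out from any to any
"""

# Accepts both the loading form ("rule-ttl 10") and the display form
# ("# rule-ttl 4191"); the ttl always sits at the end of the line.
TTL_RE = re.compile(r'\s*(?:#\s*)?rule-ttl\s+(\d+)\s*$')
COMMENT_RE = re.compile(r'\s*comment\s+"([^"]*)"')


@dataclass
class Rule:
    text: str              # rule with comment and ttl stripped, whitespace normalised
    comment: Optional[str]
    ttl: Optional[int]     # seconds remaining; None for a permanent rule


def parse_line(line: str) -> Rule:
    """Split one ipfstat line into the matching part, its comment and its ttl."""
    ttl = None
    m = TTL_RE.search(line)
    if m:
        ttl = int(m.group(1))
        line = line[:m.start()]
    comment = None
    m = COMMENT_RE.search(line)
    if m:
        comment = m.group(1)
        line = line[:m.start()] + line[m.end():]
    return Rule(" ".join(line.split()), comment, ttl)


def parse_ipfstat(output: str) -> List[Rule]:
    return [parse_line(l) for l in output.splitlines() if l.strip()]


def same_rule(a: Rule, b: Rule) -> bool:
    # Mirror the kernel's duplicate check: neither the comment nor the ttl
    # take part, only the rule text itself.
    return a.text == b.text


def would_duplicate(new_rule_line: str, existing: List[Rule]) -> bool:
    """True if loading new_rule_line would only repeat a rule already present."""
    new = parse_line(new_rule_line)
    return any(same_rule(new, r) for r in existing)


def expiring_soon(rules: List[Rule], threshold: int) -> List[Rule]:
    """Temporary rules whose remaining ttl is at or below threshold seconds."""
    return [r for r in rules if r.ttl is not None and r.ttl <= threshold]


if __name__ == "__main__":
    rules = parse_ipfstat(SAMPLE_IPFSTAT)
    for r in rules:
        print(f"{r.text!r:45} comment={r.comment!r} ttl={r.ttl}")
    print("duplicate:", would_duplicate("block in from any to any port = 22 rule-ttl 10", rules))
    print("expiring within 60s:", [r.text for r in expiring_soon(rules, 60)])
```

Feeding it real output (`ipfstat -i | python3 thisfile.py` with a stdin reader added) would let a monitoring job notice temporary blocks about to lapse, and the duplicate check shows why re-issuing the same temporary rule with a different ttl is refused.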


Both tree and hash type now support temporary additions to
tables from the command line ONLY, e.g.:

# ippool -a -T 30 -t tree -m tempblock 1.1.1.1

adds 1.1.1.1 to tempblock that will expire in 30 seconds.
Setting a per-address expiration is not supported via ippool.conf.

Filtering with groups now works if you use a group name (the limit
is 12 characters).
Pools can now be populated from a data file that contains WHOIS
data. For example, in the distribution, this test is present:

ipf.conf:
block in from pool/microsoft to any
ippool.conf:
pool ipf/tree (name microsoft;) { whois file "regress/p6.whois"; };
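As an added example (mine, not ipfilter's own whois loader, and not the regress/p6.whois test file), here is one way to turn WHOIS text into an explicit ippool.conf pool. Which WHOIS fields ipfilter itself reads is not stated above; this parser's choice of `route:`/`route6:` prefixes and `inetnum:` ranges is an assumption, as is the explicit-address pool form `{ a.b.c.d/n; ... }`, which I have modelled on the `pool ipf/tree (name ...;) { ...; };` syntax shown. The sample WHOIS text is constructed from RFC 5737 documentation prefixes.

```python
import ipaddress
from typing import List

# Constructed WHOIS-style records (RFC 5737 documentation prefixes); not real
# registry data and not ipfilter's regress/p6.whois.
SAMPLE_WHOIS = """\
inetnum:        192.0.2.0 - 192.0.2.127
netname:        EXAMPLE-NET-A
route:          198.51.100.0/24
origin:         AS64496
inetnum:        192.0.2.64 - 192.0.2.255
netname:        EXAMPLE-NET-B
"""


def whois_to_networks(text: str) -> List[ipaddress._BaseNetwork]:
    """Extract prefixes from WHOIS text and collapse overlaps/adjacent blocks.

    Assumed field handling: "route:" / "route6:" carry a CIDR prefix,
    "inetnum:" carries a "lo - hi" range, "inet6num:" carries a prefix.
    Anything unparsable is skipped rather than aborting the whole file.
    """
    nets = []
    for raw in text.splitlines():
        if ":" not in raw:
            continue
        key, _, value = raw.partition(":")
        key, value = key.strip().lower(), value.strip()
        try:
            if key in ("route", "route6", "inet6num"):
                nets.append(ipaddress.ip_network(value, strict=False))
            elif key == "inetnum":
                lo, hi = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
                nets.extend(ipaddress.summarize_address_range(lo, hi))
        except ValueError:
            continue
    # collapse_addresses needs a single address family, so do v4 and v6 apart
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return sorted(ipaddress.collapse_addresses(v4)) + sorted(ipaddress.collapse_addresses(v6))


def render_pool(name: str, nets, role: str = "ipf", kind: str = "tree") -> str:
    """Render an ippool.conf pool with explicit entries (assumed syntax)."""
    body = " ".join(f"{n};" for n in nets)
    return f"pool {role}/{kind} (name {name};) {{ {body} }};"


if __name__ == "__main__":
    nets = whois_to_networks(SAMPLE_WHOIS)
    print(render_pool("example", nets))
    # -> pool ipf/tree (name example;) { 192.0.2.0/24; 198.51.100.0/24; };
```

Collapsing matters for a tree pool: the two overlapping inetnum ranges and the adjacent halves of 192.0.2.0/24 fold into a single entry, so the pool stays small and a `block in from pool/example to any` rule covers exactly the registered space and nothing more.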

And lastly, I fixed up the SNMP trap sending code for ipmon.

Cheers,
Darren

http://coombs.anu.edu.au/~avalon/ip_fil5.0.5.tar.gz
SHA1 (ip_fil5.0.5.tar.gz) = a46f6a35dd3605be9ccdf1bc3c013e1c38ee61ea
