Monday October 02, 2006 Weblog
Monday October 02, 2006 After what has possibly been too long, I've finally gotten around to rolling together version 4.1.14 of IPFilter.
What took it so long?
I got stuck into verifying all of the test results for NAT'd ICMP packets and their checksums, where unknowingly there was a bug in one of my test scripts I found by developing another path to verify checksums. Anyway, this is now done and I've a lot more confidence in the ability of IPFilter to correctly modify ICMP checksums now.
There are two other significant changes with this version.
The first is that output from "ipfstat -io" and similar is now all retrieved by using ioctls to iterate through in-memory lists. This should remedy that problem on Linux as well as other systems that use IPFilter and choose not to have a /dev/mem or /dev/kmem.
The second is short pool names can now be used in filter rules like this:
-
ippool.conf:
table role = ipf type = tree name = letters { 1.1.1.1/32; !2.2.0.0/16; 2.2.2.0/24; }; -
ipf.conf:
pass in from pool/letters to any
Anyway, I think that's all for now. I'll be updating sourceforge later in the day/week.
- http://coombs.anu.edu.au/~avalon/ip_fil4.1.14.tar.gz
- http://coombs.anu.edu.au/~avalon/patch-4.1.14..gz
4.1.14 - Released 04 October 2006
- rewrite checksum alteration for ICMP packets being NAT'd to use a sane algorithm that can be understood...now it needs better comments
- fix 1 byte error in checksum validation perl script
- remove unused files in lib directory
- ipftest will say "bad-packet" if it has been freed rather than just "blocked"
- make it possible to load IP address pools from external files in ippool.conf
- update copyright messages in tools directory
- consolidate ioctl hanlding source code into fil.c
- make ipfstat, ippool, ipnat retrieve information via ioctls rather than /dev/kmem
