Weblog

« Banning liquid on... | Main | What is wrong with... »

Monday October 02, 2006

IPFilter 4.1.14

After what has possibly been too long, I've finally gotten around to rolling together version 4.1.14 of IPFilter.

What took it so long?

I got stuck into verifying all of the test results for NAT'd ICMP packets and their checksums, where unknowingly there was a bug in one of my test scripts I found by developing another path to verify checksums. Anyway, this is now done and I've a lot more confidence in the ability of IPFilter to correctly modify ICMP checksums now.

There are two other significant changes with this version.

The first is that output from "ipfstat -io" and similar is now all retrieved by using ioctls to iterate through in-memory lists. This should remedy that problem on Linux as well as other systems that use IPFilter and choose not to have a /dev/mem or /dev/kmem.

The second is short pool names can now be used in filter rules like this:

ippool.conf:

table role = ipf type = tree name = letters
        { 1.1.1.1/32; !2.2.0.0/16; 2.2.2.0/24; };

ipf.conf:

pass in from pool/letters to any

Anyway, I think that's all for now. I'll be updating sourceforge later in the day/week.

http://coombs.anu.edu.au/~avalon/ip_fil4.1.14.tar.gz

http://coombs.anu.edu.au/~avalon/patch-4.1.14..gz

Cheers, Darren

4.1.14 - Released 04 October 2006

rewrite checksum alteration for ICMP packets being NAT'd to use a sane algorithm that can be understood...now it needs better comments
fix 1 byte error in checksum validation perl script
remove unused files in lib directory
ipftest will say "bad-packet" if it has been freed rather than just "blocked"
make it possible to load IP address pools from external files in ippool.conf
update copyright messages in tools directory
consolidate ioctl hanlding source code into fil.c
make ipfstat, ippool, ipnat retrieve information via ioctls rather than /dev/kmem

4.1.13 - Released 4 April 2006

( Oct 02 2006, 10:05:26 PM PDT ) Permalink Comments [5]

Trackback URL: http://blogs.sun.com/avalon/entry/ipfilter_4_1_14

Comments:

Darren, do you know when newer (not necessary the newest) version of ipfilter will come to the stable Solaris ? Perhaps 11/06 ?

Posted by przemol on October 02, 2006 at 11:13 PM PDT #

It is on track for Solaris 10, Update 4., which may not be available until CY2007.

At some point later in the year, if you have the right kind of support contract, you may be able to get an IDR patch for Solaris 10, months in advance of the actual release of Solaris 10, Update 4.

Posted by Darren on October 02, 2006 at 11:28 PM PDT #

Hi Darren, My question is not related to this topic at all, just needed a way to contact you and ask you for some information. I am trying to write to code (.NET) that communicates with a server component using what they call IP packets. Basically what I am writing is a gateway between a device and a server component. I communicate serially with the device and then I am suppose to send that data to the server component using IP packets. The flow they have describe to me is as... IP Header: This protocol consists of different components in the following separate sequence: SYN, SYN/ACK, ACK, DATA, ACK, DATA, ACK, ACK/FIN and ACK. DATA: Consists of different components in the following sequence: Message length: In BCD format. Application data: Message data from device End of text: this is the ETX The flow looks like this: Me ---> <SYN> ---> SVR Me <--- <SYN/ACK> <--- SVR Me ---> <ACK> ---> SVR Me ---> (DATA) ---> SVR Me <--- <ACK> <--- SVR Me <--- (DATA) <--- SVR Me ---> <ACK> ---> SVR Me ---> <FIN> ---> SVR Me <--- <ACK/FIN> <--- SVR Me ---> <ACK> ---> SVR Where "Me" is my object and SVR is the server. You seem to know a lot about this stuff and I just need some guidance on how to construct these packets. I have been searching all over, but I need example of what they look like, values and transmission format. Thanks in advance for any help you can provide. Cheers

Posted by Kenneth Gonzalez on October 13, 2006 at 07:17 AM PDT #

I would like to ask you Darren, if there exists some documentation for IOCTL functions for IPFilter? The documentation from man pages isnt so detailed and is old for new versions. I cannot use IOCTL functions like SIOCADAFR, because of EINVAL error. Could you send me some example of adding rule to the kernel IPFilter. Thanks a lot. Petr

Posted by Petr Mlynar on October 23, 2006 at 06:47 AM PDT #

Hello Darren,

I need an old version of IPFILTER (4.1.8) to create a replica of an existing server that is running version 4.1.8. I tried looking around but can't seem to find a download. Is it available somewhere? If not, will the latest version be ok to install using config files from version 4.1.8?

William.

Posted by William L on January 29, 2008 at 04:13 PM PST #

Name:
E-Mail:
URL:
	Notify me by email of new comments
	Remember Information?

Sun	Mon	Tue	Wed	Thu	Fri	Sat
« July 2008
		1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29	30	31

Today

Weblog

4.1.14 - Released 04 October 2006

4.1.13 - Released 4 April 2006

Calendar

RSS Feeds

Search

Links

Navigation

Referers