Subject: IP Filter 3.4.9/3.3.18 (fwd)
To: None <tech-net@netbsd.org, tech-security@netbsd.org>
From: Darren Reed <darrenr@reed.wattle.id.au>
List: tech-net
Date: 08/09/2000 01:05:36
----- Forwarded message from Darren Reed -----
From owner-ipfilter@cairo.anu.edu.au Wed Aug 9 0:20:00 2000
From: Darren Reed <darrenr@reed.wattle.id.au>
Message-Id: <200008081409.AAA20852@avalon.reed.wattle.id.au>
Subject: IP Filter 3.4.9/3.3.18 (fwd)
To: ipfilter@coombs.anu.edu.au
Date: Wed, 9 Aug 2000 00:09:06 +1000 (EST)
Sender: owner-ipfilter@coombs.anu.edu.au
My apologies for the "lockup", but at the last moment I realised
that similar code paths were used in NAT and state and had to fix
a similar ICMP handling bug in NAT. I *really* didn't want to
have to make a new version# just for that. Everything should
now be accessible...
Darren
> Ok, now I'm relaxed...and the niggles should be ironed out.
>
> 3.4.9/3.3.18 fix up existing problems with the FTP proxy in
> prior versions. The reason it took so long to iron out the
> problem with 3.4.8 is due to a dodgy interface which will be
> addressed for 4.0 (currently exists there too :-/).
>
> The 'global' fr_chksrc can now be 0 (disable checking of
> spoofed source address packets), 1 (enabled) or 2 (log the
> packets which it detects as having spoofed source IP#'s).
> This check is done using the routing table. For FreeBSD 4,
> the sysctl will now show up (I'll merge this into -current
> over the weekend when I'm not in a hurry).
>
> Most of the other changes have been "spurious" except for
> one - the handling of ICMP packets for known state.
> This bug crept in with fr_checkicmpmatchingstate() and has
> been made mention of to me without any real pointers until
> the weekend (which is the impetus for these). That is now
> plugged and all should be well there. If you feel nervous
> about upgrading then dig through the patch files for the
> changes to ip_state.c (blocking packets won't help because
> state check happens before that...mmm, having the source..
> but that'll change soon too, in 4.0alpha O:-).
>
> I will be updating 4.0alpha later...
>
> Darren
>
> ftp://coombs.anu.edu.au/pub/net/ip-filter/ip_fil3.4.9.tar.gz
> ftp://coombs.anu.edu.au/pub/net/ip-filter/patch-3.4.9.gz
> ftp://coombs.anu.edu.au/pub/net/ip-filter/ip_fil3.3.18.tar.gz
> ftp://coombs.anu.edu.au/pub/net/ip-filter/patch-3.3.18.gz
>
> --------------------------------------------------------------------
> 3.4.9 08/08/2000 - Released
>
> implement new aging mechanism in fr_tcp_age()
>
> fix icmp state checking bug
>
> revamp buildsunos script and build both sparcv7/sparcv9 for Solaris
> if on an Ultra with a 64bit system & compiler (Casper Dik)
>
> open ipfilter device read only if we know we can
>
> print out better information for ICMP packets in ipmon
>
> move checking for source spoofed packets to a point where we can generate
> logs of them
>
> return EFAULT from ircopyptr/iwcopyptr
>
> don't do ioctl(SIOCGETFS) for auth stats
>
> fix up freeing mbufs for post-4.3BSD
>
> fix returning of inc from ftp proxy
>
> fix bugs with ipfs -R/-W (Casper Dik)
>
> 3.4.8 19/07/2000 - Released
> --------------------------------------------------------------------
> 3.3.18 08/08/2000 - Released
>
> fix up command checking in the ftp proxy
>
> fix getting the version from the kernel for solaris
>
> fix icmp state checking bug
>
> print out better information for ICMP packets in ipmon
>
> open ipfilter device read only if we know we can
>
> 3.3.17 08/07/2000 - Released
> --------------------------------------------------------------------
>
> ----- End of forwarded message from Darren Reed -----
----- End of forwarded message from Darren Reed -----
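
Added example, not part of the original message and not IP Filter source: a sketch of a routing-table source check with the three fr_chksrc settings described above. The route table, interface names, and the functions route_ifname() and check_source() are constructed for illustration; it assumes the check compares the receiving interface with the interface the route back to the source would use, and that setting 2 drops as well as logs.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed routing table: prefix, prefix length, interface. */
struct route { uint32_t prefix; int len; const char *ifname; };

static const struct route rtable[] = {
    { 0x0A000000u,  8, "inside0"  },  /* 10.0.0.0/8     */
    { 0xC0A80100u, 24, "dmz0"     },  /* 192.168.1.0/24 */
    { 0x00000000u,  0, "outside0" },  /* default route  */
};

enum verdict { PASS, DROP };

/* Longest-prefix match: the interface we would use to reach addr. */
static const char *route_ifname(uint32_t addr)
{
    const char *best = NULL;
    int bestlen = -1;
    for (size_t i = 0; i < sizeof(rtable) / sizeof(rtable[0]); i++) {
        /* Avoid an undefined 32-bit shift for the /0 default route. */
        uint32_t mask = rtable[i].len ? ~0u << (32 - rtable[i].len) : 0;
        if ((addr & mask) == rtable[i].prefix && rtable[i].len > bestlen) {
            best = rtable[i].ifname;
            bestlen = rtable[i].len;
        }
    }
    return best;
}

/* chksrc: 0 = no check, 1 = check, 2 = check and log (assumed semantics).
 * *logged is incremented once per log record written. */
static enum verdict check_source(int chksrc, uint32_t src,
                                 const char *in_if, int *logged)
{
    if (chksrc == 0)
        return PASS;
    const char *rif = route_ifname(src);
    if (rif != NULL && strcmp(rif, in_if) == 0)
        return PASS;               /* source is reachable via arrival interface */
    if (chksrc == 2) {
        (*logged)++;
        fprintf(stderr, "bad source %08x on %s\n", (unsigned)src, in_if);
    }
    return DROP;
}

int main(void)
{
    int logged = 0;
    /* 10.1.2.3 arriving on the outside interface fails the check. */
    return check_source(2, 0x0A010203u, "outside0", &logged) == DROP ? 0 : 1;
}
```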