Current Path : /usr/src/contrib/ipfilter/ |
FreeBSD hs32.drive.ne.jp 9.1-RELEASE FreeBSD 9.1-RELEASE #1: Wed Jan 14 12:18:08 JST 2015 root@hs32.drive.ne.jp:/sys/amd64/compile/hs32 amd64 |
Current File : //usr/src/contrib/ipfilter/WhatsNew40.txt |
What's new in IPFilter 4.1 ========================== (Well, compared to 3.*, anyway) In no particular order, except headline alphabetical: Administration: - Run-time support for modifying ipf table size parameters. - Run-time support for tuning other ipfilter parameters. Content Scanning: - Simple matching of content for TCP session startup. Firewall Synchronising: - Master/slave programs available. General: - All input files allow simple 'marco' definitions and expansion, including nesting. - Code has been rototilled to make maintenance and enhancements eaiser for me and you. - More configuration files and binaries. - Takes up more memory. - Probably slower. - Versioned API to support changes in the ABI without breaking existing binaries (4.0 onward only.) - IP-Filter framework in place for handling multiple different types of packet matching for firewalling. - IP Id number rewriting available. - Verification of checksums for recognised packet types. - Optionally enable/disable IP forwarding when enabled/disabled. IPF: - BPF syntax available for matching packets in ipf rules (1). - Can convert IPv4 ipf rules into C code and either: * load them as an LKM o; * compile them statically into the kernel (where possible.) - Address pools allow for simpler rules covering large numbers of addresses/networks (IPv4 only). - Lookup functions available to map an IPv4 address to a group. - Groups can be referenced by multiple heads for subroutine-like use. - NAT/ipf rules can refer to each other via a tag, creating an implied join that forms part of the packet matching. - Extra packet attributes available for filter rules: * source address/routing interface mismatch; * multicast (3); * broadcast (2,3); * state lookup partially failed; * out of the TCP window for a state connection; * NAT lookup partially failed. - PPS (packets per second) matching available for ipf rules. - Rule collections (cf FreeBSD numbering) supported for ipf rules. - Groups can now be names rather than just numbers IPV6: - understands extension headers. - can filter on extension headers. Logging: - ipmon now comes with a configuration file for more advanced logging behaviour. - Can append arbitrary logging tags with ipf rules for easy matching. NAT: - "sticky" mapping available to ensure an address translation on a per-address basis is always the same (while known) for a set IP address. Operating System Support: - HP-UX 11 added. - Tru64 5.1a added. - Solaris/HP-UX now use pfil STREAMS module. - Linux 2.4 on the way. Proxies: - PPTP proxy added. - IRC proxy added. - RPCBIND proxy added. - FTP proxy support for EPSV (IPv4 only.) Stateful Inspection: - Can insist that all TCP data arrives in order. - Can insist that all fragments pass through in order. - The number of states created per-rule can be set where the total across all rules may exceed the maximum allowed. - Can elect not to automatically match ICMP error packets. - TCP sequence number rewriting supported. (1) - Requires libpcap for rule parsing (2) - On Solaris/HP-UX, broadcast packets are seen as multicast packets. (3) - Not supported on SunOS4