This is a discussion on Re: IPFilter 4.1.10 within the IPFilter forums, part of the System Security and Security Related category.
Darren,

Is there a new version of pfil? I remember a mention of pfil-2.1.7 on the list a while back, but all I find on avalon is 2.1.6. Which version of pfil should we use with 4.1.10?

Jeff Earickson
Colby College

On Thu, 8 Dec 2005, Darren Reed wrote:

> Date: Thu, 8 Dec 2005 21:23:20 +1100 (EST)
> From: Darren Reed <darrenr@reed.wattle.id.au>
> To: ipfilter@coombs.anu.edu.au
> Subject: IPFilter 4.1.10
>
>
> There are a couple of significant changes between 4.1.9 and 4.1.10.
>
> Firstly, after spending some time with gcov, I've taken steps to expand
> the number of lines of code that the test suite covers. I'll continue
> to work on expanding the coverage here until I'm satisfied that as much
> of the code can be tested with ipftest as possible.
>
> Next, there have been some problems on Solaris with sending TCP RST
> and ICMP packets back, causing panics due to bad use of locks. These
> problems have been licked.
>
> Lastly, I've spent some time closely analysing packet traces from
> situations where TCP out of window (OOW) packets have been resulting
> in RSTs being sent and the connections closed. As noted in an earlier
> email, there have been two contributors to this: window scaling being
> incorrectly turned off and bugs in Microsoft Windows XP/2000's TCP,
> especially SACK. My advice is that if you're having problems with
> "keep state" and TCP data transfers with Windows, disable SACK. To
> reduce the problem, RST packets are no longer sent if a packet is OOW,
> the offender will just be dropped.
>
> Of course there are other changes and bug fixes, including those
> posted to this list - see below for a bigger summary.
>
> http://coombs.anu.edu.au/~avalon/ip_fil4.1.10.tar.gz
>
> MD5 (ip_fil4.1.10.tar.gz) = 6d00cb091ba047738d2c14a23b3020ed
> MD5 (patch-4.1.10.gz) = b0bf95ffdbae2a3d877aadb214f68a97
>
> Darren
>
> 4.1.10 - Released 6 December 2005
>
> Expand regression testing to cover more features
>
> Add "coverage" build target for BSD
>
> Fix building 64bit sparc target for Solaris
>
> Add IPv6 mobility header to list of accepted keywords for V6 headers
>
> Resolve locking problems on Solaris when sending RST/icmp packets
>
> #ifdef's for IPFILTER_BPF need to check if words are defined before
> using them in comparisons
>
> Add checking for SACK permitted option in TCP SYN packets
>
> Fix loading anonymous pools from inline rule configuration groups
>
> Add -C command line option to ipftest
>
> Include extra "const" from NetBSD
>
> Don't require SIOCKSTLCK for SIOCSTPUT
>
> Fix some use of "sticky" on NAT rules
>
> Fix statistical counting of deleting state for TCP connections
>
> Fix compile problems caused by changes to is_opt/is_optmsk in ip_sync.c
>
> Fix TCP out-of-window (OOW) problems:
> - window scaling turned off if one chose for its scale factor
> - Microsoft Windows TCP sends the "next packet" to the right of the window
>   when using SACK and filling in a hole
>
> 4.1.9 - Released 13 August 2005
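The out-of-window problem described in the announcement above, as an added example that is not part of the original post and is not IPFilter's own code: a simplified window check showing how a state tracker that wrongly ignores the negotiated window scale classifies a legitimate segment as OOW. The struct, function names and sample values are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified receiver-side state a stateful filter keeps for
 * one direction of a TCP flow (not IPFilter's own structures). */
struct rcv_state {
    uint32_t ack;      /* last ACK number seen from the receiver */
    uint16_t raw_win;  /* unscaled 16-bit window field from that ACK */
    uint8_t  wscale;   /* shift count the receiver offered in its SYN */
    int      ws_both;  /* 1 only if both SYNs carried the wscale option */
};

enum verdict { SEG_PASS, SEG_DROP_OOW };

/* Wraparound-safe "a <= b" in 32-bit sequence space. */
static int seq_leq(uint32_t a, uint32_t b) { return (int32_t)(a - b) <= 0; }

/* Right edge of the window: ack + (window << scale). */
uint32_t right_edge(const struct rcv_state *r)
{
    uint8_t shift = r->ws_both ? r->wscale : 0;
    if (shift > 14)
        shift = 14;    /* RFC 1323 caps the shift count at 14 */
    return r->ack + ((uint32_t)r->raw_win << shift);
}

/* Pass a segment only if it ends at or after ack and at or before the right
 * edge. An OOW segment is dropped silently, with no RST, which is the
 * behaviour the announcement describes for 4.1.10. */
enum verdict check_segment(const struct rcv_state *r, uint32_t seq, uint32_t len)
{
    uint32_t end = seq + len;
    if (seq_leq(r->ack, end) && seq_leq(end, right_edge(r)))
        return SEG_PASS;
    return SEG_DROP_OOW;
}

int main(void)
{
    /* Constructed values: window field 32768 with scale 2 = 131072 bytes. */
    struct rcv_state ok  = { 1000, 32768, 2, 1 };
    struct rcv_state bug = { 1000, 32768, 2, 0 };  /* scaling wrongly off */

    printf("scaled:    %d\n", check_segment(&ok, 101000, 1460));
    printf("unscaled:  %d\n", check_segment(&bug, 101000, 1460));
    printf("past edge: %d\n", check_segment(&ok, 132072, 1460));
    return 0;
}
```

The third call models a segment that starts exactly at the right edge, which is out of window even with scaling applied.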