Re: IPFilter 4.1.10

Never mind, I found it... Could pfil be placed in the same
directory as ipfilter please?

On Thu, 8 Dec 2005, Jeff A. Earickson wrote:

> Date: Thu, 8 Dec 2005 09:55:53 -0500 (EST)
> From: Jeff A. Earickson <jaearick@colby.edu>
> To: Darren Reed <darrenr@reed.wattle.id.au>
> Cc: ipfilter@coombs.anu.edu.au
> Subject: Re: IPFilter 4.1.10
>
> Darren,
>
> Is there a new version of pfil? I remember a mention of pfil-2.1.7
> on the list a while back, but all I find on avalon is 2.1.6. Which
> version of pfil should we use with 4.1.10?
>
> Jeff Earickson
> Colby College
>
> On Thu, 8 Dec 2005, Darren Reed wrote:
>
>> Date: Thu, 8 Dec 2005 21:23:20 +1100 (EST)
>> From: Darren Reed <darrenr@reed.wattle.id.au>
>> To: ipfilter@coombs.anu.edu.au
>> Subject: IPFilter 4.1.10
>>
>>
>> There are a couple of significant changes between 4.1.9 and 4.1.10.
>>
>> Firstly, after spending some time with gcov, I've taken steps to expand
>> the number of lines of code that the test suite covers. I'll continue
>> to work on expanding the coverage here until I'm satisfied that as much
>> of the code can be tested with ipftest as possible.
>>
>> Next, there have been some problems on Solaris with sending TCP RST
>> and ICMP packets back, causing panics due to bad use of locks. These
>> problems have been licked.
>>
>> Lastly, I've spent some time closely analysing packet traces from
>> situations where TCP out of window (OOW) packets have been resulting
>> in RSTs being sent and the connections closed. As noted in an earlier
>> email, there have been two contributors to this: window scaling being
>> incorrectly turned off and bugs in Microsoft Windows XP/2000's TCP,
>> especially SACK. My advice is that if you're having problems with
>> "keep state" and TCP data transfers with Windows, disable SACK. To
>> reduce the problem, RST packets are no longer sent if a packet is OOW,
>> the offender will just be dropped.
>>
>> Of course there are other changes and bug fixes, including those
>> posted to this list - see below for a bigger summary.
>>
>> http://coombs.anu.edu.au/~avalon/ip_fil4.1.10.tar.gz
>>
>> MD5 (ip_fil4.1.10.tar.gz) = 6d00cb091ba047738d2c14a23b3020ed
>> MD5 (patch-4.1.10.gz) = b0bf95ffdbae2a3d877aadb214f68a97
>>
>> Darren
>>
>> 4.1.10 - Released 6 December 2005
>>
>> Expand regression testing to cover more features
>>
>> Add "coverage" build target for BSD
>>
>> Fix building 64bit sparc target for Solaris
>>
>> Add IPv6 mobility header to list of accepted keywords for V6 headers
>>
>> Resolve locking problems on Solaris when sending RST/icmp packets
>>
>> #ifdef's for IPFILTER_BPF need to check if words are defined before
>> using them in comparisons
>>
>> Add checking for SACK permitted option in TCP SYN packets
>>
>> Fix loading anonymous pools from inline rule configuration groups
>>
>> Add -C command line option to ipftest
>>
>> Include extra "const" from NetBSD
>>
>> Don't require SIOCKSTLCK for SIOCSTPUT
>>
>> Fix some use of "sticky" on NAT rules
>>
>> Fix statistical counting of deleting state for TCP connections
>>
>> Fix compile problems caused by changes to is_opt/is_optmsk in ip_sync.c
>>
>> Fix TCP out-of-window (OOW) problems:
>> - window scaling turned off if one chose for its scale factor
>> - Microsoft Windows TCP sends the "next packet" to the right of the window
>> when using SACK and filling in a hole
>>
>> 4.1.9 - Released 13 August 2005
>>
>