Latest IPfilter merged into NetBSD-current
Darren Reed is the author if IPfilter and also a NetBSD developer.
IPfilter is one of the packet filters available in NetBSD,
and the latest version (5.1.1) was imported into NetBSD-current
by darren. Citing from
his mail to tech-net,
there are a few interesting changes and new features:
``To start with, the man pages for ipf(5) and ipnat(5) have been
rewritten from scratch to make them easier to understand and
thus easier to use the various features in IPFilter. In addition
there is now an ipmon(5) that supports delivery of log messages to
different destinations - including generating SNMP traps messages.
There are a few new actions that can be used with ipnat.conf. The
one that will be of most interest to people is "rewrite" which
supports translation of both the source and destination address
with a single rule. Use of an rdr/map combination is no longer
required. There are also some others that are more experimental.
One of those is a "divert" action that takes a packet and puts an
IP + UDP header on the front, allowing "raw packets" to be delivered
to any socket. Similarly, replies from that socket have the relevant
header data removed.
There are a few extras for ipf.conf, most notably it now allows
for defining limits on how many different hosts/networks can have
a state entry in the state table for each rule. IPFilter 5.1.1 also
supports specifying a filter rule group for the filtering of ICMP
packets that match an entry in the state table. Additionally, there
is a new rule - "decapsulate". This has been designed to allow
filtering on "inner headers" of packets that have been encapsulated
in clear text. It will, for example, allow filtering on IPv4 headers
inside of IPv6 packets (or vice versa.)
It is no longer required to have a separate ipf6.conf file. Both
IPv4 and IPv6 packets can be used in the same file. For those that
have separate files today, they should not interfere with each other
unless you have "block in all" for IPv4 and "pass in all" for IPv6
or similar. In that case, the "block in all" will affect IPv6 traffic.
This is a reflection of the internal design where there is now only
a single list of filter rules, not one for each protocol. Check the
man page for ipf.conf for more details.''
[Tags: ipfilter, Security]