What's new in IPFilter 4.1
==========================
(Well, compared to 3.*, anyway)
In no particular order, except headline alphabetical:

Administration:
          - Run-time support for modifying ipf table size parameters.
          - Run-time support for tuning other ipfilter parameters.

Content Scanning:
          - Simple matching of content for TCP session startup.

Firewall Synchronising:
          - Master/slave programs available.

General:
          - All input files allow simple 'macro' definitions and expansion,
            including nesting.
          - Code has been rototilled to make maintenance and enhancements
            easier for me and you.
          - More configuration files and binaries.
          - Takes up more memory.
          - Probably slower.
          - Versioned API to support changes in the ABI without breaking
            existing binaries (4.0 onward only.)
          - IP-Filter framework in place for handling multiple different
            types of packet matching for firewalling.
          - IP Id number rewriting available.
          - Verification of checksums for recognised packet types.
          - Optionally enable/disable IP forwarding when enabled/disabled.

IPF:
          - BPF syntax available for matching packets in ipf rules (1).
          - Can convert IPv4 ipf rules into C code and either:
            * load them as an LKM; or
            * compile them statically into the kernel (where possible.)
          - Address pools allow for simpler rules covering large numbers of
            addresses/networks (IPv4 only).
          - Lookup functions available to map an IPv4 address to a group.
          - Groups can be referenced by multiple heads for subroutine-like use.
          - NAT/ipf rules can refer to each other via a tag, creating an implied
            join that forms part of the packet matching.
          - Extra packet attributes available for filter rules:
            * source address/routing interface mismatch;
            * multicast (3);
            * broadcast (2,3);
            * state lookup partially failed;
            * out of the TCP window for a state connection;
            * NAT lookup partially failed.
          - PPS (packets per second) matching available for ipf rules.
          - Rule collections (cf FreeBSD numbering) supported for ipf rules.
          - Groups can now be names rather than just numbers.

IPV6:
          - Understands extension headers.
          - Can filter on extension headers.

Logging:
          - ipmon now comes with a configuration file for more advanced logging
            behaviour.
          - Can append arbitrary logging tags with ipf rules for easy matching.

NAT:
          - "sticky" mapping available to ensure an address translation on
            a per-address basis is always the same (while known) for a set
            IP address.

Operating System Support:
          - HP-UX 11 added.
          - Tru64 5.1a added.
          - Solaris/HP-UX now use pfil STREAMS module.
          - Linux 2.4 on the way.

Proxies:
          - PPTP proxy added.
          - IRC proxy added.
          - RPCBIND proxy added.
          - FTP proxy support for EPSV (IPv4 only.)

Stateful Inspection:
          - Can insist that all TCP data arrives in order.
          - Can insist that all fragments pass through in order.
          - The number of states created per-rule can be set where the total
            across all rules may exceed the maximum allowed.
          - Can elect not to automatically match ICMP error packets.
          - TCP sequence number rewriting supported.

(1) - Requires libpcap for rule parsing.
(2) - On Solaris/HP-UX, broadcast packets are seen as multicast packets.
(3) - Not supported on SunOS4.
91