1.2.9 28/10/2002 released - Fixed support for 32-bits IP Filter v3.4.x rule group numbers (previous incorrect implementation was introduced in IPA-1.1.3) - Now it is possible to remove not needed accounting systems support with the help of -DWITHOUT_{IPFW|IP6FW|IPFIL|PF} options - Now FreeBSD IPFW2 is supported - "getsockopt(IPV6_FW_GET): Invalid argument" IPv6 Firewall bug was fixed - Minor improvements for IPv4/v6 Firewall support 1.2.8 27/09/2002 released - Locale names have been renamed ru_SU* -> ru_RU*, ru_SU* now are symlinks - Fixed some minor bugs - Now a new record is added to each accounting file after reconfiguration - Now ipa(8) and ipastat(8) do not use database locking feature by default - All manual pages were updated to reflect changes in IPA - The -u switch was removed from and the -L switch was added to ipastat(8) - All code of ipa(8) was revised, now ipa(8) tests directories and files in the database more carefully - Several bugs and memory leak with the "db_dir" parameter were fixed - Added new parameter "db_group" - Parameters "acl", "db_owner", "db_perm" have been removed 1.2.7 30/06/2002 released - SECURITY PROBLEM: I removed SUID bit from ipastat(8) due to security problems, and don't even try to set it back. Admins who use the "db_owner" parameter *and* use some safe user/group, *and* didn't forget to set the same safe user/group for the ipastat(8) program, as it was said in the SECURITY NOTE on the ipastat(8) manual page, should not worry a lot. Admins, who ignored that SECURITY NOTE, should double check security of their systems and change all passwords, secrets keys, etc., if you think that somebody cracked your systems by ipastat(8). I'm sorry about this sad program mistake. - Now ipl.h, ip_fil.h, ip_compat.h (and ip_fil_compat.h) files are searched by the gensysinfo script in /usr/include, /usr/src/sys/netinet, /usr/src/sys/contrib/ipfilter/netinet directories 1.2.6 19/06/2002 released - Now '{', '}', '#' and ';' characters are not allowed for naming rules and limits - Fixed bug in ipa(8): when ipa(8) parsed "rule" and "limit" sections, it accessed not allocated memory (this bug was introduced in IPA-1.2.1), also remove some memory leaks - Fixed bug in ipa(8): if the "include" section was used, then ipa(8) could free(3) no tallocated chunk of memory and also could access to not allocated memory - Fixed some similar bugs in ipa(8): some functions return 0 instead of -1 to indicate an error 1.2.5 03/04/2002 released - Added new switch to ipastat(8): -x, treat rule names as POSIX regular expressions - Fixed incorrect parsing of debug_* parameters arguments 1.2.4 10/03/2002 released - Added new switch to ipastat(8): -p - Fixed incorrect usage of functions in async signal handlers: usage of some functions in async signal handlers is not allowed by POSIX (async-signal-safe functions) 1.2.3 30/01/2002 released - Fixed one bug in ipa(8): ipa(8) incorrectly understood "unknown type of frentry" in the IP Filter kernel table, actually this is IP Filter's bug - Revised manual pages and documentation - Minor improvements 1.2.2 25/12/2001 released - Added OpenBSD Packet Filter support - Added protection against including already included configuration files - Fixed possible incorrect work with fcntl(2) (was used, when sending a signal to the working copy of ipa(8)) 1.2.1 18/11/2001 released - Added new switch to ipastat(8): -k, assume that 1k is equal to 1000 bytes - Now it is possible to use abbreviated month names in -i and -I options in ipastat(8) - Now it is possible to run from the ipa(8)'s command line commands from "reach" and "expire" sections - Speed-up configuration file parsing 1.2 09/11/2001 released - Added new section "include" and new parameter "debug_include" to the configuration file, also two switches "-tt" for ipa(8) have new sense - Now ipastat(8) correctly determines last day in the month in incomplete time intervals (before it just sets last day to 31) - Fixed bug in ipastat(8): incomplete time intervals were not the same in the -i and in the -I option - If gensysinfo script can't find ipl.h file, then it tries to parse output of the "/sbin/ipf -V" command - Minor improvements and code style changes 1.1.6 03/10/2001 released - Implemented new method of handling overflowed IPv4/v6 Firewall and IP Filter accounting rules with the "maxchunk" parameter (thanks to Vlad Timoshik for the idea). Read more information in the ipa.conf(5) manual page - Now ipa(8) understands new signal: USR1, corresponding option is "-k dump" 1.1.5 04/09/2001 released - Fixed two incorrect memory access bugs in ipa(8) - Fixed bug: "ipa -t" didn't show "info" parameters - Fixed bug: IPA could not be built on some versions of FreeBSD with IPv6 Firewall support - Fixed some incorrect explanations of time intervals in the ipastat(8) manual page 1.1.4 16/07/2001 released - Added new options and new feature to ipa(8): [-r [-l ]] section [subsection] 1.1.3 25/06/2001 released - Now IP Filter version is determined by parsing netinet/ipl.h file - Changed IP Filter rule group size from 16 bits to 32 bits, because of the same changes in IP Filter v3.4.x - Changed -l option in ipa(8): -l -> -L - Manual pages were translated to Russian (thanks to all who asked to do it) - A lot of errors were fixed in manual pages 1.1.2 19/04/2001 released - Improved understanding of incomplete queries in -i and -I options in ipastat(8): now -i 2000 means -i 2000.01.01/00:00:00-2000.12.31/24:00:00 1.1.1 24/03/2001 released - Added new option to ipastat(8): -R allows to output summary accounting information - Added new option to ipastat(8): -q, don't read and output any "info" files 1.1 03/03/2001 released - Added NetBSD support - Added FreeBSD IPv6 Firewall support - Added new option to ipa(8): -c , specifies the ipa(8) should chroot() into immediately - Fixed incorrect work with "if_limit_is_not_reached" section in "rule" section - Fixed bug: ipa(8) could forget that all commands in "reach" or "expire" sections are executed 1.0.4 11/02/2001 released - Fixed bug, which could cause core dump, strange incorrect work with "exec" parameter (thanks to Billy for bug reports and testing) - Fixed bug: when some command in the "exec" parameter wrote to unopened descriptor (for example stderr), then files in database could be damaged 1.0.3 21/01/2001 released - Fixed bug with "acl" parameter: groups didn't work in ACL - Fixed security bugs with exec()-like parameters: inherited supplementary GIDs - Added new parameter to "global" section: "only_abs_paths" - Fixed reconfigure facility. When ipa(8) couldn't parse configuration file, it begun to test it undefined times. Removed memory leak with worktime parameter - Added new option to ipa(8): -l , probably should be used with -p option 1.0.2 02/01/2001 released - Added OpenBSD support (thanks to Chris Cappuccio for the initial patch) - New record is always appended to database when ipa(8) starts - Fixed bugs with timestamps - Added new option to ipa(8): -p , this option allows to start more then one copy of ipa(8) - Added database locking feature and three parameters: "lock_db", "lock_wait_time" and "debug_lock" - Fixed reconfigure facility. When ipa(8) couldn't parse configuration file, it began to use some new settings 1.0.1 04/12/2000 released - Fixed bug in database implementation: now a record at the end of the day is updated with second timestamp equal to 24:00:00 - Fixed bugs with -i and -I options in ipastat(8) - Changed format for worktime parameter: added '*' for all minutes in a day - Added sorting of rules and limits when -a switch is used 1.0 20/11/2000 released - Initial public release