Linux IP Firewalling Chains: History

1.3.10 release

• Fixed wildcard interfaces getting extra + with `-A input -v'.
  [ Howard Lowndes ]
• `Maximize throughput' not `minimize throughput' for TOS
  [ Adam Kumiszcza ]
• --delete-chain now takes optional arg, like -X.
  [ Lothar Gerlach ]
• Man page grammar and typo fixes,
  [ Hans Persson ]
• -h message fixes
  [ Hans Persson ]

• Now make install directories if they don't exist
  [ Marc Haber ]
• PREFIX prefix to installation directories
  [ Ytiddo ]
• Warn about `-i !eth0' and `-i eth0:0'.
  [ John Martinez ]
• ICMP numbers printed in -h icmp
  [ Brett Eldridge ]

1.3.9 release

• `!' argument handling cleanup: no longer swallowed silently if ! used after a single arg to `-d' and `-s' options.
• `--sport ! 53' now parses.
• Fixed usage message (--delete-chain not --delete, and --set not --masquerade).
• Fixed TOS value warning for Minimize Cost.

• warns about manipulating forward chain when forwarding disabled, to avoid #1 FAQ (use --no-warnings) to suppress.
  [ Based on Andrew Wansink's patch ]
• Changed --proto to --protocol (you can still used --proto of course).
• Added --line-numbers option for listing chains.
  [ Thanks to Danek Duvall ]
• Improved warning for `-j MASQ' if not masq. kernel.
• Clarified -i meaning (for different chains) in man page.
• Added DIAGNOSTICS section to man page.
• ipfw man page now mentions fw_outputsize field in /proc.
• libipfwc now has ipfwc_get_raw_socket() function.
• libipfwc now returns "" not "-" for accounting rules.
• refcard updated to Scott's latest masterpiece.

1.3.8 release

• -L of chains other than `input' now works. [ Thanks to Bernhard Weisshuhn ]

1.3.7 release

• -Z option no longer acts like -F. [ Thanks to Win Raets ]
• -M by itself no longer causes an abort.
• -C works again.
• -L -M doesn't report an error after successful completion.

• Long options are here at last! [ Thanks to Andi Kleen ]

1.3.6 release

• No longer asks for bug report if invalid rulenum supplied. [ Unknown source: lost in hard drive crash, sorry. ]

• Includes reference card!
• HOWTO updated: 1.0.3. DNS corrections, new section on typical network layouts in which ipchains is interesting.
• Now only includes text version of HOWTO: rest in separate package.
• Reworked to move manip routines into separate library for others to reuse.

1.3.5 release

• Makefile `install' target fixed. [ Thanks to Samuli Kaski and others ]
• ipchains manpage reference to `REDIR' target fixed (it's `REDIRECT'). [ Thanks to Russell Coker ]
• ipchains man page reference to multiple ports removed.
• ipchains now stricter checking on possible policies. [ Thanks to Ryszard Lach ]
• ipchains prints timeout correctly for when HZ != 100 [ Thanks to Richard Henderson ]
• ipchains gives an intelligent error when trying to create an already existing chain.

• HOWTO updated: closer to LDP style guide, new FAQ section, minor corrections.
• ipchains tells you which compulsory option you missed.
• Makefile updated for new HOWTO targets.
• ipchains.c global variables cleaned up.

ipchains-scripts 1.0.2 release

• Handles arguments slightly better.

• New man pages for ipchains-save, ipchains-restore and the ipfwadm wrapper. Thanks to the Debian maintainer for these.

1.3.4 release

• `-j REDIRECT' (without a port number) works. [Thanks to Leos Bitto]

ipchains-scripts 1.0.1 release

• ipfwadm-wrapper calls /sbin/ipfwadm.real if it exists, and we seem to be on an old kernel.
• ipfwadm-wrapper should now work with bash 1.x.
• ipfwadm-wrapper now accepts the obsolescent `-a m' flag.

ipchains-scripts 1.0 release

• ipchains-save now updated to work with latest kernel.
• ipfwadm-wrapper interface handling fixed.

• Split scripts and libfw into separate archives from main ipchains source.

1.3.3 release

• Header order changed; should now compile under libc5 [Thanks to Shaw Carruthers]
• -o option added to man page.
• ipchains-save now works again, and ipchains-restore checks that ipchains command actually succeeds.

• Mark value printed as hex, for easier human parsing.
• HOWTO updates to cover new official status, and treatment of truncated packets as fragments (expected in 2.1.103).

1.3.2a release

• Packet dumping code now prints dst IP (not src IP twice). [Thanks to Alexey Kuznetsov].
• Reject too-small ICMP fragments just like UDP fragments.
• Fixed Makefile and bogus patch element.

1.3.2 release

• Reduced in-kernel size (now only 3.5k bigger than old ip_fw.c code).
• ipchains now understands arbitrary masqueraded protocols. [Thanks to Marco Kremer (mabi)]

• HOWTO example fixed. [Thanks to Jim Kunzman]
• ipchains version string now fixed. [Thanks to Jim Kunzman]
• ipchains now gives error on specifying a too-long chain name. [Thanks to Gerard Gerritsen]
• ipchains -S works again, with or without -M. [Thanks to Serge Sivkov]

1.3.1 release

• Format of policy-change kernel interface changed, to allow same ipchains binary under both 2.0 and 2.1 kernels, and simplify glibc interface.
• Userspace tools now compile under glibc.
• Binary release now glibc.
• Binary release no longer includes `ipfw.4' man page.
• Updated HOWTO.

• Fixed typo which cause mark not to be initialised to 0.
  [Thanks to Alexey Kuznetsov].
• Removed extraneous debug messages for 2.0 kernels.
  [Thanks to Ricardo Kustner].
• Fixed race condition correctly.
• Now compiles under SMP.

1.3.0 release

• `ipchains -X' now deletes all user-defined chains.
  [Thanks to feedback from John D. Hardin]
• Can now specify what packets to be copied to NETLINK device (2.1.x kernels only).
• A simple library to make using the netlink device easier.
• Understands ICMP masquerading.
• Policies have packet and byte counters, for completeness.
• Should be SMP safe now (testers wanted; my laptop is not SMP).
• Introduced libfw.

• Many documentation and HOWTO fixes and updates.
  [Thanks to Dr. Liviu Daia and Matt Kemner.]
• ipchains-save bugfix with destination ports.
  [Thanks to Kevin Littlejohn.]
• Masquerading listing fixed.
  [Thanks to Franck Sicard.]
• Bogus `loop detected' message due to race condition now fixed (also fixes possibility of counter inaccuracies).
  [Thanks to Helmut Adams]
• Masquerading modules now fixed for 2.0.x kernels.
  [Thanks to Marko Injac, and feedback from R. Garth Wood].
• Verbose packet info now logged at KERN_INFO level.
  [Thanks to Dr. Liviu Daia.]

1.2.2 release

• HOWTO updates.
• Kernel policies output changed from numbers to names, for consistency across kernel versions.
• Introduced 2.0 kernel series support.

• ipchains-save and ipchains-restore fixed to handle userdefined chains better.
• Fixed TOS handling in ipfwadm-wrapper script.

1.2.1 release

• Fixed interface (`-i') parsing in ipchains.

1.2 release

• Wildcard interface support.

1.1.1 release

• ICMP codes (as well as types) supported.
• icmp names supported.
• ipfwadm-wrapper released.

• ipchains-save and ipchains-restore fixed.
• -b flag when used with address masks fixed.

1.1 release

• HOWTO introduced.
• ipchains-save and ipchains-restore introduced.
• Inverse rule support.
• -k (TCP ACK) option removed.
• -b (BIDIR) option removed from kernel: handled in userspace.
• Multiple port support removed.
• Test suite removed from release.

• Handling of listing > 8 rules fixed.

1.0.2 release

• Interface address support removed.
• Added skbuff marking support.

1.0.1 release

• Generic protocol support added.
• Tighter TOS checking.
• TOS can now be specified by name.
• New target: RETURN.

• Port range handling fixed.
• Append and delete entry heisenbug fixed.

Enjoy!