# Copyright 2004 Neil Gorsuch
#
# This file is part of pfilter.
#
# pfilter is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# pfilter is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

TODO:

If no interfaces are found, have all open statements to this computer
insert literal blocks to handle that.
Don't modprobe certain modules unless they are needed by the filtering.
Add to smb service allowing destination broadcast packets udp 137 138.

CHANGES:

version: 1.707; date: Tue Aug 24 13:14:06 CDT 2004; author: ngorsuch
Removed code from pfilter that hooked itself into these events and restarted
itself: "ifconfig up" or "ifconfig down" executed on any network interface.
Added code to pfilter rpm post-install to remove hooks when upgrading.

version: 1.706; date: Wed Feb  4 22:47:19 CST 2004; author: ngorsuch
Allowed interface names to be letter(s) possibly followed by digit(s),
instead of letter(s) always followed by digit(s).

version: 1.705; date: Wed Jan 14 21:02:32 CST 2004; author: ngorsuch
Turned off martian packet logging if logging level is set to none.

version: 1.704; date: Wed Jan 14 15:56:02 CST 2004; author: ngorsuch
Added logic to determine the kernel name as well as version.
Fixed the nfs service definition to work in more shells.

version: 1.703; date: Fri Dec 12 15:47:31 CST 2003; author: ngorsuch
Added code to have pfilter hook itself into these events and restart itself:
"ifconfig up" or "ifconfig down" executed on any network interface.
This does not, unfortunately, allow pfilter to be notified when 
network interfaces come up or down in the kernel.
Fixed a bug in the Makefile that sometimes caused wrong rpm builds.
Added syslog logging of pfilter start/stop/restart.
Fixed bug in Makefile that prevented the pfilter service from
being stopped if /etc/init.d exists but not /etc/rc.d/init.d.
Expanded the definition of the ping service to include icmp type 0.
Made ping from anywhere be allowed.

version: 1.702; date: Mon Nov 17 08:59:50 CST 2003; author: ngorsuch
Updated the pfilter man page to show more of the missing command line options.
Made pfilter more error tolerant:
If no interfaces found when pfilter started, pfilter still starts.
If no pfilter configuration file found, pfilter uses a default file.
If pfilter cannot write out expanded source or commands files, still starts.

version: 1.701; date: Sun Nov 16 12:35:00 CST 2003; author: ngorsuch
Added code so that pseudo interfaces created by alias
directives will have the correct broadcast address
(since the ifconfig command doesn't always do this correctly).
Fixed the ping service ruleset so that error messages are not being
generated when there is no broadcast address for an interface.
Fixed the pfilter command so that it doesn't delay for dns timeouts.
Added the replace Makefile target.
Commented out webmin support in the Makefile.

version: 1.700; date: Mon Nov  3 07:38:57 CST 2003; author: ngorsuch
Added the endpoint network service definition.
Fixed a bug that caused the pseudo interfaces created by alias 
directives to have the wrong netmask.
Fixed the Makefile to use "rpmbuild -ba" instead of "rpm -ba".

version: 1.699; date: Tue May  6 13:33:33 CDT 2003; author: ngorsuch
Moved the generated files /usr/sbin/pfilter.src and /usr/sbin/pfilter.cmds
into /etc/pfilter.src and /etc/pfilter.cmds, respectively.

version: 1.698; date: Thu Mar  6 22:40:47 CST 2003; author: ngorsuch
Fixed a mistake made in the 1.696 version change that caused opening
ping to open up more than ping.

version: 1.697; date: Thu Mar  6 22:40:47 CST 2003; author: ngorsuch
Fixed a bug in the forwarding directives so that they would work
when forwarding an outward natted connection into a private network.

version: 1.696; date: Fri Feb 28 16:12:44 CST 2003; author: ngorsuch
Expanded the definition of the ping service to include broadcast pings.

version: 1.695; date: Sun Feb 23 23:32:00 CST 2003; author: ngorsuch
Added surmised broadcast addresses to the addresses that are not
logged in limited logging mode.

version: 1.694; date: Sun Feb 23 23:05:38 CST 2003; author: ngorsuch
Changed limited logging mode to not log broadcast packet rejections.

version: 1.693; date: Thu Jan 23 10:47:03 CST 2003; author: ngorsuch
Finished fixing a bug that prevented the init.d pfilter scripts from
working when the environment variable for system language was not
set to English.

version: 1.692; date: Mon Jan 13 20:02:12 CST 2003; author: ngorsuch
Fixed a bug that prevented the init.d pfilter scripts from working when
the environment variable for system language was not set to English.
Updated copyright notices to 2003.

version: 1.691; date: Tue Dec  3 13:45:44 CST 2002; author: ngorsuch
Improved Makefile prototype to final files editing.
Moved the init.d start/stop system script to /etc/init.d/pfilter.
Modified the /etc/init.d/pfilter script to work on
Redhat, Mandrake, and SuSE type init.d structures.

version: 1.690; date: Thu Oct 10 01:11:24 CDT 2002; author: ngorsuch
Changed the "bug Neil" error messages to also list Neil's email address.

version: 1.689; date: Wed Oct  9 23:03:09 CDT 2002; author: ngorsuch
Fixed NFS open/closing.

version: 1.688; date: Sun Sep 22 10:19:29 CDT 2002; author: ngorsuch
Fixed pfilter.conf man page to show low:high instead of low-high for
port ranges. Updated man pages email address to ngorsuch@ncsa.uiuc.edu.

version: 1.687; date: Sat Sep 14 02:27:45 CDT 2002; author: ngorsuch
Allowed the %LOOP to have beginning/ending values separated by ..
so that "host9 .. host11" expands to "host9 host10 host11" and
"097 .. 101" expands to "097 098 099 100 101". Added --nolimits
and --limits command line flags to control .. range expansion limits.
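The ".." range expansion described in the 1.687 entry, as an added example (my own Python implementation, not pfilter's Perl code): it requires both endpoints to share the same prefix, carries the zero padding of the first endpoint, and refuses ranges wider than a configurable limit, which stands in for the --limits/--nolimits switches. The default limit of 1000 and the exact error behaviour are assumptions, not taken from pfilter.

```python
import re

# One range endpoint: any prefix followed by the digits that get counted.
_ENDPOINT = re.compile(r"^(?P<prefix>.*?)(?P<num>\d+)$")

# Assumed default cap on how many values one ".." range may produce;
# pass limit=None for the equivalent of --nolimits.
DEFAULT_LIMIT = 1000


class RangeTooLarge(ValueError):
    """Raised when a ".." range would expand past the configured limit."""


def expand_range(start, end, limit=DEFAULT_LIMIT):
    """Expand "start .. end" into the list of values between them.

    Both endpoints must end in digits and share the same prefix, so
    "host9 .. host11" gives host9 host10 host11.  The numeric part keeps
    the width of the first endpoint, so "097 .. 101" gives 097 ... 101.
    """
    ms, me = _ENDPOINT.match(start), _ENDPOINT.match(end)
    if ms is None or me is None:
        raise ValueError(f"range endpoints must end in digits: {start} .. {end}")
    if ms["prefix"] != me["prefix"]:
        raise ValueError(f"range endpoints differ before the digits: {start} .. {end}")
    lo, hi = int(ms["num"]), int(me["num"])
    if lo > hi:
        raise ValueError(f"range runs backwards: {start} .. {end}")
    count = hi - lo + 1
    if limit is not None and count > limit:
        raise RangeTooLarge(f"{start} .. {end} expands to {count} values, limit {limit}")
    width = len(ms["num"])
    return [f"{ms['prefix']}{n:0{width}d}" for n in range(lo, hi + 1)]


def expand_loop_values(text, limit=DEFAULT_LIMIT):
    """Expand every "a .. b" in a whitespace-separated %LOOP value list.

    Tokens that are not part of a range pass through unchanged, so
    "lo eth0 host9 .. host11" becomes [lo, eth0, host9, host10, host11].
    """
    tokens = text.split()
    out = []
    i = 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "..":
            out.extend(expand_range(tokens[i], tokens[i + 2], limit))
            i += 3
        else:
            out.append(tokens[i])
            i += 1
    return out
```

The limit matters because a single mistyped endpoint ("host1 .. host100000") would otherwise turn into tens of thousands of generated filter rules; keeping the cap on by default and requiring an explicit opt-out mirrors the --limits/--nolimits split.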

version: 1.686; date: Wed Sep 11 23:43:36 CDT 2002; author: ngorsuch
Updated the pfilter.conf man page to list some ruleset defined
network services.

version: 1.685; date: Fri Sep  6 23:04:09 CDT 2002; author: ngorsuch
Changed default configuration file to open defined service "ssh"
instead of specifying "tcp ssh". Cleaned up default configuration file.

version: 1.683; date: Sat Aug 31 11:35:09 CDT 2002; author: ngorsuch
Changed generated output for OPEN/CLOSE directives to have the numeric
port numbers for each directive be in sorted numeric order.

version: 1.682; date: Sat Aug 31 00:51:13 CDT 2002; author: ngorsuch
Added the ability to specify an input interface for FORWARD directives.

version: 1.681; date: Mon Aug 26 02:55:14 CDT 2002; author: ngorsuch
Fixed a few minor bugs in the pfilter.rulesets man page.
Added more information to the pfilter.conf man page.

version: 1.680; date: Mon Aug 26 01:11:54 CDT 2002; author: ngorsuch
Added configuration/ruleset files looping constructs %LOOP and %ENDLOOP.
Reworked rulesetfile to use the %LOOP and %ENDLOOP constructs.
Speeded up pfilter by moving un-needed fields_without_ruleset_comment
calls into the blocks where they would actually be useful in Expand.pl.
Rewrote filtered/unfiltered/protected/unprotected interfaces logic
to avoid some fringe case errors.
Expanded some of the man pages, notably the pfilter.rulesets man page.
Updated comments at beginning of source perl files to show which
functions are in each file.

version: 1.679; date: Mon Aug 19 00:49:13 CDT 2002; author: ngorsuch
Updated the rulesets/README file.

version: 1.678; date: Sun Aug 18 15:53:42 MST 2002; author: ngorsuch
Fixed small bug in forced iptables mode.
Changed logic in iptables mode selection so that:
if the kernel is recent enough to support iptables,
and if the ipchains kernel module is still supported,
and if the /sbin/iptables program is executable,
iptables mode will be chosen with a warning message being printed.

version: 1.677; date: Wed Aug 14 13:14:22 CDT 2002; author: ngorsuch
Added support for ON interface(s) in OPEN/CLOSE directives.
Added %constant% default_route_interfaces.
Added logic so that interfaces that were not declared as PROTECTED
or as UNPROTECTED, and that would be marked as PROTECTED under certain
circumstances, will be marked so only if they are not determined to
be a default route interface.
Changed things so that the %interface_addresses% constant is available
during macro/definition/constant expansions of the configuration file,
instead of just later during output code generation as it was before.
Added more webmin pfilter code.

version: 1.676; date: Sat Jul 27 21:53:29 CDT 2002; author: ngorsuch
Improved formatting of generated code.
Fixed rpm dependencies to be more complete.
Changed the default filtered/unfiltered attribute for interfaces to filtered.
Added logic so that if one or more interfaces are declared to be protected,
all other interfaces that have not been declared as protected or unprotected
are set to be unprotected, ignoring the RFC1918 attributes of each.

version: 1.675; date: Mon Jul 22 23:38:52 CDT 2002; author: ngorsuch
Fixed the code that generates output for FORWARD configuration directives.
Fixed a bug in the parsing of configuration files that made this not
work: ... from --- to --- onto ---.

version: 1.674; date: Wed Jul 17 16:44:40 CDT 2002; author: ngorsuch
Fixed rpms to not set permissions of system directories such as /etc.

version: 1.673; date: Wed Jul 17 14:55:40 CDT 2002; author: ngorsuch
Fixed forwarding/aliasing/natting generated code so that the following
situation will work:  two different hosts on private subnet aliased to
two different public addresses can talk to each other's public addresses
through the pfilter/forwarding/aliasing machine. This means that all
packets going through the pfilter machine coming from the private address
of an aliased host will be made to look like they are coming from 
the aliased host's public address.

version: 1.672; date: Mon Jul 15 16:45:02 CDT 2002; author: ngorsuch
Fixed bugs in Makefile from last checkins.
Fixed libraries inclusion list in pfilter.in.

version: 1.671; date: Wed Jul 10 01:29:44 CDT 2002; author: ngorsuch
Changed the Makefile and rpm spec file to use an rpm buildroot directory
so that building rpms doesn't overwrite any installed pfilter files.
Added the docs directory contents to the files in the install rpm.
Added support to make the webmin rpm for pfilter, the rpm won't work
yet though since the webmin code is not complete.

version: 1.670; date: Sun Jun 30 22:13:22 CDT 2002; author: ngorsuch
Added logging options to usage message from "pfilter -h" command.

version: 1.669; date: Wed Jun 26 16:57:22 CDT 2002; author: ngorsuch
Added more logic to the ruleset defined network service smb to
allow more cases to work.

version: 1.668; date: Wed Jun 26 15:55:57 CDT 2002; author: ngorsuch
Re-wrote the sequencing of macro/constant/defines/conditionals 
processing to get rid of some marginal bugs when expanding 
complicated macros and lines with trailing conditionals.

version: 1.667; date: Tue Jun 25 21:49:37 CDT 2002; author: ngorsuch
Fixed a minor bug that, during a "service pfilter stop" or during a
"service pfilter restart" when not in verbose mode, caused these 
messages to be output when hosts are aliased:
"Removing pseudo interface INTERFACE:N ..."

version: 1.666; date: Tue Jun 25 17:43:07 CDT 2002; author: ngorsuch
Fixed minor bug that sometimes caused false error messages of:
error - invalid address ANY.

version: 1.665; date: Tue Jun 25 15:23:07 CDT 2002; author: ngorsuch
Fixed a bug that caused lines with conditionals at the end of the
line to sometimes be evaluated without define/constant substitutions.

version: 1.664; date: Tue Jun 25 14:33:51 CDT 2002; author: ngorsuch
Added more information to the values passed to ruleset defined 
network services so they can do a better job if needing to know
things like interface names or addresses or broadcast addresses.
Added support to the code generation to allow for interfaces
to be specified in open/close operations where possible.
Fixed a bug in address range processing that caused ranges such
as /24 to cause weird results when determining which network
interfaces packets can come from to go out on.
Re-organized and simplified code generation.
Improved ruleset define smb service open/close macros.
Added text to pfilter rulesets to invite people to join
the pfilter development team when they discover a combination
of outputs that needs more macro/code work.
Fixed a bug that caused the first interface name after
the INTERFACE keyword to be ignored in interface specification
directives such as UNTRUSTED OR FILTERED.
Re-wrote most of conditional/macro/defines/constants expansions,
to allow for one-pass processing which avoids some subtle
variable assigning/conditional bugs.

version: 1.663; date: Tue Jun 18 10:22:24 CDT 2002; author: ngorsuch
Added --logging and --nologging command line switches.
Added --noverbose command line switch.
Added LOGGING configuration file directive.
Added NOVERBOSE configuration file directive.
Made appropriate command line switches override configuration file.
Fixed bug in conditional expressions that didn't allow any white
space before or after the = or != operators.
Made rulesets more readable by putting white space around != and =.

version: 1.662; date: Mon Jun 17 14:22:24 CDT 2002 ; author: ngorsuch
Further refined dhcp server open/close support by adding more cases.

version: 1.661; date: Sun Jun 16 04:12:22 CDT 2002 ; author: ngorsuch
Added dhcp server open/close support by adding a ruleset file that
defines the dhcp service.

version: 1.660; date: Fri Jun 14 12:28:15 CDT 2002 ; author: ngorsuch
Finished fixing protected/unprotected interfaces packet forwarding.

version: 1.659; date: Fri Jun 14 10:02:01 CDT 2002 ; author: ngorsuch
Cleaned up formatting of generated output commands file.

version: 1.658; date: Fri Jun 14 09:11:16 CDT 2002 ; author: ngorsuch
Removed unused source file Pfilter/Error.pl.

version: 1.657; date: Thu Jun 13 23:39:04 CDT 2002 ; author: ngorsuch
Removed obsolete rulesets/pfilter file which was replaced by the
rulesets/pfilter.default.rulesets file.
Cleaned up packet forwarding generated code so that all interfaces
can be UNTRUSTED with some of them being PROTECTED.

version: 1.656; date: Thu Jun 13 19:33:20 MDT 2002 ; author: download
Flubbed a comment.  Fixed it.

version: 1.655; date: Thu Jun 13 19:27:42 MDT 2002 ; author: download
Optimized some of the shell in the makefile.  find does more work and the shell
does less execing and piping now.

version: 1.654; date: Thu Jun 13 09:48:06 CDT 2002 ; author: ngorsuch
Fixed bug that prevented ruleset defined network services from being
correctly opened for aliased hosts when they were listed on the 
line that included the ALIAS directive and the real and pseudo addresses.

version: 1.653; date: Wed Jun 12 23:59:06 CDT 2002 ; author: ngorsuch
Added instructions in the /etc/rc.d/init.d/pfilter service file to
allow users to not re-compile the pfilter configuration file every 
time so that they can customize the compiled output file and keep 
their customizations, but still use pfilter as a linux service.
Added the LITERAL and ENDLITERAL directives to the pfilter configuration
file to allow users to pass through shell command lines to the compiled
pfilter output file.

version: 1.652; date: Wed Jun 12 22:28:06 CDT 2002 ; author: ngorsuch
These are all lumped together because I did them on vacation
in places that had no internet access.
Added    TRUSTED host[s]/ip-address[es]/range[s] capability to pfilter.conf.
Added  UNTRUSTED host[s]/ip-address[es]/range[s] capability to pfilter.conf.
Added   FILTERED host[s]/ip-address[es]/range[s] capability to pfilter.conf.
Added UNFILTERED host[s]/ip-address[es]/range[s] capability to pfilter.conf.
Added the capability for OPEN/CLOSE directives to not specify any 
protocols/ports/services, which makes them have the same effect as 
TRUSTED/UNTRUSTED directive lines that specify source address (range)(s).
Added the capability for TRUSTED/UNTRUSTED directives to specify 
destination addresses with a TO keyword before the addresses.
Fixed code that uses ruleset defined text including network services.
Added capability for lopsided ruleset defined text including network
services, for instance by defining the macro service-NAME-open but 
not defining the name service-NAME-close.
Made small improvements to man pages.
Fixed bug that prevented macro invocations with leading space from being
recognized and expanded.
Added --dumpservices flag to dump ruleset defined text including services.
Added --nooptpath flag to disable source-destination optimizations.
Removed unused code blocks that were already commented out (but left
all the commented out debug print segments in case I want to uncomment
them for debugging).
Fixed bug introduced by last change in service pfilter restart.

version: 1.651; date: Mon May 20 17:28:58 CDT 2002 ; author: ngorsuch
Added proper output to service pfilter start/stop/restart commands.

version: 1.650; date: Sat May 18 10:26:23 MDT 2002 ; author: download
Simplified matching of DEBUG and VERBOSE directives by making the regex 
case insensitive.  Changed system(chmod()) calls to perl's internal chmod
function.

version: 1.649; date: Fri May 17 00:52:33 CDT 2002 ; author: ngorsuch
Corrected Neil's email address.

version: 1.648; date: Thu May 16 20:09:48 MDT 2002 ; author: download
Began re-writing the pfilter.8 manpage.  

version: 1.647; date: Thu May 16 08:48:41 MDT 2002 ; author: download
Changed all occurrences of Linux in documentation and comments to GNU/Linux.

version: 1.646; date: Thu May 16 08:39:34 MDT 2002 ; author: download
Modified pfilter.conf.5.in.  Added documentation for changes added in version
1.644 (int/internal/intif/ext/external/extif).  Also noted that internal 
deprecates intif and external deprecates extif.

version: 1.645; date: Wed May 15 12:56:17 CDT 2002 ; author: ngorsuch
Fixed usage error message for /etc/rc.d/init.d/pfilter.

version: 1.644; date: Wed May 15 12:10:17 CDT 2002 ; author: ngorsuch
Finished rework of parsing of extif and intif directives so that any
of the following forms will work:
EXTIF  interface-name(s)
EXT interface-name(s)
EXTERNAL interface-name(s)
EXT INTERFACE interface-name(s)
EXTERNAL INTERFACE interface-name(s)
EXT INTERFACES interface-name(s)
EXTERNAL INTERFACES interface-name(s)
INTIF  interface-name(s)
INT interface-name(s)
INTERNAL interface-name(s)
INT INTERFACE interface-name(s)
INTERNAL INTERFACE interface-name(s)
INT INTERFACES interface-name(s)
INTERNAL INTERFACES interface-name(s)
Reworked FILTERED PROTECTED PUBLIC TRUSTED UNFILTERED UNPROTECTED UNTRUSTED
directives so that they could all have a second keyword INTERFACE(s).
Fixed bug that prevented error messages from including second keyword.

version: 1.643; date: Wed May 15 09:27:47 MDT 2002 ; author: download
worked on the code to parse intif/int(ernal) interfaces.  I think it was 
incorrectly not taking the newer specifications.  Maybe someone else should take
a look at this change.

version: 1.642; date: Wed May 15 08:39:43 MDT 2002 ; author: download
Fixed some spelling and formatting errors in the manual pages.

version: 1.641; date: Tue May 14 11:34:50 CDT 2002 ; author: ngorsuch
Modified the chkconfig/service status command to output the standard
running or stopped. Added a chkconfig/service chains command to output
a listing of all of the packet filtering chains.

version: 1.640; date: Tue May 14 11:34:50 CDT 2002 ; author: ngorsuch
Modified the chkconfig/service installation to be turned off by default.

version: 1.639; date: Tue May 14 09:30:57 MDT 2002 ; author: download
modified pfilter.8.in.  Fixed spelling errors.

version: 1.638; date: Tue May 14 08:38:46 MDT 2002 ; author: download
modified pfilter.8.in. I added a note on what stop,start,restart and status
do to the OPTIONS section.

version: 1.637; date: Mon May 13 09:11:24 MDT 2002 ; author: download
modified pfilter.8.in.  I renamed the section called SYNOPSIS to DESCRIPTION.
I added a SYNOPSIS section summarizing the command line switches and added an
OPTIONS section explaining those options.

version: 1.636; date: Sat May 11 22:19:24 MDT 2002 ; author: download
fixed minor bug where when you set pfilter's output file to stdout (-) 
it was still calling chmod and throwing an error.

version: 1.635; date: Sat May 11 12:19:49 MDT 2002 ; author: download
cleaned up the formatting of the pre-defined variables section of 
pfilter.rulesets.5.  Changed CHANGELOG to reflect that version 1.633 was
by ngorsuch not download.

version: 1.634; date: Sat May 11 11:13:12 MDT 2002 ; author: download
noted a couple of command line equivalents in the configuration manual page.
Fixed a bug in %ifdef and %ifndef.  They seem to work now. 

version: 1.633; date: Fri May 10 04:49:51 CDT 2002 ; author: ngorsuch
Fixed pfilter service start level so that it is started
after the network interfaces are already up.

version: 1.632; date: Sat Apr 27 21:08:41 MDT 2002 ; author: download
cleaned up pfilter.conf man page.  made syntax on directives more consistent.

version: 1.631; date: Fri Apr 26 06:31:04 MDT 2002; author: download
Worked on pfilter.conf man page.  Added more directives and gave options to the
directives in the man page already.  Changed some wording to be imperative.

version: 1.630; date: 2002/04/23 12:39:00; author: ngorsuch
Made the "status" command use dns output rather than numeric.
Fixed "status" to tolerate missing /proc/net/ip_tables_names.
Changed Makefile to name the generated rpm spec file
pfilter.spec instead of the previous pfilter-N.NNN-N.spec.

version: 1.628; date: 2002/04/22 00:08:00; author: ngorsuch
Added --dumpconf debug command line option that dumps the 
internal hash of the config file after the config file is parsed.

version: 1.627; date: 2002/04/21 23:30:00; author: ngorsuch
Added capability of -h and --help command line options to also
display hidden commands if debug mode options -d or --debug present.

version: 1.626; date: 2002/04/06 19:39:00; author: ngorsuch
Expanded pfilter section 8 man page.

version: 1.625; date: 2002/04/05 00:17:00; author: ngorsuch
Fixed a bug that prevented FROM and other keywords from being
used when capitalized.

version: 1.624; date: 2002/04/03 18:20:00; author: ngorsuch
Changed the configuration file merging code to not put in commented
out new sections, if a NOMERGE directive exists in the current
configuration file.

version: 1.623; date: 2002/04/03 13:16:00; author: ngorsuch
Made opening of ssh to everywhere the default for new configuration files.
This only happens if no configuration file existed before the pfilter rpm
was installed, or if an existing file had no OPEN or CLOSE directives when
pfilter was upgraded.

version: 1.622; date: 2002/03/25 14:22:00; author: ngorsuch
Fixed major bug in new ALIAS code that prevented ALIASING from working.
This required all iptables output commands that have "--to hostname"
to use "--to host-ip-address" when in iptables mode. This is because 
the iptables command cannot handle anything but a numeric IP address
after a "--to" on a command line.

version: 1.621; date: 2002/03/24 09:00:00; author: ngorsuch
Made the "service pfilter status" command much faster by not having
to parse the configuration file or re-generate the commands file.

version: 1.620; date: 2002/03/23 00:57:00; author: ngorsuch
Modified NAT/protected interface handling to add a postrouting 
rule for each pair of protected/unprotected interfaces to do
network address translation.  This prevents packets being
forwarded from one unprotected interface to another unprotected
interface from having their source address being changed.
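The per-pair POSTROUTING rule from the 1.620 entry, as an added example that models its effect rather than reproducing pfilter's generated commands (my own Python, not the project's code; the interface names and networks below are constructed). Because the nat POSTROUTING chain cannot match the input interface, each protected interface is identified by its source network with -s and the unprotected side by -o; the check function shows that a packet forwarded between two unprotected interfaces keeps its source address, while the single broad rule this replaces would rewrite it.

```python
from ipaddress import ip_address, ip_network

# Constructed example topology (not pfilter's own data): one protected
# RFC1918 interface and two unprotected interfaces.
PROTECTED = {"eth1": "192.168.1.0/24"}   # protected iface -> its network
UNPROTECTED = ["eth0", "ppp0"]


def masquerade_rules(protected, unprotected):
    """One POSTROUTING rule per (protected, unprotected) interface pair.

    POSTROUTING has no -i match, so the protected side is selected by its
    source network (-s) and the unprotected side by the output interface (-o).
    """
    rules = []
    for p_if, p_net in protected.items():
        for u_if in unprotected:
            rules.append({"src": ip_network(p_net), "out": u_if, "via": p_if})
    return rules


def naive_rules(unprotected):
    """The broad form the pair rules replace: masquerade everything that
    leaves an unprotected interface, whatever its source."""
    return [{"src": ip_network("0.0.0.0/0"), "out": u, "via": None}
            for u in unprotected]


def as_iptables(rules):
    """Render the rule model as iptables nat commands."""
    return [f"iptables -t nat -A POSTROUTING -s {r['src']} -o {r['out']} -j MASQUERADE"
            for r in rules]


def source_rewritten(rules, src, out_if):
    """True if a forwarded packet with source src leaving out_if would be
    masqueraded by the given rule list (first match wins, all are MASQUERADE)."""
    addr = ip_address(src)
    return any(addr in r["src"] and r["out"] == out_if for r in rules)


if __name__ == "__main__":
    for line in as_iptables(masquerade_rules(PROTECTED, UNPROTECTED)):
        print(line)
```

With the pair rules, 192.168.1.10 leaving eth0 is rewritten but 10.5.5.5 arriving on ppp0 and leaving eth0 is not; with the naive rule both are.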

version: 1.619; date: 2002/03/22 23:33:00; author: ngorsuch
Updated pfilter.conf man pages to include all interface directives.
Made configuration file parsing of interface directives match the
output scripts generation for interface directives.

version: 1.617; date: 2002/03/07 01:23:00; author: ngorsuch
Added error and warning lines to generated intermediate source file and
to the generated output commands file.

version: 1.616; date: 2002/03/01 07:41:00; author: ngorsuch
Improved output commands file comments regarding pseudo/real addresses.

version: 1.615; date: 2002/02/22 19:41:00; author: ngorsuch
Added optimization of output commands resulting in far fewer
iptables/ipchains/whatever filter rules being put in kernel.
Added code to allow services/protocols/ports to be separated
by commas to allow older pfilter configuration files to work.
Fixed bug that prevented proper --output= command line parsing.

version: 1.612; date: 2002/01/26 23:57:00; author: ngorsuch
Fixed code to allow proper functioning with point-to-point interfaces.

version: 1.611; date: 2002/01/26 23:05:00; author: ngorsuch
Commented out NEW without SYN bit rule blockage to allow cvs/ssh
logins through natted firewall.

version: 1.607; date: 2002/01/25 18:46:00; author: ngorsuch
Improved formatting of packet rejection system log entries.

version: 1.607; date: 2002/01/25 18:46:00; author: ngorsuch
Finished code/rulesets to allow ALIAS directives to work.
Fixed a bug in rulesets that caused some logging rules to not be included.
Fixed bugs in code to allow named network services to be defined as macros.
Added rulesets logic to stop packets marked as NEW without SYN bit set.
Added capability to have OPEN/CLOSE directives for ALIAS connections
refer to the destination as either the faked or real destination address.
Added %error and %warning metadirective capability to rulesets/config.

version: 1.606; date: 2002/01/24 12:05:00; author: ngorsuch
Fixed bug in rulesets that caused some logging rules to not be included.

version: 1.605; date: 2002/01/24 11:00:00; author: ngorsuch
Fixed major bug in OPEN/CLOSE directives.

version: 1.603; date: 2002/01/24 10:00:00; author: ngorsuch
Fixed bugs in code and rulesets that prevented proper protected/natted networking.
Fixed minor bugs in rulesets that generate output commands "glue" code.
Cleaned up some output commands formatting.

version: 1.601; date: 2002/01/19 23:49:00; author: ngorsuch
Changed copyright notices from 2001 to 2002.
Added new pfilter command line switches:
	--nodebug
	--nowarnings
Made warning messages output follow --warnings and --nowarnings flags.

version: 1.600; date: 2002/01/18 16:49:00; author: ngorsuch
finished alpha version of ruleset files content
finished alpha version of second generation pfilter
added constants/defines capabilities to ruleset files
added macros capability to ruleset files
added --noout command line option
added --source= command line option
added undocumented --nocond command line option
added undocumented --noconst command line option
added undocumented --nomacro command line option
added undocumented --noprefix command line option
added undocumented --nosuffix command line option
added new configuration file syntax capabilities:
	constants/defines
	macros
	to/from on open/close
	unfiltered/filtered/protected/unprotected interface(s)
	allowed interface commands to accept ALL as interface name
added new pre-defined constants:
	%config_file_path%
	%date%
	%domainname%
	%filtered_interface_addresses%
	%filtered_interface_names%
	%hostname%
	%mode% (iptables or ipchain or whatever)
	%pfilter_version%
	%protected_interface_addresses%
	%protected_interface_names%
	%uname%
	%unfiltered_interface_addresses%
	%unfiltered_interface_names%
	%unprotected_interface_addresses%
	%unprotected_interface_names%

version: 1.553; date: 2001/11/25 03:36:00; author: ngorsuch
corrected installation file modes
changed installed files to be owned by root
corrected installation file locations to have library modules
put into /usr/lib/pfilter.

version: 1.552; date: 2001/11/08 05:00:00; author: lewart
restored $syntax_error to Pfilter/Config.pm and Pfilter/Lib.pm

version: 1.549; date: 2001/11/06 23:45:00; author: ngorsuch
removed non-error output from configuration file merging

version: 1.521; date: 2001/10/31 11:00:00; author: ngorsuch
modified Makefile to get rid of harmless but annoying error 
messages during make tar and make pfilter-N.NN.wbm
going to N.NNN revision numbers instead of N.NN

version: 1.52; date: 2001/10/31 05:00:00; author: lewart
Made everything work with strict and warnings!!
Explicitly list global and mystery variables
Deleted outline sub
Use warnings
use Pfilter::Lib instead of require './pfilter-lib.pl'
s/$config_path/$vars{config_file_path}/
valid_bcast: last chunk need only have two least-significant bits on

Re-wrote pfilter to do following:
added support for modular directives.
re-wrote pfilter parsing code to support modular directives.
fixed kernel version logic.
Folded in changes/fixes from pfilter first version tree:
0.84 removed duplicate icmptype, deleted duplicate help/version code.
0.83 made perl language warnings come out in verbose and debug mode.
0.82 made pfilter remove iptables/ipchains services/modules before starting.
0.81 made pfilter more tolerant of ipt_limit module not working.
0.80 fixed minor bug in finding alias ip addresses.
0.79 made perl language warnings only come out if debug output enables.
0.78 changed tarball to extract to pfilter-n.nn directory instead of pfilter dir.
0.77 fixed ne != confusion in code to get rid of warnings.
0.76 Enabled perl warnings, removed some warnings, cleaned up --output= logic.
0.74 Added installed documentation directory.
0.70 fixed REJECTPED/REJECTED spelling mistake in logging.
0.68 changed start/stop priorities of rc script to match iptables and ipchains.
0.67 added -n to all iptables -L commands to avoid no-dns timeouts.
0.66 fixed rfc1918 logic.

version: 0.65; date: 2001/08/25 18:48:06; author: ngorsuch
fixed OPENNFS bug to allow opening of nfs exports

version: 0.64; date: 2001/08/24 16:21:06; author: ngorsuch
use /proc entries to drop source routed packets and disable icmp redirects

version: 0.63; date: 2001/08/24 10:03:06; author: ngorsuch
added silent dropping of broadcast and multicast packets
and made aliased outbound packets look like they are from aliased address

version: 0.62; date: 2001/08/14 13:40:00; author: ngorsuch
added /etc/rc.d/init.d/pfilter to pfilter man page

version: 0.61; date: 2001/08/14 12:41:26; author: ngorsuch
added manual pages directories to rpm/spec files

version: 0.60; date: 2001/08/14 09:03:04; author: ngorsuch
fixed man pages formatting

date: 2001/08/14 01:09:04; author: ngorsuch
added rudimentary man pages pfilter and pfilter.conf

date: 2001/07/29 23:09:35; author: ngorsuch
fixed ALIAS parsing of multiple ports

date: 2001/07/26 19:39:07; author: ngorsuch
added ability to find executable paths for needed programs in default or PATH

date: 2001/07/25 02:19:06; author: ngorsuch
changed rpm and make install to merge /etc/pfilter.conf file

date: 2001/07/23 12:25:52; author: ngorsuch
added CHANGELOG file

date: 2001/07/23 07:57:01;  author: ngorsuch
added dynamic addressing enabling when external interface uses dynamic addressing

date: 2001/07/23 06:49:28;  author: ngorsuch
cleaned up output commands file formatting functions

date: 2001/07/23 04:59:05;  author: ngorsuch
updated copyright/distribution notices

date: 2001/07/23 04:39:32;  author: ngorsuch
improved output commands file formatting

date: 2001/07/22 08:01:46;  author: ngorsuch
added Makefile with targets tar and rpms

date: 2001/07/22 07:55:29;  author: ngorsuch
fixed --version output format

date: 2001/07/22 03:01:46;  author: ngorsuch
fixed bug caused by last change

date: 2001/07/21 06:31:23;  author: ngorsuch
added --ipchains and --iptables command line flags to pfilter.pl

date: 2001/07/14 07:51:52;  author: ngorsuch
added output commands file command line switch

date: 2001/07/08 03:58:52;  author: ngorsuch
fixed problem that blocked loopback interface packets

date: 2001/07/02 03:16:21;  author: ngorsuch
added support for DROP and REJECT in configuration file

date: 2001/06/29 22:04:06;  author: ngorsuch
added 2>/dev/null to modprobe commands

date: 2001/06/29 03:53:57;  author: ngorsuch
cleaned up --version and --help