HP-UX IPFilter Version 17 Administrator's Guide

Fixes in this Release
Fixes for HP-UX 11i v3
QXCR1000923645—Provide tunable to enable/disable NAT functionality.
The new ipnat_enable tunable is provided to enable/disable NAT functionality. By default,
this tunable is set to 1. If you do not use NAT functionality, disabling this tunable will improve
performance.
QXCR1000923671—Enhancement to list interfaces not covered.
The -l option to ipfilter is provided. This option lists the interfaces and shows which are protected or unprotected by IPFilter. For more information, see “The ipfilter Utility (HP-UX 11i v3)” (page 99).
QXCR1000888008—The ipfstat -io and ipfilter -q commands return the wrong status.
The ipfstat -io and ipfilter -q commands could show IPFilter status as up and running
when it is not plumbed into the stack. Two new messages have been added:
IPFilter enabled but not filtering.
IPFilter enabled and filtering traffic.
QXCR1000866813—The ipfilter(8) command removes secondary and further IP addresses with the -d option.
When the ipfilter interactive mode option -i is used together with -e or -d, a warning is now issued.
QXCR1000926632—The pfilboot script does not unplumb interface when interface is down.
This occurs when IPFilter is disabled and does not recognize a down interface that has the pfil
module loaded. In this case, the pfilboot script does not unplumb all interfaces and unload
the pfil module.
QXCR1000926637—The ipfstat -Q command causes panic when pfil module is not bound
to any interface.
The pfil module is a stream module. When it is not plumbed to any interface and the ipfstat
-Qv command is run, the system panics.
QXCR1000926726—Multicast packets larger than 84 bytes are corrupted in IPFilter and dropped in the IP module.
Multicast packets larger than 84 bytes are now received properly when IPFilter is enabled.
QXCR1000950055—The ipmon utility does not format IP addresses and the protocol correctly.
IPv4 addresses are formatted as if they were IPv6 addresses. The protocol is displayed as a number (for example, 159) instead of its name (for example, TCP); the number shown can be any value.
QXCR1000971666—ipfboot stop forces ip_forward_directed_broadcasts back to 1.
ip_forward_directed_broadcasts is an ndd tunable that enables broadcast messages to pass through the system. When IPFilter is enabled, the IPFilter startup rc script, ipfboot, is executed as ipfboot start. The ipfboot script sets the ip_forward_directed_broadcasts value to "0" using the ndd command:
/usr/bin/ndd -set /dev/ip ip_forward_directed_broadcasts 0
This value is set to stop broadcast storms, for security reasons. When IPFilter is disabled with ipfboot stop, the ip_forward_directed_broadcasts value is reset to "1" using the ndd command: