HP-UX IPFilter

HP-UX IPFilter, product number 15.01 (A.11.23.15.01 for HP-UX 11.23), is a TCP/IP packet filter suitable for use as a system firewall to protect application servers.

Summary of Change

The Dynamic Connection Allocation (DCA) feature now supports IPv6 rules.
The ipftest utility now supports IPv6 rules.
The kernel tunable parameter, icmp6_passthru. The default setting of this parameter allows all ICMPv6 Router Discovery and Neighbor Discovery packets to bypass normal IPFilter rule processing and always pass through the system.
Administrators can now distinguish between IPv4 rule sets and IPv6 rule sets when switching active and inactive rule sets with the ipf -s command. The ipf -s command now supports the -6 option to specify the IPv6 rule sets. In previous releases, the ipf -s command switched active and inactive rule sets for both IPv4 rule sets and IPv6 rule sets.

Impact

You will be able to use the new features.

Compatibility

Existing configuration files will continue to work as before.

Customers who selectively filtered ICMPv6 Router Discovery and Neighbor Discovery packets will need to modify the kernel tunable parameter icmp6_passthru. Customers who want to allow all Router Discovery and Neighbor Discovery packets do not have to modify any settings or configuration files.

Customers who used the ipf -s command to switch active and inactive rules for both IPv4 and IPv6 rulesets must also execute the command ipf -6 -s.

Performance

There is no change.

Documentation

Manpages:

ipf(4): packet filtering kernel interface
ipf(5): IP packet filter rule syntax
ipf(8): alters packet filtering kernel's internal lists
ipl(4): data structure for IP packet log device
ipmon(8): monitors /dev/ipl for logged packets
ipstat(8): reports on packet filter statistics and filter list
iptest(1): test packet rules with arbitrary input

Documents:

HP-UX IPFilter Version 15.01 Administrator's Guide (B9901-90042)
HP-UX IPFilter Version 15.01 Release Notes (B9901-90041)

Obsolescence

Not applicable.