* all of the tunables can now be set at any time, not just whilst disabled
  or prior to loading rules;
* group identifiers may now be a number or name (universal);
* tunables can now be set via ipf.conf;
* ipmon.conf can now be used to generate SNMPv1 and SNMPv2 traps using
  information from log entries from the kernel;
* DNS proxy for the kernel that can block queries based on domain names;
* FTP proxy can be configured to limit data connections to one or many
  connections per client;
* NAT on IPv6 is now supported;
* rewrite command allows changing both the source and destination address
* simple encapsulation can now be configured with ipnat.conf,
* TFTP proxy now included;
* acceptance of ICMP packets for "keep state" rules can be refined through
  the use of filtering rules;
* alternative form for writing rules using simple filtering expressions;
* CIPSO headers now recognised and analysed for filtering on DOI;
* comments can now be a part of a rule and loaded into the kernel and
  thus displayed with ipfstat;
* decapsulation rules allow filtering on inner headers, providing they
* interface names, aside from the one the packet is on, can be present in
* internally now a single list of filter rules, there is no longer an
* rules can now be added with an expiration time, allowing for their
  automatic removal after some period of time;
* single file, ipf.conf, can now be used for both IPv4 and IPv6 rules;
* stateful filtering now allows for limits to be placed on the number
  of distinct hosts allowed per rule;
* addresses added to a pool via the command line (only!) can be given
  an expiration timeout;
* destination lists are a new type of address pool, primarily for use with
  NAT rdr rules, supporting newer algorithms for target selection;
* raw whois information saved to a file can be used to populate a pool;
* use in zones with exclusive IP instances is fully supported.
* use of matching expressions allows for refining what is displayed or