ITVal

File Release Notes and Changelog

Release Name: ITVal-0.99

Notes:
Thank you for downloading version 0.99 of ITVal, an iptables configuration verification and analysis tool.

Release 0.99 is a pre-release intended for beta-testing in preparation for ITVal-1.0.  Version 1.0 will feature RPM and DPKG packages of the tool, as well as several new features and a few minor bug fixes in the calculation of equivalence classes and parsing.

IMPORTANT NOTE: Version 0.99 breaks compatibility with previous versions of the tool!  Query files created for versions 0.7 and lower may not work with this version or may generate unexpected results.  See below for more details.

What's new in 0.99?
------------------
*Witnesses and Counter-examples (for Assertions)

If you insert the keyword "EXAMPLE" at the beginning of your assertion, ITVal will generate a packet illustrating why the assertion failed or, if the assertion holds, a packet that honors the assertion.

For example, you can use:

ASSERT EXAMPLE FROM 192.168.2.* AND NOT INFACE eth1 SUBSET OF DROPPED FORWARD;

To test whether a packet from 192.168.2.0/24 can show up on interface eth1 without being dropped.  If the assertion fails, ITVal will show you a packet from 192.168.2.0/24 that can arrive on eth1 without being dropped by the firewall.

*Changes to queries and assertions:

The semantics of the ACCEPTED and DROPPED keywords have changed so that queries no longer take an "input_chain" argument.  Instead, this argument should be passed to the "ACCEPTED" or "DROPPED" keyword.

This change BREAKS COMPATIBILITY with old query files.  To convert old files to the new syntax, remove the "input_chain" parameter from each query and append "AND ACCEPTED <input_chain>" at the end of the query.  For instance:

QUERY SADDY INPUT FROM 192.168.2.* AND IN NEW;

would become:

QUERY SADDY (FROM 192.168.2.* AND IN NEW) AND ACCEPTED INPUT;
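The conversion described above, written out as an added Python helper that is not part of ITVal (ITVal's own sources are the C++ files mentioned in the changelog; this script only rewrites query text, it does not parse the full query language).  It assumes the old form is always "QUERY <subject> <input_chain> <condition>;" with a single subject keyword such as SADDY and a built-in iptables chain name (INPUT, OUTPUT or FORWARD) in the input_chain slot.  It also handles the 0.8-era form from the changelog, where the condition already ends in a bare ACCEPTED or DROPPED, by attaching the chain to that keyword instead of appending a new clause; the sample query file below is constructed for the example.

```python
import re

# Built-in iptables chains that an old-style query could name as its
# input_chain (assumption: only built-in chains appeared in that slot).
CHAINS = ("INPUT", "OUTPUT", "FORWARD")

# Old form (ITVal 0.8 and lower):  QUERY <subject> <input_chain> <condition>;
# The subject (e.g. SADDY) is assumed to be the single token before the chain.
OLD_QUERY = re.compile(
    r"^\s*QUERY\s+(?P<subject>\S+)\s+(?P<chain>" + "|".join(CHAINS) + r")\s+"
    r"(?P<cond>.*?)\s*;\s*$"
)

# A bare ACCEPTED / DROPPED in the condition that is not already followed
# by a chain name (the 0.8 syntax, which took the chain from the query).
BARE_VERDICT = re.compile(r"\b(ACCEPTED|DROPPED)\b(?!\s+(?:INPUT|OUTPUT|FORWARD)\b)")


def convert_query(line):
    """Rewrite one old-style query line into the 0.99 syntax; other lines pass through."""
    m = OLD_QUERY.match(line)
    if not m:
        # Not an old-style query: comment, ASSERT, already-converted query, ...
        return line
    subject, chain, cond = m.group("subject"), m.group("chain"), m.group("cond")
    if BARE_VERDICT.search(cond):
        # The condition already names a verdict: give it the chain explicitly.
        new_cond = BARE_VERDICT.sub(lambda v: f"{v.group(1)} {chain}", cond)
        return f"QUERY {subject} {new_cond};"
    # Otherwise the old query implicitly meant "accepted on <chain>"; say so,
    # wrapping the original condition so the new clause binds to all of it.
    return f"QUERY {subject} ({cond}) AND ACCEPTED {chain};"


def convert_file(text):
    """Convert every line of an old query file, preserving line order."""
    return "\n".join(convert_query(line) for line in text.splitlines())


# Constructed sample query file (old syntax) used for demonstration.
OLD_QUERY_FILE = """QUERY SADDY INPUT FROM 192.168.2.* AND IN NEW;
QUERY SADDY INPUT FROM 192.168.1.* AND ACCEPTED;
ASSERT FROM 192.168.2.* SUBSET OF DROPPED FORWARD;"""

if __name__ == "__main__":
    print(convert_file(OLD_QUERY_FILE))
```

Run it on a copy of the old query file and diff the result against the original before replacing it; any line the script leaves untouched (for example a query with no subject keyword, or a user-defined chain in the input_chain slot) still needs converting by hand.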

What is not provided in release 0.99?
------------------------------------
1.  Support for non-iptables filters.

ITVal does not support filters for platforms other than Linux.  Because maintaining parsers for other languages is costly and time-consuming, it is unlikely that I will be adding support for other platforms.  However, I do intend to create an API for writing language modules, so if you want to see your platform supported, you will have the tools to add support for that language.  I am working with Alain Mayer at redseal.org to generate conversion tools from redseal's excellent security tool to work with ITVal and vice versa.  You can also obtain tools for converting from ipfw or ipchains to iptables at http://www.stearns.org.

2.  Support for application level filtering.

ITVal is designed to work only with packet-filters.  While, in theory, ITVal could be extended to other uses, such as e-mail filtering, to do so would require a significant overhaul of the internal design.

3.  A fancy graphical front-end.

Work on the GUI continues slowly as we decide what to provide through the interface and refactor the code to make it more amenable to graphical manipulation.

4.  Support for dynamic firewalls.

ITVal can process a "snapshot in time" of a firewall, but has no query capabilities for analyzing the evolution of firewalls over time.

What is coming in future versions of ITVal?
-------------------------------------------
1.  Guided repair
ITVal will generate a list of suggested changes to the rule set that satisfy all the assertions in a query file.

2.  Translations
Aleksandr Shubnik has volunteered to provide Russian translations for ITVal.  Hopefully, others will join the team to provide translations in other languages.

3.  A Graphical Front-End
Yes, really!  I am leaning now toward a QT-based interface that will allow the user to manipulate queries in a text-editing environment and then check them in real time against the rule set.  The old, kludgy Python/Tk attempt was not very portable and introduced problems with paths.


Changes:

ITVal-0.99: Feb 1, 2007 Robert Marmorstein
**THIS RELEASE BREAKS COMPATIBILITY WITH PREVIOUS VERSIONS**
Pre-release of ITVal-1.0 for beta testing purposes.  ITVal now features witnesses and counterexamples in addition to the new ASSERT structure.  I have also fixed several bugs and support for equivalence classes.
*IMPORTANT* The syntax of the ACCEPTED and DROPPED conditions has changed!  Instead of doing:

QUERY SADDY INPUT FROM 192.168.1.* AND ACCEPTED;

the syntax is now:

QUERY SADDY FROM 192.168.1.* AND ACCEPTED INPUT;

This allows you to do things like:

QUERY SADDY FROM 192.168.1.* AND ACCEPTED INPUT OR ACCEPTED FORWARD;

ITVal-0.8: June 17, 2006 Robert Marmorstein
Began preliminary support for guided repair.  Adding history options to the MDD library.  Redesigning the GUI in QT/KDE.  Fixed several memory leaks in Topology handling.  Added "ACCEPTED" and "DROPPED" primitive conditions that specify the set of accepted and dropped packets respectively.  Queries no longer automatically intersect the query condition with "ACCEPTED".  This allows the user to generate more complex and interesting queries such as:

QUERY FROM 192.168.1.* AND ((FOR TCP 25 AND ACCEPTED) OR (FOR 22 AND DROPPED));

Added "ASSERT" statements.  ASSERT allows the user to check whether two conditions are equivalent or if one is a subset of the other.  The syntax of ASSERT is:

ASSERT <condition> <operator> <condition>;

where <operator> is either "IS" or "SUBSET OF".

ITVal-0.7: April 26, 2006 Robert Marmorstein
ITVal now supports ranged addresses in queries and group/service definitions.  For instance, you can use the query:

QUERY FROM 192.168.1.[10-20]

to specify a group of adjacently addressed hosts.  Support for INFACE and OUTFACE queries has also been improved and more work on the equivalence classes and GUI has been done.  They should still be considered beta features, though.

ITVal-0.6-r1: March 7, 2006 Robert Marmorstein
ITVal now ignores "PKTTYPE = <blah>" style conditions in the options section of the rule table.  Also fixed a bug that caused segmentation faults when no topology file was given.  ITVal now "creates" interfaces on the fly as it detects them in the rule file and the query file.  It is always better to specify them in the topology file, though, so that ITVal knows what IP address to use for MASQUERADING and REDIRECT.

ITVal-0.6: March 6, 2006 Robert Marmorstein
Birthday "release".  Fixed a bug in handling of interfaces not explicitly mentioned in the topology file.  Before, if ITVal came across an unmentioned interface, it silently renamed that interface to '*'.  Now, it adds the interface to the topology list and gives it a bogus address, which I think is better default behavior.  Also added rudimentary support for handling topology files with multiple firewalls.  However, the new system just takes the topology file of the 'last' filter rather than trying to merge and rename them.  Also, added a preliminary man page for ITVal.

ITVal-0.5: January 11, 2006 Robert Marmorstein
Implemented a new "CLASSES" query which decomposes the set of all IP addresses into groups based on how the firewall treats all packets originating from or destined for them.  Two hosts in an equivalence class are always treated identically by the firewall with respect to filtering.  This is useful for visualizing the firewall configuration and potentially for future development of the tool.

ITVal-0.4-r3: December 13, 2005 Robert Marmorstein
Fixed some memory access bugs that caused ITVal to crash when the parser freed names already freed by the MDD query construction code.  Also changed the output of the "Ports" subject to be more readable.  Fixed other minor problems.  ITVal now ignores "MASQUERADE" and "REDIRECT" targets.  It used to NAT them to 127.0.0.1, which is not realistic.  (It had no topology file to work with at that point.)  Now that we have the topology file, implementing realistic MASQ is on the TODO list and ITVal temporarily ignores these targets.

ITVal-0.4-r2: December 13, 2005 Robert Marmorstein
Fixed a bug in src/chains.cc and src/iface.cc that caused ITVal to crash when encountering a "strange" target like TCPMSS.

ITVal-0.4-r1: December 13, 2005 Robert Marmorstein
Fixed a bug in Makefile.am that broke "make dist" so that .h files were not distributed with the package.

ITVal-0.4: November 9, 2005 Robert Marmorstein
Queries may now use the "INFACE" and "OUTFACE" operators to specify a network interface for incoming or outgoing connections.  These queries only make sense when using the verbose firewall input.

ITVal-0.4: November 8, 2005 Robert Marmorstein
Introduced several changes to the command line.  The -f command loads a "normal" filter file.  The -F command loads a verbose filter file.  Similarly, -n loads a normal NAT file, while -N loads a verbose NAT file.  I believe it is a bad idea to mix and match file types for a single firewall.  Firewalls specified with the -f and -n flags assume that every rule matches ALL interfaces.  To use -F and -N, a topology file MUST be specified.

ITVal-0.4: November 2, 2004 Robert Marmorstein
Changed the format of the command line options to allow reordering of the flags.  Multiple NAT files are now associated with the most recent filter file.  Topology files can be specified with the -t flag.

ITVal-0.4: November 1, 2005 Robert Marmorstein
Added support for topology files.  Each line of the topology file consists of a space separated list of the form:

<interface> <ip address>

ITVal-0.4: November 1, 2005 Robert Marmorstein
Migrated ITVal make system to use the GNU autoconf tools.

ITVal-0.3: August 5, 2005 Robert Marmorstein
Primarily a bugfix release.  Some improvements to the printing system and some preparation for interface support.

ITVal-0.2: April 30, 2005 Robert Marmorstein
Introduced several bugfixes, added support for NAT and for analysis of multiple serially connected firewalls.

ITVal-0.1: October 15, 2004 Robert Marmorstein
Initial release of ITVal.  Support for simple queries on a single firewall.