July 29, 2004 - Stateful filtering problem found with IPFLT31 from BM37SP3 or BM38SP2a.
Updated Sept. 21, 2004 - Novell has finally found the coding issue, and is testing a new patch.
Updated Nov. 4, 2004 - Novell releases new IPFLT31.NLM in BM37FP4D.EXE patch that hopefully fixes the stateful filter bug. This version is *not* in B1BM38SP3, which still contains the buggy version.
Updated Dec. 6, 2004 - Newest IPFLT31.NLM and FILTSRV.NLM can be found in the BM38FP3C.EXE patch.
Versions of IPFLT31 dated June 24, 2004 may exhibit severe problems with stateful filters failing. A typical symptom is a general slowing of performance after 1-2 days, with the server
becoming almost unusable. Unloading/reloading IPFLT restores performance for a while. The 'bad' version of IPFLT31 comes in various patches, including BM37SP3, BM38SP2A and B1BM38SP3.
Stateful exceptions have suffered from occasional problems for a long time (some packets are dropped that should not be), but the problem is worse in the patches mentioned, especially if you
use the default all-stateful filter exceptions from BorderManager 3.7 or 3.8. (I generally change them completely, as described in the advanced chapter of my BorderManager filtering book, and I do not
see these problems on my servers, or on servers I configure for my clients.)
Novell is aware of the problem, and is working on a patch. [On Dec. 4, 2004, the BM38FP3C.EXE patch was released, and has the newest filtering modules. On Nov. 4, patch BM37FP4D.EXE was released, which has an updated IPFLT31.NLM. Try one of those versions, and if it does not help, use the older one here.] Until that patch comes out, you can get better performance from the IPFLT31.NLM from BM37SP2. I have posted the BM37SP2 version of IPFLT31.NLM HERE.
Back up your current version, copy this one to SYS:SYSTEM, unload IPFLT, and then load IPFLT again. If performance improves, keep using this version until the next patch comes out.
Jan 31, 2001 - added note under BM3 SP3 IPFLT31 version.
Note: The module that actually does the filtering in BorderManager 3.x is called IPFLT31.NLM, and the IPFLT.NLM module simply serves as some sort of loader to pull up the other module.
Also, Novell says about the filtering modules that "they are NetWare OS dependency NLMs. Both share same header files with OS's TCPIP.NLM modules. All must go together in order to work correctly. We
had many customer instances installing BorderManager support packs without updating TCPIP.NLM module causing filtering problems. Upgrading TCPIP.NLM must also upgrade the entire OS patch."
Starting with service pack 2 (bm35sp2.exe) for BorderManager 3.5, the updated filtering modules are no longer included. This is because the newer IPFLT.NLM and IPFLT31.NLM modules are included in the
latest NetWare 4.11/4.2 and 5.0 support packs (NW4SP9.EXE and NW5SP6.EXE).
NetWare 5.1 contains an updated (though older) version of the modules in the installation files. NetWare 5.1 gives you the same version of IPFLT31 that was included in the BorderManager 3.5 service
pack 1, but not the later version included in the NetWare 4.11/4.2 and NetWare 5.0 support packs.
This means, for NetWare 4.11/4.2 and 5.0 administrators, that it is critical to apply the latest NetWare service pack to get an updated filtering module, if you have installed BorderManager 3.5 and
not applied the BorderManager 3.5 service pack 1 (BM35SP1.EXE) at any time.
As of 11/30/2000, I am not sure of the exact sequence in which patches have to be applied to the server to get the updated BorderManager modules, but I suspect you would have to FIRST install
BorderManager 3.5, and LATER apply the latest service pack in order to get the proper filtering modules installed.
The NW4SP9 and NW5SP6 patches include the newer filtering modules under the PRODUCTS\MPR3031\SYSTEM directory.
The file dates for the IPFLT31.NLM module are as follows:
Raw BorderManager 3.5 installation (filtering module is very buggy with stateful filter exceptions, at least): 6/1/1999
BorderManager Service Pack 1 BM35SP1.EXE (good version of IPFLT31.NLM): 9/14/1999
BorderManager 3.0 Service Pack 3 BM3SP3.EXE (good version of IPFLT31.NLM, works with packet filter logging): version 5.14, 1/29/1999 (NOTE: I'm trying to confirm this one - this was a version
I had on a test server patched to BM3SP3 at the time, as reported by the modules command, but the latest BM3SP3 does not contain IPFLT and IPFLT31. I may have had some beta version of these NLMs on
my server when I first reported the version.)
NetWare 5.1 raw installation (same version of IPFLT31.NLM as BM35SP1.EXE): 9/14/1999
NetWare 5.1 NW51SP2A - beware! Novell has made a blind revision of this patch. The latest rev (282.340 K, dated 11-01-2001) should have the updated IPFLT.NLM and IPFLT31.NLM as in NW5SP6, but
previous version(s) did not include any filtering modules...
NetWare 5.0 support pack 6 NW5SP6.EXE / NW5SP6a.EXE (latest version of IPFLT31.NLM): 7/17/2000
NetWare 4.11/4.2 support pack 9 NW4SP9.EXE (latest version of IPFLT31.NLM): 7/17/2000
NetWare 4.11/4.2 support pack 8a NW4SP8A.EXE (don't want this version of IPFLT31.NLM!): 7/22/98
I am at this time unaware of what improvements have been made to the 7/17/2000 version of IPFLT31.NLM over the 9/14/1999 version.
If you are having issues with filtering, particularly with stateful filter exceptions, please check the version of IPFLT31.NLM in your SYS:SYSTEM directory and compare it to the list above.
If you have the newer version(s) of IPFLT.NLM and IPFLT31.NLM from the latest service packs, and you are running BorderManager 3.0, then packet filter logging will not work. (Filtering
itself works fine.) Until Novell posts a fix, you will have to back-rev the filtering modules to get packet filter logging working.