secnet 0.4.0

Ian Jackson ijackson at
Sat Feb 28 15:44:16 GMT 2015

I am pleased to announce secnet 0.4.0.

secnet 0.4 contains support for using IPv6 on the public (outside)

secnet 0.4 has support for dynamic use of possibly multiple local
network interfaces, by mobile sites.  A mobile site which has multiple
connections to the public internet (for example, wifi and 3G) can now
arrange to send all traffic by all available routes, improving
reliability.  This functionality is available even when talking to
earlier versions of secnet, provided that the static peer is running
0.2 or later - although the feature will work best when talking to
another secnet 0.4.

secnet 0.4 is properly described everywhere as being GPLv3+ (rather
than GPLv2+, which is not accurate for the binary packages as they
depend on libraries compatible only with GPLv3+).  The source code
licence for most files has been upgraded.

There are also minor bugfixes and logging improvements; but for sites
which do not need IPv6 or polypath support, there is no compelling
reason to upgrade.

(Everyone should be running at least version 0.3.4, as all previous
versions have significant security bugs.)

IPv6 and polypath support are available only if your version of adns
is also IPv6-capable, which means you need adns 1.5.0~rc0 or later.

secnet 0.4.x needs the modern `' library, provided on
Debian-derived systems in the package python-ipaddr.

When upgrading to 0.4.x, it is necessary to remove the `'
library previously provided with secnet (and any corresponding
`ipaddr.pyc' files).  If you are using a .deb version of secnet this
is done automatically; if you are using `make install' you may need
`make install-force'; and if you are running out of a build tree you will
need to clean out the .pyc (by hand, or with git clean, or some such).

Installing the modern in python-ipaddr will break secnet
versions before 0.3.3~beta1, but you should be running 0.3.4 anyway.
If you're not and you don't want to change both and secnet
at once, for some reason: install secnet 0.3.4 first, and then
python-ipaddr, and then secnet 0.4.0.

Apart from this installation wrinkle, secnet 0.4.0 is
backwards-compatible with previous versions.

Compared to 0.4.0~beta2, 0.4.0 proper has two minor debugging/logging

0.4.0 can be found here:
(SHA-256 checksums are listed below).

I have provided binaries for vanilla squeeze i386 _without_ IPv6 and
polypath support.  But in the polypath-backport/ subdirectory I have
also provided an IPv6- and polypath-capable secnet.  To use that
secnet you must also install the updated libadns1 provided (or an

For those on the SGO VPN: chiark is currently running this version.
chiark's secnet is listening on IPv6 [2001:ba8:1e3::].  But you should
not set sites file fragments in the SGO VPN which mention IPv6
addresses for your own sites because that would make the sites file
incompatible with older secnet versions.  You can safely set IPv6 sites
file fragments in the `chiark-only' vpn, using the `userv secnet
chiarkvpnsites' facility.

For a more detailed summary of the changes see the changelog extract
below.  For full details see the git history.

secnet (0.4.0) unstable; urgency=low

  Debugging improvements:
  * Packet-level debugging from site notes errors from transmit.
  * Report when transport peers updated as a result of transmit.

 -- Ian Jackson <ijackson at>  Sat, 28 Feb 2015 15:03:00 +0000

secnet (0.4.0~beta2) unstable; urgency=low

  Polypath bugfixes:
  * Ignore IPv6 Unique Local unicast addresses.
  * Skip "tentative" IPv6 local addresses.
  * Improve logging and debug output.

  Portability fix:
  * Build where size_t is not compatible with int.

  Build system and packaging fixes:
  * Makefile: support DESTDIR.
  * debian/rules: set DESTDIR (not prefix).
  * debian/rules: Support dpkg-buildflags.
  * Install and secnet.8 with correct permissions.
  * Fix check for <linux/if_tun.h> and get rid of our copy.
  * Use -lresolv only if inet_aton is not found otherwise.
  * Use -lnsl only if inet_ntoa is not found otherwise.
  * debian/rules: Provide build-arch and build-indep targets.
  * debian/rules: Do not run build for *-indep (!)
  * Putative dual (backport and not) release build process doc.

  Copyright updates:
  * Update to GPLv3.  Add missing copyright notices and credits.
  * Get rid of old FSF street address; use URL instead.
  * Remove obsolete LICENCE.txt (which was for snprintf reimplementation).
  * Remove obsolete references to Cendio (for old

 -- Ian Jackson <ijackson at>  Sun, 28 Dec 2014 17:14:10 +0000

secnet (0.4.0~beta1) unstable; urgency=low

  New features:
  * Support transport over IPv6.  (We do not yet carry IPv6 in the private
    network.)  IPv6 support depends on IPv6-capable adns (adns 1.5.x).
  * New polypath comm, which can duplicate packets so as to send them via
    multiple routes over the public network, for increased
    reliability/performance (but increased cost).  Currently Linux-only
    but should be fairly easy to port.
  * Support multiple public addresses for peers.
  * Discard previously-received packets (by default).

  Logging improvements:
  * Report (each first) transmission and reception success and failure.
  * Log reason for DNS resolution failure.
  * Log unexpected kinds of death from userv.
  * Log authbind exit status as errno value (if appropriate).

  Configuration adjustments:
  * Adjust default number of mobile peer addresses to store when a peer
    public address is also configured.
  * Make specifying peer public port optional.  This avoids making special
    arrangements to bind to a port for in mobile sites with no public
    stable address.

  * Hackypar children will die if they get a terminating signal.
  * Fix signal dispositions inherited by secnet's child processes.
  * Fix off-by-one error which prevented setting transport-peers-max to 5.

  Test, build and internal improvements:
  * Use conventional IP address handling library
  * Provide a fuzzer for the slip decoder.
  * Build system improvements.
  * Many source code cleanups.

 -- Ian Jackson <ijackson at>  Sun, 26 Oct 2014 15:28:31 +0000

Ian Jackson                  personal email: <ijackson at>
These opinions are my own.