* Planned for the future
-Netlink device that implements an Ethernet bridge.
+Please note that the 0.1 series of secnet releases is now 'maintenance
+only'; further development continues in secnet-0.2.
-Modular transform code: choice of block ciphers, modes, sequence
-numbers / timestamps, etc. similar to IWJ's udptunnel
+Debconf support - if you are using the Debian packaged version and
+your secnet configuration is autogenerated using debconf then the
+upgrade to version 0.2.0 should just involve installing the package;
+an appropriate 0.2-style configuration file will be generated
+automatically.
-Path-MTU discovery for each tunnel, and fragmentation/DF support in
-netlink code.
+* New in version 0.1.18
+
+ipaddr.py now declares its character encoding; required by recent
+versions of Python
+
+* New in version 0.1.17
+
+autoconf updates for cross-compilation / more modern autoconf from
+Ross Younger <ross@crazyscot.com>
+
+MacOS X support from Richard Kettlewell <richard@sfere.greenend.org.uk>
+
+Makefile fix: Update bison pattern rule to indicate that both the
+.tab.c and .tab.h files are generated by the same command.
+
+i386 ip_csum implementation updated to work with modern gcc
+
+Rename global 'log' to 'slilog' to avoid conflict with gcc built-in
+log() function.
+
+* New in version 0.1.16
+
+XXX XXX PROTOCOL COMPATIBILITY IS BROKEN BETWEEN VERSION 0.1.16 AND
+XXX XXX ALL PREVIOUS VERSIONS.
+
+Bugfix: rsa.c private-key now works properly when you choose not to
+verify it.
+
+Bugfix: serpent key setup was only using the first 8 bytes of the key
+material. (Oops!) Ian Jackson contributed a fix so the full 32 bytes
+are used, in big-endian mode.
+
+Debatable-bugfix: RSA operations now use PKCS1 v1.5-style padding
+
+"Hacky parallelism" contributed by Ian Jackson; this permits
+public-key operations to be performed in a subprocess during key
+exchange, to make secnet more usable on very slow machines. This is
+not compiled in by default; if you find you need it (because key
+exchanges are taking more than a second or two) then add
+-DHACKY_PARALLEL to FLAGS in the Makefile.in and recompile.
+
+udp module updates from Peter Benie:
+ 1) Handle the case where authbind-helper terminates with a signal
+ 2) Cope with signals being delivered during waitpid
+ 3) Add 'address' (optional) to the udp settings. This is an IP address
+ that the socket will be bound to.
+ 4) Change the endianess of the arguments to authbind-helper.
+ sprintf("%04X") already translates from machine repesentation to most
+ significant octet first so htons reversed it again.
+
+All uses of alloca() expunged by Peter Benie.
+
+make-secnet-sites now supports configurations where each tunnel gets
+its own interface on the host, and the IP router code in secnet is
+disabled. make-secnet-sites has been rewritten for clarity. For
+information on how to configure secnet for one-interface-per-tunnel,
+see the example.conf file.
+
+* New in version 0.1.15
+
+Now terminates with an error when an "include" filename is not
+specified in the configuration file (thanks to RJK).
+
+RSA private key operations optimised using CRT. Thanks to SGT.
+
+Now compiles cleanly with -Wwrite-strings turned on in gcc.
+
+Anything sent to stderr once secnet has started running in the
+background is now redirected to the system/log facility.
+
+* New in version 0.1.14
+
+The --help and --version options now send their output to stdout.
+
+Bugfix: TUN flavour "BSD" no longer implies a BSD-style ifconfig and
+route command invocation. Instead "ioctl"-style is used, which should
+work on both BSD and linux-2.2 systems.
+
+If no "networks" parameter is specified for a netlink device then it
+is assumed to be 0.0.0.0/0 rather than the empty set. So, by default
+there is a default route from each netlink device to the host machine.
+The "networks" parameter can be used to implement a primitive
+firewall, restricting the destination addresses of packets received
+through tunnels; if a more complex firewall is required then implement
+it on the host.
+
+* New in version 0.1.13
+
+site.c code cleaned up; no externally visible changes
+
+secnet now calls setsid() after becoming a daemon.
+
+secnet now supports TUN on Solaris 2.5 and above (and possibly other
+STREAMS-based systems as well).
+
+The TUN code now tries to auto-detect the type of "TUN" in use
+(BSD-style, Linux-style or STREAMS-style). If your configuration file
+specifies "tun-old" then it defaults to BSD-style; however, since
+"tun-old" will be removed in a future release, you should change your
+configuration file to specify "tun" and if there's a problem also
+specify the flavour in use.
+
+Example:
+netlink tun-old {
+ ...
+};
+should be rewritten as
+netlink tun {
+ flavour "bsd";
+ ...
+};
+
+The flavours currently defined are "bsd", "linux" and "streams".
+
+The TUN code can now be configured to configure interfaces and
+add/delete routes using one of several methods: invoking a
+"linux"-style ifconfig/route command, a "bsd"-style ifconfig/route
+command, "solaris-2.5"-style ifconfig/route command or calling ioctl()
+directly. These methods can be selected using the "ifconfig-type" and
+"route-type" options.
+
+Example:
+netlink tun {
+ ifconfig-type "ioctl";
+ route-type "ioctl";
+ ...
+};
+
+The ioctl-based method is now the default for Linux systems.
+
+Magic numbers used within secnet are now collected in the header file
+"magic.h".
+
+netlink now uses ICMP type=0 code=13 for 'administratively prohibited'
+instead of code 9. See RFC1812 section 5.2.7.1.
+
+The UDP comm module now supports a proxy server, "udpforward". This
+runs on a machine which is directly accessible by secnet and which can
+send packets to appropriate destinations. It's useful when the proxy
+machine doesn't support source- and destination-NAT. The proxy server
+is specified using the "proxy" key in the UDP module configuration;
+parameters are IP address (string) and port number.
+
+Bugfix: ipset_to_subnet_list() in ipaddr.c now believed to work in all
+cases, including 0.0.0.0/0
* New in version 0.1.12
~ian / secnet.git / blobdiff