* Planned for the future
-New configuration syntax for netlinks: basic 'netlink' closure yields
-a pure closure that can be applied in each site() to generate a
-netlink for that site (with routes, options, etc.). Works well for
-point-to-point: that netlink can be used directly by just one site.
-Much cleaner separation between site() and netlink code this way.
+Netlink device that implements an Ethernet bridge.
-(Backward compatibility will be kept for a while.)
+Modular transform code: choice of block ciphers, modes, sequence
+numbers / timestamps, etc. similar to IWJ's udptunnel
+* New in versino 0.1.11
+
+* New in version 0.1.10
+
+WARNING: THIS VERSION MAKES A CHANGE TO THE CONFIGURATION FILE FORMAT
+THAT IS NOT BACKWARD COMPATIBLE. However, in most configurations the
+change only affects the sites.conf file, which is generated by the
+make-secnet-sites script; after you regenerate your sites.conf using
+version 0.1.10, everything should continue to work.
+
+Netlink devices now interact slightly differently with the 'site'
+code. When you invoke a netlink closure like 'tun' or 'userv-ipif',
+you get another closure back. You then invoke this closure (usually
+in the site definitions) to specify things like routes and options.
+The result of this invocation should be used as the 'link' option in
+site configurations.
+
+All this really means is that instead of site configurations looking
+like this:
+
+foo {
+ name "foo";
+ networks "a", "b", "c";
+ etc.
+};
+
+...they look like this:
+
+foo {
+ name "foo";
+ link netlink { routes "a", "b", "c"; };
+ etc.
+};
+
+This change was made to enable the 'site' code to be completely free
+of any knowledge of the contents of the packets it transmits. It
+should now be possible in the future to tunnel other protocols like
+IPv6, IPX, raw Ethernet frames, etc. without changing the 'site' code
+at all.
+
+Point-to-point netlink devices work slightly differently; when you
+apply the 'tun', 'userv-ipif', etc. closure and specify the
+ptp-address option, you must also specify the 'routes' option. The
+result of this invocation should be passed directly to the 'link'
+option of the site configuration. You can do things like this:
+
+sites site {
+ name "foo";
+ link tun {
+ networks "192.168.73.76/32";
+ local-address "192.168.73.76"; # IP address of interface
+ ptp-address "192.168.73.75"; # IP address of other end of link
+ routes "192.168.73.74/32";
+ mtu 1400;
+ buffer sysbuffer();
+ };
+ etc.
+};
+
+The route dump obtained by sending SIGUSR1 to secnet now includes
+packet counts.
+
+Point-to-point mode has now been tested.
+
+tun-old has now been tested, and the annoying 'untested' message has
+been removed. Thanks to SGT and JDA.
+
+secnet now closes its stdin, stdout and stderr just after
+backgrounding.
+
+Bugfix: specifying network "0.0.0.0/0" (or "default") now works
+correctly.
+
* New in version 0.1.9
The netlink code may now generate ICMP responses to ICMP messages that