X-Git-Url: https://git.distorted.org.uk/~mdw/secnet/blobdiff_plain/8dea8d37a13fcc615daba3375809900f04a2e5a2..469fd1d95b2528212a46b155cb115c078de4228f:/NEWS diff --git a/NEWS b/NEWS index c26e086..be5c38a 100644 --- a/NEWS +++ b/NEWS @@ -1,13 +1,83 @@ * Planned for the future -New configuration syntax for netlinks: basic 'netlink' closure yields -a pure closure that can be applied in each site() to generate a -netlink for that site (with routes, options, etc.). Works well for -point-to-point: that netlink can be used directly by just one site. -Much cleaner separation between site() and netlink code this way. +Netlink device that implements an Ethernet bridge. -(Backward compatibility will be kept for a while.) +Modular transform code: choice of block ciphers, modes, sequence +numbers / timestamps, etc. similar to IWJ's udptunnel +* New in versino 0.1.11 + +* New in version 0.1.10 + +WARNING: THIS VERSION MAKES A CHANGE TO THE CONFIGURATION FILE FORMAT +THAT IS NOT BACKWARD COMPATIBLE. However, in most configurations the +change only affects the sites.conf file, which is generated by the +make-secnet-sites script; after you regenerate your sites.conf using +version 0.1.10, everything should continue to work. + +Netlink devices now interact slightly differently with the 'site' +code. When you invoke a netlink closure like 'tun' or 'userv-ipif', +you get another closure back. You then invoke this closure (usually +in the site definitions) to specify things like routes and options. +The result of this invocation should be used as the 'link' option in +site configurations. + +All this really means is that instead of site configurations looking +like this: + +foo { + name "foo"; + networks "a", "b", "c"; + etc. +}; + +...they look like this: + +foo { + name "foo"; + link netlink { routes "a", "b", "c"; }; + etc. +}; + +This change was made to enable the 'site' code to be completely free +of any knowledge of the contents of the packets it transmits. It +should now be possible in the future to tunnel other protocols like +IPv6, IPX, raw Ethernet frames, etc. without changing the 'site' code +at all. + +Point-to-point netlink devices work slightly differently; when you +apply the 'tun', 'userv-ipif', etc. closure and specify the +ptp-address option, you must also specify the 'routes' option. The +result of this invocation should be passed directly to the 'link' +option of the site configuration. You can do things like this: + +sites site { + name "foo"; + link tun { + networks "192.168.73.76/32"; + local-address "192.168.73.76"; # IP address of interface + ptp-address "192.168.73.75"; # IP address of other end of link + routes "192.168.73.74/32"; + mtu 1400; + buffer sysbuffer(); + }; + etc. +}; + +The route dump obtained by sending SIGUSR1 to secnet now includes +packet counts. + +Point-to-point mode has now been tested. + +tun-old has now been tested, and the annoying 'untested' message has +been removed. Thanks to SGT and JDA. + +secnet now closes its stdin, stdout and stderr just after +backgrounding. + +Bugfix: specifying network "0.0.0.0/0" (or "default") now works +correctly. + * New in version 0.1.9 The netlink code may now generate ICMP responses to ICMP messages that