Unreal3.2.9 Release Notes ========================== ==[ GENERAL INFORMATION ]== * If you are upgrading on *NIX, make sure you run 'make clean' and './Config' first, before doing 'make' * The official UnrealIRCd documentation is doc/unreal32docs.html online version at: http://www.vulnscan.org/UnrealIRCd/unreal32docs.html FAQ: http://www.vulnscan.org/UnrealIRCd/faq/ Read them before asking for help. * Report bugs at http://bugs.unrealircd.org/ * When upgrading a network, we assume you are upgrading from the previous version (3.2.8/3.2.8.1). Upgrading from 3.2.6 or 3.2.7 should also be no problem. * The purpose of the sections below (NEW, CHANGED, MINOR, etc) is to be a SUMMARY of the changes in this release. There have been 160+ changes, twice as much as usual for a release, hence this summary is a bit long too. For the FULL list of changes, see the Changelog. * If you previously used CVS to access the development version of UnrealIRCd, you now need to use Mercurial, see see http://www.unrealircd.com/hgmove ==[ NEW ]== * Extban ~j: this only prevents a user from joining, once in he can speak freely. * Extban ~R:: this ban only matches if is a registered user (has identified to services). Especially useful in cases like: +e ~R:TrustedUser. * Stacked Extended Bans: * Extbans are now split in two groups: * Ones that specify which user actions are affected (group 1): ~q (quiet), ~n (nick change), ~j (join) * Ones that introduce new criteria that can be used (group 2): ~c (channel), ~r (realname), ~R (registered) * With stacked extbans you can combine an extban of the first group with the second For example: ~q:~c:#lamers would quiet all users who are also in #lamers * Extended Invex: very much like extended bans, but for +I (Invite Exception). Currently supported are: ~c (channel, ~r (realname) and ~R (registered) [=group 2] Possible useful uses are setting a channel +i (invite only) and then setting +I ~c:#trustedchan (or even: +I ~c:+#trustedchan) while still retaining the ability to easily ban users through +b. * Channel Mode +Z: indicates whether a channel is 'secure' or not. This channel mode works in conjunction with +z (lower case z). While +z (normally) prevents new non-SSL users from joining, sometimes they can still join, like when after a netsplit the channels merge again. When all users on the channel are connected through SSL, the channel is set +Z by the server. Whenever an insecure user joins, the channel is put -Z. * Remote MOTD support: you can now specify an URL instead of a file * Automatic installation of curl (w/c-ares) if you answer 'Yes' to remote includes * One can now rehash ALL servers with the command '/REHASH -global'. This can be particularly useful if you use remote includes or MOTD's. NetAdmin only command. * files { } block by which you can configure the location of the tune file, pid, etc * STARTTLS: On an IRCd compiled with SSL support this allows a client to start a SSL session on a regular non-SSL port (like 6667). Only supported by a few IRC clients. Can be disabled by setting set::ssl::options::no-starttls * set::uhnames: this allows one to turn UHNAMES off ('no'), which can be a good idea if you have channels with more than 1000 users, as otherwise the nicklist can take several seconds to load. Defaults to on ('yes'). * IPv6 clones detection support: allow::ipv6-clone-mask determines the number of bits used when comparing two IPv6 addresses to determine if allow::maxperip is exceeded. This allows an admin to recognize that most IPv6 blocks are allocated to individuals, who might each get a /64 IPv6 block. set::default-ipv6-clone-mask defaults to 64 and provides default value for the allow blocks. * The m_nopost module is now part of Unreal: this defends against the Firefox/ Javascript 'XPS attack' which uses HTTP POST to create dummy IRC bots. * There have also been some behavior changes, which can be considered NEW, see next section (CHANGED). ==[ CHANGED ]== * Channel Mode +z: due to the +z/+Z changes, some things have changed: * +z can now be set even when insecure users are present (the channel will then be set +Z when the last insecure user leaves) * An oper previously had to invite himself and then join the channel with the key 'override' to set -z. This is no longer needed. The channel stays +z, but will be set -Z when the oper joins. * Remote includes: if a remote include fails to load (eg: webserver down) then the most recent (cached) version of that remote include will be used, and the IRCd will still boot and be able to REHASH. This means it is now 'safe' to use remote includes on a network, without risking problems like unable to rehash in case of webserver problems. * set::level-on-join now supports voice/halfop/protect/owner * Backslashes (\) in MOTD/RULES files are no longer considered special, this might mean that you have to change some escaped backslashes (\\) to \. * '/REHASH -motd' really rehashes ALL MOTD/OPERMOTD/BOTMOTD/RULES files, both the 'normal' files and the ones in tld { } blocks. * The 'Compile as hub/leaf' choice is now gone, as it didn't do anything. * Better document 'sslclientcert' in the Oper Block documentation. This allows one to authenticate against a SSL certificate for /OPER, instead of using a password. ==[ MAJOR BUGS FIXED ]== * If you have autoconnect with a low connfreq, previously you often risked getting 'Server exists' errors and 'breaking' the network. Now, the server handshake has been redesigned which means this will no longer happen. You can now safely have a low connfreq of - for example - 10 seconds. * Windows: 'Permission denied' errors when starting Unreal * A crash on some new Linux systems when replacing .so files * Solaris & QNX: Compile problems * IPv6: admins no longer have to tweak sysctl, like on FreeBSD & newer Linux systems * IPv6: IPv4 ip's in link::bind-ip did not work properly which made the IRCd either not bind to the correct IP, or - like on FreeBSD - made it unable to link at all. * A very rare crash on outgoing connect ==[ MINOR BUGS FIXED ]== * autoconnect not working if TS offset was negative (for the duration of the offset) * CGI:IRC & IPv6: sometimes a users' IP was incorrectly formatted, causing 'ghosts' * Mac OS X: permission problems * Several installation issues with curl * SSL: No more 'Underlying syscall error', the actual error is now shown * And many more... see Changelog ==[ KNOWN ISSUES ]== * Regexes: Be careful with backreferences (\1, etc), certain regexes can slow the IRCd down considerably and even bring it to a near-halt. In the spamfilter user target it's usually safe though. Slow spamfilter detection can help prevent the slowdown/freeze, but might not work in worst-case scenario's. * Regexes: Possessive quantifiers such as, for example, "++" (not to be confused with "+") are not safe to use, they can easily freeze the IRCd. ==[ CHANGELOG ]== Full list of changes since previous release (3.2.8.1): * Fixed compile issue on Solaris regarding c-ares (-lrt), reported and test shell provided by fraggeln (#0003854). * Improved automatic SSL detection on Solaris (/usr/sfw), reported by fraggeln (also #0003854). * Don't do show-connect-info on serversonly ports * Fixed crash on Linux (with a 'new' dynamic linker) when a module has been updated and then reloaded. From now on we just copy to a tempfile, and never hardlink. (bug #3557). * Print out an error if a user uses standard ./configure stuff instead of ./Config. Won't catch all cases, but will definitely catch most problems. * Update some urls * Added ./configure option called --with-system-tre by which you can specify a path to the TRE library (instead of using the TRE we ship with Unreal). Patch provided by ohnobinki (#0003842). * Applied another patch from ohnobinki which adds --with-system-cares (#0003847). * Comitted Windows Installer fix that was put in 3.2.8.1, fixing #0003845 and #0003809 (MS Visual Studio Redistributable package automatic installation). * Fix /VERSION output on Windows, especially for Vista and newer Windows, patch from BuHHunyx and Bock (#0003846). * Fixed issue where a negative time offset (either caused by ircd.tune or timesynch) made autoconnect not work for the duration of the offset (eg: -60 would make autoconnect wait 60 seconds after boot, instead of autoconnecting almost immediately). Reported by aragon (#0003853). * class name 'default' is reserved. Using it caused the ircd to crash on-boot, reported by Dragon_Legion (#0003864). * Fixed IPv4 ip's in link::bind-ip on IPv6 builds. This caused issues ranging from not binding to that ip when linking, to not being able to link at all. Also fixed a very small memory leak upon /REHASH. Bug reported by Mr_Smoke (#0003858). * Applied patch from k4be (#0003866) which introduces a new packet hook (HOOKTYPE_PACKET). Replacing the 'text to be sent' to a client is supported, which allows character(set) conversion in a module. Note that modifying an incoming message by the hook is not supported. * Applied patch from ohnobinki (#0003863) which makes run-time configuration of files (tune, pid, motd) possible. * Fixed bug reported by mut80r (#0003867) where locops didn't get a proper vhost when set::hosts::local had a 'user@host' syntax instead of just 'host'. Also fixed a bug with regards to +x on-oper with locops. * When an incorrect command line argument is passed, the IRCd will no longer boot. Previously it said 'Server not started' but started anyway. Reported and patch provided by ohnobinki (#0003870). * Added special caching of remote includes. When a remote include fails to load (for example when the webserver is down), then the most recent version of that remote include will be used, and the ircd will still boot and be able to rehash. Even though this is quite a simple feature, it can make a key difference when deciding to roll out remote includes on your network. Previously, servers would be unable to boot or rehash when the webserver was down, which would be a big problem (often unacceptable). The latest version of fetched urls are cached in the cache/ directory as cache/. Obviously, if there's no 'latest version' and an url fails, the ircd will still not be able to boot. This would be the case if you added or changed the path of a remote include and it's trying to fetch it for the first time. To disable this new behavior, check out REMOTEINC_SPECIALCACHE in include/config.h. * set::level-on-join now also supports voice, halfop, protect and owner. Requested by katsklaw (#0003852). Partial patch provided by katsklaw and morpheus_pl. * Added initial support for "stacked" extbans. Please see the Changelog item further down (250 lines or so) for more information, as it was heavily reworked later on and the API was changed. * Misc fix for disabling stacked extbans, should've done stuff in our autoconf stuff instead of hacking configure directly :P . * Made the timesynch log output more clear and understandable. * Added an 'UnrealIRCd started' log message on startup. * Added support for STARTTLS. This allows users to switch to SSL without having to use a special SSL-only port, they can simply switch to SSL on any port. This is currently only supported by few clients (such as KVIrc 4). This functionality can be disabled by setting set::ssl::options::no-starttls, for example if you don't want to offer SSL to your users and only want it to be used for server to server links. Naturally, the IRCd must be compiled with SSL support for STARTTLS to work. * Fixed SSL_ERROR_WANT_READ in IRCd_ssl_write() * Use RPL_STARTTLS/ERR_STARTTLS numerics * Removed log target 'kline' from documentation, as it didn't do anything (use 'tkl' instead). Reported by nephilim and Stealth (#0003849). * Server protocol: added PROTOCTL EAUTH=servername, which allows us to authenticate the server very early in the handshake process. That way, certain commands and PROTOCTL tokens can 'trust' the server. See doc/technical/protoctl.txt for details. * Server protocol: between new Unreal servers we now do the handshake a little bit different, so it waits with sending the SERVER command until the first PROTOCTL is received. Needed for next. * Server protocol: added PROTOCTL SERVERS=1,2,3,4,etc by which a server can inform the other server which servers (server numeric, actually) it has linked. See doc/technical/protoctl.txt and next for details. * When our server was trying to link to some server, and at the same time another server was also trying to link with us, this would lead to a server collision: the server would link (twice) ok at first, but then a second later or so both would quit with 'Server Exists' with quite some mess as a result. This isn't unique to Unreal, btw. This happened more often when you had a low connfreq in your link blocks (aka: quick reconnects), or had multiple hubs on autoconnect (with same connfreq), or when you (re)started all servers at the same time. This should now be solved by a new server handshake design, which detects this race condition and solves it by closing one of the two (or more) connections to avoid the issue. This also means that it should now be safe to have multiple hubs with low connfreq's (eg: 10s) without risking that your network falls apart. This new server handshake (protocol updates, etc) was actually quite some work, especially for something that only happened sporadically. I felt it was needed though, because (re)linking stability is extremely important. This new feature/design/fix requires extensive testing. This feature can be disabled by: set { new-linking-protocol 0; }; * Made ./Config description about remote includes a bit more clear. * When you now answer Yes to Remote includes in ./Config and $HOME/curl does not exist, it now asks you if you want to automatically download and install curl (which is done by ./curlinstall). This has been tested on Linux, further testing on f.e. FreeBSD is required. * Fixed a /RESTART issue on Linux: Unreal did not properly close all file- descriptors. Because of this, Unreal did not restart properly as you would get an "Address already in use" error. This only seemed to happen when logging to syslog, or when there was something wrong with syslogd. Reported by Mouse (#0003882). * Fixed a similar issue with syslog (and debugmode) and closing fd's as well: the first port we listened on would not open up, ircd did not log any error. * Added set::uhnames setting which can be used to disable uhnames by setting it to 'no', the default is 'yes' (on). Requested by Robin (#0003885) as UHNAMES may increase the time of the nick list being loaded from 1 to 4 seconds when joining several channels with more than 1000 users. As this problem is only present on some networks, we keep UHNAMES enabled by default. * Added patch from ohnobinki (#0003888), only slightly edited, which improves curl detection, added checks to see if curl actually works (print out a clear curl error during configure, instead of getting an error during 'make'), and we now error when using --enable-libcurl without --with-system-cares if the system curl depends on c-ares. This is because this can cause ABI incompatability between curl's c-ares and our c-ares, which leads to odd issues such as: Could not resolve host: www.example.net (Successful completion) And possibly other weird issues, perhaps even crashes. * Patch from above is (temp.) reverted, Unreal wouldn't compile without curl. * Reverted the revert and updated one line to fix the fix. * Fix for --with-system-cares, reported and patch provided by ohnobinki (#0003890). * Another c-ares fix for Solaris 10, this time it had to do with PATH_SEPARATOR, the exact error was: error: PATH_SEPARATOR not set. Reported by j0inty, patch provided by ohnobinki (#0003887). * Updated pkg-config m4 macro (now 0.23) for configure, patch from ohnobinki (#0003889). * Better document /REHASH flags. No longer document some flags as they are redundant and confusing. Also removed an old statement saying k-lines would be erased on rehash which is not true. Documented '/rehash -dns'. Reported by ohnobinki (#0003881). * We now no longer treat \ (backslash) in *MOTD and RULES files as special. Previously this caused some really odd behavior. Backslashes are now treated as-is, so no special escaping is necessary. Reported by DelGurth (#0003002). * Removed old dgets() and crc32 function (code cleanup) * Updated ./Config description for NOSPOOF, it already said it protects against HTTP POST proxies, now added some extra text to say it also protects against the Firefox XPS IRC Attack. Also made NOSPOOF enabled by default on *NIX (this was already the case on Windows). * Updated ./Config description for DPATH. Seems quite some people answer this question wrong, and when that happens, you only get some obscure error when running './unreal start'. * Fixed 'unreal' script to give a better error if it cannot find the IRCd binary. * Made '/REHASH -motd' really rehash *all* MOTD, OPERMOTD, BOTMOTD and RULES files. Reported by bitmaster (#0003894). * IPv6: it seems some recent Linux dists decided to make IPv6 sockets IPv6-only, instead of accepting both IPv4&IPv6 on them like until now. FreeBSD (and other *BSD's) already did that move a few years back, requiring server admins to sysctl. We now make use of a new option to explicitly disable "IPv6-only". This should work fine on Linux. Whether it provides a complete solution for FreeBSD, I don't know, testing is welcome! In theory setting net.inet6.ip6.v6only to 0 should no longer be needed, but you might still need to enable ipv6_ipv4mapping. * Fix stupid issue where current CVS would no longer link TO an earlier Unreal server (eg: outgoing connect to a 3.2.8 hub). Reported by ohnobinki (#0003901). * Update Unreal.nfo with information about new support network setup (#0003904) * Remove the ``Compile as hub/leaf'' concept as I'm quite sure this doesn't actually do anything (#0003891) * Clarify/expand alias block documentation, especially for alias::type=command; (#0003902) * Fix -DDEFAULT_PERMISSIONS=0 support. Previously, support.c:unreal_copyfile() would create files with no permissions, breaking loadmodule. (#0003905) * Remove m_addline from commands.so * Removed ugly ``files {} got initialized!'' message. * SVSMODE now triggers HOOKTYPE_UMODE_CHANGE and HOOKTYPE_REMOTE_CHANMODE. * Added chmode +r to HTML documentation. * ./Config now remembers extra/custom ./configure parameters. * Fixed bug in CVS where the ban exempt (+e) handling was reversed: if a non-matching +e was present, one could walk through bans. Reported by tabrisnet (#0003909). Bug was caused by stacked extbans. * Partially fixed bug where IPv4 addresses were randomly mishandled by the cgiirc code, resulting in the sockhost/hostmask being set to something like ::ffff:127.0.0.1, which confused the s2s protocol. Reported by tabrisnet (#0003907). Also, reject incorrectly formed hostnames from WEBIRC command. * More strict sockhost (hostmask) checking in m_nick.c:_register_user(). Fixed some bad string handling as well. See comments in bug (#0003907). * Throw out old USE_POLL code which 1. has no buildsystem support and 2. has comments which claim it doesn't work. * Removed extraneous apostrophe from a module loader error message. * Added error message for unknown directives in the "files" block * Remote MOTD support. Not adequately tested. Required restructuring of the asynchronous download callback and handler. (#) * Added some consts throughout url.c, etc. * Fix segfault where the an include directive specifies a URL and cURL follows redirects, resulting in a different resultant URL. The remote includes code would look for the an include block using the resultant URL and assume that it would be found. The new code searches differently, has new checks, and ignores the resultant URL. * Removed duplicated m_motd() and friends that were both in modules and s_serv.c. The copies in s_serv.c (core) were overriding the in-module functions. * Forgot to commit the REMOTEINC_SPECIALCACHE stuff to config.h which means it wasn't actually enabled until now... * Fix typo * Fix files::shortmotd to by accepted by unrealircd like the docs say it is. * Fix remote includes download handling which I broke for remote includes ;-). * Recursively add more consts. * Rename configure.in to configure.ac and modernize AC_INIT. * Handle bad flags in set::ssl::options better (#0003896). * When removing a SHUN, check if users who were blocked by this SHUN are still blocked by another SHUN. Previously, if multiple shuns covered a single user, removing one of these shuns would mark the user as un-SHUN-ed. (#0003906) * Fixed race condition / reference count issue where an outgoing server connect would cause the IRCd to crash. Reported by Monk (#0003913). * Replaced some coders@lists.unrealircd.org references with bugs.unrealircd.org * Fixed desynchronized prototype. * Fixed a few trivial compilation warnings. * Move configure.ac to the project's root. * Separate m4 macros into *.m4 files (it is much easier to run aclocal now). * Remove unused DOMAINNAME macro and --with-hostname= options as the DOMAINNAME macro isn't used anywheres and its use shouldn't be encouraged. * autogen.sh to bootstrap the buildsystem. We now maintain setup.h with autoheader. * --disable-blah now does the opposite of --enable-blah. The same for --with-blah and --without-blah. (This makes Gentoo users happier). * Attempt to make up for Windows not having mode_t and not complying to POSIX. * Fix references in src/win32 to aMotd to now be to aMotdFile. * Fix references to motd and friends in src/win32. (#0003918) * Remove include/nameser.h and reference to nameser.h from s_bsd.c. The associated functionality has been provided by c-ares for a long time. * Remove remaining nameser.h references from Makfiles. * Prevent stacked bans (like +b ~q:~q:~n:~c:#chanel) from crashing unrealircd due to over-recycling a static buffer. Discovered by syzop. * helpop documentation for stacked extbans. * Updated doc/coding-guidelines * Fixed some odd behavior with SVSMODE and +z/-z, reported by TehRes (#0003498), fixed a strange SVSMODE +d bug where it would act as a +x too. * The patch from #0003888 made ./Config favor the curl in /usr, even if it was not compiled with c-ares, which is clearly a bad idea as then the entire IRCd can hang for several seconds or more... We now check if they support asynch DNS, and skip them if they don't. * Remove extraneous `I' from configure.ac, run ./autogen.sh. (#3930) * Added some checks in ./Config which (often) ensures that the self-compiled curl version is new enough and is not using a c-ares which is binary incompatible. If the self-compiled curl version is (too) outdated, then we now suggest to rename it and have the installer re-download and compile it automatically. This avoids some potential crashes. * Give more clear error to users who use ``make custommodule'' without MODULEFILE. (#3935) * Support compiling with a bundled c-ares again, the hacky way. (#3931) * The configure.ac change silently changed the nospoof parameter in ./configure. This meant that the answer to NOSPOOF in ./Config was ignored and it was always enabled. * Initialize ARG parameter properly in ./Config, otherwise everything fails. * Fixed similar bug like nospoof with ./Config, but now with prefixaq. * Same for IPv6 * Now define _SOLARIS, USE_LIBCURL, and ZIP_LINKS in setup.h instead of the Makefiles. This means better automatic rebuilds if the latter settings change. * Updated unreal32docs: * Remove browser compatibility listing. * Added information about ``oper::password::auth-type sslclientcert'' and the same for link::password-receive::auth-type. * A little bit more of interlinking and using id="" instead of a name="" * Some minor tweaks * Fix the detection for curl-without-c-ares a little (#0003940). * Add an extban of the schema +b ~j:*!*@* which _only_ prevents a user from joining a channel. (#3192) * Fix src/Makefile's lack of depencencies for modules.c, related to #3938. * Fix a few compiler warnings with some double-casting and another const. (#3939) * Define intptr_t in win32's setup.h. (#3939) * Upgraded c-ares to 1.7.3. API seems compatible with c-ares-1.6.0. (#3932) * Force compilation with bundled c-ares to statically link using more sed hackery in configure.ac. * Remove extras/c-ares before each time c-ares is compiled. * Uniform naming for 'stacked extbans' in Changelog/etc. * Make extended bans documentation more clear by splitting the extbans in two groups: one that specifies ban actions (~q/~n/~j) and one that introduces new criteria (~c/~r). Also added documentation for ~R which does not exist yet, but will soon... * This is actually an update of earlier code from CVS, but now it works ok: * Added support for "stacked" extbans. Put simply this allows extban combinations such as ~q:~c:#test to only silence users on #test, for example. This feature is enabled by default, but can be disabled during ./Config -advanced. This feature was suggested by Shining Phoenix (#0003193), was then coded by aquanight for U3.3, and later on backported and partially redone by Syzop. Module coders: In an extban ~x:~y:something where we call ~x the 1st, and ~y the 2nd extban: Since stacked extbans only makes sense where the 1st one is an action extended ban like ~q/~n/~j, most modules won't have to be changed, as their extban never gets extended (just like ~c:~q: makes no sense). However, you may still want to indicate in some cases that the extban your module introduces also shouldn't be used as 2nd extban. For example with a textban extban ~T it makes no sense to have ~n:~T. The module can indicate this by setting EXTBOPT_NOSTACKCHILD in the ExtbanInfo struct used by ExtbanAdd(). For completeness I note that action modifier extbans are indicated by EXTBOPT_ACTMODIFIER. However, note that we currently assume all such extbans use the extban_is_ok_nuh_extban and extban_conv_param_nuh_or_extban functions. If you don't use these and use EXTBOPT_ACTMODIFIER, then things will go wrong with regards to stack-counting. Module coders should also note that stacked extbans are not available if DISABLE_STACKED_EXTBANS is defined. * Added extended ban ~R:, which only matches if is a registered user (has identified to services). This is really only useful in ban exemptions, like: +e ~R:Nick would allow Nick to go through all bans if he has identified to NickServ. This is often safer than using +e n!u@h. * Added Extended Invex. This is very much like extended bans, in fact it supports some of the same flags. Syntax: +I ~character:mask Currently supported are: ~c (channel), ~r (realname) and ~R (registered). This can be useful when setting a channel invite only (+i) and then setting invite exceptions such as +I ~c:#chan (or even ~c:+#chan), while still being able to ban users. Because action modifiers (~q/~n/~j) make no sense here, extended invex stacking (+I ~a:~b:c) makes no sense either, and is not supported. Suggested by DanPMK (#0002817), parts based on patch from ohnobinki. Module coders: set EXTBOPT_INVEX in the ExtbanInfo struct used by ExtbanAdd() to indicate that your extban may also be used in +I. * Invex (+I) now always checks cloaked hosts as well. Just like with bans, it checks them also when the user is not currently cloaked (eg: did -x, or is currently using some VHOST). * Fixed client desynch caused by (un)banning, reported by Sephiroth (#2837). * IPv6 clones detection support (#2321). allow::ipv6-clone-mask determines the number of bits used when comparing two IPv6 addresses to determine if allow::maxperip is exceeded. This allows an admin to recognize that most IPv6 blocks are allocated to individuals, who might each get a /64 IPv6 block. set::default-ipv6-clone-mask defaults to 64 and provides default value for the allow blocks. * Upgrade to tre-0.8.0, adding hack similar to the one for c-ares to ensure that the bundled tre is compiled against even when a system libtre is installed. (#3916) * Install ircdcron scripts. (#2620) * Autogenerate ircdcron/ircd.cron based on ./configure settings. * Get rid of any setsockopt(IPV6_V6ONLY) errors in ircd.log (#3944). * Actually initialize m_starttls when it's included into commands.so. * Prepend a `0' to the begining of --with-permission, working around a Mac OS X bug and hiding the fact that chmod()'s params are octal from users. (#3189) * Warn users against running UnrealIRCd as root without setting IRC_USER. (#3053 reported by Stealth) * Remove snomasks upon deopering when it seems like the user shouldn't have snomasks. (#3329) * Fix /msg IRC WHOIS response for persons with secure connections. (#3947) * Fix segfault by checking if RESTRICT_USERMODES is NULL in the code for bug #3329. * Don't use sys/errno.h, as it's not POSIX and breaks on QNX-6.5.0. (#3955) * Fixed another compile problem on QNX, reported by chotaire (#3955 too). * Fixed incorrect messages regarding clock going backwards on QNX 6 and later, reported by chotaire (#0003956). * Reverted an IPv6/Config fix I did on July 17. Reported by chotaire (#3958). * Document the badword block more explicitly and clearly. (#3959) * Add the m_nopost module written by syzop and compile it into commands.so. This module was written to help IRCd maintainers deal with some sort of ``XPS'' attack in which javascript-initiated HTTP POST form submissions were able to act as dummy IRC bots. These simple bots were the cause of much spam. Note that enabling NOSPOOF, which was the default on Windows and is now also the default on *NIX, already stops the troublemakers from getting on IRC. However, the nopost module kills them right away, rather than have them idle for 30 seconds which could consume all your connections, preventing (legit) users from being able to connect (#3893). * Add a modules section to the documentation. This was created to put all documentation specific to the m_post module in one, easy to find place. The documentation on m_post is likely incomplete, however. * Fixed notices to opers about server delinks not being broadcasted to all other servers if they were on SSL links. Reported by chotaire (#0003957). * SSL errors are now more descriptive. In some cases, like server to server links it was still showing 'Underlying syscall error', this has now been replaced to show the actual (surprise!) underlying syscall error instead. Reported by vonitsanet, patch from ohnobinki (#0003157). * Fix ordering of ``9. FAQ'' and ``10. Modules'' in HTML docs. * Always display the real host of successful OPERing up. Reported by Josh. (#3950) * Fixed braindamage in stacked bans. * Add m_nopost to makefile.win32 in the hopes that it may work (#3961). * Document spamfilter 'warn' action in unreal32docs. * Fix missing OperOverride notices for +u and +L if not chanowner, reported by Mareo (#0003358), partial patch from goldenwolf. * Updated doc/compiling_win32.txt with current free MS SDK information, patch from goldenwolf. * And another m_nopost makefile.win32 fix. * Some small updates to the extended channel mode system: it now has minimal support for 'local channel modes'. This is really only meant for channel mode +Z (upcase z), see next. * Added Channel Mode Z which indicates if a channel is 'secure' or not. This mode works in conjunction with +z (lower case z). If +z is set ('only secure users may join'), then the IRCd scans to see if everyone in the channel is connected through SSL. If so, then the channel is set +Z as well ('channel is secure'). Whenever an insecure user manages to join, the channel is -Z. And whenever all insecure users leave, the channel is set +Z. The 'insecure user being present in a +z channel' can be because: - An IRCOp joined the channel, and he's not secure - When servers link together and a user on the other side is not secure This only happens on net merge (equal time stamp). On different time stamp, we still kick insecure users on the new side. - At the time when +z is set, there are insecure users present. This feature was implemented after a heavy discussion in bug #3720 by fez and others, and was suggested by Stealth. Tech note: +Z/-Z is handled locally by each server. Any attempt to remotely set +Z/-Z (eg: by services) will be ignored. * As mentioned above, +z can now be set even if any insecure users are present. Previously, this was not permitted. Now, as soon as the last non-SSL user leaves, the channel will be set +Z. * An oper not connected through SSL previously had to /INVITE himself to a channel and then /JOIN the channel with the key 'override'. This 'override' key is no longer required, a simple JOIN will suffice. * Sorted channel modes in /HELPOP ?CHMODES * Re-enabled 'fishy timestamp' errors in MODE. For some reason this was commented out, even though the (more annoying and less useful) code in JOIN was enabled so that did not make a lot of sense. It also now logs to ircd.log (or whatever you configure). This enables people to easier find the cause of any timestamp issues (which usually is badly coded services). * Win32 installer: Make it so a user can no longer accidentally check both 'install as service' and 'encrypt SSL certificate', as they are incompatible (a service cannot ask a user to enter a password). Reported by HotFusionMan (#0003848). * Win32 installer: Fixed long outstanding problem with some Vista / Windows 7 installations, which has to do with file permissions of the Unreal3.2 folder. Symptoms were error messages such as: Unable to create file 'tmp/10D9D743.commands.dll': Permission denied But also failing to create SSL certificates, nothing being logged, etc. This is now fixed by setting write access on the Unreal3.2 folder to the user running the install, unless the user chooses not to use this new option (it can be unchecked), in which case the user is warned that he should take care of this himself. Reported by various persons, special thanks to Bock and goldenwolf for helping us to track down this issue (#0003943). * Little tweak to +Z: when the last insecure user parts and the channel is set +Z (secure), the parting user saw the MODE too, which was silly. Reported by Robby22 (#0003720). * Added '/REHASH -global' command which will rehash all servers on the network. You can also specify options like '/REHASH -global -motd' to rehash only the MOTD/RULES/etc. Just like /REHASH this is a NetAdmin-only command. This command is fully backwards compatible with older UnrealIRCd version in the sense that it will also REHASH old Unreal's. Suggested by 'P' in #0001522. * Clarified the difference between 'except ban' (which exempts from KLINE and ZLINE) and 'except tkl' (which can exempt from GLINE, GZLINE, SHUN, QLINE and GQLINE). Reported by Digerati (#0002535). * Added except tkl::type 'all', which exempts from all TKL types (except KLINE). * Added set::options::allow-insane-bans which makes it possible to set really broad bans such as *@*.xx. Needless to say this can be very dangerous. Reported and patch provided by Stealth (#0003963). * Windows: When trying to load a module (DLL) windows can give us the mysterious error 'The specified module could not be found' even though the file exists. This usually means that it depends on another DLL, but apparently Microsoft decided not to mention that in the error message. We now append some small text when such an error happens, saying that it could be because of a missing dependency. Reported by Phil. * Fixed Windows compile problem with current CVS due to m_issecure, reported and fix provided by therock247uk (#3970). * Added release notes. * Error on zero sendq in class::sendq, reported by jonbeard. * Fix return values in src/auth.c on Win32. * Win32: Attempt to move to 100% winsock2 (the include, to be precise), this means includes have to be in a very particular order (!) * Win32: #define _WIN32_WINNT 0x0501 and force our own inet_ntop/pton, otherwise you get an ntop runtime error on XP and earlier. * Win32: Get rid of c-ares includes and library in our tree, and use the DLL instead of static LIB, just like we do for ssl and zlib. * Win32: Get rid of TRE lib and includes * Win32: reorder includes to fix winsock errors with curl * Win32: show missing /INFO in GUI ** 3.2.9-rc1 release ** * Enable parallel building of modules. * Fixed bug with curl not finding libcares, reported by katslaw. * Added workaround for 'curl-config' depending on 'bc'. * Fix typo 'alias::spampfilter' in German docs, reported by seraphim (#3978). * Fix missing #include . Fixes compile error on OpenBSD reported by CuleX (#3977). * Fix invalid use of 'wc -l' when detecting the AsynchDNS feature of libcurl which breaks compilation on FreeBSD; instead use 'grep -q'. Reported by Jobe (#3981), solution proposed by satmd. * Fix bundled TRE compilation error on OpenBSD with pkg-config-0.21 where pkg-config can't find 'tre.pc'. Reported by CuleX. (#3982) Also properly escape the sed expression used in the pkg-config call. * Fix remote MOTDs for URLs whose path components contain subdirectories, in the process much simplifying my remote MOTD code. Reported by goldenwolf (#3986). * Windows installer: if an SSL certificate already exists, then don't check the 'create SSL certificate' by default. Patch from goldenwolf (#3965). * Update doc/compiling_win32.txt a bit (#3975). * Updated credits a bit (#3980). * Fix set::ssl::options::no-starttls not being recognized. * Fix pointer handling in remote MOTD code, fixing a crash on REHASH reported by goldenwolf (#3992). * Bump server protocol version to 2310, due to the various changes and so you can use deny link { } blocks if you want to deny older versions than this release. * Fix documentation about channel mode +t and halfops, thanks warg (#4007). * Fix empty/nonexistent short MOTD being shown instead of the full MOTD on user registration. Thanks WakiMiko (#4011). * Module coders: Added HOOKTYPE_HANDSHAKE which is called before the client handshake, IOTW: as soon as the connection is established. This can be used to do things prior to accepting any commands, such as sending some text. * Moved from cvs to hg (thanks binki!), this means cvs from this point in time should no longer be used (the lastest CVS version will not compile, this has been done on-purpose). The new way to access the development version of UnrealIRCd is: hg clone http://hg.unrealircd.org/unreal If you get something like 'hg: command not found' then you need to install mercurial. Most *NIX systems have such a 'mercurial' package, but if you don't, or you are on Windows or Mac OS X, then grab it at http://mercurial.selenic.com/ * Updated doc/compiling_win32.txt a bit. * The unreal32docs translations in Greek, Spanish and Dutch are marked as out of date. * CRLF conversion of unreal32docs.gr.html * Zip links: once a link was zipped, the error message when closing the connection was never actually sent (due to buffering). Hence, things like the /SQUIT reason was never seen on the other side (just 'server closed the connection'). This has now been fixed. * Fix compile failure introduced by last change when zip links are disabled. * Check that the automatically-generated cloak keys fit unrealircd's own criteria before printing them out. (#4017) * Added aliases/atheme.conf, provided by katsklaw (#0003990). * Support installing the ircd binary for people who set --with-spath=/bin/ircd. * Add missing quotation to doc/help.fr.conf (#4026 by MewT). * Remove temporary message (Unreal3.2.1) regarding cloaking modules. * Add a self-documented and commented files {} block to example.conf. * Another fix-for-fix of zip links buffering from a few weeks ago. Reported by fbi (#0004030). * Win32: fix rehash from the command line not working, reported by Platzii (#0004028). * Update curl-ca-bundle.crt ** 3.2.9-rc2 release ** * Updated credits (donations) * Updated credits (supporters, coders) ** 3.2.9 release **