Wed Dec 15, 2010 4:04 pm

I've released Unreal3.2.9-rc1 (Release Candidate 1) for testing.
There have been a lot of changes - twice as much as usual - since 3.2.8(.1), so this is just the first in a series of RC's for Unreal3.2.9.

Members from the public are welcome to test if there are any major release critical bugs (eg: crash bugs) present, so they can be corrected before the real 3.2.9 release. If you want to help out testing a bit, check out the downloads below. Note that 3.2.9-rc1 should NOT be used at production servers!

For downloads, see www.unrealircd.com -> Downloads.

If you're willing to help some more, maybe you could help out in the Unreal3.2 testing forum as well, to test specific test-items. Be sure to read the first post ('READ THIS! (how to use)').

Unreal3.2.9-RC1 Release Notes

- If you are upgrading on *NIX, make sure you run 'make clean' and './Config'
  first, before doing 'make'
- The official UnrealIRCd documentation is doc/unreal32docs.html
  online version at: http://www.vulnscan.org/UnrealIRCd/unreal32docs.html
  FAQ: http://www.vulnscan.org/UnrealIRCd/faq/
  Read them before asking for help.
- Report bugs at http://bugs.unrealircd.org/
- When upgrading a network, we assume you are upgrading from the previous
  version (3.2.8/ Upgrading from 3.2.6 or 3.2.7 should also be no problem.
- The purpose of the sections below (NEW, CHANGED, MINOR, etc) is to be a SUMMARY
  of the changes in this release. There have been 160+ changes, twice as much
  as usual for a release, hence this summary is a bit long too.
  For the FULL list of changes, see the Changelog.

==[ NEW ]==
- Extban ~j: this only prevents a user from joining, once in he can speak freely.
- Extban ~R:<nick>: this ban only matches if <nick> is a registered user (has
  identified to services). Especially useful in cases like: +e ~R:TrustedUser.
- Stacked Extended Bans:
  - Extbans are now split in two groups:
    - Ones that specify which user actions are affected (group 1):
      ~q (quiet), ~n (nick change), ~j (join)
    - Ones that introduce new criteria that can be used (group 2):
      ~c (channel), ~r (realname), ~R (registered)
  - With stacked extbans you can combine an extban of the first group with the second
    For example: ~q:~c:#lamers would quiet all users who are also in #lamers
- Extended Invex: very much like extended bans, but for +I (Invite Exception).
  Currently supported are: ~c (channel), ~r (realname) and ~R (registered) [=group 2]
  Possible useful uses are setting a channel +i (invite only) and then setting
  +I ~c:#trustedchan (or even: +I ~c:+#trustedchan) while still retaining the ability
  to easily ban users through +b.
- Channel Mode +Z: indicates whether a channel is 'secure' or not.
  This channel mode works in conjunction with +z (lower case z).
  While +z (normally) prevents new non-SSL users from joining, sometimes they
  can still join, like when after a netsplit the channels merge again.
  When all users on the channel are connected through SSL, the channel is set +Z
  by the server. Whenever an insecure user joins, the channel is put -Z.
- Remote MOTD support: you can now specify an URL instead of a file
- Automatic installation of curl (w/c-ares) if you answer 'Yes' to remote includes
- One can now rehash ALL servers with the command '/REHASH -global'. This can be
  particularly useful if you use remote includes or MOTD's. NetAdmin only command.
- files { } block by which you can configure the location of the tune file, pid, etc
- STARTTLS: On an IRCd compiled with SSL support this allows a client to start a SSL
  session on a regular non-SSL port (like 6667). Only supported by a few IRC clients.
  Can be disabled by setting set::ssl::options::no-starttls
- set::uhnames: this allows one to turn UHNAMES off ('no'), which can be a good idea
  if you have channels with more than 1000 users, as otherwise the nicklist can take
  several seconds to load. Defaults to on ('yes').
- IPv6 clones detection support: allow::ipv6-clone-mask determines the number of bits
  used when comparing two IPv6 addresses to determine if allow::maxperip is exceeded.
  This allows an admin to recognize that most IPv6 blocks are allocated to individuals,
  who might each get a /64 IPv6 block. set::default-ipv6-clone-mask defaults to 64 and
  provides default value for the allow blocks.
- The m_nopost module is now part of Unreal: this defends against the Firefox/
  Javascript 'XPS attack' which uses HTTP POST to create dummy IRC bots.
- There have also been some behavior changes, which can be considered NEW, see
  next section (CHANGED).

==[ CHANGED ]==
- Channel Mode +z: due to the +z/+Z changes, some things have changed:
  - +z can now be set even when insecure users are present
    (the channel will then be set +Z when the last insecure user leaves)
  - An oper previously had to invite himself and then join the channel
    with the key 'override' to set -z. This is no longer needed.
    The channel stays +z, but will be set -Z when the oper joins.
- Remote includes: if a remote include fails to load (eg: webserver down) then
  the most recent (cached) version of that remote include will be used, and the
  IRCd will still boot and be able to REHASH. This means it is now 'safe' to
  use remote includes on a network, without risking problems like unable to
  rehash in case of webserver problems.
- set::level-on-join now supports voice/halfop/protect/owner
- Backslashes (\) in MOTD/RULES files are no longer considered special, this
  might mean that you have to change some escaped backslashes (\\) to \.
- '/REHASH -motd' really rehashes ALL MOTD/OPERMOTD/BOTMOTD/RULES files, both
  the 'normal' files and the ones in tld { } blocks.
- The 'Compile as hub/leaf' choice is now gone, as it didn't do anything.
- Better document 'sslclientcert' in the Oper Block documentation.
  This allows one to authenticate against a SSL certificate for /OPER, instead
  of using a password.

- If you have autoconnect with a low connfreq, previously you often risked getting
  'Server exists' errors and 'breaking' the network. Now, the server handshake has
  been redesigned which means this will no longer happen. You can now safely have
  a low connfreq of - for example - 10 seconds.
- Windows: 'Permission denied' errors when starting Unreal
- A crash on some new Linux systems when replacing .so files
- Solaris & QNX: Compile problems
- IPv6: admins no longer have to tweak sysctl, like on FreeBSD & newer Linux systems
- IPv6: IPv4 ip's in link::bind-ip did not work properly which made the IRCd either
  not bind to the correct IP, or - like on FreeBSD - made it unable to link at all.
- A very rare crash on outgoing connect

- autoconnect not working if TS offset was negative (for the duration of the offset)
- CGI:IRC & IPv6: sometimes a user's IP was incorrectly formatted, causing 'ghosts'
- Mac OS X: permission problems
- Several installation issues with curl
- SSL: No more 'Underlying syscall error', the actual error is now shown
- And many more... see Changelog

- Regexes: Be careful with backreferences (\1, etc), certain regexes can slow the
  IRCd down considerably and even bring it to a near-halt. In the spamfilter user
  target it's usually safe though. Slow spamfilter detection can help prevent the
  slowdown/freeze, but might not work in worst-case scenario's.
- Regexes: Possessive quantifiers such as, for example, "++" (not to be confused
  with "+") are not safe to use, they can easily freeze the IRCd.

- Fixed compile issue on Solaris regarding c-ares (-lrt), reported and
  test shell provided by fraggeln (#0003854).
- Improved automatic SSL detection on Solaris (/usr/sfw), reported by
  fraggeln (also #0003854).
- Don't do show-connect-info on serversonly ports
- Fixed crash on Linux (with a 'new' dynamic linker) when a module has
  been updated and then reloaded. From now on we just copy to a tempfile,
  and never hardlink. (bug #3557).
- Print out an error if a user uses standard ./configure stuff instead of
  ./Config. Won't catch all cases, but will definitely catch most problems.
- Update some urls
- Added ./configure option called --with-system-tre by which you can specify
  a path to the TRE library (instead of using the TRE we ship with Unreal).
  Patch provided by ohnobinki (#0003842).
- Applied another patch from ohnobinki which adds --with-system-cares
- Committed Windows Installer fix that was put in, fixing
  #0003845 and #0003809 (MS Visual Studio Redistributable package automatic
- Fix /VERSION output on Windows, especially for Vista and newer Windows,
  patch from BuHHunyx and Bock (#0003846).
- Fixed issue where a negative time offset (either caused by ircd.tune or
  timesynch) made autoconnect not work for the duration of the offset
  (eg: -60 would make autoconnect wait 60 seconds after boot, instead of
  autoconnecting almost immediately). Reported by aragon (#0003853).
- class name 'default' is reserved. Using it caused the ircd to crash
  on-boot, reported by Dragon_Legion (#0003864).
- Fixed IPv4 ip's in link::bind-ip on IPv6 builds. This caused issues ranging
  from not binding to that ip when linking, to not being able to link at
  all. Also fixed a very small memory leak upon /REHASH. Bug reported by
  Mr_Smoke (#0003858).
- Applied patch from k4be (#0003866) which introduces a new packet hook
  (HOOKTYPE_PACKET). Replacing the 'text to be sent' to a client is
  supported, which allows character(set) conversion in a module.
  Note that modifying an incoming message by the hook is not supported.
- Applied patch from ohnobinki (#0003863) which makes run-time configuration
  of files (tune, pid, motd) possible.
- Fixed bug reported by mut80r (#0003867) where locops didn't get a
  proper vhost when set::hosts::local had a 'user@host' syntax instead of
  just 'host'. Also fixed a bug with regards to +x on-oper with locops.
- When an incorrect command line argument is passed, the IRCd will no longer
  boot. Previously it said 'Server not started' but started anyway.
  Reported and patch provided by ohnobinki (#0003870).
- Added special caching of remote includes. When a remote include fails to
  load (for example when the webserver is down), then the most recent
  version of that remote include will be used, and the ircd will still boot
  and be able to rehash. Even though this is quite a simple feature, it
  can make a key difference when deciding to roll out remote includes on
  your network. Previously, servers would be unable to boot or rehash when
  the webserver was down, which would be a big problem (often unacceptable).
  The latest version of fetched urls are cached in the cache/ directory as
  cache/<md5 hash of url>.
  Obviously, if there's no 'latest version' and an url fails, the ircd will
  still not be able to boot. This would be the case if you added or changed
  the path of a remote include and it's trying to fetch it for the first time.
  To disable this new behavior, check out REMOTEINC_SPECIALCACHE in
- set::level-on-join now also supports voice, halfop, protect and owner.
  Requested by katsklaw (#0003852). Partial patch provided by katsklaw and
- Added initial support for "stacked" extbans. Please see the Changelog item
  further down (250 lines or so) for more information, as it was heavily
  reworked later on and the API was changed.
- Misc fix for disabling stacked extbans, should've done stuff in our autoconf
  stuff instead of hacking configure directly :P .
- Made the timesynch log output more clear and understandable.
- Added an 'UnrealIRCd started' log message on startup.
- Added support for STARTTLS. This allows users to switch to SSL without
  having to use a special SSL-only port, they can simply switch to SSL on
  any port. This is currently only supported by few clients (such as KVIrc 4).
  This functionality can be disabled by setting set::ssl::options::no-starttls,
  for example if you don't want to offer SSL to your users and only want it
  to be used for server to server links.
  Naturally, the IRCd must be compiled with SSL support for STARTTLS to work.
- Fixed SSL_ERROR_WANT_READ in IRCd_ssl_write()
- Removed log target 'kline' from documentation, as it didn't do anything
  (use 'tkl' instead). Reported by nephilim and Stealth (#0003849).
- Server protocol: added PROTOCTL EAUTH=servername, which allows us to
  authenticate the server very early in the handshake process. That way,
  certain commands and PROTOCTL tokens can 'trust' the server.
  See doc/technical/protoctl.txt for details.
- Server protocol: between new Unreal servers we now do the handshake a
  little bit different, so it waits with sending the SERVER command until
  the first PROTOCTL is received. Needed for next.
- Server protocol: added PROTOCTL SERVERS=1,2,3,4,etc by which a server can
  inform the other server which servers (server numeric, actually) it has
  linked. See doc/technical/protoctl.txt and next for details.
- When our server was trying to link to some server, and at the same time
  another server was also trying to link with us, this would lead to a
  server collision: the server would link (twice) ok at first, but then a
  second later or so both would quit with 'Server Exists' with quite some
  mess as a result. This isn't unique to Unreal, btw.
  This happened more often when you had a low connfreq in your link blocks
  (aka: quick reconnects), or had multiple hubs on autoconnect (with same
  connfreq), or when you (re)started all servers at the same time.
  This should now be solved by a new server handshake design, which detects
  this race condition and solves it by closing one of the two (or more)
  connections to avoid the issue.
  This also means that it should now be safe to have multiple hubs with low
  connfreq's (eg: 10s) without risking that your network falls apart.
  This new server handshake (protocol updates, etc) was actually quite some
  work, especially for something that only happened sporadically. I felt it
  was needed though, because (re)linking stability is extremely important.
  This new feature/design/fix requires extensive testing.
  This feature can be disabled by: set { new-linking-protocol 0; };
- Made ./Config description about remote includes a bit more clear.
- When you now answer Yes to Remote includes in ./Config and $HOME/curl does
  not exist, it now asks you if you want to automatically download and
  install curl (which is done by ./curlinstall).
  This has been tested on Linux, further testing on f.e. FreeBSD is required.
- Fixed a /RESTART issue on Linux: Unreal did not properly close all file-
  descriptors. Because of this, Unreal did not restart properly as you would
  get an "Address already in use" error. This only seemed to happen when
  logging to syslog, or when there was something wrong with syslogd.
  Reported by Mouse (#0003882).
- Fixed a similar issue with syslog (and debugmode) and closing fd's as well:
  the first port we listened on would not open up, ircd did not log any error.
- Added set::uhnames setting which can be used to disable uhnames by setting
  it to 'no', the default is 'yes' (on). Requested by Robin (#0003885) as
  UHNAMES may increase the time of the nick list being loaded from 1 to 4
  seconds when joining several channels with more than 1000 users. As this
  problem is only present on some networks, we keep UHNAMES enabled by default.
- Added patch from ohnobinki (#0003888), only slightly edited, which improves
  curl detection, added checks to see if curl actually works (print out a
  clear curl error during configure, instead of getting an error during
  'make'), and we now error when using --enable-libcurl without
  --with-system-cares if the system curl depends on c-ares. This is because
  this can cause ABI incompatibility between curl's c-ares and our c-ares,
  which leads to odd issues such as:
  Could not resolve host: http://www.example.net (Successful completion)
  And possibly other weird issues, perhaps even crashes.
- Patch from above is (temp.) reverted, Unreal wouldn't compile without curl.
- Reverted the revert and updated one line to fix the fix.
- Fix for --with-system-cares, reported and patch provided by ohnobinki
- Another c-ares fix for Solaris 10, this time it had to do with
  PATH_SEPARATOR, the exact error was: error: PATH_SEPARATOR not set.
  Reported by j0inty, patch provided by ohnobinki (#0003887).
- Updated pkg-config m4 macro (now 0.23) for configure, patch from ohnobinki
- Better document /REHASH flags. No longer document some flags as they are
  redundant and confusing. Also removed an old statement saying k-lines would
  be erased on rehash which is not true. Documented '/rehash -dns'.
  Reported by ohnobinki (#0003881).
- We now no longer treat \ (backslash) in *MOTD and RULES files as special.
  Previously this caused some really odd behavior. Backslashes are now
  treated as-is, so no special escaping is necessary. Reported by DelGurth
- Removed old dgets() and crc32 function (code cleanup)
- Updated ./Config description for NOSPOOF, it already said it protects
  against HTTP POST proxies, now added some extra text to say it also
  protects against the Firefox XPS IRC Attack. Also made NOSPOOF enabled by
  default on *NIX (this was already the case on Windows).
- Updated ./Config description for DPATH. Seems quite some people answer
  this question wrong, and when that happens, you only get some obscure
  error when running './unreal start'.
- Fixed 'unreal' script to give a better error if it cannot find the IRCd
- Made '/REHASH -motd' really rehash *all* MOTD, OPERMOTD, BOTMOTD and RULES
  files. Reported by bitmaster (#0003894).
- IPv6: it seems some recent Linux dists decided to make IPv6 sockets
  IPv6-only, instead of accepting both IPv4&IPv6 on them like until now.
  FreeBSD (and other *BSD's) already did that move a few years back,
  requiring server admins to sysctl.
  We now make use of a new option to explicitly disable "IPv6-only".
  This should work fine on Linux.
  Whether it provides a complete solution for FreeBSD, I don't know, testing
  is welcome! In theory setting net.inet6.ip6.v6only to 0 should no longer
  be needed, but you might still need to enable ipv6_ipv4mapping.
- Fix stupid issue where current CVS would no longer link TO an earlier
  Unreal server (eg: outgoing connect to a 3.2.8 hub). Reported by ohnobinki
- Update Unreal.nfo with information about new support network setup (#0003904)
- Remove the ``Compile as hub/leaf'' concept as I'm quite sure this doesn't
  actually do anything (#0003891)
- Clarify/expand alias block documentation, especially for alias::type=command;
- Fix -DDEFAULT_PERMISSIONS=0 support. Previously, support.c:unreal_copyfile()
  would create files with no permissions, breaking loadmodule. (#0003905)
- Remove m_addline from commands.so
- Removed ugly ``files {} got initialized!'' message.
- Added chmode +r to HTML documentation.
- ./Config now remembers extra/custom ./configure parameters.
- Fixed bug in CVS where the ban exempt (+e) handling was reversed: if a
  non-matching +e was present, one could walk through bans. Reported by
  tabrisnet (#0003909). Bug was caused by stacked extbans.
- Partially fixed bug where IPv4 addresses were randomly mishandled by the
  cgiirc code, resulting in the sockhost/hostmask being set to something like
  ::ffff:, which confused the s2s protocol. Reported by tabrisnet
  (#0003907). Also, reject incorrectly formed hostnames from WEBIRC command.
- More strict sockhost (hostmask) checking in m_nick.c:_register_user(). Fixed
  some bad string handling as well. See comments in bug (#0003907).
- Throw out old USE_POLL code which 1. has no buildsystem support and 2.
  has comments which claim it doesn't work.
- Removed extraneous apostrophe from a module loader error message.
- Added error message for unknown directives in the "files" block
- Remote MOTD support. Not adequately tested. Required restructuring of the
  asynchronous download callback and handler. (#)
- Added some consts throughout url.c, etc.
- Fix segfault where an include directive specifies a URL and cURL follows
  redirects, resulting in a different resultant URL. The remote includes code
  would look for the include block using the resultant URL and assume that
  it would be found. The new code searches differently, has new checks, and
  ignores the resultant URL.
- Removed duplicated m_motd() and friends that were both in modules and s_serv.c.
  The copies in s_serv.c (core) were overriding the in-module functions.
- Forgot to commit the REMOTEINC_SPECIALCACHE stuff to config.h which means
  it wasn't actually enabled until now...
- Fix typo
- Fix files::shortmotd to be accepted by unrealircd like the docs say it is.
- Fix remote includes download handling which I broke for remote includes ;-).
- Recursively add more consts.
- Rename configure.in to configure.ac and modernize AC_INIT.
- Handle bad flags in set::ssl::options better (#0003896).
- When removing a SHUN, check if users who were blocked by this SHUN are still
  blocked by another SHUN. Previously, if multiple shuns covered a single user,
  removing one of these shuns would mark the user as un-SHUN-ed. (#0003906)
- Fixed race condition / reference count issue where an outgoing server connect
  would cause the IRCd to crash. Reported by Monk (#0003913).
- Replaced some coders@lists.unrealircd.org references with bugs.unrealircd.org
- Fixed desynchronized prototype.
- Fixed a few trivial compilation warnings.
- Move configure.ac to the project's root.
- Separate m4 macros into *.m4 files (it is much easier to run aclocal now).
- Remove unused DOMAINNAME macro and --with-hostname= options as the DOMAINNAME
  macro isn't used anywhere and its use shouldn't be encouraged.
- autogen.sh to bootstrap the buildsystem. We now maintain setup.h with autoheader.
- --disable-blah now does the opposite of --enable-blah. The same for --with-blah
  and --without-blah. (This makes Gentoo users happier).
- Attempt to make up for Windows not having mode_t and not complying to POSIX.
- Fix references in src/win32 to aMotd to now be to aMotdFile.
- Fix references to motd and friends in src/win32. (#0003918)
- Remove include/nameser.h and reference to nameser.h from s_bsd.c. The associated
  functionality has been provided by c-ares for a long time.
- Remove remaining nameser.h references from Makefiles.
- Prevent stacked bans (like +b ~q:~q:~n:~c:#chanel) from crashing unrealircd due
  to over-recycling a static buffer. Discovered by syzop.
- helpop documentation for stacked extbans.
- Updated doc/coding-guidelines
- Fixed some odd behavior with SVSMODE and +z/-z, reported by TehRes (#0003498),
  fixed a strange SVSMODE +d <non-number> bug where it would act as a +x too.
- The patch from #0003888 made ./Config favor the curl in /usr, even if it
  was not compiled with c-ares, which is clearly a bad idea as then the
  entire IRCd can hang for several seconds or more...
  We now check if they support asynch DNS, and skip them if they don't.
- Remove extraneous `I' from configure.ac, run ./autogen.sh. (#3930)
- Added some checks in ./Config which (often) ensures that the self-compiled
  curl version is new enough and is not using a c-ares which is binary
  incompatible. If the self-compiled curl version is (too) outdated, then we
  now suggest to rename it and have the installer re-download and compile
  it automatically. This avoids some potential crashes.
- Give more clear error to users who use ``make custommodule'' without
  MODULEFILE. (#3935)
- Support compiling with a bundled c-ares again, the hacky way. (#3931)
- The configure.ac change silently changed the nospoof parameter in
  ./configure. This meant that the answer to NOSPOOF in ./Config was ignored
  and it was always enabled.
- Initialize ARG parameter properly in ./Config, otherwise everything fails.
- Fixed similar bug like nospoof with ./Config, but now with prefixaq.
- Same for IPv6
- Now define _SOLARIS, USE_LIBCURL, and ZIP_LINKS in setup.h instead
  of the Makefiles. This means better automatic rebuilds if the latter
  settings change.
- Updated unreal32docs:
  - Remove browser compatibility listing.
  - Added information about ``oper::password::auth-type sslclientcert''
    and the same for link::password-receive::auth-type.
  - A little bit more of interlinking and using id="" instead of <a
    name="" />
  - Some minor tweaks
- Fix the detection for curl-without-c-ares a little (#0003940).
- Add an extban of the schema +b ~j:*!*@* which _only_ prevents a user
  from joining a channel. (#3192)
- Fix src/Makefile's lack of dependencies for modules.c, related to
- Fix a few compiler warnings with some double-casting and another
  const. (#3939)
- Define intptr_t in win32's setup.h. (#3939)
- Upgraded c-ares to 1.7.3. API seems compatible with
  c-ares-1.6.0. (#3932)
- Force compilation with bundled c-ares to statically link using more
  sed hackery in configure.ac.
- Remove extras/c-ares before each time c-ares is compiled.
- Uniform naming for 'stacked extbans' in Changelog/etc.
- Make extended bans documentation more clear by splitting the extbans in
  two groups: one that specifies ban actions (~q/~n/~j) and one that
  introduces new criteria (~c/~r). Also added documentation for ~R which
  does not exist yet, but will soon...
- This is actually an update of earlier code from CVS, but now it works ok:
- Added support for "stacked" extbans. Put simply this allows extban combinations
  such as ~q:~c:#test to only silence users on #test, for example. This feature
  is enabled by default, but can be disabled during ./Config -advanced.
  This feature was suggested by Shining Phoenix (#0003193), was then coded
  by aquanight for U3.3, and later on backported and partially redone by Syzop.
  Module coders:
  In an extban ~x:~y:something where we call ~x the 1st, and ~y the 2nd extban:
  Since stacked extbans only makes sense where the 1st one is an action
  extended ban like ~q/~n/~j, most modules won't have to be changed, as
  their extban never gets extended (just like ~c:~q: makes no sense).
  However, you may still want to indicate in some cases that the extban your
  module introduces also shouldn't be used as 2nd extban.
  For example with a textban extban ~T it makes no sense to have ~n:~T.
  The module can indicate this by setting EXTBOPT_NOSTACKCHILD in
  the ExtbanInfo struct used by ExtbanAdd().
  For completeness I note that action modifier extbans are indicated by
  EXTBOPT_ACTMODIFIER. However, note that we currently assume all such
  extbans use the extban_is_ok_nuh_extban and extban_conv_param_nuh_or_extban
  functions. If you don't use these and use EXTBOPT_ACTMODIFIER, then things
  will go wrong with regards to stack-counting.
  Module coders should also note that stacked extbans are not available if
- Added extended ban ~R:<nick>, which only matches if <nick> is a registered
  user (has identified to services). This is really only useful in ban
  exemptions, like: +e ~R:Nick would allow Nick to go through all bans if he
  has identified to NickServ. This is often safer than using +e n!u@h.
- Added Extended Invex. This is very much like extended bans, in fact it
  supports some of the same flags. Syntax: +I ~character:mask
  Currently supported are: ~c (channel), ~r (realname) and ~R (registered).
  This can be useful when setting a channel invite only (+i) and then
  setting invite exceptions such as +I ~c:#chan (or even ~c:+#chan), while
  still being able to ban users.
  Because action modifiers (~q/~n/~j) make no sense here, extended invex
  stacking (+I ~a:~b:c) makes no sense either, and is not supported.
  Suggested by DanPMK (#0002817), parts based on patch from ohnobinki.
  Module coders: set EXTBOPT_INVEX in the ExtbanInfo struct used by
  ExtbanAdd() to indicate that your extban may also be used in +I.
- Invex (+I) now always checks cloaked hosts as well. Just like with bans,
  it checks them also when the user is not currently cloaked (eg: did -x, or
  is currently using some VHOST).
- Fixed client desynch caused by (un)banning, reported by Sephiroth (#2837).
- IPv6 clones detection support (#2321). allow::ipv6-clone-mask determines
  the number of bits used when comparing two IPv6 addresses to determine if
  allow::maxperip is exceeded. This allows an admin to recognize that most
  IPv6 blocks are allocated to individuals, who might each get a /64 IPv6
  block. set::default-ipv6-clone-mask defaults to 64 and provides default
  value for the allow blocks.
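
The prefix comparison described above, as an added example (not UnrealIRCd's own code): two IPv6 addresses count as the same client when their first mask_bits bits match, and a new connection is refused when it would push that count past the limit. The function names, the refusal rule (existing matches + 1 > maxperip) and the 2001:db8:: sample addresses are assumptions constructed for illustration.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: addresses of already-connected clients
 * (2001:db8::/32 is the documentation range). */
static const char *const SAMPLE_CONNECTED[] = {
    "2001:db8:1:1::10",
    "2001:db8:1:1:aaaa::1",
    "2001:db8:1:2::10",
};
#define SAMPLE_COUNT (sizeof(SAMPLE_CONNECTED) / sizeof(SAMPLE_CONNECTED[0]))

/* Return 1 when the first `bits` bits of a and b are identical. */
static int same_prefix(const struct in6_addr *a, const struct in6_addr *b,
                       unsigned bits)
{
    unsigned full, rem;

    if (bits > 128)
        bits = 128;
    full = bits / 8;   /* whole bytes covered by the mask */
    rem = bits % 8;    /* leftover bits in the next byte */
    if (full > 0 && memcmp(a->s6_addr, b->s6_addr, full) != 0)
        return 0;
    if (rem > 0) {
        uint8_t mask = (uint8_t)(0xFFu << (8 - rem));
        if ((a->s6_addr[full] & mask) != (b->s6_addr[full] & mask))
            return 0;
    }
    return 1;
}

/* Count connected clients that share the candidate's prefix.
 * Returns -1 if any address fails to parse. */
int count_clones(const char *const *connected, size_t n,
                 const char *candidate, unsigned mask_bits)
{
    struct in6_addr cand, cur;
    size_t i;
    int matches = 0;

    if (inet_pton(AF_INET6, candidate, &cand) != 1)
        return -1;
    for (i = 0; i < n; i++) {
        if (inet_pton(AF_INET6, connected[i], &cur) != 1)
            return -1;
        if (same_prefix(&cand, &cur, mask_bits))
            matches++;
    }
    return matches;
}

/* Assumed rule: refuse when existing clones plus the new connection
 * would exceed maxperip. Returns 1 = refuse, 0 = allow, -1 = bad input. */
int would_exceed_maxperip(const char *const *connected, size_t n,
                          const char *candidate, unsigned mask_bits,
                          int maxperip)
{
    int clones = count_clones(connected, n, candidate, mask_bits);

    if (clones < 0)
        return -1;
    return (clones + 1 > maxperip) ? 1 : 0;
}

int main(void)
{
    const char *cand = "2001:db8:1:1:ffff::99";
    unsigned masks[] = { 128, 64, 48 };
    size_t i;

    for (i = 0; i < sizeof(masks) / sizeof(masks[0]); i++)
        printf("mask /%u: %d clones, refuse with maxperip 2: %d\n",
               masks[i],
               count_clones(SAMPLE_CONNECTED, SAMPLE_COUNT, cand, masks[i]),
               would_exceed_maxperip(SAMPLE_CONNECTED, SAMPLE_COUNT, cand,
                                     masks[i], 2));
    return 0;
}
```

With a /128 comparison a single /64 holder can open a fresh address per connection and never hit maxperip; the default of 64 groups them together.
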
- Upgrade to tre-0.8.0, adding hack similar to the one for c-ares to
  ensure that the bundled tre is compiled against even when a system
  libtre is installed. (#3916)
- Install ircdcron scripts. (#2620)
- Autogenerate ircdcron/ircd.cron based on ./configure settings.
- Get rid of any setsockopt(IPV6_V6ONLY) errors in ircd.log (#3944).
- Actually initialize m_starttls when it's included into commands.so.
- Prepend a `0' to the beginning of --with-permission, working around a
  Mac OS X bug and hiding the fact that chmod()'s params are octal
  from users. (#3189)
- Warn users against running UnrealIRCd as root without setting
  IRC_USER. (#3053 reported by Stealth)
- Remove snomasks upon deopering when it seems like the user shouldn't
  have snomasks. (#3329)
- Fix /msg IRC WHOIS response for persons with secure connections. (#3947)
- Fix segfault by checking if RESTRICT_USERMODES is NULL in the code
  for bug #3329.
- Don't use sys/errno.h, as it's not POSIX and breaks on QNX-6.5.0. (#3955)
- Fixed another compile problem on QNX, reported by chotaire (#3955 too).
- Fixed incorrect messages regarding clock going backwards on QNX 6 and
  later, reported by chotaire (#0003956).
- Reverted an IPv6/Config fix I did on July 17. Reported by chotaire (#3958).
- Document the badword block more explicitly and clearly. (#3959)
- Add the m_nopost module written by syzop and compile it into
  commands.so. This module was written to help IRCd maintainers deal
  with some sort of ``XPS'' attack in which javascript-initiated HTTP
  POST form submissions were able to act as dummy IRC bots. These
  simple bots were the cause of much spam. Note that enabling NOSPOOF,
  which was the default on Windows and is now also the default on *NIX,
  already stops the troublemakers from getting on IRC. However, the nopost
  module kills them right away, rather than have them idle for 30 seconds
  which could consume all your connections, preventing (legit) users
  from being able to connect (#3893).
- Add a modules section to the documentation. This was created to put
  all documentation specific to the m_post module in one, easy to find
  place. The documentation on m_post is likely incomplete, however.
- Fixed notices to opers about server delinks not being broadcasted to all
  other servers if they were on SSL links. Reported by chotaire (#0003957).
- SSL errors are now more descriptive. In some cases, like server to server
  links it was still showing 'Underlying syscall error', this has now been
  replaced to show the actual (surprise!) underlying syscall error instead.
  Reported by vonitsanet, patch from ohnobinki (#0003157).
- Fix ordering of ``9. FAQ'' and ``10. Modules'' in HTML docs.
- Always display the real host of successful OPERing up. Reported by
  Josh. (#3950)
- Fixed braindamage in stacked bans.
- Add m_nopost to makefile.win32 in the hopes that it may work (#3961).
- Document spamfilter 'warn' action in unreal32docs.
- Fix missing OperOverride notices for +u and +L if not chanowner, reported
  by Mareo (#0003358), partial patch from goldenwolf.
- Updated doc/compiling_win32.txt with current free MS SDK information,
  patch from goldenwolf.
- And another m_nopost makefile.win32 fix.
- Some small updates to the extended channel mode system: it now has minimal
  support for 'local channel modes'. This is really only meant for channel
  mode +Z (upcase z), see next.
- Added Channel Mode Z which indicates if a channel is 'secure' or not.
  This mode works in conjunction with +z (lower case z).
  If +z is set ('only secure users may join'), then the IRCd scans to see
  if everyone in the channel is connected through SSL. If so, then the
  channel is set +Z as well ('channel is secure').
  Whenever an insecure user manages to join, the channel is -Z. And whenever
  all insecure users leave, the channel is set +Z.
  The 'insecure user being present in a +z channel' can be because:
  - An IRCOp joined the channel, and he's not secure
  - When servers link together and a user on the other side is not secure
    This only happens on net merge (equal time stamp).
    On different time stamp, we still kick insecure users on the new side.
  - At the time when +z is set, there are insecure users present.
  This feature was implemented after a heavy discussion in bug #3720 by fez
  and others, and was suggested by Stealth.
  Tech note: +Z/-Z is handled locally by each server. Any attempt to
  remotely set +Z/-Z (eg: by services) will be ignored.
- As mentioned above, +z can now be set even if any insecure users are
  present. Previously, this was not permitted. Now, as soon as the last
  non-SSL user leaves, the channel will be set +Z.
- An oper not connected through SSL previously had to /INVITE himself
  to a channel and then /JOIN the channel with the key 'override'.
  This 'override' key is no longer required, a simple JOIN will suffice.
- Sorted channel modes in /HELPOP ?CHMODES
- Re-enabled 'fishy timestamp' errors in MODE. For some reason this was
  commented out, even though the (more annoying and less useful) code in
  JOIN was enabled so that did not make a lot of sense. It also now logs to
  ircd.log (or whatever you configure). This makes it easier for people to
  find the cause of any timestamp issues (which usually is badly coded
  services).
- Win32 installer: Make it so a user can no longer accidentally check both
  'install as service' and 'encrypt SSL certificate', as they are
  incompatible (a service cannot ask a user to enter a password).
  Reported by HotFusionMan (#0003848).
- Win32 installer: Fixed long outstanding problem with some Vista / Windows 7
  installations, which has to do with file permissions of the Unreal3.2
  folder. Symptoms were error messages such as:
  Unable to create file 'tmp/10D9D743.commands.dll': Permission denied
  But also failing to create SSL certificates, nothing being logged, etc.
  This is now fixed by setting write access on the Unreal3.2 folder to the
  user running the install, unless the user chooses not to use this new
  option (it can be unchecked), in which case the user is warned that he
  should take care of this himself.
  Reported by various persons, special thanks to Bock and goldenwolf for
  helping us to track down this issue (#0003943).
- Little tweak to +Z: when the last insecure user parts and the channel is
  set +Z (secure), the parting user saw the MODE too, which was silly.
  Reported by Robby22 (#0003720).
- Added '/REHASH -global' command which will rehash all servers on the
  network. You can also specify options like '/REHASH -global -motd' to
  rehash only the MOTD/RULES/etc. Just like /REHASH <servername> this is a
  NetAdmin-only command. This command is fully backwards compatible with
  older UnrealIRCd versions in the sense that it will also REHASH old
  Unreal's. Suggested by 'P' in #0001522.
- Clarified the difference between 'except ban' (which exempts from KLINE
  and ZLINE) and 'except tkl' (which can exempt from GLINE, GZLINE, SHUN,
  QLINE and GQLINE). Reported by Digerati (#0002535).
- Added except tkl::type 'all', which exempts from all TKL types (except
- Added set::options::allow-insane-bans which makes it possible to set
  really broad bans such as *@*.xx. Needless to say this can be very
  dangerous. Reported and patch provided by Stealth (#0003963).
- Windows: When trying to load a module (DLL) windows can give us the
  mysterious error 'The specified module could not be found' even though the
  file exists. This usually means that it depends on another DLL, but
  apparently Microsoft decided not to mention that in the error message.
  We now append some small text when such an error happens, saying that it
  could be because of a missing dependency. Reported by Phil.
- Fixed Windows compile problem with current CVS due to m_issecure,
  reported and fix provided by therock247uk (#3970).
- Added release notes.
- Error on zero sendq in class::sendq, reported by jonbeard.
- Fix return values in src/auth.c on Win32.
- Win32: Attempt to move to 100% winsock2 (the include, to be precise),
  this means includes have to be in a very particular order (!)
- Win32: #define _WIN32_WINNT 0x0501 and force our own inet_ntop/pton,
  otherwise you get an ntop runtime error on XP and earlier.
- Win32: Get rid of c-ares includes and library in our tree, and use the
  DLL instead of static LIB, just like we do for ssl and zlib.
- Win32: Get rid of TRE lib and includes
- Win32: reorder includes to fix winsock errors with curl
- Win32: show missing /INFO in GUI
** 3.2.9-rc1 release **
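
The +z/+Z rules listed in the notes above, as a small C model of one server's local bookkeeping. This is an added example, not UnrealIRCd source; the struct, the function names and the rule that -z also clears +Z are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model of one server's local view of a channel (not UnrealIRCd code). */
struct chan {
    int insecure;  /* members present that are not connected through SSL */
    bool mode_z;   /* +z: only secure users may join */
    bool mode_Z;   /* +Z: channel is secure (derived locally, never synced) */
};

/* Recompute +Z; returns true when the flag flipped. */
static bool recompute_Z(struct chan *c)
{
    bool want = c->mode_z && c->insecure == 0; /* assumption: -z clears +Z */
    bool changed = (want != c->mode_Z);
    c->mode_Z = want;
    return changed;
}

/* +z may be set while insecure users are present; +Z then stays off. */
bool set_z(struct chan *c, bool on) { c->mode_z = on; return recompute_Z(c); }

/* A remote +Z/-Z (e.g. from services) is ignored: state is left unchanged. */
bool remote_set_Z(struct chan *c, bool on) { (void)on; return c->mode_Z; }

/* Returns false if the join is refused. privileged = IRCOp or net merge. */
bool join(struct chan *c, bool ssl, bool privileged)
{
    if (c->mode_z && !ssl && !privileged) return false;
    if (!ssl) c->insecure++;
    recompute_Z(c);
    return true;
}

/* Returns true if this part made the channel +Z. */
bool part(struct chan *c, bool ssl)
{
    if (!ssl) c->insecure--;
    return recompute_Z(c);
}

int main(void)
{
    struct chan c = {0};
    join(&c, true, false);   /* SSL user */
    join(&c, false, false);  /* non-SSL user, channel not yet +z */
    set_z(&c, true);
    printf("+z set with an insecure member: +Z=%d\n", c.mode_Z);
    part(&c, false);
    printf("last insecure member left:      +Z=%d\n", c.mode_Z);
    return 0;
}
```

Because +Z is derived from local membership only, a client should treat it as that server's view of the channel, which can briefly differ across a net merge.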

