From 4c0d830ae14f452daaff11f451500e0ea686881f Mon Sep 17 00:00:00 2001 From: Bram Matthys Date: Fri, 8 May 2026 19:24:07 +0200 Subject: [PATCH] Write release notes. --- doc/RELEASE-NOTES.md | 51 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) diff --git a/doc/RELEASE-NOTES.md b/doc/RELEASE-NOTES.md index bf3234d19..bb4abc94c 100644 --- a/doc/RELEASE-NOTES.md +++ b/doc/RELEASE-NOTES.md 
@@ -4,12 +4,63 @@ UnrealIRCd 6.2.5-git This is the git version (development version) for future UnrealIRCd 6.2.5. This is work in progress and may not always be a stable version. +This version changes the way we deal with IPv6 clone detection. If you +run an IRC network with IPv6 connectivity, be sure to read the first 3 +points of the **Enhancements** section below carefully. + ### Enhancements: +* [allow::maxperip](https://www.unrealircd.org/docs/Allow_block#maxperip) + and [connect-flood](https://www.unrealircd.org/docs/Anti-flood_settings#connect-flood) + now treat an IPv6 /64 as a single host + ([set::default-ipv6-clone-mask](https://www.unrealircd.org/docs/Set_block#set::default-ipv6-clone-mask)). + Since end users are typically allocated a whole /64, per-/128 counting + offered no real clone protection. We previously claimed to be doing this + already in the documentation, but in practice the setting was ignored. + A related unused option allow::ipv6-clone-mask has been removed and will + now raise an error. +* [ConnThrottle](https://www.unrealircd.org/docs/Connthrottle) now has a + set::connthrottle::ipv6-unknown-users-limit (enabled by default). + This limits the number of *unknown IPv6 users* per /56, /48 and /32. + This reduces the effect of an attacker launching many IPv6 clones at + a server. Users in the "known-users" security-group are exempt (by + default: identified to services, or + [reputation](https://www.unrealircd.org/docs/Reputation_score) of 25 or more). + Also exempt are users matching set::connthrottle::except or an + except ban with type maxperip. +* New set::known-cloud-services (enabled by default) automatically + exempts large IRC platforms with stable published IP ranges from + [allow::maxperip](https://www.unrealircd.org/docs/Allow_block#maxperip) + and [connect-flood](https://www.unrealircd.org/docs/Anti-flood_settings#connect-flood). + Currently only IRCCloud qualifies. 
This is more reliable than the DNS-based + `except ban { mask *.irccloud.com; ... }` block that `example.conf` + has shipped since 2023, which can fail during outages or restarts + when DNS isn't fully resolving. The new maxperip and connthrottle limits + make this even more important. To disable, use: + `set { known-cloud-services no; }`. +* New [snomask](https://www.unrealircd.org/docs/Snomasks) `+x` for rejections + from [allow::maxperip](https://www.unrealircd.org/docs/Allow_block#maxperip) + and [ConnThrottle](https://www.unrealircd.org/docs/Connthrottle). + Included in the default oper snomask (unless overridden in + [set::snomask-on-oper](https://www.unrealircd.org/docs/Set_block#set::snomask-on-oper) + or [oper::snomask](https://www.unrealircd.org/docs/Oper_block#snomask)). +* New [set::log-throttle](https://www.unrealircd.org/docs/Set_block#set::log-throttle): + suppresses high-rate events. This is on by default for the new `+x` rejections. +* [ConnThrottle](https://www.unrealircd.org/docs/Connthrottle) now + also exempts users with an except ban of type `connect-flood` from + the new-users rate limit. ### Changes: +* The maxperip and connthrottle rejection messages were changed to give + more information about the IPv6 range limitation and now include the + text `[maxperip]` or `[connthrottle]` so you can see which limit is hit. * Update shipped libs: Sodium (1.0.22) +* The event names `CONNTHROTLE_*` were renamed to `CONNTHROTTLE_*` as the + former was a typo. ### Fixes: +* [set::connthrottle::disabled-when::reputation-gathering](https://www.unrealircd.org/docs/Connthrottle) + has been set to 1 week in example.conf since 2019, but if you did + not have that item it defaulted to 0 (no delay). Now 1 week. ### Developers and protocol:
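Review bot: The removal of allow::ipv6-clone-mask is a breaking configuration change, but it is only mentioned at the end of the first Enhancements bullet ("has been removed and will now raise an error"). Consider giving it its own item under Changes so that admins who still have that option in an allow block see it when scanning for upgrade actions. In the ConnThrottle bullet, set::connthrottle::ipv6-unknown-users-limit is described as limiting unknown IPv6 users per /56, /48 and /32, but the default limits are not stated and the setting name is not linked or put in backticks the way set::default-ipv6-clone-mask and set::log-throttle are. Adding the default values, or a link to where they are documented, would let readers judge whether the defaults fit their network. The same formatting point applies to set::known-cloud-services, set::connthrottle::except and the plain "maxperip" except ban type, which a later bullet writes as `connect-flood` in backticks. The intro sentence refers to "the first 3 points" of the Enhancements section, which will silently become wrong if a bullet is later inserted above them; naming the topics (maxperip/connect-flood /64 handling, ConnThrottle IPv6 limits, known-cloud-services) would be more robust.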