DH parameters files must be encoded in PEM format, and the path is
set using the ssl::dh config setting. This is based on a patch
submitted by wolfwood, with some modifications to avoid using stdio
unnecessarily and to avoid code duplication.
If this is not set, then SASL is off and not advertised.
If the specified server is not connected, then SASL is off as well.
This prevents unnecessary delay (and the inability for some clients to
get online) when SASL is not in use or when the SASL server is down.
it to 'no', the default is 'yes' (on). Requested by Robin (#0003885) as
UHNAMES may increase the time of the nick list being loaded from 1 to 4
seconds when joining several channels with more than 1000 users. As this
problem is only present on some networks, we keep UHNAMES enabled by
default.
- Server protocol: added PROTOCTL EATH=servername, which allows us to
authenticate the server very early in the handshake process. That way,
certain commands and PROTOCTL tokens can 'trust' the server.
See doc/technical/protoctl.txt for details.
- Server protocol: between new Unreal servers we now do the handshake a
little bit different, so it waits with sending the SERVER command until
the first PROTOCTL is received. Needed for next.
- Server protocol: added PROTOCTL SERVERS=1,2,3,4,etc by which a server can
inform the other server which servers (server numeric, actually) it has
linked. See doc/technical/protoctl.txt and next for details.
- When our server was trying to link to some server, and at the same time
another server was also trying to link with us, this would lead to a
server collision: the server would link (twice) ok at first, but then a
second later or so both would quit with 'Server Exists' with quite some
mess as a result. This isn't unique to Unreal, btw.
This happened more often when you had a low connfreq in your link blocks
(aka: quick reconnects), or had multiple hubs on autoconnect (with same
connfreq), or when you (re)started all servers at the same time.
This should now be solved by a new server handshake design, which detects
this race condition and solves it by closing one of the two (or more)
connections to avoid the issue.
This also means that it should now be safe to have multiple hubs with low
connfreq's (eg: 10s) without risking that your network falls apart.
This new server handshake (protocol updates, etc) was actually quite some
work, especially for something that only happened sporadically. I felt it
was needed though, because (re)linking stability is extremely important.
This new feature/design/fix requires extensive testing.
This feature can be disabled by: set { new-linking-protocol 0; };
each time it executes, how LONG it takes to execute. When a certain
threshold
is reached the IRCd will warn or even remove the spamfilter. This will
prevent
a spamfilter (regex) from slowing down the IRCd too much, though it's
still not
a guarantee that it will never go to a halt (eg: in case it takes several
minutes to execute a regex or loops forever).
Warning can be configured via set::spamfilter::slowdetect-warn (default:
250 milliseconds) and automatic deletion of spamfilters if it takes too
long is set through set::spamfilter::slowdetect-fatal (default: 500 ms).
NOTE: slow spamfilter detection is currently not available on Windows.
NOTE 2: to disable slow detection you can set the warn and fatal settings
to 0 (zero). OR to really disable all code, remove SPAMFILTER_DETECTSLOW
from include/config.h and recompile.
- Fixed set::dns::bind-ip directive seen as duplicate, reported by aegis (#0003074).
- set::dns::* block is now no longer mandatory. All info has always been read from
/etc/resolv.conf (*NIX) or the registry (Win32), and the set::dns block is ignored
(except for set::dns::bind-ip, but that's a special case). Suggested by many including
djGrrr to make things slightly more logical (#0003019).
- As a consequence of the above, set::dns blocks were removed from doc/example*conf.
- Added two more characters to Catalan charset, reported by rmh (#0002995).
- Added set::pingpong-warning [yes|no] which decides whether to send the "** If you are
having problems connecting due to ping timeouts, please type /quote pong .." message
to each client when NOSPOOF is enabled (usually on Win32). The default is NO.
Previously this message was always sent if NOSPOOF was on, which often caused
confusion among users. The message was intended for non-confirming clients, but these
should be fixed by now, and those that were not fixed (self-made bots/etc) did often
not understand the message anyway. Anyway, you can still turn it on ;). (#2680).
synchronize the IRCd clock (TSOffset) with a few good time servers. It currently only does
this on-boot, but it will hopefully help a lot of people with most of their time differences.
I still keep recommending anyone who can to run proper time-synchronization software such as
ntpd/ntpdate on their servers.
To disable time synchronization (eg: because you are already running ntp), you can simply
set set::timesynch::enabled to no.
The boot timeout for the timeserver response (=causes boot delay) can be configured via
set::timesynch::timeout and is set to 3 seconds by default (range is 1s-5s), there should
be no reason to change this.
The time server can be configured by setting set::timesynch::server, the default is to
use 3 time servers on 3 continents (US, EU, AU) which should be sufficient for anyone but
if you got a good one near you you can use that one instead.
The time protocol we use is (S)NTP v4.
We now support the webirc ('webirc_password' in CGI:IRC) method, which is kinda superior
to the older method ('realhost_as_password').
See the Unreal documentation (section '4.36 - Cgiirc Block') for details on how to configure.
- Changed quoting color in unreal32docs.. looks better now IMO (only English docs updated).
"trusted" and the IRCd will show the users' _real_ host/ip everywhere on IRC, instead of the
_CGI:IRC-gateway_ host/ip.
To do so you must set 'realhost_as_password' to 1 in your cgiirc.conf. And add the
CGI:IRC gateway(s) you fully trust to set::cgiirc::hosts.
set::maxbans in the configfile, note that you probably also want to enlarge set::maxbanlength
as well (see docs) or else you will hit that limit first.
- Changed the default maxbanlength from 1K to 2K, which in practice will mean people can set
a lot more bans since in practice the 60 (maxbans) limit was never met because the
maxbanlimit was set so low.
it will just accept it if it's from a remote server, and also ops/etc will be allowed
to REMOVE any unknown extbans (but not add new unknown ones).
- Added extended ban type ~n (nickchange ban), if a user matches this (s)he can not
change nicks (eg: +b ~n:*!*@*.aol.com) unless (s)he has voice or higher.
This can be useful as an overall measure for some +m chans (+b ~n:!*@*) or against
specific 'good' people that are just nickflooding due to a wrongly configured script.
- Added set::restrict-extendedbans by which you can disallow normal users to use
any extendedbans ("*") or disallow only certain ones (eg: "qc").
- Made the negative TS message a bit more annoying if time is off more than 10 seconds.
- Module coders: if CmdoverrideAdd() is called for an override that is already in place, it
now sets MODERR_EXISTS as errorcode and returns NULL (previously it added duplicates).
In the past module coders had many issues with PERM mods... you had to use weird tricks,
but now you can (and should!) just override on INIT and on HOOKTYPE_REHASH_COMPLETE.
- Moved register_user declaration to h.h, updated call in m_pingpong.c (due new 'ip' field).
- Usermode +v ('receive dcc send rejection notices') is oper-only now for privacy reasons.
- Added dcc allow { }, which allows one to make exceptions over deny dcc { }.
- Added deny dcc::soft and allow dcc::soft item, if set to 'yes' it allows someone
to explicitly override it per-person via /DCCALLOW (see next).
- Added DCCALLOW system, taken directly from bahamut.
With this system you can block certain (or all) DCC SENDs and then allow the user to
'override' this limit for every user he/she trusts via '/DCCALLOW +User'.
This is an attempt to stop (or at least limit) the spreading of viruses/etc.
See '/DCCALLOW HELP' for more info.
- Added example dccallow.conf which filters everything except some known
'safe types' (jpg, jpeg, png, gif, etc). Note that the purpose of this file
is NOT to get a complete list, rather to limit it to a few 'known safe' entries.
- Added set::maxdccallow: max number of entries of the DCCALLOW list (default: 10).
- Added release notes (no, we won't release 3.2.1 anytime soon.. just updating ;p).
- Added various extra messages to make it a bit more easier for people who are
upgrading (win32 commands.dll, cloaking mod).
- Made win32 ssl<->non-ssl modules binary compatible.
- Added ssl/non-ssl check in Mod_Version on *NIX.
- Added set::options::flat-map: This makes all servers look like they are linked
directly to the server you are on (/map, /links), thus you cannot see which server
is linked to which ("hopcount"). This can make it a bit harder for kiddies to find
any 'weak spots' (which server to attack/[D]DoS). Obviously opers will always
see the real map.
normal joins to the virus-help-channel. This way you could prevent users into
accidental (or tricked) joining of the virus-help-channel and becomming infected.
This feature is disabled by default. Requested by bleepy (#0001811).
in a netjoin when there was no need to (nothing to synch).
- Added spamfilter::except which allows you to specify targets
(eg: channels) where spamfilter should not take action. Requested by Fury
(#0001586). Ex: set { spamfilter { except "#spamreport,#help"; }; };
- Fixed a few wrong macro's (ircstrdup/ircfree) in s_conf.c causing
very weird behavior... This also fixes a bug where set::spamfilter::ban-reason
would have the value of ban-time.
- Improved spamfilter again.
- The new syntax is:
/spamfilter [what] [type] [action] [tkltime] [reason] [regex]
[tkltime] specifies the duration of any *lines placed by this rule.
[reason] specifies the *line, kill and/or block reason.. no spaces
allowed, but '_' will be escaped to a space.
In both cases you can simply use '-' to skip and use the default.
Ex: /spamfilter add p block - - Come watch me on my webcam
/spamfilter add p gline 3h Please_go_to_www.viruscan.xx/
nicepage/virus=blah Come watch me on my webcam
- A message is now shown if the msg/notice/dcc is blocked.
- There are 2 new spamfilter action types:
'dccblock' will mark the user so (s)he's unable to send any files by DCC.
'viruschan' will part the user from all channels and join
set::spamfilter::virus-help-channel (default: #help).
this action might be improved to do more later.
- Internal: added EXTTKL PROTOCTL, this determinates if 10 parameters
instead of 8 are supported for m_tkl (used by spamfilter add).
This new system needs some testing... :)
If set to 'yes' or '1' it will strip all part comments,
if set to something else it will use that as a part comment.
- Partial cleanup of m_part (hopefully I didn't destroy anything).
- Minor stats compile warning fixed
- Added 'action' field to ban version { } which can be: kill: kills the user (default),
tempshun: shun the specific connection only, kline/zline/gline/gzline/shun: place
a ban on *@IP. Time of those bans can be specified in set::ban-version-tkl-time.
It's up to the admin to take a good decision, sometimes zlines are best (=won't use
much sockets but will reconnect quite quickly), sometimes tempshun (=will use 1 socket
but generates nearly no network traffic), sometimes klines/glines, etc..
- Added checks for /sethost&/chghost to same host.
- Added remove-chanmode-after-X-minutes in +f.
The format is +f [30j#R5]:15, where 5 is the "do -R after 5 minutes". For a default
action like +i you would have to do the same: +f [30j#i5]:15 (remove 'i' after 5 minutes).
Additionally, 2 config items are added:
- set::modef-default-unsettime, if this is set to for example '5' then things like
+f [30j]:15 will be transormed into +f [30j#i5]:15. It's just a default, the user can still
override it. By default this feature is not used.
- set::modef-max-unsettime, specifies the maximum amount of time for the <time> parameter,
by default this is set to 60 (=1 hour), the value should be between 0 and 255.
I didn't do the extended tests I usually do but it seems stable, also the docs are updated
but are probably updated again later to make it a bit more readable.
Feel free to report any bugs as soon as you discover them.
The only thing I could think of is: _usually_ only 1 server will have the -i/-R/.. timer
running, so if that server splits (or even worse dies) it will only be -i/-R/.. at that server
and when they sync back they merge chanmodes so +i/+R is set again.
I don't consider this a huge problem but maybe it can be inconveniently, if people have
a lot of trouble with this I'll have to consider a 50% recode of the +f system :/.
===
- Internal code cleanups: EOS var rename, got rid of old UnknownUser structs, moved
anti away flood to new flood struct.
- Changed away flood configuration to set::anti-flood::away-flood <count>:<period>.
- Added nickflood protection, can be set in set::anti-flood::away-flood <count>:<period>
to allow max 'count' nickchanges per 'period' seconds. The default is 3 per 60s.
As usual, the nickchange limiting does not apply to ircops.
William Pitcock