synchronize the IRCd clock (TSOffset) with a few good time servers. It currently only does
this on-boot, but it will hopefully help a lot of people with most of their time differences.
I still keep recommending anyone who can to run proper time-synchronization software such as
ntpd/ntpdate on their servers.
To disable time synchronization (eg: because you are already running ntp), you can simply
set set::timesynch::enabled to no.
The boot timeout for the timeserver response (=causes boot delay) can be configured via
set::timesynch::timeout and is set to 3 seconds by default (range is 1s-5s), there should
be no reason to change this.
The time server can be configured by setting set::timesynch::server, the default is to
use 3 time servers on 3 continents (US, EU, AU) which should be sufficient for anyone but
if you got a good one near you you can use that one instead.
The time protocol we use is (S)NTP v4.
We now support the webirc ('webirc_password' in CGI:IRC) method, which is kinda superior
to the older method ('realhost_as_password').
See the Unreal documentation (section '4.36 - Cgiirc Block') for details on how to configure.
- Changed quoting color in unreal32docs.. looks better now IMO (only English docs updated).
"trusted" and the IRCd will show the users' _real_ host/ip everywhere on IRC, instead of the
_CGI:IRC-gateway_ host/ip.
To do so you must set 'realhost_as_password' to 1 in your cgiirc.conf. And add the
CGI:IRC gateway(s) you fully trust to set::cgiirc::hosts.
set::maxbans in the configfile, note that you probably also want to enlarge set::maxbanlength
as well (see docs) or else you will hit that limit first.
- Changed the default maxbanlength from 1K to 2K, which in practice will mean people can set
a lot more bans since in practice the 60 (maxbans) limit was never met because the
maxbanlimit was set so low.
it will just accept it if it's from a remote server, and also ops/etc will be allowed
to REMOVE any unknown extbans (but not add new unknown ones).
- Added extended ban type ~n (nickchange ban), if a user matches this (s)he can not
change nicks (eg: +b ~n:*!*@*.aol.com) unless (s)he has voice or higher.
This can be useful as an overall measure for some +m chans (+b ~n:!*@*) or against
specific 'good' people that are just nickflooding due to a wrongly configured script.
- Added set::restrict-extendedbans by which you can disallow normal users to use
any extendedbans ("*") or disallow only certain ones (eg: "qc").
- Made the negative TS message a bit more annoying if time is off more than 10 seconds.
- Module coders: if CmdoverrideAdd() is called for an override that is already in place, it
now sets MODERR_EXISTS as errorcode and returns NULL (previously it added duplicates).
In the past module coders had many issues with PERM mods... you had to use weird tricks,
but now you can (and should!) just override on INIT and on HOOKTYPE_REHASH_COMPLETE.
- Moved register_user declaration to h.h, updated call in m_pingpong.c (due new 'ip' field).
- Usermode +v ('receive dcc send rejection notices') is oper-only now for privacy reasons.
- Added dcc allow { }, which allows one to make exceptions over deny dcc { }.
- Added deny dcc::soft and allow dcc::soft item, if set to 'yes' it allows someone
to explicitly override it per-person via /DCCALLOW (see next).
- Added DCCALLOW system, taken directly from bahamut.
With this system you can block certain (or all) DCC SENDs and then allow the user to
'override' this limit for every user he/she trusts via '/DCCALLOW +User'.
This is an attempt to stop (or at least limit) the spreading of viruses/etc.
See '/DCCALLOW HELP' for more info.
- Added example dccallow.conf which filters everything except some known
'safe types' (jpg, jpeg, png, gif, etc). Note that the purpose of this file
is NOT to get a complete list, rather to limit it to a few 'known safe' entries.
- Added set::maxdccallow: max number of entries of the DCCALLOW list (default: 10).
- Added release notes (no, we won't release 3.2.1 anytime soon.. just updating ;p).
- Added various extra messages to make it a bit more easier for people who are
upgrading (win32 commands.dll, cloaking mod).
- Made win32 ssl<->non-ssl modules binary compatible.
- Added ssl/non-ssl check in Mod_Version on *NIX.
- Added set::options::flat-map: This makes all servers look like they are linked
directly to the server you are on (/map, /links), thus you cannot see which server
is linked to which ("hopcount"). This can make it a bit harder for kiddies to find
any 'weak spots' (which server to attack/[D]DoS). Obviously opers will always
see the real map.
normal joins to the virus-help-channel. This way you could prevent users into
accidental (or tricked) joining of the virus-help-channel and becomming infected.
This feature is disabled by default. Requested by bleepy (#0001811).
in a netjoin when there was no need to (nothing to synch).
- Added spamfilter::except which allows you to specify targets
(eg: channels) where spamfilter should not take action. Requested by Fury
(#0001586). Ex: set { spamfilter { except "#spamreport,#help"; }; };
- Fixed a few wrong macro's (ircstrdup/ircfree) in s_conf.c causing
very weird behavior... This also fixes a bug where set::spamfilter::ban-reason
would have the value of ban-time.
- Improved spamfilter again.
- The new syntax is:
/spamfilter [what] [type] [action] [tkltime] [reason] [regex]
[tkltime] specifies the duration of any *lines placed by this rule.
[reason] specifies the *line, kill and/or block reason.. no spaces
allowed, but '_' will be escaped to a space.
In both cases you can simply use '-' to skip and use the default.
Ex: /spamfilter add p block - - Come watch me on my webcam
/spamfilter add p gline 3h Please_go_to_www.viruscan.xx/
nicepage/virus=blah Come watch me on my webcam
- A message is now shown if the msg/notice/dcc is blocked.
- There are 2 new spamfilter action types:
'dccblock' will mark the user so (s)he's unable to send any files by DCC.
'viruschan' will part the user from all channels and join
set::spamfilter::virus-help-channel (default: #help).
this action might be improved to do more later.
- Internal: added EXTTKL PROTOCTL, this determinates if 10 parameters
instead of 8 are supported for m_tkl (used by spamfilter add).
This new system needs some testing... :)
If set to 'yes' or '1' it will strip all part comments,
if set to something else it will use that as a part comment.
- Partial cleanup of m_part (hopefully I didn't destroy anything).
- Minor stats compile warning fixed
- Added 'action' field to ban version { } which can be: kill: kills the user (default),
tempshun: shun the specific connection only, kline/zline/gline/gzline/shun: place
a ban on *@IP. Time of those bans can be specified in set::ban-version-tkl-time.
It's up to the admin to take a good decision, sometimes zlines are best (=won't use
much sockets but will reconnect quite quickly), sometimes tempshun (=will use 1 socket
but generates nearly no network traffic), sometimes klines/glines, etc..
- Added checks for /sethost&/chghost to same host.
- Added remove-chanmode-after-X-minutes in +f.
The format is +f [30j#R5]:15, where 5 is the "do -R after 5 minutes". For a default
action like +i you would have to do the same: +f [30j#i5]:15 (remove 'i' after 5 minutes).
Additionally, 2 config items are added:
- set::modef-default-unsettime, if this is set to for example '5' then things like
+f [30j]:15 will be transormed into +f [30j#i5]:15. It's just a default, the user can still
override it. By default this feature is not used.
- set::modef-max-unsettime, specifies the maximum amount of time for the <time> parameter,
by default this is set to 60 (=1 hour), the value should be between 0 and 255.
I didn't do the extended tests I usually do but it seems stable, also the docs are updated
but are probably updated again later to make it a bit more readable.
Feel free to report any bugs as soon as you discover them.
The only thing I could think of is: _usually_ only 1 server will have the -i/-R/.. timer
running, so if that server splits (or even worse dies) it will only be -i/-R/.. at that server
and when they sync back they merge chanmodes so +i/+R is set again.
I don't consider this a huge problem but maybe it can be inconveniently, if people have
a lot of trouble with this I'll have to consider a 50% recode of the +f system :/.
===
- Internal code cleanups: EOS var rename, got rid of old UnknownUser structs, moved
anti away flood to new flood struct.
- Changed away flood configuration to set::anti-flood::away-flood <count>:<period>.
- Added nickflood protection, can be set in set::anti-flood::away-flood <count>:<period>
to allow max 'count' nickchanges per 'period' seconds. The default is 3 per 60s.
As usual, the nickchange limiting does not apply to ircops.
This is more usefull than the no nameserver + useip solution since with this no resolving
is done for incomming clients, but connecting to other servers (with hostnames) still works fine ;P.
+ fail-if-no-clientcert - If SSL client connects and doesn't provide a client certificate, abort connection immediately
+ verify-certificate - Check the certificate's validity using X509 methods, check if we trust CA's, etc.
+ It however does slip self signed certificates through UNLESS
+ no-self-signed - Don't allow self-signed certificates through (requires verify-certificate)
+- Made conf parser mention if we make a link->options with CONNECT_SSL if we don't support SSL (and remove the CONNECT_SSL flag)
+- Made conf parser mention if we make a SSL listener and we don't support SSL
+- Added set::ssl::trusted-ca-file, if enabled, it will point the SSL stuff to use that file as trusted CA's (for verify-certificate)
+- Made conf _not_ bitch that it doesn't know set::ssl
+- Removed some leftover client certificate stuff
this allows the admin to decide a standard custom quit for users. so they
won't be able to make their own quits. This affects set::prefix-quit and
ANTI_SPAM_QUIT_TIME - it simply replaces it with the message if enabled
Bram Matthys