mirror of
https://github.com/unrealircd/unrealircd.git
synced 2026-07-04 05:03:12 +02:00
122 lines
6.9 KiB
Plaintext
122 lines
6.9 KiB
Plaintext
UnrealIRCd 4.2.3 Release Notes
|
|
===============================
|
|
|
|
This UnrealIRCd release adds new modules to combat drones, it bumps the
|
|
default concurrent user limit, and UnrealIRCd can now easily deal with
|
|
1 million *LINE's placed on *@IP without any noticeable performance impact.
|
|
|
|
There is also one important change with regards to old style 'posix'
|
|
spamfilters (see under "Deprecated"), these will raise a warning but
|
|
will continue to work for now.
|
|
|
|
Enhancements:
|
|
* New optional modules 'reputation' and 'connthrottle' to fight drones:
|
|
* The 'reputation' module will learn what users (IP addresses) are
|
|
frequently seen on your server and classify these as "known IP's".
|
|
For every 5 minutes that someone is connected, the IP address receives
|
|
+1 point. IP's with registered users receive +2 points per 5 minutes.
|
|
An IRCOp can /WHOIS a user to view this "reputation score".
|
|
The "/REPUTATION nick" and "/REPUTATION ip" commands are also available.
|
|
Note that the reputation score is capped at a maximum of 10000 and
|
|
entries expire if the IP has not been seen online for 30 days (or
|
|
even sooner for very low reputation scores).
|
|
* The 'connthrottle' module puts users in one of these two groups:
|
|
* "known users" with IP addresses that have been online before on
|
|
your network for some time. By default: 2+ hours past 30 days.
|
|
* "new users" who have not been seen online before (or too short).
|
|
Users in the "known users" group can connect without any limitation.
|
|
Similarly, users who authenticate to services using SASL can also
|
|
always get in. However, "new users" can be limited, for example
|
|
at a maximum rate of 20 "new users" per minute.
|
|
The end result and goal is that in case of a drone attack, 99% of
|
|
your regular users can still connect as usual. This, while drones
|
|
and other unknown IP's are limited at, for example, 20 per minute.
|
|
By limiting the connection rate for drones and other unknown users
|
|
the damage is limited. It also gives IRCOps a chance to react and
|
|
take additional countermeasures, if possible.
|
|
* The modules are not loaded by default. If you want to use them,
|
|
then have a look at their example configuration in the file
|
|
conf/modules.optional.conf
|
|
* The reputation module needs to be running for some time before it
|
|
contains a meaningful database of "known users". Therefore the
|
|
connthrottle module will be disabled until the reputation module
|
|
has gathered sufficient data. This defaults to 1 week.
|
|
* Full documentation: https://www.unrealircd.org/docs/Connthrottle
|
|
* On *NIX we now default to 'auto' mode to discover MAXCONNECTIONS.
|
|
On systems that support it this means UnrealIRCd supports up to 8192
|
|
connections by default. It automatically falls back to a lower value
|
|
such as 2048 or 1024 if the user account has a lower limit or if the OS
|
|
does not support it. We recommend users to no longer set any specific
|
|
value in ./Config and just leave it at 'auto'. If you want to see the
|
|
effective limit, then look at this message when you start the server
|
|
on the console: "This server can handle XYZ concurrent sockets".
|
|
* UnrealIRCd now uses a technique that makes KLINE's, GLINE's and (G)ZLINE's
|
|
placed on individual IP's (*@IP) extremely fast. Just to illustrate:
|
|
* Previously it took 129 seconds to add 100k ZLINE's, now it takes 2.5 secs.
|
|
* Checking a connection against 100,000 ZLINE's is now 250 times faster.
|
|
* Previously 7,500 clients could connect per minute, now 33,560 per minute.
|
|
* Even with 1 million ZLINE's on *@IP it can handle 30,000 connections p/m.
|
|
* Rejecting Z-lined users is even faster at 435,000 connections per minute
|
|
with 100,000 active ZLINE's.
|
|
Benchmarked on a 2GHz Intel Xeon Skylake CPU with Linux 4.15.
|
|
To benefit from these speed improvements, just place a *LINE on *@IP.
|
|
* When the server has just been restarted, many users will reconnect and
|
|
rejoin channels. We now disable the join flood limit in channel mode +f
|
|
during the first 75 seconds since startup. This so the channel does not
|
|
become +i or +R due to "flooding". See:
|
|
https://www.unrealircd.org/docs/Set_block#set::modef-boot-delay
|
|
|
|
Deprecated:
|
|
* Spamfilter has 3 matching methods: 'simple', 'regex' and 'posix'.
|
|
The old method 'posix' is deprecated as this uses the TRE regex library
|
|
which contains bugs and has not been maintained for more than 10 years.
|
|
On *NIX the 'make install' script will try to upgrade the example
|
|
spamfilter.conf. This may not work if you have customizations in that
|
|
file or if it was originating from 3.2.x. Helpful warnings or error
|
|
messages are printed when you try to start UnrealIRCd, to guide the
|
|
user in this upgrade process. For details see:
|
|
https://www.unrealircd.org/docs/FAQ#spamfilter-posix-deprecated
|
|
https://www.unrealircd.org/docs/FAQ#old-spamfilter-conf
|
|
|
|
Major issues fixed:
|
|
* None
|
|
|
|
Minor issues fixed:
|
|
* Changing the set::anti-flood::invite-flood setting had no effect.
|
|
* Sometimes when a server (re)links to the network via 2+ connections it
|
|
could trigger a race condition where the server would be delinked again.
|
|
|
|
Module coders / Developers:
|
|
* We now compile with a lot more compiler warnings enabled by default.
|
|
Similarly, our Travis-CI compiles with --with-werror which enables the
|
|
-Werror compiler option, which you may want to use as well. This enables
|
|
the compiler to detect more possible bugs and sketchy code.
|
|
* Some modules still prepend DLLFUNC to functions. This is unnecessary.
|
|
* Similarly, if (!cep->ce_varname) is unnecessary, it never happens.
|
|
* The functions del_Command() and such have been removed. You never needed
|
|
to use this. Just use CommandAdd() and UnrealIRCd takes care of the rest.
|
|
* For command functions we encourage you to use CMD_FUNC(m_something),
|
|
this is not new. New is that we now also have something similar for
|
|
command overrides, namely: CMD_OVERRIDE_FUNC(override_something).
|
|
This way you don't have to type yourself the int parc, char *parv[] etc.
|
|
stuff and this way we can also easily change the passed parameters in
|
|
the future in an automatic way. Eg: provide more variables.
|
|
* If you use linked lists and you use AddListItem() or DelListItem() then
|
|
you should always have pointers to prev and next at the beginning of
|
|
your struct (and in that order!), otherwise you risk memory corruption.
|
|
Because this is an easy mistake to make we will now abort() we detect
|
|
such an error at runtime in AddListItem or DelListItem (on *NIX).
|
|
|
|
IRC protocol:
|
|
* Many things changed in previous release (4.2.2).
|
|
* No changes in this release.
|
|
|
|
Future versions:
|
|
* We intend to change the default plaintext oper policy from 'warn' to 'deny'
|
|
in the summer of 2019. This will deny /OPER when used from a non-SSL
|
|
connection. For security, IRC Operators should really use SSL/TLS!
|
|
|
|
==[ CHANGES IN OLDER RELEASES ]==
|
|
For changes in previous UnrealIRCd releases see doc/RELEASE-NOTES.old or
|
|
https://raw.githubusercontent.com/unrealircd/unrealircd/unreal42/doc/RELEASE-NOTES.old
|