pegasus/unrealircd
1
0
Fork 0
mirror of https://github.com/unrealircd/unrealircd.git synced 2026-06-25 21:26:38 +02:00
Code Activity
Files
ab50bf2afc008da48f6b94de21bf223cd23ca4d8
unrealircd/doc/RELEASE-NOTES.old
T
Bram Matthys e82dbdce1a Update doc/RELEASE-NOTES.old. Now contains 4.2.0 and 4.2.1 release notes, 
I forgot the 4.2.0 one earlier..
2019-01-18 13:20:28 +01:00

1184 lines
58 KiB
Plaintext
Raw Blame History

See doc/RELEASE-NOTES for the latest release notes.
This file (doc/RELEASE-NOTES.old) contains the release notes
of OLDER releases for historical purposes.
==[ CHANGES BETWEEN 4.2.1 AND 4.2.1.1 ]==
The 4.2.1.1 version includes a compile fix for Debian.
==[ CHANGES BETWEEN 4.2.0 AND 4.2.1 ]==
This version enhances support for authentication for clients that do not
support SASL. Also new is a module to combat mixed UTF8 character spam,
a rewrite of the operclass privileges and more secure password hashing.
If you missed the 4.2.0 release, then consider looking at the previous
release announcement as well, since it introduced a lot of new features:
https://forums.unrealircd.org/viewtopic.php?f=1&t=8843
NOTE: There will be no further 4.0.x releases. Current stable is 4.2.x.
https://www.unrealircd.org/docs/FAQ#Questions_about_the_new_4.2.x_series
Enhancements:
* Support for authentication prompt:
Since 4.2.0 you can require specific users to authenticate themselves with
their nickname and password via SASL. We now offer a new experimental
module called 'authprompt' which will help non-SASL users by showing a
notice and asking them to authenticate to their account using the command
/AUTH <user>:<pass>. See the new authentication article on the wiki for
an overview: https://www.unrealircd.org/docs/Authentication and also
https://www.unrealircd.org/docs/Set_block#set::authentication-prompt
* New optional module 'antimixedutf8' to combat mixed UTF8 character spam
(also called freenode spam) that has been plaguing networks.
See: https://www.unrealircd.org/docs/Set_block#set::antimixedutf8
* Support for Argon2 password hashing, which is more resilient against
brute force cracking.
* Indicate 's' in WHO reply flags if the user is secure (SSL/TLS).
Configuration changes:
* The require sasl { } block is now called require authentication { }
* The operclass privileges have been redone. Since there were 50+ changes
to the 100+ privileges it makes little sense to list the changes here.
If, like 99% of the users, you use default operclasses such as "globop"
and "admin-with-override" then you don't need to do anything.
However, if you have custom operclass { } blocks then the privileges
will have to be redone. For more information on the conversion process,
see https://www.unrealircd.org/docs/FAQ#New_operclass_permissions
For the new list of permissions, with much better naming and grouping:
https://www.unrealircd.org/docs/Operclass_permissions
* In the configuration file you can now use } instead of };
Both forms are accepted. There's no need to change if you don't like it.
* A /* comment in the configuration file is now terminated at the
first occurrence of */, instead of two /* /* requiring two */ */.
See https://www.unrealircd.org/docs/FAQ#Nesting_comments
Major issues fixed:
* The blacklist module did not act on IPv6 users listed in DNSBLs.
Minor issues fixed:
* By default a user shouldn't be allowed to change to a banned nick,
unless (s)he has +hoaq in the channel. This was broken since 4.0.0.
This feature can be disabled via set { check-target-nick-bans no; };
* Rehash error messages sent to opers regarding remote includes now no
longer include authentication information (replaced with ***:***).
Deprecated:
* The authentication types 'md5', 'sha1' and 'ripemd160' have been
deprecated because they can be cracked at high speeds. They still
work, but a warning will be shown on boot and on rehash.
Please use the new 'argon2' type instead. Type /MKPASSWD argon2 passwd
on IRC, or "./unrealircd mkpasswd argon2" on the command line.
Module coders:
* Priorities in command overrides were reversed (was added in 4.2.0).
Future versions:
* We intend to change the default plaintext oper policy from 'warn' to 'deny'
in the year 2019. This will deny /OPER when used from a non-SSL connection.
For security, IRC Operators should really use SSL/TLS!
==[ CHANGES BETWEEN 4.0.18 AND 4.2.0 ]==
There have been so many changes in this and the last few 4.0.x versions,
it justifies calling this new release "UnrealIRCd 4.2.0".
Marking the beginning of the 4.2 series, this release introduces features
such as "soft klines" and "soft actions". A significant number of optional
modules are now loaded as default, including timed channel bans and
textbans. Also, a lot more smaller changes are included in this release,
such as fixes for TLSv1.3 and experimental WHOX support.
See further down for a full list of changes.
NOTE: Version 4.2.0 is the direct successor to 4.0.18. There will be
no further 4.0.x releases (in particular there will be no 4.0.19).
https://www.unrealircd.org/docs/FAQ#Questions_about_the_new_4.2.x_series
Enhancements:
* New option to disable a module: blacklist-module "modulename";
This will cause any 'loadmodule' lines for that module to be ignored.
This is especially useful if you only want to disable a few modules
that are (normally) automatically loaded by conf/modules.default.conf.
https://www.unrealircd.org/docs/Blacklist-module_directive
* Next three new features have to do with SASL. More information on SASL
in general can be found at https://www.unrealircd.org/docs/SASL
* A new require sasl { } block which allows you to force users on the
specified hostmask to use SASL. Any unauthenticated users matching
the specified hostmask are are rejected.
See https://www.unrealircd.org/docs/Require_sasl_block
* New "soft kline" and "soft gline". These will not be applied to users
that are authenticated to services using SASL.
These are just GLINE/KLINE's but prefixed with a percent sign:
Example: /GLINE %*@10.* 0 Only SASL allowed from here
* New "soft" ban actions for spamfilter, blacklist, antirandom, etc.
Actions such as "soft-kline" and "soft-kill" will only be applied to
unauthenticated users. Users who are authenticated to services (SASL)
are exempt from the corresponding spamfilter/blacklist/antirandom/..
See https://www.unrealircd.org/docs/Actions for the full action list.
* WARNING: If your network also contains UnrealIRCd servers below v4.2.0
then it is not recommended to use global soft bans (such as soft gline
or any spamfilter with soft-xx actions). There won't be havoc, but the
bans won't be effective on parts of the network.
* The following extban modules are not new but are now enabled by default:
extbans/textban, extbans/timedban and extbans/msgbypass.
In case you don't like them, use blacklist-module as mentioned earlier.
Just as a reminder, they provide the following functionality:
* TextBan: +b ~T:block:*badword* to block sentences with 'badword'
* Timed bans: ~t:duration:mask
These are bans that are automatically removed by the server.
The duration is in minutes and the mask can be any ban mask.
Some examples:
* A 5 minute ban on a host:
+b ~t:5:*!*@host
* A 5 minute quiet ban on a host (unable to speak):
+b ~t:5:~q:*!*@host
* An invite exception for 24 hours (1440 minutes):
+I ~t:1440:*!*@host
* A temporary exempt ban for a services account:
+e ~t:1440:~a:Account
* Allows someone to speak through +m for the next 24hrs:
+e ~t:1440:~m:moderated:*!*@host
* And any other crazy ideas you can come up with...
* Ban exception ~m:type:mask to allow bypassing of message restrictions.
Valid types are: 'external' (bypass +n), moderated (bypass +m/+M),
'censor' (bypass +G), 'color' (bypass +S/+c) and 'notice' (bypass +T).
Some examples:
* Let LAN users bypass +m: +e ~m:moderated:*!*@192.168.*
* Let ops in #otherchan bypass +m: +e ~m:moderated:~c:@#otherchan
* Make GitHub commit bot bypass +n: +e ~m:external:*!*@ipmask
* Allow a services account to use color: +e ~m:color:~a:ColorBot
* Timedban support in +f [5t#b2]:10 (set 2 minute ban on text flood).
* AntiRandom: The module will now (by default) exempt WEBIRC gateways
from antirandom checking because they frequently cause false positives.
This new behavior can be disabled via:
set { antirandom { except-webirc no; }; };
* Server linking attempts and errors are now also put in the log file.
* A new module that provides WHOX support, an enhanced and more standard
version of WHO (NOTE: the command is still "WHO").
This allows, among other things, the client to request additional
information, such as which services account each channel member is using.
The module is currently experimental. To use it, add this to your conf:
loadmodule "m_whox";
Major issues fixed:
* Blacklist: Potential crash issue when concurrently checking DNSBL
for the WEBIRC gateway and the spoofed host.
* Blacklist: In case of multiple blacklists the 2nd/3rd/.. blacklists
were not always checked properly.
Minor issues fixed:
* Remote includes: ./Config didn't properly detect libcurl on Ubuntu 18
(and possibly other Linux distributions as well)
* Timeouts during server linking attempts were not displayed.
* Delayjoin: Halfops did not see JOIN's when channel mode +D was set.
* IRCOps with minimal privileges lost their user modes on MODE change.
* IRCOps could not override channel mode +z (when not using SSL/TLS)
* Channel names sometimes truncated if using accents or special chars.
* TLSv1.3 ciphersuite setting was changed to reflect OpenSSL's behavior.
There is now set::ssl::ciphersuites, specifically for TLSv1.3.
Note that the default is perfectly fine so at this point in time it
shouldn't need any adjustment (but the option is there...).
* Windows: conf\modules.optional.conf was missing.
Removed:
* allow::options::sasl has been removed. Use the new and more flexible
require sasl { } block instead.
Other changes:
* Windows users may be prompted to install the Visual C++ redistributable
package for Visual Studio 2017. This is because we now build on VS 2017
instead of VS 2012.
* We now use standard formatted messages for all K-Lines, G-Lines and
any other bans that will cause the user to be disconnected.
For technical details see the banned_client() function.
* The except throttle { } block now also overrides any limitations from
set::max-unknown-connection-per-ip. Useful for WEBIRC/cgiirc gateways.
* Localhost connections are considered secure, so these can be used even
if you have a plaintext-policy of 'deny' or 'warn'. (This was already
the case for servers, but now also for users and opers)
* Allow slashes in vhost/chghost/sethost/.. (but not through DNS)
Module coders:
* Windows: Be aware that we now build with Visual Studio 2017. This means
3rd party modules should be compiled with VS 2017 (or VS 2015) as well.
Future versions:
* We intend to change the default plaintext oper policy from 'warn' to 'deny'
later this year. This will deny /OPER when used from a non-SSL connection.
For security, IRC Operators should really use SSL/TLS!
==[ CHANGES BETWEEN 4.0.17 AND 4.0.18 ]==
Enhancements:
* Support for checking IPv6 addresses in DNS blacklists
* For SSL/TLS we now set the default ECDH(E) curves to be
X25519:secp521r1:secp384r1:prime256v1 if using a recent version of
OpenSSL/LibreSSL. This can be overridden via set::ssl::ecdh-curve.
* The blacklist module now checks WEBIRC users as well.
* You can now require SASL for all clients via the allow block via:
allow { ip *; class clients; maxperip 2; options { sasl; }; };
This can be useful for a special sasl-only server which, for example,
only permits proxies and tor clients. In a future release the feature
will be made more flexible so it can be used for other purposes
as well.
Major issues fixed:
* A number of (potential) security issues were fixed:
* Memory leaks: this could allow an attacker to slowly consume all
available memory and ultimately cause UnrealIRCd to crash.
* Out of bounds read: in practice this does not seem to be
exploitable due to the many restrictions that are imposed.
* Compile issues on macOS
* Bug in blacklist module which could have caused false negatives,
allowing bad guys in which should have been denied.
* The new optional feature 'set::cloak-method ip' caused identical cloaks
Minor issues fixed:
* When using '/REHASH -ssl' or './unrealircd reloadtls' it did not reload
the SSL certificate/key if you were using ssl-options in listen, sni or
link blocks. In short: it only reloaded the ones from set::ssl until now.
* m_ircops sent a conflicting numeric, confusing some clients.
* Starting UnrealIRCd through a non-interactive(!) ssh session could cause
the ssh session to hang.
* An upgrade issue with non-system cURL causing compile problems.
Other changes:
* The built-in time synchronization feature is now disabled by default.
TimeSynch was added back in 2006 when lots of operating systems did not
ship with time synchronization turned on by default. Since incorrect time
severely breaks IRC networks this was a major problem. Nowadays this is
completely different with most Linux distro's, OS X, Windows, etc. doing
time synchronization out of the box. Since UnrealIRCd's implementation is
less precise and lacks authentication it's best left over to the system.
You can still re-enable timesynch via:
set { timesynch { enabled yes; }; };
.. but you should really use NTP or similar for system-wide time
synchronization instead.
* For developers there's now the --with-werror compile option which will
add -Werror.
* Added a lot more Travis-CI tests: various LibreSSL/OpenSSL versions
and also test macOS. This to prevent us from releasing broken stuff.
* Various code cleanups to get rid of lots of needless casts and to
eliminate compiler warnings.
* Just as a reminder (this change was already in version 4.0.17):
UnrealIRCd will no longer give user mode +z to users on WEBIRC
gateways using SSL/TLS IRC, unless the WEBIRC gateway gives us
some assurance that the client<->webirc gateway connection is
also secure (eg: https).
This is the regular WEBIRC format:
WEBIRC password gateway hostname ip
This indicates a secure client connection (NEW):
WEBIRC password gateway hostname ip :secure
Naturally, WEBIRC gateways MUST NOT send the "secure" option if
the client is using http or some other insecure protocol.
Module coders:
* HOOKTYPE_CHANNEL_SYNCED prototype changed, the 'merge' and 'removetheirs'
is now no longer an 'unsigned short' but an 'int' instead.
* HOOKTYPE_MODE_DEOP prototype changed, the 'modechar' is now no longer
a 'char' but an 'int' instead.
* In addition to safestrdup() there's now also safestrldup() which allows
you to specify a maximum allocated length (so including the nul byte).
This is used in m_pass.c and m_topic.c.
* New hook HOOKTYPE_CAN_BYPASS_CHANNEL_MESSAGE_RESTRICTION
https://www.unrealircd.org/docs/Dev:Hook_API#HOOKTYPE_CAN_BYPASS_CHANNEL_MESSAGE_RESTRICTION
Future versions:
* We intend to change the default plaintext oper policy from 'warn' to 'deny'
later this year. This will deny /OPER when used from a non-SSL connection.
For security, IRC Operators should really use SSL/TLS!
==[ CHANGES BETWEEN 4.0.16.1 AND 4.0.17 ]==
Enhancements:
* Two optional modules. These are not loaded by default. To use them,
include modules.optional.conf, or add these loadmodule lines:
loadmodule "extbans/timedban";
loadmodule "extbans/msgbypass";
* Timed bans: ~t:duration:mask
These are bans that are automatically removed by the server.
The duration is in minutes and the mask can be any ban mask.
Some examples:
* A 5 minute ban on a host:
+b ~t:5:*!*@host
* A 5 minute quiet ban on a host (unable to speak):
+b ~t:5:~q:*!*@host
* An invite exception for 1440m/24hrs
+I ~t:1440:*!*@host
* A temporary exempt ban for a services account
+e ~t:1440:~a:Account
* Allows someone to speak through +m for the next 24hrs:
+e ~t:1440:~m:moderated:*!*@host
* And any other crazy ideas you can come up with...
* New ban exception ~m:type:mask which allows bypassing of message
restrictions. Valid types are: 'external' (bypass +n),
moderated (bypass +m/+M), 'censor' (bypass +G),
'color' (bypass +S/+c) and 'notice' (bypass +T).
Some examples:
* Let LAN users bypass +m: +e ~m:moderated:*!*@192.168.*
* Let ops in #otherchan bypass +m: +e ~m:moderated:~c:@#otherchan
* Make GitHub commit bot bypass +n: +e ~m:external:*!*@ipmask
* Allow a services account to use color: +e ~m:color:~a:ColorBot
* Timedban support in +f [5t#b2]:10 (set 2 minute ban on text flood).
This is only available if the previously mentioned extbans/timedban
module is loaded.
* Added experimental UTF8 support in set::allowed-nickchars
See https://www.unrealircd.org/docs/Nick_Character_Sets
Example: set { allowed-nickchars { latin-utf8; }; };
Important remarks:
* All your servers must be on UnrealIRCd 4.0.17 (or later)
* Most(?) services do not support this, so users using UTF8 nicknames
won't be able to register at NickServ.
* In set::allowed-nickchars you must either choose an utf8 language
or a non-utf8 character set. You cannot combine the two.
* You also cannot combine multiple scripts/alphabets, such as:
latin, greek, cyrillic and hebrew. You must choose one.
* If you are already using set::allowed-nickchars on your network
(eg: 'latin1') then be careful when migrating (to eg: 'latin-utf8'):
* Your clients may still assume non-UTF8
* If users registered nicks with accents or other special characters
at NickServ then they may not be able to access their account
after the migration to UTF8.
* There is no CASEMAPPING or "visually identical character"-checking.
Just like in the old (non-utf8) charsys this means there is no
lower/uppercase checking for allowed-nickchars nicks. So a nick with
"O with accent" can be online at the same time as "o with accent".
They are treated as two different users.
The identical character looking issue is particular noticeable in
cyrillic script where for example cyrillic "A" looks identical to
latin "A" and thus can be used to impersonate a user.
Improved CASEMAPPING and "visually similar character"-checking is
part of ongoing research at the IRCv3 working group.
* Ability to customize the reject connection messages:
set {
reject-message {
password-mismatch "Password mismatch";
too-many-connections "Too many connections from your IP";
server-full "This server is full.";
unauthorized "You are not authorized to connect to this server";
};
};
* Added optional AppArmor profile in extras/security/apparmor/unrealircd
See https://www.unrealircd.org/docs/Using_AppArmor_with_UnrealIRCd
Major issues fixed:
* Crash when using OperOverride (*NIX only)
* Crash if linking anope with the 'unreal' module from a non-localhost
SSL connection. This is rarely done but also acts as a reminder that
people should really use the 'unreal4' module in anope (2.0.3+).
Minor issues fixed:
* set::restrict-extendedbans was not effective for stacked bans
* linking if only using link::outgoing caused a 'server name mismatch'
Other:
* UnrealIRCd will no longer give user mode +z to users on WEBIRC
gateways using SSL/TLS IRC, unless the WEBIRC gateway gives us
some assurance that the client<->webirc gateway connection is
also secure (eg: https).
This is the regular WEBIRC format:
WEBIRC password gateway hostname ip
This indicates a secure client connection (NEW):
WEBIRC password gateway hostname ip :secure
Naturally, WEBIRC gateways MUST NOT send the "secure" option if
the client is using http or some other insecure protocol.
Module coders:
* New hook HOOKTYPE_CAN_BYPASS_CHANNEL_MESSAGE_RESTRICTION
https://www.unrealircd.org/docs/Dev:Hook_API#HOOKTYPE_CAN_BYPASS_CHANNEL_MESSAGE_RESTRICTION
==[ CHANGES BETWEEN 4.0.16 AND 4.0.16.1 ]==
An interim release with a couple of backported fixes:
* Fix hang in (outgoing) server linking
* Fix crash when linking anope over SSL from non-localhost
* '/SPAMFILTER del <id>' did not remove the spamfilter on other servers
* set::restrict-extendedbans was not always applied (when stacked)
* Update automated build scripts
==[ CHANGES BETWEEN 4.0.15 AND 4.0.16 ]==
This is a major release with lots of new features and changes.
Enhancements:
* There's now an easy method to remove spamfilters:
'/SPAMFILTER del' will show a list of spamfilters along
with the appropriate command to remove them (by id).
* CAP v3.2 support.
* CAP 'cap-notify': notify users of any CAP changes.
* CAP 'extended-join': show account and gecos in JOIN.
* CAP 'chghost': notify on user/host changes.
Note that if you use set::allow-userhost-change force-rejoin
then clients which support CAP 'chghost' will not see the
PART+JOIN+MODE sequence as it is unnecessary. They already receive
a "CHGHOST" message as part of CAP 'chghost' instead.
* Updated CAP 'sasl' to specification 3.2 (includes mechlist).
* Automatically discover SASL server if saslmechlist is sent by services
and set::sasl-server is not set by the administrator. This should
help to get more networks to support SASL automatically (if you
run up to date services, of course)
* We send "CAP DEL sasl" if set::sasl-server squits and a "CAP NEW"
message when the server returns (to cap-notify and CAPv3.2 clients).
* Added password::type 'spkifp'. It's similar to 'sslclientcertfp' but
is a hash based on the public TLS key rather than the certificate.
The benefit of this is that the 'spkifp' can stay the same even if
you get a new certificate from Let's Encrypt. Note that 'certbot'
does not re-use keys by default so you will still get a different
spkifp every 60-90 days. Consider using another (3rd party) client
or tell the certbot guys to finally implement --reuse-key at
https://github.com/certbot/certbot/issues/3788
* The command './unrealircd spkifp' will output the SPKI fingerprint
* New option set::handshake-delay will delay the handshake (when a
user is connecting) up to this amount of time.
* If you have any blacklist { } block then UnrealIRCd will set an
set::handshake-delay of 2 seconds by default. This will allow (most)
DNSBL checking to be finished before the user comes online, while
still allowing a smooth user experience.
If your DNS(BL) is slow then you could raise this setting slightly.
* You can now have multiple webirc { } blocks with the same mask.
This permits multiple blocks like..
webirc {
mask *;
password "....." { sslclientcertfp; };
};
..should you need it.
In other words: we don't stop matching upon an authentication failure.
* Move CONNECTTIMEOUT to set::handshake-timeout and document it at
https://www.unrealircd.org/docs/Set_block#set::handshake-timeout
* Move MAXUNKNOWNCONNECTIONSPERIP to set::max-unknown-connections-per-ip
https://www.unrealircd.org/docs/Set_block#set::max-unknown-connections-per-ip
* Add set { cloak-method ip; }; which will make cloaking only be done
on the IP and thus result in an XX.YY.ZZ.IP cloaked host.
This so you can have "IP cloaking" without disabling DNS lookups.
GLINES on hosts still work and IRCOps (and yourself) can still see
the host in /WHOIS.
* New option set { ban-include-username yes; }; which will make bans
placed by spamfilters (and some other systems) to be placed not on *@ip
but on user@ip. Note that this won't work for ZLINE/GZLINE since no
no ident/username lookups are done in such cases.
Major issues fixed:
* None
Minor issues fixed:
* Gracefully handle incorrect server-to-server messages. These no longer
cause UnrealIRCd to crash. Note that this does not mean you can now
go send random RAW messages from a trusted server connection. Doing so
can cause desynchs, KILLs and SQUITs. We just try not to crash anymore.
* A small memory leak upon 'DNS i' (IRCOp only command)
Removed:
* Various old config.h settings that didn't have any effect.
* A few config.h settings that should never be turned off have been
removed altogether (eg: NO_FLOOD_AWAY is now always on).
* The deprecated and unused commands "CAP CLEAR" and "CAP ACK".
Other changes:
* When linking servers and not having any certificate validation,
UnrealIRCd will give you specific instructions on how to use
password::spkifp or verify-certificate. This to fix a possible
Man-in-the-Middle attack. Note that you'll only see this message
when linking two servers that are 4.0.16+.
* When a user does a nick change from a registered nick you will
now see the user mode -r. Previously this happened invisibly.
* The default oper snomask now includes 'S' (spamfilter notices).
* The shipped PCRE2 library has been upgraded to 10.30
Module coders:
* API change for HOOKTYPE_PRE_INVITE:
(aClient *sptr, aClient *target, aChannel *chptr, int *override)
Modules must now send the error message instead of only returning
HOOK_DENY. Also check for operoverride and set *override=1.
* Please use the following procedure in case of an user/host change:
userhost_save_current(acptr);
/* now do what you need to do: like change username or hostname */
userhost_changed(acptr);
This function will take care of notifying other clients about
the userhost change, such as doing PART+JOIN+MODE if force-rejoin
is enabled, and sending :xx CHGHOST user host messages to
"CAP chghost" capable clients.
Services coders:
* If you provide SASL then please send the mechlist like this:
MD client your.services.server saslmechlist :EXTERNAL,PLAIN
* Don't forget to send an EOS (End Of Synch) as part of the handshake,
if you are not doing so already. It's important:
:your.services.server EOS
==[ CHANGES BETWEEN 4.0.14 AND 4.0.15 ]==
Major issues fixed:
* Fix remotely triggerable crash issue in handshake. This allows a user
to crash an UnrealIRCd server, even those with restrictions such as
password protected hubs.
* Fix another remotely triggerable crash issue. This one requires the
user to connect, join a channel and have channel operator privileges.
==[ CHANGES BETWEEN 4.0.13 AND 4.0.14 ]==
Enhancements:
* New set::plaintext-policy configuration settings. This defines what
happens to users/ircops/servers that are not using SSL/TLS.
The default settings are:
set {
plaintext-policy {
user allow; /* allow any user to connect */
oper warn; /* warn on /OPER if not using SSL/TLS */
server deny; /* deny servers without SSL/TLS, except localhost */
};
};
You can change each of the three classes to 'allow', 'warn' or 'deny'.
See: https://www.unrealircd.org/docs/Set_block#set::plaintext-policy
If your services do not run on localhost and link without SSL/TLS
then you may get an error during linking. In such a case check out:
https://www.unrealircd.org/docs/FAQ#ERROR:_Servers_need_to_use_SSL.2FTLS
* You can now ask UnrealIRCd to verify certificates of server links by:
link irc1.test.net {
[..]
verify-certificate yes;
};
This will verify the certificate of the link, making sure it is valid,
issued for the specified name (irc1.test.net) and given out by a
trusted Certificate Authority (like Let's Encrypt).
Obviously, if you use self-signed certificates then you can't use this.
* Introduce a concept called "link security level". This will rate the
security of your network from 0 to 2. Whenever security is degraded
due to a new server link UnrealIRCd will print a warning about it.
See https://www.unrealircd.org/docs/Link_security
This also adds a new command /LINKSECURITY (IRCop-only).
* The plaintext-policy and link-security is shown in "CAP LS".
Major issues fixed:
* None
Minor issues fixed:
* If you had a link block named irc1.example.net and did an outgoing
connect to that server, then the server could introduce himself under
a different name, such as irc1.other.net. Not a security issue, since
all authentication has to be passed, but this could cause confusing
autoconnect attempts.
* password::sslclientcert did not accept relative paths
* Compile problem with LibreSSL (regarding SSL_CTX_get0_param)
* set::modes-on-connect: was refusing certain (old) modes like +N
Other changes:
* The ssl options 'verify-certificate' and 'no-self-signed' have been
removed. Use link::verify-certificate instead. It makes no sense to
verify certificates or prevent self signed certificates elsewhere
such as in vhost or oper, since there is no hostname to match against.
* Weak cipher suites such as 3DES and RC4 are disabled by default but
previously you could still enable them through set::ssl::ciphers.
Now you can no longer, since there is no legitimate reason to do so.
* Update cipher suite to work with TLS 1.3. This ensures you can use
TLS 1.3 in UnrealIRCd 4.0.14+ when OpenSSL supports it (in the future).
* Bump MODDATA_MAX_CLIENT from 8 to 12: needed if you have a lot of
3rd party modules loaded. Also moved MODDATA_MAX_* to include/config.h
Module coders:
* You can now attach ModData to server objects as well (including &me).
* Please do not use UmodeDel, CmdoverrideDel and any other *Del()
functions from MOD_UNLOAD. These undocumented functions are unnecessary
since 2008 or so. UnrealIRCd takes care of unloading all module objects.
It can cause a crash if someone unloads the module in UnrealIRCd 4
(more specifically: double free if unloading modules which use ModData).
Attempts to use these functions in future UnrealIRCd versions may result
in a compile error.
==[ CHANGES BETWEEN 4.0.12 AND 4.0.13 ]==
Enhancements:
* Support for Strict Transport Security (draft/sts).
See: https://www.unrealircd.org/docs/SSL/TLS#Strict_Transport_Security
* Support for Server Name Indication (SNI):
See: https://www.unrealircd.org/docs/Sni_block
* Add conf/modules.optional.conf. This loads all additional modules
that are not in modules.default.conf (m_ircops, m_staff, nocodes,
textban, hideserver, antirandom and websocket)
Major issues fixed:
* 'simple' spamfilters ended up being 'posix' after server linking.
* User mode +Z (secureonly) not working properly across server links.
* REHASH from WebSocket connection would cause a crash (requires IRCOp
privileges)
Minor issues fixed:
* We now prevent /OPER for oper blocks with a non-existant operclass
* Bump MAXCONNECTIONS for Windows, allowing you to hold more clients.
* The 'ban too broad' checking was broken. This permitted glines such
as 192.168.0.0/1 being set. Now it rejects CIDR of /15 and lower.
To disable this safety measure you can (still) use:
set { options { allow-insane-bans; }; };
Other changes:
* The websocket module now no longer sends \r\n in the websocket
data and no longer requires it on incoming messages (but you
can still send it if you like). Also version bumped to 1.0.0.
* Mark all shipped modules as official (non-3rd-party)
* Verify certificate when submitting crash reports
* Support --without-privatelibdir for packagers
* CACERT has been removed from curl-ca-bundle
Module coders:
* CAP API changes:
* The cap->visible(void) callback is now cap->visible(aClient *)
* There is a new cap->parameter(aClient *) callback function,
see the cap/sts module for how it can be used.
* Various updates to subfunctions to pass 'sptr' (due to the above),
including clicap_find(sptr, ...)
* New CLICAP_FLAGS_ADVERTISE_ONLY flag (CAP cannot be REQ'd)
==[ CHANGES BETWEEN 4.0.11 AND 4.0.12 ]==
Enhancements:
* New user mode +Z: Only allow SSL/TLS users to private message you.
* Ability to hide all channels in /LIST that you cannot join due to
deny channel blocks: set { hide-list { deny-channel }; };
* The optional 'nocodes' module which you can load will make +S/+c
also block/strip bold, underline and italic text. (The latter is new)
* Add support for 'mask' in allow channel { } and deny channel { }
and add some support for negative 'mask'. Probably not very useful
on most networks with services since bans/AKICK do the same, but:
deny channel { channel "#help*"; };
allow channel { channel "#help-nolan"; mask !192.168.*; };
allow channel { channel "#help-lan"; mask 192.168.*; };
Major issues fixed:
* Crash issue if a module using ModData was unloading (not reloading)
* Vhosts were not always correctly synched across servers.
* The maximum number of clients that a server could accept was decreased
by one on every linking attempt if it was both: 1) an outgoing
SSL/TLS linking attempt; AND 2) the error was "Connection refused".
Minor issues fixed:
* Adjustments to channel mode +f were not always effective.
* If you have a vhost set and wish to remove it and change to a cloaked
host you can now safely use '/MODE yournick -t'. This feature was
rarely used so far and it previously had a bug which caused it to
still expose the real host/IP to others. This has been resolved.
* Channel mode +D (delayjoin): when people are de-oped we now part
'hidden' users to avoid a client desynch.
* Bump lag for remote MOTD requests to avoid flooding.
Other changes:
* More than 95% of the crashes reported to us are due to 3rd party
modules (and thus not bugs in our code). We now ask users to unload
any recently installed 3rd party modules first, see if the crash
issue persists, and only then submit a crash report to us.
* UnrealIRCd will now refuse to run as root
https://www.unrealircd.org/docs/Do_not_run_as_root
Module coders:
* Added two functions to search for user modes:
has_user_mode(acptr, 'i') // returns 1 / 0
find_user_mode('i') // returns the user mode (as 'long')
==[ UNREALIRCD 4 INTRODUCTION ]==
UnrealIRCd 4 is here!
We have been working hard over the past few years to replace the successful
3.2.x series with a more modern code base. At the same time we have been
incorporating requests from our bug tracker, ideas from ourselves and
many suggestions that came up during the UnrealIRCd survey from Q4 2013.
UnrealIRCd is far more modular and configurable than before. For a brief
overview of what's new in UnrealIRCd 4 have a look at:
https://www.unrealircd.org/docs/What's_new_in_UnrealIRCd_4
==[ DOCUMENTATION ]==
All documentation has been moved to our wiki:
* Documentation: https://www.unrealircd.org/docs/
* FAQ: https://www.unrealircd.org/docs/FAQ
Be sure not to use any other (older) documentation as it isn't fully
compatible with UnrealIRCd 4. In particular, do NOT use unreal32docs*html.
==[ UPGRADING FROM 3.2.x ]==
If you are upgrading from 3.2.x then there are three important things to know:
1) NEW FILE LOCATIONS
In UnrealIRCd 4 the location of the configuration files and other files have
been changed. On *NIX the directory where you compile the IRCd from
(previously 'Unreal3.2.X', now 'unrealircd-4.0.X') is no longer the same as
the directory where the IRCd will be running from.
By default the IRCd is installed to /home/yourusername/unrealircd on *NIX
On Windows UnrealIRCd will install to C:\Program Files (x86\UnrealIRCd 4
The new directory structure is as follows (both on Windows and *NIX):
conf/ contains all configuration files
logs/ for log files
modules/ all modules (.so files on *NIX, .dll files on Windows)
2) CONFIGURATION FILE CHANGES
There have also been changes in various configuration blocks and settings.
Don't worry, UnrealIRCd can convert your existing 3.2.x configuration files
to UnrealIRCd 4 format. There's no need to start from scratch.
Please read https://www.unrealircd.org/docs/Upgrading_from_3.2.x !!
3) THIRD PARTY MODULES
If you are using 3rd party modules then they will need an update to run on
UnrealIRCd 4. Due to the many core changes in UnrealIRCd 4 it was simply
impossible to make 3.2.x modules work out-of-the-box on 4.x.
Contact your developer for a new version or ask on our Modules forum where
someone may be kind enough to convert the module for you if you ask nicely:
https://forums.unrealircd.org/viewforum.php?f=52
==[ END OF THE 3.2.X SERIES ]==
UnrealIRCd 3.2.x is no longer supported after December 31, 2016.
See https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated
==[ SUPPORT ]==
Before you seek support, please check our documentation and FAQ:
* https://www.unrealircd.org/docs/Main_Page
* https://www.unrealircd.org/docs/FAQ
For support you have two choices:
* Forums: https://forums.unrealircd.org/
* IRC: irc.unrealircd.org / #unreal-support
==[ CHANGES BETWEEN 4.0.10 AND 4.0.11 ]==
Major issues fixed:
* Fix crash issue that can be triggered by regular users
* Fix crash if TOPIC_NICK_IS_NUHOST is enabled (rarely enabled)
* Fix crash if services send an incorrect raw command
Minor issues fixed:
* Now properly support 'z' when used in set::modes-on-join
Other changes:
* Show a warning if you don't have any SSL listeners
==[ CHANGES BETWEEN 4.0.9 AND 4.0.10 ]==
Improvements:
* Added "websocket" module. This provides support for WebSocket (RFC6455),
allowing JavaScript (internet browsers) to connect directly to IRC
without the need of a "gateway". This module is experimental and not
loaded by default. See https://www.unrealircd.org/docs/WebSocket_support
for more information on the module. For a very crude client example check
https://www.unrealircd.org/files/dev/ws/websocket_unrealircd.html
This module was sponsored by Aberrant Software Inc.
* UnrealIRCd already has the ability to configure SSL settings via the
set::ssl block. Now you can also override these settings for a link block
and listen block. One possible use for this would be having a long-lived
self-signed certificate for server linking on a serversonly port, and
a short-lived certificate for your users on the other ports (such as
a certificate from Let's Encrypt).
Another example would be to force TLSv1.2 for server linking but not
for users. Etc. Etc.
General settings (already existed) are in the set::ssl block:
https://www.unrealircd.org/docs/Set_block#set::ssl::certificate
Per-port settings go via listen::ssl-options:
https://www.unrealircd.org/docs/Listen_block
Per-link block settings go via link::outgoing::ssl-options:
https://www.unrealircd.org/docs/Link_block
* You can now exempt IP's from (DNSBL) blacklist checking via:
except blacklist { mask 1.2.3.4; };
* All free modules from vulnscan.org (by Syzop) are now included in
UnrealIRCd itself. Note that only the "privdeaf" and "jumpserver" modules
are loaded by default. The others you will need to load explicitly.
The new modules are:
* extbans/textban - Channel specific word filter (+b ~T:censor:*badword*)
https://www.unrealircd.org/docs/Extended_Bans
* usermodes/privdeaf - Do not permit PM's from others (User Mode +D)
* jumpserver - Redirect users to another server during maintenance
www.unrealircd.org/docs/User_%26_Oper_commands#JUMPSERVER
* antirandom - Detect drones with random nicks / ident / etc.
https://www.unrealircd.org/docs/Set_block#set::antirandom
* hideserver - Hide servers in /MAP and /LINKS
(Note that this does not truly enhance security)
* m_ircops - Show which ircops are online (/IRCOPS command)
* m_staff - Show custom file (/STAFF command)
* nocodes - Makes chanmode +S/+c also strip/block bold and underline
Major issues fixed:
* Incorrect bans being added during server linking
* Compile fixes for Ubuntu 16 LTS / gcc 5.4.x
* Crash if you had an invalid crypt password in your unrealircd.conf
* Crash if you did not load the chanmodes/nocolor module or changed
the order in which modules were loaded
Minor issues fixed:
* Delayjoin (channel mode +D) sending QUITs for hidden users, double JOIN, ..
* You no longer need to place 'class' blocks before 'allow' blocks
* Some error messages were not throttled
* WHO now supports multi-prefix
* Date in Windows log file for the first few messages was always 1970.
For services and module coders:
* Services coders: "SVSMODE Nick +d" will now mark a client as deaf.
Don't confuse this with "SVSMODE Nick +d <svid>". The parameter
makes all the difference.
* Module coders: changed return value handling of HOOKTYPE_RAWPACKET_IN
-1 indicates to stop parsing (return) and 0 indicates don't parse but
proceed to next packet. If you kill a client in this hook then be
sure to return -1.
==[ CHANGES BETWEEN 4.0.8.4 AND 4.0.9 ]==
* Fix "ghost" bug which could cause annoyed users and a memory leak
in UnrealIRCd. For more information see
https://forums.unrealircd.org/viewtopic.php?f=1&t=8625
==[ CHANGES BETWEEN 4.0.8 AND 4.0.8.4 ]==
* Fix build on FreeBSD with clang / without gcc
* If using remote includes and system curl not available then
install it during ./Config and no longer use /home/xyz/curl.
* More fixes for self-compiled remote includes
* Fix build if --with-system-cares is specified explicitly (which
is unnecessary anyway, as system c-ares this is auto-detected).
* More build fixes for older GCC compilers
==[ CHANGES BETWEEN 4.0.7 AND 4.0.8 ]==
Improvements:
* *NIX: As part of defense-in-depth UnrealIRCd now compiles with
several hardening options by default. This makes several type of
exploits more difficult and in some cases even impossible.
Tech: this enables full RELRO (GOT and PLT being read-only),
everything compiled as PIE making ASLR possible, stack protector
canaries are added, etc.
* Windows: releases are now signed. If you download the UnrealIRCd
installer you will no longer see "Unknown publisher" but rather
"Open Source Developer, Bram Matthys". Similarly all the EXE and
DLL module files have been signed which should make it easy for
anti virus software to see if something is an official UnrealIRCd
release file or not.
Major issues fixed:
* Possible crash if you have several blacklist blocks
Minor issues fixed:
* User mode +d (deaf) did not work
Other changes:
* We've always printed big warnings when running UnrealIRCd as root.
In this version we still do, but in future versions we will simply
refuse to boot. https://www.unrealircd.org/docs/Do_not_run_as_root
* System c-ares is preferred over our own shipped c-ares
* System cURL is preferred over ~/curl (if it has AsynchDNS)
* Our shipped libraries are no longer built as static
* Now that shipped libraries are dynamic they need to be installed
somewhere (if used). The default location is ~/unrealircd/lib and
can be changed via --with-privatelibdir. (Although, if you are a
package builder then you will probably use --with-system-xxx and
then private libraries are not used at all)
==[ CHANGES BETWEEN 4.0.6 AND 4.0.7 ]==
Improvements:
* UnrealIRCd now ships with a default ciphersuite list to have more
secure SSL/TLS defaults (rather than relying on your OS/Distro).
You can still customize ciphersuites through set::ssl::ciphers.
Details: https://www.unrealircd.org/docs/SSL_Ciphers_and_protocols
* set::ssl::protocols allows you to specify which SSL/TLS protocols
are permitted. The default is (still): TLSv1,TLSv1.1,TLSv1.2.
* Windows: remote includes now support IPv6
Major issues fixed:
* FreeBSD: unstable SSL links to other servers
Minor issues fixed:
* It was impossible to set both +b ~r:xyz and +b ~R:xyz
Removed the following rarely used build-time options:
* CHROOTDIR: Never worked in 4.0.x anyway. You can use AppArmor,
SELinux, FreeBSD jails, etc. as an alternative.
* IRC_USER/IRC_GROUP: Since this only applies to users installing
UnrealIRCd system-wide you should use your system services to do
this as well, such as: systemd's User=xx or start-stop-daemon.
Other changes:
* PCRE2 and c-ares libraries updated to latest versions
==[ CHANGES BETWEEN 4.0.5 AND 4.0.6 ]==
Major issues fixed:
* Fix SASL security issue with AUTHENTICATE
==[ CHANGES BETWEEN 4.0.4 AND 4.0.5 ]==
Major issues fixed:
* Crash issue (read-after-free)
* Bans on IPv6 cloaked hosts had no effect
* Prevent flood from unknown connection (with bugfix)
==[ CHANGES BETWEEN 4.0.4 AND 4.0.3(.1) ]==
New:
* Italian /HELPOP translation (help.it.conf)
* set::options::no-connect-ssl-info to hide SSL-related connect info
Major issues fixed:
* GLINE/KLINE on usermask@ did not have any effect
* Crash if you have a listen block with port 0
* Infinite loop on invalid operclass::parent reference
Minor issues fixed:
* files { } block only worked with absolute paths
* delayjoin: hidden users were not always joined on +vhoaq
* Fix small memory leak
* Duplicate replies on /VERSION
* When doing /VERSION on IRC as an IRCOp it showed the compile-time
rather than runtime OpenSSL/LibreSSL version
Other changes:
* Documentation updates
* Prevent installation in the same directory as the source
==[ CHANGES BETWEEN 4.0.3 AND 4.0.3.1 ]==
* Fix compile problem on FreeBSD & OpenBSD
Note: there is no 4.0.3.1 release for Windows since there were no
changes for the Windows version.
==[ CHANGES BETWEEN 4.0.2 AND 4.0.3 ]==
Major issues fixed:
* Crash on RPING command (IRCOp-only!)
* Crash on Windows on failed outgoing server connect
* Crash if you had a link { } block with invalid syntax
Minor issues fixed:
* Windows: Remote includes did not support https
Other:
* Windows version compiled with Visual Studio 2012 rather than a mix
* Windows version now using LibreSSL
* Crash reporter produces more useful reports (important for us)
==[ CHANGES BETWEEN 4.0.1 AND 4.0.2 ]==
The 4.0.2 release comes with the following new features:
* Ability to hide quit messages from *LINEd users (set::hide-ban-reason)
* Blacklist hits are now sent to new snomask +b rather than all ircops
Major issues fixed:
* None
Minor issues fixed:
* prefix-quit was not working
* FreeBSD: fix kevent bug flood in error log
* Incorrect server description in /LINKS
* Logging to syslog was broken
* OS X: Update ./Config to use Homebrew OpenSSL by default
* Don't show UID to client in case of a SVSMODE
==[ CHANGES BETWEEN 4.0.0 AND 4.0.1 ]==
The 4.0.1 release comes with the following minor improvements:
* The blacklist module now supports %ip (=banned IP) in blacklist::reason.
* *NIX: You can use cron again, see https://www.unrealircd.org/docs/Cron_job
* /MODULE now lists only 3rd party modules by default so you don't get flooded.
* *NIX: Added './unrealircd reloadtls' to reload TLS certificate and keys.
Major issue fixed:
* Crash if you removed a listen { } block with active clients on that port
* MODEs set by a server (not by a user) were not always propagated
correctly accross the network. In practice this only affected /SAMODE
and possibly some services that don't send MODEs from ChanServ/BotServ.
Minor issues fixed:
* When doing /LIST under mIRC it would hide empty +P channels.
* Servers wouldn't link if link::outgoing::hostname was a CNAME.
* SSL Certificate fingerprint not communicated properly to servers/services.
* *NIX: ./unrealircd [stop|rehash] failed if not installed to ~/unrealircd.
* Windows: IRCd could crash after showing the config error screen on startup.
==[ CHANGES BETWEEN 3.2.X AND 4.X ]==
Below is a summary of the changes between UnrealIRCd 3.2.x and UnrealIRCd 4.
For a complete list of all 1100+ changes you can use 'git log' or have a
look at: https://github.com/unrealircd/unrealircd/commits/unreal40
==[ NEW ]==
* We moved a lot of functionality, including most channel modes, user
modes and all extended bans into 138 separate modules.
This makes it...
A) possible to fully customize what exact functionality you want to load.
You could even strip down UnrealIRCd to get something close to the
basic RFC1459 features from the 1990s. (No idea why you would want
that, but it's possible)
B) easier for coders to see all source code related to a specific feature
C) possible to fix bugs and just reload rather than restart the IRCd.
Have a look at modules.default.conf which contains the "default" set of
modules that you can load if you just want to load all functionality.
If you want to customize the list of modules to load then simply make
a copy of that file, give it a different name, and include that one
instead. Since the file is fully documented, you can just comment out
or delete the loadmodule lines of things you don't want to load.
* Oper permissions have changed completely: [A4+]
* All previous oper levels/ranks no longer exist (Netadmin, Admin, ..)
* oper::flags has been removed. Instead you must specify an operclass
in oper::operclass (for example, 'operclass netadmin').
* In operclass block(s) you define the privileges. You can now control
exactly what an IRCOp can and cannot do.
Have a look at operclass.default.conf which ships with UnrealIRCd,
it contains a number of default operclass blocks suitable for the
most common situations. See also the operclass block documentation:
https://www.unrealircd.org/docs/Operclass_block
* If you ask UnrealIRCd to convert your 3.2.x configuration file then
it will try to select a suitable operclass for the oper. This will
not always 100% match your current oper block rights, though.
* Channel Mode +A (Admin Only) has been removed. You can use the new
extended ban ~O:<operclass>. This allows you to, for example, create
an operclass 'netadmin' only channel: /MODE #chan +iI ~O:netadmin*
* set::hosts has been removed, use oper::vhost instead.
* Since oper levels have been removed you no longer see things like
"OperX is a Network Administrator" in /WHOIS by default.
If you want that, then you can set oper::swhois to
"is a Network Administrator" (or any other text).
* Entirely rewritten I/O and event loop. This allows the IRCd to scale
more easily to tens of thousands of clients by using kernel-evented I/O
mechanisms such as epoll and kqueue.
* Memory pooling has been added to improve memory allocation efficiency
and performance.
* On-connect DNSBL/RBL checking via the new blacklist block. [B1]
* The Windows version now has IPv6 support too. [B3]
* On all OS's we compile with IPv6 support enabled. You can still
disable IPv6 at runtime by setting set::options::disable-ipv6. [B3]
* The local nickname length can be modified without recompiling the IRCd
* Channel Mode +d: This will hide joins/parts for users who don't say
anything in a channel. Whenever a user speaks for the first time they
will appear to join. Chanops will still see everyone joining normally
as if there was no +d set.
* If you connect with SSL/TLS with a client certificate then your SSL
Fingerprint (SHA256 hash) can be seen by yourself and others through
/WHOIS. The fingerprint is also shared with all servers on the network.
* ExtBan ~S:<certificate fingerprint> for ban exceptions / invex. This
can be used like +iI ~S:000000000etc.
* bcrypt has been added as a password hashing algorithm and is now the
preferred algorithm [A3]
* './unreal mkpasswd' will now prompt you for the password to hash [A3]
* Protection against SSL renegotiation attacks [A3]
* When you link two servers the current timestamp is exchanged. If the
time differs more than 60 seconds then servers won't link and it will
show a message that you should fix your clock(s). This requires
version alpha3 (or later) on both ends of the link [A3]
* Configuration file converter that will upgrade your 3.2.x conf to 4.x.
On *NIX run './unreal upgrade-conf'. On Windows simply try to boot and
after the config errors screen UnrealIRCd offers the conversion. [A3]
* The IRCd can now better handle unknown channel modes which expect a
parameter. This can be useful in a scenario where you are slowly
upgrading all your servers.
* If you want to unset a vhost but keep cloaked then use /MODE yournick -t
* A "crash reporter" was added. When UnrealIRCd is started it will check
if a previous UnrealIRCd instance crashed and (after booting a new
instance) it will spit out a report and ask if you want to submit it
to the UnrealIRCd developers. Doing so will help us a lot as many bugs
are often not reported. Note that UnrealIRCd will always ask before
sending any information and never do so automatically. [B3]
* SSL: Support for ECDHE has been added to provide "forward secrecy". [B4]
==[ CHANGED ]==
* Numerics have been removed. Instead we now use SIDs (Server ID's) and
UIDs (User ID's). SIDs work very similar to server numerics and UIDs
help us to fix a number of lag-related race conditions / bugs.
* The module commands.so / commands.dll has been removed. All commands
(those that are modular) are now in their own module.
* Self-signed certificates are now generated using 4096 bits, a SHA256
hash and validity of 10 years. [A2]
* Building with SSL (OpenSSL) is now mandatory [A2]
* The link { } block has been restructured, see
https://www.unrealircd.org/docs/Upgrading_from_3.2.x#Link_block [A3]
* Better yet, check out our secure server linking tutorial:
https://www.unrealircd.org/docs/Tutorial:_Linking_servers
* If you have no set::throttle block you now get a default of 3:60 [A3]
* password entries in the conf no longer require specifying an auth-type
like password "..." { md5; };. UnrealIRCd will now auto-detect. [A3]
* You will now see a warning when you link to a non-SSL server. [A3]
* Previously we used POSIX Regular expressions in spamfilters and at
some other places. We have now moved to PCRE Regular expressions.
They look very similar, but PCRE is a lot faster.
For backwards-compatibility we still compile with both regex engines. [A3]
* Spamfilter command syntax has been changed, it now has an extra option
to indicate the matching method:
/SPAMFILTER [add|del|remove|+|-] [method] [type] ....
Where 'method' can be one of:
* -regex: this is the new fast PCRE2 regex engine
* -simple: supports just strings and ? and * wildcards (super fast)
* -posix: the old regex engine for compatibility with 3.2.x. [A3]
* If you have both 3.2.x and 4.x servers on your network then the
4.x server will only send spamfilters of type 'posix' to the 3.2.x
servers because 3.2.x servers don't support the other two types.
So in a mixed network you probably want to keep using 'posix' for
a while until all your servers are running UnrealIRCd 4. [A3]
* set::oper-only-stats now defaults to "*"
* oper::from::userhost and vhost::from::userhost are now called
oper::mask and vhost::mask. The usermask@ part is now optional and
it supports two syntaxes. For one entry you can use: mask 1.2.3.*;
For multiple entries the syntax is: mask { 192.168.*; 10.*; };
* Because having both allow::ip and allow::hostname in the same allow
block was highly confusing (it was an OR-match) you must now choose
between either allow::ip OR allow::hostname. [A3]
* cgiirc block is renamed to webirc and the syntax has changed [A4]
* set::pingpong-warning is removed, warning always off now [A4]
* More helpful configuration file parse error messages [A4]
* You can use '/OPER username' without password if you use SSL
certificate (fingerprint) authentication. The same is true for
'/VHOST username'. [A4]
* You must now always use 'make install' on *NIX [A4]
* Changed (default) directory structure entirely, see the section
titled 'CONFIGURATION CHANGES' about 100 lines up. [A4]
* badword quit { } is removed, we use badword channel for it. [A4]
* badwords.*.conf is now just one badwords.conf
* To load all default modules you now include modules.default.conf.
This file was called modules.conf in earlier alpha's.
The file has been split up in sections and a lot of comments have
been added to aid the user in deciding whether to load or not to
load each module. [A4]
* Snomask +s is now (always) IRCOp-only. [A4]
* Previously there was little logic behind what modes halfops could
set. Now the idea is as follows: halfops should be able to help out
in case of a flood but not be able to change any 'policy decission
modes' such as +G, +S, +c, +s. Due to this change halfops can now
set modes +beiklmntIMKNCR (was: +beikmntI). [A4]
* If no link::hub or link::leaf is specified then assume hub "*". [B1]
* SWHOIS (Special whois title) has been extended in a number of ways:
* We now "track" who or what set an swhois. This allows us to
remove the swhois received via oper/vhost on de-oper/de-vhost.
* You can now have multiple swhois lines
* Multiple oper::swhois and vhost::swhois items are supported. [B1]
* When trying to link two servers without link::outgoing::options::ssl
(which is not recommended) we try to use STARTTLS in order to
'upgrade' the connection to use SSL/TLS anyway. This can be disabled
via link::outgoing::options::insecure. [B2]
* SSLv3 has now been disabled for security. This also means you can only
link UnrealIRCd 4 with 3.2.10.3 and later because earlier versions
used SSLv3 instead of TLS due to an OpenSSL API mistake. [B4]
==[ MODULE CODERS / DEVELOPERS ]==
* A lot of technical documentation for module coders has been added
at https://www.unrealircd.org/docs/ describing things like how to
write a module from scratch, the User & Channel Mode System, Commands,
Command Overrides, Hooks, attaching custom-data to users/channels,
and more. [A2+]
* For commands: do not read from parv[0] anymore, doing so will lead
to a crash. Use sptr->name instead. This change is necessary as
the "name" in parv[0] could possibly point to a UID/SID rather than
a nick name. Thus, if you would send parv[0] to a non-UID or non-SID
capable server this would lead to serious issues (not found errors).
* Added MOD_OPT_PERM_RELOADABLE which permits reloading (eg: upgrades)
but disallows unloading of a module [A3]
* There have been *a lot* of source code cleanups (ALL)
* We now use the information from PROTOCTL CHANMODES= for parameter
skipping if the channel mode is unknown. Also, when channel modes
are loaded or unloaded we re-broadcast PROTOCTL CHANMODES=. [B1]
* The server protocol docs have been removed. The protocol is now
documented at https://www.unrealircd.org/docs/Server_protocol
See also https://www.unrealircd.org/docs/Server_protocol:Changes
for a list of changes between the 3.2 and 4.0 server protocol.
* GCC typechecking has been added to make sure your HookAdd... calls
are adding hook functions with the correct parameter (types).
==[ REMOVED / DROPPED ]==
* Numeric server IDs, see above. [A1]
* PROTOCTL TOKEN and SJB64 are no longer implemented. [A1]
* Ziplinks have been removed. [A1]
* WebTV support. [A3]
* Channel Mode +j was removed and replaced by the configuration setting
set::anti-flood::join-flood (default: 3 per 90 seconds). [B1]
* /CHATOPS: use /GLOBOPS instead which does the same
/ADCHAT & /NACHAT: gone as we don't have such oper levels anymore
Your opers should actually be in an #opers channel. If you also want
special classes of oper channels like #admins then use +iI ~O:*admin*
* User modes:
* +N (Network Administrator): see 'Oper permissions' under NEW as for why
* +a (Services Administrator): same
* +A (Server Administrator: same
* +C (Co Administrator): same
* +O (Local IRC Operator): same
* +h (HelpOp): all this did was add a line "is available for help" in
WHOIS. You can use a vhost block with vhost::swhois as a replacement
or for opers just add an oper::swhois item.
* +g (failops): we already have snomasks and the +o usermode for this
* +v (receive infected DCC SEND rejection notices): moved to snomask +D
View Git Blame Copy Permalink