Uruk NEWS - user visible changes (and some other changes also.)
Refer to ChangeLog for detailed per-file info.
uruk version 20080330
- Make behaviour more robust when uruk loglevel is set between 20 and 40 and
IPv6 is enabled. In case not all IPv6 addresses were explicitly specified,
uruk would give an error:
ip6tables v1.3.6: Unknown arg `--destination'
Try `ip6tables -h' or 'ip6tables --help' for more information.
(it would try to run
/sbin/ip6tables -A INPUT -j LOG --log-level debug --log-prefix
'ip6tables: ' -i eth0 --destination
in this situation.) These errors did NOT compromise the firewall
rules, btw. When addresses are missing, uruk no longer tries to log the
traffic.
uruk version 20080307
- Fix a bug showing up when uruk loglevel is set between 20 and 40 and IPv6
is enabled: it caused errors like "ip6tables v1.3.6: host/network 10.1.2.3
not found". These errors did NOT compromise the firewall rules, btw.
- Added support for multiple hook files (like rc_a) working at one entry
point. See uruk-rc(5) and uruk(8). Thanks Wessel Dankers for the
suggestion and for a first implementation.
uruk version 20071101
- Added another contribution from Fred Vos to contrib/: fw2dot.xsl: generating
a dot file (for graphviz) from an XML-ed uruk rc file.
- Various fixes in uruk init script. Among others: fix behaviour of "reload"
and "force-reload" in case uruk is not running.
uruk version 20071030
- We ACCEPT traffic on lo earlier in the uruk ruleset: that's more efficient.
Traffic on lo will no longer be delayed by our ruleset.
Uruk <= 20051129 built its rules like:
1 rc is sourced as a shell script
2 $rc_a is sourced as a shell script
[...]
8 $rc_d is sourced
9 Traffic on lo is trusted
10 $rc_e is sourced
11 Don't answer broadcast and multicast packets
[...]
Uruk >= FIXME builds its rules as:
1 rc is sourced as a shell script
2 Traffic on lo is trusted
3 $rc_a is sourced as a shell script
[...]
9 $rc_d is sourced
10 Don't answer broadcast and multicast packets
[...]
see uruk(5)
If you've done tricks with lo in any of the rc_ hook scripts, you risk being
hit by incompatibilities. Study the uruk source to find out how to fix your
hook. If you're not using any hook scripts, you are safe: your uruk
configuration will still work fine. If you're using hook scripts, but don't
do anything specific with lo in your scripts, you are likely safe: your
configuration will likely still work.
If you were using rc_a to add rules to the absolute beginning of the ruleset,
you might have to move these to the rc-file: traffic on lo is now accepted
_before_ rc_a is sourced.
If you rely on traffic on lo to be logged, and your loglevel was "fascist",
you should craft some hack: this traffic will no longer be logged by default
with this loglevel.
rc_e is now obsolete. You should move your rc_e stuff to rc_d. (rc_e for
now will still work, though.)
- The uruk init script now is (should be) Linux Standard Base v 3.1.0
compliant. Added extra supported argument "status". The script now
_requires_ the file /lib/lsb/init-functions to be present, and to define the
shell functions log_success_msg, log_failure_msg and log_warning_msg. LSB
compliant systems (recent releases of Debian GNU/Linux, Red Hat Enterprise
Linux, Ubuntu Linux, a.o.) supply this.
- Introduced new variables interfaces_unprotect and URUK_INTERFACES_UNPROTECT.
- Add XML stuff contributed by Fred Vos, including some preliminary documentation
(in Dutch). Could be used to transform an XML-file describing uruk rules to
an uruk rc file. Shipped in contrib/, installed in .../doc/uruk/contrib/.
- Uruk is now licensed under GPLv3 (or any later version).
- man/Makefile.am: no longer try to support non-ascii characters in .txt
manpages. col, as shipped with the bsdutils 1:2.13-2 Debian package, chokes
on output of groff, as shipped with the 1.18.1.1-12 Debian package. See also
Debian Bug#441659.
- TODO: added some more received wishlist bugs (thanks Wessel Dankers and Fred
Vos)
- Minor fixes in uruk(8) manpage.
- uruk-rc(5): documented improved way to unprotect an interface, thanks Wessel
Dankers.
- TODO, init/uruk.in: found and documented bug: /etc/init.d/uruk force-reload
breaks when nat or mangle table are used. Thanks Wessel Dankers for spotting
this.
uruk version 20051129
- On Red Hat, start the uruk initscript _after_ network interfaces are
configured. (We have always been doing this in the Debian package.) This is
needed in order to support usage where the rc file queries the operating
system to learn about current IP addresses. With uruk 20051026 and 20051027,
such usage was not possible. See TODO for notes on pending issues related
to this.
- Build-depend upon zoem >= 05-328.
uruk version 20051027
- Fixed bug in uruk script. Reported to pop up when /bin/sh is bash
and $version is not set in /etc/uruk/rc.
uruk version 20051026
- More examples in uruk-rc(5) manpage. Thanks Roland van Hout for
suggestion.
- Experimental ip6tables support added to uruk(8) and uruk-save(8).
See comments in the uruk script. New option "-6" for uruk-save(8).
- The uruk init script now sources both /etc/default/uruk and
/etc/sysconfig/uruk (if present, of course). An example file for
/etc/{default,sysconfig}/uruk is now shipped and gets installed in
/usr/[local/]share/doc/uruk/examples/.
- Major overhaul of the uruk init script. This script now is more integrated
in the uruk framework.
+ The pre-uruk situation is now saved and restorable.
+ Optionally calls uruk-save (and displays a warning by default).
+ Calls uruk if applicable.
+ Improved options: start, stop, force-reload, reload. These now
behave more intuitively.
+ The saved active and inactive rules now no longer get out of sync with
the uruk rc file. (O.t.o.h.: one can no longer maintain part of the
firewall configuration outside the uruk rc file.)
+ New option: create
See README on what the implications are if you're upgrading. Thanks to
Wessel Dankers for his ideas about an improved uruk init script.
- uruk(8) now checks for the Uruk version the rc file was created for.
This will allow for more sane behaviour in case of future incompatible
upgrades.
- Buildsystem: ./bootstrap now uses autoreconf(1).
uruk version 20050718
- This is a pre-release.
- Added support for loglevel, see uruk-rc(5). Some people were annoyed
by uruk's syslog spamming. If you're one of these, set loglevel=30 (or
10) in your rc-file.
uruk version 20050414
- This is a pre-release.
- Uruk now is maintained using GNU Arch on http://arch.gna.org/uruk/ .
See README.
- ChangeLog entries from 2003 split off in ChangeLog.2003.
- Uruk(8) now honors environment variables URUK_IPTABLES (/sbin/iptables by
default) and URUK_CONFIG (/etc/uruk/rc by default).
- Now ships new script uruk-save(8), which saves /etc/uruk/rc in
iptables-{save,restore} format, without invoking iptables. You could
use it e.g. when loading a new rc file. See the updated uruk(8) manpage.
- The uruk init script now honors /etc/default/uruk. See comments in the
code.
- The uruk init script acts more sanely when passed {stop,start} while no
saved rules files are present: it tries to generate these in such
circumstances. It will warn you it's doing so.
uruk version 20040625
- Fixed bug in multiple IP per network interface mode. Uruk was
unusable in such a setup.
- Some tweaking of build system.
uruk version 20040216
- Fixed severe bugs in uruk script: 20040213 was unusable.
- init script now supports chkconfig: Red Hat is now better supported.
uruk version 20040213
- Support for multiple IP addresses on one network interface added. New
variables ips_<nic> and bcasts_<nic> introduced. See uruk-rc(5). Don't
worry: your old rc file will still behave as it used to.
uruk version 20040210
- Allow more ICMP types by default. Thanks Wessel Dankers for suggestion.
- The Uruk init script is now more helpful when often-encountered errors occur.
- Added warning to uruk(8) manpage: uruk does no sanity checking.
uruk version 20031111
- We no longer create our own ``block'' chain: the built-in INPUT and OUTPUT
chains suffice for our purposes. This makes uruk's rule setup much more
simple. Thanks to Wessel Dankers.
- rc_1, ... , rc_10 are NO LONGER SUPPORTED. We use rc_a, rc_b, rc_c, ... now.
In the future, rc_aa, rc_aab, ... might get added. You'll HAVE TO rewrite
your rc_<n> style stuff MANUALLY. See the notes on UPGRADE in the README
file. (Your uruk/rc file will still work fine. No other changes in the
configuration file syntax are introduced in this release.)
- If you have saved your rules using iptables-save or the uruk init script,
you'll have to rebuild them. The old-style rules are not supported by this
uruk release.
uruk version 20031026
- Fixed bug which made "/etc/init.d/uruk stop" to fail.
- Documented more of uruk's features.
uruk version 20031008
- Init script more robust, especially on fresh installs. (We still suffer
from at least one bug though, see TODO.)
- Started documenting rc_<n> hooks.
- Various minor and cosmetic cleanups in documentation.
uruk version 20031004
- ad1810-firewall is now called uruk.
- big changes in build system and documentation system:
- manpages have been converted from Perl's pod format to zoem format. See
README for details.
- now build-depends on zoem: documentation depends on configure-time
settings.
- ad1810-firewall under some circumstances was not reboot-resistant: I've
missed a change in the Debian iptables package behaviour.
The Debian iptables package >= 1.2.7-8 (7 Dec 2002) will not call
/etc/init.d/iptables on boot by default. We now ship our own
init script to deal with this (thanks to Laurence J. Lane).
ad1810-firewall version 20030829
- ad1810-firewall-rc manpage converted from pod to zoem
( http://micans.org/zoem ).
- rc_1, rc_2, ..., rc_10 feature supported by ad1810-firewall script: set
e.g. rc_1=/usr/local/etc/ad1810-firewall/rc_1 in your
ad1810-firewall-rc(5). This file should contain shell code. This is
executed early in the ad1810-firewall routine, allowing fine-grained tweaking
of rules, for systems with special demands. For now, see the
ad1810-firewall shell code for more details. More documentation will follow.
ad1810-firewall version 20030512
- Moving manpage format from pod to zoem.
- Fixed automatic version numbering in build system; no more wacky vyyyymmdd
versions. Thanks Raja R Harinath on the autoconf list.
- rc should no longer define e.g. sources_eth0_tcp_www, where www is a port,
but e.g. sources_eth0_tcp_public, where public is a symbolic name for a
(set of) services. Furthermore, the new variable ports_eth0_tcp_public
should be defined as e.g. "www".
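An added illustration (not uruk's own code) of the symbolic-service naming above: a constructed rc fragment in the sources_<nic>_<proto>_<name> / ports_<nic>_<proto>_<name> style, plus a hypothetical render_service function that expands one service set into iptables ACCEPT rules and, like the 20080330 logging fix, emits nothing when an address list is empty. The exact iptables rule form is an assumption for illustration; uruk's real rule layout is in uruk(8).

```shell
#!/bin/sh
# Constructed rc fragment in the style of uruk-rc(5): "public" is a symbolic
# name for a set of services; sources_* says who may reach them, ports_* which ports.
ports_eth0_tcp_public="www ssh"
sources_eth0_tcp_public="10.1.0.0/16 192.168.5.7"
ports_eth0_tcp_admin="ssh"
sources_eth0_tcp_admin=""      # no sources configured (yet): no rule must be emitted

# render_service NIC PROTO NAME: print one ACCEPT rule per (source, port) pair.
# Hypothetical helper, not uruk's renderer; the rule shape is an assumption.
render_service() {
    nic=$1; proto=$2; name=$3
    eval "ports=\$ports_${nic}_${proto}_${name}"
    eval "sources=\$sources_${nic}_${proto}_${name}"
    # Guard: an empty list means "no rule", never "rule with a missing argument",
    # which is what produced the ip6tables '--destination' errors before 20080330.
    [ -n "$sources" ] && [ -n "$ports" ] || return 0
    for src in $sources; do
        for port in $ports; do
            printf 'iptables -A INPUT -i %s -p %s -s %s --dport %s -j ACCEPT\n' \
                "$nic" "$proto" "$src" "$port"
        done
    done
}

# count_rules NIC PROTO NAME: number of rules the service set expands to.
count_rules() {
    render_service "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Stand-alone usage: show what the "public" set expands to.
render_service eth0 tcp public
```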
ad1810-firewall version v20030427
- rc File location now depends on sysconfdir, as set during configure.
- Various documentation updates.
ad1810-firewall version v20030426
- First public alpha release. Untested!
# this file maintained using arch at http://arch.gna.org/uruk/