Uruk NEWS - user visible changes (and some other changes also.)
Refer to ChangeLog for detailed per-file info.
uruk version 20140627 - The Vlook Release
- script/uruk: in addition to the protocols tcp and udp, uruk now has preliminary,
experimental support for dccp and sctp. The Stream Control Transmission Protocol
(needs iptables >= 1.2.9) is defined in RFC 4960; the Datagram Congestion Control
Protocol is defined in RFC 4340. These protocols are implemented in the
sctp.ko and dccp.ko Linux kernel modules.
Beware! For TCP, we do inspect "tcp --tcp-flags SYN,ACK,FIN,RST [...]".
However, for DCCP or SCTP, we don't yet do anything specific with respect to
the state of the DCCP or SCTP connections! You'll have to take measures
yourself to deal sanely with open connections. Untested code.
- doc/rc, man/uruk-rc.azm: document new semantics of
sources_${iface}_${proto}_${service} vs sources6_${iface}_${proto}_${service}
- bootstrap: update to automake 1.14.
uruk version 20140319 - The Alfama Release
- init/uruk: no longer abort on failed commands. This fixes a bug: upgrading
a "not running" uruk from 20130426 to 20131213 on Debian systems
would fail with "invoke-rc.d: initscript uruk, action "force-reload" failed.
dpkg: error processing uruk (--install): subprocess installed
post-installation script returned error exit status 3". Indeed, calling
/etc/init.d/uruk force-reload on a "not running" uruk would give error exit
status 3, and would not give any output.
- init/autodetect-ips: make sure Debian inet6 stanzas default to netmask=64.
Patch contributed by Wessel Dankers.
- script/uruk: Simplify semantics of sources_${iface}_${proto}_${service} vs
sources6_${iface}_${proto}_${service}. sources6_* is no longer needed; just
list both IPv4 and IPv6 addresses in sources_*.
Before this change, uruk required separate sources_* and sources6_*
variables to configure access for v4/v6 sources. To be precise, the semantics
now is: 1) If both sources_* and sources6_* are defined (even if they're just
empty), each is used for its respective address family. (This ensures
backwards compatibility.) 2) If sources6_* is undefined, sources_* is used
for both v4 and v6. 3) In either case, v4 literals in v6 context and v6
literals in v4 context are silently (!) ignored.
The patch also fixes the detection of undefined variables, which was broken.
Patch contributed by Wessel Dankers.
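The three selection rules above (and the sources_* vs sources6_* semantics documented in the 20140627 entry) as a stand-alone model, added here as an example; this is not uruk's own code. The helper names, the constructed rc fragment and the simplified ACCEPT rule format are assumptions: uruk's real rules carry more matches (interface lists, conntrack state, logging).

```sh
#!/bin/sh
# Added example, not uruk's own code: model of the sources_* / sources6_*
# selection rules. Helper names and the simplified rule format are assumptions.

# Constructed sample rc fragment: sources6_* is deliberately left undefined
# for eth0_tcp_ssh (rule 2) and defined, but empty, for eth0_tcp_www (rule 1).
sources_eth0_tcp_ssh='10.0.0.0/8 2001:db8::/32 192.0.2.7'
sources_eth0_tcp_www='0.0.0.0/0 ::/0'
sources6_eth0_tcp_www=''

# is_v6 LITERAL: IPv6 literals contain a colon, IPv4 literals never do.
is_v6() { case "$1" in *:*) return 0 ;; *) return 1 ;; esac; }

# filter_family FAMILY LIST: keep only the literals of LIST that belong to
# FAMILY (4 or 6); literals of the other family are dropped silently (rule 3).
filter_family() {
    ff_fam=$1
    ff_out=''
    for ff_lit in $2; do
        if is_v6 "$ff_lit"; then ff_lit_fam=6; else ff_lit_fam=4; fi
        if [ "$ff_lit_fam" = "$ff_fam" ]; then
            ff_out="$ff_out $ff_lit"
        fi
    done
    printf '%s\n' "${ff_out# }"
}

# sources_for FAMILY NAME: resolve the source list the FAMILY rules for
# sources_NAME should use. NAME is the iface_proto_service suffix.
sources_for() {
    sf_fam=$1
    eval "sf_v4=\${sources_$2-}"
    eval "sf_v6set=\${sources6_$2+set}"   # "set" even when the value is empty
    eval "sf_v6=\${sources6_$2-}"
    if [ -n "$sf_v6set" ]; then
        # Rule 1: both variables defined: each serves its own address family.
        if [ "$sf_fam" = 6 ]; then sf_list=$sf_v6; else sf_list=$sf_v4; fi
    else
        # Rule 2: sources6_* undefined: sources_* serves both families.
        sf_list=$sf_v4
    fi
    filter_family "$sf_fam" "$sf_list"
}

# accept_rules NAME PORT: print one simplified ACCEPT rule per selected
# literal, iptables for IPv4 and ip6tables for IPv6 (printed, not executed).
accept_rules() {
    ar_iface=${1%%_*}                 # eth0_tcp_ssh -> eth0
    ar_rest=${1#*_}                   # tcp_ssh
    ar_proto=${ar_rest%%_*}           # tcp
    for ar_fam in 4 6; do
        if [ "$ar_fam" = 6 ]; then ar_cmd=ip6tables; else ar_cmd=iptables; fi
        for ar_src in $(sources_for "$ar_fam" "$1"); do
            echo "$ar_cmd -A INPUT -i $ar_iface -p $ar_proto --dport $2 -s $ar_src -j ACCEPT"
        done
    done
}

accept_rules eth0_tcp_ssh 22
accept_rules eth0_tcp_www 80
```

Note that with sources6_eth0_tcp_www defined but empty, no ip6tables rule at all is printed for www, while the v6 literal in sources_eth0_tcp_www is dropped without any warning.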
uruk version 20131213 - The Gweek Release
- init/uruk: actually _do_ perform a reload when called as "service uruk
force-reload".
- script/urukctl: fix warning about "enable_uruk_save_warning is no longer
supported".
uruk version 20130913 - The Clochán na bhFomhórach Release
- script/urukctl: use just initd_status to decide upon status; do not inspect
$status_active. This fixes a severe bug, which made the Dr Syntax's Head
release unusable: running "# urukctl start && service uruk force-reload"
would give "Nothing to do for reloading uruk: uruk is not running [ OK ]".
Thanks Casper Gielen for reporting this issue.
- doc/default, script/urukctl: default: explicitly add /sbin to PATH. urukctl:
check command line args earlier in execution. Now "urukctl --help",
"urukctl help" etc. behave better when called as non-root.
- script/urukctl: don't test running iptables when called with argument "save",
enable running "urukctl save active" as non-root, using uruk-save.
- bootstrap: upgrade from automake 1.11 to 1.13
uruk version 20130830 - The Dr Syntax's Head Release
- script/uruk: work around a possible bug in conntrack, found in this situation:
we are the client and initiate an outgoing tcp session. Return traffic is
allowed since it matches the connection state. Then an incoming RST packet
arrives; apparently the kernel doesn't recognize it as belonging to a tcp
session being shut down, and can't match the state. Uruk then blocks and
logs it. Now it explicitly allows such RST packets. This closes Debian
Bug#720306 (http://bugs.debian.org/720306).
uruk version 20130809 - The Corbeşti Release
- script/urukctl: Fix bug in urukctl, introduced 2013-05-29. (Previous uruk
versions 20130619 and 20130618 are unusable.) Be sure to assign variables
($libdir etc.) in time. No longer fails with "mkdir: cannot create directory
`': No such file or directory". Thanks Casper Gielen for the bug report.
- script/urukctl: no longer strictly requires root-access when called as
"urukctl create active".
- init/autodetect-ips, man/uruk-rc.azm: detect IPs currently assigned to
interfaces, which are not listed in config files /etc/network/interfaces or
/etc/sysconfig/network-scripts/ifcfg-*, by calling ip(8) if needed. Useful in
case e.g. udev is used to assign IPs to interfaces. This closes Debian
Bug#712869 (http://bugs.debian.org/712869).
- init/autodetect-ips: Apply patch contributed by Wessel Dankers: "accept
debian interfaces entries that include the netmask".
- man/{uruk,urukctl}.azm: Various improvements in uruk(8) and urukctl(8)
manpages.
- man/include.zmm.in, man/uruk*.azm: introduce zoem macro \gplheader, update
copyright of all manpages
- Special thanks to Wessel Dankers for recovering my git repo: it didn't really
like a sudden powerfailure. And thanks for lending me an Ubuntu EeePC to
replace mine which died after an encounter with my bicycle's wheel spokes.
- Thanks Jelena for teaching me how to spell četiri.
uruk version 20130619 - The Het De Siptenpad Release
- init/uruk: bugfix: change DAEMON from /usr/sbin/uruk to /sbin/uruk.
- man/urukctl.azm: various improvements.
uruk version 20130618 - The Sterreke Release
- A part of the uruk init script's functionality is now delivered by the new
script urukctl (with manpage urukctl(8)). Calling the init script with
arguments "save", "create", "load", "reload", "clear", "halt" and "flush" is
deprecated (but still supported for now; the init script calls urukctl).
Only the arguments "start", "stop", "restart", "force-reload" are still (and
will continue to be) fully supported in /etc/init.d/uruk.
When the uruk software is removed from a system, but one chooses to keep the
uruk configuration files, /etc/init.d/uruk could be kept (e.g. on a Debian
system when removing (not purging) the uruk package; /etc/init.d/uruk is
considered to be a configuration file on Debian). When one boots such a
system, the LSB standards require the init script to exit with error 5
("program is not installed"). Such an error causes the boot process to fail.
The revised uruk init script now exits successfully when the uruk program is
not installed, like any init script on Debian systems.
uruk version 20130426 - The Sy Release
- 10th anniversary release \o/
- Currently, setting enable_ipv6=false in /etc/{default,sysconfig}/uruk means:
uruk should never call ip6tables, i.e. uruk won't change or set any
ip6tables rule. In an upcoming uruk release (not this one), setting
enable_ipv6=false will mean: block all IPv6 traffic.
So, if you don't use any IPv6 networking functionality, you're advised
to now make sure you have set enable_ipv6=false.
If you have some IPv6 filtering rules but are managing them NOT using uruk,
and therefore have set enable_ipv6=false, you should start thinking about
migration now. You can either decide to start managing your IPv6 rules with
uruk, and set enable_ipv6=true, or stop using uruk.
In all other cases, things will just continue to work.
- The uruk-save script (managed by setting enable_uruk_save in
/etc/{default,sysconfig}/uruk) is now no longer considered experimental,
but fully supported. It is still disabled by default, though.
- README, man/uruk.azm, script/uruk: apply patch contributed by Thijs
Kinkhorst, 1 Mar 2013, in <1362140354-7012-1-git-send-email-thijs@uvt.nl>:
"Replace obsolete 'state' module usage with 'conntrack'.":
The iptables 'state' module has been obsoleted and produces warnings in
current Debian sid. The modern form to express this is with the 'conntrack'
module. Change uruk's iptables commands to make use of the newer syntax.
As according to the README uruk already depended on the conntrack module
being present, this introduces no higher minimum iptables version. The change
has been tested against Debian Lenny, Squeeze, Wheezy and Sid.
Thanks Thijs! This closes bug http://bugs.debian.org/702064 .
- script/uruk: apply patch contributed by Casper Gielen, fixing a typo in the
ip6_noroute_ranges value. Thanks Casper! This closes bug
http://bugs.debian.org/705202 .
uruk version 20130226 - The Vlist Release
- init/autodetect-ips: Apply patch contributed by Wessel Dankers,
2013-02-15: "typo in autodetect-ips breaks setups with eth0:0"
- man/uruk-rc.azm: cosmetic fixes.
uruk version 20121205 - The Zes Blokskes Release
- init/autodetect-ips, init/enable-ipv6: add missing #!/bin/sh.
- man/uruk-rc.azm: documented autodetect-ips in uruk-rc(5).
- man/uruk-save.azm: documented changes in 20121130 in uruk-save(8).
uruk version 20121130 - The Вршац Release
- experimental release.
- init/autodetect-ips, init/enable-ipv6: Added new helpers for uruk rc and for
uruk/default, contributed by Wessel Dankers.
- script/uruk, script/uruk-save: Apply patch contributed by Wessel Dankers in
<1354116979-10246-1-git-send-email-wsl@fruit.je>: "allow access to different
tables (nat, mangle, raw) in uruk-save".
uruk version 20121023 - The Grafwegen Release
- uruk/script/uruk: Fix IPv6 firewalling in case uruk is used on a host (not
transit) firewall by applying patch contributed by Thijs Kinkhorst: "Uruk
implemented RFC 4890 section 4.3: Recommendations for ICMPv6 Transit Traffic.
However uruk is used in some (many?) cases not as a transit firewall but as a
host firewall for destination entities. Therefore, also the recommendations
from section 4.4: Recommendations for ICMPv6 Local Configuration Traffic need
to be added."
uruk version 20121005 - The Onze-Lieve-Vrouw-Waver Release
- lsb/init-functions, lsb/lsb_killproc, lsb/lsb_log_message, lsb/lsb_pidofproc,
lsb/lsb_start_daemon: added. By default installed in
/usr/local/libexec/uruk/lsb/; RPM packages should install these in
/lib/uruk/lsb/. On a non-LSB-system, uruk tries to use
/etc/init.d/functions. This file is installed by the initscripts RPM package
(e.g. with version 9.03.31-2.el6.x86_64 for Red Hat Enterprise Linux).
Rationale for shipping /lib/uruk/lsb/: In order to supply a RHEL 6 system
with the LSB init interface, one has to install the redhat-lsb RPM package
(e.g. version 4.0-3.el6.x86_64). This package pulls in massive amounts of
dependencies. (70 MBs, we've been told, thanks Thijs Kinkhorst for reporting
this issue.) Using the initscripts RPM package and /lib/uruk/lsb/ keeps the
system small and lean.
- uruk/init/uruk: add missing $local_fs (for /var) to Required-Stop LSB header.
uruk version 20120914 - The Sankt Goar Release
- uruk/init/uruk: init script should now work without /usr being mounted. (It
still needs /var though.) It no longer sets PATH. (It used to set it to
include /usr{,/local}/{,s}bin.) This init script should work on systems
using our Debian package, as well as on systems using our RPM package. If
you run uruk on another system you likely have to make sure /usr/sbin and/or
/usr/local/sbin are in your PATH when executing the init script.
- uruk/init/uruk: stop uruk when switching to single-user mode (runlevel 1),
not just when rebooting the system (runlevel 6) or halting the system
(runlevel 0).
- The Linux kernel behaves in ways which make iptables incorrectly block final
FIN-ACK packets. A workaround has been implemented: uruk now explicitly allows
these packets, and no longer logs them. See http://bugs.debian.org/687621.
Thanks Wessel Dankers.
- uruk/man/uruk-rc.azm: document how to allow IPv6 tunneling by ACCEPTing
IP protocol 41.
uruk version 20120608 - The Hooidonk Release
- uruk/script/uruk: No longer block, but allow ICMPv6 type 137 Redirect Message
[RFC4861]. These are needed for Duplicate Address Detection in IPv6
autoconfiguration: RFC 4429 says: "the router should [...] provide the ON with
an ICMP Redirect, which may include a Target Link-Layer Address Option
(TLLAO)." Thanks Casper Gielen.
- uruk/init/uruk: Apply patch for uruk init script, in order to make sure uruk
starts early enough in boot sequence:
-# Required-Start: $network $remote_fs
-# Required-Stop: $network $remote_fs
+# Required-Start: mountkernfs $local_fs
+# Required-Stop:
-# Default-Stop: 0 1 6
+# Default-Stop: 0 6
+# X-Start-Before: networking
+# X-Stop-Before:
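Review bot: the Default-Stop change from "0 1 6" to "0 6" means entering single-user mode (runlevel 1) no longer stops uruk, which reverses the 20100820 entry further down that added runlevel 1 on lintian's advice; the 20120914 entry above re-adds stopping in runlevel 1, so either keep "0 1 6" here or state why runlevel 1 is excluded. Required-Stop: is also emptied although the stop action still needs /var, which is why the 20121005 entry above has to add $local_fs back.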
contributed by Wessel Dankers. Thanks!
uruk version 20120605 - The Pickensteeg Release
- configure.ac: no longer die if programs zoem, col and/or groff are not found.
uruk version 20120530
- uruk/script/uruk.in: icmpv6: DROP some. Based upon suggestions found in
rfc4890-icmpv6-firewall.sh. Among others, the following ICMPv6 packets are
now dropped by default (type name or number in parentheses): Redirect
messages (redirect); Multicast Listener queries, MLDv1 and MLDv2 (130);
Multicast Listener reports, MLDv1 (131); Multicast Listener Done messages,
MLDv1 (132); Multicast Listener reports, MLDv2 (143); Router renumbering
messages (138); and Node information queries (139) and replies (140).
- uruk/doc/rfc4890-icmpv6-firewall.sh, uruk/doc/rfc4890.license.msg: ship
example ICMP v6 script from RFC 4890, by Suresh Krishnan. It is available
under a BSD-style license.
- zoem no longer needed to build from this tarball: pretypeset documentation is
shipped.
- we no longer rely upon expansion of BIN_PATH SBIN_PATH DATA_PATH SYSCONF_PATH
LOCALSTATE_PATH using AC_DEFINE_DIR, as defined in GNU Autoconf Macro
Archive's ac_define_dir.m4. These are now hardcoded to /usr/bin, /usr/sbin,
/var, /etc and /usr/share. (Package autoconf-archive >= 20111221-1 (and
possible also older ones) no longer ships ac_define_dir. From changelog:
2011-09-16 "AX_DEFINE_DIR: Obsolete: it doesn't comply with the GCS." See
http://lists.gnu.org/archive/html/bug-autoconf/2011-09/msg00013.html for
discussion.)
uruk version 20110831
- uruk/man/Makefile.am: assume zoem knows where to find aephea; get rid of
hardcoded ZOEMSEARCHPATH=/usr/share/aephea. You need zoem >= 11-166 to build
this uruk.
uruk version 20110608
- The IPv6 Day release! (Today is ISOC's World IPv6 Day, see
http://www.worldipv6day.org/)
- Fix some more zoem >= 10-265-1 (cosmetic) issues.
- doc/default: examples now more useful: just uncomment the line to change
behaviour. Thanks Thijs Kinkhorst for sharing ideas.
uruk version 20110602
- bootstrap: now builds with automake 1.11 (no longer 1.9)
- uruk/man/Makefile.am, uruk/man/uruk-rc.azm, uruk/man/uruk-save.azm,
uruk/man/uruk.azm: converted manpages to zoem >= 10-265-1 + aephea >= 10.008-1
format.
- script/uruk.in: behave more gracefully on suspicious rc file: issue a warning
in case of undefined variable. Thanks Wessel Dankers for bringing this up &
supplying a first implementation.
uruk version 20110213
- init/uruk.in: Support for IPv6 packet filtering has been enabled by default.
It is no longer required to edit /etc/default/uruk to enable it: if you'd
like to use IPv6 packet filtering, you now can remove any setting of
enable_ipv6 in /etc/default/uruk. If you'd prefer NOT to use IPv6 packet
filtering, be sure your /etc/default/uruk has "enable_ipv6=false".
uruk version 20100831
- Fix example rc file: found out /sbin/ip6tables (as shipped with e.g. iptables
1.4.8-2) understands both full and abbreviated IPv6 names, while the shipped
/sbin/iptables understands full names only. Thanks ﻢﻫﺪﻳ ﺎﻟﺩڤﻱ.
uruk version 20100823
- README: added upgrade instructions for releases <= 20100717.
- script/uruk.in: Update to new iptables syntax: Get rid of warning "Using
intrapositioned negation (`--option ! this`) is deprecated in favor of
extrapositioned (`! --option this`)."
uruk version 20100821
- script/uruk.in: fix bug introduced in version 20100820: uruk: 391: Syntax
error: Unterminated quoted string.
uruk version 20100820
- Enable support for IPv6 packet filtering. See the README file for
upgrade instructions.
+ script/uruk.in: ip6tables is now enabled in the uruk script by default.
However, if you interact with uruk using the init script, you still have
to add "enable_ipv6=true" to /etc/default/uruk to fully enable it.
+ man/uruk*.azm, doc/rc: manpages and example rc file updated to reflect
IPv6-support is no longer considered experimental.
+ script/uruk.in: Drop unroutable IPv6 traffic. Use connection tracking
for IPv6. Patch supplied by Casper Gielen.
- init/uruk.in: Fix bugs in support for dependency based boot sequencing
+ We want to start early in boot sequence (on entering runlevel S). LSB
init.d header however had "Default-Start: 2 3 5". Fix this to S. Thanks
Petter Reinholdtsen for the patch in http://bugs.debian.org/581659.
+ Furthermore, change Default-Stop: "0 6" to "0 1 6": no need to special
case runlevel 1 (thanks Debian's lintian).
+ Finally, added "$remote_fs" to Required-Start: and Required-Stop: since
obviously we need /usr/sbin/uruk to be available (thanks again Debian's
lintian).
- Makefile.am, bootstrap: some tweaking of buildsystem.
uruk version 20100717
- The uruk code is no longer maintained using GNU Arch, but using the git
version control system.
- Use IPv6 connection tracking if supported by kernel. Patch contributed by
Casper Gielen in Message-ID: <4B8D3D30.50201@uvt.nl>.
uruk version 20080330
- Make behaviour more robust when uruk loglevel is set between 20 and 40 and
IPv6 is enabled. In case not all IPv6 addresses were explicitly specified,
uruk would give an error:
ip6tables v1.3.6: Unknown arg `--destination'
Try `ip6tables -h' or 'ip6tables --help' for more information.
(it would try to run
/sbin/ip6tables -A INPUT -j LOG --log-level debug --log-prefix
'ip6tables: ' -i eth0 --destination
in this situation.) These errors did NOT compromise the firewall
rules, btw. When addresses are missing, uruk no longer tries to log the
traffic.
uruk version 20080307
- Fix a bug showing up when uruk loglevel is set between 20 and 40 and IPv6 is
enabled: it caused errors like "ip6tables v1.3.6: host/network 10.1.2.3 not
found". These errors did NOT compromise the firewall rules, btw.
- Added support for multiple hook files (like rc_a) working at one entry point.
See uruk-rc(5) and uruk(8). Thanks Wessel Dankers for the suggestion and for
a first implementation.
uruk version 20071101
- Added another contribution from Fred Vos to contrib/: fw2dot.xsl: generating
a dot file (for graphviz) from an XML-ed uruk rc file.
- Various fixes in uruk init script. Among others: fix behaviour of "reload"
and "force-reload" in case uruk not running.
uruk version 20071030
- We ACCEPT traffic on lo earlier in the uruk ruleset: that's more efficient.
Traffic on lo will no longer be delayed by our ruleset.
Uruk <= 20051129 built its ruleset like:
1 rc is sourced as a shell script
2 $rc_a is sourced as a shell script
[...]
8 $rc_d is sourced
9 Traffic on lo is trusted
10 $rc_e is sourced
11 Don't answer broadcast and multicast packets
[...]
Uruk >= FIXME builds its ruleset as:
1 rc is sourced as a shell script
2 Traffic on lo is trusted
3 $rc_a is sourced as a shell script
[...]
9 $rc_d is sourced
10 Don't answer broadcast and multicast packets
[...]
see uruk(5)
If you've done tricks with lo in any of the rc_ hook scripts, you risk being
hit by incompatibilities. Study the uruk source to find out how to fix your
hook. If you're not using any hook scripts, you are safe: your uruk
configuration will still work fine. If you're using hook scripts, but don't
do anything specific with lo in your scripts, you are likely safe: your
configuration will likely still work.
If you were using rc_a to add rules to the absolute beginning of the ruleset,
you might have to move these to the rc-file: traffic on lo is now accepted
_before_ rc_a is sourced.
If you rely on traffic on lo to be logged, and your loglevel was "fascist",
you should craft some hack: this traffic will no longer be logged by default
with this loglevel.
rc_e is now obsolete. You should move your rc_e stuff to rc_d. (rc_e for now
will still work, though.)
- The uruk init script now is (should be) Linux Standard Base v 3.1.0 compliant.
Added extra supported argument "status". The script now _requires_ the file
/lib/lsb/init-functions to be present, and to define the shell functions
log_success_msg, log_failure_msg and log_warning_msg. LSB compliant systems
(recent releases of Debian GNU/Linux, Red Hat Enterprise Linux, Ubuntu Linux,
a.o.) supply this.
- Introduced new variables interfaces_unprotect and URUK_INTERFACES_UNPROTECT.
- Add XML stuff contributed by Fred Vos, including some preliminary documentation
(in Dutch). Could be used to transform an XML-file describing uruk rules to an
uruk rc file. Shipped in contrib/, installed in .../doc/uruk/contrib/.
- Uruk is now licensed under GPLv3 (or any later version).
- man/Makefile.am: no longer try to support non-ascii characters in .txt
manpages. col, as shipped with the bsdutils 1:2.13-2 Debian package, chokes
on output of groff, as shipped with the 1.18.1.1-12 Debian package. See also
Debian Bug#441659.
- TODO: added some more received wishlist bugs (thanks Wessel Dankers and Fred
Vos)
- Minor fixes in uruk(8) manpage.
- uruk-rc(5): documented improved way to unprotect an interface, thanks Wessel
Dankers.
- TODO, init/uruk.in: found and documented bug: /etc/init.d/uruk force-reload
breaks when nat or mangle table are used. Thanks Wessel Dankers for spotting
this.
uruk version 20051129
- On Red Hat, start the uruk init script _after_ network interfaces are
configured. (We have always been doing this in the Debian package.) This is
needed in order to support usage where the rc file queries the operating
system to learn about current IP addresses. With uruk 20051026 and 20051027,
such usage was not possible. See TODO for notes on pending issues related to
this.
- Build-depend upon zoem >= 05-328.
uruk version 20051027
- Fixed bug in uruk script. Reported to pop up when /bin/sh is bash and
$version is not set in /etc/uruk/rc.
uruk version 20051026
- More examples in uruk-rc(5) manpage. Thanks Roland van Hout for suggestion.
- Experimental ip6tables support added to uruk(8) and uruk-save(8). See comments
in the uruk script. New option "-6" for uruk-save(8).
- The uruk init script now sources both /etc/default/uruk and /etc/sysconfig/uruk
(if present, of course). An example file for /etc/{default,sysconfig}/uruk is
now shipped and gets installed in /usr/[local/]share/doc/uruk/examples/.
- Major overhaul of the uruk init script. This script now is more integrated in
the uruk framework.
+ The pre-uruk situation is now saved and restorable.
+ Optionally calls uruk-save (and displays a warning by default).
+ Calls uruk if applicable.
+ Improved options: start, stop, force-reload, reload. These now behave more
intuitively.
+ The saved active and inactive rules now no longer get out of sync with the
uruk rc file. (O.t.o.h.: one can no longer maintain part of the firewall
configuration outside the uruk rc file.)
+ New option: create
See README on what the implications are if you're upgrading. Thanks to Wessel
Dankers for his ideas about an improved uruk init script.
- uruk(8) now checks for the Uruk version the rc file was created for. This
will allow for more sane behaviour in case of future incompatible upgrades.
- Buildsystem: ./bootstrap now uses autoreconf(1).
uruk version 20050718
- This is a pre-release.
- Added support for loglevel, see uruk-rc(5). Some people were annoyed by uruk's
syslog spamming. If you're one of these, set loglevel=30 (or 10) in your
rc-file.
uruk version 20050414
- This is a pre-release.
- Uruk now is maintained using GNU Arch on http://arch.gna.org/uruk/ . See
README.
- ChangeLog entries from 2003 split off in ChangeLog.2003.
- Uruk(8) now honors environment variables URUK_IPTABLES (/sbin/iptables by
default) and URUK_CONFIG (/etc/uruk/rc by default).
- Now ships new script uruk-save(8); which saves /etc/uruk/rc in
iptables-{save,restore} format, without invoking iptables. You could
use it e.g. when loading a new rc file. See the updated uruk(8) manpage.
- The uruk init script now honors /etc/default/uruk. See comments in the code.
- The uruk init script acts more sanely when passed {stop,start} while no saved
rules files are present: it tries to generate these in such circumstances. It
will warn you it's doing so.
uruk version 20040625
- Fixed bug in multiple IP per network interface mode. Uruk was unusable in
such a setup.
- Some tweaking of build system.
uruk version 20040216
- Fixed severe bugs in uruk script: 20040213 was unusable.
- init script now supports chkconfig: Red Hat is now better supported.
uruk version 20040213
- Support for multiple IP addresses on one network interface added. New
variables ips_<nic> and bcasts_<nic> introduced. See uruk-rc(5). Don't
worry: your old rc file will still behave as it used to.
uruk version 20040210
- Allow more ICMP types by default. Tnx Wessel Dankers for suggestion.
- The Uruk init script is now more helpful when often-encountered errors occur.
- Added warning to uruk(8) manpage: uruk does no sanity checking.
uruk version 20031111
- We no longer create our own ``block'' chain: the built-in INPUT and OUTPUT
chains suffice for our purposes. This makes uruk's rule setup much more
simple. Thanks to Wessel Dankers.
- rc_1, ... , rc_10 are NO LONGER SUPPORTED. We use rc_a, rc_b, rc_c, ... now.
In the future, rc_aa, rc_aab, ... might get added. You'll HAVE TO rewrite
your rc_<n> style stuff MANUALLY. See the notes on UPGRADE in the README
file. (Your uruk/rc file will still work fine. No other changes in the
configuration file syntax are introduced in this release.)
- If you have saved your rules using iptables-save or the uruk init script,
you'll have to rebuild them. The old-style rules are not supported by this
uruk release.
uruk version 20031026
- Fixed bug which made "/etc/init.d/uruk stop" to fail.
- Documented more of uruk's features.
uruk version 20031008
- Init script more robust, especially on fresh installs. (We still suffer from
at least one bug though, see TODO.)
- Started documenting rc_<n> hooks.
- Various minor and cosmetic cleanups in documentation.
uruk version 20031004
- ad1810-firewall is now called uruk.
- big changes in build system and documentation system:
- manpages have been converted from Perl's pod format to zoem format. See
README for details.
- now build-depends on zoem: documentation depends on configure-time
settings.
- ad1810-firewall under some circumstances was not reboot-resistant: I'd
missed a change in the Debian iptables package behaviour. The Debian iptables
package >= 1.2.7-8 (7 Dec 2002) will not call /etc/init.d/iptables on boot by
default. We now ship our own init script to deal with this (thanks to
Laurence J. Lane).
ad1810-firewall version 20030829
- ad1810-firewall-rc manpage converted from pod to zoem
( http://micans.org/zoem ).
- rc_1, rc_2, ..., rc_10 feature supported by ad1810-firewall script: set e.g.
rc_1=/usr/local/etc/ad1810-firewall/rc_1 in your ad1810-firewall-rc(5). This
file should contain shell code. It is executed early in the ad1810-firewall
routine, allowing fine-grained tweaking of rules, for systems with special
demands. For now, see the ad1810-firewall shell code for more details. More
documentation will follow.
ad1810-firewall version 20030512
- Moving manpage format from pod to zoem.
- Fixed automatic version numbering in build system; no more wacky vyyyymmdd
versions. Thanks Raja R Harinath on the autoconf list.
- rc should no longer define e.g. sources_eth0_tcp_www, where www is a port, but
e.g. sources_eth0_tcp_public, where public is a symbolic name for a (set of)
services. Furthermore, the new variable ports_eth0_tcp_public should be
defined as e.g. "www".
ad1810-firewall version v20030427
- rc File location now depends on sysconfdir, as set during configure.
- Various documentation updates.
ad1810-firewall version v20030426
- First public alpha release. Untested!