File: NEWS

uruk 20190121-1
  • area: main
  • in suites: bullseye, buster, sid
  • size: 1,188 kB
  • sloc: sh: 1,852; makefile: 151; xml: 51
Uruk NEWS - user visible changes (and some other changes also.)

Refer to ChangeLog for detailed per-file info.

uruk version 20190121 - The van Keistoep naar Heisteeg Release

[ changes by Joost van Baal-Ilić ]
- init/autodetect-ips: ignore IPs which have "deprecated nodad".


uruk version 20181116 - The Lombardijen Release

[ changes by Joost van Baal-Ilić ]
- init/autodetect-ips: deal yet even more properly with IPv4 addresses: previous
  version 20181112 failed on some other RHEL 6.10 systems with bash 4.1.2.
- man/Makefile.am: MAINTAINERCLEANFILES: add $(man_MANS), remove undefined
  $(manazms).


uruk version 20181113 - The Alfama Release

[ changes by Joost van Baal-Ilić ]
- init/autodetect-ips: deal even more properly with IPv4 addresses: previous
  version 20181112 failed on some RHEL 6.10 systems with bash 4.1.2.


uruk version 20181112 - The Plantagedok Release

[ changes by Joost van Baal-Ilić ]
- init/autodetect-ips: properly deal with IPs assigned to virtual interfaces
  like eth0:1.


uruk version 20181109 - The Catharijnepoort Release

[ changes by Joost van Baal-Ilić ]
- init/autodetect-ips: In case runtime configuration of IPs to network
  interfaces is available and differs from what's specified in
  /etc/network/interfaces or /etc/sysconfig/network-scripts/ifcfg-*, use the
  runtime information.  Therefore, you might now observe different uruk
  behaviour if you use e.g. udev to assign IPs to your network interfaces.
  Thanks Lars Biemans and Wessel Dankers for joining the discussion on how to
  deal with this issue.


uruk version 20181107 - The Daničareva Release

[ changes by Joost van Baal-Ilić ]
- init/autodetect-ips: drop support for ancient bash 3.2.  (So we drop support
  for Red Hat EL 5 and older.  Red Hat EL 6.10 ships bash 4.1.  Debian "jessie"
  ships bash 4.3.)  Fix bug: when some needed IPs are not defined in
  /etc/sysconfig/network-scripts/ifcfg-* (Red Hat) or /etc/network/interfaces
  (Debian), and autodetect-ips needs to parse output from ip(8), it is reported
  to use scope link IPv6 addresses where it should have used scope global IPv6
  addresses.


uruk version 20181006 - The Tidal Basin, Washington, D.C. Release

[ changes by Joost van Baal-Ilić ]
- bootstrap: deal with Wessel's e-mail address as with mine.
- regenerate tarball to workaround bug in typesetting bootstrap code which
  caused uruk-rc.html and uruk.8 to be empty.


uruk version 20181005 - The Dampad Release

[ changes by Wessel Dankers ]
- init/uruk.service: Remove "DefaultDependencies=no" from [Unit].  This
  should fix uruk problems during system boot like:

    urukctl[307]: Saving IPv4 uruk rules as active ruleset.
    urukctl[307]: Loading iptables ruleset: load "active".
    urukctl[307]: Saving IPv6 uruk rules as active
      rulesetcat: /tmp/tmp.LbYuEr3kNg/raw: No such file or directory
    urukctl[307]: .
    urukctl[307]: Loading ip6tables ruleset: load "active"ip6tables-restore:
      line 134 failed
    systemd[1]: uruk.service: Main process exited, code=exited,
      status=1/FAILURE
    systemd[1]: uruk.service: Unit entered failed state.
    systemd[1]: uruk.service: Failed with result 'exit-code'.

  . "it fails on all systems, but only like 5% of the time": this bug
  was hard to reproduce.


uruk version 20180528 - The Verliefd Laantje Release

[ changes by Joost van Baal-Ilić ]
- init/uruk.service: Add Install section to uruk's unit configuration file for
  systemd, in order to act sane upon "systemctl disable uruk" and "systemctl
  enable uruk".  Thanks Wessel Dankers.


uruk version 20160219 - The Speurgt Release

[ changes by Wessel Dankers ]
- script/uruk.in: Fix bug which was introduced in version 20151118: when
  uruk-save is enabled, loading saved active ruleset fails with
  Loading iptables ruleset: load "active"Bad argument `REASON=invalid'
  .


uruk version 20160218 - The Snijders-Chaam Release

[ changes by Joost van Baal-Ilić ]
- Set enable_uruk_save to true in example configuration file doc/default.  If
  this variable is unset or false, uruk-save(8) is by default (still) not used.
  No longer warn when obsolete (since 2013-04) variable enable_uruk_save_warning
  is found in /etc/default/uruk (or /etc/sysconfig/uruk):
  + doc/default: set enable_uruk_save to true.
  + script/urukctl: no longer assign obsolete variable enable_uruk_save_warning,
    get rid of warn_uruk_save() function.
- bootstrap: upgrade from automake 1.14 to 1.15.


uruk version 20151118 - The Āne-wātak Release

[ changes by Joost van Baal-Ilić ]
- script/uruk.in: uruk is now more verbose when logging the blocking packets
  with an INVALID connection tracking state.


uruk version 20150921 - The Prishtinë Release

[ changes by Wessel Dankers ]
- script/uruk.in: Add missing conntrack statements:
  For some reason uruk created conntrack entries for outgoing IPv4 traffic but
  not for IPv6. Fixed by adding entries for IPv6 as well.  And even though
  conntrack entries were created in the output chain, these were not used. Fixed
  by adding "--ctstate ESTABLISHED,RELATED" rules, just like in the INPUT chain.
- script/uruk.in: Always treat IPv6 as a multiple-IPs-per-interface case:
  Even if you do not explicitly configure multiple IPv6 addresses, you still
  have to deal with the fact that an interface has at least a link-local and a
  global address.  That means you can't simply drop traffic that isn't directed
  at the primary global address because that will interfere with things like
  router advertisements.  Likewise, in the output chain you have to provide for
  the fact that sometimes the source address on outgoing traffic will not be the
  primary global address.  This change removes the code path that would block
  all traffic not directed at the primary global address as well as outgoing
  traffic with something other than that primary global address.  It will just
  always apply the simple bogon network range filtering that it used for the
  explicit multiple address case.

[ changes by Joost van Baal-Ilić ]
- init/{uruk.service,Makefile.am}: ship and install new file
  /lib/systemd/system/uruk.service, for systems using the systemd system and
  service manager by Lennart Poettering, Kay Sievers e.a.  NB: this is untested
  experimental code.  It is interesting for developers only.  Do not use.


uruk version 20150916 - The ᎠᏍᎦᏯ ᎩᎦᎨᏱ Release

[ changes by Joost van Baal-Ilić ]
- script/urukctl: Behave sane after reboot.  Under some circumstances, after
  a reboot, one would end up with files like

   -rw-r--r--   1 root     root  17658 Sep 11 13:00 iptables/active
   -rw-r--r--   1 root     root      0 Sep 11 13:00 iptables/inactive
   -rw-r--r--   1 root     root      0 Sep 11 13:00 iptables/autosave
   -rw-r--r--   1 root     root   4060 Sep 11 13:00 ip6tables/active
   -rw-r--r--   1 root     root      0 Sep 11 13:00 ip6tables/inactive
   -rw-r--r--   1 root     root      0 Sep 11 13:00 ip6tables/autosave

  in /var/lib/uruk .  Running "sudo service uruk status" would yield

   Checking uruk (iptables): active uruk rules loaded
   Checking uruk (ip6tables): active uruk rules loaded
   [ ok ] Checking uruk (): uruk not running.

  . However, uruk _is_ running.  We now no longer ignore zero-sized files in
  /var/lib/uruk/*/ , but regard them as valid rulesets.  This fixes this bug.


uruk version 20150825 - The Прибој Release

[ changes by Wessel Dankers ]
- script/uruk.in: Fix two cases where $ip6_defined was used without being set.
  uruk was unusable in cases where more than one IPv6 address is defined on an
  interface.


uruk version 20150810 - The Гoрњи Милановац Release

[ changes by Joost van Baal-Ilić ]
- init/uruk: no longer inspect obsolete variable $status_active.  Now "service
  uruk status" will no longer report _both_ 'active uruk rules loaded' _and_
  'active ruleset not loaded' when uruk is running.  Thanks Casper Gielen for
  bugreport.


uruk version 20150608 - The Oude Leije Release

[ changes by Joost van Baal-Ilić ]
- init/autodetect-ips: make sure it no longer gives "autodetect-ips: command
  substitution: line 106: syntax error near unexpected token `newline' [...]"
  when running under bash 3.2.  The old Red Hat Enterprise Linux 5.11 ships
  bash-3.2-33.el5_11.4. Also, bash 3.2-4.2 is shipped with Debian GNU/Linux
  5.0.10 (lenny) (a currently unsupported old Debian release).  Debian releases
  6.0 Squeeze and later install with dash as /bin/sh so on these platforms, uruk
  does not suffer from this issue with bash.  Thanks Casper Gielen for report
  and initial patch.
- Makefile.am: no longer ship uruk-VERSION.tar.bz2, do ship
  uruk-VERSION.tar.xz (next to .tar.gz).


uruk version 20150401 - The Gorp en Roovert Release

[ changes by Wessel Dankers ]
- script/uruk.in: Don't drop all traffic when multiple addresses are used:
  In uruk there is a bit of code that drops incoming packets for unknown
  destinations. In the case where there are multiple IP addresses on an
  interface, it falls back to just restricting the destination address to
  non-bogon ranges. In theory it could restrict these packets to the set of
  configured IP addresses, but this would require creating an extra filter chain
  (something which uruk has avoided so far).  In commit
  4b2dd0f71bf38dbf1e759d3b078c8c8692328dee the code for handling multiple IP
  addresses on an interface was changed, which also touched the code mentioned
  above. In this commit a logic bug was introduced, which caused packets to be
  dropped unless they had ALL destinations (instead of ANY). Since packets by
  design only have a single destination address, that meant all packets were
  dropped on that interface.  This patch fixes this showstopper issue by fixing
  the logic bug, properly keeping track of the number of addresses on an
  interface, and separating the filters for local and remote addresses.
- init/uruk: fix improper parameter passing (and typo)


uruk version 20150325 - The De Drie Zwaantjes Release

Uruk is no longer a one man show: Since this release, Wessel Dankers joined the
uruk maintainers. Welcome aboard!

[ changes by Joost van Baal-Ilić ]
- man/uruk-rc.azm doc/rc: Things like

   interfaces_nocast="eth0"

  are now deprecated in favor of

   bcasts_eth1="local"

  : use the multiple-IP-per-nic style if you want full control over which
  broadcast and multicast-traffic gets dropped.  (The old syntax is still
  supported; for now it's just no longer documented.)

[ changes by Wessel Dankers ]
- script/uruk.in man/uruk-rc.azm: ip_* and ip6_* are now unified in the same way
  as sources_* and sources6_*. As a bonus you can now mention multiple addresses
  in each ip "name". Example:

   ips_eth0='admin public'
   ip_eth0_admin='192.0.2.2 2001:db8::2'
   ip_eth0_public='192.0.2.3 192.0.2.4 2001:db8::3 2001:db8::4'

   services_eth0_admin_tcp='admin'
   ports_eth0_admin_tcp_admin='22'
   sources_eth0_admin_tcp_admin='192.0.2.0/24 2001:db8::/32'

   services_eth0_public_tcp='www'
   ports_eth0_public_tcp_www='80 443'
   sources_eth0_public_tcp_www='0/0 ::/0'
- script/uruk.in script/uruk-save: net_* and net6_ are now unified as well, and
  accept multiple networks.  The list of bogon networks is significantly
  expanded and now contains:

   0.0.0.0/8
   10.0.0.0/8
   100.64.0.0/10
   127.0.0.0/8
   169.254.0.0/16
   172.16.0.0/12
   192.0.0.0/24
   192.0.2.0/24
   192.88.99.0/24
   192.168.0.0/16
   198.18.0.0/15
   198.51.100.0/24
   203.0.113.0/24
   224.0.0.0/3

   64:ff9b::/96
   ::ffff:0:0/96
   100::/64
   200::/7
   2001:2::/48
   2001:db8::/32
   2001:10::/28
   fc00::/7
   fec0::/10
   3ffe::/16
   5f00::/8
   ::1/128
   ::/128
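
An added example (not part of uruk or of the original NEWS text): a POSIX sh check of an IPv4 address against the IPv4 half of the bogon list above, useful for auditing the addresses in an rc file. The function names are hypothetical; the ranges are copied from the list, and the IPv6 ranges are not covered.

```shell
#!/bin/sh
# Added example (not uruk's code): test an IPv4 address against the bogon list.

# IPv4 ranges copied from the list above.
BOGONS4='0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.88.99.0/24 192.168.0.0/16
198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 224.0.0.0/3'

# ip4_to_int A.B.C.D: print the address as a 32-bit integer; fail on bad input.
ip4_to_int() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1            # split on dots; input holds only digits and dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            0?*|????*) return 1 ;;   # leading zero (octal ambiguity) or too long
        esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr4 ADDR NET/LEN: succeed if ADDR lies inside NET/LEN, 2 on bad input.
in_cidr4() {
    addr=$(ip4_to_int "$1") || return 2
    net=$(ip4_to_int "${2%/*}") || return 2
    len=${2#*/}
    case $len in
        ''|*[!0-9]*|0?*) return 2 ;;
    esac
    [ "$len" -le 32 ] || return 2
    if [ "$len" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    fi
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# bogon4 ADDR: print the first listed range containing ADDR.
# Returns 0 on a hit, 1 if no range matches, 2 if ADDR is malformed.
bogon4() {
    ip4_to_int "$1" >/dev/null || return 2
    for range in $BOGONS4; do
        if in_cidr4 "$1" "$range"; then
            printf '%s\n' "$range"
            return 0
        fi
    done
    return 1
}

# Constructed sample addresses; 192.0.2.3 is the one used in the rc example.
for a in 192.0.2.3 100.100.1.1 8.8.8.8; do
    if r=$(bogon4 "$a"); then
        echo "$a: bogon ($r)"
    else
        echo "$a: not in list"
    fi
done
```

The documentation addresses used in the rc example above (192.0.2.x) fall inside the listed 192.0.2.0/24 range.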


uruk version 20141120 - The Јадар Release

- script/uruk.in: make uruk_version available to rc files.  One can use that
  to handle unsupported uruk versions gracefully in rc files.  Thanks Wessel
  Dankers for suggestion.
- script/uruk.in: no longer warn if services_${iface}_${proto} is undefined
  for proto in udp, dccp or sctp.  To reduce useless warnings, we now only
  warn for undefined services_${iface}_tcp.  Thanks Wessel Dankers, Thijs
  Kinkhorst and Casper Gielen for suggestion.


uruk version 20140627 - The Vlook Release

- script/uruk: next to protocols tcp and udp, uruk now has preliminary
  experimental support for dccp and sctp.  Stream Control Transmission Protocol
  (needs iptables >= 1.2.9) is defined in RFC 4960; Datagram Congestion Control
  Protocol is defined in RFC 4340. These protocols are implemented in the
  sctp.ko and dccp.ko Linux kernel modules.
  Beware!  For TCP, we do inspect "tcp --tcp-flags SYN,ACK,FIN,RST [...]".
  However, for DCCP or SCTP, we don't do anything specific yet with respect to
  the state of the DCCP or SCTP connections!  You'll have to take measures
  yourself to deal sanely with open connections.  Untested code.
- doc/rc, man/uruk-rc.azm: document new semantics of
  sources_${iface}_${proto}_${service} vs sources6_${iface}_${proto}_${service}
- bootstrap: update to automake 1.14.


uruk version 20140319 - The Alfama Release

- init/uruk: no longer abort on failed commands.  This fixes a bug: upgrading
  a "not running" uruk from 20130426 to 20131213 on Debian systems
  would fail with "invoke-rc.d: initscript uruk, action "force-reload" failed.
  dpkg: error processing uruk (--install): subprocess installed
  post-installation script returned error exit status 3".  Indeed, calling
  /etc/init.d/uruk force-reload on a "not running" uruk would give error exit
  status 3, and would not give any output.
- init/autodetect-ips: make sure Debian inet6 stanzas default to netmask=64.
  Patch contributed by Wessel Dankers.
- script/uruk: Simplify semantics of sources_${iface}_${proto}_${service} vs
  sources6_${iface}_${proto}_${service}.  sources6_* is no longer needed; just
  list both IPv4 and IPv6 addresses in sources_*.

  Before this change, uruk required separate sources_* and sources6_*
  variables to configure access for v4/v6 sources.  To be precise, the semantics
  now is: 1) If both sources_* and sources6_* are defined (even if they're just
  empty), each is used for its respective address family. (This ensures
  backwards compatibility.) 2) If sources6_* is undefined, sources_* is used
  for both v4 and v6.  3) In either case, v4 literals in v6 context and v6
  literals in v4 context are silently (!) ignored.

  The patch also fixes the detection of undefined variables, which was broken.
  Patch contributed by Wessel Dankers.
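
An added example (not uruk's own code): the three rules above written out as a POSIX sh resolver, to show which literals end up in each address family. The function names and the sample variables are constructed for illustration, and using sources6_* for v6 when only sources6_* is defined is an assumption, since the text does not cover that case.

```shell
#!/bin/sh
# Added example, not taken from script/uruk.

# Constructed sample rc settings.
sources_eth0_tcp_www='0/0 ::/0'                    # sources6_* undefined: rule 2
sources_eth0_tcp_ssh='192.0.2.0/24 2001:db8::/32'
sources6_eth0_tcp_ssh=''                           # defined but empty: rule 1

# is_v6 LITERAL: succeed if the literal contains a colon (IPv6 address/prefix).
is_v6() {
    case $1 in
        *:*) return 0 ;;
        *)   return 1 ;;
    esac
}

# effective_sources FAMILY SUFFIX
#   FAMILY: 4 or 6
#   SUFFIX: iface_proto_service, e.g. eth0_tcp_www
# Prints the space-separated literals that apply to FAMILY.
effective_sources() {
    family=$1
    suffix=$2
    # SUFFIX is spliced into eval below, so accept identifier characters only.
    case $suffix in
        ''|*[!A-Za-z0-9_]*) return 2 ;;
    esac
    # ${var+set} distinguishes "defined but empty" from "undefined".
    eval "have6=\${sources6_${suffix}+set}"
    if [ "$family" = 6 ] && [ -n "$have6" ]; then
        eval "list=\${sources6_${suffix}}"     # rule 1
    else
        eval "list=\${sources_${suffix}-}"     # rule 1 for v4, rule 2 for v6
    fi
    out=
    for lit in $list; do
        if is_v6 "$lit"; then fam=6; else fam=4; fi
        # Rule 3: a literal of the other family is skipped without a warning.
        [ "$fam" = "$family" ] || continue
        out="${out:+$out }$lit"
    done
    printf '%s\n' "$out"
}

for svc in eth0_tcp_www eth0_tcp_ssh; do
    echo "$svc v4: [$(effective_sources 4 "$svc")]"
    echo "$svc v6: [$(effective_sources 6 "$svc")]"
done
```

With the sample settings, the IPv6 prefix listed in sources_eth0_tcp_ssh never takes effect, because the empty but defined sources6_eth0_tcp_ssh selects rule 1.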


uruk version 20131213 - The Gweek Release

- init/uruk: actually _do_ perform a reload when called as "service uruk
  force-reload".
- script/urukctl: fix warning about "enable_uruk_save_warning is no longer
  supported".


uruk version 20130913 - The Clochán na bhFomhórach Release

- script/urukctl: use just initd_status to decide upon status; do not inspect
  $status_active.  This fixes a severe bug, which made the Dr Syntax's Head
  release unusable: running "# urukctl start && service uruk force-reload"
  would give "Nothing to do for reloading uruk: uruk is not running [ OK ]".
  Thanks Casper Gielen for reporting this issue.
- doc/default, script/urukctl: default: explicitly add /sbin to PATH.  urukctl:
  check command line args earlier in execution.  Now "urukctl --help" and
  "urukctl help" e.a. behave better when called as non-root.
- script/urukctl: don't test running iptables when called with argument "save",
  enable running "urukctl save active" as non-root, using uruk-save.
- bootstrap: upgrade from automake 1.11 to 1.13


uruk version 20130830 - The Dr Syntax's Head Release

- script/uruk: work around possible bug in conntrack, found when: we are client
  and initialize outgoing tcp session.  Return traffic gets allowed since
  matching state.  Incoming rset packet gets received, apparently kernel doesn't
  recognize it as belonging to a tcp-session being shut down, and can't match
  the state.  Uruk then blocks and logs it.  Now it explicitly allows such RSET
  packets.  This closes Debian Bug#720306 (http://bugs.debian.org/720306).


uruk version 20130809 - The Corbeşti Release

- script/urukctl: Fix bug in urukctl, introduced 2013-05-29.  (Previous uruk
  versions 20130619 and 20130618 are unusable.)  Be sure to assign variables
  ($libdir e.a.) on time.  No longer fails with "mkdir: cannot create directory
  `': No such file or directory".  Thanks Casper Gielen for bugreport.
- script/urukctl: no longer strictly requires root-access when called as
  "urukctl create active".
- init/autodetect-ips, man/uruk-rc.azm: detect IPs currently assigned to
  interfaces, which are not listed in config files /etc/network/interfaces or
  /etc/sysconfig/network-scripts/ifcfg-*, by calling ip(8) if needed.  Useful in
  case e.g. udev is used to assign IPs to interfaces.  This closes Debian
  Bug#712869 (http://bugs.debian.org/712869).
- init/autodetect-ips: Apply patch contributed by Wessel Dankers: "accept
  debian interfaces entries that include the netmask".
- man/{uruk,urukctl}.azm: Various improvements in uruk(8) and urukctl(8)
  manpages.
- man/include.zmm.in, man/uruk*.azm: introduce zoem macro \gplheader, update
  copyright of all manpages
- Special thanks to Wessel Dankers for recovering my git repo: it didn't really
  like a sudden powerfailure.  And thanks for lending me an Ubuntu EeePC to
  replace mine which died after an encounter with my bicycle's wheel spokes.
- Thanks Jelena for teaching me how to spell četiri.


uruk version 20130619 - The Het De Siptenpad Release

- init/uruk: bugfix: change DAEMON from /usr/sbin/uruk to /sbin/uruk.
- man/urukctl.azm: various improvements.


uruk version 20130618 - The Sterreke Release

- A part of the uruk init script's functionality is now delivered by the new
  script urukctl (with manpage urukctl(8)).  Calling the init script with
  arguments "save", "create", "load", "reload", "clear", "halt" and "flush" is
  deprecated (but still supported for now; the init script calls urukctl).
  Only the arguments "start", "stop", "restart", "force-reload" are still (and
  will continue to be) fully supported in /etc/init.d/uruk.

  When the uruk software is removed from a system, but one chooses to keep the
  uruk configuration files, /etc/init.d/uruk could be kept (e.g. on a Debian
  system when removing (not purging) the uruk package; /etc/init.d/uruk is
  considered to be a configuration file on Debian).  When one boots such a
  system, the LSB standards require the init script to exit with error 5
  ("program is not installed").  Such an error causes the boot process to fail.

  The revised uruk init script now exits successfully when the uruk program is
  not installed, like any init script on Debian systems.


uruk version 20130426 - The Sy Release

- 10th anniversary release \o/

- Currently, setting enable_ipv6=false in /etc/{default,sysconfig}/uruk means:
  uruk should never call ip6tables, i.e. uruk won't change or set any
  ip6tables rule.  In an upcoming uruk release (not this one), setting
  enable_ipv6=false will mean: block all IPv6 traffic.

  So, if you don't use any IPv6 networking functionality, you're advised
  to now make sure you have set enable_ipv6=false.

  If you have some IPv6 filtering rules but are managing them NOT using uruk,
  and therefore have set enable_ipv6=false, you should start thinking about
  migration now.  You can either decide to start managing your IPv6 rules with
  uruk, and set enable_ipv6=true, or stop using uruk.

  In all other cases, things will just continue to work.

- The uruk-save script (managed by setting enable_uruk_save in
  /etc/{default,sysconfig}/uruk) is now no longer considered experimental,
  but fully supported.  It is still disabled by default, though.

- README, man/uruk.azm, script/uruk: apply patch contributed by Thijs
  Kinkhorst, 1 Mar 2013, in <1362140354-7012-1-git-send-email-thijs@uvt.nl>:
  "Replace obsolete 'state' module usage with 'conntrack'.":

   The iptables 'state' module has been obsoleted and produces warnings in
   current Debian sid. The modern form to express this is with the 'conntrack'
   module. Change uruk's iptables commands to make use of the newer syntax.

   As according to the README uruk already depended on the conntrack module
   being present, this introduces no higher minimum iptables version. The change
   has been tested against Debian Lenny, Squeeze, Wheezy and Sid.

  Thanks Thijs!  This closes bug http://bugs.debian.org/702064 .

- script/uruk: apply patch contributed by Casper Gielen, fixing typo in the
  ip6_noroute_ranges value.  Thanks Casper!  This closes bug
  http://bugs.debian.org/705202 .


uruk version 20130226 - The Vlist Release

- init/autodetect-ips: Apply patch contributed by Wessel Dankers,
  2013-02-15: "typo in autodetect-ips breaks situations with eth0:0"
- man/uruk-rc.azm: cosmetic fixes.


uruk version 20121205 - The Zes Blokskes Release

- init/autodetect-ips init/enable-ipv6: add missing #!/bin/sh.
- man/uruk-rc.azm: documented autodetect-ips in uruk-rc(5).
- man/uruk-save.azm: documented changes in 20121130 in uruk-save(8).


uruk version 20121130 - The Вршац Release

- experimental release.
- init/autodetect-ips, init/enable-ipv6: Added new helpers for uruk rc and for
  uruk/default, contributed by Wessel Dankers.
- script/uruk, script/uruk-save: Apply patch contributed by Wessel Dankers in
  <1354116979-10246-1-git-send-email-wsl@fruit.je>: "allow access to different
  tables (nat, mangle, raw) in uruk-save".


uruk version 20121023 - The Grafwegen Release

- uruk/script/uruk: Fix IPv6 firewalling in case uruk is used on a host (not
  transit) firewall by applying patch contributed by Thijs Kinkhorst: "Uruk
  implemented RFC 4890 section 4.3: Recommendations for ICMPv6 Transit Traffic.
  However uruk is used in some (many?) cases not as a transit firewall but as a
  host firewall for destination entities. Therefore, also the recommendations
  from section 4.4: Recommendations for ICMPv6 Local Configuration Traffic need
  to be added."


uruk version 20121005 - The Onze-Lieve-Vrouw-Waver Release

- lsb/init-functions, lsb/lsb_killproc, lsb/lsb_log_message, lsb/lsb_pidofproc,
  lsb/lsb_start_daemon: added.  By default installed in
  /usr/local/libexec/uruk/lsb/; RPM packages should install these in
  /lib/uruk/lsb/.  On a non-LSB-system, uruk tries to use
  /etc/init.d/functions.  This file is installed by the initscripts RPM package
  (e.g. with version 9.03.31-2.el6.x86_64 for Red Hat Enterprise Linux).
  Rationale for shipping /lib/uruk/lsb/: In order to supply a RHEL 6 system
  with the LSB init interface, one has to install the redhat-lsb RPM package
  (e.g. version 4.0-3.el6.x86_64).  This package pulls in massive amounts of
  dependencies.  (70 MBs, we've been told, thanks Thijs Kinkhorst for reporting
  this issue.)  Using the initscripts RPM package and /lib/uruk/lsb/ keeps the
  system small and lean.
- uruk/init/uruk: add missing $local_fs (for /var) to Required-Stop LSB header.


uruk version 20120914 - The Sankt Goar Release

- uruk/init/uruk: init script should now work without /usr being mounted.  (It
  still needs /var though.)  It no longer sets PATH.  (It used to set it to
  include /usr{,/local}/{,s}bin.)  This init script should work on systems
  using our Debian package, as well as on systems using our RPM package.  If
  you run uruk on another system you likely have to make sure /usr/sbin and/or
  /usr/local/sbin are in your PATH when executing the init script.
- uruk/init/uruk: stop uruk when switching to single-user mode (runlevel 1),
  not just when rebooting the system (runlevel 6) or halting the system
  (runlevel 0).
- Linux kernel behaves in ways which makes iptables incorrectly block final
  FIN-ACK packets.  Workaround implemented.  Uruk now explicitly allows these,
  and no longer logs them.  See http://bugs.debian.org/687621.  Thanks Wessel
  Dankers.
- uruk/man/uruk-rc.azm: document how to allow IPv6 tunneling by ACCEPTing
  IP protocol 41.


uruk version 20120608 - The Hooidonk Release

- uruk/script/uruk: No longer block, but allow ICMPv6 type 137 Redirect Message
  [RFC4861].  These are needed for Duplicate Address Detection in IPv6
  autoconfiguration: RFC 4429 says: "the router should [...] provide the ON with
  an ICMP Redirect, which may include a Target Link-Layer Address Option
  (TLLAO)."  Thanks Casper Gielen.
- uruk/init/uruk: Apply patch for uruk init script, in order to make sure uruk
  starts early enough in boot sequence:

   -# Required-Start:    $network $remote_fs
   -# Required-Stop:     $network $remote_fs
   +# Required-Start:    mountkernfs $local_fs
   +# Required-Stop:

   -# Default-Stop:      0 1 6
   +# Default-Stop:      0 6

   +# X-Start-Before: networking
   +# X-Stop-Before:

  contributed by Wessel Dankers.  Thanks!


uruk version 20120605 - The Pickensteeg Release

- configure.ac: no longer die if programs zoem, col and/or groff are not found.


uruk version 20120530

- uruk/script/uruk.in: icmpv6: DROP some.  Based upon suggestions found in
  rfc4890-icmpv6-firewall.sh.  A.o., the following ICMPv6 packets are now
  dropped by default: Redirect messages: redirect; Multicast Listener queries
  (MLDv1 and MLDv2): 130; Multicast Listener reports (MLDv1): 131; Multicast
  Listener Done messages (MLDv1): 132; Multicast Listener reports (MLDv2):
  143; Router renumbering messages: 138; and Node information queries (139)
  and replies (140): 139 140.
- uruk/doc/rfc4890-icmpv6-firewall.sh, uruk/doc/rfc4890.license.msg: ship
  example ICMP v6 script from RFC 4890, by Suresh Krishnan.  It is available
  under a BSD-style license.
- zoem no longer needed to build from this tarball: pretypeset documentation is
  shipped.
- we no longer rely upon expansion of BIN_PATH SBIN_PATH DATA_PATH SYSCONF_PATH
  LOCALSTATE_PATH using AC_DEFINE_DIR, as defined in GNU Autoconf Macro
  Archive's ac_define_dir.m4.  These are now hardcoded to /usr/bin, /usr/sbin,
  /var, /etc and /usr/share.  (Package autoconf-archive >= 20111221-1 (and
  possibly also older ones) no longer ships ac_define_dir.  From changelog:
  2011-09-16 "AX_DEFINE_DIR: Obsolete: it doesn't comply with the GCS." See
  http://lists.gnu.org/archive/html/bug-autoconf/2011-09/msg00013.html for
  discussion.)


uruk version 20110831

- uruk/man/Makefile.am: assume zoem knows where to find aephea; get rid of
  hardcoded ZOEMSEARCHPATH=/usr/share/aephea.  You need zoem >= 11-166 to build
  this uruk.


uruk version 20110608

- The IPv6 Day release!  (Today is ISOC's World IPv6 Day, see
  http://www.worldipv6day.org/)
- Fix some more zoem >= 10-265-1 (cosmetic) issues.
- doc/default: examples now more useful: just uncomment the line to change
  behaviour. tnx Thijs Kinkhorst for sharing ideas.


uruk version 20110602

- bootstrap: now builds with automake 1.11 (no longer 1.9)
- uruk/man/Makefile.am, uruk/man/uruk-rc.azm, uruk/man/uruk-save.azm,
  uruk/man/uruk.azm: converted manpages to zoem >= 10-265-1 + aephea >= 10.008-1
  format.
- script/uruk.in: behave more gracefully on suspicious rc file: issue a warning
  in case of undefined variable.  Thanks Wessel Dankers for bringing this up &
  supplying a first implementation.


uruk version 20110213

- init/uruk.in: Support for IPv6 packet filtering has been enabled by default.
  It is no longer required to edit /etc/default/uruk to enable it: if you'd
  like to use IPv6 packet filtering, you now can remove any setting of
  enable_ipv6 in /etc/default/uruk.  If you'd prefer NOT to use IPv6 packet
  filtering, be sure your /etc/default/uruk has "enable_ipv6=false".


uruk version 20100831

- Fix example rc file: found out /sbin/ip6tables (as shipped with e.g. iptables
  1.4.8-2) understands both full and abbreviated IPv6 names, while the shipped
  /sbin/iptables understands full names only.  Thanks ﻢﻫﺪﻳ ﺎﻟﺩڤﻱ.


uruk version 20100823

- README: added upgrade instructions for releases <= 20100717.
- script/uruk.in: Update to new iptables syntax: Get rid of warning "Using
  intrapositioned negation (`--option ! this`) is deprecated in favor of
  extrapositioned (`! --option this`)."
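
  Hook files that call iptables directly may still use the deprecated form.
  The filter below is an added example, not code from uruk; the function name
  fix_negation and the sample rules in the comments are constructed here.

```shell
#!/bin/sh
# Added example, not uruk code: move an intrapositioned "!" in front of its
# option, as the iptables deprecation warning asks.

# fix_negation: filter stdin to stdout.
#   "--option ! value"  becomes  "! --option value"
# A "!" that is followed by another option (e.g. "--syn ! -s 192.0.2.1") is
# already extrapositioned and is left alone: the value may not start with "-".
fix_negation() {
    sed -E 's/(^|[[:space:]])(--?[[:alnum:]][[:alnum:]-]*)[[:space:]]+![[:space:]]+([^-[:space:]][^[:space:]]*)/\1! \2 \3/g'
}

# Constructed sample rules, one deprecated and one already in the new form.
printf '%s\n' \
    '$iptables -A INPUT -s ! 10.0.0.0/8 -p tcp --dport ! 22 -j DROP' \
    '$iptables -A INPUT -p tcp --syn ! -s 192.0.2.1 -j DROP' | fix_negation
```

  Compare the filter's output with the original file (for instance with
  diff) before replacing a hook.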


uruk version 20100821

- script/uruk.in: fix bug introduced in version 20100820: uruk: 391: Syntax
  error: Unterminated quoted string.


uruk version 20100820

- Enable support for IPv6 packet filtering.  See the README file for
  upgrade instructions.
  + script/uruk.in: ip6tables is now enabled in the uruk script by default.
    However, if you interact with uruk using the init script, you still have
    to add "enable_ipv6=true" to /etc/default/uruk to fully enable it.
  + man/uruk*.azm, doc/rc: manpages and example rc file updated to reflect
    IPv6-support is no longer considered experimental.
  + script/uruk.in: Drop unroutable IPv6 traffic.  Use connection tracking
    for IPv6.  Patch supplied by Casper Gielen.
- init/uruk.in: Fix bugs in support for dependency based boot sequencing
  + We want to start early in boot sequence (on entering runlevel S).  LSB
    init.d header however had "Default-Start: 2 3 5". Fix this to S.  Thanks
    Petter Reinholdtsen for the patch in http://bugs.debian.org/581659.
  + Furthermore, change Default-Stop: "0 6" to "0 1 6": no need to special
    case runlevel 1 (thanks Debian's lintian).
  + Finally, added "$remote_fs" to Required-Start: and Required-Stop: since
    obviously we need /usr/sbin/uruk to be available (thanks again Debian's
    lintian).
- Makefile.am, bootstrap: some tweaking of buildsystem.


uruk version 20100717

- The uruk code is no longer maintained using GNU Arch, but using the git
  version control system.
- Use IPv6 connection tracking if supported by kernel. Patch contributed by
  Casper Gielen in Message-ID: <4B8D3D30.50201@uvt.nl>.


uruk version 20080330

- Make behaviour more robust when uruk loglevel is set between 20 and 40 and
  IPv6 is enabled.  In case not all IPv6 addresses were explicitly specified,
  uruk would give an error:
     ip6tables v1.3.6: Unknown arg `--destination'
     Try `ip6tables -h' or 'ip6tables --help' for more information.
  (it would try to run
     /sbin/ip6tables -A INPUT -j LOG --log-level debug --log-prefix
     'ip6tables: ' -i eth0 --destination
  in this situation.)   These errors did NOT compromise the firewall
  rules, btw.  When addresses are missing, uruk no longer tries to log the
  traffic.


uruk version 20080307

- Fix a bug showing up when uruk loglevel is set between 20 and 40 and IPv6 is
  enabled: it caused errors like "ip6tables v1.3.6: host/network 10.1.2.3 not
  found".  These errors did NOT compromise the firewall rules, btw.
- Added support for multiple hook files (like rc_a) working at one entry point.
  See uruk-rc(5) and uruk(8).  Thanks Wessel Dankers for the suggestion and for
  a first implementation.


uruk version 20071101

- Added another contribution from Fred Vos to contrib/: fw2dot.xsl: generating
  a dot file (for graphviz) from an XML-ed uruk rc file.
- Various fixes in uruk init script.  Among others: fix behaviour of "reload"
  and "force-reload" in case uruk is not running.


uruk version 20071030

- We ACCEPT traffic on lo earlier in the uruk ruleset: that's more efficient.
  Traffic on lo will no longer be delayed by our ruleset.

  Uruk <= 20051129 built its rules like:

      1  rc is sourced as a shell script
      2  $rc_a is sourced as a shell script
     [...]
      8  $rc_d is sourced
      9  Traffic on lo is trusted
     10  $rc_e is sourced
     11  Don't answer broadcast and multicast packets
    [...]

  Uruk >= FIXME builds its rules as:

      1  rc is sourced as a shell script
      2  Traffic on lo is trusted
      3  $rc_a is sourced as a shell script
    [...]
      9  $rc_d is sourced
     10  Don't answer broadcast and multicast packets
    [...]

  see uruk(5)

  If you've done tricks with lo in any of the rc_ hook scripts, you risk being
  hit by incompatibilities.  Study the uruk source to find out how to fix your
  hook.  If you're not using any hook scripts, you are safe: your uruk
  configuration will still work fine.   If you're using hook scripts, but don't
  do anything specific with lo in your scripts, you are likely safe: your
  configuration will likely still work.

  If you were using rc_a to add rules to the absolute beginning of the ruleset,
  you might have to move these to the rc-file: traffic on lo is now accepted
  _before_ rc_a is sourced.

  If you rely on traffic on lo to be logged, and your loglevel was "fascist",
  you should craft some hack: this traffic will no longer be logged by default
  with this loglevel.

  rc_e is now obsolete.  You should move your rc_e stuff to rc_d.  (rc_e for now
  will still work, though.)
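
  One way to find the hooks this reordering affects, as an added example that
  is not part of uruk.  It assumes hooks select the loopback interface with
  iptables' -i/-o options; the function names, the OBSOLETE/LO report format
  and the sample rc and hook files are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of uruk: find hooks affected by the lo reordering.
# Assumption: hooks match the loopback interface with iptables' -i/-o options.

# audit_hooks RCFILE: source RCFILE in a subshell (uruk sources the rc file as
# a shell script too), then print one finding per line.  Exit status is 1 if
# anything was found, 0 otherwise.
audit_hooks() (
    . "$1" || exit 2
    found=0
    for var in rc_a rc_b rc_c rc_d rc_e; do
        eval "hook=\${$var:-}"
        [ -n "$hook" ] || continue
        if [ "$var" = rc_e ]; then
            echo "OBSOLETE $var=$hook (move its contents to rc_d)"; found=1
        fi
        # Non-comment lines that select interface lo; unreadable hooks are skipped.
        hits=$(grep -nE '^[^#]*(-[io]|--(in|out)-interface)[[:space:]]+lo([[:space:]]|$)' \
            "$hook" 2>/dev/null) || continue
        echo "$hits" | sed "s|^|LO $var $hook:|"
        found=1
    done
    exit "$found"
)

# make_sample: write a constructed rc file and two hooks to a temp dir and
# print the rc path.  Everything below is sample data, not a real setup.
make_sample() {
    d=$(mktemp -d) || return 1
    cat > "$d/rc_a" <<'EOF'
# used to run before lo was trusted; now runs after it
$iptables -A INPUT -i lo -p tcp --dport 25 -j DROP
$iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
EOF
    cat > "$d/rc_e" <<'EOF'
# -i lo mentioned only in a comment
$iptables -A OUTPUT -o eth0 -j ACCEPT
EOF
    printf 'rc_a="%s/rc_a"\nrc_e="%s/rc_e"\n' "$d" "$d" > "$d/rc"
    echo "$d/rc"
}

sample_rc=$(make_sample)
audit_hooks "$sample_rc" || :
rm -rf "${sample_rc%/rc}"
```

  A LO finding only marks a line to review: whether the rule still has its
  intended effect once lo is accepted earlier depends on the hook.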

- The uruk init script now is (should be) Linux Standard Base v 3.1.0 compliant.
  Added extra supported argument "status".  The script now _requires_ the file
  /lib/lsb/init-functions to be present, and to define the shell functions
  log_success_msg, log_failure_msg and log_warning_msg.  LSB compliant systems
  (recent releases of Debian GNU/Linux, Red Hat Enterprise Linux, Ubuntu Linux,
  a.o.) supply this.
- Introduced new variables interfaces_unprotect and URUK_INTERFACES_UNPROTECT.
- Add XML stuff contributed by Fred Vos, including some preliminary documentation
  (in Dutch).  Could be used to transform an XML-file describing uruk rules to an
  uruk rc file.  Shipped in contrib/, installed in .../doc/uruk/contrib/.
- Uruk is now licensed under GPLv3 (or any later version).
- man/Makefile.am: no longer try to support non-ascii characters in .txt
  manpages.  col, as shipped with the bsdutils 1:2.13-2 Debian package chokes
  on output of groff, as shipped with the 1.18.1.1-12 Debian package.  See also
  Debian bug Bug#441659.
- TODO: added some more received wishlist bugs (thanks Wessel Dankers and Fred
  Vos)
- Minor fixes in uruk(8) manpage.
- uruk-rc(5): documented improved way to unprotect an interface, thanks Wessel
  Dankers.
- TODO, init/uruk.in: found and documented bug: /etc/init.d/uruk force-reload
  breaks when nat or mangle table are used.  Thanks Wessel Dankers for spotting
  this.


uruk version 20051129

- On Red Hat, start the uruk initscript _after_ network interfaces are
  configured.  (We have always been doing this in the Debian package.) This is
  needed in order to support usage where the rc file queries the operating
  system to learn about current IP addresses.  With uruk 20051026 and 20051027,
  such usage was not possible.  See TODO for notes on pending issues related to
  this.
- Build-depend upon zoem >= 05-328.


uruk version 20051027

- Fixed bug in uruk script.  Reported to pop up when /bin/sh is bash and
  $version is not set in /etc/uruk/rc.


uruk version 20051026

- More examples in uruk-rc(5) manpage.  Thanks Roland van Hout for suggestion.
- Experimental ip6tables support added to uruk(8) and uruk-save(8). See comments
  in the uruk script.  New option "-6" for uruk-save(8).
- The uruk init script now sources both /etc/default/uruk and /etc/sysconfig/uruk
  (if present, of course).  An example file for /etc/{default,sysconfig}/uruk is
  now shipped and gets installed in /usr/[local/]share/doc/uruk/examples/.
- Major overhaul of the uruk init script.  This script now is more integrated in
  the uruk framework.
  + The pre-uruk situation is now saved and restorable.
  + Optionally calls uruk-save (and displays a warning by default).
  + Calls uruk if applicable.
  + Improved options: start, stop, force-reload, reload.  These now behave more
    intuitively.
  + The saved active and inactive rules now no longer get out of sync with the
    uruk rc file.  (O.t.o.h.: one can no longer maintain part of the firewall
    configuration outside the uruk rc file.)
  + New option: create
  See README on what the implications are if you're upgrading.  Thanks to Wessel
  Dankers for his ideas about an improved uruk init script.
- uruk(8) now checks for the Uruk version the rc file was created for.  This
  will allow for more sane behaviour in case of future incompatible upgrades.
- Buildsystem: ./bootstrap now uses autoreconf(1).


uruk version 20050718

- This is a pre-release.
- Added support for loglevel, see uruk-rc(5).  Some people were annoyed by uruk's
  syslog spamming.  If you're one of these, set loglevel=30 (or 10) in your
  rc-file.


uruk version 20050414

- This is a pre-release.
- Uruk now is maintained using GNU Arch on http://arch.gna.org/uruk/ .  See
  README.
- ChangeLog entries from 2003 split off in ChangeLog.2003.
- Uruk(8) now honors environment variables URUK_IPTABLES (/sbin/iptables by
  default) and URUK_CONFIG (/etc/uruk/rc by default).
- Now ships new script uruk-save(8); which saves /etc/uruk/rc in
  iptables-{save,restore} format, without invoking iptables.  You could
  use it e.g. when loading a new rc file.  See the updated uruk(8) manpage.
- The uruk init script now honors /etc/default/uruk.  See comments in the code.
- The uruk init script acts more sanely when passed {stop,start} while no saved
  rules files are present: it tries to generate these in such circumstances.  It
  will warn you it's doing so.


uruk version 20040625

- Fixed bug in multiple IP per network interface mode.  Uruk was unusable in
  such a setup.
- Some tweaking of build system.


uruk version 20040216

- Fixed severe bugs in uruk script: 20040213 was unusable.
- init script now supports chkconfig: Red Hat is now better supported.


uruk version 20040213

- Support for multiple IP addresses on one network interface added.  New
  variables ips_<nic> and bcasts_<nic> introduced.  See uruk-rc(5).  Don't
  worry: your old rc file will still behave as it used to.


uruk version 20040210

- Allow more ICMP types by default.  Tnx Wessel Dankers for suggestion.
- The Uruk init script is now more helpful when often-encountered errors occur.
- Added warning to uruk(8) manpage: uruk does no sanity checking.


uruk version 20031111

- We no longer create our own ``block'' chain: the built-in INPUT and OUTPUT
  chains suffice for our purposes.  This makes uruk's rule setup much more
  simple.  Thanks to Wessel Dankers.
- rc_1, ... , rc_10 are NO LONGER SUPPORTED.  We use rc_a, rc_b, rc_c, ... now.
  In the future, rc_aa, rc_aab, ... might get added.  You'll HAVE TO rewrite
  your rc_<n> style stuff MANUALLY.  See the notes on UPGRADE in the README
  file.  (Your uruk/rc file will still work fine.  No other changes in the
  configuration file syntax are introduced in this release.)
- If you have saved your rules using iptables-save or the uruk init script,
  you'll have to rebuild them.  The old-style rules are not supported by this
  uruk release.


uruk version 20031026

- Fixed bug which made "/etc/init.d/uruk stop" fail.
- Documented more of uruk's features.


uruk version 20031008

- Init script more robust, especially on fresh installs. (We still suffer from
  at least one bug though, see TODO.)
- Started documenting rc_<n> hooks.
- Various minor and cosmetic cleanups in documentation.


uruk version 20031004

- ad1810-firewall is now called uruk.
- big changes in build system and documentation system:
  - manpages have been converted from Perl's pod format to zoem format.  See
    README for details.
  - now build-depends on zoem: documentation depends on configure-time
    settings.
- ad1810-firewall under some circumstances was not reboot-resistant: I've
  missed a change in the Debian iptables package behaviour.  The Debian iptables
  package >= 1.2.7-8 (7 Dec 2002) will not call /etc/init.d/iptables on boot by
  default.  We now ship our own init script to deal with this (thanks to
  Laurence J. Lane).


ad1810-firewall version 20030829

- ad1810-firewall-rc manpage converted from pod to zoem
  ( http://micans.org/zoem ).
- rc_1, rc_2, .... rc_10 feature supported by ad1810-firewall script: set e.g.
  rc_1=/usr/local/etc/ad1810-firewall/rc_1 in your ad1810-firewall-rc(5).  This
  file should contain shell code.  This is executed early in the ad1810-firewall
  routine, allowing fine-grained tweaking of rules, for systems with special
  demands.  For now, see the ad1810-firewall shell code for more details.  More
  documentation will follow.


ad1810-firewall version 20030512

- Moving manpage format from pod to zoem.
- Fixed automatic version numbering in build system; no more wacky vyyyymmdd
  versions.  Thanks Raja R Harinath on the autoconf list.
- rc should no longer define e.g. sources_eth0_tcp_www, where www is a port, but
  e.g. sources_eth0_tcp_public, where public is a symbolic name for a (set of)
  services.  Furthermore, the new variable ports_eth0_tcp_public should be
  defined as e.g. "www".


ad1810-firewall version v20030427

- rc File location now depends on sysconfdir, as set during configure.
- Various documentation updates.


ad1810-firewall version v20030426

- First public alpha release.  Untested!