Text File | 2012-02-18 | 11KB | 416 lines
@(#) $Id: CHANGES 812 2012-02-18 06:09:03Z leres $ (LBL)
v1.11 Fri Feb 17 21:59:35 PST 2012
- Implement missing IPv6 functionality in force10.expect and
cisco.expect
v1.10 Wed Feb 8 17:08:38 PST 2012
- Add acl name to NETS syslog
- Add "id" keyword that appears in the NETS syslog
v1.9 Wed Jan 18 18:48:09 PST 2012
- Keep statistics for nullzero routes
- Rewrite parts of cisco.expect to deal with the gratuitously different
IPv6 access-list output format
v1.8 Thu Nov 3 17:48:49 PDT 2011
- Handle cforce CAPACITY_EXCEEDED more gracefully
- Add -f to acl.exp for blockhosthost and restorehosthost
v1.7 Sun Oct 23 18:14:42 PDT 2011
- Add ACL list full check to check_acld nagios plugin
- Add /usr/local/bin to path in acl.exp so it can find socket
- Fix some sequence number issues in the cforce module
v1.6 Tue Sep 27 17:48:36 PDT 2011
- cForce appliance fixes
- Implement permitudpdstnetport, blockudpdstnetport, permittcpdstnetport
and blocktcpdstnetport in acld and force10.expect
- Don't allow quoted configuration options to be repeated
- Fix various bugs in cisco.expect
- query now reports all host, hosthost and net acl matches
- querywhitelist now reports all whitelist matches
v1.5 Wed Sep 14 18:09:15 PDT 2011
- Fix query bugs introduced in v1.2 and v1.4
- Change query to report host, host to host or subnet blocks
v1.3 Fri Sep 9 15:50:04 PDT 2011
- Add -f to acl.exp for nullzero, nonullzero, querynullzero,
addwhitelist, remwhitelist and querywhitelist
v1.2 Thu Sep 8 19:57:45 PDT 2011
- Query now correctly reports hosts within a subnet block
- Add nets_log() for nullzero
v1.2 Thu Sep 8 19:57:45 PDT 2011
- Query now correctly reports hosts within a subnet block.
v1.1 Fri Jul 1 15:02:06 PDT 2011
- Allow wider CIDR blocks to be dropped via new ipv4_maxwidth and
ipv6_maxwidth configuration options
v1.0 Wed May 18 13:45:50 PDT 2011
- cForce appliance
- Fix broccoli minimum version test
- Remove certificate scripts in favor of the new "does everything"
create-cert: ftp://ee.lbl.gov/create-cert.tar.gz
- Add comment flag (-c) to aclc
- Change default connect port based on use_ssl setting in broccoli.conf
- Move logs to /var/log/acld, run time files to /var/run/acld and
scripts to /usr/local/libexec
v0.4.7 Wed Aug 25 18:29:56 PDT 2010
- Turn off idle task check
v0.4.6 Fri Aug 6 10:58:06 PDT 2010
- Add missing -re's to cisco.expect
- Define u_int16_t when missing
v0.4.5 Thu Jul 1 18:12:19 PDT 2010
- Disable "idle failure" abort()
v0.4.4 Thu Jun 24 11:13:06 PDT 2010
- Change acl.exp to run hostname/whoami when we can't (cheaply)
get the USER/HOSTNAME from the environment
- Add acld_blockhosthost()/acld_restorehosthost() to acld.bro
- force10.expect: gracefully handle case when we only have one enable
password
- cisco.expect: updated to support modern IOS versions
- aclcompact.sh: use percentage instead of slots left and default to 50%
- autoconf improvements
v0.4.3 Thu Mar 11 20:34:35 PST 2010
- Abort if we haven't tried to run the idle tasks in a long time
- Rewrite nagios plugin, adding new features
- Fix Makefile.in to honor the CFLAGS environment variable when
configure is run
v0.4.2 Wed Feb 3 20:38:53 PST 2010
- Require SSL for broccoli connections
- Only try to open the broccoli port if it was configured
- Update help message to reflect currently implemented commands
- Check for network addresses in places where hosts are required
- Flush stdout in acl.exp so timing message doesn't commingle with
stderr messages
v0.4.1 Sat Jan 16 18:55:12 PST 2010
- Autoconf upgrades
- Don't bomb on attempt to limit an undefined ACL
- Check for limits on undefined ACLs
- Find default IPv4 or IPv6 ACL for permit UDP/TCP host+port ACLs
- Remove ACL if router command failed when the child includes details
- Fix permit UDP/TCP host+port bug; add missing return to switch case
- Fix initial acquisition of IPv6 ACLs; run childsendattr() before
childlistacl()
- Handle IPv6 issues caused when not using an IPv6 FTOS capable cam
profile
- Wait for prompt before returning errors when changing modes in FTOS
- Do a better job of keeping track of our current FTOS mode
- Keep better track of when we entered config mode
- Update realloc'ed pointer in suck2dot() in a possibly more portable
way
v0.4.0 Sat Jan 16 18:42:16 PST 2010
- Add support for IPv6 addresses
- Implement ACL group limits
- Enforce limits on ACL types other than the host types
- Make sure childinput() collects the comment/response before
finishing request
- Add -o logfile
- Check both addrs against whitelist for blockhosthost
- Avoid ssh login failure loops: use stricthostkeychecking=no
- Add nets_log() for addwhitelist/remwhitelist
- Implement batch file mode for aclc
- Fix silly string length restriction in aclc payload
- Fix select() race condition
v0.3.3 Sun Mar 22 20:48:29 PDT 2009
- Improve Broccoli connection code
- Fix bug in ipfw.expect version of printroute()
v0.3.2 Thu Mar 12 19:33:04 PDT 2009
- Remove adddefault/removedefault from various expect scripts
- Implement blockhosthost, droptcpdsthostport, permitudpdsthostport,
unpermitudpdsthostport, restorehosthost and restoretcpdsthostport
to ipfw.expect
v0.3.1 Fri Feb 13 21:45:57 PST 2009
- Implement blocknet
- Implement nullzero with network (address+mask)
- Impose maximum mask width of /24 on nullzero routes
- Eat blank lines when reading route list from router
- Fix blank line in query and querynullzero output
- Extend whitelist() to check for overlap between the test
addr/net and the whitelist addr/net
- All addresses/nets are eligible for null zero routes if there are
no configured nullzero nets (subject to maximum mask width and
whitelist checks)
v0.3 Fri Jan 16 13:19:00 PST 2009
- Add Bro Broccoli support (aka Broccolized acld)
- Add blockhosthost/restorehosthost
- Validate ports values fit in 16 bits
- If removing an ACL, check that its seq number is in the range
- Fix servermoveacl(): we need to know the ACL name when compacting ports
- Add permitipnethost, blockipnethost, permitudpdstnet, blockudpdstnet,
permittcpdstnet, blocktcpdstnet, permitudpnethostport,
blockudpnethostport, permittcpnethostport and blocktcpnethostport
- Update force10.expect to use ssh
v0.2 Tue Jun 10 18:15:41 PDT 2008
- Add whitelist.
- Add dynamic whitelist.
- Add nullzero, nonullzero, querynullzero and listroute.
- Add permittcpdsthostport and unpermittcpdsthostport.
- Compact port and permithostport sequence ranges.
- Fix buffer problems when there are a LOT of entries in an ACL.
- Change force10.expect to not generate an error when you call
listacl with an ACL that doesn't exist.
- Fix pty leak in ipfw.expect.
- Change acl.exp to report any error messages socket generates. Also,
capture dst port (and addr) for use in error messages.
- Change force10.expect to exit when the child goes away to force
a clean restart.
- Fix port byte order in connect log message.
- Add some statistics gathering.
- Upgrade to autoconf 2.61.
- Fix dynamic memory problems in acladdacl() and routeadd().
- Support various different versions of socket.
- Explicitly kill the child when we receive a TERM.
- Check the pidfile and don't start a new acld if we think one is
already running.
- Add code to reacquire route list when logging after the first time.
- Change order of actions in listroute to avoid a race if the route
list is short and the prompt comes quickly.
- Don't sleep for 600 seconds before listing routes.
- Ok to handle non-blocking client requests and drain client output
when not LOGGEDIN. In particular this allows the "state" command
to always work.
- Add optional ports with restricted capabilities, one for read/only
access and one for web registration clients.
- Store ACL counts as unsigned long longs.
- Validate flags to acl.exp. This lets us catch attempts to use batch
mode (-f) for commands that do not support it.
- Rename the ACL interface script "acl.exp". Display the package
version as part of the usage printout.
- Determine expect path for use with acl.exp.
- Add droptcpdsthostport and restoretcpdsthostport.
- Changed permit{udp,tcp}dsthostport to always use the default ACL.
- Fixed a bug when receiving client request before we're LOGGEDIN.
This would cause requests to stack up when first starting acld.
- Add querywhitelist.
- Fix dynamic memory bug related to the compact operation.
v0.1 Tue Jan 24 18:30:05 PST 2006
- Drain output to client before closing socket.
- Only sync when we're truly idle.
- After sync'ing, return to the mode we started in.
- Modify force10.expect to deal with old and new style of "sync"
dialogue
- Don't drop back to enable mode for "ayt"
- Rewrite force10.expect's entermode to use a table
- Timestamp debug printouts.
- Don't use "count" with force10 acls since only a few thousand
are supported.
- Add permitudphostsrcport, blockudphostsrcport, permittcphostsrcport,
and blocktcphostsrcport.
- Clear sp->reqclient in freeclient() to avoid problems when it's
non-null and there are no clients.
- Handle the extra \r's newer versions of the force10 FTOS insert.
- Add permitudpdsthost, blockudpdsthost, permittcpdsthost, blocktcpdsthost,
permitipdsthost, blockipdsthost, permiticmpdsthost, blockicmpdsthost,
permitipdstnet, blockipdstnet, permiticmpdstnet and blockicmpdstnet.
- Print out seq instead of type for ATYPE_UNKNOWN.
- Modify force10.expect to deal with old and new style of "sync"
dialogue.
- Change the last "timeouts" to exit instead of return so acld will
start a fresh expect session.
- Fix state bugs that caused "query" and "logout" to hang.
- Add maxseq.
- Handle "Access List is not in sync ..." message that occurs when
the cam table fills up on the force10.
- Pass through informational comments that the listacl expect script
might generate.
- Add stunnel example configs and installation instructions.
- Cleanup client input processing a bit.
- Detect non-numeric cookies.
- Pass NULL to extractaddr() if we don't have a 4th argument.
- Fix state setup so comments work.
- Changed -d to not force -f.
- Added incrseq.
- Change debugging timestamp to show microseconds (instead of hundredths).
- Rewrite client input processing.
- Save the raw text for unknown acls so we can print them in the
listacl output.
- Add compact.
- Implement dropudpport, droptcpport, restoreudpport and restoretcpport.
- Add a netsfac.
- Add user comment feature to acl.exp
- Fix issue with child extended response.
v0.0.1 Wed Dec 11 22:58:45 PST 2002
- Fix bug in client output drain loop that could cause a crash.
- Add -f flag (foreground).
- Exit with /bin/sh 128 + signal number status on TERM.
v0.0 Mon Dec 2 18:59:01 PST 2002
- Initial public release.