CHANGES
# -*- indented-text -*- #
This file is a history of changes made in each release.
Next:
----------------------------------------------------------------------------
V1.8, 22-NOV-2010
Bring OpenL2TP into line w.r.t. Debian lib/lib64 directory usage. The
Debian standard is that native packages always install to lib, not
lib64, even on 64-bit systems. For multiarch systems (32-bit and
64-bit versions on the same system), the 32-bit versions will live in
lib32. All of this would be handled by the distros package
installer. Fedora, however, uses lib64 in 64-bit systems, so OpenL2TP
now considers the distro type when it derives the lib64 path.
Always compile with -Wno-strict-aliasing to avoid strict aliasing
warnings using gcc-4.4 and newer. This was causing compile problems in
recent distro versions.
Improve the config file parser to allow numeric values where names are
expected, i.e. for numeric profile names, tunnel/session names
etc. Where a numeric string is desired, the value is specified in
quotes, e.g. "42". This fixes bugs 2988997 and 2960989.
Add support for non-ASCII usernames and passwords. These values may
now be specified using the same extended syntax as pppd supports,
where non-ASCII characters may be specified as \nnn or \xHH octal or
hex values.
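The escape syntax described above, worked through as an added example: this is not OpenL2TP's or pppd's parser, it is written here to show the decoding and its edge cases. It assumes the config file itself is ASCII, treats `\\` as a literal backslash (the entry names only the octal and hex forms), and rejects anything else after a backslash, including an octal value above 0377, instead of silently truncating it: a credential that decodes to something other than what the administrator wrote is worse than a parse error.

```python
import re

_HEX = re.compile(rb"[0-9A-Fa-f]{1,2}")
_OCT = re.compile(rb"[0-7]{1,3}")


def decode_secret(text: str) -> bytes:
    """Turn a username/password as written in the config file into the bytes
    handed to pppd.  Supported: \\nnn (1-3 octal digits), \\xHH (1-2 hex digits)
    and \\\\ for a literal backslash (the last is an assumption made here).
    Any other escape is an error rather than being passed on unchanged."""
    data = text.encode("ascii")             # the config file itself is ASCII
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] != 0x5C:                 # ordinary byte, copied as-is
            out.append(data[i])
            i += 1
            continue
        i += 1                              # skip the backslash
        if i >= len(data):
            raise ValueError("dangling backslash")
        if data[i] in b"xX":
            m = _HEX.match(data, i + 1)
            if not m:
                raise ValueError("\\x must be followed by 1-2 hex digits")
            out.append(int(m.group(), 16))
            i = m.end()
        elif data[i] in b"01234567":
            m = _OCT.match(data, i)         # always matches: data[i] is a digit
            value = int(m.group(), 8)
            if value > 0xFF:                # e.g. \777: refuse rather than truncate
                raise ValueError("octal escape exceeds one byte")
            out.append(value)
            i = m.end()
        elif data[i] == 0x5C:
            out.append(0x5C)
            i += 1
        else:
            raise ValueError(f"unknown escape \\{chr(data[i])}")
    return bytes(out)


def encode_secret(raw: bytes) -> str:
    """Inverse: write arbitrary bytes in the escaped form decode_secret() accepts.
    Only printable ASCII is left bare, so the result is safe in an ASCII file,
    and every escape is exactly three octal digits so a following digit in the
    secret cannot be absorbed into it."""
    parts = []
    for b in raw:
        if b == 0x5C:
            parts.append("\\\\")
        elif 0x20 <= b < 0x7F:
            parts.append(chr(b))
        else:
            parts.append(f"\\{b:03o}")
    return "".join(parts)
```

Because the decoder returns bytes, a UTF-8 username such as `j\303\274rgen` is passed to pppd as the peer will see it on the wire, without any assumption about the local locale; `encode_secret()` is the safe way to write a secret that contains backslashes or non-ASCII bytes back into the file.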
Fix a bug in pppd auth options, reported by Kevin Locke (bug
2981904). If a user set auth_mschapv2=yes in openl2tpd.conf,
refuse-mschap-v2 could be wrongly passed to pppd.
Fix a problem in the init script for Debian Squeeze, where a failed
modprobe would cause the script to exit. Fix provided by FrankL.
Import a patch from bircoph posted on forums.openl2tp.org to add name
resolution support for IP address parameters. This lets users specify
a name for IP addresses, which is resolved when the config is
applied. A caveat is that the address saved by "l2tp config save" or
displayed in the tunnel/session show commands will be the resolved IP
address, not the original name supplied by the user.
----------------------------------------------------------------------------
V1.7, 18-MAR-2010
This is the first release for a long time. The L2TP PPP plugins are
now integrated into ppp-2.4.5 so are no longer built and installed by
OpenL2TP by default. There are also some bugfixes and updates for
compatibility with latest distro versions.
The default PPP version is changed to ppp-2.4.5. If building from
source, use make PPP_VER=xxxx to override.
Fix build issues when using latest versions of popular
distros. Specifically, a #define created by the bison parser clashed
with a name used in a libc header file.
Use /dev/urandom to obtain random numbers, not /dev/random, since the
latter might cause openl2tpd to stall if the system's random entropy
is exhausted. This could have the effect of stalling openl2tpd when
lots of tunnels and sessions are used.
Fix a bug in the saving of ppp config options using the "config save"
command. The default_route setting is now saved.
Add new -P <pid-file> command line switch to openl2tpd, which can be
used to tell openl2tpd to use a specific pid filename instead of the
default /var/run/openl2tpd.pid. This is useful if running more than
one L2TP daemon on the same host using the network namespace support.
Fix ppp auth flag modify bugs, caused by wrong use of flags vs flags2
for some flag definitions. This broke several auth_xxx options in the
ppp profile.
Fix a bug reported by Sergei Zhirikov where OpenL2TP
removes an IPSec SPD entry that it doesn't add, namely
spddelete -4n xxx.xxx.xxx.xxx[1701] 0.0.0.0/0[any] udp -P out;
Define struct l2tp_control_hdr as a packed structure. On some
architectures (ARM), this is otherwise padded by the compiler and
results in L2TP packet parse errors. This problem was reported by
Change RPM packaging to use a separate openl2tp-ppp package for the
OpenL2TP pppd plugins. These are provided in ppp-2.4.5 or later, so
are no longer supplied in openl2tp packages. Users only need to load
the openl2tp-ppp package if using ppp-2.4.4 or earlier. On Fedora,
ppp-2.4.5-7 or later is needed since earlier versions do not contain
the L2TP plugins due to a packaging bug.
Update startup scripts to handle the module name change in new
versions of the kernel driver. The L2TP driver is being split into
several modules to support L2TPv3. When the new drivers are integrated
into the mainline kernel, "modprobe pppol2tp" will be replaced by
"modprobe l2tp_core l2tp_ppp".
Import a patch to fix Debian source build compatibility problem from
Stony, posted at http://forums.openl2tp.org/viewtopic.php?f=3&t=21
----------------------------------------------------------------------------
V1.6, 25-SEP-2008
Import a patch from Ben McKeegan which ensures that subprocesses don't
inherit opened file descriptors from openl2tpd. In some circumstances,
sockets would remain open until all spawned processes exited, which
led to some unusual effects. Specifically, for any given tunnel, so
long as any of the pppd processes that were forked while that tunnel
was up (including those on different tunnels) are still running or any
daemons started from their init scripts are running, the UDP socket is
never closed, even when openl2tp itself has long since closed the
socket and forgotten about it. This also fixes Bug #2056243 reported
by Ulrich Holeschak.
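An added example of the descriptor leak described above and of the fix for it; the code below is written for this page and is not the imported patch. It binds a UDP socket, spawns a helper process through exec() the way a daemon spawns pppd without closing its own descriptors, and reports whether the child can still use the socket with and without FD_CLOEXEC. The helper program is constructed for the example and the socket uses any free port, since UDP 1701 may not be available.

```python
import fcntl
import socket
import subprocess
import sys
from typing import Tuple

# Child program, constructed for this example: it is handed the parent's fd
# number and the port the parent bound, and exits 0 only if that fd is still
# open in the child and is the very same UDP socket (a reused fd number that
# now refers to something else is not counted as a leak).
_CHILD = """
import socket, sys
fd, port = int(sys.argv[1]), int(sys.argv[2])
try:
    s = socket.socket(fileno=fd)
    sys.exit(0 if s.getsockname()[1] == port else 1)
except OSError:
    sys.exit(1)
"""


def set_cloexec(fd: int, enabled: bool) -> None:
    """Set or clear FD_CLOEXEC, the flag that stops a descriptor surviving exec()."""
    flags = fcntl.fcntl(fd, fcntl.F_GETFD)
    flags = flags | fcntl.FD_CLOEXEC if enabled else flags & ~fcntl.FD_CLOEXEC
    fcntl.fcntl(fd, fcntl.F_SETFD, flags)


def child_sees_socket(fd: int, port: int) -> bool:
    """fork()/exec() a helper without closing any of the parent's descriptors;
    whether fd leaks into it is then decided by FD_CLOEXEC alone."""
    proc = subprocess.run([sys.executable, "-c", _CHILD, str(fd), str(port)],
                          close_fds=False)
    return proc.returncode == 0


def demo() -> Tuple[bool, bool]:
    """Return (leaks_without_cloexec, leaks_with_cloexec) for a tunnel-style UDP socket."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("", 0))                       # any free port stands in for UDP 1701
    fd, port = sock.fileno(), sock.getsockname()[1]
    try:
        set_cloexec(fd, False)               # the pre-1.6 state: inherited across exec()
        before = child_sees_socket(fd, port)
        set_cloexec(fd, True)                # the fix
        after = child_sees_socket(fd, port)
    finally:
        sock.close()
    return before, after


if __name__ == "__main__":
    leaked, fixed = demo()
    print(f"without FD_CLOEXEC the child still holds the socket: {leaked}")
    print(f"with FD_CLOEXEC the child still holds the socket:    {fixed}")
```

The first spawn is the failure mode from the entry: the parent can close() and forget the socket, but the port stays bound for as long as the child, or anything the child started, lives. Marking every listening and tunnel socket close-on-exec at creation (SOCK_CLOEXEC on socket(), or F_SETFD as here) fixes this for every future child without having to enumerate descriptors before each fork.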
Deprecate the l2tpconfig help command. The help command caused
l2tpconfig to hang but since it doesn't add any value over the man
page, let's deprecate it. This was first reported in Bug #1792299.
Fix compiler warnings in the pppd plugins.
Avoid linking openl2tpd/l2tpconfig against unnecessary libs (libnsl,
libncurses, librt).
Fix several problems with the Debian package to make it ready for
upstream submission. The Debian package now supports startup
configuration options in a similar way to the RPM packages. Unlike the
RPM packages, the Debian package automatically starts or stops
openl2tpd when the package is installed, as per Debian guidelines.
Split the RPC and header files out to a separate devel package; these
files only need to be installed by developers implementing OpenL2TP
plugins or applications that use the OpenL2TP APIs so they aren't
needed in standard installs.
Fix a bug that was introduced in v1.5 which broke the
inhibit_default_plugin flag. This flag is used by some test plugins to
inhibit the use of ppp_unix.so for testing.
----------------------------------------------------------------------------
V1.5, 16-AUG-2008
Fix ppp profile ppp authentication options which seem to have been
broken since 0.17. The auth_pap, auth_chap etc options should
translate into refuse-xxx options to pppd, but these pppd arguments
were not generated properly.
While testing an install for an ISP, it was found that pppd would
always offer EAP authentication when negotiating with its peer,
despite auth_eap=off being set in the ppp profile. It turns out that
some ppp peers (including Cisco!) drop the connection unless the peer
asks for exactly the same authentication method. Specifically, in
a Cisco, if CHAP is configured, it will drop the connection if the
peer suggests that it can do EAP. To configure pppd to force a
specific authentication method, one of pppd's require-xxx options must
be used. Until now, OpenL2TP had no interface to control pppd's
require-xxx auth options. With this release, if all but one of the ppp
profile's auth_xxx options is disabled, OpenL2TP will now
automatically add the require-xxx pppd auth option for the one auth
option that is enabled. For example, to configure CHAP only, set
auth_chap=yes auth_pap=no auth_mschapv1=no auth_mschapv2=no
auth_eap=no in the ppp profile. This will yield the following pppd
arguments: refuse-pap refuse-mschap refuse-mschap-v2 refuse-eap
require-chap.
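The flag-to-argument rule above as an added example, not the daemon's own code: a small profile object whose modify() touches only the flags named and whose pppd_auth_args() emits the refuse-xxx/require-xxx list. The class and method names and the default of every method being allowed are assumptions made here; the option names are pppd's own refuse-* and require-* options.

```python
from typing import Dict, List

# ppp profile flag -> pppd option stem.  The order matches the argument list in
# the entry above so the generated command line reads the same way.
AUTH_OPTIONS = [
    ("auth_pap", "pap"),
    ("auth_chap", "chap"),
    ("auth_mschapv1", "mschap"),
    ("auth_mschapv2", "mschap-v2"),
    ("auth_eap", "eap"),
]


class PppAuthProfile:
    """Stand-in for the authentication part of a ppp profile (example code, not
    OpenL2TP's data structure).  Every method starts out allowed; that default
    is an assumption made here so that modify() has something to work on."""

    def __init__(self, **flags: bool) -> None:
        self.auth: Dict[str, bool] = {name: True for name, _ in AUTH_OPTIONS}
        self.modify(**flags)

    def modify(self, **flags: bool) -> None:
        """Apply only the auth_xxx flags named; the others keep their current
        value, so changing flags one command at a time and all at once agree."""
        for name, value in flags.items():
            if name not in self.auth:
                raise ValueError(f"unknown ppp profile option {name}")
            self.auth[name] = bool(value)

    def pppd_auth_args(self) -> List[str]:
        """refuse-xxx for every disabled method; when exactly one method is
        left, require-xxx for it so pppd offers nothing else to the peer."""
        args = [f"refuse-{stem}" for name, stem in AUTH_OPTIONS if not self.auth[name]]
        enabled = [stem for name, stem in AUTH_OPTIONS if self.auth[name]]
        if len(enabled) == 1:
            args.append(f"require-{enabled[0]}")
        return args
```

With every method disabled the result is five refuse options and no require option; pppd will then fail authentication outright, which is the correct outcome for a misconfigured profile rather than something the mapping should paper over.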
Fixed a bug in the per-tunnel session limit handling. If configured
with a session limit (non-zero max_sessions value), the tunnel's
session count would be decremented twice if a session was cleaned up
as a result of reaching the session limit. As a result, the next
session would be successfully created, resulting in more sessions on
the tunnel than the user requested.
Improve session event generation such that session_down events are
generated only if the session_up event was previously generated and
session_deleted events are generated only if the session_created event
was previously generated. Previously, if a session never came up
successfully, a session_down and a session_deleted event was
generated. Anyone using custom openl2tp plugins which use the
session_down and session_deleted hooks should test their plugins after
taking this release.
Add a new event_sock plugin which exports a named pipe
/tmp/openl2tpd.evt for use by other processes. A process may listen on
the named pipe for event messages from openl2tpd which tell of session
up/down/created/deleted events. See doc/README.event_sock for details.
Change the loading of plugins to be done after the core application
init has completed. In previous versions, plugins were loaded during
command line argument parsing. This change allows plugins to use
openl2tpd internal APIs that would otherwise be uninitialised when
the plugin is loaded. The new event_sock plugin makes use of this to
register its file descriptor(s) with the application main loop.
----------------------------------------------------------------------------
V1.4, 27-MAY-2008
Fix a bug in the parsing of some parameters of config files. Previous
versions limited the characters that could be used in string values
such that parameters that were filenames containing the / character
led to parse errors. The parser is now more flexible about the
characters that it allows in string values.
Revert a change made in 1.0 to do with L2TP Hello message
generation. Prior to 1.0, we only sent Hello packets if no L2TP
control _or_ data packets passed over the tunnel during the Hello
timeout period, but this was changed to unconditionally send
Hellos. It turns out that the L2TPv3 spec (Openl2tp is currently
L2TPv2) specifies the behaviour that we had prior to 1.0. The new spec
says that the L2TPv2 spec was misinterpreted by several vendors and
explicitly calls out that all L2TP implementations should check for
both control and data activity before sending a Hello. This avoids
possible Hello timeouts when under extreme load conditions, where
Hello messages might be swamped by data traffic.
Don't create the tunnel PPPoX socket until the tunnel is up. (Session
PPPoX sockets are unchanged.) We previously created the tunnel socket
when the tunnel instance was created, before the peer tunnel id was
known. This change means that the actual peer tunnel id can be
passed down to the kernel when the connect() call is made.
Update the ipsec plugin to use absolute paths to the ipsec
utilities. This avoids problems when the server runs somewhere other
than / (typically when run in the foreground for debugging).
Change GNU-specific __FUNCTION__ strings in the source code to
__func__ since the former is now deprecated. This change does not
alter the generated code.
Change the structure of a struct l2tp_packet to store a struct iovec
in the structure rather than using our own struct
l2tp_packet_buffer. This avoids allocating a struct iovec when
building the struct msghdr for sendmsg() calls. It also avoids
converting from one struct format to another and is therefore more
efficient. There are no externally visible differences as a result of
this change.
Fix the no_ppp=yes parameter of session and session profiles. A change
in version 1.2 broke this feature such that sessions failed whenever
this parameter was set.
----------------------------------------------------------------------------
V1.3, 09-APR-2008
Update version number. We forgot to do so for the 1.2 release, so 1.2
claims it is 1.1!!
Fix a bug in the handling of the host_name AVP which would cause junk
characters on the end of the name, depending on the order of the AVPs
in the message. If this AVP is followed by an AVP with its Mandatory
bit set, the host_name string isn't null-terminated, so OpenL2TP
includes extra characters in the string. Since the host_name AVP can
be used by OpenL2TP to find a matching peer profile or to do simple
tunnel authentication, this was causing tunnel setup problems with
some vendor equipment (Huawei). This problem was reported by Keith
Tin.
Remove the validation checks on the M-bit of AVPs. The L2TP spec
specifies whether the M-bit should be set or clear for each AVP, so
OpenL2TP used to validate that and reject messages from peers that did
not conform to the spec. It has recently been found that Huawei L2TP
implementations set the M-bit incorrectly in some AVPs which caused
tunnel setup problems. But further research into L2TPv3 (which is not
yet supported by OpenL2TP) found that L2TPv3 _requires_ that L2TPv2
implementations do not validate AVP M-bit values against the L2TPv2
spec. So for L2TPv3 interoperability, this check has been removed.
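An added example, not OpenL2TP's code, covering the packed control header from the V1.7 entry and the two AVP points above. It packs and parses the fixed L2TPv2 control header with an explicit byte layout, slices every AVP value by the AVP's own length field so a Host Name is never read past its end, accepts a known AVP whatever its M bit says, and still rejects an unknown AVP that has the M bit set. The SCCRQ it parses is constructed inline, naive_host_name() is a reconstruction of the failure the V1.3 entry describes rather than the original code, and the set of "known" attribute types is deliberately tiny.

```python
import struct
from typing import Dict, List, Tuple

# RFC 2661 attribute types used below.  The sample message further down is
# constructed for this example and is not a capture from any real peer.
MESSAGE_TYPE = 0
HOST_NAME = 7
ASSIGNED_TUNNEL_ID = 9
KNOWN_AVPS = {MESSAGE_TYPE, HOST_NAME, ASSIGNED_TUNNEL_ID}

T_BIT, L_BIT, S_BIT, O_BIT = 0x8000, 0x4000, 0x0800, 0x0200


def build_avp(attr: int, value: bytes, mandatory: bool = True, vendor: int = 0) -> bytes:
    """Encode one AVP: M/H/Length word, Vendor ID, Attribute Type, then the value."""
    length = 6 + len(value)
    if length > 0x3FF:
        raise ValueError("AVP too long for the 10-bit length field")
    return struct.pack("!HHH", (0x8000 if mandatory else 0) | length, vendor, attr) + value


def build_control(tid: int, sid: int, ns: int, nr: int, avps: bytes) -> bytes:
    """Encode a control message.  The 12-byte header is laid out field by field,
    so no compiler padding can creep in (the point of the V1.7 packed struct)."""
    header = struct.pack("!HHHHHH", T_BIT | L_BIT | S_BIT | 2, 12 + len(avps), tid, sid, ns, nr)
    return header + avps


def parse_control_header(pkt: bytes) -> Tuple[Dict[str, int], bytes]:
    """Validate the fixed L2TPv2 control header and return (fields, AVP bytes)."""
    if len(pkt) < 12:
        raise ValueError("short control header")
    flags, length, tid, sid, ns, nr = struct.unpack("!HHHHHH", pkt[:12])
    if (flags & 0x000F) != 2:
        raise ValueError("not an L2TPv2 packet")
    if not flags & T_BIT:
        raise ValueError("T bit clear: data message, not control")
    if not (flags & L_BIT and flags & S_BIT) or flags & O_BIT:
        raise ValueError("control messages must set L and S and clear O")
    if length < 12 or length > len(pkt):
        raise ValueError("header length field disagrees with packet size")
    return {"tunnel_id": tid, "session_id": sid, "ns": ns, "nr": nr}, pkt[12:length]


def parse_avps(data: bytes) -> List[Dict[str, object]]:
    """Walk the AVP list.  Each value is sliced by the AVP's own length, so a
    string AVP never runs into its neighbour whether or not it is NUL-terminated.
    A known AVP is accepted whatever its M bit says (the V1.3 relaxation); an
    unknown AVP with M set still rejects the message, as RFC 2661 requires."""
    avps: List[Dict[str, object]] = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 6:
            raise ValueError("truncated AVP header")
        bits, vendor, attr = struct.unpack("!HHH", data[pos:pos + 6])
        length, mandatory, hidden = bits & 0x03FF, bool(bits & 0x8000), bool(bits & 0x4000)
        if length < 6 or pos + length > len(data):
            raise ValueError("AVP length outside the message")
        if hidden:
            raise ValueError("hidden AVPs need the tunnel secret; not handled here")
        if vendor == 0 and attr not in KNOWN_AVPS and mandatory:
            raise ValueError(f"unknown mandatory AVP {attr}")
        avps.append({"attr": attr, "vendor": vendor, "mandatory": mandatory,
                     "value": data[pos + 6:pos + length]})
        pos += length
    return avps


def host_name(avps: List[Dict[str, object]]) -> bytes:
    """The Host Name exactly as the peer sent it (bytes: no encoding is promised)."""
    for a in avps:
        if a["vendor"] == 0 and a["attr"] == HOST_NAME:
            return a["value"]
    raise ValueError("no Host Name AVP")


def naive_host_name(data: bytes) -> bytes:
    """Reconstruction of the pre-1.3 failure: reading the Host Name as a C string
    runs until the first NUL byte, which lies somewhere inside the next AVP."""
    pos = 0
    while pos + 6 <= len(data):
        bits, vendor, attr = struct.unpack("!HHH", data[pos:pos + 6])
        if vendor == 0 and attr == HOST_NAME:
            end = data.find(b"\x00", pos + 6)
            return data[pos + 6:end if end >= 0 else len(data)]
        pos += max(bits & 0x03FF, 6)
    raise ValueError("no Host Name AVP")


def sample_sccrq() -> bytes:
    """Constructed SCCRQ: a Host Name followed by a mandatory Assigned Tunnel ID."""
    avps = (build_avp(MESSAGE_TYPE, struct.pack("!H", 1))
            + build_avp(HOST_NAME, b"lns1")
            + build_avp(ASSIGNED_TUNNEL_ID, struct.pack("!H", 0x2A)))
    return build_control(0, 0, 0, 0, avps)
```

On the sample message the length-bounded parser returns b"lns1", while naive_host_name() returns b"lns1\x80\x08": the M bit and length byte of the following Assigned Tunnel ID AVP, exactly the "junk characters on the end of the name" whose presence depends on which AVP happens to come next. Anything that uses the name for peer-profile lookup or tunnel authentication must use the length-bounded value.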
Rewrite the pppd-to-openl2tpd interface to use regular Unix domain
sockets rather than RPC. This interface is used by pppd to tell
openl2tpd when the ppp interface comes up or goes down. While RPC is
good for the management interface where the command client and L2TP
server may run on machines with different architectures, the pppd
processes always run on the same CPU as openl2tpd, so the complexity
of RPC is overkill. Users won't see any behaviour change - things
should work exactly as before. Heavy users (ISPs) might notice some
performance improvement when setting up or tearing down thousands of
PPP sessions.
----------------------------------------------------------------------------
V1.2, 24-MAR-2008
Fix multilink PPP. This has been broken since 1.0, when the PPP setup
timer was introduced. The fix is to have the openl2tp pppd plugin send
an event to openl2tpd for every PPP interface in the multilink PPP
bundle, not just the first.
Fix a bug in the config file parser which failed to process the
default_route argument of ppp profiles. Any config file with this
option would fail to parse.
Fix the ppp dependency rule in the Debian control file to handle the
fact that Debian/Ubuntu use a suffix name in the ppp package version
which breaks our =2.4.4 dependency and prevents clean package install
on some systems. We now use a combined >=2.4.4 and <2.4.5 rule instead
of =2.4.4.
----------------------------------------------------------------------------
V1.1, 24-FEB-2008
Fix compiler optimisation issues when compiled with recent gcc-4.x
compilers. Modern gcc can aggressively reorder instructions and even
functions. In the case of USL list operations, this can cause code to
be executed the wrong side of list add/remove which results in
corrupted lists or timing issues. The problem can show itself by
openl2tpd hanging while walking lists, but other random crashes could
also occur. The fix is to use memory barriers in the low level USL
list operations.
Initialize the random seed using a value from /dev/urandom at startup
so that the assigned tunnel_id / session_id values have better
randomness. (We used to use /dev/urandom directly for all random ids
rather than libc's random() call but we switched to random() when it
was found that stress testing could cause reads to /dev/urandom to
block due to the system's entropy pool being exhausted in extreme load
conditions.) Using /dev/urandom to init the random seed is a good
compromise.
Fix pppd plugin to always call the ip up/down hooks to send status
back to openl2tpd, regardless of whether pppol2tp_ifname was
specified. Previously, the hooks were only needed when the interface
name wasn't specified because we used the event to discover the ppp
interface name in openl2tpd. But these hooks are now used to stop the
session's ppp setup timer so we always need them. This bug was
introduced in 1.0 and was reported by Iouri Kharon.
Minor improvements to debian startup script.
Apply several fixes from Ben McKeegan:
- Fix ppp_unix plugin to prevent "active pppd count gone negative" error
messages. This bug could cause the daemon to segfault when lots of PPP
sessions were present.
- Fix a bug in the transmit queue code which could crash the daemon if a
ZLB ever found its way onto the packet queue.
- Fix uninitialised variable bug in USL's child pid handling
code. This could cause an openl2tpd crash on a heavily loaded system.
- Fix a buffer overrun bug in the CLI code if l2tpconfig is connected
to a remote openl2tpd.
Fix errors found with valgrind:
- Incorrect checks for valid fd before close() calls in several places.
- Possible buffer overrun when storing result_code AVP data from peer.
- Fix uninitialised data errors in struct sockaddr structures. While
these specific valgrind errors are bogus, it is useful to fix the
code to get rid of the valgrind complaints.
Turn off compiler warnings when compiling rpcgen code.
----------------------------------------------------------------------------
V1.0, 11-FEB-2008
IMPORTANT: THIS RELEASE MUST BE USED WITH KERNEL 2.6.23.5 OR LATER
- Remove dependency on the kernel driver package (pppol2tp-kmod) which
has been integrated into the official kernel since 2.6.23.5.
- Add RPC TCP support. In versions before V1.0, the management API was
UDP only. While UDP is adequate for most environments, the option of
using TCP may be more appropriate in commercial installations. TCP
also has the advantage that RPC packets may be larger than 8K, which
avoids RPC errors in the l2tpconfig "list" commands when there are
so many items to list that 8K is not enough space. Select TCP using
the new "-t" argument to l2tpconfig. Note that this affects only the
management protocol between l2tpconfig and openl2tpd, it does not
change L2TP itself.
- Send L2TP Hello messages even if we have transmitted or received data
packets in the tunnel. The previous behaviour was to minimize Hello
messages, but other L2TP implementations send Hello regardless of
data traffic. So let's do the same.
- Fix endian issue with the src_ipaddr parameter of tunnel
profiles. This caused a bind() error and the tunnel setup
failed. The problem reported by Ben McKeegan.
- Fix a potential race condition which might cause openl2tpd to crash
if a tunnel is deleted when it contains sessions.
- If a session does not have a pppol2tp socket yet, don't throw a "bad
file descriptor" error when reading session status (e.g. l2tpconfig
session show command). Instead, show the session data with all PPP
data counters zero.
- When establishing PPP sessions using UNIX pppd, use a setup timer to
detect cases where pppd fails to signal its state to openl2tpd
properly when the system is under severe load conditions.
- Add a -y <limit> parameter to openl2tpd to configure a maximum ppp
setup rate. When starting or stopping pppd processes per session,
openl2tpd will limit the number of active processes to the specified
value. PPP processes are deemed active when they are trying to
connect to their peer, until the IP connection is made. This
parameter does not limit the total number of pppd processes - it
only limits the number of those processes that are created
simultaneously by openl2tpd. Use this option when starting openl2tpd
if the system becomes overloaded when lots of sessions are created
simultaneously, for example when persistent tunnels recover. Most
users are unlikely to need this option.
- Handle ERESTART error return from connect() and retry connect() calls
if EINTR or ERESTART is returned. This can happen when IPSec is used.
Previously we relied on the IP stack retry during IPSec tunnel setups.
- Change default PPP version to 2.4.4.
- Update debian package directory.
----------------------------------------------------------------------------
V0.19, 21-SEP-2007
IMPORTANT: THIS RELEASE MUST BE USED WITH KERNEL DRIVER 0.17 OR LATER
- Add new APIs to allow profile parameters to be unset (returned to
their default values). Parameters may be individually unset using
new "l2tpconfig xxx profile unset" commands. See updated l2tpconfig
man page for details. This feature was suggested by Tom Murphy.
- Improve internal PPP profile interface such that ppp profile
auth_xxx options are now completely independent. Previously,
changing or setting one auth flag of a ppp profile would cause the
system to behave as if all others had also been set but with default
values. This change should be invisible to users but it allows
individual auth options to be returned to their default values using
the new "unset" commands.
- Update man pages to include information about the new "profile
unset" commands.
- Change SOL_PPPOL2TP value for all kernel versions to the value now
assigned in the official kernel tree. Kernel driver 0.17 must be
used with this version of openl2tp. This change lets us release
openl2tpd ready for the official kernel driver which will appear in
the 2.6.23 kernel.
----------------------------------------------------------------------------
V0.18, 28-MAY-2007
IMPORTANT: There are RPC API changes in this release - rebuild and
install any applications that use the provided RPC API when installing
this OpenL2TP release. This version should be used with pppol2tp-kmod
0.16 or later.
- Change the way random tunnel and session id numbers are internally
generated. Previously, the Unix /dev/urandom device was used to
obtain N random bytes where the random data was randomised by system
entropy. One user reported that when creating hundreds of tunnels
very quickly, some tunnel setup failures would occur. This turned
out to be because there are too many random bytes being requested
from /dev/urandom by openl2tpd in rapid succession and it exhausted
the kernel's random number entropy pool. So use a software-generated
random number instead, because it doesn't use the entropy pool and is
good enough for use as a tunnel or session id. L2TP random
vectors for tunnel authentication will continue to use /dev/urandom
because they are longer sequences of bytes.
- Add new proxy_arp parameter to PPP profiles. If set, it causes the
"proxyarp" argument to be given to pppd.
- Remove the "use counter" field from tunnel, session and ppp
profile data. These were never used.
- Modify makefiles to make it possible to build OpenL2TP for in-tree
pppol2tp kernel driver. Some users prefer to apply the pppol2tp
driver kernel patch and build their own kernel.
- Apply distclean.patch from Chris Elston. This fixes the "make
distclean" target to remove all built files.
- Apply lib64 patch from Chris Elston. On x86_64 and probably other
64-bit architectures, installed libraries go in /usr/lib64, not
/usr/lib.
- Fix bugs in the inheritance of session and ppp profile names from
the tunnel and/or peer profiles for incoming sessions. Also add more
log messages to show which profile names are chosen.
- Fix a problem with the setting of some parameters of sessions from
the default session profile values. The connect_speed and
priv_group_id fields were not set from the default session profile.
Regression tests were very weak in this area, so fix them up too.
- Update debian package directory. Debian packages coming soon!
----------------------------------------------------------------------------
V0.17, 26-FEB-2007
- Add support for recreating sessions in persistent tunnels where the
tunnel stays up. Sessions now do their own persist retries, so if
one session goes down in a tunnel containing other sessions that
stay up, the downed session will retry without affecting other
sessions in the tunnel. This feature may be useful for ISPs who
have multiple sessions in a single tunnel.
- Add a new system parameter: session_persist_pend_timeout, which is
the number of seconds a session in a persistent tunnel will wait
before retrying to connect to the peer. Default is 60 seconds.
- Fix a silly debug bug which could cause garbage characters to be
printed in result code strings.
- Fix bug #1660686 - "server modify" command broken in l2tpconfig.
- Fix theoretical reference count bugs if errors occur while setting
up internal state for pppd contexts.
- Import a patch from Christian Wiese which
avoids generating bits_per_long.h by using a private h file and the
definitions of LONG_MAX/__WORDSIZE instead. This fixes compile
issues on systems without kernel sources installed since the
previous method used asm/types.h which is not an exported kernel
header.
----------------------------------------------------------------------------
V0.16, 06-JAN-2007
IMPORTANT: There are RPC API changes in this release - rebuild and
install any applications that use the provided RPC API when installing
this OpenL2TP release.
- Change the PPP interface naming convention to use regular pppN
interface names instead of l2tpXXXX-YYYY for L2TP sessions. This
change avoids confusing the standard PPP RADIUS plugin (and possibly
other ppp tools) which assumes that PPP interfaces are named either
/dev/ttySN or pppN. Since OpenL2TP no longer sets the ppp interface
name by default, a mechanism for it to discover the ppp-assigned
interface name is needed. So change the previously unused
l2tp_session_updown_ind API in OpenL2TP's event RPC interface to add
the PPP interface name to the parameter list. Change the openl2tp.so
PPP plugin to use the l2tp_session_updown_ind API to tell OpenL2TP
the PPP interface name. This name is stored in the session context
and can be viewed with the "session show" command. This allows pppd
to assign its own PPP interface names (ppp0, ppp1 etc) while giving
the L2TP administrator the ability to show the interface name for
each L2TP session. Note that specific interface names may be set if
the interface_name parameter is set in the session's
configuration. Note also that this feature means that there is an
extra RPC request from pppd to OpenL2TP per session. This may slow
down PPP session setup rates slightly.
- Provide pppol2tp_tunnel_id and pppol2tp_session_id arguments to pppd
when creating LAC sessions in order that the tunnel/session ids are
known for using the l2tp_session_updown_ind API. Previously only LNS
sessions were passed the tunnel/session ids.
- Change the pppol2tp.so pppd plugin to export hooks for notifying IP
up/down events. These hooks are used by the updated openl2tp.so pppd
plugin to notify openl2tpd of ppp interface status changes.
- Add a new API to obtain a list of current users (PPP sessions)
connected to OpenL2TP. Add a new "user list" command which displays
the tunnel/session id and session creation time with each PPP user
name.
- Change the firmware revision number to map the major OpenL2TP
version number in the top 8 bits and the minor version number in the
lower 8 bits. Previously only 4 bits were used for the major/minor
versions. This change allows version 0.16 to show as firmware
version 16 in the firmware_revision AVP, not 0...
- Add new optional modifiers to the "tunnel list" and "session list"
l2tpconfig commands:-
local_only - list only locally created tunnels/sessions
remote_only - list only remotely created tunnels/sessions
names - list only named tunnels/sessions
When one of the new modifiers is used, only the tunnel/session
ids/names are listed, thus making it easier to use the output in
scripts.
- Add tunnel_name and session_name arguments to l2tpconfig's "debug
show" and "debug modify" commands. This allows debug settings to be
displayed/modified using tunnel/session names. In previous versions,
only the tunnel/session ids could be used.
- Add a new l2tp_session_is_created_by_admin() API to allow OpenL2TP
plugins to determine if a session was created by a local
administrator.
- Fix Bug #1572094 (ppp profile modification of authentication
confusing). When the user specifies a subset of the auth_xxx=yes|no
options, leave the unspecified auth_xxx options unchanged. The
following command sequences are now equivalent:-
    a) ppp profile modify profile_name=1 auth_mschapv1=no auth_pap=no
    b) ppp profile modify profile_name=1 auth_mschapv1=no
       ppp profile modify profile_name=1 auth_pap=no
- Add a new "auth_peer" parameter in the PPP profile. This is used to
tell PPP sessions configured via the profile to require the peer to
authenticate. This parameter defaults to ON for incoming sessions
(servers) and OFF for outgoing sessions (clients) and is analogous
to pppd's "auth" option. In previous versions, the "auth" option was
derived from the settings of other authentication options, which
wasn't always appropriate.
- RPC errors in the pppd plugin when pppd sends information to
OpenL2TP now cause pppd to exit with a fatal error, closing the
session. Such errors previously only caused a debug message to be
logged, resulting in inconsistent state in openl2tpd.
- Fix a small memory leak per session where the stored create time
string was not freed.
- Change the parsing of trace_flags= parameters to allow flags to be
specified as a comma-separated list of trace options, e.g.
    tunnel profile modify profile_name=default \
        trace_flags=fsm,protocol,avp
A decimal or hexadecimal integer may also be specified for backwards
compatibility.
- In openl2tpd, change the parsing of the debug flags (the -d
argument) to accept a comma-separated list of debug categories. In
previous versions, a colon-separated list was accepted, though this
was undocumented.
- Change the "debug modify" command to allow debug flags to be
incrementally modified. Previous versions used the list of debug
options given on the command line to build a complete trace_flags
value, so for example
    debug modify tunnel_name=one protocol=yes fsm=no
would yield trace_flags=PROTOCOL regardless of the previous
value. Now the command changes only the PROTOCOL and FSM debug
settings, leaving other trace options unchanged. This change required
the addition of a new trace_flags_mask field in all RPC
interfaces. Details in the l2tpconfig man page.
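The two parsing changes above (trace_flags= as a comma-separated list of names or, for backwards compatibility, a decimal/hex integer) and the incremental "debug modify" semantics, which apply the same leave-unspecified-options-alone rule as the auth_xxx fix for Bug #1572094, as an added worked example in C. This is not OpenL2TP's own code: the bit values, option names and function names (parse_trace_flags, trace_update_set, trace_apply) are assumptions made for the illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical trace bits; OpenL2TP's real values are not given on this page. */
enum { TRACE_FSM = 1u << 0, TRACE_PROTOCOL = 1u << 1, TRACE_AVP = 1u << 2 };

static const struct { const char *name; uint32_t bit; } trace_names[] = {
    { "fsm", TRACE_FSM }, { "protocol", TRACE_PROTOCOL }, { "avp", TRACE_AVP },
};

/* Look up one option name of length len; returns its bit, or 0 if unknown. */
static uint32_t trace_bit(const char *name, size_t len)
{
    size_t i;
    for (i = 0; i < sizeof(trace_names) / sizeof(trace_names[0]); i++)
        if (strlen(trace_names[i].name) == len &&
            memcmp(trace_names[i].name, name, len) == 0)
            return trace_names[i].bit;
    return 0;
}

/* Parse a trace_flags= value: "fsm,protocol,avp", or for backwards
 * compatibility a decimal or 0x-prefixed hex integer.
 * Returns 0 with the bits in *out, or -1 on an unknown name or bad number. */
int parse_trace_flags(const char *text, uint32_t *out)
{
    uint32_t flags = 0;
    const char *p = text;

    if (text == NULL || *text == '\0')
        return -1;
    if (isdigit((unsigned char)*text)) {
        char *end;
        unsigned long v;
        errno = 0;
        v = strtoul(text, &end, 0);          /* base 0: "16" or "0x10" */
        if (errno != 0 || *end != '\0' || v > 0xFFFFFFFFul)
            return -1;                       /* reject trailing junk/overflow */
        *out = (uint32_t)v;
        return 0;
    }
    while (*p != '\0') {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        uint32_t bit = trace_bit(p, len);     /* 0 for "" or an unknown name */
        if (bit == 0)
            return -1;
        flags |= bit;
        p = comma ? comma + 1 : p + len;
    }
    *out = flags;
    return 0;
}

/* Incremental "debug modify": each name=yes|no on the command line sets a
 * bit in mask and its value in flags; apply touches only the masked bits. */
struct trace_update { uint32_t flags; uint32_t mask; };

int trace_update_set(struct trace_update *u, const char *name, int enable)
{
    uint32_t bit = trace_bit(name, strlen(name));
    if (bit == 0)
        return -1;                             /* unknown option name */
    u->mask |= bit;
    u->flags = enable ? (u->flags | bit) : (u->flags & ~bit);
    return 0;
}

uint32_t trace_apply(uint32_t current, const struct trace_update *u)
{
    return (current & ~u->mask) | (u->flags & u->mask);
}

/* The changelog's case: a tunnel tracing fsm and avp, then
 * "debug modify ... protocol=yes fsm=no". Returns the resulting flags. */
uint32_t modify_example(void)
{
    struct trace_update u = { 0, 0 };
    trace_update_set(&u, "protocol", 1);
    trace_update_set(&u, "fsm", 0);
    return trace_apply(TRACE_FSM | TRACE_AVP, &u);  /* avp stays set */
}

/* Parsed bits, or UINT32_MAX on error (handy for checks and tests). */
uint32_t parse_or_error(const char *text)
{
    uint32_t f;
    return parse_trace_flags(text, &f) == 0 ? f : UINT32_MAX;
}

int main(void)
{
    printf("fsm,protocol,avp -> 0x%x\n", (unsigned)parse_or_error("fsm,protocol,avp"));
    printf("0x3 -> 0x%x\n", (unsigned)parse_or_error("0x3"));
    printf("after modify -> 0x%x\n", (unsigned)modify_example());
    return 0;
}
```

With the old build-a-whole-value behaviour, modify_example would have returned TRACE_PROTOCOL alone; with the (flags, mask) pair it returns TRACE_PROTOCOL | TRACE_AVP, since avp was never named on the command line. The integer branch deliberately rejects trailing characters and out-of-range values instead of silently truncating them, which is the check a configuration parser should make before the value reaches an RPC interface.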
- Fix Bug #1627955, reported by Eddie Chapman - can't modify
framing_type and bearer_type parameters in session profiles. Code
was missing to do this, as well as test cases in the automated
regression tests!
- Fix Bug #1627958, reported by Eddie Chapman - tunnel/session ids
sometimes shown as negative numbers. This is a Day-1 bug but it
doesn't show up in most environments. It seems some versions of
gcc fix up the issue. Fix the code anyway.
- Fix Bug #1627962, can't control pppd's "nodefaultroute" option through
ppp profiles. The behaviour of the existing "default_route="
parameter has been changed. Previously, if set to "no", OpenL2TP
would simply revert to default settings by not sending the pppd
"defaultroute" option. Now, it sends "nodefaultroute" or
"defaultroute" explicitly.
- Fix issues in many commands where string parameters would display as
"(null)" if set to the empty string using l2tpconfig commands, e.g.
    ppp profile modify profile_name=default radius_hint=
- Fix a bug in l2tpconfig's "ppp profile create" and "ppp profile
modify" which would cause unspecified behaviour if more than 50
parameters were specified with a single command.
- Add new local_name and remote_name parameters to ppp profiles. If
supplied, these names are passed to pppd using its "name" and
"remotename" options.
- Update man pages.
- Update copyright notices for 2007.
----------------------------------------------------------------------------
V0.15, 22-DEC-2006
- Fix bugs in persistent tunnel handling reported by Mac Lin
([email protected]). Previous versions had problems with recreating
sessions in persistent tunnels when connected to a Microsoft XP L2TP
server. This was a Day-1 bug in OpenL2TP which didn't show up when
testing with Cisco because, unlike Windows XP, Cisco automatically
closes a tunnel when the last session in that tunnel closes.
- Fix tunnel reference count issues when using persistent tunnels
which could leave stale tunnel pointers around and might lead to
an openl2tpd program exception. Such failures could be induced by
deleting a persistent tunnel while it was in certain states. There
were also problems deleting persistent tunnels if they had made one
or more reconnect attempts. These are also now fixed.
- Add a new RETRY virtual state in the tunnel state machine to make it
easier to see when persistent tunnels are waiting to retry
connecting to their peer. The l2tpconfig "tunnel list" and "tunnel
show" commands will show tunnels in RETRY state instead of CLOSING
state when they are waiting on tunnel_persist_pend_timeout.
- Add more debug trace into ppp_unix's create/delete handlers.
- Apply pppd's "nomp noendpoint" args unless multilink is enabled in
the PPP profile. This prevents multilink PPP being used unless the
user specifically requests it.
- Prevent the ppp_unix.so plugin being loaded twice if openl2tpd is
started with args "-p ppp_unix.so".
- Remove the ppp_headers directory now that distros include the
correct PPP package headers. If this breaks builds on older distros,
install PPP sources and point OpenL2TP at them using make
PPPD_SRCDIR=<ppp-source-dir> PPPD_LIBDIR=<ppp-lib-dir>.
- Update Debian package data files. This is work in progress. Debian
packages are planned for future releases.
----------------------------------------------------------------------------
V0.14, 2-DEC-2006
This release adds support for IPSEC when using ephemeral
ports. Special thanks to Michal Ruzicka ([email protected])
for submitting patches and helping to test this feature.
Note: OpenL2TP plugin global symbols have been renamed. Any third
party plugins must be modified and recompiled to work with this
version. Details below.
- Fix an issue with SCCRQ handling from clients not using ephemeral
source ports (like Windows XP) for a specific tunnel setup failure
case. A problem could occur when OpenL2TP's SCCRP is not received by
the client. The client would resend its SCCRQ. OpenL2TP would treat
the SCCRQ retries from the client as new tunnel setup requests. This
would result in a tunnel context being created per SCCRQ retry, each
of which would eventually time out.
- Add hook to notify plugins of tunnel socket close. This will be
useful to cleanup socket-specific setup.
- Change the prototype of the socket connect hook (which was added in
0.13) to include the file descriptor. This allows the plugin to do
additional operations on the file descriptor.
- Add l2tp_tunnel_is_created_by_admin() public function to allow
plugins to determine if a tunnel was created by local admin.
- Include a patch from Michal Ruzicka to change the conditions on
which a Hello message is sent to the peer such that transmitted data
packets do not cause the Hello transmit timer to be restarted. In
other words, Hello messages are transmitted when the control
connection is idle and when data packets are not being received from
the peer.
- Have openl2tpd record each loaded plugin in order that it can call
each plugin's cleanup routine when the daemon exits.
- Rename OpenL2TP plugin global symbols from l2tp_plugin_* to
openl2tp_plugin_* to avoid namespace collision with functions in the
internal plugin support code. Third party OpenL2TP plugins must be
modified to use openl2tp_plugin_* in order to work with this
OpenL2TP version.
- Change the rules for when to load the ppp_unix plugin by
default. Previous behaviour was that if any plugin was loaded, ppp_unix
was not loaded. Change it such that plugins that want to take over
from ppp_unix (i.e. when ppp_unix should not be loaded) must set a
new variable in their openl2tp_plugin_init(), namely
l2tp_inhibit_default_plugin. This allows plugins unrelated to
ppp_unix to be loaded without implicitly disabling ppp_unix.
- Add new OpenL2TP plugin for IPSEC support using racoon. When this
plugin is used, OpenL2TP manipulates SPD entries to setup dynamic
IPSEC policies for tunnels. This allows ephemeral ports to be used
for L2TP/IPSEC tunnels, allowing OpenL2TP to serve multiple
L2TP/IPSEC clients behind a NAT gateway. To use OpenL2TP with
racoon, add "-p ipsec.so" to openl2tpd's startup arguments. This
plugin requires the setkey utility from ipsec-tools to be
installed. Racoon should be configured with policies for the L2TP
UDP port (1701) for both in and out directions.
- Add ipsec subdirectory, containing several patches for racoon and
the kernel in order to support multiple L2TP/IPSEC clients behind a
NAT gateway. This work was contributed by Michal Ruzicka. See
ipsec/README for more information.
- Add version info to the startup message of openl2tpd.
----------------------------------------------------------------------------
V0.13, 10-OCT-2006
- Import patch from Chris Elston to fix a bug in l2tpconfig where
session configs were not saved with their username/password
parameters. This prevented sessions being recreated when the saved
config was replayed. [Bug 1572083]
- Use 1M as the default value for the CONNECT_SPEED AVP. Some L2TP
implementations (DrayTek) refuse to set up L2TP sessions when this
AVP is received with value 0. [Bug 1572085]
- Add new hooks to allow OpenL2TP plugins to track network socket
usage (i.e. IP address and UDP port).
- Fix compiler warnings with earlier gcc versions (gcc-3.2.3). These
were missed when compile optimization was enabled in V0.11.
- Reduce compile optimization flags from -O2 to -O to workaround
compiler optimization issues causing application hangs in non-debug
builds on some platforms.
- Don't disable SIGTERM or SIGQUIT signals in l2tpconfig application.
- Fix a bug in l2tpconfig CLI app to allow the following parameters to
be modified in session profiles: session_type, priv_group_id,
framing_type, bearer_type, minimum_bps, maximum_bps, connect_speed
- Enable the -D switch for non-debug builds. It is useful because it
sets the default trace flags of tunnels and sessions for debugging
problems. When -D is used, openl2tpd's log level is also set to
LOG_DEBUG.
- Fix a minor bug which meant that a debug message about "dropping
non-SCCRQ messages when only SCCRQ is expected" was not output.
- Update the UserSpace Library (USL) package to version 0.4. See
usl/CHANGES.
----------------------------------------------------------------------------
V0.12, 17-SEP-2006
IMPORTANT: There are RPC API changes in this release - rebuild and
install any applications that use the provided RPC API when installing
this OpenL2TP release.
- Fix a problem reported by Tom Murphy in ppp profile use_radius=no
and default_route=no parameter handling, where OpenL2TP would treat
those parameters as being set if they were ever specified by the
user, even if set to NO.
- Fix a bug reported by Bob Finch in l2tpconfig's "config
save/restore" command where the tunnel persist pending timeout
parameter was not saved or restored.
- Change "config save" command to consistently save boolean parameters
using yes/no values rather than 1/0.
- Change l2tpconfig to accept an optional leading 0x prefix when
specifying hex buffers for parameters such as PPP challenge/response
data.
- Add compile-time options to allow features such as LNS support, LAC
support, RPC management and which of the 4 session types to be
compiled in or out. By default, all features except the local config
file and status files (described below) are enabled. For details,
see INSTALL. The "system show version" command will list all
compiled-in features.
- Add a new feature in openl2tpd to support a local config file which
is read at startup. The file is re-read if openl2tpd receives a
SIGHUP signal. This feature is intended for use in environments that
do not have RPC available since l2tpconfig's "config restore"
command is typically used. If the feature is enabled, a "-c"
command-line switch allows a file other than /etc/openl2tpd.conf
(the default) to be used. This file should contain
system/profile/tunnel/session create/modify commands with the same
syntax as files written by the "config save" command.
- Add a new feature in openl2tpd to support local status files under
/var/run/openl2tpd/ which show status information from the
daemon. Each profile, peer, tunnel and session has a file under this
directory, whose contents show configuration and status
information. This feature is intended for use in environments that
do not have RPC available. There is some processing overhead since
the files are written when contexts are created, modified or
deleted. All of this information is available using the l2tpconfig
command line utility or RPC, hence it is not enabled by default.
- Split the pppd pppol2tp plugin into two, separating out the OpenL2TP
part (which uses RPC to send events to openl2tpd) into a separate
plugin. This makes it easier to use the pppol2tp plugin with other
L2TP daemons. Build the openl2tp plugin only if the RPC management
feature is enabled. OpenL2TP will only try to use its plugin if it
is built with RPC management support enabled.
- Add more checks for compatible/supported/enabled session types when
creating new sessions. Send a CDN message to peer if session setup
fails early (before session context is created). This makes it
easier to see why sessions fail to create at the L2TP protocol level.
- Add hooks for profile create/modify/delete for plugin use. Also add
peer create/delete hooks. Suggested by Bob Finch.
- Add an optional parameter to tunnel and session delete APIs to allow
caller to give a reason string. If supplied, the reason string is
sent in the L2TP tunnel/session close request to the L2TP peer. If
this parameter is not specified, behaviour will be the same as
previous releases - OpenL2TP will indicate that the reason that the
tunnel or session is being deleted is "Administrative request".
- Add no_ppp parameter to session and session profile to allow
sessions to be created without PPP. Default is NO (create with ppp).
----------------------------------------------------------------------------
V0.11, 26-AUG-2006
- Patches from Michal Ruzicka <[email protected]> to fix segfaults
which could occur when handling certain error conditions while setting
up tunnels and sessions.
- Separate out the kernel PPPoL2TP module from the main OpenL2TP
release. This is done to make it easier to release binary packages
(RPMs etc) since we don't want to rebuild OpenL2TP application code
for every kernel version used by the distros. The OpenL2TP module
now requires the pppol2tp-kmod package to be built and installed
before OpenL2TP will build or install.
- Add a kernel patch for 2.6.17 kernels.
- Compile with optimisation enabled unless debugging.
- Add RedHat/Fedora init scripts with chkconfig support. Have the init
script automatically load the kernel driver module and play back
saved configuration (if configured to do so). See the INSTALL file
for instructions.
- Add RPMs for Fedora Core 5 with instructions to allow others to
build binary packages for other systems.
----------------------------------------------------------------------------
V0.10, 06-MAY-2006
- Add support for 2.6 kernels up to 2.6.16. Fix SMP issues in pppol2tp
kernel module. Due to several changes in the 2.6 kernel, conditional
compilation to handle specific kernel versions is required. Separate
kernel patches provided for 2.6.8.1 through 2.6.16.
- Improve kernel module builds for 2.6 kernels, making it much easier
for common-case where the code is compiled and installed on the same
Linux host. This will also make it much easier to produce binary
packages.
- Handle hostnames longer than 32 chars. If hostnames are longer,
openl2tpd would fail to start!
- Add MIPS architecture support (big and little endian).
- Fix rpcgen segfaults at compile time on some platforms. This turned
out to be caused by the definition of SESSION_INCALL_IND API in the
RPC protocol definition file which is not yet supported anyway,
hence it was safe to redefine the API to avoid the rpcgen
problem. Remove rpcgen sources from the distribution.
- Patch from Alvin Starr <[email protected]> for PPP multilink
support. Includes new "multilink" parameter in ppp
profile. Controlled by new CLI "multilink" parameter for ppp
profiles.
- Minor tweaks to makefiles, allowing daemon and application to be built
separately. This allows for configs where control app is not running
on the same system as the daemon.
----------------------------------------------------------------------------
V0.9, 10-SEP-2005
Key changes are to fix build problems with newer distros. Also,
OpenL2TP now uses an official RPC program ID obtained from Sun
Microsystems. Major bugfixes for problems found during interoperability
testing.
- Avoid use of Linux __u8, __u16, __u32 types; use standard uintN_t
types instead. This change is required because newer glibc header
files warn when some newer Linux kernel headers are included by
application code.
- Fix compile errors in newer distributions (Suse 9.1, FC2+, RHEL3)
caused by including asm/byteorder.h instead of endian.h. For kernel
module builds, let the compiler use include files from the standard
compiler areas.
- Fix pppol2tp kernel driver module load problems. Change the
ip_[gs]setsockopt() calls to use udp_prot.[gs]setsockopt() instead.
- Fix pppol2tp kernel driver "source route failed" errors which
occurred at random in LNS configurations where data traffic was
forwarded through the LNS rather than being locally terminated.
- Fix 2.6 kernel driver for 2.6.10 and later kernels. Core kernel PPP
code has seen significant changes from 2.6.10 through 2.6.12.
- Use ppp-2.4.3 by default.
- Change default PPP interface names from l2tp<tid>/<sid> to
l2tp<tid>-<sid> where tid and sid are the L2TP tunnel id and session
id. This change is needed because 2.6 kernels now prevent the '/'
character being used in interface names.
- Change RPC interfaces to use the recently registered official RPC
program numbers rather than numbers in Sun's "experimental" range.
Be sure to upgrade client (management) apps in sync with openl2tpd
and ippoold (if used).
- Add PPC architecture support. Minimal changes needed in kernel
module makefile. Support for MIPS is planned before 1.0.
- Add default_route parameter to PPP profile. This tells the system to
make a PPP link of an L2TP session the default route. Add ppp
profile default_route=yes|no command.
- Fix a bug where primary DNS server configuration in a PPP profile
was setting the PPP WINS server address, not DNS server address.
- Patch from Cleber Rodrigues <[email protected]
- Fix default pppd location to use relative path usr/sbin/pppd rather
than absolute path.