@(#) $Id$ (LBL)

v3.5.3 Sat Dec 20 09:59:43 PST 2025

 - /bin/sh script cleanup

v3.5.2 Thu Aug  1 14:52:31 PDT 2024

 - Switch check_acld_pair from netaddr to ipaddress.

v3.5.1 Mon Feb 26 12:41:18 PST 2024

 - Concessions to new super-strict prototype declarations with clang
   17 (FreeBSD 13.3)

v3.5 Tue Feb  6 14:20:28 PST 2024

 - Implement acl-script -n for "drop"

 - Always allow 127/8 (or subparts) to be whitelisted.

 - Added blockmac, restoremac, querymac, and listmac.

 - Added addmacwhitelist, remmacwhitelist, querymacwhitelist, and
   macwhitelist.

 - Add support for multiple acld instances to the rc.d script.

 - Fix FreeBSD rc.d script to require netif so that disc0 (when
   used) will exist.

 - Fix off-by-one problem in ioappendvfmt() that could cause a hard
   loop.

 - Implement nullzero for arbitrary cidrs.

 - Upgrade to autoconf 2.71.

 - Add acl-script -r RATE.

 - Remove unconditional FreeBSD configure mandir hack.

v3.4 Thu Dec 31 13:32:12 PST 2020

 - Fix build with --disable-corsa

 - Change FreeBSD rc.d script to start before quagga, bird, and bird6.

 - Speed up the check_acld_pair nagios plugin by querying a batch
   of targets instead of one at a time. Properly report file I/O
   errors in readfiles().

 - Add the check_nullzero_routes nagios plugin.

 - Add corsalog.

 - Break replicant nullzero ties and accurately set REFLAG_IGNORE.

 - Add configure support for tcmalloc.

 - Add optional filename to the acl statement. This can be used to
   initialize operating system firewall state on bootup.

v3.3 Fri Dec 13 16:51:20 PST 2019

 - Clear per child state in corsavalidate() on error.

 - Modify ioconsolidate() to work with more than two payload lines.

 - Add filter support to check_acld_pair via a new -f flag that
   provides addresses in files. Add a test for addresses that are
   inconsistent: present on one blocking device but not the other.

v3.2 Mon Aug 26 17:07:53 PDT 2019

 - Manage multiple Corsas.

 - Add the replicant primary keyword that designates an acld as the
   primary and causes the replicate acld to steer persistent clients
   to the primary.

 - py-acld fixes: Catch connection errors, correctly detect connection
   and prefer the first configured server.

 - Fix acld python module to correctly return "connection refused"
   when there is a single server that is not listening on the port.

 - Don't sleep() if there is a connect error and only one server.

 - Fix check_acld to correctly identify the ACL percentage type.

 - Fix checklimits() to use total number of ACLs when checking maxlen.

 - Fix stats hiwater bug that would cause us to lose track if no
   calls to stats_sethiwater() were made in a long time.

 - Return reasonable answers when not configured to have Corsas.

 - Fix conditions when corsaprocess() can call corsasend() and
   assertions corsasend() makes.

 - Fix broken filter add rate stats.

v3.1 Tue Mar 12 19:20:44 PDT 2019

 - Update py-acld module and nagios plugins to Python 3.

 - Keep track of when we started and report as "epoc" via the state
   report.

 - Import new acl-script python script.

 - Fix Corsa file descriptor leak.

 - Report when we don't receive Corsa load averages.

 - Fix bug that prevented child2settimeout() from returning a lower
   number of select seconds.

 - Clean up server-initiated Corsa "ayt" request when completed or
   else client requests stop working.

 - Allow prefix lists to contain cidrs.

v3.0 Wed Nov 21 18:22:32 PST 2018

 - Add native Corsa GigaFilter support (filter, nofilter and queryfilter).

 - Add (junoscript) prefix, noprefix and listprefix.

 - Fix bug where a failed replicant command would not be detected
   if there was a comment/response.

v2.3.3 Mon Apr 23 18:21:22 PDT 2018

 - Teach check_acld about tcpsynport

v2.3.2 Fri Apr 20 08:49:03 PDT 2018

 - Remove debugging syslog calls from new FreeBSD sysctl code.

v2.3.1 Wed Apr 18 14:06:10 PDT 2018

 - Update nullzero-restart to handle gzip'ed syslog files.

v2.3 Sat Apr 14 10:48:28 PDT 2018

 - Add support for udp/tcp syn ports to check_acld_pair.

v2.2 Thu Apr 12 13:13:18 PDT 2018

 - Add support for FreeBSD 11 routes.

 - Clean up state when multiball enabled requests fail (for example
   junoscript ACL changes).

 - Compile with -Wno-unused-const-variable when using -Wall.

v2.1 Sat Sep 30 14:00:38 PDT 2017

 - Add logic to timeout FreeBSD routing socket reads.

 - Rewrite resolvenullzero() in check_acld_pair.py to actually work.

 - Add -W (whitelist check) to check_acld_pair.

 - Fix acld.open() to return an error if we failed to create a connection.

 - Use prefix lists instead of individual firewall terms (Junoscript).

 - Defer commit until we've processed all pending requests (Junoscript).

 - Add support for multiple port and host port exceptions per commit.

 - Add local copy of strlcpy.c for use on glib based systems.

 - Change nullzero and acl add rate calculation to not include
  transactions that fail due to the whitelist or succeed because
  they are already in place.

 - Add configure support for -pg profiling.

 - Flag requests that are multiball so that we can know later which
  can be completed when the child finishes.

 - IN_SEQRANGE() and related macros should return true when no
  sequence range is defined (i.e. c_lowseq == c_highseq).

 - Remove broccoli support.

 - Added blocktcpsynport.

 - Change logging level from LOG_DEBUG to LOG_INFO in nets_log().

 - Update acld.open() to accept a list of address/port pairs and
  return the first server that connects.

 - Don't leak a socket on each call to junoscriptlogin().

v2.0 Tue Feb  9 17:22:19 PST 2016

 - Add FreeBSD routes feature.

 - Add native Junoscript support.

 - Add replicant feature; acls, nullzero routes and whitelist
  exceptions are supported.

 - Add configure support for electric fence.

 - Raise timeout in cisco.expect from 10 to 30 and eat completely
  blank lines in listacl().

 - Zero acl combined limit counter and fix problem that occurred when
   the child exited and logged in again.

 - Always clear sentlistacl in acllistsfree() or else we won't list
  all acl lists when the child exits and restarts.

 - Don't listen for IPv6 connections unless bindaddr6 is specified.

 - Remove auto restart logic from FreeBSD rc.d script.

 - Improve handling of IPv6 routes in ipfw.expect.

 - Rewrite dynarray().

 - Add "device" keyword that appears in the NETS syslog.

 - Fix replicant comment crash.

 - Add pf.expect (FreeBSD pfctl expect).

 - Rewrite ipfwe.expect (FreeBSD ipfw expect) to keep a persistent
  /bin/sh (like pf.expect) to avoid expect spawn races.

 - Add f_childconnect child hook for control methods that need to
  wait for a socket connect() before logging in.

 - Add junoscriptconnect().

 - Allow whitelist and FreeBSD route requests to be processed when
   we're not logged into the router.

 - Timeout client requests when we're waiting to login to the router.

 - Add nets_log() for all failures resulting from addresses being
  on the whitelist.

 - Add an acld python module.

 - Change the check_acld nagios plugin to use the acld module and
  talk directly to acld instead of forking a process and using
  acl.exp.

 - Add the check_acld_pair nagios plugin.

 - Use non-blocking I/O for listen sockets.

 - Add port block parity check (-P) to the check_acld nagios plugin.

 - Add error.expect (like debug.expect but returns error for most
  actions).

v1.15 Thu Feb 28 23:22:01 PST 2013

 - Increase listen backlog from 16 to SOMAXCONN (128 on FreeBSD).

 - Handle "Address out of range" nullzero multicast error in
  force10.expect.

 - Add bindaddr6 so we can listen to both IPv4 and IPv6

 - Fix issues due to the difference in size between sockaddr_in and
  sockaddr_in6 structs.

 - Add listnullzero command.

v1.14 Wed Aug 15 20:43:31 PDT 2012

 - Instead of exiting, make all cforce errors (except for
  ERROR_CAPACITY_EXCEEDED) reinitialize the appliance and return.

 - Change check_acld nagios plugin to report CRITICAL when it gets
  connection refused.

 - Handle "Address out of range" nullzero multicast error in
  force10.expect.

v1.13 Fri Jun 22 21:53:59 PDT 2012

 - Fix bug that was introducing carriage returns into acld comment
  results.

 - Add optional cisco acl sequence renumber check to check_acld.

v1.12 Sat Jun  9 17:24:36 PDT 2012

 - Don't try to parse echo-reply and time-exceeded icmp ACLs in
  cisco.expect.

 - Improve file opening logic in acl.exp.

 - Upgrade to autoconf 2.69.

 - Make some awk compatibility tweaks to aclcompact.sh.

v1.11 Fri Feb 17 21:59:35 PST 2012

 - Implement missing IPv6 functionality in force10.expect and
  cisco.expect

v1.10 Wed Feb  8 17:08:38 PST 2012

 - Add acl name to NETS syslog

 - Add "id" keyword that appears in the NETS syslog

v1.9 Wed Jan 18 18:48:09 PST 2012

 - Keep statistics for nullzero routes

 - Rewrite parts of cisco.expect to deal with the gratuitously different
   IPv6 access-list output format

v1.8 Thu Nov  3 17:48:49 PDT 2011

 - Handle cforce CAPACITY_EXCEEDED more gracefully

 - Add -f to acl.exp for blockhosthost and restorehosthost

v1.7 Sun Oct 23 18:14:42 PDT 2011

 - Add ACL list full check to check_acld nagios plugin

 - Add /usr/local/bin to path in acl.exp so it can find socket

 - Fix some sequence number issues in the cforce module

v1.6 Tue Sep 27 17:48:36 PDT 2011

 - cForce appliance fixes

 - Implement permitudpdstnetport, blockudpdstnetport, permittcpdstnetport
  and blocktcpdstnetport in acld and force10.expect

 - Don't allow quoted configuration options to be repeated

 - Fix various bugs in cisco.expect

 - query now reports all host, hosthost and net acl matches

 - querywhitelist now reports all whitelist matches

v1.5 Wed Sep 14 18:09:15 PDT 2011

 - Fix query bugs introduced in v1.2 and v1.4

 - Change query to report host, host to host or subnet blocks

v1.3 Fri Sep  9 15:50:04 PDT 2011

 - Add -f to acl.exp for nullzero, nonullzero, querynullzero,
  addwhitelist, remwhitelist and querywhitelist

v1.2 Thu Sep  8 19:57:45 PDT 2011

 - Query now correctly reports hosts within a subnet block

 - Add nets_log() for nullzero

v1.1 Fri Jul  1 15:02:06 PDT 2011

 - Allow wider CIDR blocks to be dropped via new ipv4_maxwidth and
   ipv6_maxwidth configuration options

v1.0 Wed May 18 13:45:50 PDT 2011

 - cForce appliance

 - Fix broccoli minimum version test

 - Remove certificate scripts in favor of the new "does everything"
  create-cert: https://ee.lbl.gov/downloads/create-cert/create-cert.tar.gz

 - Add comment flag (-c) to aclc

 - Change default connect port based on use_ssl setting in broccoli.conf

 - Move logs to /var/log/acld, run time files to /var/run/acld and
  scripts to /usr/local/libexec

v0.4.7 Wed Aug 25 18:29:56 PDT 2010

 - Turn off idle task check

v0.4.6 Fri Aug  6 10:58:06 PDT 2010

 - Add missing -re's to cisco.expect

 - Define u_int16_t when missing

v0.4.5 Thu Jul  1 18:12:19 PDT 2010

 - Disable "idle failure" abort()

v0.4.4 Thu Jun 24 11:13:06 PDT 2010

 - Change acl.exp to run hostname/whoami when we can't (cheaply)
  get the USER/HOSTNAME from the environment

 - Add acld_blockhosthost()/acld_restorehosthost() to acld.bro

 - force10.expect: gracefully handle the case when we only have one
   enable password

 - cisco.expect: updated to support modern IOS versions

 - aclcompact.sh: use percentage instead of slots left and default to 50%

 - autoconf improvements

v0.4.3 Thu Mar 11 20:34:35 PST 2010

 - Abort if we haven't tried to run the idle tasks in a long time

 - Rewrite nagios plugin, adding new features

 - Fix Makefile.in to honor the CFLAGS environment variable when
  configure is run

v0.4.2 Wed Feb  3 20:38:53 PST 2010

 - Require SSL for broccoli connections

 - Only try to open the broccoli port if it was configured

 - Update help message to reflect currently implemented commands

 - Check for network addresses in places where hosts are required

 - Flush stdout in acl.exp so timing message doesn't commingle with
  stderr messages

v0.4.1 Sat Jan 16 18:55:12 PST 2010

 - Autoconf upgrades

 - Don't bomb on attempt to limit an undefined ACL

 - Check for limits on undefined ACLs

 - Find default IPv4 or IPv6 ACL for permit UDP/TCP host+port ACLs

 - Remove ACL if router command failed when the child includes details

 - Fix permit UDP/TCP host+port bug; add missing return to switch case

 - Fix initial acquisition of IPv6 ACLs; run childsendattr() before
  childlistacl()

 - Handle IPv6 issues caused when not using an IPv6 FTOS capable cam
  profile

 - Wait for prompt before returning errors when changing modes in FTOS

 - Do a better job of keeping track of our current FTOS mode

 - Keep better track of when we entered config mode

 - Update realloc'ed pointer in suck2dot() in a possibly more portable
  way

v0.4.0 Sat Jan 16 18:42:16 PST 2010

 - Add support for IPv6 addresses

 - Implement ACL group limits

 - Enforce limits on ACL types other than the host types

 - Make sure childinput() collects the comment/response before
  finishing request

 - Add -o logfile

 - Check both addrs against whitelist for blockhosthost

 - Avoid ssh login failure loops: use stricthostkeychecking=no

 - Add nets_log() for addwhitelist/remwhitelist

 - Implement batch file mode for aclc

 - Fix silly string length restriction in aclc payload

 - Fix select() race condition

v0.3.3 Sun Mar 22 20:48:29 PDT 2009

 - Improve Broccoli connection code

 - Fix bug in ipfw.expect version of printroute()

v0.3.2 Thu Mar 12 19:33:04 PDT 2009

 - Remove adddefault/removedefault from various expect scripts

 - Implement blockhosthost, droptcpdsthostport, permitudpdsthostport,
  unpermitudpdsthostport, restorehosthost and restoretcpdsthostport
  to ipfw.expect

v0.3.1 Fri Feb 13 21:45:57 PST 2009

 - Implement blocknet

 - Implement nullzero with network (address+mask)

 - Impose maximum mask width of /24 on nullzero routes

 - Eat blank lines when reading route list from router

 - Fix blank line in query and querynullzero output

 - Extend whitelist() to check for overlap between the test
   addr/net and the whitelist addr/net

 - All addresses/nets are eligible for null zero routes if there are
  no configured nullzero nets (subject to maximum mask width and
  whitelist checks)

v0.3 Fri Jan 16 13:19:00 PST 2009

 - Add Bro Broccoli support (aka Broccolized acld)

 - Add blockhosthost/restorehosthost

 - Validate ports values fit in 16 bits

 - If removing an ACL, check that its seq number is in the range

 - Fix servermoveacl(): we need to know the ACL name when compacting ports

 - Add permitipnethost, blockipnethost, permitudpdstnet, blockudpdstnet,
  permittcpdstnet, blocktcpdstnet, permitudpnethostport,
  blockudpnethostport, permittcpnethostport and blocktcpnethostport

 - Update force10.expect to use ssh

v0.2 Tue Jun 10 18:15:41 PDT 2008

 - Add whitelist.

 - Add dynamic whitelist.

 - Add nullzero, nonullzero, querynullzero and listroute.

 - Add permittcpdsthostport and unpermittcpdsthostport.

 - Compact port and permithostport sequence ranges.

 - Fix buffer problems when there are a LOT of entries in an ACL.

 - Change force10.expect to not generate an error when you call
  listacl with an ACL that doesn't exist.

 - Fix pty leak in ipfw.expect.

 - Change acl.exp to report any error messages socket generates. Also,
  capture dst port (and addr) for use in error messages.

 - Change force10.expect to exit when the child goes away to force
  a clean restart.

 - Fix port byte order in connect log message.

 - Add some statistics gathering.

 - Upgrade to autoconf 2.61.

 - Fix dynamic memory problems in acladdacl() and routeadd().

 - Support various different versions of socket.

 - Explicitly kill the child when we receive a TERM.

 - Check the pidfile and don't start a new acld if we think one is
  already running.

 - Add code to reacquire route list when logging in after the first time.

 - Change order of actions in listroute to avoid a race if the route
   list is short and the prompt comes quickly.

 - Don't sleep for 600 seconds before listing routes.

 - Ok to handle non-blocking client requests and drain client output
  when not LOGGEDIN. In particular this allows the "state" command
  to always work.

 - Add optional ports with restricted capabilities, one for read/only
  access and one for web registration clients.

 - Store ACL counts as unsigned long longs.

 - Validate flags to acl.exp. This lets us catch attempts to use batch
  mode (-f) for commands that do not support it.

 - Rename the ACL interface script "acl.exp". Display the package
  version as part of the usage printout.

 - Determine expect path for use with acl.exp.

 - Add droptcpdsthostport and restoretcpdsthostport.

 - Changed permit{udp,tcp}dsthostport to always use the default ACL.

 - Fixed a bug when receiving client request before we're LOGGEDIN.
  This would cause requests to stack up when first starting acld.

 - Add querywhitelist.

 - Fix dynamic memory bug related to the compact operation.

v0.1 Tue Jan 24 18:30:05 PST 2006

 - Drain output to client before closing socket.

 - Only sync when we're truly idle.

 - After sync'ing, return to the mode we started in.

 - Modify force10.expect to deal with old and new style of "sync"
   dialogue.

 - Don't drop back to enable mode for "ayt"

 - Rewrite force10.expect's entermode to use a table

 - Timestamp debug printouts.

 - Don't use "count" with force10 acls since only a few thousand
  are supported.

 - Add permitudphostsrcport, blockudphostsrcport, permittcphostsrcport,
  and blocktcphostsrcport.

 - Clear sp->reqclient in freeclient() to avoid problems when it's
   non-null and there are no clients.

 - Handle the extra \r's newer versions of the force10 FTOS insert.

 - Add permitudpdsthost, blockudpdsthost, permittcpdsthost, blocktcpdsthost,
  permitipdsthost, blockipdsthost, permiticmpdsthost, blockicmpdsthost,
  permitipdstnet, blockipdstnet, permiticmpdstnet and blockicmpdstnet.

 - Print out seq instead of type for ATYPE_UNKNOWN.

 - Change the last "timeouts" to exit instead of return so acld will
  start a fresh expect session.

 - Fix state bugs that caused "query" and "logout" to hang.

 - Add maxseq.

 - Handle "Access List is not in sync ..." message that occurs when
  the cam table fills up on the force10.

 - Pass through informational comments that the listacl expect script
  might generate.

 - Add stunnel example configs and installation instructions.

 - Cleanup client input processing a bit.

 - Detect non-numeric cookies.

 - Pass NULL to extractaddr() if we don't have a 4th argument.

 - Fix state setup so comments work.

 - Changed -d to not force -f.

 - Added incrseq.

 - Change debugging timestamp to show microseconds (instead of hundredths).

 - Rewrite client input processing.

 - Save the raw text for unknown acls so we can print them in the
  listacl output.

 - Add compact.

 - Implement dropudpport, droptcpport, restoreudpport and restoretcpport.

 - Add a netsfac.

 - Add user comment feature to acl.exp

 - Fix issue with child extended response.

v0.0.1 Wed Dec 11 22:58:45 PST 2002

 - Fix bug in client output drain loop that could cause a crash.

 - Add -f flag (foreground).

 - Exit with /bin/sh 128 + signal number status on TERM.

v0.0 Mon Dec  2 18:59:01 PST 2002

 - Initial public release.
