1.4. Change history

Changes since version 4.4:

• Bugfixes:
  • Fixed LCP Time-Remaining packet processing.
  • Fixed packet order on accepting outgoing PPTP call.
  • Changed NAK on multilink options processing. NAK enables rejected options back.
  • Fixed TCP and UDP link type nodes naming bugs.

Changes since version 4.3:

• New features:
  • Added new 'ext-acct' accounting backend as full-featured alternative to 'radius-acct'.
  • If Framed-Netmask RADIUS attribute != 255.255.255.255 mpd will create Framed-IP-Address/Framed-Netmask route to the client side.
• Changes:
  • Added addresses arguments to the down-script call.
  • PPTP windowing is disabled by default.
• Bugfixes:
  • Added check for INT_MAX / 1000 timeouts limit.
  • Fixed MPPE with CHAP-MSv1 auth.
  • Fixed netflow setup errors handeling.
  • Restore link MRU to default after use. Should help with some EAP-TLS cases.
  • Restored LCP-Ident logging.
  • Fixed 'set eap ...' context.
  • Fixed /32 routes processing.
  • Fixed originating of multiple PPTP calls via the same tunnel.
  • Fixed bug in web command syntax check.
  • Fixed bug in tcpmssfix when compression or exncriotion is used.
  • Fixed incorrect IPCP options reject processing.

Changes since version 4.2.2:

• New features:
  • Added L2TP local hostname configuration.
  • Added L2TP length and dataseq options.
  • L2TP local hostname and secret at server side is now configurable depending on client address.
  • Reimplemented RADIUS Class attribute support.
  • Added PPPoE AC-name specification for the server side.
  • Added IP accounting with ng_ipacct node support.
  • Added configure script for better system features detection.
  • 'show version' command now shows compiled-in system features.
  • 'session ...' and 'msession ...' commands to select link/bundle by their current session IDs added.
• Bugfixes:
  • Fixed race condition on PPTP tunnel creation/death.
  • Fixed crash when stdout redirected to /dev/null.
  • Fixed memory leak in proxy-arp.
  • Fixed Dial-on-Demand functionality broken in 4.2.
  • Do not set ACCM for a Sync links.
  • Fixed Sync mode detection for L2TP links.
• Performance improvements:
  • Added support for 64bit ng_ppp counters where available.

Changes since version 4.2.1:

• Bugfixes:
  • Fixed build and stack overflow on FreeBSD 5.x.
  • Fixed startup script dependencies.

Changes since version 4.2:

• Bugfixes:
  • Fixed default route support bug.
  • Fixed memory leak in L2TP link creation.

Changes since version 4.1:

• New features:
  • Implemented link repeater functionality (aka LAC/PAC). New "phys" and "repeater" layers added.
  • PPTP now supports listening on multiple different IPs.
  • L2TP now supports tunnel authentication with shared secret.
  • Implemented traffic filtering using ng_bpf.
  • Implemented fast traffic shaping/rate-limiting using ng_car.
  • Added workaround for Windows 2000 PPPoE MRU negotiation bug.
  • Implemented minimal client side of auth-driven callback (w/o number specification).
  • Restored control console on stdin.
  • Added multiline console command history.
  • Added new 'ext-auth' auth backend as full-featured alternative to 'radius-auth'.
  • Added support for some new ng_nat features.
  • Implemented PPTP/L2TP SetLinkInfo sending to PAC/LAC.
  • NetFlow generation for both incoming and outgoing packets same time is now supported. NOTE: To have more then 1000 interfaces with NetFlow in 6-STABLE you may need to increase NG_NETFLOW_MAXIFACES constant in netflow.h and rebuild ng_netflow kernel module.
  • Added mpd-drop-user vendor specific accounting reply attribute support.
• Changes:
  • 'set link type ...' command is deprecated now. Use 'set phys type ...' instead.
  • -a, -n, -N, and -t bundle options are deprecated now. Use 'set iface enable ...' instead.
  • ng_tee, ng_nat, ng_netflow and other netgraph nodes between ng_ppp anf ng_iface now created when NCP (IPCP/IPV6CP) goes up instead of startup time.
  • Auth subsystem refactored to avoid incorrect cross-level dependencies.
  • Physical device level refactored to remove link and bundle levels dependencies.
  • While accepting calls PPTP, L2TP, TCP and UDP links are now trying to use link with most specific peer address configured.
  • Removed setting up local IPv4 address routing to loopback. /usr/sbin/ppp does not doing it.
• Bugfixes:
  • Fixed thread-safety related crash in accounting.
  • Fixed assertion in PPTP on control connection fail while answering.
  • Fixed assertion in L2TP on control message sending failure.
  • Fixed broken L2TP outcall mode.
  • Updated chat scripts to detect incoming modem calls speed.
• Performance improvements:
  • Calls to ifconfig and route programs replaced by internal functions.
  • Where possible system() calls replaced by fork()+execv() to avoid shell execution.
  • Added connect requests storm overload protection. Mpd will drop incoming requests when message queue reach some defined length.

Changes since version 4.1rc2:

• Changes:
  • Default value of link's max-redial parameter changed to -1.
  • Bundle's noretry option is enabled by default now.
• Bugfixes:
  • Better up/down reason tracking.

Mpd version was bumped from 4.0rc2 to 4.1rc2 due to large number of changes done since 4.0b4 and FreeBSD ports version number conflict.

Changes since version 4.0rc1:

• Bugfixes:
  • Idle timeout fixed.
  • Fixed bug with 'set l2tp self ' specified at the server side.
  • Device type check for device-specific commands added.
  • IPCP reject is not fatal by itself now.
  • Up/down-script will now be called not for the whole interface, but for each of negotiated protocols. Proto parameter should be checked in the script!
  • Fixed ng_ppp link bandwidth configuration.

Changes since version 4.0b5:

• New features:
  • Integrated Web server added.
  • NAT support by ng_nat(4) added.
  • L2TP (RFC 2661) device type implemented.
  • UDP device type was completely rewritten. Now it:
    • does not require manual 'open' command on the server side, it behaves just like any other device type;
    • allows many connections to the same server UDP port;
    • allows not to specify peer address/port for incoming connections (so it will work through different NATs and firewalls);
    • allows not to specify self address/port for outgoing connections (so it is easier to configure);
  • TCP device type was completely rewritten. It has some minor issues due to limitation of ng_ksocket module, but now IT WORKS! :)
  • Compression Predictor-1 (RFC 1978) added.
  • Compression Deflate (RFC 1979) added.
  • Encryption DESE (RFC 1969) support was reimplemented.
  • Encryption DESE-bis (RFC 2419) support added.
  • New command 'show phys' added.
  • New command 'show summary' added.
  • Support for ipfw tables added to RADIUS ACL's.
  • New commands 'set global start...' added..
  • Added support of calling/called numbers (mostly for PPTP/L2TP).
• Changes:
  • "lcp" layer in open/close commands replaced by "link".
  • Auth configuration (set auth ...) moved from bundle layer to lcp. It works per link now.
  • MPPE policy option moved from auth layer to ccp.
• Bugfixes:
  • Fixed a few bugs on amd64 and sparc64 platforms.
  • Phys layer was made stateless to remove race condition.
  • Link layer changed to remove race conditions on LinkDown().
  • Fixed race condition in accepting PPPoE connections.
  • Link up/down reason recording is now more accurate.
  • Complete link shutdown procedure on auth failure implemented.
  • Fixed several small PPTP level processing issues.
  • Removed limitation about PPTP which must be in the bundle alone.
  • Fixed MSCHAP auth which was broken in 4.0b5.
  • Fixed memory leak in PAP and CHAP auth on the client side.
  • Fixed some CCP negotiation issues.
  • Fixed threads-related crash in internal auth.
  • Fixed crash on incoming when no free PPTP link found.
  • Bug in "rubber bandwidth" algorithm fixed.
  • Bug and possible crash fixed in DoD code.
  • Fixed bug in AUTHPROTO negotiation.
  • Fixed bug in RAD_MICROSOFT_MS_CHAP2_SUCCESS handeling. Needs testing.

Changes since version 4.0b4:

• New features:
  • IPv6 support:
    • IPV6CP support added, NCPs and IFACE calls was rewritten to support many NCPs.
    • Console now supports IPv6.
    • UDP and TCP link types now support IPv6.
    • PPTP link type is ready to support IPv6, but requires ng_pptpgre(4) to support IPv6.
    • NetFlow export over IPv6 is supported.
    • The following features don't yet support IPv6: TcpMSSFix, NetFlow, Tee, DialOnDemand.
  • TCP link type now compiles and works (but isn't yet ready for production usage).
  • NetFlow data generation on outgoing interface is supported.
  • Added a possibility to use an existing ng_netflow(4) node.
  • Added a possibility to specify network interface names instead of IP addresses.
  • Added more log levels to decrease log file size.
• Changes:
  • Default argument of open/close commands changed from iface to lcp.
• Bugfixes:
  • Fixed races between startup process and client connecting.
  • Fixed a few crashes in console.
  • Incoming call processing significantly reworked to fix some aspects of multilink server functionality.
  • The shutdown of mpd is now much more graceful: the netgraph nodes are closed, the accounting RADIUS packets for closing links are sent, new connections aren't accepted during shutdown.
  • Fixed races in filling of RADIUS packets. In particular, RAD_NAS_PORT value in the RADIUS could be wrong.
  • RADIUS support rewritten to use poll(2) instead of select(2), allowing to create a bigger number of links.
  • Fixed a problem with identifying correct interface for proxy-arp when alias addresses are used.
  • Fixed memory leaks and crashes when more than 256 PPTP bundles are in use.
  • Fixed crash in PPPoE when more than 64 parent Ethernet interfaces used.
• Performance improvements:
  • Message and PPPoE subsystems reworked to decrease number of open files per bundle.

Changes since version 4.0b3:

• BugFix: fix crash in processing of MS domain name from RADIUS server.
• New feature: automatic creation, configuring and attaching of ng_netflow(4) node.
• ng_tee(4) now can be inserted on a per bundle basis.
• New feature: on FreeBSD 6.0 and higher ng_tcpmss(4) is utilized if doing TCP MSS fixup.
• BugFix: tcpmssfix now works for both incoming and outgoing TCP segments.
• New options: update-limit-in, update-limit-out.
• Fixed loss of statistics when -t options is used.
• Fixed chat scripting, modem links not broken anymore.

Changes since version 4.0b2:

• BugFix: make PPPoE interface control events recurring, PPPoE is not broken anymore.
• Added a new startup section to the config-file, wich is loaded once at startup.
• Added a new global config space for all the global settings.
• BugFix: don't generate new challenges, while retransmitting them.
• Fix va_args bug on certain non-i386 platforms.
• Auto-load ng_ether for PPPoE connections; fix default path for undefined service.
• Rewrite the console-stuff. Multiple telnet connections are now allowed. There is no input-console anymore, must use telnet instead.
• BugFix: The directly configured password wasn't taken into account when using PAP.
• Disallow empty usernames safely.

Changes since version 4.0b1:

• Fixed a race-condition wich caused a dead-lock.
• RADIUS
  • Fixed several race-conditions when sending accounting requests.
  • Use the username from the access-accept packet (if present) for accounting requests.

Changes since version 3 (most of this work was sponsored by SURFnet SURFnet):

• Design changes: Mpd uses now a thread-based event system using libpdel, these libpdel parts are now integrated:
  • typed_mem(3)
  • pevent(3)
  • alog(3)
  Mpd uses a "Giant Mutex" for protecting its resources.
• Major new features:
  • Implemented the Extensible Authentication Protocol RFC 2284 (EAP). Currently only EAP-MD5 is supported (client and server side). EAP negotiaton can be enabled at link level.
  • Implemented OPIE (One-time Passwords In Everything).
  • Implemented authentication against systems password database master.passwd.
  • utmp/wtmp logging.
• Rewrites of the authentication subsystem:
  • Make authentication and accounting requests asynchronous using paction(3).
  • Authentication backends are acting now independently from the rest of Mpd, using some internal structs as interface.
  • The mpd.secrets file is now used as one authentication backends of many, it has no special role anymore, i.e. it could be disabled.
  • Generate a session-id at bundle and link level for using with accounting requests.
• RADIUS related changes:
  • IMPORTANT: Mpd needs now an enhanced libradius, here are the patchsets: 4-STABLE 5-CURRENT
  • Remember and send the RAD_STATE attribute.
  • Message-Authenticator support.
  • EAP Proxy Support.
• Added a new option for PPTP links for disabling the windowing mechanism specified by the protocol. Disabling this will cause Mpd to violate the protocol, possibly confusing other PPTP peers, but often results in better performance. The windowing mechanism is a design error in the PPTP protocol; L2TP, the successor to PPTP, removes it. You need a recent version of FreeBSD (NGM_PPTPGRE_COOKIE >= 1082548365) in order to get this feature.
  set pptp disable windowing
• Added a new commandline option -t for adding ng_tee into the netgraph.
  Submitted by: Gleb Smirnoff, glebius at cell dot sick dot ru
• Removed configuration parameters:
  • bundle: radius-fallback
  • iface: radius-session, radius-idle, radius-mtu, radius-route, radius-acl
  • ipcp: radius-ip
  Moved configuration parameters:
  • bundle to auth: radius-auth, radius-acct, authname, password, max-logins
  • radius to auth: acct-update
  • ccp to auth: radius and renamed to mppc-pol
  New configuration parameters:
  • link: keep-ms-domain, this prevents Mpd from stripping the MS-Domain, this is can be useful when using IAS as RADIUS server.
  • radius: message-authentic, this adds the Message-Authenticator attribute to the RADIUS request.
  • auth: internal, controles the usage of the mpd.secrets file (internal authentication backend).
  • auth: opie, enables/disables the OPIE authentication backend.
  • auth: system, enables/disables authentication against systems password database.
  • auth: utmp-wtmp, enables/disables utmp/wtmp logging. database.
  • auth: timeout, configureable timeout for the authentication phase.
  • eap: radius-proxy, this causes Mpd to proxy all EAP requests to the RADIUS server, Mpd only makes the initial Identity-Request (this saves one round-trip), every other requests are forwarded to the RADIUS server. This adds the possibility supporting every EAP-Type of the RADIUS server, without implementing each EAP-Type into Mpd.
  • eap: md5, EAP-Type MD5, it's the same as CHAP-MD5, but inside EAP frames.
• Removed defines ENCRYPTION_MPPE and COMPRESSION_MPPC, they are now built in.
• Get rid of IA_CUSTOM define.
• BugFix: Fixed a mem-leak in the pptp-ctrl stuff.