NuFW

This new release mainly fixes a compilation issue appeared in NuFW 2.4.1. GNUtls mode was not working anymore.

• log_mysql: don't over stress nuauth after DOS mode (Eric Leblond)
• libnuclient: fix memory leak. (Eric Leblond)
• nuauth: avoid double logging of some packets (Eric Leblond)
• nussl: add support for several CA certificates in one PEM file (Pierre Chifflier)
• Revert "NuSSL: fix sub CA" (Pierre Chifflier)

This new release fixes a problem in libnuclient which could lead to a crash on some systems. It also adds support for chained certificate support in nuauth authentication server.

• libnussl: fix sub CA support
• libnuclient: fix proc hash handling
• nuauth_command: add thread pool information
• nuauth_command: add "refresh crl" command

After a long work, NuFW 2.4.0 is available. It contains a bunch of new features and improvements.

New features and major improvements¶

Extensible protocol¶

NuFW protocol between authentication server and clients has evolved and it is now possible to extend the protocol via plugin (on both client and nuauth side).

A simple extension is provided. It adds a message to have local user identity sent to authentication server. This is a simple proof of concept and some more interesting extension can be easily developed.

Optimized protocol¶

Client to authentication server protocol has been heavily optimized for laggy network and computer used simultaneously by multiple users. For example, on a 1 sec delay network, authentication is done at worst in 1.2 sec which is only 0.2 sec more than non authenticated flow. With previous protocol authentication was done in more than 3 sec...

Filtering capabilities improvements¶

Client is now computing hash of application binary for advanced filtering.

It is also possible to use an authentication quality in filtering rules. For example, this mean it is possible to accept a packet if and only if the authentication of the user has been done via certificate.

Rewrite and code factorization¶

A huge code factorization and rewrite has been done. Convenience libraries are now shared between the different components. Cryptography can now be done via openssl or gnutls and all components now share the same configuration file parser.

Changelog summary¶

• Support for plugin in libnuclient
• Improved client-server protocol
  • Protocol extension via plugin
  • Better performances on bad network
  • Better error handling
• Filtering capabilities improvements:
  • Client compute hash of application for advanced filtering
  • Authentication quality support
• Configuration file for nufw and client
• New convenience libraries:
  • nussl: TLS abstraction library (gnutls or openssl)
  • nuconfparser: Configuration library
  • nubase: Common use library
• log_ulogd2 module: log packet via ulogd2
• postauth_localuser module: sample postauthentication protocol modification
• nufw: switch libnetfilter_conntrack code to new API
• client proto: negotiate protocol version

This new release of 2.2 branch contains some minor bugfixes.

• system: suppress prefixed domain when fetching group and id.
• nufw: work around non thread-safeness of libnfnetlink
• nuauth: fix logging of connection end timestamp
• nuauth: fix rare bug related to nufw server handling