Releases: openNDS/openNDS

OpenNDS v10.2.0 release

23 Nov 13:34
be310ac

opennds (10.2.0)

This version is a minor upgrade that introduces some significant additional functionality.

In addition, it includes numerous enhancements, bug fixes and cosmetic fixes.

Additional functionality includes:

Pre-emptive Client Lists
A list of the MAC addresses and access conditions of pre-emptively authenticated client devices.
Unlike Trusted Clients, Pre-emptive clients have their data usage monitored. Quotas and timeouts are applied.
Pre-emptive clients are logged both locally and in remote FAS servers in the same way as normal validated clients.

Autonomous Block Lists
Autonomous block lists are lists of FQDNs for which all IP addresses allocated to those FQDNs will be blocked.

Internet hosted https FAS support for resource limited routers.
For limited resource router hardware, inbound NAT traversal has been extended to allow https FAS without additional dependencies.
An example FAS script fas_hid_https.php is provided.

Fair Usage Policy
A Fair Usage Policy (FUP) option is introduced: if a client exceeds the pre-configured data quota, rate throttling will be enabled automatically.

Changelog:

  • Add - Page 202 HTTP_ACCEPTED for future use
  • Fix - remove redundant workaround for old MHD versions [bluewavenet]
  • Fix - some nft and other error messages [bluewavenet]
  • Fix - remove unnecessary debug messages [bluewavenet]
  • Add - improved ndsctl status detection for authmon [bluewavenet]
  • Add - increase RestartSec parameter in opennds.service for generic Linux [bluewavenet]
  • Fix - prevent unnecessary shutdown [bluewavenet]
  • Fix - Generic Linux, error updating dnsmasq.conf [bluewavenet]
  • Add - allow dynamic update of flowtable rules [bluewavenet]
  • Fix - use Themespec in place of deprecated preauth in ndsctl status [bluewavenet]
  • Fix - Generic linux - keep old config [bluewavenet]
  • Fix - remove some unused variables [bluewavenet]
  • Add - support for nftables blocklists [bluewavenet]
  • Add - ensure authenticated user rules are added in list order [bluewavenet]
  • Add - Set default authenticated policy to accept [bluewavenet]
  • Add - urandom hash to key generation [bluewavenet]
  • Fix - duplicate users_to_router rules [bluewavenet]
  • Add - Automatic dns resolution of fas_remotefqdn in nftables rules [bluewavenet]
  • Add - flowtables rules [bluewavenet]
  • Add - dynamic flowtable support allowing multiple upstream connections [bluewavenet]
  • Add - skip preemptivemac client if not dhcp database or is already authenticated [bluewavenet]
  • Add - Skip auth_restore if client is in preemptivemac list [bluewavenet]
  • Add - use daemon_auth in auth_restore [bluewavenet]
  • Add - Dynamic refresh of configured preemptive macs [bluewavenet]
  • Fix - suppress daemon_auth debug output [bluewavenet]
  • Add - urlencode ALL list blocks and introduce preemptivemac lists [bluewavenet]
  • Add - fas-hid-https to makefiles [bluewavenet]
  • Add - warning that pre-shared key will be generated and added to config if not present [bluewavenet]
  • Add - b64decode payload in fas [bluewavenet]
  • Add - b64encode payload before sending to fas [bluewavenet]
  • Add - level 4 fas-hid-https [bluewavenet]
  • Add - support for fas_secure_enabled = 4 [bluewavenet]
  • Add - updates to comments in fas-hid script [bluewavenet]
  • Fix - fas-hid icon position [bluewavenet]
  • Add - wget_request support to authmon [bluewavenet]
  • Add - ruleset full parsing of verdict, protocol ports to/from address [bluewavenet]
  • Fix - send_to_fas_deauthed [bluewavenet]
  • Fix - ensure action is parsed correctly in all cases [bluewavenet]
  • Add - Quota based Fair Usage Policy, sets throttled rate when quota exceeded [bluewavenet]
  • Add - QL code scanning support in Community theme_voucher ThemeSpec script [bluewavenet]
  • Add - support for cpi_query in example FAS scripts [bluewavenet]
  • Fix - memory leak when deleting client from client list [bluewavenet]
  • Add - html entity handling for semicolon [bluewavenet]
  • Add - Store RFC8910 request string in client data [bluewavenet]

-- Rob White dot@blue-wave.net Wed, 22 Nov 2023 11:08:15 +0000

OpenNDS v10.1.3 release

28 Aug 12:00
69dde77

opennds (10.1.3)

Security Advisory. This version contains fixes for multiple potential security vulnerabilities.
Credit - Stanislav Dashevskyi - standash.github.io [standash]
It also contains some minor bug fixes.

  • Fix - Buffer overflow causing segfault - CVE-2023-41101 [bluewavenet]
  • Fix - Memory leaks due to passing allocated buffer into safe_asprintf() - CVE-2023-41102 [bluewavenet]
  • Fix - Remove deprecated preauth option [bluewavenet]
  • Fix - missing free in show_preauth_page if MHD does not respond [bluewavenet]
  • Fix - more safe_asprintf memory leaks [bluewavenet]
  • Fix - missing free for mark_auth [bluewavenet]
  • Fix - memory leak after starting authmon daemon [bluewavenet]
  • Fix - memory leak in encode_and_redirect_to_splashpage [bluewavenet]
  • Fix - Community themespec, voucher css and logo image [bluewavenet]
  • Fix - ThemeSpec, path to logo in page footer [bluewavenet]
  • Fix - ensure gatewayurl is urldecoded to fix broken css and images in themespec [bluewavenet]
  • Add - set default fas remote fqdn to disabled [bluewavenet]

-- Rob White dot@blue-wave.net Sat, 28 Aug 2023 09:46:35 +0000

OpenNDS v10.1.2 release

29 Jul 11:07
cd4004f

opennds (10.1.2)

Security Advisory. This version contains fixes for multiple potential security vulnerabilities.
Credit - Stanislav Dashevskyi - standash.github.io [standash]
It also contains some minor bug fixes.

  • Fix - Generate unique sha256 faskey if not set in config - CVE-2023-38324 [bluewavenet]
  • Fix - NULL pointer dereference if user_agent is NULL - CVE-2023-38320, CVE-2023-38322 [bluewavenet]
  • Fix - NULL pointer dereference if authdir is called with an incomplete or missing query string - CVE-2023-38313, CVE-2023-38314, CVE-2023-38315 [bluewavenet]
  • Fix - remove deprecated and non-functioning unescape callback - CVE-2023-38316 [bluewavenet]
  • Fix - prevent potential recursive dependency and detect if conflicting package is installed [bluewavenet]

-- Rob White dot@blue-wave.net Sat, 29 Jul 2023 10:04:52 +0000

OpenNDS v10.1.1 release

14 Jul 14:56
74d7fe6

opennds (10.1.1)

This version contains some minor bug fixes and documentation updates

  • Fix - send only contents of buffer, not entire buffer when serving page511 [bluewavenet]
  • Fix - Set fas_remotefqdn to gw_fqdn when overriding FAS settings [bluewavenet]
  • Fix - use absolute path for css and images in ThemeSpec [bluewavenet]
  • Fix - revert to old option names without underscores [bluewavenet]
  • Fix - FAS URL when fas_remotefqdn is not set [bluewavenet]

-- Rob White dot@blue-wave.net Fri, 14 Jul 2023 13:56:50 +0000

OpenNDS v10.1.0 release

18 Jun 10:18
d193b71

opennds (10.1.0)

This version is a major upgrade including full migration to nftables and native uci configuration support even for generic Linux distributions.

It also includes a significant refactoring of inbuilt memory management, improving long term reliability, fixing several memory leaks, buffer overflows and several edge case crashes.

  • Add - support for included custom binauth script [bluewavenet]
  • Add - emit a useful stderr message if auth_restore fails [bluewavenet]
  • Add - procd respawn threshold, respawn timeout and respawn retry parameters [bluewavenet]
  • Add - user friendly commandline message if already running [bluewavenet]
  • Fix - Enabling of Data volume quotas [bluewavenet]
  • Fix - use get_list_from_config instead of get_option_from_config [bluewavenet]
  • Fix - compiler warning - unused variable [bluewavenet]
  • Fix - remove redundant function call ipsetconf [bluewavenet]
  • Fix - walledgarden for both nftset and ipset on OpenWrt [bluewavenet]
  • Add - more meaningful output if attempt is made to restart when already running [bluewavenet]
  • Fix - resolve gatewayfqdn after startup [bluewavenet]
  • Fix - Choose foreground or background running according to commandline arguments [bluewavenet]
  • Fix - remove superfluous debug message [bluewavenet]
  • Fix - replace sleep with procd_set_param term_timeout [bluewavenet]
  • Fix - make option enabled default to enabled [bluewavenet]
  • Fix - report authmon pid instead of opennds pid from authmon [bluewavenet]
  • Fix - ensure correct pid obtained for opennds [bluewavenet]
  • Add - StartLimitIntervalSec and StartLimitBurst to systemd service script [bluewavenet]
  • Fix - refactor remote downloads [bluewavenet]
  • Fix - suppress error message on ipset test failure [bluewavenet]
  • Fix - send non-syslog debug information to stdout by default [bluewavenet]
  • Add - C function to check heartbeat watchdog [bluewavenet]
  • Fix - Update generic Linux makefile [bluewavenet]
  • Fix - remove redundant ruleset struct definition [bluewavenet]
  • Fix - potential buffer overflow issue during config stage [bluewavenet]
  • Fix - remove unnecessary calls to free() in page 404 processing [bluewavenet]
  • Fix - remove redundant code from fw_iptables [bluewavenet]
  • Add - updates to binauth_log script [bluewavenet]
  • Add - updates for service startup, systemd and procd [bluewavenet]
  • Add - refactoring of commandline processing [bluewavenet]
  • Fix - remove debugging message [bluewavenet]
  • Fix - typo in client ruleset [bluewavenet]
  • Add - Refactor to use uci config directly even for Generic Linux [bluewavenet]
  • Add - Parsing for multi item lists with spaces in items [bluewavenet]
  • Add - use common library call get_option_from_config [bluewavenet]
  • Add - support for direct use of uci format config file - string and integer parameters [bluewavenet]
  • Fix - Remove deprecated syslog_facility config setting [bluewavenet]
  • Add - thread busy message to ndsctl [bluewavenet]
  • Add - refactor configure_log_location [bluewavenet]
  • Fix - suppress LOG_NOTICE message when getting mac of interface [bluewavenet]
  • Fix - ndsctl error message [bluewavenet]
  • Fix - get_client_interface for levels 2 and 3 [bluewavenet]
  • Add - use common library write_log function [bluewavenet]
  • Add - Refactor memory management [bluewavenet]
  • Fix - fix and refactor upload rate limiting rules [bluewavenet]
  • Fix - Change a debug message from err to info [bluewavenet]
  • Add - refine common buffer sizes [bluewavenet]
  • Add - use initialised heap memory for redirect_to_splashpage [bluewavenet]
  • Add - user message to themespec [bluewavenet]
  • Add - auth_restore support, i.e. reauth clients after a restart by default. [bluewavenet]
  • Add - Library call to preemptively re-auth clients after a restart or crash [bluewavenet]
  • Add - BinAuth, write an authenticated clients list [bluewavenet]
  • Add - library call "check_heartbeat" [bluewavenet]
  • Fix - Tidy up redundant code [bluewavenet]
  • Fix - change warning message to debug message when iw not installed [bluewavenet]
  • Add - library call to log to syslog [bluewavenet]
  • Fix - use initialised heap memory for client list entries [bluewavenet]
  • Fix - ignore legacy ipset firewall rule [bluewavenet]
  • Fix - refactor memory management for MHD calls - use heap memory for buffers etc [bluewavenet]
  • Fix - missing free causing memory leak [bluewavenet]
  • Fix - predefine and initialise buffer for send_redirect_temp [bluewavenet]
  • Add - support protocol "all" in firewall ruleset [bluewavenet]
  • Add - pre-allocation of initialised buffers [bluewavenet]
  • Fix - prevent buffer overrun on removing client [bluewavenet]
  • Add - update MHD connection timeout and connection limit [bluewavenet]
  • Add - chain ndsDLR for dynamic client download rate limiting rules [bluewavenet]
  • Add - Use Internal Polling Thread / Thread Per Connection in MHD [bluewavenet]
  • Add - some new default values [bluewavenet]
  • Fix - remove some redundant code and fix some compiler warnings [bluewavenet]
  • Fix - remove redundant library command string [bluewavenet]
  • Fix - Tidy up redundant iptables code [bluewavenet]
  • Add - convert trusted client support to nftables [bluewavenet]
  • Add - refer to nftables [bluewavenet]
  • Add - move code for generating authentication mark string to initial setup [bluewavenet]
  • Add - full nftset support with ipset import where required [bluewavenet]
  • Add - nftset support library calls [bluewavenet]
  • Add - ipset_to_nftset library call [bluewavenet]
  • Add - support for nftables version of append_ruleset and nftables_compile [bluewavenet]
  • Fix - buffer overflow in page_511 generation [bluewavenet]
  • Add - more nftables migration including rate quotas [bluewavenet]
  • Fix - change GatewayInterface to lower case [bluewavenet]
  • Add - upload and download limiting client flags for future use [bluewavenet]
  • Add - lib calls "pad_string" and "replace_client_rule" [bluewavenet]
  • Add - further nftables migration [bluewavenet]
  • Fix - correctly parse options from legacy conf file [bluewavenet]
  • Fix - some compiler warnings and set min iptables version [bluewavenet]
  • Add - Generic Linux configure walledgarden [bluewavenet]
  • Add - Implementation of nftsets for walledgarden [bluewavenet]
  • Add - migration to nftables, next phase. [bluewavenet]
  • Add - library function delete_client_rule [bluewavenet]
  • Fix - remove duplicate definition [bluewavenet]
  • Add - First stage migration to nftables [bluewavenet]

-- Rob White dot@blue-wave.net Tue, 14 Jun 2023 14:22:50 +0000

OpenNDS v9.10.0 release

21 Jan 20:33
560a47d

opennds (9.10.0)

This version adds new functionality, and fixes some issues

  • Fix - unable to read client upload traffic volume on some versions of iptables-nft (generic Linux) [bluewavenet]
  • Fix - compatibility with bash shell on generic Linux [bluewavenet]
  • Fix - compiler warning, unused variable [bluewavenet]
  • Fix - silently continue if fw4 table is not found [bluewavenet]
  • Add - Start daemon earlier on boot [bluewavenet]
  • Fix - compatibility with legacy iptables packages [bluewavenet]
  • Add - call to delete nft chains [bluewavenet]
  • Fix - stop using legacy INPUT and FORWARD chains [bluewavenet]
  • Add - watchdog restart if openNDS nftables ruleset is missing [bluewavenet]
  • Add - automated rule setting/deleting for users_to_router [bluewavenet]
  • Add - Change fwhook to add users to router rule to fw4 on OpenWrt [bluewavenet]
  • Add - Set allow or passthrough mode for users_to_router rules [bluewavenet]
  • Fix - set fwhook default to disabled to prevent restart on hotplug event [bluewavenet]
  • Fix - fas-aes-https description comments [bluewavenet]
  • Fix - icon overspill on splash pages [bluewavenet]
  • Fix - missing config option in community script [bluewavenet]
  • Fix - urlencode handling of "$" character and add htmlentity encode/decode library call [bluewavenet]

-- Rob White dot@blue-wave.net Tue, 17 Jan 2023 14:33:27 +0000

OpenNDS v9.9.1 release

14 Nov 16:06
67aa8aa

opennds (9.9.1)

This version fixes some issues

  • Fix - minimalise deprecated legacy .conf file
  • Fix - Prevent rate limit refresh if rate limit is set to 0 [bluewavenet]
  • Fix - Mute some unnecessary debug messages [bluewavenet]
  • Fix - do not write unconfigured (null) parameters to client id file (cidfile) [bluewavenet]
  • Fix - Prevent error "Command process exited due to signal 13" when executing an external script [bluewavenet]
  • Fix - use WTERMSIG() return code for _execute_ret when execute fails [bluewavenet]
  • Fix - use correct response type for error 503 [bluewavenet]
  • Update Makefile description [bluewavenet]
  • Add - Community Local FAS install script [bluewavenet]
  • Update - Mention TCP port 80 requires AutonomousWG [afriza]

-- Rob White dot@blue-wave.net Thu, 12 Nov 2022 20:39:31 +0000

OpenNDS v9.9.0 release

07 Oct 19:12
a8e2b41

opennds (9.9.0)

This version adds new functionality, and fixes some issues

  • Add - Community ThemeSpec to support legacy splash.html [bluewavenet]
  • Fix - ensure nat_traversal_poll_interval defaults to 10 seconds [bluewavenet]
  • Add - process send_to_fas_deauthed and send_to_fas_custom in fas-aes-https [bluewavenet]
  • Add - support for send_to_fas_deauthed library call in binauth_log.sh [bluewavenet]
  • Add - heartbeat file containing timestamp [bluewavenet]
  • Add - send_to_fas_deauthed and send_to_fas_custom library calls [bluewavenet]
  • Add - Save authmon daemon startup arguments for libopennds [bluewavenet]
  • Fix - potential divide by zero errors [bluewavenet]
  • Add - option nat_traversal_poll_interval [bluewavenet]
  • Add - Library calls for urlencode and urldecode [bluewavenet]
  • Fix - Don't download remotes if ThemeSpec not configured [bluewavenet]
  • Add - Error report in syslog if dhcp database is not found [bluewavenet]
  • Add - library calls, deauth and daemon_deauth [bluewavenet]
  • Fix - change WTERMSIG log from WARNING to NOTICE [bluewavenet]
  • Add - Set minimum bucket size to 5 regardless of configured bucket ratio [bluewavenet]
  • Fix - safe_vasprint return value [bluewavenet]
  • Add - test if safe_calloc failed and serve error 503 [bluewavenet]
  • Add - use calloc instead of malloc [bluewavenet]
  • Fix - safe functions to return error rather than exit [bluewavenet]
  • Add - b64decode custom string received by binauth script [bluewavenet]

-- Rob White dot@blue-wave.net Thu, 03 Oct 2022 16:52:46 +0000

OpenNDS v9.8.0 release

07 Aug 15:20
854731d

opennds (9.8.0)

This version adds new functionality, and fixes some issues

  • Fix - suppress stderr in client_params in generic linux [bluewavenet]
  • Fix - client_params on generic linux, remote logo not supported yet [bluewavenet]
  • Fix - compiler warning [bluewavenet]
  • Fix - set voucher script as executable [bluewavenet]
  • Update OpenWrt Makefile [bluewavenet]
  • Add - format footer in Themespec scripts [bluewavenet]
  • Update footer on all scripts [bluewavenet]
  • Update - Community Voucher Themespec [bluewavenet]
  • Add - Check on startup for Y2.038K bug (32 bit time) [bluewavenet]
  • Fix - Remove deprecated Debian specific files [bluewavenet]
  • Add - More css updates [bluewavenet]
  • Add - user friendly RFC8910 page511 text and remove refresh button [bluewavenet]
  • Fix - MHD becomes unresponsive serving page 511 for rfc8910 clients [bluewavenet]
  • Add - extra startup settings - ignore_sigpipe and write nds info [bluewavenet]
  • Add - set MHD connection limit to 100, set MHD listen backlog size to 128, set MHD_HTTP_HEADER_CONNECTION "close" [bluewavenet]
  • Fix - Add missing LOG_CRIT in debug [bluewavenet]
  • Add - some useful diagnostic output in authmon [bluewavenet]
  • Fix - Move testing to community [bluewavenet]
  • Fix - Community - Use tmpfs by default for vouchers.txt file [bluewavenet]
  • Add - README with use instructions and notice about flash wearout [fservida]
  • Fix - Refactor folder structure for community themespec [fservida]
  • Add - Create vouchers.txt [fservida]
  • Add - Create theme_voucher.sh [fservida]
  • Update - README.md [bluewavenet]
  • Add - image download info message [bluewavenet]
  • Add - css updates [dianariyanto]
  • Add - allow downloaded remotes refresh for all modes [bluewavenet]
  • Add - download_resources.sh to installed files [bluewavenet]
  • Add - support for download of custom images and files in the status.client page [bluewavenet]
  • Remove - Debian man page support [bluewavenet]
  • Fix - Add missing mkdir command in Makefile [dzatoah]
  • Fix - typos in src/{conf, main}.c [dzatoah]

-- Rob White dot@blue-wave.net Wed, 05 Aug 2022 15:00:13 +0000

OpenNDS v9.7.0 release

18 Mar 14:46
11c0dbf

opennds (9.7.0)

This version adds new functionality, and fixes some issues.

  • Fix - syntax error (missing comma) in awk command in bash on generic Linux [bluewavenet]
  • Add - option to append serial number suffix to gatewayname [bluewavenet]
  • Add - block use of ip aliases on gateway interface [doctor-ox] [bluewavenet]
  • Fix - ndsctl json syntax error [bluewavenet]
  • Add - check for null variables in key value pairs in MHD callbacks [bluewavenet]
  • Fix - changed some notice messages into debug messages [bluewavenet]
  • Fix - possible return of incorrect pid [doctor-ox] [bluewavenet]
  • Fix - possible ambiguities resulting in failure to parse parameters correctly [bluewavenet]
  • Fix - Remove deprecated get_client_token.sh [bluewavenet]
  • Fix - Prevent possible malformed mac address returned from dhcpcheck() [doctor-ox] [bluewavenet]

-- Rob White dot@blue-wave.net Wed, 16 Mar 2022 15:54:29 +0000