1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
|
fastd v18
=========
New features
~~~~~~~~~~~~
Multi-interface modes
---------------------
A single fastd instance can now manage multiple TUN/TAP interfaces. This allows to
use multiple peers and peer directories in TUN mode, creating one interface for each
peer. *on-up* and *on-down* scripts are run once for each interface.
By default, all interfaces are created on startup or peer reload; the option
*interface persist* can be used to change this behaviour.
In addition to the multi-peer TUN mode, it is also possible to make fastd create one
interface per peer in TAP mode now. This is enabled by the setting *mode multitap*
(the option for multi-interface TUN mode is just *mode tun*, as there is no TUN mode
which handles multiple peers on a single interface.)
Multi-TAP mode is compatible with TAP mode, i.e. the peer may be configured in normal
TAP mode (and may use a fastd version without multi-TAP support.
If explicit interface names are configured, these names must now be set for each peer,
which may either be done explicitly, or using :ref:`name patterns <option-interface>`.
Peer-specific interfaces may also be configured with peer-specific MTUs.
Interface cleanup on FreeBSD/OpenBSD
------------------------------------
FreeBSD and OpenBSD do not automatically destroy TUN/TAP interfaces. fastd will
now destroy the interfaces it creates on these systems on exit.
Improved capability management
------------------------------
fastd will now automatically retain all POSIX capabilities it needs, so all options
should now work without full root privileges.
The option *drop capabilities force* may be used to drop CAP_NET_ADMIN even when
fastd would normally retain it.
More powerful peer groups
-------------------------
All *on-\** options may now be overridden per peer group.
In particular, the *on-verify* option may be moved into a peer group to determine
the peer group of unconfigured peers. This allows to set a peer limit for unconfigured
peers without globally limiting the peer count.
Bugfixes
~~~~~~~~
* When linked with NaCl instead of libsodium, fastd would use SSE for salsa20/salsa2012 on x86 even after
determining that SSE is not availble. This led to crashes or transmission
failures on CPUs like the Geode.
* Fix crash on x86-64 systems when built with certain combinations of GCC version and
stack-protector compiler flags (observed on Fedora)
* fastd did reject configurations which contain neither static peers nor
peer directories, but a *on-verify* option
* The status socket is now removed correctly if fastd exits with an error message
* fastd did exit with regular exit code 0 instead of re-raising the termination signal after cleanup
* Fix in-tree compile on non-Linux systems
Other changes
~~~~~~~~~~~~~
* fastd now requires at least libuecc v6 (v7 recommended)
* Some error conditions that can't be recovered from will now cause fastd
to exit instead of just logging an error message. This allows service managers like systemd/procd
to restart fastd, so proper operation can be restored.
|
