All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog.
- Now builds a separate luajit package, based on the openresty luajit fork. This is to address some issues found with stock luajit. The package also includes some lua modules that wforce typically makes use of.
- Build the wforce-minimal image for both arm64 and amd64, and add provenance.
- Fix centos-7/el-7 builds to still work after centos-7 went EOL
- Add support for debian-bookworm, remove support for debian-buster
- Fixed LuaState selection algorithm to use a free pool, which should lead to faster/more consistent selection of lua states by threads.
- CI now builds an additional image 'powerdns/wforce-minimal' using alpine for more secure and much smaller image
- Fixed bug in GeoIP2 lookups where return values were not populated
- Add Enterprise Linux 9 Build Target
- Option to use OpenSSL instead of Libsodium for encryption
- Remove Legacy GeoIP from Packages and Dockerfiles/Images
- Remove the report_api from weakforced entirely
- Move to pytest instead of nose for regression tests
- Support ELK 7.x Stack
- Support Date Expansion in WebHook URLs
- Enable IP and Login substitution in blocklist return messages
- Add config option to disable password for /metrics endpoint
- Support redis usernames and passwords for redis authentication
- Support hostnames for redis configuration in addition to IP addresses
- Fix an issue where IPv6 ComboAddress returned zero port number (which caused v6 HTTP listen addresses to not work)
- Set V6ONLY socket option to stop v6 sockets from managing v4 addresses for replication
- Return the IP address of the client in JSON of ACL denied response
- Fix issue where wforce was complaining about not being able to create tmp file on startup
- Fix timing issue whereby the webserver was not started before syncDB leading to syncDone failures
- Use debian bullseye-slim in wforce docker image
- Fix issue in wforce docker image where the default config file was overridden with a volume mount but not used
- Support HTTPS in webserver using libdrogon
- Add support for configuring TLS behaviour of outbound HTTPS connections
- Remove support for building debian stretch packages
- Change behaviour of default ACLs such that they are overridden by setACL()
- Build for debian bullseye
- New API and Lua commands to dynamically manage siblings
- Siblings can now have unique encryption keys
- Amazon Linux packaging target for pdns-builder
- Fix issue where replication length bytes can be truncated causing syncDB problems
- New wf_dump_entries tool to dump stats DBs to file
- Support for new "forwarding" type in replication messages
- Support for Prometheus via the new /metrics REST endpoint
- Enable TCP keepalive for redis connections
- Configurable timeout for R/W on redis connections
- Fix duplicate command stats under some circumstances
- Support building debian buster packages
- StatsDBs can now be sharded for better performance
- StatsDB expiry thread now runs more often by default
- StatsDB expiry thread sleep time is now configurable
- Support for Kafka REST Proxy in webhooks
- Fix control socket leak when client closes connection immediately
- Fix wforce crash in Sibling send thread triggered by syncDB operation
- Lookup individual GeoIP2 values (Unsigned Integer, String, Double/Float and Boolean)
- Add session_id to wforce LoginTuple
- The report_api is now deployable via proper packaging, systemd and gunicorn
- Custom GET Endpoints supporting non-JSON return values
- New Kibana Reports and Dashboard to view effectiveness of wforce policy
- New "type" field added to built-in webhooks
- Built-in whitelists added in addition to built-in blacklists
- New checkXXXBlacklist (and Whitelist) function in Lua
- Built-in black/whitelisting can be disabled and checked from Lua instead
- Thread names support
- Blacklisting return messages are configurable
- Add support for TCP keepalive
- New functions to retrieve the custom return message for blacklisted IPs, Logins and IP/Logins.
- Fix typo in wforce.conf.example blackistLogin->blacklistLogin
- Python3 support throughout wforce (regression tests and deployment)
- Uses "bytes" instead of "string" in replication, which avoids protobuf errors for non-UTF-8 StatsDB keys or values.
- Remove ctpl from wforce
- Sibling threads now use explicit std::queue instead of ctpl
- Perform replication to siblings asynchronously instead of synchronously, preventing delays at startup and in REST API functions which triggered replication.
- Add configuration setting "setNumWebHookConnsPerThread"
- Add support for querying replication status in showStringStatsDB()
- Add sibling received success/fail stats to sibling() command
- New custom stats framework
- New stats for all commands, including custom commands
- GeoIP2 support (MMDB-style DBs)
- New resetField() function for statsDBs
- Support for building packages using pdnsbuilder
- Configurable accuracy for HLL and CountMin types
- DB Synchronization for newly started wforce instances
- Add configuration settings "addSyncHost" and "setMinSyncHostUptime"
- Add configuration setting "setWebHookTimeoutSecs"
- Support for replication over TCP
- Customizable log facility via a command line option
- Example logstash config and elasticsearch template in docs
- GeoIP Legacy support
- Refactor webhooks to use libcurl multi interface for performance and deprecate per-webhook "num_conns" config
- Change log level of informational messages from warn to notice/info
- Fix broken setVerboseAllowLog() function
- Fix memory leak in statsDBs
- Fix issue where mapped v4 addresses in v6 were not handled correctly
- Support for additional GeoIP DBs: City and ISP
- Support for reloading GeoIP databases
- Blacklists now support IP netmasks as well as individual IP addresses
- Configurable timeout for Redis connections
- New Lua logging function: debugLog
- Webhook support for Basic Authentication
- Support for parsing device_id from http, imap and OX mobile clients
- New tls parameter to report/allow commands
- New console commands - showPerfStats() and reloadGeoIPDBs()
- Wforce daemon changes working directory to config file directory
- Use Content-Length instead of chunked encoding for Webhooks
- Fixed a two bugs in dependent getdns library that could cause crashes