changes:

core:
- Master and children reread configuration after MAINTENANCE_LEVEL and if the config has changed. (daemon mode)
- "reload" action added (daemon mode)
- -d (ebug) didn't behave correctly; it should now also be possible to run a debug session as a normal user
- cache_query: alarm on <$csock> didn't result in a break of read(); also, the validation of returned strings from the cache has been improved/corrected.
- HELO names with non-ASCII chars which were replaced by "?" by postfix don't cause regexes and, in consequence, perl/policyd-weight to fail/die anymore (reported by Gary V ages ago).

Note:
I also have ACL support for the inet socket on my schedule, although it will be limited ACL support, as Berkeley TCP sockets / OS implementations do not provide any way to refuse (RST) a connection attempt in the application (only FreeBSD has accept filters (accept_filter(9)); other unices may provide other ways which I'm not aware of). Thus we first have to accept() it before we can ACL() and close() it, which doesn't help in case of "attacks". Thus, firewalling and ACLing on firewall level is a must. Unless someone can report a way for an application to extract the peer addr and port number _before_ we accepted it. Even then it'd be questionable if we are allowed to send a RST and tell the kernel to erase that one from syn-caches or cookie caches and other queues.

-- 
Robert Felber (PGP: 896CF30B)
Munich, Germany
____________________________________________________________
Policyd-weight Mailinglist - http://www.policyd-weight.org/
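
The accept()-then-ACL ordering described in the note, as an added example that is not part of the original post or of policyd-weight's code: a loopback demo in Python (the project itself is Perl; the socket calls are the same) showing that the client's connect() completes before the daemon calls accept(), so an in-application ACL can only close an already established connection. The allowed network and all function names are assumptions made for the demo.

```python
import ipaddress
import socket

# Constructed ACL for the demo: only this documentation network is allowed.
ALLOWED = [ipaddress.ip_network("192.0.2.0/24")]


def acl_permits(peer_ip, allowed=ALLOWED):
    """Return True if peer_ip falls inside one of the allowed networks."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in allowed)


def accept_with_acl(listener, allowed=ALLOWED):
    """accept() first, then check the peer; return (conn or None, peer)."""
    # The kernel finished the TCP handshake before this call returns, so the
    # peer address only becomes visible for an established connection.
    conn, peer = listener.accept()
    if acl_permits(peer[0], allowed):
        return conn, peer
    conn.close()  # earliest point at which the application can refuse
    return None, peer


def demo():
    """Run one denied connection over loopback and report what each side saw."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.settimeout(5)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(5)
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.settimeout(5)
    try:
        # Succeeds although the daemon has not called accept() yet: the
        # connection is established and queued in the listen backlog.
        client.connect(listener.getsockname())
        connected_before_accept = True
        conn, peer = accept_with_acl(listener)
        client_saw = client.recv(1)  # b"" means the server closed on us
    finally:
        client.close()
        listener.close()
    return {"connected_before_accept": connected_before_accept,
            "acl_allowed": conn is not None,
            "peer_ip": peer[0],
            "client_saw": client_saw}


if __name__ == "__main__":
    print(demo())
```

The denied client still consumed a handshake and a backlog slot before the ACL ran, which is why the note puts filtering at the firewall.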