ImageStream Linux Version 4.2.7 is now available as a general availability (GA)
release for all ImageStream router customers.

This software release is provided at no charge to all ImageStream customers.
Version 4.2.7 is a maintenance release and recommended for all customers who
wish to run the latest GA release.

This release note documents commands and features added between version 4.2.6
and version 4.2.7 including features added in all version 4.2.7 beta releases.


----------------------------


New Features in Version 4.2.7

ATM Quality of Service Support Added to SoftCell ATM/IMA

SoftCell ATM/IMA now supports UBR, VBR and CBR settings identical to those
previously supported in ImageStream's ATM DS3 and OC3 hardware adapters.
SoftCell also has an improved cell scheduler with the ability to interleave
cells from multiple PVCs.


DHCP Server Support Added to Inetics

A full-featured DHCP server has been added to the 4.2.7 release and integrated
into the Inetics interface configuration. The DHCP server is very easy to
configure and supports most commonly used DHCP server features.

For more information on DHCP server configuration, please visit
http://support.imagestream.com/DHCP_Server_Configuration.html


PIM Multicast Routing Support Added to Inetics

Previous ImageStream Linux releases had basic PIM V2 support that was not
configured via Inetics. Version 4.2.7 adds enhanced PIM V2 support integrated
into the Inetics interface configuration.


Enhanced RADIUS Support for PPPoE/PPPoA/L2TP

Version 4.2.7 supports RADIUS bandwidth limiting on a per-user basis via the
ASCEND_DATA_RATE (rx) and ASCEND_XMIT_RATE (tx) RADIUS attributes. PPPoE, PPPoA
and L2TP sessions can now have their transmit and receive bandwidth limited
using these RADIUS attributes. The stats utility has been updated to show
users' download and upload speeds.  Other attributes now supported include
FRAMED_IP_NETMASK, FRAMED_MTU, and FRAMED_ROUTE. Failover support has been
improved and the ability to specify separate authentication and accounting
servers has been added.


New Command to Show Current PPPoE/PPPoA/L2TP Users

A new command "ppp-users" has been added to the system. This command displays a
list of current PPPoE, PPPoA and L2TP users, the interface they're logged in
from, their user name and their IP address. This command can be used from the
command prompt.


OpenSSL, OpenSSH and zlib Potential Vulnerabilities Patched

Version 4.2.7 includes the latest versions of the OpenSSL and zlib libraries
that patch potential vulnerabilities.


OpenVPN Enhancements

OpenVPN has been updated to version 2.0.7. It is now configured via the Inetics
interface configuration, and includes a highly scalable server mode for handling
multiple TCP/UDP clients with a single port number. Server mode enables a
simplified and usually identical client configuration, with centralized
server-side management of client IP addresses, routes and other tunnel options
using the new server push feature.

For more information on OpenVPN server configuration, please visit
http://support.imagestream.com/OpenVPN_Server_Configuration.html


Quagga Enhancements

Quagga 0.99.5 adds SMUX support, debugging and status information, and fixes
many problems with BGP and OSPF. All versions of Quagga prior to 0.99 used a
synchronous messaging interface between the BGP, OSPF and Zebra processes. This
could lead to dropped BGP sessions under certain circumstances such as when
short keepalive timers were used. Also included in version 4.2.7 is a new
Quagga periodic timer which checks the kernel routing table to ensure the
kernel stays in sync with Quagga. An out-of-sync event could happen in previous
versions when a BGP interface was shut down or had an IP address added, changed
or removed.


Added Unstructured/Unframed and CRC4 support to 604 and 608 E1 cards

Version 4.2.7 adds unstructured/unframed and CRC4 support to the 4 and 8 port
E1 cards.


VRRP Now Supports Subnet Mask and Broadcast Address Options

Version 4.2.7 adds a subnet mask and broadcast address specification to the vrrp
command. Previous versions required all backup routers to allocate an IP
address in the same subnet as the master router. These extra allocations are
wasteful and often not possible with small subnets. These options allow a
backup router to take over the VRRP IP address without allocating a second IP
address in the VRRP subnet.


Dumpleases Added to UDHCP server

The dumpleases utility has been added to the UDHCP package. This utility is
required to view information on DHCP leases handed out by the udhcpd server.
Previous releases included the udhcpd server as a simple stand-alone DHCP
server with no Inetics integration. Version 4.2.7 includes a new full-featured
DHCP server with Inetics integration. This utility is useful for customers who
prefer to use the older stand-alone udhcpd server.


Persistent Command Tracking in Configmgr

Configmgr now has the ability to keep track of daemons and restart them if they
exit for any reason. Configmgr now tracks OpenVPN and pimd processes. It is
possible for an OpenVPN client process to terminate if invalid server push
options are specified. With persistent command tracking, invalid options from
the server will not require an administrative restart on the client.


Configmgr Logs Messages via Syslog

Configmgr now logs all messages to syslog. Users can view the router event log,
if enabled, to see configmgr messages.


Added Support for netfilter "recent" module

Version 4.2.7 adds support for the iptables "recent" module which can be used to
prevent brute force attacks and stop network scans.
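
The following is an added example, not taken from ImageStream's documentation: a
shell function that prints standard iptables commands using the "recent" match
to throttle repeated new connections from one source. The INPUT chain, port 22,
list name SSH and the 60-second/4-hit threshold are assumed values; matching on
--syn rather than connection state means no connection tracking module is needed.

```shell
#!/bin/sh
# Added example (constructed): emit iptables commands that throttle new TCP
# connections per source address with the "recent" match.
# Assumed values, not from the release notes: INPUT chain, port 22,
# list name SSH, 60-second window, 4 hits.

recent_rules() {
    port=$1 window=$2 hits=$3 list=$4
    for n in "$port" "$window" "$hits"; do
        case $n in
            ''|*[!0-9]*) echo "not a number: '$n'" >&2; return 1 ;;
        esac
    done
    case $list in
        ''|*[!A-Za-z0-9_]*) echo "bad list name: '$list'" >&2; return 1 ;;
    esac
    # "recent" keeps 20 timestamps per address by default (ip_pkt_list_tot),
    # so a hitcount above 20 could never be reached.
    if [ "$hits" -lt 1 ] || [ "$hits" -gt 20 ]; then
        echo "hitcount must be 1-20" >&2; return 1
    fi
    match="-p tcp --syn --dport $port -m recent --name $list"
    # Rule 1 has no target: it only records the source address and time.
    echo "iptables -A INPUT $match --set"
    # Rule 2 drops once the source has $hits entries inside the window;
    # --update refreshes the entry, so a source that keeps retrying stays blocked.
    echo "iptables -A INPUT $match --update --seconds $window --hitcount $hits -j DROP"
    # Rule 3 admits everything below the threshold.
    echo "iptables -A INPUT -p tcp --syn --dport $port -j ACCEPT"
}

# Print the rule set for the assumed SSH policy; review before applying.
recent_rules 22 60 4 SSH
```

With these values the fourth and later connection attempts from one address
inside 60 seconds are dropped, while other sources are unaffected.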



The following bugs have been fixed in Version 4.2.7:


bwadd Doesn't Work for IP-based Rate-Limiting

Version 4.2.6 incorrectly added tc filters to the wrong parent class for IPs
specified with the "--ip" command. Version 4.2.7 correctly adds filters to the
proper parent class.


530 Series DS3/E3 Card Queues Can Stall Under Heavy Transmit Loads

Version 4.2.7 fixes a driver problem with the 530 series DS3/E3 cards.  In
previous 4.2 releases, the 530 series DS3/E3 cards could periodically encounter
a panic condition with heavily loaded transmit queues.  Version 4.2.7 corrects
the queue problem that causes this error.


SoftCell ATM PVCs Stop Transmitting Under Specific Conditions

Version 4.2.7 fixes several related driver problems with interfaces that support
SoftCell ATM for T1 and E1.  Previous versions would periodically stop
transmitting with a "NULL token" error or a "transmit timed-out" error.  The
new PVC scheduling in Version 4.2.7 corrects this problem.


Improper Interface Restarting with ATM PVC Range Statement

The 4.2.7 release fixes a reload problem with certain ATM PVCs being restarted
when nothing on the PVC changed. The restart could disconnect PPPoE/PPPoA users
unnecessarily. Exceptions to ATM PVC ranges no longer trigger a PVC restart when
the configuration is reloaded.


Fix Hardware Status Monitoring with the 1104-O3 POS Card

Version 4.2.7 fixes problems with the 1104-O3 card's ability to detect hardware
status transitions. Previous versions used an interrupt-based method which
could miss a hardware up event if another transient line condition was also
present.


Fix Stability Problem with the 1104-O3 POS Card in Rebel Routers

The 4.2.7 release includes numerous stability enhancements for the 1104-O3 POS
Card including an interrupt lockup issue when the card is installed in a Rebel
Router.


430-TE Card Transmit Timeout and Rx Overrun Recovery Bug

Version 4.2.7 solves a race condition in the 430-TE driver which could lead to
occasional transmit timeout errors. The receive overrun handling was also
reworked so that the entire card is not reset on Rx overruns to solve a
receiver lockup problem on certain platforms.


IPCP Negotiation Problem with Multilink PPP

Previous releases negotiated IPCP for each link instead of just once for the 
Multilink PPP bundle. This caused interoperability problems with Huawei routers.


QOS on VLAN Interfaces Did Not Function Properly

Transmit queues have been enabled on VLAN interfaces to allow QOS to function
properly on VLAN interfaces.


L2TP Fixes

Version 4.2.7 solves several problems with L2TP. An error condition could cause
a NULL pointer to be passed to the kernel causing a crash. A UDP socket control
bug could lead to certain tunnels going down, getting stuck in the CLOSING
state and not re-establishing connectivity with the LAC.


Cisco HDLC SLARP Requests Freed Memory Twice

Version 4.2.7 fixes a bug in the Cisco HDLC SLARP request processing that caused
memory to be freed twice resulting in a kernel panic.


Updated Ethernet Networking Drivers

Updated drivers include the E100 and E1000 drivers from Intel, Tigon3 (3Com
GigE), National Semiconductor (Envoy) and RealTek 8169 (Latest R1).


Source NAT with Multiple Providers Did Not Function Properly

Version 4.2.6 removed a routes patch which performs a source IP lookup from
the connection tracking table prior to making routing decisions. The patch
was thought to have caused problems with source NAT and multiple providers.
The patch was not the problem. An ip rule statement is needed in addition to
the routes patch for multi-provider SNAT. The routes patch is included again in
the 4.2.7 release.  


Communications Problems between PPPoE over ATM and ATM Route-bridged Interfaces

Version 4.2.7 fixes a Linux netfilter bridging bug with PPPoE over ATM and ATM
Route-bridged interfaces. Packets received on route-bridged interfaces would
have their ethernet headers mangled when transmitting them on a PPPoE over ATM
interface.


E1000 Does not Support Forced Speed and Duplex Settings

Version 4.2.7 fixes an inability to set Speed or Duplex settings on the E1000
Gigabit Ethernet adapter. This release also fixes a spinlock bug present in the
Intel E1000 driver which can cause an SMP router to freeze when ethtool is used
to set the speed or duplex.


Connection Tracking/NAT Enhancements

The 4.2.7 release includes a rework of the Linux connection tracking module core
and its handling of table overflows. The new code works harder to remove invalid
connections from network scans before resorting to an overflow event - i.e.
dropping a new connection when the table is full. This release also increases
the size of the conntrack hash table and maximum number of connections tracked.
These changes greatly reduce occurrences of table overflows and result in better
performance when connection tracking is enabled.


Displaying Firewall Rules and Packet Counters Loads Connection Tracking Modules

Version 4.2.7 fixes a problem with the "Display rules and packet counters" menu
option. The option would inadvertently load the connection tracking module even
if no NAT rules were present in the firewall configuration. This could lead to
higher CPU utilization, higher memory consumption and connection tracking table
overflows on routers that were not configured for connection tracking.


Pico Editor Word Wrap Creates Errors in Firewall Configuration

Version 4.2.7 disables pico word wrap which caused problems in configuration
files with very long lines - most notably the firewall configuration file.


Configmgr Didn't Properly Set Path Cost or Port Priorities on Bridges

Version 4.2.7 fixes a problem with Configmgr not setting the specified path cost
or port priorities on bridge groups.


ARP Entries Created for Interfaces with IFF_NOARP set

Version 4.2.7 fixes a problem with ARP entries being added on point-to-point
interfaces with ARP disabled. Routes added via device name (Serial0) instead of
gateway IP address would have hidden ARP entries added for each unique
destination. Those hidden ARP entries could not be shown using userspace commands but
were present and could lead to neighbour table overflows on very busy routers.