[sip-router] / NEWS

Release notes for SIP Express Router (ser)
***********************************************

$Id$



2.1.0 changes

modules:
 - textops   - functions:
                        - remove_hf_re("regexp") -- filter message headers out
                          by matching the header name field against a regular
                          expression.
 - avp       - export new selects table to allow dissecting the content of an
               attribute by interpreting it as a "name-addr" value 
 - auth      - experimental support for one-time nonces: when enabled a nonce
               will be accepted only for one response (each new request will
               be challenged). See one_time_nonce.
             - experimental support for nc checking when qop=auth
               (fast, non-locking implementation, see nonce_count, 
                nc_array_size, nc_array_order and nid_pool_no) 
             - switched to base64 nonces
             - record nonce generation time inside the nonce so that a 
               received nonce can be checked against ser start time
               (if older => stale). This allows gracefully handling ser
               restarts with different auth configs.
             - added extra authentication checks support, to protect
               against various reply attacks.
             - params:
                       - nonce_auth_max_drift - maximum difference in seconds
                          from the current time, if a nonce appears to be
                          created in the future (if exceeded the nonce is 
                          considered stale).
                       - one_time_nonce - if enabled each nonce is allowed 
                          only once => each new request (including 
                          retransmissions!) will be challenged. It should be
                          used only in stateful mode (so that tm deals with
                          the retransmissions). The major disadvantage is that
                          the UA won't be able to used any cached credentials
                          (=> extra messages, extra round trips, more work for
                           the proxy)
                       - otn_in_flight_no - maximum number of in-flight nonces
                          for one-time-nonces. It must be a number of the form
                          2^k (if not it will be automatically rounded down).
                          The memory used will be otn_in_flight_no/8
                       - otn_in_flight_order - like otn_in_flight_no, but 
                          instead of specifying the number as 2^k, it directly
                          sets k (otn_in_flight_no=2^otn_in_flight_order)
                       - nonce_count - if enabled and qop=auth or 
                          qop=auth-int, store and check received nc values
                          (for details see rfc2617 and auth/doc). It should be
                          used only in stateful mode (so that tm deals with
                          the retransmissions which would otherwise be 
                          challenged). The major advantage is greatly 
                          enhanced security (extremely small probability of
                          a succesfull replay attack) combine with support
                          for cached credentials (if the UAs do support qop 
                          and auth)
                       - nc_array_size - size of the array used for storing
                          nc values, default 1Mb. It will be rounded down to
                          a 2^k value. It represents the maximum number of
                          in-flight nonces supported
                       - nc_array_order - equivalent to nc_array_size, but 
                          instead of specifying the size in bytes, it can 
                          be used to directly set the power of 2 used
                          (nc_array_size=2^nc_array_order)
                       - nid_pool_no - number of nc and one-time-nonce array 
                          and index partitions, useful for increasing 
                          performance on multi-cpu systems (default 1,
                          recommended 4)
                       - auth_checks_register, auth_checks_no_dlg, 
                         auth_checks_in_dlg - flags specifying which extra
                          message part/parts will be checked for change before
                          allowing nonce reuse. See the auth module docs for
                          for more information (modules/auth/README).
 - blst      - new module containing script blacklist manipulations functions
               (the source of a message can be blacklisted, removed from the
                blacklist or checked for presence in the blacklist).
 - tm        - added t_reset_fr(), t_reset_retr(), t_reset_max_lifetime()
             - t_relay_to renamed to t_relay_to_avp (undocumented function)
             - t_relay() can now also take host and port parameters (e.g.
               t_relay(host, port)), behaving like a statefull 
               forwad(host, port) version (forward to host:port using the same
               protocol on which the message was received)
             - t_relay_to_udp(), t_relay_to_tcp() and t_relay_to_tls() work
               now even with no parameters: in this case the message is 
               forwarded using the request uri, but with the specified protocol
               (equivalent to a t_relay() with a forced protocol)
             - method for canceling unreplied branches can now be selected
               using the new cancel_b_method tm parameter.
             - support for adding a 503 reply source to the blacklist for
               the time specified in the Retry-After header (see the new tm
               parameters blst_503, blst_503_def_timeout, blst_503_min_timeout
               and blst_503_max_timeout).
             - different error replies for too many branches (500 but with
               different text), resolve error (478) or send error
               (477).
             - tm can be configured not to automatically send 100 replies
               for invites either globally (see the auto_inv_100 parameter)
               or on a per transaction basis (see t_set_auto_inv_100(...))
             - t_relay* error reply are delayed till the end of the script
               to allow the script writer to overwrite them
             - branches are always canceled hop by hop
             - cancels for silently canceled branches (no replies ever 
               received) are automatically generated if later a provisional
               reply arrives on such a branch
             - noisy_ctimer is now 1 (on) by default
             - added maximum transaction lifetime - a transaction is not
               allowed to be active longer then this interval. See
               t_set_max_lifetime(), max_inv_lifetime and max_noninv_lifetime.
             - support for changing the retransmission intervals on the fly,
               on a per transaction basis (it is enabled if tm is compiled
               with -DTM_DIFF_RT_TIMEOUT -- default): t_set_retr(t1, t2).
             - transaction are deleted the moment they are not referenced 
               anymore (removed the need for the delete timer) -- this 
               should improve memory usage on very busy proxies.
             - lots of callbacks added
             - new onsend callbacks support (require defining TMCB_ONSEND prior
               to compiling tm)
             - behaviour when receiving a CANCEL which doesn't match any 
               transaction can be selected using the unmatched_cancel param.
             - params: 
                        - cancel_b_method - selects one of the three methods
                          for dealing with unreplied branches when the 
                          transaction must be canceled. The possible values
                          are 0 (old behaviour) for stopping request 
                          retransmission on the branch and act as if 
                          the branch was immediately replied with a 487,
                          1 for continuing to retransmit the request until an
                          answer is received or the timeout kicks in (default)
                          and
                          2 for stopping the request retransmission and sending
                          CANCEL on the branch (not rfc conforming).
                          For more information see tm docs.
                        - blst_503 - if set and if the blacklist is used
                          (use_dst_blacklist=1), add the source of a 503 reply
                          to the blacklist
                        - blst_503_def_timeout - if the Retry-After header from
                          a 503 reply is missing, use this value for the 
                          blacklist timeout (in s). Depends on blst_503.
                          The default value is 0 ( do not blacklist if no
                          Retry-After is present).
                        - blst_503_min_timeot (in s) - if the 503 reply 
                          Retry-After header value is less, use this value
                          for the blacklist timeout. Depends on blst_503.
                          The default value is 0.
                        - blst_503_max_timeout (in s) - if the 503 reply 
                          Retry-After header value is greater, use this value
                          instead. Depends on blst_503.
                          The default value is 3600 s.
                        - auto_inv_100 - if set (default) tm will automatically
                          send an 100 reply to INVITEs (see also 
                         t_set_auto_inv_100())
                        - noisy_ctimer is now 1 by default
                        - max_inv_lifetime & max_noninv_lifetime - default
                          maximum lifetimes for an invite or non-invite 
                          transaction. After this interval has passed from 
                          the transaction creation the transaction will be 
                          either switched into the wait state or in the
                          final response retransmission state => a transaction
                          will be kept in memory for maximum: 
                           max_*inv_lifetime + fr_timer /*ack w.*/ +wait_timer.
                        - unmatched_cancel - selects between forwarding cancels
                           that do not match any transaction statefully (0, 
                           default value), statelessly (1) or dropping them
                           (2). Note that the statefull forwarding has an 
                           additional hidden advantage: tm will be able to
                           recognize INVITEs that arrive after their CANCEL.
                           Note also that this feature could be used to try
                           a memory exhaustion DOS attack against a proxy that
                           authenticates all requests, by continuously flooding
                           the victim with CANCELs to random destinations 
                           (since the CANCEL cannot be authenticated, each
                           received bogus CANCEL will create a new transaction 
                           that will live by default 30s).
             - functions:
                        - t_reset_fr() -- resets the current transaction 
                          fr_inv_timer and fr_timer to the default values
                          (set via the tm modparams fr_inv_timer and fr_timer).
                        - t_reset_retr() -- resets the current transaction
                          retransmission intervals on the fly, to the default
                          values (set via the tm modparams retr_timer1 and 
                          retr_timer2).
                        - t_reset_max_lifetime() -- resets the current 
                          transaction maximum lifetime to the default value
                          (set via the tm  modparam max_inv_lifetime or 
                           max_noninv_lifetime).
                        - t_grep_status("code") -- returns true if any branch
                          received code as the final reply (or if no final 
                          reply was yet received, but a "code" provisional 
                          reply).
                        - t_set_auto_inv_100(on/off) - switch automatically
                          sending 100 replies to INVITEs on/off on a per
                          transaction basis. It overrides the tm param.
                          auto_inv_100.
                        - t_set_max_lifetime(inv, noninv) - changes the 
                          maximum transaction lifetime on the fly, for the
                          current or next to be created transaction.
                        - t_set_retr(t1, t2) - changes the retransmissions
                           intervals on the fly, on a per transaction basis.
core:
             - partial cygwin (windows) support revived: core+static modules, 
               no ipv6, no tcp, no dynamic modules
             - most of the config variables can now be changed on the fly,
               without ser restart  (migration work in progress)
             - tcp improvements (better tcp timers, send fd cache, special
                options support)
             - dns naptr support (see dns_try_naptr and dns_<proto>_pref)
             - dns srv based load balancing support (see dns_srv_lb)
             - support for locking ser's pages in memory, pre-mapping
               all the shared memory on startup (fill it with 0)
             - real time options
             - devel: new PROC_INIT rank, init_child(PROC_INIT) called first
             - futex support on linux (better behaviour when waiting on 
               long held locks, almost no performance impact otherwise)
             - when dns search list was used for resolution, store the "link"
               between the short name and long name in cache as CNAME record

new config variables:
  server_id = number - A configurable unique server id that can be used to
                       discriminate server instances within a cluster of
                       servers when all other information, such as IP adddresses
                       are same.
  loadpath = <modules path> - directory where to load the modules from (-L
     equivalent); modules can be loaded simply by specifying their name
     (loadmodule "maxfwd")
  tcp_fd_cache = yes | no (default yes) - if enabled FDs used for sending
     will be cached inside the process calling tcp_send (performance increase
     for sending over tcp at the cost of slightly slower connection closing and
     extra FDs kept open)
  tcp_buf_write = yes | no (default no) - if enabled all the tcp  writes that 
     would block / wait for connect to finish, will be queued and attempted
     latter (see also tcp_conn_wq_max and tcp_wq_max).
  tcp_conn_wq_max = bytes (default 32 K) - maximum bytes queued for write 
     allowed per connection. Attempting to queue more bytes would result
     in an error and in the connection being closed (too slow). If 
     tcp_write_buf is not enabled, it has no effect.
  tcp_wq_max = bytes (default 10 Mb) - maximum bytes queued for write allowed
     globally. It has no effect if tcp_write_buf is not enabled.
  tcp_defer_accept =  yes | no (default no) on freebsd  / number of seconds
        before timeout on linux (default disabled) - tcp accepts will be 
        delayed until some data is received (improves performance on proxies
        with lots of opened tcp connections). See linux tcp(7) TCP_DEFER_ACCEPT
        or freebsd ACCF_DATA(0). For now linux and freebsd only.
        WARNING: the  linux TCP_DEFER_ACCEPT is buggy (<=2.6.23) and doesn't 
         work exactly as expected (if no data is received it will retransmit 
         syn acks for ~ 190 s, irrespective of the set timeout and then it will
         silently drop the connection without sending a RST or FIN). Try to 
         use it together with tcp_syncnt (this way the number of retrans.
          SYNACKs can be limited => the timeout can be controlled in some way).
  tcp_delayed_ack  = yes | no (default yes when supported) - initial ACK for
        opened connections will be delayed and sent with the first data
        segment (see linux tcp(7) TCP_QUICKACK). For now linux only.
  tcp_syncnt = number of syn retr. (default not set) - number of SYN 
        retransmissions before aborting a connect attempt (see linux tcp(7)
        TCP_SYNCNT). Linux only.
  tcp_linger2 = seconds (not set by default) - lifetime of orphaned sockets
        in FIN_WAIT2 state (overrides tcp_fin_timeout on, see linux tcp(7) 
        TCP_LINGER2). Linux only.
  tcp_keepalive = yes | no (default yes) - enables keepalive for tcp.
  tcp_keepidle  = seconds (not set by default) - time before starting to send
         keepalives, if the connection is idle. Linux only.
  tcp_keepintvl = seconds (not set by default) - time interval between 
         keepalive probes, when the previous probe failed. Linux only.
  tcp_keepcnt = number (not set by default) - number of keepalives sent before
         dropping the connection. Linux only.
  tcp_crlf_ping = yes | no (set by default) - enable CRLF keepalives aka
         SIP outbound.
  pmtu_discovery = 0 | 1 (default 0) - set DF bit in outbound IP if enabled
  dns_srv_lb = yes | no (default no) - enable dns srv weight based load 
    balancing (see doc/dns.txt)
  dns_try_naptr = yes | no (default no) - enable naptr support 
    (see doc/dns.txt for more info)
  dns_{udp,tcp,tls}_pref = number - ser preference for each protocol when
    doing naptr lookups. By default dns_udp_pref=3, dns_tcp_pref=2 and 
    dns_tls_pref=1. To use the remote site preferences set all dns_*_pref to 
    the same positive value (e.g. dns_udp_pref=1, dns_tcp_pref=1, 
    dns_udp_pref=1). To completely ignore NAPTR records for a specific 
    protocol, set the corresponding protocol preference to -1 (or any other 
    negative number).  (see doc/dns.txt for more info)
  dns_search_full_match = yes | no (default yes) - when name was resolved using
    dns search list, check the domain added in the answer matches with one from
    the search list (small performance hit, but more safe)
  mlock_pages = yes |no (default no) - locks all ser pages into memory making 
    it unswappable (in general one doesn't want his sip proxy swapped out :-))
  shm_force_alloc = yes | no (default no) - tries to pre-fault all the 
    shared memory, before starting. When on start time will increase, but
    combined with mlock_pages will guarantee ser will get all its memory from
    the beginning (no more kswapd slow downs)
  real_time = <int> (flags) (default off). - sets real time priority
     for all the ser processes, or the timers. 
     Possible values:   0  - off
                        1  - the "fast" timer
                        2  - the "slow" timer
                        4  - all processes, except the timers
     Example: real_time= 7 => everything switched to real time priority.
  rt_prio = <int> (default 0) - real time priority used for everything except
     the timers, if real_time is enabled
  rt_policy= <0..3> (default 0)- real time scheduling policy, 0 = SCHED_OTHER,
     1= SCHED_RR and 2=SCHED_FIFO
  rt_timer1_prio=<int> (default 0) - like rt_prio but for the "fast" timer
     process (if real_time & 1)
  rt_timer1_policy=<0..3> (default 0) - like rt_policy but for the "fast" timer
  rt_timer2_prio=<int> (default 0) - like rt_prio but for the "slow" timer
  rt_timer2_policy=<0..3> (default 0) - like rt_policy but for the "slow" timer
  tcp_source_ipv4 = IPv4 address
  tcp_source_ipv6 = IPv6 address
    Set the given source IP for all outbound TCP connections.
    If setting the IP fails the TCP connection will use the default.
  dns_cache_init = on | off (default on) - if off, the dns cache is not
    initialized at startup and cannot be enabled runtime, that saves some
    memory.
  dst_blacklist_init = on | off (default on) - if off, the blacklist
    is not initialized at startup and cannot be enabled runtime,
    that saves some memory.

build system:
 - check defines and includes used at compile time and if different 
   force rebuilding everything in the current dir (creates a new file: 
   makecfg.lst that stores the compile defines & includes used at compile 
   time)
 - make cfg / config support: store the build config in an autogenerated file 
   (config.mak) and use it for future compiles (e.g.: 
   make cfg include_modules=mysql skip_modules=print CPU=pentium-m; make all).
   Main advantages are easier usage and faster builds (e.g. make proper is
    +16 times faster, make clean ~9 times, make with previously generated
    config is 2.6 times faster and a make that has nothing to do is ~9 times
    faster).




2.0.0 changes


new archs:


modules:
 - tls        - new module that enables tls support (set enable_tls=yes
                in the config file and load the tls module)
 - ctl        - new  fifo/unixsocket/xmlrpc like module, using a space 
                efficient binary encoding for the requests.
                It supports multiple clients on tcp, udp, unix stream or
                unix datagram modes. By default (no modparams) it opens
                one unix stream control socket in /tmp/ser_ctl.
                It also includes extended fifo support: multiple fifos,
                fifo over tcp, udp and unix sockets (see ctl/ctl.cfg).
                Use utils/sercmd/sercmd to send commands to it.
 - dispatcher - added hashing after request uri and to uri
              - added a new flag parameter which can be used (for now) to
                select only the username or the username, host and port when
                hashing after an uri (to, from or request uri)
              - improved uri hashing (password is ignored, port is used only
                if != 5060 or 5061)
 - tm        - aggregate challenges (WWW/Proxy-Authenticate) from all the
               401 & 407 if the final reply is a 401/407. To turn this off
               and fall back to the old behaviour set tm aggregate_challenges
               parameter to 0.
             - if a relayed 503 is the final reply, replace it by a 500
             - if a 503 reply is received try the dns based failover
               (forward to another ip if the original destination uri 
                resolved to several SRV, A or AAAA records)
             - on 6xx immediately cancel all the branches for which a 
               provisional response was received and wait for all the 
               branches to finish (either timeout, the 487 from the CANCEL
               or a final response still on the wire in the moment the
               CANCEL was sent)
             - better final reply selection: 6xx is preferred over other 
               negative replies; from several 4xx prefer 401, 407, 415, 420,
               484 (in this order). For all the other cases, return the lowest
               code (as before)
             - special functions for checking for timeout, if a reply was
               received or if the current transaction was canceled
             - dns failover and dst blacklist support
             - migrated to the new timers (tm timers completely rewritten)
             - improved speed and less memory usage
             - much more precise retransmissions timing
             - params: - retr_timer1p1, retr_timer1p2, retr_timer1p3 removed
                         and replaced by retr_timer1 and retr_timer2
                       - all timer values are now expressed in milliseconds
                         (they were in seconds before).
                         Affected params: fr_timer, fr_inv_timer, wt_timer,
                         delete_timer, retr_timer1, retr_timer2
                       - retr_timer1 (first retransmission) changed to 500 ms
                       - delete_timer changed to 200 ms
                       - unix_tx_timeout expressed now in milliseconds; default
                         value changed to 500 ms
             - functions:
                       - t_branch_timeout() -- returns true if the failure
                         route is executed for a branch that did timeout
                         (failure_route only).
                       - t_branch_replied() -- returns true if the failure 
                         route is executed for a branch that did receive at
                         least one reply in the past (the current reply 
                          is not taken into account). It can be used
                         together with t_branch_timeout() to distinguish 
                         between a remote side that doesn't respond (some 
                         provisional reply received) and one that is completely
                          dead. (failure_route only)
                       - t_any_timeout() -- returns true if any of the current
                         transaction branches did timeout.
                       - t_any_replied() -- returns true if at least one branch
                          of the current transaction received one reply in the
                          past. If called from a failure_route or an
                          onreply_route, the "current" reply is not taken into
                          account.
                       - t_is_canceled() -- returns true if the current 
                         transaction  has been canceled.
                       - new t_set_fr(timeout_fr_inv, timeout_fr) -- allows
                         changing the transaction timer from script, even if
                         the transaction was already created (see tm docs for
                         more).
            - t_relay will not stop script execution anymore in case of
              send error
 - textops  - search() can be used in the onsend_route where it will search
              on the "new" message (after applying all script changes, adding
              Vias a.s.o) and not on the original message
 
core:
 - compiled by default with tls hooks support (so that no recompile is
   needed before loading the tls module and enabling the tls support)
 -  enable_tls config option added (the reverse of disable_tls)
 - added STUN keep-alive functionality in accordance with 
   draft-ietf-behave-rfc3489bis-04.txt
 - dns cache and dns failover support added (see doc/dns.txt)
 - destination blacklist added -- destinations to which forwarding fails
   (send error, tm timeout a.s.o) are temporarily added to a blacklist which 
    is consulted before each send => faster send error detection
    in the near future (see doc/dst_blacklist.txt)
 - default log level switched to 0 (only messages < L_WARN will be printed
   by default)
 - separate memdbg log level which controls the memory/malloc related
   debug messages (to see them ser must be compiled with malloc debuging:
     -DDBG_QM_MALLOC or -DDBG_FM_MALLOC and memdbg must be <= debug )
 - added named routes: names can be used instead of numbers in all the
   route commads or route declarations. route(number) is equivalent to
   route("number").
   Example:
     route("test");
      route["test"]{
           ...
     }
 - added named flags, declared at the beginning of the config file with:
     flags  flag1_name[:position],  flag2_name ...
   Example:
       flags test, a:1, b:2 ;
       route{
              setflag(test);
              if (isflagset(a)){ # equiv. to isflagset(1)
                ....
              }
              resetflag(b);  # equiv. to resetflag(2) 
 - added return [val] which returns from a route. if no value is specified, or
   a route reaches its end without executing a return statement, it returns 1.
   If return is used in the top level route is equivalent with exit [val].
 - drop /exit [n] now will end the script execution
   exit n will exit with code n (usefull in onreply/onsend routes where
   if script code !=0 a reply is generated/the message is sent or to force
   script errors)
 - added $? which can be used to check the return code of the last executed
   route{} (e.g. route(1); if ($?==1){ /* ... */}else if ($?==2) ... )
 - onsend_route added: special route executed before a request is sent.
                       Only a limited number of commands are allowed (drop, if
                       + all the checks, msg flag manipulations, send(), log(),
                       textops::search()). In this route the final destination
                       of the message is available an can be checked (with
                       snd_ip, snd_port, to_ip, to_port, snd_proto, snd_af).
                       This route is executed only when forwarding requests.
                       It's not executed for replies, retransmissions, or
                       locally generated messages (e.g. via fifo uac).
      short example:
            onsend_route{  if(to_ip==1.2.3.4 && !isflagset(12)){
                              log(1, "message blocked\n");
                              drop;
                           }
                         }
 - onsend_route specific checks:
     - snd_ip, snd_port - behave like src_ip/src_port, but contain the
       ip/port ser will use to send the message
     - to_ip, to_port - like above, but contain the ip/port the message will
       be sent to (not to be confused with dst_ip/dst-port, which are the
       destination of the original message: ser's ip and port on which the
       message was received)
     - snd_proto, snd_af - behave like proto/af but contain the 
       protocol/address family that ser will use to send the message
     - msg:len - when used in an onsend_route, msg:len will contain the length
       of the message on the wire (after all the changes in the script are
       applied, Vias are added a.s.o) and not the lentgh of the original 
       message
 - timer: - improved performance/precision, new api, see doc/timers.txt 
 - tcp: - improved  performance (io event handling), using OS specific
           optimizations
        - 1024 connections limit removed (see tcp_max_connections)
-  resolver: - timeouts, retries a.s.o can now be set from ser.cfg
             (see below dns_* and man resolv.conf(6)).
             The maximum time a dns request can take (before failing) is:
              (dns_retr_time*dns_retr_no)*(search_list_domains)
             If dns_try_ipv6 is yes, mutliply it again by 2.
             The fastest possible dns config (max 1s):
                dns_try_ipv6=no
                dns_retr_time=1
                dns_retr_no=1
                dns_use_search_list=no
- default on reply route added: onreply_route {.. } will add a default 
    onreply route that will be executed for any reply (usefull to catch
    replies without using tm)
- branch_routes added (tm triggered), only a very limited number of commands
   are available (see tm docs)
- avps directly accessible from script with %avp_name (variable style)
new config variables:
   enable_tls/disable_tls = enable/disable tls support, default disable.
       Note: a tls "engine" is still needed (e.g. the tls module must
              be loaded, enable_tls by itself is not enough).
   exit_timeout = seconds - how much time ser will wait for all the shutdown
       procedures to complete. If this time is exceeded, all the remaining
       processes are immediately killed and ser exits immediately (it might
       also generate a core dump if the cleanup part takes too long).
       Default: 60 s. Use 0 to disable.
   stun_refresh_interval = number in millisecond (default 0); value for 
      attribute REFRESH INTERVAL
   stun_allow_stun = 0 | 1 (off | on - default 1); use STUN or not if compiled
   stun_allow_fp = 0 | 1 (off | on - default 1); use FINGERPRINT attribute
   use_dns_cache = on | off  (default on)  
   use_dns_failover = on | off (default off)
   dns_cache_flags = number (default 0)
   dns_cache_negative_ttl = number in seconds (default 60)
   dns_cache_min_ttl = time in seconds (default 0)
   dns_cache_max_ttl = time in seconds (default MAXINT)
   dns_cache_mem = maximum memory used for the dns cache in Kb (default 500 K)
   dns_cache_gc_interval = interval in seconds after which the dns cache is
      garbage collected (default: 120 s)
   use_dst_blacklist = on | off (default off)
   dst_blacklist_expire = time in s (default 60)
   dst_blacklist_mem = maximum memory used for the blacklist in Kb (default 250
      K)
   dst_blacklist_gc_interval = interval in seconds after which the destination 
      blacklist is garbage collected (default 60)
   tos = number  - ip type of service (TOS) value
   dns_try_ipv6 = yes/no - if yes and a dns lookup fails, it will retry it
      for ipv6 (AAAA record). Default: yes
   dns_retr_time = time - time in s before retrying a dns request.
      Default: system specific, depends also on the/etc/resolv.conf content
      (usually 5s).
   dns_retr_no = no. - number of dns retransmissions before giving up.
      Default: see above (usually 4)
   dns_servers_no = no. - how many dns servers from the ones defined in 
      /etc/resolv.conf will be used. Default: all of them.
   dns_use_search_list= yes/no - if no, the search list in /etc/resolv.conf
      will be ignored (=> fewer lookups => gives up faster). Default: yes.
      HINT: even if you don't have a search list defined, setting this option
      to "no" will still be "faster", because an empty search list is in 
      fact search "" (so even if the search list is empty/missing there will
      still be 2 dns queries, eg. foo+'.' and foo+""+'.')
   tcp_connection_lifetime = value (s) - how long the lifetime of a
      tcp connection will be exteneded after an IO event (accept, connect, 
      read, write). Default: 120 s.
   tcp_poll_method = poll|select|epoll_et|epoll-lt|kqueue|devpoll - poll
      method used (by default the best one for the current OS is selected)
   tcp_max_connections = no. - maximum number of tcp connections (if the number
      is exceeded no new tcp connections will be accepted). Default: 2048.

tools:
  utils/sercmd - command line serctl like tool for interrogating ser ctl
                 module (uses the binrpc encoding). Supports various
                 connection methods (udp, tcp, unix stream & datagram sockets),
                 reply formating (see -f, e.g. sercmd -f "pid:%v %v\n" core.ps)
                 , interactive mode, command line completion (if compiled with 
                 libreadline) a.s.o.

WARNING: - older 0.10.99-dev version (< 0.10.99-dev46) returned a 480 reply
 on invite transaction timeout, if a provisional reply was received. Newer
 versions reverted to returning 408 on all timeouts (one can use 
  t_branch_timeout() and t_branch_replied() to distinguish between the two
  timeout types)



0.9.4 fixes/improvements (0.9.4 is a bug fix release for 0.9.3)
 
general:
 - gcc 4.0 support
 - mutlicast options are set for all the sockets
 - mediaproxy: memory leak, unchecked memory allocations
 - postgress: some bugs and cleanups (compiles cleanly now)
 - tm: shm cloned lumps (SER-55) 
 - tm: t_fifo: 64-bit fix
 - tm: dst_uri clone fix
 - tm: t_newtran/t_restransmit* races  (!)
 - usloc: memory leak

solaris:
 - serctl, better ISA detection, signals
*bsd:
 - multicast options are properly set
openbsd:
 - tcp 64 bit fix



0.9.3 changes


new archs:
 - alpha experimental support
 - mips2/cobalt experimental support
 - x86_64 support
 - OS X (darwin) support
 - sparc32 single cpu highly experimental support
 - ppc64 support

modules:
 - enum - support for more than one NAPTR
 - msilo - explicit multidomain support -- recipient's user ID is stored in
   the columns username and domain -- r_uri column kept for compatibility
   reasons (will be removed in future) but not filled by this version of
   module
 - mysql - implements a connection pool, all modules will use same connection
   to access the database
 - nathelper received port  test (flag 16 for nat_uac_test): compares the
   source port of the message with sip port in the first Via and returns
   true if different.
 - permsions - support for multiple allow/deny files, allow_register function
 - TM has a new parameter: restart_fr_on_each_reply. If set (default)
   fr_inv timer will be restarted for each provisional reply, if not set
   it will be restarted only for the first reply and for replies >=180
   (but only if increasing, eg.: 180, 181 ...). Usefull when dealing with bad
   UAs that re-transmit 180s.
 - TM saves the avp list into transactions, and make it available into
   callbacks, failure and reply routes.
 - TM contains new command - t_write_unix("/tmp/sems.sock", "announcement")
   sends a message using unix socket interface instead of FIFO interface.
 - TM contains new config variable - unix_tx_timeout -- it specifies the
   transmit timeout of t_write_sock
 - VM functionality was transfered into TM module. Instead of fetching the
   email value from DB (as VM), TM looks for the "email" attribute to get the
   value.
   vm() function was replaced with t_write_req()
   vm_reply() fifo functions was replcated by TM with t_reply() fifo function
   NOTE!! because current version of SEMS/AA try to send reply via vm_reply,
   it will not work with the TM version.
 - xlog - printing the body of any header by specifying the name; new
   specifiers for user-agent, message buffer, message length, message's flags,
   message id.

new modules:
 - avp / avp_db / avp_radius - load and check avps per caller or callee
 - avpops - flexible module for operations with avps and database, introducing
   a pseudo-varible support in SER configuration file
 - cpl-c - implementation of Call Processing Language
 - dispatcher - implements a dispatcher for incoming requests using hashes
   over parts of the request to select the destination
 - diversion - implements the Diversion extensions as per 
   draft-levy-sip-diversion-08
 - flatstore - simple module that implements very fast inserts for accounting
   purposes
 - gflags - keeps a bitmap of flags in shared memory and may be used to change
   behaviour of server based on value of the flags
 - options - answer server options requests
 - speeddial - provides on-server speed dial facilities
 - uri_db - split from uri module, performs various checks related to SIP URI
   over database fields

removed modules:
 - vm - the functionality was transfered to tm module (see t_write_req(...)
   method)

core:
 - new parts:
       UNIX domain socket server implemented
 - changes: 
    - command line: removed -p port and extended -l:
       -l [proto:]addr[:port] , where proto=udp|tcp and 
       addr= host|ip_address|interface_name. The format is the same
       as for listen in the config file. ipv6 addresses must be enclosed in
       [].
    - added from_uri & to_uri: behave exactly like uri but use the
      "From:"/"To:" uris
       (e.g.: if (from_uri==myself) ..., if (to_uri=~"^sip:test@")... )
    - config: better escape support in strings (e.g. \", \<cr>, \x0a, \012)
    - bad network addresses are now automatically fixed
      (e.g. 192.168.1.80/27 => 192.168.1.64/27)
    - avp (Attribute-Value Pair) support added
    - avp alias support added
    - multicast support added (see mcast_loopback & mcast_ttl)
    - saving of procces group id enabled, if the -G option is specified
      (a safe way to quickly kill all ser processes)
    - core dump-ing is enabled by default, see also disable_core_dump
    - protocol and port can be specified in the alias and listen lines, e.g.:
        alias= tcp:foo.bar:* udp:test.bar:5080 foo.com
        listen= eth0   tcp:eth0:5065 udp:127.0.0.1 [3ffe::1]
    - multiple operator support: ==, != for special operations (e.g myself, ip)
                              ==, !=, ~= for strings
                              ==, !=, >, <, >=, <= for integers
    - database api changed to support usage of different drivers
      simultaneously. The database URL must start now with the name of the
      driver (module). Example: for mysql the DB URL
      'sql://user:password@dbhost:port/database' must be specified now as
      'mysql://user:password@dbhost:port/database'
 - new config variables:
   mcast_loopback = <yes/no> - loopback sent multicast datagram, default no.
   mcast_ttl = number - set multicast ttl, default OS specific (usually 1).
   sock_mode = <permissions> (e.g. sock_mode=0600:  default value = 0660)
       ser unix sockets and fifo will be created with this permissions
       (old name fifo_mode is still supported, but deprecated)
   sock_user = username|"uid"
   sock_group = groupname|"gid"
      change the owner and/or group of the ser unix sockets or fifo
      Short example config snippet:
           sock_mode=0600        # ser socket/fifo mode
           sock_user="www-data"  # ser socket/fifo owner
           sock_group=nogroup  
           user=nobody       # ser user (ser will suid to it)
   disable_core_dump= yes|no 
       by default core dump limits are set to unlimited or a high enough
       value, set this config variable o yes to disable core dump-ing
       (will set core limits to 0)
   open_files_limit= number
       if set and bigger than the current open file limit, ser will try
       to increase its open file limit to this number. Note: ser must be
       started as root to be able to increase a limit past the hard limit
       (which, for open files, is 1024 on most systems)
   tcp_connect_timeout= seconds
       time before an ongoing connect will be aborted
   tcp_send_timeout= seconds
       time after a tcp connection will be closed if it is not available 
       for writing in this interval (and ser wants to send something on it)
   tcp_accept_aliases= yes|no
       if a message received over a tcp connection has "alias" in its via
       a new tcp alias port will be created for the connection the message
       came from (the alias port will be set to the via one).
       Based on draft-ietf-sip-connect-reuse-00.txt, but using only the port
       (host aliases are too dangerous IMHO, involve extra DNS
        lookups and the need for them is questionable)
       See force_tcp_alias for more details.
   log_facility = LOG_LOCAL0
       if ser logs to syslog, you can control the facility for logging. Very
       useful when you want to divert all ser logs to a different log file.
       See man page syslog(3) for more detailes.
   unix_sock = "/tmp/ser.sock"
       The name of the socket the unixsock server should listen on.
   unix_sock_children = 1
       The number of children that will listen on the unix domain socket.
   unix_tx_timeout = 2000
       Timeout (in ms) used when sending replies through unix sockets.
 - new script commands:
   force_send_socket([proto:]address[:port])
       sends the message from the specified socket (it _must_ be one of the
       sockets ser listens on). If the protocol doesn't match (e.g. udp
       message "forced" to a tcp socket) the closest socket of the same
       protocol is used.
   force_tcp_alias()
   force_tcp_alias(port)
       adds a tcp port alias for the current connection (if tcp).
       Usefull if you want to send all the trafic to port_alias through
       the same connection this request came from [it could help 
       for firewall or nat traversal].
       With no parameters adds the port from the message via as the alias.
       When the "aliased" connection is closed (e.g. it's idle for too
       much time), all the port aliases are removed.
       Note: by default ser closes idle connection after 3 minutes (stable)
       or 1 minute (unstable) so to take full advantage of tcp aliases for
       things like firewall and nat traversal, redefine TCP_CON_*TIMEOUT
       in tcp_conn.h and recompile. Also right now there can be maximum
       3 port aliases to a connection (you shouldn't need more than one).
       To change this redefine TCP_CON_MAX_ALIASES in the same file
       (set it to you desired value + 1; 1 is needed for the real port).

utilities:
 - ngrep patch for displaying new lines in captured SIP messages is no longer
   needed; use ngrep V 1.42 with the option "-W byline"



***********************************************
* Changes/fixes introduced in 0.8.12
***********************************************
+--------------------------------------------------------+
| WARNING: if you want to use a 0.8.11 config script     |
| with 0.8.12, replace if ( len_gt(number) ) with:       |
|                      if ( msg:len > bumber )           |
+--------------------------------------------------------+

New Features
============

texops:
 - subst('s/re/repl/flags') support
core:
 - added switch to check the config file (-c)
 - changes: removed len_gt() and replaced with if (msg:len op number|max_len)
 - multiple operator support: ==, != for special operations (e.g myself, ip)
                              ==, !=, ~= for strings
                              ==, !=, >, <, >=, <= for integers
 - new config variables:
     advertised_address= ip | string
       address advertised in via and in the DST_* lumps (e.g RR)
       This is the default value, if empty (default) the socket
       address will be used.
       WARNING: - don't set it unless you know what you are doing
                 (e.g. nat traversal)
               - you can set anything here, no check is made
                (e.g. foo.bar will be accepted even if 
                 foo.bar doesn't exist)
    advertised_port= no
       port advertised in via and in the DST_*lumps (e.g. RR)
       This is the default value, if empty (default) the socket
       port will be used.
       Same warnings as above.
 - new script commands:
    set_advertised_address(ip|string)
       same as advertised_address but it affects only the current message:
       Message host/lump address= the set_advertised one if
       present, else advertised_address else socket address.
    set_advertised_port(no)
       same as advertised_port but it affects only the current
       message; see set_advertised_address & s/address/port/g

usrloc:
 - usernames are case insensitive
 
registrar:
 - lookup function succeeds when appending of a branch failed

auth_db:
 - support for rpid stored in database (thanks to Jakob Schlyter)

Bug fixes
=========
- memory leak in digest credentials parser fixed
- authenticathion ha1 didn't include domain if username was of the form
  user@domain and calculate_ha1 was set to yes (modules/auth_db)
- tm reply processing race condition (modules/tm), special thanks go to
 Dong Liu
- Many bugs in pa module fixed, works with registrar again.
 
Security updates
================
 
- fifo processing code will write responses only to other
 fifos and only if they are not hard-linked, also default
 ser fifo persmissions were changed to 0600.
                                                                                
Performance improvements
========================
- tuned internal malloc implementation parameters to better reflect the
actual workload (malloc is a little bit faster now)



***********************************************
* Changes introduced in 0.8.11
***********************************************

+--------------------------------------------------------+
| CAUTION: the 0.8.11 release include changes which      |
| are incompatible with scripts and databases used       |
| in previous versions. Care is advised when upgrading   |
| from previous releases to 0.8.11.                      |
+--------------------------------------------------------+

New features
=============
- RFC3261 support
    - TCP support and cross-transport forwarding [core]
    - loose routing support [rr module]
- New modules
    - vm -- voicemail interface [vm]
    - ENUM support [enum]
    - presence agent [pa]
    - dynamic domain management -- allows to manipulate 
      hosting of multiple domains in run-time [module]
    - flat-text-file database support [dbtext]
    - rich access control lists [permissions]
- Feature Improvements
    - click-to-dial, which is based on improved tm/FIFO 
      that better supports external applications [tm module]
    - web accounting -- acc module can report to serweb
        on placed calls [acc module]
    - improved exec module (header fields passed now
      as environment variables to scripts) [exec module]
- Architectural Improvements
    - powerpc fast locking support
    - netbsd support
    - 64 bits arch. support (e.g. netbsd/sparc64).
- New Experimental Features (not tested at all yet)
    - nathelper utility for Cisco/ATA NAT traversal [nathelper]
    - another NAT traversal utility [mangler]
    - postgress support [postgress]
    - fcp module [fcp]
    - pdt module (prefix2domain) [pdt]

Changes to use of ser scripts
=============================

About Multiple Transport Support
--------------------------------
SER now suports multiple transport protocols: UDP and TCP. As there
may be UAs which support only either protocol and cannot speak to
each other directly, we recommend to alway record-route SIP requests,
to keep the transport-translating SER in path. Also, if a destination
transport is not known, stateful forwarding is recommended -- use of
stateless forwarding for TCP2UDP would result in loss of reliability.


core
----
- reply_route has been renamed to failure_route -- the old name caused
  too much confusion
- forward_tcp and forward_udp can force SER to forward via specific
  transport protocol

acc module:
-----------
- radius and sql support integrated in this module; you need to
  recompile to enable it
- acc_flag is now called log_flag to better reflect it relates
  to the syslog mode (as opposed to sql/radius); for the same
  reasons, the accounting action is now called "acc_log_request"
  and the option for missed calls "log_missed_calls"
- log_fmt allows now to specify what will be printed to syslog

auth module:
------------
- auth module has been split in auth, auth_db, auth_radius, group
  group_radius, uri and uri_radius 
- all the parameters that were part of former auth module are now 
  part of auth_db module
- auth_db module contains all functions needed for database
  authentication
- auth_radius contains functions needed for radius authentication
- group module contains group membership checking functions
- group_radius contains radius group membeship checking functions
- is_in_group has been renamed to is_user_in and places to groups
  module
- check_to and check_from have been moved to the uri module
 

im module:
----------
- im is no longer used and has been obsoleted by TM

exec module:
------------
- exec_uri and exec_user have been obsoleted by exec_dset; 
  exec_dset is identical to exec_uri in capabilities; it 
  additionaly passes content of request elements (header 
  fields and URI parts) in environment variables; users of 
  exec_user can use exec_dset now and use the "URI_USER"  
  variable to learn user part of URI
- exec_dset and exec_msg return false, if return value of 
  script does not euqal zero
- exec_dset takes an additional parameter, which enables 
  validation of SIP URIs returned by external application

jabber module:
--------------
- presence support for Jabber users is enabled loading the PA
  module and using handle_subscribe("jabber") for SUBSCRIBE 
  requests to jabber user 

msilo module:
-------------
- m_store has now a parameter to set what should be considered
  for storing as destination uri. This enables support for saving
  the messages on negative replies.

radius_acc module:
------------------
- radius_acc module has been removed and radius accounting 
  is now part of acc module

registrar/usrloc modules:
-------------------------
- multi domain support, the modules user username@domain as AOR
  if enabled
- descent modification time ordering of contacts
- case sensitive/insensitive comparison of URI can be enabled

rr module:
----------
- addRecordRoute has been replaced with record_route
- rewriteFromRoute has been replaced with loose_route()
- a new option, "enable_full_lr" can be set to make life
  with misimplemented UAs easier and put LR in from "lr=on"
- rr module can insert two Record-Route header fields when
  necesarry (disconnected networks, UDP->TCP and so on)

tm module:
----------
- t_reply_unsafe, used in former versions within reply_routes,
  is deprecated; now t_reply is used from any places in script
- t_on_negative is renamed to t_on_failure -- the old name just
  caused too much confusion
- FIFO t_uac used by some applications (like serweb) has been
  replaced with t_uac_dlg (which allows easier use by dialog-
  oriented applications, like click-to-dial) 
- if you wish to do forward to another destination from 
  failure_route (reply_route formerly), you need to call t_relay
  or t_relay_to explicitely now
- t_relay_to has been replaced with t_relay_to_udp and t_relay_to_tcp