=====================================
Bonded Internet 2014.3 release notes
=====================================

July 25, 2014

Bonded Internet 2014.3 offers a variety of improvements: the TCP proxy
uses fewer resources, Bonding Admin supports Debian 7 (Wheezy), and many
bugs are fixed.

Aggregators must be upgraded to 2014.3 before upgrading their bonders. A
2014.3 bonder with TCP proxy enabled will not work properly on a 2014.2
or earlier aggregator.

Bonding Node
-------------

Additions
^^^^^^^^^^

-  If a DHCP leg is assigned a gateway outside of the IP subnet, an
   error is logged and the leg is stopped.
-  The ``nodeconfig`` and ``nodessl`` commands show the name of the
   management server when run in verbose mode.

Changes
^^^^^^^^

-  The TCP proxy protocol has been replaced with a new protocol that
   improves performance and uses fewer resources. The old protocol
   required "concurrency" number of TCP connections between the bonder
   and aggregator for each proxied connection—for example, with
   concurrency 8 and 100 connections proxied, there would be 800 TCP
   connections between the bonder and aggregator. The new protocol uses
   only "concurrency" connections between the bonder and aggregator no
   matter how many connections are proxied. The application has also
   been simplified by moving certain functionality to the operating
   system, and logging and error reporting have been improved.
-  Supervision of tunnel and TCP proxy applications has been
   significantly improved. The new design offers better reliability and
   scalability.

Removals
^^^^^^^^^

-  The TCP proxy connection timeout option has been removed. It is now
   statically set to 30.0 seconds.

Fixes
^^^^^^

-  Upload speed tests no longer run repeatedly in certain conditions.
-  Aggregators apply bond configuration changes correctly even when the
   updates come immediately after adding the bond.
-  Nodes release DHCP leases properly.
-  The node process handles setting a leg MTU to an impossibly small
   value.
-  Idle aggregator tunnel processes no longer report invalid traffic
   rates in certain rare cases.
-  Link latency charts show current data instead of the average of
   latency samples from up to the last hour.
-  The config service no longer leaks memory when the nodeupdates
   service on the management server is unavailable.
-  When a tunnel process restarts, the bond's TCP proxy application no
   longer restarts unnecessarily.
-  When a bond is restarted from Bonding Admin, the TCP proxy no longer
   starts before the tunnel and then fails because it cannot bind to the
   tunnel IP. Instead, it waits until the tunnel has started.
-  QoS hooks no longer fail with a "File descriptor out of range" error
   in certain rare conditions.
-  Bonders imaged from a clone template no longer report errors about
   failing to find RSA keys.
-  The tunnel process on bonders no longer opens an unused UDP socket
   for each link.

Patches
^^^^^^^^

:2014.3-1: Fixed an issue between connected IPs and TCP proxies.
:2014.3-2: Fixed an issue between CPE NAT IPs and TCP proxies.
:2014.3-3: PPPoE links handle losing Ethernet carrier more gracefully
  in some rare scenarios.
:2014.3-4: TCP proxies close connections more reliably.
:2014.3-5: Fixed TCP proxy memory leaks related to connection state
  tracking.
:2014.3-6: Improved connection handling in TCP proxy and fixed a TCP
  proxy memory leak relating to data retention for incomplete
  connections.
:2014.3-7: Further improved supervision of PPPoE sessions.
:2014.3-8: Fixed issues relating to speed tests and source IP selection
  on bonds with TCP proxy and CPE NAT IPs.
:2014.3-9: Fixed a rare issue with DTLS encryption and added a minor
  improvement to the CPE NAT IP fix in the previous patch.
:2014.3-10: Improved error handling and logging in the TCP proxy.
:2014.3-11: Fixed an issue causing high CPU and memory usage in the TCP
  proxy when many connection errors occur.
:2014.3-12: Improved fairness of connection handling in the TCP proxy.
  Short and interactive TCP sessions now perform much better when bulk
  transfers are in progress.
:2014.3-13: Increased buffer sizes in TCP proxy to support higher, more
  stable speeds, and other reliability improvements.
:2014.3-14: Fixed an issue where connections could be closed before
  sending all the connection's data.
:2014.3-15: Fixed uncaught exceptions in the config service and PPPoE
  leg management.
:2014.3-17: Fixed various issues with connection closing logic in the
  TCP proxy.
:2014.3-18: Further improvements to connection closing logic in the TCP
  proxy.
:2014.3-19: Worked around a possible kernel crashing bug when disabling
  the TCP proxy.
:2014.3-21: Minor change to socket creation behaviour of the TCP proxy
  to reduce the number of "address already in use" warnings.

Bonding Admin
--------------

Additions
^^^^^^^^^^

-  The management server supports Debian 7 (Wheezy).
-  A completely unattended installation option has been added to the ISO
   installer menus and PXE server setup instructions. This method does
   not prompt for a node key but creates a default bonder without
   prompting the user.
-  Traffic sent to the management server with a destination in the
   10.250.0.0/16 network used by the management VPN clients is NAT'ed
   and forwarded to the nodes. This allows external hosts such as SNMP
   monitors to access the nodes over the VPN.
-  Console commands have been added that copy SSH authorized key files,
   resolv.conf files, and firewall configuration files to nodes. These
   commands can be used to update nodes in bulk. For details, please
   e-mail the technical support department.
-  Notes have been added to the bonder and aggregator username and
   password fields to clarify that passwords are not synced on the
   devices.
-  The management server 5-minute load average chart has been added to
   the System Charts web page.

Changes
^^^^^^^^

-  The "filter unrecognized traffic" option has been renamed "source
   address verification" to match industry standards. The corresponding
   API field has been renamed.
-  The certificate authority updates its certificate revocation list
   daily instead of monthly.
-  Management servers report more detailed information about errors in
   the web application. This will help Technical Support staff investigate
   errors more effectively.

Fixes
^^^^^^

-  The position of QoS filters is saved properly when the form is
   submitted.
-  The aggregator failover service no longer tries to access sockets
   that have been closed.
-  The management VPN server accurately records when a client connects.
   A race condition between two applications meant that a node's
   connected status could previously have been incorrect for up to five
   minutes.
-  The service that pushes out configuration updates to nodes no longer
   pushes duplicate updates in some circumstances.
-  Munin configuration files for each node have correct permissions.
-  The push-bondingadmin-backup script has been renamed to fix a
   misspelling.

Patches
^^^^^^^^

:2014.3-1: Fixed some documentation pages not loading.
:2014.3-2: Improved validation of connected IP forms and reliability of
  configuration updates.
:2014.3-3: Doubled the number of worker processes handling HTTP
  application requests. Added scripts to the ISO that ensure bonder
  Ethernet ports are assigned in the expected order even if the
  motherboard has two different Ethernet controllers.
