Releases: mbuesch/letmein
letmein-11.1.0
Changes
- The internal locking has been simplified.
letmein-11.0.0
New features
- Added support for inserting nftables jump rules instead of open-port rules on successful knocking. This enables support for the activation of arbitrary fully user defined firewall rules in case of a successful knocking.
letmein-10.4.0
New features
- A cryptographically secure checksum of the configuration file is now transmitted to letmeinfwd and checked between the letmeind and letmeinfwd daemons to ensure they have the same view of the configuration.
- A timeout individual to resources has been added. See the timeout configuration option in resources.
- The generated nftables rules now have counter statements added. This makes it easier to check/debug which rules are actually executed.
- Support for specifying the resource ID instead of the port number on the client side has been added.
Incompatible changes
- The length of the nftables chain name is now restricted to 64 bytes. If you have an nftables chain name longer than 64 bytes, you should shorten it now. I believe that chain names longer than 64 bytes are the exception. Therefore, I think this incompatible change is OK. This change is necessary to make future changes possible. If you think differently, please open an issue.
letmein-10.3.0
New features
- Support for line-continuation has been added to the configuration format parser. With this feature long configuration lines can be split into multiple lines. See the documentation for more information.
- From now on getpwnam_r and getgrnam_r from libc will be used instead of parsing /etc/passwd and /etc/group directly. This enables the use of letmein in scenarios with alternative user handling (e.g. NSS).
letmein-10.2.1
Fixes
- Fix GHSA-jpv7-p47h-f43j
- Fix confusing DNS resolver warning on single stack (IPv4-only) setups.
letmein-10.2.0
Changes
- Minor maintenance changes.
letmein-10.1.0
New features
- Client: Added command line options to select DNS resolve mode.
letmein-10.0.1
Fixes
- letmeinfwd: The sanity check for the nft executable now uses the nft executable path from the letmeind.conf file instead of searching $PATH. This fixes startup if nft is not in $PATH.
letmein-10.0.0
Added
- Documentation of the wire protocol and the cryptographic algorithms has been added.
- Hints for distribution packaging have been added to the documentation.
Changed
- The MSRV has been bumped from 1.75 to 1.76 due to the nftables dependency MSRV.
- The seccomp rules have been made more strict for the prlimit syscall.
- The nftables.conf example has been simplified.
Removed
- Support for SIGHUP reloading of the daemons has been removed. There are two reasons for this: First, it wasn't implemented correctly and didn't notify systemd. This will break with future versions of systemd. Second, it didn't work (by design) with seccomp. Therefore, I decided to remove the feature. I personally don't think it's important to have it. Just restart the daemons instead of reloading them. If you disagree with this and if you have a valid use case for SIGHUP reloading that cannot easily be solved with restarting, please open an issue.
letmein-9.0.0
New features
- The nft executable can now be pinned in the letmeind.conf configuration file to avoid $PATH searches from the letmeinfwd daemon running as root.
- Use TCP_NODELAY for TCP connections to reduce knock latency.
Distribution packaging
In the default letmeind.conf installed by distribution packaging scripts, please set
[NFTABLES]
exe = nft
to the default path of the nft executable in your distribution.
For example:
[NFTABLES]
exe = /usr/sbin/nft