
---------------------------------------
2025-11-17 nScrub 1.8

* Engine
 - Optimize SYN-Proxy in symmetric mode by whitelisting source IP (translate first session only)
   - Do not whitelist IP if session-only is active
 - Add support for routing mode and stack injection on NVIDIA/Mellanox ConnectX interfaces
 - Add ability to mirror only WAN or LAN traffic, or any direction
 - Add ability to mirror injected traffic only
 - Extend idle time for established connections
 - Fix fragments management

* Options
 - Add --rss-rehash option to fix asymmetric hw RSS when standard drivers are used

* API
 - Add direction filtering for traffic mirrors (/mirror/[id]/direction with wan/lan/any options)
 - Add ability to configure mirroring for different traffic types (forwarded, discarded, injected)

* Tools
 - nscrub-export
  - Fix tool dependencies on latest RH based systems

* Packages
 - Add packages for Debian 13
 - Add packages for Rocky Linux 10

* Misc
 - Fix logrotate permissions
 - Improve debug messages and tracing

---------------------------------------
2024-12-19 nScrub 1.6

* Engine
 - Add native NVIDIA/Mellanox ConnectX adapters support
 - Add support for TX offload with Napatech adapters
 - Add DPDK support (v.20 or later)
 - Add IPsec basic policies control
 - Add more safety checks on TCP packet headers
 - Add check on max MSS
 - Add per target threshold (global threshold to engage the mitigation)
 - Improve SYN and SYN-ACK rate check (e.g. also check white traffic)
 - Improve RFC (more permissive) when always enabled
 - Improve auto-engage checks
 - Improve blacklist loading to speed up import of huge lists
 - Improve hardware bypass support
   - Improve watchdog management
   - Detect hardware bypass engage (e.g. due to watchdog) and trigger events
   - Fix false positives engaging the watchdog and reduce watchdog sensitivity
 - Check for blacklisted destinations on egress traffic
 - Historical data (RRD) improvements and fixes
   - Fix folder creation with the right user
 - Fix egress monitor queue selection with legacy PF_RING API (e.g. NVIDIA/Mellanox)
 - Fix GRE detection
 - Fix bridging with kernel drivers
 - Fix SYN proxy MITM
 - Fix conversion of the device name to the system device name in Netlink

* Options
 - Add --force-promisc|-4 to force promiscuous in routing mode
 - Add --no-tx-stack-injection|-5 and --no-rx-stack-injection|-6 options to disable stack injection in routing mode

* API
 - New API /tcp/syn/noseqnum/drop to drop SYN with no sequence number
 - Add threads info to the /status
 - Add stats for traffic discarded due to blacklist in the target stats
 - Add more bypass info
 - Add offset/limit when requesting for attackers on a target
 - Add stats for reforged and injected packets
 - Add number of hits for dynamically added IP addresses
 - Add human-readable discard reasons in stats
 - Fix and optimize attackers pagination, add 'limit' parameter
 - Fix port number parsing in the URI for high ports
 - Fix listing of dynamic attackers IP addresses
 - Fix stats when using regexp or * to match multiple targets

* GUI
 - Add statistics for fragments
 - Add more engage/severity indicators
 - Redirection to the monitor page on login
   - Open monitor.html by default when requesting / from a browser (use /status for the status)

* Tools
 - nscrub-cli
   - Add ability to purge a list by name
   - Added CIDR support when loading IP list from file
 - Improved nscrub-bl in blacklist generation
  - Added warn-list support to detect when some IPs are in a blacklist
  - Added whitelist support to filter the blacklist
  - Duplicated IPs are now removed

* Packages
 - Add packages for Debian 11, 12
 - Add packages for Ubuntu 20, 22, 24
 
* Misc
 - Add nscrub user to the ntop group
 - Add UNIT_NAME and INSTANCE_NAME env var to the systemd service
 - Fix nscrub-export support for python3

---------------------------------------
2020-03-24 nScrub 1.4

* Engine
 - Support for IPv6 neigh table
 - Support for IPv6 routing table
 - Pure SYN Cookie is used when in SYN Proxy mode and in asymmetric mode
 - SYN Cookie encryption
 - More event types in event notification, sending notifications when an event terminates, added the 'status' field to the events
 - Full bypass support in routing mode
 - Unique event identifier
 - Added options to use different ports for transmission (this is needed by Napatech as streams are RX only), Napatech is supported in transparent bridge only
 - TCP flags sanity check happens only if there is any 3whs check enabled
 - Hardware bypass
  - Silicom hw bypass API update
  - Add hw bypass info to the status information
  - Improved hw bypass watchdog
  - Enable hw bypass on application shutdown (if any)
 - Introduced HSP service type (Generic Hosting Service Provider)

* Plugins
 - New SDK with a sample plugin available
 - Traffic blocking with pre/post hooks
 - Ability to inject packets
 - Inspection of both WAN and LAN traffic
 - Callback called on SIGUSR1 for reloading the configuration
 - Plugins stats (pre/post discard/forward counters) in the target stats

* API
 - API /http/request/host/<id>/pass to discard http requests not matching the specified hostnames
 - API to purge all targets
 - API to print the list of global VLAN mappings
 - API to delete global vlan mapping if dst=src or dst=0, delete target vlan reforging if dst=0
 - API to set a limit to the ip whitelist to engage session whitelisting automatically (/tcp/syn/wl_threshold)
 - API to control tcp check engage (cli: target ID profile white|gray|black|default tcp syn check [disable|threshold|auto|enable])
 - API to drop TCP SYN packets with payload
 - API to set max DNS subdomain length (to block water torture)
 - API to drop TCP SYN with no options (/profile/tcp/syn/nooption/drop)
 - API to purge all attackers (and delete all lists)
 - API and cli command to set the WAN/LAN interface IP address (required with DPDK TAP interfaces in routing mode)
 - Support for subnets without mask
 - Target stats now supports regex to select targets
 - Add bytes stats per protocol per target
 - wl_threshold: automatically turn off when IP whitelist size comes back below the threshold
 - Full IPv6 support in routing and bridge mode
 - Add gateway mac address to the arp table returned via REST 
 - Added ability to overwrite the default virtual scrubber 0.0.0.0/0 - 0::0/0
 - Dynamic purge fix
 - Attacker search optimizations
 - Attackers list pagination, added list size when listing lists
 - String patterns removal using the '-' special char
 - Add discard reason to target stats
 - Fixed lists counters
 - Fix all lists purging
 - Stats fixes

* Tools
 - New nscrub-bl to manage blacklists
 - nscrub-cli
  - History now also keeps wrong commands
  - Add command to load list from file in nscrub-cli (target ID attackers load LISTNAME FILEPATH white|gray|black [SEC])
  - Load lists in batch mode
  - Fix integer parameters
 - nscrub-export reworked and improved options
   - Full configuration backup/restore
   - Add -i option to select the nscrub instance

* Packages
 - New Ubuntu 18 package
 - New Debian 10 package
 - New CentOS 8 package
 
* Misc
 - Systemd support for multiple nscrub instances
 - The nscrub service is now 'PartOf' the pf_ring service
 - Running nscrub as 'nscrub' by default, falling back to nobody if it does not exist
