Netsweeper is pleased to announce the Netsweeper 6.4.10 GA release. This is the tenth release in the 6.4 release cycle and finishes all major features in the 6.4 release series. Customers running version 6.3 or prior releases should consider upgrading depending on the features, functionality, security enhancements, and bug fixes found in the 6.4 release series.
New features in this release:
Deny Pages
- Assign the same Deny Page to multiple Groups
- Allows Reporter Categories to be selected
NSProxy
- New NSProxy nat lookup mode named ‘samproxy’ that allows you to use the Linux kernel's TPROXY feature to redirect IPv4 and IPv6 packets to NSProxy, but will not maintain the Client IP address
- Ability to set a netfilter mark per listen socket with a new nfmarkclient and nfmarkserver setting
- Ability to copy the nfmark from the connection to the socket on accept() allowing us to mark the connection to NSProxy after we accept the packet
- Capture Modules can now set a netfilter mark (nfmark) on deny packets
- The new auth redirect and auth portal use two cookies: netsweeper=, and netsweepers= for secure sites. NSProxy “protect_netsweeper_cookie” has been updated to detect and remove both cookies if present when the feature is enabled
- Allows control of SSL decryption on a per-port (listen) basis with a new setting, decrypt_enabled, that enables or disables per-port SSL decryption
Radius
- Workstation is now a configurable Radius field which populates in the WebAdmin
Additional Features:
- New ‘timestamp’ options have been added to the ‘Request Logger Framework Options’ to allow you to explicitly include the record timestamp
If you have any questions or concerns about planning an upgrade to this release, please contact Netsweeper Technical Support at support@netsweeper.com.
Customers can access our community site for more information.
Change Log 6.4.10:
Ticket | Description |
--- | --- |
15620 | FEATURE: You can now assign the same Deny Page to multiple Groups. |
23236 | FEATURE: There is a new NSProxy nat lookup mode named ‘samproxy’. This allows you to use the Linux kernel's TPROXY feature to redirect IPv4 and IPv6 packets to NSProxy, but will not maintain the Client IP address. This allows for normal transparent proxying without the connection tracking/nat process and does not require complex load balancing and routing. The main advantage is that transparent IPv6 filtering is possible. |
23237 | BUG: The NSRoutes cache file was not updating automatically. |
23244 | FEATURE: There is now the ability to set a netfilter mark per listen socket. New nfmarkclient and nfmarkserver settings have been added so each listen port can set a specific socket mark on either the client-to-proxy socket or the proxy-to-server socket, thus allowing for epic solutions to be done. |
23245 | FEATURE: There is now the ability to copy the nfmark from the connection to the socket on accept(), which allows us to mark the connection to NSProxy after we accept the packet. This allows us to route traffic from gre1 back to gre1 or specifically change routing based on the port NSProxy accepts the packet on. |
23246 | BUG: Directory sync Managers were not assigned to the Groups when the Group is created. This is an issue in 6.4.1 to 6.4.9. |
23247 | BUG: The Chrome Client 7.39 and 7.40 Client Filters could send Asset ID or device serials that caused the domain, user, group message to get corrupted. This is fixed in the Chrome Client Filter 7.41 and policy service 7.1.1 and above. |
23251 | FEATURE: The Capture Modules can now set a netfilter mark (nfmark) on deny packets. This allows for mark-based routing to occur in Linux with ip rules/ip route tables. This will only work when a DMAC/SMAC/FLIPMAC/DEVICE is not set in nptransmit and the default OS layer routing is used. |
23268 | FEATURE: We now include the Workstation as a configurable Radius field which populates in the WebAdmin. There is now also the option to add validation on stop to ensure that clients deleted match the username or workstation of the RADIUS accounting stop. |
23280 | BUG: When sending LogMod5 logs to Syslog, an empty field was logged as an empty string. We will now replace any empty string with a dash – in order to make for easier log file parsing when using processors that interpret multiple spaces as a single space causing field count corruption. |
23297 | BUG: In the Directory Sync, some user groups were not updating when they had different appends. |
23303 | BUG: NSProxy could have stability issues when used as an explicit proxy when invalid hostnames are sent to it, due to changes to the c-ares DNS library. This impacts versions 6.4.5 to 6.4.9. |
23320 | BUG: The Policy Service would abort and restart when using the Deny Page Redirect URL option with no CGI arguments. |
23340 | BUG: Upgrading from 6.2.5 to 6.4.9 GA could cause the Policy Service to segfault if the WebAdmin is not upgraded. |
23357 | BUG: The ‘Run Only on Server’ option was not working correctly for Quick Demand Reports and the Create Report button in Report Templates. |
23358 | FEATURE: Deny Pages now allow Reporter Categories to be selected. |
23414 | BUG: The Auth Portal cookie injection process could be halted by new Chrome security settings on HTTPS based sites. This could reject the cookie unless the Chrome feature for SameSite is disabled in Chrome flags. The auth portal redirect process now supports the new Chrome SameSite security feature and segments the cookie between https and http websites. |
23417 | FEATURE: The new auth redirect and auth portal use two cookies: netsweeper=, and netsweepers= for secure sites. NSProxy “protect_netsweeper_cookie” has been updated to detect and remove both of these cookies if present when the feature is enabled. |
23420 | BUG: The default WebAdmin Auth Portal has been updated to support the Chrome SameSite cookie feature. |
23459 | BUG: The NSRoutes service did not properly remove both IPv4 and IPv6 entries when lists were changed or DNS resolution changed. |
23462 | BUG: The New URL refresh on the default Deny Page breaks as “$encodedcat” is not supported. |
23492 | FEATURE: The logmod5 module for the syslog did not include the record timestamp by default. A new ‘timestamp’ option has been added to the ‘Request Logger Framework Options’ in Policy Server Settings that allows you to explicitly include the record timestamp. |
23524 | BUG: If all file descriptors are used in NSProxy, the listener threads would abort. This could cause a denial of service. When all file descriptors are used, we will continue waiting for more requests and accept when more file descriptors are available. This impacted macOS when the file descriptor limit was left at the very low default of 256. |
23575 | BUG: The Policy Service can stop processing all requests when doing DNS lookups in the 6.4.9 and below releases. This can happen if DNS connectivity is present, but Internet connectivity is not. |
23601 | BUG: A Policy Service memory leak in List data has been fixed. |
23630 | BUG: WebDB can run out of memory when sending a cached version of the database to a policy service. This is a 6.3 to 7.1.3 issue. |
23635 | BUG: The LogMod5 disk queue would lock up in a deadlock on a write error. |
23641 | BUG: The policy server had a request rate drop to 0 under high load for a few seconds due to glibc malloc_consolidate. There is a new setting, configmanager_mxfast, that disables glibc fast bin support when set to 0. It is -1 by default. |
23693 | FEATURE: NSProxy now allows control of SSL decryption on a per-port (listen) basis. Two new settings have been added: decrypt_enabled, which enables or disables per-port SSL decryption, and decrypt_request, which enables or disables the per-port decrypt:// policy request. |