
(1) Port-hopping removed because firewalls could block connections
from all source-ports except the current one.

(2) UI changed to exit and unload the module as soon as an error is
raised.

(3) Fixed race-condition in UI-code. (Issue reported by Joern)

(4) set_ports_to_scan-handler fixed to make sure no invalid
scan-job-states can be created on error.

(5) Added a check for ports greater than MAX_PORTNUM, in conjunction
with change (4). (Issue reported by Joern)

(6) Minor syntax changes in the UI for Python 2.4 compatibility.

(7) Initialized the trigger-list of flood-jobs to an empty list;
flood-jobs with empty trigger-lists are now aborted.

(8) Tested with an interface without an IP address: PBunny no longer
crashes, probably due to the earlier fix in (7). This needs some more
testing!


made tarball.
----------------------------------------------------------------


(9) Removed the notion of "waiting n rounds till outputting"
complete-batches because it wasn't really used and stood in the way
of the updated packet-handling code.

(10) Removed 'complete_batches' entirely to introduce updated
packet-handling-code.

(11) Removed the time_sent fields from port-result: the old
late-response handling is now completely removed.

(12) Added recent_batches to save the 20 most recent batches.

made tarball.
----------------------------------------------------------------

(13) Implemented new packet-handling based on the recent-batches list.
This means we now have better control over which packets are
actually valid answers.

(14) Fixed memory-leak: freed the trigger-list, which got extremely
huge on hosts with mostly closed ports.

made tarball.
----------------------------------------------------------------

(15) Changed queue_clear to use queue_head.
(16) Fixed a memory-leak in batch_creator_create_batch

made tarball. (18DEC)
----------------------------------------------------------------

(17) Forgot to delete nodes in clear_trigger_list: Fixed.
(18) Missing return-statement after the error-report in
1scanner_ui/cmd_handlers:handle_create_scan_job added.

(19) Made sure scan_job_inits don't leave the module in an inconsistent
state on failure.

made tarball.
----------------------------------------------------------------

(21) Increased timeout-value for trigger-phase.

(22) Fixed the limited-frequency problem with positive TCP_SYN-triggers
by hopping slightly between source-ports when using TCP_SYN-triggers. :)

Here's a little more on that:

Problem:

When using positive TCP_SYN-triggers (those which are answered by a
SYN-ACK), the following pattern can be seen when scanning with the
same trigger at a high frequency:


TCP_SYN 80, seq_num = x  >
TCP_SYN 80, seq_num = y  >

...

TCP_SYN_ACK 80, ack_num = x + 1  <
TCP_SYN_ACK 80, ack_num = x + 1  <


Explanation:

After the first TCP_SYN, the receiver sends the SYN_ACK and waits for
an ACK from the sender. On arrival of the second SYN, the receiver
reasons that the SYN_ACK must have been lost for one reason or
another and re-sends the SYN_ACK acknowledging the original SYN,
without taking a look at the sequence-number of the second SYN.

While I'm unsure whether this is a BUG on the receiver-side or valid
behaviour (one would need to look into the RFC in detail), this
behaviour can obviously be observed, so we should try to decrease its
impact.

Solution to Problem:

Vary the source-port of positive TCP_SYN-triggers slightly to make
sure each trigger actually requests a separate connection. This way
the receiver has no option of ignoring the second sequence-number.

Ports are only varied slightly, and only within the range of dynamic
ports, to be sure that we don't kill NATs on the way.
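The following is an added example, not PBunny code: it models the receiver behaviour described above (a repeated SYN on the same source/destination port pair gets a SYN-ACK for the original ISN) and shows why answers must be matched on ack_num = seq_num + 1, and how cycling the source-port through a small window inside the dynamic range gives every trigger its own connection. The base port, the window size, the receiver model (half-open entries never time out here) and the helper names are assumptions.

```python
# Added example (not PBunny code): why back-to-back positive TCP_SYN
# triggers from one source port produce unusable duplicate SYN-ACKs, and
# how slight source-port variation inside the dynamic range fixes it.
# Port numbers, window size and the receiver model are assumptions.

DYNAMIC_PORT_LO, DYNAMIC_PORT_HI = 49152, 65535   # IANA dynamic/private range
TRIGGER_BASE_PORT = 50000                         # assumed first source port


class Syn:
    def __init__(self, src_port, dst_port, seq):
        self.src_port, self.dst_port, self.seq = src_port, dst_port, seq


class SynAck:
    def __init__(self, src_port, dst_port, seq, ack):
        self.src_port, self.dst_port, self.seq, self.ack = src_port, dst_port, seq, ack


class Target:
    """Toy receiver reproducing the observed behaviour: one half-open
    connection per (src_port, dst_port); a repeated SYN on that tuple is
    answered with a SYN-ACK for the *original* ISN, the new sequence
    number is ignored.  Simplification: half-open entries never time out
    (a real stack drops them eventually, which is why *slight* variation
    is enough in practice)."""

    def __init__(self, open_ports):
        self.open_ports = set(open_ports)
        self.half_open = {}        # (src_port, dst_port) -> client ISN
        self.isn = 0x4000          # assumed server ISN counter

    def receive(self, syn):
        if syn.dst_port not in self.open_ports:
            return None            # closed port: RST, not a positive trigger
        key = (syn.src_port, syn.dst_port)
        orig_isn = self.half_open.setdefault(key, syn.seq)
        self.isn += 1
        return SynAck(syn.src_port, syn.dst_port, self.isn, orig_isn + 1)


def is_valid_answer(syn, synack):
    """A SYN-ACK belongs to *this* trigger only if it arrives on the same
    port pair and acknowledges seq + 1 (mod 2^32)."""
    return (synack is not None
            and synack.src_port == syn.src_port
            and synack.dst_port == syn.dst_port
            and synack.ack == (syn.seq + 1) & 0xFFFFFFFF)


def trigger_source_port(i, hop_window):
    """hop_window == 0: always the same port (the pre-(22) behaviour).
    Otherwise cycle through hop_window consecutive ports starting at
    TRIGGER_BASE_PORT, never leaving the dynamic range so NATs on the
    path keep treating the traffic normally."""
    if hop_window == 0:
        return TRIGGER_BASE_PORT
    port = TRIGGER_BASE_PORT + (i % hop_window)
    assert DYNAMIC_PORT_LO <= port <= DYNAMIC_PORT_HI
    return port


def run_triggers(target, dst_port, count, hop_window):
    """Fire count SYN triggers back to back (high frequency, no time for
    the target to forget the half-open connection) and return how many
    SYN-ACKs are valid answers to the trigger they were sent for."""
    valid = 0
    for i in range(count):
        syn = Syn(trigger_source_port(i, hop_window), dst_port, 0x1000 + i * 0x100)
        if is_valid_answer(syn, target.receive(syn)):
            valid += 1
    return valid


if __name__ == "__main__":
    print("same source port:", run_triggers(Target([80]), 80, 10, 0))    # 1
    print("hop window 16:   ", run_triggers(Target([80]), 80, 10, 16))   # 10
```

Without hopping only the first trigger of a burst is answered usefully; every later SYN-ACK still acknowledges x + 1 and fails the match. A window of a few ports is enough as long as it is wider than the number of triggers sent before the target times out its half-open entry, which is the reason the text can get away with varying the port only slightly.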

(23) Decided not to use UDP-triggers by default because rate-limits on
destination-unreachable messages are quite common.

(24) Limited the number of extra triggers added during the actual scan
to reduce Bunny's memory-footprint.

(25) The trigger-finding strategy has been improved:

The number of triggers to search for before starting the scan is now
1. In detail, this means that all TCP-SYN-triggers are tried first, at
once; if that works, no further triggering is done. Next ICMP_ER and
ICMP_TS are tried, and if that fails as well, we fall back to
UDP-triggers, which are the worst triggers to use due to the extremely
widespread use of rate-limiting on destination-unreachables.
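The search order from (25), and the reason UDP comes last, as an added example that is not PBunny code. It runs the TCP_SYN -> ICMP_ER -> ICMP_TS -> UDP fallback against a toy host model whose destination-unreachables are rate-limited to one per second; the host model, the probe method names and the one-per-second limit (chosen to resemble a common Linux default, icmp_ratelimit = 1000 ms) are assumptions.

```python
# Added example (not PBunny code): the trigger search order from (25)
# against a toy host whose ICMP port-unreachables are rate-limited.
# Host model, method names and the rate-limit interval are assumptions.


class Host:
    """Toy target.  SYNs to open TCP ports get a SYN-ACK; ICMP echo and
    timestamp requests are answered only if enabled; UDP packets to
    closed ports earn an ICMP port-unreachable, but at most one per
    unreach_interval seconds (assumed rate limit)."""

    def __init__(self, open_tcp=(), answers_echo=False, answers_timestamp=False,
                 closed_udp=(), unreach_interval=1.0):
        self.open_tcp = set(open_tcp)
        self.answers_echo = answers_echo
        self.answers_timestamp = answers_timestamp
        self.closed_udp = set(closed_udp)
        self.unreach_interval = unreach_interval
        self.last_unreach = None        # time of the last unreachable sent

    def tcp_syn(self, port):
        return port in self.open_tcp    # True == SYN-ACK came back

    def icmp_echo(self):
        return self.answers_echo        # True == echo reply came back

    def icmp_timestamp(self):
        return self.answers_timestamp   # True == timestamp reply came back

    def udp(self, port, now):
        """True == ICMP port-unreachable came back for this probe."""
        if port not in self.closed_udp:
            return False                # open or filtered: silence
        if (self.last_unreach is not None
                and now - self.last_unreach < self.unreach_interval):
            return False                # rate-limited: the answer is dropped
        self.last_unreach = now
        return True


def find_trigger(host, tcp_candidates, udp_candidates):
    """Return (kind, detail) for the first trigger class that works, trying
    TCP_SYN -> ICMP_ER -> ICMP_TS -> UDP as in (25), or None if nothing
    answers.  All TCP candidates are probed at once; UDP candidates are
    spaced one unreach_interval apart so the search itself is not
    rate-limited away."""
    answered = sorted(p for p in tcp_candidates if host.tcp_syn(p))
    if answered:
        return ("TCP_SYN", answered)
    if host.icmp_echo():
        return ("ICMP_ER", None)
    if host.icmp_timestamp():
        return ("ICMP_TS", None)
    for i, port in enumerate(udp_candidates):
        if host.udp(port, now=i * host.unreach_interval):
            return ("UDP", port)
    return None


def udp_trigger_answers(host, port, count, interval):
    """Fire count UDP triggers at one closed port, interval seconds apart,
    and count the unreachables that actually come back.  This is the
    failure mode that makes UDP the trigger of last resort."""
    return sum(1 for i in range(count) if host.udp(port, now=i * interval))


if __name__ == "__main__":
    print(find_trigger(Host(open_tcp={80, 443}), [22, 80, 443], [53]))
    print(find_trigger(Host(closed_udp={161}), [80], [53, 161]))
    print("10 UDP triggers, 0.1 s apart:",
          udp_trigger_answers(Host(closed_udp={161}), 161, 10, 0.1))   # 1
```

At ten triggers per second only the first unreachable survives the limit, so a UDP-triggered timing phase would see drops that have nothing to do with the network path; spacing the triggers a full interval apart gets every answer back but caps the trigger rate at the target's limit.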

made tarball. (19Dec07)
---------------------------------------------------------------------------

(26) Changed the UI to

1. trigger all jobs first, because triggering while scanning can't
work reliably: the flood-job is trying to get packets dropped to do
its timing, and the trigger-phase does not tolerate drops at all.

2. execute one flood-job group at a time, with a default group-size of
1, because this is actually the sanest default.

This also fixed a very rarely noticeable but possible BUG: at one point
global-timing was not reset.

made tarball.
---------------------------------------------------------------------------

(27) Removed global window! This is one of the most idiotic nmap-ideas
on the planet, and with our default of 1 job at a time (which is the
best setup for shared-bottleneck operation and still better than the
global window with multiple scan-jobs) it's no longer needed anyway.
The user can still execute as many jobs in parallel as he likes, but
he'll have to make sure that the lowest traffic of all jobs, summed up,
does not hit the shared bottleneck, because that will kill performance.

(28) Added a very basic but nice progress report to the UI.

made tarball.
---------------------------------------------------------------------------

(29) Optimized the UI to use blocking semaphores instead of busy-waiting
and sleeps.

(30) Caught negative return-values of sock_sendmsg, which occur if the
host one is scanning from has firewall-rules that block sending in
one way or another.

(31) Moved the UserEventHandling-code of the UI to a separate file and
updated it to work with the sleeping (instead of busy-waiting) UI-code.

made tarball.
---------------------------------------------------------------------------

(32) Restructured the UI: there are no more busy-waiting loops, yet
user-input as well as SIGINTs are still handled immediately and cause
a clean exit.

made tarball.
---------------------------------------------------------------------------

(33) Added initialized_sem to UI to make sure the user-event-handler
cannot be used before the ui-logic has been fully initialized.

(34) Added locking for interface.py's scanner-object as well as the
options_parser to allow interactive UI.

(35) Fixed locking problem.

made tarball.
----------------------------------------------------------------------

(36) Included <linux/rwsem.h> in pending_commands_queue.c to allow
compilation on x86-64 systems.

(37) unregister_chrdev returns void instead of int as of 2.6.23, so we
no longer check its return-value, to allow compilation on x86-64
systems.

(38) Updated README to tell people that they should not load the
module manually.

(39) Changed absolute paths in interface.py to relative paths.
