UnrealIRCd 6.1.1 comes with various bug fixes and performance improvements, especially for channels with thousands of users.

It also has more options to override settings per security group, for example if you want to give trusted users or bots more rights or higher flood rates than regular users. All these options are now in a single Special users article on the wiki.

Other notable features are better connection errors to SSL/TLS users and a new proxy { } block for websocket reverse proxies.

See the full release notes below. As usual on *NIX you can upgrade easily with the command: ./unrealircd upgrade

Enhancements:

  • Two new features that are conditionally enabled:
    • SSL/TLS users will now correctly receive the error message if they are rejected due to throttling (connect-flood) and some other situations.
    • DNS lookups are done before throttling. This allows exempting a hostname from both maxperip and connect-flood restrictions.
      A good example for IRCCloud would be:
      except ban {
          mask *.irccloud.com;
          type { maxperip; connect-flood; }
      }
      
    • Both features are temporarily disabled whenever a high rate of connection attempts is detected, to save CPU and other resources during such an attack. The default rate is 1000 per second, so this would be unusual to trigger accidentally.
  • It is now possible to override some set settings per-security group by having a set block with a name, like set unknown-users { }
    • You could use this to set more limitations for unknown-users:
      set unknown-users {
              max-channels-per-user 5;
              static-quit "Quit";
              static-part yes;
      }
      
    • Or to set higher values (higher than the normal set block) for trusted users:
      security-group trusted-bots {
              account { BotOne; BotTwo; }
      }
      set trusted-bots {
              max-channels-per-user 25;
      }
      
    • Currently the following settings can be used in a set xxx { } block: set::auto-join, set::modes-on-connect, set::restrict-usermodes, set::max-channels-per-user, set::static-quit, set::static-part.
    • See also Special users in the documentation for applying settings to a security group.
  • New proxy { } block that can be used for spoofing IP addresses when:
    • Reverse proxying websocket connections (eg. via NGINX, a load balancer or other reverse proxy)
    • WEBIRC/CGI:IRC gateways. This will replace the old webirc { } block in the future, though the old one will still work for now.
  • New setting set::handshake-boot-delay which allows server linking autoconnects to kick in (and incoming servers on serversonly ports), before allowing clients in. This potentially avoids part of the mess when initially linking on-boot. This option is not turned on by default, you have to set it explicitly.
    • This is not a useful feature on hubs, as they don't have clients.
    • It can be useful on client servers, if you autoconnect to your hub.
    • If you connect services to a server with clients this can be useful as well, especially in single-server setups. You would have to set a low retrywait in your anope conf (or similar services package) of like 5s instead of the default 60s. Then after an IRCd restart, your services link in before your clients and your IRC users have SASL available straight from the start.
  • JSON-RPC:
    • New call log.list to fetch the past 1000 log entries. This functionality is only loaded if you include rpc.modules.default.conf, so no memory is wasted on servers that are not used for JSON-RPC.

Changes:

  • set::topic-setter and set::ban-setter are now by default set to nick-user-host instead of nick, so you can see the full nick!user@host of who set the topic/ban/exempt/invex.
  • You can no longer (accidentally) load an old modules.default.conf. People must always use the shipped version of this file as the file VERY clearly says in the beginning (see also that file for instructions on how to deal with customizations). People run into lots of (strange) problems, not only missing nice new functionality, but also Services not working because the svslogin module is not loaded, etc.
    Usually mistakes with an old modules.default.conf are not deliberate, like a cp *.conf of an old installation, so this error should be helpful for those users (who otherwise tend to bang their head for hours).
  • Some small DNS performance improvements:
    • We now 'negatively cache' unresolved hosts for 60 seconds.
    • The maximum number of cached records (positive and negative) was raised to 4096.
    • We no longer use "search domains" to avoid silly lookups for like 4.3.2.1.dnsbl.dronebl.org.mydomain.org.
  • Data buffer chunks bumped from 512 bytes to ~4K. This results in fewer write calls (lower CPU usage) and more data per TCP/IP packet.
  • We now cache sending of lines in sendto_channel via a new "LineCache" system. It saves CPU on (very) large channels.
  • Several other performance improvements such as checking maxperip via a hash table and faster invisibility checks for delayjoin.
  • Blacklist hits are now logged globally. This means they show up in snomask B, are logged, and show up in the webpanel "Logs" view.
  • The event REMOTE_CLIENT_JOIN was mass-triggered when servers were syncing. They are now hidden, like REMOTE_CLIENT_CONNECT.
  • Update shipped libraries: c-ares to 1.19.1
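
The DNS items above, modelled as an added example (not UnrealIRCd code): how a resolver search list turns an unlisted DNSBL query into the extra lookup quoted in the notes, and how a 60-second negative cache capped at 4096 records bounds repeat lookups. The function and class names, the `ndots` default and the evict-oldest policy are assumptions made for illustration.

```python
import ipaddress
import time

NEGATIVE_TTL = 60    # seconds an unresolved host stays cached (value from the release notes)
MAX_RECORDS = 4096   # cap on cached records (value from the release notes)

def dnsbl_name(ip, zone):
    """Build the DNSBL query name for an IPv4 address: reversed octets + zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def lookups_tried(name, search_domains, use_search, ndots=1):
    """Names a stub resolver queries when every answer is NXDOMAIN (the usual case for an unlisted IP)."""
    if name.endswith(".") or not use_search:
        return [name.rstrip(".")]           # fully qualified or search disabled: one query
    suffixed = [name + "." + d for d in search_domains]
    if name.count(".") >= ndots:
        return [name] + suffixed            # as-is first, then each search domain
    return suffixed + [name]

class NegativeCache:
    """Remembers names that failed to resolve so they are not looked up again too soon."""
    def __init__(self, ttl=NEGATIVE_TTL, max_records=MAX_RECORDS, clock=time.monotonic):
        self.ttl, self.max_records, self.clock = ttl, max_records, clock
        self.expiry = {}                    # name -> expiry time, in insertion order

    def add(self, name):
        self.expiry.pop(name, None)
        if len(self.expiry) >= self.max_records:
            self.expiry.pop(next(iter(self.expiry)))   # assumed policy: evict the oldest entry
        self.expiry[name] = self.clock() + self.ttl

    def is_cached(self, name):
        exp = self.expiry.get(name)
        if exp is None:
            return False
        if self.clock() >= exp:             # entry expired: forget it and resolve again
            del self.expiry[name]
            return False
        return True
```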

Fixes:

  • Crash on FreeBSD/NetBSD when using JSON-RPC, due to clashing rpc_call symbol in their libc library.
  • Crash when removing a listen { } block for websocket or rpc (or changing the port number).
  • When using the webpanel, if an IRC client tried to connect with the same IP as the webpanel server, it would often receive the error "Too many unknown connections". This only affected non-localhost connections.
  • The require module block was only checked on one side of the link, thus partially not working.

Removed:

  • set::maxbanlength has been removed as it was not deemed useful and only confusing to users and admins.

 



Wednesday, June 14, 2023
