doc: release notes update for rpcallowip syntax change

TrezarCoin · Oct 23, 2014 · c8a2518 · c8a2518
1 parent 25cc1cf
commit c8a2518
Showing 1 changed file with 35 additions and 11 deletions.
diff --git a/doc/release-notes.md b/doc/release-notes.md
@@ -34,29 +34,53 @@ confirmation times.
 Prior releases used hard-coded fees (and priorities), and would
 sometimes create transactions that took a very long time to confirm.
 
+Statistics used to estimate fees and priorities are saved in the
+data directory in the `fee_estimates.dat` file just before
+program shutdown, and are read in at startup.
 
 New Command Line Options
-========================
+---------------------------
 
--txconfirmtarget=n : create transactions that have enough fees (or priority)
+- `-txconfirmtarget=n` : create transactions that have enough fees (or priority)
 so they are likely to confirm within n blocks (default: 1). This setting
 is over-ridden by the -paytxfee option.
 
 New RPC methods
-===============
+----------------
 
-Fee/Priority estimation
------------------------
-
-estimatefee nblocks : Returns approximate fee-per-1,000-bytes needed for
+- `estimatefee nblocks` : Returns approximate fee-per-1,000-bytes needed for
 a transaction to be confirmed within nblocks. Returns -1 if not enough
 transactions have been observed to compute a good estimate.
 
-estimatepriority nblocks : Returns approximate priority needed for
+- `estimatepriority nblocks` : Returns approximate priority needed for
 a zero-fee transaction to confirm within nblocks. Returns -1 if not
 enough free transactions have been observed to compute a good
 estimate.
 
-Statistics used to estimate fees and priorities are saved in the
-data directory in the 'fee_estimates.dat' file just before
-program shutdown, and are read in at startup.
+RPC access control changes
+==========================================
+
+Subnet matching for the purpose of access control is now done
+by matching the binary network address, instead of with string wildcard matching.
+For the user this means that `-rpcallowip` takes a subnet specification, which can be
+
+- a single IP address (e.g. `1.2.3.4` or `fe80::0012:3456:789a:bcde`)
+- a network/CIDR (e.g. `1.2.3.0/24` or `fe80::0000/64`)
+- a network/netmask (e.g. `1.2.3.4/255.255.255.0` or `fe80::0012:3456:789a:bcde/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff`)
+
+An arbitrary number of `-rpcallow` arguments can be given. An incoming connection will be accepted if its origin address
+matches one of them.
+
+For example:
+
+| 0.9.x and before                           | 0.10.x                                |
+|--------------------------------------------|---------------------------------------|
+| `-rpcallowip=192.168.1.1`                  | `-rpcallowip=192.168.1.1` (unchanged) |
+| `-rpcallowip=192.168.1.*`                  | `-rpcallowip=192.168.1.0/24`          |
+| `-rpcallowip=192.168.*`                    | `-rpcallowip=192.168.0.0/16`          |
+| `-rpcallowip=*` (dangerous!)               | `-rpcallowip=::/0`                    |
+
+Using wildcards will result in the rule being rejected with the following error in debug.log:
+
+    Error: Invalid -rpcallowip subnet specification: *. Valid are a single IP (e.g. 1.2.3.4), a network/netmask (e.g. 1.2.3.4/255.255.255.0) or a network/CIDR (e.g. 1.2.3.4/24).
+