Feature: NTM open SMTP + add rate limit fn & [DOCs/operators]: Release updates niolo (#6317)
* initialise smtp rate limit * simplify * remove duplicate hooks * fix ordering * ntm finalized * add changelog for niolo * bump up version * correct nym buy info * update stats * fix typo * fix typo * ready to merge * PR finished
@@ -9,7 +9,7 @@
|
||||
changed_when: false
|
||||
when: not ansible_check_mode
|
||||
|
||||
# show the full stdout so we don’t depend on regex parsing at all
|
||||
# show the full stdout
|
||||
# show full upgraded version output, line by line
|
||||
- name: Show upgraded nym-node version info
|
||||
debug:
|
||||
|
||||
@@ -5,7 +5,7 @@
|
||||
},
|
||||
"mixmining_reserve": {
|
||||
"denom": "unym",
|
||||
"amount": "176683247613141"
|
||||
"amount": "174592308324894"
|
||||
},
|
||||
"vesting_tokens": {
|
||||
"denom": "unym",
|
||||
@@ -13,6 +13,6 @@
|
||||
},
|
||||
"circulating_supply": {
|
||||
"denom": "unym",
|
||||
"amount": "823316752386859"
|
||||
"amount": "825407691675106"
|
||||
}
|
||||
}
|
||||
|
||||
+1
-1
@@ -1 +1 @@
|
||||
823_316_752
|
||||
825_407_691
|
||||
|
||||
+1
-1
@@ -1 +1 @@
|
||||
4_907
|
||||
4_849
|
||||
|
||||
+1
-1
@@ -1 +1 @@
|
||||
0.79%
|
||||
0.83%
|
||||
|
||||
+1
-1
@@ -1 +1 @@
|
||||
36.446
|
||||
34.648
|
||||
|
||||
+1
-1
@@ -1 +1 @@
|
||||
251_896
|
||||
252_536
|
||||
|
||||
+1
-1
@@ -1 +1 @@
|
||||
60_455_259
|
||||
60_608_795
|
||||
|
||||
+1
-1
@@ -1 +1 @@
|
||||
60_455_258
|
||||
60_608_794
|
||||
|
||||
+3
-3
@@ -1,7 +1,7 @@
|
||||
| **Item** | **Description** | **Amount in NYM** |
|
||||
|:-------------------|:------------------------------------------------------|--------------------:|
|
||||
| Total Supply | Maximum amount of NYM token in existence | 1_000_000_000 |
|
||||
| Mixmining Reserve | Tokens releasing for operators rewards | 176_683_247 |
|
||||
| Mixmining Reserve | Tokens releasing for operators rewards | 174_592_308 |
|
||||
| Vesting Tokens | Tokens locked outside of cicrulation for future claim | 0 |
|
||||
| Circulating Supply | Amount of unlocked tokens | 823_316_752 |
|
||||
| Stake Saturation | Optimal size of node self-bond + delegation | 251_896 |
|
||||
| Circulating Supply | Amount of unlocked tokens | 825_407_691 |
|
||||
| Stake Saturation | Optimal size of node self-bond + delegation | 252_536 |
|
||||
|
||||
@@ -1,10 +1,10 @@
|
||||
{
|
||||
"interval": {
|
||||
"reward_pool": "176683247613141.489518623753339272",
|
||||
"staking_supply": "60455258984180.809034503857018251",
|
||||
"reward_pool": "174592308324894.719164125613282609",
|
||||
"staking_supply": "60608794397902.33807512267258462",
|
||||
"staking_supply_scale_factor": "0.07342892",
|
||||
"epoch_reward_budget": "4907867989.25393026440621537",
|
||||
"stake_saturation_point": "251896912434.086704310432737576",
|
||||
"epoch_reward_budget": "4849786342.358186643447933702",
|
||||
"stake_saturation_point": "252536643324.593075313011135769",
|
||||
"sybil_resistance": "0.3",
|
||||
"active_set_work_factor": "10",
|
||||
"interval_pool_emission": "0.02"
|
||||
|
||||
@@ -1 +1 @@
|
||||
Thursday, December 11th 2025, 11:24:33 UTC
|
||||
Thursday, January 15th 2026, 09:44:55 UTC
|
||||
|
||||
@@ -49,6 +49,95 @@ This page displays a full list of all the changes during our release cycle from
|
||||
|
||||
<VarInfo />
|
||||
|
||||
## `v2026.1-niolo`
|
||||
|
||||
- [Release Binaries](https://github.com/nymtech/nym/releases/tag/nym-binaries-v2026.1-niolo)
|
||||
- [`nym-node`](nodes/nym-node.mdx) version `1.23.0`
|
||||
|
||||
```sh
|
||||
nym-node
|
||||
Binary Name: nym-node
|
||||
Build Timestamp: 2025-12-02T16:21:03.251191389Z
|
||||
Build Version: 1.23.0
|
||||
Commit SHA: 46fe1bc8191f42aa27f34743c96e9e9f26453d87
|
||||
Commit Date: 2025-12-02T15:29:30.000000000Z
|
||||
Commit Branch: release/2025.22-niolo
|
||||
rustc Version: 1.91.1
|
||||
rustc Channel: stable
|
||||
cargo Profile: release
|
||||
```
|
||||
|
||||
### Operators Updates & Tools
|
||||
|
||||
We’re excited to announce the first **nym-node release of 2026**.
|
||||
|
||||
**Exit Policy Ports Management**
|
||||
|
||||
In December 2025, two NIP proposals were approved, introducing new ports to Nym network: [NIP-6](https://governator.nym.com/proposal/prop-ba886b9d-6f6e-4365-b4ed-fe7e604bc375), opening ports for WhatsApp and Session + Port `465` and [NIP-4](https://governator.nym.com/proposal/prop-ca6726ea-38b1-4568-97fe-8bdc5fdc83a0), opening port `587`.
|
||||
|
||||
**Due to the concerns raised by the operators we built a rate limiting function to Network tunnel manager (NTM) to prevent spam abuse of the network. You can see the changes [here](https://github.com/nymtech/nym/pull/6317).**
|
||||
|
||||
To implement the changes and ensure that the nodes have expected performance, please re-run NTM following these steps:
|
||||
|
||||
<Steps>
|
||||
###### 1. Get the new NTM
|
||||
- Download the updated NTM and make executable
|
||||
```sh
|
||||
curl -L https://raw.githubusercontent.com/nymtech/nym/refs/heads/develop/scripts/nym-node-setup/network-tunnel-manager.sh -o ./network-tunnel-manager.sh && \
|
||||
chmod +x network-tunnel-manager.sh
|
||||
```
|
||||
|
||||
###### 2. Update exit policy
|
||||
- To be sure that your routing is clean, run this command:
|
||||
```sh
|
||||
./network-tunnel-manager.sh complete_networking_configuration
|
||||
```
|
||||
</ Steps>
|
||||
|
||||
**Node Orchestration**
|
||||
|
||||
Nym network scaling is done mostly by squads, organizations, DAOs and other entities of collaborating operators administrating multiple nodes. To improve efficiency, user experience and cost we added a new menu item [*Orchestration*](/operators/orchestration) where you can find step by step guides to:
|
||||
|
||||
- [Virtualise server using KVM](/operators/nodes/preliminary-steps/vps-setup/advanced): Creating VMs with desired size, bandwidth and capacity for lower cost in comparison to renting VPS
|
||||
- [Ansible guide](/operators/orchestration/ansible): Orchestrating many nodes effectively using the [Ansible template](https://github.com/nymtech/nym/tree/develop/ansible/nym-node)
|
||||
|
||||
Please, let us know how that worked for you.
|
||||
|
||||
### Features
|
||||
|
||||
- [Merge intermediate upgrade mode changes](https://github.com/nymtech/nym/pull/6174): This PR contains a long changelog on itself, please read the full [in the PR description](https://github.com/nymtech/nym/pull/6174)
|
||||
|
||||
- [Config migration](https://github.com/nymtech/nym/pull/6259)
|
||||
|
||||
- [Statistics API v2](https://github.com/nymtech/nym/pull/6227): This PRs adds a v2 of the `VpnClientSessionReport` and update the stats API to be able to store it
|
||||
|
||||
- [Update chain registry link](https://github.com/nymtech/nym/pull/6219)
|
||||
|
||||
|
||||
### Bugfix
|
||||
|
||||
- [Re-exposed 'derive_extended_private_key'](https://github.com/nymtech/nym/pull/6247)
|
||||
|
||||
- [`gateway-probe` fixes for run-local](https://github.com/nymtech/nym/pull/6212)
|
||||
|
||||
- [Upgrade mode: VPN adjustments](https://github.com/nymtech/nym/pull/6189): This PR further builds up on [\#6174](https://github.com/nymtech/nym/pull/6174) to include changes required by the VPN-client to fully support the upgrade mode, what is relevant here is that this PR modifies the credential storage to allow it to storage an opaque `emergency credential` that lets it be shared between sessions (if it is still valid) ]
|
||||
|
||||
- [Add weighted scoring to NS API](https://github.com/nymtech/nym/pull/6144)
|
||||
|
||||
### Refactors & Maintenance
|
||||
|
||||
- [Remove run DKG migration](https://github.com/nymtech/nym/pull/6253)
|
||||
|
||||
- [Do not re-derive wallet keys on every tx](https://github.com/nymtech/nym/pull/6213): The `cosmrs' trait bounds on `EcdsaSigner` got updated to include `Send` and `Sync`, meaning we no longer need to derive private keys on every transaction and instead we can just do it once, on construction
|
||||
|
||||
- [Remove support for legacy mixnode within the performance contract](https://github.com/nymtech/nym/pull/6205): The network no longer supports those nodes, there's no point in having the "brand new" (kinda) contract support them either
|
||||
|
||||
|
||||
|
||||
|
||||
<br />
|
||||
<AccordionTemplate name="Changelog 2025">
|
||||
|
||||
## Last Update of 2025
|
||||
|
||||
We are not going to do a platform release this year anymore, but we have two important updates to share.
|
||||
@@ -2750,6 +2839,7 @@ Config changes:
|
||||
|
||||
To allow reading through older changelogs, we store them below sorted by years.
|
||||
|
||||
</ AccordionTemplate>
|
||||
<br />
|
||||
<AccordionTemplate name="Changelog 2024">
|
||||
|
||||
@@ -4444,7 +4534,7 @@ done
|
||||
- Top routing score now includes:
|
||||
- Wireguard registration and complete handshake test, to configure see [tasklist below](#operators-tasks)
|
||||
- DNS resolution check, to configure see [tasklist below](#operators-tasks)
|
||||
- Wireguard perfomance bigger than 0.75, to configure see [tasklist below](#operators-tasks)
|
||||
- Wireguard performance bigger than 0.75, to configure see [tasklist below](#operators-tasks)
|
||||
|
||||
- New [Nym Wallet](https://github.com/nymtech/nym/releases/tag/nym-wallet-v1.2.14) is out!
|
||||
- Vesting contract functionalities have been purged, users can only remove tokens from vesting
|
||||
|
||||
@@ -21,16 +21,17 @@ This documentation page provides a guide on how to set up and run a [NYM NODE](.
|
||||
```sh
|
||||
nym-node
|
||||
Binary Name: nym-node
|
||||
Build Timestamp: 2025-11-25T14:26:29.627763948Z
|
||||
Build Version: 1.22.0
|
||||
Commit SHA: 22793bc45ea21561671d6670497ff42bc36b9d76
|
||||
Commit Date: 2025-11-25T15:16:42.000000000+01:00
|
||||
Commit Branch: HEAD
|
||||
rustc Version: 1.88.0
|
||||
Build Timestamp: 2025-12-02T16:21:03.251191389Z
|
||||
Build Version: 1.23.0
|
||||
Commit SHA: 46fe1bc8191f42aa27f34743c96e9e9f26453d87
|
||||
Commit Date: 2025-12-02T15:29:30.000000000Z
|
||||
Commit Branch: release/2025.22-niolo
|
||||
rustc Version: 1.91.1
|
||||
rustc Channel: stable
|
||||
cargo Profile: release
|
||||
```
|
||||
|
||||
|
||||
Detailed version archive and release notes is documented [here](../../changelog.mdx).
|
||||
|
||||
{/* COMMENTING THIS OUT ASS WE HAVE TO FIGURE OUT HOW TO SHOW THE LATEST VERSION FROM MASTER BRANCH
|
||||
|
||||
@@ -11,7 +11,13 @@ If pre-compiled binaries for your operating system aren't available, you can bui
|
||||
|
||||
If you don't already have one, please create a Nym address using the wallet, and fund it with NYM tokens. The minimum amount required to bond a node is 100 `NYM`, but make sure you have a bit more to account for gas costs.
|
||||
|
||||
`NYM` can be purchased via [Bity](https://bity.com) from the wallet itself with BTC or fiat, and is currently present on several [exchanges](https://www.coingecko.com/en/coins/nym#markets).
|
||||
`NYM` can be swapped in these places:
|
||||
|
||||
- [SpectreDAO Swap](https://explorer.nym.spectredao.net/swap) (1000+ tokens supported)
|
||||
- [Binance bridge](https://bridge.nym.com/)
|
||||
- [ERC20 bridge](https://swapper.nym.com/swap) - follow [this guide](https://nym.com/blog/nym-for-nym-swapper-app-bridges-native-and-erc20-token)
|
||||
|
||||
`NYM` can be also bought on several [exchanges](https://www.coingecko.com/en/coins/nym#markets).
|
||||
|
||||
> Remember that you can **only** use Cosmos `NYM` tokens to bond your node. You **cannot** use ERC20 representations of `NYM` to run a node.
|
||||
|
||||
|
||||
@@ -487,6 +487,25 @@ configure_dns_and_icmp_wg() {
|
||||
ok "dns and icmp configuration completed"
|
||||
}
|
||||
|
||||
apply_smtps_465_rate_limit() {
|
||||
info "adding SMTPS tcp/465 rules with rate limiting to ${NYM_CHAIN}"
|
||||
|
||||
# IPv4
|
||||
iptables -A "$NYM_CHAIN" -p tcp --dport 465 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
iptables -A "$NYM_CHAIN" -p tcp --dport 465 -m conntrack --ctstate NEW -m hashlimit \
|
||||
--hashlimit-upto 30/min --hashlimit-burst 60 --hashlimit-mode srcip --hashlimit-name smtps465v4 -j ACCEPT
|
||||
iptables -A "$NYM_CHAIN" -p tcp --dport 465 -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
|
||||
|
||||
# IPv6
|
||||
ip6tables -A "$NYM_CHAIN" -p tcp --dport 465 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
ip6tables -A "$NYM_CHAIN" -p tcp --dport 465 -m conntrack --ctstate NEW -m hashlimit \
|
||||
--hashlimit-upto 30/min --hashlimit-burst 60 --hashlimit-mode srcip --hashlimit-name smtps465v6 -j ACCEPT
|
||||
ip6tables -A "$NYM_CHAIN" -p tcp --dport 465 -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
|
||||
|
||||
ok "SMTPS tcp/465 installed: NEW <= 30/min burst 60 per srcip; overflow rejected; ESTABLISHED allowed"
|
||||
}
|
||||
|
||||
|
||||
###############################################################################
|
||||
# part 2: wireguard exit policy manager
|
||||
###############################################################################
|
||||
@@ -527,6 +546,7 @@ exit_policy_install_deps() {
|
||||
create_nym_chain() {
|
||||
info "creating nym exit policy chain $NYM_CHAIN"
|
||||
|
||||
# create/flush chain
|
||||
if iptables -S "$NYM_CHAIN" >/dev/null 2>&1; then
|
||||
iptables -F "$NYM_CHAIN"
|
||||
else
|
||||
@@ -539,15 +559,25 @@ create_nym_chain() {
|
||||
ip6tables -N "$NYM_CHAIN"
|
||||
fi
|
||||
|
||||
if ! iptables -C FORWARD -i "$WG_INTERFACE" -o "$NETWORK_DEVICE" -j "$NYM_CHAIN" 2>/dev/null; then
|
||||
iptables -I FORWARD 1 -i "$WG_INTERFACE" -o "$NETWORK_DEVICE" -j "$NYM_CHAIN"
|
||||
fi
|
||||
# remove *all* FORWARD -> NYM-EXIT jumps
|
||||
while read -r rule; do
|
||||
spec="${rule#-A FORWARD }"
|
||||
iptables -D FORWARD $spec 2>/dev/null || true
|
||||
done < <(iptables -S FORWARD | grep -F " -j $NYM_CHAIN" || true)
|
||||
|
||||
if ! ip6tables -C FORWARD -i "$WG_INTERFACE" -o "$NETWORK_DEVICE" -j "$NYM_CHAIN" 2>/dev/null; then
|
||||
ip6tables -I FORWARD 1 -i "$WG_INTERFACE" -o "$NETWORK_DEVICE" -j "$NYM_CHAIN"
|
||||
fi
|
||||
while read -r rule; do
|
||||
spec="${rule#-A FORWARD }"
|
||||
ip6tables -D FORWARD $spec 2>/dev/null || true
|
||||
done < <(ip6tables -S FORWARD | grep -F " -j $NYM_CHAIN" || true)
|
||||
|
||||
# add the single correct hook
|
||||
iptables -I FORWARD 1 -i "$WG_INTERFACE" -o "$NETWORK_DEVICE" -j "$NYM_CHAIN"
|
||||
ip6tables -I FORWARD 1 -i "$WG_INTERFACE" -o "$NETWORK_DEVICE" -j "$NYM_CHAIN"
|
||||
|
||||
ok "NYM-EXIT chain ready + single FORWARD hook installed"
|
||||
}
|
||||
|
||||
|
||||
setup_nat_rules() {
|
||||
info "setting up nat and forwarding rules for $WG_INTERFACE via $NETWORK_DEVICE"
|
||||
|
||||
@@ -616,6 +646,8 @@ apply_port_allowlist() {
|
||||
["HTTPS"]="443"
|
||||
["SMBWindowsFileShare"]="445"
|
||||
["Kpasswd"]="464"
|
||||
# this port is opened and rate limited in apply_smtps_465_rate_limit
|
||||
# ["SMTP"]="465"
|
||||
["RTSP"]="554"
|
||||
["SMTPSubmission"]="587"
|
||||
["LDAPS"]="636"
|
||||
@@ -1178,6 +1210,7 @@ exit_policy_install() {
|
||||
create_nym_chain
|
||||
setup_nat_rules
|
||||
apply_port_allowlist
|
||||
apply_smtps_465_rate_limit
|
||||
apply_spamhaus_blocklist
|
||||
add_default_reject_rule
|
||||
save_iptables_rules
|
||||
|
||||
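Review bot: The hashlimit rules added in apply_smtps_465_rate_limit cover only tcp/465, while the apply_port_allowlist hunk still lists `["SMTPSubmission"]="587"` as a plain allowlist entry, so the other mail-submission port named in the release notes gets no per-source cap on new connections. If the limit is meant to curb spam relayed through exit nodes, consider having the function take the port as an argument (with the port in the `--hashlimit-name` too), calling it for both 465 and 587, and commenting 587 out of the map the same way 465 was. The rules are appended with `-A` and no `-C` check, which avoids duplicates only because create_nym_chain flushes the chain first; a short comment above the `# IPv4` block, such as `# relies on create_nym_chain having flushed $NYM_CHAIN; not idempotent on its own`, would record that. In exit_policy_install these ACCEPT rules are installed before apply_spamhaus_blocklist runs, and whether the blocklist still takes precedence for mail ports depends on how that function inserts its rules, which is not visible on this page.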