pve-firewall (4.2-4) bullseye; urgency=medium

  * re-build to avoid issues stemming from semi-broken systemd-debhelper version

 -- Proxmox Support Team <support@proxmox.com>  Tue, 12 Oct 2021 10:39:05 +0200

pve-firewall (4.2-3) bullseye; urgency=medium

  * fix #2721: remove the (nowadays) bogus reject for TCP port 43 from the
    default drop and reject actions

 -- Proxmox Support Team <support@proxmox.com>  Fri, 10 Sep 2021 13:00:07 +0200

pve-firewall (4.2-2) bullseye; urgency=medium

  * re-set relevant sysctls on every apply round

 -- Proxmox Support Team <support@proxmox.com>  Mon, 21 Jun 2021 11:31:42 +0200

pve-firewall (4.2-1) bullseye; urgency=medium

  * fix #967: source: dest: limit length

  * re-build for Debian 11 Bullseye based releases (Proxmox VE 7)

  * fix #2358: allow --<opt> in firewall rule config files

 -- Proxmox Support Team <support@proxmox.com>  Wed, 12 May 2021 20:32:30 +0200

pve-firewall (4.1-3) pve; urgency=medium

  * fix #2773: ebtables: keep policy of custom chains

  * introduce new icmp-type parameter

 -- Proxmox Support Team <support@proxmox.com>  Fri, 18 Sep 2020 16:51:27 +0200

pve-firewall (4.1-2) pve; urgency=medium

  * revert: rules: verify referenced security group exists

 -- Proxmox Support Team <support@proxmox.com>  Wed, 06 May 2020 17:41:36 +0200

pve-firewall (4.1-1) pve; urgency=medium

  * logging: add missing log message for inbound rules

  * fix #2686: avoid adding 'arp-ip-src' IP filter if guest uses DHCP

  * IPSets: parse the CIDR before checking for duplicates

  * verify that a referenced security group exists

  * ICMP: fix iptables-restore failing if ICMP-type values bigger than '255'

  * ICMP: allow one to specify the 'echo-reply' (0) type also as integer

  * improve handling concurrent (parallel) access and modifications to rules

 -- Proxmox Support Team <support@proxmox.com>  Mon, 04 May 2020 15:01:57 +0200

pve-firewall (4.0-10) pve; urgency=medium

  * macros: add macro for Proxmox Mail Gateway web interface

  * api node: always pass cluster conf to node FW parser to fix false positive
    error message about non existing aliases, or IP sets, when querying the
    node FW options GET API call.

  * grammar fix: s/does not exists/does not exist/g

 -- Proxmox Support Team <support@proxmox.com>  Mon, 27 Jan 2020 19:25:49 +0100

pve-firewall (4.0-9) pve; urgency=medium

  * ensure port range used for offline storage migration and insecure migration
    traffic is allowed by default rule set.

 -- Proxmox Support Team <support@proxmox.com>  Tue, 03 Dec 2019 08:12:20 +0100

pve-firewall (4.0-8) pve; urgency=medium

  * increase default nf_conntrack_max to the kernel's default

  * fix some "use of uninitialized value" warnings when updating CIDRs

  * update schema documentation

  * add explicit dependency on libpve-cluster-perl

  * add support for "raw" tables

  * add options for synflood protection for host firewall:
    - nf_conntrack_tcp_timeout_syn_recv
    - protection_synflood: boolean
    - protection_synflood_rate: SYN rate limit (default 200 per second)
    - protection_synflood_burst: SYN burst limit (default 1000)

 -- Proxmox Support Team <support@proxmox.com>  Mon, 18 Nov 2019 13:48:20 +0100

pve-firewall (4.0-7) pve; urgency=medium

  * only add VM chains and rules if VM firewall is enabled

 -- Proxmox Support Team <support@proxmox.com>  Wed, 7 Aug 2019 10:55:06 +0200

pve-firewall (4.0-6) pve; urgency=medium

  * firewall macros: add new Ceph protocol v2 port while keeping v1 port

 -- Proxmox Support Team <support@proxmox.com>  Tue, 23 Jul 2019 18:57:48 +0200

pve-firewall (4.0-5) pve; urgency=medium

  * don't use any base path at all for calls to external binaries to make use
    compatible with both, /usr merged and unmerged setups

 -- Proxmox Support Team <support@proxmox.com>  Fri, 12 Jul 2019 11:47:53 +0200

pve-firewall (4.0-4) pve; urgency=medium

  * ebtables: remove PVE chains properly

  * ebtables: treat chain deletion as change

  * use /usr/sbin as base path

 -- Proxmox Support Team <support@proxmox.com>  Thu, 11 Jul 2019 19:40:01 +0200

pve-firewall (4.0-3) pve; urgency=medium

  * Create corosync firewall rules independently of localnet

  * Display corosync rule info on localnet call

 -- Proxmox Support Team <support@proxmox.com>  Thu, 04 Jul 2019 15:56:11 +0200

pve-firewall (4.0-2) pve; urgency=medium

  * fix systemd warning about PIDFile directory

  * fix CT rule generation with ipfilter set

  * pve-firewall service: update-alternative iptables and ebtables to working

 -- Proxmox Support Team <support@proxmox.com>  Mon, 24 Jun 2019 20:43:21 +0200

pve-firewall (4.0-1) pve; urgency=medium

  * re-build for Debian Buster / PVE 6

 -- Proxmox Support Team <support@proxmox.com>  Tue, 21 May 2019 22:28:55 +0200

pve-firewall (3.0-21) unstable; urgency=medium

  * fix ipv6 PVEFW-reject

  * fix #2193: arpfilter: CT: remove mask from net IP/CIDR to avoid
    ebtables doing the wrong thing here

 -- Proxmox Support Team <support@proxmox.com>  Wed, 08 May 2019 10:09:31 +0000

pve-firewall (3.0-20) unstable; urgency=medium

  * use IPCC to read config and rule files, if they are backed by pmxcfs which
    has better handling for pmxcfs restarts

  * fix #2178: endless loop on ipv6 extension headers

 -- Proxmox Support Team <support@proxmox.com>  Fri, 19 Apr 2019 05:10:13 +0000

pve-firewall (3.0-19) unstable; urgency=medium

  * ebtables: add arp filtering

  * fix: #2123 Logging of user defined firewall rules

  * allow to enable/disable and modify cluster wide log ratelimits

 -- Proxmox Support Team <support@proxmox.com>  Tue, 02 Apr 2019 11:15:16 +0200

pve-firewall (3.0-18) unstable; urgency=medium

  * fix #1606: Add nf_conntrack_allow_invalid option

  * log reject : add space after policy REJECT like drop

  * fix #1891: Add zsh command completion for pve-firewall

 -- Proxmox Support Team <support@proxmox.com>  Mon, 04 Mar 2019 10:27:01 +0100

pve-firewall (3.0-17) unstable; urgency=medium

  * fix #2005: only allow ascii port digits

  * fix #2004: do not allow backwards ranges

  * add conntrack logging via libnetfilter_conntrack and allow one to enable
    it through the firewall host configuration

 -- Proxmox Support Team <support@proxmox.com>  Wed, 09 Jan 2019 16:56:17 +0100

pve-firewall (3.0-16) unstable; urgency=medium

  * api/rules: fix macro return type

 -- Proxmox Support Team <support@proxmox.com>  Fri, 30 Nov 2018 16:02:59 +0100

pve-firewall (3.0-15) unstable; urgency=medium

  * fix #1971: display firewall rule properties

 -- Proxmox Support Team <support@proxmox.com>  Fri, 23 Nov 2018 14:01:33 +0100

pve-firewall (3.0-14) unstable; urgency=medium

  * fix #1841: avoid ebtable reloads when containers have multiple network

 -- Proxmox Support Team <support@proxmox.com>  Fri, 24 Aug 2018 10:51:04 +0200

pve-firewall (3.0-13) unstable; urgency=medium

  * avoid unnecessary reloads of ebtable ruleset

 -- Proxmox Support Team <support@proxmox.com>  Thu, 28 Jun 2018 14:47:16 +0200

pve-firewall (3.0-12) unstable; urgency=medium

  * fix deleted iptables chains not being properly detected as a change

 -- Proxmox Support Team <support@proxmox.com>  Tue, 12 Jun 2018 12:01:02 +0200

pve-firewall (3.0-11) unstable; urgency=medium

  * #1764: rename 'ebtables_enable' option to 'ebtables'

 -- Proxmox Support Team <support@proxmox.com>  Wed, 06 Jun 2018 16:18:13 +0200

pve-firewall (3.0-10) unstable; urgency=medium

  * fix #1764: handle existing ebtables rules and allow disabling ebtables

  * ebtables handling can be disabled via /etc/pve/firewall/cluster.fw's new
    ebtables_enable option.

 -- Proxmox Support Team <support@proxmox.com>  Tue, 29 May 2018 15:14:33 +0200

pve-firewall (3.0-9) unstable; urgency=medium

  * fix creation of ebtables FORWARD rule entry

 -- Proxmox Support Team <support@proxmox.com>  Thu, 17 May 2018 14:41:27 +0200

pve-firewall (3.0-8) unstable; urgency=medium

  * add ebtables support for better MAC filtering

 -- Proxmox Support Team <support@proxmox.com>  Wed, 11 Apr 2018 14:25:41 +0200

pve-firewall (3.0-7) unstable; urgency=medium

  * support distinct source and destination multi-port matching

  * multi-port matching: when specifying the same list of ports for source and
    destination require them both to match, rather than one of them, as this
    was rather unexpected behavior

 -- Proxmox Support Team <support@proxmox.com>  Mon, 12 Mar 2018 14:58:08 +0100

pve-firewall (3.0-6) unstable; urgency=medium

  * fix #1319: don't fail postinst with masked service

  * debian: switch to compat 9, drop init scripts, drop preinst

  * check multiport limit in port ranges

  * build: use git rev-parse for GITVERSION

 -- Proxmox Support Team <support@proxmox.com>  Thu, 08 Mar 2018 13:53:11 +0100

pve-firewall (3.0-5) unstable; urgency=medium

  * fix issue with disabled flag not being honored within groups

 -- Proxmox Support Team <support@proxmox.com>  Thu, 07 Dec 2017 08:31:42 +0100

pve-firewall (3.0-4) unstable; urgency=medium

  * fix issues with ipsets reloading unnecessarily or too late

  * fix some typos in the logs

 -- Proxmox Support Team <support@proxmox.com>  Thu, 16 Nov 2017 11:41:56 +0100

pve-firewall (3.0-3) unstable; urgency=medium

  * Fix #1492: logger: use current timestamp if the packet doesn't have one

 -- Proxmox Support Team <support@proxmox.com>  Tue, 12 Sep 2017 14:43:06 +0200

pve-firewall (3.0-2) unstable; urgency=medium

  * Fix #1446: remove masks in case the package had previously been removed but

  * improve logging on errors in the firewall configuration

  * forbid trailing commas in lists as iptables-restore doesn't support them

 -- Proxmox Support Team <support@proxmox.com>  Mon, 17 Jul 2017 15:24:40 +0200

pve-firewall (3.0-1) unstable; urgency=medium

  * rebuild for Debian Stretch

 -- Proxmox Support Team <support@proxmox.com>  Thu, 9 Mar 2017 14:04:17 +0100

pve-firewall (2.0-33) unstable; urgency=medium

  * ipset: don't allow zero-prefix entries

 -- Proxmox Support Team <support@proxmox.com>  Tue, 29 Nov 2016 12:18:04 +0100

pve-firewall (2.0-32) unstable; urgency=medium

  * improve search for local-network

 -- Proxmox Support Team <support@proxmox.com>  Tue, 29 Nov 2016 06:35:08 +0100

pve-firewall (2.0-31) unstable; urgency=medium

  * don't try to apply ports to rules which don't support them

 -- Proxmox Support Team <support@proxmox.com>  Thu, 06 Oct 2016 08:31:51 +0200

pve-firewall (2.0-30) unstable; urgency=medium

  * add multicast DNS to the list of Macros

  * add missing parameter descriptions

  * build-depends: add dh-systemd

 -- Proxmox Support Team <support@proxmox.com>  Fri, 16 Sep 2016 08:53:16 +0200

pve-firewall (2.0-29) unstable; urgency=medium

  * prevent overwriting ipsets/sec. groups by renaming

 -- Proxmox Support Team <support@proxmox.com>  Fri, 03 Jun 2016 16:46:10 +0200

pve-firewall (2.0-28) unstable; urgency=medium

  * use pve-common's ipv4_mask_hash_localnet

  * fix allowed group name length

  * make group digest stable

 -- Proxmox Support Team <support@proxmox.com>  Fri, 03 Jun 2016 11:01:47 +0200

pve-firewall (2.0-27) unstable; urgency=medium

  * fix #972: make PVEFW-FWBR-* rule order stable

 -- Proxmox Support Team <support@proxmox.com>  Tue, 17 May 2016 07:59:52 +0200

pve-firewall (2.0-26) unstable; urgency=medium

  * fix #988: set rp_filter=2

 -- Proxmox Support Team <support@proxmox.com>  Mon, 09 May 2016 10:01:28 +0200

pve-firewall (2.0-25) unstable; urgency=medium

  * fix #945: add uninitialized check in lxc ipset compilation

 -- Proxmox Support Team <support@proxmox.com>  Thu, 21 Apr 2016 09:58:33 +0200

pve-firewall (2.0-24) unstable; urgency=medium

  * Build-Depend on pve-doc-generator

  * generate manpage with pve-doc-generator

 -- Proxmox Support Team <support@proxmox.com>  Wed, 06 Apr 2016 10:52:45 +0200

pve-firewall (2.0-23) unstable; urgency=medium

  * use only the top bit for our accept marks

 -- Proxmox Support Team <support@proxmox.com>  Fri, 01 Apr 2016 07:35:38 +0200

pve-firewall (2.0-22) unstable; urgency=medium

  * Use cfs_config_path from PVE::QemuConfig

 -- Proxmox Support Team <support@proxmox.com>  Tue, 08 Mar 2016 11:47:40 +0100

pve-firewall (2.0-21) unstable; urgency=medium

  * added new 'ipfilter' option

 -- Proxmox Support Team <support@proxmox.com>  Thu, 03 Mar 2016 09:43:39 +0100

pve-firewall (2.0-20) unstable; urgency=medium

  * fix 901: encode unicode characters in sha digest

 -- Proxmox Support Team <support@proxmox.com>  Mon, 29 Feb 2016 12:40:14 +0100

pve-firewall (2.0-19) unstable; urgency=medium

  * Add radv option to VM options

 -- Proxmox Support Team <support@proxmox.com>  Sat, 27 Feb 2016 10:24:42 +0100

pve-firewall (2.0-18) unstable; urgency=medium

  * Add ndp option to host and VM firewall options

  * Add router-solicitation to NeighborDiscovery macro

 -- Proxmox Support Team <support@proxmox.com>  Fri, 19 Feb 2016 10:01:22 +0100

pve-firewall (2.0-17) unstable; urgency=medium

  * Don't leave empty FW config files behind

 -- Proxmox Support Team <support@proxmox.com>  Mon, 08 Feb 2016 14:09:24 +0100

pve-firewall (2.0-16) unstable; urgency=medium

  * logger: basic ipv6 support

  * add dhcpv6 support to the dhcp option

 -- Proxmox Support Team <support@proxmox.com>  Tue, 26 Jan 2016 16:52:14 +0100

pve-firewall (2.0-15) unstable; urgency=medium

  * fix bug #859: use $security_group_name_pattern in iptables_get_chains

  * fix some regular expressions mixups

 -- Proxmox Support Team <support@proxmox.com>  Thu, 07 Jan 2016 16:33:23 +0100

pve-firewall (2.0-14) unstable; urgency=medium

  * fix systemd service dependencies

 -- Proxmox Support Team <support@proxmox.com>  Fri, 27 Nov 2015 10:52:57 +0100

pve-firewall (2.0-13) unstable; urgency=medium

  * allow numeric icmp types

 -- Proxmox Support Team <support@proxmox.com>  Fri, 23 Oct 2015 13:21:53 +0200

pve-firewall (2.0-12) unstable; urgency=medium

  * implement bash completions

  * convert pve-firewall into a PVE::Service class

 -- Proxmox Support Team <support@proxmox.com>  Thu, 24 Sep 2015 12:15:00 +0200

pve-firewall (2.0-11) unstable; urgency=medium

  * iptables_get_chains: fix veth device name

 -- Proxmox Support Team <support@proxmox.com>  Tue, 08 Sep 2015 07:54:35 +0200

pve-firewall (2.0-10) unstable; urgency=medium

  * new helper: clone_vmfw_conf()

 -- Proxmox Support Team <support@proxmox.com>  Tue, 25 Aug 2015 06:47:49 +0200

pve-firewall (2.0-9) unstable; urgency=medium

  * remove firewall config file subroutine added

 -- Proxmox Support Team <support@proxmox.com>  Wed, 19 Aug 2015 15:42:51 +0200

pve-firewall (2.0-8) unstable; urgency=medium

  * adopt regression tests for lxc containers

  * removed firewall code for openVZ

  * Subroutine verify_rule fixed to correctly check only for "net\d+"
    interface device names

 -- Proxmox Support Team <support@proxmox.com>  Wed, 12 Aug 2015 12:01:43 +0200

pve-firewall (2.0-7) unstable; urgency=medium

  * added firewall code for lxc

 -- Proxmox Support Team <support@proxmox.com>  Mon, 10 Aug 2015 09:21:14 +0200

pve-firewall (2.0-6) unstable; urgency=medium

  * firewall ipversion comparison fix

 -- Proxmox Support Team <support@proxmox.com>  Tue, 04 Aug 2015 11:14:51 +0200

pve-firewall (2.0-5) unstable; urgency=medium

  * add ipv6 neighbor discovery and solicitation macros

  * ip6tables accepts both spellings of the word neighbor

 -- Proxmox Support Team <support@proxmox.com>  Mon, 27 Jul 2015 13:20:55 +0200

pve-firewall (2.0-4) unstable; urgency=medium

  * include manual page for pve-firewall

 -- Proxmox Support Team <support@proxmox.com>  Sat, 27 Jun 2015 16:26:28 +0200

pve-firewall (2.0-3) unstable; urgency=medium

  * use noawait triggers for pve-api-updates

 -- Proxmox Support Team <support@proxmox.com>  Mon, 01 Jun 2015 12:33:06 +0200

pve-firewall (2.0-2) unstable; urgency=medium

  * trigger pve-api-updates event

 -- Proxmox Support Team <support@proxmox.com>  Tue, 05 May 2015 15:10:24 +0200

pve-firewall (2.0-1) unstable; urgency=medium

  * recompile for debian jessie

 -- Proxmox Support Team <support@proxmox.com>  Fri, 27 Feb 2015 12:22:04 +0100

pve-firewall (1.0-18) unstable; urgency=low

 -- Proxmox Support Team <support@proxmox.com>  Mon, 09 Feb 2015 09:32:03 +0100

pve-firewall (1.0-17) unstable; urgency=low

  * fix restart behavior

 -- Proxmox Support Team <support@proxmox.com>  Thu, 15 Jan 2015 06:45:58 +0100

pve-firewall (1.0-16) unstable; urgency=low

  * use new Daemon class from pve-common

 -- Proxmox Support Team <support@proxmox.com>  Thu, 18 Dec 2014 09:45:07 +0100

pve-firewall (1.0-15) unstable; urgency=low

  * bug fix: load cluster conf for host rules

 -- Proxmox Support Team <support@proxmox.com>  Fri, 12 Dec 2014 06:33:28 +0100

pve-firewall (1.0-14) unstable; urgency=low

  * do not use ipset list chains

  * remove preinst script (not needed anymore)

 -- Proxmox Support Team <support@proxmox.com>  Fri, 05 Dec 2014 13:42:00 +0100

pve-firewall (1.0-13) unstable; urgency=low

  * fix ipset remove order

 -- Proxmox Support Team <support@proxmox.com>  Fri, 28 Nov 2014 12:45:48 +0100

pve-firewall (1.0-12) unstable; urgency=low

  * add preinst script to clear ipset from older installation (because
    sets cannot be swapped if their type does not match).

 -- Proxmox Support Team <support@proxmox.com>  Fri, 28 Nov 2014 08:59:38 +0100

pve-firewall (1.0-11) unstable; urgency=low

  * bug fix: correctly set ipversion for aliases in verify_rule

  * save restore commands into files to make debugging
    easier (/var/lib/pve-firewall/)

 -- Proxmox Support Team <support@proxmox.com>  Fri, 28 Nov 2014 08:04:05 +0100

pve-firewall (1.0-10) unstable; urgency=low

  * add IPv6 support for VMs (hostfw is IPv4 only)

 -- Proxmox Support Team <support@proxmox.com>  Wed, 26 Nov 2014 07:00:29 +0100

pve-firewall (1.0-9) unstable; urgency=low

  * fix max ipset name length

 -- Proxmox Support Team <support@proxmox.com>  Tue, 14 Oct 2014 16:29:34 +0200

pve-firewall (1.0-8) unstable; urgency=low

  * implement permission

 -- Proxmox Support Team <support@proxmox.com>  Mon, 08 Sep 2014 12:15:21 +0200

pve-firewall (1.0-7) unstable; urgency=low

  * proxy host rule API calls to correct node

  * always generate MAC and IP filter rules if firewall is enabled on NIC

 -- Proxmox Support Team <support@proxmox.com>  Thu, 26 Jun 2014 07:12:57 +0200

pve-firewall (1.0-6) unstable; urgency=low

  * implement ipfilter ipsets

 -- Proxmox Support Team <support@proxmox.com>  Thu, 12 Jun 2014 08:37:08 +0200

pve-firewall (1.0-5) unstable; urgency=low

  * remove ipsets when firewall disabled

 -- Proxmox Support Team <support@proxmox.com>  Wed, 04 Jun 2014 08:50:18 +0200

pve-firewall (1.0-4) unstable; urgency=low

  * depend on iptables and ipset

 -- Proxmox Support Team <support@proxmox.com>  Wed, 04 Jun 2014 06:45:33 +0200

pve-firewall (1.0-3) unstable; urgency=low

  * change dh_installinit order (register pvefw-logger before pve-firewall)

 -- Proxmox Support Team <support@proxmox.com>  Wed, 04 Jun 2014 06:24:21 +0200

pve-firewall (1.0-2) unstable; urgency=low

  * add experimental nflog logging daemon

 -- Proxmox Support Team <support@proxmox.com>  Thu, 13 Mar 2014 08:27:01 +0100

pve-firewall (1.0-1) unstable; urgency=low

 -- Proxmox Support Team <support@proxmox.com>  Mon, 03 Mar 2014 08:37:06 +0100