pve-firewall (4.1-2) pve; urgency=medium

  * revert: rules: verify referenced security group exists

 -- Proxmox Support Team <support@proxmox.com>  Wed, 06 May 2020 17:41:36 +0200

pve-firewall (4.1-1) pve; urgency=medium

  * logging: add missing log message for inbound rules

  * fix #2686: avoid adding 'arp-ip-src' IP filter if guest uses DHCP

  * IPSets: parse the CIDR before checking for duplicates

  * verify that a referenced security group exists

  * ICMP: fix iptables-restore failing if ICMP-type values bigger than '255'

  * ICMP: allow one to specify the 'echo-reply' (0) type also as integer

  * improve handling concurrent (parallel) access and modifications to rules

 -- Proxmox Support Team <support@proxmox.com>  Mon, 04 May 2020 15:01:57 +0200

pve-firewall (4.0-10) pve; urgency=medium

  * macros: add macro for Proxmox Mail Gateway web interface

  * api node: always pass cluster conf to node FW parser to fix false positive
    error message about non existing aliases, or IP sets, when querying the
    node FW options GET API call.

  * grammar fix: s/does not exists/does not exist/g

 -- Proxmox Support Team <support@proxmox.com>  Mon, 27 Jan 2020 19:25:49 +0100

pve-firewall (4.0-9) pve; urgency=medium

  * ensure port range used for offline storage migration and insecure migration
    traffic is allowed by default rule set.

 -- Proxmox Support Team <support@proxmox.com>  Tue, 03 Dec 2019 08:12:20 +0100

pve-firewall (4.0-8) pve; urgency=medium

  * increase default nf_conntrack_max to the kernel's default

  * fix some "use of uninitialized value" warnings when updating CIDRs

  * update schema documentation

  * add explicit dependency on libpve-cluster-perl

  * add support for "raw" tables

  * add options for synflood protection for host firewall:
    - nf_conntrack_tcp_timeout_syn_recv
    - protection_synflood: boolean
    - protection_synflood_rate: SYN rate limit (default 200 per second)
    - protection_synflood_burst: SYN burst limit (default 1000)

 -- Proxmox Support Team <support@proxmox.com>  Mon, 18 Nov 2019 13:48:20 +0100

pve-firewall (4.0-7) pve; urgency=medium

  * only add VM chains and rules if VM firewall is enabled

 -- Proxmox Support Team <support@proxmox.com>  Wed, 7 Aug 2019 10:55:06 +0200

pve-firewall (4.0-6) pve; urgency=medium

  * firewall macros: add new Ceph protocol v2 port while keeping v1 port

 -- Proxmox Support Team <support@proxmox.com>  Tue, 23 Jul 2019 18:57:48 +0200

pve-firewall (4.0-5) pve; urgency=medium

  * don't use any base path at all for calls to external binaries to make use
    compatible with both, /usr merged and unmerged setups

 -- Proxmox Support Team <support@proxmox.com>  Fri, 12 Jul 2019 11:47:53 +0200

pve-firewall (4.0-4) pve; urgency=medium

  * ebtables: remove PVE chains properly

  * ebtables: treat chain deletion as change

  * use /usr/sbin as base path

 -- Proxmox Support Team <support@proxmox.com>  Thu, 11 Jul 2019 19:40:01 +0200

pve-firewall (4.0-3) pve; urgency=medium

  * Create corosync firewall rules independently of localnet

  * Display corosync rule info on localnet call

 -- Proxmox Support Team <support@proxmox.com>  Thu, 04 Jul 2019 15:56:11 +0200

pve-firewall (4.0-2) pve; urgency=medium

  * fix systemd warning about PIDFile directory

  * fix CT rule generation with ipfilter set

  * pve-firewall service: update-alternative iptables and ebtables to working

 -- Proxmox Support Team <support@proxmox.com>  Mon, 24 Jun 2019 20:43:21 +0200

pve-firewall (4.0-1) pve; urgency=medium

  * re-build for Debian Buster / PVE 6

 -- Proxmox Support Team <support@proxmox.com>  Tue, 21 May 2019 22:28:55 +0200

pve-firewall (3.0-21) unstable; urgency=medium

  * fix ipv6 PVEFW-reject

  * fix #2193: arpfilter: CT: remove mask from net IP/CIDR to avoid
    ebtables doing the wrong thing here

 -- Proxmox Support Team <support@proxmox.com>  Wed, 08 May 2019 10:09:31 +0000

pve-firewall (3.0-20) unstable; urgency=medium

  * use IPCC to read config and rule files, if they are backed by pmxcfs which
    has better handling for pmxcfs restarts

  * fix #2178: endless loop on ipv6 extension headers

 -- Proxmox Support Team <support@proxmox.com>  Fri, 19 Apr 2019 05:10:13 +0000

pve-firewall (3.0-19) unstable; urgency=medium

  * ebtables: add arp filtering

  * fix: #2123 Logging of user defined firewall rules

  * allow to enable/disable and modify cluster wide log ratelimits

 -- Proxmox Support Team <support@proxmox.com>  Tue, 02 Apr 2019 11:15:16 +0200

pve-firewall (3.0-18) unstable; urgency=medium

  * fix #1606: Add nf_conntrack_allow_invalid option

  * log reject : add space after policy REJECT like drop

  * fix #1891: Add zsh command completion for pve-firewall

 -- Proxmox Support Team <support@proxmox.com>  Mon, 04 Mar 2019 10:27:01 +0100

pve-firewall (3.0-17) unstable; urgency=medium

  * fix #2005: only allow ascii port digits

  * fix #2004: do not allow backwards ranges

  * add conntrack logging via libnetfilter_conntrack and allow one to enable
    it through the firewall host configuration

 -- Proxmox Support Team <support@proxmox.com>  Wed, 09 Jan 2019 16:56:17 +0100

pve-firewall (3.0-16) unstable; urgency=medium

  * api/rules: fix macro return type

 -- Proxmox Support Team <support@proxmox.com>  Fri, 30 Nov 2018 16:02:59 +0100

pve-firewall (3.0-15) unstable; urgency=medium

  * fix #1971: display firewall rule properties

 -- Proxmox Support Team <support@proxmox.com>  Fri, 23 Nov 2018 14:01:33 +0100

pve-firewall (3.0-14) unstable; urgency=medium

  * fix #1841: avoid ebtable reloads when containers have multiple network

 -- Proxmox Support Team <support@proxmox.com>  Fri, 24 Aug 2018 10:51:04 +0200

pve-firewall (3.0-13) unstable; urgency=medium

  * avoid unnecessary reloads of ebtable ruleset

 -- Proxmox Support Team <support@proxmox.com>  Thu, 28 Jun 2018 14:47:16 +0200

pve-firewall (3.0-12) unstable; urgency=medium

  * fix deleted iptables chains not being properly detected as a change

 -- Proxmox Support Team <support@proxmox.com>  Tue, 12 Jun 2018 12:01:02 +0200

pve-firewall (3.0-11) unstable; urgency=medium

  * #1764: rename 'ebtales_enable' option to 'ebtables'

 -- Proxmox Support Team <support@proxmox.com>  Wed, 06 Jun 2018 16:18:13 +0200

pve-firewall (3.0-10) unstable; urgency=medium

  * fix #1764: handle existing ebtables rules and allow disabling ebtables

  * ebtables handling can be disabled via /etc/pve/firewall/cluster.fw's new
    ebtables_enable option.

 -- Proxmox Support Team <support@proxmox.com>  Tue, 29 May 2018 15:14:33 +0200

pve-firewall (3.0-9) unstable; urgency=medium

  * fix creation of ebtables FORWARD rule entry

 -- Proxmox Support Team <support@proxmox.com>  Thu, 17 May 2018 14:41:27 +0200

pve-firewall (3.0-8) unstable; urgency=medium

  * add ebtables support for better MAC filtering

 -- Proxmox Support Team <support@proxmox.com>  Wed, 11 Apr 2018 14:25:41 +0200

pve-firewall (3.0-7) unstable; urgency=medium

  * support distinct source and destination multi-port matching

  * multi-port matching: when specifying the same list of ports for source and
    destination require them both to match, rather than one of them, as this
    was rather unexpected behavior

 -- Proxmox Support Team <support@proxmox.com>  Mon, 12 Mar 2018 14:58:08 +0100

pve-firewall (3.0-6) unstable; urgency=medium

  * fix #1319: don't fail postinst with masked service

  * debian: switch to compat 9, drop init scripts, drop preinst

  * check multiport limit in port ranges

  * build: use git rev-parse for GITVERSION

 -- Proxmox Support Team <support@proxmox.com>  Thu, 08 Mar 2018 13:53:11 +0100

pve-firewall (3.0-5) unstable; urgency=medium

  * fix issue with disabled flag not being honored within groups

 -- Proxmox Support Team <support@proxmox.com>  Thu, 07 Dec 2017 08:31:42 +0100

pve-firewall (3.0-4) unstable; urgency=medium

  * fix issues with ipsets reloading unnecessarily or too late

  * fix some typos in the logs

 -- Proxmox Support Team <support@proxmox.com>  Thu, 16 Nov 2017 11:41:56 +0100

pve-firewall (3.0-3) unstable; urgency=medium

  * Fix #1492: logger: use current timestamp if the packet doesn't have one

 -- Proxmox Support Team <support@proxmox.com>  Tue, 12 Sep 2017 14:43:06 +0200

pve-firewall (3.0-2) unstable; urgency=medium

  * Fix #1446: remove masks in case the package had previously been removed but

  * improve logging on errors in the firewall configuration

  * forbid trailing commas in lists as iptables-restore doesn't support them

 -- Proxmox Support Team <support@proxmox.com>  Mon, 17 Jul 2017 15:24:40 +0200

pve-firewall (3.0-1) unstable; urgency=medium

  * rebuild for Debian Stretch

 -- Proxmox Support Team <support@proxmox.com>  Thu, 9 Mar 2017 14:04:17 +0100

pve-firewall (2.0-33) unstable; urgency=medium

  * ipset: don't allow zero-prefix entries

 -- Proxmox Support Team <support@proxmox.com>  Tue, 29 Nov 2016 12:18:04 +0100

pve-firewall (2.0-32) unstable; urgency=medium

  * improve search for local-network

 -- Proxmox Support Team <support@proxmox.com>  Tue, 29 Nov 2016 06:35:08 +0100

pve-firewall (2.0-31) unstable; urgency=medium

  * don't try to apply ports to rules which don't support them

 -- Proxmox Support Team <support@proxmox.com>  Thu, 06 Oct 2016 08:31:51 +0200

pve-firewall (2.0-30) unstable; urgency=medium

  * add multicast DNS to the list of Macros

  * add missing parameter descriptions

  * build-depends: add dh-systemd

 -- Proxmox Support Team <support@proxmox.com>  Fri, 16 Sep 2016 08:53:16 +0200

pve-firewall (2.0-29) unstable; urgency=medium

  * prevent overwriting ipsets/sec. groups by renaming

 -- Proxmox Support Team <support@proxmox.com>  Fri, 03 Jun 2016 16:46:10 +0200

pve-firewall (2.0-28) unstable; urgency=medium

  * use pve-common's ipv4_mask_hash_localnet

  * fix allowed group name length

  * make group digest stable

 -- Proxmox Support Team <support@proxmox.com>  Fri, 03 Jun 2016 11:01:47 +0200

pve-firewall (2.0-27) unstable; urgency=medium

  * fix #972: make PVEFW-FWBR-* rule order stable

 -- Proxmox Support Team <support@proxmox.com>  Tue, 17 May 2016 07:59:52 +0200

pve-firewall (2.0-26) unstable; urgency=medium

  * fix #988: set rp_filter=2

 -- Proxmox Support Team <support@proxmox.com>  Mon, 09 May 2016 10:01:28 +0200

pve-firewall (2.0-25) unstable; urgency=medium

  * fix #945: add uninitialized check in lxc ipset compilation

 -- Proxmox Support Team <support@proxmox.com>  Thu, 21 Apr 2016 09:58:33 +0200

pve-firewall (2.0-24) unstable; urgency=medium

  * Build-Depend on pve-doc-generator

  * generate manpage with pve-doc-generator

 -- Proxmox Support Team <support@proxmox.com>  Wed, 06 Apr 2016 10:52:45 +0200

pve-firewall (2.0-23) unstable; urgency=medium

  * use only the top bit for our accept marks

 -- Proxmox Support Team <support@proxmox.com>  Fri, 01 Apr 2016 07:35:38 +0200

pve-firewall (2.0-22) unstable; urgency=medium

  * Use cfs_config_path from PVE::QemuConfig

 -- Proxmox Support Team <support@proxmox.com>  Tue, 08 Mar 2016 11:47:40 +0100

pve-firewall (2.0-21) unstable; urgency=medium

  * added new 'ipfilter' option

 -- Proxmox Support Team <support@proxmox.com>  Thu, 03 Mar 2016 09:43:39 +0100

pve-firewall (2.0-20) unstable; urgency=medium

  * fix 901: encode unicode characters in sha digest

 -- Proxmox Support Team <support@proxmox.com>  Mon, 29 Feb 2016 12:40:14 +0100

pve-firewall (2.0-19) unstable; urgency=medium

  * Add radv option to VM options

 -- Proxmox Support Team <support@proxmox.com>  Sat, 27 Feb 2016 10:24:42 +0100

pve-firewall (2.0-18) unstable; urgency=medium

  * Add ndp option to host and VM firewall options

  * Add router-solicitation to NeighborDiscovery macro

 -- Proxmox Support Team <support@proxmox.com>  Fri, 19 Feb 2016 10:01:22 +0100

pve-firewall (2.0-17) unstable; urgency=medium

  * Don't leave empty FW config files behind

 -- Proxmox Support Team <support@proxmox.com>  Mon, 08 Feb 2016 14:09:24 +0100

pve-firewall (2.0-16) unstable; urgency=medium

  * logger: basic ipv6 support

  * add dhcpv6 support to the dhcp option

 -- Proxmox Support Team <support@proxmox.com>  Tue, 26 Jan 2016 16:52:14 +0100

pve-firewall (2.0-15) unstable; urgency=medium

  * fix bug #859: use $security_group_name_pattern in iptables_get_chains

  * fix some regular expressions mixups

 -- Proxmox Support Team <support@proxmox.com>  Thu, 07 Jan 2016 16:33:23 +0100

pve-firewall (2.0-14) unstable; urgency=medium

  * fix systemd service dependencies

 -- Proxmox Support Team <support@proxmox.com>  Fri, 27 Nov 2015 10:52:57 +0100

pve-firewall (2.0-13) unstable; urgency=medium

  * allow numeric icmp types

 -- Proxmox Support Team <support@proxmox.com>  Fri, 23 Oct 2015 13:21:53 +0200

pve-firewall (2.0-12) unstable; urgency=medium

  * implement bash completions

  * convert pve-firewall into a PVE::Service class

 -- Proxmox Support Team <support@proxmox.com>  Thu, 24 Sep 2015 12:15:00 +0200

pve-firewall (2.0-11) unstable; urgency=medium

  * iptables_get_chains: fix veth device name

 -- Proxmox Support Team <support@proxmox.com>  Tue, 08 Sep 2015 07:54:35 +0200

pve-firewall (2.0-10) unstable; urgency=medium

  * new helper: clone_vmfw_conf()

 -- Proxmox Support Team <support@proxmox.com>  Tue, 25 Aug 2015 06:47:49 +0200

pve-firewall (2.0-9) unstable; urgency=medium

  * remove firewall config file subroutine added

 -- Proxmox Support Team <support@proxmox.com>  Wed, 19 Aug 2015 15:42:51 +0200

pve-firewall (2.0-8) unstable; urgency=medium

  * adopt regression tests for lxc containers

  * removed firewall code for openVZ

  * Subroutine verify_rule fixed to correctly check only for "net\d+"
    interface device names

 -- Proxmox Support Team <support@proxmox.com>  Wed, 12 Aug 2015 12:01:43 +0200

pve-firewall (2.0-7) unstable; urgency=medium

  * added firewall code for lxc

 -- Proxmox Support Team <support@proxmox.com>  Mon, 10 Aug 2015 09:21:14 +0200

pve-firewall (2.0-6) unstable; urgency=medium

  * firewall ipversion comparison fix

 -- Proxmox Support Team <support@proxmox.com>  Tue, 04 Aug 2015 11:14:51 +0200

pve-firewall (2.0-5) unstable; urgency=medium

  * add ipv6 neighbor discovery and solicitation macros

  * ip6tables accepts both spellings of the word neighbor

 -- Proxmox Support Team <support@proxmox.com>  Mon, 27 Jul 2015 13:20:55 +0200

pve-firewall (2.0-4) unstable; urgency=medium

  * include manual page for pve-firewall

 -- Proxmox Support Team <support@proxmox.com>  Sat, 27 Jun 2015 16:26:28 +0200

pve-firewall (2.0-3) unstable; urgency=medium

  * use noawait triggers for pve-api-updates

 -- Proxmox Support Team <support@proxmox.com>  Mon, 01 Jun 2015 12:33:06 +0200

pve-firewall (2.0-2) unstable; urgency=medium

  * trigger pve-api-updates event

 -- Proxmox Support Team <support@proxmox.com>  Tue, 05 May 2015 15:10:24 +0200

pve-firewall (2.0-1) unstable; urgency=medium

  * recompile for debian jessie

 -- Proxmox Support Team <support@proxmox.com>  Fri, 27 Feb 2015 12:22:04 +0100

pve-firewall (1.0-18) unstable; urgency=low

 -- Proxmox Support Team <support@proxmox.com>  Mon, 09 Feb 2015 09:32:03 +0100

pve-firewall (1.0-17) unstable; urgency=low

  * fix restart behavior

 -- Proxmox Support Team <support@proxmox.com>  Thu, 15 Jan 2015 06:45:58 +0100

pve-firewall (1.0-16) unstable; urgency=low

  * use new Daemon class from pve-common

 -- Proxmox Support Team <support@proxmox.com>  Thu, 18 Dec 2014 09:45:07 +0100

pve-firewall (1.0-15) unstable; urgency=low

  * bug fix: load cluster conf for host rules

 -- Proxmox Support Team <support@proxmox.com>  Fri, 12 Dec 2014 06:33:28 +0100

pve-firewall (1.0-14) unstable; urgency=low

  * do not use ipset list chains

  * remove preinst script (not needed anymore)

 -- Proxmox Support Team <support@proxmox.com>  Fri, 05 Dec 2014 13:42:00 +0100

pve-firewall (1.0-13) unstable; urgency=low

  * fix ipset remove order

 -- Proxmox Support Team <support@proxmox.com>  Fri, 28 Nov 2014 12:45:48 +0100

pve-firewall (1.0-12) unstable; urgency=low

  * add preinst script to clear ipset from older installation (because
    sets cannot be swapped if their type does not match).

 -- Proxmox Support Team <support@proxmox.com>  Fri, 28 Nov 2014 08:59:38 +0100

pve-firewall (1.0-11) unstable; urgency=low

  * bug fix: correctly set ipversion for aliases in verify_rule

  * save restore commands into files to make debugging
    easier (/var/lib/pve-firewall/)

 -- Proxmox Support Team <support@proxmox.com>  Fri, 28 Nov 2014 08:04:05 +0100

pve-firewall (1.0-10) unstable; urgency=low

  * add IPv6 support for VMs (hostfw is IPv4 only)

 -- Proxmox Support Team <support@proxmox.com>  Wed, 26 Nov 2014 07:00:29 +0100

pve-firewall (1.0-9) unstable; urgency=low

  * fix max ipset name length

 -- Proxmox Support Team <support@proxmox.com>  Tue, 14 Oct 2014 16:29:34 +0200

pve-firewall (1.0-8) unstable; urgency=low

  * implement permission

 -- Proxmox Support Team <support@proxmox.com>  Mon, 08 Sep 2014 12:15:21 +0200

pve-firewall (1.0-7) unstable; urgency=low

  * proxy host rule API calls to correct node

  * always generate MAC and IP filter rules if firewall is enabled on NIC

 -- Proxmox Support Team <support@proxmox.com>  Thu, 26 Jun 2014 07:12:57 +0200

pve-firewall (1.0-6) unstable; urgency=low

  * implement ipfilter ipsets

 -- Proxmox Support Team <support@proxmox.com>  Thu, 12 Jun 2014 08:37:08 +0200

pve-firewall (1.0-5) unstable; urgency=low

  * remove ipsets when firewall disabled

 -- Proxmox Support Team <support@proxmox.com>  Wed, 04 Jun 2014 08:50:18 +0200

pve-firewall (1.0-4) unstable; urgency=low

  * depend on iptables and ipset

 -- Proxmox Support Team <support@proxmox.com>  Wed, 04 Jun 2014 06:45:33 +0200

pve-firewall (1.0-3) unstable; urgency=low

  * change dh_installinit order (register pvefw-logger before pve-firewall)

 -- Proxmox Support Team <support@proxmox.com>  Wed, 04 Jun 2014 06:24:21 +0200

pve-firewall (1.0-2) unstable; urgency=low

  * add experimental nflog logging daemon

 -- Proxmox Support Team <support@proxmox.com>  Thu, 13 Mar 2014 08:27:01 +0100

pve-firewall (1.0-1) unstable; urgency=low

 -- Proxmox Support Team <support@proxmox.com>  Mon, 03 Mar 2014 08:37:06 +0100