pve-firewall (4.2-1) bullseye; urgency=medium

  * fix #967: source: dest: limit length

  * re-build for Debian 11 Bullseye based releases (Proxmox VE 7)

  * fix #2358: allow --<opt> in firewall rule config files

 -- Proxmox Support Team <support@proxmox.com>  Wed, 12 May 2021 20:32:30 +0200

pve-firewall (4.1-3) pve; urgency=medium

  * fix #2773: ebtables: keep policy of custom chains

  * introduce new icmp-type parameter

 -- Proxmox Support Team <support@proxmox.com>  Fri, 18 Sep 2020 16:51:27 +0200

pve-firewall (4.1-2) pve; urgency=medium

  * revert: rules: verify referenced security group exists

 -- Proxmox Support Team <support@proxmox.com>  Wed, 06 May 2020 17:41:36 +0200

pve-firewall (4.1-1) pve; urgency=medium

  * logging: add missing log message for inbound rules

  * fix #2686: avoid adding 'arp-ip-src' IP filter if guest uses DHCP

  * IPSets: parse the CIDR before checking for duplicates

  * verify that a referenced security group exists

  * ICMP: fix iptables-restore failing if ICMP-type values bigger than '255'

  * ICMP: allow one to specify the 'echo-reply' (0) type also as integer

  * improve handling concurrent (parallel) access and modifications to rules

 -- Proxmox Support Team <support@proxmox.com>  Mon, 04 May 2020 15:01:57 +0200

pve-firewall (4.0-10) pve; urgency=medium

  * macros: add macro for Proxmox Mail Gateway web interface

  * api node: always pass cluster conf to node FW parser to fix false positive
    error message about non existing aliases, or IP sets, when querying the
    node FW options GET API call.

  * grammar fix: s/does not exists/does not exist/g

 -- Proxmox Support Team <support@proxmox.com>  Mon, 27 Jan 2020 19:25:49 +0100

pve-firewall (4.0-9) pve; urgency=medium

  * ensure port range used for offline storage migration and insecure migration
    traffic is allowed by default rule set.

 -- Proxmox Support Team <support@proxmox.com>  Tue, 03 Dec 2019 08:12:20 +0100

pve-firewall (4.0-8) pve; urgency=medium

  * increase default nf_conntrack_max to the kernel's default

  * fix some "use of uninitialized value" warnings when updating CIDRs

  * update schema documentation

  * add explicit dependency on libpve-cluster-perl

  * add support for "raw" tables

  * add options for synflood protection for host firewall:
    - nf_conntrack_tcp_timeout_syn_recv
    - protection_synflood: boolean
    - protection_synflood_rate: SYN rate limit (default 200 per second)
    - protection_synflood_burst: SYN burst limit (default 1000)

 -- Proxmox Support Team <support@proxmox.com>  Mon, 18 Nov 2019 13:48:20 +0100

pve-firewall (4.0-7) pve; urgency=medium

  * only add VM chains and rules if VM firewall is enabled

 -- Proxmox Support Team <support@proxmox.com>  Wed, 7 Aug 2019 10:55:06 +0200

pve-firewall (4.0-6) pve; urgency=medium

  * firewall macros: add new Ceph protocol v2 port while keeping v1 port

 -- Proxmox Support Team <support@proxmox.com>  Tue, 23 Jul 2019 18:57:48 +0200

pve-firewall (4.0-5) pve; urgency=medium

  * don't use any base path at all for calls to external binaries to make use
    compatible with both, /usr merged and unmerged setups

 -- Proxmox Support Team <support@proxmox.com>  Fri, 12 Jul 2019 11:47:53 +0200

pve-firewall (4.0-4) pve; urgency=medium

  * ebtables: remove PVE chains properly

  * ebtables: treat chain deletion as change

  * use /usr/sbin as base path

 -- Proxmox Support Team <support@proxmox.com>  Thu, 11 Jul 2019 19:40:01 +0200

pve-firewall (4.0-3) pve; urgency=medium

  * Create corosync firewall rules independently of localnet

  * Display corosync rule info on localnet call

 -- Proxmox Support Team <support@proxmox.com>  Thu, 04 Jul 2019 15:56:11 +0200

pve-firewall (4.0-2) pve; urgency=medium

  * fix systemd warning about PIDFile directory

  * fix CT rule generation with ipfilter set

  * pve-firewall service: update-alternative iptables and ebtables to working

 -- Proxmox Support Team <support@proxmox.com>  Mon, 24 Jun 2019 20:43:21 +0200

pve-firewall (4.0-1) pve; urgency=medium

  * re-build for Debian Buster / PVE 6

 -- Proxmox Support Team <support@proxmox.com>  Tue, 21 May 2019 22:28:55 +0200

pve-firewall (3.0-21) unstable; urgency=medium

  * fix ipv6 PVEFW-reject

  * fix #2193: arpfilter: CT: remove mask from net IP/CIDR to avoid
    ebtables doing the wrong thing here

 -- Proxmox Support Team <support@proxmox.com>  Wed, 08 May 2019 10:09:31 +0000

pve-firewall (3.0-20) unstable; urgency=medium

  * use IPCC to read config and rule files, if they are backed by pmxcfs which
    has better handling for pmxcfs restarts

  * fix #2178: endless loop on ipv6 extension headers

 -- Proxmox Support Team <support@proxmox.com>  Fri, 19 Apr 2019 05:10:13 +0000

pve-firewall (3.0-19) unstable; urgency=medium

  * ebtables: add arp filtering

  * fix: #2123 Logging of user defined firewall rules

  * allow to enable/disable and modify cluster wide log ratelimits

 -- Proxmox Support Team <support@proxmox.com>  Tue, 02 Apr 2019 11:15:16 +0200

pve-firewall (3.0-18) unstable; urgency=medium

  * fix #1606: Add nf_conntrack_allow_invalid option

  * log reject : add space after policy REJECT like drop

  * fix #1891: Add zsh command completion for pve-firewall

 -- Proxmox Support Team <support@proxmox.com>  Mon, 04 Mar 2019 10:27:01 +0100

pve-firewall (3.0-17) unstable; urgency=medium

  * fix #2005: only allow ascii port digits

  * fix #2004: do not allow backwards ranges

  * add conntrack logging via libnetfilter_conntrack and allow one to enable
    it through the firewall host configuration

 -- Proxmox Support Team <support@proxmox.com>  Wed, 09 Jan 2019 16:56:17 +0100

pve-firewall (3.0-16) unstable; urgency=medium

  * api/rules: fix macro return type

 -- Proxmox Support Team <support@proxmox.com>  Fri, 30 Nov 2018 16:02:59 +0100

pve-firewall (3.0-15) unstable; urgency=medium

  * fix #1971: display firewall rule properties

 -- Proxmox Support Team <support@proxmox.com>  Fri, 23 Nov 2018 14:01:33 +0100

pve-firewall (3.0-14) unstable; urgency=medium

  * fix #1841: avoid ebtable reloads when containers have multiple network

 -- Proxmox Support Team <support@proxmox.com>  Fri, 24 Aug 2018 10:51:04 +0200

pve-firewall (3.0-13) unstable; urgency=medium

  * avoid unnecessary reloads of ebtable ruleset

 -- Proxmox Support Team <support@proxmox.com>  Thu, 28 Jun 2018 14:47:16 +0200

pve-firewall (3.0-12) unstable; urgency=medium

  * fix deleted iptables chains not being properly detected as a change

 -- Proxmox Support Team <support@proxmox.com>  Tue, 12 Jun 2018 12:01:02 +0200

pve-firewall (3.0-11) unstable; urgency=medium

  * #1764: rename 'ebtales_enable' option to 'ebtables'

 -- Proxmox Support Team <support@proxmox.com>  Wed, 06 Jun 2018 16:18:13 +0200

pve-firewall (3.0-10) unstable; urgency=medium

  * fix #1764: handle existing ebtables rules and allow disabling ebtables

  * ebtables handling can be disabled via /etc/pve/firewall/cluster.fw's new
    ebtables_enable option.

 -- Proxmox Support Team <support@proxmox.com>  Tue, 29 May 2018 15:14:33 +0200

pve-firewall (3.0-9) unstable; urgency=medium

  * fix creation of ebtables FORWARD rule entry

 -- Proxmox Support Team <support@proxmox.com>  Thu, 17 May 2018 14:41:27 +0200

pve-firewall (3.0-8) unstable; urgency=medium

  * add ebtables support for better MAC filtering

 -- Proxmox Support Team <support@proxmox.com>  Wed, 11 Apr 2018 14:25:41 +0200

pve-firewall (3.0-7) unstable; urgency=medium

  * support distinct source and destination multi-port matching

  * multi-port matching: when specifying the same list of ports for source and
    destination require them both to match, rather than one of them, as this
    was rather unexpected behavior

 -- Proxmox Support Team <support@proxmox.com>  Mon, 12 Mar 2018 14:58:08 +0100

pve-firewall (3.0-6) unstable; urgency=medium

  * fix #1319: don't fail postinst with masked service

  * debian: switch to compat 9, drop init scripts, drop preinst

  * check multiport limit in port ranges

  * build: use git rev-parse for GITVERSION

 -- Proxmox Support Team <support@proxmox.com>  Thu, 08 Mar 2018 13:53:11 +0100

pve-firewall (3.0-5) unstable; urgency=medium

  * fix issue with disabled flag not being honored within groups

 -- Proxmox Support Team <support@proxmox.com>  Thu, 07 Dec 2017 08:31:42 +0100

pve-firewall (3.0-4) unstable; urgency=medium

  * fix issues with ipsets reloading unnecessarily or too late

  * fix some typos in the logs

 -- Proxmox Support Team <support@proxmox.com>  Thu, 16 Nov 2017 11:41:56 +0100

pve-firewall (3.0-3) unstable; urgency=medium

  * Fix #1492: logger: use current timestamp if the packet doesn't have one

 -- Proxmox Support Team <support@proxmox.com>  Tue, 12 Sep 2017 14:43:06 +0200

pve-firewall (3.0-2) unstable; urgency=medium

  * Fix #1446: remove masks in case the package had previously been removed but

  * improve logging on errors in the firewall configuration

  * forbid trailing commas in lists as iptables-restore doesn't support them

 -- Proxmox Support Team <support@proxmox.com>  Mon, 17 Jul 2017 15:24:40 +0200

pve-firewall (3.0-1) unstable; urgency=medium

  * rebuild for Debian Stretch

 -- Proxmox Support Team <support@proxmox.com>  Thu, 9 Mar 2017 14:04:17 +0100

pve-firewall (2.0-33) unstable; urgency=medium

  * ipset: don't allow zero-prefix entries

 -- Proxmox Support Team <support@proxmox.com>  Tue, 29 Nov 2016 12:18:04 +0100

pve-firewall (2.0-32) unstable; urgency=medium

  * improve search for local-network

 -- Proxmox Support Team <support@proxmox.com>  Tue, 29 Nov 2016 06:35:08 +0100

pve-firewall (2.0-31) unstable; urgency=medium

  * don't try to apply ports to rules which don't support them

 -- Proxmox Support Team <support@proxmox.com>  Thu, 06 Oct 2016 08:31:51 +0200

pve-firewall (2.0-30) unstable; urgency=medium

  * add multicast DNS to the list of Macros

  * add missing parameter descriptions

  * build-depends: add dh-systemd

 -- Proxmox Support Team <support@proxmox.com>  Fri, 16 Sep 2016 08:53:16 +0200

pve-firewall (2.0-29) unstable; urgency=medium

  * prevent overwriting ipsets/sec. groups by renaming

 -- Proxmox Support Team <support@proxmox.com>  Fri, 03 Jun 2016 16:46:10 +0200

pve-firewall (2.0-28) unstable; urgency=medium

  * use pve-common's ipv4_mask_hash_localnet

  * fix allowed group name length

  * make group digest stable

 -- Proxmox Support Team <support@proxmox.com>  Fri, 03 Jun 2016 11:01:47 +0200

pve-firewall (2.0-27) unstable; urgency=medium

  * fix #972: make PVEFW-FWBR-* rule order stable

 -- Proxmox Support Team <support@proxmox.com>  Tue, 17 May 2016 07:59:52 +0200

pve-firewall (2.0-26) unstable; urgency=medium

  * fix #988: set rp_filter=2

 -- Proxmox Support Team <support@proxmox.com>  Mon, 09 May 2016 10:01:28 +0200

pve-firewall (2.0-25) unstable; urgency=medium

  * fix #945: add uninitialized check in lxc ipset compilation

 -- Proxmox Support Team <support@proxmox.com>  Thu, 21 Apr 2016 09:58:33 +0200

pve-firewall (2.0-24) unstable; urgency=medium

  * Build-Depend on pve-doc-generator

  * generate manpage with pve-doc-generator

 -- Proxmox Support Team <support@proxmox.com>  Wed, 06 Apr 2016 10:52:45 +0200

pve-firewall (2.0-23) unstable; urgency=medium

  * use only the top bit for our accept marks

 -- Proxmox Support Team <support@proxmox.com>  Fri, 01 Apr 2016 07:35:38 +0200

pve-firewall (2.0-22) unstable; urgency=medium

  * Use cfs_config_path from PVE::QemuConfig

 -- Proxmox Support Team <support@proxmox.com>  Tue, 08 Mar 2016 11:47:40 +0100

pve-firewall (2.0-21) unstable; urgency=medium

  * added new 'ipfilter' option

 -- Proxmox Support Team <support@proxmox.com>  Thu, 03 Mar 2016 09:43:39 +0100

pve-firewall (2.0-20) unstable; urgency=medium

  * fix 901: encode unicode characters in sha digest

 -- Proxmox Support Team <support@proxmox.com>  Mon, 29 Feb 2016 12:40:14 +0100

pve-firewall (2.0-19) unstable; urgency=medium

  * Add radv option to VM options

 -- Proxmox Support Team <support@proxmox.com>  Sat, 27 Feb 2016 10:24:42 +0100

pve-firewall (2.0-18) unstable; urgency=medium

  * Add ndp option to host and VM firewall options

  * Add router-solicitation to NeighborDiscovery macro

 -- Proxmox Support Team <support@proxmox.com>  Fri, 19 Feb 2016 10:01:22 +0100

pve-firewall (2.0-17) unstable; urgency=medium

  * Don't leave empty FW config files behind

 -- Proxmox Support Team <support@proxmox.com>  Mon, 08 Feb 2016 14:09:24 +0100

pve-firewall (2.0-16) unstable; urgency=medium

  * logger: basic ipv6 support

  * add dhcpv6 support to the dhcp option

 -- Proxmox Support Team <support@proxmox.com>  Tue, 26 Jan 2016 16:52:14 +0100

pve-firewall (2.0-15) unstable; urgency=medium

  * fix bug #859: use $security_group_name_pattern in iptables_get_chains

  * fix some regular expressions mixups

 -- Proxmox Support Team <support@proxmox.com>  Thu, 07 Jan 2016 16:33:23 +0100

pve-firewall (2.0-14) unstable; urgency=medium

  * fix systemd service dependencies

 -- Proxmox Support Team <support@proxmox.com>  Fri, 27 Nov 2015 10:52:57 +0100

pve-firewall (2.0-13) unstable; urgency=medium

  * allow numeric icmp types

 -- Proxmox Support Team <support@proxmox.com>  Fri, 23 Oct 2015 13:21:53 +0200

pve-firewall (2.0-12) unstable; urgency=medium

  * implement bash completions

  * convert pve-firewall into a PVE::Service class

 -- Proxmox Support Team <support@proxmox.com>  Thu, 24 Sep 2015 12:15:00 +0200

pve-firewall (2.0-11) unstable; urgency=medium

  * iptables_get_chains: fix veth device name

 -- Proxmox Support Team <support@proxmox.com>  Tue, 08 Sep 2015 07:54:35 +0200

pve-firewall (2.0-10) unstable; urgency=medium

  * new helper: clone_vmfw_conf()

 -- Proxmox Support Team <support@proxmox.com>  Tue, 25 Aug 2015 06:47:49 +0200

pve-firewall (2.0-9) unstable; urgency=medium

  * remove firewall config file subroutine added

 -- Proxmox Support Team <support@proxmox.com>  Wed, 19 Aug 2015 15:42:51 +0200

pve-firewall (2.0-8) unstable; urgency=medium

  * adopt regression tests for lxc containers

  * removed firewall code for openVZ

  * Subroutine verify_rule fixed to correctly check only for "net\d+"
    interface device names

 -- Proxmox Support Team <support@proxmox.com>  Wed, 12 Aug 2015 12:01:43 +0200

pve-firewall (2.0-7) unstable; urgency=medium

  * added firewall code for lxc

 -- Proxmox Support Team <support@proxmox.com>  Mon, 10 Aug 2015 09:21:14 +0200

pve-firewall (2.0-6) unstable; urgency=medium

  * firewall ipversion comparison fix

 -- Proxmox Support Team <support@proxmox.com>  Tue, 04 Aug 2015 11:14:51 +0200

pve-firewall (2.0-5) unstable; urgency=medium

  * add ipv6 neighbor discovery and solicitation macros

  * ip6tables accepts both spellings of the word neighbor

 -- Proxmox Support Team <support@proxmox.com>  Mon, 27 Jul 2015 13:20:55 +0200

pve-firewall (2.0-4) unstable; urgency=medium

  * include manual page for pve-firewall

 -- Proxmox Support Team <support@proxmox.com>  Sat, 27 Jun 2015 16:26:28 +0200

pve-firewall (2.0-3) unstable; urgency=medium

  * use noawait triggers for pve-api-updates

 -- Proxmox Support Team <support@proxmox.com>  Mon, 01 Jun 2015 12:33:06 +0200

pve-firewall (2.0-2) unstable; urgency=medium

  * trigger pve-api-updates event

 -- Proxmox Support Team <support@proxmox.com>  Tue, 05 May 2015 15:10:24 +0200

pve-firewall (2.0-1) unstable; urgency=medium

  * recompile for debian jessie

 -- Proxmox Support Team <support@proxmox.com>  Fri, 27 Feb 2015 12:22:04 +0100

pve-firewall (1.0-18) unstable; urgency=low

 -- Proxmox Support Team <support@proxmox.com>  Mon, 09 Feb 2015 09:32:03 +0100

pve-firewall (1.0-17) unstable; urgency=low

  * fix restart behavior

 -- Proxmox Support Team <support@proxmox.com>  Thu, 15 Jan 2015 06:45:58 +0100

pve-firewall (1.0-16) unstable; urgency=low

  * use new Daemon class from pve-common

 -- Proxmox Support Team <support@proxmox.com>  Thu, 18 Dec 2014 09:45:07 +0100

pve-firewall (1.0-15) unstable; urgency=low

  * bug fix: load cluster conf for host rules

 -- Proxmox Support Team <support@proxmox.com>  Fri, 12 Dec 2014 06:33:28 +0100

pve-firewall (1.0-14) unstable; urgency=low

  * do not use ipset list chains

  * remove preinst script (not needed anymore)

 -- Proxmox Support Team <support@proxmox.com>  Fri, 05 Dec 2014 13:42:00 +0100

pve-firewall (1.0-13) unstable; urgency=low

  * fix ipset remove order

 -- Proxmox Support Team <support@proxmox.com>  Fri, 28 Nov 2014 12:45:48 +0100

pve-firewall (1.0-12) unstable; urgency=low

  * add preinst script to clear ipset from older installation (because
    sets cannot be swapped if their type does not match).

 -- Proxmox Support Team <support@proxmox.com>  Fri, 28 Nov 2014 08:59:38 +0100

pve-firewall (1.0-11) unstable; urgency=low

  * bug fix: correctly set ipversion for aliases in verify_rule

  * save restore commands into files to make debugging
    easier (/var/lib/pve-firewall/)

 -- Proxmox Support Team <support@proxmox.com>  Fri, 28 Nov 2014 08:04:05 +0100

pve-firewall (1.0-10) unstable; urgency=low

  * add IPv6 support for VMs (hostfw is IPv4 only)

 -- Proxmox Support Team <support@proxmox.com>  Wed, 26 Nov 2014 07:00:29 +0100

pve-firewall (1.0-9) unstable; urgency=low

  * fix max ipset name length

 -- Proxmox Support Team <support@proxmox.com>  Tue, 14 Oct 2014 16:29:34 +0200

pve-firewall (1.0-8) unstable; urgency=low

  * implement permission

 -- Proxmox Support Team <support@proxmox.com>  Mon, 08 Sep 2014 12:15:21 +0200

pve-firewall (1.0-7) unstable; urgency=low

  * proxy host rule API calls to correct node

  * always generate MAC and IP filter rules if firewall is enabled on NIC

 -- Proxmox Support Team <support@proxmox.com>  Thu, 26 Jun 2014 07:12:57 +0200

pve-firewall (1.0-6) unstable; urgency=low

  * implement ipfilter ipsets

 -- Proxmox Support Team <support@proxmox.com>  Thu, 12 Jun 2014 08:37:08 +0200

pve-firewall (1.0-5) unstable; urgency=low

  * remove ipsets when firewall disabled

 -- Proxmox Support Team <support@proxmox.com>  Wed, 04 Jun 2014 08:50:18 +0200

pve-firewall (1.0-4) unstable; urgency=low

  * depend on iptables and ipset

 -- Proxmox Support Team <support@proxmox.com>  Wed, 04 Jun 2014 06:45:33 +0200

pve-firewall (1.0-3) unstable; urgency=low

  * change dh_installinit order (register pvefw-logger before pve-firewall)

 -- Proxmox Support Team <support@proxmox.com>  Wed, 04 Jun 2014 06:24:21 +0200

pve-firewall (1.0-2) unstable; urgency=low

  * add experimental nflog logging daemon

 -- Proxmox Support Team <support@proxmox.com>  Thu, 13 Mar 2014 08:27:01 +0100

pve-firewall (1.0-1) unstable; urgency=low

 -- Proxmox Support Team <support@proxmox.com>  Mon, 03 Mar 2014 08:37:06 +0100