pve-firewall (4.2-5) bullseye; urgency=medium

  * fix #3677 ipset get chains: handle newer ipset output for actual

 -- Proxmox Support Team <support@proxmox.com>  Thu, 04 Nov 2021 16:37:13 +0100

pve-firewall (4.2-4) bullseye; urgency=medium

  * re-build to avoid issues stemming from semi-broken systemd-debhelper version

 -- Proxmox Support Team <support@proxmox.com>  Tue, 12 Oct 2021 10:39:05 +0200

pve-firewall (4.2-3) bullseye; urgency=medium

  * fix #2721: remove the (nowadays) bogus reject for TCP port 43 from the
    default drop and reject actions

 -- Proxmox Support Team <support@proxmox.com>  Fri, 10 Sep 2021 13:00:07 +0200

pve-firewall (4.2-2) bullseye; urgency=medium

  * re-set relevant sysctls on every apply round

 -- Proxmox Support Team <support@proxmox.com>  Mon, 21 Jun 2021 11:31:42 +0200

pve-firewall (4.2-1) bullseye; urgency=medium

  * fix #967: source: dest: limit length

  * re-build for Debian 11 Bullseye based releases (Proxmox VE 7)

  * fix #2358: allow --<opt> in firewall rule config files

 -- Proxmox Support Team <support@proxmox.com>  Wed, 12 May 2021 20:32:30 +0200

pve-firewall (4.1-3) pve; urgency=medium

  * fix #2773: ebtables: keep policy of custom chains

  * introduce new icmp-type parameter

 -- Proxmox Support Team <support@proxmox.com>  Fri, 18 Sep 2020 16:51:27 +0200

pve-firewall (4.1-2) pve; urgency=medium

  * revert: rules: verify referenced security group exists

 -- Proxmox Support Team <support@proxmox.com>  Wed, 06 May 2020 17:41:36 +0200

pve-firewall (4.1-1) pve; urgency=medium

  * logging: add missing log message for inbound rules

  * fix #2686: avoid adding 'arp-ip-src' IP filter if guest uses DHCP

  * IPSets: parse the CIDR before checking for duplicates

  * verify that a referenced security group exists

  * ICMP: fix iptables-restore failing if ICMP-type values bigger than '255'

  * ICMP: allow one to specify the 'echo-reply' (0) type also as integer

  * improve handling concurrent (parallel) access and modifications to rules

 -- Proxmox Support Team <support@proxmox.com>  Mon, 04 May 2020 15:01:57 +0200

pve-firewall (4.0-10) pve; urgency=medium

  * macros: add macro for Proxmox Mail Gateway web interface

  * api node: always pass cluster conf to node FW parser to fix false positive
    error message about non existing aliases, or IP sets, when querying the
    node FW options GET API call.

  * grammar fix: s/does not exists/does not exist/g

 -- Proxmox Support Team <support@proxmox.com>  Mon, 27 Jan 2020 19:25:49 +0100

pve-firewall (4.0-9) pve; urgency=medium

  * ensure port range used for offline storage migration and insecure migration
    traffic is allowed by default rule set.

 -- Proxmox Support Team <support@proxmox.com>  Tue, 03 Dec 2019 08:12:20 +0100

pve-firewall (4.0-8) pve; urgency=medium

  * increase default nf_conntrack_max to the kernel's default

  * fix some "use of uninitialized value" warnings when updating CIDRs

  * update schema documentation

  * add explicit dependency on libpve-cluster-perl

  * add support for "raw" tables

  * add options for synflood protection for host firewall:
    - nf_conntrack_tcp_timeout_syn_recv
    - protection_synflood: boolean
    - protection_synflood_rate: SYN rate limit (default 200 per second)
    - protection_synflood_burst: SYN burst limit (default 1000)

 -- Proxmox Support Team <support@proxmox.com>  Mon, 18 Nov 2019 13:48:20 +0100

pve-firewall (4.0-7) pve; urgency=medium

  * only add VM chains and rules if VM firewall is enabled

 -- Proxmox Support Team <support@proxmox.com>  Wed, 7 Aug 2019 10:55:06 +0200

pve-firewall (4.0-6) pve; urgency=medium

  * firewall macros: add new Ceph protocol v2 port while keeping v1 port

 -- Proxmox Support Team <support@proxmox.com>  Tue, 23 Jul 2019 18:57:48 +0200

pve-firewall (4.0-5) pve; urgency=medium

  * don't use any base path at all for calls to external binaries to make use
    compatible with both, /usr merged and unmerged setups

 -- Proxmox Support Team <support@proxmox.com>  Fri, 12 Jul 2019 11:47:53 +0200

pve-firewall (4.0-4) pve; urgency=medium

  * ebtables: remove PVE chains properly

  * ebtables: treat chain deletion as change

  * use /usr/sbin as base path

 -- Proxmox Support Team <support@proxmox.com>  Thu, 11 Jul 2019 19:40:01 +0200

pve-firewall (4.0-3) pve; urgency=medium

  * Create corosync firewall rules independently of localnet

  * Display corosync rule info on localnet call

 -- Proxmox Support Team <support@proxmox.com>  Thu, 04 Jul 2019 15:56:11 +0200

pve-firewall (4.0-2) pve; urgency=medium

  * fix systemd warning about PIDFile directory

  * fix CT rule generation with ipfilter set

  * pve-firewall service: update-alternative iptables and ebtables to working

 -- Proxmox Support Team <support@proxmox.com>  Mon, 24 Jun 2019 20:43:21 +0200

pve-firewall (4.0-1) pve; urgency=medium

  * re-build for Debian Buster / PVE 6

 -- Proxmox Support Team <support@proxmox.com>  Tue, 21 May 2019 22:28:55 +0200

pve-firewall (3.0-21) unstable; urgency=medium

  * fix ipv6 PVEFW-reject

  * fix #2193: arpfilter: CT: remove mask from net IP/CIDR to avoid
    ebtables doing the wrong thing here

 -- Proxmox Support Team <support@proxmox.com>  Wed, 08 May 2019 10:09:31 +0000

pve-firewall (3.0-20) unstable; urgency=medium

  * use IPCC to read config and rule files, if they are backed by pmxcfs which
    has better handling for pmxcfs restarts

  * fix #2178: endless loop on ipv6 extension headers

 -- Proxmox Support Team <support@proxmox.com>  Fri, 19 Apr 2019 05:10:13 +0000

pve-firewall (3.0-19) unstable; urgency=medium

  * ebtables: add arp filtering

  * fix: #2123 Logging of user defined firewall rules

  * allow to enable/disable and modify cluster wide log ratelimits

 -- Proxmox Support Team <support@proxmox.com>  Tue, 02 Apr 2019 11:15:16 +0200

pve-firewall (3.0-18) unstable; urgency=medium

  * fix #1606: Add nf_conntrack_allow_invalid option

  * log reject : add space after policy REJECT like drop

  * fix #1891: Add zsh command completion for pve-firewall

 -- Proxmox Support Team <support@proxmox.com>  Mon, 04 Mar 2019 10:27:01 +0100

pve-firewall (3.0-17) unstable; urgency=medium

  * fix #2005: only allow ascii port digits

  * fix #2004: do not allow backwards ranges

  * add conntrack logging via libnetfilter_conntrack and allow one to enable
    it through the firewall host configuration

 -- Proxmox Support Team <support@proxmox.com>  Wed, 09 Jan 2019 16:56:17 +0100

pve-firewall (3.0-16) unstable; urgency=medium

  * api/rules: fix macro return type

 -- Proxmox Support Team <support@proxmox.com>  Fri, 30 Nov 2018 16:02:59 +0100

pve-firewall (3.0-15) unstable; urgency=medium

  * fix #1971: display firewall rule properties

 -- Proxmox Support Team <support@proxmox.com>  Fri, 23 Nov 2018 14:01:33 +0100

pve-firewall (3.0-14) unstable; urgency=medium

  * fix #1841: avoid ebtable reloads when containers have multiple network

 -- Proxmox Support Team <support@proxmox.com>  Fri, 24 Aug 2018 10:51:04 +0200

pve-firewall (3.0-13) unstable; urgency=medium

  * avoid unnecessary reloads of ebtable ruleset

 -- Proxmox Support Team <support@proxmox.com>  Thu, 28 Jun 2018 14:47:16 +0200

pve-firewall (3.0-12) unstable; urgency=medium

  * fix deleted iptables chains not being properly detected as a change

 -- Proxmox Support Team <support@proxmox.com>  Tue, 12 Jun 2018 12:01:02 +0200

pve-firewall (3.0-11) unstable; urgency=medium

  * #1764: rename 'ebtales_enable' option to 'ebtables'

 -- Proxmox Support Team <support@proxmox.com>  Wed, 06 Jun 2018 16:18:13 +0200

pve-firewall (3.0-10) unstable; urgency=medium

  * fix #1764: handle existing ebtables rules and allow disabling ebtables

  * ebtables handling can be disabled via /etc/pve/firewall/cluster.fw's new
    ebtables_enable option.

 -- Proxmox Support Team <support@proxmox.com>  Tue, 29 May 2018 15:14:33 +0200

pve-firewall (3.0-9) unstable; urgency=medium

  * fix creation of ebtables FORWARD rule entry

 -- Proxmox Support Team <support@proxmox.com>  Thu, 17 May 2018 14:41:27 +0200

pve-firewall (3.0-8) unstable; urgency=medium

  * add ebtables support for better MAC filtering

 -- Proxmox Support Team <support@proxmox.com>  Wed, 11 Apr 2018 14:25:41 +0200

pve-firewall (3.0-7) unstable; urgency=medium

  * support distinct source and destination multi-port matching

  * multi-port matching: when specifying the same list of ports for source and
    destination require them both to match, rather than one of them, as this
    was rather unexpected behavior

 -- Proxmox Support Team <support@proxmox.com>  Mon, 12 Mar 2018 14:58:08 +0100

pve-firewall (3.0-6) unstable; urgency=medium

  * fix #1319: don't fail postinst with masked service

  * debian: switch to compat 9, drop init scripts, drop preinst

  * check multiport limit in port ranges

  * build: use git rev-parse for GITVERSION

 -- Proxmox Support Team <support@proxmox.com>  Thu, 08 Mar 2018 13:53:11 +0100

pve-firewall (3.0-5) unstable; urgency=medium

  * fix issue with disabled flag not being honored within groups

 -- Proxmox Support Team <support@proxmox.com>  Thu, 07 Dec 2017 08:31:42 +0100

pve-firewall (3.0-4) unstable; urgency=medium

  * fix issues with ipsets reloading unnecessarily or too late

  * fix some typos in the logs

 -- Proxmox Support Team <support@proxmox.com>  Thu, 16 Nov 2017 11:41:56 +0100

pve-firewall (3.0-3) unstable; urgency=medium

  * Fix #1492: logger: use current timestamp if the packet doesn't have one

 -- Proxmox Support Team <support@proxmox.com>  Tue, 12 Sep 2017 14:43:06 +0200

pve-firewall (3.0-2) unstable; urgency=medium

  * Fix #1446: remove masks in case the package had previously been removed but

  * improve logging on errors in the firewall configuration

  * forbid trailing commas in lists as iptables-restore doesn't support them

 -- Proxmox Support Team <support@proxmox.com>  Mon, 17 Jul 2017 15:24:40 +0200

pve-firewall (3.0-1) unstable; urgency=medium

  * rebuild for Debian Stretch

 -- Proxmox Support Team <support@proxmox.com>  Thu, 9 Mar 2017 14:04:17 +0100

pve-firewall (2.0-33) unstable; urgency=medium

  * ipset: don't allow zero-prefix entries

 -- Proxmox Support Team <support@proxmox.com>  Tue, 29 Nov 2016 12:18:04 +0100

pve-firewall (2.0-32) unstable; urgency=medium

  * improve search for local-network

 -- Proxmox Support Team <support@proxmox.com>  Tue, 29 Nov 2016 06:35:08 +0100

pve-firewall (2.0-31) unstable; urgency=medium

  * don't try to apply ports to rules which don't support them

 -- Proxmox Support Team <support@proxmox.com>  Thu, 06 Oct 2016 08:31:51 +0200

pve-firewall (2.0-30) unstable; urgency=medium

  * add multicast DNS to the list of Macros

  * add missing parameter descriptions

  * build-depends: add dh-systemd

 -- Proxmox Support Team <support@proxmox.com>  Fri, 16 Sep 2016 08:53:16 +0200

pve-firewall (2.0-29) unstable; urgency=medium

  * prevent overwriting ipsets/sec. groups by renaming

 -- Proxmox Support Team <support@proxmox.com>  Fri, 03 Jun 2016 16:46:10 +0200

pve-firewall (2.0-28) unstable; urgency=medium

  * use pve-common's ipv4_mask_hash_localnet

  * fix allowed group name length

  * make group digest stable

 -- Proxmox Support Team <support@proxmox.com>  Fri, 03 Jun 2016 11:01:47 +0200

pve-firewall (2.0-27) unstable; urgency=medium

  * fix #972: make PVEFW-FWBR-* rule order stable

 -- Proxmox Support Team <support@proxmox.com>  Tue, 17 May 2016 07:59:52 +0200

pve-firewall (2.0-26) unstable; urgency=medium

  * fix #988: set rp_filter=2

 -- Proxmox Support Team <support@proxmox.com>  Mon, 09 May 2016 10:01:28 +0200

pve-firewall (2.0-25) unstable; urgency=medium

  * fix #945: add uninitialized check in lxc ipset compilation

 -- Proxmox Support Team <support@proxmox.com>  Thu, 21 Apr 2016 09:58:33 +0200

pve-firewall (2.0-24) unstable; urgency=medium

  * Build-Depend on pve-doc-generator

  * generate manpage with pve-doc-generator

 -- Proxmox Support Team <support@proxmox.com>  Wed, 06 Apr 2016 10:52:45 +0200

pve-firewall (2.0-23) unstable; urgency=medium

  * use only the top bit for our accept marks

 -- Proxmox Support Team <support@proxmox.com>  Fri, 01 Apr 2016 07:35:38 +0200

pve-firewall (2.0-22) unstable; urgency=medium

  * Use cfs_config_path from PVE::QemuConfig

 -- Proxmox Support Team <support@proxmox.com>  Tue, 08 Mar 2016 11:47:40 +0100

pve-firewall (2.0-21) unstable; urgency=medium

  * added new 'ipfilter' option

 -- Proxmox Support Team <support@proxmox.com>  Thu, 03 Mar 2016 09:43:39 +0100

pve-firewall (2.0-20) unstable; urgency=medium

  * fix 901: encode unicode characters in sha digest

 -- Proxmox Support Team <support@proxmox.com>  Mon, 29 Feb 2016 12:40:14 +0100

pve-firewall (2.0-19) unstable; urgency=medium

  * Add radv option to VM options

 -- Proxmox Support Team <support@proxmox.com>  Sat, 27 Feb 2016 10:24:42 +0100

pve-firewall (2.0-18) unstable; urgency=medium

  * Add ndp option to host and VM firewall options

  * Add router-solicitation to NeighborDiscovery macro

 -- Proxmox Support Team <support@proxmox.com>  Fri, 19 Feb 2016 10:01:22 +0100

pve-firewall (2.0-17) unstable; urgency=medium

  * Don't leave empty FW config files behind

 -- Proxmox Support Team <support@proxmox.com>  Mon, 08 Feb 2016 14:09:24 +0100

pve-firewall (2.0-16) unstable; urgency=medium

  * logger: basic ipv6 support

  * add dhcpv6 support to the dhcp option

 -- Proxmox Support Team <support@proxmox.com>  Tue, 26 Jan 2016 16:52:14 +0100

pve-firewall (2.0-15) unstable; urgency=medium

  * fix bug #859: use $security_group_name_pattern in iptables_get_chains

  * fix some regular expressions mixups

 -- Proxmox Support Team <support@proxmox.com>  Thu, 07 Jan 2016 16:33:23 +0100

pve-firewall (2.0-14) unstable; urgency=medium

  * fix systemd service dependencies

 -- Proxmox Support Team <support@proxmox.com>  Fri, 27 Nov 2015 10:52:57 +0100

pve-firewall (2.0-13) unstable; urgency=medium

  * allow numeric icmp types

 -- Proxmox Support Team <support@proxmox.com>  Fri, 23 Oct 2015 13:21:53 +0200

pve-firewall (2.0-12) unstable; urgency=medium

  * implement bash completions

  * convert pve-firewall into a PVE::Service class

 -- Proxmox Support Team <support@proxmox.com>  Thu, 24 Sep 2015 12:15:00 +0200

pve-firewall (2.0-11) unstable; urgency=medium

  * iptables_get_chains: fix veth device name

 -- Proxmox Support Team <support@proxmox.com>  Tue, 08 Sep 2015 07:54:35 +0200

pve-firewall (2.0-10) unstable; urgency=medium

  * new helper: clone_vmfw_conf()

 -- Proxmox Support Team <support@proxmox.com>  Tue, 25 Aug 2015 06:47:49 +0200

pve-firewall (2.0-9) unstable; urgency=medium

  * remove firewall config file subroutine added

 -- Proxmox Support Team <support@proxmox.com>  Wed, 19 Aug 2015 15:42:51 +0200

pve-firewall (2.0-8) unstable; urgency=medium

  * adopt regression tests for lxc containers

  * removed firewall code for openVZ

  * Subroutine verify_rule fixed to correctly check only for "net\d+"
    interface device names

 -- Proxmox Support Team <support@proxmox.com>  Wed, 12 Aug 2015 12:01:43 +0200

pve-firewall (2.0-7) unstable; urgency=medium

  * added firewall code for lxc

 -- Proxmox Support Team <support@proxmox.com>  Mon, 10 Aug 2015 09:21:14 +0200

pve-firewall (2.0-6) unstable; urgency=medium

  * firewall ipversion comparison fix

 -- Proxmox Support Team <support@proxmox.com>  Tue, 04 Aug 2015 11:14:51 +0200

pve-firewall (2.0-5) unstable; urgency=medium

  * add ipv6 neighbor discovery and solicitation macros

  * ip6tables accepts both spellings of the word neighbor

 -- Proxmox Support Team <support@proxmox.com>  Mon, 27 Jul 2015 13:20:55 +0200

pve-firewall (2.0-4) unstable; urgency=medium

  * include manual page for pve-firewall

 -- Proxmox Support Team <support@proxmox.com>  Sat, 27 Jun 2015 16:26:28 +0200

pve-firewall (2.0-3) unstable; urgency=medium

  * use noawait triggers for pve-api-updates

 -- Proxmox Support Team <support@proxmox.com>  Mon, 01 Jun 2015 12:33:06 +0200

pve-firewall (2.0-2) unstable; urgency=medium

  * trigger pve-api-updates event

 -- Proxmox Support Team <support@proxmox.com>  Tue, 05 May 2015 15:10:24 +0200

pve-firewall (2.0-1) unstable; urgency=medium

  * recompile for debian jessie

 -- Proxmox Support Team <support@proxmox.com>  Fri, 27 Feb 2015 12:22:04 +0100

pve-firewall (1.0-18) unstable; urgency=low

 -- Proxmox Support Team <support@proxmox.com>  Mon, 09 Feb 2015 09:32:03 +0100

pve-firewall (1.0-17) unstable; urgency=low

  * fix restart behavior

 -- Proxmox Support Team <support@proxmox.com>  Thu, 15 Jan 2015 06:45:58 +0100

pve-firewall (1.0-16) unstable; urgency=low

  * use new Daemon class from pve-common

 -- Proxmox Support Team <support@proxmox.com>  Thu, 18 Dec 2014 09:45:07 +0100

pve-firewall (1.0-15) unstable; urgency=low

  * bug fix: load cluster conf for host rules

 -- Proxmox Support Team <support@proxmox.com>  Fri, 12 Dec 2014 06:33:28 +0100

pve-firewall (1.0-14) unstable; urgency=low

  * do not use ipset list chains

  * remove preinst script (not needed anymore)

 -- Proxmox Support Team <support@proxmox.com>  Fri, 05 Dec 2014 13:42:00 +0100

pve-firewall (1.0-13) unstable; urgency=low

  * fix ipset remove order

 -- Proxmox Support Team <support@proxmox.com>  Fri, 28 Nov 2014 12:45:48 +0100

pve-firewall (1.0-12) unstable; urgency=low

  * add preinst script to clear ipset from older installation (because
    sets cannot be swapped if their type does not match).

 -- Proxmox Support Team <support@proxmox.com>  Fri, 28 Nov 2014 08:59:38 +0100

pve-firewall (1.0-11) unstable; urgency=low

  * bug fix: correctly set ipversion for aliases in verify_rule

  * save restore commands into files to make debugging
    easier (/var/lib/pve-firewall/)

 -- Proxmox Support Team <support@proxmox.com>  Fri, 28 Nov 2014 08:04:05 +0100

pve-firewall (1.0-10) unstable; urgency=low

  * add IPv6 support for VMs (hostfw is IPv4 only)

 -- Proxmox Support Team <support@proxmox.com>  Wed, 26 Nov 2014 07:00:29 +0100

pve-firewall (1.0-9) unstable; urgency=low

  * fix max ipset name length

 -- Proxmox Support Team <support@proxmox.com>  Tue, 14 Oct 2014 16:29:34 +0200

pve-firewall (1.0-8) unstable; urgency=low

  * implement permission

 -- Proxmox Support Team <support@proxmox.com>  Mon, 08 Sep 2014 12:15:21 +0200

pve-firewall (1.0-7) unstable; urgency=low

  * proxy host rule API calls to correct node

  * always generate MAC and IP filter rules if firewall is enabled on NIC

 -- Proxmox Support Team <support@proxmox.com>  Thu, 26 Jun 2014 07:12:57 +0200

pve-firewall (1.0-6) unstable; urgency=low

  * implement ipfilter ipsets

 -- Proxmox Support Team <support@proxmox.com>  Thu, 12 Jun 2014 08:37:08 +0200

pve-firewall (1.0-5) unstable; urgency=low

  * remove ipsets when firewall disabled

 -- Proxmox Support Team <support@proxmox.com>  Wed, 04 Jun 2014 08:50:18 +0200

pve-firewall (1.0-4) unstable; urgency=low

  * depend on iptables and ipset

 -- Proxmox Support Team <support@proxmox.com>  Wed, 04 Jun 2014 06:45:33 +0200

pve-firewall (1.0-3) unstable; urgency=low

  * change dh_installinit order (register pvefw-logger before pve-firewall)

 -- Proxmox Support Team <support@proxmox.com>  Wed, 04 Jun 2014 06:24:21 +0200

pve-firewall (1.0-2) unstable; urgency=low

  * add experimental nflog logging daemon

 -- Proxmox Support Team <support@proxmox.com>  Thu, 13 Mar 2014 08:27:01 +0100

pve-firewall (1.0-1) unstable; urgency=low

 -- Proxmox Support Team <support@proxmox.com>  Mon, 03 Mar 2014 08:37:06 +0100