git.proxmox.com Git - pve-firewall.git/blame - debian/changelog
rules: allow connections on port range 60000:60050 in management network for migration
Commit Line Data
5ac03b1c
WB
1 pve-firewall (4.0-8) pve; urgency=medium
2
3 * increase default nf_conntrack_max to the kernel's default
4
5 * fix some "use of uninitialized value" warnings when updating CIDRs
6
7 * update schema documentation
8
9 * add explicit dependency on libpve-cluster-perl
10
11 * add support for "raw" tables
12
13 * add options for synflood protection for host firewall:
14 - nf_conntrack_tcp_timeout_syn_recv
15 - protection_synflood: boolean
16 - protection_synflood_rate: SYN rate limit (default 200 per second)
17 - protection_synflood_burst: SYN burst limit (default 1000)
18
19 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Nov 2019 13:48:20 +0100
20
bd368955
FG
21 pve-firewall (4.0-7) pve; urgency=medium
22
23 * only add VM chains and rules if VM firewall is enabled
24
25 -- Proxmox Support Team <support@proxmox.com> Wed, 7 Aug 2019 10:55:06 +0200
26
c8f3e1ee
TL
27 pve-firewall (4.0-6) pve; urgency=medium
28
29 * firewall macros: add new Ceph protocol v2 port while keeping v1 port
30
31 -- Proxmox Support Team <support@proxmox.com> Tue, 23 Jul 2019 18:57:48 +0200
32
6fc572dc
TL
33 pve-firewall (4.0-5) pve; urgency=medium
34
35 * don't use any base path at all for calls to external binaries to make use
36 compatible with both, /usr merged and unmerged setups
37
38 -- Proxmox Support Team <support@proxmox.com> Fri, 12 Jul 2019 11:47:53 +0200
39
b1379400
TL
40 pve-firewall (4.0-4) pve; urgency=medium
41
42 * ebtables: remove PVE chains properly
43
44 * ebtables: treat chain deletion as change
45
46 * use /usr/sbin as base path
47
48 -- Proxmox Support Team <support@proxmox.com> Thu, 11 Jul 2019 19:40:01 +0200
49
9e01d77d
TL
50 pve-firewall (4.0-3) pve; urgency=medium
51
52 * Create corosync firewall rules independently of localnet
53
54 * Display corosync rule info on localnet call
55
56 -- Proxmox Support Team <support@proxmox.com> Thu, 04 Jul 2019 15:56:11 +0200
57
9429bd35
TL
58 pve-firewall (4.0-2) pve; urgency=medium
59
60 * fix systemd warning about PIDFile directory
61
62 * fix CT rule generation with ipfilter set
63
64 * pve-firewall service: update-alternative iptables and ebtables to working
65 legacy versions
66
67 -- Proxmox Support Team <support@proxmox.com> Mon, 24 Jun 2019 20:43:21 +0200
68
6b9da9b0
TL
69 pve-firewall (4.0-1) pve; urgency=medium
70
71 * re-build for Debian Buster / PVE 6
72
73 -- Proxmox Support Team <support@proxmox.com> Tue, 21 May 2019 22:28:55 +0200
74
dd7d737b
TL
75 pve-firewall (3.0-21) unstable; urgency=medium
76
77 * fix ipv6 PVEFW-reject
78
79 * fix #2193: arpfilter: CT: remove mask from net IP/CIDR to avoid
80 ebtables doing the wrong thing here
81
82 -- Proxmox Support Team <support@proxmox.com> Wed, 08 May 2019 10:09:31 +0000
83
bbf77725
TL
84 pve-firewall (3.0-20) unstable; urgency=medium
85
86 * use IPCC to read config and rule files, if they are backed by pmxcfs which
87 has better handling for pmxcfs restarts
88
89 * fix #2178: endless loop on ipv6 extension headers
90
91 -- Proxmox Support Team <support@proxmox.com> Fri, 19 Apr 2019 05:10:13 +0000
92
baba607a
TL
93 pve-firewall (3.0-19) unstable; urgency=medium
94
95 * ebtables: add arp filtering
96
97 * fix: #2123 Logging of user defined firewall rules
98
99 * fix Razor macro
100
101 * allow to enable/disable and modify cluster wide log ratelimits
102
103 -- Proxmox Support Team <support@proxmox.com> Tue, 02 Apr 2019 11:15:16 +0200
104
d8ea08e3
TL
105 pve-firewall (3.0-18) unstable; urgency=medium
106
107 * fix #1606: Add nf_conntrack_allow_invalid option
108
109 * log reject : add space after policy REJECT like drop
110
111 * fix #1891: Add zsh command completion for pve-firewall
112
113 -- Proxmox Support Team <support@proxmox.com> Mon, 04 Mar 2019 10:27:01 +0100
114
91d88bc5
TL
115 pve-firewall (3.0-17) unstable; urgency=medium
116
117 * fix #2005: only allow ascii port digits
118
119 * fix #2004: do not allow backwards ranges
120
121 * add conntrack logging via libnetfilter_conntrack and allow one to enable
122 it through the firewall host configuration
123
124 -- Proxmox Support Team <support@proxmox.com> Wed, 09 Jan 2019 16:56:17 +0100
125
81d13a9d
TL
126 pve-firewall (3.0-16) unstable; urgency=medium
127
128 * api/rules: fix macro return type
129
130 -- Proxmox Support Team <support@proxmox.com> Fri, 30 Nov 2018 16:02:59 +0100
131
bed701bc
TL
132 pve-firewall (3.0-15) unstable; urgency=medium
133
134 * fix #1971: display firewall rule properties
135
136 -- Proxmox Support Team <support@proxmox.com> Fri, 23 Nov 2018 14:01:33 +0100
137
a24b157b
WB
138 pve-firewall (3.0-14) unstable; urgency=medium
139
140 * fix #1841: avoid ebtable reloads when containers have multiple network
141 interfaces
142
143 -- Proxmox Support Team <support@proxmox.com> Fri, 24 Aug 2018 10:51:04 +0200
144
cf7dd94b
WB
145 pve-firewall (3.0-13) unstable; urgency=medium
146
147 * avoid unnecessary reloads of ebtable ruleset
148
149 -- Proxmox Support Team <support@proxmox.com> Thu, 28 Jun 2018 14:47:16 +0200
150
dd03bf6e
WB
151 pve-firewall (3.0-12) unstable; urgency=medium
152
153 * fix deleted iptables chains not being properly detected as a change
154
155 -- Proxmox Support Team <support@proxmox.com> Tue, 12 Jun 2018 12:01:02 +0200
156
587a0f20 157 pve-firewall (3.0-11) unstable; urgency=medium
a3a51dad
TL
158
159 * #1764: rename 'ebtales_enable' option to 'ebtables'
160
587a0f20 161 -- Proxmox Support Team <support@proxmox.com> Wed, 06 Jun 2018 16:18:13 +0200
a3a51dad 162
423b86ef
WB
163 pve-firewall (3.0-10) unstable; urgency=medium
164
165 * fix #1764: handle existing ebtables rules and allow disabling ebtables
166
167 * ebtables handling can be disabled via /etc/pve/firewall/cluster.fw's new
168 ebtables_enable option.
169
170 -- Proxmox Support Team <support@proxmox.com> Tue, 29 May 2018 15:14:33 +0200
171
567e58ce
WB
172 pve-firewall (3.0-9) unstable; urgency=medium
173
174 * fix creation of ebtables FORWARD rule entry
175
176 -- Proxmox Support Team <support@proxmox.com> Thu, 17 May 2018 14:41:27 +0200
177
ea0d59ed
WB
178 pve-firewall (3.0-8) unstable; urgency=medium
179
180 * add ebtables support for better MAC filtering
181
182 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Apr 2018 14:25:41 +0200
183
9a19ec81
WB
184 pve-firewall (3.0-7) unstable; urgency=medium
185
186 * support distinct source and destination multi-port matching
187
188 * multi-port matching: when specifying the same list of ports for source and
189 destination require them both to match, rather than one of them, as this
190 was rather unexpected behavior
191
192 -- Proxmox Support Team <support@proxmox.com> Mon, 12 Mar 2018 14:58:08 +0100
193
8c41d444
DM
194 pve-firewall (3.0-6) unstable; urgency=medium
195
196 * fix #1319: don't fail postinst with masked service
197
198 * debian: switch to compat 9, drop init scripts, drop preinst
199
200 * check multiport limit in port ranges
201
202 * build: use git rev-parse for GITVERSION
203
204 -- Proxmox Support Team <support@proxmox.com> Thu, 08 Mar 2018 13:53:11 +0100
205
4299c35f
WB
206 pve-firewall (3.0-5) unstable; urgency=medium
207
208 * fix issue with disabled flag not being honored within groups
209
210 -- Proxmox Support Team <support@proxmox.com> Thu, 07 Dec 2017 08:31:42 +0100
211
a19d4127
WB
212 pve-firewall (3.0-4) unstable; urgency=medium
213
214 * fix issues with ipsets reloading unnecessarily or too late
215
216 * fix some typos in the logs
217
218 -- Proxmox Support Team <support@proxmox.com> Thu, 16 Nov 2017 11:41:56 +0100
219
c0c71b1b
WB
220 pve-firewall (3.0-3) unstable; urgency=medium
221
222 * Fix #1492: logger: use current timestamp if the packet doesn't have one
223
224 -- Proxmox Support Team <support@proxmox.com> Tue, 12 Sep 2017 14:43:06 +0200
225
4f7a4bdd
WB
226 pve-firewall (3.0-2) unstable; urgency=medium
227
228 * Fix #1446: remove masks in case the package had previously been removed but
229 not purged.
230
231 * improve logging on errors in the firewall configuration
232
233 * forbid trailing commas in lists as iptables-restore doesn't support them
234
235 -- Proxmox Support Team <support@proxmox.com> Mon, 17 Jul 2017 15:24:40 +0200
236
29a94c79
FG
237 pve-firewall (3.0-1) unstable; urgency=medium
238
239 * rebuild for Debian Stretch
240
241 -- Proxmox Support Team <support@proxmox.com> Thu, 9 Mar 2017 14:04:17 +0100
242
df67a3dc
DM
243 pve-firewall (2.0-33) unstable; urgency=medium
244
245 * ipset: don't allow zero-prefix entries
246
247 -- Proxmox Support Team <support@proxmox.com> Tue, 29 Nov 2016 12:18:04 +0100
248
dc643b4d
DM
249 pve-firewall (2.0-32) unstable; urgency=medium
250
251 * improve search for local-network
252
253 -- Proxmox Support Team <support@proxmox.com> Tue, 29 Nov 2016 06:35:08 +0100
254
45f206fd
DM
255 pve-firewall (2.0-31) unstable; urgency=medium
256
257 * don't try to apply ports to rules which don't support them
258
259 -- Proxmox Support Team <support@proxmox.com> Thu, 06 Oct 2016 08:31:51 +0200
260
2ea28d0c
DM
261 pve-firewall (2.0-30) unstable; urgency=medium
262
263 * add multicast DNS to the list of Macros
264
265 * add missing parameter descriptions
266
267 * build-depends: add dh-systemd
268
269 -- Proxmox Support Team <support@proxmox.com> Fri, 16 Sep 2016 08:53:16 +0200
270
b65d13d9
DM
271 pve-firewall (2.0-29) unstable; urgency=medium
272
273 * prevent overwriting ipsets/sec. groups by renaming
274
275 -- Proxmox Support Team <support@proxmox.com> Fri, 03 Jun 2016 16:46:10 +0200
276
d0f3bb08
DM
277 pve-firewall (2.0-28) unstable; urgency=medium
278
279 * use pve-common's ipv4_mask_hash_localnet
280
5c53cde4
DC
281 * fix allowed group name length
282
283 * make group digest stable
284
d0f3bb08
DM
285 -- Proxmox Support Team <support@proxmox.com> Fri, 03 Jun 2016 11:01:47 +0200
286
76a57e1a
DM
287 pve-firewall (2.0-27) unstable; urgency=medium
288
289 * fix #972: make PVEFW-FWBR-* rule order stable
290
291 -- Proxmox Support Team <support@proxmox.com> Tue, 17 May 2016 07:59:52 +0200
292
17642172
DM
293 pve-firewall (2.0-26) unstable; urgency=medium
294
295 * fix #988: set rp_filter=2
296
297 -- Proxmox Support Team <support@proxmox.com> Mon, 09 May 2016 10:01:28 +0200
298
6e29af12
DM
299 pve-firewall (2.0-25) unstable; urgency=medium
300
301 * fix #945: add uninitialized check in lxc ipset compilation
302
303 -- Proxmox Support Team <support@proxmox.com> Thu, 21 Apr 2016 09:58:33 +0200
304
edb4aff5
DM
305 pve-firewall (2.0-24) unstable; urgency=medium
306
307 * Build-Depend on pve-doc-generator
308
309 * generate manpage with pve-doc-generator
310
311 -- Proxmox Support Team <support@proxmox.com> Wed, 06 Apr 2016 10:52:45 +0200
312
e1158c15
DM
313 pve-firewall (2.0-23) unstable; urgency=medium
314
315 * use only the top bit for our accept marks
316
317 -- Proxmox Support Team <support@proxmox.com> Fri, 01 Apr 2016 07:35:38 +0200
318
5399f912
DM
319 pve-firewall (2.0-22) unstable; urgency=medium
320
321 * Use cfs_config_path from PVE::QemuConfig
322
323 -- Proxmox Support Team <support@proxmox.com> Tue, 08 Mar 2016 11:47:40 +0100
324
b9e73915
DM
325 pve-firewall (2.0-21) unstable; urgency=medium
326
327 * added new 'ipfilter' option
328
329 -- Proxmox Support Team <support@proxmox.com> Thu, 03 Mar 2016 09:43:39 +0100
330
e2a49003
DM
331 pve-firewall (2.0-20) unstable; urgency=medium
332
333 * fix 901: encode unicode characters in sha digest
334
335 -- Proxmox Support Team <support@proxmox.com> Mon, 29 Feb 2016 12:40:14 +0100
336
1d10f89a
DM
337 pve-firewall (2.0-19) unstable; urgency=medium
338
339 * Add radv option to VM options
340
341 -- Proxmox Support Team <support@proxmox.com> Sat, 27 Feb 2016 10:24:42 +0100
342
666093cd
DM
343 pve-firewall (2.0-18) unstable; urgency=medium
344
345 * Add ndp option to host and VM firewall options
346
347 * Add router-solicitation to NeighborDiscovery macro
348
349 -- Proxmox Support Team <support@proxmox.com> Fri, 19 Feb 2016 10:01:22 +0100
350
eaf25885
DM
351 pve-firewall (2.0-17) unstable; urgency=medium
352
353 * Don't leave empty FW config files behind
354
355 -- Proxmox Support Team <support@proxmox.com> Mon, 08 Feb 2016 14:09:24 +0100
356
a177fb07
DM
357 pve-firewall (2.0-16) unstable; urgency=medium
358
359 * logger: basic ipv6 support
360
361 * add DHCPv6 macro
362
363 * add dhcpv6 support to the dhcp option
364
365 -- Proxmox Support Team <support@proxmox.com> Tue, 26 Jan 2016 16:52:14 +0100
366
ab1b8d3c
DM
367 pve-firewall (2.0-15) unstable; urgency=medium
368
369 * fix bug #859: use $security_group_name_pattern in iptables_get_chains
370
371 * fix some regular expressions mixups
372
373 -- Proxmox Support Team <support@proxmox.com> Thu, 07 Jan 2016 16:33:23 +0100
374
c9c8d7a3
DM
375 pve-firewall (2.0-14) unstable; urgency=medium
376
377 * fix systemd service dependencies
378
379 -- Proxmox Support Team <support@proxmox.com> Fri, 27 Nov 2015 10:52:57 +0100
380
aa818ae7
DM
381 pve-firewall (2.0-13) unstable; urgency=medium
382
383 * allow numeric icmp types
384
385 -- Proxmox Support Team <support@proxmox.com> Fri, 23 Oct 2015 13:21:53 +0200
386
8dbebe7d
DM
387 pve-firewall (2.0-12) unstable; urgency=medium
388
389 * implement bash completions
390
391 * convert pve-firewall into a PVE::Service class
392
393 -- Proxmox Support Team <support@proxmox.com> Thu, 24 Sep 2015 12:15:00 +0200
394
47704f4c
DM
395 pve-firewall (2.0-11) unstable; urgency=medium
396
397 * iptables_get_chains: fix veth device name
398
399 -- Proxmox Support Team <support@proxmox.com> Tue, 08 Sep 2015 07:54:35 +0200
400
9eb84dc7
DM
401 pve-firewall (2.0-10) unstable; urgency=medium
402
403 * new helper: clone_vmfw_conf()
404
405 -- Proxmox Support Team <support@proxmox.com> Tue, 25 Aug 2015 06:47:49 +0200
406
a3d34dac
DM
407 pve-firewall (2.0-9) unstable; urgency=medium
408
409 * remove firewall config file subroutine added
410
411 -- Proxmox Support Team <support@proxmox.com> Wed, 19 Aug 2015 15:42:51 +0200
412
2a42a237
DM
413 pve-firewall (2.0-8) unstable; urgency=medium
414
415 * adopt regression tests for lxc containers
416
417 * removed firewall code for openVZ
418
419 * Subroutine verify_rule fixed to correctly check only for "net\d+"
420 interface device names
421
422 -- Proxmox Support Team <support@proxmox.com> Wed, 12 Aug 2015 12:01:43 +0200
423
33448a6e
DM
424 pve-firewall (2.0-7) unstable; urgency=medium
425
426 * added firewall code for lxc
427
428 -- Proxmox Support Team <support@proxmox.com> Mon, 10 Aug 2015 09:21:14 +0200
429
19f14465
DM
430 pve-firewall (2.0-6) unstable; urgency=medium
431
432 * firewall ipversion comparison fix
433
434 -- Proxmox Support Team <support@proxmox.com> Tue, 04 Aug 2015 11:14:51 +0200
435
8feec9fa
DM
436 pve-firewall (2.0-5) unstable; urgency=medium
437
438 * add ipv6 neighbor discovery and solicitation macros
439
440 * ip6tables accepts both spellings of the word neighbor
441
442 * added Ceph macro
443
444 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Jul 2015 13:20:55 +0200
445
e02c77aa
DM
446 pve-firewall (2.0-4) unstable; urgency=medium
447
448 * include manual page for pve-firewall
449
450 -- Proxmox Support Team <support@proxmox.com> Sat, 27 Jun 2015 16:26:28 +0200
451
eb4a2902
DM
452 pve-firewall (2.0-3) unstable; urgency=medium
453
454 * use noawait triggers for pve-api-updates
455
456 -- Proxmox Support Team <support@proxmox.com> Mon, 01 Jun 2015 12:33:06 +0200
457
56bb2e69
DM
458 pve-firewall (2.0-2) unstable; urgency=medium
459
460 * trigger pve-api-updates event
461
462 -- Proxmox Support Team <support@proxmox.com> Tue, 05 May 2015 15:10:24 +0200
463
0b18ebe8
DM
464 pve-firewall (2.0-1) unstable; urgency=medium
465
466 * recompile for debian jessie
467
468 -- Proxmox Support Team <support@proxmox.com> Fri, 27 Feb 2015 12:22:04 +0100
469
609f00c7
DM
470 pve-firewall (1.0-18) unstable; urgency=low
471
472 * fix alias lookup
473
474 -- Proxmox Support Team <support@proxmox.com> Mon, 09 Feb 2015 09:32:03 +0100
475
de48e659
DM
476 pve-firewall (1.0-17) unstable; urgency=low
477
478 * fix restart behavior
479
480 -- Proxmox Support Team <support@proxmox.com> Thu, 15 Jan 2015 06:45:58 +0100
481
b92d2ed2
DM
482 pve-firewall (1.0-16) unstable; urgency=low
483
484 * use new Daemon class from pve-common
485
486 -- Proxmox Support Team <support@proxmox.com> Thu, 18 Dec 2014 09:45:07 +0100
487
22dde8d6
DM
488 pve-firewall (1.0-15) unstable; urgency=low
489
490 * bug fix: load cluster conf for host rules
491
492 -- Proxmox Support Team <support@proxmox.com> Fri, 12 Dec 2014 06:33:28 +0100
493
e33e2f16
DM
494 pve-firewall (1.0-14) unstable; urgency=low
495
496 * do not use ipset list chains
497
498 * remove preinst script (not needed anymore)
499
500 -- Proxmox Support Team <support@proxmox.com> Fri, 05 Dec 2014 13:42:00 +0100
501
3bce273b
DM
502 pve-firewall (1.0-13) unstable; urgency=low
503
504 * fix ipset remove order
505
506 -- Proxmox Support Team <support@proxmox.com> Fri, 28 Nov 2014 12:45:48 +0100
507
7a7c322c
DM
508 pve-firewall (1.0-12) unstable; urgency=low
509
510 * add preinst script to clear ipset from older installation (because
511 sets cannot be swapped if their type does not match).
ce41ae23 512
7a7c322c
DM
513 -- Proxmox Support Team <support@proxmox.com> Fri, 28 Nov 2014 08:59:38 +0100
514
1b918ee5
DM
515 pve-firewall (1.0-11) unstable; urgency=low
516
517 * bug fix: correctly set ipversion for aliases in verify_rule
518
519 * save restore commands into files to make debugging
520 easier (/var/lib/pve-firewall/)
521
522 -- Proxmox Support Team <support@proxmox.com> Fri, 28 Nov 2014 08:04:05 +0100
523
df617cea
DM
524 pve-firewall (1.0-10) unstable; urgency=low
525
526 * add IPv6 support for VMs (hostfw is IPv4 only)
527
528 -- Proxmox Support Team <support@proxmox.com> Wed, 26 Nov 2014 07:00:29 +0100
529
0ac57570
DM
530 pve-firewall (1.0-9) unstable; urgency=low
531
532 * fix max ipset name length
533
534 -- Proxmox Support Team <support@proxmox.com> Tue, 14 Oct 2014 16:29:34 +0200
535
05fd3b63
DM
536 pve-firewall (1.0-8) unstable; urgency=low
537
538 * implement permission
539
540 -- Proxmox Support Team <support@proxmox.com> Mon, 08 Sep 2014 12:15:21 +0200
541
bea9d5ab
DM
542 pve-firewall (1.0-7) unstable; urgency=low
543
544 * proxy host rule API calls to correct node
a34cfdd0
DM
545
546 * always generate MAC and IP filter rules if firewall is enabled on NIC
bea9d5ab
DM
547
548 -- Proxmox Support Team <support@proxmox.com> Thu, 26 Jun 2014 07:12:57 +0200
549
582275c3
DM
550 pve-firewall (1.0-6) unstable; urgency=low
551
552 * implement ipfilter ipsets
553
554 -- Proxmox Support Team <support@proxmox.com> Thu, 12 Jun 2014 08:37:08 +0200
555
de0c1e49
DM
556 pve-firewall (1.0-5) unstable; urgency=low
557
558 * remove ipsets when firewall disabled
559
560 -- Proxmox Support Team <support@proxmox.com> Wed, 04 Jun 2014 08:50:18 +0200
561
64c266f5
DM
562 pve-firewall (1.0-4) unstable; urgency=low
563
564 * depend on iptables and ipset
565
566 -- Proxmox Support Team <support@proxmox.com> Wed, 04 Jun 2014 06:45:33 +0200
567
16bcfa8b
DM
568 pve-firewall (1.0-3) unstable; urgency=low
569
570 * change dh_installinit order (register pvefw-logger before pve-firewall)
571
572 -- Proxmox Support Team <support@proxmox.com> Wed, 04 Jun 2014 06:24:21 +0200
573
ba0b3a0a
DM
574 pve-firewall (1.0-2) unstable; urgency=low
575
576 * add experimental nflog logging daemon
577
578 -- Proxmox Support Team <support@proxmox.com> Thu, 13 Mar 2014 08:27:01 +0100
579
bb272dd3
DM
580 pve-firewall (1.0-1) unstable; urgency=low
581
582 * initial package
583
584 -- Proxmox Support Team <support@proxmox.com> Mon, 03 Mar 2014 08:37:06 +0100
585