[pve-firewall.git] / debian / changelog
pve-firewall (4.2-2) bullseye; urgency=medium

  * re-set relevant sysctls on every apply round

 -- Proxmox Support Team <support@proxmox.com>  Mon, 21 Jun 2021 11:31:42 +0200

pve-firewall (4.2-1) bullseye; urgency=medium

  * fix #967: source: dest: limit length

  * re-build for Debian 11 Bullseye based releases (Proxmox VE 7)

  * fix #2358: allow --<opt> in firewall rule config files

 -- Proxmox Support Team <support@proxmox.com>  Wed, 12 May 2021 20:32:30 +0200

pve-firewall (4.1-3) pve; urgency=medium

  * fix #2773: ebtables: keep policy of custom chains

  * introduce new icmp-type parameter

 -- Proxmox Support Team <support@proxmox.com>  Fri, 18 Sep 2020 16:51:27 +0200

pve-firewall (4.1-2) pve; urgency=medium

  * revert: rules: verify referenced security group exists

 -- Proxmox Support Team <support@proxmox.com>  Wed, 06 May 2020 17:41:36 +0200

pve-firewall (4.1-1) pve; urgency=medium

  * logging: add missing log message for inbound rules

  * fix #2686: avoid adding 'arp-ip-src' IP filter if guests use DHCP

  * IPSets: parse the CIDR before checking for duplicates

  * verify that a referenced security group exists

  * ICMP: fix iptables-restore failing if ICMP-type values bigger than '255'

  * ICMP: allow one to specify the 'echo-reply' (0) type also as integer

  * improve handling concurrent (parallel) access and modifications to rules

 -- Proxmox Support Team <support@proxmox.com>  Mon, 04 May 2020 15:01:57 +0200

pve-firewall (4.0-10) pve; urgency=medium

  * macros: add macro for Proxmox Mail Gateway web interface

  * api node: always pass cluster conf to node FW parser to fix false positive
    error message about non existing aliases, or IP sets, when querying the
    node FW options GET API call.

  * grammar fix: s/does not exists/does not exist/g

 -- Proxmox Support Team <support@proxmox.com>  Mon, 27 Jan 2020 19:25:49 +0100

pve-firewall (4.0-9) pve; urgency=medium

  * ensure port range used for offline storage migration and insecure migration
    traffic is allowed by default rule set.

 -- Proxmox Support Team <support@proxmox.com>  Tue, 03 Dec 2019 08:12:20 +0100

pve-firewall (4.0-8) pve; urgency=medium

  * increase default nf_conntrack_max to the kernel's default

  * fix some "use of uninitialized value" warnings when updating CIDRs

  * update schema documentation

  * add explicit dependency on libpve-cluster-perl

  * add support for "raw" tables

  * add options for synflood protection for host firewall:
    - nf_conntrack_tcp_timeout_syn_recv
    - protection_synflood: boolean
    - protection_synflood_rate: SYN rate limit (default 200 per second)
    - protection_synflood_burst: SYN burst limit (default 1000)

 -- Proxmox Support Team <support@proxmox.com>  Mon, 18 Nov 2019 13:48:20 +0100

pve-firewall (4.0-7) pve; urgency=medium

  * only add VM chains and rules if VM firewall is enabled

 -- Proxmox Support Team <support@proxmox.com>  Wed, 7 Aug 2019 10:55:06 +0200

pve-firewall (4.0-6) pve; urgency=medium

  * firewall macros: add new Ceph protocol v2 port while keeping v1 port

 -- Proxmox Support Team <support@proxmox.com>  Tue, 23 Jul 2019 18:57:48 +0200

pve-firewall (4.0-5) pve; urgency=medium

  * don't use any base path at all for calls to external binaries to make use
    compatible with both /usr merged and unmerged setups

 -- Proxmox Support Team <support@proxmox.com>  Fri, 12 Jul 2019 11:47:53 +0200

pve-firewall (4.0-4) pve; urgency=medium

  * ebtables: remove PVE chains properly

  * ebtables: treat chain deletion as change

  * use /usr/sbin as base path

 -- Proxmox Support Team <support@proxmox.com>  Thu, 11 Jul 2019 19:40:01 +0200

pve-firewall (4.0-3) pve; urgency=medium

  * Create corosync firewall rules independently of localnet

  * Display corosync rule info on localnet call

 -- Proxmox Support Team <support@proxmox.com>  Thu, 04 Jul 2019 15:56:11 +0200

pve-firewall (4.0-2) pve; urgency=medium

  * fix systemd warning about PIDFile directory

  * fix CT rule generation with ipfilter set

  * pve-firewall service: update-alternative iptables and ebtables to working
    legacy versions

 -- Proxmox Support Team <support@proxmox.com>  Mon, 24 Jun 2019 20:43:21 +0200

pve-firewall (4.0-1) pve; urgency=medium

  * re-build for Debian Buster / PVE 6

 -- Proxmox Support Team <support@proxmox.com>  Tue, 21 May 2019 22:28:55 +0200

pve-firewall (3.0-21) unstable; urgency=medium

  * fix ipv6 PVEFW-reject

  * fix #2193: arpfilter: CT: remove mask from net IP/CIDR to avoid
    ebtables doing the wrong thing here

 -- Proxmox Support Team <support@proxmox.com>  Wed, 08 May 2019 10:09:31 +0000

pve-firewall (3.0-20) unstable; urgency=medium

  * use IPCC to read config and rule files, if they are backed by pmxcfs which
    has better handling for pmxcfs restarts

  * fix #2178: endless loop on ipv6 extension headers

 -- Proxmox Support Team <support@proxmox.com>  Fri, 19 Apr 2019 05:10:13 +0000

pve-firewall (3.0-19) unstable; urgency=medium

  * ebtables: add arp filtering

  * fix: #2123 Logging of user defined firewall rules

  * fix Razor macro

  * allow to enable/disable and modify cluster wide log ratelimits

 -- Proxmox Support Team <support@proxmox.com>  Tue, 02 Apr 2019 11:15:16 +0200

pve-firewall (3.0-18) unstable; urgency=medium

  * fix #1606: Add nf_conntrack_allow_invalid option

  * log reject : add space after policy REJECT like drop

  * fix #1891: Add zsh command completion for pve-firewall

 -- Proxmox Support Team <support@proxmox.com>  Mon, 04 Mar 2019 10:27:01 +0100

pve-firewall (3.0-17) unstable; urgency=medium

  * fix #2005: only allow ascii port digits

  * fix #2004: do not allow backwards ranges

  * add conntrack logging via libnetfilter_conntrack and allow one to enable
    it through the firewall host configuration

 -- Proxmox Support Team <support@proxmox.com>  Wed, 09 Jan 2019 16:56:17 +0100

pve-firewall (3.0-16) unstable; urgency=medium

  * api/rules: fix macro return type

 -- Proxmox Support Team <support@proxmox.com>  Fri, 30 Nov 2018 16:02:59 +0100

pve-firewall (3.0-15) unstable; urgency=medium

  * fix #1971: display firewall rule properties

 -- Proxmox Support Team <support@proxmox.com>  Fri, 23 Nov 2018 14:01:33 +0100

pve-firewall (3.0-14) unstable; urgency=medium

  * fix #1841: avoid ebtable reloads when containers have multiple network
    interfaces

 -- Proxmox Support Team <support@proxmox.com>  Fri, 24 Aug 2018 10:51:04 +0200

pve-firewall (3.0-13) unstable; urgency=medium

  * avoid unnecessary reloads of ebtable ruleset

 -- Proxmox Support Team <support@proxmox.com>  Thu, 28 Jun 2018 14:47:16 +0200

pve-firewall (3.0-12) unstable; urgency=medium

  * fix deleted iptables chains not being properly detected as a change

 -- Proxmox Support Team <support@proxmox.com>  Tue, 12 Jun 2018 12:01:02 +0200

pve-firewall (3.0-11) unstable; urgency=medium

  * #1764: rename 'ebtales_enable' option to 'ebtables'

 -- Proxmox Support Team <support@proxmox.com>  Wed, 06 Jun 2018 16:18:13 +0200

pve-firewall (3.0-10) unstable; urgency=medium

  * fix #1764: handle existing ebtables rules and allow disabling ebtables

  * ebtables handling can be disabled via /etc/pve/firewall/cluster.fw's new
    ebtables_enable option.

 -- Proxmox Support Team <support@proxmox.com>  Tue, 29 May 2018 15:14:33 +0200

pve-firewall (3.0-9) unstable; urgency=medium

  * fix creation of ebtables FORWARD rule entry

 -- Proxmox Support Team <support@proxmox.com>  Thu, 17 May 2018 14:41:27 +0200

pve-firewall (3.0-8) unstable; urgency=medium

  * add ebtables support for better MAC filtering

 -- Proxmox Support Team <support@proxmox.com>  Wed, 11 Apr 2018 14:25:41 +0200

pve-firewall (3.0-7) unstable; urgency=medium

  * support distinct source and destination multi-port matching

  * multi-port matching: when specifying the same list of ports for source and
    destination require them both to match, rather than one of them, as this
    was rather unexpected behavior

 -- Proxmox Support Team <support@proxmox.com>  Mon, 12 Mar 2018 14:58:08 +0100

pve-firewall (3.0-6) unstable; urgency=medium

  * fix #1319: don't fail postinst with masked service

  * debian: switch to compat 9, drop init scripts, drop preinst

  * check multiport limit in port ranges

  * build: use git rev-parse for GITVERSION

 -- Proxmox Support Team <support@proxmox.com>  Thu, 08 Mar 2018 13:53:11 +0100

pve-firewall (3.0-5) unstable; urgency=medium

  * fix issue with disabled flag not being honored within groups

 -- Proxmox Support Team <support@proxmox.com>  Thu, 07 Dec 2017 08:31:42 +0100

pve-firewall (3.0-4) unstable; urgency=medium

  * fix issues with ipsets reloading unnecessarily or too late

  * fix some typos in the logs

 -- Proxmox Support Team <support@proxmox.com>  Thu, 16 Nov 2017 11:41:56 +0100

pve-firewall (3.0-3) unstable; urgency=medium

  * Fix #1492: logger: use current timestamp if the packet doesn't have one

 -- Proxmox Support Team <support@proxmox.com>  Tue, 12 Sep 2017 14:43:06 +0200

pve-firewall (3.0-2) unstable; urgency=medium

  * Fix #1446: remove masks in case the package had previously been removed but
    not purged.

  * improve logging on errors in the firewall configuration

  * forbid trailing commas in lists as iptables-restore doesn't support them

 -- Proxmox Support Team <support@proxmox.com>  Mon, 17 Jul 2017 15:24:40 +0200

pve-firewall (3.0-1) unstable; urgency=medium

  * rebuild for Debian Stretch

 -- Proxmox Support Team <support@proxmox.com>  Thu, 9 Mar 2017 14:04:17 +0100

pve-firewall (2.0-33) unstable; urgency=medium

  * ipset: don't allow zero-prefix entries

 -- Proxmox Support Team <support@proxmox.com>  Tue, 29 Nov 2016 12:18:04 +0100

pve-firewall (2.0-32) unstable; urgency=medium

  * improve search for local-network

 -- Proxmox Support Team <support@proxmox.com>  Tue, 29 Nov 2016 06:35:08 +0100

pve-firewall (2.0-31) unstable; urgency=medium

  * don't try to apply ports to rules which don't support them

 -- Proxmox Support Team <support@proxmox.com>  Thu, 06 Oct 2016 08:31:51 +0200

pve-firewall (2.0-30) unstable; urgency=medium

  * add multicast DNS to the list of Macros

  * add missing parameter descriptions

  * build-depends: add dh-systemd

 -- Proxmox Support Team <support@proxmox.com>  Fri, 16 Sep 2016 08:53:16 +0200

pve-firewall (2.0-29) unstable; urgency=medium

  * prevent overwriting ipsets/sec. groups by renaming

 -- Proxmox Support Team <support@proxmox.com>  Fri, 03 Jun 2016 16:46:10 +0200

pve-firewall (2.0-28) unstable; urgency=medium

  * use pve-common's ipv4_mask_hash_localnet

  * fix allowed group name length

  * make group digest stable

 -- Proxmox Support Team <support@proxmox.com>  Fri, 03 Jun 2016 11:01:47 +0200

pve-firewall (2.0-27) unstable; urgency=medium

  * fix #972: make PVEFW-FWBR-* rule order stable

 -- Proxmox Support Team <support@proxmox.com>  Tue, 17 May 2016 07:59:52 +0200

pve-firewall (2.0-26) unstable; urgency=medium

  * fix #988: set rp_filter=2

 -- Proxmox Support Team <support@proxmox.com>  Mon, 09 May 2016 10:01:28 +0200

pve-firewall (2.0-25) unstable; urgency=medium

  * fix #945: add uninitialized check in lxc ipset compilation

 -- Proxmox Support Team <support@proxmox.com>  Thu, 21 Apr 2016 09:58:33 +0200

pve-firewall (2.0-24) unstable; urgency=medium

  * Build-Depend on pve-doc-generator

  * generate manpage with pve-doc-generator

 -- Proxmox Support Team <support@proxmox.com>  Wed, 06 Apr 2016 10:52:45 +0200

pve-firewall (2.0-23) unstable; urgency=medium

  * use only the top bit for our accept marks

 -- Proxmox Support Team <support@proxmox.com>  Fri, 01 Apr 2016 07:35:38 +0200

pve-firewall (2.0-22) unstable; urgency=medium

  * Use cfs_config_path from PVE::QemuConfig

 -- Proxmox Support Team <support@proxmox.com>  Tue, 08 Mar 2016 11:47:40 +0100

pve-firewall (2.0-21) unstable; urgency=medium

  * added new 'ipfilter' option

 -- Proxmox Support Team <support@proxmox.com>  Thu, 03 Mar 2016 09:43:39 +0100

pve-firewall (2.0-20) unstable; urgency=medium

  * fix 901: encode unicode characters in sha digest

 -- Proxmox Support Team <support@proxmox.com>  Mon, 29 Feb 2016 12:40:14 +0100

pve-firewall (2.0-19) unstable; urgency=medium

  * Add radv option to VM options

 -- Proxmox Support Team <support@proxmox.com>  Sat, 27 Feb 2016 10:24:42 +0100

pve-firewall (2.0-18) unstable; urgency=medium

  * Add ndp option to host and VM firewall options

  * Add router-solicitation to NeighborDiscovery macro

 -- Proxmox Support Team <support@proxmox.com>  Fri, 19 Feb 2016 10:01:22 +0100

pve-firewall (2.0-17) unstable; urgency=medium

  * Don't leave empty FW config files behind

 -- Proxmox Support Team <support@proxmox.com>  Mon, 08 Feb 2016 14:09:24 +0100

pve-firewall (2.0-16) unstable; urgency=medium

  * logger: basic ipv6 support

  * add DHCPv6 macro

  * add dhcpv6 support to the dhcp option

 -- Proxmox Support Team <support@proxmox.com>  Tue, 26 Jan 2016 16:52:14 +0100

pve-firewall (2.0-15) unstable; urgency=medium

  * fix bug #859: use $security_group_name_pattern in iptables_get_chains

  * fix some regular expressions mixups

 -- Proxmox Support Team <support@proxmox.com>  Thu, 07 Jan 2016 16:33:23 +0100

pve-firewall (2.0-14) unstable; urgency=medium

  * fix systemd service dependencies

 -- Proxmox Support Team <support@proxmox.com>  Fri, 27 Nov 2015 10:52:57 +0100

pve-firewall (2.0-13) unstable; urgency=medium

  * allow numeric icmp types

 -- Proxmox Support Team <support@proxmox.com>  Fri, 23 Oct 2015 13:21:53 +0200

pve-firewall (2.0-12) unstable; urgency=medium

  * implement bash completions

  * convert pve-firewall into a PVE::Service class

 -- Proxmox Support Team <support@proxmox.com>  Thu, 24 Sep 2015 12:15:00 +0200

pve-firewall (2.0-11) unstable; urgency=medium

  * iptables_get_chains: fix veth device name

 -- Proxmox Support Team <support@proxmox.com>  Tue, 08 Sep 2015 07:54:35 +0200

pve-firewall (2.0-10) unstable; urgency=medium

  * new helper: clone_vmfw_conf()

 -- Proxmox Support Team <support@proxmox.com>  Tue, 25 Aug 2015 06:47:49 +0200

pve-firewall (2.0-9) unstable; urgency=medium

  * remove firewall config file subroutine added

 -- Proxmox Support Team <support@proxmox.com>  Wed, 19 Aug 2015 15:42:51 +0200

pve-firewall (2.0-8) unstable; urgency=medium

  * adopt regression tests for lxc containers

  * removed firewall code for openVZ

  * Subroutine verify_rule fixed to correctly check only for "net\d+"
    interface device names

 -- Proxmox Support Team <support@proxmox.com>  Wed, 12 Aug 2015 12:01:43 +0200

pve-firewall (2.0-7) unstable; urgency=medium

  * added firewall code for lxc

 -- Proxmox Support Team <support@proxmox.com>  Mon, 10 Aug 2015 09:21:14 +0200

pve-firewall (2.0-6) unstable; urgency=medium

  * firewall ipversion comparison fix

 -- Proxmox Support Team <support@proxmox.com>  Tue, 04 Aug 2015 11:14:51 +0200

pve-firewall (2.0-5) unstable; urgency=medium

  * add ipv6 neighbor discovery and solicitation macros

  * ip6tables accepts both spellings of the word neighbor

  * added Ceph macro

 -- Proxmox Support Team <support@proxmox.com>  Mon, 27 Jul 2015 13:20:55 +0200

pve-firewall (2.0-4) unstable; urgency=medium

  * include manual page for pve-firewall

 -- Proxmox Support Team <support@proxmox.com>  Sat, 27 Jun 2015 16:26:28 +0200

pve-firewall (2.0-3) unstable; urgency=medium

  * use noawait triggers for pve-api-updates

 -- Proxmox Support Team <support@proxmox.com>  Mon, 01 Jun 2015 12:33:06 +0200

pve-firewall (2.0-2) unstable; urgency=medium

  * trigger pve-api-updates event

 -- Proxmox Support Team <support@proxmox.com>  Tue, 05 May 2015 15:10:24 +0200

pve-firewall (2.0-1) unstable; urgency=medium

  * recompile for debian jessie

 -- Proxmox Support Team <support@proxmox.com>  Fri, 27 Feb 2015 12:22:04 +0100

pve-firewall (1.0-18) unstable; urgency=low

  * fix alias lookup

 -- Proxmox Support Team <support@proxmox.com>  Mon, 09 Feb 2015 09:32:03 +0100

pve-firewall (1.0-17) unstable; urgency=low

  * fix restart behavior

 -- Proxmox Support Team <support@proxmox.com>  Thu, 15 Jan 2015 06:45:58 +0100

pve-firewall (1.0-16) unstable; urgency=low

  * use new Daemon class from pve-common

 -- Proxmox Support Team <support@proxmox.com>  Thu, 18 Dec 2014 09:45:07 +0100

pve-firewall (1.0-15) unstable; urgency=low

  * bug fix: load cluster conf for host rules

 -- Proxmox Support Team <support@proxmox.com>  Fri, 12 Dec 2014 06:33:28 +0100

pve-firewall (1.0-14) unstable; urgency=low

  * do not use ipset list chains

  * remove preinst script (not needed anymore)

 -- Proxmox Support Team <support@proxmox.com>  Fri, 05 Dec 2014 13:42:00 +0100

pve-firewall (1.0-13) unstable; urgency=low

  * fix ipset remove order

 -- Proxmox Support Team <support@proxmox.com>  Fri, 28 Nov 2014 12:45:48 +0100

pve-firewall (1.0-12) unstable; urgency=low

  * add preinst script to clear ipset from older installation (because
    sets cannot be swapped if their type does not match).

 -- Proxmox Support Team <support@proxmox.com>  Fri, 28 Nov 2014 08:59:38 +0100

pve-firewall (1.0-11) unstable; urgency=low

  * bug fix: correctly set ipversion for aliases in verify_rule

  * save restore commands into files to make debugging
    easier (/var/lib/pve-firewall/)

 -- Proxmox Support Team <support@proxmox.com>  Fri, 28 Nov 2014 08:04:05 +0100

pve-firewall (1.0-10) unstable; urgency=low

  * add IPv6 support for VMs (hostfw is IPv4 only)

 -- Proxmox Support Team <support@proxmox.com>  Wed, 26 Nov 2014 07:00:29 +0100

pve-firewall (1.0-9) unstable; urgency=low

  * fix max ipset name length

 -- Proxmox Support Team <support@proxmox.com>  Tue, 14 Oct 2014 16:29:34 +0200

pve-firewall (1.0-8) unstable; urgency=low

  * implement permission

 -- Proxmox Support Team <support@proxmox.com>  Mon, 08 Sep 2014 12:15:21 +0200

pve-firewall (1.0-7) unstable; urgency=low

  * proxy host rule API calls to correct node

  * always generate MAC and IP filter rules if firewall is enabled on NIC

 -- Proxmox Support Team <support@proxmox.com>  Thu, 26 Jun 2014 07:12:57 +0200

pve-firewall (1.0-6) unstable; urgency=low

  * implement ipfilter ipsets

 -- Proxmox Support Team <support@proxmox.com>  Thu, 12 Jun 2014 08:37:08 +0200

pve-firewall (1.0-5) unstable; urgency=low

  * remove ipsets when firewall disabled

 -- Proxmox Support Team <support@proxmox.com>  Wed, 04 Jun 2014 08:50:18 +0200

pve-firewall (1.0-4) unstable; urgency=low

  * depend on iptables and ipset

 -- Proxmox Support Team <support@proxmox.com>  Wed, 04 Jun 2014 06:45:33 +0200

pve-firewall (1.0-3) unstable; urgency=low

  * change dh_installinit order (register pvefw-logger before pve-firewall)

 -- Proxmox Support Team <support@proxmox.com>  Wed, 04 Jun 2014 06:24:21 +0200

pve-firewall (1.0-2) unstable; urgency=low

  * add experimental nflog logging daemon

 -- Proxmox Support Team <support@proxmox.com>  Thu, 13 Mar 2014 08:27:01 +0100

pve-firewall (1.0-1) unstable; urgency=low

  * initial package

 -- Proxmox Support Team <support@proxmox.com>  Mon, 03 Mar 2014 08:37:06 +0100