pve-firewall (4.2-3) bullseye; urgency=medium

  * fix #2721: remove the (nowadays) bogus reject for TCP port 43 from the
    default drop and reject actions

 -- Proxmox Support Team <support@proxmox.com>  Fri, 10 Sep 2021 13:00:07 +0200

pve-firewall (4.2-2) bullseye; urgency=medium

  * re-set relevant sysctls on every apply round

 -- Proxmox Support Team <support@proxmox.com>  Mon, 21 Jun 2021 11:31:42 +0200

pve-firewall (4.2-1) bullseye; urgency=medium

  * fix #967: source: dest: limit length

  * re-build for Debian 11 Bullseye based releases (Proxmox VE 7)

  * fix #2358: allow --<opt> in firewall rule config files

 -- Proxmox Support Team <support@proxmox.com>  Wed, 12 May 2021 20:32:30 +0200

pve-firewall (4.1-3) pve; urgency=medium

  * fix #2773: ebtables: keep policy of custom chains

  * introduce new icmp-type parameter

 -- Proxmox Support Team <support@proxmox.com>  Fri, 18 Sep 2020 16:51:27 +0200

pve-firewall (4.1-2) pve; urgency=medium

  * revert: rules: verify referenced security group exists

 -- Proxmox Support Team <support@proxmox.com>  Wed, 06 May 2020 17:41:36 +0200

pve-firewall (4.1-1) pve; urgency=medium

  * logging: add missing log message for inbound rules

  * fix #2686: avoid adding 'arp-ip-src' IP filter if guest uses DHCP

  * IPSets: parse the CIDR before checking for duplicates

  * verify that a referenced security group exists

  * ICMP: fix iptables-restore failing if ICMP-type values bigger than '255'

  * ICMP: allow one to specify the 'echo-reply' (0) type also as integer

  * improve handling concurrent (parallel) access and modifications to rules

 -- Proxmox Support Team <support@proxmox.com>  Mon, 04 May 2020 15:01:57 +0200

pve-firewall (4.0-10) pve; urgency=medium

  * macros: add macro for Proxmox Mail Gateway web interface

  * api node: always pass cluster conf to node FW parser to fix false positive
    error message about non existing aliases, or IP sets, when querying the
    node FW options GET API call.

  * grammar fix: s/does not exists/does not exist/g

 -- Proxmox Support Team <support@proxmox.com>  Mon, 27 Jan 2020 19:25:49 +0100

pve-firewall (4.0-9) pve; urgency=medium

  * ensure port range used for offline storage migration and insecure migration
    traffic is allowed by default rule set.

 -- Proxmox Support Team <support@proxmox.com>  Tue, 03 Dec 2019 08:12:20 +0100

pve-firewall (4.0-8) pve; urgency=medium

  * increase default nf_conntrack_max to the kernel's default

  * fix some "use of uninitialized value" warnings when updating CIDRs

  * update schema documentation

  * add explicit dependency on libpve-cluster-perl

  * add support for "raw" tables

  * add options for synflood protection for host firewall:
    - nf_conntrack_tcp_timeout_syn_recv
    - protection_synflood: boolean
    - protection_synflood_rate: SYN rate limit (default 200 per second)
    - protection_synflood_burst: SYN burst limit (default 1000)

 -- Proxmox Support Team <support@proxmox.com>  Mon, 18 Nov 2019 13:48:20 +0100

pve-firewall (4.0-7) pve; urgency=medium

  * only add VM chains and rules if VM firewall is enabled

 -- Proxmox Support Team <support@proxmox.com>  Wed, 7 Aug 2019 10:55:06 +0200

pve-firewall (4.0-6) pve; urgency=medium

  * firewall macros: add new Ceph protocol v2 port while keeping v1 port

 -- Proxmox Support Team <support@proxmox.com>  Tue, 23 Jul 2019 18:57:48 +0200

pve-firewall (4.0-5) pve; urgency=medium

  * don't use any base path at all for calls to external binaries to make us
    compatible with both, /usr merged and unmerged setups

 -- Proxmox Support Team <support@proxmox.com>  Fri, 12 Jul 2019 11:47:53 +0200

pve-firewall (4.0-4) pve; urgency=medium

  * ebtables: remove PVE chains properly

  * ebtables: treat chain deletion as change

  * use /usr/sbin as base path

 -- Proxmox Support Team <support@proxmox.com>  Thu, 11 Jul 2019 19:40:01 +0200

pve-firewall (4.0-3) pve; urgency=medium

  * Create corosync firewall rules independently of localnet

  * Display corosync rule info on localnet call

 -- Proxmox Support Team <support@proxmox.com>  Thu, 04 Jul 2019 15:56:11 +0200

pve-firewall (4.0-2) pve; urgency=medium

  * fix systemd warning about PIDFile directory

  * fix CT rule generation with ipfilter set

  * pve-firewall service: update-alternative iptables and ebtables to working

 -- Proxmox Support Team <support@proxmox.com>  Mon, 24 Jun 2019 20:43:21 +0200

pve-firewall (4.0-1) pve; urgency=medium

  * re-build for Debian Buster / PVE 6

 -- Proxmox Support Team <support@proxmox.com>  Tue, 21 May 2019 22:28:55 +0200

pve-firewall (3.0-21) unstable; urgency=medium

  * fix ipv6 PVEFW-reject

  * fix #2193: arpfilter: CT: remove mask from net IP/CIDR to avoid
    ebtables doing the wrong thing here

 -- Proxmox Support Team <support@proxmox.com>  Wed, 08 May 2019 10:09:31 +0000

pve-firewall (3.0-20) unstable; urgency=medium

  * use IPCC to read config and rule files, if they are backed by pmxcfs which
    has better handling for pmxcfs restarts

  * fix #2178: endless loop on ipv6 extension headers

 -- Proxmox Support Team <support@proxmox.com>  Fri, 19 Apr 2019 05:10:13 +0000

pve-firewall (3.0-19) unstable; urgency=medium

  * ebtables: add arp filtering

  * fix: #2123 Logging of user defined firewall rules

  * allow to enable/disable and modify cluster wide log ratelimits

 -- Proxmox Support Team <support@proxmox.com>  Tue, 02 Apr 2019 11:15:16 +0200

pve-firewall (3.0-18) unstable; urgency=medium

  * fix #1606: Add nf_conntrack_allow_invalid option

  * log reject : add space after policy REJECT like drop

  * fix #1891: Add zsh command completion for pve-firewall

 -- Proxmox Support Team <support@proxmox.com>  Mon, 04 Mar 2019 10:27:01 +0100

pve-firewall (3.0-17) unstable; urgency=medium

  * fix #2005: only allow ascii port digits

  * fix #2004: do not allow backwards ranges

  * add conntrack logging via libnetfilter_conntrack and allow one to enable
    it through the firewall host configuration

 -- Proxmox Support Team <support@proxmox.com>  Wed, 09 Jan 2019 16:56:17 +0100

pve-firewall (3.0-16) unstable; urgency=medium

  * api/rules: fix macro return type

 -- Proxmox Support Team <support@proxmox.com>  Fri, 30 Nov 2018 16:02:59 +0100

pve-firewall (3.0-15) unstable; urgency=medium

  * fix #1971: display firewall rule properties

 -- Proxmox Support Team <support@proxmox.com>  Fri, 23 Nov 2018 14:01:33 +0100

pve-firewall (3.0-14) unstable; urgency=medium

  * fix #1841: avoid ebtable reloads when containers have multiple network

 -- Proxmox Support Team <support@proxmox.com>  Fri, 24 Aug 2018 10:51:04 +0200

pve-firewall (3.0-13) unstable; urgency=medium

  * avoid unnecessary reloads of ebtable ruleset

 -- Proxmox Support Team <support@proxmox.com>  Thu, 28 Jun 2018 14:47:16 +0200

pve-firewall (3.0-12) unstable; urgency=medium

  * fix deleted iptables chains not being properly detected as a change

 -- Proxmox Support Team <support@proxmox.com>  Tue, 12 Jun 2018 12:01:02 +0200

pve-firewall (3.0-11) unstable; urgency=medium

  * #1764: rename 'ebtales_enable' option to 'ebtables'

 -- Proxmox Support Team <support@proxmox.com>  Wed, 06 Jun 2018 16:18:13 +0200

pve-firewall (3.0-10) unstable; urgency=medium

  * fix #1764: handle existing ebtables rules and allow disabling ebtables

  * ebtables handling can be disabled via /etc/pve/firewall/cluster.fw's new
    ebtables_enable option.

 -- Proxmox Support Team <support@proxmox.com>  Tue, 29 May 2018 15:14:33 +0200

pve-firewall (3.0-9) unstable; urgency=medium

  * fix creation of ebtables FORWARD rule entry

 -- Proxmox Support Team <support@proxmox.com>  Thu, 17 May 2018 14:41:27 +0200

pve-firewall (3.0-8) unstable; urgency=medium

  * add ebtables support for better MAC filtering

 -- Proxmox Support Team <support@proxmox.com>  Wed, 11 Apr 2018 14:25:41 +0200

pve-firewall (3.0-7) unstable; urgency=medium

  * support distinct source and destination multi-port matching

  * multi-port matching: when specifying the same list of ports for source and
    destination require them both to match, rather than one of them, as this
    was rather unexpected behavior

 -- Proxmox Support Team <support@proxmox.com>  Mon, 12 Mar 2018 14:58:08 +0100

pve-firewall (3.0-6) unstable; urgency=medium

  * fix #1319: don't fail postinst with masked service

  * debian: switch to compat 9, drop init scripts, drop preinst

  * check multiport limit in port ranges

  * build: use git rev-parse for GITVERSION

 -- Proxmox Support Team <support@proxmox.com>  Thu, 08 Mar 2018 13:53:11 +0100

pve-firewall (3.0-5) unstable; urgency=medium

  * fix issue with disabled flag not being honored within groups

 -- Proxmox Support Team <support@proxmox.com>  Thu, 07 Dec 2017 08:31:42 +0100

pve-firewall (3.0-4) unstable; urgency=medium

  * fix issues with ipsets reloading unnecessarily or too late

  * fix some typos in the logs

 -- Proxmox Support Team <support@proxmox.com>  Thu, 16 Nov 2017 11:41:56 +0100

pve-firewall (3.0-3) unstable; urgency=medium

  * Fix #1492: logger: use current timestamp if the packet doesn't have one

 -- Proxmox Support Team <support@proxmox.com>  Tue, 12 Sep 2017 14:43:06 +0200

pve-firewall (3.0-2) unstable; urgency=medium

  * Fix #1446: remove masks in case the package had previously been removed but

  * improve logging on errors in the firewall configuration

  * forbid trailing commas in lists as iptables-restore doesn't support them

 -- Proxmox Support Team <support@proxmox.com>  Mon, 17 Jul 2017 15:24:40 +0200

pve-firewall (3.0-1) unstable; urgency=medium

  * rebuild for Debian Stretch

 -- Proxmox Support Team <support@proxmox.com>  Thu, 9 Mar 2017 14:04:17 +0100

pve-firewall (2.0-33) unstable; urgency=medium

  * ipset: don't allow zero-prefix entries

 -- Proxmox Support Team <support@proxmox.com>  Tue, 29 Nov 2016 12:18:04 +0100

pve-firewall (2.0-32) unstable; urgency=medium

  * improve search for local-network

 -- Proxmox Support Team <support@proxmox.com>  Tue, 29 Nov 2016 06:35:08 +0100

pve-firewall (2.0-31) unstable; urgency=medium

  * don't try to apply ports to rules which don't support them

 -- Proxmox Support Team <support@proxmox.com>  Thu, 06 Oct 2016 08:31:51 +0200

pve-firewall (2.0-30) unstable; urgency=medium

  * add multicast DNS to the list of Macros

  * add missing parameter descriptions

  * build-depends: add dh-systemd

 -- Proxmox Support Team <support@proxmox.com>  Fri, 16 Sep 2016 08:53:16 +0200

pve-firewall (2.0-29) unstable; urgency=medium

  * prevent overwriting ipsets/sec. groups by renaming

 -- Proxmox Support Team <support@proxmox.com>  Fri, 03 Jun 2016 16:46:10 +0200

pve-firewall (2.0-28) unstable; urgency=medium

  * use pve-common's ipv4_mask_hash_localnet

  * fix allowed group name length

  * make group digest stable

 -- Proxmox Support Team <support@proxmox.com>  Fri, 03 Jun 2016 11:01:47 +0200

pve-firewall (2.0-27) unstable; urgency=medium

  * fix #972: make PVEFW-FWBR-* rule order stable

 -- Proxmox Support Team <support@proxmox.com>  Tue, 17 May 2016 07:59:52 +0200

pve-firewall (2.0-26) unstable; urgency=medium

  * fix #988: set rp_filter=2

 -- Proxmox Support Team <support@proxmox.com>  Mon, 09 May 2016 10:01:28 +0200

pve-firewall (2.0-25) unstable; urgency=medium

  * fix #945: add uninitialized check in lxc ipset compilation

 -- Proxmox Support Team <support@proxmox.com>  Thu, 21 Apr 2016 09:58:33 +0200

pve-firewall (2.0-24) unstable; urgency=medium

  * Build-Depend on pve-doc-generator

  * generate manpage with pve-doc-generator

 -- Proxmox Support Team <support@proxmox.com>  Wed, 06 Apr 2016 10:52:45 +0200

pve-firewall (2.0-23) unstable; urgency=medium

  * use only the top bit for our accept marks

 -- Proxmox Support Team <support@proxmox.com>  Fri, 01 Apr 2016 07:35:38 +0200

pve-firewall (2.0-22) unstable; urgency=medium

  * Use cfs_config_path from PVE::QemuConfig

 -- Proxmox Support Team <support@proxmox.com>  Tue, 08 Mar 2016 11:47:40 +0100

pve-firewall (2.0-21) unstable; urgency=medium

  * added new 'ipfilter' option

 -- Proxmox Support Team <support@proxmox.com>  Thu, 03 Mar 2016 09:43:39 +0100

pve-firewall (2.0-20) unstable; urgency=medium

  * fix 901: encode unicode characters in sha digest

 -- Proxmox Support Team <support@proxmox.com>  Mon, 29 Feb 2016 12:40:14 +0100

pve-firewall (2.0-19) unstable; urgency=medium

  * Add radv option to VM options

 -- Proxmox Support Team <support@proxmox.com>  Sat, 27 Feb 2016 10:24:42 +0100

pve-firewall (2.0-18) unstable; urgency=medium

  * Add ndp option to host and VM firewall options

  * Add router-solicitation to NeighborDiscovery macro

 -- Proxmox Support Team <support@proxmox.com>  Fri, 19 Feb 2016 10:01:22 +0100

pve-firewall (2.0-17) unstable; urgency=medium

  * Don't leave empty FW config files behind

 -- Proxmox Support Team <support@proxmox.com>  Mon, 08 Feb 2016 14:09:24 +0100

pve-firewall (2.0-16) unstable; urgency=medium

  * logger: basic ipv6 support

  * add dhcpv6 support to the dhcp option

 -- Proxmox Support Team <support@proxmox.com>  Tue, 26 Jan 2016 16:52:14 +0100

pve-firewall (2.0-15) unstable; urgency=medium

  * fix bug #859: use $security_group_name_pattern in iptables_get_chains

  * fix some regular expressions mixups

 -- Proxmox Support Team <support@proxmox.com>  Thu, 07 Jan 2016 16:33:23 +0100

pve-firewall (2.0-14) unstable; urgency=medium

  * fix systemd service dependencies

 -- Proxmox Support Team <support@proxmox.com>  Fri, 27 Nov 2015 10:52:57 +0100

pve-firewall (2.0-13) unstable; urgency=medium

  * allow numeric icmp types

 -- Proxmox Support Team <support@proxmox.com>  Fri, 23 Oct 2015 13:21:53 +0200

pve-firewall (2.0-12) unstable; urgency=medium

  * implement bash completions

  * convert pve-firewall into a PVE::Service class

 -- Proxmox Support Team <support@proxmox.com>  Thu, 24 Sep 2015 12:15:00 +0200

pve-firewall (2.0-11) unstable; urgency=medium

  * iptables_get_chains: fix veth device name

 -- Proxmox Support Team <support@proxmox.com>  Tue, 08 Sep 2015 07:54:35 +0200

pve-firewall (2.0-10) unstable; urgency=medium

  * new helper: clone_vmfw_conf()

 -- Proxmox Support Team <support@proxmox.com>  Tue, 25 Aug 2015 06:47:49 +0200

pve-firewall (2.0-9) unstable; urgency=medium

  * remove firewall config file subroutine added

 -- Proxmox Support Team <support@proxmox.com>  Wed, 19 Aug 2015 15:42:51 +0200

pve-firewall (2.0-8) unstable; urgency=medium

  * adopt regression tests for lxc containers

  * removed firewall code for openVZ

  * Subroutine verify_rule fixed to correctly check only for "net\d+"
    interface device names

 -- Proxmox Support Team <support@proxmox.com>  Wed, 12 Aug 2015 12:01:43 +0200

pve-firewall (2.0-7) unstable; urgency=medium

  * added firewall code for lxc

 -- Proxmox Support Team <support@proxmox.com>  Mon, 10 Aug 2015 09:21:14 +0200

pve-firewall (2.0-6) unstable; urgency=medium

  * firewall ipversion comparison fix

 -- Proxmox Support Team <support@proxmox.com>  Tue, 04 Aug 2015 11:14:51 +0200

pve-firewall (2.0-5) unstable; urgency=medium

  * add ipv6 neighbor discovery and solicitation macros

  * ip6tables accepts both spellings of the word neighbor

 -- Proxmox Support Team <support@proxmox.com>  Mon, 27 Jul 2015 13:20:55 +0200

pve-firewall (2.0-4) unstable; urgency=medium

  * include manual page for pve-firewall

 -- Proxmox Support Team <support@proxmox.com>  Sat, 27 Jun 2015 16:26:28 +0200

pve-firewall (2.0-3) unstable; urgency=medium

  * use noawait triggers for pve-api-updates

 -- Proxmox Support Team <support@proxmox.com>  Mon, 01 Jun 2015 12:33:06 +0200

pve-firewall (2.0-2) unstable; urgency=medium

  * trigger pve-api-updates event

 -- Proxmox Support Team <support@proxmox.com>  Tue, 05 May 2015 15:10:24 +0200

pve-firewall (2.0-1) unstable; urgency=medium

  * recompile for debian jessie

 -- Proxmox Support Team <support@proxmox.com>  Fri, 27 Feb 2015 12:22:04 +0100

pve-firewall (1.0-18) unstable; urgency=low

 -- Proxmox Support Team <support@proxmox.com>  Mon, 09 Feb 2015 09:32:03 +0100

pve-firewall (1.0-17) unstable; urgency=low

  * fix restart behavior

 -- Proxmox Support Team <support@proxmox.com>  Thu, 15 Jan 2015 06:45:58 +0100

pve-firewall (1.0-16) unstable; urgency=low

  * use new Daemon class from pve-common

 -- Proxmox Support Team <support@proxmox.com>  Thu, 18 Dec 2014 09:45:07 +0100

pve-firewall (1.0-15) unstable; urgency=low

  * bug fix: load cluster conf for host rules

 -- Proxmox Support Team <support@proxmox.com>  Fri, 12 Dec 2014 06:33:28 +0100

pve-firewall (1.0-14) unstable; urgency=low

  * do not use ipset list chains

  * remove preinst script (not needed anymore)

 -- Proxmox Support Team <support@proxmox.com>  Fri, 05 Dec 2014 13:42:00 +0100

pve-firewall (1.0-13) unstable; urgency=low

  * fix ipset remove order

 -- Proxmox Support Team <support@proxmox.com>  Fri, 28 Nov 2014 12:45:48 +0100

pve-firewall (1.0-12) unstable; urgency=low

  * add preinst script to clear ipset from older installation (because
    sets cannot be swapped if their type does not match).

 -- Proxmox Support Team <support@proxmox.com>  Fri, 28 Nov 2014 08:59:38 +0100

pve-firewall (1.0-11) unstable; urgency=low

  * bug fix: correctly set ipversion for aliases in verify_rule

  * save restore commands into files to make debugging
    easier (/var/lib/pve-firewall/)

 -- Proxmox Support Team <support@proxmox.com>  Fri, 28 Nov 2014 08:04:05 +0100

pve-firewall (1.0-10) unstable; urgency=low

  * add IPv6 support for VMs (hostfw is IPv4 only)

 -- Proxmox Support Team <support@proxmox.com>  Wed, 26 Nov 2014 07:00:29 +0100

pve-firewall (1.0-9) unstable; urgency=low

  * fix max ipset name length

 -- Proxmox Support Team <support@proxmox.com>  Tue, 14 Oct 2014 16:29:34 +0200

pve-firewall (1.0-8) unstable; urgency=low

  * implement permission

 -- Proxmox Support Team <support@proxmox.com>  Mon, 08 Sep 2014 12:15:21 +0200

pve-firewall (1.0-7) unstable; urgency=low

  * proxy host rule API calls to correct node

  * always generate MAC and IP filter rules if firewall is enabled on NIC

 -- Proxmox Support Team <support@proxmox.com>  Thu, 26 Jun 2014 07:12:57 +0200

pve-firewall (1.0-6) unstable; urgency=low

  * implement ipfilter ipsets

 -- Proxmox Support Team <support@proxmox.com>  Thu, 12 Jun 2014 08:37:08 +0200

pve-firewall (1.0-5) unstable; urgency=low

  * remove ipsets when firewall disabled

 -- Proxmox Support Team <support@proxmox.com>  Wed, 04 Jun 2014 08:50:18 +0200

pve-firewall (1.0-4) unstable; urgency=low

  * depend on iptables and ipset

 -- Proxmox Support Team <support@proxmox.com>  Wed, 04 Jun 2014 06:45:33 +0200

pve-firewall (1.0-3) unstable; urgency=low

  * change dh_installinit order (register pvefw-logger before pve-firewall)

 -- Proxmox Support Team <support@proxmox.com>  Wed, 04 Jun 2014 06:24:21 +0200

pve-firewall (1.0-2) unstable; urgency=low

  * add experimental nflog logging daemon

 -- Proxmox Support Team <support@proxmox.com>  Thu, 13 Mar 2014 08:27:01 +0100

pve-firewall (1.0-1) unstable; urgency=low

 -- Proxmox Support Team <support@proxmox.com>  Mon, 03 Mar 2014 08:37:06 +0100