pve-firewall (4.1-3) pve; urgency=medium
  * fix #2773: ebtables: keep policy of custom chains
  * introduce new icmp-type parameter
 -- Proxmox Support Team <support@proxmox.com>  Fri, 18 Sep 2020 16:51:27 +0200

pve-firewall (4.1-2) pve; urgency=medium
  * revert: rules: verify referenced security group exists
 -- Proxmox Support Team <support@proxmox.com>  Wed, 06 May 2020 17:41:36 +0200

pve-firewall (4.1-1) pve; urgency=medium
  * logging: add missing log message for inbound rules
  * fix #2686: avoid adding 'arp-ip-src' IP filter if guest uses DHCP
  * IPSets: parse the CIDR before checking for duplicates
  * verify that a referenced security group exists
  * ICMP: fix iptables-restore failing if ICMP-type values bigger than '255'
  * ICMP: allow one to specify the 'echo-reply' (0) type also as integer
  * improve handling concurrent (parallel) access and modifications to rules
 -- Proxmox Support Team <support@proxmox.com>  Mon, 04 May 2020 15:01:57 +0200

pve-firewall (4.0-10) pve; urgency=medium
  * macros: add macro for Proxmox Mail Gateway web interface
  * api node: always pass cluster conf to node FW parser to fix false positive
    error message about non existing aliases, or IP sets, when querying the
    node FW options GET API call.
  * grammar fix: s/does not exists/does not exist/g
 -- Proxmox Support Team <support@proxmox.com>  Mon, 27 Jan 2020 19:25:49 +0100

pve-firewall (4.0-9) pve; urgency=medium
  * ensure port range used for offline storage migration and insecure migration
    traffic is allowed by default rule set.
 -- Proxmox Support Team <support@proxmox.com>  Tue, 03 Dec 2019 08:12:20 +0100

pve-firewall (4.0-8) pve; urgency=medium
  * increase default nf_conntrack_max to the kernel's default
  * fix some "use of uninitialized value" warnings when updating CIDRs
  * update schema documentation
  * add explicit dependency on libpve-cluster-perl
  * add support for "raw" tables
  * add options for synflood protection for host firewall:
    - nf_conntrack_tcp_timeout_syn_recv
    - protection_synflood: boolean
    - protection_synflood_rate: SYN rate limit (default 200 per second)
    - protection_synflood_burst: SYN burst limit (default 1000)
 -- Proxmox Support Team <support@proxmox.com>  Mon, 18 Nov 2019 13:48:20 +0100

pve-firewall (4.0-7) pve; urgency=medium
  * only add VM chains and rules if VM firewall is enabled
 -- Proxmox Support Team <support@proxmox.com>  Wed, 7 Aug 2019 10:55:06 +0200

pve-firewall (4.0-6) pve; urgency=medium
  * firewall macros: add new Ceph protocol v2 port while keeping v1 port
 -- Proxmox Support Team <support@proxmox.com>  Tue, 23 Jul 2019 18:57:48 +0200

pve-firewall (4.0-5) pve; urgency=medium
  * don't use any base path at all for calls to external binaries to make use
    compatible with both, /usr merged and unmerged setups
 -- Proxmox Support Team <support@proxmox.com>  Fri, 12 Jul 2019 11:47:53 +0200

pve-firewall (4.0-4) pve; urgency=medium
  * ebtables: remove PVE chains properly
  * ebtables: treat chain deletion as change
  * use /usr/sbin as base path
 -- Proxmox Support Team <support@proxmox.com>  Thu, 11 Jul 2019 19:40:01 +0200

pve-firewall (4.0-3) pve; urgency=medium
  * Create corosync firewall rules independently of localnet
  * Display corosync rule info on localnet call
 -- Proxmox Support Team <support@proxmox.com>  Thu, 04 Jul 2019 15:56:11 +0200

pve-firewall (4.0-2) pve; urgency=medium
  * fix systemd warning about PIDFile directory
  * fix CT rule generation with ipfilter set
  * pve-firewall service: update-alternative iptables and ebtables to working
 -- Proxmox Support Team <support@proxmox.com>  Mon, 24 Jun 2019 20:43:21 +0200

pve-firewall (4.0-1) pve; urgency=medium
  * re-build for Debian Buster / PVE 6
 -- Proxmox Support Team <support@proxmox.com>  Tue, 21 May 2019 22:28:55 +0200

pve-firewall (3.0-21) unstable; urgency=medium
  * fix ipv6 PVEFW-reject
  * fix #2193: arpfilter: CT: remove mask from net IP/CIDR to avoid
    ebtables doing the wrong thing here
 -- Proxmox Support Team <support@proxmox.com>  Wed, 08 May 2019 10:09:31 +0000

pve-firewall (3.0-20) unstable; urgency=medium
  * use IPCC to read config and rule files, if they are backed by pmxcfs which
    has better handling for pmxcfs restarts
  * fix #2178: endless loop on ipv6 extension headers
 -- Proxmox Support Team <support@proxmox.com>  Fri, 19 Apr 2019 05:10:13 +0000

pve-firewall (3.0-19) unstable; urgency=medium
  * ebtables: add arp filtering
  * fix: #2123 Logging of user defined firewall rules
  * allow to enable/disable and modify cluster wide log ratelimits
 -- Proxmox Support Team <support@proxmox.com>  Tue, 02 Apr 2019 11:15:16 +0200

pve-firewall (3.0-18) unstable; urgency=medium
  * fix #1606: Add nf_conntrack_allow_invalid option
  * log reject : add space after policy REJECT like drop
  * fix #1891: Add zsh command completion for pve-firewall
 -- Proxmox Support Team <support@proxmox.com>  Mon, 04 Mar 2019 10:27:01 +0100

pve-firewall (3.0-17) unstable; urgency=medium
  * fix #2005: only allow ascii port digits
  * fix #2004: do not allow backwards ranges
  * add conntrack logging via libnetfilter_conntrack and allow one to enable
    it through the firewall host configuration
 -- Proxmox Support Team <support@proxmox.com>  Wed, 09 Jan 2019 16:56:17 +0100

pve-firewall (3.0-16) unstable; urgency=medium
  * api/rules: fix macro return type
 -- Proxmox Support Team <support@proxmox.com>  Fri, 30 Nov 2018 16:02:59 +0100

pve-firewall (3.0-15) unstable; urgency=medium
  * fix #1971: display firewall rule properties
 -- Proxmox Support Team <support@proxmox.com>  Fri, 23 Nov 2018 14:01:33 +0100

pve-firewall (3.0-14) unstable; urgency=medium
  * fix #1841: avoid ebtable reloads when containers have multiple network
 -- Proxmox Support Team <support@proxmox.com>  Fri, 24 Aug 2018 10:51:04 +0200

pve-firewall (3.0-13) unstable; urgency=medium
  * avoid unnecessary reloads of ebtable ruleset
 -- Proxmox Support Team <support@proxmox.com>  Thu, 28 Jun 2018 14:47:16 +0200

pve-firewall (3.0-12) unstable; urgency=medium
  * fix deleted iptables chains not being properly detected as a change
 -- Proxmox Support Team <support@proxmox.com>  Tue, 12 Jun 2018 12:01:02 +0200

pve-firewall (3.0-11) unstable; urgency=medium
  * #1764: rename 'ebtales_enable' option to 'ebtables'
 -- Proxmox Support Team <support@proxmox.com>  Wed, 06 Jun 2018 16:18:13 +0200

pve-firewall (3.0-10) unstable; urgency=medium
  * fix #1764: handle existing ebtables rules and allow disabling ebtables
  * ebtables handling can be disabled via /etc/pve/firewall/cluster.fw's new
    ebtables_enable option.
 -- Proxmox Support Team <support@proxmox.com>  Tue, 29 May 2018 15:14:33 +0200

pve-firewall (3.0-9) unstable; urgency=medium
  * fix creation of ebtables FORWARD rule entry
 -- Proxmox Support Team <support@proxmox.com>  Thu, 17 May 2018 14:41:27 +0200

pve-firewall (3.0-8) unstable; urgency=medium
  * add ebtables support for better MAC filtering
 -- Proxmox Support Team <support@proxmox.com>  Wed, 11 Apr 2018 14:25:41 +0200

pve-firewall (3.0-7) unstable; urgency=medium
  * support distinct source and destination multi-port matching
  * multi-port matching: when specifying the same list of ports for source and
    destination require them both to match, rather than one of them, as this
    was rather unexpected behavior
 -- Proxmox Support Team <support@proxmox.com>  Mon, 12 Mar 2018 14:58:08 +0100

pve-firewall (3.0-6) unstable; urgency=medium
  * fix #1319: don't fail postinst with masked service
  * debian: switch to compat 9, drop init scripts, drop preinst
  * check multiport limit in port ranges
  * build: use git rev-parse for GITVERSION
 -- Proxmox Support Team <support@proxmox.com>  Thu, 08 Mar 2018 13:53:11 +0100

pve-firewall (3.0-5) unstable; urgency=medium
  * fix issue with disabled flag not being honored within groups
 -- Proxmox Support Team <support@proxmox.com>  Thu, 07 Dec 2017 08:31:42 +0100

pve-firewall (3.0-4) unstable; urgency=medium
  * fix issues with ipsets reloading unnecessarily or too late
  * fix some typos in the logs
 -- Proxmox Support Team <support@proxmox.com>  Thu, 16 Nov 2017 11:41:56 +0100

pve-firewall (3.0-3) unstable; urgency=medium
  * Fix #1492: logger: use current timestamp if the packet doesn't have one
 -- Proxmox Support Team <support@proxmox.com>  Tue, 12 Sep 2017 14:43:06 +0200

pve-firewall (3.0-2) unstable; urgency=medium
  * Fix #1446: remove masks in case the package had previously been removed but
  * improve logging on errors in the firewall configuration
  * forbid trailing commas in lists as iptables-restore doesn't support them
 -- Proxmox Support Team <support@proxmox.com>  Mon, 17 Jul 2017 15:24:40 +0200

pve-firewall (3.0-1) unstable; urgency=medium
  * rebuild for Debian Stretch
 -- Proxmox Support Team <support@proxmox.com>  Thu, 9 Mar 2017 14:04:17 +0100

pve-firewall (2.0-33) unstable; urgency=medium
  * ipset: don't allow zero-prefix entries
 -- Proxmox Support Team <support@proxmox.com>  Tue, 29 Nov 2016 12:18:04 +0100

pve-firewall (2.0-32) unstable; urgency=medium
  * improve search for local-network
 -- Proxmox Support Team <support@proxmox.com>  Tue, 29 Nov 2016 06:35:08 +0100

pve-firewall (2.0-31) unstable; urgency=medium
  * don't try to apply ports to rules which don't support them
 -- Proxmox Support Team <support@proxmox.com>  Thu, 06 Oct 2016 08:31:51 +0200

pve-firewall (2.0-30) unstable; urgency=medium
  * add multicast DNS to the list of Macros
  * add missing parameter descriptions
  * build-depends: add dh-systemd
 -- Proxmox Support Team <support@proxmox.com>  Fri, 16 Sep 2016 08:53:16 +0200

pve-firewall (2.0-29) unstable; urgency=medium
  * prevent overwriting ipsets/sec. groups by renaming
 -- Proxmox Support Team <support@proxmox.com>  Fri, 03 Jun 2016 16:46:10 +0200

pve-firewall (2.0-28) unstable; urgency=medium
  * use pve-common's ipv4_mask_hash_localnet
  * fix allowed group name length
  * make group digest stable
 -- Proxmox Support Team <support@proxmox.com>  Fri, 03 Jun 2016 11:01:47 +0200

pve-firewall (2.0-27) unstable; urgency=medium
  * fix #972: make PVEFW-FWBR-* rule order stable
 -- Proxmox Support Team <support@proxmox.com>  Tue, 17 May 2016 07:59:52 +0200

pve-firewall (2.0-26) unstable; urgency=medium
  * fix #988: set rp_filter=2
 -- Proxmox Support Team <support@proxmox.com>  Mon, 09 May 2016 10:01:28 +0200

pve-firewall (2.0-25) unstable; urgency=medium
  * fix #945: add uninitialized check in lxc ipset compilation
 -- Proxmox Support Team <support@proxmox.com>  Thu, 21 Apr 2016 09:58:33 +0200

pve-firewall (2.0-24) unstable; urgency=medium
  * Build-Depend on pve-doc-generator
  * generate manpage with pve-doc-generator
 -- Proxmox Support Team <support@proxmox.com>  Wed, 06 Apr 2016 10:52:45 +0200

pve-firewall (2.0-23) unstable; urgency=medium
  * use only the top bit for our accept marks
 -- Proxmox Support Team <support@proxmox.com>  Fri, 01 Apr 2016 07:35:38 +0200

pve-firewall (2.0-22) unstable; urgency=medium
  * Use cfs_config_path from PVE::QemuConfig
 -- Proxmox Support Team <support@proxmox.com>  Tue, 08 Mar 2016 11:47:40 +0100

pve-firewall (2.0-21) unstable; urgency=medium
  * added new 'ipfilter' option
 -- Proxmox Support Team <support@proxmox.com>  Thu, 03 Mar 2016 09:43:39 +0100

pve-firewall (2.0-20) unstable; urgency=medium
  * fix 901: encode unicode characters in sha digest
 -- Proxmox Support Team <support@proxmox.com>  Mon, 29 Feb 2016 12:40:14 +0100

pve-firewall (2.0-19) unstable; urgency=medium
  * Add radv option to VM options
 -- Proxmox Support Team <support@proxmox.com>  Sat, 27 Feb 2016 10:24:42 +0100

pve-firewall (2.0-18) unstable; urgency=medium
  * Add ndp option to host and VM firewall options
  * Add router-solicitation to NeighborDiscovery macro
 -- Proxmox Support Team <support@proxmox.com>  Fri, 19 Feb 2016 10:01:22 +0100

pve-firewall (2.0-17) unstable; urgency=medium
  * Don't leave empty FW config files behind
 -- Proxmox Support Team <support@proxmox.com>  Mon, 08 Feb 2016 14:09:24 +0100

pve-firewall (2.0-16) unstable; urgency=medium
  * logger: basic ipv6 support
  * add dhcpv6 support to the dhcp option
 -- Proxmox Support Team <support@proxmox.com>  Tue, 26 Jan 2016 16:52:14 +0100

pve-firewall (2.0-15) unstable; urgency=medium
  * fix bug #859: use $security_group_name_pattern in iptables_get_chains
  * fix some regular expressions mixups
 -- Proxmox Support Team <support@proxmox.com>  Thu, 07 Jan 2016 16:33:23 +0100

pve-firewall (2.0-14) unstable; urgency=medium
  * fix systemd service dependencies
 -- Proxmox Support Team <support@proxmox.com>  Fri, 27 Nov 2015 10:52:57 +0100

pve-firewall (2.0-13) unstable; urgency=medium
  * allow numeric icmp types
 -- Proxmox Support Team <support@proxmox.com>  Fri, 23 Oct 2015 13:21:53 +0200

pve-firewall (2.0-12) unstable; urgency=medium
  * implement bash completions
  * convert pve-firewall into a PVE::Service class
 -- Proxmox Support Team <support@proxmox.com>  Thu, 24 Sep 2015 12:15:00 +0200

pve-firewall (2.0-11) unstable; urgency=medium
  * iptables_get_chains: fix veth device name
 -- Proxmox Support Team <support@proxmox.com>  Tue, 08 Sep 2015 07:54:35 +0200

pve-firewall (2.0-10) unstable; urgency=medium
  * new helper: clone_vmfw_conf()
 -- Proxmox Support Team <support@proxmox.com>  Tue, 25 Aug 2015 06:47:49 +0200

pve-firewall (2.0-9) unstable; urgency=medium
  * remove firewall config file subroutine added
 -- Proxmox Support Team <support@proxmox.com>  Wed, 19 Aug 2015 15:42:51 +0200

pve-firewall (2.0-8) unstable; urgency=medium
  * adopt regression tests for lxc containers
  * removed firewall code for openVZ
  * Subroutine verify_rule fixed to correctly check only for "net\d+"
    interface device names
 -- Proxmox Support Team <support@proxmox.com>  Wed, 12 Aug 2015 12:01:43 +0200

pve-firewall (2.0-7) unstable; urgency=medium
  * added firewall code for lxc
 -- Proxmox Support Team <support@proxmox.com>  Mon, 10 Aug 2015 09:21:14 +0200

pve-firewall (2.0-6) unstable; urgency=medium
  * firewall ipversion comparison fix
 -- Proxmox Support Team <support@proxmox.com>  Tue, 04 Aug 2015 11:14:51 +0200

pve-firewall (2.0-5) unstable; urgency=medium
  * add ipv6 neighbor discovery and solicitation macros
  * ip6tables accepts both spellings of the word neighbor
 -- Proxmox Support Team <support@proxmox.com>  Mon, 27 Jul 2015 13:20:55 +0200

pve-firewall (2.0-4) unstable; urgency=medium
  * include manual page for pve-firewall
 -- Proxmox Support Team <support@proxmox.com>  Sat, 27 Jun 2015 16:26:28 +0200

pve-firewall (2.0-3) unstable; urgency=medium
  * use noawait triggers for pve-api-updates
 -- Proxmox Support Team <support@proxmox.com>  Mon, 01 Jun 2015 12:33:06 +0200

pve-firewall (2.0-2) unstable; urgency=medium
  * trigger pve-api-updates event
 -- Proxmox Support Team <support@proxmox.com>  Tue, 05 May 2015 15:10:24 +0200

pve-firewall (2.0-1) unstable; urgency=medium
  * recompile for debian jessie
 -- Proxmox Support Team <support@proxmox.com>  Fri, 27 Feb 2015 12:22:04 +0100

pve-firewall (1.0-18) unstable; urgency=low
 -- Proxmox Support Team <support@proxmox.com>  Mon, 09 Feb 2015 09:32:03 +0100

pve-firewall (1.0-17) unstable; urgency=low
  * fix restart behavior
 -- Proxmox Support Team <support@proxmox.com>  Thu, 15 Jan 2015 06:45:58 +0100

pve-firewall (1.0-16) unstable; urgency=low
  * use new Daemon class from pve-common
 -- Proxmox Support Team <support@proxmox.com>  Thu, 18 Dec 2014 09:45:07 +0100

pve-firewall (1.0-15) unstable; urgency=low
  * bug fix: load cluster conf for host rules
 -- Proxmox Support Team <support@proxmox.com>  Fri, 12 Dec 2014 06:33:28 +0100

pve-firewall (1.0-14) unstable; urgency=low
  * do not use ipset list chains
  * remove preinst script (not needed anymore)
 -- Proxmox Support Team <support@proxmox.com>  Fri, 05 Dec 2014 13:42:00 +0100

pve-firewall (1.0-13) unstable; urgency=low
  * fix ipset remove order
 -- Proxmox Support Team <support@proxmox.com>  Fri, 28 Nov 2014 12:45:48 +0100

pve-firewall (1.0-12) unstable; urgency=low
  * add preinst script to clear ipset from older installation (because
    sets cannot be swapped if their type does not match)
 -- Proxmox Support Team <support@proxmox.com>  Fri, 28 Nov 2014 08:59:38 +0100

pve-firewall (1.0-11) unstable; urgency=low
  * bug fix: correctly set ipversion for aliases in verify_rule
  * save restore commands into files to make debugging
    easier (/var/lib/pve-firewall/)
 -- Proxmox Support Team <support@proxmox.com>  Fri, 28 Nov 2014 08:04:05 +0100

pve-firewall (1.0-10) unstable; urgency=low
  * add IPv6 support for VMs (hostfw is IPv4 only)
 -- Proxmox Support Team <support@proxmox.com>  Wed, 26 Nov 2014 07:00:29 +0100

pve-firewall (1.0-9) unstable; urgency=low
  * fix max ipset name length
 -- Proxmox Support Team <support@proxmox.com>  Tue, 14 Oct 2014 16:29:34 +0200

pve-firewall (1.0-8) unstable; urgency=low
  * implement permission
 -- Proxmox Support Team <support@proxmox.com>  Mon, 08 Sep 2014 12:15:21 +0200

pve-firewall (1.0-7) unstable; urgency=low
  * proxy host rule API calls to correct node
  * always generate MAC and IP filter rules if firewall is enabled on NIC
 -- Proxmox Support Team <support@proxmox.com>  Thu, 26 Jun 2014 07:12:57 +0200

pve-firewall (1.0-6) unstable; urgency=low
  * implement ipfilter ipsets
 -- Proxmox Support Team <support@proxmox.com>  Thu, 12 Jun 2014 08:37:08 +0200

pve-firewall (1.0-5) unstable; urgency=low
  * remove ipsets when firewall disabled
 -- Proxmox Support Team <support@proxmox.com>  Wed, 04 Jun 2014 08:50:18 +0200

pve-firewall (1.0-4) unstable; urgency=low
  * depend on iptables and ipset
 -- Proxmox Support Team <support@proxmox.com>  Wed, 04 Jun 2014 06:45:33 +0200

pve-firewall (1.0-3) unstable; urgency=low
  * change dh_installinit order (register pvefw-logger before pve-firewall)
 -- Proxmox Support Team <support@proxmox.com>  Wed, 04 Jun 2014 06:24:21 +0200

pve-firewall (1.0-2) unstable; urgency=low
  * add experimental nflog logging daemon
 -- Proxmox Support Team <support@proxmox.com>  Thu, 13 Mar 2014 08:27:01 +0100

pve-firewall (1.0-1) unstable; urgency=low
 -- Proxmox Support Team <support@proxmox.com>  Mon, 03 Mar 2014 08:37:06 +0100