[pve-firewall.git] / debian / changelog

pve-firewall (4.1-1) pve; urgency=medium

  * logging: add missing log message for inbound rules

  * fix #2686: avoid adding 'arp-ip-src' IP filter if guests uses DHCP

  * IPSets: parse the CIDR before checking for duplicates

  * verify that a referenced security group exists

  * ICMP: fix iptables-restore failing if ICMP-type values bigger than '255'

  * ICMP: allow one to specify the 'echo-reply' (0) type also as integer

  * improve handling concurrent (parallel) access and modifications to rules

 -- Proxmox Support Team <support@proxmox.com>  Mon, 04 May 2020 15:01:57 +0200

pve-firewall (4.0-10) pve; urgency=medium

  * macros: add macro for Proxmox Mail Gateway web interface

  * api node: always pass cluster conf to node FW parser to fix false positive
    error message about non existing aliases, or IP sets, when querying the
    node FW options GET API call.

  * grammar fix: s/does not exists/does not exist/g

 -- Proxmox Support Team <support@proxmox.com>  Mon, 27 Jan 2020 19:25:49 +0100

pve-firewall (4.0-9) pve; urgency=medium

  * ensure port range used for offline storage migration and insecure migration
    traffic is allowed by default rule set.

 -- Proxmox Support Team <support@proxmox.com>  Tue, 03 Dec 2019 08:12:20 +0100

pve-firewall (4.0-8) pve; urgency=medium

  * increase default nf_conntrack_max to the kernel's default

  * fix some "use of uninitialized value" warnings when updating CIDRs

  * update schema documentation

  * add explicit dependency on libpve-cluster-perl

  * add support for "raw" tables

  * add options for synflood protection for host firewall:
    - nf_conntrack_tcp_timeout_syn_recv
    - protection_synflood: boolean
    - protection_synflood_rate: SYN rate limit (default 200 per second)
    - protection_synflood_burst: SYN burst limit (default 1000)

 -- Proxmox Support Team <support@proxmox.com>  Mon, 18 Nov 2019 13:48:20 +0100

pve-firewall (4.0-7) pve; urgency=medium

  * only add VM chains and rules if VM firewall is enabled

 -- Proxmox Support Team <support@proxmox.com>  Wed, 7 Aug 2019 10:55:06 +0200

pve-firewall (4.0-6) pve; urgency=medium

  * firewall macros: add new Ceph protocol v2 port while keeping v1 port

 -- Proxmox Support Team <support@proxmox.com>  Tue, 23 Jul 2019 18:57:48 +0200

pve-firewall (4.0-5) pve; urgency=medium

  * don't use any base path at all for calls to external binaries to make use
    compativle with bot, /usr merged and unmerged setups

 -- Proxmox Support Team <support@proxmox.com>  Fri, 12 Jul 2019 11:47:53 +0200

pve-firewall (4.0-4) pve; urgency=medium

  * ebtables: remove PVE chains properly

  * ebtables: treat chain deletion as change

  * use /usr/sbin as base path

 -- Proxmox Support Team <support@proxmox.com>  Thu, 11 Jul 2019 19:40:01 +0200

pve-firewall (4.0-3) pve; urgency=medium

  * Create corosync firewall rules independently of localnet~

  * Display corosync rule info on localnet call

 -- Proxmox Support Team <support@proxmox.com>  Thu, 04 Jul 2019 15:56:11 +0200

pve-firewall (4.0-2) pve; urgency=medium

  * fix systemd warning about PIDFile directory

  * fix CT rule generation with ipfilter set

  * pve-firewall service: update-alternative iptables and ebtables to working
    legacy versions

 -- Proxmox Support Team <support@proxmox.com>  Mon, 24 Jun 2019 20:43:21 +0200

pve-firewall (4.0-1) pve; urgency=medium

  * re-build for Debian Buster / PVE 6

 -- Proxmox Support Team <support@proxmox.com>  Tue, 21 May 2019 22:28:55 +0200

pve-firewall (3.0-21) unstable; urgency=medium

  * fix ipv6 PVEFW-reject

  * fix #2193: arpfilter: CT: remove mask from net IP/CIDR to avoid
    ebtables doing the wrong thing here

 -- Proxmox Support Team <support@proxmox.com>  Wed, 08 May 2019 10:09:31 +0000

pve-firewall (3.0-20) unstable; urgency=medium

  * use IPCC to read config and rule files, if the are backed by pmxcfs which
    has better handling for pmxcfs restarts

  * fix #2178: endless loop on ipv6 extension headers

 -- Proxmox Support Team <support@proxmox.com>  Fri, 19 Apr 2019 05:10:13 +0000

pve-firewall (3.0-19) unstable; urgency=medium

  * ebtables: add arp filtering

  * fix: #2123 Logging of user defined firewall rules

  * fix Razor macro

  * allow to enable/disable and modify cluster wide log ratelimits

 -- Proxmox Support Team <support@proxmox.com>  Tue, 02 Apr 2019 11:15:16 +0200

pve-firewall (3.0-18) unstable; urgency=medium

  * fix #1606: Add nf_conntrack_allow_invalid option

  * log reject : add space after policy REJECT like drop

  * fix #1891: Add zsh command completion for pve-firewall

 -- Proxmox Support Team <support@proxmox.com>  Mon, 04 Mar 2019 10:27:01 +0100

pve-firewall (3.0-17) unstable; urgency=medium

  * fix #2005: only allow ascii port digits

  * fix #2004: do not allow backwards ranges

  * add conntrack logging via libnetfilter_conntrack and allow one to enable
    it through the firewall host configuration

 -- Proxmox Support Team <support@proxmox.com>  Wed, 09 Jan 2019 16:56:17 +0100

pve-firewall (3.0-16) unstable; urgency=medium

  * api/rules: fix macro return type

 -- Proxmox Support Team <support@proxmox.com>  Fri, 30 Nov 2018 16:02:59 +0100

pve-firewall (3.0-15) unstable; urgency=medium

  * fix #1971: display firewall rule properties

 -- Proxmox Support Team <support@proxmox.com>  Fri, 23 Nov 2018 14:01:33 +0100

pve-firewall (3.0-14) unstable; urgency=medium

  * fix #1841: avoid ebtable reloads when containers have multiple network
    interfaces

 -- Proxmox Support Team <support@proxmox.com>  Fri, 24 Aug 2018 10:51:04 +0200

pve-firewall (3.0-13) unstable; urgency=medium

  * avoid unnecessary reloads of ebtable ruleset

 -- Proxmox Support Team <support@proxmox.com>  Thu, 28 Jun 2018 14:47:16 +0200

pve-firewall (3.0-12) unstable; urgency=medium

  * fix deleted iptables chains not being properly detected as a change

 -- Proxmox Support Team <support@proxmox.com>  Tue, 12 Jun 2018 12:01:02 +0200

pve-firewall (3.0-11) unstable; urgency=medium

  * #1764: rename 'ebtales_enable' option to 'ebtables'

 -- Proxmox Support Team <support@proxmox.com>  Wed, 06 Jun 2018 16:18:13 +0200

pve-firewall (3.0-10) unstable; urgency=medium

  * fix #1764: handle existing ebtables rules and allow disabling ebtables

  * ebtables handling can be disabled via /etc/pve/firewall/cluster.fw's new
    ebtables_enable option.

 -- Proxmox Support Team <support@proxmox.com>  Tue, 29 May 2018 15:14:33 +0200

pve-firewall (3.0-9) unstable; urgency=medium

  * fix creation of ebltables FORWARD rule entry

 -- Proxmox Support Team <support@proxmox.com>  Thu, 17 May 2018 14:41:27 +0200

pve-firewall (3.0-8) unstable; urgency=medium

  * add ebtables support for better MAC filtering

 -- Proxmox Support Team <support@proxmox.com>  Wed, 11 Apr 2018 14:25:41 +0200

pve-firewall (3.0-7) unstable; urgency=medium

  * support distinct source and destination multi-port matching

  * multi-port matching: when specifying the same list of ports for source and
    destination require them both to match, rather than one of them, as this
    was rather unexpected behavior

 -- Proxmox Support Team <support@proxmox.com>  Mon, 12 Mar 2018 14:58:08 +0100

pve-firewall (3.0-6) unstable; urgency=medium

  * fix #1319: don't fail postinst with masked service

  * debian: switch to compat 9, drop init scripts, drop preinst

  * check multiport limit in port ranges

  * build: use git rev-parse for GITVERSION

 -- Proxmox Support Team <support@proxmox.com>  Thu, 08 Mar 2018 13:53:11 +0100

pve-firewall (3.0-5) unstable; urgency=medium

  * fix issue with disabled flag not being honored within groups

 -- Proxmox Support Team <support@proxmox.com>  Thu, 07 Dec 2017 08:31:42 +0100

pve-firewall (3.0-4) unstable; urgency=medium

  * fix issues with ipsets reloading unnecessarily or too late

  * fix some typos in the logs

 -- Proxmox Support Team <support@proxmox.com>  Thu, 16 Nov 2017 11:41:56 +0100

pve-firewall (3.0-3) unstable; urgency=medium

  * Fix #1492: logger: use current timestamp if the packet doesn't have one

 -- Proxmox Support Team <support@proxmox.com>  Tue, 12 Sep 2017 14:43:06 +0200

pve-firewall (3.0-2) unstable; urgency=medium

  * Fix #1446: remove masks in case the package had previously been removed but
    not purged.

  * improve logging on errors in the firewall configuration

  * forbid trailing commas in lists as iptables-restore doesn't support them

 -- Proxmox Support Team <support@proxmox.com>  Mon, 17 Jul 2017 15:24:40 +0200

pve-firewall (3.0-1) unstable; urgency=medium

  * rebuild for Debian Stretch

 -- Proxmox Support Team <support@proxmox.com>  Thu, 9 Mar 2017 14:04:17 +0100

pve-firewall (2.0-33) unstable; urgency=medium

  * ipset: don't allow zero-prefix entries

 -- Proxmox Support Team <support@proxmox.com>  Tue, 29 Nov 2016 12:18:04 +0100

pve-firewall (2.0-32) unstable; urgency=medium

  * improve search for local-network

 -- Proxmox Support Team <support@proxmox.com>  Tue, 29 Nov 2016 06:35:08 +0100

pve-firewall (2.0-31) unstable; urgency=medium

  * don't try to apply ports to rules which don't support them

 -- Proxmox Support Team <support@proxmox.com>  Thu, 06 Oct 2016 08:31:51 +0200

pve-firewall (2.0-30) unstable; urgency=medium

  * add multicast DNS to the list of Macros

  * add missing parameter descriptions

  * build-depends: add dh-systemd

 -- Proxmox Support Team <support@proxmox.com>  Fri, 16 Sep 2016 08:53:16 +0200

pve-firewall (2.0-29) unstable; urgency=medium

  * prevent overwriting ipsets/sec. groups by renaming

 -- Proxmox Support Team <support@proxmox.com>  Fri, 03 Jun 2016 16:46:10 +0200

pve-firewall (2.0-28) unstable; urgency=medium

  * use pve-common's ipv4_mask_hash_localnet

  * fix allowed group name length

  * make group digest stable

 -- Proxmox Support Team <support@proxmox.com>  Fri, 03 Jun 2016 11:01:47 +0200

pve-firewall (2.0-27) unstable; urgency=medium

  * fix #972: make PVEFW-FWBR-* rule order stable

 -- Proxmox Support Team <support@proxmox.com>  Tue, 17 May 2016 07:59:52 +0200

pve-firewall (2.0-26) unstable; urgency=medium

  * fix #988: set rp_filter=2

 -- Proxmox Support Team <support@proxmox.com>  Mon, 09 May 2016 10:01:28 +0200

pve-firewall (2.0-25) unstable; urgency=medium

  * fix #945: add uninitialized check in lxc ipset compilation

 -- Proxmox Support Team <support@proxmox.com>  Thu, 21 Apr 2016 09:58:33 +0200

pve-firewall (2.0-24) unstable; urgency=medium

  * Build-Depend on pve-doc-generator

  * generate manpage with pve-doc-generator

 -- Proxmox Support Team <support@proxmox.com>  Wed, 06 Apr 2016 10:52:45 +0200

pve-firewall (2.0-23) unstable; urgency=medium

  * use only the top bit for our accept marks

 -- Proxmox Support Team <support@proxmox.com>  Fri, 01 Apr 2016 07:35:38 +0200

pve-firewall (2.0-22) unstable; urgency=medium

  * Use cfs_config_path from PVE::QemuConfig

 -- Proxmox Support Team <support@proxmox.com>  Tue, 08 Mar 2016 11:47:40 +0100

pve-firewall (2.0-21) unstable; urgency=medium

  * added new 'ipfilter' option

 -- Proxmox Support Team <support@proxmox.com>  Thu, 03 Mar 2016 09:43:39 +0100

pve-firewall (2.0-20) unstable; urgency=medium

  * fix 901: encode unicode characters in sha digest

 -- Proxmox Support Team <support@proxmox.com>  Mon, 29 Feb 2016 12:40:14 +0100

pve-firewall (2.0-19) unstable; urgency=medium

  * Add radv option to VM options

 -- Proxmox Support Team <support@proxmox.com>  Sat, 27 Feb 2016 10:24:42 +0100

pve-firewall (2.0-18) unstable; urgency=medium

  * Add ndp option to host and VM firewall options

  * Add router-solicitation to NeighborDiscovery macro

 -- Proxmox Support Team <support@proxmox.com>  Fri, 19 Feb 2016 10:01:22 +0100

pve-firewall (2.0-17) unstable; urgency=medium

  * Don't leave empty FW config files behind

 -- Proxmox Support Team <support@proxmox.com>  Mon, 08 Feb 2016 14:09:24 +0100

pve-firewall (2.0-16) unstable; urgency=medium

  * logger: basic ipv6 support

  * add DHCPv6 macro

  * add dhcpv6 support to the dhcp option

 -- Proxmox Support Team <support@proxmox.com>  Tue, 26 Jan 2016 16:52:14 +0100

pve-firewall (2.0-15) unstable; urgency=medium

  * fix bug #859: use $security_group_name_pattern in iptables_get_chains

  * fix some regular expressions mixups

 -- Proxmox Support Team <support@proxmox.com>  Thu, 07 Jan 2016 16:33:23 +0100

pve-firewall (2.0-14) unstable; urgency=medium

  * fix systemd service dependencies

 -- Proxmox Support Team <support@proxmox.com>  Fri, 27 Nov 2015 10:52:57 +0100

pve-firewall (2.0-13) unstable; urgency=medium

  * allow numeric icmp types

 -- Proxmox Support Team <support@proxmox.com>  Fri, 23 Oct 2015 13:21:53 +0200

pve-firewall (2.0-12) unstable; urgency=medium

  * implement bash completions

  * convert pve-firewall into a PVE::Service class

 -- Proxmox Support Team <support@proxmox.com>  Thu, 24 Sep 2015 12:15:00 +0200

pve-firewall (2.0-11) unstable; urgency=medium

  * iptables_get_chains: fix veth device name

 -- Proxmox Support Team <support@proxmox.com>  Tue, 08 Sep 2015 07:54:35 +0200

pve-firewall (2.0-10) unstable; urgency=medium

  * new helper: clone_vmfw_conf() 

 -- Proxmox Support Team <support@proxmox.com>  Tue, 25 Aug 2015 06:47:49 +0200

pve-firewall (2.0-9) unstable; urgency=medium

  * remove firewall config file subroutine added

 -- Proxmox Support Team <support@proxmox.com>  Wed, 19 Aug 2015 15:42:51 +0200

pve-firewall (2.0-8) unstable; urgency=medium

  * adopt regresion tests for lxc containers

  * removed firewall code for openVZ

  *  Subroutine verify_rule fixed to correctly check only for "net\d+"
  interface device names

 -- Proxmox Support Team <support@proxmox.com>  Wed, 12 Aug 2015 12:01:43 +0200

pve-firewall (2.0-7) unstable; urgency=medium

  * added firewall code for lxc

 -- Proxmox Support Team <support@proxmox.com>  Mon, 10 Aug 2015 09:21:14 +0200

pve-firewall (2.0-6) unstable; urgency=medium

  * firewall ipversion comparison fix

 -- Proxmox Support Team <support@proxmox.com>  Tue, 04 Aug 2015 11:14:51 +0200

pve-firewall (2.0-5) unstable; urgency=medium

  * add ipv6 neighbor discovery and solicitation macros

  * ip6tables accepts both spellings of the word neighbor

  * added Ceph macro

 -- Proxmox Support Team <support@proxmox.com>  Mon, 27 Jul 2015 13:20:55 +0200

pve-firewall (2.0-4) unstable; urgency=medium

  * include manual page for pve-firewall

 -- Proxmox Support Team <support@proxmox.com>  Sat, 27 Jun 2015 16:26:28 +0200

pve-firewall (2.0-3) unstable; urgency=medium

  * use noawait trigers for pve-api-updates

 -- Proxmox Support Team <support@proxmox.com>  Mon, 01 Jun 2015 12:33:06 +0200

pve-firewall (2.0-2) unstable; urgency=medium

  * trigger pve-api-updates event
  
 -- Proxmox Support Team <support@proxmox.com>  Tue, 05 May 2015 15:10:24 +0200

pve-firewall (2.0-1) unstable; urgency=medium

  * recompile for debian jessie

 -- Proxmox Support Team <support@proxmox.com>  Fri, 27 Feb 2015 12:22:04 +0100

pve-firewall (1.0-18) unstable; urgency=low

  * fix alias lookup

 -- Proxmox Support Team <support@proxmox.com>  Mon, 09 Feb 2015 09:32:03 +0100

pve-firewall (1.0-17) unstable; urgency=low

  * fix restart behavior 

 -- Proxmox Support Team <support@proxmox.com>  Thu, 15 Jan 2015 06:45:58 +0100

pve-firewall (1.0-16) unstable; urgency=low

  * use new Daemon class from pve-common

 -- Proxmox Support Team <support@proxmox.com>  Thu, 18 Dec 2014 09:45:07 +0100

pve-firewall (1.0-15) unstable; urgency=low

  * bug fix: load cluster conf for host rules

 -- Proxmox Support Team <support@proxmox.com>  Fri, 12 Dec 2014 06:33:28 +0100

pve-firewall (1.0-14) unstable; urgency=low

  *  do not use ipset list chains
  
  *  remove preinst script (not needed anymore) 

 -- Proxmox Support Team <support@proxmox.com>  Fri, 05 Dec 2014 13:42:00 +0100

pve-firewall (1.0-13) unstable; urgency=low

  * fix ipset remove order

 -- Proxmox Support Team <support@proxmox.com>  Fri, 28 Nov 2014 12:45:48 +0100

pve-firewall (1.0-12) unstable; urgency=low

  * add preinst script to clear ipset from older installation (because 
    sets cannot be swapped if there type does not match.
  
 -- Proxmox Support Team <support@proxmox.com>  Fri, 28 Nov 2014 08:59:38 +0100

pve-firewall (1.0-11) unstable; urgency=low

  * bug fix: correctly set ipversion for aliases in verify_rule
  
  * save restore commands into files to make debugging 
    easier (/var/lib/pve-firewall/)

 -- Proxmox Support Team <support@proxmox.com>  Fri, 28 Nov 2014 08:04:05 +0100

pve-firewall (1.0-10) unstable; urgency=low

  * add IPv6 support for VMs (hostfw is IPv4 only)

 -- Proxmox Support Team <support@proxmox.com>  Wed, 26 Nov 2014 07:00:29 +0100

pve-firewall (1.0-9) unstable; urgency=low

  * fix max ipset name name length

 -- Proxmox Support Team <support@proxmox.com>  Tue, 14 Oct 2014 16:29:34 +0200

pve-firewall (1.0-8) unstable; urgency=low

  * implement permission

 -- Proxmox Support Team <support@proxmox.com>  Mon, 08 Sep 2014 12:15:21 +0200

pve-firewall (1.0-7) unstable; urgency=low

  * proxy host rule API calls to correct node
  
  * always generate MAC and IP filter rules if firewall is enabled on NIC

 -- Proxmox Support Team <support@proxmox.com>  Thu, 26 Jun 2014 07:12:57 +0200

pve-firewall (1.0-6) unstable; urgency=low

  * ipmlement ipfilter ipsets

 -- Proxmox Support Team <support@proxmox.com>  Thu, 12 Jun 2014 08:37:08 +0200

pve-firewall (1.0-5) unstable; urgency=low

  * remove ipsets when firewall disabled

 -- Proxmox Support Team <support@proxmox.com>  Wed, 04 Jun 2014 08:50:18 +0200

pve-firewall (1.0-4) unstable; urgency=low

  * depend on iptables and ipset

 -- Proxmox Support Team <support@proxmox.com>  Wed, 04 Jun 2014 06:45:33 +0200

pve-firewall (1.0-3) unstable; urgency=low

  * change dh_installinit order (register pvefw-logger before pve-firewall)

 -- Proxmox Support Team <support@proxmox.com>  Wed, 04 Jun 2014 06:24:21 +0200

pve-firewall (1.0-2) unstable; urgency=low

  * add experimental nflog logging daemon

 -- Proxmox Support Team <support@proxmox.com>  Thu, 13 Mar 2014 08:27:01 +0100

pve-firewall (1.0-1) unstable; urgency=low

  * initial package

 -- Proxmox Support Team <support@proxmox.com>  Mon, 03 Mar 2014 08:37:06 +0100