pve-firewall (4.1-1) pve; urgency=medium

  * logging: add missing log message for inbound rules
  * fix #2686: avoid adding 'arp-ip-src' IP filter if guests uses DHCP
  * IPSets: parse the CIDR before checking for duplicates
  * verify that a referenced security group exists
  * ICMP: fix iptables-restore failing if ICMP-type values bigger than '255'
  * ICMP: allow one to specify the 'echo-reply' (0) type also as integer
  * improve handling concurrent (parallel) access and modifications to rules

 -- Proxmox Support Team <support@proxmox.com> Mon, 04 May 2020 15:01:57 +0200

pve-firewall (4.0-10) pve; urgency=medium

  * macros: add macro for Proxmox Mail Gateway web interface
  * api node: always pass cluster conf to node FW parser to fix false positive
    error message about non existing aliases, or IP sets, when querying the
    node FW options GET API call.
  * grammar fix: s/does not exists/does not exist/g

 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Jan 2020 19:25:49 +0100

pve-firewall (4.0-9) pve; urgency=medium

  * ensure port range used for offline storage migration and insecure migration
    traffic is allowed by default rule set.

 -- Proxmox Support Team <support@proxmox.com> Tue, 03 Dec 2019 08:12:20 +0100

pve-firewall (4.0-8) pve; urgency=medium

  * increase default nf_conntrack_max to the kernel's default
  * fix some "use of uninitialized value" warnings when updating CIDRs
  * update schema documentation
  * add explicit dependency on libpve-cluster-perl
  * add support for "raw" tables
  * add options for synflood protection for host firewall:
    - nf_conntrack_tcp_timeout_syn_recv
    - protection_synflood: boolean
    - protection_synflood_rate: SYN rate limit (default 200 per second)
    - protection_synflood_burst: SYN burst limit (default 1000)

 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Nov 2019 13:48:20 +0100

pve-firewall (4.0-7) pve; urgency=medium

  * only add VM chains and rules if VM firewall is enabled

 -- Proxmox Support Team <support@proxmox.com> Wed, 7 Aug 2019 10:55:06 +0200

pve-firewall (4.0-6) pve; urgency=medium

  * firewall macros: add new Ceph protocol v2 port while keeping v1 port

 -- Proxmox Support Team <support@proxmox.com> Tue, 23 Jul 2019 18:57:48 +0200

pve-firewall (4.0-5) pve; urgency=medium

  * don't use any base path at all for calls to external binaries to make use
    compatible with both /usr merged and unmerged setups

 -- Proxmox Support Team <support@proxmox.com> Fri, 12 Jul 2019 11:47:53 +0200

pve-firewall (4.0-4) pve; urgency=medium

  * ebtables: remove PVE chains properly
  * ebtables: treat chain deletion as change
  * use /usr/sbin as base path

 -- Proxmox Support Team <support@proxmox.com> Thu, 11 Jul 2019 19:40:01 +0200

pve-firewall (4.0-3) pve; urgency=medium

  * Create corosync firewall rules independently of localnet
  * Display corosync rule info on localnet call

 -- Proxmox Support Team <support@proxmox.com> Thu, 04 Jul 2019 15:56:11 +0200

pve-firewall (4.0-2) pve; urgency=medium

  * fix systemd warning about PIDFile directory
  * fix CT rule generation with ipfilter set
  * pve-firewall service: update-alternative iptables and ebtables to working

 -- Proxmox Support Team <support@proxmox.com> Mon, 24 Jun 2019 20:43:21 +0200

pve-firewall (4.0-1) pve; urgency=medium

  * re-build for Debian Buster / PVE 6

 -- Proxmox Support Team <support@proxmox.com> Tue, 21 May 2019 22:28:55 +0200

pve-firewall (3.0-21) unstable; urgency=medium

  * fix ipv6 PVEFW-reject
  * fix #2193: arpfilter: CT: remove mask from net IP/CIDR to avoid
    ebtables doing the wrong thing here

 -- Proxmox Support Team <support@proxmox.com> Wed, 08 May 2019 10:09:31 +0000

pve-firewall (3.0-20) unstable; urgency=medium

  * use IPCC to read config and rule files, if they are backed by pmxcfs which
    has better handling for pmxcfs restarts
  * fix #2178: endless loop on ipv6 extension headers

 -- Proxmox Support Team <support@proxmox.com> Fri, 19 Apr 2019 05:10:13 +0000

pve-firewall (3.0-19) unstable; urgency=medium

  * ebtables: add arp filtering
  * fix: #2123 Logging of user defined firewall rules
  * allow to enable/disable and modify cluster wide log ratelimits

 -- Proxmox Support Team <support@proxmox.com> Tue, 02 Apr 2019 11:15:16 +0200

pve-firewall (3.0-18) unstable; urgency=medium

  * fix #1606: Add nf_conntrack_allow_invalid option
  * log reject : add space after policy REJECT like drop
  * fix #1891: Add zsh command completion for pve-firewall

 -- Proxmox Support Team <support@proxmox.com> Mon, 04 Mar 2019 10:27:01 +0100

pve-firewall (3.0-17) unstable; urgency=medium

  * fix #2005: only allow ascii port digits
  * fix #2004: do not allow backwards ranges
  * add conntrack logging via libnetfilter_conntrack and allow one to enable
    it through the firewall host configuration

 -- Proxmox Support Team <support@proxmox.com> Wed, 09 Jan 2019 16:56:17 +0100

pve-firewall (3.0-16) unstable; urgency=medium

  * api/rules: fix macro return type

 -- Proxmox Support Team <support@proxmox.com> Fri, 30 Nov 2018 16:02:59 +0100

pve-firewall (3.0-15) unstable; urgency=medium

  * fix #1971: display firewall rule properties

 -- Proxmox Support Team <support@proxmox.com> Fri, 23 Nov 2018 14:01:33 +0100

pve-firewall (3.0-14) unstable; urgency=medium

  * fix #1841: avoid ebtable reloads when containers have multiple network

 -- Proxmox Support Team <support@proxmox.com> Fri, 24 Aug 2018 10:51:04 +0200

pve-firewall (3.0-13) unstable; urgency=medium

  * avoid unnecessary reloads of ebtable ruleset

 -- Proxmox Support Team <support@proxmox.com> Thu, 28 Jun 2018 14:47:16 +0200

pve-firewall (3.0-12) unstable; urgency=medium

  * fix deleted iptables chains not being properly detected as a change

 -- Proxmox Support Team <support@proxmox.com> Tue, 12 Jun 2018 12:01:02 +0200

pve-firewall (3.0-11) unstable; urgency=medium

  * #1764: rename 'ebtales_enable' option to 'ebtables'

 -- Proxmox Support Team <support@proxmox.com> Wed, 06 Jun 2018 16:18:13 +0200

pve-firewall (3.0-10) unstable; urgency=medium

  * fix #1764: handle existing ebtables rules and allow disabling ebtables
  * ebtables handling can be disabled via /etc/pve/firewall/cluster.fw's new
    ebtables_enable option.

 -- Proxmox Support Team <support@proxmox.com> Tue, 29 May 2018 15:14:33 +0200

pve-firewall (3.0-9) unstable; urgency=medium

  * fix creation of ebtables FORWARD rule entry

 -- Proxmox Support Team <support@proxmox.com> Thu, 17 May 2018 14:41:27 +0200

pve-firewall (3.0-8) unstable; urgency=medium

  * add ebtables support for better MAC filtering

 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Apr 2018 14:25:41 +0200

pve-firewall (3.0-7) unstable; urgency=medium

  * support distinct source and destination multi-port matching
  * multi-port matching: when specifying the same list of ports for source and
    destination require them both to match, rather than one of them, as this
    was rather unexpected behavior

 -- Proxmox Support Team <support@proxmox.com> Mon, 12 Mar 2018 14:58:08 +0100

pve-firewall (3.0-6) unstable; urgency=medium

  * fix #1319: don't fail postinst with masked service
  * debian: switch to compat 9, drop init scripts, drop preinst
  * check multiport limit in port ranges
  * build: use git rev-parse for GITVERSION

 -- Proxmox Support Team <support@proxmox.com> Thu, 08 Mar 2018 13:53:11 +0100

pve-firewall (3.0-5) unstable; urgency=medium

  * fix issue with disabled flag not being honored within groups

 -- Proxmox Support Team <support@proxmox.com> Thu, 07 Dec 2017 08:31:42 +0100

pve-firewall (3.0-4) unstable; urgency=medium

  * fix issues with ipsets reloading unnecessarily or too late
  * fix some typos in the logs

 -- Proxmox Support Team <support@proxmox.com> Thu, 16 Nov 2017 11:41:56 +0100

pve-firewall (3.0-3) unstable; urgency=medium

  * Fix #1492: logger: use current timestamp if the packet doesn't have one

 -- Proxmox Support Team <support@proxmox.com> Tue, 12 Sep 2017 14:43:06 +0200

pve-firewall (3.0-2) unstable; urgency=medium

  * Fix #1446: remove masks in case the package had previously been removed but
  * improve logging on errors in the firewall configuration
  * forbid trailing commas in lists as iptables-restore doesn't support them

 -- Proxmox Support Team <support@proxmox.com> Mon, 17 Jul 2017 15:24:40 +0200

pve-firewall (3.0-1) unstable; urgency=medium

  * rebuild for Debian Stretch

 -- Proxmox Support Team <support@proxmox.com> Thu, 9 Mar 2017 14:04:17 +0100

pve-firewall (2.0-33) unstable; urgency=medium

  * ipset: don't allow zero-prefix entries

 -- Proxmox Support Team <support@proxmox.com> Tue, 29 Nov 2016 12:18:04 +0100

pve-firewall (2.0-32) unstable; urgency=medium

  * improve search for local-network

 -- Proxmox Support Team <support@proxmox.com> Tue, 29 Nov 2016 06:35:08 +0100

pve-firewall (2.0-31) unstable; urgency=medium

  * don't try to apply ports to rules which don't support them

 -- Proxmox Support Team <support@proxmox.com> Thu, 06 Oct 2016 08:31:51 +0200

pve-firewall (2.0-30) unstable; urgency=medium

  * add multicast DNS to the list of Macros
  * add missing parameter descriptions
  * build-depends: add dh-systemd

 -- Proxmox Support Team <support@proxmox.com> Fri, 16 Sep 2016 08:53:16 +0200

pve-firewall (2.0-29) unstable; urgency=medium

  * prevent overwriting ipsets/sec. groups by renaming

 -- Proxmox Support Team <support@proxmox.com> Fri, 03 Jun 2016 16:46:10 +0200

pve-firewall (2.0-28) unstable; urgency=medium

  * use pve-common's ipv4_mask_hash_localnet
  * fix allowed group name length
  * make group digest stable

 -- Proxmox Support Team <support@proxmox.com> Fri, 03 Jun 2016 11:01:47 +0200

pve-firewall (2.0-27) unstable; urgency=medium

  * fix #972: make PVEFW-FWBR-* rule order stable

 -- Proxmox Support Team <support@proxmox.com> Tue, 17 May 2016 07:59:52 +0200

pve-firewall (2.0-26) unstable; urgency=medium

  * fix #988: set rp_filter=2

 -- Proxmox Support Team <support@proxmox.com> Mon, 09 May 2016 10:01:28 +0200

pve-firewall (2.0-25) unstable; urgency=medium

  * fix #945: add uninitialized check in lxc ipset compilation

 -- Proxmox Support Team <support@proxmox.com> Thu, 21 Apr 2016 09:58:33 +0200

pve-firewall (2.0-24) unstable; urgency=medium

  * Build-Depend on pve-doc-generator
  * generate manpage with pve-doc-generator

 -- Proxmox Support Team <support@proxmox.com> Wed, 06 Apr 2016 10:52:45 +0200

pve-firewall (2.0-23) unstable; urgency=medium

  * use only the top bit for our accept marks

 -- Proxmox Support Team <support@proxmox.com> Fri, 01 Apr 2016 07:35:38 +0200

pve-firewall (2.0-22) unstable; urgency=medium

  * Use cfs_config_path from PVE::QemuConfig

 -- Proxmox Support Team <support@proxmox.com> Tue, 08 Mar 2016 11:47:40 +0100

pve-firewall (2.0-21) unstable; urgency=medium

  * added new 'ipfilter' option

 -- Proxmox Support Team <support@proxmox.com> Thu, 03 Mar 2016 09:43:39 +0100

pve-firewall (2.0-20) unstable; urgency=medium

  * fix 901: encode unicode characters in sha digest

 -- Proxmox Support Team <support@proxmox.com> Mon, 29 Feb 2016 12:40:14 +0100

pve-firewall (2.0-19) unstable; urgency=medium

  * Add radv option to VM options

 -- Proxmox Support Team <support@proxmox.com> Sat, 27 Feb 2016 10:24:42 +0100

pve-firewall (2.0-18) unstable; urgency=medium

  * Add ndp option to host and VM firewall options
  * Add router-solicitation to NeighborDiscovery macro

 -- Proxmox Support Team <support@proxmox.com> Fri, 19 Feb 2016 10:01:22 +0100

pve-firewall (2.0-17) unstable; urgency=medium

  * Don't leave empty FW config files behind

 -- Proxmox Support Team <support@proxmox.com> Mon, 08 Feb 2016 14:09:24 +0100

pve-firewall (2.0-16) unstable; urgency=medium

  * logger: basic ipv6 support
  * add dhcpv6 support to the dhcp option

 -- Proxmox Support Team <support@proxmox.com> Tue, 26 Jan 2016 16:52:14 +0100

pve-firewall (2.0-15) unstable; urgency=medium

  * fix bug #859: use $security_group_name_pattern in iptables_get_chains
  * fix some regular expressions mixups

 -- Proxmox Support Team <support@proxmox.com> Thu, 07 Jan 2016 16:33:23 +0100

pve-firewall (2.0-14) unstable; urgency=medium

  * fix systemd service dependencies

 -- Proxmox Support Team <support@proxmox.com> Fri, 27 Nov 2015 10:52:57 +0100

pve-firewall (2.0-13) unstable; urgency=medium

  * allow numeric icmp types

 -- Proxmox Support Team <support@proxmox.com> Fri, 23 Oct 2015 13:21:53 +0200

pve-firewall (2.0-12) unstable; urgency=medium

  * implement bash completions
  * convert pve-firewall into a PVE::Service class

 -- Proxmox Support Team <support@proxmox.com> Thu, 24 Sep 2015 12:15:00 +0200

pve-firewall (2.0-11) unstable; urgency=medium

  * iptables_get_chains: fix veth device name

 -- Proxmox Support Team <support@proxmox.com> Tue, 08 Sep 2015 07:54:35 +0200

pve-firewall (2.0-10) unstable; urgency=medium

  * new helper: clone_vmfw_conf()

 -- Proxmox Support Team <support@proxmox.com> Tue, 25 Aug 2015 06:47:49 +0200

pve-firewall (2.0-9) unstable; urgency=medium

  * remove firewall config file subroutine added

 -- Proxmox Support Team <support@proxmox.com> Wed, 19 Aug 2015 15:42:51 +0200

pve-firewall (2.0-8) unstable; urgency=medium

  * adopt regression tests for lxc containers
  * removed firewall code for openVZ
  * Subroutine verify_rule fixed to correctly check only for "net\d+"
    interface device names

 -- Proxmox Support Team <support@proxmox.com> Wed, 12 Aug 2015 12:01:43 +0200

pve-firewall (2.0-7) unstable; urgency=medium

  * added firewall code for lxc

 -- Proxmox Support Team <support@proxmox.com> Mon, 10 Aug 2015 09:21:14 +0200

pve-firewall (2.0-6) unstable; urgency=medium

  * firewall ipversion comparison fix

 -- Proxmox Support Team <support@proxmox.com> Tue, 04 Aug 2015 11:14:51 +0200

pve-firewall (2.0-5) unstable; urgency=medium

  * add ipv6 neighbor discovery and solicitation macros
  * ip6tables accepts both spellings of the word neighbor

 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Jul 2015 13:20:55 +0200

pve-firewall (2.0-4) unstable; urgency=medium

  * include manual page for pve-firewall

 -- Proxmox Support Team <support@proxmox.com> Sat, 27 Jun 2015 16:26:28 +0200

pve-firewall (2.0-3) unstable; urgency=medium

  * use noawait triggers for pve-api-updates

 -- Proxmox Support Team <support@proxmox.com> Mon, 01 Jun 2015 12:33:06 +0200

pve-firewall (2.0-2) unstable; urgency=medium

  * trigger pve-api-updates event

 -- Proxmox Support Team <support@proxmox.com> Tue, 05 May 2015 15:10:24 +0200

pve-firewall (2.0-1) unstable; urgency=medium

  * recompile for debian jessie

 -- Proxmox Support Team <support@proxmox.com> Fri, 27 Feb 2015 12:22:04 +0100

pve-firewall (1.0-18) unstable; urgency=low

 -- Proxmox Support Team <support@proxmox.com> Mon, 09 Feb 2015 09:32:03 +0100

pve-firewall (1.0-17) unstable; urgency=low

  * fix restart behavior

 -- Proxmox Support Team <support@proxmox.com> Thu, 15 Jan 2015 06:45:58 +0100

pve-firewall (1.0-16) unstable; urgency=low

  * use new Daemon class from pve-common

 -- Proxmox Support Team <support@proxmox.com> Thu, 18 Dec 2014 09:45:07 +0100

pve-firewall (1.0-15) unstable; urgency=low

  * bug fix: load cluster conf for host rules

 -- Proxmox Support Team <support@proxmox.com> Fri, 12 Dec 2014 06:33:28 +0100

pve-firewall (1.0-14) unstable; urgency=low

  * do not use ipset list chains
  * remove preinst script (not needed anymore)

 -- Proxmox Support Team <support@proxmox.com> Fri, 05 Dec 2014 13:42:00 +0100

pve-firewall (1.0-13) unstable; urgency=low

  * fix ipset remove order

 -- Proxmox Support Team <support@proxmox.com> Fri, 28 Nov 2014 12:45:48 +0100

pve-firewall (1.0-12) unstable; urgency=low

  * add preinst script to clear ipset from older installation (because
    sets cannot be swapped if their type does not match).

 -- Proxmox Support Team <support@proxmox.com> Fri, 28 Nov 2014 08:59:38 +0100

pve-firewall (1.0-11) unstable; urgency=low

  * bug fix: correctly set ipversion for aliases in verify_rule
  * save restore commands into files to make debugging
    easier (/var/lib/pve-firewall/)

 -- Proxmox Support Team <support@proxmox.com> Fri, 28 Nov 2014 08:04:05 +0100

pve-firewall (1.0-10) unstable; urgency=low

  * add IPv6 support for VMs (hostfw is IPv4 only)

 -- Proxmox Support Team <support@proxmox.com> Wed, 26 Nov 2014 07:00:29 +0100

pve-firewall (1.0-9) unstable; urgency=low

  * fix max ipset name length

 -- Proxmox Support Team <support@proxmox.com> Tue, 14 Oct 2014 16:29:34 +0200

pve-firewall (1.0-8) unstable; urgency=low

  * implement permission

 -- Proxmox Support Team <support@proxmox.com> Mon, 08 Sep 2014 12:15:21 +0200

pve-firewall (1.0-7) unstable; urgency=low

  * proxy host rule API calls to correct node
  * always generate MAC and IP filter rules if firewall is enabled on NIC

 -- Proxmox Support Team <support@proxmox.com> Thu, 26 Jun 2014 07:12:57 +0200

pve-firewall (1.0-6) unstable; urgency=low

  * implement ipfilter ipsets

 -- Proxmox Support Team <support@proxmox.com> Thu, 12 Jun 2014 08:37:08 +0200

pve-firewall (1.0-5) unstable; urgency=low

  * remove ipsets when firewall disabled

 -- Proxmox Support Team <support@proxmox.com> Wed, 04 Jun 2014 08:50:18 +0200

pve-firewall (1.0-4) unstable; urgency=low

  * depend on iptables and ipset

 -- Proxmox Support Team <support@proxmox.com> Wed, 04 Jun 2014 06:45:33 +0200

pve-firewall (1.0-3) unstable; urgency=low

  * change dh_installinit order (register pvefw-logger before pve-firewall)

 -- Proxmox Support Team <support@proxmox.com> Wed, 04 Jun 2014 06:24:21 +0200

pve-firewall (1.0-2) unstable; urgency=low

  * add experimental nflog logging daemon

 -- Proxmox Support Team <support@proxmox.com> Thu, 13 Mar 2014 08:27:01 +0100

pve-firewall (1.0-1) unstable; urgency=low

 -- Proxmox Support Team <support@proxmox.com> Mon, 03 Mar 2014 08:37:06 +0100