pve-firewall (4.2-7) bullseye; urgency=medium
  * fix #4018: add firewall macro for SPICE proxy
  * fix #4204: automatically update each usage of a group to the new ID when
  * fix #4268: add 'force' parameter to delete IPSet with members
 -- Proxmox Support Team <support@proxmox.com> Thu, 17 Nov 2022 19:53:04 +0100
pve-firewall (4.2-6) bullseye; urgency=medium
  * config defaults: document that the mac filter defaults to on
  * fix #4175: ignore non-filter ebtables tables
  * fix enabling ebtables if VM firewall config is invalid
 -- Proxmox Support Team <support@proxmox.com> Mon, 29 Aug 2022 09:43:53 +0200
pve-firewall (4.2-5) bullseye; urgency=medium
  * fix #3677 ipset get chains: handle newer ipset output for actual
 -- Proxmox Support Team <support@proxmox.com> Thu, 04 Nov 2021 16:37:13 +0100
pve-firewall (4.2-4) bullseye; urgency=medium
  * re-build to avoid issues stemming from semi-broken systemd-debhelper version
 -- Proxmox Support Team <support@proxmox.com> Tue, 12 Oct 2021 10:39:05 +0200
pve-firewall (4.2-3) bullseye; urgency=medium
  * fix #2721: remove the (nowadays) bogus reject for TCP port 43 from the
    default drop and reject actions
 -- Proxmox Support Team <support@proxmox.com> Fri, 10 Sep 2021 13:00:07 +0200
pve-firewall (4.2-2) bullseye; urgency=medium
  * re-set relevant sysctls on every apply round
 -- Proxmox Support Team <support@proxmox.com> Mon, 21 Jun 2021 11:31:42 +0200
pve-firewall (4.2-1) bullseye; urgency=medium
  * fix #967: source: dest: limit length
  * re-build for Debian 11 Bullseye based releases (Proxmox VE 7)
  * fix #2358: allow --<opt> in firewall rule config files
 -- Proxmox Support Team <support@proxmox.com> Wed, 12 May 2021 20:32:30 +0200
pve-firewall (4.1-3) pve; urgency=medium
  * fix #2773: ebtables: keep policy of custom chains
  * introduce new icmp-type parameter
 -- Proxmox Support Team <support@proxmox.com> Fri, 18 Sep 2020 16:51:27 +0200
pve-firewall (4.1-2) pve; urgency=medium
  * revert: rules: verify referenced security group exists
 -- Proxmox Support Team <support@proxmox.com> Wed, 06 May 2020 17:41:36 +0200
pve-firewall (4.1-1) pve; urgency=medium
  * logging: add missing log message for inbound rules
  * fix #2686: avoid adding 'arp-ip-src' IP filter if guests uses DHCP
  * IPSets: parse the CIDR before checking for duplicates
  * verify that a referenced security group exists
  * ICMP: fix iptables-restore failing if ICMP-type values bigger than '255'
  * ICMP: allow one to specify the 'echo-reply' (0) type also as integer
  * improve handling concurrent (parallel) access and modifications to rules
 -- Proxmox Support Team <support@proxmox.com> Mon, 04 May 2020 15:01:57 +0200
pve-firewall (4.0-10) pve; urgency=medium
  * macros: add macro for Proxmox Mail Gateway web interface
  * api node: always pass cluster conf to node FW parser to fix false positive
    error message about non existing aliases, or IP sets, when querying the
    node FW options GET API call.
  * grammar fix: s/does not exists/does not exist/g
 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Jan 2020 19:25:49 +0100
pve-firewall (4.0-9) pve; urgency=medium
  * ensure port range used for offline storage migration and insecure migration
    traffic is allowed by default rule set.
 -- Proxmox Support Team <support@proxmox.com> Tue, 03 Dec 2019 08:12:20 +0100
pve-firewall (4.0-8) pve; urgency=medium
  * increase default nf_conntrack_max to the kernel's default
  * fix some "use of uninitialized value" warnings when updating CIDRs
  * update schema documentation
  * add explicit dependency on libpve-cluster-perl
  * add support for "raw" tables
  * add options for synflood protection for host firewall:
    - nf_conntrack_tcp_timeout_syn_recv
    - protection_synflood: boolean
    - protection_synflood_rate: SYN rate limit (default 200 per second)
    - protection_synflood_burst: SYN burst limit (default 1000)
 -- Proxmox Support Team <support@proxmox.com> Mon, 18 Nov 2019 13:48:20 +0100
pve-firewall (4.0-7) pve; urgency=medium
  * only add VM chains and rules if VM firewall is enabled
 -- Proxmox Support Team <support@proxmox.com> Wed, 7 Aug 2019 10:55:06 +0200
pve-firewall (4.0-6) pve; urgency=medium
  * firewall macros: add new Ceph protocol v2 port while keeping v1 port
 -- Proxmox Support Team <support@proxmox.com> Tue, 23 Jul 2019 18:57:48 +0200
pve-firewall (4.0-5) pve; urgency=medium
  * don't use any base path at all for calls to external binaries to make use
    compatible with both, /usr merged and unmerged setups
 -- Proxmox Support Team <support@proxmox.com> Fri, 12 Jul 2019 11:47:53 +0200
pve-firewall (4.0-4) pve; urgency=medium
  * ebtables: remove PVE chains properly
  * ebtables: treat chain deletion as change
  * use /usr/sbin as base path
 -- Proxmox Support Team <support@proxmox.com> Thu, 11 Jul 2019 19:40:01 +0200
pve-firewall (4.0-3) pve; urgency=medium
  * Create corosync firewall rules independently of localnet
  * Display corosync rule info on localnet call
 -- Proxmox Support Team <support@proxmox.com> Thu, 04 Jul 2019 15:56:11 +0200
pve-firewall (4.0-2) pve; urgency=medium
  * fix systemd warning about PIDFile directory
  * fix CT rule generation with ipfilter set
  * pve-firewall service: update-alternative iptables and ebtables to working
 -- Proxmox Support Team <support@proxmox.com> Mon, 24 Jun 2019 20:43:21 +0200
pve-firewall (4.0-1) pve; urgency=medium
  * re-build for Debian Buster / PVE 6
 -- Proxmox Support Team <support@proxmox.com> Tue, 21 May 2019 22:28:55 +0200
pve-firewall (3.0-21) unstable; urgency=medium
  * fix ipv6 PVEFW-reject
  * fix #2193: arpfilter: CT: remove mask from net IP/CIDR to avoid
    ebtables doing the wrong thing here
 -- Proxmox Support Team <support@proxmox.com> Wed, 08 May 2019 10:09:31 +0000
pve-firewall (3.0-20) unstable; urgency=medium
  * use IPCC to read config and rule files, if they are backed by pmxcfs which
    has better handling for pmxcfs restarts
  * fix #2178: endless loop on ipv6 extension headers
 -- Proxmox Support Team <support@proxmox.com> Fri, 19 Apr 2019 05:10:13 +0000
pve-firewall (3.0-19) unstable; urgency=medium
  * ebtables: add arp filtering
  * fix: #2123 Logging of user defined firewall rules
  * allow to enable/disable and modify cluster wide log ratelimits
 -- Proxmox Support Team <support@proxmox.com> Tue, 02 Apr 2019 11:15:16 +0200
pve-firewall (3.0-18) unstable; urgency=medium
  * fix #1606: Add nf_conntrack_allow_invalid option
  * log reject : add space after policy REJECT like drop
  * fix #1891: Add zsh command completion for pve-firewall
 -- Proxmox Support Team <support@proxmox.com> Mon, 04 Mar 2019 10:27:01 +0100
pve-firewall (3.0-17) unstable; urgency=medium
  * fix #2005: only allow ascii port digits
  * fix #2004: do not allow backwards ranges
  * add conntrack logging via libnetfilter_conntrack and allow one to enable
    it through the firewall host configuration
 -- Proxmox Support Team <support@proxmox.com> Wed, 09 Jan 2019 16:56:17 +0100
pve-firewall (3.0-16) unstable; urgency=medium
  * api/rules: fix macro return type
 -- Proxmox Support Team <support@proxmox.com> Fri, 30 Nov 2018 16:02:59 +0100
pve-firewall (3.0-15) unstable; urgency=medium
  * fix #1971: display firewall rule properties
 -- Proxmox Support Team <support@proxmox.com> Fri, 23 Nov 2018 14:01:33 +0100
pve-firewall (3.0-14) unstable; urgency=medium
  * fix #1841: avoid ebtable reloads when containers have multiple network
 -- Proxmox Support Team <support@proxmox.com> Fri, 24 Aug 2018 10:51:04 +0200
pve-firewall (3.0-13) unstable; urgency=medium
  * avoid unnecessary reloads of ebtable ruleset
 -- Proxmox Support Team <support@proxmox.com> Thu, 28 Jun 2018 14:47:16 +0200
pve-firewall (3.0-12) unstable; urgency=medium
  * fix deleted iptables chains not being properly detected as a change
 -- Proxmox Support Team <support@proxmox.com> Tue, 12 Jun 2018 12:01:02 +0200
pve-firewall (3.0-11) unstable; urgency=medium
  * #1764: rename 'ebtales_enable' option to 'ebtables'
 -- Proxmox Support Team <support@proxmox.com> Wed, 06 Jun 2018 16:18:13 +0200
pve-firewall (3.0-10) unstable; urgency=medium
  * fix #1764: handle existing ebtables rules and allow disabling ebtables
  * ebtables handling can be disabled via /etc/pve/firewall/cluster.fw's new
    ebtables_enable option.
 -- Proxmox Support Team <support@proxmox.com> Tue, 29 May 2018 15:14:33 +0200
pve-firewall (3.0-9) unstable; urgency=medium
  * fix creation of ebtables FORWARD rule entry
 -- Proxmox Support Team <support@proxmox.com> Thu, 17 May 2018 14:41:27 +0200
pve-firewall (3.0-8) unstable; urgency=medium
  * add ebtables support for better MAC filtering
 -- Proxmox Support Team <support@proxmox.com> Wed, 11 Apr 2018 14:25:41 +0200
pve-firewall (3.0-7) unstable; urgency=medium
  * support distinct source and destination multi-port matching
  * multi-port matching: when specifying the same list of ports for source and
    destination require them both to match, rather than one of them, as this
    was rather unexpected behavior
 -- Proxmox Support Team <support@proxmox.com> Mon, 12 Mar 2018 14:58:08 +0100
pve-firewall (3.0-6) unstable; urgency=medium
  * fix #1319: don't fail postinst with masked service
  * debian: switch to compat 9, drop init scripts, drop preinst
  * check multiport limit in port ranges
  * build: use git rev-parse for GITVERSION
 -- Proxmox Support Team <support@proxmox.com> Thu, 08 Mar 2018 13:53:11 +0100
pve-firewall (3.0-5) unstable; urgency=medium
  * fix issue with disabled flag not being honored within groups
 -- Proxmox Support Team <support@proxmox.com> Thu, 07 Dec 2017 08:31:42 +0100
pve-firewall (3.0-4) unstable; urgency=medium
  * fix issues with ipsets reloading unnecessarily or too late
  * fix some typos in the logs
 -- Proxmox Support Team <support@proxmox.com> Thu, 16 Nov 2017 11:41:56 +0100
pve-firewall (3.0-3) unstable; urgency=medium
  * Fix #1492: logger: use current timestamp if the packet doesn't have one
 -- Proxmox Support Team <support@proxmox.com> Tue, 12 Sep 2017 14:43:06 +0200
pve-firewall (3.0-2) unstable; urgency=medium
  * Fix #1446: remove masks in case the package had previously been removed but
  * improve logging on errors in the firewall configuration
  * forbid trailing commas in lists as iptables-restore doesn't support them
 -- Proxmox Support Team <support@proxmox.com> Mon, 17 Jul 2017 15:24:40 +0200
pve-firewall (3.0-1) unstable; urgency=medium
  * rebuild for Debian Stretch
 -- Proxmox Support Team <support@proxmox.com> Thu, 9 Mar 2017 14:04:17 +0100
pve-firewall (2.0-33) unstable; urgency=medium
  * ipset: don't allow zero-prefix entries
 -- Proxmox Support Team <support@proxmox.com> Tue, 29 Nov 2016 12:18:04 +0100
pve-firewall (2.0-32) unstable; urgency=medium
  * improve search for local-network
 -- Proxmox Support Team <support@proxmox.com> Tue, 29 Nov 2016 06:35:08 +0100
pve-firewall (2.0-31) unstable; urgency=medium
  * don't try to apply ports to rules which don't support them
 -- Proxmox Support Team <support@proxmox.com> Thu, 06 Oct 2016 08:31:51 +0200
pve-firewall (2.0-30) unstable; urgency=medium
  * add multicast DNS to the list of Macros
  * add missing parameter descriptions
  * build-depends: add dh-systemd
 -- Proxmox Support Team <support@proxmox.com> Fri, 16 Sep 2016 08:53:16 +0200
pve-firewall (2.0-29) unstable; urgency=medium
  * prevent overwriting ipsets/sec. groups by renaming
 -- Proxmox Support Team <support@proxmox.com> Fri, 03 Jun 2016 16:46:10 +0200
pve-firewall (2.0-28) unstable; urgency=medium
  * use pve-common's ipv4_mask_hash_localnet
  * fix allowed group name length
  * make group digest stable
 -- Proxmox Support Team <support@proxmox.com> Fri, 03 Jun 2016 11:01:47 +0200
pve-firewall (2.0-27) unstable; urgency=medium
  * fix #972: make PVEFW-FWBR-* rule order stable
 -- Proxmox Support Team <support@proxmox.com> Tue, 17 May 2016 07:59:52 +0200
pve-firewall (2.0-26) unstable; urgency=medium
  * fix #988: set rp_filter=2
 -- Proxmox Support Team <support@proxmox.com> Mon, 09 May 2016 10:01:28 +0200
pve-firewall (2.0-25) unstable; urgency=medium
  * fix #945: add uninitialized check in lxc ipset compilation
 -- Proxmox Support Team <support@proxmox.com> Thu, 21 Apr 2016 09:58:33 +0200
pve-firewall (2.0-24) unstable; urgency=medium
  * Build-Depend on pve-doc-generator
  * generate manpage with pve-doc-generator
 -- Proxmox Support Team <support@proxmox.com> Wed, 06 Apr 2016 10:52:45 +0200
pve-firewall (2.0-23) unstable; urgency=medium
  * use only the top bit for our accept marks
 -- Proxmox Support Team <support@proxmox.com> Fri, 01 Apr 2016 07:35:38 +0200
pve-firewall (2.0-22) unstable; urgency=medium
  * Use cfs_config_path from PVE::QemuConfig
 -- Proxmox Support Team <support@proxmox.com> Tue, 08 Mar 2016 11:47:40 +0100
pve-firewall (2.0-21) unstable; urgency=medium
  * added new 'ipfilter' option
 -- Proxmox Support Team <support@proxmox.com> Thu, 03 Mar 2016 09:43:39 +0100
pve-firewall (2.0-20) unstable; urgency=medium
  * fix 901: encode unicode characters in sha digest
 -- Proxmox Support Team <support@proxmox.com> Mon, 29 Feb 2016 12:40:14 +0100
pve-firewall (2.0-19) unstable; urgency=medium
  * Add radv option to VM options
 -- Proxmox Support Team <support@proxmox.com> Sat, 27 Feb 2016 10:24:42 +0100
pve-firewall (2.0-18) unstable; urgency=medium
  * Add ndp option to host and VM firewall options
  * Add router-solicitation to NeighborDiscovery macro
 -- Proxmox Support Team <support@proxmox.com> Fri, 19 Feb 2016 10:01:22 +0100
pve-firewall (2.0-17) unstable; urgency=medium
  * Don't leave empty FW config files behind
 -- Proxmox Support Team <support@proxmox.com> Mon, 08 Feb 2016 14:09:24 +0100
pve-firewall (2.0-16) unstable; urgency=medium
  * logger: basic ipv6 support
  * add dhcpv6 support to the dhcp option
 -- Proxmox Support Team <support@proxmox.com> Tue, 26 Jan 2016 16:52:14 +0100
pve-firewall (2.0-15) unstable; urgency=medium
  * fix bug #859: use $security_group_name_pattern in iptables_get_chains
  * fix some regular expressions mixups
 -- Proxmox Support Team <support@proxmox.com> Thu, 07 Jan 2016 16:33:23 +0100
pve-firewall (2.0-14) unstable; urgency=medium
  * fix systemd service dependencies
 -- Proxmox Support Team <support@proxmox.com> Fri, 27 Nov 2015 10:52:57 +0100
pve-firewall (2.0-13) unstable; urgency=medium
  * allow numeric icmp types
 -- Proxmox Support Team <support@proxmox.com> Fri, 23 Oct 2015 13:21:53 +0200
pve-firewall (2.0-12) unstable; urgency=medium
  * implement bash completions
  * convert pve-firewall into a PVE::Service class
 -- Proxmox Support Team <support@proxmox.com> Thu, 24 Sep 2015 12:15:00 +0200
pve-firewall (2.0-11) unstable; urgency=medium
  * iptables_get_chains: fix veth device name
 -- Proxmox Support Team <support@proxmox.com> Tue, 08 Sep 2015 07:54:35 +0200
pve-firewall (2.0-10) unstable; urgency=medium
  * new helper: clone_vmfw_conf()
 -- Proxmox Support Team <support@proxmox.com> Tue, 25 Aug 2015 06:47:49 +0200
pve-firewall (2.0-9) unstable; urgency=medium
  * remove firewall config file subroutine added
 -- Proxmox Support Team <support@proxmox.com> Wed, 19 Aug 2015 15:42:51 +0200
pve-firewall (2.0-8) unstable; urgency=medium
  * adopt regression tests for lxc containers
  * removed firewall code for openVZ
  * Subroutine verify_rule fixed to correctly check only for "net\d+"
    interface device names
 -- Proxmox Support Team <support@proxmox.com> Wed, 12 Aug 2015 12:01:43 +0200
pve-firewall (2.0-7) unstable; urgency=medium
  * added firewall code for lxc
 -- Proxmox Support Team <support@proxmox.com> Mon, 10 Aug 2015 09:21:14 +0200
pve-firewall (2.0-6) unstable; urgency=medium
  * firewall ipversion comparison fix
 -- Proxmox Support Team <support@proxmox.com> Tue, 04 Aug 2015 11:14:51 +0200
pve-firewall (2.0-5) unstable; urgency=medium
  * add ipv6 neighbor discovery and solicitation macros
  * ip6tables accepts both spellings of the word neighbor
 -- Proxmox Support Team <support@proxmox.com> Mon, 27 Jul 2015 13:20:55 +0200
pve-firewall (2.0-4) unstable; urgency=medium
  * include manual page for pve-firewall
 -- Proxmox Support Team <support@proxmox.com> Sat, 27 Jun 2015 16:26:28 +0200
pve-firewall (2.0-3) unstable; urgency=medium
  * use noawait triggers for pve-api-updates
 -- Proxmox Support Team <support@proxmox.com> Mon, 01 Jun 2015 12:33:06 +0200
pve-firewall (2.0-2) unstable; urgency=medium
  * trigger pve-api-updates event
 -- Proxmox Support Team <support@proxmox.com> Tue, 05 May 2015 15:10:24 +0200
pve-firewall (2.0-1) unstable; urgency=medium
  * recompile for debian jessie
 -- Proxmox Support Team <support@proxmox.com> Fri, 27 Feb 2015 12:22:04 +0100
pve-firewall (1.0-18) unstable; urgency=low
 -- Proxmox Support Team <support@proxmox.com> Mon, 09 Feb 2015 09:32:03 +0100
pve-firewall (1.0-17) unstable; urgency=low
  * fix restart behavior
 -- Proxmox Support Team <support@proxmox.com> Thu, 15 Jan 2015 06:45:58 +0100
pve-firewall (1.0-16) unstable; urgency=low
  * use new Daemon class from pve-common
 -- Proxmox Support Team <support@proxmox.com> Thu, 18 Dec 2014 09:45:07 +0100
pve-firewall (1.0-15) unstable; urgency=low
  * bug fix: load cluster conf for host rules
 -- Proxmox Support Team <support@proxmox.com> Fri, 12 Dec 2014 06:33:28 +0100
pve-firewall (1.0-14) unstable; urgency=low
  * do not use ipset list chains
  * remove preinst script (not needed anymore)
 -- Proxmox Support Team <support@proxmox.com> Fri, 05 Dec 2014 13:42:00 +0100
pve-firewall (1.0-13) unstable; urgency=low
  * fix ipset remove order
 -- Proxmox Support Team <support@proxmox.com> Fri, 28 Nov 2014 12:45:48 +0100
pve-firewall (1.0-12) unstable; urgency=low
  * add preinst script to clear ipset from older installation (because
    sets cannot be swapped if their type does not match).
 -- Proxmox Support Team <support@proxmox.com> Fri, 28 Nov 2014 08:59:38 +0100
pve-firewall (1.0-11) unstable; urgency=low
  * bug fix: correctly set ipversion for aliases in verify_rule
  * save restore commands into files to make debugging
    easier (/var/lib/pve-firewall/)
 -- Proxmox Support Team <support@proxmox.com> Fri, 28 Nov 2014 08:04:05 +0100
pve-firewall (1.0-10) unstable; urgency=low
  * add IPv6 support for VMs (hostfw is IPv4 only)
 -- Proxmox Support Team <support@proxmox.com> Wed, 26 Nov 2014 07:00:29 +0100
pve-firewall (1.0-9) unstable; urgency=low
  * fix max ipset name length
 -- Proxmox Support Team <support@proxmox.com> Tue, 14 Oct 2014 16:29:34 +0200
pve-firewall (1.0-8) unstable; urgency=low
  * implement permission
 -- Proxmox Support Team <support@proxmox.com> Mon, 08 Sep 2014 12:15:21 +0200
pve-firewall (1.0-7) unstable; urgency=low
  * proxy host rule API calls to correct node
  * always generate MAC and IP filter rules if firewall is enabled on NIC
 -- Proxmox Support Team <support@proxmox.com> Thu, 26 Jun 2014 07:12:57 +0200
pve-firewall (1.0-6) unstable; urgency=low
  * implement ipfilter ipsets
 -- Proxmox Support Team <support@proxmox.com> Thu, 12 Jun 2014 08:37:08 +0200
pve-firewall (1.0-5) unstable; urgency=low
  * remove ipsets when firewall disabled
 -- Proxmox Support Team <support@proxmox.com> Wed, 04 Jun 2014 08:50:18 +0200
pve-firewall (1.0-4) unstable; urgency=low
  * depend on iptables and ipset
 -- Proxmox Support Team <support@proxmox.com> Wed, 04 Jun 2014 06:45:33 +0200
pve-firewall (1.0-3) unstable; urgency=low
  * change dh_installinit order (register pvefw-logger before pve-firewall)
 -- Proxmox Support Team <support@proxmox.com> Wed, 04 Jun 2014 06:24:21 +0200
pve-firewall (1.0-2) unstable; urgency=low
  * add experimental nflog logging daemon
 -- Proxmox Support Team <support@proxmox.com> Thu, 13 Mar 2014 08:27:01 +0100
pve-firewall (1.0-1) unstable; urgency=low
 -- Proxmox Support Team <support@proxmox.com> Mon, 03 Mar 2014 08:37:06 +0100