pve-firewall (4.2-2) bullseye; urgency=medium

  * re-set relevant sysctls on every apply round

 -- Proxmox Support Team <support@proxmox.com>  Mon, 21 Jun 2021 11:31:42 +0200

pve-firewall (4.2-1) bullseye; urgency=medium

  * fix #967: source: dest: limit length
  * re-build for Debian 11 Bullseye based releases (Proxmox VE 7)
  * fix #2358: allow --<opt> in firewall rule config files

 -- Proxmox Support Team <support@proxmox.com>  Wed, 12 May 2021 20:32:30 +0200

pve-firewall (4.1-3) pve; urgency=medium

  * fix #2773: ebtables: keep policy of custom chains
  * introduce new icmp-type parameter

 -- Proxmox Support Team <support@proxmox.com>  Fri, 18 Sep 2020 16:51:27 +0200

pve-firewall (4.1-2) pve; urgency=medium

  * revert: rules: verify referenced security group exists

 -- Proxmox Support Team <support@proxmox.com>  Wed, 06 May 2020 17:41:36 +0200

pve-firewall (4.1-1) pve; urgency=medium

  * logging: add missing log message for inbound rules
  * fix #2686: avoid adding 'arp-ip-src' IP filter if guest uses DHCP
  * IPSets: parse the CIDR before checking for duplicates
  * verify that a referenced security group exists
  * ICMP: fix iptables-restore failing if ICMP-type values bigger than '255'
  * ICMP: allow one to specify the 'echo-reply' (0) type also as integer
  * improve handling concurrent (parallel) access and modifications to rules

 -- Proxmox Support Team <support@proxmox.com>  Mon, 04 May 2020 15:01:57 +0200

pve-firewall (4.0-10) pve; urgency=medium

  * macros: add macro for Proxmox Mail Gateway web interface
  * api node: always pass cluster conf to node FW parser to fix false positive
    error message about non existing aliases, or IP sets, when querying the
    node FW options GET API call.
  * grammar fix: s/does not exists/does not exist/g

 -- Proxmox Support Team <support@proxmox.com>  Mon, 27 Jan 2020 19:25:49 +0100

pve-firewall (4.0-9) pve; urgency=medium

  * ensure port range used for offline storage migration and insecure migration
    traffic is allowed by default rule set.

 -- Proxmox Support Team <support@proxmox.com>  Tue, 03 Dec 2019 08:12:20 +0100

pve-firewall (4.0-8) pve; urgency=medium

  * increase default nf_conntrack_max to the kernel's default
  * fix some "use of uninitialized value" warnings when updating CIDRs
  * update schema documentation
  * add explicit dependency on libpve-cluster-perl
  * add support for "raw" tables
  * add options for synflood protection for host firewall:
    - nf_conntrack_tcp_timeout_syn_recv
    - protection_synflood: boolean
    - protection_synflood_rate: SYN rate limit (default 200 per second)
    - protection_synflood_burst: SYN burst limit (default 1000)

 -- Proxmox Support Team <support@proxmox.com>  Mon, 18 Nov 2019 13:48:20 +0100

pve-firewall (4.0-7) pve; urgency=medium

  * only add VM chains and rules if VM firewall is enabled

 -- Proxmox Support Team <support@proxmox.com>  Wed, 7 Aug 2019 10:55:06 +0200

pve-firewall (4.0-6) pve; urgency=medium

  * firewall macros: add new Ceph protocol v2 port while keeping v1 port

 -- Proxmox Support Team <support@proxmox.com>  Tue, 23 Jul 2019 18:57:48 +0200

pve-firewall (4.0-5) pve; urgency=medium

  * don't use any base path at all for calls to external binaries to make use
    compatible with both, /usr merged and unmerged setups

 -- Proxmox Support Team <support@proxmox.com>  Fri, 12 Jul 2019 11:47:53 +0200

pve-firewall (4.0-4) pve; urgency=medium

  * ebtables: remove PVE chains properly
  * ebtables: treat chain deletion as change
  * use /usr/sbin as base path

 -- Proxmox Support Team <support@proxmox.com>  Thu, 11 Jul 2019 19:40:01 +0200

pve-firewall (4.0-3) pve; urgency=medium

  * Create corosync firewall rules independently of localnet
  * Display corosync rule info on localnet call

 -- Proxmox Support Team <support@proxmox.com>  Thu, 04 Jul 2019 15:56:11 +0200

pve-firewall (4.0-2) pve; urgency=medium

  * fix systemd warning about PIDFile directory
  * fix CT rule generation with ipfilter set
  * pve-firewall service: update-alternative iptables and ebtables to working

 -- Proxmox Support Team <support@proxmox.com>  Mon, 24 Jun 2019 20:43:21 +0200

pve-firewall (4.0-1) pve; urgency=medium

  * re-build for Debian Buster / PVE 6

 -- Proxmox Support Team <support@proxmox.com>  Tue, 21 May 2019 22:28:55 +0200

pve-firewall (3.0-21) unstable; urgency=medium

  * fix ipv6 PVEFW-reject
  * fix #2193: arpfilter: CT: remove mask from net IP/CIDR to avoid
    ebtables doing the wrong thing here

 -- Proxmox Support Team <support@proxmox.com>  Wed, 08 May 2019 10:09:31 +0000

pve-firewall (3.0-20) unstable; urgency=medium

  * use IPCC to read config and rule files, if they are backed by pmxcfs which
    has better handling for pmxcfs restarts
  * fix #2178: endless loop on ipv6 extension headers

 -- Proxmox Support Team <support@proxmox.com>  Fri, 19 Apr 2019 05:10:13 +0000

pve-firewall (3.0-19) unstable; urgency=medium

  * ebtables: add arp filtering
  * fix: #2123 Logging of user defined firewall rules
  * allow to enable/disable and modify cluster wide log ratelimits

 -- Proxmox Support Team <support@proxmox.com>  Tue, 02 Apr 2019 11:15:16 +0200

pve-firewall (3.0-18) unstable; urgency=medium

  * fix #1606: Add nf_conntrack_allow_invalid option
  * log reject : add space after policy REJECT like drop
  * fix #1891: Add zsh command completion for pve-firewall

 -- Proxmox Support Team <support@proxmox.com>  Mon, 04 Mar 2019 10:27:01 +0100

pve-firewall (3.0-17) unstable; urgency=medium

  * fix #2005: only allow ascii port digits
  * fix #2004: do not allow backwards ranges
  * add conntrack logging via libnetfilter_conntrack and allow one to enable
    it through the firewall host configuration

 -- Proxmox Support Team <support@proxmox.com>  Wed, 09 Jan 2019 16:56:17 +0100

pve-firewall (3.0-16) unstable; urgency=medium

  * api/rules: fix macro return type

 -- Proxmox Support Team <support@proxmox.com>  Fri, 30 Nov 2018 16:02:59 +0100

pve-firewall (3.0-15) unstable; urgency=medium

  * fix #1971: display firewall rule properties

 -- Proxmox Support Team <support@proxmox.com>  Fri, 23 Nov 2018 14:01:33 +0100

pve-firewall (3.0-14) unstable; urgency=medium

  * fix #1841: avoid ebtable reloads when containers have multiple network

 -- Proxmox Support Team <support@proxmox.com>  Fri, 24 Aug 2018 10:51:04 +0200

pve-firewall (3.0-13) unstable; urgency=medium

  * avoid unnecessary reloads of ebtable ruleset

 -- Proxmox Support Team <support@proxmox.com>  Thu, 28 Jun 2018 14:47:16 +0200

pve-firewall (3.0-12) unstable; urgency=medium

  * fix deleted iptables chains not being properly detected as a change

 -- Proxmox Support Team <support@proxmox.com>  Tue, 12 Jun 2018 12:01:02 +0200

pve-firewall (3.0-11) unstable; urgency=medium

  * #1764: rename 'ebtales_enable' option to 'ebtables'

 -- Proxmox Support Team <support@proxmox.com>  Wed, 06 Jun 2018 16:18:13 +0200

pve-firewall (3.0-10) unstable; urgency=medium

  * fix #1764: handle existing ebtables rules and allow disabling ebtables
  * ebtables handling can be disabled via /etc/pve/firewall/cluster.fw's new
    ebtables_enable option.

 -- Proxmox Support Team <support@proxmox.com>  Tue, 29 May 2018 15:14:33 +0200

pve-firewall (3.0-9) unstable; urgency=medium

  * fix creation of ebtables FORWARD rule entry

 -- Proxmox Support Team <support@proxmox.com>  Thu, 17 May 2018 14:41:27 +0200

pve-firewall (3.0-8) unstable; urgency=medium

  * add ebtables support for better MAC filtering

 -- Proxmox Support Team <support@proxmox.com>  Wed, 11 Apr 2018 14:25:41 +0200

pve-firewall (3.0-7) unstable; urgency=medium

  * support distinct source and destination multi-port matching
  * multi-port matching: when specifying the same list of ports for source and
    destination require them both to match, rather than one of them, as this
    was rather unexpected behavior

 -- Proxmox Support Team <support@proxmox.com>  Mon, 12 Mar 2018 14:58:08 +0100

pve-firewall (3.0-6) unstable; urgency=medium

  * fix #1319: don't fail postinst with masked service
  * debian: switch to compat 9, drop init scripts, drop preinst
  * check multiport limit in port ranges
  * build: use git rev-parse for GITVERSION

 -- Proxmox Support Team <support@proxmox.com>  Thu, 08 Mar 2018 13:53:11 +0100

pve-firewall (3.0-5) unstable; urgency=medium

  * fix issue with disabled flag not being honored within groups

 -- Proxmox Support Team <support@proxmox.com>  Thu, 07 Dec 2017 08:31:42 +0100

pve-firewall (3.0-4) unstable; urgency=medium

  * fix issues with ipsets reloading unnecessarily or too late
  * fix some typos in the logs

 -- Proxmox Support Team <support@proxmox.com>  Thu, 16 Nov 2017 11:41:56 +0100

pve-firewall (3.0-3) unstable; urgency=medium

  * Fix #1492: logger: use current timestamp if the packet doesn't have one

 -- Proxmox Support Team <support@proxmox.com>  Tue, 12 Sep 2017 14:43:06 +0200

pve-firewall (3.0-2) unstable; urgency=medium

  * Fix #1446: remove masks in case the package had previously been removed but
  * improve logging on errors in the firewall configuration
  * forbid trailing commas in lists as iptables-restore doesn't support them

 -- Proxmox Support Team <support@proxmox.com>  Mon, 17 Jul 2017 15:24:40 +0200

pve-firewall (3.0-1) unstable; urgency=medium

  * rebuild for Debian Stretch

 -- Proxmox Support Team <support@proxmox.com>  Thu, 9 Mar 2017 14:04:17 +0100

pve-firewall (2.0-33) unstable; urgency=medium

  * ipset: don't allow zero-prefix entries

 -- Proxmox Support Team <support@proxmox.com>  Tue, 29 Nov 2016 12:18:04 +0100

pve-firewall (2.0-32) unstable; urgency=medium

  * improve search for local-network

 -- Proxmox Support Team <support@proxmox.com>  Tue, 29 Nov 2016 06:35:08 +0100

pve-firewall (2.0-31) unstable; urgency=medium

  * don't try to apply ports to rules which don't support them

 -- Proxmox Support Team <support@proxmox.com>  Thu, 06 Oct 2016 08:31:51 +0200

pve-firewall (2.0-30) unstable; urgency=medium

  * add multicast DNS to the list of Macros
  * add missing parameter descriptions
  * build-depends: add dh-systemd

 -- Proxmox Support Team <support@proxmox.com>  Fri, 16 Sep 2016 08:53:16 +0200

pve-firewall (2.0-29) unstable; urgency=medium

  * prevent overwriting ipsets/sec. groups by renaming

 -- Proxmox Support Team <support@proxmox.com>  Fri, 03 Jun 2016 16:46:10 +0200

pve-firewall (2.0-28) unstable; urgency=medium

  * use pve-common's ipv4_mask_hash_localnet
  * fix allowed group name length
  * make group digest stable

 -- Proxmox Support Team <support@proxmox.com>  Fri, 03 Jun 2016 11:01:47 +0200

pve-firewall (2.0-27) unstable; urgency=medium

  * fix #972: make PVEFW-FWBR-* rule order stable

 -- Proxmox Support Team <support@proxmox.com>  Tue, 17 May 2016 07:59:52 +0200

pve-firewall (2.0-26) unstable; urgency=medium

  * fix #988: set rp_filter=2

 -- Proxmox Support Team <support@proxmox.com>  Mon, 09 May 2016 10:01:28 +0200

pve-firewall (2.0-25) unstable; urgency=medium

  * fix #945: add uninitialized check in lxc ipset compilation

 -- Proxmox Support Team <support@proxmox.com>  Thu, 21 Apr 2016 09:58:33 +0200

pve-firewall (2.0-24) unstable; urgency=medium

  * Build-Depend on pve-doc-generator
  * generate manpage with pve-doc-generator

 -- Proxmox Support Team <support@proxmox.com>  Wed, 06 Apr 2016 10:52:45 +0200

pve-firewall (2.0-23) unstable; urgency=medium

  * use only the top bit for our accept marks

 -- Proxmox Support Team <support@proxmox.com>  Fri, 01 Apr 2016 07:35:38 +0200

pve-firewall (2.0-22) unstable; urgency=medium

  * Use cfs_config_path from PVE::QemuConfig

 -- Proxmox Support Team <support@proxmox.com>  Tue, 08 Mar 2016 11:47:40 +0100

pve-firewall (2.0-21) unstable; urgency=medium

  * added new 'ipfilter' option

 -- Proxmox Support Team <support@proxmox.com>  Thu, 03 Mar 2016 09:43:39 +0100

pve-firewall (2.0-20) unstable; urgency=medium

  * fix 901: encode unicode characters in sha digest

 -- Proxmox Support Team <support@proxmox.com>  Mon, 29 Feb 2016 12:40:14 +0100

pve-firewall (2.0-19) unstable; urgency=medium

  * Add radv option to VM options

 -- Proxmox Support Team <support@proxmox.com>  Sat, 27 Feb 2016 10:24:42 +0100

pve-firewall (2.0-18) unstable; urgency=medium

  * Add ndp option to host and VM firewall options
  * Add router-solicitation to NeighborDiscovery macro

 -- Proxmox Support Team <support@proxmox.com>  Fri, 19 Feb 2016 10:01:22 +0100

pve-firewall (2.0-17) unstable; urgency=medium

  * Don't leave empty FW config files behind

 -- Proxmox Support Team <support@proxmox.com>  Mon, 08 Feb 2016 14:09:24 +0100

pve-firewall (2.0-16) unstable; urgency=medium

  * logger: basic ipv6 support
  * add dhcpv6 support to the dhcp option

 -- Proxmox Support Team <support@proxmox.com>  Tue, 26 Jan 2016 16:52:14 +0100

pve-firewall (2.0-15) unstable; urgency=medium

  * fix bug #859: use $security_group_name_pattern in iptables_get_chains
  * fix some regular expressions mixups

 -- Proxmox Support Team <support@proxmox.com>  Thu, 07 Jan 2016 16:33:23 +0100

pve-firewall (2.0-14) unstable; urgency=medium

  * fix systemd service dependencies

 -- Proxmox Support Team <support@proxmox.com>  Fri, 27 Nov 2015 10:52:57 +0100

pve-firewall (2.0-13) unstable; urgency=medium

  * allow numeric icmp types

 -- Proxmox Support Team <support@proxmox.com>  Fri, 23 Oct 2015 13:21:53 +0200

pve-firewall (2.0-12) unstable; urgency=medium

  * implement bash completions
  * convert pve-firewall into a PVE::Service class

 -- Proxmox Support Team <support@proxmox.com>  Thu, 24 Sep 2015 12:15:00 +0200

pve-firewall (2.0-11) unstable; urgency=medium

  * iptables_get_chains: fix veth device name

 -- Proxmox Support Team <support@proxmox.com>  Tue, 08 Sep 2015 07:54:35 +0200

pve-firewall (2.0-10) unstable; urgency=medium

  * new helper: clone_vmfw_conf()

 -- Proxmox Support Team <support@proxmox.com>  Tue, 25 Aug 2015 06:47:49 +0200

pve-firewall (2.0-9) unstable; urgency=medium

  * remove firewall config file subroutine added

 -- Proxmox Support Team <support@proxmox.com>  Wed, 19 Aug 2015 15:42:51 +0200

pve-firewall (2.0-8) unstable; urgency=medium

  * adopt regression tests for lxc containers
  * removed firewall code for openVZ
  * Subroutine verify_rule fixed to correctly check only for "net\d+"
    interface device names

 -- Proxmox Support Team <support@proxmox.com>  Wed, 12 Aug 2015 12:01:43 +0200

pve-firewall (2.0-7) unstable; urgency=medium

  * added firewall code for lxc

 -- Proxmox Support Team <support@proxmox.com>  Mon, 10 Aug 2015 09:21:14 +0200

pve-firewall (2.0-6) unstable; urgency=medium

  * firewall ipversion comparison fix

 -- Proxmox Support Team <support@proxmox.com>  Tue, 04 Aug 2015 11:14:51 +0200

pve-firewall (2.0-5) unstable; urgency=medium

  * add ipv6 neighbor discovery and solicitation macros
  * ip6tables accepts both spellings of the word neighbor

 -- Proxmox Support Team <support@proxmox.com>  Mon, 27 Jul 2015 13:20:55 +0200

pve-firewall (2.0-4) unstable; urgency=medium

  * include manual page for pve-firewall

 -- Proxmox Support Team <support@proxmox.com>  Sat, 27 Jun 2015 16:26:28 +0200

pve-firewall (2.0-3) unstable; urgency=medium

  * use noawait triggers for pve-api-updates

 -- Proxmox Support Team <support@proxmox.com>  Mon, 01 Jun 2015 12:33:06 +0200

pve-firewall (2.0-2) unstable; urgency=medium

  * trigger pve-api-updates event

 -- Proxmox Support Team <support@proxmox.com>  Tue, 05 May 2015 15:10:24 +0200

pve-firewall (2.0-1) unstable; urgency=medium

  * recompile for debian jessie

 -- Proxmox Support Team <support@proxmox.com>  Fri, 27 Feb 2015 12:22:04 +0100

pve-firewall (1.0-18) unstable; urgency=low

 -- Proxmox Support Team <support@proxmox.com>  Mon, 09 Feb 2015 09:32:03 +0100

pve-firewall (1.0-17) unstable; urgency=low

  * fix restart behavior

 -- Proxmox Support Team <support@proxmox.com>  Thu, 15 Jan 2015 06:45:58 +0100

pve-firewall (1.0-16) unstable; urgency=low

  * use new Daemon class from pve-common

 -- Proxmox Support Team <support@proxmox.com>  Thu, 18 Dec 2014 09:45:07 +0100

pve-firewall (1.0-15) unstable; urgency=low

  * bug fix: load cluster conf for host rules

 -- Proxmox Support Team <support@proxmox.com>  Fri, 12 Dec 2014 06:33:28 +0100

pve-firewall (1.0-14) unstable; urgency=low

  * do not use ipset list chains
  * remove preinst script (not needed anymore)

 -- Proxmox Support Team <support@proxmox.com>  Fri, 05 Dec 2014 13:42:00 +0100

pve-firewall (1.0-13) unstable; urgency=low

  * fix ipset remove order

 -- Proxmox Support Team <support@proxmox.com>  Fri, 28 Nov 2014 12:45:48 +0100

pve-firewall (1.0-12) unstable; urgency=low

  * add preinst script to clear ipset from older installation (because
    sets cannot be swapped if their type does not match).

 -- Proxmox Support Team <support@proxmox.com>  Fri, 28 Nov 2014 08:59:38 +0100

pve-firewall (1.0-11) unstable; urgency=low

  * bug fix: correctly set ipversion for aliases in verify_rule
  * save restore commands into files to make debugging
    easier (/var/lib/pve-firewall/)

 -- Proxmox Support Team <support@proxmox.com>  Fri, 28 Nov 2014 08:04:05 +0100

pve-firewall (1.0-10) unstable; urgency=low

  * add IPv6 support for VMs (hostfw is IPv4 only)

 -- Proxmox Support Team <support@proxmox.com>  Wed, 26 Nov 2014 07:00:29 +0100

pve-firewall (1.0-9) unstable; urgency=low

  * fix max ipset name length

 -- Proxmox Support Team <support@proxmox.com>  Tue, 14 Oct 2014 16:29:34 +0200

pve-firewall (1.0-8) unstable; urgency=low

  * implement permission

 -- Proxmox Support Team <support@proxmox.com>  Mon, 08 Sep 2014 12:15:21 +0200

pve-firewall (1.0-7) unstable; urgency=low

  * proxy host rule API calls to correct node
  * always generate MAC and IP filter rules if firewall is enabled on NIC

 -- Proxmox Support Team <support@proxmox.com>  Thu, 26 Jun 2014 07:12:57 +0200

pve-firewall (1.0-6) unstable; urgency=low

  * implement ipfilter ipsets

 -- Proxmox Support Team <support@proxmox.com>  Thu, 12 Jun 2014 08:37:08 +0200

pve-firewall (1.0-5) unstable; urgency=low

  * remove ipsets when firewall disabled

 -- Proxmox Support Team <support@proxmox.com>  Wed, 04 Jun 2014 08:50:18 +0200

pve-firewall (1.0-4) unstable; urgency=low

  * depend on iptables and ipset

 -- Proxmox Support Team <support@proxmox.com>  Wed, 04 Jun 2014 06:45:33 +0200

pve-firewall (1.0-3) unstable; urgency=low

  * change dh_installinit order (register pvefw-logger before pve-firewall)

 -- Proxmox Support Team <support@proxmox.com>  Wed, 04 Jun 2014 06:24:21 +0200

pve-firewall (1.0-2) unstable; urgency=low

  * add experimental nflog logging daemon

 -- Proxmox Support Team <support@proxmox.com>  Thu, 13 Mar 2014 08:27:01 +0100

pve-firewall (1.0-1) unstable; urgency=low

 -- Proxmox Support Team <support@proxmox.com>  Mon, 03 Mar 2014 08:37:06 +0100