pve-firewall (4.2-6) bullseye; urgency=medium

  * config defaults: document that the mac filter defaults to on

  * fix #4175: ignore non-filter ebtables tables

  * fix enabling ebtables if VM firewall config is invalid

 -- Proxmox Support Team <support@proxmox.com>  Mon, 29 Aug 2022 09:43:53 +0200

pve-firewall (4.2-5) bullseye; urgency=medium

  * fix #3677 ipset get chains: handle newer ipset output for actual

 -- Proxmox Support Team <support@proxmox.com>  Thu, 04 Nov 2021 16:37:13 +0100

pve-firewall (4.2-4) bullseye; urgency=medium

  * re-build to avoid issues stemming from semi-broken systemd-debhelper version

 -- Proxmox Support Team <support@proxmox.com>  Tue, 12 Oct 2021 10:39:05 +0200

pve-firewall (4.2-3) bullseye; urgency=medium

  * fix #2721: remove the (nowadays) bogus reject for TCP port 43 from the
    default drop and reject actions

 -- Proxmox Support Team <support@proxmox.com>  Fri, 10 Sep 2021 13:00:07 +0200

pve-firewall (4.2-2) bullseye; urgency=medium

  * re-set relevant sysctls on every apply round

 -- Proxmox Support Team <support@proxmox.com>  Mon, 21 Jun 2021 11:31:42 +0200

pve-firewall (4.2-1) bullseye; urgency=medium

  * fix #967: source: dest: limit length

  * re-build for Debian 11 Bullseye based releases (Proxmox VE 7)

  * fix #2358: allow --<opt> in firewall rule config files

 -- Proxmox Support Team <support@proxmox.com>  Wed, 12 May 2021 20:32:30 +0200

pve-firewall (4.1-3) pve; urgency=medium

  * fix #2773: ebtables: keep policy of custom chains

  * introduce new icmp-type parameter

 -- Proxmox Support Team <support@proxmox.com>  Fri, 18 Sep 2020 16:51:27 +0200

pve-firewall (4.1-2) pve; urgency=medium

  * revert: rules: verify referenced security group exists

 -- Proxmox Support Team <support@proxmox.com>  Wed, 06 May 2020 17:41:36 +0200

pve-firewall (4.1-1) pve; urgency=medium

  * logging: add missing log message for inbound rules

  * fix #2686: avoid adding 'arp-ip-src' IP filter if guests uses DHCP

  * IPSets: parse the CIDR before checking for duplicates

  * verify that a referenced security group exists

  * ICMP: fix iptables-restore failing if ICMP-type values bigger than '255'

  * ICMP: allow one to specify the 'echo-reply' (0) type also as integer

  * improve handling concurrent (parallel) access and modifications to rules

 -- Proxmox Support Team <support@proxmox.com>  Mon, 04 May 2020 15:01:57 +0200

pve-firewall (4.0-10) pve; urgency=medium

  * macros: add macro for Proxmox Mail Gateway web interface

  * api node: always pass cluster conf to node FW parser to fix false positive
    error message about non existing aliases, or IP sets, when querying the
    node FW options GET API call.

  * grammar fix: s/does not exists/does not exist/g

 -- Proxmox Support Team <support@proxmox.com>  Mon, 27 Jan 2020 19:25:49 +0100

pve-firewall (4.0-9) pve; urgency=medium

  * ensure port range used for offline storage migration and insecure migration
    traffic is allowed by default rule set.

 -- Proxmox Support Team <support@proxmox.com>  Tue, 03 Dec 2019 08:12:20 +0100

pve-firewall (4.0-8) pve; urgency=medium

  * increase default nf_conntrack_max to the kernel's default

  * fix some "use of uninitialized value" warnings when updating CIDRs

  * update schema documentation

  * add explicit dependency on libpve-cluster-perl

  * add support for "raw" tables

  * add options for synflood protection for host firewall:
    - nf_conntrack_tcp_timeout_syn_recv
    - protection_synflood: boolean
    - protection_synflood_rate: SYN rate limit (default 200 per second)
    - protection_synflood_burst: SYN burst limit (default 1000)

 -- Proxmox Support Team <support@proxmox.com>  Mon, 18 Nov 2019 13:48:20 +0100

pve-firewall (4.0-7) pve; urgency=medium

  * only add VM chains and rules if VM firewall is enabled

 -- Proxmox Support Team <support@proxmox.com>  Wed, 7 Aug 2019 10:55:06 +0200

pve-firewall (4.0-6) pve; urgency=medium

  * firewall macros: add new Ceph protocol v2 port while keeping v1 port

 -- Proxmox Support Team <support@proxmox.com>  Tue, 23 Jul 2019 18:57:48 +0200

pve-firewall (4.0-5) pve; urgency=medium

  * don't use any base path at all for calls to external binaries to make use
    compatible with both, /usr merged and unmerged setups

 -- Proxmox Support Team <support@proxmox.com>  Fri, 12 Jul 2019 11:47:53 +0200

pve-firewall (4.0-4) pve; urgency=medium

  * ebtables: remove PVE chains properly

  * ebtables: treat chain deletion as change

  * use /usr/sbin as base path

 -- Proxmox Support Team <support@proxmox.com>  Thu, 11 Jul 2019 19:40:01 +0200

pve-firewall (4.0-3) pve; urgency=medium

  * Create corosync firewall rules independently of localnet

  * Display corosync rule info on localnet call

 -- Proxmox Support Team <support@proxmox.com>  Thu, 04 Jul 2019 15:56:11 +0200

pve-firewall (4.0-2) pve; urgency=medium

  * fix systemd warning about PIDFile directory

  * fix CT rule generation with ipfilter set

  * pve-firewall service: update-alternative iptables and ebtables to working

 -- Proxmox Support Team <support@proxmox.com>  Mon, 24 Jun 2019 20:43:21 +0200

pve-firewall (4.0-1) pve; urgency=medium

  * re-build for Debian Buster / PVE 6

 -- Proxmox Support Team <support@proxmox.com>  Tue, 21 May 2019 22:28:55 +0200

pve-firewall (3.0-21) unstable; urgency=medium

  * fix ipv6 PVEFW-reject

  * fix #2193: arpfilter: CT: remove mask from net IP/CIDR to avoid
    ebtables doing the wrong thing here

 -- Proxmox Support Team <support@proxmox.com>  Wed, 08 May 2019 10:09:31 +0000

pve-firewall (3.0-20) unstable; urgency=medium

  * use IPCC to read config and rule files, if they are backed by pmxcfs which
    has better handling for pmxcfs restarts

  * fix #2178: endless loop on ipv6 extension headers

 -- Proxmox Support Team <support@proxmox.com>  Fri, 19 Apr 2019 05:10:13 +0000

pve-firewall (3.0-19) unstable; urgency=medium

  * ebtables: add arp filtering

  * fix: #2123 Logging of user defined firewall rules

  * allow to enable/disable and modify cluster wide log ratelimits

 -- Proxmox Support Team <support@proxmox.com>  Tue, 02 Apr 2019 11:15:16 +0200

pve-firewall (3.0-18) unstable; urgency=medium

  * fix #1606: Add nf_conntrack_allow_invalid option

  * log reject : add space after policy REJECT like drop

  * fix #1891: Add zsh command completion for pve-firewall

 -- Proxmox Support Team <support@proxmox.com>  Mon, 04 Mar 2019 10:27:01 +0100

pve-firewall (3.0-17) unstable; urgency=medium

  * fix #2005: only allow ascii port digits

  * fix #2004: do not allow backwards ranges

  * add conntrack logging via libnetfilter_conntrack and allow one to enable
    it through the firewall host configuration

 -- Proxmox Support Team <support@proxmox.com>  Wed, 09 Jan 2019 16:56:17 +0100

pve-firewall (3.0-16) unstable; urgency=medium

  * api/rules: fix macro return type

 -- Proxmox Support Team <support@proxmox.com>  Fri, 30 Nov 2018 16:02:59 +0100

pve-firewall (3.0-15) unstable; urgency=medium

  * fix #1971: display firewall rule properties

 -- Proxmox Support Team <support@proxmox.com>  Fri, 23 Nov 2018 14:01:33 +0100

pve-firewall (3.0-14) unstable; urgency=medium

  * fix #1841: avoid ebtable reloads when containers have multiple network

 -- Proxmox Support Team <support@proxmox.com>  Fri, 24 Aug 2018 10:51:04 +0200

pve-firewall (3.0-13) unstable; urgency=medium

  * avoid unnecessary reloads of ebtable ruleset

 -- Proxmox Support Team <support@proxmox.com>  Thu, 28 Jun 2018 14:47:16 +0200

pve-firewall (3.0-12) unstable; urgency=medium

  * fix deleted iptables chains not being properly detected as a change

 -- Proxmox Support Team <support@proxmox.com>  Tue, 12 Jun 2018 12:01:02 +0200

pve-firewall (3.0-11) unstable; urgency=medium

  * #1764: rename 'ebtales_enable' option to 'ebtables'

 -- Proxmox Support Team <support@proxmox.com>  Wed, 06 Jun 2018 16:18:13 +0200

pve-firewall (3.0-10) unstable; urgency=medium

  * fix #1764: handle existing ebtables rules and allow disabling ebtables

  * ebtables handling can be disabled via /etc/pve/firewall/cluster.fw's new
    ebtables_enable option.

 -- Proxmox Support Team <support@proxmox.com>  Tue, 29 May 2018 15:14:33 +0200

pve-firewall (3.0-9) unstable; urgency=medium

  * fix creation of ebtables FORWARD rule entry

 -- Proxmox Support Team <support@proxmox.com>  Thu, 17 May 2018 14:41:27 +0200

pve-firewall (3.0-8) unstable; urgency=medium

  * add ebtables support for better MAC filtering

 -- Proxmox Support Team <support@proxmox.com>  Wed, 11 Apr 2018 14:25:41 +0200

pve-firewall (3.0-7) unstable; urgency=medium

  * support distinct source and destination multi-port matching

  * multi-port matching: when specifying the same list of ports for source and
    destination require them both to match, rather than one of them, as this
    was rather unexpected behavior

 -- Proxmox Support Team <support@proxmox.com>  Mon, 12 Mar 2018 14:58:08 +0100

pve-firewall (3.0-6) unstable; urgency=medium

  * fix #1319: don't fail postinst with masked service

  * debian: switch to compat 9, drop init scripts, drop preinst

  * check multiport limit in port ranges

  * build: use git rev-parse for GITVERSION

 -- Proxmox Support Team <support@proxmox.com>  Thu, 08 Mar 2018 13:53:11 +0100

pve-firewall (3.0-5) unstable; urgency=medium

  * fix issue with disabled flag not being honored within groups

 -- Proxmox Support Team <support@proxmox.com>  Thu, 07 Dec 2017 08:31:42 +0100

pve-firewall (3.0-4) unstable; urgency=medium

  * fix issues with ipsets reloading unnecessarily or too late

  * fix some typos in the logs

 -- Proxmox Support Team <support@proxmox.com>  Thu, 16 Nov 2017 11:41:56 +0100

pve-firewall (3.0-3) unstable; urgency=medium

  * Fix #1492: logger: use current timestamp if the packet doesn't have one

 -- Proxmox Support Team <support@proxmox.com>  Tue, 12 Sep 2017 14:43:06 +0200

pve-firewall (3.0-2) unstable; urgency=medium

  * Fix #1446: remove masks in case the package had previously been removed but

  * improve logging on errors in the firewall configuration

  * forbid trailing commas in lists as iptables-restore doesn't support them

 -- Proxmox Support Team <support@proxmox.com>  Mon, 17 Jul 2017 15:24:40 +0200

pve-firewall (3.0-1) unstable; urgency=medium

  * rebuild for Debian Stretch

 -- Proxmox Support Team <support@proxmox.com>  Thu, 9 Mar 2017 14:04:17 +0100

pve-firewall (2.0-33) unstable; urgency=medium

  * ipset: don't allow zero-prefix entries

 -- Proxmox Support Team <support@proxmox.com>  Tue, 29 Nov 2016 12:18:04 +0100

pve-firewall (2.0-32) unstable; urgency=medium

  * improve search for local-network

 -- Proxmox Support Team <support@proxmox.com>  Tue, 29 Nov 2016 06:35:08 +0100

pve-firewall (2.0-31) unstable; urgency=medium

  * don't try to apply ports to rules which don't support them

 -- Proxmox Support Team <support@proxmox.com>  Thu, 06 Oct 2016 08:31:51 +0200

pve-firewall (2.0-30) unstable; urgency=medium

  * add multicast DNS to the list of Macros

  * add missing parameter descriptions

  * build-depends: add dh-systemd

 -- Proxmox Support Team <support@proxmox.com>  Fri, 16 Sep 2016 08:53:16 +0200

pve-firewall (2.0-29) unstable; urgency=medium

  * prevent overwriting ipsets/sec. groups by renaming

 -- Proxmox Support Team <support@proxmox.com>  Fri, 03 Jun 2016 16:46:10 +0200

pve-firewall (2.0-28) unstable; urgency=medium

  * use pve-common's ipv4_mask_hash_localnet

  * fix allowed group name length

  * make group digest stable

 -- Proxmox Support Team <support@proxmox.com>  Fri, 03 Jun 2016 11:01:47 +0200

pve-firewall (2.0-27) unstable; urgency=medium

  * fix #972: make PVEFW-FWBR-* rule order stable

 -- Proxmox Support Team <support@proxmox.com>  Tue, 17 May 2016 07:59:52 +0200

pve-firewall (2.0-26) unstable; urgency=medium

  * fix #988: set rp_filter=2

 -- Proxmox Support Team <support@proxmox.com>  Mon, 09 May 2016 10:01:28 +0200

pve-firewall (2.0-25) unstable; urgency=medium

  * fix #945: add uninitialized check in lxc ipset compilation

 -- Proxmox Support Team <support@proxmox.com>  Thu, 21 Apr 2016 09:58:33 +0200

pve-firewall (2.0-24) unstable; urgency=medium

  * Build-Depend on pve-doc-generator

  * generate manpage with pve-doc-generator

 -- Proxmox Support Team <support@proxmox.com>  Wed, 06 Apr 2016 10:52:45 +0200

pve-firewall (2.0-23) unstable; urgency=medium

  * use only the top bit for our accept marks

 -- Proxmox Support Team <support@proxmox.com>  Fri, 01 Apr 2016 07:35:38 +0200

pve-firewall (2.0-22) unstable; urgency=medium

  * Use cfs_config_path from PVE::QemuConfig

 -- Proxmox Support Team <support@proxmox.com>  Tue, 08 Mar 2016 11:47:40 +0100

pve-firewall (2.0-21) unstable; urgency=medium

  * added new 'ipfilter' option

 -- Proxmox Support Team <support@proxmox.com>  Thu, 03 Mar 2016 09:43:39 +0100

pve-firewall (2.0-20) unstable; urgency=medium

  * fix 901: encode unicode characters in sha digest

 -- Proxmox Support Team <support@proxmox.com>  Mon, 29 Feb 2016 12:40:14 +0100

pve-firewall (2.0-19) unstable; urgency=medium

  * Add radv option to VM options

 -- Proxmox Support Team <support@proxmox.com>  Sat, 27 Feb 2016 10:24:42 +0100

pve-firewall (2.0-18) unstable; urgency=medium

  * Add ndp option to host and VM firewall options

  * Add router-solicitation to NeighborDiscovery macro

 -- Proxmox Support Team <support@proxmox.com>  Fri, 19 Feb 2016 10:01:22 +0100

pve-firewall (2.0-17) unstable; urgency=medium

  * Don't leave empty FW config files behind

 -- Proxmox Support Team <support@proxmox.com>  Mon, 08 Feb 2016 14:09:24 +0100

pve-firewall (2.0-16) unstable; urgency=medium

  * logger: basic ipv6 support

  * add dhcpv6 support to the dhcp option

 -- Proxmox Support Team <support@proxmox.com>  Tue, 26 Jan 2016 16:52:14 +0100

pve-firewall (2.0-15) unstable; urgency=medium

  * fix bug #859: use $security_group_name_pattern in iptables_get_chains

  * fix some regular expressions mixups

 -- Proxmox Support Team <support@proxmox.com>  Thu, 07 Jan 2016 16:33:23 +0100

pve-firewall (2.0-14) unstable; urgency=medium

  * fix systemd service dependencies

 -- Proxmox Support Team <support@proxmox.com>  Fri, 27 Nov 2015 10:52:57 +0100

pve-firewall (2.0-13) unstable; urgency=medium

  * allow numeric icmp types

 -- Proxmox Support Team <support@proxmox.com>  Fri, 23 Oct 2015 13:21:53 +0200

pve-firewall (2.0-12) unstable; urgency=medium

  * implement bash completions

  * convert pve-firewall into a PVE::Service class

 -- Proxmox Support Team <support@proxmox.com>  Thu, 24 Sep 2015 12:15:00 +0200

pve-firewall (2.0-11) unstable; urgency=medium

  * iptables_get_chains: fix veth device name

 -- Proxmox Support Team <support@proxmox.com>  Tue, 08 Sep 2015 07:54:35 +0200

pve-firewall (2.0-10) unstable; urgency=medium

  * new helper: clone_vmfw_conf()

 -- Proxmox Support Team <support@proxmox.com>  Tue, 25 Aug 2015 06:47:49 +0200

pve-firewall (2.0-9) unstable; urgency=medium

  * remove firewall config file subroutine added

 -- Proxmox Support Team <support@proxmox.com>  Wed, 19 Aug 2015 15:42:51 +0200

pve-firewall (2.0-8) unstable; urgency=medium

  * adopt regression tests for lxc containers

  * removed firewall code for openVZ

  * Subroutine verify_rule fixed to correctly check only for "net\d+"
    interface device names

 -- Proxmox Support Team <support@proxmox.com>  Wed, 12 Aug 2015 12:01:43 +0200

pve-firewall (2.0-7) unstable; urgency=medium

  * added firewall code for lxc

 -- Proxmox Support Team <support@proxmox.com>  Mon, 10 Aug 2015 09:21:14 +0200

pve-firewall (2.0-6) unstable; urgency=medium

  * firewall ipversion comparison fix

 -- Proxmox Support Team <support@proxmox.com>  Tue, 04 Aug 2015 11:14:51 +0200

pve-firewall (2.0-5) unstable; urgency=medium

  * add ipv6 neighbor discovery and solicitation macros

  * ip6tables accepts both spellings of the word neighbor

 -- Proxmox Support Team <support@proxmox.com>  Mon, 27 Jul 2015 13:20:55 +0200

pve-firewall (2.0-4) unstable; urgency=medium

  * include manual page for pve-firewall

 -- Proxmox Support Team <support@proxmox.com>  Sat, 27 Jun 2015 16:26:28 +0200

pve-firewall (2.0-3) unstable; urgency=medium

  * use noawait triggers for pve-api-updates

 -- Proxmox Support Team <support@proxmox.com>  Mon, 01 Jun 2015 12:33:06 +0200

pve-firewall (2.0-2) unstable; urgency=medium

  * trigger pve-api-updates event

 -- Proxmox Support Team <support@proxmox.com>  Tue, 05 May 2015 15:10:24 +0200

pve-firewall (2.0-1) unstable; urgency=medium

  * recompile for debian jessie

 -- Proxmox Support Team <support@proxmox.com>  Fri, 27 Feb 2015 12:22:04 +0100

pve-firewall (1.0-18) unstable; urgency=low

 -- Proxmox Support Team <support@proxmox.com>  Mon, 09 Feb 2015 09:32:03 +0100

pve-firewall (1.0-17) unstable; urgency=low

  * fix restart behavior

 -- Proxmox Support Team <support@proxmox.com>  Thu, 15 Jan 2015 06:45:58 +0100

pve-firewall (1.0-16) unstable; urgency=low

  * use new Daemon class from pve-common

 -- Proxmox Support Team <support@proxmox.com>  Thu, 18 Dec 2014 09:45:07 +0100

pve-firewall (1.0-15) unstable; urgency=low

  * bug fix: load cluster conf for host rules

 -- Proxmox Support Team <support@proxmox.com>  Fri, 12 Dec 2014 06:33:28 +0100

pve-firewall (1.0-14) unstable; urgency=low

  * do not use ipset list chains

  * remove preinst script (not needed anymore)

 -- Proxmox Support Team <support@proxmox.com>  Fri, 05 Dec 2014 13:42:00 +0100

pve-firewall (1.0-13) unstable; urgency=low

  * fix ipset remove order

 -- Proxmox Support Team <support@proxmox.com>  Fri, 28 Nov 2014 12:45:48 +0100

pve-firewall (1.0-12) unstable; urgency=low

  * add preinst script to clear ipset from older installation (because
    sets cannot be swapped if their type does not match).

 -- Proxmox Support Team <support@proxmox.com>  Fri, 28 Nov 2014 08:59:38 +0100

pve-firewall (1.0-11) unstable; urgency=low

  * bug fix: correctly set ipversion for aliases in verify_rule

  * save restore commands into files to make debugging
    easier (/var/lib/pve-firewall/)

 -- Proxmox Support Team <support@proxmox.com>  Fri, 28 Nov 2014 08:04:05 +0100

pve-firewall (1.0-10) unstable; urgency=low

  * add IPv6 support for VMs (hostfw is IPv4 only)

 -- Proxmox Support Team <support@proxmox.com>  Wed, 26 Nov 2014 07:00:29 +0100

pve-firewall (1.0-9) unstable; urgency=low

  * fix max ipset name length

 -- Proxmox Support Team <support@proxmox.com>  Tue, 14 Oct 2014 16:29:34 +0200

pve-firewall (1.0-8) unstable; urgency=low

  * implement permission

 -- Proxmox Support Team <support@proxmox.com>  Mon, 08 Sep 2014 12:15:21 +0200

pve-firewall (1.0-7) unstable; urgency=low

  * proxy host rule API calls to correct node

  * always generate MAC and IP filter rules if firewall is enabled on NIC

 -- Proxmox Support Team <support@proxmox.com>  Thu, 26 Jun 2014 07:12:57 +0200

pve-firewall (1.0-6) unstable; urgency=low

  * implement ipfilter ipsets

 -- Proxmox Support Team <support@proxmox.com>  Thu, 12 Jun 2014 08:37:08 +0200

pve-firewall (1.0-5) unstable; urgency=low

  * remove ipsets when firewall disabled

 -- Proxmox Support Team <support@proxmox.com>  Wed, 04 Jun 2014 08:50:18 +0200

pve-firewall (1.0-4) unstable; urgency=low

  * depend on iptables and ipset

 -- Proxmox Support Team <support@proxmox.com>  Wed, 04 Jun 2014 06:45:33 +0200

pve-firewall (1.0-3) unstable; urgency=low

  * change dh_installinit order (register pvefw-logger before pve-firewall)

 -- Proxmox Support Team <support@proxmox.com>  Wed, 04 Jun 2014 06:24:21 +0200

pve-firewall (1.0-2) unstable; urgency=low

  * add experimental nflog logging daemon

 -- Proxmox Support Team <support@proxmox.com>  Thu, 13 Mar 2014 08:27:01 +0100

pve-firewall (1.0-1) unstable; urgency=low

 -- Proxmox Support Team <support@proxmox.com>  Mon, 03 Mar 2014 08:37:06 +0100