X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=debian%2Fchangelog;h=934947b94732a2bf6e3d3ad470140629f76344a7;hp=1307d8be003de80a197c7dbb8b44def6f58c4c8d;hb=HEAD;hpb=9a19ec817c4ed3a338d3e296fda7e1f62649a4f3 diff --git a/debian/changelog b/debian/changelog index 1307d8b..7d62a41 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,368 @@ +pve-firewall (5.0.7) bookworm; urgency=medium + + * also signal force-disable nftables if FW is completely disabled + + -- Proxmox Support Team Tue, 30 Apr 2024 10:30:16 +0200 + +pve-firewall (5.0.6) bookworm; urgency=medium + + * add flag to signal the new nftables-based proxmox-firewall that it's + disabled without the need to parse the config + + -- Proxmox Support Team Fri, 26 Apr 2024 17:19:50 +0200 + +pve-firewall (5.0.5) bookworm; urgency=medium + + * simulator: adapt to more flexible bridge naming scheme + + -- Proxmox Support Team Tue, 23 Apr 2024 13:11:43 +0200 + +pve-firewall (5.0.4) bookworm; urgency=medium + + * fix #5335: stable sorting in cluster.fw + + * add configuration option for new nftables firewall tech-preview + + -- Proxmox Support Team Fri, 19 Apr 2024 20:04:09 +0200 + +pve-firewall (5.0.3) bookworm; urgency=medium + + * fix resolution of scoped aliases in ipsets + + -- Proxmox Support Team Mon, 17 Jul 2023 10:39:28 +0200 + +pve-firewall (5.0.2) bookworm; urgency=medium + + * fix #4556: api: return scoped IPSets and aliases + + -- Proxmox Support Team Wed, 21 Jun 2023 19:17:19 +0200 + +pve-firewall (5.0.1) bookworm; urgency=medium + + * fix #4556: support 'dc/' and 'guest/' prefix for aliases and ipsets + + -- Proxmox Support Team Wed, 07 Jun 2023 16:06:10 +0200 + +pve-firewall (5.0.0) bookworm; urgency=medium + + * switch to native versioning scheme + + * build for Proxmox VE 8 / Debian 12 Bookworm + + -- Proxmox Support Team Mon, 22 May 2023 14:43:58 +0200 + +pve-firewall (4.3-2) bullseye; urgency=medium + + * fix variables declared in conditional statement + + * fix #4730: add safeguards to prevent ICMP type misuse + + -- Proxmox Support Team Tue, 16 May 2023 11:17:58 +0200 + +pve-firewall (4.3-1) bullseye; urgency=medium + + * allow entering IP address with the host bits (those inside the mask) not + being all zero non-zero, like 192.168.1.155/24 for example. + + * api: firewall logger: add optional parameters `since` and `until` for + time-range filtering + + * fix #4550: host options: add nf_conntrack_helpers to compensate that + kernel 6.1 and newer have removed the auto helpers + + -- Proxmox Support Team Fri, 17 Mar 2023 15:24:56 +0100 + +pve-firewall (4.2-7) bullseye; urgency=medium + + * fix #4018: add firewall macro for SPICE proxy + + * fix #4204: automatically update each usage of a group to the new ID when + it is renamed + + * fix #4268: add 'force' parameter to delete IPSet with members + + -- Proxmox Support Team Thu, 17 Nov 2022 19:53:04 +0100 + +pve-firewall (4.2-6) bullseye; urgency=medium + + * config defaults: document that the mac filter defaults to on + + * fix #4175: ignore non-filter ebtables tables + + * fix enabling ebtables if VM firewall config is invalid + + -- Proxmox Support Team Mon, 29 Aug 2022 09:43:53 +0200 + +pve-firewall (4.2-5) bullseye; urgency=medium + + * fix #3677 ipset get chains: handle newer ipset output for actual + change detection + + -- Proxmox Support Team Thu, 04 Nov 2021 16:37:13 +0100 + +pve-firewall (4.2-4) bullseye; urgency=medium + + * re-build to avoid issues stemming from semi-broken systemd-debhelper version + + -- Proxmox Support Team Tue, 12 Oct 2021 10:39:05 +0200 + +pve-firewall (4.2-3) bullseye; urgency=medium + + * fix #2721: remove the (nowadays) bogus reject for TCP port 43 from the + default drop and reject actions + + -- Proxmox Support Team Fri, 10 Sep 2021 13:00:07 +0200 + +pve-firewall (4.2-2) bullseye; urgency=medium + + * re-set relevant sysctls on every apply round + + -- Proxmox Support Team Mon, 21 Jun 2021 11:31:42 +0200 + +pve-firewall (4.2-1) bullseye; urgency=medium + + * fix #967: source: dest: limit length + + * re-build for Debian 11 Bullseye based releases (Proxmox VE 7) + + * fix #2358: allow -- in firewall rule config files + + -- Proxmox Support Team Wed, 12 May 2021 20:32:30 +0200 + +pve-firewall (4.1-3) pve; urgency=medium + + * fix #2773: ebtables: keep policy of custom chains + + * introduce new icmp-type parameter + + -- Proxmox Support Team Fri, 18 Sep 2020 16:51:27 +0200 + +pve-firewall (4.1-2) pve; urgency=medium + + * revert: rules: verify referenced security group exists + + -- Proxmox Support Team Wed, 06 May 2020 17:41:36 +0200 + +pve-firewall (4.1-1) pve; urgency=medium + + * logging: add missing log message for inbound rules + + * fix #2686: avoid adding 'arp-ip-src' IP filter if guests uses DHCP + + * IPSets: parse the CIDR before checking for duplicates + + * verify that a referenced security group exists + + * ICMP: fix iptables-restore failing if ICMP-type values bigger than '255' + + * ICMP: allow one to specify the 'echo-reply' (0) type also as integer + + * improve handling concurrent (parallel) access and modifications to rules + + -- Proxmox Support Team Mon, 04 May 2020 15:01:57 +0200 + +pve-firewall (4.0-10) pve; urgency=medium + + * macros: add macro for Proxmox Mail Gateway web interface + + * api node: always pass cluster conf to node FW parser to fix false positive + error message about non existing aliases, or IP sets, when querying the + node FW options GET API call. + + * grammar fix: s/does not exists/does not exist/g + + -- Proxmox Support Team Mon, 27 Jan 2020 19:25:49 +0100 + +pve-firewall (4.0-9) pve; urgency=medium + + * ensure port range used for offline storage migration and insecure migration + traffic is allowed by default rule set. + + -- Proxmox Support Team Tue, 03 Dec 2019 08:12:20 +0100 + +pve-firewall (4.0-8) pve; urgency=medium + + * increase default nf_conntrack_max to the kernel's default + + * fix some "use of uninitialized value" warnings when updating CIDRs + + * update schema documentation + + * add explicit dependency on libpve-cluster-perl + + * add support for "raw" tables + + * add options for synflood protection for host firewall: + - nf_conntrack_tcp_timeout_syn_recv + - protection_synflood: boolean + - protection_synflood_rate: SYN rate limit (default 200 per second) + - protection_synflood_burst: SYN burst limit (default 1000) + + -- Proxmox Support Team Mon, 18 Nov 2019 13:48:20 +0100 + +pve-firewall (4.0-7) pve; urgency=medium + + * only add VM chains and rules if VM firewall is enabled + + -- Proxmox Support Team Wed, 7 Aug 2019 10:55:06 +0200 + +pve-firewall (4.0-6) pve; urgency=medium + + * firewall macros: add new Ceph protocol v2 port while keeping v1 port + + -- Proxmox Support Team Tue, 23 Jul 2019 18:57:48 +0200 + +pve-firewall (4.0-5) pve; urgency=medium + + * don't use any base path at all for calls to external binaries to make use + compativle with bot, /usr merged and unmerged setups + + -- Proxmox Support Team Fri, 12 Jul 2019 11:47:53 +0200 + +pve-firewall (4.0-4) pve; urgency=medium + + * ebtables: remove PVE chains properly + + * ebtables: treat chain deletion as change + + * use /usr/sbin as base path + + -- Proxmox Support Team Thu, 11 Jul 2019 19:40:01 +0200 + +pve-firewall (4.0-3) pve; urgency=medium + + * Create corosync firewall rules independently of localnet~ + + * Display corosync rule info on localnet call + + -- Proxmox Support Team Thu, 04 Jul 2019 15:56:11 +0200 + +pve-firewall (4.0-2) pve; urgency=medium + + * fix systemd warning about PIDFile directory + + * fix CT rule generation with ipfilter set + + * pve-firewall service: update-alternative iptables and ebtables to working + legacy versions + + -- Proxmox Support Team Mon, 24 Jun 2019 20:43:21 +0200 + +pve-firewall (4.0-1) pve; urgency=medium + + * re-build for Debian Buster / PVE 6 + + -- Proxmox Support Team Tue, 21 May 2019 22:28:55 +0200 + +pve-firewall (3.0-21) unstable; urgency=medium + + * fix ipv6 PVEFW-reject + + * fix #2193: arpfilter: CT: remove mask from net IP/CIDR to avoid + ebtables doing the wrong thing here + + -- Proxmox Support Team Wed, 08 May 2019 10:09:31 +0000 + +pve-firewall (3.0-20) unstable; urgency=medium + + * use IPCC to read config and rule files, if the are backed by pmxcfs which + has better handling for pmxcfs restarts + + * fix #2178: endless loop on ipv6 extension headers + + -- Proxmox Support Team Fri, 19 Apr 2019 05:10:13 +0000 + +pve-firewall (3.0-19) unstable; urgency=medium + + * ebtables: add arp filtering + + * fix: #2123 Logging of user defined firewall rules + + * fix Razor macro + + * allow to enable/disable and modify cluster wide log ratelimits + + -- Proxmox Support Team Tue, 02 Apr 2019 11:15:16 +0200 + +pve-firewall (3.0-18) unstable; urgency=medium + + * fix #1606: Add nf_conntrack_allow_invalid option + + * log reject : add space after policy REJECT like drop + + * fix #1891: Add zsh command completion for pve-firewall + + -- Proxmox Support Team Mon, 04 Mar 2019 10:27:01 +0100 + +pve-firewall (3.0-17) unstable; urgency=medium + + * fix #2005: only allow ascii port digits + + * fix #2004: do not allow backwards ranges + + * add conntrack logging via libnetfilter_conntrack and allow one to enable + it through the firewall host configuration + + -- Proxmox Support Team Wed, 09 Jan 2019 16:56:17 +0100 + +pve-firewall (3.0-16) unstable; urgency=medium + + * api/rules: fix macro return type + + -- Proxmox Support Team Fri, 30 Nov 2018 16:02:59 +0100 + +pve-firewall (3.0-15) unstable; urgency=medium + + * fix #1971: display firewall rule properties + + -- Proxmox Support Team Fri, 23 Nov 2018 14:01:33 +0100 + +pve-firewall (3.0-14) unstable; urgency=medium + + * fix #1841: avoid ebtable reloads when containers have multiple network + interfaces + + -- Proxmox Support Team Fri, 24 Aug 2018 10:51:04 +0200 + +pve-firewall (3.0-13) unstable; urgency=medium + + * avoid unnecessary reloads of ebtable ruleset + + -- Proxmox Support Team Thu, 28 Jun 2018 14:47:16 +0200 + +pve-firewall (3.0-12) unstable; urgency=medium + + * fix deleted iptables chains not being properly detected as a change + + -- Proxmox Support Team Tue, 12 Jun 2018 12:01:02 +0200 + +pve-firewall (3.0-11) unstable; urgency=medium + + * #1764: rename 'ebtales_enable' option to 'ebtables' + + -- Proxmox Support Team Wed, 06 Jun 2018 16:18:13 +0200 + +pve-firewall (3.0-10) unstable; urgency=medium + + * fix #1764: handle existing ebtables rules and allow disabling ebtables + + * ebtables handling can be disabled via /etc/pve/firewall/cluster.fw's new + ebtables_enable option. + + -- Proxmox Support Team Tue, 29 May 2018 15:14:33 +0200 + +pve-firewall (3.0-9) unstable; urgency=medium + + * fix creation of ebltables FORWARD rule entry + + -- Proxmox Support Team Thu, 17 May 2018 14:41:27 +0200 + +pve-firewall (3.0-8) unstable; urgency=medium + + * add ebtables support for better MAC filtering + + -- Proxmox Support Team Wed, 11 Apr 2018 14:25:41 +0200 + pve-firewall (3.0-7) unstable; urgency=medium * support distinct source and destination multi-port matching