vyatta-cfg-firewall (0.13.90) unstable; urgency=low

  * PBR: config command validations, help strings etc. cleaned up and

 -- susheela Sat, 06 Oct 2012 15:09:36 -0700

vyatta-cfg-firewall (0.13.89) unstable; urgency=low

  [ Bharat ]
  * Bug 8200: Changed gred to not display shim6

  [ bharat ]

 -- bharat Thu, 04 Oct 2012 11:55:24 -0700

vyatta-cfg-firewall (0.13.88) unstable; urgency=low

  * Bug 8348: policy route <> rule <> action, 'modify' shouldn't be allowed

 -- Robert Bays Thu, 13 Sep 2012 16:53:57 -0700

vyatta-cfg-firewall (0.13.87) unstable; urgency=low

  * 8330: return rule number in error message

 -- Gaurav Sinha Thu, 13 Sep 2012 09:42:12 -0700

vyatta-cfg-firewall (0.13.86) unstable; urgency=low

  * Fixing 3167, mandate multiport values after single port, remove misleading error message

 -- Gaurav Sinha Fri, 07 Sep 2012 17:22:05 -0700

vyatta-cfg-firewall (0.13.85) unstable; urgency=low

  * reserve upper table numbers for future use

 -- Robert Bays Wed, 05 Sep 2012 15:32:06 -0700

vyatta-cfg-firewall (0.13.84) unstable; urgency=low

  * initial checkin for pbr functionality
  * update script executable permissions
  * lower priority on policy route node so it is run before interfaces
  * Add val_help for table numbers
  * Table should be between 1-250, not 1-249.
  * changes to policy tables to add accept
  * populate firewall policy tables based on refcount
  * add support for main table

 -- Robert Bays Wed, 05 Sep 2012 14:26:40 -0700

vyatta-cfg-firewall (0.13.83) unstable; urgency=low

  * fix 8200, don't allow shim6 in allowed list of ipv4 protocols for firewall

 -- Gaurav Sinha Wed, 29 Aug 2012 17:03:52 -0700

vyatta-cfg-firewall (0.13.82) unstable; urgency=low

  * add conntrack raw table ignore chain
  * move CT_IGNORE chain up, first in raw table

 -- Gaurav Sinha Wed, 22 Aug 2012 17:42:02 -0700

vyatta-cfg-firewall (0.13.81) unstable; urgency=low

  * Bugfix 8271: Remove Vestigial VRRP hooks. The implementation changed and these are no longer needed.
  * 0.13.80

 -- John Southworth Thu, 09 Aug 2012 16:53:27 -0700

vyatta-cfg-firewall (0.13.80) unstable; urgency=low

  * Bugfix 8271: Remove Vestigial VRRP hooks. The implementation changed and these are no longer needed.

 -- John Southworth Thu, 09 Aug 2012 16:53:20 -0700

vyatta-cfg-firewall (0.13.79) unstable; urgency=low

  * Bugfix 8217: VTI: add firewall cfg commands under interfaces vti
  * 0.13.78

 -- Saurabh Mohan Thu, 09 Aug 2012 14:01:58 -0700

vyatta-cfg-firewall (0.13.78) unstable; urgency=low

  * Bugfix 8217: VTI: add firewall cfg commands under interfaces vti

 -- Saurabh Mohan Thu, 09 Aug 2012 13:29:07 -0700

vyatta-cfg-firewall (0.13.77) unstable; urgency=low

  * fixing 8173: moving CT_HELPER chain just before CTTIMEOUT

 -- Gaurav Sinha Fri, 22 Jun 2012 15:21:31 -0700

vyatta-cfg-firewall (0.13.76) unstable; urgency=low

  * fix 8112

 -- Gaurav Sinha Mon, 18 Jun 2012 15:13:32 -0700

vyatta-cfg-firewall (0.13.75) unstable; urgency=low

  * Bugfix 8042: increase number of firewall groups to a reasonable number

 -- John Southworth Fri, 08 Jun 2012 14:02:27 -0700

vyatta-cfg-firewall (0.13.74) unstable; urgency=low

  * Adding functions to conditionally add CT_HELPER chain and remove when not in use, neither by FW nor by NAT.

 -- Gaurav Sinha Thu, 07 Jun 2012 22:17:09 -0700

vyatta-cfg-firewall (0.13.73) unstable; urgency=low

  * create CT_HELPER chain in PREROUTING and OUTPUT
  * don't add CTHELPER chain by default on boot. add when needed.
  * create nfct helper policies and prepare VYATTA_CT_HELPER chain

 -- Gaurav Sinha Wed, 06 Jun 2012 21:47:45 -0700

vyatta-cfg-firewall (0.13.72) unstable; urgency=low

  * Remove sudo from port-group syntax check call

 -- John Southworth Sun, 03 Jun 2012 12:16:21 -0700

vyatta-cfg-firewall (0.13.71) unstable; urgency=low

  * Make firewall syntax checks use the vyatta-util library

 -- John Southworth Sat, 02 Jun 2012 21:05:27 -0700

vyatta-cfg-firewall (0.13.70) unstable; urgency=low

  * No need to have vrrp specific interface templates anymore

 -- John Southworth Tue, 15 May 2012 20:43:09 -0700

vyatta-cfg-firewall (0.13.69) unstable; urgency=low

  * service names with hyphen need to be escaped using square brackets.

 -- Gaurav Sinha Mon, 30 Apr 2012 16:13:31 -0700

vyatta-cfg-firewall (0.13.68) unstable; urgency=low

  * fixing 7998

 -- Gaurav Sinha Mon, 16 Apr 2012 11:12:28 -0700

vyatta-cfg-firewall (0.13.67) unstable; urgency=low

  * include CT_TIMEOUT chain for conntrack timeouts.

 -- Gaurav Fri, 23 Mar 2012 18:18:39 -0700

vyatta-cfg-firewall (0.13.66) unstable; urgency=low

  * new branch

 -- Deepti Kulkarni Sat, 03 Mar 2012 02:25:26 -0800

vyatta-cfg-firewall (0.13.65) unstable; urgency=low

  * 7047: use DEFLT instead of default

 -- Gaurav Wed, 29 Feb 2012 15:59:30 -0800

vyatta-cfg-firewall (0.13.64) unstable; urgency=low

  * fixing 7047

 -- Gaurav Wed, 29 Feb 2012 13:51:06 -0800

vyatta-cfg-firewall (0.13.63) unstable; urgency=low

  * Bug Fix for 7751, 7753, 7757

 -- Mohit Mehta Fri, 24 Feb 2012 19:11:48 -0800

vyatta-cfg-firewall (0.13.62) unstable; urgency=low

  * Fix help string of state-policy for related connections

 -- Mohit Mehta Fri, 06 Jan 2012 11:37:16 -0800

vyatta-cfg-firewall (0.13.61) unstable; urgency=low

  * Create VRRP output filter to filter IGMP from vmac interfaces

 -- John Southworth Tue, 27 Dec 2011 10:32:23 -0800

vyatta-cfg-firewall (0.13.60) unstable; urgency=low

  * Setup filter for VRRP vmac interfaces

 -- John Southworth Mon, 12 Dec 2011 15:18:47 -0800

vyatta-cfg-firewall (0.13.59) unstable; urgency=low

  * Add vrrp interface parameters for bonding vifs

 -- John Southworth Fri, 02 Dec 2011 11:24:59 -0800

vyatta-cfg-firewall (0.13.58) unstable; urgency=low

  * Warn users when stateful rules are set with state-policy configured

 -- Mohit Mehta Fri, 02 Dec 2011 03:58:22 -0800

vyatta-cfg-firewall (0.13.57) unstable; urgency=low

  [ Daniil Baturin ]
  * Remove conntrack-related templates from firewall
  * Remove remaining conntrack-related templates.
  * Remove conntrack modprobe config file (will be in vyatta-conntrack now).
  * Delete conntrack modprobe config file from automake rules.

  [ John Southworth ]
  * generate firewall templates for vrrp interfaces

 -- John Southworth Thu, 01 Dec 2011 16:54:09 -0800

vyatta-cfg-firewall (0.13.56) unstable; urgency=low

  * Bug 6063 ENH: Provide option(s) to globally allow stateful return traffic

 -- Mohit Mehta Thu, 01 Dec 2011 05:38:33 -0800

vyatta-cfg-firewall (0.13.55) unstable; urgency=low

  * Move check-params-on-reboot script for conntrack hash size to

 -- Daniil Baturin Thu, 24 Nov 2011 01:05:16 +0700

vyatta-cfg-firewall (0.13.54) unstable; urgency=low

  * Remove conntrack-related code from firewall top level template

 -- Daniil Baturin Tue, 08 Nov 2011 04:15:53 +0700

vyatta-cfg-firewall (0.13.53) unstable; urgency=low

  * Force release

 -- Daniil Baturin Sat, 05 Nov 2011 06:16:01 +0700

vyatta-cfg-firewall (0.13.52) unstable; urgency=low

  * Remove conntrack-related templates from firewall
  * Remove remaining conntrack-related templates.
  * Remove conntrack modprobe config file (will be in vyatta-conntrack now).
  * Change firewall version from 4 to 5.
  * Fix automake rules to reflect version change and removal of conntrack modprobe config.

 -- Daniil Baturin Sat, 05 Nov 2011 06:14:59 +0700

vyatta-cfg-firewall (0.13.51) unstable; urgency=low

  * Add support for vif on pseudo-ethernet
  * fix duplicate definition in Makefile
  * Add dependency on version of vyatta-cfg-system

 -- Stephen Hemminger Thu, 03 Nov 2011 14:41:47 -0700

vyatta-cfg-firewall (0.13.50) unstable; urgency=low

  [ Stig ]
  * Fix Bug 7477 firewall group negation doesn't work in vc6.3

  [ Mohit Mehta ]

 -- Mohit Mehta Mon, 29 Aug 2011 14:44:37 -0700

vyatta-cfg-firewall (0.13.49) unstable; urgency=low

  * Fix README

 -- Mohit Mehta Mon, 18 Jul 2011 19:02:05 -0700

vyatta-cfg-firewall (0.13.48) unstable; urgency=low

  * Fix Bug 7340 Unable to apply modify firewall to interface when zone policy exists

 -- Mohit Mehta Fri, 15 Jul 2011 12:04:29 -0700

vyatta-cfg-firewall (0.13.47) unstable; urgency=low

  * new branch

 -- Deepti Kulkarni Thu, 07 Jul 2011 20:55:14 -0700

vyatta-cfg-firewall (0.13.46) unstable; urgency=low

  * add "two-stage commit" equivalent to previous fix for bug 5227.

 -- An-Cheng Huang Fri, 20 May 2011 12:17:44 -0700

vyatta-cfg-firewall (0.13.45) unstable; urgency=low

  * modify firewall groups to work with new commit

 -- An-Cheng Huang Tue, 10 May 2011 09:22:01 +0800

vyatta-cfg-firewall (0.13.44) unstable; urgency=low

  * Fix Bug 6915 conntrack-hash-size reverts to default after upgrade

 -- Mohit Mehta Mon, 18 Apr 2011 18:17:25 -0700

vyatta-cfg-firewall (0.13.43) unstable; urgency=low

  * more ipset 6.0 change

 -- An-Cheng Huang Mon, 07 Mar 2011 11:42:28 -0800

vyatta-cfg-firewall (0.13.42) unstable; urgency=low

  * changes for ipset 6.0

 -- An-Cheng Huang Fri, 04 Mar 2011 19:14:31 -0800

vyatta-cfg-firewall (0.13.41) unstable; urgency=low

  * Partial fix for bug 6759 serial packages are incorrectly included in virt ISO

 -- Mohit Mehta Wed, 02 Feb 2011 12:05:35 -0800

vyatta-cfg-firewall (0.13.40) unstable; urgency=low

  * Fix Bug 6292 iptables chain-name must be reduced to 28 characters max

 -- Mohit Mehta Mon, 10 Jan 2011 17:36:06 -0800

vyatta-cfg-firewall (0.13.39) unstable; urgency=low

  * new branch

 -- An-Cheng Huang Tue, 28 Dec 2010 13:47:02 -0800

vyatta-cfg-firewall (0.13.38) unstable; urgency=low

  * Fix help text for firewall interface rules

 -- Stephen Hemminger Mon, 06 Dec 2010 17:08:10 -0800

vyatta-cfg-firewall (0.13.37) unstable; urgency=low

  * Fix help text in generated templates

 -- Stephen Hemminger Fri, 03 Dec 2010 13:48:09 -0800

vyatta-cfg-firewall (0.13.36) unstable; urgency=low

  * Fix 6442: Request to remove "Error: ipt_disable_conntrack failed to find

 -- Stig Thormodsrud Mon, 29 Nov 2010 17:27:49 -0800

vyatta-cfg-firewall (0.13.35) unstable; urgency=low

  * Show if logging is enabled on the default action.

 -- Stig Thormodsrud Mon, 29 Nov 2010 15:01:47 -0800

vyatta-cfg-firewall (0.13.34) unstable; urgency=low

  * Use regex to test for name length rather than wc program

 -- Stephen Hemminger Wed, 24 Nov 2010 09:12:43 -0800

vyatta-cfg-firewall (0.13.33) unstable; urgency=low

  * Updated to change in error location api.

 -- Michael Larson Tue, 16 Nov 2010 09:36:48 -0800

vyatta-cfg-firewall (0.13.32) unstable; urgency=low

  * Fix Bug 6421 cannot set content-inspection in the same

 -- Mohit Mehta Thu, 11 Nov 2010 18:09:13 -0800

vyatta-cfg-firewall (0.13.31) unstable; urgency=low

  * Fix 5247: Firewall groups CLI becomes out of sync with ipset when sets and deletes are contained within a single commit

 -- Stig Thormodsrud Sat, 30 Oct 2010 13:20:25 -0700

vyatta-cfg-firewall (0.13.30) unstable; urgency=low

  * use single variable to reference firewall IN and OUT hooks
  * add local hook setup/tear for filter table similar to in|out hooks

 -- Mohit Mehta Tue, 19 Oct 2010 18:59:56 -0700

vyatta-cfg-firewall (0.13.29) unstable; urgency=low

  * Change snort queue target use default queue.

 -- Stig Thormodsrud Fri, 15 Oct 2010 18:16:38 -0700

vyatta-cfg-firewall (0.13.28) unstable; urgency=low

  * Fix 6296: "iptables: No chain..." message when committing the firewall group configuration.

 -- Stig Thormodsrud Fri, 15 Oct 2010 16:38:25 -0700

vyatta-cfg-firewall (0.13.27) unstable; urgency=low

  * missing paren

 -- root Fri, 15 Oct 2010 16:09:48 -0700

vyatta-cfg-firewall (0.13.26) unstable; urgency=low

  * additional errors w/ location of error.

 -- root Fri, 15 Oct 2010 15:08:19 -0700

vyatta-cfg-firewall (0.13.25) unstable; urgency=low

  [ Stephen Hemminger ]
  * Use Sys::Syslog to avoid calling logger excessively

  [ Stig Thormodsrud ]
  * Add Iptables::Mgr route to get queue target.

 -- Stig Thormodsrud Thu, 14 Oct 2010 14:11:01 -0700

vyatta-cfg-firewall (0.13.24) unstable; urgency=low

  * Fix dependency on sysklogd
  * Fix dependency on virtual-package

 -- Stephen Hemminger Thu, 07 Oct 2010 11:41:43 -0700

vyatta-cfg-firewall (0.13.23) unstable; urgency=low

  * move chain_referenced function to Mgr.pm module

 -- Mohit Mehta Fri, 01 Oct 2010 11:32:43 -0700

vyatta-cfg-firewall (0.13.22) unstable; urgency=low

  * move count_iptables_rule to Iptables::Mgr and update its usage

 -- Mohit Mehta Tue, 21 Sep 2010 21:16:45 -0700

vyatta-cfg-firewall (0.13.21) unstable; urgency=low

  * separate out post fw hooks for IN, FWD, OUT. Use count_iptables_rule from lib

 -- Mohit Mehta Tue, 21 Sep 2010 17:35:13 -0700

vyatta-cfg-firewall (0.13.20) unstable; urgency=low

  * rename existing file no matter what; don't need the -n flag

 -- Mohit Mehta Mon, 13 Sep 2010 15:34:09 -0700

vyatta-cfg-firewall (0.13.19) unstable; urgency=low

  * Fix bug 6149 Warning on boot because of modprobe config file names

 -- Mohit Mehta Mon, 13 Sep 2010 15:03:33 -0700

vyatta-cfg-firewall (0.13.18) unstable; urgency=low

  * Fix Bug 6149 Warning on boot because of modprobe config file names

 -- Mohit Mehta Mon, 13 Sep 2010 14:07:16 -0700

vyatta-cfg-firewall (0.13.17) unstable; urgency=low

  * Fix Bug 5309 Allow modifying TCP MSS option

 -- Mohit Mehta Fri, 10 Sep 2010 16:49:42 -0700

vyatta-cfg-firewall (0.13.16) unstable; urgency=low

  * add Replaces field for vyatta-cfg-firewall-serial

 -- An-Cheng Huang Wed, 08 Sep 2010 11:33:31 -0700

vyatta-cfg-firewall (0.13.15) unstable; urgency=low

  * Split serial templates into separate package

 -- Stephen Hemminger Tue, 07 Sep 2010 08:54:41 -0700

vyatta-cfg-firewall (0.13.14) unstable; urgency=low

  * UNRELEASED

 -- An-Cheng Huang Thu, 02 Sep 2010 18:28:11 -0700

vyatta-cfg-firewall (0.13.13) unstable; urgency=low

  * Fix 6125: iptables errors on boot up of mendocino

 -- Stig Thormodsrud Tue, 31 Aug 2010 16:09:26 -0700

vyatta-cfg-firewall (0.13.12) unstable; urgency=low

  * remove low-level config dir usage

 -- An-Cheng Huang Tue, 17 Aug 2010 18:24:25 -0700

vyatta-cfg-firewall (0.13.11) unstable; urgency=low

  * update help text to use val_help

 -- An-Cheng Huang Tue, 17 Aug 2010 15:31:04 -0700

vyatta-cfg-firewall (0.13.10) unstable; urgency=low

  [ Mohit Mehta ]
  * fix range in help strings for count parameter under recent
  * fix bug 6055 firewall rule help strings are confusing

  [ Stig Thormodsrud ]
  * Fix 5917: FW: Max characters exceeded for ipset rule when using "set firewall

 -- Stig Thormodsrud Tue, 17 Aug 2010 10:58:05 -0700

vyatta-cfg-firewall (0.13.9) unstable; urgency=low

  * remove low-level config dir usage

 -- An-Cheng Huang Mon, 16 Aug 2010 18:32:41 -0700

vyatta-cfg-firewall (0.13.8) unstable; urgency=low

  * remove CLI backend env variables usage
  * get rid of lintian warnings

 -- An-Cheng Huang Wed, 11 Aug 2010 18:46:50 -0700

vyatta-cfg-firewall (0.13.7-94) unstable; urgency=low

  [ Stephen Hemminger ]
  * Convert firewall rules to val_help:

  [ Stig Thormodsrud ]
  * Fix 5917: FW: Max characters exceeded for ipset rule when using "set firewall group address-group" command

 -- Stig Thormodsrud Tue, 27 Jul 2010 15:58:57 -0700

vyatta-cfg-firewall (0.13.7-93) unstable; urgency=low

  * UNRELEASED

 -- An-Cheng Huang Thu, 22 Jul 2010 17:23:10 -0700

vyatta-cfg-firewall (0.13.7-92) unstable; urgency=low

  * undo verb usage at the start of help strings

 -- Mohit Mehta Wed, 21 Jul 2010 14:10:52 -0700

vyatta-cfg-firewall (0.13.7-91) unstable; urgency=low

  * Fix bug 4629 configuration limit of recent count firewall rule is 20

 -- Mohit Mehta Thu, 15 Jul 2010 10:55:42 -0700

vyatta-cfg-firewall (0.13.7-90) unstable; urgency=low

  * Fix Bug 5744 unable to use firewall group with recent match condition

 -- Mohit Mehta Tue, 13 Jul 2010 18:54:01 -0700

vyatta-cfg-firewall (0.13.7-89) unstable; urgency=low

  * Don't tear down conntrack if the other table is using it.

 -- Stig Thormodsrud Sat, 12 Jun 2010 15:47:49 -0700

vyatta-cfg-firewall (0.13.7-88) unstable; urgency=low

  * Don't create FW_CONNTRACK if it already exists.

 -- Stig Thormodsrud Sat, 12 Jun 2010 15:20:36 -0700

vyatta-cfg-firewall (0.13.7-87) unstable; urgency=low

  * Add support for firewall enable-default-log.

 -- Stig Thormodsrud Fri, 11 Jun 2010 18:10:17 -0700

vyatta-cfg-firewall (0.13.7-86) unstable; urgency=low

  * Fix ipt_disable_conntrack() to delete correct chain.

 -- Stig Thormodsrud Fri, 11 Jun 2010 10:21:10 -0700

vyatta-cfg-firewall (0.13.7-85) unstable; urgency=low

  * Infrastructure needed for bug 5583.

 -- Stig Thormodsrud Thu, 10 Jun 2010 15:02:08 -0700

vyatta-cfg-firewall (0.13.7-84) unstable; urgency=low

  * Bugfix 5632: Add ability to configure SIP UDP port numbers.

 -- Bob Gilligan Mon, 31 May 2010 00:36:47 -0700

vyatta-cfg-firewall (0.13.7-83) unstable; urgency=low

  * need to restart conntrackd when conntrack table size changes

 -- Mohit Mehta Thu, 20 May 2010 19:28:57 -0700

vyatta-cfg-firewall (0.13.7-82) unstable; urgency=low

  * Fix Bug 5588 Add ability to modify conntrack expectation table size

 -- Mohit Mehta Mon, 17 May 2010 15:29:58 -0700

vyatta-cfg-firewall (0.13.7-81) unstable; urgency=low

  * add input interface templates
  * Make sure perl packages load successfully

 -- Stephen Hemminger Thu, 06 May 2010 16:19:09 -0700

vyatta-cfg-firewall (0.13.7-80) unstable; urgency=low

  * Add VYATTA_PRE_DNAT_HOOK in nat PREROUTING table.

 -- Stig Thormodsrud Fri, 09 Apr 2010 14:54:20 -0700

vyatta-cfg-firewall (0.13.7-79) unstable; urgency=low

  * Fix 5203: negation in firewall rule causes deprecation message

 -- Stig Thormodsrud Wed, 24 Mar 2010 17:12:32 -0700

vyatta-cfg-firewall (0.13.7-78) unstable; urgency=low

  * Fix firewall group parent delete while still referenced.

 -- Stig Thormodsrud Thu, 18 Mar 2010 19:45:24 -0700

vyatta-cfg-firewall (0.13.7-77) unstable; urgency=low

  * Fix 5453: can't delete "address" under "firewall group <> address-group <>"

 -- Stig Thormodsrud Wed, 17 Mar 2010 16:43:04 -0700

vyatta-cfg-firewall (0.13.7-76) unstable; urgency=low

  * Fix 5453: can't delete "address" under "firewall group <> address-group <>"

 -- Stig Thormodsrud Wed, 17 Mar 2010 14:32:14 -0700

vyatta-cfg-firewall (0.13.7-75) unstable; urgency=low

  * Fix firewall conntrack teardown.

 -- Stig Thormodsrud Fri, 05 Mar 2010 11:43:23 -0800

vyatta-cfg-firewall (0.13.7-74) unstable; urgency=low

  * UNRELEASED

 -- An-Cheng Huang Wed, 17 Feb 2010 16:13:01 -0800

vyatta-cfg-firewall (0.13.7-73) unstable; urgency=low

  * Fix 5227: firewall group config can get out of sync with ipset

 -- Stig Thormodsrud Mon, 15 Feb 2010 13:10:57 -0800

vyatta-cfg-firewall (0.13.7-72) unstable; urgency=low

  [ Stephen Hemminger ]
  * Remove old Xorp template

  [ Stig Thormodsrud ]
  * Fix 5326: firewall group address range wraps at 255.

 -- Stig Thormodsrud Fri, 12 Feb 2010 13:12:03 -0800

vyatta-cfg-firewall (0.13.7-71) unstable; urgency=low

  * Fix 5248: Firewall config and show commands hang when showing and committing address groups.

 -- Stig Thormodsrud Fri, 22 Jan 2010 15:01:46 -0800

vyatta-cfg-firewall (0.13.7-70) unstable; urgency=low

  * Add same restrictions to ipv6-firewall name

 -- Stephen Hemminger Mon, 04 Jan 2010 16:08:14 -0800

vyatta-cfg-firewall (0.13.7-69) unstable; urgency=low

  * Add VIF for wireless templates
  * Don't allow spaces or other shell-confusing characters in firewall name

 -- Stephen Hemminger Mon, 04 Jan 2010 15:26:19 -0800

vyatta-cfg-firewall (0.13.7-68) unstable; urgency=low

  * Fix Bug 5173 Firewall becomes out of sync with iptables when logging is used

 -- Mohit Mehta Tue, 22 Dec 2009 21:01:08 -0800

vyatta-cfg-firewall (0.13.7-67) unstable; urgency=low

  * added required keyword to help text.

 -- Michael Larson Mon, 30 Nov 2009 15:31:39 -0800

vyatta-cfg-firewall (0.13.7-66) unstable; urgency=low

  * dependency update

 -- Michael Larson Fri, 13 Nov 2009 14:16:15 -0800

vyatta-cfg-firewall (0.13.7-65) unstable; urgency=low

  * move priority after tag nodes.

 -- slioch Wed, 21 Oct 2009 09:18:12 -0700

vyatta-cfg-firewall (0.13.7-64) unstable; urgency=low

  * add priority to node.def files.

 -- slioch Tue, 20 Oct 2009 16:22:22 -0700

vyatta-cfg-firewall (0.13.7-63) unstable; urgency=low

  * Change syntax exec to syntax pattern.

 -- Stig Thormodsrud Fri, 02 Oct 2009 18:18:32 -0700

vyatta-cfg-firewall (0.13.7-62) unstable; urgency=low

  * Bugfix 4951: Don't fail if IPv6 kernel module is not loaded.

 -- Bob Gilligan Tue, 22 Sep 2009 15:54:19 -0700

vyatta-cfg-firewall (0.13.7-61) unstable; urgency=low

  [ rbays ]
  * fix for bug 4794 SIP Helper/ALG module does not translate RTP traffic...

 -- Mohit Mehta Mon, 31 Aug 2009 12:29:12 -0700

vyatta-cfg-firewall (0.13.7-60) unstable; urgency=low

  * Add templates for wireless devices

 -- Stephen Hemminger Thu, 20 Aug 2009 13:42:49 -0700

vyatta-cfg-firewall (0.13.7-59) unstable; urgency=low

  * Fix Bug 3625 Firewall protocol option should have a selection for TCP and UDP

 -- Mohit Mehta Fri, 07 Aug 2009 18:56:15 -0700

vyatta-cfg-firewall (0.13.7-58) unstable; urgency=low

  * prevent possible situation where the two iptables rules for match condition

 -- Mohit Mehta Thu, 06 Aug 2009 12:01:29 -0700

vyatta-cfg-firewall (0.13.7-57) unstable; urgency=low

  [ Stig Thormodsrud ]
  * Fix 4683: Firewall Rule number maximum 1024 reached
  * Another attempt to fix 4760.

  [ Mohit Mehta ]
  * add tcp_udp as a valid key to hash. feature developer is responsible

 -- Mohit Mehta Wed, 05 Aug 2009 12:35:54 -0700

vyatta-cfg-firewall (0.13.7-56) unstable; urgency=low

  [ Stephen Hemminger ]
  * remove pseudo-ethernet vif

 -- Stig Thormodsrud Fri, 10 Jul 2009 16:57:49 -0700

vyatta-cfg-firewall (0.13.7-55) unstable; urgency=low

  * Firewall groups fail on bootup - change syntax check to commit check.
  * Fix negate of firewall group.

 -- Stig Thormodsrud Mon, 15 Jun 2009 18:11:15 -0700

vyatta-cfg-firewall (0.13.7-54) unstable; urgency=low

  * Fix 4581: Firewall name issue causes failed commit

 -- Stig Thormodsrud Sun, 14 Jun 2009 11:25:43 -0700

vyatta-cfg-firewall (0.13.7-53) unstable; urgency=low

  * Change syntax err msg from default-policy to default-action.

 -- Stig Thormodsrud Tue, 02 Jun 2009 20:23:39 -0700

vyatta-cfg-firewall (0.13.7-52) unstable; urgency=low

  * Change firewall default-policy to default-action.

 -- Stig Thormodsrud Tue, 02 Jun 2009 18:52:16 -0700

vyatta-cfg-firewall (0.13.7-51) unstable; urgency=low

  * fix syntax error message

 -- Mohit Mehta Tue, 02 Jun 2009 18:03:59 -0700

vyatta-cfg-firewall (0.13.7-50) unstable; urgency=low

  * Make firewall group comp_help more consistent with the rest of the cli.

 -- Stig Thormodsrud Tue, 02 Jun 2009 15:41:44 -0700

vyatta-cfg-firewall (0.13.7-49) unstable; urgency=low

  * add default value of 1 for 'limit burst' in its node.def

 -- Mohit Mehta Tue, 02 Jun 2009 12:25:46 -0700

vyatta-cfg-firewall (0.13.7-48) unstable; urgency=low

  * UNRELEASED

 -- An-Cheng Huang Fri, 29 May 2009 18:35:06 -0700

vyatta-cfg-firewall (0.13.7-47) unstable; urgency=low

  * Bugfix 4462: Fix typo in interface name references.

 -- Bob Gilligan Thu, 28 May 2009 15:39:53 -0700

vyatta-cfg-firewall (0.13.7-46) unstable; urgency=low

  [ Stephen Hemminger ]
  * remove unused ifrename

  [ Mohit Mehta ]
  * explicitly set conntrack table size to 16384 on system boot

 -- Mohit Mehta Wed, 27 May 2009 14:08:26 -0700

vyatta-cfg-firewall (0.13.7-45) unstable; urgency=low

  * Fix 4390: Firewall config error: Cannot specify multiple ports when both

 -- Stig Thormodsrud Thu, 14 May 2009 16:43:44 -0700

vyatta-cfg-firewall (0.13.7-44) unstable; urgency=low

  * rectify regex check

 -- Mohit Mehta Wed, 13 May 2009 18:18:58 -0700

vyatta-cfg-firewall (0.13.7-43) unstable; urgency=low

  * Fix Bug 4394 reject is an invalid action for rules in modify rulesets

 -- Mohit Mehta Tue, 12 May 2009 12:17:15 -0700

vyatta-cfg-firewall (0.13.7-42) unstable; urgency=low

  * Add 'reject' as a configurable value for default-policy

 -- Mohit Mehta Mon, 11 May 2009 16:58:26 -0700

vyatta-cfg-firewall (0.13.7-41) unstable; urgency=low

  [ Bob Gilligan ]
  * Bugfix 4340: Enable net.netfilter.nf_conntrack_tcp_be_liberal by default.

  [ Mohit Mehta ]
  * Fix Bug 4388 firewall name shouldn't have been set after commit failed

 -- Mohit Mehta Fri, 08 May 2009 17:19:24 -0700

vyatta-cfg-firewall (0.13.7-40) unstable; urgency=low

  * don't allow user to create a chain that exists in the system. This may be

 -- Mohit Mehta Tue, 05 May 2009 11:51:19 -0700

vyatta-cfg-firewall (0.13.7-39) unstable; urgency=low

  * setup table only for specific tree, not both filter and mangle

 -- Mohit Mehta Fri, 01 May 2009 16:33:59 -0700

vyatta-cfg-firewall (0.13.7-38) unstable; urgency=low

  * Handle files moved from other packages to this package.

 -- Bob Gilligan Wed, 29 Apr 2009 16:01:44 -0700

vyatta-cfg-firewall (0.13.7-37) unstable; urgency=low

  * Rename virtual-ethernet to pseudo-ethernet

 -- Stephen Hemminger Wed, 29 Apr 2009 12:33:08 -0700

vyatta-cfg-firewall (0.13.7-36) unstable; urgency=low

  * outlaw applying firewall to an interface that is defined under a zone

 -- Mohit Mehta Mon, 27 Apr 2009 17:20:49 -0700

vyatta-cfg-firewall (0.13.7-35) unstable; urgency=low

  * Disable firewall debugging by default.

 -- Stig Thormodsrud Mon, 27 Apr 2009 15:37:15 -0700

vyatta-cfg-firewall (0.13.7-34) unstable; urgency=low

  * enable/disable conntrack separately for ipv4/ipv6

 -- Stig Thormodsrud Fri, 24 Apr 2009 18:17:26 -0700

vyatta-cfg-firewall (0.13.7-33) unstable; urgency=low

  * Move setup/teardown out from top-level firewall node.

 -- Stig Thormodsrud Fri, 24 Apr 2009 16:20:03 -0700

vyatta-cfg-firewall (0.13.7-32) unstable; urgency=low

  [ Stephen Hemminger ]
  * Add support for virtual-ethernet

  [ Bob Gilligan ]
  * bugfix 4297: Don't allow modify rulesets on local traffic.

 -- Bob Gilligan Fri, 24 Apr 2009 14:32:27 -0700

vyatta-cfg-firewall (0.13.7-31) unstable; urgency=low

  * Fix Bug 4261 - Features missing in various firewall sub-trees

 -- Mohit Mehta Wed, 22 Apr 2009 16:25:44 -0700

vyatta-cfg-firewall (0.13.7-30) unstable; urgency=low

  * Add conntrack and post firewall hooks for IPv6.

 -- Bob Gilligan Mon, 13 Apr 2009 15:15:40 -0700

vyatta-cfg-firewall (0.13.7-29) unstable; urgency=low

  * Move firewall "end" processing down to each table.
  * Fix bug where an empty firewall rule deletes the default drop policy.

 -- Stig Thormodsrud Mon, 13 Apr 2009 13:58:29 -0700

vyatta-cfg-firewall (0.13.7-28) unstable; urgency=low

  * Fix faulty search loop.
  * Add ability for firename to select default policy.

 -- Stig Thormodsrud Thu, 09 Apr 2009 11:28:51 -0700

vyatta-cfg-firewall (0.13.7-27) unstable; urgency=low

  * Apply interface firewalls to separate VYATTA_(IN|OUT)_HOOK.

 -- Stig Thormodsrud Tue, 07 Apr 2009 19:46:53 -0700

vyatta-cfg-firewall (0.13.7-26) unstable; urgency=low

  * Bugfix 4261: Add support to configure "limit" for IPv6 modify rulesets.

 -- Bob Gilligan Fri, 03 Apr 2009 14:21:44 -0700

vyatta-cfg-firewall (0.13.7-25) unstable; urgency=low

  * Bugfix 4261: Add support to configure "limit" in IPv6.

 -- Bob Gilligan Fri, 03 Apr 2009 14:13:10 -0700

vyatta-cfg-firewall (0.13.7-24) unstable; urgency=low

  [ Stig Thormodsrud ]
  * Allow user configurable default-policy on firewall.
  * Revert "Allow user configurable default-policy on firewall."

  [ Stephen Hemminger ]
  * Cleanup perl code that generates templates

  [ Stig Thormodsrud ]
  * Remove extra carriage return that was breaking the generated firewall

 -- Stig Thormodsrud Tue, 31 Mar 2009 18:02:34 -0700

vyatta-cfg-firewall (0.13.7-23) unstable; urgency=low

  * add 'redirect' to Valid ICMPv6 Types

 -- Mohit Mehta Thu, 26 Mar 2009 11:32:39 -0700

vyatta-cfg-firewall (0.13.7-22) unstable; urgency=low

  * Doing strict ES won't work for router

 -- Stephen Hemminger Fri, 13 Mar 2009 10:19:02 -0700

vyatta-cfg-firewall (0.13.7-21) unstable; urgency=low

  * Enable strict host matching
  * Don't use -P

 -- Stephen Hemminger Thu, 12 Mar 2009 11:32:50 -0700

vyatta-cfg-firewall (0.13.7-20) unstable; urgency=low

  * Bugfix 4203: Name of template should be classical-ipoa, not classical_ipoa

 -- Bob Gilligan Tue, 10 Mar 2009 16:34:31 -0700

vyatta-cfg-firewall (0.13.7-19) unstable; urgency=low

  * Automatically generate more per-interface firewall templates.

 -- Bob Gilligan Mon, 09 Mar 2009 11:19:04 -0700

vyatta-cfg-firewall (0.13.7-18) unstable; urgency=low

  * Remove per-interface firewall templates; They are now generated.

 -- Bob Gilligan Fri, 06 Mar 2009 17:09:08 -0800

vyatta-cfg-firewall (0.13.7-17) unstable; urgency=low

  * Don't attempt to delete ruleset from "other" trees

 -- Bob Gilligan Wed, 04 Mar 2009 12:00:51 -0800

vyatta-cfg-firewall (0.13.7-16) unstable; urgency=low

  * Fix generated templates for ethernet vifs.

 -- Bob Gilligan Tue, 03 Mar 2009 18:15:47 -0800

vyatta-cfg-firewall (0.13.7-15) unstable; urgency=low

  [ Stig Thormodsrud ]
  * Revert "Make sure to quote $VAR(@)."
  * Use single quote around $VAR(@).

  [ Bob Gilligan ]
  * The generated-templates directory holds only derived files.

  [ Stig Thormodsrud ]
  * Add allow/comp_help to firewall action.
  * Limit address range to a /24, but make easy to change if it's deemed too restrictive.
  * Prevent ';' from being used in a firewall name.
  * Fix 3422: fw logging fails if logprefix is too long (> 29 characters)

 -- Stig Thormodsrud Sun, 01 Mar 2009 12:17:09 -0800

vyatta-cfg-firewall (0.13.7-14) unstable; urgency=low

  [ Stig Thormodsrud ]
  * Limit firewall name to 29 characters since that is the iptables/ip6tables

  [ Mohit Mehta ]
  * add ipv6 accept_redirects and accept_source_route under firewall

  [ Stig Thormodsrud ]
  * Make sure to quote $VAR(@).

  [ Mohit Mehta ]

 -- Mohit Mehta Tue, 24 Feb 2009 18:56:15 -0800

vyatta-cfg-firewall (0.13.7-13) unstable; urgency=low

  [ Mohit Mehta ]
  * Fix Bug 4150 enable loose reverse path filtering

  [ Bob Gilligan ]
  * Allow IPv6 firewall rulesets to be configured on an interface independent of IPv4.

 -- Bob Gilligan Tue, 24 Feb 2009 16:43:15 -0800

vyatta-cfg-firewall (0.13.7-12) unstable; urgency=low

  * Add "ipv6-modify" firewall configuration sub-tree.

 -- Bob Gilligan Mon, 23 Feb 2009 12:00:44 -0800

vyatta-cfg-firewall (0.13.7-11) unstable; urgency=low

  * Fix Bug 3951 default values for kernel tunable security parameters under firewall
  * Fix Bug 3951 default values for kernel tunable security parameters under firewall

 -- Mohit Mehta Thu, 19 Feb 2009 19:14:17 -0800

vyatta-cfg-firewall (0.13.7-10) unstable; urgency=low

  * Multiple updates for IPv6:

 -- Bob Gilligan Wed, 18 Feb 2009 16:52:51 -0800

vyatta-cfg-firewall (0.13.7-9) UNRELEASED; urgency=low

  * Add check for address range starting with higher address.
  * Add natural-order sort for displaying address/network groups.

 -- Stig Thormodsrud Mon, 16 Feb 2009 13:28:42 -0800

vyatta-cfg-firewall (0.13.7-8) UNRELEASED; urgency=low

  * Add support for ranges in firewall group address & port.
  * Change delete_member_range to use the same subnet prefix.
  * Reduce duplicate code.

 -- Stig Thormodsrud Mon, 16 Feb 2009 11:59:41 -0800

vyatta-cfg-firewall (0.13.7-7) unstable; urgency=low

  [ Mohit Mehta ]
  * no need to use loop to echo allowed values

  [ Stig Thormodsrud ]
  * Add allow values for firewall groups.
  * Add firewall group nodes to firewall modify.
  * Add check for combining network-group and address-group.
  * Add support for "show firewall group".
  * Cache exists() to reduce calls to external /usr/sbin/ipset.
  * Add show-set to display all sets.

  [ Mohit Mehta ]
  * Fix Bug 4074 firewall broadcast ping parameter needs to be clarified

  [ Stig Thormodsrud ]
  * Add description and references to "show firewall group".
  * Make "show firewall group" work for operator.

 -- Stig Thormodsrud Fri, 13 Feb 2009 20:52:51 -0800

vyatta-cfg-firewall (0.13.7-6) unstable; urgency=low

  [ Stig Thormodsrud ]
  * Add back parameter that was dropped when converting to use run_cmd().
  * Add more firewall group validation before calling ipset.
  * Add more validation of firewall network-group before calling ipset.
  * Add space in front of match rule just in case other match rules don't.
  * Clean up mapping between vyatta firewall group_type vs ipset set_type.
  * Change sudo usage to be more consistent.
  * Add check for combination of IP range and network-group.

  [ Mohit Mehta ]
  * better off storing icmp type-names than depend on iptables help

 -- Mohit Mehta Thu, 12 Feb 2009 17:33:55 -0800

vyatta-cfg-firewall (0.13.7-5) unstable; urgency=low

  * Delete commented out code.
  * Add validation of group type.
  * Add carriage return to error message.

 -- Stig Thormodsrud Mon, 09 Feb 2009 10:22:42 -0800

vyatta-cfg-firewall (0.13.7-4) unstable; urgency=low

  * changing debian version string

 -- Mohit Mehta Thu, 05 Feb 2009 18:52:36 -0800

vyatta-cfg-firewall (0.13.7-3) unstable; urgency=low

  [ Stig Thormodsrud ]
  * Reduce duplicate code.
  * Reduce duplicate code in setup/setupOrig.
  * Add validation that group and non-groups can't be used in the same src/dst rule.
  * Reduce duplicate code in setup/setupOrig.
  [ Mohit Mehta ]
  * display appropriate anywhere address depending on IPv4 or IPv6

 -- Mohit Mehta Thu, 05 Feb 2009 18:41:00 -0800

vyatta-cfg-firewall (0.13.7-2) unstable; urgency=low

  [ Bob Gilligan ]
  * Rever to specific IP version in help text.
  * Bugfix 4052: Support PPPOE over an ethernet VIF.

  [ Stig Thormodsrud ]
  * Add 1st pass of firewall group support (ipset netfilter module
  * Fix call to returnValue that should be returnOrigValue.

  [ Stephen Hemminger ]
  * Remove prototype
  * Enable strict checking
  * Fix perlcritic warnings
  * Turn on strict checking and fix warnings

 -- Stephen Hemminger Tue, 03 Feb 2009 09:24:52 -0800

vyatta-cfg-firewall (0.13.7-1) unstable; urgency=low

  * Fix Bug 2741 ENH: filter based on ICMP Type/code by name

 -- Mohit Mehta Fri, 30 Jan 2009 18:39:18 -0800

vyatta-cfg-firewall (0.13.7) unstable; urgency=low

  [ Bob Gilligan ]
  * Add support for IPv6 address ranges.

  [ Mohit Mehta ]
  * Use iptables comment to identify CLI rule numbers in iptables output

 -- Mohit Mehta Fri, 30 Jan 2009 11:17:19 -0800

vyatta-cfg-firewall (0.13.6) unstable; urgency=low

  * Fix Bug 2474 https://bugzilla.vyatta.com/show_bug.cgi?id=2474

 -- Mohit Mehta Mon, 26 Jan 2009 16:45:01 -0800

vyatta-cfg-firewall (0.13.5) unstable; urgency=low

  * Bugfix 4062: Don't reference parameters outside the config tree.

 -- Bob Gilligan Fri, 23 Jan 2009 14:09:27 -0800

vyatta-cfg-firewall (0.13.4) unstable; urgency=low

  * Initial support for IPv6.
 -- Bob Gilligan Thu, 22 Jan 2009 13:36:29 -0800

vyatta-cfg-firewall (0.13.3) unstable; urgency=low

  * UNRELEASED
  * - Fix Bug 2223 Add rate limiting / burst limiting functions to the Vyatta firewall
  * Fix Bug 3653 Add the ability to configure time-based firewall rules
  * Fix Bug 3653 Add the ability to configure time-based firewall rules

 -- Mohit Mehta Fri, 16 Jan 2009 18:33:11 -0800

vyatta-cfg-firewall (0.13.2) unstable; urgency=low

  * UNRELEASED
  * Fix Bug 3653 Add the ability to configure time-based firewall rules

 -- Mohit Mehta Tue, 13 Jan 2009 18:09:11 -0800

vyatta-cfg-firewall (0.13.1) unstable; urgency=low

  [ An-Cheng Huang ]
  * add support for development build

  [ Stephen Hemminger ]
  * Rename VyattaIpTablesRule to Vyatta::IpTables::Rule
  * Convert to Vyatta::Config
  * Convert VyattaConfig to Vyatta::Config
  * Fix reference to Vyatta::Misc

  [ An-Cheng Huang ]
  * fix for perl module reorganization
  * add ipp2p config options

  [ Stig Thormodsrud ]
  * Convert to use Vyatta::

  [ Bob Gilligan ]
  * Cleanup firewall templates for readability. Update help strings to reflect IPv4.

  [ Stig Thormodsrud ]
  * Warnings are now enabled - don't reference undefined values.

  [ An-Cheng Huang ]
  * update maintainer information
  * "files" file should be removed before package build

  [ Stig Thormodsrud ]
  * Fix 3626: Not all protocol numbers are accepted in firewall rules.
  * Fix 2563: Add firewall-rule specific disable configuration parameter.
  [ An-Cheng Huang ]

 -- An-Cheng Huang Thu, 08 Jan 2009 09:20:14 -0800

vyatta-cfg-firewall (0.13) unstable; urgency=low

  3.2.0

  [ Mark O'Brien ]

  [ Bob Gilligan ]
  * Bugfix: 3684

  [ Stephen Hemminger ]
  * add firewall hooks for ethernet bonding

  [ An-Cheng Huang ]
  * fix for bug 3622: add pre-SNAT hook
  * fix for bug 3604: add fragment matching options
  * fix conntrack enabling mechanism
  * fix for bug 2224: add "recent" matching

  [ Mark O'Brien ]

 -- Mark O'Brien Tue, 25 Nov 2008 19:08:40 -0800

vyatta-cfg-firewall (0.12) unstable; urgency=low

  3.1.3

  [ Mark O'Brien ]

  [ An-Cheng Huang ]
  * fix conntrack enabling mechanism

  [ Mark O'Brien ]

 -- Mark O'Brien Tue, 19 Aug 2008 17:48:24 -0700

vyatta-cfg-firewall (0.11) unstable; urgency=low

  3.1.1

  [ Mark O'Brien ]

  [ An-Cheng Huang ]
  * increment firewall config syntax version for hollywood.

  [ Mark O'Brien ]

 -- Mark O'Brien Sat, 28 Jun 2008 11:22:07 -0700

vyatta-cfg-firewall (0.10) unstable; urgency=low

  3.1.0

  [ Mark O'Brien ]

  [ Stephen Hemminger ]
  * Use regular snmpd

  [ Bob Gilligan ]
  * Bugfix: 2120
  * Bugfix: 2122

  [ rbalocca ]
  * Add vyatta-snmpd

  [ An-Cheng Huang ]
  * rename "mangle" to "modify"

  [ rbalocca ]
  * Ignore derived files

  [ An-Cheng Huang ]
  * allow firewall rule to match inbound IPsec packets.
  * add "inspect" action (maps to QUEUE) so "custom" traffic-filter for IPS
  * add mangle table support to firewall configuration. initial implementation

  [ rbalocca ]
  * Convert to our method of changelog creation

  [ Bob Gilligan ]
  * Add firewall templates for PPPOA, PPPOE, and classical IP over ATM, on

  [ Mohit Mehta ]
  * Fix Bug 3069 Help strings should be standardized

  [ An-Cheng Huang ]
  * add post-firewall hook for other features
  * fix for bug 3127: look for an exact match to replace/delete.
  [ Mark O'Brien ]

 -- Mark O'Brien Tue, 17 Jun 2008 09:26:05 -0700

vyatta-cfg-firewall (0.9) unstable; urgency=low

  3.0.5

 -- Mark O'Brien Tue, 06 May 2008 12:43:09 -0700

vyatta-cfg-firewall (0.8) unstable; urgency=low

  3.0.4

 -- Mark O'Brien Mon, 05 May 2008 16:40:28 -0700

vyatta-cfg-firewall (0.7) unstable; urgency=low

  3.0.3

  [ Mark O'Brien ]

  [ rbalocca ]
  * Indicate the VC4.0.2 release candidate in the changelog

  [ Mark O'Brien ]

 -- Mark O'Brien Tue, 29 Apr 2008 16:42:09 -0700

vyatta-cfg-firewall (0.6) unstable; urgency=low

  VC4.0.2

  [ Mark O'Brien ]

  [ An-Cheng Huang ]
  * fix for bug 3167: get the actual return status from iptables.
  * fix for bug 3167: disallow multiport specification if both source and

  [ Mark O'Brien ]

 -- Mark O'Brien Sat, 19 Apr 2008 11:55:56 -0700

vyatta-cfg-firewall (0.5) unstable; urgency=low

  VC4.0.2 release candidate

  [ Mark O'Brien ]

  [ An-Cheng Huang ]
  * fix for bug 3127: look for an exact match to replace/delete.

  [ Mark O'Brien ]

 -- Mark O'Brien Wed, 16 Apr 2008 09:49:51 -0700

vyatta-cfg-firewall (0.4) unstable; urgency=low

  3.0.2

  [ Mark O'Brien ]
  * 3.0.1

  [ rbalocca ]
  * Fix debian dependencies
  * Set dependencies on either bash or vyatta-bash

  [ Mark O'Brien ]

 -- Mark O'Brien Fri, 04 Apr 2008 18:00:16 -0700

vyatta-cfg-firewall (0.3) unstable; urgency=low

  VC4.0.1

  [ Mark O'Brien ]

  [ An-Cheng Huang ]
  * fix a problem in the interaction between "firewall" and "interfaces".

  [ Stephen Hemminger ]
  * Replace VPL with GPLv2
  * Change to GPLv2
  * Update debian/copyright for GPLv2
  * update from VPL1 to GPLv2

  [ Mark O'Brien ]

 -- Mark O'Brien Tue, 18 Mar 2008 19:03:26 -0700

vyatta-cfg-firewall (0.2) unstable; urgency=low

  vc4.0.0

  [ Mark O'Brien ]

  [ An-Cheng Huang ]
  * convert templates to new syntax
  * fix for bug 2591: update help text
  * fix for bug 2528: collapse source/destination "address" and "network".
  * fix for bug 2789: merge port configuration options.
  * merge ports in show output
  * merge address range into address
  * add address validation
  * move common module to vyatta-cfg

  [ Bob Gilligan ]
  * Extend firewall support to PPPOE interfaces.

  [ Stig Thormodsrud ]
  * Add firewall node to tunnel interface
  * Remove vif node as it's not valid for tunnel interfaces.

  [ Mark O'Brien ]

 -- Mark O'Brien Mon, 25 Feb 2008 17:38:04 -0800

vyatta-cfg-firewall (0.1) unstable; urgency=low

  * Initial Release.

 -- Bob Gilligan Mon, 10 Dec 2007 11:03:18 -0700