ChangeLog
firehol (3.0.1) - 2016-01-10
* FireHOL
- Add ipv6mld to simplify enabling Multicast Listener Discovery
protocol, required on networks which do multicast snooping.
- Update the example to make it more likely to work copy-pasted,
include MLD
* VNetBuild
- Add pre_up to run commands immediately before an interface is started
* Common
- Packaging fixes
- Command detection fix for :
firehol (3.0.0) - 2015-12-20
* FireQOS
- Bidirectional fixes
- accept DSCP parameters case insensitive
- allow matching within GRE packets
- use configured firehol config directory
* Update-Ipsets
- added jigsaw lists
firehol (3.0.0-rc.4) - 2015-11-28
* Rework packaging
- Simplify version number handling
- Common functions moved to a file in lib
- Allow disabling IPv4/IPv6 at configure time
- Allow disabling any unwanted tools
- Allow disabling manpages and/or docs
- Honour configure script setting for AUTOSAVE and others
- All commands detected via configure, used via variables
Including new 'iprange' tool https://github.com/firehol/iprange/releases
* FireHOL
- Fixes to DSCP class
- added protection *connlimit* and *connrate*; removed default mask
from parameter connlimit
- added rule option *connlog* to only log the first packet of connections
added *hashlimit* with all its options
- most actions now accept the keyword *with* which also supports
*with connlimit* and *with hashlimit*
- use iprange --diff mode for comparing ipset versions
* FireQOS
- fail if DSCP and TOS match have been specified at the same time
- various fixes
* VNetBuild
- Eliminate dependency on brctl
* Update-Ipsets
- Promoted from contrib
- Various improvements
firehol (3.0.0-rc.3) - 2015-10-10
* Common
- ipset fixes
- require pandoc 1.12.2.1 and use its features
- improve contents page in documentation
* FireHOL updates
- made STOP mode exit successfully
- add support for restore when specifying a filename on the command line
- allow multiple "except" rules in statements that accept the keyword
- disabled spinner in explain mode
- add support for comma as an ipset IP separator
- tproxy now uses markdef() to allocate a mark
- save marks.conf only after successful firewall activation
- drop requirement for awk (other programs still use it)
- add log() and loglimit() helpers to allow logging from ipsets globally
- prevented backup of all the ipsets in memory - it takes too long
when the system has many ipsets installed
- rewrote the ipsets functionality so that:
- it optimizes netsets with iprange if present
- it adapts the maxelem parameter for the updated ipset so that
updating ipsets with big incremental updates does not fail
- maintains compatibility with older ipset versions
(side-effect: calling an ipset update without restarting the
firewall now only supports ipsets that are used in firehol.conf)
- if iprange is present, processing of ipsets is a lot faster
* FireQOS updates
- add ability to stop QoS on a specific device
- fix for ERROR columns on some tc versions
- max/ceil % is now relative to parent's ceiling rate
(it was by mistake to parent's base rate)
- warn if a class takes priority outside the valid ranges of HTB (0-7)
- switched default color from blue to green
* Link-Balancer updates
- add wrappers for rawmark() and custommark()
- when a table was already up to date but others depend on it,
it was failing #78
- fix issue when specifying loop and timeout #77
* Contrib (ipsets scripts)
- various fixes and lists added
- support aggregate to optimize netsets
- support syslog logging
- add iprange program, various enhancements over original
* VNetBuild updates
- Added
firehol (3.0.0-rc.2) - 2015-03-14
* Common
- Added --disable-doc to configure script to stop the installation
of PDF and HTML versions of documentation
- Start to bring documentation in line
- Disable colour on non-terminals
* FireHOL updates
- Added synproxy support
- Services "all" and "any" are now simple services. Service "all" now
has multiple helpers, thus eliminating the need for ALL_SHOULD_ALSO_RUN.
- Fix REJECT action by accepting RELATED TCP ACK,RST packets appropriately
- Fix empty firewall case
- Added state NEW to masquerade
- Fix to ensure the final firewall close code emits as both ipv4 and ipv6
where appropriate even if only ipv4 or ipv6 was used for the final
interface/router
- Added action type "sockets_suspects_trap"
- iptrap now creates the trap if it is not already created
- Eliminate a warning for kernels prior to 3.5
- NAT now supports balancing multiple IPs or ports on all NAT modes
- NAT now supports keyword "at" to specify the chain to be attached to
- Optimise multi-port matching rules
* FireQOS updates
- Optimisations
- Create FIREQOS_INTERFACE_DEFAULT_CLASSID (8000), FIREQOS_MATCHES_STEP
- Fixed monitor mode
* Link-Balancer updates
- Fix to stop ignoring fallback gateways
- Use "traceroute -6" not "traceroute6"
firehol (3.0.0-rc.1) - 2015-02-15
* Performance improvements
- Both the script and resulting firewalls are faster
- Choose original complete bi-directional or even faster runtime matching
* New firewall features
- ipset support and management
- IDS and port knocking with traps
- multiple mark definitions
- conntrack helpers
- experimental tproxy support
- separate default settings file
* Introduction of link-balancer script