changelog

calico (1.2.0-1)  trusty; urgency=medium

  * Truncate long output from FailedSystemCall exception.
  * Add instructions for use with OpenStack Liberty.

 -- Matt Dupre <matt@projectcalico.org>  Mon, 26 Oct 2015 17:50:04 +0000

calico (1.2.0~pre.2-1) trusty; urgency=medium

  * Add endpoint status reporting to Felix.  Felix now reports the state of
    endpoints into etcd so that the OpenStack plugin can report this
    information into Neutron.  If Felix fails to configure a port, this now
    causes VM creation to fail.
  * Reduce occupancy of Felix's tag resolution index in the common case
    where IP addresses only have a single owner.
  * Felix now sets the default.rp_filter sysctl to ensure that endpoints
    come up with the Kernel's RPF check enabled by default.
  * Optimize Felix's actor framework to reduce message-passing overhead.

 -- Matt Dupre <matt@projectcalico.org>  Mon, 19 Oct 2015 15:28:30 +0100

calico (1.2.0~pre.1~dev.1) trusty; urgency=low

  * Internal testing release.
  * Add liveness reporting to Felix.  Felix now reports its liveness into
    etcd and the neutron driver copies that information to the Neutron DB.
  * Performance enhancements to ipset manipulation.
  * Rev python-etcd dependency to 0.4.1.  Our patched python-etcd version
    (which contains additional patches) is still required.

 -- Shaun Crampton <shaun@projectcalico.org>  Fri, 25 Sep 2015 14:40:00 +0100

calico (1.1.0-1) trusty; urgency=low

  * Improve the documentation about upgrading a Calico/OpenStack system.
  * Fix compatibility with latest OpenStack code (oslo_config).
  * Use posix_spawn to improve Felix's performance under heavy load.
  * Explicitly use and enable the kernel's reverse path filtering
    function, and remove our iptables anti-spoofing rules, which were not
    as robust.

 -- Neil Jerram <Neil.Jerram@metaswitch.com>  Tue, 08 Sep 2015 11:46:51 +0100

calico (1.0.0-1) trusty; urgency=medium

  * Calico version 1.0.0 release

 -- Matt Dupre <matt@projectcalico.org>  Fri, 14 Aug 2015 13:40:28 +0100

calico (0.29~rc1) trusty; urgency=medium

  * First release candidate

 -- Matt Dupre <matt@projectcalico.org>  Wed, 05 Aug 2015 16:46:08 +0100

calico (0.28) trusty; urgency=medium

  * Felix now restarts if its etcd configuration changes.
  * Felix now periodically refreshes iptables to be robust to other processes
    corrupting its chains.
  * More thorough resynchronization of etcd from the Neutron mechanism driver.
  * Added process-specific information to the diagnostics dumps from Felix.

 -- Matt Dupre <matt@projectcalico.org>  Tue, 04 Aug 2015 17:36:13 +0100

calico (0.27.1) trusty; urgency=medium

  * Interim bug-fix release - reinstate DHCP checksum calculation rule.

 -- Matt Dupre <matt@projectcalico.org>  Wed, 15 Jul 2015 17:28:43 +0100

calico (0.27) trusty; urgency=medium

  * Limit number of concurrent shell-outs in felix to prevent file descriptor
    exhaustion.
  * Have felix periodically resync from etcd and force-refresh the dataplane.
  * Stop restarting Felix on Ubuntu if it fails more than 5 times in 10 seconds.
  * Move DHCP checksum calculation to Neutron.
  * Get all fixed IPs for a port.

 -- Matt Dupre <matt@projectcalico.org>  Tue, 14 Jul 2015 11:58:44 +0100

calico (0.26) trusty; urgency=medium

  * Update and improve security model documentation.
  * Streamline conntrack rules, move them to top-level chains to avoid
    duplication.
  * Narrow focus of input iptables chain so that it only applies to
    Calico-handled traffic.
  * Provide warning log when attempting to use Neutron networks that are not of
    type 'local' or 'flat' with Calico.
  * Handle invalid JSON in IPAM key in etcd.
  * Move all log rotation into logrotate and out of Felix, to prevent conflicts.
  * Change log rotation strategy for logrotate to not rotate small log files.
  * Delay starting the Neutron resynchronization thread until after all the
    necessary state has been configured, to avoid race conditions.
  * Prevent systemd restarting Felix when it is killed by administrators.

 -- Cory Benfield <cory@projectcalico.org>  Mon, 29 Jun 2015 11:49:42 +0100

calico (0.25) trusty; urgency=medium

  * Remove stale conntrack entries when an endpoint's IP is removed.
  * Fix bug where profile chain was left empty instead of being stubbed out.
  * Improve security between endpoint and host and simplify INPUT chain logic.

 -- Cory Benfield <cory@projectcalico.org>  Mon, 22 Jun 2015 14:07:48 +0100

calico (0.24) trusty; urgency=medium

  * Add Felix statistics logging on USR1 signal.
  * Add support for routing over IP-in-IP interfaces in order to make it
    easier to evaluate Calico without reconfiguring underlying network.
  * Reduce felix occupancy by replacing endpoint dictionaries by "struct"
    objects.
  * Allow different hosts to have different interface prefixes for combined
    OpenStack and Docker systems.
  * Add missing support for 0 as a TCP port.
  * Add support for arbitrary IP protocols.
  * Intern various IDs in felix to reduce occupancy.
  * Fix bug where Calico may not propagate security group rule changes from
    OpenStack.
  * Reduced logspam from Calico Mechanism Driver.

 -- Cory Benfield <cory@projectcalico.org>  Mon, 15 Jun 2015 11:45:01 +0100

calico (0.23) trusty; urgency=medium

  * Reset ARP configuration when endpoint MAC changes.
  * Forget about profiles when they are deleted.
  * Treat bad JSON as missing data.
  * Add instructions for Kilo on RHEL7.
  * Extend diagnostics script to collect etcd and RabbitMQ information.
  * Improve BIRD config to prevent NETLINK: File Exists log spam.
  * Reduce Felix logging volume.

 -- Matt Dupre <matt@projectcalico.org>  Mon, 08 Jun 2015 16:37:50 +0100

calico (0.22.1) trusty; urgency=medium

  * Updated Mechanism driver to specify fixed MAC address for Calico tap
    interfaces.
  * Prevent the possibility of gevent context-switching during garbage collection
    in Felix.
  * Increase the number of file descriptors available to Felix.
  * Firewall input characters in profiles and tags.
  * Implement tree-based dispatch chains to improve IPTables performance with
    many local endpoints.
  * Neutron mechanism driver patches and docs for OpenStack Kilo release.
  * Correct IPv6 documentation for Juno and Kilo.

 -- Matt Dupre <matt@projectcalico.org>  Tue, 02 Jun 2015 17:15:48 +0100

calico (0.21) trusty; urgency=medium

  * Support for running multiple neutron-server instances in OpenStack
  * Support for running neutron-server API workers in OpenStack
  * Calico Mechanism Driver now performs leader election to control state
    resynchronization
  * Extended data model to support multiple security profiles per endpoint
  * Calico Mechanism Driver now attempts to delete empty etcd directories
  * Felix no longer leaks memory when etcd directories it watches are deleted
  * Fix error on port creation where the Mechanism Driver would create, delete,
    and then recreate the port in etcd
  * Handle EtcdKeyNotFound from atomic delete methods
  * Handle etcd cluster ID changes on API actions
  * Fix ipsets cleanup to correctly iterate through stopping ipsets
  * Ensure that metadata is not blocked by over-restrictive rules on outbound
    traffic
  * Updates and clarifications to documentation

 -- Matt Dupre <matt@projectcalico.org>  Tue, 26 May 2015 17:22:01 +0100

calico (0.20) trusty; urgency=medium

  * Felix graceful restart support
  * Refactoring and additional unit testing

 -- Matt Dupre <matt@projectcalico.org>  Mon, 18 May 2015 17:55:32 +0100

calico (0.19) trusty; urgency=medium

  * Further fixes and improvements to Calico components
    - Add script that automates the merging required for a Debian/Ubuntu package
    - Actually save off the endpoints in the endpoint index.
    - Fix reference leak in felix caused by reference cycle.
    - Core review markups and cleanups to ref-tracking code.
    - Add FV-level test that genuinely leaks an exception.

 -- Neil Jerram <Neil.Jerram@metaswitch.com>  Mon, 11 May 2015 12:32:26 +0100

calico (0.18) trusty; urgency=medium

  * Further fixes and improvements to Calico components
    - Note that RHEL 6.5 instructions are not yet complete
    - Document that Felix requires a config file, or it won't start on RHEL
    - Tidy up line wrapping in RHEL install docs
    - Move utility functions to frules
    - Minor code tidies in dispatch.py
    - Refactor DispatchManager API to not use dicts
    - Add unit tests for DispatchChains
    - Clarify DispatchChains comparison logic
    - Move common validation code to single place.
    - Reinstate etc after overwriting import.
    - Initial code review markups for iptables updater.
    - Code review markups for fiptables.py.
    - Address some RHEL 7 install instruction issues:
    - Minor grammar markups
    - Fix missing import in common
    - Revert "Initial code review markups for iptables updater."
    - Docstrings for UpdateSplitter
    - Remove invalid module reference
    - Retire RHEL 6.5 instructions until we can fix them up, or are convinced there is no demand.
    - Allow for config to be read from config files.
    - Code review feedback
    - changed bgp_export policy to be interface of origin based
    - Ensure no logs are made to screen in mainline with screen logging disabled
    - syntax cleanup, prettified, and default filter added back in.
    - cut and paste doh... - v4 default address used in v6 config file
    - Work in progress on cleanup/support for anycast IPs.
    - Minor fixes: typos and incorrect indexing into dicts.
    - Fixes and cleanups: move updates into lower level methods.
    - Fix missing delete when cleaning up ip address.
    - Minor cleanups and self-review markups.
    - Code review markups.  Track dirty tags and update en-masse.
    - Revert "Revert "Initial code review markups for iptables updater.""
    - Revert rename of _Transaction.updates, it is referenced by IptablesUpdater.
    - Suppress start-of-day iptables-restore errors from CaS-type operations.
    - Tidy up etcd exception logging.
    - Clean up devices exception logging.
    - Add actor life-cycle logging.
    - Add endpoint and profile IDs as comments in iptables chains.
    - Unit tests for the UpdateSplitter
    - RHEL7 doc: fix formatting of Calico repo config
    - RHEL7 doc: don't mention Icehouse
    - Clarify that mapping is dict
    - Update documentation of configuration for Felix.
    - Felix review and some UT (actor, refcount)
    - Replace endpoint ID with tuple that includes host and workload too.
    - Code review markups to refcount.py.
    - Don't process endpoint creation until SOD complete
    - Docs typo fix: incorrect etcd mount in fstab
    - Remove comments
    - Document the new mailing lists
    - Update involved.rst
    - Plugin: provide correct workload ID - fixes #445
    - Plugin: provide correct workload ID - UT updates
    - Update README.md
    - Cleanup README line length
    - Missing sec group retries
    - Close race between resync and access to self.sgs in plugin.
    - Remove race in needed_profile cleanup by using a semaphore.
    - Be resilient to ports disappearing while loading SG members.
    - Protect all access to the security groups dict.
    - Fix up UT environment to include neutron.common.exceptions.
    - Reinstate ability to take file path as command line parameter.
    - Markups to config file specification - tidy exception handling
    - Wording tweaks based on previous version of config documentation.

 -- Neil Jerram <Neil.Jerram@metaswitch.com>  Tue, 05 May 2015 16:31:11 +0100

calico (0.17) trusty; urgency=medium

  * Bug fixes and improvements to Calico components
    - Clean up config loading (code review markups).
    - Remove references to ACL manager from RHEL docs
    - Etcd install instructions for RHEL
    - Be more defensive in etcd polling, catch various HTTP-related exceptions.
    - Fix import order in felix.py to invoke gevent monkey-patch first.
    - Fix missing arg to log message.
    - Remove incorrect comment.
    - Fix plugin to set only icmp_type/code and not port range for ICMP.
    - Add UTs for ICMP rule generation.
    - Add felix support for ICMP code, firewall values.
    - Validate plugin data agsint felix's validation routines.
    - Code review markups.
    - Fix missing continue: use setting of response as a gate in fetcd.py.
    - Increase severity of socket.timeout warning.
    - Add httplib errors into excepts.
    - Code review markups.
    - Update involved.rst
    - Update contribute.rst
    - Tidy up line lengths
    - Revert "Tidy up line lengths"
    - Tidy up line lengths
    - Don't unnecessarily pin versions
    - Fix up a range of commnents.
    - Cleanup toctree for contribution doc
    - Further README cleanup
    - The letter 'a' is tricksy
    - Update contribute.rst
    - RPM Version 0.16
    - Fix RPM version
    - Beef up syslog format, add a couple of additional logs.
    - Debian packaging: python-gevent is not actually needed on controller
    - RPM packaging: remove ACL manager and ZMQ deps; add python-gevent (fixes #435)
    - Packaging: add dependency of Felix on net-tools, for the arp command (fixes #146)
    - Make ipset uperations idempotent.
    - Fix cluster UUID check.  Copy UUID from old client to new, fix typo in arg name.
    - RHEL install markups
    - Fix my own review markups
    - Run etcd on startup
    - After reboots
    - Copy etcd binaries to the right place
    - Update bundle for etcd architecture
    - Use commit id instead of tag in tox dependency
    - Code review markups.
    - Prevent ActiveIpset from recreating ipset after on_unreferenced().
    - Fix missing stdin argument to Popen, beef up diags for ActiveIpset.
    - Code review markups.
    - Update openstack.rst
    - Don't setuid on RHEL 6.5.
    - Wrapping lines
    - Fix numbering in ubuntu-opens-install.rst
    - Add missing jump target to ICMPv6 from endpoint rule.
    - Add "icmp_code" to whitelist of allowed rule fields.
    - Prevent programming of ICMP type 255, which the kernel treats as wildcard.
    - Isolate rule parsing failure to individual rule.

 -- Neil Jerram <Neil.Jerram@metaswitch.com>  Mon, 27 Apr 2015 15:58:46 +0100

calico (0.16) trusty; urgency=medium

  * Move to etcd for inter-component communications from zeromq
    - Significant Felix enhancements to take advantage of new data model
    - Retire ACL Manager
    - Mechanism driver updates to take advantage of new data model
    - Update documentation

 -- Matt Dupre <matt@projectcalico.org>  Mon, 20 Apr 2015 18:07:21 +0100

calico (0.15) trusty; urgency=medium

  * Fix exception in Neutron mechanism driver
  * Many documentation changes and additions

 -- Matt Dupre <matthew.dupre@metaswitch.com>  Fri, 10 Apr 2015 15:22:03 +0000

calico (0.14) trusty; urgency=medium

  * Move documentation from separate calico-docs GitHub wiki to Read the Docs
  * Neutron mechanism driver fixes

 -- Matt Dupre <matthew.dupre@metaswitch.com>  Fri, 20 Mar 2015 11:12:44 +0000

calico (0.13) trusty; urgency=medium

  * Bug fixes and enhancements to Calico components
    - Remove python-iptables
    - Add EL6.5 support
    - Make Calico components restart after failures
    - Enhance diagnostics gathering script
    - Fix live migration support
    - Many logging, testing and configuration improvements
    - Improve handling of connection timeouts
    - Program proxy NDP

 -- Matt Dupre <matthew.dupre@metaswitch.com>  Fri, 06 Mar 2015 17:45:21 +0000

calico (0.12.1) trusty; urgency=medium

  * Bug fixes and improvements to Calico components
    - Initial refactor of fsocket.
    - Fix issue #133 (lost resync when connection error)
    - Fix restart failure on connection error (bug #97)
    - More timing tests, and fixing of resulting bugs.
    - Tighten up resync testing, with bug fix.
    - ACL Manager fix: Suppress superfluous unsolicited ACLUPDATE messages when nothing has changed
    - Use ip route replace instead of add Fixes timing window when route exists during live migration
    - Fix #164: Disable proxy_delay on taps to avoid delayed proxy ARP response.
    - Better doc and organization for setup code
    - mech_calico: Bind as directed by Neutron server's bind_host config
    - Delete routes when endpoint destroyed
    - Send ENDPOINTDESTROYED rsp even whenendpoint is unknown (fixes #192)
    - More robust exception handling in handle_endpoint{updated|destroyed}
    - Unit testing and diagnostics improvements

 -- Matt Dupre <matthew.dupre@metaswitch.com>  Fri, 13 Feb 2015 15:52:54 +0000

calico (0.11) trusty; urgency=medium

  * Logging improvements and additional unit tests
  * ACL Manager fixes
    - Support multiple security groups on a single endpoint
    - ACL Manager stops listening for network updates silently when a rule
      references an empty security group
    - Ensure ACL Manager exits cleanly with a log when worker threads crash

 -- Matt Dupre <matthew.dupre@metaswitch.com>  Fri, 30 Jan 2015 16:07:22 +0000

calico (0.10.3~rc3) trusty; urgency=medium

  * Add support for Red Hat 7
  * Fixes and improvements
    - Change from VIF_TYPE_ROUTED to VIF_TYPE_TAP
    - Require explicit configuration before starting Felix or ACL Manager
    - Correct installation of *.cfg example files

 -- Matt Dupre <matthew.dupre@metaswitch.com>  Fri, 23 Jan 2015 11:20:14 +0000

calico (0.10.3~rc2) trusty; urgency=medium

  * Further Felix code fixes:
    - If we recreate the ACL SUB connection, resubscribe to everything.

 -- Neil Jerram <Neil.Jerram@metaswitch.com>  Thu, 22 Jan 2015 11:02:01 +0000

calico (0.10.3~rc1) trusty; urgency=medium

  * More code fixes and improvements
    - Delete old (pre-Felix) Calico agent
    - There are no more *.ini files to install.
    - Felix unit testing and refactoring
    - Add initial diags collection file
    - Ensure that Felix handles resyncs with 0 endpoints

 -- Matt Dupre <matthew.dupre@metaswitch.com>  Tue, 20 Jan 2015 17:45:32 +0000

calico (0.10.2) trusty; urgency=medium

  * Code fixes and improvements
    - Version number now correctly reported by Python.
    - Felix now correctly sends keepalives.
    - Substantial myriad heartbeat fixes in all components.
    - Fixed Felix crash when building certain error logs.
    - Fixed Felix crash when asked to program an interface that is not up yet.

 -- Cory Benfield <cory.benfield@metaswitch.com>  Fri, 16 Jan 2015 13:45:01 +0000

calico (0.10.1) trusty; urgency=medium

  * Increment version number to replace PPA build with proper requirements

 -- Matt Dupre <matthew.dupre@metaswitch.com>  Thu, 15 Jan 2015 17:40:23 +0000

calico (0.10) trusty; urgency=medium

  * Code fixes and improvements
    - Felix now exits with non-zero status code on error.
    - Allow a new log level: NONE which disables that log handler.
    - Broadened check of logfile
    - Log out daemon name to syslog.
    - Set up syslog better - so works on ubuntu.
    - Allow explicit configuration of Felix hostname.
    - Made acl_manager logging config work like felix config
    - Allow the IP address of Felix to be explicitly specified.
    - Add bind address to ACL manager.
    - Review markups - allow hostnames as well as IP addresses.
    - Handle errors from failure to connect to Felix
    - Tell BIRD to run on "br-mgmt" interface, for setups migrated from OVS to Calico
    - Do not leak ipsets for endpoints which have been removed.
    - Remove workaround for (now fixed) python-iptables bug.
    - Improve last fix to avoid duplicate rules.
    - Retire unneeded dropping of DHCP packets.
    - Do not hang in termination in zmq.
    - Restructure rules so that DROP default still works.
    - Add support for port ranges Includes some extra tests to get better coverage of area changed.
    - Split felix-MAIN into felix-INPUT and felix-FORWARD
  * Packaging improvements
    - Add basic requirements files for Felix and ACL Mgr
    - Conditionally install extra dependencies.
    - Add plugin requirements.
    - Add eventlet dependency.
    - Set minimum python-iptables version.

 -- Matt Dupre <matthew.dupre@metaswitch.com>  Wed, 14 Jan 2015 19:18:23 +0000

calico (0.9.1) trusty; urgency=medium

  * Remove python-dev dependency.

 -- Neil Jerram <Neil.Jerram@metaswitch.com>  Thu, 18 Dec 2014 10:17:58 +0000

calico (0.9) trusty; urgency=medium

  * New announced release.

 -- Matt Dupre <matthew.dupre@metaswitch.com>  Mon, 15 Dec 2014 12:05:34 +0000

calico (0.9~rc1) trusty; urgency=medium

  * Felix unit testing, restructuring and fixes
    - Initial test infrastructure - no real tests yet.
    - Basic restructuring - start reorg of futils
    - Move iptables specific stuff into its own module. Not complete, but works in this state, so committing now!
    - Remove some iptc knowledge from frules.
    - More refactoring to allow mocking out of iptables code.
    - Minor fix after some testing of the new code.
    - Tidy up Felix use of system calls.
    - Simplify test framework. Still no actual tests...
    - Move config logic around so it can be tested.
    - Add some config file tests
    - Having got coverage working, a couple of tests.
    - Add .coverage to .gitignore
    - Stub out fiptables properly. Can now do minimal test of felix init.
    - Code review markups.
    - More minor code markups.
    - Force the resync count to be an integer.
    - Tidy up some confusing code relating to resync counts.
    - Simplify the if test by removing extra duplicate test.
    - Firewall against bad plugin or ACL addresses
    - Updated config code to firewall against invalid addresses.
    - Fix incorrect function path causing Felix crash
    - Ensure BIRD gets all kernel routes in its table.
    - Ensure BIRD6 can make correct routing decisions.
    - More code tidies (including a real bug).
  * Packaging tidy-up
    - Harmonize content and presentation of copyright notices
    - Pin Calico package versions to each other
    - RPM packaging fixes
    - Don't include upstart jobs for Felix and ACL manage in calico-compute RPM
    - Move CalicoMechanismDriver back here (i.e. out of Neutron tree)
    - Move CalicoMechanismDriver back here (i.e. out of Neutron tree)
  * Logging improvements
    - Add common logging setup functions.
    - Replace Felix logging with common log functions.
    - Replace ACL manager logging with common code.
    - Fix import statements for logging.

 -- Matt Dupre <matthew.dupre@metaswitch.com>  Fri, 12 Dec 2014 11:15:31 +0000

calico (0.8) trusty; urgency=medium

  * New announced release.

 -- Neil Jerram <Neil.Jerram@metaswitch.com>  Fri, 21 Nov 2014 19:28:34 +0000

calico (0.8~2) trusty; urgency=medium

  * Further fixes and enhancements to Felix
    - Handle ACLUPDATE for deleted endpoint.
    - Config file tweaks. Comment out values matching defaults.
    - Add Metadata IP and Port configuration to Felix
    - Allow address as well as IP for metadata.
    - Ban traffic to the loopback address from VMs (unless for metadata)

 -- Neil Jerram <Neil.Jerram@metaswitch.com>  Fri, 21 Nov 2014 11:59:45 +0000

calico (0.8~1) trusty; urgency=medium

  * New fixes and enhancements to Felix
    - Clean up code and tidy up ready so that accept default rules can work.
    - Some trivial code tidy left over from the merges.
    - Minor typo fixes.
    - Code review markups.
    - Fix bug where duplicate rules created.
    - Fix up ICMP rules for all ICMP.
    - Various code review markups ready for merging.
    - Unblock outgoing DHCP. Bug in fix to issue38.
    - Fix more issues with issue38 code.  Allow DHCP for IPv6 too Fix up
      getting in / out interfaces backwards

 -- Neil Jerram <Neil.Jerram@metaswitch.com>  Thu, 20 Nov 2014 13:05:58 +0000

calico (0.7) trusty; urgency=medium

  * Update packaging to support source package creation and upload.
    - Stop using python-pbr.
    - Implement install steps in setup.py and debian/rules, instead of setup.cfg.

 -- Neil Jerram <Neil.Jerram@metaswitch.com>  Tue, 11 Nov 2014 15:47:22 +0000

calico (0.6.4) trusty; urgency=medium

  * Update version number in setup.cfg

 -- Neil Jerram <nj@metaswitch.com>  Mon, 10 Nov 2014 16:29:06 +0000

calico (0.6.3) trusty; urgency=medium

  * Add Build-Depends: python-setuptools, python-pbr
  * Add debian/source/format

 -- Neil Jerram <nj@metaswitch.com>  Mon, 10 Nov 2014 15:51:45 +0000

calico (0.6) trusty; urgency=medium

  * Many fixes and enhancements to Felix (the new Calico agent)
    - IP v6 support and minor bug fixes.
    - Minor logging enhancement.
    - Fix dull bug where we never left long enough for resync responses to return on a slow system, ignoring the config values.
    - Many more updates. Apart from intermittent iptables issues, mostly working well. Next action is to fix those.
    - Finally fix dull issue with python-iptables, state and IPv6.
    - Add ep_retry code.
    - Fix small bugette in handling of endpoint retry.
    - Stop using "state" completely - "conntrack" seems more reliable.
    - Fix up bug where we created IPv6 sets as IPv4, then crashed.
    - GETACLUPDATE response may arrive before tap interface created; handle it.
    - Speculative fix for problem with icmp ip6tables rules.
    - Do not get confused during second resync and delete endpoints.
    - Allow for the state of endpoints to be disabled.
    - Subscribe to ACL heartbeats to avoid timing it out continuously.
    - Minor cosmetic edits.
    - More minor refactoring and code tidy up.
    - Remove IPs from an endpoint when they are removed by the API. Also, some minor code tidies.
    - Clean up logic when removing unused IPs.
    - Fix up dull typo in IP removal code.
    - Fix bug where tap address got wrong MAC address.
    - Put in candidate workaround for looping in iptables configuration.
  * Packaging: calico-felix needs dependency on python-dev(el)
  * RPM packaging fixes
    - Start and stop Calico services on install/uninstall
    - Run Calico services as root, not as 'neutron'
  * ACL Manager fix
    - ACL manager was sending a three part message for keepalives. Make it a two part message like the others.

 -- Neil Jerram <nj@metaswitch.com>  Fri, 07 Nov 2014 15:39:05 +0000

calico (0.5) trusty; urgency=medium

  * New Calico architecture

 -- Neil Jerram <nj@metaswitch.com>  Mon, 27 Oct 2014 16:31:06 +0000

calico (0.4.1) trusty; urgency=medium

  * Install generator script and template for BIRD6 config

 -- Neil Jerram <nj@metaswitch.com>  Fri, 26 Sep 2014 10:56:05 +0100

calico (0.4) trusty; urgency=medium

  * Import routes from all ethernet interfaces (in BIRD config)
  * Changes to remove unnecessary dependencies on linuxbridge code
  * Enhancements for Calico/IPv6 connectivity

 -- Neil Jerram <nj@metaswitch.com>  Tue, 16 Sep 2014 17:27:09 +0100

calico (0.3-1) trusty; urgency=medium

  * Fix Ubuntu upstart job so that calico-compute runs after iptables-persistent

 -- Neil Jerram <nj@metaswitch.com>  Thu, 24 Jul 2014 17:38:32 +0100

calico (0.3) trusty; urgency=medium

  * Fix provision of metadata to new instances.

 -- Neil Jerram <nj@metaswitch.com>  Fri, 18 Jul 2014 18:06:15 +0100

calico (0.2) trusty; urgency=medium

  * Make iptables rule for DHCP checksum filling persist across compute
	node reboots.
  * Add firewall_driver config to calico_agent.ini.

 -- Neil Jerram <nj@metaswitch.com>  Tue, 01 Jul 2014 15:17:52 +0100

calico (0.1) trusty; urgency=medium

  * Initial release.

 -- Neil Jerram <nj@metaswitch.com>  Thu, 26 Jun 2014 16:03:59 +0100