"Fossies" - the Fresh Open Source Software Archive

Member "aif-2.1.1/CHANGELOG" (16 Sep 2020, 16607 Bytes) of package /linux/privat/aif-2.1.1.tar.gz:



Version 2.1.1 (September 16, 2020)
----------------------------------
* Improve stdout/stderr handling in ip4tables/ip6tables/ip4tables_restore/ip6tables_restore functions
! ip4tables/ip6tables functions were broken for multiline result since 2.1.0 breaking eg. the traffic-accounting-plugin
+ Enable logrotate for /var/log/arno-iptables-firewall
* Cleanup log handling + rename /var/log/firewall.log to /var/log/arno-iptables-firewall
* Refactor lock_enter/lock_enter_single
! Stale lock file removal didn't work properly
* Detect if dist version is already installed and generate a warning in that case
* Get rid of ENV_FILE/PLUGIN_CONF_PATH/PLUGIN_BIN_PATH setting in config file and improve autodetection

Version 2.1.0 (January 3, 2020)
-------------------------------
! systemd script had private tmp enabled causing problems with the job manager
* Use start-stop-daemon to start the job manager. Hopefully fixes the issue of it sometimes terminating suddenly
* Some tweaks/cleanups for the job manager
! Potential systemd service file shutdown problem (thanks to Sven Geuer from Debian upstream)
* Have installer install rsyslog config file, if rsyslog is available
! Fixed (dynamic) host multi IP handling in plugins
* Default FRAG_DROP to off
* Tweaks in the job manager process

Version 2.1.0-RC2 (February 13, 2019)
-------------------------------------
! ipt_if() expansion didn't work as it should
* Improve copy/overwrite logic in install.sh
* Tweak job manager start/stop logic

Version 2.1.0-RC1 (February 10, 2019)
-------------------------------------
! The install and configure scripts didn't work properly on systems without an /etc/init.d directory (eg. Arch Linux)
! Error handling in the plugin helpers was broken
* Workaround non-working + interface wildcard in nftables's iptables binary
* It's useless to reset the counters when we've just flushed all chains
- Get rid of the BAD_TCP_FLAGS setting, which in fact always was a "bad tcp options" setting. This also fixes
  problems with nftables's iptables emulation
! aif-job-processor lock was not removed when jobs file became empty
* Change FRAG_LOG option to FRAG_DROP to allow disabling fragment dropping (eg. for broken nftables)
* Backport systemd updates/improvements from Debian (thanks Sven Geuer)

Version 2.1.0-BETA1 (June 29, 2018)
-----------------------------------
* Move dynamic host handling (no longer via DynDNS-host-open plugin but handled internally)
+ Capability for hostnames resolving to multiple IPs in dynamic host support
+ New job manager to accommodate improved (plugin) helper support (replaces cron jobs)
* Move duplicate code from some of the plugins to environment (like locking for instance)
* Various other tweaks/refactoring

Version 2.0.3 (June 28, 2018)
-----------------------------
! Missing mention in man page of arno-fwfilter's --no-resolve option
! Various fixes in the installer
* Improvements in the parasitic net plugin
* Various tweaks

Version 2.0.2a (October 26, 2017)
---------------------------------
! Fixed log line being too long (>28 chars)
! Fixed systemd installation failed on some systems
! Service file should start AIF after network is up and local filesystems are mounted
* Tweaks/improvements in configure/install scripts

Version 2.0.2 (July 28, 2017)
-----------------------------
+ Added new Parasitic Network plugin, allows "clients" on the same subnet to use this device as a gateway upstream.
* Improve lock-file handling in the "DynDNS Host Open" and "Traffic Accounting" plugins.
+ Disable nf_conntrack automatic helper assignment when possible, attach with CT target, Issue #35
! Fixed IPv6 NAT table was not flushed on start/stop/restart, Issue #36
+ Added EXT_IF_DHCPV6_IPV6 config variable supporting DHCPv6 when DHCP is not enabled, Issue #34
+ Added ability to selectively log blocked hosts by inbound and outbound direction.
  BLOCKED_HOST_LOG Options: 0 = Disable, 1 = Inbound & Outbound, 2 = Inbound, 3 = Outbound

Version 2.0.1g (October 11, 2016)
---------------------------------
+ Added new BLOCK_NETSET_DIR variable which efficiently creates ipsets for blocklists using .netset files.
+ Added expert DEFAULT_NETSET_WHITELIST and DEFAULT_NETSET_WHITELISTV6 variables when BLOCK_NETSET_DIR is defined.
+ Added ipset support when IPTABLES_IPSET=1 and ipset is installed, disabled by default, Issues: #1, #24, #31
+ Added LAN to DMZ forwarding policy, new optional LAN_DMZ_ALLOW_IF variable, Issue #30
+ Added NAT_IF option to optionally specify external interfaces to be used for NAT
+ Added LAN to LAN (Inter-LAN) filtering rules, LAN_LAN_HOST_OPEN_xxx, Issue #28
- Removed unused INT_FORWARD_IN_CHAIN and INT_FORWARD_OUT_CHAIN user chains, related to Issue #28
  Note: Any custom rule or plugin should generally use the FORWARD_CHAIN or POST_FORWARD_CHAIN to access the FORWARD chain.
        Additionally, the new LAN_LAN_HOST_OPEN_xxx rules natively handle Inter-LAN filtering.
* New support for ICMPv6 Multicast Listener Discovery, enable with OPEN_ICMPV6_MLD=1, disabled by default
* Keep external ICMPv6 packets appearing as annoying logs, common with native IPv6 ISPs. Thanks to David Kerr
+ Added new PPTP VPN Passthrough plugin, suggested by Yuriy Cherniavsky, Issue #27
* Detect and remove stale lockfiles for plugin helpers
! Support kernel version check where "uname -r" doesn't contain a '-' character
! Leave the IPv6 sysctl accept_ra setting alone when forwarding=1, fixes WAN DHCPv6-client, Issue #21

Version 2.0.1f (October 1, 2015)
--------------------------------
* Honour Debian recommendations for systemd service file
! Enable xtables lock "wait" option found in iptables 1.4.20+, Issue #17
! Using NAT_STATIC_IP with multiple ext interfaces would fail in case not enough ext IPs were specified
* Don't hardcode IP4TABLES/IP6TABLES binary in the config file. Just autodetect it like the other binaries
! Misc. fixes for newer SuSE & Redhat systems concerning systemd & init
* Moved get host cache logic from traffic accounting plugin to environment to avoid (future) code duplication
! Fixed NAT_LOCAL_REDIRECT=1 packets from being logged as if they were dropped
+ Added tcp_be_liberal option
+ Allow rp_filter to be mode 2 (loose)
! Fixed functions get_ifs() and get_ips() with a '#', distinguish IPv4 from VLAN interfaces and check for
  IPv6 addresses (thanks to Mike C. Fletcher)
* Improve y/n user handling
* Improve log handling for dyndns plugin
+ Try to auto detect external net settings automatically on start
* Improve error handling especially for plugins
* Several plugin updates

Version 2.0.1e (February 2, 2014)
---------------------------------
* Updated arno-fwfilter
* Updated install.sh for Git
* traffic-shaper plugin, allow DOWNLINK=0 to disable inbound (ingress) shaping
* Updated Gentoo init script (thanks to Erki Ferenc)
- Removed some Gentoo specific stuff that isn't required anymore
- Removed TRACE option. It's broken and there's no good way to implement it
+ Added DMZ_INPUT_DENY_LOG variable support for default "AIF:DMZ-INPUT denied:" logs, "0" disables logs
+ Added DMZ_OUTPUT_DENY_LOG variable support for default "AIF:DMZ->LAN denied:" logs, "0" disables logs
* DYNDNS & Traffic Accounting Plugin refactor
* Misc. tweaks

Version 2.0.1d (November 16, 2012)
----------------------------------
+ Reintroduce DNS fast fail option + add additional option (DNS_FAST_FAIL_ONCE) to allow plugins to use it
+ Added nat-loopback plugin for local nets using existing NAT_FORWARD_TCP and NAT_FORWARD_UDP rules.
+ Added new main command 'status-plugins [name]'.  Useful [name] values are: dyndns-host-open, multiroute, nat-loopback,
  rpc, traffic-accounting and traffic-shaper.  When [name] is specified, only that plugin is shown.
  For Example:
    $ arno-iptables-firewall status-plugins                       (shows all plugins status results)
    $ arno-iptables-firewall status-plugins dyndns-host-open      (shows only dyndns-host-open plugin status results)
+ Added outbound-snat plugin to support when a NAT'ed external interface has multiple IPv4 addresses, it may be
  desirable to specify which internal IPs or CIDRs use which external IPv4 addresses for outbound connections.
! Fixed modprobe() function when using kmod. Apparently kmod doesn't echo anything (to stderr) when a module is not found?!
! Fix logging dropped packets matching (ie, not just TCP) for LAN_INET_FORWARD_CHAIN and DMZ_INET_FORWARD_CHAIN.
+ Added new variables LAN_INET_DEFAULT_POLICY_DROP, DMZ_INET_DEFAULT_POLICY_DROP and LAN_DEFAULT_POLICY_DROP
  to define the default policies. When undefined the 'automatic' policy is the default as with all previous versions.
* Allow plugins to maintain a dynamic chain (e.g. MINIUPNPD) in the nat table and not get automatically flushed on a restart.
* Improved traffic-accounting & dyndns-host-open plugins with a new host cache mechanism

Version 2.0.1c (June 27, 2012)
------------------------------
! Fix a script 'IFS' issue if IPv6 and DMZ is enabled together with DMZ_HOST_OPEN_IP (thanks to Ingmar Schraub)
! Newer kernels (3.4+) replaced ipt_LOG & ip6t_LOG with xt_LOG (thanks to Adam Young)

Version 2.0.1b (March 16, 2012)
-------------------------------
! RESERVED_NET_DROP only worked when RESERVED_NET_LOG was enabled (regression) (thanks to gregoryach@gmail.com)
! Removed stray line in install.sh
* Updated/corrected documentation

Version 2.0.1a (March 7, 2012)
------------------------------
* Misc. tweaks for arno-fwfilter (thanks Mark van Dijk)
* Use ls instead of [ -n (find) ] as it's much faster (thanks Lonnie)
* As with previous versions, when LAN_INET_OPEN_xxx and LAN_INET_HOST_OPEN_xxx are NOT defined
  the default LAN->INET policy is ACCEPT. Changed is when *any* of these variables are defined
  the default LAN->INET policy is DROP for all ports and protocols, not just TCP/UDP/IP as before.
* As with previous versions, when DMZ_INET_OPEN_xxx and DMZ_INET_HOST_OPEN_xxx are NOT defined
  the default DMZ->INET policy is ACCEPT. Changed is when *any* of these variables are defined
  the default DMZ->INET policy is DROP for all ports and protocols, not just TCP/UDP/IP as before.
* Tweak the handling of some of the sysctl kernel settings. This now also
  allows disabling setting/resetting some settings (like forwarding)
* Default UDP connection timeout to 60 seconds
+ Added support for new LOCAL_CONFIG_DIR variable, defaults to "/etc/arno-iptables-firewall/conf.d" (Debian bug #658458)
! Set default policy to DROP if either LAN_INET_HOST_OPEN_xxx or DMZ_INET_HOST_OPEN_xxx are defined,
  to match the documentation. (thanks Schilling Thomas Ing for reporting)
* Improve documentation

Version 2.0.1 (December 18, 2011)
---------------------------------
- Removed DNS_FAST_FAIL & RESOLV_IPS since they are both obsolete
* Few changes in the install/uninstall scripts. eg. arno-fwfilter now installs to /usr/local/bin instead

Version 2.0.1-BETA1 (October 10, 2011)
--------------------------------------
! Fixed kernel_ver_chk() function to properly handle kernel 3. (thanks Gunawan Lim for reporting)
! Fixed variables containing REJECT_UDP with IPv6 enabled, it should use 'icmp6-addr-unreachable' for IPv6.
* Updated "DynDNS Host Open" and "DMZ-DNAT" plugins to use new parse_rule() function.
* AIF variables are now parsed with a common function, now missing fields are logged with a warning.
* Misc. tweaks

Version 2.0.0c (July 28, 2011)
-----------------------------------
* Call insserv during configure, when available. This is required for eg.
  Debian/Ubuntu systems that use dependency based booting
! Fixed MULTICAST jumping should be done at the end of the EXT_INPUT_CHAIN, not
  at the beginning else users won't be able to create "normal" rules for it
* Updated several plugins
* Several tweaks

Version 2.0.0b (March 25, 2011)
-------------------------------
+ Perform kernel check when IPv6 support is enabled
- Don't auto detect external interface settings during configure. It's too
  confusing and fills out the wrong values for certain setups (like laptops that are moved around)
+ Show platform information on start/restart when verbose
! remove bash-ism related to traffic-shaper plugin (Reported by Debian upstream, Debian bug #619496)
! remove bash-ism in ipsec-vpn plugin (Reported by Debian upstream, Debian bug #617510)
! workaround Busybox 'ash' bug when IPV6_SUPPORT is enabled
+ Added pptp-vpn plugin for local PPTP server support
! arno-fwfilter uses incorrect URL for location lookup (Debian bug #613631, thanks to Tony Evans for the patch)
+ Drop all IPv6 packets with Routing Header Type 0, new variable IPV6_DROP_RH_ZERO (thanks Klemen Mihevc)
! Fixed handling HOST_OPEN_ICMP, HOST_DENY_ICMP_NOLOG and HOST_DENY_ICMP variables
  with IPv6 addresses. (thanks Klemen Mihevc)
* Tweaked NAT module loading + cosmetics. iptable_nat is a required module for
  AIF because of the plugin framework/helper chains so it's wrong to only load
  it when NAT is enabled in the main script.

Version 2.0.0a (December 30, 2010)
----------------------------------------
! Set IFS=' ' in our batch-functions else the wrappers fail in some cases
- Removed old legacy plugin support that used the PLUGIN_PATH variable
! Fixed an issue when the value of IPV6_SUPPORT was changed then followed with a 'restart'
* (Cosmetic) tweaks

Version 2.0.0 (November 15, 2010)
---------------------------------
! dig wrapper using nslookup, extract IPv4 addresses over IPv6 addresses
* ipsec-vpn plugin, removed unnecessary EXT_INPUT_CHAIN rule and added IPv6 support
  for matching AH headers

Version 1.9.9-RC1 (October 25, 2010)
------------------------------------
- Removed deprecated check_binary() function from environment
+ Added support for an optional plugin_restart() function in plugins using a new plugin template,
  while supporting previous plugins without a plugin_restart() function
* Refactor load_modules() using our new modprobe_multi()
* Allow modprobe_multi() function arguments to be grouped by a comma
+ Use IDENT environment variable for plugins
+ Added SHAPER_IF variable to traffic-shaper plugin to specify a single external interface
  should the default EXT_IF value contain more than one interface
+ Added SIP_VOIP_REMOTE_HOSTS variable to sip-voip plugin to limit access by source address
- Removed obsolete module_probe() function. Use modprobe() instead
+ Added IPV6_AUTO_CONFIGURATION variable to control autoconf when IP_FORWARDING = 0
+ Added IPV6_OVER_IPV4_SERVER variable for ipv6-over-ipv4 plugin, restricting 6to4 source packets
* Misc. tweaks & fixes

Version 1.9.9-BETA1 (October 8, 2010)
-------------------------------------
* Refactor setting kernel parameters
! Revert change that didn't masquerade IPv6/proto 41, so outgoing forwarded connections work properly
+ Added EXTERNAL_DHCPV6_SERVER variable to allow DHCPv6 clients on the *external* interface
* The default INET->DMZ policy is now DROP.  Common variables this change may affect are:
  INET_DMZ_HOST_OPEN_xxx and INET_DMZ_OPEN_xxx
+ Added support for Link-Local-Multicast ICMPv6 echo-request packets
+ Added LINK_LOCAL_DROP_LOG variable which controls logging of dropped IPv6 Link-Local addresses.
+ Added FORWARD_LINK_LOCAL variable which, by default (0), disables forwarding of IPv6 Link-Local addresses.
+ Added EXT_MULTICAST_CHAIN to handle external-inbound multicast traffic
+ Added DHCPv6 support for the EXT_IF_DHCP_IP variable.
+ Added a new variable FORWARD_DROP_LOG to disable logging dropped forwards when set to 0, defaults to 1.
! Fixed handling of destination host~port fields where only the host was specified.
+ Added a new set of variables INET_FORWARD_xxx to allow forwarding INET IPv6 and non-NAT'ed IPv4 packets
  to other interfaces.  The format is similar to the IPv4 NAT_FORWARD_xxx without port mapping.
+ Added a new variable OPEN_ICMPV6 to allow independent control of INET ICMP for IPv4 and IPv6, enabled by default.
! Fixed handling of INET_DMZ_HOST_OPEN_xxx variables
! Fixed handling of INET_DMZ_HOST_DENY_xxx variables
! Fixed handling of INET_DMZ_DENY_TCP
! Fixed variable typo, INET_DMZ_HOST_DENY_TCP was not handled
+ Added IPv6 reserved network support, label logs by IPv4 and IPv6
! Fixed RESERVED_NET_LOG is now independent from DROP_PRIVATE_ADDRESSES
+ Added option to the configure script to enable/disable IPv6 + several tweaks
* Sanity check should always be the first thing we do since we probably can't
  write the log-file in case we're not root
+ Automatically disable IPV6_SUPPORT if IPv6 is not detected in the kernel
+ Add support for mixed IPv4/IPv6 when IPV6_SUPPORT=1