"Fossies" - the Fresh Open Source Software Archive 
Member "aif-2.1.1/CHANGELOG" (16 Sep 2020, 16607 Bytes) of package /linux/privat/aif-2.1.1.tar.gz:
As a special service "Fossies" has tried to format the requested text file into HTML format (style:
standard) with prefixed line numbers.
1 Version 2.1.1 (September 16, 2020)
2 ----------------------------------
3 * Improve stdout/stderr handling in ip4tables/ip6tables/ip4tables_restore/ip6tables_restore functions
4 ! ip4tables/ip6tables functions were broken for multiline result since 2.1.0 breaking eg. the traffic-accounting-plugin
5 + Enable logrotate for /var/log/arno-iptables-firewall
6 * Cleanup log handling + rename /var/log/firewall.log to /var/log/arno-iptables-firewall
7 * Refactor lock_enter/lock_enter_single
8 ! Stale lock file removal didn't work properly
9 * Detect if dist version is already installed and generate a warning in that case
10 * Get rid of ENV_FILE/PLUGIN_CONF_PATH/PLUGIN_BIN_PATH setting in config file and improve autodetection
11
12 Version 2.1.0 (January 3, 2020)
13 -------------------------------
14 ! systemd script had private tmp enabled causing problems with the job manager
15 * Use start-stop-daemon to start the job manager. Hopefully fixes the issue of it sometimes terminating suddenly
16 * Some tweaks/cleanups for the job manager
17 ! Potential systemd service file shutdown problem (thanks to Sven Geuer from Debian upstream)
18 * Have installer install rsyslog config file, if rsyslog is available
19 ! Fixed (dynamic) host multi IP handling in plugins
20 * Default FRAG_DROP to off
21 * Tweaks in the job manager process
22
23 Version 2.1.0-RC2 (February 13, 2019)
24 -------------------------------------
25 ! ipt_if() expansion didn't work as it should
26 * Improve copy/overwrite logic in install.sh
27 * Tweak job manager start/stop logic
28
29 Version 2.1.0-RC1 (February 10, 2019)
30 -------------------------------------
31 ! The install and configure scripts didn't work properly on systems without an /etc/init.d directory (eg. Arch Linux)
32 ! Error handling in the plugin helpers was broken
33 * Workaround non-working + interface wildcard in nftables's iptables binary
34 * It's useless to reset the counters when we've just flushed all chains
35 - Get rid of the BAD_TCP_FLAGS setting, which in fact always was a "bad tcp options" setting. This also fixes
36 problems with nftables's iptables emulation
37 ! aif-job-processor lock was not removed when jobs file became empty
38 * Change FRAG_LOG option to FRAG_DROP to allow disabling fragment dropping (eg. for broken nftables)
39 * Backport systemd updates/improvements from Debian (thanks Sven Geuer)
40
41 Version 2.1.0-BETA1 (June 29, 2018)
42 -----------------------------------
43 * Move dynamic host handling (no longer via DynDNS-host-open plugin but handled internally)
44 + Capability for hostnames resolving to multiple IPs in dynamic host support
45 + New job manager to accommodate improved (plugin) helper support (replaces cron jobs)
46 * Move duplicate code from some of the plugins to environment (like locking for instance)
47 * Various other tweaks/refactoring
48
49 Version 2.0.3 (June 28, 2018)
50 -----------------------------
51 ! Missing mention in man page of arno-fwfilter's --no-resolve option
52 ! Various fixes in the installer
53 * Improvements in the parasitic net plugin
54 * Various tweaks
55
56 Version 2.0.2a (October 26, 2017)
57 ---------------------------------
58 ! Fixed log line being too long (>28 chars)
59 ! Fixed systemd installation failed on some systems
60 ! Service file should start AIF after network is up and local filesystems are mounted
61 * Tweaks/improvements in configure/install scripts
62
63 Version 2.0.2 (July 28, 2017)
64 -----------------------------
65 + Added new Parasitic Network plugin, allows "clients" on the same subnet to use this device as a gateway upstream.
66 * Improve lock-file handling in the "DynDNS Host Open" and "Traffic Accounting" plugins.
67 + Disable nf_conntrack automatic helper assignment when possible, attach with CT target, Issue #35
68 ! Fixed IPv6 NAT table was not flushed on start/stop/restart, Issue #36
69 + Added EXT_IF_DHCPV6_IPV6 config variable supporting DHCPv6 when DHCP is not enabled, Issue #34
70 + Added ability to selectively log blocked hosts by inbound and outbound direction.
71 BLOCKED_HOST_LOG Options: 0 = Disable, 1 = Inbound & Outbound, 2 = Inbound, 3 = Outbound
72
73 Version 2.0.1g (October 11, 2016)
74 ---------------------------------
75 + Added new BLOCK_NETSET_DIR variable which efficiently creates ipsets for blocklists using .netset files.
76 + Added expert DEFAULT_NETSET_WHITELIST and DEFAULT_NETSET_WHITELISTV6 variables when BLOCK_NETSET_DIR is defined.
77 + Added ipset support when IPTABLES_IPSET=1 and ipset is installed, disabled by default, Issues: #1, #24, #31
78 + Added LAN to DMZ forwarding policy, new optional LAN_DMZ_ALLOW_IF variable, Issue #30
79 + Added NAT_IF option to optionally specify external interfaces to be used for NAT
80 + Added LAN to LAN (Inter-LAN) filtering rules, LAN_LAN_HOST_OPEN_xxx, Issue #28
81 - Removed unused INT_FORWARD_IN_CHAIN and INT_FORWARD_OUT_CHAIN user chains, related to Issue #28
82 Note: Any custom rule or plugin should generally use the FORWARD_CHAIN or POST_FORWARD_CHAIN to access the FORWARD chain.
83 Additionally, the new LAN_LAN_HOST_OPEN_xxx rules natively handle Inter-LAN filtering.
84 * New support for ICMPv6 Multicast Listener Discovery, enable with OPEN_ICMPV6_MLD=1, disabled by default
85 * Keep external ICMPv6 packets appearing as annoying logs, common with native IPv6 ISP's. Thanks to David Kerr
86 + Added new PPTP VPN Passthrough plugin, suggested by Yuriy Cherniavsky, Issue #27
87 * Detect and remove stale lockfiles for plugin helpers
88 ! Support kernel version check where "uname -r" doesn't contain a '-' character
89 ! Leave the IPv6 sysctl accept_ra setting alone when forwarding=1, fixes WAN DHCPv6-client, Issue #21
90
91 Version 2.0.1f (October 1, 2015)
92 --------------------------------
93 * Honour Debian recommendations for systemd service file
94 ! Enable xtables lock "wait" option found in iptables 1.4.20+, Issue #17
95 ! Using NAT_STATIC_IP with multiple ext interfaces would fail in case not enough ext IPs were specified
96 * Don't hardcode IP4TABLES/IP6TABLES binary in the config file. Just autodetect it like the other binaries
97 ! Misc. fixes for newer SuSE & Redhat systems concerning systemd & init
98 * Moved get host cache logic from traffic accounting plugin to environment to avoid (future) code duplication
99 ! Fixed NAT_LOCAL_REDIRECT=1 packets from being logged as if they were dropped
100 + Added tcp_be_liberal option
101 + Allow rp_filter to be mode 2 (loose)
102 ! Fixed functions get_ifs() and get_ips() with a '#', distinguish IPv4 from VLAN interfaces and check for
103 IPv6 addresses (thanks to Mike C. Fletcher)
104 * Improve y/n user handling
105 * Improve log handling for dyndns plugin
106 + Try to autodetect external net settings on start
107 * Improve error handling especially for plugins
108 * Several plugin updates
109
110 Version 2.0.1e (February 2, 2014)
111 ---------------------------------
112 * Updated arno-fwfilter
113 * Updated install.sh for Git
114 * traffic-shaper plugin, allow DOWNLINK=0 to disable inbound (ingress) shaping
115 * Updated Gentoo init script (thanks to Erki Ferenc)
116 - Removed some Gentoo specific stuff that isn't required anymore
117 - Removed TRACE option. It's broken and there's no good way to implement it
118 + Added DMZ_INPUT_DENY_LOG variable support for default "AIF:DMZ-INPUT denied:" logs, "0" disables logs
119 + Added DMZ_OUTPUT_DENY_LOG variable support for default "AIF:DMZ->LAN denied:" logs, "0" disables logs
120 * DYNDNS & Traffic Accounting Plugin refactor
121 * Misc. tweaks
122
123 Version 2.0.1d (November 16, 2012)
124 ----------------------------------
125 + Reintroduce DNS fast fail option + add additional option (DNS_FAST_FAIL_ONCE) to allow plugins to use it
126 + Added nat-loopback plugin for local nets using existing NAT_FORWARD_TCP and NAT_FORWARD_UDP rules.
127 + Added new main command 'status-plugins [name]'. Useful [name] values are: dyndns-host-open, multiroute, nat-loopback,
128 rpc, traffic-accounting and traffic-shaper. When [name] is specified, only that plugin is shown.
129 For Example:
130 $ arno-iptables-firewall status-plugins (shows all plugins status results)
131 $ arno-iptables-firewall status-plugins dyndns-host-open (shows only dyndns-host-open plugin status results)
132 + Added outbound-snat plugin to support when a NAT'ed external interface has multiple IPv4 addresses, it may be
133 desirable to specify which internal IP's or CIDR's use which external IPv4 addresses for outbound connections.
134 ! Fixed modprobe() function when using kmod. Apparently kmod doesn't echo anything (to stderr) when a module is not found?!
135 ! Fix logging dropped packets matching (ie, not just TCP) for LAN_INET_FORWARD_CHAIN and DMZ_INET_FORWARD_CHAIN.
136 + Added new variables LAN_INET_DEFAULT_POLICY_DROP, DMZ_INET_DEFAULT_POLICY_DROP and LAN_DEFAULT_POLICY_DROP
137 to define the default policies. When undefined the 'automatic' policy is the default as with all previous versions.
138 * Allow plugins to maintain a dynamic chain (e.g. MINIUPNPD) in the nat table and not get automatically flushed on a restart.
139 * Improved traffic-accounting & dyndns-host-open plugins with a new host cache mechanism
140
141 Version 2.0.1c (June 27, 2012)
142 ------------------------------
143 ! Fix a script 'IFS' issue if IPv6 and DMZ is enabled together with DMZ_HOST_OPEN_IP (thanks to Ingmar Schraub)
144 ! Newer kernels (3.4+) replaced ipt_LOG & ip6t_LOG with xt_LOG (thanks to Adam Young)
145
146 Version 2.0.1b (March 16, 2012)
147 -------------------------------
148 ! RESERVED_NET_DROP only worked when RESERVED_NET_LOG was enabled (regression) (thanks to gregoryach@gmail.com)
149 ! Removed stray line in install.sh
150 * Updated/corrected documentation
151
152 Version 2.0.1a (March 7, 2012)
153 ------------------------------
154 * Misc. tweaks for arno-fwfilter (thanks Mark van Dijk)
155 * Use ls instead of [ -n (find) ] as it's much faster (thanks Lonnie)
156 * As with previous versions, when LAN_INET_OPEN_xxx and LAN_INET_HOST_OPEN_xxx are NOT defined
157 the default LAN->INET policy is ACCEPT. What has changed: when *any* of these variables are defined
158 the default LAN->INET policy is DROP for all ports and protocols, not just TCP/UDP/IP as before.
159 * As with previous versions, when DMZ_INET_OPEN_xxx and DMZ_INET_HOST_OPEN_xxx are NOT defined
160 the default DMZ->INET policy is ACCEPT. What has changed: when *any* of these variables are defined
161 the default DMZ->INET policy is DROP for all ports and protocols, not just TCP/UDP/IP as before.
162 * Tweak the handling of some of the sysctl kernel settings. This now also
163 allows disabling setting/resetting some settings (like forwarding)
164 * Default UDP connection timeout to 60 seconds
165 + Added support for new LOCAL_CONFIG_DIR variable, defaults to "/etc/arno-iptables-firewall/conf.d" (Debian bug #658458)
166 ! Set default policy to DROP if either LAN_INET_HOST_OPEN_xxx or DMZ_INET_HOST_OPEN_xxx are defined,
167 to match the documentation. (thanks Schilling Thomas Ing for reporting)
168 * Improve documentation
169
170 Version 2.0.1 (December 18, 2011)
171 ---------------------------------
172 - Removed DNS_FAST_FAIL & RESOLV_IPS since they are both obsolete
173 * Few changes in the install/uninstall scripts. eg. arno-fwfilter now installs to /usr/local/bin instead
174
175 Version 2.0.1-BETA1 (October 10, 2011)
176 --------------------------------------
177 ! Fixed kernel_ver_chk() function to properly handle kernel 3. (thanks Gunawan Lim for reporting)
178 ! Fixed variables containing REJECT_UDP with IPv6 enabled, it should use 'icmp6-addr-unreachable' for IPv6.
179 * Updated "DynDNS Host Open" and "DMZ-DNAT" plugins to use new parse_rule() function.
180 * AIF variables are now parsed with a common function, now missing fields are logged with a warning.
181 * Misc. tweaks
182
183 Version 2.0.0c (July 28, 2011)
184 -----------------------------------
185 * Call insserv during configure, when available. This is required for eg.
186 Debian/Ubuntu systems that use dependency based booting
187 ! Fixed MULTICAST jumping should be done at the end of the EXT_INPUT_CHAIN, not
188 at the beginning, else users won't be able to create "normal" rules for it
189 * Updated several plugins
190 * Several tweaks
191
192 Version 2.0.0b (March 25, 2011)
193 -------------------------------
194 + Perform kernel check when IPv6 support is enabled
195 - Don't auto detect external interface settings during configure. It's too
196 confusing and fills out the wrong values for certain setups (like laptops that are moved around)
197 + Show platform information on start/restart when verbose
198 ! remove bash-ism related to traffic-shaper plugin (Reported by Debian upstream, Debian bug #619496)
199 ! remove bash-ism in ipsec-vpn plugin (Reported by Debian upstream, Debian bug #617510)
200 ! workaround Busybox 'ash' bug when IPV6_SUPPORT is enabled
201 + Added pptp-vpn plugin for local PPTP server support
202 ! arno-fwfilter uses incorrect URL for location lookup (Debian bug #613631, thanks to Tony Evans for the patch)
203 + Drop all IPv6 packets with Routing Header Type 0, new variable IPV6_DROP_RH_ZERO (thanks Klemen Mihevc)
204 ! Fixed handling HOST_OPEN_ICMP, HOST_DENY_ICMP_NOLOG and HOST_DENY_ICMP variables
205 with IPv6 addresses. (thanks Klemen Mihevc)
206 * Tweaked NAT module loading + cosmetics. iptable_nat is a required module for
207 AIF because of the plugin framework/helper chains so it's wrong to only load
208 it when NAT is enabled in the main script.
209
210 Version 2.0.0a (December 30, 2010)
211 ----------------------------------------
212 ! Set IFS=' ' in our batch-functions else the wrappers fail in some cases
213 - Removed old legacy plugin support that used the PLUGIN_PATH variable
214 ! Fixed an issue when the value of IPV6_SUPPORT was changed then followed with a 'restart'
215 * (Cosmetic) tweaks
216
217 Version 2.0.0 (November 15, 2010)
218 ---------------------------------
219 ! dig wrapper using nslookup, extract IPv4 addresses over IPv6 addresses
220 * ipsec-vpn plugin, removed unnecessary EXT_INPUT_CHAIN rule and added IPv6 support
221 for matching AH headers
222
223 Version 1.9.9-RC1 (October 25, 2010)
224 ------------------------------------
225 - Removed deprecated check_binary() function from environment
226 + Added support for an optional plugin_restart() function in plugins using a new plugin template,
227 while supporting previous plugins without a plugin_restart() function
228 * Refactor load_modules() using our new modprobe_multi()
229 * Allow modprobe_multi() function arguments to be grouped by a comma
230 + Use IDENT environment variable for plugins
231 + Added SHAPER_IF variable to traffic-shaper plugin to specify a single external interface
232 should the default EXT_IF value contain more than one interface
233 + Added SIP_VOIP_REMOTE_HOSTS variable to sip-voip plugin to limit access by source address
234 - Removed obsolete module_probe() function. Use modprobe() instead
235 + Added IPV6_AUTO_CONFIGURATION variable to control autoconf when IP_FORWARDING = 0
236 + Added IPV6_OVER_IPV4_SERVER variable for ipv6-over-ipv4 plugin, restricting 6to4 source packets
237 * Misc. tweaks & fixes
238
239 Version 1.9.9-BETA1 (October 8, 2010)
240 -------------------------------------
241 * Refactor setting kernel parameters
242 ! Revert change that didn't masquerade IPv6/proto 41, so outgoing forwarded connections work properly
243 + Added EXTERNAL_DHCPV6_SERVER variable to allow DHCPv6 clients on the *external* interface
244 * The default INET->DMZ policy is now DROP. Common variables this change may affect are:
245 INET_DMZ_HOST_OPEN_xxx and INET_DMZ_OPEN_xxx
246 + Added support for Link-Local-Multicast ICMPv6 echo-request packets
247 + Added LINK_LOCAL_DROP_LOG variable which controls logging of dropped IPv6 Link-Local addresses.
248 + Added FORWARD_LINK_LOCAL variable which, by default (0), disables forwarding of IPv6 Link-Local addresses.
249 + Added EXT_MULTICAST_CHAIN to handle external-inbound multicast traffic
250 + Added DHCPv6 support for the EXT_IF_DHCP_IP variable.
251 + Added a new variable FORWARD_DROP_LOG to disable logging dropped forwards when set to 0, defaults to 1.
252 ! Fixed handling of destination host~port fields where only the host was specified.
253 + Added a new set of variables INET_FORWARD_xxx to allow forwarding INET IPv6 and non-NAT'ed IPv4 packets
254 to other interfaces. The format is similar to the IPv4 NAT_FORWARD_xxx without port mapping.
255 + Added a new variable OPEN_ICMPV6 to allow independent control of INET ICMP for IPv4 and IPv6, enabled by default.
256 ! Fixed handling of INET_DMZ_HOST_OPEN_xxx variables
257 ! Fixed handling of INET_DMZ_HOST_DENY_xxx variables
258 ! Fixed handling of INET_DMZ_DENY_TCP
259 ! Fixed variable typo, INET_DMZ_HOST_DENY_TCP was not handled
260 + Added IPv6 reserved network support, label logs by IPv4 and IPv6
261 ! Fixed RESERVED_NET_LOG is now independent from DROP_PRIVATE_ADDRESSES
262 + Added option to the configure script to enable/disable IPv6 + several tweaks
263 * Sanity check should always be the first thing we do since we probably can't
264 write the log-file in case we're not root
265 + Automatically disable IPV6_SUPPORT if IPv6 is not detected in the kernel
266 + Add support for mixed IPv4/IPv6 when IPV6_SUPPORT=1
267