proxmox-firewall (1.2.2) trixie; urgency=medium * fix regression in IP-set lookup for auto-generated IPAM IP-sets. -- Proxmox Support Team Tue, 21 Apr 2026 12:52:09 +0200 proxmox-firewall (1.2.1) trixie; urgency=medium * fix generating rules with both ICMP type and ICMP code set. * map the iptables icmp(v6)-types to the nftables icmp(v6)-types -- Proxmox Support Team Mon, 17 Nov 2025 16:25:50 +0100 proxmox-firewall (1.2.0) trixie; urgency=medium * fix #6831: move conntrack statement to forward chain to avoid that conntracked flows that are routed by the PVE host to not get accepted. * vnet firewall: create chains in host table only if host-level firewall is enabled. * ip filter: restrict containers to use their specific IP, not the full CIDR network. * fix #6336: fix IP filter matching logic so that filters with empty nomatch sets can actually work. * fix #6107: add support for legacy ipset and alias names, i.e. those that do not include the explicit scope (dc or guest). * firewall: set auto-merge flag for ipsets to ensure that sets that contain overlapping IP ranges do not cause rules to be generated that are not accepted by nftables. * merge management ipset with local_network to avoid pitfall and to better align the behavior with the perl pve-firewall daemon. -- Proxmox Support Team Sat, 04 Oct 2025 15:06:40 +0200 proxmox-firewall (1.1.2) trixie; urgency=medium * update to proxmox-network-api interface parser -- Proxmox Support Team Thu, 14 Aug 2025 12:39:04 +0200 proxmox-firewall (1.1.1) trixie; urgency=medium * firewall: add connmark rule with VMID to all guest chains. -- Proxmox Support Team Wed, 30 Jul 2025 22:48:49 +0200 proxmox-firewall (1.1.0) trixie; urgency=medium * add subcommands for: - starting proxmox-firewall in the foreground - printing the rule skeleton that is included in the binary. - printing the nft commands generated from the firewall configuration files * add localnet subcommand to query the currently used IPs in the management IP set. * use common proxmox-log crate for all logging. -- Proxmox Support Team Tue, 29 Jul 2025 08:27:33 +0200 proxmox-firewall (1.0.1) trixie; urgency=medium * add transparent altname support for firewall rules. -- Proxmox Support Team Wed, 16 Jul 2025 17:17:37 +0200 proxmox-firewall (1.0.0) trixie; urgency=medium * re-build for Debian Trixie based releases. -- Proxmox Support Team Tue, 17 Jun 2025 11:58:27 +0200 proxmox-firewall (0.7.1) bookworm; urgency=medium * guest: do not try to create map entries if there are no devices that have the firewall enabled -- Proxmox Support Team Tue, 08 Apr 2025 15:54:01 +0200 proxmox-firewall (0.7.0) bookworm; urgency=medium * security groups: skip in forward chain when interface is specified. * apply `nf_conntrack_allow_invalid` to all chains on the guest table. * apply `nf_conntrack_allow_invalid` option to host table on all chains that check for ct state. * partially fix #6176: correctly honor default value for enable-firewall setting from guest config. * firewall macros: fix macros using ICMP protocol. * fix #6108: firewall macros: Add missing ICMPv6 statements -- Proxmox Support Team Mon, 07 Apr 2025 15:08:21 +0200 proxmox-firewall (0.6.0) bookworm; urgency=medium * ipsets: autogenerate ipsets for vnets and ipam * sdn: add support for loading vnet-level firewall config * sdn: create forward firewall rules * firewall: apply `nt_conntrack_allow_invalid` option to guest table * config: fallback to legacy path when reading PVE IPAM state -- Proxmox Support Team Tue, 19 Nov 2024 16:46:26 +0100 proxmox-firewall (0.5.0) bookworm; urgency=medium * rules: allow vital ICMP(v6) types irregardless of any other rules, which is particularly for ICMPv6 related ones. This follows RFC 4890. * service: flush firewall rules on force disable to avoid a race condition where the nftables rule-set never gets flushed and persists after disabling. * update to newer proxmox-sys and proxmox-schema dependencies * conntrack: arp: move handling to guest chains in order to avoid affecting bridged host interfaces. * guest: match arp packets via 'meta' filter type to ensure that valid ARP packets encapsulated in VLAN frames get through, as with the 'ether' type ARP traffic inside VLANs always gets dropped. -- Proxmox Support Team Mon, 22 Jul 2024 18:05:36 +0200 proxmox-firewall (0.4.2) bookworm; urgency=medium * rules: use proper ICMPv6 admin-prohibited type for rejecting IPv6 traffic, host-prohibited only exist for IPv4 * guest out: fix handling ARP traffic with a default block/reject policy * guest out: fix handling connection tracking with a default block/reject policy -- Proxmox Support Team Tue, 21 May 2024 15:43:51 +0200 proxmox-firewall (0.4.1) bookworm; urgency=medium * check for file flag in /run signaling that this service is disabled and skip config parsing completely in that case to avoid logging errors even if the user cannot be affected by them -- Proxmox Support Team Fri, 26 Apr 2024 17:22:01 +0200 proxmox-firewall (0.4.0) bookworm; urgency=medium * config: macros: add SPICE-proxy macro * config: nftables: add support for icmp-type any * firewall: improve error handling of daemon -- Proxmox Support Team Thu, 25 Apr 2024 19:29:47 +0200 proxmox-firewall (0.3.1) bookworm; urgency=medium * fix #5410: config: fix naming scheme for aliases in firewall config, allow underscores as long as it's not the first character. -- Proxmox Support Team Wed, 24 Apr 2024 19:40:16 +0200 proxmox-firewall (0.3.0) bookworm; urgency=medium * firewall: improve handling REJECT rules -- Proxmox Support Team Tue, 23 Apr 2024 18:33:38 +0200 proxmox-firewall (0.2.1) bookworm; urgency=medium * firewall: properly cleanup tables when firewall is inactive -- Proxmox Support Team Tue, 23 Apr 2024 13:20:12 +0200 proxmox-firewall (0.2.0) bookworm; urgency=medium * firewall: wait for nft process to avoid left-over zombie processes * firewall: change systemd unit file to type simple and drop PID file, not relevant here -- Proxmox Support Team Fri, 19 Apr 2024 19:42:26 +0200 proxmox-firewall (0.1.0) bookworm; urgency=medium * Initial release. -- Proxmox Support Team Thu, 18 Apr 2024 21:07:32 +0200