doc: add documentation for new modules

[ferm.git] / NEWS

    CHANGES

    version history for ferm

    Max Kellermann <max@foo-projects.org>
    Auke Kok <sofar@foo-projects.org>


v2.2.1 - not yet released
  - new function @defined
  - support netfilter match modules:
    * bpf
    * connlabel
    * cpu
    * dst
    * rpfilter
  - support netfilter targets:
    * CHECKSUM
    * CONNMARK: support set-xmark, nfmask, and-mark, or-mark, xor-mark
    * NFQUEUE: support queue-balance, queue-bypass, queue-cpu-fanout
  - recognize BROUTING as built-in chain (for ebtables)
  - check exit status of included shell commands
  - documentation
    * fixed wrongly used quotation marks in piped @include example

v2.2 - 1 Jul 2013
  - support netfilter modules:
    * CT
    * TEE
  - automatically apply @ipfilter on dual-stack config


v2.1.2 - 17 Dec 2012
  - support netfilter modules:
    * osf
  - updated netfilter modules:
    * hashlimit: allow list after hashlimit-mode
  - fix functions containing mixed domains
  - check function parameter types
  - allow policy QUEUE and RETURN
  - support setting policy of non-builtin chains


v2.1.1 - 29 Jul 2012
  - updated netfilter modules:
    * conntrack: support ctorigsrcport, ctorigdstport
  - new netfilter modules:
    * TPROXY target
  - allow folding @resolve value into a string


v2.1 - 17 Jul 2011
  - new functions @basename, @dirname, @ipfilter
  - add automatic variables $FILENAME, $LINE
  - updated netfilter modules:
    * pkg-type: support negation
    * set: "--match set" support for newer iptables
  - updated ebtables support:
    * use per-protocol options
    * add support for -p ARP --arp-gratuitous
    * support abbreviations in arguments
    * add support for matching IPv6
    * add support for "among" match
    * add support for the "limit" match
  - honor --noflush in fast mode
  - discard previous specifications when @if fails
  - use the --domain argument as the default domain
  - keep track of line numbers within custom function calls


v2.0.9 - 26 Feb 2011
  - updated netfilter modules:
    * state: support negation
    * icmp: translate "icmp-type" to "icmpv6-type" in domain "ip6"
  - add functions @cat, @substr, @length
  - subchain names can now be expanded
  - import-ferm: support empty string parameters


v2.0.8 - 4 Nov 2010
  - added automatic variable $DIRNAME
  - implement confirmation/rollback for --shell --interactive
  - added the "type" parameter to @resolve()
  - new functions @eq, @ne, @not
  - updated netfilter modules:
    * ebtables/snat: support --snat-arp
  - add parameter --timeout for rollback


v2.0.7 - 2 Jan 2010
  - fix post and flush hooks with --lines
  - always prefix the negation operator
  - updated netfilter modules:
    * addrtype: support negation and --limit-iface-{in,out}
    * conntrack: support negation and --ctdir
    * owner: support negation and --socket-exists
    * policy: support negation


v2.0.6 - 18 Jul 2009
  - support negation in mark/connmark
  - support negation in set
  - added automatic variable $FILENAME
  - allow @subchain as the first keyword in a closure
  - don't allow semicolon after empty rule
  - enable @include to run a program
  - removed superfluous tokens from error message
  - create a new stack frame for @subchain (fixes $CHAIN)


v2.0.5 - 28 Feb 2009
  - detect double negation
  - improved detection of negated arrays
  - ignore dpkg's backup/temporary files on @include
  - renamed "hook" to "@hook"
  - disable "pre" and "post" hooks with --flush
  - added "flush" hooks


v2.0.4 - 2 Dec 2008
  - enable policy-only domains (no rules, just policy declarations)
  - don't list custom chains in --flush --fast mode


v2.0.3 - 30 Sep 2008
  - create chains and subchains even if they are empty
  - fix includes within a rule ("Missing semicolon...")
  - fix subchain in include ("Died at [...] line 1493")
  - "protocol" is an alias for "proto", to fix the keyword conflict with
    the "policy" module


v2.0.2 - 26 Jul 2008
  - allow duplicate specification of "table" and "chain", for better
    1.3.x compatibility.  Support for this will be removed in a later
    release.  This does not apply to "domain".


v2.0.1 - 24 Jul 2008
  - generate "COMMIT" lines when flushing in fast mode
  - don't hard-code the path of iptables-save
  - install manpages in PREFIX/share/man


v2.0 - 22 Jul 2008
  - don't hard code built-in match modules
  - support for arptables and ebtables
  - removed support for deprecated ferm 1.1 syntax
    - removed the "set" and the "option" keyword
    - removed support for array-in-string
    - cleared the deprecated keyword translation table
    - removed TOS parameter shortcuts
    - don't default to policy if no action is specified
    - don't allow lower case built-in chain or policy names
    - removed --automod, --use, --clearall, --flushall, --flushchains,
      --createchains, --location, --debug, --verbose
    - comma in array is forbidden
    - removed "source" and "destination" as prefix for "addr" and "port" 
  - don't allow match rules before and after "policy"
  - removed support for deprecated netfilter modules
    - dst
    - frag
    - iplimit
  - rewrote the internal rule storage
    - honor the order of match modules
  - import-ferm rewrite
    - use module data from ferm
    - write policy in chain block
  - do not generate implicit protocol modules
  - do not allow targets options after "jump"
  - fixed rollback when there is no iptables-save
  - enable fast mode by default, can be disabled with --slow


v1.3.5 - 21 Jul 2008
  - don't ignore unknown keywords after target (reported by Kai
    Sassmannshausen)
  - don't include hidden files (reported by Florian Reitmeir)


v1.3.4 - 28 May 2008
  - fixed single quote escaping
  - escape empty strings
  - reset module list after semicolon handler (reported by Ralph Oesker)
  - import-ferm: ignore the position of the negation marker; this allows us
    to parse invalid save files generated by iptables-save (reported by
    Andri Moell)
  - fixed REDIRECT example in the manual


v1.3.3 - 22 Jan 2008
  - updated netfilter modules:
    * recent: support --rsource, --rdest
    * time: support --monthday, --weekdays, --utc, --localtz
    * u32: suport negated --u3
    * DNAT: support --random
    * MARK: support --set-xmark, --and-mark, --or-mark, --xor-mark
    * MASQUERADE: support --random
    * REDIRECT: support --random
    * SNAT: support --random
    * TOS: support --and-tos, --or-tos, --xor-tos
  - check if chain was specified before @subchain
  - suppress "not declared" warnings on empty custom chains


v1.3.2 - 19 Dec 2007
  - bugfix: emit "--proto" instead of "--protocol" for xt_policy "proto"
  - bugfix: handle array after DNAT/to-destination correctly
  - target options cannot have arrays by default
  - support netfilter modules:
    * ipv4options
    * string
  - support netfilter targets:
    * CLASSIFY (documentation)
    * CLUSTERIP
    * IPV4OPTSSTRIP
    * SAME (--random, documentation)


v1.3.1 - 9 Dec 2007
  - require IO::Handle, this fixes the interactive mode
  - configure test mode properly when running on microperl


v1.3 - 6 Dec 2007
  - reserve tokens starting with "@" as ferm keywords
  - implemented conditionals with @if/@else
  - added @include/@def/@subchain as alias to include/def/subchain
  - redirect STDOUT into STDERR --shell mode; this way, iptables warnings
    are separated from the ferm shell script output
  - microperl compatiblity:
    - don't require strict.pm / vars.pm
    - don't use IO::File
    - added simple Getopt::Long emulation
  - look for iptables in PATH
  - added function @resolve which resolves host names to IPv4 addresses
  - import-ferm supports ip6tables-save files
  - support "proto icmp" in the ip6 domain
  - make "goto" deprecated to remap it to "--goto" later
  - implemented "--goto" support, keyword is "realgoto"
  - don't default to policy if rule action is missing
  - support protocol modules
    * mh
    * udplite (sport, dport, mod multiport)
  - support netfilter modules:
    * connbytes
    * connlimit
    * u32
  - support netfilter targets:
    * CONNSECMARK
    * SECMARK
  - abort when there is an unrecognized command line option (reported by
    Han Holl)
  - import-ferm: don't generate NOP action before a block
  - import-ferm: quote array values
  - quote the ampersand


v1.2.5 - 14 Oct 2007
  - make --flush do something in fast mode (reported by Hans-Georg Bork)
  - fix automatic protocol modules when used in an expanded array
    (reported by Ralph Oesker)


v1.2.4 - 24 May 2007
  - support netfilter modules:
    * hashlimit
    * ipset (patch by Martin Schuster)
  - ignore empty lines in backticks result (reported by Martin Klozik)
  - the match module for protocol "icmpv6" is named "icmp6"
  - implemented basic hooks (suggested by Joerg Jaspert)
  - documentation:
    * targets CONNMARK


v1.2.3 - 14 Feb 2007
  - subchains may be named
  - don't copy module references to subchain (patch by Alex Metelka)
  - override variables on the command line with "--def"
  - auto-load modules only when their parameters are used
  - documentation:
    * targets MIRROR, NETMAP, NFQUEUE, NOTRACK, QUEUE


v1.2.2 - 15 Nov 2006
  - documentation:
    * warn against using iptables 1.2 with import-ferm
    * extended the transition section in the manpage
  - support netfilter modules: account
  - bugfix: don't clear variable value when used as parameter in
    multiport/destination-ports (reported by Bill Goudie)


v1.2.1 - 25 Sep 2006
  - bugfix: reset domains after all rules were parsed and don't forget to
    reset a table; this bug only affects users who run ferm on a remote
    machine
  - reset policy on all guessed built-in chains if no authoritative
    information about built-in chains is available
  - support netfilter modules: condition, fuzzy, hbh, hl, ipv6header, rt,
    quota, HL
  - extended module support
    * ah now supports the IPv6 options
  - added missing documentation
    * target ECN
    * match modules: dst, eui64, frag
  - disabled array after ttl-lt, ttl-gt
  - allow "length", "physdev", "tos" negation
  - translate sports, dports to source-ports, destination-ports in import-ferm
  - added the "--remote" option


v1.2 - 13 Sep 2006
  - import-ferm runs iptables-save if no input file is provided


v1.2beta2 - 9 Sep 2006
  - added --flush
  - added --shell which generates a shell script
  - don't check available netfilter modules
  - read iptables-save in initialize_netfilter()
  - option --location is deprecated, ferm now calls /sbin/iptables
  - whitespace fix in import-ferm
  - allow late chain/table specification again
  - set a second alarm in the confirmation dialog
  - enable rollback feature even in non-interactive mode


v1.2beta1 - 28 Aug 2006
  - perl strict mode
  - removed support for ipfwadm and ipchains
  - get a list of netfilter table names from /proc/net/ip_tables_names
  - error messages go to STDERR
  - full support for the match extensions: recent, comment, conntrack,
    addrtype, ah, owner, time, dscp, ecn, helper, iprange, iplimit, length,
    multiport, physdev, policy, realm, tcpmss, dst, frag
  - full support for the targets: BALANCE, CLASSIFY, CONNMARK, NETMAP, ROUTE,
    SNAT, TARPIT, NFQUEUE, SAME, DSCP
  - support the protocols: dccp, sctp
  - implemented variables and functions with 'def'
    * variables and functions are local to their containing block
  - stricter syntax checks, e.g.:
    * some built-in targets must be uppercase
    * only one target is allowed
    * target parameters are only recognized after the target name, protocol
      parameters only after the protocol match etc.
    * referenced variables must exist
    * list item negation is not possible
    * only ACCEPT and DROP are allowed as policy
    * tables and chains must be specified first
  - deprecated syntax:
    * using a policy as default target for a rule
    * target MASQ, use MASQUERADE instead
    * lower-case built-in chain names and targets
    * lists must be specified with parantheses and no commas (old syntax
      is deprecated, but still supported)
    * variables declared with 'set' and referenced with '%NAME'
    * many shortcuts like 'mac' and 'tosrc'
    * shortcuts without the dash like 'tcpflags' ('tcp-flags')
    * "option iptables"; only iptables is supported
    * source/destination
    * option automod
    * policy within a rule declaration
  - fixed the double-module bug
  - show filename and line number in error message
  - implemented the 'include' command
  - more shortcuts for command line options
  - better set-tos parameter parser
  - reimplemented backticks
  - reimplemented tokenizer and parser
  - escape shell parameters
  - warn about unused custom chains
  - ignore empty rules
  - options --clearall, --createchains are implied and deprecated
  - options --debug and --verbose are deprecated
  - reset all policies to ACCEPT
  - variables expansion happens within double quotes
  - implemented automatic variables: $TABLE, $CHAIN
  - IPv6/ip6tables support
  - raw table support
  - print line number when iptables reports an error
  - write error messages to STDERR
  - replaced the old samples with new ones
  - check which match and target modules are available
  - generate output iptables-save format when --fast is specified
  - semi-automatic sub chains with the 'subchain' keyword
  - support tcp-flags negation
  - added interactive mode


v1.1 - 5 May 2003
  - Removed 'mark' as possible target due to nameclash
  - Fixed typo in tos values with missing space
  - Added support for shell escapes
  - Updated manual page
  - Fixed bug with ! before variable lists
  - Added support for multiple variables inside a value
  - Changed variable character from '$' to '%' to allow system variables
  - Split up the pod stuff from the ferm source
  - Fixed word splitter to more a serious approach
  - Removed internal proxy variable, replaced with 'to' and 'toports' for clearity
  - Removed the 'relaxed' option, for it wasn't used at it's potential (once)
  - Added location option for the meek
  - Have ferm prescan input to look for the kernel program and location
  - Modified $(DOCDIR) to /usr/share/doc/ferm
  - Added debug (--debug or -d) parameter for even more output
  - Added --length,ttl, ttl[set|inc|dec] and ttl-[eq|lt|gt],
    --[every|counter|start|packet], --average, --pkt-type, --string
    --time[start|stop] and --days, ip-limit-[above|mask]
    --psd-[weight-threshold|delay-threshold|[lo|hi]-ports-weight]
    --to-[source|ports|destination], --set-ftos 
  - Added BALANCE, FTOS, SAME, TCPMSS targets and more
  - Fixed bug on log/goto combination (missing space) -debian bugs
  - Allow lists in set statements -debian bugs
  - Added several patches from misc sources (thanks everyone)
  - Cleaned up order of builtin targets (now alphabetically ordered)


v1.0pl8 - 13 july 2001
  - Fixed nonexistent parameter values for log-[ip|tcp]-...
  - Made keyword pattern matching strict, better for finding typo's
  - Added NOP action (for match-counting)
  - Added option automodule for automaticly loading correct modules
  - Fixed -m for mark in iptables mixo
  - Fixed relaxed matching tos values, still relaxed now though
  - Fixed mark missing as normal target
  - Added variable support
  - Updated manual page partly


v1.0pl7 - 21 may 2001
  - Added support for multiple modules


v1.0pl6 - 19 may 2001
  - Fixed wrongly flushing of chains
  - Fixed bug which infected policies already set
  - Updated manual to distinguish between 'log' and 'LOG'
  - Fixed lower case mismatching targets due to faulty
    substring expression matching
   

v1.0pl5 - 16 may 2001
  - Fixed policy keyword bug
  - Added consistency check for missing semicolons before
    section closing
  - Fixed flushall target for multiple tables
  - Reworked policy system to allow multiple policy settings for
    single chains
  - Changed syntax to allow "--state A,B", adapted "--tcp-flags"
    syntax to do exactly the same (see manual)


v1.0pl4 - 11 may 2001
  - Fixed order of TOS targets/params for iptables
  - Added correct flushing in combination with policy-setting only
  - Stripped trailing spaces on rule
  - Fixed a small grammar error in description
  - Removed SNAT and DNAT as valid policy targets
  - Added QUEUE, MARK, MIRROR and RETURN as valid (policy) targets
  - Added PRE/POSTROUTING chains as valid for policy
  - Added set-mark parameter, moved 'mark' in ipchains to 'setmark'
  - Added MASQUERADE <port/range> syntax for iptables


v1.0pl3 - 9 may 2001
  - Fixed DENY rule appearing uncapitalized


v1.0pl2 - 8 may 2001
  - Added support for SNAT and DNAT targets
  - Added support for the tcp-flags option


v1.0pl1 - 3 May 2001
  - Fixed redirection to host vs port in iptables section
  - Fixed chain clearing in all tables
  - Switched to Makefiles for install & uninstall script


v1.0 - 2 May 2001
  - Fixed iptables addr/port combination errors (iptables lacks
    ipchains shorthand method for this)
  - Removed 'reverse' for iptables (misses capability)
  - Added filter and nat cleaning for 'clearall' option
  - Major update on chain-administration in iptables


v0.0.18 - 18 Apr 2001
  - Fixed two minor bugs (typo/parm ordering)
  - Added ttl-* options for iptables
  - Fixed log-tcp-*, which don't want parameters
  - Return of default kernel program, now checked for at first rule
    generation moment. Default is ipchains (again)
  - Added PRE- and POSTROUTING targets for iptables


v0.0.17 - 19 Feb 2001
  - Added better literal string handling enclosed in quotes
  - Added "module" parameter for iptables
  - Added "LOG" target for iptables, the "log" option still works
    the old way, so "proto tcp log ACCEPT;" works fine
  - Fixed table parameter in clearing/policy/creation of chains
  - Added a special iptables example
  - Added support for "! syn" and "! fragment" syntax
  - Fixed fragment parameter bug


v0.0.16 - 12 Feb 2001
  - Fixed default ipchains option- removed the default kernel
    interface program
  - Fixed 5 iptables/ipchains copy-paste typo's


v0.0.15 - 7 Feb 2001
  - Added possibility of "" parameters including spaces and special
    characters, handy for 'log-prefix'
  - Fixed minor 'rejectt' bug
  - Added a realistic ferm config example
  - Fixed iptables log error (Klaus Lichtenwalder)


v0.0.14 - 28 Jan 2001
  - Fixed tos and set-tos parameter switches for iptables
  - Added install script
  - Updated manual page to reflect changes in 0.0.13
  - Fixed flushing/clearing in iptables


v0.0.13 - 10 Jan 2001
  - Improved iptables support: the following parameters:
    * table, out-interface, tcp-option, mac-source, limit, limit-burst,
     all owner-parameters, state, logging options, reject-with
  - Changed 'tos' into 'settos' to allow 'tos' matching in iptables
  - Implemented the ! operator, partly by John Auer


v0.0.12 - 8 Jan 2001
  - Fixed an incredibly stupid bug created in 0.0.11


v0.0.11 - 5 Jan 2001
  - Fixed a lot of silly bugs with the policy system (uc/lc, wrong
    targets)
  - Allows empty files


v0.0.10 - 4 Jan 2001
  - Policy can now be specified as a single statement, like
    "chain input policy ACCEPT;", allowing policies to be
    shut down and opened in the process of loading
  - Added the 'reverse' option
  - Fixed fqdn specification (Yannick Le Briquer)
  - Package contains man page in html


v0.0.9 - 14 Dec 2000
  - REDIRECT option corrected, you can now specify the port number
    that you are redirecting to (D. Bidwell)
  - Added basic iptables support
  - fixed typo error between 's' and 'd' for portspec
  - Updated manual page


v0.0.8 - 12 Dec 2000
  - initial release, features:
    * ipchains support
    * ipfwadm support
    * complete man page
    * examples