4 version history for ferm
6 Max Kellermann <max@foo-projects.org>
7 Auke Kok <sofar@foo-projects.org>
10 v2.2.1 - not yet released
11 - new function @defined
12 - support netfilter match modules:
18 - support netfilter targets:
20 * CONNMARK: support set-xmark, nfmask, and-mark, or-mark, xor-mark
21 * NFQUEUE: support queue-balance, queue-bypass, queue-cpu-fanout
22 - recognize BROUTING as built-in chain (for ebtables)
23 - check exit status of included shell commands
25 * fixed wrongly used quotation marks in piped @include example
28 - support netfilter modules:
31 - automatically apply @ipfilter on dual-stack config
35 - support netfilter modules:
37 - updated netfilter modules:
38 * hashlimit: allow list after hashlimit-mode
39 - fix functions containing mixed domains
40 - check function parameter types
41 - allow policy QUEUE and RETURN
42 - support setting policy of non-builtin chains
46 - updated netfilter modules:
47 * conntrack: support ctorigsrcport, ctorigdstport
48 - new netfilter modules:
50 - allow folding @resolve value into a string
54 - new functions @basename, @dirname, @ipfilter
55 - add automatic variables $FILENAME, $LINE
56 - updated netfilter modules:
57 * pkg-type: support negation
58 * set: "--match set" support for newer iptables
59 - updated ebtables support:
60 * use per-protocol options
61 * add support for -p ARP --arp-gratuitous
62 * support abbreviations in arguments
63 * add support for matching IPv6
64 * add support for "among" match
65 * add support for the "limit" match
66 - honor --noflush in fast mode
67 - discard previous specifications when @if fails
68 - use the --domain argument as the default domain
69 - keep track of line numbers within custom function calls
73 - updated netfilter modules:
74 * state: support negation
75 * icmp: translate "icmp-type" to "icmpv6-type" in domain "ip6"
76 - add functions @cat, @substr, @length
77 - subchain names can now be expanded
78 - import-ferm: support empty string parameters
82 - added automatic variable $DIRNAME
83 - implement confirmation/rollback for --shell --interactive
84 - added the "type" parameter to @resolve()
85 - new functions @eq, @ne, @not
86 - updated netfilter modules:
87 * ebtables/snat: support --snat-arp
88 - add parameter --timeout for rollback
92 - fix post and flush hooks with --lines
93 - always prefix the negation operator
94 - updated netfilter modules:
95 * addrtype: support negation and --limit-iface-{in,out}
96 * conntrack: support negation and --ctdir
97 * owner: support negation and --socket-exists
98 * policy: support negation
102 - support negation in mark/connmark
103 - support negation in set
104 - added automatic variable $FILENAME
105 - allow @subchain as the first keyword in a closure
106 - don't allow semicolon after empty rule
107 - enable @include to run a program
108 - removed superfluous tokens from error message
109 - create a new stack frame for @subchain (fixes $CHAIN)
113 - detect double negation
114 - improved detection of negated arrays
115 - ignore dpkg's backup/temporary files on @include
116 - renamed "hook" to "@hook"
117 - disable "pre" and "post" hooks with --flush
118 - added "flush" hooks
122 - enable policy-only domains (no rules, just policy declarations)
123 - don't list custom chains in --flush --fast mode
127 - create chains and subchains even if they are empty
128 - fix includes within a rule ("Missing semicolon...")
129 - fix subchain in include ("Died at [...] line 1493")
130 - "protocol" is an alias for "proto", to fix the keyword conflict with
135 - allow duplicate specification of "table" and "chain", for better
136 1.3.x compatibility. Support for this will be removed in a later
137 release. This does not apply to "domain".
141 - generate "COMMIT" lines when flushing in fast mode
142 - don't hard-code the path of iptables-save
143 - install manpages in PREFIX/share/man
147 - don't hard code built-in match modules
148 - support for arptables and ebtables
149 - removed support for deprecated ferm 1.1 syntax
150 - removed the "set" and the "option" keyword
151 - removed support for array-in-string
152 - cleared the deprecated keyword translation table
153 - removed TOS parameter shortcuts
154 - don't default to policy if no action is specified
155 - don't allow lower case built-in chain or policy names
156 - removed --automod, --use, --clearall, --flushall, --flushchains,
157 --createchains, --location, --debug, --verbose
158 - comma in array is forbidden
159 - removed "source" and "destination" as prefix for "addr" and "port"
160 - don't allow match rules before and after "policy"
161 - removed support for deprecated netfilter modules
165 - rewrote the internal rule storage
166 - honor the order of match modules
167 - import-ferm rewrite
168 - use module data from ferm
169 - write policy in chain block
170 - do not generate implicit protocol modules
171 - do not allow targets options after "jump"
172 - fixed rollback when there is no iptables-save
173 - enable fast mode by default, can be disabled with --slow
177 - don't ignore unknown keywords after target (reported by Kai
179 - don't include hidden files (reported by Florian Reitmeir)
183 - fixed single quote escaping
184 - escape empty strings
185 - reset module list after semicolon handler (reported by Ralph Oesker)
186 - import-ferm: ignore the position of the negation marker; this allows us
187 to parse invalid save files generated by iptables-save (reported by
189 - fixed REDIRECT example in the manual
193 - updated netfilter modules:
194 * recent: support --rsource, --rdest
195 * time: support --monthday, --weekdays, --utc, --localtz
196 * u32: suport negated --u3
197 * DNAT: support --random
198 * MARK: support --set-xmark, --and-mark, --or-mark, --xor-mark
199 * MASQUERADE: support --random
200 * REDIRECT: support --random
201 * SNAT: support --random
202 * TOS: support --and-tos, --or-tos, --xor-tos
203 - check if chain was specified before @subchain
204 - suppress "not declared" warnings on empty custom chains
208 - bugfix: emit "--proto" instead of "--protocol" for xt_policy "proto"
209 - bugfix: handle array after DNAT/to-destination correctly
210 - target options cannot have arrays by default
211 - support netfilter modules:
214 - support netfilter targets:
215 * CLASSIFY (documentation)
218 * SAME (--random, documentation)
222 - require IO::Handle, this fixes the interactive mode
223 - configure test mode properly when running on microperl
227 - reserve tokens starting with "@" as ferm keywords
228 - implemented conditionals with @if/@else
229 - added @include/@def/@subchain as alias to include/def/subchain
230 - redirect STDOUT into STDERR --shell mode; this way, iptables warnings
231 are separated from the ferm shell script output
232 - microperl compatiblity:
233 - don't require strict.pm / vars.pm
235 - added simple Getopt::Long emulation
236 - look for iptables in PATH
237 - added function @resolve which resolves host names to IPv4 addresses
238 - import-ferm supports ip6tables-save files
239 - support "proto icmp" in the ip6 domain
240 - make "goto" deprecated to remap it to "--goto" later
241 - implemented "--goto" support, keyword is "realgoto"
242 - don't default to policy if rule action is missing
243 - support protocol modules
245 * udplite (sport, dport, mod multiport)
246 - support netfilter modules:
250 - support netfilter targets:
253 - abort when there is an unrecognized command line option (reported by
255 - import-ferm: don't generate NOP action before a block
256 - import-ferm: quote array values
257 - quote the ampersand
261 - make --flush do something in fast mode (reported by Hans-Georg Bork)
262 - fix automatic protocol modules when used in an expanded array
263 (reported by Ralph Oesker)
267 - support netfilter modules:
269 * ipset (patch by Martin Schuster)
270 - ignore empty lines in backticks result (reported by Martin Klozik)
271 - the match module for protocol "icmpv6" is named "icmp6"
272 - implemented basic hooks (suggested by Joerg Jaspert)
278 - subchains may be named
279 - don't copy module references to subchain (patch by Alex Metelka)
280 - override variables on the command line with "--def"
281 - auto-load modules only when their parameters are used
283 * targets MIRROR, NETMAP, NFQUEUE, NOTRACK, QUEUE
288 * warn against using iptables 1.2 with import-ferm
289 * extended the transition section in the manpage
290 - support netfilter modules: account
291 - bugfix: don't clear variable value when used as parameter in
292 multiport/destination-ports (reported by Bill Goudie)
296 - bugfix: reset domains after all rules were parsed and don't forget to
297 reset a table; this bug only affects users who run ferm on a remote
299 - reset policy on all guessed built-in chains if no authoritative
300 information about built-in chains is available
301 - support netfilter modules: condition, fuzzy, hbh, hl, ipv6header, rt,
303 - extended module support
304 * ah now supports the IPv6 options
305 - added missing documentation
307 * match modules: dst, eui64, frag
308 - disabled array after ttl-lt, ttl-gt
309 - allow "length", "physdev", "tos" negation
310 - translate sports, dports to source-ports, destination-ports in import-ferm
311 - added the "--remote" option
315 - import-ferm runs iptables-save if no input file is provided
318 v1.2beta2 - 9 Sep 2006
320 - added --shell which generates a shell script
321 - don't check available netfilter modules
322 - read iptables-save in initialize_netfilter()
323 - option --location is deprecated, ferm now calls /sbin/iptables
324 - whitespace fix in import-ferm
325 - allow late chain/table specification again
326 - set a second alarm in the confirmation dialog
327 - enable rollback feature even in non-interactive mode
330 v1.2beta1 - 28 Aug 2006
332 - removed support for ipfwadm and ipchains
333 - get a list of netfilter table names from /proc/net/ip_tables_names
334 - error messages go to STDERR
335 - full support for the match extensions: recent, comment, conntrack,
336 addrtype, ah, owner, time, dscp, ecn, helper, iprange, iplimit, length,
337 multiport, physdev, policy, realm, tcpmss, dst, frag
338 - full support for the targets: BALANCE, CLASSIFY, CONNMARK, NETMAP, ROUTE,
339 SNAT, TARPIT, NFQUEUE, SAME, DSCP
340 - support the protocols: dccp, sctp
341 - implemented variables and functions with 'def'
342 * variables and functions are local to their containing block
343 - stricter syntax checks, e.g.:
344 * some built-in targets must be uppercase
345 * only one target is allowed
346 * target parameters are only recognized after the target name, protocol
347 parameters only after the protocol match etc.
348 * referenced variables must exist
349 * list item negation is not possible
350 * only ACCEPT and DROP are allowed as policy
351 * tables and chains must be specified first
353 * using a policy as default target for a rule
354 * target MASQ, use MASQUERADE instead
355 * lower-case built-in chain names and targets
356 * lists must be specified with parantheses and no commas (old syntax
357 is deprecated, but still supported)
358 * variables declared with 'set' and referenced with '%NAME'
359 * many shortcuts like 'mac' and 'tosrc'
360 * shortcuts without the dash like 'tcpflags' ('tcp-flags')
361 * "option iptables"; only iptables is supported
364 * policy within a rule declaration
365 - fixed the double-module bug
366 - show filename and line number in error message
367 - implemented the 'include' command
368 - more shortcuts for command line options
369 - better set-tos parameter parser
370 - reimplemented backticks
371 - reimplemented tokenizer and parser
372 - escape shell parameters
373 - warn about unused custom chains
375 - options --clearall, --createchains are implied and deprecated
376 - options --debug and --verbose are deprecated
377 - reset all policies to ACCEPT
378 - variables expansion happens within double quotes
379 - implemented automatic variables: $TABLE, $CHAIN
380 - IPv6/ip6tables support
382 - print line number when iptables reports an error
383 - write error messages to STDERR
384 - replaced the old samples with new ones
385 - check which match and target modules are available
386 - generate output iptables-save format when --fast is specified
387 - semi-automatic sub chains with the 'subchain' keyword
388 - support tcp-flags negation
389 - added interactive mode
393 - Removed 'mark' as possible target due to nameclash
394 - Fixed typo in tos values with missing space
395 - Added support for shell escapes
396 - Updated manual page
397 - Fixed bug with ! before variable lists
398 - Added support for multiple variables inside a value
399 - Changed variable character from '$' to '%' to allow system variables
400 - Split up the pod stuff from the ferm source
401 - Fixed word splitter to more a serious approach
402 - Removed internal proxy variable, replaced with 'to' and 'toports' for clearity
403 - Removed the 'relaxed' option, for it wasn't used at it's potential (once)
404 - Added location option for the meek
405 - Have ferm prescan input to look for the kernel program and location
406 - Modified $(DOCDIR) to /usr/share/doc/ferm
407 - Added debug (--debug or -d) parameter for even more output
408 - Added --length,ttl, ttl[set|inc|dec] and ttl-[eq|lt|gt],
409 --[every|counter|start|packet], --average, --pkt-type, --string
410 --time[start|stop] and --days, ip-limit-[above|mask]
411 --psd-[weight-threshold|delay-threshold|[lo|hi]-ports-weight]
412 --to-[source|ports|destination], --set-ftos
413 - Added BALANCE, FTOS, SAME, TCPMSS targets and more
414 - Fixed bug on log/goto combination (missing space) -debian bugs
415 - Allow lists in set statements -debian bugs
416 - Added several patches from misc sources (thanks everyone)
417 - Cleaned up order of builtin targets (now alphabetically ordered)
420 v1.0pl8 - 13 july 2001
421 - Fixed nonexistent parameter values for log-[ip|tcp]-...
422 - Made keyword pattern matching strict, better for finding typo's
423 - Added NOP action (for match-counting)
424 - Added option automodule for automaticly loading correct modules
425 - Fixed -m for mark in iptables mixo
426 - Fixed relaxed matching tos values, still relaxed now though
427 - Fixed mark missing as normal target
428 - Added variable support
429 - Updated manual page partly
432 v1.0pl7 - 21 may 2001
433 - Added support for multiple modules
436 v1.0pl6 - 19 may 2001
437 - Fixed wrongly flushing of chains
438 - Fixed bug which infected policies already set
439 - Updated manual to distinguish between 'log' and 'LOG'
440 - Fixed lower case mismatching targets due to faulty
441 substring expression matching
444 v1.0pl5 - 16 may 2001
445 - Fixed policy keyword bug
446 - Added consistency check for missing semicolons before
448 - Fixed flushall target for multiple tables
449 - Reworked policy system to allow multiple policy settings for
451 - Changed syntax to allow "--state A,B", adapted "--tcp-flags"
452 syntax to do exactly the same (see manual)
455 v1.0pl4 - 11 may 2001
456 - Fixed order of TOS targets/params for iptables
457 - Added correct flushing in combination with policy-setting only
458 - Stripped trailing spaces on rule
459 - Fixed a small grammar error in description
460 - Removed SNAT and DNAT as valid policy targets
461 - Added QUEUE, MARK, MIRROR and RETURN as valid (policy) targets
462 - Added PRE/POSTROUTING chains as valid for policy
463 - Added set-mark parameter, moved 'mark' in ipchains to 'setmark'
464 - Added MASQUERADE <port/range> syntax for iptables
468 - Fixed DENY rule appearing uncapitalized
472 - Added support for SNAT and DNAT targets
473 - Added support for the tcp-flags option
477 - Fixed redirection to host vs port in iptables section
478 - Fixed chain clearing in all tables
479 - Switched to Makefiles for install & uninstall script
483 - Fixed iptables addr/port combination errors (iptables lacks
484 ipchains shorthand method for this)
485 - Removed 'reverse' for iptables (misses capability)
486 - Added filter and nat cleaning for 'clearall' option
487 - Major update on chain-administration in iptables
490 v0.0.18 - 18 Apr 2001
491 - Fixed two minor bugs (typo/parm ordering)
492 - Added ttl-* options for iptables
493 - Fixed log-tcp-*, which don't want parameters
494 - Return of default kernel program, now checked for at first rule
495 generation moment. Default is ipchains (again)
496 - Added PRE- and POSTROUTING targets for iptables
499 v0.0.17 - 19 Feb 2001
500 - Added better literal string handling enclosed in quotes
501 - Added "module" parameter for iptables
502 - Added "LOG" target for iptables, the "log" option still works
503 the old way, so "proto tcp log ACCEPT;" works fine
504 - Fixed table parameter in clearing/policy/creation of chains
505 - Added a special iptables example
506 - Added support for "! syn" and "! fragment" syntax
507 - Fixed fragment parameter bug
510 v0.0.16 - 12 Feb 2001
511 - Fixed default ipchains option- removed the default kernel
513 - Fixed 5 iptables/ipchains copy-paste typo's
517 - Added possibility of "" parameters including spaces and special
518 characters, handy for 'log-prefix'
519 - Fixed minor 'rejectt' bug
520 - Added a realistic ferm config example
521 - Fixed iptables log error (Klaus Lichtenwalder)
524 v0.0.14 - 28 Jan 2001
525 - Fixed tos and set-tos parameter switches for iptables
526 - Added install script
527 - Updated manual page to reflect changes in 0.0.13
528 - Fixed flushing/clearing in iptables
531 v0.0.13 - 10 Jan 2001
532 - Improved iptables support: the following parameters:
533 * table, out-interface, tcp-option, mac-source, limit, limit-burst,
534 all owner-parameters, state, logging options, reject-with
535 - Changed 'tos' into 'settos' to allow 'tos' matching in iptables
536 - Implemented the ! operator, partly by John Auer
540 - Fixed an incredibly stupid bug created in 0.0.11
544 - Fixed a lot of silly bugs with the policy system (uc/lc, wrong
550 - Policy can now be specified as a single statement, like
551 "chain input policy ACCEPT;", allowing policies to be
552 shut down and opened in the process of loading
553 - Added the 'reverse' option
554 - Fixed fqdn specification (Yannick Le Briquer)
555 - Package contains man page in html
559 - REDIRECT option corrected, you can now specify the port number
560 that you are redirecting to (D. Bidwell)
561 - Added basic iptables support
562 - fixed typo error between 's' and 'd' for portspec
563 - Updated manual page
567 - initial release, features: