firehol (3.1.8) - 2025-03-15

  * Update-Ipsets

    - Remove some dead lists
    - Handle ipsets temporarily locked by another process with retrys

  * Common

    - Update github actions to latest versions
    - Fix deprecated environment use

firehol (3.1.7) - 2020-12-31

  * FireHOL
    - Fix dhcpv6 example to say dhcpv6 #438
    - blacklist - add "nolog" option
    - blacklist - reject with tcp-reset for outbound TCP connections
    - firehol.service - Use `firehol start` for  ExecReload=
    - Don't drop icmpv6 rules with FIREHOL_RULESET_MODE optimal #372

  * FireQos
    - workaround for cases where "-ifb" name gets truncated
    - Fix for low-res timer check on openwrt

  * Common
    - Replace Travis with Github actions
    - Various typo fixes
    - Print unit test names as we run them
    - Unit test fixes for Ubuntu 20.20 output differences

firehol (3.1.6) - 2018-08-13

  * FireHOL

    - Boot startup fix #260
    - docker_bridge helper #114
    - Allow newer iptables #264
    - Log blocked/dropped packets in synproxy, mac, connlimit, fragments, ...
    - Fix wait for netfilter ready when using namespaces
    - Fast activation fixes #272
    - Allow matching DSCP CS0; fixes #288
    - Moved service definitions out of firehol / fireqos into separate files
    - Allow DROP_INVALID with any action (e.g. REJECT)
    - Add option FIREHOL_ACCEPT_OUTPUT_UNMATCHED_TCP_RST

  * FireQOS

    - Fix status to works with newer iproute; fixes #317
    - Update sample service definition to start after network #315

  * Link-Balancer

    - linkdown: routes cannot be added or deleted whilst marked invalid #211

  * Update-Ipsets

    - Various fixes, including #266 #265
    - List additions, updates and removals
    - Minor enhancements

 * Common

    - Fix parallel builds #255
    - Harden unit tests against tool output changes

firehol (3.1.5) - 2017-09-17

  * FireHOL

    - Fix some links in documentation

  * FireQOS

    - Insert a rawmark mask if none specified

  * Update-Ipsets

    - Support serving ipset files from local web server
    - Lower pressure on github

firehol (3.1.4) - 2017-08-20

  * FireHOL

    - Google hangouts port range fix #235
    - Fix hashlimit option names #223
    - Documentation improvements, marks #184 and cthelper #94
    - Allow negating interface in blacklist #143

  * FireQOS

    - DSCP match fixes #248
    - TCP match fix #249
    - Improve docs on using act_connmark to match ingress marked traffic #231

  * Update-Ipsets

    - Added various lists, removed discontinued ones
    - Include URL in user agent string in #217
    - Relax umask to allow stats collection by netdata #221


firehol (3.1.3) - 2017-02-17

  * FireHOL

    - Be more strict when detecting address ranges

      Fixes #199 where hostnames such as x-2.example.com are incorrectly
      identified as ranges.

  * Common

    - Create relative links to binaries, which prevents errors when
      installing with DESTDIR other than /

      Fix for #178 and #201 proposed by @kneeke

firehol (3.1.2) - 2017-02-05

  * FireHOL
    - Include user policies in chains before handling orphans. Fixes NFS
      client where FIREHOL_DROP_ORPHAN_TCP_* options are in force.

    - Do not allow server/client statements without any effect on the
      firewall; #193

    - Saved firewall contents made reproducible by always zeroing counters
      and removing the dates from comments

  * FireQOS

    - Example had an ambiguous shebang which has been removed

  * Common

    - Running "make check" now exits non-zero if a test failed or none ran

    - Various copyright updates

    - Fixed pull requests from external repositories; these would previously
      fail to build on Travis

firehol (3.1.1) - 2017-01-10

  * FireHOL
    - Accept correctly spelled keyword stateful as well as statefull
      to match documentation

  * VNetBuild
    - drop ksh support (bash is preferred and required by other programs)

  * Common
    - drop ksh detection from configure script

  * Update-Ipsets
    - added urandom.us.to list
    - added dataplane.org SIP Invitation and SIP Registration feeds

firehol (3.1.0) - 2016-11-28

  * Common
    - Rework installation to make full use of autoconf results in all
      programs
    - Enabled unit tests on "make check", provided the user has
      unprivileged user namespaces enabled.

  * FireHOL
    - Option to disable wizard (reduces required tools slightly) and
      other fixes for small systems e.g. OpenWRT
    - Emit help in syslog on failure if we are running with no terminal
      since otherwise when running via systemd a user cannot see full error.
    - Deprecated service ipv6error, not needed since 3.0.0. Moved ICMPv6
      RELATED matching earlier to stop user accidentally preventing them.

  * VNetBuild
    - improve graphviz output

firehol (3.0.2) - 2016-11-22

  * FireHOL
    - Fix transparent_proxy IPV6 output #164
    - sysctl commands for synproxy, did not specify read or write operation
    - added manual page for cthelper
    - added connlimit to blacklist and iptrap
    - added stateful option to blacklist
    - FIREHOL_DROP_ORPHAN_TCP_ACK_FIN fixed to match only ACK+FIN
    - FIREHOL_DROP_ORPHAN_TCP_ACK_RST added
    - FIREHOL_DROP_ORPHAN_TCP_ACK added
    - FIREHOL_DROP_ORPHAN_TCP_RST added
    - FIREHOL_DROP_ORPHAN_IPV4_ICMP_TYPE3 (orphan destination unreachable)
    - added the word BLOCKED to the log messages of INVALID packets dropped

  * FireQOS
    - experimental ematch support #125
    - new functions #113

  * VNetBuild
    - fix for not detecting running vhosts
    - added command comments on status output

  * Link-Balancer
    - Detect if ping -6 should be used #126

  * Update-IPsets
    - Various feed additions and fixes

  * Common
    - Fix commit hook regex for newer perl
    - Documentation fixes

firehol (3.0.1) - 2016-01-10

  * FireHOL
    - Add ipv6mld to simplify enabling Multicast Listener Discovery
      protocol, required on networks which do multicast snooping.
    - Update the example to make it more likely to work copy-pasted,
      include MLD

  * VNetBuild
    - Add pre_up to run commands immediately before an interface is started

  * Common
    - Packaging fixes
    - Command detection fix for :

firehol (3.0.0) - 2015-12-20

  * FireQOS
    - Bidirectional fixes
    - accept DSCP parameters case insensitive
    - allow matching within GRE packets
    - use configured firehol config directory

  * Update-Ipsets
    - added jigsaw lists

firehol (3.0.0-rc.4) - 2015-11-28

  * Rework packaging
    - Simplify version number handling
    - Common functions moved to a file in lib
    - Allow disabling IPv4/IPv6 at configure time
    - Allow disabling any unwanted tools
    - Allow disabling manpages and/or docs
    - Honour configure script setting for AUTOSAVE and others
    - All commands detected via configure, used via variables
      Incuding new 'iprange' tool https://github.com/firehol/iprange/releases

  * FireHOL
    - Fixes to DSCP class
    - added protection *connlimit* and *connrate*; removed default mask
      from parameter connlimit
    - added rule option *connlog* to only log the first packet of connections
      added *hashlimit* with all its options
    - most actions now accept the keywork *with* which also supports
      *with connlimit* and *with hashlimit*
    - use iprange --diff mode for comparing ipset versions

  * FireQOS
    - fail if DSCP and TOS match have been specified at the same time
    - various fixes

  * VNetBuild
    - Eliminate dependency on brctl

  * Update-Ipsets
    - Promoted from contrib
    - Various improvements

firehol (3.0.0-rc.3) - 2015-10-10

  * Common
    - ipset fixes
    - require pandoc 1.12.2.1 and use its features
    - iprove contents page in documentation

  * FireHOL updates
    - made STOP mode exit successfully
    - add support for restore when specifying a filename on the command line
    - allow multiple "except" rules in statements that accept the keyword
    - disabled spinner in explain mode
    - add support for comma as an ipset IP separator
    - tproxy now uses markdef() to allocate a mark
    - save marks.conf only after successful firewall activation
    - drop requirement for awk (other programs still use it)
    - add log() and loglimit() helpers to allow logging from ipsets globally
    - prevented backup of all the ipsets in memory - it takes too long
      when the system has many ipsets installed
    - rewrote the ipsets functionality so that:s
      - it optimizes netsets with iprange if present
      - it adapts the maxelem parameter for the updated ipset so that
        updating ipsets with big incremental updates does not fail
      - maintains compatibility with older ipset versions
        (side-effect: calling an ipset update without restarting the
         firewall now only support ipsets that are used in firehol.conf)
      - if iprange is present, processing of ipsets is a lot faster

  * FireQOS updates
    - add ability to stop QoS on a specific device
    - fix for ERROR columns on some tc versions
    - max/ceil % is now relative to parent's ceiling rate
      (it was by mistake to parent's base rate)
    - warn if a class takes priority outside the valid ranges of HTB (0-7)
    - switched default color from blue to green

  * Link-Balancer updates
    - add wrappers for rawmark() and custommark()
    - when a table was already up to date but other depend on it,
      it was failing #78
    - fix issue when specifying loop and timeout #77

  * Contrib (ipsets scripts)
    - various fixes and lists added
    - support aggregate to optimize netsets
    - support syslog logging
    - add iprange program, various enhancements over original

  * VNetBuild updates
    - Added

firehol (3.0.0-rc.2) - 2015-03-14

  * Common
    - Added --disable-doc to configure script to stop the installation
      of PDF and HTML versions of documentation
    - Start to bring documentation in line
    - Disable colour on non-terminals

  * FireHOL updates
    - Added synproxy support
    - Services "all" and "any" are now simple services. Service "all" now
      has multiple helpers, thus eliminating the need for ALL_SHOULD_ALSO_RUN.
    - Fix REJECT action by accepting RELATED TCP ACK,RST packets appropriately
    - Fix empty firewall case
    - Added state NEW to masquerade
    - Fix to ensure the final firewall close code emits as both ipv4 and ipv6
      where appropriate even if only ipv4 or ipv6 was used for the final
      interface/router
    - Added action type "sockets_suspects_trap"
    - iptrap now creates the trap if it is not already created
    - Eliminate a warning for kernels prior to 3.5
    - NAT now supports balancing multiple IPs or ports on all NAT modes
    - NAT now supports keyword "at" to specify the chain to be attached to
    - Optimise multi-port matching rules

  * FireQOS updates
    - Optimisations
    - Create FIREQOS_INTERFACE_DEFAULT_CLASSID (8000), FIREQOS_MATCHES_STEP
    - Fixed monitor mode

  * Link-Balancer updates
    - Fix to stop ignoring fallback gateways
    - Use "traceroute -6" not "traceroute6"

firehol (3.0.0-rc.1) - 2015-02-15

  * Performance improvements
    - Both the script and resulting firewalls are faster
    - Choose original complete bi-directional or even faster runtime matching

  * New firewall features
    - ipset support and management
    - IDS and port knocking with traps
    - multiple mark definitions
    - conntrack helpers
    - experimental tproxy support
    - separate default settings file

  * Introduction of link-balancer script
