Release Notes
Management
- Introduce a new ACL engine based on Rego (Open Policy Agent) for firewall control
- Personal access tokens generation as a first iteration toward public API release
- Add Keycloak support as an IDP manager
Agent
- Introduce a Firewall interface to apply granular access control (e.g., connection direction, port, or protocol level)
- Make the agent run on Android (mobile support)
Changelog
- Feat rego default policy
- Don't drop Rules from file storage after migration to Policies
- Add version info command to signal server
- Feat firewall controller interface
- Adding Personal Access Token generation
- Exchange proxy mode via signal
- Fix connstate indication
- Mobile
- PAT persistence
- Add Keycloak Idp Manager
- Adjustments for the change server flow
- Disable peer expiration of peers added with setup keys
- Add JWT middleware validation failure log
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
- Update haproxy PKG_VERSION and PKG_HASH
- This release includes a fix for an OOB write. The official notes
do not list a CVE entry but I guess there is a chance for
security implications
- See changes: http://git.haproxy.org/?p=haproxy-2.6.git;a=shortlog
Signed-off-by: Christian Lachner <gladiac@gmail.com>
* raise max. timeouts from 10 to 30 seconds to stabilize the autodetection on slow hardware
* made interface trigger action configurable, set 'ban_triggeraction' accordingly (default: 'start')
* made E-Mail notifications configurable to receive status E-Mais with every banIP run,
set 'ban_mailnotification' accordingly (default: disabled)
* small fixes & optimizations
* readme update
Signed-off-by: Dirk Brenken <dev@brenken.org>
* fix cornercase issue with duplicate entries in black- and whitelist
* change cpbl source URL
* firewall redirects now blocks IPv4 and IPv6 (set family to "any")
Signed-off-by: Dirk Brenken <dev@brenken.org>
We need the host build of swig only.
And the binding uses libgensiocpp - not the plain
C library, so fix the dependency.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
zerotier as default has executable stack.
[ 11.343143] process '/usr/bin/zerotier-one' started with executable stack
executable stacks are not recommend, possibly provide a threat and there
seems to be no advantage of executable stack with zerotier-one - so let's
build it without instead.
Stack is executable on x86_64, but not on all archs, such as ramips.
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
- changed Config.in to enable unix sockets support by default
- release number bumped
Description:
socket support is very handy when communicating with
various REST APIs.
Size increases are very small, nearly unnoticiable.
Tested-by: Stan Grishin <stangri@melmac.ca>
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
* move network.sh and jshn.sh includes into load_validate_config function
to prevent errors when adding the package to image with the Image Builder
* add @bongochong compressed domains block-list to the config
Signed-off-by: Stan Grishin <stangri@melmac.ca>
- Explicitly request the C++11 standard (codebase is not C++17 compliant).
- Removed categories.json from conffiles -- it's not a configuration
file.
- Removed commented-out convenience git hash place-holder -- for some
reason it irritates people.
- Added radix header file to devel files.
- Removed redundant call to Build/Configure (not needed).
Co-authored-by: Tianling Shen <cnsztl@gmail.com>
Signed-off-by: Darryl Sokoloski <darryl@sokoloski.ca>
* fix the auto-detection for pppoe and 6in4 tunnel interfaces
* add the new 'ban_nftpolicy' option to expose the nft set policy, values: memory (default), performance
* add the new 'ban_nftlogevel' option to expose the nft syslog level, values: emerg, alert, crit, err, warn (default),
notice, info, debug, audit
* status optimizations
* logging optimizations
* update the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
