- Add `same_network_verdict` option to container-to-container configuration, enabling users to specify whether traffic between containers within the same network should be allowed or not.
- Replace library used to communicate with Docker (which also fixes #411).
  This release replaces the previously used library shiplift by bollard. This is not expected to have any impact on users of DFW.
- Build Docker images for multiple architectures: `amd64`, `arm64`, `arm/v7`.
  This is especially helpful for Raspberry Pi users, as they can now use the official Docker image instead of having to build the binary themselves.
  You can pull the image from Docker Hub (`pitkley/dfw:1.3.0`) or the GitHub Container Registry (`ghcr.io/pitkley/dfw:1.3.0`) for any of the mentioned architectures.

Internal changes: dependency updates, CI updates, bump minimum supported Rust version to 1.67.0 (from 1.46.0), bump to Rust edition 2021.
- Fix incorrect handling of host-ports in wider-world-to-container rules.
- Reintegrate the iptables-backend.
  This reintroduces an iptables-based firewall-backend (v1.0 initially dropped iptables-support), specifically the iptables-restore backend that was made available in v0.4+.
  The backend can be selected through the `--firewall-backend iptables` CLI parameter (`nftables` is the default).
- Make exposing containers via IPv6 configurable.
  You can now specify the `expose_via_ipv6` key within a wider-world-to-container rule to configure whether the service should be exposed via IPv6 or not (the default is `true`).
  (Please note that further requirements need to be fulfilled for exposing services via IPv6 to work, see here.)
- Ensure consistent behaviour regardless of whether `[global_defaults]` has been specified or not.
  Previously DFW showed different behaviour depending on whether `global_defaults` was specified or not, regardless of the actual content within the section (which was allowed to be empty). This release ensures that the same behaviour is maintained no matter if the section was defined or not.
- Don't exit DFW if there are no containers running (#243, thanks to @Georgiy-Tugai).
Internal changes: dependency updates, move CI entirely to GitHub Actions.
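As an added example (not taken from the DFW changelog or repository), the following configuration combines the `same_network_verdict`, `expose_via_ipv6`, source-CIDR filtering and `[global_defaults]` behaviour described in the entries above. Keys not named on this page (`external_network_interfaces`, `default_policy`, `network`, `dst_container`, `expose_port`, `source_cidr_v4`) are assumed to match the DFW README, and the interface, network and container names are constructed.

```toml
# Constructed example configuration; key names outside this changelog are
# assumed to follow the DFW README.

[global_defaults]
# Defining the section is optional: DFW now behaves identically whether
# or not it is present. Wider-world rules are applied on this interface.
external_network_interfaces = "eth0"

[container_to_container]
# Default-deny between containers ...
default_policy = "drop"
# ... but allow traffic between containers that share a Docker network,
# so no per-pair rule is needed for services on the same network.
same_network_verdict = "accept"

[wider_world_to_container]

[[wider_world_to_container.rules]]
network = "web"
dst_container = "reverse-proxy"
expose_port = [80, 443]
# Source filtering: only this constructed management range may reach the
# exposed ports (the IP-range restriction introduced with the nftables backend).
source_cidr_v4 = ["192.0.2.0/24"]
# Keep this service IPv4-only. The default is true, which also exposes it
# via IPv6 once the IPv6 prerequisites are in place.
expose_via_ipv6 = false

[[wider_world_to_container.rules]]
network = "web"
dst_container = "public-api"
expose_port = [8443]
# Explicitly opt in to IPv6 exposure for this service.
expose_via_ipv6 = true
```

Run DFW with `--firewall-backend iptables` to apply this through the reintegrated iptables-restore backend instead of the default nftables backend, and with `--dry-run` to review the generated rules without applying them.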
- Fix missing rule-validation causing incorrect rules to be created (#166, add063).
- Fix logic that applied a too coarse rule (#166, e4fb869).
Internal changes: dependency updates, upgraded shiplift from 0.3 to 0.6.
- Fix source-CIDR-filtering for wider-world-to-container rules.
Internal changes: dependency updates.
- Replaced all iptables-backends by an nftables backend.
- Added IPv6 support.
- You can now specify IP-ranges in wider-world-to-container rules, allowing you to restrict the source from which a service can be reached.
Internal changes: dependency updates.
- Added argument `--log-level` which allows you to specify the verbosity of DFW's logging.
- The `iptables-restore` backend now operates in flushing mode (033d27c).
- Removed the unnecessary `IPTablesProxy` struct (4e62ff2).
Internal changes: updated GitLab CI config, updated dependencies, updated tested Docker versions.
- Added argument `--iptables-backend` which allows selection of what backend to use: `iptables` (default), `iptables-restore`, `iptables-dummy` (same as `--dry-run`).
- Added `iptables-restore` as a new backend.
- Added example configurations.
- Extended/updated list of Docker versions tested.

Internal changes: updated GitLab CI config, cleaned up macros used, updated dependencies.
- Only process running containers by default.
- Fix DNAT rule generation.
- Added dry-run option to CLI.
- Added option to only process running containers.
Internal changes: split into binary and library, add testing infrastructure to perform integration tests against Docker, add a lot of unit tests.
- Small internal changes.
- Implement further features.
- Refactor configuration types.
- Extend documentation.
- Extend logging.
- Add missing licenses.
- Allow bursting of events.
- Refactor internal rule generation code.
- Add missing `iptables`/`ip6tables` binaries to Docker image.
- Add Docker event-monitoring.