Releases: pitkley/dfw

v1.3.0

07 Jan 12:29
1.3.0
8b53569

Summary

A new same_network_verdict option was added to the container-to-container configuration, enabling you to specify whether traffic between containers within the same network should be allowed or not.

Additionally, the pre-built Docker image now supports arm64 and armv7 (specifically armhf) in addition to amd64. This means you can now pull and use the Docker image on e.g. your Raspberry Pis!

You can upgrade from version 1.2.1 and 1.2.0 without further considerations, i.e. you don't have to change anything in your config. If you are upgrading from an earlier version, consult the release notes for version 1.2.0; the upgrade considerations described there apply to version 1.3.0 as well.

Changes

1.3.0 (2024-01-07)

  • Add same_network_verdict option to container-to-container configuration, enabling users to specify whether traffic between containers within the same network should be allowed or not.

  • Replace library used to communicate with Docker (which also fixes #411).

    This release replaces the previously used library shiplift by bollard.
    This is not expected to have any impact on users of DFW.

  • Build Docker images for multiple architectures: amd64, arm64, arm/v7.

    This is especially helpful for Raspberry Pi users, as they can now use the official Docker image instead of having to build the binary themselves.

    You can pull the image from Docker Hub (pitkley/dfw:1.3.0) or the GitHub Container Registry (ghcr.io/pitkley/dfw:1.3.0) for any of the mentioned architectures.

Internal changes: dependency updates, CI updates, bump minimum supported Rust version to 1.67.0 (from 1.46.0), bump to Rust edition 2021.

Installation

While you can use Cargo to install dfw as a binary, using the Docker image is the preferred way to go, especially if you don't want to install Rust and Cargo on your host:

$ docker pull pitkley/dfw:1.3.0
$ docker run -d \
      --name=dfw \
      --restart=unless-stopped \
      -v /var/run/docker.sock:/var/run/docker.sock:ro \
      -v /path/to/your/config:/config \
      --net host --cap-add=NET_ADMIN \
      pitkley/dfw:1.3.0 --config-path /config

This will download a lightweight image, coming in at around 20 MB, and subsequently run it using your configuration.
The image supports multiple architectures: amd64, arm64, armv7 (specifically armhf).

v1.3.0-rc.2

07 Jan 11:56
1.3.0-rc.2
e1a1b61
Pre-release

Summary

A new same_network_verdict option was added to the container-to-container configuration, enabling you to specify whether traffic between containers within the same network should be allowed or not.

Additionally, the pre-built Docker image now supports arm64 and armv7 (specifically armhf) in addition to amd64.
This means you can now pull and use the Docker image on e.g. your Raspberry Pis!

You can upgrade from version 1.2.1 and 1.2.0 without further considerations. If you are upgrading from an earlier version, consult the release notes for version 1.2.0; the upgrade considerations described there apply to version 1.3.0 as well.

Changes

  • Add same_network_verdict option to container-to-container configuration, enabling users to specify whether traffic between containers within the same network should be allowed or not.

  • Replace library used to communicate with Docker (which also fixes #411).

    This release replaces the previously used library shiplift by bollard.
    This is not expected to have any impact on users of DFW.

  • Build Docker images for multiple architectures: amd64, arm64, arm/v7.

    This is especially helpful for Raspberry Pi users, as they can now use the official Docker image instead of having to build the binary themselves.

    You can pull the image from Docker Hub (pitkley/dfw:1.3.0) or the GitHub Container Registry (ghcr.io/pitkley/dfw:1.3.0) for any of the mentioned architectures.

Internal changes: dependency updates, CI updates, bump minimum supported Rust version to 1.67.0 (from 1.46.0), bump to Rust edition 2021.

Installation

While you can use Cargo to install dfw as a binary, using the Docker image is the preferred way to go, especially if you don't want to install Rust and Cargo on your host:

$ docker pull pitkley/dfw:1.3.0-rc.2
$ docker run -d \
      --name=dfw \
      --restart=unless-stopped \
      -v /var/run/docker.sock:/var/run/docker.sock:ro \
      -v /path/to/your/config:/config \
      --net host --cap-add=NET_ADMIN \
      pitkley/dfw:1.3.0-rc.2 --config-path /config

This will download a lightweight image, coming in at around 20 MB, and subsequently run it using your configuration.
The image supports multiple architectures: amd64, arm64, armv7 (specifically armhf).

v1.3.0-rc.1

20 Feb 13:53
1.3.0-rc.1
aa843d1
Pre-release

Summary

The pre-built Docker image now supports arm64 and armv7 (specifically armhf) in addition to amd64.
This means you can now pull and use the Docker image on e.g. your Raspberry Pis!

You can upgrade from any version after 1.2.0 without further considerations. If you are upgrading from an earlier version, you can consult the release notes for version 1.2.0.

Changes

  • Replace library used to communicate with Docker (which also fixes #411).

    This release replaces the previously used library shiplift by bollard.
    This is not expected to have any impact on users of DFW.

  • Bump minimum supported Rust version to 1.54.0 (from 1.46.0).

    (Required after updating dependencies.)

  • Build Docker images for multiple architectures: amd64, arm64, arm/v7.

    This allows users to pull the image from Docker Hub or GHCR for any of the mentioned architectures (from the same tag).

Internal changes: dependency updates, CI updates.

Installation

While you can use Cargo to install dfw as a binary, using the Docker image is the preferred way to go, especially if you don't want to install Rust and Cargo on your host:

$ docker pull pitkley/dfw:1.3.0-rc.1
$ docker run -d \
      --name=dfw \
      --restart=unless-stopped \
      -v /var/run/docker.sock:/var/run/docker.sock:ro \
      -v /path/to/your/config:/config \
      --net host --cap-add=NET_ADMIN \
      pitkley/dfw:1.3.0-rc.1 --config-path /config

This will download a lightweight image, coming in at under 10 MB, and subsequently run it using your configuration.
The image supports multiple architectures: amd64, arm64, armv7 (specifically armhf).

v1.2.1

13 Dec 15:06
1.2.1
74d10e4

Summary

This release fixes a bug where host-ports in wider-world-to-container rules were not handled correctly, causing rules to not apply correctly.

You can upgrade from version 1.2.0 without further considerations. If you are upgrading from an earlier version, you can consult the release notes for version 1.2.0.

Changes

1.2.1 (2020-12-13)

  • Fix incorrect handling of host-ports in wider-world-to-container rules.

Installation

While you can use Cargo to install dfw as a binary, using the Docker image is the preferred way to go, especially if you don't want to install Rust and Cargo on your host:

$ docker pull pitkley/dfw:1.2.1
$ docker run -d \
      --name=dfw \
      --restart=unless-stopped \
      -v /var/run/docker.sock:/var/run/docker.sock:ro \
      -v /path/to/your/config:/config \
      --net host --cap-add=NET_ADMIN \
      pitkley/dfw:1.2.1 --config-path /config

This will download a lightweight image, coming in at under 10 MB, and subsequently run it using your configuration.

v1.2.0

13 Jul 19:54
1.2.0
71cc64b

Summary

This release reintroduces an iptables-based firewall-backend. This means that if you previously didn't upgrade from DFW v0.5 to v1.0 because you didn't want to switch to nftables, now you can upgrade to v1.2 and continue using iptables.

Please consult the documentation on how to upgrade from a previous release of DFW to v1.2:

Changes

1.2.0 (2020-07-13)

  • Reintegrate the iptables-backend.

    This reintroduces an iptables-based firewall-backend (v1.0 initially dropped iptables-support), specifically the iptables-restore backend that was made available in v0.4+.

    The backend can be selected through the --firewall-backend iptables CLI parameter (nftables is the default).

  • Make exposing containers via IPv6 configurable.

    You can now specify the expose_via_ipv6-key within a wider-world-to-container-rule to configure whether the service should be exposed via IPv6 or not (the default is true).

    (Please note that further requirements need to be fulfilled for exposing services via IPv6 to work, see here.)

  • Ensure consistent behaviour regardless of whether [global_defaults] has been specified or not.

    Previously DFW showed different behaviour depending on whether global_defaults was specified or not, regardless of the actual content within the section (which was allowed to be empty).
    This release ensures that the same behaviour is maintained no matter if the section was defined or not.

  • Don't exit DFW if there are no containers running (#243, thanks to @Georgiy-Tugai).

Internal changes: dependency updates, move CI entirely to GitHub Actions.

Installation

While you can use Cargo to install dfw as a binary, using the Docker image is the preferred way to go, especially if you don't want to install Rust and Cargo on your host:

$ docker pull pitkley/dfw:1.2.0
$ docker run -d \
      --name=dfw \
      --restart=unless-stopped \
      -v /var/run/docker.sock:/var/run/docker.sock:ro \
      -v /path/to/your/config:/config \
      --net host --cap-add=NET_ADMIN \
      pitkley/dfw:1.2.0 --config-path /config

This will download a lightweight image, coming in at under 10 MB, and subsequently run it using your configuration.

v1.2.0-rc.6

15 Jun 12:07
1.2.0-rc.6
88f0245
Pre-release

Prerelease

Changes

  • Reintegrate the iptables-backend.

    This reintroduces an iptables-based firewall-backend (v1.0 initially dropped iptables-support), specifically the iptables-restore backend that was made available in v0.4+.

    The backend can be selected through the --firewall-backend iptables CLI parameter (nftables is the default).

  • Make exposing containers via IPv6 configurable.

    You can now specify the expose_via_ipv6-key within a wider-world-to-container-rule to configure whether the service should be exposed via IPv6 or not (the default is true).

    (Please note that further requirements need to be fulfilled for exposing services via IPv6 to work, see here.)

  • Ensure consistent behaviour regardless of whether [global_defaults] has been specified or not.

    Previously DFW showed different behaviour depending on whether global_defaults was specified or not, regardless of the actual content within the section (which was allowed to be empty).
    This release ensures that the same behaviour is maintained no matter if the section was defined or not.

  • Don't exit DFW if there are no containers running (#243, thanks to @Georgiy-Tugai).

Internal changes: dependency updates, move CI entirely to GitHub Actions.

Installation

While you can use Cargo to install dfw as a binary, using the Docker image is the preferred way to go, especially if you don't want to install Rust and Cargo on your host:

$ docker pull pitkley/dfw:1.2.0-rc.6
$ docker run -d \
      --name=dfw \
      --restart=unless-stopped \
      -v /var/run/docker.sock:/var/run/docker.sock:ro \
      -v /path/to/your/config:/config \
      --net host --cap-add=NET_ADMIN \
      pitkley/dfw:1.2.0-rc.6 --config-path /config

This will download a lightweight image, coming in at under 10 MB, and subsequently run it using your configuration.

v1.2.0-rc.3

30 May 13:55
1.2.0-rc.3
d668b92
Pre-release

Prerelease summary

  • Reintegrate the iptables-backend.
  • Make exposing containers via IPv6 configurable.
  • Ensure consistent behaviour regardless of whether [global_defaults] has been specified or not.

Installation

While you can use Cargo to install dfw as a binary, using the Docker image is the preferred way to go, especially if you don't want to install Rust and Cargo on your host:

$ docker pull pitkley/dfw:1.2.0-rc.3
$ docker run -d \
      --name=dfw \
      --restart=unless-stopped \
      -v /var/run/docker.sock:/var/run/docker.sock:ro \
      -v /path/to/your/config:/config \
      --net host --cap-add=NET_ADMIN \
      pitkley/dfw:1.2.0-rc.3 --config-path /config

This will download a lightweight image, coming in at under 10 MB, and subsequently run it using your configuration.

v1.1.0 - Bugfix, dependency updates

26 May 12:40
1.1.0
c9dc9ba

Summary

This release fixes two issues brought up in #166 and contains updates to DFW's dependencies.

One of our most central dependencies, shiplift, was upgraded from version 0.3 to 0.6. This upgrade introduced asynchronous execution to shiplift itself, which brought an async-runtime (Tokio) with it. While we are not using the asynchronous features of shiplift (yet), upgrading still required adding the runtime to at least synchronously block when executing the futures; hence marking this release as v1.1.0.

The release is fully backwards-compatible with all previous v1.0.x versions.

Installation

While you can use Cargo to install dfw as a binary, using the Docker image is the preferred
way to go, especially if you don't want to install Rust and Cargo on your host:

$ docker pull pitkley/dfw:1.1.0
$ docker run -d \
      --name=dfw \
      --restart=unless-stopped \
      -v /var/run/docker.sock:/var/run/docker.sock:ro \
      -v /path/to/your/config:/config \
      --net host --cap-add=NET_ADMIN \
      pitkley/dfw:1.1.0 --config-path /config

This will download a lightweight image, coming in at under 7 MB, and subsequently run it using
your configuration.

v1.0.1 - Bugfixes, dependency updates

28 Sep 11:04
1.0.1
ebfe872

Summary

This is a small release, fixing the source-CIDR filtering for wider-world-to-container rules. v1.0.0 broke this functionality with the introduction of IPv6 support, which unfortunately was incomplete. v1.0.1 fixes this by splitting the source_cidr field into source_cidr_v4 and source_cidr_v6 (this change is backwards-compatible), allowing you to specify your sources separately for IPv4 and IPv6:

[[wider_world_to_container.rules]]
network = "network"
dst_container = "dst_container"
expose_port = 22
external_network_interface = "eni"
source_cidr_v4 = ["192.0.2.1/32", "192.0.2.2/32"]
source_cidr_v6 = ["2001:db8::1/128", "2001:db8::2/128"]
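
An added example (not DFW's own code): a small Rust helper that sorts a mixed list of allowed sources into the two per-family lists shown above and rejects entries with an invalid address or prefix length, so a typo does not end up in a firewall rule. The function names, the treatment of a bare address as a single host, and the sample list are assumptions made for illustration.

```rust
use std::net::IpAddr;

/// Source CIDRs split by address family, plus entries that failed validation.
#[derive(Debug, Default)]
pub struct SplitCidrs {
    pub v4: Vec<String>,
    pub v6: Vec<String>,
    pub rejected: Vec<String>,
}

/// Parse one entry into (is_ipv4, "addr/len"); None if address or prefix is invalid.
/// A bare address without "/len" is treated as a single host (/32 or /128).
fn normalize(entry: &str) -> Option<(bool, String)> {
    let (addr, prefix) = match entry.split_once('/') {
        Some((a, p)) => (a, Some(p)),
        None => (entry, None),
    };
    let ip: IpAddr = addr.trim().parse().ok()?;
    let max: u8 = if ip.is_ipv4() { 32 } else { 128 };
    let len: u8 = match prefix {
        Some(p) => p.trim().parse().ok()?,
        None => max,
    };
    if len > max { return None; } // e.g. "/33" on an IPv4 address
    Some((ip.is_ipv4(), format!("{}/{}", ip, len)))
}

/// Sort a mixed list into the lists for source_cidr_v4 and source_cidr_v6.
pub fn split_source_cidrs(entries: &[&str]) -> SplitCidrs {
    let mut out = SplitCidrs::default();
    for e in entries {
        match normalize(e.trim()) {
            Some((true, cidr)) => out.v4.push(cidr),
            Some((false, cidr)) => out.v6.push(cidr),
            None => out.rejected.push(e.trim().to_string()),
        }
    }
    out
}

/// Render both keys as TOML lines for a [[wider_world_to_container.rules]] entry.
pub fn to_toml(s: &SplitCidrs) -> String {
    format!("source_cidr_v4 = {:?}\nsource_cidr_v6 = {:?}\n", s.v4, s.v6)
}

fn main() {
    // Constructed sample input using documentation address ranges.
    let mixed = ["192.0.2.1/32", "2001:db8::1/128", "192.0.2.2", "192.0.2.0/33", "example.org"];
    let split = split_source_cidrs(&mixed);
    print!("{}", to_toml(&split));
    for r in &split.rejected {
        eprintln!("rejected: {}", r);
    }
}
```

The helper checks only the address syntax and the prefix length; it does not check whether host bits are set below the prefix.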

Installation

While you can use Cargo to install dfw as a binary, using the Docker image is the preferred
way to go, especially if you don't want to install Rust and Cargo on your host:

$ docker pull pitkley/dfw:1.0.1
$ docker run -d \
      --name=dfw \
      --restart=unless-stopped \
      -v /var/run/docker.sock:/var/run/docker.sock:ro \
      -v /path/to/your/config:/config \
      --net host --cap-add=NET_ADMIN \
      pitkley/dfw:1.0.1 --config-path /config

This will download a lightweight image, coming in at under 7 MB, and subsequently run it using
your configuration.

v1.0.0 - Goodbye iptables, hello nftables; IPv6 support

14 Sep 15:47
1.0.0
1913447

Summary

This release replaces the iptables-based backends with an nftables-based backend. This is a very big change, requiring changes not only to your configuration, but probably also to your host.

The reasons for the switch to nftables are manifold:

  • nftables is intended to replace iptables in the long-term. It is integrated directly into the kernel like iptables, is actively being worked on, and is already the default of some big distributions (like Debian 10 Buster).
  • nftables supports multiple tables of the same type, unlike iptables which only had one table per type. This allows DFW to manage its rules in entirely different tables, requiring only very minimal intrusion into pre-existing tables and chains.
  • This release supports IPv6 for the first time. nftables has made implementing this easier and cleaner than it would have been with iptables. See the documentation on what you need to do if you want your services to be reachable via IPv6.

Take a look at the dedicated migration documentation on how to upgrade from v0.x of DFW to v1.0.

Staying on iptables

Should you be unable to switch from iptables to nftables, you can find the last working state of the iptables-based DFW under the iptables branch. This branch is kept up-to-date on dependencies on a best-effort basis, and is available on Docker Hub under pitkley/dfw:iptables. (The iptables branch equals release v0.5.1, no changes are required if you come from any 0.5 release.)

Installation

While you can use Cargo to install dfw as a binary, using the Docker image is the preferred
way to go, especially if you don't want to install Rust and Cargo on your host:

$ docker pull pitkley/dfw:1.0.0
$ docker run -d \
      --name=dfw \
      --restart=unless-stopped \
      -v /var/run/docker.sock:/var/run/docker.sock:ro \
      -v /path/to/your/config:/config \
      --net host --cap-add=NET_ADMIN \
      pitkley/dfw:1.0.0 --config-path /config

This will download a lightweight image, coming in at under 7 MB, and subsequently run it using
your configuration.