September 15, 2020
After a period of deprecation, we’ve removed support for the ports attributes of external networks.
Before upgrading, ensure the following:
- You have converted any import file, script, or automation using the ports attributes to use
- You don’t have any enforcers earlier than 3.12. Enforcers prior to version 3.12 ignore external networks that use
Allow ICMP traffic by message type and code
You can now allow specific ICMP message types and codes using the following syntax:
We recommend allowing ICMP types and codes used for troubleshooting. Examples follow.
|Aporeto syntax|ICMP type and code|Description|Usage|
|---|---|---|---|
| |ICMP Type 8 Code 0|echo requests|ping|
| |ICMP Type 0 Code 0|echo replies|ping|
| |ICMP Type 11 Code 0|time to live expired in transit|traceroute|
| |ICMP Type 3 Code 4|fragmentation needed but the Don’t Fragment (DF) bit is set|path MTU discovery|
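As an added example (not Aporeto code or policy syntax), the allow-list below encodes the four troubleshooting type/code pairs from the table and evaluates constructed ICMP messages against it, showing why allowing by type and code rather than "all ICMP" matters: a redirect or a port-unreachable message is denied while ping and path MTU discovery messages pass. The `icmp_checksum`, `build_icmp` and `decide` helpers and the sample messages are assumptions constructed for this example.

```python
import struct

# Constructed allow-list mirroring the troubleshooting set recommended
# in the release notes, keyed by (type, code); anything else is denied.
TROUBLESHOOTING_ICMP = {
    (8, 0): "echo request (ping)",
    (0, 0): "echo reply (ping)",
    (11, 0): "TTL expired in transit (traceroute)",
    (3, 4): "fragmentation needed, DF bit set (path MTU discovery)",
}

def icmp_checksum(message: bytes) -> int:
    """RFC 1071 one's-complement checksum over a whole ICMP message."""
    if len(message) % 2:
        message += b"\x00"
    total = sum(struct.unpack(f"!{len(message) // 2}H", message))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int, body: bytes = b"") -> bytes:
    """Build a constructed ICMP message with a valid checksum (sample input)."""
    header = struct.pack("!BBH", icmp_type, code, 0) + body
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(header)) + body

def decide(message: bytes, allow=TROUBLESHOOTING_ICMP) -> str:
    """Return 'allow: ...' or 'deny: ...' for one ICMP message.

    Type and code are the first two header bytes (RFC 792). A message whose
    checksum does not verify is denied before any policy lookup, so a
    corrupted or tampered header cannot be matched against the allow-list.
    """
    if len(message) < 8:                    # minimum ICMP header is 8 bytes
        return "deny: truncated ICMP header"
    icmp_type, code = message[0], message[1]
    if icmp_checksum(message) != 0:         # valid message sums to zero
        return "deny: bad checksum"
    reason = allow.get((icmp_type, code))
    if reason is None:
        return f"deny: ICMP type {icmp_type} code {code} not in allow-list"
    return f"allow: {reason}"

if __name__ == "__main__":
    samples = [
        build_icmp(8, 0, b"\x00\x01\x00\x01ping"),  # echo request
        build_icmp(3, 4, bytes(32)),                # fragmentation needed, DF set
        build_icmp(5, 1, bytes(32)),                # redirect for host
        build_icmp(3, 3, bytes(32)),                # port unreachable
    ]
    for sample in samples:
        print(decide(sample))
```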
NOT operator extended to external networks
External networks now support the NOT (
Express network policy destination ports as ranges
Network policies now support ranges of destination ports using the following syntax:
New restricted token for enforcer registration
Aporeto now offers a new, restricted token for enforcer registration. We are deprecating use of the one-time token and encourage those using one-time tokens to migrate to the restricted token. For more information on the restricted token, refer to the installation documentation.
eBPF disabled by default
We now disable eBPF by default. This feature is still in beta. We encourage you to try it out in testing and development environments but not in production.
#249: Attempts to renew the Aporeto certificate authority’s certificate no longer fail under certain circumstances.
#618: The enforcer now returns the proper exit codes so that it can be monitored by tools like Puppet. Due to a known issue in upstart, you may still encounter incorrect exit codes in Ubuntu 14.04. Contact us for a patch to your service script or other workarounds.
nflog packet errors no longer appear in the enforcer logs after enabling host protection on an OpenShift master node and setting
#738: When host protection is enabled, the enforcer now allows itself to query local DNS servers, such as systemd-resolved (default in Ubuntu 18.04). You no longer need to use an enforcer profile to configure the enforcer to ignore loopback traffic. You can use network policies to allow DNS traffic and the enforcer reports the flows.
#146: RHEL 8 and RHEL CoreOS 8 (used by OpenShift 4) have deprecated iptables in favor of nftables. Before installing Aporeto in these environments, you must enable iptables, such as via the following commands:
modprobe ip_tables
modprobe iptable_nat
#597: When using relative time values with apoctl, the values must be in relation to Pacific Standard Time (PST). For example, if you are in France and want to retrieve the last five minutes of flow logs, you could use -9h5m. Another workaround for this issue is to use absolute time values.
#801: After decommissioning an enforcer, you may find some of its iptables rules still in place.
#815: When multiple clients attempt to connect to the same HTTP service on a Windows host, some may experience timeouts.