
V0.8.19 release candidate #75

Merged
merged 8 commits into from
Sep 11, 2024
7 changes: 6 additions & 1 deletion CHANGELOG.md
@@ -3,7 +3,12 @@
All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

---
---
###
# [0.8.19] - 2024-09-08
- Add masquerade/reverse_masquerade map garbage collection to ```zfw.c -L -G, --list-gc-sessions``` which is now added to
/etc/cron.d/zfw_refresh as well so it will run once every 60 seconds unless modified.
- Fixed issue where icmp unreachable were not working for ipv4 masqueraded tcp/udp sessions that was introduced when dynamic PAT was added.

###
# [0.8.18] - 2024-09-07
- Add removal of udp state upon receipt of DNS reply from server for passthrough tracking / Masquerade
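Review bot: The first added changelog line invokes the tool as ```zfw.c -L -G, --list-gc-sessions```, but the cron entry quoted in the same line and the README hunk run `/opt/openziti/bin/zfw`; `zfw.c` reads as the source file rather than the command, so it should be `zfw -L -G, --list-gc-sessions`. The entry should also record the idle thresholds the collector applies (the README hunk gives 30 s for UDP and 3600 s for TCP) so an operator reading only the changelog knows when a session is considered stale, and the fix line reads better as "Fixed issue where ICMP unreachable was not working for IPv4 masqueraded TCP/UDP sessions".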
5 changes: 4 additions & 1 deletion README.md
@@ -15,7 +15,10 @@ zfw can now provide native IPv4/IPv6 masquerade operation for outbound pass thro
```sudo zfw -k, --masquerade <ifname>```

This function requires that both ingress and egress TC filters are enabled on outbound interface. For IPv4 this is now using Dynamic PAT and IPv6 is using
static PAT. Note: When running on later kernels i.e. 6+ some older network hardware may not work with ebpf Dynamic PAT.
static PAT. Note: When running on later kernels i.e. 6+ some older network hardware may not work with ebpf Dynamic PAT. We have also seen some incompatibility with 2.5Gb interfaces on 5.x+ kernels.

In release v0.8.19 masquerade session gc was added to /etc/cron.d/zfw_refresh via ```/opt/openziti/bin/zfw -L -G > /dev/null``` and runs once per minute. Stale udp sessions will be
removed if over 30s and stale tcp sessions will be removed if over 3600 seconds(1hr).

### Explicit Deny Rules
This feature adds the ability to enter explicit deny rules by appending ```-d, --disable``` to the ```-I, --insert rule``` to either ingress or egress rules. Rule precedence is based on longest match prefix. If the prefix is the same then the precedence follows the order entry of the rules, which when listed will go from top to bottom for ports with in the same prefix e.g.
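Review bot: The new gc paragraph gives the 30 s UDP and 3600 s TCP thresholds but does not say what "stale" is measured against; state whether the timer runs from the last packet seen on the session, since an operator with long-idle TCP connections behind the masquerade needs that to judge whether 3600 s is safe. It would also help to mention that the cleanup only happens where /etc/cron.d/zfw_refresh is installed and that `zfw -L -G` can be run by hand to confirm it works, and the added sentence "We have also seen some incompatibility with 2.5Gb interfaces on 5.x+ kernels" should name the observable symptom so operators can recognise the condition rather than guess.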
1 change: 1 addition & 0 deletions files/scripts/zfw_refresh
@@ -1,2 +1,3 @@
* * * * * root /opt/openziti/bin/zfw -L -E > /dev/null
* * * * * root /opt/openziti/bin/zfw -L -G > /dev/null

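Review bot: `> /dev/null` on the added line discards the collector's stdout, consistent with the existing `-L -E` entry, but stderr is left to cron's default mail handling, so if `zfw -L -G` starts failing the stale masquerade entries will simply accumulate with nothing in syslog to show it; consider piping the command through `logger -t zfw_refresh` or redirecting `2>&1` to a log file so a silent gc failure is observable. Running the two `zfw -L` invocations as separate per-minute jobs is fine, but a short comment line in the file saying what each entry does would help whoever audits root cron jobs on the host.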