Native Node Artifact Versions and Changelog¶
This document lists available versions of the Native Wallarm Node 0.14.x+ in various form factors, helping you track releases and plan upgrades.
All-in-one installer¶
The all-in-one installer for the Native Node is used for TCP traffic mirror analysis and self-hosted node deployment with the MuleSoft Mule or Flex Gateway, CloudFront, Cloudflare, Istio, Broadcom Layer7 API Gateway, Fastly, IBM DataPower connectors.
History of all-in-one installer updates simultaneously applies to it's x86_64 and ARM64 (beta) versions.
0.16.1 (2025-08-01)¶
-
Introduced the
drop_on_overload
parameter to control dropping excess input under high loadEnabled (
true
) by default. -
Added new Prometheus metrics:
-
wallarm_gonode_application_info
with the general Native Node instance information, e.g.: -
wallarm_gonode_http_inspector_balancer_workers
wallarm_gonode_http_inspector_debug_container_len
now includesaggregate="sum"
fortype="channel:in"
wallarm_gonode_http_inspector_errors_total
now includes a newtype="FlowTimeouts"
-
-
Improved stability in the internal
http_inspector
module
0.16.0 (2025-07-23)¶
-
Added support for the MuleSoft Flex Gateway connector
-
Introduced the
input_filters
configuration section, allowing to define which requests should be inspected or bypassed by the Node -
Fixed memory leak
-
In rules, the separator used in xml_tag values that combine a URI, namespace, and tag name has been changed from
:
to|
-
Fixed blocking issue with denylisted origins and Wallarm Console UI-configured mode
-
Internal improvements
0.15.1 (2025-07-08)¶
-
Introduced the
proxy_headers
configuration to configure trusted networks and extract real client IP and host headersThis replaces
http_inspector.real_ip_header
used in earlier versions in thetcp-capture
mode. -
Added the
metrics.namespace
configuration option to customize the prefix of Prometheus metrics exposed by thego-node
binary -
Fixed the
--preserve
script flag behavior to correctly retain the existingnode.yaml
andenv.list
files during upgradePreviously, these files could be overwritten, resulting in loss of configuration.
-
Added
connector.per_connection_limits
to controlkeep-alive
connection limits -
Minor internal file structure change
-
Fixed wstore ports binding: now bound to
127.0.0.1
instead of0.0.0.0
-
Fixed the CVE-2025-22874 vulnerability
-
Fixed the CVE-2025-47273 vulnerability
0.14.1 (2025-05-07)¶
-
Added support for enumeration mitigation controls
-
Added support for Rate abuse protection mitigation control
-
Added support for the IBM API Connect connector
-
Fixed the CVE-2024-56406, CVE-2025-31115 vulnerabilities
-
Added support for external health check endpoint in the
connector-server
modeThis is controlled by the new
connector.external_health_check
configuration section. -
Fixed a recurring intermittent bug that could cause occasional corruption of request and response bodies
-
The following fixes and updates were made in
tcp-capture
mode:- GoReplay is now built with Go 1.24
- Fixed:
go-node
process no longer hangs when thegoreplay
process crashes - Fixed a crash caused by a slice out-of-bounds error during header parsing in GoReplay
- Fixed incorrect display of Native Node versions in Wallarm Console → Nodes
0.14.0 (2025-04-16)¶
-
Wallarm Node now uses wstore, a Wallarm-developed service, instead of Tarantool for local postanalytics processing
-
The collectd service, previously installed on all filtering nodes, has been removed along with its related plugins
Metrics are now collected and sent using Wallarm's built-in mechanisms, reducing dependencies on external tools.
Helm chart¶
The Helm chart for the Native Node is used for self-hosted node deployments with the MuleSoft Mule or Flex Gateway, CloudFront, Cloudflare, Broadcom Layer7 API Gateway, Fastly, IBM DataPower, Kong API Gateway, and Istio connectors.
0.16.1 (2025-08-01)¶
-
Introduced the
input_filters
configuration section, allowing to define which requests should be inspected or bypassed by the Node -
Introduced the
drop_on_overload
parameter to control dropping excess input under high loadEnabled (
true
) by default. -
Added new Prometheus metrics:
-
wallarm_gonode_application_info
with the general Native Node instance information, e.g.: -
wallarm_gonode_http_inspector_balancer_workers
wallarm_gonode_http_inspector_debug_container_len
now includesaggregate="sum"
fortype="channel:in"
wallarm_gonode_http_inspector_errors_total
now includes a newtype="FlowTimeouts"
-
-
Deprecated the Wallarm Connector for Istio that relied on a Lua plugin
We recommend using the gRPC-based external processing filter for Istio instead.
-
For the deprecated Istio connector, the following improvements were made to ensure compatibility in existing deployments:
- Fixed mesh balancing logic for messages
- Added the
disable_mesh
parameter to process all connector traffic on the Node without mesh balancing (false
by default - mesh balancing is enabled) - Added support for the
drop_on_overload
parameter
-
Improved stability in the internal
http_inspector
module
0.16.0 (2025-07-23)¶
-
Added support for the MuleSoft Flex Gateway connector
-
Fixed memory leak
-
In rules, the separator used in xml_tag values that combine a URI, namespace, and tag name has been changed from
:
to|
-
Fixed blocking issue with denylisted origins and Wallarm Console UI-configured mode
-
Internal improvements
0.15.1 (2025-07-08)¶
-
Added support for the
config.aggregation.serviceAddress
parameter to customize the address and port for incoming wstore connections -
Minor internal file structure change
-
Fixed the CVE-2025-22874 vulnerability
-
Fixed the CVE-2025-47273 vulnerability
0.14.1 (2025-05-07)¶
-
Added support for the IBM API Connect connector
-
Fixed the CVE-2025-22871 vulnerability
-
Fixed handling of
clusterIP: None
in Helm chart headless service -
Fixed a recurring intermittent bug that could cause occasional corruption of request and response bodies
- Fixed incorrect display of Native Node versions in Wallarm Console → Nodes
0.14.0 (2025-04-16)¶
-
Wallarm Node now uses wstore, a Wallarm-developed service, instead of Tarantool for local postanalytics processing
-
All
tarantool
references invalues.yaml
(including container names and parameter keys) have been renamed towstore
If you override these parameters in your configuration, update their names accordingly.
-
The collectd service, previously installed on all filtering nodes, has been removed along with its related plugins
Metrics are now collected and sent using Wallarm's built-in mechanisms, reducing dependencies on external tools.
-
Renamed the
container
label totype
in all Prometheus metrics matching*_container_*
to prevent conflicts with Kubernetes system labels
Docker image¶
The Docker image for the Native Node is used for self-hosted node deployment with the MuleSoft Mule or Flex Gateway, CloudFront, Cloudflare, Istio, Broadcom Layer7 API Gateway, Fastly, IBM DataPower connectors.
0.16.1 (2025-08-01)¶
-
Introduced the
drop_on_overload
parameter to control dropping excess input under high loadEnabled (
true
) by default. -
Added new Prometheus metrics:
-
wallarm_gonode_application_info
with the general Native Node instance information, e.g.: -
wallarm_gonode_http_inspector_balancer_workers
wallarm_gonode_http_inspector_debug_container_len
now includesaggregate="sum"
fortype="channel:in"
wallarm_gonode_http_inspector_errors_total
now includes a newtype="FlowTimeouts"
-
-
Improved stability in the internal
http_inspector
module
0.16.0 (2025-07-23)¶
-
Added support for the MuleSoft Flex Gateway connector
-
Introduced the
input_filters
configuration section, allowing to define which requests should be inspected or bypassed by the Node -
Fixed memory leak
-
In rules, the separator used in xml_tag values that combine a URI, namespace, and tag name has been changed from
:
to|
-
Fixed blocking issue with denylisted origins and Wallarm Console UI-configured mode
-
Internal improvements
0.15.1 (2025-07-08)¶
-
Introduced the
proxy_headers
configuration to configure trusted networks and extract real client IP and host headersThis replaces
http_inspector.real_ip_header
used in earlier versions in thetcp-capture
mode. -
Added the
metrics.namespace
configuration option to customize the prefix of Prometheus metrics exposed by thego-node
binary -
Added
connector.per_connection_limits
to controlkeep-alive
connection limits -
Minor internal file structure change
-
Fixed wstore ports binding: now bound to
127.0.0.1
instead of0.0.0.0
-
Fixed the CVE-2025-22874 vulnerability
-
Fixed the CVE-2025-47273 vulnerability
0.14.1 (2025-05-07)¶
-
Added support for the IBM API Connect connector
-
Fixed the CVE-2025-22871 vulnerability
-
Added support for external health check endpoint
This is controlled by the new
connector.external_health_check
configuration section. -
Fixed a recurring intermittent bug that could cause occasional corruption of request and response bodies
- Fixed incorrect display of Native Node versions in Wallarm Console → Nodes
0.14.0 (2025-04-16)¶
-
Wallarm Node now uses wstore, a Wallarm-developed service, instead of Tarantool for local postanalytics processing
-
The collectd service, previously installed on all filtering nodes, has been removed along with its related plugins
Metrics are now collected and sent using Wallarm's built-in mechanisms, reducing dependencies on external tools.
Amazon Machine Image (AMI)¶
0.14.0 (2025-05-07)¶
- Initial release