Firezone's DNS resource NAT can only route certain ICMP packets. In
particular, we can only route ICMP _echo_ packets as only those have a
stable identifier that we can use in our NAT table.
To clarify that, rename the enum variant to `IcmpEcho` from `Icmp`.
ICMP errors like "Destination unreachable" can be sent by both ends of a
network connection. For DNS resources, handling these packets requires
special care as we also need to translate the failed packet embedded
within these ICMP messages such that the recipient can correctly relate
them to the network socket that has sent the original packet.
We do this for inbound ICMP errors already to alert the Client of e.g.
unreachable paths such as unreachable IPv6 networks. Outbound ICMP
errors, that is, ICMP errors generated by the Client for a packet sent
by a resource are currently not handled and result in warnings such as:
> Failed to translate outbound packet: Unsupported ICMPv4 type:
DestinationUnreachable(Port)
Whilst it is possible to correctly handle and translate these packets,
doing so requires a fair amount of work and changes to a very critical
part of the Gateway. As such, we simply drop these packets for now as
"unroutable packets" which downgrades their log level to DEBUG.
Resolves: #10983
In #9798, we added a check to map `ENOBUFS` to `WOUDLBLOCK` on MacOS.
More experimentation on that front revealed that this was actually
incorrect and the UDP sending task will hang as the OS does **not**
notify us once there are new buffers available.
This may explain some random connection hangs that some users have
recently complained about. I've already disabled the feature flag in
production, this PR therefore only removes code that is now inactive.
In order to make this as robust as possible, we implement a retry loop
with an exponential backoff, starting a 2ns. At most, we will be
retrying such a packet for 16ms. Local experiments on my Macbook have
shown that most of the time, new buffer space is available within 1ms.
The exponential backoff ensures we retry very quickly on faster machines
but still successfully send the packet on slower machines.
According to the linked mailing list, the link-speed of the attached
network has nothing to do with this which makes sense. UDP has no
congestion control so sending packets is merely a function of how fast
the CPU can process them.
Related:
https://lists.freebsd.org/pipermail/freebsd-hackers/2004-January/005369.html
---------
Signed-off-by: Thomas Eizinger <thomas@eizinger.io>
Co-authored-by: Jamil <jamilbk@users.noreply.github.com>
Bumps the tauri group in /rust with 5 updates:
| Package | From | To |
| --- | --- | --- |
| [tauri-plugin-dialog](https://github.com/tauri-apps/plugins-workspace)
| `2.4.0` | `2.4.1` |
|
[tauri-plugin-notification](https://github.com/tauri-apps/plugins-workspace)
| `2.3.1` | `2.3.2` |
| [tauri-plugin-opener](https://github.com/tauri-apps/plugins-workspace)
| `2.5.0` | `2.5.1` |
| [tauri-plugin-shell](https://github.com/tauri-apps/plugins-workspace)
| `2.3.1` | `2.3.2` |
| [tauri-utils](https://github.com/tauri-apps/tauri) | `2.7.0` | `2.8.0`
|
Updates `tauri-plugin-dialog` from 2.4.0 to 2.4.1
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/tauri-apps/plugins-workspace/releases">tauri-plugin-dialog's
releases</a>.</em></p>
<blockquote>
<h2>barcode-scanner-js v2.4.1</h2>
<h2>[2.4.1]</h2>
<ul>
<li><a
href="654bf4891a"><code>654bf489</code></a>
(<a
href="https://redirect.github.com/tauri-apps/plugins-workspace/pull/3038">#3038</a>
by <a
href="https://github.com/tauri-apps/plugins-workspace/../../daniel-mader"><code>@daniel-mader</code></a>)
Update <code>androidx.camera</code> from <code>1.1.0</code> to
<code>1.5.1</code> to support 16 KB memory page sizes.</li>
<li><a
href="6c9b61fb65"><code>6c9b61fb</code></a>
(<a
href="https://redirect.github.com/tauri-apps/plugins-workspace/pull/3039">#3039</a>
by <a
href="https://github.com/tauri-apps/plugins-workspace/../../FabianLars"><code>@FabianLars</code></a>)
On Android, updated compileSdk to 36.</li>
</ul>
<!-- raw HTML omitted -->
<pre><code>npm warn publish npm auto-corrected some errors in your
package.json when publishing. Please run "npm pkg fix" to
address these errors.
npm warn publish errors corrected:
npm warn publish "repository" was changed from a string to an
object
npm warn publish "repository.url" was normalized to
"git+https://github.com/tauri-apps/plugins-workspace.git"
npm notice
npm notice 📦 @tauri-apps/plugin-barcode-scanner@2.4.1
npm notice Tarball Contents
npm notice 888B LICENSE.spdx
npm notice 3.3kB README.md
npm notice 2.2kB dist-js/index.cjs
npm notice 1.6kB dist-js/index.d.ts
npm notice 2.1kB dist-js/index.js
npm notice 754B package.json
npm notice Tarball Details
npm notice name: @tauri-apps/plugin-barcode-scanner
npm notice version: 2.4.1
npm notice filename: tauri-apps-plugin-barcode-scanner-2.4.1.tgz
npm notice package size: 3.4 kB
npm notice unpacked size: 10.9 kB
npm notice shasum: 1425963d0302d3947c3b6d5309671cce390cfb5e
npm notice integrity: sha512-AN5vdeLvuv93z[...]PrRCthwUgTgow==
npm notice total files: 6
npm notice
npm notice Publishing to https://registry.npmjs.org/ with tag latest and
public access
npm notice publish Signed provenance statement with source and build
information from GitHub Actions
npm notice publish Provenance statement published to transparency log:
https://search.sigstore.dev/?logIndex=642040114
+ @tauri-apps/plugin-barcode-scanner@2.4.1
</code></pre>
<!-- raw HTML omitted -->
<h2>barcode-scanner v2.4.1</h2>
<h2>[2.4.1]</h2>
<ul>
<li><a
href="654bf4891a"><code>654bf489</code></a>
(<a
href="https://redirect.github.com/tauri-apps/plugins-workspace/pull/3038">#3038</a>
by <a
href="https://github.com/tauri-apps/plugins-workspace/../../daniel-mader"><code>@daniel-mader</code></a>)
Update <code>androidx.camera</code> from <code>1.1.0</code> to
<code>1.5.1</code> to support 16 KB memory page sizes.</li>
<li><a
href="6c9b61fb65"><code>6c9b61fb</code></a>
(<a
href="https://redirect.github.com/tauri-apps/plugins-workspace/pull/3039">#3039</a>
by <a
href="https://github.com/tauri-apps/plugins-workspace/../../FabianLars"><code>@FabianLars</code></a>)
On Android, updated compileSdk to 36.</li>
</ul>
<!-- raw HTML omitted -->
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="d66aa6ff78"><code>d66aa6f</code></a>
publish new versions (<a
href="https://redirect.github.com/tauri-apps/plugins-workspace/issues/2822">#2822</a>)</li>
<li><a
href="6f345870df"><code>6f34587</code></a>
fix(single-instance): disable dbus name replacement (<a
href="https://redirect.github.com/tauri-apps/plugins-workspace/issues/2860">#2860</a>)</li>
<li><a
href="708fa4e2b7"><code>708fa4e</code></a>
chore(deps): update dependency eslint-config-prettier to v10.1.8 (<a
href="https://redirect.github.com/tauri-apps/plugins-workspace/issues/2858">#2858</a>)</li>
<li><a
href="b729203059"><code>b729203</code></a>
fix(upload): fix download() locks main thread on Android (<a
href="https://redirect.github.com/tauri-apps/plugins-workspace/issues/2838">#2838</a>)</li>
<li><a
href="2f9c71aae7"><code>2f9c71a</code></a>
chore(deps): update dependency rollup to v4.45.1 (<a
href="https://redirect.github.com/tauri-apps/plugins-workspace/issues/2850">#2850</a>)</li>
<li><a
href="80d4d8e128"><code>80d4d8e</code></a>
chore(deps): update eslint monorepo to v9.31.0 (v2) (<a
href="https://redirect.github.com/tauri-apps/plugins-workspace/issues/2839">#2839</a>)</li>
<li><a
href="e7a98b0d2e"><code>e7a98b0</code></a>
chore(deps): update dependency typescript-eslint to v8.37.0 (<a
href="https://redirect.github.com/tauri-apps/plugins-workspace/issues/2848">#2848</a>)</li>
<li><a
href="44a1f65912"><code>44a1f65</code></a>
fix(fs): <code>writeFile</code> create file by default (<a
href="https://redirect.github.com/tauri-apps/plugins-workspace/issues/2846">#2846</a>)</li>
<li><a
href="6210cd31df"><code>6210cd3</code></a>
chore(deps): update dependency rollup to v4.45.0 (<a
href="https://redirect.github.com/tauri-apps/plugins-workspace/issues/2841">#2841</a>)</li>
<li><a
href="467f07b7de"><code>467f07b</code></a>
chore(deps): update dependency vite to v7 (v2) (<a
href="https://redirect.github.com/tauri-apps/plugins-workspace/issues/2800">#2800</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/tauri-apps/plugins-workspace/compare/fs-v2.4.0...fs-v2.4.1">compare
view</a></li>
</ul>
</details>
<br />
Updates `tauri-plugin-notification` from 2.3.1 to 2.3.2
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/tauri-apps/plugins-workspace/releases">tauri-plugin-notification's
releases</a>.</em></p>
<blockquote>
<h2>persisted-scope v2.3.2</h2>
<h2>[2.3.2]</h2>
<h3>Dependencies</h3>
<ul>
<li>Upgraded to <code>fs@2.4.2</code></li>
</ul>
<!-- raw HTML omitted -->
<pre><code>Updating crates.io index
Packaging tauri-plugin-persisted-scope v2.3.2
(/home/runner/work/plugins-workspace/plugins-workspace/plugins/persisted-scope)
Updating crates.io index
Packaged 12 files, 185.1KiB (83.8KiB compressed)
Uploading tauri-plugin-persisted-scope v2.3.2
(/home/runner/work/plugins-workspace/plugins-workspace/plugins/persisted-scope)
Uploaded tauri-plugin-persisted-scope v2.3.2 to registry `crates-io`
note: waiting for tauri-plugin-persisted-scope v2.3.2 to be available at
registry `crates-io`.
You may press ctrl-c to skip waiting; the crate should be available
shortly.
Published tauri-plugin-persisted-scope v2.3.2 at registry `crates-io`
</code></pre>
<!-- raw HTML omitted -->
<h2>nfc-js v2.3.2</h2>
<h2>[2.3.2]</h2>
<ul>
<li><a
href="6c9b61fb65"><code>6c9b61fb</code></a>
(<a
href="https://redirect.github.com/tauri-apps/plugins-workspace/pull/3039">#3039</a>
by <a
href="https://github.com/tauri-apps/plugins-workspace/../../FabianLars"><code>@FabianLars</code></a>)
On Android, updated compileSdk to 36.</li>
</ul>
<!-- raw HTML omitted -->
<pre><code>npm warn publish npm auto-corrected some errors in your
package.json when publishing. Please run "npm pkg fix" to
address these errors.
npm warn publish errors corrected:
npm warn publish "repository" was changed from a string to an
object
npm warn publish "repository.url" was normalized to
"git+https://github.com/tauri-apps/plugins-workspace.git"
npm notice
npm notice 📦 @tauri-apps/plugin-nfc@2.3.2
npm notice Tarball Contents
npm notice 888B LICENSE.spdx
npm notice 3.1kB README.md
npm notice 5.0kB dist-js/index.cjs
npm notice 3.7kB dist-js/index.d.ts
npm notice 4.8kB dist-js/index.js
npm notice 678B package.json
npm notice Tarball Details
npm notice name: @tauri-apps/plugin-nfc
npm notice version: 2.3.2
npm notice filename: tauri-apps-plugin-nfc-2.3.2.tgz
</tr></table>
</code></pre>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="e7a68fa637"><code>e7a68fa</code></a>
publish new versions (<a
href="https://redirect.github.com/tauri-apps/plugins-workspace/issues/3068">#3068</a>)</li>
<li><a
href="b5550a3b0d"><code>b5550a3</code></a>
chore: temp delete updater changefile</li>
<li><a
href="93426f8512"><code>93426f8</code></a>
fix: fix docsrs builds</li>
<li><a
href="4ee61e055e"><code>4ee61e0</code></a>
Revert "chore: temp delete updater changefile"</li>
<li><a
href="06124af8d6"><code>06124af</code></a>
publish new versions (<a
href="https://redirect.github.com/tauri-apps/plugins-workspace/issues/2972">#2972</a>)</li>
<li><a
href="060219e597"><code>060219e</code></a>
chore(deps): update dependency <code>@rollup/plugin-typescript</code>
to v12.3.0 (<a
href="https://redirect.github.com/tauri-apps/plugins-workspace/issues/3067">#3067</a>)</li>
<li><a
href="c7e9766ff5"><code>c7e9766</code></a>
chore(deps): update tauri monorepo (v2) (<a
href="https://redirect.github.com/tauri-apps/plugins-workspace/issues/3058">#3058</a>)</li>
<li><a
href="d4a8ce962b"><code>d4a8ce9</code></a>
chore(deps): update rust crate tokio-tungstenite to 0.28 (<a
href="https://redirect.github.com/tauri-apps/plugins-workspace/issues/3016">#3016</a>)</li>
<li><a
href="cdc7eec415"><code>cdc7eec</code></a>
chore(deps): update dependency <code>@rollup/plugin-typescript</code>
to v12.2.0 (<a
href="https://redirect.github.com/tauri-apps/plugins-workspace/issues/3066">#3066</a>)</li>
<li><a
href="6314b004ab"><code>6314b00</code></a>
chore: temp delete updater changefile</li>
<li>Additional commits viewable in <a
href="https://github.com/tauri-apps/plugins-workspace/compare/os-v2.3.1...os-v2.3.2">compare
view</a></li>
</ul>
</details>
<br />
Updates `tauri-plugin-opener` from 2.5.0 to 2.5.1
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/tauri-apps/plugins-workspace/releases">tauri-plugin-opener's
releases</a>.</em></p>
<blockquote>
<h2>opener-js v2.5.1</h2>
<h2>[2.5.1]</h2>
<ul>
<li><a
href="6c9b61fb65"><code>6c9b61fb</code></a>
(<a
href="https://redirect.github.com/tauri-apps/plugins-workspace/pull/3039">#3039</a>
by <a
href="https://github.com/tauri-apps/plugins-workspace/../../FabianLars"><code>@FabianLars</code></a>)
On Android, updated compileSdk to 36.</li>
<li><a
href="67a7bf80f8"><code>67a7bf80</code></a>
(<a
href="https://redirect.github.com/tauri-apps/plugins-workspace/pull/3018">#3018</a>
by <a
href="https://github.com/tauri-apps/plugins-workspace/../../Legend-Master"><code>@Legend-Master</code></a>)
Fix opener doesn't open same origin links in the browser</li>
</ul>
<!-- raw HTML omitted -->
<pre><code>npm warn publish npm auto-corrected some errors in your
package.json when publishing. Please run "npm pkg fix" to
address these errors.
npm warn publish errors corrected:
npm warn publish "repository" was changed from a string to an
object
npm warn publish "repository.url" was normalized to
"git+https://github.com/tauri-apps/plugins-workspace.git"
npm notice
npm notice 📦 @tauri-apps/plugin-opener@2.5.1
npm notice Tarball Contents
npm notice 888B LICENSE.spdx
npm notice 4.2kB README.md
npm notice 3.1kB dist-js/index.cjs
npm notice 2.0kB dist-js/index.d.ts
npm notice 3.1kB dist-js/index.js
npm notice 11B dist-js/init.d.ts
npm notice 729B package.json
npm notice Tarball Details
npm notice name: @tauri-apps/plugin-opener
npm notice version: 2.5.1
npm notice filename: tauri-apps-plugin-opener-2.5.1.tgz
npm notice package size: 3.5 kB
npm notice unpacked size: 14.1 kB
npm notice shasum: aedf32d399e9d0f6dcaacca4e2461550ab8d3b79
npm notice integrity: sha512-nyT6oW4ibyXJN[...]7/Q46ZKuzeeBQ==
npm notice total files: 7
npm notice
npm notice Publishing to https://registry.npmjs.org/ with tag latest and
public access
npm notice publish Signed provenance statement with source and build
information from GitHub Actions
npm notice publish Provenance statement published to transparency log:
https://search.sigstore.dev/?logIndex=642040262
+ @tauri-apps/plugin-opener@2.5.1
</code></pre>
<!-- raw HTML omitted -->
<h2>opener v2.5.1</h2>
<h2>[2.5.1]</h2>
<ul>
<li><a
href="6c9b61fb65"><code>6c9b61fb</code></a>
(<a
href="https://redirect.github.com/tauri-apps/plugins-workspace/pull/3039">#3039</a>
by <a
href="https://github.com/tauri-apps/plugins-workspace/../../FabianLars"><code>@FabianLars</code></a>)
On Android, updated compileSdk to 36.</li>
<li><a
href="67a7bf80f8"><code>67a7bf80</code></a>
(<a
href="https://redirect.github.com/tauri-apps/plugins-workspace/pull/3018">#3018</a>
by <a
href="https://github.com/tauri-apps/plugins-workspace/../../Legend-Master"><code>@Legend-Master</code></a>)
Fix opener doesn't open same origin links in the browser</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="5779099688"><code>5779099</code></a>
publish new versions (<a
href="https://redirect.github.com/tauri-apps/plugins-workspace/issues/2780">#2780</a>)</li>
<li><a
href="2aec8ff4c4"><code>2aec8ff</code></a>
feat(opener): add <code>inAppBrowser</code> option for iOS and Android
(<a
href="https://redirect.github.com/tauri-apps/plugins-workspace/issues/2803">#2803</a>)</li>
<li><a
href="9799f0dbab"><code>9799f0d</code></a>
fix(log): iOS simulator freezing due to early logging (<a
href="https://redirect.github.com/tauri-apps/plugins-workspace/issues/2802">#2802</a>)</li>
<li><a
href="8cdaacdc6e"><code>8cdaacd</code></a>
chore(examples): update API example mobile projects</li>
<li><a
href="d46778e80b"><code>d46778e</code></a>
chore(deps): update dependency typescript-eslint to v8.35.0 (<a
href="https://redirect.github.com/tauri-apps/plugins-workspace/issues/2794">#2794</a>)</li>
<li><a
href="a0288648f8"><code>a028864</code></a>
chore(deps): update dependency prettier to v3.6.0 (v2) (<a
href="https://redirect.github.com/tauri-apps/plugins-workspace/issues/2789">#2789</a>)</li>
<li><a
href="f6e11282a7"><code>f6e1128</code></a>
feat(cli): Pass optional args to get matches (<a
href="https://redirect.github.com/tauri-apps/plugins-workspace/issues/2787">#2787</a>)</li>
<li><a
href="5642283dba"><code>5642283</code></a>
chore(deps): update dependency rollup to v4.44.0 (<a
href="https://redirect.github.com/tauri-apps/plugins-workspace/issues/2782">#2782</a>)</li>
<li><a
href="37c2fb4120"><code>37c2fb4</code></a>
feat(cli): add support for global CLI arguments (<a
href="https://redirect.github.com/tauri-apps/plugins-workspace/issues/2772">#2772</a>)</li>
<li><a
href="27c2193d42"><code>27c2193</code></a>
chore(deps): update dependency <code>@rollup/plugin-typescript</code>
to v12.1.3 (<a
href="https://redirect.github.com/tauri-apps/plugins-workspace/issues/2778">#2778</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/tauri-apps/plugins-workspace/compare/log-v2.5.0...log-v2.5.1">compare
view</a></li>
</ul>
</details>
<br />
Updates `tauri-plugin-shell` from 2.3.1 to 2.3.2
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/tauri-apps/plugins-workspace/releases">tauri-plugin-shell's
releases</a>.</em></p>
<blockquote>
<h2>persisted-scope v2.3.2</h2>
<h2>[2.3.2]</h2>
<h3>Dependencies</h3>
<ul>
<li>Upgraded to <code>fs@2.4.2</code></li>
</ul>
<!-- raw HTML omitted -->
<pre><code>Updating crates.io index
Packaging tauri-plugin-persisted-scope v2.3.2
(/home/runner/work/plugins-workspace/plugins-workspace/plugins/persisted-scope)
Updating crates.io index
Packaged 12 files, 185.1KiB (83.8KiB compressed)
Uploading tauri-plugin-persisted-scope v2.3.2
(/home/runner/work/plugins-workspace/plugins-workspace/plugins/persisted-scope)
Uploaded tauri-plugin-persisted-scope v2.3.2 to registry `crates-io`
note: waiting for tauri-plugin-persisted-scope v2.3.2 to be available at
registry `crates-io`.
You may press ctrl-c to skip waiting; the crate should be available
shortly.
Published tauri-plugin-persisted-scope v2.3.2 at registry `crates-io`
</code></pre>
<!-- raw HTML omitted -->
<h2>nfc-js v2.3.2</h2>
<h2>[2.3.2]</h2>
<ul>
<li><a
href="6c9b61fb65"><code>6c9b61fb</code></a>
(<a
href="https://redirect.github.com/tauri-apps/plugins-workspace/pull/3039">#3039</a>
by <a
href="https://github.com/tauri-apps/plugins-workspace/../../FabianLars"><code>@FabianLars</code></a>)
On Android, updated compileSdk to 36.</li>
</ul>
<!-- raw HTML omitted -->
<pre><code>npm warn publish npm auto-corrected some errors in your
package.json when publishing. Please run "npm pkg fix" to
address these errors.
npm warn publish errors corrected:
npm warn publish "repository" was changed from a string to an
object
npm warn publish "repository.url" was normalized to
"git+https://github.com/tauri-apps/plugins-workspace.git"
npm notice
npm notice 📦 @tauri-apps/plugin-nfc@2.3.2
npm notice Tarball Contents
npm notice 888B LICENSE.spdx
npm notice 3.1kB README.md
npm notice 5.0kB dist-js/index.cjs
npm notice 3.7kB dist-js/index.d.ts
npm notice 4.8kB dist-js/index.js
npm notice 678B package.json
npm notice Tarball Details
npm notice name: @tauri-apps/plugin-nfc
npm notice version: 2.3.2
npm notice filename: tauri-apps-plugin-nfc-2.3.2.tgz
</tr></table>
</code></pre>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="e7a68fa637"><code>e7a68fa</code></a>
publish new versions (<a
href="https://redirect.github.com/tauri-apps/plugins-workspace/issues/3068">#3068</a>)</li>
<li><a
href="b5550a3b0d"><code>b5550a3</code></a>
chore: temp delete updater changefile</li>
<li><a
href="93426f8512"><code>93426f8</code></a>
fix: fix docsrs builds</li>
<li><a
href="4ee61e055e"><code>4ee61e0</code></a>
Revert "chore: temp delete updater changefile"</li>
<li><a
href="06124af8d6"><code>06124af</code></a>
publish new versions (<a
href="https://redirect.github.com/tauri-apps/plugins-workspace/issues/2972">#2972</a>)</li>
<li><a
href="060219e597"><code>060219e</code></a>
chore(deps): update dependency <code>@rollup/plugin-typescript</code>
to v12.3.0 (<a
href="https://redirect.github.com/tauri-apps/plugins-workspace/issues/3067">#3067</a>)</li>
<li><a
href="c7e9766ff5"><code>c7e9766</code></a>
chore(deps): update tauri monorepo (v2) (<a
href="https://redirect.github.com/tauri-apps/plugins-workspace/issues/3058">#3058</a>)</li>
<li><a
href="d4a8ce962b"><code>d4a8ce9</code></a>
chore(deps): update rust crate tokio-tungstenite to 0.28 (<a
href="https://redirect.github.com/tauri-apps/plugins-workspace/issues/3016">#3016</a>)</li>
<li><a
href="cdc7eec415"><code>cdc7eec</code></a>
chore(deps): update dependency <code>@rollup/plugin-typescript</code>
to v12.2.0 (<a
href="https://redirect.github.com/tauri-apps/plugins-workspace/issues/3066">#3066</a>)</li>
<li><a
href="6314b004ab"><code>6314b00</code></a>
chore: temp delete updater changefile</li>
<li>Additional commits viewable in <a
href="https://github.com/tauri-apps/plugins-workspace/compare/os-v2.3.1...os-v2.3.2">compare
view</a></li>
</ul>
</details>
<br />
Updates `tauri-utils` from 2.7.0 to 2.8.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/tauri-apps/tauri/releases">tauri-utils's
releases</a>.</em></p>
<blockquote>
<h2>tauri-utils v2.8.0</h2>
<!-- raw HTML omitted -->
<pre><code>Updating git repository
`https://github.com/tauri-apps/schemars.git`
Updating crates.io index
warning: Patch `schemars_derive v0.8.21
(https://github.com/tauri-apps/schemars.git?branch=feat%2Fpreserve-description-newlines#c30f9848)`
was not used in the crate graph.
Check that the patched package version and available features are
compatible
with the dependency requirements. If the patch has a different version
from
what is locked in the Cargo.lock file, run `cargo update` to use the new
version. This may also occur with an optional dependency that is not
enabled.
Locking 1051 packages to latest compatible versions
Adding apple-codesign v0.27.0 (available: v0.29.0)
Adding cargo-mobile2 v0.21.2 (available: v0.22.1)
Adding cargo_metadata v0.19.2 (available: v0.23.0)
Adding colored v2.2.0 (available: v3.0.0)
Adding ctor v0.2.9 (available: v0.6.0)
Adding dialoguer v0.11.0 (available: v0.12.0)
Adding elf v0.7.4 (available: v0.8.0)
Adding goblin v0.9.3 (available: v0.10.3)
Adding html5ever v0.29.1 (available: v0.35.0)
Adding itertools v0.13.0 (available: v0.14.0)
Adding json-patch v3.0.1 (available: v4.1.0)
Adding jsonrpsee v0.24.9 (available: v0.26.0)
Adding jsonrpsee-client-transport v0.24.9 (available: v0.26.0)
Adding jsonrpsee-core v0.24.9 (available: v0.26.0)
Adding jsonrpsee-ws-client v0.24.9 (available: v0.26.0)
Adding matchit v0.8.4 (available: v0.8.6)
Adding minisign v0.7.3 (available: v0.7.9)
Adding object v0.36.7 (available: v0.37.3)
Adding oxc_allocator v0.36.0 (available: v0.95.0)
Adding oxc_ast v0.36.0 (available: v0.95.0)
Adding oxc_parser v0.36.0 (available: v0.95.0)
Adding oxc_span v0.36.0 (available: v0.95.0)
Adding phf v0.11.3 (available: v0.13.1)
Adding png v0.17.16 (available: v0.18.0)
Adding rpm v0.16.1 (available: v0.18.4)
Adding schemars v0.8.22 (available: v1.0.4)
Adding tiny_http v0.11.0 (available: v0.12.0)
Adding toml v0.8.2 (available: v0.8.23)
Adding toml_datetime v0.6.3 (available: v0.6.11)
Adding toml_edit v0.20.2 (available: v0.20.7)
Adding urlpattern v0.3.0 (available: v0.4.0)
Adding windows v0.61.3 (available: v0.62.2)
Adding windows-registry v0.5.3 (available: v0.6.1)
Adding windows-sys v0.60.2 (available: v0.61.2)
Adding x509-certificate v0.23.1 (available: v0.25.0)
Adding zip v4.6.1 (available: v6.0.0)
Fetching advisory database from
`https://github.com/RustSec/advisory-db.git`
</tr></table>
</code></pre>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="cb28f4368c"><code>cb28f43</code></a>
apply version updates (<a
href="https://redirect.github.com/tauri-apps/tauri/issues/14137">#14137</a>)</li>
<li><a
href="6aa7f2d852"><code>6aa7f2d</code></a>
chore(deps): minor bump plugin, codegen and macros crates</li>
<li><a
href="06f26bbb24"><code>06f26bb</code></a>
chore(deps): update tao to 0.34.5</li>
<li><a
href="68cb318979"><code>68cb318</code></a>
feat(core): add stop, restart, destroy and configuration changed Android
hook...</li>
<li><a
href="3397fd9bfe"><code>3397fd9</code></a>
feat(core): back button event on Android, closes <a
href="https://redirect.github.com/tauri-apps/tauri/issues/8142">#8142</a>
(<a
href="https://redirect.github.com/tauri-apps/tauri/issues/14133">#14133</a>)</li>
<li><a
href="3b4fac2017"><code>3b4fac2</code></a>
feat(android): add auto_increment_version_code option for Android builds
(<a
href="https://redirect.github.com/tauri-apps/tauri/issues/1">#1</a>...</li>
<li><a
href="684791efa6"><code>684791e</code></a>
fix(macos): Always try to create webview, even if webkit runtime isn't
detect...</li>
<li><a
href="25e920e169"><code>25e920e</code></a>
fix(cli): wait for dev command to exit with --no-watch, closes <a
href="https://redirect.github.com/tauri-apps/tauri/issues/14284">#14284</a>
(<a
href="https://redirect.github.com/tauri-apps/tauri/issues/14298">#14298</a>)</li>
<li><a
href="a279485856"><code>a279485</code></a>
chore(cli): update cargo-mobile2 to 0.21.1</li>
<li><a
href="7b0d4e7322"><code>7b0d4e7</code></a>
fix(core): SHA256 hash for JS scripts CSP on Windows (<a
href="https://redirect.github.com/tauri-apps/tauri/issues/14265">#14265</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/tauri-apps/tauri/compare/tauri-utils-v2.7.0...tauri-utils-v2.8.0">compare
view</a></li>
</ul>
</details>
<br />
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
In a recent refactor, we appear to have broken DNS resources that are
IPv6 only. This was caused by a change in how we iterate over the proxy
IP mappings. By bailing out as soon as we "run out" of IP mappings, we
actually never get to the IPv6 mappings.
This PR fixes this behaviour and adds a regression test to ensure we
always insert an entry for all proxy IPs.
The current Rust workspace isn't as consistent as it could be. To make
navigation a bit easier, we move a few crates around. Generally, we
follow the idea that entry-points should be at the top-level. `rust/`
now looks like this (directories only):
```
.
├── cli # Firezone CLI
├── client-ffi # Entry point for Apple & Android
├── gateway # Gateway
├── gui-client # GUI client
├── headless-client # Headless client
├── libs # Library crates
├── relay # Relay
├── target # Compile artifacts
├── tests # Crates for testing
└── tools # Local tools
```
To further enforce this structure, we also drop the `firezone-` prefix
from all crates that are not top-level binary crates.
Within the proptests, we assert that connlib correctly reports the
online status of resources. For resources where we establish TCP
connections, that is difficult to model exactly due to the number of
error cases we also run through in the tests like rejecting connections
with ICMP errors, rebooting relays etc.
Up until now, we tried to model this quite precisely by only allowing
deviations of the resource status for TCP connections that have received
ICMP errors. With the prolonged ICE timeout on the Gateway, this is
turning out to not be enough.
We therefore relax the assertion here to allow all resources that are
within sites that we made a TCP connection to deviate from their
expected online/unknown status.
The downcasting abilities of `anyhow` are pretty powerful.
Unfortunately, they can also be a bit tricky to get right. Whilst `is`
and `downcast` work fine for any errors that are within the `anyhow`
error chain, they don't check the chain of errors prior to that. In
other words, if we already have a nested `std::error::Error` with
several causes, `anyhow` cannot downcast to these causes directly.
In order to avoid this footgun, we create a thin-layer on top of the
`anyhow` crate with some downcasting functions that always try to do the
right thing.
When upserting a connection, we need to sample one of our relays to use
as a fallback. If we don't have any relays (because they all got
disconnected), we cannot create the connection.
Right now, we perform this sampling a bit too late in the function and
thus wrongly print "Creating new connection" even though we never make
it that for.
To avoid that, move the `sample_relay` call higher up to avoid making
any state modifications if we cannot proceed.
Bumps [caps](https://github.com/lucab/caps-rs) from 0.5.5 to 0.5.6.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/lucab/caps-rs/releases">caps's
releases</a>.</em></p>
<blockquote>
<h2>v0.5.6</h2>
<p>Changes:</p>
<ul>
<li>Update minimum toolchain to 1.63</li>
<li>Remove <code>thiserror</code> dependency</li>
<li>Gracefully handle unsupported capabilities in clear and read
operations</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="d5dcf952ad"><code>d5dcf95</code></a>
cargo: caps release 0.5.6</li>
<li><a
href="4743546164"><code>4743546</code></a>
Merge pull request <a
href="https://redirect.github.com/lucab/caps-rs/issues/97">#97</a> from
bilelmoussaoui/master</li>
<li><a
href="a541bc1e0d"><code>a541bc1</code></a>
Get rid of thiserror</li>
<li><a
href="2a64efc2f4"><code>2a64efc</code></a>
Merge pull request <a
href="https://redirect.github.com/lucab/caps-rs/issues/96">#96</a> from
Soft/clear_supported_caps_from_bounding_set</li>
<li><a
href="5a9ae19fdf"><code>5a9ae19</code></a>
Handle unsupported capabilities gracefully in clear and read
operations</li>
<li><a
href="8ae9b4f960"><code>8ae9b4f</code></a>
Merge pull request <a
href="https://redirect.github.com/lucab/caps-rs/issues/95">#95</a> from
lucab/push-sqknlowmyxmp</li>
<li><a
href="f3c7fb4827"><code>f3c7fb4</code></a>
cargo: add MSRV to manifest metadata</li>
<li><a
href="bbf8b0006d"><code>bbf8b00</code></a>
Merge pull request <a
href="https://redirect.github.com/lucab/caps-rs/issues/94">#94</a> from
lucab/push-kvotmuqtvsnp</li>
<li><a
href="2a9635c62e"><code>2a9635c</code></a>
docs: minor fixes</li>
<li><a
href="757ae11d49"><code>757ae11</code></a>
Merge pull request <a
href="https://redirect.github.com/lucab/caps-rs/issues/93">#93</a> from
lucab/push-xwkvyrnzmvtt</li>
<li>Additional commits viewable in <a
href="https://github.com/lucab/caps-rs/compare/v0.5.5...v0.5.6">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
The health-check tests for the relay use `Instant::elapsed` which
implicitly uses `Instant::now`. On a freshly booted Windows machine,
these tests might easily fail because we are subtracting 15 minutes from
`Instant::now` which might result in an underflow as Windows cannot
represent `Instant`s prior to the boot time.
Related: #10927
Bumps [rustls](https://github.com/rustls/rustls) from 0.23.31 to
0.23.34.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="4cee226dbe"><code>4cee226</code></a>
Cargo: rustls v0.23.33 -> v0.23.34</li>
<li><a
href="278391eb38"><code>278391e</code></a>
Remove use of <code>doc_auto_cfg</code></li>
<li><a
href="31ca6afe91"><code>31ca6af</code></a>
Avoid use of <code>docsrs</code> cfg</li>
<li><a
href="b4597ca1f6"><code>b4597ca</code></a>
Prepare 0.23.33</li>
<li><a
href="667a71d513"><code>667a71d</code></a>
Reset KeyUpdate counter on AppData</li>
<li><a
href="48b2fd919f"><code>48b2fd9</code></a>
Support encryption for QUIC multipath</li>
<li><a
href="6a188a70a0"><code>6a188a7</code></a>
Take semver-compatible updates</li>
<li><a
href="5abe33e71d"><code>5abe33e</code></a>
Prepare 0.23.32</li>
<li><a
href="d3c502e0f5"><code>d3c502e</code></a>
Improve compatibility of TLS1.2 with ECDSA+SHA512</li>
<li><a
href="ef7063d21f"><code>ef7063d</code></a>
take webpki 0.103.5</li>
<li>Additional commits viewable in <a
href="https://github.com/rustls/rustls/compare/v/0.23.31...v/0.23.34">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [proc-macro2](https://github.com/dtolnay/proc-macro2) from 1.0.101
to 1.0.103.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/dtolnay/proc-macro2/releases">proc-macro2's
releases</a>.</em></p>
<blockquote>
<h2>1.0.103</h2>
<ul>
<li>Add semver-exempt <code>Literal</code> methods
<code>str_value</code>, <code>cstr_value</code>,
<code>byte_str_value</code> (<a
href="https://redirect.github.com/dtolnay/proc-macro2/issues/525">#525</a>)</li>
</ul>
<h2>1.0.102</h2>
<ul>
<li>Fix interaction of Display impls for TokenStream and Ident with
formatting specifiers for padding, alignment, width (<a
href="https://redirect.github.com/dtolnay/proc-macro2/issues/523">#523</a>,
<a
href="https://redirect.github.com/dtolnay/proc-macro2/issues/524">#524</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="d1bf13ac1d"><code>d1bf13a</code></a>
Release 1.0.103</li>
<li><a
href="29e08c06e5"><code>29e08c0</code></a>
Merge pull request <a
href="https://redirect.github.com/dtolnay/proc-macro2/issues/525">#525</a>
from dtolnay/literalvalue</li>
<li><a
href="f9eec24c5e"><code>f9eec24</code></a>
Restore support for rustc older than 1.74</li>
<li><a
href="cc983fce21"><code>cc983fc</code></a>
Restore support for rustc older than 1.79</li>
<li><a
href="465f7813e4"><code>465f781</code></a>
Restore support for rustc older than 1.89</li>
<li><a
href="ab5231cd46"><code>ab5231c</code></a>
Add string literal value tests</li>
<li><a
href="4c039a8e03"><code>4c039a8</code></a>
Add Literal methods from proc_macro_value feature</li>
<li><a
href="885fde9b29"><code>885fde9</code></a>
Vendor rustc_literal_escaper v0.0.5</li>
<li><a
href="39b016a50c"><code>39b016a</code></a>
Release 1.0.102</li>
<li><a
href="c3870f1fc5"><code>c3870f1</code></a>
Add raw identifier Debug test</li>
<li>Additional commits viewable in <a
href="https://github.com/dtolnay/proc-macro2/compare/1.0.101...1.0.103">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [zbus](https://github.com/z-galaxy/zbus) from 5.11.0 to 5.12.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/z-galaxy/zbus/releases">zbus's
releases</a>.</em></p>
<blockquote>
<h2>🔖 zbus 5.12.0</h2>
<ul>
<li>🚚 Update name of Github space from <code>dbus2</code> to
<code>z-galaxy</code>.</li>
<li>✨ Add <code>Error::description</code> method. This gives a simple
description about the error.</li>
<li>🥅 Provide description for zbus::Error in DBusError. <a
href="https://redirect.github.com/z-galaxy/zbus/issues/1523">#1523</a></li>
<li>🐛 Remove minimum amount of required address options. Set the minimum
amount of address options to 0, as per the spec. <a
href="https://redirect.github.com/z-galaxy/zbus/issues/1513">#1513</a></li>
<li>➖ remove <code>rand</code> and replace with <code>uuid</code>. This
makes <code>uuid</code> mandatory for <code>zbus</code>, and changes the
<code>p2p</code> feature to enable <code>v4</code> of
<code>uuid</code>.</li>
<li>📝 book: Update version of zbus in the sample Cargo.toml.</li>
<li>🧵 Launch a multi-threaded tokio runtime for blocking. Otherwise, any
blocking calls in the application code can block our internal tasks.
This is breaking our "we won't launch threads behind your
back" promise a little but its only limited to blocking API and
therefore worth the benefit of not unexpectedly stopping to work. <a
href="https://redirect.github.com/z-galaxy/zbus/issues/1512">#1512</a></li>
<li>🐛 Fix tracing span names showing as {}.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="d4254d63cc"><code>d4254d6</code></a>
Merge pull request <a
href="https://redirect.github.com/z-galaxy/zbus/issues/1544">#1544</a>
from zeenix/releases</li>
<li><a
href="bd399ae442"><code>bd399ae</code></a>
🔖 zb: Release 5.12.0</li>
<li><a
href="14fce7cb33"><code>14fce7c</code></a>
🔖 zv: Release 5.8.0</li>
<li><a
href="33cb56caae"><code>33cb56c</code></a>
🚚 Update name of Github space from dbus2 to z-galaxy</li>
<li><a
href="a00e93c314"><code>a00e93c</code></a>
⬆️ micro: Update clap to v4.5.49 (<a
href="https://redirect.github.com/z-galaxy/zbus/issues/1540">#1540</a>)</li>
<li><a
href="7c2baf6511"><code>7c2baf6</code></a>
Merge pull request <a
href="https://redirect.github.com/z-galaxy/zbus/issues/1538">#1538</a>
from dbus2/renovate/actions-checkout-5.x</li>
<li><a
href="5ac2239827"><code>5ac2239</code></a>
⬆️ Update actions/checkout action to v5</li>
<li><a
href="c9a00ea68a"><code>c9a00ea</code></a>
Merge pull request <a
href="https://redirect.github.com/z-galaxy/zbus/issues/1537">#1537</a>
from DarthB/codspeed</li>
<li><a
href="562f125de6"><code>562f125</code></a>
use codspeed benchmarks with criterion compat layer</li>
<li><a
href="4dc5325e2f"><code>4dc5325</code></a>
⬆️ micro: Update serde to v1.0.228 (<a
href="https://redirect.github.com/z-galaxy/zbus/issues/1534">#1534</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/z-galaxy/zbus/compare/zbus-5.11.0...zbus-5.12.0">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [clap](https://github.com/clap-rs/clap) from 4.5.47 to 4.5.50.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/clap-rs/clap/releases">clap's
releases</a>.</em></p>
<blockquote>
<h2>v4.5.50</h2>
<h2>[4.5.50] - 2025-10-20</h2>
<h3>Features</h3>
<ul>
<li>Accept <code>Cow</code> where <code>String</code> and
<code>&str</code> are accepted</li>
</ul>
<h2>v4.5.48</h2>
<h2>[4.5.48] - 2025-09-19</h2>
<h3>Documentation</h3>
<ul>
<li>Add a new CLI Concepts document as another way of framing clap</li>
<li>Expand the <code>typed_derive</code> cookbook entry</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/clap-rs/clap/blob/master/CHANGELOG.md">clap's
changelog</a>.</em></p>
<blockquote>
<h2>[4.5.50] - 2025-10-20</h2>
<h3>Features</h3>
<ul>
<li>Accept <code>Cow</code> where <code>String</code> and
<code>&str</code> are accepted</li>
</ul>
<h2>[4.5.49] - 2025-10-13</h2>
<h3>Fixes</h3>
<ul>
<li><em>(help)</em> Correctly wrap when ANSI escape codes are
present</li>
</ul>
<h2>[4.5.48] - 2025-09-19</h2>
<h3>Documentation</h3>
<ul>
<li>Add a new CLI Concepts document as another way of framing clap</li>
<li>Expand the <code>typed_derive</code> cookbook entry</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="d8acd47298"><code>d8acd47</code></a>
chore: Release</li>
<li><a
href="7c2b8d9ad4"><code>7c2b8d9</code></a>
docs: Update changelog</li>
<li><a
href="e69a2ea55b"><code>e69a2ea</code></a>
Merge pull request <a
href="https://redirect.github.com/clap-rs/clap/issues/5987">#5987</a>
from mernen/fix-bash-comp-words-loop</li>
<li><a
href="e03cc2e798"><code>e03cc2e</code></a>
Merge pull request <a
href="https://redirect.github.com/clap-rs/clap/issues/5988">#5988</a>
from cordx56/fix-builder-custom-version-docs</li>
<li><a
href="5ab2579844"><code>5ab2579</code></a>
fix: Minor fix for builder docs about version</li>
<li><a
href="2f66432721"><code>2f66432</code></a>
fix(complete): Only parse arguments before current</li>
<li><a
href="4d9d2100f7"><code>4d9d210</code></a>
test(complete): Illustrate current behavior in Bash</li>
<li><a
href="6abe2f8c61"><code>6abe2f8</code></a>
chore: Release</li>
<li><a
href="d5c74542ce"><code>d5c7454</code></a>
docs: Update changelog</li>
<li><a
href="5b2e960267"><code>5b2e960</code></a>
Merge pull request <a
href="https://redirect.github.com/clap-rs/clap/issues/5985">#5985</a>
from mernen/bash-cur</li>
<li>Additional commits viewable in <a
href="https://github.com/clap-rs/clap/compare/clap_complete-v4.5.47...clap_complete-v4.5.50">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Running only the unit-tests of select crates on some platforms is
problematic. We are unlikely to update this list of crates as we
introduce new ones. It is a better default to run the tests of all
crates on all platforms and selectively exclude the ones that can't run
because they are unsupported.
As per the RFC, queries to DoH servers should always set their query ID
to 0. This is more cache-friendly because two queries for the same
domain end up being byte-for-byte equivalent in the HTTP request. When
transported over HTTP, the query ID is obsolete because the response can
be unambiguously mapped back to the request already.
Connlib's DoH feature zeros out the query ID in the IO layer. To
correctly test this functionality, we therefore extend the test-suite to
do the same and restore the original query ID before sending back the
response on the original transport.
This fixes a bug where all DNS queries that were forwarded to a DoH
server incorrectly had their query ID set to 0.
Firezone's UDP connections are designed to be idempotent. If a Client
discards its "half" of the connection but the Gateway still keeps the
state around, a subsequent connection setup by the Client will reuse
connection state on the Gateway. To fully support this, `snownet`
re-sends all its local candidates to the remote peer whenever a
connection gets upserted.
The current `seed_agent_with_local_candidates` function attempts to do
this job but its design overlooked a crucial detail: Re-adding a
candidate that the `IceAgent` already knows about is considered to be
redundant. As such, the candidate is not re-signalled to the remote!
The real-world consequences for this are subtle. `str0m`'s support for
peer-reflexive candidate means that incoming STUN binding requests are
still answered, even if they come from an address that the agent doesn't
know anything about, i.e. it has never been told about that candidate.
Thus, what happens right now is that when a Client re-creates a
connection that is still present on the Gateway, it will start receiving
STUN binding requests for candidates it doesn't know about and create
peer-reflexive candidates for them.
Where this does show up is in our test-suite which has fairly strict
timing constraints. When we simulate the re-deploy of relays, we expect
connections to be migrated to a new relay immediately. To support this,
the current relay candidates are invalidated on both sides. This however
only works if the current candidate is correctly recognised by the local
ICE agent. Peer-reflexive candidates are created on-demand and typically
only serve a placeholder-like role until we learn about the real
candidate that is being used. Due to the above described behaviour of
`seed_agent_with_local_candidates`, this however may not happen at all.
As a result, attempting to invalidate a relay candidate fails because we
don't recognise the relay candidate as we only have a peer-reflexive
one.
Putting all of this together, whilst not re-sending all candidates
doesn't cause immediate issues for a connection, it may cause problems
at a later point when we are trying to invalidate a currently active
candidate to achieve a speedy failover to a new one.
It appears that several systems (at least MacOS) may send DNS queries to
the same server with the same query ID but from different source
sockets. Within connlib, we operate multiple DNS servers (one for each
upstream) and use the tuple of server address and query ID to remember
the necessary state we need to map the response back once we have the
response from the upstream server.
Given the discovery that this tuple is not necessarily unique, we now
need to also track the source socket that _we_ are using to send our
queries in order to correctly remember, which socket we need to send the
response back to. For that, we extend the layer 3 UDP and TCP clients to
return us the socket they are using for each query that we queue.
In very specific circumstances, this can still fail. In particular, when
connlib receives an SRV or TXT query for a resource, it resolves that
query in the context of the resource's site by sending it to port 53535
of the Gateway's TUN device. The Gateway listens to DNS queries on this
port and resolves them using its configured system resolvers. It however
only listens on a single address, meaning we may be forwarding queries
from several of connlib's "servers" to a single query which again may
break the uniqueness constraint if two queries with the same ID are
received at the same time because we would reuse the TCP connection to
the resolver running in the Gateway and thus send them from the same
source port.
We consider this case to be sufficiently rare and handle it by just
failing the 2nd DNS query. There may be ways of resolving it but it
requires a bigger refactoring of how we establish TCP connections to
upstream resolvers.
Not all tools are needed for all parts of the codebase. In order to avoid installing all tools, we create nested `.tool-versions` files that list the specific dev-tools needed for a certain part of the product.
TCP connections have a keep-alive mechanism and therefore will
automatically trigger a new connection to a resource after roaming. We
need to model this in our tests by setting the resource as connected
whenever we reset the network state.
A CI failure uncovered that we have an off-by-1 second error in our NAT
table test. The mapping only expires after the last packet seen + the
protocol TTL, not after the first sent one + protocol TTL.
---------
Signed-off-by: Thomas Eizinger <thomas@eizinger.io>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Building on top of a series of refactors and smaller features, this PR
enables connlib to send DNS queries over HTTPS to one or more configured
DoH providers.
A DoH server itself is addressed via a domain which first needs to be
resolved before it can be contacted. The RFC recommends to perform this
bootstrapping using the system DNS resolvers. For connlib, this is a bit
tricky because the system resolvers may already be set to connlib's
sentinel servers by the time we need to bootstrap the DoH clients.
Therefore, we maintain a dedicated UDP DNS client inside connlib's `Io`
component which is always configured with the latest system DNS
resolvers known to connlib.
The actual bootstrapping of a DoH client happens in the following cases:
1. Our TUN device configuration changes and the configured DNS servers
mapping contains DoH upstreams.
2. We need to make a DNS query to a DoH server but don't have a client
yet.
The first case ensures we bootstrap the DoH clients as early as
possible. The latter case ensures we have a self-healing behaviour in
case the TCP connection to the DoH server breaks (in which case the DoH
client will be de-allocated).
Once the DoH client is initialized, making queries with it is a trivial
act of sending an HTTP request and parsing the HTTP response. Within
connlib, this now requires almost no special handling apart from a new
`dns::Upstream` type that differentiates between Do53 servers (addressed
by a `SocketAddr`) and DoH servers (addressed by a `Url`).
Related: #10764
Related: #10788
Related: #10850
Related: #10851
Related: #10856
Related: #10857
Related: #10871
Related: #10872
Related: #10875
Related: #10881Resolves: #10790
Currently, a `snownet` Client and Server always have the same ICE
timeout configuration. This doesn't necessarily have to be the case. A
Gateway cannot establish connections to a Client anyway and thus, we can
have much laxer requirements on when we detect that a Client has
disappeared (without saying "goodbye").
Extending the idle and default ICE timeout values should hopefully
reduce the number of false-positive disconnects that users may
experience where a Gateway cuts a connection because it believes the
Client is gone when in reality, perhaps a few STUN packets just got lost
or backed up.
Changing the ICE timeout exposes a few corner-cases in how we track and
use time within `snownet`. In particular, it is now obviously possible
for a Gateway to still retain the connection state of a Client whilst
the Client has long disconnected but now reconnects using the same ICE
credentials and private key.
Our proptests uncovered some state misalignment in that scenario due to
some remaining time impurity within `boringtun` (see
https://github.com/firezone/boringtun/pull/126 for details). In
addition, our idle state transitions needed to be updated to also take
into account candidate changes on both sides in order to achieve a
deterministic outcome.
When a NAT between the Client and Gateway remaps the source port to
3478, it is tricky to de-multiplex that p2p traffic from the packets we
receive from a relay. Currently, we handle this edge-case by dropping
these packets which effectively forces a fallback to a relayed
connection.
Remapping onto exactly this port is likely to be quite rare in practice
which is why this behaviour was implemented in the first place.
We can however do better than that by remembering, which relays we have
previously been connected to. That is because the problem with traffic
on port 3478 isn't so much the correct handling in case it _is_ p2p
traffic: We can simply check whether the IP is one of the relays we are
connected to. The problem is the mis-classification as p2p traffic in
case they are packets from a relay that we have disconnected from,
causing a log-spam of "unknown packet".
To gracefully handle this, we now remember up to 64 relay IPs that we
have been connected to in the past. This ensures we can correctly
classify traffic from previous relays as such and drop the packet whilst
at the same time continuing processing of packets from unknown origins
which likely then is p2p traffic.
The effect of this is that we can now establish direct connections to
peers, even if a NAT inbetween remaps their source port to 3478. To make
this fix easier, we precede it with a refactoring of introducing an
`Allocations` container for the map of `Allocations`. This allows us to
easily track, when we remove a value from the map and then remember the
relay's IPs.
This came up as part of test failures in #10887.
---------
Signed-off-by: Thomas Eizinger <thomas@eizinger.io>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Right now, the state tracking within the DNS resource NAT table is
pretty simple:
- We map from inside to outside and back
- When we see a TCP RST, we remove it immediately
To improve our logs a bit and make the NAT table more robust, we extend
it by:
- Tracking last inbound and outbound packet
- Tracking FIN and RST flags
This allows us to fully observe e.g. a TCP shutdown where both parties
send TCP FIN. It also allows us to remove entries that have never been
confirmed after a shorter amount of time.
Resolves: #10795
---------
Signed-off-by: Thomas Eizinger <thomas@eizinger.io>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Bumps [roxmltree](https://github.com/RazrFalcon/roxmltree) from 0.20.0
to 0.21.1.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/RazrFalcon/roxmltree/blob/master/CHANGELOG.md">roxmltree's
changelog</a>.</em></p>
<blockquote>
<h2>[0.21.1] - 2025-10-09</h2>
<h3>Fixed</h3>
<ul>
<li>Remove implict <code>'static</code> lifetime bound on
<code>EntityResolver</code> dyn trait type alias.</li>
<li>Upgrade <code>EntityResolver</code> dyn trait type alias from
<code>FnMut</code> to <code>Fn</code> to resolve lifetime issues.</li>
</ul>
<h2>[0.21.0] - 2025-10-04</h2>
<h3>Added</h3>
<ul>
<li><code>ParsingOptions::entity_resolver</code> can be used to resolve
external entities referenced via public ID and URI.</li>
</ul>
<h3>Changed</h3>
<ul>
<li><code>Node::has_attribute</code>, <code>Node::attribute</code> and
<code>Node::attribute_node</code> match local names similar to how
<code>Node::has_tag_name</code> works.</li>
<li>Various internal performance improvements, e.g. devirtualization of
token dispatch and usage of <code>memchr</code> for finding
delimiters.</li>
</ul>
<h3>Fixed</h3>
<ul>
<li>Possible panic when entity resolution yields unbalanced tags.</li>
<li>Quadratic runtime when merging consecutive text nodes.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="67644e16f4"><code>67644e1</code></a>
Also upgrade it from FnMut to Fn as borrowing entities from elsewhere
wont wo...</li>
<li><a
href="cfc15b7811"><code>cfc15b7</code></a>
Fix implicit 'static bound on EntityResolve dyn trait type alias.</li>
<li><a
href="cd5b0e80f4"><code>cd5b0e8</code></a>
Fix benchmark build, update changelog and bump version.</li>
<li><a
href="634f4d0047"><code>634f4d0</code></a>
Add support for resolving external entities</li>
<li><a
href="a1bd711620"><code>a1bd711</code></a>
Adjust attribute accessors to match purely on local names</li>
<li><a
href="5528680688"><code>5528680</code></a>
Fix lints emitted by current nightly Clippy.</li>
<li><a
href="d2c7801624"><code>d2c7801</code></a>
Speed-up attribute parsing by splitting tokenizing and verification</li>
<li><a
href="239114a9c2"><code>239114a</code></a>
Add benchmark using gigantic SVG containing huge attribute values.</li>
<li><a
href="3b0944785e"><code>3b09447</code></a>
Avoid quadratic runtime when merging text nodes</li>
<li><a
href="6df398d804"><code>6df398d</code></a>
Refine and extend synthetic benchmarks stressing CDATA, text and
attribute va...</li>
<li>Additional commits viewable in <a
href="https://github.com/RazrFalcon/roxmltree/compare/v0.20.0...v0.21.1">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the sentry group in /rust with 2 updates:
[sentry](https://github.com/getsentry/sentry-rust) and
[sentry-tracing](https://github.com/getsentry/sentry-rust).
Updates `sentry` from 0.43.0 to 0.45.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/getsentry/sentry-rust/releases">sentry's
releases</a>.</em></p>
<blockquote>
<h2>0.45.0</h2>
<h3>Breaking changes</h3>
<ul>
<li>Add custom variant to <code>AttachmentType</code> that holds an
arbitrary String. (<a
href="https://redirect.github.com/getsentry/sentry-rust/pull/916">#916</a>)</li>
</ul>
<h2>0.44.0</h2>
<h3>Breaking changes</h3>
<ul>
<li>feat(log): support combined LogFilters and RecordMappings (<a
href="https://redirect.github.com/getsentry/sentry-rust/pull/914">#914</a>)
by <a href="https://github.com/lcian"><code>@lcian</code></a>
<ul>
<li>Breaking change: <code>sentry::integrations::log::LogFilter</code>
has been changed to a <code>bitflags</code> struct.</li>
<li>It's now possible to map a <code>log</code> record to multiple items
in Sentry by combining multiple log filters in the filter, e.g.
<code>log::Level::ERROR => LogFilter::Event |
LogFilter::Log</code>.</li>
<li>If using a custom <code>mapper</code> instead, it's possible to
return a
<code>Vec<sentry::integrations::log::RecordMapping></code> to map
a <code>log</code> record to multiple items in Sentry.</li>
</ul>
</li>
</ul>
<h3>Behavioral changes</h3>
<ul>
<li>ref(log): send logs by default when logs feature flag is enabled (<a
href="https://redirect.github.com/getsentry/sentry-rust/pull/915">#915</a>)
by <a href="https://github.com/lcian"><code>@lcian</code></a>
<ul>
<li>If the <code>logs</code> feature flag is enabled, the default Sentry
<code>log</code> logger now sends logs for all events at or above
INFO.</li>
</ul>
</li>
<li>ref(logs): enable logs by default if logs feature flag is used (<a
href="https://redirect.github.com/getsentry/sentry-rust/pull/910">#910</a>)
by <a href="https://github.com/lcian"><code>@lcian</code></a>
<ul>
<li>This changes the default value of
<code>sentry::ClientOptions::enable_logs</code> to
<code>true</code>.</li>
<li>This simplifies the setup of Sentry structured logs by requiring
users to just add the <code>log</code> feature flag to the
<code>sentry</code> dependency to opt-in to sending logs.</li>
<li>When the <code>log</code> feature flag is enabled, the
<code>tracing</code> and <code>log</code> integrations will send
structured logs to Sentry for all logs/events at or above INFO level by
default.</li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/getsentry/sentry-rust/blob/master/CHANGELOG.md">sentry's
changelog</a>.</em></p>
<blockquote>
<h2>0.45.0</h2>
<h3>Breaking changes</h3>
<ul>
<li>Add custom variant to <code>AttachmentType</code> that holds an
arbitrary String. (<a
href="https://redirect.github.com/getsentry/sentry-rust/pull/916">#916</a>)</li>
</ul>
<h2>0.44.0</h2>
<h3>Breaking changes</h3>
<ul>
<li>feat(log): support combined LogFilters and RecordMappings (<a
href="https://redirect.github.com/getsentry/sentry-rust/pull/914">#914</a>)
by <a href="https://github.com/lcian"><code>@lcian</code></a>
<ul>
<li>Breaking change: <code>sentry::integrations::log::LogFilter</code>
has been changed to a <code>bitflags</code> struct.</li>
<li>It's now possible to map a <code>log</code> record to multiple items
in Sentry by combining multiple log filters in the filter, e.g.
<code>log::Level::ERROR => LogFilter::Event |
LogFilter::Log</code>.</li>
<li>If using a custom <code>mapper</code> instead, it's possible to
return a
<code>Vec<sentry::integrations::log::RecordMapping></code> to map
a <code>log</code> record to multiple items in Sentry.</li>
</ul>
</li>
</ul>
<h3>Behavioral changes</h3>
<ul>
<li>ref(log): send logs by default when logs feature flag is enabled (<a
href="https://redirect.github.com/getsentry/sentry-rust/pull/915">#915</a>)
by <a href="https://github.com/lcian"><code>@lcian</code></a>
<ul>
<li>If the <code>logs</code> feature flag is enabled, the default Sentry
<code>log</code> logger now sends logs for all events at or above
INFO.</li>
</ul>
</li>
<li>ref(logs): enable logs by default if logs feature flag is used (<a
href="https://redirect.github.com/getsentry/sentry-rust/pull/910">#910</a>)
by <a href="https://github.com/lcian"><code>@lcian</code></a>
<ul>
<li>This changes the default value of
<code>sentry::ClientOptions::enable_logs</code> to
<code>true</code>.</li>
<li>This simplifies the setup of Sentry structured logs by requiring
users to just add the <code>log</code> feature flag to the
<code>sentry</code> dependency to opt-in to sending logs.</li>
<li>When the <code>log</code> feature flag is enabled, the
<code>tracing</code> and <code>log</code> integrations will send
structured logs to Sentry for all logs/events at or above INFO level by
default.</li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="aa6d85b90f"><code>aa6d85b</code></a>
release: 0.45.0</li>
<li><a
href="b99eb46bcf"><code>b99eb46</code></a>
feat(types): Add custom variant to <code>AttachmentType</code> (<a
href="https://redirect.github.com/getsentry/sentry-rust/issues/916">#916</a>)</li>
<li><a
href="34b27b5ed3"><code>34b27b5</code></a>
Merge branch 'release/0.44.0'</li>
<li><a
href="eb108e858e"><code>eb108e8</code></a>
release: 0.44.0</li>
<li><a
href="900ffa495c"><code>900ffa4</code></a>
ref(logs): enable logs by default if logs feature flag is used (<a
href="https://redirect.github.com/getsentry/sentry-rust/issues/910">#910</a>)</li>
<li><a
href="8af23eec27"><code>8af23ee</code></a>
ref(log): send logs by default when logs feature flag is enabled (<a
href="https://redirect.github.com/getsentry/sentry-rust/issues/915">#915</a>)</li>
<li><a
href="3b78cf8653"><code>3b78cf8</code></a>
feat(log): support combined LogFilters and RecordMappings (<a
href="https://redirect.github.com/getsentry/sentry-rust/issues/914">#914</a>)</li>
<li><a
href="9ba9a6452d"><code>9ba9a64</code></a>
meta(vscode): Run <code>rust-analyzer</code> with all features (<a
href="https://redirect.github.com/getsentry/sentry-rust/issues/902">#902</a>)</li>
<li><a
href="750dec0162"><code>750dec0</code></a>
ci: integrate Sentry Prevent (<a
href="https://redirect.github.com/getsentry/sentry-rust/issues/911">#911</a>)</li>
<li><a
href="d9cdf34d3c"><code>d9cdf34</code></a>
Merge branch 'release/0.43.0'</li>
<li>See full diff in <a
href="https://github.com/getsentry/sentry-rust/compare/0.43.0...0.45.0">compare
view</a></li>
</ul>
</details>
<br />
Updates `sentry-tracing` from 0.43.0 to 0.45.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/getsentry/sentry-rust/releases">sentry-tracing's
releases</a>.</em></p>
<blockquote>
<h2>0.45.0</h2>
<h3>Breaking changes</h3>
<ul>
<li>Add custom variant to <code>AttachmentType</code> that holds an
arbitrary String. (<a
href="https://redirect.github.com/getsentry/sentry-rust/pull/916">#916</a>)</li>
</ul>
<h2>0.44.0</h2>
<h3>Breaking changes</h3>
<ul>
<li>feat(log): support combined LogFilters and RecordMappings (<a
href="https://redirect.github.com/getsentry/sentry-rust/pull/914">#914</a>)
by <a href="https://github.com/lcian"><code>@lcian</code></a>
<ul>
<li>Breaking change: <code>sentry::integrations::log::LogFilter</code>
has been changed to a <code>bitflags</code> struct.</li>
<li>It's now possible to map a <code>log</code> record to multiple items
in Sentry by combining multiple log filters in the filter, e.g.
<code>log::Level::ERROR => LogFilter::Event |
LogFilter::Log</code>.</li>
<li>If using a custom <code>mapper</code> instead, it's possible to
return a
<code>Vec<sentry::integrations::log::RecordMapping></code> to map
a <code>log</code> record to multiple items in Sentry.</li>
</ul>
</li>
</ul>
<h3>Behavioral changes</h3>
<ul>
<li>ref(log): send logs by default when logs feature flag is enabled (<a
href="https://redirect.github.com/getsentry/sentry-rust/pull/915">#915</a>)
by <a href="https://github.com/lcian"><code>@lcian</code></a>
<ul>
<li>If the <code>logs</code> feature flag is enabled, the default Sentry
<code>log</code> logger now sends logs for all events at or above
INFO.</li>
</ul>
</li>
<li>ref(logs): enable logs by default if logs feature flag is used (<a
href="https://redirect.github.com/getsentry/sentry-rust/pull/910">#910</a>)
by <a href="https://github.com/lcian"><code>@lcian</code></a>
<ul>
<li>This changes the default value of
<code>sentry::ClientOptions::enable_logs</code> to
<code>true</code>.</li>
<li>This simplifies the setup of Sentry structured logs by requiring
users to just add the <code>log</code> feature flag to the
<code>sentry</code> dependency to opt-in to sending logs.</li>
<li>When the <code>log</code> feature flag is enabled, the
<code>tracing</code> and <code>log</code> integrations will send
structured logs to Sentry for all logs/events at or above INFO level by
default.</li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/getsentry/sentry-rust/blob/master/CHANGELOG.md">sentry-tracing's
changelog</a>.</em></p>
<blockquote>
<h2>0.45.0</h2>
<h3>Breaking changes</h3>
<ul>
<li>Add custom variant to <code>AttachmentType</code> that holds an
arbitrary String. (<a
href="https://redirect.github.com/getsentry/sentry-rust/pull/916">#916</a>)</li>
</ul>
<h2>0.44.0</h2>
<h3>Breaking changes</h3>
<ul>
<li>feat(log): support combined LogFilters and RecordMappings (<a
href="https://redirect.github.com/getsentry/sentry-rust/pull/914">#914</a>)
by <a href="https://github.com/lcian"><code>@lcian</code></a>
<ul>
<li>Breaking change: <code>sentry::integrations::log::LogFilter</code>
has been changed to a <code>bitflags</code> struct.</li>
<li>It's now possible to map a <code>log</code> record to multiple items
in Sentry by combining multiple log filters in the filter, e.g.
<code>log::Level::ERROR => LogFilter::Event |
LogFilter::Log</code>.</li>
<li>If using a custom <code>mapper</code> instead, it's possible to
return a
<code>Vec<sentry::integrations::log::RecordMapping></code> to map
a <code>log</code> record to multiple items in Sentry.</li>
</ul>
</li>
</ul>
<h3>Behavioral changes</h3>
<ul>
<li>ref(log): send logs by default when logs feature flag is enabled (<a
href="https://redirect.github.com/getsentry/sentry-rust/pull/915">#915</a>)
by <a href="https://github.com/lcian"><code>@lcian</code></a>
<ul>
<li>If the <code>logs</code> feature flag is enabled, the default Sentry
<code>log</code> logger now sends logs for all events at or above
INFO.</li>
</ul>
</li>
<li>ref(logs): enable logs by default if logs feature flag is used (<a
href="https://redirect.github.com/getsentry/sentry-rust/pull/910">#910</a>)
by <a href="https://github.com/lcian"><code>@lcian</code></a>
<ul>
<li>This changes the default value of
<code>sentry::ClientOptions::enable_logs</code> to
<code>true</code>.</li>
<li>This simplifies the setup of Sentry structured logs by requiring
users to just add the <code>log</code> feature flag to the
<code>sentry</code> dependency to opt-in to sending logs.</li>
<li>When the <code>log</code> feature flag is enabled, the
<code>tracing</code> and <code>log</code> integrations will send
structured logs to Sentry for all logs/events at or above INFO level by
default.</li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="aa6d85b90f"><code>aa6d85b</code></a>
release: 0.45.0</li>
<li><a
href="b99eb46bcf"><code>b99eb46</code></a>
feat(types): Add custom variant to <code>AttachmentType</code> (<a
href="https://redirect.github.com/getsentry/sentry-rust/issues/916">#916</a>)</li>
<li><a
href="34b27b5ed3"><code>34b27b5</code></a>
Merge branch 'release/0.44.0'</li>
<li><a
href="eb108e858e"><code>eb108e8</code></a>
release: 0.44.0</li>
<li><a
href="900ffa495c"><code>900ffa4</code></a>
ref(logs): enable logs by default if logs feature flag is used (<a
href="https://redirect.github.com/getsentry/sentry-rust/issues/910">#910</a>)</li>
<li><a
href="8af23eec27"><code>8af23ee</code></a>
ref(log): send logs by default when logs feature flag is enabled (<a
href="https://redirect.github.com/getsentry/sentry-rust/issues/915">#915</a>)</li>
<li><a
href="3b78cf8653"><code>3b78cf8</code></a>
feat(log): support combined LogFilters and RecordMappings (<a
href="https://redirect.github.com/getsentry/sentry-rust/issues/914">#914</a>)</li>
<li><a
href="9ba9a6452d"><code>9ba9a64</code></a>
meta(vscode): Run <code>rust-analyzer</code> with all features (<a
href="https://redirect.github.com/getsentry/sentry-rust/issues/902">#902</a>)</li>
<li><a
href="750dec0162"><code>750dec0</code></a>
ci: integrate Sentry Prevent (<a
href="https://redirect.github.com/getsentry/sentry-rust/issues/911">#911</a>)</li>
<li><a
href="d9cdf34d3c"><code>d9cdf34</code></a>
Merge branch 'release/0.43.0'</li>
<li>See full diff in <a
href="https://github.com/getsentry/sentry-rust/compare/0.43.0...0.45.0">compare
view</a></li>
</ul>
</details>
<br />
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [socket2](https://github.com/rust-lang/socket2) from 0.6.0 to
0.6.1.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/rust-lang/socket2/blob/master/CHANGELOG.md">socket2's
changelog</a>.</em></p>
<blockquote>
<h1>0.6.1</h1>
<h2>Added</h2>
<ul>
<li>Added support for Windows Registered I/O (RIO)
(<a
href="https://redirect.github.com/rust-lang/socket2/pull/604">rust-lang/socket2#604</a>).</li>
<li>Added support for <code>TCP_NOTSENT_LOWAT</code> on Linux via
<code>Socket::(set_)tcp_notsent_lowat</code>
(<a
href="https://redirect.github.com/rust-lang/socket2/pull/611">rust-lang/socket2#611</a>).</li>
<li>Added support for <code>SO_BUSY_POLL</code> on Linux via
<code>Socket::set_busy_poll</code>
(<a
href="https://redirect.github.com/rust-lang/socket2/pull/607">rust-lang/socket2#607</a>).</li>
<li><code>SockFilter::new</code> is now a const function
(<a
href="https://redirect.github.com/rust-lang/socket2/pull/609">rust-lang/socket2#609</a>).</li>
</ul>
<h2>Changed</h2>
<ul>
<li>Updated the windows-sys dependency to version 0.60
(<a
href="https://redirect.github.com/rust-lang/socket2/pull/605">rust-lang/socket2#605</a>).</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="d0ba3d39a6"><code>d0ba3d3</code></a>
Release v0.6.1</li>
<li><a
href="3a8b7edda3"><code>3a8b7ed</code></a>
Add example to create <code>SockAddr</code> from
<code>libc::sockaddr_storage</code> (<a
href="https://redirect.github.com/rust-lang/socket2/issues/615">#615</a>)</li>
<li><a
href="b54e2e6dbf"><code>b54e2e6</code></a>
Disable armv7-sony-vita-newlibeabihf CI check</li>
<li><a
href="2d4a2f7b3b"><code>2d4a2f7</code></a>
Update feature <code>doc_auto_cfg</code> to <code>doc_cfg</code></li>
<li><a
href="11aa1029f2"><code>11aa102</code></a>
Add missing components when installing Rust in CI</li>
<li><a
href="528ba2b0da"><code>528ba2b</code></a>
Add TCP_NOTSENT_LOWAT socketopt support</li>
<li><a
href="1fdd2938c1"><code>1fdd293</code></a>
Correct rename in CHANGELOG.md (<a
href="https://redirect.github.com/rust-lang/socket2/issues/610">#610</a>)</li>
<li><a
href="600ff0d246"><code>600ff0d</code></a>
Add support for Windows Registered I/O</li>
<li><a
href="f0836965a1"><code>f083696</code></a>
Allow <code>SockFilter::new</code> in const contexts</li>
<li><a
href="15ade5100c"><code>15ade51</code></a>
Refactor for cargo fmt</li>
<li>Additional commits viewable in <a
href="https://github.com/rust-lang/socket2/compare/v0.6.0...v0.6.1">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Currently, the Gateway logs all kinds of errors during packet processing
on WARN. Whilst it is generally good to be aware of warnings / errors,
some of these scenarios are particularly noisy. For various reasons, we
may not be able to route a packet arriving from the TUN device.
In such cases, we now return an `UnroutablePacket` error to the
event-loop which is special-cased to only log on DEBUG. It also includes
the 5 tuple as variables, which should make log analysis a bit easier if
we want to filter on specific parts of the 5 tuple.
WireGuard packets can have all kinds of byte-patterns at the very front
of the packet. Thus, we need to first check if a payload is a WireGuard
packet before attempting to classify it as anything else.
This function is currently only used for logging purposes. `snownet` has
its own logic for de-multiplexing and classifying packets.
When connlib processes DoH queries, we need to pass the server's URL
around a lot. In order to bootstrap the HTTP client, we need to extract
the host part of this URL and resolve it for IP addresses using the
system resolver. A regular URL doesn't necessarily have a host: It could
be relative. This creates an error path within our code that _should_
never get hit for DoH URLs as those are always absolute.
To avoid this error path, we follow the "parse, don't validate" approach
typical among strongly typed languages. We create our own type that can
only be constructed from absolute URLs. If we receive a URL from the
portal that is not absolute, we already fail at the deserialization
step. Using data privacy of the encapsulated url, we can then guarantee
that the host-part of the URL is always there and can access it in an
infallible way.
Given that we are now already parsing the URL to begin with, I've also
opted to directly implement an optimisation where we create a fast-path
for the 4 known DoH providers that we have which allows us to pass them
around and copy them without incurring extra allocations.
Finally, this custom type also comes with its own Display/Debug
implementation, making the log output a bit easier to read.
Bumps [zip](https://github.com/zip-rs/zip2) from 5.1.1 to 6.0.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/zip-rs/zip2/releases">zip's
releases</a>.</em></p>
<blockquote>
<h2>v6.0.0</h2>
<h3><!-- raw HTML omitted -->🐛 Bug Fixes</h3>
<ul>
<li>panic when reading empty extended-timestamp field (<a
href="https://redirect.github.com/zip-rs/zip2/pull/404">#404</a>) (<a
href="https://redirect.github.com/zip-rs/zip2/pull/422">#422</a>)</li>
<li>Restore original file timestamp when unzipping with
<code>chrono</code> (<a
href="https://redirect.github.com/zip-rs/zip2/pull/46">#46</a>)</li>
</ul>
<h3><!-- raw HTML omitted -->⚙️ Miscellaneous Tasks</h3>
<ul>
<li>Configure Amazon Q rules (<a
href="https://redirect.github.com/zip-rs/zip2/pull/421">#421</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/zip-rs/zip2/blob/master/CHANGELOG.md">zip's
changelog</a>.</em></p>
<blockquote>
<h2><a
href="https://github.com/zip-rs/zip2/compare/v5.1.1...v6.0.0">6.0.0</a>
- 2025-10-09</h2>
<h3><!-- raw HTML omitted -->🚀 Features</h3>
<ul>
<li>Add by_index_with_options(), which can be used to ignore encryption
in a file's metadata (<a
href="https://redirect.github.com/zip-rs/zip2/pull/439">#439</a>) and
may be used for other file-specific overrides in the future.</li>
</ul>
<h3><!-- raw HTML omitted -->⚙️ Miscellaneous Tasks</h3>
<ul>
<li>[<strong>breaking</strong>] <code>FileOptions::add_extra_data</code>
is now generic and accepts any <code>AsRef<[u8]></code>. (<a
href="https://redirect.github.com/zip-rs/zip2/issues/435">#435</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="abfc23d19e"><code>abfc23d</code></a>
feat: Upgrade [Extended]FileOptions::add_extra_data() data from
Box<[u8]> to ...</li>
<li><a
href="eb1b586d0e"><code>eb1b586</code></a>
docs: Update zip_writer documentation example (<a
href="https://redirect.github.com/zip-rs/zip2/issues/431">#431</a>)</li>
<li><a
href="26e6e08e70"><code>26e6e08</code></a>
feat: Add by_index_with_options() for ignoring encryption (<a
href="https://redirect.github.com/zip-rs/zip2/issues/439">#439</a>)</li>
<li><a
href="165415d7e2"><code>165415d</code></a>
chore(deps): update nt-time requirement from 0.10.6 to 0.12.1 (<a
href="https://redirect.github.com/zip-rs/zip2/issues/429">#429</a>)</li>
<li><a
href="1d5d4edf6c"><code>1d5d4ed</code></a>
chore(deps): update lzma-rust2 requirement from 0.13 to 0.14 (<a
href="https://redirect.github.com/zip-rs/zip2/issues/432">#432</a>)</li>
<li><a
href="72cce40def"><code>72cce40</code></a>
chore(deps): update nt-time requirement from 0.10.6 to 0.12.1 (<a
href="https://redirect.github.com/zip-rs/zip2/issues/428">#428</a>)</li>
<li><a
href="2ef4d3e549"><code>2ef4d3e</code></a>
chore(deps): update nt-time requirement from 0.10.6 to 0.12.1 (<a
href="https://redirect.github.com/zip-rs/zip2/issues/427">#427</a>)</li>
<li><a
href="9cf28cb6c0"><code>9cf28cb</code></a>
test(ci): Fix: <code>rename</code> can't be skipped</li>
<li><a
href="5987cdd709"><code>5987cdd</code></a>
test(ci): Fix: need recursive rename</li>
<li><a
href="74f8a3c189"><code>74f8a3c</code></a>
test(ci): Need to rename more files during fuzz runs</li>
<li>Additional commits viewable in <a
href="https://github.com/zip-rs/zip2/compare/v5.1.1...v6.0.0">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
In #10817, connlib gained the ability to re-resolve the portal's
hostname on WebSocket connection hiccups. The list of upstream servers
used for that may contain sentinel DNS server IPs on certain systems if
connlib's DNS control is currently active. Connlib filters these servers
internally before computing the effective list of upstream servers.
The DNS client used by the event-loop contacts all servers in the list
but waits for at most 2s before merging all received records together.
If there are upstream DNS servers defined in the portal and those are
also resources which we are currently not connected to, querying these
servers would trigger a message to the portal, forming a circular
dependency. This circular dependency is only broken by the 2s timeout.
Whilst not fatal for connlib's functionality, it means that in such a
situation, reconnecting to the portal always has to wait for this
timeout.
To fix this, we first apply the system DNS resolvers to connlib and only
pass the now returned sanitized list on to the DNS client.
Related: #10854
---------
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: thomaseizinger <5486389+thomaseizinger@users.noreply.github.com>
This is a follow-up to #10851.
In order to be able to use and reason about the DoH servers, we need to
deserialize the list and pass the servers into connlib's `DnsConfig`.
Right now, they just sit there and we don't do anything with them. Thus,
this PR is save to go into `main`, even if we were to make a release
before our DoH support is fully finished.
To ensure this is the case, we also update the proptests in this PR to
randomly sample and apply DoH servers.
---------
Signed-off-by: Thomas Eizinger <thomas@eizinger.io>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
With the introduction of DoH, we will need a more advanced error type
for recursive DNS responses. In particular, a DoH query might fail
because the underlying TCP connection got closed. With #10856, the HTTP
client no longer supports retries but instead needs to be recreated.
In order to accurately detect this failure case, we need `anyhow`'s
downcasting abilities.
This PR prepares the already existing code for that by switching from
`io::Error` to `anyhow::Error`.
In order to bootstrap DoH servers, we need a way of reliably resolving
the domain of the DoH server to an IP address. Initially, I thought that
this would be tricky to do if we have to integrate this into the
Client's state machine.
Whilst implementing DoH however, I realised that we can instead put this
responsibility onto the IO layer of connlib. Similar to other cases, we
can reuse external triggers as our retry mechanism in case of failure.
In particular, we can simply issue UDP DNS queries for the DoH domain to
all system-defined DNS resolvers every time we are told to send a DNS
query over DoH but the corresponding client isn't initialized yet.
In other words, instead of building a retry mechanism ourselves, we
attempt to repair any kind of broken state once per DNS query that we
receive.
Performing this DNS resolution does require a bit of code. We already
started to do something similar in #10817. In order to reuse that code,
we extract it into a `l4-udp-dns-client` crate and slightly refactor its
semantics. In particular, we now wait for the response of all upstream
servers (but at most 2s) and combine the result.
The resulting `UdpDnsClient` can now be used inside the Client's
event-loop to re-resolve the portal URL and will also be used as part of
our DoH implementation to bootstrap the connection to the DoH server.
Related: #4668
Our `socket-factory`-aware HttpClient is currently only able to handle a
single request at a time. That is a result of the requirement that we
wanted to support connections to different domains but also be able to
"self-heal" those connections by establishing a new one if the current
one failed.
As I am learning more about how connlib's DoH support is going to work,
it became apparent that we will only ever need to connect to a single
domain per instance of the `HttpClient`. In addition, it is quite
important to allow for concurrent requests: We don't want to process DoH
queries in sequence but instead make full use of the underlying HTTP2
protocol and send multiple requests in parallel.
This PR refactors the `HttpClient` (which isn't in use anywhere yet) to
only support a single connection per instance. That connection is
established when the instance is created. This is also conceptually
easier to understand as we only manage a single connection without
mutable state.
Related: #4668
Thomas Eizinger