mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-01-27 18:18:55 +00:00
main
2943 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Thomas Eizinger
|
53113c645f |
fix(connlib): don't panic in fallible function (#10874)
Panicking - even though it is unlikely to happen here - is unnecessary because we can simply return an error instead. |
||
|
Thomas Eizinger
|
cd650de1f8 |
refactor: prepare client init for upstream DoH servers (#10851)
In order to support multiple different protocols of upstream DNS resolvers, we deprecate the `upstream_dns` field in the client's `init` message and introduce two new fields: - `upstream_do53` - `upstream_doh` For now, only `upstream_do53` is populated and `upstream_doh` is always empty. On the client-side, we for now only introduce the `upstream_do53` field but fall-back to `upstream_dns` if that one is empty. This makes this PR backwards-compatible with the portal version that is currently deployed in production. Thus, this PR can be merged even prior to deploying the portal. Internally, we prepare connlib's abstractions to deal with different kinds of upstreams by renaming all existing "upstream DNS" references to `upstream_do53`: DNS over port 53. That includes UDP as well as TCP DNS resolution. Resolves: #10791 --------- Co-authored-by: Jamil Bou Kheir <jamilbk@users.noreply.github.com> |
||
|
dependabot[bot]
|
4bd768aed5 |
build(deps): bump @types/node from 24.5.2 to 24.7.2 in /rust/gui-client (#10834)
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 24.5.2 to 24.7.2. <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
Thomas Eizinger
|
8af8978ad5 |
chore(connlib): include "packet kind" in decapsulation errors (#10867)
When looking at error logs from Gateways or Clients, it can be useful to know, what kind of packet we failed to process. |
||
|
Thomas Eizinger
|
ee38ccc120 |
chore(connlib): log index of failed connections (#10866)
Logging the peer index of a failed connection makes it easier to correlate it with logs when we receive packets for an unknown connection. |
||
|
Thomas Eizinger
|
32e1c088e7 |
chore(gateway): include domain in "not allowed" log (#10863)
The resource could be a wildcard DNS resource. It is useful to know, which particular domain the client tried to access. |
||
|
Thomas Eizinger
|
5f61eaf8f2 |
feat(connlib): encode and decode DoH messages (#10857)
In order to support DoH, we need to be able to encode and decode DNS queries and responses from and to HTTP requests and responses. We therefore extend your `dns-types` crate with the required functionality. The [RFC8484](https://datatracker.ietf.org/doc/html/rfc8484) provides us with two test vectors that we can test against. Related: #4668 --------- Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com> Co-authored-by: thomaseizinger <5486389+thomaseizinger@users.noreply.github.com> |
||
|
Thomas Eizinger
|
cf14a8694c |
fix(connlib): use system DNS resolvers to re-resolve portal URL (#10853)
In #10817, we landed a fix that allows Clients to re-resolve the portal URL every time the WebSocket connection fails. Currently, we use the active upstream resolvers for this. This can lead to a kind of deadlock in case the upstream resolver is a CIDR resource that we are not yet connected to. In that case, we'd need a connection to the portal to establish a connection to the Gateway. By always using the system resolvers for this, we avoid this circular dependency. |
||
|
Thomas Eizinger
|
3e849ae852 |
fix(gui-client): use Wayland rendering backend on Linux (#10849)
Previously, we opted into the X11 GTK backend when rendering the GUI Client's window. This is causing issues on newer Linux distributions such as Fedora 43 where Wayland is now the only available compositor. Removing the X11 GTK requires us to draw our own CSDs such as titlebars and a close button. This PR does exactly that by adding a minimalistic title bar. To make better use of the space, we move the section headers into there. |Before|After| |---|---| |<img width="1900" height="1174" alt="Screenshot From 2025-11-11 11-14-11" src="https://github.com/user-attachments/assets/9439a69b-65ba-41d6-b1f8-4448e0f80728" />|<img width="1800" height="1000" alt="Screenshot From 2025-11-11 11-40-55" src="https://github.com/user-attachments/assets/7884b2cc-3d9c-4b47-9a1e-c6462aef36ab" />| |<img width="1900" height="1174" alt="Screenshot From 2025-11-11 11-14-16" src="https://github.com/user-attachments/assets/2cfea825-5c08-45a5-873c-5afcbc1dbf16" />|<img width="1800" height="1000" alt="Screenshot From 2025-11-11 11-40-58" src="https://github.com/user-attachments/assets/43ddd7c9-ce65-42f7-b972-28c6b172b70d" />| |<img width="1900" height="1174" alt="Screenshot From 2025-11-11 11-14-19" src="https://github.com/user-attachments/assets/446873a7-9023-4266-9377-ea7b8b4353ee" />|<img width="1800" height="1000" alt="Screenshot From 2025-11-11 11-41-01" src="https://github.com/user-attachments/assets/64439383-f33f-461d-9b4a-6b4138bd675b" />| |<img width="1900" height="1174" alt="Screenshot From 2025-11-11 11-14-22" src="https://github.com/user-attachments/assets/6c39e06c-1d77-471f-91f1-32a78b90a21c" />|<img width="1800" height="1000" alt="Screenshot From 2025-11-11 11-41-04" src="https://github.com/user-attachments/assets/b56912cb-9c85-4b5a-9295-dae6139b25c6" />| |<img width="1900" height="1174" alt="Screenshot From 2025-11-11 11-14-26" src="https://github.com/user-attachments/assets/5a5d638c-15bf-4523-8466-2e0977a03e22" />|<img width="1800" height="1000" alt="Screenshot From 2025-11-11 11-41-06" src="https://github.com/user-attachments/assets/ed169b52-ef86-4dc4-8f25-852da622eaa1" />| |
||
|
Thomas Eizinger
|
0008539b65 |
refactor(connlib): use dedicated UDP DNS client (#10850)
By default, DNS queries are sent over UDP by most systems. UDP is an easy to understand protocol because each packet stands by itself and at least as far as UDP is concerned, the payload is contained within a single packet. In Firezone, we receive all DNS traffic on the TUN device as IP packets. Processing the UDP packets is trivial as each query is contained within a single IP packet. For TCP, we first need to assemble the TCP stream before we can read the entire query. In case a DNS query is not for a Firezone DNS resource, we want to forward it to the specified upstream resolver, either directly from the system or - in case the specified upstream resolver is an IP resource - through the tunnel as an IP packet. Specifically, the forwarding of UDP DNS packets through the tunnel currently happens like this: IP packet -> read UDP payload -> parse DNS query -> mangle original destination IP to new upstream -> send through tunnel For TCP DNS queries, it is not quite as easy as we have to decode the incoming TCP stream first before we can parse the DNS query. Thus, when we want to then forward the query, we need to open our own TCP stream to the upstream resolver and encode the DNS query onto that stream, sending each IP packet from the TCP client through the tunnel. The difference in these designs makes several code paths in connlib hard to follow. Therefore - and despite the simplicity of DNS over UDP - we already created our own "Layer 3 UDP DNS"-client. This PR now integrates this client into the tunnel. Using this new client, we can simplify the processing of UDP DNS queries because we never have to "go back" to the original IP packet. Instead, when a DNS query needs to be forwarded to an usptream resolver through the tunnel, we simply tell the Layer 3 UDP DNS client to make a new DNS query. The processing of the resulting IP packet then happens in a different place, right next to where we also process the IP packets of the TCP DNS client. That simplifications unlocks further refactorings where we now only process DNS queries in a single place and the transport we received it over is a simple function parameter with the control flow for both of them being identical. Related: #4668 |
||
|
Thomas Eizinger
|
de7d3bff89 |
fix(connlib): re-resolve portal host on WS hiccup (#10817)
Currently, the DNS records for the portal's hostname are only resolved during startup. When the WebSocket connection fails, we try to reconnect but only with the IPs that we have previously resolved. If the local IP stack changed since then or the hostname now points to different IPs, we will run into the reconnect-timeout configured in `phoenix-channel`. To fix this, we re-resolve the portal's hostname every time the WebSocket connection fails. For the Gateway, this is easy as we can simply reuse the already existing `TokioResolver` provided by hickory. For the Client, we need to write our own DNS client on top of our socket factory abstraction to ensure we don't create a routing loop with the resulting DNS queries. To simplify things, we only send DNS queries over UDP. Those are not guaranteed to succeed but given that we do this on every "hiccup", we already have a retry mechanism. We use the currently configured upstream DNS servers for this. Resolves: #10238 |
||
|
dependabot[bot]
|
a9058c7f55 |
build(deps): bump known-folders from 1.3.1 to 1.4.0 in /rust (#10831)
Bumps [known-folders](https://github.com/artichoke/known-folders-rs) from 1.3.1 to 1.4.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/artichoke/known-folders-rs/releases">known-folders's releases</a>.</em></p> <blockquote> <h2>v1.4.0</h2> <h2>What's Changed</h2> <ul> <li>Bump thor from 1.3.2 to 1.4.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/artichoke/known-folders-rs/pull/85">artichoke/known-folders-rs#85</a></li> <li>Bump rubocop from 1.77.0 to 1.79.1 in the bundler-deps group by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/artichoke/known-folders-rs/pull/86">artichoke/known-folders-rs#86</a></li> <li>Bump the gha-deps group with 3 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/artichoke/known-folders-rs/pull/87">artichoke/known-folders-rs#87</a></li> <li>Use zizmor audit action by <a href="https://github.com/lopopolo"><code>@lopopolo</code></a> in <a href="https://redirect.github.com/artichoke/known-folders-rs/pull/88">artichoke/known-folders-rs#88</a></li> <li>Bump rubocop from 1.79.1 to 1.81.1 in the bundler-deps group by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/artichoke/known-folders-rs/pull/89">artichoke/known-folders-rs#89</a></li> <li>Bump the gha-deps group with 5 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/artichoke/known-folders-rs/pull/91">artichoke/known-folders-rs#91</a></li> <li>Relax windows-sys version requirement, prepare for v1.4.0 release by <a href="https://github.com/lopopolo"><code>@lopopolo</code></a> in <a href="https://redirect.github.com/artichoke/known-folders-rs/pull/92">artichoke/known-folders-rs#92</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/artichoke/known-folders-rs/compare/v1.3.1...v1.4.0">https://github.com/artichoke/known-folders-rs/compare/v1.3.1...v1.4.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
e9fcb20564 |
build(deps): bump nu-ansi-term from 0.50.1 to 0.50.3 in /rust (#10830)
Bumps [nu-ansi-term](https://github.com/nushell/nu-ansi-term) from 0.50.1 to 0.50.3. <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/nushell/nu-ansi-term/commits">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
Thomas Eizinger
|
6e85638360 |
chore(connlib): silence hickory_resolver (#10848)
Logs from the `hickory_resolver` module are a bit noisy, so filter those out from our logs. |
||
|
Firezone Bot
|
5ae2707719 | chore: publish gateway 1.4.18 (#10823) | ||
|
Thomas Eizinger
|
3022c019e1 |
chore(connlib): set user.account_slug for Sentry logs (#10815)
By default, the Sentry SDK doesn't include custom user attributes when it sends logs. To make viewing logs easier, we add the `account_slug` attribute to all logs that are posted to Sentry. |
||
|
Thomas Eizinger
|
166b0d1573 |
feat(linux): compute device ID from /etc/machine-id (#10805)
All of our Linux applications have a soft-dependency on systemd. That is, in the default configuration, we expect systemd to be present on the machine. The only exception here are the docker containers for Headless Client and Gateway. For the GUI client in particular, systemd is a hard-dependency in order to control DNS on the system which we do via `systemd-resolved`. To secure the communication between the GUI client and its tunnel process, we automatically create a group called `firezone-client` to which the user gets added. All members of the group are allowed to access the unix socket which is used for IPC between the two processes. Membership in this group is also a prerequisite for accessing any of the configuration files. On the first launch of the GUI client on a Linux system, this presents a problem. For group membership changes to take the effect, the user needs to reboot. We say that in the documentation but it is unclear whether all users will read that thoroughly enough. To help the user, the GUI client checks for membership of the current user in the group and alerts the user via a dialog box if that isn't the case. This would all be fine if it would actually work. Unfortunately, that check ends up being too late in the process. If we aren't a member of the group, we cannot read the device ID and bail early, thus never reaching the check and terminating the process without any dialog box or user-visible error. We could attempt to fix this by shuffling around some of the startup init code. That is a sub-optimal solution however because it a) may get broken again in the future and b) it means we have to delay initialisation of telemetry until a much later point. Given that this is only a problem on Linux, a better solution is to simply not rely on the disk-based device ID at all. Instead, we can integrate with systemd and deterministically derive a device ID from the unique machine ID and a randomly chosen "app ID". For backwards-compatibility reasons, the disk-based device ID is still prioritised. For all new installs however, we will use the one based on `/etc/machine-id`. |
||
|
Thomas Eizinger
|
8651413a95 |
chore(gateway): downgrade warning if peer not found (#10814)
Logging this on WARN appears to be a bit excessive and there is not really anything we can do about it. Resolves: #10813 |
||
|
Thomas Eizinger
|
f4216710e0 |
fix(telemetry): don't append duplicate attributes in Sentry log (#10819)
When we are building the log message that is sent to Sentry, we append several attributes to mimic the formatting that we get from `tracing_subscriber::fmt`. To do that, we strip the span name from the attribute which can result in us processing the same attribute such as `cid` twice: Once from a span and once from the actual log message. In order to not append the same message twice, we check for its presence in the attributes map first. This avoids having message in Sentry such as: ``` Sampled relay cid=c18e1da8-8ef8-4e11-a325-28d6b387d503 rid=3af15c76-9e84-46a6-90e1-63ecb2bc9f80 cid=c18e1da8-8ef8-4e11-a325-28d6b387d503 ``` |
||
|
Thomas Eizinger
|
bc95a1f425 |
chore(snownet): log connection state on failure (#10820)
When investigating, why a connection fails it is useful to know right away, what the last connection state was, including the kind of connection, such as `PeerToPeer`, `RelayToPeer` etc. |
||
|
Thomas Eizinger
|
123c5a5d97 |
chore(connlib): always include wire::api as Sentry breadcrumb (#10821)
Sentry appends "breadcrumbs" to every error that gets sent to the backend. By default, those include the last 500 DEBUG logs. Our `phoenix_channel` module logs the incoming and outgoing messages on TRACE using the `wire::api::send` and `wire::api::recv` targets. To make debugging these easier, we always include anything on `wire::api` in the breadcrumbs. |
||
|
Thomas Eizinger
|
74bd28d25a |
ci(gui-client): fix .deb test installation (#10816)
The current test installation fails because it is operating in a headless environment without a display user. Some more testing of the `who` command showed that we can simply take the first user. That avoids `grep` which was previously failing with an exit code of 1, aborting the installation because our `postinst` script has `pipefail` set. |
||
|
Thomas Eizinger
|
3eead925fe |
chore(gui-client): tidy up postinst script (#10804)
Specifying `sudo` in the script is unnecessary as it already runs as root. Additionally, only executing `systemd-sysusers` for our config file is better because it narrows the scope of what should be done. |
||
|
Thomas Eizinger
|
f98c4dd428 |
fix(gateway): declare hard-dependency on systemd (#10803)
Several aspects of the Gateway's Debian package depend on `systemd` being present. Without it, we don't have the necessary users and files in place for the Gateway to function. With that specified, we can fail the `postinst` script (and therefore the installation) if anything in there goes wrong. |
||
|
dependabot[bot]
|
839cc4b7b3 |
build(deps): bump parking_lot from 0.12.4 to 0.12.5 in /rust (#10780)
Bumps [parking_lot](https://github.com/Amanieu/parking_lot) from 0.12.4 to 0.12.5. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/Amanieu/parking_lot/blob/master/CHANGELOG.md">parking_lot's changelog</a>.</em></p> <blockquote> <h2><code>parking_lot</code> - <a href="https://github.com/Amanieu/parking_lot/compare/parking_lot-v0.12.4...parking_lot-v0.12.5">0.12.5</a> - 2025-09-30</h2> <ul> <li>Bumped MSRV to 1.71</li> <li>Fixed Miri when the <code>hardware-lock-elision</code> feature is enabled (<a href="https://redirect.github.com/Amanieu/parking_lot/issues/491">#491</a>)</li> <li>Added missing <code>into_arc(_fair)</code> methods (<a href="https://redirect.github.com/Amanieu/parking_lot/issues/472">#472</a>)</li> <li>Fixed <code>RawRwLock::bump_*()</code> not releasing lock when there are multiple readers (<a href="https://redirect.github.com/Amanieu/parking_lot/issues/471">#471</a>)</li> </ul> <h2><code>parking_lot_core</code> - <a href="https://github.com/Amanieu/parking_lot/compare/parking_lot_core-v0.9.11...parking_lot_core-v0.9.12">0.9.12</a> - 2025-09-30</h2> <ul> <li>Bumped MSRV to 1.71</li> <li>Switched from <code>windows-targets</code> to <code>windows-link</code>. (<a href="https://redirect.github.com/Amanieu/parking_lot/issues/493">#493</a>)</li> <li>Replaced <code>thread-id</code> dependency with <code>std::thread::ThreadId</code> (<a href="https://redirect.github.com/Amanieu/parking_lot/issues/483">#483</a>)</li> <li>Added SGX implementation for <code>ThreadParker.park_until</code> (<a href="https://redirect.github.com/Amanieu/parking_lot/issues/481">#481</a>)</li> </ul> <h2><code>lock_api</code> - <a href="https://github.com/Amanieu/parking_lot/compare/lock_api-v0.4.13...lock_api-v0.4.14">0.4.14</a> - 2025-09-30</h2> <ul> <li>Fixed use of <code>doc_cfg</code> when building on docs.rs.</li> <li>Bumped MSRV to 1.71</li> <li>Added <code>#[track_caller]</code> where locking implementations could feasibly need to panic</li> <li>Added <code>try_map_or_err</code> to various mutex guards (<a href="https://redirect.github.com/Amanieu/parking_lot/issues/480">#480</a>)</li> <li>Removed unnecessary build script and <code>autocfg</code> dependency (<a href="https://redirect.github.com/Amanieu/parking_lot/issues/474">#474</a>)</li> <li>Added missing <code>into_arc(_fair)</code> methods (<a href="https://redirect.github.com/Amanieu/parking_lot/issues/472">#472</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
Thomas Eizinger
|
89f0af3fd7 | fix(gateway): remove exclamation mark from sysusers.conf (#10802) | ||
|
Thomas Eizinger
|
024b1864b4 |
feat(linux): automatically add user to firezone-client group (#10787)
By checking various environment variables, we can automatically add the current user to the `firezone-client` group which allows them to connect to the IPC socket of the tunnel process. Unfortunately, they still have to create a new login session / reboot for that to be reflected. The docs update for this will follow once we have cut a release with this code in it. --------- Signed-off-by: Thomas Eizinger <thomas@eizinger.io> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> |
||
|
Thomas Eizinger
|
602844ae4a |
fix(gateway): always update translation table from DNS response (#10796)
For DNS resources, the Gateway maintains a per-peer NAT table from the client-assigned proxy IPs to the real IPs of the domain. Whenever the Client re-queries a DNS resource domain locally, we asynchronously ping the Gateway to also re-query said domain. This allows us to detect changes in the DNS records of DNS resources. To avoid breaking existing connections, the mapping between proxy IPs and real IPs is currently not updated if there are any active UDP or TCP flows for a proxy IP. This logic turns out to be unnecessarily restrictive as TCP flows can linger around for up to 2h before they timeout if they are not closed with a TCP RST. What we really need to do is always update the mapping of proxy IP <> real IP but honor existing NAT table entries when we route packets before creating new ones. This ensures that an existing connection to a previously resolved IP remains intact, even if a later DNS response for the same domain updates the mapping. At the same time, new connections (i.e. with a different source port) will immediately use the new destination IP. |
||
|
Thomas Eizinger
|
72dd7187f4 |
revert: specify systemd-resolved dependency (#10798)
I can't make the CI smoke install work with this change. Reverts firezone/firezone#10783 |
||
|
Thomas Eizinger
|
bae38ec345 |
feat(connlib): add HTTP2 client with pluggable sockets (#10788)
Firezone's ability to tunnel all traffic on a particular Client (i.e. the Internet Resource) means we have to ensure that traffic originating from within the Firezone process does not get routed back into the tunnel. On MacOS and iOS, this is automatically taken care of for us. On all other platforms, we need to take steps to prevent these routing loops. This functionality is abstracted away using our `SocketFactory`. A socket created with such a factory is guaranteed to route its traffic outside of the tunnel. These sockets are used for the WebSocket connection to the portal, as well as for recursive UDP and TCP DNS queries. In order to support DoH, we need to also be able to send HTTPS requests without causing packet loops. This PR adds a new crate `http-client` that does exactly that. It composes together `hyper` and `rustls` such that the configured `SocketFactory` is used to create the TCP socket for the underlying HTTP2 connection. Consequently, HTTPS requests made with this library will automatically be routed outside of the tunnel, assuming the `SocketFactory` is adequately configured. Right now, this crate just stands by itself. It will be integrated into connlib at a later point. Resolves: #10774 Related: #4668 Related: #10272 |
||
|
Thomas Eizinger
|
352a83bbb0 |
refactor(connlib): allow creating multiple layer 4 DNS servers (#10763)
Within Firezone, there are multiple components that deal with DNS queries. Two of those components are the `l4-udp-dns-server` and `l4-tcp-dns-server`. Both of them are responsible for receiving DNS queries on layer 4, i.e. UDP or TCP. In other words, they do _not_ operate on an IP level (which would be layer 3) but instead use `UdpSocket` and `TcpListener` to receive queries and sent back responses. Right now, the interfaces of these crates are designed for the usecase of receiving forwarded DNS queries from the CLient on the Gateway's TUN device. This is a special-case of DNS resolution. When receiving a TXT or SRV query for a domain that is covered by a DNS resources, Firezone Client's will forward that query to the corresponding Gateway and resolve it in its network context. SRV and TXT records are commonly used for service discovery and as such, should be resolved in the network context of the service, i.e. the site that assigned to the resource. For that usecase, it made sense to allow each DNS server to listen on 1 IPv4 and 1 IPv6 address. Since then, our event-loop has evolved a bit, being able to handle multiple inputs at once. As such, we can simplify the API of these crates to only listen on a single address and instead create multiple instances of them inside `Io`. Depending on how the design of our DNS implementation for the Clients evolves, this may be used to listen on multiple IPs later (e.g. from the `127.0.0.0/8` subnet). Related: #8263 |
||
|
Thomas Eizinger
|
804ef7a3fb |
fix(connlib): retain order of system/upstream DNS servers (#10773)
Right now, connlib hands out a `BiMap` of sentinel IPs <> upstream servers whenever it emits a `TunInterfaceUpdated` event. This `BiMap` internally uses two `HashMap`s. The iteration order of `HashMap`s is non-deterministic and therefore, we lose the order in which the upstream / system resolvers have been passed to us originally. To prevent that, we now emit a dedicated `DnsMapping` type that does not expose its internal data structure but only getters for retrieving the sentinel and upstream servers. Internally, it uses a `Vec` to store this mapping and thus retains the original order. This is asserted as part of our proptests by comparing the resulting `Vec`s. This fix is preceded by a few refactorings that encapsulate the code for creating and updating this DNS mapping. Resolves: #8439 |
||
|
Thomas Eizinger
|
1b7313622a |
feat(connlib): introduce l3-udp-dns-client (#10764)
With #8263, we will stop receiving UDP and TCP DNS queries on the tunnel but use regular sockets instead. This means that for UDP DNS queries that need to be sent _through_ the tunnel, we actually need to make new IP packets again. For TCP, we already have a crate that does this for us because there, we need to manage an entire TCP stack. For UDP, the story is a bit simpler but there are still a few things involved. In particular, we need to set a source address for the packets and we need to sample a new random port for each query. The crate added in this PR does exactly that. It is not yet used anywhere but split out into a separate PR to reduce the reviewing burden of the larger refactor. Related: #8263 Related: #10758 |
||
|
Thomas Eizinger
|
9e33e514c4 |
chore(linux): specify systemd-resolved dependency (#10783)
On Ubuntu, this should be the default anyway and already be installed but to be correct, we should list this dependency in the `depends` section of our `.deb`. That way, it will automatically get installed again if a user chooses to install the GUI client from our repository and doesn't have `systemd-resolved` installed. |
||
|
dependabot[bot]
|
b5c420bd5b |
build(deps): bump serde_with from 3.14.0 to 3.15.0 in /rust (#10777)
Bumps [serde_with](https://github.com/jonasbb/serde_with) from 3.14.0 to 3.15.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/jonasbb/serde_with/releases">serde_with's releases</a>.</em></p> <blockquote> <h2>serde_with v3.15.0</h2> <h3>Added</h3> <ul> <li> <p>Added error inspection to <code>VecSkipError</code> and <code>MapSkipError</code> by <a href="https://github.com/michelhe"><code>@michelhe</code></a> (<a href="https://redirect.github.com/jonasbb/serde_with/issues/878">#878</a>) This allows interacting with the previously hidden error, for example for logging. Checkout the newly added example to both types.</p> </li> <li> <p>Allow documenting the types generated by <code>serde_conv!</code>. The <code>serde_conv!</code> macro now acceps outer attributes before the optional visibility modifier. This allow adding doc comments in the shape of <code>#[doc = "..."]</code> or any other attributes, such as lint modifiers.</p> <pre lang="rust"><code>serde_conv!( #[doc = "Serialize bools as string"] #[allow(dead_code)] pub BoolAsString, bool, |x: &bool| ::std::string::ToString::to_string(x), |x: ::std::string::String| x.parse() ); </code></pre> </li> <li> <p>Add support for <code>hashbrown</code> v0.16 (<a href="https://redirect.github.com/jonasbb/serde_with/issues/877">#877</a>)</p> <p>This extends the existing support for <code>hashbrown</code> v0.14 and v0.15 to the newly released version.</p> </li> </ul> <h3>Changed</h3> <ul> <li>Bump MSRV to 1.76, since that is required for <code>toml</code> dev-dependency.</li> </ul> <h2>serde_with v3.14.1</h2> <h3>Fixed</h3> <ul> <li>Show macro expansion in the docs.rs generated rustdoc. Since macros are used to generate trait implementations, this is useful to understand the exact generated code.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
6d60653bac |
build(deps): bump gat-lending-iterator from 0.1.6 to 0.1.7 in /rust (#10776)
Bumps [gat-lending-iterator](https://github.com/Crazytieguy/gat-lending-iterator) from 0.1.6 to 0.1.7. <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/Crazytieguy/gat-lending-iterator/commits/v0.1.7">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
Thomas Eizinger
|
9016ffc9dc |
build(rust): bump to Rust 1.91.0 (#10767)
Rust 1.91 has been released and brings with it a few new lints that we need to tidy up. In addition, it also stabilizes `BTreeMap::extract_if`: A really nifty std-lib function that allows us to conditionally take elements from a map. We need that in a bunch of places. |
||
|
dependabot[bot]
|
21846b81e5 |
build(deps): bump vite from 7.1.7 to 7.1.11 in /rust/gui-client in the npm_and_yarn group across 1 directory (#10769)
Bumps the npm_and_yarn group with 1 update in the /rust/gui-client directory: [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite). Updates `vite` from 7.1.7 to 7.1.11 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/vitejs/vite/releases">vite's releases</a>.</em></p> <blockquote> <h2>v7.1.11</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v7.1.11/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v7.1.10</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v7.1.10/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v7.1.9</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v7.1.9/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v7.1.8</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v7.1.8/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md">vite's changelog</a>.</em></p> <blockquote> <h2><!-- raw HTML omitted --><a href="https://github.com/vitejs/vite/compare/v7.1.10...v7.1.11">7.1.11</a> (2025-10-20)<!-- raw HTML omitted --></h2> <h3>Bug Fixes</h3> <ul> <li><strong>dev:</strong> trim trailing slash before <code>server.fs.deny</code> check (<a href="https://redirect.github.com/vitejs/vite/issues/20968">#20968</a>) (<a href=" |
||
|
dependabot[bot]
|
1ac1bb044a |
build(deps): bump the sentry group in /rust with 2 updates (#10727)
Bumps the sentry group in /rust with 2 updates: [sentry](https://github.com/getsentry/sentry-rust) and [sentry-tracing](https://github.com/getsentry/sentry-rust). Updates `sentry` from 0.42.0 to 0.43.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/getsentry/sentry-rust/releases">sentry's releases</a>.</em></p> <blockquote> <h2>0.43.0</h2> <h3>Breaking changes</h3> <ul> <li>ref(tracing): rework tracing to Sentry span name/op conversion (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/887">#887</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a> <ul> <li>The <code>tracing</code> integration now uses the tracing span name as the Sentry span name by default.</li> <li>Before this change, the span name would be set based on the <code>tracing</code> span target (<code><module>::<function></code> when using the <code>tracing::instrument</code> macro).</li> <li>The <code>tracing</code> integration now uses <code><span target>::<span name></code> as the default Sentry span op (i.e. <code><module>::<function></code> when using <code>tracing::instrument</code>).</li> <li>Before this change, the span op would be set based on the <code>tracing</code> span name.</li> <li>Read below to learn how to customize the span name and op.</li> <li>When upgrading, please ensure to adapt any queries, metrics or dashboards to use the new span names/ops.</li> </ul> </li> <li>ref(tracing): use standard code attributes (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/899">#899</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a> <ul> <li>Logs now carry the attributes <code>code.module.name</code>, <code>code.file.path</code> and <code>code.line.number</code> standardized in OTEL to surface the respective information, in contrast with the previously sent <code>tracing.module_path</code>, <code>tracing.file</code> and <code>tracing.line</code>.</li> </ul> </li> <li>fix(actix): capture only server errors (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/877">#877</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a> <ul> <li>The Actix integration now properly honors the <code>capture_server_errors</code> option (enabled by default), capturing errors returned by middleware only if they are server errors (HTTP status code 5xx).</li> <li>Previously, if a middleware were to process the request after the Sentry middleware and return an error, our middleware would always capture it and send it to Sentry, regardless if it was a client, server or some other kind of error.</li> <li>With this change, we capture errors returned by middleware only if those errors can be classified as server errors.</li> <li>There is no change in behavior when it comes to errors returned by services, in which case the Sentry middleware only captures server errors exclusively.</li> </ul> </li> <li>fix: send trace origin correctly (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/906">#906</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a> <ul> <li><code>TraceContext</code> now has an additional field <code>origin</code>, used to report which integration created a transaction.</li> </ul> </li> </ul> <h3>Behavioral changes</h3> <ul> <li>feat(tracing): send both breadcrumbs and logs by default (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/878">#878</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a> <ul> <li>If the <code>logs</code> feature flag is enabled, and <code>enable_logs: true</code> is set on your client options, the default Sentry <code>tracing</code> layer now sends logs for all events at or above INFO.</li> </ul> </li> </ul> <h3>Features</h3> <ul> <li> <p>ref(tracing): rework tracing to Sentry span name/op conversion (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/887">#887</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a></p> <ul> <li>Additional special fields have been added that allow overriding certain data on the Sentry span: <ul> <li><code>sentry.op</code>: override the Sentry span op.</li> <li><code>sentry.name</code>: override the Sentry span name.</li> <li><code>sentry.trace</code>: given a string matching a valid <code>sentry-trace</code> header (sent automatically by client SDKs), continues the distributed trace instead of starting a new one. If the value is not a valid <code>sentry-trace</code> header or a trace is already started, this value is ignored.</li> </ul> </li> <li><code>sentry.op</code> and <code>sentry.name</code> can also be applied retroactively by declaring fields with value <code>tracing::field::Empty</code> and then recorded using <code>tracing::Span::record</code>.</li> <li>Example usage: <pre lang="rust"><code>#[tracing::instrument(skip_all, fields( sentry.op = "http.server", sentry.name = "GET /payments", sentry.trace = headers.get("sentry-trace").unwrap_or(&"".to_owned()), ))] async fn handle_request(headers: std::collections::HashMap<String, String>) { // ... } </code></pre> </li> <li>Additional attributes are sent along with each span by default: <ul> <li><code>sentry.tracing.target</code>: corresponds to the <code>tracing</code> span's <code>metadata.target()</code></li> <li><code>code.module.name</code>, <code>code.file.path</code>, <code>code.line.number</code></li> </ul> </li> </ul> </li> <li> <p>feat(core): add Response context (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/874">#874</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a></p> <ul> <li>The <code>Response</code> context can now be attached to events, to include information about HTTP responses such as headers, cookies and status code.</li> </ul> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/getsentry/sentry-rust/blob/master/CHANGELOG.md">sentry's changelog</a>.</em></p> <blockquote> <h2>0.43.0</h2> <h3>Breaking changes</h3> <ul> <li>ref(tracing): rework tracing to Sentry span name/op conversion (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/887">#887</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a> <ul> <li>The <code>tracing</code> integration now uses the tracing span name as the Sentry span name by default.</li> <li>Before this change, the span name would be set based on the <code>tracing</code> span target (<code><module>::<function></code> when using the <code>tracing::instrument</code> macro).</li> <li>The <code>tracing</code> integration now uses <code><span target>::<span name></code> as the default Sentry span op (i.e. <code><module>::<function></code> when using <code>tracing::instrument</code>).</li> <li>Before this change, the span op would be set based on the <code>tracing</code> span name.</li> <li>Read below to learn how to customize the span name and op.</li> <li>When upgrading, please ensure to adapt any queries, metrics or dashboards to use the new span names/ops.</li> </ul> </li> <li>ref(tracing): use standard code attributes (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/899">#899</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a> <ul> <li>Logs now carry the attributes <code>code.module.name</code>, <code>code.file.path</code> and <code>code.line.number</code> standardized in OTEL to surface the respective information, in contrast with the previously sent <code>tracing.module_path</code>, <code>tracing.file</code> and <code>tracing.line</code>.</li> </ul> </li> <li>fix(actix): capture only server errors (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/877">#877</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a> <ul> <li>The Actix integration now properly honors the <code>capture_server_errors</code> option (enabled by default), capturing errors returned by middleware only if they are server errors (HTTP status code 5xx).</li> <li>Previously, if a middleware were to process the request after the Sentry middleware and return an error, our middleware would always capture it and send it to Sentry, regardless if it was a client, server or some other kind of error.</li> <li>With this change, we capture errors returned by middleware only if those errors can be classified as server errors.</li> <li>There is no change in behavior when it comes to errors returned by services, in which case the Sentry middleware only captures server errors exclusively.</li> </ul> </li> <li>fix: send trace origin correctly (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/906">#906</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a> <ul> <li><code>TraceContext</code> now has an additional field <code>origin</code>, used to report which integration created a transaction.</li> </ul> </li> </ul> <h3>Behavioral changes</h3> <ul> <li>feat(tracing): send both breadcrumbs and logs by default (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/878">#878</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a> <ul> <li>If the <code>logs</code> feature flag is enabled, and <code>enable_logs: true</code> is set on your client options, the default Sentry <code>tracing</code> layer now sends logs for all events at or above INFO.</li> </ul> </li> </ul> <h3>Features</h3> <ul> <li> <p>ref(tracing): rework tracing to Sentry span name/op conversion (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/887">#887</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a></p> <ul> <li>Additional special fields have been added that allow overriding certain data on the Sentry span: <ul> <li><code>sentry.op</code>: override the Sentry span op.</li> <li><code>sentry.name</code>: override the Sentry span name.</li> <li><code>sentry.trace</code>: given a string matching a valid <code>sentry-trace</code> header (sent automatically by client SDKs), continues the distributed trace instead of starting a new one. If the value is not a valid <code>sentry-trace</code> header or a trace is already started, this value is ignored.</li> </ul> </li> <li><code>sentry.op</code> and <code>sentry.name</code> can also be applied retroactively by declaring fields with value <code>tracing::field::Empty</code> and then recorded using <code>tracing::Span::record</code>.</li> <li>Example usage: <pre lang="rust"><code>#[tracing::instrument(skip_all, fields( sentry.op = "http.server", sentry.name = "GET /payments", sentry.trace = headers.get("sentry-trace").unwrap_or(&"".to_owned()), ))] async fn handle_request(headers: std::collections::HashMap<String, String>) { // ... } </code></pre> </li> <li>Additional attributes are sent along with each span by default: <ul> <li><code>sentry.tracing.target</code>: corresponds to the <code>tracing</code> span's <code>metadata.target()</code></li> <li><code>code.module.name</code>, <code>code.file.path</code>, <code>code.line.number</code></li> </ul> </li> </ul> </li> <li> <p>feat(core): add Response context (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/874">#874</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a></p> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
a426ee2608 |
build(deps): bump the react group in /rust/gui-client with 2 updates (#10722)
Bumps the react group in /rust/gui-client with 2 updates: [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react) and [react-router](https://github.com/remix-run/react-router/tree/HEAD/packages/react-router). Updates `@types/react` from 19.1.13 to 19.1.15 <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react">compare view</a></li> </ul> </details> <br /> Updates `react-router` from 7.9.1 to 7.9.3 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/remix-run/react-router/releases">react-router's releases</a>.</em></p> <blockquote> <h2>v7.9.3</h2> <p>See the changelog for release notes: <a href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v793">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v793</a></p> <h2>v7.9.2</h2> <p>See the changelog for release notes: <a href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v792">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v792</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/remix-run/react-router/blob/main/packages/react-router/CHANGELOG.md">react-router's changelog</a>.</em></p> <blockquote> <h2>7.9.3</h2> <h3>Patch Changes</h3> <ul> <li> <p>Do not try to use <code>turbo-stream</code> to decode CDN errors that never reached the server (<a href="https://redirect.github.com/remix-run/react-router/pull/14385">#14385</a>)</p> <ul> <li>We used to do this but lost this check with the adoption of single fetch</li> </ul> </li> <li> <p>Fix Data Mode regression causing a 404 during initial load in when <code>middleware</code> exists without any <code>loader</code> functions (<a href="https://redirect.github.com/remix-run/react-router/pull/14393">#14393</a>)</p> </li> </ul> <h2>7.9.2</h2> <h3>Patch Changes</h3> <ul> <li> <ul> <li>Update client-side router to run client <code>middleware</code> on initial load even if no loaders exist (<a href="https://redirect.github.com/remix-run/react-router/pull/14348">#14348</a>)</li> <li>Update <code>createRoutesStub</code> to run route middleware <ul> <li>You will need to set the <code><RoutesStub future={{ v8_middleware: true }} /></code> flag to enable the proper <code>context</code> type</li> </ul> </li> </ul> </li> <li> <p>Update Lazy Route Discovery manifest requests to use a singular comma-separated <code>paths</code> query param instead of repeated <code>p</code> query params (<a href="https://redirect.github.com/remix-run/react-router/pull/14321">#14321</a>)</p> <ul> <li>This is because Cloudflare has a hard limit of 100 URL search param key/value pairs when used as a key for caching purposes</li> <li>If more that 100 paths were included, the cache key would be incomplete and could produce false-positive cache hits</li> </ul> </li> <li> <p>[UNSTABLE] Add <code>fetcher.unstable_reset()</code> API (<a href="https://redirect.github.com/remix-run/react-router/pull/14206">#14206</a>)</p> </li> <li> <p>Made useOutlet element reference have stable identity in-between route chages (<a href="https://redirect.github.com/remix-run/react-router/pull/13382">#13382</a>)</p> </li> <li> <p>feat: enable full transition support for the rsc router (<a href="https://redirect.github.com/remix-run/react-router/pull/14362">#14362</a>)</p> </li> <li> <p>In RSC Data Mode, handle SSR'd client errors and re-try in the browser (<a href="https://redirect.github.com/remix-run/react-router/pull/14342">#14342</a>)</p> </li> <li> <p>Support <code>middleware</code> prop on <code><Route></code> for usage with a data router via <code>createRoutesFromElements</code> (<a href="https://redirect.github.com/remix-run/react-router/pull/14357">#14357</a>)</p> </li> <li> <p>Handle encoded question mark and hash characters in ancestor splat routes (<a href="https://redirect.github.com/remix-run/react-router/pull/14249">#14249</a>)</p> </li> <li> <p>Fail gracefully on manifest version mismatch logic if <code>sessionStorage</code> access is blocked (<a href="https://redirect.github.com/remix-run/react-router/pull/14335">#14335</a>)</p> </li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
398bb09880 |
build(deps): bump lru from 0.12.5 to 0.16.1 in /rust (#10650)
Bumps [lru](https://github.com/jeromefroe/lru-rs) from 0.12.5 to 0.16.1. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/jeromefroe/lru-rs/blob/master/CHANGELOG.md">lru's changelog</a>.</em></p> <blockquote> <h2><a href="https://github.com/jeromefroe/lru-rs/tree/0.16.1">v0.16.1</a> - 2025-09-08</h2> <ul> <li>Fix <code>Clone</code> for unbounded cache.</li> </ul> <h2><a href="https://github.com/jeromefroe/lru-rs/tree/0.16.0">v0.16.0</a> - 2025-07-02</h2> <ul> <li>Implement <code>Clone</code> for caches with custom hashers.</li> </ul> <h2><a href="https://github.com/jeromefroe/lru-rs/tree/0.15.0">v0.15.0</a> - 2025-06-26</h2> <ul> <li>Return bool from <code>promote</code> and <code>demote</code> to indicate whether key was found.</li> </ul> <h2><a href="https://github.com/jeromefroe/lru-rs/tree/0.14.0">v0.14.0</a> - 2025-04-12</h2> <ul> <li>Use <code>NonZeroUsize::MAX</code> instead of <code>unwrap()</code>, and update MSRV to 1.70.0.</li> </ul> <h2><a href="https://github.com/jeromefroe/lru-rs/tree/0.13.0">v0.13.0</a> - 2025-01-27</h2> <ul> <li>Add <code>peek_mru</code> and <code>pop_mru</code> methods, upgrade dependency on <code>hashbrown</code> to 0.15.2, and update MSRV to 1.65.0.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
Thomas Eizinger
|
3811a793f0 |
chore(connlib): log fatal tunnel errors (#10768)
Resolves: #10765 |
||
|
Thomas Eizinger
|
3308e3c010 |
fix(linux): introduce tiered routing tables (#10742)
With the fix of taking into account link-scoped routes in #10554 we introduced a bug: If a customer defines routes in Firezone that conflict with the link-scope ones, those currently take priority as they are usually more specific. To fix this, we introduce tiered routing tables controlled by a set of rules with different priority. 1. In the first "Firezone" routing table, we add all CIDR/IP routes that users define in Firezone. 2. In the second "Firezone" routing table, we sync in all link-scope routes from the system. 3. In the third "Firezone" routing table, we only add the Internet Resource if it is active. By evaluating the routing tables in this order, we effectively always prioritize Firezone-controlled routes over local ones but still allow access to LAN resources when the Internet Resource is active. --------- Signed-off-by: Thomas Eizinger <thomas@eizinger.io> Co-authored-by: Jamil <jamilbk@users.noreply.github.com> |
||
|
Thomas Eizinger
|
9cde3265e7 |
chore: enable lints in dns-over-tcp (#10762)
Appears to have been an oversight when we first introduced this crate. |
||
|
dependabot[bot]
|
4fa92e514c |
build(deps): bump axum from 0.8.4 to 0.8.5 in /rust (#10719)
Bumps [axum](https://github.com/tokio-rs/axum) from 0.8.4 to 0.8.5. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/tokio-rs/axum/releases">axum's releases</a>.</em></p> <blockquote> <h2>axum v0.8.5</h2> <ul> <li><strong>fixed:</strong> Reject JSON request bodies with trailing characters after the JSON document (<a href="https://redirect.github.com/tokio-rs/axum/issues/3453">#3453</a>)</li> <li><strong>added:</strong> Implement <code>OptionalFromRequest</code> for <code>Multipart</code> (<a href="https://redirect.github.com/tokio-rs/axum/issues/3220">#3220</a>)</li> <li><strong>added:</strong> Getter methods <code>Location::{status_code, location}</code></li> <li><strong>added:</strong> Support for writing arbitrary binary data into server-sent events (<a href="https://redirect.github.com/tokio-rs/axum/issues/3425">#3425</a>)]</li> <li><strong>added:</strong> <code>middleware::ResponseAxumBodyLayer</code> for mapping response body to <code>axum::body::Body</code> (<a href="https://redirect.github.com/tokio-rs/axum/issues/3469">#3469</a>)</li> <li><strong>added:</strong> <code>impl FusedStream for WebSocket</code> (<a href="https://redirect.github.com/tokio-rs/axum/issues/3443">#3443</a>)</li> <li><strong>changed:</strong> The <code>sse</code> module and <code>Sse</code> type no longer depend on the <code>tokio</code> feature (<a href="https://redirect.github.com/tokio-rs/axum/issues/3154">#3154</a>)</li> <li><strong>changed:</strong> If the location given to one of <code>Redirect</code>s constructors is not a valid header value, instead of panicking on construction, the <code>IntoResponse</code> impl now returns an HTTP 500, just like <code>Json</code> does when serialization fails (<a href="https://redirect.github.com/tokio-rs/axum/issues/3377">#3377</a>)</li> <li><strong>changed:</strong> Update minimum rust version to 1.78 (<a href="https://redirect.github.com/tokio-rs/axum/issues/3412">#3412</a>)</li> </ul> <p><a href="https://redirect.github.com/tokio-rs/axum/issues/3154">#3154</a>: <a href="https://redirect.github.com/tokio-rs/axum/pull/3154">tokio-rs/axum#3154</a> <a href="https://redirect.github.com/tokio-rs/axum/issues/3220">#3220</a>: <a href="https://redirect.github.com/tokio-rs/axum/pull/3220">tokio-rs/axum#3220</a> <a href="https://redirect.github.com/tokio-rs/axum/issues/3377">#3377</a>: <a href="https://redirect.github.com/tokio-rs/axum/pull/3377">tokio-rs/axum#3377</a> <a href="https://redirect.github.com/tokio-rs/axum/issues/3412">#3412</a>: <a href="https://redirect.github.com/tokio-rs/axum/pull/3412">tokio-rs/axum#3412</a> <a href="https://redirect.github.com/tokio-rs/axum/issues/3425">#3425</a>: <a href="https://redirect.github.com/tokio-rs/axum/pull/3425">tokio-rs/axum#3425</a> <a href="https://redirect.github.com/tokio-rs/axum/issues/3443">#3443</a>: <a href="https://redirect.github.com/tokio-rs/axum/pull/3443">tokio-rs/axum#3443</a> <a href="https://redirect.github.com/tokio-rs/axum/issues/3453">#3453</a>: <a href="https://redirect.github.com/tokio-rs/axum/pull/3453">tokio-rs/axum#3453</a> <a href="https://redirect.github.com/tokio-rs/axum/issues/3469">#3469</a>: <a href="https://redirect.github.com/tokio-rs/axum/pull/3469">tokio-rs/axum#3469</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
97c69dfac6 |
build(deps): bump typescript-eslint from 8.34.1 to 8.44.1 in /rust/gui-client (#10723)
Bumps [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) from 8.34.1 to 8.44.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/typescript-eslint/typescript-eslint/releases">typescript-eslint's releases</a>.</em></p> <blockquote> <h2>v8.44.1</h2> <h2>8.44.1 (2025-09-22)</h2> <h3>🩹 Fixes</h3> <ul> <li><strong>eslint-plugin:</strong> [no-base-to-string] make ignoredTypeNames match type names without generics (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/11597">#11597</a>)</li> <li><strong>eslint-plugin:</strong> [no-unsafe-enum-comparison] support unions of literals (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/11599">#11599</a>)</li> <li><strong>eslint-plugin:</strong> [await-thenable] should not report passing values to promise aggregators which may be a promise in an array literal (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/11611">#11611</a>)</li> <li><strong>typescript-estree:</strong> forbid class property with name <code>constructor</code> (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/11590">#11590</a>)</li> </ul> <h3>❤️ Thank You</h3> <ul> <li>fisker Cheung <a href="https://github.com/fisker"><code>@fisker</code></a></li> <li>Kirk Waiblinger <a href="https://github.com/kirkwaiblinger"><code>@kirkwaiblinger</code></a></li> <li>mdm317</li> <li>Ronen Amiel</li> </ul> <p>You can read about our <a href="https://typescript-eslint.io/users/versioning">versioning strategy</a> and <a href="https://typescript-eslint.io/users/releases">releases</a> on our website.</p> <h2>v8.44.0</h2> <h2>8.44.0 (2025-09-15)</h2> <h3>🚀 Features</h3> <ul> <li><strong>eslint-plugin:</strong> [await-thenable] report invalid (non-promise) values passed to promise aggregator methods (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/11267">#11267</a>)</li> </ul> <h3>🩹 Fixes</h3> <ul> <li><strong>deps:</strong> update dependency <code>@eslint-community/eslint-utils</code> to v4.8.0 (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/11589">#11589</a>)</li> <li><strong>eslint-plugin:</strong> [no-unnecessary-type-conversion] ignore enum members (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/11490">#11490</a>)</li> </ul> <h3>❤️ Thank You</h3> <ul> <li>Moses Odutusin <a href="https://github.com/thebolarin"><code>@thebolarin</code></a></li> <li>Ronen Amiel</li> </ul> <p>You can read about our <a href="https://typescript-eslint.io/users/versioning">versioning strategy</a> and <a href="https://typescript-eslint.io/users/releases">releases</a> on our website.</p> <h2>v8.43.0</h2> <h2>8.43.0 (2025-09-08)</h2> <h3>🚀 Features</h3> <ul> <li><strong>typescript-estree:</strong> disallow empty type parameter/argument lists (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/11563">#11563</a>)</li> </ul> <h3>🩹 Fixes</h3> <ul> <li><strong>eslint-plugin:</strong> [no-non-null-assertion] do not suggest optional chain on LHS of assignment (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/11489">#11489</a>)</li> <li><strong>eslint-plugin:</strong> [no-unnecessary-type-conversion] only report ~~ on integer literal types (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/11517">#11517</a>)</li> <li><strong>eslint-plugin:</strong> [consistent-type-exports] fix declaration shadowing (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/11457">#11457</a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md">typescript-eslint's changelog</a>.</em></p> <blockquote> <h2>8.44.1 (2025-09-22)</h2> <p>This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.</p> <p>You can read about our <a href="https://typescript-eslint.io/users/versioning">versioning strategy</a> and <a href="https://typescript-eslint.io/users/releases">releases</a> on our website.</p> <h2>8.44.0 (2025-09-15)</h2> <p>This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.</p> <p>You can read about our <a href="https://typescript-eslint.io/users/versioning">versioning strategy</a> and <a href="https://typescript-eslint.io/users/releases">releases</a> on our website.</p> <h2>8.43.0 (2025-09-08)</h2> <h3>🩹 Fixes</h3> <ul> <li><strong>eslint-plugin:</strong> [no-deprecated] should report deprecated exports and reexports (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/11359">#11359</a>)</li> </ul> <h3>❤️ Thank You</h3> <ul> <li>Victor Genaev <a href="https://github.com/mainframev"><code>@mainframev</code></a></li> </ul> <p>You can read about our <a href="https://typescript-eslint.io/users/versioning">versioning strategy</a> and <a href="https://typescript-eslint.io/users/releases">releases</a> on our website.</p> <h2>8.42.0 (2025-09-02)</h2> <h3>🚀 Features</h3> <ul> <li>deprecate tseslint.config() (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/11531">#11531</a>)</li> </ul> <h3>🩹 Fixes</h3> <ul> <li><strong>typescript-eslint:</strong> handle non-normalized windows paths produced by jiti (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/11546">#11546</a>)</li> </ul> <h3>❤️ Thank You</h3> <ul> <li>Kirk Waiblinger <a href="https://github.com/kirkwaiblinger"><code>@kirkwaiblinger</code></a></li> </ul> <p>You can read about our <a href="https://typescript-eslint.io/users/versioning">versioning strategy</a> and <a href="https://typescript-eslint.io/users/releases">releases</a> on our website.</p> <h2>8.41.0 (2025-08-25)</h2> <p>This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.</p> <p>You can read about our <a href="https://main--typescript-eslint.netlify.app/users/versioning">versioning strategy</a> and <a href="https://main--typescript-eslint.netlify.app/users/releases">releases</a> on our website.</p> <h2>8.40.0 (2025-08-18)</h2> <h3>🩹 Fixes</h3> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
08e95d124b |
build(deps): bump libc from 0.2.175 to 0.2.176 in /rust (#10738)
Bumps [libc](https://github.com/rust-lang/libc) from 0.2.175 to 0.2.176. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/rust-lang/libc/releases">libc's releases</a>.</em></p> <blockquote> <h2>0.2.176</h2> <h3>Support</h3> <ul> <li>The default FreeBSD version has been raised from 11 to 12. This matches <code>rustc</code> since 1.78. (<a href="https://redirect.github.com/rust-lang/libc/pull/2406">#2406</a>)</li> <li><code>Debug</code> is now always implemented, rather than being gated behind the <code>extra_traits</code> feature. (<a href="https://redirect.github.com/rust-lang/libc/pull/4624">#4624</a>)</li> </ul> <h3>Added</h3> <ul> <li>AIX: Restore some non-POSIX functions guarded by the <code>_KERNEL</code> macro. (<a href="https://redirect.github.com/rust-lang/libc/pull/4607">#4607</a>)</li> <li>FreeBSD 14: Add <code>st_fileref</code> to <code>struct stat</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4642">#4642</a>)</li> <li>Haiku: Add the <code>accept4</code> POSIX call (<a href="https://redirect.github.com/rust-lang/libc/pull/4586">#4586</a>)</li> <li>Introduce a wrapper for representing padding (<a href="https://redirect.github.com/rust-lang/libc/pull/4632">#4632</a>)</li> <li>Linux: Add <code>EM_RISCV</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4659">#4659</a>)</li> <li>Linux: Add <code>MS_NOSYMFOLLOW</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4389">#4389</a>)</li> <li>Linux: Add <code>backtrace_symbols(_fd)</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4668">#4668</a>)</li> <li>Linux: Add missing <code>SOL_PACKET</code> optnames (<a href="https://redirect.github.com/rust-lang/libc/pull/4669">#4669</a>)</li> <li>Musl s390x: Add <code>SYS_mseal</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4549">#4549</a>)</li> <li>NuttX: Add <code>__errno</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4687">#4687</a>)</li> <li>Redox: Add <code>dirfd</code>, <code>VDISABLE</code>, and resource consts (<a href="https://redirect.github.com/rust-lang/libc/pull/4660">#4660</a>)</li> <li>Redox: Add more <code>resource.h</code>, <code>fcntl.h</code> constants (<a href="https://redirect.github.com/rust-lang/libc/pull/4666">#4666</a>)</li> <li>Redox: Enable <code>strftime</code> and <code>mkostemp[s]</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4629">#4629</a>)</li> <li>Unix, Windows: Add <code>qsort_r</code> (Unix), and <code>qsort(_s)</code> (Windows) (<a href="https://redirect.github.com/rust-lang/libc/pull/4677">#4677</a>)</li> <li>Unix: Add <code>dlvsym</code> for Linux-gnu, FreeBSD, and NetBSD (<a href="https://redirect.github.com/rust-lang/libc/pull/4671">#4671</a>)</li> <li>Unix: Add <code>sigqueue</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4620">#4620</a>)</li> </ul> <h3>Changed</h3> <ul> <li>FreeBSD 15: Mark <code>kinfo_proc</code> as non-exhaustive (<a href="https://redirect.github.com/rust-lang/libc/pull/4553">#4553</a>)</li> <li>FreeBSD: Set the ELF symbol version for <code>readdir_r</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4694">#4694</a>)</li> <li>Linux: Correct the config for whether or not <code>epoll_event</code> is packed (<a href="https://redirect.github.com/rust-lang/libc/pull/4639">#4639</a>)</li> <li>Tests: Replace the old <code>ctest</code> with the much more reliable new implementation (<a href="https://redirect.github.com/rust-lang/libc/pull/4655">#4655</a> and many related PRs)</li> </ul> <h3>Fixed</h3> <ul> <li>AIX: Fix the type of the 4th arguement of <code>getgrnam_r</code> ([#4656](<a href="https://redirect.github.com/rust-lang/libc/pull/4656">rust-lang/libc#4656</a></li> <li>FreeBSD: Limit <code>P_IDLEPROC</code> to FreeBSD 15 (<a href="https://redirect.github.com/rust-lang/libc/pull/4640">#4640</a>)</li> <li>FreeBSD: Limit <code>mcontext_t::mc_tlsbase</code> to FreeBSD 15 (<a href="https://redirect.github.com/rust-lang/libc/pull/464">#4640</a>)</li> <li>FreeBSD: Update gating of <code>mcontext_t.mc_tlsbase</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4703">#4703</a>)</li> <li>Musl s390x: Correct the definition of <code>statfs[64]</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4549">#4549</a>)</li> <li>Musl s390x: Make <code>fpreg_t</code> a union (<a href="https://redirect.github.com/rust-lang/libc/pull/4549">#4549</a>)</li> <li>Redox: Fix the types of <code>gid_t</code> and <code>uid_t</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4689">#4689</a>)</li> <li>Redox: Fix the value of <code>MAP_FIXED</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4684">#4684</a>)</li> </ul> <h3>Deprecated</h3> <ul> <li>Apple: Correct the <code>deprecated</code> attribute for <code>iconv</code> (<a href=" |
||
|
dependabot[bot]
|
4c04d78da2 |
build(deps): bump serde from 1.0.223 to 1.0.228 in /rust (#10731)
Bumps [serde](https://github.com/serde-rs/serde) from 1.0.223 to 1.0.228. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/serde-rs/serde/releases">serde's releases</a>.</em></p> <blockquote> <h2>v1.0.228</h2> <ul> <li>Allow building documentation with <code>RUSTDOCFLAGS='--cfg=docsrs'</code> set for the whole dependency graph (<a href="https://redirect.github.com/serde-rs/serde/issues/2995">#2995</a>)</li> </ul> <h2>v1.0.227</h2> <ul> <li>Documentation improvements (<a href="https://redirect.github.com/serde-rs/serde/issues/2991">#2991</a>)</li> </ul> <h2>v1.0.226</h2> <ul> <li>Deduplicate variant matching logic inside generated Deserialize impl for adjacently tagged enums (<a href="https://redirect.github.com/serde-rs/serde/issues/2935">#2935</a>, thanks <a href="https://github.com/Mingun"><code>@Mingun</code></a>)</li> </ul> <h2>v1.0.225</h2> <ul> <li>Avoid triggering a deprecation warning in derived Serialize and Deserialize impls for a data structure that contains its own deprecations (<a href="https://redirect.github.com/serde-rs/serde/issues/2879">#2879</a>, thanks <a href="https://github.com/rcrisanti"><code>@rcrisanti</code></a>)</li> </ul> <h2>v1.0.224</h2> <ul> <li>Remove private types being suggested in rustc diagnostics (<a href="https://redirect.github.com/serde-rs/serde/issues/2979">#2979</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
Thomas Eizinger
|
3e9ef4772b |
feat(gateway): extend flow logs with more client properties (#10717)
In order to make the flow logs emitted by the Gateway more useful and self-contained, we extend the `authorize_flow` message sent to the Gateway with some more context around the Client and Actor of that flow. In particular, we now also send the following to the Gateway: - `client_version` - `device_os_version` - `device_os_name` - `device_serial` - `device_uuid` - `device_identifier_for_vendor` - `device_firebase_installation_id` - `identity_id` - `identity_name` - `actor_id` - `actor_email` We only extend the `authorize_flow` message with these additional properties. The legacy messages for 1.3.x Clients remain as is. For those Clients, the above properties will be empty in the flow logs. Resolves: #10690 --------- Signed-off-by: Thomas Eizinger <thomas@eizinger.io> Co-authored-by: Jamil <jamilbk@users.noreply.github.com> |
||
|
dependabot[bot]
|
f872754540 |
build(deps): bump the netlink group in /rust with 3 updates (#10635)
[//]: # (dependabot-start) ⚠️ **Dependabot is rebasing this PR** ⚠️ Rebasing might not happen immediately, so don't worry if this takes some time. Note: if you make any changes to this PR yourself, they will take precedence over the rebase. --- [//]: # (dependabot-end) Bumps the netlink group in /rust with 3 updates: [netlink-packet-core](https://github.com/rust-netlink/netlink-packet-core), [netlink-packet-route](https://github.com/rust-netlink/netlink-packet-route) and [rtnetlink](https://github.com/rust-netlink/rtnetlink). Updates `netlink-packet-core` from 0.7.0 to 0.8.1 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/rust-netlink/netlink-packet-core/releases">netlink-packet-core's releases</a>.</em></p> <blockquote> <h2>New release 0.8.1</h2> <h3>Breaking changes</h3> <ul> <li>N/A</li> </ul> <h3>New features</h3> <ul> <li>N/A</li> </ul> <h3>Bug fixes</h3> <ul> <li>Revert back to paste dependency. (4447216)</li> </ul> <h2>New release 0.8.0</h2> <h3>Breaking changes</h3> <ul> <li>Changed <code>DecodeError</code> from enum to struct. (f55d7b7, 63da36a)</li> <li>Merged <code>netlink-packet-utils</code> into <code>netlink-packet-core</code>. (f55d7b7, 0951455, ba127bf, a232478, 8027f63, 41fe03d, 260e596, cc6bf08, 63da36a, 410c61d)</li> <li>Remove dependency of byteorder crate. (16d63fb)</li> </ul> <h3>New features</h3> <ul> <li>Support zero sized done message. (100413a)</li> </ul> <h3>Bug fixes</h3> <ul> <li>N/A</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/rust-netlink/netlink-packet-core/blob/main/CHANGELOG">netlink-packet-core's changelog</a>.</em></p> <blockquote> <h2>[0.8.1] - 2025-09-18</h2> <h3>Breaking changes</h3> <ul> <li>N/A</li> </ul> <h3>New features</h3> <ul> <li>N/A</li> </ul> <h3>Bug fixes</h3> <ul> <li>Revert back to paste dependency. (4447216)</li> </ul> <h2>[0.8.0] - 2025-08-27</h2> <h3>Breaking changes</h3> <ul> <li>Changed <code>DecodeError</code> from enum to struct. (f55d7b7, 63da36a)</li> <li>Merged <code>netlink-packet-utils</code> into <code>netlink-packet-core</code>. (f55d7b7, 0951455, ba127bf, a232478, 8027f63, 41fe03d, 260e596, cc6bf08, 63da36a, 410c61d)</li> <li>Remove dependency of byteorder crate. (16d63fb)</li> </ul> <h3>New features</h3> <ul> <li>Support zero sized done message. (100413a)</li> </ul> <h3>Bug fixes</h3> <ul> <li>N/A</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |