All of our Linux applications have a soft-dependency on systemd. That
is, in the default configuration, we expect systemd to be present on the
machine. The only exception here are the docker containers for Headless
Client and Gateway.
For the GUI client in particular, systemd is a hard-dependency in order
to control DNS on the system which we do via `systemd-resolved`. To
secure the communication between the GUI client and its tunnel process,
we automatically create a group called `firezone-client` to which the
user gets added. All members of the group are allowed to access the unix
socket which is used for IPC between the two processes. Membership in
this group is also a prerequisite for accessing any of the configuration
files.
On the first launch of the GUI client on a Linux system, this presents a
problem. For group membership changes to take the effect, the user needs
to reboot. We say that in the documentation but it is unclear whether
all users will read that thoroughly enough. To help the user, the GUI
client checks for membership of the current user in the group and alerts
the user via a dialog box if that isn't the case. This would all be fine
if it would actually work. Unfortunately, that check ends up being too
late in the process. If we aren't a member of the group, we cannot read
the device ID and bail early, thus never reaching the check and
terminating the process without any dialog box or user-visible error.
We could attempt to fix this by shuffling around some of the startup
init code. That is a sub-optimal solution however because it a) may get
broken again in the future and b) it means we have to delay
initialisation of telemetry until a much later point.
Given that this is only a problem on Linux, a better solution is to
simply not rely on the disk-based device ID at all. Instead, we can
integrate with systemd and deterministically derive a device ID from the
unique machine ID and a randomly chosen "app ID".
For backwards-compatibility reasons, the disk-based device ID is still
prioritised. For all new installs however, we will use the one based on
`/etc/machine-id`.
When we are building the log message that is sent to Sentry, we append
several attributes to mimic the formatting that we get from
`tracing_subscriber::fmt`. To do that, we strip the span name from the
attribute which can result in us processing the same attribute such as
`cid` twice: Once from a span and once from the actual log message. In
order to not append the same message twice, we check for its presence in
the attributes map first.
This avoids having message in Sentry such as:
```
Sampled relay cid=c18e1da8-8ef8-4e11-a325-28d6b387d503 rid=3af15c76-9e84-46a6-90e1-63ecb2bc9f80 cid=c18e1da8-8ef8-4e11-a325-28d6b387d503
```
When investigating, why a connection fails it is useful to know right
away, what the last connection state was, including the kind of
connection, such as `PeerToPeer`, `RelayToPeer` etc.
Sentry appends "breadcrumbs" to every error that gets sent to the
backend. By default, those include the last 500 DEBUG logs. Our
`phoenix_channel` module logs the incoming and outgoing messages on
TRACE using the `wire::api::send` and `wire::api::recv` targets.
To make debugging these easier, we always include anything on
`wire::api` in the breadcrumbs.
The current test installation fails because it is operating in a
headless environment without a display user. Some more testing of the
`who` command showed that we can simply take the first user. That avoids
`grep` which was previously failing with an exit code of 1, aborting the
installation because our `postinst` script has `pipefail` set.
Specifying `sudo` in the script is unnecessary as it already runs as
root. Additionally, only executing `systemd-sysusers` for our config
file is better because it narrows the scope of what should be done.
Several aspects of the Gateway's Debian package depend on `systemd`
being present. Without it, we don't have the necessary users and files
in place for the Gateway to function. With that specified, we can fail
the `postinst` script (and therefore the installation) if anything in
there goes wrong.
By checking various environment variables, we can automatically add the
current user to the `firezone-client` group which allows them to connect
to the IPC socket of the tunnel process. Unfortunately, they still have
to create a new login session / reboot for that to be reflected.
The docs update for this will follow once we have cut a release with
this code in it.
---------
Signed-off-by: Thomas Eizinger <thomas@eizinger.io>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
For DNS resources, the Gateway maintains a per-peer NAT table from the
client-assigned proxy IPs to the real IPs of the domain. Whenever the
Client re-queries a DNS resource domain locally, we asynchronously ping
the Gateway to also re-query said domain. This allows us to detect
changes in the DNS records of DNS resources.
To avoid breaking existing connections, the mapping between proxy IPs
and real IPs is currently not updated if there are any active UDP or TCP
flows for a proxy IP.
This logic turns out to be unnecessarily restrictive as TCP flows can
linger around for up to 2h before they timeout if they are not closed
with a TCP RST. What we really need to do is always update the mapping
of proxy IP <> real IP but honor existing NAT table entries when we
route packets before creating new ones. This ensures that an existing
connection to a previously resolved IP remains intact, even if a later
DNS response for the same domain updates the mapping. At the same time,
new connections (i.e. with a different source port) will immediately use
the new destination IP.
Firezone's ability to tunnel all traffic on a particular Client (i.e.
the Internet Resource) means we have to ensure that traffic originating
from within the Firezone process does not get routed back into the
tunnel. On MacOS and iOS, this is automatically taken care of for us. On
all other platforms, we need to take steps to prevent these routing
loops.
This functionality is abstracted away using our `SocketFactory`. A
socket created with such a factory is guaranteed to route its traffic
outside of the tunnel. These sockets are used for the WebSocket
connection to the portal, as well as for recursive UDP and TCP DNS
queries.
In order to support DoH, we need to also be able to send HTTPS requests
without causing packet loops.
This PR adds a new crate `http-client` that does exactly that. It
composes together `hyper` and `rustls` such that the configured
`SocketFactory` is used to create the TCP socket for the underlying
HTTP2 connection. Consequently, HTTPS requests made with this library
will automatically be routed outside of the tunnel, assuming the
`SocketFactory` is adequately configured.
Right now, this crate just stands by itself. It will be integrated into
connlib at a later point.
Resolves: #10774
Related: #4668
Related: #10272
Within Firezone, there are multiple components that deal with DNS
queries. Two of those components are the `l4-udp-dns-server` and
`l4-tcp-dns-server`. Both of them are responsible for receiving DNS
queries on layer 4, i.e. UDP or TCP. In other words, they do _not_
operate on an IP level (which would be layer 3) but instead use
`UdpSocket` and `TcpListener` to receive queries and sent back
responses.
Right now, the interfaces of these crates are designed for the usecase
of receiving forwarded DNS queries from the CLient on the Gateway's TUN
device. This is a special-case of DNS resolution. When receiving a TXT
or SRV query for a domain that is covered by a DNS resources, Firezone
Client's will forward that query to the corresponding Gateway and
resolve it in its network context. SRV and TXT records are commonly used
for service discovery and as such, should be resolved in the network
context of the service, i.e. the site that assigned to the resource.
For that usecase, it made sense to allow each DNS server to listen on 1
IPv4 and 1 IPv6 address. Since then, our event-loop has evolved a bit,
being able to handle multiple inputs at once. As such, we can simplify
the API of these crates to only listen on a single address and instead
create multiple instances of them inside `Io`. Depending on how the
design of our DNS implementation for the Clients evolves, this may be
used to listen on multiple IPs later (e.g. from the `127.0.0.0/8`
subnet).
Related: #8263
Right now, connlib hands out a `BiMap` of sentinel IPs <> upstream
servers whenever it emits a `TunInterfaceUpdated` event. This `BiMap`
internally uses two `HashMap`s. The iteration order of `HashMap`s is
non-deterministic and therefore, we lose the order in which the upstream
/ system resolvers have been passed to us originally.
To prevent that, we now emit a dedicated `DnsMapping` type that does not
expose its internal data structure but only getters for retrieving the
sentinel and upstream servers. Internally, it uses a `Vec` to store this
mapping and thus retains the original order. This is asserted as part of
our proptests by comparing the resulting `Vec`s.
This fix is preceded by a few refactorings that encapsulate the code for
creating and updating this DNS mapping.
Resolves: #8439
With #8263, we will stop receiving UDP and TCP DNS queries on the tunnel
but use regular sockets instead. This means that for UDP DNS queries
that need to be sent _through_ the tunnel, we actually need to make new
IP packets again. For TCP, we already have a crate that does this for us
because there, we need to manage an entire TCP stack.
For UDP, the story is a bit simpler but there are still a few things
involved. In particular, we need to set a source address for the packets
and we need to sample a new random port for each query.
The crate added in this PR does exactly that. It is not yet used
anywhere but split out into a separate PR to reduce the reviewing burden
of the larger refactor.
Related: #8263
Related: #10758
On Ubuntu, this should be the default anyway and already be installed
but to be correct, we should list this dependency in the `depends`
section of our `.deb`. That way, it will automatically get installed
again if a user chooses to install the GUI client from our repository
and doesn't have `systemd-resolved` installed.
Bumps [serde_with](https://github.com/jonasbb/serde_with) from 3.14.0 to
3.15.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/jonasbb/serde_with/releases">serde_with's
releases</a>.</em></p>
<blockquote>
<h2>serde_with v3.15.0</h2>
<h3>Added</h3>
<ul>
<li>
<p>Added error inspection to <code>VecSkipError</code> and
<code>MapSkipError</code> by <a
href="https://github.com/michelhe"><code>@michelhe</code></a> (<a
href="https://redirect.github.com/jonasbb/serde_with/issues/878">#878</a>)
This allows interacting with the previously hidden error, for example
for logging.
Checkout the newly added example to both types.</p>
</li>
<li>
<p>Allow documenting the types generated by <code>serde_conv!</code>.
The <code>serde_conv!</code> macro now acceps outer attributes before
the optional visibility modifier.
This allow adding doc comments in the shape of <code>#[doc =
"..."]</code> or any other attributes, such as lint
modifiers.</p>
<pre lang="rust"><code>serde_conv!(
#[doc = "Serialize bools as string"]
#[allow(dead_code)]
pub BoolAsString,
bool,
|x: &bool| ::std::string::ToString::to_string(x),
|x: ::std::string::String| x.parse()
);
</code></pre>
</li>
<li>
<p>Add support for <code>hashbrown</code> v0.16 (<a
href="https://redirect.github.com/jonasbb/serde_with/issues/877">#877</a>)</p>
<p>This extends the existing support for <code>hashbrown</code> v0.14
and v0.15 to the newly released version.</p>
</li>
</ul>
<h3>Changed</h3>
<ul>
<li>Bump MSRV to 1.76, since that is required for <code>toml</code>
dev-dependency.</li>
</ul>
<h2>serde_with v3.14.1</h2>
<h3>Fixed</h3>
<ul>
<li>Show macro expansion in the docs.rs generated rustdoc.
Since macros are used to generate trait implementations, this is useful
to understand the exact generated code.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="ea38dce3a6"><code>ea38dce</code></a>
Bump version to 3.15.0 (<a
href="https://redirect.github.com/jonasbb/serde_with/issues/892">#892</a>)</li>
<li><a
href="a3da8e643f"><code>a3da8e6</code></a>
Bump version to 3.15.0</li>
<li><a
href="c36e692de3"><code>c36e692</code></a>
Bump dev-dependencies (<a
href="https://redirect.github.com/jonasbb/serde_with/issues/891">#891</a>)</li>
<li><a
href="ae8466dd31"><code>ae8466d</code></a>
Bump dev-dependencies</li>
<li><a
href="f7337ff7ec"><code>f7337ff</code></a>
Support <code>serde_core</code> and remove dependencies on
<code>serde_derive</code> (<a
href="https://redirect.github.com/jonasbb/serde_with/issues/889">#889</a>)</li>
<li><a
href="c1d73b3c31"><code>c1d73b3</code></a>
Replace serde with serde_core in all files</li>
<li><a
href="320d292f23"><code>320d292</code></a>
Remove dependency on serde_derive</li>
<li><a
href="dca6df8083"><code>dca6df8</code></a>
Remove version-sync crate and reimplement needed functionality with
regex and...</li>
<li><a
href="6c6e53f0b1"><code>6c6e53f</code></a>
Remove version-sync crate and reimplement needed functionality with
regex and...</li>
<li><a
href="f64ea4035c"><code>f64ea40</code></a>
Add support for <code>hashbrown</code> v0.16 (<a
href="https://redirect.github.com/jonasbb/serde_with/issues/888">#888</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/jonasbb/serde_with/compare/v3.14.0...v3.15.0">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps
[gat-lending-iterator](https://github.com/Crazytieguy/gat-lending-iterator)
from 0.1.6 to 0.1.7.
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/Crazytieguy/gat-lending-iterator/commits/v0.1.7">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Rust 1.91 has been released and brings with it a few new lints that we
need to tidy up. In addition, it also stabilizes `BTreeMap::extract_if`:
A really nifty std-lib function that allows us to conditionally take
elements from a map. We need that in a bunch of places.
Bumps the sentry group in /rust with 2 updates:
[sentry](https://github.com/getsentry/sentry-rust) and
[sentry-tracing](https://github.com/getsentry/sentry-rust).
Updates `sentry` from 0.42.0 to 0.43.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/getsentry/sentry-rust/releases">sentry's
releases</a>.</em></p>
<blockquote>
<h2>0.43.0</h2>
<h3>Breaking changes</h3>
<ul>
<li>ref(tracing): rework tracing to Sentry span name/op conversion (<a
href="https://redirect.github.com/getsentry/sentry-rust/pull/887">#887</a>)
by <a href="https://github.com/lcian"><code>@lcian</code></a>
<ul>
<li>The <code>tracing</code> integration now uses the tracing span name
as the Sentry span name by default.</li>
<li>Before this change, the span name would be set based on the
<code>tracing</code> span target
(<code><module>::<function></code> when using the
<code>tracing::instrument</code> macro).</li>
<li>The <code>tracing</code> integration now uses <code><span
target>::<span name></code> as the default Sentry span op (i.e.
<code><module>::<function></code> when using
<code>tracing::instrument</code>).</li>
<li>Before this change, the span op would be set based on the
<code>tracing</code> span name.</li>
<li>Read below to learn how to customize the span name and op.</li>
<li>When upgrading, please ensure to adapt any queries, metrics or
dashboards to use the new span names/ops.</li>
</ul>
</li>
<li>ref(tracing): use standard code attributes (<a
href="https://redirect.github.com/getsentry/sentry-rust/pull/899">#899</a>)
by <a href="https://github.com/lcian"><code>@lcian</code></a>
<ul>
<li>Logs now carry the attributes <code>code.module.name</code>,
<code>code.file.path</code> and <code>code.line.number</code>
standardized in OTEL to surface the respective information, in contrast
with the previously sent <code>tracing.module_path</code>,
<code>tracing.file</code> and <code>tracing.line</code>.</li>
</ul>
</li>
<li>fix(actix): capture only server errors (<a
href="https://redirect.github.com/getsentry/sentry-rust/pull/877">#877</a>)
by <a href="https://github.com/lcian"><code>@lcian</code></a>
<ul>
<li>The Actix integration now properly honors the
<code>capture_server_errors</code> option (enabled by default),
capturing errors returned by middleware only if they are server errors
(HTTP status code 5xx).</li>
<li>Previously, if a middleware were to process the request after the
Sentry middleware and return an error, our middleware would always
capture it and send it to Sentry, regardless if it was a client, server
or some other kind of error.</li>
<li>With this change, we capture errors returned by middleware only if
those errors can be classified as server errors.</li>
<li>There is no change in behavior when it comes to errors returned by
services, in which case the Sentry middleware only captures server
errors exclusively.</li>
</ul>
</li>
<li>fix: send trace origin correctly (<a
href="https://redirect.github.com/getsentry/sentry-rust/pull/906">#906</a>)
by <a href="https://github.com/lcian"><code>@lcian</code></a>
<ul>
<li><code>TraceContext</code> now has an additional field
<code>origin</code>, used to report which integration created a
transaction.</li>
</ul>
</li>
</ul>
<h3>Behavioral changes</h3>
<ul>
<li>feat(tracing): send both breadcrumbs and logs by default (<a
href="https://redirect.github.com/getsentry/sentry-rust/pull/878">#878</a>)
by <a href="https://github.com/lcian"><code>@lcian</code></a>
<ul>
<li>If the <code>logs</code> feature flag is enabled, and
<code>enable_logs: true</code> is set on your client options, the
default Sentry <code>tracing</code> layer now sends logs for all events
at or above INFO.</li>
</ul>
</li>
</ul>
<h3>Features</h3>
<ul>
<li>
<p>ref(tracing): rework tracing to Sentry span name/op conversion (<a
href="https://redirect.github.com/getsentry/sentry-rust/pull/887">#887</a>)
by <a href="https://github.com/lcian"><code>@lcian</code></a></p>
<ul>
<li>Additional special fields have been added that allow overriding
certain data on the Sentry span:
<ul>
<li><code>sentry.op</code>: override the Sentry span op.</li>
<li><code>sentry.name</code>: override the Sentry span name.</li>
<li><code>sentry.trace</code>: given a string matching a valid
<code>sentry-trace</code> header (sent automatically by client SDKs),
continues the distributed trace instead of starting a new one. If the
value is not a valid <code>sentry-trace</code> header or a trace is
already started, this value is ignored.</li>
</ul>
</li>
<li><code>sentry.op</code> and <code>sentry.name</code> can also be
applied retroactively by declaring fields with value
<code>tracing::field::Empty</code> and then recorded using
<code>tracing::Span::record</code>.</li>
<li>Example usage:
<pre lang="rust"><code>#[tracing::instrument(skip_all, fields(
sentry.op = "http.server",
sentry.name = "GET /payments",
sentry.trace =
headers.get("sentry-trace").unwrap_or(&"".to_owned()),
))]
async fn handle_request(headers: std::collections::HashMap<String,
String>) {
// ...
}
</code></pre>
</li>
<li>Additional attributes are sent along with each span by default:
<ul>
<li><code>sentry.tracing.target</code>: corresponds to the
<code>tracing</code> span's <code>metadata.target()</code></li>
<li><code>code.module.name</code>, <code>code.file.path</code>,
<code>code.line.number</code></li>
</ul>
</li>
</ul>
</li>
<li>
<p>feat(core): add Response context (<a
href="https://redirect.github.com/getsentry/sentry-rust/pull/874">#874</a>)
by <a href="https://github.com/lcian"><code>@lcian</code></a></p>
<ul>
<li>The <code>Response</code> context can now be attached to events, to
include information about HTTP responses such as headers, cookies and
status code.</li>
</ul>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/getsentry/sentry-rust/blob/master/CHANGELOG.md">sentry's
changelog</a>.</em></p>
<blockquote>
<h2>0.43.0</h2>
<h3>Breaking changes</h3>
<ul>
<li>ref(tracing): rework tracing to Sentry span name/op conversion (<a
href="https://redirect.github.com/getsentry/sentry-rust/pull/887">#887</a>)
by <a href="https://github.com/lcian"><code>@lcian</code></a>
<ul>
<li>The <code>tracing</code> integration now uses the tracing span name
as the Sentry span name by default.</li>
<li>Before this change, the span name would be set based on the
<code>tracing</code> span target
(<code><module>::<function></code> when using the
<code>tracing::instrument</code> macro).</li>
<li>The <code>tracing</code> integration now uses <code><span
target>::<span name></code> as the default Sentry span op (i.e.
<code><module>::<function></code> when using
<code>tracing::instrument</code>).</li>
<li>Before this change, the span op would be set based on the
<code>tracing</code> span name.</li>
<li>Read below to learn how to customize the span name and op.</li>
<li>When upgrading, please ensure to adapt any queries, metrics or
dashboards to use the new span names/ops.</li>
</ul>
</li>
<li>ref(tracing): use standard code attributes (<a
href="https://redirect.github.com/getsentry/sentry-rust/pull/899">#899</a>)
by <a href="https://github.com/lcian"><code>@lcian</code></a>
<ul>
<li>Logs now carry the attributes <code>code.module.name</code>,
<code>code.file.path</code> and <code>code.line.number</code>
standardized in OTEL to surface the respective information, in contrast
with the previously sent <code>tracing.module_path</code>,
<code>tracing.file</code> and <code>tracing.line</code>.</li>
</ul>
</li>
<li>fix(actix): capture only server errors (<a
href="https://redirect.github.com/getsentry/sentry-rust/pull/877">#877</a>)
by <a href="https://github.com/lcian"><code>@lcian</code></a>
<ul>
<li>The Actix integration now properly honors the
<code>capture_server_errors</code> option (enabled by default),
capturing errors returned by middleware only if they are server errors
(HTTP status code 5xx).</li>
<li>Previously, if a middleware were to process the request after the
Sentry middleware and return an error, our middleware would always
capture it and send it to Sentry, regardless if it was a client, server
or some other kind of error.</li>
<li>With this change, we capture errors returned by middleware only if
those errors can be classified as server errors.</li>
<li>There is no change in behavior when it comes to errors returned by
services, in which case the Sentry middleware only captures server
errors exclusively.</li>
</ul>
</li>
<li>fix: send trace origin correctly (<a
href="https://redirect.github.com/getsentry/sentry-rust/pull/906">#906</a>)
by <a href="https://github.com/lcian"><code>@lcian</code></a>
<ul>
<li><code>TraceContext</code> now has an additional field
<code>origin</code>, used to report which integration created a
transaction.</li>
</ul>
</li>
</ul>
<h3>Behavioral changes</h3>
<ul>
<li>feat(tracing): send both breadcrumbs and logs by default (<a
href="https://redirect.github.com/getsentry/sentry-rust/pull/878">#878</a>)
by <a href="https://github.com/lcian"><code>@lcian</code></a>
<ul>
<li>If the <code>logs</code> feature flag is enabled, and
<code>enable_logs: true</code> is set on your client options, the
default Sentry <code>tracing</code> layer now sends logs for all events
at or above INFO.</li>
</ul>
</li>
</ul>
<h3>Features</h3>
<ul>
<li>
<p>ref(tracing): rework tracing to Sentry span name/op conversion (<a
href="https://redirect.github.com/getsentry/sentry-rust/pull/887">#887</a>)
by <a href="https://github.com/lcian"><code>@lcian</code></a></p>
<ul>
<li>Additional special fields have been added that allow overriding
certain data on the Sentry span:
<ul>
<li><code>sentry.op</code>: override the Sentry span op.</li>
<li><code>sentry.name</code>: override the Sentry span name.</li>
<li><code>sentry.trace</code>: given a string matching a valid
<code>sentry-trace</code> header (sent automatically by client SDKs),
continues the distributed trace instead of starting a new one. If the
value is not a valid <code>sentry-trace</code> header or a trace is
already started, this value is ignored.</li>
</ul>
</li>
<li><code>sentry.op</code> and <code>sentry.name</code> can also be
applied retroactively by declaring fields with value
<code>tracing::field::Empty</code> and then recorded using
<code>tracing::Span::record</code>.</li>
<li>Example usage:
<pre lang="rust"><code>#[tracing::instrument(skip_all, fields(
sentry.op = "http.server",
sentry.name = "GET /payments",
sentry.trace =
headers.get("sentry-trace").unwrap_or(&"".to_owned()),
))]
async fn handle_request(headers: std::collections::HashMap<String,
String>) {
// ...
}
</code></pre>
</li>
<li>Additional attributes are sent along with each span by default:
<ul>
<li><code>sentry.tracing.target</code>: corresponds to the
<code>tracing</code> span's <code>metadata.target()</code></li>
<li><code>code.module.name</code>, <code>code.file.path</code>,
<code>code.line.number</code></li>
</ul>
</li>
</ul>
</li>
<li>
<p>feat(core): add Response context (<a
href="https://redirect.github.com/getsentry/sentry-rust/pull/874">#874</a>)
by <a href="https://github.com/lcian"><code>@lcian</code></a></p>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="b08b24a057"><code>b08b24a</code></a>
release: 0.43.0</li>
<li><a
href="1c08ca8671"><code>1c08ca8</code></a>
ref(tracing): keep old span name as op instead of default (<a
href="https://redirect.github.com/getsentry/sentry-rust/issues/905">#905</a>)</li>
<li><a
href="75aff83c65"><code>75aff83</code></a>
fix(tracing): skip default span attributes when propagating to event (<a
href="https://redirect.github.com/getsentry/sentry-rust/issues/904">#904</a>)</li>
<li><a
href="6b61b31367"><code>6b61b31</code></a>
fix: send trace origin correctly (<a
href="https://redirect.github.com/getsentry/sentry-rust/issues/906">#906</a>)</li>
<li><a
href="75a8c03de7"><code>75a8c03</code></a>
ref(tracing): use standard code attributes (<a
href="https://redirect.github.com/getsentry/sentry-rust/issues/899">#899</a>)</li>
<li><a
href="bbd667ab00"><code>bbd667a</code></a>
meta: add pull request template (<a
href="https://redirect.github.com/getsentry/sentry-rust/issues/898">#898</a>)</li>
<li><a
href="5c8ab31b61"><code>5c8ab31</code></a>
ref(tracing): rework <code>tracing</code> to Sentry span name/op
conversion (<a
href="https://redirect.github.com/getsentry/sentry-rust/issues/887">#887</a>)</li>
<li><a
href="045c2e2fed"><code>045c2e2</code></a>
feat(tracing): send both breadcrumbs and logs by default (<a
href="https://redirect.github.com/getsentry/sentry-rust/issues/878">#878</a>)</li>
<li><a
href="a5932c0295"><code>a5932c0</code></a>
fix(transport): add rate limit for logs (<a
href="https://redirect.github.com/getsentry/sentry-rust/issues/894">#894</a>)</li>
<li><a
href="280dab99be"><code>280dab9</code></a>
build(deps): bump tracing-subscriber from 0.3.19 to 0.3.20 (<a
href="https://redirect.github.com/getsentry/sentry-rust/issues/891">#891</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/getsentry/sentry-rust/compare/0.42.0...0.43.0">compare
view</a></li>
</ul>
</details>
<br />
Updates `sentry-tracing` from 0.42.0 to 0.43.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/getsentry/sentry-rust/releases">sentry-tracing's
releases</a>.</em></p>
<blockquote>
<h2>0.43.0</h2>
<h3>Breaking changes</h3>
<ul>
<li>ref(tracing): rework tracing to Sentry span name/op conversion (<a
href="https://redirect.github.com/getsentry/sentry-rust/pull/887">#887</a>)
by <a href="https://github.com/lcian"><code>@lcian</code></a>
<ul>
<li>The <code>tracing</code> integration now uses the tracing span name
as the Sentry span name by default.</li>
<li>Before this change, the span name would be set based on the
<code>tracing</code> span target
(<code><module>::<function></code> when using the
<code>tracing::instrument</code> macro).</li>
<li>The <code>tracing</code> integration now uses <code><span
target>::<span name></code> as the default Sentry span op (i.e.
<code><module>::<function></code> when using
<code>tracing::instrument</code>).</li>
<li>Before this change, the span op would be set based on the
<code>tracing</code> span name.</li>
<li>Read below to learn how to customize the span name and op.</li>
<li>When upgrading, please ensure to adapt any queries, metrics or
dashboards to use the new span names/ops.</li>
</ul>
</li>
<li>ref(tracing): use standard code attributes (<a
href="https://redirect.github.com/getsentry/sentry-rust/pull/899">#899</a>)
by <a href="https://github.com/lcian"><code>@lcian</code></a>
<ul>
<li>Logs now carry the attributes <code>code.module.name</code>,
<code>code.file.path</code> and <code>code.line.number</code>
standardized in OTEL to surface the respective information, in contrast
with the previously sent <code>tracing.module_path</code>,
<code>tracing.file</code> and <code>tracing.line</code>.</li>
</ul>
</li>
<li>fix(actix): capture only server errors (<a
href="https://redirect.github.com/getsentry/sentry-rust/pull/877">#877</a>)
by <a href="https://github.com/lcian"><code>@lcian</code></a>
<ul>
<li>The Actix integration now properly honors the
<code>capture_server_errors</code> option (enabled by default),
capturing errors returned by middleware only if they are server errors
(HTTP status code 5xx).</li>
<li>Previously, if a middleware were to process the request after the
Sentry middleware and return an error, our middleware would always
capture it and send it to Sentry, regardless if it was a client, server
or some other kind of error.</li>
<li>With this change, we capture errors returned by middleware only if
those errors can be classified as server errors.</li>
<li>There is no change in behavior when it comes to errors returned by
services, in which case the Sentry middleware only captures server
errors exclusively.</li>
</ul>
</li>
<li>fix: send trace origin correctly (<a
href="https://redirect.github.com/getsentry/sentry-rust/pull/906">#906</a>)
by <a href="https://github.com/lcian"><code>@lcian</code></a>
<ul>
<li><code>TraceContext</code> now has an additional field
<code>origin</code>, used to report which integration created a
transaction.</li>
</ul>
</li>
</ul>
<h3>Behavioral changes</h3>
<ul>
<li>feat(tracing): send both breadcrumbs and logs by default (<a
href="https://redirect.github.com/getsentry/sentry-rust/pull/878">#878</a>)
by <a href="https://github.com/lcian"><code>@lcian</code></a>
<ul>
<li>If the <code>logs</code> feature flag is enabled, and
<code>enable_logs: true</code> is set on your client options, the
default Sentry <code>tracing</code> layer now sends logs for all events
at or above INFO.</li>
</ul>
</li>
</ul>
<h3>Features</h3>
<ul>
<li>
<p>ref(tracing): rework tracing to Sentry span name/op conversion (<a
href="https://redirect.github.com/getsentry/sentry-rust/pull/887">#887</a>)
by <a href="https://github.com/lcian"><code>@lcian</code></a></p>
<ul>
<li>Additional special fields have been added that allow overriding
certain data on the Sentry span:
<ul>
<li><code>sentry.op</code>: override the Sentry span op.</li>
<li><code>sentry.name</code>: override the Sentry span name.</li>
<li><code>sentry.trace</code>: given a string matching a valid
<code>sentry-trace</code> header (sent automatically by client SDKs),
continues the distributed trace instead of starting a new one. If the
value is not a valid <code>sentry-trace</code> header or a trace is
already started, this value is ignored.</li>
</ul>
</li>
<li><code>sentry.op</code> and <code>sentry.name</code> can also be
applied retroactively by declaring fields with value
<code>tracing::field::Empty</code> and then recorded using
<code>tracing::Span::record</code>.</li>
<li>Example usage:
<pre lang="rust"><code>#[tracing::instrument(skip_all, fields(
sentry.op = "http.server",
sentry.name = "GET /payments",
sentry.trace =
headers.get("sentry-trace").unwrap_or(&"".to_owned()),
))]
async fn handle_request(headers: std::collections::HashMap<String,
String>) {
// ...
}
</code></pre>
</li>
<li>Additional attributes are sent along with each span by default:
<ul>
<li><code>sentry.tracing.target</code>: corresponds to the
<code>tracing</code> span's <code>metadata.target()</code></li>
<li><code>code.module.name</code>, <code>code.file.path</code>,
<code>code.line.number</code></li>
</ul>
</li>
</ul>
</li>
<li>
<p>feat(core): add Response context (<a
href="https://redirect.github.com/getsentry/sentry-rust/pull/874">#874</a>)
by <a href="https://github.com/lcian"><code>@lcian</code></a></p>
<ul>
<li>The <code>Response</code> context can now be attached to events, to
include information about HTTP responses such as headers, cookies and
status code.</li>
</ul>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/getsentry/sentry-rust/blob/master/CHANGELOG.md">sentry-tracing's
changelog</a>.</em></p>
<blockquote>
<h2>0.43.0</h2>
<h3>Breaking changes</h3>
<ul>
<li>ref(tracing): rework tracing to Sentry span name/op conversion (<a
href="https://redirect.github.com/getsentry/sentry-rust/pull/887">#887</a>)
by <a href="https://github.com/lcian"><code>@lcian</code></a>
<ul>
<li>The <code>tracing</code> integration now uses the tracing span name
as the Sentry span name by default.</li>
<li>Before this change, the span name would be set based on the
<code>tracing</code> span target
(<code><module>::<function></code> when using the
<code>tracing::instrument</code> macro).</li>
<li>The <code>tracing</code> integration now uses <code><span
target>::<span name></code> as the default Sentry span op (i.e.
<code><module>::<function></code> when using
<code>tracing::instrument</code>).</li>
<li>Before this change, the span op would be set based on the
<code>tracing</code> span name.</li>
<li>Read below to learn how to customize the span name and op.</li>
<li>When upgrading, please ensure to adapt any queries, metrics or
dashboards to use the new span names/ops.</li>
</ul>
</li>
<li>ref(tracing): use standard code attributes (<a
href="https://redirect.github.com/getsentry/sentry-rust/pull/899">#899</a>)
by <a href="https://github.com/lcian"><code>@lcian</code></a>
<ul>
<li>Logs now carry the attributes <code>code.module.name</code>,
<code>code.file.path</code> and <code>code.line.number</code>
standardized in OTEL to surface the respective information, in contrast
with the previously sent <code>tracing.module_path</code>,
<code>tracing.file</code> and <code>tracing.line</code>.</li>
</ul>
</li>
<li>fix(actix): capture only server errors (<a
href="https://redirect.github.com/getsentry/sentry-rust/pull/877">#877</a>)
by <a href="https://github.com/lcian"><code>@lcian</code></a>
<ul>
<li>The Actix integration now properly honors the
<code>capture_server_errors</code> option (enabled by default),
capturing errors returned by middleware only if they are server errors
(HTTP status code 5xx).</li>
<li>Previously, if a middleware were to process the request after the
Sentry middleware and return an error, our middleware would always
capture it and send it to Sentry, regardless if it was a client, server
or some other kind of error.</li>
<li>With this change, we capture errors returned by middleware only if
those errors can be classified as server errors.</li>
<li>There is no change in behavior when it comes to errors returned by
services, in which case the Sentry middleware only captures server
errors exclusively.</li>
</ul>
</li>
<li>fix: send trace origin correctly (<a
href="https://redirect.github.com/getsentry/sentry-rust/pull/906">#906</a>)
by <a href="https://github.com/lcian"><code>@lcian</code></a>
<ul>
<li><code>TraceContext</code> now has an additional field
<code>origin</code>, used to report which integration created a
transaction.</li>
</ul>
</li>
</ul>
<h3>Behavioral changes</h3>
<ul>
<li>feat(tracing): send both breadcrumbs and logs by default (<a
href="https://redirect.github.com/getsentry/sentry-rust/pull/878">#878</a>)
by <a href="https://github.com/lcian"><code>@lcian</code></a>
<ul>
<li>If the <code>logs</code> feature flag is enabled, and
<code>enable_logs: true</code> is set on your client options, the
default Sentry <code>tracing</code> layer now sends logs for all events
at or above INFO.</li>
</ul>
</li>
</ul>
<h3>Features</h3>
<ul>
<li>
<p>ref(tracing): rework tracing to Sentry span name/op conversion (<a
href="https://redirect.github.com/getsentry/sentry-rust/pull/887">#887</a>)
by <a href="https://github.com/lcian"><code>@lcian</code></a></p>
<ul>
<li>Additional special fields have been added that allow overriding
certain data on the Sentry span:
<ul>
<li><code>sentry.op</code>: override the Sentry span op.</li>
<li><code>sentry.name</code>: override the Sentry span name.</li>
<li><code>sentry.trace</code>: given a string matching a valid
<code>sentry-trace</code> header (sent automatically by client SDKs),
continues the distributed trace instead of starting a new one. If the
value is not a valid <code>sentry-trace</code> header or a trace is
already started, this value is ignored.</li>
</ul>
</li>
<li><code>sentry.op</code> and <code>sentry.name</code> can also be
applied retroactively by declaring fields with value
<code>tracing::field::Empty</code> and then recorded using
<code>tracing::Span::record</code>.</li>
<li>Example usage:
<pre lang="rust"><code>#[tracing::instrument(skip_all, fields(
sentry.op = "http.server",
sentry.name = "GET /payments",
sentry.trace =
headers.get("sentry-trace").unwrap_or(&"".to_owned()),
))]
async fn handle_request(headers: std::collections::HashMap<String,
String>) {
// ...
}
</code></pre>
</li>
<li>Additional attributes are sent along with each span by default:
<ul>
<li><code>sentry.tracing.target</code>: corresponds to the
<code>tracing</code> span's <code>metadata.target()</code></li>
<li><code>code.module.name</code>, <code>code.file.path</code>,
<code>code.line.number</code></li>
</ul>
</li>
</ul>
</li>
<li>
<p>feat(core): add Response context (<a
href="https://redirect.github.com/getsentry/sentry-rust/pull/874">#874</a>)
by <a href="https://github.com/lcian"><code>@lcian</code></a></p>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="b08b24a057"><code>b08b24a</code></a>
release: 0.43.0</li>
<li><a
href="1c08ca8671"><code>1c08ca8</code></a>
ref(tracing): keep old span name as op instead of default (<a
href="https://redirect.github.com/getsentry/sentry-rust/issues/905">#905</a>)</li>
<li><a
href="75aff83c65"><code>75aff83</code></a>
fix(tracing): skip default span attributes when propagating to event (<a
href="https://redirect.github.com/getsentry/sentry-rust/issues/904">#904</a>)</li>
<li><a
href="6b61b31367"><code>6b61b31</code></a>
fix: send trace origin correctly (<a
href="https://redirect.github.com/getsentry/sentry-rust/issues/906">#906</a>)</li>
<li><a
href="75a8c03de7"><code>75a8c03</code></a>
ref(tracing): use standard code attributes (<a
href="https://redirect.github.com/getsentry/sentry-rust/issues/899">#899</a>)</li>
<li><a
href="bbd667ab00"><code>bbd667a</code></a>
meta: add pull request template (<a
href="https://redirect.github.com/getsentry/sentry-rust/issues/898">#898</a>)</li>
<li><a
href="5c8ab31b61"><code>5c8ab31</code></a>
ref(tracing): rework <code>tracing</code> to Sentry span name/op
conversion (<a
href="https://redirect.github.com/getsentry/sentry-rust/issues/887">#887</a>)</li>
<li><a
href="045c2e2fed"><code>045c2e2</code></a>
feat(tracing): send both breadcrumbs and logs by default (<a
href="https://redirect.github.com/getsentry/sentry-rust/issues/878">#878</a>)</li>
<li><a
href="a5932c0295"><code>a5932c0</code></a>
fix(transport): add rate limit for logs (<a
href="https://redirect.github.com/getsentry/sentry-rust/issues/894">#894</a>)</li>
<li><a
href="280dab99be"><code>280dab9</code></a>
build(deps): bump tracing-subscriber from 0.3.19 to 0.3.20 (<a
href="https://redirect.github.com/getsentry/sentry-rust/issues/891">#891</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/getsentry/sentry-rust/compare/0.42.0...0.43.0">compare
view</a></li>
</ul>
</details>
<br />
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
---------
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Thomas Eizinger <thomas@eizinger.io>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Thomas Eizinger <thomas@eizinger.io>
Bumps [lru](https://github.com/jeromefroe/lru-rs) from 0.12.5 to 0.16.1.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/jeromefroe/lru-rs/blob/master/CHANGELOG.md">lru's
changelog</a>.</em></p>
<blockquote>
<h2><a
href="https://github.com/jeromefroe/lru-rs/tree/0.16.1">v0.16.1</a> -
2025-09-08</h2>
<ul>
<li>Fix <code>Clone</code> for unbounded cache.</li>
</ul>
<h2><a
href="https://github.com/jeromefroe/lru-rs/tree/0.16.0">v0.16.0</a> -
2025-07-02</h2>
<ul>
<li>Implement <code>Clone</code> for caches with custom hashers.</li>
</ul>
<h2><a
href="https://github.com/jeromefroe/lru-rs/tree/0.15.0">v0.15.0</a> -
2025-06-26</h2>
<ul>
<li>Return bool from <code>promote</code> and <code>demote</code> to
indicate whether key was found.</li>
</ul>
<h2><a
href="https://github.com/jeromefroe/lru-rs/tree/0.14.0">v0.14.0</a> -
2025-04-12</h2>
<ul>
<li>Use <code>NonZeroUsize::MAX</code> instead of <code>unwrap()</code>,
and update MSRV to 1.70.0.</li>
</ul>
<h2><a
href="https://github.com/jeromefroe/lru-rs/tree/0.13.0">v0.13.0</a> -
2025-01-27</h2>
<ul>
<li>Add <code>peek_mru</code> and <code>pop_mru</code> methods, upgrade
dependency on <code>hashbrown</code> to 0.15.2, and update MSRV to
1.65.0.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="c699209232"><code>c699209</code></a>
Merge pull request <a
href="https://redirect.github.com/jeromefroe/lru-rs/issues/220">#220</a>
from jeromefroe/jerome/prepare-0-16-1-release</li>
<li><a
href="2bd8207030"><code>2bd8207</code></a>
Prepare 0.16.1 release</li>
<li><a
href="1b21bf1c59"><code>1b21bf1</code></a>
Merge pull request <a
href="https://redirect.github.com/jeromefroe/lru-rs/issues/219">#219</a>
from wqfish/bk</li>
<li><a
href="3ec42b6369"><code>3ec42b6</code></a>
Fix clone implementation for unbounded cache</li>
<li><a
href="e2e3e47c33"><code>e2e3e47</code></a>
Merge pull request <a
href="https://redirect.github.com/jeromefroe/lru-rs/issues/218">#218</a>
from jeromefroe/jerome/prepare-0-16-0-release</li>
<li><a
href="17fe4f328a"><code>17fe4f3</code></a>
Prepare 0.16.0 release</li>
<li><a
href="b1b974ba35"><code>b1b974b</code></a>
Merge pull request <a
href="https://redirect.github.com/jeromefroe/lru-rs/issues/217">#217</a>
from kralverde/clone</li>
<li><a
href="20bdf9831a"><code>20bdf98</code></a>
clone all hashers</li>
<li><a
href="5ef01d3e1d"><code>5ef01d3</code></a>
Merge pull request <a
href="https://redirect.github.com/jeromefroe/lru-rs/issues/216">#216</a>
from atouchet/codecov</li>
<li><a
href="6d35290666"><code>6d35290</code></a>
Remove Codecov badge</li>
<li>Additional commits viewable in <a
href="https://github.com/jeromefroe/lru-rs/compare/0.12.5...0.16.1">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
With the fix of taking into account link-scoped routes in #10554 we
introduced a bug: If a customer defines routes in Firezone that conflict
with the link-scope ones, those currently take priority as they are
usually more specific.
To fix this, we introduce tiered routing tables controlled by a set of
rules with different priority.
1. In the first "Firezone" routing table, we add all CIDR/IP routes that
users define in Firezone.
2. In the second "Firezone" routing table, we sync in all link-scope
routes from the system.
3. In the third "Firezone" routing table, we only add the Internet
Resource if it is active.
By evaluating the routing tables in this order, we effectively always
prioritize Firezone-controlled routes over local ones but still allow
access to LAN resources when the Internet Resource is active.
---------
Signed-off-by: Thomas Eizinger <thomas@eizinger.io>
Co-authored-by: Jamil <jamilbk@users.noreply.github.com>
Bumps [serde](https://github.com/serde-rs/serde) from 1.0.223 to
1.0.228.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/serde-rs/serde/releases">serde's
releases</a>.</em></p>
<blockquote>
<h2>v1.0.228</h2>
<ul>
<li>Allow building documentation with
<code>RUSTDOCFLAGS='--cfg=docsrs'</code> set for the whole dependency
graph (<a
href="https://redirect.github.com/serde-rs/serde/issues/2995">#2995</a>)</li>
</ul>
<h2>v1.0.227</h2>
<ul>
<li>Documentation improvements (<a
href="https://redirect.github.com/serde-rs/serde/issues/2991">#2991</a>)</li>
</ul>
<h2>v1.0.226</h2>
<ul>
<li>Deduplicate variant matching logic inside generated Deserialize impl
for adjacently tagged enums (<a
href="https://redirect.github.com/serde-rs/serde/issues/2935">#2935</a>,
thanks <a
href="https://github.com/Mingun"><code>@Mingun</code></a>)</li>
</ul>
<h2>v1.0.225</h2>
<ul>
<li>Avoid triggering a deprecation warning in derived Serialize and
Deserialize impls for a data structure that contains its own
deprecations (<a
href="https://redirect.github.com/serde-rs/serde/issues/2879">#2879</a>,
thanks <a
href="https://github.com/rcrisanti"><code>@rcrisanti</code></a>)</li>
</ul>
<h2>v1.0.224</h2>
<ul>
<li>Remove private types being suggested in rustc diagnostics (<a
href="https://redirect.github.com/serde-rs/serde/issues/2979">#2979</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="a866b336f1"><code>a866b33</code></a>
Release 1.0.228</li>
<li><a
href="5adc9e816c"><code>5adc9e8</code></a>
Merge pull request <a
href="https://redirect.github.com/serde-rs/serde/issues/2995">#2995</a>
from dtolnay/rustdocflags</li>
<li><a
href="ab581789f4"><code>ab58178</code></a>
Workaround for RUSTDOCFLAGS='--cfg=docsrs'</li>
<li><a
href="415d9fc560"><code>415d9fc</code></a>
Release 1.0.227</li>
<li><a
href="7c58427e12"><code>7c58427</code></a>
Merge pull request <a
href="https://redirect.github.com/serde-rs/serde/issues/2991">#2991</a>
from dtolnay/inlinecoredoc</li>
<li><a
href="9d3410e3f4"><code>9d3410e</code></a>
Merge pull request <a
href="https://redirect.github.com/serde-rs/serde/issues/2992">#2992</a>
from dtolnay/inplaceseed</li>
<li><a
href="2fb6748bf1"><code>2fb6748</code></a>
Remove InPlaceSeed public re-export</li>
<li><a
href="f8137c79a2"><code>f8137c7</code></a>
Inline serde_core into serde in docsrs mode</li>
<li><a
href="b7dbf7e3cb"><code>b7dbf7e</code></a>
Merge pull request <a
href="https://redirect.github.com/serde-rs/serde/issues/2990">#2990</a>
from dtolnay/integer128</li>
<li><a
href="7c836915fc"><code>7c83691</code></a>
No longer macro_use integer128 module</li>
<li>Additional commits viewable in <a
href="https://github.com/serde-rs/serde/compare/v1.0.223...v1.0.228">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
In order to make the flow logs emitted by the Gateway more useful and
self-contained, we extend the `authorize_flow` message sent to the
Gateway with some more context around the Client and Actor of that flow.
In particular, we now also send the following to the Gateway:
- `client_version`
- `device_os_version`
- `device_os_name`
- `device_serial`
- `device_uuid`
- `device_identifier_for_vendor`
- `device_firebase_installation_id`
- `identity_id`
- `identity_name`
- `actor_id`
- `actor_email`
We only extend the `authorize_flow` message with these additional
properties. The legacy messages for 1.3.x Clients remain as is. For
those Clients, the above properties will be empty in the flow logs.
Resolves: #10690
---------
Signed-off-by: Thomas Eizinger <thomas@eizinger.io>
Co-authored-by: Jamil <jamilbk@users.noreply.github.com>
[//]: # (dependabot-start)
⚠️ **Dependabot is rebasing this PR** ⚠️
Rebasing might not happen immediately, so don't worry if this takes some
time.
Note: if you make any changes to this PR yourself, they will take
precedence over the rebase.
---
[//]: # (dependabot-end)
Bumps the netlink group in /rust with 3 updates:
[netlink-packet-core](https://github.com/rust-netlink/netlink-packet-core),
[netlink-packet-route](https://github.com/rust-netlink/netlink-packet-route)
and [rtnetlink](https://github.com/rust-netlink/rtnetlink).
Updates `netlink-packet-core` from 0.7.0 to 0.8.1
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/rust-netlink/netlink-packet-core/releases">netlink-packet-core's
releases</a>.</em></p>
<blockquote>
<h2>New release 0.8.1</h2>
<h3>Breaking changes</h3>
<ul>
<li>N/A</li>
</ul>
<h3>New features</h3>
<ul>
<li>N/A</li>
</ul>
<h3>Bug fixes</h3>
<ul>
<li>Revert back to paste dependency. (4447216)</li>
</ul>
<h2>New release 0.8.0</h2>
<h3>Breaking changes</h3>
<ul>
<li>Changed <code>DecodeError</code> from enum to struct. (f55d7b7,
63da36a)</li>
<li>Merged <code>netlink-packet-utils</code> into
<code>netlink-packet-core</code>. (f55d7b7, 0951455,
ba127bf, a232478, 8027f63, 41fe03d, 260e596, cc6bf08, 63da36a,
410c61d)</li>
<li>Remove dependency of byteorder crate. (16d63fb)</li>
</ul>
<h3>New features</h3>
<ul>
<li>Support zero sized done message. (100413a)</li>
</ul>
<h3>Bug fixes</h3>
<ul>
<li>N/A</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/rust-netlink/netlink-packet-core/blob/main/CHANGELOG">netlink-packet-core's
changelog</a>.</em></p>
<blockquote>
<h2>[0.8.1] - 2025-09-18</h2>
<h3>Breaking changes</h3>
<ul>
<li>N/A</li>
</ul>
<h3>New features</h3>
<ul>
<li>N/A</li>
</ul>
<h3>Bug fixes</h3>
<ul>
<li>Revert back to paste dependency. (4447216)</li>
</ul>
<h2>[0.8.0] - 2025-08-27</h2>
<h3>Breaking changes</h3>
<ul>
<li>Changed <code>DecodeError</code> from enum to struct. (f55d7b7,
63da36a)</li>
<li>Merged <code>netlink-packet-utils</code> into
<code>netlink-packet-core</code>. (f55d7b7, 0951455,
ba127bf, a232478, 8027f63, 41fe03d, 260e596, cc6bf08, 63da36a,
410c61d)</li>
<li>Remove dependency of byteorder crate. (16d63fb)</li>
</ul>
<h3>New features</h3>
<ul>
<li>Support zero sized done message. (100413a)</li>
</ul>
<h3>Bug fixes</h3>
<ul>
<li>N/A</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="e34595f54f"><code>e34595f</code></a>
New release 0.8.1</li>
<li><a
href="44472161c5"><code>4447216</code></a>
Revert back to paste dependency</li>
<li><a
href="b40f3d616f"><code>b40f3d6</code></a>
New release 0.8.0</li>
<li><a
href="46a3fee30b"><code>46a3fee</code></a>
Run cargo fmt</li>
<li><a
href="100413a1b7"><code>100413a</code></a>
Support zero sized done message</li>
<li><a
href="81b2d0f406"><code>81b2d0f</code></a>
CI: Fail to test for clippy warnings</li>
<li><a
href="663310a04c"><code>663310a</code></a>
Revert "ci: add code coverage support"</li>
<li><a
href="16d63fb0a8"><code>16d63fb</code></a>
Remove dependency of byteorder crate</li>
<li><a
href="410c61db71"><code>410c61d</code></a>
Changed Parseable to raise DecodeError</li>
<li><a
href="63da36a2fc"><code>63da36a</code></a>
Extend ErrorContext to accept <code>std::fmt::Display</code></li>
<li>Additional commits viewable in <a
href="https://github.com/rust-netlink/netlink-packet-core/compare/v0.7.0...v0.8.1">compare
view</a></li>
</ul>
</details>
<br />
Updates `netlink-packet-route` from 0.24.0 to 0.25.1
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/rust-netlink/netlink-packet-route/releases">netlink-packet-route's
releases</a>.</em></p>
<blockquote>
<h2>New release 0.25.1</h2>
<h3>Breaking changes</h3>
<ul>
<li>Set minimum supported rust version to 1.77. (6bd5418)</li>
</ul>
<h3>New features</h3>
<ul>
<li>N/A</li>
</ul>
<h3>Bug fixes</h3>
<ul>
<li>Fix compiling error on rust 1.77. (6bd5418)</li>
</ul>
<h2>New release 0.25.0</h2>
<h3>Breaking changes</h3>
<ul>
<li>Drop the dependency on <code>netlink-packet-utils</code>.
(e09acbd)</li>
<li>Add <code>non_exhaustive</code> to these bond options: (eacf67f)
<ul>
<li><code>BondArpValidate</code></li>
<li><code>BondPrimaryReselect</code></li>
<li><code>BondXmitHashPolicy</code></li>
<li><code>BondArpAllTargets</code></li>
<li><code>BondFailOverMac</code></li>
</ul>
</li>
<li>Changed <code>AfSpecInet6::AddrGenMode</code> to enum.
(7daf895)</li>
<li>Changed <code>LinkAttribute::Mode</code> to enum. (be2796c)</li>
</ul>
<h3>New features</h3>
<ul>
<li>Support <code>LWTUNNEL_ENCAP_IP6</code>. (0e49453)</li>
</ul>
<h3>Bug fixes</h3>
<ul>
<li>Expose In6AddrGenMode. (faf9d39)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/rust-netlink/netlink-packet-route/blob/main/CHANGELOG">netlink-packet-route's
changelog</a>.</em></p>
<blockquote>
<h2>[0.25.1] - 2025-08-29</h2>
<h3>Breaking changes</h3>
<ul>
<li>Set minimum supported rust version to 1.77. (6bd5418)</li>
</ul>
<h3>New features</h3>
<ul>
<li>N/A</li>
</ul>
<h3>Bug fixes</h3>
<ul>
<li>Fix compiling error on rust 1.77. (6bd5418)</li>
</ul>
<h2>[0.25.0] - 2025-08-27</h2>
<h3>Breaking changes</h3>
<ul>
<li>Drop the dependency on <code>netlink-packet-utils</code>.
(e09acbd)</li>
<li>Add <code>non_exhaustive</code> to these bond options: (eacf67f)
<ul>
<li><code>BondArpValidate</code></li>
<li><code>BondPrimaryReselect</code></li>
<li><code>BondXmitHashPolicy</code></li>
<li><code>BondArpAllTargets</code></li>
<li><code>BondFailOverMac</code></li>
</ul>
</li>
<li>Changed <code>AfSpecInet6::AddrGenMode</code> to enum.
(7daf895)</li>
<li>Changed <code>LinkAttribute::Mode</code> to enum. (be2796c)</li>
</ul>
<h3>New features</h3>
<ul>
<li>Support <code>LWTUNNEL_ENCAP_IP6</code>. (0e49453)</li>
</ul>
<h3>Bug fixes</h3>
<ul>
<li>Expose In6AddrGenMode. (faf9d39)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="e3dc02da86"><code>e3dc02d</code></a>
New release 0.25.1</li>
<li><a
href="4dfe87d7cb"><code>4dfe87d</code></a>
CI: Change MSRV test not using metric</li>
<li><a
href="6bd5418da9"><code>6bd5418</code></a>
Set minimum supported rust version to 1.77</li>
<li><a
href="a473cca426"><code>a473cca</code></a>
New release 0.25.0</li>
<li><a
href="e09acbd440"><code>e09acbd</code></a>
Use netlink-packet-core 0.8.0</li>
<li><a
href="faf9d390f2"><code>faf9d39</code></a>
Fix private In6AddrGenMode</li>
<li><a
href="eacf67f90f"><code>eacf67f</code></a>
link: Add <code>non_exhaustive</code> to bond classes</li>
<li><a
href="eef9be7e7c"><code>eef9be7</code></a>
Add example code of dumping routes</li>
<li><a
href="0e49453468"><code>0e49453</code></a>
Add support for LWTUNNEL_ENCAP_IP6</li>
<li><a
href="7daf895552"><code>7daf895</code></a>
Change AddrGenMode into enum</li>
<li>Additional commits viewable in <a
href="https://github.com/rust-netlink/netlink-packet-route/compare/v0.24.0...v0.25.1">compare
view</a></li>
</ul>
</details>
<br />
Updates `rtnetlink` from 0.17.0 to 0.18.1
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/rust-netlink/rtnetlink/releases">rtnetlink's
releases</a>.</em></p>
<blockquote>
<h2>New release 0.18.1</h2>
<h3>Breaking changes</h3>
<ul>
<li>N/A</li>
</ul>
<h3>New features</h3>
<ul>
<li>route: Support defining ECMP weight. (7fcba62)</li>
<li>route: Support defining ECMP flags. (18c4331)</li>
<li>route: allow IPv6 gateway in IPv4 route. (e1784a3)</li>
</ul>
<h3>Bug fixes</h3>
<ul>
<li>N/A</li>
</ul>
<h2>New release 0.18.0</h2>
<h3>Breaking changes</h3>
<ul>
<li>Please check <code>netlink-packet-route</code> 0.25.0 breaking
changes.</li>
<li>Please check <code>netlink-packet-core</code> 0.8.0 breaking
changes.</li>
<li>Please check <code>netlink-proto</code> 0.12.0 breaking
changes.</li>
<li>Removed <code>rtnetlink::packet_utils</code>. (9373d77)</li>
</ul>
<h3>New features</h3>
<ul>
<li>ip: Introduced <code>AddressMessageBuilder</code>. (1fe2569)</li>
<li>macsec: Introduced <code>LinkMacSec</code>. (b9dd9d9)</li>
<li>Allow the user to specify their own socket. (6547f22)</li>
<li>Allow <code>TrafficGetFilterRequest</code> to get ingress or egress
filters. (45f9206)</li>
</ul>
<h3>Bug fixes</h3>
<ul>
<li>Replace <code>impl TryStream</code> with <code>impl Stream</code>.
(513e8c3)</li>
<li>Fix android build. (3e270c6)</li>
<li>Should not set <code>NLM_F_EXCL</code> when deleting alt-name.
(7dd58dd)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/rust-netlink/rtnetlink/blob/main/CHANGELOG">rtnetlink's
changelog</a>.</em></p>
<blockquote>
<h2>[0.18.1] - 2025-09-09</h2>
<h3>Breaking changes</h3>
<ul>
<li>N/A</li>
</ul>
<h3>New features</h3>
<ul>
<li>route: Support defining ECMP weight. (7fcba62)</li>
<li>route: Support defining ECMP flags. (18c4331)</li>
<li>route: allow IPv6 gateway in IPv4 route. (e1784a3)</li>
</ul>
<h3>Bug fixes</h3>
<ul>
<li>N/A</li>
</ul>
<h2>[0.18.0] - 2025-08-27</h2>
<h3>Breaking changes</h3>
<ul>
<li>Please check <code>netlink-packet-route</code> 0.25.0 breaking
changes.</li>
<li>Please check <code>netlink-packet-core</code> 0.8.0 breaking
changes.</li>
<li>Please check <code>netlink-proto</code> 0.12.0 breaking
changes.</li>
<li>Removed <code>rtnetlink::packet_utils</code>. (9373d77)</li>
</ul>
<h3>New features</h3>
<ul>
<li>ip: Introduced <code>AddressMessageBuilder</code>. (1fe2569)</li>
<li>macsec: Introduced <code>LinkMacSec</code>. (b9dd9d9)</li>
<li>Allow the user to specify their own socket. (6547f22)</li>
<li>Allow <code>TrafficGetFilterRequest</code> to get ingress or egress
filters. (45f9206)</li>
</ul>
<h3>Bug fixes</h3>
<ul>
<li>Replace <code>impl TryStream</code> with <code>impl Stream</code>.
(513e8c3)</li>
<li>Fix android build. (3e270c6)</li>
<li>Should not set <code>NLM_F_EXCL</code> when deleting alt-name.
(7dd58dd)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="e28f321f40"><code>e28f321</code></a>
New release 0.18.1</li>
<li><a
href="18c433148d"><code>18c4331</code></a>
rotue: Add <code>RouteNextHopBuilder::flags()</code></li>
<li><a
href="e1784a308b"><code>e1784a3</code></a>
route: allow IPv6 gateway in IPv4 route</li>
<li><a
href="7fcba62c1c"><code>7fcba62</code></a>
route: Support defining ECMP weight</li>
<li><a
href="e1184c005f"><code>e1184c0</code></a>
New release 0.18.0</li>
<li><a
href="9373d773d9"><code>9373d77</code></a>
Use latest rust-netlink crates</li>
<li><a
href="96d381efa8"><code>96d381e</code></a>
Fix cargo fmt and cargo clippy warnings</li>
<li><a
href="1fe25698f4"><code>1fe2569</code></a>
Create AddressMessageBuilder</li>
<li><a
href="6485710c84"><code>6485710</code></a>
Fix document code for Macsec</li>
<li><a
href="c7598bef13"><code>c7598be</code></a>
fix format</li>
<li>Additional commits viewable in <a
href="https://github.com/rust-netlink/rtnetlink/compare/v0.17.0...v0.18.1">compare
view</a></li>
</ul>
</details>
<br />
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [secrecy](https://github.com/iqlusioninc/crates) from 0.8.0 to
0.10.3.
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/iqlusioninc/crates/commits">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Thomas Eizinger <thomas@eizinger.io>
Bumps [proptest-state-machine](https://github.com/proptest-rs/proptest)
from 0.4.0 to 0.5.0.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="2885bc2f3d"><code>2885bc2</code></a>
new releases for proptest, proptest-macro, and state-machine</li>
<li><a
href="a85563f3cc"><code>a85563f</code></a>
Merge pull request <a
href="https://redirect.github.com/proptest-rs/proptest/issues/584">#584</a>
from wojciech-graj/main</li>
<li><a
href="5331517f52"><code>5331517</code></a>
Merge pull request <a
href="https://redirect.github.com/proptest-rs/proptest/issues/596">#596</a>
from alexanderkjall/fix-arithmetic-overflow</li>
<li><a
href="157f3c083f"><code>157f3c0</code></a>
Merge pull request <a
href="https://redirect.github.com/proptest-rs/proptest/issues/595">#595</a>
from ebegumisa/main</li>
<li><a
href="02fa1fcc45"><code>02fa1fc</code></a>
changelog: add <a
href="https://redirect.github.com/proptest-rs/proptest/issues/595">#595</a></li>
<li><a
href="27fd76fbbc"><code>27fd76f</code></a>
fix for 32 bit processors</li>
<li><a
href="d1716ca7b4"><code>d1716ca</code></a>
Add <code>ReferenceStateMachine</code> arg to
<code>SystemUnderTest::teardown</code></li>
<li><a
href="ea4ddeb0a8"><code>ea4ddeb</code></a>
Merge pull request <a
href="https://redirect.github.com/proptest-rs/proptest/issues/594">#594</a>
from proptest-rs/attr-macro-preserve-arg-names</li>
<li><a
href="f80c1e6e8d"><code>f80c1e6</code></a>
fix shorthand struct initialization lint</li>
<li><a
href="b7590fa642"><code>b7590fa</code></a>
add new test for complex patterns</li>
<li>Additional commits viewable in <a
href="https://github.com/proptest-rs/proptest/compare/proptest-state-machine-0.4.0...proptest-state-machine-0.5.0">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [tokio-tungstenite](https://github.com/snapview/tokio-tungstenite)
from 0.27.0 to 0.28.0.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/snapview/tokio-tungstenite/blob/master/CHANGELOG.md">tokio-tungstenite's
changelog</a>.</em></p>
<blockquote>
<h1>0.28.0</h1>
<ul>
<li>Update <code>tungstenite</code> to <code>0.18.0</code>. See <a
href="https://github.com/snapview/tungstenite-rs/blob/master/CHANGELOG.md"><code>tungstenite</code>
release</a>.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="35d110c24c"><code>35d110c</code></a>
Implement into_inner to get the underlying stream (<a
href="https://redirect.github.com/snapview/tokio-tungstenite/issues/367">#367</a>)</li>
<li><a
href="f3ae75d1de"><code>f3ae75d</code></a>
Update <code>tungstenite</code> version and fix bugs</li>
<li><a
href="25b544e43f"><code>25b544e</code></a>
Allow getting a reference to the shared inner stream (<a
href="https://redirect.github.com/snapview/tokio-tungstenite/issues/363">#363</a>)</li>
<li>See full diff in <a
href="https://github.com/snapview/tokio-tungstenite/compare/v0.27.0...v0.28.0">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Upon moving the version string from PKG_VERSION and Cargo.toml, we lost
the bump version automation. To avoid more bugs here in the future, we
now check for the version marker across all Git-tracked files,
regardless of their extension.
Fixes#10748
---------
Co-authored-by: Thomas Eizinger <thomas@eizinger.io>
Bumps [thiserror](https://github.com/dtolnay/thiserror) from 2.0.16 to
2.0.17.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/dtolnay/thiserror/releases">thiserror's
releases</a>.</em></p>
<blockquote>
<h2>2.0.17</h2>
<ul>
<li>Use differently named __private module per patch release (<a
href="https://redirect.github.com/dtolnay/thiserror/issues/434">#434</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="72ae716e6d"><code>72ae716</code></a>
Release 2.0.17</li>
<li><a
href="599fdce83a"><code>599fdce</code></a>
Merge pull request <a
href="https://redirect.github.com/dtolnay/thiserror/issues/434">#434</a>
from dtolnay/private</li>
<li><a
href="9ec05f6b38"><code>9ec05f6</code></a>
Use differently named __private module per patch release</li>
<li><a
href="d2c492b549"><code>d2c492b</code></a>
Raise minimum tested compiler to rust 1.76</li>
<li><a
href="fc3ab9501d"><code>fc3ab95</code></a>
Opt in to generate-macro-expansion when building on docs.rs</li>
<li><a
href="819fe29dbb"><code>819fe29</code></a>
Update ui test suite to nightly-2025-09-12</li>
<li><a
href="259f48c549"><code>259f48c</code></a>
Enforce trybuild >= 1.0.108</li>
<li><a
href="470e6a681c"><code>470e6a6</code></a>
Update ui test suite to nightly-2025-08-24</li>
<li><a
href="544e191e6e"><code>544e191</code></a>
Update actions/checkout@v4 -> v5</li>
<li><a
href="cbc1ebad3e"><code>cbc1eba</code></a>
Delete duplicate cap-lints flag from build script</li>
<li>See full diff in <a
href="https://github.com/dtolnay/thiserror/compare/2.0.16...2.0.17">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [quote](https://github.com/dtolnay/quote) from 1.0.40 to 1.0.41.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/dtolnay/quote/releases">quote's
releases</a>.</em></p>
<blockquote>
<h2>1.0.41</h2>
<ul>
<li>Improve compile error when repetition contains no interpolated value
that is an iterator (<a
href="https://redirect.github.com/dtolnay/quote/issues/302">#302</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="594c865ce8"><code>594c865</code></a>
Release 1.0.41</li>
<li><a
href="68956e650b"><code>68956e6</code></a>
Merge pull request <a
href="https://redirect.github.com/dtolnay/quote/issues/302">#302</a>
from dtolnay/hasiter</li>
<li><a
href="6a69784268"><code>6a69784</code></a>
Make diagnostic attribute conditional on compiler version</li>
<li><a
href="5f1924bd99"><code>5f1924b</code></a>
Tweak CheckHasIterator error message</li>
<li><a
href="c0adb26f41"><code>c0adb26</code></a>
Add diagnostic::on_unimplemented for no iterator in repetition</li>
<li><a
href="a1ddcab61b"><code>a1ddcab</code></a>
Combine HasIterator and ThereIsNoIteratorInRepetition to one type</li>
<li><a
href="bf48c854da"><code>bf48c85</code></a>
Switch to trait for checking iterator in repetition</li>
<li><a
href="d3b4777367"><code>d3b4777</code></a>
Update ui test suite to nightly-2025-09-27</li>
<li><a
href="3e6b04d98b"><code>3e6b04d</code></a>
Raise minimum tested compiler to rust 1.76</li>
<li><a
href="07deaaf89e"><code>07deaaf</code></a>
Opt in to generate-macro-expansion when building on docs.rs</li>
<li>Additional commits viewable in <a
href="https://github.com/dtolnay/quote/compare/1.0.40...1.0.41">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
To allow for better analysis of flow logs, we embed the resource name
and its address into the flow flogs. For the Internet Resource, the name
will be displayed as "Internet` and the address is either `0.0.0.0/0` or
`::/0` depending on the IP version of the packet. For CIDR resources,
the address is the subnet and for DNS resources, it is the domain
pattern.
Resolves: #10693
This improves the secret handling inside `firezone-cli` by using the
`rpassword` crate to hide the token from stdin and using `secrecy` to
zeroize the memory afterwards. To make it easier to test locally, we add
a dry run mode for local testing, hidden behind the `FZ_DRY_RUN` env
variable.
With this PR we add `cargo-deb` to our CI pipeline and build a debian
package for the Gateway. The debian package comes with several
configuration files that make it easy for admins to start and maintain a
Gateway installation:
- The embedded systemd unit file is essentially the same one as what we
currently install with the install script with some minor modifications.
- The token is read from `/etc/firezone/gateway-token` and passed as a
systemd credential. This allows us to set the permissions for this file
to `0400` and have it owned by `root:root`.
- The configuration is read from `/etc/firezone/gateway-env`.
- Both of these changes basically mean the user should never need to
touch the unit file itself.
- The `sysusers` configuration file ensures the `firezone` user and
group are present on the system.
- The `tmpfiles` configuration file ensures the necessary directories
are present.
All of the above is automatically installed and configured using the
post-installation script which is called by `apt` once the package is
installed.
In addition to the Gateway, we also package a first version of the
`firezone-cli`. Right now, `firezone-cli` (installed as `firezone`) has
three subcommands:
- `gateway authenticate`: Asks for the Gateway's token and installs it
at `/etc/firezone/gateway-token`. The user doesn't have to know how we
manage this token and can trust that we are using safe defaults.
- `gateway enable`: Enables and starts the systemd service.
- `gateway disable`: Disables the systemd service.
Right now, the `.deb` file is only uploaded to the preview APT
repository and not attached to the release. It should therefore not yet
be user-visible unless somebody pokes around a lot, meaning we can defer
documentation to a later PR and start testing it from the preview
repository for our own purposes.
Related: #10598Resolves: #8484Resolves: #10681
Currently, the default log level for both the Gateway and the headless
Client is actually `error` which basically means no logs at all. To
avoid having to create additional configuration as part of the Debian
packages, we set the default log level to `info`.
Unix tools often write a newline at the end of a file. When using the
file's contents as a token, they need to match byte-for-byte otherwise
we cannot authenticate to the portal. To ensure that, we trim the
content from the file before creating the `SecretString`.
Thomas Eizinger