mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-01-27 18:18:55 +00:00
537295d8a3902eb6553b5aeaf1e986abc7eb045e
2317 Commits

537295d8a3 fix(rust): Downgrade fastest nameserver to DEBUG (#9071)

These run every minute and add a lot of noise to the logs.
```
May 11 18:21:14 gateway-z1w4 firezone-gateway[2007]: 2025-05-11T18:21:14.154Z INFO firezone_tunnel::io::nameserver_set: Evaluating fastest nameserver ips={127.0.0.53}
May 11 18:21:14 gateway-z1w4 firezone-gateway[2007]: 2025-05-11T18:21:14.155Z INFO firezone_tunnel::io::nameserver_set: Evaluated fastest nameserver fastest=127.0.0.53
May 11 18:22:14 gateway-z1w4 firezone-gateway[2007]: 2025-05-11T18:22:14.154Z INFO firezone_tunnel::io::nameserver_set: Evaluating fastest nameserver ips={127.0.0.53}
May 11 18:22:14 gateway-z1w4 firezone-gateway[2007]: 2025-05-11T18:22:14.155Z INFO firezone_tunnel::io::nameserver_set: Evaluated fastest nameserver fastest=127.0.0.53
May 11 18:23:14 gateway-z1w4 firezone-gateway[2007]: 2025-05-11T18:23:14.153Z INFO firezone_tunnel::io::nameserver_set: Evaluating fastest nameserver ips={127.0.0.53}
May 11 18:23:14 gateway-z1w4 firezone-gateway[2007]: 2025-05-11T18:23:14.155Z INFO firezone_tunnel::io::nameserver_set: Evaluated fastest nameserver fastest=127.0.0.53
May 11 18:24:14 gateway-z1w4 firezone-gateway[2007]: 2025-05-11T18:24:14.154Z INFO firezone_tunnel::io::nameserver_set: Evaluating fastest nameserver ips={127.0.0.53}
May 11 18:24:14 gateway-z1w4 firezone-gateway[2007]: 2025-05-11T18:24:14.155Z INFO firezone_tunnel::io::nameserver_set: Evaluated fastest nameserver fastest=127.0.0.53
May 11 18:25:14 gateway-z1w4 firezone-gateway[2007]: 2025-05-11T18:25:14.153Z INFO firezone_tunnel::io::nameserver_set: Evaluating fastest nameserver ips={127.0.0.53}
```

5566f1847f refactor(rust): move crates into a more sensical hierarchy (#9066)

The current `rust/` directory is a bit of a wild-west in terms of how the crates are organised. Most of them are simply at the top-level when in reality, they are all `connlib`-related. The Apple and Android FFI crates - which are entrypoints into the Rust code - are defined several layers deep.

To improve the situation, we move around and rename several crates. The end result is that all top-level crates / directories are:

- Either entrypoints into the Rust code, i.e. applications such as Gateway, Relay or a Client
- Or crates shared across all those entrypoints, such as `telemetry` or `logging`


3f4e004a48 fix(connlib): don't recreate DNS resource NAT for failed domains (#9064)

Before a Client can send packets to a DNS resource, the Gateway must first setup a NAT table between the IPs assigned by the Client and the IPs the domain actually resolves to. This is what we call the DNS resource NAT.

The communication for this process happens over IP through the tunnel which is an unreliable transport. To ensure that this works reliably even in the presence of packet loss on the wire, the Client uses an idempotent algorithm where it tracks the state of the NAT for each domain that it has ever assigned IPs for (i.e. received an A or AAAA query from an application). This algorithm ensures that if we don't hear anything back from the Gateway within 2s, another packet for setting up the NAT is sent as soon as we receive _any_ DNS query. This design balances efficiency (we don't try forever) with reliability (we always check all of them).

In case a domain does not resolve at all or there are resolution errors, the Gateway replies with `NatStatus::Inactive`. At present, the Client doesn't handle this in any particular way other than logging that it was not able to successfully setup the NAT.

The combination of the above results in an undesirable behaviour: If an application queries a domain without A and AAAA records once, we will keep retrying forever to resolve it upon every other DNS query issued to the system.

To fix this, we introduce `dns_resource_nat::State::Failed`. Entries in this state are ignored as part of the above algorithm and only recreated when explicitly told to do so which we only do when we receive another DNS query for this domain.

To handle the increased complexity around this system, we extract it into its own component and add a fleet of unit tests for its behaviour.

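The retry rules described in that commit (two seconds of silence means a resend on the next query of any domain; a `Failed` entry stays dormant until its own domain is queried again) as a small state tracker. This is an added example written for this page, not Firezone's `dns_resource_nat` component: the `DnsResourceNat` type, its method names and the `NatStatus::Active` variant are this example's own assumptions, and only `NatStatus::Inactive` is named by the commit.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

/// What the Gateway reports back for a NAT setup request. The commit names
/// `NatStatus::Inactive`; the `Active` variant is assumed for this example.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum NatStatus {
    Active,
    Inactive,
}

/// Client-side state of the DNS resource NAT for one domain.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum State {
    /// Setup packet sent at `sent_at`, no reply yet.
    Pending { sent_at: Instant },
    /// The Gateway confirmed the NAT entry.
    Active,
    /// The Gateway answered `Inactive`: skipped by the retry loop until the
    /// domain is queried again.
    Failed,
}

/// Resend the setup packet if the Gateway has been silent for this long.
pub const RETRY_AFTER: Duration = Duration::from_secs(2);

/// Hypothetical tracker; the real component is not shown on the page.
#[derive(Default)]
pub struct DnsResourceNat {
    entries: HashMap<String, State>,
}

impl DnsResourceNat {
    /// Called for every A/AAAA query an application issues. Returns the
    /// domains for which a NAT setup packet has to go out now (sorted, so the
    /// result is deterministic).
    pub fn on_dns_query(&mut self, domain: &str, now: Instant) -> Vec<String> {
        let mut to_send = Vec::new();

        // The queried domain itself: create the entry, or recreate a `Failed`
        // one, because a fresh query is the explicit signal to try again.
        let needs_setup = matches!(self.entries.get(domain), None | Some(State::Failed));
        if needs_setup {
            self.entries
                .insert(domain.to_owned(), State::Pending { sent_at: now });
            to_send.push(domain.to_owned());
        }

        // Idempotent retry: *any* query resends for every entry that has been
        // pending longer than `RETRY_AFTER`. `Active` and `Failed` are skipped.
        for (d, state) in self.entries.iter_mut() {
            if let State::Pending { sent_at } = state {
                if now.duration_since(*sent_at) >= RETRY_AFTER {
                    *sent_at = now;
                    to_send.push(d.clone());
                }
            }
        }

        to_send.sort();
        to_send.dedup();
        to_send
    }

    /// Called when the Gateway answers the setup packet for `domain`.
    pub fn on_gateway_response(&mut self, domain: &str, status: NatStatus) {
        if let Some(state) = self.entries.get_mut(domain) {
            *state = match status {
                NatStatus::Active => State::Active,
                NatStatus::Inactive => State::Failed,
            };
        }
    }

    pub fn state(&self, domain: &str) -> Option<State> {
        self.entries.get(domain).copied()
    }
}
```

The `Failed` state is deliberately not a timeout: a domain with no A/AAAA records would otherwise be retried on every unrelated query for as long as the Client runs.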

d80765b290 ci: explicitly bundle the tunnel service (#9065)

Currently, the Tauri build is broken on `main` because #9045 accidentally merged a bit too soon. In that PR, the two binaries that the `gui-client` crate is composed of are now both defined in `src/bin`.

For some reason, this breaks Tauri's bundler and now on aarch64, it stops including the `firezone-client-ipc` binary in the bundle. I don't fully understand why and how that even works for x64 in the first place. Nowhere in our repository can I find a configuration for the bundler as to why it should even include that binary in the first place.

To fix this, we now explicitly copy this binary into the correct path and also rebuild the `data` archive in addition to the `control` archive.


fa790b231a fix(gateway): respond with SERVFAIL for missing nameserver (#9061)

When we implemented #8350, we chose an error handling strategy that would shutdown the Gateway in case we didn't have a nameserver selected for handling those SRV and TXT queries. At the time, this was deemed to be sufficiently rare to be an adequate strategy.

We have since learned that this can indeed happen when the Gateway starts without network connectivity which is quite common when using tools such as terraform to provision infrastructure.

In #9060, we fix this by re-evaluating the fastest nameserver on a timer. This however doesn't change the error handling strategy when we don't have a working nameserver at all.

It is practically impossible to have a working Gateway yet us being unable to select a nameserver. We read them from `/etc/resolv.conf` which is what `libc` uses to also resolve the domain we connect to for the WebSocket. A working WebSocket connection is required for us to establish connections to Clients, which in turn is a precursor to us receiving DNS queries from a Client.

It causes unnecessary complexity to have a code path that can potentially terminate the Gateway, yet is practically unreachable.

To fix this situation, we remove this code path and instead reply with a DNS SERVFAIL error.

---------

Signed-off-by: Thomas Eizinger <thomas@eizinger.io>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

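A SERVFAIL reply built from the raw query bytes, which is what the Gateway now sends back when no nameserver is available. This is an added example for this page, not the Gateway's implementation; the function names and the constructed SRV query are assumptions, and the only thing relied on is the RFC 1035 message header layout (ID, flags, the four section counts, then the question section).

```rust
/// DNS RCODE for "server failure" (RFC 1035 section 4.1.1).
pub const RCODE_SERVFAIL: u8 = 2;

/// Build a SERVFAIL response for a raw DNS query message: same ID, same
/// Opcode and RD bit, QR set, RCODE=2, the question section echoed back and
/// no answer, authority or additional records. Returns `None` if the query is
/// too short to parse.
pub fn servfail_response(query: &[u8]) -> Option<Vec<u8>> {
    if query.len() < 12 {
        return None;
    }
    let qdcount = u16::from_be_bytes([query[4], query[5]]);
    let question_end = skip_questions(query, 12, qdcount)?;

    let flags_hi = query[2];
    // QR (bit 7) set; Opcode (bits 6..3) and RD (bit 0) copied; AA and TC cleared.
    let resp_hi = 0x80 | (flags_hi & 0x78) | (flags_hi & 0x01);
    // RA, Z, AD and CD cleared; RCODE in the low nibble.
    let resp_lo = RCODE_SERVFAIL;

    let mut out = Vec::with_capacity(question_end);
    out.extend_from_slice(&query[0..2]); // ID
    out.push(resp_hi);
    out.push(resp_lo);
    out.extend_from_slice(&qdcount.to_be_bytes());
    out.extend_from_slice(&[0u8, 0, 0, 0, 0, 0]); // ANCOUNT, NSCOUNT, ARCOUNT
    out.extend_from_slice(&query[12..question_end]);
    Some(out)
}

/// Advance past `count` question entries starting at `pos`; returns the offset
/// just after the last one. Compression pointers in QNAME are handled
/// defensively even though queries normally do not use them.
fn skip_questions(msg: &[u8], mut pos: usize, count: u16) -> Option<usize> {
    for _ in 0..count {
        loop {
            let len = *msg.get(pos)?;
            if len & 0xC0 == 0xC0 {
                pos += 2; // pointer: two bytes, terminates the name
                break;
            }
            pos += 1;
            if len == 0 {
                break; // root label terminates the name
            }
            pos += usize::from(len);
        }
        pos += 4; // QTYPE + QCLASS
        if pos > msg.len() {
            return None;
        }
    }
    Some(pos)
}

pub fn rcode(msg: &[u8]) -> Option<u8> {
    msg.get(3).map(|b| b & 0x0f)
}

pub fn is_response(msg: &[u8]) -> Option<bool> {
    msg.get(2).map(|b| b & 0x80 != 0)
}

/// Constructed sample: an SRV query for `_sip._tcp.example.com` with RD set,
/// the kind of query the Gateway forwards to a system nameserver.
pub fn sample_srv_query(id: u16) -> Vec<u8> {
    let mut q = Vec::new();
    q.extend_from_slice(&id.to_be_bytes());
    q.extend_from_slice(&[0x01, 0x00]); // flags: RD=1
    q.extend_from_slice(&[0u8, 1, 0, 0, 0, 0, 0, 0]); // QDCOUNT=1, others 0
    for label in ["_sip", "_tcp", "example", "com"] {
        q.push(label.len() as u8);
        q.extend_from_slice(label.as_bytes());
    }
    q.push(0); // root label
    q.extend_from_slice(&33u16.to_be_bytes()); // QTYPE = SRV
    q.extend_from_slice(&1u16.to_be_bytes()); // QCLASS = IN
    q
}
```

Echoing the question section matters: a resolver matches the response to its outstanding query by ID and question, and a reply that carries only a header is discarded by some stub resolvers, which would turn the clean SERVFAIL into a timeout.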

f70ddc9ee6 chore(connlib): filter noisy log from opentelemetry_sdk (#9062)

Opentelemetry logs a DEBUG log every time it creates a new meter. That happens fairly often now in our codebase which spams the logs on the DEBUG level.

```
2025-05-09T02:31:51.147Z DEBUG opentelemetry_sdk: name="MeterProvider.ExistingMeterReturned" meter_name="connlib"
```

We fix that by setting `opentelemetry_sdk` to default to `INFO` if it is not specified explicitly.


ac339ff63b fix(gateway): evaluate fastest nameserver every 60s (#9060)

Currently, the Gateway reads all nameservers from `/etc/resolv.conf` on startup and evaluates the fastest one to use for SRV and TXT DNS queries that are forwarded by the Client. If the machine just booted and we do not have Internet connectivity just yet, this fails which leaves the Gateway in a state where it cannot fulfill those queries.

In order to ensure we always use the fastest one and to self-heal from such situations, we add a 60s timer that refreshes this state.

Currently, this will **not** re-read the nameservers from `/etc/resolv.conf` but still use the same IPs read on startup.


33d5c32f35 fix(gateway): truncate payload of ICMP errors (#9059)

When the Gateway is handed an IP packet for a DNS resource that it cannot route, it sends back an ICMP unreachable error. According to RFC 792 [0] (for ICMPv4) and RFC 4443 [1] (for ICMPv6), parts of the original packet should be included in the ICMP error payload to allow the sending party to correlate what could not be sent.

For ICMPv4, the RFC says:

```
Internet Header + 64 bits of Data Datagram

The internet header plus the first 64 bits of the original datagram's data. This data is used by the host to match the message to the appropriate process. If a higher level protocol uses port numbers, they are assumed to be in the first 64 data bits of the original datagram's data.
```

For ICMPv6, the RFC says:

```
As much of invoking packet as possible without the ICMPv6 packet exceeding the minimum IPv6 MTU
```

[0]: https://datatracker.ietf.org/doc/html/rfc792
[1]: https://datatracker.ietf.org/doc/html/rfc4443#section-3.1

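The two truncation rules quoted above, applied to raw packet bytes. This is an added example for this page, not the Gateway's implementation; the function names and the sample IPv4/UDP datagram are constructed here. The ICMPv6 budget subtracts the outer IPv6 header (40 bytes) and the 8-byte ICMPv6 header from the 1280-byte minimum IPv6 MTU, so at most 1232 bytes of the invoking packet are echoed.

```rust
/// Minimum IPv6 MTU that every link must support (RFC 8200 section 5).
pub const IPV6_MIN_MTU: usize = 1280;
const IPV6_HEADER_LEN: usize = 40;
/// Type, code, checksum and the 4-byte type-specific field (unused / MTU / pointer).
const ICMPV6_HEADER_LEN: usize = 8;

/// RFC 792: echo the original Internet header plus the first 64 bits (8 bytes)
/// of its data. Returns `None` for anything that is not a plausible IPv4 packet.
pub fn icmpv4_error_payload(packet: &[u8]) -> Option<&[u8]> {
    let first = *packet.first()?;
    if first >> 4 != 4 {
        return None;
    }
    let ihl = usize::from(first & 0x0f) * 4;
    if ihl < 20 || packet.len() < ihl {
        return None;
    }
    // Never read past a datagram that is shorter than header + 8 bytes.
    let end = (ihl + 8).min(packet.len());
    Some(&packet[..end])
}

/// RFC 4443 section 3.1: as much of the invoking packet as fits without the
/// whole ICMPv6 message (outer IPv6 header + ICMPv6 header + this payload)
/// exceeding the minimum IPv6 MTU.
pub fn icmpv6_error_payload(packet: &[u8]) -> &[u8] {
    let budget = IPV6_MIN_MTU - IPV6_HEADER_LEN - ICMPV6_HEADER_LEN; // 1232 bytes
    &packet[..packet.len().min(budget)]
}

/// The transport ports sit in the first 64 bits of data, which is why RFC 792
/// asks for exactly that much: the sender can map the error back to a socket.
pub fn udp_ports(icmp_payload: &[u8]) -> Option<(u16, u16)> {
    let ihl = usize::from(*icmp_payload.first()? & 0x0f) * 4;
    let d = icmp_payload.get(ihl..ihl + 4)?;
    Some((u16::from_be_bytes([d[0], d[1]]), u16::from_be_bytes([d[2], d[3]])))
}

/// Constructed sample: an IPv4/UDP datagram without IP options carrying
/// `payload_len` bytes of application data. Addresses are made up for this
/// example; checksums are left zero because they play no role here.
pub fn sample_ipv4_udp_packet(payload_len: usize) -> Vec<u8> {
    let total_len = 20 + 8 + payload_len;
    let mut p = vec![0u8; total_len];
    p[0] = 0x45; // version 4, IHL 5 (20-byte header)
    p[2..4].copy_from_slice(&(total_len as u16).to_be_bytes());
    p[8] = 64; // TTL
    p[9] = 17; // protocol: UDP
    p[12..16].copy_from_slice(&[100, 64, 0, 2]); // src (constructed)
    p[16..20].copy_from_slice(&[10, 0, 0, 53]); // dst (constructed)
    p[20..22].copy_from_slice(&53000u16.to_be_bytes()); // UDP src port
    p[22..24].copy_from_slice(&53u16.to_be_bytes()); // UDP dst port
    p[24..26].copy_from_slice(&((8 + payload_len) as u16).to_be_bytes());
    p
}
```

Both functions clamp to the bytes actually present, so a truncated inner packet never makes the error message read out of bounds.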

18ec6c6860 refactor(rust): move service implementation to GUI client (#9045)

The module and crate structure around the GUI client and its background service are currently a mess of circular dependencies. Most of the service implementation actually sits in `firezone-headless-client` because the headless-client and the service share certain modules. We have recently moved most of these to `firezone-bin-shared` which is the correct place for these modules.

In order to move the background service to `firezone-gui-client`, we need to untangle a few more things in the GUI client. Those are done commit-by-commit in this PR.

With that out of the way, we can finally move the service module to the GUI client; where it should actually live given that it has nothing to do with the headless client. As a result, the headless-client is - as one would expect - really just a thin wrapper around connlib itself and is reduced down to 4 files with this PR.

To make things more consistent in the GUI client, we move the `main.rs` file also into `bin/`. By convention `bin/` is where you define binaries if a crate has more than one. cargo will then build all of them.

Eventually, we can optimise the compile-times for `firezone-gui-client` by splitting it into multiple crates:

- Shared structs like IPC messages
- Background service
- GUI client

This will be useful because it allows only re-compiling of the GUI client alone if nothing in `connlib` changes and vice versa.

Resolves: #6913
Resolves: #5754


e96fbde493 build(rust): bump stun_codec (#9044)

This brings in new versions of `stun_codec` and `bytecodec` which end up removing a duplicate dependency from our dependency tree.

Related: https://github.com/sile/bytecodec/pull/8
Related: https://github.com/sile/stun_codec


f2b1fbe718 refactor(rust): move device_id to bin-shared (#9040)

Both `device_id` and `device_info` are used by the headless-client and the GUI client / IPC service. They should therefore be defined in the `bin-shared` crate.


5ac5fc45e4 chore(gui-client): delete unused code (#9041)

Something seems to have gone wrong while rebasing #9022 and we have left some dead code behind.


c20cc779ac refactor(gui-client): inline -common crate (#9022)

In order to experiment with alternative GUI libraries, we extracted a `gui-client-common` crate that would hold GUI-library agnostic code. We've since upgraded to Tauri v2 and settled on that as the GUI framework for the Windows and Linux Firezone Clients. Therefore this abstraction is unnecessary and can be removed again.

This makes it easier to work on the GUI client and also allows the compiler to flag unused code more easily.


f11a902b3d refactor(rust): move dns-control to bin-shared (#9023)

Currently, the platform-specific code for controlling DNS resolution on a system sits in `firezone-headless-client`. This code is also used by the GUI client. This creates a weird compile-time dependency from the GUI client to the headless client.

For other components that have platform-specific implementations, we use the `firezone-bin-shared` crate. As a first step of resolving the compile-time dependency, we move the `dns_control` module to `firezone-bin-shared`.


bea57c02c4 build(deps): bump libc from 0.2.171 to 0.2.172 in /rust (#9031)

Bumps [libc](https://github.com/rust-lang/libc) from 0.2.171 to 0.2.172. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/rust-lang/libc/releases">libc's releases</a>.</em></p> <blockquote> <h2>0.2.172</h2> <h3>Added</h3> <ul> <li>Android: Add <code>getauxval</code> for 32-bit targets (<a href="https://redirect.github.com/rust-lang/libc/pull/4338">#4338</a>)</li> <li>Android: Add <code>if_tun.h</code> ioctls (<a href="https://redirect.github.com/rust-lang/libc/pull/4379">#4379</a>)</li> <li>Android: Define <code>SO_BINDTOIFINDEX</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4391">#4391</a>)</li> <li>Cygwin: Add <code>posix_spawn_file_actions_add[f]chdir[_np]</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4387">#4387</a>)</li> <li>Cygwin: Add new socket options (<a href="https://redirect.github.com/rust-lang/libc/pull/4350">#4350</a>)</li> <li>Cygwin: Add statfs & fcntl (<a href="https://redirect.github.com/rust-lang/libc/pull/4321">#4321</a>)</li> <li>FreeBSD: Add <code>filedesc</code> and <code>fdescenttbl</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4327">#4327</a>)</li> <li>Glibc: Add unstable support for _FILE_OFFSET_BITS=64 (<a href="https://redirect.github.com/rust-lang/libc/pull/4345">#4345</a>)</li> <li>Hermit: Add <code>AF_UNSPEC</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4344">#4344</a>)</li> <li>Hermit: Add <code>AF_VSOCK</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4344">#4344</a>)</li> <li>Illumos, NetBSD: Add <code>timerfd</code> APIs (<a href="https://redirect.github.com/rust-lang/libc/pull/4333">#4333</a>)</li> <li>Linux: Add <code>_IO</code>, <code>_IOW</code>, <code>_IOR</code>, <code>_IOWR</code> to the exported API (<a href="https://redirect.github.com/rust-lang/libc/pull/4325">#4325</a>)</li> <li>Linux: Add <code>tcp_info</code> to uClibc bindings (<a 
href="https://redirect.github.com/rust-lang/libc/pull/4347">#4347</a>)</li> <li>Linux: Add further BPF program flags (<a href="https://redirect.github.com/rust-lang/libc/pull/4356">#4356</a>)</li> <li>Linux: Add missing INPUT_PROP_XXX flags from <code>input-event-codes.h</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4326">#4326</a>)</li> <li>Linux: Add missing TLS bindings (<a href="https://redirect.github.com/rust-lang/libc/pull/4296">#4296</a>)</li> <li>Linux: Add more constants from <code>seccomp.h</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4330">#4330</a>)</li> <li>Linux: Add more glibc <code>ptrace_sud_config</code> and related <code>PTRACE_*ET_SYSCALL_USER_DISPATCH_CONFIG</code>. (<a href="https://redirect.github.com/rust-lang/libc/pull/4386">#4386</a>)</li> <li>Linux: Add new netlink flags (<a href="https://redirect.github.com/rust-lang/libc/pull/4288">#4288</a>)</li> <li>Linux: Define ioctl codes on more architectures (<a href="https://redirect.github.com/rust-lang/libc/pull/4382">#4382</a>)</li> <li>Linux: Add missing <code>pthread_attr_setstack</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4349">#4349</a>)</li> <li>Musl: Add missing <code>utmpx</code> API (<a href="https://redirect.github.com/rust-lang/libc/pull/4332">#4332</a>)</li> <li>Musl: Enable <code>getrandom</code> on all platforms (<a href="https://redirect.github.com/rust-lang/libc/pull/4346">#4346</a>)</li> <li>NuttX: Add more signal constants (<a href="https://redirect.github.com/rust-lang/libc/pull/4353">#4353</a>)</li> <li>QNX: Add QNX 7.1-iosock and 8.0 to list of additional cfgs (<a href="https://redirect.github.com/rust-lang/libc/pull/4169">#4169</a>)</li> <li>QNX: Add support for alternative Neutrino network stack <code>io-sock</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4169">#4169</a>)</li> <li>Redox: Add more <code>sys/socket.h</code> and <code>sys/uio.h</code> definitions (<a 
href="https://redirect.github.com/rust-lang/libc/pull/4388">#4388</a>)</li> <li>Solaris: Temporarily define <code>O_DIRECT</code> and <code>SIGINFO</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4348">#4348</a>)</li> <li>Solarish: Add <code>secure_getenv</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4342">#4342</a>)</li> <li>VxWorks: Add missing <code>d_type</code> member to <code>dirent</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4352">#4352</a>)</li> <li>VxWorks: Add missing signal-related constsants (<a href="https://redirect.github.com/rust-lang/libc/pull/4352">#4352</a>)</li> <li>VxWorks: Add more error codes (<a href="https://redirect.github.com/rust-lang/libc/pull/4337">#4337</a>)</li> </ul> <h3>Deprecated</h3> <ul> <li>FreeBSD: Deprecate <code>TCP_PCAP_OUT</code> and <code>TCP_PCAP_IN</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4381">#4381</a>)</li> </ul> <h3>Fixed</h3> <ul> <li>Cygwin: Fix member types of <code>statfs</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4324">#4324</a>)</li> <li>Cygwin: Fix tests (<a href="https://redirect.github.com/rust-lang/libc/pull/4357">#4357</a>)</li> <li>Hermit: Make <code>AF_INET = 3</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4344">#4344</a>)</li> <li>Musl: Fix the syscall table on RISC-V-32 (<a href="https://redirect.github.com/rust-lang/libc/pull/4335">#4335</a>)</li> <li>Musl: Fix the value of <code>SA_ONSTACK</code> on RISC-V-32 (<a href="https://redirect.github.com/rust-lang/libc/pull/4335">#4335</a>)</li> <li>VxWorks: Fix a typo in the <code>waitpid</code> parameter name (<a href="https://redirect.github.com/rust-lang/libc/pull/4334">#4334</a>)</li> </ul> <h3>Removed</h3> <!-- raw HTML omitted --> </blockquote> <p>... 
(truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/rust-lang/libc/blob/0.2.172/CHANGELOG.md">libc's changelog</a>.</em></p> <blockquote> <h2><a href="https://github.com/rust-lang/libc/compare/0.2.171...0.2.172">0.2.172</a> - 2025-04-14</h2> <h3>Added</h3> <ul> <li>Android: Add <code>getauxval</code> for 32-bit targets (<a href="https://redirect.github.com/rust-lang/libc/pull/4338">#4338</a>)</li> <li>Android: Add <code>if_tun.h</code> ioctls (<a href="https://redirect.github.com/rust-lang/libc/pull/4379">#4379</a>)</li> <li>Android: Define <code>SO_BINDTOIFINDEX</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4391">#4391</a>)</li> <li>Cygwin: Add <code>posix_spawn_file_actions_add[f]chdir[_np]</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4387">#4387</a>)</li> <li>Cygwin: Add new socket options (<a href="https://redirect.github.com/rust-lang/libc/pull/4350">#4350</a>)</li> <li>Cygwin: Add statfs & fcntl (<a href="https://redirect.github.com/rust-lang/libc/pull/4321">#4321</a>)</li> <li>FreeBSD: Add <code>filedesc</code> and <code>fdescenttbl</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4327">#4327</a>)</li> <li>Glibc: Add unstable support for _FILE_OFFSET_BITS=64 (<a href="https://redirect.github.com/rust-lang/libc/pull/4345">#4345</a>)</li> <li>Hermit: Add <code>AF_UNSPEC</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4344">#4344</a>)</li> <li>Hermit: Add <code>AF_VSOCK</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4344">#4344</a>)</li> <li>Illumos, NetBSD: Add <code>timerfd</code> APIs (<a href="https://redirect.github.com/rust-lang/libc/pull/4333">#4333</a>)</li> <li>Linux: Add <code>_IO</code>, <code>_IOW</code>, <code>_IOR</code>, <code>_IOWR</code> to the exported API (<a href="https://redirect.github.com/rust-lang/libc/pull/4325">#4325</a>)</li> <li>Linux: Add <code>tcp_info</code> to uClibc bindings (<a 
href="https://redirect.github.com/rust-lang/libc/pull/4347">#4347</a>)</li> <li>Linux: Add further BPF program flags (<a href="https://redirect.github.com/rust-lang/libc/pull/4356">#4356</a>)</li> <li>Linux: Add missing INPUT_PROP_XXX flags from <code>input-event-codes.h</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4326">#4326</a>)</li> <li>Linux: Add missing TLS bindings (<a href="https://redirect.github.com/rust-lang/libc/pull/4296">#4296</a>)</li> <li>Linux: Add more constants from <code>seccomp.h</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4330">#4330</a>)</li> <li>Linux: Add more glibc <code>ptrace_sud_config</code> and related <code>PTRACE_*ET_SYSCALL_USER_DISPATCH_CONFIG</code>. (<a href="https://redirect.github.com/rust-lang/libc/pull/4386">#4386</a>)</li> <li>Linux: Add new netlink flags (<a href="https://redirect.github.com/rust-lang/libc/pull/4288">#4288</a>)</li> <li>Linux: Define ioctl codes on more architectures (<a href="https://redirect.github.com/rust-lang/libc/pull/4382">#4382</a>)</li> <li>Linux: Add missing <code>pthread_attr_setstack</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4349">#4349</a>)</li> <li>Musl: Add missing <code>utmpx</code> API (<a href="https://redirect.github.com/rust-lang/libc/pull/4332">#4332</a>)</li> <li>Musl: Enable <code>getrandom</code> on all platforms (<a href="https://redirect.github.com/rust-lang/libc/pull/4346">#4346</a>)</li> <li>NuttX: Add more signal constants (<a href="https://redirect.github.com/rust-lang/libc/pull/4353">#4353</a>)</li> <li>QNX: Add QNX 7.1-iosock and 8.0 to list of additional cfgs (<a href="https://redirect.github.com/rust-lang/libc/pull/4169">#4169</a>)</li> <li>QNX: Add support for alternative Neutrino network stack <code>io-sock</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4169">#4169</a>)</li> <li>Redox: Add more <code>sys/socket.h</code> and <code>sys/uio.h</code> definitions (<a 
href="https://redirect.github.com/rust-lang/libc/pull/4388">#4388</a>)</li> <li>Solaris: Temporarily define <code>O_DIRECT</code> and <code>SIGINFO</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4348">#4348</a>)</li> <li>Solarish: Add <code>secure_getenv</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4342">#4342</a>)</li> <li>VxWorks: Add missing <code>d_type</code> member to <code>dirent</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4352">#4352</a>)</li> <li>VxWorks: Add missing signal-related constsants (<a href="https://redirect.github.com/rust-lang/libc/pull/4352">#4352</a>)</li> <li>VxWorks: Add more error codes (<a href="https://redirect.github.com/rust-lang/libc/pull/4337">#4337</a>)</li> </ul> <h3>Deprecated</h3> <ul> <li>FreeBSD: Deprecate <code>TCP_PCAP_OUT</code> and <code>TCP_PCAP_IN</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4381">#4381</a>)</li> </ul> <h3>Fixed</h3> <ul> <li>Cygwin: Fix member types of <code>statfs</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4324">#4324</a>)</li> <li>Cygwin: Fix tests (<a href="https://redirect.github.com/rust-lang/libc/pull/4357">#4357</a>)</li> <li>Hermit: Make <code>AF_INET = 3</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4344">#4344</a>)</li> <li>Musl: Fix the syscall table on RISC-V-32 (<a href="https://redirect.github.com/rust-lang/libc/pull/4335">#4335</a>)</li> <li>Musl: Fix the value of <code>SA_ONSTACK</code> on RISC-V-32 (<a href="https://redirect.github.com/rust-lang/libc/pull/4335">#4335</a>)</li> <li>VxWorks: Fix a typo in the <code>waitpid</code> parameter name (<a href="https://redirect.github.com/rust-lang/libc/pull/4334">#4334</a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="


5c9dd439e2 chore(rust): filter spammy WinTUN errors in the sentry_layer (#9036)

By default, we send all WARN and ERROR logs to Sentry. This also includes logs emitted via the `log` crate via a facade that `tracing` installs. The wintun-rs bindings install such a logger in the native WinTUN code.

The WinTUN code has a bug where it doesn't handle adapter removal idempotently. That is, if the adapter has already been removed it logs an error instead of succeeding.

Typically, such logs can easily be suppressed in Sentry. In this case however, Sentry fails to group these different logs together because WinTUN's error message contains a path to a temporary directory which is different every time it gets executed. As such, these logs spam our Sentry instance with no way for us to disable them with existing tools.

The WireGuard mailing list for WinTUN also appears to be dead. We attempted to contact the list in February and have not received a reply yet. The last archive goes back to November 2024 [0].

We use WinTUN as a prebuilt and signed DLL so we also cannot meaningfully patch this on our end without upstreaming it.

Thus, as a last resort, we add some infrastructure to our logging setup that allows us to client-side filter events based on certain patterns of the message and a log level.

[0]: https://lists.zx2c4.com/pipermail/wireguard/

---------

Signed-off-by: Thomas Eizinger <thomas@eizinger.io>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>


005b6fe863 feat(windows): optimise network change detection (#9021)

Presently, the network change detection on Windows is very naive and simply emits a change event every time _anything_ changes. We can optimise this and therefore improve the start-up time of Firezone by:

- Filtering out duplicate events
- Filtering out network change events for our own network adapter

This reduces the number of network change events to 1 during startup. As far as I can tell from the code comments in this area, we explicitly send this one to ensure we don't run into a race condition whilst we are starting up.

Resolves: #8905


806996c245 refactor(rust): move signals to bin-shared (#9024)

The `signals` module isn't something headless-client specific and should live in our `bin-shared` crate. Once the `ipc_service` module is decoupled from the headless-client crate, it will be used by both the headless client and IPC service (which then will be defined in the GUI client crate).


ce51c40d0d refactor(rust): move known_dirs to bin-shared (#9026)

The `known_dirs` module is used across the headless-client and the GUI client. It should live in `bin-shared` where all the other cross-platform modules are.

---------

Signed-off-by: Thomas Eizinger <thomas@eizinger.io>


2c467f7b4e build(deps): bump anyhow from 1.0.97 to 1.0.98 in /rust (#9033)

Bumps [anyhow](https://github.com/dtolnay/anyhow) from 1.0.97 to 1.0.98. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/dtolnay/anyhow/releases">anyhow's releases</a>.</em></p> <blockquote> <h2>1.0.98</h2> <ul> <li>Add <a href="https://docs.rs/anyhow/1/anyhow/struct.Error.html#method.into_boxed_dyn_error"><code>self.into_boxed_dyn_error()</code></a> and <a href="https://docs.rs/anyhow/1/anyhow/struct.Error.html#method.reallocate_into_boxed_dyn_error_without_backtrace"><code>self.reallocate_into_boxed_dyn_error_without_backtrace()</code></a> methods for anyhow::Error (<a href="https://redirect.github.com/dtolnay/anyhow/issues/415">#415</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="


eed093710a build(deps): bump tokio-util from 0.7.13 to 0.7.15 in /rust (#9032)

Bumps [tokio-util](https://github.com/tokio-rs/tokio) from 0.7.13 to 0.7.15. <details> <summary>Commits</summary> <ul> <li><a href="


1294e20859 build(deps): bump clap from 4.5.34 to 4.5.37 in /rust (#9030)

Bumps [clap](https://github.com/clap-rs/clap) from 4.5.34 to 4.5.37. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/clap-rs/clap/releases">clap's releases</a>.</em></p> <blockquote> <h2>v4.5.37</h2> <h2>[4.5.37] - 2025-04-18</h2> <h3>Features</h3> <ul> <li>Added <code>ArgMatches::try_clear_id()</code></li> </ul> <h2>v4.5.36</h2> <h2>[4.5.36] - 2025-04-11</h2> <h3>Fixes</h3> <ul> <li><em>(help)</em> Revert 4.5.35's "Don't leave space for shorts if there are none" for now</li> </ul> <h2>v4.5.35</h2> <h2>[4.5.35] - 2025-04-01</h2> <h3>Fixes</h3> <ul> <li><em>(help)</em> Align positionals and flags when put in the same <code>help_heading</code></li> <li><em>(help)</em> Don't leave space for shorts if there are none</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/clap-rs/clap/blob/master/CHANGELOG.md">clap's changelog</a>.</em></p> <blockquote> <h2>[4.5.37] - 2025-04-18</h2> <h3>Features</h3> <ul> <li>Added <code>ArgMatches::try_clear_id()</code></li> </ul> <h2>[4.5.36] - 2025-04-11</h2> <h3>Fixes</h3> <ul> <li><em>(help)</em> Revert 4.5.35's "Don't leave space for shorts if there are none" for now</li> </ul> <h2>[4.5.35] - 2025-04-01</h2> <h3>Fixes</h3> <ul> <li><em>(help)</em> Align positionals and flags when put in the same <code>help_heading</code></li> <li><em>(help)</em> Don't leave space for shorts if there are none</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="


37529803ce build(rust): bump otel ecosystem crates to 0.29 (#9029)


80335676b1 refactor(rust): move uptime to bin-shared (#9027)

The `uptime` module from `firezone-headless-client` is also used in the GUI client. In order to decouple this dependency, we move the module to `bin-shared`, next to the other cross-platform modules.


2d802edf6a fix(connlib): _always_ use one IP stack for relayed connections (#9018)

At the moment, Firezone already attempts to prefer the same IP stack across relayed connections all the way through to the Gateway. This is achieved with a feature in str0m implemented in https://github.com/algesten/str0m/pull/640 where the `IceAgent` computes the local preference of an added candidate such that an IPv4 candidate allocated over an IPv4 network has a higher preference than an IPv6 candidate allocated over an IPv4 network.

If a candidate gets accepted by the local agent, it is signaled to the remote via our control protocol. The remote peer then adds the candidate as a remote candidate and the ICE process starts by pairing them with local ones and testing connectivity.

Currently, str0m's API consumes the candidate and only returns a `bool` whether it should be signaled to the remote. This means the local preference computed as part of `add_local_candidate` **is not** reflected in the priority of the candidate sent to the remote. As a result, if the controlled agent (i.e. the Gateway) is behind symmetric NAT and therefore only has relay candidates available, the preference of IPv4 over IPv6 candidates on an IPv4 network is lost. This is what we are seeing in #8998.

This changes with https://github.com/algesten/str0m/pull/650 being merged to `main` which we are updating to with this PR. Now, `add_local_candidate` returns an `Option<&Candidate>` which has been modified with the local preference of the `IceAgent` around the preferred IP stack of relay candidates. As such, the priority calculated and signaled to the remote embeds this information and will be taken into account by the controlling agent (i.e. the Client) when nominating a pair.

Resolves: #8998

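Why the signaled priority has to carry the local preference, worked through with the RFC 8445 formulas: the controlling agent ranks candidate pairs from the priorities it received, so a preference that only lives inside the controlled agent never influences nomination. This is an added example for this page, not str0m's code; the two local-preference values and the scenario (a Client host candidate against a Gateway that, behind symmetric NAT, offers only an IPv4 and an IPv6 relay candidate, both allocated over an IPv4 network) are assumptions.

```rust
/// Candidate types with the type preferences RFC 8445 section 5.1.2.2 recommends.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum CandidateType {
    Host,
    PeerReflexive,
    ServerReflexive,
    Relayed,
}

impl CandidateType {
    pub fn type_preference(self) -> u32 {
        match self {
            CandidateType::Host => 126,
            CandidateType::PeerReflexive => 110,
            CandidateType::ServerReflexive => 100,
            CandidateType::Relayed => 0,
        }
    }
}

/// RFC 8445 section 5.1.2.1:
/// priority = 2^24 * type-pref + 2^8 * local-pref + (256 - component-id)
pub fn candidate_priority(kind: CandidateType, local_preference: u16, component_id: u8) -> u32 {
    (kind.type_preference() << 24)
        + (u32::from(local_preference) << 8)
        + (256 - u32::from(component_id))
}

/// RFC 8445 section 6.1.2.3: pair priority from the controlling agent's
/// candidate priority G and the controlled agent's D.
pub fn pair_priority(controlling: u32, controlled: u32) -> u64 {
    let (g, d) = (u64::from(controlling), u64::from(controlled));
    (1u64 << 32) * g.min(d) + 2 * g.max(d) + u64::from(g > d)
}

/// Assumed local preferences for this example: a relay candidate whose IP
/// stack matches the network it was allocated over ranks above one that does
/// not. The concrete numbers are not str0m's.
pub const LOCAL_PREF_SAME_STACK: u16 = 65535;
pub const LOCAL_PREF_OTHER_STACK: u16 = 65000;

/// Which Gateway relay candidate ends up in the best pair on the Client.
/// `signal_local_pref` models whether the priority signaled to the Client
/// embeds the Gateway's IP-stack preference (the fix) or only the default
/// local preference (the bug).
pub fn nominated_relay(signal_local_pref: bool) -> &'static str {
    // Client (controlling): one host candidate, RTP component 1.
    let client_host = candidate_priority(CandidateType::Host, 65535, 1);

    // Gateway (controlled), behind symmetric NAT: only relay candidates, one
    // IPv4 and one IPv6, both allocated over an IPv4 network.
    let ipv6_pref = if signal_local_pref {
        LOCAL_PREF_OTHER_STACK
    } else {
        LOCAL_PREF_SAME_STACK
    };
    let relay_v4 = candidate_priority(CandidateType::Relayed, LOCAL_PREF_SAME_STACK, 1);
    let relay_v6 = candidate_priority(CandidateType::Relayed, ipv6_pref, 1);

    let pair_v4 = pair_priority(client_host, relay_v4);
    let pair_v6 = pair_priority(client_host, relay_v6);

    if pair_v4 > pair_v6 {
        "ipv4-relay"
    } else if pair_v6 > pair_v4 {
        "ipv6-relay"
    } else {
        "tie"
    }
}
```

With the default local preference on both relay candidates the two pairs are exactly equal in priority, and which one gets nominated is left to connectivity-check timing, which is the non-deterministic IP-stack choice the commit fixes.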

56a4cad124 fix(connlib): ensure ICE timing config applies immediately (#9014)

When there is no traffic going through the tunnel, Firezone switches into a low-power mode where it only sends STUN bindings every 60s. As soon as we see traffic, we move out of this low-power mode to detect connectivity problems early.

Applying this new timing config however does not clear some internal caches in `str0m` and therefore, it can take up to the previously set timeout value until str0m actually picks up on the new timers.

This is being fixed in https://github.com/algesten/str0m/pull/649. Until that is merged, we depend on our fork that has these changes merged already.

Resolves: #8999

|
|
5fc55ed357 |
build(deps): bump the aya group in /rust with 5 updates (#8993)
Bumps the aya group in /rust with 5 updates: | Package | From | To | | --- | --- | --- | | [aya](https://github.com/aya-rs/aya) | ``c65a200`` | ``583709f`` | | [aya-build](https://github.com/aya-rs/aya) | ``c65a200`` | ``583709f`` | | [aya-ebpf](https://github.com/aya-rs/aya) | ``c65a200`` | ``583709f`` | | [aya-log](https://github.com/aya-rs/aya) | ``c65a200`` | ``583709f`` | | [aya-log-ebpf](https://github.com/aya-rs/aya) | ``c65a200`` | ``583709f`` | Updates `aya` from `c65a200` to `583709f` <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
6e0e7343ba | chore: release Apple & Gateway with ECN fix (#9013) | ||
|
|
0aab954fa9 |
fix(connlib): never clear ECT from IP packets (#9009)
ECN information is helpful to allow the congestion controllers to more easily fine-tune their send and receive windows. When a Firezone Client receives an IP packet where the ECN bits signal an ECN capable transport, we mirror this bit on the UDP datagram that carries the encrypted IP packet. When receiving a datagram with ECN bits set, the Gateway will then apply these bits to the decrypted IP packet and pass it along towards its destination. This implementation is unfortunately a bit too naive. Not all devices on the Internet support ECN and therefore, we may receive a datagram that has its ECN bits cleared when the ECN bits on the inner IP packet still signal an ECN capable transport. In this case, we should _not_ override the ECN bits and instead pass the IP packet along as is. Network devices along the path between Gateway and Resource may still use these ECN bits to signal congestion. We fix this by making the `with_ecn` function on `IpPacket` private. It is not meant to be used outside of the module. We supersede it with a `with_ecn_from_transport` function that implements the above logic. --------- Signed-off-by: Thomas Eizinger <thomas@eizinger.io> Co-authored-by: Jamil <jamilbk@users.noreply.github.com> |
||
|
|
43c4c5f91b |
feat(gateway): add CLI flag to validate checksums of all packets (#9007)
Validating checksums can be expensive so this is off by default. The intent is to turn it on in our staging environment so we can detect bugs in our packet handling code during testing. |
||
|
|
471483f5d8 |
fix(connlib): update checksum after setting ECN information (#9005)
When setting ECN information on an IP packet, the header changes and therefore, we need to update the IP checksum. macOS attempts to open TCP connections with ECN information but will fall back to non-ECT if it detects packet loss. Failing to update the checksums caused the packet to get dropped at the remote TCP stack and therefore triggered a retransmission on the macOS side. Related: #8899 |
||
|
|
0fd14b993b |
chore(connlib): buffer most recent TCP SYN (#9004)
When establishing connections that take longer than the TCP RTO, we may see duplicate TCP SYNs. Those have different timestamps from each other but are otherwise equal. To provide more accurate timing information to the TCP stack, we now keep the latest TCP SYN around instead of the very first one. |
||
|
|
79c05dc881 |
build(deps): bump resolv-conf from 0.7.1 to 0.7.3 in /rust (#8996)
Bumps [resolv-conf](https://github.com/hickory-dns/resolv-conf) from 0.7.1 to 0.7.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/hickory-dns/resolv-conf/releases">resolv-conf's releases</a>.</em></p> <blockquote> <h2>0.7.3</h2> <h2>What's Changed</h2> <ul> <li>Bump version and add dummy / compat "system" feature by <a href="https://github.com/decathorpe"><code>@decathorpe</code></a> in <a href="https://redirect.github.com/hickory-dns/resolv-conf/pull/48">hickory-dns/resolv-conf#48</a></li> </ul> <h2>0.7.2</h2> <h2>What's Changed</h2> <ul> <li>Replace external crate with inline code by <a href="https://github.com/Jake-Shadle"><code>@Jake-Shadle</code></a> in <a href="https://redirect.github.com/hickory-dns/resolv-conf/pull/44">hickory-dns/resolv-conf#44</a></li> <li>Hostname tweaks by <a href="https://github.com/djc"><code>@djc</code></a> in <a href="https://redirect.github.com/hickory-dns/resolv-conf/pull/45">hickory-dns/resolv-conf#45</a></li> <li>Style updates by <a href="https://github.com/djc"><code>@djc</code></a> in <a href="https://redirect.github.com/hickory-dns/resolv-conf/pull/46">hickory-dns/resolv-conf#46</a></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
5af50f4f6d |
build(deps): bump chrono from 0.4.39 to 0.4.41 in /rust (#8994)
Bumps [chrono](https://github.com/chronotope/chrono) from 0.4.39 to 0.4.41. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/chronotope/chrono/releases">chrono's releases</a>.</em></p> <blockquote> <h2>v0.4.41</h2> <h2>What's Changed</h2> <ul> <li>Add <code>subsec_micros</code> and <code>subsec_millis</code> methods to <code>TimeDelta</code> by <a href="https://github.com/ggoetz"><code>@ggoetz</code></a> in <a href="https://redirect.github.com/chronotope/chrono/pull/1668">chronotope/chrono#1668</a></li> <li>Deprecate <code>NaiveDateTime::UNIX_EPOCH</code> by <a href="https://github.com/robertbastian"><code>@robertbastian</code></a> in <a href="https://redirect.github.com/chronotope/chrono/pull/1670">chronotope/chrono#1670</a></li> <li>Implement <code>as_seconds_f32</code> and <code>as_seconds_f64</code> for <code>TimeDelta</code> by <a href="https://github.com/ggoetz"><code>@ggoetz</code></a> in <a href="https://redirect.github.com/chronotope/chrono/pull/1671">chronotope/chrono#1671</a></li> <li>chore: fix some comments by <a href="https://github.com/jimmycathy"><code>@jimmycathy</code></a> in <a href="https://redirect.github.com/chronotope/chrono/pull/1677">chronotope/chrono#1677</a></li> <li>Add <code>num_days_in_month</code> method to <code>Datelike</code> trait by <a href="https://github.com/aslilac"><code>@aslilac</code></a> in <a href="https://redirect.github.com/chronotope/chrono/pull/1673">chronotope/chrono#1673</a></li> <li>add <code>WeekdaySet</code>, a collection of <code>Weekday</code> that is <code>Copy</code> by <a href="https://github.com/Kinrany"><code>@Kinrany</code></a> in <a href="https://redirect.github.com/chronotope/chrono/pull/1676">chronotope/chrono#1676</a></li> <li>WeekdaySet tweaks by <a href="https://github.com/djc"><code>@djc</code></a> in <a href="https://redirect.github.com/chronotope/chrono/pull/1680">chronotope/chrono#1680</a></li> <li>Upgrade to windows-bindgen 0.61 by <a 
href="https://github.com/djc"><code>@djc</code></a> in <a href="https://redirect.github.com/chronotope/chrono/pull/1682">chronotope/chrono#1682</a></li> <li>Implemented a consistent Eq trait for NaiveWeek by <a href="https://github.com/Splashling1789"><code>@Splashling1789</code></a> in <a href="https://redirect.github.com/chronotope/chrono/pull/1687">chronotope/chrono#1687</a></li> <li>TimeZone::from_posix_tz: Treat empty TZ variable as UTC by <a href="https://github.com/drinkcat"><code>@drinkcat</code></a> in <a href="https://redirect.github.com/chronotope/chrono/pull/1691">chronotope/chrono#1691</a></li> <li>Add support for lossy format strings by <a href="https://github.com/Qelxiros"><code>@Qelxiros</code></a> in <a href="https://redirect.github.com/chronotope/chrono/pull/1693">chronotope/chrono#1693</a></li> </ul> <h2>0.4.40</h2> <h2>What's Changed</h2> <ul> <li>Add Month::num_days() by <a href="https://github.com/djc"><code>@djc</code></a> in <a href="https://redirect.github.com/chronotope/chrono/pull/1645">chronotope/chrono#1645</a></li> <li>Update Windows dependencies by <a href="https://github.com/kennykerr"><code>@kennykerr</code></a> in <a href="https://redirect.github.com/chronotope/chrono/pull/1646">chronotope/chrono#1646</a></li> <li>Feature/round_up method on DurationRound trait by <a href="https://github.com/MagnumTrader"><code>@MagnumTrader</code></a> in <a href="https://redirect.github.com/chronotope/chrono/pull/1651">chronotope/chrono#1651</a></li> <li>Expose <code>write_to</code> for <code>DelayedFormat</code> by <a href="https://github.com/tugtugtug"><code>@tugtugtug</code></a> in <a href="https://redirect.github.com/chronotope/chrono/pull/1654">chronotope/chrono#1654</a></li> <li>Update LICENSE.txt by <a href="https://github.com/maximevtush"><code>@maximevtush</code></a> in <a href="https://redirect.github.com/chronotope/chrono/pull/1656">chronotope/chrono#1656</a></li> <li>docs: fix minor typo by <a 
href="https://github.com/samfolo"><code>@samfolo</code></a> in <a href="https://redirect.github.com/chronotope/chrono/pull/1659">chronotope/chrono#1659</a></li> <li>Use NaiveDateTime for internal tz_info methods. by <a href="https://github.com/AVee"><code>@AVee</code></a> in <a href="https://redirect.github.com/chronotope/chrono/pull/1658">chronotope/chrono#1658</a></li> <li>Upgrade to windows-bindgen 0.60 by <a href="https://github.com/djc"><code>@djc</code></a> in <a href="https://redirect.github.com/chronotope/chrono/pull/1665">chronotope/chrono#1665</a></li> <li>Add quarter (%q) date string specifier by <a href="https://github.com/drinkcat"><code>@drinkcat</code></a> in <a href="https://redirect.github.com/chronotope/chrono/pull/1666">chronotope/chrono#1666</a></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
b463439093 |
build(deps): bump serde from 1.0.217 to 1.0.219 in /rust (#8995)
Bumps [serde](https://github.com/serde-rs/serde) from 1.0.217 to 1.0.219. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/serde-rs/serde/releases">serde's releases</a>.</em></p> <blockquote> <h2>v1.0.219</h2> <ul> <li>Prevent <code>absolute_paths</code> Clippy restriction being triggered inside macro-generated code (<a href="https://redirect.github.com/serde-rs/serde/issues/2906">#2906</a>, thanks <a href="https://github.com/davidzeng0"><code>@davidzeng0</code></a>)</li> </ul> <h2>v1.0.218</h2> <ul> <li>Documentation improvements</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
497f8a7f8a |
ci(rust): make compile-packages opt-out from workspace (#8979)
Instead of explicitly listing every package we want to compile, attempt to compile the entire workspace and exclude the ones we know won't work on Windows. |
||
|
|
b08510100e |
build(deps): bump the tailwind group in /rust/gui-client with 2 updates (#8964)
Bumps the tailwind group in /rust/gui-client with 2 updates: [@tailwindcss/cli](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-cli) and [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss). Updates `@tailwindcss/cli` from 4.1.4 to 4.1.5 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/tailwindlabs/tailwindcss/releases"><code>@tailwindcss/cli</code>'s releases</a>.</em></p> <blockquote> <h2>v4.1.5</h2> <h3>Added</h3> <ul> <li>Support using <code>@tailwindcss/upgrade</code> to upgrade between versions of v4.* (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/17717">#17717</a>)</li> <li>Add <code>h-lh</code> / <code>min-h-lh</code> / <code>max-h-lh</code> utilities (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/17790">#17790</a>)</li> <li>Transition <code>display</code>, <code>visibility</code>, <code>content-visibility</code>, <code>overlay</code>, and <code>pointer-events</code> when using <code>transition</code> to simplify <code>@starting-style</code> usage (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/17812">#17812</a>)</li> </ul> <h3>Fixed</h3> <ul> <li>Don't scan <code>.geojson</code> or <code>.db</code> files for classes by default (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/17700">#17700</a>, <a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/17711">#17711</a>)</li> <li>Hide default shadow suggestions when missing default shadow theme keys (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/17743">#17743</a>)</li> <li>Replace <code>_</code> with <code>.</code> in theme suggestions for <code>@utility</code> if surrounded by digits (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/17733">#17733</a>)</li> <li>Skip <code>color-mix(…)</code> when opacity is <code>100%</code> (<a 
href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/17815">#17815</a>)</li> <li>PostCSS: Ensure that errors in imported stylesheets are recoverable (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/17754">#17754</a>)</li> <li>Upgrade: Bump all Tailwind CSS related dependencies during upgrade (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/17763">#17763</a>)</li> <li>Upgrade: Don't add <code>-</code> to variants starting with <code>@</code> (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/17814">#17814</a>)</li> <li>Upgrade: Don't format stylesheets that didn't change when upgrading (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/17824">#17824</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md"><code>@tailwindcss/cli</code>'s changelog</a>.</em></p> <blockquote> <h2>[4.1.5] - 2025-04-30</h2> <h3>Added</h3> <ul> <li>Support using <code>@tailwindcss/upgrade</code> to upgrade between versions of v4.* (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/17717">#17717</a>)</li> <li>Add <code>h-lh</code> / <code>min-h-lh</code> / <code>max-h-lh</code> utilities (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/17790">#17790</a>)</li> <li>Transition <code>display</code>, <code>visibility</code>, <code>content-visibility</code>, <code>overlay</code>, and <code>pointer-events</code> when using <code>transition</code> to simplify <code>@starting-style</code> usage (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/17812">#17812</a>)</li> </ul> <h3>Fixed</h3> <ul> <li>Don't scan <code>.geojson</code> or <code>.db</code> files for classes by default (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/17700">#17700</a>, <a 
href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/17711">#17711</a>)</li> <li>Hide default shadow suggestions when missing default shadow theme keys (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/17743">#17743</a>)</li> <li>Replace <code>_</code> with <code>.</code> in theme suggestions for <code>@utility</code> if surrounded by digits (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/17733">#17733</a>)</li> <li>Skip <code>color-mix(…)</code> when opacity is <code>100%</code> (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/17815">#17815</a>)</li> <li>PostCSS: Ensure that errors in imported stylesheets are recoverable (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/17754">#17754</a>)</li> <li>Upgrade: Bump all Tailwind CSS related dependencies during upgrade (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/17763">#17763</a>)</li> <li>Upgrade: Don't add <code>-</code> to variants starting with <code>@</code> (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/17814">#17814</a>)</li> <li>Upgrade: Don't format stylesheets that didn't change when upgrading (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/17824">#17824</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
a2b4928ee7 |
build(deps-dev): bump @types/node from 22.14.1 to 22.15.3 in /rust/gui-client (#8965)
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 22.14.1 to 22.15.3. <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. 
You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
ea5709e8da |
chore(rust): initialise OTEL with useful metadata (#8945)
Once we start collecting metrics across various Clients and Gateways, these metrics need to be tagged with the correct `service.name`, `service.version` as well as an instance ID to differentiate metrics from different instances. |
||
|
|
8233db4d00 |
chore(connlib): bump quinn-udp (#8954)
The latest release includes our upstreamed fix for handling `segment_size` > `contents.len()` and therefore our local workaround is no longer necessary. |
||
|
|
1ff545814d |
build(deps-dev): bump vite from 6.3.2 to 6.3.4 in /rust/gui-client in the npm_and_yarn group (#8949)
Bumps the npm_and_yarn group in /rust/gui-client with 1 update: [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite). Updates `vite` from 6.3.2 to 6.3.4 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/vitejs/vite/releases">vite's releases</a>.</em></p> <blockquote> <h2>v6.3.4</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v6.3.4/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v6.3.3</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v6.3.3/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md">vite's changelog</a>.</em></p> <blockquote> <h2><!-- raw HTML omitted -->6.3.4 (2025-04-30)<!-- raw HTML omitted --></h2> <ul> <li>fix: check static serve file inside sirv (<a href="https://github.com/vitejs/vite/tree/HEAD/packages/vite/issues/19965">#19965</a>) (<a href=" |
||
|
|
8dd794d8c8 |
chore(gateway): record metrics about dropped packets (#8942)
When a NAT session expires or other unallowed traffic is routed to the Gateway, we drop these packets. It will be useful to learn how often that actually happens and why they got dropped. To do so, we add a counter metric for these packets. --------- Signed-off-by: Thomas Eizinger <thomas@eizinger.io> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> |
||
|
|
8a201494d0 |
ci: remove flaky Windows benchmark (#8941)
This tunnel throughput benchmark isn't a very useful benchmark and it is very flaky. Remove it entirely until we can replace it with something more robust and useful. Resolves: #8172 |
||
|
|
6f11568c8c |
fix(connlib): move wire::dev::recv log to right location (#8944)
I don't understand why but in the current location, this log simply doesn't show up for anything other than UDP packets. If we move it up, it will actually log all packets. |
||
|
|
ec4cd898ba | chore: release Gateway v1.4.7 (#8943) | ||
|
|
e031dfdb4a |
refactor(connlib): introduce our own bufferpool crate (#8928)
We have been using buffer pools for a while all over `connlib` as a way
to efficiently use heap-allocated memory. This PR harmonizes the usage
of buffer pools across the codebase by introducing a dedicated
`bufferpool` crate. This crate offers a convenient and easy-to-use API
for all the things we (currently) need from buffer pools. As a nice
bonus of having it all in one place, we can now also track metrics of
how many buffers we have currently allocated.
An example output from the local metrics exporter looks like this:
```
Name : system.buffer.count
Description : The number of buffers allocated in the pool.
Unit : {buffers}
Type : Sum
Sum DataPoints
Monotonic : false
Temporality : Cumulative
DataPoint #0
StartTime : 2025-04-29 12:41:25.278436
EndTime : 2025-04-29 12:42:25.278088
Value : 96
Attributes :
-> system.buffer.pool.name: udp-socket-v6
-> system.buffer.pool.buffer_size: 65535
DataPoint #1
StartTime : 2025-04-29 12:41:25.278436
EndTime : 2025-04-29 12:42:25.278088
Value : 7
Attributes :
-> system.buffer.pool.buffer_size: 131600
-> system.buffer.pool.name: gso-queue
DataPoint #2
StartTime : 2025-04-29 12:41:25.278436
EndTime : 2025-04-29 12:42:25.278088
Value : 128
Attributes :
-> system.buffer.pool.name: udp-socket-v4
-> system.buffer.pool.buffer_size: 65535
DataPoint #3
StartTime : 2025-04-29 12:41:25.278436
EndTime : 2025-04-29 12:42:25.278088
Value : 8
Attributes :
-> system.buffer.pool.buffer_size: 1336
-> system.buffer.pool.name: ip-packet
DataPoint #4
StartTime : 2025-04-29 12:41:25.278436
EndTime : 2025-04-29 12:42:25.278088
Value : 9
Attributes :
-> system.buffer.pool.buffer_size: 1336
-> system.buffer.pool.name: snownet
```
Resolves: #8385
|
||
|
|
f7df445924 |
fix(gateway): don't invalidate active NAT sessions (#8937)
Whenever the Gateway is instructed to (re)create the NAT for a DNS resource, it performs a DNS query and then overwrites the existing entries in the NAT table. Depending on how the DNS records are defined, this may lead to a very bad user experience where connections are cut regularly. In particular, if a service utilises round-robin DNS where a DNS query only ever returns a single entry yet that entry may change as soon as the TTL expires, all connections for this particular DNS resource for a Client get cut. To fix this, we now first check for active NAT sessions for a given proxy IP and only replace it if we don't have an open NAT session. The NAT sessions have a TTL of 1 minute, meaning there needs to be at least 1 outgoing packet from the Client every minute to keep it open. |
||
|
|
2650d81444 | chore: release clients with GSO fix (#8936) | ||
|
|
c75b6c6641 |
feat(connlib): record the number of IO errors as a metric (#8934)
It will be interesting to learn, for example, how many installations have no IPv6 connectivity as those will encounter `NetworkUnreachable` errors. We categorise the errors by IO direction and IP stack which will allow us to deduce this information. |
||
|
|
6dc5f85cc5 |
fix(connlib): don't buffer when recreating DNS resource NAT (#8935)
In order to detect changes to DNS records of DNS resources, `connlib` will recreate the DNS resource NAT whenever it receives a query for a DNS resource. The way we implemented this was by clearing the local state of the DNS resource NAT, which triggered us to perform the handshake with the Gateway again upon the next packet for this resource. The Gateway would then perform the DNS query and respond back when this was finished. In order to not drop any packets, `connlib` has a buffer where it keeps the packets that are arriving in the meantime. This works reasonably well when the connection is first set up because we are only buffering a TCP SYN or equivalent handshake packet. Yet, when the connection is in full use, and the application just so happens to make another DNS query, we halt the entire flow of packets until this is confirmed again. To prevent high memory use, the buffer for these packets is constrained to 32 packets which is nowhere near enough when a connection is actively transferring data (like a file upload). In most cases, the DNS query on the Gateway will yield the exact same results because the records haven't changed. Thus, there is no reason for us to actually halt the flow of these packets when we are _recreating_ the DNS resource NAT. That way, this handshake happens in parallel to the actual packet flow and does not interrupt anything in the happy path case. |