mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-01-27 18:18:55 +00:00
5eef5f90dffc5fadebc3e5ac1f459ded3a715c21
2832 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Thomas Eizinger
|
5eef5f90df |
feat(gateway): emit resource name and address in flow logs (#10710)
To allow for better analysis of flow logs, we embed the resource name and its address into the flow flogs. For the Internet Resource, the name will be displayed as "Internet` and the address is either `0.0.0.0/0` or `::/0` depending on the IP version of the packet. For CIDR resources, the address is the subnet and for DNS resources, it is the domain pattern. Resolves: #10693 |
||
|
Thomas Eizinger
|
37aad65f28 |
feat(fz-cli): better secret handling (#10709)
This improves the secret handling inside `firezone-cli` by using the `rpassword` crate to hide the token from stdin and using `secrecy` to zeroize the memory afterwards. To make it easier to test locally, we add a dry run mode for local testing, hidden behind the `FZ_DRY_RUN` env variable. |
||
|
Thomas Eizinger
|
0d2ddd8497 |
feat(gateway): create debian package (#10537)
With this PR we add `cargo-deb` to our CI pipeline and build a debian package for the Gateway. The debian package comes with several configuration files that make it easy for admins to start and maintain a Gateway installation: - The embedded systemd unit file is essentially the same one as what we currently install with the install script with some minor modifications. - The token is read from `/etc/firezone/gateway-token` and passed as a systemd credential. This allows us to set the permissions for this file to `0400` and have it owned by `root:root`. - The configuration is read from `/etc/firezone/gateway-env`. - Both of these changes basically mean the user should never need to touch the unit file itself. - The `sysusers` configuration file ensures the `firezone` user and group are present on the system. - The `tmpfiles` configuration file ensures the necessary directories are present. All of the above is automatically installed and configured using the post-installation script which is called by `apt` once the package is installed. In addition to the Gateway, we also package a first version of the `firezone-cli`. Right now, `firezone-cli` (installed as `firezone`) has three subcommands: - `gateway authenticate`: Asks for the Gateway's token and installs it at `/etc/firezone/gateway-token`. The user doesn't have to know how we manage this token and can trust that we are using safe defaults. - `gateway enable`: Enables and starts the systemd service. - `gateway disable`: Disables the systemd service. Right now, the `.deb` file is only uploaded to the preview APT repository and not attached to the release. It should therefore not yet be user-visible unless somebody pokes around a lot, meaning we can defer documentation to a later PR and start testing it from the preview repository for our own purposes. Related: #10598 Resolves: #8484 Resolves: #10681 |
||
|
Thomas Eizinger
|
1bec325a64 |
feat(gateway,headless-client): set default log level to INFO (#10702)
Currently, the default log level for both the Gateway and the headless Client is actually `error` which basically means no logs at all. To avoid having to create additional configuration as part of the Debian packages, we set the default log level to `info`. |
||
|
Thomas Eizinger
|
fbf1a1e322 |
fix(gateway): trim whitespace from systemd credential (#10695)
Unix tools often write a newline at the end of a file. When using the file's contents as a token, they need to match byte-for-byte otherwise we cannot authenticate to the portal. To ensure that, we trim the content from the file before creating the `SecretString`. |
||
|
dependabot[bot]
|
30b70b408c |
build(deps): bump dns-lookup from 2.1.1 to 3.0.0 in /rust (#10646)
Bumps [dns-lookup](https://github.com/keeperofdakeys/dns-lookup) from 2.1.1 to 3.0.0. <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
7438e7f2f5 |
build(deps): bump winreg from 0.52.0 to 0.55.0 in /rust (#10641)
Bumps [winreg](https://github.com/gentoo90/winreg-rs) from 0.52.0 to 0.55.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/gentoo90/winreg-rs/releases">winreg's releases</a>.</em></p> <blockquote> <h2>0.55.0 (windows-sys)</h2> <ul> <li>Breaking change: Increate MSRV to 1.60</li> <li>Breaking change: Upgrade <code>windows-sys</code> to version 0.59 (<a href="https://redirect.github.com/gentoo90/winreg-rs/issues/77">#77</a>)</li> </ul> <h2>0.54.0 (windows-sys)</h2> <ul> <li>Breaking change: Migrate to the 2021 edition of Rust (MSRV 1.56)</li> <li>Breaking change: Upgrade <code>windows-sys</code> to version 0.52 (closes <a href="https://redirect.github.com/gentoo90/winreg-rs/issues/63">#63</a>, <a href="https://redirect.github.com/gentoo90/winreg-rs/issues/70">#70</a>)</li> </ul> <h2>0.53.0 (windows-sys)</h2> <ul> <li>Don't stop deserialization of <code>Any</code> due to <code>REG_NONE</code> (pullrequest <a href="https://redirect.github.com/gentoo90/winreg-rs/issues/67">#67</a>, fixes <a href="https://redirect.github.com/gentoo90/winreg-rs/issues/66">#66</a>)</li> <li>Implement (de)serialization of <code>Option</code> (<a href="https://redirect.github.com/gentoo90/winreg-rs/issues/56">#56</a>)</li> <li>Add <code>RegKey</code> methods for creating/opening subkeys with custom options (<a href="https://redirect.github.com/gentoo90/winreg-rs/issues/65">#65</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/gentoo90/winreg-rs/blob/master/CHANGELOG.md">winreg's changelog</a>.</em></p> <blockquote> <h2>0.55.0</h2> <ul> <li>Breaking change: Increate MSRV to 1.60</li> <li>Breaking change: Upgrade <code>windows-sys</code> to version 0.59 (<a href="https://redirect.github.com/gentoo90/winreg-rs/pull/77">#77</a>)</li> </ul> <h2>0.54.0</h2> <ul> <li>Breaking change: Migrate to the 2021 edition of Rust (MSRV 1.56)</li> <li>Breaking change: Upgrade <code>windows-sys</code> to version 0.52 (closes <a href="https://redirect.github.com/gentoo90/winreg-rs/pull/63">#63</a>, <a href="https://redirect.github.com/gentoo90/winreg-rs/pull/70">#70</a>)</li> </ul> <h2>0.15.0, 0.53.0</h2> <ul> <li>Don't stop deserialization of <code>Any</code> due to <code>REG_NONE</code> (pullrequest <a href="https://redirect.github.com/gentoo90/winreg-rs/pull/67">#67</a>, fixes <a href="https://redirect.github.com/gentoo90/winreg-rs/issues/66">#66</a>)</li> <li>Implement (de)serialization of <code>Option</code> (<a href="https://redirect.github.com/gentoo90/winreg-rs/issues/56">#56</a>)</li> <li>Add <code>RegKey</code> methods for creating/opening subkeys with custom options (<a href="https://redirect.github.com/gentoo90/winreg-rs/pull/65">#65</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
9c7ec9ff47 |
build(deps): bump the sentry group in /rust with 2 updates (#10672)
Bumps the sentry group in /rust with 2 updates: [sentry](https://github.com/getsentry/sentry-rust) and [sentry-tracing](https://github.com/getsentry/sentry-rust). Updates `sentry` from 0.41.0 to 0.42.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/getsentry/sentry-rust/releases">sentry's releases</a>.</em></p> <blockquote> <h2>0.42.0</h2> <h3>Features</h3> <ul> <li>feat(log): support kv feature of log (<a href="https://redirect.github.com/getsentry/sentry-rust/issues/851">#851</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a> <ul> <li>Attributes added to a <code>log</code> record using the <code>kv</code> feature are now recorded as attributes on the log sent to Sentry.</li> </ul> </li> <li>feat(types): add all the missing supported envelope headers (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/867">#867</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a></li> <li>feat(types): add setters for envelope headers (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/868">#868</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a> <ul> <li>It's now possible to set all of the <a href="https://develop.sentry.dev/sdk/data-model/envelopes/#headers">envelope headers</a> supported by the protocol when constructing envelopes.</li> </ul> </li> <li>feat(core): add some DSC fields to transaction envelope headers (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/869">#869</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a> <ul> <li>The SDK now sends additional envelope headers with transactions. This should solve some extrapolation issues for span metrics.</li> </ul> </li> </ul> <h3>Behavioral changes</h3> <ul> <li>feat: filter username and password in URLs (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/864">#864</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a> <ul> <li>Usernames and passwords that could be contained in URLs captured when using the Actix Web or axum integration are now always filtered out.</li> <li>If the <code>Request</code> is created manually by the user, then these fields are not filtered out.</li> <li>This information was already filtered by Relay, but should also be filtered by the SDK itself as a first line of defense.</li> </ul> </li> </ul> <h3>Fixes</h3> <ul> <li>docs: match description of <code>debug</code> option with behavior since PR <a href="https://redirect.github.com/getsentry/sentry-rust/issues/820">#820</a> (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/860">#860</a>) by <a href="https://github.com/AlexTMjugador"><code>@AlexTMjugador</code></a></li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/getsentry/sentry-rust/blob/master/CHANGELOG.md">sentry's changelog</a>.</em></p> <blockquote> <h2>0.42.0</h2> <h3>Features</h3> <ul> <li>feat(log): support kv feature of log (<a href="https://redirect.github.com/getsentry/sentry-rust/issues/851">#851</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a> <ul> <li>Attributes added to a <code>log</code> record using the <code>kv</code> feature are now recorded as attributes on the log sent to Sentry.</li> </ul> </li> <li>feat(types): add all the missing supported envelope headers (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/867">#867</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a></li> <li>feat(types): add setters for envelope headers (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/868">#868</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a> <ul> <li>It's now possible to set all of the <a href="https://develop.sentry.dev/sdk/data-model/envelopes/#headers">envelope headers</a> supported by the protocol when constructing envelopes.</li> </ul> </li> <li>feat(core): add some DSC fields to transaction envelope headers (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/869">#869</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a> <ul> <li>The SDK now sends additional envelope headers with transactions. This should solve some extrapolation issues for span metrics.</li> </ul> </li> </ul> <h3>Behavioral changes</h3> <ul> <li>feat: filter username and password in URLs (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/864">#864</a>) by <a href="https://github.com/lcian"><code>@lcian</code></a> <ul> <li>Usernames and passwords that could be contained in URLs captured when using the Actix Web or axum integration are now always filtered out.</li> <li>If the <code>Request</code> is created manually by the user, then these fields are not filtered out.</li> <li>This information was already filtered by Relay, but should also be filtered by the SDK itself as a first line of defense.</li> </ul> </li> </ul> <h3>Fixes</h3> <ul> <li>docs: match description of <code>debug</code> option with behavior since PR <a href="https://redirect.github.com/getsentry/sentry-rust/issues/820">#820</a> (<a href="https://redirect.github.com/getsentry/sentry-rust/pull/860">#860</a>) by <a href="https://github.com/AlexTMjugador"><code>@AlexTMjugador</code></a></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
Thomas Eizinger
|
ce297999c9 |
feat(gateway): capture domain name of flow (#10692)
Whenever we route a packet from the Client to a DNS resource, we now also capture the domain name. If this is the first packet and we are thus creating a new flow, we'll save that domain in it. Later packets for the same IP are rolled up under the same flow and thus don't need to re-set the domain. Resolves: #10691 |
||
|
dependabot[bot]
|
d23224cbce |
build(deps): bump vite from 6.3.6 to 7.1.7 in /rust/gui-client (#10638)
Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 6.3.6 to 7.1.7. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/vitejs/vite/releases">vite's releases</a>.</em></p> <blockquote> <h2>v7.1.7</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v7.1.7/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v7.1.6</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v7.1.6/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v7.1.5</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v7.1.5/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v7.1.4</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v7.1.4/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v7.1.3</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v7.1.3/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>create-vite@7.1.3</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/create-vite@7.1.3/packages/create-vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v7.1.2</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v7.1.2/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>create-vite@7.1.2</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/create-vite@7.1.2/packages/create-vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v7.1.1</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v7.1.1/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>create-vite@7.1.1</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/create-vite@7.1.1/packages/create-vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>plugin-legacy@7.1.0</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/plugin-legacy@7.1.0/packages/plugin-legacy/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>create-vite@7.1.0</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/create-vite@7.1.0/packages/create-vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v7.1.0</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v7.1.0/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v7.1.0-beta.1</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v7.1.0-beta.1/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v7.1.0-beta.0</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v7.1.0-beta.0/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v7.0.8</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v7.0.8/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v7.0.7</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v7.0.7/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md">vite's changelog</a>.</em></p> <blockquote> <h2><!-- raw HTML omitted --><a href="https://github.com/vitejs/vite/compare/v7.1.6...v7.1.7">7.1.7</a> (2025-09-22)<!-- raw HTML omitted --></h2> <h3>Bug Fixes</h3> <ul> <li><strong>build:</strong> fix ssr environment <code>emitAssets: true</code> when <code>sharedConfigBuild: true</code> (<a href="https://redirect.github.com/vitejs/vite/issues/20787">#20787</a>) (<a href=" |
||
|
Thomas Eizinger
|
21a848a4cb |
chore(connlib): tune INFO logs (#10677)
The INFO logs of Firezone (specifically `connlib`) should be a good
balance between useful and not noisy. Several of the INFO logs we
currently have a probably a bit too noisy and can be tuned down or
optimised to be easier to read.
Before:
```
2025-10-22T01:48:38.836Z INFO firezone_headless_client: arch="x86_64" version="1.5.5"
2025-10-22T01:48:38.840Z INFO socket_factory: Set UDP socket buffer sizes requested_send_buffer_size=16777216 send_buffer_size=425984 requested_recv_buffer_size=134217728 recv_buffer_size=425984 port=52625
2025-10-22T01:48:38.841Z INFO socket_factory: Set UDP socket buffer sizes requested_send_buffer_size=16777216 send_buffer_size=425984 requested_recv_buffer_size=134217728 recv_buffer_size=425984 port=52625
2025-10-22T01:48:38.851Z INFO firezone_tunnel::device_channel: Initializing TUN device name=tun-firezone
2025-10-22T01:48:38.852Z INFO firezone_tunnel::client: Resetting network state (network changed)
2025-10-22T01:48:38.853Z INFO socket_factory: Set UDP socket buffer sizes requested_send_buffer_size=16777216 send_buffer_size=425984 requested_recv_buffer_size=134217728 recv_buffer_size=425984 port=52625
2025-10-22T01:48:38.854Z INFO socket_factory: Set UDP socket buffer sizes requested_send_buffer_size=16777216 send_buffer_size=425984 requested_recv_buffer_size=134217728 recv_buffer_size=425984 port=52625
2025-10-22T01:48:39.263Z INFO phoenix_channel: Connected to portal host=api
2025-10-22T01:48:39.408Z INFO firezone_tunnel::client: Updating TUN device config=TunConfig { ip: IpConfig { v4: 100.90.205.158, v6: fd00:2021:1111::2:76b2 }, dns_by_sentinel: {}, search_domain: Some(Name(httpbin.search.test.)), ipv4_routes: [100.64.0.0/11, 100.96.0.0/11, 100.100.111.0/24], ipv6_routes: [fd00:2021:1111::/107, fd00:2021:1111:8000::/107, fd00:2021:1111:8000:100:100:111:0/120] }
2025-10-22T01:48:39.408Z INFO firezone_tunnel::client: Updating TUN device config=TunConfig { ip: IpConfig { v4: 100.90.205.158, v6: fd00:2021:1111::2:76b2 }, dns_by_sentinel: {100.100.111.1 <> 127.0.0.11:53}, search_domain: Some(Name(httpbin.search.test.)), ipv4_routes: [100.64.0.0/11, 100.96.0.0/11, 100.100.111.0/24], ipv6_routes: [fd00:2021:1111::/107, fd00:2021:1111:8000::/107, fd00:2021:1111:8000:100:100:111:0/120] }
2025-10-22T01:48:39.408Z INFO firezone_tunnel::client: Activating resource name=foobar.com address=foobar.com sites=mycro-aws-gws
2025-10-22T01:48:39.409Z INFO firezone_tunnel::client: Activating resource name=*.firezone.dev address=*.firezone.dev sites=mycro-aws-gws
2025-10-22T01:48:39.409Z INFO firezone_tunnel::client: Activating resource name=ip6only address=ip6only.me sites=mycro-aws-gws
2025-10-22T01:48:39.409Z INFO firezone_tunnel::client: Activating resource name=example.com address=example.com sites=mycro-aws-gws
2025-10-22T01:48:39.409Z INFO firezone_tunnel::client: Activating resource name=Example address=*.example.com sites=mycro-aws-gws
2025-10-22T01:48:39.409Z INFO firezone_tunnel::client: Activating resource name=**.httpbin address=**.httpbin sites=mycro-aws-gws
2025-10-22T01:48:39.409Z INFO firezone_tunnel::client: Activating resource name=MyCorp Network (IPv6) address=172:20::/64 sites=mycro-aws-gws
2025-10-22T01:48:39.409Z INFO firezone_tunnel::client: Updating TUN device config=TunConfig { ip: IpConfig { v4: 100.90.205.158, v6: fd00:2021:1111::2:76b2 }, dns_by_sentinel: {100.100.111.1 <> 127.0.0.11:53}, search_domain: Some(Name(httpbin.search.test.)), ipv4_routes: [100.64.0.0/11, 100.96.0.0/11, 100.100.111.0/24], ipv6_routes: [172:20::/64, fd00:2021:1111::/107, fd00:2021:1111:8000::/107, fd00:2021:1111:8000:100:100:111:0/120] }
2025-10-22T01:48:39.409Z INFO firezone_tunnel::client: Activating resource name=**.httpbin.search.test address=**.httpbin.search.test sites=mycro-aws-gws
2025-10-22T01:48:39.409Z INFO firezone_tunnel::client: Activating resource name=**.firez.one address=**.firez.one sites=mycro-aws-gws
2025-10-22T01:48:39.409Z INFO firezone_tunnel::client: Activating resource name=MyCorp Network address=172.20.0.0/16 sites=mycro-aws-gws
2025-10-22T01:48:39.409Z INFO firezone_tunnel::client: Updating TUN device config=TunConfig { ip: IpConfig { v4: 100.90.205.158, v6: fd00:2021:1111::2:76b2 }, dns_by_sentinel: {100.100.111.1 <> 127.0.0.11:53}, search_domain: Some(Name(httpbin.search.test.)), ipv4_routes: [100.64.0.0/11, 100.96.0.0/11, 100.100.111.0/24, 172.20.0.0/16], ipv6_routes: [172:20::/64, fd00:2021:1111::/107, fd00:2021:1111:8000::/107, fd00:2021:1111:8000:100:100:111:0/120] }
2025-10-22T01:48:39.418Z INFO firezone_bin_shared::tun_device_manager::linux: Setting new routes new_routes={V4(Ipv4Network { network_address: 100.64.0.0, netmask: 11 }), V4(Ipv4Network { network_address: 172.20.0.0, netmask: 16 }), V6(Ipv6Network { network_address: 172:20::, netmask: 64 }), V4(Ipv4Network { network_address: 100.96.0.0, netmask: 11 }), V6(Ipv6Network { network_address: fd00:2021:1111::, netmask: 107 }), V6(Ipv6Network { network_address: fd00:2021:1111:8000::, netmask: 107 }), V6(Ipv6Network { network_address: fd00:2021:1111:8000:100:100:111:0, netmask: 120 }), V4(Ipv4Network { network_address: 100.100.111.0, netmask: 24 })}
2025-10-22T01:48:39.420Z INFO firezone_headless_client: Tunnel ready elapsed=583.523468ms
2025-10-22T01:48:39.430Z INFO snownet::node: Added new TURN server rid=2a413094-32d4-4a69-8e92-642d60e885e9 address=Dual { v4: 203.0.113.102:3478, v6: [203:0:113::102]:3478 }
2025-10-22T01:49:44.814Z INFO snownet::node: Creating new connection local=IceCreds { ufrag: "bly5", pass: "bdjtlfpvfdhhya6om4kssi" } remote=IceCreds { ufrag: "24gy", pass: "5mqlci4n4nmoovovihswvq" } index=(2378720|0) cid=ea82a87c-ca11-4292-a332-940ac386cba1
2025-10-22T01:49:45.634Z INFO snownet::node: Updating remote socket new=PeerToPeer { source: 172.30.0.100:52625, dest: 203.0.113.3:52625 } duration_since_intent=821.149802ms cid=ea82a87c-ca11-4292-a332-940ac386cba1
2025-10-22T01:49:45.783Z INFO snownet::node: Updating remote socket old=PeerToPeer { source: 172.30.0.100:52625, dest: 203.0.113.3:52625 } new=PeerToPeer { source: [172:30::100]:52625, dest: [203:0:113::3]:52625 } duration_since_intent=971.112388ms cid=ea82a87c-ca11-4292-a332-940ac386cba1
```
After:
```
2025-10-22T01:58:09.972Z INFO firezone_headless_client: arch="x86_64" version="1.5.5"
2025-10-22T01:58:09.980Z INFO firezone_tunnel::client: Resetting network state (network changed)
2025-10-22T01:58:10.271Z INFO phoenix_channel: Connected to portal host=api
2025-10-22T01:58:10.369Z INFO firezone_tunnel::client: Activating resource name=foobar.com address=foobar.com sites=mycro-aws-gws
2025-10-22T01:58:10.369Z INFO firezone_tunnel::client: Activating resource name=*.firezone.dev address=*.firezone.dev sites=mycro-aws-gws
2025-10-22T01:58:10.369Z INFO firezone_tunnel::client: Activating resource name=ip6only address=ip6only.me sites=mycro-aws-gws
2025-10-22T01:58:10.369Z INFO firezone_tunnel::client: Activating resource name=example.com address=example.com sites=mycro-aws-gws
2025-10-22T01:58:10.369Z INFO firezone_tunnel::client: Activating resource name=Example address=*.example.com sites=mycro-aws-gws
2025-10-22T01:58:10.369Z INFO firezone_tunnel::client: Activating resource name=**.httpbin address=**.httpbin sites=mycro-aws-gws
2025-10-22T01:58:10.370Z INFO firezone_tunnel::client: Activating resource name=MyCorp Network (IPv6) address=172:20::/64 sites=mycro-aws-gws
2025-10-22T01:58:10.370Z INFO firezone_tunnel::client: Activating resource name=**.httpbin.search.test address=**.httpbin.search.test sites=mycro-aws-gws
2025-10-22T01:58:10.370Z INFO firezone_tunnel::client: Activating resource name=**.firez.one address=**.firez.one sites=mycro-aws-gws
2025-10-22T01:58:10.370Z INFO firezone_tunnel::client: Activating resource name=MyCorp Network address=172.20.0.0/16 sites=mycro-aws-gws
2025-10-22T01:58:10.370Z INFO snownet::node: Added new TURN server rid=2a413094-32d4-4a69-8e92-642d60e885e9 address=Dual { v4: 203.0.113.102:3478, v6: [203:0:113::102]:3478 }
2025-10-22T01:58:10.370Z INFO snownet::node: Added new TURN server rid=54f6ba35-1914-48fc-be24-62f6293936eb address=Dual { v4: 203.0.113.101:3478, v6: [203:0:113::101]:3478 }
2025-10-22T01:58:10.370Z INFO firezone_tunnel::client: Updating TUN device config=TunConfig { ip: IpConfig { v4: 100.90.205.158, v6: fd00:2021:1111::2:76b2 }, dns_by_sentinel: {100.100.111.1 <> 127.0.0.11:53}, search_domain: Some(Name(httpbin.search.test.)), ipv4_routes: [100.64.0.0/11, 100.96.0.0/11, 100.100.111.0/24, 172.20.0.0/16], ipv6_routes: [172:20::/64, fd00:2021:1111::/107, fd00:2021:1111:8000::/107, fd00:2021:1111:8000:100:100:111:0/120] }
2025-10-22T01:58:10.383Z INFO firezone_bin_shared::tun_device_manager::linux: Setting new routes new_routes=[100.64.0.0/11, 100.96.0.0/11, 100.100.111.0/24, 172.20.0.0/16, 172:20::/64, fd00:2021:1111::/107, fd00:2021:1111:8000::/107, fd00:2021:1111:8000:100:100:111:0/120]
2025-10-22T01:58:10.495Z INFO snownet::allocation: Invalidating allocation active_socket=Some(203.0.113.101:3478)
2025-10-22T01:58:10.495Z INFO snownet::allocation: Invalidating allocation active_socket=Some(203.0.113.102:3478)
2025-10-22T02:03:04.410Z INFO snownet::node: Creating new connection local=IceCreds { ufrag: "uxgc", pass: "xxdgp5ivfhqloedzdmgi3j" } remote=IceCreds { ufrag: "es6w", pass: "doa2s3hmiteid7dtlszsbq" } index=(583098|0) cid=ea82a87c-ca11-4292-a332-940ac386cba1
2025-10-22T02:03:04.960Z INFO snownet::node: Updating remote socket new=PeerToPeer { source: 172.30.0.100:52625, dest: 203.0.113.3:52625 } duration_since_intent=550.756408ms cid=ea82a87c-ca11-4292-a332-940ac386cba1
2025-10-22T02:03:05.112Z INFO snownet::node: Updating remote socket old=PeerToPeer { source: 172.30.0.100:52625, dest: 203.0.113.3:52625 } new=PeerToPeer { source: [172:30::100]:52625, dest: [203:0:113::3]:52625 } duration_since_intent=702.23775ms cid=ea82a87c-ca11-4292-a332-940ac386cba1
```
|
||
|
dependabot[bot]
|
8d69320985 |
build(deps): bump eslint from 9.31.0 to 9.36.0 in /rust/gui-client (#10636)
Bumps [eslint](https://github.com/eslint/eslint) from 9.31.0 to 9.36.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/eslint/eslint/releases">eslint's releases</a>.</em></p> <blockquote> <h2>v9.36.0</h2> <h2>Features</h2> <ul> <li><a href=" |
||
|
dependabot[bot]
|
4d3dad63ae |
build(deps): bump @types/node from 24.5.0 to 24.5.2 in /rust/gui-client (#10640)
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 24.5.0 to 24.5.2. <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
dependabot[bot]
|
9b85034b0c |
build(deps): bump etherparse from 0.17.0 to 0.19.0 in /rust (#10648)
Bumps [etherparse](https://github.com/JulianSchmid/etherparse) from 0.17.0 to 0.19.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/JulianSchmid/etherparse/releases">etherparse's releases</a>.</em></p> <blockquote> <h2>v0.19.0 Add basic ICMPv6 Neighbor Discovery Support</h2> <h2>What's Changed</h2> <ul> <li>feat: add ICMPv6 neighbour solicitation by <a href="https://github.com/thomaseizinger"><code>@thomaseizinger</code></a> in <a href="https://redirect.github.com/JulianSchmid/etherparse/pull/129">JulianSchmid/etherparse#129</a></li> <li>Minor fixups for ICMPv6 NeighborSolicitation & NeighborAdvertisement & Add RouterSolicitation & RouterAdvertisement & Redirect by <a href="https://github.com/JulianSchmid"><code>@JulianSchmid</code></a> in <a href="https://redirect.github.com/JulianSchmid/etherparse/pull/130">JulianSchmid/etherparse#130</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/thomaseizinger"><code>@thomaseizinger</code></a> made their first contribution in <a href="https://redirect.github.com/JulianSchmid/etherparse/pull/129">JulianSchmid/etherparse#129</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/JulianSchmid/etherparse/compare/v0.18.2...v0.19.0">https://github.com/JulianSchmid/etherparse/compare/v0.18.2...v0.19.0</a></p> <h2>v0.18.2 Add core::error::Error implementation to non_std build</h2> <h2>What's Changed</h2> <ul> <li>Implement core::error::Error for the error types by <a href="https://github.com/xyzzyz"><code>@xyzzyz</code></a> in <a href="https://redirect.github.com/JulianSchmid/etherparse/pull/127">JulianSchmid/etherparse#127</a></li> <li>Increment version 0.18.2 by <a href="https://github.com/JulianSchmid"><code>@JulianSchmid</code></a> in <a href="https://redirect.github.com/JulianSchmid/etherparse/pull/128">JulianSchmid/etherparse#128</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/xyzzyz"><code>@xyzzyz</code></a> made their first contribution in <a href="https://redirect.github.com/JulianSchmid/etherparse/pull/127">JulianSchmid/etherparse#127</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/JulianSchmid/etherparse/compare/v0.18.1...v0.18.2">https://github.com/JulianSchmid/etherparse/compare/v0.18.1...v0.18.2</a></p> <h2>v0.18.1 Add LaxPacketHeader:: from_linux_sll</h2> <h2>What's Changed</h2> <ul> <li>Add from_linux_sll for LaxPacketHeaders by <a href="https://github.com/shu-kitamura"><code>@shu-kitamura</code></a> in <a href="https://redirect.github.com/JulianSchmid/etherparse/pull/125">JulianSchmid/etherparse#125</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/shu-kitamura"><code>@shu-kitamura</code></a> made their first contribution in <a href="https://redirect.github.com/JulianSchmid/etherparse/pull/125">JulianSchmid/etherparse#125</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/JulianSchmid/etherparse/compare/v0.18.0...v0.18.1">https://github.com/JulianSchmid/etherparse/compare/v0.18.0...v0.18.1</a></p> <h2>v0.18.0 MACsec Support & ECN+DSCP Support for IPv6</h2> <h2>What are the major changes?</h2> <ul> <li>Support for MACsec (IEEE 802.1AE)</li> <li>The <code>vlan</code> field in <code>SlicedPacket</code>, <code>LaxSlicedPacket</code>, <code>PacketHeaders</code>, <code>LaxPacketHeaders</code> has been replaced with <code>link_exts</code>.</li> <li><code>Ipv4Ecn</code> & <code>Ipv4Dscp</code> have been replaced by <code>IpEcn</code> & <code>IpDscp</code>.</li> <li><code>Ipv6Header</code> & <code>Ipv6HeaderSlice</code> now supports the reading & setting of <code>IpEcn</code> & <code>IpDscp</code> (thanks to <a href="https://github.com/baxterjo"><code>@baxterjo</code></a>)</li> <li><code>LaxEtherPayloadSlice</code> has been introduced & <code>len_source</code> added to <code>EtherPayloadSlice</code>.</li> <li><code>source_addr()</code> & <code>destination_addr()</code> methods of <code>IpSlice</code>, <code>Ipv4HeaderSlice</code>, <code>Ipv6Header</code>, <code>Ipv6HeaderSlice</code>, <code>LaxIpSlice</code> are now available in non-std mode (thanks to <a href="https://github.com/Dominaezzz"><code>@Dominaezzz</code></a>)</li> <li>Minimum supported Rust version as been configured to 1.83.0 (thanks to <a href="https://github.com/baxterjo"><code>@baxterjo</code></a>)</li> </ul> <h3>What is MACsec (IEEE 802.1AE)?</h3> <p>MACsec is a protocol that allows the signing and/or encryption of packet contents from the link layer downwards. The main difference between MACsec and IPSec is that IPSec is located after the IP header while MACsec is located above the IP header and can also encrypt the contents of the IP header itself while IPSSec does not encrypt the IP header. As such MACsec is usually used to secure local networks, while IPSec is more commonly used for VPNs and alike that leave the local network.</p> <h3>Changes needed for MACsec Support</h3> <p>Adding MACsec support required some breaking changes, specifically on how VLAN headers are handled. The MACsec SECTAG is a header that can be present in the same locations as "VLAN" headers. It has no fixed position and can be located before or after VLAN headers or after the Ethernet 2 header without a VLAN header being present at all. This invalidates the assumption <code>etherparse</code> had in previous versions that VLAN headers are always directly located after the Ethernet2 header and that if there are multiple VLAN headers that they are directly located after each other. Now there could be a MACsec header present in between VLAN headers.</p> <p>To support the different combinations of MACSec & VLAN headers the <code>vlan</code> field in <code>SlicedPacket</code>, <code>PacketHeaders</code>, <code>LaxSlicedPacket</code> & <code>LaxPacketHeaders</code> has been replaced with a <code>link_exts</code> field that can contain up to three "link extensions":</p> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
9e5a08809b |
build(deps): bump hex-literal from 0.4.1 to 1.0.0 in /rust (#10651)
Bumps [hex-literal](https://github.com/RustCrypto/utils) from 0.4.1 to 1.0.0. <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
7100b4a674 |
build(deps): bump vite from 6.3.6 to 6.4.1 in /rust/gui-client in the npm_and_yarn group across 1 directory (#10666)
Bumps the npm_and_yarn group with 1 update in the /rust/gui-client directory: [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite). Updates `vite` from 6.3.6 to 6.4.1 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/vitejs/vite/releases">vite's releases</a>.</em></p> <blockquote> <h2>create-vite@6.4.1</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/create-vite@6.4.1/packages/create-vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v6.4.1</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v6.4.1/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>create-vite@6.4.0</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/create-vite@6.4.0/packages/create-vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v6.4.0</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v6.4.0/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v6.3.7</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v6.3.7/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
132784ac82 |
build(deps): bump ringbuffer from 0.15.0 to 0.16.0 in /rust (#10653)
Bumps [ringbuffer](https://github.com/NULLx76/ringbuffer) from 0.15.0 to 0.16.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/NULLx76/ringbuffer/releases">ringbuffer's releases</a>.</em></p> <blockquote> <h2>0.16.0</h2> <h2>What's Changed</h2> <ul> <li>Implement nth and nth_back to provide a O(1) way of skipping through elements by <a href="https://github.com/cdellacqua"><code>@cdellacqua</code></a> in <a href="https://redirect.github.com/NULLx76/ringbuffer/pull/142">NULLx76/ringbuffer#142</a></li> <li>Increase copy speed by orders of magnitude by <a href="https://github.com/cdellacqua"><code>@cdellacqua</code></a> in <a href="https://redirect.github.com/NULLx76/ringbuffer/pull/142">NULLx76/ringbuffer#142</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/NULLx76/ringbuffer/compare/0.15.0...v0.16.0">https://github.com/NULLx76/ringbuffer/compare/0.15.0...v0.16.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
b394c054f6 |
build(deps): bump tempfile from 3.22.0 to 3.23.0 in /rust (#10673)
Bumps [tempfile](https://github.com/Stebalien/tempfile) from 3.22.0 to 3.23.0. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/Stebalien/tempfile/blob/master/CHANGELOG.md">tempfile's changelog</a>.</em></p> <blockquote> <h2>3.23.0</h2> <ul> <li>Remove need for the "nightly" feature to compile with "wasip2".</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
Thomas Eizinger
|
ed2bc0bd25 |
feat(gateway): revise handling of DNS resolution errors (#10623)
Even prior to #10373, failures in resolving a name on the Gateway for a DNS resource resulted in a failure of setting up the DNS resource NAT. Without the DNS resource NAT, packets for that resource bounced on the Gateway because we didn't have any traffic filters. A non-existent filter is being treated as a "traffic not allowed" error and we respond with an ICMP permission denied error. For domains where both the A and AAAA query result in NXDOMAIN, that isn't necessarily appropriate. Instead, I am proposing that for such cases, we want to return a regular "address/host unreachable" ICMP error instead of the more specific "permission denied" variant. To achieve that, we refactor the Gateway's peer state to be able to hold an `Option<IpAddr>` inside the `TranslationState`. This allows us to always insert an entry for each proxy IP, even if we did not resolve any IPs for it. Then, when receiving traffic for a proxy IP where the resolved IP is `None`, we reply with the appropriate ICMP error. As part of this, we also simplify the assignment of the proxy IPs. With the NAT64 module removed, there is no more reason to cross-assign IPv4 and IPv6 addresses. We can simply leave the mappings for e.g. IPv6 proxy addresses empty if the AAAA query didn't resolve anything. From the Client's perspective, not much changes. The DNS resource NAT setup will now succeed, even for domains that don't resolve to anything. This doesn't change any behaviour though as we are currently already passing packets through for failed DNS resource NAT setups. The main change is that we now send back a different ICMP error. Most importantly, the "address/host unreachable variant" does not trigger #10462. |
||
|
dependabot[bot]
|
c795e0da72 |
build(deps): bump futures-bounded from 0.2.4 to 0.3.0 in /rust (#10645)
Bumps [futures-bounded](https://github.com/thomaseizinger/rust-futures-bounded) from 0.2.4 to 0.3.0. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/thomaseizinger/rust-futures-bounded/blob/main/CHANGELOG.md">futures-bounded's changelog</a>.</em></p> <blockquote> <h2>0.3.0</h2> <ul> <li>Allow for multiple timer implementations. See <a href="https://redirect.github.com/thomaseizinger/rust-futures-bounded/pull/5">PR 5</a>.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/thomaseizinger/rust-futures-bounded/commits">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Thomas Eizinger <thomas@eizinger.io> |
||
|
dependabot[bot]
|
08f6989391 |
build(deps): bump proptest-state-machine from 0.3.1 to 0.4.0 in /rust (#10633)
Bumps [proptest-state-machine](https://github.com/proptest-rs/proptest) from 0.3.1 to 0.4.0. <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
5378525e70 |
build(deps): bump zip from 2.4.2 to 5.1.1 in /rust (#10652)
Bumps [zip](https://github.com/zip-rs/zip2) from 2.4.2 to 5.1.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/zip-rs/zip2/releases">zip's releases</a>.</em></p> <blockquote> <h2>v5.1.1</h2> <h3><!-- raw HTML omitted -->🐛 Bug Fixes</h3> <ul> <li>panic when reading empty extended-timestamp field (<a href="https://redirect.github.com/zip-rs/zip2/pull/404">#404</a>) (<a href="https://redirect.github.com/zip-rs/zip2/pull/422">#422</a>)</li> <li>Restore original file timestamp when unzipping with <code>chrono</code> (<a href="https://redirect.github.com/zip-rs/zip2/pull/46">#46</a>)</li> </ul> <h3><!-- raw HTML omitted -->⚙️ Miscellaneous Tasks</h3> <ul> <li>Configure Amazon Q rules (<a href="https://redirect.github.com/zip-rs/zip2/pull/421">#421</a>)</li> </ul> <h2>v5.1.0</h2> <h3><!-- raw HTML omitted -->🚀 Features</h3> <ul> <li>Add legacy shrink/reduce/implode compression (<a href="https://redirect.github.com/zip-rs/zip2/pull/303">#303</a>)</li> </ul> <h2>v5.0.1</h2> <h3><!-- raw HTML omitted -->🐛 Bug Fixes</h3> <ul> <li>AES metadata was not copied correctly in raw copy methods, which could corrupt the copied file. (<a href="https://redirect.github.com/zip-rs/zip2/pull/417">#417</a>)</li> </ul> <h2>v5.0.0</h2> <h3><!-- raw HTML omitted -->🚀 Features</h3> <ul> <li>Implement by_path*() methods on ZipArchive (<a href="https://redirect.github.com/zip-rs/zip2/pull/382">#382</a>)</li> </ul> <h2>v4.6.1</h2> <h3><!-- raw HTML omitted -->🐛 Bug Fixes</h3> <ul> <li>Fixes an issue introduced by the swap from <code>lzma-rs</code> to <code>liblzma</code> (<a href="https://redirect.github.com/zip-rs/zip2/pull/407">#407</a>)</li> </ul> <h2>v4.6.0</h2> <h3><!-- raw HTML omitted -->🚀 Features</h3> <ul> <li>Allow to read zip files with unsupported extended timestamps (<a href="https://redirect.github.com/zip-rs/zip2/pull/400">#400</a>)</li> </ul> <h3><!-- raw HTML omitted -->🐛 Bug Fixes</h3> <ul> <li>enable clamp_opt for ppmd and xz (<a href="https://redirect.github.com/zip-rs/zip2/pull/401">#401</a>)</li> </ul> <h2>v4.5.0</h2> <h3><!-- raw HTML omitted -->🚀 Features</h3> <ul> <li>Allow reading ZIP files where the central directory comes <em>before</em> the files (<a href="https://redirect.github.com/zip-rs/zip2/pull/384">#384</a>) (<a href="https://redirect.github.com/zip-rs/zip2/pull/396">#396</a>)</li> </ul> <h2>v4.4.0</h2> <h3><!-- raw HTML omitted -->🚀 Features</h3> <ul> <li>Add <code>lzma-static</code> and <code>xz-static</code> features that enable <code>liblzma/static</code> (<a href="https://redirect.github.com/zip-rs/zip2/pull/393">#393</a>)</li> </ul> <h3><!-- raw HTML omitted -->⚙️ Miscellaneous Tasks</h3> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/zip-rs/zip2/blob/master/CHANGELOG.md">zip's changelog</a>.</em></p> <blockquote> <h2><a href="https://github.com/zip-rs/zip2/compare/v5.1.0...v5.1.1">5.1.1</a> - 2025-09-11</h2> <h3><!-- raw HTML omitted -->🐛 Bug Fixes</h3> <ul> <li>panic when reading empty extended-timestamp field (<a href="https://redirect.github.com/zip-rs/zip2/pull/404">#404</a>) (<a href="https://redirect.github.com/zip-rs/zip2/pull/422">#422</a>)</li> <li>Restore original file timestamp when unzipping with <code>chrono</code> (<a href="https://redirect.github.com/zip-rs/zip2/pull/46">#46</a>)</li> </ul> <h3><!-- raw HTML omitted -->⚙️ Miscellaneous Tasks</h3> <ul> <li>Configure Amazon Q rules (<a href="https://redirect.github.com/zip-rs/zip2/pull/421">#421</a>)</li> </ul> <h2><a href="https://github.com/zip-rs/zip2/compare/v5.0.1...v5.1.0">5.1.0</a> - 2025-09-10</h2> <h3><!-- raw HTML omitted -->🚀 Features</h3> <ul> <li>Add legacy shrink/reduce/implode compression (<a href="https://redirect.github.com/zip-rs/zip2/pull/303">#303</a>)</li> </ul> <h2><a href="https://github.com/zip-rs/zip2/compare/v5.0.0...v5.0.1">5.0.1</a> - 2025-09-09</h2> <h3><!-- raw HTML omitted -->🐛 Bug Fixes</h3> <ul> <li>AES metadata was not copied correctly in raw copy methods, which could corrupt the copied file. (<a href="https://redirect.github.com/zip-rs/zip2/pull/417">#417</a>)</li> </ul> <h2><a href="https://github.com/zip-rs/zip2/compare/v4.6.1...v5.0.0">5.0.0</a> - 2025-09-05</h2> <h3><!-- raw HTML omitted -->🚀 Features</h3> <ul> <li>Implement by_path*() methods on ZipArchive (<a href="https://redirect.github.com/zip-rs/zip2/pull/382">#382</a>)</li> </ul> <h2><a href="https://github.com/zip-rs/zip2/compare/v4.6.0...v4.6.1">4.6.1</a> - 2025-09-03</h2> <h3><!-- raw HTML omitted -->🐛 Bug Fixes</h3> <ul> <li>Fixes an issue introduced by the swap from <code>lzma-rs</code> to <code>liblzma</code> (<a href="https://redirect.github.com/zip-rs/zip2/pull/407">#407</a>)</li> </ul> <h2><a href="https://github.com/zip-rs/zip2/compare/v4.5.0...v4.6.0">4.6.0</a> - 2025-08-30</h2> <h3><!-- raw HTML omitted -->🚀 Features</h3> <ul> <li>Allow to read zip files with unsupported extended timestamps (<a href="https://redirect.github.com/zip-rs/zip2/pull/400">#400</a>)</li> </ul> <h3><!-- raw HTML omitted -->🐛 Bug Fixes</h3> <ul> <li>enable clamp_opt for ppmd and xz (<a href="https://redirect.github.com/zip-rs/zip2/pull/401">#401</a>)</li> </ul> <h2><a href="https://github.com/zip-rs/zip2/compare/v4.4.0...v4.5.0">4.5.0</a> - 2025-08-21</h2> <h3><!-- raw HTML omitted -->🚀 Features</h3> <ul> <li>Allow reading ZIP files where the central directory comes <em>before</em> the files (<a href="https://redirect.github.com/zip-rs/zip2/pull/384">#384</a>) (<a href="https://redirect.github.com/zip-rs/zip2/pull/396">#396</a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
Thomas Eizinger
|
6a538368cb |
feat(gateway): add flow-logs MVP (#10576)
Network flow logs are a common feature of VPNs. Due to the nature of a shared exit node, it is of great interest to a network analyst, which TCP connections are getting routed through the tunnel, who is initiating them, for long do they last and how much traffic is sent across them. With this PR, the Firezone Gateway gains the ability of detecting the TCP and UDP flows that are being routed through it. The information we want to attach to these flows is spread out over several layers of the packet handling code. To simplify the implementation and not complicate the APIs unnecessarily, we chose to rely on TLS (thread-local storage) for gathering all the necessary data as a packet gets passed through the various layers. When using a const initializer, the overhead of a TLS variable over an actual local variable is basically zero. The entire routing state of the Gateway is also never sent across any threads, making TLS variables a particularly good choice for this problem. In its MVP form, the detected flows are only emitted on stdout and also that only if `flow_logs=trace` is set using `RUST_LOG`. Early adopters of this feature are encouraged to enable these logs as described and then ingest the Gateway's logs into the SIEM of their choice for further analysis. Related: #8353 |
||
|
Thomas Eizinger
|
80331b4e93 |
feat(gateway): add option for outputting logs as JSON (#10620)
To enable customers to ingest flow logs (#8353) into various SIEMS, outputting structured logs is crucial. |
||
|
Thomas Eizinger
|
08857d602b |
chore(client-ffi): add dummy constructor (#10659)
When working on the `client-ffi` module on a Linux or Windows machine, we currently see a lot of "unused code" warnings. We could feature-gate the remaining functions too but that would result in not having code-completion on those platforms at all. To make working on this module more ergonomic, we add a dummy constructor for the session. |
||
|
Thomas Eizinger
|
57a2330ca2 |
chore: fix cargo deny errors (#10676)
The crates from https://github.com/open-i18n/rust-unic are unmaintained but they are still being pulled in via `tauri`. Unfortunately, we have to wait for an MSRV bump from `tauri` before the update of `urlpattern` can be completed. Until then, we need to ignore these advisories to keep our CI passing. Related: https://github.com/tauri-apps/tauri/pull/14195 |
||
|
Thomas Eizinger
|
dee535f30e |
chore(client-ffi): tweak uniffi settings (#10665)
As far as I can tell, the `async_runtime` config option doesn't exist in UniFFI, hence we remove that. Whilst going through the UniFFI docs, I also noticed that there is a specific flag about Android that we can toggle on. Effectively, this uses the shared [`SystemCleaner`](https://developer.android.com/reference/android/system/SystemCleaner) instead of a per-thread one which is supposed to be more performant. Finally, using immutable records seems like a good idea as mutating any FFI-originated field is not going to be reflected in connlib's state. Preventing that at compile-time has a good chance of reducing bugs. |
||
|
Thomas Eizinger
|
b854b7407c |
chore: fix clippy warnings in eBPF code (#10660)
This code appears to be configured out in CI and thus we don't run clippy there. My IDE pointed these out however so it seems fair enough to fix them. It is just unnecessary references, doesn't actually have an impact on the functionality. |
||
|
Thomas Eizinger
|
8bb157f579 |
chore(connlib): silence hickory_proto logs (#10624)
These are a bit noisy on DEBUG. |
||
|
Thomas Eizinger
|
20d0298a8a |
chore: fix clippy warnings about HashMap iteration (#10661)
Not quite sure how these didn't get picked up by CI but they showed in my local IDE. --------- Signed-off-by: Thomas Eizinger <thomas@eizinger.io> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> |
||
|
Thomas Eizinger
|
fc97816d6e | chore: remove redunant clone (#10662) | ||
|
Thomas Eizinger
|
0e48d27b5a |
feat(ffi): make all calls infallible (#10621)
In the spirit of making Firezone as robust as possible, we make the FFI calls infallible and complete as much of the task as possible. For example, we don't fail `setDns` entirely just because we cannot parse a single DNS server's IP. Resolves: #10611 |
||
|
Thomas Eizinger
|
fcda9c3b65 |
chore(connlib): add unit test for site-name change (#10622)
Turns out name changes of sites are already ignored as per the `PartialEq` implementation of `Site`. This adds a unit-test to assert that. |
||
|
Thomas Eizinger
|
fdd05e0e0f |
chore(connlib): remove stale comments (#10617)
These comments are no longer correct and need to be removed before the confuse someone. |
||
|
Thomas Eizinger
|
a07dfc9869 |
test(connlib): workaround DNS cache in proptests (#10602)
With the introduction of the DNS cache for Clients in #10533, we now enable a behaviour where we don't necessarily need to establish a connection to a Gateway to resolve a DNS query if we still have a valid entry in the DNS cache. In particular, the proptests discovered that: - a DNS query for an upstream resolver - which happens to be a resource - and has a valid entry in the DNS cache - but (no longer) a connection to the corresponding Gateway will now serve the cached DNS records instead of establishing a new connection to the Gateway. As a result, the site status which we assert in the proptests remains in "unknown" instead of the expected "online". Modelling the caching behaviour in the tests is rather tedious. To avoid that, we set the TTL of all simulated upstream DNS responses to 1 which effectively bypasses the cache. Whilst not an ideal solution, it ensures that CI is consistently green without flaky tests. The DNS cache itself is already unit-tested. |
||
|
Thomas Eizinger
|
928d8a2512 |
fix(connlib): handle resources changing site (#10604)
Similar to how resources can be edited to change their address, IP stack or other properties, they can also be moved between different sites. Currently, `connlib` requires the portal to explicitly remove the resource and then re-add it for this to work. Our system gets more robust if we also detect that the sites of a resource have changed and handle it like other addressability changes. To ensure that this works correctly, we also extend the proptests to simulate addressability changes of resources. Resolves: #9881 Related: #10593 |
||
|
Thomas Eizinger
|
6b3f2a32ce |
feat(gateway): associate packets with resource ID (#10588)
In order to support flow logs, we need to associate each IP packet that gets routed with its corresponding resource ID. Currently, we only track what is necessary for the actual routing behaviour: The IP addresses and the filters. Therefore, we extend the data structures in `peer` to also track the `ResourceId` now. The entire code within `peer` became a bit hard to manage so I took this opportunity to split it out into two dedicated modules. This PR forms the base for recording flows logs in #10576. |
||
|
Firezone Bot
|
5272e0c992 | chore: publish headless-client 1.5.4 (#10590) | ||
|
Firezone Bot
|
f78cccea1b | chore: publish gui-client 1.5.8 (#10591) | ||
|
Firezone Bot
|
e3bb2fb931 | chore: publish gateway 1.4.17 (#10584) | ||
|
Thomas Eizinger
|
d35cf445d4 |
fix(linux): don't sync link-scope routes of offline interfaces (#10583)
In #10554, we added a syncing mechanism that would copy all link-scoped routes of the `main` routing table over to the Firezone routing table. Routes for interfaces that are currently offline cannot be added and cause a netlink error of "Invalid argument". To prevent unnecessary warnings from being logged to Sentry, we retrieve the link state of each interface and skip routes for interfaces are not online. |
||
|
Mariusz Klochowicz
|
e76daaaab3 |
refactor: remove JSON serialization from FFI boundary (#10575)
This PR eliminates JSON-based communication across the FFI boundary, replacing it with proper uniffi-generated types for improved type safety, performance, and reliability. We replace JSON string parameters with native uniffi types for: - Resources (DNS, CIDR, Internet) - Device information - DNS server lists - Network routes (CIDR representation) Also, get rid of JSON serialisation in Swift client IPC in favour of PropertyList based serialisation. Fixes: https://github.com/firezone/firezone/issues/9548 --------- Co-authored-by: Thomas Eizinger <thomas@eizinger.io> |
||
|
Thomas Eizinger
|
08f8e886f1 |
chore(connlib): tune down INFO logs (#10574)
Several of these INFO logs are actually quite noisy, like exchanging candidates with Gateways or updating the allocation. We barely look at the INFO logs from customers and primarily investigate issues with DEBUG logs streamed to Sentry. |
||
|
Thomas Eizinger
|
df601be538 |
chore(rust): ban keys and values from HashMap (#10569)
In addition to the `iter` functions, `keys` and `values` also iterate over the contents of a `HashMap` and are thus non-deterministic. This can create problems where our test-suite is non-deterministic. |
||
|
Thomas Eizinger
|
eb75cef467 |
fix(linux): allow LAN access when Internet Resource is on (#10554)
## Context On Linux, we create a dedicated routing table for all routes of the Firezone TUN device, including the `0.0.0.0/0` route. At a minimum, this routing table contains the following if the Internet Resource is active: ``` > ip route show table 539098368 default dev tun-firezone proto static 100.64.0.0/11 dev tun-firezone proto static 100.96.0.0/11 dev tun-firezone proto static 100.100.111.0/24 dev tun-firezone proto static ``` In addition, we also create a routing rule that bypasses this routing table for all packets that are tagged with the `0xfd002021` mark: ``` > ip rule list 0: from all lookup local 32765: not from all fwmark 0xfd002021 lookup 539098368 32766: from all lookup main 32767: from all lookup default ``` Firezone's internal UDP and TCP sockets are tagged with this mark and thus prevent routing loops where our own packets would otherwise get redirected back into the tunnel. Without the Internet Resource active, the rule `from all lookup main` triggers for local LAN traffic and correctly route the traffic out via that interface. For example, on my computer, the Linux kernel created the following route with the `link` scope in the main table: ``` 192.168.188.0/24 dev wlp192s0 proto kernel scope link src 192.168.188.112 metric 600 ``` ## The problem With the Internet Resource active, there is a problem. The default route matches ALL destinations, including those for local LAN destinations which should actually be sent out via a different interface. As a result, local LAN traffic is broken on Linux as soon as the Internet Resource is active. Instead of being sent out via the local interface, these packets get sent to `tun-firezone` where they get forwarded to the Gateway and then dropped because their source IP is not a Firezone Client IP. ## Solution Fixing this is unfortunately non-trivial. The best I could come up with is to create a copy of all link-scoped routes in the Firezone routing table and keep those in sync with all route changes that happen. For example, when we roam, the link-scoped routes obviously change because we join a new subnet. We therefore listen to change-events from netlink and create a debounced task that reads the current link-scoped routes from the main routing table, compares it to the ones in the Firezone table and adds any routes not present. We don't need to worry about removing routes as link-scoped routes automatically disappear once the resulting interface goes away. --------- Signed-off-by: Thomas Eizinger <thomas@eizinger.io> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> |
||
|
dependabot[bot]
|
bb4a0deb8c |
build(deps): bump @types/node from 22.15.30 to 24.4.0 in /rust/gui-client (#10564)
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 22.15.30 to 24.4.0. <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
dependabot[bot]
|
10dc78f51f |
build(deps): bump @vitejs/plugin-react from 4.5.1 to 5.0.2 in /rust/gui-client (#10566)
Bumps [@vitejs/plugin-react](https://github.com/vitejs/vite-plugin-react/tree/HEAD/packages/plugin-react) from 4.5.1 to 5.0.2. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/vitejs/vite-plugin-react/releases"><code>@vitejs/plugin-react</code>'s releases</a>.</em></p> <blockquote> <h2>plugin-react@5.0.2</h2> <h3>Skip transform hook completely in rolldown-vite in dev if possible (<a href="https://redirect.github.com/vitejs/vite-plugin-react/pull/783">#783</a>)</h3> <h2>plugin-react@5.0.1</h2> <h3>Set <code>optimizeDeps.rollupOptions.transform.jsx</code> instead of <code>optimizeDeps.rollupOptions.jsx</code> for rolldown-vite (<a href="https://redirect.github.com/vitejs/vite-plugin-react/pull/735">#735</a>)</h3> <p><code>optimizeDeps.rollupOptions.jsx</code> is going to be deprecated in favor of <code>optimizeDeps.rollupOptions.transform.jsx</code>.</p> <h3>Perf: skip <code>babel-plugin-react-compiler</code> if code has no <code>"use memo"</code> when <code>{ compilationMode: "annotation" }</code> (<a href="https://redirect.github.com/vitejs/vite-plugin-react/pull/734">#734</a>)</h3> <h3>Respect tsconfig <code>jsxImportSource</code> (<a href="https://redirect.github.com/vitejs/vite-plugin-react/pull/726">#726</a>)</h3> <h3>Fix <code>reactRefreshHost</code> option on rolldown-vite (<a href="https://redirect.github.com/vitejs/vite-plugin-react/pull/716">#716</a>)</h3> <h3>Fix <code>RefreshRuntime</code> being injected twice for class components on rolldown-vite (<a href="https://redirect.github.com/vitejs/vite-plugin-react/pull/708">#708</a>)</h3> <h3>Skip <code>babel-plugin-react-compiler</code> on non client environment (<a href="https://redirect.github.com/vitejs/vite-plugin-react/pull/689">689</a>)</h3> <h2>plugin-react@5.0.0</h2> <p>(Same content as v5.0.0-beta.0 <a href="https://github.com/vitejs/vite-plugin-react/releases/tag/plugin-react%405.0.0-beta.0">https://github.com/vitejs/vite-plugin-react/releases/tag/plugin-react%405.0.0-beta.0</a>)</p> <h3>Use Oxc for react refresh transform in rolldown-vite</h3> <p>When used with rolldown-vite, this plugin now uses Oxc for react refresh transform.</p> <p>Since this behavior is what <code>@vitejs/plugin-react-oxc</code> did, <code>@vitejs/plugin-react-oxc</code> is now deprecated and the <code>disableOxcRecommendation</code> option is removed.</p> <p>Also, while <code>@vitejs/plugin-react-oxc</code> used the production JSX transform even for <code>NODE_ENV=development</code> build, <code>@vitejs/plugin-react</code> uses the development JSX transform for <code>NODE_ENV=development</code> build.</p> <h3>Allow processing files in <code>node_modules</code></h3> <p>The default value of <code>exclude</code> options is now <code>[/\/node_modules\//]</code> to allow processing files in <code>node_modules</code> directory. It was previously <code>[]</code> and files in <code>node_modules</code> was always excluded regardless of the value of <code>exclude</code> option.</p> <h3><code>react</code> and <code>react-dom</code> is no longer added to <a href="https://vite.dev/config/#resolve-dedupe"><code>resolve.dedupe</code></a> automatically</h3> <p>Adding values to <code>resolve.dedupe</code> forces Vite to resolve them differently from how Node.js does, which can be confusing and may not be expected. This plugin no longer adds <code>react</code> and <code>react-dom</code> to <code>resolve.dedupe</code> automatically.</p> <p>If you encounter errors after upgrading, check your package.json for version mismatches in <code>dependencies</code> or <code>devDependencies</code>, as well as your package manager’s configuration. If you prefer the previous behavior, you can manually add <code>react</code> and <code>react-dom</code> to <code>resolve.dedupe</code>.</p> <h3>Remove old <code>babel-plugin-react-compiler</code> support that requires <code>runtimeModule</code> option</h3> <p><code>runtimeModule</code> option is no longer needed in newer <code>babel-plugin-react-compiler</code> versions. Make sure to use a newer version of <code>babel-plugin-react-compiler</code> that supports <code>target</code> option.</p> <h3>Require Node 20.19+, 22.12+</h3> <p>This plugin now requires Node 20.19+ or 22.12+.</p> <h2>plugin-react@5.0.0-beta.0</h2> <h3>Use Oxc for react refresh transform in rolldown-vite</h3> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/vitejs/vite-plugin-react/blob/main/packages/plugin-react/CHANGELOG.md"><code>@vitejs/plugin-react</code>'s changelog</a>.</em></p> <blockquote> <h2>5.0.2 (2025-08-28)</h2> <h3>Skip transform hook completely in rolldown-vite in dev if possible (<a href="https://redirect.github.com/vitejs/vite-plugin-react/pull/783">#783</a>)</h3> <h2>5.0.1 (2025-08-19)</h2> <h3>Set <code>optimizeDeps.rollupOptions.transform.jsx</code> instead of <code>optimizeDeps.rollupOptions.jsx</code> for rolldown-vite (<a href="https://redirect.github.com/vitejs/vite-plugin-react/pull/735">#735</a>)</h3> <p><code>optimizeDeps.rollupOptions.jsx</code> is going to be deprecated in favor of <code>optimizeDeps.rollupOptions.transform.jsx</code>.</p> <h3>Perf: skip <code>babel-plugin-react-compiler</code> if code has no <code>"use memo"</code> when <code>{ compilationMode: "annotation" }</code> (<a href="https://redirect.github.com/vitejs/vite-plugin-react/pull/734">#734</a>)</h3> <h3>Respect tsconfig <code>jsxImportSource</code> (<a href="https://redirect.github.com/vitejs/vite-plugin-react/pull/726">#726</a>)</h3> <h3>Fix <code>reactRefreshHost</code> option on rolldown-vite (<a href="https://redirect.github.com/vitejs/vite-plugin-react/pull/716">#716</a>)</h3> <h3>Fix <code>RefreshRuntime</code> being injected twice for class components on rolldown-vite (<a href="https://redirect.github.com/vitejs/vite-plugin-react/pull/708">#708</a>)</h3> <h3>Skip <code>babel-plugin-react-compiler</code> on non client environment (<a href="https://redirect.github.com/vitejs/vite-plugin-react/pull/689">689</a>)</h3> <h2>5.0.0 (2025-08-07)</h2> <h2>5.0.0-beta.0 (2025-07-28)</h2> <h3>Use Oxc for react refresh transform in rolldown-vite</h3> <p>When used with rolldown-vite, this plugin now uses Oxc for react refresh transform.</p> <p>Since this behavior is what <code>@vitejs/plugin-react-oxc</code> did, <code>@vitejs/plugin-react-oxc</code> is now deprecated and the <code>disableOxcRecommendation</code> option is removed.</p> <p>Also, while <code>@vitejs/plugin-react-oxc</code> used the production JSX transform even for <code>NODE_ENV=development</code> build, <code>@vitejs/plugin-react</code> uses the development JSX transform for <code>NODE_ENV=development</code> build.</p> <h3>Allow processing files in <code>node_modules</code></h3> <p>The default value of <code>exclude</code> options is now <code>[/\/node_modules\//]</code> to allow processing files in <code>node_modules</code> directory. It was previously <code>[]</code> and files in <code>node_modules</code> was always excluded regardless of the value of <code>exclude</code> option.</p> <h3><code>react</code> and <code>react-dom</code> is no longer added to <a href="https://vite.dev/config/#resolve-dedupe"><code>resolve.dedupe</code></a> automatically</h3> <p>Adding values to <code>resolve.dedupe</code> forces Vite to resolve them differently from how Node.js does, which can be confusing and may not be expected. This plugin no longer adds <code>react</code> and <code>react-dom</code> to <code>resolve.dedupe</code> automatically.</p> <p>If you encounter errors after upgrading, check your package.json for version mismatches in <code>dependencies</code> or <code>devDependencies</code>, as well as your package manager’s configuration. If you prefer the previous behavior, you can manually add <code>react</code> and <code>react-dom</code> to <code>resolve.dedupe</code>.</p> <h3>Remove old <code>babel-plugin-react-compiler</code> support that requires <code>runtimeModule</code> option</h3> <p><code>runtimeModule</code> option is no longer needed in newer <code>babel-plugin-react-compiler</code> versions. Make sure to use a newer version of <code>babel-plugin-react-compiler</code> that supports <code>target</code> option.</p> <h3>Require Node 20.19+, 22.12+</h3> <p>This plugin now requires Node 20.19+ or 22.12+.</p> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
3ac2f27f83 |
build(deps): bump the react group in /rust/gui-client with 2 updates (#10565)
Bumps the react group in /rust/gui-client with 2 updates: [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react) and [react-router](https://github.com/remix-run/react-router/tree/HEAD/packages/react-router). Updates `@types/react` from 19.1.12 to 19.1.13 <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react">compare view</a></li> </ul> </details> <br /> Updates `react-router` from 7.8.2 to 7.9.1 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/remix-run/react-router/releases">react-router's releases</a>.</em></p> <blockquote> <h2>v7.9.1</h2> <p>See the changelog for release notes: <a href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v791">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v791</a></p> <h2>v7.9.0</h2> <p>See the changelog for release notes: <a href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v790">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v790</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/remix-run/react-router/blob/main/packages/react-router/CHANGELOG.md">react-router's changelog</a>.</em></p> <blockquote> <h2>7.9.1</h2> <h3>Patch Changes</h3> <ul> <li>Fix internal <code>Future</code> interface naming from <code>middleware</code> -> <code>v8_middleware</code> (<a href="https://redirect.github.com/remix-run/react-router/pull/14327">#14327</a>)</li> </ul> <h2>7.9.0</h2> <h3>Minor Changes</h3> <ul> <li> <p>Stabilize middleware and context APIs. (<a href="https://redirect.github.com/remix-run/react-router/pull/14215">#14215</a>)</p> <p>We have removed the <code>unstable_</code> prefix from the following APIs and they are now considered stable and ready for production use:</p> <ul> <li><a href="https://reactrouter.com/api/utils/RouterContextProvider"><code>RouterContextProvider</code></a></li> <li><a href="https://reactrouter.com/api/utils/createContext"><code>createContext</code></a></li> <li><code>createBrowserRouter</code> <a href="https://reactrouter.com/api/data-routers/createBrowserRouter#optsgetcontext"><code>getContext</code></a> option</li> <li><code><HydratedRouter></code> <a href="https://reactrouter.com/api/framework-routers/HydratedRouter#getcontext"><code>getContext</code></a> prop</li> </ul> <p>Please see the <a href="https://reactrouter.com/how-to/middleware">Middleware Docs</a>, the <a href="https://github.com/remix-run/remix/discussions/7642">Middleware RFC</a>, and the <a href="https://github.com/remix-run/react-router/discussions/9856">Client-side Context RFC</a> for more information.</p> </li> </ul> <h3>Patch Changes</h3> <ul> <li>Escape HTML in <code>meta()</code> JSON-LD content (<a href="https://redirect.github.com/remix-run/react-router/pull/14316">#14316</a>)</li> <li>Add react-server Await component implementation (<a href="https://redirect.github.com/remix-run/react-router/pull/14261">#14261</a>)</li> <li>In RSC Data Mode when using a custom basename, fix hydration errors for routes that only have client loaders (<a href="https://redirect.github.com/remix-run/react-router/pull/14264">#14264</a>)</li> <li>Make <code>href</code> function available in a react-server context (<a href="https://redirect.github.com/remix-run/react-router/pull/14262">#14262</a>)</li> <li>decode each time <code>getPayload()</code> is called to allow for "in-context" decoding and hoisting of contextual assets (<a href="https://redirect.github.com/remix-run/react-router/pull/14248">#14248</a>)</li> <li><code>href()</code> now correctly processes routes that have an extension after the parameter or are a single optional parameter. (<a href="https://redirect.github.com/remix-run/react-router/pull/13797">#13797</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
Thomas Eizinger
|
038aa6b590 |
feat(gateway): support systemd credentials (#10538)
For more permanent Gateway installations, or ones that are managed through something else other than our install script, it is useful to define the Gateway's token outside the systemd unit file. Systemd provides support for credentials via the `LoadCredential` and `LoadCredentialEncrypted` instructions. We just need a tiny bit of glue code in the Gateway to actually use that if it is set. --------- Signed-off-by: Thomas Eizinger <thomas@eizinger.io> Co-authored-by: Jamil <jamilbk@users.noreply.github.com> |
||
|
Thomas Eizinger
|
4930aa7956 |
feat: allow setting Internet Resource from headless client (#10553)
Currently, the Internet Resource cannot be toggled on/off in the headless client. With #10509, the default state of the Internet Resource is now disabled, meaning users of the headless client are no longer able to use the Internet Resource. We fix this by introducing a new CLI argument `--activate-internet-resource` that can also be set via the env variable `FIREZONE_ACTIVATE_INTERNET_RESOURCE=true`. Resolves: #8342 |