mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-01-27 10:18:54 +00:00
62dfe65679a0bb2abffffbaeff6f8f44ee44abe2
636 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Thomas Eizinger
|
b63061994d |
chore(headless-client): release version 1.4.0 (#7495)
Headless Client 1.4.0 has been released (https://github.com/firezone/firezone/releases/tag/headless-client-1.4.0). This PR updates the changelog and version numbers accordingly. |
||
|
Thomas Eizinger
|
7309428cae |
chore(gateway): release version 1.4.2 (#7494)
Gateway 1.4.2 has been released (https://github.com/firezone/firezone/releases/tag/gateway-1.4.2). This PR updates the changelog and version numbers accordingly. |
||
|
Thomas Eizinger
|
f0c2bfa6eb |
chore(gui-client): release version 1.4.0 (#7496)
GUI Client 1.4.0 has been released (https://github.com/firezone/firezone/releases/tag/gui-client-1.4.0). This PR updates the changelog and versions accordingly. |
||
|
Thomas Eizinger
|
7a478634a8 |
feat(connlib): buffer packets during connection and NAT setup (#7477)
At present, `connlib` will always drop all IP packets until a connection is established and the DNS resource NAT is created. This causes an unnecessary delay until the connection is working because we need to wait for retransmission timers of the host's network stack to resend those packets. With the new idempotent control protocol, it is now much easier to buffer these packets and send them to the gateway once the connection is established. The buffer sizes are chosen somewhat conservatively to ensure we don't consume a lot of memory. The hypothesis here is that every protocol - even if the transport layer is unreliable like UDP - will start with a handshake involving only one or at most a few packets and waiting for a reply before sending more. Thus, as long as we can set up a connection quicker than the re-transmit timer in the host's network stack, buffering those packets should result in no packet loss. Typically, setting up a new connection takes at most 500ms which should be fast enough to not trigger any re-transmits. Resolves: #3246. |
||
|
dependabot[bot]
|
d0aef8f1d8 |
build(deps): Bump nanoid from 3.3.7 to 3.3.8 in /website in the npm_and_yarn group (#7485)
Bumps the npm_and_yarn group in /website with 1 update: [nanoid](https://github.com/ai/nanoid). Updates `nanoid` from 3.3.7 to 3.3.8 <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/ai/nanoid/blob/main/CHANGELOG.md">nanoid's changelog</a>.</em></p> <blockquote> <h2>3.3.8</h2> <ul> <li>Fixed a way to break Nano ID by passing non-integer size (by <a href="https://github.com/myndzi"><code>@myndzi</code></a>).</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
Thomas Eizinger
|
e507197480 |
docs(gateway): add changelog entry for #7479 (#7484)
The issue is now fixed and `git pull` from `github.com` as a resource now works as expected. |
||
|
Thomas Eizinger
|
90cf191a7c |
feat(linux): multi-threaded TUN device operations (#7449)
## Context At present, we only have a single thread that reads and writes to the TUN device on all platforms. On Linux, it is possible to open the file descriptor of a TUN device multiple times by setting the `IFF_MULTI_QUEUE` option using `ioctl`. Using multi-queue, we can then spawn multiple threads that concurrently read and write to the TUN device. This is critical for achieving a better throughput. ## Solution `IFF_MULTI_QUEUE` is a Linux-only thing and therefore only applies to headless-client, GUI-client on Linux and the Gateway (it may also be possible on Android, I haven't tried). As such, we need to first change our internal abstractions a bit to move the creation of the TUN thread to the `Tun` abstraction itself. For this, we change the interface of `Tun` to the following: - `poll_recv_many`: An API, inspired by tokio's `mpsc::Receiver` where multiple items in a channel can be batch-received. - `poll_send_ready`: Mimics the API of `Sink` to check whether more items can be written. - `send`: Mimics the API of `Sink` to actually send an item. With these APIs in place, we can implement various (performance) improvements for the different platforms. - On Linux, this allows us to spawn multiple threads to read and write from the TUN device and send all packets into the same channel. The `Io` component of `connlib` then uses `poll_recv_many` to read batches of up to 100 packets at once. This ties in well with #7210 because we can then use GSO to send the encrypted packets in single syscalls to the OS. - On Windows, we already have a dedicated recv thread because `WinTun`'s most-convenient API uses blocking IO. As such, we can now also tie into that by batch-receiving from this channel. - In addition to using multiple threads, this API now also uses correct readiness checks on Linux, Darwin and Android to uphold backpressure in case we cannot write to the TUN device. ## Configuration Local testing has shown that 2 threads give the best performance for a local `iperf3` run. I suspect this is because there is only so much traffic that a single application (i.e. `iperf3`) can generate. With more than 2 threads, the throughput actually drops drastically because `connlib`'s main thread is too busy with lock-contention and triggering `Waker`s for the TUN threads (which mostly idle around if there are 4+ of them). I've made it configurable on the Gateway though so we can experiment with this during concurrent speedtests etc. In addition, switching `connlib` to a single-threaded tokio runtime further increased the throughput. I suspect due to less task / context switching. ## Results Local testing with `iperf3` shows some very promising results. We now achieve a throughput of 2+ Gbit/s. ``` Connecting to host 172.20.0.110, port 5201 Reverse mode, remote host 172.20.0.110 is sending [ 5] local 100.80.159.34 port 57040 connected to 172.20.0.110 port 5201 [ ID] Interval Transfer Bitrate [ 5] 0.00-1.00 sec 274 MBytes 2.30 Gbits/sec [ 5] 1.00-2.00 sec 279 MBytes 2.34 Gbits/sec [ 5] 2.00-3.00 sec 216 MBytes 1.82 Gbits/sec [ 5] 3.00-4.00 sec 224 MBytes 1.88 Gbits/sec [ 5] 4.00-5.00 sec 234 MBytes 1.96 Gbits/sec [ 5] 5.00-6.00 sec 238 MBytes 2.00 Gbits/sec [ 5] 6.00-7.00 sec 229 MBytes 1.92 Gbits/sec [ 5] 7.00-8.00 sec 222 MBytes 1.86 Gbits/sec [ 5] 8.00-9.00 sec 223 MBytes 1.87 Gbits/sec [ 5] 9.00-10.00 sec 217 MBytes 1.82 Gbits/sec - - - - - - - - - - - - - - - - - - - - - - - - - [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-10.00 sec 2.30 GBytes 1.98 Gbits/sec 22247 sender [ 5] 0.00-10.00 sec 2.30 GBytes 1.98 Gbits/sec receiver iperf Done. ``` This is a pretty solid improvement over what is in `main`: ``` Connecting to host 172.20.0.110, port 5201 [ 5] local 100.65.159.3 port 56970 connected to 172.20.0.110 port 5201 [ ID] Interval Transfer Bitrate Retr Cwnd [ 5] 0.00-1.00 sec 90.4 MBytes 758 Mbits/sec 1800 106 KBytes [ 5] 1.00-2.00 sec 93.4 MBytes 783 Mbits/sec 1550 51.6 KBytes [ 5] 2.00-3.00 sec 92.6 MBytes 777 Mbits/sec 1350 76.8 KBytes [ 5] 3.00-4.00 sec 92.9 MBytes 779 Mbits/sec 1800 56.4 KBytes [ 5] 4.00-5.00 sec 93.4 MBytes 783 Mbits/sec 1650 69.6 KBytes [ 5] 5.00-6.00 sec 90.6 MBytes 760 Mbits/sec 1500 73.2 KBytes [ 5] 6.00-7.00 sec 87.6 MBytes 735 Mbits/sec 1400 76.8 KBytes [ 5] 7.00-8.00 sec 92.6 MBytes 777 Mbits/sec 1600 82.7 KBytes [ 5] 8.00-9.00 sec 91.1 MBytes 764 Mbits/sec 1500 70.8 KBytes [ 5] 9.00-10.00 sec 92.0 MBytes 771 Mbits/sec 1550 85.1 KBytes - - - - - - - - - - - - - - - - - - - - - - - - - [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-10.00 sec 917 MBytes 769 Mbits/sec 15700 sender [ 5] 0.00-10.00 sec 916 MBytes 768 Mbits/sec receiver iperf Done. ``` |
||
|
Thomas Eizinger
|
2f2ad2cffe |
docs(changelog): remove enable attr (#7458)
Idiomatic React is to conditionally render the entire element instead of passing down an `enable` attribute. |
||
|
Thomas Eizinger
|
b802021cc4 |
feat(connlib): implement idempotent control protocol for client (#6942)
Building on top of the gateway PR (#6941), this PR transitions the clients to the new control protocol. Clients are **not** backwards-compatible with old gateways. As a result, a certain customer environment MUST have at least one gateway with the above PR running in order for clients to be able to establish connections. With this transition, Clients send explicit events to Gateways whenever they assign IPs to a DNS resource name. The actual assignment only happens once and the IPs then remain stable for the duration of the client session. When the Gateway receives such an event, it will perform a DNS resolution of the requested domain name and set up the NAT between the assigned proxy IPs and the IPs the domain actually resolves to. In order to support self-healing of any problems that happen during this process, the client will send an "Assigned IPs" event every time it receives a DNS query for a particular domain. This in turn will trigger another DNS resolution on the Gateway. Effectively, this means that DNS queries for DNS resources propagate to the Gateway, triggering a DNS resolution there. In case the domain resolves to the same set of IPs, no state is changed to ensure existing connections are not interrupted. With this new functionality in place, we can delete the old logic around detecting "expired" IPs. This is considered a bugfix as this logic isn't currently working as intended. It has been observed multiple times that the Gateway can loop on this behaviour and resolving the same domain over and over again. The only theoretical "incompatibility" here is that pre-1.4.0 clients won't have access to this functionality of triggering DNS refreshes on a Gateway 1.4.2+ Gateway. However, as soon as this PR merges, we expect all admins to have already upgraded to a 1.4.0+ Gateway anyway which already mandates clients to be on 1.4.0+. Resolves: #7391. Resolves: #6828. |
||
|
Jamil
|
bd3f912542 |
refactor(apple/macos): Use System Extension packaging mode for macOS Network Extension (#7344)
To allow macOS users to rollback, it would be helpful to distribute a standalone macOS app, similar to how we distribute the GUI client. The first step in this process is to refactor the macOS client to use a System Extension -based Network Extension rather than an App Extension based one. This offers us the flexibility to distribute the macOS client outside the Mac App Store in addition to via the store. For this PR I focused on making the minimal set of changes necessary to support this change. This PR intentionally doesn't update the CI pipeline to notarize and attach a standalone bundle that will run ad-hoc on other Macs. That will come in a subsequent PR. One thing to note about System Extensions is that they're slightly more finicky when it comes to getting the signing and packaging right. Thus, the README.md is updated to account for the gotchas involved in developing System Extensions locally. Related: #7071. |
||
|
Thomas Eizinger
|
9073bddaef |
fix(gateway): translate ICMP destination unreachable errors (#7398)
## Context The Gateway implements a stateful NAT that translates the destination IP and source protocol of every packet that targets a DNS resource IP. This is necessary because the IPs for DNS resources are generated on the client without actually performing a DNS lookup, instead it always generates 4 IPv4 and 4 IPv6 addresses. On the Gateway, these IPs are then assigned in a round-robin fashion to the actual IPs that the domain resolves to, necessitating a NAT64/46 translation in case a domain only resolves to IPs of one family. A domain may resolve to a set of IPs but not all of these IPs may be routable. Whilst an arguably poor practise of the domain administrator, routing problems can occur for all kinds of reasons and are well handled on the wider Internet. When an IP packet cannot be routed further, the current routing node generates an ICMP error describing the routing failure and sends it back to the original sender. ICMP is a layer 4 protocol itself, same as TCP and UDP. As such, sending out a UDP packet may result in receiving an ICMP response. In order to allow the sender to learn, which packet failed to route, the ICMP error embeds parts of the original packet in its payload [0] [1]. The Gateway's NAT table uses parts of the layer 4 protocol as part of its key; the UDP and TCP source port and the ICMP echo request identifier (further referred to as "source protocol"). An ICMP error message doesn't have any of these, meaning the lookup in the NAT table currently fails and the ICMP error is silently dropped. A lot of software implements a happy-eyeballs approach and probs for IPv6 and IPv4 connectivity simulataneously. The absence of the ICMP errors confuses that algorithm as it detects the packet loss and starts retransmits instead of giving up. ## Solution Upon receiving an ICMP error on the Gateway, we now extract the partially embedded packet in the ICMP error payload. We use the destination IP and source protocol of _that_ packet for the lookup in the NAT table. This returns us the original (client-assigned) destination IP and source protocol. In order for the Gateway's NAT to be transparent, we need to patch the packet embedded in the ICMP error to use the original destination and source protocol. We also have to account for the fact that the original packet may have been translated with NAT64/46 and translate it back. Finally, we generate an ICMP error with the appropriate code and embed the patched packet in its payload. ## Test implementation To test that this works for all kind of combinations, we extend `tunnel_test` to sample a list of unreachable IPs from all IPs sampled for DNS resources. Upon receiving a packet for one of these IPs, the Gateway will send an ICMP error back instead of invoking its regular echo reply logic. On the client-side, upon receiving an ICMP error, we extract the originally failed packet from the body and treat it as a successful response. This may seem a bit hacky at first but is actually how operating systems would treat ICMP errors as well. For example, a `TcpSocket::connect` call (triggering a TCP SYN packet) may fail with an IO error if we receive an ICMP error packet. Thus, in a way, the original packet got answered, just not with what we expected. In addition, by treating these ICMP errors as responses to the original packet, we automatically perform other assertions on them, like ensuring that they come from the right IP address, that there are no unexpected packets etc. ## Test alternatives It is tricky to solve this in other ways in the test suite because at the time of generating a packet for a DNS resource, we don't know the actual IP that is being targeted by a certain proxy IP unless we'd start reimplementing the round-robin algorithm employed by the Gateway. To "test" the transparency of the NAT, we'd like to avoid knowing about these implementation details in the test. ## Future work In this PR, we currently only deal with "Destination Unreachable" ICMP errors. There are other ICMP messages such as ICMPv6's `PacketTooBig` or `ParameterProblem`. We should eventually handle these as well. They are being deferred because translating those between the different IP versions is only partially implemented and would thus require more work. The most pressing need is to translate destination unreachable errors to enable happy-eyeballs algorithms to work correctly. Resolves: #5614. Resolves: #6371. [0]: https://www.rfc-editor.org/rfc/rfc792 [1]: https://www.rfc-editor.org/rfc/rfc4443#section-3.1 |
||
|
dependabot[bot]
|
e88f73be3b |
build(deps-dev): Bump flowbite-typography from 1.0.4 to 1.0.5 in /website (#7435)
Bumps [flowbite-typography](https://github.com/themesberg/flowbite-typography) from 1.0.4 to 1.0.5. <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/themesberg/flowbite-typography/commits">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
dependabot[bot]
|
66f46f742f |
build(deps-dev): Bump typescript from 5.6.3 to 5.7.2 in /website (#7434)
Bumps [typescript](https://github.com/microsoft/TypeScript) from 5.6.3 to 5.7.2. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/microsoft/TypeScript/releases">typescript's releases</a>.</em></p> <blockquote> <h2>TypeScript 5.7</h2> <p>For release notes, check out the <a href="https://devblogs.microsoft.com/typescript/announcing-typescript-5-7/">release announcement</a>.</p> <ul> <li><a href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=milestone%3A%22TypeScript+5.7.0%22+is%3Aclosed+">fixed issues query for Typescript 5.7.0 (Beta)</a>.</li> <li><a href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=milestone%3A%22TypeScript+5.7.1%22+is%3Aclosed+">fixed issues query for Typescript 5.7.1 (RC)</a>.</li> <li><a href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=milestone%3A%22TypeScript+5.7.2%22+is%3Aclosed+">fixed issues query for Typescript 5.7.2 (Stable)</a>.</li> </ul> <p>Downloads are available on:</p> <ul> <li><a href="https://www.npmjs.com/package/typescript">npm</a></li> </ul> <h2>TypeScript 5.7 RC</h2> <p>For release notes, check out the <a href="https://devblogs.microsoft.com/typescript/announcing-typescript-5-7-rc/">release announcement</a>.</p> <p>For the complete list of fixed issues, check out the</p> <ul> <li><a href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=milestone%3A%22TypeScript+5.7.0%22+is%3Aclosed+">fixed issues query for Typescript 5.7.0 (Beta)</a>.</li> <li><a href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=milestone%3A%22TypeScript+5.7.1%22+is%3Aclosed+">fixed issues query for Typescript 5.7.1 (RC)</a>.</li> </ul> <p>Downloads are available on:</p> <ul> <li><a href="https://www.npmjs.com/package/typescript">npm</a></li> </ul> <h2>TypeScript 5.7 Beta</h2> <p>For release notes, check out the <a href="https://devblogs.microsoft.com/typescript/announcing-typescript-5-7-beta/">release announcement</a>.</p> <p>For the complete list of fixed issues, check out the</p> <ul> <li><a href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=milestone%3A%22TypeScript+5.7.0%22+is%3Aclosed+">fixed issues query for Typescript 5.7.0 (Beta)</a>.</li> </ul> <p>Downloads are available on:</p> <ul> <li><a href="https://www.npmjs.com/package/typescript">npm</a></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
aa0f8c2248 |
build(deps): Bump postcss from 8.4.47 to 8.4.49 in /website (#7436)
Bumps [postcss](https://github.com/postcss/postcss) from 8.4.47 to 8.4.49. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/postcss/postcss/releases">postcss's releases</a>.</em></p> <blockquote> <h2>8.4.49</h2> <ul> <li>Fixed custom syntax without <code>source.offset</code> (by <a href="https://github.com/romainmenke"><code>@romainmenke</code></a>).</li> </ul> <h2>8.4.48</h2> <ul> <li>Fixed position calculation in error/warnings methods (by <a href="https://github.com/romainmenke"><code>@romainmenke</code></a>).</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/postcss/postcss/blob/main/CHANGELOG.md">postcss's changelog</a>.</em></p> <blockquote> <h2>8.4.49</h2> <ul> <li>Fixed custom syntax without <code>source.offset</code> (by <a href="https://github.com/romainmenke"><code>@romainmenke</code></a>).</li> </ul> <h2>8.4.48</h2> <ul> <li>Fixed position calculation in error/warnings methods (by <a href="https://github.com/romainmenke"><code>@romainmenke</code></a>).</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
183df5c572 |
build(deps): Bump tailwindcss from 3.4.14 to 3.4.15 in /website (#7437)
Bumps [tailwindcss](https://github.com/tailwindlabs/tailwindcss) from 3.4.14 to 3.4.15. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/tailwindlabs/tailwindcss/releases">tailwindcss's releases</a>.</em></p> <blockquote> <h2>v3.4.15</h2> <ul> <li>Bump versions for security vulnerabilities (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/14697">#14697</a>)</li> <li>Ensure the TypeScript types for the <code>boxShadow</code> theme configuration allows arrays (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/14856">#14856</a>)</li> <li>Set fallback for opacity variables to ensure setting colors with the <code>selection:*</code> variant works in Chrome 131 (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/15003">#15003</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/tailwindlabs/tailwindcss/blob/v3.4.15/CHANGELOG.md">tailwindcss's changelog</a>.</em></p> <blockquote> <h2>[3.4.15] - 2024-11-14</h2> <ul> <li>Bump versions for security vulnerabilities (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/14697">#14697</a>)</li> <li>Ensure the TypeScript types for the <code>boxShadow</code> theme configuration allows arrays (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/14856">#14856</a>)</li> <li>Set fallback for opacity variables to ensure setting colors with the <code>selection:*</code> variant works in Chrome 131 (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/15003">#15003</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
36725a8246 |
build(deps): Bump framer-motion from 11.11.17 to 11.12.0 in /website (#7438)
Bumps [framer-motion](https://github.com/framer/motion) from 11.11.17 to 11.12.0. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/motiondivision/motion/blob/main/CHANGELOG.md">framer-motion's changelog</a>.</em></p> <blockquote> <h2>[11.12.0] 2024-11-27</h2> <h3>Added</h3> <ul> <li>New <code>visualDuration</code> option for <code>spring</code> animations.</li> <li>New <code>spring(visualDuration, bounce)</code> syntax.</li> </ul> <h2>[11.11.16] 2024-11-14</h2> <h3>Fixed</h3> <ul> <li>Fixing <code>stagger</code> with mini <code>animate</code>.</li> </ul> <h2>[11.11.16] 2024-11-14</h2> <h3>Fixed</h3> <ul> <li>Ensuring animations passed to <code>scroll</code> are scrubbed linearly.</li> <li>Fixing <code>mini</code> types entrypoint.</li> <li>Exporting easing types from <code>"motion"</code>.</li> </ul> <h2>[11.11.15] 2024-11-13</h2> <h3>Fixed</h3> <ul> <li>Fixing <code>mini</code> and <code>react-mini</code> entrypoints.</li> </ul> <h2>[11.11.14] 2024-11-12</h2> <h3>Fixed</h3> <ul> <li>Fixing fallback entry points for <code>"motion/react"</code> etc.</li> </ul> <h2>[11.11.13] 2024-11-12</h2> <h3>Fixed</h3> <ul> <li>Fixing build and entry points for <code>"motion"</code>.</li> </ul> <h2>[11.11.12] 2024-11-12</h2> <h3>Changed</h3> <ul> <li>Adding <code>"motion"</code> package.</li> <li>Replaced Motion One (see <a href="https://motion.dev/docs/upgrade-guide">upgrade guide</a>).</li> </ul> <h2>[11.11.11] 2024-10-31</h2> <h3>Fixed</h3> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
Thomas Eizinger
|
0a6554122a |
feat(connlib): utilise GSO for UDP sockets (#7210)
## Context At present, `connlib` sends UDP packets one at a time. Sending a packet requires us to make a syscall which is quite expensive. Under load, i.e. during a speedtest, syscalls account for over 50% of our CPU time [0]. In order to improve this situation, we need to somehow make use of GSO (generic segmentation offload). With GSO, we can send multiple packets to the same destination in a single syscall. The tricky question here is, how can we achieve having multiple UDP packets ready at once so we can send them in a single syscall? Our TUN interface only feeds us packets one at a time and `connlib`'s state machine is single-threaded. Additionally, we currently only have a single `EncryptBuffer` in which the to-be-sent datagram sits. ## 1. Stack-allocating encrypted IP packets As a first step, we get rid of the single `EncryptBuffer` and instead stack-allocate each encrypted IP packet. Due to our small MTU, these packets are only around 1300 bytes. Stack-allocating that requires a few memcpy's but those are in the single-digit % range in the terms of CPU time performance hit. That is nothing compared to how much time we are spending on UDP syscalls. With the `EncryptBuffer` out the way, we can now "freely" move around the `EncryptedPacket` structs and - technically - we can have multiple of them at the same time. ## 2. Implementing GSO The GSO interface allows you to pass multiple packets **of the same length and for the same destination** in a single syscall, meaning we cannot just batch-up arbitrary UDP packets. Counterintuitively, making use of GSO requires us to do more copying: In particular, we change the interface of `Io` such that "sending" a packet performs essentially a lookup of a `BytesMut`-buffer by destination and packet length and appends the payload to that packet. ## 3. Batch-read IP packets In order to actually perform GSO, we need to process more than a single IP packet in one event-loop tick. We achieve this by batch-reading up to 50 IP packets from the mpsc-channel that connects `connlib`'s main event-loop with the dedicated thread that reads and writes to the TUN device. These reads and writes happen concurrently to `connlib`'s packet processing. Thus, it is likely that by the time `connlib` is ready to process another IP packet, multiple have been read from the device and are sitting in the channel. Batch-processing these IP packets means that the buffers in our `GsoQueue` are more likely to contain more than a single datagram. Imagine you are running a file upload. The OS will send many packets to the same destination IP and likely max MTU to the TUN device. It is likely, that we read 10-20 of these packets in one batch (i.e. within a single "tick" of the event-loop). All packets will be appended to the same buffer in the `GsoQueue` and on the next event-loop tick, they will all be flushed out in a single syscall. ## Results Overall, this results in a significant reduction of syscalls for sending UDP message. In [1], we spend only a total of 16% of our CPU time in `udpv6_sendmsg` whereas in [0] (main), we spent a total of 34%. Do note that these numbers are relative to the total CPU time spent per program run and thus can't be compared directly (i.e. you cannot just do 34 - 16 and say we now spend 18% less time sending UDP packets). Nevertheless, this appears to be a great improvement. In terms of throughput, we achieve a ~60% improvement in our benchmark suite. That one is running on localhost though so it might not necessarily be reflect like that in a real network. [0]: https://share.firefox.dev/4hvoPju [1]: https://share.firefox.dev/4frhCPv |
||
|
Jamil
|
3a62709c77 |
docs: Add restricted regions docs (#7395)
This will be referred to when we make our email announcement. |
||
|
Jamil
|
8aed0c6644 |
chore(website): Remove link to probe.sh (#7377)
We'll be winding down this service to reduce maintenance overhead. |
||
|
Jamil
|
b5b0ee2090 |
fix(website): cache api responses properly (#7373)
We blew through our Edge Function invocation allotment (1M). Upon investigating, it became clear the way we were doing caching previously was for the app / page rendering. This is how Vercel [instructs](https://vercel.com/docs/edge-network/caching#using-vercel-functions) us to do it for Edge functions. |
||
|
Jamil
|
d2a224e3cb |
chore: Bump website deps (#7372)
Fixes https://github.com/firezone/firezone/security/dependabot/125 |
||
|
Thomas Eizinger
|
2b3469954a |
chore(headless-client): allow disabling telemetry (#7350)
I've started to set this in my local env to not spam Sentry with events while I am developing. |
||
|
Thomas Eizinger
|
0b22892a77 |
docs: refer to correct way how to disable gateway telemetry (#7351)
Shame on me for not actually testing this when I built it. `clap` requires you to explicitly spell out `true` or `false`. |
||
|
Thomas Eizinger
|
0cb96f5a18 | chore(gui-client): publish version 1.3.13 (#7346) | ||
|
Thomas Eizinger
|
4db3a457a9 | chore(gateway): publish version 1.4.1 (#7347) | ||
|
Thomas Eizinger
|
4fc7e62ba8 | chore(headless-client): publish version 1.3.7 (#7348) | ||
|
Thomas Eizinger
|
00c7c42113 |
fix(snownet): don't allow duplicate server-reflexive candidates (#7334)
In #7163, we introduced a shared cache of server-reflexive candidates within a `snownet::Node`. What we unfortunately overlooked is that if a node (i.e. a client or a gateway) is behind symmetric NAT, then we will repeatedly create "new" server-reflexive candiates, thereby filling up this cache. This cache is used to initialise the agents with local candidates, which manifests in us sending dozens if not hundreds of candidates to the other party. Whilst not harmful in itself, it does create quite a lot of spam. To fix this, we introduce a limit of only keeping around 1 server-reflexive candidate per IP version, i.e. only 1 IPv4 and IPv6 address. At present, `connlib` only supports a single egress interface meaning for now, we are fine with making this assumption. In case we encounter a new candidate of the same kind and same IP version, we evict the old one and replace it with the new one. Thus, for subsequent connections, only the new candidate is used. |
||
|
Jamil
|
6f7f6a4f34 |
style: Enforce code style across all supported languages using Prettier (#7322)
This ensure that we run prettier across all supported filetypes to check for any formatting / style inconsistencies. Previously, it was only run for files in the website/ directory using a deprecated pre-commit plugin. The benefit to keeping this in our pre-commit config is that devs can optionally run these checks locally with `pre-commit run --config .github/pre-commit-config.yaml`. --------- Signed-off-by: Jamil <jamilbk@users.noreply.github.com> Co-authored-by: Thomas Eizinger <thomas@eizinger.io> |
||
|
Thomas Eizinger
|
764af71f66 |
fix(website): remove duplicate tailwind rule (#7316)
My editor complained that the `hover:ring-2` class was applied twice for these elements. |
||
|
Jamil
|
1dda915376 |
ci: Publish new clients (#7291)
Fixes the roaming bug. |
||
|
Thomas Eizinger
|
8653146c18 |
fix(connlib): discard timer once it fired (#7288)
Within `connlib`, we have many nested state machines. Many of them have internal timers by means of timestamps with which they indicate, when they'd like to be "woken" to perform time-related processing. For example, the `Allocation` state machine would indicate with a timestamp 5 minutes from the time an allocation is created that it needs to be woken again in order to send the refresh message to the relay. When we reset our network connections, we pretty much discard all state within connlib and together with that, all of these timers. Thus the `poll_timeout` function would return `None`, indicating that our state machines are not waiting for anything. Within the eventloop, the most outer state machine, i.e. `ClientState` is paired with an `Io` component that actually implements the timer by scheduling a wake-up aggregated as the earliest point of all state machines. In order to not fire the same timer multiple times in a row, we already intended to reset the timer once it fired. It turns out that this never worked and the timer still lingered around. When we call `reset`, `poll_timeout` - which feeds this timer - returns `None` and the timer doesn't get updated until it will finally return `Some` with an `Instant`. Because the previous timer didn't get cleared when it fired, this caused `connlib` to busy loop and prevent some(?) other parts of it from progressing, resulting in us never being able to reconnect to the portal. Yet, because the event loop itself was still operating, we could still resolve DNS queries and such. Resolves: #7254. --------- Co-authored-by: Jamil Bou Kheir <jamilbk@users.noreply.github.com> |
||
|
Thomas Eizinger
|
cdd3e4d25c |
fix(headless-client): don't fuse futures outside of the loop (#7287)
When waiting on multiple futures concurrently within a loop, it is important that they all get re-created whenever one of them resolves. Currently, due to the `.fuse` call, the SIGHUP signal can only be sent once and future signals get ignored. As a more general fix, I swapped the `futures::select!` macro to the `tokio::select!` macro which allows referencing these futures without pinning and fusing. Ideally, we'd not use any of these macros here and write our own eventloop but that is a larger refactoring. |
||
|
Thomas Eizinger
|
a5730b6f3b |
chore: release apple client 1.3.8 (#7268)
To be merged once Apple approves the app review. --------- Co-authored-by: Jamil Bou Kheir <jamilbk@users.noreply.github.com> |
||
|
Jamil
|
19da306839 | ci: Publish GUI 1.3.11 (#7269) | ||
|
Thomas Eizinger
|
9d7a597c05 |
fix(connlib): apply timeout to WebSocket connection to portal (#7265)
The issue in #7254 and #7200 appears to be that eventually, we fail to connect to the portal because we stop re-trying, i.e. the socket connect appears to hang forever. Perhaps there is race condition somewhere in how we resolve DNS / flush DNS servers etc. Regardless of that, connecting to the portal should never take more than 5s so timing out after that ensures we retry the connection. Resolves: #7254. Resolves: #7200. |
||
|
Thomas Eizinger
|
271c480357 |
fix(connlib): don't attempt to encrypt too large packets (#7263)
When encrypting packets, we need to reserve a buffer within which boringtun will encrypt the IP packet. Unfortunately, `boringtun` panics if that buffer is not big enough which essentially brings all of `connlib` down. Really, we should never see a packet that is too large and ideally, we enforce this at compile-time by creating different variants of `IpPacket` that are sized accordingly. That is a large refactoring so until then, we simply discard them instead of panicking. --------- Signed-off-by: Thomas Eizinger <thomas@eizinger.io> Co-authored-by: Jamil <jamilbk@users.noreply.github.com> |
||
|
Jamil
|
b2c99a6ddc |
chore(website): Publish Gateway 1.4.0 changelog (#7255)
Publishes the 1.4.0 Gateway changelog and fixes a couple other minor issues. --------- Signed-off-by: Jamil <jamilbk@users.noreply.github.com> |
||
|
Jamil
|
bc46d95350 |
chore(website): Increase cache revalidation to 1 hour (#7258)
Why: Reduces the number of edge functions that need to run, and thus reducing the likelihood this endpoint will timeout due to slow edge function startup. |
||
|
dependabot[bot]
|
f7f9c76241 |
build(deps): Bump @next/third-parties from 14.2.15 to 15.0.2 in /website (#7211)
Bumps [@next/third-parties](https://github.com/vercel/next.js/tree/HEAD/packages/third-parties) from 14.2.15 to 15.0.2. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/vercel/next.js/releases"><code>@next/third-parties</code>'s releases</a>.</em></p> <blockquote> <h2>v15.0.2</h2> <h3>Core Changes</h3> <ul> <li>Read page name from work store in server module map proxy: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71669">#71669</a></li> <li>codemod: should not transform when param is not used: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71664">#71664</a></li> <li>[dynamicIO] complete refactor to prerender: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71687">#71687</a></li> <li>fix: metadata image route normalize path posix for windows: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71673">#71673</a></li> <li>next-codemod(upgrade): optional catch when missing dev script: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71598">#71598</a></li> <li>Avoid server action function indirection in Turbopack: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71628">#71628</a></li> <li>fix: exclude <code>basePath</code> in <code>findSourceMapURL</code>: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71719">#71719</a></li> <li>fix: stack frame text color in dark mode: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71656">#71656</a></li> <li>Fix: revert the bad node binary handling: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71723">#71723</a></li> <li>next-codemod: add empty <code>pnpm-workspace.yaml</code> to test fixtures to bypass PNPM workspace checks: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71726">#71726</a></li> <li>warn on sync access if dynamicIO is not enabled: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71696">#71696</a></li> <li>Update React from <code>69d4b800-20241021</code> to <code>45804af1-20241021</code>: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71718">#71718</a></li> <li>next-upgrade: do not add <code>--turbopack</code> flag when <code>--turbo</code> exists in <code>next dev</code>: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71730">#71730</a></li> <li>feat: stitch errors with react owner stack: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/70393">#70393</a></li> <li>[dynamicIO] update data access error and documentation: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71738">#71738</a></li> <li>Test cached form action with revalidate: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71591">#71591</a></li> <li>Upgrade React from <code>45804af1-20241021</code> to <code>28668d39-20241023</code>: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71745">#71745</a></li> <li>Fix race condition when setting client reference manifests: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71741">#71741</a></li> <li>Fix fetch with no-store inside of use cache: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71754">#71754</a></li> <li>Remove the bottom collapse button in dev overlay: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71658">#71658</a></li> <li>[dynamicIO] unify cache filling and lazy-module warming: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71749">#71749</a></li> <li>Don't filter out <!-- raw HTML omitted --> source location frames through RSC: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71752">#71752</a></li> <li>fix undefined default export error msg: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71762">#71762</a></li> <li>Upgrade React from <code>28668d39-20241023</code> to <code>1631855f-20241023</code>: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71769">#71769</a></li> <li>Enable owner stack in experimental build: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71716">#71716</a></li> <li>feat: add experiment for sharpjs cpu flags: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71733">#71733</a></li> <li>fix: handle server component replay error in error overlay: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71772">#71772</a></li> <li>Don't error asking for prebuilt bundles: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71778">#71778</a></li> <li>Replace <code>turbopack://[project]/...</code> sourcemap uris with <code>file://...</code> in development: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71489">#71489</a></li> <li>misc: update source map paths for bundled Next.js runtime: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71779">#71779</a></li> <li>[dynamicIO] refine error message and docs: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71781">#71781</a></li> <li>next-upgrade: change <code>--turbo</code> to <code>--turbopack</code> if applicable: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71737">#71737</a></li> <li>Show all diff when uncollapse: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71792">#71792</a></li> <li>Sourcemap errors in terminal by default : <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71444">#71444</a></li> <li>Fully enable custom error callbacks for app router: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71794">#71794</a></li> <li>Simplify Server Action Webpack plugin: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71721">#71721</a></li> <li>ensure DIO development segment errors are cleared after correcting: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71811">#71811</a></li> <li>Include sourceframe in errors logged in the terminal during development: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71803">#71803</a></li> <li>[dynamicIO] update prerender cache scoping and cache warming for validation: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71822">#71822</a></li> <li>only force stack frame color in tty: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71860">#71860</a></li> <li>Add test for fetch with auth in use cache: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71768">#71768</a></li> <li>Fix race with hot-reloader-client clearing overlay errors: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71771">#71771</a></li> <li>Fix dynamic tracking in dev: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71867">#71867</a></li> <li>Revert "Sourcemap errors in terminal by default (<a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71444">#71444</a>)": <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71868">#71868</a></li> <li>Fix fetch caching inside of <code>"use cache"</code>: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71793">#71793</a></li> <li>Trace upload: only send traces for current session: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71838">#71838</a></li> <li>Reland "Sourcemap errors in terminal by default": <a href="https://github.com/vercel/next.js/tree/HEAD/packages/third-parties/issues/71877">#71877</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
c64c8fae19 |
build(deps): Bump @mdx-js/loader from 3.0.1 to 3.1.0 in /website (#7215)
Bumps [@mdx-js/loader](https://github.com/mdx-js/mdx/tree/HEAD/packages/loader) from 3.0.1 to 3.1.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/mdx-js/mdx/releases"><code>@mdx-js/loader</code>'s releases</a>.</em></p> <blockquote> <h2>3.1.0</h2> <h4>Add</h4> <ul> <li>715ddd96 <strong><code>@mdx-js/esbuild</code></strong>: add source maps by <a href="https://github.com/remcohaszing"><code>@remcohaszing</code></a> in <a href="https://redirect.github.com/mdx-js/mdx/pull/2464">mdx-js/mdx#2464</a></li> <li>d5867203 <strong><code>@mdx-js/node-loader</code></strong>: add support for options w/ <code>initialize</code></li> <li>cd2907dd <strong><code>@mdx-js/node-loader</code></strong>: add support showing messages</li> <li>ceea80dd <strong><code>@mdx-js/node-loader</code></strong>: add source maps by <a href="https://github.com/remcohaszing"><code>@remcohaszing</code></a> in <a href="https://redirect.github.com/mdx-js/mdx/pull/2458">mdx-js/mdx#2458</a></li> </ul> <h4>Fix</h4> <ul> <li>d306f870 <strong><code>@mdx-js/core</code></strong>: replace <code>periscopic</code> with <code>estree-util-scope</code></li> <li>c7479905 <strong><code>@mdx-js/core</code></strong>: fix injecting providers for jsx in esm, expressions</li> <li>3a794ab5 <strong><code>@mdx-js/loader</code></strong>: fix ESM type import by <a href="https://github.com/remcohaszing"><code>@remcohaszing</code></a> in <a href="https://redirect.github.com/mdx-js/mdx/pull/2452">mdx-js/mdx#2452</a></li> <li>be79212a <strong><code>@mdx-js/loader</code></strong>: change webpack peer dependency to optional by <a href="https://github.com/chenjiahan"><code>@chenjiahan</code></a> in <a href="https://redirect.github.com/mdx-js/mdx/pull/2440">mdx-js/mdx#2440</a></li> </ul> <h4>Types</h4> <ul> <li>f12afda2 Refactor to use <code>@import</code> JSDoc tags by <a href="https://github.com/remcohaszing"><code>@remcohaszing</code></a> in <a href="https://redirect.github.com/mdx-js/mdx/pull/2498">mdx-js/mdx#2498</a></li> </ul> <h4>Miscellaneous</h4> <ul> <li>77158cdb Refactor to externalize recma packages</li> </ul> <h4>Site</h4> <ul> <li>67500792 Add link to <code>parcel-transformer-mdx</code> in docs</li> <li>3f8344b3 Add search to site</li> <li>05ecf65f Fix example</li> <li>f8648861 Fix types, lints in example by <a href="https://github.com/karlhorky"><code>@karlhorky</code></a> in <a href="https://redirect.github.com/mdx-js/mdx/pull/2518">mdx-js/mdx#2518</a></li> <li>37318def Add Bun section to Getting started by <a href="https://github.com/karlhorky"><code>@karlhorky</code></a> in <a href="https://redirect.github.com/mdx-js/mdx/pull/2517">mdx-js/mdx#2517</a></li> <li>07d5e2fc Refactor to improve wording by <a href="https://github.com/filippovd20"><code>@filippovd20</code></a> in <a href="https://redirect.github.com/mdx-js/mdx/pull/2513">mdx-js/mdx#2513</a></li> <li>95ba33e1 Add notes on how to type props and components by <a href="https://github.com/karlhorky"><code>@karlhorky</code></a> in <a href="https://redirect.github.com/mdx-js/mdx/pull/2510">mdx-js/mdx#2510</a></li> <li>044e8b2a Add example illustrating JSX literals, references</li> <li>1d0a9b68 Add more links across docs</li> <li>716ab3c8 Fix link for MDX Analyzer by <a href="https://github.com/karlhorky"><code>@karlhorky</code></a> in <a href="https://redirect.github.com/mdx-js/mdx/pull/2509">mdx-js/mdx#2509</a></li> <li>f1ca4b2f Fix link by <a href="https://github.com/artola"><code>@artola</code></a> in <a href="https://redirect.github.com/mdx-js/mdx/pull/2508">mdx-js/mdx#2508</a></li> <li>11ac939b Add <code>rehype-twoslash</code></li> <li>b749d38f Add <code>rehype-starry-night</code> to website</li> <li>dfdcb502 Fix to recommend <code>rehype-mdx-code-props</code></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
32761d8f01 |
build(deps): Bump framer-motion from 11.11.8 to 11.11.11 in /website (#7212)
Bumps [framer-motion](https://github.com/framer/motion) from 11.11.8 to 11.11.11. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/framer/motion/blob/main/CHANGELOG.md">framer-motion's changelog</a>.</em></p> <blockquote> <h2>[11.11.11] 2024-10-31</h2> <h3>Fixed</h3> <ul> <li>Fixing double <code>update()</code> call on mount.</li> </ul> <h2>[11.11.10] 2024-10-25</h2> <h3>Fixed</h3> <ul> <li>Removing <code>will-change</code> from SSR.</li> </ul> <h2>[11.11.9] 2024-10-15</h2> <h3>Changed</h3> <ul> <li><code>will-change</code> is now no longer automatically managed without <code>useWillChange</code>.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
94b8522ad1 |
build(deps): Bump autoprefixer from 10.4.19 to 10.4.20 in /website (#7213)
Bumps [autoprefixer](https://github.com/postcss/autoprefixer) from 10.4.19 to 10.4.20. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/postcss/autoprefixer/releases">autoprefixer's releases</a>.</em></p> <blockquote> <h2>10.4.20</h2> <ul> <li>Fixed <code>fit-content</code> prefix for Firefox.</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/postcss/autoprefixer/blob/main/CHANGELOG.md">autoprefixer's changelog</a>.</em></p> <blockquote> <h2>10.4.20</h2> <ul> <li>Fixed <code>fit-content</code> prefix for Firefox.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
c6d335c8f9 |
build(deps): Bump @next/mdx from 14.2.15 to 15.0.2 in /website (#7214)
Bumps [@next/mdx](https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx) from 14.2.15 to 15.0.2. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/vercel/next.js/releases"><code>@next/mdx</code>'s releases</a>.</em></p> <blockquote> <h2>v15.0.2</h2> <h3>Core Changes</h3> <ul> <li>Read page name from work store in server module map proxy: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71669">#71669</a></li> <li>codemod: should not transform when param is not used: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71664">#71664</a></li> <li>[dynamicIO] complete refactor to prerender: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71687">#71687</a></li> <li>fix: metadata image route normalize path posix for windows: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71673">#71673</a></li> <li>next-codemod(upgrade): optional catch when missing dev script: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71598">#71598</a></li> <li>Avoid server action function indirection in Turbopack: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71628">#71628</a></li> <li>fix: exclude <code>basePath</code> in <code>findSourceMapURL</code>: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71719">#71719</a></li> <li>fix: stack frame text color in dark mode: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71656">#71656</a></li> <li>Fix: revert the bad node binary handling: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71723">#71723</a></li> <li>next-codemod: add empty <code>pnpm-workspace.yaml</code> to test fixtures to bypass PNPM workspace checks: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71726">#71726</a></li> <li>warn on sync access if dynamicIO is not enabled: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71696">#71696</a></li> <li>Update React from <code>69d4b800-20241021</code> to <code>45804af1-20241021</code>: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71718">#71718</a></li> <li>next-upgrade: do not add <code>--turbopack</code> flag when <code>--turbo</code> exists in <code>next dev</code>: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71730">#71730</a></li> <li>feat: stitch errors with react owner stack: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/70393">#70393</a></li> <li>[dynamicIO] update data access error and documentation: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71738">#71738</a></li> <li>Test cached form action with revalidate: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71591">#71591</a></li> <li>Upgrade React from <code>45804af1-20241021</code> to <code>28668d39-20241023</code>: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71745">#71745</a></li> <li>Fix race condition when setting client reference manifests: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71741">#71741</a></li> <li>Fix fetch with no-store inside of use cache: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71754">#71754</a></li> <li>Remove the bottom collapse button in dev overlay: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71658">#71658</a></li> <li>[dynamicIO] unify cache filling and lazy-module warming: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71749">#71749</a></li> <li>Don't filter out <!-- raw HTML omitted --> source location frames through RSC: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71752">#71752</a></li> <li>fix undefined default export error msg: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71762">#71762</a></li> <li>Upgrade React from <code>28668d39-20241023</code> to <code>1631855f-20241023</code>: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71769">#71769</a></li> <li>Enable owner stack in experimental build: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71716">#71716</a></li> <li>feat: add experiment for sharpjs cpu flags: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71733">#71733</a></li> <li>fix: handle server component replay error in error overlay: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71772">#71772</a></li> <li>Don't error asking for prebuilt bundles: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71778">#71778</a></li> <li>Replace <code>turbopack://[project]/...</code> sourcemap uris with <code>file://...</code> in development: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71489">#71489</a></li> <li>misc: update source map paths for bundled Next.js runtime: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71779">#71779</a></li> <li>[dynamicIO] refine error message and docs: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71781">#71781</a></li> <li>next-upgrade: change <code>--turbo</code> to <code>--turbopack</code> if applicable: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71737">#71737</a></li> <li>Show all diff when uncollapse: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71792">#71792</a></li> <li>Sourcemap errors in terminal by default : <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71444">#71444</a></li> <li>Fully enable custom error callbacks for app router: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71794">#71794</a></li> <li>Simplify Server Action Webpack plugin: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71721">#71721</a></li> <li>ensure DIO development segment errors are cleared after correcting: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71811">#71811</a></li> <li>Include sourceframe in errors logged in the terminal during development: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71803">#71803</a></li> <li>[dynamicIO] update prerender cache scoping and cache warming for validation: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71822">#71822</a></li> <li>only force stack frame color in tty: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71860">#71860</a></li> <li>Add test for fetch with auth in use cache: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71768">#71768</a></li> <li>Fix race with hot-reloader-client clearing overlay errors: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71771">#71771</a></li> <li>Fix dynamic tracking in dev: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71867">#71867</a></li> <li>Revert "Sourcemap errors in terminal by default (<a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71444">#71444</a>)": <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71868">#71868</a></li> <li>Fix fetch caching inside of <code>"use cache"</code>: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71793">#71793</a></li> <li>Trace upload: only send traces for current session: <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71838">#71838</a></li> <li>Reland "Sourcemap errors in terminal by default": <a href="https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx/issues/71877">#71877</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
Thomas Eizinger
|
88404c3148 |
chore: publish headless-client v1.3.5 (#7191)
Signed-off-by: Thomas Eizinger <thomas@eizinger.io> |
||
|
Thomas Eizinger
|
de97735ab2 |
chore: mark Apple apps 1.3.7 as published (#7194)
As soon as this version hits the app stores, we can merge this. --------- Signed-off-by: Thomas Eizinger <thomas@eizinger.io> |
||
|
Thomas Eizinger
|
6db06b0509 |
chore: mark Android app version 1.3.6 as published (#7193)
As soon as this version hits the app store, we can merge this. |
||
|
Thomas Eizinger
|
8c9c5aeb8c |
chore: publish GUI client 1.3.10 (#7195)
We've successfully published release 1.3.10 for the GUI client: https://github.com/firezone/firezone/releases/tag/gui-client-1.3.10. This PR bumps the versions for development going forward. |
||
|
Jamil
|
e9b2e4735a |
ci: Publish Gateway 1.4.0 (#7187)
Publish the 1.4.0 release so it's available at `/api/releases` and will send upgrade Gateway notifications. |
||
|
Thomas Eizinger
|
f7a388345b |
fix(connlib): reconnect in case we lose all relays (#7164)
During normal operation, we should never lose connectivity to the set of assigned relays in a client or gateway. In the presence of odd network conditions and partitions however, it is possible that we disconnect from a relay that is in fact only temporarily unavailable. Without an explicit mechanism to retrieve new relays, this means that both clients and gateways can end up with no relays at all. For clients, this can be fixed by either roaming or signing out and in again. For gateways, this can only be fixed by a restart! Without connected relays, no connections can be established. With #7163, we will at least be able to still establish direct connections. Yet, that isn't good enough and we need a mechanism for restoring full connectivity in such a case. We creating a new connection, we already sample one of our relays and assign it to this particular connection. This ensures that we don't create an excessive amount of candidates for each individual connection. Currently, this selection is allowed to be silently fallible. With this PR, we make this a hard-error and bubble up the error that all the way to the client's and gateway's event-loop. There, we initiate a reconnect to the portal as a compensating action. Reconnecting to the portal means we will receive another `init` message that allows us to reconnect the relays. Due to the nature of this implementation, this fix may only apply with a certain delay from when we actually lost connectivity to the last relay. However, this design has the advantage that we don't have to introduce an additional state within `snownet`: Connections now simply fail to establish and the next one soon after _should_ succeed again because we will have received a new `init` message. Resolves: #7162. |
||
|
Thomas Eizinger
|
51d92265f4 |
fix(android): never route notifications through the tunnel (#7160)
Resolves: #5637. |