mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-01-27 10:18:54 +00:00
6e2be658b03b965321e82424fc47fae293793617
8458 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
6e2be658b0 |
chore(gateway): log unroutable packets only on DEBUG (#10897)
Currently, the Gateway logs all kinds of errors during packet processing on WARN. Whilst it is generally good to be aware of warnings / errors, some of these scenarios are particularly noisy. For various reasons, we may not be able to route a packet arriving from the TUN device. In such cases, we now return an `UnroutablePacket` error to the event-loop which is special-cased to only log on DEBUG. It also includes the 5 tuple as variables, which should make log analysis a bit easier if we want to filter on specific parts of the 5 tuple. |
||
|
|
a742e0a10d |
build(deps): bump @next/mdx from 15.5.4 to 15.5.6 in /website (#10902)
Bumps [@next/mdx](https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx) from 15.5.4 to 15.5.6. |
||
|
|
2cb3b326fb |
build(deps): bump mixpanel-browser from 2.70.0 to 2.71.0 in /website (#10901)
Bumps [mixpanel-browser](https://github.com/mixpanel/mixpanel-js) from 2.70.0 to 2.71.0.

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
39d5f97c77 |
build(deps): bump @next/third-parties from 15.5.3 to 15.5.6 in /website (#10900)
Bumps [@next/third-parties](https://github.com/vercel/next.js/tree/HEAD/packages/third-parties) from 15.5.3 to 15.5.6. |
||
|
|
eee0572972 |
build(deps): bump @docsearch/react from 4.1.0 to 4.2.0 in /website (#10903)
Bumps [@docsearch/react](https://github.com/algolia/docsearch/tree/HEAD/packages/docsearch-react) from 4.1.0 to 4.2.0. |
||
|
|
164f1976c7 |
fix(apple): queue path updates onto workQueue (#10896)
Path updates are received on a queue which can be (and is typically) on a different thread from the one the workQueue runs on. Since we are sharing instance properties across these two threads, we need to make sure reads and writes to all properties ideally happen on the same queue. Moving `Adapter` to an actor class could solve these issues, but that is a much larger refactor to be done in #10895 and we'd like to ship this fix in the next release to verify it fixes our issue. |
||
|
|
91962acb83 |
chore(apple): ignore benign keychain errors (#10899)
* macOS 13 and below has a known bug that prevents us from saving the token on the system keychain. To avoid Sentry noise, we ignore this specific error and continue to log other errors that aren't an exact match.
* Relatedly, if we try to start the tunnel and a token is not found, it's not necessarily an error. This happens when the user signs out and then tries to activate the VPN from system settings, for example.

Signed-off-by: Jamil <jamilbk@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> |
||
|
|
c8900c2a94 |
fix(portal): update deletion circuit breaker (#10898)
Why:

* The directory sync circuit breaker was put in place to prevent errors in IdP API responses from deleting identities and groups incorrectly and thus also deleting policies. This was especially an issue with Google Workspace sync. The circuit breaker has done a good job of catching some erroneous API responses; however, it is now preventing legitimate syncs where large numbers of groups are needing to be deleted. While a few options have been quickly talked about, no final solution has been decided on. In the meantime, this commit will update the threshold of what is considered a "mass deletion" to 75% from 25%. This should give some time to figure out what a more permanent solution will look like.

Fixes #10892 |
||
|
|
2643492534 |
fix(website): update link to pwc study (#10894)
fixes #10812

Signed-off-by: Jamil <jamilbk@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> |
||
|
|
663f23e9fb |
fix(connlib): classify WireGuard first (#10890)
WireGuard packets can have all kinds of byte-patterns at the very front of the packet. Thus, we need to first check if a payload is a WireGuard packet before attempting to classify it as anything else. This function is currently only used for logging purposes. `snownet` has its own logic for de-multiplexing and classifying packets. |
||
|
|
7e5994b3c6 |
chore: bump to upstream proptest (#10888)
The changes from our fork have been upstreamed successfully. We can therefore switch our dependency back to that. |
||
|
|
ed6e2a4e7d |
feat(connlib): introduce DoHUrl abstraction (#10881)
When connlib processes DoH queries, we need to pass the server's URL around a lot. In order to bootstrap the HTTP client, we need to extract the host part of this URL and resolve it for IP addresses using the system resolver. A regular URL doesn't necessarily have a host: It could be relative. This creates an error path within our code that _should_ never get hit for DoH URLs as those are always absolute. To avoid this error path, we follow the "parse, don't validate" approach typical among strongly typed languages. We create our own type that can only be constructed from absolute URLs. If we receive a URL from the portal that is not absolute, we already fail at the deserialization step. Using data privacy of the encapsulated url, we can then guarantee that the host-part of the URL is always there and can access it in an infallible way. Given that we are now already parsing the URL to begin with, I've also opted to directly implement an optimisation where we create a fast-path for the 4 known DoH providers that we have which allows us to pass them around and copy them without incurring extra allocations. Finally, this custom type also comes with its own Display/Debug implementation, making the log output a bit easier to read. |
||
|
|
c523add895 |
build(deps): bump zip from 5.1.1 to 6.0.0 in /rust (#10829)
Bumps [zip](https://github.com/zip-rs/zip2) from 5.1.1 to 6.0.0. |
||
|
|
95fdb7f62a |
fix(connlib): sanitize resolvers before re-resolving portal URL (#10880)
In #10817, connlib gained the ability to re-resolve the portal's hostname on WebSocket connection hiccups. The list of upstream servers used for that may contain sentinel DNS server IPs on certain systems if connlib's DNS control is currently active. Connlib filters these servers internally before computing the effective list of upstream servers.

The DNS client used by the event-loop contacts all servers in the list but waits for at most 2s before merging all received records together. If there are upstream DNS servers defined in the portal and those are also resources which we are currently not connected to, querying these servers would trigger a message to the portal, forming a circular dependency. This circular dependency is only broken by the 2s timeout. Whilst not fatal for connlib's functionality, it means that in such a situation, reconnecting to the portal always has to wait for this timeout.

To fix this, we first apply the system DNS resolvers to connlib and only pass the now returned sanitized list on to the DNS client.

Related: #10854

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: thomaseizinger <5486389+thomaseizinger@users.noreply.github.com> |
||
|
|
12f3f53d45 |
fix(portal): use []:53 for ipv6 addresses (#10883)
connlib expects the following format for IP addresses:

- ipv4:port
- ipv6
- \[ipv6]:port

When storing the clients_upstream_dns values from the form in the admin portal, we do not add brackets to IPv6 addresses, so URI.parse thinks the address contains a port and strips the trailing `:` off. We then send these invalid IPs down to connlib which causes a deserialization error. To fix, we simply ensure IPs sent to connlib adhere to one of the formats above.

Related: #10851 |
||
|
|
ba1b81ced0 |
build(deps): bump framer-motion from 12.23.22 to 12.23.24 in /website (#10837)
Bumps [framer-motion](https://github.com/motiondivision/motion) from 12.23.22 to 12.23.24. |
||
|
|
a60391725c |
build(deps): bump pnpm/action-setup from 4.1.0 to 4.2.0 in /.github/actions/setup-node (#10845)
Bumps [pnpm/action-setup](https://github.com/pnpm/action-setup) from 4.1.0 to 4.2.0. |
||
|
|
dcfc8c7300 |
build(deps): bump docker/login-action from 3.5.0 to 3.6.0 in /.github/actions/ghcr-docker-login (#10843)
Bumps [docker/login-action](https://github.com/docker/login-action) from 3.5.0 to 3.6.0. |
||
|
|
7688dd1862 |
build(deps): bump docker/login-action from 3.4.0 to 3.6.0 (#10838)
Bumps [docker/login-action](https://github.com/docker/login-action) from 3.4.0 to 3.6.0. |
||
|
|
33bd31c1eb |
chore(connlib): pass through DoH servers to DNS config (#10872)
This is a follow-up to #10851. In order to be able to use and reason about the DoH servers, we need to deserialize the list and pass the servers into connlib's `DnsConfig`. Right now, they just sit there and we don't do anything with them. Thus, this PR is safe to go into `main`, even if we were to make a release before our DoH support is fully finished. To ensure this is the case, we also update the proptests in this PR to randomly sample and apply DoH servers.

Signed-off-by: Thomas Eizinger <thomas@eizinger.io>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> |
||
|
|
b77472095d |
build(deps): bump gradle/actions from 4.4.1 to 5.0.0 in /.github/actions/setup-android (#10844)
Bumps [gradle/actions](https://github.com/gradle/actions) from 4.4.1 to 5.0.0.

Release notes

*Sourced from [gradle/actions's releases](https://github.com/gradle/actions/releases).*

## v5.0.0

## What's Changed

### Breaking Changes

- Upgrade to node 24 by [`@amyu`](https://github.com/amyu) in [gradle/actions#721](https://redirect.github.com/gradle/actions/pull/721)

Make sure your runner is updated to this version or newer to use this release. v2.327.1 [Release Notes](https://github.com/actions/runner/releases/tag/v2.327.1)

### Dependency upgrades

- Bump the github-actions group across 1 directory with 2 updates by [`@dependabot`](https://github.com/dependabot)[bot] in [gradle/actions#748](https://redirect.github.com/gradle/actions/pull/748)

**Full Changelog**: https://github.com/gradle/actions/compare/v4...v5.0.0

## v4.4.4

## What's Changed

- Bump the github-actions group across 2 directories with 3 updates by [`@dependabot`](https://github.com/dependabot)[bot] in [gradle/actions#726](https://redirect.github.com/gradle/actions/pull/726)
- Regenerating package lock by [`@cdsap`](https://github.com/cdsap) in [gradle/actions#729](https://redirect.github.com/gradle/actions/pull/729)
- Update known wrapper checksums by [`@github-actions`](https://github.com/github-actions)[bot] in [gradle/actions#730](https://redirect.github.com/gradle/actions/pull/730)
- Bump the github-actions group across 1 directory with 3 updates by [`@dependabot`](https://github.com/dependabot)[bot] in [gradle/actions#735](https://redirect.github.com/gradle/actions/pull/735)
- Bump the gradle group across 3 directories with 1 update by [`@dependabot`](https://github.com/dependabot)[bot] in [gradle/actions#734](https://redirect.github.com/gradle/actions/pull/734)
- Bump the npm-dependencies group in /sources with 4 updates by [`@dependabot`](https://github.com/dependabot)[bot] in [gradle/actions#733](https://redirect.github.com/gradle/actions/pull/733)
- Bump references to Develocity Gradle plugin from 4.1.1 to 4.2 by [`@bot-githubaction`](https://github.com/bot-githubaction) in [gradle/actions#736](https://redirect.github.com/gradle/actions/pull/736)
- Handle gracefully parse errors in checksum file by [`@jprinet`](https://github.com/jprinet) in [gradle/actions#737](https://redirect.github.com/gradle/actions/pull/737)
- Bump Gradle Wrapper from 9.0.0 to 9.1.0 in /.github/workflow-samples/kotlin-dsl by [`@bot-githubaction`](https://github.com/bot-githubaction) in [gradle/actions#742](https://redirect.github.com/gradle/actions/pull/742)
- Bump Gradle Wrapper from 9.0.0 to 9.1.0 in /.github/workflow-samples/java-toolchain by [`@bot-githubaction`](https://github.com/bot-githubaction) in [gradle/actions#741](https://redirect.github.com/gradle/actions/pull/741)
- Bump Gradle Wrapper from 9.0.0 to 9.1.0 in /.github/workflow-samples/groovy-dsl by [`@bot-githubaction`](https://github.com/bot-githubaction) in [gradle/actions#740](https://redirect.github.com/gradle/actions/pull/740)
- Bump Gradle Wrapper from 9.0.0 to 9.1.0 in /.github/workflow-samples/gradle-plugin by [`@bot-githubaction`](https://github.com/bot-githubaction) in [gradle/actions#739](https://redirect.github.com/gradle/actions/pull/739)
- Bump Gradle Wrapper from 9.0.0 to 9.1.0 in /sources/test/init-scripts by [`@bot-githubaction`](https://github.com/bot-githubaction) in [gradle/actions#738](https://redirect.github.com/gradle/actions/pull/738)
- Update known wrapper checksums by [`@github-actions`](https://github.com/github-actions)[bot] in [gradle/actions#743](https://redirect.github.com/gradle/actions/pull/743)
- Bump com.google.guava:guava from 33.4.8-jre to 33.5.0-jre in /.github/workflow-samples/kotlin-dsl in the gradle group across 1 directory by [`@dependabot`](https://github.com/dependabot)[bot] in [gradle/actions#746](https://redirect.github.com/gradle/actions/pull/746)
- Bump the npm-dependencies group in /sources with 5 updates by [`@dependabot`](https://github.com/dependabot)[bot] in [gradle/actions#745](https://redirect.github.com/gradle/actions/pull/745)

**Full Changelog**: https://github.com/gradle/actions/compare/v4...v4.4.4

## v4.4.3

## What's Changed

- Adapt tests to future new Build Scan publication message by [`@alextu`](https://github.com/alextu) in [gradle/actions#708](https://redirect.github.com/gradle/actions/pull/708)
- Add missing Gradle version input to setup-gradle by [`@jprinet`](https://github.com/jprinet) in [gradle/actions#713](https://redirect.github.com/gradle/actions/pull/713)
- Bump the github-actions group across 2 directories with 4 updates by [`@dependabot`](https://github.com/dependabot)[bot] in [gradle/actions#710](https://redirect.github.com/gradle/actions/pull/710)
- Bump references to Develocity Gradle plugin from 4.1 to 4.1.1 by [`@bot-githubaction`](https://github.com/bot-githubaction) in [gradle/actions#712](https://redirect.github.com/gradle/actions/pull/712)
- Update known wrapper checksums by [`@github-actions`](https://github.com/github-actions)[bot] in [gradle/actions#709](https://redirect.github.com/gradle/actions/pull/709)
- Bump the npm-dependencies group across 1 directory with 4 updates by [`@dependabot`](https://github.com/dependabot)[bot] in [gradle/actions#711](https://redirect.github.com/gradle/actions/pull/711)
- Do not run setup-gradle post action if workflow is cancelled by [`@jprinet`](https://github.com/jprinet) in [gradle/actions#716](https://redirect.github.com/gradle/actions/pull/716)
- Bump the github-actions group across 2 directories with 2 updates by [`@dependabot`](https://github.com/dependabot)[bot] in [gradle/actions#715](https://redirect.github.com/gradle/actions/pull/715)
- Bump the npm-dependencies group across 1 directory with 3 updates by [`@dependabot`](https://github.com/dependabot)[bot] in [gradle/actions#720](https://redirect.github.com/gradle/actions/pull/720)
- Bump github/codeql-action from 3.29.11 to 3.30.0 in the github-actions group across 1 directory by [`@dependabot`](https://github.com/dependabot)[bot] in [gradle/actions#719](https://redirect.github.com/gradle/actions/pull/719)
- Bump com.fasterxml.jackson.dataformat:jackson-dataformat-smile from 2.19.2 to 2.20.0 in /sources/test/init-scripts in the gradle group across 1 directory by [`@dependabot`](https://github.com/dependabot)[bot] in [gradle/actions#718](https://redirect.github.com/gradle/actions/pull/718)
- Update known wrapper checksums by [`@github-actions`](https://github.com/github-actions)[bot] in [gradle/actions#723](https://redirect.github.com/gradle/actions/pull/723)

... (truncated)

Commits: |
||
|
|
bdffa3a697 |
fix(apple): prevent utun increments from IPC calls (#10855)
On macOS, IPC calls to the network extension can wake it whilst not connected, causing the system to create a utun device. If startTunnel() is not subsequently called, these devices persist and accumulate over time.

The existing dryStartStopCycle() mechanism was introduced to wake the extension after upgrades, but other IPC operations (log management functions) could also wake the extension without proper cleanup.

Solution
--------

Add wrapper functions in IPCClient that automatically handle wake-up and cleanup lifecycle for IPC calls made whilst disconnected:

- Check VPN connection status
- If connected: execute IPC operation directly (utun already exists)
- If disconnected: wake extension → wait 500ms → execute IPC → cleanup

Implementation
--------------

For async IPC operations (clearLogs, getLogFolderSize):

Created free functions in IPCClient that wrap low-level IPC calls with wrapIPCCallIfNeeded():

- clearLogsWithCleanup(store:session:)
- getLogFolderSizeWithCleanup(store:session:)

For callback-based exportLogs:

We cannot use wrapper because exportLogs returns immediately and uses callbacks for streaming chunks. Wrapper would call stop() before export finishes, killing the extension mid-stream.

Solution: Manual wake-up/cleanup in LogExporter where we already have continuation that waits for chunk.done signal:

1. Check if extension needs waking (vpnStatus != .connected)
2. If yes: wake extension, wait 500ms
3. Start export with callbacks
4. When chunk.done=true: cleanup utun device, then resume continuation
5. On error: cleanup utun device, then resume with error

Fixes #10580

---------

Co-authored-by: Jamil Bou Kheir <jamilbk@users.noreply.github.com> |
||
|
|
d282b641c5 |
refactor(connlib): use anyhow::Error for recursive DNS (#10871)
With the introduction of DoH, we will need a more advanced error type for recursive DNS responses. In particular, a DoH query might fail because the underlying TCP connection got closed. With #10856, the HTTP client no longer supports retries but instead needs to be recreated. In order to accurately detect this failure case, we need `anyhow`'s downcasting abilities. This PR prepares the already existing code for that by switching from `io::Error` to `anyhow::Error`. |
||
|
|
8f6f6666a1 |
fix(portal): phx-ignore checkbox changes (#10879)
On Resources and Policies forms, we were triggering the form's validation helpers when checking and unchecking a checkbox. Unfortunately this causes the checkbox to be reset since it was not saved across the to_form(changeset) rebuilding. To prevent this, we simply ignore checkbox changes from triggering form validations. We can also remove the `field=` property on these because we are setting the `checked` property ourselves. This will be refactored to be made simpler with the new modals approach, so a minimal fix is implemented for now. Related: https://firezonehq.slack.com/archives/C098RV5BL1K/p1763024374383399 Fixes: #9143 |
||
|
|
1a5c40bd75 |
refactor(connlib): extract l4-udp-dns-client (#10854)
In order to bootstrap DoH servers, we need a way of reliably resolving the domain of the DoH server to an IP address. Initially, I thought that this would be tricky to do if we have to integrate this into the Client's state machine. Whilst implementing DoH however, I realised that we can instead put this responsibility onto the IO layer of connlib. Similar to other cases, we can reuse external triggers as our retry mechanism in case of failure. In particular, we can simply issue UDP DNS queries for the DoH domain to all system-defined DNS resolvers every time we are told to send a DNS query over DoH but the corresponding client isn't initialized yet. In other words, instead of building a retry mechanism ourselves, we attempt to repair any kind of broken state once per DNS query that we receive. Performing this DNS resolution does require a bit of code. We already started to do something similar in #10817. In order to reuse that code, we extract it into a `l4-udp-dns-client` crate and slightly refactor its semantics. In particular, we now wait for the response of all upstream servers (but at most 2s) and combine the result. The resulting `UdpDnsClient` can now be used inside the Client's event-loop to re-resolve the portal URL and will also be used as part of our DoH implementation to bootstrap the connection to the DoH server. Related: #4668 |
||
|
|
ff3ff93e1a |
fix(dns-types): use base64url encoding without padding (#10875)
According to the DoH spec, the base64url encoded query must not include any padding characters. |
||
|
|
81023dbf52 |
feat(connlib): make parallel requests with HttpClient (#10856)
Our `socket-factory`-aware HttpClient is currently only able to handle a single request at a time. That is a result of the requirement that we wanted to support connections to different domains but also be able to "self-heal" those connections by establishing a new one if the current one failed. As I am learning more about how connlib's DoH support is going to work, it became apparent that we will only ever need to connect to a single domain per instance of the `HttpClient`. In addition, it is quite important to allow for concurrent requests: We don't want to process DoH queries in sequence but instead make full use of the underlying HTTP2 protocol and send multiple requests in parallel. This PR refactors the `HttpClient` (which isn't in use anywhere yet) to only support a single connection per instance. That connection is established when the instance is created. This is also conceptually easier to understand as we only manage a single connection without mutable state. Related: #4668 |
||
|
|
53113c645f |
fix(connlib): don't panic in fallible function (#10874)
Panicking - even though it is unlikely to happen here - is unnecessary because we can simply return an error instead. |
||
|
|
103aa16b2f | fix: use our own docker install action (#10877) | ||
|
|
cd650de1f8 |
refactor: prepare client init for upstream DoH servers (#10851)
In order to support multiple different protocols of upstream DNS resolvers, we deprecate the `upstream_dns` field in the client's `init` message and introduce two new fields:

- `upstream_do53`
- `upstream_doh`

For now, only `upstream_do53` is populated and `upstream_doh` is always empty.

On the client-side, we for now only introduce the `upstream_do53` field but fall-back to `upstream_dns` if that one is empty. This makes this PR backwards-compatible with the portal version that is currently deployed in production. Thus, this PR can be merged even prior to deploying the portal.

Internally, we prepare connlib's abstractions to deal with different kinds of upstreams by renaming all existing "upstream DNS" references to `upstream_do53`: DNS over port 53. That includes UDP as well as TCP DNS resolution.

Resolves: #10791

---------

Co-authored-by: Jamil Bou Kheir <jamilbk@users.noreply.github.com> |
||
|
|
4bd768aed5 |
build(deps): bump @types/node from 24.5.2 to 24.7.2 in /rust/gui-client (#10834)
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 24.5.2 to 24.7.2.

Commits

- See full diff in [compare view](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
8af8978ad5 |
chore(connlib): include "packet kind" in decapsulation errors (#10867)
When looking at error logs from Gateways or Clients, it can be useful to know what kind of packet we failed to process. |
||
|
|
ee38ccc120 |
chore(connlib): log index of failed connections (#10866)
Logging the peer index of a failed connection makes it easier to correlate it with logs when we receive packets for an unknown connection. |
||
|
|
32e1c088e7 |
chore(gateway): include domain in "not allowed" log (#10863)
The resource could be a wildcard DNS resource. It is useful to know which particular domain the client tried to access. |
||
|
|
94985a7b77 |
fix(scripts): replace all occurrences of version marker (#10865)
Related: #10860 |
||
|
|
64da55707f |
build(deps): bump @types/node from 24.5.2 to 24.7.2 in /website (#10835)
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 24.5.2 to 24.7.2.

Commits

- See full diff in [compare view](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
4a64ff889b |
fix(website): redirect to correct release (#10864)
Quick-fix to ensure Gateway upgrades work. Fix for the script will come later. Resolves: #10860 |
||
|
|
5f61eaf8f2 |
feat(connlib): encode and decode DoH messages (#10857)
In order to support DoH, we need to be able to encode and decode DNS queries and responses from and to HTTP requests and responses. We therefore extend your `dns-types` crate with the required functionality. The [RFC8484](https://datatracker.ietf.org/doc/html/rfc8484) provides us with two test vectors that we can test against.

Related: #4668

---------

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: thomaseizinger <5486389+thomaseizinger@users.noreply.github.com> |
||
|
|
cf14a8694c |
fix(connlib): use system DNS resolvers to re-resolve portal URL (#10853)
In #10817, we landed a fix that allows Clients to re-resolve the portal URL every time the WebSocket connection fails. Currently, we use the active upstream resolvers for this. This can lead to a kind of deadlock in case the upstream resolver is a CIDR resource that we are not yet connected to. In that case, we'd need a connection to the portal to establish a connection to the Gateway. By always using the system resolvers for this, we avoid this circular dependency. |
||
|
|
3e849ae852 |
fix(gui-client): use Wayland rendering backend on Linux (#10849)
Previously, we opted into the X11 GTK backend when rendering the GUI Client's window. This is causing issues on newer Linux distributions such as Fedora 43 where Wayland is now the only available compositor.

Removing the X11 GTK requires us to draw our own CSDs such as titlebars and a close button. This PR does exactly that by adding a minimalistic title bar. To make better use of the space, we move the section headers into there.

|Before|After|
|---|---|
|![Screenshot From 2025-11-11 11-14-11](https://github.com/user-attachments/assets/9439a69b-65ba-41d6-b1f8-4448e0f80728)|![Screenshot From 2025-11-11 11-40-55](https://github.com/user-attachments/assets/7884b2cc-3d9c-4b47-9a1e-c6462aef36ab)|
|![Screenshot From 2025-11-11 11-14-16](https://github.com/user-attachments/assets/2cfea825-5c08-45a5-873c-5afcbc1dbf16)|![Screenshot From 2025-11-11 11-40-58](https://github.com/user-attachments/assets/43ddd7c9-ce65-42f7-b972-28c6b172b70d)|
|![Screenshot From 2025-11-11 11-14-19](https://github.com/user-attachments/assets/446873a7-9023-4266-9377-ea7b8b4353ee)|![Screenshot From 2025-11-11 11-41-01](https://github.com/user-attachments/assets/64439383-f33f-461d-9b4a-6b4138bd675b)|
|![Screenshot From 2025-11-11 11-14-22](https://github.com/user-attachments/assets/6c39e06c-1d77-471f-91f1-32a78b90a21c)|![Screenshot From 2025-11-11 11-41-04](https://github.com/user-attachments/assets/b56912cb-9c85-4b5a-9295-dae6139b25c6)|
|![Screenshot From 2025-11-11 11-14-26](https://github.com/user-attachments/assets/5a5d638c-15bf-4523-8466-2e0977a03e22)|![Screenshot From 2025-11-11 11-41-06](https://github.com/user-attachments/assets/ed169b52-ef86-4dc4-8f25-852da622eaa1)| |
||
|
|
0008539b65 |
refactor(connlib): use dedicated UDP DNS client (#10850)
By default, DNS queries are sent over UDP by most systems. UDP is an easy to understand protocol because each packet stands by itself and at least as far as UDP is concerned, the payload is contained within a single packet.

In Firezone, we receive all DNS traffic on the TUN device as IP packets. Processing the UDP packets is trivial as each query is contained within a single IP packet. For TCP, we first need to assemble the TCP stream before we can read the entire query.

In case a DNS query is not for a Firezone DNS resource, we want to forward it to the specified upstream resolver, either directly from the system or - in case the specified upstream resolver is an IP resource - through the tunnel as an IP packet. Specifically, the forwarding of UDP DNS packets through the tunnel currently happens like this:

IP packet -> read UDP payload -> parse DNS query -> mangle original destination IP to new upstream -> send through tunnel

For TCP DNS queries, it is not quite as easy as we have to decode the incoming TCP stream first before we can parse the DNS query. Thus, when we want to then forward the query, we need to open our own TCP stream to the upstream resolver and encode the DNS query onto that stream, sending each IP packet from the TCP client through the tunnel.

The difference in these designs makes several code paths in connlib hard to follow. Therefore - and despite the simplicity of DNS over UDP - we already created our own "Layer 3 UDP DNS"-client. This PR now integrates this client into the tunnel.

Using this new client, we can simplify the processing of UDP DNS queries because we never have to "go back" to the original IP packet. Instead, when a DNS query needs to be forwarded to an upstream resolver through the tunnel, we simply tell the Layer 3 UDP DNS client to make a new DNS query. The processing of the resulting IP packet then happens in a different place, right next to where we also process the IP packets of the TCP DNS client.

That simplification unlocks further refactorings where we now only process DNS queries in a single place and the transport we received it over is a simple function parameter with the control flow for both of them being identical.

Related: #4668 |
||
|
|
de7d3bff89 |
fix(connlib): re-resolve portal host on WS hiccup (#10817)
Currently, the DNS records for the portal's hostname are only resolved during startup. When the WebSocket connection fails, we try to reconnect but only with the IPs that we have previously resolved. If the local IP stack changed since then or the hostname now points to different IPs, we will run into the reconnect-timeout configured in `phoenix-channel`. To fix this, we re-resolve the portal's hostname every time the WebSocket connection fails. For the Gateway, this is easy as we can simply reuse the already existing `TokioResolver` provided by hickory. For the Client, we need to write our own DNS client on top of our socket factory abstraction to ensure we don't create a routing loop with the resulting DNS queries. To simplify things, we only send DNS queries over UDP. Those are not guaranteed to succeed but given that we do this on every "hiccup", we already have a retry mechanism. We use the currently configured upstream DNS servers for this. Resolves: #10238 |
||
|
|
189c358975 |
feat(portal): add Debian/Ubuntu deployment tab (#10741)
Now that we have an APT repository for Debian / Ubuntu packages, we should also tell our users about it. We introduce a new "Debian / Ubuntu" tab on the deployments screen in the portal. The tab is selected by default as it should provide the best user experience for manually deployed Gateways:

- Updates are as easy as `sudo apt upgrade`
- The systemd file and token are fully managed in the background

Here is what the new tab looks like:

![image](https://github.com/user-attachments/assets/da69fc55-6a6a-476d-bed4-634dd05df8bc)

Resolves: #10701

---------

Signed-off-by: Thomas Eizinger <thomas@eizinger.io>
Co-authored-by: Jamil <jamilbk@users.noreply.github.com> |
||
|
|
a982f0bafb |
build(deps-dev): bump typescript from 5.9.2 to 5.9.3 in /website (#10840)
Bumps [typescript](https://github.com/microsoft/TypeScript) from 5.9.2 to 5.9.3.

Release notes

*Sourced from [typescript's releases](https://github.com/microsoft/TypeScript/releases).*

## TypeScript 5.9.3

Note: this tag was recreated to point at the correct commit. The npm package contained the correct content.

For release notes, check out the [release announcement](https://devblogs.microsoft.com/typescript/announcing-typescript-5-9/)

- [fixed issues query for Typescript 5.9.0 (Beta)](https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=milestone%3A%22TypeScript+5.9.0%22+is%3Aclosed+).
- [fixed issues query for Typescript 5.9.1 (RC)](https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=milestone%3A%22TypeScript+5.9.1%22+is%3Aclosed+).
- *No specific changes for TypeScript 5.9.2 (Stable)*
- [fixed issues query for Typescript 5.9.3 (Stable)](https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=milestone%3A%22TypeScript+5.9.3%22+is%3Aclosed+).

Downloads are available on:

- [npm](https://www.npmjs.com/package/typescript)

Commits: |
||
|
|
c6aa971947 |
build(deps): bump fast-xml-parser from 5.2.5 to 5.3.0 in /website (#10841)
Bumps [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) from 5.2.5 to 5.3.0.

Changelog

*Sourced from [fast-xml-parser's changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md).*

Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.

**5.3.1 / 2025-11-03**

- Performance improvement for stopNodes (By [Maciek Lamberski](https://github.com/macieklamberski))

**5.3.0 / 2025-10-03**

- Use `Uint8Array` in place of `Buffer` in Parser

**5.2.5 / 2025-06-08**

- Inform user to use [fxp-cli](https://github.com/NaturalIntelligence/fxp-cli) instead of in-built CLI feature
- Export typings for direct use

**5.2.4 / 2025-06-06**

- fix ([#747](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/issues/747)): fix EMPTY and ANY with ELEMENT in DOCTYPE

**5.2.3 / 2025-05-11**

- fix ([#747](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/issues/747)): support EMPTY and ANY with ELEMENT in DOCTYPE

**5.2.2 / 2025-05-05**

- fix ([#746](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/issues/746)): update strnum to fix parsing issues related to enotations

**5.2.1 / 2025-04-22**

- fix: read DOCTYPE entity value correctly
- read DOCTYPE NOTATION, ELEMENT exp but not using read values

**5.2.0 / 2025-04-03**

- feat: support metadata on nodes ([#593](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/issues/593)) (By [Steven R. Loomis](https://github.com/srl295))

**5.1.0 / 2025-04-02**

- feat: declare package as side-effect free ([#738](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/issues/738)) (By [Thomas Bouffard](https://github.com/tbouffard))
- fix cjs build mode
- fix builder return type to string

**5.0.9 / 2025-03-14**

- fix: support numeric entities with values over 0xFFFF ([#726](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/issues/726)) (By [Marc Durdin](https://github.com/mcdurdin))
- fix: update strnum to fix parsing 0 if skiplike option is used

**5.0.8 / 2025-02-27**

- fix parsing 0 if skiplike option is used.
  - updating strnum dependency

**5.0.7 / 2025-02-25**

- fix ([#724](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/issues/724)) typings for cjs.

**5.0.6 / 2025-02-20**

- fix cli output (By [Angel Delgado](https://github.com/angeld7))
  - remove multiple JSON parsing

... (truncated)

Commits: |
||
|
|
a9058c7f55 |
build(deps): bump known-folders from 1.3.1 to 1.4.0 in /rust (#10831)
Bumps [known-folders](https://github.com/artichoke/known-folders-rs) from 1.3.1 to 1.4.0.

Release notes

*Sourced from [known-folders's releases](https://github.com/artichoke/known-folders-rs/releases).*

## v1.4.0

## What's Changed

- Bump thor from 1.3.2 to 1.4.0 by [`@dependabot`](https://github.com/dependabot)[bot] in [artichoke/known-folders-rs#85](https://redirect.github.com/artichoke/known-folders-rs/pull/85)
- Bump rubocop from 1.77.0 to 1.79.1 in the bundler-deps group by [`@dependabot`](https://github.com/dependabot)[bot] in [artichoke/known-folders-rs#86](https://redirect.github.com/artichoke/known-folders-rs/pull/86)
- Bump the gha-deps group with 3 updates by [`@dependabot`](https://github.com/dependabot)[bot] in [artichoke/known-folders-rs#87](https://redirect.github.com/artichoke/known-folders-rs/pull/87)
- Use zizmor audit action by [`@lopopolo`](https://github.com/lopopolo) in [artichoke/known-folders-rs#88](https://redirect.github.com/artichoke/known-folders-rs/pull/88)
- Bump rubocop from 1.79.1 to 1.81.1 in the bundler-deps group by [`@dependabot`](https://github.com/dependabot)[bot] in [artichoke/known-folders-rs#89](https://redirect.github.com/artichoke/known-folders-rs/pull/89)
- Bump the gha-deps group with 5 updates by [`@dependabot`](https://github.com/dependabot)[bot] in [artichoke/known-folders-rs#91](https://redirect.github.com/artichoke/known-folders-rs/pull/91)
- Relax windows-sys version requirement, prepare for v1.4.0 release by [`@lopopolo`](https://github.com/lopopolo) in [artichoke/known-folders-rs#92](https://redirect.github.com/artichoke/known-folders-rs/pull/92)

**Full Changelog**: https://github.com/artichoke/known-folders-rs/compare/v1.3.1...v1.4.0

Commits: |
||
|
|
e9fcb20564 |
build(deps): bump nu-ansi-term from 0.50.1 to 0.50.3 in /rust (#10830)
Bumps [nu-ansi-term](https://github.com/nushell/nu-ansi-term) from 0.50.1 to 0.50.3. See full diff in [compare view](https://github.com/nushell/nu-ansi-term/commits). Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
6e85638360 |
chore(connlib): silence hickory_resolver (#10848)
Logs from the `hickory_resolver` module are a bit noisy, so filter those out from our logs. |
||
|
|
49b7701536 |
ci: promote preview .deb to stable on release (#10846)
The current CI job expects the release to have the `.deb` files attached. Since writing that workflow, I've changed my mind on attaching the `.deb` files there. Instead, they are only uploaded to the repository. Without documentation on how to use them, these `.deb` files are unlikely to provide a good user experience. We change the job to instead promote the latest "preview" archives to the stable repo. |
||
|
|
bd2abbaae3 |
feat(apple): config to hide resource list (#10824)
Adds a configuration variable `hideResourceList` accessible by provisioning profile only to hide or show the Resource list. This is helpful when end-users need not be concerned with the resources available to their account. Also updates the associated ProfileManifests, docs, and a little bit of housekeeping around `configuration`, making it public for direct access. Related: https://github.com/ProfileManifests/ProfileManifests/pull/839 Fixes: #10808 --------- Signed-off-by: Jamil <jamilbk@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> |