mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-01-27 10:18:54 +00:00
70a930e45dc5abf1955bed28c9eff60f6d8fa315
7976 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Thomas Eizinger
|
70a930e45d |
chore(relay): use existing ebpf module import (#10202)
|
||
|
Jamil
|
b07fa341cf |
feat(relay): XDP driver (native) mode for gVNIC (#10177)
This updates our eBPF module to use DRV_MODE for less CPU overhead and better performance for all same-stack TURN relaying. Notably, gVNIC does not seem to support the `bpf_xdp_adjust_head` helper, so unfortunately we need to extend / shrink the packet tail and move the payload instead. Comprehensive benchmarks have not been performed, but early results show that we can saturate about 1 Gbps per E2 core on GCP: ``` [SUM] 0.00-30.04 sec 3.16 GBytes 904 Mbits/sec 12088 sender [SUM] 0.00-30.00 sec 3.12 GBytes 894 Mbits/sec receiver ``` This is with 64 TCP streams. More streams will better utilize all available RX queues, and lead to better performance. Related: #10138 Fixes: #8633 |
||
|
Jamil
|
b7045338df |
fix(ci): compute sha256sum of binaries earlier (#10199)
Fixes an issue where the sha256sum.txt of the relay was not available. Related: #10198 |
||
|
Jamil
|
b3ea251082 |
fix(ci): use correct relay binary location (#10198)
Fixes an issue introduced in #10196. Related: #10196 |
||
|
Jamil
|
1c2d70ac0d |
chore(infra): push relay binary to gcp (#10196)
The COS images we currently use to run our Relays ship with an older Linux kernel that doesn't have some of the nice verifier improvements for our eBPF relay. To fix this, we need to use Ubuntu 24.04. To keep things simple there, we would like to avoid installing Docker on that image and instead run the Relay raw. To support that, we first need to push the built relay binary to our staging cloud storage bucket. Related: #10177 Related: https://github.com/firezone/infra/pull/116 --------- Signed-off-by: Jamil <jamilbk@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> |
||
|
Jamil
|
46ffe8fe45 |
docs(relay): add note on channel map safety (#10194)
A fair bit of time was spent validating these map accesses are thread-safe, so just documenting that for the next reader to find. Related: https://github.com/firezone/firezone/issues/10138#issuecomment-3186074350 |
||
|
Jamil
|
3e3f555c1e |
fix(relay): swap MACs for relayed traffic (#10193)
In nearly all environments, we can safely assume that we will always use the same network gateway for forwarding relayed packets as the one we received them from. By leveraging this assumption, we can simply swap the SRC and DST MAC addresses, removing the need to keep a HaspMap for these, which eliminates the need to worry about thread-safety for this particular functionality. Related: #10138 |
||
|
Jamil
|
92137ee76b |
fix(relay): don't inline hotpath loop calls (#10185)
When inlining large(ish) functions that are on the hot-path, it creates a much longer program for the eBPF verifier to validate since the verifier is working through all packet sizes and types. We're hitting an issue on GCP (in the 8-core dev VM, XDP-generic) where verification fails on `main` due to the inlining of some hot-path functions. This PR is the smallest possible change that gets the program to load, highlighting the issue. In practice, I'm not there is a detectable performance difference between having these inlined vs not (especially in DRV_MODE) so I'm not sure it's worth the potential debugging headaches later on. |
||
|
dependabot[bot]
|
c5deb7a839 |
build(deps): bump @eslint/plugin-kit from 0.3.3 to 0.3.4 in /rust/gui-client in the npm_and_yarn group (#10044)
Bumps the npm_and_yarn group in /rust/gui-client with 1 update: [@eslint/plugin-kit](https://github.com/eslint/rewrite/tree/HEAD/packages/plugin-kit). Updates `@eslint/plugin-kit` from 0.3.3 to 0.3.4 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/eslint/rewrite/releases"><code>@eslint/plugin-kit</code>'s releases</a>.</em></p> <blockquote> <h2>plugin-kit: v0.3.4</h2> <h2><a href="https://github.com/eslint/rewrite/compare/plugin-kit-v0.3.3...plugin-kit-v0.3.4">0.3.4</a> (2025-07-21)</h2> <h3>Bug Fixes</h3> <ul> <li>potential quadratic runtime in regular expression (<a href="https://redirect.github.com/eslint/rewrite/issues/240">#240</a>) (<a href=" |
||
|
Jamil
|
3c55ddcd1e |
fix(ci): move rust cache to Azure; docker on main (#10169)
We are _very much_ over our GHA cache limit of 10 GB so in an effort to keep evictions to a minimum, we update the Rust SCCACHE to only write on `main` and the Docker elixir and data plane image build steps to do the same. Fixes #10145 |
||
|
Jamil
|
6f0e7f3caa |
chore(ci): enable data plane arm64 debug images (#10165)
On developers with Apple Silicon machines, this allows for testing native binaries without having to build data plane images. |
||
|
Firezone Bot
|
95ee111e62 | chore: publish apple-client 1.5.7 (#10159) | ||
|
Jamil
|
e5b2af1d4e |
chore(portal): add ChangeLogs.truncate/2 and tests (#10155)
In preparation to delete old change_logs based on account and insertion time, we introduce a simple `truncate` function that removes old change logs past a cutoff date. Related: https://github.com/firezone/firezone/issues/10146 --------- Signed-off-by: Jamil <jamilbk@users.noreply.github.com> |
||
|
Jamil
|
25e15bbd14 |
chore(portal): drop id in favor of lsn pkey (#10152)
On the `change_logs` table, we want to minimize write overhead as much as possible. One major way to do this is the minimize the number of indexes maintained. Because `lsn` is guaranteed to be unique, we can use it as the primary, saving us an index (and column). **NOTE**: This migration will need to acquire a lock on the table, so it's added as a manual migration to execute out of band. Since we don't read ChangeLogs anywhere, it should be fine for the app servers to come up without this migration applied. |
||
|
Jamil
|
2c788a31aa |
test(portal): Flows.delete_expired_flows/0 (#10150)
Adds a missing test for the `Flows.delete_expired_flows/0` function. |
||
|
Thomas Eizinger
|
456fde5b60 |
ci: increase bitrate of direct connection UDP perf tests (#10154)
We can easily handle 1GBit/s for the direct connections. |
||
|
Thomas Eizinger
|
507a8957c2 |
chore(connlib): only debug-assert non-retransmitted DNS queries (#10136)
When we receive the same TCP DNS query twice, we currently wrongly hit a debug assert. |
||
|
Thomas Eizinger
|
2dde3b8573 |
fix(relay): read from most-recently-ready socket first (#10148)
The relay uses `mio` to react to readiness events from multiple sockets at once. Including the control port 3478, the relay needs to also send and receive traffic from up to 16384 sockets (one for each possible allocation). We need to process readiness events from these sockets as fairly as possible. Under high-load, it may otherwise happen that we don't read packets from an allocation socket, resulting in ICE timeouts of the connection being relayed. To achieve this fairness, we collect all readiness tokens into a set and store it with the number of packets we have read so far from this socket. Then, we always read from the socket next that we have so far read the least amount of packets from. |
||
|
Thomas Eizinger
|
b5e3ee8065 |
ci: reduce UDP perf test bitrate (#10153)
Forcing 500MBit/s through a relayed connection in CI makes the user-space relay fall-over and drop control messages, leading to ICE timeouts of the connection. |
||
|
Thomas Eizinger
|
f27683760a | fix(relay): check for ANSI support on stdout (#10149) | ||
|
Thomas Eizinger
|
2841fd0017 |
chore(connlib): spawn dedicated tasks for UDP send/recv (#10147)
At the moment, `connlib`'s UDP thread spawns a single task for reading and writing to the UDP socket. It will always first try to write data before reading new data. To avoid scheduling issues, we split this into two dedicated tasks and insert ```rust tokio::task::yield_now().await; ``` into each loop. This allows the `tokio` runtime to schedule each of the tasks fairly even if one of them is very busy. For example, if we are very busy writing data (because we are receiving a lot of IP traffic), this ensures that we will occasionally also read from our socket to receive STUN control messages from our peers. |
||
|
Jamil
|
708a4b000e |
fix(ci): enable GHA backend for sccache (#10144)
We need to actually enable the GHA backend for sccache. Related: #10142 |
||
|
Jamil
|
b96ee526c1 |
fix(apple/ios): don't require hard link to __res_9_state (#10143)
In Xcode 16, how the compiler determines the size of C structs changed. In Xcode 15 and below, when the compiler saw `__res_9_state()`, it thought, "This is a C struct. I know its size and layout from the system's header files. I will generate code to allocate that much memory and zero it out." This was a type-based operation; it only needed the "blueprint" for the struct. In Xcode 16 and later, the compiler sees `__res_9_state()` and thinks, "This is a C struct. To initialize it, I need to link to the actual symbol named `___res_9_state` inside the libresolv library." This became a symbol-based operation, creating a direct dependency that didn't exist before. To fix this, we initialize a raw pointer with a manual type specification to the zeroed-out struct, which reverts to the prior behavior. Has been tested on iPhone 12, iOS 17. Fixes #10108 |
||
|
Jamil
|
15d281d91c |
chore(ci): set up sccache (again) (#10142)
This was removed in
|
||
|
Brian Manifold
|
80e1c3255f |
refactor(portal): refactor billing event handler (#10064)
Why: * There were intermittent issues with accounts updates from Stripe events. Specifically, when an account would update it's subscription from Starter to Team. The reason was due to the fact that Stripe does not guarantee order of delivery for it's webhook events. At times we were seeing and responding to an event that was a few seconds old after processing a newer event. This would have the effect of quickly transitioning an account from Team back to Starter. This commit refactors our event handler and adds a `processed_stripe_events` DB table to make sure we don't process duplicate events as well as prevent processing an event that was created prior to the last event we've processed for a given account. * Along with refactoring the billing event handling, the Stripe mock module has also been refactored to better reflect real Stripe objects. Related: #8668 |
||
|
Firezone Bot
|
ea960cce74 | chore: publish android-client 1.5.3 (#10141) | ||
|
Jamil
|
6ad10c8f39 |
fix(ci): use etc-resolv-conf as default in headless image (#10126)
The headless client image we ship doesn't have systemd-resolved. By
default, if you try to run it without setting the `FIREZONE_DNS_CONTROL`
var, it will exit with an unhelpful error message that is difficult to
diagnose / debug for anyone unfamiliar to the inner workings of the
headless client:
```
Error: I/O error: No such file or directory (os error 2)
Caused by:
No such file or directory (os error 2)
Stack backtrace:
0: anyhow::error::<impl core::convert::From<E> for anyhow::Error>::from
1: firezone_bin_shared::network_changes::imp::Worker::new_dbus::{{closure}}
2: firezone_headless_client::main::{{closure}}
3: tokio::runtime::runtime::Runtime::block_on
4: firezone_headless_client::main
5: std::sys::backtrace::__rust_begin_short_backtrace
6: std::rt::lang_start::{{closure}}
7: main
```
To fix this, we set `FIREZONE_DNS_CONTROL=etc-resolv-conf` for the user
inside our headless-client image.
---------
Co-authored-by: Thomas Eizinger <thomas@eizinger.io>
|
||
|
Jamil
|
a05067d410 |
chore(ci): Add 50ms simulated API latency (#10132)
In the real world, it's entirely possible that the latency between clients, gateways, and relays is much lower than the latency to the API nodes. This added latency will test that we can handle such cases reliably. --------- Co-authored-by: Thomas Eizinger <thomas@eizinger.io> |
||
|
Jamil
|
cacb44f7bb |
test(portal): fix flaky acceptance auth test (#10140)
Occasionally, this fails because the element is found, but not visible due to a race condition. To fix this, we assert that the element should be visible before clicking on it. Fixes https://github.com/firezone/firezone/actions/runs/16751908154/job/47424125321 |
||
|
Thomas Eizinger
|
3e46727362 |
chore(snownet): improve logging of boringtun session index (#10135)
Previously, boringtun's sender/receiver index of a session would just be rendered as a full u32. In reality, this u32 contains two pieces of information: The higher 24 bits identify the peer and the lower 8 bits identify the session with that peer. With the update to boringtun in https://github.com/firezone/boringtun/pull/112, we encode this logic in a dedicated type that has prints this information separately. Here is what the logs now look like: ``` 2025-08-05T07:38:37.742Z DEBUG boringtun::noise: Received handshake_response local_idx=(3428714|1) remote_idx=(1937676|1) 2025-08-05T07:38:37.743Z DEBUG boringtun::noise: New session idx=(3428714|1) 2025-08-05T07:38:37.743Z DEBUG boringtun::noise: Sending keepalive local_idx=(3428714|1) ``` |
||
|
dependabot[bot]
|
036cae84f3 |
build(deps): bump tokio from 1.46.1 to 1.47.1 in /rust (#10119)
Bumps [tokio](https://github.com/tokio-rs/tokio) from 1.46.1 to 1.47.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/tokio-rs/tokio/releases">tokio's releases</a>.</em></p> <blockquote> <h2>Tokio v1.47.1</h2> <h1>1.47.1 (August 1st, 2025)</h1> <h3>Fixed</h3> <ul> <li>process: fix panic from spurious pidfd wakeup (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7494">#7494</a>)</li> <li>sync: fix broken link of Python <code>asyncio.Event</code> in <code>SetOnce</code> docs (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7485">#7485</a>)</li> </ul> <p><a href="https://redirect.github.com/tokio-rs/tokio/issues/7485">#7485</a>: <a href="https://redirect.github.com/tokio-rs/tokio/pull/7485">tokio-rs/tokio#7485</a> <a href="https://redirect.github.com/tokio-rs/tokio/issues/7494">#7494</a>: <a href="https://redirect.github.com/tokio-rs/tokio/pull/7494">tokio-rs/tokio#7494</a></p> <h2>Tokio v1.47.0</h2> <h1>1.47.0 (July 25th, 2025)</h1> <p>This release adds <code>poll_proceed</code> and <code>cooperative</code> to the <code>coop</code> module for cooperative scheduling, adds <code>SetOnce</code> to the <code>sync</code> module which provides similar functionality to [<code>std::sync::OnceLock</code>], and adds a new method <code>sync::Notify::notified_owned()</code> which returns an <code>OwnedNotified</code> without a lifetime parameter.</p> <h2>Added</h2> <ul> <li>coop: add <code>cooperative</code> and <code>poll_proceed</code> (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7405">#7405</a>)</li> <li>sync: add <code>SetOnce</code> (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7418">#7418</a>)</li> <li>sync: add <code>sync::Notify::notified_owned()</code> (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7465">#7465</a>)</li> </ul> <h2>Changed</h2> <ul> <li>deps: upgrade windows-sys 0.52 → 0.59 (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7117">#7117</a>)</li> <li>deps: update to socket2 v0.6 (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7443">#7443</a>)</li> <li>sync: improve <code>AtomicWaker::wake</code> performance (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7450">#7450</a>)</li> </ul> <h2>Documented</h2> <ul> <li>metrics: fix listed feature requirements for some metrics (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7449">#7449</a>)</li> <li>runtime: improve safety comments of <code>Readiness<'_></code> (<a href="https://redirect.github.com/tokio-rs/tokio/issues/7415">#7415</a>)</li> </ul> <p><a href="https://redirect.github.com/tokio-rs/tokio/issues/7405">#7405</a>: <a href="https://redirect.github.com/tokio-rs/tokio/pull/7405">tokio-rs/tokio#7405</a> <a href="https://redirect.github.com/tokio-rs/tokio/issues/7415">#7415</a>: <a href="https://redirect.github.com/tokio-rs/tokio/pull/7415">tokio-rs/tokio#7415</a> <a href="https://redirect.github.com/tokio-rs/tokio/issues/7418">#7418</a>: <a href="https://redirect.github.com/tokio-rs/tokio/pull/7418">tokio-rs/tokio#7418</a> <a href="https://redirect.github.com/tokio-rs/tokio/issues/7449">#7449</a>: <a href="https://redirect.github.com/tokio-rs/tokio/pull/7449">tokio-rs/tokio#7449</a> <a href="https://redirect.github.com/tokio-rs/tokio/issues/7450">#7450</a>: <a href="https://redirect.github.com/tokio-rs/tokio/pull/7450">tokio-rs/tokio#7450</a> <a href="https://redirect.github.com/tokio-rs/tokio/issues/7465">#7465</a>: <a href="https://redirect.github.com/tokio-rs/tokio/pull/7465">tokio-rs/tokio#7465</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
8f35f3a0dc |
build(deps): bump serde_json from 1.0.141 to 1.0.142 in /rust (#10121)
Bumps [serde_json](https://github.com/serde-rs/json) from 1.0.141 to 1.0.142. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/serde-rs/json/releases">serde_json's releases</a>.</em></p> <blockquote> <h2>v1.0.142</h2> <ul> <li>impl Default for &Value (<a href="https://redirect.github.com/serde-rs/json/issues/1265">#1265</a>, thanks <a href="https://github.com/aatifsyed"><code>@aatifsyed</code></a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
50f2cc3e2c |
build(deps): bump uniffi from 0.29.3 to 0.29.4 in /rust (#10113)
Bumps [uniffi](https://github.com/mozilla/uniffi-rs) from 0.29.3 to 0.29.4. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/mozilla/uniffi-rs/blob/main/CHANGELOG.md">uniffi's changelog</a>.</em></p> <blockquote> <h2>v0.29.4 (backend crates: v0.29.4) - (<em>2025-07-24</em>)</h2> <ul> <li>Fixed a bug where objects with alignment >= 32 could be freed to early (<a href="https://redirect.github.com/mozilla/uniffi-rs/issues/2600">mozilla/uniffi-rs#2600</a>)</li> </ul> <p><a href="https://github.com/mozilla/uniffi-rs/compare/v0.29.3...v0.29.4">All changes in v0.29.4</a>.</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
f4e69a2743 |
build(deps): bump rangemap from 1.5.1 to 1.6.0 in /rust (#10116)
Bumps [rangemap](https://github.com/jeffparsons/rangemap) from 1.5.1 to 1.6.0. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/jeffparsons/rangemap/blob/main/CHANGELOG.md">rangemap's changelog</a>.</em></p> <blockquote> <h3>v1.6.0 (2025-07-26)</h3> <ul> <li><strong>Features</strong>: <ul> <li>Add quickcheck support, gated behind the <code>quickcheck</code> feature.</li> <li>Improve performance of <code>RangeMap::gaps</code> by efficiently seeking to the start of the query range.</li> </ul> </li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/jeffparsons/rangemap/commits">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
dependabot[bot]
|
4f29d13b14 |
build(deps): bump clap from 4.5.41 to 4.5.42 in /rust (#10122)
Bumps [clap](https://github.com/clap-rs/clap) from 4.5.41 to 4.5.42. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/clap-rs/clap/releases">clap's releases</a>.</em></p> <blockquote> <h2>v4.5.42</h2> <h2>[4.5.42] - 2025-07-30</h2> <h3>Fixes</h3> <ul> <li>Include subcommand visible long aliases in <code>--help</code></li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/clap-rs/clap/blob/master/CHANGELOG.md">clap's changelog</a>.</em></p> <blockquote> <h2>[4.5.42] - 2025-07-30</h2> <h3>Fixes</h3> <ul> <li>Include subcommand visible long aliases in <code>--help</code></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
d30b5e66ae |
build(deps): bump rustls from 0.23.29 to 0.23.31 in /rust (#10120)
Bumps [rustls](https://github.com/rustls/rustls) from 0.23.29 to 0.23.31. <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
b5566f19f2 |
build(deps): bump the tauri group in /rust with 4 updates (#10118)
Bumps the tauri group in /rust with 4 updates: [tauri-build](https://github.com/tauri-apps/tauri), [tauri-plugin-dialog](https://github.com/tauri-apps/plugins-workspace), [tauri-runtime](https://github.com/tauri-apps/tauri) and [tauri-utils](https://github.com/tauri-apps/tauri). Updates `tauri-build` from 2.3.0 to 2.3.1 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/tauri-apps/tauri/releases">tauri-build's releases</a>.</em></p> <blockquote> <h2>tauri-build v2.3.1</h2> <!-- raw HTML omitted --> <pre><code>Updating git repository `https://github.com/tauri-apps/schemars.git` Updating crates.io index warning: Patch `schemars_derive v0.8.21 (https://github.com/tauri-apps/schemars.git?branch=feat%2Fpreserve-description-newlines#c30f9848)` was not used in the crate graph. Check that the patched package version and available features are compatible with the dependency requirements. If the patch has a different version from what is locked in the Cargo.lock file, run `cargo update` to use the new version. This may also occur with an optional dependency that is not enabled. Locking 1034 packages to latest compatible versions Adding apple-codesign v0.27.0 (available: v0.29.0) Adding cargo_metadata v0.19.2 (available: v0.21.0) Adding colored v2.2.0 (available: v3.0.0) Adding ctor v0.2.9 (available: v0.4.2) Adding elf v0.7.4 (available: v0.8.0) Adding goblin v0.9.3 (available: v0.10.0) Adding html5ever v0.29.1 (available: v0.35.0) Adding itertools v0.13.0 (available: v0.14.0) Adding json-patch v3.0.1 (available: v4.0.0) Adding jsonrpsee v0.24.9 (available: v0.25.1) Adding jsonrpsee-client-transport v0.24.9 (available: v0.25.1) Adding jsonrpsee-core v0.24.9 (available: v0.25.1) Adding jsonrpsee-ws-client v0.24.9 (available: v0.25.1) Adding matchit v0.8.4 (available: v0.8.6) Adding minisign v0.7.3 (available: v0.7.9) Adding object v0.36.7 (available: v0.37.1) Adding oxc_allocator v0.36.0 (available: v0.77.3) Adding oxc_ast v0.36.0 (available: v0.77.3) Adding oxc_parser v0.36.0 (available: v0.77.3) Adding oxc_span v0.36.0 (available: v0.77.3) Adding phf v0.11.3 (available: v0.12.1) Adding proc-macro-crate v2.0.0 (available: v2.0.2) Adding rpm v0.16.0 (available: v0.17.0) Adding schemars v0.8.22 (available: v1.0.4) Adding serialize-to-javascript v0.1.1 (available: v0.1.2) Adding serialize-to-javascript-impl v0.1.1 (available: v0.1.2) Adding tiny_http v0.11.0 (available: v0.12.0) Adding toml v0.8.23 (available: v0.9.2) Adding toml_edit v0.22.27 (available: v0.23.2) Adding which v7.0.3 (available: v8.0.0) Adding x509-certificate v0.23.1 (available: v0.24.0) Fetching advisory database from `https://github.com/RustSec/advisory-db.git` Loaded 792 security advisories (from /home/runner/.cargo/advisory-db) Updating crates.io index Scanning Cargo.lock for vulnerabilities (1059 crate dependencies) Crate: atk Version: 0.18.2 </tr></table> </code></pre> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
2816ced0a7 |
build(deps): bump strum from 0.27.1 to 0.27.2 in /rust (#10117)
Bumps [strum](https://github.com/Peternator7/strum) from 0.27.1 to 0.27.2. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/Peternator7/strum/releases">strum's releases</a>.</em></p> <blockquote> <h2>v0.27.2</h2> <h2>What's Changed</h2> <ul> <li>Adding support for doc comments on <code>EnumDiscriminants</code> generated type… by <a href="https://github.com/linclelinkpart5"><code>@linclelinkpart5</code></a> in <a href="https://redirect.github.com/Peternator7/strum/pull/141">Peternator7/strum#141</a></li> <li>Drop needless <code>rustversion</code> dependency by <a href="https://github.com/paolobarbolini"><code>@paolobarbolini</code></a> in <a href="https://redirect.github.com/Peternator7/strum/pull/446">Peternator7/strum#446</a></li> <li>Upgrade <code>phf</code> to v0.12 by <a href="https://github.com/paolobarbolini"><code>@paolobarbolini</code></a> in <a href="https://redirect.github.com/Peternator7/strum/pull/448">Peternator7/strum#448</a></li> <li>allow discriminants on empty enum by <a href="https://github.com/crop2000"><code>@crop2000</code></a> in <a href="https://redirect.github.com/Peternator7/strum/pull/435">Peternator7/strum#435</a></li> <li>Remove broken link to EnumTable docs by <a href="https://github.com/schneems"><code>@schneems</code></a> in <a href="https://redirect.github.com/Peternator7/strum/pull/427">Peternator7/strum#427</a></li> <li>Change enum table callbacks to FnMut. by <a href="https://github.com/ClaytonKnittel"><code>@ClaytonKnittel</code></a> in <a href="https://redirect.github.com/Peternator7/strum/pull/443">Peternator7/strum#443</a></li> <li>Add <code>#[automatically_derived]</code> to the <code>impl</code>s by <a href="https://github.com/dandedotdev"><code>@dandedotdev</code></a> in <a href="https://redirect.github.com/Peternator7/strum/pull/444">Peternator7/strum#444</a></li> <li>Implement a <code>suffix</code> attribute for serialization of enum variants by <a href="https://github.com/amogh-dambal"><code>@amogh-dambal</code></a> in <a href="https://redirect.github.com/Peternator7/strum/pull/440">Peternator7/strum#440</a></li> <li>Expound upon use_phf docs by <a href="https://github.com/Peternator7"><code>@Peternator7</code></a> in <a href="https://redirect.github.com/Peternator7/strum/pull/449">Peternator7/strum#449</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/paolobarbolini"><code>@paolobarbolini</code></a> made their first contribution in <a href="https://redirect.github.com/Peternator7/strum/pull/446">Peternator7/strum#446</a></li> <li><a href="https://github.com/crop2000"><code>@crop2000</code></a> made their first contribution in <a href="https://redirect.github.com/Peternator7/strum/pull/435">Peternator7/strum#435</a></li> <li><a href="https://github.com/schneems"><code>@schneems</code></a> made their first contribution in <a href="https://redirect.github.com/Peternator7/strum/pull/427">Peternator7/strum#427</a></li> <li><a href="https://github.com/ClaytonKnittel"><code>@ClaytonKnittel</code></a> made their first contribution in <a href="https://redirect.github.com/Peternator7/strum/pull/443">Peternator7/strum#443</a></li> <li><a href="https://github.com/dandedotdev"><code>@dandedotdev</code></a> made their first contribution in <a href="https://redirect.github.com/Peternator7/strum/pull/444">Peternator7/strum#444</a></li> <li><a href="https://github.com/amogh-dambal"><code>@amogh-dambal</code></a> made their first contribution in <a href="https://redirect.github.com/Peternator7/strum/pull/440">Peternator7/strum#440</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/Peternator7/strum/compare/v0.27.1...v0.27.2">https://github.com/Peternator7/strum/compare/v0.27.1...v0.27.2</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/Peternator7/strum/blob/master/CHANGELOG.md">strum's changelog</a>.</em></p> <blockquote> <h2>0.27.2</h2> <ul> <li> <p><a href="https://redirect.github.com/Peternator7/strum/pull/141">#141</a>: Adding support for doc comments on <code>EnumDiscriminants</code> generated type.</p> <ul> <li>The doc comment will be copied from the variant on the type itself.</li> </ul> </li> <li> <p><a href="https://redirect.github.com/Peternator7/strum/pull/435">#435</a>:allow discriminants on empty enum.</p> </li> <li> <p><a href="https://redirect.github.com/Peternator7/strum/pull/443">#443</a>: Change enum table callbacks to FnMut.</p> </li> <li> <p><a href="https://redirect.github.com/Peternator7/strum/pull/444">#444</a>: Add <code>#[automatically_derived]</code> to the <code>impl</code>s by <a href="https://github.com/dandedotdev"><code>@dandedotdev</code></a> in <a href="https://redirect.github.com/Peternator7/strum/pull/444">Peternator7/strum#444</a></p> <ul> <li>This should make the linter less noisy with warnings in generated code.</li> </ul> </li> <li> <p><a href="https://redirect.github.com/Peternator7/strum/pull/440">#440</a>: Implement a <code>suffix</code> attribute for serialization of enum variants.</p> <pre lang="rust"><code>#[derive(strum::Display)] #[strum(suffix=".json")] #[strum(serialize_all="snake_case")] enum StorageConfiguration { PostgresProvider, S3StorageProvider, AzureStorageProvider, } <p>fn main() { let response = SurveyResponse::Other("It was good".into()); println!("Loading configuration from: {}", StorageConfiguration::PostgresProvider); // prints: Loaded Configuration from: postgres_provider.json } </code></pre></p> </li> <li> <p><a href="https://redirect.github.com/Peternator7/strum/pull/446">#446</a>: Drop needless <code>rustversion</code> dependency.</p> </li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
46373d3020 |
build(deps): bump tokio-util from 0.7.15 to 0.7.16 in /rust (#10115)
Bumps [tokio-util](https://github.com/tokio-rs/tokio) from 0.7.15 to 0.7.16. <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
Jamil
|
56f5405849 |
chore(ci): increase perf test time to 30s (#10133)
Our ICE timeout is ~15s, so it would be a good idea to ensure the perf tests span a possible ICE timeout if it occurs in the test, so that we may detect cases where high throughput may cause an ICE timeout. |
||
|
Firezone Bot
|
3e529ed36c | chore: publish gateway 1.4.15 (#10134) | ||
|
Thomas Eizinger
|
0e32f1c4f2 |
fix(relay): increase nonce usage to 10000 (#10128)
On a Gateway with a busy connections, only being able to use a nonce 100 times causes unnecessary churn. We increase this to 10000 to be able to handle bursts of messages such as channel bindings better. |
||
|
Thomas Eizinger
|
96579483d8 |
fix(phoenix-channel): timeout room join after 5s (#10130)
If we fail to join a given room for longer than 5s, we fail the WebSocket connection and reconnect. |
||
|
Thomas Eizinger
|
d1cbf4f76d |
chore(snownet): fix relay sampling spam (#10127)
When we disconnect from a relay, we currently spam `Failed to sample new relay for connection` until we connect to a new one. |
||
|
Thomas Eizinger
|
08d900f3dc |
ci: remove duplicate log output (#10124)
These are already shown in prior steps. |
||
|
Thomas Eizinger
|
27de29fee7 |
test(connlib): downgrade error (#10123)
We can run into this when multiple DNS queries all need to be sent to the same Gateway and we don't have a connection yet. Hence, downgrade this error to a debug log. |
||
|
Thomas Eizinger
|
1222be8fc9 |
fix(snownet): de-multiplex packets based on WG session index (#10109)
Right now, `snownet` de-multiplexes WireGuard packets based on their source tuple (IP + port) to the _first_ connection that would like to handle this traffic. What appears to be happening based on observation from customer logs is that we sometimes dispatch the traffic to the wrong connection. The WireGuard packet format uses session indices to declare, which session a packet is for. The local session index is selected during the handshake for a particular session. By associating the different session indices (we can have up to 8 in parallel per peer) with our Firezone-specific connection ID, we can change our de-multiplexing scheme to uses these indices instead of the source tuple. This is especially important for Gateways as those talk to multiple different clients. The session index is a 32-bit integer where the top 24 bits identify the connection and the bottom 8 bits are used in a round-robin fashion to identify individual sessions within the connection. Thus, to find the correct connection, we right-shift the session index of an incoming packet to arrive back at the 24-bit connection identifier. In environments with a limited number of ports outside the NAT, a connection from a new Client may come from a source tuple of a previous Client. In such a case, we'd dispatch the packets to the wrong connection, causing the Client to not be able to handshake a tunnel. |
||
|
Thomas Eizinger
|
324edce754 |
feat(connlib): roll-over WireGuard session on connection upsert (#10102)
When a Client upserts a connection to a Gateway, we currently assume that the connection is still intact. After all, it hasn't hit an ICE timeout, otherwise the connection would not be present in memory. If however the Gateway restarted or somehow lost its connection state and the Client hasn't noticed yet, then the upsert will be an _insert_ for the Gateway and ICE will create a new connection for us. In order to ensure that the WireGuard tunnel state and ICE are synchronized at all times, we also need to handshake a new session. `boringtun` maintains up to 8 concurrent sessions for us. This allows for a smooth roll-over where packets encrypted with the keys from previous sessions can still be decrypted. Thus, we can easily roll-over the session on every connection upsert without any trouble. To ensure that this doesn't happen _very_ rapidly, we debounce these proactive session roll-overs to happen at most every 20s. This follows the idea of MADR-0017. --------- Signed-off-by: Thomas Eizinger <thomas@eizinger.io> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Jamil <jamilbk@users.noreply.github.com> |
||
|
Firezone Bot
|
acf52ccf1e | chore: publish apple-client 1.5.6 (#10106) | ||
|
dependabot[bot]
|
eb31d71ffa |
build(deps): bump fast-xml-parser from 5.2.4 to 5.2.5 in /website (#10082)
Bumps [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) from 5.2.4 to 5.2.5. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md">fast-xml-parser's changelog</a>.</em></p> <blockquote> <p><!-- raw HTML omitted -->Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.<!-- raw HTML omitted --></p> <p><strong>5.2.5 / 2025-06-08</strong></p> <ul> <li>Inform user to use <a href="https://github.com/NaturalIntelligence/fxp-cli">fxp-cli</a> instead of in-built CLI feature</li> <li>Export typings for direct use</li> </ul> <p><strong>5.2.4 / 2025-06-06</strong></p> <ul> <li>fix (<a href="https://redirect.github.com/NaturalIntelligence/fast-xml-parser/issues/747">#747</a>): fix EMPTY and ANY with ELEMENT in DOCTYPE</li> </ul> <p><strong>5.2.3 / 2025-05-11</strong></p> <ul> <li>fix (<a href="https://redirect.github.com/NaturalIntelligence/fast-xml-parser/issues/747">#747</a>): support EMPTY and ANY with ELEMENT in DOCTYPE</li> </ul> <p><strong>5.2.2 / 2025-05-05</strong></p> <ul> <li>fix (<a href="https://redirect.github.com/NaturalIntelligence/fast-xml-parser/issues/746">#746</a>): update strnum to fix parsing issues related to enotations</li> </ul> <p><strong>5.2.1 / 2025-04-22</strong></p> <ul> <li>fix: read DOCTYPE entity value correctly</li> <li>read DOCTYPE NOTATION, ELEMENT exp but not using read values</li> </ul> <p><strong>5.2.0 / 2025-04-03</strong></p> <ul> <li>feat: support metadata on nodes (<a href="https://redirect.github.com/NaturalIntelligence/fast-xml-parser/issues/593">#593</a>) (By <a href="https://github.com/srl295">Steven R. Loomis</a>)</li> </ul> <p><strong>5.1.0 / 2025-04-02</strong></p> <ul> <li>feat: declare package as side-effect free (<a href="https://redirect.github.com/NaturalIntelligence/fast-xml-parser/issues/738">#738</a>) (By <a href="https://github.com/tbouffard">Thomas Bouffard</a>)</li> <li>fix cjs build mode</li> <li>fix builder return type to string</li> <li></li> </ul> <p><strong>5.0.9 / 2025-03-14</strong></p> <ul> <li>fix: support numeric entities with values over 0xFFFF (<a href="https://redirect.github.com/NaturalIntelligence/fast-xml-parser/issues/726">#726</a>) (By <a href="https://github.com/mcdurdin">Marc Durdin</a>)</li> <li>fix: update strnum to fix parsing 0 if skiplike option is used</li> </ul> <p><strong>5.0.8 / 2025-02-27</strong></p> <ul> <li>fix parsing 0 if skiplike option is used. <ul> <li>updating strnum dependency</li> </ul> </li> </ul> <p><strong>5.0.7 / 2025-02-25</strong></p> <ul> <li>fix (<a href="https://redirect.github.com/NaturalIntelligence/fast-xml-parser/issues/724">#724</a>) typings for cjs.</li> </ul> <p><strong>5.0.6 / 2025-02-20</strong></p> <ul> <li>fix cli output (By <a href="https://github.com/angeld7">Angel Delgado</a>) <ul> <li>remove multiple JSON parsing</li> </ul> </li> </ul> <p><strong>5.0.5 / 2025-02-20</strong></p> <ul> <li>fix parsing of string starting with 'e' or 'E' by updating strnum</li> </ul> <p><strong>5.0.4 / 2025-02-20</strong></p> <ul> <li>fix CLI to support all the versions of node js when displaying library version.</li> <li>fix CJS import in v5</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |