mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-01-27 10:18:54 +00:00
7100b4a67417ecdf46a822b0be1ec1bd9e6d4a94
2817 Commits
- `7100b4a674` build(deps): bump vite from 6.3.6 to 6.4.1 in /rust/gui-client in the npm_and_yarn group across 1 directory (#10666)

  Bumps the npm_and_yarn group with 1 update in the /rust/gui-client directory: [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite). Updates `vite` from 6.3.6 to 6.4.1

  <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/vitejs/vite/releases">vite's releases</a>.</em></p> <blockquote> <h2>create-vite@6.4.1</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/create-vite@6.4.1/packages/create-vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v6.4.1</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v6.4.1/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>create-vite@6.4.0</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/create-vite@6.4.0/packages/create-vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v6.4.0</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v6.4.0/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v6.3.7</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v6.3.7/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> </blockquote> </details>

  <details> <summary>Commits</summary> <ul> <li><a href="

- `132784ac82` build(deps): bump ringbuffer from 0.15.0 to 0.16.0 in /rust (#10653)

  Bumps [ringbuffer](https://github.com/NULLx76/ringbuffer) from 0.15.0 to 0.16.0.

  <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/NULLx76/ringbuffer/releases">ringbuffer's releases</a>.</em></p> <blockquote> <h2>0.16.0</h2> <h2>What's Changed</h2> <ul> <li>Implement nth and nth_back to provide a O(1) way of skipping through elements by <a href="https://github.com/cdellacqua"><code>@cdellacqua</code></a> in <a href="https://redirect.github.com/NULLx76/ringbuffer/pull/142">NULLx76/ringbuffer#142</a></li> <li>Increase copy speed by orders of magnitude by <a href="https://github.com/cdellacqua"><code>@cdellacqua</code></a> in <a href="https://redirect.github.com/NULLx76/ringbuffer/pull/142">NULLx76/ringbuffer#142</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/NULLx76/ringbuffer/compare/0.15.0...v0.16.0">https://github.com/NULLx76/ringbuffer/compare/0.15.0...v0.16.0</a></p> </blockquote> </details>

  <details> <summary>Commits</summary> <ul> <li><a href="

- `b394c054f6` build(deps): bump tempfile from 3.22.0 to 3.23.0 in /rust (#10673)

  Bumps [tempfile](https://github.com/Stebalien/tempfile) from 3.22.0 to 3.23.0.

  <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/Stebalien/tempfile/blob/master/CHANGELOG.md">tempfile's changelog</a>.</em></p> <blockquote> <h2>3.23.0</h2> <ul> <li>Remove need for the "nightly" feature to compile with "wasip2".</li> </ul> </blockquote> </details>

  <details> <summary>Commits</summary> <ul> <li><a href="

- `ed2bc0bd25` feat(gateway): revise handling of DNS resolution errors (#10623)

  Even prior to #10373, failures in resolving a name on the Gateway for a DNS resource resulted in a failure of setting up the DNS resource NAT. Without the DNS resource NAT, packets for that resource bounced on the Gateway because we didn't have any traffic filters. A non-existent filter is being treated as a "traffic not allowed" error and we respond with an ICMP permission denied error. For domains where both the A and AAAA query result in NXDOMAIN, that isn't necessarily appropriate. Instead, I am proposing that for such cases, we want to return a regular "address/host unreachable" ICMP error instead of the more specific "permission denied" variant.

  To achieve that, we refactor the Gateway's peer state to be able to hold an `Option<IpAddr>` inside the `TranslationState`. This allows us to always insert an entry for each proxy IP, even if we did not resolve any IPs for it. Then, when receiving traffic for a proxy IP where the resolved IP is `None`, we reply with the appropriate ICMP error.

  As part of this, we also simplify the assignment of the proxy IPs. With the NAT64 module removed, there is no more reason to cross-assign IPv4 and IPv6 addresses. We can simply leave the mappings for e.g. IPv6 proxy addresses empty if the AAAA query didn't resolve anything.

  From the Client's perspective, not much changes. The DNS resource NAT setup will now succeed, even for domains that don't resolve to anything. This doesn't change any behaviour though as we are currently already passing packets through for failed DNS resource NAT setups. The main change is that we now send back a different ICMP error. Most importantly, the "address/host unreachable" variant does not trigger #10462.

- `c795e0da72` build(deps): bump futures-bounded from 0.2.4 to 0.3.0 in /rust (#10645)

  Bumps [futures-bounded](https://github.com/thomaseizinger/rust-futures-bounded) from 0.2.4 to 0.3.0.

  <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/thomaseizinger/rust-futures-bounded/blob/main/CHANGELOG.md">futures-bounded's changelog</a>.</em></p> <blockquote> <h2>0.3.0</h2> <ul> <li>Allow for multiple timer implementations. See <a href="https://redirect.github.com/thomaseizinger/rust-futures-bounded/pull/5">PR 5</a>.</li> </ul> </blockquote> </details>

  <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/thomaseizinger/rust-futures-bounded/commits">compare view</a></li> </ul> </details>

  [Dependabot compatibility score](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

  Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

  ---

  <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR:

  - `@dependabot rebase` will rebase this PR
  - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  - `@dependabot merge` will merge this PR after your CI passes on it
  - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  - `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  - `@dependabot reopen` will reopen this PR if it is closed
  - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
  - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

  </details>

  ---------

  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Co-authored-by: Thomas Eizinger <thomas@eizinger.io>

- `08f6989391` build(deps): bump proptest-state-machine from 0.3.1 to 0.4.0 in /rust (#10633)

  Bumps [proptest-state-machine](https://github.com/proptest-rs/proptest) from 0.3.1 to 0.4.0.

  <details> <summary>Commits</summary> <ul> <li><a href="

- `5378525e70` build(deps): bump zip from 2.4.2 to 5.1.1 in /rust (#10652)

  Bumps [zip](https://github.com/zip-rs/zip2) from 2.4.2 to 5.1.1.

  <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/zip-rs/zip2/releases">zip's releases</a>.</em></p> <blockquote> <h2>v5.1.1</h2> <h3>🐛 Bug Fixes</h3> <ul> <li>panic when reading empty extended-timestamp field (<a href="https://redirect.github.com/zip-rs/zip2/pull/404">#404</a>) (<a href="https://redirect.github.com/zip-rs/zip2/pull/422">#422</a>)</li> <li>Restore original file timestamp when unzipping with <code>chrono</code> (<a href="https://redirect.github.com/zip-rs/zip2/pull/46">#46</a>)</li> </ul> <h3>⚙️ Miscellaneous Tasks</h3> <ul> <li>Configure Amazon Q rules (<a href="https://redirect.github.com/zip-rs/zip2/pull/421">#421</a>)</li> </ul> <h2>v5.1.0</h2> <h3>🚀 Features</h3> <ul> <li>Add legacy shrink/reduce/implode compression (<a href="https://redirect.github.com/zip-rs/zip2/pull/303">#303</a>)</li> </ul> <h2>v5.0.1</h2> <h3>🐛 Bug Fixes</h3> <ul> <li>AES metadata was not copied correctly in raw copy methods, which could corrupt the copied file. (<a href="https://redirect.github.com/zip-rs/zip2/pull/417">#417</a>)</li> </ul> <h2>v5.0.0</h2> <h3>🚀 Features</h3> <ul> <li>Implement by_path*() methods on ZipArchive (<a href="https://redirect.github.com/zip-rs/zip2/pull/382">#382</a>)</li> </ul> <h2>v4.6.1</h2> <h3>🐛 Bug Fixes</h3> <ul> <li>Fixes an issue introduced by the swap from <code>lzma-rs</code> to <code>liblzma</code> (<a href="https://redirect.github.com/zip-rs/zip2/pull/407">#407</a>)</li> </ul> <h2>v4.6.0</h2> <h3>🚀 Features</h3> <ul> <li>Allow to read zip files with unsupported extended timestamps (<a href="https://redirect.github.com/zip-rs/zip2/pull/400">#400</a>)</li> </ul> <h3>🐛 Bug Fixes</h3> <ul> <li>enable clamp_opt for ppmd and xz (<a href="https://redirect.github.com/zip-rs/zip2/pull/401">#401</a>)</li> </ul> <h2>v4.5.0</h2> <h3>🚀 Features</h3> <ul> <li>Allow reading ZIP files where the central directory comes <em>before</em> the files (<a href="https://redirect.github.com/zip-rs/zip2/pull/384">#384</a>) (<a href="https://redirect.github.com/zip-rs/zip2/pull/396">#396</a>)</li> </ul> <h2>v4.4.0</h2> <h3>🚀 Features</h3> <ul> <li>Add <code>lzma-static</code> and <code>xz-static</code> features that enable <code>liblzma/static</code> (<a href="https://redirect.github.com/zip-rs/zip2/pull/393">#393</a>)</li> </ul> <h3>⚙️ Miscellaneous Tasks</h3> </blockquote> <p>... (truncated)</p> </details>

  <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/zip-rs/zip2/blob/master/CHANGELOG.md">zip's changelog</a>.</em></p> <blockquote> <h2><a href="https://github.com/zip-rs/zip2/compare/v5.1.0...v5.1.1">5.1.1</a> - 2025-09-11</h2> <h3>🐛 Bug Fixes</h3> <ul> <li>panic when reading empty extended-timestamp field (<a href="https://redirect.github.com/zip-rs/zip2/pull/404">#404</a>) (<a href="https://redirect.github.com/zip-rs/zip2/pull/422">#422</a>)</li> <li>Restore original file timestamp when unzipping with <code>chrono</code> (<a href="https://redirect.github.com/zip-rs/zip2/pull/46">#46</a>)</li> </ul> <h3>⚙️ Miscellaneous Tasks</h3> <ul> <li>Configure Amazon Q rules (<a href="https://redirect.github.com/zip-rs/zip2/pull/421">#421</a>)</li> </ul> <h2><a href="https://github.com/zip-rs/zip2/compare/v5.0.1...v5.1.0">5.1.0</a> - 2025-09-10</h2> <h3>🚀 Features</h3> <ul> <li>Add legacy shrink/reduce/implode compression (<a href="https://redirect.github.com/zip-rs/zip2/pull/303">#303</a>)</li> </ul> <h2><a href="https://github.com/zip-rs/zip2/compare/v5.0.0...v5.0.1">5.0.1</a> - 2025-09-09</h2> <h3>🐛 Bug Fixes</h3> <ul> <li>AES metadata was not copied correctly in raw copy methods, which could corrupt the copied file. (<a href="https://redirect.github.com/zip-rs/zip2/pull/417">#417</a>)</li> </ul> <h2><a href="https://github.com/zip-rs/zip2/compare/v4.6.1...v5.0.0">5.0.0</a> - 2025-09-05</h2> <h3>🚀 Features</h3> <ul> <li>Implement by_path*() methods on ZipArchive (<a href="https://redirect.github.com/zip-rs/zip2/pull/382">#382</a>)</li> </ul> <h2><a href="https://github.com/zip-rs/zip2/compare/v4.6.0...v4.6.1">4.6.1</a> - 2025-09-03</h2> <h3>🐛 Bug Fixes</h3> <ul> <li>Fixes an issue introduced by the swap from <code>lzma-rs</code> to <code>liblzma</code> (<a href="https://redirect.github.com/zip-rs/zip2/pull/407">#407</a>)</li> </ul> <h2><a href="https://github.com/zip-rs/zip2/compare/v4.5.0...v4.6.0">4.6.0</a> - 2025-08-30</h2> <h3>🚀 Features</h3> <ul> <li>Allow to read zip files with unsupported extended timestamps (<a href="https://redirect.github.com/zip-rs/zip2/pull/400">#400</a>)</li> </ul> <h3>🐛 Bug Fixes</h3> <ul> <li>enable clamp_opt for ppmd and xz (<a href="https://redirect.github.com/zip-rs/zip2/pull/401">#401</a>)</li> </ul> <h2><a href="https://github.com/zip-rs/zip2/compare/v4.4.0...v4.5.0">4.5.0</a> - 2025-08-21</h2> <h3>🚀 Features</h3> <ul> <li>Allow reading ZIP files where the central directory comes <em>before</em> the files (<a href="https://redirect.github.com/zip-rs/zip2/pull/384">#384</a>) (<a href="https://redirect.github.com/zip-rs/zip2/pull/396">#396</a>)</li> </ul> </blockquote> <p>... (truncated)</p> </details>

  <details> <summary>Commits</summary> <ul> <li><a href="

- `6a538368cb` feat(gateway): add flow-logs MVP (#10576)

  Network flow logs are a common feature of VPNs. Due to the nature of a shared exit node, it is of great interest to a network analyst which TCP connections are getting routed through the tunnel, who is initiating them, how long they last and how much traffic is sent across them.

  With this PR, the Firezone Gateway gains the ability to detect the TCP and UDP flows that are being routed through it. The information we want to attach to these flows is spread out over several layers of the packet handling code. To simplify the implementation and not complicate the APIs unnecessarily, we chose to rely on TLS (thread-local storage) for gathering all the necessary data as a packet gets passed through the various layers. When using a const initializer, the overhead of a TLS variable over an actual local variable is basically zero. The entire routing state of the Gateway is also never sent across any threads, making TLS variables a particularly good choice for this problem.

  In its MVP form, the detected flows are only emitted on stdout, and even then only if `flow_logs=trace` is set using `RUST_LOG`. Early adopters of this feature are encouraged to enable these logs as described and then ingest the Gateway's logs into the SIEM of their choice for further analysis.

  Related: #8353

- `80331b4e93` feat(gateway): add option for outputting logs as JSON (#10620)

  To enable customers to ingest flow logs (#8353) into various SIEMs, outputting structured logs is crucial.

- `08857d602b` chore(client-ffi): add dummy constructor (#10659)

  When working on the `client-ffi` module on a Linux or Windows machine, we currently see a lot of "unused code" warnings. We could feature-gate the remaining functions too but that would result in not having code-completion on those platforms at all. To make working on this module more ergonomic, we add a dummy constructor for the session.

- `57a2330ca2` chore: fix cargo deny errors (#10676)

  The crates from https://github.com/open-i18n/rust-unic are unmaintained but they are still being pulled in via `tauri`. Unfortunately, we have to wait for an MSRV bump from `tauri` before the update of `urlpattern` can be completed. Until then, we need to ignore these advisories to keep our CI passing.

  Related: https://github.com/tauri-apps/tauri/pull/14195

- `dee535f30e` chore(client-ffi): tweak uniffi settings (#10665)

  As far as I can tell, the `async_runtime` config option doesn't exist in UniFFI, hence we remove that. Whilst going through the UniFFI docs, I also noticed that there is a specific flag about Android that we can toggle on. Effectively, this uses the shared [`SystemCleaner`](https://developer.android.com/reference/android/system/SystemCleaner) instead of a per-thread one which is supposed to be more performant. Finally, using immutable records seems like a good idea as mutating any FFI-originated field is not going to be reflected in connlib's state. Preventing that at compile-time has a good chance of reducing bugs.

- `b854b7407c` chore: fix clippy warnings in eBPF code (#10660)

  This code appears to be configured out in CI and thus we don't run clippy there. My IDE pointed these out however so it seems fair enough to fix them. It is just unnecessary references; it doesn't actually have an impact on the functionality.

- `8bb157f579` chore(connlib): silence hickory_proto logs (#10624)

  These are a bit noisy on DEBUG.

- `20d0298a8a` chore: fix clippy warnings about HashMap iteration (#10661)

  Not quite sure how these didn't get picked up by CI but they showed in my local IDE.

  ---------

  Signed-off-by: Thomas Eizinger <thomas@eizinger.io>
  Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

- `fc97816d6e` chore: remove redundant clone (#10662)

- `0e48d27b5a` feat(ffi): make all calls infallible (#10621)

  In the spirit of making Firezone as robust as possible, we make the FFI calls infallible and complete as much of the task as possible. For example, we don't fail `setDns` entirely just because we cannot parse a single DNS server's IP.

  Resolves: #10611

- `fcda9c3b65` chore(connlib): add unit test for site-name change (#10622)

  Turns out name changes of sites are already ignored as per the `PartialEq` implementation of `Site`. This adds a unit-test to assert that.

- `fdd05e0e0f` chore(connlib): remove stale comments (#10617)

  These comments are no longer correct and need to be removed before they confuse someone.

- `a07dfc9869` test(connlib): workaround DNS cache in proptests (#10602)

  With the introduction of the DNS cache for Clients in #10533, we now enable a behaviour where we don't necessarily need to establish a connection to a Gateway to resolve a DNS query if we still have a valid entry in the DNS cache. In particular, the proptests discovered that:

  - a DNS query for an upstream resolver
  - which happens to be a resource
  - and has a valid entry in the DNS cache
  - but (no longer) a connection to the corresponding Gateway

  will now serve the cached DNS records instead of establishing a new connection to the Gateway. As a result, the site status which we assert in the proptests remains in "unknown" instead of the expected "online".

  Modelling the caching behaviour in the tests is rather tedious. To avoid that, we set the TTL of all simulated upstream DNS responses to 1 which effectively bypasses the cache. Whilst not an ideal solution, it ensures that CI is consistently green without flaky tests. The DNS cache itself is already unit-tested.

- `928d8a2512` fix(connlib): handle resources changing site (#10604)

  Similar to how resources can be edited to change their address, IP stack or other properties, they can also be moved between different sites. Currently, `connlib` requires the portal to explicitly remove the resource and then re-add it for this to work. Our system gets more robust if we also detect that the sites of a resource have changed and handle it like other addressability changes. To ensure that this works correctly, we also extend the proptests to simulate addressability changes of resources.

  Resolves: #9881
  Related: #10593

- `6b3f2a32ce` feat(gateway): associate packets with resource ID (#10588)

  In order to support flow logs, we need to associate each IP packet that gets routed with its corresponding resource ID. Currently, we only track what is necessary for the actual routing behaviour: the IP addresses and the filters. Therefore, we extend the data structures in `peer` to also track the `ResourceId` now. The entire code within `peer` became a bit hard to manage so I took this opportunity to split it out into two dedicated modules.

  This PR forms the base for recording flow logs in #10576.

- `5272e0c992` chore: publish headless-client 1.5.4 (#10590)

- `f78cccea1b` chore: publish gui-client 1.5.8 (#10591)

- `e3bb2fb931` chore: publish gateway 1.4.17 (#10584)

- `d35cf445d4` fix(linux): don't sync link-scope routes of offline interfaces (#10583)

  In #10554, we added a syncing mechanism that would copy all link-scoped routes of the `main` routing table over to the Firezone routing table. Routes for interfaces that are currently offline cannot be added and cause a netlink error of "Invalid argument". To prevent unnecessary warnings from being logged to Sentry, we retrieve the link state of each interface and skip routes for interfaces that are not online.

- `e76daaaab3` refactor: remove JSON serialization from FFI boundary (#10575)

  This PR eliminates JSON-based communication across the FFI boundary, replacing it with proper uniffi-generated types for improved type safety, performance, and reliability. We replace JSON string parameters with native uniffi types for:

  - Resources (DNS, CIDR, Internet)
  - Device information
  - DNS server lists
  - Network routes (CIDR representation)

  Also, get rid of JSON serialisation in Swift client IPC in favour of PropertyList based serialisation.

  Fixes: https://github.com/firezone/firezone/issues/9548

  ---------

  Co-authored-by: Thomas Eizinger <thomas@eizinger.io>

- `08f8e886f1` chore(connlib): tune down INFO logs (#10574)

  Several of these INFO logs are actually quite noisy, like exchanging candidates with Gateways or updating the allocation. We barely look at the INFO logs from customers and primarily investigate issues with DEBUG logs streamed to Sentry.

- `df601be538` chore(rust): ban keys and values from HashMap (#10569)

  In addition to the `iter` functions, `keys` and `values` also iterate over the contents of a `HashMap` and are thus non-deterministic. This can create problems where our test-suite is non-deterministic.

- `eb75cef467` fix(linux): allow LAN access when Internet Resource is on (#10554)

  ## Context

  On Linux, we create a dedicated routing table for all routes of the Firezone TUN device, including the `0.0.0.0/0` route. At a minimum, this routing table contains the following if the Internet Resource is active:

  ```
  > ip route show table 539098368
  default dev tun-firezone proto static
  100.64.0.0/11 dev tun-firezone proto static
  100.96.0.0/11 dev tun-firezone proto static
  100.100.111.0/24 dev tun-firezone proto static
  ```

  In addition, we also create a routing rule that bypasses this routing table for all packets that are tagged with the `0xfd002021` mark:

  ```
  > ip rule list
  0:      from all lookup local
  32765:  not from all fwmark 0xfd002021 lookup 539098368
  32766:  from all lookup main
  32767:  from all lookup default
  ```

  Firezone's internal UDP and TCP sockets are tagged with this mark and thus prevent routing loops where our own packets would otherwise get redirected back into the tunnel.

  Without the Internet Resource active, the rule `from all lookup main` triggers for local LAN traffic and correctly routes the traffic out via that interface. For example, on my computer, the Linux kernel created the following route with the `link` scope in the main table:

  ```
  192.168.188.0/24 dev wlp192s0 proto kernel scope link src 192.168.188.112 metric 600
  ```

  ## The problem

  With the Internet Resource active, there is a problem. The default route matches ALL destinations, including those for local LAN destinations which should actually be sent out via a different interface. As a result, local LAN traffic is broken on Linux as soon as the Internet Resource is active. Instead of being sent out via the local interface, these packets get sent to `tun-firezone` where they get forwarded to the Gateway and then dropped because their source IP is not a Firezone Client IP.

  ## Solution

  Fixing this is unfortunately non-trivial. The best I could come up with is to create a copy of all link-scoped routes in the Firezone routing table and keep those in sync with all route changes that happen. For example, when we roam, the link-scoped routes obviously change because we join a new subnet. We therefore listen to change-events from netlink and create a debounced task that reads the current link-scoped routes from the main routing table, compares it to the ones in the Firezone table and adds any routes not present. We don't need to worry about removing routes as link-scoped routes automatically disappear once the resulting interface goes away.

  ---------

  Signed-off-by: Thomas Eizinger <thomas@eizinger.io>
  Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

- `bb4a0deb8c` build(deps): bump @types/node from 22.15.30 to 24.4.0 in /rust/gui-client (#10564)

  Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 22.15.30 to 24.4.0.

  <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node">compare view</a></li> </ul> </details>

  [Dependabot compatibility score](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

  Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

  ---

  <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR (same command list as in the futures-bounded bump above). </details>

  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

- `10dc78f51f` build(deps): bump @vitejs/plugin-react from 4.5.1 to 5.0.2 in /rust/gui-client (#10566)

  Bumps [@vitejs/plugin-react](https://github.com/vitejs/vite-plugin-react/tree/HEAD/packages/plugin-react) from 4.5.1 to 5.0.2.

  <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/vitejs/vite-plugin-react/releases"><code>@vitejs/plugin-react</code>'s releases</a>.</em></p> <blockquote> <h2>plugin-react@5.0.2</h2> <h3>Skip transform hook completely in rolldown-vite in dev if possible (<a href="https://redirect.github.com/vitejs/vite-plugin-react/pull/783">#783</a>)</h3> <h2>plugin-react@5.0.1</h2> <h3>Set <code>optimizeDeps.rollupOptions.transform.jsx</code> instead of <code>optimizeDeps.rollupOptions.jsx</code> for rolldown-vite (<a href="https://redirect.github.com/vitejs/vite-plugin-react/pull/735">#735</a>)</h3> <p><code>optimizeDeps.rollupOptions.jsx</code> is going to be deprecated in favor of <code>optimizeDeps.rollupOptions.transform.jsx</code>.</p> <h3>Perf: skip <code>babel-plugin-react-compiler</code> if code has no <code>"use memo"</code> when <code>{ compilationMode: "annotation" }</code> (<a href="https://redirect.github.com/vitejs/vite-plugin-react/pull/734">#734</a>)</h3> <h3>Respect tsconfig <code>jsxImportSource</code> (<a href="https://redirect.github.com/vitejs/vite-plugin-react/pull/726">#726</a>)</h3> <h3>Fix <code>reactRefreshHost</code> option on rolldown-vite (<a href="https://redirect.github.com/vitejs/vite-plugin-react/pull/716">#716</a>)</h3> <h3>Fix <code>RefreshRuntime</code> being injected twice for class components on rolldown-vite (<a href="https://redirect.github.com/vitejs/vite-plugin-react/pull/708">#708</a>)</h3> <h3>Skip <code>babel-plugin-react-compiler</code> on non client environment (<a href="https://redirect.github.com/vitejs/vite-plugin-react/pull/689">689</a>)</h3> <h2>plugin-react@5.0.0</h2> <p>(Same content as v5.0.0-beta.0 <a href="https://github.com/vitejs/vite-plugin-react/releases/tag/plugin-react%405.0.0-beta.0">https://github.com/vitejs/vite-plugin-react/releases/tag/plugin-react%405.0.0-beta.0</a>)</p> <h3>Use Oxc for react refresh transform in rolldown-vite</h3> <p>When used with rolldown-vite, this plugin now uses Oxc for react refresh transform.</p> <p>Since this behavior is what <code>@vitejs/plugin-react-oxc</code> did, <code>@vitejs/plugin-react-oxc</code> is now deprecated and the <code>disableOxcRecommendation</code> option is removed.</p> <p>Also, while <code>@vitejs/plugin-react-oxc</code> used the production JSX transform even for <code>NODE_ENV=development</code> build, <code>@vitejs/plugin-react</code> uses the development JSX transform for <code>NODE_ENV=development</code> build.</p> <h3>Allow processing files in <code>node_modules</code></h3> <p>The default value of <code>exclude</code> options is now <code>[/\/node_modules\//]</code> to allow processing files in <code>node_modules</code> directory. It was previously <code>[]</code> and files in <code>node_modules</code> was always excluded regardless of the value of <code>exclude</code> option.</p> <h3><code>react</code> and <code>react-dom</code> is no longer added to <a href="https://vite.dev/config/#resolve-dedupe"><code>resolve.dedupe</code></a> automatically</h3> <p>Adding values to <code>resolve.dedupe</code> forces Vite to resolve them differently from how Node.js does, which can be confusing and may not be expected. This plugin no longer adds <code>react</code> and <code>react-dom</code> to <code>resolve.dedupe</code> automatically.</p> <p>If you encounter errors after upgrading, check your package.json for version mismatches in <code>dependencies</code> or <code>devDependencies</code>, as well as your package manager’s configuration. If you prefer the previous behavior, you can manually add <code>react</code> and <code>react-dom</code> to <code>resolve.dedupe</code>.</p> <h3>Remove old <code>babel-plugin-react-compiler</code> support that requires <code>runtimeModule</code> option</h3> <p><code>runtimeModule</code> option is no longer needed in newer <code>babel-plugin-react-compiler</code> versions. Make sure to use a newer version of <code>babel-plugin-react-compiler</code> that supports <code>target</code> option.</p> <h3>Require Node 20.19+, 22.12+</h3> <p>This plugin now requires Node 20.19+ or 22.12+.</p> <h2>plugin-react@5.0.0-beta.0</h2> <h3>Use Oxc for react refresh transform in rolldown-vite</h3> </blockquote> <p>... (truncated)</p> </details>

  <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/vitejs/vite-plugin-react/blob/main/packages/plugin-react/CHANGELOG.md"><code>@vitejs/plugin-react</code>'s changelog</a>.</em></p> <blockquote> <h2>5.0.2 (2025-08-28)</h2> <h3>Skip transform hook completely in rolldown-vite in dev if possible (<a href="https://redirect.github.com/vitejs/vite-plugin-react/pull/783">#783</a>)</h3> <h2>5.0.1 (2025-08-19)</h2> <h3>Set <code>optimizeDeps.rollupOptions.transform.jsx</code> instead of <code>optimizeDeps.rollupOptions.jsx</code> for rolldown-vite (<a href="https://redirect.github.com/vitejs/vite-plugin-react/pull/735">#735</a>)</h3> <p><code>optimizeDeps.rollupOptions.jsx</code> is going to be deprecated in favor of <code>optimizeDeps.rollupOptions.transform.jsx</code>.</p> <h3>Perf: skip <code>babel-plugin-react-compiler</code> if code has no <code>"use memo"</code> when <code>{ compilationMode: "annotation" }</code> (<a href="https://redirect.github.com/vitejs/vite-plugin-react/pull/734">#734</a>)</h3> <h3>Respect tsconfig <code>jsxImportSource</code> (<a href="https://redirect.github.com/vitejs/vite-plugin-react/pull/726">#726</a>)</h3> <h3>Fix <code>reactRefreshHost</code> option on rolldown-vite (<a href="https://redirect.github.com/vitejs/vite-plugin-react/pull/716">#716</a>)</h3> <h3>Fix <code>RefreshRuntime</code> being injected twice for class components on rolldown-vite (<a href="https://redirect.github.com/vitejs/vite-plugin-react/pull/708">#708</a>)</h3> <h3>Skip <code>babel-plugin-react-compiler</code> on non client environment (<a href="https://redirect.github.com/vitejs/vite-plugin-react/pull/689">689</a>)</h3> <h2>5.0.0 (2025-08-07)</h2> <h2>5.0.0-beta.0 (2025-07-28)</h2> <h3>Use Oxc for react refresh transform in rolldown-vite</h3> <p>When used with rolldown-vite, this plugin now uses Oxc for react refresh transform.</p> <p>Since this behavior is what <code>@vitejs/plugin-react-oxc</code> did, <code>@vitejs/plugin-react-oxc</code> is now deprecated and the <code>disableOxcRecommendation</code> option is removed.</p> <p>Also, while <code>@vitejs/plugin-react-oxc</code> used the production JSX transform even for <code>NODE_ENV=development</code> build, <code>@vitejs/plugin-react</code> uses the development JSX transform for <code>NODE_ENV=development</code> build.</p> <h3>Allow processing files in <code>node_modules</code></h3> <p>The default value of <code>exclude</code> options is now <code>[/\/node_modules\//]</code> to allow processing files in <code>node_modules</code> directory. It was previously <code>[]</code> and files in <code>node_modules</code> was always excluded regardless of the value of <code>exclude</code> option.</p> <h3><code>react</code> and <code>react-dom</code> is no longer added to <a href="https://vite.dev/config/#resolve-dedupe"><code>resolve.dedupe</code></a> automatically</h3> <p>Adding values to <code>resolve.dedupe</code> forces Vite to resolve them differently from how Node.js does, which can be confusing and may not be expected. This plugin no longer adds <code>react</code> and <code>react-dom</code> to <code>resolve.dedupe</code> automatically.</p> <p>If you encounter errors after upgrading, check your package.json for version mismatches in <code>dependencies</code> or <code>devDependencies</code>, as well as your package manager’s configuration. If you prefer the previous behavior, you can manually add <code>react</code> and <code>react-dom</code> to <code>resolve.dedupe</code>.</p> <h3>Remove old <code>babel-plugin-react-compiler</code> support that requires <code>runtimeModule</code> option</h3> <p><code>runtimeModule</code> option is no longer needed in newer <code>babel-plugin-react-compiler</code> versions. Make sure to use a newer version of <code>babel-plugin-react-compiler</code> that supports <code>target</code> option.</p> <h3>Require Node 20.19+, 22.12+</h3> <p>This plugin now requires Node 20.19+ or 22.12+.</p> </blockquote> <p>... (truncated)</p> </details>

  <details> <summary>Commits</summary> <ul> <li><a href="
||
|
|
3ac2f27f83 |
build(deps): bump the react group in /rust/gui-client with 2 updates (#10565)
Bumps the react group in /rust/gui-client with 2 updates: [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react) and [react-router](https://github.com/remix-run/react-router/tree/HEAD/packages/react-router). Updates `@types/react` from 19.1.12 to 19.1.13 <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react">compare view</a></li> </ul> </details> <br /> Updates `react-router` from 7.8.2 to 7.9.1 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/remix-run/react-router/releases">react-router's releases</a>.</em></p> <blockquote> <h2>v7.9.1</h2> <p>See the changelog for release notes: <a href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v791">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v791</a></p> <h2>v7.9.0</h2> <p>See the changelog for release notes: <a href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v790">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v790</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/remix-run/react-router/blob/main/packages/react-router/CHANGELOG.md">react-router's changelog</a>.</em></p> <blockquote> <h2>7.9.1</h2> <h3>Patch Changes</h3> <ul> <li>Fix internal <code>Future</code> interface naming from <code>middleware</code> -> <code>v8_middleware</code> (<a href="https://redirect.github.com/remix-run/react-router/pull/14327">#14327</a>)</li> </ul> <h2>7.9.0</h2> <h3>Minor Changes</h3> <ul> <li> <p>Stabilize middleware and context APIs. 
(<a href="https://redirect.github.com/remix-run/react-router/pull/14215">#14215</a>)</p> <p>We have removed the <code>unstable_</code> prefix from the following APIs and they are now considered stable and ready for production use:</p> <ul> <li><a href="https://reactrouter.com/api/utils/RouterContextProvider"><code>RouterContextProvider</code></a></li> <li><a href="https://reactrouter.com/api/utils/createContext"><code>createContext</code></a></li> <li><code>createBrowserRouter</code> <a href="https://reactrouter.com/api/data-routers/createBrowserRouter#optsgetcontext"><code>getContext</code></a> option</li> <li><code><HydratedRouter></code> <a href="https://reactrouter.com/api/framework-routers/HydratedRouter#getcontext"><code>getContext</code></a> prop</li> </ul> <p>Please see the <a href="https://reactrouter.com/how-to/middleware">Middleware Docs</a>, the <a href="https://github.com/remix-run/remix/discussions/7642">Middleware RFC</a>, and the <a href="https://github.com/remix-run/react-router/discussions/9856">Client-side Context RFC</a> for more information.</p> </li> </ul> <h3>Patch Changes</h3> <ul> <li>Escape HTML in <code>meta()</code> JSON-LD content (<a href="https://redirect.github.com/remix-run/react-router/pull/14316">#14316</a>)</li> <li>Add react-server Await component implementation (<a href="https://redirect.github.com/remix-run/react-router/pull/14261">#14261</a>)</li> <li>In RSC Data Mode when using a custom basename, fix hydration errors for routes that only have client loaders (<a href="https://redirect.github.com/remix-run/react-router/pull/14264">#14264</a>)</li> <li>Make <code>href</code> function available in a react-server context (<a href="https://redirect.github.com/remix-run/react-router/pull/14262">#14262</a>)</li> <li>decode each time <code>getPayload()</code> is called to allow for "in-context" decoding and hoisting of contextual assets (<a href="https://redirect.github.com/remix-run/react-router/pull/14248">#14248</a>)</li> 
<li><code>href()</code> now correctly processes routes that have an extension after the parameter or are a single optional parameter. (<a href="https://redirect.github.com/remix-run/react-router/pull/13797">#13797</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
038aa6b590 |
feat(gateway): support systemd credentials (#10538)
For more permanent Gateway installations, or ones that are managed through something else other than our install script, it is useful to define the Gateway's token outside the systemd unit file. Systemd provides support for credentials via the `LoadCredential` and `LoadCredentialEncrypted` instructions. We just need a tiny bit of glue code in the Gateway to actually use that if it is set. --------- Signed-off-by: Thomas Eizinger <thomas@eizinger.io> Co-authored-by: Jamil <jamilbk@users.noreply.github.com> |
||
|
|
4930aa7956 |
feat: allow setting Internet Resource from headless client (#10553)
Currently, the Internet Resource cannot be toggled on/off in the headless client. With #10509, the default state of the Internet Resource is now disabled, meaning users of the headless client are no longer able to use the Internet Resource. We fix this by introducing a new CLI argument `--activate-internet-resource` that can also be set via the env variable `FIREZONE_ACTIVATE_INTERNET_RESOURCE=true`. Resolves: #8342 |
||
|
|
cb50800d52 |
refactor(apple): Migrate iOS/macOS clients to UniFFI (#10368)
Replace callback-based Adapter with event polling-based AdapterUniFfi This change improves reliability by eliminating callback lifetime issues. |
||
|
|
039d0be7b8 |
fix(connlib): drop packets with bad source IP on clients (#10552)
When using the Internet Resource, it can happen that Clients are still receiving packets with a source IP that is different from the TUN IP. Such packets are dropped on the Gateway already today and therefore have never been routed to their destination. The Gateway cannot route these packets because the reply packets would have the original source address set as the destination and that one is not unique across all Firezone Clients. Without a unique destination, the Gateway cannot send the packet to the correct Client. Today, these packets are filtered on the Gateway and thus trigger an ICMP error. With the addition of #10462, we create a new flow for each one of these packets. To prevent this spam, we drop such packets early in the Client and don't even route them to the Gateway. |
||
|
|
d4a3a7404f |
build(deps): bump the aya group in /rust with 5 updates (#10519)
Bumps the aya group in /rust with 5 updates: | Package | From | To | | --- | --- | --- | | [aya](https://github.com/aya-rs/aya) | ``ec3eacc`` | ``fe99fa1`` | | [aya-build](https://github.com/aya-rs/aya) | ``ec3eacc`` | ``fe99fa1`` | | [aya-ebpf](https://github.com/aya-rs/aya) | ``ec3eacc`` | ``fe99fa1`` | | [aya-log](https://github.com/aya-rs/aya) | ``ec3eacc`` | ``fe99fa1`` | | [aya-log-ebpf](https://github.com/aya-rs/aya) | ``ec3eacc`` | ``fe99fa1`` | Updates `aya` from `ec3eacc` to `fe99fa1` <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
ea997146d3 |
build(deps): bump vite from 6.3.5 to 6.3.6 in /rust/gui-client in the npm_and_yarn group across 1 directory (#10545)
Bumps the npm_and_yarn group with 1 update in the /rust/gui-client directory: [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite). Updates `vite` from 6.3.5 to 6.3.6 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/vitejs/vite/releases">vite's releases</a>.</em></p> <blockquote> <h2>v6.3.6</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v6.3.6/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/vitejs/vite/blob/v6.3.6/packages/vite/CHANGELOG.md">vite's changelog</a>.</em></p> <blockquote> <h2><!-- raw HTML omitted -->6.3.6 (2025-09-08)<!-- raw HTML omitted --></h2> <ul> <li>fix: apply <code>fs.strict</code> check to HTML files (<a href="https://github.com/vitejs/vite/tree/HEAD/packages/vite/issues/20736">#20736</a>) (<a href=" |
||
|
|
57970c56f1 |
build(deps): bump the tailwind group in /rust/gui-client with 3 updates (#10526)
Bumps the tailwind group in /rust/gui-client with 3 updates: [@tailwindcss/cli](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-cli), [@tailwindcss/vite](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-vite) and [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss). Updates `@tailwindcss/cli` from 4.1.12 to 4.1.13 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/tailwindlabs/tailwindcss/releases"><code>@tailwindcss/cli</code>'s releases</a>.</em></p> <blockquote> <h2>v4.1.13</h2> <h3>Changed</h3> <ul> <li>Drop warning from browser build (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/issues/18731">#18731</a>)</li> <li>Drop exact duplicate declarations when emitting CSS (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/issues/18809">#18809</a>)</li> </ul> <h3>Fixed</h3> <ul> <li>Don't transition <code>visibility</code> when using <code>transition</code> (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/18795">#18795</a>)</li> <li>Discard matched variants with unknown named values (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/18799">#18799</a>)</li> <li>Discard matched variants with non-string values (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/18799">#18799</a>)</li> <li>Show suggestions for known <code>matchVariant</code> values (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/18798">#18798</a>)</li> <li>Replace deprecated <code>clip</code> with <code>clip-path</code> in <code>sr-only</code> (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/18769">#18769</a>)</li> <li>Hide internal fields from completions in <code>matchUtilities</code> (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/18820">#18820</a>)</li> <li>Ignore <code>.vercel</code> folders by default (can be overridden by 
<code>@source …</code> rules) (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/18855">#18855</a>)</li> <li>Consider variants starting with <code>@-</code> to be invalid (e.g. <code>@-2xl:flex</code>) (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/18869">#18869</a>)</li> <li>Do not allow custom variants to start or end with a <code>-</code> or <code>_</code> (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/18867">#18867</a>, <a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/18872">#18872</a>)</li> <li>Upgrade: Migrate <code>aria</code> theme keys to <code>@custom-variant</code> (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/18815">#18815</a>)</li> <li>Upgrade: Migrate <code>data</code> theme keys to <code>@custom-variant</code> (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/18816">#18816</a>)</li> <li>Upgrade: Migrate <code>supports</code> theme keys to <code>@custom-variant</code> (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/18817">#18817</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md"><code>@tailwindcss/cli</code>'s changelog</a>.</em></p> <blockquote> <h2>[4.1.13] - 2025-09-03</h2> <h3>Changed</h3> <ul> <li>Drop warning from browser build (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/issues/18731">#18731</a>)</li> <li>Drop exact duplicate declarations when emitting CSS (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/issues/18809">#18809</a>)</li> </ul> <h3>Fixed</h3> <ul> <li>Don't transition <code>visibility</code> when using <code>transition</code> (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/18795">#18795</a>)</li> <li>Discard matched variants with unknown named values (<a 
href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/18799">#18799</a>)</li> <li>Discard matched variants with non-string values (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/18799">#18799</a>)</li> <li>Show suggestions for known <code>matchVariant</code> values (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/18798">#18798</a>)</li> <li>Replace deprecated <code>clip</code> with <code>clip-path</code> in <code>sr-only</code> (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/18769">#18769</a>)</li> <li>Hide internal fields from completions in <code>matchUtilities</code> (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/18820">#18820</a>)</li> <li>Ignore <code>.vercel</code> folders by default (can be overridden by <code>@source …</code> rules) (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/18855">#18855</a>)</li> <li>Consider variants starting with <code>@-</code> to be invalid (e.g. 
<code>@-2xl:flex</code>) (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/18869">#18869</a>)</li> <li>Do not allow custom variants to start or end with a <code>-</code> or <code>_</code> (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/18867">#18867</a>, <a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/18872">#18872</a>)</li> <li>Upgrade: Migrate <code>aria</code> theme keys to <code>@custom-variant</code> (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/18815">#18815</a>)</li> <li>Upgrade: Migrate <code>data</code> theme keys to <code>@custom-variant</code> (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/18816">#18816</a>)</li> <li>Upgrade: Migrate <code>supports</code> theme keys to <code>@custom-variant</code> (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/18817">#18817</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
c5728d2ee6 |
build(deps): bump @fontsource-variable/source-sans-3 from 5.2.8 to 5.2.9 in /rust/gui-client (#10527)
Bumps [@fontsource-variable/source-sans-3](https://github.com/fontsource/font-files/tree/HEAD/fonts/variable/source-sans-3) from 5.2.8 to 5.2.9. <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/fontsource/font-files/commits/HEAD/fonts/variable/source-sans-3">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. 
You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
5d7a3d1628 |
build(deps): bump @tauri-apps/cli from 2.8.3 to 2.8.4 in /rust/gui-client in the tauri group (#10525)
Bumps the tauri group in /rust/gui-client with 1 update: [@tauri-apps/cli](https://github.com/tauri-apps/tauri). Updates `@tauri-apps/cli` from 2.8.3 to 2.8.4 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/tauri-apps/tauri/releases"><code>@tauri-apps/cli</code>'s releases</a>.</em></p> <blockquote> <h2><code>@tauri-apps/cli</code> v2.8.4</h2> <h2>[2.8.4]</h2> <h3>Enhancements</h3> <ul> <li><a href=" |
||
|
|
5600011d65 |
fix(connlib): patch mio to resolve panic bug on Windows (#10543)
The `mio` library which underpins `tokio` has a bug on Windows in regards to named pipes where under certain circumstances an "unreachable code" section is entered. See https://github.com/tokio-rs/mio/issues/1819 for the upstream bug report. In this PR, we patch in a fork of `mio` that aims to fix these issues by handling the state transitions more gracefully. I am not a Windows expert by any means so this will need some rigorous testing to make sure the IPC channel between GUI and Tunnel service still works reliably. Related: https://github.com/tokio-rs/mio/pull/1903 |
||
|
|
5b60d9d64d |
fix(gui-client): don't stop service after upgrade on Fedora (#10539)
On Fedora, when a package gets upgraded, the new package is installed first, followed by the uninstall of the old package. As a result, the `prerm` script is called after the `postinst` script of the new package. In our `prerm` script, we stop the tunnel service. On package upgrades, this results in us stopping the tunnel service after installing the new package, confronting the user with an error that the tunnel service is not running. `rpm` passes arguments to these maintenance scripts. In the case of `prerm`, we receive the count of how many other instances of this packages are installed. To fix this bug, we check whether the first argument to the script is "1", meaning that we are being upgraded and should not stop the tunnel service. |
||
|
|
8ccf8b90bc |
chore(tests): remove comments from regression seeds file (#10534)
Whilst the regression seeds file itself is useful to have a fixed set of tests that are always run, the comments what a specific seed samples to quickly get outdated as the test suite evolves. Therefore, we remove the comments to not confuse developers. |
||
|
|
1140f6ffa3 |
feat(clients): cache DNS responses (#10533)
Firezone Clients set themselves as the system-wide DNS resolver on startup. This is necessary to intercept queries for DNS resources which resolve to proxy IPs whilst Firezone is active. All DNS queries for non-resources are forwarded to either the resolver defined on the system or the ones defined in the portal (if any). These DNS servers can also be CIDR resources in which cases the queries get forwarded through the tunnel to a Gateway. Right now, the responses from these DNS servers are never cached. DNS is pretty heavily relied on on most systems and having DNS fail or be slow usually results in a bad user experience. To improve on this, we embed a small DNS cache into connlib where for each query, we first try to answer it from the cache. Queries otherwise forwarded to the system/upstream resolver or through the tunnel will see a much improved response time with this change. When serving responses from this cache, the TTL is decremented automatically based on how much time has passed since the entry was first added to the cache. Outside of the response time being ~1ms, this makes the cache fully transparent. Resolves: #10508 |
||
|
|
8fc2ef8ad1 |
fix(clients): set Internet Resource state on startup (#10509)
Building on top of #10507, setting the initial Internet Resource state is a piece of cake. All we need to do is thread a boolean variable through to all call-sites of `Session::connect`. Without the need for the Internet Resource's ID, we can simply pass in the boolean that is saved in the configuration of each client. Resolves: #10255 |
||
|
|
36dfee2c42 |
refactor(connlib): explicitly enable/disable Internet Resource (#10507)
Instead of the generic "disable any kind of resource"-functionality that connlib currently exposes, we now provide an API to only enable / disable the Internet Resource. This is a lot simpler to deal with and reason about than the previous system, especially when it comes to the proptests. Those need to model connlib's behaviour correctly across its entire API surface which makes them unnecessarily complex if we only ever use the `set_disabled_resources` API with a single resource. In preparation for #4789, I want to extend the proptests to cover traffic filters (#7126). This will make them a fair bit more complicated, so any prior removal of complexity is appreciated. Simplifying the implementation here is also a good starting point to fix #10255. Not implicitly enabling the Internet Resource when it gets added should be quite simple after this change. Finally, resolving #8885 should also be quite easy. We just need to store the state of the Internet Resource once per API URL instead of globally. Resolves: #8404 --------- Signed-off-by: Thomas Eizinger <thomas@eizinger.io> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> |
||
|
|
531a84268f |
fix(connlib): always process all errors from tunnel (#10500)
In #10347, we made sure that we always return all errors that happen during a single tick of the event-loop. What we overlooked is that as part of handling the errors, we need to use `continue` to jump to the next one instead of returning directly from the function. Signed-off-by: Thomas Eizinger <thomas@eizinger.io> |
||
|
|
e9e8792512 |
feat(connlib): tune down logs for recently disconnected clients (#10501)
When a Client disconnects from a Gateway, we might still be receiving packets that are either in-flight or are still being sent by the resource. For some amount of time after a disconnect, this is expected and not worth logging a warning for. With this PR, we define this time to be 60s. If we cannot look up a connection either by ID, session index or public key but the peer has disconnected within the last 60s, we will now only print a DEBUG log instead of a WARN. Resolves: #10175 |