Bumps [flowbite](https://github.com/themesberg/flowbite) from 2.5.2 to
3.0.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/themesberg/flowbite/releases">flowbite's
releases</a>.</em></p>
<blockquote>
<h2>v3.0.0</h2>
<ul>
<li>upgrade to Tailwind v4</li>
<li>refactor and adapt the Flowbite plugin and UI components to the new
deprecated changes from Tailwind v4</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="a10d2d6fe4"><code>a10d2d6</code></a>
refactor(plugin): use CSS variables for colors instead of hex
overriding</li>
<li><a
href="ad0a91e254"><code>ad0a91e</code></a>
docs(quickstart): slightly improve wording of the docs</li>
<li><a
href="821eb37467"><code>821eb37</code></a>
refactor(general): remove safelist and update example shortcode css
file</li>
<li><a
href="ebd0470946"><code>ebd0470</code></a>
push lock file</li>
<li><a
href="724fcdf538"><code>724fcdf</code></a>
update docs to main css</li>
<li><a
href="85abf7880c"><code>85abf78</code></a>
docs(grammar): fix</li>
<li><a
href="a69649974a"><code>a696499</code></a>
chore(tailwind cli): v4.0</li>
<li><a
href="8165fe54c4"><code>8165fe5</code></a>
readme(v4): guide</li>
<li><a
href="d183a0a9c6"><code>d183a0a</code></a>
chore(tailwind): stable v4</li>
<li><a
href="6cb4657e1a"><code>6cb4657</code></a>
docs(v4): guide finish</li>
<li>Additional commits viewable in <a
href="https://github.com/themesberg/flowbite/compare/v2.5.2...v3.0.0">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
At present, the GUI client uses a separate task for reading messages
from the IPC connection and forwards them to another channel. The other
end of this channel is then used within the controller to actually react
to IPC messages.
We can simplify this by removing the intermediary task and processing
the messages from the IPC connection directly.
This updates `wintun` to include
https://github.com/nulldotblack/wintun/pull/27. The error message of the
linked Sentry issues in #7901 of "Unable to find matching {UUID}" is
removed in that PR in favor of a Win32 function that converts the
adapter name directly to the corresponding index and UUID instead of
searching through the list of adapters.
Resolves: #7901.
For all STUN and TURN messages that are being sent from `connlib`, we
implement a retransmit strategy with an exponential backoff if we don't
hear from the relay within a given amount of time. For this, we are
currently using the `backoff` crate.
For our purposes, this crate is a bit unergonomic. In particular, it has
a mutable `next_backoff` function as well as internal dependency on a
"clock". As a consequence, we need to
a) always make sure the clock of an `ExponentialBackoff` is pointing to
the current time
b) only call `next_backoff` when we want to resend a message
Within the sans-IO design of `connlib`, time-related functions are
handled within `handle_timeout` which is being passed a `now: Instant`
parameter. Instead of ticking over to the next backoff, what we need
from our backoff module are answers to the questions:
- Is the backoff expired?
- When should the next retry happen?
- What is the current waiting interval?
In addition, we want the backoff module to "tick over" to the next
trigger when the time passes the current one, i.e. we want to issue the
command: "This is the current time, update your internal state."
By re-implementing this ourselves, we can avoid this additional state
tracking of `last_now`, thus simplifying the implementation.
Filtering packets is part of a Gateway's day-to-day business. We don't
want to treat those as errors further up as those might get reported to
Sentry but it is still worth logging them on debug.
When `snownet` originally got developed, its API was designed with the
idea in mind that a packet that doesn't get handled is an error. Whilst
that is technically true, we don't have any other component that
processes packets within Firezone. When a connection is killed by e.g.
an ICE timeout, we may still be receiving packets from the other party.
Those fill the logs until the other party also runs into a timeout. To
prevent this, we don't return errors for these but instead, log them on
TRACE.
For the case where we are given a packet that doesn't match any known
format, we still emit an error.
Bumps the tauri group in /rust/gui-client with 1 update:
[@tauri-apps/cli](https://github.com/tauri-apps/tauri).
Updates `@tauri-apps/cli` from 2.2.1 to 2.2.7
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/tauri-apps/tauri/releases"><code>@tauri-apps/cli</code>'s
releases</a>.</em></p>
<blockquote>
<h2><code>@tauri-apps/cli</code> v2.2.7</h2>
<h2>[2.2.7]</h2>
<h3>Bug Fixes</h3>
<ul>
<li><a
href="8e9134c4a2"><code>8e9134c4a</code></a>
(<a
href="https://redirect.github.com/tauri-apps/tauri/pull/12511">#12511</a>
by <a
href="https://www.github.com/tauri-apps/tauri/../../FabianLars"><code>@FabianLars</code></a>)
Fixed an issue that caused <code>tauri dev</code> to fail because of an
incorrect <code>--bins</code> flag.</li>
</ul>
<h3>Dependencies</h3>
<ul>
<li>Upgraded to <code>tauri-cli@2.2.7</code></li>
</ul>
<h2><code>@tauri-apps/cli</code> v2.2.6</h2>
<h2>[2.2.6]</h2>
<h3>Enhancements</h3>
<ul>
<li><a
href="1a86974aa3"><code>1a86974aa</code></a>
(<a
href="https://redirect.github.com/tauri-apps/tauri/pull/12406">#12406</a>
by <a
href="https://www.github.com/tauri-apps/tauri/../../bradleat"><code>@bradleat</code></a>)
<code>ios build --open</code> will now let xcode start the rust build
process.</li>
<li><a
href="0b79af7114"><code>0b79af711</code></a>
(<a
href="https://redirect.github.com/tauri-apps/tauri/pull/12438">#12438</a>
by <a
href="https://www.github.com/tauri-apps/tauri/../../3lpsy"><code>@3lpsy</code></a>)
Log the command used to start the rust app in development.</li>
</ul>
<h3>Dependencies</h3>
<ul>
<li>Upgraded to <code>tauri-cli@2.2.6</code></li>
</ul>
<h2><code>@tauri-apps/cli</code> v2.2.5</h2>
<h2>[2.2.5]</h2>
<h3>Dependencies</h3>
<ul>
<li>Upgraded to <code>tauri-cli@2.2.5</code></li>
</ul>
<h2><code>@tauri-apps/cli</code> v2.2.4</h2>
<h2>[2.2.4]</h2>
<h3>Bug Fixes</h3>
<ul>
<li><a
href="cad5504455"><code>cad550445</code></a>
(<a
href="https://redirect.github.com/tauri-apps/tauri/pull/12354">#12354</a>
by <a
href="https://www.github.com/tauri-apps/tauri/../../FabianLars"><code>@FabianLars</code></a>)
Fixed and issue that caused <code>tauri add</code> to try to install
incorrect npm packages.</li>
</ul>
<h3>Dependencies</h3>
<ul>
<li>Upgraded to <code>tauri-cli@2.2.4</code></li>
</ul>
<h2><code>@tauri-apps/cli</code> v2.2.3</h2>
<h2>[2.2.3]</h2>
<h3>Enhancements</h3>
<ul>
<li><a
href="a0f2c84d51"><code>a0f2c84d5</code></a>
(<a
href="https://redirect.github.com/tauri-apps/tauri/pull/12204">#12204</a>
by <a
href="https://www.github.com/tauri-apps/tauri/../../pjf-dev"><code>@pjf-dev</code></a>)
Enhance <code>tauri icon</code> command by including 64x64 png size in
default icon sizes.</li>
</ul>
<h3>Bug Fixes</h3>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="82d634f4a9"><code>82d634f</code></a>
Apply Version Updates From Current Changes (<a
href="https://redirect.github.com/tauri-apps/tauri/issues/12512">#12512</a>)</li>
<li><a
href="8e9134c4a2"><code>8e9134c</code></a>
fix(cli): Apply --bins flag on build instead of dev (<a
href="https://redirect.github.com/tauri-apps/tauri/issues/12511">#12511</a>)</li>
<li><a
href="dc1997b77d"><code>dc1997b</code></a>
apply version updates (<a
href="https://redirect.github.com/tauri-apps/tauri/issues/12439">#12439</a>)</li>
<li><a
href="1a86974aa3"><code>1a86974</code></a>
fix(cli): let xcode handle building for <code>ios build --open</code>
(<a
href="https://redirect.github.com/tauri-apps/tauri/issues/12406">#12406</a>)</li>
<li><a
href="fb294af8e3"><code>fb294af</code></a>
fix(tauri-driver): Parse ms:edgeOptions separately (<a
href="https://redirect.github.com/tauri-apps/tauri/issues/12383">#12383</a>)</li>
<li><a
href="46c7b16111"><code>46c7b16</code></a>
ci(renovate): Disable oxc_ PRs</li>
<li><a
href="9dac2863af"><code>9dac286</code></a>
fix(bundler): Don't self-sign dmg (<a
href="https://redirect.github.com/tauri-apps/tauri/issues/12323">#12323</a>)</li>
<li><a
href="9a9d1205b0"><code>9a9d120</code></a>
chore(deps): update dependency rollup to v4.32.0 (dev) (<a
href="https://redirect.github.com/tauri-apps/tauri/issues/12502">#12502</a>)</li>
<li><a
href="27096cdc05"><code>27096cd</code></a>
fix(cli): don't force native-tls feature on desktop (<a
href="https://redirect.github.com/tauri-apps/tauri/issues/12445">#12445</a>)</li>
<li><a
href="6cbfc4878d"><code>6cbfc48</code></a>
refactor: document <code>Emitter</code>/<code>Listner</code> traits
panics, refactor check into int...</li>
<li>Additional commits viewable in <a
href="https://github.com/tauri-apps/tauri/compare/@tauri-apps/cli-v2.2.1...@tauri-apps/cli-v2.2.7">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the tauri group in /rust with 1 update:
[tauri](https://github.com/tauri-apps/tauri).
Updates `tauri` from 2.2.3 to 2.2.5
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/tauri-apps/tauri/releases">tauri's
releases</a>.</em></p>
<blockquote>
<h2>tauri-cli v2.2.5</h2>
<!-- raw HTML omitted -->
<pre><code>Updating git repository
`https://github.com/tauri-apps/schemars.git`
Updating crates.io index
Locking 1053 packages to latest compatible versions
Adding apple-codesign v0.27.0 (available: v0.29.0)
Adding axum v0.7.9 (available: v0.8.1)
Adding colored v2.2.0 (available: v3.0.0)
Adding dirs v5.0.1 (available: v6.0.0)
Adding html5ever v0.26.0 (available: v0.29.0)
Adding itertools v0.13.0 (available: v0.14.0)
Adding minisign v0.7.3 (available: v0.7.9)
Adding oxc_allocator v0.36.0 (available: v0.47.0)
Adding oxc_ast v0.36.0 (available: v0.47.0)
Adding oxc_parser v0.36.0 (available: v0.47.0)
Adding oxc_span v0.36.0 (available: v0.47.0)
Adding proc-macro-crate v2.0.0 (available: v2.0.2)
Adding serialize-to-javascript v0.1.1 (available: v0.1.2)
Adding serialize-to-javascript-impl v0.1.1 (available: v0.1.2)
Adding tauri-utils v1.6.0 (available: v1.6.2)
Adding tiny_http v0.11.0 (available: v0.12.0)
Adding webview2-com v0.34.0 (available: v0.35.0)
Adding windows v0.58.0 (available: v0.59.0)
Adding x509-certificate v0.23.1 (available: v0.24.0)
Fetching advisory database from
`https://github.com/RustSec/advisory-db.git`
Loaded 724 security advisories (from /home/runner/.cargo/advisory-db)
Updating crates.io index
Scanning Cargo.lock for vulnerabilities (1078 crate dependencies)
Crate: atk
Version: 0.18.2
Warning: unmaintained
Title: gtk-rs GTK3 bindings - no longer maintained
Date: 2024-03-04
ID: RUSTSEC-2024-0413
URL: https://rustsec.org/advisories/RUSTSEC-2024-0413
Dependency tree:
atk 0.18.2
└── gtk 0.18.2
├── wry 0.48.1
│ └── tauri-runtime-wry 2.3.0
│ └── tauri 2.2.3
│ ├── tauri-plugin-sample 0.1.0
│ │ └── api 0.1.0
│ ├── tauri-plugin-log 2.2.0
│ │ └── api 0.1.0
│ ├── tauri-file-associations-demo 0.1.0
│ ├── tauri 2.2.3
</tr></table>
</code></pre>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="5a3647bdfe"><code>5a3647b</code></a>
Apply Version Updates From Current Changes (<a
href="https://redirect.github.com/tauri-apps/tauri/issues/12515">#12515</a>)</li>
<li><a
href="477e9c0496"><code>477e9c0</code></a>
fix(core): Use safe_block_on in mobile proxy (<a
href="https://redirect.github.com/tauri-apps/tauri/issues/12514">#12514</a>)</li>
<li><a
href="82d634f4a9"><code>82d634f</code></a>
Apply Version Updates From Current Changes (<a
href="https://redirect.github.com/tauri-apps/tauri/issues/12512">#12512</a>)</li>
<li><a
href="8e9134c4a2"><code>8e9134c</code></a>
fix(cli): Apply --bins flag on build instead of dev (<a
href="https://redirect.github.com/tauri-apps/tauri/issues/12511">#12511</a>)</li>
<li><a
href="dc1997b77d"><code>dc1997b</code></a>
apply version updates (<a
href="https://redirect.github.com/tauri-apps/tauri/issues/12439">#12439</a>)</li>
<li><a
href="1a86974aa3"><code>1a86974</code></a>
fix(cli): let xcode handle building for <code>ios build --open</code>
(<a
href="https://redirect.github.com/tauri-apps/tauri/issues/12406">#12406</a>)</li>
<li><a
href="fb294af8e3"><code>fb294af</code></a>
fix(tauri-driver): Parse ms:edgeOptions separately (<a
href="https://redirect.github.com/tauri-apps/tauri/issues/12383">#12383</a>)</li>
<li><a
href="46c7b16111"><code>46c7b16</code></a>
ci(renovate): Disable oxc_ PRs</li>
<li><a
href="9dac2863af"><code>9dac286</code></a>
fix(bundler): Don't self-sign dmg (<a
href="https://redirect.github.com/tauri-apps/tauri/issues/12323">#12323</a>)</li>
<li><a
href="9a9d1205b0"><code>9a9d120</code></a>
chore(deps): update dependency rollup to v4.32.0 (dev) (<a
href="https://redirect.github.com/tauri-apps/tauri/issues/12502">#12502</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/tauri-apps/tauri/compare/tauri-v2.2.3...tauri-v2.2.5">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Thomas Eizinger <thomas@eizinger.io>
Within `connlib` - on UNIX platforms - we have dedicated threads that
read from and write to the TUN device. These threads are connected with
`connlib`'s main thread via bounded channels: one in each direction.
When these channels are full, `connlib`'s main thread will suspend and
not read any network packets from the sockets in order to maintain
back-pressure. Reading more packets from the socket would mean most
likely sending more packets out the TUN device.
When debugging #7763, it became apparent that _something_ must be wrong
with these threads and that somehow, we either consider them as full or
aren't emptying them and as a result, we don't read _any_ network
packets from our sockets.
To maintain back-pressure here, we currently use our own `AtomicWaker`
construct that is shared with the TUN thread(s). This is unnecessary. We
can also directly convert the `flume::Sender` into a
`flume::async::SendSink` and therefore directly access a `poll`
interface.
Once we've finished ICE and nominated a socket, we ignore future
candidates for the same connection (see #6876). To make this log a bit
more helpful, we now log the candidate that we are ignoring on this
connection.
Bumps
[@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node)
from 22.10.5 to 22.12.0.
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
`rtnetlink` has some breaking changes in their latest version. To avoid
waiting until they actually cut a release, we temporarily depend on
their `main` branch.
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Thomas Eizinger <thomas@eizinger.io>
The batch size effects how many packets we process one at a time. It
also effects the worst-case size of a single buffer as all packets may
be of the same size and thus need to be appended to the same buffer.
On mobile, we can't afford to allocate all of these so we reduce the
batch-size there.
Within the `GsoQueue` data structure, we keep a hash map indexed by
source, destination and segment length of UDP packets pointing to a
buffer for those payloads. What we intended to do here is to return the
buffer to the pool after we sent the payload. What we failed to realise
is that putting another buffer into the hash map means we have a buffer
allocated for a certain destination address and segment length! This
buffer would only get reused for the exact same address and segment
length, causing memory usage to balloon over time.
To fix this, we wrap the `DatagramBuffer` in an additional `Option`.
This allows us to actually remove it from the hash map and return the
buffer for future use to the buffer pool.
Resolves: #7866.
Resolves: #7747.
At present, the file logger for all Rust code starts each logfile with
`connlib.`. This is very confusing when exporting the logs from the GUI
client because even the logs from the client itself will start with
`connlib.`. To fix this, we make the base file name of the log file
configurable.
When we are queuing a new UDP payload for sending, we always immediately
pulled a new buffer even though we might already have on allocated for
this particular segment length. This causes an unnecessary spike in
memory when we are under load.
When the Gateway's filter-engine drops a packet, we currently only log
"destination not allowed". This could happen either because we don't
have a filter (i.e. the resource is not allowed) or because the TCP /
UDP port or ICMP traffic is not allowed. To make debugging easier, we
now include that information in the error message.
Resolves: #7875.
Nobody looks at these logs, writing them uses unnecessary CPU + storage
on users devices. It also means we have 1 background thread less because
we need one less non-blocking writer.
STUN binding requests & responses are not authenticated on purpose
because they are so easy to fulfill that having to perform the
computational work to check the authentication is more work than
actually just sending the request. With #7819, we send STUN binding
requests more often because they are used as keep-alives to the relay.
This spams the debug log because we see
> Message does not have a `MessageIntegrity` attribute
for every BINDING response. This information isn't interesting for
BINDING responses because those will never have a `MessageIntegrity`
attribute.
In order to debug connection wake-ups, it is useful to know, which
packet is the first one that gets sent on an idle connection. With this
PR, we do exactly that for incoming and outgoing packets through the
tunnel. The resulting log looks something like this:
```
2025-01-24T02:52:51.818Z DEBUG snownet::node: Connection is idle cid=65f149ea-96a4-4eee-ac70-62a1a2590821
2025-01-24T02:52:57.312Z DEBUG firezone_tunnel::client: Cleared DNS resource NAT domain=speed.cloudflare.com
2025-01-24T02:52:57.312Z DEBUG firezone_tunnel::client: Setting up DNS resource NAT gid=65f149ea-96a4-4eee-ac70-62a1a2590821 domain=speed.cloudflare.com
2025-01-24T02:52:57.312Z DEBUG snownet::node: Connection resumed packet=Packet { src: ::, dst: ::, protocol: "Reserved" } cid=65f149ea-96a4-4eee-ac70-62a1a2590821
```
Here, the connection got resumed because we locally received a DNS query
for a DNS resource which triggers a new control protocol message through
the tunnel. For this, we use the unspecified IPv6 address for src and
dst and the 0x255 protocol identifier which here renders as "Reserved".
Currently the GUI Client exits if `update-desktop-database` cannot be
executed after deep-links were registered. On non-Ubuntu systems (or
more generally non-Debian) this will fail since the command does not
exist and prevent the GUI Client from starting.
This PR just ignores any command-not-found error, ensuring the command
still has to succeed on Debian/Ubuntu machines.
---------
Signed-off-by: Thomas Eizinger <thomas@eizinger.io>
Co-authored-by: oddlama <oddlama@oddlama.org>
The committed regression seeds trigger a scenario where the WireGuard
sessions of the peers expire in a way where by the time the Client sends
the packet, it is still active (179.xx seconds old) and with the latency
to the Gateway, the 180s mark is reached and the Gateway clears the
session and discards the packet as a result.
In order to fix this, I opted to patch WireGuard by introducing a new
timer that does not allow the initiator to use a session that is almost
expired: https://github.com/firezone/boringtun/pull/68.
Resolves: #7832.
---------
Signed-off-by: Thomas Eizinger <thomas@eizinger.io>
With #7819, these log messages appear at a ~10x higher rate than before
- a day's worth of these would be over 3,000 messages. For BINDING
requests, these only matter if the candidates change, therefore we can
make the logging conditional to that.
---------
Co-authored-by: Thomas Eizinger <thomas@eizinger.io>
Unfortunately, we don't have a formatter for the manifest other than
sorting the dependencies alphabetically so some things need to be taken
care of manually.
Contrary to my prior belief, we don't actually need the WireGuard
_persistent_ keep-alive. The in-built timers from WireGuard will
automatically send keep-alive messages in case no organic reply is sent
for a particular request.
All NAT bindings along the network path are already kept open using the
STUN bindings sent on all candidate pairs. Even on idle connections, we
send those every 60s. Well-behaved NATs are meant to keep confirmed UDP
bindings open for at least 120s. Even if not, the worst-case here is
that a connection which does not send any(!) application traffic is cut.
#7808 introduced a minor bug that prevented the rust Docker images from
building locally, in `debug` builds. Adding `openssl-dev` to the
builder's container fixes the issue.
```
cargo:warning=Could not find directory of OpenSSL installation, and this `-sys` crate cannot proceed without this knowledge. If OpenSSL is installed and this crate had trouble finding it, you can set the `OPENSSL_DIR` environment variable for the compilation process. See stderr section below for further information.
```
#7819 triggers this log every 25s which isn't exactly describing the
correct condition any longer. This PR updates the log to only fire when
we're determining which socket to use for communicating with the Relay,
and not at each keepalive interval.
The current CLI of the headless-client allows passing the token as a
positional parameter in addition to an env variable. This can be very
confusing if you make a spelling error in the _command_ that you are
trying to pass to the CLI, i.e. `standalone`. A misspelled command will
be interpreted as the token to use to connect to the portal without any
warning that it is similar to a command. The env variable
`FIREZONE_TOKEN` is completely ignored in that case.
To fix this, we remove the ability to pass the token via stdin. The
token should instead be set via en env variable or read from a file at
`FIREZONE_TOKEN_PATH`.
---------
Signed-off-by: Thomas Eizinger <thomas@eizinger.io>
Co-authored-by: Jamil <jamilbk@users.noreply.github.com>
Firezone Clients and Gateways create an allocation with a given set of
Relays as soon as they start up. If no traffic is being secured and thus
no connections are established between them, NAT bindings between
Clients / Gateways and the Relays may expire. Typically, these bindings
last for 120s. Allocations are only refreshed every 5 min (after 50% of
their lifetime has passed).
After a NAT binding is expired, the next UDP message passing through the
NAT may allocate a new port, thus changing the 3-tuple of the sender.
TURN identifies clients by their 3-tuple. Therefore, without a proactive
keepalive, TURN clients lose access to their allocation and need to
create one under the new port.
To fix this, we implement a scheduled STUN binding request every 25s
once we have chosen a socket (IPv4 or IPv6) for a given relay.
Resolves: #7802.
Bumps [rustls](https://github.com/rustls/rustls) from 0.23.19 to
0.23.21.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="d1bd2c8634"><code>d1bd2c8</code></a>
Prepare v0.23.21</li>
<li><a
href="1338caaf8e"><code>1338caa</code></a>
Update Cargo.lock</li>
<li><a
href="12b2276ef9"><code>12b2276</code></a>
Update <code>RELEASING.md</code> with instructions about
<code>fuzz/Cargo.lock</code></li>
<li><a
href="fe6a0d12b5"><code>fe6a0d1</code></a>
docs: update <a href="https://github.com/cpu"><code>@cpu</code></a>
maintainer status</li>
<li><a
href="49b5edc431"><code>49b5edc</code></a>
chore(deps): lock file maintenance</li>
<li><a
href="3751e24bbc"><code>3751e24</code></a>
cleanup: use more parens when calculating ECH seed</li>
<li><a
href="dc1f92c9a8"><code>dc1f92c</code></a>
chore(deps): update rust crate itertools to 0.14</li>
<li><a
href="16a0726e55"><code>16a0726</code></a>
fuzzers/server: cover post-Accepted connections</li>
<li><a
href="b873e4c46d"><code>b873e4c</code></a>
fuzzers/server: fix reachable unwrap</li>
<li><a
href="f98484bdbd"><code>f98484b</code></a>
chore(deps): lock file maintenance</li>
<li>Additional commits viewable in <a
href="https://github.com/rustls/rustls/compare/v/0.23.19...v/0.23.21">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the tauri group in /rust with 1 update:
[tauri](https://github.com/tauri-apps/tauri).
Updates `tauri` from 2.2.2 to 2.2.3
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/tauri-apps/tauri/releases">tauri's
releases</a>.</em></p>
<blockquote>
<h2>tauri-cli v2.2.3</h2>
<!-- raw HTML omitted -->
<pre><code>Updating git repository
`https://github.com/tauri-apps/schemars.git`
Updating crates.io index
Locking 1051 packages to latest compatible versions
Adding apple-codesign v0.27.0 (available: v0.29.0)
Adding axum v0.7.9 (available: v0.8.1)
Adding colored v2.2.0 (available: v3.0.0)
Adding html5ever v0.26.0 (available: v0.29.0)
Adding itertools v0.13.0 (available: v0.14.0)
Adding minisign v0.7.3 (available: v0.7.9)
Adding notify v7.0.0 (available: v8.0.0)
Adding notify-debouncer-full v0.4.0 (available: v0.5.0)
Adding oxc_allocator v0.36.0 (available: v0.44.0)
Adding oxc_ast v0.36.0 (available: v0.44.0)
Adding oxc_parser v0.36.0 (available: v0.44.0)
Adding oxc_span v0.36.0 (available: v0.44.0)
Adding proc-macro-crate v2.0.0 (available: v2.0.2)
Adding serialize-to-javascript v0.1.1 (available: v0.1.2)
Adding serialize-to-javascript-impl v0.1.1 (available: v0.1.2)
Adding specta v2.0.0-rc.20 (available: v2.0.0-rc.21)
Adding specta-macros v2.0.0-rc.17 (available: v2.0.0-rc.18)
Adding specta-util v0.0.7 (available: v0.0.8)
Adding tauri-utils v1.6.0 (available: v1.6.1)
Adding tiny_http v0.11.0 (available: v0.12.0)
Adding windows v0.58.0 (available: v0.59.0)
Adding x509-certificate v0.23.1 (available: v0.24.0)
Fetching advisory database from
`https://github.com/RustSec/advisory-db.git`
Loaded 724 security advisories (from /home/runner/.cargo/advisory-db)
Updating crates.io index
Scanning Cargo.lock for vulnerabilities (1076 crate dependencies)
Crate: atk
Version: 0.18.2
Warning: unmaintained
Title: gtk-rs GTK3 bindings - no longer maintained
Date: 2024-03-04
ID: RUSTSEC-2024-0413
URL: https://rustsec.org/advisories/RUSTSEC-2024-0413
Dependency tree:
atk 0.18.2
└── gtk 0.18.2
├── wry 0.48.0
│ └── tauri-runtime-wry 2.3.0
│ └── tauri 2.2.1
│ ├── tauri-plugin-sample 0.1.0
│ │ └── api 0.1.0
│ ├── tauri-plugin-log 2.2.0
</tr></table>
</code></pre>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="a70e690fe7"><code>a70e690</code></a>
apply version updates (<a
href="https://redirect.github.com/tauri-apps/tauri/issues/12425">#12425</a>)</li>
<li><a
href="72748cc45c"><code>72748cc</code></a>
fix(windows): Resolve broken installation directory handling in MSI
& NSIS, p...</li>
<li><a
href="cf771bf69a"><code>cf771bf</code></a>
fix(bundler/wix): Prevent dlls from overwriting root resources (<a
href="https://redirect.github.com/tauri-apps/tauri/issues/12402">#12402</a>)</li>
<li><a
href="07ccdc499c"><code>07ccdc4</code></a>
fix(bundler/nsis): Include WebView2Loader.dll if found to match msi (<a
href="https://redirect.github.com/tauri-apps/tauri/issues/12324">#12324</a>)</li>
<li><a
href="d2c8f0eb5c"><code>d2c8f0e</code></a>
fix: run tauri's internal init scripts before user's scripts (<a
href="https://redirect.github.com/tauri-apps/tauri/issues/12424">#12424</a>)</li>
<li><a
href="b643dcc1c4"><code>b643dcc</code></a>
docs(utils): Fix typo in useLocalToolsDir (<a
href="https://redirect.github.com/tauri-apps/tauri/issues/12409">#12409</a>)</li>
<li><a
href="cd7d08b63f"><code>cd7d08b</code></a>
chore(deps): update dependency eslint-config-prettier to v10 (<a
href="https://redirect.github.com/tauri-apps/tauri/issues/12386">#12386</a>)</li>
<li>See full diff in <a
href="https://github.com/tauri-apps/tauri/compare/tauri-v2.2.2...tauri-v2.2.3">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
In order to ensure that the "site status" in the UIs is always
up-to-date, we model the resource status as part of `tunnel_test`. This
should cover even the most bizarre combinations of adding, removing,
disabling and enabling resources interleaved with sending packets,
resetting connections etc.
Fixes: #7761.
