mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-01-27 10:18:54 +00:00
8eb738e66a0d82a93022b89f50519c132598c6c8
8018 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Jamil
|
8eb738e66a |
chore(ci): downgrade runners to free tier (#10248)
To avoid burning Azure credits, we move the runners back down to the free tier. Now that caching is properly set up, this should incur only a minor increase in CI time. |
||
|
Jamil
|
6c485be45e |
fix(portal): fix socket based postgres connections (#10189) (#10245)
This adds the option to do socket based postgres connection to the replication connections. Basically just a copy of the existing config for the base postgres connection. --------- Co-authored-by: PatrickDaG <patrickdag@failmail.dev> |
||
|
Jamil
|
6d2ea0b224 |
fix(portal): adapt resource on resource_updated (#10247)
When filters are updated for a Resource, we need to first adapt the resource before rendering it down to the Gateway. Otherwise, the gateway may see a Resource that does not match its expected schema. |
||
|
Jamil
|
b774dee41d |
chore(dev): postgres max_connections=200 (#10246)
On machines with many cores, the elixir apps will crashloop because we exceed the number of allowed postgres connections. This raises the limit with virtually no downside except for a bit more memory usage. |
||
|
Jamil
|
cafe6554ff |
refactor(portal): reduce cache memory usage (#10058)
Napkin math shows that we can save substantial memory (~3x or more) on the API nodes as connected clients/gateways grow if we just store the fields we need in order to keep the client and gateway state maintained in the channel pids. To facilitate this, we create new `Cacheable` structs that represent their `Domain` cousins, which use byte arrays for `id`s and strip out unused fields. Additionally, all business logic involved with maintaining these caches is now contained within two modules: `Domain.Cache.Client` and `Domain.Cache.Gateway`, and type specs have been added to aid in static analysis and code documentation. Comprehensive testing is now added not only for the cache modules, but for their associated channel modules as well to ensure we handle different kinds of edge cases gracefully. The `Events` nomenclature was renamed to `Changes` to better name what we are doing: Change-Data-Capture. Lastly, the following related changes are included in this PR since they were "in the way" so to speak of getting this done: - We save the last received LSN in each channel and drop the `change` with a warning if we receive it twice in a row, or we receive it out of order - The client/gateway version compatibility calculations have been moved to `Domain.Resources` and `Domain.Gateways` and have been simplified to make them easier to understand and maintain going forward. Related: #10174 Fixes: #9392 Fixes: #9965 Fixes: #9501 Fixes: #10227 --------- Signed-off-by: Jamil <jamilbk@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> |
||
|
Thomas Eizinger
|
544ba11f21 |
chore(rust): allow too_many_arguments repo-wide (#10236)
We always end up allow this lint when it pops up so we can also just allow it for the whole repo in general. Most of the time, the reason for too many arguments are borrow-checker limitations of Rust where mutable references need to be tracked explicitly. |
||
|
Thomas Eizinger
|
da802323e4 |
feat(telemetry): pre-resolve PostHog ingest host (#10207)
In order to effectively share the HTTP client for requests to PostHog, we pre-resolve the IPs of the host and create a lazily initialised `reqwest::Client` that gets shared between all analytics calls. |
||
|
Thomas Eizinger
|
ae2066379e |
feat(headless-client): allow exporting metrics via OTLP (#10240)
In order to explore our metrics more easily, we add an exporter via OTLP to the headless-client. The Gateway already supports this. |
||
|
Jamil
|
d9f1b42595 |
feat(relay): handle ipv4-ipv6 relaying in eBPF (#10226)
Data has shown that we are doing a significant amount of relaying in userspace because the latency of which candidates establish first matters - if an IPv6 to IPv4 path establishes first, we could often pick that, which would bypass the eBPF relaying altogether. To address this, we now perform address translation when relaying so these paths are covered. Preliminary benchmarking on Azure has shown this performs around ~1.5 Gbps for a single client - gateway path, scaling linearly with the number clients up to the core count. On GCP, performance will be a fraction of that because we need to attach the program in SKB_MODE (generic) based on the fact the `gve` driver there does not support the needed `bpf_xdp_adjust_head` call. To keep the verifier happy (and make the verifier error trace log usable) throughout this large refactor, we unfortunately had to drop down to pointer arithmetic in this process. This however means that we have full control (and visibility) over how the bytes are loaded, stored, and copied. Each struct / abstraction adds a little bit of overhead on the stack which pushed us over the 512-byte limit. Since we are generally loading only one set of packet headers onto the stack to then copy into their new locations, our actual stack usage should be well the 512-byte limit. Further performance analysis is required to push past the current per-core 1.5 Gbps limit. This, along with CI support for integration testing these codepaths is left for a later date as this PR is already quite large and needs to soak test for a bit in a live environment before we push to prod. Fixes #10192 |
||
|
Thomas Eizinger
|
c70c88c856 | build(deps): upgrade to opentelemetry 0.30 (#10239) | ||
|
Jamil
|
f76abfa656 |
fix(docs): GoAuthentik docs OAuth2 instructions (#10244)
Fixes #10243 |
||
|
Thomas Eizinger
|
99155490c5 |
chore(connlib): make UDP buffer sizes tunable at runtime (#10234)
For easier benchmarking, we make the UDP socket send and receive buffers runtime-tunable. Related: #7452 |
||
|
Thomas Eizinger
|
f85ae75ae0 |
refactor(connlib): increase UDP queues on desktop platforms (#10235)
On desktop platforms, we can easily afford to have larger queues here despite each item in there being 65k. Benchmarking showed that we do sometimes fill these up. Related: #7452 |
||
|
Thomas Eizinger
|
a109c1a2ef |
feat(connlib): discard intermediate resource and TUN updates (#10223)
Right now, the Client event-loops have a channel with 1000 items for sending new resource lists and updates to the TUN device to the host app. This is kind of unnecessary as we always only care about the last version of these. Intermediate updates that the host app doesn't process are effectively irrelevant. We've had an issue before where a bug in the portal caused us to receive many updates to resources which ended up crashing Client apps because this channel filled up. To be more resilient on this front, we refactor the Client event loop to use a `watch` channel for this. Watch channels only retain the last value that got sent into them. |
||
|
Thomas Eizinger
|
46afa52f78 |
feat(telemetry): pre-resolve Sentry ingest host (#10206)
Our Sentry client needs to resolve DNS before being able to send logs or errors to the backend. Currently, this DNS resolution happens on-demand as we don't take any control of the underlying HTTP client. In addition, this will use HTTP/1.1 by default which isn't as efficient as it could be, especially with concurrent requests. Finally, if we decide to ever proxy all Sentry for traffic through our own domain, we have to take control of the underlying client anyway. To resolve all of the above, we create a custom `TransportFactory` where we reuse the existing `ReqwestHttpTransport` but provide an already configured `reqwest::Client` that always uses HTTP/2 with a pre-configured set of DNS records for the given ingest host. |
||
|
Thomas Eizinger
|
b4cbc4f33b |
fix(connlib): exit phoenix-channel event-loop on error (#10229)
We cannot poll the `PhoenixChannel` after it has returned an error, otherwise it will panic. Therefore, we exit the event-loop then. The outer event-loop also exits as soon as it receives an error from this channel so this is fine. `PhoenixChannel` only returns an error when it has irrecoverably disconnected, e.g. after the retries have been exhausted or we hit a 4xx error on the WebSocket connection. --------- Signed-off-by: Thomas Eizinger <thomas@eizinger.io> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> |
||
|
Thomas Eizinger
|
4e11112d9b |
feat(connlib): improve throughput on higher latencies (#10231)
Turns out the multi-threaded access of the TUN device on the Gateway causes packet reordering which makes the TCP congestion controller throttle the connection. Additionally, the default TX queue length of a TUN device on Linux is only 500 packets. With just a single thread and an increased TX queue length, we get a throughput performance of just over 1 GBit/s for a 20ms link between Client and Gateway with basically no packet drops: ``` Connecting to host 172.20.0.110, port 5201 [ 5] local 100.79.130.70 port 49546 connected to 172.20.0.110 port 5201 [ ID] Interval Transfer Bitrate Retr Cwnd [ 5] 0.00-1.00 sec 116 MBytes 977 Mbits/sec 0 6.40 MBytes [ 5] 1.00-2.00 sec 137 MBytes 1.15 Gbits/sec 0 6.40 MBytes [ 5] 2.00-3.00 sec 134 MBytes 1.13 Gbits/sec 0 6.40 MBytes [ 5] 3.00-4.00 sec 136 MBytes 1.14 Gbits/sec 47 6.40 MBytes [ 5] 4.00-5.00 sec 137 MBytes 1.15 Gbits/sec 0 6.40 MBytes [ 5] 5.00-6.00 sec 138 MBytes 1.16 Gbits/sec 0 6.40 MBytes [ 5] 6.00-7.00 sec 138 MBytes 1.15 Gbits/sec 0 6.40 MBytes [ 5] 7.00-8.00 sec 138 MBytes 1.15 Gbits/sec 0 6.40 MBytes [ 5] 8.00-9.00 sec 138 MBytes 1.16 Gbits/sec 0 6.40 MBytes [ 5] 9.00-10.00 sec 138 MBytes 1.15 Gbits/sec 0 6.40 MBytes [ 5] 10.00-11.00 sec 139 MBytes 1.17 Gbits/sec 0 6.40 MBytes [ 5] 11.00-12.00 sec 139 MBytes 1.17 Gbits/sec 0 6.40 MBytes [ 5] 12.00-13.00 sec 136 MBytes 1.14 Gbits/sec 0 6.40 MBytes [ 5] 13.00-14.00 sec 139 MBytes 1.17 Gbits/sec 0 6.40 MBytes [ 5] 14.00-15.00 sec 140 MBytes 1.17 Gbits/sec 0 6.40 MBytes [ 5] 15.00-16.00 sec 138 MBytes 1.16 Gbits/sec 0 6.40 MBytes [ 5] 16.00-17.00 sec 137 MBytes 1.15 Gbits/sec 0 6.40 MBytes [ 5] 17.00-18.00 sec 139 MBytes 1.17 Gbits/sec 0 6.40 MBytes [ 5] 18.00-19.00 sec 138 MBytes 1.16 Gbits/sec 0 6.40 MBytes [ 5] 19.00-20.00 sec 136 MBytes 1.14 Gbits/sec 0 6.40 MBytes - - - - - - - - - - - - - - - - - - - - - - - - - [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-20.00 sec 2.67 GBytes 1.15 Gbits/sec 47 sender [ 5] 0.00-20.02 sec 2.67 GBytes 1.15 Gbits/sec receiver iperf Done. ``` For further debugging in the future, we are now recording the send and receive queue depths of both the TUN device and the UDP sockets. Neither of those showed to be full in my testing which leads me to conclude that it isn't any buffer inside Firezone that is too small here. Related: #7452 --------- Signed-off-by: Thomas Eizinger <thomas@eizinger.io> |
||
|
Brian Manifold
|
551ceafb13 |
fix(portal): REST api updates (#10191)
* Minor updates to the REST API to more gracefully handle incorrect input data from requests. * Minor updates to the OpenAPI spec. |
||
|
Jamil
|
9696d00cc3 |
fix(apple): flush dns cache on resource updates (#10224)
In the following sequence of events, a user will be unable to connect to the DNS resource for a few seconds because macOS is caching the queries, preventing connlib from seeing them. 1. User signs in 2. User has _no_ access to DNS Resource A 3. User queries for DNS Resource A - NXDOMAIN -> macOS caches this 4. Admin grants access to DNS Resource A 5. User tries query again -> connlib never sees the query -> cache hit -> NXDOMAIN To fix this, we call `networkSettings.apply()` whenever the resource list has changed. This has been tested to trigger a DNS cache flush on macOS. |
||
|
dependabot[bot]
|
6fa8c0b52a |
build(deps): bump proc-macro2 from 1.0.95 to 1.0.101 in /rust (#10218)
Bumps [proc-macro2](https://github.com/dtolnay/proc-macro2) from 1.0.95 to 1.0.101. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/dtolnay/proc-macro2/releases">proc-macro2's releases</a>.</em></p> <blockquote> <h2>1.0.101</h2> <ul> <li>Optimize Span location accessors (<a href="https://redirect.github.com/dtolnay/proc-macro2/issues/519">#519</a>)</li> </ul> <h2>1.0.100</h2> <ul> <li>Stabilize <code>Span</code> methods on Rust 1.88+: <code>start</code>, <code>end</code>, <code>line</code>, <code>column</code>, <code>file</code>, <code>local_file</code> (<a href="https://redirect.github.com/dtolnay/proc-macro2/issues/517">#517</a>, <a href="https://redirect.github.com/dtolnay/proc-macro2/issues/518">#518</a>)</li> </ul> <h2>1.0.99</h2> <ul> <li>Prevent Span's unstable API becoming unavailable from a future new compiler lint (<a href="https://redirect.github.com/dtolnay/proc-macro2/issues/515">#515</a>)</li> </ul> <h2>1.0.98</h2> <ul> <li>Disallow prefixed identifier as name of lifetime: <code>'prefix#lifetime</code> (<a href="https://redirect.github.com/dtolnay/proc-macro2/issues/514">#514</a>, <a href="https://redirect.github.com/rust-lang/rust/pull/126452">rust-lang/rust#126452</a>)</li> </ul> <h2>1.0.97</h2> <ul> <li>Allow build-script cleanup failure with NFSv3 output directory to be non-fatal (<a href="https://redirect.github.com/dtolnay/proc-macro2/issues/505">#505</a>, <a href="https://redirect.github.com/dtolnay/proc-macro2/issues/512">#512</a>, thanks <a href="https://github.com/davvid"><code>@davvid</code></a>)</li> </ul> <h2>1.0.96</h2> <ul> <li>Simplify how rustdoc flags are decided during docs.rs builds (<a href="https://redirect.github.com/dtolnay/proc-macro2/issues/511">#511</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
c6cb22bbd1 |
build(deps): bump anyhow from 1.0.98 to 1.0.99 in /rust (#10212)
Bumps [anyhow](https://github.com/dtolnay/anyhow) from 1.0.98 to 1.0.99. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/dtolnay/anyhow/releases">anyhow's releases</a>.</em></p> <blockquote> <h2>1.0.99</h2> <ul> <li>Allow build-script cleanup failure with NFSv3 output directory to be non-fatal (<a href="https://redirect.github.com/dtolnay/anyhow/issues/420">#420</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
52e3aeab74 |
build(deps): bump arbitrary from 1.4.1 to 1.4.2 in /rust (#10220)
Bumps [arbitrary](https://github.com/rust-fuzz/arbitrary) from 1.4.1 to 1.4.2. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/rust-fuzz/arbitrary/blob/main/CHANGELOG.md">arbitrary's changelog</a>.</em></p> <blockquote> <h2>1.4.2</h2> <p>Released 2025-08-13.</p> <h3>Added</h3> <ul> <li>Added formal MSRV policy: "We reserve the right to increment the MSRV on minor releases, however we will strive to only do it deliberately and for good reasons." The current MSRV is 1.63.0.</li> <li>Added an <code>Arbitrary</code> implementation for <code>core::cmp::Reverse</code>.</li> </ul> <h3>Changed</h3> <ul> <li>Landed a handful of changes to the code generated by <code>#[derive(Arbitrary)]</code> that speed up compilation.</li> </ul> <h3>Fixed</h3> <ul> <li>Better documented bias and behavior when running out of entropy, fixed some outdated and incorrect docs related to this.</li> </ul> <hr /> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
742b94be90 |
build(deps): bump thiserror from 2.0.12 to 2.0.15 in /rust (#10213)
Bumps [thiserror](https://github.com/dtolnay/thiserror) from 2.0.12 to 2.0.15. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/dtolnay/thiserror/releases">thiserror's releases</a>.</em></p> <blockquote> <h2>2.0.15</h2> <ul> <li>Prevent <code>Error::provide</code> API becoming unavailable from a future new compiler lint (<a href="https://redirect.github.com/dtolnay/thiserror/issues/427">#427</a>)</li> </ul> <h2>2.0.14</h2> <ul> <li>Allow build-script cleanup failure with NFSv3 output directory to be non-fatal (<a href="https://redirect.github.com/dtolnay/thiserror/issues/426">#426</a>)</li> </ul> <h2>2.0.13</h2> <ul> <li>Documentation improvements</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
a4352137f2 |
build(deps): bump uuid from 1.17.0 to 1.18.0 in /rust (#10214)
Bumps [uuid](https://github.com/uuid-rs/uuid) from 1.17.0 to 1.18.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/uuid-rs/uuid/releases">uuid's releases</a>.</em></p> <blockquote> <h2>v1.18.0</h2> <h2>What's Changed</h2> <ul> <li>Fix up mismatched_lifetime_syntaxes lint by <a href="https://github.com/KodrAus"><code>@KodrAus</code></a> in <a href="https://redirect.github.com/uuid-rs/uuid/pull/837">uuid-rs/uuid#837</a></li> <li>Conversions between <code>Timestamp</code> and <code>std::time::SystemTime</code> by <a href="https://github.com/dcormier"><code>@dcormier</code></a> in <a href="https://redirect.github.com/uuid-rs/uuid/pull/835">uuid-rs/uuid#835</a></li> <li>Wrap the error type used in time conversions by <a href="https://github.com/KodrAus"><code>@KodrAus</code></a> in <a href="https://redirect.github.com/uuid-rs/uuid/pull/838">uuid-rs/uuid#838</a></li> <li>Prepare for 1.18.0 release by <a href="https://github.com/KodrAus"><code>@KodrAus</code></a> in <a href="https://redirect.github.com/uuid-rs/uuid/pull/839">uuid-rs/uuid#839</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/dcormier"><code>@dcormier</code></a> made their first contribution in <a href="https://redirect.github.com/uuid-rs/uuid/pull/835">uuid-rs/uuid#835</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/uuid-rs/uuid/compare/v1.17.0...v1.18.0">https://github.com/uuid-rs/uuid/compare/v1.17.0...v1.18.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
dd312a9a83 |
build(deps): bump glob from 0.3.2 to 0.3.3 in /rust (#10215)
Bumps [glob](https://github.com/rust-lang/glob) from 0.3.2 to 0.3.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/rust-lang/glob/releases">glob's releases</a>.</em></p> <blockquote> <h2>v0.3.3</h2> <ul> <li>Optimize memory allocations (<a href="https://redirect.github.com/rust-lang/glob/pull/147">#147</a>)</li> <li>Bump the MSRV to 1.63 (<a href="https://redirect.github.com/rust-lang/glob/pull/172">#172</a>)</li> <li>Fix spelling in pattern documentation (<a href="https://redirect.github.com/rust-lang/glob/pull/164">#164</a>)</li> <li>Fix version numbers and some formatting (<a href="https://redirect.github.com/rust-lang/glob/pull/157">#157</a>)</li> <li>Style fixes (<a href="https://redirect.github.com/rust-lang/glob/pull/137">#137</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/rust-lang/glob/blob/master/CHANGELOG.md">glob's changelog</a>.</em></p> <blockquote> <h2><a href="https://github.com/rust-lang/glob/compare/v0.3.2...v0.3.3">0.3.3</a> - 2025-08-11</h2> <ul> <li>Optimize memory allocations (<a href="https://redirect.github.com/rust-lang/glob/pull/147">#147</a>)</li> <li>Bump the MSRV to 1.63 (<a href="https://redirect.github.com/rust-lang/glob/pull/172">#172</a>)</li> <li>Fix spelling in pattern documentation (<a href="https://redirect.github.com/rust-lang/glob/pull/164">#164</a>)</li> <li>Fix version numbers and some formatting (<a href="https://redirect.github.com/rust-lang/glob/pull/157">#157</a>)</li> <li>Style fixes (<a href="https://redirect.github.com/rust-lang/glob/pull/137">#137</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
05b736c5a1 |
build(deps): bump clap from 4.5.43 to 4.5.45 in /rust (#10216)
Bumps [clap](https://github.com/clap-rs/clap) from 4.5.43 to 4.5.45. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/clap-rs/clap/releases">clap's releases</a>.</em></p> <blockquote> <h2>v4.5.45</h2> <h2>[4.5.45] - 2025-08-12</h2> <h3>Fixes</h3> <ul> <li><em>(unstable-v5)</em> <code>ValueEnum</code> variants now use the full doc comment, not summary, for <code>PossibleValue::help</code></li> </ul> <h2>v4.5.44</h2> <h2>[4.5.44] - 2025-08-11</h2> <h3>Features</h3> <ul> <li>Add <code>Command::mut_subcommands</code></li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/clap-rs/clap/blob/master/CHANGELOG.md">clap's changelog</a>.</em></p> <blockquote> <h2>[4.5.45] - 2025-08-12</h2> <h3>Fixes</h3> <ul> <li><em>(unstable-v5)</em> <code>ValueEnum</code> variants now use the full doc comment, not summary, for <code>PossibleValue::help</code></li> </ul> <h2>[4.5.44] - 2025-08-11</h2> <h3>Features</h3> <ul> <li>Add <code>Command::mut_subcommands</code></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
eb0526ce5f |
build(deps): bump async-trait from 0.1.88 to 0.1.89 in /rust (#10221)
Bumps [async-trait](https://github.com/dtolnay/async-trait) from 0.1.88 to 0.1.89. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/dtolnay/async-trait/releases">async-trait's releases</a>.</em></p> <blockquote> <h2>0.1.89</h2> <ul> <li>Improve IDE functionality (<a href="https://redirect.github.com/dtolnay/async-trait/issues/293">#293</a>, thanks <a href="https://github.com/Veykril"><code>@Veykril</code></a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
2265114f6f |
build(deps): bump syn from 2.0.104 to 2.0.106 in /rust (#10219)
Bumps [syn](https://github.com/dtolnay/syn) from 2.0.104 to 2.0.106. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/dtolnay/syn/releases">syn's releases</a>.</em></p> <blockquote> <h2>2.0.106</h2> <ul> <li>Replace <code>~const</code> syntax with <code>[const]</code> conditionally const syntax in trait bounds (<a href="https://redirect.github.com/dtolnay/syn/issues/1896">#1896</a>, <a href="https://redirect.github.com/rust-lang/rust/pull/139858">rust-lang/rust#139858</a>)</li> <li>Support conditionally const impl Trait types (<a href="https://redirect.github.com/dtolnay/syn/issues/1897">#1897</a>)</li> <li>Reject polarity modifier and lifetime binder used in the same trait bound (<a href="https://redirect.github.com/dtolnay/syn/issues/1899">#1899</a>, <a href="https://redirect.github.com/rust-lang/rust/pull/127054">rust-lang/rust#127054</a>)</li> <li>Parse const trait bounds with bound lifetimes (<a href="https://redirect.github.com/dtolnay/syn/issues/1902">#1902</a>)</li> <li>Parse bound lifetimes with lifetime bounds (<a href="https://redirect.github.com/dtolnay/syn/issues/1903">#1903</a>)</li> <li>Allow type parameters and const parameters in trait bounds and generic closures (<a href="https://redirect.github.com/dtolnay/syn/issues/1904">#1904</a>, <a href="https://redirect.github.com/dtolnay/syn/issues/1907">#1907</a>, <a href="https://redirect.github.com/dtolnay/syn/issues/1908">#1908</a>, <a href="https://redirect.github.com/dtolnay/syn/issues/1909">#1909</a>)</li> </ul> <h2>2.0.105</h2> <ul> <li>Disallow "negative" inherent impls like <code>impl !T {}</code> (<a href="https://redirect.github.com/dtolnay/syn/issues/1881">#1881</a>, <a href="https://redirect.github.com/rust-lang/rust/pull/144386">rust-lang/rust#144386</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
5cac8538b4 |
build(deps): bump reqwest from 0.12.22 to 0.12.23 in /rust (#10217)
Bumps [reqwest](https://github.com/seanmonstar/reqwest) from 0.12.22 to 0.12.23. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/seanmonstar/reqwest/releases">reqwest's releases</a>.</em></p> <blockquote> <h2>v0.12.23</h2> <h2>tl;dr</h2> <ul> <li>🇺🇩🇸 Add <code>ClientBuilder::unix_socket(path)</code> option that will force all requests over that Unix Domain Socket.</li> <li>🔁 Add <code>ClientBuilder::retries(policy)</code> and <code>reqwest::retry::Builder</code> to configure <a href="https://seanmonstar.com/blog/reqwest-retries/">automatic retries</a>.</li> <li>Add <code>ClientBuilder::dns_resolver2()</code> with more ergonomic argument bounds, allowing more resolver implementations.</li> <li>Add <code>http3_*</code> options to <code>blocking::ClientBuilder</code>.</li> <li>Fix default TCP timeout values to enabled and faster.</li> <li>Fix SOCKS proxies to default to port 1080</li> <li>(wasm) Add cache methods to <code>RequestBuilder</code>.</li> </ul> <h2>What's Changed</h2> <ul> <li>Minimize package size by <a href="https://github.com/weiznich"><code>@weiznich</code></a> in <a href="https://redirect.github.com/seanmonstar/reqwest/pull/2759">seanmonstar/reqwest#2759</a></li> <li>chore(dev-dependencies): bump brotli by <a href="https://github.com/seanmonstar"><code>@seanmonstar</code></a> in <a href="https://redirect.github.com/seanmonstar/reqwest/pull/2760">seanmonstar/reqwest#2760</a></li> <li>upgrade hickory-dns to 0.25 by <a href="https://github.com/seanmonstar"><code>@seanmonstar</code></a> in <a href="https://redirect.github.com/seanmonstar/reqwest/pull/2761">seanmonstar/reqwest#2761</a></li> <li>Re-expose http3 options in blocking::clientBuilder by <a href="https://github.com/ducaale"><code>@ducaale</code></a> in <a href="https://redirect.github.com/seanmonstar/reqwest/pull/2770">seanmonstar/reqwest#2770</a></li> <li>fix(proxy): restore default port 1080 for SOCKS proxies without explicit port by <a href="https://github.com/0x676e67"><code>@0x676e67</code></a> in <a href="https://redirect.github.com/seanmonstar/reqwest/pull/2771">seanmonstar/reqwest#2771</a></li> <li>ci: use msrv-aware cargo in msrv job by <a href="https://github.com/seanmonstar"><code>@seanmonstar</code></a> in <a href="https://redirect.github.com/seanmonstar/reqwest/pull/2779">seanmonstar/reqwest#2779</a></li> <li>feat: add request cache option for wasm by <a href="https://github.com/Spxg"><code>@Spxg</code></a> in <a href="https://redirect.github.com/seanmonstar/reqwest/pull/2775">seanmonstar/reqwest#2775</a></li> <li>style(client): use <code>std::task::ready!</code> macro to simplify <code>Poll</code> branch match by <a href="https://github.com/0x676e67"><code>@0x676e67</code></a> in <a href="https://redirect.github.com/seanmonstar/reqwest/pull/2781">seanmonstar/reqwest#2781</a></li> <li>fix: add default tcp keepalive and user_timeout values by <a href="https://github.com/seanmonstar"><code>@seanmonstar</code></a> in <a href="https://redirect.github.com/seanmonstar/reqwest/pull/2780">seanmonstar/reqwest#2780</a></li> <li>feat: add unix_socket() option to client builder by <a href="https://github.com/seanmonstar"><code>@seanmonstar</code></a> in <a href="https://redirect.github.com/seanmonstar/reqwest/pull/2624">seanmonstar/reqwest#2624</a></li> <li>Add retry policies by <a href="https://github.com/seanmonstar"><code>@seanmonstar</code></a> in <a href="https://redirect.github.com/seanmonstar/reqwest/pull/2763">seanmonstar/reqwest#2763</a></li> <li>refactor: loosen retry <code>for_host</code> parameter bounds by <a href="https://github.com/Enduriel"><code>@Enduriel</code></a> in <a href="https://redirect.github.com/seanmonstar/reqwest/pull/2792">seanmonstar/reqwest#2792</a></li> <li>feat: add dns_resolver2 that is more ergonomic and flexible by <a href="https://github.com/seanmonstar"><code>@seanmonstar</code></a> in <a href="https://redirect.github.com/seanmonstar/reqwest/pull/2793">seanmonstar/reqwest#2793</a></li> <li>Prepare v0.12.23 by <a href="https://github.com/seanmonstar"><code>@seanmonstar</code></a> in <a href="https://redirect.github.com/seanmonstar/reqwest/pull/2795">seanmonstar/reqwest#2795</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/weiznich"><code>@weiznich</code></a> made their first contribution in <a href="https://redirect.github.com/seanmonstar/reqwest/pull/2759">seanmonstar/reqwest#2759</a></li> <li><a href="https://github.com/Spxg"><code>@Spxg</code></a> made their first contribution in <a href="https://redirect.github.com/seanmonstar/reqwest/pull/2775">seanmonstar/reqwest#2775</a></li> <li><a href="https://github.com/Enduriel"><code>@Enduriel</code></a> made their first contribution in <a href="https://redirect.github.com/seanmonstar/reqwest/pull/2792">seanmonstar/reqwest#2792</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/seanmonstar/reqwest/compare/v0.12.22...v0.12.23">https://github.com/seanmonstar/reqwest/compare/v0.12.22...v0.12.23</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/seanmonstar/reqwest/blob/master/CHANGELOG.md">reqwest's changelog</a>.</em></p> <blockquote> <h2>v0.12.23</h2> <ul> <li>Add <code>ClientBuilder::unix_socket(path)</code> option that will force all requests over that Unix Domain Socket.</li> <li>Add <code>ClientBuilder::retries(policy)</code> and <code>reqwest::retry::Builder</code> to configure automatic retries.</li> <li>Add <code>ClientBuilder::dns_resolver2()</code> with more ergonomic argument bounds, allowing more resolver implementations.</li> <li>Add <code>http3_*</code> options to <code>blocking::ClientBuilder</code>.</li> <li>Fix default TCP timeout values to enabled and faster.</li> <li>Fix SOCKS proxies to default to port 1080</li> <li>(wasm) Add cache methods to <code>RequestBuilder</code>.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
Jamil
|
618254cdfc |
refactor(relay): use zero check for is_learned (#10209)
Simplifies the interface map we store to use a zero-check instead of explicit bool. Related: https://github.com/firezone/firezone/pull/10200#discussion_r2281117072 |
||
|
Jamil
|
0698e0d35f |
ci: test IPv6 for CIDR resources (#10168)
Docker for Mac finally supports IPv6 in general availability. It's time to add IPv6 to our suite of integration tests. The thinking behind this PR is try and not slow down CI much, if at all, by testing IPv6 side-by-side with the existing IPv4 tests. More comprehensive testing is being developed in #10131 that will test things like IPv4-in-6 relaying, client / gateway IP stack mismatches, and so forth. |
||
|
Thomas Eizinger
|
6f4242769a |
refactor(connlib): move gw phoenix-channel to separate task (#10211)
Similar to #10210, we also move the phoenix-channel to a separate task for the Gateway's and connect it with channels to the event-loop. Related: #10003 --------- Signed-off-by: Thomas Eizinger <thomas@eizinger.io> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> |
||
|
dependabot[bot]
|
dae9a10e00 |
build(deps): bump tauri from 2.6.2 to 2.7.0 in /rust in the tauri group (#10179)
Bumps the tauri group in /rust with 1 update: [tauri](https://github.com/tauri-apps/tauri). Updates `tauri` from 2.6.2 to 2.7.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/tauri-apps/tauri/releases">tauri's releases</a>.</em></p> <blockquote> <h2>tauri-runtime v2.7.0</h2> <!-- raw HTML omitted --> <pre><code>Updating git repository `https://github.com/tauri-apps/schemars.git` Updating crates.io index warning: Patch `schemars_derive v0.8.21 (https://github.com/tauri-apps/schemars.git?branch=feat%2Fpreserve-description-newlines#c30f9848)` was not used in the crate graph. Check that the patched package version and available features are compatible with the dependency requirements. If the patch has a different version from what is locked in the Cargo.lock file, run `cargo update` to use the new version. This may also occur with an optional dependency that is not enabled. Locking 1020 packages to latest compatible versions Adding apple-codesign v0.27.0 (available: v0.29.0) Adding axum v0.7.9 (available: v0.8.4) Adding cargo_metadata v0.19.2 (available: v0.20.0) Adding colored v2.2.0 (available: v3.0.0) Adding ctor v0.2.9 (available: v0.4.2) Adding elf v0.7.4 (available: v0.8.0) Adding getrandom v0.2.16 (available: v0.3.3) Adding html5ever v0.29.1 (available: v0.32.0) Adding itertools v0.13.0 (available: v0.14.0) Adding json-patch v3.0.1 (available: v4.0.0) Adding jsonrpsee v0.24.9 (available: v0.25.1) Adding jsonrpsee-client-transport v0.24.9 (available: v0.25.1) Adding jsonrpsee-core v0.24.9 (available: v0.25.1) Adding jsonrpsee-ws-client v0.24.9 (available: v0.25.1) Adding minisign v0.7.3 (available: v0.7.9) Adding muda v0.16.1 (available: v0.17.0) Adding object v0.36.7 (available: v0.37.1) Adding oxc_allocator v0.36.0 (available: v0.74.0) Adding oxc_ast v0.36.0 (available: v0.74.0) Adding oxc_parser v0.36.0 (available: v0.74.0) Adding oxc_span v0.36.0 (available: v0.74.0) Adding phf v0.11.3 (available: v0.12.1) Adding proc-macro-crate v2.0.0 (available: v2.0.2) Adding rand v0.8.5 (available: v0.9.1) Adding rpm v0.16.0 (available: v0.17.0) Adding schemars v0.8.22 (available: v1.0.1) Adding serialize-to-javascript v0.1.1 (available: v0.1.2) Adding serialize-to-javascript-impl v0.1.1 (available: v0.1.2) Adding tiny_http v0.11.0 (available: v0.12.0) Adding which v7.0.3 (available: v8.0.0) Adding worker v0.5.0 (available: v0.6.0) Adding worker-macros v0.5.0 (available: v0.6.0) Adding x509-certificate v0.23.1 (available: v0.24.0) Fetching advisory database from `https://github.com/RustSec/advisory-db.git` Loaded 787 security advisories (from /home/runner/.cargo/advisory-db) Updating crates.io index Scanning Cargo.lock for vulnerabilities (1045 crate dependencies) </tr></table> </code></pre> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
319b31da64 |
build(deps): bump clap from 4.5.42 to 4.5.43 in /rust (#10182)
Bumps [clap](https://github.com/clap-rs/clap) from 4.5.42 to 4.5.43. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/clap-rs/clap/releases">clap's releases</a>.</em></p> <blockquote> <h2>v4.5.43</h2> <h2>[4.5.43] - 2025-08-06</h2> <h3>Fixes</h3> <ul> <li><em>(help)</em> In long help, list Possible Values before defaults, rather than after, for a more consistent look</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/clap-rs/clap/blob/master/CHANGELOG.md">clap's changelog</a>.</em></p> <blockquote> <h2>[4.5.43] - 2025-08-06</h2> <h3>Fixes</h3> <ul> <li><em>(help)</em> In long help, list Possible Values before defaults, rather than after, for a more consistent look</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
6038ade9a0 |
build(deps): bump socket2 from 0.5.10 to 0.6.0 in /rust (#10183)
Bumps [socket2](https://github.com/rust-lang/socket2) from 0.5.10 to 0.6.0. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/rust-lang/socket2/blob/master/CHANGELOG.md">socket2's changelog</a>.</em></p> <blockquote> <h1>0.6.0</h1> <h2>Breaking changes</h2> <p>All IPv4 methods now have a <code>_v4</code> suffix, IPv6 uses <code>_v6</code>. TCP methods have a <code>tcp_</code> prefix (looked better than a suffix).</p> <p>Furthermore we removed all types from external libraries (i.e. libc or windows-sys) from the public API, allowing us to update those without breaking the API.</p> <ul> <li>Renamed <code>Socket::freebind_ipv6</code> to <code>freebind_v6</code> (<a href="https://redirect.github.com/rust-lang/socket2/pull/592">rust-lang/socket2#592</a>).</li> <li>Renamed <code>Socket::freebind</code> to <code>freebind_v4</code> (<a href="https://redirect.github.com/rust-lang/socket2/pull/592">rust-lang/socket2#592</a>).</li> <li>Renamed <code>Socket::original_dst</code> to <code>original_dst_v4</code> (<a href="https://redirect.github.com/rust-lang/socket2/pull/592">rust-lang/socket2#592</a>).</li> <li>Renamed <code>Socket::original_dst_ipv6</code> to <code>original_dst_v6</code> (<a href="https://redirect.github.com/rust-lang/socket2/pull/592">rust-lang/socket2#592</a>).</li> <li>Bump MSRV to 1.70 (<a href="https://redirect.github.com/rust-lang/socket2/pull/597">rust-lang/socket2#597</a>).</li> <li>Use <code>c_int</code> from <code>std::ffi</code> instead of from libc (<a href="https://redirect.github.com/rust-lang/socket2/pull/599">rust-lang/socket2#599</a>, <a href="https://redirect.github.com/rust-lang/socket2/pull/595">rust-lang/socket2#595</a>).</li> <li><code>SockAddr</code>'s methods now accept/return <code>SockAddrStorage</code> instead of <code>sockaddr_storage</code>/<code>SOCKADDR_STORAGE</code> (<a href="https://redirect.github.com/rust-lang/socket2/pull/576">rust-lang/socket2#576</a>): <ul> <li><code>new</code></li> <li><code>try_init</code></li> <li><code>as_ptr</code></li> <li><code>as_storage</code></li> </ul> </li> <li>Add <code>SockFilter</code>, wrapper around <code>libc::sock_filter</code>, argument to <code>Socket::attach_filter</code> (<a href="https://redirect.github.com/rust-lang/socket2/pull/581">rust-lang/socket2#581</a>).</li> <li>Various renames of TCP methods on <code>Socket</code> (<a href="https://redirect.github.com/rust-lang/socket2/pull/592">rust-lang/socket2#592</a>): <ul> <li><code>keepalive_time</code> -> <code>tcp_keepalive_time</code></li> <li><code>keepalive_interval</code> -> <code>tcp_keepalive_interval</code></li> <li><code>keepalive_retries</code> -> <code>tcp_keepalive_retries</code></li> <li><code>nodelay</code> -> <code>tcp_nodelay</code></li> <li><code>set_nodelay</code> -> <code>tcp_set_nodelay</code></li> <li><code>tcp_mss</code> -> <code>mss</code></li> <li><code>tcp_set_mss</code> -> <code>set_mss</code></li> <li><code>tcp_cork</code> -> <code>cork</code></li> <li><code>tcp_set_cork</code> -> <code>set_cork</code></li> <li><code>tcp_quickack</code> -> <code>quickack</code></li> <li><code>tcp_set_quickack</code> -> <code>set_quickack</code></li> <li><code>thin_linear_timeouts</code> -> <code>tcp_thin_linear_timeouts</code>.</li> </ul> </li> </ul> <h2>Non-breaking changes</h2> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/rust-lang/socket2/commits">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
dependabot[bot]
|
12667a98df |
build(deps): bump libc from 0.2.174 to 0.2.175 in /rust (#10181)
Bumps [libc](https://github.com/rust-lang/libc) from 0.2.174 to 0.2.175. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/rust-lang/libc/releases">libc's releases</a>.</em></p> <blockquote> <h2>0.2.175</h2> <h3>Added</h3> <ul> <li>AIX: Add <code>getpeereid</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4524">#4524</a>)</li> <li>AIX: Add <code>struct ld_info</code> and friends (<a href="https://redirect.github.com/rust-lang/libc/pull/4578">#4578</a>)</li> <li>AIX: Retore <code>struct winsize</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4577">#4577</a>)</li> <li>Android: Add UDP socket option constants (<a href="https://redirect.github.com/rust-lang/libc/pull/4619">#4619</a>)</li> <li>Android: Add <code>CLONE_CLEAR_SIGHAND</code> and <code>CLONE_INTO_CGROUP</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4502">#4502</a>)</li> <li>Android: Add more <code>prctl</code> constants (<a href="https://redirect.github.com/rust-lang/libc/pull/4531">#4531</a>)</li> <li>FreeBSD Add further TCP stack-related constants (<a href="https://redirect.github.com/rust-lang/libc/pull/4196">#4196</a>)</li> <li>FreeBSD x86-64: Add <code>mcontext_t.mc_tlsbase </code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4503">#4503</a>)</li> <li>FreeBSD15: Add <code>kinfo_proc.ki_uerrmsg</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4552">#4552</a>)</li> <li>FreeBSD: Add <code>in_conninfo</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4482">#4482</a>)</li> <li>FreeBSD: Add <code>xinpgen</code> and related types (<a href="https://redirect.github.com/rust-lang/libc/pull/4482">#4482</a>)</li> <li>FreeBSD: Add <code>xktls_session</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4482">#4482</a>)</li> <li>Haiku: Add functionality from <code>libbsd</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4221">#4221</a>)</li> <li>Linux: Add <code>SECBIT_*</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4480">#4480</a>)</li> <li>NetBSD, OpenBSD: Export <code>ioctl</code> request generator macros (<a href="https://redirect.github.com/rust-lang/libc/pull/4460">#4460</a>)</li> <li>NetBSD: Add <code>ptsname_r</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4608">#4608</a>)</li> <li>RISCV32: Add time-related syscalls (<a href="https://redirect.github.com/rust-lang/libc/pull/4612">#4612</a>)</li> <li>Solarish: Add <code>strftime*</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4453">#4453</a>)</li> <li>linux: Add <code>EXEC_RESTRICT_*</code> and <code>EXEC_DENY_*</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4545">#4545</a>)</li> </ul> <h3>Changed</h3> <ul> <li>AIX: Add <code>const</code> to signatures to be consistent with other platforms (<a href="https://redirect.github.com/rust-lang/libc/pull/4563">#4563</a>)</li> </ul> <h3>Fixed</h3> <ul> <li>AIX: Fix the type of <code>struct statvfs.f_fsid</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4576">#4576</a>)</li> <li>AIX: Fix the type of constants for the <code>ioctl</code> <code>request</code> argument (<a href="https://redirect.github.com/rust-lang/libc/pull/4582">#4582</a>)</li> <li>AIX: Fix the types of <code>stat{,64}.st_*tim</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4597">#4597</a>)</li> <li>AIX: Use unique <code>errno</code> values (<a href="https://redirect.github.com/rust-lang/libc/pull/4507">#4507</a>)</li> <li>Build: Fix an incorrect <code>target_os</code> -> <code>target_arch</code> check (<a href="https://redirect.github.com/rust-lang/libc/pull/4550">#4550</a>)</li> <li>FreeBSD: Fix the type of <code>xktls_session_onedir.ifnet</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4552">#4552</a>)</li> <li>Mips64 musl: Fix the type of <code>nlink_t</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4509">#4509</a>)</li> <li>Mips64 musl: Use a special MIPS definition of <code>stack_t</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4528">#4528</a>)</li> <li>Mips64: Fix <code>SI_TIMER</code>, <code>SI_MESGQ</code> and <code>SI_ASYNCIO</code> definitions (<a href="https://redirect.github.com/rust-lang/libc/pull/4529">#4529</a>)</li> <li>Musl Mips64: Swap the order of <code>si_errno</code> and <code>si_code</code> in <code>siginfo_t</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4530">#4530</a>)</li> <li>Musl Mips64: Use a special MIPS definition of <code>statfs</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4527">#4527</a>)</li> <li>Musl: Fix the definition of <code>fanotify_event_metadata</code> (<a href="https://redirect.github.com/rust-lang/libc/pull/4510">#4510</a>)</li> <li>NetBSD: Correct <code>enum fae_action</code> to be <code>#[repr(C)]</code> (<a href=" |
||
|
Thomas Eizinger
|
2545c41366 |
refactor(connlib): move client phoenix-channel to separate task (#10210)
Currently, `connlib`'s event-loop for clients uses manual polling to advance the state of the tunnel and the phoenix-channel. Manual polling is powerful but also easy to get wrong, resulting in task-wakeup bugs. Additionally, if the tunnel is very busy with processing packets, the phoenix-channel may not get enough CPU time, resulting in a loss of the WebSocket connection. To fix this, we move the phoenix-channel to a separate task and use channels to connect it with `connlib`'s main event-loop. This one is now primarily focused on advancing the tunnel state, effectively offloading the problem of fair scheduling to the tokio runtime. Related: #10003 |
||
|
Thomas Eizinger
|
da00848549 |
build(deps): bump to Rust 1.89 (#10208)
Rust 1.89 comes with a new lint that wants us to use explicitly refer to lifetimes, even if they are elided. |
||
|
Thomas Eizinger
|
0f2cfa2e3c |
fix(rust): don't block runtime shutdown (#10204)
By default, dropping a `tokio` runtime waits until all tasks have finished. The tasks we spawn within `connlib` can have complex dependencies with each other. To ensure that we can shut down in any case and don't hang, we apply a timeout of 1s to the runtime. |
||
|
Thomas Eizinger
|
c8b01d9f43 | fix(telemetry): timeout Sentry session shutdown within 1s (#10205) | ||
|
Thomas Eizinger
|
1bdc5f0584 | feat(telemetry): reuse connections to PostHog server (#10203) | ||
|
Jamil
|
f47fb46cc7 |
feat(relay): learn interface addresses (#10200)
In order to support cross-stack relaying, we need to know what the source IP is going to be to write the packets from. To know this, we can simply learn the destination IP address for incoming packets to our XDP program. A separate cache is used per IP stack in order be a bit more cache line friendly and prevent contention when only IP stack lookup is needed. Related: #10192 |
||
|
Thomas Eizinger
|
70a930e45d |
chore(relay): use existing ebpf module import (#10202)
|
||
|
Jamil
|
b07fa341cf |
feat(relay): XDP driver (native) mode for gVNIC (#10177)
This updates our eBPF module to use DRV_MODE for less CPU overhead and better performance for all same-stack TURN relaying. Notably, gVNIC does not seem to support the `bpf_xdp_adjust_head` helper, so unfortunately we need to extend / shrink the packet tail and move the payload instead. Comprehensive benchmarks have not been performed, but early results show that we can saturate about 1 Gbps per E2 core on GCP: ``` [SUM] 0.00-30.04 sec 3.16 GBytes 904 Mbits/sec 12088 sender [SUM] 0.00-30.00 sec 3.12 GBytes 894 Mbits/sec receiver ``` This is with 64 TCP streams. More streams will better utilize all available RX queues, and lead to better performance. Related: #10138 Fixes: #8633 |
||
|
Jamil
|
b7045338df |
fix(ci): compute sha256sum of binaries earlier (#10199)
Fixes an issue where the sha256sum.txt of the relay was not available. Related: #10198 |
||
|
Jamil
|
b3ea251082 |
fix(ci): use correct relay binary location (#10198)
Fixes an issue introduced in #10196. Related: #10196 |
||
|
Jamil
|
1c2d70ac0d |
chore(infra): push relay binary to gcp (#10196)
The COS images we currently use to run our Relays ship with an older Linux kernel that doesn't have some of the nice verifier improvements for our eBPF relay. To fix this, we need to use Ubuntu 24.04. To keep things simple there, we would like to avoid installing Docker on that image and instead run the Relay raw. To support that, we first need to push the built relay binary to our staging cloud storage bucket. Related: #10177 Related: https://github.com/firezone/infra/pull/116 --------- Signed-off-by: Jamil <jamilbk@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> |
||
|
Jamil
|
46ffe8fe45 |
docs(relay): add note on channel map safety (#10194)
A fair bit of time was spent validating these map accesses are thread-safe, so just documenting that for the next reader to find. Related: https://github.com/firezone/firezone/issues/10138#issuecomment-3186074350 |
||
|
Jamil
|
3e3f555c1e |
fix(relay): swap MACs for relayed traffic (#10193)
In nearly all environments, we can safely assume that we will always use the same network gateway for forwarding relayed packets as the one we received them from. By leveraging this assumption, we can simply swap the SRC and DST MAC addresses, removing the need to keep a HaspMap for these, which eliminates the need to worry about thread-safety for this particular functionality. Related: #10138 |
||
|
Jamil
|
92137ee76b |
fix(relay): don't inline hotpath loop calls (#10185)
When inlining large(ish) functions that are on the hot-path, it creates a much longer program for the eBPF verifier to validate since the verifier is working through all packet sizes and types. We're hitting an issue on GCP (in the 8-core dev VM, XDP-generic) where verification fails on `main` due to the inlining of some hot-path functions. This PR is the smallest possible change that gets the program to load, highlighting the issue. In practice, I'm not there is a detectable performance difference between having these inlined vs not (especially in DRV_MODE) so I'm not sure it's worth the potential debugging headaches later on. |