mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-01-27 18:18:55 +00:00
9cd25d70d83beda8a4280d001c86dcddc9513751
8077 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Thomas Eizinger
|
9cd25d70d8 |
ci: prevent packet reordering by router containers (#10328)
By default, RPS (Receive Packet Steering) is disabled on Linux which means the CPU handling the interrupt for an incoming packet also handles the packet. Under high-load, this can causes packet reordering in your test setup where at least two routers are in the path between Client and Gateway. To ensure our test suite is deterministic, we enable RPS and set it to 1, meaning always CPU 1 will handle all packets. Local testing has shown that this fixes the warnings of "packet counter too old" on the Gateway and instead, all packets arrive entirely in order. Source: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/performance_tuning_guide/network-rps |
||
|
Brian Manifold
|
e2e370fd76 | fix(portal): fix client show page sign-in method (#10327) | ||
|
Thomas Eizinger
|
83171d3a2d |
ci: add integration test for graceful Gateway shutdown (#10077)
Signed-off-by: Thomas Eizinger <thomas@eizinger.io> |
||
|
Thomas Eizinger
|
d1d46fdfb4 |
ci: create a more realistic network setup (#10301)
Currently, the setup we have in docker-compose does not reflect real-world scenarios very well because most components share the same subnet. In reality, Clients, Gateways, relays and the backend are all in separate subnets, connected via multiple routers on the Internet. The current setup makes it hard to properly test relayed connections. To fix this, we move all components into their own subnet with a dedicated router container that performs source and destination NAT as well as acts as a firewall for the client and gateway containers to not allow inbound traffic. This setup will allow us to more easily test #10286 which requires port randomization for outgoing traffic on the Client and Gateway side. |
||
|
Firezone Bot
|
d8079c869f | chore: publish apple-client 1.5.8 (#10323) | ||
|
Thomas Eizinger
|
f96cc3d583 |
feat(relay): remove graceful shutdown (#10322)
Initially, we added the graceful shutdown functionality to the relay to better deal with deploys and achieve as minimal downtime as possible. With the split of app and infrastructure that we now have, this functionality is no longer necessary as portal deploys don't touch the relay infra at all. Thus, we can remove this functionality which will actually speed-up deploys of the relays as systemd no longer has to time-out after sending the SIGTERM to the binary. |
||
|
Firezone Bot
|
af7f4c9992 | chore: publish headless-client 1.5.3 (#10320) | ||
|
Firezone Bot
|
cacef44b4b | chore: publish gateway 1.4.16 (#10321) | ||
|
Firezone Bot
|
ff8781b7b6 | chore: publish gui-client 1.5.7 (#10319) | ||
|
dependabot[bot]
|
0f17b5d4a3 |
build(deps): bump chrono from 0.4.41 to 0.4.42 in /rust (#10308)
Bumps [chrono](https://github.com/chronotope/chrono) from 0.4.41 to 0.4.42. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/chronotope/chrono/releases">chrono's releases</a>.</em></p> <blockquote> <h2>0.4.42</h2> <h2>What's Changed</h2> <ul> <li>Add fuzzer for DateTime::parse_from_str by <a href="https://github.com/tyler92"><code>@tyler92</code></a> in <a href="https://redirect.github.com/chronotope/chrono/pull/1700">chronotope/chrono#1700</a></li> <li>Fix wrong amount of micro/milliseconds by <a href="https://github.com/nmlt"><code>@nmlt</code></a> in <a href="https://redirect.github.com/chronotope/chrono/pull/1703">chronotope/chrono#1703</a></li> <li>Add warning about MappedLocalTime and wasm by <a href="https://github.com/lutzky"><code>@lutzky</code></a> in <a href="https://redirect.github.com/chronotope/chrono/pull/1702">chronotope/chrono#1702</a></li> <li>Fix incorrect parsing of fixed-length second fractions by <a href="https://github.com/chris-leach"><code>@chris-leach</code></a> in <a href="https://redirect.github.com/chronotope/chrono/pull/1705">chronotope/chrono#1705</a></li> <li>Fix cfgs for <code>wasm32-linux</code> support by <a href="https://github.com/arjunr2"><code>@arjunr2</code></a> in <a href="https://redirect.github.com/chronotope/chrono/pull/1707">chronotope/chrono#1707</a></li> <li>Fix OpenHarmony's <code>tzdata</code> parsing by <a href="https://github.com/ldm0"><code>@ldm0</code></a> in <a href="https://redirect.github.com/chronotope/chrono/pull/1679">chronotope/chrono#1679</a></li> <li>Convert NaiveDate to/from days since unix epoch by <a href="https://github.com/findepi"><code>@findepi</code></a> in <a href="https://redirect.github.com/chronotope/chrono/pull/1715">chronotope/chrono#1715</a></li> <li>Add <code>?Sized</code> bound to related methods of <code>DelayedFormat::write_to</code> by <a href="https://github.com/Huliiiiii"><code>@Huliiiiii</code></a> in <a href="https://redirect.github.com/chronotope/chrono/pull/1721">chronotope/chrono#1721</a></li> <li>Add <code>from_timestamp_secs</code> method to <code>DateTime</code> by <a href="https://github.com/jasonaowen"><code>@jasonaowen</code></a> in <a href="https://redirect.github.com/chronotope/chrono/pull/1719">chronotope/chrono#1719</a></li> <li>Migrate to core::error::Error by <a href="https://github.com/benbrittain"><code>@benbrittain</code></a> in <a href="https://redirect.github.com/chronotope/chrono/pull/1704">chronotope/chrono#1704</a></li> <li>Upgrade to windows-bindgen 0.63 by <a href="https://github.com/djc"><code>@djc</code></a> in <a href="https://redirect.github.com/chronotope/chrono/pull/1730">chronotope/chrono#1730</a></li> <li>strftime: simplify error handling by <a href="https://github.com/djc"><code>@djc</code></a> in <a href="https://redirect.github.com/chronotope/chrono/pull/1731">chronotope/chrono#1731</a></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
5f73627eb7 |
build(deps): bump uuid from 1.18.0 to 1.18.1 in /rust (#10305)
Bumps [uuid](https://github.com/uuid-rs/uuid) from 1.18.0 to 1.18.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/uuid-rs/uuid/releases">uuid's releases</a>.</em></p> <blockquote> <h2>v1.18.1</h2> <h2>What's Changed</h2> <ul> <li>Unsafe cleanup by <a href="https://github.com/KodrAus"><code>@KodrAus</code></a> in <a href="https://redirect.github.com/uuid-rs/uuid/pull/841">uuid-rs/uuid#841</a></li> <li>Prepare for 1.18.1 release by <a href="https://github.com/KodrAus"><code>@KodrAus</code></a> in <a href="https://redirect.github.com/uuid-rs/uuid/pull/842">uuid-rs/uuid#842</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/uuid-rs/uuid/compare/v1.18.0...v1.18.1">https://github.com/uuid-rs/uuid/compare/v1.18.0...v1.18.1</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
Thomas Eizinger
|
e0ee94f60e |
chore: add basic context about Firezone for AI agents (#10284)
When using an AI-enabled editor (like Zed), it is useful to have a "rules" file to give it basic context about the project so we don't have to re-explain it every time. We can also extend this file with a list of code review instructions / coding guidelines for Copilot. See https://docs.github.com/en/copilot/how-tos/configure-custom-instructions/add-repository-instructions#asking-copilot-coding-agent-to-generate-a-githubcopilot-instructionsmd-file. I expect this file to grow as we learn which info the agents need about the product to be helpful. In order to use it, people are encouraged to create locally-ignored symlinks to the `docs/AGENT.md` file. --------- Signed-off-by: Thomas Eizinger <thomas@eizinger.io> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> |
||
|
Mariusz Klochowicz
|
963cc8ede0 |
fix(apple): Enforce single Firezone instance (#10313)
show an alert to the user and ask to quit previous Firezone instance manually before starting a new one. Resolves: #10295 --------- Signed-off-by: Mariusz Klochowicz <mariusz@klochowicz.com> Co-authored-by: Jamil <jamilbk@users.noreply.github.com> |
||
|
Thomas Eizinger
|
33a75f6fee |
chore(headless-client): don't make failures look like crashes (#10290)
Returning an error from `main` by default prints a backtrace. This may lead users to believe that the program is crashing when in fact it is exiting in a controlled way but with an error (such as when we don't have Internet during startup). Printing the chain of errors ourselves resolves this. |
||
|
Brian Manifold
|
56a3ce9041 |
fix(portal): move hard delete migrations (#10316)
Move some of the hard-delete migrations from manual to inline to allow us to deploy the `HEAD` of main |
||
|
Thomas Eizinger
|
4a612da189 |
fix(relay): filter traces by log filter (#10317)
We want to control which traces are collected and sent to OTEL with the log filter. To do that, we need to also apply the supplied log filter to the tracer. |
||
|
dependabot[bot]
|
46eb118a46 |
build(deps): bump time from 0.3.41 to 0.3.43 in /rust (#10309)
Bumps [time](https://github.com/time-rs/time) from 0.3.41 to 0.3.43. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/time-rs/time/releases">time's releases</a>.</em></p> <blockquote> <h2>v0.3.43</h2> <p>See the <a href="https://github.com/time-rs/time/blob/main/CHANGELOG.md">changelog</a> for details.</p> <h2>v0.3.42</h2> <p>See the <a href="https://github.com/time-rs/time/blob/main/CHANGELOG.md">changelog</a> for details.</p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/time-rs/time/blob/main/CHANGELOG.md">time's changelog</a>.</em></p> <blockquote> <h2>0.3.43 [2025-09-02]</h2> <h3>Added</h3> <ul> <li>Support for <code>rand</code> 0.9</li> </ul> <h3>Fixed</h3> <ul> <li>In the <code>convert</code> module, any use of <code>per</code> with types that were not the same (such as <code>Nanosecond::per(Second)</code>) would not compile due to a bug. This has been fixed.</li> </ul> <h2>0.3.42 [2025-08-31]</h2> <h3>Added</h3> <ul> <li><code>Time::duration_until</code></li> <li><code>Time::duration_since</code></li> <li><code>per_t</code> method for all types in <code>time::convert</code>. This is similar to the existing <code>per</code> method, but can return any of the primitive numeric types that can represent the result. This will cut down on <code>as</code> casts while ensuring correctness. Type inference isn't perfect, so you may need to provide a type annotation in some situations.</li> <li><code>impl PartialOrd for Month</code> and <code>impl Ord for Month</code>; this assumes the months are in the same year</li> <li><code>SystemTimeExt</code> trait, adding methods for checked arithmetic with <code>time::Duration</code> and obtaining the difference between two <code>SystemTime</code>s as a <code>time::Duration</code></li> <li>Permit using <code>UtcDateTime</code> with <code>rand</code> (this was inadvertently omitted previously)</li> <li><code>impl core::error::Error</code> for all error types (now available when the <code>std</code> feature is disabled)</li> <li>MacOS can now obtain the local UTC offset in multi-threaded programs as the system APIs are thread-safe.</li> <li><code>#[track_caller]</code> has been added to all relevant methods.</li> </ul> <h3>Changed</h3> <ul> <li>The minimum supported Rust version is now 1.81.0.</li> <li>The dependency on <code>itoa</code> has been removed, as the standard library now has similar functionality by default.</li> <li>Formatting a component that involves a floating point number is now guaranteed to be deterministic, avoiding any subtle differences between platforms or compiler versions.</li> </ul> <h3>Fixed</h3> <ul> <li>Serializing timestamps with nanosecond precision <em>should</em> always emit the correct value. Previously, it could be off by one nanosecond due to floating point imprecision.</li> <li>A previously unknown bug in <code>OffsetDateTime::to_offset</code> and <code>UtcDateTime::to_offset</code> has been fixed. The bug could result in a value that was invalid. It was unlikely to ever occur in real-world code, as it involved passing a UTC offset that has never been used in any location.</li> </ul> <h3>Miscellaneous</h3> <ul> <li>The amount of code generated by macros has been massively reduced, on the order of 65-70% for typical use cases of <code>format_description!</code>.</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
c16918116c |
build(deps): bump clap from 4.5.45 to 4.5.47 in /rust (#10307)
Bumps [clap](https://github.com/clap-rs/clap) from 4.5.45 to 4.5.47. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/clap-rs/clap/releases">clap's releases</a>.</em></p> <blockquote> <h2>v4.5.47</h2> <h2>[4.5.47] - 2025-09-02</h2> <h3>Features</h3> <ul> <li>Added <code>impl FromArgMatches for ()</code></li> <li>Added <code>impl Args for ()</code></li> <li>Added <code>impl Subcommand for ()</code></li> <li>Added <code>impl FromArgMatches for Infallible</code></li> <li>Added <code>impl Subcommand for Infallible</code></li> </ul> <h3>Fixes</h3> <ul> <li><em>(derive)</em> Update runtime error text to match <code>clap</code></li> </ul> <h2>v4.5.46</h2> <h2>[4.5.46] - 2025-08-26</h2> <h3>Features</h3> <ul> <li>Expose <code>StyledStr::push_str</code></li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/clap-rs/clap/blob/master/CHANGELOG.md">clap's changelog</a>.</em></p> <blockquote> <h2>[4.5.47] - 2025-09-02</h2> <h3>Features</h3> <ul> <li>Added <code>impl FromArgMatches for ()</code></li> <li>Added <code>impl Args for ()</code></li> <li>Added <code>impl Subcommand for ()</code></li> <li>Added <code>impl FromArgMatches for Infallible</code></li> <li>Added <code>impl Subcommand for Infallible</code></li> </ul> <h3>Fixes</h3> <ul> <li><em>(derive)</em> Update runtime error text to match <code>clap</code></li> </ul> <h2>[4.5.46] - 2025-08-26</h2> <h3>Features</h3> <ul> <li>Expose <code>StyledStr::push_str</code></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
a8f76aea30 |
build(deps): bump log from 0.4.27 to 0.4.28 in /rust (#10306)
Bumps [log](https://github.com/rust-lang/log) from 0.4.27 to 0.4.28. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/rust-lang/log/releases">log's releases</a>.</em></p> <blockquote> <h2>0.4.28</h2> <h2>What's Changed</h2> <ul> <li>ci: drop really old trick and ensure MSRV for all feature combo by <a href="https://github.com/tisonkun"><code>@tisonkun</code></a> in <a href="https://redirect.github.com/rust-lang/log/pull/676">rust-lang/log#676</a></li> <li>chore: fix some typos in comment by <a href="https://github.com/xixishidibei"><code>@xixishidibei</code></a> in <a href="https://redirect.github.com/rust-lang/log/pull/677">rust-lang/log#677</a></li> <li>Unhide <code>#[derive(Debug)]</code> in example by <a href="https://github.com/ZylosLumen"><code>@ZylosLumen</code></a> in <a href="https://redirect.github.com/rust-lang/log/pull/688">rust-lang/log#688</a></li> <li>Chore: delete compare_exchange method for AtomicUsize on platforms without atomics by <a href="https://github.com/HaoliangXu"><code>@HaoliangXu</code></a> in <a href="https://redirect.github.com/rust-lang/log/pull/690">rust-lang/log#690</a></li> <li>Add <code>increment_severity()</code> and <code>decrement_severity()</code> methods for <code>Level</code> and <code>LevelFilter</code> by <a href="https://github.com/nebkor"><code>@nebkor</code></a> in <a href="https://redirect.github.com/rust-lang/log/pull/692">rust-lang/log#692</a></li> <li>Prepare for 0.4.28 release by <a href="https://github.com/KodrAus"><code>@KodrAus</code></a> in <a href="https://redirect.github.com/rust-lang/log/pull/695">rust-lang/log#695</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/xixishidibei"><code>@xixishidibei</code></a> made their first contribution in <a href="https://redirect.github.com/rust-lang/log/pull/677">rust-lang/log#677</a></li> <li><a href="https://github.com/ZylosLumen"><code>@ZylosLumen</code></a> made their first contribution in <a href="https://redirect.github.com/rust-lang/log/pull/688">rust-lang/log#688</a></li> <li><a href="https://github.com/HaoliangXu"><code>@HaoliangXu</code></a> made their first contribution in <a href="https://redirect.github.com/rust-lang/log/pull/690">rust-lang/log#690</a></li> <li><a href="https://github.com/nebkor"><code>@nebkor</code></a> made their first contribution in <a href="https://redirect.github.com/rust-lang/log/pull/692">rust-lang/log#692</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/rust-lang/log/compare/0.4.27...0.4.28">https://github.com/rust-lang/log/compare/0.4.27...0.4.28</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/rust-lang/log/blob/master/CHANGELOG.md">log's changelog</a>.</em></p> <blockquote> <h2>[0.4.28] - 2025-09-02</h2> <h2>What's Changed</h2> <ul> <li>ci: drop really old trick and ensure MSRV for all feature combo by <a href="https://github.com/tisonkun"><code>@tisonkun</code></a> in <a href="https://redirect.github.com/rust-lang/log/pull/676">rust-lang/log#676</a></li> <li>Chore: delete compare_exchange method for AtomicUsize on platforms without atomics by <a href="https://github.com/HaoliangXu"><code>@HaoliangXu</code></a> in <a href="https://redirect.github.com/rust-lang/log/pull/690">rust-lang/log#690</a></li> <li>Add <code>increment_severity()</code> and <code>decrement_severity()</code> methods for <code>Level</code> and <code>LevelFilter</code> by <a href="https://github.com/nebkor"><code>@nebkor</code></a> in <a href="https://redirect.github.com/rust-lang/log/pull/692">rust-lang/log#692</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/xixishidibei"><code>@xixishidibei</code></a> made their first contribution in <a href="https://redirect.github.com/rust-lang/log/pull/677">rust-lang/log#677</a></li> <li><a href="https://github.com/ZylosLumen"><code>@ZylosLumen</code></a> made their first contribution in <a href="https://redirect.github.com/rust-lang/log/pull/688">rust-lang/log#688</a></li> <li><a href="https://github.com/HaoliangXu"><code>@HaoliangXu</code></a> made their first contribution in <a href="https://redirect.github.com/rust-lang/log/pull/690">rust-lang/log#690</a></li> <li><a href="https://github.com/nebkor"><code>@nebkor</code></a> made their first contribution in <a href="https://redirect.github.com/rust-lang/log/pull/692">rust-lang/log#692</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/rust-lang/log/compare/0.4.27...0.4.28">https://github.com/rust-lang/log/compare/0.4.27...0.4.28</a></p> <h3>Notable Changes</h3> <ul> <li>MSRV is bumped to 1.61.0 in <a href="https://redirect.github.com/rust-lang/log/pull/676">rust-lang/log#676</a></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
68c1ce25ba |
build(deps): bump the tauri group in /rust with 4 updates (#10304)
Bumps the tauri group in /rust with 4 updates: [tauri](https://github.com/tauri-apps/tauri), [tauri-build](https://github.com/tauri-apps/tauri), [tauri-plugin-dialog](https://github.com/tauri-apps/plugins-workspace) and [tauri-plugin-shell](https://github.com/tauri-apps/plugins-workspace). Updates `tauri` from 2.8.3 to 2.8.4 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/tauri-apps/tauri/releases">tauri's releases</a>.</em></p> <blockquote> <h2>tauri v2.8.4</h2> <!-- raw HTML omitted --> <pre><code>Updating git repository `https://github.com/tauri-apps/schemars.git` Updating crates.io index warning: Patch `schemars_derive v0.8.21 (https://github.com/tauri-apps/schemars.git?branch=feat%2Fpreserve-description-newlines#c30f9848)` was not used in the crate graph. Check that the patched package version and available features are compatible with the dependency requirements. If the patch has a different version from what is locked in the Cargo.lock file, run `cargo update` to use the new version. This may also occur with an optional dependency that is not enabled. Locking 1037 packages to latest compatible versions Adding apple-codesign v0.27.0 (available: v0.29.0) Adding borsh v1.3.0 (available: v1.5.7) Adding borsh-derive v1.3.0 (available: v1.5.7) Adding cargo_metadata v0.19.2 (available: v0.22.0) Adding colored v2.2.0 (available: v3.0.0) Adding ctor v0.2.9 (available: v0.5.0) Adding dialoguer v0.11.0 (available: v0.12.0) Adding elf v0.7.4 (available: v0.8.0) Adding goblin v0.9.3 (available: v0.10.1) Adding html5ever v0.29.1 (available: v0.35.0) Adding itertools v0.13.0 (available: v0.14.0) Adding json-patch v3.0.1 (available: v4.0.0) Adding jsonrpsee v0.24.9 (available: v0.26.0) Adding jsonrpsee-client-transport v0.24.9 (available: v0.26.0) Adding jsonrpsee-core v0.24.9 (available: v0.26.0) Adding jsonrpsee-ws-client v0.24.9 (available: v0.26.0) Adding matchit v0.8.4 (available: v0.8.6) Adding minisign v0.7.3 (available: v0.7.9) Adding object v0.36.7 (available: v0.37.3) Adding oxc_allocator v0.36.0 (available: v0.82.3) Adding oxc_ast v0.36.0 (available: v0.82.3) Adding oxc_parser v0.36.0 (available: v0.82.3) Adding oxc_span v0.36.0 (available: v0.82.3) Adding phf v0.11.3 (available: v0.13.1) Adding rpm v0.16.1 (available: v0.17.1) Adding schemars v0.8.22 (available: v1.0.4) Adding tiny_http v0.11.0 (available: v0.12.0) Adding toml v0.8.2 (available: v0.8.23) Adding toml_datetime v0.6.3 (available: v0.6.11) Adding toml_edit v0.20.2 (available: v0.20.7) Adding x509-certificate v0.23.1 (available: v0.25.0) Fetching advisory database from `https://github.com/RustSec/advisory-db.git` Loaded 797 security advisories (from /home/runner/.cargo/advisory-db) Updating crates.io index Scanning Cargo.lock for vulnerabilities (1062 crate dependencies) Crate: atk Version: 0.18.2 </tr></table> </code></pre> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
Thomas Eizinger
|
3cffeef483 |
ci: reduce target bitrate for UDP perf tests to 600Mbit/s (#10312)
To achieve a more stable CI, we need to reduce the target bitrate of the UDP perf tests. Now that we no longer have GSO enabled in the tests, the most we can achieve in CI is 600Mbit/s. Forcing more packets through the tunnel results in all sorts of warnings which end up failing CI. |
||
|
Thomas Eizinger
|
03ac73ac00 |
fix(gateway): reset DNS resource NAT if proxy IPs change (#10310)
In #10040, we decided to persist a peer's routing state on the Gateway across ICE sessions. This routing state also includes the DNS resource NAT. Prior to #10104 (which is not released yet), when a Client signs out and back in, it resets the proxy IP mapping for DNS resources and will start numbering them again from the front, i.e. starting from 100.96.0.1. With the state still being preserved on the Gateway, this represents a problem: We keep existing mappings around if there is still a NAT session for this proxy IP. However, if the proxy IP is actually for a different domain, this NAT session is meaningless. In fact, not replacing the IP is problematic as we will now route packets for the new proxy IP to the wrong destination. The persistent DNS resource mapping from #10104 fixes this. In this PR, we add an additional check to the Gateway where we detect whether the Client has started to re-assign proxy IPs and if so, we completely reset the DNS resource NAT state including all existing NAT sessions. Fixes #10268 |
||
|
Jamil
|
5e0ca45c67 |
fix(relay): XDP_PASS non-STUN UDP traffic (#10292)
To prevent userspace relaying, all traffic that seemingly looked like STUN/TURN but we couldn't handle via the eBPF codepath we would `XDP_DROP`. This turned out to be too heavy-handed of an approach since it end up matching DNS query responses as well due to them arriving within the TURN ephemeral port range. To fix this, we `XDP_PASS` the traffic up the stack so that the kernel is able to match it to existing conntrack entries. We've identified a minor race condition where the first few channel data packets might be dropped when a channel is first being bound, but fixing this will be saved for a later PR. Related: https://github.com/firezone/infra/pull/132 |
||
|
Jamil
|
b8e0cf9b53 |
fix(ci): temporarily suppress fxhash unmaintained (#10298)
Ignoring for now to get CI to pass, since this isn't an urgent problem. Related: #10297 |
||
|
Brian Manifold
|
a178508c8d |
docs(website): Update Entra sync note (#10294)
Co-authored-by: Jamil Bou Kheir <jamilbk@users.noreply.github.com> |
||
|
Thomas Eizinger
|
c891d9c864 |
fix(relay): re-add eBPF channel map entry on refresh (#10291)
TURN channels have a 5 minute cooldown period after they expire where they cannot be rebound to another peer but can be refreshed and thus "reactivated". To stop routing packets when the channel expires, we remove it from the channel map of the eBPF code. The client however knows that it still has a channel that it can reactivate for another 5min. In case it chooses to do so, we refresh the channel in userspace but until now, forget to re-populate the eBPF map. This effectively blocks this communication path from working because the relay reports the channel from being refreshed successfully, yet the new eBPF kernel drops all packets without a map entry. |
||
|
Thomas Eizinger
|
ead1f40101 |
chore(gateway): only log skipped NAT entry if IP differs (#10285)
When we resolve a DNS resource domain name on the Gateway, we establish the mapping between proxy IPs and resolved IPs in order to correctly NAT traffic. These domains are re-resolved every time the Client sees a DNS query for it. Thus, established connections could be interrupted if the IPs returned by consecutive DNS queries are different. Many SaaS products (GitHub for example) use DNS to load balance between different IPs. In order to not interrupt those connections, we check whether we have an open NAT session for an existing mapping every time we re-resolve DNS. This log is currently printed too often though because it doesn't take into account whether the IPs actually changed. If the IP is the same, we don't need to print this because the update is a no-op. |
||
|
Brian Manifold
|
826a304071 |
feat(portal): enable outdated gateway email (#10281)
Enables 'outdated gateway' notifications for all accounts. Closes #8361 |
||
|
Thomas Eizinger
|
eeadde0c86 |
ci: bump Ubuntu runners to 24.04 (#10288)
Ubuntu 22.04 is over 3 years old and therefore ships with quite an old kernel. Our production VMs (for relays) all run Ubuntu 24.04 so it makes sense to build and test them on the same kernel / OS release. For consistency reasons, we therefore bump all runners to 24.04. |
||
|
Thomas Eizinger
|
7b5f5d9a30 |
ci: remove exception for OS error 5 (#10287)
Now that we retry packets that encounter OS error 5, we no longer need to ignore those warnings in CI. Related: #10279 |
||
|
Thomas Eizinger
|
ec0c7c148b |
chore(eBPF): minor polish (#10282)
Some follow-up polish for the eBPF module: - Changes the cfg's to also include Linux, allowing rust-analyzer to assist with auto-complete etc. - Moves code to sub-modules of `try_handle_turn`, removing the need for making them conditional. - Move all maps to sub-modules to allow for a single place to put comments: In the module documentation at the top. - Removes interface IP learning, these are now configured via env variables. |
||
|
Thomas Eizinger
|
fb7b001cbf | chore(rust): fix unused variable warning (#10283) | ||
|
Thomas Eizinger
|
d718c5de8e |
fix(connlib): retry packets on IO error 5 (#10279)
Unfortunately, it isn't very easy to detect whether a socket supports GSO on Linux. Hence, `quinn-udp` simply probes for its support by trying to send GSO batches and effectively disables GSO by setting the `max-gso-segments` state variable to 1 if it encounters either EINVAL (-22) or EIO (-5). For EINVAL, `quinn-udp` has an internal retry mechanism. For EIO, the `Transmit` which is passed to `quinn-udp` needs to be re-chunked and thus cannot be automatically retried. In order to avoid dropping packets, we therefore add a once-off retry step to sending a datagram whenever we hit EIO on Linux or Android. If the error was due to GSO not being supported, the 2nd attempt should be successful and going forward, even the first one should be until we roam the socket (where this state variable gets reset). These packet drops have been causing flakiness in CI ever since we merged the eBPF tests. Those disable checksum offloading which appears to trigger these errors. |
||
|
Jamil
|
1a251406c9 |
fix(ci): bump tauri setup timeout to 15m (#10280)
These occasionally take just a bit more time to complete. Related: https://github.com/firezone/firezone/actions/runs/17403822300/job/49402974171 |
||
|
Thomas Eizinger
|
8877f3d7c2 |
chore(telemetry): remove span name from attributes in Sentry (#10278)
Before sending logs to Sentry, we perform a pass over them to make them somewhat look like the output of `tracing_subscriber::fmt`. In particular, we trim the span name from fields in order to shorten the message. In our logger config, we don't render the span name at all and just append all fields at the end of the message. Sentry supports filtering by field names but unfortunately, those cannot contain a colon (`:`). Given that we already trim the span name in the actual message, it also makes sense to remove the span name from the actual attributes. That allows us to actually filter by these attributes and has the additional advantage that fields from different spans with the same name are merged. This is especially useful because we purposely reuse names like `cid` to refer the current connection from different spans. |
||
|
Mariusz Klochowicz
|
d07e32d91f |
chore: Build whole workspace on macos (#10228)
- Add some macos stubs to gui-smoke-test. - Hide `ebpf-turn-router` binary functionality behind `#[cfg(target_arch = "bpf")]` Signed-off-by: Mariusz Klochowicz <mariusz@klochowicz.com> |
||
|
Thomas Eizinger
|
e84bdc5566 |
refactor(connlib): periodically record queue depths (#10242)
Instead of recording the queue depths on every event-loop tick, we now record them once a second by setting a Gauge. Not only is that a simpler instrument to work with but it is significantly more performant. The current version - when metrics are enabled - takes on quite a bit of CPU time. Resolves: #10237 |
||
|
Thomas Eizinger
|
2dd61d7c5c |
chore: Support Docker builds of Rust (#10230)
Signed-off-by: Mariusz Klochowicz <mariusz@klochowicz.com> Co-authored-by: Mariusz Klochowicz <mariusz@klochowicz.com> |
||
|
Jamil
|
61e0a22886 |
docs: update telemetry/feature-flag FW guide (#10276)
Updates our published hosts so customers have accurate guidance on how to configure their Gateway deployments. Related: #10271 Related: https://app.hubspot.com/live-messages/23723443/inbox/9598356483 |
||
|
Thomas Eizinger
|
b762c3acde |
ci: don't restart portal at the beginning of the test (#10274)
Restarting the portal at the beginning of the test is useless. We haven't made any connections yet so restarting it will just get us back to the same state that we are already in. |
||
|
Thomas Eizinger
|
a9e1b0fbfb |
chore(connlib): print full error when failing to read IP packet (#10275)
The error returned from `IpPacket::new` is an `anyhow::Error` but in order to return it from `async_io`, we need to wrap it in an `io::Error`. Printing an `io::Error` only prints the top-level error. To fix this, we re-wrap the `io::Error` in an `anyhow::Error` again and toggle "alternate" printing mode to see the full error chain. |
||
|
dependabot[bot]
|
023e784fb3 |
build(deps): bump tracing-subscriber from 0.3.19 to 0.3.20 in /rust in the cargo group (#10265)
Bumps the cargo group in /rust with 1 update: [tracing-subscriber](https://github.com/tokio-rs/tracing). Updates `tracing-subscriber` from 0.3.19 to 0.3.20 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/tokio-rs/tracing/releases">tracing-subscriber's releases</a>.</em></p> <blockquote> <h2>tracing-subscriber 0.3.20</h2> <p><strong>Security Fix</strong>: ANSI Escape Sequence Injection (CVE-TBD)</p> <h2>Impact</h2> <p>Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to:</p> <ul> <li>Manipulate terminal title bars</li> <li>Clear screens or modify terminal display</li> <li>Potentially mislead users through terminal manipulation</li> </ul> <p>In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator.</p> <h2>Solution</h2> <p>Version 0.3.20 fixes this vulnerability by escaping ANSI control characters in when writing events to destinations that may be printed to the terminal.</p> <h2>Affected Versions</h2> <p>All versions of tracing-subscriber prior to 0.3.20 are affected by this vulnerability.</p> <h2>Recommendations</h2> <p>Immediate Action Required: We recommend upgrading to tracing-subscriber 0.3.20 immediately, especially if your application:</p> <ul> <li>Logs user-provided input (form data, HTTP headers, query parameters, etc.)</li> <li>Runs in environments where terminal output is displayed to users</li> </ul> <h2>Migration</h2> <p>This is a patch release with no breaking API changes. Simply update your Cargo.toml:</p> <pre lang="toml"><code>[dependencies] tracing-subscriber = "0.3.20" </code></pre> <h2>Acknowledgments</h2> <p>We would like to thank <a href="http://github.com/zefr0x">zefr0x</a> who responsibly reported the issue at <code>security@tokio.rs</code>.</p> <p>If you believe you have found a security vulnerability in any tokio-rs project, please email us at <code>security@tokio.rs</code>.</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
cc9147eecd |
build(deps): bump tempfile from 3.20.0 to 3.21.0 in /rust (#10252)
Bumps [tempfile](https://github.com/Stebalien/tempfile) from 3.20.0 to 3.21.0. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/Stebalien/tempfile/blob/master/CHANGELOG.md">tempfile's changelog</a>.</em></p> <blockquote> <h2>3.21.0</h2> <ul> <li>Updated <code>windows-sys</code> requirement to allow version 0.60.x</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/Stebalien/tempfile/commits">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
Thomas Eizinger
|
90803d50b1 |
chore(telemetry): use Firezone-specific ingest hosts (#10271)
These give us more control over where this traffic goes. For example, based on this, we will be able to exclude this traffic from the Internet Resource. |
||
|
Thomas Eizinger
|
0c2e54f54c |
feat(connlib): persistent DNS resource records across sessions (#10104)
When we receive a DNS query for a DNS resource in Firezone, we take the next available 4 IPs from the CG-NAT range and assign them to the domain name. For example, if `example.com` is a DNS resource and it is the first resource being queried in a Firezone session, we will assigned the IPs `100.96.0.1` - `100.96.0.4` to it. If the user now restarts Firezone or signs out and back in, this state is lost and we assign those same IPs to the next DNS query coming in. This creates a problem for applications that do not re-query DNS very often or never. They expect these IPs to not change. Restarting software or signing out and back in is a common approach to fixing software problems, yet in this specific case, doing so may create even more problems for the user. To mitigate this, `ClientState` introduce a new event `DnsRecordsChanged` that gets emitted to the event-loop every time we assign new records. The event-loop then caches this in memory and reuses it in case a new session is initiated. The records are only stored in-memory and not on disk. Most likely, the tunnel process will be alive for the entire OS session. To verify this behaviour, we add a new `RestartClient` transition to our proptests. In the proptests, we already keep a mapping of all DNS names we ever resolved, including DNS resources. When generating IP traffic, we sample from this list of IPs and then expect the packet to be routed. By replacing the `ClientState` as part of this transition and re-seeding it with the previously exported DNS records, we can verify that packets to IPs resolved from a previous session still get successfully routed to the resource. Related: #5498 |
||
|
Jamil
|
94981e50e2 |
fix(relay): relay cross-stack docker container startup (#10270)
These aren't _strictly_ required, and we emit a warning already if they're not set. |
||
|
Thomas Eizinger
|
533f4c319b |
feat(connlib): gracefully shutdown connections (#10076)
Right now, connections cannot be actively closed in Firezone. The WireGuard tunnel and the ICE agent are coupled together, meaning only if either one of them fails will we clean up the connection. One exception here is when the Client roams. In that case, the Client simply clears its local memory completely and then re-establishes all necessary connections by re-requesting access. There are three cases where gracefully closing a connection is useful: 1. If an access authorization is revoked or expires and this was the last resource authorisation for that peer, we don't currently remove the connection on the Gateway. Instead, the Client is still able to send packets by they'll be dropped because we don't have a peer state anymore. 1. If a Gateway gets restarted due to e.g. an upgrade or other maintenance work, it loses all its connections and every Client needs to wait for the ICE timeout (~15 seconds) before it can establish a new one. 1. If a Client has its access revoked for all resources it has access to in a particular site we also don't remove this connection, even though it has become practically useless. All of these cases are fixed with this PR. Here we introduce a way to gracefully shutdown a connection without forcing the other side into an ICE timeout. The graceful connection shutdown works by introducing a new "goodbye" p2p control protocol message. Like all our p2p control protocol messages, this is based on IP and therefore delivery is not guaranteed. In other words, this "goodbye" message is sent on a best-effort basis. In the case of shutdown, the Gateway will wait for all UDP packets to be flushed but will not resend them or wait for an ACK. If either end receives such a "goodbye" message, they simply remove the local peer and connection state just as if the connection would have failed due to either ICE or WireGuard. For the Client, this means that the next packet for a resource will trigger a new access authorization request. |
||
|
dependabot[bot]
|
289c87e227 |
build(deps): bump arboard from 3.6.0 to 3.6.1 in /rust (#10250)
Bumps [arboard](https://github.com/1Password/arboard) from 3.6.0 to 3.6.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/1Password/arboard/releases">arboard's releases</a>.</em></p> <blockquote> <h2>v3.6.1</h2> <p>This release focuses on improving compatibility with data in the real world and bug fixes. It also includes a new <code>Set</code> API for working with file paths via drag-and-drop interfaces across Linux, macOS, and Windows.</p> <p>This release also marks the start of exclusively publishing changelogs via GitHub Releases. The old <code>CHANGELOG.md</code> has been removed due to maintenance overhead and duplication. <a href="https://github.com/1Password/arboard/releases/tag/v3.6.0">v3.6.0</a> is the last revision to include this file.</p> <h3>Added</h3> <ul> <li>Add support for pasting lists of files via <code>Set::file_list</code> interface by <a href="https://github.com/Gae24"><code>@Gae24</code></a> in <a href="https://redirect.github.com/1Password/arboard/pull/181">1Password/arboard#181</a></li> <li>Support <code>windows-sys</code> 0.60 in <code>arboard</code>'s allowed version range by <a href="https://github.com/complexspaces"><code>@complexspaces</code></a> in <a href="https://redirect.github.com/1Password/arboard/pull/201">1Password/arboard#201</a></li> </ul> <h3>Changed</h3> <ul> <li>Fix grammar and typos by <a href="https://github.com/complexspaces"><code>@complexspaces</code></a> and <a href="https://github.com/gagath"><code>@gagath</code></a> in <a href="https://redirect.github.com/1Password/arboard/pull/194">1Password/arboard#194</a> and <a href="https://redirect.github.com/1Password/arboard/pull/196">1Password/arboard#196</a></li> <li>Prefer PNG when pasting images on Windows by <a href="https://github.com/wcassels"><code>@wcassels</code></a> in <a href="https://redirect.github.com/1Password/arboard/pull/198">1Password/arboard#198</a> <ul> <li>Note: This change greatly increases compatibility for "complicated" images that contain alpha values and/or transparent pixels. Support for transparency in <code>BITMAP</code> formats is ill-defined and inconsistently implemented in the wild, but is consistent in <code>PNG</code>. Most applications loading images onto the clipboard include <code>PNG</code>-encoded data already.</li> </ul> </li> <li>Bitmap images pasted on Windows now use the <code>image</code> crate instead of a homegrown internal parser. <ul> <li>This <strong>should not</strong> regress any existing Bitmap use cases and instead will provide more consistent and robust parsing. If you notice something now broken, please open an issue!</li> </ul> </li> </ul> <h3>Fixed</h3> <ul> <li>Remove silent dropping of file paths when non-UTF8 was mixed in on Linux by <a href="https://github.com/Gae24"><code>@Gae24</code></a> in <a href="https://redirect.github.com/1Password/arboard/pull/197">1Password/arboard#197</a></li> <li>Fix parsing of 24-bit bitmaps on Windows by <a href="https://github.com/wcassels"><code>@wcassels</code></a> in <a href="https://redirect.github.com/1Password/arboard/pull/198">1Password/arboard#198</a> <ul> <li>Example: Images with transparency copied by Firefox are now handled correctly, among others.</li> </ul> </li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/gagath"><code>@gagath</code></a> made their first contribution in <a href="https://redirect.github.com/1Password/arboard/pull/196">1Password/arboard#196</a></li> <li><a href="https://github.com/wcassels"><code>@wcassels</code></a> made their first contribution in <a href="https://redirect.github.com/1Password/arboard/pull/198">1Password/arboard#198</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/1Password/arboard/compare/v3.6.0...v3.6.1">https://github.com/1Password/arboard/compare/v3.6.0...v3.6.1</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
Thomas Eizinger
|
9cddfe59fa |
fix(rust): don't require Internet on startup (#10264)
With the introduction of the pre-resolved Sentry host, all Firezone clients now require Internet on startup. That is a signficant usability hit that we can easily fix by simply falling back to resolving the host on-demand. |
||
|
Jamil
|
275f38a828 |
chore(ci): copy staging artifacts to azure (#10269)
To deploy the relays on Azure, we need to make sure the binaries are copied there, similar to GCP. This adds a job step to do just that, placing them into a storage account + container using new infra provisioned in Azure. |