mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-01-27 10:18:54 +00:00
b3c2e54460edf7f85b906fcf46977e12faa63258
5781 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
b3c2e54460 |
feat(portal): New version of the WS control protocol (#6761)
TODOs: - [x] Switch to sending messages instead of replies - [ ] Do not hide pre-filtered resources and render them with an error instead (in case we will want to expose that on a client later) - [x] Figure out how to generate PSK so that it stays across WS connections |
||
|
|
a1ca33c753 |
build(deps): Bump tailwindcss from 3.4.10 to 3.4.14 in /website (#7050)
Bumps [tailwindcss](https://github.com/tailwindlabs/tailwindcss) from 3.4.10 to 3.4.14. |
||
|
|
850722d7ed |
build(deps-dev): Bump typescript from 5.5.4 to 5.6.3 in /website (#7053)
Bumps [typescript](https://github.com/microsoft/TypeScript) from 5.5.4 to 5.6.3. |
||
|
|
53f121f5c9 |
docs: Add known issue: Firefox not used on macOS for auth (#7074)
- Adds Firefox known auth issue - Removes stale known issues |
||
|
|
2ad65982f0 |
refactor(connlib): hardcode size of EncryptBuffer (#7042)
This buffer is effectively limited by the maximum size of our IP packets (which is guided by our interface MTU). Passing a length is unnecessarily abstract. For implementing DNS over TCP, we will need to encapsulate packets that are emitted by the `dns_over_tcp::Client` which requires creating such a buffer on the fly. In the future, we should probably consider also stack-allocating all our `Transmit`s so we can get rid of passing around this buffer altogether. |
||
|
|
d8cc4c7161 |
chore(rust): use latest main of smoltcp (#7062)
The last released version of `smoltcp` is `0.11.0`. That version is almost a year old. Since then, an important "bug" got fixed in the IPv6 handling code of `smoltcp`. In order to route packets to our interface, we define a dummy IPv4 and IPv6 address and create catch-all routes with our interface as the gateway. Together with `set_any_ip(true)`, this makes `smoltcp` accept any packet we pass to it. This is necessary because we don't directly connect `smoltcp` to the TUN device but rather have an `InMemoryDevice` where we explicitly feed certain packets to it. In the last released version, `smoltcp` only performs the above logic for IPv4. For IPv6, the additional check for "do we have a route that this packet matches" doesn't exist and thus no IPv6 traffic is accepted by `smoltcp`. Extracted out of #6944. |
||
|
|
c21bd18b62 |
refactor(connlib): explicitly define UDP DNS server resources (#7043)
Currently, in our tests, traffic that is targeted at a resource is handled "in-line" on the gateway. This doesn't really represent how the real world works. In the real world, the gateway uses the IP forwarding functionality of the Linux kernel and the corresponding NAT to send the IP packet to the actual resource. We don't want to implement this forwarding and NAT in the tests. However, our testing harness is about to get more sophisticated. We will be sending TCP DNS queries with #6944 and we want to test TCP and its traffic filters with #7003. The state of those TCP sockets needs to live _somewhere_. If we "correctly" model this and introduce some kind of `HashMap` with `dyn Resource` in `TunnelTest`, then we will have to actually implement NAT for those packets to ensure that e.g. the SYN-ACK of a TCP handshake makes it back to the correct(!) gateway. That is rather cumbersome. This PR suggests taking a shortcut there by associating the resources with each gateway individually. At present, all we have are UDP DNS servers. Those don't actually have any connection state themselves but putting them in place gives us a framework for where we can put connection-specific state. Most importantly, these resources MUST NOT hold application-specific state. Instead, that state needs to be kept in `ReferenceState` or `TunnelState` and passed in by reference, as we do here for the DNS records. This has effectively the same behaviour as correctly translating IP packets back and forth between resources and gateways. The packets "emitted" by a particular `UdpDnsServerResource` will always go back to the correct gateway. |
||
|
|
668aa1c40c |
fix(connlib): workaround smoltcp's time impurity (#7041)
The `smoltcp` crate has its own time-related types like `Instant` which are backed by a simple microsecond-based integer. It has an integration with `std::time::Instant` which we are currently using. That integration however is impure because it relies on `Instant::now`. To work around this, we initialise `smoltcp` with `Instant::ZERO` and keep our own `std::time::Instant` around. Using that, we always compute how much time has elapsed since we initialised `smoltcp` and pass the correct `Instant` to it. Whilst learning about this, I also discovered that `smoltcp` has the equivalent of `poll_timeout` so I went ahead and implemented that too. |
||
|
|
eedee56be2 |
chore(connlib): use proxy ip to match filters instead of translated (#6960)
Previously, when a gateway checked if a packet was allowed through, it used the real IP of the DNS resource that the client was trying to communicate with. The problem with this was that if there's an overlapping CIDR resource with the real IP this would allow a user to send packets using the filters for that resource instead of the DNS resource filters. This can be confusing for users as packets can flow unexpectedly to the resources even if the filter doesn't permit it, so we use the IP of the packet before we translate it to the real IP to match the filters. This doesn't change the security of this feature as a user can just change the IP of the packet with the dst of the DNS or the CIDR resource according to what they need. Fixes #6806 |
||
|
|
56701d3989 |
build(deps): Bump lycheeverse/lychee-action from 1.10.0 to 2.0.2 (#7046)
Bumps [lycheeverse/lychee-action](https://github.com/lycheeverse/lychee-action) from 1.10.0 to 2.0.2. |
||
|
|
8814dc8cdc |
chore(rust): specify exact version of tracing (#7037)
Because of the patch we apply, if we delete `Cargo.lock`, this line causes an error. Deleting `Cargo.lock` should be valid in general. --------- Signed-off-by: Reactor Scram <ReactorScram@users.noreply.github.com> |
||
|
|
40760869f7 |
refactor(connlib): lazily connect to upstream TCP DNS resolver (#7044)
In order to forward TCP DNS queries to custom resolvers that are also resources, `connlib` needs to establish its own TCP connection to that upstream server. In the current design of `dns_over_tcp::Client`, this connection gets established immediately as soon as we learn which upstream resolvers we need to use. This is problematic because the resolver might not **yet** be a resource. Resources can change at any point so until they are a resource, we don't actually need to establish a TCP connection. In fact, even if we wanted to, we couldn't because we can't map the resolver's IP to a `ResourceId`. TCP is a reliable transport so it will keep retrying to establish a connection until it eventually gives up. Not only is this wasteful but it also causes problems in our tests where we model how and when connections are established. Having a TCP stack within `connlib` that will retry to establish this connection messes up that model. To fix this, we change `connect_to_resolvers` to `set_resolvers`. This will still create the sockets and allocate the ports but leaves the socket in `Closed` state. We only issue a `connect` once we receive a query that we need to send to that resolver. |
||
|
|
bfb3250ae2 |
chore(ci/rust): build and test more packages in Windows (#7036)
Signed-off-by: Reactor Scram <ReactorScram@users.noreply.github.com> |
||
|
|
32afc945fd |
fix(phoenix-channel/test/windows): account for 15 ms timing granularity (#7061)
Closes #6953 - Increases heartbeat in unit test from 5 ms to 30 ms to avoid timer aliasing on Windows - Increases interval proportionally to 180 ms - Corrects measurement of elapsed time for `returns_heartbeat_after_interval`. The first `heartbeat.poll` seems to consume a few ms, which can cause a false test failure |
||
|
|
3c4db73946 |
feat(portal): Show client OS and version (#7039)
Closes #6157 |
||
|
|
3567399efe |
fix(portal): Remove extra space before a link (#7040)
|
||
|
|
69c3009949 |
build(deps-dev): Bump typescript from 5.6.2 to 5.6.3 in /rust/gui-client (#7051)
Bumps [typescript](https://github.com/microsoft/TypeScript) from 5.6.2 to 5.6.3. |
||
|
|
d17a78f4c2 |
build(deps-dev): Bump @types/node from 22.7.4 to 22.7.5 in /rust/gui-client (#7055)
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 22.7.4 to 22.7.5. Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
45acfce08c |
build(deps): Bump tempfile from 3.12.0 to 3.13.0 in /rust (#7054)
Bumps [tempfile](https://github.com/Stebalien/tempfile) from 3.12.0 to 3.13.0. |
||
|
|
c0955811f1 |
build(deps): Bump lru from 0.12.4 to 0.12.5 in /rust (#7029)
Bumps [lru](https://github.com/jeromefroe/lru-rs) from 0.12.4 to 0.12.5. |
||
|
|
b4cef7fe75 |
build(deps-dev): Bump tailwindcss from 3.4.13 to 3.4.14 in /rust/gui-client (#7052)
Bumps [tailwindcss](https://github.com/tailwindlabs/tailwindcss) from 3.4.13 to 3.4.14. |
||
|
|
786fbc6689 |
chore(gui-client): delete GTK+ and Iced prototypes (#7035)
We don't need these since Tauri v2 looks like it's about to succeed, and keeping packages outside of the workspace has been breaking dependabot PRs |
||
|
|
dbe618c080 |
refactor(connlib): expose &mut TRoleState for direct access (#7026)
Currently, we have a lot of stupid code to forward data from the
`{Client,Gateway}Tunnel` interface to `{Client,Gateway}State`. Recent
refactorings such as #6919 made it possible to get rid of this
forwarding layer by directly exposing `&mut TRoleState`.
To maintain some type-privacy, several functions are made generic to
accept `impl Into` or `impl TryInto`.
|
||
|
|
b1e631dd00 |
fix(connlib): always use ephemeral ports for TCP connections (#7025)
The ports < 1024 are reserved and should not be used for outbound TCP connections. Generally, a port from the ephemeral port range should be used for that. To enforce this, we move the port range of the `dns_over_tcp::Client` to const-generics. At present, `connlib` only uses a single port range so we set those as the default too. |
||
|
|
6e0194f786 |
refactor(connlib): mangle UDP DNS query via tunnel earlier (#7023)
UDP DNS queries for upstream resolvers that happen to be resources need to be sent through the tunnel. For that to work correctly, `connlib` needs to rewrite the IP header such that the destination IP points to the actual address of the DNS server. Currently, this happens rather "late" in the processing of the packets, i.e. after `try_handle_dns` has returned (where that decision is actually made). This is rather confusing and also forces us to re-parse the packet as a DNS packet at a later stage. To avoid this, we move the main functionality of `maybe_mangle_dns_query_to_cidr_resource` into the branch where `connlib`'s stub DNS resolver tells us that the query needs to be forwarded via the tunnel. With the upcoming support of TCP DNS queries, we will have a 2nd source of IP packets that need to go through the tunnel: Packets emitted from our internal TCP stack. Attempting to perform the same post-processing on these TCP packets as we do with UDP is rather confusing, which is why we want to remove this step from the `encapsulate` function. Resolves: #5391. |
||
|
|
8163c8567c |
refactor(connlib): clarify TUN and network input functions (#7022)
Within `connlib`, the `encapsulate` and `decapsulate` functions on `ClientState` and `GatewayState` are the entrypoint for sending and receiving network traffic. For example, IP packets read from the TUN device are processed using these functions. Not all packets / traffic passed to these functions is meant to be encrypted. Some of it is TURN traffic with relays, some of it is DNS traffic that we intercept. To clarify this, we rename these functions to `handle_tun_input` and `handle_network_input`. As part of this clarification, we also call `handle_timeout` in case we don't emit a decrypted IP packet when handling network input. Once we support DNS over TCP (#6944), some IP packets sent through the tunnel will originate from DNS servers that we forwarded queries to. In that case, those responses will be handled by `connlib`'s internal TCP stack and thus not produce a decrypted IP packet. To correctly advance the state in this case, we mirror what we already do for `handle_tun_input` and call `handle_timeout` if `handle_network_input` yields `None`. |
||
|
|
28c8b676fb |
build(deps): Bump axum from 0.7.6 to 0.7.7 in /rust (#6871)
Bumps [axum](https://github.com/tokio-rs/axum) from 0.7.6 to 0.7.7. |
||
|
|
aee5019329 |
ci: enable unstable tokio logging for tests (#7038)
Hopefully helps in debugging #6953. |
||
|
|
539b1c4f00 |
chore(connlib): don't respond on UDP DNS timeouts (#7020)
When handling DNS queries, `connlib` tries to be as transparent as possible. For this reason, we byte-for-byte forward the DNS response from the upstream resolver to the original source socket. In #6999, we started modelling these DNS queries as explicit tasks in preparation for DNS over TCP and DNS over HTTPS. As part of that, we create a DNS response for _every_ IO error we encounter as part of the recursive query. This includes timeouts, i.e. when we don't receive a response at all. That actually breaks the rule of "be a transparent DNS proxy". In this PR, we slightly refactor the handling of the DNS response to explicitly match on `io::ErrorKind::TimedOut` to not send a packet back, thus mirroring the behaviour the DNS client would encounter without Firezone being active. |
||
|
|
2ab70c2f27 |
feat(portal): Add flash asking people to deploy more than 1 gateway to a site (#7034)
This should help with showcasing core features of our product and to increase their adoption. Closes #5009 |
||
|
|
7245652671 |
fix(portal): Make sure modals start with Confirm.. (#7032)
Closes #6713 |
||
|
|
f89cc67fda |
fix(portal): Fix copy-paste buttons (#7033)
- Added semi-transparent shadow to the button so that it's more visible when text is overlapping it. Padding did not look well because it required scrollbar to be moved inside the parent container and it looked very ugly - Replaced custom phx hook with a new native Tailwind component Closes #5973 |
||
|
|
05e895525b |
chore: set simpler default log filters (#7028)
Follow-up from #6985 to simplify our log filters everywhere. If any of
this doesn't fit, we should adjust the things here:
|
||
|
|
f9bf681e64 |
refactor(connlib): track UDP DNS query source in query meta data (#7018)
When performing recursive DNS queries over UDP, `connlib` needs to remember the original source socket a particular query came from in order to send the response back to the correct socket. Until now, this was tracked in a separate `HashMap`, indexed by upstream server and query ID. When DNS queries are being retried, they may be resent using the same query ID, causing "Unknown query" logs if the retry happens on a shorter interval than the timeout of our recursive query. We are already tracking a bunch of meta data alongside the actual query, meaning we can just as easily add the original source socket to that as well. Once we add TCP DNS queries, we will need to track the handle of the TCP socket in a similar manner. |
||
|
|
857bbf5d98 |
chore(connlib): introduce custom logging format (#7024)
This PR introduces a custom logging format for all Rust-components. It is more or less a copy of `tracing_subscriber::fmt::format::Compact` with the main difference that span-names don't get logged. Spans are super useful because they allow us to record contextual values, like the current connection ID, for a certain scope. What is IMO less useful about them is that in the default formatter configuration, active spans cause a right-drift of the actual log message. The actual log message is still what most accurately describes what `connlib` is currently doing. Spans only add contextual information that the reader may use to further understand what is happening. This optional nature of the utility of spans IMO means that they should come _after_ the actual log message. Resolves: #7014. |
||
|
|
1abfa10fb7 |
fix(portal): UX improvements (#7013)
This PR accumulates lots of small UX fixes from #6645. --------- Co-authored-by: Jamil Bou Kheir <jamilbk@users.noreply.github.com> |
||
|
|
ce11f26fca | chore(ci): Bump website deps (#7017) | ||
|
|
6415ef64c1 |
docs: Document how device serial is read (#6875)
refs #6837 --------- Signed-off-by: Jamil <jamilbk@users.noreply.github.com> Co-authored-by: Andrew Dryga <a@firezone.dev> |
||
|
|
41d1916cc7 |
fix(portal): Fix outdated gateway notification to respect enable/disable status (#7016)
Realized the enable/disable setting wasn't being respected for the outdated gateway notification. This PR should fix that issue. |
||
|
|
67462f73ad |
build(deps): Bump hashicorp/null from 3.2.2 to 3.2.3 in /terraform/environments/staging (#6888)
Bumps [hashicorp/null](https://github.com/hashicorp/terraform-provider-null) from 3.2.2 to 3.2.3.
Release notes
*Sourced from [hashicorp/null's releases](https://github.com/hashicorp/terraform-provider-null/releases).*
**v3.2.3**
NOTES:
- all: This release introduces no functional changes. It does however include dependency updates which address upstream CVEs. ([#366](https://redirect.github.com/hashicorp/terraform-provider-null/issues/366))

Changelog
*Sourced from [hashicorp/null's changelog](https://github.com/hashicorp/terraform-provider-null/blob/main/CHANGELOG.md).*
**3.2.3 (September 11, 2024)**
NOTES:
- all: This release introduces no functional changes. It does however include dependency updates which address upstream CVEs. ([#366](https://redirect.github.com/hashicorp/terraform-provider-null/issues/366)) |
||
|
|
53f1bb0f78 |
build(deps): Bump hashicorp/tls from 4.0.5 to 4.0.6 in /terraform/environments/staging (#6887)
Bumps [hashicorp/tls](https://github.com/hashicorp/terraform-provider-tls) from 4.0.5 to 4.0.6.
Release notes
*Sourced from [hashicorp/tls's releases](https://github.com/hashicorp/terraform-provider-tls/releases).*
**v4.0.6**
NOTES:
- all: This release introduces no functional changes. It does however include dependency updates which address upstream CVEs. ([#552](https://redirect.github.com/hashicorp/terraform-provider-tls/issues/552))

Changelog
*Sourced from [hashicorp/tls's changelog](https://github.com/hashicorp/terraform-provider-tls/blob/main/CHANGELOG.md).*
**4.0.6 (September 11, 2024)**
NOTES:
- all: This release introduces no functional changes. It does however include dependency updates which address upstream CVEs. ([#552](https://redirect.github.com/hashicorp/terraform-provider-tls/issues/552)) |
||
|
|
3c86d519fc |
build(deps): Bump cyrilgdn/postgresql from 1.22 to 1.23.0 in /terraform/environments/staging (#6886)
Bumps [cyrilgdn/postgresql](https://github.com/cyrilgdn/terraform-provider-postgresql) from 1.22 to 1.23.0.
Release notes
*Sourced from [cyrilgdn/postgresql's releases](https://github.com/cyrilgdn/terraform-provider-postgresql/releases).*
**v1.23.0**
**What's Changed**
- **Add support for GCP IAM impersonation by [`@michaellzc`](https://github.com/michaellzc) in [cyrilgdn/terraform-provider-postgresql#448](https://redirect.github.com/cyrilgdn/terraform-provider-postgresql/pull/448)**
- **postgresql_database: Reassign objects owners if database owner changes by [`@lukaalba`](https://github.com/lukaalba) in [cyrilgdn/terraform-provider-postgresql#458](https://redirect.github.com/cyrilgdn/terraform-provider-postgresql/pull/458)**
- update documentation by [`@manu-akw`](https://github.com/manu-akw) in [cyrilgdn/terraform-provider-postgresql#455](https://redirect.github.com/cyrilgdn/terraform-provider-postgresql/pull/455)
- build(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.3.0 to 1.6.0 by [`@dependabot`](https://github.com/dependabot) in [cyrilgdn/terraform-provider-postgresql#447](https://redirect.github.com/cyrilgdn/terraform-provider-postgresql/pull/447)
- build(deps): bump google.golang.org/protobuf from 1.31.0 to 1.33.0 by [`@dependabot`](https://github.com/dependabot) in [cyrilgdn/terraform-provider-postgresql#421](https://redirect.github.com/cyrilgdn/terraform-provider-postgresql/pull/421)

**New Contributors**
- [`@manu-akw`](https://github.com/manu-akw) made their first contribution in [cyrilgdn/terraform-provider-postgresql#455](https://redirect.github.com/cyrilgdn/terraform-provider-postgresql/pull/455)
- [`@michaellzc`](https://github.com/michaellzc) made their first contribution in [cyrilgdn/terraform-provider-postgresql#448](https://redirect.github.com/cyrilgdn/terraform-provider-postgresql/pull/448)
- [`@lukaalba`](https://github.com/lukaalba) made their first contribution in [cyrilgdn/terraform-provider-postgresql#458](https://redirect.github.com/cyrilgdn/terraform-provider-postgresql/pull/458)

**Full Changelog**: [https://github.com/cyrilgdn/terraform-provider-postgresql/compare/v1.22.0...v1.23.0](https://github.com/cyrilgdn/terraform-provider-postgresql/compare/v1.22.0...v1.23.0) |
||
|
|
4133c3fe65 |
build(deps): Bump cyrilgdn/postgresql from 1.22.0 to 1.23.0 in /terraform/environments/production (#6879)
Bumps [cyrilgdn/postgresql](https://github.com/cyrilgdn/terraform-provider-postgresql) from 1.22.0 to 1.23.0.
Release notes
*Sourced from [cyrilgdn/postgresql's releases](https://github.com/cyrilgdn/terraform-provider-postgresql/releases).*
**v1.23.0**
**What's Changed**
- **Add support for GCP IAM impersonation by [`@michaellzc`](https://github.com/michaellzc) in [cyrilgdn/terraform-provider-postgresql#448](https://redirect.github.com/cyrilgdn/terraform-provider-postgresql/pull/448)**
- **postgresql_database: Reassign objects owners if database owner changes by [`@lukaalba`](https://github.com/lukaalba) in [cyrilgdn/terraform-provider-postgresql#458](https://redirect.github.com/cyrilgdn/terraform-provider-postgresql/pull/458)**
- update documentation by [`@manu-akw`](https://github.com/manu-akw) in [cyrilgdn/terraform-provider-postgresql#455](https://redirect.github.com/cyrilgdn/terraform-provider-postgresql/pull/455)
- build(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.3.0 to 1.6.0 by [`@dependabot`](https://github.com/dependabot) in [cyrilgdn/terraform-provider-postgresql#447](https://redirect.github.com/cyrilgdn/terraform-provider-postgresql/pull/447)
- build(deps): bump google.golang.org/protobuf from 1.31.0 to 1.33.0 by [`@dependabot`](https://github.com/dependabot) in [cyrilgdn/terraform-provider-postgresql#421](https://redirect.github.com/cyrilgdn/terraform-provider-postgresql/pull/421)

**New Contributors**
- [`@manu-akw`](https://github.com/manu-akw) made their first contribution in [cyrilgdn/terraform-provider-postgresql#455](https://redirect.github.com/cyrilgdn/terraform-provider-postgresql/pull/455)
- [`@michaellzc`](https://github.com/michaellzc) made their first contribution in [cyrilgdn/terraform-provider-postgresql#448](https://redirect.github.com/cyrilgdn/terraform-provider-postgresql/pull/448)
- [`@lukaalba`](https://github.com/lukaalba) made their first contribution in [cyrilgdn/terraform-provider-postgresql#458](https://redirect.github.com/cyrilgdn/terraform-provider-postgresql/pull/458)

**Full Changelog**: [https://github.com/cyrilgdn/terraform-provider-postgresql/compare/v1.22.0...v1.23.0](https://github.com/cyrilgdn/terraform-provider-postgresql/compare/v1.22.0...v1.23.0) |
||
|
|
189a70c75f |
build(deps): Bump hashicorp/tls from 4.0.5 to 4.0.6 in /terraform/environments/production (#6878)
Bumps [hashicorp/tls](https://github.com/hashicorp/terraform-provider-tls) from 4.0.5 to 4.0.6.
Release notes
*Sourced from [hashicorp/tls's releases](https://github.com/hashicorp/terraform-provider-tls/releases).*
**v4.0.6**
NOTES:
- all: This release introduces no functional changes. It does however include dependency updates which address upstream CVEs. ([#552](https://redirect.github.com/hashicorp/terraform-provider-tls/issues/552))

Changelog
*Sourced from [hashicorp/tls's changelog](https://github.com/hashicorp/terraform-provider-tls/blob/main/CHANGELOG.md).*
**4.0.6 (September 11, 2024)**
NOTES:
- all: This release introduces no functional changes. It does however include dependency updates which address upstream CVEs. ([#552](https://redirect.github.com/hashicorp/terraform-provider-tls/issues/552)) |
||
|
|
bddae223c5 |
build(deps): Bump hashicorp/random from 3.6.2 to 3.6.3 in /terraform/environments/production (#6877)
Bumps [hashicorp/random](https://github.com/hashicorp/terraform-provider-random) from 3.6.2 to 3.6.3.
Release notes
*Sourced from [hashicorp/random's releases](https://github.com/hashicorp/terraform-provider-random/releases).*
**v3.6.3**
NOTES:
- all: This release introduces no functional changes. It does however include dependency updates which address upstream CVEs. ([#604](https://redirect.github.com/hashicorp/terraform-provider-random/issues/604))

Changelog
*Sourced from [hashicorp/random's changelog](https://github.com/hashicorp/terraform-provider-random/blob/main/CHANGELOG.md).*
**3.6.3 (September 11, 2024)**
NOTES:
- all: This release introduces no functional changes. It does however include dependency updates which address upstream CVEs. ([#604](https://redirect.github.com/hashicorp/terraform-provider-random/issues/604)) |
||
|
|
a1f4eaf5d3 |
fix(ci): Bump terraform to fix CI (#7012)
The versions used in CI and in our config need to match. |
||
|
|
9302331881 |
refactor(connlib): create new UDP socket for each DNS query (#6999)
This extracts the initial refactoring required for #6944. Currently, `connlib` sends all DNS queries over the same UDP socket as all the p2p traffic for gateways and relays. In an earlier design of `connlib`, we already did something similar to what we are doing here but using `hickory_resolver` for the actual DNS resolution. Instead of depending on hickory, we implement DNS resolution ourselves by sending a UDP DNS query to the mapped upstream DNS server. There are no retries; instead, we rely on the original DNS client to retry in case a packet gets lost on the way. Modelling recursive DNS queries as explicit events from the `ClientState` is necessary for implementing DNS over TCP and DNS over HTTPS. In both cases, the query to the upstream server isn't as simple as emitting a `Transmit`. By modelling the query as an `async fn` within `Io`, it will be possible to perform them all in one place. Resolves: #6297. |
||
|
|
274cc86557 |
chore(connlib): add sans-IO DNS-over-TCP client (#7007)
This brings us one step closer to completing #6140. In Firezone, users can define custom upstream DNS servers that take priority over system-defined DNS servers. The IPs of these servers could also be resources, meaning the DNS queries must be sent through the WireGuard tunnel to the gateway. For UDP DNS queries, that is easy because each query is only a single packet. For TCP DNS queries, we need to have a dedicated TCP-capable DNS server that parses all incoming queries. If they are required to be forwarded to the gateway, we then need a TCP-capable DNS client that can send them to the actual upstream DNS server. This PR implements such a DNS client. The design is tailored for what we need in `connlib`: We maintain a permanent TCP connection to each upstream DNS server and send queries to them. Most likely, users will only have a handful of DNS servers defined. TCP requires a three-way handshake before any application data can be sent; maintaining a connection should therefore greatly improve DNS resolution latency. DNS resolvers are encouraged to keep TCP connections open but may close them if they run out of resources. We only re-connect once we have more queries to send in order to not spam the resolver with connections. Resolves: #7000. --------- Signed-off-by: Thomas Eizinger <thomas@eizinger.io> |
||
|
|
7838da9739 |
fix(portal): Prevent upstream DNS config from using sentinel CIDR ranges (#7010)
Closes #6962 |
||
|
|
f1cd137e24 |
feat(rust/gui-client/windows): sign the IPC service exe (#7009)
Closes #7008. We already signed the GUI exe and the entire MSI package, but when adding the IPC service we overlooked that one. This PR:
- Modifies the signing script to accept multiple EXEs
- Modifies the Tauri bundle command to sign both exes
- Updates the changelog |