The `connlib-shared` crate has become a bit of a dependency magnet
without a clear purpose. It hosts utilities like `get_user_agent`,
messages for the client and gateway to communicate with the portal and
domain types like `ResourceId`.
To create a better dependency structure in our workspace, we repurpose
`connlib-shared` as a `connlib-model` crate. Its purpose is to host
domain-specific model types that multiple crates may want to use. For
that purpose, we rename the `callbacks::ResourceDescription` type to
`ResourceView`, designating that this is a _view_ onto a resource as
seen by `connlib`. The message types which currently double up as
connlib-internal model thus become an implementation detail of
`firezone-tunnel` and shouldn't be used for anything else.
---------
Signed-off-by: Reactor Scram <ReactorScram@users.noreply.github.com>
Co-authored-by: Reactor Scram <ReactorScram@users.noreply.github.com>
Extracted from #6838
This leads to extra cloning of strings, but if there's less than 1,000
Resources and the tray doesn't update often, it should be fine. We can
sample performance with sentry.io if we're worried.
As part of iterating on the correct approach in #6857, we at some point
removed the hashing of the Firezone-generated device ID. This will break
customers because all of the device IDs as seen by the portal are
changing.
We've since settled on a different approach for device verification. To
not break anyone, we are re-introducing hashing of the device ID.
Related: #6857.
When debugging DNS-related issues, it is useful to see all DNS queries
that go into `connlib` and the responses that we generate. Analogous to
the `wire::net` and `wire::dev` TRACE logs, we introduce `wire::dns`
which logs incoming queries and the responses on TRACE. The output looks
like this:
```
2024-10-02T00:16:47.522847Z TRACE wire::dns::qry: A caldav.fastmail.com qid=55845
2024-10-02T00:16:47.522926Z TRACE wire::dns::qry: AAAA caldav.fastmail.com qid=56277
2024-10-02T00:16:47.531347Z TRACE wire::dns::res: AAAA caldav.fastmail.com => [] qid=56277 rcode=NOERROR
2024-10-02T00:16:47.538984Z TRACE wire::dns::res: A caldav.fastmail.com => [103.168.172.46 | 103.168.172.61] qid=55845 rcode=NOERROR
2024-10-02T00:16:47.580237Z TRACE wire::dns::qry: HTTPS cloudflare-dns.com qid=21518
2024-10-02T00:16:47.580338Z TRACE wire::dns::qry: A example.org qid=35459
2024-10-02T00:16:47.580364Z TRACE wire::dns::qry: AAAA example.org qid=60073
2024-10-02T00:16:47.580699Z TRACE wire::dns::qry: AAAA ipv4only.arpa qid=17280
2024-10-02T00:16:47.580782Z TRACE wire::dns::qry: A ipv4only.arpa qid=47215
2024-10-02T00:16:47.581134Z TRACE wire::dns::qry: A detectportal.firefox.com qid=34970
2024-10-02T00:16:47.581261Z TRACE wire::dns::qry: AAAA detectportal.firefox.com qid=39505
2024-10-02T00:16:47.609502Z TRACE wire::dns::res: AAAA example.org => [2606:2800:21f:cb07:6820:80da:af6b:8b2c] qid=60073 rcode=NOERROR
2024-10-02T00:16:47.609640Z TRACE wire::dns::res: AAAA ipv4only.arpa => [] qid=17280 rcode=NOERROR
2024-10-02T00:16:47.610407Z TRACE wire::dns::res: A ipv4only.arpa => [192.0.0.170 | 192.0.0.171] qid=47215 rcode=NOERROR
2024-10-02T00:16:47.617952Z TRACE wire::dns::res: HTTPS cloudflare-dns.com => [1 alpn=h3,h2 ipv4hint=104.16.248.249,104.16.249.249 ipv6hint=2606:4700::6810:f8f9,2606:4700::6810:f9f9] qid=21518 rcode=NOERROR
2024-10-02T00:16:47.631124Z TRACE wire::dns::res: A example.org => [93.184.215.14] qid=35459 rcode=NOERROR
2024-10-02T00:16:47.640286Z TRACE wire::dns::res: AAAA detectportal.firefox.com => [detectportal.prod.mozaws.net. | prod.detectportal.prod.cloudops.mozgcp.net. | 2600:1901:0:38d7::] qid=39505 rcode=NOERROR
2024-10-02T00:16:47.641332Z TRACE wire::dns::res: A detectportal.firefox.com => [detectportal.prod.mozaws.net. | prod.detectportal.prod.cloudops.mozgcp.net. | 34.107.221.82] qid=34970 rcode=NOERROR
2024-10-02T00:16:48.737608Z TRACE wire::dns::qry: AAAA myfiles.fastmail.com qid=52965
2024-10-02T00:16:48.737710Z TRACE wire::dns::qry: A myfiles.fastmail.com qid=5114
2024-10-02T00:16:48.745282Z TRACE wire::dns::res: AAAA myfiles.fastmail.com => [] qid=52965 rcode=NOERROR
2024-10-02T00:16:49.027932Z TRACE wire::dns::res: A myfiles.fastmail.com => [103.168.172.46 | 103.168.172.61] qid=5114 rcode=NOERROR
2024-10-02T00:16:49.190054Z TRACE wire::dns::qry: HTTPS github.com qid=64696
2024-10-02T00:16:49.190171Z TRACE wire::dns::qry: A github.com qid=11912
2024-10-02T00:16:49.190502Z TRACE wire::dns::res: A github.com => [100.96.0.1 | 100.96.0.2 | 100.96.0.3 | 100.96.0.4] qid=11912 rcode=NOERROR
2024-10-02T00:16:49.190619Z TRACE wire::dns::qry: A github.com qid=63366
2024-10-02T00:16:49.190730Z TRACE wire::dns::res: A github.com => [100.96.0.1 | 100.96.0.2 | 100.96.0.3 | 100.96.0.4] qid=63366 rcode=NOERROR
```
As with the other filters, seeing both queries and responses can be
achieved with `RUST_LOG=wire::dns=trace`. If you are only interested in
the responses, you can activate a more specific log filter using
`RUST_LOG=wire::dns::res=trace`. All responses also print the original
query that they are answering.
Resolves: #6862.
Our relays are essential for connectivity because they also perform STUN
for us through which we learn our server-reflexive address. Thus, we
must at all times have at least one relay that we can reach in order to
establish a connection.
The portal tracks the connectivity to the relays for us and in case any
of them go down, sends us a `relays_presence` message, meaning we can
stop using that relay and migrate any relayed connections to a new one.
This works well for as long as we are connected to the portal while the
relay is rebooting / going-down. If we are not currently connected to
the portal and a relay we are using reboots, we don't learn about it. At
least if we are actively using it, the connection will fail and further
attempted communication with the relay will time-out and we will stop
using it.
In case we aren't currently using the relay, this gets a bit trickier.
If we aren't using the relay but it rebooted while we were partitioned
from the portal, logging in again might return the same relay to us in
the `init` message, but this time with different credentials.
The first bug that we are fixing in this PR is that we previously
ignored those credentials because we already knew about the relay,
thinking that we can still use our existing credentials. The fix here is
to also compare the credentials and ditch the local state if they
differ.
The second bug identified during fixing the first one is that we need to
pro-actively probe whether all other relays that we know about are
actually still responsive. For that, we issue a `REFRESH` message to
them. If that one times-out or fails otherwise, we will remove that one
from our list of `Allocation`s too.
To fix the 2nd bug, several changes were necessary:
1. We lower the log-level of `Disconnecting from relay` from ERROR to
WARN. Any ERROR emitted during a test-run fails our test-suite which is
what partially motivated this. The test suite builds on the assumption
that ERRORs are fatal and thus should never happen during our tests.
This change surfaces that disconnecting from a relay can indeed happen
during normal operation, which justifies lowering this to WARN. Users
should at the minimum monitor on WARN to be alerted about problems.
2. We reduce the total backoff duration for requests to relays from 60s
to 10s. The current 60s result in total of 8 retries. UDP is unreliable
but it isn't THAT unreliable to justify retrying everything for 60s. We
also use a 10s timeout for ICE, which means these are now aligned to
better match each other. We had to change the max backoff duration
because we only idle-spin for at most 10s in the tests and thus the
current 60s were too long to detect that a relay actually disappeared.
3. We had to shuffle around some function calls to make sure all
intermediary event buffers are emptied at the right point in time to
make the test deterministic.
Fixes: #6648.
We want to associate additional device information for the device
verification, these are all parameters that tries to uniquely identify
the hardware.
For that reason we read system information and send it as part of the
query params to the portal, that way the portal can store this when
device is verified and match against that later on.
These are the parameters according to each platform:
|Platform|Query Field|Field Meaning|
|-----|----|-----|
|MacOS|`device_serial`|Hardware's Serial|
|MacOS| `device_uuid`|Hardware's UUID|
|iOS|`identifier_for_vendor`| Identifier for vendor, resets only on
uninstall/install|
|Android|`firebase_installation_id`| Firebase installation ID, resets
only on uninstall/install|
|Windows|`device_serial`|Motherboard's Serial|
|Linux|`device_serial`|Motherboard's Serial|
Fixes#6837
When relays reboot or get redeployed, the portal sends us new relays to
use and or relays we should discontinue using. To be more efficient with
battery and network usage, `connlib` only ever samples a single relay
out of all existing ones for a particular connection.
In case of a network topology where we need to use relays, there are
situations we can end up in:
- The client connects to the gateway's relay, i.e. to the port the
gateway allocated on the relay.
- The gateway connects to the client's relay, i.e to the port the client
allocated on the relay.
When we detect that a relay is down, the party that allocated the port
will now immediately (once #6666 is merged). The other party needs to
wait until it receives the invalidated candidates from its peer.
Invalidating that candidate will also invalidate the currently nominated
socket and fail the connection. In theory at least. That only works if
there are no other candidates available to try.
This is where this patch becomes important. Say we have the following
setup:
- Client samples relay A.
- Gateway samples relay B.
- The nominated candidate pair is "client server-reflexive <=> relay B",
i.e. the client talks to the allocated port on the gateway.
Next:
1. Client and portal get network-partitioned.
2. Relay B disappears.
3. Relay C appears.
4. Relay A reboots.
5. Client reconnects.
At this point, the client is told by the portal to use relays A & C.
Note that relay A rebooted and thus the allocation previously present on
the client is no longer valid. With #6666, we will detect this by
comparing credentials & IPs. The gateway is being told about the same
relays and as part of that, tests that relay B is still there. It learns
that it isn't, invalidates the candidates which fails the connection to
the client (but only locally!).
Meanwhile, as part of the regular `init` procedure, the client made a
new allocation with relays A & C. Because it had previously selected
relay A for the connection with the gateway, the new candidates are
added to the agent, forming new pairs. The gateway has already given up
on this connection however so it won't ever answer these STUN requests.
Concurrently, the gateway's invalidated candidates arrive the client.
They however don't fail the connection because the client is probing the
newly added candidates. This creates a state mismatch between the client
and gateway that is only resolved after the candidates start timing out,
adding an additional delay during which the connection isn't working.
With this PR, we prevent this from happening by only ever adding new
candidates while we are still in the nomination process of a socket. In
theory, there exists a race condition in which we nominate a relay
candidate first and then miss out on a server-reflexive candidate not
being added. In practice, this won't happen because:
- Our host candidates are always available first.
- We learn server-reflexive candidates already as part of the initial
BINDING, before creating the allocation.
- We learn server-reflexive candidates from all relays, not just the one
that has been assigned.
Related: #6666.
Bumps [@tauri-apps/cli](https://github.com/tauri-apps/tauri) from 1.6.1
to 1.6.2.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/tauri-apps/tauri/releases"><code>@tauri-apps/cli</code>'s
releases</a>.</em></p>
<blockquote>
<h2><code>@tauri-apps/cli</code> v1.6.2</h2>
<h2>[1.6.2]</h2>
<h3>Dependencies</h3>
<ul>
<li>Upgraded to <code>tauri-cli@1.6.2</code></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="bd3c153145"><code>bd3c153</code></a>
Apply Version Updates From Current Changes (v1) (<a
href="https://redirect.github.com/tauri-apps/tauri/issues/11012">#11012</a>)</li>
<li><a
href="328b11f2cd"><code>328b11f</code></a>
fix(ci): increase timeout, cache updater fixtures</li>
<li><a
href="649e01f4e0"><code>649e01f</code></a>
fix(tests): start updater server once</li>
<li><a
href="02dfb0302f"><code>02dfb03</code></a>
fix(tests): use hyper instead of tiny-http to serve updates</li>
<li><a
href="963411a86a"><code>963411a</code></a>
chore(tests): enhance e2e test logs and delay for CI</li>
<li><a
href="70b852595a"><code>70b8525</code></a>
fix(ci): install webkit2gtk-4.1 for e2e tests</li>
<li><a
href="6d629cbf93"><code>6d629cb</code></a>
fix: integration tests</li>
<li><a
href="5f5c7c7a32"><code>5f5c7c7</code></a>
fix(ci): downgrade mac-notification-sys to 0.6.1</li>
<li><a
href="26d243f43a"><code>26d243f</code></a>
fix(core): <code>restart</code> cannot handle binary name change on
macOS (<a
href="https://redirect.github.com/tauri-apps/tauri/issues/10991">#10991</a>)</li>
<li><a
href="8a0e93b5d8"><code>8a0e93b</code></a>
fixes iframes in windows causes window.<strong>TAURI_INVOKE</strong> is
not a function err...</li>
<li>Additional commits viewable in <a
href="https://github.com/tauri-apps/tauri/compare/@tauri-apps/cli-v1.6.1...@tauri-apps/cli-v1.6.2">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [tailwindcss](https://github.com/tailwindlabs/tailwindcss) from
3.4.10 to 3.4.13.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/tailwindlabs/tailwindcss/releases">tailwindcss's
releases</a>.</em></p>
<blockquote>
<h2>v3.4.13</h2>
<h3>Fixed</h3>
<ul>
<li>Improve source glob verification performance (<a
href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/14481">#14481</a>)</li>
</ul>
<h2>v3.4.12</h2>
<h3>Fixed</h3>
<ul>
<li>Ensure using <code>@apply</code> with utilities that use
<code>@defaults</code> works with rules defined in the base layer when
using <code>optimizeUniversalDefaults</code> (<a
href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/14427">#14427</a>)</li>
</ul>
<h2>v3.4.11</h2>
<h3>Fixed</h3>
<ul>
<li>Allow <code>anchor-size(…)</code> in arbitrary values (<a
href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/14393">#14393</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/tailwindlabs/tailwindcss/blob/v3.4.13/CHANGELOG.md">tailwindcss's
changelog</a>.</em></p>
<blockquote>
<h2>[3.4.13] - 2024-09-23</h2>
<h3>Fixed</h3>
<ul>
<li>Improve source glob verification performance (<a
href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/14481">#14481</a>)</li>
</ul>
<h2>[3.4.12] - 2024-09-17</h2>
<h3>Fixed</h3>
<ul>
<li>Ensure using <code>@apply</code> with utilities that use
<code>@defaults</code> works with rules defined in the base layer when
using <code>optimizeUniversalDefaults</code> (<a
href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/14427">#14427</a>)</li>
</ul>
<h2>[3.4.11] - 2024-09-11</h2>
<h3>Fixed</h3>
<ul>
<li>Allow <code>anchor-size(…)</code> in arbitrary values (<a
href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/14393">#14393</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="ed3c5356b7"><code>ed3c535</code></a>
3.4.13</li>
<li><a
href="066ccf8894"><code>066ccf8</code></a>
Improve the performance when checking broad glob patterns. (<a
href="https://redirect.github.com/tailwindlabs/tailwindcss/issues/14481">#14481</a>)</li>
<li><a
href="e8614a268d"><code>e8614a2</code></a>
3.4.12</li>
<li><a
href="fe48ca83d8"><code>fe48ca8</code></a>
Insert <code>@defaults</code> at start of stylesheet (<a
href="https://redirect.github.com/tailwindlabs/tailwindcss/issues/14427">#14427</a>)</li>
<li><a
href="818d10ab84"><code>818d10a</code></a>
3.4.11</li>
<li><a
href="8dd9246a87"><code>8dd9246</code></a>
update changelog</li>
<li><a
href="6d9ae82ba3"><code>6d9ae82</code></a>
Allow <code>anchor-size(…)</code> in arbitrary values (<a
href="https://redirect.github.com/tailwindlabs/tailwindcss/issues/14393">#14393</a>)</li>
<li>See full diff in <a
href="https://github.com/tailwindlabs/tailwindcss/compare/v3.4.10...v3.4.13">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps
[@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node)
from 22.5.2 to 22.7.4.
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [flowbite](https://github.com/themesberg/flowbite) from 2.5.1 to
2.5.2.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/themesberg/flowbite/releases">flowbite's
releases</a>.</em></p>
<blockquote>
<h2>v2.5.2</h2>
<ul>
<li>release new <a
href="https://flowbite.com/docs/plugins/wysiwyg/">WYSIWYG text
editor</a> component</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="5c8df35e2b"><code>5c8df35</code></a>
docs(readme): add wysiwyg to readme</li>
<li><a
href="26cb313102"><code>26cb313</code></a>
Merge pull request <a
href="https://redirect.github.com/themesberg/flowbite/issues/971">#971</a>
from themesberg/wysiwyg</li>
<li><a
href="933b112fef"><code>933b112</code></a>
chore(wysiwyg) update to <code>v2.5.2</code></li>
<li><a
href="7aa2a6b366"><code>7aa2a6b</code></a>
feat(wysiwyg): finish the component</li>
<li><a
href="e799dc286e"><code>e799dc2</code></a>
feat(wysiwyg): add toggle buttons</li>
<li><a
href="30f5133ec3"><code>30f5133</code></a>
feat(wysiwyg): add next and prev cell navigation butoons</li>
<li><a
href="6e4cb24cf8"><code>6e4cb24</code></a>
feat(wysiwyg): set styles for currently selected cells</li>
<li><a
href="3d3261d3af"><code>3d3261d</code></a>
feat(wysiwyg): delete table feature and organise buttons</li>
<li><a
href="8270c05898"><code>8270c05</code></a>
feat(wysiwyg): add column and row behaviour actions</li>
<li><a
href="145f5617fb"><code>145f561</code></a>
docs(wysiwyg): write js behaviour docs</li>
<li>Additional commits viewable in <a
href="https://github.com/themesberg/flowbite/compare/v2.5.1...v2.5.2">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Closes#6873
The issue seems to be a race between flushing Sentry in the GUI process
and shutting down Firezone in the tunnel daemon (IPC service).
With this change, the GUI waits to hear `DisconnectedGracefully` from
the tunnel daemon before flushing Sentry, and the issue is prevented.
Adding the new state and new IPC message required small changes in
several places
---------
Signed-off-by: Reactor Scram <ReactorScram@users.noreply.github.com>
Co-authored-by: Thomas Eizinger <thomas@eizinger.io>
Bumps [derive_more](https://github.com/JelteF/derive_more) from 0.99.18
to 1.0.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/JelteF/derive_more/releases">derive_more's
releases</a>.</em></p>
<blockquote>
<h2>v1.0.0 - Finally a stable release</h2>
<p><code>derive_more</code> is a library that adds derives for many of
the standard library traits. By using this library the following code
just works:</p>
<pre lang="rust"><code>use derive_more::{Add, Display, From, Into};
<p>#[derive(PartialEq, From, Add)]
struct MyInt(i32);</p>
<p>#[derive(PartialEq, From, Into)]
struct Point2D {
x: i32,
y: i32,
}</p>
<p>#[derive(PartialEq, From, Add, Display)]
enum MyEnum {
#[display("int: {_0}")]
Int(i32),
Uint(u32),
#[display("nothing")]
Nothing,
}</p>
<p>assert!(MyInt(11) == MyInt(5) + 6.into());
assert!((5, 6) == Point2D { x: 5, y: 6 }.into());
assert!(MyEnum::Int(15) == (MyEnum::Int(8) + 7.into()).unwrap());
assert!(MyEnum::Int(15).to_string() == "int: 15");
assert!(MyEnum::Uint(42).to_string() == "42");
assert!(MyEnum::Nothing.to_string() == "nothing");
</code></pre></p>
<p>Now, more than 8 years after the first commit and almost 5 years
after the 0.99.0 release, <code>derive_more</code> has finally reached
its 1.0.0 release. This release contains a lot of changes (including
some breaking ones) to make it easier to use the derives and make it
possible to extend them without having to break backwards compatibility
again. There are five major changes that I would like to call out, but
there are many more changes that are documented below:</p>
<ol>
<li>There is a new <code>Debug</code> derive that can be used to easily
customize <code>Debug</code> formatting.</li>
<li>A greatly improved <code>Display</code> derive, which allows you to
do anything that <a
href="https://github.com/dtolnay/thiserror"><code>thiserror</code></a>
provides, but it works for any type not just errors. And by combining
the <code>Display</code> derive with the <code>Error</code> and
<code>From</code> derives, there shouldn't really be any need to use
<code>thiserror</code> anymore (if you are missing a feature/behaviour
from <code>thiserror</code> please report an issue).</li>
<li>Traits that can return errors now return a type that implements
<code>Error</code> when an error occurs instead of a <code>&'static
str</code>.</li>
<li>When using <code>use derive_more::SomeTrait</code> the actual trait
is also imported not just the derive macro. This is especially useful
for <code>Error</code> and
<code>Display</code></li>
<li>The docs are now rendered on docs.rs and are much better
overall.</li>
</ol>
<h3>Breaking changes</h3>
<ul>
<li>The minimum supported Rust version (MSRV) is now Rust 1.75.</li>
<li>Add the <code>std</code> feature which should be disabled in
<code>no_std</code> environments.</li>
<li>All Cargo features, except <code>std</code>, are now disabled by
default. The <code>full</code> feature can be used to get the old
behavior of supporting all possible derives.</li>
<li>The <code>TryFrom</code>, <code>Add</code>, <code>Sub</code>,
<code>BitAnd</code>, <code>BitOr</code>, <code>BitXor</code>,
<code>Not</code> and <code>Neg</code> derives now return a dedicated
error type instead of a <code>&'static str</code> on error.</li>
<li>The <code>FromStr</code> derive now uses a dedicated
<code>FromStrError</code> error type instead of generating unique one
each time.</li>
<li>The <code>Display</code> derive (and other <code>fmt</code>-like
ones) now uses <code>#[display("...",
(<expr>),*)]</code> syntax instead of <code>#[display(fmt =
"...", ("<expr>"),*)]</code>, and
<code>#[display(bound(<bound>))]</code> instead of
<code>#[display(bound = "<bound>")]</code>. So without
the double quotes around the expressions and bounds.</li>
<li>The <code>Debug</code> and <code>Display</code> derives (and other
<code>fmt</code>-like ones) now transparently delegate to the inner type
when <code>#[display("...", (<expr>),*)]</code>
attribute is trivially substitutable with a transparent call. (<a
href="https://redirect.github.com/JelteF/derive_more/pull/322">#322</a>)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/JelteF/derive_more/blob/master/CHANGELOG.md">derive_more's
changelog</a>.</em></p>
<blockquote>
<h2>1.0.0 - 2024-08-07</h2>
<p>More than 8 years after the first commit and almost 5 years after the
0.99.0
release, <code>derive_more</code> has finally reached its 1.0.0 release.
This release
contains a lot of changes (including some breaking ones) to make it
easier to
use the derives and make it possible to extend them without having to
break
backwards compatibility again. There are five major changes that I would
like
to call out, but there are many more changes that are documented
below:</p>
<ol>
<li>There is a new <code>Debug</code> derive that can be used to easily
customize <code>Debug</code>
formatting.</li>
<li>A greatly improved <code>Display</code> derive, which allows you to
do anything that
<a
href="https://github.com/dtolnay/thiserror"><code>thiserror</code></a>
provides, but it works
for any type not just errors. And by combining the <code>Display</code>
derive with the
<code>Error</code> and <code>From</code> derives, there shouldn't really
be any need to use
<code>thiserror</code> anymore (if you are missing a feature/behaviour
from <code>thiserror</code>
please report an issue).</li>
<li>Traits that can return errors now return a type that implements
<code>Error</code>
when an error occurs instead of a <code>&'static str</code>.</li>
<li>When using <code>use derive_more::SomeTrait</code> the actual trait
is also imported
not just the derive macro. This is especially useful for
<code>Error</code> and
<code>Display</code></li>
<li>The docs are now rendered on docs.rs and are much better
overall.</li>
</ol>
<h3>Breaking changes</h3>
<ul>
<li>The minimum supported Rust version (MSRV) is now Rust 1.75.</li>
<li>Add the <code>std</code> feature which should be disabled in
<code>no_std</code> environments.</li>
<li>All Cargo features, except <code>std</code>, are now disabled by
default. The <code>full</code>
feature can be used to get the old behavior of supporting all possible
derives.</li>
<li>The <code>TryFrom</code>, <code>Add</code>, <code>Sub</code>,
<code>BitAnd</code>, <code>BitOr</code>, <code>BitXor</code>,
<code>Not</code> and <code>Neg</code>
derives now return a dedicated error type instead of a
<code>&'static str</code> on
error.</li>
<li>The <code>FromStr</code> derive now uses a dedicated
<code>FromStrError</code> error type instead
of generating unique one each time.</li>
<li>The <code>Display</code> derive (and other <code>fmt</code>-like
ones) now uses
<code>#[display("...", (<expr>),*)]</code> syntax
instead of
<code>#[display(fmt = "...",
("<expr>"),*)]</code>, and
<code>#[display(bound(<bound>))]</code>
instead of <code>#[display(bound = "<bound>")]</code>.
So without the double quotes
around the expressions and bounds.</li>
<li>The <code>Debug</code> and <code>Display</code> derives (and other
<code>fmt</code>-like ones) now transparently
delegate to the inner type when <code>#[display("...",
(<expr>),*)]</code> attribute is
trivially substitutable with a transparent call.
(<a
href="https://redirect.github.com/JelteF/derive_more/pull/322">#322</a>)</li>
<li>The <code>DebugCustom</code> derive is renamed to just
<code>Debug</code> (gated now under a separate
<code>debug</code> feature), and its semantics were changed to be a
superset of <code>std</code> variant
of <code>Debug</code>.</li>
<li>The <code>From</code> derive doesn't derive
<code>From<()></code> for enum variants without any
fields anymore. This feature was removed because it was considered
useless in</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="d7f5b9e94d"><code>d7f5b9e</code></a>
chore: Release</li>
<li><a
href="40201b1e2e"><code>40201b1</code></a>
Update release date to be correct</li>
<li><a
href="88863ca4e6"><code>88863ca</code></a>
Update changelog wording</li>
<li><a
href="b713835894"><code>b713835</code></a>
Improve error when not enabling any features</li>
<li><a
href="330e4252fb"><code>330e425</code></a>
Order features in Cargo.toml alphabetically</li>
<li><a
href="84f2cbb05f"><code>84f2cbb</code></a>
Update README and CHANGELOG in preparation of 1.0.0</li>
<li><a
href="e8d60cf0e5"><code>e8d60cf</code></a>
Add compile_fail test for on purpose limited bounds (<a
href="https://redirect.github.com/JelteF/derive_more/issues/393">#393</a>,
<a
href="https://redirect.github.com/JelteF/derive_more/issues/392">#392</a>)</li>
<li><a
href="f665d18125"><code>f665d18</code></a>
Make anyhow reference a bit less strong</li>
<li><a
href="6d632b2db2"><code>6d632b2</code></a>
Add release announcement (<a
href="https://redirect.github.com/JelteF/derive_more/issues/390">#390</a>)</li>
<li><a
href="e87ab1315f"><code>e87ab13</code></a>
Don't create git tags for derive_more-impl (<a
href="https://redirect.github.com/JelteF/derive_more/issues/391">#391</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/JelteF/derive_more/compare/v0.99.18...v1.0.0">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Reactor Scram <ReactorScram@users.noreply.github.com>
Bumps
[sadness-generator](https://github.com/EmbarkStudios/crash-handling)
from 0.5.0 to 0.6.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/EmbarkStudios/crash-handling/releases">sadness-generator's
releases</a>.</em></p>
<blockquote>
<h2>sadness-generator-0.6.0</h2>
<h3>Changed</h3>
<ul>
<li>Update MSRV to 1.62.0</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="c61c72e0cf"><code>c61c72e</code></a>
chore: Release</li>
<li><a
href="a5553466de"><code>a555346</code></a>
chore: Release</li>
<li><a
href="45a469c86e"><code>45a469c</code></a>
chore: Release</li>
<li><a
href="d4d6f25cce"><code>d4d6f25</code></a>
chore: Release</li>
<li><a
href="7818928239"><code>7818928</code></a>
Update CHANGELOGs</li>
<li><a
href="e524a897c2"><code>e524a89</code></a>
Add heap corruption exception handling (<a
href="https://redirect.github.com/EmbarkStudios/crash-handling/issues/86">#86</a>)</li>
<li><a
href="065f3dd9c1"><code>065f3dd</code></a>
chore: Release</li>
<li><a
href="37e56acd3f"><code>37e56ac</code></a>
Update (<a
href="https://redirect.github.com/EmbarkStudios/crash-handling/issues/83">#83</a>)</li>
<li><a
href="3b77c9b00d"><code>3b77c9b</code></a>
chore: Release</li>
<li><a
href="d34d00bc51"><code>d34d00b</code></a>
chore: Release</li>
<li>Additional commits viewable in <a
href="https://github.com/EmbarkStudios/crash-handling/compare/sadness-generator-0.5.0...sadness-generator-0.6.0">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Reactor Scram <ReactorScram@users.noreply.github.com>
Closes#6854
- Sets release version from the GUI Client / Headless Client version
instead of the `firezone-telemetry` version
- Set environment to "production" and "staging" for well-known API URLs,
and "self-hosted" for others, since environments in Sentry can't have
slashes in them
- Sets API URL as a tag
- Sets release to `unit test` for unit testing `firezone-telemetry`
itself, since it has no good version number
<img width="398" alt="image"
src="https://github.com/user-attachments/assets/86f71193-2511-45c1-8304-413db8e5ef90">
When constructing a span, any currently set span will automatically be
set as the parent. In the case of the `connection` span, this was the
`accept_answer` or `new_connection` span from the client / gateway.
Those are not meant to be re-activated every time we enter the
`connection` span.
By setting an explicit parent, we avoid that.
Unfortunately, this means that this span will never have a parent, even
if other spans are active whilst we enter this one. We enter this one in
the hot-path, which is why it is being constructed ahead of time.
---------
Signed-off-by: Thomas Eizinger <thomas@eizinger.io>
This crate contains a useful macro `dbg!` which acts mostly like
`std::dbg!` but logs to `tracing` instead. Having it easily available as
a dependency during development makes debugging easier, especially with
`tunnel_test` which produces log-files per test-run.
Within `snownet` - `connlib`'s connectivity library - we use ICE to set
up a UDP "connection" between a client and a gateway. UDP is an
unreliable transport, meaning the only way how can detect that the
connection is broken is for both parties to constantly send messages and
acknowledgements back and forth. ICE uses STUN binding requests for
this.
In the default configuration of `str0m`, a STUN binding is sent every
3s, and we tolerate at most 9 missing responses before we consider the
connection broken. As these responses go missing, `str0m` halves this
interval, which results in a total ICE timeout of around 17 seconds. We
already tweak these values by reducing the number of requests to 8 and
setting the interval to 1.5s. This results in a total ICE timeout of
~10s which effectively means that there is at most a 10s lag between the
connection breaking and us considering it broken at which point new
packets arriving at the TUN interface can trigger the setup of a new
connection with the gateway.
Lowering these timeouts improves the user experience in case of a broken
connection because the user doesn't have to wait as long before they can
access their resources again. The downside of lowering these timeouts is
that we generate a lot of background noise. Especially on mobile
devices, this is bad because it prevents the CPU from going to sleep and
thus simply being signed into Firezone will drain your battery, even if
you don't use it.
Note that this doesn't apply at all if the client application on top
detects a network change. In that case, we hard-reset all connections
and instantly create new ones.
We attempted to fix this in #5576 by closing idle connections after 5
minutes. This however created new problems such as #6778.
The original problem here is that we send too many STUN messages as soon
as a connection is established. Simply increasing the timeout is not an
option because it would make the user experience really bad in case the
connection actually drops for reasons that the client app can't detect.
In this patch, we attempt to solve this in a different way: Detecting a
broken connection is only critical if the user is actively using the
tunnel (i.e. sending traffic). If there is no traffic, it doesn't matter
if we need longer to detect a broken connection. The user won't notice
because their phone is probably in their pocket or something.
With this patch, we now implement the following behaviour:
- A connection is considered idle after 10s of no application traffic.
- On idle connections, we send a STUN requests every 60s
- On idle connections, we wait for at most 4 missing responses before
considering the connection broken.
- Every connection will perform a client-initiated WireGuard keep-alive
every 25s, unless there is application traffic.
These values have been chosen while considering the following sources:
1. [RFC4787,
REQ-5](https://www.rfc-editor.org/rfc/rfc4787.html#section-12) requires
NATs to keep UDP NAT mappings alive for at least 2 minutes.
2.
[`conntrack`](https://www.kernel.org/doc/Documentation/networking/nf_conntrack-sysctl.rst)
adopts this requirement via the `nf_conntrack_udp_timeout_stream`
configuration.
3. 25s is the default keep-alive of the WireGuard kernel module.
In theory the WireGuard keep-alive itself should be good enough to keep
all NAT bindings alive. In practice, missed keep-alives are not exposed
by boringtun (the WireGuard implementation we rely on) and thus we need
the additional STUN keep-alives to detect broken connections. We set
those somewhat conservatively to 60s.
As soon as the user triggers new application traffic, these values are
reverted back to their defaults, meaning even if the connection died
just before the user is starting to use it again, we will know within
the usual 10s because we are triggering new STUN requests more often.
Note that existing gateways still implement the "close idle connections
after 5 minutes" behaviour. Customers will need to upgrade to a new
gateway version to fully benefit from these new always-on, low-power
connections.
Resolves: #6778.
---------
Signed-off-by: Thomas Eizinger <thomas@eizinger.io>
Refs #6138
Sentry is always enabled for now. In the near future we'll make it
opt-out per device and opt-in per org (see #6138 for details)
- Replaces the `crash_handling` module
- Catches panics in GUI process, tunnel daemon, and Headless Client
- Added a couple "breadcrumbs" to play with that feature
- User ID is not set yet
- Environment is set to the API URL, e.g. `wss://api.firezone.dev`
- Reports panics from the connlib async task
- Release should be automatically pulled from the Cargo version which we
automatically set in the version Makefile
Example screenshot of sentry.io with a caught panic:
<img width="861" alt="image"
src="https://github.com/user-attachments/assets/c5188d86-10d0-4d94-b503-3fba51a21a90">
In the past, we struggled a lot of the reproducibility of `tunnel_test`
failures because our input state and transition strategies were not
deterministic. In the end, we found out that it was due to the iteration
order of `HashMap`s.
To make sure this doesn't regress, we added a check to CI at the time
that compares the debug output of all regression seeds against a 2nd run
and ensures they are the same. That is overall a bit wonky.
We can do better by simple sampling a value from the strategy twice from
a test runner with the same seed. If the strategy is deterministic,
those need to be the same. We still rely on the debug output being
identical because:
a. Deriving `PartialEq` on everything is somewhat cumbersome
b. We actually care about the iteration order which a fancy `PartialEq`
implementation might ignore
Extracted from #6782
This moves more of `main` inside the async block, which makes it easier
to set up telemetry in the future.
We also log errors for the DNS notifier, which was overlooked before.
At the moment, the mapping of proxy IPs to the resolved IPs of a DNS
resource happens at the same time as the "authorisation" that the client
is allowed to talk to that resource. This is somewhat convoluted
because:
- Mapping proxy IPs to resolved IPs only needs to happen for DNS
resources, yet it is called for all resources (and internally skipped).
- Wildcard DNS resources only need to be authorised once, after which
the client is allowed to communicate with any domain matching the
wildcard address.
- The code that models resources within `ClientOnGateway` doesn't
differentiate between resource types at all.
With #6461, the authorisation of a resource will be completely decoupled
from the domain resolution for a particular domain of a DNS resource. To
make that easier to implement, we re-model the internals of
`ClientOnGateway` to differentiate the various resource types. Instead
of holding a single vec of addresses, the IPs are now indexed by the
respective domain. For CIDR resources, we only hold a single address
anyway and for the Internet Resource, the IP networks are static.
This new model now implies that allowing a resource that has already
been allowed essentially implies an update and the filters get
re-calculated.
Firefox uses this so-called canary domain `use-application-dns.net` to
detect, whether it should use DoH for its DNS queries. If answered with
a server error or without records, Firefox disables DoH as long as it
only its "Default protection" is enabled. If a user forces DoH, this
hint from the network is ignored.
See
https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
for details.
I tested this on MacOS and Firefox does indeed instantly disable DoH. A
default installation of Chrome doesn't use DoH for me.
Related: #6375.
---------
Signed-off-by: Thomas Eizinger <thomas@eizinger.io>
Co-authored-by: Jamil <jamilbk@users.noreply.github.com>
Currently, `connlib` is entirely single-threaded. This allows us to
reuse a single buffer for processing IP packets and makes reasoning of
the packet processing code very simple. Being single-threaded also means
we can only make use of a single CPU core and all operations have to be
sequential.
Analyzing `connlib` using `perf` shows that we spend 26% of our CPU time
writing packets to the TUN interface [0]. Because we are
single-threaded, `connlib` cannot do anything else during this time. If
we could offload the writing of these packets to a different thread,
`connlib` could already process the next packet while the current one is
writing.
Packets that we send to the TUN interface arrived as an encrypted WG
packet over UDP and get decrypted into a - currently - shared buffer.
Moving the writing to a different thread implies that we have to have
more of these buffer that the next packet(s) can be decrypted into.
To avoid IP fragmentation, we set the maximum IP MTU to 1280 bytes on
the TUN interface. That actually isn't very big and easily fits into a
stackframe. The default stack size for threads is 2MB [1].
Instead of creating more buffers and cycling through them, we can also
simply stack-allocate our IP packets. This incurs some overhead from
copying packets but it is only ~3.5% [2] (This was measured without a
separate thread). With stack-allocated packets, almost all
lifetime-annotations go away which in itself is already a welcome
ergonomics boost. Stack-allocated packets also means we can simply spawn
a new thread for the packet processing. This thread is connected with
two channel to connlib's main thread. The capacity of 1000 packets will
at most consume an additional 3.5 MB of memory which is fine even on our
most-constrained devices such as iOS.
[0]: https://share.firefox.dev/3z78CzD
[1]: https://doc.rust-lang.org/std/thread/#stack-size
[2]: https://share.firefox.dev/3Bf4zlaResolves: #6653.
Resolves: #5541.
Currently, the order in which connlib matches against the patterns of
DNS resources is not specified. We simply iterate over all patterns and
take the first one that matches. Due to the iteration order of
`HashMap`s, this also isn't deterministic.
With this patch, we introduce a defined order in which we attempt to
match a particular domain against the defined DNS resources:
- Resources without wildcards are always prioritised over wildcard
domains
- Single-char wildcards (`?`) take priority over label wildcards (`*`)
- Label wildcards (`*`) take priority over catch-all wildcards (`**`)
By matching against the DNS resources in a defined order, we ensure that
DNS resources that overlap always resolve to the most specific resource.
---------
Signed-off-by: Thomas Eizinger <thomas@eizinger.io>
Co-authored-by: Reactor Scram <ReactorScram@users.noreply.github.com>
This log is currently printed after we receive the `init` message from
the client. It is a left-over from early days of connlib where receiving
`init` itself already triggered all kinds of actions.
These days, we are mostly just updating state. In addition, `init` can
be received multiple times during a client's session which is somewhat
confusing when you see multiple "Firezone started" logs.
When deciding which interface we are going to use for connecting to the
portal API, we need to filter through all adapters on Windows and
exclude our own TUN adapter to avoid routing loops. In addition, we also
need to filter for only online adapters, otherwise we might pick one
that is not actually routable.
Resolves: #6802.
Bumps [tauri-runtime](https://github.com/tauri-apps/tauri) from 0.14.4
to 0.14.5.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/tauri-apps/tauri/releases">tauri-runtime's
releases</a>.</em></p>
<blockquote>
<h2>tauri-runtime v0.14.5</h2>
<p>Updating crates.io index
Locking 595 packages to latest compatible versions
Adding addr2line v0.22.0 (latest: v0.24.1)
Adding atk v0.15.1 (latest: v0.18.0)
Adding atk-sys v0.15.1 (latest: v0.18.0)
Adding base64 v0.13.1 (latest: v0.22.1)
Adding base64 v0.21.7 (latest: v0.22.1)
Adding bit-set v0.5.3 (latest: v0.8.0)
Adding bit-vec v0.6.3 (latest: v0.8.0)
Adding bitflags v1.3.2 (latest: v2.6.0)
Adding cairo-rs v0.15.12 (latest: v0.20.1)
Adding cairo-sys-rs v0.15.1 (latest: v0.20.0)
Adding cargo_toml v0.15.3 (latest: v0.20.4)
Adding cfb v0.7.3 (latest: v0.10.0)
Adding cfg-expr v0.9.1 (latest: v0.16.0)
Adding cfg-expr v0.15.8 (latest: v0.16.0)
Adding cfg_aliases v0.1.1 (latest: v0.2.1)
Adding clap v3.2.25 (latest: v4.5.16)
Adding clap_lex v0.2.4 (latest: v0.7.2)
Adding cocoa v0.24.1 (latest: v0.26.0)
Adding cocoa-foundation v0.1.2 (latest: v0.2.0)
Adding convert_case v0.4.0 (latest: v0.6.0)
Adding core-foundation v0.9.4 (latest: v0.10.0)
Adding core-graphics v0.22.3 (latest: v0.24.0)
Adding core-graphics v0.23.2 (latest: v0.24.0)
Adding core-graphics-types v0.1.3 (latest: v0.2.0)
Adding cssparser v0.27.2 (latest: v0.34.0)
Adding derive_more v0.99.18 (latest: v1.0.0)
Adding env_logger v0.8.4 (latest: v0.11.5)
Adding fixedbitset v0.4.2 (latest: v0.5.7)
Adding fluent-uri v0.1.4 (latest: v0.2.0)
Adding foreign-types v0.3.2 (latest: v0.5.0)
Adding foreign-types-shared v0.1.1 (latest: v0.3.1)
Adding freetype-sys v0.20.1 (latest: v0.22.0)
Adding gdk v0.15.4 (latest: v0.18.0)
Adding gdk-pixbuf v0.15.11 (latest: v0.20.1)
Adding gdk-pixbuf-sys v0.15.10 (latest: v0.20.1)
Adding gdk-sys v0.15.1 (latest: v0.18.0)
Adding gdkwayland-sys v0.15.3 (latest: v0.18.0)
Adding gdkx11-sys v0.15.1 (latest: v0.18.0)
Adding generator v0.7.5 (latest: v0.8.2)
Adding generic-array v0.14.7 (latest: v1.1.0)
Adding gethostname v0.4.3 (latest: v0.5.0)
Adding getrandom v0.1.16 (latest: v0.2.15)
Adding gimli v0.29.0 (latest: v0.31.0)
Adding gio v0.15.12 (latest: v0.20.1)
Adding gio-sys v0.15.10 (latest: v0.20.1)
Adding glib v0.15.12 (latest: v0.20.1)
Adding glib-macros v0.15.13 (latest: v0.20.1)</p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="1f45808ba0"><code>1f45808</code></a>
Apply Version Updates From Current Changes (v1) (<a
href="https://redirect.github.com/tauri-apps/tauri/issues/10220">#10220</a>)</li>
<li><a
href="9082a39604"><code>9082a39</code></a>
fix(cli): env_logger usage</li>
<li><a
href="d84ae448e5"><code>d84ae44</code></a>
fix(cli): downgrade env_logger to 0.10 to satisfy MSRV, fix CI</li>
<li><a
href="3e1c28b90c"><code>3e1c28b</code></a>
chore(deps) Update dependency <code>@types/node</code> to v20.16.1 (<a
href="https://redirect.github.com/tauri-apps/tauri/issues/10722">#10722</a>)</li>
<li><a
href="2b61447dfc"><code>2b61447</code></a>
chore(deps) Update Rust crate proc-macro2 to v1.0.86 (<a
href="https://redirect.github.com/tauri-apps/tauri/issues/10621">#10621</a>)</li>
<li><a
href="0469b6b078"><code>0469b6b</code></a>
chore(deps) Update Tauri API Definitions (1.x) (<a
href="https://redirect.github.com/tauri-apps/tauri/issues/10622">#10622</a>)</li>
<li><a
href="3b841f28bb"><code>3b841f2</code></a>
chore(deps) Update Tauri CLI (1.x) (<a
href="https://redirect.github.com/tauri-apps/tauri/issues/10628">#10628</a>)</li>
<li><a
href="c3a90e5c27"><code>c3a90e5</code></a>
fix(tauri-runtime-wry): ensure tray is created when event loop ready (<a
href="https://redirect.github.com/tauri-apps/tauri/issues/10611">#10611</a>)</li>
<li><a
href="937849f28c"><code>937849f</code></a>
refactor(tauri-runtime-wry): Arc instead of Rc, closes <a
href="https://redirect.github.com/tauri-apps/tauri/issues/9775">#9775</a>
(<a
href="https://redirect.github.com/tauri-apps/tauri/issues/10587">#10587</a>)</li>
<li><a
href="48a7415c21"><code>48a7415</code></a>
chore(deps): update serialize-to-javascript to 0.1.2 (<a
href="https://redirect.github.com/tauri-apps/tauri/issues/10594">#10594</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/tauri-apps/tauri/compare/tauri-runtime-v0.14.4...tauri-runtime-v0.14.5">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Reactor Scram <ReactorScram@users.noreply.github.com>
Bumps [clap](https://github.com/clap-rs/clap) from 4.5.4 to 4.5.13.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/clap-rs/clap/releases">clap's
releases</a>.</em></p>
<blockquote>
<h2>v4.5.13</h2>
<h2>[4.5.13] - 2024-07-31</h2>
<h3>Fixes</h3>
<ul>
<li><em>(derive)</em> Improve error message when
<code>#[flatten]</code>ing an optional <code>#[group(skip)]</code></li>
<li><em>(help)</em> Properly wrap long subcommand descriptions in
help</li>
</ul>
<h2>v4.5.12</h2>
<h2>[4.5.12] - 2024-07-31</h2>
<h2>v4.5.10</h2>
<h2>[4.5.10] - 2024-07-23</h2>
<h2>v4.5.9</h2>
<h2>[4.5.9] - 2024-07-09</h2>
<h3>Fixes</h3>
<ul>
<li><em>(error)</em> When defining a custom help flag, be sure to
suggest it like we do the built-in one</li>
</ul>
<h2>v4.5.8</h2>
<h2>[4.5.8] - 2024-06-28</h2>
<h3>Fixes</h3>
<ul>
<li>Reduce extra flushes</li>
</ul>
<h2>v4.5.7</h2>
<h2>[4.5.7] - 2024-06-10</h2>
<h3>Fixes</h3>
<ul>
<li>Clean up error message when too few arguments for
<code>num_args</code></li>
</ul>
<h2>v4.5.6</h2>
<h2>[4.5.6] - 2024-06-06</h2>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/clap-rs/clap/blob/master/CHANGELOG.md">clap's
changelog</a>.</em></p>
<blockquote>
<h2>[4.5.13] - 2024-07-31</h2>
<h3>Fixes</h3>
<ul>
<li><em>(derive)</em> Improve error message when
<code>#[flatten]</code>ing an optional <code>#[group(skip)]</code></li>
<li><em>(help)</em> Properly wrap long subcommand descriptions in
help</li>
</ul>
<h2>[4.5.12] - 2024-07-31</h2>
<h2>[4.5.11] - 2024-07-25</h2>
<h2>[4.5.10] - 2024-07-23</h2>
<h2>[4.5.9] - 2024-07-09</h2>
<h3>Fixes</h3>
<ul>
<li><em>(error)</em> When defining a custom help flag, be sure to
suggest it like we do the built-in one</li>
</ul>
<h2>[4.5.8] - 2024-06-28</h2>
<h3>Fixes</h3>
<ul>
<li>Reduce extra flushes</li>
</ul>
<h2>[4.5.7] - 2024-06-10</h2>
<h3>Fixes</h3>
<ul>
<li>Clean up error message when too few arguments for
<code>num_args</code></li>
</ul>
<h2>[4.5.6] - 2024-06-06</h2>
<h2>[4.5.5] - 2024-06-06</h2>
<h3>Fixes</h3>
<ul>
<li>Allow <code>exclusive</code> to override
<code>required_unless_present</code>,
<code>required_unless_present_any</code>,
<code>required_unless_present_all</code></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="d222ae4cb6"><code>d222ae4</code></a>
chore: Release</li>
<li><a
href="a8abcb40c5"><code>a8abcb4</code></a>
docs: Update changelog</li>
<li><a
href="2690e1bdb1"><code>2690e1b</code></a>
Merge pull request <a
href="https://redirect.github.com/clap-rs/clap/issues/5621">#5621</a>
from shannmu/dynamic_valuehint</li>
<li><a
href="7fd7b3e40b"><code>7fd7b3e</code></a>
feat(clap_complete): Support to complete custom value of argument</li>
<li><a
href="fc6aaca52b"><code>fc6aaca</code></a>
Merge pull request <a
href="https://redirect.github.com/clap-rs/clap/issues/5638">#5638</a>
from epage/cargo</li>
<li><a
href="631e54bc71"><code>631e54b</code></a>
docs(cookbook): Style cargo plugin</li>
<li><a
href="6fb49d08bb"><code>6fb49d0</code></a>
Merge pull request <a
href="https://redirect.github.com/clap-rs/clap/issues/5636">#5636</a>
from gibfahn/styles_const</li>
<li><a
href="6f215eee98"><code>6f215ee</code></a>
refactor(styles): make styles example use a const</li>
<li><a
href="bbb2e6fdde"><code>bbb2e6f</code></a>
test: Add test case for completing custom value of argument</li>
<li><a
href="999071c46d"><code>999071c</code></a>
fix: Change <code>visible</code> to <code>hidden</code></li>
<li>Additional commits viewable in <a
href="https://github.com/clap-rs/clap/compare/clap_complete-v4.5.4...clap_complete-v4.5.13">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Reactor Scram <ReactorScram@users.noreply.github.com>
Closes#6791
We weren't closing the connlib session immediately when we get
`on_disconnect`, this patch fixes that.
This passes the manual test established in #6792. I also cycled through
sign-in, close, open, sign-out, and it looks fine.
---------
Signed-off-by: Reactor Scram <ReactorScram@users.noreply.github.com>
Synthetic replication for #6791.
The diff for the fix will probably be short, so I wanted this diff for
the test to be reviewed separately.
In your normal terminal: `cargo build -p firezone-gui-client -p
gui-smoke-test`
With sudo / admin powers: `./target/debug/gui-smoke-test.exe
--manual-tests`
Some customers _must_ have hit this, it's so easy to trigger.
I can't add it to the CI smoke test because there's no portal in CI
during the smoke test, unless we use Staging.
Fix#6781Fix#6375
The problem was that browsers in iOS(and possible other OSes) queries
for A, AAAA and HTTPS, and we correctly intercept A and AAAA.
Correctly intercepting HTTPS queries is more tricky since we need the
server's alpn, before this PR we were just forwarding those and then the
response back but the problem with that is that it'd return the real IP
for the service instead of our proxy IP.
So to quickly fix this we simply blackhole the query so the browser
never use that response.
In the future an improvement over this would be to intercept the
response instead of the query and mangle the ips there.
---------
Signed-off-by: Gabi <gabrielalejandro7@gmail.com>
Co-authored-by: Reactor Scram <ReactorScram@users.noreply.github.com>
