mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-01-27 18:18:55 +00:00
bf81c6fa0bc2e7f068bb87efc88ef3abddecd8a0
6044 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Thomas Eizinger
|
bf81c6fa0b |
build(deps): bump tracing to 0.1.41 (#7407)
We have a special setup with `tracing` where we patch a Git-dependency to use a released version. Hence bumping this one separately. |
||
|
dependabot[bot]
|
b340448e34 |
build(deps): Bump the navigation group in /kotlin/android with 2 updates (#7424)
Bumps the navigation group in /kotlin/android with 2 updates: androidx.navigation:navigation-fragment-ktx and androidx.navigation:navigation-ui-ktx. Updates `androidx.navigation:navigation-fragment-ktx` from 2.8.3 to 2.8.4 Updates `androidx.navigation:navigation-ui-ktx` from 2.8.3 to 2.8.4 Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
dependabot[bot]
|
aa0f8c2248 |
build(deps): Bump postcss from 8.4.47 to 8.4.49 in /website (#7436)
Bumps [postcss](https://github.com/postcss/postcss) from 8.4.47 to 8.4.49. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/postcss/postcss/releases">postcss's releases</a>.</em></p> <blockquote> <h2>8.4.49</h2> <ul> <li>Fixed custom syntax without <code>source.offset</code> (by <a href="https://github.com/romainmenke"><code>@romainmenke</code></a>).</li> </ul> <h2>8.4.48</h2> <ul> <li>Fixed position calculation in error/warnings methods (by <a href="https://github.com/romainmenke"><code>@romainmenke</code></a>).</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/postcss/postcss/blob/main/CHANGELOG.md">postcss's changelog</a>.</em></p> <blockquote> <h2>8.4.49</h2> <ul> <li>Fixed custom syntax without <code>source.offset</code> (by <a href="https://github.com/romainmenke"><code>@romainmenke</code></a>).</li> </ul> <h2>8.4.48</h2> <ul> <li>Fixed position calculation in error/warnings methods (by <a href="https://github.com/romainmenke"><code>@romainmenke</code></a>).</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
2a306239f7 |
build(deps): Bump the google group in /terraform/environments/staging with 2 updates (#7429)
Bumps the google group in /terraform/environments/staging with 2 updates: [hashicorp/google](https://github.com/hashicorp/terraform-provider-google) and [hashicorp/google-beta](https://github.com/hashicorp/terraform-provider-google-beta). Updates `hashicorp/google` from 6.9.0 to 6.12.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/hashicorp/terraform-provider-google/releases">hashicorp/google's releases</a>.</em></p> <blockquote> <h2>v6.12.0</h2> <p>FEATURES:</p> <ul> <li><strong>New Data Source:</strong> <code>google_access_context_manager_access_policy</code> (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20295">#20295</a>)</li> <li><strong>New Resource:</strong> <code>google_dataproc_gdc_spark_application</code> (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20242">#20242</a>)</li> <li><strong>New Resource:</strong> <code>google_managed_kafka_cluster</code> and <code>google_managed_kafka_topic</code> (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20237">#20237</a>)</li> </ul> <p>IMPROVEMENTS:</p> <ul> <li>artifactregistry: added <code>common_repository</code> field to <code>google_artifact_registry_repository</code> resource (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20305">#20305</a>)</li> <li>cloudrunv2: added <code>urls</code> output field to <code>google_cloud_run_v2_service</code> resource (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20313">#20313</a>)</li> <li>compute: added <code>IDPF</code> as a possible value for the <code>network_interface.nic_type</code> field in <code>google_compute_instance</code> resource (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20250">#20250</a>)</li> <li>compute: added <code>IDPF</code> as a possible value for the <code>guest_os_features.type</code> field in <code>google_compute_image</code> resource (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20250">#20250</a>)</li> <li>compute: added <code>replica_names</code> field to <code>sql_database_instance</code> resource (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20202">#20202</a>)</li> <li>filestore: added <code>performance_config</code> field to <code>google_filestore_instance</code> (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20218">#20218</a>)</li> <li>redis: added <code>persistence_config</code> to <code>google_redis_cluster</code>. (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20212">#20212</a>)</li> <li>securesourcemanager: added <code>workforce_identity_federation_config</code> field to <code>google_secure_source_manager_instance</code> resource (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20290">#20290</a>)</li> <li>spanner: added <code>default_backup_schedule_type</code> field to <code>google_spanner_instance</code> (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20213">#20213</a>)</li> <li>sql: added <code>psc_auto_connections</code> fields to <code>google_sql_database_instance</code> resource (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20307">#20307</a>)</li> </ul> <p>BUG FIXES:</p> <ul> <li>accesscontextmanager: fixed permadiff in perimeter <code>google_access_context_manager_service_perimeter_ingress_policy</code> and <code>google_access_context_manager_service_perimeter_egress_policy</code> resources when there are duplicate resources in the rules (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20294">#20294</a>)</li> <li> <ul> <li>accesscontextmanager: fixed comparison of <code>identity_type</code> in <code>ingress_from</code> and <code>egress_from</code> when the <code>IDENTITY_TYPE_UNSPECIFIED</code> is set (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20221">#20221</a>)</li> </ul> </li> <li>compute: fixed permadiff on attempted <code>type</code> field updates in <code>google_computer_security_policy</code>, updating this field will now force recreation of the resource (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20316">#20316</a>)</li> <li>identityplatform: fixed perma-diff originating from the <code>sign_in.anonymous.enabled</code> field in <code>google_identity_platform_config</code> (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20244">#20244</a>)</li> </ul> <h2>v6.11.2</h2> <p>BUG FIXES:</p> <ul> <li>vertexai: fixed issue with google_vertex_ai_endpoint where upgrading to 6.11.0 would delete all traffic splits that were set outside Terraform (which was previously a required step for all meaningful use of this resource). (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20350">#20350</a>)</li> </ul> <h2>v6.11.1</h2> <p>BUG FIXES:</p> <ul> <li>container: fixed diff on <code>google_container_cluster.user_managed_keys_config</code> field for resources that had not set it. (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20314">#20314</a>)</li> <li>container: marked <code>google_container_cluster.user_managed_keys_config</code> as immutable because it can't be updated in place. (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20314">#20314</a>)</li> </ul> <h2>v6.11.0</h2> <p>NOTES:</p> <ul> <li>compute: migrated <code>google_compute_firewall_policy_rule</code> from DCL engine to MMv1 engine. (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20160">#20160</a>)</li> </ul> <p>BREAKING CHANGES:</p> <ul> <li>looker: made <code>oauth_config</code> a required field in <code>google_looker_instance</code>, as creating this resource without that field always triggers an API error (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20196">#20196</a>)</li> </ul> <p>FEATURES:</p> <ul> <li><strong>New Data Source:</strong> <code>google_spanner_database</code> (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20114">#20114</a>)</li> <li><strong>New Resource:</strong> <code>google_apigee_api</code> (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20113">#20113</a>)</li> <li><strong>New Resource:</strong> <code>google_dataproc_gdc_application_environment</code> (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20165">#20165</a>)</li> <li><strong>New Resource:</strong> <code>google_dataproc_gdc_service_instance</code> (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20147">#20147</a>)</li> <li><strong>New Resource:</strong> <code>google_memorystore_instance</code> (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20108">#20108</a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/hashicorp/terraform-provider-google/blob/main/CHANGELOG.md">hashicorp/google's changelog</a>.</em></p> <blockquote> <h2>6.12.0 (November 18, 2024)</h2> <p>FEATURES:</p> <ul> <li><strong>New Data Source:</strong> <code>google_access_context_manager_access_policy</code> (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20295">#20295</a>)</li> <li><strong>New Resource:</strong> <code>google_dataproc_gdc_spark_application</code> (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20242">#20242</a>)</li> <li><strong>New Resource:</strong> <code>google_managed_kafka_cluster</code> and <code>google_managed_kafka_topic</code> (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20237">#20237</a>)</li> </ul> <p>IMPROVEMENTS:</p> <ul> <li>artifactregistry: added <code>common_repository</code> field to <code>google_artifact_registry_repository</code> resource (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20305">#20305</a>)</li> <li>cloudrunv2: added <code>urls</code> output field to <code>google_cloud_run_v2_service</code> resource (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20313">#20313</a>)</li> <li>compute: added <code>IDPF</code> as a possible value for the <code>network_interface.nic_type</code> field in <code>google_compute_instance</code> resource (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20250">#20250</a>)</li> <li>compute: added <code>IDPF</code> as a possible value for the <code>guest_os_features.type</code> field in <code>google_compute_image</code> resource (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20250">#20250</a>)</li> <li>compute: added <code>replica_names</code> field to <code>sql_database_instance</code> resource (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20202">#20202</a>)</li> <li>filestore: added <code>performance_config</code> field to <code>google_filestore_instance</code> (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20218">#20218</a>)</li> <li>redis: added <code>persistence_config</code> to <code>google_redis_cluster</code>. (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20212">#20212</a>)</li> <li>securesourcemanager: added <code>workforce_identity_federation_config</code> field to <code>google_secure_source_manager_instance</code> resource (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20290">#20290</a>)</li> <li>spanner: added <code>default_backup_schedule_type</code> field to <code>google_spanner_instance</code> (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20213">#20213</a>)</li> <li>sql: added <code>psc_auto_connections</code> fields to <code>google_sql_database_instance</code> resource (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20307">#20307</a>)</li> </ul> <p>BUG FIXES:</p> <ul> <li>accesscontextmanager: fixed permadiff in perimeter <code>google_access_context_manager_service_perimeter_ingress_policy</code> and <code>google_access_context_manager_service_perimeter_egress_policy</code> resources when there are duplicate resources in the rules (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20294">#20294</a>)</li> <li> <ul> <li>accesscontextmanager: fixed comparison of <code>identity_type</code> in <code>ingress_from</code> and <code>egress_from</code> when the <code>IDENTITY_TYPE_UNSPECIFIED</code> is set (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20221">#20221</a>)</li> </ul> </li> <li>compute: fixed permadiff on attempted <code>type</code> field updates in <code>google_computer_security_policy</code>, updating this field will now force recreation of the resource (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20316">#20316</a>)</li> <li>identityplatform: fixed perma-diff originating from the <code>sign_in.anonymous.enabled</code> field in <code>google_identity_platform_config</code> (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20244">#20244</a>)</li> </ul> <h2>6.11.2 (November 15, 2024)</h2> <p>BUG FIXES:</p> <ul> <li>vertexai: fixed issue with google_vertex_ai_endpoint where upgrading to 6.11.0 would delete all traffic splits that were set outside Terraform (which was previously a required step for all meaningful use of this resource). (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20350">#20350</a>)</li> </ul> <h2>6.11.1 (November 12, 2024)</h2> <p>BUG FIXES:</p> <ul> <li>container: fixed diff on <code>google_container_cluster.user_managed_keys_config</code> field for resources that had not set it. (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20314">#20314</a>)</li> <li>container: marked <code>google_container_cluster.user_managed_keys_config</code> as immutable because it can't be updated in place. (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20314">#20314</a>)</li> </ul> <h2>6.11.0 (November 11, 2024)</h2> <p>NOTES:</p> <ul> <li>compute: migrated <code>google_compute_firewall_policy_rule</code> from DCL engine to MMv1 engine. (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20160">#20160</a>)</li> </ul> <p>BREAKING CHANGES:</p> <ul> <li>looker: made <code>oauth_config</code> a required field in <code>google_looker_instance</code>, as creating this resource without that field always triggers an API error (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20196">#20196</a>)</li> </ul> <p>FEATURES:</p> <ul> <li><strong>New Data Source:</strong> <code>google_spanner_database</code> (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20114">#20114</a>)</li> <li><strong>New Resource:</strong> <code>google_apigee_api</code> (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20113">#20113</a>)</li> <li><strong>New Resource:</strong> <code>google_dataproc_gdc_application_environment</code> (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20165">#20165</a>)</li> <li><strong>New Resource:</strong> <code>google_dataproc_gdc_service_instance</code> (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20147">#20147</a>)</li> <li><strong>New Resource:</strong> <code>google_memorystore_instance</code> (<a href="https://redirect.github.com/hashicorp/terraform-provider-google/pull/20108">#20108</a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
183df5c572 |
build(deps): Bump tailwindcss from 3.4.14 to 3.4.15 in /website (#7437)
Bumps [tailwindcss](https://github.com/tailwindlabs/tailwindcss) from 3.4.14 to 3.4.15. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/tailwindlabs/tailwindcss/releases">tailwindcss's releases</a>.</em></p> <blockquote> <h2>v3.4.15</h2> <ul> <li>Bump versions for security vulnerabilities (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/14697">#14697</a>)</li> <li>Ensure the TypeScript types for the <code>boxShadow</code> theme configuration allows arrays (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/14856">#14856</a>)</li> <li>Set fallback for opacity variables to ensure setting colors with the <code>selection:*</code> variant works in Chrome 131 (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/15003">#15003</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/tailwindlabs/tailwindcss/blob/v3.4.15/CHANGELOG.md">tailwindcss's changelog</a>.</em></p> <blockquote> <h2>[3.4.15] - 2024-11-14</h2> <ul> <li>Bump versions for security vulnerabilities (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/14697">#14697</a>)</li> <li>Ensure the TypeScript types for the <code>boxShadow</code> theme configuration allows arrays (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/14856">#14856</a>)</li> <li>Set fallback for opacity variables to ensure setting colors with the <code>selection:*</code> variant works in Chrome 131 (<a href="https://redirect.github.com/tailwindlabs/tailwindcss/pull/15003">#15003</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
36725a8246 |
build(deps): Bump framer-motion from 11.11.17 to 11.12.0 in /website (#7438)
Bumps [framer-motion](https://github.com/framer/motion) from 11.11.17 to 11.12.0. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/motiondivision/motion/blob/main/CHANGELOG.md">framer-motion's changelog</a>.</em></p> <blockquote> <h2>[11.12.0] 2024-11-27</h2> <h3>Added</h3> <ul> <li>New <code>visualDuration</code> option for <code>spring</code> animations.</li> <li>New <code>spring(visualDuration, bounce)</code> syntax.</li> </ul> <h2>[11.11.16] 2024-11-14</h2> <h3>Fixed</h3> <ul> <li>Fixing <code>stagger</code> with mini <code>animate</code>.</li> </ul> <h2>[11.11.16] 2024-11-14</h2> <h3>Fixed</h3> <ul> <li>Ensuring animations passed to <code>scroll</code> are scrubbed linearly.</li> <li>Fixing <code>mini</code> types entrypoint.</li> <li>Exporting easing types from <code>"motion"</code>.</li> </ul> <h2>[11.11.15] 2024-11-13</h2> <h3>Fixed</h3> <ul> <li>Fixing <code>mini</code> and <code>react-mini</code> entrypoints.</li> </ul> <h2>[11.11.14] 2024-11-12</h2> <h3>Fixed</h3> <ul> <li>Fixing fallback entry points for <code>"motion/react"</code> etc.</li> </ul> <h2>[11.11.13] 2024-11-12</h2> <h3>Fixed</h3> <ul> <li>Fixing build and entry points for <code>"motion"</code>.</li> </ul> <h2>[11.11.12] 2024-11-12</h2> <h3>Changed</h3> <ul> <li>Adding <code>"motion"</code> package.</li> <li>Replaced Motion One (see <a href="https://motion.dev/docs/upgrade-guide">upgrade guide</a>).</li> </ul> <h2>[11.11.11] 2024-10-31</h2> <h3>Fixed</h3> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
Jamil
|
e1ed497d12 |
fix(apple): Expose MACOSX_DEPLOYMENT_TARGET in rust apple build script to signal to rustc which macOS to target (#7443)
`MACOSX_DEPLOYMENT_TARGET` is a standard env var read by gcc and rustc that determines which version of macOS to target binaries for. This variable was being removed inadvertently in our rust build script. Exposing this var fixes a slew of warnings about object files being built for a newer macOS target than being linked that were showing up in Xcode for some time now. Hasn't caused any issues thus far from what I can tell, but possibly related to #7442 |
||
|
Jamil
|
f5717f336f |
ci: group all android navigation libs (#7440)
Fixes some dependabot groups that weren't grouped. Co-authored-by: Thomas Eizinger <thomas@eizinger.io> |
||
|
Thomas Eizinger
|
0a6554122a |
feat(connlib): utilise GSO for UDP sockets (#7210)
## Context At present, `connlib` sends UDP packets one at a time. Sending a packet requires us to make a syscall which is quite expensive. Under load, i.e. during a speedtest, syscalls account for over 50% of our CPU time [0]. In order to improve this situation, we need to somehow make use of GSO (generic segmentation offload). With GSO, we can send multiple packets to the same destination in a single syscall. The tricky question here is, how can we achieve having multiple UDP packets ready at once so we can send them in a single syscall? Our TUN interface only feeds us packets one at a time and `connlib`'s state machine is single-threaded. Additionally, we currently only have a single `EncryptBuffer` in which the to-be-sent datagram sits. ## 1. Stack-allocating encrypted IP packets As a first step, we get rid of the single `EncryptBuffer` and instead stack-allocate each encrypted IP packet. Due to our small MTU, these packets are only around 1300 bytes. Stack-allocating that requires a few memcpy's but those are in the single-digit % range in the terms of CPU time performance hit. That is nothing compared to how much time we are spending on UDP syscalls. With the `EncryptBuffer` out the way, we can now "freely" move around the `EncryptedPacket` structs and - technically - we can have multiple of them at the same time. ## 2. Implementing GSO The GSO interface allows you to pass multiple packets **of the same length and for the same destination** in a single syscall, meaning we cannot just batch-up arbitrary UDP packets. Counterintuitively, making use of GSO requires us to do more copying: In particular, we change the interface of `Io` such that "sending" a packet performs essentially a lookup of a `BytesMut`-buffer by destination and packet length and appends the payload to that packet. ## 3. Batch-read IP packets In order to actually perform GSO, we need to process more than a single IP packet in one event-loop tick. We achieve this by batch-reading up to 50 IP packets from the mpsc-channel that connects `connlib`'s main event-loop with the dedicated thread that reads and writes to the TUN device. These reads and writes happen concurrently to `connlib`'s packet processing. Thus, it is likely that by the time `connlib` is ready to process another IP packet, multiple have been read from the device and are sitting in the channel. Batch-processing these IP packets means that the buffers in our `GsoQueue` are more likely to contain more than a single datagram. Imagine you are running a file upload. The OS will send many packets to the same destination IP and likely max MTU to the TUN device. It is likely, that we read 10-20 of these packets in one batch (i.e. within a single "tick" of the event-loop). All packets will be appended to the same buffer in the `GsoQueue` and on the next event-loop tick, they will all be flushed out in a single syscall. ## Results Overall, this results in a significant reduction of syscalls for sending UDP message. In [1], we spend only a total of 16% of our CPU time in `udpv6_sendmsg` whereas in [0] (main), we spent a total of 34%. Do note that these numbers are relative to the total CPU time spent per program run and thus can't be compared directly (i.e. you cannot just do 34 - 16 and say we now spend 18% less time sending UDP packets). Nevertheless, this appears to be a great improvement. In terms of throughput, we achieve a ~60% improvement in our benchmark suite. That one is running on localhost though so it might not necessarily be reflect like that in a real network. [0]: https://share.firefox.dev/4hvoPju [1]: https://share.firefox.dev/4frhCPv |
||
|
Thomas Eizinger
|
d06bdaac91 |
chore(relay): don't warn on existing allocation (#7415)
A client may have lost its state and therefore "probe" the relay whether or not is still has an allocation. If it does, it will react to the error, delete it and make a new one. This is no reason to print a warning on the relay side. |
||
|
Thomas Eizinger
|
e833cb4f30 |
fix(rust): don't log and return DisconnectErrors (#7416)
These will be handled by whoever sits on the other side of the channel. Logging these here as well causes duplicate logs and error reports to Sentry. |
||
|
Thomas Eizinger
|
5f4816ee46 |
fix(connlib): don't warn on non-UDP packet to DNS resolver IP (#7418)
Windows appears to sometimes send ICMP (error?) packets to our DNS resolver IPs. There is nothing we can do with these but the current code path logs them as a warning because we expect everything that isn't TCP to be UDP. With this patch, we slightly change the parsing logic to first attempt extracting the UDP packet and fail only with a DEBUG log if it isn't. |
||
|
Thomas Eizinger
|
a3e3d4cac5 |
fix(gateway): filter packets not destined for a client (#7417)
This causes unnecessary logs higher up the stack. |
||
|
dependabot[bot]
|
8e967674fc |
build(deps): Bump androidx.navigation:navigation-testing from 2.8.3 to 2.8.4 in /kotlin/android (#7425)
Bumps androidx.navigation:navigation-testing from 2.8.3 to 2.8.4. [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
dependabot[bot]
|
787ee852ac |
build(deps): Bump lycheeverse/lychee-action from 2.0.2 to 2.1.0 (#7422)
Bumps [lycheeverse/lychee-action](https://github.com/lycheeverse/lychee-action) from 2.0.2 to 2.1.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/lycheeverse/lychee-action/releases">lycheeverse/lychee-action's releases</a>.</em></p> <blockquote> <h2>Version 2.1.0</h2> <h2>What's Changed</h2> <ul> <li>Add missing argument <code>failIfEmpty</code> by <a href="https://github.com/LitoMore"><code>@LitoMore</code></a> in <a href="https://redirect.github.com/lycheeverse/lychee-action/pull/261">lycheeverse/lychee-action#261</a></li> <li>Fix bugs about the exit code by <a href="https://github.com/YDX-2147483647"><code>@YDX-2147483647</code></a> in <a href="https://redirect.github.com/lycheeverse/lychee-action/pull/262">lycheeverse/lychee-action#262</a></li> <li>Bump lychee version to 0.17.0 by <a href="https://github.com/mre"><code>@mre</code></a> in <a href="https://redirect.github.com/lycheeverse/lychee-action/pull/263">lycheeverse/lychee-action#263</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/LitoMore"><code>@LitoMore</code></a> made their first contribution in <a href="https://redirect.github.com/lycheeverse/lychee-action/pull/261">lycheeverse/lychee-action#261</a></li> <li><a href="https://github.com/YDX-2147483647"><code>@YDX-2147483647</code></a> made their first contribution in <a href="https://redirect.github.com/lycheeverse/lychee-action/pull/262">lycheeverse/lychee-action#262</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/lycheeverse/lychee-action/compare/v2...v2.1.0">https://github.com/lycheeverse/lychee-action/compare/v2...v2.1.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
04843309ce |
build(deps): Bump com.google.firebase:firebase-bom from 33.4.0 to 33.6.0 in /kotlin/android (#7426)
Bumps com.google.firebase:firebase-bom from 33.4.0 to 33.6.0. [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
dependabot[bot]
|
9ce6a721ac |
build(deps): Bump androidx.navigation:navigation-safe-args-gradle-plugin from 2.8.2 to 2.8.4 in /kotlin/android (#7427)
Bumps androidx.navigation:navigation-safe-args-gradle-plugin from 2.8.2 to 2.8.4. [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
dependabot[bot]
|
e0279833da |
build(deps): Bump androidx.fragment:fragment-testing from 1.8.4 to 1.8.5 in /kotlin/android (#7428)
Bumps androidx.fragment:fragment-testing from 1.8.4 to 1.8.5. [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
Thomas Eizinger
|
932f6791fb |
fix(phoenix-channel): lazily create backoff timer (#7414)
Our `phoenix-channel` component is responsible for maintaining a WebSocket connection to the portal. In case that connection fails, we want to reconnect to it using an exponential backoff, eventually giving up after a certain amount of time. Unfortunately, the code we have today doesn't quite do that. An `ExponentialBackoff` has a setting for the `max_elapsed_time`. Regardless of how many and how often we retry something, we won't ever wait longer than this amount of time. For the Relay, this is set to 15min. For other components its indefinite (Gateway, headless-client), or very long (30 days for Android, 1 day for Apple). The point in time from which this duration is counted is when the `ExponentialBackoff` is **constructed** which translates to when we **first** connected to the portal. As a result, our backoff would immediately fail on the first error if it has been longer than `max_elapsed_time` since we first connected. For most components, this codepath is not relevant because the `max_elapsed_time` is so long. For the Relay however, that is only 15 minutes so chances are, the Relay would immediately fail (and get rebooted) on the first connection error with the portal. To fix this, we now lazily create the `ExponentialBackoff` on the first error. This bug has some interesting consequences: When a relay reboots, it looses all its state, i.e. allocations, channel bindings, available nonces etc, stamp-secret. Thus, all credentials and state that got distributed to Clients and Gateways get invalidated, causing disconnects from the Relay. We have observed these alerts in Sentry for a while and couldn't explain them. Most likely, this is the root cause for those because whilst a Relay disconnects, the portal also cannot detect its presence and pro-actively inform Clients and Gateways to no longer use this Relay. |
||
|
Thomas Eizinger
|
c6e7e6192e |
build(rust): bump Rust to 1.83 (#7409)
Rust 1.83 comes with a bunch of new lints for elidible lifetimes. Those also trigger in the generated code of `derivative`. That crate is actually unmaintained so we replace our usages of it with `derive_more`. |
||
|
Thomas Eizinger
|
e46cb3f62b |
chore(snownet): improve log when MessageIntegrity is missing (#7399)
|
||
|
Thomas Eizinger
|
bea8393248 |
fix(relay): reduce number of warnings (#7411)
With this PR, we reduce some of the warnings emitted by the relay. If we can only partially fulfill an allocation, we now only emit a warning. Similarly, if we receive a repeated SIGTERM signal, we shut down successfully (i.e. exit with code 0) instead of failing the event-loop. During normal operation, we wait for all allocations to expire before we shut down. On CI however, the relay gets shutdown much earlier so this would generate unnecessary errors. Receiving another SIGTERM is a user-initiated action so we shouldn't fail as a result but instead just comply with it. |
||
|
Thomas Eizinger
|
c7d46b475e |
build(rust): configure cargo cross to passthrough GITHUB_SHA (#7410)
Our relays aren't semver-versioned like other components. So for the version reported to Sentry, we use the current Git SHA. This one is only available as an ENV variable because we are building within a docker container using `cargo cross`. By default, no env variables are passed through to the container. To fix this, we need to add a configuration file that explicitly opts-in to the necessary ENV variable. |
||
|
Thomas Eizinger
|
d41c3afb0b |
chore(rust): add comments for ignored advisories (#7408)
We ignore some advisories of unmaintained crates flagged by `cargo deny`. As long as the crates work for us, there is not much reason to directly remove them, especially if it requires upstream effort. We will get rid of these as they cause problems. To avoid having to look up what they correspond to, we add a comment to each line. |
||
|
dependabot[bot]
|
075c7bf2ad |
build(deps): Bump tauri-winrt-notification from 0.6.0 to 0.7.0 in /rust (#7306)
Bumps [tauri-winrt-notification](https://github.com/tauri-apps/winrt-notification) from 0.6.0 to 0.7.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/tauri-apps/winrt-notification/releases">tauri-winrt-notification's releases</a>.</em></p> <blockquote> <h2>tauri-winrt-notification v0.7.0</h2> <p>Updating crates.io index Locking 25 packages to latest compatible versions Adding quick-xml v0.31.0 (latest: v0.37.0) Adding windows-strings v0.1.0 (latest: v0.2.0)</p> <!-- raw HTML omitted --> <pre><code>Fetching advisory database from `https://github.com/RustSec/advisory-db.git` Loaded 664 security advisories (from /home/runner/.cargo/advisory-db) Updating crates.io index Scanning Cargo.lock for vulnerabilities (25 crate dependencies) </code></pre> <!-- raw HTML omitted --> <h2>[0.7.0]</h2> <ul> <li><a href=" |
||
|
Thomas Eizinger
|
e91a076307 |
refactor(relay): improve error messages on failed requests (#7405)
Some house-keeping that should make debugging issues around relay-disconnects easier. |
||
|
dependabot[bot]
|
60b48afcc5 |
build(deps): Bump serde_json from 1.0.132 to 1.0.133 in /rust (#7397)
Bumps [serde_json](https://github.com/serde-rs/json) from 1.0.132 to 1.0.133. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/serde-rs/json/releases">serde_json's releases</a>.</em></p> <blockquote> <h2>v1.0.133</h2> <ul> <li>Implement From<[T; N]> for serde_json::Value (<a href="https://redirect.github.com/serde-rs/json/issues/1215">#1215</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
Thomas Eizinger
|
973a806707 |
feat(relay): add Sentry crash reporting (#7406)
In addition to monitoring clients and gateways, it is also useful to monitor relays in the same way. This gives us alerts on ERROR and WARN messages logged by the relay as well as panics. |
||
|
Thomas Eizinger
|
78674a8b14 |
refactor(gateway): start telemetry earlier (#7404)
By removing the use of the `#[tokio::main]`, we can ensure that telemetry is initialised as early as possible. --------- Signed-off-by: Thomas Eizinger <thomas@eizinger.io> |
||
|
Thomas Eizinger
|
1baf669434 |
build(rust): don't strip release binaries (#7403)
Stripping the release binaries makes stacktraces completely useless. |
||
|
Thomas Eizinger
|
3ccf795195 |
test(connlib): don't waste shrinking time & cycles on IDs (#7402)
When `proptest` discovers a test failure, it will attempt to "shrink" the input to identify, what exactly causes the issue. How this is done depends on the data type but mostly performs things such as binary search to be efficient. Not every input within our tests is relevant for a failure. For example, which ID we have sampled for a client or a gateway doesn't at all affect whether or not the test will fail. `proptest` doesn't know that though so it will still happily spend shrinking time and cycles on figuring out the minimal difference in IDs (which is 1 because they have to be different). This is a huge waste of time for no benefit. We are getting much more value out of `proptest` if it tries to adjust other things such as the transitions involved in a test, how many gateways and relays there are etc. By marking the strategies for the IDs and private keys with `no_shrink`, we can achieve that. |
||
|
Thomas Eizinger
|
fd337dd465 |
test: reduce number of local rejects for generating IPs (#7401)
When generating random input data in property-based tests, we have to ensure that the data conforms to certain criteria. For example, IP addresses must not be multicast or unspecified addresses and they must not be within our reserved IP ranges. Currently, we ensure this using "filtering" which is a pretty poor technique [0]. To improve on this, we refactor the generation of IPs to automatically exclude all IPs within certain ranges. On very big test-runs (i.e. > 30000 test cases), too many local rejections lead to the test suite being aborted early. [0]: https://proptest-rs.github.io/proptest/proptest/tutorial/filtering.html |
||
|
Thomas Eizinger
|
15b79cef40 |
build(deps): bump rustls to fix RUSTSEC-2024-0399 (#7400)
See https://rustsec.org/advisories/RUSTSEC-2024-0399. |
||
|
Jamil
|
3a62709c77 |
docs: Add restricted regions docs (#7395)
This will be referred to when we make our email announcement. |
||
|
Thomas Eizinger
|
2c26fc9c0e |
ci: lint Rust dependencies using cargo deny (#7390)
One of Rust's promises is "if it compiles, it works". However, there are certain situations in which this isn't true. In particular, when using dynamic typing patterns where trait objects are downcast to concrete types, having two versions of the same dependency can silently break things. This happened in #7379 where I forgot to patch a certain Sentry dependency. A similar problem exists with our `tracing-stackdriver` dependency (see #7241). Lastly, duplicate dependencies increase the compile-times of a project, so we should aim for having as few duplicate versions of a particular dependency as possible in our dependency graph. This PR introduces `cargo deny`, a linter for Rust dependencies. In addition to linting for duplicate dependencies, it also enforces that all dependencies are compatible with an allow-list of licenses and it warns when a dependency is referred to from multiple crates without introducing a workspace dependency. Thanks to existing tooling (https://github.com/mainmatter/cargo-autoinherit), transitioning all dependencies to workspace dependencies was quite easy. Resolves: #7241. |
||
|
Thomas Eizinger
|
3ba3c2f30b |
ci: tag merged image with branch name (#7393)
In #7389, we started tagging the built images with the branch name in addition to other tags such as `latest` and the version number. That wasn't enough unfortunately because we also need to tag the merged manifest image that bundles the different architectures together as only that one actually gets pushed to the registry. |
||
|
Thomas Eizinger
|
44c1b453f7 |
chore(relay): document authentication scheme (#7388)
Follow-up from #7378 to answer some of the questions. --------- Signed-off-by: Thomas Eizinger <thomas@eizinger.io> |
||
|
Brian Manifold
|
b66a156831 |
fix(portal): Set Floki dependency back to hex (#7387)
Found a small `TODO` while working on other things and figured I'd quickly fix it. Following these 2 github issues indicate the problem has been fixed: https://github.com/philss/floki/issues/556 https://github.com/hexpm/hex/issues/1019 |
||
|
Thomas Eizinger
|
82e5e03b9b |
ci: set branch name as docker tag for images (#7389)
Our `docker-compose` file references the images using the `main` tag. However, doing a `docker compose pull` fails because the `main` tag doesn't exist for the client, gateway and relay images. In order for this tag to exist, we need to instruct the `docker/metadata-action` to generate a tag for the current branch. |
||
|
Thomas Eizinger
|
186c485280 |
revert: include span fields in breadcrumb messages (#7384)
Reverts #7379. Unfortunately, this doesn't actually work because those fields are only recorded as part of spans that get sampled, see https://github.com/getsentry/sentry-rust/issues/617#issuecomment-2487058619. If we were to start recording all spans, we'd have a massive overhead and send lots of spans to Sentry. |
||
|
Thomas Eizinger
|
244816d678 |
chore(telemetry): don't send sentry alerts in CI (#7383)
Sending Sentry alerts in CI unnecessarily consumes our quota. |
||
|
Thomas Eizinger
|
c93391e8fd |
chore(headless-client): setup logging earlier (#7385)
Logging needs to be set up as early as possible to ensure we capture log messages such as `Starting telemetry`. |
||
|
Brian Manifold
|
328e973502 |
feat(portal): add membership to google parent OUs (#6811) (#7382)
Hi @firezone/engineering , this is the following of https://github.com/firezone/firezone/pull/6649 I forgot that people can be member of multiple OUs, this PR aims to add support for this. Imagine I have this OU architecture in my google workspace: ```mermaid flowchart TD A[Employees] --> B[Engineering] A --> C[HR] B --> D[Devs] B --> E[Ops] D --> F{me} ``` Currently in Firezone, I will only be a member of the Firezone Group `OU: Devs`. With this PR: I will be a member of `OU: Devs`, `OU: Engineering` and `OU: Employees` Co-authored-by: Antoine <antoinelabarussias@gmail.com> |
||
|
Thomas Eizinger
|
b4ab569af3 |
feat(telemetry): include span fields in breadcrumb messages (#7379)
This switches our `sentry-tracing` dependency to a fork that includes https://github.com/getsentry/sentry-rust/pull/708. Recording our span fields with breadcrumbs is important to provide accurate context of the message. Without the span fields, the messages give us a lot less information. Since the last release, the open issue on `flush` having a flipped return value got fixed as well. |
||
|
Thomas Eizinger
|
56db250e2c |
feat(connlib): validate integrity of all relay responses (#7378)
In order to avoid processing of responses of relays that somehow got altered on the network path, we now use the client's `password` as a shared secret for the relay to also authenticate its responses. This means that not all message can be authenticated. In particular, BINDING requests will still be unauthenticated. Performing this validation now requires every component that crafts input to the `Allocation` to include a valid `MessageIntegrity` attribute. This is somewhat problematic for the regression tests of the relay and the unit tests of `Allocation`. In both cases, we implement workarounds so we don't have to actually compute a valid `MessageIntegrity`. This is deemed acceptable because: - Both of these are just tests. - We do test the validation path using `tunnel_test` because there we run an actual relay. |
||
|
Thomas Eizinger
|
ecec00afed |
chore(snownet): print attributes for all requests and responses (#7380)
When debugging issues related to our TURN allocation code, we sometimes only have the logs that code submitted to Sentry. As part of the event, we submit the last 500 debug logs as breadcrumbs to give more context to the error. Unconditionally printing the attributes of each request-response pair will help us in more easily diagnosing, why certain errors happen. |
||
|
dependabot[bot]
|
4014373dc2 |
build(deps): Bump clap from 4.5.20 to 4.5.21 in /rust (#7369)
Bumps [clap](https://github.com/clap-rs/clap) from 4.5.20 to 4.5.21. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/clap-rs/clap/releases">clap's releases</a>.</em></p> <blockquote> <h2>v4.5.21</h2> <h2>[4.5.21] - 2024-11-13</h2> <h3>Fixes</h3> <ul> <li><em>(parser)</em> Ensure defaults are filled in on error with <code>ignore_errors(true)</code></li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/clap-rs/clap/blob/master/CHANGELOG.md">clap's changelog</a>.</em></p> <blockquote> <h2>[4.5.21] - 2024-11-13</h2> <h3>Fixes</h3> <ul> <li><em>(parser)</em> Ensure defaults are filled in on error with <code>ignore_errors(true)</code></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
Jamil
|
8aed0c6644 |
chore(website): Remove link to probe.sh (#7377)
We'll be winding down this service to reduce maintenance overhead. |
||
|
Thomas Eizinger
|
e8519cca0c |
chore(snownet): warn on exceeding number of candidate pairs (#7376)
In the latest version, we added a warning log to str0m when the maximum number of candidate pairs is exceeded: https://github.com/algesten/str0m/pull/587. We only ever add the candidates of a single relay to an agent (2 candidates), plus at most 2 server-reflexive candidates and at most 2 host candidates. Unless there is a bug like what we fixed in #7334, exceeding the default number of candidate _pairs_ (100) should never happen. In case it does, the newly added `warn` log in `str0m` will trigger a Sentry alert. |
||
|
Thomas Eizinger
|
86ada01828 |
fix(gui-client): initialise sentry-tracing for IPC service (#7363)
It was already a bit sus that we didn't receive as many errors in Sentry from the IPC service as from the GUI client. Turns out that we forgot to initialise our `sentry_layer` there. Additionally, we also didn't initialise the `LogTracer`, meaning we didn't capture logs from the `log` crate which is used by some of the dependencies, for example `wintun`. |