mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-01-27 10:18:54 +00:00
cbe07caaeaa6ee073270fcf2230ee06666d7b839
8516 Commits
`cbe07caaea` fix(gateway): always map all proxy IPs (#10972)

In a recent refactor, we appear to have broken DNS resources that are IPv6 only. This was caused by a change in how we iterate over the proxy IP mappings. By bailing out as soon as we "run out" of IP mappings, we actually never get to the IPv6 mappings. This PR fixes this behaviour and adds a regression test to ensure we always insert an entry for all proxy IPs.
`ae5d80902c` docs(website): fix references to rust/ directory (#10973)

Resolves: #10971
`e10d05958c` build(deps-dev): bump eslint from 9.37.0 to 9.38.0 in /website (#10942)

Bumps [eslint](https://github.com/eslint/eslint) from 9.37.0 to 9.38.0.
`0a3629e91b` build(deps): bump @vercel/edge-config from 1.4.0 to 1.4.3 in /website (#10941)

Bumps [@vercel/edge-config](https://github.com/vercel/storage/tree/HEAD/packages/edge-config) from 1.4.0 to 1.4.3.

Changelog (sourced from [`@vercel/edge-config`'s changelog](https://github.com/vercel/storage/blob/main/packages/edge-config/CHANGELOG.md)):

- 1.4.3: Support Next.js v16 Cache Components even within `proxy.ts` (fka `middleware.ts`), see [#890](https://redirect.github.com/vercel/storage/pull/890). The `@vercel/edge-config` v1.4.1 release added support for Next.js v16 `cacheComponents`, but did not support using `@vercel/edge-config` in Next.js's `proxy.ts` (fka `middleware.ts`) when the `cacheComponents` flag was enabled in `next.config.ts`. This release fixes this issue so `@vercel/edge-config` can be used in any server side context in Next.js again.
- 1.4.2: Adjust README.
- 1.4.1: Add support for Next.js v16 cache components (see [#883](https://redirect.github.com/vercel/storage/pull/883)).
`7d2f0e9696` build(deps): bump @next/mdx from 15.5.6 to 16.0.0 in /website (#10944)

Bumps [@next/mdx](https://github.com/vercel/next.js/tree/HEAD/packages/next-mdx) from 15.5.6 to 16.0.0.

Release notes (sourced from [`@next/mdx`'s releases](https://github.com/vercel/next.js/releases)), v16.0.0: check out the Next v16 [blog post](https://nextjs.org/blog/next-16) to learn more about this release.
`b7dc897eea` refactor(rust): introduce libs/ directory (#10964)

The current Rust workspace isn't as consistent as it could be. To make navigation a bit easier, we move a few crates around. Generally, we follow the idea that entry-points should be at the top-level. `rust/` now looks like this (directories only):

```
.
├── cli             # Firezone CLI
├── client-ffi      # Entry point for Apple & Android
├── gateway         # Gateway
├── gui-client      # GUI client
├── headless-client # Headless client
├── libs            # Library crates
├── relay           # Relay
├── target          # Compile artifacts
├── tests           # Crates for testing
└── tools           # Local tools
```

To further enforce this structure, we also drop the `firezone-` prefix from all crates that are not top-level binary crates.
`4e26f9943b` refactor(apple): remove unsafe code instance (#10967)

Use the Combine pattern to avoid unsafe code.
`5db7eebbb2` refactor(apple): remove unsafe from Token (#10968)

Convert static query dictionary to a computed property, eliminating the need for nonisolated(unsafe). Also fixes a bug where kSecAttrLabel used a hardcoded string instead of the label property (which differs between debug and release builds).
`d6080e3ab1` test(connlib): relax site online/unknown assertions (#10963)

Within the proptests, we assert that connlib correctly reports the online status of resources. For resources where we establish TCP connections, that is difficult to model exactly due to the number of error cases we also run through in the tests like rejecting connections with ICMP errors, rebooting relays etc. Up until now, we tried to model this quite precisely by only allowing deviations of the resource status for TCP connections that have received ICMP errors. With the prolonged ICE timeout on the Gateway, this is turning out to not be enough. We therefore relax the assertion here to allow all resources that are within sites that we made a TCP connection to deviate from their expected online/unknown status.
`bcf4ccf817` fix(rust): introduce dedicated downcast functions for anyhow (#10966)

The downcasting abilities of `anyhow` are pretty powerful. Unfortunately, they can also be a bit tricky to get right. Whilst `is` and `downcast` work fine for any errors that are within the `anyhow` error chain, they don't check the chain of errors prior to that. In other words, if we already have a nested `std::error::Error` with several causes, `anyhow` cannot downcast to these causes directly. In order to avoid this footgun, we create a thin layer on top of the `anyhow` crate with some downcasting functions that always try to do the right thing.
`48e0a89125` fix(connlib): fail connection upsert early (#10962)

When upserting a connection, we need to sample one of our relays to use as a fallback. If we don't have any relays (because they all got disconnected), we cannot create the connection. Right now, we perform this sampling a bit too late in the function and thus wrongly print "Creating new connection" even though we never make it that far. To avoid that, move the `sample_relay` call higher up to avoid making any state modifications if we cannot proceed.
`acb709ef42` build(deps): bump caps from 0.5.5 to 0.5.6 in /rust (#10958)

Bumps [caps](https://github.com/lucab/caps-rs) from 0.5.5 to 0.5.6.

Release notes (sourced from [caps's releases](https://github.com/lucab/caps-rs/releases)), v0.5.6:

- Update minimum toolchain to 1.63
- Remove `thiserror` dependency
- Gracefully handle unsupported capabilities in clear and read operations
`d09bab3d0c` test(relay): go back to the future before healthcheck (#10961)

The health-check tests for the relay use `Instant::elapsed` which implicitly uses `Instant::now`. On a freshly booted Windows machine, these tests might easily fail because we are subtracting 15 minutes from `Instant::now` which might result in an underflow as Windows cannot represent `Instant`s prior to the boot time.

Related: #10927
`328c7dd266` build(deps): bump domain from 0.11.0 to 0.11.1 in /rust (#10956)

Bumps [domain](https://github.com/nlnetlabs/domain) from 0.11.0 to 0.11.1.

Changelog (sourced from [domain's changelog](https://github.com/NLnetLabs/domain/blob/main/Changelog.md)), 0.11.1, released 2025-10-22.

Bug fixes:

- Fix handling of tabs when formatting RDATA using `DisplayKind::Tabbed`. ([#516](https://redirect.github.com/NLnetLabs/domain/pull/516))
- Fix for in-place zone parser yielding incorrect TTLs. ([#538](https://redirect.github.com/NLnetLabs/domain/pull/538))
- Generalize `ZoneUpdater` to support any `Record` type, not just `ParsedRecord`. ([#535](https://redirect.github.com/NLnetLabs/domain/pull/535))
- Trim leading modulus and public exponent zeroes per RFC 3110 section 2. ([#541](https://redirect.github.com/NLnetLabs/domain/pull/541))
- Fix panic in zonetree from in-place zonefile after encountering a malformed record. ([#573](https://redirect.github.com/NLnetLabs/domain/pull/573))

Unstable features:

- `unstable-server-transport`: Don't discard the NOTIFY SOA serial, if one is received. Existing users of the `Notifiable` trait will need to update their code as this change adds an argument to `Notifiable::notify_zone_changed()`. ([#562](https://redirect.github.com/NLnetLabs/domain/pull/562))
- `unstable-client-transport`: Fix an issue in Stream::Transport when a reply arrives early. ([#568](https://redirect.github.com/NLnetLabs/domain/pull/568) by [@TheJokr](https://github.com/TheJokr))

Other changes:

- Fix docs on `XfrResponseInterpreter`. ([#510](https://redirect.github.com/NLnetLabs/domain/pull/510))
`e47cb0a5e4` build(deps): bump rustls from 0.23.31 to 0.23.34 in /rust (#10954)

Bumps [rustls](https://github.com/rustls/rustls) from 0.23.31 to 0.23.34.
`7bb8b33ed2` build(deps): bump proc-macro2 from 1.0.101 to 1.0.103 in /rust (#10955)

Bumps [proc-macro2](https://github.com/dtolnay/proc-macro2) from 1.0.101 to 1.0.103.

Release notes (sourced from [proc-macro2's releases](https://github.com/dtolnay/proc-macro2/releases)):

- 1.0.103: Add semver-exempt `Literal` methods `str_value`, `cstr_value`, `byte_str_value` ([#525](https://redirect.github.com/dtolnay/proc-macro2/issues/525))
- 1.0.102: Fix interaction of Display impls for TokenStream and Ident with formatting specifiers for padding, alignment, width ([#523](https://redirect.github.com/dtolnay/proc-macro2/issues/523), [#524](https://redirect.github.com/dtolnay/proc-macro2/issues/524))
`6aa434471b` build(deps): bump reqwest from 0.12.23 to 0.12.24 in /rust (#10957)

Bumps [reqwest](https://github.com/seanmonstar/reqwest) from 0.12.23 to 0.12.24.

Release notes (sourced from [reqwest's releases](https://github.com/seanmonstar/reqwest/releases)), v0.12.24 highlights:

- Refactor cookie handling to an internal middleware.
- Refactor internal random generator.
- Refactor base64 encoding to reduce a copy.
- Documentation updates.

What's Changed:

- build(deps): silence unused deps in WASM build by [@0x676e67](https://github.com/0x676e67) in [seanmonstar/reqwest#2799](https://redirect.github.com/seanmonstar/reqwest/pull/2799)
- perf(util): avoid extra copy when base64 encoding by [@0x676e67](https://github.com/0x676e67) in [seanmonstar/reqwest#2805](https://redirect.github.com/seanmonstar/reqwest/pull/2805)
- docs: fix method name in changelog entry by [@johannespfrang](https://github.com/johannespfrang) in [seanmonstar/reqwest#2807](https://redirect.github.com/seanmonstar/reqwest/pull/2807)
- chore: Align the name usage of TotalTimeout by [@Xuanwo](https://github.com/Xuanwo) in [seanmonstar/reqwest#2657](https://redirect.github.com/seanmonstar/reqwest/pull/2657)
- refactor(cookie): add `CookieService` by [@linyihai](https://github.com/linyihai) in [seanmonstar/reqwest#2787](https://redirect.github.com/seanmonstar/reqwest/pull/2787)
- Fixes typo in retry max_retries_per_request doc comment re 2813 by [@dmackinn](https://github.com/dmackinn) in [seanmonstar/reqwest#2824](https://redirect.github.com/seanmonstar/reqwest/pull/2824)
- test(multipart): fix build failure with `no-default-features` by [@0x676e67](https://github.com/0x676e67) in [seanmonstar/reqwest#2801](https://redirect.github.com/seanmonstar/reqwest/pull/2801)
- refactor(cookie): avoid duplicate cookie insertion by [@0x676e67](https://github.com/0x676e67) in [seanmonstar/reqwest#2834](https://redirect.github.com/seanmonstar/reqwest/pull/2834)

New contributors: [@johannespfrang](https://github.com/johannespfrang) made their first contribution in seanmonstar/reqwest#2807; [@dmackinn](https://github.com/dmackinn) made their first contribution in seanmonstar/reqwest#2824.

Full Changelog: https://github.com/seanmonstar/reqwest/compare/v0.12.23...v0.12.24
`d0d4faad65` build(deps): bump zbus from 5.11.0 to 5.12.0 in /rust (#10959)

Bumps [zbus](https://github.com/z-galaxy/zbus) from 5.11.0 to 5.12.0.

Release notes (sourced from [zbus's releases](https://github.com/z-galaxy/zbus/releases)), zbus 5.12.0:

- 🚚 Update name of Github space from `dbus2` to `z-galaxy`.
- ✨ Add `Error::description` method. This gives a simple description about the error.
- 🥅 Provide description for zbus::Error in DBusError. [#1523](https://redirect.github.com/z-galaxy/zbus/issues/1523)
- 🐛 Remove minimum amount of required address options. Set the minimum amount of address options to 0, as per the spec. [#1513](https://redirect.github.com/z-galaxy/zbus/issues/1513)
- ➖ Remove `rand` and replace with `uuid`. This makes `uuid` mandatory for `zbus`, and changes the `p2p` feature to enable `v4` of `uuid`.
- 📝 book: Update version of zbus in the sample Cargo.toml.
- 🧵 Launch a multi-threaded tokio runtime for blocking. Otherwise, any blocking calls in the application code can block our internal tasks. This is breaking our "we won't launch threads behind your back" promise a little, but it's only limited to the blocking API and therefore worth the benefit of not unexpectedly stopping to work. [#1512](https://redirect.github.com/z-galaxy/zbus/issues/1512)
- 🐛 Fix tracing span names showing as {}.
`e5a46590e0` build(deps): bump clap from 4.5.47 to 4.5.50 in /rust (#10960)

Bumps [clap](https://github.com/clap-rs/clap) from 4.5.47 to 4.5.50.

Changelog (sourced from [clap's changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)):

- [4.5.50] - 2025-10-20. Features: Accept `Cow` where `String` and `&str` are accepted.
- [4.5.49] - 2025-10-13. Fixes: (help) Correctly wrap when ANSI escape codes are present.
- [4.5.48] - 2025-09-19. Documentation: Add a new CLI Concepts document as another way of framing clap; expand the `typed_derive` cookbook entry.
`36923e7934` chore: specify more paths in .prettierignore (#10933)

Prettier is a tool with questionable defaults and performance. Not only is it slow to format files, but it also doesn't respect nested `.gitignore` or `.prettierignore` files. This means we need to specify all paths that it should not touch in the top-level `.prettierignore` to get even close to acceptable performance. Even with these optimisations, it still takes around 8 seconds to format our workspace.
`16a7284bab` test: assert at least 1 non-standard source port after roam (#10940)

The current assertion is not robust enough as we can see from the test failure in https://github.com/firezone/firezone/actions/runs/19619954030/job/56178969296?pr=10931. Another way of asserting that we have roamed is to check whether or not we are using a non-standard source port. The NAT binding for the old source port is still active after roaming and therefore, the NAT has to assign a new source port to the traffic arriving from the client.
|
|
6d01fa6c70 |
ci: run more Rust tests on all platforms (#10927)
Running only the unit-tests of select crates on some platforms is problematic. We are unlikely to update this list of crates as we introduce new ones. It is a better default to run the tests of all crates on all platforms and selectively exclude the ones that can't run because they are unsupported. |
||
|
|
d70d6168e2 |
fix(connlib): use correct host for OpenDNS DoH URL (#10934)
Fixes a small typo in the hard-coded host of the OpenDNS DoH URL. |
||
|
|
7c2c78f68c | chore(connlib): improve formatting of wire::dns TRACE logs (#10935) | ||
|
|
4d95b813bd |
ci(apt): import packages one by one (#10938)
When importing packages into the APT repository, we need to do so one-by-one. Moving packages using a glob-pattern confuses the CLI because it wants to overwrite files it just created.

Current main: https://github.com/firezone/firezone/actions/runs/19619491316/job/56177170625
This PR: https://github.com/firezone/firezone/actions/runs/19619725967/job/56177805109 |
||
|
|
658eea900e |
build(deps): bump asciinema-player from 3.10.0 to 3.12.1 in /website (#10943)
Bumps [asciinema-player](https://github.com/asciinema/asciinema-player) from 3.10.0 to 3.12.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/asciinema/asciinema-player/releases">asciinema-player's releases</a>.</em></p> <blockquote> <h2>3.12.1</h2> <p>This version includes additional fix for seeking past the end of recording and restarting the playback.</p> <h2>3.12.0</h2> <p>Notable changes:</p> <ul> <li>Live audio stream support for WebSocket sources (see below)</li> <li>Improved adaptive buffer algorithm for WebSocket sources (see below)</li> <li>Fixed keyboard shortcuts issue (stopped working) caused by the new mute/unmute icon</li> <li>Fixed seeking after playback ended (<a href="https://redirect.github.com/asciinema/asciinema-player/issues/282">#282</a>)</li> </ul> <h2>Live audio playback</h2> <p>The <code>audioUrl</code> option, introduced in v3.11, can now also be used with live (WebSocket) sources:</p> <pre lang="javascript"><code>AsciinemaPlayer.create("ws://example.com/ws/stream", document.getElementById("demo"), { audioUrl: "http://example.com/icecast/stream.ogg" }); </code></pre> <p>The URL should be a live audio source - either a direct HTTP audio stream (.mp3, .aac, .ogg, etc) such as Icecast/Shoutcast endpoint, or HLS playlist (.m3u8).</p> <p>Note that it's not recommended to use <code>autoplay: true</code> option together with <code>audioUrl</code> - browsers often require explicit user activity (click, tap) to enable sound, which in the player's case would be starting the playback by clicking on the play button. Without user click the <code>autoplay</code> will start the playback but the sound likely won't be there.</p> <p>Also, for the audio playback to work a server that handles the audio URL (e.g. 
Icecast) must be configured to allow CORS requests from the page (URL) that hosts the player.</p> <h2>New adaptive buffering</h2> <p>The WebSocket driver uses adaptive buffer (expressed in time) to ensure smooth, stutter free playback of live sessions with minimal latency.</p> <p>The previous algorithm used a moving average over a sliding window of N recent latencies. It did ok-ish job, but given the sparse nature of the event stream (no constant rate) it turned out to be not ideal. Here's how it performed. Red dots are measured latencies, green line is effective buffer time:</p> <!-- raw HTML omitted --> <p>The new algorithm uses time based EMA (exponential moving average), which is much more relevant for sparse events, resulting in more stable and overall lower buffer size when applied to a wide spectrum of terminal activities (here applied to the same input latencies as the one above):</p> <!-- raw HTML omitted --> <h2>3.11.1</h2> <p>This release brings additional fixes for audio loading in Safari.</p> <h2>3.11.0</h2> <p>Notable changes:</p> <ul> <li>Synced audio playback (see below)</li> <li>JS bundle size reduced by 43 KB (202 KB -> 159 KB) - it's now 78% of the previous release (v3.10) size</li> <li>WebSocket driver now uses jitter for exponential backoff calculation when reconnecting</li> <li>WebSocket driver can play live sessions encoded in <a href="https://docs.asciinema.org/manual/server/streaming/#asciicast-v3">asciicast v3 compatible</a> format</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
001cedd844 |
build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 (#10950)
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.2 to 5.0.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/upload-artifact/releases">actions/upload-artifact's releases</a>.</em></p> <blockquote> <h2>v5.0.0</h2> <h2>What's Changed</h2> <p><strong>BREAKING CHANGE:</strong> this update supports Node <code>v24.x</code>. This is not a breaking change per-se but we're treating it as such.</p> <ul> <li>Update README.md by <a href="https://github.com/GhadimiR"><code>@GhadimiR</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/681">actions/upload-artifact#681</a></li> <li>Update README.md by <a href="https://github.com/nebuk89"><code>@nebuk89</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/712">actions/upload-artifact#712</a></li> <li>Readme: spell out the first use of GHES by <a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/727">actions/upload-artifact#727</a></li> <li>Update GHES guidance to include reference to Node 20 version by <a href="https://github.com/patrikpolyak"><code>@patrikpolyak</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/725">actions/upload-artifact#725</a></li> <li>Bump <code>@actions/artifact</code> to <code>v4.0.0</code></li> <li>Prepare <code>v5.0.0</code> by <a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/734">actions/upload-artifact#734</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/GhadimiR"><code>@GhadimiR</code></a> made their first contribution in <a href="https://redirect.github.com/actions/upload-artifact/pull/681">actions/upload-artifact#681</a></li> <li><a href="https://github.com/nebuk89"><code>@nebuk89</code></a> made their first contribution in <a 
href="https://redirect.github.com/actions/upload-artifact/pull/712">actions/upload-artifact#712</a></li> <li><a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> made their first contribution in <a href="https://redirect.github.com/actions/upload-artifact/pull/727">actions/upload-artifact#727</a></li> <li><a href="https://github.com/patrikpolyak"><code>@patrikpolyak</code></a> made their first contribution in <a href="https://redirect.github.com/actions/upload-artifact/pull/725">actions/upload-artifact#725</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/upload-artifact/compare/v4...v5.0.0">https://github.com/actions/upload-artifact/compare/v4...v5.0.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
dcad1c5bd7 |
build(deps): bump actions/download-artifact from 5.0.0 to 6.0.0 (#10951)
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 5.0.0 to 6.0.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/download-artifact/releases">actions/download-artifact's releases</a>.</em></p> <blockquote> <h2>v6.0.0</h2> <h2>What's Changed</h2> <p><strong>BREAKING CHANGE:</strong> this update supports Node <code>v24.x</code>. This is not a breaking change per-se but we're treating it as such.</p> <ul> <li>Update README for download-artifact v5 changes by <a href="https://github.com/yacaovsnc"><code>@yacaovsnc</code></a> in <a href="https://redirect.github.com/actions/download-artifact/pull/417">actions/download-artifact#417</a></li> <li>Update README with artifact extraction details by <a href="https://github.com/yacaovsnc"><code>@yacaovsnc</code></a> in <a href="https://redirect.github.com/actions/download-artifact/pull/424">actions/download-artifact#424</a></li> <li>Readme: spell out the first use of GHES by <a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/download-artifact/pull/431">actions/download-artifact#431</a></li> <li>Bump <code>@actions/artifact</code> to <code>v4.0.0</code></li> <li>Prepare <code>v6.0.0</code> by <a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/download-artifact/pull/438">actions/download-artifact#438</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> made their first contribution in <a href="https://redirect.github.com/actions/download-artifact/pull/431">actions/download-artifact#431</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/download-artifact/compare/v5...v6.0.0">https://github.com/actions/download-artifact/compare/v5...v6.0.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> 
<li><a href=" |
||
|
|
8539f2ff2c |
refactor(gateway): update flow-logs fields in subject (#10939)
Resolves: #10928 |
||
|
|
4b68cdb98a |
build(deps): bump actions/setup-node from 5.0.0 to 6.0.0 in /.github/actions/setup-node (#10952)
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 5.0.0 to 6.0.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/setup-node/releases">actions/setup-node's releases</a>.</em></p> <blockquote> <h2>v6.0.0</h2> <h2>What's Changed</h2> <p><strong>Breaking Changes</strong></p> <ul> <li>Limit automatic caching to npm, update workflows and documentation by <a href="https://github.com/priyagupta108"><code>@priyagupta108</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1374">actions/setup-node#1374</a></li> </ul> <p><strong>Dependency Upgrades</strong></p> <ul> <li>Upgrade ts-jest from 29.1.2 to 29.4.1 and document breaking changes in v5 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/setup-node/pull/1336">#1336</a></li> <li>Upgrade prettier from 2.8.8 to 3.6.2 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/setup-node/pull/1334">#1334</a></li> <li>Upgrade actions/publish-action from 0.3.0 to 0.4.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/setup-node/pull/1362">#1362</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/setup-node/compare/v5...v6.0.0">https://github.com/actions/setup-node/compare/v5...v6.0.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
0c5ca66f57 |
fix(connlib): override query ID of DoH response (#10931)
As per the RFC, queries to DoH servers should always set their query ID to 0. This is more cache-friendly because two queries for the same domain end up being byte-for-byte equivalent in the HTTP request. When transported over HTTP, the query ID is obsolete because the response can be unambiguously mapped back to the request already. Connlib's DoH feature zeros out the query ID in the IO layer. To correctly test this functionality, we therefore extend the test-suite to do the same and restore the original query ID before sending back the response on the original transport. This fixes a bug where all DNS queries that were forwarded to a DoH server incorrectly had their query ID set to 0. |
||
|
|
8b16aaa546 |
ci: install dotnet v10 (#10937)
A new version of the `AzureSignTool` appears to require a dotnet version that is not yet installed on the GitHub runners. Ideally we would be managing this via `.tool-versions` but that needs a bit more work, see the CI failures in #10936. |
||
|
|
5b8343c766 |
fix(website): remove unnecessary newlines from devlog post (#10932)
This fixes CI failures introduced in #10930. |
||
|
|
7a81287245 |
feat(website): oct 2025 devlog (#10930)
Adds the October 2025 devlog entry to the blog. |
||
|
|
5fe6680256 |
chore(website): add nodejs to .tool-versions (#10929)
Need this for website. Also bumps pnpm to latest. |
||
|
|
fb418e51b3 |
chore: track pnpm and prettier in .tool-versions (#10926)
|
||
|
|
bce2aa30b5 |
feat(portal): extend DNS settings to allow for DoH providers (#10882)
In order to allow customers to make use of connlib's DoH functionality, we need a configuration UI for it. We take inspiration from the "New Resource" page and implement a 3-choice UI component for configuring how Clients should resolve DNS queries:

- System
- Secure DNS
- Custom

The secure and custom DNS options show an additional form when selected for either picking a DoH provider or the addresses of the custom DNS servers.

Right now, the "Secure DNS" part is disabled if the `DISABLE_DOH_PROVIDER` env variable is set. We render a "Coming soon" tooltip on hover:

<img width="1534" height="1100" alt="image" src="https://github.com/user-attachments/assets/a12a6ba4-806f-4d19-8aea-5c1cd981d609" />

This allows us to test this in staging and still ship to production if needed prior to enabling it.

Resolves: #10792
Resolves: #10786

---------

Co-authored-by: Jamil Bou Kheir <jamilbk@users.noreply.github.com> |
||
|
|
aab779e68b |
fix(connlib): signal all local candidates on upsert (#10920)
Firezone's UDP connections are designed to be idempotent. If a Client discards its "half" of the connection but the Gateway still keeps the state around, a subsequent connection setup by the Client will reuse connection state on the Gateway. To fully support this, `snownet` re-sends all its local candidates to the remote peer whenever a connection gets upserted.

The current `seed_agent_with_local_candidates` function attempts to do this job but its design overlooked a crucial detail: re-adding a candidate that the `IceAgent` already knows about is considered to be redundant. As such, the candidate is not re-signalled to the remote!

The real-world consequences for this are subtle. `str0m`'s support for peer-reflexive candidates means that incoming STUN binding requests are still answered, even if they come from an address that the agent doesn't know anything about, i.e. it has never been told about that candidate. Thus, what happens right now is that when a Client re-creates a connection that is still present on the Gateway, it will start receiving STUN binding requests for candidates it doesn't know about and create peer-reflexive candidates for them.

Where this does show up is in our test-suite, which has fairly strict timing constraints. When we simulate the re-deploy of relays, we expect connections to be migrated to a new relay immediately. To support this, the current relay candidates are invalidated on both sides. This however only works if the current candidate is correctly recognised by the local ICE agent. Peer-reflexive candidates are created on-demand and typically only serve a placeholder-like role until we learn about the real candidate that is being used. Due to the above described behaviour of `seed_agent_with_local_candidates`, this however may not happen at all. As a result, attempting to invalidate a relay candidate fails because we don't recognise the relay candidate as we only have a peer-reflexive one.

Putting all of this together, whilst not re-sending all candidates doesn't cause immediate issues for a connection, it may cause problems at a later point when we are trying to invalidate a currently active candidate to achieve a speedy failover to a new one. |
||
|
|
ef24617e2c | docs: add changelog entry for #10914 (#10925) | ||
|
|
62a39a81d0 |
fix(connlib): index tunnelled DNS queries by source socket (#10914)
It appears that several systems (at least macOS) may send DNS queries to the same server with the same query ID but from different source sockets.

Within connlib, we operate multiple DNS servers (one for each upstream) and use the tuple of server address and query ID to remember the necessary state we need to map the response back once we have the response from the upstream server. Given the discovery that this tuple is not necessarily unique, we now need to also track the source socket that _we_ are using to send our queries in order to correctly remember which socket we need to send the response back to. For that, we extend the layer 3 UDP and TCP clients to return us the socket they are using for each query that we queue.

In very specific circumstances, this can still fail. In particular, when connlib receives an SRV or TXT query for a resource, it resolves that query in the context of the resource's site by sending it to port 53535 of the Gateway's TUN device. The Gateway listens to DNS queries on this port and resolves them using its configured system resolvers. It however only listens on a single address, meaning we may be forwarding queries from several of connlib's "servers" to a single query which again may break the uniqueness constraint if two queries with the same ID are received at the same time because we would reuse the TCP connection to the resolver running in the Gateway and thus send them from the same source port. We consider this case to be sufficiently rare and handle it by just failing the 2nd DNS query. There may be ways of resolving it but it requires a bigger refactoring of how we establish TCP connections to upstream resolvers. |
||
|
|
199766ccf9 |
ci(rust): improve proptest coverage checks (#10918)
The current coverage checks for paths that we hit during our proptests fail as soon as one of them is not satisfied. When iterating on the proptests, it is useful to see in one go which paths are currently not hit to generate the missing regression seeds. Hence, we refactor the script to perform all checks and fail if any of them are not hit, outputting all missing ones. |
||
|
|
32df4b399a |
chore: modularize .tool-versions (#10919)
Not all tools are needed for all parts of the codebase. In order to avoid installing all tools, we create nested `.tool-versions` files that list the specific dev-tools needed for a certain part of the product. |
||
|
|
528db7d9c5 |
fix(apple): Prevent Swift6 crash on iPadOS (#10916)
UserDefaults change notifications should always be handled on the main thread. This wasn't the case when PencilKit posted UserDefaults notifications from a background thread during its initialization on iPadOS, causing a Swift 6 MainActor violation crash.

Ultimately, the root cause of this issue was not abiding by strict Swift 6 concurrency checks by using unsafe code: even when the UserDefaults themselves were `nonisolated(unsafe)` and bypassed the checks, this was not the case for the Apple PencilKit framework, which was ultimately initialised in the wrong context.

Note: There are a few ways to fix this; we're settling on the Combine pattern as it's used elsewhere in the codebase (e.g. in Store). For other solutions, see: https://stackoverflow.com/questions/74729010/swift-concurrency-notification-callbacks-on-mainactor-objects |
||
|
|
ffce55376f |
chore(connlib): add time-related tests to l3-udp-dns-client (#10913)
This module didn't have any tests yet so I generated some with Claude and trimmed them down to a meaningful set. |
||
|
|
aa4a08889b |
test(connlib): set TCP connections as connected after roaming (#10910)
TCP connections have a keep-alive mechanism and therefore will automatically trigger a new connection to a resource after roaming. We need to model this in our tests by setting the resource as connected whenever we reset the network state. |
||
|
|
ea5e734254 |
test(connlib): fix off-by-1 second error in NAT table test (#10912)
A CI failure uncovered that we have an off-by-1 second error in our NAT table test. The mapping only expires after the last packet seen + the protocol TTL, not after the first sent one + protocol TTL.

---------

Signed-off-by: Thomas Eizinger <thomas@eizinger.io>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> |
||
|
|
01e16e87d6 |
feat(connlib): support DoH (#10876)
Building on top of a series of refactors and smaller features, this PR enables connlib to send DNS queries over HTTPS to one or more configured DoH providers.

A DoH server itself is addressed via a domain which first needs to be resolved before it can be contacted. The RFC recommends performing this bootstrapping using the system DNS resolvers. For connlib, this is a bit tricky because the system resolvers may already be set to connlib's sentinel servers by the time we need to bootstrap the DoH clients. Therefore, we maintain a dedicated UDP DNS client inside connlib's `Io` component which is always configured with the latest system DNS resolvers known to connlib.

The actual bootstrapping of a DoH client happens in the following cases:

1. Our TUN device configuration changes and the configured DNS servers mapping contains DoH upstreams.
2. We need to make a DNS query to a DoH server but don't have a client yet.

The first case ensures we bootstrap the DoH clients as early as possible. The latter case ensures we have a self-healing behaviour in case the TCP connection to the DoH server breaks (in which case the DoH client will be de-allocated).

Once the DoH client is initialized, making queries with it is a trivial act of sending an HTTP request and parsing the HTTP response. Within connlib, this now requires almost no special handling apart from a new `dns::Upstream` type that differentiates between Do53 servers (addressed by a `SocketAddr`) and DoH servers (addressed by a `Url`).

Related: #10764
Related: #10788
Related: #10850
Related: #10851
Related: #10856
Related: #10857
Related: #10871
Related: #10872
Related: #10875
Related: #10881

Resolves: #10790 |
||
|
|
9b0ae92b29 |
feat(gateway): extend ICE timeout (#10887)
Currently, a `snownet` Client and Server always have the same ICE timeout configuration. This doesn't necessarily have to be the case. A Gateway cannot establish connections to a Client anyway and thus, we can have much laxer requirements on when we detect that a Client has disappeared (without saying "goodbye"). Extending the idle and default ICE timeout values should hopefully reduce the number of false-positive disconnects that users may experience where a Gateway cuts a connection because it believes the Client is gone when in reality, perhaps a few STUN packets just got lost or backed up. Changing the ICE timeout exposes a few corner-cases in how we track and use time within `snownet`. In particular, it is now obviously possible for a Gateway to still retain the connection state of a Client whilst the Client has long disconnected but now reconnects using the same ICE credentials and private key. Our proptests uncovered some state misalignment in that scenario due to some remaining time impurity within `boringtun` (see https://github.com/firezone/boringtun/pull/126 for details). In addition, our idle state transitions needed to be updated to also take into account candidate changes on both sides in order to achieve a deterministic outcome. |
||
|
|
ccee476daa |
fix(snownet): allow direct connections on port 3478 (#10907)
When a NAT between the Client and Gateway remaps the source port to 3478, it is tricky to de-multiplex that p2p traffic from the packets we receive from a relay. Currently, we handle this edge-case by dropping these packets which effectively forces a fallback to a relayed connection. Remapping onto exactly this port is likely to be quite rare in practice which is why this behaviour was implemented in the first place.

We can however do better than that by remembering which relays we have previously been connected to. That is because the problem with traffic on port 3478 isn't so much the correct handling in case it _is_ p2p traffic: we can simply check whether the IP is one of the relays we are connected to. The problem is the mis-classification as p2p traffic in case they are packets from a relay that we have disconnected from, causing a log-spam of "unknown packet".

To gracefully handle this, we now remember up to 64 relay IPs that we have been connected to in the past. This ensures we can correctly classify traffic from previous relays as such and drop the packet whilst at the same time continuing processing of packets from unknown origins which likely then is p2p traffic. The effect of this is that we can now establish direct connections to peers, even if a NAT in between remaps their source port to 3478.

To make this fix easier, we precede it with a refactoring of introducing an `Allocations` container for the map of `Allocations`. This allows us to easily track when we remove a value from the map and then remember the relay's IPs.

This came up as part of test failures in #10887.

---------

Signed-off-by: Thomas Eizinger <thomas@eizinger.io>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> |
||
|
|
35b28692de |
feat(gateway): improve state tracking of DNS resource NAT (#10868)
Right now, the state tracking within the DNS resource NAT table is pretty simple:

- We map from inside to outside and back
- When we see a TCP RST, we remove it immediately

To improve our logs a bit and make the NAT table more robust, we extend it by:

- Tracking last inbound and outbound packet
- Tracking FIN and RST flags

This allows us to fully observe e.g. a TCP shutdown where both parties send TCP FIN. It also allows us to remove entries that have never been confirmed after a shorter amount of time.

Resolves: #10795

---------

Signed-off-by: Thomas Eizinger <thomas@eizinger.io>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> |