Currently, we have a lot of stupid code to forward data from the
`{Client,Gateway}Tunnel` interface to `{Client,Gateway}State`. Recent
refactorings such as #6919 made it possible to get rid of this
forwarding layer by directly exposing `&mut TRoleState`.
To maintain some type-privacy, several functions are made generic to
accept `impl Into` or `impl TryInto`.
The ports < 1024 are reserved and should not be used for outbound TCP
connections. Generally, a port from the ephemeral port range should be
used for that.
To enforce this, we move the port range of the `dns_over_tcp::Client` to
const-generics. At present, `connlib` only uses a single port range so
we set those as the default too.
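
An added illustration of the idea, not code from `connlib`: a client type that carries its local port range as const generics, so a range that reaches into the reserved ports below 1024 fails at compile time. The name `Client` here is a hypothetical stand-in, and the default range (49152-65535) and the source address are assumptions.

```rust
use std::net::{Ipv4Addr, SocketAddrV4};

/// Hypothetical stand-in for a DNS-over-TCP client. The local port range is
/// part of the type; the defaults (an assumption) are the dynamic port range.
pub struct Client<const MIN_PORT: u16 = 49152, const MAX_PORT: u16 = 65535> {
    source_ip: Ipv4Addr,
    next_offset: u32,
}

impl<const MIN_PORT: u16, const MAX_PORT: u16> Client<MIN_PORT, MAX_PORT> {
    /// Evaluated at compile time for every range that is actually instantiated.
    const RANGE_IS_VALID: () = assert!(
        MIN_PORT >= 1024 && MIN_PORT <= MAX_PORT,
        "port range must be non-empty and must not include reserved ports (< 1024)"
    );

    pub fn new(source_ip: Ipv4Addr) -> Self {
        // Referencing the constant forces the check for this MIN_PORT/MAX_PORT.
        let () = Self::RANGE_IS_VALID;
        Self { source_ip, next_offset: 0 }
    }

    /// Number of ports in the inclusive range.
    pub const fn num_ports() -> u32 {
        MAX_PORT as u32 - MIN_PORT as u32 + 1
    }

    /// Next local socket for an outbound connection, cycling through the range.
    pub fn next_local_socket(&mut self) -> SocketAddrV4 {
        let port = MIN_PORT as u32 + self.next_offset;
        self.next_offset = (self.next_offset + 1) % Self::num_ports();
        SocketAddrV4::new(self.source_ip, port as u16)
    }
}

fn main() {
    // `Client` in type position picks up the default range.
    let mut client: Client = Client::new(Ipv4Addr::new(192, 0, 2, 1)); // constructed address
    println!("{}", client.next_local_socket());
    println!("{}", client.next_local_socket());
    // `Client::<80, 1023>::new(..)` would be rejected by the compiler.
}
```
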
UDP DNS queries for upstream resolvers that happen to be resources need
to be sent through the tunnel. For that to work correctly, `connlib`
needs to rewrite the IP header such that the destination IP points to
the actual address of the DNS server.
Currently, this happens rather "late" in the processing of the packets,
i.e. after `try_handle_dns` has returned (where that decision is
actually made). This is rather confusing and also forces us to re-parse
the packet as a DNS packet at a later stage.
To avoid this, we move the main functionality of
`maybe_mangle_dns_query_to_cidr_resource` into the branch where
`connlib`'s stub DNS resolver tells us that the query needs to be
forwarded via the tunnel.
With the upcoming support of TCP DNS queries, we will have a 2nd source
of IP packets that need to go through the tunnel: Packets emitted from
our internal TCP stack. Attempting to perform the same post-processing
on these TCP packets as we do with UDP is rather confusing, which is why
we want to remove this step from the `encapsulate` function.
Resolves: #5391.
Within `connlib`, the `encapsulate` and `decapsulate` functions on
`ClientState` and `GatewayState` are the entrypoint for sending and
receiving network traffic. For example, IP packets read from the TUN
device are processed using these functions.
Not all packets / traffic passed to these functions is meant to be
encrypted. Some of it is TURN traffic with relays, some of it is DNS
traffic that we intercept.
To clarify this, we rename these functions to `handle_tun_input` and
`handle_network_input`.
As part of this clarification, we also call `handle_timeout` in case we
don't emit a decrypted IP packet when handling network input. Once we
support DNS over TCP (#6944), some IP packets sent through the tunnel
will originate from DNS servers that we forwarded queries to. In that
case, those responses will be handled by `connlib`'s internal TCP stack
and thus not produce a decrypted IP packet. To correctly advance the
state in this case, we mirror what we already do for `handle_tun_input`
and call `handle_timeout` if `handle_network_input` yields `None`.
When handling DNS queries, `connlib` tries to be as transparent as
possible. For this reason, we byte-for-byte forward the DNS response
from the upstream resolver to the original source socket. In #6999, we
started modelling these DNS queries as explicit tasks in preparation for
DNS over TCP and DNS over HTTPS.
As part of that, we create a DNS response for _every_ IO error we
encounter as part of the recursive query. This includes timeouts, i.e.
when we don't receive a response at all. That actually breaks the rule
of "be a transparent DNS proxy".
In this PR, we slightly refactor the handling of the DNS response to
explicitly match on `io::ErrorKind::TimedOut` to not send a packet back,
thus mirroring the behaviour the DNS client would encounter without
Firezone being active.
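
The policy described above, as an added sketch that is not the project's code: an upstream answer is relayed unchanged, a timeout produces no packet at all, and any other IO error is answered with a synthesized response. The page does not say which response `connlib` builds for those errors; SERVFAIL is an assumption here, and all names and the sample query are constructed for the example.

```rust
use std::io;

const HEADER_LEN: usize = 12;

/// What goes back to the socket the query originally came from.
#[derive(Debug, PartialEq)]
pub enum Reply {
    /// Upstream answered: relay its bytes unchanged.
    Forward(Vec<u8>),
    /// Upstream failed with a real IO error: answer SERVFAIL (assumed policy).
    ServFail(Vec<u8>),
    /// Upstream never answered: stay silent so the client sees a plain timeout.
    Silent,
}

/// Offset just past the question section, or `None` if the message is malformed.
fn end_of_questions(msg: &[u8]) -> Option<usize> {
    let qdcount = u16::from_be_bytes([*msg.get(4)?, *msg.get(5)?]);
    let mut pos = HEADER_LEN;
    for _ in 0..qdcount {
        loop {
            let len = *msg.get(pos)? as usize;
            pos += 1;
            if len == 0 {
                break; // root label ends the name
            }
            if len > 63 {
                return None; // compression pointers are not expected in a query name
            }
            pos += len;
        }
        pos += 4; // QTYPE + QCLASS
    }
    (pos <= msg.len()).then_some(pos)
}

/// Build a SERVFAIL from the query: same ID and question, no other records.
fn servfail_for(query: &[u8]) -> Option<Vec<u8>> {
    let end = end_of_questions(query)?;
    let mut resp = query[..end].to_vec(); // drops e.g. a trailing EDNS OPT record
    resp[2] = (resp[2] & 0x79) | 0x80; // keep opcode and RD, clear AA/TC, set QR
    resp[3] = 0x82; // RA set, RCODE = 2 (SERVFAIL)
    resp[6..12].fill(0); // ANCOUNT, NSCOUNT, ARCOUNT
    Some(resp)
}

/// Decide what to send back for the outcome of one recursive query.
pub fn reply_for(query: &[u8], upstream: io::Result<Vec<u8>>) -> Reply {
    match upstream {
        Ok(bytes) => Reply::Forward(bytes),
        Err(e) if e.kind() == io::ErrorKind::TimedOut => Reply::Silent,
        // A query we cannot even parse gets no answer either.
        Err(_) => servfail_for(query).map_or(Reply::Silent, Reply::ServFail),
    }
}

/// Constructed sample: `example.com A IN`, RD set, with an EDNS OPT record.
pub fn sample_query() -> Vec<u8> {
    let mut q = vec![0xBE, 0xEF, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 1];
    q.extend_from_slice(b"\x07example\x03com\x00\x00\x01\x00\x01");
    q.extend_from_slice(&[0, 0, 41, 0x04, 0xD0, 0, 0, 0, 0, 0, 0]);
    q
}

fn main() {
    let q = sample_query();
    let timeout = io::Error::new(io::ErrorKind::TimedOut, "no response");
    let refused = io::Error::new(io::ErrorKind::ConnectionRefused, "port unreachable");
    println!("{:?}", reply_for(&q, Err(timeout)));
    println!("{:?}", reply_for(&q, Err(refused)));
}
```
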
- Added semi-transparent shadow to the button so that it's more visible
when text is overlapping it. Padding did not look good because it
required the scrollbar to be moved inside the parent container and it looked
very ugly
- Replaced custom phx hook with a new native Tailwind component
Closes #5973
When performing recursive DNS queries over UDP, `connlib` needs to
remember the original source socket a particular query came from in
order to send the response back to the correct socket. Until now, this
was tracked in a separate `HashMap`, indexed by upstream server and
query ID.
When DNS queries are being retried, they may be resent using the same
query ID, causing "Unknown query" logs if the retry happens on a shorter
interval than the timeout of our recursive query.
We are already tracking a bunch of metadata alongside the actual
query, meaning we can just as easily add the original source socket to
that as well.
Once we add TCP DNS queries, we will need to track the handle of the TCP
socket in a similar manner.
This PR introduces a custom logging format for all Rust-components. It
is more or less a copy of `tracing_subscriber::fmt::format::Compact`
with the main difference that span-names don't get logged.
Spans are super useful because they allow us to record contextual
values, like the current connection ID, for a certain scope. What is IMO
less useful about them is that in the default formatter configuration,
active spans cause a right-drift of the actual log message.
The actual log message is still what most accurately describes what
`connlib` is currently doing. Spans only add contextual information that
the reader may use to further understand what is happening. This
optional nature of the utility of spans IMO means that they should come
_after_ the actual log message.
Resolves: #7014.
This extracts the initial refactoring required for #6944. Currently,
`connlib` sends all DNS queries over the same UDP socket as all the p2p
traffic for gateways and relays. In an earlier design of `connlib`, we
already did something similar as we are doing here but using
`hickory_resolver` for the actual DNS resolution.
Instead of depending on hickory, we implement DNS resolution ourselves
by sending a UDP DNS query to the mapped upstream DNS server. There are
no retries; instead, we rely on the original DNS client to retry in case
a packet gets lost on the way.
Modelling recursive DNS queries as explicit events from the
`ClientState` is necessary for implementing DNS over TCP and DNS over
HTTPS. In both cases, the query to the upstream server isn't as simple
as emitting a `Transmit`. By modelling the query as an `async fn` within
`Io`, it will be possible to perform them all in one place.
Resolves: #6297.
This brings us one step closer to completing #6140. In Firezone, users
can define custom upstream DNS servers that take priority over
system-defined DNS servers. The IPs of these servers could also be
resources, meaning the DNS queries must be sent through the WireGuard
tunnel to the gateway.
For UDP DNS queries, that is easy because each query is only a single
packet. For TCP DNS queries, we need to have a dedicated TCP-capable DNS
server that parses all incoming queries. If they are required to be
forwarded to the gateway, we then need a TCP-capable DNS client that can
send them to the actual upstream DNS server.
This PR implements such a DNS client. The design is tailored for what we
need in `connlib`: We maintain a permanent TCP connection to each
upstream DNS server and send queries to them. Most likely, users will
only have a handful of DNS servers defined. TCP requires a three-way
handshake before any application data can be sent; maintaining a
connection should therefore greatly improve DNS resolution latency.
DNS resolvers are encouraged to keep TCP connections open but may close
them if they run out of resources. We only re-connect once we have more
queries to send in order to not spam the resolver with connections.
Resolves: #7000.
---------
Signed-off-by: Thomas Eizinger <thomas@eizinger.io>
Closes #7008.
We already signed the GUI exe and the entire MSI package, but when
adding the IPC service we overlooked that one.
This PR:
- Modifies the signing script to accept multiple EXEs
- Modifies the Tauri bundle command to sign both exes
- Updates the changelog

Currently, we emit a single TRACE log for each DNS resource entry that
doesn't match. This is quite spammy and often not needed.
When debugging DNS resources, it is useful to know which resources we
are matching against. To balance this, we now build a list of all DNS
resource domain patterns that we have and log a single "No resources
matched" log with that list in case none match.
Why:
* Without some type of notification, users do not realize that new
Gateway versions have been released and thus do not seem to be upgrading
their deployed Gateways.
This splits out the actual DNS server from #6944 into a separate crate.
At present, it only contains a DNS server. Later, we will likely add a
DNS client to it as well because the proptests and connlib itself will
need a user-space DNS TCP client.
The implementation uses `smoltcp` but that is entirely encapsulated. The
`Server` struct exposes only a high-level interface for
- feeding inbound packets as well as retrieving outbound packets
- retrieving parsed DNS queries and sending DNS responses
Related: #6140.
Bumps AGP to 8.7.0 to fix the following error with recent versions of
Android Studio / gradle:
```
Caused by: java.io.IOException: Cannot run program "rustc" (in directory "/Users/jamil/Developer/firezone/firezone/kotlin/android/app"): error=2, No such file or directory
at net.rubygrapefruit.platform.internal.DefaultProcessLauncher.start(DefaultProcessLauncher.java:25)
... 7 more
Caused by: java.io.IOException: error=2, No such file or directory
```
Also removes dead code and enables verbose output to make it easier to
catch problems like this in the future.
Why:
* A handful of 'show' pages were throwing errors for entities created
using the API. The reason was due to the fact that the
`created_by_actor` was not being preloaded when the details on the
show page were being rendered. This commit updates the various pages to
preload the `created_by_actor` to allow for both API created entities
and UI created entities.
Bumps androidx.navigation:navigation-safe-args-gradle-plugin from 2.8.1
to 2.8.2.
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps androidx.navigation:navigation-testing from 2.8.1 to 2.8.2.
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps com.google.firebase:firebase-bom from 33.3.0 to 33.4.0.
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
With the introduction of `firezone-logging`, we provide a default filter
that silences irrelevant crates:
17ea827c03/rust/logging/src/lib.rs (L32-L40).
Thus, it is safe to just set the default filter to `info` for production
and `debug` for development.
Closes #6989
- The tunnel daemon (IPC service) now explicitly sets the ID file's
perms to 0o640, even if the file already exists.
- The GUI error is now non-fatal. If the file can't be read, we just
won't get the device ID in Sentry.
- More specific error message when the GUI fails to read the ID file
We attempted to set the tunnel daemon's umask, but this caused the smoke
tests to fail. Fixing the regression is more urgent than getting the
smoke tests to match local debugging.
---------
Co-authored-by: _ <ReactorScram@users.noreply.github.com>
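
An added sketch of the two behaviours listed above, not the project's code (Unix only; the function names and temp-file path are hypothetical). It shows why the explicit permission call matters: the mode passed at open time only applies when the file is created and is filtered by the umask, so a pre-existing file keeps whatever mode it had unless it is chmod-ed explicitly.

```rust
use std::fs::{self, OpenOptions, Permissions};
use std::io::{self, Write};
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
use std::path::Path;

/// Owner read/write, group read, nothing for others.
const ID_FILE_MODE: u32 = 0o640;

/// Daemon side: write the ID and leave the file at exactly 0o640.
pub fn write_id_file(path: &Path, id: &str) -> io::Result<()> {
    let mut file = OpenOptions::new()
        .write(true)
        .create(true)
        .truncate(true)
        // Applied only if this call creates the file, and then masked by the umask.
        .mode(ID_FILE_MODE)
        .open(path)?;
    // fchmod on the open handle: covers pre-existing files and ignores the umask.
    file.set_permissions(Permissions::from_mode(ID_FILE_MODE))?;
    file.write_all(id.as_bytes())
}

/// Permission bits of `path`, without the file-type bits.
pub fn mode_of(path: &Path) -> io::Result<u32> {
    Ok(fs::metadata(path)?.permissions().mode() & 0o7777)
}

/// GUI side: a missing or unreadable file is reported, not fatal.
pub fn device_id_for_telemetry(path: &Path) -> Option<String> {
    match fs::read_to_string(path) {
        Ok(id) => Some(id.trim().to_owned()),
        Err(e) => {
            eprintln!("cannot read device ID file `{}`: {e}", path.display());
            None
        }
    }
}

fn main() -> io::Result<()> {
    let path = std::env::temp_dir().join(format!("example-device-id-{}", std::process::id()));
    fs::write(&path, "stale")?;
    // Simulate a leftover file with permissions that are too open.
    fs::set_permissions(&path, Permissions::from_mode(0o666))?;
    write_id_file(&path, "constructed-id-1234\n")?;
    println!("mode after rewrite: {:o}", mode_of(&path)?);
    println!("id: {:?}", device_id_for_telemetry(&path));
    fs::remove_file(&path)
}
```
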
This has been a long-standing issue.
The base PR fixes the issue for Firefox, and apparently all other
browsers will _not_ change your DNS server, only opportunistically
enable DoH if it finds your current servers to support it.
Bumps the navigation group in /kotlin/android with 2 updates:
androidx.navigation:navigation-fragment-ktx and
androidx.navigation:navigation-ui-ktx.
Updates `androidx.navigation:navigation-fragment-ktx` from 2.8.1 to
2.8.2
Updates `androidx.navigation:navigation-ui-ktx` from 2.8.1 to 2.8.2
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the npm_and_yarn group in /website with 1 update:
[micromatch](https://github.com/micromatch/micromatch).
Updates `micromatch` from 4.0.7 to 4.0.8
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/micromatch/micromatch/releases">micromatch's
releases</a>.</em></p>
<blockquote>
<h2>4.0.8</h2>
<p>Ultimate release that fixes both CVE-2024-4067 and CVE-2024-4068. We
consider the issues low-priority, so even if you see automated scanners
saying otherwise, don't be scared.</p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/micromatch/micromatch/blob/master/CHANGELOG.md">micromatch's
changelog</a>.</em></p>
<blockquote>
<h2>[4.0.8] - 2024-08-22</h2>
<ul>
<li>backported CVE-2024-4067 fix (from v4.0.6) over to 4.x branch</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="8bd704ec0d"><code>8bd704e</code></a>
4.0.8</li>
<li><a
href="a0e68416a4"><code>a0e6841</code></a>
run verb to generate README documentation</li>
<li><a
href="4ec288484f"><code>4ec2884</code></a>
Merge branch 'v4' into hauserkristof-feature/v4.0.8</li>
<li><a
href="03aa805217"><code>03aa805</code></a>
Merge pull request <a
href="https://redirect.github.com/micromatch/micromatch/issues/266">#266</a>
from hauserkristof/feature/v4.0.8</li>
<li><a
href="814f5f70ef"><code>814f5f7</code></a>
lint</li>
<li><a
href="67fcce6a10"><code>67fcce6</code></a>
fix: CHANGELOG about braces & CVE-2024-4068, v4.0.5</li>
<li><a
href="113f2e3fa7"><code>113f2e3</code></a>
fix: CVE numbers in CHANGELOG</li>
<li><a
href="d9dbd9a266"><code>d9dbd9a</code></a>
feat: updated CHANGELOG</li>
<li><a
href="2ab13157f4"><code>2ab1315</code></a>
fix: use actions/setup-node@v4</li>
<li><a
href="1406ea38f3"><code>1406ea3</code></a>
feat: rework test to work on macos with node 10,12 and 14</li>
<li>Additional commits viewable in <a
href="https://github.com/micromatch/micromatch/compare/4.0.7...4.0.8">compare
view</a></li>
</ul>
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
With the latest version of `proptest-state-machine`, we no longer need
to use their traits because `Sequential::new` is now exposed. This makes
the overall things less magical because there is less indirection.
This incorporates the feedback from #6939 after a discussion with
@conectado. We agreed that the protocol should be more event-based,
where each message has its own event type. Events MAY appear in pairs or
other cardinality combinations, meaning semantically they could be seen
as requests and responses. In general though, due to the unreliable
nature of IP, it is better to view them as events. Events are typically
designed to be idempotent which is important to make this protocol work.
Using events also means it is not as easy to fall into the "trap" of
modelling requests / responses on the control protocol level.