mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-01-27 18:18:55 +00:00
Currently, we refresh DNS mappings when:
* We translate a packet for the first time
* There are no more incoming packets for 120 seconds
* There is at least 1 outgoing packet in the last 10 seconds

The idea was to coordinate with conntrack somehow, to expire DNS translation at the point where the NAT session of the OS stops being valid. That way, if the triggered DNS refresh changes the resolved IPs it would never kill the underlying connection. However, TCP sessions by default can last for up to 5 days! And I have no idea how long for ICMP.

To prevent killing these connections, we assume that TCP and ICMP packets will elicit a response within 1s. The DNS refresh for a translation mapping that hasn't seen any responses is thus delayed by 1s after the last packet has been sent out.

To get an idea of how this works you can imagine it like this:

|last incoming packet|------ 120 seconds + x seconds ----|outgoing packet|----1 second ----|dns refresh|

However, this is another case where DNS refresh is triggered; in this case the same packet triggers the refresh period and the period where it was used in the last 10 seconds:

|last incoming packet|------ 111 seconds ----|outgoing packet|---- 9 seconds ----|dns refresh|

The unit tests should also make clear when we want to trigger DNS refresh and when we don't.

---------
Co-authored-by: Thomas Eizinger <thomas@eizinger.io>
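To make the timing rules in the commit message concrete, here is an added Rust model of the refresh decision. It is example code written for this page, not connlib's implementation: the `Translation` type, its method names, the `simulate` replay helper and the whole-second timeline are assumptions, and what happens after a refresh (this example restarts the idle window so one outgoing packet cannot trigger repeated refreshes) is a guess the message does not spell out. The three constants are the values quoted in the message.

```rust
use std::time::Duration;

/// Timing constants quoted in the commit message.
pub const IDLE_INCOMING: Duration = Duration::from_secs(120);
pub const RECENT_OUTGOING: Duration = Duration::from_secs(10);
pub const RESPONSE_GRACE: Duration = Duration::from_secs(1);

/// One NAT translation for a DNS resource. Times are offsets from an
/// arbitrary monotonic epoch; `Duration` instead of `Instant` keeps the
/// example deterministic (an assumption for this illustration).
#[derive(Debug, Clone)]
pub struct Translation {
    /// Last inbound packet, or the creation time if nothing came back yet.
    last_incoming: Duration,
    /// Last outbound packet sent through this mapping.
    last_outgoing: Option<Duration>,
    /// A refresh is still owed because the mapping was just created.
    first_use: bool,
}

impl Translation {
    /// "We translate a packet for the first time": the mapping is created
    /// by an outgoing packet and owes an immediate refresh.
    pub fn new(now: Duration) -> Self {
        Translation { last_incoming: now, last_outgoing: Some(now), first_use: true }
    }

    pub fn on_outgoing(&mut self, now: Duration) {
        self.last_outgoing = Some(now);
    }

    /// A response proves the NAT session is alive: restart the idle window,
    /// which cancels a refresh that was only waiting out the 1 s grace.
    pub fn on_incoming(&mut self, now: Duration) {
        self.last_incoming = now;
    }

    /// Earliest time a refresh fires if no further packet arrives, or
    /// `None` when nothing is scheduled.
    pub fn refresh_due_at(&self) -> Option<Duration> {
        if self.first_use {
            return Some(self.last_incoming);
        }
        let out = self.last_outgoing?;
        // Rule: 120 s without an incoming packet.
        let idle_deadline = self.last_incoming + IDLE_INCOMING;
        // Grace: TCP/ICMP are assumed to answer within 1 s, so wait that
        // long after the last outgoing packet before refreshing.
        let grace_deadline = out + RESPONSE_GRACE;
        let due = idle_deadline.max(grace_deadline);
        // Rule: the outgoing packet must still be within the last 10 s at
        // the moment the refresh would fire; otherwise the mapping is idle.
        if due <= out + RECENT_OUTGOING { Some(due) } else { None }
    }

    pub fn should_refresh(&self, now: Duration) -> bool {
        self.refresh_due_at().map_or(false, |due| now >= due)
    }

    /// Called once the DNS refresh has been issued. Assumption of this
    /// example: restarting the idle window stops the same outgoing packet
    /// from triggering a second refresh.
    pub fn mark_refreshed(&mut self, now: Duration) {
        self.first_use = false;
        self.last_incoming = now;
    }
}

/// Packet events on a constructed timeline, in whole seconds.
#[derive(Debug, Clone, Copy)]
pub enum Event { Outgoing(u64), Incoming(u64) }

/// Replay a timeline, polling once per second like a timer tick, and
/// return the seconds at which a refresh fires.
pub fn simulate(created: u64, events: &[Event], until: u64) -> Vec<u64> {
    let mut t = Translation::new(Duration::from_secs(created));
    let mut fired = Vec::new();
    for sec in created..=until {
        let now = Duration::from_secs(sec);
        for ev in events {
            match *ev {
                Event::Outgoing(s) if s == sec => t.on_outgoing(now),
                Event::Incoming(s) if s == sec => t.on_incoming(now),
                _ => {}
            }
        }
        if t.should_refresh(now) {
            fired.push(sec);
            t.mark_refreshed(now);
        }
    }
    fired
}

fn main() {
    // First diagram: outgoing at 120 + 5 s, refresh 1 s later.
    println!("{:?}", simulate(0, &[Event::Outgoing(125)], 200));
    // Second diagram: outgoing at 111 s, refresh when the 120 s expire.
    println!("{:?}", simulate(0, &[Event::Outgoing(111)], 200));
    // A response inside the grace window cancels the refresh.
    println!("{:?}", simulate(0, &[Event::Outgoing(125), Event::Incoming(125)], 200));
    // An outgoing packet older than 10 s when the idle window expires: no refresh.
    println!("{:?}", simulate(0, &[Event::Outgoing(50)], 200));
}
```

In each replay the refresh at second 0 is the first-translation refresh. The first call reproduces the "120 seconds + x seconds, then 1 second" diagram (refresh at 126), the second the "111 seconds, then 9 seconds" diagram (refresh at 120); the third shows a response arriving during the 1 s grace window cancelling the pending refresh, and the fourth an outgoing packet that is no longer within the last 10 s when the idle window expires, which never triggers one.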
Connlib
Firezone's connectivity library shared by all clients.
Building Connlib
You shouldn't need to build connlib directly; it's typically built as a dependency of one of the other Firezone components. See READMEs in those directories for relevant instructions.