mirror of https://github.com/outbackdingo/firezone.git synced 2026-01-27 18:18:55 +00:00

Files

Thomas Eizinger 9cce4fd637 fix(gateway): don't route packets from expired NAT sessions (#8124 )

When we receive an inbound packet from the TUN device on the Gateway, we
make a lookup in the NAT table to see if it needs to be translated back
to a DNS proxy IP.

At present, non-existence of such a NAT entry results in the packet
being sent entirely unmodified because that is what needs to happen for
CIDR resources. Whilst that is important, the same code path is
currently being executed for DNS resources whose NAT session expired!
Those packets should be dropped instead which is what we do with this
PR.

To differentiate between not having a NAT session at all or whether a
previous one existed but is expired now, we keep around all previous
"outside" tuples of NAT sessions around. Those are only very small in
their memory-footprint. The entire NAT table is scoped to a connection
to the given peer and will thus eventually freed once the peer
disconnects. This allows us to reliably and cheaply detect, whether a
packet is using an expired NAT session. This check must be cheap because
all traffic of CIDR resources and the Internet resource needs to perform
this check such that we know that they don't have to be translated.

This might be the source of some of the "Source not allowed" errors we
have been seeing in client logs.

2025-02-14 08:21:23 +00:00

.cargo

docs(connlib): add profiling instructions (#6643 )

2024-09-10 14:00:00 +00:00

bin-shared

fix(connlib): split TUN send & recv into separate threads (#8117 )

2025-02-14 05:32:51 +00:00

connlib

fix(gateway): don't route packets from expired NAT sessions (#8124 )

2025-02-14 08:21:23 +00:00

dns-over-tcp

refactor(rust): stringify errors early (#8033 )

2025-02-06 14:18:35 +00:00

gateway

ci: Release Gateway 1.4.4 (#8096 )

2025-02-11 07:22:27 -08:00

gui-client

ci: Bump GUI clients to 1.4.5 (#8113 )

2025-02-12 20:56:27 +00:00

headless-client

fix(connlib): run all callbacks on a separate thread (#8126 )

2025-02-14 06:54:35 +00:00

ip-packet

fix(connlib): use a buffer pool for the GSO queue (#7749 )

2025-01-13 19:24:52 +00:00

logging

fix(rust): only use ANSI colors if the output supports it (#8070 )

2025-02-10 04:39:18 +00:00

phoenix-channel

chore(phoenix-channel): log the portal's IP address on connect (#8088 )

2025-02-11 07:11:08 +00:00

relay

feat(relay): add SOFTWARE attribute (#8076 )

2025-02-11 03:34:38 +00:00

socket-factory

refactor(rust): stringify errors early (#8033 )

2025-02-06 14:18:35 +00:00

telemetry

fix(telemetry): always clear previous Sentry session (#8075 )

2025-02-11 00:54:35 +00:00

tests

chore(rust): share edition key via workspace table (#7451 )

2024-12-03 00:28:06 +00:00

tun

fix(connlib): split TUN send & recv into separate threads (#8117 )

2025-02-14 05:32:51 +00:00

.dockerignore

refactor(portal): Don't pin session token to user_agent or remote_ip (#2195 )

2023-09-30 07:40:57 -07:00

.gitignore

Implement basic STUN server (#1603 )

2023-05-10 07:58:32 -07:00

Cargo.lock

fix(connlib): run all callbacks on a separate thread (#8126 )

2025-02-14 06:54:35 +00:00

Cargo.toml

fix(connlib): run all callbacks on a separate thread (#8126 )

2025-02-14 06:54:35 +00:00

clippy.toml

fix(gui-client): initialise sentry-tracing for IPC service (#7363 )

2024-11-18 22:40:01 +00:00

Cross.toml

build(rust): configure cargo cross to passthrough GITHUB_SHA (#7410 )

2024-11-28 22:58:59 +00:00

deny.toml

build(deps): Bump tauri from 2.2.3 to 2.2.5 in /rust in the tauri group (#7877 )

2025-01-29 21:49:17 +00:00

docker-compose-dev.yml

chore(docker): local dev docker-compose (#4748 )

2024-05-06 23:43:00 +00:00

docker-init-gateway.sh

fix(gateway): always masquerade for docker-deployed gateways (#6169 )

2024-08-07 03:00:50 +00:00

docker-init-relay.sh

feat(relay): add ec2 metadata discovery (#6617 )

2024-09-12 12:28:55 -06:00

docker-init.sh

fix(gateway): always masquerade for docker-deployed gateways (#6169 )

2024-08-07 03:00:50 +00:00

Dockerfile

build(deps): Bump tauri from 2.2.3 to 2.2.5 in /rust in the tauri group (#7877 )

2025-01-29 21:49:17 +00:00

Dockerfile-rpm

chore(ci): build RPM package (#7190 )

2024-11-01 18:06:09 +00:00

README.md

docs(rust): fix profiling command (#7547 )

2024-12-18 13:01:23 +00:00

rust-toolchain.toml

chore: bump Rust to 1.84 (#7719 )

2025-01-12 17:32:48 +00:00

README.md

Rust development guide

Firezone uses Rust for all data plane components. This directory contains the Linux and Windows clients, and low-level networking implementations related to STUN/TURN.

We target the last stable release of Rust using rust-toolchain.toml. If you are using rustup, that is automatically handled for you. Otherwise, ensure you have the latest stable version of Rust installed.

Reading Client logs

The Client logs are written as JSONL for machine-readability.

To make them more human-friendly, pipe them through jq like this:

cd path/to/logs  # e.g. `$HOME/.cache/dev.firezone.client/data/logs` on Linux
cat *.log | jq -r '"\(.time) \(.severity) \(.message)"'

Resulting in, e.g.

2024-04-01T18:25:47.237661392Z INFO started log
2024-04-01T18:25:47.238193266Z INFO GIT_VERSION = 1.0.0-pre.11-35-gcc0d43531
2024-04-01T18:25:48.295243016Z INFO No token / actor_name on disk, starting in signed-out state
2024-04-01T18:25:48.295360641Z INFO null

Benchmarking on Linux

The recommended way for benchmarking any of the Rust components is Linux' perf utility. For example, to attach to a running application, do:

Ensure the binary you are profiling is compiled with the release profile.
sudo perf record -g --freq 10000 --pid $(pgrep <your-binary>).
Run the speed test or whatever load-inducing task you want to measure.
sudo perf script > profile.perf
Open profiler.firefox.com and load profile.perf

Instead of attaching to a process with --pid, you can also specify the path to executable directly. That is useful if you want to capture perf data for a test or a micro-benchmark.