mirror of https://github.com/outbackdingo/firezone.git synced 2026-01-27 18:18:55 +00:00

Files

Thomas Eizinger ea9796e346 feat(gateway): apply filter engine to inbound packets (#7702 )

The Gateway keeps some state for each client connection. Part of this
state are filters which can be controlled via the Firezone portal. Even
if no filters are set in the portal, the Gateway uses this data
structure to ensure only packets to allowed resources are forwarded. If
a resource is not allowed, its IP won't exist in the `IpNetworkTable` of
filters and thus won't be allowed.

When a Client disconnects, the Gateway cleans up this data structure and
thus all filters etc are gone. As soon as a Client reconnects, default
filters are installed (which don't allow anything) under the same IP
(the portal always assigns the same IP to Clients).

These filters are only applied on _outbound_ traffic (i.e. from the
Client towards Resources). As a result, packets arriving from Resources
to a Client will still be routed back, causing "Source not allowed"
errors on the client (which has lost all of its state when restarting).

To fix this, we apply the Gateway's filters also on the reverse path of
packets from Resources to Clients.

Resolves: #5568
Resolves: #7521
Resolves: #6091

2025-02-21 05:59:36 +00:00

.cargo

docs(connlib): add profiling instructions (#6643 )

2024-09-10 14:00:00 +00:00

bin-shared

test(windows): reduce expected BPS of WinTUN benchmark (#8171 )

2025-02-18 03:34:14 +00:00

connlib

feat(gateway): apply filter engine to inbound packets (#7702 )

2025-02-21 05:59:36 +00:00

dns-over-tcp

refactor(rust): stringify errors early (#8033 )

2025-02-06 14:18:35 +00:00

gateway

fix(phoenix-channel): report connection hiccups to upper layer (#8203 )

2025-02-20 00:54:43 +00:00

gui-client

fix(gui-client): use "Firezone" as the application name on Linux (#8223 )

2025-02-21 05:26:34 +00:00

headless-client

chore(gui-client): release v1.4.6 (#8211 )

2025-02-20 04:25:38 +00:00

ip-packet

fix(connlib): use a buffer pool for the GSO queue (#7749 )

2025-01-13 19:24:52 +00:00

logging

fix(rust): only use ANSI colors if the output supports it (#8070 )

2025-02-10 04:39:18 +00:00

phoenix-channel

feat(phoenix-channel): don't try to detect missing heartbeats (#8220 )

2025-02-21 05:42:49 +00:00

relay

fix(phoenix-channel): report connection hiccups to upper layer (#8203 )

2025-02-20 00:54:43 +00:00

socket-factory

refactor(rust): stringify errors early (#8033 )

2025-02-06 14:18:35 +00:00

telemetry

fix(gui-client): update telemetry context on new session (#8152 )

2025-02-17 03:29:08 +00:00

tests

chore(rust): share edition key via workspace table (#7451 )

2024-12-03 00:28:06 +00:00

tun

fix(connlib): split TUN send & recv into separate threads (#8117 )

2025-02-14 05:32:51 +00:00

.dockerignore

refactor(portal): Don't pin session token to user_agent or remote_ip (#2195 )

2023-09-30 07:40:57 -07:00

.gitignore

Implement basic STUN server (#1603 )

2023-05-10 07:58:32 -07:00

Cargo.lock

chore(gui-client): release v1.4.6 (#8211 )

2025-02-20 04:25:38 +00:00

Cargo.toml

refactor(gui-client): de-duplicate logging of IPC message errors (#8157 )

2025-02-17 14:21:52 +00:00

clippy.toml

fix(gui-client): initialise sentry-tracing for IPC service (#7363 )

2024-11-18 22:40:01 +00:00

Cross.toml

build(rust): configure cargo cross to passthrough GITHUB_SHA (#7410 )

2024-11-28 22:58:59 +00:00

deny.toml

build(deps): Bump tauri from 2.2.3 to 2.2.5 in /rust in the tauri group (#7877 )

2025-01-29 21:49:17 +00:00

docker-compose-dev.yml

chore(docker): local dev docker-compose (#4748 )

2024-05-06 23:43:00 +00:00

docker-init-gateway.sh

fix(gateway): always masquerade for docker-deployed gateways (#6169 )

2024-08-07 03:00:50 +00:00

docker-init-relay.sh

feat(relay): add ec2 metadata discovery (#6617 )

2024-09-12 12:28:55 -06:00

docker-init.sh

fix(gateway): always masquerade for docker-deployed gateways (#6169 )

2024-08-07 03:00:50 +00:00

Dockerfile

build(deps): Bump tauri from 2.2.3 to 2.2.5 in /rust in the tauri group (#7877 )

2025-01-29 21:49:17 +00:00

Dockerfile-rpm

chore(ci): build RPM package (#7190 )

2024-11-01 18:06:09 +00:00

README.md

docs(rust): fix profiling command (#7547 )

2024-12-18 13:01:23 +00:00

rust-toolchain.toml

chore: bump Rust to 1.84 (#7719 )

2025-01-12 17:32:48 +00:00

README.md

Rust development guide

Firezone uses Rust for all data plane components. This directory contains the Linux and Windows clients, and low-level networking implementations related to STUN/TURN.

We target the last stable release of Rust using rust-toolchain.toml. If you are using rustup, that is automatically handled for you. Otherwise, ensure you have the latest stable version of Rust installed.

Reading Client logs

The Client logs are written as JSONL for machine-readability.

To make them more human-friendly, pipe them through jq like this:

cd path/to/logs  # e.g. `$HOME/.cache/dev.firezone.client/data/logs` on Linux
cat *.log | jq -r '"\(.time) \(.severity) \(.message)"'

Resulting in, e.g.

2024-04-01T18:25:47.237661392Z INFO started log
2024-04-01T18:25:47.238193266Z INFO GIT_VERSION = 1.0.0-pre.11-35-gcc0d43531
2024-04-01T18:25:48.295243016Z INFO No token / actor_name on disk, starting in signed-out state
2024-04-01T18:25:48.295360641Z INFO null

Benchmarking on Linux

The recommended way for benchmarking any of the Rust components is Linux' perf utility. For example, to attach to a running application, do:

Ensure the binary you are profiling is compiled with the release profile.
sudo perf record -g --freq 10000 --pid $(pgrep <your-binary>).
Run the speed test or whatever load-inducing task you want to measure.
sudo perf script > profile.perf
Open profiler.firefox.com and load profile.perf

Instead of attaching to a process with --pid, you can also specify the path to executable directly. That is useful if you want to capture perf data for a test or a micro-benchmark.