In order to bind a channel to an IPv4 peer, the client must have
previously made an IPv4 allocation. The same applies to IPv6. The relay
will enforce this and reject the channel binding if that isn't the case
but we shouldn't rely on this in the client code. Instead, we should not
attempt to bind a channel if we haven't previously made an allocation
for that IP family.
We always try to make an allocation for both IPv4 and IPv6 but not every
relay may operate in a dual-socket mode. Thus, it may only return an
IPv4 or an IPv6 address.
Initially, I thought it could be useful to keep the connection around in
case we want to do an ICE restart. We don't do that (yet) so for now,
the safer option is to just clean up all the state and let the upper
layers deal with reestablishing it.
This should hopefully fix the repeated emitting of the
`ConnectionFailed` event.
The user is already passing us a mutable buffer so we might as well give
them a `MutableIpPacket` to allow them to further mutate it.
Extracted out of #3391.
Currently, we retry STUN bindings at a fixed interval if we don't
receive a response. This results in very noise logs if we attempt to
contact an IPv6 STUN server but don't have an IPv6 interface.
I had an idea that is quite a big deal. Instead of manually discovering
host candidates by iterating interfaces and adding all of them, we
automatically generate host candidates every time we receive traffic on
from a certain interface. Initially, you might think that this is a
catch-22: How do we generate traffic without having host candidates? The
answer is: relays!
When we initiate a new connection using `snownet`, we add a list of STUN
and TURN servers. We will immediately attempt to talk to both of them,
sending STUN bindings to the former and ALLOCATE requests to the latter.
As the replies come in, we know, which interface they have been received
on. That particular interface is an excellent `host` candidate because
we've already proven connectivity to a STUN or TURN server. In fact, for
hole-punching, we will need to send traffic via that same interface to
reach the gateway (otherwise the `srflx` candidate won't work anyway).
There is only one "edge"-case in which this doesn't work: When you want
to make a connection between a client and a gateway on the same subnet
yet without connectivity to a relay. At that point, I'd argue that your
network topology is broken anyway. If you can't talk to a relay, you
probably also cannot talk to the portal, meaning the signaling protocol
also doesn't work.
Bumps [time](https://github.com/time-rs/time) from 0.3.31 to 0.3.32.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/time-rs/time/releases">time's
releases</a>.</em></p>
<blockquote>
<h2>v0.3.32</h2>
<p>See the <a
href="https://github.com/time-rs/time/blob/main/CHANGELOG.md">changelog</a>
for details.</p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/time-rs/time/blob/main/CHANGELOG.md">time's
changelog</a>.</em></p>
<blockquote>
<h2>0.3.32 [2024-02-01]</h2>
<h3>Added</h3>
<ul>
<li>Methods to replace the day of the year.
<ul>
<li><code>Date::replace_ordinal</code></li>
<li><code>PrimitiveDateTime::replace_ordinal</code></li>
<li><code>OffsetDateTime::replace_ordinal</code></li>
</ul>
</li>
<li>Modules to treat an <code>OffsetDateTime</code> as a Unix timestamp
with subsecond precision for serde.
<ul>
<li><code>time::serde::timestamp::milliseconds</code></li>
<li><code>time::serde::timestamp::microseconds</code></li>
<li><code>time::serde::timestamp::nanoseconds</code></li>
</ul>
</li>
</ul>
<h3>Changed</h3>
<ul>
<li><code>Duration::time_fn</code> is deprecated.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="ff3255fbf0"><code>ff3255f</code></a>
v0.3.32 release</li>
<li><a
href="d3dd5c9542"><code>d3dd5c9</code></a>
Deprecate <code>Duration::time_fn</code></li>
<li><a
href="8a0dc706be"><code>8a0dc70</code></a>
Remove markdown files in favor of org-wide config</li>
<li><a
href="980878b1d1"><code>980878b</code></a>
Build docs using org-wide workflow, change audit</li>
<li><a
href="4baf6b3cdd"><code>4baf6b3</code></a>
Remove documentation of deprecated feature flag</li>
<li><a
href="be932d86ca"><code>be932d8</code></a>
Adds support to serialize and deserialize timestamps with different
resolutio...</li>
<li><a
href="bb397df38e"><code>bb397df</code></a>
Commit Cargo.lock</li>
<li><a
href="26b7c5f6bd"><code>26b7c5f</code></a>
Update alignment for <code>Parsed</code> in miri</li>
<li><a
href="6747ebe5f9"><code>6747ebe</code></a>
Update CI</li>
<li><a
href="589ff6be84"><code>589ff6b</code></a>
Update copyright year</li>
<li>Additional commits viewable in <a
href="https://github.com/time-rs/time/compare/v0.3.31...v0.3.32">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
The only semantic changes are:
- Add context to Windows errors
- Refactor some `bail!`'s that could be `context`'s
The rest is updating comments:
- Add `SAFETY: TODO` for unmarked unsafe blocks
- Elaborate on existing SAFETY comments
- Close completed TODOs
- Link in Github issues for open TODOs
- Mark invariants or inter-dependencies between files that aren't
captured by tests or types yet
---------
Signed-off-by: Reactor Scram <ReactorScram@users.noreply.github.com>
closes#3425
```[tasklist]
- [x] Switch to connlib-shared for BUNDLE_ID and stuff
- [x] Break out small things into other PRs if possible
- [x] Fix merge conflicts
```
---------
Signed-off-by: Reactor Scram <ReactorScram@users.noreply.github.com>
Co-authored-by: Gabi <gabrielalejandro7@gmail.com>
# Gateways
- [x] When Gateway Group is deleted all gateways should be disconnected
- [x] When Gateway Group is updated (eg. routing) broadcast to all
affected gateway to disconnect all the clients
- [x] When Gateway is deleted it should be disconnected
- [x] When Gateway Token is revoked all gateways that use it should be
disconnected
# Relays
- [x] When Relay Group is deleted all relays should be disconnected
- [x] When Relay is deleted it should be disconnected
- [x] When Relay Token is revoked all gateways that use it should be
disconnected
# Clients
- [x] Remove Delete Client button, show clients using the token on the
Actors page (#2669)
- [x] When client is deleted disconnect it
- [ ] ~When Gateway is offline broadcast to the Clients connected to it
it's status~
- [x] Persist `last_used_token_id` in Clients and show it in tokens UI
# Resources
- [x] When Resource is deleted it should be removed from all gateways
and clients
- [x] When Resource connection is removed it should be deleted from
removed gateway groups
- [x] When Resource is updated (eg. traffic filters) all it's
authorizations should removed
# Authentication
- [x] When Token is deleted related sessions are terminated
- [x] When an Actor is deleted or disabled it should be disconnected
from browser and client
- [x] When Identity is deleted it's sessions should be disconnected from
browser and client
- [x] ^ Ensure the same happens for identities during IdP sync
- [x] When IdP is disabled act like all actors for it are disabled?
- [x] When IdP is deleted act like all actors for it are deleted?
# Authorization
- [x] When Policy is created clients that gain access to a resource
should get an update
- [x] When Policy is deleted we need to all authorizations it's made
- [x] When Policy is disabled we need to all authorizations it's made
- [x] When Actor Group adds or removes a user, related policies should
be re-evaluated
- [x] ^ Ensure the same happens for identities during IdP sync
# Settings
- [x] Re-send init message to Client when DNS settings change
# Code
- [x] Crear way to see all available topics and messages, do not use
binary topics any more
---------
Co-authored-by: conectado <gabrielalejandro7@gmail.com>
Currently, we always try to allocate a channel when the user calls
`bind_channel`. This is a problem if we try to re-connect to a peer. The
channel binding will still be active so `bind_channel` needs to be a
no-op.
Resolves: #3475.
Currently, the `bound` flag is not considered when attempting to relay
data. This isn't actively harmful because the relay will drop them but
it causes warnings in the logs. This PR adds a check to make sure we
only try to relay data via channels that are bound. Additionally, we now
handle failed channel bind requests by clearing the local state.
Closes#3217. I just now noticed that one was assigned to me
The sorting is naive, just sorts the UTF-8 encoded bytes, so lowercase
resources come after all uppercase resources, and it's probably very
wrong for anything outside Latin-1 and English locale. If the names are
identical, resource ID tie-breaks.
It turns out that we need to do some post-processing of the
`Transmit.source` attribute from `str0m`. In its current state, `str0m`
may also set that to a server-reflexive address which is **not** a local
socket. There is a longer discussion around this here:
https://github.com/algesten/str0m/issues/453.
This depends on an unmerged PR in `str0m`:
https://github.com/algesten/str0m/pull/455.
`firezone-connection` was a working title that I never really quite
liked. Here is a proposal to rebrand it to `snownet`. That is a lot more
concise and derived from the fact that we are established a network of
connections using ICE.
Resolve the two TODOs mentioned in the code. As part of #3399, we
correctly are handling different combinations of available sockets and
requested addresses in the relay more gracefully. In particular, we
return whatever addresses we could allocate and only fail if we couldn't
allocate any at all.
The `Allocation` struct will extract whatever allocated addresses are
present in the response. Thus, it is safe for us to **always** request
both, an IPv4 and IPv6 address. A relay that only operates on one of
them will just return that one address.
Resolves: #3406.
We configure wireguard's keep-alive to 5 seconds and patch `boringtun`
to expose the time since the last packet, which will always be <
KEEP_ALIVE (5 seconds) if the connection is intact. The policy on what
to do on missed keep-alives is pushed to the upper layer. Instead of
acting on it, we simply expose a `stats` function that exposes the data.
An upper layer can then decide on what to do in the case on missed
keep-alives.
Resolves: #3372.
Traffic to and from the relay can happen over a socket that we are not
listening on. We should still accept this traffic and only bail out if
we would be passing it to one of the `IceAgent`s.
Adds a very basic connection timeout in case there is never a follow-up
with an `Answer`. This is mostly to prevent memory-leaks. I am also
hoping that we can add much more unit-tests in the same manner.
Test basic connectivity with the headless client after the portal API
restarts.
Based on top of #3364 to test that portal restarts don't cause a
cascading failure.
In case of symmetric NATs, `firezone-connection` needs to fallback to
using TURN to allow peers to communicate with each other. Usage of TURN
requires us to make an allocation on each TURN server and bind channels
for each socket that we expect the remote to send data from. Once set
up, `str0m`s ICE state machine will select a candidate pair for us which
in the case of symmetric NATs will be a pair of relay candidates.
Allocations and channels are what makes operating a TURN server
expensive. As a result, the spec requires those to be continuously
refreshed if they are still in use. `firezone-connection` handles this
in the `Allocation` state machine.
Last but not least, this PR also slightly changes the API to tell the
caller from which source socket it has to send the data. This is
important to make hole-punching work if we are listening on multiple
sockets.
This required making `allow_access` `async` which is ugly, but we can
fix it later like we did it with `set_peer_connection_request`, but
doing this ASAP otherwise this would block the `peers_by_ip` struct and
also block the executor a bunch of times and slow everything down.
Co-authored-by: Jamil <jamilbk@users.noreply.github.com>
Bumps [uuid](https://github.com/uuid-rs/uuid) from 1.6.1 to 1.7.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/uuid-rs/uuid/releases">uuid's
releases</a>.</em></p>
<blockquote>
<h2>1.7.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Add missing test for invalid parse_str by <a
href="https://github.com/CXWorks"><code>@CXWorks</code></a> in <a
href="https://redirect.github.com/uuid-rs/uuid/pull/723">uuid-rs/uuid#723</a></li>
<li>Upgrade borsh unstable dependency to v1.0 and make it stable by <a
href="https://github.com/bgeron"><code>@bgeron</code></a> in <a
href="https://redirect.github.com/uuid-rs/uuid/pull/724">uuid-rs/uuid#724</a></li>
<li>Reduce the package size of uuid by <a
href="https://github.com/KodrAus"><code>@KodrAus</code></a> in <a
href="https://redirect.github.com/uuid-rs/uuid/pull/726">uuid-rs/uuid#726</a></li>
<li>Make use of newer Cargo features for specifying dependencies by <a
href="https://github.com/KodrAus"><code>@KodrAus</code></a> in <a
href="https://redirect.github.com/uuid-rs/uuid/pull/727">uuid-rs/uuid#727</a></li>
<li>Prepare for 1.7.0 release by <a
href="https://github.com/KodrAus"><code>@KodrAus</code></a> in <a
href="https://redirect.github.com/uuid-rs/uuid/pull/728">uuid-rs/uuid#728</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/CXWorks"><code>@CXWorks</code></a> made
their first contribution in <a
href="https://redirect.github.com/uuid-rs/uuid/pull/723">uuid-rs/uuid#723</a></li>
<li><a href="https://github.com/bgeron"><code>@bgeron</code></a> made
their first contribution in <a
href="https://redirect.github.com/uuid-rs/uuid/pull/724">uuid-rs/uuid#724</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/uuid-rs/uuid/compare/1.6.1...1.7.0">https://github.com/uuid-rs/uuid/compare/1.6.1...1.7.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="cefc353334"><code>cefc353</code></a>
Merge pull request <a
href="https://redirect.github.com/uuid-rs/uuid/issues/728">#728</a> from
uuid-rs/cargo/1.7.0</li>
<li><a
href="3255b5414b"><code>3255b54</code></a>
prepare for 1.7.0 release</li>
<li><a
href="403bb17c1a"><code>403bb17</code></a>
Merge pull request <a
href="https://redirect.github.com/uuid-rs/uuid/issues/727">#727</a> from
uuid-rs/chore/cargo-cleanup</li>
<li><a
href="b7c6e26fea"><code>b7c6e26</code></a>
make use of newer Cargo features for specifying dependencies</li>
<li><a
href="ed13c73c7c"><code>ed13c73</code></a>
Merge pull request <a
href="https://redirect.github.com/uuid-rs/uuid/issues/726">#726</a> from
uuid-rs/chore/pkg-size</li>
<li><a
href="2e92a3d45f"><code>2e92a3d</code></a>
Merge pull request <a
href="https://redirect.github.com/uuid-rs/uuid/issues/724">#724</a> from
bgeron/borsh-1</li>
<li><a
href="38f01ffccf"><code>38f01ff</code></a>
rename workflow</li>
<li><a
href="eab4b85919"><code>eab4b85</code></a>
reduce the package size of uuid</li>
<li><a
href="421d752847"><code>421d752</code></a>
Make the borsh feature work by itself, without having to specify private
feat...</li>
<li><a
href="2534949aa3"><code>2534949</code></a>
Continue making feature borsh stable, as suggested by <a
href="https://github.com/KordAus"><code>@KordAus</code></a></li>
<li>Additional commits viewable in <a
href="https://github.com/uuid-rs/uuid/compare/1.6.1...1.7.0">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps
[async-compression](https://github.com/Nullus157/async-compression) from
0.4.5 to 0.4.6.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/Nullus157/async-compression/releases">async-compression's
releases</a>.</em></p>
<blockquote>
<h2>async-compression: v0.4.6</h2>
<ul>
<li>Flush available data in decoder even when there's no incoming
input.</li>
<li>Return errors instead of panicking in all encode and decode
operations.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/Nullus157/async-compression/blob/main/CHANGELOG.md">async-compression's
changelog</a>.</em></p>
<blockquote>
<h2>0.4.6</h2>
<ul>
<li>Flush available data in decoder even when there's no incoming
input.</li>
<li>Return errors instead of panicking in all encode and decode
operations.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="d913b2710c"><code>d913b27</code></a>
Merge pull request <a
href="https://redirect.github.com/Nullus157/async-compression/issues/257">#257</a>
from Nullus157/rel-046</li>
<li><a
href="ea4bb3cd22"><code>ea4bb3c</code></a>
Merge branch 'main' into rel-046</li>
<li><a
href="6e3996d821"><code>6e3996d</code></a>
Merge pull request <a
href="https://redirect.github.com/Nullus157/async-compression/issues/247">#247</a>
from Nullus157/fix-123</li>
<li><a
href="e323ad9c0c"><code>e323ad9</code></a>
chore: prepare release 0.4.6</li>
<li><a
href="db0d11f5f4"><code>db0d11f</code></a>
fix merge error</li>
<li><a
href="22ed0ac4ca"><code>22ed0ac</code></a>
flush data still available in the decoder when no input (<a
href="https://redirect.github.com/Nullus157/async-compression/issues/123">#123</a>)</li>
<li><a
href="7a57dfd374"><code>7a57dfd</code></a>
style: consistent use of io::Error* (<a
href="https://redirect.github.com/Nullus157/async-compression/issues/256">#256</a>)</li>
<li><a
href="5926e78444"><code>5926e78</code></a>
Merge pull request <a
href="https://redirect.github.com/Nullus157/async-compression/issues/255">#255</a>
from garypen/garypen/fewer-panics</li>
<li><a
href="3daaee7b7a"><code>3daaee7</code></a>
Add missing Use statements</li>
<li><a
href="cf7a1df61b"><code>cf7a1df</code></a>
Replacing panics with errors improves the usability of the crate</li>
<li>See full diff in <a
href="https://github.com/Nullus157/async-compression/compare/async-compression-v0.4.5...async-compression-v0.4.6">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [wintun](https://github.com/nulldotblack/wintun) from 0.3.2 to
0.4.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/nulldotblack/wintun/releases">wintun's
releases</a>.</em></p>
<blockquote>
<h2>v0.4.0</h2>
<h2>Added</h2>
<ul>
<li><code>Adapter::get_mtu</code>, <code>set_dns_servers</code>, and
<code>Adapter::get_active_network_interface_gateways</code>: <a
href="https://redirect.github.com/nulldotblack/wintun/pull/13">nulldotblack/wintun#13</a></li>
<li><code>Error::ShuttingDown</code>: <a
href="https://redirect.github.com/nulldotblack/wintun/pull/14">nulldotblack/wintun#14</a></li>
</ul>
<h3>Breaking Changes</h3>
<ul>
<li>Adding the <code>ShuttingDown</code> variant to
<code>wintun::Error</code> breaks exhastive matches on previous
versions. <code>wintun::Error</code> is now marked
<code>#[non_exhaustive]</code> to make future additions backwards
compatable</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/nulldotblack/wintun/blob/main/CHANGELOG.md">wintun's
changelog</a>.</em></p>
<blockquote>
<h2>[0.4.0] - 2024-01-12</h2>
<h2>Added</h2>
<ul>
<li><code>Adapter::get_mtu</code>, <code>set_dns_servers</code>, and
<code>Adapter::get_active_network_interface_gateways</code>: <a
href="https://redirect.github.com/nulldotblack/wintun/pull/13">nulldotblack/wintun#13</a></li>
<li><code>Error::ShuttingDown</code>: <a
href="https://redirect.github.com/nulldotblack/wintun/pull/14">nulldotblack/wintun#14</a></li>
</ul>
<h3>Breaking Changes</h3>
<ul>
<li>Adding the <code>ShuttingDown</code> variant to
<code>wintun::Error</code> breaks exhastive matches on previous
versions. <code>wintun::Error</code> is now marked
<code>#[non_exhaustive]</code> to make future additions backwards
compatable</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/nulldotblack/wintun/commits/v0.4.0">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Reactor Scram <ReactorScram@users.noreply.github.com>
Currently, `firezone-connection` can only handle connections on a LAN.
Via the use of a STUN server, we can discover our public IP and attempt
to direct, hole-punched connection across multiple subnets.
While working on #3288 I saw a few messages that we don't explicitly
handle from the portal.
This PR changes it so that we handle them correctly and we don't just
depend on coincidental behavior..
Some dns servers return NXDOMAIN for queries where the address exists
but there is no
answer for the given query type(e.g. AAAA-only records). This is not up
to spec and
musl PROPERLY assumes that means there is no record of any type. Saddly,
this happens even
with google DNS so we can expect it to happen everywhere. So we use
getaddrinfo to separate
requests for A and AAAA queries and preventing this.
Seems to work locally, though the exact situation where we have a record
that returns NXDOMAIN while it exists is easier to reproduce in staging,
we should test it after we merge.
Fixes#3215
With https://github.com/firezone/firezone/pull/3245, there is now a 2nd
place where we set the `remote_socket` field. Hence, for the log message
to be correct we need to compare whether the new socket actually differs
from the existing one.
Bumps [tokio-tungstenite](https://github.com/snapview/tokio-tungstenite)
from 0.20.1 to 0.21.0.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/snapview/tokio-tungstenite/blob/master/CHANGELOG.md">tokio-tungstenite's
changelog</a>.</em></p>
<blockquote>
<h1>0.21.0</h1>
<ul>
<li>Update TLS dependencies.</li>
<li>Update <code>tungstenite</code> to <code>0.21.0</code>.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="52e59dd732"><code>52e59dd</code></a>
Release version 0.21.0</li>
<li><a
href="7b2cf20a10"><code>7b2cf20</code></a>
Update <code>rustls</code> to 0.22 and <code>tokio-rustls</code> to
0.25</li>
<li><a
href="ecf7a7ebae"><code>ecf7a7e</code></a>
Update <code>webpki-roots</code> to 0.26</li>
<li>See full diff in <a
href="https://github.com/snapview/tokio-tungstenite/compare/v0.20.1...v0.21.0">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jamil <jamilbk@users.noreply.github.com>
It appears that sometimes, the dialer already considers the connection
as connected whilst the other party is still finishing the ICE
handshake. In that case, the dialer will start wireguard activity. Once
the tunnel is fully established, the dialer will then start to send data
which can lead to a `NotConnected` error in case the listener hasn't yet
finished the handshake and updated the state. This is only a local
inconsistency which we can fix by also updating the `remote_socket`
field based on activity on the wireguard tunnel.
For future debugging, we also raise the log level of `str0m` to see the
STUN messages that are being exchanged.
Fixes: #3178.
