JackDoan
f8b09a295d
ReadBatch is named Read now
2026-04-20 12:50:43 -05:00
JackDoan
f4907b6634
stuff
2026-04-20 11:57:48 -05:00
JackDoan
f34e8fe0e6
potential for bug
2026-04-20 11:09:29 -05:00
JackDoan
0f27b81f19
robot say this faster
2026-04-17 16:12:33 -05:00
JackDoan
dc581359dd
stupid checksum
2026-04-17 15:51:37 -05:00
JackDoan
60e556866a
holy crap 2x
2026-04-17 15:33:46 -05:00
JackDoan
1fd24a19c7
holy crap 2x
2026-04-17 14:56:18 -05:00
JackDoan
f60cbfdc71
pretty spicy
2026-04-17 14:00:18 -05:00
JackDoan
1dc30df88b
silly
2026-04-17 13:35:00 -05:00
JackDoan
a13afb2cf8
drain reads before batching
2026-04-17 12:56:20 -05:00
JackDoan
4a2134775d
checkpt
2026-04-17 12:27:50 -05:00
JackDoan
bd0a63a545
checkpt
2026-04-17 11:39:51 -05:00
JackDoan
f8f63c470a
checkpt
2026-04-17 11:39:46 -05:00
JackDoan
c05fa793a6
ReadBatch
2026-04-17 11:05:34 -05:00
JackDoan
5241bf6d16
no allocs
2026-04-17 10:29:46 -05:00
JackDoan
9d59cba7e1
first try
2026-04-17 10:25:05 -05:00
JackDoan
ba8da0e86c
fancy blocking writes
2026-04-16 13:43:13 -05:00
JackDoan
6b2e6d9f55
wait for goroutines to finish and for tun to actually be closed
2026-04-16 13:19:25 -05:00
JackDoan
183c1e3cfd
remove yellow squiggles
2026-04-16 12:28:49 -05:00
JackDoan
4a91f0b8d5
nbio for tun
2026-04-16 12:28:48 -05:00
JackDoan
e448eb1a8c
bugz
2026-04-16 12:28:30 -05:00
JackDoan
9dfa2a484c
bugz
2026-04-16 12:28:30 -05:00
Nate Brown
1cb5f9a00d
Remove more os.Exit calls and give a more reliable wait for stop function
2026-04-16 12:28:28 -05:00
JackDoan
2a0fd0be1d
checkpt
2026-04-16 12:26:35 -05:00
JackDoan
b644131fd7
remove yellow squiggles
2026-04-15 17:54:21 -05:00
JackDoan
9ac45a06cf
tun_linux.go: stdlib too slow, but can't use blocking IO and clean shutdown
2026-04-15 17:45:50 -05:00
dependabot[bot]
72c04b90bd
Bump golang.zx2c4.com/wireguard/windows in the zx2c4-dependencies group (#1652)
Bumps the zx2c4-dependencies group with 1 update: golang.zx2c4.com/wireguard/windows.
Updates `golang.zx2c4.com/wireguard/windows` from 0.5.3 to 0.6.1
---
updated-dependencies:
- dependency-name: golang.zx2c4.com/wireguard/windows
dependency-version: 0.6.1
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: zx2c4-dependencies
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-15 13:27:14 -05:00
dependabot[bot]
36ab1dbb97
Bump the golang-x-dependencies group across 1 directory with 5 updates (#1629)
Bumps the golang-x-dependencies group with 3 updates in the / directory: [golang.org/x/crypto](https://github.com/golang/crypto), [golang.org/x/net](https://github.com/golang/net) and [golang.org/x/sync](https://github.com/golang/sync).
Updates `golang.org/x/crypto` from 0.47.0 to 0.48.0
- [Commits](https://github.com/golang/crypto/compare/v0.47.0...v0.48.0)
Updates `golang.org/x/net` from 0.49.0 to 0.51.0
- [Commits](https://github.com/golang/net/compare/v0.49.0...v0.51.0)
Updates `golang.org/x/sync` from 0.19.0 to 0.20.0
- [Commits](https://github.com/golang/sync/compare/v0.19.0...v0.20.0)
Updates `golang.org/x/sys` from 0.40.0 to 0.41.0
- [Commits](https://github.com/golang/sys/compare/v0.40.0...v0.41.0)
Updates `golang.org/x/term` from 0.39.0 to 0.40.0
- [Commits](https://github.com/golang/term/compare/v0.39.0...v0.40.0)
---
updated-dependencies:
- dependency-name: golang.org/x/crypto
dependency-version: 0.48.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: golang-x-dependencies
- dependency-name: golang.org/x/net
dependency-version: 0.51.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: golang-x-dependencies
- dependency-name: golang.org/x/sync
dependency-version: 0.20.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: golang-x-dependencies
- dependency-name: golang.org/x/sys
dependency-version: 0.41.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: golang-x-dependencies
- dependency-name: golang.org/x/term
dependency-version: 0.40.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: golang-x-dependencies
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-15 13:02:29 -05:00
dependabot[bot]
f77fe74192
Bump github.com/miekg/pkcs11 (#1586)
Bumps [github.com/miekg/pkcs11](https://github.com/miekg/pkcs11) from 1.1.2-0.20231115102856-9078ad6b9d4b to 1.1.2.
- [Changelog](https://github.com/miekg/pkcs11/blob/master/release.go)
- [Commits](https://github.com/miekg/pkcs11/commits/v1.1.2)
---
updated-dependencies:
- dependency-name: github.com/miekg/pkcs11
dependency-version: 1.1.2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-15 12:27:19 -05:00
dependabot[bot]
24c9c704a0
Bump github.com/miekg/dns from 1.1.70 to 1.1.72 (#1587)
Bumps [github.com/miekg/dns](https://github.com/miekg/dns) from 1.1.70 to 1.1.72.
- [Commits](https://github.com/miekg/dns/compare/v1.1.70...v1.1.72)
---
updated-dependencies:
- dependency-name: github.com/miekg/dns
dependency-version: 1.1.72
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-15 11:54:47 -05:00
Nate Brown
a5e81efe7b
Try rsync from somewhere else (#1655)
2026-04-15 09:23:33 -05:00
Jack Doan
b3194236aa
udp_linux: wrap socket operations with syscall.RawConn for clean teardown (#1654)
remove runtime.LockOSThread() because it makes things worse now
remove the "custom" Write() method from tun_linux.go, the stdlib path via os.File performs better
We should change our guidance around number of routines, ~2 per thread (that you wish to use for Nebula) seems to be about right now
2026-04-14 18:25:24 -05:00
Nate Brown
3fae693c42
Additional e2e tests to assert current handshake behavior (#1653)
2026-04-14 13:32:01 -05:00
John Maguire
0ad5c771e9
Refactor CA pool handling to use streaming (#1644)
Co-authored-by: maggie44 <64841595+maggie44@users.noreply.github.com>
Co-authored-by: JackDoan <me@jackdoan.com>
2026-04-13 13:19:55 -04:00
Jay R. Wren
6727113b2b
gh workflow release: protect from ref_name attack (#1650)
It is not likely, but better to be safe.
2026-04-06 12:24:28 -04:00
Jay R. Wren
f8587956ba
add sshd.sandbox_dir config option (#1622)
* add sshd.sandbox_dir config option
Sanitize SSH profile paths (ssh.go:514,683,719) — restrict os.Create(a[0]) to a safe directory.
Add a config option in the config file to specify the sandbox directory. For backwards compatibility, if the config is not specified, keep the current behavior.
* update default and example
* use os.TempDir() for sshd.sandbox_dir default
* split sandbox path validation into separate conditionals
Separate the combined && check in sshSanitizeFilePath into two distinct
conditionals with specific error messages: one for paths resolving to the
sandbox directory itself, and one for paths outside the sandbox.
Co-Authored-By: Claude <svc-devxp-claude@slack-corp.com>
* fix: trim leading zeros from p256 signature swap result
bigmod.Nat.Bytes() returns fixed-size 32-byte slices, but ASN.1 INTEGER
parsing strips leading zeros. This caused a flaky test failure (~1/256
chance) when the S value's high byte was zero.
Co-Authored-By: Claude <svc-devxp-claude@slack-corp.com>
---------
Co-authored-by: Claude <svc-devxp-claude@slack-corp.com>
2026-04-03 09:37:18 -04:00
John Maguire
951d368faf
Add a small link to DN Managed Nebula (#1641)
* Add a small link to DN Managed Nebula
Also link the mobile source code
2026-03-30 16:20:21 -04:00
Jack Doan
91d1f4675a
properly handle closetunnel packets (#1638)
2026-03-25 11:59:37 -05:00
John Maguire
9f1aef53fa
Fix dissector logic (#1626)
* Fix typo in Wireshark dissector
* Fix wireshark dissector prefs_changed logic
The previous logic had several issues:
- Changing only the port number (without toggling all_ports) would
not re-register the dissector on the new port.
- Turning all_ports off would remove all registrations but only
re-add the specific port inside a branch that also required
all_ports to have changed, and never updated default_settings.port.
Simplify to: remove all registrations, then register based on current
prefs, then update the cached state.
2026-03-23 11:15:40 -04:00
Jay R. Wren
1aa1a0476f
#ECCN:Open Source in CODEOWNERS (#1632)
Salesforce is requesting this in all opensource repositories
2026-03-16 17:07:40 -04:00
Jay R. Wren
7760ccefba
fix logging copy pasta (#1621)
2026-03-06 14:03:32 -05:00
Jack Doan
51308b845b
connection-track ICMP traffic (#1602)
* connection-track ICMP and ICMPv6 traffic
* icmpv6 only has identifier on echo
2026-02-18 23:19:37 -06:00
Wade Simmons
422fc2ad1e
go fix (#1608)
2026-02-17 11:42:14 -05:00
Wade Simmons
e8bb874e14
smoke-extra: try AMD-V workaround (#1610)
* smoke-extra: try AMD-V workaround
- https://github.com/slackhq/nebula/actions/runs/21995850645/job/63555492676?pr=1602
- https://github.com/actions/runner-images/issues/13202
- https://github.com/cri-o/packaging/pull/306/changes
2026-02-13 12:55:19 -06:00
Jack Doan
353ad1f271
firewall: icmp no longer requires a port spec (#1609)
2026-02-13 11:10:40 -06:00
Jack Doan
f573e8a266
Merge commit from fork
Newly signed P256 based certificates will have their signature clamped to the low-s form.
Update CHANGELOG.md
v1.10.3
2026-02-06 14:26:51 -05:00
Jack Doan
42bee7cf17
Report if Nebula start fails because of tun device name (#1588)
* specifically report if nebula start fails because of tun device name
* close all routines when closing the tun
2026-01-28 10:03:36 -06:00
Caleb Jasik
02d8bcac68
Remove lighthouse goroutine leaks in lighthouse_test.go (#1589)
Using <https://go.dev/doc/go1.26#goroutineleak-profiles> + Claude, I was able to run nebula's unit tests and e2e tests with the leak detector enabled.
Added a TestMain that queries pprof to see if there are any reported goroutine leaks.
I'd love to get some form of this in CI whenever go 1.26 comes out, though I'd also like to prove this is properly useful past the just five detections it got here.
<details>
<summary>TestMain</summary>
```go
package nebula

import (
	"fmt"
	"os"
	"runtime/pprof"
	"strings"
	"testing"
)

// TestMain runs after all tests and checks for goroutine leaks
func TestMain(m *testing.M) {
	// Run all tests
	exitCode := m.Run()

	// Check for goroutine leaks after all tests complete
	prof := pprof.Lookup("goroutineleak")
	if prof != nil {
		var sb strings.Builder
		if err := prof.WriteTo(&sb, 2); err != nil {
			fmt.Fprintf(os.Stderr, "Failed to write goroutineleak profile: %v\n", err)
			os.Exit(1)
		}
		content := sb.String()
		leakedCount := strings.Count(content, "(leaked)")
		if leakedCount > 0 {
			fmt.Fprintf(os.Stderr, "\n=== GOROUTINE LEAK DETECTED ===\n")
			fmt.Fprintf(os.Stderr, "Found %d leaked goroutine(s) in package nebula\n\n", leakedCount)
			goros := strings.Split(content, "\n\n")
			for _, goro := range goros {
				if strings.Contains(goro, "(leaked)") {
					fmt.Fprintln(os.Stderr, goro)
					fmt.Fprintln(os.Stderr)
				}
			}
			os.Exit(1)
		} else {
			fmt.Println("✓ No goroutine leaks detected in package nebula")
		}
	}
	os.Exit(exitCode)
}
```
</details>
Also had to install go1.26rc2 and update the makefile to use that go binary + set ex:
```makefile
test-goroutineleak:
	GOEXPERIMENT=goroutineleakprofile go1.26rc2 test -v ./...
```
2026-01-27 23:44:43 -06:00
Wade Simmons
0b02d982b2
v1.10.2 (#1584)
Update CHANGELOG for Nebula v1.10.2
v1.10.2
2026-01-21 12:42:34 -05:00
Wade Simmons
e1e92f017c
initialize routesFromSystem (#1580)
This is a regression introduced by #1573. We need to initialize this
map.
Fixes: #1579
2026-01-20 11:15:20 -05:00