Wade Simmons
5dd566e220
also support fips140v1.26
...
This will be inprocess soon
2026-04-30 15:21:58 -04:00
Wade Simmons
b79fdc272a
better default
2026-04-28 13:12:57 -04:00
Wade Simmons
d4d747f219
no longer need go1.26 with this fix
2026-04-28 13:12:22 -04:00
Wade Simmons
4ff9e97dce
Revert "need go1.26"
...
This reverts commit 65450f9d21
2026-04-28 13:12:10 -04:00
Wade Simmons
bdbd483063
Revert "bump linter to support go1.26"
...
This reverts commit 1403473e4b
2026-04-28 13:11:36 -04:00
Wade Simmons
1403473e4b
bump linter to support go1.26
2026-04-28 12:03:31 -04:00
Wade Simmons
ae58085032
cleanup, no GODEBUG needed
2026-04-28 11:58:43 -04:00
Wade Simmons
65450f9d21
need go1.26
2026-04-27 17:18:04 -04:00
Wade Simmons
f9532f4244
requires go1.26
2026-04-27 17:16:28 -04:00
Wade Simmons
fcfbec4710
log the fips140 mode and version
...
Requires go1.26 for fips140.Version()
2026-04-27 16:43:35 -04:00
Wade Simmons
e6eeb3709b
fix smoke tests
2026-04-27 16:27:58 -04:00
Wade Simmons
ef8b700474
fix mismerge
2026-04-27 16:24:34 -04:00
Wade Simmons
243cf4a7c5
Revert "cleanup"
...
This reverts commit 08ee2ab35f
2026-04-27 16:22:09 -04:00
Wade Simmons
08ee2ab35f
cleanup
2026-04-27 14:18:17 -04:00
Wade Simmons
2d5d86f24d
Merge remote-tracking branch 'origin/master' into fips140
2026-04-27 14:13:47 -04:00
Nate Brown
1ab1f71dba
Make stats a server we can reconfigure and start/stop ( #1670 )
gofmt / Run gofmt (push) Failing after 2s
smoke-extra / Run extra smoke tests (push) Failing after 2s
smoke / Run multi node smoke test (push) Failing after 3s
Build and test / Build all and test on ubuntu-linux (push) Failing after 2s
Build and test / Build and test on linux with boringcrypto (push) Failing after 3s
Build and test / Build and test on linux with pkcs11 (push) Failing after 2s
Build and test / Build and test on macos-latest (push) Has been cancelled
Build and test / Build and test on windows-latest (push) Has been cancelled
2026-04-27 12:25:24 -05:00
Nate Brown
d0f02ba873
Switch to slog, remove logrus ( #1672 )
2026-04-27 09:41:47 -05:00
Jack Doan
5f890dbc34
noise: only type-assert once ( #1691 )
gofmt / Run gofmt (push) Failing after 2s
smoke-extra / Run extra smoke tests (push) Failing after 2s
smoke / Run multi node smoke test (push) Failing after 3s
Build and test / Build all and test on ubuntu-linux (push) Failing after 2s
Build and test / Build and test on linux with boringcrypto (push) Failing after 3s
Build and test / Build and test on linux with pkcs11 (push) Failing after 2s
Build and test / Build and test on macos-latest (push) Has been cancelled
Build and test / Build and test on windows-latest (push) Has been cancelled
2026-04-24 13:12:42 -05:00
brad-defined
db85d61c23
SSH handshake in goroutine and defer close ( #1640 )
...
gofmt / Run gofmt (push) Failing after 2s
smoke-extra / Run extra smoke tests (push) Failing after 3s
smoke / Run multi node smoke test (push) Failing after 2s
Build and test / Build all and test on ubuntu-linux (push) Failing after 3s
Build and test / Build and test on linux with boringcrypto (push) Failing after 2s
Build and test / Build and test on linux with pkcs11 (push) Failing after 2s
Build and test / Build and test on macos-latest (push) Has been cancelled
Build and test / Build and test on windows-latest (push) Has been cancelled
* SSH handshake in goroutine and defer close
2026-04-23 14:53:52 -04:00
Nate Brown
db9218b0be
Another shot at the flakey smoke test ( #1688 )
2026-04-23 13:51:15 -05:00
Nate Brown
5f00ab4b74
Fix e2e tests writing after the tester tun is closed causing a panic ( #1681 )
gofmt / Run gofmt (push) Failing after 3s
smoke-extra / Run extra smoke tests (push) Failing after 3s
smoke / Run multi node smoke test (push) Failing after 3s
Build and test / Build all and test on ubuntu-linux (push) Failing after 2s
Build and test / Build and test on linux with boringcrypto (push) Failing after 3s
Build and test / Build and test on linux with pkcs11 (push) Failing after 2s
Build and test / Build and test on macos-latest (push) Has been cancelled
Build and test / Build and test on windows-latest (push) Has been cancelled
2026-04-22 17:18:06 -05:00
Guy Nesher
2a1cc62001
fix: guard QueryCert against panic on short/empty QNAME ( #1635 )
...
* fix: guard QueryCert against panic on short/empty QNAME
QueryCert slices data[:len(data)-1] to strip a trailing dot, which
panics when data is empty (slice bounds [:-1]). Add a length check
to return early for inputs shorter than a minimal valid "x." form.
While miekg/dns currently rejects wire-format packets that would
produce an empty QNAME, the Nebula code should not rely on library
behavior for crash safety.
Made-with: Cursor
* fix merge conflicts
---------
Co-authored-by: JackDoan <me@jackdoan.com >
2026-04-22 12:42:14 -05:00
John Maguire
e753e6e93c
Immediate Lighthouse update after reconfig/reconnect ( #1645 )
gofmt / Run gofmt (push) Failing after 3s
smoke-extra / Run extra smoke tests (push) Failing after 3s
smoke / Run multi node smoke test (push) Failing after 2s
Build and test / Build all and test on ubuntu-linux (push) Failing after 3s
Build and test / Build and test on linux with boringcrypto (push) Failing after 3s
Build and test / Build and test on linux with pkcs11 (push) Failing after 2s
Build and test / Build and test on macos-latest (push) Has been cancelled
Build and test / Build and test on windows-latest (push) Has been cancelled
2026-04-21 16:33:32 -04:00
John Maguire
32a7c04498
Return NODATA instead of NXDOMAIN for missing record types ( #1668 )
...
The DNS responder was setting RCODE=NXDOMAIN (Name Error) any time the
answer section was empty, including for names that exist in the
lighthouse but lack a record of the requested type (e.g. an AAAA query
for a v4-only host). Per RFC 2308 §2.1, NXDOMAIN means "the domain
referred to by the QNAME does not exist", and per RFC 2308 §2.2 a name
that exists with no record of the requested type must be answered with
RCODE=NOERROR and an empty answer section (NODATA).
The practical fallout: busybox ping in Alpine issues AAAA first, treats
NXDOMAIN as a hard failure, and never falls through to A. Returning
NODATA lets the resolver continue to the A query as it should.
Track whether any queried A/AAAA name is known in either map and only
set RcodeNameError when no queried name exists at all.
2026-04-21 16:32:48 -04:00
Nate Brown
8c50fc3f60
Plug the conntrack cache ticker leak and nebula-service log.Fatal calls ( #1669 )
2026-04-21 13:19:54 -05:00
Nate Brown
2f4532f102
No more dns globals, proper cleanup on shutdown ( #1667 )
2026-04-21 12:41:10 -05:00
Nate Brown
8c71f2f3f9
FreeBSD tun needs to be non blocking as well ( #1666 )
2026-04-21 10:45:46 -05:00
Nate Brown
3d34cc9b74
Try to make smoke less flakey ( #1663 )
gofmt / Run gofmt (push) Failing after 3s
smoke-extra / Run extra smoke tests (push) Failing after 2s
smoke / Run multi node smoke test (push) Failing after 3s
Build and test / Build all and test on ubuntu-linux (push) Failing after 3s
Build and test / Build and test on linux with boringcrypto (push) Failing after 2s
Build and test / Build and test on linux with pkcs11 (push) Failing after 3s
Build and test / Build and test on macos-latest (push) Has been cancelled
Build and test / Build and test on windows-latest (push) Has been cancelled
2026-04-20 16:38:14 -05:00
Jack Doan
e80b9830a3
Remove more os.Exit calls and give a more reliable wait for stop function (attempt 3) ( #1661 )
2026-04-20 16:08:26 -05:00
Nate Brown
49e3c4649b
Try the hot new DefinedNet openbsd78 box ( #1657 )
gofmt / Run gofmt (push) Failing after 4s
smoke-extra / Run extra smoke tests (push) Failing after 2s
smoke / Run multi node smoke test (push) Failing after 3s
Build and test / Build all and test on ubuntu-linux (push) Failing after 3s
Build and test / Build and test on linux with boringcrypto (push) Failing after 2s
Build and test / Build and test on linux with pkcs11 (push) Failing after 3s
Build and test / Build and test on macos-latest (push) Has been cancelled
Build and test / Build and test on windows-latest (push) Has been cancelled
2026-04-17 09:18:23 -05:00
dependabot[bot]
72c04b90bd
Bump golang.zx2c4.com/wireguard/windows in the zx2c4-dependencies group ( #1652 )
...
gofmt / Run gofmt (push) Failing after 3s
smoke-extra / Run extra smoke tests (push) Failing after 3s
smoke / Run multi node smoke test (push) Failing after 2s
Build and test / Build all and test on ubuntu-linux (push) Failing after 2s
Build and test / Build and test on linux with boringcrypto (push) Failing after 3s
Build and test / Build and test on linux with pkcs11 (push) Failing after 2s
Build and test / Build and test on macos-latest (push) Has been cancelled
Build and test / Build and test on windows-latest (push) Has been cancelled
Bumps the zx2c4-dependencies group with 1 update: golang.zx2c4.com/wireguard/windows.
Updates `golang.zx2c4.com/wireguard/windows` from 0.5.3 to 0.6.1
---
updated-dependencies:
- dependency-name: golang.zx2c4.com/wireguard/windows
dependency-version: 0.6.1
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: zx2c4-dependencies
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-15 13:27:14 -05:00
dependabot[bot]
36ab1dbb97
Bump the golang-x-dependencies group across 1 directory with 5 updates ( #1629 )
...
Bumps the golang-x-dependencies group with 3 updates in the / directory: [golang.org/x/crypto](https://github.com/golang/crypto ), [golang.org/x/net](https://github.com/golang/net ) and [golang.org/x/sync](https://github.com/golang/sync ).
Updates `golang.org/x/crypto` from 0.47.0 to 0.48.0
- [Commits](https://github.com/golang/crypto/compare/v0.47.0...v0.48.0 )
Updates `golang.org/x/net` from 0.49.0 to 0.51.0
- [Commits](https://github.com/golang/net/compare/v0.49.0...v0.51.0 )
Updates `golang.org/x/sync` from 0.19.0 to 0.20.0
- [Commits](https://github.com/golang/sync/compare/v0.19.0...v0.20.0 )
Updates `golang.org/x/sys` from 0.40.0 to 0.41.0
- [Commits](https://github.com/golang/sys/compare/v0.40.0...v0.41.0 )
Updates `golang.org/x/term` from 0.39.0 to 0.40.0
- [Commits](https://github.com/golang/term/compare/v0.39.0...v0.40.0 )
---
updated-dependencies:
- dependency-name: golang.org/x/crypto
dependency-version: 0.48.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: golang-x-dependencies
- dependency-name: golang.org/x/net
dependency-version: 0.51.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: golang-x-dependencies
- dependency-name: golang.org/x/sync
dependency-version: 0.20.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: golang-x-dependencies
- dependency-name: golang.org/x/sys
dependency-version: 0.41.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: golang-x-dependencies
- dependency-name: golang.org/x/term
dependency-version: 0.40.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: golang-x-dependencies
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-15 13:02:29 -05:00
dependabot[bot]
f77fe74192
Bump github.com/miekg/pkcs11 ( #1586 )
...
Bumps [github.com/miekg/pkcs11](https://github.com/miekg/pkcs11 ) from 1.1.2-0.20231115102856-9078ad6b9d4b to 1.1.2.
- [Changelog](https://github.com/miekg/pkcs11/blob/master/release.go )
- [Commits](https://github.com/miekg/pkcs11/commits/v1.1.2 )
---
updated-dependencies:
- dependency-name: github.com/miekg/pkcs11
dependency-version: 1.1.2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-15 12:27:19 -05:00
dependabot[bot]
24c9c704a0
Bump github.com/miekg/dns from 1.1.70 to 1.1.72 ( #1587 )
...
Bumps [github.com/miekg/dns](https://github.com/miekg/dns ) from 1.1.70 to 1.1.72.
- [Commits](https://github.com/miekg/dns/compare/v1.1.70...v1.1.72 )
---
updated-dependencies:
- dependency-name: github.com/miekg/dns
dependency-version: 1.1.72
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-15 11:54:47 -05:00
Nate Brown
a5e81efe7b
Try rsync from somewhere else ( #1655 )
2026-04-15 09:23:33 -05:00
Jack Doan
b3194236aa
udp_linux: wrap socket operations with syscall.RawConn for clean teardown ( #1654 )
...
gofmt / Run gofmt (push) Failing after 3s
smoke-extra / Run extra smoke tests (push) Failing after 2s
smoke / Run multi node smoke test (push) Failing after 3s
Build and test / Build all and test on ubuntu-linux (push) Failing after 3s
Build and test / Build and test on linux with boringcrypto (push) Failing after 2s
Build and test / Build and test on linux with pkcs11 (push) Failing after 2s
Build and test / Build and test on macos-latest (push) Has been cancelled
Build and test / Build and test on windows-latest (push) Has been cancelled
remove runtime.LockOSThread() because it makes things worse now
remove the "custom" Write() method from tun_linux.go, the stdlib path via os.File performs better
We should change our guidance around number of routines, ~2 per thread (that you wish to use for Nebula) seems to be about right now
2026-04-14 18:25:24 -05:00
Nate Brown
3fae693c42
Additional e2e tests to assert current handshake behavior ( #1653 )
gofmt / Run gofmt (push) Failing after 3s
smoke-extra / Run extra smoke tests (push) Failing after 2s
smoke / Run multi node smoke test (push) Failing after 2s
Build and test / Build all and test on ubuntu-linux (push) Failing after 3s
Build and test / Build and test on linux with boringcrypto (push) Failing after 2s
Build and test / Build and test on linux with pkcs11 (push) Failing after 2s
Build and test / Build and test on macos-latest (push) Has been cancelled
Build and test / Build and test on windows-latest (push) Has been cancelled
2026-04-14 13:32:01 -05:00
John Maguire
0ad5c771e9
Refactor CA pool handling to use streaming ( #1644 )
...
gofmt / Run gofmt (push) Failing after 3s
smoke-extra / Run extra smoke tests (push) Failing after 3s
smoke / Run multi node smoke test (push) Failing after 3s
Build and test / Build all and test on ubuntu-linux (push) Failing after 2s
Build and test / Build and test on linux with boringcrypto (push) Failing after 3s
Build and test / Build and test on linux with pkcs11 (push) Failing after 2s
Build and test / Build and test on macos-latest (push) Has been cancelled
Build and test / Build and test on windows-latest (push) Has been cancelled
Co-authored-by: maggie44 <64841595+maggie44@users.noreply.github.com >
Co-authored-by: JackDoan <me@jackdoan.com >
2026-04-13 13:19:55 -04:00
Jay R. Wren
6727113b2b
gh workflow release: protect from ref_name attack ( #1650 )
...
gofmt / Run gofmt (push) Failing after 4s
smoke-extra / Run extra smoke tests (push) Failing after 3s
smoke / Run multi node smoke test (push) Failing after 3s
Build and test / Build all and test on ubuntu-linux (push) Failing after 2s
Build and test / Build and test on linux with boringcrypto (push) Failing after 3s
Build and test / Build and test on linux with pkcs11 (push) Failing after 2s
Build and test / Build and test on macos-latest (push) Has been cancelled
Build and test / Build and test on windows-latest (push) Has been cancelled
It is not likely, but better to be safe.
2026-04-06 12:24:28 -04:00
Jay R. Wren
f8587956ba
add sshd.sandbox_dir config option ( #1622 )
...
* add sshd.sandbox_dir config option
Sanitize SSH profile paths (ssh.go:514,683,719) — restrict os.Create(a[0]) to a safe directory.
Add a config option in the config file to specify the sandbox directory. For backwards compatibility, if the config is not specified, keep the current behavior.
* update default and example
* use os.TempDir() for sshd.sandbox_dir default
* split sandbox path validation into separate conditionals
Separate the combined && check in sshSanitizeFilePath into two distinct
conditionals with specific error messages: one for paths resolving to the
sandbox directory itself, and one for paths outside the sandbox.
Co-Authored-By: Claude <svc-devxp-claude@slack-corp.com >
* fix: trim leading zeros from p256 signature swap result
bigmod.Nat.Bytes() returns fixed-size 32-byte slices, but ASN.1 INTEGER
parsing strips leading zeros. This caused a flaky test failure (~1/256
chance) when the S value's high byte was zero.
Co-Authored-By: Claude <svc-devxp-claude@slack-corp.com >
---------
Co-authored-by: Claude <svc-devxp-claude@slack-corp.com >
2026-04-03 09:37:18 -04:00
John Maguire
951d368faf
Add a small link to DN Managed Nebula ( #1641 )
...
* Add a small link to DN Managed Nebula
Also link the mobile source code
2026-03-30 16:20:21 -04:00
Jack Doan
91d1f4675a
properly handle closetunnel packets ( #1638 )
2026-03-25 11:59:37 -05:00
John Maguire
9f1aef53fa
Fix dissector logic ( #1626 )
...
* Fix typo in Wireshark dissector
* Fix wireshark dissector prefs_changed logic
The previous logic had several issues:
- Changing only the port number (without toggling all_ports) would
not re-register the dissector on the new port.
- Turning all_ports off would remove all registrations but only
re-add the specific port inside a branch that also required
all_ports to have changed, and never updated default_settings.port.
Simplify to: remove all registrations, then register based on current
prefs, then update the cached state.
2026-03-23 11:15:40 -04:00
Jay R. Wren
1aa1a0476f
#ECCN:Open Source in CODEOWNERS ( #1632 )
...
gofmt / Run gofmt (push) Failing after 3s
smoke-extra / Run extra smoke tests (push) Failing after 3s
smoke / Run multi node smoke test (push) Failing after 2s
Build and test / Build all and test on ubuntu-linux (push) Failing after 3s
Build and test / Build and test on linux with boringcrypto (push) Failing after 2s
Build and test / Build and test on linux with pkcs11 (push) Failing after 3s
Build and test / Build and test on macos-latest (push) Has been cancelled
Build and test / Build and test on windows-latest (push) Has been cancelled
Salesforce is requesting this in all opensource repositories
2026-03-16 17:07:40 -04:00
Jay R. Wren
7760ccefba
fix logging copy pasta ( #1621 )
gofmt / Run gofmt (push) Failing after 3s
smoke-extra / Run extra smoke tests (push) Failing after 3s
smoke / Run multi node smoke test (push) Failing after 2s
Build and test / Build all and test on ubuntu-linux (push) Failing after 3s
Build and test / Build and test on linux with boringcrypto (push) Failing after 3s
Build and test / Build and test on linux with pkcs11 (push) Failing after 2s
Build and test / Build and test on macos-latest (push) Has been cancelled
Build and test / Build and test on windows-latest (push) Has been cancelled
2026-03-06 14:03:32 -05:00
Jack Doan
51308b845b
connection-track ICMP traffic ( #1602 )
...
gofmt / Run gofmt (push) Failing after 2s
smoke-extra / Run extra smoke tests (push) Failing after 3s
smoke / Run multi node smoke test (push) Failing after 2s
Build and test / Build all and test on ubuntu-linux (push) Failing after 2s
Build and test / Build and test on linux with boringcrypto (push) Failing after 2s
Build and test / Build and test on linux with pkcs11 (push) Failing after 2s
Build and test / Build and test on macos-latest (push) Has been cancelled
Build and test / Build and test on windows-latest (push) Has been cancelled
* connection-track ICMP and ICMPv6 traffic
* icmpv6 only has identifier on echo
2026-02-18 23:19:37 -06:00
Wade Simmons
422fc2ad1e
go fix ( #1608 )
gofmt / Run gofmt (push) Failing after 3s
smoke-extra / Run extra smoke tests (push) Failing after 2s
smoke / Run multi node smoke test (push) Failing after 2s
Build and test / Build all and test on ubuntu-linux (push) Failing after 2s
Build and test / Build and test on linux with boringcrypto (push) Failing after 3s
Build and test / Build and test on linux with pkcs11 (push) Failing after 2s
Build and test / Build and test on macos-latest (push) Has been cancelled
Build and test / Build and test on windows-latest (push) Has been cancelled
2026-02-17 11:42:14 -05:00
Wade Simmons
e8bb874e14
smoke-extra: try AMD-V workaround ( #1610 )
...
gofmt / Run gofmt (push) Failing after 3s
smoke-extra / Run extra smoke tests (push) Failing after 2s
smoke / Run multi node smoke test (push) Failing after 2s
Build and test / Build all and test on ubuntu-linux (push) Failing after 3s
Build and test / Build and test on linux with boringcrypto (push) Failing after 2s
Build and test / Build and test on linux with pkcs11 (push) Failing after 2s
Build and test / Build and test on macos-latest (push) Has been cancelled
Build and test / Build and test on windows-latest (push) Has been cancelled
* smoke-extra: try AMD-V workaround
- https://github.com/slackhq/nebula/actions/runs/21995850645/job/63555492676?pr=1602
- https://github.com/actions/runner-images/issues/13202
- https://github.com/cri-o/packaging/pull/306/changes
2026-02-13 12:55:19 -06:00
Jack Doan
353ad1f271
firewall: icmp no longer requires a port spec ( #1609 )
2026-02-13 11:10:40 -06:00
Jack Doan
f573e8a266
Merge commit from fork
...
gofmt / Run gofmt (push) Failing after 3s
smoke-extra / Run extra smoke tests (push) Failing after 2s
smoke / Run multi node smoke test (push) Failing after 3s
Build and test / Build all and test on ubuntu-linux (push) Failing after 2s
Build and test / Build and test on linux with boringcrypto (push) Failing after 3s
Build and test / Build and test on linux with pkcs11 (push) Failing after 2s
Build and test / Build and test on macos-latest (push) Has been cancelled
Build and test / Build and test on windows-latest (push) Has been cancelled
Newly signed P256 based certificates will have their signature clamped to the low-s form.
Update CHANGELOG.md
2026-02-06 14:26:51 -05:00
