693 Commits

This Branch

This Branch

All Branches

Author	SHA1	Message	Date
JackDoan	b644131fd7	remove yellow squiggles	2026-04-15 17:54:21 -05:00
JackDoan	9ac45a06cf	tun_linux.go: stdlib too slow, but can't use blocking IO and clean shutdown	2026-04-15 17:45:50 -05:00
dependabot[bot]	72c04b90bd	Bump golang.zx2c4.com/wireguard/windows in the zx2c4-dependencies group (#1652) ... Bumps the zx2c4-dependencies group with 1 update: golang.zx2c4.com/wireguard/windows. Updates `golang.zx2c4.com/wireguard/windows` from 0.5.3 to 0.6.1 --- updated-dependencies: - dependency-name: golang.zx2c4.com/wireguard/windows dependency-version: 0.6.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: zx2c4-dependencies ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-04-15 13:27:14 -05:00
dependabot[bot]	36ab1dbb97	Bump the golang-x-dependencies group across 1 directory with 5 updates (#1629) ... Bumps the golang-x-dependencies group with 3 updates in the / directory: [golang.org/x/crypto](https://github.com/golang/crypto), [golang.org/x/net](https://github.com/golang/net) and [golang.org/x/sync](https://github.com/golang/sync). Updates `golang.org/x/crypto` from 0.47.0 to 0.48.0 - [Commits](https://github.com/golang/crypto/compare/v0.47.0...v0.48.0) Updates `golang.org/x/net` from 0.49.0 to 0.51.0 - [Commits](https://github.com/golang/net/compare/v0.49.0...v0.51.0) Updates `golang.org/x/sync` from 0.19.0 to 0.20.0 - [Commits](https://github.com/golang/sync/compare/v0.19.0...v0.20.0) Updates `golang.org/x/sys` from 0.40.0 to 0.41.0 - [Commits](https://github.com/golang/sys/compare/v0.40.0...v0.41.0) Updates `golang.org/x/term` from 0.39.0 to 0.40.0 - [Commits](https://github.com/golang/term/compare/v0.39.0...v0.40.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-version: 0.48.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x-dependencies - dependency-name: golang.org/x/net dependency-version: 0.51.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x-dependencies - dependency-name: golang.org/x/sync dependency-version: 0.20.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x-dependencies - dependency-name: golang.org/x/sys dependency-version: 0.41.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x-dependencies - dependency-name: golang.org/x/term dependency-version: 0.40.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x-dependencies ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-04-15 13:02:29 -05:00
dependabot[bot]	f77fe74192	Bump github.com/miekg/pkcs11 (#1586) ... Bumps [github.com/miekg/pkcs11](https://github.com/miekg/pkcs11) from 1.1.2-0.20231115102856-9078ad6b9d4b to 1.1.2. - [Changelog](https://github.com/miekg/pkcs11/blob/master/release.go) - [Commits](https://github.com/miekg/pkcs11/commits/v1.1.2) --- updated-dependencies: - dependency-name: github.com/miekg/pkcs11 dependency-version: 1.1.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-04-15 12:27:19 -05:00
dependabot[bot]	24c9c704a0	Bump github.com/miekg/dns from 1.1.70 to 1.1.72 (#1587) ... Bumps [github.com/miekg/dns](https://github.com/miekg/dns) from 1.1.70 to 1.1.72. - [Commits](https://github.com/miekg/dns/compare/v1.1.70...v1.1.72) --- updated-dependencies: - dependency-name: github.com/miekg/dns dependency-version: 1.1.72 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-04-15 11:54:47 -05:00
Nate Brown	a5e81efe7b	Try rsync from somewhere else (#1655)	2026-04-15 09:23:33 -05:00
Jack Doan	b3194236aa	udp_linux: wrap socket operations with syscall.RawConn for clean teardown (#1654) ... remove runtime.LockOSThread() because it makes things worse now remove the "custom" Write() method from tun_linux.go, the stdlib path via os.File performs better We should change our guidance around number of routines, ~2 per thread (that you wish to use for Nebula) seems to be about right now	2026-04-14 18:25:24 -05:00
Nate Brown	3fae693c42	Additional e2e tests to assert current handshake behavior (#1653)	2026-04-14 13:32:01 -05:00
John Maguire	0ad5c771e9	Refactor CA pool handling to use streaming (#1644) ... Co-authored-by: maggie44 <64841595+maggie44@users.noreply.github.com> Co-authored-by: JackDoan <me@jackdoan.com>	2026-04-13 13:19:55 -04:00
Jay R. Wren	6727113b2b	gh workflow release: protect from ref_name attack (#1650) ... It is not likely, but better to be safe.	2026-04-06 12:24:28 -04:00
Jay R. Wren	f8587956ba	add sshd.sandbox_dir config option (#1622) ... * add sshd.sandbox_dir config option Sanitize SSH profile paths (ssh.go:514,683,719) — restrict os.Create(a[0]) to a safe directory. Add a config option in the config file to specify the sandbox directory. For backwards compatibility, if the config is not specified, keep the current behavior. * update default and example * use os.TempDir() for sshd.sandbox_dir default * split sandbox path validation into separate conditionals Separate the combined && check in sshSanitizeFilePath into two distinct conditionals with specific error messages: one for paths resolving to the sandbox directory itself, and one for paths outside the sandbox. Co-Authored-By: Claude <svc-devxp-claude@slack-corp.com> * fix: trim leading zeros from p256 signature swap result bigmod.Nat.Bytes() returns fixed-size 32-byte slices, but ASN.1 INTEGER parsing strips leading zeros. This caused a flaky test failure (~1/256 chance) when the S value's high byte was zero. Co-Authored-By: Claude <svc-devxp-claude@slack-corp.com> --------- Co-authored-by: Claude <svc-devxp-claude@slack-corp.com>	2026-04-03 09:37:18 -04:00
John Maguire	951d368faf	Add a small link to DN Managed Nebula (#1641) ... * Add a small link to DN Managed Nebula Also link the mobile source code	2026-03-30 16:20:21 -04:00
Jack Doan	91d1f4675a	properly handle closetunnel packets (#1638)	2026-03-25 11:59:37 -05:00
John Maguire	9f1aef53fa	Fix dissector logic (#1626) ... * Fix typo in Wireshark dissector * Fix wireshark dissector prefs_changed logic The previous logic had several issues: - Changing only the port number (without toggling all_ports) would not re-register the dissector on the new port. - Turning all_ports off would remove all registrations but only re-add the specific port inside a branch that also required all_ports to have changed, and never updated default_settings.port. Simplify to: remove all registrations, then register based on current prefs, then update the cached state.	2026-03-23 11:15:40 -04:00
Jay R. Wren	1aa1a0476f	#ECCN:Open Source in CODEOWNERS (#1632) ... Salesforce is requesting this in all opensource repositories	2026-03-16 17:07:40 -04:00
Jay R. Wren	7760ccefba	fix logging copy pasta (#1621)	2026-03-06 14:03:32 -05:00
Jack Doan	51308b845b	connection-track ICMP traffic (#1602) ... * connection-track ICMP and ICMPv6 traffic * icmpv6 only has identifier on echo	2026-02-18 23:19:37 -06:00
Wade Simmons	422fc2ad1e	go fix (#1608)	2026-02-17 11:42:14 -05:00
Wade Simmons	e8bb874e14	smoke-extra: try AMD-V workaround (#1610) ... * smoke-extra: try AMD-V workaround - https://github.com/slackhq/nebula/actions/runs/21995850645/job/63555492676?pr=1602 - https://github.com/actions/runner-images/issues/13202 - https://github.com/cri-o/packaging/pull/306/changes	2026-02-13 12:55:19 -06:00
Jack Doan	353ad1f271	firewall: icmp no longer requires a port spec (#1609)	2026-02-13 11:10:40 -06:00
Jack Doan	f573e8a266	Merge commit from fork ... Newly signed P256 based certificates will have their signature clamped to the low-s form. Update CHANGELOG.md v1.10.3	2026-02-06 14:26:51 -05:00
Jack Doan	42bee7cf17	Report if Nebula start fails because of tun device name (#1588) ... * specifically report if nebula start fails because of tun device name * close all routines when closing the tun	2026-01-28 10:03:36 -06:00
Caleb Jasik	02d8bcac68	Remove lighthouse goroutine leaks in lighthouse_test.go (#1589) ... Using <https://go.dev/doc/go1.26#goroutineleak-profiles> + Claude, I was able to run nebula's unit tests and e2e tests with the leak detector enabled. Added a TestMain that queries pprof to see if there are any reported goroutine leaks. I'd love to get some form of this in CI whenever go 1.26 comes out, though I'd also like to prove this is properly useful past the just five detections it got here. <details> <summary>TestMain</summary> ```go package nebula import ( "fmt" "os" "runtime/pprof" "strings" "testing" ) // TestMain runs after all tests and checks for goroutine leaks func TestMain(m *testing.M) { // Run all tests exitCode := m.Run() // Check for goroutine leaks after all tests complete prof := pprof.Lookup("goroutineleak") if prof != nil { var sb strings.Builder if err := prof.WriteTo(&sb, 2); err != nil { fmt.Fprintf(os.Stderr, "Failed to write goroutineleak profile: %v\n", err) os.Exit(1) } content := sb.String() leakedCount := strings.Count(content, "(leaked)") if leakedCount > 0 { fmt.Fprintf(os.Stderr, "\n=== GOROUTINE LEAK DETECTED ===\n") fmt.Fprintf(os.Stderr, "Found %d leaked goroutine(s) in package nebula\n\n", leakedCount) goros := strings.Split(content, "\n\n") for _, goro := range goros { if strings.Contains(goro, "(leaked)") { fmt.Fprintln(os.Stderr, goro) fmt.Fprintln(os.Stderr) } } os.Exit(1) } else { fmt.Println("✓ No goroutine leaks detected in package nebula") } } os.Exit(exitCode) } ``` </details> Also had to install go1.26rc2 and update the makefile to use that go binary + set ex: ```makefile test-goroutineleak: GOEXPERIMENT=goroutineleakprofile go1.26rc2 test -v ./... ```	2026-01-27 23:44:43 -06:00
Wade Simmons	0b02d982b2	v1.10.2 (#1584) ... Update CHANGELOG for Nebula v1.10.2 v1.10.2	2026-01-21 12:42:34 -05:00
Wade Simmons	e1e92f017c	initialize routesFromSystem (#1580) ... This is a regression introduced by #1573. We need to initialize this map. Fixes: #1579	2026-01-20 11:15:20 -05:00
zhetaicheleba	e5f60fa54f	chore: fix some typos in comments (#1582) ... Signed-off-by: zhetaicheleba <taicheleba@outlook.com>	2026-01-20 11:03:31 -05:00
dependabot[bot]	bf49e78243	Bump github.com/sirupsen/logrus from 1.9.3 to 1.9.4 (#1581) ... Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.3 to 1.9.4. - [Release notes](https://github.com/sirupsen/logrus/releases) - [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md) - [Commits](https://github.com/sirupsen/logrus/compare/v1.9.3...v1.9.4) --- updated-dependencies: - dependency-name: github.com/sirupsen/logrus dependency-version: 1.9.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-01-20 10:40:24 -05:00
Nate Brown	72a40007ea	v1.10.1 (#1575) ... Update CHANGELOG for Nebula v1.10.1 v1.10.1	2026-01-16 10:33:54 -05:00
Nate Brown	ac3bd9cdd0	Avoid losing system originated unsafe routes on reload (#1573)	2026-01-15 13:48:17 -06:00
dependabot[bot]	88379b89f5	Bump golang.org/x/net in the golang-x-dependencies group (#1571) ... Bumps the golang-x-dependencies group with 1 update: [golang.org/x/net](https://github.com/golang/net). Updates `golang.org/x/net` from 0.48.0 to 0.49.0 - [Commits](https://github.com/golang/net/compare/v0.48.0...v0.49.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-version: 0.49.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x-dependencies ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-01-13 00:02:44 -06:00
Nate Brown	1283ff0db4	Add option to control accepting recv_error (#1569)	2026-01-13 00:00:27 -06:00
dependabot[bot]	523209ec0b	Bump github.com/miekg/dns from 1.1.68 to 1.1.69 (#1561) ... Bumps [github.com/miekg/dns](https://github.com/miekg/dns) from 1.1.68 to 1.1.69. - [Commits](https://github.com/miekg/dns/compare/v1.1.68...v1.1.69) --- updated-dependencies: - dependency-name: github.com/miekg/dns dependency-version: 1.1.69 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-01-12 16:16:42 -05:00
dependabot[bot]	a4a6143b6a	Bump google.golang.org/protobuf in the protobuf-dependencies group (#1560) ... Bumps the protobuf-dependencies group with 1 update: google.golang.org/protobuf. Updates `google.golang.org/protobuf` from 1.36.10 to 1.36.11 --- updated-dependencies: - dependency-name: google.golang.org/protobuf dependency-version: 1.36.11 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: protobuf-dependencies ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-01-12 16:16:01 -05:00
dependabot[bot]	1b2d639b14	Bump actions/download-artifact from 6 to 7 (#1557) ... Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 6 to 7. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/v6...v7) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-01-12 15:40:47 -05:00
dependabot[bot]	9933970e67	Bump actions/upload-artifact from 5 to 6 (#1558) ... Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 5 to 6. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/v5...v6) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-01-12 15:40:13 -05:00
dependabot[bot]	d7a3f01465	Bump the golang-x-dependencies group across 1 directory with 4 updates (#1570) ... Bumps the golang-x-dependencies group with 1 update in the / directory: [golang.org/x/crypto](https://github.com/golang/crypto). Updates `golang.org/x/crypto` from 0.45.0 to 0.47.0 - [Commits](https://github.com/golang/crypto/compare/v0.45.0...v0.47.0) Updates `golang.org/x/net` from 0.47.0 to 0.48.0 - [Commits](https://github.com/golang/net/compare/v0.47.0...v0.48.0) Updates `golang.org/x/sys` from 0.39.0 to 0.40.0 - [Commits](https://github.com/golang/sys/compare/v0.39.0...v0.40.0) Updates `golang.org/x/term` from 0.38.0 to 0.39.0 - [Commits](https://github.com/golang/term/compare/v0.38.0...v0.39.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-version: 0.47.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x-dependencies - dependency-name: golang.org/x/net dependency-version: 0.48.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x-dependencies - dependency-name: golang.org/x/sys dependency-version: 0.40.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x-dependencies - dependency-name: golang.org/x/term dependency-version: 0.39.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x-dependencies ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-01-12 15:35:34 -05:00
Nate Brown	69259e6307	Quietly log error on UDP_NETRESET ioctl on Windows. (#1453) (#1568) ... Co-authored-by: brad-defined <77982333+brad-defined@users.noreply.github.com>	2026-01-09 10:35:09 -06:00
brad-defined	2f71d6b22d	Ensure pubkey coherency when rehydrating a handshake cert (#1566) ... * Ensure pubkey coherency when rehydrating a handshake cert * Include a check during handshakes after cert verification that the noise pubkey matches the cert pubkey.	2026-01-09 09:52:03 -05:00
Jack Doan	3ec527e42c	cert.MarshalSigningPublicKeyToPEM should emit the 'ECDSA' variant of the banner (#1552) ... * cert.MarshalSigningPublicKeyToPEM should emit the 'ECDSA' variant of the banner * oof owie ouch my tests	2025-12-10 10:39:36 -06:00
Nate Brown	2d16940232	Slight improvement to hot path benchmark, add a relay hot path benchmark (#1539)	2025-12-09 22:29:26 -06:00
dependabot[bot]	cba294ffa4	Bump actions/checkout from 5 to 6 (#1541) ... Bumps [actions/checkout](https://github.com/actions/checkout) from 5 to 6. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v5...v6) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-12-09 22:25:48 -06:00
dependabot[bot]	48406f85da	Bump the golang-x-dependencies group with 3 updates (#1550) ... Bumps the golang-x-dependencies group with 3 updates: [golang.org/x/sync](https://github.com/golang/sync), [golang.org/x/sys](https://github.com/golang/sys) and [golang.org/x/term](https://github.com/golang/term). Updates `golang.org/x/sync` from 0.18.0 to 0.19.0 - [Commits](https://github.com/golang/sync/compare/v0.18.0...v0.19.0) Updates `golang.org/x/sys` from 0.38.0 to 0.39.0 - [Commits](https://github.com/golang/sys/compare/v0.38.0...v0.39.0) Updates `golang.org/x/term` from 0.37.0 to 0.38.0 - [Commits](https://github.com/golang/term/compare/v0.37.0...v0.38.0) --- updated-dependencies: - dependency-name: golang.org/x/sync dependency-version: 0.19.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x-dependencies - dependency-name: golang.org/x/sys dependency-version: 0.39.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x-dependencies - dependency-name: golang.org/x/term dependency-version: 0.38.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x-dependencies ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-12-09 22:19:53 -06:00
dependabot[bot]	14a1af132e	Bump Apple-Actions/import-codesign-certs from 5 to 6 (#1549) ... Bumps [Apple-Actions/import-codesign-certs](https://github.com/apple-actions/import-codesign-certs) from 5 to 6. - [Release notes](https://github.com/apple-actions/import-codesign-certs/releases) - [Commits](https://github.com/apple-actions/import-codesign-certs/compare/v5...v6) --- updated-dependencies: - dependency-name: Apple-Actions/import-codesign-certs dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-12-09 22:17:50 -06:00
Nate Brown	59e24b98bd	v1.10.0 (#1534) ... Update CHANGELOG for Nebula v1.10.0 v1.10.0	2025-12-04 14:42:31 -05:00
Nate Brown	56067afca2	Stab at better logging when a relay is being used (#1533)	2025-12-03 17:48:29 -06:00
Nate Brown	64f202fa17	Make 0.0.0.0/0 and ::/0 not mean any address family, add any for that (#1538)	2025-11-21 13:46:36 -06:00
Jack Doan	6d7cf611c9	improve nebula-cert sign version auto-select (#1535)	2025-11-20 13:27:27 -06:00
Nate Brown	83ae8077f5	No need to clear counter 0 (#1537)	2025-11-20 13:22:58 -06:00
Bryan Lee	12cf348c80	feat: support via gateway for v6 multihop for v4 routes (#1521) ... Co-authored-by: Nate Brown <nbrown.us@gmail.com>	2025-11-19 22:21:03 -06:00