Jay Wren
f29e21b411
don't register metrics in loops
2025-11-19 13:25:25 -05:00
Jay Wren
8b32382cd9
zero copy even with virtioheader
2025-11-19 12:03:38 -05:00
Jay Wren
518a78c9d2
preallocate nonce buffer
2025-11-18 14:19:05 -05:00
Jay Wren
7c3708561d
instruments
2025-11-14 14:43:51 -05:00
Jay Wren
a62ffca975
fix 32bit
2025-11-13 15:10:51 -05:00
Jay Wren
226787ea1f
prealloc them buffers
2025-11-11 15:20:50 -05:00
Jay Wren
b2bc6a09ca
write in batches
2025-11-11 15:06:45 -05:00
Jay Wren
0f9b33aa36
reduce copying
2025-11-11 14:51:53 -05:00
Jay Wren
ef0a022375
more nonblocking
2025-11-11 14:22:40 -05:00
Jay Wren
b68e504865
hrm
2025-11-11 13:15:30 -05:00
Jay Wren
3344a840d1
just using the wg library works
2025-11-11 10:55:39 -05:00
Jay Wren
2bc9863e66
only wg tun, no batching
2025-11-10 16:54:00 -05:00
Wade Simmons
97b3972c11
honor remote_allow_list in hole punch response (#1186)
* honor remote_allow_list in hole punch response
When we receive a "hole punch notification" from a Lighthouse, we send
a hole punch packet to every remote of that host, even if we don't
include those remotes in our "remote_allow_list". Change the logic here
to check if the remote IP is in our allow list before sending the hole
punch packet.
* fix for netip
* cleanup
2025-11-10 13:52:40 -05:00
Jack Doan
0f305d5397
don't block startup on failure to configure SSH (#1520)
2025-11-05 10:41:56 -06:00
Jack Doan
01909f4715
try to make certificate addition/removal reloadable in some cases (#1468)
* try to make certificate addition/removal reloadable in some cases
* very spicy change to respond to handshakes with cert versions we cannot match with a cert that we can indeed match
* even spicier change to rehandshake if we detect our cert is lower-version than our peer, and we have a newer-version cert available
* make tryRehandshake easier to understand
2025-11-03 19:38:44 -06:00
Jack Doan
770147264d
fix make bench (#1510)
2025-10-21 11:32:34 -05:00
dependabot[bot]
fa8c013b97
Bump github.com/miekg/dns from 1.1.65 to 1.1.68 (#1444)
Bumps [github.com/miekg/dns](https://github.com/miekg/dns) from 1.1.65 to 1.1.68.
- [Changelog](https://github.com/miekg/dns/blob/master/Makefile.release)
- [Commits](https://github.com/miekg/dns/compare/v1.1.65...v1.1.68)
---
updated-dependencies:
- dependency-name: github.com/miekg/dns
dependency-version: 1.1.68
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-10-13 16:41:51 -04:00
dependabot[bot]
2710f2af06
Bump github.com/kardianos/service from 1.2.2 to 1.2.4 (#1433)
Bumps [github.com/kardianos/service](https://github.com/kardianos/service) from 1.2.2 to 1.2.4.
- [Commits](https://github.com/kardianos/service/compare/v1.2.2...v1.2.4)
---
updated-dependencies:
- dependency-name: github.com/kardianos/service
dependency-version: 1.2.4
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-10-13 15:58:15 -04:00
dependabot[bot]
ad6d3e6bac
Bump the golang-x-dependencies group across 1 directory with 5 updates (#1409)
Bumps the golang-x-dependencies group with 3 updates in the / directory: [golang.org/x/crypto](https://github.com/golang/crypto), [golang.org/x/net](https://github.com/golang/net) and [golang.org/x/sync](https://github.com/golang/sync).
Updates `golang.org/x/crypto` from 0.37.0 to 0.38.0
- [Commits](https://github.com/golang/crypto/compare/v0.37.0...v0.38.0)
Updates `golang.org/x/net` from 0.39.0 to 0.40.0
- [Commits](https://github.com/golang/net/compare/v0.39.0...v0.40.0)
Updates `golang.org/x/sync` from 0.13.0 to 0.14.0
- [Commits](https://github.com/golang/sync/compare/v0.13.0...v0.14.0)
Updates `golang.org/x/sys` from 0.32.0 to 0.33.0
- [Commits](https://github.com/golang/sys/compare/v0.32.0...v0.33.0)
Updates `golang.org/x/term` from 0.31.0 to 0.32.0
- [Commits](https://github.com/golang/term/compare/v0.31.0...v0.32.0)
---
updated-dependencies:
- dependency-name: golang.org/x/crypto
dependency-version: 0.38.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: golang-x-dependencies
- dependency-name: golang.org/x/net
dependency-version: 0.40.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: golang-x-dependencies
- dependency-name: golang.org/x/sync
dependency-version: 0.14.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: golang-x-dependencies
- dependency-name: golang.org/x/sys
dependency-version: 0.33.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: golang-x-dependencies
- dependency-name: golang.org/x/term
dependency-version: 0.32.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: golang-x-dependencies
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-10-13 15:54:38 -04:00
dependabot[bot]
2b0aa74e85
Bump github.com/prometheus/client_golang from 1.22.0 to 1.23.2 (#1470)
Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.22.0 to 1.23.2.
- [Release notes](https://github.com/prometheus/client_golang/releases)
- [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prometheus/client_golang/compare/v1.22.0...v1.23.2)
---
updated-dependencies:
- dependency-name: github.com/prometheus/client_golang
dependency-version: 1.23.2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-10-13 15:16:24 -04:00
dependabot[bot]
b126d88963
Bump github.com/gaissmai/bart from 0.20.4 to 0.25.0 (#1471)
Bumps [github.com/gaissmai/bart](https://github.com/gaissmai/bart) from 0.20.4 to 0.25.0.
- [Release notes](https://github.com/gaissmai/bart/releases)
- [Commits](https://github.com/gaissmai/bart/compare/v0.20.4...v0.25.0)
---
updated-dependencies:
- dependency-name: github.com/gaissmai/bart
dependency-version: 0.25.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-10-13 15:15:07 -04:00
Nate Brown
45c1d3eab3
Support for multi proto tun device on OpenBSD (#1495)
2025-10-08 16:56:42 -05:00
Gary Guo
634181ba66
Fix incorrect CIDR construction in hostmap (#1493)
* Fix incorrect CIDR construction in hostmap
* Introduce a regression test for incorrect hostmap CIDR
2025-10-08 11:02:36 -05:00
Nate Brown
eb89839d13
Support for multi proto tun device on NetBSD (#1492)
2025-10-07 20:17:50 -05:00
Nate Brown
fb7f0c3657
Use x/net/route to manage routes directly (#1488)
2025-10-03 10:59:53 -05:00
sl274
b1f53d8d25
Support IPv6 tunneling in FreeBSD (#1399)
Recent merge of cert-v2 support introduced the ability to tunnel IPv6. However, FreeBSD's IPv6 tunneling does not work for 2 reasons:
* The ifconfig commands did not work for IPv6 addresses
* The tunnel device was not configured for link-layer mode, so it only supported IPv4
This PR improves FreeBSD tunneling support in 3 ways:
* Use ioctl instead of exec'ing ifconfig to configure the interface, with additional logic to support IPv6
* Configure the tunnel in link-layer mode, allowing IPv6 traffic
* Use readv() and writev() to communicate with the tunnel device, to avoid the need to copy the packet buffer
2025-10-02 21:54:30 -05:00
Jack Doan
8824eeaea2
helper functions to more correctly marshal curve 25519 public keys (#1481)
2025-10-02 13:56:41 -05:00
dependabot[bot]
071589f7c7
Bump actions/setup-go from 5 to 6 (#1469)
* Bump actions/setup-go from 5 to 6
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5 to 6.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/v5...v6)
---
updated-dependencies:
- dependency-name: actions/setup-go
dependency-version: '6'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
* Hardcode the last one to go v1.25
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Nate Brown <nbrown.us@gmail.com>
2025-10-02 00:05:12 -05:00
Jack Doan
f1e992f6dd
don't require a detailsVpnAddr in a HostUpdateNotification (#1472)
* don't require a detailsVpnAddr in a HostUpdateNotification
* don't send our own addr on HostUpdateNotification for v2
2025-09-29 13:43:12 -05:00
Jack Doan
1ea5f776d7
update to go 1.25, use the cool new ECDSA key marshalling functions (#1483)
* update to go 1.25, use the cool new ECDSA key marshalling functions
* bonk the runners
* actually bump go.mod
* bump golangci-lint
2025-09-29 13:02:25 -05:00
Henry Graham
4cdeb284ef
Set CKA_VALUE_LEN attribute in DeriveNoise (#1482)
2025-09-25 13:24:52 -05:00
Jack Doan
5cccd39465
update RemoteList.vpnAddrs when we complete a handshake (#1467)
2025-09-10 09:44:25 -05:00
Jack Doan
8196c22b5a
store lighthouses as a slice (#1473)
* store lighthouses as a slice. If you have fewer than 16 lighthouses (and fewer than 16 vpnaddrs on a host, I guess), it's faster
2025-09-10 09:43:25 -05:00
Jack Doan
65cc253c19
prevent linux from assigning ipv6 link-local addresses (#1476)
2025-09-09 13:25:23 -05:00
Wade Simmons
73cfa7b5b1
add firewall tests for ipv6 (#1451)
Test things like cidr and local_cidr with ipv6 addresses, to ensure
everything is working correctly.
2025-09-08 13:57:36 -04:00
Jack Doan
768325c9b4
cert-v2 chores (#1466)
2025-09-05 15:08:22 -05:00
Jack Doan
932e329164
Don't delete static host mappings for non-primary IPs (#1464)
* Don't delete a vpnaddr if it's part of a certificate that contains a vpnaddr that's in the static host map
* remove unused arg from ConnectionManager.shouldSwapPrimary()
2025-09-04 14:49:40 -05:00
Jack Doan
4bea299265
don't send recv errors for packets outside the connection window anymore (#1463)
* don't send recv errors for packets outside the connection window anymore
* Pull in fix from #1459, add my opinion on maxRecvError
* remove recv_error counter entirely
2025-09-03 11:52:52 -05:00
Wade Simmons
5cff83b282
netlink: ignore route updates with no destination (#1437)
Currently we assume each route update must have a destination, but we
should check that it is set before we try to use it.
See: #1436
2025-08-25 13:05:35 -05:00
Wade Simmons
7da79685ff
fix lighthouse.calculated_remotes parsing (#1438)
This was broken with the change to yaml.v3:
- https://github.com/slackhq/nebula/pull/1148
We forgot to update these references to `map[string]any`.
Without this fix, Nebula crashes with an error like this:
{"error":"config `lighthouse.calculated_remotes` has invalid type: map[string]interface {}","level":"error","msg":"Invalid lighthouse.calculated_remotes","time":"2025-07-29T15:50:06.479499Z"}
2025-07-29 13:12:07 -04:00
brad-defined
91eff03418
Update slack OSS invite link (#1435)
2025-07-15 16:05:28 -04:00
Nate Brown
52623820c2
Drop inactive tunnels (#1427)
2025-07-03 09:58:37 -05:00
Nate Brown
c2420642a0
Darwin udp fix (#1428)
2025-07-02 15:50:22 -05:00
brad-defined
b3a1f7b0a3
Disable UDP receive error returns due to ICMP messages on Windows. (#1412) (#1415)
2025-07-02 11:37:41 -04:00
brad-defined
94142aded5
Fix relay migration panic by covering every possible relay state (#1414)
2025-07-02 08:48:02 -04:00
brad-defined
b158eb0c4c
Use a list for relay IPs instead of a map (#1423)
* Use a list for relay IPs instead of a map
* linter
2025-07-02 08:47:05 -04:00
dependabot[bot]
e4b7dbcfb0
Bump dario.cat/mergo from 1.0.1 to 1.0.2 (#1408)
Bumps [dario.cat/mergo](https://github.com/imdario/mergo) from 1.0.1 to 1.0.2.
- [Release notes](https://github.com/imdario/mergo/releases)
- [Commits](https://github.com/imdario/mergo/compare/v1.0.1...v1.0.2)
---
updated-dependencies:
- dependency-name: dario.cat/mergo
dependency-version: 1.0.2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-07-01 23:30:40 -05:00
dependabot[bot]
882edf11d7
Bump github.com/vishvananda/netlink from 1.3.0 to 1.3.1 (#1407)
Bumps [github.com/vishvananda/netlink](https://github.com/vishvananda/netlink) from 1.3.0 to 1.3.1.
- [Release notes](https://github.com/vishvananda/netlink/releases)
- [Commits](https://github.com/vishvananda/netlink/compare/v1.3.0...v1.3.1)
---
updated-dependencies:
- dependency-name: github.com/vishvananda/netlink
dependency-version: 1.3.1
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-07-01 23:29:15 -05:00
dependabot[bot]
d34c2b8e06
Bump golangci/golangci-lint-action from 7 to 8 (#1400)
* Bump golangci/golangci-lint-action from 7 to 8
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 7 to 8.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/v7...v8)
---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
dependency-version: '8'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
* bump golangci-lint version
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Wade Simmons <wsimmons@slack-corp.com>
2025-07-01 23:25:24 -05:00
brad-defined
442a52879b
Fix off by one error in IPv6 packet parser (#1419)
2025-06-11 15:15:15 -04:00