v1.10 changelog

CHANGELOG.md

@@ -7,12 +7,49 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.10.0] - 2025-12-04
+
+### Added
+
+- Support for ipv6 and multiple ipv4/6 addresses in the overlay.
+  A new v2 ASN.1 based certificate format.
+  Certificates now have a unified interface for external implementations.
+  (#1212, #1216, #1345, #1359, #1381, #1419, #1464, #1466, #1451, #1476, #1467, #1481, #1399, #1488, #1492, #1495, #1468, #1521, #1535, #1538)
+  **TODO: External documentation link!**
+- Add the ability to mark packets on linux to better target nebula packets in iptables/nftables. (#1331)
+- Add ECMP support for `unsafe_routes`. (#1332)
+- PKCS11 support for P256 keys when built with `pkcs11` tag (#1153, #1482)
+
 ### Changed
 
+- Improve logging when a relay is in use on an inbound packet. (#1533)
+- Avoid fatal errors if `rountines` is > 1 on systems that don't support more than 1 routine. (#1531)
+- Log a warning if a firewall rule contains an `any` that negates a more restrictive filter. (#1513)
+- Accept encrypted CA passphrase from an environment variable. (#1421)
+- Allow handshaking with any trusted remote. (#1509)
+- Log only the count of blocklisted certificate fingerprints instead of the entire list. (#1525)
+- Don't fatal when the ssh server is unable to be configured successfully. (#1520)
+- Update to build against go v1.25. (#1483)
 - `default_local_cidr_any` now defaults to false, meaning that any firewall rule
   intended to target an `unsafe_routes` entry must explicitly declare it via the
   `local_cidr` field. This is almost always the intended behavior. This flag is
-  deprecated and will be removed in a future release.
+  deprecated and will be removed in a future release. (#1373)
+- Allow projects using `nebula` as a library with userspace networking to configure the `logger` and build version. (#1239) 
+- Upgrade to `yaml.v3`. (#1148, #1371, #1438, #1478)
+
+### Fixed
+
+- Fix a potential bug with udp ipv4 only on darwin. (#1532)
+- Improve lost packet statistics. (#1441, #1537)
+- Honor `remote_allow_list` in hole punch response. (#1186)
+- Fix a panic when `tun.use_system_route_table` is `true` and a route lacks a destination. (#1437) 
+- Fix an issue when `tun.use_system_route_table: true` could result in heavy CPU utilization when many thousands of routes
+  are present. (#1326) 
+- Fix tests for 32 bit machines. (#1394)
+- Fix a possible 32bit integer underflow in config handling. (#1353)
+- Fix moving a udp address from one vpn address to another in the `static_host_map`
+  which could cause rapid re-handshaking with an incorrect remote. (#1259)
+- Improve smoke tests in environments where the docker network is not the default. (#1347)
 
 ## [1.9.7] - 2025-10-10
 
@@ -24,7 +61,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Changed
 
 - Disable sending `recv_error` messages when a packet is received outside the allowable counter window. (#1459)
-- Improve error messages and remove some unnecessary fatal conditions in the Windows and generic udp listener. (#1543)
+- Improve error messages and remove some unnecessary fatal conditions in the Windows and generic udp listener. (#1453)
 
 ## [1.9.6] - 2025-7-15
 
@@ -706,7 +743,8 @@ created.)
 
 - Initial public release.
 
-[Unreleased]: https://github.com/slackhq/nebula/compare/v1.9.7...HEAD
+[Unreleased]: https://github.com/slackhq/nebula/compare/v1.10.0...HEAD
+[1.10.0]: https://github.com/slackhq/nebula/releases/tag/v1.10.0
 [1.9.7]: https://github.com/slackhq/nebula/releases/tag/v1.9.7
 [1.9.6]: https://github.com/slackhq/nebula/releases/tag/v1.9.6
 [1.9.5]: https://github.com/slackhq/nebula/releases/tag/v1.9.5