JackDoan
36bbc515d2
log if UnsafeNetworks assignment changes across reload
2026-03-04 12:33:24 -06:00
JackDoan
09fe406dba
log if V1 and V2 certs have mismatched UnsafeNetworks
2026-03-04 12:33:24 -06:00
Nate Brown
d21baede1f
Nits and fix tests
2026-02-27 18:09:52 -06:00
Nate Brown
037459ef73
Review nits
2026-02-27 17:49:31 -06:00
Nate Brown
7655a10108
Remove thing
2026-02-27 16:51:40 -06:00
JackDoan
5cbccdc0fd
remove dead comment
2026-02-26 11:48:53 -06:00
JackDoan
629700fbb6
feedback
2026-02-26 10:58:10 -06:00
JackDoan
e4897b07c9
leftover cruft from merging
2026-02-26 10:49:05 -06:00
JackDoan
f7dd3c0ce4
moar test
2026-02-26 10:46:06 -06:00
JackDoan
009a4698a0
thanks clod!
2026-02-26 10:31:18 -06:00
JackDoan
34e817742b
thanks clod!
2026-02-26 10:26:16 -06:00
JackDoan
a881e4fdf8
fix test2
2026-02-20 12:10:14 -06:00
JackDoan
e77f49abb8
fix test
2026-02-20 12:00:21 -06:00
JackDoan
2319eb9492
remove notes
2026-02-20 11:57:43 -06:00
JackDoan
ae1b501468
oops
2026-02-20 11:29:46 -06:00
JackDoan
879b77d076
oops
2026-02-19 15:57:02 -06:00
JackDoan
dd786cddf1
appease CI
2026-02-19 14:59:32 -06:00
JackDoan
8f1d384eb8
think really hard
2026-02-19 14:55:49 -06:00
JackDoan
064153f0c2
split the client-snat-addr and the router-snat-addr to decrease confusion hopefully
2026-02-19 14:18:09 -06:00
JackDoan
25610225bb
crappy AI tests
2026-02-19 10:23:35 -06:00
JackDoan
92ee45ed13
tun tester more useful
2026-02-19 10:23:35 -06:00
JackDoan
37abdd7f96
it works again but linux is pickier than I thought, I need to refactor even more
2026-02-19 10:23:11 -06:00
JackDoan
7498c6846d
checkpt
2026-02-19 10:23:11 -06:00
JackDoan
27d764ba57
auto-assign snataddr on Mac+Windows
2026-02-19 10:23:11 -06:00
JackDoan
1cc257f997
bolt more stuff onto tun to help auto-assign snat addresses
2026-02-19 10:23:11 -06:00
JackDoan
83744a106d
checkpt
2026-02-19 10:23:11 -06:00
JackDoan
70399ea533
use in-Nebula SNAT to send IPv4 UnsafeNetworks traffic over an IPv6 overlay
2026-02-19 10:23:11 -06:00
Jack Doan
51308b845b
connection-track ICMP traffic (#1602)
...
gofmt / Run gofmt (push) Has been cancelled
smoke-extra / Run extra smoke tests (push) Has been cancelled
smoke / Run multi node smoke test (push) Has been cancelled
Build and test / Build all and test on ubuntu-linux (push) Has been cancelled
Build and test / Build and test on linux with boringcrypto (push) Has been cancelled
Build and test / Build and test on linux with pkcs11 (push) Has been cancelled
Build and test / Build and test on macos-latest (push) Has been cancelled
Build and test / Build and test on windows-latest (push) Has been cancelled
* connection-track ICMP and ICMPv6 traffic
* icmpv6 only has identifier on echo
2026-02-18 23:19:37 -06:00
Wade Simmons
422fc2ad1e
go fix (#1608)
2026-02-17 11:42:14 -05:00
Wade Simmons
e8bb874e14
smoke-extra: try AMD-V workaround (#1610)
* smoke-extra: try AMD-V workaround
- https://github.com/slackhq/nebula/actions/runs/21995850645/job/63555492676?pr=1602
- https://github.com/actions/runner-images/issues/13202
- https://github.com/cri-o/packaging/pull/306/changes
2026-02-13 12:55:19 -06:00
Jack Doan
353ad1f271
firewall: icmp no longer requires a port spec (#1609)
2026-02-13 11:10:40 -06:00
Jack Doan
f573e8a266
Merge commit from fork
Newly signed P256 based certificates will have their signature clamped to the low-s form.
Update CHANGELOG.md
2026-02-06 14:26:51 -05:00
Jack Doan
42bee7cf17
Report if Nebula start fails because of tun device name (#1588)
* specifically report if nebula start fails because of tun device name
* close all routines when closing the tun
2026-01-28 10:03:36 -06:00
Caleb Jasik
02d8bcac68
Remove lighthouse goroutine leaks in lighthouse_test.go (#1589)
Using <https://go.dev/doc/go1.26#goroutineleak-profiles> + Claude, I was able to run nebula's unit tests and e2e tests with the leak detector enabled.
Added a TestMain that queries pprof to see if there are any reported goroutine leaks.
I'd love to get some form of this in CI whenever go 1.26 comes out, though I'd also like to prove this is properly useful past the just five detections it got here.
<details>
<summary>TestMain</summary>
```go
package nebula

import (
	"fmt"
	"os"
	"runtime/pprof"
	"strings"
	"testing"
)

// TestMain runs after all tests and checks for goroutine leaks
func TestMain(m *testing.M) {
	// Run all tests
	exitCode := m.Run()

	// Check for goroutine leaks after all tests complete
	prof := pprof.Lookup("goroutineleak")
	if prof != nil {
		var sb strings.Builder
		if err := prof.WriteTo(&sb, 2); err != nil {
			fmt.Fprintf(os.Stderr, "Failed to write goroutineleak profile: %v\n", err)
			os.Exit(1)
		}
		content := sb.String()
		leakedCount := strings.Count(content, "(leaked)")
		if leakedCount > 0 {
			fmt.Fprintf(os.Stderr, "\n=== GOROUTINE LEAK DETECTED ===\n")
			fmt.Fprintf(os.Stderr, "Found %d leaked goroutine(s) in package nebula\n\n", leakedCount)
			goros := strings.Split(content, "\n\n")
			for _, goro := range goros {
				if strings.Contains(goro, "(leaked)") {
					fmt.Fprintln(os.Stderr, goro)
					fmt.Fprintln(os.Stderr)
				}
			}
			os.Exit(1)
		} else {
			fmt.Println("✓ No goroutine leaks detected in package nebula")
		}
	}

	os.Exit(exitCode)
}
```
</details>
Also had to install go1.26rc2 and update the makefile to use that go binary + set ex:
```makefile
test-goroutineleak:
	GOEXPERIMENT=goroutineleakprofile go1.26rc2 test -v ./...
```
2026-01-27 23:44:43 -06:00
Wade Simmons
0b02d982b2
v1.10.2 (#1584)
Update CHANGELOG for Nebula v1.10.2
2026-01-21 12:42:34 -05:00
Wade Simmons
e1e92f017c
initialize routesFromSystem (#1580)
This is a regression introduced by #1573. We need to initialize this
map.
Fixes: #1579
2026-01-20 11:15:20 -05:00
zhetaicheleba
e5f60fa54f
chore: fix some typos in comments (#1582)
Signed-off-by: zhetaicheleba <taicheleba@outlook.com>
2026-01-20 11:03:31 -05:00
dependabot[bot]
bf49e78243
Bump github.com/sirupsen/logrus from 1.9.3 to 1.9.4 (#1581)
Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.3 to 1.9.4.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.9.3...v1.9.4)
---
updated-dependencies:
- dependency-name: github.com/sirupsen/logrus
  dependency-version: 1.9.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-01-20 10:40:24 -05:00
Nate Brown
72a40007ea
v1.10.1 (#1575)
Update CHANGELOG for Nebula v1.10.1
2026-01-16 10:33:54 -05:00
Nate Brown
ac3bd9cdd0
Avoid losing system originated unsafe routes on reload (#1573)
2026-01-15 13:48:17 -06:00
dependabot[bot]
88379b89f5
Bump golang.org/x/net in the golang-x-dependencies group (#1571)
Bumps the golang-x-dependencies group with 1 update: [golang.org/x/net](https://github.com/golang/net).
Updates `golang.org/x/net` from 0.48.0 to 0.49.0
- [Commits](https://github.com/golang/net/compare/v0.48.0...v0.49.0)
---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.49.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x-dependencies
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-01-13 00:02:44 -06:00
Nate Brown
1283ff0db4
Add option to control accepting recv_error (#1569)
2026-01-13 00:00:27 -06:00
dependabot[bot]
523209ec0b
Bump github.com/miekg/dns from 1.1.68 to 1.1.69 (#1561)
Bumps [github.com/miekg/dns](https://github.com/miekg/dns) from 1.1.68 to 1.1.69.
- [Commits](https://github.com/miekg/dns/compare/v1.1.68...v1.1.69)
---
updated-dependencies:
- dependency-name: github.com/miekg/dns
  dependency-version: 1.1.69
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-01-12 16:16:42 -05:00
dependabot[bot]
a4a6143b6a
Bump google.golang.org/protobuf in the protobuf-dependencies group (#1560)
Bumps the protobuf-dependencies group with 1 update: google.golang.org/protobuf.
Updates `google.golang.org/protobuf` from 1.36.10 to 1.36.11
---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-version: 1.36.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: protobuf-dependencies
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-01-12 16:16:01 -05:00
dependabot[bot]
1b2d639b14
Bump actions/download-artifact from 6 to 7 (#1557)
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 6 to 7.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](https://github.com/actions/download-artifact/compare/v6...v7)
---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-01-12 15:40:47 -05:00
dependabot[bot]
9933970e67
Bump actions/upload-artifact from 5 to 6 (#1558)
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 5 to 6.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v5...v6)
---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-01-12 15:40:13 -05:00
dependabot[bot]
d7a3f01465
Bump the golang-x-dependencies group across 1 directory with 4 updates (#1570)
Bumps the golang-x-dependencies group with 1 update in the / directory: [golang.org/x/crypto](https://github.com/golang/crypto).
Updates `golang.org/x/crypto` from 0.45.0 to 0.47.0
- [Commits](https://github.com/golang/crypto/compare/v0.45.0...v0.47.0)
Updates `golang.org/x/net` from 0.47.0 to 0.48.0
- [Commits](https://github.com/golang/net/compare/v0.47.0...v0.48.0)
Updates `golang.org/x/sys` from 0.39.0 to 0.40.0
- [Commits](https://github.com/golang/sys/compare/v0.39.0...v0.40.0)
Updates `golang.org/x/term` from 0.38.0 to 0.39.0
- [Commits](https://github.com/golang/term/compare/v0.38.0...v0.39.0)
---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.47.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x-dependencies
- dependency-name: golang.org/x/net
  dependency-version: 0.48.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x-dependencies
- dependency-name: golang.org/x/sys
  dependency-version: 0.40.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x-dependencies
- dependency-name: golang.org/x/term
  dependency-version: 0.39.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x-dependencies
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-01-12 15:35:34 -05:00
Nate Brown
69259e6307
Quietly log error on UDP_NETRESET ioctl on Windows. (#1453) (#1568)
Co-authored-by: brad-defined <77982333+brad-defined@users.noreply.github.com>
2026-01-09 10:35:09 -06:00
brad-defined
2f71d6b22d
Ensure pubkey coherency when rehydrating a handshake cert (#1566)
* Ensure pubkey coherency when rehydrating a handshake cert
* Include a check during handshakes after cert verification that the noise pubkey matches the cert pubkey.
2026-01-09 09:52:03 -05:00
Jack Doan
3ec527e42c
cert.MarshalSigningPublicKeyToPEM should emit the 'ECDSA' variant of the banner (#1552)
* cert.MarshalSigningPublicKeyToPEM should emit the 'ECDSA' variant of the banner
* oof owie ouch my tests
2025-12-10 10:39:36 -06:00