Tags: granthbr/firezone
fix(ci): Use `Developer ID Installer` cert to sign pkg (firezone#8796)
Apple requires standalone-distributed `PKG` installers to be signed with a Developer ID Installer certificate.
Fixes https://github.com/firezone/firezone/actions/runs/14497960810/job/40670440720#step:6:3500
Signed-off-by: Jamil <jamilbk@users.noreply.github.com>
chore: fixup changelog for latest releases (firezone#8788) Signed-off-by: Thomas Eizinger <thomas@eizinger.io> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
feat(portal): Add Oban (firezone#8786)
Our current bespoke job system, while it's worked out well so far, has the following shortcomings:
- No retry logic
- No robust to guarantee job isolation / uniqueness without resorting to row-level locking
- No support for cron-based scheduling
This PR adds the boilerplate required to get started with [Oban](https://hexdocs.pm/oban/Oban.html), the job management system for Elixir.
fix(gateway): Apply more specific firewall rules on start (firezone#8483)
On some Linux distributions (Amazon Linux 2023), the default `iptables` install includes a blanket deny rule in the `FORWARD` chain that prevents packets from the tunnel interface from ever leaving the host.
To fix this, we ensure our `FORWARD` chain rules are inserted with priority 1 which takes precedence over the blanket-deny rule. We also update our MASQUERADE in the NAT table to apply only to the CIDR range possible for Gateway tunnel IPs, as opposed to the default `0.0.0.0/0`.
Fixes firezone#8481
chore(gui-client): improve error message when serde fails (firezone#8461) Resolves: firezone#8441
fix(connlib): always update `TunConfig` on any changes (firezone#8453) Currently, we are only emitting updates to the `TunConfig` when the routes or the DNS servers change. This isn't correct, we should also emit updates for it when the IPs or the search-domain changes. In order to achieve that, we create a new `TunConfig` based on the existing one every time we receive an `InterfaceConfig` update. Depending on our current state, we may create an entirely new `TunConfig` or create a new one where we copy the fields in from the new `InterfaceConfig`. We then unconditionally call `maybe_update_tun_config` which does the necessary work to only emit updates when things actually changed. To ensure this works in all cases and the latest update is always reflected on the TUN device, we also extend the proptests to assert the latest search domain. Fixes: firezone#8451