Releases: slackhq/nebula
Release v1.9.3
Fixed
- Initialize messageCounter to 2 instead of verifying later. (#1156)
Release v1.9.2
Fixed
- Ensure messageCounter is set before handshake is complete. (#1154)
Release v1.9.1
Fixed
- Fixed a potential deadlock in GetOrHandshake. (#1151)
Release v1.9.0
Deprecated
- This release adds a new setting `default_local_cidr_any` that defaults to `true` to match previous behavior, but will default to `false` in the next release (1.10). When set to `false`, `local_cidr` is matched correctly for firewall rules on hosts acting as unsafe routers, and should be set for any firewall rules you want to allow unsafe route hosts to access. See the issue and example config for more details. (#1071, #1099)
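A config fragment, added here as an illustration and not taken from the Nebula repository or its example config, showing how a host acting as an unsafe router opts in to the 1.10 behavior early. The address ranges and group names are constructed, and the `firewall`/`tun` key layout is assumed to follow Nebula's standard config.yml.

```yaml
# Added example with constructed values; not the project's own config.
# --- config.yml on the host acting as the unsafe router ---
firewall:
  # Opt in now to the default that 1.10 will ship with. With this set to
  # false, a rule with no local_cidr only covers traffic addressed to this
  # host's own Nebula IP; forwarded traffic must be matched via local_cidr.
  default_local_cidr_any: false
  inbound:
    # SSH to the router host itself (no local_cidr needed).
    - port: 22
      proto: tcp
      groups:
        - admins
    # HTTPS that this host forwards into the unsafe network below.
    # Without local_cidr this rule stops matching once
    # default_local_cidr_any is false.
    - port: 443
      proto: tcp
      groups:
        - web-clients
      local_cidr: 10.10.20.0/24   # constructed: the network behind the router

---
# --- config.yml on a client that reaches 10.10.20.0/24 through the router ---
tun:
  # tun.unsafe_routes is reloadable via SIGHUP as of 1.9.0 (#1083).
  unsafe_routes:
    - route: 10.10.20.0/24
      via: 192.168.100.99        # constructed: Nebula IP of the unsafe router
      install: true              # add the route to the OS routing table
```

The `---` separates the two hosts' files for readability; each fragment is meant for its own config.yml.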
Added
- Nebula now has an official Docker image `nebulaoss/nebula` that is distroless and contains just the `nebula` and `nebula-cert` binaries. You can find it here: https://hub.docker.com/r/nebulaoss/nebula (#1037)
- Experimental binaries for `loong64` are now provided. (#1003)
- Added example service script for OpenRC. (#711)
- The SSH daemon now supports inlined host keys. (#1054)
- The SSH daemon now supports certificates with `sshd.trusted_cas`. (#1098)
Changed
- Config setting `tun.unsafe_routes` is now reloadable. (#1083)
- Small documentation and internal improvements. (#1065, #1067, #1069, #1108, #1109, #1111, #1135)
- Various dependency updates. (#1139, #1138, #1134, #1133, #1126, #1123, #1110, #1094, #1092, #1087, #1086, #1085, #1072, #1063, #1059, #1055, #1053, #1047, #1046, #1034, #1022)
Removed
- Support for the deprecated `local_range` option has been removed. Please change to `preferred_ranges` (which is also now reloadable). (#1043)
- We are now building with go1.22, which means that for Windows you need at least Windows 10 or Windows Server 2016. This is because support for earlier versions was removed in Go 1.21. See https://go.dev/doc/go1.21#windows (#981)
- Removed vagrant example, as it was unmaintained. (#1129)
- Removed Fedora and Arch nebula.service files, as they are maintained in the upstream repos. (#1128, #1132)
- Remove the TCP round trip tracking metrics, as they never had correct data and were an experiment to begin with. (#1114)
Fixed
- Fixed a potential deadlock introduced in 1.8.1. (#1112)
- Fixed support for Linux when IPv6 has been disabled at the OS level. (#787)
- DNS will return NXDOMAIN now when there are no results. (#845)
- Allow `::` in `lighthouse.dns.host`. (#1115)
- Capitalization of `NotAfter` fixed in DNS TXT response. (#1127)
- Don't log invalid certificates. It is untrusted data and can cause a large volume of logs. (#1116)
Release v1.8.2
Release v1.8.1
Release v1.8.0
Deprecated
- The next minor release of Nebula, 1.9.0, will require at least Windows 10 or
Windows Server 2016. This is because support for earlier versions was removed
in Go 1.21. See https://go.dev/doc/go1.21#windows
Added
- Linux: Notify systemd of service readiness. This should resolve timing issues with services that depend on Nebula being active. For an example of how to enable this, see: `examples/service_scripts/nebula.service`. (#929)
- Windows: Use Registered IO (RIO) when possible. Testing on a Windows 11 machine shows ~50x improvement in throughput. (#905)
- FreeBSD: Add support for naming tun devices. (#903)
Changed
- `pki.disconnect_invalid` will now default to true. This means that once a certificate expires, the tunnel will be disconnected. If you use SIGHUP to reload certificates without restarting Nebula, you should ensure all of your clients are on 1.7.0 or newer before you enable this feature. (#859)
- Limit how often a busy tunnel can requery the lighthouse. The new config option `timers.requery_wait_duration` defaults to `60s`. (#940)
- The internal structures for hostmaps were refactored to reduce memory usage and the potential for subtle bugs. (#843, #938, #953, #954, #955)
- Lots of dependency updates.
Fixed
Release v1.7.2
Fixed
- Fix a freeze during config reload if the `static_host_map` config was changed. (#886)
Release v1.7.1
Fixed
- Fix IPv4 addresses returned by `static_host_map` DNS lookup queries being treated as IPv6 addresses. (#877)
Release v1.7.0
Added
- `nebula-cert ca` now supports encrypting the CA's private key with a passphrase. Pass `-encrypt` in order to be prompted for a passphrase. Encryption is performed using AES-256-GCM and Argon2id for KDF. KDF parameters default to RFC recommendations, but can be overridden via CLI flags `-argon-memory`, `-argon-parallelism`, and `-argon-iterations`. (#386)
- Support for curve P256 and BoringCrypto has been added. See README section "Curve P256 and BoringCrypto" for more details. (#865, #861, #769, #856, #803)
- New firewall rule `local_cidr`. This could be used to filter destinations when using `unsafe_routes`. (#507)
- Add `unsafe_route` option `install`. This controls whether the route is installed in the system's routing table. (#831)
- Add `tun.use_system_route_table` option. Set to true to manage unsafe routes directly on the system route table with gateway routes instead of in Nebula configuration files. This is only supported on Linux. (#839)
- The metric `certificate.ttl_seconds` is now exposed via stats. (#782)
- Add `punchy.respond_delay` option. This allows you to change the delay before attempting punchy.respond. Default is 5 seconds. (#721)
- Added SSH commands to allow the capture of a mutex profile. (#737)
- You can now set `lighthouse.calculated_remotes` to make it possible to do handshakes without a lighthouse in certain configurations. (#759)
- The firewall can be configured to send REJECT replies instead of the default DROP behavior. (#738)
- For macOS, an example launchd configuration file is now provided. (#762)
Changed
- Lighthouses and other `static_host_map` entries that use DNS names will now be automatically refreshed to detect when the IP address changes. (#796)
- Lighthouses send ACK replies back to clients so that they do not fall into connection testing as often by clients. (#851, #408)
- Allow the `listen.host` option to contain a hostname. (#825)
- When Nebula switches to a new certificate (such as via SIGHUP), we now rehandshake with all existing tunnels. This allows firewall groups to be updated and `pki.disconnect_invalid` to know about the new certificate expiration time. (#838, #857, #842, #840, #835, #828, #820, #807)
Fixed
- Always disconnect blocklisted hosts, even if `pki.disconnect_invalid` is not set. (#858)
- Dependencies updated and go1.20 required. (#780, #824, #855, #854)
- Fix possible race condition with relays. (#827)
- FreeBSD: Fix connection to the localhost's own Nebula IP. (#808)
- Normalize and document some common log field values. (#837, #811)
- Fix crash if you set unlucky values for the firewall timeout configuration options. (#802)
- Make DNS queries case insensitive. (#793)
- Update example systemd configurations to want `nss-lookup`. (#791)
- Errors with SSH commands now go to the SSH tunnel instead of stderr. (#757)
- Fix a hang when shutting down Android. (#772)