From 44470abd5457ba22b7cddf4fd434a2df79bfcdad Mon Sep 17 00:00:00 2001 From: Owen Date: Fri, 12 Dec 2025 14:32:12 -0500 Subject: [PATCH 01/58] Print version before otel --- main.go | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/main.go b/main.go index d579357..5986546 100644 --- a/main.go +++ b/main.go @@ -388,6 +388,13 @@ func runNewtMain(ctx context.Context) { tlsClientCAs = append(tlsClientCAs, tlsClientCAsFlag...) } + if *version { + fmt.Println("Newt version " + newtVersion) + os.Exit(0) + } else { + logger.Info("Newt version %s", newtVersion) + } + logger.Init(nil) loggerLevel := util.ParseLogLevel(logLevel) logger.GetLogger().SetLevel(loggerLevel) @@ -439,13 +446,6 @@ func runNewtMain(ctx context.Context) { defer func() { _ = tel.Shutdown(context.Background()) }() } - if *version { - fmt.Println("Newt version " + newtVersion) - os.Exit(0) - } else { - logger.Info("Newt version %s", newtVersion) - } - if err := updates.CheckForUpdate("fosrl", "newt", newtVersion); err != nil { logger.Error("Error checking for updates: %v\n", err) } From 0637360b31aa30976052d2546d4d9c293c3aa7ca Mon Sep 17 00:00:00 2001 From: Owen Date: Mon, 15 Dec 2025 12:10:47 -0500 Subject: [PATCH 02/58] Fix healthcheck interval not resetting Ref PAN-158 --- healthcheck/healthcheck.go | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/healthcheck/healthcheck.go b/healthcheck/healthcheck.go index 23ca4bd..8de3008 100644 --- a/healthcheck/healthcheck.go +++ b/healthcheck/healthcheck.go @@ -58,7 +58,7 @@ type Target struct { LastCheck time.Time `json:"lastCheck"` LastError string `json:"lastError,omitempty"` CheckCount int `json:"checkCount"` - ticker *time.Ticker + timer *time.Timer ctx context.Context cancel context.CancelFunc } @@ -304,26 +304,26 @@ func (m *Monitor) monitorTarget(target *Target) { go m.callback(m.GetTargets()) } - // Set up ticker based on current status + // Set up timer based on current status interval := time.Duration(target.Config.Interval) * time.Second if target.Status == StatusUnhealthy { interval = time.Duration(target.Config.UnhealthyInterval) * time.Second } logger.Debug("Target %d: initial check interval set to %v", target.Config.ID, interval) - target.ticker = time.NewTicker(interval) - defer target.ticker.Stop() + target.timer = time.NewTimer(interval) + defer target.timer.Stop() for { select { case <-target.ctx.Done(): logger.Info("Stopping health check monitoring for target %d", target.Config.ID) return - case <-target.ticker.C: + case <-target.timer.C: oldStatus := target.Status m.performHealthCheck(target) - // Update ticker interval if status changed + // Update timer interval if status changed newInterval := time.Duration(target.Config.Interval) * time.Second if target.Status == StatusUnhealthy { newInterval = time.Duration(target.Config.UnhealthyInterval) * time.Second @@ -332,11 +332,12 @@ func (m *Monitor) monitorTarget(target *Target) { if newInterval != interval { logger.Debug("Target %d: updating check interval from %v to %v due to status change", target.Config.ID, interval, newInterval) - target.ticker.Stop() - target.ticker = time.NewTicker(newInterval) interval = newInterval } + // Reset timer for next check with current interval + target.timer.Reset(interval) + // Notify callback if status changed if oldStatus != target.Status && m.callback != nil { logger.Info("Target %d status changed: %s -> %s", From 004bb9b12ddc04269d18f1d6d2dd4bc5ccb11822 Mon Sep 17 00:00:00 2001 From: Owen Date: Mon, 15 Dec 2025 18:02:17 -0500 Subject: [PATCH 03/58] Allow proto restriction --- clients/clients.go | 2 ++ netstack2/proxy.go | 34 ++++++++++++++++++++++++---------- 2 files changed, 26 insertions(+), 10 deletions(-) diff --git a/clients/clients.go b/clients/clients.go index 9b17d07..7bc2669 100644 --- a/clients/clients.go +++ b/clients/clients.go @@ -46,6 +46,7 @@ type Target struct { type PortRange struct { Min uint16 `json:"min"` Max uint16 `json:"max"` + Protocol string `json:"protocol"` // "tcp" or "udp" } type Peer struct { @@ -701,6 +702,7 @@ func (s *WireGuardService) ensureTargets(targets []Target) error { portRanges = append(portRanges, netstack2.PortRange{ Min: pr.Min, Max: pr.Max, + Protocol: pr.Protocol, }) } diff --git a/netstack2/proxy.go b/netstack2/proxy.go index 77a9d23..3338cd0 100644 --- a/netstack2/proxy.go +++ b/netstack2/proxy.go @@ -22,10 +22,12 @@ import ( "gvisor.dev/gvisor/pkg/tcpip/transport/udp" ) -// PortRange represents an allowed range of ports (inclusive) +// PortRange represents an allowed range of ports (inclusive) with optional protocol filtering +// Protocol can be "tcp", "udp", or "" (empty string means both protocols) type PortRange struct { - Min uint16 - Max uint16 + Min uint16 + Max uint16 + Protocol string // "tcp", "udp", or "" for both } // SubnetRule represents a subnet with optional port restrictions and source address @@ -97,14 +99,16 @@ func (sl *SubnetLookup) RemoveSubnet(sourcePrefix, destPrefix netip.Prefix) { delete(sl.rules, key) } -// Match checks if a source IP, destination IP, and port match any subnet rule -// Returns the matched rule if BOTH: +// Match checks if a source IP, destination IP, port, and protocol match any subnet rule +// Returns the matched rule if ALL of these conditions are met: // - The source IP is in the rule's source prefix // - The destination IP is in the rule's destination prefix // - The port is in an allowed range (or no port restrictions exist) +// - The protocol matches (or the port range allows both protocols) // +// proto should be header.TCPProtocolNumber or header.UDPProtocolNumber // Returns nil if no rule matches -func (sl *SubnetLookup) Match(srcIP, dstIP netip.Addr, port uint16) *SubnetRule { +func (sl *SubnetLookup) Match(srcIP, dstIP netip.Addr, port uint16, proto tcpip.TransportProtocolNumber) *SubnetRule { sl.mu.RLock() defer sl.mu.RUnlock() @@ -125,10 +129,20 @@ func (sl *SubnetLookup) Match(srcIP, dstIP netip.Addr, port uint16) *SubnetRule return rule } - // Check if port is in any of the allowed ranges + // Check if port and protocol are in any of the allowed ranges for _, pr := range rule.PortRanges { if port >= pr.Min && port <= pr.Max { - return rule + // Check protocol compatibility + if pr.Protocol == "" { + // Empty protocol means allow both TCP and UDP + return rule + } + // Check if the packet protocol matches the port range protocol + if (pr.Protocol == "tcp" && proto == header.TCPProtocolNumber) || + (pr.Protocol == "udp" && proto == header.UDPProtocolNumber) { + return rule + } + // Port matches but protocol doesn't - continue checking other ranges } } } @@ -412,8 +426,8 @@ func (p *ProxyHandler) HandleIncomingPacket(packet []byte) bool { dstPort = 0 } - // Check if the source IP, destination IP, and port match any subnet rule - matchedRule := p.subnetLookup.Match(srcAddr, dstAddr, dstPort) + // Check if the source IP, destination IP, port, and protocol match any subnet rule + matchedRule := p.subnetLookup.Match(srcAddr, dstAddr, dstPort, protocol) if matchedRule != nil { // Check if we need to perform DNAT if matchedRule.RewriteTo != "" { From dc180abba90343d2a05490410bb2f48b67602521 Mon Sep 17 00:00:00 2001 From: Owen Date: Mon, 15 Dec 2025 22:11:57 -0500 Subject: [PATCH 04/58] Add test udp server and client --- udp_client.py | 49 +++++++++++++++++++++++++++++++++++++++++++ udp_server.py | 58 +++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 107 insertions(+) create mode 100644 udp_client.py create mode 100644 udp_server.py diff --git a/udp_client.py b/udp_client.py new file mode 100644 index 0000000..2909d13 --- /dev/null +++ b/udp_client.py @@ -0,0 +1,49 @@ +import socket +import sys + +# Argument parsing: Check if IP and Port are provided +if len(sys.argv) != 3: + print("Usage: python udp_client.py ") + # Example: python udp_client.py 127.0.0.1 12000 + sys.exit(1) + +HOST = sys.argv[1] +try: + PORT = int(sys.argv[2]) +except ValueError: + print("Error: HOST_PORT must be an integer.") + sys.exit(1) + +# The message to send to the server +MESSAGE = "Hello UDP Server! How are you?" + +# Create a UDP socket +try: + client_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) +except socket.error as err: + print(f"Failed to create socket: {err}") + sys.exit() + +try: + print(f"Sending message to {HOST}:{PORT}...") + + # Send the message (data must be encoded to bytes) + client_socket.sendto(MESSAGE.encode('utf-8'), (HOST, PORT)) + + # Wait for the server's response (buffer size 1024 bytes) + data, server_address = client_socket.recvfrom(1024) + + # Decode and print the server's response + response = data.decode('utf-8') + print("-" * 30) + print(f"Received response from server {server_address[0]}:{server_address[1]}:") + print(f"-> Data: '{response}'") + +except socket.error as err: + print(f"Error during communication: {err}") + +finally: + # Close the socket + client_socket.close() + print("-" * 30) + print("Client finished and socket closed.") diff --git a/udp_server.py b/udp_server.py new file mode 100644 index 0000000..89aea28 --- /dev/null +++ b/udp_server.py @@ -0,0 +1,58 @@ +import socket +import sys + +# optionally take in some positional args for the port +if len(sys.argv) > 1: + try: + PORT = int(sys.argv[1]) + except ValueError: + print("Invalid port number. Using default port 12000.") + PORT = 12000 +else: + PORT = 12000 + +# Define the server host and port +HOST = '0.0.0.0' # Standard loopback interface address (localhost) + +# Create a UDP socket +try: + server_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) +except socket.error as err: + print(f"Failed to create socket: {err}") + sys.exit() + +# Bind the socket to the address +try: + server_socket.bind((HOST, PORT)) + print(f"UDP Server listening on {HOST}:{PORT}") +except socket.error as err: + print(f"Bind failed: {err}") + server_socket.close() + sys.exit() + +# Wait for and process incoming data +while True: + try: + # Receive data and the client's address (buffer size 1024 bytes) + data, client_address = server_socket.recvfrom(1024) + + # Decode the data and print the message + message = data.decode('utf-8') + print("-" * 30) + print(f"Received message from {client_address[0]}:{client_address[1]}:") + print(f"-> Data: '{message}'") + + # Prepare the response message + response_message = f"Hello client! Server received: '{message.upper()}'" + + # Send the response back to the client + server_socket.sendto(response_message.encode('utf-8'), client_address) + print(f"Sent response back to client.") + + except Exception as e: + print(f"An error occurred: {e}") + break + +# Clean up (though usually unreachable in an infinite server loop) +server_socket.close() +print("Server stopped.") From 058330d41b37a7973ee14a73eda712fb01b56899 Mon Sep 17 00:00:00 2001 From: Owen Date: Tue, 16 Dec 2025 12:05:59 -0500 Subject: [PATCH 05/58] Icmp2 --- clients/clients.go | 1 + netstack2/handlers.go | 263 ++++++++++++++++++++++++++++++++++++++++++ netstack2/proxy.go | 78 ++++++++++++- netstack2/tun.go | 21 ++-- 4 files changed, 348 insertions(+), 15 deletions(-) diff --git a/clients/clients.go b/clients/clients.go index 9b17d07..c7fa9fc 100644 --- a/clients/clients.go +++ b/clients/clients.go @@ -594,6 +594,7 @@ func (s *WireGuardService) ensureWireguardInterface(wgconfig WgConfig) error { netstack2.NetTunOptions{ EnableTCPProxy: true, EnableUDPProxy: true, + EnableICMPProxy: true, }, ) if err != nil { diff --git a/netstack2/handlers.go b/netstack2/handlers.go index bdc9feb..df95e20 100644 --- a/netstack2/handlers.go +++ b/netstack2/handlers.go @@ -10,12 +10,17 @@ import ( "fmt" "io" "net" + "net/netip" "sync" "time" "github.com/fosrl/newt/logger" + "golang.org/x/net/icmp" + "golang.org/x/net/ipv4" "gvisor.dev/gvisor/pkg/tcpip" "gvisor.dev/gvisor/pkg/tcpip/adapters/gonet" + "gvisor.dev/gvisor/pkg/tcpip/checksum" + "gvisor.dev/gvisor/pkg/tcpip/header" "gvisor.dev/gvisor/pkg/tcpip/stack" "gvisor.dev/gvisor/pkg/tcpip/transport/tcp" "gvisor.dev/gvisor/pkg/tcpip/transport/udp" @@ -58,6 +63,9 @@ const ( // Buffer size for copying data bufferSize = 32 * 1024 + + // icmpTimeout is the default timeout for ICMP ping requests. + icmpTimeout = 5 * time.Second ) // TCPHandler handles TCP connections from netstack @@ -72,6 +80,12 @@ type UDPHandler struct { proxyHandler *ProxyHandler } +// ICMPHandler handles ICMP packets from netstack +type ICMPHandler struct { + stack *stack.Stack + proxyHandler *ProxyHandler +} + // NewTCPHandler creates a new TCP handler func NewTCPHandler(s *stack.Stack, ph *ProxyHandler) *TCPHandler { return &TCPHandler{stack: s, proxyHandler: ph} @@ -82,6 +96,11 @@ func NewUDPHandler(s *stack.Stack, ph *ProxyHandler) *UDPHandler { return &UDPHandler{stack: s, proxyHandler: ph} } +// NewICMPHandler creates a new ICMP handler +func NewICMPHandler(s *stack.Stack, ph *ProxyHandler) *ICMPHandler { + return &ICMPHandler{stack: s, proxyHandler: ph} +} + // InstallTCPHandler installs the TCP forwarder on the stack func (h *TCPHandler) InstallTCPHandler() error { tcpForwarder := tcp.NewForwarder(h.stack, defaultWndSize, maxConnAttempts, func(r *tcp.ForwarderRequest) { @@ -348,3 +367,247 @@ func copyPacketData(dst, src net.PacketConn, to net.Addr, timeout time.Duration) dst.SetReadDeadline(time.Now().Add(timeout)) } } + +// InstallICMPHandler installs the ICMP handler on the stack +func (h *ICMPHandler) InstallICMPHandler() error { + h.stack.SetTransportProtocolHandler(header.ICMPv4ProtocolNumber, h.handleICMPPacket) + logger.Info("ICMP Handler: Installed ICMP protocol handler") + return nil +} + +// handleICMPPacket handles incoming ICMP packets +func (h *ICMPHandler) handleICMPPacket(id stack.TransportEndpointID, pkt *stack.PacketBuffer) bool { + logger.Debug("ICMP Handler: Received ICMP packet from %s to %s", id.RemoteAddress, id.LocalAddress) + + // Get the ICMP header from the packet + icmpData := pkt.TransportHeader().Slice() + if len(icmpData) < header.ICMPv4MinimumSize { + logger.Debug("ICMP Handler: Packet too small for ICMP header: %d bytes", len(icmpData)) + return false + } + + icmpHdr := header.ICMPv4(icmpData) + icmpType := icmpHdr.Type() + icmpCode := icmpHdr.Code() + + logger.Debug("ICMP Handler: Type=%d, Code=%d, Ident=%d, Seq=%d", + icmpType, icmpCode, icmpHdr.Ident(), icmpHdr.Sequence()) + + // Only handle Echo Request (ping) + if icmpType != header.ICMPv4Echo { + logger.Debug("ICMP Handler: Ignoring non-echo ICMP type: %d", icmpType) + return false + } + + // Extract source and destination addresses + srcIP := id.RemoteAddress.String() + dstIP := id.LocalAddress.String() + + logger.Info("ICMP Handler: Echo Request from %s to %s (ident=%d, seq=%d)", + srcIP, dstIP, icmpHdr.Ident(), icmpHdr.Sequence()) + + // Convert to netip.Addr for subnet matching + srcAddr, err := netip.ParseAddr(srcIP) + if err != nil { + logger.Debug("ICMP Handler: Failed to parse source IP %s: %v", srcIP, err) + return false + } + dstAddr, err := netip.ParseAddr(dstIP) + if err != nil { + logger.Debug("ICMP Handler: Failed to parse dest IP %s: %v", dstIP, err) + return false + } + + // Check subnet rules (use port 0 for ICMP since it doesn't have ports) + if h.proxyHandler == nil { + logger.Debug("ICMP Handler: No proxy handler configured") + return false + } + + matchedRule := h.proxyHandler.subnetLookup.Match(srcAddr, dstAddr, 0) + if matchedRule == nil { + logger.Debug("ICMP Handler: No matching subnet rule for %s -> %s", srcIP, dstIP) + return false + } + + logger.Info("ICMP Handler: Matched subnet rule for %s -> %s", srcIP, dstIP) + + // Determine actual destination (with possible rewrite) + actualDstIP := dstIP + if matchedRule.RewriteTo != "" { + resolvedAddr, err := h.proxyHandler.resolveRewriteAddress(matchedRule.RewriteTo) + if err != nil { + logger.Info("ICMP Handler: Failed to resolve rewrite address %s: %v", matchedRule.RewriteTo, err) + } else { + actualDstIP = resolvedAddr.String() + logger.Info("ICMP Handler: Using rewritten destination %s (original: %s)", actualDstIP, dstIP) + } + } + + // Get the full ICMP payload (including the data after the header) + icmpPayload := pkt.Data().AsRange().ToSlice() + + // Handle the ping in a goroutine to avoid blocking + go h.proxyPing(srcIP, dstIP, actualDstIP, icmpHdr.Ident(), icmpHdr.Sequence(), icmpPayload) + + return true +} + +// proxyPing sends a ping to the actual destination and injects the reply back +func (h *ICMPHandler) proxyPing(srcIP, originalDstIP, actualDstIP string, ident, seq uint16, payload []byte) { + logger.Debug("ICMP Handler: Proxying ping from %s to %s (actual: %s), ident=%d, seq=%d", + srcIP, originalDstIP, actualDstIP, ident, seq) + + // Create ICMP connection to the actual destination + conn, err := icmp.ListenPacket("ip4:icmp", "0.0.0.0") + if err != nil { + logger.Info("ICMP Handler: Failed to create ICMP socket: %v", err) + // Try unprivileged ICMP (udp4) + conn, err = icmp.ListenPacket("udp4", "0.0.0.0") + if err != nil { + logger.Info("ICMP Handler: Failed to create unprivileged ICMP socket: %v", err) + return + } + logger.Debug("ICMP Handler: Using unprivileged ICMP socket") + } + defer conn.Close() + + // Build the ICMP echo request message + echoMsg := &icmp.Message{ + Type: ipv4.ICMPTypeEcho, + Code: 0, + Body: &icmp.Echo{ + ID: int(ident), + Seq: int(seq), + Data: payload, + }, + } + + msgBytes, err := echoMsg.Marshal(nil) + if err != nil { + logger.Info("ICMP Handler: Failed to marshal ICMP message: %v", err) + return + } + + // Resolve destination address + dst, err := net.ResolveIPAddr("ip4", actualDstIP) + if err != nil { + logger.Info("ICMP Handler: Failed to resolve destination %s: %v", actualDstIP, err) + return + } + + logger.Debug("ICMP Handler: Sending ping to %s", dst.String()) + + // Set deadline for the ping + conn.SetDeadline(time.Now().Add(icmpTimeout)) + + // Send the ping + _, err = conn.WriteTo(msgBytes, dst) + if err != nil { + logger.Info("ICMP Handler: Failed to send ping to %s: %v", actualDstIP, err) + return + } + + logger.Debug("ICMP Handler: Ping sent to %s, waiting for reply", actualDstIP) + + // Wait for reply + replyBuf := make([]byte, 1500) + n, peer, err := conn.ReadFrom(replyBuf) + if err != nil { + logger.Info("ICMP Handler: Failed to receive ping reply from %s: %v", actualDstIP, err) + return + } + + logger.Debug("ICMP Handler: Received %d bytes from %s", n, peer.String()) + + // Parse the reply + replyMsg, err := icmp.ParseMessage(1, replyBuf[:n]) + if err != nil { + logger.Info("ICMP Handler: Failed to parse ICMP reply: %v", err) + return + } + + // Check if it's an echo reply + if replyMsg.Type != ipv4.ICMPTypeEchoReply { + logger.Debug("ICMP Handler: Received non-echo-reply type: %v", replyMsg.Type) + return + } + + echoReply, ok := replyMsg.Body.(*icmp.Echo) + if !ok { + logger.Info("ICMP Handler: Invalid echo reply body type") + return + } + + logger.Info("ICMP Handler: Ping successful to %s, injecting reply (ident=%d, seq=%d)", + actualDstIP, echoReply.ID, echoReply.Seq) + + // Build the reply packet to inject back into the netstack + // The reply should appear to come from the original destination (before rewrite) + h.injectICMPReply(srcIP, originalDstIP, uint16(echoReply.ID), uint16(echoReply.Seq), echoReply.Data) +} + +// injectICMPReply creates an ICMP echo reply packet and queues it to be sent back through the tunnel +func (h *ICMPHandler) injectICMPReply(dstIP, srcIP string, ident, seq uint16, payload []byte) { + logger.Debug("ICMP Handler: Creating reply from %s to %s (ident=%d, seq=%d)", + srcIP, dstIP, ident, seq) + + // Parse addresses + srcAddr, err := netip.ParseAddr(srcIP) + if err != nil { + logger.Info("ICMP Handler: Failed to parse source IP for reply: %v", err) + return + } + dstAddr, err := netip.ParseAddr(dstIP) + if err != nil { + logger.Info("ICMP Handler: Failed to parse dest IP for reply: %v", err) + return + } + + // Calculate total packet size + ipHeaderLen := header.IPv4MinimumSize + icmpHeaderLen := header.ICMPv4MinimumSize + totalLen := ipHeaderLen + icmpHeaderLen + len(payload) + + // Create the packet buffer + pkt := make([]byte, totalLen) + + // Build IPv4 header + ipHdr := header.IPv4(pkt[:ipHeaderLen]) + ipHdr.Encode(&header.IPv4Fields{ + TotalLength: uint16(totalLen), + TTL: 64, + Protocol: uint8(header.ICMPv4ProtocolNumber), + SrcAddr: tcpip.AddrFrom4(srcAddr.As4()), + DstAddr: tcpip.AddrFrom4(dstAddr.As4()), + }) + ipHdr.SetChecksum(^ipHdr.CalculateChecksum()) + + // Build ICMP header + icmpHdr := header.ICMPv4(pkt[ipHeaderLen : ipHeaderLen+icmpHeaderLen]) + icmpHdr.SetType(header.ICMPv4EchoReply) + icmpHdr.SetCode(0) + icmpHdr.SetIdent(ident) + icmpHdr.SetSequence(seq) + + // Copy payload + copy(pkt[ipHeaderLen+icmpHeaderLen:], payload) + + // Calculate ICMP checksum (covers ICMP header + payload) + icmpHdr.SetChecksum(0) + icmpData := pkt[ipHeaderLen:] + icmpHdr.SetChecksum(^checksum.Checksum(icmpData, 0)) + + logger.Debug("ICMP Handler: Built reply packet, total length=%d", totalLen) + + // Queue the packet to be sent back through the tunnel + if h.proxyHandler != nil { + if h.proxyHandler.QueueICMPReply(pkt) { + logger.Info("ICMP Handler: Queued echo reply packet for transmission") + } else { + logger.Info("ICMP Handler: Failed to queue echo reply packet") + } + } else { + logger.Info("ICMP Handler: Cannot queue reply - proxy handler not available") + } +} diff --git a/netstack2/proxy.go b/netstack2/proxy.go index 77a9d23..8ecc721 100644 --- a/netstack2/proxy.go +++ b/netstack2/proxy.go @@ -166,23 +166,27 @@ type ProxyHandler struct { proxyNotifyHandle *channel.NotificationHandle tcpHandler *TCPHandler udpHandler *UDPHandler + icmpHandler *ICMPHandler subnetLookup *SubnetLookup natTable map[connKey]*natState destRewriteTable map[destKey]netip.Addr // Maps original dest to rewritten dest for handler lookups natMu sync.RWMutex enabled bool + icmpReplies chan []byte // Channel for ICMP reply packets to be sent back through the tunnel + notifiable channel.Notification // Notification handler for triggering reads } // ProxyHandlerOptions configures the proxy handler type ProxyHandlerOptions struct { - EnableTCP bool - EnableUDP bool - MTU int + EnableTCP bool + EnableUDP bool + EnableICMP bool + MTU int } // NewProxyHandler creates a new proxy handler for promiscuous mode func NewProxyHandler(options ProxyHandlerOptions) (*ProxyHandler, error) { - if !options.EnableTCP && !options.EnableUDP { + if !options.EnableTCP && !options.EnableUDP && !options.EnableICMP { return nil, nil // No proxy needed } @@ -191,6 +195,7 @@ func NewProxyHandler(options ProxyHandlerOptions) (*ProxyHandler, error) { subnetLookup: NewSubnetLookup(), natTable: make(map[connKey]*natState), destRewriteTable: make(map[destKey]netip.Addr), + icmpReplies: make(chan []byte, 256), // Buffer for ICMP reply packets proxyEp: channel.New(1024, uint32(options.MTU), ""), proxyStack: stack.New(stack.Options{ NetworkProtocols: []stack.NetworkProtocolFactory{ @@ -222,6 +227,15 @@ func NewProxyHandler(options ProxyHandlerOptions) (*ProxyHandler, error) { } } + // Initialize ICMP handler if enabled + if options.EnableICMP { + handler.icmpHandler = NewICMPHandler(handler.proxyStack, handler) + if err := handler.icmpHandler.InstallICMPHandler(); err != nil { + return nil, fmt.Errorf("failed to install ICMP handler: %v", err) + } + logger.Info("ProxyHandler: ICMP handler enabled") + } + // // Example 1: Add a rule with no port restrictions (all ports allowed) // // This accepts all traffic FROM 10.0.0.0/24 TO 10.20.20.0/24 // sourceSubnet := netip.MustParsePrefix("10.0.0.0/24") @@ -329,6 +343,9 @@ func (p *ProxyHandler) Initialize(notifiable channel.Notification) error { return nil } + // Store notifiable for triggering notifications on ICMP replies + p.notifiable = notifiable + // Add notification handler p.proxyNotifyHandle = p.proxyEp.AddNotify(notifiable) @@ -407,14 +424,21 @@ func (p *ProxyHandler) HandleIncomingPacket(packet []byte) bool { } udpHeader := header.UDP(packet[headerLen:]) dstPort = udpHeader.DestinationPort() - default: - // For other protocols (ICMP, etc.), use port 0 (must match rules with no port restrictions) + case header.ICMPv4ProtocolNumber: + // ICMP doesn't have ports, use port 0 (must match rules with no port restrictions) dstPort = 0 + logger.Debug("HandleIncomingPacket: ICMP packet from %s to %s", srcAddr, dstAddr) + default: + // For other protocols, use port 0 (must match rules with no port restrictions) + dstPort = 0 + logger.Debug("HandleIncomingPacket: Unknown protocol %d from %s to %s", protocol, srcAddr, dstAddr) } // Check if the source IP, destination IP, and port match any subnet rule matchedRule := p.subnetLookup.Match(srcAddr, dstAddr, dstPort) if matchedRule != nil { + logger.Debug("HandleIncomingPacket: Matched rule for %s -> %s (proto=%d, port=%d)", + srcAddr, dstAddr, protocol, dstPort) // Check if we need to perform DNAT if matchedRule.RewriteTo != "" { // Create connection tracking key using original destination @@ -501,9 +525,12 @@ func (p *ProxyHandler) HandleIncomingPacket(packet []byte) bool { Payload: buffer.MakeWithData(packet), }) p.proxyEp.InjectInbound(header.IPv4ProtocolNumber, pkb) + logger.Debug("HandleIncomingPacket: Injected packet into proxy stack (proto=%d)", protocol) return true } + logger.Debug("HandleIncomingPacket: No matching rule for %s -> %s (proto=%d, port=%d)", + srcAddr, dstAddr, protocol, dstPort) return false } @@ -626,6 +653,15 @@ func (p *ProxyHandler) ReadOutgoingPacket() *buffer.View { return nil } + // First check for ICMP reply packets (non-blocking) + select { + case icmpReply := <-p.icmpReplies: + logger.Debug("ReadOutgoingPacket: Returning ICMP reply packet (%d bytes)", len(icmpReply)) + return buffer.NewViewWithData(icmpReply) + default: + // No ICMP reply available, continue to check proxy endpoint + } + pkt := p.proxyEp.Read() if pkt != nil { view := pkt.ToView() @@ -655,6 +691,11 @@ func (p *ProxyHandler) ReadOutgoingPacket() *buffer.View { srcPort = udpHeader.SourcePort() dstPort = udpHeader.DestinationPort() } + case header.ICMPv4ProtocolNumber: + // ICMP packets don't need NAT translation in our implementation + // since we construct reply packets with the correct addresses + logger.Debug("ReadOutgoingPacket: ICMP packet from %s to %s", srcIP, dstIP) + return view } // Look up NAT state for reverse translation @@ -688,12 +729,37 @@ func (p *ProxyHandler) ReadOutgoingPacket() *buffer.View { return nil } +// QueueICMPReply queues an ICMP reply packet to be sent back through the tunnel +func (p *ProxyHandler) QueueICMPReply(packet []byte) bool { + if p == nil || !p.enabled { + return false + } + + select { + case p.icmpReplies <- packet: + logger.Debug("QueueICMPReply: Queued ICMP reply packet (%d bytes)", len(packet)) + // Trigger notification so WriteNotify picks up the packet + if p.notifiable != nil { + p.notifiable.WriteNotify() + } + return true + default: + logger.Info("QueueICMPReply: ICMP reply channel full, dropping packet") + return false + } +} + // Close cleans up the proxy handler resources func (p *ProxyHandler) Close() error { if p == nil || !p.enabled { return nil } + // Close ICMP replies channel + if p.icmpReplies != nil { + close(p.icmpReplies) + } + if p.proxyStack != nil { p.proxyStack.RemoveNIC(1) p.proxyStack.Close() diff --git a/netstack2/tun.go b/netstack2/tun.go index 4bcea65..71eeff2 100644 --- a/netstack2/tun.go +++ b/netstack2/tun.go @@ -56,15 +56,17 @@ type Net netTun // NetTunOptions contains options for creating a NetTUN device type NetTunOptions struct { - EnableTCPProxy bool - EnableUDPProxy bool + EnableTCPProxy bool + EnableUDPProxy bool + EnableICMPProxy bool } // CreateNetTUN creates a new TUN device with netstack without proxying func CreateNetTUN(localAddresses, dnsServers []netip.Addr, mtu int) (tun.Device, *Net, error) { return CreateNetTUNWithOptions(localAddresses, dnsServers, mtu, NetTunOptions{ - EnableTCPProxy: true, - EnableUDPProxy: true, + EnableTCPProxy: true, + EnableUDPProxy: true, + EnableICMPProxy: true, }) } @@ -84,13 +86,14 @@ func CreateNetTUNWithOptions(localAddresses, dnsServers []netip.Addr, mtu int, o mtu: mtu, } - // Initialize proxy handler if TCP or UDP proxying is enabled - if options.EnableTCPProxy || options.EnableUDPProxy { + // Initialize proxy handler if TCP, UDP, or ICMP proxying is enabled + if options.EnableTCPProxy || options.EnableUDPProxy || options.EnableICMPProxy { var err error dev.proxyHandler, err = NewProxyHandler(ProxyHandlerOptions{ - EnableTCP: options.EnableTCPProxy, - EnableUDP: options.EnableUDPProxy, - MTU: mtu, + EnableTCP: options.EnableTCPProxy, + EnableUDP: options.EnableUDPProxy, + EnableICMP: options.EnableICMPProxy, + MTU: mtu, }) if err != nil { return nil, nil, fmt.Errorf("failed to create proxy handler: %v", err) From 55be2a52a55b585ec6e224325759a3b05743ff99 Mon Sep 17 00:00:00 2001 From: Owen Date: Tue, 16 Dec 2025 12:23:12 -0500 Subject: [PATCH 06/58] Handle reply correctly --- netstack2/handlers.go | 61 +++++++++++++++++++++++++++---------------- 1 file changed, 38 insertions(+), 23 deletions(-) diff --git a/netstack2/handlers.go b/netstack2/handlers.go index df95e20..d6a861c 100644 --- a/netstack2/handlers.go +++ b/netstack2/handlers.go @@ -508,35 +508,50 @@ func (h *ICMPHandler) proxyPing(srcIP, originalDstIP, actualDstIP string, ident, return } - logger.Debug("ICMP Handler: Ping sent to %s, waiting for reply", actualDstIP) + logger.Debug("ICMP Handler: Ping sent to %s, waiting for reply (ident=%d, seq=%d)", actualDstIP, ident, seq) - // Wait for reply + // Wait for reply - loop to filter out non-matching packets (like our own echo request) replyBuf := make([]byte, 1500) - n, peer, err := conn.ReadFrom(replyBuf) - if err != nil { - logger.Info("ICMP Handler: Failed to receive ping reply from %s: %v", actualDstIP, err) - return - } + var echoReply *icmp.Echo + + for { + n, peer, err := conn.ReadFrom(replyBuf) + if err != nil { + logger.Info("ICMP Handler: Failed to receive ping reply from %s: %v", actualDstIP, err) + return + } - logger.Debug("ICMP Handler: Received %d bytes from %s", n, peer.String()) + logger.Debug("ICMP Handler: Received %d bytes from %s", n, peer.String()) - // Parse the reply - replyMsg, err := icmp.ParseMessage(1, replyBuf[:n]) - if err != nil { - logger.Info("ICMP Handler: Failed to parse ICMP reply: %v", err) - return - } + // Parse the reply + replyMsg, err := icmp.ParseMessage(1, replyBuf[:n]) + if err != nil { + logger.Debug("ICMP Handler: Failed to parse ICMP message: %v", err) + continue + } - // Check if it's an echo reply - if replyMsg.Type != ipv4.ICMPTypeEchoReply { - logger.Debug("ICMP Handler: Received non-echo-reply type: %v", replyMsg.Type) - return - } + // Check if it's an echo reply (type 0), not an echo request (type 8) + if replyMsg.Type != ipv4.ICMPTypeEchoReply { + logger.Debug("ICMP Handler: Received non-echo-reply type: %v (expected echo reply), continuing to wait", replyMsg.Type) + continue + } - echoReply, ok := replyMsg.Body.(*icmp.Echo) - if !ok { - logger.Info("ICMP Handler: Invalid echo reply body type") - return + reply, ok := replyMsg.Body.(*icmp.Echo) + if !ok { + logger.Debug("ICMP Handler: Invalid echo reply body type, continuing to wait") + continue + } + + // Verify the ident and sequence match what we sent + if reply.ID != int(ident) || reply.Seq != int(seq) { + logger.Debug("ICMP Handler: Reply ident/seq mismatch: got ident=%d seq=%d, want ident=%d seq=%d", + reply.ID, reply.Seq, ident, seq) + continue + } + + // Found matching reply + echoReply = reply + break } logger.Info("ICMP Handler: Ping successful to %s, injecting reply (ident=%d, seq=%d)", From 6e9249e6645b8e78e5744990106481eba56e7ae3 Mon Sep 17 00:00:00 2001 From: Owen Date: Tue, 16 Dec 2025 13:47:45 -0500 Subject: [PATCH 07/58] Add disable icmp --- netstack2/proxy.go | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/netstack2/proxy.go b/netstack2/proxy.go index 8ecc721..ced91f9 100644 --- a/netstack2/proxy.go +++ b/netstack2/proxy.go @@ -41,6 +41,7 @@ type PortRange struct { type SubnetRule struct { SourcePrefix netip.Prefix // Source IP prefix (who is sending) DestPrefix netip.Prefix // Destination IP prefix (where it's going) + DisableIcmp bool // If true, ICMP traffic is blocked for this subnet RewriteTo string // Optional rewrite address for DNAT - can be IP/CIDR or domain name PortRanges []PortRange // empty slice means all ports allowed } @@ -437,7 +438,7 @@ func (p *ProxyHandler) HandleIncomingPacket(packet []byte) bool { // Check if the source IP, destination IP, and port match any subnet rule matchedRule := p.subnetLookup.Match(srcAddr, dstAddr, dstPort) if matchedRule != nil { - logger.Debug("HandleIncomingPacket: Matched rule for %s -> %s (proto=%d, port=%d)", + logger.Debug("HandleIncomingPacket: Matched rule for %s -> %s (proto=%d, port=%d)", srcAddr, dstAddr, protocol, dstPort) // Check if we need to perform DNAT if matchedRule.RewriteTo != "" { @@ -529,7 +530,7 @@ func (p *ProxyHandler) HandleIncomingPacket(packet []byte) bool { return true } - logger.Debug("HandleIncomingPacket: No matching rule for %s -> %s (proto=%d, port=%d)", + logger.Debug("HandleIncomingPacket: No matching rule for %s -> %s (proto=%d, port=%d)", srcAddr, dstAddr, protocol, dstPort) return false } From a9b84c8c090f5ff112034ca6df4764fc544d9630 Mon Sep 17 00:00:00 2001 From: Owen Date: Tue, 16 Dec 2025 16:30:14 -0500 Subject: [PATCH 08/58] Disabling icmp ping --- clients/clients.go | 25 ++++++++++++++----------- netstack2/handlers.go | 6 +++--- netstack2/proxy.go | 16 +++++++++++----- netstack2/tun.go | 4 ++-- 4 files changed, 30 insertions(+), 21 deletions(-) diff --git a/clients/clients.go b/clients/clients.go index a945985..7ef953f 100644 --- a/clients/clients.go +++ b/clients/clients.go @@ -40,12 +40,13 @@ type Target struct { SourcePrefix string `json:"sourcePrefix"` DestPrefix string `json:"destPrefix"` RewriteTo string `json:"rewriteTo,omitempty"` + DisableIcmp bool `json:"disableIcmp,omitempty"` PortRange []PortRange `json:"portRange,omitempty"` } type PortRange struct { - Min uint16 `json:"min"` - Max uint16 `json:"max"` + Min uint16 `json:"min"` + Max uint16 `json:"max"` Protocol string `json:"protocol"` // "tcp" or "udp" } @@ -593,8 +594,8 @@ func (s *WireGuardService) ensureWireguardInterface(wgconfig WgConfig) error { s.dns, s.mtu, netstack2.NetTunOptions{ - EnableTCPProxy: true, - EnableUDPProxy: true, + EnableTCPProxy: true, + EnableUDPProxy: true, EnableICMPProxy: true, }, ) @@ -701,13 +702,13 @@ func (s *WireGuardService) ensureTargets(targets []Target) error { var portRanges []netstack2.PortRange for _, pr := range target.PortRange { portRanges = append(portRanges, netstack2.PortRange{ - Min: pr.Min, - Max: pr.Max, + Min: pr.Min, + Max: pr.Max, Protocol: pr.Protocol, }) } - s.tnet.AddProxySubnetRule(sourcePrefix, destPrefix, target.RewriteTo, portRanges) + s.tnet.AddProxySubnetRule(sourcePrefix, destPrefix, target.RewriteTo, portRanges, target.DisableIcmp) logger.Info("Added target subnet from %s to %s rewrite to %s with port ranges: %v", target.SourcePrefix, target.DestPrefix, target.RewriteTo, target.PortRange) } @@ -1095,10 +1096,11 @@ func (s *WireGuardService) handleAddTarget(msg websocket.WSMessage) { portRanges = append(portRanges, netstack2.PortRange{ Min: pr.Min, Max: pr.Max, + Protocol: pr.Protocol, }) } - s.tnet.AddProxySubnetRule(sourcePrefix, destPrefix, target.RewriteTo, portRanges) + s.tnet.AddProxySubnetRule(sourcePrefix, destPrefix, target.RewriteTo, portRanges, target.DisableIcmp) logger.Info("Added target subnet from %s to %s rewrite to %s with port ranges: %v", target.SourcePrefix, target.DestPrefix, target.RewriteTo, target.PortRange) } @@ -1210,12 +1212,13 @@ func (s *WireGuardService) handleUpdateTarget(msg websocket.WSMessage) { var portRanges []netstack2.PortRange for _, pr := range target.PortRange { portRanges = append(portRanges, netstack2.PortRange{ - Min: pr.Min, - Max: pr.Max, + Min: pr.Min, + Max: pr.Max, + Protocol: pr.Protocol, }) } - s.tnet.AddProxySubnetRule(sourcePrefix, destPrefix, target.RewriteTo, portRanges) + s.tnet.AddProxySubnetRule(sourcePrefix, destPrefix, target.RewriteTo, portRanges, target.DisableIcmp) logger.Info("Added target subnet from %s to %s rewrite to %s with port ranges: %v", target.SourcePrefix, target.DestPrefix, target.RewriteTo, target.PortRange) } } diff --git a/netstack2/handlers.go b/netstack2/handlers.go index d6a861c..722a33d 100644 --- a/netstack2/handlers.go +++ b/netstack2/handlers.go @@ -424,7 +424,7 @@ func (h *ICMPHandler) handleICMPPacket(id stack.TransportEndpointID, pkt *stack. return false } - matchedRule := h.proxyHandler.subnetLookup.Match(srcAddr, dstAddr, 0) + matchedRule := h.proxyHandler.subnetLookup.Match(srcAddr, dstAddr, 0, header.ICMPv4ProtocolNumber) if matchedRule == nil { logger.Debug("ICMP Handler: No matching subnet rule for %s -> %s", srcIP, dstIP) return false @@ -446,7 +446,7 @@ func (h *ICMPHandler) handleICMPPacket(id stack.TransportEndpointID, pkt *stack. // Get the full ICMP payload (including the data after the header) icmpPayload := pkt.Data().AsRange().ToSlice() - + // Handle the ping in a goroutine to avoid blocking go h.proxyPing(srcIP, dstIP, actualDstIP, icmpHdr.Ident(), icmpHdr.Sequence(), icmpPayload) @@ -513,7 +513,7 @@ func (h *ICMPHandler) proxyPing(srcIP, originalDstIP, actualDstIP string, ident, // Wait for reply - loop to filter out non-matching packets (like our own echo request) replyBuf := make([]byte, 1500) var echoReply *icmp.Echo - + for { n, peer, err := conn.ReadFrom(replyBuf) if err != nil { diff --git a/netstack2/proxy.go b/netstack2/proxy.go index 90ec15e..fefb18d 100644 --- a/netstack2/proxy.go +++ b/netstack2/proxy.go @@ -70,7 +70,7 @@ func NewSubnetLookup() *SubnetLookup { // AddSubnet adds a subnet rule with source and destination prefixes and optional port restrictions // If portRanges is nil or empty, all ports are allowed for this subnet // rewriteTo can be either an IP/CIDR (e.g., "192.168.1.1/32") or a domain name (e.g., "example.com") -func (sl *SubnetLookup) AddSubnet(sourcePrefix, destPrefix netip.Prefix, rewriteTo string, portRanges []PortRange) { +func (sl *SubnetLookup) AddSubnet(sourcePrefix, destPrefix netip.Prefix, rewriteTo string, portRanges []PortRange, disableIcmp bool) { sl.mu.Lock() defer sl.mu.Unlock() @@ -82,6 +82,7 @@ func (sl *SubnetLookup) AddSubnet(sourcePrefix, destPrefix netip.Prefix, rewrite sl.rules[key] = &SubnetRule{ SourcePrefix: sourcePrefix, DestPrefix: destPrefix, + DisableIcmp: disableIcmp, RewriteTo: rewriteTo, PortRanges: portRanges, } @@ -124,6 +125,11 @@ func (sl *SubnetLookup) Match(srcIP, dstIP netip.Addr, port uint16, proto tcpip. continue } + if rule.DisableIcmp && (proto == header.ICMPv4ProtocolNumber || proto == header.ICMPv6ProtocolNumber) { + // ICMP is disabled for this subnet + return nil + } + // Both IPs match - now check port restrictions // If no port ranges specified, all ports are allowed if len(rule.PortRanges) == 0 { @@ -187,8 +193,8 @@ type ProxyHandler struct { destRewriteTable map[destKey]netip.Addr // Maps original dest to rewritten dest for handler lookups natMu sync.RWMutex enabled bool - icmpReplies chan []byte // Channel for ICMP reply packets to be sent back through the tunnel - notifiable channel.Notification // Notification handler for triggering reads + icmpReplies chan []byte // Channel for ICMP reply packets to be sent back through the tunnel + notifiable channel.Notification // Notification handler for triggering reads } // ProxyHandlerOptions configures the proxy handler @@ -275,11 +281,11 @@ func NewProxyHandler(options ProxyHandlerOptions) (*ProxyHandler, error) { // destPrefix: The IP prefix of the destination // rewriteTo: Optional address to rewrite destination to - can be IP/CIDR or domain name // If portRanges is nil or empty, all ports are allowed for this subnet -func (p *ProxyHandler) AddSubnetRule(sourcePrefix, destPrefix netip.Prefix, rewriteTo string, portRanges []PortRange) { +func (p *ProxyHandler) AddSubnetRule(sourcePrefix, destPrefix netip.Prefix, rewriteTo string, portRanges []PortRange, disableIcmp bool) { if p == nil || !p.enabled { return } - p.subnetLookup.AddSubnet(sourcePrefix, destPrefix, rewriteTo, portRanges) + p.subnetLookup.AddSubnet(sourcePrefix, destPrefix, rewriteTo, portRanges, disableIcmp) } // RemoveSubnetRule removes a subnet from the proxy handler diff --git a/netstack2/tun.go b/netstack2/tun.go index 71eeff2..e743f1e 100644 --- a/netstack2/tun.go +++ b/netstack2/tun.go @@ -354,10 +354,10 @@ func (net *Net) ListenUDP(laddr *net.UDPAddr) (*gonet.UDPConn, error) { // AddProxySubnetRule adds a subnet rule to the proxy handler // If portRanges is nil or empty, all ports are allowed for this subnet // rewriteTo can be either an IP/CIDR (e.g., "192.168.1.1/32") or a domain name (e.g., "example.com") -func (net *Net) AddProxySubnetRule(sourcePrefix, destPrefix netip.Prefix, rewriteTo string, portRanges []PortRange) { +func (net *Net) AddProxySubnetRule(sourcePrefix, destPrefix netip.Prefix, rewriteTo string, portRanges []PortRange, disableIcmp bool) { tun := (*netTun)(net) if tun.proxyHandler != nil { - tun.proxyHandler.AddSubnetRule(sourcePrefix, destPrefix, rewriteTo, portRanges) + tun.proxyHandler.AddSubnetRule(sourcePrefix, destPrefix, rewriteTo, portRanges, disableIcmp) } } From 3783a12055087ccf125d080f907f3f239d2e3fcb Mon Sep 17 00:00:00 2001 From: Owen Date: Tue, 16 Dec 2025 17:05:36 -0500 Subject: [PATCH 09/58] Add fallback to non privileged ping --- Dockerfile | 2 +- netstack2/handlers.go | 159 ++++++++++++++++++++++++++++++------------ 2 files changed, 117 insertions(+), 44 deletions(-) diff --git a/Dockerfile b/Dockerfile index ad11376..8eab800 100644 --- a/Dockerfile +++ b/Dockerfile @@ -20,7 +20,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /newt FROM alpine:3.23 AS runner -RUN apk --no-cache add ca-certificates tzdata +RUN apk --no-cache add ca-certificates tzdata ping COPY --from=builder /newt /usr/local/bin/ COPY entrypoint.sh / diff --git a/netstack2/handlers.go b/netstack2/handlers.go index 722a33d..014d872 100644 --- a/netstack2/handlers.go +++ b/netstack2/handlers.go @@ -11,6 +11,7 @@ import ( "io" "net" "net/netip" + "os/exec" "sync" "time" @@ -458,20 +459,66 @@ func (h *ICMPHandler) proxyPing(srcIP, originalDstIP, actualDstIP string, ident, logger.Debug("ICMP Handler: Proxying ping from %s to %s (actual: %s), ident=%d, seq=%d", srcIP, originalDstIP, actualDstIP, ident, seq) - // Create ICMP connection to the actual destination + // Try three methods in order: ip4:icmp -> udp4 -> ping command + // Track which method succeeded so we can handle identifier matching correctly + method, success := h.tryICMPMethods(actualDstIP, ident, seq, payload) + + if !success { + logger.Info("ICMP Handler: All ping methods failed for %s", actualDstIP) + return + } + + logger.Info("ICMP Handler: Ping successful to %s using %s, injecting reply (ident=%d, seq=%d)", + actualDstIP, method, ident, seq) + + // Build the reply packet to inject back into the netstack + // The reply should appear to come from the original destination (before rewrite) + h.injectICMPReply(srcIP, originalDstIP, ident, seq, payload) +} + +// tryICMPMethods tries all available ICMP methods in order +func (h *ICMPHandler) tryICMPMethods(actualDstIP string, ident, seq uint16, payload []byte) (string, bool) { + if h.tryRawICMP(actualDstIP, ident, seq, payload, false) { + return "raw ICMP", true + } + if h.tryUnprivilegedICMP(actualDstIP, ident, seq, payload) { + return "unprivileged ICMP", true + } + if h.tryPingCommand(actualDstIP, ident, seq, payload) { + return "ping command", true + } + return "", false +} + +// tryRawICMP attempts to ping using raw ICMP sockets (requires CAP_NET_RAW or root) +func (h *ICMPHandler) tryRawICMP(actualDstIP string, ident, seq uint16, payload []byte, ignoreIdent bool) bool { conn, err := icmp.ListenPacket("ip4:icmp", "0.0.0.0") if err != nil { - logger.Info("ICMP Handler: Failed to create ICMP socket: %v", err) - // Try unprivileged ICMP (udp4) - conn, err = icmp.ListenPacket("udp4", "0.0.0.0") - if err != nil { - logger.Info("ICMP Handler: Failed to create unprivileged ICMP socket: %v", err) - return - } - logger.Debug("ICMP Handler: Using unprivileged ICMP socket") + logger.Debug("ICMP Handler: Raw ICMP socket not available: %v", err) + return false } defer conn.Close() + logger.Debug("ICMP Handler: Using raw ICMP socket") + return h.sendAndReceiveICMP(conn, actualDstIP, ident, seq, payload, false, ignoreIdent) +} + +// tryUnprivilegedICMP attempts to ping using unprivileged ICMP (requires ping_group_range configured) +func (h *ICMPHandler) tryUnprivilegedICMP(actualDstIP string, ident, seq uint16, payload []byte) bool { + conn, err := icmp.ListenPacket("udp4", "0.0.0.0") + if err != nil { + logger.Debug("ICMP Handler: Unprivileged ICMP socket not available: %v", err) + return false + } + defer conn.Close() + + logger.Debug("ICMP Handler: Using unprivileged ICMP socket") + // Unprivileged ICMP doesn't let us control the identifier, so we ignore it in matching + return h.sendAndReceiveICMP(conn, actualDstIP, ident, seq, payload, true, true) +} + +// sendAndReceiveICMP sends an ICMP echo request and waits for the reply +func (h *ICMPHandler) sendAndReceiveICMP(conn *icmp.PacketConn, actualDstIP string, ident, seq uint16, payload []byte, isUnprivileged bool, ignoreIdent bool) bool { // Build the ICMP echo request message echoMsg := &icmp.Message{ Type: ipv4.ICMPTypeEcho, @@ -485,40 +532,45 @@ func (h *ICMPHandler) proxyPing(srcIP, originalDstIP, actualDstIP string, ident, msgBytes, err := echoMsg.Marshal(nil) if err != nil { - logger.Info("ICMP Handler: Failed to marshal ICMP message: %v", err) - return + logger.Debug("ICMP Handler: Failed to marshal ICMP message: %v", err) + return false } - // Resolve destination address - dst, err := net.ResolveIPAddr("ip4", actualDstIP) - if err != nil { - logger.Info("ICMP Handler: Failed to resolve destination %s: %v", actualDstIP, err) - return + // Resolve destination address based on socket type + var writeErr error + if isUnprivileged { + // For unprivileged ICMP, use UDP-style addressing + udpAddr := &net.UDPAddr{IP: net.ParseIP(actualDstIP)} + logger.Debug("ICMP Handler: Sending ping to %s (unprivileged)", udpAddr.String()) + conn.SetDeadline(time.Now().Add(icmpTimeout)) + _, writeErr = conn.WriteTo(msgBytes, udpAddr) + } else { + // For raw ICMP, use IP addressing + dst, err := net.ResolveIPAddr("ip4", actualDstIP) + if err != nil { + logger.Debug("ICMP Handler: Failed to resolve destination %s: %v", actualDstIP, err) + return false + } + logger.Debug("ICMP Handler: Sending ping to %s (raw)", dst.String()) + conn.SetDeadline(time.Now().Add(icmpTimeout)) + _, writeErr = conn.WriteTo(msgBytes, dst) } - logger.Debug("ICMP Handler: Sending ping to %s", dst.String()) - - // Set deadline for the ping - conn.SetDeadline(time.Now().Add(icmpTimeout)) - - // Send the ping - _, err = conn.WriteTo(msgBytes, dst) - if err != nil { - logger.Info("ICMP Handler: Failed to send ping to %s: %v", actualDstIP, err) - return + if writeErr != nil { + logger.Debug("ICMP Handler: Failed to send ping to %s: %v", actualDstIP, writeErr) + return false } logger.Debug("ICMP Handler: Ping sent to %s, waiting for reply (ident=%d, seq=%d)", actualDstIP, ident, seq) - // Wait for reply - loop to filter out non-matching packets (like our own echo request) + // Wait for reply - loop to filter out non-matching packets replyBuf := make([]byte, 1500) - var echoReply *icmp.Echo for { n, peer, err := conn.ReadFrom(replyBuf) if err != nil { - logger.Info("ICMP Handler: Failed to receive ping reply from %s: %v", actualDstIP, err) - return + logger.Debug("ICMP Handler: Failed to receive ping reply from %s: %v", actualDstIP, err) + return false } logger.Debug("ICMP Handler: Received %d bytes from %s", n, peer.String()) @@ -532,7 +584,7 @@ func (h *ICMPHandler) proxyPing(srcIP, originalDstIP, actualDstIP string, ident, // Check if it's an echo reply (type 0), not an echo request (type 8) if replyMsg.Type != ipv4.ICMPTypeEchoReply { - logger.Debug("ICMP Handler: Received non-echo-reply type: %v (expected echo reply), continuing to wait", replyMsg.Type) + logger.Debug("ICMP Handler: Received non-echo-reply type: %v, continuing to wait", replyMsg.Type) continue } @@ -542,24 +594,45 @@ func (h *ICMPHandler) proxyPing(srcIP, originalDstIP, actualDstIP string, ident, continue } - // Verify the ident and sequence match what we sent - if reply.ID != int(ident) || reply.Seq != int(seq) { - logger.Debug("ICMP Handler: Reply ident/seq mismatch: got ident=%d seq=%d, want ident=%d seq=%d", - reply.ID, reply.Seq, ident, seq) + // Verify the sequence matches what we sent + // For unprivileged ICMP, the kernel controls the identifier, so we only check sequence + if reply.Seq != int(seq) { + logger.Debug("ICMP Handler: Reply seq mismatch: got seq=%d, want seq=%d", reply.Seq, seq) + continue + } + + if !ignoreIdent && reply.ID != int(ident) { + logger.Debug("ICMP Handler: Reply ident mismatch: got ident=%d, want ident=%d", reply.ID, ident) continue } // Found matching reply - echoReply = reply - break + logger.Debug("ICMP Handler: Received valid echo reply") + return true + } +} + +// tryPingCommand attempts to ping using the system ping command (always works, but less control) +func (h *ICMPHandler) tryPingCommand(actualDstIP string, ident, seq uint16, payload []byte) bool { + logger.Debug("ICMP Handler: Attempting to use system ping command") + + ctx, cancel := context.WithTimeout(context.Background(), icmpTimeout) + defer cancel() + + // Send one ping with timeout + // -c 1: count = 1 packet + // -W 5: timeout = 5 seconds + // -q: quiet output (just summary) + cmd := exec.CommandContext(ctx, "ping", "-c", "1", "-W", "5", "-q", actualDstIP) + output, err := cmd.CombinedOutput() + + if err != nil { + logger.Debug("ICMP Handler: System ping command failed: %v, output: %s", err, string(output)) + return false } - logger.Info("ICMP Handler: Ping successful to %s, injecting reply (ident=%d, seq=%d)", - actualDstIP, echoReply.ID, echoReply.Seq) - - // Build the reply packet to inject back into the netstack - // The reply should appear to come from the original destination (before rewrite) - h.injectICMPReply(srcIP, originalDstIP, uint16(echoReply.ID), uint16(echoReply.Seq), echoReply.Data) + logger.Debug("ICMP Handler: System ping command succeeded") + return true } // injectICMPReply creates an ICMP echo reply packet and queues it to be sent back through the tunnel From b8349aab4edc9995ff6f11535440eb7a14c3f80a Mon Sep 17 00:00:00 2001 From: Owen Date: Tue, 16 Dec 2025 17:16:58 -0500 Subject: [PATCH 10/58] Install iputils not ping --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 8eab800..197ac84 100644 --- a/Dockerfile +++ b/Dockerfile @@ -20,7 +20,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /newt FROM alpine:3.23 AS runner -RUN apk --no-cache add ca-certificates tzdata ping +RUN apk --no-cache add ca-certificates tzdata iputils COPY --from=builder /newt /usr/local/bin/ COPY entrypoint.sh / From 1cbf41e094a548e93c808944fb3f4f6dd05e11d6 Mon Sep 17 00:00:00 2001 From: Owen Date: Tue, 16 Dec 2025 18:32:31 -0500 Subject: [PATCH 11/58] Take 21820 from config --- clients.go | 4 ++-- clients/clients.go | 7 ++++++- holepunch/holepunch.go | 6 ++++-- main.go | 8 +++++++- 4 files changed, 19 insertions(+), 6 deletions(-) diff --git a/clients.go b/clients.go index 94586a2..e679432 100644 --- a/clients.go +++ b/clients.go @@ -63,7 +63,7 @@ func closeClients() { } } -func clientsHandleNewtConnection(publicKey string, endpoint string) { +func clientsHandleNewtConnection(publicKey string, endpoint string, relayPort uint16) { if !ready { return } @@ -77,7 +77,7 @@ func clientsHandleNewtConnection(publicKey string, endpoint string) { endpoint = strings.Join(parts[:len(parts)-1], ":") if wgService != nil { - wgService.StartHolepunch(publicKey, endpoint) + wgService.StartHolepunch(publicKey, endpoint, relayPort) } } diff --git a/clients/clients.go b/clients/clients.go index 7ef953f..4779915 100644 --- a/clients/clients.go +++ b/clients/clients.go @@ -270,16 +270,21 @@ func (s *WireGuardService) SetOnNetstackClose(callback func()) { } // StartHolepunch starts hole punching to a specific endpoint -func (s *WireGuardService) StartHolepunch(publicKey string, endpoint string) { +func (s *WireGuardService) StartHolepunch(publicKey string, endpoint string, relayPort uint16) { if s.holePunchManager == nil { logger.Warn("Hole punch manager not initialized") return } + if relayPort == 0 { + relayPort = 21820 + } + // Convert websocket.ExitNode to holepunch.ExitNode hpExitNodes := []holepunch.ExitNode{ { Endpoint: endpoint, + RelayPort: relayPort, PublicKey: publicKey, }, } diff --git a/holepunch/holepunch.go b/holepunch/holepunch.go index b6e0a6b..8ee8767 100644 --- a/holepunch/holepunch.go +++ b/holepunch/holepunch.go @@ -4,6 +4,7 @@ import ( "encoding/json" "fmt" "net" + "strconv" "sync" "time" @@ -19,6 +20,7 @@ import ( // ExitNode represents a WireGuard exit node for hole punching type ExitNode struct { Endpoint string `json:"endpoint"` + RelayPort uint16 `json:"relayPort"` PublicKey string `json:"publicKey"` } @@ -202,7 +204,7 @@ func (m *Manager) TriggerHolePunch() error { continue } - serverAddr := net.JoinHostPort(host, "21820") + serverAddr := net.JoinHostPort(host, strconv.Itoa(int(exitNode.RelayPort))) remoteAddr, err := net.ResolveUDPAddr("udp", serverAddr) if err != nil { logger.Error("Failed to resolve UDP address %s: %v", serverAddr, err) @@ -313,7 +315,7 @@ func (m *Manager) runMultipleExitNodes() { continue } - serverAddr := net.JoinHostPort(host, "21820") + serverAddr := net.JoinHostPort(host, strconv.Itoa(int(exitNode.RelayPort))) remoteAddr, err := net.ResolveUDPAddr("udp", serverAddr) if err != nil { logger.Error("Failed to resolve UDP address %s: %v", serverAddr, err) diff --git a/main.go b/main.go index 5986546..c41ea35 100644 --- a/main.go +++ b/main.go @@ -37,6 +37,7 @@ import ( type WgData struct { Endpoint string `json:"endpoint"` + RelayPort uint16 `json:"relayPort"` PublicKey string `json:"publicKey"` ServerIP string `json:"serverIP"` TunnelIP string `json:"tunnelIP"` @@ -691,7 +692,12 @@ func runNewtMain(ctx context.Context) { return } - clientsHandleNewtConnection(wgData.PublicKey, endpoint) + relayPort := wgData.RelayPort + if relayPort == 0 { + relayPort = 21820 + } + + clientsHandleNewtConnection(wgData.PublicKey, endpoint, relayPort) // Configure WireGuard config := fmt.Sprintf(`private_key=%s From ff7fe1275b2657ec34e7fea26975cceb809a30a5 Mon Sep 17 00:00:00 2001 From: Owen Date: Tue, 16 Dec 2025 18:32:31 -0500 Subject: [PATCH 12/58] Take 21820 from config --- clients.go | 4 ++-- clients/clients.go | 7 ++++++- holepunch/holepunch.go | 6 ++++-- main.go | 8 +++++++- 4 files changed, 19 insertions(+), 6 deletions(-) diff --git a/clients.go b/clients.go index 94586a2..e679432 100644 --- a/clients.go +++ b/clients.go @@ -63,7 +63,7 @@ func closeClients() { } } -func clientsHandleNewtConnection(publicKey string, endpoint string) { +func clientsHandleNewtConnection(publicKey string, endpoint string, relayPort uint16) { if !ready { return } @@ -77,7 +77,7 @@ func clientsHandleNewtConnection(publicKey string, endpoint string) { endpoint = strings.Join(parts[:len(parts)-1], ":") if wgService != nil { - wgService.StartHolepunch(publicKey, endpoint) + wgService.StartHolepunch(publicKey, endpoint, relayPort) } } diff --git a/clients/clients.go b/clients/clients.go index 9b17d07..17a5398 100644 --- a/clients/clients.go +++ b/clients/clients.go @@ -268,16 +268,21 @@ func (s *WireGuardService) SetOnNetstackClose(callback func()) { } // StartHolepunch starts hole punching to a specific endpoint -func (s *WireGuardService) StartHolepunch(publicKey string, endpoint string) { +func (s *WireGuardService) StartHolepunch(publicKey string, endpoint string, relayPort uint16) { if s.holePunchManager == nil { logger.Warn("Hole punch manager not initialized") return } + if relayPort == 0 { + relayPort = 21820 + } + // Convert websocket.ExitNode to holepunch.ExitNode hpExitNodes := []holepunch.ExitNode{ { Endpoint: endpoint, + RelayPort: relayPort, PublicKey: publicKey, }, } diff --git a/holepunch/holepunch.go b/holepunch/holepunch.go index b6e0a6b..8ee8767 100644 --- a/holepunch/holepunch.go +++ b/holepunch/holepunch.go @@ -4,6 +4,7 @@ import ( "encoding/json" "fmt" "net" + "strconv" "sync" "time" @@ -19,6 +20,7 @@ import ( // ExitNode represents a WireGuard exit node for hole punching type ExitNode struct { Endpoint string `json:"endpoint"` + RelayPort uint16 `json:"relayPort"` PublicKey string `json:"publicKey"` } @@ -202,7 +204,7 @@ func (m *Manager) TriggerHolePunch() error { continue } - serverAddr := net.JoinHostPort(host, "21820") + serverAddr := net.JoinHostPort(host, strconv.Itoa(int(exitNode.RelayPort))) remoteAddr, err := net.ResolveUDPAddr("udp", serverAddr) if err != nil { logger.Error("Failed to resolve UDP address %s: %v", serverAddr, err) @@ -313,7 +315,7 @@ func (m *Manager) runMultipleExitNodes() { continue } - serverAddr := net.JoinHostPort(host, "21820") + serverAddr := net.JoinHostPort(host, strconv.Itoa(int(exitNode.RelayPort))) remoteAddr, err := net.ResolveUDPAddr("udp", serverAddr) if err != nil { logger.Error("Failed to resolve UDP address %s: %v", serverAddr, err) diff --git a/main.go b/main.go index d579357..9fdec74 100644 --- a/main.go +++ b/main.go @@ -37,6 +37,7 @@ import ( type WgData struct { Endpoint string `json:"endpoint"` + RelayPort uint16 `json:"relayPort"` PublicKey string `json:"publicKey"` ServerIP string `json:"serverIP"` TunnelIP string `json:"tunnelIP"` @@ -691,7 +692,12 @@ func runNewtMain(ctx context.Context) { return } - clientsHandleNewtConnection(wgData.PublicKey, endpoint) + relayPort := wgData.RelayPort + if relayPort == 0 { + relayPort = 21820 + } + + clientsHandleNewtConnection(wgData.PublicKey, endpoint, relayPort) // Configure WireGuard config := fmt.Sprintf(`private_key=%s From 3305f711b9cfab614e87b5f706f56d60b72e3d52 Mon Sep 17 00:00:00 2001 From: Owen Date: Thu, 18 Dec 2025 10:29:37 -0500 Subject: [PATCH 13/58] Prevent sigsegv with bad address Fixes #210 Fixes #201 --- clients/clients.go | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/clients/clients.go b/clients/clients.go index 4779915..b2dca47 100644 --- a/clients/clients.go +++ b/clients/clients.go @@ -477,6 +477,8 @@ func (s *WireGuardService) handleConfig(msg websocket.WSMessage) { // Ensure the WireGuard interface and peers are configured if err := s.ensureWireguardInterface(config); err != nil { logger.Error("Failed to ensure WireGuard interface: %v", err) + logger.Error("Clients functionality will be disabled until the interface can be created") + return } if err := s.ensureWireguardPeers(config.Peers); err != nil { @@ -652,6 +654,11 @@ func (s *WireGuardService) ensureWireguardPeers(peers []Peer) error { // For netstack, we need to manage peers differently // We'll configure peers directly on the device using IPC + // Check if device is initialized + if s.device == nil { + return fmt.Errorf("WireGuard device is not initialized") + } + // First, clear all existing peers by getting current config and removing them currentConfig, err := s.device.IpcGet() if err != nil { From 9b015e9f7cbfddabc1e24e08dbe2fda01d411e88 Mon Sep 17 00:00:00 2001 From: Owen Date: Fri, 19 Dec 2025 10:54:21 -0500 Subject: [PATCH 14/58] Tie siteIds to exit node --- holepunch/holepunch.go | 46 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) diff --git a/holepunch/holepunch.go b/holepunch/holepunch.go index 8ee8767..e6a6cf3 100644 --- a/holepunch/holepunch.go +++ b/holepunch/holepunch.go @@ -22,6 +22,7 @@ type ExitNode struct { Endpoint string `json:"endpoint"` RelayPort uint16 `json:"relayPort"` PublicKey string `json:"publicKey"` + SiteIds []int `json:"siteIds,omitempty"` } // Manager handles UDP hole punching operations @@ -142,6 +143,51 @@ func (m *Manager) RemoveExitNode(endpoint string) bool { return true } +/* +RemoveExitNodesByPeer removes the peer ID from the SiteIds list in each exit node. +If the SiteIds list becomes empty after removal, the exit node is removed entirely. +Returns the number of exit nodes removed. +*/ +func (m *Manager) RemoveExitNodesByPeer(peerID int) int { + m.mu.Lock() + defer m.mu.Unlock() + + removed := 0 + for endpoint, node := range m.exitNodes { + // Remove peerID from SiteIds if present + newSiteIds := make([]int, 0, len(node.SiteIds)) + for _, id := range node.SiteIds { + if id != peerID { + newSiteIds = append(newSiteIds, id) + } + } + if len(newSiteIds) != len(node.SiteIds) { + node.SiteIds = newSiteIds + if len(node.SiteIds) == 0 { + delete(m.exitNodes, endpoint) + logger.Info("Removed exit node %s as no more site IDs remain after removing peer %d", endpoint, peerID) + removed++ + } else { + m.exitNodes[endpoint] = node + logger.Info("Removed peer %d from exit node %s site IDs", peerID, endpoint) + } + } + } + + if removed > 0 { + // Signal the goroutine to refresh if running + if m.running && m.updateChan != nil { + select { + case m.updateChan <- struct{}{}: + default: + // Channel full or closed, skip + } + } + } + + return removed +} + // GetExitNodes returns a copy of the current exit nodes func (m *Manager) GetExitNodes() []ExitNode { m.mu.Lock() From 3d5335f2cb5f1ce0c6b2e91f9f7d3872c26b7275 Mon Sep 17 00:00:00 2001 From: Owen Date: Sun, 21 Dec 2025 21:00:45 -0500 Subject: [PATCH 15/58] Add back release and binaries --- .github/workflows/cicd.yml | 48 +++++++++++++++++++------------------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index f5dccf8..4d2e0e4 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -587,28 +587,28 @@ jobs: # sarif_file: trivy-ghcr.sarif # category: Image Vulnerability Scan - # - name: Build binaries - # env: - # CGO_ENABLED: "0" - # GOFLAGS: "-trimpath" - # run: | - # set -euo pipefail - # TAG_VAR="${TAG}" - # make go-build-release tag=$TAG_VAR - # shell: bash + - name: Build binaries + env: + CGO_ENABLED: "0" + GOFLAGS: "-trimpath" + run: | + set -euo pipefail + TAG_VAR="${TAG}" + make go-build-release tag=$TAG_VAR + shell: bash - # - name: Create GitHub Release - # uses: softprops/action-gh-release@5be0e66d93ac7ed76da52eca8bb058f665c3a5fe # v2.4.2 - # with: - # tag_name: ${{ env.TAG }} - # generate_release_notes: true - # prerelease: ${{ env.IS_RC == 'true' }} - # files: | - # bin/* - # fail_on_unmatched_files: true - # draft: true - # body: | - # ## Container Images - # - GHCR: `${{ env.GHCR_REF }}` - # - Docker Hub: `${{ env.DH_REF || 'N/A' }}` - # **Digest:** `${{ steps.build.outputs.digest }}` + - name: Create GitHub Release + uses: softprops/action-gh-release@5be0e66d93ac7ed76da52eca8bb058f665c3a5fe # v2.4.2 + with: + tag_name: ${{ env.TAG }} + generate_release_notes: true + prerelease: ${{ env.IS_RC == 'true' }} + files: | + bin/* + fail_on_unmatched_files: true + draft: true + body: | + ## Container Images + - GHCR: `${{ env.GHCR_REF }}` + - Docker Hub: `${{ env.DH_REF || 'N/A' }}` + **Digest:** `${{ steps.build.outputs.digest }}` From a21a8e90fa01c7089a710c0ce23da2c0d56291b2 Mon Sep 17 00:00:00 2001 From: Owen Date: Sun, 21 Dec 2025 21:00:45 -0500 Subject: [PATCH 16/58] Add back release and binaries --- .github/workflows/cicd.yml | 48 +++++++++++++++++++------------------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index f5dccf8..4d2e0e4 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -587,28 +587,28 @@ jobs: # sarif_file: trivy-ghcr.sarif # category: Image Vulnerability Scan - # - name: Build binaries - # env: - # CGO_ENABLED: "0" - # GOFLAGS: "-trimpath" - # run: | - # set -euo pipefail - # TAG_VAR="${TAG}" - # make go-build-release tag=$TAG_VAR - # shell: bash + - name: Build binaries + env: + CGO_ENABLED: "0" + GOFLAGS: "-trimpath" + run: | + set -euo pipefail + TAG_VAR="${TAG}" + make go-build-release tag=$TAG_VAR + shell: bash - # - name: Create GitHub Release - # uses: softprops/action-gh-release@5be0e66d93ac7ed76da52eca8bb058f665c3a5fe # v2.4.2 - # with: - # tag_name: ${{ env.TAG }} - # generate_release_notes: true - # prerelease: ${{ env.IS_RC == 'true' }} - # files: | - # bin/* - # fail_on_unmatched_files: true - # draft: true - # body: | - # ## Container Images - # - GHCR: `${{ env.GHCR_REF }}` - # - Docker Hub: `${{ env.DH_REF || 'N/A' }}` - # **Digest:** `${{ steps.build.outputs.digest }}` + - name: Create GitHub Release + uses: softprops/action-gh-release@5be0e66d93ac7ed76da52eca8bb058f665c3a5fe # v2.4.2 + with: + tag_name: ${{ env.TAG }} + generate_release_notes: true + prerelease: ${{ env.IS_RC == 'true' }} + files: | + bin/* + fail_on_unmatched_files: true + draft: true + body: | + ## Container Images + - GHCR: `${{ env.GHCR_REF }}` + - Docker Hub: `${{ env.DH_REF || 'N/A' }}` + **Digest:** `${{ steps.build.outputs.digest }}` From 6c65cc8e5e6ecc93f3379bf20ac73d8d4bd52300 Mon Sep 17 00:00:00 2001 From: Owen Date: Sun, 21 Dec 2025 21:34:56 -0500 Subject: [PATCH 17/58] Fix makefile cicd binaries --- .github/workflows/cicd.yml | 2 +- Makefile | 12 ++++++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index 4d2e0e4..6474fb7 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -594,7 +594,7 @@ jobs: run: | set -euo pipefail TAG_VAR="${TAG}" - make go-build-release tag=$TAG_VAR + make -j 10 go-build-release tag=$TAG_VAR shell: bash - name: Create GitHub Release diff --git a/Makefile b/Makefile index bd174b6..e720189 100644 --- a/Makefile +++ b/Makefile @@ -27,6 +27,18 @@ docker-build-release: go-build-release-darwin-amd64 go-build-release-windows-amd64 \ go-build-release-freebsd-amd64 go-build-release-freebsd-arm64 +go-build-release: \ + go-build-release-linux-arm64 \ + go-build-release-linux-arm32-v7 \ + go-build-release-linux-arm32-v6 \ + go-build-release-linux-amd64 \ + go-build-release-linux-riscv64 \ + go-build-release-darwin-arm64 \ + go-build-release-darwin-amd64 \ + go-build-release-windows-amd64 \ + go-build-release-freebsd-amd64 \ + go-build-release-freebsd-arm64 + go-build-release-linux-arm64: CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -o bin/newt_linux_arm64 From 5c94789d9a17714ab20da206d280679e6814dec5 Mon Sep 17 00:00:00 2001 From: Owen Date: Mon, 22 Dec 2025 14:31:44 -0500 Subject: [PATCH 18/58] Quiet up logs --- clients.go | 2 +- clients/clients.go | 16 +++++++++------- holepunch/holepunch.go | 4 ++-- main.go | 2 +- netstack2/handlers.go | 4 ++-- netstack2/proxy.go | 2 +- wgtester/wgtester.go | 17 +++++++---------- 7 files changed, 23 insertions(+), 24 deletions(-) diff --git a/clients.go b/clients.go index e679432..d650eeb 100644 --- a/clients.go +++ b/clients.go @@ -24,7 +24,7 @@ func setupClients(client *websocket.Client) { host = strings.TrimSuffix(host, "/") - logger.Info("Setting up clients with netstack2...") + logger.Debug("Setting up clients with netstack2...") // if useNativeInterface is true make sure we have permission to use native interface if useNativeInterface { diff --git a/clients/clients.go b/clients/clients.go index b2dca47..c19e7af 100644 --- a/clients/clients.go +++ b/clients/clients.go @@ -141,7 +141,7 @@ func NewWireGuardService(interfaceName string, port uint16, mtu int, host string // Add a reference for the hole punch manager (creator already has one reference for WireGuard) sharedBind.AddRef() - logger.Info("Created shared UDP socket on port %d (refcount: %d)", port, sharedBind.GetRefCount()) + logger.Debug("Created shared UDP socket on port %d (refcount: %d)", port, sharedBind.GetRefCount()) // Parse DNS addresses dnsAddrs := []netip.Addr{netip.MustParseAddr(dns)} @@ -294,7 +294,7 @@ func (s *WireGuardService) StartHolepunch(publicKey string, endpoint string, rel logger.Warn("Failed to start hole punch: %v", err) } - logger.Info("Starting hole punch to %s with public key: %s", endpoint, publicKey) + logger.Debug("Starting hole punch to %s with public key: %s", endpoint, publicKey) } // StartDirectUDPRelay starts a direct UDP relay from the main tunnel netstack to the clients' WireGuard. @@ -341,7 +341,7 @@ func (s *WireGuardService) StartDirectUDPRelay(tunnelIP string) error { // Set the netstack connection on the SharedBind so responses go back through the tunnel s.sharedBind.SetNetstackConn(listener) - logger.Info("Started direct UDP relay on %s:%d (bidirectional via SharedBind)", tunnelIP, s.Port) + logger.Debug("Started direct UDP relay on %s:%d (bidirectional via SharedBind)", tunnelIP, s.Port) // Start the relay goroutine to read from netstack and inject into SharedBind s.directRelayWg.Add(1) @@ -359,7 +359,7 @@ func (s *WireGuardService) runDirectUDPRelay(listener net.PacketConn) { // Note: Don't close listener here - it's also used by SharedBind for sending responses // It will be closed when the relay is stopped - logger.Info("Direct UDP relay started (bidirectional through SharedBind)") + logger.Debug("Direct UDP relay started (bidirectional through SharedBind)") buf := make([]byte, 65535) // Max UDP packet size @@ -445,7 +445,7 @@ func (s *WireGuardService) LoadRemoteConfig() error { "port": s.Port, }, 2*time.Second) - logger.Info("Requesting WireGuard configuration from remote server") + logger.Debug("Requesting WireGuard configuration from remote server") go s.periodicBandwidthCheck() return nil @@ -455,7 +455,7 @@ func (s *WireGuardService) handleConfig(msg websocket.WSMessage) { var config WgConfig logger.Debug("Received message: %v", msg) - logger.Info("Received WireGuard clients configuration from remote server") + logger.Debug("Received WireGuard clients configuration from remote server") jsonData, err := json.Marshal(msg.Data) if err != nil { @@ -488,6 +488,8 @@ func (s *WireGuardService) handleConfig(msg websocket.WSMessage) { if err := s.ensureTargets(config.Targets); err != nil { logger.Error("Failed to ensure WireGuard targets: %v", err) } + + logger.Info("Client connectivity setup. Ready to accept connections from clients!") } func (s *WireGuardService) ensureWireguardInterface(wgconfig WgConfig) error { @@ -635,7 +637,7 @@ func (s *WireGuardService) ensureWireguardInterface(wgconfig WgConfig) error { return fmt.Errorf("failed to bring up WireGuard device: %v", err) } - logger.Info("WireGuard netstack device created and configured") + logger.Debug("WireGuard netstack device created and configured") // Release the mutex before calling the callback s.mu.Unlock() diff --git a/holepunch/holepunch.go b/holepunch/holepunch.go index e6a6cf3..ab1d9e0 100644 --- a/holepunch/holepunch.go +++ b/holepunch/holepunch.go @@ -295,7 +295,7 @@ func (m *Manager) StartMultipleExitNodes(exitNodes []ExitNode) error { m.updateChan = make(chan struct{}, 1) m.mu.Unlock() - logger.Info("Starting UDP hole punch to %d exit nodes with shared bind", len(exitNodes)) + logger.Debug("Starting UDP hole punch to %d exit nodes with shared bind", len(exitNodes)) go m.runMultipleExitNodes() @@ -373,7 +373,7 @@ func (m *Manager) runMultipleExitNodes() { publicKey: exitNode.PublicKey, endpointName: exitNode.Endpoint, }) - logger.Info("Resolved exit node: %s -> %s", exitNode.Endpoint, remoteAddr.String()) + logger.Debug("Resolved exit node: %s -> %s", exitNode.Endpoint, remoteAddr.String()) } return resolvedNodes } diff --git a/main.go b/main.go index c41ea35..7d6cbff 100644 --- a/main.go +++ b/main.go @@ -420,7 +420,7 @@ func runNewtMain(ctx context.Context) { } if tel != nil { // Admin HTTP server (exposes /metrics when Prometheus exporter is enabled) - logger.Info("Starting metrics server on %s", tcfg.AdminAddr) + logger.Debug("Starting metrics server on %s", tcfg.AdminAddr) mux := http.NewServeMux() mux.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(200) }) if tel.PrometheusHandler != nil { diff --git a/netstack2/handlers.go b/netstack2/handlers.go index 014d872..75c58b2 100644 --- a/netstack2/handlers.go +++ b/netstack2/handlers.go @@ -372,7 +372,7 @@ func copyPacketData(dst, src net.PacketConn, to net.Addr, timeout time.Duration) // InstallICMPHandler installs the ICMP handler on the stack func (h *ICMPHandler) InstallICMPHandler() error { h.stack.SetTransportProtocolHandler(header.ICMPv4ProtocolNumber, h.handleICMPPacket) - logger.Info("ICMP Handler: Installed ICMP protocol handler") + logger.Debug("ICMP Handler: Installed ICMP protocol handler") return nil } @@ -600,7 +600,7 @@ func (h *ICMPHandler) sendAndReceiveICMP(conn *icmp.PacketConn, actualDstIP stri logger.Debug("ICMP Handler: Reply seq mismatch: got seq=%d, want seq=%d", reply.Seq, seq) continue } - + if !ignoreIdent && reply.ID != int(ident) { logger.Debug("ICMP Handler: Reply ident mismatch: got ident=%d, want ident=%d", reply.ID, ident) continue diff --git a/netstack2/proxy.go b/netstack2/proxy.go index fefb18d..7b741dd 100644 --- a/netstack2/proxy.go +++ b/netstack2/proxy.go @@ -254,7 +254,7 @@ func NewProxyHandler(options ProxyHandlerOptions) (*ProxyHandler, error) { if err := handler.icmpHandler.InstallICMPHandler(); err != nil { return nil, fmt.Errorf("failed to install ICMP handler: %v", err) } - logger.Info("ProxyHandler: ICMP handler enabled") + logger.Debug("ProxyHandler: ICMP handler enabled") } // // Example 1: Add a rule with no port restrictions (all ports allowed) diff --git a/wgtester/wgtester.go b/wgtester/wgtester.go index c76db64..ee88439 100644 --- a/wgtester/wgtester.go +++ b/wgtester/wgtester.go @@ -38,7 +38,6 @@ type Server struct { isRunning bool runningLock sync.Mutex newtID string - outputPrefix string useNetstack bool tnet interface{} // Will be *netstack2.Net when using netstack } @@ -50,7 +49,6 @@ func NewServer(serverAddr string, serverPort uint16, newtID string) *Server { serverPort: serverPort + 1, // use the next port for the server shutdownCh: make(chan struct{}), newtID: newtID, - outputPrefix: "[WGTester] ", useNetstack: false, tnet: nil, } @@ -63,7 +61,6 @@ func NewServerWithNetstack(serverAddr string, serverPort uint16, newtID string, serverPort: serverPort + 1, // use the next port for the server shutdownCh: make(chan struct{}), newtID: newtID, - outputPrefix: "[WGTester] ", useNetstack: true, tnet: tnet, } @@ -109,7 +106,7 @@ func (s *Server) Start() error { s.isRunning = true go s.handleConnections() - logger.Info("%sServer started on %s:%d", s.outputPrefix, s.serverAddr, s.serverPort) + logger.Debug("WGTester Server started on %s:%d", s.serverAddr, s.serverPort) return nil } @@ -127,7 +124,7 @@ func (s *Server) Stop() { s.conn.Close() } s.isRunning = false - logger.Info("%sServer stopped", s.outputPrefix) + logger.Info("WGTester Server stopped") } // RestartWithNetstack stops the current server and restarts it with netstack @@ -162,7 +159,7 @@ func (s *Server) handleConnections() { // Set read deadline to avoid blocking forever err := s.conn.SetReadDeadline(time.Now().Add(1 * time.Second)) if err != nil { - logger.Error("%sError setting read deadline: %v", s.outputPrefix, err) + logger.Error("Error setting read deadline: %v", err) continue } @@ -192,7 +189,7 @@ func (s *Server) handleConnections() { if err == io.EOF { return } - logger.Error("%sError reading from UDP: %v", s.outputPrefix, err) + logger.Error("Error reading from UDP: %v", err) } continue } @@ -224,7 +221,7 @@ func (s *Server) handleConnections() { copy(responsePacket[5:13], buffer[5:13]) // Log response being sent for debugging - // logger.Debug("%sSending response to %s", s.outputPrefix, addr.String()) + // logger.Debug("Sending response to %s", addr.String()) // Send the response packet - handle both regular UDP and netstack UDP if s.useNetstack { @@ -238,9 +235,9 @@ func (s *Server) handleConnections() { } if err != nil { - logger.Error("%sError sending response: %v", s.outputPrefix, err) + logger.Error("Error sending response: %v", err) } else { - // logger.Debug("%sResponse sent successfully", s.outputPrefix) + // logger.Debug("Response sent successfully") } } } From ca341a8bb07735a36e03e819c89616d68f2febfb Mon Sep 17 00:00:00 2001 From: Varun Narravula Date: Mon, 22 Dec 2025 15:05:49 -0800 Subject: [PATCH 19/58] chore(nix): sync version number with latest version --- flake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/flake.nix b/flake.nix index 6d2f03f..112ec02 100644 --- a/flake.nix +++ b/flake.nix @@ -25,7 +25,7 @@ inherit (pkgs) lib; # Update version when releasing - version = "1.7.0"; + version = "1.8.0"; in { default = self.packages.${system}.pangolin-newt; From f078136b5afaea86fa5e423b52ddf860469b150c Mon Sep 17 00:00:00 2001 From: Varun Narravula Date: Mon, 22 Dec 2025 15:27:21 -0800 Subject: [PATCH 20/58] fix(nix): disable tests, set meta.mainProgram for package --- flake.nix | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/flake.nix b/flake.nix index 112ec02..03e2e5f 100644 --- a/flake.nix +++ b/flake.nix @@ -37,14 +37,26 @@ vendorHash = "sha256-5Xr6mwPtsqEliKeKv2rhhp6JC7u3coP4nnhIxGMqccU="; + nativeInstallCheckInputs = [ pkgs.versionCheckHook ]; + env = { CGO_ENABLED = 0; }; ldflags = [ + "-s" + "-w" "-X main.newtVersion=${version}" ]; + # Tests are broken due to a lack of Internet. + # Disable running `go test`, and instead do + # a simple version check instead. + doCheck = false; + doInstallCheck = true; + + versionCheckProgramArg = [ "-version" ]; + meta = { description = "A tunneling client for Pangolin"; homepage = "https://github.com/fosrl/newt"; @@ -52,6 +64,7 @@ maintainers = [ lib.maintainers.water-sucks ]; + mainProgram = "newt"; }; }; } From baf1b9b972ecca763d05ec9b28f26d4d65b14d5e Mon Sep 17 00:00:00 2001 From: Varun Narravula Date: Mon, 22 Dec 2025 15:27:49 -0800 Subject: [PATCH 21/58] ci: build nix package when go.mod is changed --- .github/workflows/nix-build.yml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 .github/workflows/nix-build.yml diff --git a/.github/workflows/nix-build.yml b/.github/workflows/nix-build.yml new file mode 100644 index 0000000..a97bcbd --- /dev/null +++ b/.github/workflows/nix-build.yml @@ -0,0 +1,23 @@ +name: Build Nix package + +on: + workflow_dispatch: + pull_request: + paths: + - go.mod + - go.sum + +jobs: + nix-build: + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Install Nix + uses: DeterminateSystems/nix-installer-action@main + + - name: Build flake package + run: | + nix build .#pangolin-newt -L From 0e961761b86ec1dab25854cac605debde5bf0492 Mon Sep 17 00:00:00 2001 From: Varun Narravula Date: Mon, 22 Dec 2025 15:34:32 -0800 Subject: [PATCH 22/58] chore: add direnv and nix result dirs to gitignore --- .gitignore | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index ad2355b..e39f130 100644 --- a/.gitignore +++ b/.gitignore @@ -5,4 +5,6 @@ nohup.out *.iml certs/ newt_arm64 -key \ No newline at end of file +key +/.direnv/ +/result* From f9b6f36b4f9d43f7d7b1d30099f39796778a0d55 Mon Sep 17 00:00:00 2001 From: Varun Narravula Date: Mon, 22 Dec 2025 15:35:43 -0800 Subject: [PATCH 23/58] ci: update nix go vendor hash if needed for dependabot PRs --- .../workflows/nix-dependabot-update-hash.yml | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 .github/workflows/nix-dependabot-update-hash.yml diff --git a/.github/workflows/nix-dependabot-update-hash.yml b/.github/workflows/nix-dependabot-update-hash.yml new file mode 100644 index 0000000..7e255f0 --- /dev/null +++ b/.github/workflows/nix-dependabot-update-hash.yml @@ -0,0 +1,48 @@ +name: Update Nix Package Hash On Dependabot PRs + +on: + pull_request: + types: [opened, synchronize] + branches: + - main + +jobs: + nix-update: + if: github.actor == 'dependabot[bot]' + runs-on: ubuntu-latest + + permissions: + contents: write + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + ref: ${{ github.head_ref }} + token: ${{ secrets.GITHUB_TOKEN }} + + - name: Install Nix + uses: DeterminateSystems/nix-installer-action@main + + - name: Run nix-update + run: | + nix run nixpkgs#nix-update -- --flake pangolin-newt --no-src --version skip + + - name: Check for changes + id: changes + run: | + if git diff --quiet; then + echo "changed=false" >> "$GITHUB_OUTPUT" + else + echo "changed=true" >> "$GITHUB_OUTPUT" + fi + + - name: Commit and push changes + if: steps.changes.outputs.changed == 'true' + run: | + git config user.name "dependabot[bot]" + git config user.email "dependabot[bot]@users.noreply.github.com" + + git add . + git commit -m "chore(nix): fix hash for updated go dependencies" + git push From e1ee4dc8f21a27645f39d251515d6afd0f31304a Mon Sep 17 00:00:00 2001 From: Owen Date: Mon, 22 Dec 2025 21:32:40 -0500 Subject: [PATCH 24/58] Fix latest tag --- .github/workflows/cicd.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index 6474fb7..69b98b9 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -273,7 +273,7 @@ jobs: tags: | type=semver,pattern={{version}},value=${{ env.TAG }} type=semver,pattern={{major}}.{{minor}},value=${{ env.TAG }},enable=${{ env.PUBLISH_MINOR == 'true' && env.IS_RC != 'true' }} - type=raw,value=latest,enable=${{ env.PUBLISH_LATEST == 'true' && env.IS_RC != 'true' }} + type=raw,value=latest,enable=${{ env.IS_RC != 'true' }} flavor: | latest=false labels: | From 31d52ad3ff664aaae88120fe755b577e400f9c5e Mon Sep 17 00:00:00 2001 From: Owen Date: Tue, 23 Dec 2025 10:29:15 -0500 Subject: [PATCH 25/58] Quiet up HandleIncomingPacket --- netstack2/proxy.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/netstack2/proxy.go b/netstack2/proxy.go index 7b741dd..4583529 100644 --- a/netstack2/proxy.go +++ b/netstack2/proxy.go @@ -550,8 +550,8 @@ func (p *ProxyHandler) HandleIncomingPacket(packet []byte) bool { return true } - logger.Debug("HandleIncomingPacket: No matching rule for %s -> %s (proto=%d, port=%d)", - srcAddr, dstAddr, protocol, dstPort) + // logger.Debug("HandleIncomingPacket: No matching rule for %s -> %s (proto=%d, port=%d)", + // srcAddr, dstAddr, protocol, dstPort) return false } From d754cea397acda599028a9752cbf02e140b84a08 Mon Sep 17 00:00:00 2001 From: Owen Date: Tue, 23 Dec 2025 17:54:31 -0500 Subject: [PATCH 26/58] Dont run on v tags --- .github/workflows/cicd.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index 69b98b9..4edb510 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -11,7 +11,9 @@ permissions: on: push: tags: - - "*" + - "[0-9]+.[0-9]+.[0-9]+" + - "[0-9]+.[0-9]+.[0-9]+-rc.[0-9]+" + workflow_dispatch: inputs: version: From a701add8249811c01540797be08eb6f2c94ddb78 Mon Sep 17 00:00:00 2001 From: Owen Date: Wed, 24 Dec 2025 10:57:59 -0500 Subject: [PATCH 27/58] Reuse http client for each target Fixes #220 --- healthcheck/healthcheck.go | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/healthcheck/healthcheck.go b/healthcheck/healthcheck.go index 8de3008..9b23479 100644 --- a/healthcheck/healthcheck.go +++ b/healthcheck/healthcheck.go @@ -61,6 +61,7 @@ type Target struct { timer *time.Timer ctx context.Context cancel context.CancelFunc + client *http.Client } // StatusChangeCallback is called when any target's status changes @@ -185,6 +186,16 @@ func (m *Monitor) addTargetUnsafe(config Config) error { Status: StatusUnknown, ctx: ctx, cancel: cancel, + client: &http.Client{ + Transport: &http.Transport{ + TLSClientConfig: &tls.Config{ + // Configure TLS settings based on certificate enforcement + InsecureSkipVerify: !m.enforceCert, + // Use SNI TLS header if present + ServerName: config.TLSServerName, + }, + }, + }, } m.targets[config.ID] = target @@ -378,17 +389,6 @@ func (m *Monitor) performHealthCheck(target *Target) { ctx, cancel := context.WithTimeout(context.Background(), time.Duration(target.Config.Timeout)*time.Second) defer cancel() - client := &http.Client{ - Transport: &http.Transport{ - TLSClientConfig: &tls.Config{ - // Configure TLS settings based on certificate enforcement - InsecureSkipVerify: !m.enforceCert, - // Use SNI TLS header if present - ServerName: target.Config.TLSServerName, - }, - }, - } - req, err := http.NewRequestWithContext(ctx, target.Config.Method, url, nil) if err != nil { target.Status = StatusUnhealthy @@ -408,7 +408,7 @@ func (m *Monitor) performHealthCheck(target *Target) { } // Perform request - resp, err := client.Do(req) + resp, err := target.client.Do(req) if err != nil { target.Status = StatusUnhealthy target.LastError = fmt.Sprintf("request failed: %v", err) From 0168b4796e306ff1a3ec22bbc253d7fa9f6e98ca Mon Sep 17 00:00:00 2001 From: Owen Date: Tue, 30 Dec 2025 10:31:35 -0500 Subject: [PATCH 28/58] Add mobile subs for permission --- clients/permissions/permissions_android.go | 8 ++++++++ clients/permissions/permissions_darwin.go | 2 +- clients/permissions/permissions_ios.go | 8 ++++++++ clients/permissions/permissions_linux.go | 2 +- 4 files changed, 18 insertions(+), 2 deletions(-) create mode 100644 clients/permissions/permissions_android.go create mode 100644 clients/permissions/permissions_ios.go diff --git a/clients/permissions/permissions_android.go b/clients/permissions/permissions_android.go new file mode 100644 index 0000000..bbab38c --- /dev/null +++ b/clients/permissions/permissions_android.go @@ -0,0 +1,8 @@ +//go:build android + +package permissions + +// CheckNativeInterfacePermissions always allows permission on Android. +func CheckNativeInterfacePermissions() error { + return nil +} \ No newline at end of file diff --git a/clients/permissions/permissions_darwin.go b/clients/permissions/permissions_darwin.go index d14bef4..f5b48fd 100644 --- a/clients/permissions/permissions_darwin.go +++ b/clients/permissions/permissions_darwin.go @@ -1,4 +1,4 @@ -//go:build darwin +//go:build darwin && !ios package permissions diff --git a/clients/permissions/permissions_ios.go b/clients/permissions/permissions_ios.go new file mode 100644 index 0000000..d3a9cac --- /dev/null +++ b/clients/permissions/permissions_ios.go @@ -0,0 +1,8 @@ +//go:build ios + +package permissions + +// CheckNativeInterfacePermissions always allows permission on iOS. +func CheckNativeInterfacePermissions() error { + return nil +} \ No newline at end of file diff --git a/clients/permissions/permissions_linux.go b/clients/permissions/permissions_linux.go index e97ee6a..01b035a 100644 --- a/clients/permissions/permissions_linux.go +++ b/clients/permissions/permissions_linux.go @@ -1,4 +1,4 @@ -//go:build linux +//go:build linux && !android package permissions From c3fad797e566e8bdaf92488670d6f5c3009419ad Mon Sep 17 00:00:00 2001 From: Owen Date: Wed, 31 Dec 2025 15:43:16 -0500 Subject: [PATCH 29/58] Handle android and ios in routes --- network/route.go | 52 ++++++++++++++++++++---------------------------- 1 file changed, 22 insertions(+), 30 deletions(-) diff --git a/network/route.go b/network/route.go index eb850ee..d8b9940 100644 --- a/network/route.go +++ b/network/route.go @@ -217,21 +217,17 @@ func AddRoutes(remoteSubnets []string, interfaceName string) error { continue } - if runtime.GOOS == "darwin" { - if err := DarwinAddRoute(subnet, "", interfaceName); err != nil { - logger.Error("Failed to add Darwin route for subnet %s: %v", subnet, err) - return err - } - } else if runtime.GOOS == "windows" { - if err := WindowsAddRoute(subnet, "", interfaceName); err != nil { - logger.Error("Failed to add Windows route for subnet %s: %v", subnet, err) - return err - } - } else if runtime.GOOS == "linux" { - if err := LinuxAddRoute(subnet, "", interfaceName); err != nil { - logger.Error("Failed to add Linux route for subnet %s: %v", subnet, err) - return err - } + switch runtime.GOOS { + case "darwin": + return DarwinAddRoute(subnet, "", interfaceName) + case "windows": + return WindowsAddRoute(subnet, "", interfaceName) + case "linux": + return LinuxAddRoute(subnet, "", interfaceName) + case "android": + return nil + case "ios": + return nil } logger.Info("Added route for remote subnet: %s", subnet) @@ -258,21 +254,17 @@ func RemoveRoutes(remoteSubnets []string) error { } // Remove route based on operating system - if runtime.GOOS == "darwin" { - if err := DarwinRemoveRoute(subnet); err != nil { - logger.Error("Failed to remove Darwin route for subnet %s: %v", subnet, err) - return err - } - } else if runtime.GOOS == "windows" { - if err := WindowsRemoveRoute(subnet); err != nil { - logger.Error("Failed to remove Windows route for subnet %s: %v", subnet, err) - return err - } - } else if runtime.GOOS == "linux" { - if err := LinuxRemoveRoute(subnet); err != nil { - logger.Error("Failed to remove Linux route for subnet %s: %v", subnet, err) - return err - } + switch runtime.GOOS { + case "darwin": + return DarwinRemoveRoute(subnet) + case "windows": + return WindowsRemoveRoute(subnet) + case "linux": + return LinuxRemoveRoute(subnet) + case "android": + return nil + case "ios": + return nil } logger.Info("Removed route for remote subnet: %s", subnet) From 9bb4bbccb8a3b99953cae2d6afab82475c1353c9 Mon Sep 17 00:00:00 2001 From: Owen Date: Wed, 31 Dec 2025 15:58:04 -0500 Subject: [PATCH 30/58] Fix incrementor not updating; restrict routes to darwin --- network/route.go | 18 ++++++++++-------- network/settings.go | 2 +- 2 files changed, 11 insertions(+), 9 deletions(-) diff --git a/network/route.go b/network/route.go index d8b9940..b1b33c4 100644 --- a/network/route.go +++ b/network/route.go @@ -126,13 +126,14 @@ func LinuxRemoveRoute(destination string) error { // addRouteForServerIP adds an OS-specific route for the server IP func AddRouteForServerIP(serverIP, interfaceName string) error { - if err := AddRouteForNetworkConfig(serverIP); err != nil { - return err - } if interfaceName == "" { return nil } - if runtime.GOOS == "darwin" { + // TODO: does this also need to be ios? + if runtime.GOOS == "darwin" { // macos requires routes for each peer to be added but this messes with other platforms + if err := AddRouteForNetworkConfig(serverIP); err != nil { + return err + } return DarwinAddRoute(serverIP, "", interfaceName) } // else if runtime.GOOS == "windows" { @@ -145,13 +146,14 @@ func AddRouteForServerIP(serverIP, interfaceName string) error { // removeRouteForServerIP removes an OS-specific route for the server IP func RemoveRouteForServerIP(serverIP string, interfaceName string) error { - if err := RemoveRouteForNetworkConfig(serverIP); err != nil { - return err - } if interfaceName == "" { return nil } - if runtime.GOOS == "darwin" { + // TODO: does this also need to be ios? + if runtime.GOOS == "darwin" { // macos requires routes for each peer to be added but this messes with other platforms + if err := RemoveRouteForNetworkConfig(serverIP); err != nil { + return err + } return DarwinRemoveRoute(serverIP) } // else if runtime.GOOS == "windows" { diff --git a/network/settings.go b/network/settings.go index e7792e0..e361ba1 100644 --- a/network/settings.go +++ b/network/settings.go @@ -115,7 +115,7 @@ func RemoveIPv4IncludedRoute(route IPv4Route) { if r == route { networkSettings.IPv4IncludedRoutes = append(routes[:i], routes[i+1:]...) logger.Info("Removed IPv4 included route: %+v", route) - return + break } } incrementor++ From a62567997dc4731d2d1630d829e4789e7e897872 Mon Sep 17 00:00:00 2001 From: miloschwartz Date: Thu, 1 Jan 2026 17:29:02 -0500 Subject: [PATCH 31/58] quiet and logs and fix ios errors --- bind/shared_bind.go | 4 ++-- holepunch/tester.go | 4 ++-- network/interface.go | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/bind/shared_bind.go b/bind/shared_bind.go index f266cb0..3625a17 100644 --- a/bind/shared_bind.go +++ b/bind/shared_bind.go @@ -523,7 +523,7 @@ func (b *SharedBind) receiveIPv4Simple(conn *net.UDPConn, bufs [][]byte, sizes [ func (b *SharedBind) handleMagicPacket(data []byte, addr *net.UDPAddr) bool { // Check if this is a test request packet if len(data) >= MagicTestRequestLen && bytes.HasPrefix(data, MagicTestRequest) { - logger.Debug("Received magic test REQUEST from %s, sending response", addr.String()) + // logger.Debug("Received magic test REQUEST from %s, sending response", addr.String()) // Extract the random data portion to echo back echoData := data[len(MagicTestRequest) : len(MagicTestRequest)+MagicPacketDataLen] @@ -546,7 +546,7 @@ func (b *SharedBind) handleMagicPacket(data []byte, addr *net.UDPAddr) bool { // Check if this is a test response packet if len(data) >= MagicTestResponseLen && bytes.HasPrefix(data, MagicTestResponse) { - logger.Debug("Received magic test RESPONSE from %s", addr.String()) + // logger.Debug("Received magic test RESPONSE from %s", addr.String()) // Extract the echoed data echoData := data[len(MagicTestResponse) : len(MagicTestResponse)+MagicPacketDataLen] diff --git a/holepunch/tester.go b/holepunch/tester.go index 3bebc4d..6eff801 100644 --- a/holepunch/tester.go +++ b/holepunch/tester.go @@ -140,7 +140,7 @@ func (t *HolepunchTester) Stop() { // handleResponse is called by SharedBind when a magic response is received func (t *HolepunchTester) handleResponse(addr netip.AddrPort, echoData []byte) { - logger.Debug("Received magic response from %s", addr.String()) + // logger.Debug("Received magic response from %s", addr.String()) key := string(echoData) value, ok := t.pendingRequests.LoadAndDelete(key) @@ -152,7 +152,7 @@ func (t *HolepunchTester) handleResponse(addr netip.AddrPort, echoData []byte) { req := value.(*pendingRequest) rtt := time.Since(req.sentAt) - logger.Debug("Magic response matched pending request for %s (RTT: %v)", req.endpoint, rtt) + // logger.Debug("Magic response matched pending request for %s (RTT: %v)", req.endpoint, rtt) // Send RTT to the waiting goroutine (non-blocking) select { diff --git a/network/interface.go b/network/interface.go index e110ec1..5930830 100644 --- a/network/interface.go +++ b/network/interface.go @@ -44,9 +44,9 @@ func ConfigureInterface(interfaceName string, tunnelIp string, mtu int) error { return configureDarwin(interfaceName, ip, ipNet) case "windows": return configureWindows(interfaceName, ip, ipNet) - default: - return fmt.Errorf("unsupported operating system: %s", runtime.GOOS) } + + return nil } // waitForInterfaceUp polls the network interface until it's up or times out From b84d4657634293a3aa567f7472d1ef5daa5fcc78 Mon Sep 17 00:00:00 2001 From: Owen Date: Mon, 12 Jan 2026 12:31:38 -0800 Subject: [PATCH 32/58] Add noop for android ios --- network/interface.go | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/network/interface.go b/network/interface.go index e110ec1..3a82865 100644 --- a/network/interface.go +++ b/network/interface.go @@ -44,9 +44,13 @@ func ConfigureInterface(interfaceName string, tunnelIp string, mtu int) error { return configureDarwin(interfaceName, ip, ipNet) case "windows": return configureWindows(interfaceName, ip, ipNet) - default: - return fmt.Errorf("unsupported operating system: %s", runtime.GOOS) + case "android": + return nil + case "ios": + return nil } + + return nil } // waitForInterfaceUp polls the network interface until it's up or times out From 8c12db6dff25c6fbffb3420a219846db0a3f442b Mon Sep 17 00:00:00 2001 From: Owen Date: Mon, 12 Jan 2026 14:21:05 -0800 Subject: [PATCH 33/58] Try to improve cpu usage --- holepunch/tester.go | 89 ++++++++++++++++++++++++++++++++++++++------- 1 file changed, 75 insertions(+), 14 deletions(-) diff --git a/holepunch/tester.go b/holepunch/tester.go index 3bebc4d..babaac9 100644 --- a/holepunch/tester.go +++ b/holepunch/tester.go @@ -41,6 +41,12 @@ func DefaultTestOptions() TestConnectionOptions { } } +// cachedAddr holds a cached resolved UDP address +type cachedAddr struct { + addr *net.UDPAddr + resolvedAt time.Time +} + // HolepunchTester monitors holepunch connectivity using magic packets type HolepunchTester struct { sharedBind *bind.SharedBind @@ -53,6 +59,11 @@ type HolepunchTester struct { // Callback when connection status changes callback HolepunchStatusCallback + + // Address cache to avoid repeated DNS/UDP resolution + addrCache map[string]*cachedAddr + addrCacheMu sync.RWMutex + addrCacheTTL time.Duration // How long cached addresses are valid } // HolepunchStatus represents the status of a holepunch connection @@ -75,7 +86,9 @@ type pendingRequest struct { // NewHolepunchTester creates a new holepunch tester using the given SharedBind func NewHolepunchTester(sharedBind *bind.SharedBind) *HolepunchTester { return &HolepunchTester{ - sharedBind: sharedBind, + sharedBind: sharedBind, + addrCache: make(map[string]*cachedAddr), + addrCacheTTL: 5 * time.Minute, // Cache addresses for 5 minutes } } @@ -135,9 +148,67 @@ func (t *HolepunchTester) Stop() { return true }) + // Clear address cache + t.addrCacheMu.Lock() + t.addrCache = make(map[string]*cachedAddr) + t.addrCacheMu.Unlock() + logger.Debug("HolepunchTester stopped") } +// resolveEndpoint resolves an endpoint to a UDP address, using cache when possible +func (t *HolepunchTester) resolveEndpoint(endpoint string) (*net.UDPAddr, error) { + // Check cache first + t.addrCacheMu.RLock() + cached, ok := t.addrCache[endpoint] + ttl := t.addrCacheTTL + t.addrCacheMu.RUnlock() + + if ok && time.Since(cached.resolvedAt) < ttl { + return cached.addr, nil + } + + // Resolve the endpoint + host, err := util.ResolveDomain(endpoint) + if err != nil { + host = endpoint + } + + _, _, err = net.SplitHostPort(host) + if err != nil { + host = net.JoinHostPort(host, "21820") + } + + remoteAddr, err := net.ResolveUDPAddr("udp", host) + if err != nil { + return nil, fmt.Errorf("failed to resolve UDP address %s: %w", host, err) + } + + // Cache the result + t.addrCacheMu.Lock() + t.addrCache[endpoint] = &cachedAddr{ + addr: remoteAddr, + resolvedAt: time.Now(), + } + t.addrCacheMu.Unlock() + + return remoteAddr, nil +} + +// InvalidateCache removes a specific endpoint from the address cache +func (t *HolepunchTester) InvalidateCache(endpoint string) { + t.addrCacheMu.Lock() + delete(t.addrCache, endpoint) + t.addrCacheMu.Unlock() +} + +// ClearCache clears all cached addresses +func (t *HolepunchTester) ClearCache() { + t.addrCacheMu.Lock() + t.addrCache = make(map[string]*cachedAddr) + t.addrCacheMu.Unlock() +} + // handleResponse is called by SharedBind when a magic response is received func (t *HolepunchTester) handleResponse(addr netip.AddrPort, echoData []byte) { logger.Debug("Received magic response from %s", addr.String()) @@ -183,20 +254,10 @@ func (t *HolepunchTester) TestEndpoint(endpoint string, timeout time.Duration) T return result } - // Resolve the endpoint - host, err := util.ResolveDomain(endpoint) + // Resolve the endpoint (using cache) + remoteAddr, err := t.resolveEndpoint(endpoint) if err != nil { - host = endpoint - } - - _, _, err = net.SplitHostPort(host) - if err != nil { - host = net.JoinHostPort(host, "21820") - } - - remoteAddr, err := net.ResolveUDPAddr("udp", host) - if err != nil { - result.Error = fmt.Errorf("failed to resolve UDP address %s: %w", host, err) + result.Error = err return result } From 69952efe89f92156bab562636791d6621e49f385 Mon Sep 17 00:00:00 2001 From: Owen Date: Mon, 12 Jan 2026 16:01:15 -0800 Subject: [PATCH 34/58] Fix bug where not all routes are added --- network/route.go | 38 ++++++++++++++++++++++++-------------- 1 file changed, 24 insertions(+), 14 deletions(-) diff --git a/network/route.go b/network/route.go index b1b33c4..8aae063 100644 --- a/network/route.go +++ b/network/route.go @@ -221,15 +221,20 @@ func AddRoutes(remoteSubnets []string, interfaceName string) error { switch runtime.GOOS { case "darwin": - return DarwinAddRoute(subnet, "", interfaceName) + if err := DarwinAddRoute(subnet, "", interfaceName); err != nil { + logger.Error("Failed to add Darwin route for subnet %s: %v", subnet, err) + } case "windows": - return WindowsAddRoute(subnet, "", interfaceName) + if err := WindowsAddRoute(subnet, "", interfaceName); err != nil { + logger.Error("Failed to add Windows route for subnet %s: %v", subnet, err) + } case "linux": - return LinuxAddRoute(subnet, "", interfaceName) - case "android": - return nil - case "ios": - return nil + if err := LinuxAddRoute(subnet, "", interfaceName); err != nil { + logger.Error("Failed to add Linux route for subnet %s: %v", subnet, err) + } + case "android", "ios": + // Routes handled by the OS/VPN service + continue } logger.Info("Added route for remote subnet: %s", subnet) @@ -258,15 +263,20 @@ func RemoveRoutes(remoteSubnets []string) error { // Remove route based on operating system switch runtime.GOOS { case "darwin": - return DarwinRemoveRoute(subnet) + if err := DarwinRemoveRoute(subnet); err != nil { + logger.Error("Failed to remove Darwin route for subnet %s: %v", subnet, err) + } case "windows": - return WindowsRemoveRoute(subnet) + if err := WindowsRemoveRoute(subnet); err != nil { + logger.Error("Failed to remove Windows route for subnet %s: %v", subnet, err) + } case "linux": - return LinuxRemoveRoute(subnet) - case "android": - return nil - case "ios": - return nil + if err := LinuxRemoveRoute(subnet); err != nil { + logger.Error("Failed to remove Linux route for subnet %s: %v", subnet, err) + } + case "android", "ios": + // Routes handled by the OS/VPN service + continue } logger.Info("Removed route for remote subnet: %s", subnet) From 060d8764296114dc40c7316c41d32e2461cb289a Mon Sep 17 00:00:00 2001 From: Owen Date: Wed, 14 Jan 2026 17:09:27 -0800 Subject: [PATCH 35/58] Allow updating the intervals --- holepunch/holepunch.go | 77 +++++++++++++++++++++++++++++++----------- 1 file changed, 57 insertions(+), 20 deletions(-) diff --git a/holepunch/holepunch.go b/holepunch/holepunch.go index ab1d9e0..85679a9 100644 --- a/holepunch/holepunch.go +++ b/holepunch/holepunch.go @@ -38,21 +38,29 @@ type Manager struct { exitNodes map[string]ExitNode // key is endpoint updateChan chan struct{} // signals the goroutine to refresh exit nodes - sendHolepunchInterval time.Duration + sendHolepunchInterval time.Duration + sendHolepunchIntervalMin time.Duration + sendHolepunchIntervalMax time.Duration + defaultIntervalMin time.Duration + defaultIntervalMax time.Duration } -const sendHolepunchIntervalMax = 60 * time.Second -const sendHolepunchIntervalMin = 1 * time.Second +const defaultSendHolepunchIntervalMax = 60 * time.Second +const defaultSendHolepunchIntervalMin = 1 * time.Second // NewManager creates a new hole punch manager func NewManager(sharedBind *bind.SharedBind, ID string, clientType string, publicKey string) *Manager { return &Manager{ - sharedBind: sharedBind, - ID: ID, - clientType: clientType, - publicKey: publicKey, - exitNodes: make(map[string]ExitNode), - sendHolepunchInterval: sendHolepunchIntervalMin, + sharedBind: sharedBind, + ID: ID, + clientType: clientType, + publicKey: publicKey, + exitNodes: make(map[string]ExitNode), + sendHolepunchInterval: defaultSendHolepunchIntervalMin, + sendHolepunchIntervalMin: defaultSendHolepunchIntervalMin, + sendHolepunchIntervalMax: defaultSendHolepunchIntervalMax, + defaultIntervalMin: defaultSendHolepunchIntervalMin, + defaultIntervalMax: defaultSendHolepunchIntervalMax, } } @@ -200,17 +208,46 @@ func (m *Manager) GetExitNodes() []ExitNode { return nodes } -// ResetInterval resets the hole punch interval back to the minimum value, -// allowing it to climb back up through exponential backoff. -// This is useful when network conditions change or connectivity is restored. -func (m *Manager) ResetInterval() { +// SetServerHolepunchInterval sets custom min and max intervals for hole punching. +// This is useful for low power mode where longer intervals are desired. +func (m *Manager) SetServerHolepunchInterval(min, max time.Duration) { m.mu.Lock() defer m.mu.Unlock() - if m.sendHolepunchInterval != sendHolepunchIntervalMin { - m.sendHolepunchInterval = sendHolepunchIntervalMin - logger.Info("Reset hole punch interval to minimum (%v)", sendHolepunchIntervalMin) + m.sendHolepunchIntervalMin = min + m.sendHolepunchIntervalMax = max + m.sendHolepunchInterval = min + + logger.Info("Set hole punch intervals: min=%v, max=%v", min, max) + + // Signal the goroutine to apply the new interval if running + if m.running && m.updateChan != nil { + select { + case m.updateChan <- struct{}{}: + default: + // Channel full or closed, skip + } } +} + +// GetInterval returns the current min and max intervals +func (m *Manager) GetServerHolepunchInterval() (min, max time.Duration) { + m.mu.Lock() + defer m.mu.Unlock() + return m.sendHolepunchIntervalMin, m.sendHolepunchIntervalMax +} + +// ResetServerHolepunchInterval resets the hole punch interval back to the default values. +// This restores normal operation after low power mode or other custom settings. +func (m *Manager) ResetServerHolepunchInterval() { + m.mu.Lock() + defer m.mu.Unlock() + + m.sendHolepunchIntervalMin = m.defaultIntervalMin + m.sendHolepunchIntervalMax = m.defaultIntervalMax + m.sendHolepunchInterval = m.defaultIntervalMin + + logger.Info("Reset hole punch intervals to defaults: min=%v, max=%v", m.defaultIntervalMin, m.defaultIntervalMax) // Signal the goroutine to apply the new interval if running if m.running && m.updateChan != nil { @@ -393,7 +430,7 @@ func (m *Manager) runMultipleExitNodes() { // Start with minimum interval m.mu.Lock() - m.sendHolepunchInterval = sendHolepunchIntervalMin + m.sendHolepunchInterval = m.sendHolepunchIntervalMin m.mu.Unlock() ticker := time.NewTicker(m.sendHolepunchInterval) @@ -415,7 +452,7 @@ func (m *Manager) runMultipleExitNodes() { } // Reset interval to minimum on update m.mu.Lock() - m.sendHolepunchInterval = sendHolepunchIntervalMin + m.sendHolepunchInterval = m.sendHolepunchIntervalMin m.mu.Unlock() ticker.Reset(m.sendHolepunchInterval) // Send immediate hole punch to newly resolved nodes @@ -435,8 +472,8 @@ func (m *Manager) runMultipleExitNodes() { // Exponential backoff: double the interval up to max m.mu.Lock() newInterval := m.sendHolepunchInterval * 2 - if newInterval > sendHolepunchIntervalMax { - newInterval = sendHolepunchIntervalMax + if newInterval > m.sendHolepunchIntervalMax { + newInterval = m.sendHolepunchIntervalMax } if newInterval != m.sendHolepunchInterval { m.sendHolepunchInterval = newInterval From 91bfd69179ec3ad51f8338b42456de122258f89b Mon Sep 17 00:00:00 2001 From: Owen Date: Fri, 16 Jan 2026 17:54:05 -0800 Subject: [PATCH 36/58] Filter out no bandwidth peers --- clients/clients.go | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/clients/clients.go b/clients/clients.go index c19e7af..b7065fa 100644 --- a/clients/clients.go +++ b/clients/clients.go @@ -1035,21 +1035,22 @@ func (s *WireGuardService) processPeerBandwidth(publicKey string, rxBytes, txByt // Update the last reading s.lastReadings[publicKey] = currentReading - return &PeerBandwidth{ - PublicKey: publicKey, - BytesIn: bytesInMB, - BytesOut: bytesOutMB, + // Only return bandwidth data if there was an increase + if bytesInDiff > 0 || bytesOutDiff > 0 { + return &PeerBandwidth{ + PublicKey: publicKey, + BytesIn: bytesInMB, + BytesOut: bytesOutMB, + } } + + return nil } } - // For first reading or if readings are too close together, report 0 + // For first reading or if readings are too close together, don't report s.lastReadings[publicKey] = currentReading - return &PeerBandwidth{ - PublicKey: publicKey, - BytesIn: 0, - BytesOut: 0, - } + return nil } func (s *WireGuardService) reportPeerBandwidth() error { From dca29781f37b422cd9a23cdaa318071f998558c9 Mon Sep 17 00:00:00 2001 From: Owen Date: Sat, 17 Jan 2026 17:06:01 -0800 Subject: [PATCH 37/58] Rebind in shared bind --- bind/shared_bind.go | 65 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+) diff --git a/bind/shared_bind.go b/bind/shared_bind.go index 3625a17..5716eb3 100644 --- a/bind/shared_bind.go +++ b/bind/shared_bind.go @@ -310,6 +310,71 @@ func (b *SharedBind) IsClosed() bool { return b.closed.Load() } +// GetPort returns the current UDP port the bind is using. +// This is useful when rebinding to try to reuse the same port. +func (b *SharedBind) GetPort() uint16 { + b.mu.RLock() + defer b.mu.RUnlock() + return b.port +} + +// Rebind replaces the underlying UDP connection with a new one. +// This is necessary when network connectivity changes (e.g., WiFi to cellular +// transition on macOS/iOS) and the old socket becomes stale. +// +// The caller is responsible for creating the new UDP connection and passing it here. +// After rebind, the caller should trigger a hole punch to re-establish NAT mappings. +func (b *SharedBind) Rebind(newConn *net.UDPConn) error { + if newConn == nil { + return fmt.Errorf("newConn cannot be nil") + } + + b.mu.Lock() + defer b.mu.Unlock() + + if b.closed.Load() { + return fmt.Errorf("bind is closed") + } + + // Close the old connection + if b.udpConn != nil { + logger.Debug("Closing old UDP connection during rebind") + b.udpConn.Close() + } + + // Set up the new connection + b.udpConn = newConn + + // Update packet connections for the new socket + if runtime.GOOS == "linux" || runtime.GOOS == "android" { + b.ipv4PC = ipv4.NewPacketConn(newConn) + b.ipv6PC = ipv6.NewPacketConn(newConn) + + // Re-initialize message buffers for batch operations + batchSize := wgConn.IdealBatchSize + b.ipv4Msgs = make([]ipv4.Message, batchSize) + for i := range b.ipv4Msgs { + b.ipv4Msgs[i].OOB = make([]byte, 0) + } + } else { + // For non-Linux platforms, still set up ipv4PC for consistency + b.ipv4PC = ipv4.NewPacketConn(newConn) + b.ipv6PC = ipv6.NewPacketConn(newConn) + } + + // Update the port + if addr, ok := newConn.LocalAddr().(*net.UDPAddr); ok { + b.port = uint16(addr.Port) + logger.Info("Rebound UDP socket to port %d", b.port) + } + + // Note: recvFuncs don't need to be recreated because they reference b.udpConn + // and b.ipv4PC through the SharedBind struct, which we just updated. + // The receive functions will automatically use the new connection on their next read. + + return nil +} + // SetMagicResponseCallback sets a callback function that will be called when // a magic test response packet is received. This is used for holepunch testing. // Pass nil to clear the callback. From ddde1758e5970f29ed088a41f930bc2f6d52c93b Mon Sep 17 00:00:00 2001 From: Owen Date: Sat, 17 Jan 2026 17:35:10 -0800 Subject: [PATCH 38/58] Try to close the socket first --- bind/shared_bind.go | 32 +++++++++++++++++++++++++++++++- 1 file changed, 31 insertions(+), 1 deletion(-) diff --git a/bind/shared_bind.go b/bind/shared_bind.go index 5716eb3..7f40d04 100644 --- a/bind/shared_bind.go +++ b/bind/shared_bind.go @@ -318,12 +318,41 @@ func (b *SharedBind) GetPort() uint16 { return b.port } +// CloseSocket closes the underlying UDP connection to release the port, +// but keeps the SharedBind in a state where it can accept a new connection via Rebind. +// This allows the caller to close the old socket first, then bind a new socket +// to the same port before calling Rebind. +// +// Returns the port that was being used, so the caller can attempt to rebind to it. +func (b *SharedBind) CloseSocket() (uint16, error) { + b.mu.Lock() + defer b.mu.Unlock() + + if b.closed.Load() { + return 0, fmt.Errorf("bind is closed") + } + + port := b.port + + // Close the old connection to release the port + if b.udpConn != nil { + logger.Debug("Closing UDP connection to release port %d", port) + b.udpConn.Close() + b.udpConn = nil + } + + return port, nil +} + // Rebind replaces the underlying UDP connection with a new one. // This is necessary when network connectivity changes (e.g., WiFi to cellular // transition on macOS/iOS) and the old socket becomes stale. // // The caller is responsible for creating the new UDP connection and passing it here. // After rebind, the caller should trigger a hole punch to re-establish NAT mappings. +// +// Note: Call CloseSocket() first if you need to rebind to the same port, as the +// old socket must be closed before a new socket can bind to the same port. func (b *SharedBind) Rebind(newConn *net.UDPConn) error { if newConn == nil { return fmt.Errorf("newConn cannot be nil") @@ -336,7 +365,8 @@ func (b *SharedBind) Rebind(newConn *net.UDPConn) error { return fmt.Errorf("bind is closed") } - // Close the old connection + // Close the old connection if it's still open + // (it may have already been closed via CloseSocket) if b.udpConn != nil { logger.Debug("Closing old UDP connection during rebind") b.udpConn.Close() From 3739c237c774f6d426e59ab49c5590c0ddeec085 Mon Sep 17 00:00:00 2001 From: Owen Date: Sat, 17 Jan 2026 17:59:24 -0800 Subject: [PATCH 39/58] Handle rebind in the polling function --- bind/shared_bind.go | 113 +++++++++++++++++++++++++++++++++++++------- 1 file changed, 95 insertions(+), 18 deletions(-) diff --git a/bind/shared_bind.go b/bind/shared_bind.go index 7f40d04..ae930bd 100644 --- a/bind/shared_bind.go +++ b/bind/shared_bind.go @@ -10,6 +10,7 @@ import ( "runtime" "sync" "sync/atomic" + "time" "github.com/fosrl/newt/logger" "golang.org/x/net/ipv4" @@ -144,6 +145,10 @@ type SharedBind struct { // Callback for magic test responses (used for holepunch testing) magicResponseCallback atomic.Pointer[func(addr netip.AddrPort, echoData []byte)] + + // Rebinding state - used to keep receive goroutines alive during socket transition + rebinding bool // true when socket is being replaced + rebindingCond *sync.Cond // signaled when rebind completes } // MagicResponseCallback is the function signature for magic packet response callbacks @@ -163,6 +168,9 @@ func New(udpConn *net.UDPConn) (*SharedBind, error) { closeChan: make(chan struct{}), } + // Initialize the rebinding condition variable + bind.rebindingCond = sync.NewCond(&bind.mu) + // Initialize reference count to 1 (the creator holds the first reference) bind.refCount.Store(1) @@ -324,6 +332,8 @@ func (b *SharedBind) GetPort() uint16 { // to the same port before calling Rebind. // // Returns the port that was being used, so the caller can attempt to rebind to it. +// Sets the rebinding flag so receive goroutines will wait for the new socket +// instead of exiting. func (b *SharedBind) CloseSocket() (uint16, error) { b.mu.Lock() defer b.mu.Unlock() @@ -334,9 +344,13 @@ func (b *SharedBind) CloseSocket() (uint16, error) { port := b.port + // Set rebinding flag BEFORE closing the socket so receive goroutines + // know to wait instead of exit + b.rebinding = true + // Close the old connection to release the port if b.udpConn != nil { - logger.Debug("Closing UDP connection to release port %d", port) + logger.Debug("Closing UDP connection to release port %d (rebinding)", port) b.udpConn.Close() b.udpConn = nil } @@ -398,9 +412,11 @@ func (b *SharedBind) Rebind(newConn *net.UDPConn) error { logger.Info("Rebound UDP socket to port %d", b.port) } - // Note: recvFuncs don't need to be recreated because they reference b.udpConn - // and b.ipv4PC through the SharedBind struct, which we just updated. - // The receive functions will automatically use the new connection on their next read. + // Clear the rebinding flag and wake up any waiting receive goroutines + b.rebinding = false + b.rebindingCond.Broadcast() + + logger.Debug("Rebind complete, signaled waiting receive goroutines") return nil } @@ -487,24 +503,77 @@ func (b *SharedBind) Open(uport uint16) ([]wgConn.ReceiveFunc, uint16, error) { // makeReceiveSocket creates a receive function for physical UDP socket packets func (b *SharedBind) makeReceiveSocket() wgConn.ReceiveFunc { return func(bufs [][]byte, sizes []int, eps []wgConn.Endpoint) (n int, err error) { - if b.closed.Load() { - return 0, net.ErrClosed - } + for { + if b.closed.Load() { + return 0, net.ErrClosed + } - b.mu.RLock() - conn := b.udpConn - pc := b.ipv4PC - b.mu.RUnlock() + b.mu.RLock() + conn := b.udpConn + pc := b.ipv4PC + b.mu.RUnlock() - if conn == nil { - return 0, net.ErrClosed - } + if conn == nil { + // Socket is nil - check if we're rebinding or truly closed + if b.closed.Load() { + return 0, net.ErrClosed + } - // Use batch reading on Linux for performance - if pc != nil && (runtime.GOOS == "linux" || runtime.GOOS == "android") { - return b.receiveIPv4Batch(pc, bufs, sizes, eps) + // Wait for rebind to complete + b.mu.Lock() + for b.rebinding && !b.closed.Load() { + logger.Debug("Receive goroutine waiting for socket rebind to complete") + b.rebindingCond.Wait() + } + b.mu.Unlock() + + // Check again after waking up + if b.closed.Load() { + return 0, net.ErrClosed + } + + // Loop back to retry with new socket + continue + } + + // Use batch reading on Linux for performance + var n int + var err error + if pc != nil && (runtime.GOOS == "linux" || runtime.GOOS == "android") { + n, err = b.receiveIPv4Batch(pc, bufs, sizes, eps) + } else { + n, err = b.receiveIPv4Simple(conn, bufs, sizes, eps) + } + + if err != nil { + // Check if this error is due to rebinding + b.mu.RLock() + rebinding := b.rebinding + b.mu.RUnlock() + + if rebinding { + logger.Debug("Receive got error during rebind, waiting for new socket: %v", err) + // Wait for rebind to complete and retry + b.mu.Lock() + for b.rebinding && !b.closed.Load() { + b.rebindingCond.Wait() + } + b.mu.Unlock() + + if b.closed.Load() { + return 0, net.ErrClosed + } + + // Retry with new socket + continue + } + + // Not rebinding, return the error + return 0, err + } + + return n, nil } - return b.receiveIPv4Simple(conn, bufs, sizes, eps) } } @@ -587,9 +656,17 @@ func (b *SharedBind) receiveIPv4Batch(pc *ipv4.PacketConn, bufs [][]byte, sizes // receiveIPv4Simple uses simple ReadFromUDP for non-Linux platforms func (b *SharedBind) receiveIPv4Simple(conn *net.UDPConn, bufs [][]byte, sizes []int, eps []wgConn.Endpoint) (int, error) { + // Set a read deadline so we can periodically check for rebind state + // This prevents blocking forever on a socket that's about to be closed + conn.SetReadDeadline(time.Now().Add(1 * time.Second)) for { n, addr, err := conn.ReadFromUDP(bufs[0]) if err != nil { + // Check if this is a timeout - if so, just return the error + // so the caller can check rebind state and retry + if netErr, ok := err.(net.Error); ok && netErr.Timeout() { + return 0, err + } return 0, err } From daa1a90e05813075d317d482c7fc8b28e4b32767 Mon Sep 17 00:00:00 2001 From: Owen Date: Sun, 18 Jan 2026 11:18:29 -0800 Subject: [PATCH 40/58] Dont block waiting for a rebind signal --- bind/shared_bind.go | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/bind/shared_bind.go b/bind/shared_bind.go index ae930bd..502e401 100644 --- a/bind/shared_bind.go +++ b/bind/shared_bind.go @@ -10,7 +10,6 @@ import ( "runtime" "sync" "sync/atomic" - "time" "github.com/fosrl/newt/logger" "golang.org/x/net/ipv4" @@ -656,17 +655,11 @@ func (b *SharedBind) receiveIPv4Batch(pc *ipv4.PacketConn, bufs [][]byte, sizes // receiveIPv4Simple uses simple ReadFromUDP for non-Linux platforms func (b *SharedBind) receiveIPv4Simple(conn *net.UDPConn, bufs [][]byte, sizes []int, eps []wgConn.Endpoint) (int, error) { - // Set a read deadline so we can periodically check for rebind state - // This prevents blocking forever on a socket that's about to be closed - conn.SetReadDeadline(time.Now().Add(1 * time.Second)) + // No read deadline - we rely on socket close to unblock during rebind. + // The caller (makeReceiveSocket) handles rebind state when errors occur. for { n, addr, err := conn.ReadFromUDP(bufs[0]) if err != nil { - // Check if this is a timeout - if so, just return the error - // so the caller can check rebind state and retry - if netErr, ok := err.(net.Error); ok && netErr.Timeout() { - return 0, err - } return 0, err } From 43e1341352f1855c4fec72268b00c6f78ea3babb Mon Sep 17 00:00:00 2001 From: Owen Date: Sun, 18 Jan 2026 15:20:13 -0800 Subject: [PATCH 41/58] Disable metrics by default --- main.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.go b/main.go index 7d6cbff..4016ad3 100644 --- a/main.go +++ b/main.go @@ -344,7 +344,7 @@ func runNewtMain(ctx context.Context) { // Metrics/observability flags (mirror ENV if unset) if metricsEnabledEnv == "" { - flag.BoolVar(&metricsEnabled, "metrics", true, "Enable Prometheus /metrics exporter") + flag.BoolVar(&metricsEnabled, "metrics", false, "Enable Prometheus metrics exporter") } else { if v, err := strconv.ParseBool(metricsEnabledEnv); err == nil { metricsEnabled = v From 77d99f1722edb0e11878d1d78090ab5728b59507 Mon Sep 17 00:00:00 2001 From: Owen Date: Mon, 19 Jan 2026 17:11:48 -0800 Subject: [PATCH 42/58] Add stale bot --- .github/workflows/stale-bot.yml | 37 +++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 .github/workflows/stale-bot.yml diff --git a/.github/workflows/stale-bot.yml b/.github/workflows/stale-bot.yml new file mode 100644 index 0000000..4df7e93 --- /dev/null +++ b/.github/workflows/stale-bot.yml @@ -0,0 +1,37 @@ +name: Mark and Close Stale Issues + +on: + schedule: + - cron: '0 0 * * *' + workflow_dispatch: # Allow manual trigger + +permissions: + contents: write # only for delete-branch option + issues: write + pull-requests: write + +jobs: + stale: + runs-on: ubuntu-latest + steps: + - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10.1.1 + with: + days-before-stale: 14 + days-before-close: 14 + stale-issue-message: 'This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.' + close-issue-message: 'This issue has been automatically closed due to inactivity. If you believe this is still relevant, please open a new issue with up-to-date information.' + stale-issue-label: 'stale' + + exempt-issue-labels: 'needs investigating, networking, new feature, reverse proxy, bug, api, authentication, documentation, enhancement, help wanted, good first issue, question' + + exempt-all-issue-assignees: true + + only-labels: '' + exempt-pr-labels: '' + days-before-pr-stale: -1 + days-before-pr-close: -1 + + operations-per-run: 100 + remove-stale-when-updated: true + delete-branch: false + enable-statistics: true From 6c3b85bb9aac7a81a865ffe76f355d09a818efe4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Dec 2025 09:36:51 +0000 Subject: [PATCH 43/58] chore(deps): bump docker/metadata-action from 5.9.0 to 5.10.0 Bumps [docker/metadata-action](https://github.com/docker/metadata-action) from 5.9.0 to 5.10.0. - [Release notes](https://github.com/docker/metadata-action/releases) - [Commits](https://github.com/docker/metadata-action/compare/318604b99e75e41977312d83839a89be02ca4893...c299e40c65443455700f0fdfc63efafe5b349051) --- updated-dependencies: - dependency-name: docker/metadata-action dependency-version: 5.10.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/cicd.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index 4edb510..f1d2b16 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -269,7 +269,7 @@ jobs: } >> "$GITHUB_ENV" - name: Docker meta id: meta - uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0 + uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 with: images: ${{ env.IMAGE_LIST }} tags: | From d91228f636b1b25dde3ddd2f58d5a3b8925cc31f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 23 Dec 2025 02:33:57 +0000 Subject: [PATCH 44/58] chore(deps): bump actions/checkout from 5.0.0 to 6.0.1 Bumps [actions/checkout](https://github.com/actions/checkout) from 5.0.0 to 6.0.1. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/08c6903cd8c0fde910a37f88322edcfb5dd907a8...8e8c483db84b4bee98b60c0593521ed34d9990e8) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.1 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/cicd.yml | 4 ++-- .github/workflows/nix-build.yml | 2 +- .github/workflows/nix-dependabot-update-hash.yml | 2 +- .github/workflows/test.yml | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index f1d2b16..c3d1772 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -48,7 +48,7 @@ jobs: contents: write steps: - name: Checkout repository - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: fetch-depth: 0 @@ -92,7 +92,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: fetch-depth: 0 diff --git a/.github/workflows/nix-build.yml b/.github/workflows/nix-build.yml index a97bcbd..b516d28 100644 --- a/.github/workflows/nix-build.yml +++ b/.github/workflows/nix-build.yml @@ -13,7 +13,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Install Nix uses: DeterminateSystems/nix-installer-action@main diff --git a/.github/workflows/nix-dependabot-update-hash.yml b/.github/workflows/nix-dependabot-update-hash.yml index 7e255f0..facb0db 100644 --- a/.github/workflows/nix-dependabot-update-hash.yml +++ b/.github/workflows/nix-dependabot-update-hash.yml @@ -16,7 +16,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: ref: ${{ github.head_ref }} token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 7d0b8f6..7011d54 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -28,7 +28,7 @@ jobs: - go-build-release-windows-amd64 steps: - name: Checkout repository - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Set up Go uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 From 4ac33c824bdbceeb54fed01461c8a1bbd2c59bdc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 15 Dec 2025 09:36:29 +0000 Subject: [PATCH 45/58] Bump actions/cache from 4.3.0 to 5.0.1 Bumps [actions/cache](https://github.com/actions/cache) from 4.3.0 to 5.0.1. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/0057852bfaa89a56745cba8c7296529d2fc39830...9255dc7a253b0ccc959486e2bca901246202afeb) --- updated-dependencies: - dependency-name: actions/cache dependency-version: 5.0.1 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/cicd.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index c3d1772..17ccd82 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -234,7 +234,7 @@ jobs: - name: Cache Go modules if: ${{ hashFiles('**/go.sum') != '' }} - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 + uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 with: path: | ~/.cache/go-build From cadbb50bdf49aa5f56146df853001e39591c9e66 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Dec 2025 09:30:48 +0000 Subject: [PATCH 46/58] Bump actions/attest-build-provenance from 3.0.0 to 3.1.0 Bumps [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) from 3.0.0 to 3.1.0. - [Release notes](https://github.com/actions/attest-build-provenance/releases) - [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md) - [Commits](https://github.com/actions/attest-build-provenance/compare/977bb373ede98d70efdf65b84cb5f73e068dcc2a...00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8) --- updated-dependencies: - dependency-name: actions/attest-build-provenance dependency-version: 3.1.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/cicd.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index 17ccd82..c883089 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -364,7 +364,7 @@ jobs: - name: Attest build provenance (GHCR) id: attest-ghcr - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 + uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0 with: subject-name: ${{ env.GHCR_IMAGE }} subject-digest: ${{ steps.build.outputs.digest }} @@ -374,7 +374,7 @@ jobs: - name: Attest build provenance (Docker Hub) continue-on-error: true id: attest-dh - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 + uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0 with: subject-name: index.docker.io/fosrl/${{ github.event.repository.name }} subject-digest: ${{ steps.build.outputs.digest }} From cdfc5733f07b889491b541c613fd59cc4ca62291 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Dec 2025 09:30:52 +0000 Subject: [PATCH 47/58] Bump docker/setup-buildx-action from 3.11.1 to 3.12.0 Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3.11.1 to 3.12.0. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/e468171a9de216ec08956ac3ada2f0791b6bd435...8d2750c68a42422c14e847fe6c8ac0403b4cbd6f) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-version: 3.12.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/cicd.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index c883089..fc4bfbf 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -104,7 +104,7 @@ jobs: uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: Log in to Docker Hub uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 From ff825a51dda87861deadbe2bbd49d65053a2c435 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 25 Dec 2025 09:16:56 +0000 Subject: [PATCH 48/58] Bump the prod-minor-updates group across 1 directory with 14 updates Bumps the prod-minor-updates group with 8 updates in the / directory: | Package | From | To | | --- | --- | --- | | [go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp](https://github.com/open-telemetry/opentelemetry-go-contrib) | `0.63.0` | `0.64.0` | | [go.opentelemetry.io/contrib/instrumentation/runtime](https://github.com/open-telemetry/opentelemetry-go-contrib) | `0.63.0` | `0.64.0` | | [go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc](https://github.com/open-telemetry/opentelemetry-go) | `1.38.0` | `1.39.0` | | [go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc](https://github.com/open-telemetry/opentelemetry-go) | `1.38.0` | `1.39.0` | | [go.opentelemetry.io/otel/exporters/prometheus](https://github.com/open-telemetry/opentelemetry-go) | `0.60.0` | `0.61.0` | | [golang.org/x/crypto](https://github.com/golang/crypto) | `0.45.0` | `0.46.0` | | [golang.org/x/net](https://github.com/golang/net) | `0.47.0` | `0.48.0` | | software.sslmate.com/src/go-pkcs12 | `0.6.0` | `0.7.0` | Updates `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` from 0.63.0 to 0.64.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go-contrib/compare/zpages/v0.63.0...zpages/v0.64.0) Updates `go.opentelemetry.io/contrib/instrumentation/runtime` from 0.63.0 to 0.64.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go-contrib/compare/zpages/v0.63.0...zpages/v0.64.0) Updates `go.opentelemetry.io/otel` from 1.38.0 to 1.39.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.38.0...v1.39.0) Updates `go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc` from 1.38.0 to 1.39.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.38.0...v1.39.0) Updates `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc` from 1.38.0 to 1.39.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.38.0...v1.39.0) Updates `go.opentelemetry.io/otel/exporters/prometheus` from 0.60.0 to 0.61.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/exporters/prometheus/v0.60.0...exporters/prometheus/v0.61.0) Updates `go.opentelemetry.io/otel/metric` from 1.38.0 to 1.39.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.38.0...v1.39.0) Updates `go.opentelemetry.io/otel/sdk` from 1.38.0 to 1.39.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.38.0...v1.39.0) Updates `go.opentelemetry.io/otel/sdk/metric` from 1.38.0 to 1.39.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.38.0...v1.39.0) Updates `golang.org/x/crypto` from 0.45.0 to 0.46.0 - [Commits](https://github.com/golang/crypto/compare/v0.45.0...v0.46.0) Updates `golang.org/x/net` from 0.47.0 to 0.48.0 - [Commits](https://github.com/golang/net/compare/v0.47.0...v0.48.0) Updates `golang.org/x/sys` from 0.38.0 to 0.39.0 - [Commits](https://github.com/golang/sys/compare/v0.38.0...v0.39.0) Updates `google.golang.org/grpc` from 1.76.0 to 1.77.0 - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](https://github.com/grpc/grpc-go/compare/v1.76.0...v1.77.0) Updates `software.sslmate.com/src/go-pkcs12` from 0.6.0 to 0.7.0 --- updated-dependencies: - dependency-name: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp dependency-version: 0.64.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-minor-updates - dependency-name: go.opentelemetry.io/contrib/instrumentation/runtime dependency-version: 0.64.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-minor-updates - dependency-name: go.opentelemetry.io/otel dependency-version: 1.39.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-minor-updates - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc dependency-version: 1.39.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-minor-updates - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc dependency-version: 1.39.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-minor-updates - dependency-name: go.opentelemetry.io/otel/exporters/prometheus dependency-version: 0.61.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-minor-updates - dependency-name: go.opentelemetry.io/otel/metric dependency-version: 1.39.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-minor-updates - dependency-name: go.opentelemetry.io/otel/sdk dependency-version: 1.39.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-minor-updates - dependency-name: go.opentelemetry.io/otel/sdk/metric dependency-version: 1.39.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-minor-updates - dependency-name: golang.org/x/crypto dependency-version: 0.46.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-minor-updates - dependency-name: golang.org/x/net dependency-version: 0.48.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-minor-updates - dependency-name: golang.org/x/sys dependency-version: 0.39.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-minor-updates - dependency-name: google.golang.org/grpc dependency-version: 1.77.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-minor-updates - dependency-name: software.sslmate.com/src/go-pkcs12 dependency-version: 0.7.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-minor-updates ... Signed-off-by: dependabot[bot] --- go.mod | 57 ++++++++++++++-------------- go.sum | 118 ++++++++++++++++++++++++++++----------------------------- 2 files changed, 86 insertions(+), 89 deletions(-) diff --git a/go.mod b/go.mod index ac634ed..65bc4f9 100644 --- a/go.mod +++ b/go.mod @@ -7,26 +7,26 @@ require ( github.com/gorilla/websocket v1.5.3 github.com/prometheus/client_golang v1.23.2 github.com/vishvananda/netlink v1.3.1 - go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 - go.opentelemetry.io/contrib/instrumentation/runtime v0.63.0 - go.opentelemetry.io/otel v1.38.0 - go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.38.0 - go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0 - go.opentelemetry.io/otel/exporters/prometheus v0.60.0 - go.opentelemetry.io/otel/metric v1.38.0 - go.opentelemetry.io/otel/sdk v1.38.0 - go.opentelemetry.io/otel/sdk/metric v1.38.0 - golang.org/x/crypto v0.45.0 + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0 + go.opentelemetry.io/contrib/instrumentation/runtime v0.64.0 + go.opentelemetry.io/otel v1.39.0 + go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.39.0 + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.39.0 + go.opentelemetry.io/otel/exporters/prometheus v0.61.0 + go.opentelemetry.io/otel/metric v1.39.0 + go.opentelemetry.io/otel/sdk v1.39.0 + go.opentelemetry.io/otel/sdk/metric v1.39.0 + golang.org/x/crypto v0.46.0 golang.org/x/exp v0.0.0-20251113190631-e25ba8c21ef6 - golang.org/x/net v0.47.0 - golang.org/x/sys v0.38.0 + golang.org/x/net v0.48.0 + golang.org/x/sys v0.39.0 golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10 golang.zx2c4.com/wireguard/windows v0.5.3 - google.golang.org/grpc v1.76.0 + google.golang.org/grpc v1.77.0 gopkg.in/yaml.v3 v3.0.1 gvisor.dev/gvisor v0.0.0-20250503011706-39ed1f5ac29c - software.sslmate.com/src/go-pkcs12 v0.6.0 + software.sslmate.com/src/go-pkcs12 v0.7.0 ) require ( @@ -44,8 +44,7 @@ require ( github.com/go-logr/stdr v1.2.2 // indirect github.com/google/btree v1.1.3 // indirect github.com/google/uuid v1.6.0 // indirect - github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc // indirect - github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 // indirect + github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3 // indirect github.com/moby/docker-image-spec v1.3.1 // indirect github.com/moby/sys/atomicwriter v0.1.0 // indirect github.com/moby/term v0.5.2 // indirect @@ -55,23 +54,23 @@ require ( github.com/opencontainers/image-spec v1.1.0 // indirect github.com/pkg/errors v0.9.1 // indirect github.com/prometheus/client_model v0.6.2 // indirect - github.com/prometheus/common v0.66.1 // indirect - github.com/prometheus/otlptranslator v0.0.2 // indirect - github.com/prometheus/procfs v0.17.0 // indirect + github.com/prometheus/common v0.67.4 // indirect + github.com/prometheus/otlptranslator v1.0.0 // indirect + github.com/prometheus/procfs v0.19.2 // indirect github.com/vishvananda/netns v0.0.5 // indirect - go.opentelemetry.io/auto/sdk v1.1.0 // indirect - go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0 // indirect + go.opentelemetry.io/auto/sdk v1.2.1 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.39.0 // indirect go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0 // indirect - go.opentelemetry.io/otel/trace v1.38.0 // indirect - go.opentelemetry.io/proto/otlp v1.7.1 // indirect - go.yaml.in/yaml/v2 v2.4.2 // indirect + go.opentelemetry.io/otel/trace v1.39.0 // indirect + go.opentelemetry.io/proto/otlp v1.9.0 // indirect + go.yaml.in/yaml/v2 v2.4.3 // indirect golang.org/x/mod v0.30.0 // indirect - golang.org/x/sync v0.18.0 // indirect - golang.org/x/text v0.31.0 // indirect + golang.org/x/sync v0.19.0 // indirect + golang.org/x/text v0.32.0 // indirect golang.org/x/time v0.12.0 // indirect golang.org/x/tools v0.39.0 // indirect golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5 // indirect - google.golang.org/protobuf v1.36.8 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 // indirect + google.golang.org/protobuf v1.36.10 // indirect ) diff --git a/go.sum b/go.sum index 835b0e7..4a7852f 100644 --- a/go.sum +++ b/go.sum @@ -41,10 +41,8 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg= github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= -github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc h1:GN2Lv3MGO7AS6PrRoT6yV5+wkrOpcszoIsO4+4ds248= -github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc/go.mod h1:+JKpmjMGhpgPL+rXZ5nsZieVzvarn86asRlBg4uNGnk= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 h1:8Tjv8EJ+pM1xP8mK6egEbD1OgnVTyacbefKhmbLhIhU= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2/go.mod h1:pkJQ2tZHJ0aFOVEEot6oZmaVEZcRme73eIFmhiVuRWs= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3 h1:NmZ1PKzSTQbuGHw9DGPFomqkkLWMC+vZCkfs+FHv1Vg= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3/go.mod h1:zQrxl1YP88HQlA6i9c63DSVPFklWpGX4OWAc9bFuaH4= github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo= github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= @@ -77,14 +75,14 @@ github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg= github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk= github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE= -github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs= -github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA= -github.com/prometheus/otlptranslator v0.0.2 h1:+1CdeLVrRQ6Psmhnobldo0kTp96Rj80DRXRd5OSnMEQ= -github.com/prometheus/otlptranslator v0.0.2/go.mod h1:P8AwMgdD7XEr6QRUJ2QWLpiAZTgTE2UYgjlu3svompI= -github.com/prometheus/procfs v0.17.0 h1:FuLQ+05u4ZI+SS/w9+BWEM2TXiHKsUQ9TADiRH7DuK0= -github.com/prometheus/procfs v0.17.0/go.mod h1:oPQLaDAMRbA+u8H5Pbfq+dl3VDAvHxMUOVhe0wYB2zw= -github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII= -github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o= +github.com/prometheus/common v0.67.4 h1:yR3NqWO1/UyO1w2PhUvXlGQs/PtFmoveVO0KZ4+Lvsc= +github.com/prometheus/common v0.67.4/go.mod h1:gP0fq6YjjNCLssJCQp0yk4M8W6ikLURwkdd/YKtTbyI= +github.com/prometheus/otlptranslator v1.0.0 h1:s0LJW/iN9dkIH+EnhiD3BlkkP5QVIUVEoIwkU+A6qos= +github.com/prometheus/otlptranslator v1.0.0/go.mod h1:vRYWnXvI6aWGpsdY/mOT/cbeVRBlPWtBNDb7kGR3uKM= +github.com/prometheus/procfs v0.19.2 h1:zUMhqEW66Ex7OXIiDkll3tl9a1ZdilUOd/F6ZXw4Vws= +github.com/prometheus/procfs v0.19.2/go.mod h1:M0aotyiemPhBCM0z5w87kL22CxfcH05ZpYlu+b4J7mw= +github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ= +github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc= github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U= @@ -93,54 +91,54 @@ github.com/vishvananda/netlink v1.3.1 h1:3AEMt62VKqz90r0tmNhog0r/PpWKmrEShJU0wJW github.com/vishvananda/netlink v1.3.1/go.mod h1:ARtKouGSTGchR8aMwmkzC0qiNPrrWO5JS/XMVl45+b4= github.com/vishvananda/netns v0.0.5 h1:DfiHV+j8bA32MFM7bfEunvT8IAqQ/NzSJHtcmW5zdEY= github.com/vishvananda/netns v0.0.5/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM= -go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA= -go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 h1:RbKq8BG0FI8OiXhBfcRtqqHcZcka+gU3cskNuf05R18= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0/go.mod h1:h06DGIukJOevXaj/xrNjhi/2098RZzcLTbc0jDAUbsg= -go.opentelemetry.io/contrib/instrumentation/runtime v0.63.0 h1:PeBoRj6af6xMI7qCupwFvTbbnd49V7n5YpG6pg8iDYQ= -go.opentelemetry.io/contrib/instrumentation/runtime v0.63.0/go.mod h1:ingqBCtMCe8I4vpz/UVzCW6sxoqgZB37nao91mLQ3Bw= -go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8= -go.opentelemetry.io/otel v1.38.0/go.mod h1:zcmtmQ1+YmQM9wrNsTGV/q/uyusom3P8RxwExxkZhjM= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.38.0 h1:vl9obrcoWVKp/lwl8tRE33853I8Xru9HFbw/skNeLs8= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.38.0/go.mod h1:GAXRxmLJcVM3u22IjTg74zWBrRCKq8BnOqUVLodpcpw= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0 h1:GqRJVj7UmLjCVyVJ3ZFLdPRmhDUp2zFmQe3RHIOsw24= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0/go.mod h1:ri3aaHSmCTVYu2AWv44YMauwAQc0aqI9gHKIcSbI1pU= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0 h1:lwI4Dc5leUqENgGuQImwLo4WnuXFPetmPpkLi2IrX54= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0/go.mod h1:Kz/oCE7z5wuyhPxsXDuaPteSWqjSBD5YaSdbxZYGbGk= +go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64= +go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0 h1:ssfIgGNANqpVFCndZvcuyKbl0g+UAVcbBcqGkG28H0Y= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0/go.mod h1:GQ/474YrbE4Jx8gZ4q5I4hrhUzM6UPzyrqJYV2AqPoQ= +go.opentelemetry.io/contrib/instrumentation/runtime v0.64.0 h1:/+/+UjlXjFcdDlXxKL1PouzX8Z2Vl0OxolRKeBEgYDw= +go.opentelemetry.io/contrib/instrumentation/runtime v0.64.0/go.mod h1:Ldm/PDuzY2DP7IypudopCR3OCOW42NJlN9+mNEroevo= +go.opentelemetry.io/otel v1.39.0 h1:8yPrr/S0ND9QEfTfdP9V+SiwT4E0G7Y5MO7p85nis48= +go.opentelemetry.io/otel v1.39.0/go.mod h1:kLlFTywNWrFyEdH0oj2xK0bFYZtHRYUdv1NklR/tgc8= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.39.0 h1:cEf8jF6WbuGQWUVcqgyWtTR0kOOAWY1DYZ+UhvdmQPw= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.39.0/go.mod h1:k1lzV5n5U3HkGvTCJHraTAGJ7MqsgL1wrGwTj1Isfiw= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.39.0 h1:f0cb2XPmrqn4XMy9PNliTgRKJgS5WcL/u0/WRYGz4t0= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.39.0/go.mod h1:vnakAaFckOMiMtOIhFI2MNH4FYrZzXCYxmb1LlhoGz8= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.39.0 h1:in9O8ESIOlwJAEGTkkf34DesGRAc/Pn8qJ7k3r/42LM= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.39.0/go.mod h1:Rp0EXBm5tfnv0WL+ARyO/PHBEaEAT8UUHQ6AGJcSq6c= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0 h1:aTL7F04bJHUlztTsNGJ2l+6he8c+y/b//eR0jjjemT4= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0/go.mod h1:kldtb7jDTeol0l3ewcmd8SDvx3EmIE7lyvqbasU3QC4= -go.opentelemetry.io/otel/exporters/prometheus v0.60.0 h1:cGtQxGvZbnrWdC2GyjZi0PDKVSLWP/Jocix3QWfXtbo= -go.opentelemetry.io/otel/exporters/prometheus v0.60.0/go.mod h1:hkd1EekxNo69PTV4OWFGZcKQiIqg0RfuWExcPKFvepk= -go.opentelemetry.io/otel/metric v1.38.0 h1:Kl6lzIYGAh5M159u9NgiRkmoMKjvbsKtYRwgfrA6WpA= -go.opentelemetry.io/otel/metric v1.38.0/go.mod h1:kB5n/QoRM8YwmUahxvI3bO34eVtQf2i4utNVLr9gEmI= -go.opentelemetry.io/otel/sdk v1.38.0 h1:l48sr5YbNf2hpCUj/FoGhW9yDkl+Ma+LrVl8qaM5b+E= -go.opentelemetry.io/otel/sdk v1.38.0/go.mod h1:ghmNdGlVemJI3+ZB5iDEuk4bWA3GkTpW+DOoZMYBVVg= -go.opentelemetry.io/otel/sdk/metric v1.38.0 h1:aSH66iL0aZqo//xXzQLYozmWrXxyFkBJ6qT5wthqPoM= -go.opentelemetry.io/otel/sdk/metric v1.38.0/go.mod h1:dg9PBnW9XdQ1Hd6ZnRz689CbtrUp0wMMs9iPcgT9EZA= -go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJrmcNLE= -go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs= -go.opentelemetry.io/proto/otlp v1.7.1 h1:gTOMpGDb0WTBOP8JaO72iL3auEZhVmAQg4ipjOVAtj4= -go.opentelemetry.io/proto/otlp v1.7.1/go.mod h1:b2rVh6rfI/s2pHWNlB7ILJcRALpcNDzKhACevjI+ZnE= +go.opentelemetry.io/otel/exporters/prometheus v0.61.0 h1:cCyZS4dr67d30uDyh8etKM2QyDsQ4zC9ds3bdbrVoD0= +go.opentelemetry.io/otel/exporters/prometheus v0.61.0/go.mod h1:iivMuj3xpR2DkUrUya3TPS/Z9h3dz7h01GxU+fQBRNg= +go.opentelemetry.io/otel/metric v1.39.0 h1:d1UzonvEZriVfpNKEVmHXbdf909uGTOQjA0HF0Ls5Q0= +go.opentelemetry.io/otel/metric v1.39.0/go.mod h1:jrZSWL33sD7bBxg1xjrqyDjnuzTUB0x1nBERXd7Ftcs= +go.opentelemetry.io/otel/sdk v1.39.0 h1:nMLYcjVsvdui1B/4FRkwjzoRVsMK8uL/cj0OyhKzt18= +go.opentelemetry.io/otel/sdk v1.39.0/go.mod h1:vDojkC4/jsTJsE+kh+LXYQlbL8CgrEcwmt1ENZszdJE= +go.opentelemetry.io/otel/sdk/metric v1.39.0 h1:cXMVVFVgsIf2YL6QkRF4Urbr/aMInf+2WKg+sEJTtB8= +go.opentelemetry.io/otel/sdk/metric v1.39.0/go.mod h1:xq9HEVH7qeX69/JnwEfp6fVq5wosJsY1mt4lLfYdVew= +go.opentelemetry.io/otel/trace v1.39.0 h1:2d2vfpEDmCJ5zVYz7ijaJdOF59xLomrvj7bjt6/qCJI= +go.opentelemetry.io/otel/trace v1.39.0/go.mod h1:88w4/PnZSazkGzz/w84VHpQafiU4EtqqlVdxWy+rNOA= +go.opentelemetry.io/proto/otlp v1.9.0 h1:l706jCMITVouPOqEnii2fIAuO3IVGBRPV5ICjceRb/A= +go.opentelemetry.io/proto/otlp v1.9.0/go.mod h1:xE+Cx5E/eEHw+ISFkwPLwCZefwVjY+pqKg1qcK03+/4= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= -go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI= -go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU= -golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q= -golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4= +go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0= +go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8= +golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU= +golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0= golang.org/x/exp v0.0.0-20251113190631-e25ba8c21ef6 h1:zfMcR1Cs4KNuomFFgGefv5N0czO2XZpUbxGUy8i8ug0= golang.org/x/exp v0.0.0-20251113190631-e25ba8c21ef6/go.mod h1:46edojNIoXTNOhySWIWdix628clX9ODXwPsQuG6hsK0= golang.org/x/mod v0.30.0 h1:fDEXFVZ/fmCKProc/yAXXUijritrDzahmwwefnjoPFk= golang.org/x/mod v0.30.0/go.mod h1:lAsf5O2EvJeSFMiBxXDki7sCgAxEUcZHXoXMKT4GJKc= -golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY= -golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU= -golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I= -golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI= +golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU= +golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY= +golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4= +golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI= golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc= -golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= -golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM= -golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM= +golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk= +golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= +golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU= +golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY= golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE= golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg= golang.org/x/tools v0.39.0 h1:ik4ho21kwuQln40uelmciQPp9SipgNDdrafrYA4TmQQ= @@ -155,14 +153,14 @@ golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus golang.zx2c4.com/wireguard/windows v0.5.3/go.mod h1:9TEe8TJmtwyQebdFwAkEWOPr3prrtqm+REGFifP60hI= gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk= gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E= -google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 h1:BIRfGDEjiHRrk0QKZe3Xv2ieMhtgRGeLcZQ0mIVn4EY= -google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5/go.mod h1:j3QtIyytwqGr1JUDtYXwtMXWPKsEa5LtzIFN1Wn5WvE= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5 h1:eaY8u2EuxbRv7c3NiGK0/NedzVsCcV6hDuU5qPX5EGE= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5/go.mod h1:M4/wBTSeyLxupu3W3tJtOgB14jILAS/XWPSSa3TAlJc= -google.golang.org/grpc v1.76.0 h1:UnVkv1+uMLYXoIz6o7chp59WfQUYA2ex/BXQ9rHZu7A= -google.golang.org/grpc v1.76.0/go.mod h1:Ju12QI8M6iQJtbcsV+awF5a4hfJMLi4X0JLo94ULZ6c= -google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc= -google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU= +google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 h1:fCvbg86sFXwdrl5LgVcTEvNC+2txB5mgROGmRL5mrls= +google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:+rXWjjaukWZun3mLfjmVnQi18E1AsFbDN9QdJ5YXLto= +google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 h1:gRkg/vSppuSQoDjxyiGfN4Upv/h/DQmIR10ZU8dh4Ww= +google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk= +google.golang.org/grpc v1.77.0 h1:wVVY6/8cGA6vvffn+wWK5ToddbgdU3d8MNENr4evgXM= +google.golang.org/grpc v1.77.0/go.mod h1:z0BY1iVj0q8E1uSQCjL9cppRj+gnZjzDnzV0dHhrNig= +google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE= +google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= @@ -172,5 +170,5 @@ gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o= gotest.tools/v3 v3.4.0/go.mod h1:CtbdzLSsqVhDgMtKsx03ird5YTGB3ar27v0u/yKBW5g= gvisor.dev/gvisor v0.0.0-20250503011706-39ed1f5ac29c h1:m/r7OM+Y2Ty1sgBQ7Qb27VgIMBW8ZZhT4gLnUyDIhzI= gvisor.dev/gvisor v0.0.0-20250503011706-39ed1f5ac29c/go.mod h1:3r5CMtNQMKIvBlrmM9xWUNamjKBYPOWyXOjmg5Kts3g= -software.sslmate.com/src/go-pkcs12 v0.6.0 h1:f3sQittAeF+pao32Vb+mkli+ZyT+VwKaD014qFGq6oU= -software.sslmate.com/src/go-pkcs12 v0.6.0/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI= +software.sslmate.com/src/go-pkcs12 v0.7.0 h1:Db8W44cB54TWD7stUFFSWxdfpdn6fZVcDl0w3R4RVM0= +software.sslmate.com/src/go-pkcs12 v0.7.0/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI= From 9c57677493a088eeae7690995310749f0b1f7d5e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" Date: Thu, 25 Dec 2025 09:18:28 +0000 Subject: [PATCH 49/58] chore(nix): fix hash for updated go dependencies --- flake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/flake.nix b/flake.nix index 03e2e5f..bfc4dc9 100644 --- a/flake.nix +++ b/flake.nix @@ -35,7 +35,7 @@ inherit version; src = pkgs.nix-gitignore.gitignoreSource [ ] ./.; - vendorHash = "sha256-5Xr6mwPtsqEliKeKv2rhhp6JC7u3coP4nnhIxGMqccU="; + vendorHash = "sha256-Sib6AUCpMgxlMpTc2Esvs+UU0yduVOxWUgT44FHAI+k="; nativeInstallCheckInputs = [ pkgs.versionCheckHook ]; From 1c9c98e2f695ae291d91bd29a62038a74982cc4c Mon Sep 17 00:00:00 2001 From: Owen Date: Mon, 19 Jan 2026 21:25:28 -0800 Subject: [PATCH 50/58] Show download script to update --- updates/updates.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/updates/updates.go b/updates/updates.go index 8d7de5e..21666ac 100644 --- a/updates/updates.go +++ b/updates/updates.go @@ -119,7 +119,7 @@ func CheckForUpdate(owner, repo, currentVersion string) error { // Check if update is available if currentVer.isNewer(latestVer) { - printUpdateBanner(currentVer.String(), latestVer.String(), release.HTMLURL) + printUpdateBanner(currentVer.String(), latestVer.String(), "curl -fsSL https://static.pangolin.net/get-newt.sh | bash") } return nil @@ -145,7 +145,7 @@ func printUpdateBanner(currentVersion, latestVersion, releaseURL string) { "â•‘ A newer version is available! Please update to get the" + padRight("", contentWidth-56) + "â•‘", "â•‘ latest features, bug fixes, and security improvements." + padRight("", contentWidth-56) + "â•‘", emptyLine, - "â•‘ Release URL: " + padRight(releaseURL, contentWidth-15) + "â•‘", + "â•‘ Update: " + padRight(releaseURL, contentWidth-10) + "â•‘", emptyLine, borderBot, } From 50fbfdc262bafa1b1db43d09a3545993901f2d91 Mon Sep 17 00:00:00 2001 From: Owen Date: Mon, 16 Feb 2026 17:54:19 -0800 Subject: [PATCH 51/58] Update example domain --- .env.example | 2 +- docker-compose.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.env.example b/.env.example index 0697458..7715a30 100644 --- a/.env.example +++ b/.env.example @@ -1,5 +1,5 @@ # Copy this file to .env and fill in your values # Required for connecting to Pangolin service -PANGOLIN_ENDPOINT=https://example.com +PANGOLIN_ENDPOINT=https://app.pangolin.net NEWT_ID=changeme-id NEWT_SECRET=changeme-secret \ No newline at end of file diff --git a/docker-compose.yml b/docker-compose.yml index 86f4ca1..b11082b 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -4,7 +4,7 @@ services: container_name: newt restart: unless-stopped environment: - - PANGOLIN_ENDPOINT=https://example.com + - PANGOLIN_ENDPOINT=https://app.pangolin.net - NEWT_ID=2ix2t8xk22ubpfy - NEWT_SECRET=nnisrfsdfc7prqsp9ewo1dvtvci50j5uiqotez00dgap0ii2 - LOG_LEVEL=DEBUG \ No newline at end of file From 2265b6138192e3f60d5e654434d106b81bae1514 Mon Sep 17 00:00:00 2001 From: Owen Date: Mon, 16 Feb 2026 17:55:17 -0800 Subject: [PATCH 52/58] Remove legacy ssh --- main.go | 96 --------------------------------------------------------- 1 file changed, 96 deletions(-) diff --git a/main.go b/main.go index 4016ad3..cf02e27 100644 --- a/main.go +++ b/main.go @@ -58,10 +58,6 @@ type ExitNodeData struct { ExitNodes []ExitNode `json:"exitNodes"` } -type SSHPublicKeyData struct { - PublicKey string `json:"publicKey"` -} - // ExitNode represents an exit node with an ID, endpoint, and weight. type ExitNode struct { ID int `json:"exitNodeId"` @@ -279,10 +275,6 @@ func runNewtMain(ctx context.Context) { // load the prefer endpoint just as a flag flag.StringVar(&preferEndpoint, "prefer-endpoint", "", "Prefer this endpoint for the connection (if set, will override the endpoint from the server)") - // if authorizedKeysFile == "" { - // flag.StringVar(&authorizedKeysFile, "authorized-keys-file", "~/.ssh/authorized_keys", "Path to authorized keys file (if unset, no keys will be authorized)") - // } - // Add new mTLS flags if tlsClientCert == "" { flag.StringVar(&tlsClientCert, "tls-client-cert-file", "", "Path to client certificate file (PEM/DER format)") @@ -1168,94 +1160,6 @@ persistent_keepalive_interval=5`, util.FixKey(privateKey.String()), util.FixKey( } }) - // EXPERIMENTAL: WHAT SHOULD WE DO ABOUT SECURITY? - client.RegisterHandler("newt/send/ssh/publicKey", func(msg websocket.WSMessage) { - logger.Debug("Received SSH public key request") - - var sshPublicKeyData SSHPublicKeyData - - jsonData, err := json.Marshal(msg.Data) - if err != nil { - logger.Info(fmtErrMarshaling, err) - return - } - if err := json.Unmarshal(jsonData, &sshPublicKeyData); err != nil { - logger.Info("Error unmarshaling SSH public key data: %v", err) - return - } - - sshPublicKey := sshPublicKeyData.PublicKey - - if authorizedKeysFile == "" { - logger.Debug("No authorized keys file set, skipping public key response") - return - } - - // Expand tilde to home directory if present - expandedPath := authorizedKeysFile - if strings.HasPrefix(authorizedKeysFile, "~/") { - homeDir, err := os.UserHomeDir() - if err != nil { - logger.Error("Failed to get user home directory: %v", err) - return - } - expandedPath = filepath.Join(homeDir, authorizedKeysFile[2:]) - } - - // if it is set but the file does not exist, create it - if _, err := os.Stat(expandedPath); os.IsNotExist(err) { - logger.Debug("Authorized keys file does not exist, creating it: %s", expandedPath) - if err := os.MkdirAll(filepath.Dir(expandedPath), 0755); err != nil { - logger.Error("Failed to create directory for authorized keys file: %v", err) - return - } - if _, err := os.Create(expandedPath); err != nil { - logger.Error("Failed to create authorized keys file: %v", err) - return - } - } - - // Check if the public key already exists in the file - fileContent, err := os.ReadFile(expandedPath) - if err != nil { - logger.Error("Failed to read authorized keys file: %v", err) - return - } - - // Check if the key already exists (trim whitespace for comparison) - existingKeys := strings.Split(string(fileContent), "\n") - keyAlreadyExists := false - trimmedNewKey := strings.TrimSpace(sshPublicKey) - - for _, existingKey := range existingKeys { - if strings.TrimSpace(existingKey) == trimmedNewKey && trimmedNewKey != "" { - keyAlreadyExists = true - break - } - } - - if keyAlreadyExists { - logger.Info("SSH public key already exists in authorized keys file, skipping") - return - } - - // append the public key to the authorized keys file - logger.Debug("Appending public key to authorized keys file: %s", sshPublicKey) - file, err := os.OpenFile(expandedPath, os.O_APPEND|os.O_WRONLY, 0644) - if err != nil { - logger.Error("Failed to open authorized keys file: %v", err) - return - } - defer file.Close() - - if _, err := file.WriteString(sshPublicKey + "\n"); err != nil { - logger.Error("Failed to write public key to authorized keys file: %v", err) - return - } - - logger.Info("SSH public key appended to authorized keys file") - }) - // Register handler for adding health check targets client.RegisterHandler("newt/healthcheck/add", func(msg websocket.WSMessage) { logger.Debug("Received health check add request: %+v", msg) From 5b884042cdd4444dde6167f4d9481b3c1a49106f Mon Sep 17 00:00:00 2001 From: Owen Date: Mon, 16 Feb 2026 20:04:24 -0800 Subject: [PATCH 53/58] Add basic newt command relay to auth daemon --- main.go | 148 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 145 insertions(+), 3 deletions(-) diff --git a/main.go b/main.go index cf02e27..ecf84eb 100644 --- a/main.go +++ b/main.go @@ -1,7 +1,9 @@ package main import ( + "bytes" "context" + "crypto/tls" "encoding/json" "errors" "flag" @@ -11,7 +13,6 @@ import ( "net/netip" "os" "os/signal" - "path/filepath" "strconv" "strings" "syscall" @@ -130,6 +131,7 @@ var ( preferEndpoint string healthMonitor *healthcheck.Monitor enforceHealthcheckCert bool + authDaemonKey string // Build/version (can be overridden via -ldflags "-X main.newtVersion=...") newtVersion = "version_replaceme" @@ -183,6 +185,7 @@ func runNewtMain(ctx context.Context) { updownScript = os.Getenv("UPDOWN_SCRIPT") interfaceName = os.Getenv("INTERFACE") portStr := os.Getenv("PORT") + authDaemonKey = os.Getenv("AUTH_DAEMON_KEY") // Metrics/observability env mirrors metricsEnabledEnv := os.Getenv("NEWT_METRICS_PROMETHEUS_ENABLED") @@ -371,6 +374,11 @@ func runNewtMain(ctx context.Context) { region = regionEnv } + // Auth daemon key flag + if authDaemonKey == "" { + flag.StringVar(&authDaemonKey, "auth-daemon-key", "", "Preshared key for auth daemon authentication") + } + // do a --version check version := flag.Bool("version", false, "Print the version") @@ -686,8 +694,8 @@ func runNewtMain(ctx context.Context) { relayPort := wgData.RelayPort if relayPort == 0 { - relayPort = 21820 - } + relayPort = 21820 + } clientsHandleNewtConnection(wgData.PublicKey, endpoint, relayPort) @@ -1315,6 +1323,140 @@ persistent_keepalive_interval=5`, util.FixKey(privateKey.String()), util.FixKey( } }) + // Register handler for SSH certificate issued events + client.RegisterHandler("newt/pam/connection", func(msg websocket.WSMessage) { + logger.Debug("Received SSH certificate issued message") + + // Define the structure of the incoming message + type SSHCertData struct { + TraceID string `json:"traceId"` + AgentPort int `json:"agentPort"` + AgentHost string `json:"agentHost"` + CACert string `json:"caCert"` + Username string `json:"username"` + NiceID string `json:"niceId"` + Metadata struct { + Sudo bool `json:"sudo"` + Homedir bool `json:"homedir"` + } `json:"metadata"` + } + + var certData SSHCertData + jsonData, err := json.Marshal(msg.Data) + if err != nil { + logger.Error("Error marshaling SSH cert data: %v", err) + return + } + + if err := json.Unmarshal(jsonData, &certData); err != nil { + logger.Error("Error unmarshaling SSH cert data: %v", err) + return + } + + // Check if auth daemon key is configured + if authDaemonKey == "" { + logger.Error("Auth daemon key not configured, cannot process SSH certificate") + // Send failure response back to cloud + err := client.SendMessage("newt/pam/connection/response", map[string]interface{}{ + "traceId": certData.TraceID, + "success": false, + "error": "auth daemon key not configured", + }) + if err != nil { + logger.Error("Failed to send SSH cert failure response: %v", err) + } + return + } + + // Prepare the request body for the auth daemon + requestBody := map[string]interface{}{ + "caCert": certData.CACert, + "niceId": certData.NiceID, + "username": certData.Username, + "metadata": map[string]interface{}{ + "sudo": certData.Metadata.Sudo, + "homedir": certData.Metadata.Homedir, + }, + } + + requestJSON, err := json.Marshal(requestBody) + if err != nil { + logger.Error("Failed to marshal auth daemon request: %v", err) + // Send failure response + client.SendMessage("newt/pam/ssh-cert-response", map[string]interface{}{ + "traceId": certData.TraceID, + "success": false, + "error": fmt.Sprintf("failed to marshal request: %v", err), + }) + return + } + + // Create HTTPS client that skips certificate verification + // (auth daemon uses self-signed cert) + httpClient := &http.Client{ + Transport: &http.Transport{ + TLSClientConfig: &tls.Config{ + InsecureSkipVerify: true, + }, + }, + Timeout: 10 * time.Second, + } + + // Make the request to the auth daemon + url := fmt.Sprintf("https://%s:%d/connection", certData.AgentHost, certData.AgentPort) + req, err := http.NewRequest("POST", url, bytes.NewBuffer(requestJSON)) + if err != nil { + logger.Error("Failed to create auth daemon request: %v", err) + client.SendMessage("newt/pam/connection/response", map[string]interface{}{ + "traceId": certData.TraceID, + "success": false, + "error": fmt.Sprintf("failed to create request: %v", err), + }) + return + } + + // Set headers + req.Header.Set("Content-Type", "application/json") + req.Header.Set("Authorization", "Bearer "+authDaemonKey) + + logger.Debug("Sending SSH cert to auth daemon at %s", url) + + // Send the request + resp, err := httpClient.Do(req) + if err != nil { + logger.Error("Failed to connect to auth daemon: %v", err) + client.SendMessage("newt/pam/connection/response", map[string]interface{}{ + "traceId": certData.TraceID, + "success": false, + "error": fmt.Sprintf("failed to connect to auth daemon: %v", err), + }) + return + } + defer resp.Body.Close() + + // Check response status + if resp.StatusCode != http.StatusOK { + logger.Error("Auth daemon returned non-OK status: %d", resp.StatusCode) + client.SendMessage("newt/pam/connection/response", map[string]interface{}{ + "traceId": certData.TraceID, + "success": false, + "error": fmt.Sprintf("auth daemon returned status %d", resp.StatusCode), + }) + return + } + + logger.Info("Successfully registered SSH certificate with auth daemon for user %s", certData.Username) + + // Send success response back to cloud + err = client.SendMessage("newt/pam/connection/response", map[string]interface{}{ + "traceId": certData.TraceID, + "success": true, + }) + if err != nil { + logger.Error("Failed to send SSH cert success response: %v", err) + } + }) + client.OnConnect(func() error { publicKey = privateKey.PublicKey() logger.Debug("Public key: %s", publicKey) From d98eaa88b36790dbef9c880960dfb904646f68c1 Mon Sep 17 00:00:00 2001 From: Owen Date: Mon, 16 Feb 2026 20:29:19 -0800 Subject: [PATCH 54/58] Add round trip tracking for any message --- main.go | 38 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/main.go b/main.go index ecf84eb..24fd8bb 100644 --- a/main.go +++ b/main.go @@ -1329,7 +1329,7 @@ persistent_keepalive_interval=5`, util.FixKey(privateKey.String()), util.FixKey( // Define the structure of the incoming message type SSHCertData struct { - TraceID string `json:"traceId"` + MessageId string `json:"messageId"` AgentPort int `json:"agentPort"` AgentHost string `json:"agentHost"` CACert string `json:"caCert"` @@ -1357,9 +1357,9 @@ persistent_keepalive_interval=5`, util.FixKey(privateKey.String()), util.FixKey( if authDaemonKey == "" { logger.Error("Auth daemon key not configured, cannot process SSH certificate") // Send failure response back to cloud - err := client.SendMessage("newt/pam/connection/response", map[string]interface{}{ - "traceId": certData.TraceID, - "success": false, + err := client.SendMessage("ws/round-trip/complete", map[string]interface{}{ + "messageId": certData.MessageId, + "complete": true, "error": "auth daemon key not configured", }) if err != nil { @@ -1383,9 +1383,9 @@ persistent_keepalive_interval=5`, util.FixKey(privateKey.String()), util.FixKey( if err != nil { logger.Error("Failed to marshal auth daemon request: %v", err) // Send failure response - client.SendMessage("newt/pam/ssh-cert-response", map[string]interface{}{ - "traceId": certData.TraceID, - "success": false, + client.SendMessage("ws/round-trip/complete", map[string]interface{}{ + "messageId": certData.MessageId, + "complete": true, "error": fmt.Sprintf("failed to marshal request: %v", err), }) return @@ -1407,9 +1407,9 @@ persistent_keepalive_interval=5`, util.FixKey(privateKey.String()), util.FixKey( req, err := http.NewRequest("POST", url, bytes.NewBuffer(requestJSON)) if err != nil { logger.Error("Failed to create auth daemon request: %v", err) - client.SendMessage("newt/pam/connection/response", map[string]interface{}{ - "traceId": certData.TraceID, - "success": false, + client.SendMessage("ws/round-trip/complete", map[string]interface{}{ + "messageId": certData.MessageId, + "complete": true, "error": fmt.Sprintf("failed to create request: %v", err), }) return @@ -1425,9 +1425,9 @@ persistent_keepalive_interval=5`, util.FixKey(privateKey.String()), util.FixKey( resp, err := httpClient.Do(req) if err != nil { logger.Error("Failed to connect to auth daemon: %v", err) - client.SendMessage("newt/pam/connection/response", map[string]interface{}{ - "traceId": certData.TraceID, - "success": false, + client.SendMessage("ws/round-trip/complete", map[string]interface{}{ + "messageId": certData.MessageId, + "complete": true, "error": fmt.Sprintf("failed to connect to auth daemon: %v", err), }) return @@ -1437,9 +1437,9 @@ persistent_keepalive_interval=5`, util.FixKey(privateKey.String()), util.FixKey( // Check response status if resp.StatusCode != http.StatusOK { logger.Error("Auth daemon returned non-OK status: %d", resp.StatusCode) - client.SendMessage("newt/pam/connection/response", map[string]interface{}{ - "traceId": certData.TraceID, - "success": false, + client.SendMessage("ws/round-trip/complete", map[string]interface{}{ + "messageId": certData.MessageId, + "complete": true, "error": fmt.Sprintf("auth daemon returned status %d", resp.StatusCode), }) return @@ -1448,9 +1448,9 @@ persistent_keepalive_interval=5`, util.FixKey(privateKey.String()), util.FixKey( logger.Info("Successfully registered SSH certificate with auth daemon for user %s", certData.Username) // Send success response back to cloud - err = client.SendMessage("newt/pam/connection/response", map[string]interface{}{ - "traceId": certData.TraceID, - "success": true, + err = client.SendMessage("ws/round-trip/complete", map[string]interface{}{ + "messageId": certData.MessageId, + "complete": true, }) if err != nil { logger.Error("Failed to send SSH cert success response: %v", err) From 2cc957d55feff074efe6207dc0cfd177dbf2c994 Mon Sep 17 00:00:00 2001 From: miloschwartz Date: Mon, 16 Feb 2026 20:36:00 -0800 Subject: [PATCH 55/58] add auth daemon --- authdaemon/host_linux.go | 269 +++++++++++++++++++++++++++++++++++++++ authdaemon/host_stub.go | 32 +++++ authdaemon/principals.go | 28 ++++ authdaemon/routes.go | 92 +++++++++++++ authdaemon/server.go | 174 +++++++++++++++++++++++++ 5 files changed, 595 insertions(+) create mode 100644 authdaemon/host_linux.go create mode 100644 authdaemon/host_stub.go create mode 100644 authdaemon/principals.go create mode 100644 authdaemon/routes.go create mode 100644 authdaemon/server.go diff --git a/authdaemon/host_linux.go b/authdaemon/host_linux.go new file mode 100644 index 0000000..4416dd1 --- /dev/null +++ b/authdaemon/host_linux.go @@ -0,0 +1,269 @@ +//go:build linux + +package authdaemon + +import ( + "bufio" + "encoding/json" + "fmt" + "os" + "os/exec" + "os/user" + "path/filepath" + "strconv" + "strings" + + "github.com/fosrl/newt/logger" +) + +// writeCACertIfNotExists writes contents to path only if the file does not exist. +func writeCACertIfNotExists(path, contents string) error { + if _, err := os.Stat(path); err == nil { + logger.Debug("auth-daemon: CA cert already exists at %s, skipping write", path) + return nil + } + dir := filepath.Dir(path) + if err := os.MkdirAll(dir, 0755); err != nil { + return fmt.Errorf("mkdir %s: %w", dir, err) + } + contents = strings.TrimSpace(contents) + if contents != "" && !strings.HasSuffix(contents, "\n") { + contents += "\n" + } + if err := os.WriteFile(path, []byte(contents), 0644); err != nil { + return fmt.Errorf("write CA cert: %w", err) + } + logger.Info("auth-daemon: wrote CA cert to %s", path) + return nil +} + +// ensureSSHDTrustedUserCAKeys ensures sshd_config contains TrustedUserCAKeys caCertPath. +func ensureSSHDTrustedUserCAKeys(sshdConfigPath, caCertPath string) error { + if sshdConfigPath == "" { + sshdConfigPath = "/etc/ssh/sshd_config" + } + data, err := os.ReadFile(sshdConfigPath) + if err != nil { + return fmt.Errorf("read sshd_config: %w", err) + } + directive := "TrustedUserCAKeys " + caCertPath + lines := strings.Split(string(data), "\n") + found := false + for i, line := range lines { + trimmed := strings.TrimSpace(line) + // strip inline comment + if idx := strings.Index(trimmed, "#"); idx >= 0 { + trimmed = strings.TrimSpace(trimmed[:idx]) + } + if trimmed == "" { + continue + } + if strings.HasPrefix(trimmed, "TrustedUserCAKeys") { + if strings.TrimSpace(trimmed) == directive { + logger.Debug("auth-daemon: sshd_config already has TrustedUserCAKeys %s", caCertPath) + return nil + } + lines[i] = directive + found = true + break + } + } + if !found { + lines = append(lines, directive) + } + out := strings.Join(lines, "\n") + if !strings.HasSuffix(out, "\n") { + out += "\n" + } + if err := os.WriteFile(sshdConfigPath, []byte(out), 0644); err != nil { + return fmt.Errorf("write sshd_config: %w", err) + } + logger.Info("auth-daemon: updated %s with TrustedUserCAKeys %s", sshdConfigPath, caCertPath) + return nil +} + +// reloadSSHD runs the given shell command to reload sshd (e.g. "systemctl reload sshd"). +func reloadSSHD(reloadCmd string) error { + if reloadCmd == "" { + return nil + } + cmd := exec.Command("sh", "-c", reloadCmd) + if out, err := cmd.CombinedOutput(); err != nil { + return fmt.Errorf("reload sshd %q: %w (output: %s)", reloadCmd, err, string(out)) + } + logger.Info("auth-daemon: reloaded sshd") + return nil +} + +// writePrincipals updates the principals file at path: JSON object keyed by username, value is array of principals. Adds username and niceId to that user's list (deduped). +func writePrincipals(path, username, niceId string) error { + if path == "" { + return nil + } + username = strings.TrimSpace(username) + niceId = strings.TrimSpace(niceId) + if username == "" { + return nil + } + data := make(map[string][]string) + if raw, err := os.ReadFile(path); err == nil { + _ = json.Unmarshal(raw, &data) + } + list := data[username] + seen := make(map[string]struct{}, len(list)+2) + for _, p := range list { + seen[p] = struct{}{} + } + for _, p := range []string{username, niceId} { + if p == "" { + continue + } + if _, ok := seen[p]; !ok { + seen[p] = struct{}{} + list = append(list, p) + } + } + data[username] = list + body, err := json.Marshal(data) + if err != nil { + return fmt.Errorf("marshal principals: %w", err) + } + dir := filepath.Dir(path) + if err := os.MkdirAll(dir, 0755); err != nil { + return fmt.Errorf("mkdir %s: %w", dir, err) + } + if err := os.WriteFile(path, body, 0644); err != nil { + return fmt.Errorf("write principals: %w", err) + } + logger.Debug("auth-daemon: wrote principals to %s", path) + return nil +} + +// sudoGroup returns the name of the sudo group (wheel or sudo) that exists on the system. Prefers wheel. +func sudoGroup() string { + f, err := os.Open("/etc/group") + if err != nil { + return "sudo" + } + defer f.Close() + sc := bufio.NewScanner(f) + hasWheel := false + hasSudo := false + for sc.Scan() { + line := sc.Text() + if strings.HasPrefix(line, "wheel:") { + hasWheel = true + } + if strings.HasPrefix(line, "sudo:") { + hasSudo = true + } + } + if hasWheel { + return "wheel" + } + if hasSudo { + return "sudo" + } + return "sudo" +} + +// ensureUser creates the system user if missing, or reconciles sudo and homedir to match meta. +func ensureUser(username string, meta ConnectionMetadata) error { + if username == "" { + return nil + } + u, err := user.Lookup(username) + if err != nil { + if _, ok := err.(user.UnknownUserError); !ok { + return fmt.Errorf("lookup user %s: %w", username, err) + } + return createUser(username, meta) + } + return reconcileUser(u, meta) +} + +func createUser(username string, meta ConnectionMetadata) error { + args := []string{} + if meta.Homedir { + args = append(args, "-m") + } else { + args = append(args, "-M") + } + args = append(args, username) + cmd := exec.Command("useradd", args...) + if out, err := cmd.CombinedOutput(); err != nil { + return fmt.Errorf("useradd %s: %w (output: %s)", username, err, string(out)) + } + logger.Info("auth-daemon: created user %s (homedir=%v)", username, meta.Homedir) + if meta.Sudo { + group := sudoGroup() + cmd := exec.Command("usermod", "-aG", group, username) + if out, err := cmd.CombinedOutput(); err != nil { + logger.Warn("auth-daemon: usermod -aG %s %s: %v (output: %s)", group, username, err, string(out)) + } else { + logger.Info("auth-daemon: added %s to %s", username, group) + } + } + return nil +} + +func mustAtoi(s string) int { + n, _ := strconv.Atoi(s) + return n +} + +func reconcileUser(u *user.User, meta ConnectionMetadata) error { + group := sudoGroup() + inGroup, err := userInGroup(u.Username, group) + if err != nil { + logger.Warn("auth-daemon: check group %s: %v", group, err) + inGroup = false + } + if meta.Sudo && !inGroup { + cmd := exec.Command("usermod", "-aG", group, u.Username) + if out, err := cmd.CombinedOutput(); err != nil { + logger.Warn("auth-daemon: usermod -aG %s %s: %v (output: %s)", group, u.Username, err, string(out)) + } else { + logger.Info("auth-daemon: added %s to %s", u.Username, group) + } + } else if !meta.Sudo && inGroup { + cmd := exec.Command("gpasswd", "-d", u.Username, group) + if out, err := cmd.CombinedOutput(); err != nil { + logger.Warn("auth-daemon: gpasswd -d %s %s: %v (output: %s)", u.Username, group, err, string(out)) + } else { + logger.Info("auth-daemon: removed %s from %s", u.Username, group) + } + } + if meta.Homedir && u.HomeDir != "" { + if st, err := os.Stat(u.HomeDir); err != nil || !st.IsDir() { + if err := os.MkdirAll(u.HomeDir, 0755); err != nil { + logger.Warn("auth-daemon: mkdir %s: %v", u.HomeDir, err) + } else { + uid, gid := mustAtoi(u.Uid), mustAtoi(u.Gid) + _ = os.Chown(u.HomeDir, uid, gid) + logger.Info("auth-daemon: created home %s for %s", u.HomeDir, u.Username) + } + } + } + return nil +} + +func userInGroup(username, groupName string) (bool, error) { + // getent group wheel returns "wheel:x:10:user1,user2" + cmd := exec.Command("getent", "group", groupName) + out, err := cmd.Output() + if err != nil { + return false, err + } + parts := strings.SplitN(strings.TrimSpace(string(out)), ":", 4) + if len(parts) < 4 { + return false, nil + } + members := strings.Split(parts[3], ",") + for _, m := range members { + if strings.TrimSpace(m) == username { + return true, nil + } + } + return false, nil +} diff --git a/authdaemon/host_stub.go b/authdaemon/host_stub.go new file mode 100644 index 0000000..dfd09a5 --- /dev/null +++ b/authdaemon/host_stub.go @@ -0,0 +1,32 @@ +//go:build !linux + +package authdaemon + +import "fmt" + +var errLinuxOnly = fmt.Errorf("auth-daemon PAM agent is only supported on Linux") + +// writeCACertIfNotExists returns an error on non-Linux. +func writeCACertIfNotExists(path, contents string) error { + return errLinuxOnly +} + +// ensureSSHDTrustedUserCAKeys returns an error on non-Linux. +func ensureSSHDTrustedUserCAKeys(sshdConfigPath, caCertPath string) error { + return errLinuxOnly +} + +// reloadSSHD returns an error on non-Linux. +func reloadSSHD(reloadCmd string) error { + return errLinuxOnly +} + +// ensureUser returns an error on non-Linux. +func ensureUser(username string, meta ConnectionMetadata) error { + return errLinuxOnly +} + +// writePrincipals returns an error on non-Linux. +func writePrincipals(path, username, niceId string) error { + return errLinuxOnly +} diff --git a/authdaemon/principals.go b/authdaemon/principals.go new file mode 100644 index 0000000..cbfca80 --- /dev/null +++ b/authdaemon/principals.go @@ -0,0 +1,28 @@ +package authdaemon + +import ( + "encoding/json" + "fmt" + "os" +) + +// GetPrincipals reads the principals data file at path, looks up the given user, and returns that user's principals as a string slice. +// The file format is JSON: object with username keys and array-of-principals values, e.g. {"alice":["alice","usr-123"],"bob":["bob","usr-456"]}. +// If the user is not found or the file is missing, returns nil and nil. +func GetPrincipals(path, user string) ([]string, error) { + if path == "" { + return nil, fmt.Errorf("principals file path is required") + } + data, err := os.ReadFile(path) + if err != nil { + if os.IsNotExist(err) { + return nil, nil + } + return nil, fmt.Errorf("read principals file: %w", err) + } + var m map[string][]string + if err := json.Unmarshal(data, &m); err != nil { + return nil, fmt.Errorf("parse principals file: %w", err) + } + return m[user], nil +} diff --git a/authdaemon/routes.go b/authdaemon/routes.go new file mode 100644 index 0000000..d7ce880 --- /dev/null +++ b/authdaemon/routes.go @@ -0,0 +1,92 @@ +package authdaemon + +import ( + "encoding/json" + "net/http" + + "github.com/fosrl/newt/logger" +) + +// registerRoutes registers all API routes. Add new endpoints here. +func (s *Server) registerRoutes() { + s.mux.HandleFunc("/health", s.handleHealth) + s.mux.HandleFunc("/connection", s.handleConnection) +} + +// ConnectionMetadata is the metadata object in POST /connection. +type ConnectionMetadata struct { + Sudo bool `json:"sudo"` + Homedir bool `json:"homedir"` +} + +// ConnectionRequest is the JSON body for POST /connection. +type ConnectionRequest struct { + CaCert string `json:"caCert"` + NiceId string `json:"niceId"` + Username string `json:"username"` + Metadata ConnectionMetadata `json:"metadata"` +} + +// healthResponse is the JSON body for GET /health. +type healthResponse struct { + Status string `json:"status"` +} + +// handleHealth responds with 200 and {"status":"ok"}. +func (s *Server) handleHealth(w http.ResponseWriter, r *http.Request) { + if r.Method != http.MethodGet { + http.Error(w, "Method Not Allowed", http.StatusMethodNotAllowed) + return + } + w.Header().Set("Content-Type", "application/json") + _ = json.NewEncoder(w).Encode(healthResponse{Status: "ok"}) +} + +// ProcessConnection runs the same logic as POST /connection: CA cert, sshd config, user create/reconcile, principals. +// Use this when DisableHTTPS is true (e.g. embedded in Newt) instead of calling the API. +func (s *Server) ProcessConnection(req ConnectionRequest) { + logger.Info("connection: niceId=%q username=%q metadata.sudo=%v metadata.homedir=%v", + req.NiceId, req.Username, req.Metadata.Sudo, req.Metadata.Homedir) + + cfg := &s.cfg + if cfg.CACertPath != "" { + if err := writeCACertIfNotExists(cfg.CACertPath, req.CaCert); err != nil { + logger.Warn("auth-daemon: write CA cert: %v", err) + } + sshdConfig := cfg.SSHDConfigPath + if sshdConfig == "" { + sshdConfig = "/etc/ssh/sshd_config" + } + if err := ensureSSHDTrustedUserCAKeys(sshdConfig, cfg.CACertPath); err != nil { + logger.Warn("auth-daemon: sshd_config: %v", err) + } + if cfg.ReloadSSHCommand != "" { + if err := reloadSSHD(cfg.ReloadSSHCommand); err != nil { + logger.Warn("auth-daemon: reload sshd: %v", err) + } + } + } + if err := ensureUser(req.Username, req.Metadata); err != nil { + logger.Warn("auth-daemon: ensure user: %v", err) + } + if cfg.PrincipalsFilePath != "" { + if err := writePrincipals(cfg.PrincipalsFilePath, req.Username, req.NiceId); err != nil { + logger.Warn("auth-daemon: write principals: %v", err) + } + } +} + +// handleConnection accepts POST with connection payload and delegates to ProcessConnection. +func (s *Server) handleConnection(w http.ResponseWriter, r *http.Request) { + if r.Method != http.MethodPost { + http.Error(w, "Method Not Allowed", http.StatusMethodNotAllowed) + return + } + var req ConnectionRequest + if err := json.NewDecoder(r.Body).Decode(&req); err != nil { + http.Error(w, "Bad Request", http.StatusBadRequest) + return + } + s.ProcessConnection(req) + w.WriteHeader(http.StatusOK) +} diff --git a/authdaemon/server.go b/authdaemon/server.go new file mode 100644 index 0000000..83cb480 --- /dev/null +++ b/authdaemon/server.go @@ -0,0 +1,174 @@ +package authdaemon + +import ( + "context" + "crypto/ecdsa" + "crypto/elliptic" + "crypto/rand" + "crypto/subtle" + "crypto/tls" + "crypto/x509" + "crypto/x509/pkix" + "encoding/pem" + "fmt" + "math/big" + "net/http" + "os" + "runtime" + "strings" + "time" + + "github.com/fosrl/newt/logger" +) + +type Config struct { + // DisableHTTPS: when true, Run() does not start the HTTPS server (for embedded use inside Newt). Call ProcessConnection directly for connection events. + DisableHTTPS bool + Port int // Listen port for the HTTPS server. Required when DisableHTTPS is false. + PresharedKey string // Required when DisableHTTPS is false; used for HTTP auth (Authorization: Bearer or X-Preshared-Key: ). + CACertPath string // Where to write the CA cert (e.g. /etc/ssh/ca.pem). + SSHDConfigPath string // Path to sshd_config (e.g. /etc/ssh/sshd_config). Defaults to /etc/ssh/sshd_config when CACertPath is set. + ReloadSSHCommand string // Command to reload sshd after config change (e.g. "systemctl reload sshd"). Empty = no reload. + PrincipalsFilePath string // Path to the principals data file (JSON: username -> array of principals). Empty = do not store principals. +} + +type Server struct { + cfg Config + addr string + presharedKey string + mux *http.ServeMux + tlsCert tls.Certificate +} + +// generateTLSCert creates a self-signed certificate and key in memory (no disk). +func generateTLSCert() (tls.Certificate, error) { + key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + if err != nil { + return tls.Certificate{}, fmt.Errorf("generate key: %w", err) + } + serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) + if err != nil { + return tls.Certificate{}, fmt.Errorf("serial: %w", err) + } + tmpl := &x509.Certificate{ + SerialNumber: serial, + Subject: pkix.Name{ + CommonName: "localhost", + }, + NotBefore: time.Now(), + NotAfter: time.Now().Add(365 * 24 * time.Hour), + KeyUsage: x509.KeyUsageDigitalSignature, + ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, + BasicConstraintsValid: true, + DNSNames: []string{"localhost", "127.0.0.1"}, + } + certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key) + if err != nil { + return tls.Certificate{}, fmt.Errorf("create certificate: %w", err) + } + keyDER, err := x509.MarshalECPrivateKey(key) + if err != nil { + return tls.Certificate{}, fmt.Errorf("marshal key: %w", err) + } + certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER}) + keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}) + cert, err := tls.X509KeyPair(certPEM, keyPEM) + if err != nil { + return tls.Certificate{}, fmt.Errorf("x509 key pair: %w", err) + } + return cert, nil +} + +// authMiddleware wraps next and requires a valid preshared key on every request. +// Accepts Authorization: Bearer or X-Preshared-Key: . +func (s *Server) authMiddleware(next http.Handler) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + key := "" + if v := r.Header.Get("Authorization"); strings.HasPrefix(v, "Bearer ") { + key = strings.TrimSpace(strings.TrimPrefix(v, "Bearer ")) + } + if key == "" { + key = strings.TrimSpace(r.Header.Get("X-Preshared-Key")) + } + if key == "" || subtle.ConstantTimeCompare([]byte(key), []byte(s.presharedKey)) != 1 { + http.Error(w, "Unauthorized", http.StatusUnauthorized) + return + } + next.ServeHTTP(w, r) + }) +} + +// NewServer builds a new auth-daemon server from cfg. When DisableHTTPS is false, PresharedKey and Port are required. +func NewServer(cfg Config) (*Server, error) { + if runtime.GOOS != "linux" { + return nil, fmt.Errorf("auth-daemon is only supported on Linux, not %s", runtime.GOOS) + } + if !cfg.DisableHTTPS { + if cfg.PresharedKey == "" { + return nil, fmt.Errorf("preshared key is required when HTTPS is enabled") + } + if cfg.Port <= 0 { + return nil, fmt.Errorf("port must be positive when HTTPS is enabled") + } + } + s := &Server{cfg: cfg} + if !cfg.DisableHTTPS { + cert, err := generateTLSCert() + if err != nil { + return nil, err + } + s.addr = fmt.Sprintf(":%d", cfg.Port) + s.presharedKey = cfg.PresharedKey + s.mux = http.NewServeMux() + s.tlsCert = cert + s.registerRoutes() + } + return s, nil +} + +// Run starts the HTTPS server (unless DisableHTTPS) and blocks until ctx is cancelled or the server errors. +// When DisableHTTPS is true, Run() blocks on ctx only and does not listen; use ProcessConnection for connection events. +func (s *Server) Run(ctx context.Context) error { + if s.cfg.DisableHTTPS { + logger.Info("auth-daemon running (HTTPS disabled)") + <-ctx.Done() + s.cleanupPrincipalsFile() + return nil + } + tcfg := &tls.Config{ + Certificates: []tls.Certificate{s.tlsCert}, + MinVersion: tls.VersionTLS12, + } + handler := s.authMiddleware(s.mux) + srv := &http.Server{ + Addr: s.addr, + Handler: handler, + TLSConfig: tcfg, + ReadTimeout: 10 * time.Second, + WriteTimeout: 10 * time.Second, + ReadHeaderTimeout: 5 * time.Second, + IdleTimeout: 60 * time.Second, + } + go func() { + <-ctx.Done() + shutdownCtx, cancel := context.WithTimeout(context.Background(), 10*time.Second) + defer cancel() + if err := srv.Shutdown(shutdownCtx); err != nil { + logger.Warn("auth-daemon shutdown: %v", err) + } + }() + logger.Info("auth-daemon listening on https://127.0.0.1%s", s.addr) + if err := srv.ListenAndServeTLS("", ""); err != nil && err != http.ErrServerClosed { + return err + } + s.cleanupPrincipalsFile() + return nil +} + +func (s *Server) cleanupPrincipalsFile() { + if s.cfg.PrincipalsFilePath != "" { + if err := os.Remove(s.cfg.PrincipalsFilePath); err != nil && !os.IsNotExist(err) { + logger.Warn("auth-daemon: remove principals file: %v", err) + } + } +} From d256d6c746cd4c7f6435aa0a71cd99b4df6e3b6e Mon Sep 17 00:00:00 2001 From: miloschwartz Date: Mon, 16 Feb 2026 20:50:13 -0800 Subject: [PATCH 56/58] remove defaults --- authdaemon/connection.go | 27 ++++++++++++ authdaemon/host_linux.go | 89 ++++++++++------------------------------ authdaemon/host_stub.go | 12 +----- authdaemon/routes.go | 36 ---------------- authdaemon/server.go | 27 +++++++----- 5 files changed, 66 insertions(+), 125 deletions(-) create mode 100644 authdaemon/connection.go diff --git a/authdaemon/connection.go b/authdaemon/connection.go new file mode 100644 index 0000000..9d36e27 --- /dev/null +++ b/authdaemon/connection.go @@ -0,0 +1,27 @@ +package authdaemon + +import ( + "github.com/fosrl/newt/logger" +) + +// ProcessConnection runs the same logic as POST /connection: CA cert, user create/reconcile, principals. +// Use this when DisableHTTPS is true (e.g. embedded in Newt) instead of calling the API. +func (s *Server) ProcessConnection(req ConnectionRequest) { + logger.Info("connection: niceId=%q username=%q metadata.sudo=%v metadata.homedir=%v", + req.NiceId, req.Username, req.Metadata.Sudo, req.Metadata.Homedir) + + cfg := &s.cfg + if cfg.CACertPath != "" { + if err := writeCACertIfNotExists(cfg.CACertPath, req.CaCert, cfg.Force); err != nil { + logger.Warn("auth-daemon: write CA cert: %v", err) + } + } + if err := ensureUser(req.Username, req.Metadata); err != nil { + logger.Warn("auth-daemon: ensure user: %v", err) + } + if cfg.PrincipalsFilePath != "" { + if err := writePrincipals(cfg.PrincipalsFilePath, req.Username, req.NiceId); err != nil { + logger.Warn("auth-daemon: write principals: %v", err) + } + } +} diff --git a/authdaemon/host_linux.go b/authdaemon/host_linux.go index 4416dd1..82834f3 100644 --- a/authdaemon/host_linux.go +++ b/authdaemon/host_linux.go @@ -16,20 +16,33 @@ import ( "github.com/fosrl/newt/logger" ) -// writeCACertIfNotExists writes contents to path only if the file does not exist. -func writeCACertIfNotExists(path, contents string) error { - if _, err := os.Stat(path); err == nil { - logger.Debug("auth-daemon: CA cert already exists at %s, skipping write", path) - return nil +// writeCACertIfNotExists writes contents to path. If the file already exists: when force is false, skip; when force is true, overwrite only if content differs. +func writeCACertIfNotExists(path, contents string, force bool) error { + contents = strings.TrimSpace(contents) + if contents != "" && !strings.HasSuffix(contents, "\n") { + contents += "\n" + } + existing, err := os.ReadFile(path) + if err == nil { + existingStr := strings.TrimSpace(string(existing)) + if existingStr != "" && !strings.HasSuffix(existingStr, "\n") { + existingStr += "\n" + } + if existingStr == contents { + logger.Debug("auth-daemon: CA cert unchanged at %s, skipping write", path) + return nil + } + if !force { + logger.Debug("auth-daemon: CA cert already exists at %s, skipping write (Force disabled)", path) + return nil + } + } else if !os.IsNotExist(err) { + return fmt.Errorf("read %s: %w", path, err) } dir := filepath.Dir(path) if err := os.MkdirAll(dir, 0755); err != nil { return fmt.Errorf("mkdir %s: %w", dir, err) } - contents = strings.TrimSpace(contents) - if contents != "" && !strings.HasSuffix(contents, "\n") { - contents += "\n" - } if err := os.WriteFile(path, []byte(contents), 0644); err != nil { return fmt.Errorf("write CA cert: %w", err) } @@ -37,64 +50,6 @@ func writeCACertIfNotExists(path, contents string) error { return nil } -// ensureSSHDTrustedUserCAKeys ensures sshd_config contains TrustedUserCAKeys caCertPath. -func ensureSSHDTrustedUserCAKeys(sshdConfigPath, caCertPath string) error { - if sshdConfigPath == "" { - sshdConfigPath = "/etc/ssh/sshd_config" - } - data, err := os.ReadFile(sshdConfigPath) - if err != nil { - return fmt.Errorf("read sshd_config: %w", err) - } - directive := "TrustedUserCAKeys " + caCertPath - lines := strings.Split(string(data), "\n") - found := false - for i, line := range lines { - trimmed := strings.TrimSpace(line) - // strip inline comment - if idx := strings.Index(trimmed, "#"); idx >= 0 { - trimmed = strings.TrimSpace(trimmed[:idx]) - } - if trimmed == "" { - continue - } - if strings.HasPrefix(trimmed, "TrustedUserCAKeys") { - if strings.TrimSpace(trimmed) == directive { - logger.Debug("auth-daemon: sshd_config already has TrustedUserCAKeys %s", caCertPath) - return nil - } - lines[i] = directive - found = true - break - } - } - if !found { - lines = append(lines, directive) - } - out := strings.Join(lines, "\n") - if !strings.HasSuffix(out, "\n") { - out += "\n" - } - if err := os.WriteFile(sshdConfigPath, []byte(out), 0644); err != nil { - return fmt.Errorf("write sshd_config: %w", err) - } - logger.Info("auth-daemon: updated %s with TrustedUserCAKeys %s", sshdConfigPath, caCertPath) - return nil -} - -// reloadSSHD runs the given shell command to reload sshd (e.g. "systemctl reload sshd"). -func reloadSSHD(reloadCmd string) error { - if reloadCmd == "" { - return nil - } - cmd := exec.Command("sh", "-c", reloadCmd) - if out, err := cmd.CombinedOutput(); err != nil { - return fmt.Errorf("reload sshd %q: %w (output: %s)", reloadCmd, err, string(out)) - } - logger.Info("auth-daemon: reloaded sshd") - return nil -} - // writePrincipals updates the principals file at path: JSON object keyed by username, value is array of principals. Adds username and niceId to that user's list (deduped). func writePrincipals(path, username, niceId string) error { if path == "" { diff --git a/authdaemon/host_stub.go b/authdaemon/host_stub.go index dfd09a5..2fb4c1a 100644 --- a/authdaemon/host_stub.go +++ b/authdaemon/host_stub.go @@ -7,17 +7,7 @@ import "fmt" var errLinuxOnly = fmt.Errorf("auth-daemon PAM agent is only supported on Linux") // writeCACertIfNotExists returns an error on non-Linux. -func writeCACertIfNotExists(path, contents string) error { - return errLinuxOnly -} - -// ensureSSHDTrustedUserCAKeys returns an error on non-Linux. -func ensureSSHDTrustedUserCAKeys(sshdConfigPath, caCertPath string) error { - return errLinuxOnly -} - -// reloadSSHD returns an error on non-Linux. -func reloadSSHD(reloadCmd string) error { +func writeCACertIfNotExists(path, contents string, force bool) error { return errLinuxOnly } diff --git a/authdaemon/routes.go b/authdaemon/routes.go index d7ce880..2cccc54 100644 --- a/authdaemon/routes.go +++ b/authdaemon/routes.go @@ -3,8 +3,6 @@ package authdaemon import ( "encoding/json" "net/http" - - "github.com/fosrl/newt/logger" ) // registerRoutes registers all API routes. Add new endpoints here. @@ -42,40 +40,6 @@ func (s *Server) handleHealth(w http.ResponseWriter, r *http.Request) { _ = json.NewEncoder(w).Encode(healthResponse{Status: "ok"}) } -// ProcessConnection runs the same logic as POST /connection: CA cert, sshd config, user create/reconcile, principals. -// Use this when DisableHTTPS is true (e.g. embedded in Newt) instead of calling the API. -func (s *Server) ProcessConnection(req ConnectionRequest) { - logger.Info("connection: niceId=%q username=%q metadata.sudo=%v metadata.homedir=%v", - req.NiceId, req.Username, req.Metadata.Sudo, req.Metadata.Homedir) - - cfg := &s.cfg - if cfg.CACertPath != "" { - if err := writeCACertIfNotExists(cfg.CACertPath, req.CaCert); err != nil { - logger.Warn("auth-daemon: write CA cert: %v", err) - } - sshdConfig := cfg.SSHDConfigPath - if sshdConfig == "" { - sshdConfig = "/etc/ssh/sshd_config" - } - if err := ensureSSHDTrustedUserCAKeys(sshdConfig, cfg.CACertPath); err != nil { - logger.Warn("auth-daemon: sshd_config: %v", err) - } - if cfg.ReloadSSHCommand != "" { - if err := reloadSSHD(cfg.ReloadSSHCommand); err != nil { - logger.Warn("auth-daemon: reload sshd: %v", err) - } - } - } - if err := ensureUser(req.Username, req.Metadata); err != nil { - logger.Warn("auth-daemon: ensure user: %v", err) - } - if cfg.PrincipalsFilePath != "" { - if err := writePrincipals(cfg.PrincipalsFilePath, req.Username, req.NiceId); err != nil { - logger.Warn("auth-daemon: write principals: %v", err) - } - } -} - // handleConnection accepts POST with connection payload and delegates to ProcessConnection. func (s *Server) handleConnection(w http.ResponseWriter, r *http.Request) { if r.Method != http.MethodPost { diff --git a/authdaemon/server.go b/authdaemon/server.go index 83cb480..78aa908 100644 --- a/authdaemon/server.go +++ b/authdaemon/server.go @@ -24,12 +24,11 @@ import ( type Config struct { // DisableHTTPS: when true, Run() does not start the HTTPS server (for embedded use inside Newt). Call ProcessConnection directly for connection events. DisableHTTPS bool - Port int // Listen port for the HTTPS server. Required when DisableHTTPS is false. - PresharedKey string // Required when DisableHTTPS is false; used for HTTP auth (Authorization: Bearer or X-Preshared-Key: ). - CACertPath string // Where to write the CA cert (e.g. /etc/ssh/ca.pem). - SSHDConfigPath string // Path to sshd_config (e.g. /etc/ssh/sshd_config). Defaults to /etc/ssh/sshd_config when CACertPath is set. - ReloadSSHCommand string // Command to reload sshd after config change (e.g. "systemctl reload sshd"). Empty = no reload. - PrincipalsFilePath string // Path to the principals data file (JSON: username -> array of principals). Empty = do not store principals. + Port int // Required when DisableHTTPS is false. Listen port for the HTTPS server. No default. + PresharedKey string // Required when DisableHTTPS is false. HTTP auth (Authorization: Bearer or X-Preshared-Key: ). No default. + CACertPath string // Required. Where to write the CA cert (e.g. /etc/ssh/ca.pem). No default. + Force bool // If true, overwrite existing CA cert (and other items) when content differs. Default false. + PrincipalsFilePath string // Required. Path to the principals data file (JSON: username -> array of principals). No default. } type Server struct { @@ -98,18 +97,24 @@ func (s *Server) authMiddleware(next http.Handler) http.Handler { }) } -// NewServer builds a new auth-daemon server from cfg. When DisableHTTPS is false, PresharedKey and Port are required. +// NewServer builds a new auth-daemon server from cfg. Port, PresharedKey, CACertPath, and PrincipalsFilePath are required (no defaults). func NewServer(cfg Config) (*Server, error) { if runtime.GOOS != "linux" { return nil, fmt.Errorf("auth-daemon is only supported on Linux, not %s", runtime.GOOS) } if !cfg.DisableHTTPS { - if cfg.PresharedKey == "" { - return nil, fmt.Errorf("preshared key is required when HTTPS is enabled") - } if cfg.Port <= 0 { - return nil, fmt.Errorf("port must be positive when HTTPS is enabled") + return nil, fmt.Errorf("port is required and must be positive") } + if cfg.PresharedKey == "" { + return nil, fmt.Errorf("preshared key is required") + } + } + if cfg.CACertPath == "" { + return nil, fmt.Errorf("CACertPath is required") + } + if cfg.PrincipalsFilePath == "" { + return nil, fmt.Errorf("PrincipalsFilePath is required") } s := &Server{cfg: cfg} if !cfg.DisableHTTPS { From 00a5fa1f37ccdc8f1ad78db1cca09119c78c8f4d Mon Sep 17 00:00:00 2001 From: Owen Date: Tue, 17 Feb 2026 14:42:37 -0800 Subject: [PATCH 57/58] Add daemon into newt --- authdaemon.go | 151 +++++++++++++++++++++++ authdaemon/host_linux.go | 2 +- main.go | 257 +++++++++++++++++++++++++-------------- 3 files changed, 319 insertions(+), 91 deletions(-) create mode 100644 authdaemon.go diff --git a/authdaemon.go b/authdaemon.go new file mode 100644 index 0000000..5de92ad --- /dev/null +++ b/authdaemon.go @@ -0,0 +1,151 @@ +package main + +import ( + "context" + "errors" + "fmt" + "os" + "runtime" + + "github.com/fosrl/newt/authdaemon" + "github.com/fosrl/newt/logger" +) + +const ( + defaultPrincipalsPath = "/var/run/auth-daemon/principals" + defaultCACertPath = "/etc/ssh/ca.pem" +) + +var ( + errPresharedKeyRequired = errors.New("auth-daemon-key is required when --auth-daemon is enabled") + errRootRequired = errors.New("auth-daemon must be run as root (use sudo)") + authDaemonServer *authdaemon.Server // Global auth daemon server instance +) + +// startAuthDaemon initializes and starts the auth daemon in the background. +// It validates requirements (Linux, root, preshared key) and starts the server +// in a goroutine so it runs alongside normal newt operation. +func startAuthDaemon(ctx context.Context) error { + // Validation + if runtime.GOOS != "linux" { + return fmt.Errorf("auth-daemon is only supported on Linux, not %s", runtime.GOOS) + } + if os.Geteuid() != 0 { + return errRootRequired + } + + // Use defaults if not set + principalsFile := authDaemonPrincipalsFile + if principalsFile == "" { + principalsFile = defaultPrincipalsPath + } + caCertPath := authDaemonCACertPath + if caCertPath == "" { + caCertPath = defaultCACertPath + } + + // Create auth daemon server + cfg := authdaemon.Config{ + DisableHTTPS: true, // We run without HTTP server in newt + PresharedKey: "this-key-is-not-used", // Not used in embedded mode, but set to non-empty to satisfy validation + PrincipalsFilePath: principalsFile, + CACertPath: caCertPath, + Force: true, + } + + srv, err := authdaemon.NewServer(cfg) + if err != nil { + return fmt.Errorf("create auth daemon server: %w", err) + } + + authDaemonServer = srv + + // Start the auth daemon in a goroutine so it runs alongside newt + go func() { + logger.Info("Auth daemon starting (native mode, no HTTP server)") + if err := srv.Run(ctx); err != nil { + logger.Error("Auth daemon error: %v", err) + } + logger.Info("Auth daemon stopped") + }() + + return nil +} + + + +// runPrincipalsCmd executes the principals subcommand logic +func runPrincipalsCmd(args []string) { + opts := struct { + PrincipalsFile string + Username string + }{ + PrincipalsFile: defaultPrincipalsPath, + } + + // Parse flags manually + for i := 0; i < len(args); i++ { + switch args[i] { + case "--principals-file": + if i+1 >= len(args) { + fmt.Fprintf(os.Stderr, "Error: --principals-file requires a value\n") + os.Exit(1) + } + opts.PrincipalsFile = args[i+1] + i++ + case "--username": + if i+1 >= len(args) { + fmt.Fprintf(os.Stderr, "Error: --username requires a value\n") + os.Exit(1) + } + opts.Username = args[i+1] + i++ + case "--help", "-h": + printPrincipalsHelp() + os.Exit(0) + default: + fmt.Fprintf(os.Stderr, "Error: unknown flag: %s\n", args[i]) + printPrincipalsHelp() + os.Exit(1) + } + } + + // Validation + if opts.Username == "" { + fmt.Fprintf(os.Stderr, "Error: username is required\n") + printPrincipalsHelp() + os.Exit(1) + } + + // Get principals + list, err := authdaemon.GetPrincipals(opts.PrincipalsFile, opts.Username) + if err != nil { + fmt.Fprintf(os.Stderr, "Error: %v\n", err) + os.Exit(1) + } + if len(list) == 0 { + fmt.Println("") + return + } + for _, principal := range list { + fmt.Println(principal) + } +} + +func printPrincipalsHelp() { + fmt.Fprintf(os.Stderr, `Usage: newt principals [flags] + +Output principals for a username (for AuthorizedPrincipalsCommand in sshd_config). +Read the principals file and print principals that match the given username, one per line. +Configure in sshd_config with AuthorizedPrincipalsCommand and %%u for the username. + +Flags: + --principals-file string Path to the principals file (default "%s") + --username string Username to look up (required) + --help, -h Show this help message + +Example: + newt principals --username alice + +`, defaultPrincipalsPath) +} \ No newline at end of file diff --git a/authdaemon/host_linux.go b/authdaemon/host_linux.go index 82834f3..76f8712 100644 --- a/authdaemon/host_linux.go +++ b/authdaemon/host_linux.go @@ -138,7 +138,7 @@ func ensureUser(username string, meta ConnectionMetadata) error { } func createUser(username string, meta ConnectionMetadata) error { - args := []string{} + args := []string{"-s", "/bin/bash"} if meta.Homedir { args = append(args, "-m") } else { diff --git a/main.go b/main.go index 24fd8bb..3ea52d4 100644 --- a/main.go +++ b/main.go @@ -18,6 +18,7 @@ import ( "syscall" "time" + "github.com/fosrl/newt/authdaemon" "github.com/fosrl/newt/docker" "github.com/fosrl/newt/healthcheck" "github.com/fosrl/newt/logger" @@ -132,6 +133,9 @@ var ( healthMonitor *healthcheck.Monitor enforceHealthcheckCert bool authDaemonKey string + authDaemonPrincipalsFile string + authDaemonCACertPath string + authDaemonEnabled bool // Build/version (can be overridden via -ldflags "-X main.newtVersion=...") newtVersion = "version_replaceme" @@ -154,6 +158,28 @@ var ( ) func main() { + // Check for subcommands first (only principals exits early) + if len(os.Args) > 1 { + switch os.Args[1] { + case "auth-daemon": + // Run principals subcommand only if the next argument is "principals" + if len(os.Args) > 2 && os.Args[2] == "principals" { + runPrincipalsCmd(os.Args[3:]) + return + } + + // auth-daemon subcommand without "principals" - show help + fmt.Println("Error: auth-daemon subcommand requires 'principals' argument") + fmt.Println() + fmt.Println("Usage:") + fmt.Println(" newt auth-daemon principals [options]") + fmt.Println() + + // If not "principals", exit the switch to continue with normal execution + return + } + } + // Check if we're running as a Windows service if isWindowsService() { runService("NewtWireguardService", false, os.Args[1:]) @@ -185,7 +211,10 @@ func runNewtMain(ctx context.Context) { updownScript = os.Getenv("UPDOWN_SCRIPT") interfaceName = os.Getenv("INTERFACE") portStr := os.Getenv("PORT") - authDaemonKey = os.Getenv("AUTH_DAEMON_KEY") + authDaemonKey = os.Getenv("AD_KEY") + authDaemonPrincipalsFile = os.Getenv("AD_PRINCIPALS_FILE") + authDaemonCACertPath = os.Getenv("AD_CA_CERT_PATH") + authDaemonEnabledEnv := os.Getenv("AUTH_DAEMON_ENABLED") // Metrics/observability env mirrors metricsEnabledEnv := os.Getenv("NEWT_METRICS_PROMETHEUS_ENABLED") @@ -374,9 +403,22 @@ func runNewtMain(ctx context.Context) { region = regionEnv } - // Auth daemon key flag + // Auth daemon flags if authDaemonKey == "" { - flag.StringVar(&authDaemonKey, "auth-daemon-key", "", "Preshared key for auth daemon authentication") + flag.StringVar(&authDaemonKey, "ad-preshared-key", "", "Preshared key for auth daemon authentication (required when --auth-daemon is true)") + } + if authDaemonPrincipalsFile == "" { + flag.StringVar(&authDaemonPrincipalsFile, "ad-principals-file", "/var/run/auth-daemon/principals", "Path to the principals file for auth daemon") + } + if authDaemonCACertPath == "" { + flag.StringVar(&authDaemonCACertPath, "ad-ca-cert-path", "/etc/ssh/ca.pem", "Path to the CA certificate file for auth daemon") + } + if authDaemonEnabledEnv == "" { + flag.BoolVar(&authDaemonEnabled, "auth-daemon", false, "Enable auth daemon mode (runs alongside normal newt operation)") + } else { + if v, err := strconv.ParseBool(authDaemonEnabledEnv); err == nil { + authDaemonEnabled = v + } } // do a --version check @@ -398,6 +440,13 @@ func runNewtMain(ctx context.Context) { logger.Init(nil) loggerLevel := util.ParseLogLevel(logLevel) + + // Start auth daemon if enabled + if authDaemonEnabled { + if err := startAuthDaemon(ctx); err != nil { + logger.Fatal("Failed to start auth daemon: %v", err) + } + } logger.GetLogger().SetLevel(loggerLevel) // Initialize telemetry after flags are parsed (so flags override env) @@ -1329,7 +1378,7 @@ persistent_keepalive_interval=5`, util.FixKey(privateKey.String()), util.FixKey( // Define the structure of the incoming message type SSHCertData struct { - MessageId string `json:"messageId"` + MessageId int `json:"messageId"` AgentPort int `json:"agentPort"` AgentHost string `json:"agentHost"` CACert string `json:"caCert"` @@ -1348,109 +1397,137 @@ persistent_keepalive_interval=5`, util.FixKey(privateKey.String()), util.FixKey( return } + // print the received data for debugging + logger.Debug("Received SSH cert data: %s", string(jsonData)) + if err := json.Unmarshal(jsonData, &certData); err != nil { logger.Error("Error unmarshaling SSH cert data: %v", err) return } - // Check if auth daemon key is configured - if authDaemonKey == "" { - logger.Error("Auth daemon key not configured, cannot process SSH certificate") - // Send failure response back to cloud - err := client.SendMessage("ws/round-trip/complete", map[string]interface{}{ - "messageId": certData.MessageId, - "complete": true, - "error": "auth daemon key not configured", - }) - if err != nil { - logger.Error("Failed to send SSH cert failure response: %v", err) - } - return - } + // Check if we're running the auth daemon internally + if authDaemonServer != nil { + // Call ProcessConnection directly when running internally + logger.Debug("Calling internal auth daemon ProcessConnection for user %s", certData.Username) - // Prepare the request body for the auth daemon - requestBody := map[string]interface{}{ - "caCert": certData.CACert, - "niceId": certData.NiceID, - "username": certData.Username, - "metadata": map[string]interface{}{ - "sudo": certData.Metadata.Sudo, - "homedir": certData.Metadata.Homedir, - }, - } - - requestJSON, err := json.Marshal(requestBody) - if err != nil { - logger.Error("Failed to marshal auth daemon request: %v", err) - // Send failure response - client.SendMessage("ws/round-trip/complete", map[string]interface{}{ - "messageId": certData.MessageId, - "complete": true, - "error": fmt.Sprintf("failed to marshal request: %v", err), - }) - return - } - - // Create HTTPS client that skips certificate verification - // (auth daemon uses self-signed cert) - httpClient := &http.Client{ - Transport: &http.Transport{ - TLSClientConfig: &tls.Config{ - InsecureSkipVerify: true, + authDaemonServer.ProcessConnection(authdaemon.ConnectionRequest{ + CaCert: certData.CACert, + NiceId: certData.NiceID, + Username: certData.Username, + Metadata: authdaemon.ConnectionMetadata{ + Sudo: certData.Metadata.Sudo, + Homedir: certData.Metadata.Homedir, }, - }, - Timeout: 10 * time.Second, - } - - // Make the request to the auth daemon - url := fmt.Sprintf("https://%s:%d/connection", certData.AgentHost, certData.AgentPort) - req, err := http.NewRequest("POST", url, bytes.NewBuffer(requestJSON)) - if err != nil { - logger.Error("Failed to create auth daemon request: %v", err) - client.SendMessage("ws/round-trip/complete", map[string]interface{}{ - "messageId": certData.MessageId, - "complete": true, - "error": fmt.Sprintf("failed to create request: %v", err), }) - return - } - // Set headers - req.Header.Set("Content-Type", "application/json") - req.Header.Set("Authorization", "Bearer "+authDaemonKey) - - logger.Debug("Sending SSH cert to auth daemon at %s", url) - - // Send the request - resp, err := httpClient.Do(req) - if err != nil { - logger.Error("Failed to connect to auth daemon: %v", err) - client.SendMessage("ws/round-trip/complete", map[string]interface{}{ + // Send success response back to cloud + err = client.SendMessage("ws/round-trip/complete", map[string]interface{}{ "messageId": certData.MessageId, - "complete": true, - "error": fmt.Sprintf("failed to connect to auth daemon: %v", err), + "complete": true, }) - return - } - defer resp.Body.Close() - // Check response status - if resp.StatusCode != http.StatusOK { - logger.Error("Auth daemon returned non-OK status: %d", resp.StatusCode) - client.SendMessage("ws/round-trip/complete", map[string]interface{}{ - "messageId": certData.MessageId, - "complete": true, - "error": fmt.Sprintf("auth daemon returned status %d", resp.StatusCode), - }) - return - } + logger.Info("Successfully processed connection via internal auth daemon for user %s", certData.Username) + } else { + // External auth daemon mode - make HTTP request + // Check if auth daemon key is configured + if authDaemonKey == "" { + logger.Error("Auth daemon key not configured, cannot communicate with daemon") + // Send failure response back to cloud + err := client.SendMessage("ws/round-trip/complete", map[string]interface{}{ + "messageId": certData.MessageId, + "complete": true, + "error": "auth daemon key not configured", + }) + if err != nil { + logger.Error("Failed to send SSH cert failure response: %v", err) + } + return + } - logger.Info("Successfully registered SSH certificate with auth daemon for user %s", certData.Username) + // Prepare the request body for the auth daemon + requestBody := map[string]interface{}{ + "caCert": certData.CACert, + "niceId": certData.NiceID, + "username": certData.Username, + "metadata": map[string]interface{}{ + "sudo": certData.Metadata.Sudo, + "homedir": certData.Metadata.Homedir, + }, + } + + requestJSON, err := json.Marshal(requestBody) + if err != nil { + logger.Error("Failed to marshal auth daemon request: %v", err) + // Send failure response + client.SendMessage("ws/round-trip/complete", map[string]interface{}{ + "messageId": certData.MessageId, + "complete": true, + "error": fmt.Sprintf("failed to marshal request: %v", err), + }) + return + } + + // Create HTTPS client that skips certificate verification + // (auth daemon uses self-signed cert) + httpClient := &http.Client{ + Transport: &http.Transport{ + TLSClientConfig: &tls.Config{ + InsecureSkipVerify: true, + }, + }, + Timeout: 10 * time.Second, + } + + // Make the request to the auth daemon + url := fmt.Sprintf("https://%s:%d/connection", certData.AgentHost, certData.AgentPort) + req, err := http.NewRequest("POST", url, bytes.NewBuffer(requestJSON)) + if err != nil { + logger.Error("Failed to create auth daemon request: %v", err) + client.SendMessage("ws/round-trip/complete", map[string]interface{}{ + "messageId": certData.MessageId, + "complete": true, + "error": fmt.Sprintf("failed to create request: %v", err), + }) + return + } + + // Set headers + req.Header.Set("Content-Type", "application/json") + req.Header.Set("Authorization", "Bearer "+authDaemonKey) + + logger.Debug("Sending SSH cert to auth daemon at %s", url) + + // Send the request + resp, err := httpClient.Do(req) + if err != nil { + logger.Error("Failed to connect to auth daemon: %v", err) + client.SendMessage("ws/round-trip/complete", map[string]interface{}{ + "messageId": certData.MessageId, + "complete": true, + "error": fmt.Sprintf("failed to connect to auth daemon: %v", err), + }) + return + } + defer resp.Body.Close() + + // Check response status + if resp.StatusCode != http.StatusOK { + logger.Error("Auth daemon returned non-OK status: %d", resp.StatusCode) + client.SendMessage("ws/round-trip/complete", map[string]interface{}{ + "messageId": certData.MessageId, + "complete": true, + "error": fmt.Sprintf("auth daemon returned status %d", resp.StatusCode), + }) + return + } + + logger.Info("Successfully registered SSH certificate with external auth daemon for user %s", certData.Username) + } // Send success response back to cloud err = client.SendMessage("ws/round-trip/complete", map[string]interface{}{ "messageId": certData.MessageId, - "complete": true, + "complete": true, }) if err != nil { logger.Error("Failed to send SSH cert success response: %v", err) From b7af49d7598d651f522c1358b59af8759b9a6e26 Mon Sep 17 00:00:00 2001 From: miloschwartz Date: Tue, 17 Feb 2026 21:01:10 -0800 Subject: [PATCH 58/58] fix flag --- main.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.go b/main.go index 3ea52d4..42dfb99 100644 --- a/main.go +++ b/main.go @@ -405,7 +405,7 @@ func runNewtMain(ctx context.Context) { // Auth daemon flags if authDaemonKey == "" { - flag.StringVar(&authDaemonKey, "ad-preshared-key", "", "Preshared key for auth daemon authentication (required when --auth-daemon is true)") + flag.StringVar(&authDaemonKey, "ad-pre-shared-key", "", "Pre-shared key for auth daemon authentication") } if authDaemonPrincipalsFile == "" { flag.StringVar(&authDaemonPrincipalsFile, "ad-principals-file", "/var/run/auth-daemon/principals", "Path to the principals file for auth daemon")