Releases: slackhq/nebula

Release v1.9.5

06 Dec 14:59
v1.9.5
b55b901

Added

  • Gracefully ignore v2 certificates. (#1282)

Fixed

  • Fix relays that refuse to re-establish after one of the remote tunnel pairs breaks. (#1277)

Release v1.9.4

09 Sep 18:20
v1.9.4
ab81b62

Added

  • Support UDP dialing with gVisor. (#1181)

Changed

Fixed

  • Fix a bug on big endian hosts, like mips. (#1194)
  • Fix a rare panic if a local index collision happens. (#1191)
  • Fix integer wraparound in the calculation of handshake timeouts on 32-bit targets. (#1185)

Release v1.9.3

06 Jun 17:26
v1.9.3
b14bad5

Fixed

  • Initialize messageCounter to 2 instead of verifying later. (#1156)

Release v1.9.2

03 Jun 19:57
v1.9.2
249ae41

Fixed

  • Ensure messageCounter is set before handshake is complete. (#1154)

Release v1.9.1

29 May 18:15
v1.9.1
a92056a

Fixed

  • Fixed a potential deadlock in GetOrHandshake. (#1151)

Release v1.9.0

08 May 14:39
v1.9.0
50b24c1

Deprecated

  • This release adds a new setting default_local_cidr_any that defaults to
    true to match previous behavior, but will default to false in the next
    release (1.10). When set to false, local_cidr is matched correctly for
    firewall rules on hosts acting as unsafe routers, and should be set for any
    firewall rules you want to allow unsafe route hosts to access. See the issue
    and example config for more details. (#1071, #1099)

Added

  • Nebula now has an official Docker image nebulaoss/nebula that is
    distroless and contains just the nebula and nebula-cert binaries. You
    can find it here: https://hub.docker.com/r/nebulaoss/nebula (#1037)

  • Experimental binaries for loong64 are now provided. (#1003)

  • Added example service script for OpenRC. (#711)

  • The SSH daemon now supports inlined host keys. (#1054)

  • The SSH daemon now supports certificates with sshd.trusted_cas. (#1098)

Changed

Removed

  • Support for the deprecated local_range option has been removed. Please
    change to preferred_ranges (which is also now reloadable). (#1043)

  • We are now building with go1.22, which means that for Windows you need at
    least Windows 10 or Windows Server 2016. This is because support for earlier
    versions was removed in Go 1.21. See https://go.dev/doc/go1.21#windows (#981)

  • Removed vagrant example, as it was unmaintained. (#1129)

  • Removed Fedora and Arch nebula.service files, as they are maintained in the
    upstream repos. (#1128, #1132)

  • Remove the TCP round trip tracking metrics, as they never had correct data
    and were an experiment to begin with. (#1114)

Fixed

  • Fixed a potential deadlock introduced in 1.8.1. (#1112)

  • Fixed support for Linux when IPv6 has been disabled at the OS level. (#787)

  • DNS will return NXDOMAIN now when there are no results. (#845)

  • Allow :: in lighthouse.dns.host. (#1115)

  • Capitalization of NotAfter fixed in DNS TXT response. (#1127)

  • Don't log invalid certificates. It is untrusted data and can cause a large
    volume of logs. (#1116)

Release v1.8.2

08 Jan 20:57
v1.8.2
ea36949

Fixed

  • Fix multiple routines when listen.port is zero. This was a regression introduced in v1.6.0. (#1057)

Changed

  • Small dependency update for Noise. (#1038)

Release v1.8.1

19 Dec 20:23
v1.8.1
e5945a6

Security

Fixed

  • Fix a deadlock introduced in v1.8.0 that could occur during handshakes. (#1044)

  • Fix mobile builds. (#1035)

Release v1.8.0

06 Dec 19:48
v1.8.0
1d2f95e

Deprecated

  • The next minor release of Nebula, 1.9.0, will require at least Windows 10 or
    Windows Server 2016. This is because support for earlier versions was removed
    in Go 1.21. See https://go.dev/doc/go1.21#windows

Added

  • Linux: Notify systemd of service readiness. This should resolve timing issues
    with services that depend on Nebula being active. For an example of how to
    enable this, see: examples/service_scripts/nebula.service. (#929)

  • Windows: Use Registered IO (RIO) when possible. Testing on a Windows 11
    machine shows ~50x improvement in throughput. (#905)

  • NetBSD, OpenBSD: Added rudimentary support. (#916, #812)

  • FreeBSD: Add support for naming tun devices. (#903)

Changed

  • pki.disconnect_invalid will now default to true. This means that once a
    certificate expires, the tunnel will be disconnected. If you use SIGHUP to
    reload certificates without restarting Nebula, you should ensure all of your
    clients are on 1.7.0 or newer before you enable this feature. (#859)

  • Limit how often a busy tunnel can requery the lighthouse. The new config
    option timers.requery_wait_duration defaults to 60s. (#940)

  • The internal structures for hostmaps were refactored to reduce memory usage
    and the potential for subtle bugs. (#843, #938, #953, #954, #955)

  • Lots of dependency updates.

Fixed

  • Windows: Retry wintun device creation if it fails the first time. (#985)

  • Fix issues with firewall reject packets that could cause panics. (#957)

  • Fix relay migration during re-handshakes. (#964)

  • Various other refactors and fixes. (#935, #952, #972, #961, #996, #1002,
    #987, #1004, #1030, #1032, ...)

Release v1.7.2

01 Jun 15:29
v1.7.2
57eb80e

Fixed

  • Fix a freeze during config reload if the static_host_map config was changed. (#886)