slackhq/nebula v1.10.0

Release v1.10.0

on GitHub

See the v1.10.0 milestone for a complete list of changes.

Added

• Support for ipv6 and multiple ipv4/6 addresses in the overlay.
  A new v2 ASN.1 based certificate format.
  Certificates now have a unified interface for external implementations.
  (#1212, #1216, #1345, #1359, #1381, #1419, #1464, #1466, #1451, #1476, #1467, #1481, #1399, #1488, #1492, #1495, #1468, #1521, #1535, #1538)
• Add the ability to mark packets on linux to better target nebula packets in iptables/nftables. (#1331)
• Add ECMP support for unsafe_routes. (#1332)
• PKCS11 support for P256 keys when built with pkcs11 tag (#1153, #1482)

Changed

• NOTE: default_local_cidr_any now defaults to false, meaning that any firewall rule
  intended to target an unsafe_routes entry must explicitly declare it via the
  local_cidr field. This is almost always the intended behavior. This flag is
  deprecated and will be removed in a future release. (#1373)
• Improve logging when a relay is in use on an inbound packet. (#1533)
• Avoid fatal errors if rountines is > 1 on systems that don't support more than 1 routine. (#1531)
• Log a warning if a firewall rule contains an any that negates a more restrictive filter. (#1513)
• Accept encrypted CA passphrase from an environment variable. (#1421)
• Allow handshaking with any trusted remote. (#1509)
• Log only the count of blocklisted certificate fingerprints instead of the entire list. (#1525)
• Don't fatal when the ssh server is unable to be configured successfully. (#1520)
• Update to build against go v1.25. (#1483)
• Allow projects using nebula as a library with userspace networking to configure the logger and build version. (#1239)
• Upgrade to yaml.v3. (#1148, #1371, #1438, #1478)

Fixed

• Fix a potential bug with udp ipv4 only on darwin. (#1532)
• Improve lost packet statistics. (#1441, #1537)
• Honor remote_allow_list in hole punch response. (#1186)
• Fix a panic when tun.use_system_route_table is true and a route lacks a destination. (#1437)
• Fix an issue when tun.use_system_route_table: true could result in heavy CPU utilization when many thousands of routes
  are present. (#1326)
• Fix tests for 32 bit machines. (#1394)
• Fix a possible 32bit integer underflow in config handling. (#1353)
• Fix moving a udp address from one vpn address to another in the static_host_map
  which could cause rapid re-handshaking with an incorrect remote. (#1259)
• Improve smoke tests in environments where the docker network is not the default. (#1347)