commit 4612244716eebe80c6fcceeaab9742b58cb6863834f8197c92e75f9f8e3663a3 Author: Richard Rahl Date: Tue Sep 10 09:33:03 2024 +0000 - update to 1.9.4: * Support UDP dialing with gVisor * Make some Nebula state programmatically available via control object * Switch internal representation of IPs to netip, to prepare for IPv6 support * Various dependency updates * Fix a bug on big endian hosts, like mips * Fix a rare panic if a local index collision happens * Fix integer wraparound in the calculation of handshake timeouts on 32-bit - build the binaries non statically - remove enable-pie.patch as it's not needed anymore, since we build the binaries manually, not using the Makefile anymore OBS-URL: https://build.opensuse.org/package/show/network:vpn/nebula?expand=0&rev=11
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/_service b/_service
new file mode 100644
index 0000000..3f2841a
--- /dev/null
+++ b/_service
@@ -0,0 +1,20 @@
+
+
+
+ https://github.com/slackhq/nebula.git
+ git
+ refs/tags/v1.9.4
+ @PARENT_TAG@
+ v(.*)
+ yes
+
+
+ *.tar
+ gz
+
+
+ *.tar.gz
+ zst
+
+
+
diff --git a/enable-pie.patch b/enable-pie.patch
new file mode 100644
index 0000000..a0a0d25
--- /dev/null
+++ b/enable-pie.patch
@@ -0,0 +1,12 @@
+diff -rub nebula/Makefile nebula-patched/Makefile
+--- nebula/Makefile 2024-04-09 08:35:28.559936158 +0200
++++ nebula-patched/Makefile 2024-04-09 08:59:08.363591927 +0200
+@@ -96,7 +96,7 @@
+ 
+ release-boringcrypto: build/nebula-linux-$(shell go env GOARCH)-boringcrypto.tar.gz
+ 
+-BUILD_ARGS = -trimpath
++BUILD_ARGS = -trimpath -buildmode=pie
+ 
+ bin-windows: build/windows-amd64/nebula.exe build/windows-amd64/nebula-cert.exe
+ mv $? .
diff --git a/nebula-1.9.3.tar.gz b/nebula-1.9.3.tar.gz
new file mode 100644
index 0000000..d4d5bb1
--- /dev/null
+++ b/nebula-1.9.3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2fa15dcdc9f06787adf3c452b740c2836b1457ea3dd5a49872d96bf74f5b346a
+size 2300352
diff --git a/nebula-1.9.4.tar.gz b/nebula-1.9.4.tar.gz
new file mode 100644
index 0000000..a746549
--- /dev/null
+++ b/nebula-1.9.4.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8c21d82be965b86a2e0a7a033284e6a1424eb5b13f7986a7fbe87db178f06f7f
+size 2366912
diff --git a/nebula.changes b/nebula.changes
new file mode 100644
index 0000000..85bd06d
--- /dev/null
+++ b/nebula.changes
@@ -0,0 +1,58 @@
+-------------------------------------------------------------------
+Tue Sep 10 08:26:36 UTC 2024 - Richard Rahl
+
+- update to 1.9.4:
+ * Support UDP dialing with gVisor
+ * Make some Nebula state programmatically available via control object
+ * Switch internal representation of IPs to netip, to prepare for IPv6 support
+ * Various dependency updates
+ * Fix a bug on big endian hosts, like mips
+ * Fix a rare panic if a local index collision happens
+ * Fix integer wraparound in the calculation of handshake timeouts on 32-bit
+- build the binaries non statically
+- remove enable-pie.patch as it's not needed anymore, since we build the binaries
+ manually, not using the Makefile anymore
+
+-------------------------------------------------------------------
+Fri Jun 7 06:10:38 UTC 2024 - Richard Rahl
+
+- update to version 1.9.3:
+ * Initialize messageCounter to 2 instead of verifying later
+
+-------------------------------------------------------------------
+Mon Jun 3 23:08:15 UTC 2024 - Richard Rahl
+
+- update to version 1.9.2:
+ * Ensure messageCounter is set before handshake is complete
+
+-------------------------------------------------------------------
+Wed May 29 21:39:44 UTC 2024 - Richard Rahl
+
+- update to version 1.9.1:
+ * Fixed a potential deadlock in GetOrHandshake
+
+-------------------------------------------------------------------
+Thu May 16 23:07:47 UTC 2024 - Richard Rahl
+
+- update to version 1.9.0:
+ * This release adds a new setting default_local_cidr_any that defaults to
+ true to match previous behavior, but will default to false in the next
+ release (1.10)
+ * Added example service script for OpenRC
+ * The SSH daemon now supports inlined host keys
+ * The SSH daemon now supports certificates with sshd.trusted_cas
+ * Config setting tun.unsafe_routes is now reloadable
+ * Support for the deprecated local_range option has been removed
+ * Remove the TCP round trip tracking metrics, as they never had correct data
+ * Fixed a potential deadlock introduced in 1.8.1
+ * Fixed support for Linux when IPv6 has been disabled at the OS level
+ * DNS will return NXDOMAIN now when there are no results
+ * Allow :: in lighthouse.dns.host
+ * Capitalization of NotAfter fixed in DNS TXT response
+ * Don't log invalid certificates. It is untrusted data and can cause a large
+ volume of logs
+
+-------------------------------------------------------------------
+Tue Apr 9 06:08:08 UTC 2024 - Richard Rahl
+
+- initial packaging
diff --git a/nebula.service b/nebula.service
new file mode 100644
index 0000000..15c4547
--- /dev/null
+++ b/nebula.service
@@ -0,0 +1,30 @@
+[Unit]
+Description=Nebula overlay networking tool
+Wants=basic.target network-online.target nss-lookup.target time-sync.target
+After=basic.target network.target network-online.target
+Before=sshd.service
+AssertDirectoryNotEmpty=/etc/nebula
+
+[Service]
+Type=notify
+NotifyAccess=main
+SyslogIdentifier=nebula
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStart=/usr/sbin/nebula -config /etc/nebula/config.yml
+Restart=always
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+PrivateDevices=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+RestrictRealtime=true
+# give permission to TUN
+BindPaths=/dev/net/tun
+DeviceAllow=/dev/net/tun rw
+
+[Install]
+WantedBy=multi-user.target
diff --git a/nebula.spec b/nebula.spec
new file mode 100644
index 0000000..460e628
--- /dev/null
+++ b/nebula.spec
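Review bot: The hardening block below `Restart=always` leaves the service running as root with a writable root filesystem and no privilege-escalation barrier: neither `ProtectSystem=` nor `NoNewPrivileges=` is set, and nothing bounds the capability set, so a compromised nebula process keeps full root despite the Protect*/Private* lines. Adding `ProtectSystem=full`, `NoNewPrivileges=true` and `CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE` after the `RestrictRealtime=true` line would close most of that; CAP_NET_ADMIN covers tun setup and route changes, but the exact set nebula needs at startup (and whether anything it does writes under /etc or /usr, which would rule out `strict`) should be confirmed on a test host. `RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX` is a further candidate that I have not verified against every socket nebula opens, so it should be exercised with the sshd and lighthouse DNS features enabled before shipping.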
@@ -0,0 +1,84 @@
+#
+# spec file for package nebula
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: nebula
+Version: 1.9.4
+Release: 0
+Summary: A scalable overlay networking tool
+License: MIT
+URL: https://github.com/slackhq/nebula
+Source0: %{name}-%{version}.tar.gz
+Source1: vendor.tar.zst
+Source2: %{name}.service
+BuildRequires: git-core
+BuildRequires: golang-packaging
+BuildRequires: zstd
+BuildRequires: golang(API) = 1.22
+
+%description
+Nebula is a scalable overlay networking tool with a focus on performance,
+simplicity and security. It lets you seamlessly connect computers anywhere
+in the world. It can be used to connect a small number of computers,
+but is also able to connect tens of thousands of computers.
+
+%package cert
+Summary: Seperate %{name}-cert package
+
+%description cert
+This package only includes the %{name}-cert binary.
+
+%prep
+%autosetup -a1
+
+%build
+go build -buildmode=pie -mod=vendor -ldflags "-X main.Build=%{version}-dirty" -o %{name} ./cmd/%{name}
+go build -buildmode=pie -mod=vendor -ldflags "-X main.Build=%{version}-dirty" -o %{name}-cert ./cmd/%{name}-cert
+
+%install
+install -Dm0755 -t %{buildroot}%{_sbindir} %{name}
+install -Dm0755 -t %{buildroot}%{_bindir} %{name}-cert
+install -Dm0644 -t %{buildroot}%{_unitdir} %{SOURCE2}
+install -d %{buildroot}%{_sysconfdir}/%{name}
+
+%pre
+%service_add_pre %{name}.service
+
+%post
+%service_add_post %{name}.service
+
+%preun
+%service_del_preun %{name}.service
+
+%postun
+%service_del_postun %{name}.service
+
+%check
+%make_build test
+
+%files
+%license LICENSE
+%doc AUTHORS CHANGELOG.md LOGGING.md README.md SECURITY.md examples/config.yml
+%{_sbindir}/%{name}
+%{_unitdir}/%{name}.service
+%{_sysconfdir}/%{name}
+
+%files cert
+%license LICENSE
+%{_bindir}/%{name}-cert
+
+%changelog
diff --git a/vendor.tar.zst b/vendor.tar.zst
new file mode 100644
index 0000000..4c3c2ef
--- /dev/null
+++ b/vendor.tar.zst
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:52641345356545ef4d9c04b4d50107bb2371790062d8e21b08c327af2462720e
+size 2536177
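Review bot: The two `go build` lines in `%build` stamp the binaries with `-X main.Build=%{version}-dirty` and drop the `-trimpath` flag the upstream Makefile applies (see `BUILD_ARGS = -trimpath` in enable-pie.patch in this same commit), so a packaged 1.9.4 reports itself as a dirty build and embeds the build tree's paths in the executable. I would use `go build -trimpath -buildmode=pie -mod=vendor -ldflags "-X main.Build=%{version}" -o %{name} ./cmd/%{name}` and the same form for `%{name}-cert`. `%check` still runs `%make_build test` although the commit message says the Makefile is no longer used; whether that target runs an offline `go test` against the vendored modules is not visible here, so either confirm it or replace it with an explicit `go test -mod=vendor ./...`. The spec declares no `Patch` tag and `Source0` resolves to the 1.9.4 tarball, so `enable-pie.patch` and `nebula-1.9.3.tar.gz` elsewhere in this commit are unreferenced and can be dropped, and the `cert` subpackage summary misspells "Separate".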