- Add the ability to mark packets on linux to better target nebula packets in iptables/nftables. (#1331)
21
+
- Add ECMP support for `unsafe_routes`. (#1332)
22
+
- PKCS11 support for P256 keys when built with `pkcs11` tag (#1153, #1482)
23
+
10
24
### Changed
11
25
12
-
-`default_local_cidr_any` now defaults to false, meaning that any firewall rule
26
+
-**NOTE**: `default_local_cidr_any` now defaults to false, meaning that any firewall rule
13
27
intended to target an `unsafe_routes` entry must explicitly declare it via the
14
28
`local_cidr` field. This is almost always the intended behavior. This flag is
15
-
deprecated and will be removed in a future release.
29
+
deprecated and will be removed in a future release. (#1373)
30
+
- Improve logging when a relay is in use on an inbound packet. (#1533)
31
+
- Avoid fatal errors if `rountines` is > 1 on systems that don't support more than 1 routine. (#1531)
32
+
- Log a warning if a firewall rule contains an `any` that negates a more restrictive filter. (#1513)
33
+
- Accept encrypted CA passphrase from an environment variable. (#1421)
34
+
- Allow handshaking with any trusted remote. (#1509)
35
+
- Log only the count of blocklisted certificate fingerprints instead of the entire list. (#1525)
36
+
- Don't fatal when the ssh server is unable to be configured successfully. (#1520)
37
+
- Update to build against go v1.25. (#1483)
38
+
- Allow projects using `nebula` as a library with userspace networking to configure the `logger` and build version. (#1239)
39
+
- Upgrade to `yaml.v3`. (#1148, #1371, #1438, #1478)
40
+
41
+
### Fixed
42
+
43
+
- Fix a potential bug with udp ipv4 only on darwin. (#1532)
44
+
- Improve lost packet statistics. (#1441, #1537)
45
+
- Honor `remote_allow_list` in hole punch response. (#1186)
46
+
- Fix a panic when `tun.use_system_route_table` is `true` and a route lacks a destination. (#1437)
47
+
- Fix an issue when `tun.use_system_route_table: true` could result in heavy CPU utilization when many thousands of routes
48
+
are present. (#1326)
49
+
- Fix tests for 32 bit machines. (#1394)
50
+
- Fix a possible 32bit integer underflow in config handling. (#1353)
51
+
- Fix moving a udp address from one vpn address to another in the `static_host_map`
52
+
which could cause rapid re-handshaking with an incorrect remote. (#1259)
53
+
- Improve smoke tests in environments where the docker network is not the default. (#1347)
54
+
55
+
## [1.9.7] - 2025-10-10
56
+
57
+
### Security
58
+
59
+
- Fix an issue where Nebula could incorrectly accept and process a packet from an erroneous source IP when the sender's
60
+
certificate is configured with unsafe_routes (cert v1/v2) or multiple IPs (cert v2). (#1494)
61
+
62
+
### Changed
63
+
64
+
- Disable sending `recv_error` messages when a packet is received outside the allowable counter window. (#1459)
65
+
- Improve error messages and remove some unnecessary fatal conditions in the Windows and generic udp listener. (#1453)
66
+
67
+
## [1.9.6] - 2025-7-15
68
+
69
+
### Added
70
+
71
+
- Support dropping inactive tunnels. This is disabled by default in this release but can be enabled with `tunnels.drop_inactive`. See example config for more details. (#1413)
72
+
73
+
### Fixed
74
+
75
+
- Fix Darwin freeze due to presence of some Network Extensions (#1426)
76
+
- Ensure the same relay tunnel is always used when multiple relay tunnels are present (#1422)
77
+
- Fix Windows freeze due to ICMP error handling (#1412)
78
+
- Fix relay migration panic (#1403)
79
+
80
+
## [1.9.5] - 2024-12-05
81
+
82
+
### Added
83
+
84
+
- Gracefully ignore v2 certificates. (#1282)
85
+
86
+
### Fixed
87
+
88
+
- Fix relays that refuse to re-establish after one of the remote tunnel pairs breaks. (#1277)
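Review bot: the config key in the added "Avoid fatal errors if `rountines` is > 1" entry under Changed is misspelled; it should read `routines`, otherwise anyone searching the changelog for that setting will miss the entry. Two smaller consistency points in the same hunk: the `## [1.9.6] - 2025-7-15` heading uses a non-zero-padded month while the neighbouring headings use `2025-10-10` and `2024-12-05`, so `2025-07-15` would match; and the 1.9.7 Security entry writes unsafe_routes without backticks while the other entries format it as `unsafe_routes`. Since the `default_local_cidr_any` default change is now flagged with **NOTE**, it may also be worth stating in that entry what a rule without `local_cidr` matches under the new default, so operators upgrading can tell whether their existing `unsafe_routes` rules are affected.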