Quentin McGaw
27b8e83aa5
Use ErrKernelModuleMissing when missing kernel module string is detected
2026-03-11 13:35:56 +00:00
Quentin McGaw
eb9f1b4e36
Revert mod changes
2026-03-02 23:19:53 +00:00
Quentin McGaw
a62220d7b6
give up on kernel modules checks
2026-03-02 23:17:08 +00:00
Quentin McGaw
594b1db98b
Require xt_CONNMARK and define its kernel config values
2026-02-28 15:13:23 +00:00
Quentin McGaw
bfc8136bc9
Fourth fallback, use DROP temporarily instead of REJECT
2026-02-27 12:17:12 +00:00
Quentin McGaw
1fd4cc511a
Fix kernel module names
2026-02-27 12:16:54 +00:00
Quentin McGaw
af0bc3e224
allow custom chain name targets
2026-02-26 23:18:44 +00:00
Quentin McGaw
302f1f11f7
only use kernel modules error as context to an actual error, not as a requirement since some systems don't show what they support reliably
2026-02-26 23:14:40 +00:00
Quentin McGaw
f654dece66
Reject output public ip traffic for 1s as another fallback
2026-02-26 23:10:37 +00:00
Quentin McGaw
a37354426b
Fallback to accepting only NEW output public traffic if conntrack netlink isn't supported
2026-02-26 23:08:32 +00:00
Quentin McGaw
dfac2b2f1a
Flush conntrack on every firewall enabling
2026-02-26 23:01:27 +00:00
Quentin McGaw
6467f3b4ad
Flush using AF_UNSPEC and netfilter package
2026-02-26 23:01:27 +00:00
Quentin McGaw
2bb4deccd5
feat(firewall): atomic iptables operations
...
- all operations rollback on failure
- disabling the firewall means rolling back to its state before enabling it
- aligns with nftables atomicity feature
2026-02-26 22:58:52 +00:00
Quentin McGaw
0d0c0fb143
feat(dns): update block files after DNS server is up for a faster bootup
2026-02-26 18:45:52 +00:00
Quentin McGaw
885e491bb7
chore(dns): clarify "ready" dns message when DNS server is up and being used
2026-02-26 18:45:52 +00:00
Quentin McGaw
e75ae21dcd
fix(mod): probe searches for features built-in the kernel
2026-02-26 18:45:52 +00:00
Quentin McGaw
4b8dc8ded7
fix(privado): update servers data using JSON API
...
- Fixes #3159
- Fixes #2118
- Fixes #2657
2026-02-25 16:02:52 +00:00
Quentin McGaw
0eeee5c496
chore(pmtud): clarify debug logs and fix log error message
2026-02-25 04:23:56 +00:00
Quentin McGaw
d21953f62e
chore(firewall): split apart iptables specific code in internal/firewall/iptables
2026-02-25 04:23:53 +00:00
Quentin McGaw
034f8f6331
hotfix(netlink): specify IP family for conntrack calls and make conntrack failure a warning
2026-02-25 02:44:07 +00:00
Quentin McGaw
01487b5caf
feat(protonvpn): add suggestions on some port forwarding errors
2026-02-23 21:19:08 +00:00
Quentin McGaw
625a63e7c2
fix(firewall): flush conntrack table after enabling firewall at container start
...
- prevent leaks for connections made the first ~10 milliseconds when Gluetun starts
- seems critical, but in practice this very rarely happens and it is very hard to reproduce
2026-02-22 13:31:38 +00:00
Quentin McGaw
0c3e5d94d8
change!(server): auth is now required for all routes ( #2980 )
2026-02-20 18:10:53 +01:00
Quentin McGaw
d586793169
fix(all): increase global http client timeout to 35s and precise lower timeouts where needed
...
- Fix DNS blocklists slow downloads, fix #3102
- Leave 35s timeout for updaters
- Set timeouts to 1s for local calls
- Set timeouts to 5s for LAN VPN calls and small external calls
- Set timeouts to 10s external VPN API calls
2026-02-20 16:40:51 +00:00
Quentin McGaw
c5eacac644
chore(pmtud/tcp): remove unused TCP flags
2026-02-20 16:25:14 +00:00
Quentin McGaw
7fbf2cbee3
hotfix(pmtud/tcp): return an error if no MSS destination server worked
2026-02-20 16:25:02 +00:00
Quentin McGaw
1dee183a70
chore(pmtud/tcp): silently discard IPv6 network unreachable errors
2026-02-20 16:24:25 +00:00
Quentin McGaw
c66d8bed00
hotfix(pmtud/tcp): fix code for IPv6 destinations
2026-02-20 16:23:40 +00:00
Quentin McGaw
73b3e2c88a
chore(pmtud/tcp): remove unused test code
2026-02-20 15:37:56 +00:00
Quentin McGaw
ea87c0a2aa
hotfix(pmtud): lower min MTU to MSS-matching-MTU minus 100 in case MSS is very small
2026-02-19 22:39:24 +00:00
Quentin McGaw
2192874de8
hotfix(pmtud/icmp): ignore non echo messages instead of returning an error
2026-02-19 18:05:48 +00:00
Quentin McGaw
007c5159f4
hotfix(pmtud): increase TCP margin from 150 to 300 compared to ICMP found MTU
2026-02-19 17:24:06 +00:00
Quentin McGaw
c6b211ef9b
feat(pmtud/tcp): support mixed IPv4 and IPv6 TCP servers
...
- Add default cloudflare and google tls ipv6 servers to default tcp servers
- update integration test to try against both ipv4 and ipv6 servers
2026-02-19 17:11:16 +00:00
Quentin McGaw
1c43a045d1
hotfix(pmtud/tcp): fix timeout apply per network call, not globally
2026-02-19 17:10:30 +00:00
Quentin McGaw
56b9e108be
chore(pmtud/tcp): add :53 TCP servers to the default list
2026-02-19 17:10:30 +00:00
Quentin McGaw
67b66bba9e
hotfix(pmtud/icmp): set IPv6 dont fragment options just in case
2026-02-19 17:10:30 +00:00
Quentin McGaw
8d86470905
feat(pmtud/tcp): use the TCP server with highest MSS to run MTU tests
2026-02-19 14:03:46 +00:00
Quentin McGaw
fb85ae79d1
chore(pmtud/tcp): move test helpers in helpers_test.go
2026-02-19 13:20:59 +00:00
Quentin McGaw
783616f61d
chore(pmtud/tcp): close connections with an RST packet on context cancelation
2026-02-19 13:20:59 +00:00
Quentin McGaw
bc79901f1e
chore(pmtud/tcp): restrict temp firewall rules to source ip and source port
2026-02-19 13:20:58 +00:00
Quentin McGaw
1c56189abc
hotfix(pmtud/tcp): fix rare race condition
2026-02-18 19:07:31 +00:00
Quentin McGaw
224618337c
hotfix(pmtud/tcp): take MSS from server into account
2026-02-18 18:32:31 +00:00
Quentin McGaw
183d351b58
chore(pmtud/icmp): do not use net.ErrClosed when inappropriate
2026-02-17 21:46:24 +00:00
Quentin McGaw
04d7cef294
hotfix(pmtud/tcp): block kernel from racing to send RST packets
...
- this makes PMTUD TCP reliable
- this only works on kernels with the mark module
- on kernels without the mark module, the icmp pmtud mtu found is used
2026-02-17 21:46:24 +00:00
Quentin McGaw
5f903d1fbf
chore(pmtud): remove calls to syscall in favor of unix and windows
...
- syscall is deprecated and is not kept up-to-date
- each OS is inherently different hence the syscall being deprecated
2026-02-17 21:46:04 +00:00
Quentin McGaw
d43eb1658f
chore(firewall): support TCP flags for future changes
2026-02-17 19:38:20 +00:00
Quentin McGaw
36dfd5b631
hotfix(pmtud): do not try every address for ICMP PMTUD
2026-02-16 23:54:38 +00:00
Quentin McGaw
f81b8342d6
hotfix(pmtud/tcp): temporary test fix
2026-02-16 23:54:38 +00:00
Quentin McGaw
cdec25da52
feat(pmtud/tcp): generate MTU test data to mimic TLS if possible to avoid being blocked
2026-02-16 19:57:12 +00:00
Quentin McGaw
201d1041f4
hotfix(pmtud/tcp): send MTU data in first and only ACK packet
...
- less likely to be flagged
- correct using TCP fast-open
2026-02-16 19:56:14 +00:00