24.12.001 changelog

24.12.001

Released on 20 December, 2024.

Server

Fixes

  • Network Interface reconciliation of routing tables and iptables rules previously only listened to changes coming from configuration. Reconciliation events are now also triggered by any change to netlink’s routing table, link state, or IP address assignments. Additionally, reconciliation is evaluated periodically as a fallback.

Features

  • Controllers now scale the nf_conntrack sysctl setting for optimal values. Previously, Controllers serving large volumes of traffic could exhibit session exhaustion resulting in dropped packet messages in some cases.
  • User auditing events that occur over Bowtie tunnels now include additional address metadata about the public network address served by the tunneled interface.

Enhancements

  • Updated the base Controller appliance operating system to reflect the latest upstream package updates.

    The table below lists relevant user-facing packages that may impact custom configuration settings on deployed Controllers:

    Package   Old Version   New Version
    grafana   10.4.8        10.4.13
    linux     6.1.111       6.1.119
    loki      3.1.1         3.1.2
    python    3.11.9        3.11.10

    Vulnerabilities closed due to updated packages or backported patches include:

    Vulnerability    Package      Mitigation
    CVE-2024-48958   libarchive   Updated to patched version
    CVE-2024-48957   libarchive   Updated to patched version
    CVE-2024-8006    libpcap      Updated to patched version
    CVE-2023-7256    libpcap      Updated to patched version

    At the time of writing, a scan of all operating system dependencies yielded no outstanding critical vulnerabilities requiring immediate action.

    When upgrading your Controller, please bear the following release notes in mind:

    • This update includes an update from Linux kernel version 6.1.111 to 6.1.117. System services should continue to operate normally across kernel updates. If you require that the system run on the newer kernel, follow up the update with a system reboot; this step is not required otherwise.
  • Additional system messages are included in Controller support bundles.

Client

Features

  • On Windows, DNS policy enforcement now uses a more energy efficient interface.
  • On Windows, a new DNS supervisor strategy is implemented to improve performance and reduce energy use.
  • Device to Controller Check-ins and Tunnel Statistics are now recorded to the local data store. Approximately 24h of active check-in responses are stored, and approximately 2 days of tunnel statistics are stored. Configuration defaults are:
    • store_maximum_checkin_response_rows=1440. This is approximately 24 hours of 1 minute check-ins
    • store_maximum_tunnel_stats_rows=1728000. This is approximately 2 days of 1 second stats for 10 controllers
  • There is a new tunnel health checking mechanism. It uses a configurable persistent-keepalive on the tunnel interface to actively send zero-data length packets if the connection is quiet and bandwidth telemetry to passively determine tunnel health. The keepalive timer should match on the client and the controller. Enabling this feature requires environment variable configuration on every controller and client configuration on every client that you want to opt-in to tunnel rebuilds.

    This feature requires active data sent from the client and the controller. Persistent keepalives send a signed zero-length packet at a minimum interval on an otherwise quiet connection. You should set the persistent keepalives to the same value on clients and controllers.

    Set persistent keepalives on your controllers with this environment variable BOWTIE_WIREGUARD_PERSISTENT_KEEPALIVE=25

    Set persistent keepalives, and tunnel health failure boundaries on clients with these parameters:

    persistent-keepalive=25
    unhealthy-tunnel-health-count=10
    tunnel_rebuild_strategy=RebuildOnAllUnreachable

    This says “If telemetry counts are invalid for 25 * 10 seconds, then rebuild tunnels”

    Effectively, this will:

    • Rebuild tunnels on wake-from-sleep
    • Rebuild tunnels on implementation issues and severe network partitions

    It is our expectation that this feature will become stable and default soon when the bandwidth and CPU costs of its operation decrease.

    There are two levels of enforcement. We currently recommend first trying tunnel_rebuild_strategy=RebuildOnAllUnreachable to opt into tunnel rebuild on failure.
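    As an added illustration (not Bowtie's code) of how the three client settings combine under RebuildOnAllUnreachable, the Python model below counts consecutive keepalive intervals with invalid telemetry per controller tunnel and triggers a rebuild only once every tunnel has crossed the threshold. The counter reset after a rebuild and the strategy-name check are assumptions; the sample telemetry sequences are constructed.

```python
"""Illustrative model (added here, not Bowtie's implementation) of the opt-in
tunnel health check with persistent-keepalive=25,
unhealthy-tunnel-health-count=10 and
tunnel_rebuild_strategy=RebuildOnAllUnreachable."""
from dataclasses import dataclass

PERSISTENT_KEEPALIVE = 25           # seconds; must match BOWTIE_WIREGUARD_PERSISTENT_KEEPALIVE
UNHEALTHY_TUNNEL_HEALTH_COUNT = 10  # consecutive bad samples before a tunnel counts as unhealthy


@dataclass
class TunnelHealth:
    controller: str
    bad_samples: int = 0  # consecutive keepalive intervals with invalid telemetry

    def observe(self, telemetry_valid: bool) -> None:
        # One sample per keepalive interval; any valid sample resets the run.
        self.bad_samples = 0 if telemetry_valid else self.bad_samples + 1

    @property
    def unhealthy(self) -> bool:
        return self.bad_samples >= UNHEALTHY_TUNNEL_HEALTH_COUNT


def rebuild_window_seconds() -> int:
    # "invalid for 25 * 10 seconds" from the release note
    return PERSISTENT_KEEPALIVE * UNHEALTHY_TUNNEL_HEALTH_COUNT


def should_rebuild(tunnels, strategy="RebuildOnAllUnreachable") -> bool:
    """RebuildOnAllUnreachable: rebuild only when every tunnel is unhealthy."""
    if strategy != "RebuildOnAllUnreachable":
        raise ValueError(f"unsupported strategy: {strategy}")  # assumption: only this strategy modelled
    return bool(tunnels) and all(t.unhealthy for t in tunnels)


def simulate(samples: dict) -> list:
    """Feed constructed per-controller telemetry validity samples interval by
    interval; return the interval indices at which a rebuild would fire."""
    tunnels = {name: TunnelHealth(name) for name in samples}
    triggers = []
    for i in range(max(len(s) for s in samples.values())):
        for name, seq in samples.items():
            tunnels[name].observe(seq[i] if i < len(seq) else False)
        if should_rebuild(list(tunnels.values())):
            triggers.append(i)
            for t in tunnels.values():  # assumption: a rebuild clears the counters
                t.bad_samples = 0
    return triggers


if __name__ == "__main__":
    # Constructed: both tunnels silent after wake-from-sleep (rebuild at interval 9),
    # then only controller B partitioned (a healthy A prevents a second rebuild).
    asleep = [False] * 10
    print(simulate({"A": asleep + [True] * 12, "B": asleep + [True] * 2 + [False] * 10}))
```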

  • A new experimental routing provider for Windows that should substantially reduce energy consumption has been added. To enable, set the routing-provider to net-io-api. This will likely become the default in future releases.

Documentation

Enhancements

  • Prevented support requests from being submitted twice at the same time and cleaned up the support ticket fields once submitted.

Meta Control Plane

Fixes

  • Updated client package macOS compatibility to reflect that versions 14 and 15 are supported.