diff --git a/trusted-network-gateway-2.2.1.tar.gz b/trusted-network-gateway-2.3.0.tar.gz similarity index 60% rename from trusted-network-gateway-2.2.1.tar.gz rename to trusted-network-gateway-2.3.0.tar.gz index 4bb2adfc1608acd1fa57bbc58691fc5c1ada6fe7..dba8ca1245501932a3eaac04c9198ba6fd3f815a 100644 Binary files a/trusted-network-gateway-2.2.1.tar.gz and b/trusted-network-gateway-2.3.0.tar.gz differ diff --git a/trusted-network-gateway.spec b/trusted-network-gateway.spec index c5c7e331e7fb13a4a9e3357e4dedb632b096037a..b11c01ff7762f2474daed286c62d072c5897981d 100644 --- a/trusted-network-gateway.spec +++ b/trusted-network-gateway.spec @@ -1,13 +1,13 @@ %global debug_package %{nil} Name: trusted-network-gateway -Version: 2.2.1 +Version: 2.3.0 Release: 1%{?dist} Summary: Trusted Network Gateway Group: Applications/System -License: ASL 2.0 -URL: www.alibaba.com -Source0: https://github.com/inclavare-containers/tng/releases/download/v{version}/trusted-network-gateway-%{version}.tar.gz +License: Apache-2.0 +URL: https://www.alibaba.com +Source0: https://github.com/inclavare-containers/tng/releases/download/v%{version}/trusted-network-gateway-%{version}.tar.gz Requires: curl iptables openssl iproute Recommends: attestation-agent @@ -48,7 +48,7 @@ A tool for establishing secure communication tunnels in confidential computing. %build # Build tng pushd src/ -cargo install --locked --path . --root %{_builddir}/%{name}-%{version}/install/tng/ +RUSTFLAGS="--cfg tokio_unstable" cargo install --locked --path ./tng/ --root %{_builddir}/%{name}-%{version}/install/tng/ popd 
@@ -72,6 +72,71 @@ install -p -m 755 src/dist/trusted-network-gateway.service %{buildroot}/usr/lib/ %changelog +* Wed Nov 5 2025 Kun Lai - 2.3.0-1 +- Fix TDX attestation failure: use canonical JSON serialization to ensure REPORT_DATA hash consistency in rats-cert +- Enable TCP keepalive (10s idle, 10s interval, 3 probes) for OHTTP tunnel connections to improve connection stability +- Set TCP_NODELAY on all TCP listeners to reduce latency for real-time services +- Add support for clients using "no_ra" when server requires attestation — returns key config with `attestation_info: None` instead of rejecting +- Cache OHTTP passport attestation responses within refresh interval to reduce AS load and improve performance +- Enable gzip/brotli/zstd compression for OHTTP responses (except ohttp-chunked-res) to reduce bandwidth usage +- Log OHTTP forwarding errors to stdout for improved operational visibility + + +* Mon Sep 29 2025 Kun Lai - 2.2.6-1 +- Standardize error handling with machine-readable codes and precise HTTP status mapping +- Honor AS token JWT exp and certificate validity in credential caching TTL calculation +- Migrate OHTTP routing from path-based to header-driven using x-tng-ohttp-api +- Use full URL as OHttpClient cache key for per-path service isolation +- Introduce test load balancer with path rewriting for integration testing +- Unify middleware order in OHTTP server for consistent processing + + +* Wed Sep 17 2025 Kun Lai - 2.2.5-1 +- Update to version v2.2.5 +- ohttp: Refactor code structure and rename encap/decap functions to use ohttp prefix +- ohttp: Introduce ohttp server and partial protocol support on egress side +- ohttp: Add support for client-side and server-side attestation (background check and passport models) +- ohttp: Handle HPKE expire_timestamp and attest.refresh_interval configuration +- ohttp: Add Content-Type and User-Agent headers in ohttp requests/responses +- ohttp: Add CORS configuration for egress +- ohttp: Fix socket mark 
handling in netfilter ingress type +- tng-wasm: Migrate from rats-tls to ohttp protocol; update Chinese documentation +- tng-wasm: Add build/run example documentation +- ra: Add support for passport model and attestation API in trustee 1.6.0 +- rats-rs: Use async verifier; deserialize and flatten tcb-status from coco as token +- rats-rs: Move from git submodule to Cargo dependency +- wasm: Support building as WASM module; align fetch() behavior with web standard +- ingress: Remove unused forward_http_request(); fix incorrect to_trusted_tunnel log value +- runtime: Merge tokio runtime with shutdown guard +- testsuite: Fix test filtering issues; ignore tng-wasm test coverage in report +- build: Add GitHub workflow for TNG SDK; fix npm package publishing in CI +- build: Add mac-cross-build target in Makefile +- deps: Unify crate versions across workspace +- cert_verifier: Remove unnecessary spawn_blocking() call +- run-test.sh: Adjust script to skip tng-wasm test reports +- Fix netlink warning on newer kernels in testing environment + + +* Thu Jul 3 2025 Kun Lai - 2.2.4-1 +- ingress/socks5: add dst_filters option for filtering destination domains +- egress: add direct_forward option to allow traffic forwarded directly + + +* Tue Jun 24 2025 Kun Lai - 2.2.3-1 +- ingress/netfilter: add matching dst ip address with ip rannge or ipset +- optimize network throughput +- cli: add --tokio-console option +- egress/transport: add timeout for waiting client tcp connection +- iptables: fix capturing traffics target to docker -p mapping port +- ingress/socks5: add "socks5" ingress type which expose a socks5 server to client + + +* Tue Jun 17 2025 Kun Lai - 2.2.2-1 +- egress/netfilter: Fix tng traffic not captured when tng client server run on same node. +- egress/netfilter: Fix behavior when capture_cgroup is empty and add check for cgroup v2. 
+- ingress/http_proxy: fix error when both domain and domain_regex are not set + + * Thu May 15 2025 Kun Lai - 2.2.1-1 - Fix broken trusted-network-gateway.service
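Review bot: in the first hunk (`@@ -1,13 +1,13 @@`) the `Source0` fix from `v{version}` to `v%{version}` is the substantive change: the old URL never expanded the macro and pointed at a literal `v{version}` release path, so the download would not have matched the tarball that is renamed to `trusted-network-gateway-2.3.0.tar.gz` in this same commit. Since the tarball is vendored next to the spec, please record how it was checked against the upstream release named in `Source0` (a checksum in the commit description is enough), so that the binary blob and the URL are verifiably the same artifact. Minor: `URL:` gains a scheme but still points at `https://www.alibaba.com`; the project repository already referenced in `Source0` (`https://github.com/inclavare-containers/tng`) is the more useful home page for packagers. The `License: Apache-2.0` switch to the SPDX identifier is correct.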
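Review bot: in the `%build` hunk (`@@ -48,7 +48,7 @@`) the new `RUSTFLAGS="--cfg tokio_unstable" cargo install ...` replaces any `RUSTFLAGS` the build environment already exports (distribution hardening or target flags), so it should append instead, e.g. `RUSTFLAGS="${RUSTFLAGS:-} --cfg tokio_unstable"`, or the cfg should move into a `.cargo/config.toml` in the source tree alongside the new `./tng/` crate path. Please also add a one-line comment above the command saying why the cfg is needed (the `cli: add --tokio-console option` changelog entry suggests tokio-console is the consumer), because `tokio_unstable` opts into APIs without a stability guarantee and a future dependency bump under `--locked` will need that context.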
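Review bot: in the `%changelog` hunk (`@@ -72,6 +72,71 @@`) the 2.3.0 entry `Add support for clients using "no_ra" when server requires attestation` describes a relaxation of server-side policy (a key config is now returned with `attestation_info: None` rather than the request being rejected), and a single changelog line is not enough for a packager to judge it: please state whether such a client is still refused application traffic and where the new behaviour is documented, otherwise "server requires attestation" no longer reads the same as it did in 2.2.x. Smaller points in the same hunk: every header is missing the maintainer e-mail that the conventional rpm changelog format expects (`* Wed Nov 5 2025 Kun Lai <email> - 2.3.0-1`); `ip rannge` and `traffics` are typos; and the spec jumps from `2.2.1-1` straight to `2.3.0-1` while adding entries for 2.2.2 through 2.2.6 that were never built from this spec, which is fine but worth a sentence in the commit message.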