WolfStack v24.39.0

@github-actions github-actions released this 12 Jun 09:40
· 65 commits to master since this release

v24.39.0: IPv6 phase 1+2 — manage WolfStack over IPv6, securely

Phase 1 (management plane):

  • New src/netaddr.rs: node/peer addresses stored BARE, bracketed only at
    URL/bind build time (bracket_host / host_port / strip_port /
    canonical_ip_str). v4 and hostnames pass through byte-identically.
  • --bind :: now yields [::]:port instead of the unparseable :::port.
  • ~60 inter-node + user-supplied URL, websocket, bind and connect sites
    bracket bare IPv6 literals.
  • Cluster address classification is v6-aware: ULA fc00::/7 treated as
    private, link-local fe80::/10 rejected as an advertised address.
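The address handling described in Phase 1, as an added illustration in Rust (this is example code written for these notes, not WolfStack's src/netaddr.rs; the function names mirror the ones listed above but their signatures, the AddrClass enum and the main() sample inputs are assumptions). It shows why storing addresses bare and bracketing only at build time keeps v4 literals and hostnames byte-identical, why "::" must become "[::]:port", and how the fc00::/7 and fe80::/10 classification falls out of the first 16-bit segment:

```rust
use std::net::{IpAddr, Ipv6Addr};

/// Wrap a bare IPv6 literal in brackets for URL/bind use. IPv4 literals and
/// hostnames pass through byte-identically, so pure-v4 installs are unchanged.
pub fn bracket_host(host: &str) -> String {
    if host.parse::<Ipv6Addr>().is_ok() {
        format!("[{}]", host)
    } else {
        host.to_string()
    }
}

/// Join a bare host and a port into a bind/connect string; "::" yields "[::]:port",
/// not the unparseable ":::port".
pub fn host_port(host: &str, port: u16) -> String {
    format!("{}:{}", bracket_host(host), port)
}

/// Return the bare host from "host:port", "[v6]:port", or an unbracketed v6 literal.
pub fn strip_port(addr: &str) -> &str {
    if let Some(rest) = addr.strip_prefix('[') {
        // "[v6]:port" or "[v6]": everything up to the closing bracket is the host
        if let Some(end) = rest.find(']') {
            return &rest[..end];
        }
        return addr;
    }
    match addr.matches(':').count() {
        0 => addr,                                                   // hostname or v4, no port
        1 => addr.rsplit_once(':').map(|(h, _)| h).unwrap_or(addr),  // "host:port"
        _ => addr,                                                   // bare v6 literal, nothing to strip
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum AddrClass {
    Public,
    Private,
    Rejected, // not usable as an advertised cluster address
}

/// v6-aware classification: ULA fc00::/7 is private, link-local fe80::/10 is rejected.
/// (Assumed classification rules for this example; v4 uses the std private ranges.)
pub fn classify(ip: IpAddr) -> AddrClass {
    match ip {
        IpAddr::V4(v4) => {
            if v4.is_private() || v4.is_loopback() {
                AddrClass::Private
            } else {
                AddrClass::Public
            }
        }
        IpAddr::V6(v6) => {
            let first = v6.segments()[0];
            if (first & 0xffc0) == 0xfe80 {
                AddrClass::Rejected // fe80::/10 link-local is only meaningful with a scope id
            } else if (first & 0xfe00) == 0xfc00 || v6.is_loopback() {
                AddrClass::Private // fc00::/7 unique local
            } else {
                AddrClass::Public
            }
        }
    }
}

fn main() {
    // Constructed sample inputs for this example.
    for host in ["::", "::1", "2001:db8::1", "10.0.0.5", "node1.example"] {
        println!("{:<16} -> {}", host, host_port(host, 8443));
    }
    for ip in ["fd12:3456::1", "fe80::1", "2001:db8::1", "192.168.1.10"] {
        let parsed: IpAddr = ip.parse().unwrap();
        println!("{:<16} -> {:?}", ip, classify(parsed));
    }
}
```

Because bracket_host only brackets strings that parse as an Ipv6Addr, a hostname such as node1.example and a v4 literal round-trip unchanged through every URL and bind site; strip_port is the inverse and leaves an unbracketed v6 literal alone instead of cutting it at its last colon.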

Phase 2 (security parity):

  • Workload-block protection is dual-stack (IpAddr + family-matched CIDR);
    the stale-rule sweep heals ip6tables DROPs too.
  • Threat-intel v6 blocklist is now actually enforced, via a v6 companion
    ruleset applied alongside the v4 firewall — idempotent built-in jumps,
    never declares the built-in chains, so operator ip6tables rules survive.
  • IPv4-mapped (::ffff:a.b.c.d) peers from a dual-stack [::] socket are
    canonicalized at every security-decision site, so the brute-force
    blocker, trusted-IP allowlist and kernel block act on the real v4
    identity in the correct table (not a no-op ip6tables rule).
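The IPv4-mapped canonicalization and family-matched CIDR logic from Phase 2, as an added Rust example (written for these notes; it is not WolfStack's code, and the Table enum, the INPUT/DROP rule text and the decide() allowlist flow are constructed for illustration rather than the project's real rule layout). It shows the failure the notes describe: a ::ffff:127.0.0.1 peer compared against a v4 allowlist never matches on family, and a block for it would land in ip6tables as a no-op, unless it is first collapsed to its real v4 identity:

```rust
use std::net::IpAddr;

#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum Table {
    Iptables,
    Ip6tables,
}

/// Collapse an IPv4-mapped ::ffff:a.b.c.d peer (as seen on a dual-stack [::] socket)
/// to its real v4 identity. Anything else is returned unchanged.
pub fn canonical_ip(ip: IpAddr) -> IpAddr {
    match ip {
        IpAddr::V6(v6) => match v6.to_ipv4_mapped() {
            Some(v4) => IpAddr::V4(v4),
            None => IpAddr::V6(v6),
        },
        v4 => v4,
    }
}

/// Family-matched CIDR membership: a v4 network never matches a v6 address and
/// vice versa, so an un-canonicalized mapped peer silently misses a v4 allowlist.
pub fn cidr_contains(cidr: &str, ip: IpAddr) -> bool {
    let (net, plen) = cidr.split_once('/').unwrap_or((cidr, ""));
    let net = match net.parse::<IpAddr>() {
        Ok(n) => n,
        Err(_) => return false,
    };
    match (net, ip) {
        (IpAddr::V4(n), IpAddr::V4(a)) => {
            let plen: u32 = plen.parse().unwrap_or(32);
            if plen > 32 { return false; }
            let mask = if plen == 0 { 0 } else { u32::MAX << (32 - plen) };
            (u32::from(n) & mask) == (u32::from(a) & mask)
        }
        (IpAddr::V6(n), IpAddr::V6(a)) => {
            let plen: u32 = plen.parse().unwrap_or(128);
            if plen > 128 { return false; }
            let mask = if plen == 0 { 0 } else { u128::MAX << (128 - plen) };
            (u128::from(n) & mask) == (u128::from(a) & mask)
        }
        _ => false, // family mismatch never matches
    }
}

/// Which kernel table a block for this peer must land in.
pub fn table_for(ip: IpAddr) -> Table {
    match canonical_ip(ip) {
        IpAddr::V4(_) => Table::Iptables,
        IpAddr::V6(_) => Table::Ip6tables,
    }
}

/// Rule a brute-force blocker would emit. Chain and target are constructed for
/// this example and are not WolfStack's actual rule layout.
pub fn block_rule(peer: IpAddr) -> (Table, String) {
    let ip = canonical_ip(peer);
    let table = table_for(ip);
    let tool = match table {
        Table::Iptables => "iptables",
        Table::Ip6tables => "ip6tables",
    };
    (table, format!("{} -I INPUT -s {} -j DROP", tool, ip))
}

/// Security decision for a peer: canonicalize first, then consult the trusted
/// allowlist; otherwise report where the kernel block must go.
pub fn decide(peer: IpAddr, trusted: &[&str]) -> Result<(), (Table, String)> {
    let ip = canonical_ip(peer);
    if trusted.iter().any(|c| cidr_contains(c, ip)) {
        Ok(())
    } else {
        Err(block_rule(ip))
    }
}

fn main() {
    // Constructed sample peers: a v4 brute-forcer arriving on the [::] socket,
    // and a native v6 peer.
    let mapped: IpAddr = "::ffff:127.0.0.1".parse().unwrap();
    let native6: IpAddr = "2001:db8::bad".parse().unwrap();
    println!("raw {} matches 127.0.0.0/8? {}", mapped, cidr_contains("127.0.0.0/8", mapped));
    println!("canonical {} -> {:?}", canonical_ip(mapped), block_rule(mapped));
    println!("native v6 -> {:?}", block_rule(native6));
    println!("trusted? {:?}", decide(mapped, &["127.0.0.0/8"]));
}
```

The order matters: canonical_ip runs before any allowlist, brute-force or block decision, so every downstream consumer sees the same identity and picks the matching table.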

All opt-in: default bind stays 0.0.0.0; pure-v4 installs are unchanged and
the v6 firewall path only runs for WolfRouter/threat-intel users.
Runtime-tested netns-isolated on a dual-stack host: --bind :: serves over
[::1]; a v4 brute-forcer on the [::] socket is blocked as plain 127.0.0.1
in iptables; a v6 attacker in ip6tables; companion idempotent + preserves
operator rules. Not yet tested: multi-node v6 cluster join, threat-intel-
enabled v6 DROP enforcement.
Verifying this release

Each binary is signed via cosign keyless OIDC (no key distribution — signing identity is the GitHub Actions workflow itself, anchored to the Sigstore Fulcio CA and the Rekor transparency log) and ships with a SLSA build provenance attestation.

Verify the cosign signature:

cosign verify-blob \
  --bundle wolfstack-x86_64.cosign.bundle \
  --certificate-identity-regexp 'https://github.com/wolfsoftwaresystemsltd/WolfStack/\.github/workflows/release\.yml@.*' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  wolfstack-x86_64

Verify the build provenance:

gh attestation verify wolfstack-x86_64 --repo wolfsoftwaresystemsltd/WolfStack

Verify the SHA-256 checksum:

sha256sum -c SHA256SUMS

Artifacts

  • wolfstack-x86_64 / wolfstack-aarch64 — static musl binaries (Linux x86_64 and ARM64 / Raspberry Pi 4+).
  • wolfstack-<arch>.cosign.bundle — cosign signature bundle (cert + signature + Rekor entry).
  • SHA256SUMS — checksums for both binaries.

For per-version history see CHANGELOG.md.