Bump github.com/slackhq/nebula from 1.9.7 to 1.10.1

[dependabot]

Bumps github.com/slackhq/nebula from 1.9.7 to 1.10.1.

Release notes

Sourced from github.com/slackhq/nebula's releases.

Release v1.10.1

See the v1.10.1 milestone for a complete list of changes.

Fixed

• Fix a bug where an unsafe route derived from the system route table could be lost on a config reload. (#1573)
• Fix the PEM banner for ECDSA P256 public keys. (#1552)
• Fix a regression on Windows from 1.9.x where nebula could fall back to a less performant UDP listener if non-critical ioctls failed. (#1568)
• Fix a bug in handshake processing when a peer sends an unexpected public key. (#1566)

Added

• Add a config option to control accepting recv_error packets which defaults to always. (#1569)

Changed

• Various dependency updates. (#1541, #1549, #1550, #1557, #1558, #1560, #1561, #1570, #1571)

Release v1.10.0

See the v1.10.0 milestone for a complete list of changes.

NOTE: If you use unsafe_routes, please read the note in the Changed section about default_local_cidr_any. You may need to update your firewall rules in order to maintain connectivity.

Added

• Support for ipv6 and multiple ipv4/6 addresses in the overlay. A new v2 ASN.1 based certificate format. Certificates now have a unified interface for external implementations. (#1212, #1216, #1345, #1359, #1381, #1419, #1464, #1466, #1451, #1476, #1467, #1481, #1399, #1488, #1492, #1495, #1468, #1521, #1535, #1538)
• Add the ability to mark packets on linux to better target nebula packets in iptables/nftables. (#1331)
• Add ECMP support for unsafe_routes. (#1332)
• PKCS11 support for P256 keys when built with pkcs11 tag (#1153, #1482)

Changed

• NOTE: default_local_cidr_any now defaults to false, meaning that any firewall rule intended to target an unsafe_routes entry must explicitly declare it via the local_cidr field. This is almost always the intended behavior. This flag is deprecated and will be removed in a future release. (#1373)
• Improve logging when a relay is in use on an inbound packet. (#1533)
• Avoid fatal errors if rountines is > 1 on systems that don't support more than 1 routine. (#1531)
• Log a warning if a firewall rule contains an any that negates a more restrictive filter. (#1513)
• Accept encrypted CA passphrase from an environment variable. (#1421)
• Allow handshaking with any trusted remote. (#1509)
• Log only the count of blocklisted certificate fingerprints instead of the entire list. (#1525)
• Don't fatal when the ssh server is unable to be configured successfully. (#1520)
• Update to build against go v1.25. (#1483)
• Allow projects using nebula as a library with userspace networking to configure the logger and build version. (#1239)
• Upgrade to yaml.v3. (#1148, #1371, #1438, #1478)

... (truncated)

Changelog

Sourced from github.com/slackhq/nebula's changelog.

[1.10.1] - 2026-01-16

See the v1.10.1 milestone for a complete list of changes.

Fixed

• Fix a bug where an unsafe route derived from the system route table could be lost on a config reload. (#1573)
• Fix the PEM banner for ECDSA P256 public keys. (#1552)
• Fix a regression on Windows from 1.9.x where nebula could fall back to a less performant UDP listener if non-critical ioctls failed. (#1568)
• Fix a bug in handshake processing when a peer sends an unexpected public key. (#1566)

Added

• Add a config option to control accepting recv_error packets which defaults to always. (#1569)

Changed

• Various dependency updates. (#1541, #1549, #1550, #1557, #1558, #1560, #1561, #1570, #1571)

[1.10.0] - 2025-12-04

See the v1.10.0 milestone for a complete list of changes.

Added

• Support for ipv6 and multiple ipv4/6 addresses in the overlay. A new v2 ASN.1 based certificate format. Certificates now have a unified interface for external implementations. (#1212, #1216, #1345, #1359, #1381, #1419, #1464, #1466, #1451, #1476, #1467, #1481, #1399, #1488, #1492, #1495, #1468, #1521, #1535, #1538)
• Add the ability to mark packets on linux to better target nebula packets in iptables/nftables. (#1331)
• Add ECMP support for unsafe_routes. (#1332)
• PKCS11 support for P256 keys when built with pkcs11 tag (#1153, #1482)

Changed

• NOTE: default_local_cidr_any now defaults to false, meaning that any firewall rule intended to target an unsafe_routes entry must explicitly declare it via the local_cidr field. This is almost always the intended behavior. This flag is deprecated and will be removed in a future release. (#1373)
• Improve logging when a relay is in use on an inbound packet. (#1533)
• Avoid fatal errors if rountines is > 1 on systems that don't support more than 1 routine. (#1531)
• Log a warning if a firewall rule contains an any that negates a more restrictive filter. (#1513)
• Accept encrypted CA passphrase from an environment variable. (#1421)
• Allow handshaking with any trusted remote. (#1509)
• Log only the count of blocklisted certificate fingerprints instead of the entire list. (#1525)
• Don't fatal when the ssh server is unable to be configured successfully. (#1520)
• Update to build against go v1.25. (#1483)
• Allow projects using nebula as a library with userspace networking to configure the logger and build version. (#1239)
• Upgrade to yaml.v3. (#1148, #1371, #1438, #1478)

... (truncated)

Commits

• 72a4000 v1.10.1 (#1575)
• ac3bd9c Avoid losing system originated unsafe routes on reload (#1573)
• 88379b8 Bump golang.org/x/net in the golang-x-dependencies group (#1571)
• 1283ff0 Add option to control accepting recv_error (#1569)
• 523209e Bump github.com/miekg/dns from 1.1.68 to 1.1.69 (#1561)
• a4a6143 Bump google.golang.org/protobuf in the protobuf-dependencies group (#1560)
• 1b2d639 Bump actions/download-artifact from 6 to 7 (#1557)
• 9933970 Bump actions/upload-artifact from 5 to 6 (#1558)
• d7a3f01 Bump the golang-x-dependencies group across 1 directory with 4 updates (#1570)
• 69259e6 Quietly log error on UDP_NETRESET ioctl on Windows. (#1453) (#1568)
• Additional commits viewable in compare view

Most Recent Ignore Conditions Applied to This Pull Request

Dependency Name	Ignore Conditions
github.com/slackhq/nebula	[>= 1.7.a, < 1.8]

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)