release.md
Define ACL policies that permit traffic between egress endpoints across networks.
ACL policies can now target individual IPs inside an egress range using the ip ACL target type.
A built-in catalog simplifies domain-based egress for common SaaS and cloud providers.
GET /api/v1/egress/presets (AWS, Azure, Google, Salesforce, and more).
preset_id; the server can resolve AWS IP ranges automatically.
Just-In-Time (JIT) access can now be scoped to user groups per network.
Forward Netmaker audit events to your security stack from Integrations.
/api/v1/integrations/siem/{provider}).
Networks can designate a default enrollment key for simplified device onboarding.
This release introduces schema changes to the following core entities:
Impact:
Action Required:
For detailed upgrade steps, refer to the official upgrade documentation:
Netclient registration UX - Host registration over OAuth/basic auth now returns clear websocket close reasons on failure (auth errors, missing access, posture violations, and server errors).
User group management - Streamlined user role permissions and group updates, role-downgrade handling.
Orphan reference cleanup - Removes stale network references left behind after resource deletion.
Scalability & reliability - Optimized node status calculation, offline-status hooks, zombie/orphan node cleanup, and ACL cache race fixes.
API hardening - Auth rate limiting on REST endpoints and activity-log permission fixes.
Egress improvements - CIDR validation for ACL egress IPs, multi-domain egress routing, and domain-answer handling for preset-based egress.
Failover removed - Legacy per-node failover APIs and CLI commands have been removed in favor of gateway-based patterns.
IPv6-only machines
Netclients cannot currently auto-upgrade on IPv6-only systems.
Multi-network join performance
Multi-network netclient joins using an enrollment key still require optimization.
systemd-resolved DNS limitation
On systems using systemd-resolved in uplink mode, only the first 3 entries in resolv.conf are honored; additional entries are ignored. This may cause DNS resolution issues. Stub mode is recommended.
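A check for the systemd-resolved limitation above, written as an added example that is not part of these release notes or of Netmaker's tooling: it lists the nameserver entries in a resolv.conf file that fall past the first three. The function names and the sample file are constructed for illustration; 127.0.0.53 is the address of the systemd-resolved stub listener.

```sh
#!/bin/sh
# Added example (not Netmaker code): find resolv.conf nameserver entries past
# the first three, which the known-issue note says are ignored.
MAX_NS=3   # limit stated in the release note

# Constructed sample: an uplink-style file with five active nameservers.
sample_resolv_conf() {
    cat <<'EOF'
# constructed sample, documentation-range addresses
nameserver 192.0.2.1
nameserver 192.0.2.2
nameserver 198.51.100.3
#nameserver 203.0.113.9
nameserver 198.51.100.4
nameserver 2001:db8::5
search example.internal
EOF
}

# Print nameserver addresses in file order; commented-out lines are skipped.
list_nameservers() {
    awk '/^nameserver[ \t]+[^ \t]/ { print $2 }' "$1"
}

# Print only the entries beyond MAX_NS (empty output means none are dropped).
ignored_nameservers() {
    list_nameservers "$1" | awk -v max="$MAX_NS" 'NR > max'
}

# "stub" when the only nameserver is the systemd-resolved listener.
resolv_mode() {
    [ "$(list_nameservers "$1")" = "127.0.0.53" ] && echo stub || echo uplink-or-other
}

# Return 0 if no entry would be ignored, 1 otherwise.
check_resolv() {
    file=${1:-/etc/resolv.conf}
    dropped=$(ignored_nameservers "$file" | tr '\n' ' ')
    if [ -z "$dropped" ]; then
        echo "OK ($(resolv_mode "$file")): all nameservers in $file are usable"
        return 0
    fi
    echo "WARN: $file has entries past the first $MAX_NS that are ignored: $dropped"
    return 1
}

# Run against a file only when a path is given on the command line.
if [ "$#" -gt 0 ]; then check_resolv "$1"; fi
```

Run it with a path argument such as `/etc/resolv.conf`; a non-zero exit status means at least one configured resolver is being silently dropped.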
Windows Desktop App + mixed gateway modes
When the Windows Desktop App is connected to both:
the gateway monitoring component may disconnect from the Split Tunnel Gateway.