gen0sec · pigri · Jan 22, 2026 · Jan 21, 2026 · Jan 21, 2026 · Jan 21, 2026
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -10,55 +10,37 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - name: Cache target
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/.cargo/git/
-            ~/.cargo/registry/
-            target/
-          key: ${{ runner.os }}-synapse-${{ hashFiles('**/Cargo.toml') }}
-          restore-keys: ${{ runner.os }}-synapse
-      - name: Install package
+      - name: Build binary using Docker
+        shell: bash
         run: |
-          sudo apt-get update && sudo apt-get install -y git build-essential clang llvm libelf-dev libssl-dev \
-          zlib1g-dev libzstd-dev pkg-config libcap-dev binutils-multiarch-dev curl cmake ca-certificates libelf-dev libelf1 libssl3
-      - name: Install Rust toolchain
-        uses: dtolnay/rust-toolchain@stable
+          set -euxo pipefail
+          mkdir -p /tmp/build-output
+          docker build -t synapse-builder:latest -f pkg/docker/build.Dockerfile .
+          docker create --name synapse-build synapse-builder:latest
+          docker cp synapse-build:/output/synapse /tmp/build-output/synapse
+          docker rm synapse-build
+      - name: Upload binary artifact
+        uses: actions/upload-artifact@v4
         with:
-          toolchain: stable
-      - name: Build
-        run: cargo build --verbose
-      - name: Test
-        run: cargo test --verbose
-      # - name: Multi-core Test - Free github runners is not multi-core
-      #   run: cargo test --test multicore_test --verbose
+          name: synapse-amd64
+          path: /tmp/build-output/synapse
 
   build-arm64:
     name: Build arm64
     runs-on: ubuntu-24.04-arm
     steps:
       - uses: actions/checkout@v4
-      - name: Cache target
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/.cargo/git/
-            ~/.cargo/registry/
-            target/
-          key: ${{ runner.os }}-synapse-${{ hashFiles('**/Cargo.toml') }}
-          restore-keys: ${{ runner.os }}-synapse
-      - name: Install package
+      - name: Build binary using Docker
+        shell: bash
         run: |
-          sudo apt-get update && sudo apt-get install -y git build-essential clang llvm libelf-dev libssl-dev \
-          zlib1g-dev libzstd-dev pkg-config libcap-dev binutils-multiarch-dev curl cmake ca-certificates libelf-dev libelf1 libssl3
-      - name: Install Rust toolchain
-        uses: dtolnay/rust-toolchain@stable
+          set -euxo pipefail
+          mkdir -p /tmp/build-output
+          docker build -t synapse-builder:latest -f pkg/docker/build.Dockerfile .
+          docker create --name synapse-build synapse-builder:latest
+          docker cp synapse-build:/output/synapse /tmp/build-output/synapse
+          docker rm synapse-build
+      - name: Upload binary artifact
+        uses: actions/upload-artifact@v4
         with:
-          toolchain: stable
-      - name: Build
-        run: cargo build --verbose
-      - name: Test
-        run: cargo test --verbose
-      # - name: Multi-core Test - Free github runners is not multi-core
-      #   run: cargo test --test multicore_test --verbose
+          name: synapse-arm64
+          path: /tmp/build-output/synapse
diff --git a/.github/workflows/install-test.yml → .github/workflows/pkg-build.yml b/.github/workflows/install-test.yml → .github/workflows/pkg-build.yml
@@ -1,4 +1,4 @@
-name: Synapse Build
+name: Synapse DEB and RPM Build and test
 on:
   pull_request:
     branches:
@@ -13,13 +13,16 @@ jobs:
       - name: Check out repository code, branch='${{ github.ref }}'
         uses: actions/checkout@v4
 
-      - name: Building package
-        run: sudo ./builder.sh
-        working-directory: ./pkg/deb
+      - name: Build DEB using Docker
+        shell: bash
+        run: |
+          set -euxo pipefail
+          mkdir -p /tmp/deb-build-output
+          docker build -t synapse-builder-deb:latest -f pkg/deb/Dockerfile .
+          docker run -v "${GITHUB_WORKSPACE}:/tmp/repo" -v /tmp/deb-build-output:/tmp/output --rm synapse-builder-deb:latest
 
       - name: Installing package
-        run: sudo dpkg --install ./synapse*.deb
-        working-directory: ./pkg/deb
+        run: sudo dpkg --install /tmp/deb-build-output/synapse*.deb
 
       - name: Start Synapse service
         run: sudo systemctl start synapse

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -108,6 +108,8 @@ port_check = "0.3.0"
 notify = "8.2.0"
 privdrop = "0.5.6"
 base16ct = { version = "0.3.0", features = ["alloc"] }
+nftables = "0.6"
+iptables = "0.5"
 actix-web = "4.12"
 actix-files = "0.6"
 instant-acme = "0.8"

diff --git a/Dockerfile b/Dockerfile
diff --git a/build.rs b/build.rs
@@ -31,10 +31,12 @@ fn main() {
             vmlinux_include.as_os_str(),
             OsStr::new("-I"),
             bpf_include.as_os_str(),
-            OsStr::new("-O2"),              // Enable level 2 optimizations
-            OsStr::new("-g"),               // Keep debug info for verifier
+            OsStr::new("-O3"),              // Maximum optimizations to reduce program size
+            OsStr::new("-fno-unroll-loops"), // Prevent loop unrolling to reduce instruction count
             OsStr::new("-Wall"),            // Enable all warnings
             OsStr::new("-Wextra"),          // Extra warnings
+            OsStr::new("-DBPF_NO_PRESERVE_ACCESS_INDEX"), // Disable preserve_access_index for older clang
+            OsStr::new("-Ubpf"),            // Undefine bpf macro to avoid conflict with struct netns_bpf bpf
         ])
         .build_and_generate(skel_path.to_str().expect("Invalid UTF-8 in path"))
         .expect("Failed to generate skeleton");