Fix log

.devcontainer/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.23-bullseye
+FROM golang:1.21-bullseye
 
 RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
     && apt-get -y install --no-install-recommends\

.devcontainer/devcontainer.json

@@ -7,7 +7,7 @@
 	"features": {
 		"ghcr.io/devcontainers/features/docker-in-docker:2": {},
 		"ghcr.io/devcontainers/features/go:1": {
-			"version": "1.23"
+			"version": "1.21"
 		}
 	},
 	"workspaceFolder": "/workspaces/${localWorkspaceFolderBasename}",

.git-branches.toml

@@ -1,27 +0,0 @@
-# More info around this file at https://www.git-town.com/configuration-file
-
-[branches]
-main = "main"
-perennials = []
-perennial-regex = ""
-
-[create]
-new-branch-type = "feature"
-push-new-branches = false
-
-[hosting]
-dev-remote = "origin"
-# platform = ""
-# origin-hostname = ""
-
-[ship]
-delete-tracking-branch = false
-strategy = "squash-merge"
-
-[sync]
-feature-strategy = "merge"
-perennial-strategy = "rebase"
-prototype-strategy = "merge"
-push-hook = true
-tags = true
-upstream = false

.github/FUNDING.yml

@@ -1,3 +0,0 @@
-# These are supported funding model platforms
-
-github: [netbirdio]

.github/ISSUE_TEMPLATE/bug-issue-report.md

@@ -31,22 +31,14 @@ Please specify whether you use NetBird Cloud or self-host NetBird's control plan
 
 `netbird version`
 
-**Is any other VPN software installed?**
+**NetBird status -dA output:**
 
-If yes, which one?
+If applicable, add the `netbird status -dA' command output.
 
-**Debug output**
+**Do you face any (non-mobile) client issues?**
 
-To help us resolve the problem, please attach the following debug output
-
-  netbird status -dA
-
-As well as the file created by
-
-  netbird debug for 1m -AS
-
-  
-We advise reviewing the anonymized output for any remaining personal information.
+Please provide the file created by `netbird debug for 1m -AS`.
+We advise reviewing the anonymized files for any remaining PII.
 
 **Screenshots**
 
@@ -55,10 +47,3 @@ If applicable, add screenshots to help explain your problem.
 **Additional context**
 
 Add any other context about the problem here.
-
-**Have you tried these troubleshooting steps?**
-- [ ] Checked for newer NetBird versions
-- [ ] Searched for similar issues on GitHub (including closed ones)
-- [ ] Restarted the NetBird client
-- [ ] Disabled other VPN software
-- [ ] Checked firewall settings

.github/pull_request_template.md

@@ -2,10 +2,6 @@
 
 ## Issue ticket number and link
 
-## Stack
-
-<!-- branch-stack -->
-
 ### Checklist
 - [ ] Is it a bug fix
 - [ ] Is a typo/documentation fix

.github/workflows/git-town.yml

@@ -1,21 +0,0 @@
-name: Git Town
-
-on:
-  pull_request:
-    branches:
-      - '**'
-
-jobs:
-  git-town:
-    name: Display the branch stack
-    runs-on: ubuntu-latest
-
-    permissions:
-      contents: read
-      pull-requests: write
-
-    steps:
-      - uses: actions/checkout@v4
-      - uses: git-town/action@v1
-        with:
-          skip-single-stacks: true

.github/workflows/golang-test-darwin.yml

@@ -1,4 +1,4 @@
-name: "Darwin"
+name: Test Code Darwin
 
 on:
   push:
@@ -12,14 +12,15 @@ concurrency:
 
 jobs:
   test:
-    name: "Client / Unit"
+    strategy:
+      matrix:
+        store: ['sqlite']
     runs-on: macos-latest
     steps:
       - name: Install Go
         uses: actions/setup-go@v5
         with:
           go-version: "1.23.x"
-          cache: false
       - name: Checkout code
         uses: actions/checkout@v4
 
@@ -27,9 +28,8 @@ jobs:
         uses: actions/cache@v4
         with:
           path: ~/go/pkg/mod
-          key: macos-gotest-${{ hashFiles('**/go.sum') }}
+          key: macos-go-${{ hashFiles('**/go.sum') }}
           restore-keys: |
-            macos-gotest-
             macos-go-
 
       - name: Install libpcap
@@ -42,5 +42,4 @@ jobs:
         run: git --no-pager diff --exit-code
 
       - name: Test
-        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -tags=devcert -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 $(go list ./... | grep -v /management)
-
+        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 ./...

.github/workflows/golang-test-freebsd.yml

@@ -1,4 +1,5 @@
-name: "FreeBSD"
+
+name: Test Code FreeBSD
 
 on:
   push:
@@ -12,7 +13,6 @@ concurrency:
 
 jobs:
   test:
-    name: "Client / Unit"
     runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@v4
@@ -22,24 +22,18 @@ jobs:
         with:
           usesh: true
           copyback: false
-          release: "14.2"
+          release: "14.1"
           prepare: |
-            pkg install -y curl pkgconf xorg
-            LATEST_VERSION=$(curl -s https://go.dev/VERSION?m=text|head -n 1)
-            GO_TARBALL="$LATEST_VERSION.freebsd-amd64.tar.gz"
-            GO_URL="https://go.dev/dl/$GO_TARBALL"
-            curl -vLO "$GO_URL"
-            tar -C /usr/local -vxzf "$GO_TARBALL"            
+            pkg install -y go
 
           # -x - to print all executed commands
           # -e - to faile on first error
           run: |
             set -e -x
-            export PATH=$PATH:/usr/local/go/bin:$HOME/go/bin
             time go build -o netbird client/main.go
             # check all component except management, since we do not support management server on freebsd
             time go test -timeout 1m -failfast ./base62/...
-            # NOTE: without -p1 `client/internal/dns` will fail because of `listen udp4 :33100: bind: address already in use`
+            # NOTE: without -p1 `client/internal/dns` will fail becasue of `listen udp4 :33100: bind: address already in use`
             time go test -timeout 8m -failfast -p 1 ./client/...
             time go test -timeout 1m -failfast ./dns/...
             time go test -timeout 1m -failfast ./encryption/...

.github/workflows/golang-test-linux.yml

@@ -1,4 +1,4 @@
-name: Linux
+name: Test Code Linux
 
 on:
   push:
@@ -11,125 +11,30 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  build-cache:
-    name: "Build Cache"
-    runs-on: ubuntu-22.04
-    outputs:
-      management: ${{ steps.filter.outputs.management }}
-    steps:        
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - uses: dorny/paths-filter@v3
-        id: filter
-        with:
-          filters: |
-              management:
-                - 'management/**'
-
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: "1.23.x"
-          cache: false
-
-      - name: Get Go environment
-        run: |
-          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
-
-      - name: Cache Go modules
-        uses: actions/cache@v4
-        id: cache
-        with:
-          path: |
-            ${{ env.cache }}
-            ${{ env.modcache }}
-          key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
-
-      - name: Install dependencies
-        if: steps.cache.outputs.cache-hit != 'true'
-        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
-
-      - name: Install 32-bit libpcap
-        if: steps.cache.outputs.cache-hit != 'true'
-        run: sudo dpkg --add-architecture i386 && sudo apt update && sudo apt-get install -y libpcap0.8-dev:i386
-
-      - name: Build client
-        if: steps.cache.outputs.cache-hit != 'true'
-        working-directory: client
-        run: CGO_ENABLED=1 go build .
-
-      - name: Build client 386
-        if: steps.cache.outputs.cache-hit != 'true'
-        working-directory: client
-        run: CGO_ENABLED=1 GOARCH=386 go build -o client-386 .
-
-      - name: Build management
-        if: steps.cache.outputs.cache-hit != 'true'
-        working-directory: management
-        run: CGO_ENABLED=1 go build .
-
-      - name: Build management 386
-        if: steps.cache.outputs.cache-hit != 'true'
-        working-directory: management
-        run: CGO_ENABLED=1 GOARCH=386 go build -o management-386 .
-
-      - name: Build signal
-        if: steps.cache.outputs.cache-hit != 'true'
-        working-directory: signal
-        run: CGO_ENABLED=1 go build .
-
-      - name: Build signal 386
-        if: steps.cache.outputs.cache-hit != 'true'
-        working-directory: signal
-        run: CGO_ENABLED=1 GOARCH=386 go build -o signal-386 .
-
-      - name: Build relay
-        if: steps.cache.outputs.cache-hit != 'true'
-        working-directory: relay
-        run: CGO_ENABLED=1 go build .
-
-      - name: Build relay 386
-        if: steps.cache.outputs.cache-hit != 'true'
-        working-directory: relay
-        run: CGO_ENABLED=1 GOARCH=386 go build -o relay-386 .
-
   test:
-    name: "Client / Unit"
-    needs: [build-cache]
     strategy:
-      fail-fast: false
       matrix:
         arch: [ '386','amd64' ]
+        store: [ 'sqlite', 'postgres']
     runs-on: ubuntu-22.04
     steps:
       - name: Install Go
         uses: actions/setup-go@v5
         with:
           go-version: "1.23.x"
-          cache: false
+
+
+      - name: Cache Go modules
+        uses: actions/cache@v4
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
 
       - name: Checkout code
         uses: actions/checkout@v4
 
-      - name: Get Go environment
-        run: |
-          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
-
-      - name: Cache Go modules
-        uses: actions/cache/restore@v4
-        with:
-          path: |
-            ${{ env.cache }}
-            ${{ env.modcache }}
-          key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-gotest-cache-
-
       - name: Install dependencies
         run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
 
@@ -144,99 +49,29 @@ jobs:
         run: git --no-pager diff --exit-code
 
       - name: Test
-        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -tags devcert -exec 'sudo' -timeout 10m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay)
+        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 10m -p 1 ./...
 
   test_client_on_docker:
-    name: "Client (Docker) / Unit"
-    needs: [build-cache]
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-20.04
     steps:
       - name: Install Go
         uses: actions/setup-go@v5
         with:
           go-version: "1.23.x"
-          cache: false
+
+      - name: Cache Go modules
+        uses: actions/cache@v4
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
 
       - name: Checkout code
         uses: actions/checkout@v4
 
-      - name: Get Go environment
-        id: go-env
-        run: |
-          echo "cache_dir=$(go env GOCACHE)" >> $GITHUB_OUTPUT
-          echo "modcache_dir=$(go env GOMODCACHE)" >> $GITHUB_OUTPUT
-
-      - name: Cache Go modules
-        uses: actions/cache/restore@v4
-        id: cache-restore
-        with:
-          path: |
-            ${{ steps.go-env.outputs.cache_dir }}
-            ${{ steps.go-env.outputs.modcache_dir }}
-          key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-gotest-cache-
-
-      - name: Run tests in container
-        env:
-          HOST_GOCACHE: ${{ steps.go-env.outputs.cache_dir }}
-          HOST_GOMODCACHE: ${{ steps.go-env.outputs.modcache_dir }}
-        run: |
-          CONTAINER_GOCACHE="/root/.cache/go-build"
-          CONTAINER_GOMODCACHE="/go/pkg/mod"
-
-          docker run --rm \
-            --cap-add=NET_ADMIN \
-            --privileged \
-            -v $PWD:/app \
-            -w /app \
-            -v "${HOST_GOCACHE}:${CONTAINER_GOCACHE}" \
-            -v "${HOST_GOMODCACHE}:${CONTAINER_GOMODCACHE}" \
-            -e CGO_ENABLED=1 \
-            -e CI=true \
-            -e DOCKER_CI=true \
-            -e GOARCH=${GOARCH_TARGET} \
-            -e GOCACHE=${CONTAINER_GOCACHE} \
-            -e GOMODCACHE=${CONTAINER_GOMODCACHE} \
-            golang:1.23-alpine \
-            sh -c ' \
-              apk update; apk add --no-cache \
-                ca-certificates iptables ip6tables dbus dbus-dev libpcap-dev build-base; \
-              go test -buildvcs=false -tags devcert -v -timeout 10m -p 1 $(go list -buildvcs=false ./... | grep -v -e /management -e /signal -e /relay -e /client/ui -e /upload-server)
-            '
-
-  test_relay:
-    name: "Relay / Unit"
-    needs: [build-cache]
-    strategy:
-      fail-fast: false
-      matrix:
-        arch: [ '386','amd64' ]
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: "1.23.x"
-          cache: false
-
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Get Go environment
-        run: |
-          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
-
-      - name: Cache Go modules
-        uses: actions/cache/restore@v4
-        with:
-          path: |
-            ${{ env.cache }}
-            ${{ env.modcache }}
-          key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-gotest-cache-
+      - name: Install dependencies
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
 
       - name: Install modules
         run: go mod tidy
@@ -244,317 +79,46 @@ jobs:
       - name: check git status
         run: git --no-pager diff --exit-code
 
-      - name: Test
-        run: |
-          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
-          go test \
-            -exec 'sudo' \
-            -timeout 10m ./signal/...
+      - name: Generate Shared Sock Test bin
+        run: CGO_ENABLED=0 go test -c -o sharedsock-testing.bin ./sharedsock
 
-  test_signal:
-    name: "Signal / Unit"
-    needs: [build-cache]
-    strategy:
-      fail-fast: false
-      matrix:
-        arch: [ '386','amd64' ]
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: "1.23.x"
-          cache: false
+      - name: Generate RouteManager Test bin
+        run: CGO_ENABLED=0 go test -c -o routemanager-testing.bin  ./client/internal/routemanager
 
-      - name: Checkout code
-        uses: actions/checkout@v4
+      - name: Generate SystemOps Test bin
+        run: CGO_ENABLED=1 go test -c -o systemops-testing.bin -tags netgo -ldflags '-w -extldflags "-static -ldbus-1 -lpcap"' ./client/internal/routemanager/systemops
 
-      - name: Get Go environment
-        run: |
-          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
+      - name: Generate nftables Manager Test bin
+        run: CGO_ENABLED=0 go test -c -o nftablesmanager-testing.bin ./client/firewall/nftables/...
 
-      - name: Cache Go modules
-        uses: actions/cache/restore@v4
-        with:
-          path: |
-            ${{ env.cache }}
-            ${{ env.modcache }}
-          key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-gotest-cache-
+      - name: Generate Engine Test bin
+        run: CGO_ENABLED=1 go test -c -o engine-testing.bin ./client/internal
 
-      - name: Install modules
-        run: go mod tidy
+      - name: Generate Peer Test bin
+        run: CGO_ENABLED=0 go test -c -o peer-testing.bin ./client/internal/peer/
 
-      - name: check git status
-        run: git --no-pager diff --exit-code
+      - run: chmod +x *testing.bin
 
-      - name: Test
-        run: |
-          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
-          go test \
-            -exec 'sudo' \
-            -timeout 10m ./signal/...
+      - name: Run Shared Sock tests in docker
+        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/sharedsock --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/sharedsock-testing.bin -test.timeout 5m -test.parallel 1
 
-  test_management:
-    name: "Management / Unit"
-    needs: [ build-cache ]
-    strategy:
-      fail-fast: false
-      matrix:
-        arch: [ 'amd64' ]
-        store: [ 'sqlite', 'postgres', 'mysql' ]
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: "1.23.x"
-          cache: false
+      - name: Run Iface tests in docker
+        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/netbird -v /tmp/cache:/tmp/cache -v /tmp/modcache:/tmp/modcache -w /netbird -e GOCACHE=/tmp/cache -e GOMODCACHE=/tmp/modcache -e CGO_ENABLED=0 golang:1.23-alpine go test  -test.timeout 5m -test.parallel 1 ./client/iface/...
 
-      - name: Checkout code
-        uses: actions/checkout@v4
+      - name: Run RouteManager tests in docker
+        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal/routemanager --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/routemanager-testing.bin  -test.timeout 5m -test.parallel 1
 
-      - name: Get Go environment
-        run: |
-          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
+      - name: Run SystemOps tests in docker
+        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal/routemanager/systemops --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/systemops-testing.bin  -test.timeout 5m -test.parallel 1
 
-      - name: Cache Go modules
-        uses: actions/cache/restore@v4
-        with:
-          path: |
-            ${{ env.cache }}
-            ${{ env.modcache }}
-          key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-gotest-cache-
+      - name: Run nftables Manager tests in docker
+        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/firewall --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/nftablesmanager-testing.bin  -test.timeout 5m -test.parallel 1
 
-      - name: Install modules
-        run: go mod tidy
+      - name: Run Engine tests in docker with file store
+        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal -e NETBIRD_STORE_ENGINE="jsonfile" --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/engine-testing.bin  -test.timeout 5m -test.parallel 1
 
-      - name: check git status
-        run: git --no-pager diff --exit-code
+      - name: Run Engine tests in docker with sqlite store
+        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal -e NETBIRD_STORE_ENGINE="sqlite" --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/engine-testing.bin  -test.timeout 5m -test.parallel 1
 
-      - name: Login to Docker hub
-        if: matrix.store == 'mysql' && (github.repository == github.head.repo.full_name || !github.head_ref)
-        uses: docker/login-action@v1
-        with:
-          username: ${{ secrets.DOCKER_USER }}
-          password: ${{ secrets.DOCKER_TOKEN }}
-
-      - name: download mysql image
-        if: matrix.store == 'mysql'
-        run: docker pull mlsmaycon/warmed-mysql:8
-
-      - name: Test
-        run: |          
-          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
-          NETBIRD_STORE_ENGINE=${{ matrix.store }} \
-            CI=true \
-          go test -tags=devcert \
-            -exec "sudo --preserve-env=CI,NETBIRD_STORE_ENGINE" \
-            -timeout 20m ./management/...
-
-  benchmark:
-    name: "Management / Benchmark"
-    needs: [ build-cache ]
-    if: ${{ needs.build-cache.outputs.management == 'true' || github.event_name != 'pull_request' }}
-    strategy:
-      fail-fast: false
-      matrix:
-        arch: [ 'amd64' ]
-        store: [ 'sqlite', 'postgres' ]
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: "1.23.x"
-          cache: false
-
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Get Go environment
-        run: |
-          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
-
-      - name: Cache Go modules
-        uses: actions/cache/restore@v4
-        with:
-          path: |
-            ${{ env.cache }}
-            ${{ env.modcache }}
-          key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-gotest-cache-
-
-      - name: Install modules
-        run: go mod tidy
-
-      - name: check git status
-        run: git --no-pager diff --exit-code
-
-      - name: Login to Docker hub
-        if: matrix.store == 'mysql' && (github.repository == github.head.repo.full_name || !github.head_ref)
-        uses: docker/login-action@v1
-        with:
-          username: ${{ secrets.DOCKER_USER }}
-          password: ${{ secrets.DOCKER_TOKEN }}
-
-      - name: download mysql image
-        if: matrix.store == 'mysql'
-        run: docker pull mlsmaycon/warmed-mysql:8
-
-      - name: Test
-        run: |
-          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
-          NETBIRD_STORE_ENGINE=${{ matrix.store }} \
-          CI=true \
-          go test -tags devcert -run=^$ -bench=. \
-          -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' \
-          -timeout 20m ./management/...
-
-  api_benchmark:
-    name: "Management / Benchmark (API)"
-    needs: [ build-cache ]
-    if: ${{ needs.build-cache.outputs.management == 'true' || github.event_name != 'pull_request' }}
-    strategy:
-      fail-fast: false
-      matrix:
-        arch: [ 'amd64' ]
-        store: [ 'sqlite', 'postgres' ]
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Create Docker network
-        run: docker network create promnet
-
-      - name: Start Prometheus Pushgateway
-        run: docker run -d --name pushgateway --network promnet -p 9091:9091 prom/pushgateway
-
-      - name: Start Prometheus (for Pushgateway forwarding)
-        run: |
-          echo '
-          global:
-            scrape_interval: 15s
-          scrape_configs:
-            - job_name: "pushgateway"
-              static_configs:
-                - targets: ["pushgateway:9091"]
-          remote_write:
-            - url: ${{ secrets.GRAFANA_URL }}
-              basic_auth:
-                username: ${{ secrets.GRAFANA_USER }}
-                password: ${{ secrets.GRAFANA_API_KEY }}
-          ' > prometheus.yml
-
-          docker run -d --name prometheus --network promnet \
-            -v $PWD/prometheus.yml:/etc/prometheus/prometheus.yml \
-            -p 9090:9090 \
-            prom/prometheus
-
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: "1.23.x"
-          cache: false
-
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Get Go environment
-        run: |
-          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
-
-      - name: Cache Go modules
-        uses: actions/cache/restore@v4
-        with:
-          path: |
-            ${{ env.cache }}
-            ${{ env.modcache }}
-          key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-gotest-cache-
-
-      - name: Install modules
-        run: go mod tidy
-
-      - name: check git status
-        run: git --no-pager diff --exit-code
-
-      - name: Login to Docker hub
-        if: matrix.store == 'mysql' && (github.repository == github.head.repo.full_name || !github.head_ref)
-        uses: docker/login-action@v1
-        with:
-          username: ${{ secrets.DOCKER_USER }}
-          password: ${{ secrets.DOCKER_TOKEN }}
-
-      - name: download mysql image
-        if: matrix.store == 'mysql'
-        run: docker pull mlsmaycon/warmed-mysql:8
-
-      - name: Test
-        run: |
-          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
-          NETBIRD_STORE_ENGINE=${{ matrix.store }} \
-          CI=true \
-          GIT_BRANCH=${{ github.ref_name }} \
-          go test -tags=benchmark \
-            -run=^$ \
-            -bench=. \
-            -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE,GIT_BRANCH,GITHUB_RUN_ID' \
-            -timeout 20m ./management/...
-
-  api_integration_test:
-    name: "Management / Integration"
-    needs: [ build-cache ]
-    if: ${{ needs.build-cache.outputs.management == 'true' || github.event_name != 'pull_request' }}
-    strategy:
-      fail-fast: false
-      matrix:
-        arch: [ 'amd64' ]
-        store: [ 'sqlite', 'postgres']
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: "1.23.x"
-          cache: false
-
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Get Go environment
-        run: |
-          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
-
-      - name: Cache Go modules
-        uses: actions/cache/restore@v4
-        with:
-          path: |
-            ${{ env.cache }}
-            ${{ env.modcache }}
-          key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-gotest-cache-
-
-      - name: Install modules
-        run: go mod tidy
-
-      - name: check git status
-        run: git --no-pager diff --exit-code
-
-      - name: Test
-        run: |
-          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
-          NETBIRD_STORE_ENGINE=${{ matrix.store }} \
-          CI=true \
-          go test -tags=integration \
-          -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' \
-          -timeout 20m ./management/...
+      - name: Run Peer tests in docker
+        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal/peer  --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/peer-testing.bin  -test.timeout 5m -test.parallel 1

.github/workflows/golang-test-windows.yml

@@ -1,4 +1,4 @@
-name: "Windows"
+name: Test Code Windows
 
 on:
   push:
@@ -14,7 +14,6 @@ concurrency:
 
 jobs:
   test:
-    name: "Client / Unit"
     runs-on: windows-latest
     steps:
       - name: Checkout code
@@ -25,23 +24,6 @@ jobs:
         id: go
         with:
           go-version: "1.23.x"
-          cache: false
-
-      - name: Get Go environment
-        run: |
-          echo "cache=$(go env GOCACHE)" >> $env:GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $env:GITHUB_ENV
-
-      - name: Cache Go modules
-        uses: actions/cache@v4
-        with:
-          path: |
-            ${{ env.cache }}
-            ${{ env.modcache }}
-          key: ${{ runner.os }}-gotest-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-gotest-
-            ${{ runner.os }}-go-
 
       - name: Download wintun
         uses: carlosperate/download-file-action@v2
@@ -60,13 +42,11 @@ jobs:
       - run: choco install -y sysinternals --ignore-checksums
       - run: choco install -y mingw
 
-      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOMODCACHE=${{ env.cache }}
-      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOCACHE=${{ env.modcache }}
-      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe mod tidy
-      - run: echo "files=$(go list ./... | ForEach-Object { $_ } | Where-Object { $_ -notmatch '/management' })" >> $env:GITHUB_ENV
+      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOMODCACHE=C:\Users\runneradmin\go\pkg\mod
+      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOCACHE=C:\Users\runneradmin\AppData\Local\go-build
 
       - name: test
-        run: PsExec64 -s -w ${{ github.workspace }} cmd.exe /c "C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe test -tags=devcert -timeout 10m -p 1 ${{ env.files }} > test-out.txt 2>&1"
+        run: PsExec64 -s -w ${{ github.workspace }} cmd.exe /c "C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe test -timeout 10m -p 1 ./... > test-out.txt 2>&1"
       - name: test output
         if: ${{ always() }}
         run: Get-Content test-out.txt

.github/workflows/golangci-lint.yml

@@ -1,4 +1,4 @@
-name: Lint
+name: golangci-lint
 on: [pull_request]
 
 permissions:
@@ -19,7 +19,7 @@ jobs:
       - name: codespell
         uses: codespell-project/actions-codespell@v2
         with:
-          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe
+          ignore_words_list: erro,clienta,hastable,iif,groupd
           skip: go.mod,go.sum
           only_warn: 1
   golangci:
@@ -27,14 +27,7 @@ jobs:
       fail-fast: false
       matrix:
         os: [macos-latest, windows-latest, ubuntu-latest]
-        include:
-          - os: macos-latest
-            display_name: Darwin
-          - os: windows-latest
-            display_name: Windows
-          - os: ubuntu-latest
-            display_name: Linux
-    name: ${{ matrix.display_name }}
+    name: lint
     runs-on: ${{ matrix.os }}
     timeout-minutes: 15
     steps:
@@ -53,7 +46,7 @@ jobs:
         if: matrix.os == 'ubuntu-latest'
         run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev libpcap-dev
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v4
+        uses: golangci/golangci-lint-action@v3
         with:
           version: latest
-          args: --timeout=12m --out-format colored-line-number
+          args: --timeout=12m

.github/workflows/mobile-build-validation.yml

@@ -1,4 +1,4 @@
-name: Mobile
+name: Mobile build validation
 
 on:
   push:
@@ -12,7 +12,6 @@ concurrency:
 
 jobs:
   android_build:
-    name: "Android / Build"
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
@@ -48,7 +47,6 @@ jobs:
           CGO_ENABLED: 0
           ANDROID_NDK_HOME: /usr/local/lib/android/sdk/ndk/23.1.7779620
   ios_build:
-    name: "iOS / Build"
     runs-on: macos-latest
     steps:
       - name: Checkout repository

.github/workflows/release.yml

@@ -9,10 +9,10 @@ on:
   pull_request:
 
 env:
-  SIGN_PIPE_VER: "v0.0.18"
+  SIGN_PIPE_VER: "v0.0.16"
   GORELEASER_VER: "v2.3.2"
   PRODUCT_NAME: "NetBird"
-  COPYRIGHT: "NetBird GmbH"
+  COPYRIGHT: "Wiretrustee UG (haftungsbeschreankt)"
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
@@ -71,7 +71,7 @@ jobs:
       - name: Install goversioninfo
         run: go install github.com/josephspurrier/goversioninfo/cmd/goversioninfo@233067e
       - name: Generate windows syso amd64
-        run: goversioninfo  -icon client/ui/assets/netbird.ico -manifest client/manifest.xml -product-name ${{ env.PRODUCT_NAME }} -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/resources_windows_amd64.syso
+        run: goversioninfo  -icon client/ui/netbird.ico -manifest client/manifest.xml -product-name ${{ env.PRODUCT_NAME }} -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/resources_windows_amd64.syso
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v4
         with:
@@ -87,25 +87,25 @@ jobs:
         with:
           name: release
           path: dist/
-          retention-days: 7
+          retention-days: 3
       - name: upload linux packages
         uses: actions/upload-artifact@v4
         with:
           name: linux-packages
           path: dist/netbird_linux**
-          retention-days: 7
+          retention-days: 3
       - name: upload windows packages
         uses: actions/upload-artifact@v4
         with:
           name: windows-packages
           path: dist/netbird_windows**
-          retention-days: 7
+          retention-days: 3
       - name: upload macos packages
         uses: actions/upload-artifact@v4
         with:
           name: macos-packages
           path: dist/netbird_darwin**
-          retention-days: 7
+          retention-days: 3
 
   release_ui:
     runs-on: ubuntu-latest
@@ -150,7 +150,7 @@ jobs:
       - name: Install goversioninfo
         run: go install github.com/josephspurrier/goversioninfo/cmd/goversioninfo@233067e
       - name: Generate windows syso amd64
-        run: goversioninfo -64 -icon client/ui/assets/netbird.ico -manifest client/ui/manifest.xml -product-name ${{ env.PRODUCT_NAME }}-"UI" -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/ui/resources_windows_amd64.syso
+        run: goversioninfo -64 -icon client/ui/netbird.ico -manifest client/ui/manifest.xml -product-name ${{ env.PRODUCT_NAME }}-"UI" -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/ui/resources_windows_amd64.syso
 
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v4

.github/workflows/test-infrastructure-files.yml

@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        store: [ 'sqlite', 'postgres', 'mysql' ]
+        store: [ 'sqlite', 'postgres' ]
     services:
       postgres:
         image: ${{ (matrix.store == 'postgres') && 'postgres' || '' }}
@@ -34,19 +34,6 @@ jobs:
           --health-timeout 5s
         ports:
           - 5432:5432
-      mysql:
-        image: ${{ (matrix.store == 'mysql') && 'mysql' || '' }}
-        env:
-          MYSQL_USER: netbird
-          MYSQL_PASSWORD: mysql
-          MYSQL_ROOT_PASSWORD: mysqlroot
-          MYSQL_DATABASE: netbird
-        options: >-
-          --health-cmd "mysqladmin ping --silent"
-          --health-interval 10s
-          --health-timeout 5s
-        ports:
-          - 3306:3306
     steps:
       - name: Set Database Connection String
         run: |
@@ -55,11 +42,6 @@ jobs:
           else
             echo "NETBIRD_STORE_ENGINE_POSTGRES_DSN==" >> $GITHUB_ENV
           fi
-          if [ "${{ matrix.store }}" == "mysql" ]; then
-            echo "NETBIRD_STORE_ENGINE_MYSQL_DSN=netbird:mysql@tcp($(hostname -I | awk '{print $1}'):3306)/netbird" >> $GITHUB_ENV
-          else
-            echo "NETBIRD_STORE_ENGINE_MYSQL_DSN==" >> $GITHUB_ENV
-          fi
 
       - name: Install jq
         run: sudo apt-get install -y jq
@@ -102,7 +84,6 @@ jobs:
           CI_NETBIRD_AUTH_SUPPORTED_SCOPES: "openid profile email offline_access api email_verified"
           CI_NETBIRD_STORE_CONFIG_ENGINE: ${{ matrix.store }}
           NETBIRD_STORE_ENGINE_POSTGRES_DSN: ${{ env.NETBIRD_STORE_ENGINE_POSTGRES_DSN }}
-          NETBIRD_STORE_ENGINE_MYSQL_DSN: ${{ env.NETBIRD_STORE_ENGINE_MYSQL_DSN }}
           CI_NETBIRD_MGMT_IDP_SIGNKEY_REFRESH: false
 
       - name: check values
@@ -131,7 +112,6 @@ jobs:
           CI_NETBIRD_SIGNAL_PORT: 12345
           CI_NETBIRD_STORE_CONFIG_ENGINE: ${{ matrix.store }}
           NETBIRD_STORE_ENGINE_POSTGRES_DSN: '${{ env.NETBIRD_STORE_ENGINE_POSTGRES_DSN }}$'
-          NETBIRD_STORE_ENGINE_MYSQL_DSN: '${{ env.NETBIRD_STORE_ENGINE_MYSQL_DSN }}$'
           CI_NETBIRD_MGMT_IDP_SIGNKEY_REFRESH: false
           CI_NETBIRD_TURN_EXTERNAL_IP: "1.2.3.4"
 
@@ -169,7 +149,6 @@ jobs:
           grep -A 10 PKCEAuthorizationFlow management.json | grep -A 10 ProviderConfig | grep Scope | grep "$CI_NETBIRD_AUTH_SUPPORTED_SCOPES"
           grep -A 10 PKCEAuthorizationFlow management.json | grep -A 10 ProviderConfig | grep -A 3 RedirectURLs | grep "http://localhost:53000"
           grep "external-ip" turnserver.conf | grep $CI_NETBIRD_TURN_EXTERNAL_IP
-          grep "NETBIRD_STORE_ENGINE_MYSQL_DSN=$NETBIRD_STORE_ENGINE_MYSQL_DSN" docker-compose.yml
           grep NETBIRD_STORE_ENGINE_POSTGRES_DSN docker-compose.yml | egrep "$NETBIRD_STORE_ENGINE_POSTGRES_DSN"
           # check relay values
           grep "NB_EXPOSED_ADDRESS=$CI_NETBIRD_DOMAIN:33445" docker-compose.yml
@@ -178,7 +157,6 @@ jobs:
           grep -A 10 'relay:' docker-compose.yml | egrep 'NB_AUTH_SECRET=.+$'
           grep -A 7 Relay management.json | grep "rel://$CI_NETBIRD_DOMAIN:33445"
           grep -A 7 Relay management.json | egrep '"Secret": ".+"'
-          grep DisablePromptLogin management.json | grep 'true'
 
       - name: Install modules
         run: go mod tidy

.gitignore

@@ -29,4 +29,3 @@ infrastructure_files/setup.env
 infrastructure_files/setup-*.env
 .vscode
 .DS_Store
-vendor/

.golangci.yaml

@@ -103,7 +103,7 @@ linters:
     - predeclared # predeclared finds code that shadows one of Go's predeclared identifiers
     - revive # Fast, configurable, extensible, flexible, and beautiful linter for Go. Drop-in replacement of golint.
     - sqlclosecheck # checks that sql.Rows and sql.Stmt are closed
-    # - thelper # thelper detects Go test helpers without t.Helper() call and checks the consistency of test helpers.
+    - thelper # thelper detects Go test helpers without t.Helper() call and checks the consistency of test helpers.
     - wastedassign # wastedassign finds wasted assignment statements
 issues:
   # Maximum count of issues with the same text.

.goreleaser.yaml

@@ -96,20 +96,6 @@ builds:
       - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
     mod_timestamp: "{{ .CommitTimestamp }}"
 
-  - id: netbird-upload
-    dir: upload-server
-    env: [CGO_ENABLED=0]
-    binary: netbird-upload
-    goos:
-      - linux
-    goarch:
-      - amd64
-      - arm64
-      - arm
-    ldflags:
-      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
-    mod_timestamp: "{{ .CommitTimestamp }}"
-
 universal_binaries:
   - id: netbird
 
@@ -193,51 +179,6 @@ dockers:
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=maintainer=dev@netbird.io"
-
-  - image_templates:
-      - netbirdio/netbird:{{ .Version }}-rootless-amd64
-    ids:
-      - netbird
-    goarch: amd64
-    use: buildx
-    dockerfile: client/Dockerfile-rootless
-    build_flag_templates:
-      - "--platform=linux/amd64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/netbird:{{ .Version }}-rootless-arm64v8
-    ids:
-      - netbird
-    goarch: arm64
-    use: buildx
-    dockerfile: client/Dockerfile-rootless
-    build_flag_templates:
-      - "--platform=linux/arm64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/netbird:{{ .Version }}-rootless-arm
-    ids:
-      - netbird
-    goarch: arm
-    goarm: 6
-    use: buildx
-    dockerfile: client/Dockerfile-rootless
-    build_flag_templates:
-      - "--platform=linux/arm"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=maintainer=dev@netbird.io"
-
   - image_templates:
       - netbirdio/relay:{{ .Version }}-amd64
     ids:
@@ -423,52 +364,6 @@ dockers:
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/upload:{{ .Version }}-amd64
-    ids:
-      - netbird-upload
-    goarch: amd64
-    use: buildx
-    dockerfile: upload-server/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/amd64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/upload:{{ .Version }}-arm64v8
-    ids:
-      - netbird-upload
-    goarch: arm64
-    use: buildx
-    dockerfile: upload-server/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/upload:{{ .Version }}-arm
-    ids:
-      - netbird-upload
-    goarch: arm
-    goarm: 6
-    use: buildx
-    dockerfile: upload-server/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=maintainer=dev@netbird.io"
 docker_manifests:
   - name_template: netbirdio/netbird:{{ .Version }}
     image_templates:
@@ -482,18 +377,6 @@ docker_manifests:
       - netbirdio/netbird:{{ .Version }}-arm
       - netbirdio/netbird:{{ .Version }}-amd64
 
-  - name_template: netbirdio/netbird:{{ .Version }}-rootless
-    image_templates:
-      - netbirdio/netbird:{{ .Version }}-rootless-arm64v8
-      - netbirdio/netbird:{{ .Version }}-rootless-arm
-      - netbirdio/netbird:{{ .Version }}-rootless-amd64
-
-  - name_template: netbirdio/netbird:rootless-latest
-    image_templates:
-      - netbirdio/netbird:{{ .Version }}-rootless-arm64v8
-      - netbirdio/netbird:{{ .Version }}-rootless-arm
-      - netbirdio/netbird:{{ .Version }}-rootless-amd64
-
   - name_template: netbirdio/relay:{{ .Version }}
     image_templates:
       - netbirdio/relay:{{ .Version }}-arm64v8
@@ -535,17 +418,7 @@ docker_manifests:
       - netbirdio/management:{{ .Version }}-debug-arm64v8
       - netbirdio/management:{{ .Version }}-debug-arm
       - netbirdio/management:{{ .Version }}-debug-amd64
-  - name_template: netbirdio/upload:{{ .Version }}
-    image_templates:
-      - netbirdio/upload:{{ .Version }}-arm64v8
-      - netbirdio/upload:{{ .Version }}-arm
-      - netbirdio/upload:{{ .Version }}-amd64
 
-  - name_template: netbirdio/upload:latest
-    image_templates:
-      - netbirdio/upload:{{ .Version }}-arm64v8
-      - netbirdio/upload:{{ .Version }}-arm
-      - netbirdio/upload:{{ .Version }}-amd64
 brews:
   - ids:
       - default

.goreleaser_ui.yaml

@@ -50,12 +50,10 @@ nfpms:
       - netbird-ui
     formats:
       - deb
-    scripts:
-      postinstall: "release_files/ui-post-install.sh"
     contents:
-      - src: client/ui/build/netbird.desktop
+      - src: client/ui/netbird.desktop
         dst: /usr/share/applications/netbird.desktop
-      - src: client/ui/assets/netbird.png
+      - src: client/ui/netbird-systemtray-connected.png
         dst: /usr/share/pixmaps/netbird.png
     dependencies:
       - netbird
@@ -69,12 +67,10 @@ nfpms:
       - netbird-ui
     formats:
       - rpm
-    scripts:
-      postinstall: "release_files/ui-post-install.sh"
     contents:
-      - src: client/ui/build/netbird.desktop
+      - src: client/ui/netbird.desktop
         dst: /usr/share/applications/netbird.desktop
-      - src: client/ui/assets/netbird.png
+      - src: client/ui/netbird-systemtray-connected.png
         dst: /usr/share/pixmaps/netbird.png
     dependencies:
       - netbird

AUTHORS

@@ -1,3 +1,3 @@
 Mikhail Bragin (https://github.com/braginini)
 Maycon Santos (https://github.com/mlsmaycon)
-NetBird GmbH
+Wiretrustee UG (haftungsbeschränkt)

CONTRIBUTOR_LICENSE_AGREEMENT.md

@@ -1,64 +1,148 @@
-##  Contributor License Agreement
+#  Contributor License Agreement
 
-This Contributor License Agreement (referred to as the "Agreement") is entered into by the individual 
-submitting this Agreement and NetBird GmbH, c/o Max-Beer-Straße 2-4 Münzstraße 12 10178 Berlin, Germany, 
-referred to as "NetBird" (collectively, the "Parties"). The Agreement outlines the terms and conditions 
-under which NetBird may utilize software contributions provided by the Contributor for inclusion in 
-its software development projects. By submitting this Agreement, the Contributor confirms their acceptance 
-of the terms and conditions outlined below. The Contributor further represents that they are authorized to 
-complete this process as described herein.
+We are incredibly thankful for the contributions we receive from the community.
+We require our external contributors to sign a Contributor License Agreement ("CLA") in
+order to ensure that our projects remain licensed under Free and Open Source licenses such
+as BSD-3 while allowing Wiretrustee to build a sustainable business.
+
+Wiretrustee is committed to having a true Open Source Software ("OSS") license for
+our software. A CLA enables Wiretrustee to safely commercialize our products
+while keeping a standard OSS license with all the rights that license grants to users: the
+ability to use the project in their own projects or businesses, to republish modified
+source, or to completely fork the project.
+
+This page gives a human-friendly summary of our CLA, details on why we require a CLA, how
+contributors can sign our CLA, and more. You may view the full legal CLA document (below).
+
+# Human-friendly summary
+
+This is a human-readable summary of (and not a substitute for) the full agreement (below).
+This highlights only some of key terms of the CLA. It has no legal value and you should
+carefully review all the terms of the actual CLA before agreeing.
+
+<li>Grant of copyright license. You give Wiretrustee permission to use your copyrighted work
+in commercial products.
+</li>
+
+<li>Grant of patent license. If your contributed work uses a patent, you give Wiretrustee a
+license to use that patent including within commercial products. You also agree that you
+have permission to grant this license.
+</li>
+
+<li>No Warranty or Support Obligations.
+By making a contribution, you are not obligating yourself to provide support for the
+contribution, and you are not taking on any warranty obligations or providing any
+assurances about how it will perform.
+</li>
+
+The CLA does not change the terms of the standard open source license used by our software
+such as BSD-3 or MIT.
+You are still free to use our projects within your own projects or businesses, republish
+modified source, and more.
+Please reference the appropriate license for the project you're contributing to to learn
+more.
+
+# Why require a CLA?
+
+Agreeing to a CLA explicitly states that you are entitled to provide a contribution, that you cannot withdraw permission
+to use your contribution at a later date, and that Wiretrustee has permission to use your contribution in our commercial
+products.
+
+This removes any ambiguities or uncertainties caused by not having a CLA and allows users and customers to confidently
+adopt our projects. At the same time, the CLA ensures that all contributions to our open source projects are licensed
+under the project's respective open source license, such as BSD-3.
+
+Requiring a CLA is a common and well-accepted practice in open source. Major open source projects require CLAs such as
+Apache Software Foundation projects, Facebook projects (such as React), Google projects (including Go), Python, Django,
+and more. Each of these projects remains licensed under permissive OSS licenses such as MIT, Apache, BSD, and more.
+
+# Signing the CLA
+
+Open a pull request ("PR") to any of our open source projects to sign the CLA. A bot will comment on the PR asking you
+to sign the CLA if you haven't already.
+
+Follow the steps given by the bot to sign the CLA. This will require you to log in with GitHub (we only request public
+information from your account) and to fill in a few additional details such as your name and email address. We will only
+use this information for CLA tracking; none of your submitted information will be used for marketing purposes.
+
+You only have to sign the CLA once. Once you've signed the CLA, future contributions to any Wiretrustee project will not
+require you to sign again.
+
+# Legal Terms and Agreement
+
+In order to clarify the intellectual property license granted with Contributions from any person or entity, Wiretrustee
+UG (haftungsbeschränkt) ("Wiretrustee") must have a Contributor License Agreement ("CLA") on file that has been signed
+by each Contributor, indicating agreement to the license terms below. This license does not change your rights to use
+your own Contributions for any other purpose.
+
+You accept and agree to the following terms and conditions for Your present and future Contributions submitted to
+Wiretrustee. Except for the license granted herein to Wiretrustee and recipients of software distributed by Wiretrustee,
+You reserve all right, title, and interest in and to Your Contributions.
+
+1. Definitions.
+
+    ```
+   "You" (or "Your") shall mean the copyright owner or legal entity authorized by the copyright owner 
+   that is making this Agreement with Wiretrustee. For legal entities, the entity making a Contribution and all other 
+   entities that control, are controlled by, or are under common control with that entity are considered 
+   to be a single Contributor. For the purposes of this definition, "control" means (i) the power, direct or indirect,
+    to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty 
+   percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.
+   ```
+   ```
+    "Contribution" shall mean any original work of authorship, including any modifications or additions to 
+   an existing work, that is or previously has been intentionally submitted by You to Wiretrustee for inclusion in, 
+   or documentation of, any of the products owned or managed by Wiretrustee (the "Work"). 
+   For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication 
+   sent to Wiretrustee or its representatives, including but not limited to communication on electronic mailing lists, 
+   source code control systems, and issue tracking systems that are managed by, or on behalf of, 
+   Wiretrustee for the purpose of discussing and improving the Work, but excluding communication that is conspicuously 
+   marked or otherwise designated in writing by You as "Not a Contribution."
+   ```
+
+2. Grant of Copyright License. Subject to the terms and conditions of this Agreement, You hereby grant to Wiretrustee
+   and to recipients of software distributed by Wiretrustee a perpetual, worldwide, non-exclusive, no-charge,
+   royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly
+   perform, sublicense, and distribute Your Contributions and such derivative works.
 
 
-## 1 Preamble
-In order to clarify the IP Rights situation with regard to Contributions from any person or entity, NetBird 
-must have a contributor license agreement on file to be signed by each Contributor, containing the license 
-terms below. This license serves as protection for both the Contributor as well as NetBird and its software users; 
-it does not change Contributor’s rights to use his/her own Contributions for any other purpose.
+3. Grant of Patent License. Subject to the terms and conditions of this Agreement, You hereby grant to Wiretrustee and
+   to recipients of software distributed by Wiretrustee a perpetual, worldwide, non-exclusive, no-charge, royalty-free,
+   irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import,
+   and otherwise transfer the Work, where such license applies only to those patent claims licensable by You that are
+   necessarily infringed by Your Contribution(s) alone or by combination of Your Contribution(s) with the Work to which
+   such Contribution(s) was submitted. If any entity institutes patent litigation against You or any other entity (
+   including a cross-claim or counterclaim in a lawsuit) alleging that your Contribution, or the Work to which you have
+   contributed, constitutes direct or contributory patent infringement, then any patent licenses granted to that entity
+   under this Agreement for that Contribution or Work shall terminate as of the date such litigation is filed.
 
-## 2 Definitions
-2.1 “IP Rights” shall mean all industrial and intellectual property rights, whether registered or not registered, whether created by Contributor or acquired by Contributor from third parties, and similar rights, including (but not limited to) semiconductor property rights, design rights, copyrights (including in the form of database rights and rights to software), all neighbouring rights (Leistungsschutzrechte), trademarks, service marks, titles, internet domain names, trade names and other labelling rights, rights deriving from corresponding applications and registrations of such rights as well as any licenses (Nutzungsrechte) under and entitlements to any such intellectual and industrial property rights.
 
-2.2 "Contribution" shall mean any original work of authorship, including any modifications or additions to an existing work, that is or previously has been intentionally Submitted by Contributor to NetBird for inclusion in, or documentation of any Work. 
+4. You represent that you are legally entitled to grant the above license. If your employer(s) has rights to
+   intellectual property that you create that includes your Contributions, you represent that you have received
+   permission to make Contributions on behalf of that employer, that you will have received permission from your current
+   and future employers for all future Contributions, that your applicable employer has waived such rights for all of
+   your current and future Contributions to Wiretrustee, or that your employer has executed a separate Corporate CLA
+   with Wiretrustee.
 
-2.3 "Contributor" shall mean the copyright owner or legal entity authorized by the copyright owner that is concluding this Agreement with NetBird. For legal entities, the entity making a Contribution and all other entities that control, are controlled by, or are under common control with that entity are considered to be a single Contributor. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.
 
-2.4 "Submitted" shall mean any form of electronic, verbal, or written communication sent to NetBird or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, NetBird for the purpose of discussing and improving the Work, but excluding communication that is marked or otherwise designated in writing by Contributor as "Not a Contribution".
+5. You represent that each of Your Contributions is Your original creation (see section 7 for submissions on behalf of
+   others). You represent that Your Contribution submissions include complete details of any third-party license or
+   other restriction (including, but not limited to, related patents and trademarks) of which you are personally aware
+   and which are associated with any part of Your Contributions.
 
-2.5 "Work" means any of the products owned or managed by NetBird, in particular, but not exclusively, software.
 
-## 3 Licenses 
-3.1 Subject to the terms and conditions of this agreement, Contributor hereby grants to NetBird and to recipients of software distributed by NetBird a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable license to reproduce by any means and in any form, in whole or in part, permanently or temporarily, the Contributions (including loading, displaying, executing, transmitting or storing works for the purpose of executing and processing data or transferring them to video, audio and other data carriers), including the right to distribute, display and present such Contributions and make them available to the public (e.g. via the internet) and to transmit and display such Contributions by any means. The license also includes the right to modify, translate, adapt, edit and otherwise alter the Contributions and to use these results in the same manner as the original Contributions and derivative works. Except for licenses in patents acc. to Sec. 3, such license refers to any IP Rights in the Contributions and derivative works. The Contributor acknowledges that NetBird is not required to credit them by name for their Contribution and agrees to waive any moral rights associated with their Contribution in relation to NetBird or its sublicensees.
+6. You are not expected to provide support for Your Contributions, except to the extent You desire to provide support.
+   You may provide support for free, for a fee, or not at all. Unless required by applicable law or agreed to in
+   writing, You provide Your Contributions on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+   express or implied, including, without limitation, any warranties or conditions of TITLE, NON- INFRINGEMENT,
+   MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE.
 
-3.2 Subject to the terms and conditions of this agreement, Contributor hereby grants to NetBird and to recipients of software distributed by NetBird a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license in the Contributions to make, have made, use, sell, offer to sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by the Contributor which are necessarily infringed by Contributor‘s Contribution(s) alone or by combination of Contributor’s Contribution(s) with the Work to which such Contribution(s) was Submitted. 
 
-3.3 NetBird hereby accepts such licenses. 
+7. Should You wish to submit work that is not Your original creation, You may submit it to Wiretrustee separately from
+   any Contribution, identifying the complete details of its source and of any license or other restriction (including,
+   but not limited to, related patents, trademarks, and license agreements) of which you are personally aware, and
+   conspicuously marking the work as "Submitted on behalf of a third-party: [named here]".
 
-## 4 Contributor’s Representations
-4.1 Contributor represents that Contributor is legally entitled to grant the above license. If Contributor’s employer has IP Rights to Contributor’s Contributions, Contributor represent that he/she has received permission to make Contributions on behalf of such employer, that such employer has waived such IP Rights to the Contributions of Contributor to NetBird, or that such employer has executed a separate contributor license agreement with NetBird.
-
-4.2 Contributor represents that any Contribution is his/her original creation. 
-
-4.3 Contributor represents to his/her best knowledge that any Contribution does not violate any third party IP Rights.
-
-4.4 Contributor represents that any Contribution submission includes complete details of any third-party license or other restriction (including, but not limited to, related patents and trademarks) of which Contributor is personally aware and which are associated with any part of the Contribution.
-
-4.5 The Contributor represents that their Contribution does not include any work distributed under a copyleft license.
-
-## 5 Information obligation
-Contributor agrees to notify NetBird of any facts or circumstances of which Contributor become aware that would make these representations inaccurate in any respect.
-
-## 6 Submission of Third-Party works
-Should Contributor wish to submit work that is not Contributor’s original creation, Contributor may submit it to NetBird separately from any Contribution, identifying the complete details of its source and of any license or other restriction (including, but not limited to, related patents, trademarks, and license agreements) of which Contributor are personally aware, and conspicuously marking the work as "Submitted on behalf of a third-party: [named here]".
-
-## 7 No Consideration
-Unless compensation is mandatory under statutory law, no compensation for any license under this agreement shall be payable. 
-
-## 8 Final Provisions
-8.1 Laws. This Agreement is governed by the laws of the Federal Republic of Germany. 
-
-8.2 Venue. Place of jurisdiction shall, to the extent legally permissible, be Berlin, Germany. 
-
-8.3 Severability. If any provision in this agreement is unlawful, invalid or ineffective, it shall not affect the enforceability or effectiveness of the remainder of this agreement. The parties agree to replace any unlawful, invalid or ineffective provision with a provision that comes as close as possible to the commercial intent and purpose of the original provision. This section also applies accordingly to any gaps in the contract. 
-
-8.4 Variations. Any variations, amendments or supplements to this Agreement must be in writing. This also applies to any variation of this Section 8.4.
 
+8. You agree to notify Wiretrustee of any facts or circumstances of which you become aware that would make these
+   representations inaccurate in any respect.

LICENSE

@@ -1,6 +1,6 @@
 BSD 3-Clause License
 
-Copyright (c) 2022 NetBird GmbH & AUTHORS
+Copyright (c) 2022 Wiretrustee UG (haftungsbeschränkt) & AUTHORS
 
 Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
 
@@ -10,4 +10,4 @@ Redistribution and use in source and binary forms, with or without modification,
 
 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
 
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

README.md

@@ -1,6 +1,11 @@
-<div align="center">
+<p align="center">
+ <strong>:hatching_chick: New Release! Device Posture Checks.</strong>
+  <a href="https://docs.netbird.io/how-to/manage-posture-checks">
+       Learn more
+     </a>   
+</p>
 <br/>
-  <br/>
+<div align="center">
 <p align="center">
   <img width="234" src="docs/media/logo-full.png"/>
 </p>
@@ -12,12 +17,8 @@
        <img src="https://img.shields.io/badge/license-BSD--3-blue" />
      </a> 
     <br>
-    <a href="https://join.slack.com/t/netbirdio/shared_invite/zt-31rofwmxc-27akKd0Le0vyRpBcwXkP0g">
+    <a href="https://join.slack.com/t/netbirdio/shared_invite/zt-2p5zwhm4g-8fHollzrQa5y4PZF5AEpvQ">
         <img src="https://img.shields.io/badge/slack-@netbird-red.svg?logo=slack"/>
-     </a>  
-     <br>
-    <a href="https://gurubase.io/g/netbird">
-        <img src="https://img.shields.io/badge/Gurubase-Ask%20NetBird%20Guru-006BFF"/>
      </a>    
   </p>
 </div>
@@ -29,14 +30,10 @@
   <br/>
   See <a href="https://netbird.io/docs/">Documentation</a>
   <br/>
-   Join our <a href="https://join.slack.com/t/netbirdio/shared_invite/zt-31rofwmxc-27akKd0Le0vyRpBcwXkP0g">Slack channel</a>
+   Join our <a href="https://join.slack.com/t/netbirdio/shared_invite/zt-2p5zwhm4g-8fHollzrQa5y4PZF5AEpvQ">Slack channel</a>
   <br/>
  
 </strong>
-<br>
-<a href="https://github.com/netbirdio/kubernetes-operator">
-    New: NetBird Kubernetes Operator
-  </a> 
 </p>
 
 <br>
@@ -57,16 +54,16 @@
 
 ### Key features
 
-| Connectivity | Management | Security | Automation| Platforms |
-|----|----|----|----|----|
-| <ul><li>- \[x] Kernel WireGuard</ul></li> | <ul><li>- \[x] [Admin Web UI](https://github.com/netbirdio/dashboard)</ul></li> | <ul><li>- \[x] [SSO & MFA support](https://docs.netbird.io/how-to/installation#running-net-bird-with-sso-login)</ul></li> | <ul><li>- \[x] [Public API](https://docs.netbird.io/api)</ul></li> | <ul><li>- \[x] Linux</ul></li> |
-| <ul><li>- \[x] Peer-to-peer connections</ul></li> | <ul><li>- \[x] Auto peer discovery and configuration</ui></li> | <ul><li>- \[x] [Access control - groups & rules](https://docs.netbird.io/how-to/manage-network-access)</ui></li> | <ul><li>- \[x] [Setup keys for bulk network provisioning](https://docs.netbird.io/how-to/register-machines-using-setup-keys)</ui></li> | <ul><li>- \[x] Mac</ui></li> |
-| <ul><li>- \[x] Connection relay fallback</ui></li> | <ul><li>- \[x] [IdP integrations](https://docs.netbird.io/selfhosted/identity-providers)</ui></li> | <ul><li>- \[x] [Activity logging](https://docs.netbird.io/how-to/audit-events-logging)</ui></li> | <ul><li>- \[x] [Self-hosting quickstart script](https://docs.netbird.io/selfhosted/selfhosted-quickstart)</ui></li> | <ul><li>- \[x] Windows</ui></li> |
-| <ul><li>- \[x] [Routes to external networks](https://docs.netbird.io/how-to/routing-traffic-to-private-networks)</ui></li> | <ul><li>- \[x] [Private DNS](https://docs.netbird.io/how-to/manage-dns-in-your-network)</ui></li> | <ul><li>- \[x] [Device posture checks](https://docs.netbird.io/how-to/manage-posture-checks)</ui></li> | <ul><li>- \[x] IdP groups sync with JWT</ui></li> | <ul><li>- \[x] Android</ui></li> |
-| <ul><li>- \[x] NAT traversal with BPF</ui></li> | <ul><li>- \[x] [Multiuser support](https://docs.netbird.io/how-to/add-users-to-your-network)</ui></li> | <ul><li>- \[x] Peer-to-peer encryption</ui></li> || <ul><li>- \[x] iOS</ui></li> |
-||| <ul><li>- \[x] [Quantum-resistance with Rosenpass](https://netbird.io/knowledge-hub/the-first-quantum-resistant-mesh-vpn)</ui></li> || <ul><li>- \[x] OpenWRT</ui></li> |
-||| <ul><li>- \[x] [Periodic re-authentication](https://docs.netbird.io/how-to/enforce-periodic-user-authentication)</ui></li> || <ul><li>- \[x] [Serverless](https://docs.netbird.io/how-to/netbird-on-faas)</ui></li> |
-||||| <ul><li>- \[x] Docker</ui></li> |
+| Connectivity                                                                                                                 | Management                                                                                               | Security                                                                                                                              | Automation                                                                                                                               | Platforms                                                                               |
+|------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------|
+| <ul><li> - \[x] Kernel WireGuard </ul></li>                                                                                  | <ul><li> - \[x] [Admin Web UI](https://github.com/netbirdio/dashboard) </ul></li>                        | <ul><li> - \[x] [SSO & MFA support](https://docs.netbird.io/how-to/installation#running-net-bird-with-sso-login) </ul></li>           | <ul><li> - \[x] [Public API](https://docs.netbird.io/api) </ul></li>                                                                     | <ul><li> - \[x] Linux </ul></li>                                                        |
+| <ul><li> - \[x] Peer-to-peer connections </ul></li>                                                                          | <ul><li> - \[x] Auto peer discovery and configuration </ul></li>                                         | <ul><li> - \[x] [Access control - groups & rules](https://docs.netbird.io/how-to/manage-network-access) </ul></li>                    | <ul><li> - \[x] [Setup keys for bulk network provisioning](https://docs.netbird.io/how-to/register-machines-using-setup-keys) </ul></li> | <ul><li> - \[x] Mac </ul></li>                                                          |
+| <ul><li> - \[x] Connection relay fallback </ul></li>                                                                         | <ul><li> - \[x] [IdP integrations](https://docs.netbird.io/selfhosted/identity-providers) </ul></li>     | <ul><li> - \[x] [Activity logging](https://docs.netbird.io/how-to/monitor-system-and-network-activity) </ul></li>                     | <ul><li> - \[x] [Self-hosting quickstart script](https://docs.netbird.io/selfhosted/selfhosted-quickstart) </ul></li>                    | <ul><li> - \[x] Windows </ul></li>                                                      |
+| <ul><li> - \[x] [Routes to external networks](https://docs.netbird.io/how-to/routing-traffic-to-private-networks) </ul></li> | <ul><li> - \[x] [Private DNS](https://docs.netbird.io/how-to/manage-dns-in-your-network) </ul></li>      | <ul><li> - \[x] [Device posture checks](https://docs.netbird.io/how-to/manage-posture-checks) </ul></li>                              | <ul><li> - \[x] IdP groups sync with JWT </ul></li>                                                                                      | <ul><li> - \[x] Android </ul></li>                                                      |
+| <ul><li> - \[x] NAT traversal with BPF </ul></li>                                                                            | <ul><li> - \[x] [Multiuser support](https://docs.netbird.io/how-to/add-users-to-your-network) </ul></li> | <ul><li> -  \[x] Peer-to-peer encryption </ul></li>                                                                                   |                                                                                                                                          | <ul><li> - \[x] iOS </ul></li>                                                          |
+|                                                                                                                              |                                                                                                          | <ul><li> - \[x] [Quantum-resistance with Rosenpass](https://netbird.io/knowledge-hub/the-first-quantum-resistant-mesh-vpn) </ul></li> |                                                                                                                                          | <ul><li> - \[x] OpenWRT </ul></li>                                                      |
+|                                                                                                                              |                                                                                                          | <ui><li> - \[x] [Periodic re-authentication](https://docs.netbird.io/how-to/enforce-periodic-user-authentication)</ul></li>           |                                                                                                                                          | <ul><li> - \[x] [Serverless](https://docs.netbird.io/how-to/netbird-on-faas) </ul></li> |
+|                                                                                                                              |                                                                                                          |                                                                                                                                       |                                                                                                                                          | <ul><li> - \[x] Docker </ul></li>                                                       |
 
 ### Quickstart with NetBird Cloud
 

buf.gen.yaml

@@ -1,7 +0,0 @@
-# For details on buf.gen.yaml configuration, visit https://buf.build/docs/configuration/v2/buf-gen-yaml/
-version: v2
-plugins:
-  - remote: buf.build/protocolbuffers/go:v1.35.1
-    out: .
-  - remote: buf.build/grpc/go:v1.5.1
-    out: .

buf.yaml

@@ -1,10 +0,0 @@
-# For details on buf.yaml configuration, visit https://buf.build/docs/configuration/v2/buf-yaml
-version: v2
-modules:
-  - path: proto
-lint:
-  use:
-    - BASIC
-breaking:
-  use:
-    - FILE

client/Dockerfile

@@ -1,6 +1,5 @@
-FROM alpine:3.21.3
-# iproute2: busybox doesn't display ip rules properly
-RUN apk add --no-cache ca-certificates ip6tables iproute2 iptables
+FROM alpine:3.20
+RUN apk add --no-cache ca-certificates iptables ip6tables
 ENV NB_FOREGROUND_MODE=true
 ENTRYPOINT [ "/usr/local/bin/netbird","up"]
-COPY netbird /usr/local/bin/netbird
+COPY netbird /usr/local/bin/netbird

client/Dockerfile-rootless

@@ -1,17 +0,0 @@
-FROM alpine:3.21.0
-
-COPY netbird /usr/local/bin/netbird
-
-RUN apk add --no-cache ca-certificates \
-    && adduser -D -h /var/lib/netbird netbird
-WORKDIR /var/lib/netbird
-USER netbird:netbird
-
-ENV NB_FOREGROUND_MODE=true
-ENV NB_USE_NETSTACK_MODE=true
-ENV NB_ENABLE_NETSTACK_LOCAL_FORWARDING=true
-ENV NB_CONFIG=config.json
-ENV NB_DAEMON_ADDR=unix://netbird.sock
-ENV NB_DISABLE_DNS=true
-
-ENTRYPOINT [ "/usr/local/bin/netbird", "up" ]

client/android/login.go

@@ -162,7 +162,7 @@ func (a *Auth) login(urlOpener URLOpener) error {
 
 	// check if we need to generate JWT token
 	err := a.withBackOff(a.ctx, func() (err error) {
-		needsLogin, err = internal.IsLoginRequired(a.ctx, a.config)
+		needsLogin, err = internal.IsLoginRequired(a.ctx, a.config.PrivateKey, a.config.ManagementURL, a.config.SSHKey)
 		return
 	})
 	if err != nil {

client/anonymize/anonymize.go

@@ -12,8 +12,6 @@ import (
 	"strings"
 )
 
-const anonTLD = ".domain"
-
 type Anonymizer struct {
 	ipAnonymizer     map[netip.Addr]netip.Addr
 	domainAnonymizer map[string]string
@@ -21,12 +19,10 @@ type Anonymizer struct {
 	currentAnonIPv6  netip.Addr
 	startAnonIPv4    netip.Addr
 	startAnonIPv6    netip.Addr
-
-	domainKeyRegex *regexp.Regexp
 }
 
 func DefaultAddresses() (netip.Addr, netip.Addr) {
-	// 198.51.100.0, 100::
+	// 192.51.100.0, 100::
 	return netip.AddrFrom4([4]byte{198, 51, 100, 0}), netip.AddrFrom16([16]byte{0x01})
 }
 
@@ -38,8 +34,6 @@ func NewAnonymizer(startIPv4, startIPv6 netip.Addr) *Anonymizer {
 		currentAnonIPv6:  startIPv6,
 		startAnonIPv4:    startIPv4,
 		startAnonIPv6:    startIPv6,
-
-		domainKeyRegex: regexp.MustCompile(`\bdomain=([^\s,:"]+)`),
 	}
 }
 
@@ -89,39 +83,29 @@ func (a *Anonymizer) AnonymizeIPString(ip string) string {
 }
 
 func (a *Anonymizer) AnonymizeDomain(domain string) string {
-	baseDomain := domain
-	hasDot := strings.HasSuffix(domain, ".")
-	if hasDot {
-		baseDomain = domain[:len(domain)-1]
-	}
-
-	if strings.HasSuffix(baseDomain, "netbird.io") ||
-		strings.HasSuffix(baseDomain, "netbird.selfhosted") ||
-		strings.HasSuffix(baseDomain, "netbird.cloud") ||
-		strings.HasSuffix(baseDomain, "netbird.stage") ||
-		strings.HasSuffix(baseDomain, anonTLD) {
+	if strings.HasSuffix(domain, "netbird.io") ||
+		strings.HasSuffix(domain, "netbird.selfhosted") ||
+		strings.HasSuffix(domain, "netbird.cloud") ||
+		strings.HasSuffix(domain, "netbird.stage") ||
+		strings.HasSuffix(domain, ".domain") {
 		return domain
 	}
 
-	parts := strings.Split(baseDomain, ".")
+	parts := strings.Split(domain, ".")
 	if len(parts) < 2 {
 		return domain
 	}
 
-	baseForLookup := parts[len(parts)-2] + "." + parts[len(parts)-1]
+	baseDomain := parts[len(parts)-2] + "." + parts[len(parts)-1]
 
-	anonymized, ok := a.domainAnonymizer[baseForLookup]
+	anonymized, ok := a.domainAnonymizer[baseDomain]
 	if !ok {
-		anonymizedBase := "anon-" + generateRandomString(5) + anonTLD
-		a.domainAnonymizer[baseForLookup] = anonymizedBase
+		anonymizedBase := "anon-" + generateRandomString(5) + ".domain"
+		a.domainAnonymizer[baseDomain] = anonymizedBase
 		anonymized = anonymizedBase
 	}
 
-	result := strings.Replace(baseDomain, baseForLookup, anonymized, 1)
-	if hasDot {
-		result += "."
-	}
-	return result
+	return strings.Replace(domain, baseDomain, anonymized, 1)
 }
 
 func (a *Anonymizer) AnonymizeURI(uri string) string {
@@ -168,22 +152,27 @@ func (a *Anonymizer) AnonymizeString(str string) string {
 	return str
 }
 
-// AnonymizeSchemeURI finds and anonymizes URIs with ws, wss, rel, rels, stun, stuns, turn, and turns schemes.
+// AnonymizeSchemeURI finds and anonymizes URIs with stun, stuns, turn, and turns schemes.
 func (a *Anonymizer) AnonymizeSchemeURI(text string) string {
-	re := regexp.MustCompile(`(?i)\b(wss?://|rels?://|stuns?:|turns?:|https?://)\S+\b`)
+	re := regexp.MustCompile(`(?i)\b(stuns?:|turns?:|https?://)\S+\b`)
 
 	return re.ReplaceAllStringFunc(text, a.AnonymizeURI)
 }
 
+// AnonymizeDNSLogLine anonymizes domain names in DNS log entries by replacing them with a random string.
 func (a *Anonymizer) AnonymizeDNSLogLine(logEntry string) string {
-	return a.domainKeyRegex.ReplaceAllStringFunc(logEntry, func(match string) string {
-		parts := strings.SplitN(match, "=", 2)
+	domainPattern := `dns\.Question{Name:"([^"]+)",`
+	domainRegex := regexp.MustCompile(domainPattern)
+
+	return domainRegex.ReplaceAllStringFunc(logEntry, func(match string) string {
+		parts := strings.Split(match, `"`)
 		if len(parts) >= 2 {
 			domain := parts[1]
-			if strings.HasSuffix(domain, anonTLD) {
+			if strings.HasSuffix(domain, ".domain") {
 				return match
 			}
-			return "domain=" + a.AnonymizeDomain(domain)
+			randomDomain := generateRandomString(10) + ".domain"
+			return strings.Replace(match, domain, randomDomain, 1)
 		}
 		return match
 	})
@@ -212,8 +201,6 @@ func isWellKnown(addr netip.Addr) bool {
 		"2606:4700:4700::1111", "2606:4700:4700::1001", // Cloudflare DNS IPv6
 		"9.9.9.9", "149.112.112.112", // Quad9 DNS IPv4
 		"2620:fe::fe", "2620:fe::9", // Quad9 DNS IPv6
-
-		"128.0.0.0", "8000::", // 2nd split subnet for default routes
 	}
 
 	if slices.Contains(wellKnown, addr.String()) {

client/anonymize/anonymize_test.go

@@ -46,59 +46,11 @@ func TestAnonymizeIP(t *testing.T) {
 
 func TestAnonymizeDNSLogLine(t *testing.T) {
 	anonymizer := anonymize.NewAnonymizer(netip.Addr{}, netip.Addr{})
-	tests := []struct {
-		name     string
-		input    string
-		original string
-		expect   string
-	}{
-		{
-			name:     "Basic domain with trailing content",
-			input:    "received DNS request for DNS forwarder: domain=example.com: something happened with code=123",
-			original: "example.com",
-			expect:   `received DNS request for DNS forwarder: domain=anon-[a-zA-Z0-9]+\.domain: something happened with code=123`,
-		},
-		{
-			name:     "Domain with trailing dot",
-			input:    "domain=example.com. processing request with status=pending",
-			original: "example.com",
-			expect:   `domain=anon-[a-zA-Z0-9]+\.domain\. processing request with status=pending`,
-		},
-		{
-			name:     "Multiple domains in log",
-			input:    "forward domain=first.com status=ok, redirect to domain=second.com port=443",
-			original: "first.com", // testing just one is sufficient as AnonymizeDomain is tested separately
-			expect:   `forward domain=anon-[a-zA-Z0-9]+\.domain status=ok, redirect to domain=anon-[a-zA-Z0-9]+\.domain port=443`,
-		},
-		{
-			name:     "Already anonymized domain",
-			input:    "got request domain=anon-xyz123.domain from=client1 to=server2",
-			original: "", // nothing should be anonymized
-			expect:   `got request domain=anon-xyz123\.domain from=client1 to=server2`,
-		},
-		{
-			name:     "Subdomain with trailing dot",
-			input:    "domain=sub.example.com. next_hop=10.0.0.1 proto=udp",
-			original: "example.com",
-			expect:   `domain=sub\.anon-[a-zA-Z0-9]+\.domain\. next_hop=10\.0\.0\.1 proto=udp`,
-		},
-		{
-			name:     "Handler chain pattern log",
-			input:    "pattern: domain=example.com. original: domain=*.example.com. wildcard=true priority=100",
-			original: "example.com",
-			expect:   `pattern: domain=anon-[a-zA-Z0-9]+\.domain\. original: domain=\*\.anon-[a-zA-Z0-9]+\.domain\. wildcard=true priority=100`,
-		},
-	}
+	testLog := `2024-04-23T20:01:11+02:00 TRAC client/internal/dns/local.go:25: received question: dns.Question{Name:"example.com", Qtype:0x1c, Qclass:0x1}`
 
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			result := anonymizer.AnonymizeDNSLogLine(tc.input)
-			if tc.original != "" {
-				assert.NotContains(t, result, tc.original)
-			}
-			assert.Regexp(t, tc.expect, result)
-		})
-	}
+	result := anonymizer.AnonymizeDNSLogLine(testLog)
+	require.NotEqual(t, testLog, result)
+	assert.NotContains(t, result, "example.com")
 }
 
 func TestAnonymizeDomain(t *testing.T) {
@@ -115,36 +67,18 @@ func TestAnonymizeDomain(t *testing.T) {
 			`^anon-[a-zA-Z0-9]+\.domain$`,
 			true,
 		},
-		{
-			"Domain with Trailing Dot",
-			"example.com.",
-			`^anon-[a-zA-Z0-9]+\.domain.$`,
-			true,
-		},
 		{
 			"Subdomain",
 			"sub.example.com",
 			`^sub\.anon-[a-zA-Z0-9]+\.domain$`,
 			true,
 		},
-		{
-			"Subdomain with Trailing Dot",
-			"sub.example.com.",
-			`^sub\.anon-[a-zA-Z0-9]+\.domain.$`,
-			true,
-		},
 		{
 			"Protected Domain",
 			"netbird.io",
 			`^netbird\.io$`,
 			false,
 		},
-		{
-			"Protected Domain with Trailing Dot",
-			"netbird.io.",
-			`^netbird\.io.$`,
-			false,
-		},
 	}
 
 	for _, tc := range tests {
@@ -206,16 +140,8 @@ func TestAnonymizeSchemeURI(t *testing.T) {
 		expect string
 	}{
 		{"STUN URI in text", "Connection made via stun:example.com", `Connection made via stun:anon-[a-zA-Z0-9]+\.domain`},
-		{"STUNS URI in message", "Secure connection to stuns:example.com:443", `Secure connection to stuns:anon-[a-zA-Z0-9]+\.domain:443`},
 		{"TURN URI in log", "Failed attempt turn:some.example.com:3478?transport=tcp: retrying", `Failed attempt turn:some.anon-[a-zA-Z0-9]+\.domain:3478\?transport=tcp: retrying`},
-		{"TURNS URI in message", "Secure connection to turns:example.com:5349", `Secure connection to turns:anon-[a-zA-Z0-9]+\.domain:5349`},
-		{"HTTP URI in text", "Visit http://example.com for more", `Visit http://anon-[a-zA-Z0-9]+\.domain for more`},
-		{"HTTPS URI in CAPS", "Visit HTTPS://example.com for more", `Visit https://anon-[a-zA-Z0-9]+\.domain for more`},
 		{"HTTPS URI in message", "Visit https://example.com for more", `Visit https://anon-[a-zA-Z0-9]+\.domain for more`},
-		{"WS URI in log", "Connection established to ws://example.com:8080", `Connection established to ws://anon-[a-zA-Z0-9]+\.domain:8080`},
-		{"WSS URI in message", "Secure connection to wss://example.com", `Secure connection to wss://anon-[a-zA-Z0-9]+\.domain`},
-		{"Rel URI in text", "Relaying to rel://example.com", `Relaying to rel://anon-[a-zA-Z0-9]+\.domain`},
-		{"Rels URI in message", "Relaying to rels://example.com", `Relaying to rels://anon-[a-zA-Z0-9]+\.domain`},
 	}
 
 	for _, tc := range tests {

client/cmd/debug.go

@@ -3,7 +3,6 @@ package cmd
 import (
 	"context"
 	"fmt"
-	"strings"
 	"time"
 
 	log "github.com/sirupsen/logrus"
@@ -11,12 +10,8 @@ import (
 	"google.golang.org/grpc/status"
 
 	"github.com/netbirdio/netbird/client/internal"
-	"github.com/netbirdio/netbird/client/internal/debug"
-	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/client/server"
-	nbstatus "github.com/netbirdio/netbird/client/status"
-	mgmProto "github.com/netbirdio/netbird/management/proto"
 )
 
 const errCloseConnection = "Failed to close connection: %v"
@@ -66,15 +61,6 @@ var forCmd = &cobra.Command{
 	RunE:    runForDuration,
 }
 
-var persistenceCmd = &cobra.Command{
-	Use:     "persistence [on|off]",
-	Short:   "Set network map memory persistence",
-	Long:    `Configure whether the latest network map should persist in memory. When enabled, the last known network map will be kept in memory.`,
-	Example: "  netbird debug persistence on",
-	Args:    cobra.ExactArgs(1),
-	RunE:    setNetworkMapPersistence,
-}
-
 func debugBundle(cmd *cobra.Command, _ []string) error {
 	conn, err := getClient(cmd)
 	if err != nil {
@@ -87,27 +73,16 @@ func debugBundle(cmd *cobra.Command, _ []string) error {
 	}()
 
 	client := proto.NewDaemonServiceClient(conn)
-	request := &proto.DebugBundleRequest{
+	resp, err := client.DebugBundle(cmd.Context(), &proto.DebugBundleRequest{
 		Anonymize:  anonymizeFlag,
-		Status:     getStatusOutput(cmd, anonymizeFlag),
+		Status:     getStatusOutput(cmd),
 		SystemInfo: debugSystemInfoFlag,
-	}
-	if debugUploadBundle {
-		request.UploadURL = debugUploadBundleURL
-	}
-	resp, err := client.DebugBundle(cmd.Context(), request)
+	})
 	if err != nil {
 		return fmt.Errorf("failed to bundle debug: %v", status.Convert(err).Message())
 	}
-	cmd.Printf("Local file:\n%s\n", resp.GetPath())
 
-	if resp.GetUploadFailureReason() != "" {
-		return fmt.Errorf("upload failed: %s", resp.GetUploadFailureReason())
-	}
-
-	if debugUploadBundle {
-		cmd.Printf("Upload file key:\n%s\n", resp.GetUploadedKey())
-	}
+	cmd.Println(resp.GetPath())
 
 	return nil
 }
@@ -196,13 +171,6 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 
 	time.Sleep(1 * time.Second)
 
-	// Enable network map persistence before bringing the service up
-	if _, err := client.SetNetworkMapPersistence(cmd.Context(), &proto.SetNetworkMapPersistenceRequest{
-		Enabled: true,
-	}); err != nil {
-		return fmt.Errorf("failed to enable network map persistence: %v", status.Convert(err).Message())
-	}
-
 	if _, err := client.Up(cmd.Context(), &proto.UpRequest{}); err != nil {
 		return fmt.Errorf("failed to up: %v", status.Convert(err).Message())
 	}
@@ -211,7 +179,7 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 	time.Sleep(3 * time.Second)
 
 	headerPostUp := fmt.Sprintf("----- Netbird post-up - Timestamp: %s", time.Now().Format(time.RFC3339))
-	statusOutput := fmt.Sprintf("%s\n%s", headerPostUp, getStatusOutput(cmd, anonymizeFlag))
+	statusOutput := fmt.Sprintf("%s\n%s", headerPostUp, getStatusOutput(cmd))
 
 	if waitErr := waitForDurationOrCancel(cmd.Context(), duration, cmd); waitErr != nil {
 		return waitErr
@@ -221,16 +189,13 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 	cmd.Println("Creating debug bundle...")
 
 	headerPreDown := fmt.Sprintf("----- Netbird pre-down - Timestamp: %s - Duration: %s", time.Now().Format(time.RFC3339), duration)
-	statusOutput = fmt.Sprintf("%s\n%s\n%s", statusOutput, headerPreDown, getStatusOutput(cmd, anonymizeFlag))
-	request := &proto.DebugBundleRequest{
+	statusOutput = fmt.Sprintf("%s\n%s\n%s", statusOutput, headerPreDown, getStatusOutput(cmd))
+
+	resp, err := client.DebugBundle(cmd.Context(), &proto.DebugBundleRequest{
 		Anonymize:  anonymizeFlag,
 		Status:     statusOutput,
 		SystemInfo: debugSystemInfoFlag,
-	}
-	if debugUploadBundle {
-		request.UploadURL = debugUploadBundleURL
-	}
-	resp, err := client.DebugBundle(cmd.Context(), request)
+	})
 	if err != nil {
 		return fmt.Errorf("failed to bundle debug: %v", status.Convert(err).Message())
 	}
@@ -249,56 +214,18 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 		cmd.Println("Log level restored to", initialLogLevel.GetLevel())
 	}
 
-	cmd.Printf("Local file:\n%s\n", resp.GetPath())
-
-	if resp.GetUploadFailureReason() != "" {
-		return fmt.Errorf("upload failed: %s", resp.GetUploadFailureReason())
-	}
-
-	if debugUploadBundle {
-		cmd.Printf("Upload file key:\n%s\n", resp.GetUploadedKey())
-	}
+	cmd.Println(resp.GetPath())
 
 	return nil
 }
 
-func setNetworkMapPersistence(cmd *cobra.Command, args []string) error {
-	conn, err := getClient(cmd)
-	if err != nil {
-		return err
-	}
-	defer func() {
-		if err := conn.Close(); err != nil {
-			log.Errorf(errCloseConnection, err)
-		}
-	}()
-
-	persistence := strings.ToLower(args[0])
-	if persistence != "on" && persistence != "off" {
-		return fmt.Errorf("invalid persistence value: %s. Use 'on' or 'off'", args[0])
-	}
-
-	client := proto.NewDaemonServiceClient(conn)
-	_, err = client.SetNetworkMapPersistence(cmd.Context(), &proto.SetNetworkMapPersistenceRequest{
-		Enabled: persistence == "on",
-	})
-	if err != nil {
-		return fmt.Errorf("failed to set network map persistence: %v", status.Convert(err).Message())
-	}
-
-	cmd.Printf("Network map persistence set to: %s\n", persistence)
-	return nil
-}
-
-func getStatusOutput(cmd *cobra.Command, anon bool) string {
+func getStatusOutput(cmd *cobra.Command) string {
 	var statusOutputString string
 	statusResp, err := getStatus(cmd.Context())
 	if err != nil {
 		cmd.PrintErrf("Failed to get status: %v\n", err)
 	} else {
-		statusOutputString = nbstatus.ParseToFullDetailSummary(
-			nbstatus.ConvertToStatusOutputOverview(statusResp, anon, "", nil, nil, nil),
-		)
+		statusOutputString = parseToFullDetailSummary(convertToStatusOutputOverview(statusResp))
 	}
 	return statusOutputString
 }
@@ -344,34 +271,3 @@ func formatDuration(d time.Duration) string {
 	s := d / time.Second
 	return fmt.Sprintf("%02d:%02d:%02d", h, m, s)
 }
-
-func generateDebugBundle(config *internal.Config, recorder *peer.Status, connectClient *internal.ConnectClient, logFilePath string) {
-	var networkMap *mgmProto.NetworkMap
-	var err error
-
-	if connectClient != nil {
-		networkMap, err = connectClient.GetLatestNetworkMap()
-		if err != nil {
-			log.Warnf("Failed to get latest network map: %v", err)
-		}
-	}
-
-	bundleGenerator := debug.NewBundleGenerator(
-		debug.GeneratorDependencies{
-			InternalConfig: config,
-			StatusRecorder: recorder,
-			NetworkMap:     networkMap,
-			LogFile:        logFilePath,
-		},
-		debug.BundleConfig{
-			IncludeSystemInfo: true,
-		},
-	)
-
-	path, err := bundleGenerator.Generate()
-	if err != nil {
-		log.Errorf("Failed to generate debug bundle: %v", err)
-		return
-	}
-	log.Infof("Generated debug bundle from SIGUSR1 at: %s", path)
-}

client/cmd/debug_unix.go

@@ -1,39 +0,0 @@
-//go:build unix
-
-package cmd
-
-import (
-	"context"
-	"os"
-	"os/signal"
-	"syscall"
-
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/internal"
-	"github.com/netbirdio/netbird/client/internal/peer"
-)
-
-func SetupDebugHandler(
-	ctx context.Context,
-	config *internal.Config,
-	recorder *peer.Status,
-	connectClient *internal.ConnectClient,
-	logFilePath string,
-) {
-	usr1Ch := make(chan os.Signal, 1)
-
-	signal.Notify(usr1Ch, syscall.SIGUSR1)
-
-	go func() {
-		for {
-			select {
-			case <-ctx.Done():
-				return
-			case <-usr1Ch:
-				log.Info("Received SIGUSR1. Triggering debug bundle generation.")
-				go generateDebugBundle(config, recorder, connectClient, logFilePath)
-			}
-		}
-	}()
-}

client/cmd/debug_windows.go

@@ -1,126 +0,0 @@
-package cmd
-
-import (
-	"context"
-	"errors"
-	"os"
-	"strconv"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-	"golang.org/x/sys/windows"
-
-	"github.com/netbirdio/netbird/client/internal"
-	"github.com/netbirdio/netbird/client/internal/peer"
-)
-
-const (
-	envListenEvent        = "NB_LISTEN_DEBUG_EVENT"
-	debugTriggerEventName = `Global\NetbirdDebugTriggerEvent`
-
-	waitTimeout = 5 * time.Second
-)
-
-// SetupDebugHandler sets up a Windows event to listen for a signal to generate a debug bundle.
-// Example usage with PowerShell:
-// $evt = [System.Threading.EventWaitHandle]::OpenExisting("Global\NetbirdDebugTriggerEvent")
-// $evt.Set()
-// $evt.Close()
-func SetupDebugHandler(
-	ctx context.Context,
-	config *internal.Config,
-	recorder *peer.Status,
-	connectClient *internal.ConnectClient,
-	logFilePath string,
-) {
-	env := os.Getenv(envListenEvent)
-	if env == "" {
-		return
-	}
-
-	listenEvent, err := strconv.ParseBool(env)
-	if err != nil {
-		log.Errorf("Failed to parse %s: %v", envListenEvent, err)
-		return
-	}
-	if !listenEvent {
-		return
-	}
-
-	eventNamePtr, err := windows.UTF16PtrFromString(debugTriggerEventName)
-	if err != nil {
-		log.Errorf("Failed to convert event name '%s' to UTF16: %v", debugTriggerEventName, err)
-		return
-	}
-
-	// TODO: restrict access by ACL
-	eventHandle, err := windows.CreateEvent(nil, 1, 0, eventNamePtr)
-	if err != nil {
-		if errors.Is(err, windows.ERROR_ALREADY_EXISTS) {
-			log.Warnf("Debug trigger event '%s' already exists. Attempting to open.", debugTriggerEventName)
-			// SYNCHRONIZE is needed for WaitForSingleObject, EVENT_MODIFY_STATE for ResetEvent.
-			eventHandle, err = windows.OpenEvent(windows.SYNCHRONIZE|windows.EVENT_MODIFY_STATE, false, eventNamePtr)
-			if err != nil {
-				log.Errorf("Failed to open existing debug trigger event '%s': %v", debugTriggerEventName, err)
-				return
-			}
-			log.Infof("Successfully opened existing debug trigger event '%s'.", debugTriggerEventName)
-		} else {
-			log.Errorf("Failed to create debug trigger event '%s': %v", debugTriggerEventName, err)
-			return
-		}
-	}
-
-	if eventHandle == windows.InvalidHandle {
-		log.Errorf("Obtained an invalid handle for debug trigger event '%s'", debugTriggerEventName)
-		return
-	}
-
-	log.Infof("Debug handler waiting for signal on event: %s", debugTriggerEventName)
-
-	go waitForEvent(ctx, config, recorder, connectClient, logFilePath, eventHandle)
-}
-
-func waitForEvent(
-	ctx context.Context,
-	config *internal.Config,
-	recorder *peer.Status,
-	connectClient *internal.ConnectClient,
-	logFilePath string,
-	eventHandle windows.Handle,
-) {
-	defer func() {
-		if err := windows.CloseHandle(eventHandle); err != nil {
-			log.Errorf("Failed to close debug event handle '%s': %v", debugTriggerEventName, err)
-		}
-	}()
-
-	for {
-		if ctx.Err() != nil {
-			return
-		}
-
-		status, err := windows.WaitForSingleObject(eventHandle, uint32(waitTimeout.Milliseconds()))
-
-		switch status {
-		case windows.WAIT_OBJECT_0:
-			log.Info("Received signal on debug event. Triggering debug bundle generation.")
-
-			// reset the event so it can be triggered again later (manual reset == 1)
-			if err := windows.ResetEvent(eventHandle); err != nil {
-				log.Errorf("Failed to reset debug event '%s': %v", debugTriggerEventName, err)
-			}
-
-			go generateDebugBundle(config, recorder, connectClient, logFilePath)
-		case uint32(windows.WAIT_TIMEOUT):
-
-		default:
-			log.Errorf("Unexpected status %d from WaitForSingleObject for debug event '%s': %v", status, debugTriggerEventName, err)
-			select {
-			case <-time.After(5 * time.Second):
-			case <-ctx.Done():
-				return
-			}
-		}
-	}
-}

client/cmd/forwarding_rules.go

@@ -1,98 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-	"sort"
-
-	"github.com/spf13/cobra"
-	"google.golang.org/grpc/status"
-
-	"github.com/netbirdio/netbird/client/proto"
-)
-
-var forwardingRulesCmd = &cobra.Command{
-	Use:   "forwarding",
-	Short: "List forwarding rules",
-	Long:  `Commands to list forwarding rules.`,
-}
-
-var forwardingRulesListCmd = &cobra.Command{
-	Use:     "list",
-	Aliases: []string{"ls"},
-	Short:   "List forwarding rules",
-	Example: "  netbird forwarding list",
-	Long:    "Commands to list forwarding rules.",
-	RunE:    listForwardingRules,
-}
-
-func listForwardingRules(cmd *cobra.Command, _ []string) error {
-	conn, err := getClient(cmd)
-	if err != nil {
-		return err
-	}
-	defer conn.Close()
-
-	client := proto.NewDaemonServiceClient(conn)
-	resp, err := client.ForwardingRules(cmd.Context(), &proto.EmptyRequest{})
-	if err != nil {
-		return fmt.Errorf("failed to list network: %v", status.Convert(err).Message())
-	}
-
-	if len(resp.GetRules()) == 0 {
-		cmd.Println("No forwarding rules available.")
-		return nil
-	}
-
-	printForwardingRules(cmd, resp.GetRules())
-	return nil
-}
-
-func printForwardingRules(cmd *cobra.Command, rules []*proto.ForwardingRule) {
-	cmd.Println("Available forwarding rules:")
-
-	// Sort rules by translated address
-	sort.Slice(rules, func(i, j int) bool {
-		if rules[i].GetTranslatedAddress() != rules[j].GetTranslatedAddress() {
-			return rules[i].GetTranslatedAddress() < rules[j].GetTranslatedAddress()
-		}
-		if rules[i].GetProtocol() != rules[j].GetProtocol() {
-			return rules[i].GetProtocol() < rules[j].GetProtocol()
-		}
-
-		return getFirstPort(rules[i].GetDestinationPort()) < getFirstPort(rules[j].GetDestinationPort())
-	})
-
-	var lastIP string
-	for _, rule := range rules {
-		dPort := portToString(rule.GetDestinationPort())
-		tPort := portToString(rule.GetTranslatedPort())
-		if lastIP != rule.GetTranslatedAddress() {
-			lastIP = rule.GetTranslatedAddress()
-			cmd.Printf("\nTranslated peer: %s\n", rule.GetTranslatedHostname())
-		}
-
-		cmd.Printf("  Local %s/%s to %s:%s\n", rule.GetProtocol(), dPort, rule.GetTranslatedAddress(), tPort)
-	}
-}
-
-func getFirstPort(portInfo *proto.PortInfo) int {
-	switch v := portInfo.PortSelection.(type) {
-	case *proto.PortInfo_Port:
-		return int(v.Port)
-	case *proto.PortInfo_Range_:
-		return int(v.Range.GetStart())
-	default:
-		return 0
-	}
-}
-
-func portToString(translatedPort *proto.PortInfo) string {
-	switch v := translatedPort.PortSelection.(type) {
-	case *proto.PortInfo_Port:
-		return fmt.Sprintf("%d", v.Port)
-	case *proto.PortInfo_Range_:
-		return fmt.Sprintf("%d-%d", v.Range.GetStart(), v.Range.GetEnd())
-	default:
-		return "No port specified"
-	}
-}

client/cmd/login.go

@@ -19,10 +19,6 @@ import (
 	"github.com/netbirdio/netbird/util"
 )
 
-func init() {
-	loginCmd.PersistentFlags().BoolVar(&noBrowser, noBrowserFlag, false, noBrowserDesc)
-}
-
 var loginCmd = &cobra.Command{
 	Use:   "login",
 	Short: "login to the Netbird Management Service (first run)",
@@ -55,9 +51,6 @@ var loginCmd = &cobra.Command{
 				return err
 			}
 
-			// update host's static platform and system information
-			system.UpdateStaticInfo()
-
 			ic := internal.ConfigInput{
 				ManagementURL: managementURL,
 				AdminURL:      adminURL,
@@ -92,17 +85,11 @@ var loginCmd = &cobra.Command{
 
 		client := proto.NewDaemonServiceClient(conn)
 
-		var dnsLabelsReq []string
-		if dnsLabelsValidated != nil {
-			dnsLabelsReq = dnsLabelsValidated.ToSafeStringList()
-		}
-
 		loginRequest := proto.LoginRequest{
 			SetupKey:             providedSetupKey,
 			ManagementUrl:        managementURL,
 			IsLinuxDesktopClient: isLinuxRunningDesktop(),
 			Hostname:             hostName,
-			DnsLabels:            dnsLabelsReq,
 		}
 
 		if rootCmd.PersistentFlags().Changed(preSharedKeyFlag) {
@@ -134,7 +121,7 @@ var loginCmd = &cobra.Command{
 		}
 
 		if loginResp.NeedsSSOLogin {
-			openURL(cmd, loginResp.VerificationURIComplete, loginResp.UserCode, noBrowser)
+			openURL(cmd, loginResp.VerificationURIComplete, loginResp.UserCode)
 
 			_, err = client.WaitSSOLogin(ctx, &proto.WaitSSOLoginRequest{UserCode: loginResp.UserCode, Hostname: hostName})
 			if err != nil {
@@ -205,7 +192,7 @@ func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *int
 		return nil, fmt.Errorf("getting a request OAuth flow info failed: %v", err)
 	}
 
-	openURL(cmd, flowInfo.VerificationURIComplete, flowInfo.UserCode, noBrowser)
+	openURL(cmd, flowInfo.VerificationURIComplete, flowInfo.UserCode)
 
 	waitTimeout := time.Duration(flowInfo.ExpiresIn) * time.Second
 	waitCTX, c := context.WithTimeout(context.TODO(), waitTimeout)
@@ -219,27 +206,19 @@ func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *int
 	return &tokenInfo, nil
 }
 
-func openURL(cmd *cobra.Command, verificationURIComplete, userCode string, noBrowser bool) {
+func openURL(cmd *cobra.Command, verificationURIComplete, userCode string) {
 	var codeMsg string
 	if userCode != "" && !strings.Contains(verificationURIComplete, userCode) {
 		codeMsg = fmt.Sprintf("and enter the code %s to authenticate.", userCode)
 	}
 
-	if noBrowser {
-		cmd.Println("Use this URL to log in:\n\n" + verificationURIComplete + " " + codeMsg)
-	} else {
-		cmd.Println("Please do the SSO login in your browser. \n" +
-			"If your browser didn't open automatically, use this URL to log in:\n\n" +
-			verificationURIComplete + " " + codeMsg)
-	}
-
+	cmd.Println("Please do the SSO login in your browser. \n" +
+		"If your browser didn't open automatically, use this URL to log in:\n\n" +
+		verificationURIComplete + " " + codeMsg)
 	cmd.Println("")
-
-	if !noBrowser {
-		if err := open.Run(verificationURIComplete); err != nil {
-			cmd.Println("\nAlternatively, you may want to use a setup key, see:\n\n" +
-				"https://docs.netbird.io/how-to/register-machines-using-setup-keys")
-		}
+	if err := open.Run(verificationURIComplete); err != nil {
+		cmd.Println("\nAlternatively, you may want to use a setup key, see:\n\n" +
+			"https://docs.netbird.io/how-to/register-machines-using-setup-keys")
 	}
 }
 

client/cmd/networks.go

@@ -1,173 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/spf13/cobra"
-	"google.golang.org/grpc/status"
-
-	"github.com/netbirdio/netbird/client/proto"
-)
-
-var appendFlag bool
-
-var networksCMD = &cobra.Command{
-	Use:     "networks",
-	Aliases: []string{"routes"},
-	Short:   "Manage networks",
-	Long:    `Commands to list, select, or deselect networks. Replaces the "routes" command.`,
-}
-
-var routesListCmd = &cobra.Command{
-	Use:     "list",
-	Aliases: []string{"ls"},
-	Short:   "List networks",
-	Example: "  netbird networks list",
-	Long:    "List all available network routes.",
-	RunE:    networksList,
-}
-
-var routesSelectCmd = &cobra.Command{
-	Use:     "select network...|all",
-	Short:   "Select network",
-	Long:    "Select a list of networks by identifiers or 'all' to clear all selections and to accept all (including new) networks.\nDefault mode is replace, use -a to append to already selected networks.",
-	Example: "  netbird networks select all\n  netbird networks select route1 route2\n  netbird routes select -a route3",
-	Args:    cobra.MinimumNArgs(1),
-	RunE:    networksSelect,
-}
-
-var routesDeselectCmd = &cobra.Command{
-	Use:     "deselect network...|all",
-	Short:   "Deselect networks",
-	Long:    "Deselect previously selected networks by identifiers or 'all' to disable accepting any networks.",
-	Example: "  netbird networks deselect all\n  netbird networks deselect route1 route2",
-	Args:    cobra.MinimumNArgs(1),
-	RunE:    networksDeselect,
-}
-
-func init() {
-	routesSelectCmd.PersistentFlags().BoolVarP(&appendFlag, "append", "a", false, "Append to current network selection instead of replacing")
-}
-
-func networksList(cmd *cobra.Command, _ []string) error {
-	conn, err := getClient(cmd)
-	if err != nil {
-		return err
-	}
-	defer conn.Close()
-
-	client := proto.NewDaemonServiceClient(conn)
-	resp, err := client.ListNetworks(cmd.Context(), &proto.ListNetworksRequest{})
-	if err != nil {
-		return fmt.Errorf("failed to list network: %v", status.Convert(err).Message())
-	}
-
-	if len(resp.Routes) == 0 {
-		cmd.Println("No networks available.")
-		return nil
-	}
-
-	printNetworks(cmd, resp)
-
-	return nil
-}
-
-func printNetworks(cmd *cobra.Command, resp *proto.ListNetworksResponse) {
-	cmd.Println("Available Networks:")
-	for _, route := range resp.Routes {
-		printNetwork(cmd, route)
-	}
-}
-
-func printNetwork(cmd *cobra.Command, route *proto.Network) {
-	selectedStatus := getSelectedStatus(route)
-	domains := route.GetDomains()
-
-	if len(domains) > 0 {
-		printDomainRoute(cmd, route, domains, selectedStatus)
-	} else {
-		printNetworkRoute(cmd, route, selectedStatus)
-	}
-}
-
-func getSelectedStatus(route *proto.Network) string {
-	if route.GetSelected() {
-		return "Selected"
-	}
-	return "Not Selected"
-}
-
-func printDomainRoute(cmd *cobra.Command, route *proto.Network, domains []string, selectedStatus string) {
-	cmd.Printf("\n  - ID: %s\n    Domains: %s\n    Status: %s\n", route.GetID(), strings.Join(domains, ", "), selectedStatus)
-	resolvedIPs := route.GetResolvedIPs()
-
-	if len(resolvedIPs) > 0 {
-		printResolvedIPs(cmd, domains, resolvedIPs)
-	} else {
-		cmd.Printf("    Resolved IPs: -\n")
-	}
-}
-
-func printNetworkRoute(cmd *cobra.Command, route *proto.Network, selectedStatus string) {
-	cmd.Printf("\n  - ID: %s\n    Network: %s\n    Status: %s\n", route.GetID(), route.GetRange(), selectedStatus)
-}
-
-func printResolvedIPs(cmd *cobra.Command, _ []string, resolvedIPs map[string]*proto.IPList) {
-	cmd.Printf("    Resolved IPs:\n")
-	for resolvedDomain, ipList := range resolvedIPs {
-		cmd.Printf("      [%s]: %s\n", resolvedDomain, strings.Join(ipList.GetIps(), ", "))
-	}
-}
-
-func networksSelect(cmd *cobra.Command, args []string) error {
-	conn, err := getClient(cmd)
-	if err != nil {
-		return err
-	}
-	defer conn.Close()
-
-	client := proto.NewDaemonServiceClient(conn)
-	req := &proto.SelectNetworksRequest{
-		NetworkIDs: args,
-	}
-
-	if len(args) == 1 && args[0] == "all" {
-		req.All = true
-	} else if appendFlag {
-		req.Append = true
-	}
-
-	if _, err := client.SelectNetworks(cmd.Context(), req); err != nil {
-		return fmt.Errorf("failed to select networks: %v", status.Convert(err).Message())
-	}
-
-	cmd.Println("Networks selected successfully.")
-
-	return nil
-}
-
-func networksDeselect(cmd *cobra.Command, args []string) error {
-	conn, err := getClient(cmd)
-	if err != nil {
-		return err
-	}
-	defer conn.Close()
-
-	client := proto.NewDaemonServiceClient(conn)
-	req := &proto.SelectNetworksRequest{
-		NetworkIDs: args,
-	}
-
-	if len(args) == 1 && args[0] == "all" {
-		req.All = true
-	}
-
-	if _, err := client.DeselectNetworks(cmd.Context(), req); err != nil {
-		return fmt.Errorf("failed to deselect networks: %v", status.Convert(err).Message())
-	}
-
-	cmd.Println("Networks deselected successfully.")
-
-	return nil
-}

client/cmd/pprof.go

@@ -1,33 +0,0 @@
-//go:build pprof
-// +build pprof
-
-package cmd
-
-import (
-	"net/http"
-	_ "net/http/pprof"
-	"os"
-
-	log "github.com/sirupsen/logrus"
-)
-
-func init() {
-	addr := pprofAddr()
-	go pprof(addr)
-}
-
-func pprofAddr() string {
-	listenAddr := os.Getenv("NB_PPROF_ADDR")
-	if listenAddr == "" {
-		return "localhost:6969"
-	}
-
-	return listenAddr
-}
-
-func pprof(listenAddr string) {
-	log.Infof("listening pprof on: %s\n", listenAddr)
-	if err := http.ListenAndServe(listenAddr, nil); err != nil {
-		log.Fatalf("Failed to start pprof: %v", err)
-	}
-}

client/cmd/root.go

@@ -22,7 +22,6 @@ import (
 	"google.golang.org/grpc/credentials/insecure"
 
 	"github.com/netbirdio/netbird/client/internal"
-	"github.com/netbirdio/netbird/upload-server/types"
 )
 
 const (
@@ -39,9 +38,6 @@ const (
 	extraIFaceBlackListFlag = "extra-iface-blacklist"
 	dnsRouteIntervalFlag    = "dns-router-interval"
 	systemInfoFlag          = "system-info"
-	blockLANAccessFlag      = "block-lan-access"
-	uploadBundle            = "upload-bundle"
-	uploadBundleURL         = "upload-bundle-url"
 )
 
 var (
@@ -77,9 +73,6 @@ var (
 	anonymizeFlag           bool
 	debugSystemInfoFlag     bool
 	dnsRouteInterval        time.Duration
-	blockLANAccess          bool
-	debugUploadBundle       bool
-	debugUploadBundleURL    string
 
 	rootCmd = &cobra.Command{
 		Use:          "netbird",
@@ -149,23 +142,19 @@ func init() {
 	rootCmd.AddCommand(loginCmd)
 	rootCmd.AddCommand(versionCmd)
 	rootCmd.AddCommand(sshCmd)
-	rootCmd.AddCommand(networksCMD)
-	rootCmd.AddCommand(forwardingRulesCmd)
+	rootCmd.AddCommand(routesCmd)
 	rootCmd.AddCommand(debugCmd)
 
 	serviceCmd.AddCommand(runCmd, startCmd, stopCmd, restartCmd) // service control commands are subcommands of service
 	serviceCmd.AddCommand(installCmd, uninstallCmd)              // service installer commands are subcommands of service
 
-	networksCMD.AddCommand(routesListCmd)
-	networksCMD.AddCommand(routesSelectCmd, routesDeselectCmd)
-
-	forwardingRulesCmd.AddCommand(forwardingRulesListCmd)
+	routesCmd.AddCommand(routesListCmd)
+	routesCmd.AddCommand(routesSelectCmd, routesDeselectCmd)
 
 	debugCmd.AddCommand(debugBundleCmd)
 	debugCmd.AddCommand(logCmd)
 	logCmd.AddCommand(logLevelCmd)
 	debugCmd.AddCommand(forCmd)
-	debugCmd.AddCommand(persistenceCmd)
 
 	upCmd.PersistentFlags().StringSliceVar(&natExternalIPs, externalIPMapFlag, nil,
 		`Sets external IPs maps between local addresses and interfaces.`+
@@ -185,9 +174,7 @@ func init() {
 	upCmd.PersistentFlags().BoolVar(&serverSSHAllowed, serverSSHAllowedFlag, false, "Allow SSH server on peer. If enabled, the SSH server will be permitted")
 	upCmd.PersistentFlags().BoolVar(&autoConnectDisabled, disableAutoConnectFlag, false, "Disables auto-connect feature. If enabled, then the client won't connect automatically when the service starts.")
 
-	debugCmd.PersistentFlags().BoolVarP(&debugSystemInfoFlag, systemInfoFlag, "S", true, "Adds system information to the debug bundle")
-	debugCmd.PersistentFlags().BoolVarP(&debugUploadBundle, uploadBundle, "U", false, fmt.Sprintf("Uploads the debug bundle to a server from URL defined by %s", uploadBundleURL))
-	debugCmd.PersistentFlags().StringVar(&debugUploadBundleURL, uploadBundleURL, types.DefaultBundleURL, "Service URL to get an URL to upload the debug bundle")
+	debugCmd.PersistentFlags().BoolVarP(&debugSystemInfoFlag, systemInfoFlag, "S", false, "Adds system information to the debug bundle")
 }
 
 // SetupCloseHandler handles SIGTERM signal and exits with success

client/cmd/route.go

@@ -0,0 +1,174 @@
+package cmd
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/spf13/cobra"
+	"google.golang.org/grpc/status"
+
+	"github.com/netbirdio/netbird/client/proto"
+)
+
+var appendFlag bool
+
+var routesCmd = &cobra.Command{
+	Use:   "routes",
+	Short: "Manage network routes",
+	Long:  `Commands to list, select, or deselect network routes.`,
+}
+
+var routesListCmd = &cobra.Command{
+	Use:     "list",
+	Aliases: []string{"ls"},
+	Short:   "List routes",
+	Example: "  netbird routes list",
+	Long:    "List all available network routes.",
+	RunE:    routesList,
+}
+
+var routesSelectCmd = &cobra.Command{
+	Use:     "select route...|all",
+	Short:   "Select routes",
+	Long:    "Select a list of routes by identifiers or 'all' to clear all selections and to accept all (including new) routes.\nDefault mode is replace, use -a to append to already selected routes.",
+	Example: "  netbird routes select all\n  netbird routes select route1 route2\n  netbird routes select -a route3",
+	Args:    cobra.MinimumNArgs(1),
+	RunE:    routesSelect,
+}
+
+var routesDeselectCmd = &cobra.Command{
+	Use:     "deselect route...|all",
+	Short:   "Deselect routes",
+	Long:    "Deselect previously selected routes by identifiers or 'all' to disable accepting any routes.",
+	Example: "  netbird routes deselect all\n  netbird routes deselect route1 route2",
+	Args:    cobra.MinimumNArgs(1),
+	RunE:    routesDeselect,
+}
+
+func init() {
+	routesSelectCmd.PersistentFlags().BoolVarP(&appendFlag, "append", "a", false, "Append to current route selection instead of replacing")
+}
+
+func routesList(cmd *cobra.Command, _ []string) error {
+	conn, err := getClient(cmd)
+	if err != nil {
+		return err
+	}
+	defer conn.Close()
+
+	client := proto.NewDaemonServiceClient(conn)
+	resp, err := client.ListRoutes(cmd.Context(), &proto.ListRoutesRequest{})
+	if err != nil {
+		return fmt.Errorf("failed to list routes: %v", status.Convert(err).Message())
+	}
+
+	if len(resp.Routes) == 0 {
+		cmd.Println("No routes available.")
+		return nil
+	}
+
+	printRoutes(cmd, resp)
+
+	return nil
+}
+
+func printRoutes(cmd *cobra.Command, resp *proto.ListRoutesResponse) {
+	cmd.Println("Available Routes:")
+	for _, route := range resp.Routes {
+		printRoute(cmd, route)
+	}
+}
+
+func printRoute(cmd *cobra.Command, route *proto.Route) {
+	selectedStatus := getSelectedStatus(route)
+	domains := route.GetDomains()
+
+	if len(domains) > 0 {
+		printDomainRoute(cmd, route, domains, selectedStatus)
+	} else {
+		printNetworkRoute(cmd, route, selectedStatus)
+	}
+}
+
+func getSelectedStatus(route *proto.Route) string {
+	if route.GetSelected() {
+		return "Selected"
+	}
+	return "Not Selected"
+}
+
+func printDomainRoute(cmd *cobra.Command, route *proto.Route, domains []string, selectedStatus string) {
+	cmd.Printf("\n  - ID: %s\n    Domains: %s\n    Status: %s\n", route.GetID(), strings.Join(domains, ", "), selectedStatus)
+	resolvedIPs := route.GetResolvedIPs()
+
+	if len(resolvedIPs) > 0 {
+		printResolvedIPs(cmd, domains, resolvedIPs)
+	} else {
+		cmd.Printf("    Resolved IPs: -\n")
+	}
+}
+
+func printNetworkRoute(cmd *cobra.Command, route *proto.Route, selectedStatus string) {
+	cmd.Printf("\n  - ID: %s\n    Network: %s\n    Status: %s\n", route.GetID(), route.GetNetwork(), selectedStatus)
+}
+
+func printResolvedIPs(cmd *cobra.Command, domains []string, resolvedIPs map[string]*proto.IPList) {
+	cmd.Printf("    Resolved IPs:\n")
+	for _, domain := range domains {
+		if ipList, exists := resolvedIPs[domain]; exists {
+			cmd.Printf("      [%s]: %s\n", domain, strings.Join(ipList.GetIps(), ", "))
+		}
+	}
+}
+
+func routesSelect(cmd *cobra.Command, args []string) error {
+	conn, err := getClient(cmd)
+	if err != nil {
+		return err
+	}
+	defer conn.Close()
+
+	client := proto.NewDaemonServiceClient(conn)
+	req := &proto.SelectRoutesRequest{
+		RouteIDs: args,
+	}
+
+	if len(args) == 1 && args[0] == "all" {
+		req.All = true
+	} else if appendFlag {
+		req.Append = true
+	}
+
+	if _, err := client.SelectRoutes(cmd.Context(), req); err != nil {
+		return fmt.Errorf("failed to select routes: %v", status.Convert(err).Message())
+	}
+
+	cmd.Println("Routes selected successfully.")
+
+	return nil
+}
+
+func routesDeselect(cmd *cobra.Command, args []string) error {
+	conn, err := getClient(cmd)
+	if err != nil {
+		return err
+	}
+	defer conn.Close()
+
+	client := proto.NewDaemonServiceClient(conn)
+	req := &proto.SelectRoutesRequest{
+		RouteIDs: args,
+	}
+
+	if len(args) == 1 && args[0] == "all" {
+		req.All = true
+	}
+
+	if _, err := client.DeselectRoutes(cmd.Context(), req); err != nil {
+		return fmt.Errorf("failed to deselect routes: %v", status.Convert(err).Message())
+	}
+
+	cmd.Println("Routes deselected successfully.")
+
+	return nil
+}

client/cmd/service.go

@@ -2,7 +2,6 @@ package cmd
 
 import (
 	"context"
-	"sync"
 
 	"github.com/kardianos/service"
 	log "github.com/sirupsen/logrus"
@@ -14,11 +13,10 @@ import (
 )
 
 type program struct {
-	ctx              context.Context
-	cancel           context.CancelFunc
-	serv             *grpc.Server
-	serverInstance   *server.Server
-	serverInstanceMu sync.Mutex
+	ctx            context.Context
+	cancel         context.CancelFunc
+	serv           *grpc.Server
+	serverInstance *server.Server
 }
 
 func newProgram(ctx context.Context, cancel context.CancelFunc) *program {

client/cmd/service_controller.go

@@ -16,17 +16,12 @@ import (
 
 	"github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/client/server"
-	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/util"
 )
 
 func (p *program) Start(svc service.Service) error {
 	// Start should not block. Do the actual work async.
 	log.Info("starting Netbird service") //nolint
-
-	// Collect static system and platform information
-	system.UpdateStaticInfo()
-
 	// in any case, even if configuration does not exists we run daemon to serve CLI gRPC API.
 	p.serv = grpc.NewServer()
 
@@ -66,9 +61,7 @@ func (p *program) Start(svc service.Service) error {
 		}
 		proto.RegisterDaemonServiceServer(p.serv, serverInstance)
 
-		p.serverInstanceMu.Lock()
 		p.serverInstance = serverInstance
-		p.serverInstanceMu.Unlock()
 
 		log.Printf("started daemon server: %v", split[1])
 		if err := p.serv.Serve(listen); err != nil {
@@ -79,7 +72,6 @@ func (p *program) Start(svc service.Service) error {
 }
 
 func (p *program) Stop(srv service.Service) error {
-	p.serverInstanceMu.Lock()
 	if p.serverInstance != nil {
 		in := new(proto.DownRequest)
 		_, err := p.serverInstance.Down(p.ctx, in)
@@ -87,7 +79,6 @@ func (p *program) Stop(srv service.Service) error {
 			log.Errorf("failed to stop daemon: %v", err)
 		}
 	}
-	p.serverInstanceMu.Unlock()
 
 	p.cancel()
 
@@ -120,7 +111,6 @@ var runCmd = &cobra.Command{
 
 		ctx, cancel := context.WithCancel(cmd.Context())
 		SetupCloseHandler(ctx, cancel)
-		SetupDebugHandler(ctx, nil, nil, nil, logFile)
 
 		s, err := newSVC(newProgram(ctx, cancel), newSVCConfig())
 		if err != nil {

client/cmd/ssh.go

@@ -9,6 +9,7 @@ import (
 	"strings"
 	"syscall"
 
+	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
 	"github.com/netbirdio/netbird/client/internal"
@@ -72,7 +73,7 @@ var sshCmd = &cobra.Command{
 		go func() {
 			// blocking
 			if err := runSSH(sshctx, host, []byte(config.SSHKey), cmd); err != nil {
-				cmd.Printf("Error: %v\n", err)
+				log.Debug(err)
 				os.Exit(1)
 			}
 			cancel()

client/cmd/state.go

@@ -1,181 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-	"google.golang.org/grpc/status"
-
-	"github.com/netbirdio/netbird/client/proto"
-)
-
-var (
-	allFlag bool
-)
-
-var stateCmd = &cobra.Command{
-	Use:   "state",
-	Short: "Manage daemon state",
-	Long:  "Provides commands for managing and inspecting the Netbird daemon state.",
-}
-
-var stateListCmd = &cobra.Command{
-	Use:     "list",
-	Aliases: []string{"ls"},
-	Short:   "List all stored states",
-	Long:    "Lists all registered states with their status and basic information.",
-	Example: "  netbird state list",
-	RunE:    stateList,
-}
-
-var stateCleanCmd = &cobra.Command{
-	Use:   "clean [state-name]",
-	Short: "Clean stored states",
-	Long: `Clean specific state or all states. The daemon must not be running.
-This will perform cleanup operations and remove the state.`,
-	Example: `  netbird state clean dns_state
-  netbird state clean --all`,
-	RunE: stateClean,
-	PreRunE: func(cmd *cobra.Command, args []string) error {
-		// Check mutual exclusivity between --all flag and state-name argument
-		if allFlag && len(args) > 0 {
-			return fmt.Errorf("cannot specify both --all flag and state name")
-		}
-		if !allFlag && len(args) != 1 {
-			return fmt.Errorf("requires a state name argument or --all flag")
-		}
-		return nil
-	},
-}
-
-var stateDeleteCmd = &cobra.Command{
-	Use:   "delete [state-name]",
-	Short: "Delete stored states",
-	Long: `Delete specific state or all states from storage. The daemon must not be running.
-This will remove the state without performing any cleanup operations.`,
-	Example: `  netbird state delete dns_state
-  netbird state delete --all`,
-	RunE: stateDelete,
-	PreRunE: func(cmd *cobra.Command, args []string) error {
-		// Check mutual exclusivity between --all flag and state-name argument
-		if allFlag && len(args) > 0 {
-			return fmt.Errorf("cannot specify both --all flag and state name")
-		}
-		if !allFlag && len(args) != 1 {
-			return fmt.Errorf("requires a state name argument or --all flag")
-		}
-		return nil
-	},
-}
-
-func init() {
-	rootCmd.AddCommand(stateCmd)
-	stateCmd.AddCommand(stateListCmd, stateCleanCmd, stateDeleteCmd)
-
-	stateCleanCmd.Flags().BoolVarP(&allFlag, "all", "a", false, "Clean all states")
-	stateDeleteCmd.Flags().BoolVarP(&allFlag, "all", "a", false, "Delete all states")
-}
-
-func stateList(cmd *cobra.Command, _ []string) error {
-	conn, err := getClient(cmd)
-	if err != nil {
-		return err
-	}
-	defer func() {
-		if err := conn.Close(); err != nil {
-			log.Errorf(errCloseConnection, err)
-		}
-	}()
-
-	client := proto.NewDaemonServiceClient(conn)
-	resp, err := client.ListStates(cmd.Context(), &proto.ListStatesRequest{})
-	if err != nil {
-		return fmt.Errorf("failed to list states: %v", status.Convert(err).Message())
-	}
-
-	cmd.Printf("\nStored states:\n\n")
-	for _, state := range resp.States {
-		cmd.Printf("- %s\n", state.Name)
-	}
-
-	return nil
-}
-
-func stateClean(cmd *cobra.Command, args []string) error {
-	var stateName string
-	if !allFlag {
-		stateName = args[0]
-	}
-
-	conn, err := getClient(cmd)
-	if err != nil {
-		return err
-	}
-	defer func() {
-		if err := conn.Close(); err != nil {
-			log.Errorf(errCloseConnection, err)
-		}
-	}()
-
-	client := proto.NewDaemonServiceClient(conn)
-	resp, err := client.CleanState(cmd.Context(), &proto.CleanStateRequest{
-		StateName: stateName,
-		All:       allFlag,
-	})
-	if err != nil {
-		return fmt.Errorf("failed to clean state: %v", status.Convert(err).Message())
-	}
-
-	if resp.CleanedStates == 0 {
-		cmd.Println("No states were cleaned")
-		return nil
-	}
-
-	if allFlag {
-		cmd.Printf("Successfully cleaned %d states\n", resp.CleanedStates)
-	} else {
-		cmd.Printf("Successfully cleaned state %q\n", stateName)
-	}
-
-	return nil
-}
-
-func stateDelete(cmd *cobra.Command, args []string) error {
-	var stateName string
-	if !allFlag {
-		stateName = args[0]
-	}
-
-	conn, err := getClient(cmd)
-	if err != nil {
-		return err
-	}
-	defer func() {
-		if err := conn.Close(); err != nil {
-			log.Errorf(errCloseConnection, err)
-		}
-	}()
-
-	client := proto.NewDaemonServiceClient(conn)
-	resp, err := client.DeleteState(cmd.Context(), &proto.DeleteStateRequest{
-		StateName: stateName,
-		All:       allFlag,
-	})
-	if err != nil {
-		return fmt.Errorf("failed to delete state: %v", status.Convert(err).Message())
-	}
-
-	if resp.DeletedStates == 0 {
-		cmd.Println("No states were deleted")
-		return nil
-	}
-
-	if allFlag {
-		cmd.Printf("Successfully deleted %d states\n", resp.DeletedStates)
-	} else {
-		cmd.Printf("Successfully deleted state %q\n", stateName)
-	}
-
-	return nil
-}

client/cmd/status.go

@@ -2,20 +2,105 @@ package cmd
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"net"
 	"net/netip"
+	"os"
+	"runtime"
+	"sort"
 	"strings"
+	"time"
 
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/status"
+	"gopkg.in/yaml.v3"
 
+	"github.com/netbirdio/netbird/client/anonymize"
 	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/proto"
-	nbstatus "github.com/netbirdio/netbird/client/status"
 	"github.com/netbirdio/netbird/util"
+	"github.com/netbirdio/netbird/version"
 )
 
+type peerStateDetailOutput struct {
+	FQDN                   string           `json:"fqdn" yaml:"fqdn"`
+	IP                     string           `json:"netbirdIp" yaml:"netbirdIp"`
+	PubKey                 string           `json:"publicKey" yaml:"publicKey"`
+	Status                 string           `json:"status" yaml:"status"`
+	LastStatusUpdate       time.Time        `json:"lastStatusUpdate" yaml:"lastStatusUpdate"`
+	ConnType               string           `json:"connectionType" yaml:"connectionType"`
+	IceCandidateType       iceCandidateType `json:"iceCandidateType" yaml:"iceCandidateType"`
+	IceCandidateEndpoint   iceCandidateType `json:"iceCandidateEndpoint" yaml:"iceCandidateEndpoint"`
+	RelayAddress           string           `json:"relayAddress" yaml:"relayAddress"`
+	LastWireguardHandshake time.Time        `json:"lastWireguardHandshake" yaml:"lastWireguardHandshake"`
+	TransferReceived       int64            `json:"transferReceived" yaml:"transferReceived"`
+	TransferSent           int64            `json:"transferSent" yaml:"transferSent"`
+	Latency                time.Duration    `json:"latency" yaml:"latency"`
+	RosenpassEnabled       bool             `json:"quantumResistance" yaml:"quantumResistance"`
+	Routes                 []string         `json:"routes" yaml:"routes"`
+}
+
+type peersStateOutput struct {
+	Total     int                     `json:"total" yaml:"total"`
+	Connected int                     `json:"connected" yaml:"connected"`
+	Details   []peerStateDetailOutput `json:"details" yaml:"details"`
+}
+
+type signalStateOutput struct {
+	URL       string `json:"url" yaml:"url"`
+	Connected bool   `json:"connected" yaml:"connected"`
+	Error     string `json:"error" yaml:"error"`
+}
+
+type managementStateOutput struct {
+	URL       string `json:"url" yaml:"url"`
+	Connected bool   `json:"connected" yaml:"connected"`
+	Error     string `json:"error" yaml:"error"`
+}
+
+type relayStateOutputDetail struct {
+	URI       string `json:"uri" yaml:"uri"`
+	Available bool   `json:"available" yaml:"available"`
+	Error     string `json:"error" yaml:"error"`
+}
+
+type relayStateOutput struct {
+	Total     int                      `json:"total" yaml:"total"`
+	Available int                      `json:"available" yaml:"available"`
+	Details   []relayStateOutputDetail `json:"details" yaml:"details"`
+}
+
+type iceCandidateType struct {
+	Local  string `json:"local" yaml:"local"`
+	Remote string `json:"remote" yaml:"remote"`
+}
+
+type nsServerGroupStateOutput struct {
+	Servers []string `json:"servers" yaml:"servers"`
+	Domains []string `json:"domains" yaml:"domains"`
+	Enabled bool     `json:"enabled" yaml:"enabled"`
+	Error   string   `json:"error" yaml:"error"`
+}
+
+type statusOutputOverview struct {
+	Peers               peersStateOutput           `json:"peers" yaml:"peers"`
+	CliVersion          string                     `json:"cliVersion" yaml:"cliVersion"`
+	DaemonVersion       string                     `json:"daemonVersion" yaml:"daemonVersion"`
+	ManagementState     managementStateOutput      `json:"management" yaml:"management"`
+	SignalState         signalStateOutput          `json:"signal" yaml:"signal"`
+	Relays              relayStateOutput           `json:"relays" yaml:"relays"`
+	IP                  string                     `json:"netbirdIp" yaml:"netbirdIp"`
+	PubKey              string                     `json:"publicKey" yaml:"publicKey"`
+	KernelInterface     bool                       `json:"usesKernelInterface" yaml:"usesKernelInterface"`
+	FQDN                string                     `json:"fqdn" yaml:"fqdn"`
+	RosenpassEnabled    bool                       `json:"quantumResistance" yaml:"quantumResistance"`
+	RosenpassPermissive bool                       `json:"quantumResistancePermissive" yaml:"quantumResistancePermissive"`
+	Routes              []string                   `json:"routes" yaml:"routes"`
+	NSServerGroups      []nsServerGroupStateOutput `json:"dnsServers" yaml:"dnsServers"`
+}
+
 var (
 	detailFlag           bool
 	ipv4Flag             bool
@@ -86,17 +171,18 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 		return nil
 	}
 
-	var outputInformationHolder = nbstatus.ConvertToStatusOutputOverview(resp, anonymizeFlag, statusFilter, prefixNamesFilter, prefixNamesFilterMap, ipsFilterMap)
+	outputInformationHolder := convertToStatusOutputOverview(resp)
+
 	var statusOutputString string
 	switch {
 	case detailFlag:
-		statusOutputString = nbstatus.ParseToFullDetailSummary(outputInformationHolder)
+		statusOutputString = parseToFullDetailSummary(outputInformationHolder)
 	case jsonFlag:
-		statusOutputString, err = nbstatus.ParseToJSON(outputInformationHolder)
+		statusOutputString, err = parseToJSON(outputInformationHolder)
 	case yamlFlag:
-		statusOutputString, err = nbstatus.ParseToYAML(outputInformationHolder)
+		statusOutputString, err = parseToYAML(outputInformationHolder)
 	default:
-		statusOutputString = nbstatus.ParseGeneralSummary(outputInformationHolder, false, false, false)
+		statusOutputString = parseGeneralSummary(outputInformationHolder, false, false, false)
 	}
 
 	if err != nil {
@@ -126,6 +212,7 @@ func getStatus(ctx context.Context) (*proto.StatusResponse, error) {
 }
 
 func parseFilters() error {
+
 	switch strings.ToLower(statusFilter) {
 	case "", "disconnected", "connected":
 		if strings.ToLower(statusFilter) != "" {
@@ -162,6 +249,173 @@ func enableDetailFlagWhenFilterFlag() {
 	}
 }
 
+func convertToStatusOutputOverview(resp *proto.StatusResponse) statusOutputOverview {
+	pbFullStatus := resp.GetFullStatus()
+
+	managementState := pbFullStatus.GetManagementState()
+	managementOverview := managementStateOutput{
+		URL:       managementState.GetURL(),
+		Connected: managementState.GetConnected(),
+		Error:     managementState.Error,
+	}
+
+	signalState := pbFullStatus.GetSignalState()
+	signalOverview := signalStateOutput{
+		URL:       signalState.GetURL(),
+		Connected: signalState.GetConnected(),
+		Error:     signalState.Error,
+	}
+
+	relayOverview := mapRelays(pbFullStatus.GetRelays())
+	peersOverview := mapPeers(resp.GetFullStatus().GetPeers())
+
+	overview := statusOutputOverview{
+		Peers:               peersOverview,
+		CliVersion:          version.NetbirdVersion(),
+		DaemonVersion:       resp.GetDaemonVersion(),
+		ManagementState:     managementOverview,
+		SignalState:         signalOverview,
+		Relays:              relayOverview,
+		IP:                  pbFullStatus.GetLocalPeerState().GetIP(),
+		PubKey:              pbFullStatus.GetLocalPeerState().GetPubKey(),
+		KernelInterface:     pbFullStatus.GetLocalPeerState().GetKernelInterface(),
+		FQDN:                pbFullStatus.GetLocalPeerState().GetFqdn(),
+		RosenpassEnabled:    pbFullStatus.GetLocalPeerState().GetRosenpassEnabled(),
+		RosenpassPermissive: pbFullStatus.GetLocalPeerState().GetRosenpassPermissive(),
+		Routes:              pbFullStatus.GetLocalPeerState().GetRoutes(),
+		NSServerGroups:      mapNSGroups(pbFullStatus.GetDnsServers()),
+	}
+
+	if anonymizeFlag {
+		anonymizer := anonymize.NewAnonymizer(anonymize.DefaultAddresses())
+		anonymizeOverview(anonymizer, &overview)
+	}
+
+	return overview
+}
+
+func mapRelays(relays []*proto.RelayState) relayStateOutput {
+	var relayStateDetail []relayStateOutputDetail
+
+	var relaysAvailable int
+	for _, relay := range relays {
+		available := relay.GetAvailable()
+		relayStateDetail = append(relayStateDetail,
+			relayStateOutputDetail{
+				URI:       relay.URI,
+				Available: available,
+				Error:     relay.GetError(),
+			},
+		)
+
+		if available {
+			relaysAvailable++
+		}
+	}
+
+	return relayStateOutput{
+		Total:     len(relays),
+		Available: relaysAvailable,
+		Details:   relayStateDetail,
+	}
+}
+
+func mapNSGroups(servers []*proto.NSGroupState) []nsServerGroupStateOutput {
+	mappedNSGroups := make([]nsServerGroupStateOutput, 0, len(servers))
+	for _, pbNsGroupServer := range servers {
+		mappedNSGroups = append(mappedNSGroups, nsServerGroupStateOutput{
+			Servers: pbNsGroupServer.GetServers(),
+			Domains: pbNsGroupServer.GetDomains(),
+			Enabled: pbNsGroupServer.GetEnabled(),
+			Error:   pbNsGroupServer.GetError(),
+		})
+	}
+	return mappedNSGroups
+}
+
+func mapPeers(peers []*proto.PeerState) peersStateOutput {
+	var peersStateDetail []peerStateDetailOutput
+	peersConnected := 0
+	for _, pbPeerState := range peers {
+		localICE := ""
+		remoteICE := ""
+		localICEEndpoint := ""
+		remoteICEEndpoint := ""
+		relayServerAddress := ""
+		connType := ""
+		lastHandshake := time.Time{}
+		transferReceived := int64(0)
+		transferSent := int64(0)
+
+		isPeerConnected := pbPeerState.ConnStatus == peer.StatusConnected.String()
+		if skipDetailByFilters(pbPeerState, isPeerConnected) {
+			continue
+		}
+		if isPeerConnected {
+			peersConnected++
+
+			localICE = pbPeerState.GetLocalIceCandidateType()
+			remoteICE = pbPeerState.GetRemoteIceCandidateType()
+			localICEEndpoint = pbPeerState.GetLocalIceCandidateEndpoint()
+			remoteICEEndpoint = pbPeerState.GetRemoteIceCandidateEndpoint()
+			connType = "P2P"
+			if pbPeerState.Relayed {
+				connType = "Relayed"
+			}
+			relayServerAddress = pbPeerState.GetRelayAddress()
+			lastHandshake = pbPeerState.GetLastWireguardHandshake().AsTime().Local()
+			transferReceived = pbPeerState.GetBytesRx()
+			transferSent = pbPeerState.GetBytesTx()
+		}
+
+		timeLocal := pbPeerState.GetConnStatusUpdate().AsTime().Local()
+		peerState := peerStateDetailOutput{
+			IP:               pbPeerState.GetIP(),
+			PubKey:           pbPeerState.GetPubKey(),
+			Status:           pbPeerState.GetConnStatus(),
+			LastStatusUpdate: timeLocal,
+			ConnType:         connType,
+			IceCandidateType: iceCandidateType{
+				Local:  localICE,
+				Remote: remoteICE,
+			},
+			IceCandidateEndpoint: iceCandidateType{
+				Local:  localICEEndpoint,
+				Remote: remoteICEEndpoint,
+			},
+			RelayAddress:           relayServerAddress,
+			FQDN:                   pbPeerState.GetFqdn(),
+			LastWireguardHandshake: lastHandshake,
+			TransferReceived:       transferReceived,
+			TransferSent:           transferSent,
+			Latency:                pbPeerState.GetLatency().AsDuration(),
+			RosenpassEnabled:       pbPeerState.GetRosenpassEnabled(),
+			Routes:                 pbPeerState.GetRoutes(),
+		}
+
+		peersStateDetail = append(peersStateDetail, peerState)
+	}
+
+	sortPeersByIP(peersStateDetail)
+
+	peersOverview := peersStateOutput{
+		Total:     len(peersStateDetail),
+		Connected: peersConnected,
+		Details:   peersStateDetail,
+	}
+	return peersOverview
+}
+
+func sortPeersByIP(peersStateDetail []peerStateDetailOutput) {
+	if len(peersStateDetail) > 0 {
+		sort.SliceStable(peersStateDetail, func(i, j int) bool {
+			iAddr, _ := netip.ParseAddr(peersStateDetail[i].IP)
+			jAddr, _ := netip.ParseAddr(peersStateDetail[j].IP)
+			return iAddr.Compare(jAddr) == -1
+		})
+	}
+}
+
 func parseInterfaceIP(interfaceIP string) string {
 	ip, _, err := net.ParseCIDR(interfaceIP)
 	if err != nil {
@@ -169,3 +423,434 @@ func parseInterfaceIP(interfaceIP string) string {
 	}
 	return fmt.Sprintf("%s\n", ip)
 }
+
+func parseToJSON(overview statusOutputOverview) (string, error) {
+	jsonBytes, err := json.Marshal(overview)
+	if err != nil {
+		return "", fmt.Errorf("json marshal failed")
+	}
+	return string(jsonBytes), err
+}
+
+func parseToYAML(overview statusOutputOverview) (string, error) {
+	yamlBytes, err := yaml.Marshal(overview)
+	if err != nil {
+		return "", fmt.Errorf("yaml marshal failed")
+	}
+	return string(yamlBytes), nil
+}
+
+func parseGeneralSummary(overview statusOutputOverview, showURL bool, showRelays bool, showNameServers bool) string {
+	var managementConnString string
+	if overview.ManagementState.Connected {
+		managementConnString = "Connected"
+		if showURL {
+			managementConnString = fmt.Sprintf("%s to %s", managementConnString, overview.ManagementState.URL)
+		}
+	} else {
+		managementConnString = "Disconnected"
+		if overview.ManagementState.Error != "" {
+			managementConnString = fmt.Sprintf("%s, reason: %s", managementConnString, overview.ManagementState.Error)
+		}
+	}
+
+	var signalConnString string
+	if overview.SignalState.Connected {
+		signalConnString = "Connected"
+		if showURL {
+			signalConnString = fmt.Sprintf("%s to %s", signalConnString, overview.SignalState.URL)
+		}
+	} else {
+		signalConnString = "Disconnected"
+		if overview.SignalState.Error != "" {
+			signalConnString = fmt.Sprintf("%s, reason: %s", signalConnString, overview.SignalState.Error)
+		}
+	}
+
+	interfaceTypeString := "Userspace"
+	interfaceIP := overview.IP
+	if overview.KernelInterface {
+		interfaceTypeString = "Kernel"
+	} else if overview.IP == "" {
+		interfaceTypeString = "N/A"
+		interfaceIP = "N/A"
+	}
+
+	var relaysString string
+	if showRelays {
+		for _, relay := range overview.Relays.Details {
+			available := "Available"
+			reason := ""
+			if !relay.Available {
+				available = "Unavailable"
+				reason = fmt.Sprintf(", reason: %s", relay.Error)
+			}
+			relaysString += fmt.Sprintf("\n  [%s] is %s%s", relay.URI, available, reason)
+		}
+	} else {
+		relaysString = fmt.Sprintf("%d/%d Available", overview.Relays.Available, overview.Relays.Total)
+	}
+
+	routes := "-"
+	if len(overview.Routes) > 0 {
+		sort.Strings(overview.Routes)
+		routes = strings.Join(overview.Routes, ", ")
+	}
+
+	var dnsServersString string
+	if showNameServers {
+		for _, nsServerGroup := range overview.NSServerGroups {
+			enabled := "Available"
+			if !nsServerGroup.Enabled {
+				enabled = "Unavailable"
+			}
+			errorString := ""
+			if nsServerGroup.Error != "" {
+				errorString = fmt.Sprintf(", reason: %s", nsServerGroup.Error)
+				errorString = strings.TrimSpace(errorString)
+			}
+
+			domainsString := strings.Join(nsServerGroup.Domains, ", ")
+			if domainsString == "" {
+				domainsString = "." // Show "." for the default zone
+			}
+			dnsServersString += fmt.Sprintf(
+				"\n  [%s] for [%s] is %s%s",
+				strings.Join(nsServerGroup.Servers, ", "),
+				domainsString,
+				enabled,
+				errorString,
+			)
+		}
+	} else {
+		dnsServersString = fmt.Sprintf("%d/%d Available", countEnabled(overview.NSServerGroups), len(overview.NSServerGroups))
+	}
+
+	rosenpassEnabledStatus := "false"
+	if overview.RosenpassEnabled {
+		rosenpassEnabledStatus = "true"
+		if overview.RosenpassPermissive {
+			rosenpassEnabledStatus = "true (permissive)" //nolint:gosec
+		}
+	}
+
+	peersCountString := fmt.Sprintf("%d/%d Connected", overview.Peers.Connected, overview.Peers.Total)
+
+	goos := runtime.GOOS
+	goarch := runtime.GOARCH
+	goarm := ""
+	if goarch == "arm" {
+		goarm = fmt.Sprintf(" (ARMv%s)", os.Getenv("GOARM"))
+	}
+
+	summary := fmt.Sprintf(
+		"OS: %s\n"+
+			"Daemon version: %s\n"+
+			"CLI version: %s\n"+
+			"Management: %s\n"+
+			"Signal: %s\n"+
+			"Relays: %s\n"+
+			"Nameservers: %s\n"+
+			"FQDN: %s\n"+
+			"NetBird IP: %s\n"+
+			"Interface type: %s\n"+
+			"Quantum resistance: %s\n"+
+			"Routes: %s\n"+
+			"Peers count: %s\n",
+		fmt.Sprintf("%s/%s%s", goos, goarch, goarm),
+		overview.DaemonVersion,
+		version.NetbirdVersion(),
+		managementConnString,
+		signalConnString,
+		relaysString,
+		dnsServersString,
+		overview.FQDN,
+		interfaceIP,
+		interfaceTypeString,
+		rosenpassEnabledStatus,
+		routes,
+		peersCountString,
+	)
+	return summary
+}
+
+func parseToFullDetailSummary(overview statusOutputOverview) string {
+	parsedPeersString := parsePeers(overview.Peers, overview.RosenpassEnabled, overview.RosenpassPermissive)
+	summary := parseGeneralSummary(overview, true, true, true)
+
+	return fmt.Sprintf(
+		"Peers detail:"+
+			"%s\n"+
+			"%s",
+		parsedPeersString,
+		summary,
+	)
+}
+
+func parsePeers(peers peersStateOutput, rosenpassEnabled, rosenpassPermissive bool) string {
+	var (
+		peersString = ""
+	)
+
+	for _, peerState := range peers.Details {
+
+		localICE := "-"
+		if peerState.IceCandidateType.Local != "" {
+			localICE = peerState.IceCandidateType.Local
+		}
+
+		remoteICE := "-"
+		if peerState.IceCandidateType.Remote != "" {
+			remoteICE = peerState.IceCandidateType.Remote
+		}
+
+		localICEEndpoint := "-"
+		if peerState.IceCandidateEndpoint.Local != "" {
+			localICEEndpoint = peerState.IceCandidateEndpoint.Local
+		}
+
+		remoteICEEndpoint := "-"
+		if peerState.IceCandidateEndpoint.Remote != "" {
+			remoteICEEndpoint = peerState.IceCandidateEndpoint.Remote
+		}
+
+		rosenpassEnabledStatus := "false"
+		if rosenpassEnabled {
+			if peerState.RosenpassEnabled {
+				rosenpassEnabledStatus = "true"
+			} else {
+				if rosenpassPermissive {
+					rosenpassEnabledStatus = "false (remote didn't enable quantum resistance)"
+				} else {
+					rosenpassEnabledStatus = "false (connection won't work without a permissive mode)"
+				}
+			}
+		} else {
+			if peerState.RosenpassEnabled {
+				rosenpassEnabledStatus = "false (connection might not work without a remote permissive mode)"
+			}
+		}
+
+		routes := "-"
+		if len(peerState.Routes) > 0 {
+			sort.Strings(peerState.Routes)
+			routes = strings.Join(peerState.Routes, ", ")
+		}
+
+		peerString := fmt.Sprintf(
+			"\n %s:\n"+
+				"  NetBird IP: %s\n"+
+				"  Public key: %s\n"+
+				"  Status: %s\n"+
+				"  -- detail --\n"+
+				"  Connection type: %s\n"+
+				"  ICE candidate (Local/Remote): %s/%s\n"+
+				"  ICE candidate endpoints (Local/Remote): %s/%s\n"+
+				"  Relay server address: %s\n"+
+				"  Last connection update: %s\n"+
+				"  Last WireGuard handshake: %s\n"+
+				"  Transfer status (received/sent) %s/%s\n"+
+				"  Quantum resistance: %s\n"+
+				"  Routes: %s\n"+
+				"  Latency: %s\n",
+			peerState.FQDN,
+			peerState.IP,
+			peerState.PubKey,
+			peerState.Status,
+			peerState.ConnType,
+			localICE,
+			remoteICE,
+			localICEEndpoint,
+			remoteICEEndpoint,
+			peerState.RelayAddress,
+			timeAgo(peerState.LastStatusUpdate),
+			timeAgo(peerState.LastWireguardHandshake),
+			toIEC(peerState.TransferReceived),
+			toIEC(peerState.TransferSent),
+			rosenpassEnabledStatus,
+			routes,
+			peerState.Latency.String(),
+		)
+
+		peersString += peerString
+	}
+	return peersString
+}
+
+func skipDetailByFilters(peerState *proto.PeerState, isConnected bool) bool {
+	statusEval := false
+	ipEval := false
+	nameEval := false
+
+	if statusFilter != "" {
+		lowerStatusFilter := strings.ToLower(statusFilter)
+		if lowerStatusFilter == "disconnected" && isConnected {
+			statusEval = true
+		} else if lowerStatusFilter == "connected" && !isConnected {
+			statusEval = true
+		}
+	}
+
+	if len(ipsFilter) > 0 {
+		_, ok := ipsFilterMap[peerState.IP]
+		if !ok {
+			ipEval = true
+		}
+	}
+
+	if len(prefixNamesFilter) > 0 {
+		for prefixNameFilter := range prefixNamesFilterMap {
+			if !strings.HasPrefix(peerState.Fqdn, prefixNameFilter) {
+				nameEval = true
+				break
+			}
+		}
+	}
+
+	return statusEval || ipEval || nameEval
+}
+
+func toIEC(b int64) string {
+	const unit = 1024
+	if b < unit {
+		return fmt.Sprintf("%d B", b)
+	}
+	div, exp := int64(unit), 0
+	for n := b / unit; n >= unit; n /= unit {
+		div *= unit
+		exp++
+	}
+	return fmt.Sprintf("%.1f %ciB",
+		float64(b)/float64(div), "KMGTPE"[exp])
+}
+
+func countEnabled(dnsServers []nsServerGroupStateOutput) int {
+	count := 0
+	for _, server := range dnsServers {
+		if server.Enabled {
+			count++
+		}
+	}
+	return count
+}
+
+// timeAgo returns a string representing the duration since the provided time in a human-readable format.
+func timeAgo(t time.Time) string {
+	if t.IsZero() || t.Equal(time.Unix(0, 0)) {
+		return "-"
+	}
+	duration := time.Since(t)
+	switch {
+	case duration < time.Second:
+		return "Now"
+	case duration < time.Minute:
+		seconds := int(duration.Seconds())
+		if seconds == 1 {
+			return "1 second ago"
+		}
+		return fmt.Sprintf("%d seconds ago", seconds)
+	case duration < time.Hour:
+		minutes := int(duration.Minutes())
+		seconds := int(duration.Seconds()) % 60
+		if minutes == 1 {
+			if seconds == 1 {
+				return "1 minute, 1 second ago"
+			} else if seconds > 0 {
+				return fmt.Sprintf("1 minute, %d seconds ago", seconds)
+			}
+			return "1 minute ago"
+		}
+		if seconds > 0 {
+			return fmt.Sprintf("%d minutes, %d seconds ago", minutes, seconds)
+		}
+		return fmt.Sprintf("%d minutes ago", minutes)
+	case duration < 24*time.Hour:
+		hours := int(duration.Hours())
+		minutes := int(duration.Minutes()) % 60
+		if hours == 1 {
+			if minutes == 1 {
+				return "1 hour, 1 minute ago"
+			} else if minutes > 0 {
+				return fmt.Sprintf("1 hour, %d minutes ago", minutes)
+			}
+			return "1 hour ago"
+		}
+		if minutes > 0 {
+			return fmt.Sprintf("%d hours, %d minutes ago", hours, minutes)
+		}
+		return fmt.Sprintf("%d hours ago", hours)
+	}
+
+	days := int(duration.Hours()) / 24
+	hours := int(duration.Hours()) % 24
+	if days == 1 {
+		if hours == 1 {
+			return "1 day, 1 hour ago"
+		} else if hours > 0 {
+			return fmt.Sprintf("1 day, %d hours ago", hours)
+		}
+		return "1 day ago"
+	}
+	if hours > 0 {
+		return fmt.Sprintf("%d days, %d hours ago", days, hours)
+	}
+	return fmt.Sprintf("%d days ago", days)
+}
+
+func anonymizePeerDetail(a *anonymize.Anonymizer, peer *peerStateDetailOutput) {
+	peer.FQDN = a.AnonymizeDomain(peer.FQDN)
+	if localIP, port, err := net.SplitHostPort(peer.IceCandidateEndpoint.Local); err == nil {
+		peer.IceCandidateEndpoint.Local = fmt.Sprintf("%s:%s", a.AnonymizeIPString(localIP), port)
+	}
+	if remoteIP, port, err := net.SplitHostPort(peer.IceCandidateEndpoint.Remote); err == nil {
+		peer.IceCandidateEndpoint.Remote = fmt.Sprintf("%s:%s", a.AnonymizeIPString(remoteIP), port)
+	}
+
+	peer.RelayAddress = a.AnonymizeURI(peer.RelayAddress)
+
+	for i, route := range peer.Routes {
+		peer.Routes[i] = a.AnonymizeIPString(route)
+	}
+
+	for i, route := range peer.Routes {
+		peer.Routes[i] = a.AnonymizeRoute(route)
+	}
+}
+
+func anonymizeOverview(a *anonymize.Anonymizer, overview *statusOutputOverview) {
+	for i, peer := range overview.Peers.Details {
+		peer := peer
+		anonymizePeerDetail(a, &peer)
+		overview.Peers.Details[i] = peer
+	}
+
+	overview.ManagementState.URL = a.AnonymizeURI(overview.ManagementState.URL)
+	overview.ManagementState.Error = a.AnonymizeString(overview.ManagementState.Error)
+	overview.SignalState.URL = a.AnonymizeURI(overview.SignalState.URL)
+	overview.SignalState.Error = a.AnonymizeString(overview.SignalState.Error)
+
+	overview.IP = a.AnonymizeIPString(overview.IP)
+	for i, detail := range overview.Relays.Details {
+		detail.URI = a.AnonymizeURI(detail.URI)
+		detail.Error = a.AnonymizeString(detail.Error)
+		overview.Relays.Details[i] = detail
+	}
+
+	for i, nsGroup := range overview.NSServerGroups {
+		for j, domain := range nsGroup.Domains {
+			overview.NSServerGroups[i].Domains[j] = a.AnonymizeDomain(domain)
+		}
+		for j, ns := range nsGroup.Servers {
+			host, port, err := net.SplitHostPort(ns)
+			if err == nil {
+				overview.NSServerGroups[i].Servers[j] = fmt.Sprintf("%s:%s", a.AnonymizeIPString(host), port)
+			}
+		}
+	}
+
+	for i, route := range overview.Routes {
+		overview.Routes[i] = a.AnonymizeRoute(route)
+	}
+
+	overview.FQDN = a.AnonymizeDomain(overview.FQDN)
+}

client/cmd/status_test.go

@@ -1,11 +1,575 @@
 package cmd
 
 import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"runtime"
 	"testing"
+	"time"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/protobuf/types/known/durationpb"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	"github.com/netbirdio/netbird/client/proto"
+	"github.com/netbirdio/netbird/version"
 )
 
+func init() {
+	loc, err := time.LoadLocation("UTC")
+	if err != nil {
+		panic(err)
+	}
+
+	time.Local = loc
+}
+
+var resp = &proto.StatusResponse{
+	Status: "Connected",
+	FullStatus: &proto.FullStatus{
+		Peers: []*proto.PeerState{
+			{
+				IP:                         "192.168.178.101",
+				PubKey:                     "Pubkey1",
+				Fqdn:                       "peer-1.awesome-domain.com",
+				ConnStatus:                 "Connected",
+				ConnStatusUpdate:           timestamppb.New(time.Date(2001, time.Month(1), 1, 1, 1, 1, 0, time.UTC)),
+				Relayed:                    false,
+				LocalIceCandidateType:      "",
+				RemoteIceCandidateType:     "",
+				LocalIceCandidateEndpoint:  "",
+				RemoteIceCandidateEndpoint: "",
+				LastWireguardHandshake:     timestamppb.New(time.Date(2001, time.Month(1), 1, 1, 1, 2, 0, time.UTC)),
+				BytesRx:                    200,
+				BytesTx:                    100,
+				Routes: []string{
+					"10.1.0.0/24",
+				},
+				Latency: durationpb.New(time.Duration(10000000)),
+			},
+			{
+				IP:                         "192.168.178.102",
+				PubKey:                     "Pubkey2",
+				Fqdn:                       "peer-2.awesome-domain.com",
+				ConnStatus:                 "Connected",
+				ConnStatusUpdate:           timestamppb.New(time.Date(2002, time.Month(2), 2, 2, 2, 2, 0, time.UTC)),
+				Relayed:                    true,
+				LocalIceCandidateType:      "relay",
+				RemoteIceCandidateType:     "prflx",
+				LocalIceCandidateEndpoint:  "10.0.0.1:10001",
+				RemoteIceCandidateEndpoint: "10.0.10.1:10002",
+				LastWireguardHandshake:     timestamppb.New(time.Date(2002, time.Month(2), 2, 2, 2, 3, 0, time.UTC)),
+				BytesRx:                    2000,
+				BytesTx:                    1000,
+				Latency:                    durationpb.New(time.Duration(10000000)),
+			},
+		},
+		ManagementState: &proto.ManagementState{
+			URL:       "my-awesome-management.com:443",
+			Connected: true,
+			Error:     "",
+		},
+		SignalState: &proto.SignalState{
+			URL:       "my-awesome-signal.com:443",
+			Connected: true,
+			Error:     "",
+		},
+		Relays: []*proto.RelayState{
+			{
+				URI:       "stun:my-awesome-stun.com:3478",
+				Available: true,
+				Error:     "",
+			},
+			{
+				URI:       "turns:my-awesome-turn.com:443?transport=tcp",
+				Available: false,
+				Error:     "context: deadline exceeded",
+			},
+		},
+		LocalPeerState: &proto.LocalPeerState{
+			IP:              "192.168.178.100/16",
+			PubKey:          "Some-Pub-Key",
+			KernelInterface: true,
+			Fqdn:            "some-localhost.awesome-domain.com",
+			Routes: []string{
+				"10.10.0.0/24",
+			},
+		},
+		DnsServers: []*proto.NSGroupState{
+			{
+				Servers: []string{
+					"8.8.8.8:53",
+				},
+				Domains: nil,
+				Enabled: true,
+				Error:   "",
+			},
+			{
+				Servers: []string{
+					"1.1.1.1:53",
+					"2.2.2.2:53",
+				},
+				Domains: []string{
+					"example.com",
+					"example.net",
+				},
+				Enabled: false,
+				Error:   "timeout",
+			},
+		},
+	},
+	DaemonVersion: "0.14.1",
+}
+
+var overview = statusOutputOverview{
+	Peers: peersStateOutput{
+		Total:     2,
+		Connected: 2,
+		Details: []peerStateDetailOutput{
+			{
+				IP:               "192.168.178.101",
+				PubKey:           "Pubkey1",
+				FQDN:             "peer-1.awesome-domain.com",
+				Status:           "Connected",
+				LastStatusUpdate: time.Date(2001, 1, 1, 1, 1, 1, 0, time.UTC),
+				ConnType:         "P2P",
+				IceCandidateType: iceCandidateType{
+					Local:  "",
+					Remote: "",
+				},
+				IceCandidateEndpoint: iceCandidateType{
+					Local:  "",
+					Remote: "",
+				},
+				LastWireguardHandshake: time.Date(2001, 1, 1, 1, 1, 2, 0, time.UTC),
+				TransferReceived:       200,
+				TransferSent:           100,
+				Routes: []string{
+					"10.1.0.0/24",
+				},
+				Latency: time.Duration(10000000),
+			},
+			{
+				IP:               "192.168.178.102",
+				PubKey:           "Pubkey2",
+				FQDN:             "peer-2.awesome-domain.com",
+				Status:           "Connected",
+				LastStatusUpdate: time.Date(2002, 2, 2, 2, 2, 2, 0, time.UTC),
+				ConnType:         "Relayed",
+				IceCandidateType: iceCandidateType{
+					Local:  "relay",
+					Remote: "prflx",
+				},
+				IceCandidateEndpoint: iceCandidateType{
+					Local:  "10.0.0.1:10001",
+					Remote: "10.0.10.1:10002",
+				},
+				LastWireguardHandshake: time.Date(2002, 2, 2, 2, 2, 3, 0, time.UTC),
+				TransferReceived:       2000,
+				TransferSent:           1000,
+				Latency:                time.Duration(10000000),
+			},
+		},
+	},
+	CliVersion:    version.NetbirdVersion(),
+	DaemonVersion: "0.14.1",
+	ManagementState: managementStateOutput{
+		URL:       "my-awesome-management.com:443",
+		Connected: true,
+		Error:     "",
+	},
+	SignalState: signalStateOutput{
+		URL:       "my-awesome-signal.com:443",
+		Connected: true,
+		Error:     "",
+	},
+	Relays: relayStateOutput{
+		Total:     2,
+		Available: 1,
+		Details: []relayStateOutputDetail{
+			{
+				URI:       "stun:my-awesome-stun.com:3478",
+				Available: true,
+				Error:     "",
+			},
+			{
+				URI:       "turns:my-awesome-turn.com:443?transport=tcp",
+				Available: false,
+				Error:     "context: deadline exceeded",
+			},
+		},
+	},
+	IP:              "192.168.178.100/16",
+	PubKey:          "Some-Pub-Key",
+	KernelInterface: true,
+	FQDN:            "some-localhost.awesome-domain.com",
+	NSServerGroups: []nsServerGroupStateOutput{
+		{
+			Servers: []string{
+				"8.8.8.8:53",
+			},
+			Domains: nil,
+			Enabled: true,
+			Error:   "",
+		},
+		{
+			Servers: []string{
+				"1.1.1.1:53",
+				"2.2.2.2:53",
+			},
+			Domains: []string{
+				"example.com",
+				"example.net",
+			},
+			Enabled: false,
+			Error:   "timeout",
+		},
+	},
+	Routes: []string{
+		"10.10.0.0/24",
+	},
+}
+
+func TestConversionFromFullStatusToOutputOverview(t *testing.T) {
+	convertedResult := convertToStatusOutputOverview(resp)
+
+	assert.Equal(t, overview, convertedResult)
+}
+
+func TestSortingOfPeers(t *testing.T) {
+	peers := []peerStateDetailOutput{
+		{
+			IP: "192.168.178.104",
+		},
+		{
+			IP: "192.168.178.102",
+		},
+		{
+			IP: "192.168.178.101",
+		},
+		{
+			IP: "192.168.178.105",
+		},
+		{
+			IP: "192.168.178.103",
+		},
+	}
+
+	sortPeersByIP(peers)
+
+	assert.Equal(t, peers[3].IP, "192.168.178.104")
+}
+
+func TestParsingToJSON(t *testing.T) {
+	jsonString, _ := parseToJSON(overview)
+
+	//@formatter:off
+	expectedJSONString := `
+        {
+          "peers": {
+            "total": 2,
+            "connected": 2,
+            "details": [
+              {
+                "fqdn": "peer-1.awesome-domain.com",
+                "netbirdIp": "192.168.178.101",
+                "publicKey": "Pubkey1",
+                "status": "Connected",
+                "lastStatusUpdate": "2001-01-01T01:01:01Z",
+                "connectionType": "P2P",
+                "iceCandidateType": {
+                  "local": "",
+                  "remote": ""
+                },
+                "iceCandidateEndpoint": {
+                  "local": "",
+                  "remote": ""
+                },
+				"relayAddress": "",
+                "lastWireguardHandshake": "2001-01-01T01:01:02Z",
+                "transferReceived": 200,
+                "transferSent": 100,
+				"latency": 10000000,
+                "quantumResistance": false,
+                "routes": [
+                  "10.1.0.0/24"
+                ]
+              },
+              {
+                "fqdn": "peer-2.awesome-domain.com",
+                "netbirdIp": "192.168.178.102",
+                "publicKey": "Pubkey2",
+                "status": "Connected",
+                "lastStatusUpdate": "2002-02-02T02:02:02Z",
+                "connectionType": "Relayed",
+                "iceCandidateType": {
+                  "local": "relay",
+                  "remote": "prflx"
+                },
+                "iceCandidateEndpoint": {
+                  "local": "10.0.0.1:10001",
+                  "remote": "10.0.10.1:10002"
+                },
+				"relayAddress": "",
+                "lastWireguardHandshake": "2002-02-02T02:02:03Z",
+                "transferReceived": 2000,
+                "transferSent": 1000,
+				"latency": 10000000,
+                "quantumResistance": false,
+                "routes": null
+              }
+            ]
+          },
+          "cliVersion": "development",
+          "daemonVersion": "0.14.1",
+          "management": {
+            "url": "my-awesome-management.com:443",
+            "connected": true,
+            "error": ""
+          },
+          "signal": {
+            "url": "my-awesome-signal.com:443",
+            "connected": true,
+            "error": ""
+          },
+          "relays": {
+            "total": 2,
+            "available": 1,
+            "details": [
+              {
+                "uri": "stun:my-awesome-stun.com:3478",
+                "available": true,
+                "error": ""
+              },
+              {
+                "uri": "turns:my-awesome-turn.com:443?transport=tcp",
+                "available": false,
+                "error": "context: deadline exceeded"
+              }
+            ]
+          },
+          "netbirdIp": "192.168.178.100/16",
+          "publicKey": "Some-Pub-Key",
+          "usesKernelInterface": true,
+          "fqdn": "some-localhost.awesome-domain.com",
+          "quantumResistance": false,
+          "quantumResistancePermissive": false,
+          "routes": [
+            "10.10.0.0/24"
+          ],
+          "dnsServers": [
+            {
+              "servers": [
+                "8.8.8.8:53"
+              ],
+              "domains": null,
+              "enabled": true,
+              "error": ""
+            },
+            {
+              "servers": [
+                "1.1.1.1:53",
+                "2.2.2.2:53"
+              ],
+              "domains": [
+                "example.com",
+                "example.net"
+              ],
+              "enabled": false,
+              "error": "timeout"
+            }
+          ]
+        }`
+	// @formatter:on
+
+	var expectedJSON bytes.Buffer
+	require.NoError(t, json.Compact(&expectedJSON, []byte(expectedJSONString)))
+
+	assert.Equal(t, expectedJSON.String(), jsonString)
+}
+
+func TestParsingToYAML(t *testing.T) {
+	yaml, _ := parseToYAML(overview)
+
+	expectedYAML :=
+		`peers:
+    total: 2
+    connected: 2
+    details:
+        - fqdn: peer-1.awesome-domain.com
+          netbirdIp: 192.168.178.101
+          publicKey: Pubkey1
+          status: Connected
+          lastStatusUpdate: 2001-01-01T01:01:01Z
+          connectionType: P2P
+          iceCandidateType:
+            local: ""
+            remote: ""
+          iceCandidateEndpoint:
+            local: ""
+            remote: ""
+          relayAddress: ""
+          lastWireguardHandshake: 2001-01-01T01:01:02Z
+          transferReceived: 200
+          transferSent: 100
+          latency: 10ms
+          quantumResistance: false
+          routes:
+            - 10.1.0.0/24
+        - fqdn: peer-2.awesome-domain.com
+          netbirdIp: 192.168.178.102
+          publicKey: Pubkey2
+          status: Connected
+          lastStatusUpdate: 2002-02-02T02:02:02Z
+          connectionType: Relayed
+          iceCandidateType:
+            local: relay
+            remote: prflx
+          iceCandidateEndpoint:
+            local: 10.0.0.1:10001
+            remote: 10.0.10.1:10002
+          relayAddress: ""
+          lastWireguardHandshake: 2002-02-02T02:02:03Z
+          transferReceived: 2000
+          transferSent: 1000
+          latency: 10ms
+          quantumResistance: false
+          routes: []
+cliVersion: development
+daemonVersion: 0.14.1
+management:
+    url: my-awesome-management.com:443
+    connected: true
+    error: ""
+signal:
+    url: my-awesome-signal.com:443
+    connected: true
+    error: ""
+relays:
+    total: 2
+    available: 1
+    details:
+        - uri: stun:my-awesome-stun.com:3478
+          available: true
+          error: ""
+        - uri: turns:my-awesome-turn.com:443?transport=tcp
+          available: false
+          error: 'context: deadline exceeded'
+netbirdIp: 192.168.178.100/16
+publicKey: Some-Pub-Key
+usesKernelInterface: true
+fqdn: some-localhost.awesome-domain.com
+quantumResistance: false
+quantumResistancePermissive: false
+routes:
+    - 10.10.0.0/24
+dnsServers:
+    - servers:
+        - 8.8.8.8:53
+      domains: []
+      enabled: true
+      error: ""
+    - servers:
+        - 1.1.1.1:53
+        - 2.2.2.2:53
+      domains:
+        - example.com
+        - example.net
+      enabled: false
+      error: timeout
+`
+
+	assert.Equal(t, expectedYAML, yaml)
+}
+
+func TestParsingToDetail(t *testing.T) {
+	// Calculate time ago based on the fixture dates
+	lastConnectionUpdate1 := timeAgo(overview.Peers.Details[0].LastStatusUpdate)
+	lastHandshake1 := timeAgo(overview.Peers.Details[0].LastWireguardHandshake)
+	lastConnectionUpdate2 := timeAgo(overview.Peers.Details[1].LastStatusUpdate)
+	lastHandshake2 := timeAgo(overview.Peers.Details[1].LastWireguardHandshake)
+
+	detail := parseToFullDetailSummary(overview)
+
+	expectedDetail := fmt.Sprintf(
+		`Peers detail:
+ peer-1.awesome-domain.com:
+  NetBird IP: 192.168.178.101
+  Public key: Pubkey1
+  Status: Connected
+  -- detail --
+  Connection type: P2P
+  ICE candidate (Local/Remote): -/-
+  ICE candidate endpoints (Local/Remote): -/-
+  Relay server address: 
+  Last connection update: %s
+  Last WireGuard handshake: %s
+  Transfer status (received/sent) 200 B/100 B
+  Quantum resistance: false
+  Routes: 10.1.0.0/24
+  Latency: 10ms
+
+ peer-2.awesome-domain.com:
+  NetBird IP: 192.168.178.102
+  Public key: Pubkey2
+  Status: Connected
+  -- detail --
+  Connection type: Relayed
+  ICE candidate (Local/Remote): relay/prflx
+  ICE candidate endpoints (Local/Remote): 10.0.0.1:10001/10.0.10.1:10002
+  Relay server address: 
+  Last connection update: %s
+  Last WireGuard handshake: %s
+  Transfer status (received/sent) 2.0 KiB/1000 B
+  Quantum resistance: false
+  Routes: -
+  Latency: 10ms
+
+OS: %s/%s
+Daemon version: 0.14.1
+CLI version: %s
+Management: Connected to my-awesome-management.com:443
+Signal: Connected to my-awesome-signal.com:443
+Relays: 
+  [stun:my-awesome-stun.com:3478] is Available
+  [turns:my-awesome-turn.com:443?transport=tcp] is Unavailable, reason: context: deadline exceeded
+Nameservers: 
+  [8.8.8.8:53] for [.] is Available
+  [1.1.1.1:53, 2.2.2.2:53] for [example.com, example.net] is Unavailable, reason: timeout
+FQDN: some-localhost.awesome-domain.com
+NetBird IP: 192.168.178.100/16
+Interface type: Kernel
+Quantum resistance: false
+Routes: 10.10.0.0/24
+Peers count: 2/2 Connected
+`, lastConnectionUpdate1, lastHandshake1, lastConnectionUpdate2, lastHandshake2, runtime.GOOS, runtime.GOARCH, overview.CliVersion)
+
+	assert.Equal(t, expectedDetail, detail)
+}
+
+func TestParsingToShortVersion(t *testing.T) {
+	shortVersion := parseGeneralSummary(overview, false, false, false)
+
+	expectedString := fmt.Sprintf("OS: %s/%s", runtime.GOOS, runtime.GOARCH) + `
+Daemon version: 0.14.1
+CLI version: development
+Management: Connected
+Signal: Connected
+Relays: 1/2 Available
+Nameservers: 1/2 Available
+FQDN: some-localhost.awesome-domain.com
+NetBird IP: 192.168.178.100/16
+Interface type: Kernel
+Quantum resistance: false
+Routes: 10.10.0.0/24
+Peers count: 2/2 Connected
+`
+
+	assert.Equal(t, expectedString, shortVersion)
+}
+
 func TestParsingOfIP(t *testing.T) {
 	InterfaceIP := "192.168.178.123/16"
 
@@ -13,3 +577,31 @@ func TestParsingOfIP(t *testing.T) {
 
 	assert.Equal(t, "192.168.178.123\n", parsedIP)
 }
+
+func TestTimeAgo(t *testing.T) {
+	now := time.Now()
+
+	cases := []struct {
+		name     string
+		input    time.Time
+		expected string
+	}{
+		{"Now", now, "Now"},
+		{"Seconds ago", now.Add(-10 * time.Second), "10 seconds ago"},
+		{"One minute ago", now.Add(-1 * time.Minute), "1 minute ago"},
+		{"Minutes and seconds ago", now.Add(-(1*time.Minute + 30*time.Second)), "1 minute, 30 seconds ago"},
+		{"One hour ago", now.Add(-1 * time.Hour), "1 hour ago"},
+		{"Hours and minutes ago", now.Add(-(2*time.Hour + 15*time.Minute)), "2 hours, 15 minutes ago"},
+		{"One day ago", now.Add(-24 * time.Hour), "1 day ago"},
+		{"Multiple days ago", now.Add(-(72*time.Hour + 20*time.Minute)), "3 days ago"},
+		{"Zero time", time.Time{}, "-"},
+		{"Unix zero time", time.Unix(0, 0), "-"},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			result := timeAgo(tc.input)
+			assert.Equal(t, tc.expected, result, "Failed %s", tc.name)
+		})
+	}
+}

client/cmd/system.go

@@ -1,31 +0,0 @@
-package cmd
-
-// Flag constants for system configuration
-const (
-	disableClientRoutesFlag = "disable-client-routes"
-	disableServerRoutesFlag = "disable-server-routes"
-	disableDNSFlag          = "disable-dns"
-	disableFirewallFlag     = "disable-firewall"
-)
-
-var (
-	disableClientRoutes bool
-	disableServerRoutes bool
-	disableDNS          bool
-	disableFirewall     bool
-)
-
-func init() {
-	// Add system flags to upCmd
-	upCmd.PersistentFlags().BoolVar(&disableClientRoutes, disableClientRoutesFlag, false,
-		"Disable client routes. If enabled, the client won't process client routes received from the management service.")
-
-	upCmd.PersistentFlags().BoolVar(&disableServerRoutes, disableServerRoutesFlag, false,
-		"Disable server routes. If enabled, the client won't act as a router for server routes received from the management service.")
-
-	upCmd.PersistentFlags().BoolVar(&disableDNS, disableDNSFlag, false,
-		"Disable DNS. If enabled, the client won't configure DNS settings.")
-
-	upCmd.PersistentFlags().BoolVar(&disableFirewall, disableFirewallFlag, false,
-		"Disable firewall configuration. If enabled, the client won't modify firewall rules.")
-}

client/cmd/testutil_test.go

@@ -6,17 +6,11 @@ import (
 	"testing"
 	"time"
 
-	"github.com/golang/mock/gomock"
 	"github.com/stretchr/testify/require"
 	"go.opentelemetry.io/otel"
 
 	"github.com/netbirdio/netbird/management/server/activity"
-	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
-	"github.com/netbirdio/netbird/management/server/permissions"
-	"github.com/netbirdio/netbird/management/server/settings"
-	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/management/server/telemetry"
-	"github.com/netbirdio/netbird/management/server/types"
 
 	"github.com/netbirdio/netbird/util"
 
@@ -34,7 +28,7 @@ import (
 
 func startTestingServices(t *testing.T) string {
 	t.Helper()
-	config := &types.Config{}
+	config := &mgmt.Config{}
 	_, err := util.ReadJson("../testdata/management.json", config)
 	if err != nil {
 		t.Fatal(err)
@@ -69,7 +63,7 @@ func startSignal(t *testing.T) (*grpc.Server, net.Listener) {
 	return s, lis
 }
 
-func startManagement(t *testing.T, config *types.Config, testFile string) (*grpc.Server, net.Listener) {
+func startManagement(t *testing.T, config *mgmt.Config, testFile string) (*grpc.Server, net.Listener) {
 	t.Helper()
 
 	lis, err := net.Listen("tcp", ":0")
@@ -77,7 +71,7 @@ func startManagement(t *testing.T, config *types.Config, testFile string) (*grpc
 		t.Fatal(err)
 	}
 	s := grpc.NewServer()
-	store, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), testFile, t.TempDir())
+	store, cleanUp, err := mgmt.NewTestStoreFromSQL(context.Background(), testFile, t.TempDir())
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -92,24 +86,14 @@ func startManagement(t *testing.T, config *types.Config, testFile string) (*grpc
 
 	metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
 	require.NoError(t, err)
-	ctrl := gomock.NewController(t)
-	t.Cleanup(ctrl.Finish)
 
-	settingsMockManager := settings.NewMockManager(ctrl)
-	permissionsManagerMock := permissions.NewMockManager(ctrl)
-
-	settingsMockManager.EXPECT().
-		GetSettings(gomock.Any(), gomock.Any(), gomock.Any()).
-		Return(&types.Settings{}, nil).
-		AnyTimes()
-
-	accountManager, err := mgmt.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, iv, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock)
+	accountManager, err := mgmt.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, iv, metrics)
 	if err != nil {
 		t.Fatal(err)
 	}
 
-	secretsManager := mgmt.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsMockManager)
-	mgmtServer, err := mgmt.NewServer(context.Background(), config, accountManager, settingsMockManager, peersUpdateManager, secretsManager, nil, nil, nil)
+	secretsManager := mgmt.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay)
+	mgmtServer, err := mgmt.NewServer(context.Background(), config, accountManager, peersUpdateManager, secretsManager, nil, nil)
 	if err != nil {
 		t.Fatal(err)
 	}

client/cmd/trace.go

@@ -1,137 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-	"math/rand"
-	"strings"
-
-	"github.com/spf13/cobra"
-	"google.golang.org/grpc/status"
-
-	"github.com/netbirdio/netbird/client/proto"
-)
-
-var traceCmd = &cobra.Command{
-	Use:   "trace <direction> <source-ip> <dest-ip>",
-	Short: "Trace a packet through the firewall",
-	Example: `
-  netbird debug trace in 192.168.1.10 10.10.0.2 -p tcp --sport 12345 --dport 443 --syn --ack
-  netbird debug trace out 10.10.0.1 8.8.8.8 -p udp  --dport 53
-  netbird debug trace in 10.10.0.2 10.10.0.1 -p icmp --type 8 --code 0
-  netbird debug trace in 100.64.1.1 self -p tcp --dport 80`,
-	Args: cobra.ExactArgs(3),
-	RunE: tracePacket,
-}
-
-func init() {
-	debugCmd.AddCommand(traceCmd)
-
-	traceCmd.Flags().StringP("protocol", "p", "tcp", "Protocol (tcp/udp/icmp)")
-	traceCmd.Flags().Uint16("sport", 0, "Source port")
-	traceCmd.Flags().Uint16("dport", 0, "Destination port")
-	traceCmd.Flags().Uint8("icmp-type", 0, "ICMP type")
-	traceCmd.Flags().Uint8("icmp-code", 0, "ICMP code")
-	traceCmd.Flags().Bool("syn", false, "TCP SYN flag")
-	traceCmd.Flags().Bool("ack", false, "TCP ACK flag")
-	traceCmd.Flags().Bool("fin", false, "TCP FIN flag")
-	traceCmd.Flags().Bool("rst", false, "TCP RST flag")
-	traceCmd.Flags().Bool("psh", false, "TCP PSH flag")
-	traceCmd.Flags().Bool("urg", false, "TCP URG flag")
-}
-
-func tracePacket(cmd *cobra.Command, args []string) error {
-	direction := strings.ToLower(args[0])
-	if direction != "in" && direction != "out" {
-		return fmt.Errorf("invalid direction: use 'in' or 'out'")
-	}
-
-	protocol := cmd.Flag("protocol").Value.String()
-	if protocol != "tcp" && protocol != "udp" && protocol != "icmp" {
-		return fmt.Errorf("invalid protocol: use tcp/udp/icmp")
-	}
-
-	sport, err := cmd.Flags().GetUint16("sport")
-	if err != nil {
-		return fmt.Errorf("invalid source port: %v", err)
-	}
-	dport, err := cmd.Flags().GetUint16("dport")
-	if err != nil {
-		return fmt.Errorf("invalid destination port: %v", err)
-	}
-
-	// For TCP/UDP, generate random ephemeral port (49152-65535) if not specified
-	if protocol != "icmp" {
-		if sport == 0 {
-			sport = uint16(rand.Intn(16383) + 49152)
-		}
-		if dport == 0 {
-			dport = uint16(rand.Intn(16383) + 49152)
-		}
-	}
-
-	var tcpFlags *proto.TCPFlags
-	if protocol == "tcp" {
-		syn, _ := cmd.Flags().GetBool("syn")
-		ack, _ := cmd.Flags().GetBool("ack")
-		fin, _ := cmd.Flags().GetBool("fin")
-		rst, _ := cmd.Flags().GetBool("rst")
-		psh, _ := cmd.Flags().GetBool("psh")
-		urg, _ := cmd.Flags().GetBool("urg")
-
-		tcpFlags = &proto.TCPFlags{
-			Syn: syn,
-			Ack: ack,
-			Fin: fin,
-			Rst: rst,
-			Psh: psh,
-			Urg: urg,
-		}
-	}
-
-	icmpType, _ := cmd.Flags().GetUint32("icmp-type")
-	icmpCode, _ := cmd.Flags().GetUint32("icmp-code")
-
-	conn, err := getClient(cmd)
-	if err != nil {
-		return err
-	}
-	defer conn.Close()
-
-	client := proto.NewDaemonServiceClient(conn)
-	resp, err := client.TracePacket(cmd.Context(), &proto.TracePacketRequest{
-		SourceIp:        args[1],
-		DestinationIp:   args[2],
-		Protocol:        protocol,
-		SourcePort:      uint32(sport),
-		DestinationPort: uint32(dport),
-		Direction:       direction,
-		TcpFlags:        tcpFlags,
-		IcmpType:        &icmpType,
-		IcmpCode:        &icmpCode,
-	})
-	if err != nil {
-		return fmt.Errorf("trace failed: %v", status.Convert(err).Message())
-	}
-
-	printTrace(cmd, args[1], args[2], protocol, sport, dport, resp)
-	return nil
-}
-
-func printTrace(cmd *cobra.Command, src, dst, proto string, sport, dport uint16, resp *proto.TracePacketResponse) {
-	cmd.Printf("Packet trace %s:%d -> %s:%d (%s)\n\n", src, sport, dst, dport, strings.ToUpper(proto))
-
-	for _, stage := range resp.Stages {
-		if stage.ForwardingDetails != nil {
-			cmd.Printf("%s: %s [%s]\n", stage.Name, stage.Message, *stage.ForwardingDetails)
-		} else {
-			cmd.Printf("%s: %s\n", stage.Name, stage.Message)
-		}
-	}
-
-	disposition := map[bool]string{
-		true:  "\033[32mALLOWED\033[0m", // Green
-		false: "\033[31mDENIED\033[0m",  // Red
-	}[resp.FinalDisposition]
-
-	cmd.Printf("\nFinal disposition: %s\n", disposition)
-}

client/cmd/up.go

@@ -20,7 +20,6 @@ import (
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/client/system"
-	"github.com/netbirdio/netbird/management/domain"
 	"github.com/netbirdio/netbird/util"
 )
 
@@ -30,20 +29,9 @@ const (
 	interfaceInputType
 )
 
-const (
-	dnsLabelsFlag = "extra-dns-labels"
-
-	noBrowserFlag = "no-browser"
-	noBrowserDesc = "do not open the browser for SSO login"
-)
-
 var (
-	foregroundMode     bool
-	dnsLabels          []string
-	dnsLabelsValidated domain.List
-	noBrowser          bool
-
-	upCmd = &cobra.Command{
+	foregroundMode bool
+	upCmd          = &cobra.Command{
 		Use:   "up",
 		Short: "install, login and start Netbird client",
 		RunE:  upFunc,
@@ -60,18 +48,6 @@ func init() {
 	)
 	upCmd.PersistentFlags().StringSliceVar(&extraIFaceBlackList, extraIFaceBlackListFlag, nil, "Extra list of default interfaces to ignore for listening")
 	upCmd.PersistentFlags().DurationVar(&dnsRouteInterval, dnsRouteIntervalFlag, time.Minute, "DNS route update interval")
-	upCmd.PersistentFlags().BoolVar(&blockLANAccess, blockLANAccessFlag, false, "Block access to local networks (LAN) when using this peer as a router or exit node")
-
-	upCmd.PersistentFlags().StringSliceVar(&dnsLabels, dnsLabelsFlag, nil,
-		`Sets DNS labels`+
-			`You can specify a comma-separated list of up to 32 labels. `+
-			`An empty string "" clears the previous configuration. `+
-			`E.g. --extra-dns-labels vpc1 or --extra-dns-labels vpc1,mgmt1 `+
-			`or --extra-dns-labels ""`,
-	)
-
-	upCmd.PersistentFlags().BoolVar(&noBrowser, noBrowserFlag, false, noBrowserDesc)
-
 }
 
 func upFunc(cmd *cobra.Command, args []string) error {
@@ -90,11 +66,6 @@ func upFunc(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	dnsLabelsValidated, err = validateDnsLabels(dnsLabels)
-	if err != nil {
-		return err
-	}
-
 	ctx := internal.CtxInitState(cmd.Context())
 
 	if hostName != "" {
@@ -126,7 +97,6 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command) error {
 		NATExternalIPs:      natExternalIPs,
 		CustomDNSAddress:    customDNSAddressConverted,
 		ExtraIFaceBlackList: extraIFaceBlackList,
-		DNSLabels:           dnsLabelsValidated,
 	}
 
 	if cmd.Flag(enableRosenpassFlag).Changed {
@@ -177,23 +147,6 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command) error {
 		ic.DNSRouteInterval = &dnsRouteInterval
 	}
 
-	if cmd.Flag(disableClientRoutesFlag).Changed {
-		ic.DisableClientRoutes = &disableClientRoutes
-	}
-	if cmd.Flag(disableServerRoutesFlag).Changed {
-		ic.DisableServerRoutes = &disableServerRoutes
-	}
-	if cmd.Flag(disableDNSFlag).Changed {
-		ic.DisableDNS = &disableDNS
-	}
-	if cmd.Flag(disableFirewallFlag).Changed {
-		ic.DisableFirewall = &disableFirewall
-	}
-
-	if cmd.Flag(blockLANAccessFlag).Changed {
-		ic.BlockLANAccess = &blockLANAccess
-	}
-
 	providedSetupKey, err := getSetupKey()
 	if err != nil {
 		return err
@@ -219,9 +172,7 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command) error {
 	r.GetFullStatus()
 
 	connectClient := internal.NewConnectClient(ctx, config, r)
-	SetupDebugHandler(ctx, config, r, connectClient, "")
-
-	return connectClient.Run(nil)
+	return connectClient.Run()
 }
 
 func runInDaemonMode(ctx context.Context, cmd *cobra.Command) error {
@@ -271,8 +222,6 @@ func runInDaemonMode(ctx context.Context, cmd *cobra.Command) error {
 		IsLinuxDesktopClient: isLinuxRunningDesktop(),
 		Hostname:             hostName,
 		ExtraIFaceBlacklist:  extraIFaceBlackList,
-		DnsLabels:            dnsLabels,
-		CleanDNSLabels:       dnsLabels != nil && len(dnsLabels) == 0,
 	}
 
 	if rootCmd.PersistentFlags().Changed(preSharedKeyFlag) {
@@ -315,23 +264,6 @@ func runInDaemonMode(ctx context.Context, cmd *cobra.Command) error {
 		loginRequest.DnsRouteInterval = durationpb.New(dnsRouteInterval)
 	}
 
-	if cmd.Flag(disableClientRoutesFlag).Changed {
-		loginRequest.DisableClientRoutes = &disableClientRoutes
-	}
-	if cmd.Flag(disableServerRoutesFlag).Changed {
-		loginRequest.DisableServerRoutes = &disableServerRoutes
-	}
-	if cmd.Flag(disableDNSFlag).Changed {
-		loginRequest.DisableDns = &disableDNS
-	}
-	if cmd.Flag(disableFirewallFlag).Changed {
-		loginRequest.DisableFirewall = &disableFirewall
-	}
-
-	if cmd.Flag(blockLANAccessFlag).Changed {
-		loginRequest.BlockLanAccess = &blockLANAccess
-	}
-
 	var loginErr error
 
 	var loginResp *proto.LoginResponse
@@ -358,7 +290,7 @@ func runInDaemonMode(ctx context.Context, cmd *cobra.Command) error {
 
 	if loginResp.NeedsSSOLogin {
 
-		openURL(cmd, loginResp.VerificationURIComplete, loginResp.UserCode, noBrowser)
+		openURL(cmd, loginResp.VerificationURIComplete, loginResp.UserCode)
 
 		_, err = client.WaitSSOLogin(ctx, &proto.WaitSSOLoginRequest{UserCode: loginResp.UserCode, Hostname: hostName})
 		if err != nil {
@@ -463,24 +395,6 @@ func parseCustomDNSAddress(modified bool) ([]byte, error) {
 	return parsed, nil
 }
 
-func validateDnsLabels(labels []string) (domain.List, error) {
-	var (
-		domains domain.List
-		err     error
-	)
-
-	if len(labels) == 0 {
-		return domains, nil
-	}
-
-	domains, err = domain.ValidateDomains(labels)
-	if err != nil {
-		return nil, fmt.Errorf("failed to validate dns labels: %v", err)
-	}
-
-	return domains, nil
-}
-
 func isValidAddrPort(input string) bool {
 	if input == "" {
 		return true

client/configs/configs.go

@@ -1,24 +0,0 @@
-package configs
-
-import (
-	"os"
-	"path/filepath"
-	"runtime"
-)
-
-var StateDir string
-
-func init() {
-	StateDir = os.Getenv("NB_STATE_DIR")
-	if StateDir != "" {
-		return
-	}
-	switch runtime.GOOS {
-	case "windows":
-		StateDir = filepath.Join(os.Getenv("PROGRAMDATA"), "Netbird")
-	case "darwin", "linux":
-		StateDir = "/var/lib/netbird"
-	case "freebsd", "openbsd", "netbsd", "dragonfly":
-		StateDir = "/var/db/netbird"
-	}
-}

client/embed/doc.go

@@ -1,167 +0,0 @@
-// Package embed provides a way to embed the NetBird client directly
-// into Go programs without requiring a separate NetBird client installation.
-package embed
-
-// Basic Usage:
-//
-//	client, err := embed.New(embed.Options{
-//	    DeviceName:    "my-service",
-//	    SetupKey:      os.Getenv("NB_SETUP_KEY"),
-//	    ManagementURL: os.Getenv("NB_MANAGEMENT_URL"),
-//	})
-//	if err != nil {
-//	    log.Fatal(err)
-//	}
-//
-//	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
-//	defer cancel()
-//	if err := client.Start(ctx); err != nil {
-//	    log.Fatal(err)
-//	}
-//
-// Complete HTTP Server Example:
-//
-//	package main
-//
-//	import (
-//	    "context"
-//	    "fmt"
-//	    "log"
-//	    "net/http"
-//	    "os"
-//	    "os/signal"
-//	    "syscall"
-//	    "time"
-//
-//	    netbird "github.com/netbirdio/netbird/client/embed"
-//	)
-//
-//	func main() {
-//	    // Create client with setup key and device name
-//	    client, err := netbird.New(netbird.Options{
-//	        DeviceName:    "http-server",
-//	        SetupKey:      os.Getenv("NB_SETUP_KEY"),
-//	        ManagementURL: os.Getenv("NB_MANAGEMENT_URL"),
-//	        LogOutput:     io.Discard,
-//	    })
-//	    if err != nil {
-//	        log.Fatal(err)
-//	    }
-//
-//	    // Start with timeout
-//	    ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
-//	    defer cancel()
-//	    if err := client.Start(ctx); err != nil {
-//	        log.Fatal(err)
-//	    }
-//
-//	    // Create HTTP server
-//	    mux := http.NewServeMux()
-//	    mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
-//	        fmt.Printf("Request from %s: %s %s\n", r.RemoteAddr, r.Method, r.URL.Path)
-//	        fmt.Fprintf(w, "Hello from netbird!")
-//	    })
-//
-//	    // Listen on netbird network
-//	    l, err := client.ListenTCP(":8080")
-//	    if err != nil {
-//	        log.Fatal(err)
-//	    }
-//
-//	    server := &http.Server{Handler: mux}
-//	    go func() {
-//	        if err := server.Serve(l); !errors.Is(err, http.ErrServerClosed) {
-//	            log.Printf("HTTP server error: %v", err)
-//	        }
-//	    }()
-//
-//	    log.Printf("HTTP server listening on netbird network port 8080")
-//
-//	    // Handle shutdown
-//	    stop := make(chan os.Signal, 1)
-//	    signal.Notify(stop, syscall.SIGINT, syscall.SIGTERM)
-//	    <-stop
-//
-//	    shutdownCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-//	    defer cancel()
-//
-//	    if err := server.Shutdown(shutdownCtx); err != nil {
-//	        log.Printf("HTTP shutdown error: %v", err)
-//	    }
-//	    if err := client.Stop(shutdownCtx); err != nil {
-//	        log.Printf("Netbird shutdown error: %v", err)
-//	    }
-//	}
-//
-// Complete HTTP Client Example:
-//
-//	package main
-//
-//	import (
-//	    "context"
-//	    "fmt"
-//	    "io"
-//	    "log"
-//	    "os"
-//	    "time"
-//
-//	    netbird "github.com/netbirdio/netbird/client/embed"
-//	)
-//
-//	func main() {
-//	    // Create client with setup key and device name
-//	    client, err := netbird.New(netbird.Options{
-//	        DeviceName:    "http-client",
-//	        SetupKey:      os.Getenv("NB_SETUP_KEY"),
-//	        ManagementURL: os.Getenv("NB_MANAGEMENT_URL"),
-//	        LogOutput:     io.Discard,
-//	    })
-//	    if err != nil {
-//	        log.Fatal(err)
-//	    }
-//
-//	    // Start with timeout
-//	    ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
-//	    defer cancel()
-//
-//	    if err := client.Start(ctx); err != nil {
-//	        log.Fatal(err)
-//	    }
-//
-//	    // Create HTTP client that uses netbird network
-//	    httpClient := client.NewHTTPClient()
-//	    httpClient.Timeout = 10 * time.Second
-//
-//	    // Make request to server in netbird network
-//	    target := os.Getenv("NB_TARGET")
-//	    resp, err := httpClient.Get(target)
-//	    if err != nil {
-//	        log.Fatal(err)
-//	    }
-//	    defer resp.Body.Close()
-//
-//	    // Read and print response
-//	    body, err := io.ReadAll(resp.Body)
-//	    if err != nil {
-//	        log.Fatal(err)
-//	    }
-//
-//	    fmt.Printf("Response from server: %s\n", string(body))
-//
-//	    // Clean shutdown
-//	    shutdownCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-//	    defer cancel()
-//
-//	    if err := client.Stop(shutdownCtx); err != nil {
-//	        log.Printf("Netbird shutdown error: %v", err)
-//	    }
-//	}
-//
-// The package provides several methods for network operations:
-//   - Dial: Creates outbound connections
-//   - ListenTCP: Creates TCP listeners
-//   - ListenUDP: Creates UDP listeners
-//
-// By default, the embed package uses userspace networking mode, which doesn't
-// require root/admin privileges. For production deployments, consider setting
-// appropriate config and state paths for persistence.

client/embed/embed.go

@@ -1,293 +0,0 @@
-package embed
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"io"
-	"net"
-	"net/http"
-	"net/netip"
-	"os"
-	"sync"
-
-	"github.com/sirupsen/logrus"
-	wgnetstack "golang.zx2c4.com/wireguard/tun/netstack"
-
-	"github.com/netbirdio/netbird/client/iface/netstack"
-	"github.com/netbirdio/netbird/client/internal"
-	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/client/system"
-)
-
-var ErrClientAlreadyStarted = errors.New("client already started")
-var ErrClientNotStarted = errors.New("client not started")
-
-// Client manages a netbird embedded client instance
-type Client struct {
-	deviceName string
-	config     *internal.Config
-	mu         sync.Mutex
-	cancel     context.CancelFunc
-	setupKey   string
-	connect    *internal.ConnectClient
-}
-
-// Options configures a new Client
-type Options struct {
-	// DeviceName is this peer's name in the network
-	DeviceName string
-	// SetupKey is used for authentication
-	SetupKey string
-	// ManagementURL overrides the default management server URL
-	ManagementURL string
-	// PreSharedKey is the pre-shared key for the WireGuard interface
-	PreSharedKey string
-	// LogOutput is the output destination for logs (defaults to os.Stderr if nil)
-	LogOutput io.Writer
-	// LogLevel sets the logging level (defaults to info if empty)
-	LogLevel string
-	// NoUserspace disables the userspace networking mode. Needs admin/root privileges
-	NoUserspace bool
-	// ConfigPath is the path to the netbird config file. If empty, the config will be stored in memory and not persisted.
-	ConfigPath string
-	// StatePath is the path to the netbird state file
-	StatePath string
-	// DisableClientRoutes disables the client routes
-	DisableClientRoutes bool
-}
-
-// New creates a new netbird embedded client
-func New(opts Options) (*Client, error) {
-	if opts.LogOutput != nil {
-		logrus.SetOutput(opts.LogOutput)
-	}
-
-	if opts.LogLevel != "" {
-		level, err := logrus.ParseLevel(opts.LogLevel)
-		if err != nil {
-			return nil, fmt.Errorf("parse log level: %w", err)
-		}
-		logrus.SetLevel(level)
-	}
-
-	if !opts.NoUserspace {
-		if err := os.Setenv(netstack.EnvUseNetstackMode, "true"); err != nil {
-			return nil, fmt.Errorf("setenv: %w", err)
-		}
-		if err := os.Setenv(netstack.EnvSkipProxy, "true"); err != nil {
-			return nil, fmt.Errorf("setenv: %w", err)
-		}
-	}
-
-	if opts.StatePath != "" {
-		// TODO: Disable state if path not provided
-		if err := os.Setenv("NB_DNS_STATE_FILE", opts.StatePath); err != nil {
-			return nil, fmt.Errorf("setenv: %w", err)
-		}
-	}
-
-	t := true
-	var config *internal.Config
-	var err error
-	input := internal.ConfigInput{
-		ConfigPath:          opts.ConfigPath,
-		ManagementURL:       opts.ManagementURL,
-		PreSharedKey:        &opts.PreSharedKey,
-		DisableServerRoutes: &t,
-		DisableClientRoutes: &opts.DisableClientRoutes,
-	}
-	if opts.ConfigPath != "" {
-		config, err = internal.UpdateOrCreateConfig(input)
-	} else {
-		config, err = internal.CreateInMemoryConfig(input)
-	}
-	if err != nil {
-		return nil, fmt.Errorf("create config: %w", err)
-	}
-
-	return &Client{
-		deviceName: opts.DeviceName,
-		setupKey:   opts.SetupKey,
-		config:     config,
-	}, nil
-}
-
-// Start begins client operation and blocks until the engine has been started successfully or a startup error occurs.
-// Pass a context with a deadline to limit the time spent waiting for the engine to start.
-func (c *Client) Start(startCtx context.Context) error {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	if c.cancel != nil {
-		return ErrClientAlreadyStarted
-	}
-
-	ctx := internal.CtxInitState(context.Background())
-	// nolint:staticcheck
-	ctx = context.WithValue(ctx, system.DeviceNameCtxKey, c.deviceName)
-	if err := internal.Login(ctx, c.config, c.setupKey, ""); err != nil {
-		return fmt.Errorf("login: %w", err)
-	}
-
-	recorder := peer.NewRecorder(c.config.ManagementURL.String())
-	client := internal.NewConnectClient(ctx, c.config, recorder)
-
-	// either startup error (permanent backoff err) or nil err (successful engine up)
-	// TODO: make after-startup backoff err available
-	run := make(chan struct{}, 1)
-	clientErr := make(chan error, 1)
-	go func() {
-		if err := client.Run(run); err != nil {
-			clientErr <- err
-		}
-	}()
-
-	select {
-	case <-startCtx.Done():
-		if stopErr := client.Stop(); stopErr != nil {
-			return fmt.Errorf("stop error after context done. Stop error: %w. Context done: %w", stopErr, startCtx.Err())
-		}
-		return startCtx.Err()
-	case err := <-clientErr:
-		return fmt.Errorf("startup: %w", err)
-	case <-run:
-	}
-
-	c.connect = client
-
-	return nil
-}
-
-// Stop gracefully stops the client.
-// Pass a context with a deadline to limit the time spent waiting for the engine to stop.
-func (c *Client) Stop(ctx context.Context) error {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-
-	if c.connect == nil {
-		return ErrClientNotStarted
-	}
-
-	done := make(chan error, 1)
-	go func() {
-		done <- c.connect.Stop()
-	}()
-
-	select {
-	case <-ctx.Done():
-		c.cancel = nil
-		return ctx.Err()
-	case err := <-done:
-		c.cancel = nil
-		if err != nil {
-			return fmt.Errorf("stop: %w", err)
-		}
-		return nil
-	}
-}
-
-// Dial dials a network address in the netbird network.
-// Not applicable if the userspace networking mode is disabled.
-func (c *Client) Dial(ctx context.Context, network, address string) (net.Conn, error) {
-	c.mu.Lock()
-	connect := c.connect
-	if connect == nil {
-		c.mu.Unlock()
-		return nil, ErrClientNotStarted
-	}
-	c.mu.Unlock()
-
-	engine := connect.Engine()
-	if engine == nil {
-		return nil, errors.New("engine not started")
-	}
-
-	nsnet, err := engine.GetNet()
-	if err != nil {
-		return nil, fmt.Errorf("get net: %w", err)
-	}
-
-	return nsnet.DialContext(ctx, network, address)
-}
-
-// ListenTCP listens on the given address in the netbird network
-// Not applicable if the userspace networking mode is disabled.
-func (c *Client) ListenTCP(address string) (net.Listener, error) {
-	nsnet, addr, err := c.getNet()
-	if err != nil {
-		return nil, err
-	}
-
-	_, port, err := net.SplitHostPort(address)
-	if err != nil {
-		return nil, fmt.Errorf("split host port: %w", err)
-	}
-	listenAddr := fmt.Sprintf("%s:%s", addr, port)
-
-	tcpAddr, err := net.ResolveTCPAddr("tcp", listenAddr)
-	if err != nil {
-		return nil, fmt.Errorf("resolve: %w", err)
-	}
-	return nsnet.ListenTCP(tcpAddr)
-}
-
-// ListenUDP listens on the given address in the netbird network
-// Not applicable if the userspace networking mode is disabled.
-func (c *Client) ListenUDP(address string) (net.PacketConn, error) {
-	nsnet, addr, err := c.getNet()
-	if err != nil {
-		return nil, err
-	}
-
-	_, port, err := net.SplitHostPort(address)
-	if err != nil {
-		return nil, fmt.Errorf("split host port: %w", err)
-	}
-	listenAddr := fmt.Sprintf("%s:%s", addr, port)
-
-	udpAddr, err := net.ResolveUDPAddr("udp", listenAddr)
-	if err != nil {
-		return nil, fmt.Errorf("resolve: %w", err)
-	}
-
-	return nsnet.ListenUDP(udpAddr)
-}
-
-// NewHTTPClient returns a configured http.Client that uses the netbird network for requests.
-// Not applicable if the userspace networking mode is disabled.
-func (c *Client) NewHTTPClient() *http.Client {
-	transport := &http.Transport{
-		DialContext: c.Dial,
-	}
-
-	return &http.Client{
-		Transport: transport,
-	}
-}
-
-func (c *Client) getNet() (*wgnetstack.Net, netip.Addr, error) {
-	c.mu.Lock()
-	connect := c.connect
-	if connect == nil {
-		c.mu.Unlock()
-		return nil, netip.Addr{}, errors.New("client not started")
-	}
-	c.mu.Unlock()
-
-	engine := connect.Engine()
-	if engine == nil {
-		return nil, netip.Addr{}, errors.New("engine not started")
-	}
-
-	addr, err := engine.Address()
-	if err != nil {
-		return nil, netip.Addr{}, fmt.Errorf("engine address: %w", err)
-	}
-
-	nsnet, err := engine.GetNet()
-	if err != nil {
-		return nil, netip.Addr{}, fmt.Errorf("get net: %w", err)
-	}
-
-	return nsnet, addr, nil
-}

client/firewall/create.go

@@ -10,18 +10,17 @@ import (
 
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter"
-	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )
 
 // NewFirewall creates a firewall manager instance
-func NewFirewall(iface IFaceMapper, _ *statemanager.Manager, flowLogger nftypes.FlowLogger, disableServerRoutes bool) (firewall.Manager, error) {
+func NewFirewall(iface IFaceMapper, _ *statemanager.Manager) (firewall.Manager, error) {
 	if !iface.IsUserspaceBind() {
 		return nil, fmt.Errorf("not implemented for this OS: %s", runtime.GOOS)
 	}
 
 	// use userspace packet filtering firewall
-	fm, err := uspfilter.Create(iface, disableServerRoutes, flowLogger)
+	fm, err := uspfilter.Create(iface)
 	if err != nil {
 		return nil, err
 	}

client/firewall/create_linux.go

@@ -15,7 +15,6 @@ import (
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	nbnftables "github.com/netbirdio/netbird/client/firewall/nftables"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter"
-	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )
 
@@ -34,12 +33,12 @@ const SKIP_NFTABLES_ENV = "NB_SKIP_NFTABLES_CHECK"
 // FWType is the type for the firewall type
 type FWType int
 
-func NewFirewall(iface IFaceMapper, stateManager *statemanager.Manager, flowLogger nftypes.FlowLogger, disableServerRoutes bool) (firewall.Manager, error) {
+func NewFirewall(iface IFaceMapper, stateManager *statemanager.Manager) (firewall.Manager, error) {
 	// on the linux system we try to user nftables or iptables
 	// in any case, because we need to allow netbird interface traffic
 	// so we use AllowNetbird traffic from these firewall managers
 	// for the userspace packet filtering firewall
-	fm, err := createNativeFirewall(iface, stateManager, disableServerRoutes)
+	fm, err := createNativeFirewall(iface, stateManager)
 
 	if !iface.IsUserspaceBind() {
 		return fm, err
@@ -48,10 +47,10 @@ func NewFirewall(iface IFaceMapper, stateManager *statemanager.Manager, flowLogg
 	if err != nil {
 		log.Warnf("failed to create native firewall: %v. Proceeding with userspace", err)
 	}
-	return createUserspaceFirewall(iface, fm, disableServerRoutes, flowLogger)
+	return createUserspaceFirewall(iface, fm)
 }
 
-func createNativeFirewall(iface IFaceMapper, stateManager *statemanager.Manager, routes bool) (firewall.Manager, error) {
+func createNativeFirewall(iface IFaceMapper, stateManager *statemanager.Manager) (firewall.Manager, error) {
 	fm, err := createFW(iface)
 	if err != nil {
 		return nil, fmt.Errorf("create firewall: %s", err)
@@ -78,12 +77,12 @@ func createFW(iface IFaceMapper) (firewall.Manager, error) {
 	}
 }
 
-func createUserspaceFirewall(iface IFaceMapper, fm firewall.Manager, disableServerRoutes bool, flowLogger nftypes.FlowLogger) (firewall.Manager, error) {
+func createUserspaceFirewall(iface IFaceMapper, fm firewall.Manager) (firewall.Manager, error) {
 	var errUsp error
 	if fm != nil {
-		fm, errUsp = uspfilter.CreateWithNativeFirewall(iface, fm, disableServerRoutes, flowLogger)
+		fm, errUsp = uspfilter.CreateWithNativeFirewall(iface, fm)
 	} else {
-		fm, errUsp = uspfilter.Create(iface, disableServerRoutes, flowLogger)
+		fm, errUsp = uspfilter.Create(iface)
 	}
 
 	if errUsp != nil {

client/firewall/iface.go

@@ -1,18 +1,13 @@
 package firewall
 
 import (
-	wgdevice "golang.zx2c4.com/wireguard/device"
-
 	"github.com/netbirdio/netbird/client/iface/device"
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 
 // IFaceMapper defines subset methods of interface required for manager
 type IFaceMapper interface {
 	Name() string
-	Address() wgaddr.Address
+	Address() device.WGAddress
 	IsUserspaceBind() bool
 	SetFilter(device.PacketFilter) error
-	GetDevice() *device.FilteredDevice
-	GetWGDevice() *wgdevice.Device
 }

client/firewall/iptables/acl_linux.go

@@ -3,7 +3,7 @@ package iptables
 import (
 	"fmt"
 	"net"
-	"slices"
+	"strconv"
 
 	"github.com/coreos/go-iptables/iptables"
 	"github.com/google/uuid"
@@ -19,7 +19,8 @@ const (
 	tableName = "filter"
 
 	// rules chains contains the effective ACL rules
-	chainNameInputRules = "NETBIRD-ACL-INPUT"
+	chainNameInputRules  = "NETBIRD-ACL-INPUT"
+	chainNameOutputRules = "NETBIRD-ACL-OUTPUT"
 )
 
 type aclEntries map[string][][]string
@@ -30,8 +31,10 @@ type entry struct {
 }
 
 type aclManager struct {
-	iptablesClient  *iptables.IPTables
-	wgIface         iFaceMapper
+	iptablesClient     *iptables.IPTables
+	wgIface            iFaceMapper
+	routingFwChainName string
+
 	entries         aclEntries
 	optionalEntries map[string][]entry
 	ipsetStore      *ipsetStore
@@ -39,10 +42,12 @@ type aclManager struct {
 	stateManager *statemanager.Manager
 }
 
-func newAclManager(iptablesClient *iptables.IPTables, wgIface iFaceMapper) (*aclManager, error) {
+func newAclManager(iptablesClient *iptables.IPTables, wgIface iFaceMapper, routingFwChainName string) (*aclManager, error) {
 	m := &aclManager{
-		iptablesClient:  iptablesClient,
-		wgIface:         wgIface,
+		iptablesClient:     iptablesClient,
+		wgIface:            wgIface,
+		routingFwChainName: routingFwChainName,
+
 		entries:         make(map[string][][]string),
 		optionalEntries: make(map[string][]entry),
 		ipsetStore:      newIpsetStore(),
@@ -75,27 +80,32 @@ func (m *aclManager) init(stateManager *statemanager.Manager) error {
 }
 
 func (m *aclManager) AddPeerFiltering(
-	id []byte,
 	ip net.IP,
 	protocol firewall.Protocol,
 	sPort *firewall.Port,
 	dPort *firewall.Port,
+	direction firewall.RuleDirection,
 	action firewall.Action,
 	ipsetName string,
 ) ([]firewall.Rule, error) {
-	chain := chainNameInputRules
+	var dPortVal, sPortVal string
+	if dPort != nil && dPort.Values != nil {
+		// TODO: we support only one port per rule in current implementation of ACLs
+		dPortVal = strconv.Itoa(dPort.Values[0])
+	}
+	if sPort != nil && sPort.Values != nil {
+		sPortVal = strconv.Itoa(sPort.Values[0])
+	}
 
-	ipsetName = transformIPsetName(ipsetName, sPort, dPort)
-	specs := filterRuleSpecs(ip, string(protocol), sPort, dPort, action, ipsetName)
+	var chain string
+	if direction == firewall.RuleDirectionOUT {
+		chain = chainNameOutputRules
+	} else {
+		chain = chainNameInputRules
+	}
 
-	mangleSpecs := slices.Clone(specs)
-	mangleSpecs = append(mangleSpecs,
-		"-i", m.wgIface.Name(),
-		"-m", "addrtype", "--dst-type", "LOCAL",
-		"-j", "MARK", "--set-xmark", fmt.Sprintf("%#x", nbnet.PreroutingFwmarkRedirected),
-	)
-
-	specs = append(specs, "-j", actionToStr(action))
+	ipsetName = transformIPsetName(ipsetName, sPortVal, dPortVal)
+	specs := filterRuleSpecs(ip, string(protocol), sPortVal, dPortVal, direction, action, ipsetName)
 	if ipsetName != "" {
 		if ipList, ipsetExists := m.ipsetStore.ipset(ipsetName); ipsetExists {
 			if err := ipset.Add(ipsetName, ip.String()); err != nil {
@@ -127,7 +137,7 @@ func (m *aclManager) AddPeerFiltering(
 		m.ipsetStore.addIpList(ipsetName, ipList)
 	}
 
-	ok, err := m.iptablesClient.Exists(tableFilter, chain, specs...)
+	ok, err := m.iptablesClient.Exists("filter", chain, specs...)
 	if err != nil {
 		return nil, fmt.Errorf("failed to check rule: %w", err)
 	}
@@ -135,22 +145,16 @@ func (m *aclManager) AddPeerFiltering(
 		return nil, fmt.Errorf("rule already exists")
 	}
 
-	if err := m.iptablesClient.Append(tableFilter, chain, specs...); err != nil {
+	if err := m.iptablesClient.Append("filter", chain, specs...); err != nil {
 		return nil, err
 	}
 
-	if err := m.iptablesClient.Append(tableMangle, chainRTPRE, mangleSpecs...); err != nil {
-		log.Errorf("failed to add mangle rule: %v", err)
-		mangleSpecs = nil
-	}
-
 	rule := &Rule{
-		ruleID:      uuid.New().String(),
-		specs:       specs,
-		mangleSpecs: mangleSpecs,
-		ipsetName:   ipsetName,
-		ip:          ip.String(),
-		chain:       chain,
+		ruleID:    uuid.New().String(),
+		specs:     specs,
+		ipsetName: ipsetName,
+		ip:        ip.String(),
+		chain:     chain,
 	}
 
 	m.updateState()
@@ -193,12 +197,6 @@ func (m *aclManager) DeletePeerRule(rule firewall.Rule) error {
 		return fmt.Errorf("failed to delete rule: %s, %v: %w", r.chain, r.specs, err)
 	}
 
-	if r.mangleSpecs != nil {
-		if err := m.iptablesClient.Delete(tableMangle, chainRTPRE, r.mangleSpecs...); err != nil {
-			log.Errorf("failed to delete mangle rule: %v", err)
-		}
-	}
-
 	m.updateState()
 
 	return nil
@@ -216,7 +214,28 @@ func (m *aclManager) Reset() error {
 
 // todo write less destructive cleanup mechanism
 func (m *aclManager) cleanChains() error {
-	ok, err := m.iptablesClient.ChainExists(tableName, chainNameInputRules)
+	ok, err := m.iptablesClient.ChainExists(tableName, chainNameOutputRules)
+	if err != nil {
+		log.Debugf("failed to list chains: %s", err)
+		return err
+	}
+	if ok {
+		rules := m.entries["OUTPUT"]
+		for _, rule := range rules {
+			err := m.iptablesClient.DeleteIfExists(tableName, "OUTPUT", rule...)
+			if err != nil {
+				log.Errorf("failed to delete rule: %v, %s", rule, err)
+			}
+		}
+
+		err = m.iptablesClient.ClearAndDeleteChain(tableName, chainNameOutputRules)
+		if err != nil {
+			log.Debugf("failed to clear and delete %s chain: %s", chainNameOutputRules, err)
+			return err
+		}
+	}
+
+	ok, err = m.iptablesClient.ChainExists(tableName, chainNameInputRules)
 	if err != nil {
 		log.Debugf("failed to list chains: %s", err)
 		return err
@@ -276,6 +295,12 @@ func (m *aclManager) createDefaultChains() error {
 		return err
 	}
 
+	// chain netbird-acl-output-rules
+	if err := m.iptablesClient.NewChain(tableName, chainNameOutputRules); err != nil {
+		log.Debugf("failed to create '%s' chain: %s", chainNameOutputRules, err)
+		return err
+	}
+
 	for chainName, rules := range m.entries {
 		for _, rule := range rules {
 			if err := m.iptablesClient.InsertUnique(tableName, chainName, 1, rule...); err != nil {
@@ -304,28 +329,40 @@ func (m *aclManager) createDefaultChains() error {
 
 // The existing FORWARD rules/policies decide outbound traffic towards our interface.
 // In case the FORWARD policy is set to "drop", we add an established/related rule to allow return traffic for the inbound rule.
+
+// The OUTPUT chain gets an extra rule to allow traffic to any set up routes, the return traffic is handled by the INPUT related/established rule.
 func (m *aclManager) seedInitialEntries() {
+
 	established := getConntrackEstablished()
 
 	m.appendToEntries("INPUT", []string{"-i", m.wgIface.Name(), "-j", "DROP"})
 	m.appendToEntries("INPUT", []string{"-i", m.wgIface.Name(), "-j", chainNameInputRules})
 	m.appendToEntries("INPUT", append([]string{"-i", m.wgIface.Name()}, established...))
 
-	// Inbound is handled by our ACLs, the rest is dropped.
-	// For outbound we respect the FORWARD policy. However, we need to allow established/related traffic for inbound rules.
-	m.appendToEntries("FORWARD", []string{"-i", m.wgIface.Name(), "-j", "DROP"})
+	m.appendToEntries("OUTPUT", []string{"-o", m.wgIface.Name(), "-j", "DROP"})
+	m.appendToEntries("OUTPUT", []string{"-o", m.wgIface.Name(), "-j", chainNameOutputRules})
+	m.appendToEntries("OUTPUT", []string{"-o", m.wgIface.Name(), "!", "-d", m.wgIface.Address().String(), "-j", "ACCEPT"})
+	m.appendToEntries("OUTPUT", append([]string{"-o", m.wgIface.Name()}, established...))
 
-	m.appendToEntries("FORWARD", []string{"-o", m.wgIface.Name(), "-j", chainRTFWDOUT})
-	m.appendToEntries("FORWARD", []string{"-i", m.wgIface.Name(), "-j", chainRTFWDIN})
+	m.appendToEntries("FORWARD", []string{"-i", m.wgIface.Name(), "-j", "DROP"})
+	m.appendToEntries("FORWARD", []string{"-i", m.wgIface.Name(), "-j", m.routingFwChainName})
+	m.appendToEntries("FORWARD", append([]string{"-o", m.wgIface.Name()}, established...))
 }
 
 func (m *aclManager) seedInitialOptionalEntries() {
 	m.optionalEntries["FORWARD"] = []entry{
 		{
-			spec:     []string{"-m", "mark", "--mark", fmt.Sprintf("%#x", nbnet.PreroutingFwmarkRedirected), "-j", "ACCEPT"},
+			spec:     []string{"-m", "mark", "--mark", fmt.Sprintf("%#x", nbnet.PreroutingFwmark), "-j", chainNameInputRules},
 			position: 2,
 		},
 	}
+
+	m.optionalEntries["PREROUTING"] = []entry{
+		{
+			spec:     []string{"-t", "mangle", "-i", m.wgIface.Name(), "-m", "addrtype", "--dst-type", "LOCAL", "-j", "MARK", "--set-mark", fmt.Sprintf("%#x", nbnet.PreroutingFwmark)},
+			position: 1,
+		},
+	}
 }
 
 func (m *aclManager) appendToEntries(chainName string, spec []string) {
@@ -359,26 +396,42 @@ func (m *aclManager) updateState() {
 }
 
 // filterRuleSpecs returns the specs of a filtering rule
-func filterRuleSpecs(ip net.IP, protocol string, sPort, dPort *firewall.Port, action firewall.Action, ipsetName string) (specs []string) {
+func filterRuleSpecs(
+	ip net.IP, protocol string, sPort, dPort string, direction firewall.RuleDirection, action firewall.Action, ipsetName string,
+) (specs []string) {
 	matchByIP := true
 	// don't use IP matching if IP is ip 0.0.0.0
 	if ip.String() == "0.0.0.0" {
 		matchByIP = false
 	}
-
-	if matchByIP {
-		if ipsetName != "" {
-			specs = append(specs, "-m", "set", "--set", ipsetName, "src")
-		} else {
-			specs = append(specs, "-s", ip.String())
+	switch direction {
+	case firewall.RuleDirectionIN:
+		if matchByIP {
+			if ipsetName != "" {
+				specs = append(specs, "-m", "set", "--set", ipsetName, "src")
+			} else {
+				specs = append(specs, "-s", ip.String())
+			}
+		}
+	case firewall.RuleDirectionOUT:
+		if matchByIP {
+			if ipsetName != "" {
+				specs = append(specs, "-m", "set", "--set", ipsetName, "dst")
+			} else {
+				specs = append(specs, "-d", ip.String())
+			}
 		}
 	}
 	if protocol != "all" {
 		specs = append(specs, "-p", protocol)
 	}
-	specs = append(specs, applyPort("--sport", sPort)...)
-	specs = append(specs, applyPort("--dport", dPort)...)
-	return specs
+	if sPort != "" {
+		specs = append(specs, "--sport", sPort)
+	}
+	if dPort != "" {
+		specs = append(specs, "--dport", dPort)
+	}
+	return append(specs, "-j", actionToStr(action))
 }
 
 func actionToStr(action firewall.Action) string {
@@ -388,15 +441,15 @@ func actionToStr(action firewall.Action) string {
 	return "DROP"
 }
 
-func transformIPsetName(ipsetName string, sPort, dPort *firewall.Port) string {
+func transformIPsetName(ipsetName string, sPort, dPort string) string {
 	switch {
 	case ipsetName == "":
 		return ""
-	case sPort != nil && dPort != nil:
+	case sPort != "" && dPort != "":
 		return ipsetName + "-sport-dport"
-	case sPort != nil:
+	case sPort != "":
 		return ipsetName + "-sport"
-	case dPort != nil:
+	case dPort != "":
 		return ipsetName + "-dport"
 	default:
 		return ipsetName

client/firewall/iptables/manager_linux.go

@@ -13,7 +13,7 @@ import (
 
 	nberrors "github.com/netbirdio/netbird/client/errors"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
+	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )
 
@@ -31,7 +31,7 @@ type Manager struct {
 // iFaceMapper defines subset methods of interface required for manager
 type iFaceMapper interface {
 	Name() string
-	Address() wgaddr.Address
+	Address() iface.WGAddress
 	IsUserspaceBind() bool
 }
 
@@ -52,7 +52,7 @@ func Create(wgIface iFaceMapper) (*Manager, error) {
 		return nil, fmt.Errorf("create router: %w", err)
 	}
 
-	m.aclMgr, err = newAclManager(iptablesClient, wgIface)
+	m.aclMgr, err = newAclManager(iptablesClient, wgIface, chainRTFWD)
 	if err != nil {
 		return nil, fmt.Errorf("create acl manager: %w", err)
 	}
@@ -83,11 +83,9 @@ func (m *Manager) Init(stateManager *statemanager.Manager) error {
 	}
 
 	// persist early to ensure cleanup of chains
-	go func() {
-		if err := stateManager.PersistState(context.Background()); err != nil {
-			log.Errorf("failed to persist state: %v", err)
-		}
-	}()
+	if err := stateManager.PersistState(context.Background()); err != nil {
+		log.Errorf("failed to persist state: %v", err)
+	}
 
 	return nil
 }
@@ -96,36 +94,37 @@ func (m *Manager) Init(stateManager *statemanager.Manager) error {
 //
 // Comment will be ignored because some system this feature is not supported
 func (m *Manager) AddPeerFiltering(
-	id []byte,
 	ip net.IP,
-	proto firewall.Protocol,
+	protocol firewall.Protocol,
 	sPort *firewall.Port,
 	dPort *firewall.Port,
+	direction firewall.RuleDirection,
 	action firewall.Action,
 	ipsetName string,
+	comment string,
 ) ([]firewall.Rule, error) {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
-	return m.aclMgr.AddPeerFiltering(id, ip, proto, sPort, dPort, action, ipsetName)
+	return m.aclMgr.AddPeerFiltering(ip, protocol, sPort, dPort, direction, action, ipsetName)
 }
 
 func (m *Manager) AddRouteFiltering(
-	id []byte,
 	sources []netip.Prefix,
-	destination firewall.Network,
+	destination netip.Prefix,
 	proto firewall.Protocol,
-	sPort, dPort *firewall.Port,
+	sPort *firewall.Port,
+	dPort *firewall.Port,
 	action firewall.Action,
 ) (firewall.Rule, error) {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
-	if destination.IsPrefix() && !destination.Prefix.Addr().Is4() {
-		return nil, fmt.Errorf("unsupported IP version: %s", destination.Prefix.Addr().String())
+	if !destination.Addr().Is4() {
+		return nil, fmt.Errorf("unsupported IP version: %s", destination.Addr().String())
 	}
 
-	return m.router.AddRouteFiltering(id, sources, destination, proto, sPort, dPort, action)
+	return m.router.AddRouteFiltering(sources, destination, proto, sPort, dPort, action)
 }
 
 // DeletePeerRule from the firewall by rule definition
@@ -166,7 +165,7 @@ func (m *Manager) SetLegacyManagement(isLegacy bool) error {
 }
 
 // Reset firewall to the default state
-func (m *Manager) Close(stateManager *statemanager.Manager) error {
+func (m *Manager) Reset(stateManager *statemanager.Manager) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
@@ -196,60 +195,34 @@ func (m *Manager) AllowNetbird() error {
 	}
 
 	_, err := m.AddPeerFiltering(
-		nil,
-		net.IP{0, 0, 0, 0},
+		net.ParseIP("0.0.0.0"),
 		"all",
 		nil,
 		nil,
+		firewall.RuleDirectionIN,
 		firewall.ActionAccept,
 		"",
+		"",
 	)
 	if err != nil {
-		return fmt.Errorf("allow netbird interface traffic: %w", err)
+		return fmt.Errorf("failed to allow netbird interface traffic: %w", err)
 	}
-	return nil
+	_, err = m.AddPeerFiltering(
+		net.ParseIP("0.0.0.0"),
+		"all",
+		nil,
+		nil,
+		firewall.RuleDirectionOUT,
+		firewall.ActionAccept,
+		"",
+		"",
+	)
+	return err
 }
 
 // Flush doesn't need to be implemented for this manager
 func (m *Manager) Flush() error { return nil }
 
-// SetLogLevel sets the log level for the firewall manager
-func (m *Manager) SetLogLevel(log.Level) {
-	// not supported
-}
-
-func (m *Manager) EnableRouting() error {
-	return nil
-}
-
-func (m *Manager) DisableRouting() error {
-	return nil
-}
-
-// AddDNATRule adds a DNAT rule
-func (m *Manager) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error) {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.AddDNATRule(rule)
-}
-
-// DeleteDNATRule deletes a DNAT rule
-func (m *Manager) DeleteDNATRule(rule firewall.Rule) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.DeleteDNATRule(rule)
-}
-
-// UpdateSet updates the set with the given prefixes
-func (m *Manager) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.UpdateSet(set, prefixes)
-}
-
 func getConntrackEstablished() []string {
 	return []string{"-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"}
 }

client/firewall/iptables/manager_linux_test.go

@@ -10,15 +10,15 @@ import (
 	"github.com/stretchr/testify/require"
 
 	fw "github.com/netbirdio/netbird/client/firewall/manager"
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
+	"github.com/netbirdio/netbird/client/iface"
 )
 
 var ifaceMock = &iFaceMock{
 	NameFunc: func() string {
 		return "lo"
 	},
-	AddressFunc: func() wgaddr.Address {
-		return wgaddr.Address{
+	AddressFunc: func() iface.WGAddress {
+		return iface.WGAddress{
 			IP: net.ParseIP("10.20.0.1"),
 			Network: &net.IPNet{
 				IP:   net.ParseIP("10.20.0.0"),
@@ -31,7 +31,7 @@ var ifaceMock = &iFaceMock{
 // iFaceMapper defines subset methods of interface required for manager
 type iFaceMock struct {
 	NameFunc    func() string
-	AddressFunc func() wgaddr.Address
+	AddressFunc func() iface.WGAddress
 }
 
 func (i *iFaceMock) Name() string {
@@ -41,7 +41,7 @@ func (i *iFaceMock) Name() string {
 	panic("NameFunc is not set")
 }
 
-func (i *iFaceMock) Address() wgaddr.Address {
+func (i *iFaceMock) Address() iface.WGAddress {
 	if i.AddressFunc != nil {
 		return i.AddressFunc()
 	}
@@ -62,20 +62,33 @@ func TestIptablesManager(t *testing.T) {
 	time.Sleep(time.Second)
 
 	defer func() {
-		err := manager.Close(nil)
+		err := manager.Reset(nil)
 		require.NoError(t, err, "clear the manager state")
 
 		time.Sleep(time.Second)
 	}()
 
+	var rule1 []fw.Rule
+	t.Run("add first rule", func(t *testing.T) {
+		ip := net.ParseIP("10.20.0.2")
+		port := &fw.Port{Values: []int{8080}}
+		rule1, err = manager.AddPeerFiltering(ip, "tcp", nil, port, fw.RuleDirectionOUT, fw.ActionAccept, "", "accept HTTP traffic")
+		require.NoError(t, err, "failed to add rule")
+
+		for _, r := range rule1 {
+			checkRuleSpecs(t, ipv4Client, chainNameOutputRules, true, r.(*Rule).specs...)
+		}
+
+	})
+
 	var rule2 []fw.Rule
 	t.Run("add second rule", func(t *testing.T) {
 		ip := net.ParseIP("10.20.0.3")
 		port := &fw.Port{
-			IsRange: true,
-			Values:  []uint16{8043, 8046},
+			Values: []int{8043: 8046},
 		}
-		rule2, err = manager.AddPeerFiltering(nil, ip, "tcp", port, nil, fw.ActionAccept, "")
+		rule2, err = manager.AddPeerFiltering(
+			ip, "tcp", port, nil, fw.RuleDirectionIN, fw.ActionAccept, "", "accept HTTPS traffic from ports range")
 		require.NoError(t, err, "failed to add rule")
 
 		for _, r := range rule2 {
@@ -84,6 +97,15 @@ func TestIptablesManager(t *testing.T) {
 		}
 	})
 
+	t.Run("delete first rule", func(t *testing.T) {
+		for _, r := range rule1 {
+			err := manager.DeletePeerRule(r)
+			require.NoError(t, err, "failed to delete rule")
+
+			checkRuleSpecs(t, ipv4Client, chainNameOutputRules, false, r.(*Rule).specs...)
+		}
+	})
+
 	t.Run("delete second rule", func(t *testing.T) {
 		for _, r := range rule2 {
 			err := manager.DeletePeerRule(r)
@@ -96,29 +118,32 @@ func TestIptablesManager(t *testing.T) {
 	t.Run("reset check", func(t *testing.T) {
 		// add second rule
 		ip := net.ParseIP("10.20.0.3")
-		port := &fw.Port{Values: []uint16{5353}}
-		_, err = manager.AddPeerFiltering(nil, ip, "udp", nil, port, fw.ActionAccept, "")
+		port := &fw.Port{Values: []int{5353}}
+		_, err = manager.AddPeerFiltering(ip, "udp", nil, port, fw.RuleDirectionOUT, fw.ActionAccept, "", "accept Fake DNS traffic")
 		require.NoError(t, err, "failed to add rule")
 
-		err = manager.Close(nil)
+		err = manager.Reset(nil)
 		require.NoError(t, err, "failed to reset")
 
 		ok, err := ipv4Client.ChainExists("filter", chainNameInputRules)
 		require.NoError(t, err, "failed check chain exists")
 
 		if ok {
-			require.NoErrorf(t, err, "chain '%v' still exists after Close", chainNameInputRules)
+			require.NoErrorf(t, err, "chain '%v' still exists after Reset", chainNameInputRules)
 		}
 	})
 }
 
 func TestIptablesManagerIPSet(t *testing.T) {
+	ipv4Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
+	require.NoError(t, err)
+
 	mock := &iFaceMock{
 		NameFunc: func() string {
 			return "lo"
 		},
-		AddressFunc: func() wgaddr.Address {
-			return wgaddr.Address{
+		AddressFunc: func() iface.WGAddress {
+			return iface.WGAddress{
 				IP: net.ParseIP("10.20.0.1"),
 				Network: &net.IPNet{
 					IP:   net.ParseIP("10.20.0.0"),
@@ -136,19 +161,39 @@ func TestIptablesManagerIPSet(t *testing.T) {
 	time.Sleep(time.Second)
 
 	defer func() {
-		err := manager.Close(nil)
+		err := manager.Reset(nil)
 		require.NoError(t, err, "clear the manager state")
 
 		time.Sleep(time.Second)
 	}()
 
+	var rule1 []fw.Rule
+	t.Run("add first rule with set", func(t *testing.T) {
+		ip := net.ParseIP("10.20.0.2")
+		port := &fw.Port{Values: []int{8080}}
+		rule1, err = manager.AddPeerFiltering(
+			ip, "tcp", nil, port, fw.RuleDirectionOUT,
+			fw.ActionAccept, "default", "accept HTTP traffic",
+		)
+		require.NoError(t, err, "failed to add rule")
+
+		for _, r := range rule1 {
+			checkRuleSpecs(t, ipv4Client, chainNameOutputRules, true, r.(*Rule).specs...)
+			require.Equal(t, r.(*Rule).ipsetName, "default-dport", "ipset name must be set")
+			require.Equal(t, r.(*Rule).ip, "10.20.0.2", "ipset IP must be set")
+		}
+	})
+
 	var rule2 []fw.Rule
 	t.Run("add second rule", func(t *testing.T) {
 		ip := net.ParseIP("10.20.0.3")
 		port := &fw.Port{
-			Values: []uint16{443},
+			Values: []int{443},
 		}
-		rule2, err = manager.AddPeerFiltering(nil, ip, "tcp", port, nil, fw.ActionAccept, "default")
+		rule2, err = manager.AddPeerFiltering(
+			ip, "tcp", port, nil, fw.RuleDirectionIN, fw.ActionAccept,
+			"default", "accept HTTPS traffic from ports range",
+		)
 		for _, r := range rule2 {
 			require.NoError(t, err, "failed to add rule")
 			require.Equal(t, r.(*Rule).ipsetName, "default-sport", "ipset name must be set")
@@ -156,6 +201,15 @@ func TestIptablesManagerIPSet(t *testing.T) {
 		}
 	})
 
+	t.Run("delete first rule", func(t *testing.T) {
+		for _, r := range rule1 {
+			err := manager.DeletePeerRule(r)
+			require.NoError(t, err, "failed to delete rule")
+
+			require.NotContains(t, manager.aclMgr.ipsetStore.ipsets, r.(*Rule).ruleID, "rule must be removed form the ruleset index")
+		}
+	})
+
 	t.Run("delete second rule", func(t *testing.T) {
 		for _, r := range rule2 {
 			err := manager.DeletePeerRule(r)
@@ -166,7 +220,7 @@ func TestIptablesManagerIPSet(t *testing.T) {
 	})
 
 	t.Run("reset check", func(t *testing.T) {
-		err = manager.Close(nil)
+		err = manager.Reset(nil)
 		require.NoError(t, err, "failed to reset")
 	})
 }
@@ -184,8 +238,8 @@ func TestIptablesCreatePerformance(t *testing.T) {
 		NameFunc: func() string {
 			return "lo"
 		},
-		AddressFunc: func() wgaddr.Address {
-			return wgaddr.Address{
+		AddressFunc: func() iface.WGAddress {
+			return iface.WGAddress{
 				IP: net.ParseIP("10.20.0.1"),
 				Network: &net.IPNet{
 					IP:   net.ParseIP("10.20.0.0"),
@@ -204,7 +258,7 @@ func TestIptablesCreatePerformance(t *testing.T) {
 			time.Sleep(time.Second)
 
 			defer func() {
-				err := manager.Close(nil)
+				err := manager.Reset(nil)
 				require.NoError(t, err, "clear the manager state")
 
 				time.Sleep(time.Second)
@@ -215,8 +269,12 @@ func TestIptablesCreatePerformance(t *testing.T) {
 			ip := net.ParseIP("10.20.0.100")
 			start := time.Now()
 			for i := 0; i < testMax; i++ {
-				port := &fw.Port{Values: []uint16{uint16(1000 + i)}}
-				_, err = manager.AddPeerFiltering(nil, ip, "tcp", nil, port, fw.ActionAccept, "")
+				port := &fw.Port{Values: []int{1000 + i}}
+				if i%2 == 0 {
+					_, err = manager.AddPeerFiltering(ip, "tcp", nil, port, fw.RuleDirectionOUT, fw.ActionAccept, "", "accept HTTP traffic")
+				} else {
+					_, err = manager.AddPeerFiltering(ip, "tcp", nil, port, fw.RuleDirectionIN, fw.ActionAccept, "", "accept HTTP traffic")
+				}
 
 				require.NoError(t, err, "failed to add rule")
 			}

client/firewall/iptables/router_linux.go

@@ -15,60 +15,41 @@ import (
 
 	nberrors "github.com/netbirdio/netbird/client/errors"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
-	nbid "github.com/netbirdio/netbird/client/internal/acl/id"
-	"github.com/netbirdio/netbird/client/internal/routemanager/ipfwdstate"
+	"github.com/netbirdio/netbird/client/internal/acl/id"
 	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
-	nbnet "github.com/netbirdio/netbird/util/net"
+)
+
+const (
+	ipv4Nat = "netbird-rt-nat"
 )
 
 // constants needed to manage and create iptable rules
 const (
-	tableFilter = "filter"
-	tableNat    = "nat"
-	tableMangle = "mangle"
-
+	tableFilter             = "filter"
+	tableNat                = "nat"
 	chainPOSTROUTING        = "POSTROUTING"
-	chainPREROUTING         = "PREROUTING"
 	chainRTNAT              = "NETBIRD-RT-NAT"
-	chainRTFWDIN            = "NETBIRD-RT-FWD-IN"
-	chainRTFWDOUT           = "NETBIRD-RT-FWD-OUT"
-	chainRTPRE              = "NETBIRD-RT-PRE"
-	chainRTRDR              = "NETBIRD-RT-RDR"
+	chainRTFWD              = "NETBIRD-RT-FWD"
 	routingFinalForwardJump = "ACCEPT"
 	routingFinalNatJump     = "MASQUERADE"
 
-	jumpManglePre  = "jump-mangle-pre"
-	jumpNatPre     = "jump-nat-pre"
-	jumpNatPost    = "jump-nat-post"
-	markManglePre  = "mark-mangle-pre"
-	markManglePost = "mark-mangle-post"
-	matchSet       = "--match-set"
-
-	dnatSuffix = "_dnat"
-	snatSuffix = "_snat"
-	fwdSuffix  = "_fwd"
+	matchSet = "--match-set"
 )
 
-type ruleInfo struct {
-	chain string
-	table string
-	rule  []string
-}
-
 type routeFilteringRuleParams struct {
-	Source      firewall.Network
-	Destination firewall.Network
+	Sources     []netip.Prefix
+	Destination netip.Prefix
 	Proto       firewall.Protocol
 	SPort       *firewall.Port
 	DPort       *firewall.Port
 	Direction   firewall.RuleDirection
 	Action      firewall.Action
+	SetName     string
 }
 
 type routeRules map[string][]string
 
-// the ipset library currently does not support comments, so we use the name only (string)
 type ipsetCounter = refcounter.Counter[string, []netip.Prefix, struct{}]
 
 type router struct {
@@ -79,7 +60,6 @@ type router struct {
 	legacyManagement bool
 
 	stateManager *statemanager.Manager
-	ipFwdState   *ipfwdstate.IPForwardingState
 }
 
 func newRouter(iptablesClient *iptables.IPTables, wgIface iFaceMapper) (*router, error) {
@@ -87,7 +67,6 @@ func newRouter(iptablesClient *iptables.IPTables, wgIface iFaceMapper) (*router,
 		iptablesClient: iptablesClient,
 		rules:          make(map[string][]string),
 		wgIface:        wgIface,
-		ipFwdState:     ipfwdstate.NewIPForwardingState(),
 	}
 
 	r.ipsetCounter = refcounter.New(
@@ -117,59 +96,44 @@ func (r *router) init(stateManager *statemanager.Manager) error {
 		return fmt.Errorf("create containers: %w", err)
 	}
 
-	if err := r.setupDataPlaneMark(); err != nil {
-		log.Errorf("failed to set up data plane mark: %v", err)
-	}
-
 	r.updateState()
 
 	return nil
 }
 
 func (r *router) AddRouteFiltering(
-	id []byte,
 	sources []netip.Prefix,
-	destination firewall.Network,
+	destination netip.Prefix,
 	proto firewall.Protocol,
 	sPort *firewall.Port,
 	dPort *firewall.Port,
 	action firewall.Action,
 ) (firewall.Rule, error) {
-	ruleKey := nbid.GenerateRouteRuleKey(sources, destination, proto, sPort, dPort, action)
+	ruleKey := id.GenerateRouteRuleKey(sources, destination, proto, sPort, dPort, action)
 	if _, ok := r.rules[string(ruleKey)]; ok {
 		return ruleKey, nil
 	}
 
-	var source firewall.Network
+	var setName string
 	if len(sources) > 1 {
-		source.Set = firewall.NewPrefixSet(sources)
-	} else if len(sources) > 0 {
-		source.Prefix = sources[0]
+		setName = firewall.GenerateSetName(sources)
+		if _, err := r.ipsetCounter.Increment(setName, sources); err != nil {
+			return nil, fmt.Errorf("create or get ipset: %w", err)
+		}
 	}
 
 	params := routeFilteringRuleParams{
-		Source:      source,
+		Sources:     sources,
 		Destination: destination,
 		Proto:       proto,
 		SPort:       sPort,
 		DPort:       dPort,
 		Action:      action,
+		SetName:     setName,
 	}
 
-	rule, err := r.genRouteRuleSpec(params, sources)
-	if err != nil {
-		return nil, fmt.Errorf("generate route rule spec: %w", err)
-	}
-
-	// Insert DROP rules at the beginning, append ACCEPT rules at the end
-	if action == firewall.ActionDrop {
-		// after the established rule
-		err = r.iptablesClient.Insert(tableFilter, chainRTFWDIN, 2, rule...)
-	} else {
-		err = r.iptablesClient.Append(tableFilter, chainRTFWDIN, rule...)
-	}
-
-	if err != nil {
+	rule := genRouteFilteringRuleSpec(params)
+	if err := r.iptablesClient.Append(tableFilter, chainRTFWD, rule...); err != nil {
 		return nil, fmt.Errorf("add route rule: %v", err)
 	}
 
@@ -181,16 +145,20 @@ func (r *router) AddRouteFiltering(
 }
 
 func (r *router) DeleteRouteRule(rule firewall.Rule) error {
-	ruleKey := rule.ID()
+	ruleKey := rule.GetRuleID()
 
 	if rule, exists := r.rules[ruleKey]; exists {
-		if err := r.iptablesClient.Delete(tableFilter, chainRTFWDIN, rule...); err != nil {
+		setName := r.findSetNameInRule(rule)
+
+		if err := r.iptablesClient.Delete(tableFilter, chainRTFWD, rule...); err != nil {
 			return fmt.Errorf("delete route rule: %v", err)
 		}
 		delete(r.rules, ruleKey)
 
-		if err := r.decrementSetCounter(rule); err != nil {
-			return fmt.Errorf("decrement ipset counter: %w", err)
+		if setName != "" {
+			if _, err := r.ipsetCounter.Decrement(setName); err != nil {
+				return fmt.Errorf("failed to remove ipset: %w", err)
+			}
 		}
 	} else {
 		log.Debugf("route rule %s not found", ruleKey)
@@ -201,26 +169,13 @@ func (r *router) DeleteRouteRule(rule firewall.Rule) error {
 	return nil
 }
 
-func (r *router) decrementSetCounter(rule []string) error {
-	sets := r.findSets(rule)
-	var merr *multierror.Error
-	for _, setName := range sets {
-		if _, err := r.ipsetCounter.Decrement(setName); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("decrement counter: %w", err))
-		}
-	}
-
-	return nberrors.FormatErrorOrNil(merr)
-}
-
-func (r *router) findSets(rule []string) []string {
-	var sets []string
+func (r *router) findSetNameInRule(rule []string) string {
 	for i, arg := range rule {
 		if arg == "-m" && i+3 < len(rule) && rule[i+1] == "set" && rule[i+2] == matchSet {
-			sets = append(sets, rule[i+3])
+			return rule[i+3]
 		}
 	}
-	return sets
+	return ""
 }
 
 func (r *router) createIpSet(setName string, sources []netip.Prefix) error {
@@ -241,17 +196,11 @@ func (r *router) deleteIpSet(setName string) error {
 	if err := ipset.Destroy(setName); err != nil {
 		return fmt.Errorf("destroy set %s: %w", setName, err)
 	}
-
-	log.Debugf("Deleted unused ipset %s", setName)
 	return nil
 }
 
 // AddNatRule inserts an iptables rule pair into the nat chain
 func (r *router) AddNatRule(pair firewall.RouterPair) error {
-	if err := r.ipFwdState.RequestForwarding(); err != nil {
-		return err
-	}
-
 	if r.legacyManagement {
 		log.Warnf("This peer is connected to a NetBird Management service with an older version. Allowing all traffic for %s", pair.Destination)
 		if err := r.addLegacyRouteRule(pair); err != nil {
@@ -278,18 +227,12 @@ func (r *router) AddNatRule(pair firewall.RouterPair) error {
 
 // RemoveNatRule removes an iptables rule pair from forwarding and nat chains
 func (r *router) RemoveNatRule(pair firewall.RouterPair) error {
-	if err := r.ipFwdState.ReleaseForwarding(); err != nil {
-		log.Errorf("%v", err)
+	if err := r.removeNatRule(pair); err != nil {
+		return fmt.Errorf("remove nat rule: %w", err)
 	}
 
-	if pair.Masquerade {
-		if err := r.removeNatRule(pair); err != nil {
-			return fmt.Errorf("remove nat rule: %w", err)
-		}
-
-		if err := r.removeNatRule(firewall.GetInversePair(pair)); err != nil {
-			return fmt.Errorf("remove inverse nat rule: %w", err)
-		}
+	if err := r.removeNatRule(firewall.GetInversePair(pair)); err != nil {
+		return fmt.Errorf("remove inverse nat rule: %w", err)
 	}
 
 	if err := r.removeLegacyRouteRule(pair); err != nil {
@@ -310,7 +253,7 @@ func (r *router) addLegacyRouteRule(pair firewall.RouterPair) error {
 	}
 
 	rule := []string{"-s", pair.Source.String(), "-d", pair.Destination.String(), "-j", routingFinalForwardJump}
-	if err := r.iptablesClient.Append(tableFilter, chainRTFWDIN, rule...); err != nil {
+	if err := r.iptablesClient.Append(tableFilter, chainRTFWD, rule...); err != nil {
 		return fmt.Errorf("add legacy forwarding rule %s -> %s: %v", pair.Source, pair.Destination, err)
 	}
 
@@ -323,14 +266,12 @@ func (r *router) removeLegacyRouteRule(pair firewall.RouterPair) error {
 	ruleKey := firewall.GenKey(firewall.ForwardingFormat, pair)
 
 	if rule, exists := r.rules[ruleKey]; exists {
-		if err := r.iptablesClient.DeleteIfExists(tableFilter, chainRTFWDIN, rule...); err != nil {
+		if err := r.iptablesClient.DeleteIfExists(tableFilter, chainRTFWD, rule...); err != nil {
 			return fmt.Errorf("remove legacy forwarding rule %s -> %s: %v", pair.Source, pair.Destination, err)
 		}
 		delete(r.rules, ruleKey)
-
-		if err := r.decrementSetCounter(rule); err != nil {
-			return fmt.Errorf("decrement ipset counter: %w", err)
-		}
+	} else {
+		log.Debugf("legacy forwarding rule %s not found", ruleKey)
 	}
 
 	return nil
@@ -353,7 +294,7 @@ func (r *router) RemoveAllLegacyRouteRules() error {
 		if !strings.HasPrefix(k, firewall.ForwardingFormatPrefix) {
 			continue
 		}
-		if err := r.iptablesClient.DeleteIfExists(tableFilter, chainRTFWDIN, rule...); err != nil {
+		if err := r.iptablesClient.DeleteIfExists(tableFilter, chainRTFWD, rule...); err != nil {
 			merr = multierror.Append(merr, fmt.Errorf("remove legacy forwarding rule: %v", err))
 		} else {
 			delete(r.rules, k)
@@ -370,43 +311,36 @@ func (r *router) Reset() error {
 	if err := r.cleanUpDefaultForwardRules(); err != nil {
 		merr = multierror.Append(merr, err)
 	}
+	r.rules = make(map[string][]string)
 
 	if err := r.ipsetCounter.Flush(); err != nil {
 		merr = multierror.Append(merr, err)
 	}
 
-	if err := r.cleanupDataPlaneMark(); err != nil {
-		merr = multierror.Append(merr, err)
-	}
-
-	r.rules = make(map[string][]string)
 	r.updateState()
 
 	return nberrors.FormatErrorOrNil(merr)
 }
 
 func (r *router) cleanUpDefaultForwardRules() error {
-	if err := r.cleanJumpRules(); err != nil {
-		return fmt.Errorf("clean jump rules: %w", err)
+	err := r.cleanJumpRules()
+	if err != nil {
+		return err
 	}
 
 	log.Debug("flushing routing related tables")
-	for _, chainInfo := range []struct {
-		chain string
-		table string
-	}{
-		{chainRTFWDIN, tableFilter},
-		{chainRTFWDOUT, tableFilter},
-		{chainRTPRE, tableMangle},
-		{chainRTNAT, tableNat},
-		{chainRTRDR, tableNat},
-	} {
-		ok, err := r.iptablesClient.ChainExists(chainInfo.table, chainInfo.chain)
+	for _, chain := range []string{chainRTFWD, chainRTNAT} {
+		table := r.getTableForChain(chain)
+
+		ok, err := r.iptablesClient.ChainExists(table, chain)
 		if err != nil {
-			return fmt.Errorf("check chain %s in table %s: %w", chainInfo.chain, chainInfo.table, err)
+			log.Errorf("failed check chain %s, error: %v", chain, err)
+			return err
 		} else if ok {
-			if err = r.iptablesClient.ClearAndDeleteChain(chainInfo.table, chainInfo.chain); err != nil {
-				return fmt.Errorf("clear and delete chain %s in table %s: %w", chainInfo.chain, chainInfo.table, err)
+			err = r.iptablesClient.ClearAndDeleteChain(table, chain)
+			if err != nil {
+				log.Errorf("failed cleaning chain %s, error: %v", chain, err)
+				return err
 			}
 		}
 	}
@@ -415,33 +349,16 @@ func (r *router) cleanUpDefaultForwardRules() error {
 }
 
 func (r *router) createContainers() error {
-	for _, chainInfo := range []struct {
-		chain string
-		table string
-	}{
-		{chainRTFWDIN, tableFilter},
-		{chainRTFWDOUT, tableFilter},
-		{chainRTPRE, tableMangle},
-		{chainRTNAT, tableNat},
-		{chainRTRDR, tableNat},
-	} {
-		if err := r.iptablesClient.NewChain(chainInfo.table, chainInfo.chain); err != nil {
-			return fmt.Errorf("create chain %s in table %s: %w", chainInfo.chain, chainInfo.table, err)
+	for _, chain := range []string{chainRTFWD, chainRTNAT} {
+		if err := r.createAndSetupChain(chain); err != nil {
+			return fmt.Errorf("create chain %s: %w", chain, err)
 		}
 	}
 
-	if err := r.insertEstablishedRule(chainRTFWDIN); err != nil {
+	if err := r.insertEstablishedRule(chainRTFWD); err != nil {
 		return fmt.Errorf("insert established rule: %w", err)
 	}
 
-	if err := r.insertEstablishedRule(chainRTFWDOUT); err != nil {
-		return fmt.Errorf("insert established rule: %w", err)
-	}
-
-	if err := r.addPostroutingRules(); err != nil {
-		return fmt.Errorf("add static nat rules: %w", err)
-	}
-
 	if err := r.addJumpRules(); err != nil {
 		return fmt.Errorf("add jump rules: %w", err)
 	}
@@ -449,83 +366,23 @@ func (r *router) createContainers() error {
 	return nil
 }
 
-// setupDataPlaneMark configures the fwmark for the data plane
-func (r *router) setupDataPlaneMark() error {
-	var merr *multierror.Error
-	preRule := []string{
-		"-i", r.wgIface.Name(),
-		"-m", "conntrack", "--ctstate", "NEW",
-		"-j", "CONNMARK", "--set-mark", fmt.Sprintf("%#x", nbnet.DataPlaneMarkIn),
-	}
+func (r *router) createAndSetupChain(chain string) error {
+	table := r.getTableForChain(chain)
 
-	if err := r.iptablesClient.AppendUnique(tableMangle, chainPREROUTING, preRule...); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("add mangle prerouting rule: %w", err))
-	} else {
-		r.rules[markManglePre] = preRule
+	if err := r.iptablesClient.NewChain(table, chain); err != nil {
+		return fmt.Errorf("failed creating chain %s, error: %v", chain, err)
 	}
 
-	postRule := []string{
-		"-o", r.wgIface.Name(),
-		"-m", "conntrack", "--ctstate", "NEW",
-		"-j", "CONNMARK", "--set-mark", fmt.Sprintf("%#x", nbnet.DataPlaneMarkOut),
-	}
-
-	if err := r.iptablesClient.AppendUnique(tableMangle, chainPOSTROUTING, postRule...); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("add mangle postrouting rule: %w", err))
-	} else {
-		r.rules[markManglePost] = postRule
-	}
-
-	return nberrors.FormatErrorOrNil(merr)
-}
-
-func (r *router) cleanupDataPlaneMark() error {
-	var merr *multierror.Error
-	if preRule, exists := r.rules[markManglePre]; exists {
-		if err := r.iptablesClient.DeleteIfExists(tableMangle, chainPREROUTING, preRule...); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("remove mangle prerouting rule: %w", err))
-		} else {
-			delete(r.rules, markManglePre)
-		}
-	}
-
-	if postRule, exists := r.rules[markManglePost]; exists {
-		if err := r.iptablesClient.DeleteIfExists(tableMangle, chainPOSTROUTING, postRule...); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("remove mangle postrouting rule: %w", err))
-		} else {
-			delete(r.rules, markManglePost)
-		}
-	}
-
-	return nberrors.FormatErrorOrNil(merr)
-}
-
-func (r *router) addPostroutingRules() error {
-	// First rule for outbound masquerade
-	rule1 := []string{
-		"-m", "mark", "--mark", fmt.Sprintf("%#x", nbnet.PreroutingFwmarkMasquerade),
-		"!", "-o", "lo",
-		"-j", routingFinalNatJump,
-	}
-	if err := r.iptablesClient.Append(tableNat, chainRTNAT, rule1...); err != nil {
-		return fmt.Errorf("add outbound masquerade rule: %v", err)
-	}
-	r.rules["static-nat-outbound"] = rule1
-
-	// Second rule for return traffic masquerade
-	rule2 := []string{
-		"-m", "mark", "--mark", fmt.Sprintf("%#x", nbnet.PreroutingFwmarkMasqueradeReturn),
-		"-o", r.wgIface.Name(),
-		"-j", routingFinalNatJump,
-	}
-	if err := r.iptablesClient.Append(tableNat, chainRTNAT, rule2...); err != nil {
-		return fmt.Errorf("add return masquerade rule: %v", err)
-	}
-	r.rules["static-nat-return"] = rule2
-
 	return nil
 }
 
+func (r *router) getTableForChain(chain string) string {
+	if chain == chainRTNAT {
+		return tableNat
+	}
+	return tableFilter
+}
+
 func (r *router) insertEstablishedRule(chain string) error {
 	establishedRule := getConntrackEstablished()
 
@@ -541,54 +398,25 @@ func (r *router) insertEstablishedRule(chain string) error {
 }
 
 func (r *router) addJumpRules() error {
-	// Jump to nat chain
-	natRule := []string{"-j", chainRTNAT}
-	if err := r.iptablesClient.Insert(tableNat, chainPOSTROUTING, 1, natRule...); err != nil {
-		return fmt.Errorf("add nat postrouting jump rule: %v", err)
+	rule := []string{"-j", chainRTNAT}
+	err := r.iptablesClient.Insert(tableNat, chainPOSTROUTING, 1, rule...)
+	if err != nil {
+		return err
 	}
-	r.rules[jumpNatPost] = natRule
-
-	// Jump to mangle prerouting chain
-	preRule := []string{"-j", chainRTPRE}
-	if err := r.iptablesClient.Insert(tableMangle, chainPREROUTING, 1, preRule...); err != nil {
-		return fmt.Errorf("add mangle prerouting jump rule: %v", err)
-	}
-	r.rules[jumpManglePre] = preRule
-
-	// Jump to nat prerouting chain
-	rdrRule := []string{"-j", chainRTRDR}
-	if err := r.iptablesClient.Insert(tableNat, chainPREROUTING, 1, rdrRule...); err != nil {
-		return fmt.Errorf("add nat prerouting jump rule: %v", err)
-	}
-	r.rules[jumpNatPre] = rdrRule
+	r.rules[ipv4Nat] = rule
 
 	return nil
 }
 
 func (r *router) cleanJumpRules() error {
-	for _, ruleKey := range []string{jumpNatPost, jumpManglePre, jumpNatPre} {
-		if rule, exists := r.rules[ruleKey]; exists {
-			var table, chain string
-			switch ruleKey {
-			case jumpNatPost:
-				table = tableNat
-				chain = chainPOSTROUTING
-			case jumpManglePre:
-				table = tableMangle
-				chain = chainPREROUTING
-			case jumpNatPre:
-				table = tableNat
-				chain = chainPREROUTING
-			default:
-				return fmt.Errorf("unknown jump rule: %s", ruleKey)
-			}
-
-			if err := r.iptablesClient.DeleteIfExists(table, chain, rule...); err != nil {
-				return fmt.Errorf("delete rule from chain %s in table %s, err: %v", chain, table, err)
-			}
-			delete(r.rules, ruleKey)
+	rule, found := r.rules[ipv4Nat]
+	if found {
+		err := r.iptablesClient.DeleteIfExists(tableNat, chainPOSTROUTING, rule...)
+		if err != nil {
+			return fmt.Errorf("failed cleaning rule from chain %s, err: %v", chainPOSTROUTING, err)
 		}
 	}
+
 	return nil
 }
 
@@ -596,51 +424,19 @@ func (r *router) addNatRule(pair firewall.RouterPair) error {
 	ruleKey := firewall.GenKey(firewall.NatFormat, pair)
 
 	if rule, exists := r.rules[ruleKey]; exists {
-		if err := r.iptablesClient.DeleteIfExists(tableMangle, chainRTPRE, rule...); err != nil {
-			return fmt.Errorf("error while removing existing marking rule for %s: %v", pair.Destination, err)
+		if err := r.iptablesClient.DeleteIfExists(tableNat, chainRTNAT, rule...); err != nil {
+			return fmt.Errorf("error while removing existing NAT rule for %s: %v", pair.Destination, err)
 		}
 		delete(r.rules, ruleKey)
 	}
 
-	markValue := nbnet.PreroutingFwmarkMasquerade
-	if pair.Inverse {
-		markValue = nbnet.PreroutingFwmarkMasqueradeReturn
-	}
-
-	rule := []string{"-i", r.wgIface.Name()}
-	if pair.Inverse {
-		rule = []string{"!", "-i", r.wgIface.Name()}
-	}
-
-	rule = append(rule,
-		"-m", "conntrack",
-		"--ctstate", "NEW",
-	)
-	sourceExp, err := r.applyNetwork("-s", pair.Source, nil)
-	if err != nil {
-		return fmt.Errorf("apply network -s: %w", err)
-	}
-	destExp, err := r.applyNetwork("-d", pair.Destination, nil)
-	if err != nil {
-		return fmt.Errorf("apply network -d: %w", err)
-	}
-
-	rule = append(rule, sourceExp...)
-	rule = append(rule, destExp...)
-	rule = append(rule,
-		"-j", "MARK", "--set-mark", fmt.Sprintf("%#x", markValue),
-	)
-
-	// Ensure nat rules come first, so the mark can be overwritten.
-	// Currently overwritten by the dst-type LOCAL rules for redirected traffic.
-	if err := r.iptablesClient.Insert(tableMangle, chainRTPRE, 1, rule...); err != nil {
-		// TODO: rollback ipset counter
-		return fmt.Errorf("error while adding marking rule for %s: %v", pair.Destination, err)
+	rule := genRuleSpec(routingFinalNatJump, pair.Source, pair.Destination, r.wgIface.Name(), pair.Inverse)
+	if err := r.iptablesClient.Append(tableNat, chainRTNAT, rule...); err != nil {
+		return fmt.Errorf("error while appending new NAT rule for %s: %v", pair.Destination, err)
 	}
 
 	r.rules[ruleKey] = rule
 
-	r.updateState()
 	return nil
 }
 
@@ -648,19 +444,15 @@ func (r *router) removeNatRule(pair firewall.RouterPair) error {
 	ruleKey := firewall.GenKey(firewall.NatFormat, pair)
 
 	if rule, exists := r.rules[ruleKey]; exists {
-		if err := r.iptablesClient.DeleteIfExists(tableMangle, chainRTPRE, rule...); err != nil {
-			return fmt.Errorf("error while removing marking rule for %s: %v", pair.Destination, err)
+		if err := r.iptablesClient.DeleteIfExists(tableNat, chainRTNAT, rule...); err != nil {
+			return fmt.Errorf("error while removing existing nat rule for %s: %v", pair.Destination, err)
 		}
-		delete(r.rules, ruleKey)
 
-		if err := r.decrementSetCounter(rule); err != nil {
-			return fmt.Errorf("decrement ipset counter: %w", err)
-		}
+		delete(r.rules, ruleKey)
 	} else {
-		log.Debugf("marking rule %s not found", ruleKey)
+		log.Debugf("nat rule %s not found", ruleKey)
 	}
 
-	r.updateState()
 	return nil
 }
 
@@ -690,152 +482,27 @@ func (r *router) updateState() {
 	}
 }
 
-func (r *router) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error) {
-	if err := r.ipFwdState.RequestForwarding(); err != nil {
-		return nil, err
+func genRuleSpec(jump string, source, destination netip.Prefix, intf string, inverse bool) []string {
+	intdir := "-i"
+	lointdir := "-o"
+	if inverse {
+		intdir = "-o"
+		lointdir = "-i"
 	}
-
-	ruleKey := rule.ID()
-	if _, exists := r.rules[ruleKey+dnatSuffix]; exists {
-		return rule, nil
-	}
-
-	toDestination := rule.TranslatedAddress.String()
-	switch {
-	case len(rule.TranslatedPort.Values) == 0:
-		// no translated port, use original port
-	case len(rule.TranslatedPort.Values) == 1:
-		toDestination += fmt.Sprintf(":%d", rule.TranslatedPort.Values[0])
-	case rule.TranslatedPort.IsRange && len(rule.TranslatedPort.Values) == 2:
-		// need the "/originalport" suffix to avoid dnat port randomization
-		toDestination += fmt.Sprintf(":%d-%d/%d", rule.TranslatedPort.Values[0], rule.TranslatedPort.Values[1], rule.DestinationPort.Values[0])
-	default:
-		return nil, fmt.Errorf("invalid translated port: %v", rule.TranslatedPort)
-	}
-
-	proto := strings.ToLower(string(rule.Protocol))
-
-	rules := make(map[string]ruleInfo, 3)
-
-	// DNAT rule
-	dnatRule := []string{
-		"!", "-i", r.wgIface.Name(),
-		"-p", proto,
-		"-j", "DNAT",
-		"--to-destination", toDestination,
-	}
-	dnatRule = append(dnatRule, applyPort("--dport", &rule.DestinationPort)...)
-	rules[ruleKey+dnatSuffix] = ruleInfo{
-		table: tableNat,
-		chain: chainRTRDR,
-		rule:  dnatRule,
-	}
-
-	// SNAT rule
-	snatRule := []string{
-		"-o", r.wgIface.Name(),
-		"-p", proto,
-		"-d", rule.TranslatedAddress.String(),
-		"-j", "MASQUERADE",
-	}
-	snatRule = append(snatRule, applyPort("--dport", &rule.TranslatedPort)...)
-	rules[ruleKey+snatSuffix] = ruleInfo{
-		table: tableNat,
-		chain: chainRTNAT,
-		rule:  snatRule,
-	}
-
-	// Forward filtering rule, if fwd policy is DROP
-	forwardRule := []string{
-		"-o", r.wgIface.Name(),
-		"-p", proto,
-		"-d", rule.TranslatedAddress.String(),
-		"-j", "ACCEPT",
-	}
-	forwardRule = append(forwardRule, applyPort("--dport", &rule.TranslatedPort)...)
-	rules[ruleKey+fwdSuffix] = ruleInfo{
-		table: tableFilter,
-		chain: chainRTFWDOUT,
-		rule:  forwardRule,
-	}
-
-	for key, ruleInfo := range rules {
-		if err := r.iptablesClient.Append(ruleInfo.table, ruleInfo.chain, ruleInfo.rule...); err != nil {
-			if rollbackErr := r.rollbackRules(rules); rollbackErr != nil {
-				log.Errorf("rollback failed: %v", rollbackErr)
-			}
-			return nil, fmt.Errorf("add rule %s: %w", key, err)
-		}
-		r.rules[key] = ruleInfo.rule
-	}
-
-	r.updateState()
-	return rule, nil
+	return []string{intdir, intf, "!", lointdir, "lo", "-s", source.String(), "-d", destination.String(), "-j", jump}
 }
 
-func (r *router) rollbackRules(rules map[string]ruleInfo) error {
-	var merr *multierror.Error
-	for key, ruleInfo := range rules {
-		if err := r.iptablesClient.DeleteIfExists(ruleInfo.table, ruleInfo.chain, ruleInfo.rule...); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("rollback rule %s: %w", key, err))
-			// On rollback error, add to rules map for next cleanup
-			r.rules[key] = ruleInfo.rule
-		}
-	}
-	if merr != nil {
-		r.updateState()
-	}
-	return nberrors.FormatErrorOrNil(merr)
-}
-
-func (r *router) DeleteDNATRule(rule firewall.Rule) error {
-	if err := r.ipFwdState.ReleaseForwarding(); err != nil {
-		log.Errorf("%v", err)
-	}
-
-	ruleKey := rule.ID()
-
-	var merr *multierror.Error
-	if dnatRule, exists := r.rules[ruleKey+dnatSuffix]; exists {
-		if err := r.iptablesClient.Delete(tableNat, chainRTRDR, dnatRule...); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("delete DNAT rule: %w", err))
-		}
-		delete(r.rules, ruleKey+dnatSuffix)
-	}
-
-	if snatRule, exists := r.rules[ruleKey+snatSuffix]; exists {
-		if err := r.iptablesClient.Delete(tableNat, chainRTNAT, snatRule...); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("delete SNAT rule: %w", err))
-		}
-		delete(r.rules, ruleKey+snatSuffix)
-	}
-
-	if fwdRule, exists := r.rules[ruleKey+fwdSuffix]; exists {
-		if err := r.iptablesClient.Delete(tableFilter, chainRTFWDIN, fwdRule...); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("delete forward rule: %w", err))
-		}
-		delete(r.rules, ruleKey+fwdSuffix)
-	}
-
-	r.updateState()
-	return nberrors.FormatErrorOrNil(merr)
-}
-
-func (r *router) genRouteRuleSpec(params routeFilteringRuleParams, sources []netip.Prefix) ([]string, error) {
+func genRouteFilteringRuleSpec(params routeFilteringRuleParams) []string {
 	var rule []string
 
-	sourceExp, err := r.applyNetwork("-s", params.Source, sources)
-	if err != nil {
-		return nil, fmt.Errorf("apply network -s: %w", err)
-
-	}
-	destExp, err := r.applyNetwork("-d", params.Destination, nil)
-	if err != nil {
-		return nil, fmt.Errorf("apply network -d: %w", err)
+	if params.SetName != "" {
+		rule = append(rule, "-m", "set", matchSet, params.SetName, "src")
+	} else if len(params.Sources) > 0 {
+		source := params.Sources[0]
+		rule = append(rule, "-s", source.String())
 	}
 
-	rule = append(rule, sourceExp...)
-	rule = append(rule, destExp...)
+	rule = append(rule, "-d", params.Destination.String())
 
 	if params.Proto != firewall.ProtocolALL {
 		rule = append(rule, "-p", strings.ToLower(string(params.Proto)))
@@ -845,47 +512,7 @@ func (r *router) genRouteRuleSpec(params routeFilteringRuleParams, sources []net
 
 	rule = append(rule, "-j", actionToStr(params.Action))
 
-	return rule, nil
-}
-
-func (r *router) applyNetwork(flag string, network firewall.Network, prefixes []netip.Prefix) ([]string, error) {
-	direction := "src"
-	if flag == "-d" {
-		direction = "dst"
-	}
-
-	if network.IsSet() {
-		if _, err := r.ipsetCounter.Increment(network.Set.HashedName(), prefixes); err != nil {
-			return nil, fmt.Errorf("create or get ipset: %w", err)
-		}
-
-		return []string{"-m", "set", matchSet, network.Set.HashedName(), direction}, nil
-	}
-	if network.IsPrefix() {
-		return []string{flag, network.Prefix.String()}, nil
-	}
-
-	// nolint:nilnil
-	return nil, nil
-}
-
-func (r *router) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
-	var merr *multierror.Error
-	for _, prefix := range prefixes {
-		// TODO: Implement IPv6 support
-		if prefix.Addr().Is6() {
-			log.Tracef("skipping IPv6 prefix %s: IPv6 support not yet implemented", prefix)
-			continue
-		}
-		if err := ipset.AddPrefix(set.HashedName(), prefix); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("increment ipset counter: %w", err))
-		}
-	}
-	if merr == nil {
-		log.Debugf("updated set %s with prefixes %v", set.HashedName(), prefixes)
-	}
-
-	return nberrors.FormatErrorOrNil(merr)
+	return rule
 }
 
 func applyPort(flag string, port *firewall.Port) []string {
@@ -900,10 +527,10 @@ func applyPort(flag string, port *firewall.Port) []string {
 	if len(port.Values) > 1 {
 		portList := make([]string, len(port.Values))
 		for i, p := range port.Values {
-			portList[i] = strconv.Itoa(int(p))
+			portList[i] = strconv.Itoa(p)
 		}
 		return []string{"-m", "multiport", flag, strings.Join(portList, ",")}
 	}
 
-	return []string{flag, strconv.Itoa(int(port.Values[0]))}
+	return []string{flag, strconv.Itoa(port.Values[0])}
 }

client/firewall/iptables/router_linux_test.go

@@ -3,18 +3,17 @@
 package iptables
 
 import (
-	"fmt"
 	"net/netip"
 	"os/exec"
 	"testing"
 
 	"github.com/coreos/go-iptables/iptables"
+	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/test"
-	nbnet "github.com/netbirdio/netbird/util/net"
 )
 
 func isIptablesSupported() bool {
@@ -35,44 +34,37 @@ func TestIptablesManager_RestoreOrCreateContainers(t *testing.T) {
 	require.NoError(t, manager.init(nil))
 
 	defer func() {
-		assert.NoError(t, manager.Reset(), "shouldn't return error")
+		_ = manager.Reset()
 	}()
 
-	// Now 5 rules:
-	// 1. established rule forward in
-	// 2. estbalished rule forward out
-	// 3. jump rule to POST nat chain
-	// 4. jump rule to PRE mangle chain
-	// 5. jump rule to PRE nat chain
-	// 6. static outbound masquerade rule
-	// 7. static return masquerade rule
-	// 8. mangle prerouting mark rule
-	// 9. mangle postrouting mark rule
-	require.Len(t, manager.rules, 9, "should have created rules map")
+	require.Len(t, manager.rules, 2, "should have created rules map")
 
-	exists, err := manager.iptablesClient.Exists(tableNat, chainPOSTROUTING, "-j", chainRTNAT)
+	exists, err := manager.iptablesClient.Exists(tableNat, chainPOSTROUTING, manager.rules[ipv4Nat]...)
 	require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableNat, chainPOSTROUTING)
-	require.True(t, exists, "postrouting jump rule should exist")
-
-	exists, err = manager.iptablesClient.Exists(tableMangle, chainPREROUTING, "-j", chainRTPRE)
-	require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableMangle, chainPREROUTING)
-	require.True(t, exists, "prerouting jump rule should exist")
+	require.True(t, exists, "postrouting rule should exist")
 
 	pair := firewall.RouterPair{
 		ID:          "abc",
-		Source:      firewall.Network{Prefix: netip.MustParsePrefix("100.100.100.1/32")},
-		Destination: firewall.Network{Prefix: netip.MustParsePrefix("100.100.100.0/24")},
+		Source:      netip.MustParsePrefix("100.100.100.1/32"),
+		Destination: netip.MustParsePrefix("100.100.100.0/24"),
 		Masquerade:  true,
 	}
+	forward4Rule := []string{"-s", pair.Source.String(), "-d", pair.Destination.String(), "-j", routingFinalForwardJump}
 
-	err = manager.AddNatRule(pair)
-	require.NoError(t, err, "adding NAT rule should not return error")
+	err = manager.iptablesClient.Insert(tableFilter, chainRTFWD, 1, forward4Rule...)
+	require.NoError(t, err, "inserting rule should not return error")
+
+	nat4Rule := genRuleSpec(routingFinalNatJump, pair.Source, pair.Destination, ifaceMock.Name(), false)
+
+	err = manager.iptablesClient.Insert(tableNat, chainRTNAT, 1, nat4Rule...)
+	require.NoError(t, err, "inserting rule should not return error")
 
 	err = manager.Reset()
 	require.NoError(t, err, "shouldn't return error")
 }
 
 func TestIptablesManager_AddNatRule(t *testing.T) {
+
 	if !isIptablesSupported() {
 		t.SkipNow()
 	}
@@ -87,66 +79,52 @@ func TestIptablesManager_AddNatRule(t *testing.T) {
 			require.NoError(t, manager.init(nil))
 
 			defer func() {
-				assert.NoError(t, manager.Reset(), "shouldn't return error")
+				err := manager.Reset()
+				if err != nil {
+					log.Errorf("failed to reset iptables manager: %s", err)
+				}
 			}()
 
 			err = manager.AddNatRule(testCase.InputPair)
-			require.NoError(t, err, "marking rule should be inserted")
+			require.NoError(t, err, "forwarding pair should be inserted")
 
 			natRuleKey := firewall.GenKey(firewall.NatFormat, testCase.InputPair)
-			markingRule := []string{
-				"-i", ifaceMock.Name(),
-				"-m", "conntrack",
-				"--ctstate", "NEW",
-				"-s", testCase.InputPair.Source.String(),
-				"-d", testCase.InputPair.Destination.String(),
-				"-j", "MARK", "--set-mark",
-				fmt.Sprintf("%#x", nbnet.PreroutingFwmarkMasquerade),
-			}
+			natRule := genRuleSpec(routingFinalNatJump, testCase.InputPair.Source, testCase.InputPair.Destination, ifaceMock.Name(), false)
 
-			exists, err := iptablesClient.Exists(tableMangle, chainRTPRE, markingRule...)
-			require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableMangle, chainRTPRE)
+			exists, err := iptablesClient.Exists(tableNat, chainRTNAT, natRule...)
+			require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableNat, chainRTNAT)
 			if testCase.InputPair.Masquerade {
-				require.True(t, exists, "marking rule should be created")
-				foundRule, found := manager.rules[natRuleKey]
-				require.True(t, found, "marking rule should exist in the map")
-				require.Equal(t, markingRule, foundRule, "stored marking rule should match")
+				require.True(t, exists, "nat rule should be created")
+				foundNatRule, foundNat := manager.rules[natRuleKey]
+				require.True(t, foundNat, "nat rule should exist in the map")
+				require.Equal(t, natRule[:4], foundNatRule[:4], "stored nat rule should match")
 			} else {
-				require.False(t, exists, "marking rule should not be created")
-				_, found := manager.rules[natRuleKey]
-				require.False(t, found, "marking rule should not exist in the map")
+				require.False(t, exists, "nat rule should not be created")
+				_, foundNat := manager.rules[natRuleKey]
+				require.False(t, foundNat, "nat rule should not exist in the map")
 			}
 
-			// Check inverse rule
-			inversePair := firewall.GetInversePair(testCase.InputPair)
-			inverseRuleKey := firewall.GenKey(firewall.NatFormat, inversePair)
-			inverseMarkingRule := []string{
-				"!", "-i", ifaceMock.Name(),
-				"-m", "conntrack",
-				"--ctstate", "NEW",
-				"-s", inversePair.Source.String(),
-				"-d", inversePair.Destination.String(),
-				"-j", "MARK", "--set-mark",
-				fmt.Sprintf("%#x", nbnet.PreroutingFwmarkMasqueradeReturn),
-			}
+			inNatRuleKey := firewall.GenKey(firewall.NatFormat, firewall.GetInversePair(testCase.InputPair))
+			inNatRule := genRuleSpec(routingFinalNatJump, firewall.GetInversePair(testCase.InputPair).Source, firewall.GetInversePair(testCase.InputPair).Destination, ifaceMock.Name(), true)
 
-			exists, err = iptablesClient.Exists(tableMangle, chainRTPRE, inverseMarkingRule...)
-			require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableMangle, chainRTPRE)
+			exists, err = iptablesClient.Exists(tableNat, chainRTNAT, inNatRule...)
+			require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableNat, chainRTNAT)
 			if testCase.InputPair.Masquerade {
-				require.True(t, exists, "inverse marking rule should be created")
-				foundRule, found := manager.rules[inverseRuleKey]
-				require.True(t, found, "inverse marking rule should exist in the map")
-				require.Equal(t, inverseMarkingRule, foundRule, "stored inverse marking rule should match")
+				require.True(t, exists, "income nat rule should be created")
+				foundNatRule, foundNat := manager.rules[inNatRuleKey]
+				require.True(t, foundNat, "income nat rule should exist in the map")
+				require.Equal(t, inNatRule[:4], foundNatRule[:4], "stored income nat rule should match")
 			} else {
-				require.False(t, exists, "inverse marking rule should not be created")
-				_, found := manager.rules[inverseRuleKey]
-				require.False(t, found, "inverse marking rule should not exist in the map")
+				require.False(t, exists, "nat rule should not be created")
+				_, foundNat := manager.rules[inNatRuleKey]
+				require.False(t, foundNat, "income nat rule should not exist in the map")
 			}
 		})
 	}
 }
 
 func TestIptablesManager_RemoveNatRule(t *testing.T) {
+
 	if !isIptablesSupported() {
 		t.SkipNow()
 	}
@@ -159,52 +137,42 @@ func TestIptablesManager_RemoveNatRule(t *testing.T) {
 			require.NoError(t, err, "shouldn't return error")
 			require.NoError(t, manager.init(nil))
 			defer func() {
-				assert.NoError(t, manager.Reset(), "shouldn't return error")
+				_ = manager.Reset()
 			}()
 
-			err = manager.AddNatRule(testCase.InputPair)
-			require.NoError(t, err, "should add NAT rule without error")
+			require.NoError(t, err, "shouldn't return error")
+
+			natRuleKey := firewall.GenKey(firewall.NatFormat, testCase.InputPair)
+			natRule := genRuleSpec(routingFinalNatJump, testCase.InputPair.Source, testCase.InputPair.Destination, ifaceMock.Name(), false)
+
+			err = iptablesClient.Insert(tableNat, chainRTNAT, 1, natRule...)
+			require.NoError(t, err, "inserting rule should not return error")
+
+			inNatRuleKey := firewall.GenKey(firewall.NatFormat, firewall.GetInversePair(testCase.InputPair))
+			inNatRule := genRuleSpec(routingFinalNatJump, firewall.GetInversePair(testCase.InputPair).Source, firewall.GetInversePair(testCase.InputPair).Destination, ifaceMock.Name(), true)
+
+			err = iptablesClient.Insert(tableNat, chainRTNAT, 1, inNatRule...)
+			require.NoError(t, err, "inserting rule should not return error")
+
+			err = manager.Reset()
+			require.NoError(t, err, "shouldn't return error")
 
 			err = manager.RemoveNatRule(testCase.InputPair)
 			require.NoError(t, err, "shouldn't return error")
 
-			natRuleKey := firewall.GenKey(firewall.NatFormat, testCase.InputPair)
-			markingRule := []string{
-				"-i", ifaceMock.Name(),
-				"-m", "conntrack",
-				"--ctstate", "NEW",
-				"-s", testCase.InputPair.Source.String(),
-				"-d", testCase.InputPair.Destination.String(),
-				"-j", "MARK", "--set-mark",
-				fmt.Sprintf("%#x", nbnet.PreroutingFwmarkMasquerade),
-			}
-
-			exists, err := iptablesClient.Exists(tableMangle, chainRTPRE, markingRule...)
-			require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableMangle, chainRTPRE)
-			require.False(t, exists, "marking rule should not exist")
+			exists, err := iptablesClient.Exists(tableNat, chainRTNAT, natRule...)
+			require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableNat, chainRTNAT)
+			require.False(t, exists, "nat rule should not exist")
 
 			_, found := manager.rules[natRuleKey]
-			require.False(t, found, "marking rule should not exist in the manager map")
+			require.False(t, found, "nat rule should exist in the manager map")
 
-			// Check inverse rule removal
-			inversePair := firewall.GetInversePair(testCase.InputPair)
-			inverseRuleKey := firewall.GenKey(firewall.NatFormat, inversePair)
-			inverseMarkingRule := []string{
-				"!", "-i", ifaceMock.Name(),
-				"-m", "conntrack",
-				"--ctstate", "NEW",
-				"-s", inversePair.Source.String(),
-				"-d", inversePair.Destination.String(),
-				"-j", "MARK", "--set-mark",
-				fmt.Sprintf("%#x", nbnet.PreroutingFwmarkMasqueradeReturn),
-			}
+			exists, err = iptablesClient.Exists(tableNat, chainRTNAT, inNatRule...)
+			require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableNat, chainRTNAT)
+			require.False(t, exists, "income nat rule should not exist")
 
-			exists, err = iptablesClient.Exists(tableMangle, chainRTPRE, inverseMarkingRule...)
-			require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableMangle, chainRTPRE)
-			require.False(t, exists, "inverse marking rule should not exist")
-
-			_, found = manager.rules[inverseRuleKey]
-			require.False(t, found, "inverse marking rule should not exist in the map")
+			_, found = manager.rules[inNatRuleKey]
+			require.False(t, found, "income nat rule should exist in the manager map")
 		})
 	}
 }
@@ -243,7 +211,7 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 			destination: netip.MustParsePrefix("10.0.0.0/24"),
 			proto:       firewall.ProtocolTCP,
 			sPort:       nil,
-			dPort:       &firewall.Port{Values: []uint16{80}},
+			dPort:       &firewall.Port{Values: []int{80}},
 			direction:   firewall.RuleDirectionIN,
 			action:      firewall.ActionAccept,
 			expectSet:   false,
@@ -256,7 +224,7 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 			},
 			destination: netip.MustParsePrefix("10.0.0.0/8"),
 			proto:       firewall.ProtocolUDP,
-			sPort:       &firewall.Port{Values: []uint16{1024, 2048}, IsRange: true},
+			sPort:       &firewall.Port{Values: []int{1024, 2048}, IsRange: true},
 			dPort:       nil,
 			direction:   firewall.RuleDirectionOUT,
 			action:      firewall.ActionDrop,
@@ -289,7 +257,7 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 			sources:     []netip.Prefix{netip.MustParsePrefix("172.16.0.0/12")},
 			destination: netip.MustParsePrefix("192.168.0.0/16"),
 			proto:       firewall.ProtocolTCP,
-			sPort:       &firewall.Port{Values: []uint16{80, 443, 8080}},
+			sPort:       &firewall.Port{Values: []int{80, 443, 8080}},
 			dPort:       nil,
 			direction:   firewall.RuleDirectionOUT,
 			action:      firewall.ActionAccept,
@@ -301,7 +269,7 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 			destination: netip.MustParsePrefix("10.0.0.0/24"),
 			proto:       firewall.ProtocolUDP,
 			sPort:       nil,
-			dPort:       &firewall.Port{Values: []uint16{5000, 5100}, IsRange: true},
+			dPort:       &firewall.Port{Values: []int{5000, 5100}, IsRange: true},
 			direction:   firewall.RuleDirectionIN,
 			action:      firewall.ActionDrop,
 			expectSet:   false,
@@ -311,8 +279,8 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 			sources:     []netip.Prefix{netip.MustParsePrefix("10.0.0.0/24")},
 			destination: netip.MustParsePrefix("172.16.0.0/16"),
 			proto:       firewall.ProtocolTCP,
-			sPort:       &firewall.Port{Values: []uint16{1024, 65535}, IsRange: true},
-			dPort:       &firewall.Port{Values: []uint16{22}},
+			sPort:       &firewall.Port{Values: []int{1024, 65535}, IsRange: true},
+			dPort:       &firewall.Port{Values: []int{22}},
 			direction:   firewall.RuleDirectionOUT,
 			action:      firewall.ActionAccept,
 			expectSet:   false,
@@ -332,44 +300,38 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			ruleKey, err := r.AddRouteFiltering(nil, tt.sources, firewall.Network{Prefix: tt.destination}, tt.proto, tt.sPort, tt.dPort, tt.action)
+			ruleKey, err := r.AddRouteFiltering(tt.sources, tt.destination, tt.proto, tt.sPort, tt.dPort, tt.action)
 			require.NoError(t, err, "AddRouteFiltering failed")
 
 			// Check if the rule is in the internal map
-			rule, ok := r.rules[ruleKey.ID()]
+			rule, ok := r.rules[ruleKey.GetRuleID()]
 			assert.True(t, ok, "Rule not found in internal map")
 
 			// Log the internal rule
 			t.Logf("Internal rule: %v", rule)
 
 			// Check if the rule exists in iptables
-			exists, err := iptablesClient.Exists(tableFilter, chainRTFWDIN, rule...)
+			exists, err := iptablesClient.Exists(tableFilter, chainRTFWD, rule...)
 			assert.NoError(t, err, "Failed to check rule existence")
 			assert.True(t, exists, "Rule not found in iptables")
 
-			var source firewall.Network
-			if len(tt.sources) > 1 {
-				source.Set = firewall.NewPrefixSet(tt.sources)
-			} else if len(tt.sources) > 0 {
-				source.Prefix = tt.sources[0]
-			}
 			// Verify rule content
 			params := routeFilteringRuleParams{
-				Source:      source,
-				Destination: firewall.Network{Prefix: tt.destination},
+				Sources:     tt.sources,
+				Destination: tt.destination,
 				Proto:       tt.proto,
 				SPort:       tt.sPort,
 				DPort:       tt.dPort,
 				Action:      tt.action,
+				SetName:     "",
 			}
 
-			expectedRule, err := r.genRouteRuleSpec(params, nil)
-			require.NoError(t, err, "Failed to generate expected rule spec")
+			expectedRule := genRouteFilteringRuleSpec(params)
 
 			if tt.expectSet {
-				setName := firewall.NewPrefixSet(tt.sources).HashedName()
-				expectedRule, err = r.genRouteRuleSpec(params, nil)
-				require.NoError(t, err, "Failed to generate expected rule spec with set")
+				setName := firewall.GenerateSetName(tt.sources)
+				params.SetName = setName
+				expectedRule = genRouteFilteringRuleSpec(params)
 
 				// Check if the set was created
 				_, exists := r.ipsetCounter.Get(setName)
@@ -384,62 +346,3 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 		})
 	}
 }
-
-func TestFindSetNameInRule(t *testing.T) {
-	r := &router{}
-
-	testCases := []struct {
-		name     string
-		rule     []string
-		expected []string
-	}{
-		{
-			name: "Basic rule with two sets",
-			rule: []string{
-				"-A", "NETBIRD-RT-FWD-IN", "-p", "tcp", "-m", "set", "--match-set", "nb-2e5a2a05", "src",
-				"-m", "set", "--match-set", "nb-349ae051", "dst", "-m", "tcp", "--dport", "8080", "-j", "ACCEPT",
-			},
-			expected: []string{"nb-2e5a2a05", "nb-349ae051"},
-		},
-		{
-			name:     "No sets",
-			rule:     []string{"-A", "NETBIRD-RT-FWD-IN", "-p", "tcp", "-j", "ACCEPT"},
-			expected: []string{},
-		},
-		{
-			name: "Multiple sets with different positions",
-			rule: []string{
-				"-m", "set", "--match-set", "set1", "src", "-p", "tcp",
-				"-m", "set", "--match-set", "set-abc123", "dst", "-j", "ACCEPT",
-			},
-			expected: []string{"set1", "set-abc123"},
-		},
-		{
-			name:     "Boundary case - sequence appears at end",
-			rule:     []string{"-p", "tcp", "-m", "set", "--match-set", "final-set"},
-			expected: []string{"final-set"},
-		},
-		{
-			name:     "Incomplete pattern - missing set name",
-			rule:     []string{"-p", "tcp", "-m", "set", "--match-set"},
-			expected: []string{},
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			result := r.findSets(tc.rule)
-
-			if len(result) != len(tc.expected) {
-				t.Errorf("Expected %d sets, got %d. Sets found: %v", len(tc.expected), len(result), result)
-				return
-			}
-
-			for i, set := range result {
-				if set != tc.expected[i] {
-					t.Errorf("Expected set %q at position %d, got %q", tc.expected[i], i, set)
-				}
-			}
-		})
-	}
-}

client/firewall/iptables/rule.go

@@ -5,13 +5,12 @@ type Rule struct {
 	ruleID    string
 	ipsetName string
 
-	specs       []string
-	mangleSpecs []string
-	ip          string
-	chain       string
+	specs []string
+	ip    string
+	chain string
 }
 
 // GetRuleID returns the rule id
-func (r *Rule) ID() string {
+func (r *Rule) GetRuleID() string {
 	return r.ruleID
 }

client/firewall/iptables/rulestore_linux.go

@@ -37,11 +37,6 @@ func (s *ipList) UnmarshalJSON(data []byte) error {
 		return err
 	}
 	s.ips = temp.IPs
-
-	if temp.IPs == nil {
-		temp.IPs = make(map[string]struct{})
-	}
-
 	return nil
 }
 
@@ -94,10 +89,5 @@ func (s *ipsetStore) UnmarshalJSON(data []byte) error {
 		return err
 	}
 	s.ipsets = temp.IPSets
-
-	if temp.IPSets == nil {
-		temp.IPSets = make(map[string]*ipList)
-	}
-
 	return nil
 }

client/firewall/iptables/state_linux.go

@@ -4,20 +4,21 @@ import (
 	"fmt"
 	"sync"
 
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
+	"github.com/netbirdio/netbird/client/iface"
+	"github.com/netbirdio/netbird/client/iface/device"
 )
 
 type InterfaceState struct {
-	NameStr       string         `json:"name"`
-	WGAddress     wgaddr.Address `json:"wg_address"`
-	UserspaceBind bool           `json:"userspace_bind"`
+	NameStr       string          `json:"name"`
+	WGAddress     iface.WGAddress `json:"wg_address"`
+	UserspaceBind bool            `json:"userspace_bind"`
 }
 
 func (i *InterfaceState) Name() string {
 	return i.NameStr
 }
 
-func (i *InterfaceState) Address() wgaddr.Address {
+func (i *InterfaceState) Address() device.WGAddress {
 	return i.WGAddress
 }
 
@@ -61,7 +62,7 @@ func (s *ShutdownState) Cleanup() error {
 		ipt.aclMgr.ipsetStore = s.ACLIPsetStore
 	}
 
-	if err := ipt.Close(nil); err != nil {
+	if err := ipt.Reset(nil); err != nil {
 		return fmt.Errorf("reset iptables manager: %w", err)
 	}
 

client/firewall/manager/firewall.go

@@ -1,10 +1,13 @@
 package manager
 
 import (
+	"crypto/sha256"
+	"encoding/hex"
 	"fmt"
 	"net"
 	"net/netip"
 	"sort"
+	"strings"
 
 	log "github.com/sirupsen/logrus"
 
@@ -14,7 +17,6 @@ import (
 const (
 	ForwardingFormatPrefix = "netbird-fwd-"
 	ForwardingFormat       = "netbird-fwd-%s-%t"
-	PreroutingFormat       = "netbird-prerouting-%s-%t"
 	NatFormat              = "netbird-nat-%s-%t"
 )
 
@@ -23,8 +25,8 @@ const (
 // Each firewall type for different OS can use different type
 // of the properties to hold data of the created rule
 type Rule interface {
-	// ID returns the rule id
-	ID() string
+	// GetRuleID returns the rule id
+	GetRuleID() string
 }
 
 // RuleDirection is the traffic direction which a rule is applied
@@ -40,18 +42,6 @@ const (
 // Action is the action to be taken on a rule
 type Action int
 
-// String returns the string representation of the action
-func (a Action) String() string {
-	switch a {
-	case ActionAccept:
-		return "accept"
-	case ActionDrop:
-		return "drop"
-	default:
-		return "unknown"
-	}
-}
-
 const (
 	// ActionAccept is the action to accept a packet
 	ActionAccept Action = iota
@@ -59,33 +49,6 @@ const (
 	ActionDrop
 )
 
-// Network is a rule destination, either a set or a prefix
-type Network struct {
-	Set    Set
-	Prefix netip.Prefix
-}
-
-// String returns the string representation of the destination
-func (d Network) String() string {
-	if d.Prefix.IsValid() {
-		return d.Prefix.String()
-	}
-	if d.IsSet() {
-		return d.Set.HashedName()
-	}
-	return "<invalid network>"
-}
-
-// IsSet returns true if the destination is a set
-func (d Network) IsSet() bool {
-	return d.Set != Set{}
-}
-
-// IsPrefix returns true if the destination is a valid prefix
-func (d Network) IsPrefix() bool {
-	return d.Prefix.IsValid()
-}
-
 // Manager is the high level abstraction of a firewall manager
 //
 // It declares methods which handle actions required by the
@@ -101,13 +64,14 @@ type Manager interface {
 	// If comment argument is empty firewall manager should set
 	// rule ID as comment for the rule
 	AddPeerFiltering(
-		id []byte,
 		ip net.IP,
 		proto Protocol,
 		sPort *Port,
 		dPort *Port,
+		direction RuleDirection,
 		action Action,
 		ipsetName string,
+		comment string,
 	) ([]Rule, error)
 
 	// DeletePeerRule from the firewall by rule definition
@@ -116,14 +80,7 @@ type Manager interface {
 	// IsServerRouteSupported returns true if the firewall supports server side routing operations
 	IsServerRouteSupported() bool
 
-	AddRouteFiltering(
-		id []byte,
-		sources []netip.Prefix,
-		destination Network,
-		proto Protocol,
-		sPort, dPort *Port,
-		action Action,
-	) (Rule, error)
+	AddRouteFiltering(source []netip.Prefix, destination netip.Prefix, proto Protocol, sPort *Port, dPort *Port, action Action) (Rule, error)
 
 	// DeleteRouteRule deletes a routing rule
 	DeleteRouteRule(rule Rule) error
@@ -137,26 +94,11 @@ type Manager interface {
 	// SetLegacyManagement sets the legacy management mode
 	SetLegacyManagement(legacy bool) error
 
-	// Close closes the firewall manager
-	Close(stateManager *statemanager.Manager) error
+	// Reset firewall to the default state
+	Reset(stateManager *statemanager.Manager) error
 
 	// Flush the changes to firewall controller
 	Flush() error
-
-	SetLogLevel(log.Level)
-
-	EnableRouting() error
-
-	DisableRouting() error
-
-	// AddDNATRule adds a DNAT rule
-	AddDNATRule(ForwardRule) (Rule, error)
-
-	// DeleteDNATRule deletes a DNAT rule
-	DeleteDNATRule(Rule) error
-
-	// UpdateSet updates the set with the given prefixes
-	UpdateSet(hash Set, prefixes []netip.Prefix) error
 }
 
 func GenKey(format string, pair RouterPair) string {
@@ -191,6 +133,22 @@ func SetLegacyManagement(router LegacyManager, isLegacy bool) error {
 	return nil
 }
 
+// GenerateSetName generates a unique name for an ipset based on the given sources.
+func GenerateSetName(sources []netip.Prefix) string {
+	// sort for consistent naming
+	SortPrefixes(sources)
+
+	var sourcesStr strings.Builder
+	for _, src := range sources {
+		sourcesStr.WriteString(src.String())
+	}
+
+	hash := sha256.Sum256([]byte(sourcesStr.String()))
+	shortHash := hex.EncodeToString(hash[:])[:8]
+
+	return fmt.Sprintf("nb-%s", shortHash)
+}
+
 // MergeIPRanges merges overlapping IP ranges and returns a slice of non-overlapping netip.Prefix
 func MergeIPRanges(prefixes []netip.Prefix) []netip.Prefix {
 	if len(prefixes) == 0 {

client/firewall/manager/firewall_test.go

@@ -20,8 +20,8 @@ func TestGenerateSetName(t *testing.T) {
 			netip.MustParsePrefix("192.168.1.0/24"),
 		}
 
-		result1 := manager.NewPrefixSet(prefixes1)
-		result2 := manager.NewPrefixSet(prefixes2)
+		result1 := manager.GenerateSetName(prefixes1)
+		result2 := manager.GenerateSetName(prefixes2)
 
 		if result1 != result2 {
 			t.Errorf("Different orders produced different hashes: %s != %s", result1, result2)
@@ -34,9 +34,9 @@ func TestGenerateSetName(t *testing.T) {
 			netip.MustParsePrefix("10.0.0.0/8"),
 		}
 
-		result := manager.NewPrefixSet(prefixes)
+		result := manager.GenerateSetName(prefixes)
 
-		matched, err := regexp.MatchString(`^nb-[0-9a-f]{8}$`, result.HashedName())
+		matched, err := regexp.MatchString(`^nb-[0-9a-f]{8}$`, result)
 		if err != nil {
 			t.Fatalf("Error matching regex: %v", err)
 		}
@@ -46,8 +46,8 @@ func TestGenerateSetName(t *testing.T) {
 	})
 
 	t.Run("Empty input produces consistent result", func(t *testing.T) {
-		result1 := manager.NewPrefixSet([]netip.Prefix{})
-		result2 := manager.NewPrefixSet([]netip.Prefix{})
+		result1 := manager.GenerateSetName([]netip.Prefix{})
+		result2 := manager.GenerateSetName([]netip.Prefix{})
 
 		if result1 != result2 {
 			t.Errorf("Empty input produced inconsistent results: %s != %s", result1, result2)
@@ -64,8 +64,8 @@ func TestGenerateSetName(t *testing.T) {
 			netip.MustParsePrefix("192.168.1.0/24"),
 		}
 
-		result1 := manager.NewPrefixSet(prefixes1)
-		result2 := manager.NewPrefixSet(prefixes2)
+		result1 := manager.GenerateSetName(prefixes1)
+		result2 := manager.GenerateSetName(prefixes2)
 
 		if result1 != result2 {
 			t.Errorf("Different orders of IPv4 and IPv6 produced different hashes: %s != %s", result1, result2)

client/firewall/manager/forward_rule.go

@@ -1,27 +0,0 @@
-package manager
-
-import (
-	"fmt"
-	"net/netip"
-)
-
-// ForwardRule todo figure out better place to this to avoid circular imports
-type ForwardRule struct {
-	Protocol          Protocol
-	DestinationPort   Port
-	TranslatedAddress netip.Addr
-	TranslatedPort    Port
-}
-
-func (r ForwardRule) ID() string {
-	id := fmt.Sprintf("%s;%s;%s;%s",
-		r.Protocol,
-		r.DestinationPort.String(),
-		r.TranslatedAddress.String(),
-		r.TranslatedPort.String())
-	return id
-}
-
-func (r ForwardRule) String() string {
-	return fmt.Sprintf("protocol: %s, destinationPort: %s, translatedAddress: %s, translatedPort: %s", r.Protocol, r.DestinationPort.String(), r.TranslatedAddress.String(), r.TranslatedPort.String())
-}

client/firewall/manager/port.go

@@ -1,37 +1,36 @@
 package manager
 
 import (
-	"fmt"
 	"strconv"
 )
 
+// Protocol is the protocol of the port
+type Protocol string
+
+const (
+	// ProtocolTCP is the TCP protocol
+	ProtocolTCP Protocol = "tcp"
+
+	// ProtocolUDP is the UDP protocol
+	ProtocolUDP Protocol = "udp"
+
+	// ProtocolICMP is the ICMP protocol
+	ProtocolICMP Protocol = "icmp"
+
+	// ProtocolALL cover all supported protocols
+	ProtocolALL Protocol = "all"
+
+	// ProtocolUnknown unknown protocol
+	ProtocolUnknown Protocol = "unknown"
+)
+
 // Port of the address for firewall rule
-// todo Move Protocol and Port and RouterPair to the Firwall package or a separate package
 type Port struct {
 	// IsRange is true Values contains two values, the first is the start port, the second is the end port
 	IsRange bool
 
 	// Values contains one value for single port, multiple values for the list of ports, or two values for the range of ports
-	Values []uint16
-}
-
-func NewPort(ports ...int) (*Port, error) {
-	if len(ports) == 0 {
-		return nil, fmt.Errorf("no port provided")
-	}
-
-	ports16 := make([]uint16, len(ports))
-	for i, port := range ports {
-		if port < 1 || port > 65535 {
-			return nil, fmt.Errorf("invalid port number: %d (must be between 1-65535)", port)
-		}
-		ports16[i] = uint16(port)
-	}
-
-	return &Port{
-		IsRange: len(ports) > 1,
-		Values:  ports16,
-	}, nil
+	Values []int
 }
 
 // String interface implementation
@@ -41,11 +40,7 @@ func (p *Port) String() string {
 		if ports != "" {
 			ports += ","
 		}
-		ports += strconv.Itoa(int(port))
+		ports += strconv.Itoa(port)
 	}
-	if p.IsRange {
-		ports = "range:" + ports
-	}
-
 	return ports
 }

client/firewall/manager/protocol.go

@@ -1,19 +0,0 @@
-package manager
-
-// Protocol is the protocol of the port
-// todo Move Protocol and Port and RouterPair to the Firwall package or a separate package
-type Protocol string
-
-const (
-	// ProtocolTCP is the TCP protocol
-	ProtocolTCP Protocol = "tcp"
-
-	// ProtocolUDP is the UDP protocol
-	ProtocolUDP Protocol = "udp"
-
-	// ProtocolICMP is the ICMP protocol
-	ProtocolICMP Protocol = "icmp"
-
-	// ProtocolALL cover all supported protocols
-	ProtocolALL Protocol = "all"
-)

client/firewall/manager/routerpair.go

@@ -1,13 +1,15 @@
 package manager
 
 import (
+	"net/netip"
+
 	"github.com/netbirdio/netbird/route"
 )
 
 type RouterPair struct {
 	ID          route.ID
-	Source      Network
-	Destination Network
+	Source      netip.Prefix
+	Destination netip.Prefix
 	Masquerade  bool
 	Inverse     bool
 }

client/firewall/manager/set.go

@@ -1,74 +0,0 @@
-package manager
-
-import (
-	"crypto/sha256"
-	"encoding/hex"
-	"fmt"
-	"net/netip"
-	"slices"
-
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/management/domain"
-)
-
-type Set struct {
-	hash    [4]byte
-	comment string
-}
-
-// String returns the string representation of the set: hashed name and comment
-func (h Set) String() string {
-	if h.comment == "" {
-		return h.HashedName()
-	}
-	return h.HashedName() + ": " + h.comment
-}
-
-// HashedName returns the string representation of the hash
-func (h Set) HashedName() string {
-	return fmt.Sprintf(
-		"nb-%s",
-		hex.EncodeToString(h.hash[:]),
-	)
-}
-
-// Comment returns the comment of the set
-func (h Set) Comment() string {
-	return h.comment
-}
-
-// NewPrefixSet generates a unique name for an ipset based on the given prefixes.
-func NewPrefixSet(prefixes []netip.Prefix) Set {
-	// sort for consistent naming
-	SortPrefixes(prefixes)
-
-	hash := sha256.New()
-	for _, src := range prefixes {
-		bytes, err := src.MarshalBinary()
-		if err != nil {
-			log.Warnf("failed to marshal prefix %s: %v", src, err)
-		}
-		hash.Write(bytes)
-	}
-	var set Set
-	copy(set.hash[:], hash.Sum(nil)[:4])
-
-	return set
-}
-
-// NewDomainSet generates a unique name for an ipset based on the given domains.
-func NewDomainSet(domains domain.List) Set {
-	slices.Sort(domains)
-
-	hash := sha256.New()
-	for _, d := range domains {
-		hash.Write([]byte(d.PunycodeString()))
-	}
-	set := Set{
-		comment: domains.SafeString(),
-	}
-	copy(set.hash[:], hash.Sum(nil)[:4])
-
-	return set
-}

client/firewall/nftables/acl_linux.go

@@ -2,9 +2,10 @@ package nftables
 
 import (
 	"bytes"
+	"encoding/binary"
 	"fmt"
 	"net"
-	"slices"
+	"net/netip"
 	"strconv"
 	"strings"
 	"time"
@@ -22,13 +23,14 @@ import (
 const (
 
 	// rules chains contains the effective ACL rules
-	chainNameInputRules = "netbird-acl-input-rules"
+	chainNameInputRules  = "netbird-acl-input-rules"
+	chainNameOutputRules = "netbird-acl-output-rules"
 
 	// filter chains contains the rules that jump to the rules chains
-	chainNameInputFilter       = "netbird-acl-input-filter"
-	chainNameForwardFilter     = "netbird-acl-forward-filter"
-	chainNameManglePrerouting  = "netbird-mangle-prerouting"
-	chainNameManglePostrouting = "netbird-mangle-postrouting"
+	chainNameInputFilter   = "netbird-acl-input-filter"
+	chainNameOutputFilter  = "netbird-acl-output-filter"
+	chainNameForwardFilter = "netbird-acl-forward-filter"
+	chainNamePrerouting    = "netbird-rt-prerouting"
 
 	allowNetbirdInputRuleID = "allow Netbird incoming traffic"
 )
@@ -45,9 +47,9 @@ type AclManager struct {
 	wgIface            iFaceMapper
 	routingFwChainName string
 
-	workTable       *nftables.Table
-	chainInputRules *nftables.Chain
-	chainPrerouting *nftables.Chain
+	workTable        *nftables.Table
+	chainInputRules  *nftables.Chain
+	chainOutputRules *nftables.Chain
 
 	ipsetStore *ipsetStore
 	rules      map[string]*Rule
@@ -85,13 +87,14 @@ func (m *AclManager) init(workTable *nftables.Table) error {
 // If comment argument is empty firewall manager should set
 // rule ID as comment for the rule
 func (m *AclManager) AddPeerFiltering(
-	id []byte,
 	ip net.IP,
 	proto firewall.Protocol,
 	sPort *firewall.Port,
 	dPort *firewall.Port,
+	direction firewall.RuleDirection,
 	action firewall.Action,
 	ipsetName string,
+	comment string,
 ) ([]firewall.Rule, error) {
 	var ipset *nftables.Set
 	if ipsetName != "" {
@@ -103,7 +106,7 @@ func (m *AclManager) AddPeerFiltering(
 	}
 
 	newRules := make([]firewall.Rule, 0, 2)
-	ioRule, err := m.addIOFiltering(ip, proto, sPort, dPort, action, ipset)
+	ioRule, err := m.addIOFiltering(ip, proto, sPort, dPort, direction, action, ipset, comment)
 	if err != nil {
 		return nil, err
 	}
@@ -120,32 +123,23 @@ func (m *AclManager) DeletePeerRule(rule firewall.Rule) error {
 	}
 
 	if r.nftSet == nil {
-		if err := m.rConn.DelRule(r.nftRule); err != nil {
+		err := m.rConn.DelRule(r.nftRule)
+		if err != nil {
 			log.Errorf("failed to delete rule: %v", err)
 		}
-		if r.mangleRule != nil {
-			if err := m.rConn.DelRule(r.mangleRule); err != nil {
-				log.Errorf("failed to delete mangle rule: %v", err)
-			}
-		}
-		delete(m.rules, r.ID())
+		delete(m.rules, r.GetRuleID())
 		return m.rConn.Flush()
 	}
 
 	ips, ok := m.ipsetStore.ips(r.nftSet.Name)
 	if !ok {
-		if err := m.rConn.DelRule(r.nftRule); err != nil {
+		err := m.rConn.DelRule(r.nftRule)
+		if err != nil {
 			log.Errorf("failed to delete rule: %v", err)
 		}
-		if r.mangleRule != nil {
-			if err := m.rConn.DelRule(r.mangleRule); err != nil {
-				log.Errorf("failed to delete mangle rule: %v", err)
-			}
-		}
-		delete(m.rules, r.ID())
+		delete(m.rules, r.GetRuleID())
 		return m.rConn.Flush()
 	}
-
 	if _, ok := ips[r.ip.String()]; ok {
 		err := m.sConn.SetDeleteElements(r.nftSet, []nftables.SetElement{{Key: r.ip.To4()}})
 		if err != nil {
@@ -164,20 +158,16 @@ func (m *AclManager) DeletePeerRule(rule firewall.Rule) error {
 		return nil
 	}
 
-	if err := m.rConn.DelRule(r.nftRule); err != nil {
+	err := m.rConn.DelRule(r.nftRule)
+	if err != nil {
 		log.Errorf("failed to delete rule: %v", err)
 	}
-	if r.mangleRule != nil {
-		if err := m.rConn.DelRule(r.mangleRule); err != nil {
-			log.Errorf("failed to delete mangle rule: %v", err)
-		}
-	}
-
-	if err := m.rConn.Flush(); err != nil {
+	err = m.rConn.Flush()
+	if err != nil {
 		return err
 	}
 
-	delete(m.rules, r.ID())
+	delete(m.rules, r.GetRuleID())
 	m.ipsetStore.DeleteReferenceFromIpSet(r.nftSet.Name)
 
 	if m.ipsetStore.HasReferenceToSet(r.nftSet.Name) {
@@ -226,6 +216,38 @@ func (m *AclManager) createDefaultAllowRules() error {
 		Exprs:    expIn,
 	})
 
+	expOut := []expr.Any{
+		&expr.Payload{
+			DestRegister: 1,
+			Base:         expr.PayloadBaseNetworkHeader,
+			Offset:       16,
+			Len:          4,
+		},
+		// mask
+		&expr.Bitwise{
+			SourceRegister: 1,
+			DestRegister:   1,
+			Len:            4,
+			Mask:           []byte{0, 0, 0, 0},
+			Xor:            []byte{0, 0, 0, 0},
+		},
+		// net address
+		&expr.Cmp{
+			Register: 1,
+			Data:     []byte{0, 0, 0, 0},
+		},
+		&expr.Verdict{
+			Kind: expr.VerdictAccept,
+		},
+	}
+
+	_ = m.rConn.InsertRule(&nftables.Rule{
+		Table:    m.workTable,
+		Chain:    m.chainOutputRules,
+		Position: 0,
+		Exprs:    expOut,
+	})
+
 	if err := m.rConn.Flush(); err != nil {
 		return fmt.Errorf(flushError, err)
 	}
@@ -240,32 +262,25 @@ func (m *AclManager) Flush() error {
 		return err
 	}
 
-	if err := m.refreshRuleHandles(m.chainInputRules, false); err != nil {
+	if err := m.refreshRuleHandles(m.chainInputRules); err != nil {
 		log.Errorf("failed to refresh rule handles ipv4 input chain: %v", err)
 	}
-	if err := m.refreshRuleHandles(m.chainPrerouting, true); err != nil {
-		log.Errorf("failed to refresh rule handles prerouting chain: %v", err)
+
+	if err := m.refreshRuleHandles(m.chainOutputRules); err != nil {
+		log.Errorf("failed to refresh rule handles IPv4 output chain: %v", err)
 	}
 
 	return nil
 }
 
-func (m *AclManager) addIOFiltering(
-	ip net.IP,
-	proto firewall.Protocol,
-	sPort *firewall.Port,
-	dPort *firewall.Port,
-	action firewall.Action,
-	ipset *nftables.Set,
-) (*Rule, error) {
-	ruleId := generatePeerRuleId(ip, sPort, dPort, action, ipset)
+func (m *AclManager) addIOFiltering(ip net.IP, proto firewall.Protocol, sPort *firewall.Port, dPort *firewall.Port, direction firewall.RuleDirection, action firewall.Action, ipset *nftables.Set, comment string) (*Rule, error) {
+	ruleId := generatePeerRuleId(ip, sPort, dPort, direction, action, ipset)
 	if r, ok := m.rules[ruleId]; ok {
 		return &Rule{
-			nftRule:    r.nftRule,
-			mangleRule: r.mangleRule,
-			nftSet:     r.nftSet,
-			ruleID:     r.ruleID,
-			ip:         ip,
+			r.nftRule,
+			r.nftSet,
+			r.ruleID,
+			ip,
 		}, nil
 	}
 
@@ -297,6 +312,9 @@ func (m *AclManager) addIOFiltering(
 	if !bytes.HasPrefix(anyIP, rawIP) {
 		// source address position
 		addrOffset := uint32(12)
+		if direction == firewall.RuleDirectionOUT {
+			addrOffset += 4 // is ipv4 address length
+		}
 
 		expressions = append(expressions,
 			&expr.Payload{
@@ -326,100 +344,73 @@ func (m *AclManager) addIOFiltering(
 		}
 	}
 
-	expressions = append(expressions, applyPort(sPort, true)...)
-	expressions = append(expressions, applyPort(dPort, false)...)
+	if sPort != nil && len(sPort.Values) != 0 {
+		expressions = append(expressions,
+			&expr.Payload{
+				DestRegister: 1,
+				Base:         expr.PayloadBaseTransportHeader,
+				Offset:       0,
+				Len:          2,
+			},
+			&expr.Cmp{
+				Op:       expr.CmpOpEq,
+				Register: 1,
+				Data:     encodePort(*sPort),
+			},
+		)
+	}
 
-	mainExpressions := slices.Clone(expressions)
+	if dPort != nil && len(dPort.Values) != 0 {
+		expressions = append(expressions,
+			&expr.Payload{
+				DestRegister: 1,
+				Base:         expr.PayloadBaseTransportHeader,
+				Offset:       2,
+				Len:          2,
+			},
+			&expr.Cmp{
+				Op:       expr.CmpOpEq,
+				Register: 1,
+				Data:     encodePort(*dPort),
+			},
+		)
+	}
 
 	switch action {
 	case firewall.ActionAccept:
-		mainExpressions = append(mainExpressions, &expr.Verdict{Kind: expr.VerdictAccept})
+		expressions = append(expressions, &expr.Verdict{Kind: expr.VerdictAccept})
 	case firewall.ActionDrop:
-		mainExpressions = append(mainExpressions, &expr.Verdict{Kind: expr.VerdictDrop})
+		expressions = append(expressions, &expr.Verdict{Kind: expr.VerdictDrop})
 	}
 
-	userData := []byte(ruleId)
+	userData := []byte(strings.Join([]string{ruleId, comment}, " "))
 
-	chain := m.chainInputRules
+	var chain *nftables.Chain
+	if direction == firewall.RuleDirectionIN {
+		chain = m.chainInputRules
+	} else {
+		chain = m.chainOutputRules
+	}
 	nftRule := m.rConn.AddRule(&nftables.Rule{
 		Table:    m.workTable,
 		Chain:    chain,
-		Exprs:    mainExpressions,
+		Exprs:    expressions,
 		UserData: userData,
 	})
 
-	if err := m.rConn.Flush(); err != nil {
-		return nil, fmt.Errorf(flushError, err)
-	}
-
 	rule := &Rule{
-		nftRule:    nftRule,
-		mangleRule: m.createPreroutingRule(expressions, userData),
-		nftSet:     ipset,
-		ruleID:     ruleId,
-		ip:         ip,
+		nftRule: nftRule,
+		nftSet:  ipset,
+		ruleID:  ruleId,
+		ip:      ip,
 	}
 	m.rules[ruleId] = rule
 	if ipset != nil {
 		m.ipsetStore.AddReferenceToIpset(ipset.Name)
 	}
-
 	return rule, nil
 }
 
-func (m *AclManager) createPreroutingRule(expressions []expr.Any, userData []byte) *nftables.Rule {
-	if m.chainPrerouting == nil {
-		log.Warn("prerouting chain is not created")
-		return nil
-	}
-
-	preroutingExprs := slices.Clone(expressions)
-
-	// interface
-	preroutingExprs = append([]expr.Any{
-		&expr.Meta{
-			Key:      expr.MetaKeyIIFNAME,
-			Register: 1,
-		},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 1,
-			Data:     ifname(m.wgIface.Name()),
-		},
-	}, preroutingExprs...)
-
-	// local destination and mark
-	preroutingExprs = append(preroutingExprs,
-		&expr.Fib{
-			Register:       1,
-			ResultADDRTYPE: true,
-			FlagDADDR:      true,
-		},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 1,
-			Data:     binaryutil.NativeEndian.PutUint32(unix.RTN_LOCAL),
-		},
-
-		&expr.Immediate{
-			Register: 1,
-			Data:     binaryutil.NativeEndian.PutUint32(nbnet.PreroutingFwmarkRedirected),
-		},
-		&expr.Meta{
-			Key:            expr.MetaKeyMARK,
-			Register:       1,
-			SourceRegister: true,
-		},
-	)
-
-	return m.rConn.AddRule(&nftables.Rule{
-		Table:    m.workTable,
-		Chain:    m.chainPrerouting,
-		Exprs:    preroutingExprs,
-		UserData: userData,
-	})
-}
-
 func (m *AclManager) createDefaultChains() (err error) {
 	// chainNameInputRules
 	chain := m.createChain(chainNameInputRules)
@@ -430,6 +421,15 @@ func (m *AclManager) createDefaultChains() (err error) {
 	}
 	m.chainInputRules = chain
 
+	// chainNameOutputRules
+	chain = m.createChain(chainNameOutputRules)
+	err = m.rConn.Flush()
+	if err != nil {
+		log.Debugf("failed to create chain (%s): %s", chainNameOutputRules, err)
+		return err
+	}
+	m.chainOutputRules = chain
+
 	// netbird-acl-input-filter
 	// type filter hook input priority filter; policy accept;
 	chain = m.createFilterChainWithHook(chainNameInputFilter, nftables.ChainHookInput)
@@ -441,6 +441,18 @@ func (m *AclManager) createDefaultChains() (err error) {
 		return err
 	}
 
+	// netbird-acl-output-filter
+	// type filter hook output priority filter; policy accept;
+	chain = m.createFilterChainWithHook(chainNameOutputFilter, nftables.ChainHookOutput)
+	m.addFwdAllow(chain, expr.MetaKeyOIFNAME)
+	m.addJumpRule(chain, m.chainOutputRules.Name, expr.MetaKeyOIFNAME) // to netbird-acl-output-rules
+	m.addDropExpressions(chain, expr.MetaKeyOIFNAME)
+	err = m.rConn.Flush()
+	if err != nil {
+		log.Debugf("failed to create chain (%s): %s", chainNameOutputFilter, err)
+		return err
+	}
+
 	// netbird-acl-forward-filter
 	chainFwFilter := m.createFilterChainWithHook(chainNameForwardFilter, nftables.ChainHookForward)
 	m.addJumpRulesToRtForward(chainFwFilter) // to netbird-rt-fwd
@@ -463,15 +475,15 @@ func (m *AclManager) createDefaultChains() (err error) {
 // go through the input filter as well. This will enable e.g. Docker services to keep working by accessing the
 // netbird peer IP.
 func (m *AclManager) allowRedirectedTraffic(chainFwFilter *nftables.Chain) error {
-	// Chain is created by route manager
-	// TODO: move creation to a common place
-	m.chainPrerouting = &nftables.Chain{
-		Name:     chainNameManglePrerouting,
+	preroutingChain := m.rConn.AddChain(&nftables.Chain{
+		Name:     chainNamePrerouting,
 		Table:    m.workTable,
 		Type:     nftables.ChainTypeFilter,
 		Hooknum:  nftables.ChainHookPrerouting,
 		Priority: nftables.ChainPriorityMangle,
-	}
+	})
+
+	m.addPreroutingRule(preroutingChain)
 
 	m.addFwmarkToForward(chainFwFilter)
 
@@ -482,6 +494,43 @@ func (m *AclManager) allowRedirectedTraffic(chainFwFilter *nftables.Chain) error
 	return nil
 }
 
+func (m *AclManager) addPreroutingRule(preroutingChain *nftables.Chain) {
+	m.rConn.AddRule(&nftables.Rule{
+		Table: m.workTable,
+		Chain: preroutingChain,
+		Exprs: []expr.Any{
+			&expr.Meta{
+				Key:      expr.MetaKeyIIFNAME,
+				Register: 1,
+			},
+			&expr.Cmp{
+				Op:       expr.CmpOpEq,
+				Register: 1,
+				Data:     ifname(m.wgIface.Name()),
+			},
+			&expr.Fib{
+				Register:       1,
+				ResultADDRTYPE: true,
+				FlagDADDR:      true,
+			},
+			&expr.Cmp{
+				Op:       expr.CmpOpEq,
+				Register: 1,
+				Data:     binaryutil.NativeEndian.PutUint32(unix.RTN_LOCAL),
+			},
+			&expr.Immediate{
+				Register: 1,
+				Data:     binaryutil.NativeEndian.PutUint32(nbnet.PreroutingFwmark),
+			},
+			&expr.Meta{
+				Key:            expr.MetaKeyMARK,
+				Register:       1,
+				SourceRegister: true,
+			},
+		},
+	})
+}
+
 func (m *AclManager) addFwmarkToForward(chainFwFilter *nftables.Chain) {
 	m.rConn.InsertRule(&nftables.Rule{
 		Table: m.workTable,
@@ -494,10 +543,11 @@ func (m *AclManager) addFwmarkToForward(chainFwFilter *nftables.Chain) {
 			&expr.Cmp{
 				Op:       expr.CmpOpEq,
 				Register: 1,
-				Data:     binaryutil.NativeEndian.PutUint32(nbnet.PreroutingFwmarkRedirected),
+				Data:     binaryutil.NativeEndian.PutUint32(nbnet.PreroutingFwmark),
 			},
 			&expr.Verdict{
-				Kind: expr.VerdictAccept,
+				Kind:  expr.VerdictJump,
+				Chain: m.chainInputRules.Name,
 			},
 		},
 	})
@@ -569,6 +619,45 @@ func (m *AclManager) addDropExpressions(chain *nftables.Chain, ifaceKey expr.Met
 	return nil
 }
 
+func (m *AclManager) addFwdAllow(chain *nftables.Chain, iifname expr.MetaKey) {
+	ip, _ := netip.AddrFromSlice(m.wgIface.Address().Network.IP.To4())
+	dstOp := expr.CmpOpNeq
+	expressions := []expr.Any{
+		&expr.Meta{Key: iifname, Register: 1},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     ifname(m.wgIface.Name()),
+		},
+		&expr.Payload{
+			DestRegister: 2,
+			Base:         expr.PayloadBaseNetworkHeader,
+			Offset:       16,
+			Len:          4,
+		},
+		&expr.Bitwise{
+			SourceRegister: 2,
+			DestRegister:   2,
+			Len:            4,
+			Xor:            []byte{0x0, 0x0, 0x0, 0x0},
+			Mask:           m.wgIface.Address().Network.Mask,
+		},
+		&expr.Cmp{
+			Op:       dstOp,
+			Register: 2,
+			Data:     ip.Unmap().AsSlice(),
+		},
+		&expr.Verdict{
+			Kind: expr.VerdictAccept,
+		},
+	}
+	_ = m.rConn.AddRule(&nftables.Rule{
+		Table: chain.Table,
+		Chain: chain,
+		Exprs: expressions,
+	})
+}
+
 func (m *AclManager) addJumpRule(chain *nftables.Chain, to string, ifaceKey expr.MetaKey) {
 	expressions := []expr.Any{
 		&expr.Meta{Key: ifaceKey, Register: 1},
@@ -644,7 +733,6 @@ func (m *AclManager) flushWithBackoff() (err error) {
 	for i := 0; ; i++ {
 		err = m.rConn.Flush()
 		if err != nil {
-			log.Debugf("failed to flush nftables: %v", err)
 			if !strings.Contains(err.Error(), "busy") {
 				return
 			}
@@ -661,7 +749,7 @@ func (m *AclManager) flushWithBackoff() (err error) {
 	return
 }
 
-func (m *AclManager) refreshRuleHandles(chain *nftables.Chain, mangle bool) error {
+func (m *AclManager) refreshRuleHandles(chain *nftables.Chain) error {
 	if m.workTable == nil || chain == nil {
 		return nil
 	}
@@ -678,19 +766,22 @@ func (m *AclManager) refreshRuleHandles(chain *nftables.Chain, mangle bool) erro
 		split := bytes.Split(rule.UserData, []byte(" "))
 		r, ok := m.rules[string(split[0])]
 		if ok {
-			if mangle {
-				*r.mangleRule = *rule
-			} else {
-				*r.nftRule = *rule
-			}
+			*r.nftRule = *rule
 		}
 	}
 
 	return nil
 }
 
-func generatePeerRuleId(ip net.IP, sPort *firewall.Port, dPort *firewall.Port, action firewall.Action, ipset *nftables.Set) string {
-	rulesetID := ":"
+func generatePeerRuleId(
+	ip net.IP,
+	sPort *firewall.Port,
+	dPort *firewall.Port,
+	direction firewall.RuleDirection,
+	action firewall.Action,
+	ipset *nftables.Set,
+) string {
+	rulesetID := ":" + strconv.Itoa(int(direction)) + ":"
 	if sPort != nil {
 		rulesetID += sPort.String()
 	}
@@ -706,6 +797,12 @@ func generatePeerRuleId(ip net.IP, sPort *firewall.Port, dPort *firewall.Port, a
 	return "set:" + ipset.Name + rulesetID
 }
 
+func encodePort(port firewall.Port) []byte {
+	bs := make([]byte, 2)
+	binary.BigEndian.PutUint16(bs, uint16(port.Values[0]))
+	return bs
+}
+
 func ifname(n string) []byte {
 	b := make([]byte, 16)
 	copy(b, n+"\x00")

client/firewall/nftables/manager_linux.go

@@ -14,7 +14,7 @@ import (
 	log "github.com/sirupsen/logrus"
 
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
+	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )
 
@@ -29,7 +29,7 @@ const (
 // iFaceMapper defines subset methods of interface required for manager
 type iFaceMapper interface {
 	Name() string
-	Address() wgaddr.Address
+	Address() iface.WGAddress
 	IsUserspaceBind() bool
 }
 
@@ -87,7 +87,7 @@ func (m *Manager) Init(stateManager *statemanager.Manager) error {
 	// We only need to record minimal interface state for potential recreation.
 	// Unlike iptables, which requires tracking individual rules, nftables maintains
 	// a known state (our netbird table plus a few static rules). This allows for easy
-	// cleanup using Close() without needing to store specific rules.
+	// cleanup using Reset() without needing to store specific rules.
 	if err := stateManager.UpdateState(&ShutdownState{
 		InterfaceState: &InterfaceState{
 			NameStr:       m.wgIface.Name(),
@@ -99,11 +99,9 @@ func (m *Manager) Init(stateManager *statemanager.Manager) error {
 	}
 
 	// persist early
-	go func() {
-		if err := stateManager.PersistState(context.Background()); err != nil {
-			log.Errorf("failed to persist state: %v", err)
-		}
-	}()
+	if err := stateManager.PersistState(context.Background()); err != nil {
+		log.Errorf("failed to persist state: %v", err)
+	}
 
 	return nil
 }
@@ -113,13 +111,14 @@ func (m *Manager) Init(stateManager *statemanager.Manager) error {
 // If comment argument is empty firewall manager should set
 // rule ID as comment for the rule
 func (m *Manager) AddPeerFiltering(
-	id []byte,
 	ip net.IP,
 	proto firewall.Protocol,
 	sPort *firewall.Port,
 	dPort *firewall.Port,
+	direction firewall.RuleDirection,
 	action firewall.Action,
 	ipsetName string,
+	comment string,
 ) ([]firewall.Rule, error) {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
@@ -129,25 +128,18 @@ func (m *Manager) AddPeerFiltering(
 		return nil, fmt.Errorf("unsupported IP version: %s", ip.String())
 	}
 
-	return m.aclManager.AddPeerFiltering(id, ip, proto, sPort, dPort, action, ipsetName)
+	return m.aclManager.AddPeerFiltering(ip, proto, sPort, dPort, direction, action, ipsetName, comment)
 }
 
-func (m *Manager) AddRouteFiltering(
-	id []byte,
-	sources []netip.Prefix,
-	destination firewall.Network,
-	proto firewall.Protocol,
-	sPort, dPort *firewall.Port,
-	action firewall.Action,
-) (firewall.Rule, error) {
+func (m *Manager) AddRouteFiltering(sources []netip.Prefix, destination netip.Prefix, proto firewall.Protocol, sPort *firewall.Port, dPort *firewall.Port, action firewall.Action) (firewall.Rule, error) {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
-	if destination.IsPrefix() && !destination.Prefix.Addr().Is4() {
-		return nil, fmt.Errorf("unsupported IP version: %s", destination.Prefix.Addr().String())
+	if !destination.Addr().Is4() {
+		return nil, fmt.Errorf("unsupported IP version: %s", destination.Addr().String())
 	}
 
-	return m.router.AddRouteFiltering(id, sources, destination, proto, sPort, dPort, action)
+	return m.router.AddRouteFiltering(sources, destination, proto, sPort, dPort, action)
 }
 
 // DeletePeerRule from the firewall by rule definition
@@ -205,7 +197,7 @@ func (m *Manager) AllowNetbird() error {
 
 	var chain *nftables.Chain
 	for _, c := range chains {
-		if c.Table.Name == tableNameFilter && c.Name == chainNameInput {
+		if c.Table.Name == tableNameFilter && c.Name == chainNameForward {
 			chain = c
 			break
 		}
@@ -241,8 +233,8 @@ func (m *Manager) SetLegacyManagement(isLegacy bool) error {
 	return firewall.SetLegacyManagement(m.router, isLegacy)
 }
 
-// Close closes the firewall manager
-func (m *Manager) Close(stateManager *statemanager.Manager) error {
+// Reset firewall to the default state
+func (m *Manager) Reset(stateManager *statemanager.Manager) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
@@ -282,7 +274,7 @@ func (m *Manager) resetNetbirdInputRules() error {
 
 func (m *Manager) deleteNetbirdInputRules(chains []*nftables.Chain) {
 	for _, c := range chains {
-		if c.Table.Name == tableNameFilter && c.Name == chainNameInput {
+		if c.Table.Name == "filter" && c.Name == "INPUT" {
 			rules, err := m.rConn.GetRules(c.Table, c)
 			if err != nil {
 				log.Errorf("get rules for chain %q: %v", c.Name, err)
@@ -318,19 +310,6 @@ func (m *Manager) cleanupNetbirdTables() error {
 	return nil
 }
 
-// SetLogLevel sets the log level for the firewall manager
-func (m *Manager) SetLogLevel(log.Level) {
-	// not supported
-}
-
-func (m *Manager) EnableRouting() error {
-	return nil
-}
-
-func (m *Manager) DisableRouting() error {
-	return nil
-}
-
 // Flush rule/chain/set operations from the buffer
 //
 // Method also get all rules after flush and refreshes handle values in the rulesets
@@ -342,30 +321,6 @@ func (m *Manager) Flush() error {
 	return m.aclManager.Flush()
 }
 
-// AddDNATRule adds a DNAT rule
-func (m *Manager) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error) {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.AddDNATRule(rule)
-}
-
-// DeleteDNATRule deletes a DNAT rule
-func (m *Manager) DeleteDNATRule(rule firewall.Rule) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.DeleteDNATRule(rule)
-}
-
-// UpdateSet updates the set with the given prefixes
-func (m *Manager) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.UpdateSet(set, prefixes)
-}
-
 func (m *Manager) createWorkTable() (*nftables.Table, error) {
 	tables, err := m.rConn.ListTablesOfFamily(nftables.TableFamilyIPv4)
 	if err != nil {
@@ -394,9 +349,7 @@ func (m *Manager) applyAllowNetbirdRules(chain *nftables.Chain) {
 				Register: 1,
 				Data:     ifname(m.wgIface.Name()),
 			},
-			&expr.Verdict{
-				Kind: expr.VerdictAccept,
-			},
+			&expr.Verdict{},
 		},
 		UserData: []byte(allowNetbirdInputRuleID),
 	}

client/firewall/nftables/manager_linux_test.go

@@ -1,11 +1,9 @@
 package nftables
 
 import (
-	"bytes"
 	"fmt"
 	"net"
 	"net/netip"
-	"os/exec"
 	"testing"
 	"time"
 
@@ -16,15 +14,15 @@ import (
 	"golang.org/x/sys/unix"
 
 	fw "github.com/netbirdio/netbird/client/firewall/manager"
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
+	"github.com/netbirdio/netbird/client/iface"
 )
 
 var ifaceMock = &iFaceMock{
 	NameFunc: func() string {
 		return "lo"
 	},
-	AddressFunc: func() wgaddr.Address {
-		return wgaddr.Address{
+	AddressFunc: func() iface.WGAddress {
+		return iface.WGAddress{
 			IP: net.ParseIP("100.96.0.1"),
 			Network: &net.IPNet{
 				IP:   net.ParseIP("100.96.0.0"),
@@ -37,7 +35,7 @@ var ifaceMock = &iFaceMock{
 // iFaceMapper defines subset methods of interface required for manager
 type iFaceMock struct {
 	NameFunc    func() string
-	AddressFunc func() wgaddr.Address
+	AddressFunc func() iface.WGAddress
 }
 
 func (i *iFaceMock) Name() string {
@@ -47,7 +45,7 @@ func (i *iFaceMock) Name() string {
 	panic("NameFunc is not set")
 }
 
-func (i *iFaceMock) Address() wgaddr.Address {
+func (i *iFaceMock) Address() iface.WGAddress {
 	if i.AddressFunc != nil {
 		return i.AddressFunc()
 	}
@@ -65,7 +63,7 @@ func TestNftablesManager(t *testing.T) {
 	time.Sleep(time.Second * 3)
 
 	defer func() {
-		err = manager.Close(nil)
+		err = manager.Reset(nil)
 		require.NoError(t, err, "failed to reset")
 		time.Sleep(time.Second)
 	}()
@@ -74,7 +72,16 @@ func TestNftablesManager(t *testing.T) {
 
 	testClient := &nftables.Conn{}
 
-	rule, err := manager.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{53}}, fw.ActionDrop, "")
+	rule, err := manager.AddPeerFiltering(
+		ip,
+		fw.ProtocolTCP,
+		nil,
+		&fw.Port{Values: []int{53}},
+		fw.RuleDirectionIN,
+		fw.ActionDrop,
+		"",
+		"",
+	)
 	require.NoError(t, err, "failed to add rule")
 
 	err = manager.Flush()
@@ -107,7 +114,7 @@ func TestNftablesManager(t *testing.T) {
 			Kind: expr.VerdictAccept,
 		},
 	}
-	compareExprsIgnoringCounters(t, rules[0].Exprs, expectedExprs1)
+	require.ElementsMatch(t, rules[0].Exprs, expectedExprs1, "expected the same expressions")
 
 	ipToAdd, _ := netip.AddrFromSlice(ip)
 	add := ipToAdd.Unmap()
@@ -162,7 +169,7 @@ func TestNftablesManager(t *testing.T) {
 	// established rule remains
 	require.Len(t, rules, 1, "expected 1 rules after deletion")
 
-	err = manager.Close(nil)
+	err = manager.Reset(nil)
 	require.NoError(t, err, "failed to reset")
 }
 
@@ -171,8 +178,8 @@ func TestNFtablesCreatePerformance(t *testing.T) {
 		NameFunc: func() string {
 			return "lo"
 		},
-		AddressFunc: func() wgaddr.Address {
-			return wgaddr.Address{
+		AddressFunc: func() iface.WGAddress {
+			return iface.WGAddress{
 				IP: net.ParseIP("100.96.0.1"),
 				Network: &net.IPNet{
 					IP:   net.ParseIP("100.96.0.0"),
@@ -191,7 +198,7 @@ func TestNFtablesCreatePerformance(t *testing.T) {
 			time.Sleep(time.Second * 3)
 
 			defer func() {
-				if err := manager.Close(nil); err != nil {
+				if err := manager.Reset(nil); err != nil {
 					t.Errorf("clear the manager state: %v", err)
 				}
 				time.Sleep(time.Second)
@@ -200,8 +207,12 @@ func TestNFtablesCreatePerformance(t *testing.T) {
 			ip := net.ParseIP("10.20.0.100")
 			start := time.Now()
 			for i := 0; i < testMax; i++ {
-				port := &fw.Port{Values: []uint16{uint16(1000 + i)}}
-				_, err = manager.AddPeerFiltering(nil, ip, "tcp", nil, port, fw.ActionAccept, "")
+				port := &fw.Port{Values: []int{1000 + i}}
+				if i%2 == 0 {
+					_, err = manager.AddPeerFiltering(ip, "tcp", nil, port, fw.RuleDirectionOUT, fw.ActionAccept, "", "accept HTTP traffic")
+				} else {
+					_, err = manager.AddPeerFiltering(ip, "tcp", nil, port, fw.RuleDirectionIN, fw.ActionAccept, "", "accept HTTP traffic")
+				}
 				require.NoError(t, err, "failed to add rule")
 
 				if i%100 == 0 {
@@ -214,112 +225,3 @@ func TestNFtablesCreatePerformance(t *testing.T) {
 		})
 	}
 }
-
-func runIptablesSave(t *testing.T) (string, string) {
-	t.Helper()
-	var stdout, stderr bytes.Buffer
-	cmd := exec.Command("iptables-save")
-	cmd.Stdout = &stdout
-	cmd.Stderr = &stderr
-
-	err := cmd.Run()
-	require.NoError(t, err, "iptables-save failed to run")
-
-	return stdout.String(), stderr.String()
-}
-
-func verifyIptablesOutput(t *testing.T, stdout, stderr string) {
-	t.Helper()
-	// Check for any incompatibility warnings
-	require.NotContains(t,
-		stderr,
-		"incompatible",
-		"iptables-save produced compatibility warning. Full stderr: %s",
-		stderr,
-	)
-
-	// Verify standard tables are present
-	expectedTables := []string{
-		"*filter",
-		"*nat",
-		"*mangle",
-	}
-
-	for _, table := range expectedTables {
-		require.Contains(t,
-			stdout,
-			table,
-			"iptables-save output missing expected table: %s\nFull stdout: %s",
-			table,
-			stdout,
-		)
-	}
-}
-
-func TestNftablesManagerCompatibilityWithIptables(t *testing.T) {
-	if check() != NFTABLES {
-		t.Skip("nftables not supported on this system")
-	}
-
-	if _, err := exec.LookPath("iptables-save"); err != nil {
-		t.Skipf("iptables-save not available on this system: %v", err)
-	}
-
-	// First ensure iptables-nft tables exist by running iptables-save
-	stdout, stderr := runIptablesSave(t)
-	verifyIptablesOutput(t, stdout, stderr)
-
-	manager, err := Create(ifaceMock)
-	require.NoError(t, err, "failed to create manager")
-	require.NoError(t, manager.Init(nil))
-
-	t.Cleanup(func() {
-		err := manager.Close(nil)
-		require.NoError(t, err, "failed to reset manager state")
-
-		// Verify iptables output after reset
-		stdout, stderr := runIptablesSave(t)
-		verifyIptablesOutput(t, stdout, stderr)
-	})
-
-	ip := net.ParseIP("100.96.0.1")
-	_, err = manager.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{80}}, fw.ActionAccept, "")
-	require.NoError(t, err, "failed to add peer filtering rule")
-
-	_, err = manager.AddRouteFiltering(
-		nil,
-		[]netip.Prefix{netip.MustParsePrefix("192.168.2.0/24")},
-		fw.Network{Prefix: netip.MustParsePrefix("10.1.0.0/24")},
-		fw.ProtocolTCP,
-		nil,
-		&fw.Port{Values: []uint16{443}},
-		fw.ActionAccept,
-	)
-	require.NoError(t, err, "failed to add route filtering rule")
-
-	pair := fw.RouterPair{
-		Source:      fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
-		Destination: fw.Network{Prefix: netip.MustParsePrefix("10.0.0.0/24")},
-		Masquerade:  true,
-	}
-	err = manager.AddNatRule(pair)
-	require.NoError(t, err, "failed to add NAT rule")
-
-	stdout, stderr = runIptablesSave(t)
-	verifyIptablesOutput(t, stdout, stderr)
-}
-
-func compareExprsIgnoringCounters(t *testing.T, got, want []expr.Any) {
-	t.Helper()
-	require.Equal(t, len(got), len(want), "expression count mismatch")
-
-	for i := range got {
-		if _, isCounter := got[i].(*expr.Counter); isCounter {
-			_, wantIsCounter := want[i].(*expr.Counter)
-			require.True(t, wantIsCounter, "expected Counter at index %d", i)
-			continue
-		}
-
-		require.Equal(t, got[i], want[i], "expression mismatch at index %d", i)
-	}
-}

client/firewall/nftables/router_linux_test.go

@@ -10,7 +10,6 @@ import (
 
 	"github.com/coreos/go-iptables/iptables"
 	"github.com/google/nftables"
-	"github.com/google/nftables/binaryutil"
 	"github.com/google/nftables/expr"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -33,87 +32,100 @@ func TestNftablesManager_AddNatRule(t *testing.T) {
 		t.Skip("nftables not supported on this OS")
 	}
 
+	table, err := createWorkTable()
+	require.NoError(t, err, "Failed to create work table")
+
+	defer deleteWorkTable()
+
 	for _, testCase := range test.InsertRuleTestCases {
 		t.Run(testCase.Name, func(t *testing.T) {
-			// need fw manager to init both acl mgr and router for all chains to be present
-			manager, err := Create(ifaceMock)
-			t.Cleanup(func() {
-				require.NoError(t, manager.Close(nil))
-			})
-			require.NoError(t, err)
-			require.NoError(t, manager.Init(nil))
+			manager, err := newRouter(table, ifaceMock)
+			require.NoError(t, err, "failed to create router")
+			require.NoError(t, manager.init(table))
 
 			nftablesTestingClient := &nftables.Conn{}
 
-			rtr := manager.router
-			err = rtr.AddNatRule(testCase.InputPair)
+			defer func(manager *router) {
+				require.NoError(t, manager.Reset(), "failed to reset rules")
+			}(manager)
+
+			require.NoError(t, err, "shouldn't return error")
+
+			err = manager.AddNatRule(testCase.InputPair)
 			require.NoError(t, err, "pair should be inserted")
 
-			t.Cleanup(func() {
-				require.NoError(t, rtr.RemoveNatRule(testCase.InputPair), "failed to remove rule")
-			})
+			defer func(manager *router, pair firewall.RouterPair) {
+				require.NoError(t, manager.RemoveNatRule(pair), "failed to remove rule")
+			}(manager, testCase.InputPair)
 
 			if testCase.InputPair.Masquerade {
-				// Build expected expressions for connection tracking
-				conntrackExprs := []expr.Any{
-					&expr.Ct{
-						Key:      expr.CtKeySTATE,
-						Register: 1,
-					},
-					&expr.Bitwise{
-						SourceRegister: 1,
-						DestRegister:   1,
-						Len:            4,
-						Mask:           binaryutil.NativeEndian.PutUint32(expr.CtStateBitNEW),
-						Xor:            binaryutil.NativeEndian.PutUint32(0),
-					},
-					&expr.Cmp{
-						Op:       expr.CmpOpNeq,
-						Register: 1,
-						Data:     []byte{0, 0, 0, 0},
-					},
-				}
-
-				// Build interface matching expression
-				ifaceExprs := []expr.Any{
-					&expr.Meta{
-						Key:      expr.MetaKeyIIFNAME,
-						Register: 1,
-					},
+				sourceExp := generateCIDRMatcherExpressions(true, testCase.InputPair.Source)
+				destExp := generateCIDRMatcherExpressions(false, testCase.InputPair.Destination)
+				testingExpression := append(sourceExp, destExp...) //nolint:gocritic
+				testingExpression = append(testingExpression,
+					&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
 					&expr.Cmp{
 						Op:       expr.CmpOpEq,
 						Register: 1,
 						Data:     ifname(ifaceMock.Name()),
 					},
-				}
+					&expr.Meta{Key: expr.MetaKeyOIFNAME, Register: 1},
+					&expr.Cmp{
+						Op:       expr.CmpOpNeq,
+						Register: 1,
+						Data:     ifname("lo"),
+					},
+				)
 
-				// Build CIDR matching expressions
-				sourceExp := applyPrefix(testCase.InputPair.Source.Prefix, true)
-				destExp := applyPrefix(testCase.InputPair.Destination.Prefix, false)
-
-				// Combine all expressions in the correct order
-				// nolint:gocritic
-				testingExpression := append(conntrackExprs, ifaceExprs...)
-				testingExpression = append(testingExpression, sourceExp...)
-				testingExpression = append(testingExpression, destExp...)
-
-				natRuleKey := firewall.GenKey(firewall.PreroutingFormat, testCase.InputPair)
+				natRuleKey := firewall.GenKey(firewall.NatFormat, testCase.InputPair)
 				found := 0
-				for _, chain := range rtr.chains {
-					if chain.Name == chainNameManglePrerouting {
-						rules, err := nftablesTestingClient.GetRules(chain.Table, chain)
-						require.NoError(t, err, "should list rules for %s table and %s chain", chain.Table.Name, chain.Name)
-						for _, rule := range rules {
-							if len(rule.UserData) > 0 && string(rule.UserData) == natRuleKey {
-								// Compare expressions up to the mark setting expressions
-								require.ElementsMatchf(t, rule.Exprs[:len(testingExpression)], testingExpression, "prerouting nat rule elements should match")
-								found = 1
-							}
+				for _, chain := range manager.chains {
+					rules, err := nftablesTestingClient.GetRules(chain.Table, chain)
+					require.NoError(t, err, "should list rules for %s table and %s chain", chain.Table.Name, chain.Name)
+					for _, rule := range rules {
+						if len(rule.UserData) > 0 && string(rule.UserData) == natRuleKey {
+							require.ElementsMatchf(t, rule.Exprs[:len(testingExpression)], testingExpression, "nat rule elements should match")
+							found = 1
 						}
 					}
 				}
-				require.Equal(t, 1, found, "should find at least 1 rule in prerouting chain")
+				require.Equal(t, 1, found, "should find at least 1 rule to test")
 			}
+
+			if testCase.InputPair.Masquerade {
+				sourceExp := generateCIDRMatcherExpressions(true, testCase.InputPair.Source)
+				destExp := generateCIDRMatcherExpressions(false, testCase.InputPair.Destination)
+				testingExpression := append(sourceExp, destExp...) //nolint:gocritic
+				testingExpression = append(testingExpression,
+					&expr.Meta{Key: expr.MetaKeyOIFNAME, Register: 1},
+					&expr.Cmp{
+						Op:       expr.CmpOpEq,
+						Register: 1,
+						Data:     ifname(ifaceMock.Name()),
+					},
+					&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
+					&expr.Cmp{
+						Op:       expr.CmpOpNeq,
+						Register: 1,
+						Data:     ifname("lo"),
+					},
+				)
+
+				inNatRuleKey := firewall.GenKey(firewall.NatFormat, firewall.GetInversePair(testCase.InputPair))
+				found := 0
+				for _, chain := range manager.chains {
+					rules, err := nftablesTestingClient.GetRules(chain.Table, chain)
+					require.NoError(t, err, "should list rules for %s table and %s chain", chain.Table.Name, chain.Name)
+					for _, rule := range rules {
+						if len(rule.UserData) > 0 && string(rule.UserData) == inNatRuleKey {
+							require.ElementsMatchf(t, rule.Exprs[:len(testingExpression)], testingExpression, "income nat rule elements should match")
+							found = 1
+						}
+					}
+				}
+				require.Equal(t, 1, found, "should find at least 1 rule to test")
+			}
+
 		})
 	}
 }
@@ -123,66 +135,68 @@ func TestNftablesManager_RemoveNatRule(t *testing.T) {
 		t.Skip("nftables not supported on this OS")
 	}
 
+	table, err := createWorkTable()
+	require.NoError(t, err, "Failed to create work table")
+
+	defer deleteWorkTable()
+
 	for _, testCase := range test.RemoveRuleTestCases {
 		t.Run(testCase.Name, func(t *testing.T) {
-			manager, err := Create(ifaceMock)
-			t.Cleanup(func() {
-				require.NoError(t, manager.Close(nil))
+			manager, err := newRouter(table, ifaceMock)
+			require.NoError(t, err, "failed to create router")
+			require.NoError(t, manager.init(table))
+
+			nftablesTestingClient := &nftables.Conn{}
+
+			defer func(manager *router) {
+				require.NoError(t, manager.Reset(), "failed to reset rules")
+			}(manager)
+
+			sourceExp := generateCIDRMatcherExpressions(true, testCase.InputPair.Source)
+			destExp := generateCIDRMatcherExpressions(false, testCase.InputPair.Destination)
+
+			natExp := append(sourceExp, append(destExp, &expr.Counter{}, &expr.Masq{})...) //nolint:gocritic
+			natRuleKey := firewall.GenKey(firewall.NatFormat, testCase.InputPair)
+
+			insertedNat := nftablesTestingClient.InsertRule(&nftables.Rule{
+				Table:    manager.workTable,
+				Chain:    manager.chains[chainNameRoutingNat],
+				Exprs:    natExp,
+				UserData: []byte(natRuleKey),
 			})
-			require.NoError(t, err)
-			require.NoError(t, manager.Init(nil))
 
-			rtr := manager.router
+			sourceExp = generateCIDRMatcherExpressions(true, firewall.GetInversePair(testCase.InputPair).Source)
+			destExp = generateCIDRMatcherExpressions(false, firewall.GetInversePair(testCase.InputPair).Destination)
 
-			// First add the NAT rule using the router's method
-			err = rtr.AddNatRule(testCase.InputPair)
-			require.NoError(t, err, "should add NAT rule")
+			natExp = append(sourceExp, append(destExp, &expr.Counter{}, &expr.Masq{})...) //nolint:gocritic
+			inNatRuleKey := firewall.GenKey(firewall.NatFormat, firewall.GetInversePair(testCase.InputPair))
 
-			// Verify the rule was added
-			natRuleKey := firewall.GenKey(firewall.PreroutingFormat, testCase.InputPair)
-			found := false
-			rules, err := rtr.conn.GetRules(rtr.workTable, rtr.chains[chainNameManglePrerouting])
-			require.NoError(t, err, "should list rules")
-			for _, rule := range rules {
-				if len(rule.UserData) > 0 && string(rule.UserData) == natRuleKey {
-					found = true
-					break
-				}
-			}
-			require.True(t, found, "NAT rule should exist before removal")
+			insertedInNat := nftablesTestingClient.InsertRule(&nftables.Rule{
+				Table:    manager.workTable,
+				Chain:    manager.chains[chainNameRoutingNat],
+				Exprs:    natExp,
+				UserData: []byte(inNatRuleKey),
+			})
 
-			// Now remove the rule
-			err = rtr.RemoveNatRule(testCase.InputPair)
-			require.NoError(t, err, "shouldn't return error when removing rule")
+			err = nftablesTestingClient.Flush()
+			require.NoError(t, err, "shouldn't return error")
 
-			// Verify the rule was removed
-			found = false
-			rules, err = rtr.conn.GetRules(rtr.workTable, rtr.chains[chainNameManglePrerouting])
-			require.NoError(t, err, "should list rules after removal")
-			for _, rule := range rules {
-				if len(rule.UserData) > 0 && string(rule.UserData) == natRuleKey {
-					found = true
-					break
-				}
-			}
-			require.False(t, found, "NAT rule should not exist after removal")
+			err = manager.Reset()
+			require.NoError(t, err, "shouldn't return error")
 
-			// Verify the static postrouting rules still exist
-			rules, err = rtr.conn.GetRules(rtr.workTable, rtr.chains[chainNameRoutingNat])
-			require.NoError(t, err, "should list postrouting rules")
-			foundCounter := false
-			for _, rule := range rules {
-				for _, e := range rule.Exprs {
-					if _, ok := e.(*expr.Counter); ok {
-						foundCounter = true
-						break
+			err = manager.RemoveNatRule(testCase.InputPair)
+			require.NoError(t, err, "shouldn't return error")
+
+			for _, chain := range manager.chains {
+				rules, err := nftablesTestingClient.GetRules(chain.Table, chain)
+				require.NoError(t, err, "should list rules for %s table and %s chain", chain.Table.Name, chain.Name)
+				for _, rule := range rules {
+					if len(rule.UserData) > 0 {
+						require.NotEqual(t, insertedNat.UserData, rule.UserData, "nat rule should not exist")
+						require.NotEqual(t, insertedInNat.UserData, rule.UserData, "income nat rule should not exist")
 					}
 				}
-				if foundCounter {
-					break
-				}
 			}
-			require.True(t, foundCounter, "static postrouting rule should remain")
 		})
 	}
 }
@@ -222,7 +236,7 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 			destination: netip.MustParsePrefix("10.0.0.0/24"),
 			proto:       firewall.ProtocolTCP,
 			sPort:       nil,
-			dPort:       &firewall.Port{Values: []uint16{80}},
+			dPort:       &firewall.Port{Values: []int{80}},
 			direction:   firewall.RuleDirectionIN,
 			action:      firewall.ActionAccept,
 			expectSet:   false,
@@ -235,7 +249,7 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 			},
 			destination: netip.MustParsePrefix("10.0.0.0/8"),
 			proto:       firewall.ProtocolUDP,
-			sPort:       &firewall.Port{Values: []uint16{1024, 2048}, IsRange: true},
+			sPort:       &firewall.Port{Values: []int{1024, 2048}, IsRange: true},
 			dPort:       nil,
 			direction:   firewall.RuleDirectionOUT,
 			action:      firewall.ActionDrop,
@@ -268,7 +282,7 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 			sources:     []netip.Prefix{netip.MustParsePrefix("172.16.0.0/12")},
 			destination: netip.MustParsePrefix("192.168.0.0/16"),
 			proto:       firewall.ProtocolTCP,
-			sPort:       &firewall.Port{Values: []uint16{80, 443, 8080}},
+			sPort:       &firewall.Port{Values: []int{80, 443, 8080}},
 			dPort:       nil,
 			direction:   firewall.RuleDirectionOUT,
 			action:      firewall.ActionAccept,
@@ -280,7 +294,7 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 			destination: netip.MustParsePrefix("10.0.0.0/24"),
 			proto:       firewall.ProtocolUDP,
 			sPort:       nil,
-			dPort:       &firewall.Port{Values: []uint16{5000, 5100}, IsRange: true},
+			dPort:       &firewall.Port{Values: []int{5000, 5100}, IsRange: true},
 			direction:   firewall.RuleDirectionIN,
 			action:      firewall.ActionDrop,
 			expectSet:   false,
@@ -290,8 +304,8 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 			sources:     []netip.Prefix{netip.MustParsePrefix("10.0.0.0/24")},
 			destination: netip.MustParsePrefix("172.16.0.0/16"),
 			proto:       firewall.ProtocolTCP,
-			sPort:       &firewall.Port{Values: []uint16{1024, 65535}, IsRange: true},
-			dPort:       &firewall.Port{Values: []uint16{22}},
+			sPort:       &firewall.Port{Values: []int{1024, 65535}, IsRange: true},
+			dPort:       &firewall.Port{Values: []int{22}},
 			direction:   firewall.RuleDirectionOUT,
 			action:      firewall.ActionAccept,
 			expectSet:   false,
@@ -311,7 +325,7 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			ruleKey, err := r.AddRouteFiltering(nil, tt.sources, firewall.Network{Prefix: tt.destination}, tt.proto, tt.sPort, tt.dPort, tt.action)
+			ruleKey, err := r.AddRouteFiltering(tt.sources, tt.destination, tt.proto, tt.sPort, tt.dPort, tt.action)
 			require.NoError(t, err, "AddRouteFiltering failed")
 
 			t.Cleanup(func() {
@@ -319,7 +333,7 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 			})
 
 			// Check if the rule is in the internal map
-			rule, ok := r.rules[ruleKey.ID()]
+			rule, ok := r.rules[ruleKey.GetRuleID()]
 			assert.True(t, ok, "Rule not found in internal map")
 
 			t.Log("Internal rule expressions:")
@@ -336,7 +350,7 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 
 			var nftRule *nftables.Rule
 			for _, rule := range rules {
-				if string(rule.UserData) == ruleKey.ID() {
+				if string(rule.UserData) == ruleKey.GetRuleID() {
 					nftRule = rule
 					break
 				}
@@ -441,8 +455,8 @@ func TestNftablesCreateIpSet(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			setName := firewall.NewPrefixSet(tt.sources).HashedName()
-			set, err := r.createIpSet(setName, setInput{prefixes: tt.sources})
+			setName := firewall.GenerateSetName(tt.sources)
+			set, err := r.createIpSet(setName, tt.sources)
 			if err != nil {
 				t.Logf("Failed to create IP set: %v", err)
 				printNftSets()
@@ -595,20 +609,16 @@ func containsPort(exprs []expr.Any, port *firewall.Port, isSource bool) bool {
 			if ex.Base == expr.PayloadBaseTransportHeader && ex.Offset == offset && ex.Len == 2 {
 				payloadFound = true
 			}
-		case *expr.Range:
-			if port.IsRange && len(port.Values) == 2 {
-				fromPort := binary.BigEndian.Uint16(ex.FromData)
-				toPort := binary.BigEndian.Uint16(ex.ToData)
-				if fromPort == port.Values[0] && toPort == port.Values[1] {
+		case *expr.Cmp:
+			if port.IsRange {
+				if ex.Op == expr.CmpOpGte || ex.Op == expr.CmpOpLte {
 					portMatchFound = true
 				}
-			}
-		case *expr.Cmp:
-			if !port.IsRange {
+			} else {
 				if ex.Op == expr.CmpOpEq && len(ex.Data) == 2 {
 					portValue := binary.BigEndian.Uint16(ex.Data)
 					for _, p := range port.Values {
-						if p == portValue {
+						if uint16(p) == portValue {
 							portMatchFound = true
 							break
 						}

client/firewall/nftables/rule_linux.go

@@ -8,14 +8,13 @@ import (
 
 // Rule to handle management of rules
 type Rule struct {
-	nftRule    *nftables.Rule
-	mangleRule *nftables.Rule
-	nftSet     *nftables.Set
-	ruleID     string
-	ip         net.IP
+	nftRule *nftables.Rule
+	nftSet  *nftables.Set
+	ruleID  string
+	ip      net.IP
 }
 
 // GetRuleID returns the rule id
-func (r *Rule) ID() string {
+func (r *Rule) GetRuleID() string {
 	return r.ruleID
 }

client/firewall/nftables/state.go

@@ -0,0 +1 @@
+package nftables

client/firewall/nftables/state_linux.go

@@ -3,20 +3,21 @@ package nftables
 import (
 	"fmt"
 
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
+	"github.com/netbirdio/netbird/client/iface"
+	"github.com/netbirdio/netbird/client/iface/device"
 )
 
 type InterfaceState struct {
-	NameStr       string         `json:"name"`
-	WGAddress     wgaddr.Address `json:"wg_address"`
-	UserspaceBind bool           `json:"userspace_bind"`
+	NameStr       string          `json:"name"`
+	WGAddress     iface.WGAddress `json:"wg_address"`
+	UserspaceBind bool            `json:"userspace_bind"`
 }
 
 func (i *InterfaceState) Name() string {
 	return i.NameStr
 }
 
-func (i *InterfaceState) Address() wgaddr.Address {
+func (i *InterfaceState) Address() device.WGAddress {
 	return i.WGAddress
 }
 
@@ -38,7 +39,7 @@ func (s *ShutdownState) Cleanup() error {
 		return fmt.Errorf("create nftables manager: %w", err)
 	}
 
-	if err := nft.Close(nil); err != nil {
+	if err := nft.Reset(nil); err != nil {
 		return fmt.Errorf("reset nftables manager: %w", err)
 	}
 

client/firewall/test/cases_linux.go

@@ -15,8 +15,8 @@ var (
 			Name: "Insert Forwarding IPV4 Rule",
 			InputPair: firewall.RouterPair{
 				ID:          "zxa",
-				Source:      firewall.Network{Prefix: netip.MustParsePrefix("100.100.100.1/32")},
-				Destination: firewall.Network{Prefix: netip.MustParsePrefix("100.100.200.0/24")},
+				Source:      netip.MustParsePrefix("100.100.100.1/32"),
+				Destination: netip.MustParsePrefix("100.100.200.0/24"),
 				Masquerade:  false,
 			},
 		},
@@ -24,8 +24,8 @@ var (
 			Name: "Insert Forwarding And Nat IPV4 Rules",
 			InputPair: firewall.RouterPair{
 				ID:          "zxa",
-				Source:      firewall.Network{Prefix: netip.MustParsePrefix("100.100.100.1/32")},
-				Destination: firewall.Network{Prefix: netip.MustParsePrefix("100.100.200.0/24")},
+				Source:      netip.MustParsePrefix("100.100.100.1/32"),
+				Destination: netip.MustParsePrefix("100.100.200.0/24"),
 				Masquerade:  true,
 			},
 		},
@@ -40,8 +40,8 @@ var (
 			Name: "Remove Forwarding And Nat IPV4 Rules",
 			InputPair: firewall.RouterPair{
 				ID:          "zxa",
-				Source:      firewall.Network{Prefix: netip.MustParsePrefix("100.100.100.1/32")},
-				Destination: firewall.Network{Prefix: netip.MustParsePrefix("100.100.200.0/24")},
+				Source:      netip.MustParsePrefix("100.100.100.1/32"),
+				Destination: netip.MustParsePrefix("100.100.200.0/24"),
 				Masquerade:  true,
 			},
 		},

client/firewall/uspfilter/allow_netbird.go

@@ -2,50 +2,18 @@
 
 package uspfilter
 
-import (
-	"context"
-	"net/netip"
-	"time"
+import "github.com/netbirdio/netbird/client/internal/statemanager"
 
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/internal/statemanager"
-)
-
-// Close cleans up the firewall manager by removing all rules and closing trackers
-func (m *Manager) Close(stateManager *statemanager.Manager) error {
+// Reset firewall to the default state
+func (m *Manager) Reset(stateManager *statemanager.Manager) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
-	m.outgoingRules = make(map[netip.Addr]RuleSet)
-	m.incomingRules = make(map[netip.Addr]RuleSet)
-
-	if m.udpTracker != nil {
-		m.udpTracker.Close()
-	}
-
-	if m.icmpTracker != nil {
-		m.icmpTracker.Close()
-	}
-
-	if m.tcpTracker != nil {
-		m.tcpTracker.Close()
-	}
-
-	if fwder := m.forwarder.Load(); fwder != nil {
-		fwder.Stop()
-	}
-
-	if m.logger != nil {
-		ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
-		defer cancel()
-		if err := m.logger.Stop(ctx); err != nil {
-			log.Errorf("failed to shutdown logger: %v", err)
-		}
-	}
+	m.outgoingRules = make(map[string]RuleSet)
+	m.incomingRules = make(map[string]RuleSet)
 
 	if m.nativeFirewall != nil {
-		return m.nativeFirewall.Close(stateManager)
+		return m.nativeFirewall.Reset(stateManager)
 	}
 	return nil
 }

client/firewall/uspfilter/allow_netbird_windows.go

@@ -1,12 +1,9 @@
 package uspfilter
 
 import (
-	"context"
 	"fmt"
-	"net/netip"
 	"os/exec"
 	"syscall"
-	"time"
 
 	log "github.com/sirupsen/logrus"
 
@@ -21,37 +18,13 @@ const (
 	firewallRuleName        = "Netbird"
 )
 
-// Close cleans up the firewall manager by removing all rules and closing trackers
-func (m *Manager) Close(*statemanager.Manager) error {
+// Reset firewall to the default state
+func (m *Manager) Reset(*statemanager.Manager) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
-	m.outgoingRules = make(map[netip.Addr]RuleSet)
-	m.incomingRules = make(map[netip.Addr]RuleSet)
-
-	if m.udpTracker != nil {
-		m.udpTracker.Close()
-	}
-
-	if m.icmpTracker != nil {
-		m.icmpTracker.Close()
-	}
-
-	if m.tcpTracker != nil {
-		m.tcpTracker.Close()
-	}
-
-	if fwder := m.forwarder.Load(); fwder != nil {
-		fwder.Stop()
-	}
-
-	if m.logger != nil {
-		ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
-		defer cancel()
-		if err := m.logger.Stop(ctx); err != nil {
-			log.Errorf("failed to shutdown logger: %v", err)
-		}
-	}
+	m.outgoingRules = make(map[string]RuleSet)
+	m.incomingRules = make(map[string]RuleSet)
 
 	if !isWindowsFirewallReachable() {
 		return nil

client/firewall/uspfilter/common/iface.go

@@ -1,16 +0,0 @@
-package common
-
-import (
-	wgdevice "golang.zx2c4.com/wireguard/device"
-
-	"github.com/netbirdio/netbird/client/iface/device"
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
-)
-
-// IFaceMapper defines subset methods of interface required for manager
-type IFaceMapper interface {
-	SetFilter(device.PacketFilter) error
-	Address() wgaddr.Address
-	GetWGDevice() *wgdevice.Device
-	GetDevice() *device.FilteredDevice
-}

client/firewall/uspfilter/conntrack/common.go

@@ -1,66 +0,0 @@
-package conntrack
-
-import (
-	"fmt"
-	"net/netip"
-	"sync/atomic"
-	"time"
-
-	"github.com/google/uuid"
-
-	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
-)
-
-// BaseConnTrack provides common fields and locking for all connection types
-type BaseConnTrack struct {
-	FlowId    uuid.UUID
-	Direction nftypes.Direction
-	SourceIP  netip.Addr
-	DestIP    netip.Addr
-	lastSeen  atomic.Int64
-	PacketsTx atomic.Uint64
-	PacketsRx atomic.Uint64
-	BytesTx   atomic.Uint64
-	BytesRx   atomic.Uint64
-}
-
-// these small methods will be inlined by the compiler
-
-// UpdateLastSeen safely updates the last seen timestamp
-func (b *BaseConnTrack) UpdateLastSeen() {
-	b.lastSeen.Store(time.Now().UnixNano())
-}
-
-// UpdateCounters safely updates the packet and byte counters
-func (b *BaseConnTrack) UpdateCounters(direction nftypes.Direction, bytes int) {
-	if direction == nftypes.Egress {
-		b.PacketsTx.Add(1)
-		b.BytesTx.Add(uint64(bytes))
-	} else {
-		b.PacketsRx.Add(1)
-		b.BytesRx.Add(uint64(bytes))
-	}
-}
-
-// GetLastSeen safely gets the last seen timestamp
-func (b *BaseConnTrack) GetLastSeen() time.Time {
-	return time.Unix(0, b.lastSeen.Load())
-}
-
-// timeoutExceeded checks if the connection has exceeded the given timeout
-func (b *BaseConnTrack) timeoutExceeded(timeout time.Duration) bool {
-	lastSeen := time.Unix(0, b.lastSeen.Load())
-	return time.Since(lastSeen) > timeout
-}
-
-// ConnKey uniquely identifies a connection
-type ConnKey struct {
-	SrcIP   netip.Addr
-	DstIP   netip.Addr
-	SrcPort uint16
-	DstPort uint16
-}
-
-func (c ConnKey) String() string {
-	return fmt.Sprintf("%s:%d -> %s:%d", c.SrcIP.Unmap(), c.SrcPort, c.DstIP.Unmap(), c.DstPort)
-}

client/firewall/uspfilter/conntrack/common_test.go

@@ -1,67 +0,0 @@
-package conntrack
-
-import (
-	"net/netip"
-	"testing"
-
-	"github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/firewall/uspfilter/log"
-	"github.com/netbirdio/netbird/client/internal/netflow"
-)
-
-var logger = log.NewFromLogrus(logrus.StandardLogger())
-var flowLogger = netflow.NewManager(nil, []byte{}, nil).GetLogger()
-
-// Memory pressure tests
-func BenchmarkMemoryPressure(b *testing.B) {
-	b.Run("TCPHighLoad", func(b *testing.B) {
-		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-		defer tracker.Close()
-
-		// Generate different IPs
-		srcIPs := make([]netip.Addr, 100)
-		dstIPs := make([]netip.Addr, 100)
-		for i := 0; i < 100; i++ {
-			srcIPs[i] = netip.AddrFrom4([4]byte{192, 168, byte(i / 256), byte(i % 256)})
-			dstIPs[i] = netip.AddrFrom4([4]byte{10, 0, byte(i / 256), byte(i % 256)})
-		}
-
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			srcIdx := i % len(srcIPs)
-			dstIdx := (i + 1) % len(dstIPs)
-			tracker.TrackOutbound(srcIPs[srcIdx], dstIPs[dstIdx], uint16(i%65535), 80, TCPSyn, 0)
-
-			// Simulate some valid inbound packets
-			if i%3 == 0 {
-				tracker.IsValidInbound(dstIPs[dstIdx], srcIPs[srcIdx], 80, uint16(i%65535), TCPAck, 0)
-			}
-		}
-	})
-
-	b.Run("UDPHighLoad", func(b *testing.B) {
-		tracker := NewUDPTracker(DefaultUDPTimeout, logger, flowLogger)
-		defer tracker.Close()
-
-		// Generate different IPs
-		srcIPs := make([]netip.Addr, 100)
-		dstIPs := make([]netip.Addr, 100)
-		for i := 0; i < 100; i++ {
-			srcIPs[i] = netip.AddrFrom4([4]byte{192, 168, byte(i / 256), byte(i % 256)})
-			dstIPs[i] = netip.AddrFrom4([4]byte{10, 0, byte(i / 256), byte(i % 256)})
-		}
-
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			srcIdx := i % len(srcIPs)
-			dstIdx := (i + 1) % len(dstIPs)
-			tracker.TrackOutbound(srcIPs[srcIdx], dstIPs[dstIdx], uint16(i%65535), 80, 0)
-
-			// Simulate some valid inbound packets
-			if i%3 == 0 {
-				tracker.IsValidInbound(dstIPs[dstIdx], srcIPs[srcIdx], 80, uint16(i%65535), 0)
-			}
-		}
-	})
-}

client/firewall/uspfilter/conntrack/icmp.go

@@ -1,246 +0,0 @@
-package conntrack
-
-import (
-	"context"
-	"fmt"
-	"net/netip"
-	"sync"
-	"time"
-
-	"github.com/google/gopacket/layers"
-	"github.com/google/uuid"
-
-	nblog "github.com/netbirdio/netbird/client/firewall/uspfilter/log"
-	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
-)
-
-const (
-	// DefaultICMPTimeout is the default timeout for ICMP connections
-	DefaultICMPTimeout = 30 * time.Second
-	// ICMPCleanupInterval is how often we check for stale ICMP connections
-	ICMPCleanupInterval = 15 * time.Second
-)
-
-// ICMPConnKey uniquely identifies an ICMP connection
-type ICMPConnKey struct {
-	SrcIP netip.Addr
-	DstIP netip.Addr
-	ID    uint16
-}
-
-func (i ICMPConnKey) String() string {
-	return fmt.Sprintf("%s -> %s (id %d)", i.SrcIP, i.DstIP, i.ID)
-}
-
-// ICMPConnTrack represents an ICMP connection state
-type ICMPConnTrack struct {
-	BaseConnTrack
-	ICMPType uint8
-	ICMPCode uint8
-}
-
-// ICMPTracker manages ICMP connection states
-type ICMPTracker struct {
-	logger        *nblog.Logger
-	connections   map[ICMPConnKey]*ICMPConnTrack
-	timeout       time.Duration
-	cleanupTicker *time.Ticker
-	tickerCancel  context.CancelFunc
-	mutex         sync.RWMutex
-	flowLogger    nftypes.FlowLogger
-}
-
-// NewICMPTracker creates a new ICMP connection tracker
-func NewICMPTracker(timeout time.Duration, logger *nblog.Logger, flowLogger nftypes.FlowLogger) *ICMPTracker {
-	if timeout == 0 {
-		timeout = DefaultICMPTimeout
-	}
-
-	ctx, cancel := context.WithCancel(context.Background())
-
-	tracker := &ICMPTracker{
-		logger:        logger,
-		connections:   make(map[ICMPConnKey]*ICMPConnTrack),
-		timeout:       timeout,
-		cleanupTicker: time.NewTicker(ICMPCleanupInterval),
-		tickerCancel:  cancel,
-		flowLogger:    flowLogger,
-	}
-
-	go tracker.cleanupRoutine(ctx)
-	return tracker
-}
-
-func (t *ICMPTracker) updateIfExists(srcIP netip.Addr, dstIP netip.Addr, id uint16, direction nftypes.Direction, size int) (ICMPConnKey, bool) {
-	key := ICMPConnKey{
-		SrcIP: srcIP,
-		DstIP: dstIP,
-		ID:    id,
-	}
-
-	t.mutex.RLock()
-	conn, exists := t.connections[key]
-	t.mutex.RUnlock()
-
-	if exists {
-		conn.UpdateLastSeen()
-		conn.UpdateCounters(direction, size)
-
-		return key, true
-	}
-
-	return key, false
-}
-
-// TrackOutbound records an outbound ICMP connection
-func (t *ICMPTracker) TrackOutbound(srcIP netip.Addr, dstIP netip.Addr, id uint16, typecode layers.ICMPv4TypeCode, size int) {
-	if _, exists := t.updateIfExists(dstIP, srcIP, id, nftypes.Egress, size); !exists {
-		// if (inverted direction) conn is not tracked, track this direction
-		t.track(srcIP, dstIP, id, typecode, nftypes.Egress, nil, size)
-	}
-}
-
-// TrackInbound records an inbound ICMP Echo Request
-func (t *ICMPTracker) TrackInbound(srcIP netip.Addr, dstIP netip.Addr, id uint16, typecode layers.ICMPv4TypeCode, ruleId []byte, size int) {
-	t.track(srcIP, dstIP, id, typecode, nftypes.Ingress, ruleId, size)
-}
-
-// track is the common implementation for tracking both inbound and outbound ICMP connections
-func (t *ICMPTracker) track(srcIP netip.Addr, dstIP netip.Addr, id uint16, typecode layers.ICMPv4TypeCode, direction nftypes.Direction, ruleId []byte, size int) {
-	key, exists := t.updateIfExists(srcIP, dstIP, id, direction, size)
-	if exists {
-		return
-	}
-
-	typ, code := typecode.Type(), typecode.Code()
-
-	// non echo requests don't need tracking
-	if typ != uint8(layers.ICMPv4TypeEchoRequest) {
-		t.logger.Trace("New %s ICMP connection %s type %d code %d", direction, key, typ, code)
-		t.sendStartEvent(direction, srcIP, dstIP, typ, code, ruleId, size)
-		return
-	}
-
-	conn := &ICMPConnTrack{
-		BaseConnTrack: BaseConnTrack{
-			FlowId:    uuid.New(),
-			Direction: direction,
-			SourceIP:  srcIP,
-			DestIP:    dstIP,
-		},
-		ICMPType: typ,
-		ICMPCode: code,
-	}
-	conn.UpdateLastSeen()
-	conn.UpdateCounters(direction, size)
-
-	t.mutex.Lock()
-	t.connections[key] = conn
-	t.mutex.Unlock()
-
-	t.logger.Trace("New %s ICMP connection %s type %d code %d", direction, key, typ, code)
-	t.sendEvent(nftypes.TypeStart, conn, ruleId)
-}
-
-// IsValidInbound checks if an inbound ICMP Echo Reply matches a tracked request
-func (t *ICMPTracker) IsValidInbound(srcIP netip.Addr, dstIP netip.Addr, id uint16, icmpType uint8, size int) bool {
-	if icmpType != uint8(layers.ICMPv4TypeEchoReply) {
-		return false
-	}
-
-	key := ICMPConnKey{
-		SrcIP: dstIP,
-		DstIP: srcIP,
-		ID:    id,
-	}
-
-	t.mutex.RLock()
-	conn, exists := t.connections[key]
-	t.mutex.RUnlock()
-
-	if !exists || conn.timeoutExceeded(t.timeout) {
-		return false
-	}
-
-	conn.UpdateLastSeen()
-	conn.UpdateCounters(nftypes.Ingress, size)
-
-	return true
-}
-
-func (t *ICMPTracker) cleanupRoutine(ctx context.Context) {
-	defer t.tickerCancel()
-
-	for {
-		select {
-		case <-t.cleanupTicker.C:
-			t.cleanup()
-		case <-ctx.Done():
-			return
-		}
-	}
-}
-
-func (t *ICMPTracker) cleanup() {
-	t.mutex.Lock()
-	defer t.mutex.Unlock()
-
-	for key, conn := range t.connections {
-		if conn.timeoutExceeded(t.timeout) {
-			delete(t.connections, key)
-
-			t.logger.Trace("Removed ICMP connection %s (timeout) [in: %d Pkts/%d B out: %d Pkts/%d B]",
-				key, conn.PacketsRx.Load(), conn.BytesRx.Load(), conn.PacketsTx.Load(), conn.BytesTx.Load())
-			t.sendEvent(nftypes.TypeEnd, conn, nil)
-		}
-	}
-}
-
-// Close stops the cleanup routine and releases resources
-func (t *ICMPTracker) Close() {
-	t.tickerCancel()
-
-	t.mutex.Lock()
-	t.connections = nil
-	t.mutex.Unlock()
-}
-
-func (t *ICMPTracker) sendEvent(typ nftypes.Type, conn *ICMPConnTrack, ruleID []byte) {
-	t.flowLogger.StoreEvent(nftypes.EventFields{
-		FlowID:    conn.FlowId,
-		Type:      typ,
-		RuleID:    ruleID,
-		Direction: conn.Direction,
-		Protocol:  nftypes.ICMP, // TODO: adjust for IPv6/icmpv6
-		SourceIP:  conn.SourceIP,
-		DestIP:    conn.DestIP,
-		ICMPType:  conn.ICMPType,
-		ICMPCode:  conn.ICMPCode,
-		RxPackets: conn.PacketsRx.Load(),
-		TxPackets: conn.PacketsTx.Load(),
-		RxBytes:   conn.BytesRx.Load(),
-		TxBytes:   conn.BytesTx.Load(),
-	})
-}
-
-func (t *ICMPTracker) sendStartEvent(direction nftypes.Direction, srcIP netip.Addr, dstIP netip.Addr, typ uint8, code uint8, ruleID []byte, size int) {
-	fields := nftypes.EventFields{
-		FlowID:    uuid.New(),
-		Type:      nftypes.TypeStart,
-		RuleID:    ruleID,
-		Direction: direction,
-		Protocol:  nftypes.ICMP,
-		SourceIP:  srcIP,
-		DestIP:    dstIP,
-		ICMPType:  typ,
-		ICMPCode:  code,
-	}
-	if direction == nftypes.Ingress {
-		fields.RxPackets = 1
-		fields.RxBytes = uint64(size)
-	} else {
-		fields.TxPackets = 1
-		fields.TxBytes = uint64(size)
-	}
-	t.flowLogger.StoreEvent(fields)
-}

client/firewall/uspfilter/conntrack/icmp_test.go

@@ -1,39 +0,0 @@
-package conntrack
-
-import (
-	"net/netip"
-	"testing"
-)
-
-func BenchmarkICMPTracker(b *testing.B) {
-	b.Run("TrackOutbound", func(b *testing.B) {
-		tracker := NewICMPTracker(DefaultICMPTimeout, logger, flowLogger)
-		defer tracker.Close()
-
-		srcIP := netip.MustParseAddr("192.168.1.1")
-		dstIP := netip.MustParseAddr("192.168.1.2")
-
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			tracker.TrackOutbound(srcIP, dstIP, uint16(i%65535), 0, 0)
-		}
-	})
-
-	b.Run("IsValidInbound", func(b *testing.B) {
-		tracker := NewICMPTracker(DefaultICMPTimeout, logger, flowLogger)
-		defer tracker.Close()
-
-		srcIP := netip.MustParseAddr("192.168.1.1")
-		dstIP := netip.MustParseAddr("192.168.1.2")
-
-		// Pre-populate some connections
-		for i := 0; i < 1000; i++ {
-			tracker.TrackOutbound(srcIP, dstIP, uint16(i), 0, 0)
-		}
-
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			tracker.IsValidInbound(dstIP, srcIP, uint16(i%1000), 0, 0)
-		}
-	})
-}

client/firewall/uspfilter/conntrack/tcp.go

@@ -1,492 +0,0 @@
-package conntrack
-
-// TODO: Send RST packets for invalid/timed-out connections
-
-import (
-	"context"
-	"net/netip"
-	"sync"
-	"sync/atomic"
-	"time"
-
-	"github.com/google/uuid"
-
-	nblog "github.com/netbirdio/netbird/client/firewall/uspfilter/log"
-	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
-)
-
-const (
-	// MSL (Maximum Segment Lifetime) is typically 2 minutes
-	MSL = 2 * time.Minute
-	// TimeWaitTimeout (TIME-WAIT) should last 2*MSL
-	TimeWaitTimeout = 2 * MSL
-)
-
-const (
-	TCPFin  uint8 = 0x01
-	TCPSyn  uint8 = 0x02
-	TCPRst  uint8 = 0x04
-	TCPPush uint8 = 0x08
-	TCPAck  uint8 = 0x10
-	TCPUrg  uint8 = 0x20
-)
-
-const (
-	// DefaultTCPTimeout is the default timeout for established TCP connections
-	DefaultTCPTimeout = 3 * time.Hour
-	// TCPHandshakeTimeout is timeout for TCP handshake completion
-	TCPHandshakeTimeout = 60 * time.Second
-	// TCPCleanupInterval is how often we check for stale connections
-	TCPCleanupInterval = 5 * time.Minute
-)
-
-// TCPState represents the state of a TCP connection
-type TCPState int32
-
-func (s TCPState) String() string {
-	switch s {
-	case TCPStateNew:
-		return "New"
-	case TCPStateSynSent:
-		return "SYN Sent"
-	case TCPStateSynReceived:
-		return "SYN Received"
-	case TCPStateEstablished:
-		return "Established"
-	case TCPStateFinWait1:
-		return "FIN Wait 1"
-	case TCPStateFinWait2:
-		return "FIN Wait 2"
-	case TCPStateClosing:
-		return "Closing"
-	case TCPStateTimeWait:
-		return "Time Wait"
-	case TCPStateCloseWait:
-		return "Close Wait"
-	case TCPStateLastAck:
-		return "Last ACK"
-	case TCPStateClosed:
-		return "Closed"
-	default:
-		return "Unknown"
-	}
-}
-
-const (
-	TCPStateNew TCPState = iota
-	TCPStateSynSent
-	TCPStateSynReceived
-	TCPStateEstablished
-	TCPStateFinWait1
-	TCPStateFinWait2
-	TCPStateClosing
-	TCPStateTimeWait
-	TCPStateCloseWait
-	TCPStateLastAck
-	TCPStateClosed
-)
-
-// TCPConnTrack represents a TCP connection state
-type TCPConnTrack struct {
-	BaseConnTrack
-	SourcePort uint16
-	DestPort   uint16
-	state      atomic.Int32
-	tombstone  atomic.Bool
-}
-
-// GetState safely retrieves the current state
-func (t *TCPConnTrack) GetState() TCPState {
-	return TCPState(t.state.Load())
-}
-
-// SetState safely updates the current state
-func (t *TCPConnTrack) SetState(state TCPState) {
-	t.state.Store(int32(state))
-}
-
-// CompareAndSwapState atomically changes the state from old to new if current == old
-func (t *TCPConnTrack) CompareAndSwapState(old, newState TCPState) bool {
-	return t.state.CompareAndSwap(int32(old), int32(newState))
-}
-
-// IsTombstone safely checks if the connection is marked for deletion
-func (t *TCPConnTrack) IsTombstone() bool {
-	return t.tombstone.Load()
-}
-
-// SetTombstone safely marks the connection for deletion
-func (t *TCPConnTrack) SetTombstone() {
-	t.tombstone.Store(true)
-}
-
-// TCPTracker manages TCP connection states
-type TCPTracker struct {
-	logger        *nblog.Logger
-	connections   map[ConnKey]*TCPConnTrack
-	mutex         sync.RWMutex
-	cleanupTicker *time.Ticker
-	tickerCancel  context.CancelFunc
-	timeout       time.Duration
-	waitTimeout   time.Duration
-	flowLogger    nftypes.FlowLogger
-}
-
-// NewTCPTracker creates a new TCP connection tracker
-func NewTCPTracker(timeout time.Duration, logger *nblog.Logger, flowLogger nftypes.FlowLogger) *TCPTracker {
-	waitTimeout := TimeWaitTimeout
-	if timeout == 0 {
-		timeout = DefaultTCPTimeout
-	} else {
-		waitTimeout = timeout / 45
-	}
-
-	ctx, cancel := context.WithCancel(context.Background())
-
-	tracker := &TCPTracker{
-		logger:        logger,
-		connections:   make(map[ConnKey]*TCPConnTrack),
-		cleanupTicker: time.NewTicker(TCPCleanupInterval),
-		tickerCancel:  cancel,
-		timeout:       timeout,
-		waitTimeout:   waitTimeout,
-		flowLogger:    flowLogger,
-	}
-
-	go tracker.cleanupRoutine(ctx)
-	return tracker
-}
-
-func (t *TCPTracker) updateIfExists(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, flags uint8, direction nftypes.Direction, size int) (ConnKey, bool) {
-	key := ConnKey{
-		SrcIP:   srcIP,
-		DstIP:   dstIP,
-		SrcPort: srcPort,
-		DstPort: dstPort,
-	}
-
-	t.mutex.RLock()
-	conn, exists := t.connections[key]
-	t.mutex.RUnlock()
-
-	if exists {
-		t.updateState(key, conn, flags, direction, size)
-		return key, true
-	}
-
-	return key, false
-}
-
-// TrackOutbound records an outbound TCP connection
-func (t *TCPTracker) TrackOutbound(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, flags uint8, size int) {
-	if _, exists := t.updateIfExists(dstIP, srcIP, dstPort, srcPort, flags, nftypes.Egress, size); !exists {
-		// if (inverted direction) conn is not tracked, track this direction
-		t.track(srcIP, dstIP, srcPort, dstPort, flags, nftypes.Egress, nil, size)
-	}
-}
-
-// TrackInbound processes an inbound TCP packet and updates connection state
-func (t *TCPTracker) TrackInbound(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, flags uint8, ruleID []byte, size int) {
-	t.track(srcIP, dstIP, srcPort, dstPort, flags, nftypes.Ingress, ruleID, size)
-}
-
-// track is the common implementation for tracking both inbound and outbound connections
-func (t *TCPTracker) track(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, flags uint8, direction nftypes.Direction, ruleID []byte, size int) {
-	key, exists := t.updateIfExists(srcIP, dstIP, srcPort, dstPort, flags, direction, size)
-	if exists || flags&TCPSyn == 0 {
-		return
-	}
-
-	conn := &TCPConnTrack{
-		BaseConnTrack: BaseConnTrack{
-			FlowId:    uuid.New(),
-			Direction: direction,
-			SourceIP:  srcIP,
-			DestIP:    dstIP,
-		},
-		SourcePort: srcPort,
-		DestPort:   dstPort,
-	}
-
-	conn.tombstone.Store(false)
-	conn.state.Store(int32(TCPStateNew))
-
-	t.logger.Trace("New %s TCP connection: %s", direction, key)
-	t.updateState(key, conn, flags, direction, size)
-
-	t.mutex.Lock()
-	t.connections[key] = conn
-	t.mutex.Unlock()
-
-	t.sendEvent(nftypes.TypeStart, conn, ruleID)
-}
-
-// IsValidInbound checks if an inbound TCP packet matches a tracked connection
-func (t *TCPTracker) IsValidInbound(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, flags uint8, size int) bool {
-	key := ConnKey{
-		SrcIP:   dstIP,
-		DstIP:   srcIP,
-		SrcPort: dstPort,
-		DstPort: srcPort,
-	}
-
-	t.mutex.RLock()
-	conn, exists := t.connections[key]
-	t.mutex.RUnlock()
-
-	if !exists || conn.IsTombstone() {
-		return false
-	}
-
-	currentState := conn.GetState()
-	if !t.isValidStateForFlags(currentState, flags) {
-		t.logger.Warn("TCP state %s is not valid with flags %x for connection %s", currentState, flags, key)
-		// allow all flags for established for now
-		if currentState == TCPStateEstablished {
-			return true
-		}
-		return false
-	}
-
-	t.updateState(key, conn, flags, nftypes.Ingress, size)
-	return true
-}
-
-// updateState updates the TCP connection state based on flags
-func (t *TCPTracker) updateState(key ConnKey, conn *TCPConnTrack, flags uint8, packetDir nftypes.Direction, size int) {
-	conn.UpdateLastSeen()
-	conn.UpdateCounters(packetDir, size)
-
-	currentState := conn.GetState()
-
-	if flags&TCPRst != 0 {
-		if conn.CompareAndSwapState(currentState, TCPStateClosed) {
-			conn.SetTombstone()
-			t.logger.Trace("TCP connection reset: %s (dir: %s) [in: %d Pkts/%d B, out: %d Pkts/%d B]",
-				key, packetDir, conn.PacketsRx.Load(), conn.BytesRx.Load(), conn.PacketsTx.Load(), conn.BytesTx.Load())
-			t.sendEvent(nftypes.TypeEnd, conn, nil)
-		}
-		return
-	}
-
-	var newState TCPState
-	switch currentState {
-	case TCPStateNew:
-		if flags&TCPSyn != 0 && flags&TCPAck == 0 {
-			if conn.Direction == nftypes.Egress {
-				newState = TCPStateSynSent
-			} else {
-				newState = TCPStateSynReceived
-			}
-		}
-
-	case TCPStateSynSent:
-		if flags&TCPSyn != 0 && flags&TCPAck != 0 {
-			if packetDir != conn.Direction {
-				newState = TCPStateEstablished
-			} else {
-				// Simultaneous open
-				newState = TCPStateSynReceived
-			}
-		}
-
-	case TCPStateSynReceived:
-		if flags&TCPAck != 0 && flags&TCPSyn == 0 {
-			if packetDir == conn.Direction {
-				newState = TCPStateEstablished
-			}
-		}
-
-	case TCPStateEstablished:
-		if flags&TCPFin != 0 {
-			if packetDir == conn.Direction {
-				newState = TCPStateFinWait1
-			} else {
-				newState = TCPStateCloseWait
-			}
-		}
-
-	case TCPStateFinWait1:
-		if packetDir != conn.Direction {
-			switch {
-			case flags&TCPFin != 0 && flags&TCPAck != 0:
-				newState = TCPStateClosing
-			case flags&TCPFin != 0:
-				newState = TCPStateClosing
-			case flags&TCPAck != 0:
-				newState = TCPStateFinWait2
-			}
-		}
-
-	case TCPStateFinWait2:
-		if flags&TCPFin != 0 {
-			newState = TCPStateTimeWait
-		}
-
-	case TCPStateClosing:
-		if flags&TCPAck != 0 {
-			newState = TCPStateTimeWait
-		}
-
-	case TCPStateCloseWait:
-		if flags&TCPFin != 0 {
-			newState = TCPStateLastAck
-		}
-
-	case TCPStateLastAck:
-		if flags&TCPAck != 0 {
-			newState = TCPStateClosed
-		}
-	}
-
-	if newState != 0 && conn.CompareAndSwapState(currentState, newState) {
-		t.logger.Trace("TCP connection %s transitioned from %s to %s (dir: %s)", key, currentState, newState, packetDir)
-
-		switch newState {
-		case TCPStateTimeWait:
-			t.logger.Trace("TCP connection %s completed [in: %d Pkts/%d B, out: %d Pkts/%d B]",
-				key, conn.PacketsRx.Load(), conn.BytesRx.Load(), conn.PacketsTx.Load(), conn.BytesTx.Load())
-			t.sendEvent(nftypes.TypeEnd, conn, nil)
-
-		case TCPStateClosed:
-			conn.SetTombstone()
-			t.logger.Trace("TCP connection %s closed gracefully [in: %d Pkts/%d, B out: %d Pkts/%d B]",
-				key, conn.PacketsRx.Load(), conn.BytesRx.Load(), conn.PacketsTx.Load(), conn.BytesTx.Load())
-			t.sendEvent(nftypes.TypeEnd, conn, nil)
-		}
-	}
-}
-
-// isValidStateForFlags checks if the TCP flags are valid for the current connection state
-func (t *TCPTracker) isValidStateForFlags(state TCPState, flags uint8) bool {
-	if !isValidFlagCombination(flags) {
-		return false
-	}
-	if flags&TCPRst != 0 {
-		if state == TCPStateSynSent {
-			return flags&TCPAck != 0
-		}
-		return true
-	}
-
-	switch state {
-	case TCPStateNew:
-		return flags&TCPSyn != 0 && flags&TCPAck == 0
-	case TCPStateSynSent:
-		// TODO: support simultaneous open
-		return flags&TCPSyn != 0 && flags&TCPAck != 0
-	case TCPStateSynReceived:
-		return flags&TCPAck != 0
-	case TCPStateEstablished:
-		return flags&TCPAck != 0
-	case TCPStateFinWait1:
-		return flags&TCPFin != 0 || flags&TCPAck != 0
-	case TCPStateFinWait2:
-		return flags&TCPFin != 0 || flags&TCPAck != 0
-	case TCPStateClosing:
-		// In CLOSING state, we should accept the final ACK
-		return flags&TCPAck != 0
-	case TCPStateTimeWait:
-		// In TIME_WAIT, we might see retransmissions
-		return flags&TCPAck != 0
-	case TCPStateCloseWait:
-		return flags&TCPFin != 0 || flags&TCPAck != 0
-	case TCPStateLastAck:
-		return flags&TCPAck != 0
-	case TCPStateClosed:
-		// Accept retransmitted ACKs in closed state, the final ACK might be lost and the peer will retransmit their FIN-ACK
-		return flags&TCPAck != 0
-	}
-	return false
-}
-
-func (t *TCPTracker) cleanupRoutine(ctx context.Context) {
-	defer t.cleanupTicker.Stop()
-
-	for {
-		select {
-		case <-t.cleanupTicker.C:
-			t.cleanup()
-		case <-ctx.Done():
-			return
-		}
-	}
-}
-
-func (t *TCPTracker) cleanup() {
-	t.mutex.Lock()
-	defer t.mutex.Unlock()
-
-	for key, conn := range t.connections {
-		if conn.IsTombstone() {
-			// Clean up tombstoned connections without sending an event
-			delete(t.connections, key)
-			continue
-		}
-
-		var timeout time.Duration
-		currentState := conn.GetState()
-		switch currentState {
-		case TCPStateTimeWait:
-			timeout = t.waitTimeout
-		case TCPStateEstablished:
-			timeout = t.timeout
-		default:
-			timeout = TCPHandshakeTimeout
-		}
-
-		if conn.timeoutExceeded(timeout) {
-			delete(t.connections, key)
-
-			t.logger.Trace("Cleaned up timed-out TCP connection %s (%s) [in: %d Pkts/%d, B out: %d Pkts/%d B]",
-				key, conn.GetState(), conn.PacketsRx.Load(), conn.BytesRx.Load(), conn.PacketsTx.Load(), conn.BytesTx.Load())
-
-			// event already handled by state change
-			if currentState != TCPStateTimeWait {
-				t.sendEvent(nftypes.TypeEnd, conn, nil)
-			}
-		}
-	}
-}
-
-// Close stops the cleanup routine and releases resources
-func (t *TCPTracker) Close() {
-	t.tickerCancel()
-
-	// Clean up all remaining IPs
-	t.mutex.Lock()
-	t.connections = nil
-	t.mutex.Unlock()
-}
-
-func isValidFlagCombination(flags uint8) bool {
-	// Invalid: SYN+FIN
-	if flags&TCPSyn != 0 && flags&TCPFin != 0 {
-		return false
-	}
-
-	// Invalid: RST with SYN or FIN
-	if flags&TCPRst != 0 && (flags&TCPSyn != 0 || flags&TCPFin != 0) {
-		return false
-	}
-
-	return true
-}
-
-func (t *TCPTracker) sendEvent(typ nftypes.Type, conn *TCPConnTrack, ruleID []byte) {
-	t.flowLogger.StoreEvent(nftypes.EventFields{
-		FlowID:     conn.FlowId,
-		Type:       typ,
-		RuleID:     ruleID,
-		Direction:  conn.Direction,
-		Protocol:   nftypes.TCP,
-		SourceIP:   conn.SourceIP,
-		DestIP:     conn.DestIP,
-		SourcePort: conn.SourcePort,
-		DestPort:   conn.DestPort,
-		RxPackets:  conn.PacketsRx.Load(),
-		TxPackets:  conn.PacketsTx.Load(),
-		RxBytes:    conn.BytesRx.Load(),
-		TxBytes:    conn.BytesTx.Load(),
-	})
-}

client/firewall/uspfilter/conntrack/tcp_bench_test.go

@@ -1,83 +0,0 @@
-package conntrack
-
-import (
-	"net/netip"
-	"testing"
-	"time"
-)
-
-func BenchmarkTCPTracker(b *testing.B) {
-	b.Run("TrackOutbound", func(b *testing.B) {
-		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-		defer tracker.Close()
-
-		srcIP := netip.MustParseAddr("192.168.1.1")
-		dstIP := netip.MustParseAddr("192.168.1.2")
-
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			tracker.TrackOutbound(srcIP, dstIP, uint16(i%65535), 80, TCPSyn, 0)
-		}
-	})
-
-	b.Run("IsValidInbound", func(b *testing.B) {
-		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-		defer tracker.Close()
-
-		srcIP := netip.MustParseAddr("192.168.1.1")
-		dstIP := netip.MustParseAddr("192.168.1.2")
-
-		// Pre-populate some connections
-		for i := 0; i < 1000; i++ {
-			tracker.TrackOutbound(srcIP, dstIP, uint16(i), 80, TCPSyn, 0)
-		}
-
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			tracker.IsValidInbound(dstIP, srcIP, 80, uint16(i%1000), TCPAck|TCPSyn, 0)
-		}
-	})
-
-	b.Run("ConcurrentAccess", func(b *testing.B) {
-		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-		defer tracker.Close()
-
-		srcIP := netip.MustParseAddr("192.168.1.1")
-		dstIP := netip.MustParseAddr("192.168.1.2")
-
-		b.RunParallel(func(pb *testing.PB) {
-			i := 0
-			for pb.Next() {
-				if i%2 == 0 {
-					tracker.TrackOutbound(srcIP, dstIP, uint16(i%65535), 80, TCPSyn, 0)
-				} else {
-					tracker.IsValidInbound(dstIP, srcIP, 80, uint16(i%65535), TCPAck|TCPSyn, 0)
-				}
-				i++
-			}
-		})
-	})
-}
-
-// Benchmark connection cleanup
-func BenchmarkCleanup(b *testing.B) {
-	b.Run("TCPCleanup", func(b *testing.B) {
-		tracker := NewTCPTracker(100*time.Millisecond, logger, flowLogger)
-		defer tracker.Close()
-
-		// Pre-populate with expired connections
-		srcIP := netip.MustParseAddr("192.168.1.1")
-		dstIP := netip.MustParseAddr("192.168.1.2")
-		for i := 0; i < 10000; i++ {
-			tracker.TrackOutbound(srcIP, dstIP, uint16(i), 80, TCPSyn, 0)
-		}
-
-		// Wait for connections to expire
-		time.Sleep(200 * time.Millisecond)
-
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			tracker.cleanup()
-		}
-	})
-}

client/firewall/uspfilter/conntrack/tcp_test.go

@@ -1,660 +0,0 @@
-package conntrack
-
-import (
-	"net/netip"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestTCPStateMachine(t *testing.T) {
-	tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-	defer tracker.Close()
-
-	srcIP := netip.MustParseAddr("100.64.0.1")
-	dstIP := netip.MustParseAddr("100.64.0.2")
-	srcPort := uint16(12345)
-	dstPort := uint16(80)
-
-	t.Run("Security Tests", func(t *testing.T) {
-		tests := []struct {
-			name     string
-			flags    uint8
-			wantDrop bool
-			desc     string
-		}{
-			{
-				name:     "Block unsolicited SYN-ACK",
-				flags:    TCPSyn | TCPAck,
-				wantDrop: true,
-				desc:     "Should block SYN-ACK without prior SYN",
-			},
-			{
-				name:     "Block invalid SYN-FIN",
-				flags:    TCPSyn | TCPFin,
-				wantDrop: true,
-				desc:     "Should block invalid SYN-FIN combination",
-			},
-			{
-				name:     "Block unsolicited RST",
-				flags:    TCPRst,
-				wantDrop: true,
-				desc:     "Should block RST without connection",
-			},
-			{
-				name:     "Block unsolicited ACK",
-				flags:    TCPAck,
-				wantDrop: true,
-				desc:     "Should block ACK without connection",
-			},
-			{
-				name:     "Block data without connection",
-				flags:    TCPAck | TCPPush,
-				wantDrop: true,
-				desc:     "Should block data without established connection",
-			},
-		}
-
-		for _, tt := range tests {
-			t.Run(tt.name, func(t *testing.T) {
-				isValid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, tt.flags, 0)
-				require.Equal(t, !tt.wantDrop, isValid, tt.desc)
-			})
-		}
-	})
-
-	t.Run("Connection Flow Tests", func(t *testing.T) {
-		tests := []struct {
-			name string
-			test func(*testing.T)
-			desc string
-		}{
-			{
-				name: "Normal Handshake",
-				test: func(t *testing.T) {
-					t.Helper()
-
-					// Send initial SYN
-					tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPSyn, 0)
-
-					// Receive SYN-ACK
-					valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn|TCPAck, 0)
-					require.True(t, valid, "SYN-ACK should be allowed")
-
-					// Send ACK
-					tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
-
-					// Test data transfer
-					valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPPush|TCPAck, 0)
-					require.True(t, valid, "Data should be allowed after handshake")
-				},
-			},
-			{
-				name: "Normal Close",
-				test: func(t *testing.T) {
-					t.Helper()
-
-					// First establish connection
-					establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-
-					// Send FIN
-					tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
-
-					// Receive ACK for FIN
-					valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
-					require.True(t, valid, "ACK for FIN should be allowed")
-
-					// Receive FIN from other side
-					valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
-					require.True(t, valid, "FIN should be allowed")
-
-					// Send final ACK
-					tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
-				},
-			},
-			{
-				name: "RST During Connection",
-				test: func(t *testing.T) {
-					t.Helper()
-
-					// First establish connection
-					establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-
-					// Receive RST
-					valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPRst, 0)
-					require.True(t, valid, "RST should be allowed for established connection")
-				},
-			},
-			{
-				name: "Simultaneous Close",
-				test: func(t *testing.T) {
-					t.Helper()
-
-					// First establish connection
-					establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-
-					// Both sides send FIN+ACK
-					tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
-					valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
-					require.True(t, valid, "Simultaneous FIN should be allowed")
-
-					// Both sides send final ACK
-					tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
-					valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
-					require.True(t, valid, "Final ACKs should be allowed")
-				},
-			},
-		}
-
-		for _, tt := range tests {
-			t.Run(tt.name, func(t *testing.T) {
-				t.Helper()
-
-				tracker = NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-				tt.test(t)
-			})
-		}
-	})
-}
-
-func TestRSTHandling(t *testing.T) {
-	tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-	defer tracker.Close()
-
-	srcIP := netip.MustParseAddr("100.64.0.1")
-	dstIP := netip.MustParseAddr("100.64.0.2")
-	srcPort := uint16(12345)
-	dstPort := uint16(80)
-
-	tests := []struct {
-		name       string
-		setupState func()
-		sendRST    func()
-		wantValid  bool
-		desc       string
-	}{
-		{
-			name: "RST in established",
-			setupState: func() {
-				// Establish connection first
-				tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPSyn, 0)
-				tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn|TCPAck, 0)
-				tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
-			},
-			sendRST: func() {
-				tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPRst, 0)
-			},
-			wantValid: true,
-			desc:      "Should accept RST for established connection",
-		},
-		{
-			name:       "RST without connection",
-			setupState: func() {},
-			sendRST: func() {
-				tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPRst, 0)
-			},
-			wantValid: false,
-			desc:      "Should reject RST without connection",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			tt.setupState()
-			tt.sendRST()
-
-			// Verify connection state is as expected
-			key := ConnKey{
-				SrcIP:   srcIP,
-				DstIP:   dstIP,
-				SrcPort: srcPort,
-				DstPort: dstPort,
-			}
-			conn := tracker.connections[key]
-			if tt.wantValid {
-				require.NotNil(t, conn)
-				require.Equal(t, TCPStateClosed, conn.GetState())
-			}
-		})
-	}
-}
-
-func TestTCPRetransmissions(t *testing.T) {
-	tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-	defer tracker.Close()
-
-	srcIP := netip.MustParseAddr("100.64.0.1")
-	dstIP := netip.MustParseAddr("100.64.0.2")
-	srcPort := uint16(12345)
-	dstPort := uint16(80)
-
-	// Test SYN retransmission
-	t.Run("SYN Retransmission", func(t *testing.T) {
-		// Initial SYN
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPSyn, 0)
-
-		// Retransmit SYN (should not affect the state machine)
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPSyn, 0)
-
-		// Verify we're still in SYN-SENT state
-		key := ConnKey{
-			SrcIP:   srcIP,
-			DstIP:   dstIP,
-			SrcPort: srcPort,
-			DstPort: dstPort,
-		}
-		conn := tracker.connections[key]
-		require.NotNil(t, conn)
-		require.Equal(t, TCPStateSynSent, conn.GetState())
-
-		// Complete the handshake
-		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn|TCPAck, 0)
-		require.True(t, valid)
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
-
-		// Verify we're in ESTABLISHED state
-		require.Equal(t, TCPStateEstablished, conn.GetState())
-	})
-
-	// Test ACK retransmission in established state
-	t.Run("ACK Retransmission", func(t *testing.T) {
-		tracker = NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-
-		// Establish connection
-		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-
-		// Get connection object
-		key := ConnKey{
-			SrcIP:   srcIP,
-			DstIP:   dstIP,
-			SrcPort: srcPort,
-			DstPort: dstPort,
-		}
-		conn := tracker.connections[key]
-		require.NotNil(t, conn)
-		require.Equal(t, TCPStateEstablished, conn.GetState())
-
-		// Retransmit ACK
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
-
-		// State should remain ESTABLISHED
-		require.Equal(t, TCPStateEstablished, conn.GetState())
-	})
-
-	// Test FIN retransmission
-	t.Run("FIN Retransmission", func(t *testing.T) {
-		tracker = NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-
-		// Establish connection
-		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-
-		// Get connection object
-		key := ConnKey{
-			SrcIP:   srcIP,
-			DstIP:   dstIP,
-			SrcPort: srcPort,
-			DstPort: dstPort,
-		}
-		conn := tracker.connections[key]
-		require.NotNil(t, conn)
-
-		// Send FIN
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
-		require.Equal(t, TCPStateFinWait1, conn.GetState())
-
-		// Retransmit FIN (should not change state)
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
-		require.Equal(t, TCPStateFinWait1, conn.GetState())
-
-		// Receive ACK for FIN
-		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
-		require.True(t, valid)
-		require.Equal(t, TCPStateFinWait2, conn.GetState())
-	})
-}
-
-func TestTCPDataTransfer(t *testing.T) {
-	tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-	defer tracker.Close()
-
-	srcIP := netip.MustParseAddr("100.64.0.1")
-	dstIP := netip.MustParseAddr("100.64.0.2")
-	srcPort := uint16(12345)
-	dstPort := uint16(80)
-
-	t.Run("Data Transfer", func(t *testing.T) {
-		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-
-		// Get connection object
-		key := ConnKey{
-			SrcIP:   srcIP,
-			DstIP:   dstIP,
-			SrcPort: srcPort,
-			DstPort: dstPort,
-		}
-		conn := tracker.connections[key]
-		require.NotNil(t, conn)
-
-		// Send data
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPPush|TCPAck, 1000)
-
-		// Receive ACK for data
-		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 100)
-		require.True(t, valid)
-
-		// Receive data
-		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPPush|TCPAck, 1500)
-		require.True(t, valid)
-
-		// Send ACK for received data
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 100)
-
-		// State should remain ESTABLISHED
-		require.Equal(t, TCPStateEstablished, conn.GetState())
-
-		assert.Equal(t, uint64(1300), conn.BytesTx.Load())
-		assert.Equal(t, uint64(1700), conn.BytesRx.Load())
-		assert.Equal(t, uint64(4), conn.PacketsTx.Load())
-		assert.Equal(t, uint64(3), conn.PacketsRx.Load())
-	})
-}
-
-func TestTCPHalfClosedConnections(t *testing.T) {
-	tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-	defer tracker.Close()
-
-	srcIP := netip.MustParseAddr("100.64.0.1")
-	dstIP := netip.MustParseAddr("100.64.0.2")
-	srcPort := uint16(12345)
-	dstPort := uint16(80)
-
-	// Test half-closed connection: local end closes, remote end continues sending data
-	t.Run("Local Close, Remote Data", func(t *testing.T) {
-		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-
-		key := ConnKey{
-			SrcIP:   srcIP,
-			DstIP:   dstIP,
-			SrcPort: srcPort,
-			DstPort: dstPort,
-		}
-		conn := tracker.connections[key]
-		require.NotNil(t, conn)
-
-		// Send FIN
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
-		require.Equal(t, TCPStateFinWait1, conn.GetState())
-
-		// Receive ACK for FIN
-		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
-		require.True(t, valid)
-		require.Equal(t, TCPStateFinWait2, conn.GetState())
-
-		// Remote end can still send data
-		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPPush|TCPAck, 1000)
-		require.True(t, valid)
-
-		// We can still ACK their data
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
-
-		// Receive FIN from remote end
-		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
-		require.True(t, valid)
-		require.Equal(t, TCPStateTimeWait, conn.GetState())
-
-		// Send final ACK
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
-
-		// State should remain TIME-WAIT (waiting for possible retransmissions)
-		require.Equal(t, TCPStateTimeWait, conn.GetState())
-	})
-
-	// Test half-closed connection: remote end closes, local end continues sending data
-	t.Run("Remote Close, Local Data", func(t *testing.T) {
-		tracker = NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-
-		// Establish connection
-		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-
-		// Get connection object
-		key := ConnKey{
-			SrcIP:   srcIP,
-			DstIP:   dstIP,
-			SrcPort: srcPort,
-			DstPort: dstPort,
-		}
-		conn := tracker.connections[key]
-		require.NotNil(t, conn)
-
-		// Receive FIN from remote
-		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
-		require.True(t, valid)
-		require.Equal(t, TCPStateCloseWait, conn.GetState())
-
-		// We can still send data
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPPush|TCPAck, 1000)
-
-		// Remote can still ACK our data
-		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
-		require.True(t, valid)
-
-		// Send our FIN
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
-		require.Equal(t, TCPStateLastAck, conn.GetState())
-
-		// Receive final ACK
-		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
-		require.True(t, valid)
-		require.Equal(t, TCPStateClosed, conn.GetState())
-	})
-}
-
-func TestTCPAbnormalSequences(t *testing.T) {
-	tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-	defer tracker.Close()
-
-	srcIP := netip.MustParseAddr("100.64.0.1")
-	dstIP := netip.MustParseAddr("100.64.0.2")
-	srcPort := uint16(12345)
-	dstPort := uint16(80)
-
-	// Test handling of unsolicited RST in various states
-	t.Run("Unsolicited RST in SYN-SENT", func(t *testing.T) {
-		// Send SYN
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPSyn, 0)
-
-		// Receive unsolicited RST (without proper ACK)
-		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPRst, 0)
-		require.False(t, valid, "RST without proper ACK in SYN-SENT should be rejected")
-
-		// Receive RST with proper ACK
-		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPRst|TCPAck, 0)
-		require.True(t, valid, "RST with proper ACK in SYN-SENT should be accepted")
-
-		key := ConnKey{
-			SrcIP:   srcIP,
-			DstIP:   dstIP,
-			SrcPort: srcPort,
-			DstPort: dstPort,
-		}
-		conn := tracker.connections[key]
-		require.Equal(t, TCPStateClosed, conn.GetState())
-		require.True(t, conn.IsTombstone())
-	})
-}
-
-func TestTCPTimeoutHandling(t *testing.T) {
-	// Create tracker with a very short timeout for testing
-	shortTimeout := 100 * time.Millisecond
-	tracker := NewTCPTracker(shortTimeout, logger, flowLogger)
-	defer tracker.Close()
-
-	srcIP := netip.MustParseAddr("100.64.0.1")
-	dstIP := netip.MustParseAddr("100.64.0.2")
-	srcPort := uint16(12345)
-	dstPort := uint16(80)
-
-	t.Run("Connection Timeout", func(t *testing.T) {
-		// Establish a connection
-		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-
-		// Get connection object
-		key := ConnKey{
-			SrcIP:   srcIP,
-			DstIP:   dstIP,
-			SrcPort: srcPort,
-			DstPort: dstPort,
-		}
-		conn := tracker.connections[key]
-		require.NotNil(t, conn)
-		require.Equal(t, TCPStateEstablished, conn.GetState())
-
-		// Wait for the connection to timeout
-		time.Sleep(2 * shortTimeout)
-
-		// Force cleanup
-		tracker.cleanup()
-
-		// Connection should be removed
-		_, exists := tracker.connections[key]
-		require.False(t, exists, "Connection should be removed after timeout")
-	})
-
-	t.Run("TIME_WAIT Timeout", func(t *testing.T) {
-		tracker = NewTCPTracker(shortTimeout, logger, flowLogger)
-
-		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-
-		key := ConnKey{
-			SrcIP:   srcIP,
-			DstIP:   dstIP,
-			SrcPort: srcPort,
-			DstPort: dstPort,
-		}
-		conn := tracker.connections[key]
-		require.NotNil(t, conn)
-
-		// Complete the connection close to enter TIME_WAIT
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
-		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
-		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
-
-		require.Equal(t, TCPStateTimeWait, conn.GetState())
-
-		// TIME_WAIT should have its own timeout value (usually 2*MSL)
-		// For the test, we're using a short timeout
-		time.Sleep(2 * shortTimeout)
-
-		tracker.cleanup()
-
-		// Connection should be removed
-		_, exists := tracker.connections[key]
-		require.False(t, exists, "Connection should be removed after TIME_WAIT timeout")
-	})
-}
-
-func TestSynFlood(t *testing.T) {
-	tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-	defer tracker.Close()
-
-	srcIP := netip.MustParseAddr("100.64.0.1")
-	dstIP := netip.MustParseAddr("100.64.0.2")
-	basePort := uint16(10000)
-	dstPort := uint16(80)
-
-	// Create a large number of SYN packets to simulate a SYN flood
-	for i := uint16(0); i < 1000; i++ {
-		tracker.TrackOutbound(srcIP, dstIP, basePort+i, dstPort, TCPSyn, 0)
-	}
-
-	// Check that we're tracking all connections
-	require.Equal(t, 1000, len(tracker.connections))
-
-	// Now simulate SYN timeout
-	var oldConns int
-	tracker.mutex.Lock()
-	for _, conn := range tracker.connections {
-		if conn.GetState() == TCPStateSynSent {
-			// Make the connection appear old
-			conn.lastSeen.Store(time.Now().Add(-TCPHandshakeTimeout - time.Second).UnixNano())
-			oldConns++
-		}
-	}
-	tracker.mutex.Unlock()
-	require.Equal(t, 1000, oldConns)
-
-	// Run cleanup
-	tracker.cleanup()
-
-	// Check that stale connections were cleaned up
-	require.Equal(t, 0, len(tracker.connections))
-}
-
-func TestTCPInboundInitiatedConnection(t *testing.T) {
-	tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-	defer tracker.Close()
-
-	clientIP := netip.MustParseAddr("100.64.0.1")
-	serverIP := netip.MustParseAddr("100.64.0.2")
-	clientPort := uint16(12345)
-	serverPort := uint16(80)
-
-	// 1. Client sends SYN (we receive it as inbound)
-	tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPSyn, nil, 100)
-
-	key := ConnKey{
-		SrcIP:   clientIP,
-		DstIP:   serverIP,
-		SrcPort: clientPort,
-		DstPort: serverPort,
-	}
-
-	tracker.mutex.RLock()
-	conn := tracker.connections[key]
-	tracker.mutex.RUnlock()
-
-	require.NotNil(t, conn)
-	require.Equal(t, TCPStateSynReceived, conn.GetState(), "Connection should be in SYN-RECEIVED state after inbound SYN")
-
-	// 2. Server sends SYN-ACK response
-	tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPSyn|TCPAck, 100)
-
-	// 3. Client sends ACK to complete handshake
-	tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPAck, nil, 100)
-	require.Equal(t, TCPStateEstablished, conn.GetState(), "Connection should be ESTABLISHED after handshake completion")
-
-	// 4. Test data transfer
-	// Client sends data
-	tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPPush|TCPAck, nil, 1000)
-
-	// Server sends ACK for data
-	tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPAck, 100)
-
-	// Server sends data
-	tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPPush|TCPAck, 1500)
-
-	// Client sends ACK for data
-	tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPAck, nil, 100)
-
-	// Verify state and counters
-	require.Equal(t, TCPStateEstablished, conn.GetState())
-	assert.Equal(t, uint64(1300), conn.BytesRx.Load()) // 3 packets * 100 + 1000 data
-	assert.Equal(t, uint64(1700), conn.BytesTx.Load()) // 2 packets * 100 + 1500 data
-	assert.Equal(t, uint64(4), conn.PacketsRx.Load())  // SYN, ACK, Data
-	assert.Equal(t, uint64(3), conn.PacketsTx.Load())  // SYN-ACK, Data
-}
-
-// Helper to establish a TCP connection
-func establishConnection(t *testing.T, tracker *TCPTracker, srcIP, dstIP netip.Addr, srcPort, dstPort uint16) {
-	t.Helper()
-
-	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPSyn, 100)
-
-	valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn|TCPAck, 100)
-	require.True(t, valid, "SYN-ACK should be allowed")
-
-	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 100)
-}

client/firewall/uspfilter/conntrack/udp.go

@@ -1,220 +0,0 @@
-package conntrack
-
-import (
-	"context"
-	"net/netip"
-	"sync"
-	"time"
-
-	"github.com/google/uuid"
-
-	nblog "github.com/netbirdio/netbird/client/firewall/uspfilter/log"
-	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
-)
-
-const (
-	// DefaultUDPTimeout is the default timeout for UDP connections
-	DefaultUDPTimeout = 30 * time.Second
-	// UDPCleanupInterval is how often we check for stale connections
-	UDPCleanupInterval = 15 * time.Second
-)
-
-// UDPConnTrack represents a UDP connection state
-type UDPConnTrack struct {
-	BaseConnTrack
-	SourcePort uint16
-	DestPort   uint16
-}
-
-// UDPTracker manages UDP connection states
-type UDPTracker struct {
-	logger        *nblog.Logger
-	connections   map[ConnKey]*UDPConnTrack
-	timeout       time.Duration
-	cleanupTicker *time.Ticker
-	tickerCancel  context.CancelFunc
-	mutex         sync.RWMutex
-	flowLogger    nftypes.FlowLogger
-}
-
-// NewUDPTracker creates a new UDP connection tracker
-func NewUDPTracker(timeout time.Duration, logger *nblog.Logger, flowLogger nftypes.FlowLogger) *UDPTracker {
-	if timeout == 0 {
-		timeout = DefaultUDPTimeout
-	}
-
-	ctx, cancel := context.WithCancel(context.Background())
-
-	tracker := &UDPTracker{
-		logger:        logger,
-		connections:   make(map[ConnKey]*UDPConnTrack),
-		timeout:       timeout,
-		cleanupTicker: time.NewTicker(UDPCleanupInterval),
-		tickerCancel:  cancel,
-		flowLogger:    flowLogger,
-	}
-
-	go tracker.cleanupRoutine(ctx)
-	return tracker
-}
-
-// TrackOutbound records an outbound UDP connection
-func (t *UDPTracker) TrackOutbound(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, dstPort uint16, size int) {
-	if _, exists := t.updateIfExists(dstIP, srcIP, dstPort, srcPort, nftypes.Egress, size); !exists {
-		// if (inverted direction) conn is not tracked, track this direction
-		t.track(srcIP, dstIP, srcPort, dstPort, nftypes.Egress, nil, size)
-	}
-}
-
-// TrackInbound records an inbound UDP connection
-func (t *UDPTracker) TrackInbound(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, dstPort uint16, ruleID []byte, size int) {
-	t.track(srcIP, dstIP, srcPort, dstPort, nftypes.Ingress, ruleID, size)
-}
-
-func (t *UDPTracker) updateIfExists(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, dstPort uint16, direction nftypes.Direction, size int) (ConnKey, bool) {
-	key := ConnKey{
-		SrcIP:   srcIP,
-		DstIP:   dstIP,
-		SrcPort: srcPort,
-		DstPort: dstPort,
-	}
-
-	t.mutex.RLock()
-	conn, exists := t.connections[key]
-	t.mutex.RUnlock()
-
-	if exists {
-		conn.UpdateLastSeen()
-		conn.UpdateCounters(direction, size)
-		return key, true
-	}
-
-	return key, false
-}
-
-// track is the common implementation for tracking both inbound and outbound connections
-func (t *UDPTracker) track(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, dstPort uint16, direction nftypes.Direction, ruleID []byte, size int) {
-	key, exists := t.updateIfExists(srcIP, dstIP, srcPort, dstPort, direction, size)
-	if exists {
-		return
-	}
-
-	conn := &UDPConnTrack{
-		BaseConnTrack: BaseConnTrack{
-			FlowId:    uuid.New(),
-			Direction: direction,
-			SourceIP:  srcIP,
-			DestIP:    dstIP,
-		},
-		SourcePort: srcPort,
-		DestPort:   dstPort,
-	}
-	conn.UpdateLastSeen()
-	conn.UpdateCounters(direction, size)
-
-	t.mutex.Lock()
-	t.connections[key] = conn
-	t.mutex.Unlock()
-
-	t.logger.Trace("New %s UDP connection: %s", direction, key)
-	t.sendEvent(nftypes.TypeStart, conn, ruleID)
-}
-
-// IsValidInbound checks if an inbound packet matches a tracked connection
-func (t *UDPTracker) IsValidInbound(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, dstPort uint16, size int) bool {
-	key := ConnKey{
-		SrcIP:   dstIP,
-		DstIP:   srcIP,
-		SrcPort: dstPort,
-		DstPort: srcPort,
-	}
-
-	t.mutex.RLock()
-	conn, exists := t.connections[key]
-	t.mutex.RUnlock()
-
-	if !exists || conn.timeoutExceeded(t.timeout) {
-		return false
-	}
-
-	conn.UpdateLastSeen()
-	conn.UpdateCounters(nftypes.Ingress, size)
-
-	return true
-}
-
-// cleanupRoutine periodically removes stale connections
-func (t *UDPTracker) cleanupRoutine(ctx context.Context) {
-	defer t.cleanupTicker.Stop()
-
-	for {
-		select {
-		case <-t.cleanupTicker.C:
-			t.cleanup()
-		case <-ctx.Done():
-			return
-		}
-	}
-}
-
-func (t *UDPTracker) cleanup() {
-	t.mutex.Lock()
-	defer t.mutex.Unlock()
-
-	for key, conn := range t.connections {
-		if conn.timeoutExceeded(t.timeout) {
-			delete(t.connections, key)
-
-			t.logger.Trace("Removed UDP connection %s (timeout) [in: %d Pkts/%d B, out: %d Pkts/%d B]",
-				key, conn.PacketsRx.Load(), conn.BytesRx.Load(), conn.PacketsTx.Load(), conn.BytesTx.Load())
-			t.sendEvent(nftypes.TypeEnd, conn, nil)
-		}
-	}
-}
-
-// Close stops the cleanup routine and releases resources
-func (t *UDPTracker) Close() {
-	t.tickerCancel()
-
-	t.mutex.Lock()
-	t.connections = nil
-	t.mutex.Unlock()
-}
-
-// GetConnection safely retrieves a connection state
-func (t *UDPTracker) GetConnection(srcIP netip.Addr, srcPort uint16, dstIP netip.Addr, dstPort uint16) (*UDPConnTrack, bool) {
-	t.mutex.RLock()
-	defer t.mutex.RUnlock()
-
-	key := ConnKey{
-		SrcIP:   srcIP,
-		DstIP:   dstIP,
-		SrcPort: srcPort,
-		DstPort: dstPort,
-	}
-	conn, exists := t.connections[key]
-	return conn, exists
-}
-
-// Timeout returns the configured timeout duration for the tracker
-func (t *UDPTracker) Timeout() time.Duration {
-	return t.timeout
-}
-
-func (t *UDPTracker) sendEvent(typ nftypes.Type, conn *UDPConnTrack, ruleID []byte) {
-	t.flowLogger.StoreEvent(nftypes.EventFields{
-		FlowID:     conn.FlowId,
-		Type:       typ,
-		RuleID:     ruleID,
-		Direction:  conn.Direction,
-		Protocol:   nftypes.UDP,
-		SourceIP:   conn.SourceIP,
-		DestIP:     conn.DestIP,
-		SourcePort: conn.SourcePort,
-		DestPort:   conn.DestPort,
-		RxPackets:  conn.PacketsRx.Load(),
-		TxPackets:  conn.PacketsTx.Load(),
-		RxBytes:    conn.BytesRx.Load(),
-		TxBytes:    conn.BytesTx.Load(),
-	})
-}

client/firewall/uspfilter/conntrack/udp_test.go

@@ -1,252 +0,0 @@
-package conntrack
-
-import (
-	"context"
-	"net/netip"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestNewUDPTracker(t *testing.T) {
-	tests := []struct {
-		name        string
-		timeout     time.Duration
-		wantTimeout time.Duration
-	}{
-		{
-			name:        "with custom timeout",
-			timeout:     1 * time.Minute,
-			wantTimeout: 1 * time.Minute,
-		},
-		{
-			name:        "with zero timeout uses default",
-			timeout:     0,
-			wantTimeout: DefaultUDPTimeout,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			tracker := NewUDPTracker(tt.timeout, logger, flowLogger)
-			assert.NotNil(t, tracker)
-			assert.Equal(t, tt.wantTimeout, tracker.timeout)
-			assert.NotNil(t, tracker.connections)
-			assert.NotNil(t, tracker.cleanupTicker)
-			assert.NotNil(t, tracker.tickerCancel)
-		})
-	}
-}
-
-func TestUDPTracker_TrackOutbound(t *testing.T) {
-	tracker := NewUDPTracker(DefaultUDPTimeout, logger, flowLogger)
-	defer tracker.Close()
-
-	srcIP := netip.MustParseAddr("192.168.1.2")
-	dstIP := netip.MustParseAddr("192.168.1.3")
-	srcPort := uint16(12345)
-	dstPort := uint16(53)
-
-	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, 0)
-
-	// Verify connection was tracked
-	key := ConnKey{
-		SrcIP:   srcIP,
-		DstIP:   dstIP,
-		SrcPort: srcPort,
-		DstPort: dstPort,
-	}
-	conn, exists := tracker.connections[key]
-	require.True(t, exists)
-	assert.True(t, conn.SourceIP.Compare(srcIP) == 0)
-	assert.True(t, conn.DestIP.Compare(dstIP) == 0)
-	assert.Equal(t, srcPort, conn.SourcePort)
-	assert.Equal(t, dstPort, conn.DestPort)
-	assert.WithinDuration(t, time.Now(), conn.GetLastSeen(), 1*time.Second)
-}
-
-func TestUDPTracker_IsValidInbound(t *testing.T) {
-	tracker := NewUDPTracker(1*time.Second, logger, flowLogger)
-	defer tracker.Close()
-
-	srcIP := netip.MustParseAddr("192.168.1.2")
-	dstIP := netip.MustParseAddr("192.168.1.3")
-	srcPort := uint16(12345)
-	dstPort := uint16(53)
-
-	// Track outbound connection
-	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, 0)
-
-	tests := []struct {
-		name    string
-		srcIP   netip.Addr
-		dstIP   netip.Addr
-		srcPort uint16
-		dstPort uint16
-		sleep   time.Duration
-		want    bool
-	}{
-		{
-			name:    "valid inbound response",
-			srcIP:   dstIP,   // Original destination is now source
-			dstIP:   srcIP,   // Original source is now destination
-			srcPort: dstPort, // Original destination port is now source
-			dstPort: srcPort, // Original source port is now destination
-			sleep:   0,
-			want:    true,
-		},
-		{
-			name:    "invalid source IP",
-			srcIP:   netip.MustParseAddr("192.168.1.4"),
-			dstIP:   srcIP,
-			srcPort: dstPort,
-			dstPort: srcPort,
-			sleep:   0,
-			want:    false,
-		},
-		{
-			name:    "invalid destination IP",
-			srcIP:   dstIP,
-			dstIP:   netip.MustParseAddr("192.168.1.4"),
-			srcPort: dstPort,
-			dstPort: srcPort,
-			sleep:   0,
-			want:    false,
-		},
-		{
-			name:    "invalid source port",
-			srcIP:   dstIP,
-			dstIP:   srcIP,
-			srcPort: 54321,
-			dstPort: srcPort,
-			sleep:   0,
-			want:    false,
-		},
-		{
-			name:    "invalid destination port",
-			srcIP:   dstIP,
-			dstIP:   srcIP,
-			srcPort: dstPort,
-			dstPort: 54321,
-			sleep:   0,
-			want:    false,
-		},
-		{
-			name:    "expired connection",
-			srcIP:   dstIP,
-			dstIP:   srcIP,
-			srcPort: dstPort,
-			dstPort: srcPort,
-			sleep:   2 * time.Second, // Longer than tracker timeout
-			want:    false,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			if tt.sleep > 0 {
-				time.Sleep(tt.sleep)
-			}
-			got := tracker.IsValidInbound(tt.srcIP, tt.dstIP, tt.srcPort, tt.dstPort, 0)
-			assert.Equal(t, tt.want, got)
-		})
-	}
-}
-
-func TestUDPTracker_Cleanup(t *testing.T) {
-	// Use shorter intervals for testing
-	timeout := 50 * time.Millisecond
-	cleanupInterval := 25 * time.Millisecond
-
-	ctx, tickerCancel := context.WithCancel(context.Background())
-	defer tickerCancel()
-
-	// Create tracker with custom cleanup interval
-	tracker := &UDPTracker{
-		connections:   make(map[ConnKey]*UDPConnTrack),
-		timeout:       timeout,
-		cleanupTicker: time.NewTicker(cleanupInterval),
-		tickerCancel:  tickerCancel,
-		logger:        logger,
-		flowLogger:    flowLogger,
-	}
-
-	// Start cleanup routine
-	go tracker.cleanupRoutine(ctx)
-
-	// Add some connections
-	connections := []struct {
-		srcIP   netip.Addr
-		dstIP   netip.Addr
-		srcPort uint16
-		dstPort uint16
-	}{
-		{
-			srcIP:   netip.MustParseAddr("192.168.1.2"),
-			dstIP:   netip.MustParseAddr("192.168.1.3"),
-			srcPort: 12345,
-			dstPort: 53,
-		},
-		{
-			srcIP:   netip.MustParseAddr("192.168.1.4"),
-			dstIP:   netip.MustParseAddr("192.168.1.5"),
-			srcPort: 12346,
-			dstPort: 53,
-		},
-	}
-
-	for _, conn := range connections {
-		tracker.TrackOutbound(conn.srcIP, conn.dstIP, conn.srcPort, conn.dstPort, 0)
-	}
-
-	// Verify initial connections
-	assert.Len(t, tracker.connections, 2)
-
-	// Wait for connection timeout and cleanup interval
-	time.Sleep(timeout + 2*cleanupInterval)
-
-	tracker.mutex.RLock()
-	connCount := len(tracker.connections)
-	tracker.mutex.RUnlock()
-
-	// Verify connections were cleaned up
-	assert.Equal(t, 0, connCount, "Expected all connections to be cleaned up")
-
-	// Properly close the tracker
-	tracker.Close()
-}
-
-func BenchmarkUDPTracker(b *testing.B) {
-	b.Run("TrackOutbound", func(b *testing.B) {
-		tracker := NewUDPTracker(DefaultUDPTimeout, logger, flowLogger)
-		defer tracker.Close()
-
-		srcIP := netip.MustParseAddr("192.168.1.1")
-		dstIP := netip.MustParseAddr("192.168.1.2")
-
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			tracker.TrackOutbound(srcIP, dstIP, uint16(i%65535), 80, 0)
-		}
-	})
-
-	b.Run("IsValidInbound", func(b *testing.B) {
-		tracker := NewUDPTracker(DefaultUDPTimeout, logger, flowLogger)
-		defer tracker.Close()
-
-		srcIP := netip.MustParseAddr("192.168.1.1")
-		dstIP := netip.MustParseAddr("192.168.1.2")
-
-		// Pre-populate some connections
-		for i := 0; i < 1000; i++ {
-			tracker.TrackOutbound(srcIP, dstIP, uint16(i), 80, 0)
-		}
-
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			tracker.IsValidInbound(dstIP, srcIP, 80, uint16(i%1000), 0)
-		}
-	})
-}

client/firewall/uspfilter/forwarder/endpoint.go

@@ -1,90 +0,0 @@
-package forwarder
-
-import (
-	"fmt"
-
-	wgdevice "golang.zx2c4.com/wireguard/device"
-	"gvisor.dev/gvisor/pkg/tcpip"
-	"gvisor.dev/gvisor/pkg/tcpip/header"
-	"gvisor.dev/gvisor/pkg/tcpip/stack"
-
-	nblog "github.com/netbirdio/netbird/client/firewall/uspfilter/log"
-)
-
-// endpoint implements stack.LinkEndpoint and handles integration with the wireguard device
-type endpoint struct {
-	logger     *nblog.Logger
-	dispatcher stack.NetworkDispatcher
-	device     *wgdevice.Device
-	mtu        uint32
-}
-
-func (e *endpoint) Attach(dispatcher stack.NetworkDispatcher) {
-	e.dispatcher = dispatcher
-}
-
-func (e *endpoint) IsAttached() bool {
-	return e.dispatcher != nil
-}
-
-func (e *endpoint) MTU() uint32 {
-	return e.mtu
-}
-
-func (e *endpoint) Capabilities() stack.LinkEndpointCapabilities {
-	return stack.CapabilityNone
-}
-
-func (e *endpoint) MaxHeaderLength() uint16 {
-	return 0
-}
-
-func (e *endpoint) LinkAddress() tcpip.LinkAddress {
-	return ""
-}
-
-func (e *endpoint) WritePackets(pkts stack.PacketBufferList) (int, tcpip.Error) {
-	var written int
-	for _, pkt := range pkts.AsSlice() {
-		netHeader := header.IPv4(pkt.NetworkHeader().View().AsSlice())
-
-		data := stack.PayloadSince(pkt.NetworkHeader())
-		if data == nil {
-			continue
-		}
-
-		// Send the packet through WireGuard
-		address := netHeader.DestinationAddress()
-		err := e.device.CreateOutboundPacket(data.AsSlice(), address.AsSlice())
-		if err != nil {
-			e.logger.Error("CreateOutboundPacket: %v", err)
-			continue
-		}
-		written++
-	}
-
-	return written, nil
-}
-
-func (e *endpoint) Wait() {
-	// not required
-}
-
-func (e *endpoint) ARPHardwareType() header.ARPHardwareType {
-	return header.ARPHardwareNone
-}
-
-func (e *endpoint) AddHeader(*stack.PacketBuffer) {
-	// not required
-}
-
-func (e *endpoint) ParseHeader(*stack.PacketBuffer) bool {
-	return true
-}
-
-type epID stack.TransportEndpointID
-
-func (i epID) String() string {
-	// src and remote is swapped
-	return fmt.Sprintf("%s:%d -> %s:%d", i.RemoteAddress, i.RemotePort, i.LocalAddress, i.LocalPort)
-}

client/firewall/uspfilter/forwarder/forwarder.go

@@ -1,206 +0,0 @@
-package forwarder
-
-import (
-	"context"
-	"fmt"
-	"net"
-	"net/netip"
-	"runtime"
-	"sync"
-
-	log "github.com/sirupsen/logrus"
-	"gvisor.dev/gvisor/pkg/buffer"
-	"gvisor.dev/gvisor/pkg/tcpip"
-	"gvisor.dev/gvisor/pkg/tcpip/header"
-	"gvisor.dev/gvisor/pkg/tcpip/network/ipv4"
-	"gvisor.dev/gvisor/pkg/tcpip/stack"
-	"gvisor.dev/gvisor/pkg/tcpip/transport/icmp"
-	"gvisor.dev/gvisor/pkg/tcpip/transport/tcp"
-	"gvisor.dev/gvisor/pkg/tcpip/transport/udp"
-
-	"github.com/netbirdio/netbird/client/firewall/uspfilter/common"
-	"github.com/netbirdio/netbird/client/firewall/uspfilter/conntrack"
-	nblog "github.com/netbirdio/netbird/client/firewall/uspfilter/log"
-	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
-)
-
-const (
-	defaultReceiveWindow = 32768
-	defaultMaxInFlight   = 1024
-	iosReceiveWindow     = 16384
-	iosMaxInFlight       = 256
-)
-
-type Forwarder struct {
-	logger     *nblog.Logger
-	flowLogger nftypes.FlowLogger
-	// ruleIdMap is used to store the rule ID for a given connection
-	ruleIdMap    sync.Map
-	stack        *stack.Stack
-	endpoint     *endpoint
-	udpForwarder *udpForwarder
-	ctx          context.Context
-	cancel       context.CancelFunc
-	ip           net.IP
-	netstack     bool
-}
-
-func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.FlowLogger, netstack bool) (*Forwarder, error) {
-	s := stack.New(stack.Options{
-		NetworkProtocols: []stack.NetworkProtocolFactory{ipv4.NewProtocol},
-		TransportProtocols: []stack.TransportProtocolFactory{
-			tcp.NewProtocol,
-			udp.NewProtocol,
-			icmp.NewProtocol4,
-		},
-		HandleLocal: false,
-	})
-
-	mtu, err := iface.GetDevice().MTU()
-	if err != nil {
-		return nil, fmt.Errorf("get MTU: %w", err)
-	}
-	nicID := tcpip.NICID(1)
-	endpoint := &endpoint{
-		logger: logger,
-		device: iface.GetWGDevice(),
-		mtu:    uint32(mtu),
-	}
-
-	if err := s.CreateNIC(nicID, endpoint); err != nil {
-		return nil, fmt.Errorf("failed to create NIC: %v", err)
-	}
-
-	ones, _ := iface.Address().Network.Mask.Size()
-	protoAddr := tcpip.ProtocolAddress{
-		Protocol: ipv4.ProtocolNumber,
-		AddressWithPrefix: tcpip.AddressWithPrefix{
-			Address:   tcpip.AddrFromSlice(iface.Address().IP.To4()),
-			PrefixLen: ones,
-		},
-	}
-
-	if err := s.AddProtocolAddress(nicID, protoAddr, stack.AddressProperties{}); err != nil {
-		return nil, fmt.Errorf("failed to add protocol address: %s", err)
-	}
-
-	defaultSubnet, err := tcpip.NewSubnet(
-		tcpip.AddrFrom4([4]byte{0, 0, 0, 0}),
-		tcpip.MaskFromBytes([]byte{0, 0, 0, 0}),
-	)
-	if err != nil {
-		return nil, fmt.Errorf("creating default subnet: %w", err)
-	}
-
-	if err := s.SetPromiscuousMode(nicID, true); err != nil {
-		return nil, fmt.Errorf("set promiscuous mode: %s", err)
-	}
-	if err := s.SetSpoofing(nicID, true); err != nil {
-		return nil, fmt.Errorf("set spoofing: %s", err)
-	}
-
-	s.SetRouteTable([]tcpip.Route{
-		{
-			Destination: defaultSubnet,
-			NIC:         nicID,
-		},
-	})
-
-	ctx, cancel := context.WithCancel(context.Background())
-	f := &Forwarder{
-		logger:       logger,
-		flowLogger:   flowLogger,
-		stack:        s,
-		endpoint:     endpoint,
-		udpForwarder: newUDPForwarder(mtu, logger, flowLogger),
-		ctx:          ctx,
-		cancel:       cancel,
-		netstack:     netstack,
-		ip:           iface.Address().IP,
-	}
-
-	receiveWindow := defaultReceiveWindow
-	maxInFlight := defaultMaxInFlight
-	if runtime.GOOS == "ios" {
-		receiveWindow = iosReceiveWindow
-		maxInFlight = iosMaxInFlight
-	}
-
-	tcpForwarder := tcp.NewForwarder(s, receiveWindow, maxInFlight, f.handleTCP)
-	s.SetTransportProtocolHandler(tcp.ProtocolNumber, tcpForwarder.HandlePacket)
-
-	udpForwarder := udp.NewForwarder(s, f.handleUDP)
-	s.SetTransportProtocolHandler(udp.ProtocolNumber, udpForwarder.HandlePacket)
-
-	s.SetTransportProtocolHandler(icmp.ProtocolNumber4, f.handleICMP)
-
-	log.Debugf("forwarder: Initialization complete with NIC %d", nicID)
-	return f, nil
-}
-
-func (f *Forwarder) InjectIncomingPacket(payload []byte) error {
-	if len(payload) < header.IPv4MinimumSize {
-		return fmt.Errorf("packet too small: %d bytes", len(payload))
-	}
-
-	pkt := stack.NewPacketBuffer(stack.PacketBufferOptions{
-		Payload: buffer.MakeWithData(payload),
-	})
-	defer pkt.DecRef()
-
-	if f.endpoint.dispatcher != nil {
-		f.endpoint.dispatcher.DeliverNetworkPacket(ipv4.ProtocolNumber, pkt)
-	}
-	return nil
-}
-
-// Stop gracefully shuts down the forwarder
-func (f *Forwarder) Stop() {
-	f.cancel()
-
-	if f.udpForwarder != nil {
-		f.udpForwarder.Stop()
-	}
-
-	f.stack.Close()
-	f.stack.Wait()
-}
-
-func (f *Forwarder) determineDialAddr(addr tcpip.Address) net.IP {
-	if f.netstack && f.ip.Equal(addr.AsSlice()) {
-		return net.IPv4(127, 0, 0, 1)
-	}
-	return addr.AsSlice()
-}
-
-func (f *Forwarder) RegisterRuleID(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, ruleID []byte) {
-	key := buildKey(srcIP, dstIP, srcPort, dstPort)
-	f.ruleIdMap.LoadOrStore(key, ruleID)
-}
-
-func (f *Forwarder) getRuleID(srcIP, dstIP netip.Addr, srcPort, dstPort uint16) ([]byte, bool) {
-
-	if value, ok := f.ruleIdMap.Load(buildKey(srcIP, dstIP, srcPort, dstPort)); ok {
-		return value.([]byte), true
-	} else if value, ok := f.ruleIdMap.Load(buildKey(dstIP, srcIP, dstPort, srcPort)); ok {
-		return value.([]byte), true
-	}
-
-	return nil, false
-}
-
-func (f *Forwarder) DeleteRuleID(srcIP, dstIP netip.Addr, srcPort, dstPort uint16) {
-	if _, ok := f.ruleIdMap.LoadAndDelete(buildKey(srcIP, dstIP, srcPort, dstPort)); ok {
-		return
-	}
-	f.ruleIdMap.LoadAndDelete(buildKey(dstIP, srcIP, dstPort, srcPort))
-}
-
-func buildKey(srcIP, dstIP netip.Addr, srcPort, dstPort uint16) conntrack.ConnKey {
-	return conntrack.ConnKey{
-		SrcIP:   srcIP,
-		DstIP:   dstIP,
-		SrcPort: srcPort,
-		DstPort: dstPort,
-	}
-}

client/firewall/uspfilter/forwarder/icmp.go

@@ -1,154 +0,0 @@
-package forwarder
-
-import (
-	"context"
-	"net"
-	"net/netip"
-	"time"
-
-	"github.com/google/uuid"
-	"gvisor.dev/gvisor/pkg/tcpip/header"
-	"gvisor.dev/gvisor/pkg/tcpip/stack"
-
-	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
-)
-
-// handleICMP handles ICMP packets from the network stack
-func (f *Forwarder) handleICMP(id stack.TransportEndpointID, pkt stack.PacketBufferPtr) bool {
-	icmpHdr := header.ICMPv4(pkt.TransportHeader().View().AsSlice())
-	icmpType := uint8(icmpHdr.Type())
-	icmpCode := uint8(icmpHdr.Code())
-
-	if header.ICMPv4Type(icmpType) == header.ICMPv4EchoReply {
-		// dont process our own replies
-		return true
-	}
-
-	flowID := uuid.New()
-	f.sendICMPEvent(nftypes.TypeStart, flowID, id, icmpType, icmpCode, 0, 0)
-
-	ctx, cancel := context.WithTimeout(f.ctx, 5*time.Second)
-	defer cancel()
-
-	lc := net.ListenConfig{}
-	// TODO: support non-root
-	conn, err := lc.ListenPacket(ctx, "ip4:icmp", "0.0.0.0")
-	if err != nil {
-		f.logger.Error("forwarder: Failed to create ICMP socket for %v: %v", epID(id), err)
-
-		// This will make netstack reply on behalf of the original destination, that's ok for now
-		return false
-	}
-	defer func() {
-		if err := conn.Close(); err != nil {
-			f.logger.Debug("forwarder: Failed to close ICMP socket: %v", err)
-		}
-	}()
-
-	dstIP := f.determineDialAddr(id.LocalAddress)
-	dst := &net.IPAddr{IP: dstIP}
-
-	fullPacket := stack.PayloadSince(pkt.TransportHeader())
-	payload := fullPacket.AsSlice()
-
-	if _, err = conn.WriteTo(payload, dst); err != nil {
-		f.logger.Error("forwarder: Failed to write ICMP packet for %v: %v", epID(id), err)
-		return true
-	}
-
-	f.logger.Trace("forwarder: Forwarded ICMP packet %v type %v code %v",
-		epID(id), icmpHdr.Type(), icmpHdr.Code())
-
-	// For Echo Requests, send and handle response
-	if header.ICMPv4Type(icmpType) == header.ICMPv4Echo {
-		rxBytes := pkt.Size()
-		txBytes := f.handleEchoResponse(icmpHdr, conn, id)
-		f.sendICMPEvent(nftypes.TypeEnd, flowID, id, icmpType, icmpCode, uint64(rxBytes), uint64(txBytes))
-	}
-
-	// For other ICMP types (Time Exceeded, Destination Unreachable, etc) do nothing
-	return true
-}
-
-func (f *Forwarder) handleEchoResponse(icmpHdr header.ICMPv4, conn net.PacketConn, id stack.TransportEndpointID) int {
-	if err := conn.SetReadDeadline(time.Now().Add(5 * time.Second)); err != nil {
-		f.logger.Error("forwarder: Failed to set read deadline for ICMP response: %v", err)
-		return 0
-	}
-
-	response := make([]byte, f.endpoint.mtu)
-	n, _, err := conn.ReadFrom(response)
-	if err != nil {
-		if !isTimeout(err) {
-			f.logger.Error("forwarder: Failed to read ICMP response: %v", err)
-		}
-		return 0
-	}
-
-	ipHdr := make([]byte, header.IPv4MinimumSize)
-	ip := header.IPv4(ipHdr)
-	ip.Encode(&header.IPv4Fields{
-		TotalLength: uint16(header.IPv4MinimumSize + n),
-		TTL:         64,
-		Protocol:    uint8(header.ICMPv4ProtocolNumber),
-		SrcAddr:     id.LocalAddress,
-		DstAddr:     id.RemoteAddress,
-	})
-	ip.SetChecksum(^ip.CalculateChecksum())
-
-	fullPacket := make([]byte, 0, len(ipHdr)+n)
-	fullPacket = append(fullPacket, ipHdr...)
-	fullPacket = append(fullPacket, response[:n]...)
-
-	if err := f.InjectIncomingPacket(fullPacket); err != nil {
-		f.logger.Error("forwarder: Failed to inject ICMP response: %v", err)
-
-		return 0
-	}
-
-	f.logger.Trace("forwarder: Forwarded ICMP echo reply for %v type %v code %v",
-		epID(id), icmpHdr.Type(), icmpHdr.Code())
-
-	return len(fullPacket)
-}
-
-// sendICMPEvent stores flow events for ICMP packets
-func (f *Forwarder) sendICMPEvent(typ nftypes.Type, flowID uuid.UUID, id stack.TransportEndpointID, icmpType, icmpCode uint8, rxBytes, txBytes uint64) {
-	var rxPackets, txPackets uint64
-	if rxBytes > 0 {
-		rxPackets = 1
-	}
-	if txBytes > 0 {
-		txPackets = 1
-	}
-
-	srcIp := netip.AddrFrom4(id.RemoteAddress.As4())
-	dstIp := netip.AddrFrom4(id.LocalAddress.As4())
-
-	fields := nftypes.EventFields{
-		FlowID:    flowID,
-		Type:      typ,
-		Direction: nftypes.Ingress,
-		Protocol:  nftypes.ICMP,
-		// TODO: handle ipv6
-		SourceIP: srcIp,
-		DestIP:   dstIp,
-		ICMPType: icmpType,
-		ICMPCode: icmpCode,
-
-		RxBytes:   rxBytes,
-		TxBytes:   txBytes,
-		RxPackets: rxPackets,
-		TxPackets: txPackets,
-	}
-
-	if typ == nftypes.TypeStart {
-		if ruleId, ok := f.getRuleID(srcIp, dstIp, id.RemotePort, id.LocalPort); ok {
-			fields.RuleID = ruleId
-		}
-	} else {
-		f.DeleteRuleID(srcIp, dstIp, id.RemotePort, id.LocalPort)
-	}
-
-	f.flowLogger.StoreEvent(fields)
-}

client/firewall/uspfilter/forwarder/tcp.go

@@ -1,164 +0,0 @@
-package forwarder
-
-import (
-	"context"
-	"fmt"
-	"io"
-	"net"
-	"net/netip"
-	"sync"
-
-	"github.com/google/uuid"
-
-	"gvisor.dev/gvisor/pkg/tcpip"
-	"gvisor.dev/gvisor/pkg/tcpip/adapters/gonet"
-	"gvisor.dev/gvisor/pkg/tcpip/stack"
-	"gvisor.dev/gvisor/pkg/tcpip/transport/tcp"
-	"gvisor.dev/gvisor/pkg/waiter"
-
-	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
-)
-
-// handleTCP is called by the TCP forwarder for new connections.
-func (f *Forwarder) handleTCP(r *tcp.ForwarderRequest) {
-	id := r.ID()
-
-	flowID := uuid.New()
-
-	f.sendTCPEvent(nftypes.TypeStart, flowID, id, 0, 0, 0, 0)
-	var success bool
-	defer func() {
-		if !success {
-			f.sendTCPEvent(nftypes.TypeEnd, flowID, id, 0, 0, 0, 0)
-		}
-	}()
-
-	dialAddr := fmt.Sprintf("%s:%d", f.determineDialAddr(id.LocalAddress), id.LocalPort)
-
-	outConn, err := (&net.Dialer{}).DialContext(f.ctx, "tcp", dialAddr)
-	if err != nil {
-		r.Complete(true)
-		f.logger.Trace("forwarder: dial error for %v: %v", epID(id), err)
-		return
-	}
-
-	// Create wait queue for blocking syscalls
-	wq := waiter.Queue{}
-
-	ep, epErr := r.CreateEndpoint(&wq)
-	if epErr != nil {
-		f.logger.Error("forwarder: failed to create TCP endpoint: %v", epErr)
-		if err := outConn.Close(); err != nil {
-			f.logger.Debug("forwarder: outConn close error: %v", err)
-		}
-		r.Complete(true)
-		return
-	}
-
-	// Complete the handshake
-	r.Complete(false)
-
-	inConn := gonet.NewTCPConn(&wq, ep)
-
-	success = true
-	f.logger.Trace("forwarder: established TCP connection %v", epID(id))
-
-	go f.proxyTCP(id, inConn, outConn, ep, flowID)
-}
-
-func (f *Forwarder) proxyTCP(id stack.TransportEndpointID, inConn *gonet.TCPConn, outConn net.Conn, ep tcpip.Endpoint, flowID uuid.UUID) {
-
-	ctx, cancel := context.WithCancel(f.ctx)
-	defer cancel()
-
-	go func() {
-		<-ctx.Done()
-		// Close connections and endpoint.
-		if err := inConn.Close(); err != nil && !isClosedError(err) {
-			f.logger.Debug("forwarder: inConn close error: %v", err)
-		}
-		if err := outConn.Close(); err != nil && !isClosedError(err) {
-			f.logger.Debug("forwarder: outConn close error: %v", err)
-		}
-
-		ep.Close()
-	}()
-
-	var wg sync.WaitGroup
-	wg.Add(2)
-
-	var (
-		bytesFromInToOut int64 // bytes from client to server (tx for client)
-		bytesFromOutToIn int64 // bytes from server to client (rx for client)
-		errInToOut       error
-		errOutToIn       error
-	)
-
-	go func() {
-		bytesFromInToOut, errInToOut = io.Copy(outConn, inConn)
-		cancel()
-		wg.Done()
-	}()
-
-	go func() {
-
-		bytesFromOutToIn, errOutToIn = io.Copy(inConn, outConn)
-		cancel()
-		wg.Done()
-	}()
-
-	wg.Wait()
-
-	if errInToOut != nil {
-		if !isClosedError(errInToOut) {
-			f.logger.Error("proxyTCP: copy error (in -> out): %v", errInToOut)
-		}
-	}
-	if errOutToIn != nil {
-		if !isClosedError(errOutToIn) {
-			f.logger.Error("proxyTCP: copy error (out -> in): %v", errOutToIn)
-		}
-	}
-
-	var rxPackets, txPackets uint64
-	if tcpStats, ok := ep.Stats().(*tcp.Stats); ok {
-		// fields are flipped since this is the in conn
-		rxPackets = tcpStats.SegmentsSent.Value()
-		txPackets = tcpStats.SegmentsReceived.Value()
-	}
-
-	f.logger.Trace("forwarder: Removed TCP connection %s [in: %d Pkts/%d B, out: %d Pkts/%d B]", epID(id), rxPackets, bytesFromOutToIn, txPackets, bytesFromInToOut)
-
-	f.sendTCPEvent(nftypes.TypeEnd, flowID, id, uint64(bytesFromOutToIn), uint64(bytesFromInToOut), rxPackets, txPackets)
-}
-
-func (f *Forwarder) sendTCPEvent(typ nftypes.Type, flowID uuid.UUID, id stack.TransportEndpointID, rxBytes, txBytes, rxPackets, txPackets uint64) {
-	srcIp := netip.AddrFrom4(id.RemoteAddress.As4())
-	dstIp := netip.AddrFrom4(id.LocalAddress.As4())
-
-	fields := nftypes.EventFields{
-		FlowID:    flowID,
-		Type:      typ,
-		Direction: nftypes.Ingress,
-		Protocol:  nftypes.TCP,
-		// TODO: handle ipv6
-		SourceIP:   srcIp,
-		DestIP:     dstIp,
-		SourcePort: id.RemotePort,
-		DestPort:   id.LocalPort,
-		RxBytes:    rxBytes,
-		TxBytes:    txBytes,
-		RxPackets:  rxPackets,
-		TxPackets:  txPackets,
-	}
-
-	if typ == nftypes.TypeStart {
-		if ruleId, ok := f.getRuleID(srcIp, dstIp, id.RemotePort, id.LocalPort); ok {
-			fields.RuleID = ruleId
-		}
-	} else {
-		f.DeleteRuleID(srcIp, dstIp, id.RemotePort, id.LocalPort)
-	}
-
-	f.flowLogger.StoreEvent(fields)
-}

client/firewall/uspfilter/forwarder/udp.go

@@ -1,360 +0,0 @@
-package forwarder
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"net"
-	"net/netip"
-	"sync"
-	"sync/atomic"
-	"time"
-
-	"github.com/google/uuid"
-	"gvisor.dev/gvisor/pkg/tcpip"
-	"gvisor.dev/gvisor/pkg/tcpip/adapters/gonet"
-	"gvisor.dev/gvisor/pkg/tcpip/stack"
-	"gvisor.dev/gvisor/pkg/tcpip/transport/udp"
-	"gvisor.dev/gvisor/pkg/waiter"
-
-	nblog "github.com/netbirdio/netbird/client/firewall/uspfilter/log"
-	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
-)
-
-const (
-	udpTimeout = 30 * time.Second
-)
-
-type udpPacketConn struct {
-	conn     *gonet.UDPConn
-	outConn  net.Conn
-	lastSeen atomic.Int64
-	cancel   context.CancelFunc
-	ep       tcpip.Endpoint
-	flowID   uuid.UUID
-}
-
-type udpForwarder struct {
-	sync.RWMutex
-	logger     *nblog.Logger
-	flowLogger nftypes.FlowLogger
-	conns      map[stack.TransportEndpointID]*udpPacketConn
-	bufPool    sync.Pool
-	ctx        context.Context
-	cancel     context.CancelFunc
-}
-
-type idleConn struct {
-	id   stack.TransportEndpointID
-	conn *udpPacketConn
-}
-
-func newUDPForwarder(mtu int, logger *nblog.Logger, flowLogger nftypes.FlowLogger) *udpForwarder {
-	ctx, cancel := context.WithCancel(context.Background())
-	f := &udpForwarder{
-		logger:     logger,
-		flowLogger: flowLogger,
-		conns:      make(map[stack.TransportEndpointID]*udpPacketConn),
-		ctx:        ctx,
-		cancel:     cancel,
-		bufPool: sync.Pool{
-			New: func() any {
-				b := make([]byte, mtu)
-				return &b
-			},
-		},
-	}
-	go f.cleanup()
-	return f
-}
-
-// Stop stops the UDP forwarder and all active connections
-func (f *udpForwarder) Stop() {
-	f.cancel()
-
-	f.Lock()
-	defer f.Unlock()
-
-	for id, conn := range f.conns {
-		conn.cancel()
-		if err := conn.conn.Close(); err != nil {
-			f.logger.Debug("forwarder: UDP conn close error for %v: %v", epID(id), err)
-		}
-		if err := conn.outConn.Close(); err != nil {
-			f.logger.Debug("forwarder: UDP outConn close error for %v: %v", epID(id), err)
-		}
-
-		conn.ep.Close()
-		delete(f.conns, id)
-	}
-}
-
-// cleanup periodically removes idle UDP connections
-func (f *udpForwarder) cleanup() {
-	ticker := time.NewTicker(time.Minute)
-	defer ticker.Stop()
-
-	for {
-		select {
-		case <-f.ctx.Done():
-			return
-		case <-ticker.C:
-			var idleConns []idleConn
-
-			f.RLock()
-			for id, conn := range f.conns {
-				if conn.getIdleDuration() > udpTimeout {
-					idleConns = append(idleConns, idleConn{id, conn})
-				}
-			}
-			f.RUnlock()
-
-			for _, idle := range idleConns {
-				idle.conn.cancel()
-				if err := idle.conn.conn.Close(); err != nil {
-					f.logger.Debug("forwarder: UDP conn close error for %v: %v", epID(idle.id), err)
-				}
-				if err := idle.conn.outConn.Close(); err != nil {
-					f.logger.Debug("forwarder: UDP outConn close error for %v: %v", epID(idle.id), err)
-				}
-
-				idle.conn.ep.Close()
-
-				f.Lock()
-				delete(f.conns, idle.id)
-				f.Unlock()
-
-				f.logger.Trace("forwarder: cleaned up idle UDP connection %v", epID(idle.id))
-			}
-		}
-	}
-}
-
-// handleUDP is called by the UDP forwarder for new packets
-func (f *Forwarder) handleUDP(r *udp.ForwarderRequest) {
-	if f.ctx.Err() != nil {
-		f.logger.Trace("forwarder: context done, dropping UDP packet")
-		return
-	}
-
-	id := r.ID()
-
-	f.udpForwarder.RLock()
-	_, exists := f.udpForwarder.conns[id]
-	f.udpForwarder.RUnlock()
-	if exists {
-		f.logger.Trace("forwarder: existing UDP connection for %v", epID(id))
-		return
-	}
-
-	flowID := uuid.New()
-
-	f.sendUDPEvent(nftypes.TypeStart, flowID, id, 0, 0, 0, 0)
-	var success bool
-	defer func() {
-		if !success {
-			f.sendUDPEvent(nftypes.TypeEnd, flowID, id, 0, 0, 0, 0)
-		}
-	}()
-
-	dstAddr := fmt.Sprintf("%s:%d", f.determineDialAddr(id.LocalAddress), id.LocalPort)
-	outConn, err := (&net.Dialer{}).DialContext(f.ctx, "udp", dstAddr)
-	if err != nil {
-		f.logger.Debug("forwarder: UDP dial error for %v: %v", epID(id), err)
-		// TODO: Send ICMP error message
-		return
-	}
-
-	// Create wait queue for blocking syscalls
-	wq := waiter.Queue{}
-	ep, epErr := r.CreateEndpoint(&wq)
-	if epErr != nil {
-		f.logger.Debug("forwarder: failed to create UDP endpoint: %v", epErr)
-		if err := outConn.Close(); err != nil {
-			f.logger.Debug("forwarder: UDP outConn close error for %v: %v", epID(id), err)
-		}
-		return
-	}
-
-	inConn := gonet.NewUDPConn(f.stack, &wq, ep)
-	connCtx, connCancel := context.WithCancel(f.ctx)
-
-	pConn := &udpPacketConn{
-		conn:    inConn,
-		outConn: outConn,
-		cancel:  connCancel,
-		ep:      ep,
-		flowID:  flowID,
-	}
-	pConn.updateLastSeen()
-
-	f.udpForwarder.Lock()
-	// Double-check no connection was created while we were setting up
-	if _, exists := f.udpForwarder.conns[id]; exists {
-		f.udpForwarder.Unlock()
-		pConn.cancel()
-		if err := inConn.Close(); err != nil {
-			f.logger.Debug("forwarder: UDP inConn close error for %v: %v", epID(id), err)
-		}
-		if err := outConn.Close(); err != nil {
-			f.logger.Debug("forwarder: UDP outConn close error for %v: %v", epID(id), err)
-		}
-		return
-	}
-	f.udpForwarder.conns[id] = pConn
-	f.udpForwarder.Unlock()
-
-	success = true
-	f.logger.Trace("forwarder: established UDP connection %v", epID(id))
-
-	go f.proxyUDP(connCtx, pConn, id, ep)
-}
-
-func (f *Forwarder) proxyUDP(ctx context.Context, pConn *udpPacketConn, id stack.TransportEndpointID, ep tcpip.Endpoint) {
-
-	ctx, cancel := context.WithCancel(f.ctx)
-	defer cancel()
-
-	go func() {
-		<-ctx.Done()
-
-		pConn.cancel()
-		if err := pConn.conn.Close(); err != nil && !isClosedError(err) {
-			f.logger.Debug("forwarder: UDP inConn close error for %v: %v", epID(id), err)
-		}
-		if err := pConn.outConn.Close(); err != nil && !isClosedError(err) {
-			f.logger.Debug("forwarder: UDP outConn close error for %v: %v", epID(id), err)
-		}
-
-		ep.Close()
-	}()
-
-	var wg sync.WaitGroup
-	wg.Add(2)
-
-	var txBytes, rxBytes int64
-	var outboundErr, inboundErr error
-
-	// outbound->inbound: copy from pConn.conn to pConn.outConn
-	go func() {
-		defer wg.Done()
-		txBytes, outboundErr = pConn.copy(ctx, pConn.conn, pConn.outConn, &f.udpForwarder.bufPool, "outbound->inbound")
-	}()
-
-	// inbound->outbound: copy from pConn.outConn to pConn.conn
-	go func() {
-		defer wg.Done()
-		rxBytes, inboundErr = pConn.copy(ctx, pConn.outConn, pConn.conn, &f.udpForwarder.bufPool, "inbound->outbound")
-	}()
-
-	wg.Wait()
-
-	if outboundErr != nil && !isClosedError(outboundErr) {
-		f.logger.Error("proxyUDP: copy error (outbound->inbound): %v", outboundErr)
-	}
-	if inboundErr != nil && !isClosedError(inboundErr) {
-		f.logger.Error("proxyUDP: copy error (inbound->outbound): %v", inboundErr)
-	}
-
-	var rxPackets, txPackets uint64
-	if udpStats, ok := ep.Stats().(*tcpip.TransportEndpointStats); ok {
-		// fields are flipped since this is the in conn
-		rxPackets = udpStats.PacketsSent.Value()
-		txPackets = udpStats.PacketsReceived.Value()
-	}
-
-	f.logger.Trace("forwarder: Removed UDP connection %s [in: %d Pkts/%d B, out: %d Pkts/%d B]", epID(id), rxPackets, rxBytes, txPackets, txBytes)
-
-	f.udpForwarder.Lock()
-	delete(f.udpForwarder.conns, id)
-	f.udpForwarder.Unlock()
-
-	f.sendUDPEvent(nftypes.TypeEnd, pConn.flowID, id, uint64(rxBytes), uint64(txBytes), rxPackets, txPackets)
-}
-
-// sendUDPEvent stores flow events for UDP connections
-func (f *Forwarder) sendUDPEvent(typ nftypes.Type, flowID uuid.UUID, id stack.TransportEndpointID, rxBytes, txBytes, rxPackets, txPackets uint64) {
-	srcIp := netip.AddrFrom4(id.RemoteAddress.As4())
-	dstIp := netip.AddrFrom4(id.LocalAddress.As4())
-
-	fields := nftypes.EventFields{
-		FlowID:    flowID,
-		Type:      typ,
-		Direction: nftypes.Ingress,
-		Protocol:  nftypes.UDP,
-		// TODO: handle ipv6
-		SourceIP:   srcIp,
-		DestIP:     dstIp,
-		SourcePort: id.RemotePort,
-		DestPort:   id.LocalPort,
-		RxBytes:    rxBytes,
-		TxBytes:    txBytes,
-		RxPackets:  rxPackets,
-		TxPackets:  txPackets,
-	}
-
-	if typ == nftypes.TypeStart {
-		if ruleId, ok := f.getRuleID(srcIp, dstIp, id.RemotePort, id.LocalPort); ok {
-			fields.RuleID = ruleId
-		}
-	} else {
-		f.DeleteRuleID(srcIp, dstIp, id.RemotePort, id.LocalPort)
-	}
-
-	f.flowLogger.StoreEvent(fields)
-}
-
-func (c *udpPacketConn) updateLastSeen() {
-	c.lastSeen.Store(time.Now().UnixNano())
-}
-
-func (c *udpPacketConn) getIdleDuration() time.Duration {
-	lastSeen := time.Unix(0, c.lastSeen.Load())
-	return time.Since(lastSeen)
-}
-
-// copy reads from src and writes to dst.
-func (c *udpPacketConn) copy(ctx context.Context, dst net.Conn, src net.Conn, bufPool *sync.Pool, direction string) (int64, error) {
-	bufp := bufPool.Get().(*[]byte)
-	defer bufPool.Put(bufp)
-	buffer := *bufp
-	var totalBytes int64 = 0
-
-	for {
-		if ctx.Err() != nil {
-			return totalBytes, ctx.Err()
-		}
-
-		if err := src.SetDeadline(time.Now().Add(udpTimeout)); err != nil {
-			return totalBytes, fmt.Errorf("set read deadline: %w", err)
-		}
-
-		n, err := src.Read(buffer)
-		if err != nil {
-			if isTimeout(err) {
-				continue
-			}
-			return totalBytes, fmt.Errorf("read from %s: %w", direction, err)
-		}
-
-		nWritten, err := dst.Write(buffer[:n])
-		if err != nil {
-			return totalBytes, fmt.Errorf("write to %s: %w", direction, err)
-		}
-
-		totalBytes += int64(nWritten)
-		c.updateLastSeen()
-	}
-}
-
-func isClosedError(err error) bool {
-	return errors.Is(err, net.ErrClosed) || errors.Is(err, context.Canceled)
-}
-
-func isTimeout(err error) bool {
-	var netErr net.Error
-	if errors.As(err, &netErr) {
-		return netErr.Timeout()
-	}
-	return false
-}

client/firewall/uspfilter/localip.go

@@ -1,160 +0,0 @@
-package uspfilter
-
-import (
-	"fmt"
-	"net"
-	"net/netip"
-	"sync"
-
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/firewall/uspfilter/common"
-)
-
-type localIPManager struct {
-	mu sync.RWMutex
-
-	// fixed-size high array for upper byte of a IPv4 address
-	ipv4Bitmap [256]*ipv4LowBitmap
-}
-
-// ipv4LowBitmap is a map for the low 16 bits of a IPv4 address
-type ipv4LowBitmap struct {
-	bitmap [8192]uint32
-}
-
-func newLocalIPManager() *localIPManager {
-	return &localIPManager{}
-}
-
-func (m *localIPManager) setBitmapBit(ip net.IP) {
-	ipv4 := ip.To4()
-	if ipv4 == nil {
-		return
-	}
-	high := uint16(ipv4[0])
-	low := (uint16(ipv4[1]) << 8) | (uint16(ipv4[2]) << 4) | uint16(ipv4[3])
-
-	index := low / 32
-	bit := low % 32
-
-	if m.ipv4Bitmap[high] == nil {
-		m.ipv4Bitmap[high] = &ipv4LowBitmap{}
-	}
-
-	m.ipv4Bitmap[high].bitmap[index] |= 1 << bit
-}
-
-func (m *localIPManager) setBitInBitmap(ip net.IP, bitmap *[256]*ipv4LowBitmap, ipv4Set map[string]struct{}, ipv4Addresses *[]string) {
-	if ipv4 := ip.To4(); ipv4 != nil {
-		high := uint16(ipv4[0])
-		low := (uint16(ipv4[1]) << 8) | (uint16(ipv4[2]) << 4) | uint16(ipv4[3])
-
-		if bitmap[high] == nil {
-			bitmap[high] = &ipv4LowBitmap{}
-		}
-
-		index := low / 32
-		bit := low % 32
-		bitmap[high].bitmap[index] |= 1 << bit
-
-		ipStr := ipv4.String()
-		if _, exists := ipv4Set[ipStr]; !exists {
-			ipv4Set[ipStr] = struct{}{}
-			*ipv4Addresses = append(*ipv4Addresses, ipStr)
-		}
-	}
-}
-
-func (m *localIPManager) checkBitmapBit(ip []byte) bool {
-	high := uint16(ip[0])
-	low := (uint16(ip[1]) << 8) | (uint16(ip[2]) << 4) | uint16(ip[3])
-
-	if m.ipv4Bitmap[high] == nil {
-		return false
-	}
-
-	index := low / 32
-	bit := low % 32
-	return (m.ipv4Bitmap[high].bitmap[index] & (1 << bit)) != 0
-}
-
-func (m *localIPManager) processIP(ip net.IP, bitmap *[256]*ipv4LowBitmap, ipv4Set map[string]struct{}, ipv4Addresses *[]string) error {
-	m.setBitInBitmap(ip, bitmap, ipv4Set, ipv4Addresses)
-	return nil
-}
-
-func (m *localIPManager) processInterface(iface net.Interface, bitmap *[256]*ipv4LowBitmap, ipv4Set map[string]struct{}, ipv4Addresses *[]string) {
-	addrs, err := iface.Addrs()
-	if err != nil {
-		log.Debugf("get addresses for interface %s failed: %v", iface.Name, err)
-		return
-	}
-
-	for _, addr := range addrs {
-		var ip net.IP
-		switch v := addr.(type) {
-		case *net.IPNet:
-			ip = v.IP
-		case *net.IPAddr:
-			ip = v.IP
-		default:
-			continue
-		}
-
-		if err := m.processIP(ip, bitmap, ipv4Set, ipv4Addresses); err != nil {
-			log.Debugf("process IP failed: %v", err)
-		}
-	}
-}
-
-func (m *localIPManager) UpdateLocalIPs(iface common.IFaceMapper) (err error) {
-	defer func() {
-		if r := recover(); r != nil {
-			err = fmt.Errorf("panic: %v", r)
-		}
-	}()
-
-	var newIPv4Bitmap [256]*ipv4LowBitmap
-	ipv4Set := make(map[string]struct{})
-	var ipv4Addresses []string
-
-	// 127.0.0.0/8
-	newIPv4Bitmap[127] = &ipv4LowBitmap{}
-	for i := 0; i < 8192; i++ {
-		newIPv4Bitmap[127].bitmap[i] = 0xFFFFFFFF
-	}
-
-	if iface != nil {
-		if err := m.processIP(iface.Address().IP, &newIPv4Bitmap, ipv4Set, &ipv4Addresses); err != nil {
-			return err
-		}
-	}
-
-	interfaces, err := net.Interfaces()
-	if err != nil {
-		log.Warnf("failed to get interfaces: %v", err)
-	} else {
-		for _, intf := range interfaces {
-			m.processInterface(intf, &newIPv4Bitmap, ipv4Set, &ipv4Addresses)
-		}
-	}
-
-	m.mu.Lock()
-	m.ipv4Bitmap = newIPv4Bitmap
-	m.mu.Unlock()
-
-	log.Debugf("Local IPv4 addresses: %v", ipv4Addresses)
-	return nil
-}
-
-func (m *localIPManager) IsLocalIP(ip netip.Addr) bool {
-	if !ip.Is4() {
-		return false
-	}
-
-	m.mu.RLock()
-	defer m.mu.RUnlock()
-
-	return m.checkBitmapBit(ip.AsSlice())
-}

client/firewall/uspfilter/localip_test.go

@@ -1,281 +0,0 @@
-package uspfilter
-
-import (
-	"net"
-	"net/netip"
-	"testing"
-
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
-)
-
-func TestLocalIPManager(t *testing.T) {
-	tests := []struct {
-		name      string
-		setupAddr wgaddr.Address
-		testIP    netip.Addr
-		expected  bool
-	}{
-		{
-			name: "Localhost range",
-			setupAddr: wgaddr.Address{
-				IP: net.ParseIP("192.168.1.1"),
-				Network: &net.IPNet{
-					IP:   net.ParseIP("192.168.1.0"),
-					Mask: net.CIDRMask(24, 32),
-				},
-			},
-			testIP:   netip.MustParseAddr("127.0.0.2"),
-			expected: true,
-		},
-		{
-			name: "Localhost standard address",
-			setupAddr: wgaddr.Address{
-				IP: net.ParseIP("192.168.1.1"),
-				Network: &net.IPNet{
-					IP:   net.ParseIP("192.168.1.0"),
-					Mask: net.CIDRMask(24, 32),
-				},
-			},
-			testIP:   netip.MustParseAddr("127.0.0.1"),
-			expected: true,
-		},
-		{
-			name: "Localhost range edge",
-			setupAddr: wgaddr.Address{
-				IP: net.ParseIP("192.168.1.1"),
-				Network: &net.IPNet{
-					IP:   net.ParseIP("192.168.1.0"),
-					Mask: net.CIDRMask(24, 32),
-				},
-			},
-			testIP:   netip.MustParseAddr("127.255.255.255"),
-			expected: true,
-		},
-		{
-			name: "Local IP matches",
-			setupAddr: wgaddr.Address{
-				IP: net.ParseIP("192.168.1.1"),
-				Network: &net.IPNet{
-					IP:   net.ParseIP("192.168.1.0"),
-					Mask: net.CIDRMask(24, 32),
-				},
-			},
-			testIP:   netip.MustParseAddr("192.168.1.1"),
-			expected: true,
-		},
-		{
-			name: "Local IP doesn't match",
-			setupAddr: wgaddr.Address{
-				IP: net.ParseIP("192.168.1.1"),
-				Network: &net.IPNet{
-					IP:   net.ParseIP("192.168.1.0"),
-					Mask: net.CIDRMask(24, 32),
-				},
-			},
-			testIP:   netip.MustParseAddr("192.168.1.2"),
-			expected: false,
-		},
-		{
-			name: "Local IP doesn't match - addresses 32 apart",
-			setupAddr: wgaddr.Address{
-				IP: net.ParseIP("192.168.1.1"),
-				Network: &net.IPNet{
-					IP:   net.ParseIP("192.168.1.0"),
-					Mask: net.CIDRMask(24, 32),
-				},
-			},
-			testIP:   netip.MustParseAddr("192.168.1.33"),
-			expected: false,
-		},
-		{
-			name: "IPv6 address",
-			setupAddr: wgaddr.Address{
-				IP: net.ParseIP("fe80::1"),
-				Network: &net.IPNet{
-					IP:   net.ParseIP("fe80::"),
-					Mask: net.CIDRMask(64, 128),
-				},
-			},
-			testIP:   netip.MustParseAddr("fe80::1"),
-			expected: false,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			manager := newLocalIPManager()
-
-			mock := &IFaceMock{
-				AddressFunc: func() wgaddr.Address {
-					return tt.setupAddr
-				},
-			}
-
-			err := manager.UpdateLocalIPs(mock)
-			require.NoError(t, err)
-
-			result := manager.IsLocalIP(tt.testIP)
-			require.Equal(t, tt.expected, result)
-		})
-	}
-}
-
-func TestLocalIPManager_AllInterfaces(t *testing.T) {
-	manager := newLocalIPManager()
-	mock := &IFaceMock{}
-
-	// Get actual local interfaces
-	interfaces, err := net.Interfaces()
-	require.NoError(t, err)
-
-	var tests []struct {
-		ip       string
-		expected bool
-	}
-
-	// Add all local interface IPs to test cases
-	for _, iface := range interfaces {
-		addrs, err := iface.Addrs()
-		require.NoError(t, err)
-
-		for _, addr := range addrs {
-			var ip net.IP
-			switch v := addr.(type) {
-			case *net.IPNet:
-				ip = v.IP
-			case *net.IPAddr:
-				ip = v.IP
-			default:
-				continue
-			}
-
-			if ip4 := ip.To4(); ip4 != nil {
-				tests = append(tests, struct {
-					ip       string
-					expected bool
-				}{
-					ip:       ip4.String(),
-					expected: true,
-				})
-			}
-		}
-	}
-
-	// Add some external IPs as negative test cases
-	externalIPs := []string{
-		"8.8.8.8",
-		"1.1.1.1",
-		"208.67.222.222",
-	}
-	for _, ip := range externalIPs {
-		tests = append(tests, struct {
-			ip       string
-			expected bool
-		}{
-			ip:       ip,
-			expected: false,
-		})
-	}
-
-	require.NotEmpty(t, tests, "No test cases generated")
-
-	err = manager.UpdateLocalIPs(mock)
-	require.NoError(t, err)
-
-	t.Logf("Testing %d IPs", len(tests))
-	for _, tt := range tests {
-		t.Run(tt.ip, func(t *testing.T) {
-			result := manager.IsLocalIP(netip.MustParseAddr(tt.ip))
-			require.Equal(t, tt.expected, result, "IP: %s", tt.ip)
-		})
-	}
-}
-
-// MapImplementation is a version using map[string]struct{}
-type MapImplementation struct {
-	localIPs map[string]struct{}
-}
-
-func BenchmarkIPChecks(b *testing.B) {
-	interfaces := make([]net.IP, 16)
-	for i := range interfaces {
-		interfaces[i] = net.IPv4(10, 0, byte(i>>8), byte(i))
-	}
-
-	// Setup bitmap
-	bitmapManager := newLocalIPManager()
-	for _, ip := range interfaces[:8] { // Add half of IPs
-		bitmapManager.setBitmapBit(ip)
-	}
-
-	// Setup map version
-	mapManager := &MapImplementation{
-		localIPs: make(map[string]struct{}),
-	}
-	for _, ip := range interfaces[:8] {
-		mapManager.localIPs[ip.String()] = struct{}{}
-	}
-
-	b.Run("Bitmap_Hit", func(b *testing.B) {
-		ip := interfaces[4]
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			bitmapManager.checkBitmapBit(ip)
-		}
-	})
-
-	b.Run("Bitmap_Miss", func(b *testing.B) {
-		ip := interfaces[12]
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			bitmapManager.checkBitmapBit(ip)
-		}
-	})
-
-	b.Run("Map_Hit", func(b *testing.B) {
-		ip := interfaces[4]
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			// nolint:gosimple
-			_, _ = mapManager.localIPs[ip.String()]
-		}
-	})
-
-	b.Run("Map_Miss", func(b *testing.B) {
-		ip := interfaces[12]
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			// nolint:gosimple
-			_, _ = mapManager.localIPs[ip.String()]
-		}
-	})
-}
-
-func BenchmarkWGPosition(b *testing.B) {
-	wgIP := net.ParseIP("10.10.0.1")
-
-	// Create two managers - one checks WG IP first, other checks it last
-	b.Run("WG_First", func(b *testing.B) {
-		bm := newLocalIPManager()
-		bm.setBitmapBit(wgIP)
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			bm.checkBitmapBit(wgIP)
-		}
-	})
-
-	b.Run("WG_Last", func(b *testing.B) {
-		bm := newLocalIPManager()
-		// Fill with other IPs first
-		for i := 0; i < 15; i++ {
-			bm.setBitmapBit(net.IPv4(10, 0, byte(i>>8), byte(i)))
-		}
-		bm.setBitmapBit(wgIP) // Add WG IP last
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			bm.checkBitmapBit(wgIP)
-		}
-	})
-}

client/firewall/uspfilter/log/log.go

@@ -1,252 +0,0 @@
-// Package log provides a high-performance, non-blocking logger for userspace networking
-package log
-
-import (
-	"context"
-	"fmt"
-	"io"
-	"sync"
-	"sync/atomic"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-)
-
-const (
-	maxBatchSize         = 1024 * 16
-	maxMessageSize       = 1024 * 2
-	defaultFlushInterval = 2 * time.Second
-	logChannelSize       = 1000
-)
-
-type Level uint32
-
-const (
-	LevelPanic Level = iota
-	LevelFatal
-	LevelError
-	LevelWarn
-	LevelInfo
-	LevelDebug
-	LevelTrace
-)
-
-var levelStrings = map[Level]string{
-	LevelPanic: "PANC",
-	LevelFatal: "FATL",
-	LevelError: "ERRO",
-	LevelWarn:  "WARN",
-	LevelInfo:  "INFO",
-	LevelDebug: "DEBG",
-	LevelTrace: "TRAC",
-}
-
-type logMessage struct {
-	level  Level
-	format string
-	args   []any
-}
-
-// Logger is a high-performance, non-blocking logger
-type Logger struct {
-	output     io.Writer
-	level      atomic.Uint32
-	msgChannel chan logMessage
-	shutdown   chan struct{}
-	closeOnce  sync.Once
-	wg         sync.WaitGroup
-	bufPool    sync.Pool
-}
-
-// NewFromLogrus creates a new Logger that writes to the same output as the given logrus logger
-func NewFromLogrus(logrusLogger *log.Logger) *Logger {
-	l := &Logger{
-		output:     logrusLogger.Out,
-		msgChannel: make(chan logMessage, logChannelSize),
-		shutdown:   make(chan struct{}),
-		bufPool: sync.Pool{
-			New: func() any {
-				b := make([]byte, 0, maxMessageSize)
-				return &b
-			},
-		},
-	}
-
-	logrusLevel := logrusLogger.GetLevel()
-	l.level.Store(uint32(logrusLevel))
-	level := levelStrings[Level(logrusLevel)]
-	log.Debugf("New uspfilter logger created with loglevel %v", level)
-
-	l.wg.Add(1)
-	go l.worker()
-
-	return l
-}
-
-// SetLevel sets the logging level
-func (l *Logger) SetLevel(level Level) {
-	l.level.Store(uint32(level))
-	log.Debugf("Set uspfilter logger loglevel to %v", levelStrings[level])
-}
-
-func (l *Logger) log(level Level, format string, args ...any) {
-	select {
-	case l.msgChannel <- logMessage{level: level, format: format, args: args}:
-	default:
-	}
-}
-
-// Error logs a message at error level
-func (l *Logger) Error(format string, args ...any) {
-	if l.level.Load() >= uint32(LevelError) {
-		l.log(LevelError, format, args...)
-	}
-}
-
-// Warn logs a message at warning level
-func (l *Logger) Warn(format string, args ...any) {
-	if l.level.Load() >= uint32(LevelWarn) {
-		l.log(LevelWarn, format, args...)
-	}
-}
-
-// Info logs a message at info level
-func (l *Logger) Info(format string, args ...any) {
-	if l.level.Load() >= uint32(LevelInfo) {
-		l.log(LevelInfo, format, args...)
-	}
-}
-
-// Debug logs a message at debug level
-func (l *Logger) Debug(format string, args ...any) {
-	if l.level.Load() >= uint32(LevelDebug) {
-		l.log(LevelDebug, format, args...)
-	}
-}
-
-// Trace logs a message at trace level
-func (l *Logger) Trace(format string, args ...any) {
-	if l.level.Load() >= uint32(LevelTrace) {
-		l.log(LevelTrace, format, args...)
-	}
-}
-
-func (l *Logger) formatMessage(buf *[]byte, level Level, format string, args ...any) {
-	*buf = (*buf)[:0]
-	*buf = time.Now().AppendFormat(*buf, "2006-01-02T15:04:05-07:00")
-	*buf = append(*buf, ' ')
-	*buf = append(*buf, levelStrings[level]...)
-	*buf = append(*buf, ' ')
-
-	var msg string
-	if len(args) > 0 {
-		msg = fmt.Sprintf(format, args...)
-	} else {
-		msg = format
-	}
-	*buf = append(*buf, msg...)
-	*buf = append(*buf, '\n')
-
-	if len(*buf) > maxMessageSize {
-		*buf = (*buf)[:maxMessageSize]
-	}
-}
-
-// processMessage handles a single log message and adds it to the buffer
-func (l *Logger) processMessage(msg logMessage, buffer *[]byte) {
-	bufp := l.bufPool.Get().(*[]byte)
-	defer l.bufPool.Put(bufp)
-
-	l.formatMessage(bufp, msg.level, msg.format, msg.args...)
-
-	if len(*buffer)+len(*bufp) > maxBatchSize {
-		_, _ = l.output.Write(*buffer)
-		*buffer = (*buffer)[:0]
-	}
-	*buffer = append(*buffer, *bufp...)
-}
-
-// flushBuffer writes the accumulated buffer to output
-func (l *Logger) flushBuffer(buffer *[]byte) {
-	if len(*buffer) > 0 {
-		_, _ = l.output.Write(*buffer)
-		*buffer = (*buffer)[:0]
-	}
-}
-
-// processBatch processes as many messages as possible without blocking
-func (l *Logger) processBatch(buffer *[]byte) {
-	for len(*buffer) < maxBatchSize {
-		select {
-		case msg := <-l.msgChannel:
-			l.processMessage(msg, buffer)
-		default:
-			return
-		}
-	}
-}
-
-// handleShutdown manages the graceful shutdown sequence with timeout
-func (l *Logger) handleShutdown(buffer *[]byte) {
-	ctx, cancel := context.WithTimeout(context.Background(), 500*time.Millisecond)
-	defer cancel()
-
-	for {
-		select {
-		case msg := <-l.msgChannel:
-			l.processMessage(msg, buffer)
-		case <-ctx.Done():
-			l.flushBuffer(buffer)
-			return
-		}
-
-		if len(l.msgChannel) == 0 {
-			l.flushBuffer(buffer)
-			return
-		}
-	}
-}
-
-// worker is the main goroutine that processes log messages
-func (l *Logger) worker() {
-	defer l.wg.Done()
-
-	ticker := time.NewTicker(defaultFlushInterval)
-	defer ticker.Stop()
-
-	buffer := make([]byte, 0, maxBatchSize)
-
-	for {
-		select {
-		case <-l.shutdown:
-			l.handleShutdown(&buffer)
-			return
-		case <-ticker.C:
-			l.flushBuffer(&buffer)
-		case msg := <-l.msgChannel:
-			l.processMessage(msg, &buffer)
-			l.processBatch(&buffer)
-		}
-	}
-}
-
-// Stop gracefully shuts down the logger
-func (l *Logger) Stop(ctx context.Context) error {
-	done := make(chan struct{})
-
-	l.closeOnce.Do(func() {
-		close(l.shutdown)
-	})
-
-	go func() {
-		l.wg.Wait()
-		close(done)
-	}()
-
-	select {
-	case <-ctx.Done():
-		return ctx.Err()
-	case <-done:
-		return nil
-	}
-}

client/firewall/uspfilter/log/log_test.go

@@ -1,121 +0,0 @@
-package log_test
-
-import (
-	"context"
-	"testing"
-	"time"
-
-	"github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/firewall/uspfilter/log"
-)
-
-type discard struct{}
-
-func (d *discard) Write(p []byte) (n int, err error) {
-	return len(p), nil
-}
-
-func BenchmarkLogger(b *testing.B) {
-	simpleMessage := "Connection established"
-
-	conntrackMessage := "TCP connection %s:%d -> %s:%d state changed to %d"
-	srcIP := "192.168.1.1"
-	srcPort := uint16(12345)
-	dstIP := "10.0.0.1"
-	dstPort := uint16(443)
-	state := 4 // TCPStateEstablished
-
-	complexMessage := "Packet inspection result: protocol=%s, direction=%s, flags=0x%x, sequence=%d, acknowledged=%d, payload_size=%d, fragmented=%v, connection_id=%s"
-	protocol := "TCP"
-	direction := "outbound"
-	flags := uint16(0x18) // ACK + PSH
-	sequence := uint32(123456789)
-	acknowledged := uint32(987654321)
-	payloadSize := 1460
-	fragmented := false
-	connID := "f7a12b3e-c456-7890-d123-456789abcdef"
-
-	b.Run("SimpleMessage", func(b *testing.B) {
-		logger := createTestLogger()
-		defer cleanupLogger(logger)
-
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			logger.Trace(simpleMessage)
-		}
-	})
-
-	b.Run("ConntrackMessage", func(b *testing.B) {
-		logger := createTestLogger()
-		defer cleanupLogger(logger)
-
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			logger.Trace(conntrackMessage, srcIP, srcPort, dstIP, dstPort, state)
-		}
-	})
-
-	b.Run("ComplexMessage", func(b *testing.B) {
-		logger := createTestLogger()
-		defer cleanupLogger(logger)
-
-		b.ResetTimer()
-		for i := 0; i < b.N; i++ {
-			logger.Trace(complexMessage, protocol, direction, flags, sequence, acknowledged, payloadSize, fragmented, connID)
-		}
-	})
-}
-
-// BenchmarkLoggerParallel tests the logger under concurrent load
-func BenchmarkLoggerParallel(b *testing.B) {
-	logger := createTestLogger()
-	defer cleanupLogger(logger)
-
-	conntrackMessage := "TCP connection %s:%d -> %s:%d state changed to %d"
-	srcIP := "192.168.1.1"
-	srcPort := uint16(12345)
-	dstIP := "10.0.0.1"
-	dstPort := uint16(443)
-	state := 4
-
-	b.ResetTimer()
-	b.RunParallel(func(pb *testing.PB) {
-		for pb.Next() {
-			logger.Trace(conntrackMessage, srcIP, srcPort, dstIP, dstPort, state)
-		}
-	})
-}
-
-// BenchmarkLoggerBurst tests how the logger handles bursts of messages
-func BenchmarkLoggerBurst(b *testing.B) {
-	logger := createTestLogger()
-	defer cleanupLogger(logger)
-
-	conntrackMessage := "TCP connection %s:%d -> %s:%d state changed to %d"
-	srcIP := "192.168.1.1"
-	srcPort := uint16(12345)
-	dstIP := "10.0.0.1"
-	dstPort := uint16(443)
-	state := 4
-
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		for j := 0; j < 100; j++ {
-			logger.Trace(conntrackMessage, srcIP, srcPort, dstIP, dstPort, state)
-		}
-	}
-}
-
-func createTestLogger() *log.Logger {
-	logrusLogger := logrus.New()
-	logrusLogger.SetOutput(&discard{})
-	logrusLogger.SetLevel(logrus.TraceLevel)
-	return log.NewFromLogrus(logrusLogger)
-}
-
-func cleanupLogger(logger *log.Logger) {
-	ctx, cancel := context.WithTimeout(context.Background(), 100*time.Millisecond)
-	defer cancel()
-	_ = logger.Stop(ctx)
-}