netrelay: wait for endpoint close before Relay returns

The closer goroutine ran asynchronously on ctx cancellation, so the
"fully closed when Relay returns" guarantee was racy: callers could see
the function return before a and b were actually Close()d. Wait on a
done channel in the defer so the guarantee holds.

.github/workflows/proto-version-check.yml

@@ -0,0 +1,62 @@
+name: Proto Version Check
+
+on:
+  pull_request:
+    paths:
+      - "**/*.pb.go"
+
+jobs:
+  check-proto-versions:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check for proto tool version changes
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const files = await github.paginate(github.rest.pulls.listFiles, {
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: context.issue.number,
+              per_page: 100,
+            });
+
+            const pbFiles = files.filter(f => f.filename.endsWith('.pb.go'));
+            const missingPatch = pbFiles.filter(f => !f.patch).map(f => f.filename);
+            if (missingPatch.length > 0) {
+              core.setFailed(
+                `Cannot inspect patch data for:\n` +
+                missingPatch.map(f => `- ${f}`).join('\n') +
+                `\nThis can happen with very large PRs. Verify proto versions manually.`
+              );
+              return;
+            }
+            const versionPattern = /^[+-]\s*\/\/\s+protoc(?:-gen-go)?\s+v[\d.]+/;
+            const violations = [];
+
+            for (const file of pbFiles) {
+              const changed = file.patch
+                .split('\n')
+                .filter(line => versionPattern.test(line));
+              if (changed.length > 0) {
+                violations.push({
+                  file: file.filename,
+                  lines: changed,
+                });
+              }
+            }
+
+            if (violations.length > 0) {
+              const details = violations.map(v =>
+                `${v.file}:\n${v.lines.map(l => '  ' + l).join('\n')}`
+              ).join('\n\n');
+
+              core.setFailed(
+                `Proto version strings changed in generated files.\n` +
+                `This usually means the wrong protoc or protoc-gen-go version was used.\n` +
+                `Regenerate with the matching tool versions.\n\n` +
+                details
+              );
+              return;
+            }
+
+            console.log('No proto version string changes detected');

.github/workflows/release.yml

@@ -9,7 +9,7 @@ on:
   pull_request:
 
 env:
-  SIGN_PIPE_VER: "v0.1.1"
+  SIGN_PIPE_VER: "v0.1.2"
   GORELEASER_VER: "v2.14.3"
   PRODUCT_NAME: "NetBird"
   COPYRIGHT: "NetBird GmbH"

.gitignore

@@ -33,5 +33,3 @@ infrastructure_files/setup-*.env
 vendor/
 /netbird
 client/netbird-electron/
-management/server/types/testdata/comparison/
-management/server/types/testdata/*.json

Makefile

@@ -5,7 +5,7 @@ GOLANGCI_LINT := $(shell pwd)/bin/golangci-lint
 $(GOLANGCI_LINT):
 	@echo "Installing golangci-lint..."
 	@mkdir -p ./bin
-	@GOBIN=$(shell pwd)/bin go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
+	@GOBIN=$(shell pwd)/bin go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest
 
 # Lint only changed files (fast, for pre-push)
 lint: $(GOLANGCI_LINT)

client/android/client.go

@@ -8,6 +8,7 @@ import (
 	"os"
 	"slices"
 	"sync"
+	"time"
 
 	"golang.org/x/exp/maps"
 
@@ -15,6 +16,7 @@ import (
 
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/internal/debug"
 	"github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/listener"
 	"github.com/netbirdio/netbird/client/internal/peer"
@@ -26,6 +28,7 @@ import (
 	"github.com/netbirdio/netbird/formatter"
 	"github.com/netbirdio/netbird/route"
 	"github.com/netbirdio/netbird/shared/management/domain"
+	types "github.com/netbirdio/netbird/upload-server/types"
 )
 
 // ConnectionListener export internal Listener for mobile
@@ -68,7 +71,30 @@ type Client struct {
 	uiVersion             string
 	networkChangeListener listener.NetworkChangeListener
 
+	stateMu       sync.RWMutex
 	connectClient *internal.ConnectClient
+	config        *profilemanager.Config
+	cacheDir      string
+}
+
+func (c *Client) setState(cfg *profilemanager.Config, cacheDir string, cc *internal.ConnectClient) {
+	c.stateMu.Lock()
+	defer c.stateMu.Unlock()
+	c.config = cfg
+	c.cacheDir = cacheDir
+	c.connectClient = cc
+}
+
+func (c *Client) stateSnapshot() (*profilemanager.Config, string, *internal.ConnectClient) {
+	c.stateMu.RLock()
+	defer c.stateMu.RUnlock()
+	return c.config, c.cacheDir, c.connectClient
+}
+
+func (c *Client) getConnectClient() *internal.ConnectClient {
+	c.stateMu.RLock()
+	defer c.stateMu.RUnlock()
+	return c.connectClient
 }
 
 // NewClient instantiate a new Client
@@ -93,6 +119,7 @@ func (c *Client) Run(platformFiles PlatformFiles, urlOpener URLOpener, isAndroid
 
 	cfgFile := platformFiles.ConfigurationFilePath()
 	stateFile := platformFiles.StateFilePath()
+	cacheDir := platformFiles.CacheDir()
 
 	log.Infof("Starting client with config: %s, state: %s", cfgFile, stateFile)
 
@@ -124,8 +151,9 @@ func (c *Client) Run(platformFiles PlatformFiles, urlOpener URLOpener, isAndroid
 
 	// todo do not throw error in case of cancelled context
 	ctx = internal.CtxInitState(ctx)
-	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder)
-	return c.connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, slices.Clone(dns.items), dnsReadyListener, stateFile)
+	connectClient := internal.NewConnectClient(ctx, cfg, c.recorder)
+	c.setState(cfg, cacheDir, connectClient)
+	return connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, slices.Clone(dns.items), dnsReadyListener, stateFile, cacheDir)
 }
 
 // RunWithoutLogin we apply this type of run function when the backed has been started without UI (i.e. after reboot).
@@ -135,6 +163,7 @@ func (c *Client) RunWithoutLogin(platformFiles PlatformFiles, dns *DNSList, dnsR
 
 	cfgFile := platformFiles.ConfigurationFilePath()
 	stateFile := platformFiles.StateFilePath()
+	cacheDir := platformFiles.CacheDir()
 
 	log.Infof("Starting client without login with config: %s, state: %s", cfgFile, stateFile)
 
@@ -157,8 +186,9 @@ func (c *Client) RunWithoutLogin(platformFiles PlatformFiles, dns *DNSList, dnsR
 
 	// todo do not throw error in case of cancelled context
 	ctx = internal.CtxInitState(ctx)
-	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder)
-	return c.connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, slices.Clone(dns.items), dnsReadyListener, stateFile)
+	connectClient := internal.NewConnectClient(ctx, cfg, c.recorder)
+	c.setState(cfg, cacheDir, connectClient)
+	return connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, slices.Clone(dns.items), dnsReadyListener, stateFile, cacheDir)
 }
 
 // Stop the internal client and free the resources
@@ -173,11 +203,12 @@ func (c *Client) Stop() {
 }
 
 func (c *Client) RenewTun(fd int) error {
-	if c.connectClient == nil {
+	cc := c.getConnectClient()
+	if cc == nil {
 		return fmt.Errorf("engine not running")
 	}
 
-	e := c.connectClient.Engine()
+	e := cc.Engine()
 	if e == nil {
 		return fmt.Errorf("engine not initialized")
 	}
@@ -185,6 +216,73 @@ func (c *Client) RenewTun(fd int) error {
 	return e.RenewTun(fd)
 }
 
+// DebugBundle generates a debug bundle, uploads it, and returns the upload key.
+// It works both with and without a running engine.
+func (c *Client) DebugBundle(platformFiles PlatformFiles, anonymize bool) (string, error) {
+	cfg, cacheDir, cc := c.stateSnapshot()
+
+	// If the engine hasn't been started, load config from disk
+	if cfg == nil {
+		var err error
+		cfg, err = profilemanager.UpdateOrCreateConfig(profilemanager.ConfigInput{
+			ConfigPath: platformFiles.ConfigurationFilePath(),
+		})
+		if err != nil {
+			return "", fmt.Errorf("load config: %w", err)
+		}
+		cacheDir = platformFiles.CacheDir()
+	}
+
+	deps := debug.GeneratorDependencies{
+		InternalConfig: cfg,
+		StatusRecorder: c.recorder,
+		TempDir:        cacheDir,
+	}
+
+	if cc != nil {
+		resp, err := cc.GetLatestSyncResponse()
+		if err != nil {
+			log.Warnf("get latest sync response: %v", err)
+		}
+		deps.SyncResponse = resp
+
+		if e := cc.Engine(); e != nil {
+			if cm := e.GetClientMetrics(); cm != nil {
+				deps.ClientMetrics = cm
+			}
+		}
+	}
+
+	bundleGenerator := debug.NewBundleGenerator(
+		deps,
+		debug.BundleConfig{
+			Anonymize:         anonymize,
+			IncludeSystemInfo: true,
+		},
+	)
+
+	path, err := bundleGenerator.Generate()
+	if err != nil {
+		return "", fmt.Errorf("generate debug bundle: %w", err)
+	}
+	defer func() {
+		if err := os.Remove(path); err != nil {
+			log.Errorf("failed to remove debug bundle file: %v", err)
+		}
+	}()
+
+	uploadCtx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
+	defer cancel()
+
+	key, err := debug.UploadDebugBundle(uploadCtx, types.DefaultBundleURL, cfg.ManagementURL.String(), path)
+	if err != nil {
+		return "", fmt.Errorf("upload debug bundle: %w", err)
+	}
+
+	log.Infof("debug bundle uploaded with key %s", key)
+	return key, nil
+}
+
 // SetTraceLogLevel configure the logger to trace level
 func (c *Client) SetTraceLogLevel() {
 	log.SetLevel(log.TraceLevel)
@@ -214,12 +312,13 @@ func (c *Client) PeersList() *PeerInfoArray {
 }
 
 func (c *Client) Networks() *NetworkArray {
-	if c.connectClient == nil {
+	cc := c.getConnectClient()
+	if cc == nil {
 		log.Error("not connected")
 		return nil
 	}
 
-	engine := c.connectClient.Engine()
+	engine := cc.Engine()
 	if engine == nil {
 		log.Error("could not get engine")
 		return nil
@@ -300,7 +399,7 @@ func (c *Client) toggleRoute(command routeCommand) error {
 }
 
 func (c *Client) getRouteManager() (routemanager.Manager, error) {
-	client := c.connectClient
+	client := c.getConnectClient()
 	if client == nil {
 		return nil, fmt.Errorf("not connected")
 	}

client/android/platform_files.go

@@ -7,4 +7,5 @@ package android
 type PlatformFiles interface {
 	ConfigurationFilePath() string
 	StateFilePath() string
+	CacheDir() string
 }

client/cmd/root.go

@@ -75,6 +75,7 @@ var (
 	mtu                     uint16
 	profilesDisabled        bool
 	updateSettingsDisabled  bool
+	networksDisabled        bool
 
 	rootCmd = &cobra.Command{
 		Use:          "netbird",

client/cmd/service.go

@@ -44,10 +44,13 @@ func init() {
 	serviceCmd.AddCommand(runCmd, startCmd, stopCmd, restartCmd, svcStatusCmd, installCmd, uninstallCmd, reconfigureCmd, resetParamsCmd)
 	serviceCmd.PersistentFlags().BoolVar(&profilesDisabled, "disable-profiles", false, "Disables profiles feature. If enabled, the client will not be able to change or edit any profile. To persist this setting, use: netbird service install --disable-profiles")
 	serviceCmd.PersistentFlags().BoolVar(&updateSettingsDisabled, "disable-update-settings", false, "Disables update settings feature. If enabled, the client will not be able to change or edit any settings. To persist this setting, use: netbird service install --disable-update-settings")
+	serviceCmd.PersistentFlags().BoolVar(&networksDisabled, "disable-networks", false, "Disables network selection. If enabled, the client will not allow listing, selecting, or deselecting networks. To persist, use: netbird service install --disable-networks")
 
 	rootCmd.PersistentFlags().StringVarP(&serviceName, "service", "s", defaultServiceName, "Netbird system service name")
 	serviceEnvDesc := `Sets extra environment variables for the service. ` +
 		`You can specify a comma-separated list of KEY=VALUE pairs. ` +
+		`New keys are merged with previously saved env vars; existing keys are overwritten. ` +
+		`Use --service-env "" to clear all saved env vars. ` +
 		`E.g. --service-env NB_LOG_LEVEL=debug,CUSTOM_VAR=value`
 
 	installCmd.Flags().StringSliceVar(&serviceEnvVars, "service-env", nil, serviceEnvDesc)

client/cmd/service_controller.go

@@ -61,7 +61,7 @@ func (p *program) Start(svc service.Service) error {
 			}
 		}
 
-		serverInstance := server.New(p.ctx, util.FindFirstLogPath(logFiles), configPath, profilesDisabled, updateSettingsDisabled)
+		serverInstance := server.New(p.ctx, util.FindFirstLogPath(logFiles), configPath, profilesDisabled, updateSettingsDisabled, networksDisabled)
 		if err := serverInstance.Start(); err != nil {
 			log.Fatalf("failed to start daemon: %v", err)
 		}

client/cmd/service_installer.go

@@ -59,6 +59,10 @@ func buildServiceArguments() []string {
 		args = append(args, "--disable-update-settings")
 	}
 
+	if networksDisabled {
+		args = append(args, "--disable-networks")
+	}
+
 	return args
 }
 

client/cmd/service_params.go

@@ -28,6 +28,7 @@ type serviceParams struct {
 	LogFiles              []string          `json:"log_files,omitempty"`
 	DisableProfiles       bool              `json:"disable_profiles,omitempty"`
 	DisableUpdateSettings bool              `json:"disable_update_settings,omitempty"`
+	DisableNetworks       bool              `json:"disable_networks,omitempty"`
 	ServiceEnvVars        map[string]string `json:"service_env_vars,omitempty"`
 }
 
@@ -78,11 +79,12 @@ func currentServiceParams() *serviceParams {
 		LogFiles:              logFiles,
 		DisableProfiles:       profilesDisabled,
 		DisableUpdateSettings: updateSettingsDisabled,
+		DisableNetworks:       networksDisabled,
 	}
 
 	if len(serviceEnvVars) > 0 {
 		parsed, err := parseServiceEnvVars(serviceEnvVars)
-		if err == nil && len(parsed) > 0 {
+		if err == nil {
 			params.ServiceEnvVars = parsed
 		}
 	}
@@ -142,31 +144,46 @@ func applyServiceParams(cmd *cobra.Command, params *serviceParams) {
 		updateSettingsDisabled = params.DisableUpdateSettings
 	}
 
+	if !serviceCmd.PersistentFlags().Changed("disable-networks") {
+		networksDisabled = params.DisableNetworks
+	}
+
 	applyServiceEnvParams(cmd, params)
 }
 
 // applyServiceEnvParams merges saved service environment variables.
-// If --service-env was explicitly set, explicit values win on key conflict
-// but saved keys not in the explicit set are carried over.
+// If --service-env was explicitly set with values, explicit values win on key
+// conflict but saved keys not in the explicit set are carried over.
+// If --service-env was explicitly set to empty, all saved env vars are cleared.
 // If --service-env was not set, saved env vars are used entirely.
 func applyServiceEnvParams(cmd *cobra.Command, params *serviceParams) {
-	if len(params.ServiceEnvVars) == 0 {
-		return
-	}
-
 	if !cmd.Flags().Changed("service-env") {
-		// No explicit env vars: rebuild serviceEnvVars from saved params.
-		serviceEnvVars = envMapToSlice(params.ServiceEnvVars)
+		if len(params.ServiceEnvVars) > 0 {
+			// No explicit env vars: rebuild serviceEnvVars from saved params.
+			serviceEnvVars = envMapToSlice(params.ServiceEnvVars)
+		}
 		return
 	}
 
-	// Explicit env vars were provided: merge saved values underneath.
+	// Flag was explicitly set: parse what the user provided.
 	explicit, err := parseServiceEnvVars(serviceEnvVars)
 	if err != nil {
 		cmd.PrintErrf("Warning: parse explicit service env vars for merge: %v\n", err)
 		return
 	}
 
+	// If the user passed an empty value (e.g. --service-env ""), clear all
+	// saved env vars rather than merging.
+	if len(explicit) == 0 {
+		serviceEnvVars = nil
+		return
+	}
+
+	if len(params.ServiceEnvVars) == 0 {
+		return
+	}
+
+	// Merge saved values underneath explicit ones.
 	merged := make(map[string]string, len(params.ServiceEnvVars)+len(explicit))
 	maps.Copy(merged, params.ServiceEnvVars)
 	maps.Copy(merged, explicit) // explicit wins on conflict

client/cmd/service_params_test.go

@@ -327,6 +327,41 @@ func TestApplyServiceEnvParams_NotChanged(t *testing.T) {
 	assert.Equal(t, map[string]string{"FROM_SAVED": "val"}, result)
 }
 
+func TestApplyServiceEnvParams_ExplicitEmptyClears(t *testing.T) {
+	origServiceEnvVars := serviceEnvVars
+	t.Cleanup(func() { serviceEnvVars = origServiceEnvVars })
+
+	// Simulate --service-env "" which produces [""] in the slice.
+	serviceEnvVars = []string{""}
+
+	cmd := &cobra.Command{}
+	cmd.Flags().StringSlice("service-env", nil, "")
+	require.NoError(t, cmd.Flags().Set("service-env", ""))
+
+	saved := &serviceParams{
+		ServiceEnvVars: map[string]string{"OLD_VAR": "should_be_cleared"},
+	}
+
+	applyServiceEnvParams(cmd, saved)
+
+	assert.Nil(t, serviceEnvVars, "explicit empty --service-env should clear all saved env vars")
+}
+
+func TestCurrentServiceParams_EmptyEnvVarsAfterParse(t *testing.T) {
+	origServiceEnvVars := serviceEnvVars
+	t.Cleanup(func() { serviceEnvVars = origServiceEnvVars })
+
+	// Simulate --service-env "" which produces [""] in the slice.
+	serviceEnvVars = []string{""}
+
+	params := currentServiceParams()
+
+	// After parsing, the empty string is skipped, resulting in an empty map.
+	// The map should still be set (not nil) so it overwrites saved values.
+	assert.NotNil(t, params.ServiceEnvVars, "empty env vars should produce empty map, not nil")
+	assert.Empty(t, params.ServiceEnvVars, "no valid env vars should be parsed from empty string")
+}
+
 // TestServiceParams_FieldsCoveredInFunctions ensures that all serviceParams fields are
 // referenced in both currentServiceParams() and applyServiceParams(). If a new field is
 // added to serviceParams but not wired into these functions, this test fails.
@@ -500,6 +535,7 @@ func fieldToGlobalVar(field string) string {
 		"LogFiles":              "logFiles",
 		"DisableProfiles":       "profilesDisabled",
 		"DisableUpdateSettings": "updateSettingsDisabled",
+		"DisableNetworks":       "networksDisabled",
 		"ServiceEnvVars":        "serviceEnvVars",
 	}
 	if v, ok := m[field]; ok {

client/cmd/testutil_test.go

@@ -13,6 +13,8 @@ import (
 
 	"github.com/netbirdio/management-integrations/integrations"
 
+	nbcache "github.com/netbirdio/netbird/management/server/cache"
+
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/controller"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/update_channel"
 	"github.com/netbirdio/netbird/management/internals/modules/peers"
@@ -100,9 +102,16 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 
 	jobManager := job.NewJobManager(nil, store, peersmanager)
 
-	iv, _ := integrations.NewIntegratedValidator(context.Background(), peersmanager, settingsManagerMock, eventStore)
+	ctx := context.Background()
 
-	metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
+	cacheStore, err := nbcache.NewStore(ctx, 100*time.Millisecond, 300*time.Millisecond, 100)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	iv, _ := integrations.NewIntegratedValidator(ctx, peersmanager, settingsManagerMock, eventStore, cacheStore)
+
+	metrics, err := telemetry.NewDefaultAppMetrics(ctx)
 	require.NoError(t, err)
 
 	settingsMockManager := settings.NewMockManager(ctrl)
@@ -113,12 +122,11 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 		Return(&types.Settings{}, nil).
 		AnyTimes()
 
-	ctx := context.Background()
 	updateManager := update_channel.NewPeersUpdateManager(metrics)
 	requestBuffer := mgmt.NewAccountRequestBuffer(ctx, store)
 	networkMapController := controller.NewController(ctx, store, metrics, updateManager, requestBuffer, mgmt.MockIntegratedValidator{}, settingsMockManager, "netbird.cloud", port_forwarding.NewControllerMock(), manager.NewEphemeralManager(store, peersmanager), config)
 
-	accountManager, err := mgmt.BuildManager(context.Background(), config, store, networkMapController, jobManager, nil, "", eventStore, nil, false, iv, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false)
+	accountManager, err := mgmt.BuildManager(ctx, config, store, networkMapController, jobManager, nil, "", eventStore, nil, false, iv, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false, cacheStore)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -152,7 +160,7 @@ func startClientDaemon(
 	s := grpc.NewServer()
 
 	server := client.New(ctx,
-		"", "", false, false)
+		"", "", false, false, false)
 	if err := server.Start(); err != nil {
 		t.Fatal(err)
 	}

client/firewall/create_linux.go

@@ -56,6 +56,13 @@ func NewFirewall(iface IFaceMapper, stateManager *statemanager.Manager, flowLogg
 		return createUserspaceFirewall(iface, nil, disableServerRoutes, flowLogger, mtu)
 	}
 
+	// Native firewall handles packet filtering, but the userspace WireGuard bind
+	// needs a device filter for DNS interception hooks. Install a minimal
+	// hooks-only filter that passes all traffic through to the kernel firewall.
+	if err := iface.SetFilter(&uspfilter.HooksFilter{}); err != nil {
+		log.Warnf("failed to set hooks filter, DNS via memory hooks will not work: %v", err)
+	}
+
 	return fm, nil
 }
 

client/firewall/iptables/acl_linux.go

@@ -21,6 +21,10 @@ const (
 
 	// rules chains contains the effective ACL rules
 	chainNameInputRules = "NETBIRD-ACL-INPUT"
+
+	// mangleFwdKey is the entries map key for mangle FORWARD guard rules that prevent
+	// external DNAT from bypassing ACL rules.
+	mangleFwdKey = "MANGLE-FORWARD"
 )
 
 type aclEntries map[string][][]string
@@ -274,6 +278,12 @@ func (m *aclManager) cleanChains() error {
 		}
 	}
 
+	for _, rule := range m.entries[mangleFwdKey] {
+		if err := m.iptablesClient.DeleteIfExists(tableMangle, chainFORWARD, rule...); err != nil {
+			log.Errorf("failed to delete mangle FORWARD guard rule: %v, %s", rule, err)
+		}
+	}
+
 	for _, ipsetName := range m.ipsetStore.ipsetNames() {
 		if err := m.flushIPSet(ipsetName); err != nil {
 			if errors.Is(err, ipset.ErrSetNotExist) {
@@ -303,6 +313,10 @@ func (m *aclManager) createDefaultChains() error {
 	}
 
 	for chainName, rules := range m.entries {
+		// mangle FORWARD guard rules are handled separately below
+		if chainName == mangleFwdKey {
+			continue
+		}
 		for _, rule := range rules {
 			if err := m.iptablesClient.InsertUnique(tableName, chainName, 1, rule...); err != nil {
 				log.Debugf("failed to create input chain jump rule: %s", err)
@@ -322,6 +336,13 @@ func (m *aclManager) createDefaultChains() error {
 	}
 	clear(m.optionalEntries)
 
+	// Insert mangle FORWARD guard rules to prevent external DNAT bypass.
+	for _, rule := range m.entries[mangleFwdKey] {
+		if err := m.iptablesClient.AppendUnique(tableMangle, chainFORWARD, rule...); err != nil {
+			log.Errorf("failed to add mangle FORWARD guard rule: %v", err)
+		}
+	}
+
 	return nil
 }
 
@@ -343,6 +364,22 @@ func (m *aclManager) seedInitialEntries() {
 
 	m.appendToEntries("FORWARD", []string{"-o", m.wgIface.Name(), "-j", chainRTFWDOUT})
 	m.appendToEntries("FORWARD", []string{"-i", m.wgIface.Name(), "-j", chainRTFWDIN})
+
+	// Mangle FORWARD guard: when external DNAT redirects traffic from the wg interface, it
+	// traverses FORWARD instead of INPUT, bypassing ACL rules. ACCEPT rules in filter FORWARD
+	// can be inserted above ours. Mangle runs before filter, so these guard rules enforce the
+	// ACL mark check where it cannot be overridden.
+	m.appendToEntries(mangleFwdKey, []string{
+		"-i", m.wgIface.Name(),
+		"-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED",
+		"-j", "ACCEPT",
+	})
+	m.appendToEntries(mangleFwdKey, []string{
+		"-i", m.wgIface.Name(),
+		"-m", "conntrack", "--ctstate", "DNAT",
+		"-m", "mark", "!", "--mark", fmt.Sprintf("%#x", nbnet.PreroutingFwmarkRedirected),
+		"-j", "DROP",
+	})
 }
 
 func (m *aclManager) seedInitialOptionalEntries() {

client/firewall/iptables/manager_linux.go

@@ -364,28 +364,6 @@ func (m *Manager) SetupEBPFProxyNoTrack(proxyPort, wgPort uint16) error {
 	return nil
 }
 
-// AddTProxyRule adds TPROXY redirect rules for the transparent proxy.
-func (m *Manager) AddTProxyRule(ruleID string, sources []netip.Prefix, dstPorts []uint16, redirectPort uint16) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.AddTProxyRule(ruleID, sources, dstPorts, redirectPort)
-}
-
-// RemoveTProxyRule removes TPROXY redirect rules by ID.
-func (m *Manager) RemoveTProxyRule(ruleID string) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.RemoveTProxyRule(ruleID)
-}
-
-// AddUDPInspectionHook is a no-op for iptables (kernel-mode firewall has no userspace packet hooks).
-func (m *Manager) AddUDPInspectionHook(_ uint16, _ func([]byte) bool) string { return "" }
-
-// RemoveUDPInspectionHook is a no-op for iptables.
-func (m *Manager) RemoveUDPInspectionHook(_ string) {}
-
 func (m *Manager) initNoTrackChain() error {
 	if err := m.cleanupNoTrackChain(); err != nil {
 		log.Debugf("cleanup notrack chain: %v", err)

client/firewall/iptables/router_linux.go

@@ -89,8 +89,6 @@ type router struct {
 
 	stateManager *statemanager.Manager
 	ipFwdState   *ipfwdstate.IPForwardingState
-
-	tproxyRules []tproxyRuleEntry
 }
 
 func newRouter(iptablesClient *iptables.IPTables, wgIface iFaceMapper, mtu uint16) (*router, error) {
@@ -1111,92 +1109,3 @@ func (r *router) addPrefixToIPSet(name string, prefix netip.Prefix) error {
 func (r *router) destroyIPSet(name string) error {
 	return ipset.Destroy(name)
 }
-
-// AddTProxyRule adds iptables nat PREROUTING REDIRECT rules for transparent proxy interception.
-// Traffic from sources on dstPorts arriving on the WG interface is redirected
-// to the transparent proxy listener on redirectPort.
-func (r *router) AddTProxyRule(ruleID string, sources []netip.Prefix, dstPorts []uint16, redirectPort uint16) error {
-	portStr := fmt.Sprintf("%d", redirectPort)
-
-	for _, proto := range []string{"tcp", "udp"} {
-		srcSpecs := r.buildSourceSpecs(sources)
-
-		for _, srcSpec := range srcSpecs {
-			if len(dstPorts) == 0 {
-				rule := append(srcSpec,
-					"-i", r.wgIface.Name(),
-					"-p", proto,
-					"-j", "REDIRECT",
-					"--to-ports", portStr,
-				)
-				if err := r.iptablesClient.AppendUnique(tableNat, chainRTRDR, rule...); err != nil {
-					return fmt.Errorf("add redirect rule %s/%s: %w", ruleID, proto, err)
-				}
-				r.tproxyRules = append(r.tproxyRules, tproxyRuleEntry{
-					ruleID: ruleID,
-					table:  tableNat,
-					chain:  chainRTRDR,
-					spec:   rule,
-				})
-			} else {
-				for _, port := range dstPorts {
-					rule := append(srcSpec,
-						"-i", r.wgIface.Name(),
-						"-p", proto,
-						"--dport", fmt.Sprintf("%d", port),
-						"-j", "REDIRECT",
-						"--to-ports", portStr,
-					)
-					if err := r.iptablesClient.AppendUnique(tableNat, chainRTRDR, rule...); err != nil {
-						return fmt.Errorf("add redirect rule %s/%s/%d: %w", ruleID, proto, port, err)
-					}
-					r.tproxyRules = append(r.tproxyRules, tproxyRuleEntry{
-						ruleID: ruleID,
-						table:  tableNat,
-						chain:  chainRTRDR,
-						spec:   rule,
-					})
-				}
-			}
-		}
-	}
-
-	return nil
-}
-
-// RemoveTProxyRule removes all iptables REDIRECT rules for the given ruleID.
-func (r *router) RemoveTProxyRule(ruleID string) error {
-	var remaining []tproxyRuleEntry
-	for _, entry := range r.tproxyRules {
-		if entry.ruleID != ruleID {
-			remaining = append(remaining, entry)
-			continue
-		}
-		if err := r.iptablesClient.DeleteIfExists(entry.table, entry.chain, entry.spec...); err != nil {
-			log.Debugf("remove tproxy rule %s: %v", ruleID, err)
-		}
-	}
-	r.tproxyRules = remaining
-
-	return nil
-}
-
-type tproxyRuleEntry struct {
-	ruleID string
-	table  string
-	chain  string
-	spec   []string
-}
-
-func (r *router) buildSourceSpecs(sources []netip.Prefix) [][]string {
-	if len(sources) == 0 {
-		return [][]string{{}} // empty spec = match any source
-	}
-
-	specs := make([][]string, 0, len(sources))
-	for _, src := range sources {
-		specs = append(specs, []string{"-s", src.String()})
-	}
-	return specs
-}
-

client/firewall/manager/firewall.go

@@ -180,22 +180,6 @@ type Manager interface {
 	// SetupEBPFProxyNoTrack creates static notrack rules for eBPF proxy loopback traffic.
 	// This prevents conntrack from interfering with WireGuard proxy communication.
 	SetupEBPFProxyNoTrack(proxyPort, wgPort uint16) error
-
-	// AddTProxyRule adds TPROXY redirect rules for specific source CIDRs and destination ports.
-	// Traffic from sources on dstPorts is redirected to the transparent proxy on redirectPort.
-	// Empty dstPorts means redirect all ports.
-	AddTProxyRule(ruleID string, sources []netip.Prefix, dstPorts []uint16, redirectPort uint16) error
-
-	// RemoveTProxyRule removes TPROXY redirect rules by ID.
-	RemoveTProxyRule(ruleID string) error
-
-	// AddUDPInspectionHook registers a hook that inspects UDP packets before forwarding.
-	// The hook receives the raw packet and returns true to drop it.
-	// Used for QUIC SNI-based blocking. Returns a hook ID for removal.
-	AddUDPInspectionHook(dstPort uint16, hook func(packet []byte) bool) string
-
-	// RemoveUDPInspectionHook removes a previously registered inspection hook.
-	RemoveUDPInspectionHook(hookID string)
 }
 
 func GenKey(format string, pair RouterPair) string {

client/firewall/nftables/manager_linux.go

@@ -482,28 +482,6 @@ func (m *Manager) SetupEBPFProxyNoTrack(proxyPort, wgPort uint16) error {
 	return nil
 }
 
-// AddTProxyRule adds TPROXY redirect rules for the transparent proxy.
-func (m *Manager) AddTProxyRule(ruleID string, sources []netip.Prefix, dstPorts []uint16, redirectPort uint16) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.AddTProxyRule(ruleID, sources, dstPorts, redirectPort)
-}
-
-// RemoveTProxyRule removes TPROXY redirect rules by ID.
-func (m *Manager) RemoveTProxyRule(ruleID string) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.RemoveTProxyRule(ruleID)
-}
-
-// AddUDPInspectionHook is a no-op for nftables (kernel-mode firewall has no userspace packet hooks).
-func (m *Manager) AddUDPInspectionHook(_ uint16, _ func([]byte) bool) string { return "" }
-
-// RemoveUDPInspectionHook is a no-op for nftables.
-func (m *Manager) RemoveUDPInspectionHook(_ string) {}
-
 func (m *Manager) initNoTrackChains(table *nftables.Table) error {
 	m.notrackOutputChain = m.rConn.AddChain(&nftables.Chain{
 		Name:     chainNameRawOutput,

client/firewall/nftables/router_linux.go

@@ -77,7 +77,6 @@ type router struct {
 	ipFwdState       *ipfwdstate.IPForwardingState
 	legacyManagement bool
 	mtu              uint16
-
 }
 
 func newRouter(workTable *nftables.Table, wgIface iFaceMapper, mtu uint16) (*router, error) {
@@ -2138,227 +2137,3 @@ func getIpSetExprs(ref refcounter.Ref[*nftables.Set], isSource bool) ([]expr.Any
 		},
 	}, nil
 }
-
-// AddTProxyRule adds nftables TPROXY redirect rules in the mangle prerouting chain.
-// Traffic from sources on dstPorts arriving on the WG interface is redirected to
-// the transparent proxy listener on redirectPort.
-// Separate rules are created for TCP and UDP protocols.
-func (r *router) AddTProxyRule(ruleID string, sources []netip.Prefix, dstPorts []uint16, redirectPort uint16) error {
-	if err := r.refreshRulesMap(); err != nil {
-		return fmt.Errorf(refreshRulesMapError, err)
-	}
-
-	// Use the nat redirect chain for DNAT rules.
-	// TPROXY doesn't work on WG kernel interfaces (socket assignment silently fails),
-	// so we use DNAT to 127.0.0.1:proxy_port instead. The proxy reads the original
-	// destination via SO_ORIGINAL_DST (conntrack).
-	chain := r.chains[chainNameRoutingRdr]
-	if chain == nil {
-		return fmt.Errorf("nat redirect chain not initialized")
-	}
-
-	for _, proto := range []uint8{unix.IPPROTO_TCP, unix.IPPROTO_UDP} {
-		protoName := "tcp"
-		if proto == unix.IPPROTO_UDP {
-			protoName = "udp"
-		}
-
-		ruleKey := fmt.Sprintf("tproxy-%s-%s", ruleID, protoName)
-
-		if existing, ok := r.rules[ruleKey]; ok && existing.Handle != 0 {
-			if err := r.decrementSetCounter(existing); err != nil {
-				log.Debugf("decrement set counter for %s: %v", ruleKey, err)
-			}
-			if err := r.conn.DelRule(existing); err != nil {
-				log.Debugf("remove existing tproxy rule %s: %v", ruleKey, err)
-			}
-			delete(r.rules, ruleKey)
-		}
-
-		exprs, err := r.buildRedirectExprs(proto, sources, dstPorts, redirectPort)
-		if err != nil {
-			return fmt.Errorf("build redirect exprs for %s: %w", protoName, err)
-		}
-
-		r.rules[ruleKey] = r.conn.AddRule(&nftables.Rule{
-			Table:    r.workTable,
-			Chain:    chain,
-			Exprs:    exprs,
-			UserData: []byte(ruleKey),
-		})
-	}
-
-	// Accept redirected packets in the ACL input chain. After REDIRECT, the
-	// destination port becomes the proxy port. Without this rule, the ACL filter
-	// drops the packet. We match on ct state dnat so only REDIRECT'd connections
-	// are accepted: direct connections to the proxy port are blocked.
-	inputAcceptKey := fmt.Sprintf("tproxy-%s-input", ruleID)
-	if _, ok := r.rules[inputAcceptKey]; !ok {
-		inputChain := &nftables.Chain{
-			Name:  "netbird-acl-input-rules",
-			Table: r.workTable,
-		}
-		r.rules[inputAcceptKey] = r.conn.InsertRule(&nftables.Rule{
-			Table: r.workTable,
-			Chain: inputChain,
-			Exprs: []expr.Any{
-				// Only accept connections that were REDIRECT'd (ct status dnat)
-				&expr.Ct{Register: 1, Key: expr.CtKeySTATUS},
-				&expr.Bitwise{
-					SourceRegister: 1,
-					DestRegister:   1,
-					Len:            4,
-					Mask:           binaryutil.NativeEndian.PutUint32(0x20), // IPS_DST_NAT
-					Xor:            binaryutil.NativeEndian.PutUint32(0),
-				},
-				&expr.Cmp{
-					Op:       expr.CmpOpNeq,
-					Register: 1,
-					Data:     binaryutil.NativeEndian.PutUint32(0),
-				},
-				// Accept both TCP and UDP redirected to the proxy port.
-				&expr.Payload{
-					DestRegister: 1,
-					Base:         expr.PayloadBaseTransportHeader,
-					Offset:       2,
-					Len:          2,
-				},
-				&expr.Cmp{
-					Op:       expr.CmpOpEq,
-					Register: 1,
-					Data:     binaryutil.BigEndian.PutUint16(redirectPort),
-				},
-				&expr.Verdict{Kind: expr.VerdictAccept},
-			},
-			UserData: []byte(inputAcceptKey),
-		})
-	}
-
-	if err := r.conn.Flush(); err != nil {
-		return fmt.Errorf("flush tproxy rules for %s: %w", ruleID, err)
-	}
-
-	return nil
-}
-
-// RemoveTProxyRule removes TPROXY redirect rules by ID (both TCP and UDP variants).
-func (r *router) RemoveTProxyRule(ruleID string) error {
-	if err := r.refreshRulesMap(); err != nil {
-		return fmt.Errorf(refreshRulesMapError, err)
-	}
-
-	var removed int
-	for _, suffix := range []string{"tcp", "udp", "input"} {
-		ruleKey := fmt.Sprintf("tproxy-%s-%s", ruleID, suffix)
-
-		rule, ok := r.rules[ruleKey]
-		if !ok {
-			continue
-		}
-
-		if rule.Handle == 0 {
-			delete(r.rules, ruleKey)
-			continue
-		}
-
-		if err := r.decrementSetCounter(rule); err != nil {
-			log.Debugf("decrement set counter for %s: %v", ruleKey, err)
-		}
-		if err := r.conn.DelRule(rule); err != nil {
-			log.Debugf("delete tproxy rule %s: %v", ruleKey, err)
-		}
-		delete(r.rules, ruleKey)
-		removed++
-	}
-
-	if removed > 0 {
-		if err := r.conn.Flush(); err != nil {
-			return fmt.Errorf("flush tproxy rule removal for %s: %w", ruleID, err)
-		}
-	}
-
-	return nil
-}
-
-// buildRedirectExprs builds nftables expressions for a REDIRECT rule.
-// Matches WG interface ingress, source CIDRs, destination ports, then REDIRECTs to the proxy port.
-func (r *router) buildRedirectExprs(proto uint8, sources []netip.Prefix, dstPorts []uint16, redirectPort uint16) ([]expr.Any, error) {
-	var exprs []expr.Any
-
-	exprs = append(exprs,
-		&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
-		&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: ifname(r.wgIface.Name())},
-	)
-
-	exprs = append(exprs,
-		&expr.Meta{Key: expr.MetaKeyL4PROTO, Register: 1},
-		&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: []byte{proto}},
-	)
-
-	// Source CIDRs use the named ipset shared with route rules.
-	if len(sources) > 0 {
-		srcSet := firewall.NewPrefixSet(sources)
-		srcExprs, err := r.getIpSet(srcSet, sources, true)
-		if err != nil {
-			return nil, fmt.Errorf("get source ipset: %w", err)
-		}
-		exprs = append(exprs, srcExprs...)
-	}
-
-	if len(dstPorts) == 1 {
-		exprs = append(exprs,
-			&expr.Payload{
-				DestRegister: 1,
-				Base:         expr.PayloadBaseTransportHeader,
-				Offset:       2,
-				Len:          2,
-			},
-			&expr.Cmp{
-				Op:       expr.CmpOpEq,
-				Register: 1,
-				Data:     binaryutil.BigEndian.PutUint16(dstPorts[0]),
-			},
-		)
-	} else if len(dstPorts) > 1 {
-		setElements := make([]nftables.SetElement, len(dstPorts))
-		for i, p := range dstPorts {
-			setElements[i] = nftables.SetElement{Key: binaryutil.BigEndian.PutUint16(p)}
-		}
-		portSet := &nftables.Set{
-			Table:     r.workTable,
-			Anonymous: true,
-			Constant:  true,
-			KeyType:   nftables.TypeInetService,
-		}
-		if err := r.conn.AddSet(portSet, setElements); err != nil {
-			return nil, fmt.Errorf("create port set: %w", err)
-		}
-		exprs = append(exprs,
-			&expr.Payload{
-				DestRegister: 1,
-				Base:         expr.PayloadBaseTransportHeader,
-				Offset:       2,
-				Len:          2,
-			},
-			&expr.Lookup{
-				SourceRegister: 1,
-				SetName:        portSet.Name,
-				SetID:          portSet.ID,
-			},
-		)
-	}
-
-	// REDIRECT to local proxy port. Changes the destination to the interface's
-	// primary address + specified port. Conntrack tracks the original destination,
-	// readable via SO_ORIGINAL_DST.
-	exprs = append(exprs,
-		&expr.Immediate{Register: 1, Data: binaryutil.BigEndian.PutUint16(redirectPort)},
-		&expr.Redir{
-			RegisterProtoMin: 1,
-		},
-	)
-
-	return exprs, nil
-}
-
-

client/firewall/uspfilter/common/hooks.go

@@ -0,0 +1,37 @@
+package common
+
+import (
+	"net/netip"
+	"sync/atomic"
+)
+
+// PacketHook stores a registered hook for a specific IP:port.
+type PacketHook struct {
+	IP   netip.Addr
+	Port uint16
+	Fn   func([]byte) bool
+}
+
+// HookMatches checks if a packet's destination matches the hook and invokes it.
+func HookMatches(h *PacketHook, dstIP netip.Addr, dport uint16, packetData []byte) bool {
+	if h == nil {
+		return false
+	}
+	if h.IP == dstIP && h.Port == dport {
+		return h.Fn(packetData)
+	}
+	return false
+}
+
+// SetHook atomically stores a hook, handling nil removal.
+func SetHook(ptr *atomic.Pointer[PacketHook], ip netip.Addr, dPort uint16, hook func([]byte) bool) {
+	if hook == nil {
+		ptr.Store(nil)
+		return
+	}
+	ptr.Store(&PacketHook{
+		IP:   ip,
+		Port: dPort,
+		Fn:   hook,
+	})
+}

client/firewall/uspfilter/conntrack/cap_test.go

@@ -0,0 +1,125 @@
+package conntrack
+
+import (
+	"net/netip"
+	"testing"
+
+	"github.com/google/gopacket/layers"
+	"github.com/stretchr/testify/require"
+)
+
+func TestTCPCapEvicts(t *testing.T) {
+	t.Setenv(EnvTCPMaxEntries, "4")
+
+	tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
+	defer tracker.Close()
+	require.Equal(t, 4, tracker.maxEntries)
+
+	src := netip.MustParseAddr("100.64.0.1")
+	dst := netip.MustParseAddr("100.64.0.2")
+
+	for i := 0; i < 10; i++ {
+		tracker.TrackOutbound(src, dst, uint16(10000+i), 80, TCPSyn, 0)
+	}
+	require.LessOrEqual(t, len(tracker.connections), 4,
+		"TCP table must not exceed the configured cap")
+	require.Greater(t, len(tracker.connections), 0,
+		"some entries must remain after eviction")
+
+	// The most recently admitted flow must be present: eviction must make
+	// room for new entries, not silently drop them.
+	require.Contains(t, tracker.connections,
+		ConnKey{SrcIP: src, DstIP: dst, SrcPort: uint16(10009), DstPort: 80},
+		"newest TCP flow must be admitted after eviction")
+	// A pre-cap flow must have been evicted to fit the last one.
+	require.NotContains(t, tracker.connections,
+		ConnKey{SrcIP: src, DstIP: dst, SrcPort: uint16(10000), DstPort: 80},
+		"oldest TCP flow should have been evicted")
+}
+
+func TestTCPCapPrefersTombstonedForEviction(t *testing.T) {
+	t.Setenv(EnvTCPMaxEntries, "3")
+
+	tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
+	defer tracker.Close()
+
+	src := netip.MustParseAddr("100.64.0.1")
+	dst := netip.MustParseAddr("100.64.0.2")
+
+	// Fill to cap with 3 live connections.
+	for i := 0; i < 3; i++ {
+		tracker.TrackOutbound(src, dst, uint16(20000+i), 80, TCPSyn, 0)
+	}
+	require.Len(t, tracker.connections, 3)
+
+	// Tombstone one by sending RST through IsValidInbound.
+	tombstonedKey := ConnKey{SrcIP: src, DstIP: dst, SrcPort: 20001, DstPort: 80}
+	require.True(t, tracker.IsValidInbound(dst, src, 80, 20001, TCPRst|TCPAck, 0))
+	require.True(t, tracker.connections[tombstonedKey].IsTombstone())
+
+	// Another live connection forces eviction. The tombstone must go first.
+	tracker.TrackOutbound(src, dst, uint16(29999), 80, TCPSyn, 0)
+
+	_, tombstonedStillPresent := tracker.connections[tombstonedKey]
+	require.False(t, tombstonedStillPresent,
+		"tombstoned entry should be evicted before live entries")
+	require.LessOrEqual(t, len(tracker.connections), 3)
+
+	// Both live pre-cap entries must survive: eviction must prefer the
+	// tombstone, not just satisfy the size bound by dropping any entry.
+	require.Contains(t, tracker.connections,
+		ConnKey{SrcIP: src, DstIP: dst, SrcPort: uint16(20000), DstPort: 80},
+		"live entries must not be evicted while a tombstone exists")
+	require.Contains(t, tracker.connections,
+		ConnKey{SrcIP: src, DstIP: dst, SrcPort: uint16(20002), DstPort: 80},
+		"live entries must not be evicted while a tombstone exists")
+}
+
+func TestUDPCapEvicts(t *testing.T) {
+	t.Setenv(EnvUDPMaxEntries, "5")
+
+	tracker := NewUDPTracker(DefaultUDPTimeout, logger, flowLogger)
+	defer tracker.Close()
+	require.Equal(t, 5, tracker.maxEntries)
+
+	src := netip.MustParseAddr("100.64.0.1")
+	dst := netip.MustParseAddr("100.64.0.2")
+
+	for i := 0; i < 12; i++ {
+		tracker.TrackOutbound(src, dst, uint16(30000+i), 53, 0)
+	}
+	require.LessOrEqual(t, len(tracker.connections), 5)
+	require.Greater(t, len(tracker.connections), 0)
+
+	require.Contains(t, tracker.connections,
+		ConnKey{SrcIP: src, DstIP: dst, SrcPort: uint16(30011), DstPort: 53},
+		"newest UDP flow must be admitted after eviction")
+	require.NotContains(t, tracker.connections,
+		ConnKey{SrcIP: src, DstIP: dst, SrcPort: uint16(30000), DstPort: 53},
+		"oldest UDP flow should have been evicted")
+}
+
+func TestICMPCapEvicts(t *testing.T) {
+	t.Setenv(EnvICMPMaxEntries, "3")
+
+	tracker := NewICMPTracker(DefaultICMPTimeout, logger, flowLogger)
+	defer tracker.Close()
+	require.Equal(t, 3, tracker.maxEntries)
+
+	src := netip.MustParseAddr("100.64.0.1")
+	dst := netip.MustParseAddr("100.64.0.2")
+
+	echoReq := layers.CreateICMPv4TypeCode(uint8(layers.ICMPv4TypeEchoRequest), 0)
+	for i := 0; i < 8; i++ {
+		tracker.TrackOutbound(src, dst, uint16(i), echoReq, nil, 64)
+	}
+	require.LessOrEqual(t, len(tracker.connections), 3)
+	require.Greater(t, len(tracker.connections), 0)
+
+	require.Contains(t, tracker.connections,
+		ICMPConnKey{SrcIP: src, DstIP: dst, ID: uint16(7)},
+		"newest ICMP flow must be admitted after eviction")
+	require.NotContains(t, tracker.connections,
+		ICMPConnKey{SrcIP: src, DstIP: dst, ID: uint16(0)},
+		"oldest ICMP flow should have been evicted")
+}

client/firewall/uspfilter/conntrack/common.go

@@ -3,14 +3,61 @@ package conntrack
 import (
 	"fmt"
 	"net/netip"
+	"os"
+	"strconv"
 	"sync/atomic"
 	"time"
 
 	"github.com/google/uuid"
 
+	nblog "github.com/netbirdio/netbird/client/firewall/uspfilter/log"
 	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
 )
 
+// evictSampleSize bounds how many map entries we scan per eviction call.
+// Keeps eviction O(1) even at cap under sustained load; the sampled-LRU
+// heuristic is good enough for a conntrack table that only overflows under
+// abuse.
+const evictSampleSize = 8
+
+// envDuration parses an os.Getenv(name) as a time.Duration. Falls back to
+// def on empty or invalid; logs a warning on invalid.
+func envDuration(logger *nblog.Logger, name string, def time.Duration) time.Duration {
+	v := os.Getenv(name)
+	if v == "" {
+		return def
+	}
+	d, err := time.ParseDuration(v)
+	if err != nil {
+		logger.Warn3("invalid %s=%q: %v, using default", name, v, err)
+		return def
+	}
+	if d <= 0 {
+		logger.Warn2("invalid %s=%q: must be positive, using default", name, v)
+		return def
+	}
+	return d
+}
+
+// envInt parses an os.Getenv(name) as an int. Falls back to def on empty,
+// invalid, or non-positive. Logs a warning on invalid input.
+func envInt(logger *nblog.Logger, name string, def int) int {
+	v := os.Getenv(name)
+	if v == "" {
+		return def
+	}
+	n, err := strconv.Atoi(v)
+	switch {
+	case err != nil:
+		logger.Warn3("invalid %s=%q: %v, using default", name, v, err)
+		return def
+	case n <= 0:
+		logger.Warn2("invalid %s=%q: must be positive, using default", name, v)
+		return def
+	}
+	return n
+}
+
 // BaseConnTrack provides common fields and locking for all connection types
 type BaseConnTrack struct {
 	FlowId    uuid.UUID

client/firewall/uspfilter/conntrack/defaults_desktop.go

@@ -0,0 +1,11 @@
+//go:build !ios && !android
+
+package conntrack
+
+// Default per-tracker entry caps on desktop/server platforms. These mirror
+// typical Linux netfilter nf_conntrack_max territory with ample headroom.
+const (
+	DefaultMaxTCPEntries  = 65536
+	DefaultMaxUDPEntries  = 16384
+	DefaultMaxICMPEntries = 2048
+)

client/firewall/uspfilter/conntrack/defaults_mobile.go

@@ -0,0 +1,13 @@
+//go:build ios || android
+
+package conntrack
+
+// Default per-tracker entry caps on mobile platforms. iOS network extensions
+// are capped at ~50 MB; Android runs under aggressive memory pressure. These
+// values keep conntrack footprint well under 5 MB worst case (TCPConnTrack
+// is ~200 B plus map overhead).
+const (
+	DefaultMaxTCPEntries  = 4096
+	DefaultMaxUDPEntries  = 2048
+	DefaultMaxICMPEntries = 512
+)

client/firewall/uspfilter/conntrack/icmp.go

@@ -44,6 +44,9 @@ type ICMPConnTrack struct {
 	ICMPCode uint8
 }
 
+// EnvICMPMaxEntries caps the ICMP conntrack table size.
+const EnvICMPMaxEntries = "NB_CONNTRACK_ICMP_MAX"
+
 // ICMPTracker manages ICMP connection states
 type ICMPTracker struct {
 	logger        *nblog.Logger
@@ -52,6 +55,7 @@ type ICMPTracker struct {
 	cleanupTicker *time.Ticker
 	tickerCancel  context.CancelFunc
 	mutex         sync.RWMutex
+	maxEntries    int
 	flowLogger    nftypes.FlowLogger
 }
 
@@ -135,6 +139,7 @@ func NewICMPTracker(timeout time.Duration, logger *nblog.Logger, flowLogger nfty
 		timeout:       timeout,
 		cleanupTicker: time.NewTicker(ICMPCleanupInterval),
 		tickerCancel:  cancel,
+		maxEntries:    envInt(logger, EnvICMPMaxEntries, DefaultMaxICMPEntries),
 		flowLogger:    flowLogger,
 	}
 
@@ -221,7 +226,9 @@ func (t *ICMPTracker) track(
 
 	// non echo requests don't need tracking
 	if typ != uint8(layers.ICMPv4TypeEchoRequest) {
-		t.logger.Trace3("New %s ICMP connection %s - %s", direction, key, icmpInfo)
+		if t.logger.Enabled(nblog.LevelTrace) {
+			t.logger.Trace3("New %s ICMP connection %s - %s", direction, key, icmpInfo)
+		}
 		t.sendStartEvent(direction, srcIP, dstIP, typ, code, ruleId, size)
 		return
 	}
@@ -240,10 +247,15 @@ func (t *ICMPTracker) track(
 	conn.UpdateCounters(direction, size)
 
 	t.mutex.Lock()
+	if t.maxEntries > 0 && len(t.connections) >= t.maxEntries {
+		t.evictOneLocked()
+	}
 	t.connections[key] = conn
 	t.mutex.Unlock()
 
-	t.logger.Trace3("New %s ICMP connection %s - %s", direction, key, icmpInfo)
+	if t.logger.Enabled(nblog.LevelTrace) {
+		t.logger.Trace3("New %s ICMP connection %s - %s", direction, key, icmpInfo)
+	}
 	t.sendEvent(nftypes.TypeStart, conn, ruleId)
 }
 
@@ -286,6 +298,34 @@ func (t *ICMPTracker) cleanupRoutine(ctx context.Context) {
 	}
 }
 
+// evictOneLocked removes one entry to make room. Caller must hold t.mutex.
+// Bounded sample scan: picks the oldest among up to evictSampleSize entries.
+func (t *ICMPTracker) evictOneLocked() {
+	var candKey ICMPConnKey
+	var candSeen int64
+	haveCand := false
+	sampled := 0
+
+	for k, c := range t.connections {
+		seen := c.lastSeen.Load()
+		if !haveCand || seen < candSeen {
+			candKey = k
+			candSeen = seen
+			haveCand = true
+		}
+		sampled++
+		if sampled >= evictSampleSize {
+			break
+		}
+	}
+	if haveCand {
+		if evicted := t.connections[candKey]; evicted != nil {
+			t.sendEvent(nftypes.TypeEnd, evicted, nil)
+		}
+		delete(t.connections, candKey)
+	}
+}
+
 func (t *ICMPTracker) cleanup() {
 	t.mutex.Lock()
 	defer t.mutex.Unlock()
@@ -294,8 +334,10 @@ func (t *ICMPTracker) cleanup() {
 		if conn.timeoutExceeded(t.timeout) {
 			delete(t.connections, key)
 
-			t.logger.Trace5("Removed ICMP connection %s (timeout) [in: %d Pkts/%d B out: %d Pkts/%d B]",
-				key, conn.PacketsRx.Load(), conn.BytesRx.Load(), conn.PacketsTx.Load(), conn.BytesTx.Load())
+			if t.logger.Enabled(nblog.LevelTrace) {
+				t.logger.Trace5("Removed ICMP connection %s (timeout) [in: %d Pkts/%d B out: %d Pkts/%d B]",
+					key, conn.PacketsRx.Load(), conn.BytesRx.Load(), conn.PacketsTx.Load(), conn.BytesTx.Load())
+			}
 			t.sendEvent(nftypes.TypeEnd, conn, nil)
 		}
 	}

client/firewall/uspfilter/conntrack/tcp.go

@@ -38,6 +38,27 @@ const (
 	TCPHandshakeTimeout = 60 * time.Second
 	// TCPCleanupInterval is how often we check for stale connections
 	TCPCleanupInterval = 5 * time.Minute
+	// FinWaitTimeout bounds FIN_WAIT_1 / FIN_WAIT_2 / CLOSING states.
+	// Matches Linux netfilter nf_conntrack_tcp_timeout_fin_wait.
+	FinWaitTimeout = 60 * time.Second
+	// CloseWaitTimeout bounds CLOSE_WAIT. Matches Linux default; apps
+	// holding CloseWait longer than this should bump the env var.
+	CloseWaitTimeout = 60 * time.Second
+	// LastAckTimeout bounds LAST_ACK. Matches Linux default.
+	LastAckTimeout = 30 * time.Second
+)
+
+// Env vars to override per-state teardown timeouts. Values parsed by
+// time.ParseDuration (e.g. "120s", "2m"). Invalid values fall back to the
+// defaults above with a warning.
+const (
+	EnvTCPFinWaitTimeout   = "NB_CONNTRACK_TCP_FIN_WAIT_TIMEOUT"
+	EnvTCPCloseWaitTimeout = "NB_CONNTRACK_TCP_CLOSE_WAIT_TIMEOUT"
+	EnvTCPLastAckTimeout   = "NB_CONNTRACK_TCP_LAST_ACK_TIMEOUT"
+
+	// EnvTCPMaxEntries caps the TCP conntrack table size. Oldest entries
+	// (tombstones first) are evicted when the cap is reached.
+	EnvTCPMaxEntries = "NB_CONNTRACK_TCP_MAX"
 )
 
 // TCPState represents the state of a TCP connection
@@ -133,14 +154,18 @@ func (t *TCPConnTrack) SetTombstone() {
 
 // TCPTracker manages TCP connection states
 type TCPTracker struct {
-	logger        *nblog.Logger
-	connections   map[ConnKey]*TCPConnTrack
-	mutex         sync.RWMutex
-	cleanupTicker *time.Ticker
-	tickerCancel  context.CancelFunc
-	timeout       time.Duration
-	waitTimeout   time.Duration
-	flowLogger    nftypes.FlowLogger
+	logger           *nblog.Logger
+	connections      map[ConnKey]*TCPConnTrack
+	mutex            sync.RWMutex
+	cleanupTicker    *time.Ticker
+	tickerCancel     context.CancelFunc
+	timeout          time.Duration
+	waitTimeout      time.Duration
+	finWaitTimeout   time.Duration
+	closeWaitTimeout time.Duration
+	lastAckTimeout   time.Duration
+	maxEntries       int
+	flowLogger       nftypes.FlowLogger
 }
 
 // NewTCPTracker creates a new TCP connection tracker
@@ -155,13 +180,17 @@ func NewTCPTracker(timeout time.Duration, logger *nblog.Logger, flowLogger nftyp
 	ctx, cancel := context.WithCancel(context.Background())
 
 	tracker := &TCPTracker{
-		logger:        logger,
-		connections:   make(map[ConnKey]*TCPConnTrack),
-		cleanupTicker: time.NewTicker(TCPCleanupInterval),
-		tickerCancel:  cancel,
-		timeout:       timeout,
-		waitTimeout:   waitTimeout,
-		flowLogger:    flowLogger,
+		logger:           logger,
+		connections:      make(map[ConnKey]*TCPConnTrack),
+		cleanupTicker:    time.NewTicker(TCPCleanupInterval),
+		tickerCancel:     cancel,
+		timeout:          timeout,
+		waitTimeout:      waitTimeout,
+		finWaitTimeout:   envDuration(logger, EnvTCPFinWaitTimeout, FinWaitTimeout),
+		closeWaitTimeout: envDuration(logger, EnvTCPCloseWaitTimeout, CloseWaitTimeout),
+		lastAckTimeout:   envDuration(logger, EnvTCPLastAckTimeout, LastAckTimeout),
+		maxEntries:       envInt(logger, EnvTCPMaxEntries, DefaultMaxTCPEntries),
+		flowLogger:       flowLogger,
 	}
 
 	go tracker.cleanupRoutine(ctx)
@@ -209,6 +238,12 @@ func (t *TCPTracker) track(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, fla
 	if exists || flags&TCPSyn == 0 {
 		return
 	}
+	// Reject illegal SYN combinations (SYN+FIN, SYN+RST, …) so they don't
+	// create spurious conntrack entries. Not mandated by RFC 9293 but a
+	// common hardening (Linux netfilter/nftables rejects these too).
+	if !isValidFlagCombination(flags) {
+		return
+	}
 
 	conn := &TCPConnTrack{
 		BaseConnTrack: BaseConnTrack{
@@ -225,20 +260,65 @@ func (t *TCPTracker) track(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, fla
 	conn.state.Store(int32(TCPStateNew))
 	conn.DNATOrigPort.Store(uint32(origPort))
 
-	if origPort != 0 {
-		t.logger.Trace4("New %s TCP connection: %s (port DNAT %d -> %d)", direction, key, origPort, dstPort)
-	} else {
-		t.logger.Trace2("New %s TCP connection: %s", direction, key)
+	if t.logger.Enabled(nblog.LevelTrace) {
+		if origPort != 0 {
+			t.logger.Trace4("New %s TCP connection: %s (port DNAT %d -> %d)", direction, key, origPort, dstPort)
+		} else {
+			t.logger.Trace2("New %s TCP connection: %s", direction, key)
+		}
 	}
 	t.updateState(key, conn, flags, direction, size)
 
 	t.mutex.Lock()
+	if t.maxEntries > 0 && len(t.connections) >= t.maxEntries {
+		t.evictOneLocked()
+	}
 	t.connections[key] = conn
 	t.mutex.Unlock()
 
 	t.sendEvent(nftypes.TypeStart, conn, ruleID)
 }
 
+// evictOneLocked removes one entry to make room. Caller must hold t.mutex.
+// Bounded scan: samples up to evictSampleSize pseudo-random entries (Go map
+// iteration order is randomized), preferring a tombstone. If no tombstone
+// found in the sample, evicts the oldest among the sampled entries. O(1)
+// worst case — cheap enough to run on every insert at cap during abuse.
+func (t *TCPTracker) evictOneLocked() {
+	var candKey ConnKey
+	var candSeen int64
+	haveCand := false
+	sampled := 0
+
+	for k, c := range t.connections {
+		if c.IsTombstone() {
+			delete(t.connections, k)
+			return
+		}
+		seen := c.lastSeen.Load()
+		if !haveCand || seen < candSeen {
+			candKey = k
+			candSeen = seen
+			haveCand = true
+		}
+		sampled++
+		if sampled >= evictSampleSize {
+			break
+		}
+	}
+	if haveCand {
+		if evicted := t.connections[candKey]; evicted != nil {
+			// TypeEnd is already emitted at the state transition to
+			// TimeWait and when a connection is tombstoned. Only emit
+			// here when we're reaping a still-active flow.
+			if evicted.GetState() != TCPStateTimeWait && !evicted.IsTombstone() {
+				t.sendEvent(nftypes.TypeEnd, evicted, nil)
+			}
+		}
+		delete(t.connections, candKey)
+	}
+}
+
 // IsValidInbound checks if an inbound TCP packet matches a tracked connection
 func (t *TCPTracker) IsValidInbound(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, flags uint8, size int) bool {
 	key := ConnKey{
@@ -256,12 +336,19 @@ func (t *TCPTracker) IsValidInbound(srcIP, dstIP netip.Addr, srcPort, dstPort ui
 		return false
 	}
 
+	// Reject illegal flag combinations regardless of state. These never belong
+	// to a legitimate flow and must not advance or tear down state.
+	if !isValidFlagCombination(flags) {
+		if t.logger.Enabled(nblog.LevelWarn) {
+			t.logger.Warn3("TCP illegal flag combination %x for connection %s (state %s)", flags, key, conn.GetState())
+		}
+		return false
+	}
+
 	currentState := conn.GetState()
 	if !t.isValidStateForFlags(currentState, flags) {
-		t.logger.Warn3("TCP state %s is not valid with flags %x for connection %s", currentState, flags, key)
-		// allow all flags for established for now
-		if currentState == TCPStateEstablished {
-			return true
+		if t.logger.Enabled(nblog.LevelWarn) {
+			t.logger.Warn3("TCP state %s is not valid with flags %x for connection %s", currentState, flags, key)
 		}
 		return false
 	}
@@ -270,116 +357,208 @@ func (t *TCPTracker) IsValidInbound(srcIP, dstIP netip.Addr, srcPort, dstPort ui
 	return true
 }
 
-// updateState updates the TCP connection state based on flags
+// updateState updates the TCP connection state based on flags.
 func (t *TCPTracker) updateState(key ConnKey, conn *TCPConnTrack, flags uint8, packetDir nftypes.Direction, size int) {
-	conn.UpdateLastSeen()
 	conn.UpdateCounters(packetDir, size)
 
+	// Malformed flag combinations must not refresh lastSeen or drive state,
+	// otherwise spoofed packets keep a dead flow alive past its timeout.
+	if !isValidFlagCombination(flags) {
+		return
+	}
+
+	conn.UpdateLastSeen()
+
 	currentState := conn.GetState()
 
 	if flags&TCPRst != 0 {
-		if conn.CompareAndSwapState(currentState, TCPStateClosed) {
-			conn.SetTombstone()
-			t.logger.Trace6("TCP connection reset: %s (dir: %s) [in: %d Pkts/%d B, out: %d Pkts/%d B]",
-				key, packetDir, conn.PacketsRx.Load(), conn.BytesRx.Load(), conn.PacketsTx.Load(), conn.BytesTx.Load())
-			t.sendEvent(nftypes.TypeEnd, conn, nil)
-		}
+		// Hardening beyond RFC 9293 §3.10.7.4: without sequence tracking we
+		// cannot apply the RFC 5961 in-window RST check, so we conservatively
+		// reject RSTs that the spec would accept (TIME-WAIT with in-window
+		// SEQ, SynSent from same direction as own SYN, etc.).
+		t.handleRst(key, conn, currentState, packetDir)
 		return
 	}
 
-	var newState TCPState
-	switch currentState {
-	case TCPStateNew:
-		if flags&TCPSyn != 0 && flags&TCPAck == 0 {
-			if conn.Direction == nftypes.Egress {
-				newState = TCPStateSynSent
-			} else {
-				newState = TCPStateSynReceived
-			}
-		}
+	newState := nextState(currentState, conn.Direction, packetDir, flags)
+	if newState == 0 || !conn.CompareAndSwapState(currentState, newState) {
+		return
+	}
+	t.onTransition(key, conn, currentState, newState, packetDir)
+}
 
-	case TCPStateSynSent:
-		if flags&TCPSyn != 0 && flags&TCPAck != 0 {
-			if packetDir != conn.Direction {
-				newState = TCPStateEstablished
-			} else {
-				// Simultaneous open
-				newState = TCPStateSynReceived
-			}
-		}
+// handleRst processes a RST segment. Late RSTs in TimeWait and spoofed RSTs
+// from the SYN direction are ignored; otherwise the flow is tombstoned.
+func (t *TCPTracker) handleRst(key ConnKey, conn *TCPConnTrack, currentState TCPState, packetDir nftypes.Direction) {
+	// TimeWait exists to absorb late segments; don't let a late RST
+	// tombstone the entry and break same-4-tuple reuse.
+	if currentState == TCPStateTimeWait {
+		return
+	}
+	// A RST from the same direction as the SYN cannot be a legitimate
+	// response and must not tear down a half-open connection.
+	if currentState == TCPStateSynSent && packetDir == conn.Direction {
+		return
+	}
+	if !conn.CompareAndSwapState(currentState, TCPStateClosed) {
+		return
+	}
+	conn.SetTombstone()
+	if t.logger.Enabled(nblog.LevelTrace) {
+		t.logger.Trace6("TCP connection reset: %s (dir: %s) [in: %d Pkts/%d B, out: %d Pkts/%d B]",
+			key, packetDir, conn.PacketsRx.Load(), conn.BytesRx.Load(), conn.PacketsTx.Load(), conn.BytesTx.Load())
+	}
+	t.sendEvent(nftypes.TypeEnd, conn, nil)
+}
 
-	case TCPStateSynReceived:
-		if flags&TCPAck != 0 && flags&TCPSyn == 0 {
-			if packetDir == conn.Direction {
-				newState = TCPStateEstablished
-			}
-		}
+// stateTransition describes one state's transition logic. It receives the
+// packet's flags plus whether the packet direction matches the connection's
+// origin direction (same=true means same side as the SYN initiator). Return 0
+// for no transition.
+type stateTransition func(flags uint8, connDir nftypes.Direction, same bool) TCPState
 
-	case TCPStateEstablished:
-		if flags&TCPFin != 0 {
-			if packetDir == conn.Direction {
-				newState = TCPStateFinWait1
-			} else {
-				newState = TCPStateCloseWait
-			}
-		}
+// stateTable maps each state to its transition function. Centralized here so
+// nextState stays trivial and each rule is easy to read in isolation.
+var stateTable = map[TCPState]stateTransition{
+	TCPStateNew:         transNew,
+	TCPStateSynSent:     transSynSent,
+	TCPStateSynReceived: transSynReceived,
+	TCPStateEstablished: transEstablished,
+	TCPStateFinWait1:    transFinWait1,
+	TCPStateFinWait2:    transFinWait2,
+	TCPStateClosing:     transClosing,
+	TCPStateCloseWait:   transCloseWait,
+	TCPStateLastAck:     transLastAck,
+}
 
-	case TCPStateFinWait1:
-		if packetDir != conn.Direction {
-			switch {
-			case flags&TCPFin != 0 && flags&TCPAck != 0:
-				newState = TCPStateClosing
-			case flags&TCPFin != 0:
-				newState = TCPStateClosing
-			case flags&TCPAck != 0:
-				newState = TCPStateFinWait2
-			}
-		}
+// nextState returns the target TCP state for the given current state and
+// packet, or 0 if the packet does not trigger a transition.
+func nextState(currentState TCPState, connDir, packetDir nftypes.Direction, flags uint8) TCPState {
+	fn, ok := stateTable[currentState]
+	if !ok {
+		return 0
+	}
+	return fn(flags, connDir, packetDir == connDir)
+}
 
-	case TCPStateFinWait2:
-		if flags&TCPFin != 0 {
-			newState = TCPStateTimeWait
+func transNew(flags uint8, connDir nftypes.Direction, _ bool) TCPState {
+	if flags&TCPSyn != 0 && flags&TCPAck == 0 {
+		if connDir == nftypes.Egress {
+			return TCPStateSynSent
 		}
+		return TCPStateSynReceived
+	}
+	return 0
+}
 
-	case TCPStateClosing:
-		if flags&TCPAck != 0 {
-			newState = TCPStateTimeWait
+func transSynSent(flags uint8, _ nftypes.Direction, same bool) TCPState {
+	if flags&TCPSyn != 0 && flags&TCPAck != 0 {
+		if same {
+			return TCPStateSynReceived // simultaneous open
 		}
+		return TCPStateEstablished
+	}
+	return 0
+}
 
-	case TCPStateCloseWait:
-		if flags&TCPFin != 0 {
-			newState = TCPStateLastAck
-		}
+func transSynReceived(flags uint8, _ nftypes.Direction, same bool) TCPState {
+	if flags&TCPAck != 0 && flags&TCPSyn == 0 && same {
+		return TCPStateEstablished
+	}
+	return 0
+}
 
-	case TCPStateLastAck:
-		if flags&TCPAck != 0 {
-			newState = TCPStateClosed
-		}
+func transEstablished(flags uint8, _ nftypes.Direction, same bool) TCPState {
+	if flags&TCPFin == 0 {
+		return 0
+	}
+	if same {
+		return TCPStateFinWait1
+	}
+	return TCPStateCloseWait
+}
+
+// transFinWait1 handles the active-close peer response. A FIN carrying our
+// ACK piggybacked goes straight to TIME-WAIT (RFC 9293 §3.10.7.4, FIN-WAIT-1:
+// "if our FIN has been ACKed... enter the TIME-WAIT state"); a lone FIN moves
+// to CLOSING; a pure ACK of our FIN moves to FIN-WAIT-2.
+func transFinWait1(flags uint8, _ nftypes.Direction, same bool) TCPState {
+	if same {
+		return 0
+	}
+	if flags&TCPFin != 0 && flags&TCPAck != 0 {
+		return TCPStateTimeWait
+	}
+	switch {
+	case flags&TCPFin != 0:
+		return TCPStateClosing
+	case flags&TCPAck != 0:
+		return TCPStateFinWait2
+	}
+	return 0
+}
+
+// transFinWait2 ignores own-side FIN retransmits; only the peer's FIN advances.
+func transFinWait2(flags uint8, _ nftypes.Direction, same bool) TCPState {
+	if flags&TCPFin != 0 && !same {
+		return TCPStateTimeWait
+	}
+	return 0
+}
+
+// transClosing completes a simultaneous close on the peer's ACK.
+func transClosing(flags uint8, _ nftypes.Direction, same bool) TCPState {
+	if flags&TCPAck != 0 && !same {
+		return TCPStateTimeWait
+	}
+	return 0
+}
+
+// transCloseWait only advances to LastAck when WE send FIN, ignoring peer retransmits.
+func transCloseWait(flags uint8, _ nftypes.Direction, same bool) TCPState {
+	if flags&TCPFin != 0 && same {
+		return TCPStateLastAck
+	}
+	return 0
+}
+
+// transLastAck closes the flow only on the peer's ACK (not our own ACK retransmits).
+func transLastAck(flags uint8, _ nftypes.Direction, same bool) TCPState {
+	if flags&TCPAck != 0 && !same {
+		return TCPStateClosed
+	}
+	return 0
+}
+
+// onTransition handles logging and flow-event emission after a successful
+// state transition. TimeWait and Closed are terminal for flow accounting.
+func (t *TCPTracker) onTransition(key ConnKey, conn *TCPConnTrack, from, to TCPState, packetDir nftypes.Direction) {
+	traceOn := t.logger.Enabled(nblog.LevelTrace)
+	if traceOn {
+		t.logger.Trace4("TCP connection %s transitioned from %s to %s (dir: %s)", key, from, to, packetDir)
 	}
 
-	if newState != 0 && conn.CompareAndSwapState(currentState, newState) {
-		t.logger.Trace4("TCP connection %s transitioned from %s to %s (dir: %s)", key, currentState, newState, packetDir)
-
-		switch newState {
-		case TCPStateTimeWait:
+	switch to {
+	case TCPStateTimeWait:
+		if traceOn {
 			t.logger.Trace5("TCP connection %s completed [in: %d Pkts/%d B, out: %d Pkts/%d B]",
 				key, conn.PacketsRx.Load(), conn.BytesRx.Load(), conn.PacketsTx.Load(), conn.BytesTx.Load())
-			t.sendEvent(nftypes.TypeEnd, conn, nil)
-
-		case TCPStateClosed:
-			conn.SetTombstone()
+		}
+		t.sendEvent(nftypes.TypeEnd, conn, nil)
+	case TCPStateClosed:
+		conn.SetTombstone()
+		if traceOn {
 			t.logger.Trace5("TCP connection %s closed gracefully [in: %d Pkts/%d, B out: %d Pkts/%d B]",
 				key, conn.PacketsRx.Load(), conn.BytesRx.Load(), conn.PacketsTx.Load(), conn.BytesTx.Load())
-			t.sendEvent(nftypes.TypeEnd, conn, nil)
 		}
+		t.sendEvent(nftypes.TypeEnd, conn, nil)
 	}
 }
 
-// isValidStateForFlags checks if the TCP flags are valid for the current connection state
+// isValidStateForFlags checks if the TCP flags are valid for the current
+// connection state. Caller must have already verified the flag combination is
+// legal via isValidFlagCombination.
 func (t *TCPTracker) isValidStateForFlags(state TCPState, flags uint8) bool {
-	if !isValidFlagCombination(flags) {
-		return false
-	}
 	if flags&TCPRst != 0 {
 		if state == TCPStateSynSent {
 			return flags&TCPAck != 0
@@ -449,15 +628,24 @@ func (t *TCPTracker) cleanup() {
 			timeout = t.waitTimeout
 		case TCPStateEstablished:
 			timeout = t.timeout
+		case TCPStateFinWait1, TCPStateFinWait2, TCPStateClosing:
+			timeout = t.finWaitTimeout
+		case TCPStateCloseWait:
+			timeout = t.closeWaitTimeout
+		case TCPStateLastAck:
+			timeout = t.lastAckTimeout
 		default:
+			// SynSent / SynReceived / New
 			timeout = TCPHandshakeTimeout
 		}
 
 		if conn.timeoutExceeded(timeout) {
 			delete(t.connections, key)
 
-			t.logger.Trace6("Cleaned up timed-out TCP connection %s (%s) [in: %d Pkts/%d, B out: %d Pkts/%d B]",
-				key, conn.GetState(), conn.PacketsRx.Load(), conn.BytesRx.Load(), conn.PacketsTx.Load(), conn.BytesTx.Load())
+			if t.logger.Enabled(nblog.LevelTrace) {
+				t.logger.Trace6("Cleaned up timed-out TCP connection %s (%s) [in: %d Pkts/%d, B out: %d Pkts/%d B]",
+					key, conn.GetState(), conn.PacketsRx.Load(), conn.BytesRx.Load(), conn.PacketsTx.Load(), conn.BytesTx.Load())
+			}
 
 			// event already handled by state change
 			if currentState != TCPStateTimeWait {

client/firewall/uspfilter/conntrack/tcp_rst_bugs_test.go

@@ -0,0 +1,100 @@
+package conntrack
+
+import (
+	"net/netip"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+// RST hygiene tests: the tracker currently closes the flow on any RST that
+// matches the 4-tuple, regardless of direction or state. These tests cover
+// the minimum checks we want (no SEQ tracking).
+
+func TestTCPRstInSynSentWrongDirection(t *testing.T) {
+	tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
+	defer tracker.Close()
+
+	srcIP := netip.MustParseAddr("100.64.0.1")
+	dstIP := netip.MustParseAddr("100.64.0.2")
+	srcPort := uint16(12345)
+	dstPort := uint16(80)
+	key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
+
+	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPSyn, 0)
+	conn := tracker.connections[key]
+	require.Equal(t, TCPStateSynSent, conn.GetState())
+
+	// A RST arriving in the same direction as the SYN (i.e. TrackOutbound)
+	// cannot be a legitimate response. It must not close the connection.
+	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPRst|TCPAck, 0)
+	require.Equal(t, TCPStateSynSent, conn.GetState(),
+		"RST in same direction as SYN must not close connection")
+	require.False(t, conn.IsTombstone())
+}
+
+func TestTCPRstInTimeWaitIgnored(t *testing.T) {
+	tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
+	defer tracker.Close()
+
+	srcIP := netip.MustParseAddr("100.64.0.1")
+	dstIP := netip.MustParseAddr("100.64.0.2")
+	srcPort := uint16(12345)
+	dstPort := uint16(80)
+	key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
+
+	// Drive to TIME-WAIT via active close.
+	establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
+	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
+	require.True(t, tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0))
+	require.True(t, tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0))
+	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
+
+	conn := tracker.connections[key]
+	require.Equal(t, TCPStateTimeWait, conn.GetState())
+	require.False(t, conn.IsTombstone(), "TIME-WAIT must not be tombstoned")
+
+	// Late RST during TIME-WAIT must not tombstone the entry (TIME-WAIT
+	// exists to absorb late segments).
+	tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPRst, 0)
+	require.Equal(t, TCPStateTimeWait, conn.GetState(),
+		"RST in TIME-WAIT must not transition state")
+	require.False(t, conn.IsTombstone(),
+		"RST in TIME-WAIT must not tombstone the entry")
+}
+
+func TestTCPIllegalFlagCombos(t *testing.T) {
+	tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
+	defer tracker.Close()
+
+	srcIP := netip.MustParseAddr("100.64.0.1")
+	dstIP := netip.MustParseAddr("100.64.0.2")
+	srcPort := uint16(12345)
+	dstPort := uint16(80)
+	key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
+
+	establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
+	conn := tracker.connections[key]
+
+	// Illegal combos must be rejected and must not change state.
+	combos := []struct {
+		name  string
+		flags uint8
+	}{
+		{"SYN+RST", TCPSyn | TCPRst},
+		{"FIN+RST", TCPFin | TCPRst},
+		{"SYN+FIN", TCPSyn | TCPFin},
+		{"SYN+FIN+RST", TCPSyn | TCPFin | TCPRst},
+	}
+
+	for _, c := range combos {
+		t.Run(c.name, func(t *testing.T) {
+			before := conn.GetState()
+			valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, c.flags, 0)
+			require.False(t, valid, "illegal flag combo must be rejected: %s", c.name)
+			require.Equal(t, before, conn.GetState(),
+				"illegal flag combo must not change state")
+			require.False(t, conn.IsTombstone())
+		})
+	}
+}

client/firewall/uspfilter/conntrack/tcp_state_bugs_test.go

@@ -0,0 +1,235 @@
+package conntrack
+
+import (
+	"net/netip"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+)
+
+// These tests exercise cases where the TCP state machine currently advances
+// on retransmitted or wrong-direction segments and tears the flow down
+// prematurely. They are expected to fail until the direction checks are added.
+
+func TestTCPCloseWaitRetransmittedPeerFIN(t *testing.T) {
+	tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
+	defer tracker.Close()
+
+	srcIP := netip.MustParseAddr("100.64.0.1")
+	dstIP := netip.MustParseAddr("100.64.0.2")
+	srcPort := uint16(12345)
+	dstPort := uint16(80)
+	key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
+
+	establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
+
+	// Peer sends FIN -> CloseWait (our app has not yet closed).
+	valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
+	require.True(t, valid)
+	conn := tracker.connections[key]
+	require.Equal(t, TCPStateCloseWait, conn.GetState())
+
+	// Peer retransmits their FIN (ACK may have been delayed). We have NOT
+	// sent our FIN yet, so state must remain CloseWait.
+	valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
+	require.True(t, valid, "retransmitted peer FIN must still be accepted")
+	require.Equal(t, TCPStateCloseWait, conn.GetState(),
+		"retransmitted peer FIN must not advance CloseWait to LastAck")
+
+	// Our app finally closes -> LastAck.
+	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
+	require.Equal(t, TCPStateLastAck, conn.GetState())
+
+	// Peer ACK closes.
+	valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
+	require.True(t, valid)
+	require.Equal(t, TCPStateClosed, conn.GetState())
+}
+
+func TestTCPFinWait2RetransmittedOwnFIN(t *testing.T) {
+	tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
+	defer tracker.Close()
+
+	srcIP := netip.MustParseAddr("100.64.0.1")
+	dstIP := netip.MustParseAddr("100.64.0.2")
+	srcPort := uint16(12345)
+	dstPort := uint16(80)
+	key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
+
+	establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
+
+	// We initiate close.
+	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
+	valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
+	require.True(t, valid)
+	conn := tracker.connections[key]
+	require.Equal(t, TCPStateFinWait2, conn.GetState())
+
+	// Stray retransmit of our own FIN (same direction as originator) must
+	// NOT advance FinWait2 to TimeWait; only the peer's FIN should.
+	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
+	require.Equal(t, TCPStateFinWait2, conn.GetState(),
+		"own FIN retransmit must not advance FinWait2 to TimeWait")
+
+	// Peer FIN -> TimeWait.
+	valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
+	require.True(t, valid)
+	require.Equal(t, TCPStateTimeWait, conn.GetState())
+}
+
+func TestTCPLastAckDirectionCheck(t *testing.T) {
+	tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
+	defer tracker.Close()
+
+	srcIP := netip.MustParseAddr("100.64.0.1")
+	dstIP := netip.MustParseAddr("100.64.0.2")
+	srcPort := uint16(12345)
+	dstPort := uint16(80)
+	key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
+
+	establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
+
+	// Drive to LastAck: peer FIN -> CloseWait, our FIN -> LastAck.
+	require.True(t, tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0))
+	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
+	conn := tracker.connections[key]
+	require.Equal(t, TCPStateLastAck, conn.GetState())
+
+	// Our own ACK retransmit (same direction as originator) must NOT close.
+	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
+	require.Equal(t, TCPStateLastAck, conn.GetState(),
+		"own ACK retransmit in LastAck must not transition to Closed")
+
+	// Peer's ACK -> Closed.
+	require.True(t, tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0))
+	require.Equal(t, TCPStateClosed, conn.GetState())
+}
+
+func TestTCPFinWait1OwnAckDoesNotAdvance(t *testing.T) {
+	tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
+	defer tracker.Close()
+
+	srcIP := netip.MustParseAddr("100.64.0.1")
+	dstIP := netip.MustParseAddr("100.64.0.2")
+	srcPort := uint16(12345)
+	dstPort := uint16(80)
+	key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
+
+	establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
+
+	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
+	conn := tracker.connections[key]
+	require.Equal(t, TCPStateFinWait1, conn.GetState())
+
+	// Our own ACK retransmit (same direction as originator) must not advance.
+	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
+	require.Equal(t, TCPStateFinWait1, conn.GetState(),
+		"own ACK in FinWait1 must not advance to FinWait2")
+}
+
+func TestTCPPerStateTeardownTimeouts(t *testing.T) {
+	// Verify cleanup reaps entries in each teardown state at the configured
+	// per-state timeout, not at the single handshake timeout.
+	t.Setenv(EnvTCPFinWaitTimeout, "50ms")
+	t.Setenv(EnvTCPCloseWaitTimeout, "80ms")
+	t.Setenv(EnvTCPLastAckTimeout, "30ms")
+
+	dstIP := netip.MustParseAddr("100.64.0.2")
+	dstPort := uint16(80)
+
+	// Drives a connection to the target state, forces its lastSeen well
+	// beyond the configured timeout, runs cleanup, and asserts reaping.
+	cases := []struct {
+		name string
+		// drive takes a fresh tracker and returns the conn key after
+		// transitioning the flow into the intended teardown state.
+		drive func(t *testing.T, tr *TCPTracker, srcIP netip.Addr, srcPort uint16) (ConnKey, TCPState)
+	}{
+		{
+			name: "FinWait1",
+			drive: func(t *testing.T, tr *TCPTracker, srcIP netip.Addr, srcPort uint16) (ConnKey, TCPState) {
+				establishConnection(t, tr, srcIP, dstIP, srcPort, dstPort)
+				tr.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0) // → FinWait1
+				return ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}, TCPStateFinWait1
+			},
+		},
+		{
+			name: "FinWait2",
+			drive: func(t *testing.T, tr *TCPTracker, srcIP netip.Addr, srcPort uint16) (ConnKey, TCPState) {
+				establishConnection(t, tr, srcIP, dstIP, srcPort, dstPort)
+				tr.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)              // FinWait1
+				require.True(t, tr.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0))   // → FinWait2
+				return ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}, TCPStateFinWait2
+			},
+		},
+		{
+			name: "CloseWait",
+			drive: func(t *testing.T, tr *TCPTracker, srcIP netip.Addr, srcPort uint16) (ConnKey, TCPState) {
+				establishConnection(t, tr, srcIP, dstIP, srcPort, dstPort)
+				require.True(t, tr.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)) // → CloseWait
+				return ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}, TCPStateCloseWait
+			},
+		},
+		{
+			name: "LastAck",
+			drive: func(t *testing.T, tr *TCPTracker, srcIP netip.Addr, srcPort uint16) (ConnKey, TCPState) {
+				establishConnection(t, tr, srcIP, dstIP, srcPort, dstPort)
+				require.True(t, tr.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)) // CloseWait
+				tr.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)                   // → LastAck
+				return ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}, TCPStateLastAck
+			},
+		},
+	}
+
+	// Use a unique source port per subtest so nothing aliases.
+	port := uint16(12345)
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
+			defer tracker.Close()
+
+			require.Equal(t, 50*time.Millisecond, tracker.finWaitTimeout)
+			require.Equal(t, 80*time.Millisecond, tracker.closeWaitTimeout)
+			require.Equal(t, 30*time.Millisecond, tracker.lastAckTimeout)
+
+			srcIP := netip.MustParseAddr("100.64.0.1")
+			port++
+			key, wantState := c.drive(t, tracker, srcIP, port)
+			conn := tracker.connections[key]
+			require.NotNil(t, conn)
+			require.Equal(t, wantState, conn.GetState())
+
+			// Age the entry past the largest per-state timeout.
+			conn.lastSeen.Store(time.Now().Add(-500 * time.Millisecond).UnixNano())
+			tracker.cleanup()
+			_, exists := tracker.connections[key]
+			require.False(t, exists, "%s entry should be reaped", c.name)
+		})
+	}
+}
+
+func TestTCPEstablishedPSHACKInFinStates(t *testing.T) {
+	// Verifies FIN|PSH|ACK and bare ACK keepalives are not dropped in FIN
+	// teardown states, which some stacks emit during close.
+	tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
+	defer tracker.Close()
+
+	srcIP := netip.MustParseAddr("100.64.0.1")
+	dstIP := netip.MustParseAddr("100.64.0.2")
+	srcPort := uint16(12345)
+	dstPort := uint16(80)
+
+	establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
+
+	// Peer FIN -> CloseWait.
+	require.True(t, tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0))
+
+	// Peer pushes trailing data + FIN|PSH|ACK (legal).
+	require.True(t, tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPPush|TCPAck, 100),
+		"FIN|PSH|ACK in CloseWait must be accepted")
+
+	// Bare ACK keepalive from peer in CloseWait must be accepted.
+	require.True(t, tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0),
+		"bare ACK in CloseWait must be accepted")
+}

client/firewall/uspfilter/conntrack/udp.go

@@ -17,6 +17,9 @@ const (
 	DefaultUDPTimeout = 30 * time.Second
 	// UDPCleanupInterval is how often we check for stale connections
 	UDPCleanupInterval = 15 * time.Second
+
+	// EnvUDPMaxEntries caps the UDP conntrack table size.
+	EnvUDPMaxEntries = "NB_CONNTRACK_UDP_MAX"
 )
 
 // UDPConnTrack represents a UDP connection state
@@ -34,6 +37,7 @@ type UDPTracker struct {
 	cleanupTicker *time.Ticker
 	tickerCancel  context.CancelFunc
 	mutex         sync.RWMutex
+	maxEntries    int
 	flowLogger    nftypes.FlowLogger
 }
 
@@ -51,6 +55,7 @@ func NewUDPTracker(timeout time.Duration, logger *nblog.Logger, flowLogger nftyp
 		timeout:       timeout,
 		cleanupTicker: time.NewTicker(UDPCleanupInterval),
 		tickerCancel:  cancel,
+		maxEntries:    envInt(logger, EnvUDPMaxEntries, DefaultMaxUDPEntries),
 		flowLogger:    flowLogger,
 	}
 
@@ -117,13 +122,18 @@ func (t *UDPTracker) track(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, d
 	conn.UpdateCounters(direction, size)
 
 	t.mutex.Lock()
+	if t.maxEntries > 0 && len(t.connections) >= t.maxEntries {
+		t.evictOneLocked()
+	}
 	t.connections[key] = conn
 	t.mutex.Unlock()
 
-	if origPort != 0 {
-		t.logger.Trace4("New %s UDP connection: %s (port DNAT %d -> %d)", direction, key, origPort, dstPort)
-	} else {
-		t.logger.Trace2("New %s UDP connection: %s", direction, key)
+	if t.logger.Enabled(nblog.LevelTrace) {
+		if origPort != 0 {
+			t.logger.Trace4("New %s UDP connection: %s (port DNAT %d -> %d)", direction, key, origPort, dstPort)
+		} else {
+			t.logger.Trace2("New %s UDP connection: %s", direction, key)
+		}
 	}
 	t.sendEvent(nftypes.TypeStart, conn, ruleID)
 }
@@ -151,6 +161,34 @@ func (t *UDPTracker) IsValidInbound(srcIP netip.Addr, dstIP netip.Addr, srcPort
 	return true
 }
 
+// evictOneLocked removes one entry to make room. Caller must hold t.mutex.
+// Bounded sample: picks the oldest among up to evictSampleSize entries.
+func (t *UDPTracker) evictOneLocked() {
+	var candKey ConnKey
+	var candSeen int64
+	haveCand := false
+	sampled := 0
+
+	for k, c := range t.connections {
+		seen := c.lastSeen.Load()
+		if !haveCand || seen < candSeen {
+			candKey = k
+			candSeen = seen
+			haveCand = true
+		}
+		sampled++
+		if sampled >= evictSampleSize {
+			break
+		}
+	}
+	if haveCand {
+		if evicted := t.connections[candKey]; evicted != nil {
+			t.sendEvent(nftypes.TypeEnd, evicted, nil)
+		}
+		delete(t.connections, candKey)
+	}
+}
+
 // cleanupRoutine periodically removes stale connections
 func (t *UDPTracker) cleanupRoutine(ctx context.Context) {
 	defer t.cleanupTicker.Stop()
@@ -173,8 +211,10 @@ func (t *UDPTracker) cleanup() {
 		if conn.timeoutExceeded(t.timeout) {
 			delete(t.connections, key)
 
-			t.logger.Trace5("Removed UDP connection %s (timeout) [in: %d Pkts/%d B, out: %d Pkts/%d B]",
-				key, conn.PacketsRx.Load(), conn.BytesRx.Load(), conn.PacketsTx.Load(), conn.BytesTx.Load())
+			if t.logger.Enabled(nblog.LevelTrace) {
+				t.logger.Trace5("Removed UDP connection %s (timeout) [in: %d Pkts/%d B, out: %d Pkts/%d B]",
+					key, conn.PacketsRx.Load(), conn.BytesRx.Load(), conn.PacketsTx.Load(), conn.BytesTx.Load())
+			}
 			t.sendEvent(nftypes.TypeEnd, conn, nil)
 		}
 	}

client/firewall/uspfilter/filter.go

@@ -142,15 +142,8 @@ type Manager struct {
 	mssClampEnabled bool
 
 	// Only one hook per protocol is supported. Outbound direction only.
-	udpHookOut atomic.Pointer[packetHook]
-	tcpHookOut atomic.Pointer[packetHook]
-}
-
-// packetHook stores a registered hook for a specific IP:port.
-type packetHook struct {
-	ip   netip.Addr
-	port uint16
-	fn   func([]byte) bool
+	udpHookOut atomic.Pointer[common.PacketHook]
+	tcpHookOut atomic.Pointer[common.PacketHook]
 }
 
 // decoder for packages
@@ -641,45 +634,6 @@ func (m *Manager) SetupEBPFProxyNoTrack(proxyPort, wgPort uint16) error {
 	return m.nativeFirewall.SetupEBPFProxyNoTrack(proxyPort, wgPort)
 }
 
-// AddTProxyRule delegates to the native firewall for TPROXY rules.
-// In userspace mode (no native firewall), this is a no-op since the
-// forwarder intercepts traffic directly.
-func (m *Manager) AddTProxyRule(ruleID string, sources []netip.Prefix, dstPorts []uint16, redirectPort uint16) error {
-	if m.nativeFirewall == nil {
-		return nil
-	}
-	return m.nativeFirewall.AddTProxyRule(ruleID, sources, dstPorts, redirectPort)
-}
-
-// AddUDPInspectionHook registers a hook for QUIC/UDP inspection via the packet filter.
-func (m *Manager) AddUDPInspectionHook(dstPort uint16, hook func(packet []byte) bool) string {
-	m.SetUDPPacketHook(netip.Addr{}, dstPort, hook)
-	return "udp-inspection"
-}
-
-// RemoveUDPInspectionHook removes a previously registered inspection hook.
-func (m *Manager) RemoveUDPInspectionHook(_ string) {
-	m.SetUDPPacketHook(netip.Addr{}, 0, nil)
-}
-
-// RemoveTProxyRule delegates to the native firewall for TPROXY rules.
-func (m *Manager) RemoveTProxyRule(ruleID string) error {
-	if m.nativeFirewall == nil {
-		return nil
-	}
-	return m.nativeFirewall.RemoveTProxyRule(ruleID)
-}
-
-// IsLocalIP reports whether the given IP belongs to the local machine.
-func (m *Manager) IsLocalIP(ip netip.Addr) bool {
-	return m.localipmanager.IsLocalIP(ip)
-}
-
-// GetForwarder returns the userspace packet forwarder, or nil if not initialized.
-func (m *Manager) GetForwarder() *forwarder.Forwarder {
-	return m.forwarder.Load()
-}
-
 // UpdateSet updates the rule destinations associated with the given set
 // by merging the existing prefixes with the new ones, then deduplicating.
 func (m *Manager) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
@@ -755,7 +709,9 @@ func (m *Manager) filterOutbound(packetData []byte, size int) bool {
 
 	srcIP, dstIP := m.extractIPs(d)
 	if !srcIP.IsValid() {
-		m.logger.Error1("Unknown network layer: %v", d.decoded[0])
+		if m.logger.Enabled(nblog.LevelError) {
+			m.logger.Error1("Unknown network layer: %v", d.decoded[0])
+		}
 		return false
 	}
 
@@ -854,7 +810,9 @@ func (m *Manager) clampTCPMSS(packetData []byte, d *decoder) bool {
 		return false
 	}
 
-	m.logger.Trace2("Clamped TCP MSS from %d to %d", currentMSS, m.mssClampValue)
+	if m.logger.Enabled(nblog.LevelTrace) {
+		m.logger.Trace2("Clamped TCP MSS from %d to %d", currentMSS, m.mssClampValue)
+	}
 	return true
 }
 
@@ -951,21 +909,11 @@ func (m *Manager) trackInbound(d *decoder, srcIP, dstIP netip.Addr, ruleID []byt
 }
 
 func (m *Manager) udpHooksDrop(dport uint16, dstIP netip.Addr, packetData []byte) bool {
-	return hookMatches(m.udpHookOut.Load(), dstIP, dport, packetData)
+	return common.HookMatches(m.udpHookOut.Load(), dstIP, dport, packetData)
 }
 
 func (m *Manager) tcpHooksDrop(dport uint16, dstIP netip.Addr, packetData []byte) bool {
-	return hookMatches(m.tcpHookOut.Load(), dstIP, dport, packetData)
-}
-
-func hookMatches(h *packetHook, dstIP netip.Addr, dport uint16, packetData []byte) bool {
-	if h == nil {
-		return false
-	}
-	if h.ip == dstIP && h.port == dport {
-		return h.fn(packetData)
-	}
-	return false
+	return common.HookMatches(m.tcpHookOut.Load(), dstIP, dport, packetData)
 }
 
 // filterInbound implements filtering logic for incoming packets.
@@ -987,8 +935,10 @@ func (m *Manager) filterInbound(packetData []byte, size int) bool {
 
 	// TODO: pass fragments of routed packets to forwarder
 	if fragment {
-		m.logger.Trace4("packet is a fragment: src=%v dst=%v id=%v flags=%v",
-			srcIP, dstIP, d.ip4.Id, d.ip4.Flags)
+		if m.logger.Enabled(nblog.LevelTrace) {
+			m.logger.Trace4("packet is a fragment: src=%v dst=%v id=%v flags=%v",
+				srcIP, dstIP, d.ip4.Id, d.ip4.Flags)
+		}
 		return false
 	}
 
@@ -1030,8 +980,10 @@ func (m *Manager) handleLocalTraffic(d *decoder, srcIP, dstIP netip.Addr, packet
 		pnum := getProtocolFromPacket(d)
 		srcPort, dstPort := getPortsFromPacket(d)
 
-		m.logger.Trace6("Dropping local packet (ACL denied): rule_id=%s proto=%v src=%s:%d dst=%s:%d",
-			ruleID, pnum, srcIP, srcPort, dstIP, dstPort)
+		if m.logger.Enabled(nblog.LevelTrace) {
+			m.logger.Trace6("Dropping local packet (ACL denied): rule_id=%s proto=%v src=%s:%d dst=%s:%d",
+				ruleID, pnum, srcIP, srcPort, dstIP, dstPort)
+		}
 
 		m.flowLogger.StoreEvent(nftypes.EventFields{
 			FlowID:     uuid.New(),
@@ -1081,8 +1033,10 @@ func (m *Manager) handleForwardedLocalTraffic(packetData []byte) bool {
 func (m *Manager) handleRoutedTraffic(d *decoder, srcIP, dstIP netip.Addr, packetData []byte, size int) bool {
 	// Drop if routing is disabled
 	if !m.routingEnabled.Load() {
-		m.logger.Trace2("Dropping routed packet (routing disabled): src=%s dst=%s",
-			srcIP, dstIP)
+		if m.logger.Enabled(nblog.LevelTrace) {
+			m.logger.Trace2("Dropping routed packet (routing disabled): src=%s dst=%s",
+				srcIP, dstIP)
+		}
 		return true
 	}
 
@@ -1099,8 +1053,10 @@ func (m *Manager) handleRoutedTraffic(d *decoder, srcIP, dstIP netip.Addr, packe
 	if !pass {
 		proto := getProtocolFromPacket(d)
 
-		m.logger.Trace6("Dropping routed packet (ACL denied): rule_id=%s proto=%v src=%s:%d dst=%s:%d",
-			ruleID, proto, srcIP, srcPort, dstIP, dstPort)
+		if m.logger.Enabled(nblog.LevelTrace) {
+			m.logger.Trace6("Dropping routed packet (ACL denied): rule_id=%s proto=%v src=%s:%d dst=%s:%d",
+				ruleID, proto, srcIP, srcPort, dstIP, dstPort)
+		}
 
 		m.flowLogger.StoreEvent(nftypes.EventFields{
 			FlowID:     uuid.New(),
@@ -1182,7 +1138,9 @@ func getPortsFromPacket(d *decoder) (srcPort, dstPort uint16) {
 // It returns true, true if the packet is a fragment and valid.
 func (m *Manager) isValidPacket(d *decoder, packetData []byte) (bool, bool) {
 	if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
-		m.logger.Trace1("couldn't decode packet, err: %s", err)
+		if m.logger.Enabled(nblog.LevelTrace) {
+			m.logger.Trace1("couldn't decode packet, err: %s", err)
+		}
 		return false, false
 	}
 
@@ -1376,28 +1334,12 @@ func (m *Manager) ruleMatches(rule *RouteRule, srcAddr, dstAddr netip.Addr, prot
 
 // SetUDPPacketHook sets the outbound UDP packet hook. Pass nil hook to remove.
 func (m *Manager) SetUDPPacketHook(ip netip.Addr, dPort uint16, hook func(packet []byte) bool) {
-	if hook == nil {
-		m.udpHookOut.Store(nil)
-		return
-	}
-	m.udpHookOut.Store(&packetHook{
-		ip:   ip,
-		port: dPort,
-		fn:   hook,
-	})
+	common.SetHook(&m.udpHookOut, ip, dPort, hook)
 }
 
 // SetTCPPacketHook sets the outbound TCP packet hook. Pass nil hook to remove.
 func (m *Manager) SetTCPPacketHook(ip netip.Addr, dPort uint16, hook func(packet []byte) bool) {
-	if hook == nil {
-		m.tcpHookOut.Store(nil)
-		return
-	}
-	m.tcpHookOut.Store(&packetHook{
-		ip:   ip,
-		port: dPort,
-		fn:   hook,
-	})
+	common.SetHook(&m.tcpHookOut, ip, dPort, hook)
 }
 
 // SetLogLevel sets the log level for the firewall manager

client/firewall/uspfilter/filter_test.go

@@ -202,9 +202,9 @@ func TestSetUDPPacketHook(t *testing.T) {
 
 	h := manager.udpHookOut.Load()
 	require.NotNil(t, h)
-	assert.Equal(t, netip.MustParseAddr("10.168.0.1"), h.ip)
-	assert.Equal(t, uint16(8000), h.port)
-	assert.True(t, h.fn(nil))
+	assert.Equal(t, netip.MustParseAddr("10.168.0.1"), h.IP)
+	assert.Equal(t, uint16(8000), h.Port)
+	assert.True(t, h.Fn(nil))
 	assert.True(t, called)
 
 	manager.SetUDPPacketHook(netip.MustParseAddr("10.168.0.1"), 8000, nil)
@@ -226,9 +226,9 @@ func TestSetTCPPacketHook(t *testing.T) {
 
 	h := manager.tcpHookOut.Load()
 	require.NotNil(t, h)
-	assert.Equal(t, netip.MustParseAddr("10.168.0.1"), h.ip)
-	assert.Equal(t, uint16(53), h.port)
-	assert.True(t, h.fn(nil))
+	assert.Equal(t, netip.MustParseAddr("10.168.0.1"), h.IP)
+	assert.Equal(t, uint16(53), h.Port)
+	assert.True(t, h.Fn(nil))
 	assert.True(t, called)
 
 	manager.SetTCPPacketHook(netip.MustParseAddr("10.168.0.1"), 53, nil)

client/firewall/uspfilter/forwarder/forwarder.go

@@ -7,7 +7,6 @@ import (
 	"net/netip"
 	"runtime"
 	"sync"
-	"sync/atomic"
 	"time"
 
 	log "github.com/sirupsen/logrus"
@@ -22,7 +21,6 @@ import (
 
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/common"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/conntrack"
-	"github.com/netbirdio/netbird/client/inspect"
 	nblog "github.com/netbirdio/netbird/client/firewall/uspfilter/log"
 	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
 )
@@ -48,10 +46,6 @@ type Forwarder struct {
 	netstack         bool
 	hasRawICMPAccess bool
 	pingSemaphore    chan struct{}
-	// proxy is the optional inspection engine.
-	// When set, TCP connections are handed to the engine for protocol detection
-	// and rule evaluation. Swapped atomically for lock-free hot-path access.
-	proxy atomic.Pointer[inspect.Proxy]
 }
 
 func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.FlowLogger, netstack bool, mtu uint16) (*Forwarder, error) {
@@ -85,7 +79,7 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 	}
 
 	if err := s.AddProtocolAddress(nicID, protoAddr, stack.AddressProperties{}); err != nil {
-		return nil, fmt.Errorf("add protocol address: %s", err)
+		return nil, fmt.Errorf("failed to add protocol address: %s", err)
 	}
 
 	defaultSubnet, err := tcpip.NewSubnet(
@@ -161,13 +155,6 @@ func (f *Forwarder) InjectIncomingPacket(payload []byte) error {
 	return nil
 }
 
-// SetProxy sets the inspection engine. When set, TCP connections are handed
-// to it for protocol detection and rule evaluation instead of direct relay.
-// Pass nil to disable inspection.
-func (f *Forwarder) SetProxy(p *inspect.Proxy) {
-	f.proxy.Store(p)
-}
-
 // Stop gracefully shuts down the forwarder
 func (f *Forwarder) Stop() {
 	f.cancel()
@@ -180,25 +167,6 @@ func (f *Forwarder) Stop() {
 	f.stack.Wait()
 }
 
-// CheckUDPPacket inspects a UDP payload against proxy rules before injection.
-// This is called by the filter for QUIC SNI-based blocking.
-// Returns true if the packet should be allowed, false if it should be dropped.
-func (f *Forwarder) CheckUDPPacket(payload []byte, srcIP, dstIP netip.Addr, srcPort, dstPort uint16, ruleID []byte) bool {
-	p := f.proxy.Load()
-	if p == nil {
-		return true
-	}
-
-	dst := netip.AddrPortFrom(dstIP, dstPort)
-	src := inspect.SourceInfo{
-		IP:       srcIP,
-		PolicyID: inspect.PolicyID(ruleID),
-	}
-
-	action := p.HandleUDPPacket(payload, dst, src)
-	return action != inspect.ActionBlock
-}
-
 func (f *Forwarder) determineDialAddr(addr tcpip.Address) net.IP {
 	if f.netstack && f.ip.Equal(addr) {
 		return net.IPv4(127, 0, 0, 1)

client/firewall/uspfilter/forwarder/icmp.go

@@ -13,6 +13,7 @@ import (
 	"gvisor.dev/gvisor/pkg/tcpip/header"
 	"gvisor.dev/gvisor/pkg/tcpip/stack"
 
+	nblog "github.com/netbirdio/netbird/client/firewall/uspfilter/log"
 	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
 )
 
@@ -92,8 +93,10 @@ func (f *Forwarder) forwardICMPPacket(id stack.TransportEndpointID, payload []by
 		return nil, fmt.Errorf("write ICMP packet: %w", err)
 	}
 
-	f.logger.Trace3("forwarder: Forwarded ICMP packet %v type %v code %v",
-		epID(id), icmpType, icmpCode)
+	if f.logger.Enabled(nblog.LevelTrace) {
+		f.logger.Trace3("forwarder: Forwarded ICMP packet %v type %v code %v",
+			epID(id), icmpType, icmpCode)
+	}
 
 	return conn, nil
 }
@@ -116,8 +119,10 @@ func (f *Forwarder) handleICMPViaSocket(flowID uuid.UUID, id stack.TransportEndp
 	txBytes := f.handleEchoResponse(conn, id)
 	rtt := time.Since(sendTime).Round(10 * time.Microsecond)
 
-	f.logger.Trace4("forwarder: Forwarded ICMP echo reply %v type %v code %v (rtt=%v, raw socket)",
-		epID(id), icmpType, icmpCode, rtt)
+	if f.logger.Enabled(nblog.LevelTrace) {
+		f.logger.Trace4("forwarder: Forwarded ICMP echo reply %v type %v code %v (rtt=%v, raw socket)",
+			epID(id), icmpType, icmpCode, rtt)
+	}
 
 	f.sendICMPEvent(nftypes.TypeEnd, flowID, id, icmpType, icmpCode, uint64(rxBytes), uint64(txBytes))
 }
@@ -198,13 +203,17 @@ func (f *Forwarder) handleICMPViaPing(flowID uuid.UUID, id stack.TransportEndpoi
 	}
 	rtt := time.Since(pingStart).Round(10 * time.Microsecond)
 
-	f.logger.Trace3("forwarder: Forwarded ICMP echo request %v type %v code %v",
-		epID(id), icmpType, icmpCode)
+	if f.logger.Enabled(nblog.LevelTrace) {
+		f.logger.Trace3("forwarder: Forwarded ICMP echo request %v type %v code %v",
+			epID(id), icmpType, icmpCode)
+	}
 
 	txBytes := f.synthesizeEchoReply(id, icmpData)
 
-	f.logger.Trace4("forwarder: Forwarded ICMP echo reply %v type %v code %v (rtt=%v, ping binary)",
-		epID(id), icmpType, icmpCode, rtt)
+	if f.logger.Enabled(nblog.LevelTrace) {
+		f.logger.Trace4("forwarder: Forwarded ICMP echo reply %v type %v code %v (rtt=%v, ping binary)",
+			epID(id), icmpType, icmpCode, rtt)
+	}
 
 	f.sendICMPEvent(nftypes.TypeEnd, flowID, id, icmpType, icmpCode, uint64(rxBytes), uint64(txBytes))
 }

client/firewall/uspfilter/forwarder/tcp.go

@@ -1,12 +1,9 @@
 package forwarder
 
 import (
-	"context"
 	"fmt"
-	"io"
 	"net"
 	"net/netip"
-	"sync"
 
 	"github.com/google/uuid"
 
@@ -16,94 +13,15 @@ import (
 	"gvisor.dev/gvisor/pkg/tcpip/transport/tcp"
 	"gvisor.dev/gvisor/pkg/waiter"
 
-	"github.com/netbirdio/netbird/client/inspect"
+	nblog "github.com/netbirdio/netbird/client/firewall/uspfilter/log"
 	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
+	"github.com/netbirdio/netbird/util/netrelay"
 )
 
 // handleTCP is called by the TCP forwarder for new connections.
 func (f *Forwarder) handleTCP(r *tcp.ForwarderRequest) {
 	id := r.ID()
 
-	// If the inspection engine is configured, accept the connection first and hand it off.
-	if p := f.proxy.Load(); p != nil {
-		f.handleTCPWithInspection(r, id, p)
-		return
-	}
-
-	f.handleTCPDirect(r, id)
-}
-
-// handleTCPWithInspection accepts the connection and hands it to the inspection
-// engine. For allow decisions, the forwarder does its own relay (passthrough).
-// For block/inspect, the engine handles everything internally.
-func (f *Forwarder) handleTCPWithInspection(r *tcp.ForwarderRequest, id stack.TransportEndpointID, p *inspect.Proxy) {
-	flowID := uuid.New()
-	f.sendTCPEvent(nftypes.TypeStart, flowID, id, 0, 0, 0, 0)
-
-	wq := waiter.Queue{}
-	ep, epErr := r.CreateEndpoint(&wq)
-	if epErr != nil {
-		f.logger.Error1("forwarder: create TCP endpoint for inspection: %v", epErr)
-		r.Complete(true)
-		f.sendTCPEvent(nftypes.TypeEnd, flowID, id, 0, 0, 0, 0)
-		return
-	}
-	r.Complete(false)
-
-	inConn := gonet.NewTCPConn(&wq, ep)
-
-	srcIP := netip.AddrFrom4(id.RemoteAddress.As4())
-	dstIP := netip.AddrFrom4(id.LocalAddress.As4())
-	dst := netip.AddrPortFrom(dstIP, id.LocalPort)
-
-	var policyID []byte
-	if ruleID, ok := f.getRuleID(srcIP, dstIP, id.RemotePort, id.LocalPort); ok {
-		policyID = ruleID
-	}
-
-	src := inspect.SourceInfo{
-		IP:       srcIP,
-		PolicyID: inspect.PolicyID(policyID),
-	}
-
-	f.logger.Trace1("forwarder: handing TCP %v to inspection engine", epID(id))
-
-	go func() {
-		result, err := p.InspectTCP(f.ctx, inConn, dst, src)
-		if err != nil && err != inspect.ErrBlocked {
-			f.logger.Debug2("forwarder: inspection error for %v: %v", epID(id), err)
-		}
-
-		// Passthrough: engine returned allow, forwarder does the relay.
-		if result.PassthroughConn != nil {
-			dialAddr := fmt.Sprintf("%s:%d", f.determineDialAddr(id.LocalAddress), id.LocalPort)
-			outConn, dialErr := (&net.Dialer{}).DialContext(f.ctx, "tcp", dialAddr)
-			if dialErr != nil {
-				f.logger.Trace2("forwarder: passthrough dial error for %v: %v", epID(id), dialErr)
-				if closeErr := result.PassthroughConn.Close(); closeErr != nil {
-					f.logger.Debug1("forwarder: close passthrough conn: %v", closeErr)
-				}
-				ep.Close()
-				f.sendTCPEvent(nftypes.TypeEnd, flowID, id, 0, 0, 0, 0)
-				return
-			}
-			f.proxyTCPPassthrough(id, result.PassthroughConn, outConn, ep, flowID)
-			return
-		}
-
-		// Engine handled it (block/inspect/HTTP). Capture stats and clean up.
-		var rxPackets, txPackets uint64
-		if tcpStats, ok := ep.Stats().(*tcp.Stats); ok {
-			rxPackets = tcpStats.SegmentsSent.Value()
-			txPackets = tcpStats.SegmentsReceived.Value()
-		}
-		ep.Close()
-		f.sendTCPEvent(nftypes.TypeEnd, flowID, id, 0, 0, rxPackets, txPackets)
-	}()
-}
-
-// handleTCPDirect handles TCP connections with direct relay (no proxy).
-func (f *Forwarder) handleTCPDirect(r *tcp.ForwarderRequest, id stack.TransportEndpointID) {
 	flowID := uuid.New()
 
 	f.sendTCPEvent(nftypes.TypeStart, flowID, id, 0, 0, 0, 0)
@@ -119,10 +37,13 @@ func (f *Forwarder) handleTCPDirect(r *tcp.ForwarderRequest, id stack.TransportE
 	outConn, err := (&net.Dialer{}).DialContext(f.ctx, "tcp", dialAddr)
 	if err != nil {
 		r.Complete(true)
-		f.logger.Trace2("forwarder: dial error for %v: %v", epID(id), err)
+		if f.logger.Enabled(nblog.LevelTrace) {
+			f.logger.Trace2("forwarder: dial error for %v: %v", epID(id), err)
+		}
 		return
 	}
 
+	// Create wait queue for blocking syscalls
 	wq := waiter.Queue{}
 
 	ep, epErr := r.CreateEndpoint(&wq)
@@ -135,68 +56,28 @@ func (f *Forwarder) handleTCPDirect(r *tcp.ForwarderRequest, id stack.TransportE
 		return
 	}
 
+	// Complete the handshake
 	r.Complete(false)
 
 	inConn := gonet.NewTCPConn(&wq, ep)
 
 	success = true
-	f.logger.Trace1("forwarder: established TCP connection %v", epID(id))
+	if f.logger.Enabled(nblog.LevelTrace) {
+		f.logger.Trace1("forwarder: established TCP connection %v", epID(id))
+	}
 
 	go f.proxyTCP(id, inConn, outConn, ep, flowID)
 }
 
 func (f *Forwarder) proxyTCP(id stack.TransportEndpointID, inConn *gonet.TCPConn, outConn net.Conn, ep tcpip.Endpoint, flowID uuid.UUID) {
+	// netrelay.Relay copies bidirectionally with proper half-close propagation
+	// and fully closes both conns before returning.
+	bytesFromInToOut, bytesFromOutToIn := netrelay.Relay(f.ctx, inConn, outConn, netrelay.Options{
+		Logger: f.logger,
+	})
 
-	ctx, cancel := context.WithCancel(f.ctx)
-	defer cancel()
-
-	go func() {
-		<-ctx.Done()
-		if err := inConn.Close(); err != nil && !isClosedError(err) {
-			f.logger.Debug1("forwarder: inConn close error: %v", err)
-		}
-		if err := outConn.Close(); err != nil && !isClosedError(err) {
-			f.logger.Debug1("forwarder: outConn close error: %v", err)
-		}
-
-		ep.Close()
-	}()
-
-	var wg sync.WaitGroup
-	wg.Add(2)
-
-	var (
-		bytesFromInToOut int64 // bytes from client to server (tx for client)
-		bytesFromOutToIn int64 // bytes from server to client (rx for client)
-		errInToOut       error
-		errOutToIn       error
-	)
-
-	go func() {
-		bytesFromInToOut, errInToOut = io.Copy(outConn, inConn)
-		cancel()
-		wg.Done()
-	}()
-
-	go func() {
-
-		bytesFromOutToIn, errOutToIn = io.Copy(inConn, outConn)
-		cancel()
-		wg.Done()
-	}()
-
-	wg.Wait()
-
-	if errInToOut != nil {
-		if !isClosedError(errInToOut) {
-			f.logger.Error2("proxyTCP: copy error (in → out) for %s: %v", epID(id), errInToOut)
-		}
-	}
-	if errOutToIn != nil {
-		if !isClosedError(errOutToIn) {
-			f.logger.Error2("proxyTCP: copy error (out → in) for %s: %v", epID(id), errOutToIn)
-		}
-	}
+	// Close the netstack endpoint after both conns are drained.
+	ep.Close()
 
 	var rxPackets, txPackets uint64
 	if tcpStats, ok := ep.Stats().(*tcp.Stats); ok {
@@ -205,71 +86,13 @@ func (f *Forwarder) proxyTCP(id stack.TransportEndpointID, inConn *gonet.TCPConn
 		txPackets = tcpStats.SegmentsReceived.Value()
 	}
 
-	f.logger.Trace5("forwarder: Removed TCP connection %s [in: %d Pkts/%d B, out: %d Pkts/%d B]", epID(id), rxPackets, bytesFromOutToIn, txPackets, bytesFromInToOut)
+	if f.logger.Enabled(nblog.LevelTrace) {
+		f.logger.Trace5("forwarder: Removed TCP connection %s [in: %d Pkts/%d B, out: %d Pkts/%d B]", epID(id), rxPackets, bytesFromOutToIn, txPackets, bytesFromInToOut)
+	}
 
 	f.sendTCPEvent(nftypes.TypeEnd, flowID, id, uint64(bytesFromOutToIn), uint64(bytesFromInToOut), rxPackets, txPackets)
 }
 
-// proxyTCPPassthrough relays traffic between a peeked inbound connection
-// (from the inspection engine passthrough) and the outbound connection.
-// It accepts net.Conn for inConn since the inspection engine wraps it in a peekConn.
-func (f *Forwarder) proxyTCPPassthrough(id stack.TransportEndpointID, inConn net.Conn, outConn net.Conn, ep tcpip.Endpoint, flowID uuid.UUID) {
-	ctx, cancel := context.WithCancel(f.ctx)
-	defer cancel()
-
-	go func() {
-		<-ctx.Done()
-		if err := inConn.Close(); err != nil && !isClosedError(err) {
-			f.logger.Debug1("forwarder: passthrough inConn close: %v", err)
-		}
-		if err := outConn.Close(); err != nil && !isClosedError(err) {
-			f.logger.Debug1("forwarder: passthrough outConn close: %v", err)
-		}
-		ep.Close()
-	}()
-
-	var wg sync.WaitGroup
-	wg.Add(2)
-
-	var (
-		bytesIn  int64
-		bytesOut int64
-		errIn    error
-		errOut   error
-	)
-
-	go func() {
-		bytesIn, errIn = io.Copy(outConn, inConn)
-		cancel()
-		wg.Done()
-	}()
-
-	go func() {
-		bytesOut, errOut = io.Copy(inConn, outConn)
-		cancel()
-		wg.Done()
-	}()
-
-	wg.Wait()
-
-	if errIn != nil && !isClosedError(errIn) {
-		f.logger.Error2("proxyTCPPassthrough: copy error (in→out) for %s: %v", epID(id), errIn)
-	}
-	if errOut != nil && !isClosedError(errOut) {
-		f.logger.Error2("proxyTCPPassthrough: copy error (out→in) for %s: %v", epID(id), errOut)
-	}
-
-	var rxPackets, txPackets uint64
-	if tcpStats, ok := ep.Stats().(*tcp.Stats); ok {
-		rxPackets = tcpStats.SegmentsSent.Value()
-		txPackets = tcpStats.SegmentsReceived.Value()
-	}
-
-	f.logger.Trace5("forwarder: passthrough TCP %s [in: %d Pkts/%d B, out: %d Pkts/%d B]", epID(id), rxPackets, bytesOut, txPackets, bytesIn)
-
-	f.sendTCPEvent(nftypes.TypeEnd, flowID, id, uint64(bytesOut), uint64(bytesIn), rxPackets, txPackets)
-}
-
 func (f *Forwarder) sendTCPEvent(typ nftypes.Type, flowID uuid.UUID, id stack.TransportEndpointID, rxBytes, txBytes, rxPackets, txPackets uint64) {
 	srcIp := netip.AddrFrom4(id.RemoteAddress.As4())
 	dstIp := netip.AddrFrom4(id.LocalAddress.As4())

client/firewall/uspfilter/forwarder/udp.go

@@ -125,7 +125,9 @@ func (f *udpForwarder) cleanup() {
 				delete(f.conns, idle.id)
 				f.Unlock()
 
-				f.logger.Trace1("forwarder: cleaned up idle UDP connection %v", epID(idle.id))
+				if f.logger.Enabled(nblog.LevelTrace) {
+					f.logger.Trace1("forwarder: cleaned up idle UDP connection %v", epID(idle.id))
+				}
 			}
 		}
 	}
@@ -144,7 +146,9 @@ func (f *Forwarder) handleUDP(r *udp.ForwarderRequest) bool {
 	_, exists := f.udpForwarder.conns[id]
 	f.udpForwarder.RUnlock()
 	if exists {
-		f.logger.Trace1("forwarder: existing UDP connection for %v", epID(id))
+		if f.logger.Enabled(nblog.LevelTrace) {
+			f.logger.Trace1("forwarder: existing UDP connection for %v", epID(id))
+		}
 		return true
 	}
 
@@ -206,7 +210,9 @@ func (f *Forwarder) handleUDP(r *udp.ForwarderRequest) bool {
 	f.udpForwarder.Unlock()
 
 	success = true
-	f.logger.Trace1("forwarder: established UDP connection %v", epID(id))
+	if f.logger.Enabled(nblog.LevelTrace) {
+		f.logger.Trace1("forwarder: established UDP connection %v", epID(id))
+	}
 
 	go f.proxyUDP(connCtx, pConn, id, ep)
 	return true
@@ -265,7 +271,9 @@ func (f *Forwarder) proxyUDP(ctx context.Context, pConn *udpPacketConn, id stack
 		txPackets = udpStats.PacketsReceived.Value()
 	}
 
-	f.logger.Trace5("forwarder: Removed UDP connection %s [in: %d Pkts/%d B, out: %d Pkts/%d B]", epID(id), rxPackets, rxBytes, txPackets, txBytes)
+	if f.logger.Enabled(nblog.LevelTrace) {
+		f.logger.Trace5("forwarder: Removed UDP connection %s [in: %d Pkts/%d B, out: %d Pkts/%d B]", epID(id), rxPackets, rxBytes, txPackets, txBytes)
+	}
 
 	f.udpForwarder.Lock()
 	delete(f.udpForwarder.conns, id)

client/firewall/uspfilter/hooks_filter.go

@@ -0,0 +1,90 @@
+package uspfilter
+
+import (
+	"encoding/binary"
+	"net/netip"
+	"sync/atomic"
+
+	"github.com/netbirdio/netbird/client/firewall/uspfilter/common"
+	"github.com/netbirdio/netbird/client/iface/device"
+)
+
+const (
+	ipv4HeaderMinLen = 20
+	ipv4ProtoOffset  = 9
+	ipv4FlagsOffset  = 6
+	ipv4DstOffset    = 16
+	ipProtoUDP       = 17
+	ipProtoTCP       = 6
+	ipv4FragOffMask  = 0x1fff
+	// dstPortOffset is the offset of the destination port within a UDP or TCP header.
+	dstPortOffset = 2
+)
+
+// HooksFilter is a minimal packet filter that only handles outbound DNS hooks.
+// It is installed on the WireGuard interface when the userspace bind is active
+// but a full firewall filter (Manager) is not needed because a native kernel
+// firewall (nftables/iptables) handles packet filtering.
+type HooksFilter struct {
+	udpHook atomic.Pointer[common.PacketHook]
+	tcpHook atomic.Pointer[common.PacketHook]
+}
+
+var _ device.PacketFilter = (*HooksFilter)(nil)
+
+// FilterOutbound checks outbound packets for DNS hook matches.
+// Only IPv4 packets matching the registered hook IP:port are intercepted.
+// IPv6 and non-IP packets pass through unconditionally.
+func (f *HooksFilter) FilterOutbound(packetData []byte, _ int) bool {
+	if len(packetData) < ipv4HeaderMinLen {
+		return false
+	}
+
+	// Only process IPv4 packets, let everything else pass through.
+	if packetData[0]>>4 != 4 {
+		return false
+	}
+
+	ihl := int(packetData[0]&0x0f) * 4
+	if ihl < ipv4HeaderMinLen || len(packetData) < ihl+4 {
+		return false
+	}
+
+	// Skip non-first fragments: they don't carry L4 headers.
+	flagsAndOffset := binary.BigEndian.Uint16(packetData[ipv4FlagsOffset : ipv4FlagsOffset+2])
+	if flagsAndOffset&ipv4FragOffMask != 0 {
+		return false
+	}
+
+	dstIP, ok := netip.AddrFromSlice(packetData[ipv4DstOffset : ipv4DstOffset+4])
+	if !ok {
+		return false
+	}
+
+	proto := packetData[ipv4ProtoOffset]
+	dstPort := binary.BigEndian.Uint16(packetData[ihl+dstPortOffset : ihl+dstPortOffset+2])
+
+	switch proto {
+	case ipProtoUDP:
+		return common.HookMatches(f.udpHook.Load(), dstIP, dstPort, packetData)
+	case ipProtoTCP:
+		return common.HookMatches(f.tcpHook.Load(), dstIP, dstPort, packetData)
+	default:
+		return false
+	}
+}
+
+// FilterInbound allows all inbound packets (native firewall handles filtering).
+func (f *HooksFilter) FilterInbound([]byte, int) bool {
+	return false
+}
+
+// SetUDPPacketHook registers the UDP packet hook.
+func (f *HooksFilter) SetUDPPacketHook(ip netip.Addr, dPort uint16, hook func([]byte) bool) {
+	common.SetHook(&f.udpHook, ip, dPort, hook)
+}
+
+// SetTCPPacketHook registers the TCP packet hook.
+func (f *HooksFilter) SetTCPPacketHook(ip netip.Addr, dPort uint16, hook func([]byte) bool) {
+	common.SetHook(&f.tcpHook, ip, dPort, hook)
+}

client/firewall/uspfilter/log/log.go

@@ -53,16 +53,17 @@ var levelStrings = map[Level]string{
 }
 
 type logMessage struct {
-	level  Level
-	format string
-	arg1   any
-	arg2   any
-	arg3   any
-	arg4   any
-	arg5   any
-	arg6   any
-	arg7   any
-	arg8   any
+	level    Level
+	argCount uint8
+	format   string
+	arg1     any
+	arg2     any
+	arg3     any
+	arg4     any
+	arg5     any
+	arg6     any
+	arg7     any
+	arg8     any
 }
 
 // Logger is a high-performance, non-blocking logger
@@ -107,6 +108,13 @@ func (l *Logger) SetLevel(level Level) {
 	log.Debugf("Set uspfilter logger loglevel to %v", levelStrings[level])
 }
 
+// Enabled reports whether the given level is currently logged. Callers on the
+// hot path should guard log sites with this to avoid boxing arguments into
+// any when the level is off.
+func (l *Logger) Enabled(level Level) bool {
+	return l.level.Load() >= uint32(level)
+}
+
 func (l *Logger) Error(format string) {
 	if l.level.Load() >= uint32(LevelError) {
 		select {
@@ -155,7 +163,7 @@ func (l *Logger) Trace(format string) {
 func (l *Logger) Error1(format string, arg1 any) {
 	if l.level.Load() >= uint32(LevelError) {
 		select {
-		case l.msgChannel <- logMessage{level: LevelError, format: format, arg1: arg1}:
+		case l.msgChannel <- logMessage{level: LevelError, argCount: 1, format: format, arg1: arg1}:
 		default:
 		}
 	}
@@ -164,7 +172,16 @@ func (l *Logger) Error1(format string, arg1 any) {
 func (l *Logger) Error2(format string, arg1, arg2 any) {
 	if l.level.Load() >= uint32(LevelError) {
 		select {
-		case l.msgChannel <- logMessage{level: LevelError, format: format, arg1: arg1, arg2: arg2}:
+		case l.msgChannel <- logMessage{level: LevelError, argCount: 2, format: format, arg1: arg1, arg2: arg2}:
+		default:
+		}
+	}
+}
+
+func (l *Logger) Warn2(format string, arg1, arg2 any) {
+	if l.level.Load() >= uint32(LevelWarn) {
+		select {
+		case l.msgChannel <- logMessage{level: LevelWarn, argCount: 2, format: format, arg1: arg1, arg2: arg2}:
 		default:
 		}
 	}
@@ -173,7 +190,7 @@ func (l *Logger) Error2(format string, arg1, arg2 any) {
 func (l *Logger) Warn3(format string, arg1, arg2, arg3 any) {
 	if l.level.Load() >= uint32(LevelWarn) {
 		select {
-		case l.msgChannel <- logMessage{level: LevelWarn, format: format, arg1: arg1, arg2: arg2, arg3: arg3}:
+		case l.msgChannel <- logMessage{level: LevelWarn, argCount: 3, format: format, arg1: arg1, arg2: arg2, arg3: arg3}:
 		default:
 		}
 	}
@@ -182,7 +199,7 @@ func (l *Logger) Warn3(format string, arg1, arg2, arg3 any) {
 func (l *Logger) Warn4(format string, arg1, arg2, arg3, arg4 any) {
 	if l.level.Load() >= uint32(LevelWarn) {
 		select {
-		case l.msgChannel <- logMessage{level: LevelWarn, format: format, arg1: arg1, arg2: arg2, arg3: arg3, arg4: arg4}:
+		case l.msgChannel <- logMessage{level: LevelWarn, argCount: 4, format: format, arg1: arg1, arg2: arg2, arg3: arg3, arg4: arg4}:
 		default:
 		}
 	}
@@ -191,7 +208,7 @@ func (l *Logger) Warn4(format string, arg1, arg2, arg3, arg4 any) {
 func (l *Logger) Debug1(format string, arg1 any) {
 	if l.level.Load() >= uint32(LevelDebug) {
 		select {
-		case l.msgChannel <- logMessage{level: LevelDebug, format: format, arg1: arg1}:
+		case l.msgChannel <- logMessage{level: LevelDebug, argCount: 1, format: format, arg1: arg1}:
 		default:
 		}
 	}
@@ -200,7 +217,7 @@ func (l *Logger) Debug1(format string, arg1 any) {
 func (l *Logger) Debug2(format string, arg1, arg2 any) {
 	if l.level.Load() >= uint32(LevelDebug) {
 		select {
-		case l.msgChannel <- logMessage{level: LevelDebug, format: format, arg1: arg1, arg2: arg2}:
+		case l.msgChannel <- logMessage{level: LevelDebug, argCount: 2, format: format, arg1: arg1, arg2: arg2}:
 		default:
 		}
 	}
@@ -209,16 +226,59 @@ func (l *Logger) Debug2(format string, arg1, arg2 any) {
 func (l *Logger) Debug3(format string, arg1, arg2, arg3 any) {
 	if l.level.Load() >= uint32(LevelDebug) {
 		select {
-		case l.msgChannel <- logMessage{level: LevelDebug, format: format, arg1: arg1, arg2: arg2, arg3: arg3}:
+		case l.msgChannel <- logMessage{level: LevelDebug, argCount: 3, format: format, arg1: arg1, arg2: arg2, arg3: arg3}:
 		default:
 		}
 	}
 }
 
+// Debugf is the variadic shape. Dispatches to Debug/Debug1/Debug2/Debug3
+// to avoid allocating an args slice on the fast path when the arg count is
+// known (0-3). Args beyond 3 land on the general variadic path; callers on
+// the hot path should prefer DebugN for known counts.
+func (l *Logger) Debugf(format string, args ...any) {
+	if l.level.Load() < uint32(LevelDebug) {
+		return
+	}
+	switch len(args) {
+	case 0:
+		l.Debug(format)
+	case 1:
+		l.Debug1(format, args[0])
+	case 2:
+		l.Debug2(format, args[0], args[1])
+	case 3:
+		l.Debug3(format, args[0], args[1], args[2])
+	default:
+		l.sendVariadic(LevelDebug, format, args)
+	}
+}
+
+// sendVariadic packs a slice of arguments into a logMessage and non-blocking
+// enqueues it. Used for arg counts beyond the fixed-arity fast paths. Args
+// beyond the 8-arg slot limit are dropped so callers don't produce silently
+// empty log lines via uint8 wraparound in argCount.
+func (l *Logger) sendVariadic(level Level, format string, args []any) {
+	const maxArgs = 8
+	n := len(args)
+	if n > maxArgs {
+		n = maxArgs
+	}
+	msg := logMessage{level: level, argCount: uint8(n), format: format}
+	slots := [maxArgs]*any{&msg.arg1, &msg.arg2, &msg.arg3, &msg.arg4, &msg.arg5, &msg.arg6, &msg.arg7, &msg.arg8}
+	for i := 0; i < n; i++ {
+		*slots[i] = args[i]
+	}
+	select {
+	case l.msgChannel <- msg:
+	default:
+	}
+}
+
 func (l *Logger) Trace1(format string, arg1 any) {
 	if l.level.Load() >= uint32(LevelTrace) {
 		select {
-		case l.msgChannel <- logMessage{level: LevelTrace, format: format, arg1: arg1}:
+		case l.msgChannel <- logMessage{level: LevelTrace, argCount: 1, format: format, arg1: arg1}:
 		default:
 		}
 	}
@@ -227,7 +287,7 @@ func (l *Logger) Trace1(format string, arg1 any) {
 func (l *Logger) Trace2(format string, arg1, arg2 any) {
 	if l.level.Load() >= uint32(LevelTrace) {
 		select {
-		case l.msgChannel <- logMessage{level: LevelTrace, format: format, arg1: arg1, arg2: arg2}:
+		case l.msgChannel <- logMessage{level: LevelTrace, argCount: 2, format: format, arg1: arg1, arg2: arg2}:
 		default:
 		}
 	}
@@ -236,7 +296,7 @@ func (l *Logger) Trace2(format string, arg1, arg2 any) {
 func (l *Logger) Trace3(format string, arg1, arg2, arg3 any) {
 	if l.level.Load() >= uint32(LevelTrace) {
 		select {
-		case l.msgChannel <- logMessage{level: LevelTrace, format: format, arg1: arg1, arg2: arg2, arg3: arg3}:
+		case l.msgChannel <- logMessage{level: LevelTrace, argCount: 3, format: format, arg1: arg1, arg2: arg2, arg3: arg3}:
 		default:
 		}
 	}
@@ -245,7 +305,7 @@ func (l *Logger) Trace3(format string, arg1, arg2, arg3 any) {
 func (l *Logger) Trace4(format string, arg1, arg2, arg3, arg4 any) {
 	if l.level.Load() >= uint32(LevelTrace) {
 		select {
-		case l.msgChannel <- logMessage{level: LevelTrace, format: format, arg1: arg1, arg2: arg2, arg3: arg3, arg4: arg4}:
+		case l.msgChannel <- logMessage{level: LevelTrace, argCount: 4, format: format, arg1: arg1, arg2: arg2, arg3: arg3, arg4: arg4}:
 		default:
 		}
 	}
@@ -254,7 +314,7 @@ func (l *Logger) Trace4(format string, arg1, arg2, arg3, arg4 any) {
 func (l *Logger) Trace5(format string, arg1, arg2, arg3, arg4, arg5 any) {
 	if l.level.Load() >= uint32(LevelTrace) {
 		select {
-		case l.msgChannel <- logMessage{level: LevelTrace, format: format, arg1: arg1, arg2: arg2, arg3: arg3, arg4: arg4, arg5: arg5}:
+		case l.msgChannel <- logMessage{level: LevelTrace, argCount: 5, format: format, arg1: arg1, arg2: arg2, arg3: arg3, arg4: arg4, arg5: arg5}:
 		default:
 		}
 	}
@@ -263,7 +323,7 @@ func (l *Logger) Trace5(format string, arg1, arg2, arg3, arg4, arg5 any) {
 func (l *Logger) Trace6(format string, arg1, arg2, arg3, arg4, arg5, arg6 any) {
 	if l.level.Load() >= uint32(LevelTrace) {
 		select {
-		case l.msgChannel <- logMessage{level: LevelTrace, format: format, arg1: arg1, arg2: arg2, arg3: arg3, arg4: arg4, arg5: arg5, arg6: arg6}:
+		case l.msgChannel <- logMessage{level: LevelTrace, argCount: 6, format: format, arg1: arg1, arg2: arg2, arg3: arg3, arg4: arg4, arg5: arg5, arg6: arg6}:
 		default:
 		}
 	}
@@ -273,7 +333,7 @@ func (l *Logger) Trace6(format string, arg1, arg2, arg3, arg4, arg5, arg6 any) {
 func (l *Logger) Trace8(format string, arg1, arg2, arg3, arg4, arg5, arg6, arg7, arg8 any) {
 	if l.level.Load() >= uint32(LevelTrace) {
 		select {
-		case l.msgChannel <- logMessage{level: LevelTrace, format: format, arg1: arg1, arg2: arg2, arg3: arg3, arg4: arg4, arg5: arg5, arg6: arg6, arg7: arg7, arg8: arg8}:
+		case l.msgChannel <- logMessage{level: LevelTrace, argCount: 8, format: format, arg1: arg1, arg2: arg2, arg3: arg3, arg4: arg4, arg5: arg5, arg6: arg6, arg7: arg7, arg8: arg8}:
 		default:
 		}
 	}
@@ -286,35 +346,8 @@ func (l *Logger) formatMessage(buf *[]byte, msg logMessage) {
 	*buf = append(*buf, levelStrings[msg.level]...)
 	*buf = append(*buf, ' ')
 
-	// Count non-nil arguments for switch
-	argCount := 0
-	if msg.arg1 != nil {
-		argCount++
-		if msg.arg2 != nil {
-			argCount++
-			if msg.arg3 != nil {
-				argCount++
-				if msg.arg4 != nil {
-					argCount++
-					if msg.arg5 != nil {
-						argCount++
-						if msg.arg6 != nil {
-							argCount++
-							if msg.arg7 != nil {
-								argCount++
-								if msg.arg8 != nil {
-									argCount++
-								}
-							}
-						}
-					}
-				}
-			}
-		}
-	}
-
 	var formatted string
-	switch argCount {
+	switch msg.argCount {
 	case 0:
 		formatted = msg.format
 	case 1:

client/firewall/uspfilter/nat.go

@@ -11,6 +11,7 @@ import (
 	"github.com/google/gopacket/layers"
 
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
+	nblog "github.com/netbirdio/netbird/client/firewall/uspfilter/log"
 )
 
 var ErrIPv4Only = errors.New("only IPv4 is supported for DNAT")
@@ -242,11 +243,15 @@ func (m *Manager) translateOutboundDNAT(packetData []byte, d *decoder) bool {
 	}
 
 	if err := m.rewritePacketIP(packetData, d, translatedIP, destinationIPOffset); err != nil {
-		m.logger.Error1("failed to rewrite packet destination: %v", err)
+		if m.logger.Enabled(nblog.LevelError) {
+			m.logger.Error1("failed to rewrite packet destination: %v", err)
+		}
 		return false
 	}
 
-	m.logger.Trace2("DNAT: %s -> %s", dstIP, translatedIP)
+	if m.logger.Enabled(nblog.LevelTrace) {
+		m.logger.Trace2("DNAT: %s -> %s", dstIP, translatedIP)
+	}
 	return true
 }
 
@@ -264,11 +269,15 @@ func (m *Manager) translateInboundReverse(packetData []byte, d *decoder) bool {
 	}
 
 	if err := m.rewritePacketIP(packetData, d, originalIP, sourceIPOffset); err != nil {
-		m.logger.Error1("failed to rewrite packet source: %v", err)
+		if m.logger.Enabled(nblog.LevelError) {
+			m.logger.Error1("failed to rewrite packet source: %v", err)
+		}
 		return false
 	}
 
-	m.logger.Trace2("Reverse DNAT: %s -> %s", srcIP, originalIP)
+	if m.logger.Enabled(nblog.LevelTrace) {
+		m.logger.Trace2("Reverse DNAT: %s -> %s", srcIP, originalIP)
+	}
 	return true
 }
 
@@ -521,7 +530,9 @@ func (m *Manager) applyPortRule(packetData []byte, d *decoder, srcIP, dstIP neti
 		}
 
 		if err := rewriteFn(packetData, d, rule.targetPort, destinationPortOffset); err != nil {
-			m.logger.Error1("failed to rewrite port: %v", err)
+			if m.logger.Enabled(nblog.LevelError) {
+				m.logger.Error1("failed to rewrite port: %v", err)
+			}
 			return false
 		}
 		d.dnatOrigPort = rule.origPort

client/iface/iface.go

@@ -217,7 +217,6 @@ func (w *WGIface) RemoveAllowedIP(peerKey string, allowedIP netip.Prefix) error
 // Close closes the tunnel interface
 func (w *WGIface) Close() error {
 	w.mu.Lock()
-	defer w.mu.Unlock()
 
 	var result *multierror.Error
 
@@ -225,7 +224,15 @@ func (w *WGIface) Close() error {
 		result = multierror.Append(result, fmt.Errorf("failed to free WireGuard proxy: %w", err))
 	}
 
-	if err := w.tun.Close(); err != nil {
+	// Release w.mu before calling w.tun.Close(): the underlying
+	// wireguard-go device.Close() waits for its send/receive goroutines
+	// to drain. Some of those goroutines re-enter WGIface methods that
+	// take w.mu (e.g. the packet filter DNS hook calls GetDevice()), so
+	// holding the mutex here would deadlock the shutdown path.
+	tun := w.tun
+	w.mu.Unlock()
+
+	if err := tun.Close(); err != nil {
 		result = multierror.Append(result, fmt.Errorf("failed to close wireguard interface %s: %w", w.Name(), err))
 	}
 

client/iface/iface_close_test.go

@@ -0,0 +1,113 @@
+//go:build !android
+
+package iface
+
+import (
+	"errors"
+	"sync"
+	"testing"
+	"time"
+
+	wgdevice "golang.zx2c4.com/wireguard/device"
+	"golang.zx2c4.com/wireguard/tun/netstack"
+
+	"github.com/netbirdio/netbird/client/iface/device"
+	"github.com/netbirdio/netbird/client/iface/udpmux"
+	"github.com/netbirdio/netbird/client/iface/wgaddr"
+	"github.com/netbirdio/netbird/client/iface/wgproxy"
+)
+
+// fakeTunDevice implements WGTunDevice and lets the test control when
+// Close() returns. It mimics the wireguard-go shutdown path, which blocks
+// until its goroutines drain. Some of those goroutines (e.g. the packet
+// filter DNS hook in client/internal/dns) call back into WGIface, so if
+// WGIface.Close() held w.mu across tun.Close() the shutdown would
+// deadlock.
+type fakeTunDevice struct {
+	closeStarted chan struct{}
+	unblockClose chan struct{}
+}
+
+func (f *fakeTunDevice) Create() (device.WGConfigurer, error) {
+	return nil, errors.New("not implemented")
+}
+func (f *fakeTunDevice) Up() (*udpmux.UniversalUDPMuxDefault, error) {
+	return nil, errors.New("not implemented")
+}
+func (f *fakeTunDevice) UpdateAddr(wgaddr.Address) error      { return nil }
+func (f *fakeTunDevice) WgAddress() wgaddr.Address            { return wgaddr.Address{} }
+func (f *fakeTunDevice) MTU() uint16                          { return DefaultMTU }
+func (f *fakeTunDevice) DeviceName() string                   { return "nb-close-test" }
+func (f *fakeTunDevice) FilteredDevice() *device.FilteredDevice { return nil }
+func (f *fakeTunDevice) Device() *wgdevice.Device             { return nil }
+func (f *fakeTunDevice) GetNet() *netstack.Net                { return nil }
+func (f *fakeTunDevice) GetICEBind() device.EndpointManager   { return nil }
+
+func (f *fakeTunDevice) Close() error {
+	close(f.closeStarted)
+	<-f.unblockClose
+	return nil
+}
+
+type fakeProxyFactory struct{}
+
+func (fakeProxyFactory) GetProxy() wgproxy.Proxy { return nil }
+func (fakeProxyFactory) GetProxyPort() uint16    { return 0 }
+func (fakeProxyFactory) Free() error             { return nil }
+
+// TestWGIface_CloseReleasesMutexBeforeTunClose guards against a deadlock
+// that surfaces as a macOS test-timeout in
+// TestDNSPermanent_updateUpstream: WGIface.Close() used to hold w.mu
+// while waiting for the wireguard-go device goroutines to finish, and
+// one of those goroutines (the DNS filter hook) calls back into
+// WGIface.GetDevice() which needs the same mutex. The fix is to drop
+// the lock before tun.Close() returns control.
+func TestWGIface_CloseReleasesMutexBeforeTunClose(t *testing.T) {
+	tun := &fakeTunDevice{
+		closeStarted: make(chan struct{}),
+		unblockClose: make(chan struct{}),
+	}
+	w := &WGIface{
+		tun:            tun,
+		wgProxyFactory: fakeProxyFactory{},
+	}
+
+	closeDone := make(chan error, 1)
+	go func() {
+		closeDone <- w.Close()
+	}()
+
+	select {
+	case <-tun.closeStarted:
+	case <-time.After(2 * time.Second):
+		close(tun.unblockClose)
+		t.Fatal("tun.Close() was never invoked")
+	}
+
+	// Simulate the WireGuard read goroutine calling back into WGIface
+	// via the packet filter's DNS hook. If Close() still held w.mu
+	// during tun.Close(), this would block until the test timeout.
+	getDeviceDone := make(chan struct{})
+	var wg sync.WaitGroup
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		_ = w.GetDevice()
+		close(getDeviceDone)
+	}()
+
+	select {
+	case <-getDeviceDone:
+	case <-time.After(2 * time.Second):
+		close(tun.unblockClose)
+		wg.Wait()
+		t.Fatal("GetDevice() deadlocked while WGIface.Close was closing the tun")
+	}
+
+	close(tun.unblockClose)
+	select {
+	case <-closeDone:
+	case <-time.After(2 * time.Second):
+		t.Fatal("WGIface.Close() never returned after the tun was unblocked")
+	}
+}

client/iface/udpmux/universal.go

@@ -171,7 +171,7 @@ func (u *UDPConn) performFilterCheck(addr net.Addr) error {
 	}
 
 	if u.address.Network.Contains(a) {
-		log.Warnf("Address %s is part of the NetBird network %s, refusing to write", addr, u.address)
+		log.Warnf("address %s is part of the NetBird network %s, refusing to write", addr, u.address)
 		return fmt.Errorf("address %s is part of the NetBird network %s, refusing to write", addr, u.address)
 	}
 
@@ -181,7 +181,7 @@ func (u *UDPConn) performFilterCheck(addr net.Addr) error {
 		u.addrCache.Store(addr.String(), isRouted)
 		if isRouted {
 			// Extra log, as the error only shows up with ICE logging enabled
-			log.Infof("Address %s is part of routed network %s, refusing to write", addr, prefix)
+			log.Infof("address %s is part of routed network %s, refusing to write", addr, prefix)
 			return fmt.Errorf("address %s is part of routed network %s, refusing to write", addr, prefix)
 		}
 	}

client/inspect/config.go

@@ -1,212 +0,0 @@
-package inspect
-
-import (
-	"crypto"
-	"crypto/x509"
-	"net"
-	"net/netip"
-	"net/url"
-	"strings"
-
-	"github.com/netbirdio/netbird/client/internal/acl/id"
-	"github.com/netbirdio/netbird/shared/management/domain"
-)
-
-// InspectResult holds the outcome of connection inspection.
-type InspectResult struct {
-	// Action is the rule evaluation result.
-	Action Action
-	// PassthroughConn is the client connection with buffered peeked bytes.
-	// Non-nil only when Action is ActionAllow and the caller should relay
-	// (TLS passthrough or non-HTTP/TLS protocol). The caller takes ownership
-	// and is responsible for closing this connection.
-	PassthroughConn net.Conn
-}
-
-const (
-	// DefaultTProxyPort is the default TPROXY listener port for kernel mode.
-	// Override with NB_TPROXY_PORT environment variable.
-	DefaultTProxyPort = 22080
-)
-
-// Action determines how the proxy handles a matched connection.
-type Action string
-
-const (
-	// ActionAllow passes the connection through without decryption.
-	ActionAllow Action = "allow"
-	// ActionBlock denies the connection.
-	ActionBlock Action = "block"
-	// ActionInspect decrypts (MITM) and inspects the connection.
-	ActionInspect Action = "inspect"
-)
-
-// ProxyMode determines the proxy operating mode.
-type ProxyMode string
-
-const (
-	// ModeBuiltin uses the built-in proxy with rules and optional ICAP.
-	ModeBuiltin ProxyMode = "builtin"
-	// ModeEnvoy runs a local envoy sidecar for L7 processing.
-	// Go manages envoy lifecycle, config generation, and rule evaluation.
-	// USP path forwards via PROXY protocol v2; kernel path uses nftables redirect.
-	ModeEnvoy ProxyMode = "envoy"
-	// ModeExternal forwards all traffic to an external proxy.
-	ModeExternal ProxyMode = "external"
-)
-
-// PolicyID is the management policy identifier associated with a connection.
-type PolicyID []byte
-
-// MatchDomain reports whether target matches the pattern.
-// If pattern starts with "*.", it matches any subdomain (but not the base itself).
-// Otherwise it requires an exact match.
-func MatchDomain(pattern, target domain.Domain) bool {
-	p := pattern.PunycodeString()
-	t := target.PunycodeString()
-
-	if strings.HasPrefix(p, "*.") {
-		base := p[2:]
-		return strings.HasSuffix(t, "."+base)
-	}
-
-	return p == t
-}
-
-// SourceInfo carries source identity context for rule evaluation.
-// The source may be a direct WireGuard peer or a host behind
-// a site-to-site gateway.
-type SourceInfo struct {
-	// IP is the original source address from the packet.
-	IP netip.Addr
-	// PolicyID is the management policy that allowed this traffic
-	// through route ACLs.
-	PolicyID PolicyID
-}
-
-// ProtoType identifies a protocol handled by the proxy.
-type ProtoType string
-
-const (
-	ProtoHTTP      ProtoType = "http"
-	ProtoHTTPS     ProtoType = "https"
-	ProtoH2        ProtoType = "h2"
-	ProtoH3        ProtoType = "h3"
-	ProtoWebSocket ProtoType = "websocket"
-	ProtoOther     ProtoType = "other"
-)
-
-// Rule defines a proxy inspection/filtering rule.
-type Rule struct {
-	// ID uniquely identifies this rule.
-	ID id.RuleID
-	// Sources are the source CIDRs this rule applies to.
-	// Includes both direct peer IPs and routed networks behind gateways.
-	Sources []netip.Prefix
-	// Domains are the destination domain patterns to match (via SNI or Host header).
-	// Supports exact match ("example.com") and wildcard ("*.example.com").
-	Domains []domain.Domain
-	// Networks are the destination CIDRs to match.
-	Networks []netip.Prefix
-	// Ports are the destination ports to match. Empty means all ports.
-	Ports []uint16
-	// Protocols restricts which protocols this rule applies to.
-	// Empty means all protocols.
-	Protocols []ProtoType
-	// Paths are URL path patterns to match (HTTP only, requires inspect for HTTPS).
-	// Supports prefix ("/api/"), exact ("/login"), and wildcard ("/admin/*").
-	// Empty means all paths.
-	Paths []string
-	// Action determines what to do with matched connections.
-	Action Action
-	// Priority controls evaluation order. Lower values are evaluated first.
-	Priority int
-}
-
-// ICAPConfig holds ICAP service configuration.
-type ICAPConfig struct {
-	// ReqModURL is the ICAP REQMOD service URL (e.g., icap://server:1344/reqmod).
-	ReqModURL *url.URL
-	// RespModURL is the ICAP RESPMOD service URL (e.g., icap://server:1344/respmod).
-	RespModURL *url.URL
-	// MaxConnections is the connection pool size. Zero uses a default.
-	MaxConnections int
-}
-
-// TLSConfig holds the MITM CA configuration for TLS inspection.
-type TLSConfig struct {
-	// CA is the certificate authority used to sign dynamic certificates.
-	CA *x509.Certificate
-	// CAKey is the CA's private key.
-	CAKey crypto.PrivateKey
-}
-
-// Config holds the transparent proxy configuration.
-type Config struct {
-	// Enabled controls whether the proxy is active.
-	Enabled bool
-	// Mode selects built-in or external proxy operation.
-	Mode ProxyMode
-	// ExternalURL is the upstream proxy URL for ModeExternal.
-	// Supports http:// and socks5:// schemes.
-	ExternalURL *url.URL
-
-	// DefaultAction applies when no rule matches a connection.
-	DefaultAction Action
-
-	// RedirectSources are the source CIDRs whose traffic should be intercepted.
-	// Admin decides: "activate for these users/subnets."
-	// Used for both kernel TPROXY rules and userspace forwarder source filtering.
-	RedirectSources []netip.Prefix
-	// RedirectPorts are the destination ports to intercept. Empty means all ports.
-	RedirectPorts []uint16
-
-	// Rules are the proxy inspection/filtering rules, evaluated in Priority order.
-	Rules []Rule
-
-	// ICAP holds ICAP service configuration. Nil disables ICAP.
-	ICAP *ICAPConfig
-	// TLS holds the MITM CA. Nil means no MITM capability (ActionInspect rules ignored).
-	TLS *TLSConfig
-
-	// Envoy configuration (ModeEnvoy only)
-	Envoy *EnvoyConfig
-
-	// ListenAddr is the TPROXY listen address for kernel mode.
-	// Zero value disables the TPROXY listener.
-	ListenAddr netip.AddrPort
-	// WGNetwork is the WireGuard overlay network prefix.
-	// The proxy blocks dialing destinations inside this network.
-	WGNetwork netip.Prefix
-	// LocalIPChecker reports whether an IP belongs to the routing peer.
-	// Used to prevent SSRF to local services. May be nil.
-	LocalIPChecker LocalIPChecker
-}
-
-// EnvoyConfig holds configuration for the envoy sidecar mode.
-type EnvoyConfig struct {
-	// BinaryPath is the path to the envoy binary.
-	// Empty means search $PATH for "envoy".
-	BinaryPath string
-	// AdminPort is the port for envoy's admin API (health checks, stats).
-	// Zero means auto-assign.
-	AdminPort uint16
-	// Snippets are user-provided config fragments merged into the generated bootstrap.
-	Snippets *EnvoySnippets
-}
-
-// EnvoySnippets holds user-provided YAML fragments for envoy config customization.
-// Only safe snippet types are allowed: filters (HTTP and network) and clusters
-// needed as dependencies for filter services. Listeners and bootstrap overrides
-// are not exposed since we manage the listener and bootstrap.
-type EnvoySnippets struct {
-	// HTTPFilters is YAML injected into the HCM filter chain before the router filter.
-	// Used for ext_authz, rate limiting, Lua, Wasm, RBAC, JWT auth, etc.
-	HTTPFilters string
-	// NetworkFilters is YAML injected into the TLS filter chain before tcp_proxy.
-	// Used for network-level RBAC, rate limiting, ext_authz on raw TCP.
-	NetworkFilters string
-	// Clusters is YAML for additional upstream clusters referenced by filters.
-	// Needed when filters call external services (ext_authz backend, rate limit service).
-	Clusters string
-}

client/inspect/config_test.go

@@ -1,93 +0,0 @@
-package inspect
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/shared/management/domain"
-)
-
-func TestMatchDomain(t *testing.T) {
-	tests := []struct {
-		name    string
-		pattern string
-		target  string
-		want    bool
-	}{
-		{
-			name:    "exact match",
-			pattern: "example.com",
-			target:  "example.com",
-			want:    true,
-		},
-		{
-			name:    "exact no match",
-			pattern: "example.com",
-			target:  "other.com",
-			want:    false,
-		},
-		{
-			name:    "wildcard matches subdomain",
-			pattern: "*.example.com",
-			target:  "foo.example.com",
-			want:    true,
-		},
-		{
-			name:    "wildcard matches deep subdomain",
-			pattern: "*.example.com",
-			target:  "a.b.c.example.com",
-			want:    true,
-		},
-		{
-			name:    "wildcard does not match base",
-			pattern: "*.example.com",
-			target:  "example.com",
-			want:    false,
-		},
-		{
-			name:    "wildcard does not match unrelated",
-			pattern: "*.example.com",
-			target:  "foo.other.com",
-			want:    false,
-		},
-		{
-			name:    "case insensitive exact match",
-			pattern: "Example.COM",
-			target:  "example.com",
-			want:    true,
-		},
-		{
-			name:    "case insensitive wildcard match",
-			pattern: "*.Example.COM",
-			target:  "FOO.example.com",
-			want:    true,
-		},
-		{
-			name:    "wildcard does not match partial suffix",
-			pattern: "*.example.com",
-			target:  "notexample.com",
-			want:    false,
-		},
-		{
-			name:    "unicode domain punycode match",
-			pattern: "*.münchen.de",
-			target:  "sub.xn--mnchen-3ya.de",
-			want:    true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			pattern, err := domain.FromString(tt.pattern)
-			require.NoError(t, err)
-
-			target, err := domain.FromString(tt.target)
-			require.NoError(t, err)
-
-			got := MatchDomain(pattern, target)
-			assert.Equal(t, tt.want, got)
-		})
-	}
-}

client/inspect/dialer_linux.go

@@ -1,25 +0,0 @@
-package inspect
-
-import (
-	"net"
-	"syscall"
-)
-
-// newOutboundDialer creates a net.Dialer that clears the socket fwmark.
-// In kernel TPROXY mode, accepted connections inherit the TPROXY fwmark.
-// Without clearing it, outbound connections from the proxy would match
-// the ip rule (fwmark -> local loopback) and loop back to the proxy
-// instead of reaching the real destination.
-func newOutboundDialer() net.Dialer {
-	return net.Dialer{
-		Control: func(_, _ string, c syscall.RawConn) error {
-			var sockErr error
-			if err := c.Control(func(fd uintptr) {
-				sockErr = syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_MARK, 0)
-			}); err != nil {
-				return err
-			}
-			return sockErr
-		},
-	}
-}

client/inspect/dialer_other.go

@@ -1,11 +0,0 @@
-//go:build !linux
-
-package inspect
-
-import "net"
-
-// newOutboundDialer returns a plain dialer on non-Linux platforms.
-// TPROXY is Linux-only, so no fwmark clearing is needed.
-func newOutboundDialer() net.Dialer {
-	return net.Dialer{}
-}

client/inspect/envoy.go

@@ -1,298 +0,0 @@
-package inspect
-
-import (
-	"context"
-	"fmt"
-	"io"
-	"net"
-	"net/http"
-	"net/netip"
-	"os"
-	"os/exec"
-	"path/filepath"
-	"strings"
-	"sync"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-)
-
-const (
-	envoyStartTimeout   = 15 * time.Second
-	envoyHealthInterval = 500 * time.Millisecond
-	envoyStopTimeout    = 10 * time.Second
-	envoyDrainTime      = 5
-)
-
-// envoyManager manages the lifecycle of an envoy sidecar process.
-type envoyManager struct {
-	log        *log.Entry
-	cmd        *exec.Cmd
-	configPath string
-	listenPort uint16
-	adminPort  uint16
-	cancel     context.CancelFunc
-
-	blockPagePath string
-
-	mu      sync.Mutex
-	running bool
-}
-
-// startEnvoy finds the envoy binary, generates config, and spawns the process.
-// It blocks until envoy reports healthy or the timeout expires.
-func startEnvoy(ctx context.Context, logger *log.Entry, config Config) (*envoyManager, error) {
-	envCfg := config.Envoy
-	if envCfg == nil {
-		return nil, fmt.Errorf("envoy config is nil")
-	}
-
-	binaryPath, err := findEnvoyBinary(envCfg.BinaryPath)
-	if err != nil {
-		return nil, fmt.Errorf("find envoy binary: %w", err)
-	}
-
-	// Pick admin port
-	adminPort := envCfg.AdminPort
-	if adminPort == 0 {
-		p, err := findFreePort()
-		if err != nil {
-			return nil, fmt.Errorf("find free admin port: %w", err)
-		}
-		adminPort = p
-	}
-
-	// Pick listener port
-	listenPort, err := findFreePort()
-	if err != nil {
-		return nil, fmt.Errorf("find free listener port: %w", err)
-	}
-
-	// Use a private temp directory (0700) to prevent local attackers from
-	// replacing the config file between write and envoy read.
-	configDir, err := os.MkdirTemp("", "nb-envoy-*")
-	if err != nil {
-		return nil, fmt.Errorf("create envoy config directory: %w", err)
-	}
-
-	// Write the block page HTML for envoy's direct_response to reference.
-	blockPagePath := filepath.Join(configDir, "block.html")
-	blockHTML := fmt.Sprintf(blockPageHTML, "blocked domain", "this domain")
-	if err := os.WriteFile(blockPagePath, []byte(blockHTML), 0600); err != nil {
-		return nil, fmt.Errorf("write envoy block page: %w", err)
-	}
-
-	// Generate config with the block page path embedded.
-	bootstrap, err := generateBootstrap(config, listenPort, adminPort, blockPagePath)
-	if err != nil {
-		return nil, fmt.Errorf("generate envoy bootstrap: %w", err)
-	}
-
-	configPath := filepath.Join(configDir, "bootstrap.yaml")
-	if err := os.WriteFile(configPath, bootstrap, 0600); err != nil {
-		return nil, fmt.Errorf("write envoy config: %w", err)
-	}
-
-	ctx, cancel := context.WithCancel(ctx)
-
-	cmd := exec.CommandContext(ctx, binaryPath,
-		"-c", configPath,
-		"--drain-time-s", fmt.Sprintf("%d", envoyDrainTime),
-	)
-
-	// Pipe envoy output to our logger.
-	cmd.Stdout = &logWriter{entry: logger, level: log.DebugLevel}
-	cmd.Stderr = &logWriter{entry: logger, level: log.WarnLevel}
-
-	if err := cmd.Start(); err != nil {
-		cancel()
-		os.Remove(configPath)
-		return nil, fmt.Errorf("start envoy: %w", err)
-	}
-
-	mgr := &envoyManager{
-		log:           logger,
-		cmd:           cmd,
-		configPath:    configPath,
-		listenPort:    listenPort,
-		adminPort:     adminPort,
-		blockPagePath: blockPagePath,
-		cancel:        cancel,
-		running:       true,
-	}
-
-	// Wait for envoy to become healthy.
-	if err := mgr.waitHealthy(ctx); err != nil {
-		mgr.Stop()
-		return nil, fmt.Errorf("wait for envoy readiness: %w", err)
-	}
-
-	logger.Infof("inspect: envoy started (pid=%d, listen=%d, admin=%d)", cmd.Process.Pid, listenPort, adminPort)
-
-	// Monitor process exit in background.
-	go mgr.monitor()
-
-	return mgr, nil
-}
-
-// ListenAddr returns the address envoy listens on for forwarded connections.
-func (m *envoyManager) ListenAddr() netip.AddrPort {
-	return netip.AddrPortFrom(netip.AddrFrom4([4]byte{127, 0, 0, 1}), m.listenPort)
-}
-
-// AdminAddr returns the envoy admin API address.
-func (m *envoyManager) AdminAddr() string {
-	return fmt.Sprintf("127.0.0.1:%d", m.adminPort)
-}
-
-// Reload writes a new config and sends SIGHUP to envoy.
-func (m *envoyManager) Reload(config Config) error {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-
-	if !m.running {
-		return fmt.Errorf("envoy is not running")
-	}
-
-	bootstrap, err := generateBootstrap(config, m.listenPort, m.adminPort, m.blockPagePath)
-	if err != nil {
-		return fmt.Errorf("generate envoy bootstrap: %w", err)
-	}
-
-	if err := os.WriteFile(m.configPath, bootstrap, 0600); err != nil {
-		return fmt.Errorf("write envoy config: %w", err)
-	}
-
-	if err := signalReload(m.cmd.Process); err != nil {
-		return fmt.Errorf("signal envoy reload: %w", err)
-	}
-
-	m.log.Debugf("inspect: envoy config reloaded")
-	return nil
-}
-
-// Healthy checks the envoy admin API /ready endpoint.
-func (m *envoyManager) Healthy() bool {
-	resp, err := http.Get(fmt.Sprintf("http://%s/ready", m.AdminAddr()))
-	if err != nil {
-		return false
-	}
-	defer resp.Body.Close()
-	return resp.StatusCode == http.StatusOK
-}
-
-// Stop terminates the envoy process and cleans up.
-func (m *envoyManager) Stop() {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-
-	if !m.running {
-		return
-	}
-	m.running = false
-
-	m.cancel()
-
-	if m.cmd.Process != nil {
-		done := make(chan struct{})
-		go func() {
-			m.cmd.Wait()
-			close(done)
-		}()
-
-		select {
-		case <-done:
-		case <-time.After(envoyStopTimeout):
-			m.log.Warnf("inspect: envoy did not exit in %s, killing", envoyStopTimeout)
-			m.cmd.Process.Kill()
-			<-done
-		}
-	}
-
-	os.RemoveAll(filepath.Dir(m.configPath))
-	m.log.Infof("inspect: envoy stopped")
-}
-
-// waitHealthy polls the admin API until envoy is ready or timeout.
-func (m *envoyManager) waitHealthy(ctx context.Context) error {
-	deadline := time.After(envoyStartTimeout)
-	ticker := time.NewTicker(envoyHealthInterval)
-	defer ticker.Stop()
-
-	for {
-		select {
-		case <-ctx.Done():
-			return ctx.Err()
-		case <-deadline:
-			return fmt.Errorf("envoy not ready after %s", envoyStartTimeout)
-		case <-ticker.C:
-			if m.Healthy() {
-				return nil
-			}
-		}
-	}
-}
-
-// monitor watches for unexpected envoy exits.
-func (m *envoyManager) monitor() {
-	err := m.cmd.Wait()
-
-	m.mu.Lock()
-	wasRunning := m.running
-	m.running = false
-	m.mu.Unlock()
-
-	if wasRunning {
-		m.log.Errorf("inspect: envoy exited unexpectedly: %v", err)
-	}
-}
-
-// findEnvoyBinary resolves the envoy binary path.
-func findEnvoyBinary(configPath string) (string, error) {
-	if configPath != "" {
-		if _, err := os.Stat(configPath); err != nil {
-			return "", fmt.Errorf("envoy binary not found at %s: %w", configPath, err)
-		}
-		return configPath, nil
-	}
-
-	path, err := exec.LookPath("envoy")
-	if err != nil {
-		return "", fmt.Errorf("envoy not found in PATH: %w", err)
-	}
-	return path, nil
-}
-
-// findFreePort asks the OS for an available TCP port.
-func findFreePort() (uint16, error) {
-	ln, err := net.Listen("tcp", "127.0.0.1:0")
-	if err != nil {
-		return 0, err
-	}
-	port := uint16(ln.Addr().(*net.TCPAddr).Port)
-	ln.Close()
-	return port, nil
-}
-
-// logWriter adapts log.Entry to io.Writer for piping process output.
-type logWriter struct {
-	entry *log.Entry
-	level log.Level
-}
-
-func (w *logWriter) Write(p []byte) (int, error) {
-	msg := strings.TrimRight(string(p), "\n\r")
-	if msg == "" {
-		return len(p), nil
-	}
-	switch w.level {
-	case log.WarnLevel:
-		w.entry.Warn(msg)
-	default:
-		w.entry.Debug(msg)
-	}
-	return len(p), nil
-}
-
-// Ensure logWriter satisfies io.Writer.
-var _ io.Writer = (*logWriter)(nil)

client/inspect/envoy_config.go

@@ -1,382 +0,0 @@
-package inspect
-
-import (
-	"bytes"
-	"fmt"
-	"strings"
-	"text/template"
-)
-
-// envoyBootstrapTmpl generates the full envoy bootstrap with rule translation.
-// TLS rules become per-SNI filter chains; HTTP rules become per-domain virtual hosts.
-var envoyBootstrapTmpl = template.Must(template.New("bootstrap").Funcs(template.FuncMap{
-	"quote": func(s string) string { return fmt.Sprintf("%q", s) },
-}).Parse(`node:
-  id: netbird-inspect
-  cluster: netbird
-admin:
-  address:
-    socket_address:
-      address: 127.0.0.1
-      port_value: {{.AdminPort}}
-static_resources:
-  listeners:
-    - name: inspect_listener
-      address:
-        socket_address:
-          address: 127.0.0.1
-          port_value: {{.ListenPort}}
-      listener_filters:
-        - name: envoy.filters.listener.proxy_protocol
-          typed_config:
-            "@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
-        - name: envoy.filters.listener.tls_inspector
-          typed_config:
-            "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
-      filter_chains:
-{{- /* TLS filter chains: per-SNI block/allow + default */ -}}
-{{- range .TLSChains}}
-        - filter_chain_match:
-            transport_protocol: tls
-{{- if .ServerNames}}
-            server_names:
-{{- range .ServerNames}}
-              - {{quote .}}
-{{- end}}
-{{- end}}
-          filters:
-{{$.NetworkFiltersSnippet}}            - name: envoy.filters.network.tcp_proxy
-              typed_config:
-                "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
-                stat_prefix: {{.StatPrefix}}
-                cluster: original_dst
-                access_log:
-                  - name: envoy.access_loggers.stderr
-                    typed_config:
-                      "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StderrAccessLog
-                      log_format:
-                        text_format: "[%START_TIME%] tcp %DOWNSTREAM_REMOTE_ADDRESS% -> %UPSTREAM_HOST% %RESPONSE_FLAGS% %DURATION%ms\n"
-{{- end}}
-{{- /* Plain HTTP filter chain with per-domain virtual hosts */}}
-        - filters:
-            - name: envoy.filters.network.http_connection_manager
-              typed_config:
-                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
-                stat_prefix: inspect_http
-                access_log:
-                  - name: envoy.access_loggers.stderr
-                    typed_config:
-                      "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StderrAccessLog
-                      log_format:
-                        text_format: "[%START_TIME%] http %DOWNSTREAM_REMOTE_ADDRESS% %REQ(:AUTHORITY)% %REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %RESPONSE_CODE% %RESPONSE_FLAGS% %DURATION%ms\n"
-                http_filters:
-{{.HTTPFiltersSnippet}}                  - name: envoy.filters.http.router
-                    typed_config:
-                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
-                route_config:
-                  virtual_hosts:
-{{- range .VirtualHosts}}
-                    - name: {{.Name}}
-                      domains: [{{.DomainsStr}}]
-                      routes:
-{{- range .Routes}}
-                        - match:
-                            prefix: "{{if .PathPrefix}}{{.PathPrefix}}{{else}}/{{end}}"
-{{- if .Block}}
-                          direct_response:
-                            status: 403
-                            body:
-                              filename: "{{$.BlockPagePath}}"
-{{- else}}
-                          route:
-                            cluster: original_dst
-{{- end}}
-{{- end}}
-{{- end}}
-  clusters:
-    - name: original_dst
-      type: ORIGINAL_DST
-      lb_policy: CLUSTER_PROVIDED
-      connect_timeout: 10s
-{{.ExtraClusters}}`))
-
-// tlsChain represents a TLS filter chain entry for the template.
-// All TLS chains are passthrough (block decisions happen in Go before envoy).
-type tlsChain struct {
-	// ServerNames restricts this chain to specific SNIs. Empty is catch-all.
-	ServerNames []string
-	StatPrefix  string
-}
-
-// envoyRoute represents a single route entry within a virtual host.
-type envoyRoute struct {
-	// PathPrefix for envoy prefix match. Empty means catch-all "/".
-	PathPrefix string
-	Block      bool
-}
-
-// virtualHost represents an HTTP virtual host entry for the template.
-type virtualHost struct {
-	Name string
-	// DomainsStr is pre-formatted for the template: "a", "b".
-	DomainsStr string
-	Routes     []envoyRoute
-}
-
-type bootstrapData struct {
-	AdminPort             uint16
-	ListenPort            uint16
-	BlockPagePath         string
-	TLSChains             []tlsChain
-	VirtualHosts          []virtualHost
-	HTTPFiltersSnippet    string
-	NetworkFiltersSnippet string
-	ExtraClusters         string
-}
-
-// generateBootstrap produces the envoy bootstrap YAML from the inspect config.
-// Translates inspection rules into envoy-native per-SNI and per-domain routing.
-// blockPagePath is the path to the HTML block page file served by direct_response.
-func generateBootstrap(config Config, listenPort, adminPort uint16, blockPagePath string) ([]byte, error) {
-	data := bootstrapData{
-		AdminPort:     adminPort,
-		BlockPagePath: blockPagePath,
-		ListenPort:    listenPort,
-		TLSChains:     buildTLSChains(config),
-		VirtualHosts:  buildVirtualHosts(config),
-	}
-
-	if config.Envoy != nil && config.Envoy.Snippets != nil {
-		s := config.Envoy.Snippets
-		data.HTTPFiltersSnippet = indentSnippet(s.HTTPFilters, 18)
-		data.NetworkFiltersSnippet = indentSnippet(s.NetworkFilters, 12)
-		data.ExtraClusters = indentSnippet(s.Clusters, 4)
-	}
-
-	var buf bytes.Buffer
-	if err := envoyBootstrapTmpl.Execute(&buf, data); err != nil {
-		return nil, fmt.Errorf("execute bootstrap template: %w", err)
-	}
-
-	return buf.Bytes(), nil
-}
-
-// buildTLSChains translates inspection rules into envoy TLS filter chains.
-// Block rules -> per-SNI chain routing to blackhole.
-// Allow rules (when default=block) -> per-SNI chain routing to original_dst.
-// Default chain follows DefaultAction.
-func buildTLSChains(config Config) []tlsChain {
-	// TLS block decisions happen in Go before forwarding to envoy, so we only
-	// generate allow/passthrough chains here. Envoy can't cleanly close a TLS
-	// connection without completing a handshake, so blocked SNIs never reach envoy.
-	var allowed []string
-
-	for _, rule := range config.Rules {
-		if !ruleTouchesProtocol(rule, ProtoHTTPS, ProtoH2) {
-			continue
-		}
-		for _, d := range rule.Domains {
-			sni := d.PunycodeString()
-			if rule.Action == ActionAllow || rule.Action == ActionInspect {
-				allowed = append(allowed, sni)
-			}
-		}
-	}
-
-	var chains []tlsChain
-
-	if len(allowed) > 0 && config.DefaultAction == ActionBlock {
-		chains = append(chains, tlsChain{
-			ServerNames: allowed,
-			StatPrefix:  "tls_allowed",
-		})
-	}
-
-	// Default catch-all: passthrough (blocked SNIs never arrive here)
-	chains = append(chains, tlsChain{
-		StatPrefix: "tls_default",
-	})
-
-	return chains
-}
-
-// buildVirtualHosts translates inspection rules into envoy HTTP virtual hosts.
-// Groups rules by domain, generates per-path routes within each virtual host.
-func buildVirtualHosts(config Config) []virtualHost {
-	// Group rules by domain for per-domain virtual hosts.
-	type domainRules struct {
-		domains []string
-		routes  []envoyRoute
-	}
-
-	domainRouteMap := make(map[string][]envoyRoute)
-
-	for _, rule := range config.Rules {
-		if !ruleTouchesProtocol(rule, ProtoHTTP, ProtoWebSocket) {
-			continue
-		}
-		isBlock := rule.Action == ActionBlock
-
-		// Rules without domains or paths are handled by the default action.
-		if len(rule.Domains) == 0 && len(rule.Paths) == 0 {
-			continue
-		}
-
-		// Build routes for this rule's paths
-		var routes []envoyRoute
-		if len(rule.Paths) > 0 {
-			for _, p := range rule.Paths {
-				// Convert our path patterns to envoy prefix match.
-				// Strip trailing * for envoy prefix matching.
-				prefix := strings.TrimSuffix(p, "*")
-				routes = append(routes, envoyRoute{PathPrefix: prefix, Block: isBlock})
-			}
-		} else {
-			routes = append(routes, envoyRoute{Block: isBlock})
-		}
-
-		if len(rule.Domains) > 0 {
-			for _, d := range rule.Domains {
-				host := d.PunycodeString()
-				domainRouteMap[host] = append(domainRouteMap[host], routes...)
-			}
-		} else {
-			// No domain: applies to all, add to default host
-			domainRouteMap["*"] = append(domainRouteMap["*"], routes...)
-		}
-	}
-
-	var hosts []virtualHost
-	idx := 0
-
-	// Per-domain virtual hosts with path routes
-	for domain, routes := range domainRouteMap {
-		if domain == "*" {
-			continue
-		}
-		// Add a catch-all route after path-specific routes.
-		// The catch-all follows the default action.
-		routes = append(routes, envoyRoute{Block: config.DefaultAction == ActionBlock})
-
-		hosts = append(hosts, virtualHost{
-			Name:       fmt.Sprintf("domain_%d", idx),
-			DomainsStr: fmt.Sprintf("%q", domain),
-			Routes:     routes,
-		})
-		idx++
-	}
-
-	// Default virtual host (catch-all for unmatched domains)
-	defaultRoutes := domainRouteMap["*"]
-	defaultRoutes = append(defaultRoutes, envoyRoute{Block: config.DefaultAction == ActionBlock})
-	hosts = append(hosts, virtualHost{
-		Name:       "default",
-		DomainsStr: `"*"`,
-		Routes:     defaultRoutes,
-	})
-
-	return hosts
-}
-
-// ruleTouchesProtocol returns true if the rule's protocol list includes any of the given protocols,
-// or if the protocol list is empty (matches all).
-func ruleTouchesProtocol(rule Rule, protos ...ProtoType) bool {
-	if len(rule.Protocols) == 0 {
-		return true
-	}
-	for _, rp := range rule.Protocols {
-		for _, p := range protos {
-			if rp == p {
-				return true
-			}
-		}
-	}
-	return false
-}
-
-// indentSnippet prepends each line of the YAML snippet with the given number of spaces.
-// Returns empty string if snippet is empty.
-func indentSnippet(snippet string, spaces int) string {
-	if snippet == "" {
-		return ""
-	}
-
-	prefix := make([]byte, spaces)
-	for i := range prefix {
-		prefix[i] = ' '
-	}
-
-	var buf bytes.Buffer
-	for i, line := range bytes.Split([]byte(snippet), []byte("\n")) {
-		if i > 0 {
-			buf.WriteByte('\n')
-		}
-		if len(line) > 0 {
-			buf.Write(prefix)
-			buf.Write(line)
-		}
-	}
-	buf.WriteByte('\n')
-
-	return buf.String()
-}
-
-// ValidateSnippets checks that user-provided snippets are safe to inject
-// into the envoy config. Returns an error describing the first violation found.
-//
-// Validation rules:
-//   - Each snippet must be valid YAML (prevents syntax-level injection)
-//   - Snippets must not contain YAML document separators (--- or ...) that could
-//     break out of the indentation context
-//   - Snippets must only contain list items (starting with "- ") at the top level,
-//     matching what envoy expects for filters and clusters
-func ValidateSnippets(snippets *EnvoySnippets) error {
-	if snippets == nil {
-		return nil
-	}
-
-	fields := []struct {
-		name  string
-		value string
-	}{
-		{"http_filters", snippets.HTTPFilters},
-		{"network_filters", snippets.NetworkFilters},
-		{"clusters", snippets.Clusters},
-	}
-
-	for _, f := range fields {
-		if f.value == "" {
-			continue
-		}
-		if err := validateSnippetYAML(f.name, f.value); err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-func validateSnippetYAML(name, snippet string) error {
-	// Check for YAML document markers that could break template structure.
-	for _, line := range strings.Split(snippet, "\n") {
-		trimmed := strings.TrimSpace(line)
-		if trimmed == "---" || trimmed == "..." {
-			return fmt.Errorf("snippet %q: YAML document separators (--- or ...) are not allowed", name)
-		}
-	}
-
-	// Verify it's valid YAML by checking it doesn't cause template execution issues.
-	// We can't import yaml.v3 here without adding a dependency, so we do structural checks.
-
-	// Check for null bytes or control characters that could confuse YAML parsers.
-	for i, b := range []byte(snippet) {
-		if b == 0 {
-			return fmt.Errorf("snippet %q: null byte at position %d", name, i)
-		}
-		if b < 0x09 || (b > 0x0D && b < 0x20 && b != 0x1B) {
-			return fmt.Errorf("snippet %q: control character 0x%02x at position %d", name, b, i)
-		}
-	}
-
-	return nil
-}

client/inspect/envoy_forward.go

@@ -1,88 +0,0 @@
-package inspect
-
-import (
-	"context"
-	"encoding/binary"
-	"fmt"
-	"net"
-	"net/netip"
-)
-
-// PROXY protocol v2 constants (RFC 7239 / HAProxy spec)
-var proxyV2Signature = [12]byte{
-	0x0D, 0x0A, 0x0D, 0x0A, 0x00, 0x0D, 0x0A, 0x51,
-	0x55, 0x49, 0x54, 0x0A,
-}
-
-const (
-	proxyV2VersionCommand = 0x21 // version 2, PROXY command
-	proxyV2FamilyTCP4     = 0x11 // AF_INET, STREAM
-	proxyV2FamilyTCP6     = 0x21 // AF_INET6, STREAM
-)
-
-// forwardToEnvoy forwards a connection to the given envoy sidecar via PROXY protocol v2.
-// The caller provides the envoy manager snapshot to avoid accessing p.envoy without lock.
-func (p *Proxy) forwardToEnvoy(ctx context.Context, pconn *peekConn, dst netip.AddrPort, src SourceInfo, em *envoyManager) error {
-	envoyAddr := em.ListenAddr()
-
-	conn, err := (&net.Dialer{}).DialContext(ctx, "tcp", envoyAddr.String())
-	if err != nil {
-		return fmt.Errorf("dial envoy at %s: %w", envoyAddr, err)
-	}
-	defer func() {
-		if err := conn.Close(); err != nil {
-			p.log.Debugf("close envoy conn: %v", err)
-		}
-	}()
-
-	if err := writeProxyV2Header(conn, src.IP, dst); err != nil {
-		return fmt.Errorf("write PROXY v2 header: %w", err)
-	}
-
-	p.log.Tracef("envoy: forwarded %s -> %s via PROXY v2", src.IP, dst)
-
-	return relay(ctx, pconn, conn)
-}
-
-// writeProxyV2Header writes a PROXY protocol v2 header to w.
-// The header encodes the original source IP and the destination address:port.
-func writeProxyV2Header(w net.Conn, srcIP netip.Addr, dst netip.AddrPort) error {
-	srcIP = srcIP.Unmap()
-	dstIP := dst.Addr().Unmap()
-
-	var (
-		family byte
-		addrs  []byte
-	)
-
-	if srcIP.Is4() && dstIP.Is4() {
-		family = proxyV2FamilyTCP4
-		s4 := srcIP.As4()
-		d4 := dstIP.As4()
-		addrs = make([]byte, 12) // 4+4+2+2
-		copy(addrs[0:4], s4[:])
-		copy(addrs[4:8], d4[:])
-		binary.BigEndian.PutUint16(addrs[8:10], 0) // src port unknown
-		binary.BigEndian.PutUint16(addrs[10:12], dst.Port())
-	} else {
-		family = proxyV2FamilyTCP6
-		s16 := srcIP.As16()
-		d16 := dstIP.As16()
-		addrs = make([]byte, 36) // 16+16+2+2
-		copy(addrs[0:16], s16[:])
-		copy(addrs[16:32], d16[:])
-		binary.BigEndian.PutUint16(addrs[32:34], 0) // src port unknown
-		binary.BigEndian.PutUint16(addrs[34:36], dst.Port())
-	}
-
-	// Header: signature(12) + ver_cmd(1) + family(1) + len(2) + addrs
-	header := make([]byte, 16+len(addrs))
-	copy(header[0:12], proxyV2Signature[:])
-	header[12] = proxyV2VersionCommand
-	header[13] = family
-	binary.BigEndian.PutUint16(header[14:16], uint16(len(addrs)))
-	copy(header[16:], addrs)
-
-	_, err := w.Write(header)
-	return err
-}

client/inspect/envoy_signal.go

@@ -1,13 +0,0 @@
-//go:build !windows
-
-package inspect
-
-import (
-	"os"
-	"syscall"
-)
-
-// signalReload sends SIGHUP to the envoy process to trigger config reload.
-func signalReload(p *os.Process) error {
-	return p.Signal(syscall.SIGHUP)
-}

client/inspect/envoy_signal_windows.go

@@ -1,13 +0,0 @@
-//go:build windows
-
-package inspect
-
-import (
-	"fmt"
-	"os"
-)
-
-// signalReload is not supported on Windows. Envoy must be restarted.
-func signalReload(_ *os.Process) error {
-	return fmt.Errorf("envoy config reload via signal not supported on Windows")
-}

client/inspect/external.go

@@ -1,229 +0,0 @@
-package inspect
-
-import (
-	"bufio"
-	"context"
-	"encoding/base64"
-	"fmt"
-	"io"
-	"net"
-	"net/http"
-	"net/netip"
-	"net/url"
-	"time"
-)
-
-const (
-	externalDialTimeout = 10 * time.Second
-)
-
-// handleExternal forwards the connection to an external proxy.
-// For TLS connections, it uses HTTP CONNECT to tunnel through the proxy.
-// For HTTP connections, it rewrites the request to use the proxy.
-func (p *Proxy) handleExternal(ctx context.Context, pconn *peekConn, dst netip.AddrPort) error {
-	p.mu.RLock()
-	proxyURL := p.config.ExternalURL
-	p.mu.RUnlock()
-
-	if proxyURL == nil {
-		return fmt.Errorf("external proxy URL not configured")
-	}
-
-	switch proxyURL.Scheme {
-	case "http", "https":
-		return p.externalHTTPProxy(ctx, pconn, dst, proxyURL)
-	case "socks5":
-		return p.externalSOCKS5(ctx, pconn, dst, proxyURL)
-	default:
-		return fmt.Errorf("unsupported external proxy scheme: %s", proxyURL.Scheme)
-	}
-}
-
-// externalHTTPProxy tunnels through an HTTP proxy using CONNECT.
-func (p *Proxy) externalHTTPProxy(ctx context.Context, pconn *peekConn, dst netip.AddrPort, proxyURL *url.URL) error {
-	proxyAddr := proxyURL.Host
-	if _, _, err := net.SplitHostPort(proxyAddr); err != nil {
-		proxyAddr = net.JoinHostPort(proxyAddr, "8080")
-	}
-
-	proxyConn, err := (&net.Dialer{Timeout: externalDialTimeout}).DialContext(ctx, "tcp", proxyAddr)
-	if err != nil {
-		return fmt.Errorf("dial external proxy %s: %w", proxyAddr, err)
-	}
-	defer func() {
-		if err := proxyConn.Close(); err != nil {
-			p.log.Debugf("close external proxy conn: %v", err)
-		}
-	}()
-
-	connectReq := fmt.Sprintf("CONNECT %s HTTP/1.1\r\nHost: %s\r\n", dst.String(), dst.String())
-	if proxyURL.User != nil {
-		connectReq += "Proxy-Authorization: Basic " + basicAuth(proxyURL.User) + "\r\n"
-	}
-	connectReq += "\r\n"
-
-	if _, err := io.WriteString(proxyConn, connectReq); err != nil {
-		return fmt.Errorf("send CONNECT to proxy: %w", err)
-	}
-
-	resp, err := http.ReadResponse(bufio.NewReader(proxyConn), nil)
-	if err != nil {
-		return fmt.Errorf("read CONNECT response: %w", err)
-	}
-	if err := resp.Body.Close(); err != nil {
-		p.log.Debugf("close CONNECT resp body: %v", err)
-	}
-
-	if resp.StatusCode != http.StatusOK {
-		return fmt.Errorf("proxy CONNECT failed: %s", resp.Status)
-	}
-
-	return relay(ctx, pconn, proxyConn)
-}
-
-// externalSOCKS5 tunnels through a SOCKS5 proxy.
-func (p *Proxy) externalSOCKS5(ctx context.Context, pconn *peekConn, dst netip.AddrPort, proxyURL *url.URL) error {
-	proxyAddr := proxyURL.Host
-	if _, _, err := net.SplitHostPort(proxyAddr); err != nil {
-		proxyAddr = net.JoinHostPort(proxyAddr, "1080")
-	}
-
-	proxyConn, err := (&net.Dialer{Timeout: externalDialTimeout}).DialContext(ctx, "tcp", proxyAddr)
-	if err != nil {
-		return fmt.Errorf("dial SOCKS5 proxy %s: %w", proxyAddr, err)
-	}
-	defer func() {
-		if err := proxyConn.Close(); err != nil {
-			p.log.Debugf("close SOCKS5 proxy conn: %v", err)
-		}
-	}()
-
-	if err := socks5Handshake(proxyConn, dst, proxyURL.User); err != nil {
-		return fmt.Errorf("SOCKS5 handshake: %w", err)
-	}
-
-	return relay(ctx, pconn, proxyConn)
-}
-
-// socks5Handshake performs the SOCKS5 handshake to connect through the proxy.
-func socks5Handshake(conn net.Conn, dst netip.AddrPort, userinfo *url.Userinfo) error {
-	needAuth := userinfo != nil
-
-	// Greeting
-	var methods []byte
-	if needAuth {
-		methods = []byte{0x00, 0x02} // no auth, username/password
-	} else {
-		methods = []byte{0x00} // no auth
-	}
-	greeting := append([]byte{0x05, byte(len(methods))}, methods...)
-	if _, err := conn.Write(greeting); err != nil {
-		return fmt.Errorf("send greeting: %w", err)
-	}
-
-	// Server method selection
-	var methodResp [2]byte
-	if _, err := io.ReadFull(conn, methodResp[:]); err != nil {
-		return fmt.Errorf("read method selection: %w", err)
-	}
-	if methodResp[0] != 0x05 {
-		return fmt.Errorf("unexpected SOCKS version: %d", methodResp[0])
-	}
-
-	// Handle authentication if selected
-	if methodResp[1] == 0x02 {
-		if err := socks5Auth(conn, userinfo); err != nil {
-			return err
-		}
-	} else if methodResp[1] != 0x00 {
-		return fmt.Errorf("unsupported SOCKS5 auth method: %d", methodResp[1])
-	}
-
-	// Connection request
-	addr := dst.Addr()
-	var addrBytes []byte
-	if addr.Is4() {
-		a4 := addr.As4()
-		addrBytes = append([]byte{0x01}, a4[:]...) // IPv4
-	} else {
-		a16 := addr.As16()
-		addrBytes = append([]byte{0x04}, a16[:]...) // IPv6
-	}
-
-	port := dst.Port()
-	connectReq := append([]byte{0x05, 0x01, 0x00}, addrBytes...)
-	connectReq = append(connectReq, byte(port>>8), byte(port))
-
-	if _, err := conn.Write(connectReq); err != nil {
-		return fmt.Errorf("send connect request: %w", err)
-	}
-
-	// Read response (minimum 10 bytes for IPv4)
-	var respHeader [4]byte
-	if _, err := io.ReadFull(conn, respHeader[:]); err != nil {
-		return fmt.Errorf("read connect response: %w", err)
-	}
-	if respHeader[1] != 0x00 {
-		return fmt.Errorf("SOCKS5 connect failed: status %d", respHeader[1])
-	}
-
-	// Skip bound address
-	switch respHeader[3] {
-	case 0x01: // IPv4
-		var skip [4 + 2]byte
-		if _, err := io.ReadFull(conn, skip[:]); err != nil {
-			return fmt.Errorf("read SOCKS5 bound IPv4 address: %w", err)
-		}
-	case 0x04: // IPv6
-		var skip [16 + 2]byte
-		if _, err := io.ReadFull(conn, skip[:]); err != nil {
-			return fmt.Errorf("read SOCKS5 bound IPv6 address: %w", err)
-		}
-	case 0x03: // Domain
-		var dLen [1]byte
-		if _, err := io.ReadFull(conn, dLen[:]); err != nil {
-			return fmt.Errorf("read domain length: %w", err)
-		}
-		skip := make([]byte, int(dLen[0])+2)
-		if _, err := io.ReadFull(conn, skip); err != nil {
-			return fmt.Errorf("read SOCKS5 bound domain address: %w", err)
-		}
-	}
-
-	return nil
-}
-
-func socks5Auth(conn net.Conn, userinfo *url.Userinfo) error {
-	if userinfo == nil {
-		return fmt.Errorf("SOCKS5 auth required but no credentials provided")
-	}
-
-	user := userinfo.Username()
-	pass, _ := userinfo.Password()
-
-	// Username/password auth (RFC 1929)
-	auth := []byte{0x01, byte(len(user))}
-	auth = append(auth, []byte(user)...)
-	auth = append(auth, byte(len(pass)))
-	auth = append(auth, []byte(pass)...)
-
-	if _, err := conn.Write(auth); err != nil {
-		return fmt.Errorf("send auth: %w", err)
-	}
-
-	var resp [2]byte
-	if _, err := io.ReadFull(conn, resp[:]); err != nil {
-		return fmt.Errorf("read auth response: %w", err)
-	}
-	if resp[1] != 0x00 {
-		return fmt.Errorf("SOCKS5 auth failed: status %d", resp[1])
-	}
-
-	return nil
-}
-
-func basicAuth(userinfo *url.Userinfo) string {
-	user := userinfo.Username()
-	pass, _ := userinfo.Password()
-	return base64.StdEncoding.EncodeToString([]byte(user + ":" + pass))
-}

client/inspect/http.go

@@ -1,532 +0,0 @@
-package inspect
-
-import (
-	"bufio"
-	"context"
-	"fmt"
-	"io"
-	"net"
-	"net/http"
-	"net/netip"
-	"strings"
-	"sync"
-	"time"
-
-	"github.com/netbirdio/netbird/shared/management/domain"
-)
-
-const (
-	headerUpgrade  = "Upgrade"
-	valueWebSocket = "websocket"
-)
-
-// inspectHTTP runs the HTTP inspection pipeline on decrypted traffic.
-// It handles HTTP/1.1 (request-response loop), HTTP/2 (via Go stdlib reverse proxy),
-// and WebSocket upgrade detection.
-func (p *Proxy) inspectHTTP(ctx context.Context, client, remote net.Conn, dst netip.AddrPort, sni domain.Domain, src SourceInfo, proto string) error {
-	if proto == "h2" {
-		return p.inspectH2(ctx, client, remote, dst, sni, src)
-	}
-	return p.inspectH1(ctx, client, remote, dst, sni, src)
-}
-
-// inspectH1 handles HTTP/1.1 request-response inspection in a loop.
-func (p *Proxy) inspectH1(ctx context.Context, client, remote net.Conn, dst netip.AddrPort, sni domain.Domain, src SourceInfo) error {
-	clientReader := bufio.NewReader(client)
-	remoteReader := bufio.NewReader(remote)
-
-	for {
-		if ctx.Err() != nil {
-			return ctx.Err()
-		}
-
-		// Set idle timeout between requests to prevent connection hogging.
-		if err := client.SetReadDeadline(time.Now().Add(idleTimeout)); err != nil {
-			return fmt.Errorf("set idle deadline: %w", err)
-		}
-		req, err := http.ReadRequest(clientReader)
-		if err != nil {
-			if isClosedErr(err) {
-				return nil
-			}
-			return fmt.Errorf("read HTTP request: %w", err)
-		}
-		if err := client.SetReadDeadline(time.Time{}); err != nil {
-			return fmt.Errorf("clear read deadline: %w", err)
-		}
-
-		// Re-evaluate rules based on Host header if SNI was empty
-		host := hostFromRequest(req, sni)
-
-		// Domain fronting: Host header doesn't match TLS SNI
-		if isDomainFronting(req, sni) {
-			p.log.Debugf("domain fronting detected: SNI=%s Host=%s", sni.PunycodeString(), host.PunycodeString())
-			writeBlockResponse(client, req, host)
-			return ErrBlocked
-		}
-
-		proto := ProtoHTTP
-		if isWebSocketUpgrade(req) {
-			proto = ProtoWebSocket
-		}
-		action := p.evaluateAction(src.IP, host, dst, proto, req.URL.Path)
-		if action == ActionBlock {
-			p.log.Debugf("block: HTTP %s %s (host=%s)", req.Method, req.URL.Path, host.PunycodeString())
-			writeBlockResponse(client, req, host)
-			return ErrBlocked
-		}
-		p.log.Tracef("allow: HTTP %s %s (host=%s, action=%s)", req.Method, req.URL.Path, host.PunycodeString(), action)
-
-		// ICAP REQMOD: send request for inspection.
-		// Snapshot ICAP client under lock to avoid use-after-close races.
-		p.mu.RLock()
-		icap := p.icap
-		p.mu.RUnlock()
-		if icap != nil {
-			modified, err := icap.ReqMod(req)
-			if err != nil {
-				p.log.Debugf("ICAP REQMOD error for %s: %v", host.PunycodeString(), err)
-				// Fail-closed: block on ICAP error
-				writeBlockResponse(client, req, host)
-				return fmt.Errorf("ICAP REQMOD: %w", err)
-			}
-			req = modified
-		}
-
-		if isWebSocketUpgrade(req) {
-			return p.handleWebSocket(ctx, req, client, clientReader, remote, remoteReader)
-		}
-
-		removeHopByHopHeaders(req.Header)
-
-		if err := req.Write(remote); err != nil {
-			return fmt.Errorf("forward request: %w", err)
-		}
-
-		resp, err := http.ReadResponse(remoteReader, req)
-		if err != nil {
-			return fmt.Errorf("read HTTP response: %w", err)
-		}
-
-		// ICAP RESPMOD: send response for inspection
-		if icap != nil {
-			modified, err := icap.RespMod(req, resp)
-			if err != nil {
-				p.log.Debugf("ICAP RESPMOD error for %s: %v", host.PunycodeString(), err)
-				if err := resp.Body.Close(); err != nil {
-					p.log.Debugf("close resp body: %v", err)
-				}
-				writeBlockResponse(client, req, host)
-				return fmt.Errorf("ICAP RESPMOD: %w", err)
-			}
-			resp = modified
-		}
-
-		removeHopByHopHeaders(resp.Header)
-
-		if err := resp.Write(client); err != nil {
-			if closeErr := resp.Body.Close(); closeErr != nil {
-				p.log.Debugf("close resp body: %v", closeErr)
-			}
-			return fmt.Errorf("forward response: %w", err)
-		}
-		if err := resp.Body.Close(); err != nil {
-			p.log.Debugf("close resp body: %v", err)
-		}
-
-		// Connection: close means we're done
-		if resp.Close || req.Close {
-			return nil
-		}
-	}
-}
-
-// inspectH2 proxies HTTP/2 traffic using Go's http stack.
-// Client and remote are already-established TLS connections with h2 negotiated.
-func (p *Proxy) inspectH2(ctx context.Context, client, remote net.Conn, dst netip.AddrPort, sni domain.Domain, src SourceInfo) error {
-	// For h2 MITM inspection, we use a local http.Server reading from the client
-	// connection and an http.Transport writing to the remote connection.
-	//
-	// The transport is configured to use the existing TLS connection to the
-	// real server. The handler inspects each request/response pair.
-
-	transport := &http.Transport{
-		DialContext: func(_ context.Context, _, _ string) (net.Conn, error) {
-			return remote, nil
-		},
-		DialTLSContext: func(_ context.Context, _, _ string) (net.Conn, error) {
-			return remote, nil
-		},
-		ForceAttemptHTTP2: true,
-	}
-
-	handler := &h2InspectionHandler{
-		proxy:     p,
-		transport: transport,
-		dst:       dst,
-		sni:       sni,
-		src:       src,
-	}
-
-	server := &http.Server{
-		Handler: handler,
-	}
-
-	// Serve the single client connection.
-	// ServeConn blocks until the connection is done.
-	errCh := make(chan error, 1)
-	go func() {
-		// http.Server doesn't have a direct ServeConn for h2,
-		// so we use Serve with a single-connection listener.
-		ln := &singleConnListener{conn: client}
-		errCh <- server.Serve(ln)
-	}()
-
-	select {
-	case <-ctx.Done():
-		if err := server.Close(); err != nil {
-			p.log.Debugf("close h2 server: %v", err)
-		}
-		return ctx.Err()
-	case err := <-errCh:
-		if err == http.ErrServerClosed {
-			return nil
-		}
-		return err
-	}
-}
-
-// h2InspectionHandler inspects each HTTP/2 request/response pair.
-type h2InspectionHandler struct {
-	proxy     *Proxy
-	transport http.RoundTripper
-	dst       netip.AddrPort
-	sni       domain.Domain
-	src       SourceInfo
-}
-
-func (h *h2InspectionHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
-	host := hostFromRequest(req, h.sni)
-
-	if isDomainFronting(req, h.sni) {
-		h.proxy.log.Debugf("domain fronting detected: SNI=%s Host=%s", h.sni.PunycodeString(), host.PunycodeString())
-		writeBlockPage(w, host)
-		return
-	}
-
-	action := h.proxy.evaluateAction(h.src.IP, host, h.dst, ProtoH2, req.URL.Path)
-	if action == ActionBlock {
-		h.proxy.log.Debugf("block: H2 %s %s (host=%s)", req.Method, req.URL.Path, host.PunycodeString())
-		writeBlockPage(w, host)
-		return
-	}
-
-	// ICAP REQMOD
-	if h.proxy.icap != nil {
-		modified, err := h.proxy.icap.ReqMod(req)
-		if err != nil {
-			h.proxy.log.Debugf("ICAP REQMOD error for %s: %v", host.PunycodeString(), err)
-			writeBlockPage(w, host)
-			return
-		}
-		req = modified
-	}
-
-	// Forward to upstream
-	req.URL.Scheme = "https"
-	req.URL.Host = h.sni.PunycodeString()
-	req.RequestURI = ""
-
-	resp, err := h.transport.RoundTrip(req)
-	if err != nil {
-		h.proxy.log.Debugf("h2 upstream error for %s: %v", host.PunycodeString(), err)
-		http.Error(w, "Bad Gateway", http.StatusBadGateway)
-		return
-	}
-	defer func() {
-		if err := resp.Body.Close(); err != nil {
-			h.proxy.log.Debugf("close h2 resp body: %v", err)
-		}
-	}()
-
-	// ICAP RESPMOD
-	if h.proxy.icap != nil {
-		modified, err := h.proxy.icap.RespMod(req, resp)
-		if err != nil {
-			h.proxy.log.Debugf("ICAP RESPMOD error for %s: %v", host.PunycodeString(), err)
-			writeBlockPage(w, host)
-			return
-		}
-		resp = modified
-	}
-
-	// Copy response headers and body
-	for k, vals := range resp.Header {
-		for _, v := range vals {
-			w.Header().Add(k, v)
-		}
-	}
-	w.WriteHeader(resp.StatusCode)
-	if _, err := io.Copy(w, resp.Body); err != nil {
-		h.proxy.log.Debugf("h2 response copy error: %v", err)
-	}
-}
-
-// handleWebSocket completes the WebSocket upgrade and relays frames bidirectionally.
-func (p *Proxy) handleWebSocket(ctx context.Context, req *http.Request, client io.ReadWriter, clientReader *bufio.Reader, remote io.ReadWriter, remoteReader *bufio.Reader) error {
-	if err := req.Write(remote); err != nil {
-		return fmt.Errorf("forward WebSocket upgrade: %w", err)
-	}
-
-	resp, err := http.ReadResponse(remoteReader, req)
-	if err != nil {
-		return fmt.Errorf("read WebSocket upgrade response: %w", err)
-	}
-
-	if err := resp.Write(client); err != nil {
-		if closeErr := resp.Body.Close(); closeErr != nil {
-			p.log.Debugf("close ws resp body: %v", closeErr)
-		}
-		return fmt.Errorf("forward WebSocket upgrade response: %w", err)
-	}
-	if err := resp.Body.Close(); err != nil {
-		p.log.Debugf("close ws resp body: %v", err)
-	}
-
-	if resp.StatusCode != http.StatusSwitchingProtocols {
-		return fmt.Errorf("WebSocket upgrade rejected: status %d", resp.StatusCode)
-	}
-
-	p.log.Tracef("allow: WebSocket upgrade for %s", req.Host)
-
-	// Relay WebSocket frames bidirectionally.
-	// clientReader/remoteReader may have buffered data.
-	clientConn := mergeReadWriter(clientReader, client)
-	remoteConn := mergeReadWriter(remoteReader, remote)
-
-	return relayRW(ctx, clientConn, remoteConn)
-}
-
-// hostFromRequest extracts a domain.Domain from the HTTP request Host header,
-// falling back to the SNI if Host is empty or an IP.
-func hostFromRequest(req *http.Request, fallback domain.Domain) domain.Domain {
-	host := req.Host
-	if host == "" {
-		return fallback
-	}
-
-	// Strip port if present
-	if h, _, err := net.SplitHostPort(host); err == nil {
-		host = h
-	}
-
-	// If it's an IP address, use the SNI fallback
-	if _, err := netip.ParseAddr(host); err == nil {
-		return fallback
-	}
-
-	d, err := domain.FromString(host)
-	if err != nil {
-		return fallback
-	}
-	return d
-}
-
-// isDomainFronting detects domain fronting: the Host header doesn't match the
-// SNI used during the TLS handshake. Only meaningful when SNI is non-empty
-// (i.e., we're in MITM mode and know the original SNI).
-func isDomainFronting(req *http.Request, sni domain.Domain) bool {
-	if sni == "" {
-		return false
-	}
-
-	host := hostFromRequest(req, "")
-	if host == "" {
-		return false
-	}
-
-	// Host should match SNI or be a subdomain of SNI
-	if host == sni {
-		return false
-	}
-
-	// Allow www.example.com when SNI is example.com
-	sniStr := sni.PunycodeString()
-	hostStr := host.PunycodeString()
-	if strings.HasSuffix(hostStr, "."+sniStr) {
-		return false
-	}
-
-	return true
-}
-
-func isWebSocketUpgrade(req *http.Request) bool {
-	return strings.EqualFold(req.Header.Get(headerUpgrade), valueWebSocket)
-}
-
-// writeBlockPage writes the styled HTML block page to an http.ResponseWriter (H2 path).
-func writeBlockPage(w http.ResponseWriter, host domain.Domain) {
-	hostname := host.PunycodeString()
-	body := fmt.Sprintf(blockPageHTML, hostname, hostname)
-	w.Header().Set("Content-Type", "text/html; charset=utf-8")
-	w.Header().Set("Cache-Control", "no-store")
-	w.WriteHeader(http.StatusForbidden)
-	io.WriteString(w, body)
-}
-
-func writeBlockResponse(w io.Writer, _ *http.Request, host domain.Domain) {
-	hostname := host.PunycodeString()
-	body := fmt.Sprintf(blockPageHTML, hostname, hostname)
-
-	resp := &http.Response{
-		StatusCode:    http.StatusForbidden,
-		ProtoMajor:    1,
-		ProtoMinor:    1,
-		Header:        make(http.Header),
-		ContentLength: int64(len(body)),
-		Body:          io.NopCloser(strings.NewReader(body)),
-	}
-	resp.Header.Set("Content-Type", "text/html; charset=utf-8")
-	resp.Header.Set("Connection", "close")
-	resp.Header.Set("Cache-Control", "no-store")
-	_ = resp.Write(w)
-}
-
-// blockPageHTML is the self-contained HTML block page.
-// Uses NetBird dark theme with orange accent. Two format args: page title domain, displayed domain.
-const blockPageHTML = `<!DOCTYPE html>
-<html lang="en">
-<head>
-<meta charset="utf-8">
-<meta name="viewport" content="width=device-width,initial-scale=1">
-<title>Blocked - %s</title>
-<style>
-*{margin:0;padding:0;box-sizing:border-box}
-body{background:#181a1d;color:#d1d5db;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,sans-serif;min-height:100vh;display:flex;align-items:center;justify-content:center}
-.c{text-align:center;max-width:460px;padding:2rem}
-.shield{width:56px;height:56px;margin:0 auto 1.5rem;border-radius:16px;background:#2b2f33;display:flex;align-items:center;justify-content:center}
-.shield svg{width:28px;height:28px;color:#f68330}
-.code{font-size:.8rem;font-weight:500;color:#f68330;font-family:ui-monospace,monospace;letter-spacing:.05em;margin-bottom:.5rem}
-h1{font-size:1.5rem;font-weight:600;color:#f4f4f5;margin-bottom:.5rem}
-p{font-size:.95rem;line-height:1.5;color:#9ca3af;margin-bottom:1.75rem}
-.domain{display:inline-block;background:#25282d;border:1px solid #32363d;border-radius:6px;padding:.15rem .5rem;font-family:ui-monospace,monospace;font-size:.85rem;color:#d1d5db}
-.footer{font-size:.7rem;color:#6b7280;margin-top:2rem;letter-spacing:.03em}
-.footer a{color:#6b7280;text-decoration:none}
-.footer a:hover{color:#9ca3af}
-</style>
-</head>
-<body>
-<div class="c">
-<div class="shield"><svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor"><path stroke-linecap="round" stroke-linejoin="round" d="M12 9v3.75m0-10.036A11.959 11.959 0 0 1 3.598 6 11.99 11.99 0 0 0 3 9.75c0 5.592 3.824 10.29 9 11.622 5.176-1.332 9-6.03 9-11.622 0-1.31-.21-2.571-.598-3.751A11.96 11.96 0 0 0 12 3.714Z"/></svg></div>
-<div class="code">403 BLOCKED</div>
-<h1>Access Denied</h1>
-<p>This connection to <span class="domain">%s</span> has been blocked by your organization's network policy.</p>
-<div class="footer">Protected by <a href="https://netbird.io" target="_blank" rel="noopener">NetBird</a></div>
-</div>
-</body>
-</html>`
-
-// singleConnListener is a net.Listener that yields a single connection.
-type singleConnListener struct {
-	conn net.Conn
-	once sync.Once
-	ch   chan struct{}
-}
-
-func (l *singleConnListener) Accept() (net.Conn, error) {
-	var accepted bool
-	l.once.Do(func() {
-		l.ch = make(chan struct{})
-		accepted = true
-	})
-	if accepted {
-		return l.conn, nil
-	}
-	// Block until Close
-	<-l.ch
-	return nil, net.ErrClosed
-}
-
-func (l *singleConnListener) Close() error {
-	l.once.Do(func() {
-		l.ch = make(chan struct{})
-	})
-	select {
-	case <-l.ch:
-	default:
-		close(l.ch)
-	}
-	return nil
-}
-
-func (l *singleConnListener) Addr() net.Addr {
-	return l.conn.LocalAddr()
-}
-
-type readWriter struct {
-	io.Reader
-	io.Writer
-}
-
-func mergeReadWriter(r io.Reader, w io.Writer) io.ReadWriter {
-	return &readWriter{Reader: r, Writer: w}
-}
-
-// relayRW copies data bidirectionally between two ReadWriters.
-func relayRW(ctx context.Context, a, b io.ReadWriter) error {
-	ctx, cancel := context.WithCancel(ctx)
-	defer cancel()
-
-	errCh := make(chan error, 2)
-
-	go func() {
-		_, err := io.Copy(b, a)
-		cancel()
-		errCh <- err
-	}()
-
-	go func() {
-		_, err := io.Copy(a, b)
-		cancel()
-		errCh <- err
-	}()
-
-	var firstErr error
-	for range 2 {
-		if err := <-errCh; err != nil && firstErr == nil {
-			if !isClosedErr(err) {
-				firstErr = err
-			}
-		}
-	}
-
-	return firstErr
-}
-
-// hopByHopHeaders are HTTP/1.1 headers that apply to a single connection
-// and must not be forwarded by a proxy (RFC 7230, Section 6.1).
-var hopByHopHeaders = []string{
-	"Connection",
-	"Keep-Alive",
-	"Proxy-Authenticate",
-	"Proxy-Authorization",
-	"TE",
-	"Trailers",
-	"Transfer-Encoding",
-	"Upgrade",
-}
-
-// removeHopByHopHeaders strips hop-by-hop headers from h.
-// Also removes headers listed in the Connection header value.
-func removeHopByHopHeaders(h http.Header) {
-	// First, remove any headers named in the Connection header
-	for _, connHeader := range h["Connection"] {
-		for _, name := range strings.Split(connHeader, ",") {
-			h.Del(strings.TrimSpace(name))
-		}
-	}
-
-	for _, name := range hopByHopHeaders {
-		h.Del(name)
-	}
-}

client/inspect/icap.go

@@ -1,479 +0,0 @@
-package inspect
-
-import (
-	"bufio"
-	"bytes"
-	"fmt"
-	"io"
-	"net"
-	"net/http"
-	"net/textproto"
-	"net/url"
-	"strconv"
-	"strings"
-	"sync"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-)
-
-const (
-	icapVersion     = "ICAP/1.0"
-	icapDefaultPort = "1344"
-	icapConnTimeout = 30 * time.Second
-	icapRWTimeout   = 60 * time.Second
-	icapMaxPoolSize = 8
-	icapIdleTimeout = 60 * time.Second
-	icapMaxRespSize = 4 * 1024 * 1024 // 4 MB
-)
-
-// ICAPClient implements an ICAP (RFC 3507) client with persistent connection pooling.
-type ICAPClient struct {
-	reqModURL  *url.URL
-	respModURL *url.URL
-	pool       chan *icapConn
-	mu         sync.Mutex
-	log        *log.Entry
-	maxPool    int
-}
-
-type icapConn struct {
-	conn    net.Conn
-	reader  *bufio.Reader
-	lastUse time.Time
-}
-
-// NewICAPClient creates an ICAP client. Either or both URLs may be nil
-// to disable that mode.
-func NewICAPClient(logger *log.Entry, cfg *ICAPConfig) *ICAPClient {
-	maxPool := cfg.MaxConnections
-	if maxPool <= 0 {
-		maxPool = icapMaxPoolSize
-	}
-
-	return &ICAPClient{
-		reqModURL:  cfg.ReqModURL,
-		respModURL: cfg.RespModURL,
-		pool:       make(chan *icapConn, maxPool),
-		log:        logger,
-		maxPool:    maxPool,
-	}
-}
-
-// ReqMod sends an HTTP request to the ICAP REQMOD service for inspection.
-// Returns the (possibly modified) request, or the original if ICAP returns 204.
-// Returns nil, nil if REQMOD is not configured.
-func (c *ICAPClient) ReqMod(req *http.Request) (*http.Request, error) {
-	if c.reqModURL == nil {
-		return req, nil
-	}
-
-	var reqBuf bytes.Buffer
-	if err := req.Write(&reqBuf); err != nil {
-		return nil, fmt.Errorf("serialize request: %w", err)
-	}
-
-	respBody, err := c.send("REQMOD", c.reqModURL, reqBuf.Bytes(), nil)
-	if err != nil {
-		return nil, err
-	}
-
-	if respBody == nil {
-		return req, nil
-	}
-
-	modified, err := http.ReadRequest(bufio.NewReader(bytes.NewReader(respBody)))
-	if err != nil {
-		return nil, fmt.Errorf("parse ICAP modified request: %w", err)
-	}
-	return modified, nil
-}
-
-// RespMod sends an HTTP response to the ICAP RESPMOD service for inspection.
-// Returns the (possibly modified) response, or the original if ICAP returns 204.
-// Returns nil, nil if RESPMOD is not configured.
-func (c *ICAPClient) RespMod(req *http.Request, resp *http.Response) (*http.Response, error) {
-	if c.respModURL == nil {
-		return resp, nil
-	}
-
-	var reqBuf bytes.Buffer
-	if err := req.Write(&reqBuf); err != nil {
-		return nil, fmt.Errorf("serialize request: %w", err)
-	}
-
-	var respBuf bytes.Buffer
-	if err := resp.Write(&respBuf); err != nil {
-		return nil, fmt.Errorf("serialize response: %w", err)
-	}
-
-	respBody, err := c.send("RESPMOD", c.respModURL, reqBuf.Bytes(), respBuf.Bytes())
-	if err != nil {
-		return nil, err
-	}
-
-	if respBody == nil {
-		// 204 No Content: ICAP server didn't modify the response.
-		// Reconstruct from the buffered copy since resp.Body was consumed by Write.
-		reconstructed, err := http.ReadResponse(bufio.NewReader(bytes.NewReader(respBuf.Bytes())), req)
-		if err != nil {
-			return nil, fmt.Errorf("reconstruct response after ICAP 204: %w", err)
-		}
-		return reconstructed, nil
-	}
-
-	modified, err := http.ReadResponse(bufio.NewReader(bytes.NewReader(respBody)), req)
-	if err != nil {
-		return nil, fmt.Errorf("parse ICAP modified response: %w", err)
-	}
-	return modified, nil
-}
-
-// Close drains and closes all pooled connections.
-func (c *ICAPClient) Close() {
-	close(c.pool)
-	for ic := range c.pool {
-		if err := ic.conn.Close(); err != nil {
-			c.log.Debugf("close ICAP connection: %v", err)
-		}
-	}
-}
-
-// send executes an ICAP request and returns the encapsulated body from the response.
-// Returns nil body for 204 No Content (no modification).
-// Retries once on stale pooled connection (EOF on read).
-func (c *ICAPClient) send(method string, serviceURL *url.URL, reqData, respData []byte) ([]byte, error) {
-	statusCode, headers, body, err := c.trySend(method, serviceURL, reqData, respData)
-	if err != nil && isStaleConnErr(err) {
-		// Retry once with a fresh connection (stale pool entry).
-		c.log.Debugf("ICAP %s: retrying after stale connection: %v", method, err)
-		statusCode, headers, body, err = c.trySend(method, serviceURL, reqData, respData)
-	}
-	if err != nil {
-		return nil, err
-	}
-
-	switch statusCode {
-	case 204:
-		return nil, nil
-	case 200:
-		return body, nil
-	default:
-		c.log.Debugf("ICAP %s returned status %d, headers: %v", method, statusCode, headers)
-		return nil, fmt.Errorf("ICAP %s: status %d", method, statusCode)
-	}
-}
-
-func (c *ICAPClient) trySend(method string, serviceURL *url.URL, reqData, respData []byte) (int, textproto.MIMEHeader, []byte, error) {
-	ic, err := c.getConn(serviceURL)
-	if err != nil {
-		return 0, nil, nil, fmt.Errorf("get ICAP connection: %w", err)
-	}
-
-	if err := c.writeRequest(ic, method, serviceURL, reqData, respData); err != nil {
-		if closeErr := ic.conn.Close(); closeErr != nil {
-			c.log.Debugf("close ICAP conn after write error: %v", closeErr)
-		}
-		return 0, nil, nil, fmt.Errorf("write ICAP %s: %w", method, err)
-	}
-
-	statusCode, headers, body, err := c.readResponse(ic)
-	if err != nil {
-		if closeErr := ic.conn.Close(); closeErr != nil {
-			c.log.Debugf("close ICAP conn after read error: %v", closeErr)
-		}
-		return 0, nil, nil, fmt.Errorf("read ICAP response: %w", err)
-	}
-
-	c.putConn(ic)
-	return statusCode, headers, body, nil
-}
-
-func isStaleConnErr(err error) bool {
-	if err == nil {
-		return false
-	}
-	s := err.Error()
-	return strings.Contains(s, "EOF") || strings.Contains(s, "broken pipe") || strings.Contains(s, "connection reset")
-}
-
-func (c *ICAPClient) writeRequest(ic *icapConn, method string, serviceURL *url.URL, reqData, respData []byte) error {
-	if err := ic.conn.SetWriteDeadline(time.Now().Add(icapRWTimeout)); err != nil {
-		return fmt.Errorf("set write deadline: %w", err)
-	}
-
-	// For RESPMOD, split the serialized HTTP response into headers and body.
-	// The body must be sent chunked per RFC 3507.
-	var respHdr, respBody []byte
-	if respData != nil {
-		if idx := bytes.Index(respData, []byte("\r\n\r\n")); idx >= 0 {
-			respHdr = respData[:idx+4] // include the \r\n\r\n separator
-			respBody = respData[idx+4:]
-		} else {
-			respHdr = respData
-		}
-	}
-
-	var buf bytes.Buffer
-
-	// Request line
-	fmt.Fprintf(&buf, "%s %s %s\r\n", method, serviceURL.String(), icapVersion)
-
-	// Headers
-	host := serviceURL.Host
-	fmt.Fprintf(&buf, "Host: %s\r\n", host)
-	fmt.Fprintf(&buf, "Connection: keep-alive\r\n")
-	fmt.Fprintf(&buf, "Allow: 204\r\n")
-
-	// Build Encapsulated header
-	offset := 0
-	var encapParts []string
-	if reqData != nil {
-		encapParts = append(encapParts, fmt.Sprintf("req-hdr=%d", offset))
-		offset += len(reqData)
-	}
-	if respHdr != nil {
-		encapParts = append(encapParts, fmt.Sprintf("res-hdr=%d", offset))
-		offset += len(respHdr)
-	}
-	if len(respBody) > 0 {
-		encapParts = append(encapParts, fmt.Sprintf("res-body=%d", offset))
-	} else {
-		encapParts = append(encapParts, fmt.Sprintf("null-body=%d", offset))
-	}
-	fmt.Fprintf(&buf, "Encapsulated: %s\r\n", strings.Join(encapParts, ", "))
-	fmt.Fprintf(&buf, "\r\n")
-
-	// Encapsulated sections
-	if reqData != nil {
-		buf.Write(reqData)
-	}
-	if respHdr != nil {
-		buf.Write(respHdr)
-	}
-	// Body in chunked encoding (only when there is an actual body section).
-	// Per RFC 3507 Section 4.4.1, null-body must not include any entity data.
-	if len(respBody) > 0 {
-		fmt.Fprintf(&buf, "%x\r\n", len(respBody))
-		buf.Write(respBody)
-		buf.WriteString("\r\n")
-		buf.WriteString("0\r\n\r\n")
-	}
-
-	_, err := ic.conn.Write(buf.Bytes())
-	return err
-}
-
-func (c *ICAPClient) readResponse(ic *icapConn) (int, textproto.MIMEHeader, []byte, error) {
-	if err := ic.conn.SetReadDeadline(time.Now().Add(icapRWTimeout)); err != nil {
-		return 0, nil, nil, fmt.Errorf("set read deadline: %w", err)
-	}
-
-	tp := textproto.NewReader(ic.reader)
-
-	// Status line: "ICAP/1.0 200 OK"
-	statusLine, err := tp.ReadLine()
-	if err != nil {
-		return 0, nil, nil, fmt.Errorf("read status line: %w", err)
-	}
-
-	statusCode, err := parseICAPStatus(statusLine)
-	if err != nil {
-		return 0, nil, nil, err
-	}
-
-	// Headers
-	headers, err := tp.ReadMIMEHeader()
-	if err != nil {
-		return statusCode, nil, nil, fmt.Errorf("read ICAP headers: %w", err)
-	}
-
-	if statusCode == 204 {
-		return statusCode, headers, nil, nil
-	}
-
-	// Read encapsulated body based on Encapsulated header
-	body, err := c.readEncapsulatedBody(ic.reader, headers)
-	if err != nil {
-		return statusCode, headers, nil, fmt.Errorf("read encapsulated body: %w", err)
-	}
-
-	return statusCode, headers, body, nil
-}
-
-func (c *ICAPClient) readEncapsulatedBody(r *bufio.Reader, headers textproto.MIMEHeader) ([]byte, error) {
-	encap := headers.Get("Encapsulated")
-	if encap == "" {
-		return nil, nil
-	}
-
-	// Find the body offset from the Encapsulated header.
-	// The last section with a non-zero offset is the body.
-	// Read everything from the reader as the encapsulated content.
-	var totalSize int
-	parts := strings.Split(encap, ",")
-	for _, part := range parts {
-		part = strings.TrimSpace(part)
-		eqIdx := strings.Index(part, "=")
-		if eqIdx < 0 {
-			continue
-		}
-		offset, err := strconv.Atoi(strings.TrimSpace(part[eqIdx+1:]))
-		if err != nil {
-			continue
-		}
-		if offset > totalSize {
-			totalSize = offset
-		}
-	}
-
-	// Read all available encapsulated data (headers + body)
-	// The body section uses chunked encoding per RFC 3507
-	var buf bytes.Buffer
-	if totalSize > 0 {
-		// Read the header sections (everything before the body offset)
-		headerBytes := make([]byte, totalSize)
-		if _, err := io.ReadFull(r, headerBytes); err != nil {
-			return nil, fmt.Errorf("read encapsulated headers: %w", err)
-		}
-		buf.Write(headerBytes)
-	}
-
-	// Read chunked body
-	chunked := newChunkedReader(r)
-	body, err := io.ReadAll(io.LimitReader(chunked, icapMaxRespSize))
-	if err != nil {
-		return nil, fmt.Errorf("read chunked body: %w", err)
-	}
-	buf.Write(body)
-
-	return buf.Bytes(), nil
-}
-
-func (c *ICAPClient) getConn(serviceURL *url.URL) (*icapConn, error) {
-	// Try to get a pooled connection
-	for {
-		select {
-		case ic := <-c.pool:
-			if time.Since(ic.lastUse) > icapIdleTimeout {
-				if err := ic.conn.Close(); err != nil {
-					c.log.Debugf("close idle ICAP connection: %v", err)
-				}
-				continue
-			}
-			return ic, nil
-		default:
-			return c.dialConn(serviceURL)
-		}
-	}
-}
-
-func (c *ICAPClient) putConn(ic *icapConn) {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-
-	ic.lastUse = time.Now()
-	select {
-	case c.pool <- ic:
-	default:
-		// Pool full, close connection.
-		if err := ic.conn.Close(); err != nil {
-			c.log.Debugf("close excess ICAP connection: %v", err)
-		}
-	}
-}
-
-func (c *ICAPClient) dialConn(serviceURL *url.URL) (*icapConn, error) {
-	host := serviceURL.Host
-	if _, _, err := net.SplitHostPort(host); err != nil {
-		host = net.JoinHostPort(host, icapDefaultPort)
-	}
-
-	conn, err := net.DialTimeout("tcp", host, icapConnTimeout)
-	if err != nil {
-		return nil, fmt.Errorf("dial ICAP %s: %w", host, err)
-	}
-
-	return &icapConn{
-		conn:    conn,
-		reader:  bufio.NewReader(conn),
-		lastUse: time.Now(),
-	}, nil
-}
-
-func parseICAPStatus(line string) (int, error) {
-	// "ICAP/1.0 200 OK"
-	parts := strings.SplitN(line, " ", 3)
-	if len(parts) < 2 {
-		return 0, fmt.Errorf("malformed ICAP status line: %q", line)
-	}
-	code, err := strconv.Atoi(parts[1])
-	if err != nil {
-		return 0, fmt.Errorf("parse ICAP status code %q: %w", parts[1], err)
-	}
-	return code, nil
-}
-
-// chunkedReader reads ICAP chunked encoding (same as HTTP chunked, terminated by "0\r\n\r\n").
-type chunkedReader struct {
-	r         *bufio.Reader
-	remaining int
-	done      bool
-}
-
-func newChunkedReader(r *bufio.Reader) *chunkedReader {
-	return &chunkedReader{r: r}
-}
-
-func (cr *chunkedReader) Read(p []byte) (int, error) {
-	if cr.done {
-		return 0, io.EOF
-	}
-
-	if cr.remaining == 0 {
-		// Read chunk size line
-		line, err := cr.r.ReadString('\n')
-		if err != nil {
-			return 0, err
-		}
-		line = strings.TrimSpace(line)
-
-		// Strip any chunk extensions
-		if idx := strings.Index(line, ";"); idx >= 0 {
-			line = line[:idx]
-		}
-
-		size, err := strconv.ParseInt(line, 16, 64)
-		if err != nil {
-			return 0, fmt.Errorf("parse chunk size %q: %w", line, err)
-		}
-
-		if size == 0 {
-			cr.done = true
-			// Consume trailing \r\n
-			_, _ = cr.r.ReadString('\n')
-			return 0, io.EOF
-		}
-
-		if size < 0 || size > icapMaxRespSize {
-			return 0, fmt.Errorf("chunk size %d out of range (max %d)", size, icapMaxRespSize)
-		}
-
-		cr.remaining = int(size)
-	}
-
-	toRead := len(p)
-	if toRead > cr.remaining {
-		toRead = cr.remaining
-	}
-
-	n, err := cr.r.Read(p[:toRead])
-	cr.remaining -= n
-
-	if cr.remaining == 0 {
-		// Consume chunk-terminating \r\n
-		_, _ = cr.r.ReadString('\n')
-	}
-
-	return n, err
-}

client/inspect/listener.go

@@ -1,21 +0,0 @@
-//go:build !linux
-
-package inspect
-
-import (
-	"fmt"
-	"net"
-	"net/netip"
-
-	log "github.com/sirupsen/logrus"
-)
-
-// newTPROXYListener is not supported on non-Linux platforms.
-func newTPROXYListener(_ *log.Entry, addr netip.AddrPort, _ netip.Prefix) (net.Listener, error) {
-	return nil, fmt.Errorf("TPROXY listener not supported on this platform (requested %s)", addr)
-}
-
-// getOriginalDst is not supported on non-Linux platforms.
-func getOriginalDst(_ net.Conn) (netip.AddrPort, error) {
-	return netip.AddrPort{}, fmt.Errorf("SO_ORIGINAL_DST not supported on this platform")
-}

client/inspect/listener_linux.go

@@ -1,89 +0,0 @@
-package inspect
-
-import (
-	"fmt"
-	"net"
-	"net/netip"
-	"unsafe"
-
-	log "github.com/sirupsen/logrus"
-	"golang.org/x/sys/unix"
-)
-
-// newTPROXYListener creates a TCP listener for the transparent proxy.
-// After nftables REDIRECT, accepted connections have LocalAddr = WG_IP:proxy_port.
-// The original destination is retrieved via getsockopt(SO_ORIGINAL_DST).
-func newTPROXYListener(logger *log.Entry, addr netip.AddrPort, _ netip.Prefix) (net.Listener, error) {
-	ln, err := net.Listen("tcp", addr.String())
-	if err != nil {
-		return nil, fmt.Errorf("listen on %s: %w", addr, err)
-	}
-
-	logger.Infof("inspect: listener started on %s", ln.Addr())
-	return ln, nil
-}
-
-// getOriginalDst reads the original destination from conntrack via SO_ORIGINAL_DST.
-// This is set by the kernel when the connection was REDIRECT'd/DNAT'd.
-// Tries IPv4 first, then falls back to IPv6 (IP6T_SO_ORIGINAL_DST).
-func getOriginalDst(conn net.Conn) (netip.AddrPort, error) {
-	tc, ok := conn.(*net.TCPConn)
-	if !ok {
-		return netip.AddrPort{}, fmt.Errorf("not a TCPConn")
-	}
-
-	raw, err := tc.SyscallConn()
-	if err != nil {
-		return netip.AddrPort{}, fmt.Errorf("get syscall conn: %w", err)
-	}
-
-	var origDst netip.AddrPort
-	var sockErr error
-	if err := raw.Control(func(fd uintptr) {
-		// Try IPv4 first (SO_ORIGINAL_DST = 80)
-		var sa4 unix.RawSockaddrInet4
-		sa4Len := uint32(unsafe.Sizeof(sa4))
-		_, _, errno := unix.Syscall6(
-			unix.SYS_GETSOCKOPT,
-			fd,
-			unix.SOL_IP,
-			80, // SO_ORIGINAL_DST
-			uintptr(unsafe.Pointer(&sa4)),
-			uintptr(unsafe.Pointer(&sa4Len)),
-			0,
-		)
-		if errno == 0 {
-			addr := netip.AddrFrom4(sa4.Addr)
-			port := uint16(sa4.Port>>8) | uint16(sa4.Port<<8)
-			origDst = netip.AddrPortFrom(addr.Unmap(), port)
-			return
-		}
-
-		// Fall back to IPv6 (IP6T_SO_ORIGINAL_DST = 80 on SOL_IPV6)
-		var sa6 unix.RawSockaddrInet6
-		sa6Len := uint32(unsafe.Sizeof(sa6))
-		_, _, errno = unix.Syscall6(
-			unix.SYS_GETSOCKOPT,
-			fd,
-			unix.SOL_IPV6,
-			80, // IP6T_SO_ORIGINAL_DST
-			uintptr(unsafe.Pointer(&sa6)),
-			uintptr(unsafe.Pointer(&sa6Len)),
-			0,
-		)
-		if errno != 0 {
-			sockErr = fmt.Errorf("getsockopt SO_ORIGINAL_DST (v4 and v6): %w", errno)
-			return
-		}
-		addr := netip.AddrFrom16(sa6.Addr)
-		port := uint16(sa6.Port>>8) | uint16(sa6.Port<<8)
-		origDst = netip.AddrPortFrom(addr.Unmap(), port)
-	}); err != nil {
-		return netip.AddrPort{}, fmt.Errorf("control raw conn: %w", err)
-	}
-	if sockErr != nil {
-		return netip.AddrPort{}, sockErr
-	}
-
-	return origDst, nil
-}

client/inspect/mitm.go

@@ -1,200 +0,0 @@
-package inspect
-
-import (
-	"crypto"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
-	"crypto/tls"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"fmt"
-	"math/big"
-	mrand "math/rand/v2"
-	"sync"
-	"time"
-)
-
-const (
-	// certCacheSize is the maximum number of cached leaf certificates.
-	certCacheSize = 1024
-	// certTTL is how long generated certificates remain valid.
-	certTTL = 24 * time.Hour
-)
-
-// certCache is a bounded LRU cache for generated TLS certificates.
-type certCache struct {
-	mu      sync.Mutex
-	entries map[string]*certEntry
-	// order tracks LRU eviction, most recent at end.
-	order   []string
-	maxSize int
-}
-
-type certEntry struct {
-	cert      *tls.Certificate
-	expiresAt time.Time
-}
-
-func newCertCache(maxSize int) *certCache {
-	return &certCache{
-		entries: make(map[string]*certEntry, maxSize),
-		order:   make([]string, 0, maxSize),
-		maxSize: maxSize,
-	}
-}
-
-func (c *certCache) get(hostname string) (*tls.Certificate, bool) {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-
-	entry, ok := c.entries[hostname]
-	if !ok {
-		return nil, false
-	}
-
-	if time.Now().After(entry.expiresAt) {
-		c.removeLocked(hostname)
-		return nil, false
-	}
-
-	// Move to end (most recently used)
-	c.touchLocked(hostname)
-	return entry.cert, true
-}
-
-func (c *certCache) put(hostname string, cert *tls.Certificate) {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-
-	// Jitter the TTL by +/- 20% to prevent thundering herd on expiry.
-	jitter := time.Duration(float64(certTTL) * (0.8 + 0.4*mrand.Float64()))
-
-	if _, exists := c.entries[hostname]; exists {
-		c.entries[hostname] = &certEntry{
-			cert:      cert,
-			expiresAt: time.Now().Add(jitter),
-		}
-		c.touchLocked(hostname)
-		return
-	}
-
-	// Evict oldest if at capacity
-	for len(c.entries) >= c.maxSize && len(c.order) > 0 {
-		c.removeLocked(c.order[0])
-	}
-
-	c.entries[hostname] = &certEntry{
-		cert:      cert,
-		expiresAt: time.Now().Add(jitter),
-	}
-	c.order = append(c.order, hostname)
-}
-
-func (c *certCache) touchLocked(hostname string) {
-	for i, h := range c.order {
-		if h == hostname {
-			c.order = append(c.order[:i], c.order[i+1:]...)
-			c.order = append(c.order, hostname)
-			return
-		}
-	}
-}
-
-func (c *certCache) removeLocked(hostname string) {
-	delete(c.entries, hostname)
-	for i, h := range c.order {
-		if h == hostname {
-			c.order = append(c.order[:i], c.order[i+1:]...)
-			return
-		}
-	}
-}
-
-// CertProvider generates TLS certificates on the fly, signed by a CA.
-// Generated certificates are cached in an LRU cache.
-type CertProvider struct {
-	ca    *x509.Certificate
-	caKey crypto.PrivateKey
-	cache *certCache
-}
-
-// NewCertProvider creates a certificate provider using the given CA.
-func NewCertProvider(ca *x509.Certificate, caKey crypto.PrivateKey) *CertProvider {
-	return &CertProvider{
-		ca:    ca,
-		caKey: caKey,
-		cache: newCertCache(certCacheSize),
-	}
-}
-
-// GetCertificate returns a TLS certificate for the given hostname,
-// generating and caching one if necessary.
-func (p *CertProvider) GetCertificate(hostname string) (*tls.Certificate, error) {
-	if cert, ok := p.cache.get(hostname); ok {
-		return cert, nil
-	}
-
-	cert, err := p.generateCert(hostname)
-	if err != nil {
-		return nil, fmt.Errorf("generate cert for %s: %w", hostname, err)
-	}
-
-	p.cache.put(hostname, cert)
-	return cert, nil
-}
-
-// GetTLSConfig returns a tls.Config that dynamically provides certificates
-// for any hostname using the MITM CA.
-func (p *CertProvider) GetTLSConfig() *tls.Config {
-	return &tls.Config{
-		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
-			return p.GetCertificate(hello.ServerName)
-		},
-		NextProtos: []string{"h2", "http/1.1"},
-		MinVersion: tls.VersionTLS12,
-	}
-}
-
-func (p *CertProvider) generateCert(hostname string) (*tls.Certificate, error) {
-	serialNumber, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
-	if err != nil {
-		return nil, fmt.Errorf("generate serial number: %w", err)
-	}
-
-	now := time.Now()
-	template := &x509.Certificate{
-		SerialNumber: serialNumber,
-		Subject: pkix.Name{
-			CommonName: hostname,
-		},
-		NotBefore: now.Add(-5 * time.Minute),
-		NotAfter:  now.Add(certTTL),
-		KeyUsage:  x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
-		ExtKeyUsage: []x509.ExtKeyUsage{
-			x509.ExtKeyUsageServerAuth,
-		},
-		DNSNames: []string{hostname},
-	}
-
-	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		return nil, fmt.Errorf("generate leaf key: %w", err)
-	}
-
-	certDER, err := x509.CreateCertificate(rand.Reader, template, p.ca, &leafKey.PublicKey, p.caKey)
-	if err != nil {
-		return nil, fmt.Errorf("sign leaf certificate: %w", err)
-	}
-
-	leafCert, err := x509.ParseCertificate(certDER)
-	if err != nil {
-		return nil, fmt.Errorf("parse generated certificate: %w", err)
-	}
-
-	return &tls.Certificate{
-		Certificate: [][]byte{certDER, p.ca.Raw},
-		PrivateKey:  leafKey,
-		Leaf:        leafCert,
-	}, nil
-}

client/inspect/mitm_test.go

@@ -1,133 +0,0 @@
-package inspect
-
-import (
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
-	"crypto/tls"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"math/big"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func generateTestCA(t *testing.T) (*x509.Certificate, *ecdsa.PrivateKey) {
-	t.Helper()
-
-	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	require.NoError(t, err)
-
-	template := &x509.Certificate{
-		SerialNumber: big.NewInt(1),
-		Subject: pkix.Name{
-			CommonName: "Test CA",
-		},
-		NotBefore:             time.Now().Add(-time.Hour),
-		NotAfter:              time.Now().Add(24 * time.Hour),
-		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
-		BasicConstraintsValid: true,
-		IsCA:                  true,
-	}
-
-	certDER, err := x509.CreateCertificate(rand.Reader, template, template, &key.PublicKey, key)
-	require.NoError(t, err)
-
-	cert, err := x509.ParseCertificate(certDER)
-	require.NoError(t, err)
-
-	return cert, key
-}
-
-func TestCertProvider_GetCertificate(t *testing.T) {
-	ca, caKey := generateTestCA(t)
-	provider := NewCertProvider(ca, caKey)
-
-	cert, err := provider.GetCertificate("example.com")
-	require.NoError(t, err)
-	require.NotNil(t, cert)
-
-	// Verify the leaf certificate
-	assert.Equal(t, "example.com", cert.Leaf.Subject.CommonName)
-	assert.Contains(t, cert.Leaf.DNSNames, "example.com")
-
-	// Verify chain: leaf + CA
-	assert.Len(t, cert.Certificate, 2)
-
-	// Verify leaf is signed by our CA
-	pool := x509.NewCertPool()
-	pool.AddCert(ca)
-	_, err = cert.Leaf.Verify(x509.VerifyOptions{
-		Roots: pool,
-	})
-	require.NoError(t, err)
-}
-
-func TestCertProvider_CachesResults(t *testing.T) {
-	ca, caKey := generateTestCA(t)
-	provider := NewCertProvider(ca, caKey)
-
-	cert1, err := provider.GetCertificate("cached.example.com")
-	require.NoError(t, err)
-
-	cert2, err := provider.GetCertificate("cached.example.com")
-	require.NoError(t, err)
-
-	// Same pointer = cached
-	assert.Equal(t, cert1, cert2)
-}
-
-func TestCertProvider_DifferentHostsDifferentCerts(t *testing.T) {
-	ca, caKey := generateTestCA(t)
-	provider := NewCertProvider(ca, caKey)
-
-	cert1, err := provider.GetCertificate("a.example.com")
-	require.NoError(t, err)
-
-	cert2, err := provider.GetCertificate("b.example.com")
-	require.NoError(t, err)
-
-	assert.NotEqual(t, cert1.Leaf.SerialNumber, cert2.Leaf.SerialNumber)
-}
-
-func TestCertProvider_TLSConfigHandshake(t *testing.T) {
-	ca, caKey := generateTestCA(t)
-	provider := NewCertProvider(ca, caKey)
-
-	tlsConfig := provider.GetTLSConfig()
-	require.NotNil(t, tlsConfig)
-	require.NotNil(t, tlsConfig.GetCertificate)
-
-	// Simulate a ClientHelloInfo
-	hello := &tls.ClientHelloInfo{
-		ServerName: "handshake.example.com",
-	}
-
-	cert, err := tlsConfig.GetCertificate(hello)
-	require.NoError(t, err)
-	assert.Equal(t, "handshake.example.com", cert.Leaf.Subject.CommonName)
-}
-
-func TestCertCache_Eviction(t *testing.T) {
-	cache := newCertCache(3)
-
-	for i := range 5 {
-		hostname := string(rune('a'+i)) + ".example.com"
-		cache.put(hostname, &tls.Certificate{})
-	}
-
-	// Only 3 should remain (c, d, e - the most recent)
-	assert.Len(t, cache.entries, 3)
-
-	_, ok := cache.get("a.example.com")
-	assert.False(t, ok, "oldest entry should be evicted")
-
-	_, ok = cache.get("b.example.com")
-	assert.False(t, ok, "second oldest should be evicted")
-
-	_, ok = cache.get("e.example.com")
-	assert.True(t, ok, "newest entry should exist")
-}

client/inspect/peek.go

@@ -1,109 +0,0 @@
-package inspect
-
-import (
-	"bytes"
-	"fmt"
-	"io"
-	"net"
-)
-
-// peekConn wraps a net.Conn with a buffer that allows reading ahead
-// without consuming data. Subsequent Read calls return the buffered
-// bytes first, then read from the underlying connection.
-type peekConn struct {
-	net.Conn
-	buf bytes.Buffer
-	// peeked holds the raw bytes that were peeked, available for replay.
-	peeked []byte
-}
-
-// newPeekConn wraps conn for peek-ahead reading.
-func newPeekConn(conn net.Conn) *peekConn {
-	return &peekConn{Conn: conn}
-}
-
-// Peek reads exactly n bytes from the connection without consuming them.
-// The peeked bytes are replayed on subsequent Read calls.
-// Peek may only be called once; calling it again returns an error.
-func (c *peekConn) Peek(n int) ([]byte, error) {
-	if c.peeked != nil {
-		return nil, fmt.Errorf("peek already called")
-	}
-
-	buf := make([]byte, n)
-	if _, err := io.ReadFull(c.Conn, buf); err != nil {
-		return nil, fmt.Errorf("peek %d bytes: %w", n, err)
-	}
-
-	c.peeked = buf
-	c.buf.Write(buf)
-
-	return buf, nil
-}
-
-// PeekAll reads up to n bytes, returning whatever is available.
-// Unlike Peek, it does not require exactly n bytes.
-func (c *peekConn) PeekAll(n int) ([]byte, error) {
-	if c.peeked != nil {
-		return nil, fmt.Errorf("peek already called")
-	}
-
-	buf := make([]byte, n)
-	nr, err := c.Conn.Read(buf)
-	if nr > 0 {
-		c.peeked = buf[:nr]
-		c.buf.Write(c.peeked)
-	}
-	if err != nil && nr == 0 {
-		return nil, fmt.Errorf("peek: %w", err)
-	}
-
-	return c.peeked, nil
-}
-
-// PeekMore extends the peeked buffer to at least n total bytes.
-// The buffer is reset and refilled with the extended data.
-// The returned slice is the internal peeked buffer; callers must not
-// retain references from prior Peek/PeekMore calls after calling this.
-func (c *peekConn) PeekMore(n int) ([]byte, error) {
-	if len(c.peeked) >= n {
-		return c.peeked[:n], nil
-	}
-
-	remaining := n - len(c.peeked)
-	extra := make([]byte, remaining)
-	if _, err := io.ReadFull(c.Conn, extra); err != nil {
-		return nil, fmt.Errorf("peek more %d bytes: %w", remaining, err)
-	}
-
-	// Pre-allocate to avoid reallocation detaching previously returned slices.
-	combined := make([]byte, 0, n)
-	combined = append(combined, c.peeked...)
-	combined = append(combined, extra...)
-	c.peeked = combined
-	c.buf.Reset()
-	c.buf.Write(c.peeked)
-
-	return c.peeked, nil
-}
-
-// Peeked returns the bytes that were peeked so far, or nil if Peek hasn't been called.
-func (c *peekConn) Peeked() []byte {
-	return c.peeked
-}
-
-// Read returns buffered peek data first, then reads from the underlying connection.
-func (c *peekConn) Read(p []byte) (int, error) {
-	if c.buf.Len() > 0 {
-		return c.buf.Read(p)
-	}
-	return c.Conn.Read(p)
-}
-
-// reader returns an io.Reader that replays buffered bytes then reads from conn.
-func (c *peekConn) reader() io.Reader {
-	if c.buf.Len() > 0 {
-		return io.MultiReader(&c.buf, c.Conn)
-	}
-	return c.Conn
-}

client/inspect/proxy.go

@@ -1,482 +0,0 @@
-package inspect
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"net"
-	"net/netip"
-	"sync"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-)
-
-// ErrBlocked is returned when a connection is denied by proxy policy.
-var ErrBlocked = errors.New("connection blocked by proxy policy")
-
-const (
-	// headerReadTimeout is the deadline for reading the initial protocol header.
-	// Prevents slow loris attacks where a client opens a connection but sends data slowly.
-	headerReadTimeout = 10 * time.Second
-
-	// idleTimeout is the deadline for idle connections between HTTP requests.
-	idleTimeout = 120 * time.Second
-)
-
-// Proxy is the inspection engine for traffic passing through a NetBird
-// routing peer. It handles protocol detection, rule evaluation, MITM TLS
-// decryption, ICAP delegation, and external proxy forwarding.
-type Proxy struct {
-	config Config
-	rules  *RuleEngine
-	certs  *CertProvider
-	icap   *ICAPClient
-	// envoy is nil unless mode is ModeEnvoy.
-	envoy *envoyManager
-	// dialer is the outbound dialer (with SO_MARK cleared on Linux).
-	dialer net.Dialer
-	log    *log.Entry
-	// wgNetwork is the WG overlay prefix; dial targets inside it are blocked.
-	wgNetwork netip.Prefix
-	// localIPs reports the routing peer's own IPs; dial targets are blocked.
-	localIPs LocalIPChecker
-	// listener is the TPROXY/REDIRECT listener for kernel mode.
-	listener net.Listener
-
-	mu     sync.RWMutex
-	ctx    context.Context
-	cancel context.CancelFunc
-}
-
-// LocalIPChecker reports whether an IP belongs to the local machine.
-type LocalIPChecker interface {
-	IsLocalIP(netip.Addr) bool
-}
-
-// New creates a transparent proxy with the given configuration.
-func New(ctx context.Context, logger *log.Entry, config Config) (*Proxy, error) {
-	ctx, cancel := context.WithCancel(ctx)
-
-	p := &Proxy{
-		config:    config,
-		rules:     NewRuleEngine(logger, config.DefaultAction),
-		dialer:    newOutboundDialer(),
-		log:       logger,
-		wgNetwork: config.WGNetwork,
-		localIPs:  config.LocalIPChecker,
-		ctx:       ctx,
-		cancel:    cancel,
-	}
-
-	p.rules.UpdateRules(config.Rules, config.DefaultAction)
-
-	// Initialize MITM certificate provider
-	if config.TLS != nil {
-		p.certs = NewCertProvider(config.TLS.CA, config.TLS.CAKey)
-	}
-
-	// Initialize ICAP client
-	if config.ICAP != nil {
-		p.icap = NewICAPClient(logger, config.ICAP)
-	}
-
-	// Start envoy sidecar if configured
-	if config.Mode == ModeEnvoy {
-		envoyLog := logger.WithField("sidecar", "envoy")
-		em, err := startEnvoy(ctx, envoyLog, config)
-		if err != nil {
-			cancel()
-			return nil, fmt.Errorf("start envoy sidecar: %w", err)
-		}
-		p.envoy = em
-	}
-
-	// Start TPROXY listener for kernel mode
-	if config.ListenAddr.IsValid() {
-		ln, err := newTPROXYListener(logger, config.ListenAddr, netip.Prefix{})
-		if err != nil {
-			cancel()
-			return nil, fmt.Errorf("start TPROXY listener on %s: %w", config.ListenAddr, err)
-		}
-		p.listener = ln
-		go p.acceptLoop(ln)
-	}
-
-	return p, nil
-}
-
-// HandleTCP is the entry point for TCP connections from the userspace forwarder.
-// It determines the protocol (TLS or plaintext HTTP), evaluates rules,
-// and either blocks, passes through, inspects, or forwards to an external proxy.
-func (p *Proxy) HandleTCP(ctx context.Context, clientConn net.Conn, dst netip.AddrPort, src SourceInfo) error {
-	defer func() {
-		if err := clientConn.Close(); err != nil {
-			p.log.Debugf("close client conn: %v", err)
-		}
-	}()
-
-	p.mu.RLock()
-	mode := p.config.Mode
-	p.mu.RUnlock()
-
-	if mode == ModeExternal {
-		pconn := newPeekConn(clientConn)
-		return p.handleExternal(ctx, pconn, dst)
-	}
-
-	// Envoy and builtin modes both peek the protocol header for rule evaluation.
-	// Envoy mode forwards non-blocked traffic to envoy; builtin mode handles all locally.
-	// TLS blocks are handled by Go (instant close) since envoy can't cleanly RST a TLS connection.
-
-	// Built-in and envoy mode: peek 5 bytes (TLS record header size) to determine protocol.
-	// Set a read deadline to prevent slow loris attacks.
-	if err := clientConn.SetReadDeadline(time.Now().Add(headerReadTimeout)); err != nil {
-		return fmt.Errorf("set read deadline: %w", err)
-	}
-	pconn := newPeekConn(clientConn)
-	header, err := pconn.Peek(5)
-	if err != nil {
-		return fmt.Errorf("peek protocol header: %w", err)
-	}
-	if err := clientConn.SetReadDeadline(time.Time{}); err != nil {
-		return fmt.Errorf("clear read deadline: %w", err)
-	}
-
-	if isTLSHandshake(header[0]) {
-		return p.handleTLS(ctx, pconn, dst, src)
-	}
-
-	if isHTTPMethod(header) {
-		return p.handlePlainHTTP(ctx, pconn, dst, src)
-	}
-
-	// Not TLS and not HTTP: evaluate rules with ProtoOther.
-	// If no rule explicitly allows "other", this falls through to the default action.
-	action := p.rules.Evaluate(src.IP, "", dst.Addr(), dst.Port(), ProtoOther, "")
-	if action == ActionAllow {
-		remote, err := p.dialTCP(ctx, dst)
-		if err != nil {
-			return fmt.Errorf("dial for passthrough: %w", err)
-		}
-		defer func() {
-			if err := remote.Close(); err != nil {
-				p.log.Debugf("close remote conn: %v", err)
-			}
-		}()
-		return relay(ctx, pconn, remote)
-	}
-
-	p.log.Debugf("block: non-HTTP/TLS to %s (action=%s, first bytes: %x)", dst, action, header)
-	return ErrBlocked
-}
-
-// InspectTCP evaluates rules for a TCP connection and returns the result.
-// Unlike HandleTCP, it can return early for allow decisions, letting the caller
-// handle the relay (USP forwarder passthrough optimization).
-//
-// When InspectResult.PassthroughConn is non-nil, ownership transfers to the caller:
-// the caller must close the connection and relay traffic. The engine does not close it.
-//
-// When PassthroughConn is nil, the engine handled everything internally
-// (block, inspect/MITM, or plain HTTP inspection) and closed the connection.
-func (p *Proxy) InspectTCP(ctx context.Context, clientConn net.Conn, dst netip.AddrPort, src SourceInfo) (InspectResult, error) {
-	p.mu.RLock()
-	mode := p.config.Mode
-	envoy := p.envoy
-	p.mu.RUnlock()
-
-	// External mode: handle internally, engine owns the connection.
-	if mode == ModeExternal {
-		defer func() {
-			if err := clientConn.Close(); err != nil {
-				p.log.Debugf("close client conn: %v", err)
-			}
-		}()
-		pconn := newPeekConn(clientConn)
-		err := p.handleExternal(ctx, pconn, dst)
-		return InspectResult{Action: ActionAllow}, err
-	}
-
-	// Peek protocol header.
-	if err := clientConn.SetReadDeadline(time.Now().Add(headerReadTimeout)); err != nil {
-		clientConn.Close()
-		return InspectResult{}, fmt.Errorf("set read deadline: %w", err)
-	}
-	pconn := newPeekConn(clientConn)
-	header, err := pconn.Peek(5)
-	if err != nil {
-		clientConn.Close()
-		return InspectResult{}, fmt.Errorf("peek protocol header: %w", err)
-	}
-	if err := clientConn.SetReadDeadline(time.Time{}); err != nil {
-		clientConn.Close()
-		return InspectResult{}, fmt.Errorf("clear read deadline: %w", err)
-	}
-
-	// TLS: may return passthrough for allow.
-	if isTLSHandshake(header[0]) {
-		result, err := p.inspectTLS(ctx, pconn, dst, src)
-		if err != nil && result.PassthroughConn == nil {
-			clientConn.Close()
-			return result, err
-		}
-		// Envoy mode: forward allowed TLS to envoy instead of returning passthrough.
-		if result.PassthroughConn != nil && envoy != nil {
-			defer clientConn.Close()
-			envoyErr := p.forwardToEnvoy(ctx, pconn, dst, src, envoy)
-			return InspectResult{Action: ActionAllow}, envoyErr
-		}
-		return result, err
-	}
-
-	// Plain HTTP: in envoy mode, forward to envoy for L7 processing.
-	// In builtin mode, inspect per-request locally.
-	if isHTTPMethod(header) {
-		defer func() {
-			if err := clientConn.Close(); err != nil {
-				p.log.Debugf("close client conn: %v", err)
-			}
-		}()
-		if envoy != nil {
-			err := p.forwardToEnvoy(ctx, pconn, dst, src, envoy)
-			return InspectResult{Action: ActionAllow}, err
-		}
-		err := p.handlePlainHTTP(ctx, pconn, dst, src)
-		return InspectResult{Action: ActionInspect}, err
-	}
-
-	// Other protocol: evaluate rules.
-	action := p.rules.Evaluate(src.IP, "", dst.Addr(), dst.Port(), ProtoOther, "")
-	if action == ActionAllow {
-		// Envoy mode: forward to envoy.
-		if envoy != nil {
-			defer clientConn.Close()
-			err := p.forwardToEnvoy(ctx, pconn, dst, src, envoy)
-			return InspectResult{Action: ActionAllow}, err
-		}
-		return InspectResult{Action: ActionAllow, PassthroughConn: pconn}, nil
-	}
-
-	p.log.Debugf("block: non-HTTP/TLS to %s (action=%s, first bytes: %x)", dst, action, header)
-	clientConn.Close()
-	return InspectResult{Action: ActionBlock}, ErrBlocked
-}
-
-// HandleUDPPacket inspects a UDP packet for QUIC Initial packets.
-// Returns the action to take: ActionAllow to continue normal forwarding,
-// ActionBlock to drop the packet.
-// Non-QUIC packets always return ActionAllow.
-func (p *Proxy) HandleUDPPacket(data []byte, dst netip.AddrPort, src SourceInfo) Action {
-	if len(data) < 5 {
-		return ActionAllow
-	}
-
-	// Check for QUIC Long Header
-	if data[0]&0x80 == 0 {
-		return ActionAllow
-	}
-
-	sni, err := ExtractQUICSNI(data)
-	if err != nil {
-		// Can't parse QUIC, allow through (could be non-QUIC UDP)
-		p.log.Tracef("QUIC SNI extraction failed for %s: %v", dst, err)
-		return ActionAllow
-	}
-
-	if sni == "" {
-		return ActionAllow
-	}
-
-	action := p.rules.Evaluate(src.IP, sni, dst.Addr(), dst.Port(), ProtoH3, "")
-
-	if action == ActionBlock {
-		p.log.Debugf("block: QUIC to %s (SNI=%s)", dst, sni.PunycodeString())
-		return ActionBlock
-	}
-
-	// QUIC can't be MITMed, treat Inspect as Allow
-	if action == ActionInspect {
-		p.log.Debugf("allow: QUIC to %s (SNI=%s), MITM not supported for QUIC", dst, sni.PunycodeString())
-	} else {
-		p.log.Tracef("allow: QUIC to %s (SNI=%s)", dst, sni.PunycodeString())
-	}
-
-	return ActionAllow
-}
-
-// handlePlainHTTP handles plaintext HTTP connections.
-func (p *Proxy) handlePlainHTTP(ctx context.Context, pconn *peekConn, dst netip.AddrPort, src SourceInfo) error {
-	remote, err := p.dialTCP(ctx, dst)
-	if err != nil {
-		return fmt.Errorf("dial %s: %w", dst, err)
-	}
-	defer func() {
-		if err := remote.Close(); err != nil {
-			p.log.Debugf("close remote for %s: %v", dst, err)
-		}
-	}()
-
-	// For plaintext HTTP, always inspect (we can see the traffic)
-	return p.inspectHTTP(ctx, pconn, remote, dst, "", src, "http/1.1")
-}
-
-// UpdateConfig replaces the inspection engine configuration at runtime.
-func (p *Proxy) UpdateConfig(config Config) {
-	p.log.Debugf("config update: mode=%s rules=%d default=%s has_tls=%v has_icap=%v",
-		config.Mode, len(config.Rules), config.DefaultAction, config.TLS != nil, config.ICAP != nil)
-
-	p.mu.Lock()
-
-	p.config = config
-	p.rules.UpdateRules(config.Rules, config.DefaultAction)
-
-	// Update MITM provider
-	if config.TLS != nil {
-		p.certs = NewCertProvider(config.TLS.CA, config.TLS.CAKey)
-	} else {
-		p.certs = nil
-	}
-
-	// Swap ICAP client under lock, close the old one outside to avoid blocking.
-	var oldICAP *ICAPClient
-	if config.ICAP != nil {
-		oldICAP = p.icap
-		p.icap = NewICAPClient(p.log, config.ICAP)
-	} else {
-		oldICAP = p.icap
-		p.icap = nil
-	}
-
-	// If switching away from envoy mode, clear and stop the old envoy.
-	var oldEnvoy *envoyManager
-	if config.Mode != ModeEnvoy && p.envoy != nil {
-		oldEnvoy = p.envoy
-		p.envoy = nil
-	}
-
-	envoy := p.envoy
-
-	p.mu.Unlock()
-
-	if oldICAP != nil {
-		oldICAP.Close()
-	}
-
-	if oldEnvoy != nil {
-		oldEnvoy.Stop()
-	}
-
-	// Reload envoy config if still in envoy mode.
-	if envoy != nil && config.Mode == ModeEnvoy {
-		if err := envoy.Reload(config); err != nil {
-			p.log.Errorf("inspect: envoy config reload: %v", err)
-		}
-	}
-}
-
-// Mode returns the current proxy operating mode.
-func (p *Proxy) Mode() ProxyMode {
-	p.mu.RLock()
-	defer p.mu.RUnlock()
-	return p.config.Mode
-}
-
-// ListenPort returns the port to use for kernel-mode nftables REDIRECT.
-// For builtin mode: the TPROXY listener port.
-// For envoy mode: the envoy listener port (nftables redirects directly to envoy).
-// Returns 0 if no listener is active.
-func (p *Proxy) ListenPort() uint16 {
-	p.mu.RLock()
-	envoy := p.envoy
-	p.mu.RUnlock()
-
-	if envoy != nil {
-		return envoy.listenPort
-	}
-	if p.listener == nil {
-		return 0
-	}
-	tcpAddr, ok := p.listener.Addr().(*net.TCPAddr)
-	if !ok {
-		return 0
-	}
-	return uint16(tcpAddr.Port)
-}
-
-// Close shuts down the proxy and releases resources.
-func (p *Proxy) Close() error {
-	p.cancel()
-
-	p.mu.Lock()
-	envoy := p.envoy
-	p.envoy = nil
-	icap := p.icap
-	p.icap = nil
-	p.mu.Unlock()
-
-	if envoy != nil {
-		envoy.Stop()
-	}
-
-	if p.listener != nil {
-		if err := p.listener.Close(); err != nil {
-			p.log.Debugf("close TPROXY listener: %v", err)
-		}
-	}
-
-	if icap != nil {
-		icap.Close()
-	}
-
-	return nil
-}
-
-// acceptLoop accepts connections from the redirected listener (kernel mode).
-// Connections arrive via nftables REDIRECT; original destination is read from conntrack.
-func (p *Proxy) acceptLoop(ln net.Listener) {
-	for {
-		conn, err := ln.Accept()
-		if err != nil {
-			if p.ctx.Err() != nil {
-				return
-			}
-			p.log.Debugf("accept error: %v", err)
-			continue
-		}
-
-		go func() {
-			// Read original destination from conntrack (SO_ORIGINAL_DST).
-			// nftables REDIRECT changes dst to the local WG IP:proxy_port,
-			// but conntrack preserves the real destination.
-			dstAddr, err := getOriginalDst(conn)
-			if err != nil {
-				p.log.Debugf("get original dst: %v", err)
-				if closeErr := conn.Close(); closeErr != nil {
-					p.log.Debugf("close conn: %v", closeErr)
-				}
-				return
-			}
-
-			p.log.Tracef("accepted: %s -> %s (original dst %s)",
-				conn.RemoteAddr(), conn.LocalAddr(), dstAddr)
-
-			srcAddr, err := netip.ParseAddrPort(conn.RemoteAddr().String())
-			if err != nil {
-				p.log.Debugf("parse source: %v", err)
-				if closeErr := conn.Close(); closeErr != nil {
-					p.log.Debugf("close conn: %v", closeErr)
-				}
-				return
-			}
-
-			src := SourceInfo{
-				IP: srcAddr.Addr().Unmap(),
-			}
-
-			if err := p.HandleTCP(p.ctx, conn, dstAddr, src); err != nil && !errors.Is(err, ErrBlocked) {
-				p.log.Debugf("connection to %s: %v", dstAddr, err)
-			}
-		}()
-	}
-}

client/inspect/quic.go

@@ -1,388 +0,0 @@
-package inspect
-
-import (
-	"crypto/aes"
-	"crypto/cipher"
-	"crypto/sha256"
-	"encoding/binary"
-	"fmt"
-	"io"
-
-	"golang.org/x/crypto/hkdf"
-
-	"github.com/netbirdio/netbird/shared/management/domain"
-)
-
-// QUIC version constants
-const (
-	quicV1Version uint32 = 0x00000001
-	quicV2Version uint32 = 0x6b3343cf
-)
-
-// quicV1Salt is the initial salt for QUIC v1 (RFC 9001 Section 5.2).
-var quicV1Salt = []byte{
-	0x38, 0x76, 0x2c, 0xf7, 0xf5, 0x59, 0x34, 0xb3,
-	0x4d, 0x17, 0x9a, 0xe6, 0xa4, 0xc8, 0x0c, 0xad,
-	0xcc, 0xbb, 0x7f, 0x0a,
-}
-
-// quicV2Salt is the initial salt for QUIC v2 (RFC 9369).
-var quicV2Salt = []byte{
-	0x0d, 0xed, 0xe3, 0xde, 0xf7, 0x00, 0xa6, 0xdb,
-	0x81, 0x93, 0x81, 0xbe, 0x6e, 0x26, 0x9d, 0xcb,
-	0xf9, 0xbd, 0x2e, 0xd9,
-}
-
-// ExtractQUICSNI extracts the SNI from a QUIC Initial packet.
-// The Initial packet's encryption uses well-known keys derived from the
-// Destination Connection ID, so any observer can decrypt it (by design).
-func ExtractQUICSNI(data []byte) (domain.Domain, error) {
-	if len(data) < 5 {
-		return "", fmt.Errorf("packet too short")
-	}
-
-	// Check for QUIC Long Header (form bit set)
-	if data[0]&0x80 == 0 {
-		return "", fmt.Errorf("not a QUIC long header packet")
-	}
-
-	// Version
-	version := binary.BigEndian.Uint32(data[1:5])
-
-	var salt []byte
-	var initialLabel, keyLabel, ivLabel, hpLabel string
-
-	switch version {
-	case quicV1Version:
-		salt = quicV1Salt
-		initialLabel = "client in"
-		keyLabel = "quic key"
-		ivLabel = "quic iv"
-		hpLabel = "quic hp"
-	case quicV2Version:
-		salt = quicV2Salt
-		initialLabel = "client in"
-		keyLabel = "quicv2 key"
-		ivLabel = "quicv2 iv"
-		hpLabel = "quicv2 hp"
-	default:
-		return "", fmt.Errorf("unsupported QUIC version: 0x%08x", version)
-	}
-
-	// Parse Long Header
-	if len(data) < 6 {
-		return "", fmt.Errorf("packet too short for DCID length")
-	}
-	dcidLen := int(data[5])
-	if len(data) < 6+dcidLen+1 {
-		return "", fmt.Errorf("packet too short for DCID")
-	}
-	dcid := data[6 : 6+dcidLen]
-
-	scidLenOff := 6 + dcidLen
-	scidLen := int(data[scidLenOff])
-	tokenLenOff := scidLenOff + 1 + scidLen
-
-	if tokenLenOff >= len(data) {
-		return "", fmt.Errorf("packet too short for token length")
-	}
-
-	// Token length is a variable-length integer
-	tokenLen, tokenLenSize, err := readVarInt(data[tokenLenOff:])
-	if err != nil {
-		return "", fmt.Errorf("read token length: %w", err)
-	}
-
-	payloadLenOff := tokenLenOff + tokenLenSize + int(tokenLen)
-	if payloadLenOff >= len(data) {
-		return "", fmt.Errorf("packet too short for payload length")
-	}
-
-	// Payload length is a variable-length integer
-	payloadLen, payloadLenSize, err := readVarInt(data[payloadLenOff:])
-	if err != nil {
-		return "", fmt.Errorf("read payload length: %w", err)
-	}
-
-	pnOffset := payloadLenOff + payloadLenSize
-	if pnOffset+4 > len(data) {
-		return "", fmt.Errorf("packet too short for packet number")
-	}
-
-	// Derive initial keys
-	clientKey, clientIV, clientHP, err := deriveInitialKeys(dcid, salt, initialLabel, keyLabel, ivLabel, hpLabel)
-	if err != nil {
-		return "", fmt.Errorf("derive initial keys: %w", err)
-	}
-
-	// Remove header protection
-	sampleOffset := pnOffset + 4 // sample starts 4 bytes after pn offset
-	if sampleOffset+16 > len(data) {
-		return "", fmt.Errorf("packet too short for HP sample")
-	}
-	sample := data[sampleOffset : sampleOffset+16]
-
-	hpBlock, err := aes.NewCipher(clientHP)
-	if err != nil {
-		return "", fmt.Errorf("create HP cipher: %w", err)
-	}
-
-	mask := make([]byte, 16)
-	hpBlock.Encrypt(mask, sample)
-
-	// Unmask header byte
-	header := make([]byte, len(data))
-	copy(header, data)
-	header[0] ^= mask[0] & 0x0f // Long header: low 4 bits
-
-	// Determine packet number length
-	pnLen := int(header[0]&0x03) + 1
-
-	// Unmask packet number
-	for i := 0; i < pnLen; i++ {
-		header[pnOffset+i] ^= mask[1+i]
-	}
-
-	// Reconstruct packet number
-	var pn uint32
-	for i := 0; i < pnLen; i++ {
-		pn = (pn << 8) | uint32(header[pnOffset+i])
-	}
-
-	// Build nonce
-	nonce := make([]byte, len(clientIV))
-	copy(nonce, clientIV)
-	for i := 0; i < 4; i++ {
-		nonce[len(nonce)-1-i] ^= byte(pn >> (8 * i))
-	}
-
-	// Decrypt payload
-	block, err := aes.NewCipher(clientKey)
-	if err != nil {
-		return "", fmt.Errorf("create AES cipher: %w", err)
-	}
-
-	aead, err := cipher.NewGCM(block)
-	if err != nil {
-		return "", fmt.Errorf("create AEAD: %w", err)
-	}
-
-	encryptedPayload := header[pnOffset+pnLen : pnOffset+int(payloadLen)]
-	aad := header[:pnOffset+pnLen]
-
-	plaintext, err := aead.Open(nil, nonce, encryptedPayload, aad)
-	if err != nil {
-		return "", fmt.Errorf("decrypt QUIC payload: %w", err)
-	}
-
-	// Parse CRYPTO frames to extract ClientHello
-	clientHello, err := extractCryptoFrames(plaintext)
-	if err != nil {
-		return "", fmt.Errorf("extract CRYPTO frames: %w", err)
-	}
-
-	info, err := parseHelloBody(clientHello)
-	return info.SNI, err
-}
-
-// deriveInitialKeys derives the client's initial encryption keys from the DCID.
-func deriveInitialKeys(dcid, salt []byte, initialLabel, keyLabel, ivLabel, hpLabel string) (key, iv, hp []byte, err error) {
-	// initial_secret = HKDF-Extract(salt, DCID)
-	initialSecret := hkdf.Extract(sha256.New, dcid, salt)
-
-	// client_initial_secret = HKDF-Expand-Label(initial_secret, initialLabel, "", 32)
-	clientSecret, err := hkdfExpandLabel(initialSecret, initialLabel, nil, 32)
-	if err != nil {
-		return nil, nil, nil, fmt.Errorf("derive client secret: %w", err)
-	}
-
-	// client_key = HKDF-Expand-Label(client_secret, keyLabel, "", 16)
-	key, err = hkdfExpandLabel(clientSecret, keyLabel, nil, 16)
-	if err != nil {
-		return nil, nil, nil, fmt.Errorf("derive key: %w", err)
-	}
-
-	// client_iv = HKDF-Expand-Label(client_secret, ivLabel, "", 12)
-	iv, err = hkdfExpandLabel(clientSecret, ivLabel, nil, 12)
-	if err != nil {
-		return nil, nil, nil, fmt.Errorf("derive IV: %w", err)
-	}
-
-	// client_hp = HKDF-Expand-Label(client_secret, hpLabel, "", 16)
-	hp, err = hkdfExpandLabel(clientSecret, hpLabel, nil, 16)
-	if err != nil {
-		return nil, nil, nil, fmt.Errorf("derive HP key: %w", err)
-	}
-
-	return key, iv, hp, nil
-}
-
-// hkdfExpandLabel implements TLS 1.3 HKDF-Expand-Label.
-func hkdfExpandLabel(secret []byte, label string, context []byte, length int) ([]byte, error) {
-	// HkdfLabel = struct {
-	//   uint16 length;
-	//   opaque label<7..255> = "tls13 " + Label;
-	//   opaque context<0..255> = Context;
-	// }
-	fullLabel := "tls13 " + label
-
-	hkdfLabel := make([]byte, 2+1+len(fullLabel)+1+len(context))
-	binary.BigEndian.PutUint16(hkdfLabel[0:2], uint16(length))
-	hkdfLabel[2] = byte(len(fullLabel))
-	copy(hkdfLabel[3:], fullLabel)
-	hkdfLabel[3+len(fullLabel)] = byte(len(context))
-	if len(context) > 0 {
-		copy(hkdfLabel[4+len(fullLabel):], context)
-	}
-
-	expander := hkdf.Expand(sha256.New, secret, hkdfLabel)
-	out := make([]byte, length)
-	if _, err := io.ReadFull(expander, out); err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
-// maxCryptoFrameSize limits total CRYPTO frame data to prevent memory exhaustion.
-const maxCryptoFrameSize = 64 * 1024
-
-// extractCryptoFrames reassembles CRYPTO frame data from QUIC frames.
-func extractCryptoFrames(frames []byte) ([]byte, error) {
-	var result []byte
-	pos := 0
-
-	for pos < len(frames) {
-		frameType := frames[pos]
-
-		switch {
-		case frameType == 0x00:
-			// PADDING frame
-			pos++
-
-		case frameType == 0x06:
-			// CRYPTO frame
-			pos++
-
-			offset, n, err := readVarInt(frames[pos:])
-			if err != nil {
-				return nil, fmt.Errorf("read crypto offset: %w", err)
-			}
-			pos += n
-			_ = offset // We assume ordered, offset 0 for Initial
-
-			dataLen, n, err := readVarInt(frames[pos:])
-			if err != nil {
-				return nil, fmt.Errorf("read crypto data length: %w", err)
-			}
-			pos += n
-
-			end := pos + int(dataLen)
-			if end > len(frames) {
-				return nil, fmt.Errorf("CRYPTO frame data truncated")
-			}
-
-			result = append(result, frames[pos:end]...)
-			if len(result) > maxCryptoFrameSize {
-				return nil, fmt.Errorf("CRYPTO frame data exceeds %d bytes", maxCryptoFrameSize)
-			}
-			pos = end
-
-		case frameType == 0x01:
-			// PING frame
-			pos++
-
-		case frameType == 0x02 || frameType == 0x03:
-			// ACK frame - skip
-			pos++
-			// Largest Acknowledged
-			_, n, err := readVarInt(frames[pos:])
-			if err != nil {
-				return nil, fmt.Errorf("read ACK: %w", err)
-			}
-			pos += n
-			// ACK Delay
-			_, n, err = readVarInt(frames[pos:])
-			if err != nil {
-				return nil, fmt.Errorf("read ACK delay: %w", err)
-			}
-			pos += n
-			// ACK Range Count
-			rangeCount, n, err := readVarInt(frames[pos:])
-			if err != nil {
-				return nil, fmt.Errorf("read ACK range count: %w", err)
-			}
-			pos += n
-			// First ACK Range
-			_, n, err = readVarInt(frames[pos:])
-			if err != nil {
-				return nil, fmt.Errorf("read first ACK range: %w", err)
-			}
-			pos += n
-			// Additional ranges
-			for i := uint64(0); i < rangeCount; i++ {
-				_, n, err = readVarInt(frames[pos:])
-				if err != nil {
-					return nil, fmt.Errorf("read ACK gap: %w", err)
-				}
-				pos += n
-				_, n, err = readVarInt(frames[pos:])
-				if err != nil {
-					return nil, fmt.Errorf("read ACK range: %w", err)
-				}
-				pos += n
-			}
-			// ECN counts for type 0x03
-			if frameType == 0x03 {
-				for range 3 {
-					_, n, err = readVarInt(frames[pos:])
-					if err != nil {
-						return nil, fmt.Errorf("read ECN count: %w", err)
-					}
-					pos += n
-				}
-			}
-
-		default:
-			// Unknown frame type, stop parsing
-			if len(result) > 0 {
-				return result, nil
-			}
-			return nil, fmt.Errorf("unknown QUIC frame type: 0x%02x at offset %d", frameType, pos)
-		}
-	}
-
-	if len(result) == 0 {
-		return nil, fmt.Errorf("no CRYPTO frames found")
-	}
-
-	return result, nil
-}
-
-// readVarInt reads a QUIC variable-length integer.
-// Returns (value, bytes consumed, error).
-func readVarInt(data []byte) (uint64, int, error) {
-	if len(data) == 0 {
-		return 0, 0, fmt.Errorf("empty data for varint")
-	}
-
-	prefix := data[0] >> 6
-	length := 1 << prefix
-
-	if len(data) < length {
-		return 0, 0, fmt.Errorf("varint truncated: need %d, have %d", length, len(data))
-	}
-
-	var val uint64
-	switch length {
-	case 1:
-		val = uint64(data[0] & 0x3f)
-	case 2:
-		val = uint64(binary.BigEndian.Uint16(data[:2])) & 0x3fff
-	case 4:
-		val = uint64(binary.BigEndian.Uint32(data[:4])) & 0x3fffffff
-	case 8:
-		val = binary.BigEndian.Uint64(data[:8]) & 0x3fffffffffffffff
-	}
-
-	return val, length, nil
-}

client/inspect/quic_test.go

@@ -1,99 +0,0 @@
-package inspect
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestReadVarInt(t *testing.T) {
-	tests := []struct {
-		name string
-		data []byte
-		want uint64
-		n    int
-	}{
-		{
-			name: "1 byte value",
-			data: []byte{0x25},
-			want: 37,
-			n:    1,
-		},
-		{
-			name: "2 byte value",
-			data: []byte{0x7b, 0xbd},
-			want: 15293,
-			n:    2,
-		},
-		{
-			name: "4 byte value",
-			data: []byte{0x9d, 0x7f, 0x3e, 0x7d},
-			want: 494878333,
-			n:    4,
-		},
-		{
-			name: "zero",
-			data: []byte{0x00},
-			want: 0,
-			n:    1,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			val, n, err := readVarInt(tt.data)
-			require.NoError(t, err)
-			assert.Equal(t, tt.want, val)
-			assert.Equal(t, tt.n, n)
-		})
-	}
-}
-
-func TestReadVarInt_Empty(t *testing.T) {
-	_, _, err := readVarInt(nil)
-	require.Error(t, err)
-}
-
-func TestReadVarInt_Truncated(t *testing.T) {
-	// 2-byte prefix but only 1 byte
-	_, _, err := readVarInt([]byte{0x40})
-	require.Error(t, err)
-}
-
-func TestExtractQUICSNI_NotLongHeader(t *testing.T) {
-	// Short header packet (form bit not set)
-	data := make([]byte, 100)
-	data[0] = 0x40 // short header
-
-	_, err := ExtractQUICSNI(data)
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "not a QUIC long header")
-}
-
-func TestExtractQUICSNI_UnsupportedVersion(t *testing.T) {
-	data := make([]byte, 100)
-	data[0] = 0xC0 // long header
-	// Version 0xdeadbeef
-	data[1] = 0xde
-	data[2] = 0xad
-	data[3] = 0xbe
-	data[4] = 0xef
-
-	_, err := ExtractQUICSNI(data)
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "unsupported QUIC version")
-}
-
-func TestExtractQUICSNI_TooShort(t *testing.T) {
-	_, err := ExtractQUICSNI([]byte{0xC0, 0x00})
-	require.Error(t, err)
-}
-
-func TestHkdfExpandLabel(t *testing.T) {
-	// Smoke test: ensure it returns the right length and doesn't error
-	secret := make([]byte, 32)
-	result, err := hkdfExpandLabel(secret, "quic key", nil, 16)
-	require.NoError(t, err)
-	assert.Len(t, result, 16)
-}

client/inspect/rules.go

@@ -1,253 +0,0 @@
-package inspect
-
-import (
-	"net/netip"
-	"slices"
-	"sort"
-	"strings"
-	"sync"
-
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/internal/acl/id"
-	"github.com/netbirdio/netbird/shared/management/domain"
-)
-
-// RuleEngine evaluates proxy rules against connection metadata.
-// It is safe for concurrent use.
-type RuleEngine struct {
-	mu    sync.RWMutex
-	rules []Rule
-	// defaultAction applies when no rule matches.
-	defaultAction Action
-	log           *log.Entry
-}
-
-// NewRuleEngine creates a rule engine with the given default action.
-func NewRuleEngine(logger *log.Entry, defaultAction Action) *RuleEngine {
-	return &RuleEngine{
-		defaultAction: defaultAction,
-		log:           logger,
-	}
-}
-
-// UpdateRules replaces the rule set and default action. Rules are sorted by priority.
-func (e *RuleEngine) UpdateRules(rules []Rule, defaultAction Action) {
-	sorted := make([]Rule, len(rules))
-	copy(sorted, rules)
-	sort.Slice(sorted, func(i, j int) bool {
-		return sorted[i].Priority < sorted[j].Priority
-	})
-
-	e.mu.Lock()
-	e.rules = sorted
-	e.defaultAction = defaultAction
-	e.mu.Unlock()
-}
-
-// EvalResult holds the outcome of a rule evaluation.
-type EvalResult struct {
-	Action Action
-	RuleID id.RuleID
-}
-
-// Evaluate determines the action for a connection based on the rule set.
-// Pass empty path for connection-level evaluation (TLS/SNI), non-empty for request-level (HTTP).
-func (e *RuleEngine) Evaluate(src netip.Addr, dstDomain domain.Domain, dstAddr netip.Addr, dstPort uint16, proto ProtoType, path string) Action {
-	r := e.EvaluateWithResult(src, dstDomain, dstAddr, dstPort, proto, path)
-	return r.Action
-}
-
-// EvaluateWithResult is like Evaluate but also returns the matched rule ID.
-func (e *RuleEngine) EvaluateWithResult(src netip.Addr, dstDomain domain.Domain, dstAddr netip.Addr, dstPort uint16, proto ProtoType, path string) EvalResult {
-	e.mu.RLock()
-	defer e.mu.RUnlock()
-
-	for i := range e.rules {
-		rule := &e.rules[i]
-		if e.ruleMatches(rule, src, dstDomain, dstAddr, dstPort, proto, path) {
-			e.log.Tracef("rule %s matched: action=%s src=%s domain=%s dst=%s:%d proto=%s path=%s",
-				rule.ID, rule.Action, src, dstDomain.SafeString(), dstAddr, dstPort, proto, path)
-			return EvalResult{Action: rule.Action, RuleID: rule.ID}
-		}
-	}
-
-	e.log.Tracef("no rule matched, default=%s: src=%s domain=%s dst=%s:%d proto=%s path=%s",
-		e.defaultAction, src, dstDomain.SafeString(), dstAddr, dstPort, proto, path)
-	return EvalResult{Action: e.defaultAction}
-}
-
-// HasPathRulesForDomain returns true if any rule matching the domain has non-empty Paths.
-// Used to force MITM inspection when path-level rules exist (paths are only visible after decryption).
-func (e *RuleEngine) HasPathRulesForDomain(dstDomain domain.Domain) bool {
-	e.mu.RLock()
-	defer e.mu.RUnlock()
-
-	for i := range e.rules {
-		if len(e.rules[i].Paths) > 0 && e.matchDomain(&e.rules[i], dstDomain) {
-			return true
-		}
-	}
-	return false
-}
-
-// ruleMatches checks whether all non-empty fields of a rule match.
-// Empty fields are treated as "match any".
-// All specified fields must match (AND logic).
-func (e *RuleEngine) ruleMatches(rule *Rule, src netip.Addr, dstDomain domain.Domain, dstAddr netip.Addr, dstPort uint16, proto ProtoType, path string) bool {
-	if !e.matchSource(rule, src) {
-		return false
-	}
-
-	if !e.matchDomain(rule, dstDomain) {
-		return false
-	}
-
-	if !e.matchNetwork(rule, dstAddr) {
-		return false
-	}
-
-	if !e.matchPort(rule, dstPort) {
-		return false
-	}
-
-	if !e.matchProtocol(rule, proto) {
-		return false
-	}
-
-	if !e.matchPaths(rule, path) {
-		return false
-	}
-
-	return true
-}
-
-// matchSource returns true if src matches any of the rule's source CIDRs,
-// or if no source CIDRs are specified (match any).
-func (e *RuleEngine) matchSource(rule *Rule, src netip.Addr) bool {
-	if len(rule.Sources) == 0 {
-		return true
-	}
-
-	for _, prefix := range rule.Sources {
-		if prefix.Contains(src) {
-			return true
-		}
-	}
-
-	return false
-}
-
-// matchDomain returns true if dstDomain matches any of the rule's domain patterns,
-// or if no domain patterns are specified (match any).
-func (e *RuleEngine) matchDomain(rule *Rule, dstDomain domain.Domain) bool {
-	if len(rule.Domains) == 0 {
-		return true
-	}
-
-	// If we have domain rules but no domain to match against (e.g., raw IP connection),
-	// the domain condition does not match.
-	if dstDomain == "" {
-		return false
-	}
-
-	for _, pattern := range rule.Domains {
-		if MatchDomain(pattern, dstDomain) {
-			return true
-		}
-	}
-
-	return false
-}
-
-// matchNetwork returns true if dstAddr is within any of the rule's destination CIDRs,
-// or if no destination CIDRs are specified (match any).
-func (e *RuleEngine) matchNetwork(rule *Rule, dstAddr netip.Addr) bool {
-	if len(rule.Networks) == 0 {
-		return true
-	}
-
-	for _, prefix := range rule.Networks {
-		if prefix.Contains(dstAddr) {
-			return true
-		}
-	}
-
-	return false
-}
-
-// matchProtocol returns true if proto matches any of the rule's protocols,
-// or if no protocols are specified (match any).
-func (e *RuleEngine) matchProtocol(rule *Rule, proto ProtoType) bool {
-	if len(rule.Protocols) == 0 {
-		return true
-	}
-
-	for _, p := range rule.Protocols {
-		if p == proto {
-			return true
-		}
-	}
-
-	return false
-}
-
-// matchPort returns true if dstPort matches any of the rule's destination ports,
-// or if no ports are specified (match any).
-func (e *RuleEngine) matchPort(rule *Rule, dstPort uint16) bool {
-	if len(rule.Ports) == 0 {
-		return true
-	}
-
-	return slices.Contains(rule.Ports, dstPort)
-}
-
-// matchPaths returns true if path matches any of the rule's path patterns,
-// or if no paths are specified (match any). Empty path (connection-level eval) matches all.
-func (e *RuleEngine) matchPaths(rule *Rule, path string) bool {
-	if len(rule.Paths) == 0 {
-		return true
-	}
-	// Connection-level (path=""): rules with paths don't match at connection level.
-	// HasPathRulesForDomain forces the connection to inspect, so paths are
-	// checked per-request once the HTTP request is visible.
-	if path == "" {
-		return false
-	}
-	for _, pattern := range rule.Paths {
-		if matchPath(pattern, path) {
-			return true
-		}
-	}
-	return false
-}
-
-// matchPath checks if a URL path matches a pattern.
-// Supports: exact ("/login"), prefix with wildcard ("/api/*"),
-// and contains ("*/admin/*"). A bare "*" matches everything.
-func matchPath(pattern, path string) bool {
-	if pattern == "*" {
-		return true
-	}
-
-	hasLeadingStar := strings.HasPrefix(pattern, "*")
-	hasTrailingStar := strings.HasSuffix(pattern, "*")
-
-	switch {
-	case hasLeadingStar && hasTrailingStar:
-		// */admin/* = contains
-		middle := strings.Trim(pattern, "*")
-		return strings.Contains(path, middle)
-	case hasTrailingStar:
-		// /api/* = prefix
-		prefix := strings.TrimSuffix(pattern, "*")
-		return strings.HasPrefix(path, prefix)
-	case hasLeadingStar:
-		// *.json = suffix
-		suffix := strings.TrimPrefix(pattern, "*")
-		return strings.HasSuffix(path, suffix)
-	default:
-		// exact
-		return path == pattern
-	}
-}

client/inspect/rules_test.go

@@ -1,338 +0,0 @@
-package inspect
-
-import (
-	"net/netip"
-	"testing"
-
-	log "github.com/sirupsen/logrus"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/client/internal/acl/id"
-	"github.com/netbirdio/netbird/shared/management/domain"
-)
-
-func testLogger() *log.Entry {
-	return log.WithField("test", true)
-}
-
-func mustDomain(t *testing.T, s string) domain.Domain {
-	t.Helper()
-	d, err := domain.FromString(s)
-	require.NoError(t, err)
-	return d
-}
-
-func TestRuleEngine_Evaluate(t *testing.T) {
-	tests := []struct {
-		name          string
-		rules         []Rule
-		defaultAction Action
-		src           netip.Addr
-		dstDomain     domain.Domain
-		dstAddr       netip.Addr
-		dstPort       uint16
-		want          Action
-	}{
-		{
-			name:          "no rules returns default allow",
-			defaultAction: ActionAllow,
-			src:           netip.MustParseAddr("10.0.0.1"),
-			dstAddr:       netip.MustParseAddr("1.2.3.4"),
-			dstPort:       443,
-			want:          ActionAllow,
-		},
-		{
-			name:          "no rules returns default block",
-			defaultAction: ActionBlock,
-			src:           netip.MustParseAddr("10.0.0.1"),
-			dstAddr:       netip.MustParseAddr("1.2.3.4"),
-			dstPort:       443,
-			want:          ActionBlock,
-		},
-		{
-			name:          "domain exact match blocks",
-			defaultAction: ActionAllow,
-			rules: []Rule{
-				{
-					ID:      id.RuleID("r1"),
-					Domains: []domain.Domain{mustDomain(t, "malware.example.com")},
-					Action:  ActionBlock,
-				},
-			},
-			src:       netip.MustParseAddr("10.0.0.1"),
-			dstDomain: mustDomain(t, "malware.example.com"),
-			dstAddr:   netip.MustParseAddr("1.2.3.4"),
-			dstPort:   443,
-			want:      ActionBlock,
-		},
-		{
-			name:          "domain wildcard match blocks",
-			defaultAction: ActionAllow,
-			rules: []Rule{
-				{
-					ID:      id.RuleID("r1"),
-					Domains: []domain.Domain{mustDomain(t, "*.evil.com")},
-					Action:  ActionBlock,
-				},
-			},
-			src:       netip.MustParseAddr("10.0.0.1"),
-			dstDomain: mustDomain(t, "phishing.evil.com"),
-			dstAddr:   netip.MustParseAddr("1.2.3.4"),
-			dstPort:   443,
-			want:      ActionBlock,
-		},
-		{
-			name:          "domain wildcard does not match base",
-			defaultAction: ActionAllow,
-			rules: []Rule{
-				{
-					ID:      id.RuleID("r1"),
-					Domains: []domain.Domain{mustDomain(t, "*.evil.com")},
-					Action:  ActionBlock,
-				},
-			},
-			src:       netip.MustParseAddr("10.0.0.1"),
-			dstDomain: mustDomain(t, "evil.com"),
-			dstAddr:   netip.MustParseAddr("1.2.3.4"),
-			dstPort:   443,
-			want:      ActionAllow,
-		},
-		{
-			name:          "case insensitive domain match",
-			defaultAction: ActionAllow,
-			rules: []Rule{
-				{
-					ID:      id.RuleID("r1"),
-					Domains: []domain.Domain{mustDomain(t, "Example.COM")},
-					Action:  ActionBlock,
-				},
-			},
-			src:       netip.MustParseAddr("10.0.0.1"),
-			dstDomain: mustDomain(t, "EXAMPLE.com"),
-			dstAddr:   netip.MustParseAddr("1.2.3.4"),
-			dstPort:   443,
-			want:      ActionBlock,
-		},
-		{
-			name:          "source CIDR match",
-			defaultAction: ActionAllow,
-			rules: []Rule{
-				{
-					ID:      id.RuleID("r1"),
-					Sources: []netip.Prefix{netip.MustParsePrefix("192.168.1.0/24")},
-					Action:  ActionInspect,
-				},
-			},
-			src:     netip.MustParseAddr("192.168.1.50"),
-			dstAddr: netip.MustParseAddr("1.2.3.4"),
-			dstPort: 443,
-			want:    ActionInspect,
-		},
-		{
-			name:          "source CIDR no match",
-			defaultAction: ActionAllow,
-			rules: []Rule{
-				{
-					ID:      id.RuleID("r1"),
-					Sources: []netip.Prefix{netip.MustParsePrefix("192.168.1.0/24")},
-					Action:  ActionBlock,
-				},
-			},
-			src:     netip.MustParseAddr("10.0.0.5"),
-			dstAddr: netip.MustParseAddr("1.2.3.4"),
-			dstPort: 443,
-			want:    ActionAllow,
-		},
-		{
-			name:          "destination network match",
-			defaultAction: ActionAllow,
-			rules: []Rule{
-				{
-					ID:       id.RuleID("r1"),
-					Networks: []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8")},
-					Action:   ActionInspect,
-				},
-			},
-			src:     netip.MustParseAddr("192.168.1.1"),
-			dstAddr: netip.MustParseAddr("10.50.0.1"),
-			dstPort: 80,
-			want:    ActionInspect,
-		},
-		{
-			name:          "port match",
-			defaultAction: ActionAllow,
-			rules: []Rule{
-				{
-					ID:     id.RuleID("r1"),
-					Ports:  []uint16{443, 8443},
-					Action: ActionInspect,
-				},
-			},
-			src:     netip.MustParseAddr("10.0.0.1"),
-			dstAddr: netip.MustParseAddr("1.2.3.4"),
-			dstPort: 443,
-			want:    ActionInspect,
-		},
-		{
-			name:          "port no match",
-			defaultAction: ActionAllow,
-			rules: []Rule{
-				{
-					ID:     id.RuleID("r1"),
-					Ports:  []uint16{443, 8443},
-					Action: ActionBlock,
-				},
-			},
-			src:     netip.MustParseAddr("10.0.0.1"),
-			dstAddr: netip.MustParseAddr("1.2.3.4"),
-			dstPort: 22,
-			want:    ActionAllow,
-		},
-		{
-			name:          "priority ordering first match wins",
-			defaultAction: ActionAllow,
-			rules: []Rule{
-				{
-					ID:       id.RuleID("allow-internal"),
-					Domains:  []domain.Domain{mustDomain(t, "*.internal.corp")},
-					Action:   ActionAllow,
-					Priority: 1,
-				},
-				{
-					ID:       id.RuleID("inspect-all"),
-					Action:   ActionInspect,
-					Priority: 10,
-				},
-			},
-			src:       netip.MustParseAddr("10.0.0.1"),
-			dstDomain: mustDomain(t, "api.internal.corp"),
-			dstAddr:   netip.MustParseAddr("10.1.0.5"),
-			dstPort:   443,
-			want:      ActionAllow,
-		},
-		{
-			name:          "all fields must match (AND logic)",
-			defaultAction: ActionAllow,
-			rules: []Rule{
-				{
-					ID:      id.RuleID("r1"),
-					Sources: []netip.Prefix{netip.MustParsePrefix("192.168.1.0/24")},
-					Domains: []domain.Domain{mustDomain(t, "*.evil.com")},
-					Ports:   []uint16{443},
-					Action:  ActionBlock,
-				},
-			},
-			// Source matches, domain matches, but port doesn't
-			src:       netip.MustParseAddr("192.168.1.10"),
-			dstDomain: mustDomain(t, "phish.evil.com"),
-			dstAddr:   netip.MustParseAddr("1.2.3.4"),
-			dstPort:   8080,
-			want:      ActionAllow,
-		},
-		{
-			name:          "empty domain with domain rule does not match",
-			defaultAction: ActionAllow,
-			rules: []Rule{
-				{
-					ID:      id.RuleID("r1"),
-					Domains: []domain.Domain{mustDomain(t, "example.com")},
-					Action:  ActionBlock,
-				},
-			},
-			src:       netip.MustParseAddr("10.0.0.1"),
-			dstDomain: "", // raw IP connection, no SNI
-			dstAddr:   netip.MustParseAddr("1.2.3.4"),
-			dstPort:   443,
-			want:      ActionAllow,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			engine := NewRuleEngine(testLogger(), tt.defaultAction)
-			engine.UpdateRules(tt.rules, tt.defaultAction)
-
-			got := engine.Evaluate(tt.src, tt.dstDomain, tt.dstAddr, tt.dstPort, "", "")
-			assert.Equal(t, tt.want, got)
-		})
-	}
-}
-
-func TestRuleEngine_ProtocolMatching(t *testing.T) {
-	engine := NewRuleEngine(testLogger(), ActionAllow)
-	engine.UpdateRules([]Rule{
-		{
-			ID:        "block-websocket",
-			Protocols: []ProtoType{ProtoWebSocket},
-			Action:    ActionBlock,
-			Priority:  1,
-		},
-		{
-			ID:        "inspect-h2",
-			Protocols: []ProtoType{ProtoH2},
-			Action:    ActionInspect,
-			Priority:  2,
-		},
-	}, ActionAllow)
-
-	src := netip.MustParseAddr("10.0.0.1")
-	dst := netip.MustParseAddr("1.2.3.4")
-
-	// WebSocket: blocked by rule
-	assert.Equal(t, ActionBlock, engine.Evaluate(src, "", dst, 443, ProtoWebSocket, ""))
-
-	// HTTP/2: inspected by rule
-	assert.Equal(t, ActionInspect, engine.Evaluate(src, "", dst, 443, ProtoH2, ""))
-
-	// Plain HTTP: no protocol rule matches, default allow
-	assert.Equal(t, ActionAllow, engine.Evaluate(src, "", dst, 80, ProtoHTTP, ""))
-
-	// HTTPS: no protocol rule matches, default allow
-	assert.Equal(t, ActionAllow, engine.Evaluate(src, "", dst, 443, ProtoHTTPS, ""))
-
-	// QUIC/H3: no protocol rule matches, default allow
-	assert.Equal(t, ActionAllow, engine.Evaluate(src, "", dst, 443, ProtoH3, ""))
-
-	// Empty protocol (unknown): no protocol rule matches, default allow
-	assert.Equal(t, ActionAllow, engine.Evaluate(src, "", dst, 443, "", ""))
-}
-
-func TestRuleEngine_EmptyProtocolsMatchAll(t *testing.T) {
-	engine := NewRuleEngine(testLogger(), ActionAllow)
-	engine.UpdateRules([]Rule{
-		{
-			ID:     "block-all-protos",
-			Action: ActionBlock,
-			// No Protocols field = match all protocols
-			Priority: 1,
-		},
-	}, ActionAllow)
-
-	src := netip.MustParseAddr("10.0.0.1")
-	dst := netip.MustParseAddr("1.2.3.4")
-
-	assert.Equal(t, ActionBlock, engine.Evaluate(src, "", dst, 443, ProtoHTTP, ""))
-	assert.Equal(t, ActionBlock, engine.Evaluate(src, "", dst, 443, ProtoHTTPS, ""))
-	assert.Equal(t, ActionBlock, engine.Evaluate(src, "", dst, 443, ProtoWebSocket, ""))
-	assert.Equal(t, ActionBlock, engine.Evaluate(src, "", dst, 443, ProtoH2, ""))
-	assert.Equal(t, ActionBlock, engine.Evaluate(src, "", dst, 443, "", ""))
-}
-
-func TestRuleEngine_UpdateRulesSortsByPriority(t *testing.T) {
-	engine := NewRuleEngine(testLogger(), ActionAllow)
-
-	engine.UpdateRules([]Rule{
-		{ID: "c", Priority: 30, Action: ActionBlock},
-		{ID: "a", Priority: 10, Action: ActionInspect},
-		{ID: "b", Priority: 20, Action: ActionAllow},
-	}, ActionAllow)
-
-	engine.mu.RLock()
-	defer engine.mu.RUnlock()
-
-	require.Len(t, engine.rules, 3)
-	assert.Equal(t, id.RuleID("a"), engine.rules[0].ID)
-	assert.Equal(t, id.RuleID("b"), engine.rules[1].ID)
-	assert.Equal(t, id.RuleID("c"), engine.rules[2].ID)
-}

client/inspect/sni.go

@@ -1,287 +0,0 @@
-package inspect
-
-import (
-	"encoding/binary"
-	"fmt"
-	"io"
-
-	"github.com/netbirdio/netbird/shared/management/domain"
-)
-
-const (
-	recordTypeHandshake      = 0x16
-	handshakeTypeClientHello = 0x01
-	extensionTypeSNI         = 0x0000
-	extensionTypeALPN        = 0x0010
-	sniTypeHostName          = 0x00
-
-	// maxClientHelloSize is the maximum ClientHello size we'll read.
-	// Real-world ClientHellos are typically under 1KB but can reach ~16KB with
-	// many extensions (post-quantum key shares, etc.).
-	maxClientHelloSize = 16384
-)
-
-// ClientHelloInfo holds data extracted from a TLS ClientHello.
-type ClientHelloInfo struct {
-	SNI  domain.Domain
-	ALPN []string
-}
-
-// isTLSHandshake reports whether the first byte indicates a TLS handshake record.
-func isTLSHandshake(b byte) bool {
-	return b == recordTypeHandshake
-}
-
-// httpMethods lists the first bytes of valid HTTP method tokens.
-var httpMethods = [][]byte{
-	[]byte("GET "),
-	[]byte("POST"),
-	[]byte("PUT "),
-	[]byte("DELE"),
-	[]byte("HEAD"),
-	[]byte("OPTI"),
-	[]byte("PATC"),
-	[]byte("CONN"),
-	[]byte("TRAC"),
-}
-
-// isHTTPMethod reports whether the peeked bytes look like the start of an HTTP request.
-func isHTTPMethod(b []byte) bool {
-	if len(b) < 4 {
-		return false
-	}
-	for _, m := range httpMethods {
-		if b[0] == m[0] && b[1] == m[1] && b[2] == m[2] && b[3] == m[3] {
-			return true
-		}
-	}
-	return false
-}
-
-// parseClientHello reads a TLS ClientHello from r and returns SNI and ALPN.
-func parseClientHello(r io.Reader) (ClientHelloInfo, error) {
-	// TLS record header: type(1) + version(2) + length(2)
-	var recordHeader [5]byte
-	if _, err := io.ReadFull(r, recordHeader[:]); err != nil {
-		return ClientHelloInfo{}, fmt.Errorf("read TLS record header: %w", err)
-	}
-
-	if recordHeader[0] != recordTypeHandshake {
-		return ClientHelloInfo{}, fmt.Errorf("not a TLS handshake record (type=%d)", recordHeader[0])
-	}
-
-	recordLen := int(binary.BigEndian.Uint16(recordHeader[3:5]))
-	if recordLen < 4 || recordLen > maxClientHelloSize {
-		return ClientHelloInfo{}, fmt.Errorf("invalid TLS record length: %d", recordLen)
-	}
-
-	// Read the full handshake message
-	msg := make([]byte, recordLen)
-	if _, err := io.ReadFull(r, msg); err != nil {
-		return ClientHelloInfo{}, fmt.Errorf("read handshake message: %w", err)
-	}
-
-	return parseClientHelloMsg(msg)
-}
-
-// extractSNI reads a TLS ClientHello from r and returns the SNI hostname.
-// Returns empty domain if no SNI extension is present.
-func extractSNI(r io.Reader) (domain.Domain, error) {
-	info, err := parseClientHello(r)
-	return info.SNI, err
-}
-
-// extractSNIFromBytes parses SNI from raw bytes that start with the TLS record header.
-func extractSNIFromBytes(data []byte) (domain.Domain, error) {
-	info, err := parseClientHelloFromBytes(data)
-	return info.SNI, err
-}
-
-// parseClientHelloFromBytes parses a ClientHello from raw bytes starting with the TLS record header.
-func parseClientHelloFromBytes(data []byte) (ClientHelloInfo, error) {
-	if len(data) < 5 {
-		return ClientHelloInfo{}, fmt.Errorf("data too short for TLS record header")
-	}
-
-	if data[0] != recordTypeHandshake {
-		return ClientHelloInfo{}, fmt.Errorf("not a TLS handshake record (type=%d)", data[0])
-	}
-
-	recordLen := int(binary.BigEndian.Uint16(data[3:5]))
-	if recordLen < 4 {
-		return ClientHelloInfo{}, fmt.Errorf("invalid TLS record length: %d", recordLen)
-	}
-
-	end := 5 + recordLen
-	if end > len(data) {
-		return ClientHelloInfo{}, fmt.Errorf("TLS record truncated: need %d, have %d", end, len(data))
-	}
-
-	return parseClientHelloMsg(data[5:end])
-}
-
-// parseClientHelloMsg extracts SNI and ALPN from a raw ClientHello handshake message.
-// msg starts at the handshake type byte.
-func parseClientHelloMsg(msg []byte) (ClientHelloInfo, error) {
-	if len(msg) < 4 {
-		return ClientHelloInfo{}, fmt.Errorf("handshake message too short")
-	}
-
-	if msg[0] != handshakeTypeClientHello {
-		return ClientHelloInfo{}, fmt.Errorf("not a ClientHello (type=%d)", msg[0])
-	}
-
-	// Handshake header: type(1) + length(3)
-	helloLen := int(msg[1])<<16 | int(msg[2])<<8 | int(msg[3])
-	if helloLen+4 > len(msg) {
-		return ClientHelloInfo{}, fmt.Errorf("ClientHello truncated")
-	}
-
-	hello := msg[4 : 4+helloLen]
-	return parseHelloBody(hello)
-}
-
-// parseHelloBody parses the ClientHello body (after handshake header)
-// and extracts SNI and ALPN.
-func parseHelloBody(hello []byte) (ClientHelloInfo, error) {
-	// ClientHello structure:
-	// version(2) + random(32) + session_id_len(1) + session_id(var)
-	// + cipher_suites_len(2) + cipher_suites(var)
-	// + compression_len(1) + compression(var)
-	// + extensions_len(2) + extensions(var)
-
-	var info ClientHelloInfo
-
-	if len(hello) < 35 {
-		return info, fmt.Errorf("ClientHello body too short")
-	}
-
-	pos := 2 + 32 // skip version + random
-
-	// Skip session ID
-	if pos >= len(hello) {
-		return info, fmt.Errorf("ClientHello truncated at session ID")
-	}
-	sessionIDLen := int(hello[pos])
-	pos += 1 + sessionIDLen
-
-	// Skip cipher suites
-	if pos+2 > len(hello) {
-		return info, fmt.Errorf("ClientHello truncated at cipher suites")
-	}
-	cipherLen := int(binary.BigEndian.Uint16(hello[pos : pos+2]))
-	pos += 2 + cipherLen
-
-	// Skip compression methods
-	if pos >= len(hello) {
-		return info, fmt.Errorf("ClientHello truncated at compression")
-	}
-	compLen := int(hello[pos])
-	pos += 1 + compLen
-
-	// Extensions
-	if pos+2 > len(hello) {
-		return info, nil
-	}
-
-	extLen := int(binary.BigEndian.Uint16(hello[pos : pos+2]))
-	pos += 2
-
-	extEnd := pos + extLen
-	if extEnd > len(hello) {
-		return info, fmt.Errorf("extensions block truncated")
-	}
-
-	// Walk extensions looking for SNI and ALPN
-	for pos+4 <= extEnd {
-		extType := binary.BigEndian.Uint16(hello[pos : pos+2])
-		extDataLen := int(binary.BigEndian.Uint16(hello[pos+2 : pos+4]))
-		pos += 4
-
-		if pos+extDataLen > extEnd {
-			return info, fmt.Errorf("extension data truncated")
-		}
-
-		switch extType {
-		case extensionTypeSNI:
-			sni, err := parseSNIExtension(hello[pos : pos+extDataLen])
-			if err != nil {
-				return info, err
-			}
-			info.SNI = sni
-		case extensionTypeALPN:
-			info.ALPN = parseALPNExtension(hello[pos : pos+extDataLen])
-		}
-
-		pos += extDataLen
-	}
-
-	return info, nil
-}
-
-// parseALPNExtension parses the ALPN extension data and returns protocol names.
-// ALPN extension: list_length(2) + entries (each: len(1) + protocol_name(var))
-func parseALPNExtension(data []byte) []string {
-	if len(data) < 2 {
-		return nil
-	}
-
-	listLen := int(binary.BigEndian.Uint16(data[0:2]))
-	if listLen+2 > len(data) {
-		return nil
-	}
-
-	var protocols []string
-	pos := 2
-	end := 2 + listLen
-
-	for pos < end {
-		if pos >= len(data) {
-			break
-		}
-		nameLen := int(data[pos])
-		pos++
-		if pos+nameLen > end {
-			break
-		}
-		protocols = append(protocols, string(data[pos:pos+nameLen]))
-		pos += nameLen
-	}
-
-	return protocols
-}
-
-// parseSNIExtension parses the SNI extension data and returns the hostname.
-func parseSNIExtension(data []byte) (domain.Domain, error) {
-	// SNI extension: list_length(2) + entries
-	if len(data) < 2 {
-		return "", fmt.Errorf("SNI extension too short")
-	}
-
-	listLen := int(binary.BigEndian.Uint16(data[0:2]))
-	if listLen+2 > len(data) {
-		return "", fmt.Errorf("SNI list truncated")
-	}
-
-	pos := 2
-	end := 2 + listLen
-
-	for pos+3 <= end {
-		nameType := data[pos]
-		nameLen := int(binary.BigEndian.Uint16(data[pos+1 : pos+3]))
-		pos += 3
-
-		if pos+nameLen > end {
-			return "", fmt.Errorf("SNI name truncated")
-		}
-
-		if nameType == sniTypeHostName {
-			hostname := string(data[pos : pos+nameLen])
-			return domain.FromString(hostname)
-		}
-
-		pos += nameLen
-	}
-
-	return "", nil
-}

client/inspect/sni_test.go

@@ -1,109 +0,0 @@
-package inspect
-
-import (
-	"bytes"
-	"crypto/tls"
-	"net"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestExtractSNI(t *testing.T) {
-	tests := []struct {
-		name    string
-		sni     string
-		wantSNI string
-		wantErr bool
-	}{
-		{
-			name:    "standard domain",
-			sni:     "example.com",
-			wantSNI: "example.com",
-		},
-		{
-			name:    "subdomain",
-			sni:     "api.staging.example.com",
-			wantSNI: "api.staging.example.com",
-		},
-		{
-			name:    "mixed case normalized to lowercase",
-			sni:     "Example.COM",
-			wantSNI: "example.com",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			clientHello := buildClientHello(t, tt.sni)
-
-			sni, err := extractSNI(bytes.NewReader(clientHello))
-			if tt.wantErr {
-				require.Error(t, err)
-				return
-			}
-
-			require.NoError(t, err)
-			assert.Equal(t, tt.wantSNI, sni.PunycodeString())
-		})
-	}
-}
-
-func TestExtractSNI_NotTLS(t *testing.T) {
-	// HTTP request instead of TLS
-	data := []byte("GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
-	_, err := extractSNI(bytes.NewReader(data))
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "not a TLS handshake")
-}
-
-func TestExtractSNI_Truncated(t *testing.T) {
-	// Just the record header, no body
-	data := []byte{0x16, 0x03, 0x01, 0x00, 0x05}
-	_, err := extractSNI(bytes.NewReader(data))
-	require.Error(t, err)
-}
-
-func TestExtractSNIFromBytes(t *testing.T) {
-	clientHello := buildClientHello(t, "test.example.com")
-
-	sni, err := extractSNIFromBytes(clientHello)
-	require.NoError(t, err)
-	assert.Equal(t, "test.example.com", sni.PunycodeString())
-}
-
-// buildClientHello generates a real TLS ClientHello with the given SNI.
-func buildClientHello(t *testing.T, serverName string) []byte {
-	t.Helper()
-
-	// Use a pipe to capture the ClientHello bytes
-	clientConn, serverConn := net.Pipe()
-
-	done := make(chan []byte, 1)
-	go func() {
-		buf := make([]byte, 4096)
-		n, _ := serverConn.Read(buf)
-		done <- buf[:n]
-		serverConn.Close()
-	}()
-
-	tlsConn := tls.Client(clientConn, &tls.Config{
-		ServerName:         serverName,
-		InsecureSkipVerify: true,
-	})
-
-	// Trigger the handshake (will fail since server isn't TLS, but we capture the ClientHello)
-	go func() {
-		_ = tlsConn.Handshake()
-		tlsConn.Close()
-	}()
-
-	clientHello := <-done
-	clientConn.Close()
-
-	require.True(t, len(clientHello) > 5, "ClientHello too short")
-	require.Equal(t, byte(0x16), clientHello[0], "not a TLS handshake record")
-
-	return clientHello
-}

client/inspect/tls.go

@@ -1,287 +0,0 @@
-package inspect
-
-import (
-	"context"
-	"crypto/tls"
-	"fmt"
-	"io"
-	"net"
-	"net/netip"
-
-	"github.com/netbirdio/netbird/shared/management/domain"
-)
-
-// handleTLS processes a TLS connection for the kernel-mode path: extracts SNI,
-// evaluates rules, and handles the connection internally.
-// In envoy mode, allowed connections are forwarded to envoy instead of direct relay.
-func (p *Proxy) handleTLS(ctx context.Context, pconn *peekConn, dst netip.AddrPort, src SourceInfo) error {
-	result, err := p.inspectTLS(ctx, pconn, dst, src)
-	if err != nil {
-		return err
-	}
-
-	if result.PassthroughConn != nil {
-		p.mu.RLock()
-		envoy := p.envoy
-		p.mu.RUnlock()
-
-		if envoy != nil {
-			return p.forwardToEnvoy(ctx, pconn, dst, src, envoy)
-		}
-		return p.tlsPassthrough(ctx, pconn, dst, "")
-	}
-
-	return nil
-}
-
-// inspectTLS extracts SNI, evaluates rules, and returns the result.
-// For ActionAllow: returns the peekConn as PassthroughConn (caller relays).
-// For ActionBlock/ActionInspect: handles internally and returns nil PassthroughConn.
-func (p *Proxy) inspectTLS(ctx context.Context, pconn *peekConn, dst netip.AddrPort, src SourceInfo) (InspectResult, error) {
-	// The first 5 bytes (TLS record header) are already peeked.
-	// Extend to read the full TLS record so bytes remain in the buffer for passthrough.
-	peeked := pconn.Peeked()
-	recordLen := int(peeked[3])<<8 | int(peeked[4])
-	if _, err := pconn.PeekMore(5 + recordLen); err != nil {
-		return InspectResult{}, fmt.Errorf("read TLS record: %w", err)
-	}
-
-	hello, err := parseClientHelloFromBytes(pconn.Peeked())
-	if err != nil {
-		return InspectResult{}, fmt.Errorf("parse ClientHello: %w", err)
-	}
-
-	sni := hello.SNI
-	proto := protoFromALPN(hello.ALPN)
-	// Connection-level evaluation: pass empty path.
-	action := p.evaluateAction(src.IP, sni, dst, proto, "")
-
-	// If any rule for this domain has path patterns, force inspect so paths can
-	// be checked per-request after MITM decryption.
-	if action == ActionAllow && p.rules.HasPathRulesForDomain(sni) {
-		p.log.Debugf("upgrading to inspect for %s (path rules exist)", sni.PunycodeString())
-		action = ActionInspect
-	}
-
-	// Snapshot cert provider under lock for use in this connection.
-	p.mu.RLock()
-	certs := p.certs
-	p.mu.RUnlock()
-
-	switch action {
-	case ActionBlock:
-		p.log.Debugf("block: TLS to %s (SNI=%s)", dst, sni.PunycodeString())
-		if certs != nil {
-			return InspectResult{Action: ActionBlock}, p.tlsBlockPage(ctx, pconn, sni, certs)
-		}
-		return InspectResult{Action: ActionBlock}, ErrBlocked
-
-	case ActionAllow:
-		p.log.Tracef("allow: TLS passthrough to %s (SNI=%s)", dst, sni.PunycodeString())
-		return InspectResult{Action: ActionAllow, PassthroughConn: pconn}, nil
-
-	case ActionInspect:
-		if certs == nil {
-			p.log.Warnf("allow: %s (inspect requested but no MITM CA configured)", sni.PunycodeString())
-			return InspectResult{Action: ActionAllow, PassthroughConn: pconn}, nil
-		}
-		err := p.tlsMITM(ctx, pconn, dst, sni, src, certs)
-		return InspectResult{Action: ActionInspect}, err
-
-	default:
-		p.log.Warnf("block: unknown action %q for %s", action, sni.PunycodeString())
-		return InspectResult{Action: ActionBlock}, ErrBlocked
-	}
-}
-
-// tlsBlockPage completes a MITM TLS handshake with the client using a dynamic
-// certificate, then serves an HTTP 403 block page so the user sees a clear
-// message instead of a cryptic SSL error.
-func (p *Proxy) tlsBlockPage(ctx context.Context, pconn *peekConn, sni domain.Domain, certs *CertProvider) error {
-	hostname := sni.PunycodeString()
-
-	// Force HTTP/1.1 only: block pages are simple responses, no need for h2
-	tlsCfg := certs.GetTLSConfig()
-	tlsCfg.NextProtos = []string{"http/1.1"}
-	clientTLS := tls.Server(pconn, tlsCfg)
-	if err := clientTLS.HandshakeContext(ctx); err != nil {
-		// Client may not trust our CA, handshake fails. That's expected.
-		return fmt.Errorf("block page TLS handshake for %s: %w", hostname, err)
-	}
-	defer func() {
-		if err := clientTLS.Close(); err != nil {
-			p.log.Debugf("close block page TLS for %s: %v", hostname, err)
-		}
-	}()
-
-	writeBlockResponse(clientTLS, nil, sni)
-	return ErrBlocked
-}
-
-// tlsPassthrough connects to the destination and relays encrypted traffic
-// without decryption. The peeked ClientHello bytes are replayed.
-func (p *Proxy) tlsPassthrough(ctx context.Context, pconn *peekConn, dst netip.AddrPort, sni domain.Domain) error {
-	remote, err := p.dialTCP(ctx, dst)
-	if err != nil {
-		return fmt.Errorf("dial %s: %w", dst, err)
-	}
-	defer func() {
-		if err := remote.Close(); err != nil {
-			p.log.Debugf("close remote for %s: %v", dst, err)
-		}
-	}()
-
-	p.log.Tracef("allow: TLS passthrough to %s (SNI=%s)", dst, sni.PunycodeString())
-
-	return relay(ctx, pconn, remote)
-}
-
-// tlsMITM terminates the client TLS connection with a dynamic certificate,
-// establishes a new TLS connection to the real destination, and runs the
-// HTTP inspection pipeline on the decrypted traffic.
-func (p *Proxy) tlsMITM(ctx context.Context, pconn *peekConn, dst netip.AddrPort, sni domain.Domain, src SourceInfo, certs *CertProvider) error {
-	hostname := sni.PunycodeString()
-
-	// TLS handshake with client using dynamic cert
-	clientTLS := tls.Server(pconn, certs.GetTLSConfig())
-	if err := clientTLS.HandshakeContext(ctx); err != nil {
-		return fmt.Errorf("client TLS handshake for %s: %w", hostname, err)
-	}
-	defer func() {
-		if err := clientTLS.Close(); err != nil {
-			p.log.Debugf("close client TLS for %s: %v", hostname, err)
-		}
-	}()
-
-	// TLS connection to real destination
-	remoteTLS, err := p.dialTLS(ctx, dst, hostname)
-	if err != nil {
-		return fmt.Errorf("dial TLS %s (%s): %w", dst, hostname, err)
-	}
-	defer func() {
-		if err := remoteTLS.Close(); err != nil {
-			p.log.Debugf("close remote TLS for %s: %v", hostname, err)
-		}
-	}()
-
-	negotiatedProto := clientTLS.ConnectionState().NegotiatedProtocol
-	p.log.Tracef("inspect: MITM established for %s (proto=%s)", hostname, negotiatedProto)
-
-	return p.inspectHTTP(ctx, clientTLS, remoteTLS, dst, sni, src, negotiatedProto)
-}
-
-// dialTLS connects to the destination with TLS, verifying the real server certificate.
-func (p *Proxy) dialTLS(ctx context.Context, dst netip.AddrPort, serverName string) (net.Conn, error) {
-	rawConn, err := p.dialTCP(ctx, dst)
-	if err != nil {
-		return nil, err
-	}
-
-	tlsConn := tls.Client(rawConn, &tls.Config{
-		ServerName: serverName,
-		NextProtos: []string{"h2", "http/1.1"},
-		MinVersion: tls.VersionTLS12,
-	})
-
-	if err := tlsConn.HandshakeContext(ctx); err != nil {
-		if closeErr := rawConn.Close(); closeErr != nil {
-			p.log.Debugf("close raw conn after TLS handshake failure: %v", closeErr)
-		}
-		return nil, fmt.Errorf("TLS handshake with %s: %w", serverName, err)
-	}
-
-	return tlsConn, nil
-}
-
-// protoFromALPN maps TLS ALPN protocol names to proxy ProtoType.
-// Falls back to ProtoHTTPS when no recognized ALPN is present.
-func protoFromALPN(alpn []string) ProtoType {
-	for _, p := range alpn {
-		switch p {
-		case "h2":
-			return ProtoH2
-		case "h3": // unlikely in TLS, but handle anyway
-			return ProtoH3
-		}
-	}
-	// No ALPN or only "http/1.1": treat as HTTPS
-	return ProtoHTTPS
-}
-
-// relay copies data bidirectionally between client and remote until one
-// side closes or the context is cancelled.
-func relay(ctx context.Context, client, remote net.Conn) error {
-	ctx, cancel := context.WithCancel(ctx)
-	defer cancel()
-
-	errCh := make(chan error, 2)
-
-	go func() {
-		_, err := io.Copy(remote, client)
-		cancel()
-		errCh <- err
-	}()
-
-	go func() {
-		_, err := io.Copy(client, remote)
-		cancel()
-		errCh <- err
-	}()
-
-	var firstErr error
-	for range 2 {
-		if err := <-errCh; err != nil && firstErr == nil {
-			if !isClosedErr(err) {
-				firstErr = err
-			}
-		}
-	}
-
-	return firstErr
-}
-
-// evaluateAction runs rule evaluation and resolves the effective action.
-// Pass empty path for connection-level (TLS), non-empty for request-level (HTTP).
-func (p *Proxy) evaluateAction(src netip.Addr, sni domain.Domain, dst netip.AddrPort, proto ProtoType, path string) Action {
-	return p.rules.Evaluate(src, sni, dst.Addr(), dst.Port(), proto, path)
-}
-
-// dialTCP dials the destination, blocking connections to loopback, link-local,
-// multicast, and WG overlay network addresses.
-func (p *Proxy) dialTCP(ctx context.Context, dst netip.AddrPort) (net.Conn, error) {
-	ip := dst.Addr().Unmap()
-	if err := p.validateDialTarget(ip); err != nil {
-		return nil, fmt.Errorf("dial %s: %w", dst, err)
-	}
-	return p.dialer.DialContext(ctx, "tcp", dst.String())
-}
-
-// validateDialTarget blocks destinations that should never be dialed by the proxy.
-// Mirrors the route validation in systemops.validateRoute.
-func (p *Proxy) validateDialTarget(addr netip.Addr) error {
-	switch {
-	case !addr.IsValid():
-		return fmt.Errorf("invalid address")
-	case addr.IsLoopback():
-		return fmt.Errorf("loopback address not allowed")
-	case addr.IsLinkLocalUnicast(), addr.IsLinkLocalMulticast(), addr.IsInterfaceLocalMulticast():
-		return fmt.Errorf("link-local address not allowed")
-	case addr.IsMulticast():
-		return fmt.Errorf("multicast address not allowed")
-	case p.wgNetwork.IsValid() && p.wgNetwork.Contains(addr):
-		return fmt.Errorf("overlay network address not allowed")
-	case p.localIPs != nil && p.localIPs.IsLocalIP(addr):
-		return fmt.Errorf("local address not allowed")
-	}
-	return nil
-}
-
-func isClosedErr(err error) bool {
-	if err == nil {
-		return false
-	}
-	return err == io.EOF ||
-		err == io.ErrClosedPipe ||
-		err == net.ErrClosed ||
-		err == context.Canceled
-}

client/internal/connect.go

@@ -94,6 +94,7 @@ func (c *ConnectClient) RunOnAndroid(
 	dnsAddresses []netip.AddrPort,
 	dnsReadyListener dns.ReadyListener,
 	stateFilePath string,
+	cacheDir string,
 ) error {
 	// in case of non Android os these variables will be nil
 	mobileDependency := MobileDependency{
@@ -103,6 +104,7 @@ func (c *ConnectClient) RunOnAndroid(
 		HostDNSAddresses:      dnsAddresses,
 		DnsReadyListener:      dnsReadyListener,
 		StateFilePath:         stateFilePath,
+		TempDir:               cacheDir,
 	}
 	return c.run(mobileDependency, nil, "")
 }
@@ -338,6 +340,7 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 			log.Error(err)
 			return wrapErr(err)
 		}
+		engineConfig.TempDir = mobileDependency.TempDir
 
 		relayManager := relayClient.NewManager(engineCtx, relayURLs, myPrivateKey.PublicKey().String(), engineConfig.MTU)
 		c.statusRecorder.SetRelayMgr(relayManager)
@@ -562,9 +565,6 @@ func createEngineConfig(key wgtypes.Key, config *profilemanager.Config, peerConf
 		MTU:     selectMTU(config.MTU, peerConfig.Mtu),
 		LogPath: logPath,
 
-		InspectionCACertPath: config.InspectionCACertPath,
-		InspectionCAKeyPath:  config.InspectionCAKeyPath,
-
 		ProfileConfig: config,
 	}
 

client/internal/debug/debug.go

@@ -16,7 +16,6 @@ import (
 	"path/filepath"
 	"runtime"
 	"runtime/pprof"
-	"slices"
 	"sort"
 	"strings"
 	"time"
@@ -31,7 +30,6 @@ import (
 	"github.com/netbirdio/netbird/client/internal/updater/installer"
 	nbstatus "github.com/netbirdio/netbird/client/status"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
-	"github.com/netbirdio/netbird/util"
 )
 
 const readmeContent = `Netbird debug bundle
@@ -234,6 +232,7 @@ type BundleGenerator struct {
 	statusRecorder *peer.Status
 	syncResponse   *mgmProto.SyncResponse
 	logPath        string
+	tempDir        string
 	cpuProfile     []byte
 	refreshStatus  func() // Optional callback to refresh status before bundle generation
 	clientMetrics  MetricsExporter
@@ -256,6 +255,7 @@ type GeneratorDependencies struct {
 	StatusRecorder *peer.Status
 	SyncResponse   *mgmProto.SyncResponse
 	LogPath        string
+	TempDir        string // Directory for temporary bundle zip files. If empty, os.TempDir() is used.
 	CPUProfile     []byte
 	RefreshStatus  func() // Optional callback to refresh status before bundle generation
 	ClientMetrics  MetricsExporter
@@ -275,6 +275,7 @@ func NewBundleGenerator(deps GeneratorDependencies, cfg BundleConfig) *BundleGen
 		statusRecorder: deps.StatusRecorder,
 		syncResponse:   deps.SyncResponse,
 		logPath:        deps.LogPath,
+		tempDir:        deps.TempDir,
 		cpuProfile:     deps.CPUProfile,
 		refreshStatus:  deps.RefreshStatus,
 		clientMetrics:  deps.ClientMetrics,
@@ -287,7 +288,7 @@ func NewBundleGenerator(deps GeneratorDependencies, cfg BundleConfig) *BundleGen
 
 // Generate creates a debug bundle and returns the location.
 func (g *BundleGenerator) Generate() (resp string, err error) {
-	bundlePath, err := os.CreateTemp("", "netbird.debug.*.zip")
+	bundlePath, err := os.CreateTemp(g.tempDir, "netbird.debug.*.zip")
 	if err != nil {
 		return "", fmt.Errorf("create zip file: %w", err)
 	}
@@ -373,15 +374,8 @@ func (g *BundleGenerator) createArchive() error {
 		log.Errorf("failed to add wg show output: %v", err)
 	}
 
-	if g.logPath != "" && !slices.Contains(util.SpecialLogs, g.logPath) {
-		if err := g.addLogfile(); err != nil {
-			log.Errorf("failed to add log file to debug bundle: %v", err)
-			if err := g.trySystemdLogFallback(); err != nil {
-				log.Errorf("failed to add systemd logs as fallback: %v", err)
-			}
-		}
-	} else if err := g.trySystemdLogFallback(); err != nil {
-		log.Errorf("failed to add systemd logs: %v", err)
+	if err := g.addPlatformLog(); err != nil {
+		log.Errorf("failed to add logs to debug bundle: %v", err)
 	}
 
 	if err := g.addUpdateLogs(); err != nil {

client/internal/debug/debug_android.go

@@ -0,0 +1,41 @@
+//go:build android
+
+package debug
+
+import (
+	"fmt"
+	"io"
+	"os/exec"
+
+	log "github.com/sirupsen/logrus"
+)
+
+func (g *BundleGenerator) addPlatformLog() error {
+	cmd := exec.Command("/system/bin/logcat", "-d")
+	stdout, err := cmd.StdoutPipe()
+	if err != nil {
+		return fmt.Errorf("logcat stdout pipe: %w", err)
+	}
+
+	if err := cmd.Start(); err != nil {
+		return fmt.Errorf("start logcat: %w", err)
+	}
+
+	var logReader io.Reader = stdout
+	if g.anonymize {
+		var pw *io.PipeWriter
+		logReader, pw = io.Pipe()
+		go anonymizeLog(stdout, pw, g.anonymizer)
+	}
+
+	if err := g.addFileToZip(logReader, "logcat.txt"); err != nil {
+		return fmt.Errorf("add logcat to zip: %w", err)
+	}
+
+	if err := cmd.Wait(); err != nil {
+		return fmt.Errorf("wait logcat: %w", err)
+	}
+
+	log.Debug("added logcat output to debug bundle")
+	return nil
+}

client/internal/debug/debug_nonandroid.go

@@ -0,0 +1,25 @@
+//go:build !android
+
+package debug
+
+import (
+	"slices"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/util"
+)
+
+func (g *BundleGenerator) addPlatformLog() error {
+	if g.logPath != "" && !slices.Contains(util.SpecialLogs, g.logPath) {
+		if err := g.addLogfile(); err != nil {
+			log.Errorf("failed to add log file to debug bundle: %v", err)
+			if err := g.trySystemdLogFallback(); err != nil {
+				return err
+			}
+		}
+	} else if err := g.trySystemdLogFallback(); err != nil {
+		return err
+	}
+	return nil
+}

client/internal/engine.go

@@ -31,7 +31,6 @@ import (
 	"github.com/netbirdio/netbird/client/iface/device"
 	nbnetstack "github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/iface/udpmux"
-	"github.com/netbirdio/netbird/client/inspect"
 	"github.com/netbirdio/netbird/client/internal/acl"
 	"github.com/netbirdio/netbird/client/internal/debug"
 	"github.com/netbirdio/netbird/client/internal/dns"
@@ -137,16 +136,11 @@ type EngineConfig struct {
 
 	MTU uint16
 
-	// InspectionCACertPath is a local CA cert for transparent proxy MITM.
-	// Takes priority over management-pushed CA.
-	InspectionCACertPath string
-	// InspectionCAKeyPath is the corresponding private key.
-	InspectionCAKeyPath string
-
 	// for debug bundle generation
 	ProfileConfig *profilemanager.Config
 
 	LogPath string
+	TempDir string
 }
 
 // EngineServices holds the external service dependencies required by the Engine.
@@ -229,10 +223,6 @@ type Engine struct {
 	latestSyncResponse  *mgmProto.SyncResponse
 	flowManager         nftypes.FlowManager
 
-	// transparentProxy is the transparent forward proxy for traffic inspection.
-	transparentProxy    *inspect.Proxy
-	udpInspectionHookID string
-
 	// auto-update
 	updateManager *updater.Manager
 
@@ -1106,6 +1096,7 @@ func (e *Engine) handleBundle(params *mgmProto.BundleParameters) (*mgmProto.JobR
 		StatusRecorder: e.statusRecorder,
 		SyncResponse:   syncResponse,
 		LogPath:        e.config.LogPath,
+		TempDir:        e.config.TempDir,
 		ClientMetrics:  e.clientMetrics,
 		RefreshStatus: func() {
 			e.RunHealthProbes(true)
@@ -1283,9 +1274,6 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 	fwdEntries := toRouteDomains(e.config.WgPrivateKey.PublicKey().String(), routes)
 	e.updateDNSForwarder(dnsRouteFeatureFlag, fwdEntries)
 
-	// Transparent proxy
-	e.updateTransparentProxy(networkMap.GetTransparentProxyConfig())
-
 	// Ingress forward rules
 	forwardingRules, err := e.updateForwardRules(networkMap.GetForwardingRules())
 	if err != nil {
@@ -1709,8 +1697,6 @@ func (e *Engine) parseNATExternalIPMappings() []string {
 func (e *Engine) close() {
 	log.Debugf("removing Netbird interface %s", e.config.WgIfaceName)
 
-	e.stopTransparentProxy()
-
 	if e.wgInterface != nil {
 		if err := e.wgInterface.Close(); err != nil {
 			log.Errorf("failed closing Netbird interface %s %v", e.config.WgIfaceName, err)

client/internal/engine_test.go

@@ -55,6 +55,7 @@ import (
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/activity"
+	nbcache "github.com/netbirdio/netbird/management/server/cache"
 	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
 	"github.com/netbirdio/netbird/management/server/permissions"
 	"github.com/netbirdio/netbird/management/server/settings"
@@ -1634,7 +1635,12 @@ func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, stri
 	peersManager := peers.NewManager(store, permissionsManager)
 	jobManager := job.NewJobManager(nil, store, peersManager)
 
-	ia, _ := integrations.NewIntegratedValidator(context.Background(), peersManager, nil, eventStore)
+	cacheStore, err := nbcache.NewStore(context.Background(), 100*time.Millisecond, 300*time.Millisecond, 100)
+	if err != nil {
+		return nil, "", err
+	}
+
+	ia, _ := integrations.NewIntegratedValidator(context.Background(), peersManager, nil, eventStore, cacheStore)
 
 	metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
 	require.NoError(t, err)
@@ -1656,7 +1662,7 @@ func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, stri
 	updateManager := update_channel.NewPeersUpdateManager(metrics)
 	requestBuffer := server.NewAccountRequestBuffer(context.Background(), store)
 	networkMapController := controller.NewController(context.Background(), store, metrics, updateManager, requestBuffer, server.MockIntegratedValidator{}, settingsMockManager, "netbird.selfhosted", port_forwarding.NewControllerMock(), manager.NewEphemeralManager(store, peersManager), config)
-	accountManager, err := server.BuildManager(context.Background(), config, store, networkMapController, jobManager, nil, "", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false)
+	accountManager, err := server.BuildManager(context.Background(), config, store, networkMapController, jobManager, nil, "", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false, cacheStore)
 	if err != nil {
 		return nil, "", err
 	}

client/internal/engine_tproxy.go

@@ -1,571 +0,0 @@
-package internal
-
-import (
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/pem"
-	"fmt"
-	"math/big"
-	"net/netip"
-	"net/url"
-	"os"
-	"strconv"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/firewall/uspfilter/forwarder"
-	"github.com/netbirdio/netbird/client/inspect"
-	"github.com/netbirdio/netbird/client/internal/acl/id"
-	"github.com/netbirdio/netbird/shared/management/domain"
-	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
-)
-
-// updateTransparentProxy processes transparent proxy configuration from the network map.
-func (e *Engine) updateTransparentProxy(cfg *mgmProto.TransparentProxyConfig) {
-	if cfg == nil || !cfg.Enabled {
-		if cfg == nil {
-			log.Tracef("inspect: config is nil")
-		} else {
-			log.Tracef("inspect: config disabled")
-		}
-		// Only stop if explicitly disabled. Don't stop on nil config to avoid
-		// a gap during policy edits where management briefly pushes empty config.
-		if cfg != nil && !cfg.Enabled {
-			e.stopTransparentProxy()
-		}
-		return
-	}
-
-	log.Debugf("inspect: config received: enabled=%v mode=%v default_action=%v rules=%d has_ca=%v",
-		cfg.Enabled, cfg.Mode, cfg.DefaultAction, len(cfg.Rules), len(cfg.CaCertPem) > 0)
-
-	// BlockInbound prevents adding TPROXY rules since kernel TPROXY bypasses ACLs.
-	// The userspace forwarder path still works as it operates within the forwarder hook.
-	if e.config.BlockInbound {
-		log.Warnf("inspect: BlockInbound is set, skipping redirect rules (userspace path still active)")
-	}
-
-	proxyConfig, err := toProxyConfig(cfg)
-	if err != nil {
-		log.Errorf("inspect: parse config: %v", err)
-		e.stopTransparentProxy()
-		return
-	}
-
-	// CA priority: local config > management-pushed > auto-generated self-signed.
-	// Local wins over mgmt to prevent compromised management from injecting a CA.
-	e.resolveInspectionCA(&proxyConfig)
-
-	if e.transparentProxy != nil {
-		// Mode change requires full recreate (envoy lifecycle, listener changes).
-		if proxyConfig.Mode != e.transparentProxy.Mode() {
-			log.Infof("inspect: mode changed to %s, recreating engine", proxyConfig.Mode)
-			e.stopTransparentProxy()
-		} else {
-			e.transparentProxy.UpdateConfig(proxyConfig)
-			e.syncTProxyRules(proxyConfig)
-			e.syncUDPInspectionHook()
-			return
-		}
-	}
-
-	if e.wgInterface != nil {
-		proxyConfig.WGNetwork = e.wgInterface.Address().Network
-		proxyConfig.ListenAddr = netip.AddrPortFrom(
-			e.wgInterface.Address().IP.Unmap(),
-			proxyConfig.ListenAddr.Port(),
-		)
-	}
-
-	// Pass local IP checker for SSRF prevention
-	if checker, ok := e.firewall.(inspect.LocalIPChecker); ok {
-		proxyConfig.LocalIPChecker = checker
-	}
-
-	p, err := inspect.New(e.ctx, log.WithField("component", "inspect"), proxyConfig)
-	if err != nil {
-		log.Errorf("inspect: start engine: %v", err)
-		return
-	}
-	e.transparentProxy = p
-
-	e.attachProxyToForwarder(p)
-	e.syncTProxyRules(proxyConfig)
-	e.syncUDPInspectionHook()
-
-	log.Infof("inspect: engine started (mode=%s, rules=%d)", proxyConfig.Mode, len(proxyConfig.Rules))
-}
-
-// stopTransparentProxy shuts down the transparent proxy and removes interception.
-func (e *Engine) stopTransparentProxy() {
-	if e.transparentProxy == nil {
-		return
-	}
-
-	e.attachProxyToForwarder(nil)
-	e.removeTProxyRule()
-	e.removeUDPInspectionHook()
-
-	if err := e.transparentProxy.Close(); err != nil {
-		log.Debugf("inspect: close engine: %v", err)
-	}
-	e.transparentProxy = nil
-
-	log.Info("inspect: engine stopped")
-}
-
-const tproxyRuleID = "tproxy-redirect"
-
-// syncTProxyRules adds a TPROXY rule via the firewall manager to intercept
-// matching traffic on the WG interface and redirect it to the proxy socket.
-func (e *Engine) syncTProxyRules(config inspect.Config) {
-	if e.config.BlockInbound {
-		e.removeTProxyRule()
-		return
-	}
-
-	var listenPort uint16
-	if e.transparentProxy != nil {
-		listenPort = e.transparentProxy.ListenPort()
-	}
-	if listenPort == 0 {
-		e.removeTProxyRule()
-		return
-	}
-
-	if e.firewall == nil {
-		return
-	}
-
-	dstPorts := make([]uint16, len(config.RedirectPorts))
-	copy(dstPorts, config.RedirectPorts)
-
-	log.Debugf("inspect: syncing redirect rules: listen port %d, redirect ports %v, sources %v",
-		listenPort, dstPorts, config.RedirectSources)
-
-	if err := e.firewall.AddTProxyRule(tproxyRuleID, config.RedirectSources, dstPorts, listenPort); err != nil {
-		log.Errorf("inspect: add redirect rule: %v", err)
-		return
-	}
-}
-
-// removeTProxyRule removes the TPROXY redirect rule.
-func (e *Engine) removeTProxyRule() {
-	if e.firewall == nil {
-		return
-	}
-	if err := e.firewall.RemoveTProxyRule(tproxyRuleID); err != nil {
-		log.Debugf("inspect: remove redirect rule: %v", err)
-	}
-}
-
-// syncUDPInspectionHook registers a UDP packet hook on port 443 for QUIC SNI blocking.
-// The hook is called by the USP filter for each UDP packet matching the port,
-// allowing the inspection engine to extract QUIC SNI and block by domain.
-func (e *Engine) syncUDPInspectionHook() {
-	e.removeUDPInspectionHook()
-
-	if e.firewall == nil || e.transparentProxy == nil {
-		return
-	}
-
-	p := e.transparentProxy
-	hookID := e.firewall.AddUDPInspectionHook(443, func(packet []byte) bool {
-		srcIP, dstIP, dstPort, udpPayload, ok := parseUDPPacket(packet)
-		if !ok {
-			return false
-		}
-
-		src := inspect.SourceInfo{IP: srcIP}
-		dst := netip.AddrPortFrom(dstIP, dstPort)
-		action := p.HandleUDPPacket(udpPayload, dst, src)
-		return action == inspect.ActionBlock
-	})
-
-	e.udpInspectionHookID = hookID
-	log.Debugf("inspect: registered UDP inspection hook on port 443 (id=%s)", hookID)
-}
-
-// removeUDPInspectionHook removes the QUIC inspection hook.
-func (e *Engine) removeUDPInspectionHook() {
-	if e.udpInspectionHookID == "" || e.firewall == nil {
-		return
-	}
-	e.firewall.RemoveUDPInspectionHook(e.udpInspectionHookID)
-	e.udpInspectionHookID = ""
-}
-
-// parseUDPPacket extracts source/destination IP, destination port, and UDP
-// payload from a raw IP packet. Supports both IPv4 and IPv6.
-func parseUDPPacket(packet []byte) (srcIP, dstIP netip.Addr, dstPort uint16, payload []byte, ok bool) {
-	if len(packet) < 1 {
-		return srcIP, dstIP, 0, nil, false
-	}
-
-	version := packet[0] >> 4
-
-	var udpOffset int
-	switch version {
-	case 4:
-		if len(packet) < 20 {
-			return srcIP, dstIP, 0, nil, false
-		}
-		ihl := int(packet[0]&0x0f) * 4
-		if len(packet) < ihl+8 {
-			return srcIP, dstIP, 0, nil, false
-		}
-		var srcOK, dstOK bool
-		srcIP, srcOK = netip.AddrFromSlice(packet[12:16])
-		dstIP, dstOK = netip.AddrFromSlice(packet[16:20])
-		if !srcOK || !dstOK {
-			return srcIP, dstIP, 0, nil, false
-		}
-		udpOffset = ihl
-
-	case 6:
-		// IPv6 fixed header is 40 bytes. Next header must be UDP (17).
-		if len(packet) < 48 { // 40 header + 8 UDP
-			return srcIP, dstIP, 0, nil, false
-		}
-		nextHeader := packet[6]
-		if nextHeader != 17 { // not UDP (may have extension headers)
-			return srcIP, dstIP, 0, nil, false
-		}
-		var srcOK, dstOK bool
-		srcIP, srcOK = netip.AddrFromSlice(packet[8:24])
-		dstIP, dstOK = netip.AddrFromSlice(packet[24:40])
-		if !srcOK || !dstOK {
-			return srcIP, dstIP, 0, nil, false
-		}
-		udpOffset = 40
-
-	default:
-		return srcIP, dstIP, 0, nil, false
-	}
-
-	srcIP = srcIP.Unmap()
-	dstIP = dstIP.Unmap()
-	dstPort = uint16(packet[udpOffset+2])<<8 | uint16(packet[udpOffset+3])
-	payload = packet[udpOffset+8:]
-
-	return srcIP, dstIP, dstPort, payload, true
-}
-
-// attachProxyToForwarder sets or clears the proxy on the userspace forwarder.
-func (e *Engine) attachProxyToForwarder(p *inspect.Proxy) {
-	type forwarderGetter interface {
-		GetForwarder() *forwarder.Forwarder
-	}
-
-	if fg, ok := e.firewall.(forwarderGetter); ok {
-		if fwd := fg.GetForwarder(); fwd != nil {
-			fwd.SetProxy(p)
-		}
-	}
-}
-
-// toProxyConfig converts a proto TransparentProxyConfig to the inspect.Config type.
-func toProxyConfig(cfg *mgmProto.TransparentProxyConfig) (inspect.Config, error) {
-	config := inspect.Config{
-		Enabled:       cfg.Enabled,
-		DefaultAction: toProxyAction(cfg.DefaultAction),
-	}
-
-	switch cfg.Mode {
-	case mgmProto.TransparentProxyMode_TP_MODE_ENVOY:
-		config.Mode = inspect.ModeEnvoy
-	case mgmProto.TransparentProxyMode_TP_MODE_EXTERNAL:
-		config.Mode = inspect.ModeExternal
-	default:
-		config.Mode = inspect.ModeBuiltin
-	}
-
-	if cfg.ExternalProxyUrl != "" {
-		u, err := url.Parse(cfg.ExternalProxyUrl)
-		if err != nil {
-			return inspect.Config{}, fmt.Errorf("parse external proxy URL: %w", err)
-		}
-		config.ExternalURL = u
-	}
-
-	for _, s := range cfg.RedirectSources {
-		prefix, err := netip.ParsePrefix(s)
-		if err != nil {
-			return inspect.Config{}, fmt.Errorf("parse redirect source %q: %w", s, err)
-		}
-		config.RedirectSources = append(config.RedirectSources, prefix)
-	}
-
-	for _, p := range cfg.RedirectPorts {
-		config.RedirectPorts = append(config.RedirectPorts, uint16(p))
-	}
-
-	// TPROXY listen port: fixed default, overridable via env var.
-	if config.Mode == inspect.ModeBuiltin {
-		port := uint16(inspect.DefaultTProxyPort)
-		if v := os.Getenv("NB_TPROXY_PORT"); v != "" {
-			if p, err := strconv.ParseUint(v, 10, 16); err == nil {
-				port = uint16(p)
-			} else {
-				log.Warnf("invalid NB_TPROXY_PORT %q, using default %d", v, inspect.DefaultTProxyPort)
-			}
-		}
-		config.ListenAddr = netip.AddrPortFrom(netip.IPv4Unspecified(), port)
-	}
-
-	for _, r := range cfg.Rules {
-		rule, err := toProxyRule(r)
-		if err != nil {
-			return inspect.Config{}, fmt.Errorf("parse rule %q: %w", r.Id, err)
-		}
-		config.Rules = append(config.Rules, rule)
-	}
-
-	if cfg.Icap != nil {
-		icapCfg, err := toICAPConfig(cfg.Icap)
-		if err != nil {
-			return inspect.Config{}, fmt.Errorf("parse ICAP config: %w", err)
-		}
-		config.ICAP = icapCfg
-	}
-
-	if len(cfg.CaCertPem) > 0 && len(cfg.CaKeyPem) > 0 {
-		tlsCfg, err := parseTLSConfig(cfg.CaCertPem, cfg.CaKeyPem)
-		if err != nil {
-			return inspect.Config{}, fmt.Errorf("parse TLS config: %w", err)
-		}
-		config.TLS = tlsCfg
-	}
-
-	if config.Mode == inspect.ModeEnvoy {
-		envCfg := &inspect.EnvoyConfig{
-			BinaryPath: cfg.EnvoyBinaryPath,
-			AdminPort:  uint16(cfg.EnvoyAdminPort),
-		}
-		if cfg.EnvoySnippets != nil {
-			envCfg.Snippets = &inspect.EnvoySnippets{
-				HTTPFilters:    cfg.EnvoySnippets.HttpFilters,
-				NetworkFilters: cfg.EnvoySnippets.NetworkFilters,
-				Clusters:       cfg.EnvoySnippets.Clusters,
-			}
-		}
-		config.Envoy = envCfg
-	}
-
-	return config, nil
-}
-
-func toProxyRule(r *mgmProto.TransparentProxyRule) (inspect.Rule, error) {
-	rule := inspect.Rule{
-		ID:       id.RuleID(r.Id),
-		Action:   toProxyAction(r.Action),
-		Priority: int(r.Priority),
-	}
-
-	for _, d := range r.Domains {
-		dom, err := domain.FromString(d)
-		if err != nil {
-			return inspect.Rule{}, fmt.Errorf("parse domain %q: %w", d, err)
-		}
-		rule.Domains = append(rule.Domains, dom)
-	}
-
-	for _, n := range r.Networks {
-		prefix, err := netip.ParsePrefix(n)
-		if err != nil {
-			return inspect.Rule{}, fmt.Errorf("parse network %q: %w", n, err)
-		}
-		rule.Networks = append(rule.Networks, prefix)
-	}
-
-	for _, p := range r.Ports {
-		rule.Ports = append(rule.Ports, uint16(p))
-	}
-
-	for _, proto := range r.Protocols {
-		rule.Protocols = append(rule.Protocols, toProxyProtoType(proto))
-	}
-
-	rule.Paths = r.Paths
-
-	return rule, nil
-}
-
-func toProxyProtoType(p mgmProto.TransparentProxyProtocol) inspect.ProtoType {
-	switch p {
-	case mgmProto.TransparentProxyProtocol_TP_PROTO_HTTP:
-		return inspect.ProtoHTTP
-	case mgmProto.TransparentProxyProtocol_TP_PROTO_HTTPS:
-		return inspect.ProtoHTTPS
-	case mgmProto.TransparentProxyProtocol_TP_PROTO_H2:
-		return inspect.ProtoH2
-	case mgmProto.TransparentProxyProtocol_TP_PROTO_H3:
-		return inspect.ProtoH3
-	case mgmProto.TransparentProxyProtocol_TP_PROTO_WEBSOCKET:
-		return inspect.ProtoWebSocket
-	case mgmProto.TransparentProxyProtocol_TP_PROTO_OTHER:
-		return inspect.ProtoOther
-	default:
-		return ""
-	}
-}
-
-func toProxyAction(a mgmProto.TransparentProxyAction) inspect.Action {
-	switch a {
-	case mgmProto.TransparentProxyAction_TP_ACTION_BLOCK:
-		return inspect.ActionBlock
-	case mgmProto.TransparentProxyAction_TP_ACTION_INSPECT:
-		return inspect.ActionInspect
-	default:
-		return inspect.ActionAllow
-	}
-}
-
-func toICAPConfig(cfg *mgmProto.TransparentProxyICAPConfig) (*inspect.ICAPConfig, error) {
-	icap := &inspect.ICAPConfig{
-		MaxConnections: int(cfg.MaxConnections),
-	}
-
-	if cfg.ReqmodUrl != "" {
-		u, err := url.Parse(cfg.ReqmodUrl)
-		if err != nil {
-			return nil, fmt.Errorf("parse ICAP reqmod URL: %w", err)
-		}
-		icap.ReqModURL = u
-	}
-
-	if cfg.RespmodUrl != "" {
-		u, err := url.Parse(cfg.RespmodUrl)
-		if err != nil {
-			return nil, fmt.Errorf("parse ICAP respmod URL: %w", err)
-		}
-		icap.RespModURL = u
-	}
-
-	return icap, nil
-}
-
-func parseTLSConfig(certPEM, keyPEM []byte) (*inspect.TLSConfig, error) {
-	block, _ := pem.Decode(certPEM)
-	if block == nil {
-		return nil, fmt.Errorf("decode CA certificate PEM")
-	}
-
-	cert, err := x509.ParseCertificate(block.Bytes)
-	if err != nil {
-		return nil, fmt.Errorf("parse CA certificate: %w", err)
-	}
-
-	keyBlock, _ := pem.Decode(keyPEM)
-	if keyBlock == nil {
-		return nil, fmt.Errorf("decode CA key PEM")
-	}
-
-	key, err := x509.ParseECPrivateKey(keyBlock.Bytes)
-	if err != nil {
-		// Try PKCS8 as fallback
-		pkcs8Key, pkcs8Err := x509.ParsePKCS8PrivateKey(keyBlock.Bytes)
-		if pkcs8Err != nil {
-			return nil, fmt.Errorf("parse CA private key (tried EC and PKCS8): %w", err)
-		}
-		return &inspect.TLSConfig{CA: cert, CAKey: pkcs8Key}, nil
-	}
-
-	return &inspect.TLSConfig{CA: cert, CAKey: key}, nil
-}
-
-// resolveInspectionCA sets the TLS config on the proxy config using priority:
-// 1. Local config file CA (InspectionCACertPath/InspectionCAKeyPath)
-// 2. Management-pushed CA (already parsed in toProxyConfig)
-// 3. Auto-generated self-signed CA (ephemeral, for testing)
-// Local always wins to prevent a compromised management server from injecting a CA.
-func (e *Engine) resolveInspectionCA(config *inspect.Config) {
-	// 1. Local CA from config file or env vars
-	certPath := e.config.InspectionCACertPath
-	keyPath := e.config.InspectionCAKeyPath
-	if certPath == "" {
-		certPath = os.Getenv("NB_INSPECTION_CA_CERT")
-	}
-	if keyPath == "" {
-		keyPath = os.Getenv("NB_INSPECTION_CA_KEY")
-	}
-	if certPath != "" && keyPath != "" {
-		certPEM, err := os.ReadFile(certPath)
-		if err != nil {
-			log.Errorf("read local inspection CA cert %s: %v", certPath, err)
-			return
-		}
-		keyPEM, err := os.ReadFile(keyPath)
-		if err != nil {
-			log.Errorf("read local inspection CA key %s: %v", keyPath, err)
-			return
-		}
-		tlsCfg, err := parseTLSConfig(certPEM, keyPEM)
-		if err != nil {
-			log.Errorf("parse local inspection CA: %v", err)
-			return
-		}
-		log.Infof("inspect: using local CA from %s", certPath)
-		config.TLS = tlsCfg
-		return
-	}
-
-	// 2. Management-pushed CA (already set by toProxyConfig)
-	if config.TLS != nil {
-		log.Infof("inspect: using management-pushed CA")
-		return
-	}
-
-	// 3. Auto-generate self-signed CA for testing / accept-cert UX
-	tlsCfg, err := generateSelfSignedCA()
-	if err != nil {
-		log.Errorf("generate self-signed inspection CA: %v", err)
-		return
-	}
-	log.Infof("inspect: using auto-generated self-signed CA (clients will see certificate warnings)")
-	config.TLS = tlsCfg
-}
-
-// generateSelfSignedCA creates an ephemeral ECDSA P-256 CA certificate.
-// Clients will see certificate warnings but can choose to accept.
-func generateSelfSignedCA() (*inspect.TLSConfig, error) {
-	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		return nil, fmt.Errorf("generate CA key: %w", err)
-	}
-
-	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
-	if err != nil {
-		return nil, fmt.Errorf("generate serial: %w", err)
-	}
-
-	template := &x509.Certificate{
-		SerialNumber: serial,
-		Subject: pkix.Name{
-			Organization: []string{"NetBird Transparent Proxy"},
-			CommonName:   "NetBird Inspection CA (auto-generated)",
-		},
-		NotBefore:             time.Now().Add(-1 * time.Hour),
-		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
-		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
-		BasicConstraintsValid: true,
-		IsCA:                  true,
-		MaxPathLen:            0,
-	}
-
-	certDER, err := x509.CreateCertificate(rand.Reader, template, template, &key.PublicKey, key)
-	if err != nil {
-		return nil, fmt.Errorf("create CA certificate: %w", err)
-	}
-
-	cert, err := x509.ParseCertificate(certDER)
-	if err != nil {
-		return nil, fmt.Errorf("parse generated CA certificate: %w", err)
-	}
-
-	return &inspect.TLSConfig{CA: cert, CAKey: key}, nil
-}

client/internal/engine_tproxy_test.go

@@ -1,279 +0,0 @@
-package internal
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/client/inspect"
-	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
-)
-
-func TestToProxyConfig_Basic(t *testing.T) {
-	cfg := &mgmProto.TransparentProxyConfig{
-		Enabled:       true,
-		Mode:          mgmProto.TransparentProxyMode_TP_MODE_BUILTIN,
-		DefaultAction: mgmProto.TransparentProxyAction_TP_ACTION_ALLOW,
-		RedirectSources: []string{
-			"10.0.0.0/24",
-			"192.168.1.0/24",
-		},
-		RedirectPorts: []uint32{80, 443},
-		Rules: []*mgmProto.TransparentProxyRule{
-			{
-				Id:       "block-evil",
-				Domains:  []string{"*.evil.com", "malware.example.com"},
-				Action:   mgmProto.TransparentProxyAction_TP_ACTION_BLOCK,
-				Priority: 1,
-			},
-			{
-				Id:       "inspect-internal",
-				Domains:  []string{"*.internal.corp"},
-				Networks: []string{"10.1.0.0/16"},
-				Ports:    []uint32{443, 8443},
-				Action:   mgmProto.TransparentProxyAction_TP_ACTION_INSPECT,
-				Priority: 10,
-			},
-		},
-		ListenPort: 8443,
-	}
-
-	config, err := toProxyConfig(cfg)
-	require.NoError(t, err)
-
-	assert.True(t, config.Enabled)
-	assert.Equal(t, inspect.ModeBuiltin, config.Mode)
-	assert.Equal(t, inspect.ActionAllow, config.DefaultAction)
-
-	require.Len(t, config.RedirectSources, 2)
-	assert.Equal(t, "10.0.0.0/24", config.RedirectSources[0].String())
-	assert.Equal(t, "192.168.1.0/24", config.RedirectSources[1].String())
-
-	require.Len(t, config.RedirectPorts, 2)
-	assert.Equal(t, uint16(80), config.RedirectPorts[0])
-	assert.Equal(t, uint16(443), config.RedirectPorts[1])
-
-	require.Len(t, config.Rules, 2)
-
-	// Rule 1: block evil domains
-	assert.Equal(t, "block-evil", string(config.Rules[0].ID))
-	assert.Equal(t, inspect.ActionBlock, config.Rules[0].Action)
-	assert.Equal(t, 1, config.Rules[0].Priority)
-	require.Len(t, config.Rules[0].Domains, 2)
-	assert.Equal(t, "*.evil.com", config.Rules[0].Domains[0].PunycodeString())
-	assert.Equal(t, "malware.example.com", config.Rules[0].Domains[1].PunycodeString())
-
-	// Rule 2: inspect internal
-	assert.Equal(t, "inspect-internal", string(config.Rules[1].ID))
-	assert.Equal(t, inspect.ActionInspect, config.Rules[1].Action)
-	assert.Equal(t, 10, config.Rules[1].Priority)
-	require.Len(t, config.Rules[1].Networks, 1)
-	assert.Equal(t, "10.1.0.0/16", config.Rules[1].Networks[0].String())
-	require.Len(t, config.Rules[1].Ports, 2)
-
-	// Listen address
-	assert.True(t, config.ListenAddr.IsValid())
-	assert.Equal(t, uint16(8443), config.ListenAddr.Port())
-}
-
-func TestToProxyConfig_ExternalMode(t *testing.T) {
-	cfg := &mgmProto.TransparentProxyConfig{
-		Enabled:         true,
-		Mode:            mgmProto.TransparentProxyMode_TP_MODE_EXTERNAL,
-		ExternalProxyUrl: "http://proxy.corp:8080",
-		DefaultAction:   mgmProto.TransparentProxyAction_TP_ACTION_BLOCK,
-	}
-
-	config, err := toProxyConfig(cfg)
-	require.NoError(t, err)
-
-	assert.Equal(t, inspect.ModeExternal, config.Mode)
-	assert.Equal(t, inspect.ActionBlock, config.DefaultAction)
-	require.NotNil(t, config.ExternalURL)
-	assert.Equal(t, "http", config.ExternalURL.Scheme)
-	assert.Equal(t, "proxy.corp:8080", config.ExternalURL.Host)
-}
-
-func TestToProxyConfig_ICAP(t *testing.T) {
-	cfg := &mgmProto.TransparentProxyConfig{
-		Enabled: true,
-		Icap: &mgmProto.TransparentProxyICAPConfig{
-			ReqmodUrl:      "icap://icap-server:1344/reqmod",
-			RespmodUrl:     "icap://icap-server:1344/respmod",
-			MaxConnections: 16,
-		},
-	}
-
-	config, err := toProxyConfig(cfg)
-	require.NoError(t, err)
-
-	require.NotNil(t, config.ICAP)
-	assert.Equal(t, "icap", config.ICAP.ReqModURL.Scheme)
-	assert.Equal(t, "icap-server:1344", config.ICAP.ReqModURL.Host)
-	assert.Equal(t, "/reqmod", config.ICAP.ReqModURL.Path)
-	assert.Equal(t, "/respmod", config.ICAP.RespModURL.Path)
-	assert.Equal(t, 16, config.ICAP.MaxConnections)
-}
-
-func TestToProxyConfig_Empty(t *testing.T) {
-	cfg := &mgmProto.TransparentProxyConfig{
-		Enabled: true,
-	}
-
-	config, err := toProxyConfig(cfg)
-	require.NoError(t, err)
-
-	assert.True(t, config.Enabled)
-	assert.Equal(t, inspect.ModeBuiltin, config.Mode)
-	assert.Equal(t, inspect.ActionAllow, config.DefaultAction)
-	assert.Empty(t, config.RedirectSources)
-	assert.Empty(t, config.RedirectPorts)
-	assert.Empty(t, config.Rules)
-	assert.Nil(t, config.ICAP)
-	assert.Nil(t, config.TLS)
-	assert.False(t, config.ListenAddr.IsValid())
-}
-
-func TestToProxyConfig_InvalidSource(t *testing.T) {
-	cfg := &mgmProto.TransparentProxyConfig{
-		Enabled:         true,
-		RedirectSources: []string{"not-a-cidr"},
-	}
-
-	_, err := toProxyConfig(cfg)
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "parse redirect source")
-}
-
-func TestToProxyConfig_InvalidNetwork(t *testing.T) {
-	cfg := &mgmProto.TransparentProxyConfig{
-		Enabled: true,
-		Rules: []*mgmProto.TransparentProxyRule{
-			{
-				Id:       "bad",
-				Networks: []string{"not-a-cidr"},
-			},
-		},
-	}
-
-	_, err := toProxyConfig(cfg)
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "parse network")
-}
-
-func TestToProxyAction(t *testing.T) {
-	assert.Equal(t, inspect.ActionAllow, toProxyAction(mgmProto.TransparentProxyAction_TP_ACTION_ALLOW))
-	assert.Equal(t, inspect.ActionBlock, toProxyAction(mgmProto.TransparentProxyAction_TP_ACTION_BLOCK))
-	assert.Equal(t, inspect.ActionInspect, toProxyAction(mgmProto.TransparentProxyAction_TP_ACTION_INSPECT))
-	// Unknown defaults to allow
-	assert.Equal(t, inspect.ActionAllow, toProxyAction(99))
-}
-
-func TestParseUDPPacket_IPv4(t *testing.T) {
-	// Build a minimal IPv4/UDP packet: 20-byte IPv4 header + 8-byte UDP header + payload
-	packet := make([]byte, 20+8+4)
-
-	// IPv4 header: version=4, IHL=5 (20 bytes)
-	packet[0] = 0x45
-	// Protocol = UDP (17)
-	packet[9] = 17
-	// Source IP: 10.0.0.1
-	packet[12], packet[13], packet[14], packet[15] = 10, 0, 0, 1
-	// Dest IP: 192.168.1.1
-	packet[16], packet[17], packet[18], packet[19] = 192, 168, 1, 1
-	// UDP source port: 54321 (0xD431)
-	packet[20] = 0xD4
-	packet[21] = 0x31
-	// UDP dest port: 443 (0x01BB)
-	packet[22] = 0x01
-	packet[23] = 0xBB
-	// Payload
-	packet[28] = 0xDE
-	packet[29] = 0xAD
-	packet[30] = 0xBE
-	packet[31] = 0xEF
-
-	srcIP, dstIP, dstPort, payload, ok := parseUDPPacket(packet)
-	require.True(t, ok)
-	assert.Equal(t, "10.0.0.1", srcIP.String())
-	assert.Equal(t, "192.168.1.1", dstIP.String())
-	assert.Equal(t, uint16(443), dstPort)
-	assert.Equal(t, []byte{0xDE, 0xAD, 0xBE, 0xEF}, payload)
-}
-
-func TestParseUDPPacket_IPv6(t *testing.T) {
-	// Build a minimal IPv6/UDP packet: 40-byte IPv6 header + 8-byte UDP header + payload
-	packet := make([]byte, 40+8+4)
-
-	// Version = 6 (0x60 in high nibble)
-	packet[0] = 0x60
-	// Payload length: 8 (UDP header) + 4 (payload)
-	packet[4] = 0
-	packet[5] = 12
-	// Next header: UDP (17)
-	packet[6] = 17
-	// Source: 2001:db8::1
-	packet[8] = 0x20
-	packet[9] = 0x01
-	packet[10] = 0x0d
-	packet[11] = 0xb8
-	packet[23] = 0x01
-	// Dest: 2001:db8::2
-	packet[24] = 0x20
-	packet[25] = 0x01
-	packet[26] = 0x0d
-	packet[27] = 0xb8
-	packet[39] = 0x02
-	// UDP source port: 54321 (0xD431)
-	packet[40] = 0xD4
-	packet[41] = 0x31
-	// UDP dest port: 443 (0x01BB)
-	packet[42] = 0x01
-	packet[43] = 0xBB
-	// Payload
-	packet[48] = 0xCA
-	packet[49] = 0xFE
-	packet[50] = 0xBA
-	packet[51] = 0xBE
-
-	srcIP, dstIP, dstPort, payload, ok := parseUDPPacket(packet)
-	require.True(t, ok)
-	assert.Equal(t, "2001:db8::1", srcIP.String())
-	assert.Equal(t, "2001:db8::2", dstIP.String())
-	assert.Equal(t, uint16(443), dstPort)
-	assert.Equal(t, []byte{0xCA, 0xFE, 0xBA, 0xBE}, payload)
-}
-
-func TestParseUDPPacket_TooShort(t *testing.T) {
-	_, _, _, _, ok := parseUDPPacket(nil)
-	assert.False(t, ok)
-
-	_, _, _, _, ok = parseUDPPacket([]byte{0x45, 0x00})
-	assert.False(t, ok)
-}
-
-func TestParseUDPPacket_IPv6ExtensionHeader(t *testing.T) {
-	// IPv6 with next header != UDP should be rejected
-	packet := make([]byte, 48)
-	packet[0] = 0x60
-	packet[6] = 6 // TCP, not UDP
-	_, _, _, _, ok := parseUDPPacket(packet)
-	assert.False(t, ok, "should reject IPv6 packets with non-UDP next header")
-}
-
-func TestParseUDPPacket_IPv4MappedIPv6(t *testing.T) {
-	// IPv4 packet with normal addresses should Unmap correctly
-	packet := make([]byte, 28)
-	packet[0] = 0x45
-	packet[9] = 17
-	packet[12], packet[13], packet[14], packet[15] = 127, 0, 0, 1
-	packet[16], packet[17], packet[18], packet[19] = 10, 0, 0, 1
-	packet[22] = 0x01
-	packet[23] = 0xBB
-
-	srcIP, dstIP, _, _, ok := parseUDPPacket(packet)
-	require.True(t, ok)
-	assert.True(t, srcIP.Is4(), "should be plain IPv4, not mapped")
-	assert.True(t, dstIP.Is4(), "should be plain IPv4, not mapped")
-}

client/internal/mobile_dependency.go

@@ -22,4 +22,8 @@ type MobileDependency struct {
 	DnsManager     dns.IosDnsManager
 	FileDescriptor int32
 	StateFilePath  string
+
+	// TempDir is a writable directory for temporary files (e.g., debug bundle zip).
+	// On Android, this should be set to the app's cache directory.
+	TempDir string
 }

client/internal/netflow/conntrack/conntrack.go

@@ -7,7 +7,9 @@ import (
 	"fmt"
 	"net/netip"
 	"sync"
+	"time"
 
+	"github.com/cenkalti/backoff/v4"
 	"github.com/google/uuid"
 	log "github.com/sirupsen/logrus"
 	nfct "github.com/ti-mo/conntrack"
@@ -17,31 +19,64 @@ import (
 	nbnet "github.com/netbirdio/netbird/client/net"
 )
 
-const defaultChannelSize = 100
+const (
+	defaultChannelSize     = 100
+	reconnectInitInterval  = 5 * time.Second
+	reconnectMaxInterval   = 5 * time.Minute
+	reconnectRandomization = 0.5
+)
+
+// listener abstracts a netlink conntrack connection for testability.
+type listener interface {
+	Listen(evChan chan<- nfct.Event, numWorkers uint8, groups []netfilter.NetlinkGroup) (chan error, error)
+	Close() error
+}
 
 // ConnTrack manages kernel-based conntrack events
 type ConnTrack struct {
 	flowLogger nftypes.FlowLogger
 	iface      nftypes.IFaceMapper
 
-	conn *nfct.Conn
+	conn listener
 	mux  sync.Mutex
 
+	dial           func() (listener, error)
 	instanceID     uuid.UUID
 	started        bool
 	done           chan struct{}
 	sysctlModified bool
 }
 
+// DialFunc is a constructor for netlink conntrack connections.
+type DialFunc func() (listener, error)
+
+// Option configures a ConnTrack instance.
+type Option func(*ConnTrack)
+
+// WithDialer overrides the default netlink dialer, primarily for testing.
+func WithDialer(dial DialFunc) Option {
+	return func(c *ConnTrack) {
+		c.dial = dial
+	}
+}
+
+func defaultDial() (listener, error) {
+	return nfct.Dial(nil)
+}
+
 // New creates a new connection tracker that interfaces with the kernel's conntrack system
-func New(flowLogger nftypes.FlowLogger, iface nftypes.IFaceMapper) *ConnTrack {
-	return &ConnTrack{
+func New(flowLogger nftypes.FlowLogger, iface nftypes.IFaceMapper, opts ...Option) *ConnTrack {
+	ct := &ConnTrack{
 		flowLogger: flowLogger,
 		iface:      iface,
 		instanceID: uuid.New(),
-		started:    false,
+		dial:       defaultDial,
 		done:       make(chan struct{}, 1),
 	}
+	for _, opt := range opts {
+		opt(ct)
+	}
+	return ct
 }
 
 // Start begins tracking connections by listening for conntrack events. This method is idempotent.
@@ -59,8 +94,9 @@ func (c *ConnTrack) Start(enableCounters bool) error {
 		c.EnableAccounting()
 	}
 
-	conn, err := nfct.Dial(nil)
+	conn, err := c.dial()
 	if err != nil {
+		c.RestoreAccounting()
 		return fmt.Errorf("dial conntrack: %w", err)
 	}
 	c.conn = conn
@@ -76,9 +112,16 @@ func (c *ConnTrack) Start(enableCounters bool) error {
 			log.Errorf("Error closing conntrack connection: %v", err)
 		}
 		c.conn = nil
+		c.RestoreAccounting()
 		return fmt.Errorf("start conntrack listener: %w", err)
 	}
 
+	// Drain any stale stop signal from a previous cycle.
+	select {
+	case <-c.done:
+	default:
+	}
+
 	c.started = true
 
 	go c.receiverRoutine(events, errChan)
@@ -92,17 +135,98 @@ func (c *ConnTrack) receiverRoutine(events chan nfct.Event, errChan chan error)
 		case event := <-events:
 			c.handleEvent(event)
 		case err := <-errChan:
-			log.Errorf("Error from conntrack event listener: %v", err)
-			if err := c.conn.Close(); err != nil {
-				log.Errorf("Error closing conntrack connection: %v", err)
+			if events, errChan = c.handleListenerError(err); events == nil {
+				return
 			}
-			return
 		case <-c.done:
 			return
 		}
 	}
 }
 
+// handleListenerError closes the failed connection and attempts to reconnect.
+// Returns new channels on success, or nil if shutdown was requested.
+func (c *ConnTrack) handleListenerError(err error) (chan nfct.Event, chan error) {
+	log.Warnf("conntrack event listener failed: %v", err)
+	c.closeConn()
+	return c.reconnect()
+}
+
+func (c *ConnTrack) closeConn() {
+	c.mux.Lock()
+	defer c.mux.Unlock()
+
+	if c.conn != nil {
+		if err := c.conn.Close(); err != nil {
+			log.Debugf("close conntrack connection: %v", err)
+		}
+		c.conn = nil
+	}
+}
+
+// reconnect attempts to re-establish the conntrack netlink listener with exponential backoff.
+// Returns new channels on success, or nil if shutdown was requested.
+func (c *ConnTrack) reconnect() (chan nfct.Event, chan error) {
+	bo := &backoff.ExponentialBackOff{
+		InitialInterval:     reconnectInitInterval,
+		RandomizationFactor: reconnectRandomization,
+		Multiplier:          backoff.DefaultMultiplier,
+		MaxInterval:         reconnectMaxInterval,
+		MaxElapsedTime:      0, // retry indefinitely
+		Clock:               backoff.SystemClock,
+	}
+	bo.Reset()
+
+	for {
+		delay := bo.NextBackOff()
+		log.Infof("reconnecting conntrack listener in %s", delay)
+
+		select {
+		case <-c.done:
+			c.mux.Lock()
+			c.started = false
+			c.mux.Unlock()
+			return nil, nil
+		case <-time.After(delay):
+		}
+
+		conn, err := c.dial()
+		if err != nil {
+			log.Warnf("reconnect conntrack dial: %v", err)
+			continue
+		}
+
+		events := make(chan nfct.Event, defaultChannelSize)
+		errChan, err := conn.Listen(events, 1, []netfilter.NetlinkGroup{
+			netfilter.GroupCTNew,
+			netfilter.GroupCTDestroy,
+		})
+		if err != nil {
+			log.Warnf("reconnect conntrack listen: %v", err)
+			if closeErr := conn.Close(); closeErr != nil {
+				log.Debugf("close conntrack connection: %v", closeErr)
+			}
+			continue
+		}
+
+		c.mux.Lock()
+		if !c.started {
+			// Stop() ran while we were reconnecting.
+			c.mux.Unlock()
+			if closeErr := conn.Close(); closeErr != nil {
+				log.Debugf("close conntrack connection: %v", closeErr)
+			}
+			return nil, nil
+		}
+		c.conn = conn
+		c.mux.Unlock()
+
+		log.Infof("conntrack listener reconnected successfully")
+
+		return events, errChan
+	}
+}
+
 // Stop stops the connection tracking. This method is idempotent.
 func (c *ConnTrack) Stop() {
 	c.mux.Lock()
@@ -136,23 +260,27 @@ func (c *ConnTrack) Close() error {
 	c.mux.Lock()
 	defer c.mux.Unlock()
 
-	if c.started {
-		select {
-		case c.done <- struct{}{}:
-		default:
-		}
+	if !c.started {
+		return nil
 	}
 
+	select {
+	case c.done <- struct{}{}:
+	default:
+	}
+
+	c.started = false
+
+	var closeErr error
 	if c.conn != nil {
-		err := c.conn.Close()
+		closeErr = c.conn.Close()
 		c.conn = nil
-		c.started = false
+	}
 
-		c.RestoreAccounting()
+	c.RestoreAccounting()
 
-		if err != nil {
-			return fmt.Errorf("close conntrack: %w", err)
-		}
+	if closeErr != nil {
+		return fmt.Errorf("close conntrack: %w", closeErr)
 	}
 
 	return nil

client/internal/netflow/conntrack/conntrack_test.go

@@ -0,0 +1,224 @@
+//go:build linux && !android
+
+package conntrack
+
+import (
+	"sync/atomic"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	nfct "github.com/ti-mo/conntrack"
+	"github.com/ti-mo/netfilter"
+)
+
+type mockListener struct {
+	errChan  chan error
+	closed   atomic.Bool
+	closedCh chan struct{}
+}
+
+func newMockListener() *mockListener {
+	return &mockListener{
+		errChan:  make(chan error, 1),
+		closedCh: make(chan struct{}),
+	}
+}
+
+func (m *mockListener) Listen(evChan chan<- nfct.Event, _ uint8, _ []netfilter.NetlinkGroup) (chan error, error) {
+	return m.errChan, nil
+}
+
+func (m *mockListener) Close() error {
+	if m.closed.CompareAndSwap(false, true) {
+		close(m.closedCh)
+	}
+	return nil
+}
+
+func TestReconnectAfterError(t *testing.T) {
+	first := newMockListener()
+	second := newMockListener()
+	third := newMockListener()
+	listeners := []*mockListener{first, second, third}
+	callCount := atomic.Int32{}
+
+	ct := New(nil, nil, WithDialer(func() (listener, error) {
+		n := int(callCount.Add(1)) - 1
+		return listeners[n], nil
+	}))
+
+	err := ct.Start(false)
+	require.NoError(t, err)
+
+	// Inject an error on the first listener.
+	first.errChan <- assert.AnError
+
+	// Wait for reconnect to complete.
+	require.Eventually(t, func() bool {
+		return callCount.Load() >= 2
+	}, 15*time.Second, 100*time.Millisecond, "reconnect should dial a new connection")
+
+	// The first connection must have been closed.
+	select {
+	case <-first.closedCh:
+	case <-time.After(2 * time.Second):
+		t.Fatal("first connection was not closed")
+	}
+
+	// Verify the receiver is still running by injecting and handling a second error.
+	second.errChan <- assert.AnError
+
+	require.Eventually(t, func() bool {
+		return callCount.Load() >= 3
+	}, 15*time.Second, 100*time.Millisecond, "second reconnect should succeed")
+
+	ct.Stop()
+}
+
+func TestStopDuringReconnectBackoff(t *testing.T) {
+	mock := newMockListener()
+
+	ct := New(nil, nil, WithDialer(func() (listener, error) {
+		return mock, nil
+	}))
+
+	err := ct.Start(false)
+	require.NoError(t, err)
+
+	// Trigger an error so the receiver enters reconnect.
+	mock.errChan <- assert.AnError
+
+	// Wait for the error handler to close the old listener before calling Stop.
+	select {
+	case <-mock.closedCh:
+	case <-time.After(5 * time.Second):
+		t.Fatal("timed out waiting for reconnect to start")
+	}
+
+	// Stop while reconnecting.
+	ct.Stop()
+
+	ct.mux.Lock()
+	assert.False(t, ct.started, "started should be false after Stop")
+	assert.Nil(t, ct.conn, "conn should be nil after Stop")
+	ct.mux.Unlock()
+}
+
+func TestStopRaceWithReconnectDial(t *testing.T) {
+	first := newMockListener()
+	dialStarted := make(chan struct{})
+	dialProceed := make(chan struct{})
+	second := newMockListener()
+	callCount := atomic.Int32{}
+
+	ct := New(nil, nil, WithDialer(func() (listener, error) {
+		n := callCount.Add(1)
+		if n == 1 {
+			return first, nil
+		}
+		// Second dial: signal that we're in progress, wait for test to call Stop.
+		close(dialStarted)
+		<-dialProceed
+		return second, nil
+	}))
+
+	err := ct.Start(false)
+	require.NoError(t, err)
+
+	// Trigger error to enter reconnect.
+	first.errChan <- assert.AnError
+
+	// Wait for reconnect's second dial to begin.
+	select {
+	case <-dialStarted:
+	case <-time.After(15 * time.Second):
+		t.Fatal("timed out waiting for reconnect dial")
+	}
+
+	// Stop while dial is in progress (conn is nil at this point).
+	ct.Stop()
+
+	// Let the dial complete. reconnect should detect started==false and close the new conn.
+	close(dialProceed)
+
+	// The second connection should be closed (not leaked).
+	select {
+	case <-second.closedCh:
+	case <-time.After(2 * time.Second):
+		t.Fatal("second connection was leaked after Stop")
+	}
+
+	ct.mux.Lock()
+	assert.False(t, ct.started)
+	assert.Nil(t, ct.conn)
+	ct.mux.Unlock()
+}
+
+func TestCloseRaceWithReconnectDial(t *testing.T) {
+	first := newMockListener()
+	dialStarted := make(chan struct{})
+	dialProceed := make(chan struct{})
+	second := newMockListener()
+	callCount := atomic.Int32{}
+
+	ct := New(nil, nil, WithDialer(func() (listener, error) {
+		n := callCount.Add(1)
+		if n == 1 {
+			return first, nil
+		}
+		close(dialStarted)
+		<-dialProceed
+		return second, nil
+	}))
+
+	err := ct.Start(false)
+	require.NoError(t, err)
+
+	first.errChan <- assert.AnError
+
+	select {
+	case <-dialStarted:
+	case <-time.After(15 * time.Second):
+		t.Fatal("timed out waiting for reconnect dial")
+	}
+
+	// Close while dial is in progress (conn is nil).
+	require.NoError(t, ct.Close())
+
+	close(dialProceed)
+
+	// The second connection should be closed (not leaked).
+	select {
+	case <-second.closedCh:
+	case <-time.After(2 * time.Second):
+		t.Fatal("second connection was leaked after Close")
+	}
+
+	ct.mux.Lock()
+	assert.False(t, ct.started)
+	assert.Nil(t, ct.conn)
+	ct.mux.Unlock()
+}
+
+func TestStartIsIdempotent(t *testing.T) {
+	mock := newMockListener()
+	callCount := atomic.Int32{}
+
+	ct := New(nil, nil, WithDialer(func() (listener, error) {
+		callCount.Add(1)
+		return mock, nil
+	}))
+
+	err := ct.Start(false)
+	require.NoError(t, err)
+
+	// Second Start should be a no-op.
+	err = ct.Start(false)
+	require.NoError(t, err)
+
+	assert.Equal(t, int32(1), callCount.Load(), "dial should only be called once")
+
+	ct.Stop()
+}

client/internal/portforward/env.go

@@ -8,18 +8,27 @@ import (
 )
 
 const (
-	envDisableNATMapper = "NB_DISABLE_NAT_MAPPER"
+	envDisableNATMapper      = "NB_DISABLE_NAT_MAPPER"
+	envDisablePCPHealthCheck = "NB_DISABLE_PCP_HEALTH_CHECK"
 )
 
 func isDisabledByEnv() bool {
-	val := os.Getenv(envDisableNATMapper)
+	return parseBoolEnv(envDisableNATMapper)
+}
+
+func isHealthCheckDisabled() bool {
+	return parseBoolEnv(envDisablePCPHealthCheck)
+}
+
+func parseBoolEnv(key string) bool {
+	val := os.Getenv(key)
 	if val == "" {
 		return false
 	}
 
 	disabled, err := strconv.ParseBool(val)
 	if err != nil {
-		log.Warnf("failed to parse %s: %v", envDisableNATMapper, err)
+		log.Warnf("failed to parse %s: %v", key, err)
 		return false
 	}
 	return disabled

client/internal/portforward/manager.go

@@ -12,12 +12,15 @@ import (
 
 	"github.com/libp2p/go-nat"
 	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal/portforward/pcp"
 )
 
 const (
-	defaultMappingTTL  = 2 * time.Hour
-	discoveryTimeout   = 10 * time.Second
-	mappingDescription = "NetBird"
+	defaultMappingTTL   = 2 * time.Hour
+	healthCheckInterval = 1 * time.Minute
+	discoveryTimeout    = 10 * time.Second
+	mappingDescription  = "NetBird"
 )
 
 // upnpErrPermanentLeaseOnly matches UPnP error 725 in SOAP fault XML,
@@ -154,7 +157,7 @@ func (m *Manager) setup(ctx context.Context) (nat.NAT, *Mapping, error) {
 	discoverCtx, discoverCancel := context.WithTimeout(ctx, discoveryTimeout)
 	defer discoverCancel()
 
-	gateway, err := nat.DiscoverGateway(discoverCtx)
+	gateway, err := discoverGateway(discoverCtx)
 	if err != nil {
 		return nil, nil, fmt.Errorf("discover gateway: %w", err)
 	}
@@ -189,7 +192,6 @@ func (m *Manager) createMapping(ctx context.Context, gateway nat.NAT) (*Mapping,
 	externalIP, err := gateway.GetExternalAddress()
 	if err != nil {
 		log.Debugf("failed to get external address: %v", err)
-		// todo return with err?
 	}
 
 	mapping := &Mapping{
@@ -208,27 +210,87 @@ func (m *Manager) createMapping(ctx context.Context, gateway nat.NAT) (*Mapping,
 
 func (m *Manager) renewLoop(ctx context.Context, gateway nat.NAT, ttl time.Duration) {
 	if ttl == 0 {
-		// Permanent mappings don't expire, just wait for cancellation.
-		<-ctx.Done()
+		// Permanent mappings don't expire, just wait for cancellation
+		// but still run health checks for PCP gateways.
+		m.permanentLeaseLoop(ctx, gateway)
 		return
 	}
 
-	ticker := time.NewTicker(ttl / 2)
-	defer ticker.Stop()
+	renewTicker := time.NewTicker(ttl / 2)
+	healthTicker := time.NewTicker(healthCheckInterval)
+	defer renewTicker.Stop()
+	defer healthTicker.Stop()
 
 	for {
 		select {
 		case <-ctx.Done():
 			return
-		case <-ticker.C:
+		case <-renewTicker.C:
 			if err := m.renewMapping(ctx, gateway); err != nil {
 				log.Warnf("failed to renew port mapping: %v", err)
 				continue
 			}
+		case <-healthTicker.C:
+			if m.checkHealthAndRecreate(ctx, gateway) {
+				renewTicker.Reset(ttl / 2)
+			}
 		}
 	}
 }
 
+func (m *Manager) permanentLeaseLoop(ctx context.Context, gateway nat.NAT) {
+	healthTicker := time.NewTicker(healthCheckInterval)
+	defer healthTicker.Stop()
+
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case <-healthTicker.C:
+			m.checkHealthAndRecreate(ctx, gateway)
+		}
+	}
+}
+
+func (m *Manager) checkHealthAndRecreate(ctx context.Context, gateway nat.NAT) bool {
+	if isHealthCheckDisabled() {
+		return false
+	}
+
+	m.mappingLock.Lock()
+	hasMapping := m.mapping != nil
+	m.mappingLock.Unlock()
+
+	if !hasMapping {
+		return false
+	}
+
+	pcpNAT, ok := gateway.(*pcp.NAT)
+	if !ok {
+		return false
+	}
+
+	ctx, cancel := context.WithTimeout(ctx, 10*time.Second)
+	defer cancel()
+
+	epoch, serverRestarted, err := pcpNAT.CheckServerHealth(ctx)
+	if err != nil {
+		log.Debugf("PCP health check failed: %v", err)
+		return false
+	}
+
+	if serverRestarted {
+		log.Warnf("PCP server restart detected (epoch=%d), recreating port mapping", epoch)
+		if err := m.renewMapping(ctx, gateway); err != nil {
+			log.Errorf("failed to recreate port mapping after server restart: %v", err)
+			return false
+		}
+		return true
+	}
+
+	return false
+}
+
 func (m *Manager) renewMapping(ctx context.Context, gateway nat.NAT) error {
 	ctx, cancel := context.WithTimeout(ctx, 30*time.Second)
 	defer cancel()

client/internal/portforward/pcp/client.go

@@ -0,0 +1,408 @@
+package pcp
+
+import (
+	"context"
+	"crypto/rand"
+	"errors"
+	"fmt"
+	"net"
+	"net/netip"
+	"sync"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+)
+
+const (
+	defaultTimeout     = 3 * time.Second
+	responseBufferSize = 128
+
+	// RFC 6887 Section 8.1.1 retry timing
+	initialRetryDelay = 3 * time.Second
+	maxRetryDelay     = 1024 * time.Second
+	maxRetries        = 4 // 3s + 6s + 12s + 24s = 45s total worst case
+)
+
+// Client is a PCP protocol client.
+// All methods are safe for concurrent use.
+type Client struct {
+	gateway netip.Addr
+	timeout time.Duration
+
+	mu sync.Mutex
+	// localIP caches the resolved local IP address.
+	localIP netip.Addr
+	// lastEpoch is the last observed server epoch value.
+	lastEpoch uint32
+	// epochTime tracks when lastEpoch was received for state loss detection.
+	epochTime time.Time
+	// externalIP caches the external IP from the last successful MAP response.
+	externalIP netip.Addr
+	// epochStateLost is set when epoch indicates server restart.
+	epochStateLost bool
+}
+
+// NewClient creates a new PCP client for the gateway at the given IP.
+func NewClient(gateway net.IP) *Client {
+	addr, ok := netip.AddrFromSlice(gateway)
+	if !ok {
+		log.Debugf("invalid gateway IP: %v", gateway)
+	}
+	return &Client{
+		gateway: addr.Unmap(),
+		timeout: defaultTimeout,
+	}
+}
+
+// NewClientWithTimeout creates a new PCP client with a custom timeout.
+func NewClientWithTimeout(gateway net.IP, timeout time.Duration) *Client {
+	addr, ok := netip.AddrFromSlice(gateway)
+	if !ok {
+		log.Debugf("invalid gateway IP: %v", gateway)
+	}
+	return &Client{
+		gateway: addr.Unmap(),
+		timeout: timeout,
+	}
+}
+
+// SetLocalIP sets the local IP address to use in PCP requests.
+func (c *Client) SetLocalIP(ip net.IP) {
+	addr, ok := netip.AddrFromSlice(ip)
+	if !ok {
+		log.Debugf("invalid local IP: %v", ip)
+	}
+	c.mu.Lock()
+	c.localIP = addr.Unmap()
+	c.mu.Unlock()
+}
+
+// Gateway returns the gateway IP address.
+func (c *Client) Gateway() net.IP {
+	return c.gateway.AsSlice()
+}
+
+// Announce sends a PCP ANNOUNCE request to discover PCP support.
+// Returns the server's epoch time on success.
+func (c *Client) Announce(ctx context.Context) (epoch uint32, err error) {
+	localIP, err := c.getLocalIP()
+	if err != nil {
+		return 0, fmt.Errorf("get local IP: %w", err)
+	}
+
+	req := buildAnnounceRequest(localIP)
+	resp, err := c.sendRequest(ctx, req)
+	if err != nil {
+		return 0, fmt.Errorf("send announce: %w", err)
+	}
+
+	parsed, err := parseResponse(resp)
+	if err != nil {
+		return 0, fmt.Errorf("parse announce response: %w", err)
+	}
+
+	if parsed.ResultCode != ResultSuccess {
+		return 0, fmt.Errorf("PCP ANNOUNCE failed: %s", ResultCodeString(parsed.ResultCode))
+	}
+
+	c.mu.Lock()
+	if c.updateEpochLocked(parsed.Epoch) {
+		log.Warnf("PCP server epoch indicates state loss - mappings may need refresh")
+	}
+	c.mu.Unlock()
+	return parsed.Epoch, nil
+}
+
+// AddPortMapping requests a port mapping from the PCP server.
+func (c *Client) AddPortMapping(ctx context.Context, protocol string, internalPort int, lifetime time.Duration) (*MapResponse, error) {
+	return c.addPortMappingWithHint(ctx, protocol, internalPort, internalPort, netip.Addr{}, lifetime)
+}
+
+// AddPortMappingWithHint requests a port mapping with suggested external port and IP.
+// Use lifetime <= 0 to delete a mapping.
+func (c *Client) AddPortMappingWithHint(ctx context.Context, protocol string, internalPort, suggestedExtPort int, suggestedExtIP net.IP, lifetime time.Duration) (*MapResponse, error) {
+	var extIP netip.Addr
+	if suggestedExtIP != nil {
+		var ok bool
+		extIP, ok = netip.AddrFromSlice(suggestedExtIP)
+		if !ok {
+			log.Debugf("invalid suggested external IP: %v", suggestedExtIP)
+		}
+		extIP = extIP.Unmap()
+	}
+	return c.addPortMappingWithHint(ctx, protocol, internalPort, suggestedExtPort, extIP, lifetime)
+}
+
+func (c *Client) addPortMappingWithHint(ctx context.Context, protocol string, internalPort, suggestedExtPort int, suggestedExtIP netip.Addr, lifetime time.Duration) (*MapResponse, error) {
+	localIP, err := c.getLocalIP()
+	if err != nil {
+		return nil, fmt.Errorf("get local IP: %w", err)
+	}
+
+	proto, err := protocolNumber(protocol)
+	if err != nil {
+		return nil, fmt.Errorf("parse protocol: %w", err)
+	}
+
+	var nonce [12]byte
+	if _, err := rand.Read(nonce[:]); err != nil {
+		return nil, fmt.Errorf("generate nonce: %w", err)
+	}
+
+	// Convert lifetime to seconds. Lifetime 0 means delete, so only apply
+	// default for positive durations that round to 0 seconds.
+	var lifetimeSec uint32
+	if lifetime > 0 {
+		lifetimeSec = uint32(lifetime.Seconds())
+		if lifetimeSec == 0 {
+			lifetimeSec = DefaultLifetime
+		}
+	}
+
+	req := buildMapRequest(localIP, nonce, proto, uint16(internalPort), uint16(suggestedExtPort), suggestedExtIP, lifetimeSec)
+
+	resp, err := c.sendRequest(ctx, req)
+	if err != nil {
+		return nil, fmt.Errorf("send map request: %w", err)
+	}
+
+	mapResp, err := parseMapResponse(resp)
+	if err != nil {
+		return nil, fmt.Errorf("parse map response: %w", err)
+	}
+
+	if mapResp.Nonce != nonce {
+		return nil, fmt.Errorf("nonce mismatch in response")
+	}
+
+	if mapResp.Protocol != proto {
+		return nil, fmt.Errorf("protocol mismatch: requested %d, got %d", proto, mapResp.Protocol)
+	}
+	if mapResp.InternalPort != uint16(internalPort) {
+		return nil, fmt.Errorf("internal port mismatch: requested %d, got %d", internalPort, mapResp.InternalPort)
+	}
+
+	if mapResp.ResultCode != ResultSuccess {
+		return nil, &Error{
+			Code:    mapResp.ResultCode,
+			Message: ResultCodeString(mapResp.ResultCode),
+		}
+	}
+
+	c.mu.Lock()
+	if c.updateEpochLocked(mapResp.Epoch) {
+		log.Warnf("PCP server epoch indicates state loss - mappings may need refresh")
+	}
+	c.cacheExternalIPLocked(mapResp.ExternalIP)
+	c.mu.Unlock()
+	return mapResp, nil
+}
+
+// DeletePortMapping removes a port mapping by requesting zero lifetime.
+func (c *Client) DeletePortMapping(ctx context.Context, protocol string, internalPort int) error {
+	if _, err := c.addPortMappingWithHint(ctx, protocol, internalPort, 0, netip.Addr{}, 0); err != nil {
+		var pcpErr *Error
+		if errors.As(err, &pcpErr) && pcpErr.Code == ResultNotAuthorized {
+			return nil
+		}
+		return fmt.Errorf("delete mapping: %w", err)
+	}
+	return nil
+}
+
+// GetExternalAddress returns the external IP address.
+// First checks for a cached value from previous MAP responses.
+// If not cached, creates a short-lived mapping to discover the external IP.
+func (c *Client) GetExternalAddress(ctx context.Context) (net.IP, error) {
+	c.mu.Lock()
+	if c.externalIP.IsValid() {
+		ip := c.externalIP.AsSlice()
+		c.mu.Unlock()
+		return ip, nil
+	}
+	c.mu.Unlock()
+
+	// Use an ephemeral port in the dynamic range (49152-65535).
+	// Port 0 is not valid with UDP/TCP protocols per RFC 6887.
+	ephemeralPort := 49152 + int(uint16(time.Now().UnixNano()))%(65535-49152)
+
+	// Use minimal lifetime (1 second) for discovery.
+	resp, err := c.AddPortMapping(ctx, "udp", ephemeralPort, time.Second)
+	if err != nil {
+		return nil, fmt.Errorf("create temporary mapping: %w", err)
+	}
+
+	if err := c.DeletePortMapping(ctx, "udp", ephemeralPort); err != nil {
+		log.Debugf("cleanup temporary PCP mapping: %v", err)
+	}
+
+	return resp.ExternalIP.AsSlice(), nil
+}
+
+// LastEpoch returns the last observed server epoch value.
+// A decrease in epoch indicates the server may have restarted and mappings may be lost.
+func (c *Client) LastEpoch() uint32 {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	return c.lastEpoch
+}
+
+// EpochStateLost returns true if epoch state loss was detected and clears the flag.
+func (c *Client) EpochStateLost() bool {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	lost := c.epochStateLost
+	c.epochStateLost = false
+	return lost
+}
+
+// updateEpoch updates the epoch tracking and detects potential state loss.
+// Returns true if state loss was detected (server likely restarted).
+// Caller must hold c.mu.
+func (c *Client) updateEpochLocked(newEpoch uint32) bool {
+	now := time.Now()
+	stateLost := false
+
+	// RFC 6887 Section 8.5: Detect invalid epoch indicating server state loss.
+	// client_delta = time since last response
+	// server_delta = epoch change since last response
+	// Invalid if: client_delta+2 < server_delta - server_delta/16
+	//         OR: server_delta+2 < client_delta - client_delta/16
+	// The +2 handles quantization, /16 (6.25%) handles clock drift.
+	if !c.epochTime.IsZero() && c.lastEpoch > 0 {
+		clientDelta := uint32(now.Sub(c.epochTime).Seconds())
+		serverDelta := newEpoch - c.lastEpoch
+
+		// Check for epoch going backwards or jumping unexpectedly.
+		// Subtraction is safe: serverDelta/16 is always <= serverDelta.
+		if clientDelta+2 < serverDelta-(serverDelta/16) ||
+			serverDelta+2 < clientDelta-(clientDelta/16) {
+			stateLost = true
+			c.epochStateLost = true
+		}
+	}
+
+	c.lastEpoch = newEpoch
+	c.epochTime = now
+	return stateLost
+}
+
+// cacheExternalIP stores the external IP from a successful MAP response.
+// Caller must hold c.mu.
+func (c *Client) cacheExternalIPLocked(ip netip.Addr) {
+	if ip.IsValid() && !ip.IsUnspecified() {
+		c.externalIP = ip
+	}
+}
+
+// sendRequest sends a PCP request with retries per RFC 6887 Section 8.1.1.
+func (c *Client) sendRequest(ctx context.Context, req []byte) ([]byte, error) {
+	addr := &net.UDPAddr{IP: c.gateway.AsSlice(), Port: Port}
+
+	var lastErr error
+	delay := initialRetryDelay
+
+	for range maxRetries {
+		resp, err := c.sendOnce(ctx, addr, req)
+		if err == nil {
+			return resp, nil
+		}
+		lastErr = err
+
+		if ctx.Err() != nil {
+			return nil, ctx.Err()
+		}
+
+		// RFC 6887 Section 8.1.1: RT = (1 + RAND) * MIN(2 * RTprev, MRT)
+		// RAND is random between -0.1 and +0.1
+		select {
+		case <-ctx.Done():
+			return nil, ctx.Err()
+		case <-time.After(retryDelayWithJitter(delay)):
+		}
+		delay = min(delay*2, maxRetryDelay)
+	}
+
+	return nil, fmt.Errorf("PCP request failed after %d retries: %w", maxRetries, lastErr)
+}
+
+// retryDelayWithJitter applies RFC 6887 jitter: multiply by (1 + RAND) where RAND is [-0.1, +0.1].
+func retryDelayWithJitter(d time.Duration) time.Duration {
+	var b [1]byte
+	_, _ = rand.Read(b[:])
+	// Convert byte to range [-0.1, +0.1]: (b/255 * 0.2) - 0.1
+	jitter := (float64(b[0])/255.0)*0.2 - 0.1
+	return time.Duration(float64(d) * (1 + jitter))
+}
+
+func (c *Client) sendOnce(ctx context.Context, addr *net.UDPAddr, req []byte) ([]byte, error) {
+	// Use ListenUDP instead of DialUDP to validate response source address per RFC 6887 §8.3.
+	conn, err := net.ListenUDP("udp", nil)
+	if err != nil {
+		return nil, fmt.Errorf("listen: %w", err)
+	}
+	defer func() {
+		if err := conn.Close(); err != nil {
+			log.Debugf("close UDP connection: %v", err)
+		}
+	}()
+
+	timeout := c.timeout
+	if deadline, ok := ctx.Deadline(); ok {
+		if remaining := time.Until(deadline); remaining < timeout {
+			timeout = remaining
+		}
+	}
+
+	if err := conn.SetDeadline(time.Now().Add(timeout)); err != nil {
+		return nil, fmt.Errorf("set deadline: %w", err)
+	}
+
+	if _, err := conn.WriteToUDP(req, addr); err != nil {
+		return nil, fmt.Errorf("write: %w", err)
+	}
+
+	resp := make([]byte, responseBufferSize)
+	n, from, err := conn.ReadFromUDP(resp)
+	if err != nil {
+		return nil, fmt.Errorf("read: %w", err)
+	}
+
+	// RFC 6887 §8.3: Validate response came from expected PCP server.
+	if !from.IP.Equal(addr.IP) {
+		return nil, fmt.Errorf("response from unexpected source %s (expected %s)", from.IP, addr.IP)
+	}
+
+	return resp[:n], nil
+}
+
+func (c *Client) getLocalIP() (netip.Addr, error) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	if !c.localIP.IsValid() {
+		return netip.Addr{}, fmt.Errorf("local IP not set for gateway %s", c.gateway)
+	}
+	return c.localIP, nil
+}
+
+func protocolNumber(protocol string) (uint8, error) {
+	switch protocol {
+	case "udp", "UDP":
+		return ProtoUDP, nil
+	case "tcp", "TCP":
+		return ProtoTCP, nil
+	default:
+		return 0, fmt.Errorf("unsupported protocol: %s", protocol)
+	}
+}
+
+// Error represents a PCP error response.
+type Error struct {
+	Code    uint8
+	Message string
+}
+
+func (e *Error) Error() string {
+	return fmt.Sprintf("PCP error: %s (%d)", e.Message, e.Code)
+}

client/internal/portforward/pcp/client_test.go

@@ -0,0 +1,187 @@
+package pcp
+
+import (
+	"context"
+	"net"
+	"net/netip"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestAddrConversion(t *testing.T) {
+	tests := []struct {
+		name string
+		addr netip.Addr
+	}{
+		{"IPv4", netip.MustParseAddr("192.168.1.100")},
+		{"IPv4 loopback", netip.MustParseAddr("127.0.0.1")},
+		{"IPv6", netip.MustParseAddr("2001:db8::1")},
+		{"IPv6 loopback", netip.MustParseAddr("::1")},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			b16 := addrTo16(tt.addr)
+
+			recovered := addrFrom16(b16)
+			assert.Equal(t, tt.addr, recovered, "address should round-trip")
+		})
+	}
+}
+
+func TestBuildAnnounceRequest(t *testing.T) {
+	clientIP := netip.MustParseAddr("192.168.1.100")
+	req := buildAnnounceRequest(clientIP)
+
+	require.Len(t, req, headerSize)
+	assert.Equal(t, byte(Version), req[0], "version")
+	assert.Equal(t, byte(OpAnnounce), req[1], "opcode")
+
+	// Check client IP is properly encoded as IPv4-mapped IPv6
+	assert.Equal(t, byte(0xff), req[18], "IPv4-mapped prefix byte 10")
+	assert.Equal(t, byte(0xff), req[19], "IPv4-mapped prefix byte 11")
+	assert.Equal(t, byte(192), req[20], "IP octet 1")
+	assert.Equal(t, byte(168), req[21], "IP octet 2")
+	assert.Equal(t, byte(1), req[22], "IP octet 3")
+	assert.Equal(t, byte(100), req[23], "IP octet 4")
+}
+
+func TestBuildMapRequest(t *testing.T) {
+	clientIP := netip.MustParseAddr("192.168.1.100")
+	nonce := [12]byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12}
+	req := buildMapRequest(clientIP, nonce, ProtoUDP, 51820, 51820, netip.Addr{}, 3600)
+
+	require.Len(t, req, mapRequestSize)
+	assert.Equal(t, byte(Version), req[0], "version")
+	assert.Equal(t, byte(OpMap), req[1], "opcode")
+
+	// Lifetime at bytes 4-7
+	assert.Equal(t, uint32(3600), (uint32(req[4])<<24)|(uint32(req[5])<<16)|(uint32(req[6])<<8)|uint32(req[7]), "lifetime")
+
+	// Nonce at bytes 24-35
+	assert.Equal(t, nonce[:], req[24:36], "nonce")
+
+	// Protocol at byte 36
+	assert.Equal(t, byte(ProtoUDP), req[36], "protocol")
+
+	// Internal port at bytes 40-41
+	assert.Equal(t, uint16(51820), (uint16(req[40])<<8)|uint16(req[41]), "internal port")
+
+	// External port at bytes 42-43
+	assert.Equal(t, uint16(51820), (uint16(req[42])<<8)|uint16(req[43]), "external port")
+}
+
+func TestParseResponse(t *testing.T) {
+	// Construct a valid ANNOUNCE response
+	resp := make([]byte, headerSize)
+	resp[0] = Version
+	resp[1] = OpAnnounce | OpReply
+	// Result code = 0 (success)
+	// Lifetime = 0
+	// Epoch = 12345
+	resp[8] = 0
+	resp[9] = 0
+	resp[10] = 0x30
+	resp[11] = 0x39
+
+	parsed, err := parseResponse(resp)
+	require.NoError(t, err)
+	assert.Equal(t, uint8(Version), parsed.Version)
+	assert.Equal(t, uint8(OpAnnounce|OpReply), parsed.Opcode)
+	assert.Equal(t, uint8(ResultSuccess), parsed.ResultCode)
+	assert.Equal(t, uint32(12345), parsed.Epoch)
+}
+
+func TestParseResponseErrors(t *testing.T) {
+	t.Run("too short", func(t *testing.T) {
+		_, err := parseResponse([]byte{1, 2, 3})
+		assert.Error(t, err)
+	})
+
+	t.Run("wrong version", func(t *testing.T) {
+		resp := make([]byte, headerSize)
+		resp[0] = 1 // Wrong version
+		resp[1] = OpReply
+		_, err := parseResponse(resp)
+		assert.Error(t, err)
+	})
+
+	t.Run("missing reply bit", func(t *testing.T) {
+		resp := make([]byte, headerSize)
+		resp[0] = Version
+		resp[1] = OpAnnounce // Missing OpReply bit
+		_, err := parseResponse(resp)
+		assert.Error(t, err)
+	})
+}
+
+func TestResultCodeString(t *testing.T) {
+	assert.Equal(t, "SUCCESS", ResultCodeString(ResultSuccess))
+	assert.Equal(t, "NOT_AUTHORIZED", ResultCodeString(ResultNotAuthorized))
+	assert.Equal(t, "ADDRESS_MISMATCH", ResultCodeString(ResultAddressMismatch))
+	assert.Contains(t, ResultCodeString(255), "UNKNOWN")
+}
+
+func TestProtocolNumber(t *testing.T) {
+	proto, err := protocolNumber("udp")
+	require.NoError(t, err)
+	assert.Equal(t, uint8(ProtoUDP), proto)
+
+	proto, err = protocolNumber("tcp")
+	require.NoError(t, err)
+	assert.Equal(t, uint8(ProtoTCP), proto)
+
+	proto, err = protocolNumber("UDP")
+	require.NoError(t, err)
+	assert.Equal(t, uint8(ProtoUDP), proto)
+
+	_, err = protocolNumber("icmp")
+	assert.Error(t, err)
+}
+
+func TestClientCreation(t *testing.T) {
+	gateway := netip.MustParseAddr("192.168.1.1").AsSlice()
+
+	client := NewClient(gateway)
+	assert.Equal(t, net.IP(gateway), client.Gateway())
+	assert.Equal(t, defaultTimeout, client.timeout)
+
+	clientWithTimeout := NewClientWithTimeout(gateway, 5*time.Second)
+	assert.Equal(t, 5*time.Second, clientWithTimeout.timeout)
+}
+
+func TestNATType(t *testing.T) {
+	n := NewNAT(netip.MustParseAddr("192.168.1.1").AsSlice(), netip.MustParseAddr("192.168.1.100").AsSlice())
+	assert.Equal(t, "PCP", n.Type())
+}
+
+// Integration test - skipped unless PCP_TEST_GATEWAY env is set
+func TestClientIntegration(t *testing.T) {
+	t.Skip("Integration test - run manually with PCP_TEST_GATEWAY=<gateway-ip>")
+
+	gateway := netip.MustParseAddr("10.0.1.1").AsSlice()   // Change to your test gateway
+	localIP := netip.MustParseAddr("10.0.1.100").AsSlice() // Change to your local IP
+
+	client := NewClient(gateway)
+	client.SetLocalIP(localIP)
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
+	// Test ANNOUNCE
+	epoch, err := client.Announce(ctx)
+	require.NoError(t, err)
+	t.Logf("Server epoch: %d", epoch)
+
+	// Test MAP
+	resp, err := client.AddPortMapping(ctx, "udp", 51820, 1*time.Hour)
+	require.NoError(t, err)
+	t.Logf("Mapping: internal=%d external=%d externalIP=%s",
+		resp.InternalPort, resp.ExternalPort, resp.ExternalIP)
+
+	// Cleanup
+	err = client.DeletePortMapping(ctx, "udp", 51820)
+	require.NoError(t, err)
+}

client/internal/portforward/pcp/nat.go

@@ -0,0 +1,209 @@
+package pcp
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"net/netip"
+	"sync"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/libp2p/go-nat"
+	"github.com/libp2p/go-netroute"
+)
+
+var _ nat.NAT = (*NAT)(nil)
+
+// NAT implements the go-nat NAT interface using PCP.
+// Supports dual-stack (IPv4 and IPv6) when available.
+// All methods are safe for concurrent use.
+//
+// TODO: IPv6 pinholes use the local IPv6 address. If the address changes
+// (e.g., due to SLAAC rotation or network change), the pinhole becomes stale
+// and needs to be recreated with the new address.
+type NAT struct {
+	client *Client
+
+	mu sync.RWMutex
+	// client6 is the IPv6 PCP client, nil if IPv6 is unavailable.
+	client6 *Client
+	// localIP6 caches the local IPv6 address used for PCP requests.
+	localIP6 netip.Addr
+}
+
+// NewNAT creates a new NAT instance backed by PCP.
+func NewNAT(gateway, localIP net.IP) *NAT {
+	client := NewClient(gateway)
+	client.SetLocalIP(localIP)
+	return &NAT{
+		client: client,
+	}
+}
+
+// Type returns "PCP" as the NAT type.
+func (n *NAT) Type() string {
+	return "PCP"
+}
+
+// GetDeviceAddress returns the gateway IP address.
+func (n *NAT) GetDeviceAddress() (net.IP, error) {
+	return n.client.Gateway(), nil
+}
+
+// GetExternalAddress returns the external IP address.
+func (n *NAT) GetExternalAddress() (net.IP, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+	return n.client.GetExternalAddress(ctx)
+}
+
+// GetInternalAddress returns the local IP address used to communicate with the gateway.
+func (n *NAT) GetInternalAddress() (net.IP, error) {
+	addr, err := n.client.getLocalIP()
+	if err != nil {
+		return nil, err
+	}
+	return addr.AsSlice(), nil
+}
+
+// AddPortMapping creates a port mapping on both IPv4 and IPv6 (if available).
+func (n *NAT) AddPortMapping(ctx context.Context, protocol string, internalPort int, _ string, timeout time.Duration) (int, error) {
+	resp, err := n.client.AddPortMapping(ctx, protocol, internalPort, timeout)
+	if err != nil {
+		return 0, fmt.Errorf("add mapping: %w", err)
+	}
+
+	n.mu.RLock()
+	client6 := n.client6
+	localIP6 := n.localIP6
+	n.mu.RUnlock()
+
+	if client6 == nil {
+		return int(resp.ExternalPort), nil
+	}
+
+	if _, err := client6.AddPortMapping(ctx, protocol, internalPort, timeout); err != nil {
+		log.Warnf("IPv6 PCP mapping failed (continuing with IPv4): %v", err)
+		return int(resp.ExternalPort), nil
+	}
+
+	log.Infof("created IPv6 PCP pinhole: %s:%d", localIP6, internalPort)
+	return int(resp.ExternalPort), nil
+}
+
+// DeletePortMapping removes a port mapping from both IPv4 and IPv6.
+func (n *NAT) DeletePortMapping(ctx context.Context, protocol string, internalPort int) error {
+	err := n.client.DeletePortMapping(ctx, protocol, internalPort)
+
+	n.mu.RLock()
+	client6 := n.client6
+	n.mu.RUnlock()
+
+	if client6 != nil {
+		if err6 := client6.DeletePortMapping(ctx, protocol, internalPort); err6 != nil {
+			log.Warnf("IPv6 PCP delete mapping failed: %v", err6)
+		}
+	}
+
+	if err != nil {
+		return fmt.Errorf("delete mapping: %w", err)
+	}
+	return nil
+}
+
+// CheckServerHealth sends an ANNOUNCE to verify the server is still responsive.
+// Returns the current epoch and whether the server may have restarted (epoch state loss detected).
+func (n *NAT) CheckServerHealth(ctx context.Context) (epoch uint32, serverRestarted bool, err error) {
+	epoch, err = n.client.Announce(ctx)
+	if err != nil {
+		return 0, false, fmt.Errorf("announce: %w", err)
+	}
+	return epoch, n.client.EpochStateLost(), nil
+}
+
+// DiscoverPCP attempts to discover a PCP-capable gateway.
+// Returns a NAT interface if PCP is supported, or an error otherwise.
+// Discovers both IPv4 and IPv6 gateways when available.
+func DiscoverPCP(ctx context.Context) (nat.NAT, error) {
+	gateway, localIP, err := getDefaultGateway()
+	if err != nil {
+		return nil, fmt.Errorf("get default gateway: %w", err)
+	}
+
+	client := NewClient(gateway)
+	client.SetLocalIP(localIP)
+	if _, err := client.Announce(ctx); err != nil {
+		return nil, fmt.Errorf("PCP announce: %w", err)
+	}
+
+	result := &NAT{client: client}
+	discoverIPv6(ctx, result)
+
+	return result, nil
+}
+
+func discoverIPv6(ctx context.Context, result *NAT) {
+	gateway6, localIP6, err := getDefaultGateway6()
+	if err != nil {
+		log.Debugf("IPv6 gateway discovery failed: %v", err)
+		return
+	}
+
+	client6 := NewClient(gateway6)
+	client6.SetLocalIP(localIP6)
+	if _, err := client6.Announce(ctx); err != nil {
+		log.Debugf("PCP IPv6 announce failed: %v", err)
+		return
+	}
+
+	addr, ok := netip.AddrFromSlice(localIP6)
+	if !ok {
+		log.Debugf("invalid IPv6 local IP: %v", localIP6)
+		return
+	}
+	result.mu.Lock()
+	result.client6 = client6
+	result.localIP6 = addr
+	result.mu.Unlock()
+	log.Debugf("PCP IPv6 gateway discovered: %s (local: %s)", gateway6, localIP6)
+}
+
+// getDefaultGateway returns the default IPv4 gateway and local IP using the system routing table.
+func getDefaultGateway() (gateway net.IP, localIP net.IP, err error) {
+	router, err := netroute.New()
+	if err != nil {
+		return nil, nil, err
+	}
+
+	_, gateway, localIP, err = router.Route(net.IPv4zero)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	if gateway == nil {
+		return nil, nil, nat.ErrNoNATFound
+	}
+
+	return gateway, localIP, nil
+}
+
+// getDefaultGateway6 returns the default IPv6 gateway IP address using the system routing table.
+func getDefaultGateway6() (gateway net.IP, localIP net.IP, err error) {
+	router, err := netroute.New()
+	if err != nil {
+		return nil, nil, err
+	}
+
+	_, gateway, localIP, err = router.Route(net.IPv6zero)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	if gateway == nil {
+		return nil, nil, nat.ErrNoNATFound
+	}
+
+	return gateway, localIP, nil
+}

client/internal/portforward/pcp/protocol.go

@@ -0,0 +1,225 @@
+// Package pcp implements the Port Control Protocol (RFC 6887).
+//
+// # Implemented Features
+//
+//   - ANNOUNCE opcode: Discovers PCP server support
+//   - MAP opcode: Creates/deletes port mappings (IPv4 NAT) and firewall pinholes (IPv6)
+//   - Dual-stack: Simultaneous IPv4 and IPv6 support via separate clients
+//   - Nonce validation: Prevents response spoofing
+//   - Epoch tracking: Detects server restarts per Section 8.5
+//   - RFC-compliant retry timing: 3s initial, exponential backoff to 1024s max (Section 8.1.1)
+//
+// # Not Implemented
+//
+//   - PEER opcode: For outbound peer connections (not needed for inbound NAT traversal)
+//   - THIRD_PARTY option: For managing mappings on behalf of other devices
+//   - PREFER_FAILURE option: Requires exact external port or fail (IPv4 NAT only, not needed for IPv6 pinholing)
+//   - FILTER option: To restrict remote peer addresses
+//
+// These optional features are omitted because the primary use case is simple
+// port forwarding for WireGuard, which only requires MAP with default behavior.
+package pcp
+
+import (
+	"encoding/binary"
+	"fmt"
+	"net/netip"
+)
+
+const (
+	// Version is the PCP protocol version (RFC 6887).
+	Version = 2
+
+	// Port is the standard PCP server port.
+	Port = 5351
+
+	// DefaultLifetime is the default requested mapping lifetime in seconds.
+	DefaultLifetime = 7200 // 2 hours
+
+	// Header sizes
+	headerSize     = 24
+	mapPayloadSize = 36
+	mapRequestSize = headerSize + mapPayloadSize // 60 bytes
+)
+
+// Opcodes
+const (
+	OpAnnounce = 0
+	OpMap      = 1
+	OpPeer     = 2
+	OpReply    = 0x80 // OR'd with opcode in responses
+)
+
+// Protocol numbers for MAP requests
+const (
+	ProtoUDP = 17
+	ProtoTCP = 6
+)
+
+// Result codes (RFC 6887 Section 7.4)
+const (
+	ResultSuccess              = 0
+	ResultUnsuppVersion        = 1
+	ResultNotAuthorized        = 2
+	ResultMalformedRequest     = 3
+	ResultUnsuppOpcode         = 4
+	ResultUnsuppOption         = 5
+	ResultMalformedOption      = 6
+	ResultNetworkFailure       = 7
+	ResultNoResources          = 8
+	ResultUnsuppProtocol       = 9
+	ResultUserExQuota          = 10
+	ResultCannotProvideExt     = 11
+	ResultAddressMismatch      = 12
+	ResultExcessiveRemotePeers = 13
+)
+
+// ResultCodeString returns a human-readable string for a result code.
+func ResultCodeString(code uint8) string {
+	switch code {
+	case ResultSuccess:
+		return "SUCCESS"
+	case ResultUnsuppVersion:
+		return "UNSUPP_VERSION"
+	case ResultNotAuthorized:
+		return "NOT_AUTHORIZED"
+	case ResultMalformedRequest:
+		return "MALFORMED_REQUEST"
+	case ResultUnsuppOpcode:
+		return "UNSUPP_OPCODE"
+	case ResultUnsuppOption:
+		return "UNSUPP_OPTION"
+	case ResultMalformedOption:
+		return "MALFORMED_OPTION"
+	case ResultNetworkFailure:
+		return "NETWORK_FAILURE"
+	case ResultNoResources:
+		return "NO_RESOURCES"
+	case ResultUnsuppProtocol:
+		return "UNSUPP_PROTOCOL"
+	case ResultUserExQuota:
+		return "USER_EX_QUOTA"
+	case ResultCannotProvideExt:
+		return "CANNOT_PROVIDE_EXTERNAL"
+	case ResultAddressMismatch:
+		return "ADDRESS_MISMATCH"
+	case ResultExcessiveRemotePeers:
+		return "EXCESSIVE_REMOTE_PEERS"
+	default:
+		return fmt.Sprintf("UNKNOWN(%d)", code)
+	}
+}
+
+// Response represents a parsed PCP response header.
+type Response struct {
+	Version    uint8
+	Opcode     uint8
+	ResultCode uint8
+	Lifetime   uint32
+	Epoch      uint32
+}
+
+// MapResponse contains the full response to a MAP request.
+type MapResponse struct {
+	Response
+	Nonce        [12]byte
+	Protocol     uint8
+	InternalPort uint16
+	ExternalPort uint16
+	ExternalIP   netip.Addr
+}
+
+// addrTo16 converts an address to its 16-byte IPv4-mapped IPv6 representation.
+func addrTo16(addr netip.Addr) [16]byte {
+	if addr.Is4() {
+		return netip.AddrFrom4(addr.As4()).As16()
+	}
+	return addr.As16()
+}
+
+// addrFrom16 extracts an address from a 16-byte representation, unmapping IPv4.
+func addrFrom16(b [16]byte) netip.Addr {
+	return netip.AddrFrom16(b).Unmap()
+}
+
+// buildAnnounceRequest creates a PCP ANNOUNCE request packet.
+func buildAnnounceRequest(clientIP netip.Addr) []byte {
+	req := make([]byte, headerSize)
+	req[0] = Version
+	req[1] = OpAnnounce
+	mapped := addrTo16(clientIP)
+	copy(req[8:24], mapped[:])
+	return req
+}
+
+// buildMapRequest creates a PCP MAP request packet.
+func buildMapRequest(clientIP netip.Addr, nonce [12]byte, protocol uint8, internalPort, suggestedExtPort uint16, suggestedExtIP netip.Addr, lifetime uint32) []byte {
+	req := make([]byte, mapRequestSize)
+
+	// Header
+	req[0] = Version
+	req[1] = OpMap
+	binary.BigEndian.PutUint32(req[4:8], lifetime)
+	mapped := addrTo16(clientIP)
+	copy(req[8:24], mapped[:])
+
+	// MAP payload
+	copy(req[24:36], nonce[:])
+	req[36] = protocol
+	binary.BigEndian.PutUint16(req[40:42], internalPort)
+	binary.BigEndian.PutUint16(req[42:44], suggestedExtPort)
+	if suggestedExtIP.IsValid() {
+		extMapped := addrTo16(suggestedExtIP)
+		copy(req[44:60], extMapped[:])
+	}
+
+	return req
+}
+
+// parseResponse parses the common PCP response header.
+func parseResponse(data []byte) (*Response, error) {
+	if len(data) < headerSize {
+		return nil, fmt.Errorf("response too short: %d bytes", len(data))
+	}
+
+	resp := &Response{
+		Version:    data[0],
+		Opcode:     data[1],
+		ResultCode: data[3], // Byte 2 is reserved, byte 3 is result code (RFC 6887 §7.2)
+		Lifetime:   binary.BigEndian.Uint32(data[4:8]),
+		Epoch:      binary.BigEndian.Uint32(data[8:12]),
+	}
+
+	if resp.Version != Version {
+		return nil, fmt.Errorf("unsupported PCP version: %d", resp.Version)
+	}
+
+	if resp.Opcode&OpReply == 0 {
+		return nil, fmt.Errorf("response missing reply bit: opcode=0x%02x", resp.Opcode)
+	}
+
+	return resp, nil
+}
+
+// parseMapResponse parses a complete MAP response.
+func parseMapResponse(data []byte) (*MapResponse, error) {
+	if len(data) < mapRequestSize {
+		return nil, fmt.Errorf("MAP response too short: %d bytes", len(data))
+	}
+
+	resp, err := parseResponse(data)
+	if err != nil {
+		return nil, fmt.Errorf("parse header: %w", err)
+	}
+
+	mapResp := &MapResponse{
+		Response:     *resp,
+		Protocol:     data[36],
+		InternalPort: binary.BigEndian.Uint16(data[40:42]),
+		ExternalPort: binary.BigEndian.Uint16(data[42:44]),
+		ExternalIP:   addrFrom16([16]byte(data[44:60])),
+	}
+	copy(mapResp.Nonce[:], data[24:36])
+
+	return mapResp, nil
+}

client/internal/portforward/state.go

@@ -0,0 +1,63 @@
+//go:build !js
+
+package portforward
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/libp2p/go-nat"
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal/portforward/pcp"
+)
+
+// discoverGateway is the function used for NAT gateway discovery.
+// It can be replaced in tests to avoid real network operations.
+// Tries PCP first, then falls back to NAT-PMP/UPnP.
+var discoverGateway = defaultDiscoverGateway
+
+func defaultDiscoverGateway(ctx context.Context) (nat.NAT, error) {
+	pcpGateway, err := pcp.DiscoverPCP(ctx)
+	if err == nil {
+		return pcpGateway, nil
+	}
+	log.Debugf("PCP discovery failed: %v, trying NAT-PMP/UPnP", err)
+
+	return nat.DiscoverGateway(ctx)
+}
+
+// State is persisted only for crash recovery cleanup
+type State struct {
+	InternalPort uint16 `json:"internal_port,omitempty"`
+	Protocol     string `json:"protocol,omitempty"`
+}
+
+func (s *State) Name() string {
+	return "port_forward_state"
+}
+
+// Cleanup implements statemanager.CleanableState for crash recovery
+func (s *State) Cleanup() error {
+	if s.InternalPort == 0 {
+		return nil
+	}
+
+	log.Infof("cleaning up stale port mapping for port %d", s.InternalPort)
+
+	ctx, cancel := context.WithTimeout(context.Background(), discoveryTimeout)
+	defer cancel()
+
+	gateway, err := discoverGateway(ctx)
+	if err != nil {
+		// Discovery failure is not an error - gateway may not exist
+		log.Debugf("cleanup: no gateway found: %v", err)
+		return nil
+	}
+
+	if err := gateway.DeletePortMapping(ctx, s.Protocol, int(s.InternalPort)); err != nil {
+		return fmt.Errorf("delete port mapping: %w", err)
+	}
+
+	return nil
+}

client/internal/profilemanager/config.go

@@ -97,9 +97,6 @@ type ConfigInput struct {
 	LazyConnectionEnabled *bool
 
 	MTU *uint16
-
-	InspectionCACertPath string
-	InspectionCAKeyPath  string
 }
 
 // Config Configuration type
@@ -174,13 +171,6 @@ type Config struct {
 	LazyConnectionEnabled bool
 
 	MTU uint16
-
-	// InspectionCACertPath is the path to a PEM CA certificate for transparent proxy MITM.
-	// Local CA takes priority over management-pushed CA.
-	InspectionCACertPath string
-
-	// InspectionCAKeyPath is the path to the PEM CA private key for transparent proxy MITM.
-	InspectionCAKeyPath string
 }
 
 var ConfigDirOverride string
@@ -613,17 +603,6 @@ func (config *Config) apply(input ConfigInput) (updated bool, err error) {
 		updated = true
 	}
 
-	if input.InspectionCACertPath != "" && input.InspectionCACertPath != config.InspectionCACertPath {
-		log.Infof("updating inspection CA cert path to %s", input.InspectionCACertPath)
-		config.InspectionCACertPath = input.InspectionCACertPath
-		updated = true
-	}
-	if input.InspectionCAKeyPath != "" && input.InspectionCAKeyPath != config.InspectionCAKeyPath {
-		log.Infof("updating inspection CA key path to %s", input.InspectionCAKeyPath)
-		config.InspectionCAKeyPath = input.InspectionCAKeyPath
-		updated = true
-	}
-
 	return updated, nil
 }
 

client/internal/routemanager/manager.go

@@ -168,6 +168,7 @@ func (m *DefaultManager) setupAndroidRoutes(config ManagerConfig) {
 			NetworkType: route.IPv4Network,
 		}
 		cr = append(cr, fakeIPRoute)
+		m.notifier.SetFakeIPRoute(fakeIPRoute)
 	}
 
 	m.notifier.SetInitialClientRoutes(cr, routesForComparison)

client/internal/routemanager/notifier/notifier_android.go

@@ -16,6 +16,7 @@ import (
 type Notifier struct {
 	initialRoutes []*route.Route
 	currentRoutes []*route.Route
+	fakeIPRoute   *route.Route
 
 	listener    listener.NetworkChangeListener
 	listenerMux sync.Mutex
@@ -31,13 +32,17 @@ func (n *Notifier) SetListener(listener listener.NetworkChangeListener) {
 	n.listener = listener
 }
 
-// SetInitialClientRoutes stores the full initial route set (including fake IP blocks)
-// and a separate comparison set (without fake IP blocks) for diff detection.
+// SetInitialClientRoutes stores the initial route sets for TUN configuration.
 func (n *Notifier) SetInitialClientRoutes(initialRoutes []*route.Route, routesForComparison []*route.Route) {
 	n.initialRoutes = filterStatic(initialRoutes)
 	n.currentRoutes = filterStatic(routesForComparison)
 }
 
+// SetFakeIPRoute stores the fake IP route to be included in every TUN rebuild.
+func (n *Notifier) SetFakeIPRoute(r *route.Route) {
+	n.fakeIPRoute = r
+}
+
 func (n *Notifier) OnNewRoutes(idMap route.HAMap) {
 	var newRoutes []*route.Route
 	for _, routes := range idMap {
@@ -69,7 +74,9 @@ func (n *Notifier) notify() {
 	}
 
 	allRoutes := slices.Clone(n.currentRoutes)
-	allRoutes = append(allRoutes, n.extraInitialRoutes()...)
+	if n.fakeIPRoute != nil {
+		allRoutes = append(allRoutes, n.fakeIPRoute)
+	}
 
 	routeStrings := n.routesToStrings(allRoutes)
 	sort.Strings(routeStrings)
@@ -78,23 +85,6 @@ func (n *Notifier) notify() {
 	}(n.listener)
 }
 
-// extraInitialRoutes returns initialRoutes whose network prefix is absent
-// from currentRoutes (e.g. the fake IP block added at setup time).
-func (n *Notifier) extraInitialRoutes() []*route.Route {
-	currentNets := make(map[netip.Prefix]struct{}, len(n.currentRoutes))
-	for _, r := range n.currentRoutes {
-		currentNets[r.Network] = struct{}{}
-	}
-
-	var extra []*route.Route
-	for _, r := range n.initialRoutes {
-		if _, ok := currentNets[r.Network]; !ok {
-			extra = append(extra, r)
-		}
-	}
-	return extra
-}
-
 func filterStatic(routes []*route.Route) []*route.Route {
 	out := make([]*route.Route, 0, len(routes))
 	for _, r := range routes {

client/internal/routemanager/notifier/notifier_ios.go

@@ -34,6 +34,10 @@ func (n *Notifier) SetInitialClientRoutes([]*route.Route, []*route.Route) {
 	// iOS doesn't care about initial routes
 }
 
+func (n *Notifier) SetFakeIPRoute(*route.Route) {
+	// Not used on iOS
+}
+
 func (n *Notifier) OnNewRoutes(route.HAMap) {
 	// Not used on iOS
 }

client/internal/routemanager/notifier/notifier_other.go

@@ -23,6 +23,10 @@ func (n *Notifier) SetInitialClientRoutes([]*route.Route, []*route.Route) {
 	// Not used on non-mobile platforms
 }
 
+func (n *Notifier) SetFakeIPRoute(*route.Route) {
+	// Not used on non-mobile platforms
+}
+
 func (n *Notifier) OnNewRoutes(idMap route.HAMap) {
 	// Not used on non-mobile platforms
 }

client/internal/routemanager/systemops/systemops_bsd_other.go

@@ -0,0 +1,10 @@
+//go:build (dragonfly || freebsd || netbsd || openbsd) && !darwin
+
+package systemops
+
+// Non-darwin BSDs don't support the IP_BOUND_IF + scoped default model. They
+// always fall through to the ref-counter exclusion-route path; these stubs
+// exist only so systemops_unix.go compiles.
+func (r *SysOps) setupAdvancedRouting() error   { return nil }
+func (r *SysOps) cleanupAdvancedRouting() error { return nil }
+func (r *SysOps) flushPlatformExtras() error    { return nil }

client/internal/routemanager/systemops/systemops_darwin.go

@@ -0,0 +1,241 @@
+//go:build darwin && !ios
+
+package systemops
+
+import (
+	"errors"
+	"fmt"
+	"net/netip"
+	"os"
+	"time"
+
+	"github.com/hashicorp/go-multierror"
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/net/route"
+	"golang.org/x/sys/unix"
+
+	nberrors "github.com/netbirdio/netbird/client/errors"
+	"github.com/netbirdio/netbird/client/internal/routemanager/vars"
+	nbnet "github.com/netbirdio/netbird/client/net"
+)
+
+// scopedRouteBudget bounds retries for the scoped default route. Installing or
+// deleting it matters enough that we're willing to spend longer waiting for the
+// kernel reply than for per-prefix exclusion routes.
+const scopedRouteBudget = 5 * time.Second
+
+// setupAdvancedRouting installs an RTF_IFSCOPE default route per address family
+// pinned to the current physical egress, so IP_BOUND_IF scoped lookups can
+// resolve gateway'd destinations while the VPN's split default owns the
+// unscoped table.
+//
+// Timing note: this runs during routeManager.Init, which happens before the
+// VPN interface is created and before any peer routes propagate. The initial
+// mgmt / signal / relay TCP dials always fire before this runs, so those
+// sockets miss the IP_BOUND_IF binding and rely on the kernel's normal route
+// lookup, which at that point correctly picks the physical default. Those
+// already-established TCP flows keep their originally-selected interface for
+// their lifetime on Darwin because the kernel caches the egress route
+// per-socket at connect time; adding the VPN's 0/1 + 128/1 split default
+// afterwards does not migrate them since the original en0 default stays in
+// the table. Any subsequent reconnect via nbnet.NewDialer picks up the
+// populated bound-iface cache and gets IP_BOUND_IF set cleanly.
+func (r *SysOps) setupAdvancedRouting() error {
+	// Drop any previously-cached egress interface before reinstalling. On a
+	// refresh, a family that no longer resolves would otherwise keep the stale
+	// binding, causing new sockets to scope to an interface without a matching
+	// scoped default.
+	nbnet.ClearBoundInterfaces()
+
+	if err := r.flushScopedDefaults(); err != nil {
+		log.Warnf("flush residual scoped defaults: %v", err)
+	}
+
+	var merr *multierror.Error
+	installed := 0
+
+	for _, unspec := range []netip.Addr{netip.IPv4Unspecified(), netip.IPv6Unspecified()} {
+		ok, err := r.installScopedDefaultFor(unspec)
+		if err != nil {
+			merr = multierror.Append(merr, err)
+			continue
+		}
+		if ok {
+			installed++
+		}
+	}
+
+	if installed == 0 && merr != nil {
+		return nberrors.FormatErrorOrNil(merr)
+	}
+	if merr != nil {
+		log.Warnf("advanced routing setup partially succeeded: %v", nberrors.FormatErrorOrNil(merr))
+	}
+	return nil
+}
+
+// installScopedDefaultFor resolves the physical default nexthop for the given
+// address family, installs a scoped default via it, and caches the iface for
+// subsequent IP_BOUND_IF / IPV6_BOUND_IF socket binds.
+func (r *SysOps) installScopedDefaultFor(unspec netip.Addr) (bool, error) {
+	nexthop, err := GetNextHop(unspec)
+	if err != nil {
+		if errors.Is(err, vars.ErrRouteNotFound) {
+			return false, nil
+		}
+		return false, fmt.Errorf("get default nexthop for %s: %w", unspec, err)
+	}
+	if nexthop.Intf == nil {
+		return false, fmt.Errorf("unusable default nexthop for %s (no interface)", unspec)
+	}
+
+	if err := r.addScopedDefault(unspec, nexthop); err != nil {
+		return false, fmt.Errorf("add scoped default on %s: %w", nexthop.Intf.Name, err)
+	}
+
+	af := unix.AF_INET
+	if unspec.Is6() {
+		af = unix.AF_INET6
+	}
+	nbnet.SetBoundInterface(af, nexthop.Intf)
+	via := "point-to-point"
+	if nexthop.IP.IsValid() {
+		via = nexthop.IP.String()
+	}
+	log.Infof("installed scoped default route via %s on %s for %s", via, nexthop.Intf.Name, afOf(unspec))
+	return true, nil
+}
+
+func (r *SysOps) cleanupAdvancedRouting() error {
+	nbnet.ClearBoundInterfaces()
+	return r.flushScopedDefaults()
+}
+
+// flushPlatformExtras runs darwin-specific residual cleanup hooked into the
+// generic FlushMarkedRoutes path, so a crashed daemon's scoped defaults get
+// removed on the next boot regardless of whether a profile is brought up.
+func (r *SysOps) flushPlatformExtras() error {
+	return r.flushScopedDefaults()
+}
+
+// flushScopedDefaults removes any scoped default routes tagged with routeProtoFlag.
+// Safe to call at startup to clear residual entries from a prior session.
+func (r *SysOps) flushScopedDefaults() error {
+	rib, err := retryFetchRIB()
+	if err != nil {
+		return fmt.Errorf("fetch routing table: %w", err)
+	}
+
+	msgs, err := route.ParseRIB(route.RIBTypeRoute, rib)
+	if err != nil {
+		return fmt.Errorf("parse routing table: %w", err)
+	}
+
+	var merr *multierror.Error
+	removed := 0
+
+	for _, msg := range msgs {
+		rtMsg, ok := msg.(*route.RouteMessage)
+		if !ok {
+			continue
+		}
+		if rtMsg.Flags&routeProtoFlag == 0 {
+			continue
+		}
+		if rtMsg.Flags&unix.RTF_IFSCOPE == 0 {
+			continue
+		}
+
+		info, err := MsgToRoute(rtMsg)
+		if err != nil {
+			log.Debugf("skip scoped flush: %v", err)
+			continue
+		}
+		if !info.Dst.IsValid() || info.Dst.Bits() != 0 {
+			continue
+		}
+
+		if err := r.deleteScopedRoute(rtMsg); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("delete scoped default %s on index %d: %w",
+				info.Dst, rtMsg.Index, err))
+			continue
+		}
+		removed++
+		log.Debugf("flushed residual scoped default %s on index %d", info.Dst, rtMsg.Index)
+	}
+
+	if removed > 0 {
+		log.Infof("flushed %d residual scoped default route(s)", removed)
+	}
+	return nberrors.FormatErrorOrNil(merr)
+}
+
+func (r *SysOps) addScopedDefault(unspec netip.Addr, nexthop Nexthop) error {
+	return r.scopedRouteSocket(unix.RTM_ADD, unspec, nexthop)
+}
+
+func (r *SysOps) deleteScopedRoute(rtMsg *route.RouteMessage) error {
+	// Preserve identifying flags from the stored route (including RTF_GATEWAY
+	// only if present); kernel-set bits like RTF_DONE don't belong on RTM_DELETE.
+	keep := unix.RTF_UP | unix.RTF_STATIC | unix.RTF_GATEWAY | unix.RTF_IFSCOPE | routeProtoFlag
+	del := &route.RouteMessage{
+		Type:    unix.RTM_DELETE,
+		Flags:   rtMsg.Flags & keep,
+		Version: unix.RTM_VERSION,
+		Seq:     r.getSeq(),
+		Index:   rtMsg.Index,
+		Addrs:   rtMsg.Addrs,
+	}
+	return r.writeRouteMessage(del, scopedRouteBudget)
+}
+
+func (r *SysOps) scopedRouteSocket(action int, unspec netip.Addr, nexthop Nexthop) error {
+	flags := unix.RTF_UP | unix.RTF_STATIC | unix.RTF_IFSCOPE | routeProtoFlag
+
+	msg := &route.RouteMessage{
+		Type:    action,
+		Flags:   flags,
+		Version: unix.RTM_VERSION,
+		ID:      uintptr(os.Getpid()),
+		Seq:     r.getSeq(),
+		Index:   nexthop.Intf.Index,
+	}
+
+	const numAddrs = unix.RTAX_NETMASK + 1
+	addrs := make([]route.Addr, numAddrs)
+
+	dst, err := addrToRouteAddr(unspec)
+	if err != nil {
+		return fmt.Errorf("build destination: %w", err)
+	}
+	mask, err := prefixToRouteNetmask(netip.PrefixFrom(unspec, 0))
+	if err != nil {
+		return fmt.Errorf("build netmask: %w", err)
+	}
+	addrs[unix.RTAX_DST] = dst
+	addrs[unix.RTAX_NETMASK] = mask
+
+	if nexthop.IP.IsValid() {
+		msg.Flags |= unix.RTF_GATEWAY
+		gw, err := addrToRouteAddr(nexthop.IP.Unmap())
+		if err != nil {
+			return fmt.Errorf("build gateway: %w", err)
+		}
+		addrs[unix.RTAX_GATEWAY] = gw
+	} else {
+		addrs[unix.RTAX_GATEWAY] = &route.LinkAddr{
+			Index: nexthop.Intf.Index,
+			Name:  nexthop.Intf.Name,
+		}
+	}
+	msg.Addrs = addrs
+
+	return r.writeRouteMessage(msg, scopedRouteBudget)
+}
+
+func afOf(a netip.Addr) string {
+	if a.Is4() {
+		return "IPv4"
+	}
+	return "IPv6"
+}

client/internal/routemanager/systemops/systemops_generic.go

@@ -21,6 +21,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/routemanager/util"
 	"github.com/netbirdio/netbird/client/internal/routemanager/vars"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
+	nbnet "github.com/netbirdio/netbird/client/net"
 	"github.com/netbirdio/netbird/client/net/hooks"
 )
 
@@ -31,8 +32,6 @@ var splitDefaultv4_2 = netip.PrefixFrom(netip.AddrFrom4([4]byte{128}), 1)
 var splitDefaultv6_1 = netip.PrefixFrom(netip.IPv6Unspecified(), 1)
 var splitDefaultv6_2 = netip.PrefixFrom(netip.AddrFrom16([16]byte{0x80}), 1)
 
-var ErrRoutingIsSeparate = errors.New("routing is separate")
-
 func (r *SysOps) setupRefCounter(initAddresses []net.IP, stateManager *statemanager.Manager) error {
 	stateManager.RegisterState(&ShutdownState{})
 
@@ -397,12 +396,16 @@ func ipToAddr(ip net.IP, intf *net.Interface) (netip.Addr, error) {
 }
 
 // IsAddrRouted checks if the candidate address would route to the vpn, in which case it returns true and the matched prefix.
+// When advanced routing is active the WG socket is bound to the physical interface (fwmark on linux,
+// IP_UNICAST_IF on windows, IP_BOUND_IF on darwin) and bypasses the main routing table, so the check is skipped.
 func IsAddrRouted(addr netip.Addr, vpnRoutes []netip.Prefix) (bool, netip.Prefix) {
-	localRoutes, err := hasSeparateRouting()
+	if nbnet.AdvancedRouting() {
+		return false, netip.Prefix{}
+	}
+
+	localRoutes, err := GetRoutesFromTable()
 	if err != nil {
-		if !errors.Is(err, ErrRoutingIsSeparate) {
-			log.Errorf("Failed to get routes: %v", err)
-		}
+		log.Errorf("Failed to get routes: %v", err)
 		return false, netip.Prefix{}
 	}
 

client/internal/routemanager/systemops/systemops_js.go

@@ -22,10 +22,6 @@ func GetRoutesFromTable() ([]netip.Prefix, error) {
 	return []netip.Prefix{}, nil
 }
 
-func hasSeparateRouting() ([]netip.Prefix, error) {
-	return []netip.Prefix{}, nil
-}
-
 // GetDetailedRoutesFromTable returns empty routes for WASM.
 func GetDetailedRoutesFromTable() ([]DetailedRoute, error) {
 	return []DetailedRoute{}, nil

client/internal/routemanager/systemops/systemops_linux.go

@@ -894,13 +894,6 @@ func getAddressFamily(prefix netip.Prefix) int {
 	return netlink.FAMILY_V6
 }
 
-func hasSeparateRouting() ([]netip.Prefix, error) {
-	if !nbnet.AdvancedRouting() {
-		return GetRoutesFromTable()
-	}
-	return nil, ErrRoutingIsSeparate
-}
-
 func isOpErr(err error) bool {
 	// EAFTNOSUPPORT when ipv6 is disabled via sysctl, EOPNOTSUPP when disabled in boot options or otherwise not supported
 	if errors.Is(err, syscall.EAFNOSUPPORT) || errors.Is(err, syscall.EOPNOTSUPP) {

client/internal/routemanager/systemops/systemops_nonlinux.go

@@ -48,10 +48,6 @@ func EnableIPForwarding() error {
 	return nil
 }
 
-func hasSeparateRouting() ([]netip.Prefix, error) {
-	return GetRoutesFromTable()
-}
-
 // GetIPRules returns IP rules for debugging (not supported on non-Linux platforms)
 func GetIPRules() ([]IPRule, error) {
 	log.Infof("IP rules collection is not supported on %s", runtime.GOOS)

client/internal/routemanager/systemops/systemops_unix.go

@@ -25,6 +25,9 @@ import (
 
 const (
 	envRouteProtoFlag = "NB_ROUTE_PROTO_FLAG"
+
+	// routeBudget bounds retries for per-prefix exclusion route programming.
+	routeBudget = 1 * time.Second
 )
 
 var routeProtoFlag int
@@ -41,26 +44,42 @@ func init() {
 }
 
 func (r *SysOps) SetupRouting(initAddresses []net.IP, stateManager *statemanager.Manager, advancedRouting bool) error {
+	if advancedRouting {
+		return r.setupAdvancedRouting()
+	}
+
+	log.Infof("Using legacy routing setup with ref counters")
 	return r.setupRefCounter(initAddresses, stateManager)
 }
 
 func (r *SysOps) CleanupRouting(stateManager *statemanager.Manager, advancedRouting bool) error {
+	if advancedRouting {
+		return r.cleanupAdvancedRouting()
+	}
+
 	return r.cleanupRefCounter(stateManager)
 }
 
 // FlushMarkedRoutes removes single IP exclusion routes marked with the configured RTF_PROTO flag.
+// On darwin it also flushes residual RTF_IFSCOPE scoped default routes so a
+// crashed prior session can't leave crud in the table.
 func (r *SysOps) FlushMarkedRoutes() error {
+	var merr *multierror.Error
+
+	if err := r.flushPlatformExtras(); err != nil {
+		merr = multierror.Append(merr, fmt.Errorf("flush platform extras: %w", err))
+	}
+
 	rib, err := retryFetchRIB()
 	if err != nil {
-		return fmt.Errorf("fetch routing table: %w", err)
+		return nberrors.FormatErrorOrNil(multierror.Append(merr, fmt.Errorf("fetch routing table: %w", err)))
 	}
 
 	msgs, err := route.ParseRIB(route.RIBTypeRoute, rib)
 	if err != nil {
-		return fmt.Errorf("parse routing table: %w", err)
+		return nberrors.FormatErrorOrNil(multierror.Append(merr, fmt.Errorf("parse routing table: %w", err)))
 	}
 
-	var merr *multierror.Error
 	flushedCount := 0
 
 	for _, msg := range msgs {
@@ -117,12 +136,12 @@ func (r *SysOps) routeSocket(action int, prefix netip.Prefix, nexthop Nexthop) e
 		return fmt.Errorf("invalid prefix: %s", prefix)
 	}
 
-	expBackOff := backoff.NewExponentialBackOff()
-	expBackOff.InitialInterval = 50 * time.Millisecond
-	expBackOff.MaxInterval = 500 * time.Millisecond
-	expBackOff.MaxElapsedTime = 1 * time.Second
+	msg, err := r.buildRouteMessage(action, prefix, nexthop)
+	if err != nil {
+		return fmt.Errorf("build route message: %w", err)
+	}
 
-	if err := backoff.Retry(r.routeOp(action, prefix, nexthop), expBackOff); err != nil {
+	if err := r.writeRouteMessage(msg, routeBudget); err != nil {
 		a := "add"
 		if action == unix.RTM_DELETE {
 			a = "remove"
@@ -132,50 +151,91 @@ func (r *SysOps) routeSocket(action int, prefix netip.Prefix, nexthop Nexthop) e
 	return nil
 }
 
-func (r *SysOps) routeOp(action int, prefix netip.Prefix, nexthop Nexthop) func() error {
-	operation := func() error {
-		fd, err := unix.Socket(syscall.AF_ROUTE, syscall.SOCK_RAW, syscall.AF_UNSPEC)
-		if err != nil {
-			return fmt.Errorf("open routing socket: %w", err)
+// writeRouteMessage sends a route message over AF_ROUTE and waits for the
+// kernel's matching reply, retrying transient failures until budget elapses.
+// Callers do not need to manage sockets or seq numbers themselves.
+func (r *SysOps) writeRouteMessage(msg *route.RouteMessage, budget time.Duration) error {
+	expBackOff := backoff.NewExponentialBackOff()
+	expBackOff.InitialInterval = 50 * time.Millisecond
+	expBackOff.MaxInterval = 500 * time.Millisecond
+	expBackOff.MaxElapsedTime = budget
+
+	return backoff.Retry(func() error { return routeMessageRoundtrip(msg) }, expBackOff)
+}
+
+func routeMessageRoundtrip(msg *route.RouteMessage) error {
+	fd, err := unix.Socket(syscall.AF_ROUTE, syscall.SOCK_RAW, syscall.AF_UNSPEC)
+	if err != nil {
+		return fmt.Errorf("open routing socket: %w", err)
+	}
+	defer func() {
+		if err := unix.Close(fd); err != nil && !errors.Is(err, unix.EBADF) {
+			log.Warnf("close routing socket: %v", err)
 		}
-		defer func() {
-			if err := unix.Close(fd); err != nil && !errors.Is(err, unix.EBADF) {
-				log.Warnf("failed to close routing socket: %v", err)
+	}()
+
+	tv := unix.Timeval{Sec: 1}
+	if err := unix.SetsockoptTimeval(fd, unix.SOL_SOCKET, unix.SO_RCVTIMEO, &tv); err != nil {
+		return backoff.Permanent(fmt.Errorf("set recv timeout: %w", err))
+	}
+
+	// AF_ROUTE is a broadcast channel: every route socket on the host sees
+	// every RTM_* event. With concurrent route programming the default
+	// per-socket queue overflows and our own reply gets dropped.
+	if err := unix.SetsockoptInt(fd, unix.SOL_SOCKET, unix.SO_RCVBUF, 1<<20); err != nil {
+		log.Debugf("set SO_RCVBUF on route socket: %v", err)
+	}
+
+	bytes, err := msg.Marshal()
+	if err != nil {
+		return backoff.Permanent(fmt.Errorf("marshal: %w", err))
+	}
+
+	if _, err = unix.Write(fd, bytes); err != nil {
+		if errors.Is(err, unix.ENOBUFS) || errors.Is(err, unix.EAGAIN) {
+			return fmt.Errorf("write: %w", err)
+		}
+		return backoff.Permanent(fmt.Errorf("write: %w", err))
+	}
+	return readRouteResponse(fd, msg.Type, msg.Seq)
+}
+
+// readRouteResponse reads from the AF_ROUTE socket until it sees a reply
+// matching our write (same type, seq, and pid). AF_ROUTE SOCK_RAW is a
+// broadcast channel: interface up/down, third-party route changes and neighbor
+// discovery events can all land between our write and read, so we must filter.
+func readRouteResponse(fd, wantType, wantSeq int) error {
+	pid := int32(os.Getpid())
+	resp := make([]byte, 2048)
+	deadline := time.Now().Add(time.Second)
+	for {
+		if time.Now().After(deadline) {
+			// Transient: under concurrent pressure the kernel can drop our reply
+			// from the socket buffer. Let backoff.Retry re-send with a fresh seq.
+			return fmt.Errorf("read: timeout waiting for route reply type=%d seq=%d", wantType, wantSeq)
+		}
+		n, err := unix.Read(fd, resp)
+		if err != nil {
+			if errors.Is(err, unix.EAGAIN) || errors.Is(err, unix.EWOULDBLOCK) {
+				// SO_RCVTIMEO fired while waiting; loop to re-check the absolute deadline.
+				continue
 			}
-		}()
-
-		msg, err := r.buildRouteMessage(action, prefix, nexthop)
-		if err != nil {
-			return backoff.Permanent(fmt.Errorf("build route message: %w", err))
+			return backoff.Permanent(fmt.Errorf("read: %w", err))
 		}
-
-		msgBytes, err := msg.Marshal()
-		if err != nil {
-			return backoff.Permanent(fmt.Errorf("marshal route message: %w", err))
+		if n < int(unsafe.Sizeof(unix.RtMsghdr{})) {
+			continue
 		}
-
-		if _, err = unix.Write(fd, msgBytes); err != nil {
-			if errors.Is(err, unix.ENOBUFS) || errors.Is(err, unix.EAGAIN) {
-				return fmt.Errorf("write: %w", err)
-			}
-			return backoff.Permanent(fmt.Errorf("write: %w", err))
+		hdr := (*unix.RtMsghdr)(unsafe.Pointer(&resp[0]))
+		// Darwin reflects the sender's pid on replies; matching (Type, Seq, Pid)
+		// uniquely identifies our own reply among broadcast traffic.
+		if int(hdr.Type) != wantType || int(hdr.Seq) != wantSeq || hdr.Pid != pid {
+			continue
 		}
-
-		respBuf := make([]byte, 2048)
-		n, err := unix.Read(fd, respBuf)
-		if err != nil {
-			return backoff.Permanent(fmt.Errorf("read route response: %w", err))
+		if hdr.Errno != 0 {
+			return backoff.Permanent(fmt.Errorf("kernel: %w", syscall.Errno(hdr.Errno)))
 		}
-
-		if n > 0 {
-			if err := r.parseRouteResponse(respBuf[:n]); err != nil {
-				return backoff.Permanent(err)
-			}
-		}
-
 		return nil
 	}
-	return operation
 }
 
 func (r *SysOps) buildRouteMessage(action int, prefix netip.Prefix, nexthop Nexthop) (msg *route.RouteMessage, err error) {
@@ -183,6 +243,7 @@ func (r *SysOps) buildRouteMessage(action int, prefix netip.Prefix, nexthop Next
 		Type:    action,
 		Flags:   unix.RTF_UP | routeProtoFlag,
 		Version: unix.RTM_VERSION,
+		ID:      uintptr(os.Getpid()),
 		Seq:     r.getSeq(),
 	}
 
@@ -221,19 +282,6 @@ func (r *SysOps) buildRouteMessage(action int, prefix netip.Prefix, nexthop Next
 	return msg, nil
 }
 
-func (r *SysOps) parseRouteResponse(buf []byte) error {
-	if len(buf) < int(unsafe.Sizeof(unix.RtMsghdr{})) {
-		return nil
-	}
-
-	rtMsg := (*unix.RtMsghdr)(unsafe.Pointer(&buf[0]))
-	if rtMsg.Errno != 0 {
-		return fmt.Errorf("parse: %d", rtMsg.Errno)
-	}
-
-	return nil
-}
-
 // addrToRouteAddr converts a netip.Addr to the appropriate route.Addr (*route.Inet4Addr or *route.Inet6Addr).
 func addrToRouteAddr(addr netip.Addr) (route.Addr, error) {
 	if addr.Is4() {

client/net/dialer_init_darwin.go

@@ -0,0 +1,5 @@
+package net
+
+func (d *Dialer) init() {
+	d.Dialer.Control = applyBoundIfToSocket
+}

client/net/dialer_init_generic.go

@@ -1,4 +1,4 @@
-//go:build !linux && !windows
+//go:build !linux && !windows && !darwin
 
 package net
 

client/net/env_android.go

@@ -1,24 +0,0 @@
-//go:build android
-
-package net
-
-// Init initializes the network environment for Android
-func Init() {
-	// No initialization needed on Android
-}
-
-// AdvancedRouting reports whether routing loops can be avoided without using exclusion routes.
-// Always returns true on Android since we cannot handle routes dynamically.
-func AdvancedRouting() bool {
-	return true
-}
-
-// SetVPNInterfaceName is a no-op on Android
-func SetVPNInterfaceName(name string) {
-	// No-op on Android - not needed for Android VPN service
-}
-
-// GetVPNInterfaceName returns empty string on Android
-func GetVPNInterfaceName() string {
-	return ""
-}