Proposal for code cleaning

This reverts commit 189321f09d.

.github/workflows/golang-test-darwin.yml

@@ -17,7 +17,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v2
         with:
-          go-version: "1.20.x"
+          go-version: 1.19.x
       - name: Checkout code
         uses: actions/checkout@v2
 

.github/workflows/golang-test-linux.yml

@@ -20,7 +20,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v2
         with:
-          go-version: "1.20.x"
+          go-version: 1.19.x
 
 
       - name: Cache Go modules
@@ -49,7 +49,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v2
         with:
-          go-version: "1.20.x"
+          go-version: 1.19.x
 
 
       - name: Cache Go modules
@@ -70,40 +70,27 @@ jobs:
         run: go mod tidy
 
       - name: Generate Iface Test bin
-        run: CGO_ENABLED=0 go test -c -o iface-testing.bin ./iface/
-
-      - name: Generate Shared Sock Test bin
-        run: CGO_ENABLED=0 go test -c -o sharedsock-testing.bin ./sharedsock
+        run: go test -c -o iface-testing.bin ./iface/
 
       - name: Generate RouteManager Test bin
-        run: CGO_ENABLED=0 go test -c -o routemanager-testing.bin ./client/internal/routemanager/...
-
-      - name: Generate nftables Manager Test bin
-        run: CGO_ENABLED=0 go test -c -o nftablesmanager-testing.bin ./client/firewall/nftables/...
+        run: go test -c -o routemanager-testing.bin ./client/internal/routemanager/...
 
       - name: Generate Engine Test bin
-        run: CGO_ENABLED=0 go test -c -o engine-testing.bin ./client/internal
+        run: go test -c -o engine-testing.bin ./client/internal
 
       - name: Generate Peer Test bin
-        run: CGO_ENABLED=0 go test -c -o peer-testing.bin ./client/internal/peer/...
+        run: go test -c -o peer-testing.bin ./client/internal/peer/...
 
       - run: chmod +x *testing.bin
 
-      - name: Run Shared Sock tests in docker
-        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/sharedsock --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/sharedsock-testing.bin -test.timeout 5m -test.parallel 1
-
       - name: Run Iface tests in docker
         run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/iface --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/iface-testing.bin -test.timeout 5m -test.parallel 1
 
-
       - name: Run RouteManager tests in docker
         run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal/routemanager --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/routemanager-testing.bin  -test.timeout 5m -test.parallel 1
 
-      - name: Run nftables Manager tests in docker
-        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/firewall --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/nftablesmanager-testing.bin  -test.timeout 5m -test.parallel 1
-
       - name: Run Engine tests in docker
         run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/engine-testing.bin  -test.timeout 5m -test.parallel 1
 
       - name: Run Peer tests in docker
-        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal/peer  --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/peer-testing.bin  -test.timeout 5m -test.parallel 1
+        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal/peer  --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/peer-testing.bin  -test.timeout 5m -test.parallel 1

.github/workflows/golang-test-windows.yml

@@ -23,7 +23,7 @@ jobs:
         uses: actions/setup-go@v4
         id: go
         with:
-          go-version: "1.20.x"
+          go-version: 1.19.x
 
       - name: Download wintun
         uses: carlosperate/download-file-action@v2

.github/workflows/golangci-lint.yml

@@ -12,7 +12,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v2
         with:
-          go-version: "1.20.x"
+          go-version: 1.19.x
       - name: Install dependencies
         run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev
       - name: golangci-lint

.github/workflows/release.yml

@@ -7,19 +7,9 @@ on:
     branches:
       - main
   pull_request:
-    paths:
-      - 'go.mod'
-      - 'go.sum'
-      - '.goreleaser.yml'
-      - '.goreleaser_ui.yaml'
-      - '.goreleaser_ui_darwin.yaml'
-      - '.github/workflows/release.yml'
-      - 'release_files/**'
-      - '**/Dockerfile'
-      - '**/Dockerfile.*'
 
 env:
-  SIGN_PIPE_VER: "v0.0.8"
+  SIGN_PIPE_VER: "v0.0.6"
   GORELEASER_VER: "v1.14.1"
 
 concurrency:
@@ -39,7 +29,7 @@ jobs:
         name: Set up Go
         uses: actions/setup-go@v2
         with:
-          go-version: "1.20"
+          go-version: 1.19
       -
         name: Cache Go modules
         uses: actions/cache@v1
@@ -110,7 +100,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v2
         with:
-          go-version: "1.20"
+          go-version: 1.19
       - name: Cache Go modules
         uses: actions/cache@v1
         with:
@@ -126,7 +116,7 @@ jobs:
         run: git --no-pager diff --exit-code
 
       - name: Install dependencies
-        run: sudo apt update && sudo apt install -y -q libappindicator3-dev gir1.2-appindicator3-0.1 libxxf86vm-dev gcc-mingw-w64-x86-64
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-mingw-w64-x86-64
       - name: Install rsrc
         run: go install github.com/akavel/rsrc@v0.10.2
       - name: Generate windows rsrc
@@ -160,7 +150,7 @@ jobs:
         name: Set up Go
         uses: actions/setup-go@v2
         with:
-          go-version: "1.20"
+          go-version: 1.19
       -
         name: Cache Go modules
         uses: actions/cache@v1
@@ -205,7 +195,7 @@ jobs:
 
   trigger_darwin_signer:
     runs-on: ubuntu-latest
-    needs: [release,release_ui_darwin]
+    needs: release_ui_darwin
     if: startsWith(github.ref, 'refs/tags/')
     steps:
       - name: Trigger Darwin App binaries sign pipeline
@@ -215,4 +205,4 @@ jobs:
           repo: netbirdio/sign-pipelines
           ref: ${{ env.SIGN_PIPE_VER }}
           token: ${{ secrets.SIGN_GITHUB_TOKEN }}
-          inputs: '{ "tag": "${{ github.ref }}" }'
+          inputs: '{ "tag": "${{ github.ref }}" }'

.github/workflows/test-docker-compose-linux.yml

@@ -1,21 +1,17 @@
-name: Test Infrastructure files
+name: Test Docker Compose Linux
 
 on:
   push:
     branches:
       - main
   pull_request:
-    paths:
-      - 'infrastructure_files/**'
-      - '.github/workflows/test-infrastructure-files.yml'
-
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
   cancel-in-progress: true
 
 jobs:
-  test-docker-compose:
+  test:
     runs-on: ubuntu-latest
     steps:
       - name: Install jq
@@ -27,7 +23,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v2
         with:
-          go-version: "1.20.x"
+          go-version: 1.19.x
 
       - name: Cache Go modules
         uses: actions/cache@v2
@@ -38,7 +34,7 @@ jobs:
             ${{ runner.os }}-go-
 
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2
 
       - name: cp setup.env
         run: cp infrastructure_files/tests/setup.env infrastructure_files/
@@ -49,21 +45,15 @@ jobs:
         env:
           CI_NETBIRD_DOMAIN: localhost
           CI_NETBIRD_AUTH_CLIENT_ID: testing.client.id
-          CI_NETBIRD_AUTH_CLIENT_SECRET: testing.client.secret
           CI_NETBIRD_AUTH_AUDIENCE: testing.ci
           CI_NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT: https://example.eu.auth0.com/.well-known/openid-configuration
           CI_NETBIRD_USE_AUTH0: true
-          CI_NETBIRD_MGMT_IDP: "none"
-          CI_NETBIRD_IDP_MGMT_CLIENT_ID: testing.client.id
-          CI_NETBIRD_IDP_MGMT_CLIENT_SECRET: testing.client.secret
-          CI_NETBIRD_AUTH_SUPPORTED_SCOPES: "openid profile email offline_access api email_verified"
 
       - name: check values
         working-directory: infrastructure_files
         env:
           CI_NETBIRD_DOMAIN: localhost
           CI_NETBIRD_AUTH_CLIENT_ID: testing.client.id
-          CI_NETBIRD_AUTH_CLIENT_SECRET: testing.client.secret
           CI_NETBIRD_AUTH_AUDIENCE: testing.ci
           CI_NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT: https://example.eu.auth0.com/.well-known/openid-configuration
           CI_NETBIRD_USE_AUTH0: true
@@ -72,19 +62,14 @@ jobs:
           CI_NETBIRD_AUTH_JWT_CERTS: https://example.eu.auth0.com/.well-known/jwks.json
           CI_NETBIRD_AUTH_TOKEN_ENDPOINT: https://example.eu.auth0.com/oauth/token
           CI_NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT: https://example.eu.auth0.com/oauth/device/code
-          CI_NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT: https://example.eu.auth0.com/authorize
           CI_NETBIRD_AUTH_REDIRECT_URI: "/peers"
           CI_NETBIRD_TOKEN_SOURCE: "idToken"
           CI_NETBIRD_AUTH_USER_ID_CLAIM: "email"
           CI_NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE: "super"
           CI_NETBIRD_AUTH_DEVICE_AUTH_SCOPE: "openid email"
-          CI_NETBIRD_MGMT_IDP: "none"
-          CI_NETBIRD_IDP_MGMT_CLIENT_ID: testing.client.id
-          CI_NETBIRD_IDP_MGMT_CLIENT_SECRET: testing.client.secret
 
         run: |
           grep AUTH_CLIENT_ID docker-compose.yml | grep $CI_NETBIRD_AUTH_CLIENT_ID
-          grep AUTH_CLIENT_SECRET docker-compose.yml | grep $CI_NETBIRD_AUTH_CLIENT_SECRET
           grep AUTH_AUTHORITY docker-compose.yml | grep $CI_NETBIRD_AUTH_AUTHORITY
           grep AUTH_AUDIENCE docker-compose.yml | grep $CI_NETBIRD_AUTH_AUDIENCE
           grep AUTH_SUPPORTED_SCOPES docker-compose.yml | grep "$CI_NETBIRD_AUTH_SUPPORTED_SCOPES"
@@ -95,25 +80,13 @@ jobs:
           grep LETSENCRYPT_DOMAIN docker-compose.yml | egrep 'LETSENCRYPT_DOMAIN=$'
           grep NETBIRD_TOKEN_SOURCE docker-compose.yml | grep $CI_NETBIRD_TOKEN_SOURCE
           grep AuthUserIDClaim management.json | grep $CI_NETBIRD_AUTH_USER_ID_CLAIM
-          grep -A 3 DeviceAuthorizationFlow management.json | grep -A 1 ProviderConfig | grep Audience | grep $CI_NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE
-          grep -A 8 DeviceAuthorizationFlow management.json | grep -A 6 ProviderConfig | grep Scope | grep "$CI_NETBIRD_AUTH_DEVICE_AUTH_SCOPE"
+          grep -A 1 ProviderConfig management.json | grep Audience | grep $CI_NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE
+          grep Scope management.json | grep "$CI_NETBIRD_AUTH_DEVICE_AUTH_SCOPE"
           grep UseIDToken management.json | grep false
-          grep -A 1 IdpManagerConfig management.json | grep ManagerType | grep $CI_NETBIRD_MGMT_IDP 
-          grep -A 3 IdpManagerConfig management.json | grep -A 1 ClientConfig | grep Issuer | grep $CI_NETBIRD_AUTH_AUTHORITY
-          grep -A 4 IdpManagerConfig management.json | grep -A 2 ClientConfig | grep TokenEndpoint | grep $CI_NETBIRD_AUTH_TOKEN_ENDPOINT
-          grep -A 5 IdpManagerConfig management.json | grep -A 3 ClientConfig | grep ClientID | grep $CI_NETBIRD_IDP_MGMT_CLIENT_ID
-          grep -A 6 IdpManagerConfig management.json | grep -A 4 ClientConfig | grep ClientSecret | grep $CI_NETBIRD_IDP_MGMT_CLIENT_SECRET
-          grep -A 7 IdpManagerConfig management.json | grep -A 5 ClientConfig | grep GrantType | grep client_credentials
-          grep -A 2 PKCEAuthorizationFlow management.json | grep -A 1 ProviderConfig | grep Audience | grep $CI_NETBIRD_AUTH_AUDIENCE
-          grep -A 3 PKCEAuthorizationFlow management.json | grep -A 2 ProviderConfig | grep ClientID | grep $CI_NETBIRD_AUTH_CLIENT_ID
-          grep -A 4 PKCEAuthorizationFlow management.json | grep -A 3 ProviderConfig | grep ClientSecret | grep $CI_NETBIRD_AUTH_CLIENT_SECRET
-          grep -A 5 PKCEAuthorizationFlow management.json | grep -A 4 ProviderConfig | grep AuthorizationEndpoint | grep $CI_NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT
-          grep -A 6 PKCEAuthorizationFlow management.json | grep -A 5 ProviderConfig | grep TokenEndpoint | grep $CI_NETBIRD_AUTH_TOKEN_ENDPOINT
-          grep -A 7 PKCEAuthorizationFlow management.json | grep -A 6 ProviderConfig | grep Scope | grep "$CI_NETBIRD_AUTH_SUPPORTED_SCOPES"
 
       - name: run docker compose up
         working-directory: infrastructure_files
-        run: |
+        run: | 
           docker-compose up -d
           sleep 5
           docker-compose ps
@@ -124,28 +97,3 @@ jobs:
           count=$(docker compose ps --format json | jq '.[] | select(.Project | contains("infrastructure_files")) | .State' | grep -c running)
           test $count -eq 4
         working-directory: infrastructure_files
-
-  test-getting-started-script:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Install jq
-        run: sudo apt-get install -y jq
-
-      - name: Checkout code
-        uses: actions/checkout@v3
-
-      - name: run script
-        run: NETBIRD_DOMAIN=use-ip bash -x infrastructure_files/getting-started-with-zitadel.sh
-
-      - name: test Caddy file gen
-        run: test -f Caddyfile
-      - name: test docker-compose file gen
-        run: test -f docker-compose.yml
-      - name: test management.json file gen
-        run: test -f management.json
-      - name: test turnserver.conf file gen
-        run: test -f turnserver.conf
-      - name: test zitadel.env file gen
-        run: test -f zitadel.env
-      - name: test dashboard.env file gen
-        run: test -f dashboard.env

.github/workflows/update-docs.yml

@@ -1,22 +0,0 @@
-name: update docs
-
-on:
-  push:
-    tags:
-      - 'v*'
-    paths:
-      - 'management/server/http/api/openapi.yml'
-
-jobs:
-  trigger_docs_api_update:
-    runs-on: ubuntu-latest
-    if: startsWith(github.ref, 'refs/tags/')
-    steps:
-      - name: Trigger API pages generation
-        uses: benc-uk/workflow-dispatch@v1
-        with:
-          workflow: generate api pages
-          repo: netbirdio/docs
-          ref: "refs/heads/main"
-          token: ${{ secrets.SIGN_GITHUB_TOKEN }}
-          inputs: '{ "tag": "${{ github.ref }}" }'

.gitignore

@@ -7,15 +7,8 @@ bin/
 conf.json
 http-cmds.sh
 infrastructure_files/management.json
-infrastructure_files/management-*.json
 infrastructure_files/docker-compose.yml
-infrastructure_files/openid-configuration.json
-infrastructure_files/turnserver.conf
-management/management
-client/client
-client/client.exe
 *.syso
 client/.distfiles/
 infrastructure_files/setup.env
-infrastructure_files/setup-*.env
 .vscode

.goreleaser.yaml

@@ -12,7 +12,11 @@ builds:
       - arm
       - amd64
       - arm64
+      - mips
       - 386
+    gomips:
+      - hardfloat
+      - softfloat
     ignore:
       - goos: windows
         goarch: arm64
@@ -26,26 +30,6 @@ builds:
     tags:
       - load_wgnt_from_rsrc
 
-  - id: netbird-static
-    dir: client
-    binary: netbird
-    env: [CGO_ENABLED=0]
-    goos:
-      - linux
-    goarch:
-      - mips
-      - mipsle
-      - mips64
-      - mips64le
-    gomips:
-      - hardfloat
-      - softfloat
-    ldflags:
-      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
-    mod_timestamp: '{{ .CommitTimestamp }}'
-    tags:
-      - load_wgnt_from_rsrc
-
   - id: netbird-mgmt
     dir: management
     env:
@@ -83,7 +67,6 @@ builds:
 archives:
   - builds:
       - netbird
-      - netbird-static
 
 nfpms:
 
@@ -376,14 +359,4 @@ uploads:
     mode: archive
     target: https://pkgs.wiretrustee.com/yum/{{ .Arch }}{{ if .Arm }}{{ .Arm }}{{ end }}
     username: dev@wiretrustee.com
-    method: PUT
-
-checksum:
-  extra_files:
-    - glob: ./infrastructure_files/getting-started-with-zitadel.sh
-    - glob: ./release_files/install.sh
-
-release:
-  extra_files:
-    - glob: ./infrastructure_files/getting-started-with-zitadel.sh
-    - glob: ./release_files/install.sh
+    method: PUT

.goreleaser_ui.yaml

@@ -11,8 +11,6 @@ builds:
       - amd64
     ldflags:
       - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
-    tags:
-      - legacy_appindicator
     mod_timestamp: '{{ .CommitTimestamp }}'
 
   - id: netbird-ui-windows
@@ -57,6 +55,9 @@ nfpms:
       - src: client/ui/disconnected.png
         dst: /usr/share/pixmaps/netbird.png
     dependencies:
+      - libayatana-appindicator3-1
+      - libgtk-3-dev
+      - libappindicator3-dev
       - netbird
 
   - maintainer: Netbird <dev@netbird.io>
@@ -74,6 +75,9 @@ nfpms:
       - src: client/ui/disconnected.png
         dst: /usr/share/pixmaps/netbird.png
     dependencies:
+      - libayatana-appindicator3-1
+      - libgtk-3-dev
+      - libappindicator3-dev
       - netbird
 
 uploads:

README.md

@@ -59,7 +59,7 @@ NetBird uses [NAT traversal techniques](https://en.wikipedia.org/wiki/Interactiv
 - \[x] Network Activity Monitoring.
 
 **Coming soon:**
-- \[ ] Mobile clients.
+-  \[ ] Mobile clients.
 
 ### Secure peer-to-peer VPN with SSO and MFA in minutes
 
@@ -70,9 +70,9 @@ For stable versions, see [releases](https://github.com/netbirdio/netbird/release
 
 ### Start using NetBird
 -  Hosted version: [https://app.netbird.io/](https://app.netbird.io/).
--  See our documentation for [Quickstart Guide](https://docs.netbird.io/how-to/getting-started).
--  If you are looking to self-host NetBird, check our [Self-Hosting Guide](https://docs.netbird.io/selfhosted/selfhosted-guide).
--  Step-by-step [Installation Guide](https://docs.netbird.io/how-to/getting-started#installation) for different platforms.
+-  See our documentation for [Quickstart Guide](https://netbird.io/docs/getting-started/quickstart).
+-  If you are looking to self-host NetBird, check our [Self-Hosting Guide](https://netbird.io/docs/getting-started/self-hosting).
+-  Step-by-step [Installation Guide](https://netbird.io/docs/getting-started/installation) for different platforms.
 -  Web UI [repository](https://github.com/netbirdio/dashboard).
 -  5 min [demo video](https://youtu.be/Tu9tPsUWaY0) on YouTube.
 
@@ -91,7 +91,7 @@ For stable versions, see [releases](https://github.com/netbirdio/netbird/release
   <img src="https://netbird.io/docs/img/architecture/high-level-dia.png" width="700"/>
 </p>
 
-See a complete [architecture overview](https://docs.netbird.io/about-netbird/how-netbird-works#architecture) for details.
+See a complete [architecture overview](https://netbird.io/docs/overview/architecture) for details.
 
 ### Roadmap
 -  [Public Roadmap](https://github.com/netbirdio/netbird/projects/2)

base62/base62.go

@@ -1,59 +0,0 @@
-package base62
-
-import (
-	"fmt"
-	"math"
-	"strings"
-)
-
-const (
-	alphabet = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
-	base     = uint32(len(alphabet))
-)
-
-// Encode encodes a uint32 value to a base62 string.
-func Encode(num uint32) string {
-	if num == 0 {
-		return string(alphabet[0])
-	}
-
-	var encoded strings.Builder
-	remainder := uint32(0)
-
-	for num > 0 {
-		remainder = num % base
-		encoded.WriteByte(alphabet[remainder])
-		num /= base
-	}
-
-	// Reverse the encoded string
-	encodedString := encoded.String()
-	reversed := reverse(encodedString)
-	return reversed
-}
-
-// Decode decodes a base62 string to a uint32 value.
-func Decode(encoded string) (uint32, error) {
-	var decoded uint32
-	strLen := len(encoded)
-
-	for i, char := range encoded {
-		index := strings.IndexRune(alphabet, char)
-		if index < 0 {
-			return 0, fmt.Errorf("invalid character: %c", char)
-		}
-
-		decoded += uint32(index) * uint32(math.Pow(float64(base), float64(strLen-i-1)))
-	}
-
-	return decoded, nil
-}
-
-// Reverse a string.
-func reverse(s string) string {
-	runes := []rune(s)
-	for i, j := 0, len(runes)-1; i < j; i, j = i+1, j-1 {
-		runes[i], runes[j] = runes[j], runes[i]
-	}
-	return string(runes)
-}

base62/base62_test.go

@@ -1,31 +0,0 @@
-package base62
-
-import (
-	"testing"
-)
-
-func TestEncodeDecode(t *testing.T) {
-	tests := []struct {
-		num uint32
-	}{
-		{0},
-		{1},
-		{42},
-		{12345},
-		{99999},
-		{123456789},
-	}
-
-	for _, tt := range tests {
-		encoded := Encode(tt.num)
-		decoded, err := Decode(encoded)
-
-		if err != nil {
-			t.Errorf("Decode error: %v", err)
-		}
-
-		if decoded != tt.num {
-			t.Errorf("Decode(%v) = %v, want %v", encoded, decoded, tt.num)
-		}
-	}
-}

client/android/client.go

@@ -7,9 +7,7 @@ import (
 	log "github.com/sirupsen/logrus"
 
 	"github.com/netbirdio/netbird/client/internal"
-	"github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/client/internal/routemanager"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/formatter"
@@ -31,16 +29,6 @@ type IFaceDiscover interface {
 	stdnet.ExternalIFaceDiscover
 }
 
-// RouteListener export internal RouteListener for mobile
-type RouteListener interface {
-	routemanager.RouteListener
-}
-
-// DnsReadyListener export internal dns ReadyListener for mobile
-type DnsReadyListener interface {
-	dns.ReadyListener
-}
-
 func init() {
 	formatter.SetLogcatFormatter(log.StandardLogger())
 }
@@ -54,12 +42,13 @@ type Client struct {
 	ctxCancel     context.CancelFunc
 	ctxCancelLock *sync.Mutex
 	deviceName    string
-	routeListener routemanager.RouteListener
-	onHostDnsFn   func([]string)
 }
 
 // NewClient instantiate a new Client
-func NewClient(cfgFile, deviceName string, tunAdapter TunAdapter, iFaceDiscover IFaceDiscover, routeListener RouteListener) *Client {
+func NewClient(cfgFile, deviceName string, tunAdapter TunAdapter, iFaceDiscover IFaceDiscover) *Client {
+	lvl, _ := log.ParseLevel("trace")
+	log.SetLevel(lvl)
+
 	return &Client{
 		cfgFile:       cfgFile,
 		deviceName:    deviceName,
@@ -67,12 +56,11 @@ func NewClient(cfgFile, deviceName string, tunAdapter TunAdapter, iFaceDiscover
 		iFaceDiscover: iFaceDiscover,
 		recorder:      peer.NewRecorder(""),
 		ctxCancelLock: &sync.Mutex{},
-		routeListener: routeListener,
 	}
 }
 
 // Run start the internal client. It is a blocker function
-func (c *Client) Run(urlOpener URLOpener, dns *DNSList, dnsReadyListener DnsReadyListener) error {
+func (c *Client) Run(urlOpener URLOpener) error {
 	cfg, err := internal.UpdateOrCreateConfig(internal.ConfigInput{
 		ConfigPath: c.cfgFile,
 	})
@@ -97,8 +85,7 @@ func (c *Client) Run(urlOpener URLOpener, dns *DNSList, dnsReadyListener DnsRead
 
 	// todo do not throw error in case of cancelled context
 	ctx = internal.CtxInitState(ctx)
-	c.onHostDnsFn = func([]string) {}
-	return internal.RunClientMobile(ctx, cfg, c.recorder, c.tunAdapter, c.iFaceDiscover, c.routeListener, dns.items, dnsReadyListener)
+	return internal.RunClient(ctx, cfg, c.recorder, c.tunAdapter, c.iFaceDiscover)
 }
 
 // Stop the internal client and free the resources
@@ -112,11 +99,6 @@ func (c *Client) Stop() {
 	c.ctxCancel()
 }
 
-// SetTraceLogLevel configure the logger to trace level
-func (c *Client) SetTraceLogLevel() {
-	log.SetLevel(log.TraceLevel)
-}
-
 // PeersList return with the list of the PeerInfos
 func (c *Client) PeersList() *PeerInfoArray {
 
@@ -128,23 +110,14 @@ func (c *Client) PeersList() *PeerInfoArray {
 			p.IP,
 			p.FQDN,
 			p.ConnStatus.String(),
+			p.Direct,
 		}
 		peerInfos[n] = pi
 	}
+
 	return &PeerInfoArray{items: peerInfos}
 }
 
-// OnUpdatedHostDNS update the DNS servers addresses for root zones
-func (c *Client) OnUpdatedHostDNS(list *DNSList) error {
-	dnsServer, err := dns.GetServerDns()
-	if err != nil {
-		return err
-	}
-
-	dnsServer.OnUpdatedHostDNSServer(list.items)
-	return nil
-}
-
 // SetConnectionListener set the network connection listener
 func (c *Client) SetConnectionListener(listener ConnectionListener) {
 	c.recorder.SetConnectionListener(listener)

client/android/dns_list.go

@@ -1,26 +0,0 @@
-package android
-
-import "fmt"
-
-// DNSList is a wrapper of []string
-type DNSList struct {
-	items []string
-}
-
-// Add new DNS address to the collection
-func (array *DNSList) Add(s string) {
-	array.items = append(array.items, s)
-}
-
-// Get return an element of the collection
-func (array *DNSList) Get(i int) (string, error) {
-	if i >= len(array.items) || i < 0 {
-		return "", fmt.Errorf("out of range")
-	}
-	return array.items[i], nil
-}
-
-// Size return with the size of the collection
-func (array *DNSList) Size() int {
-	return len(array.items)
-}

client/android/dns_list_test.go

@@ -1,24 +0,0 @@
-package android
-
-import "testing"
-
-func TestDNSList_Get(t *testing.T) {
-	l := DNSList{
-		items: make([]string, 1),
-	}
-
-	_, err := l.Get(0)
-	if err != nil {
-		t.Errorf("invalid error: %s", err)
-	}
-
-	_, err = l.Get(-1)
-	if err == nil {
-		t.Errorf("expected error but got nil")
-	}
-
-	_, err = l.Get(1)
-	if err == nil {
-		t.Errorf("expected error but got nil")
-	}
-}

client/android/gomobile.go

@@ -1,5 +0,0 @@
-package android
-
-import _ "golang.org/x/mobile/bind"
-
-// to keep our CI/CD that checks go.mod and go.sum files happy, we need to import the package above

client/android/login.go

@@ -6,14 +6,15 @@ import (
 	"time"
 
 	"github.com/cenkalti/backoff/v4"
+
 	log "github.com/sirupsen/logrus"
 	"google.golang.org/grpc/codes"
 	gstatus "google.golang.org/grpc/status"
 
 	"github.com/netbirdio/netbird/client/cmd"
-	"github.com/netbirdio/netbird/client/internal"
-	"github.com/netbirdio/netbird/client/internal/auth"
 	"github.com/netbirdio/netbird/client/system"
+
+	"github.com/netbirdio/netbird/client/internal"
 )
 
 // SSOListener is async listener for mobile framework
@@ -86,15 +87,9 @@ func (a *Auth) saveConfigIfSSOSupported() (bool, error) {
 	err := a.withBackOff(a.ctx, func() (err error) {
 		_, err = internal.GetDeviceAuthorizationFlowInfo(a.ctx, a.config.PrivateKey, a.config.ManagementURL)
 		if s, ok := gstatus.FromError(err); ok && s.Code() == codes.NotFound {
-			_, err = internal.GetPKCEAuthorizationFlowInfo(a.ctx, a.config.PrivateKey, a.config.ManagementURL)
-			if s, ok := gstatus.FromError(err); ok && s.Code() == codes.NotFound {
-				supportsSSO = false
-				err = nil
-			}
-
-			return err
+			supportsSSO = false
+			err = nil
 		}
-
 		return err
 	})
 
@@ -188,15 +183,27 @@ func (a *Auth) login(urlOpener URLOpener) error {
 	return nil
 }
 
-func (a *Auth) foregroundGetTokenInfo(urlOpener URLOpener) (*auth.TokenInfo, error) {
-	oAuthFlow, err := auth.NewOAuthFlow(a.ctx, a.config)
+func (a *Auth) foregroundGetTokenInfo(urlOpener URLOpener) (*internal.TokenInfo, error) {
+	providerConfig, err := internal.GetDeviceAuthorizationFlowInfo(a.ctx, a.config.PrivateKey, a.config.ManagementURL)
 	if err != nil {
-		return nil, err
+		s, ok := gstatus.FromError(err)
+		if ok && s.Code() == codes.NotFound {
+			return nil, fmt.Errorf("no SSO provider returned from management. " +
+				"If you are using hosting Netbird see documentation at " +
+				"https://github.com/netbirdio/netbird/tree/main/management for details")
+		} else if ok && s.Code() == codes.Unimplemented {
+			return nil, fmt.Errorf("the management server, %s, does not support SSO providers, "+
+				"please update your servver or use Setup Keys to login", a.config.ManagementURL)
+		} else {
+			return nil, fmt.Errorf("getting device authorization flow info failed with error: %v", err)
+		}
 	}
 
-	flowInfo, err := oAuthFlow.RequestAuthInfo(context.TODO())
+	hostedClient := internal.NewHostedDeviceFlow(providerConfig.ProviderConfig)
+
+	flowInfo, err := hostedClient.RequestDeviceCode(context.TODO())
 	if err != nil {
-		return nil, fmt.Errorf("getting a request OAuth flow info failed: %v", err)
+		return nil, fmt.Errorf("getting a request device code failed: %v", err)
 	}
 
 	go urlOpener.Open(flowInfo.VerificationURIComplete)
@@ -204,7 +211,7 @@ func (a *Auth) foregroundGetTokenInfo(urlOpener URLOpener) (*auth.TokenInfo, err
 	waitTimeout := time.Duration(flowInfo.ExpiresIn)
 	waitCTX, cancel := context.WithTimeout(a.ctx, waitTimeout*time.Second)
 	defer cancel()
-	tokenInfo, err := oAuthFlow.WaitToken(waitCTX, flowInfo)
+	tokenInfo, err := hostedClient.WaitToken(waitCTX, flowInfo)
 	if err != nil {
 		return nil, fmt.Errorf("waiting for browser login failed: %v", err)
 	}

client/android/peer_notifier.go

@@ -5,6 +5,7 @@ type PeerInfo struct {
 	IP         string
 	FQDN       string
 	ConnStatus string // Todo replace to enum
+	Direct     bool
 }
 
 // PeerInfoCollection made for Java layer to get non default types as collection

client/cmd/login.go

@@ -3,8 +3,6 @@ package cmd
 import (
 	"context"
 	"fmt"
-	"github.com/netbirdio/netbird/client/internal/auth"
-	"strings"
 	"time"
 
 	"github.com/skratchdot/open-golang/open"
@@ -17,7 +15,6 @@ import (
 
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/proto"
-	"github.com/netbirdio/netbird/client/system"
 )
 
 var loginCmd = &cobra.Command{
@@ -35,11 +32,6 @@ var loginCmd = &cobra.Command{
 
 		ctx := internal.CtxInitState(context.Background())
 
-		if hostName != "" {
-			// nolint
-			ctx = context.WithValue(ctx, system.DeviceNameCtxKey, hostName)
-		}
-
 		// workaround to run without service
 		if logFile == "console" {
 			err = handleRebrand(cmd)
@@ -47,16 +39,12 @@ var loginCmd = &cobra.Command{
 				return err
 			}
 
-			ic := internal.ConfigInput{
+			config, err := internal.UpdateOrCreateConfig(internal.ConfigInput{
 				ManagementURL: managementURL,
 				AdminURL:      adminURL,
 				ConfigPath:    configPath,
-			}
-			if preSharedKey != "" {
-				ic.PreSharedKey = &preSharedKey
-			}
-
-			config, err := internal.UpdateOrCreateConfig(ic)
+				PreSharedKey:  &preSharedKey,
+			})
 			if err != nil {
 				return fmt.Errorf("get config file: %v", err)
 			}
@@ -112,7 +100,7 @@ var loginCmd = &cobra.Command{
 		}
 
 		if loginResp.NeedsSSOLogin {
-			openURL(cmd, loginResp.VerificationURIComplete, loginResp.UserCode)
+			openURL(cmd, loginResp.VerificationURIComplete)
 
 			_, err = client.WaitSSOLogin(ctx, &proto.WaitSSOLoginRequest{UserCode: loginResp.UserCode})
 			if err != nil {
@@ -164,24 +152,40 @@ func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *internal.C
 	return nil
 }
 
-func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *internal.Config) (*auth.TokenInfo, error) {
-	oAuthFlow, err := auth.NewOAuthFlow(ctx, config)
+func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *internal.Config) (*internal.TokenInfo, error) {
+	providerConfig, err := internal.GetDeviceAuthorizationFlowInfo(ctx, config.PrivateKey, config.ManagementURL)
 	if err != nil {
-		return nil, err
+		s, ok := gstatus.FromError(err)
+		if ok && s.Code() == codes.NotFound {
+			return nil, fmt.Errorf("no SSO provider returned from management. " +
+				"If you are using hosting Netbird see documentation at " +
+				"https://github.com/netbirdio/netbird/tree/main/management for details")
+		} else if ok && s.Code() == codes.Unimplemented {
+			mgmtURL := managementURL
+			if mgmtURL == "" {
+				mgmtURL = internal.DefaultManagementURL
+			}
+			return nil, fmt.Errorf("the management server, %s, does not support SSO providers, "+
+				"please update your servver or use Setup Keys to login", mgmtURL)
+		} else {
+			return nil, fmt.Errorf("getting device authorization flow info failed with error: %v", err)
+		}
 	}
 
-	flowInfo, err := oAuthFlow.RequestAuthInfo(context.TODO())
+	hostedClient := internal.NewHostedDeviceFlow(providerConfig.ProviderConfig)
+
+	flowInfo, err := hostedClient.RequestDeviceCode(context.TODO())
 	if err != nil {
-		return nil, fmt.Errorf("getting a request OAuth flow info failed: %v", err)
+		return nil, fmt.Errorf("getting a request device code failed: %v", err)
 	}
 
-	openURL(cmd, flowInfo.VerificationURIComplete, flowInfo.UserCode)
+	openURL(cmd, flowInfo.VerificationURIComplete)
 
 	waitTimeout := time.Duration(flowInfo.ExpiresIn)
 	waitCTX, c := context.WithTimeout(context.TODO(), waitTimeout*time.Second)
 	defer c()
 
-	tokenInfo, err := oAuthFlow.WaitToken(waitCTX, flowInfo)
+	tokenInfo, err := hostedClient.WaitToken(waitCTX, flowInfo)
 	if err != nil {
 		return nil, fmt.Errorf("waiting for browser login failed: %v", err)
 	}
@@ -189,18 +193,11 @@ func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *int
 	return &tokenInfo, nil
 }
 
-func openURL(cmd *cobra.Command, verificationURIComplete, userCode string) {
-	var codeMsg string
-	if userCode != "" {
-		if !strings.Contains(verificationURIComplete, userCode) {
-			codeMsg = fmt.Sprintf("and enter the code %s to authenticate.", userCode)
-		}
-	}
-
+func openURL(cmd *cobra.Command, verificationURIComplete string) {
 	err := open.Run(verificationURIComplete)
 	cmd.Printf("Please do the SSO login in your browser. \n" +
 		"If your browser didn't open automatically, use this URL to log in:\n\n" +
-		" " + verificationURIComplete + " " + codeMsg + " \n\n")
+		" " + verificationURIComplete + " \n\n")
 	if err != nil {
 		cmd.Printf("Alternatively, you may want to use a setup key, see:\n\n https://www.netbird.io/docs/overview/setup-keys\n")
 	}

client/cmd/root.go

@@ -45,7 +45,6 @@ var (
 	managementURL           string
 	adminURL                string
 	setupKey                string
-	hostName                string
 	preSharedKey            string
 	natExternalIPs          []string
 	customDNSAddress        string
@@ -95,7 +94,6 @@ func init() {
 	rootCmd.PersistentFlags().StringVar(&logFile, "log-file", defaultLogFile, "sets Netbird log path. If console is specified the the log will be output to stdout")
 	rootCmd.PersistentFlags().StringVarP(&setupKey, "setup-key", "k", "", "Setup key obtained from the Management Service Dashboard (used to register peer)")
 	rootCmd.PersistentFlags().StringVar(&preSharedKey, "preshared-key", "", "Sets Wireguard PreSharedKey property. If set, then only peers that have the same key can communicate.")
-	rootCmd.PersistentFlags().StringVarP(&hostName, "hostname", "n", "", "Sets a custom hostname for the device")
 	rootCmd.AddCommand(serviceCmd)
 	rootCmd.AddCommand(upCmd)
 	rootCmd.AddCommand(downCmd)

client/cmd/ssh.go

@@ -73,8 +73,7 @@ var sshCmd = &cobra.Command{
 		go func() {
 			// blocking
 			if err := runSSH(sshctx, host, []byte(config.SSHKey), cmd); err != nil {
-				log.Debug(err)
-				os.Exit(1)
+				log.Print(err)
 			}
 			cancel()
 		}()
@@ -93,10 +92,12 @@ func runSSH(ctx context.Context, addr string, pemKey []byte, cmd *cobra.Command)
 	c, err := nbssh.DialWithKey(fmt.Sprintf("%s:%d", addr, port), user, pemKey)
 	if err != nil {
 		cmd.Printf("Error: %v\n", err)
-		cmd.Printf("Couldn't connect. Please check the connection status or if the ssh server is enabled on the other peer" +
-			"You can verify the connection by running:\n\n" +
-			" netbird status\n\n")
-		return err
+		cmd.Printf("Couldn't connect. " +
+			"You might be disconnected from the NetBird network, or the NetBird agent isn't running.\n" +
+			"Run the status command: \n\n" +
+			" netbird status\n\n" +
+			"It might also be that the SSH server is disabled on the agent you are trying to connect to.\n")
+		return nil
 	}
 	go func() {
 		<-ctx.Done()

client/cmd/status.go

@@ -249,7 +249,7 @@ func mapPeers(peers []*proto.PeerState) peersStateOutput {
 			IP:               pbPeerState.GetIP(),
 			PubKey:           pbPeerState.GetPubKey(),
 			Status:           pbPeerState.GetConnStatus(),
-			LastStatusUpdate: timeLocal,
+			LastStatusUpdate: timeLocal.UTC(),
 			ConnType:         connType,
 			Direct:           pbPeerState.GetDirect(),
 			IceCandidateType: iceCandidateType{

client/cmd/status_test.go

@@ -11,15 +11,6 @@ import (
 	"github.com/netbirdio/netbird/version"
 )
 
-func init() {
-	loc, err := time.LoadLocation("UTC")
-	if err != nil {
-		panic(err)
-	}
-
-	time.Local = loc
-}
-
 var resp = &proto.StatusResponse{
 	Status: "Connected",
 	FullStatus: &proto.FullStatus{

client/cmd/testutil.go

@@ -2,23 +2,21 @@ package cmd
 
 import (
 	"context"
+	"github.com/netbirdio/netbird/management/server/activity"
 	"net"
 	"path/filepath"
 	"testing"
 	"time"
 
-	"github.com/netbirdio/netbird/management/server/activity"
-
 	"github.com/netbirdio/netbird/util"
 
-	"google.golang.org/grpc"
-
 	clientProto "github.com/netbirdio/netbird/client/proto"
 	client "github.com/netbirdio/netbird/client/server"
 	mgmtProto "github.com/netbirdio/netbird/management/proto"
 	mgmt "github.com/netbirdio/netbird/management/server"
 	sigProto "github.com/netbirdio/netbird/signal/proto"
 	sig "github.com/netbirdio/netbird/signal/server"
+	"google.golang.org/grpc"
 )
 
 func startTestingServices(t *testing.T) string {
@@ -65,7 +63,7 @@ func startManagement(t *testing.T, config *mgmt.Config) (*grpc.Server, net.Liste
 		t.Fatal(err)
 	}
 	s := grpc.NewServer()
-	store, err := mgmt.NewFileStore(config.Datadir, nil)
+	store, err := mgmt.NewFileStore(config.Datadir)
 	if err != nil {
 		t.Fatal(err)
 	}

client/cmd/up.go

@@ -15,7 +15,6 @@ import (
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/proto"
-	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/util"
 )
 
@@ -56,11 +55,6 @@ func upFunc(cmd *cobra.Command, args []string) error {
 
 	ctx := internal.CtxInitState(cmd.Context())
 
-	if hostName != "" {
-		// nolint
-		ctx = context.WithValue(ctx, system.DeviceNameCtxKey, hostName)
-	}
-
 	if foregroundMode {
 		return runInForegroundMode(ctx, cmd)
 	}
@@ -78,18 +72,14 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command) error {
 		return err
 	}
 
-	ic := internal.ConfigInput{
+	config, err := internal.UpdateOrCreateConfig(internal.ConfigInput{
 		ManagementURL:    managementURL,
 		AdminURL:         adminURL,
 		ConfigPath:       configPath,
+		PreSharedKey:     &preSharedKey,
 		NATExternalIPs:   natExternalIPs,
 		CustomDNSAddress: customDNSAddressConverted,
-	}
-	if preSharedKey != "" {
-		ic.PreSharedKey = &preSharedKey
-	}
-
-	config, err := internal.UpdateOrCreateConfig(ic)
+	})
 	if err != nil {
 		return fmt.Errorf("get config file: %v", err)
 	}
@@ -104,7 +94,7 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command) error {
 	var cancel context.CancelFunc
 	ctx, cancel = context.WithCancel(ctx)
 	SetupCloseHandler(ctx, cancel)
-	return internal.RunClient(ctx, config, peer.NewRecorder(config.ManagementURL.String()))
+	return internal.RunClient(ctx, config, peer.NewRecorder(config.ManagementURL.String()), nil, nil)
 }
 
 func runInDaemonMode(ctx context.Context, cmd *cobra.Command) error {
@@ -176,7 +166,7 @@ func runInDaemonMode(ctx context.Context, cmd *cobra.Command) error {
 
 	if loginResp.NeedsSSOLogin {
 
-		openURL(cmd, loginResp.VerificationURIComplete, loginResp.UserCode)
+		openURL(cmd, loginResp.VerificationURIComplete)
 
 		_, err = client.WaitSSOLogin(ctx, &proto.WaitSSOLoginRequest{UserCode: loginResp.UserCode})
 		if err != nil {

client/firewall/firewall.go

@@ -13,24 +13,22 @@ type Rule interface {
 	GetRuleID() string
 }
 
-// RuleDirection is the traffic direction which a rule is applied
-type RuleDirection int
+// Direction is the direction of the traffic
+type Direction int
 
 const (
-	// RuleDirectionIN applies to filters that handlers incoming traffic
-	RuleDirectionIN RuleDirection = iota
-	// RuleDirectionOUT applies to filters that handlers outgoing traffic
-	RuleDirectionOUT
+	// DirectionSrc is the direction of the traffic from the source
+	DirectionSrc Direction = iota
+	// DirectionDst is the direction of the traffic from the destination
+	DirectionDst
 )
 
 // Action is the action to be taken on a rule
 type Action int
 
 const (
-	// ActionUnknown is a unknown action
-	ActionUnknown Action = iota
 	// ActionAccept is the action to accept a packet
-	ActionAccept
+	ActionAccept Action = iota
 	// ActionDrop is the action to drop a packet
 	ActionDrop
 )
@@ -41,17 +39,11 @@ const (
 // Netbird client for ACL and routing functionality
 type Manager interface {
 	// AddFiltering rule to the firewall
-	//
-	// If comment argument is empty firewall manager should set
-	// rule ID as comment for the rule
 	AddFiltering(
 		ip net.IP,
-		proto Protocol,
-		sPort *Port,
-		dPort *Port,
-		direction RuleDirection,
+		port *Port,
+		direction Direction,
 		action Action,
-		ipsetName string,
 		comment string,
 	) (Rule, error)
 
@@ -61,8 +53,5 @@ type Manager interface {
 	// Reset firewall to the default state
 	Reset() error
 
-	// Flush the changes to firewall controller
-	Flush() error
-
 	// TODO: migrate routemanager firewal actions to this interface
 }

client/firewall/iptables/manager_linux.go

@@ -8,205 +8,83 @@ import (
 
 	"github.com/coreos/go-iptables/iptables"
 	"github.com/google/uuid"
-	"github.com/nadoo/ipset"
-	log "github.com/sirupsen/logrus"
 
 	fw "github.com/netbirdio/netbird/client/firewall"
-	"github.com/netbirdio/netbird/iface"
 )
 
 const (
-	// ChainInputFilterName is the name of the chain that is used for filtering incoming packets
-	ChainInputFilterName = "NETBIRD-ACL-INPUT"
-
-	// ChainOutputFilterName is the name of the chain that is used for filtering outgoing packets
-	ChainOutputFilterName = "NETBIRD-ACL-OUTPUT"
+	// ChainFilterName is the name of the chain that is used for filtering by the Netbird client
+	ChainFilterName = "NETBIRD-ACL"
 )
 
-// dropAllDefaultRule in the Netbird chain
-var dropAllDefaultRule = []string{"-j", "DROP"}
-
 // Manager of iptables firewall
 type Manager struct {
 	mutex sync.Mutex
 
 	ipv4Client *iptables.IPTables
 	ipv6Client *iptables.IPTables
-
-	inputDefaultRuleSpecs  []string
-	outputDefaultRuleSpecs []string
-	wgIface                iFaceMapper
-
-	rulesets map[string]ruleset
-}
-
-// iFaceMapper defines subset methods of interface required for manager
-type iFaceMapper interface {
-	Name() string
-	Address() iface.WGAddress
-}
-
-type ruleset struct {
-	rule *Rule
-	ips  map[string]string
 }
 
 // Create iptables firewall manager
-func Create(wgIface iFaceMapper) (*Manager, error) {
-	m := &Manager{
-		wgIface: wgIface,
-		inputDefaultRuleSpecs: []string{
-			"-i", wgIface.Name(), "-j", ChainInputFilterName, "-s", wgIface.Address().String()},
-		outputDefaultRuleSpecs: []string{
-			"-o", wgIface.Name(), "-j", ChainOutputFilterName, "-d", wgIface.Address().String()},
-		rulesets: make(map[string]ruleset),
-	}
-
-	if err := ipset.Init(); err != nil {
-		return nil, fmt.Errorf("init ipset: %w", err)
-	}
+func Create() (*Manager, error) {
+	m := &Manager{}
 
 	// init clients for booth ipv4 and ipv6
 	ipv4Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 	if err != nil {
 		return nil, fmt.Errorf("iptables is not installed in the system or not supported")
 	}
-	if isIptablesClientAvailable(ipv4Client) {
-		m.ipv4Client = ipv4Client
-	}
+	m.ipv4Client = ipv4Client
 
 	ipv6Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv6)
 	if err != nil {
-		log.Errorf("ip6tables is not installed in the system or not supported: %v", err)
-	} else {
-		if isIptablesClientAvailable(ipv6Client) {
-			m.ipv6Client = ipv6Client
-		}
+		return nil, fmt.Errorf("ip6tables is not installed in the system or not supported")
 	}
+	m.ipv6Client = ipv6Client
 
 	if err := m.Reset(); err != nil {
-		return nil, fmt.Errorf("failed to reset firewall: %v", err)
+		return nil, fmt.Errorf("failed to reset firewall: %s", err)
 	}
+
 	return m, nil
 }
 
-func isIptablesClientAvailable(client *iptables.IPTables) bool {
-	_, err := client.ListChains("filter")
-	return err == nil
-}
-
 // AddFiltering rule to the firewall
-//
-// If comment is empty rule ID is used as comment
 func (m *Manager) AddFiltering(
 	ip net.IP,
-	protocol fw.Protocol,
-	sPort *fw.Port,
-	dPort *fw.Port,
-	direction fw.RuleDirection,
+	port *fw.Port,
+	direction fw.Direction,
 	action fw.Action,
-	ipsetName string,
 	comment string,
 ) (fw.Rule, error) {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
-
-	client, err := m.client(ip)
+	client := m.client(ip)
+	ok, err := client.ChainExists("filter", ChainFilterName)
 	if err != nil {
+		return nil, fmt.Errorf("failed to check if chain exists: %s", err)
+	}
+	if !ok {
+		if err := client.NewChain("filter", ChainFilterName); err != nil {
+			return nil, fmt.Errorf("failed to create chain: %s", err)
+		}
+	}
+	if port == nil || port.Values == nil || (port.IsRange && len(port.Values) != 2) {
+		return nil, fmt.Errorf("invalid port definition")
+	}
+	pv := strconv.Itoa(port.Values[0])
+	if port.IsRange {
+		pv += ":" + strconv.Itoa(port.Values[1])
+	}
+	specs := m.filterRuleSpecs("filter", ChainFilterName, ip, pv, direction, action, comment)
+	if err := client.AppendUnique("filter", ChainFilterName, specs...); err != nil {
 		return nil, err
 	}
-
-	var dPortVal, sPortVal string
-	if dPort != nil && dPort.Values != nil {
-		// TODO: we support only one port per rule in current implementation of ACLs
-		dPortVal = strconv.Itoa(dPort.Values[0])
-	}
-	if sPort != nil && sPort.Values != nil {
-		sPortVal = strconv.Itoa(sPort.Values[0])
-	}
-	ipsetName = m.transformIPsetName(ipsetName, sPortVal, dPortVal)
-
-	ruleID := uuid.New().String()
-	if comment == "" {
-		comment = ruleID
-	}
-
-	if ipsetName != "" {
-		rs, rsExists := m.rulesets[ipsetName]
-		if !rsExists {
-			if err := ipset.Flush(ipsetName); err != nil {
-				log.Errorf("flush ipset %q before use it: %v", ipsetName, err)
-			}
-			if err := ipset.Create(ipsetName); err != nil {
-				return nil, fmt.Errorf("failed to create ipset: %w", err)
-			}
-		}
-
-		if err := ipset.Add(ipsetName, ip.String()); err != nil {
-			return nil, fmt.Errorf("failed to add IP to ipset: %w", err)
-		}
-
-		if rsExists {
-			// if ruleset already exists it means we already have the firewall rule
-			// so we need to update IPs in the ruleset and return new fw.Rule object for ACL manager.
-			rs.ips[ip.String()] = ruleID
-			return &Rule{
-				ruleID:    ruleID,
-				ipsetName: ipsetName,
-				ip:        ip.String(),
-				dst:       direction == fw.RuleDirectionOUT,
-				v6:        ip.To4() == nil,
-			}, nil
-		}
-		// this is new ipset so we need to create firewall rule for it
-	}
-
-	specs := m.filterRuleSpecs("filter", ip, string(protocol), sPortVal, dPortVal,
-		direction, action, comment, ipsetName)
-
-	if direction == fw.RuleDirectionOUT {
-		ok, err := client.Exists("filter", ChainOutputFilterName, specs...)
-		if err != nil {
-			return nil, fmt.Errorf("check is output rule already exists: %w", err)
-		}
-		if ok {
-			return nil, fmt.Errorf("input rule already exists")
-		}
-
-		if err := client.Insert("filter", ChainOutputFilterName, 1, specs...); err != nil {
-			return nil, err
-		}
-	} else {
-		ok, err := client.Exists("filter", ChainInputFilterName, specs...)
-		if err != nil {
-			return nil, fmt.Errorf("check is input rule already exists: %w", err)
-		}
-		if ok {
-			return nil, fmt.Errorf("input rule already exists")
-		}
-
-		if err := client.Insert("filter", ChainInputFilterName, 1, specs...); err != nil {
-			return nil, err
-		}
-	}
-
 	rule := &Rule{
-		ruleID:    ruleID,
-		specs:     specs,
-		ipsetName: ipsetName,
-		ip:        ip.String(),
-		dst:       direction == fw.RuleDirectionOUT,
-		v6:        ip.To4() == nil,
+		id:    uuid.New().String(),
+		specs: specs,
+		v6:    ip.To4() == nil,
 	}
-	if ipsetName != "" {
-		// ipset name is defined and it means that this rule was created
-		// for it, need to assosiate it with ruleset
-		m.rulesets[ipsetName] = ruleset{
-			rule: rule,
-			ips:  map[string]string{rule.ip: ruleID},
-		}
-	}
-
 	return rule, nil
 }
 
@@ -214,224 +92,64 @@ func (m *Manager) AddFiltering(
 func (m *Manager) DeleteRule(rule fw.Rule) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
-
 	r, ok := rule.(*Rule)
 	if !ok {
 		return fmt.Errorf("invalid rule type")
 	}
-
 	client := m.ipv4Client
 	if r.v6 {
-		if m.ipv6Client == nil {
-			return fmt.Errorf("ipv6 is not supported")
-		}
 		client = m.ipv6Client
 	}
-
-	if rs, ok := m.rulesets[r.ipsetName]; ok {
-		// delete IP from ruleset IPs list and ipset
-		if _, ok := rs.ips[r.ip]; ok {
-			if err := ipset.Del(r.ipsetName, r.ip); err != nil {
-				return fmt.Errorf("failed to delete ip from ipset: %w", err)
-			}
-			delete(rs.ips, r.ip)
-		}
-
-		// if after delete, set still contains other IPs,
-		// no need to delete firewall rule and we should exit here
-		if len(rs.ips) != 0 {
-			return nil
-		}
-
-		// we delete last IP from the set, that means we need to delete
-		// set itself and assosiated firewall rule too
-		delete(m.rulesets, r.ipsetName)
-
-		if err := ipset.Destroy(r.ipsetName); err != nil {
-			log.Errorf("delete empty ipset: %v", err)
-		}
-		r = rs.rule
-	}
-
-	if r.dst {
-		return client.Delete("filter", ChainOutputFilterName, r.specs...)
-	}
-	return client.Delete("filter", ChainInputFilterName, r.specs...)
+	return client.Delete("filter", ChainFilterName, r.specs...)
 }
 
 // Reset firewall to the default state
 func (m *Manager) Reset() error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
-
-	if err := m.reset(m.ipv4Client, "filter"); err != nil {
-		return fmt.Errorf("clean ipv4 firewall ACL input chain: %w", err)
+	if err := m.reset(m.ipv4Client, "filter", ChainFilterName); err != nil {
+		return fmt.Errorf("clean ipv4 firewall ACL chain: %w", err)
 	}
-	if m.ipv6Client != nil {
-		if err := m.reset(m.ipv6Client, "filter"); err != nil {
-			return fmt.Errorf("clean ipv6 firewall ACL input chain: %w", err)
-		}
+	if err := m.reset(m.ipv6Client, "filter", ChainFilterName); err != nil {
+		return fmt.Errorf("clean ipv6 firewall ACL chain: %w", err)
 	}
-
 	return nil
 }
 
-// Flush doesn't need to be implemented for this manager
-func (m *Manager) Flush() error { return nil }
-
 // reset firewall chain, clear it and drop it
-func (m *Manager) reset(client *iptables.IPTables, table string) error {
-	ok, err := client.ChainExists(table, ChainInputFilterName)
+func (m *Manager) reset(client *iptables.IPTables, table, chain string) error {
+	ok, err := client.ChainExists(table, chain)
 	if err != nil {
-		return fmt.Errorf("failed to check if input chain exists: %w", err)
+		return fmt.Errorf("failed to check if chain exists: %w", err)
 	}
-	if ok {
-		if ok, err := client.Exists("filter", "INPUT", m.inputDefaultRuleSpecs...); err != nil {
-			return err
-		} else if ok {
-			if err := client.Delete("filter", "INPUT", m.inputDefaultRuleSpecs...); err != nil {
-				log.WithError(err).Errorf("failed to delete default input rule: %v", err)
-			}
-		}
-	}
-
-	ok, err = client.ChainExists(table, ChainOutputFilterName)
-	if err != nil {
-		return fmt.Errorf("failed to check if output chain exists: %w", err)
-	}
-	if ok {
-		if ok, err := client.Exists("filter", "OUTPUT", m.outputDefaultRuleSpecs...); err != nil {
-			return err
-		} else if ok {
-			if err := client.Delete("filter", "OUTPUT", m.outputDefaultRuleSpecs...); err != nil {
-				log.WithError(err).Errorf("failed to delete default output rule: %v", err)
-			}
-		}
-	}
-
-	if err := client.ClearAndDeleteChain(table, ChainInputFilterName); err != nil {
-		log.Errorf("failed to clear and delete input chain: %v", err)
+	if !ok {
 		return nil
 	}
-
-	if err := client.ClearAndDeleteChain(table, ChainOutputFilterName); err != nil {
-		log.Errorf("failed to clear and delete input chain: %v", err)
-		return nil
+	if err := client.ClearChain(table, ChainFilterName); err != nil {
+		return fmt.Errorf("failed to clear chain: %w", err)
 	}
-
-	for ipsetName := range m.rulesets {
-		if err := ipset.Flush(ipsetName); err != nil {
-			log.Errorf("flush ipset %q during reset: %v", ipsetName, err)
-		}
-		if err := ipset.Destroy(ipsetName); err != nil {
-			log.Errorf("delete ipset %q during reset: %v", ipsetName, err)
-		}
-		delete(m.rulesets, ipsetName)
-	}
-
-	return nil
+	return client.DeleteChain(table, ChainFilterName)
 }
 
 // filterRuleSpecs returns the specs of a filtering rule
 func (m *Manager) filterRuleSpecs(
-	table string, ip net.IP, protocol string, sPort, dPort string,
-	direction fw.RuleDirection, action fw.Action, comment string,
-	ipsetName string,
+	table string, chain string, ip net.IP, port string,
+	direction fw.Direction, action fw.Action, comment string,
 ) (specs []string) {
-	matchByIP := true
-	// don't use IP matching if IP is ip 0.0.0.0
-	if s := ip.String(); s == "0.0.0.0" || s == "::" {
-		matchByIP = false
-	}
-	switch direction {
-	case fw.RuleDirectionIN:
-		if matchByIP {
-			if ipsetName != "" {
-				specs = append(specs, "-m", "set", "--set", ipsetName, "src")
-			} else {
-				specs = append(specs, "-s", ip.String())
-			}
-		}
-	case fw.RuleDirectionOUT:
-		if matchByIP {
-			if ipsetName != "" {
-				specs = append(specs, "-m", "set", "--set", ipsetName, "dst")
-			} else {
-				specs = append(specs, "-d", ip.String())
-			}
-		}
-	}
-	if protocol != "all" {
-		specs = append(specs, "-p", protocol)
-	}
-	if sPort != "" {
-		specs = append(specs, "--sport", sPort)
-	}
-	if dPort != "" {
-		specs = append(specs, "--dport", dPort)
+	if direction == fw.DirectionSrc {
+		specs = append(specs, "-s", ip.String())
 	}
+	specs = append(specs, "-p", "tcp", "--dport", port)
 	specs = append(specs, "-j", m.actionToStr(action))
 	return append(specs, "-m", "comment", "--comment", comment)
 }
 
-// rawClient returns corresponding iptables client for the given ip
-func (m *Manager) rawClient(ip net.IP) (*iptables.IPTables, error) {
+// client returns corresponding iptables client for the given ip
+func (m *Manager) client(ip net.IP) *iptables.IPTables {
 	if ip.To4() != nil {
-		return m.ipv4Client, nil
+		return m.ipv4Client
 	}
-	if m.ipv6Client == nil {
-		return nil, fmt.Errorf("ipv6 is not supported")
-	}
-	return m.ipv6Client, nil
-}
-
-// client returns client with initialized chain and default rules
-func (m *Manager) client(ip net.IP) (*iptables.IPTables, error) {
-	client, err := m.rawClient(ip)
-	if err != nil {
-		return nil, err
-	}
-
-	ok, err := client.ChainExists("filter", ChainInputFilterName)
-	if err != nil {
-		return nil, fmt.Errorf("failed to check if chain exists: %w", err)
-	}
-
-	if !ok {
-		if err := client.NewChain("filter", ChainInputFilterName); err != nil {
-			return nil, fmt.Errorf("failed to create input chain: %w", err)
-		}
-
-		if err := client.AppendUnique("filter", ChainInputFilterName, dropAllDefaultRule...); err != nil {
-			return nil, fmt.Errorf("failed to create default drop all in netbird input chain: %w", err)
-		}
-
-		if err := client.AppendUnique("filter", "INPUT", m.inputDefaultRuleSpecs...); err != nil {
-			return nil, fmt.Errorf("failed to create input chain jump rule: %w", err)
-		}
-
-	}
-
-	ok, err = client.ChainExists("filter", ChainOutputFilterName)
-	if err != nil {
-		return nil, fmt.Errorf("failed to check if chain exists: %w", err)
-	}
-
-	if !ok {
-		if err := client.NewChain("filter", ChainOutputFilterName); err != nil {
-			return nil, fmt.Errorf("failed to create output chain: %w", err)
-		}
-
-		if err := client.AppendUnique("filter", ChainOutputFilterName, dropAllDefaultRule...); err != nil {
-			return nil, fmt.Errorf("failed to create default drop all in netbird output chain: %w", err)
-		}
-
-		if err := client.AppendUnique("filter", "OUTPUT", m.outputDefaultRuleSpecs...); err != nil {
-			return nil, fmt.Errorf("failed to create output chain jump rule: %w", err)
-		}
-	}
-
-	return client, nil
+	return m.ipv6Client
 }
 
 func (m *Manager) actionToStr(action fw.Action) string {
@@ -440,16 +158,3 @@ func (m *Manager) actionToStr(action fw.Action) string {
 	}
 	return "DROP"
 }
-
-func (m *Manager) transformIPsetName(ipsetName string, sPort, dPort string) string {
-	if ipsetName == "" {
-		return ""
-	} else if sPort != "" && dPort != "" {
-		return ipsetName + "-sport-dport"
-	} else if sPort != "" {
-		return ipsetName + "-sport"
-	} else if dPort != "" {
-		return ipsetName + "-dport"
-	}
-	return ipsetName
-}

client/firewall/iptables/manager_linux_test.go

@@ -1,261 +1,105 @@
 package iptables
 
 import (
-	"fmt"
 	"net"
 	"testing"
-	"time"
 
 	"github.com/coreos/go-iptables/iptables"
-	"github.com/stretchr/testify/require"
-
 	fw "github.com/netbirdio/netbird/client/firewall"
-	"github.com/netbirdio/netbird/iface"
 )
 
-// iFaceMapper defines subset methods of interface required for manager
-type iFaceMock struct {
-	NameFunc    func() string
-	AddressFunc func() iface.WGAddress
-}
-
-func (i *iFaceMock) Name() string {
-	if i.NameFunc != nil {
-		return i.NameFunc()
-	}
-	panic("NameFunc is not set")
-}
-
-func (i *iFaceMock) Address() iface.WGAddress {
-	if i.AddressFunc != nil {
-		return i.AddressFunc()
-	}
-	panic("AddressFunc is not set")
-}
-
-func TestIptablesManager(t *testing.T) {
+func TestNewManager(t *testing.T) {
 	ipv4Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
-	require.NoError(t, err)
-
-	mock := &iFaceMock{
-		NameFunc: func() string {
-			return "lo"
-		},
-		AddressFunc: func() iface.WGAddress {
-			return iface.WGAddress{
-				IP: net.ParseIP("10.20.0.1"),
-				Network: &net.IPNet{
-					IP:   net.ParseIP("10.20.0.0"),
-					Mask: net.IPv4Mask(255, 255, 255, 0),
-				},
-			}
-		},
+	if err != nil {
+		t.Fatal(err)
 	}
 
-	// just check on the local interface
-	manager, err := Create(mock)
-	require.NoError(t, err)
-
-	time.Sleep(time.Second)
-
-	defer func() {
-		err := manager.Reset()
-		require.NoError(t, err, "clear the manager state")
-
-		time.Sleep(time.Second)
-	}()
+	manager, err := Create()
+	if err != nil {
+		t.Fatal(err)
+	}
 
 	var rule1 fw.Rule
 	t.Run("add first rule", func(t *testing.T) {
 		ip := net.ParseIP("10.20.0.2")
-		port := &fw.Port{Values: []int{8080}}
-		rule1, err = manager.AddFiltering(ip, "tcp", nil, port, fw.RuleDirectionOUT, fw.ActionAccept, "", "accept HTTP traffic")
-		require.NoError(t, err, "failed to add rule")
+		port := &fw.Port{Proto: fw.PortProtocolTCP, Values: []int{8080}}
+		rule1, err = manager.AddFiltering(ip, port, fw.DirectionDst, fw.ActionAccept, "accept HTTP traffic")
+		if err != nil {
+			t.Errorf("failed to add rule: %v", err)
+		}
 
-		checkRuleSpecs(t, ipv4Client, ChainOutputFilterName, true, rule1.(*Rule).specs...)
+		checkRuleSpecs(t, ipv4Client, true, rule1.(*Rule).specs...)
 	})
 
 	var rule2 fw.Rule
 	t.Run("add second rule", func(t *testing.T) {
 		ip := net.ParseIP("10.20.0.3")
 		port := &fw.Port{
+			Proto:  fw.PortProtocolTCP,
 			Values: []int{8043: 8046},
 		}
 		rule2, err = manager.AddFiltering(
-			ip, "tcp", port, nil, fw.RuleDirectionIN, fw.ActionAccept, "", "accept HTTPS traffic from ports range")
-		require.NoError(t, err, "failed to add rule")
+			ip, port, fw.DirectionDst, fw.ActionAccept, "accept HTTPS traffic from ports range")
+		if err != nil {
+			t.Errorf("failed to add rule: %v", err)
+		}
 
-		checkRuleSpecs(t, ipv4Client, ChainInputFilterName, true, rule2.(*Rule).specs...)
+		checkRuleSpecs(t, ipv4Client, true, rule2.(*Rule).specs...)
 	})
 
 	t.Run("delete first rule", func(t *testing.T) {
-		err := manager.DeleteRule(rule1)
-		require.NoError(t, err, "failed to delete rule")
+		if err := manager.DeleteRule(rule1); err != nil {
+			t.Errorf("failed to delete rule: %v", err)
+		}
 
-		checkRuleSpecs(t, ipv4Client, ChainOutputFilterName, false, rule1.(*Rule).specs...)
+		checkRuleSpecs(t, ipv4Client, false, rule1.(*Rule).specs...)
 	})
 
 	t.Run("delete second rule", func(t *testing.T) {
-		err := manager.DeleteRule(rule2)
-		require.NoError(t, err, "failed to delete rule")
+		if err := manager.DeleteRule(rule2); err != nil {
+			t.Errorf("failed to delete rule: %v", err)
+		}
 
-		require.Empty(t, manager.rulesets, "rulesets index after removed second rule must be empty")
+		checkRuleSpecs(t, ipv4Client, false, rule2.(*Rule).specs...)
 	})
 
 	t.Run("reset check", func(t *testing.T) {
 		// add second rule
 		ip := net.ParseIP("10.20.0.3")
-		port := &fw.Port{Values: []int{5353}}
-		_, err = manager.AddFiltering(ip, "udp", nil, port, fw.RuleDirectionOUT, fw.ActionAccept, "", "accept Fake DNS traffic")
-		require.NoError(t, err, "failed to add rule")
+		port := &fw.Port{Proto: fw.PortProtocolUDP, Values: []int{5353}}
+		_, err = manager.AddFiltering(ip, port, fw.DirectionDst, fw.ActionAccept, "accept Fake DNS traffic")
+		if err != nil {
+			t.Errorf("failed to add rule: %v", err)
+		}
 
-		err = manager.Reset()
-		require.NoError(t, err, "failed to reset")
+		if err := manager.Reset(); err != nil {
+			t.Errorf("failed to reset: %v", err)
+		}
 
-		ok, err := ipv4Client.ChainExists("filter", ChainInputFilterName)
-		require.NoError(t, err, "failed check chain exists")
+		ok, err := ipv4Client.ChainExists("filter", ChainFilterName)
+		if err != nil {
+			t.Errorf("failed to drop chain: %v", err)
+		}
 
 		if ok {
-			require.NoErrorf(t, err, "chain '%v' still exists after Reset", ChainInputFilterName)
+			t.Errorf("chain '%v' still exists after Reset", ChainFilterName)
 		}
 	})
 }
 
-func TestIptablesManagerIPSet(t *testing.T) {
-	ipv4Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
-	require.NoError(t, err)
-
-	mock := &iFaceMock{
-		NameFunc: func() string {
-			return "lo"
-		},
-		AddressFunc: func() iface.WGAddress {
-			return iface.WGAddress{
-				IP: net.ParseIP("10.20.0.1"),
-				Network: &net.IPNet{
-					IP:   net.ParseIP("10.20.0.0"),
-					Mask: net.IPv4Mask(255, 255, 255, 0),
-				},
-			}
-		},
+func checkRuleSpecs(t *testing.T, ipv4Client *iptables.IPTables, mustExists bool, rulespec ...string) {
+	exists, err := ipv4Client.Exists("filter", ChainFilterName, rulespec...)
+	if err != nil {
+		t.Errorf("failed to check rule: %v", err)
+		return
 	}
 
-	// just check on the local interface
-	manager, err := Create(mock)
-	require.NoError(t, err)
-
-	time.Sleep(time.Second)
-
-	defer func() {
-		err := manager.Reset()
-		require.NoError(t, err, "clear the manager state")
-
-		time.Sleep(time.Second)
-	}()
-
-	var rule1 fw.Rule
-	t.Run("add first rule with set", func(t *testing.T) {
-		ip := net.ParseIP("10.20.0.2")
-		port := &fw.Port{Values: []int{8080}}
-		rule1, err = manager.AddFiltering(
-			ip, "tcp", nil, port, fw.RuleDirectionOUT,
-			fw.ActionAccept, "default", "accept HTTP traffic",
-		)
-		require.NoError(t, err, "failed to add rule")
-
-		checkRuleSpecs(t, ipv4Client, ChainOutputFilterName, true, rule1.(*Rule).specs...)
-		require.Equal(t, rule1.(*Rule).ipsetName, "default-dport", "ipset name must be set")
-		require.Equal(t, rule1.(*Rule).ip, "10.20.0.2", "ipset IP must be set")
-	})
-
-	var rule2 fw.Rule
-	t.Run("add second rule", func(t *testing.T) {
-		ip := net.ParseIP("10.20.0.3")
-		port := &fw.Port{
-			Values: []int{443},
-		}
-		rule2, err = manager.AddFiltering(
-			ip, "tcp", port, nil, fw.RuleDirectionIN, fw.ActionAccept,
-			"default", "accept HTTPS traffic from ports range",
-		)
-		require.NoError(t, err, "failed to add rule")
-		require.Equal(t, rule2.(*Rule).ipsetName, "default-sport", "ipset name must be set")
-		require.Equal(t, rule2.(*Rule).ip, "10.20.0.3", "ipset IP must be set")
-	})
-
-	t.Run("delete first rule", func(t *testing.T) {
-		err := manager.DeleteRule(rule1)
-		require.NoError(t, err, "failed to delete rule")
-
-		require.NotContains(t, manager.rulesets, rule1.(*Rule).ruleID, "rule must be removed form the ruleset index")
-	})
-
-	t.Run("delete second rule", func(t *testing.T) {
-		err := manager.DeleteRule(rule2)
-		require.NoError(t, err, "failed to delete rule")
-
-		require.Empty(t, manager.rulesets, "rulesets index after removed second rule must be empty")
-	})
-
-	t.Run("reset check", func(t *testing.T) {
-		err = manager.Reset()
-		require.NoError(t, err, "failed to reset")
-	})
-}
-
-func checkRuleSpecs(t *testing.T, ipv4Client *iptables.IPTables, chainName string, mustExists bool, rulespec ...string) {
-	exists, err := ipv4Client.Exists("filter", chainName, rulespec...)
-	require.NoError(t, err, "failed to check rule")
-	require.Falsef(t, !exists && mustExists, "rule '%v' does not exist", rulespec)
-	require.Falsef(t, exists && !mustExists, "rule '%v' exist", rulespec)
-}
-
-func TestIptablesCreatePerformance(t *testing.T) {
-	mock := &iFaceMock{
-		NameFunc: func() string {
-			return "lo"
-		},
-		AddressFunc: func() iface.WGAddress {
-			return iface.WGAddress{
-				IP: net.ParseIP("10.20.0.1"),
-				Network: &net.IPNet{
-					IP:   net.ParseIP("10.20.0.0"),
-					Mask: net.IPv4Mask(255, 255, 255, 0),
-				},
-			}
-		},
+	if !exists && mustExists {
+		t.Errorf("rule '%v' does not exist", rulespec)
+		return
 	}
-
-	for _, testMax := range []int{10, 20, 30, 40, 50, 60, 70, 80, 90, 100, 200, 300, 400, 500, 600, 700, 800, 900, 1000} {
-		t.Run(fmt.Sprintf("Testing %d rules", testMax), func(t *testing.T) {
-			// just check on the local interface
-			manager, err := Create(mock)
-			require.NoError(t, err)
-			time.Sleep(time.Second)
-
-			defer func() {
-				err := manager.Reset()
-				require.NoError(t, err, "clear the manager state")
-
-				time.Sleep(time.Second)
-			}()
-
-			_, err = manager.client(net.ParseIP("10.20.0.100"))
-			require.NoError(t, err)
-
-			ip := net.ParseIP("10.20.0.100")
-			start := time.Now()
-			for i := 0; i < testMax; i++ {
-				port := &fw.Port{Values: []int{1000 + i}}
-				if i%2 == 0 {
-					_, err = manager.AddFiltering(ip, "tcp", nil, port, fw.RuleDirectionOUT, fw.ActionAccept, "", "accept HTTP traffic")
-				} else {
-					_, err = manager.AddFiltering(ip, "tcp", nil, port, fw.RuleDirectionIN, fw.ActionAccept, "", "accept HTTP traffic")
-				}
-
-				require.NoError(t, err, "failed to add rule")
-			}
-			t.Logf("execution avg per rule: %s", time.Since(start)/time.Duration(testMax))
-		})
+	if exists && !mustExists {
+		t.Errorf("rule '%v' exist", rulespec)
+		return
 	}
 }

client/firewall/iptables/rule.go

@@ -2,16 +2,12 @@ package iptables
 
 // Rule to handle management of rules
 type Rule struct {
-	ruleID    string
-	ipsetName string
-
+	id    string
 	specs []string
-	ip    string
-	dst   bool
 	v6    bool
 }
 
 // GetRuleID returns the rule id
 func (r *Rule) GetRuleID() string {
-	return r.ruleID
+	return r.id
 }

client/firewall/nftables/manager_linux.go

@@ -1,758 +0,0 @@
-package nftables
-
-import (
-	"bytes"
-	"encoding/binary"
-	"fmt"
-	"net"
-	"net/netip"
-	"strconv"
-	"strings"
-	"sync"
-	"time"
-
-	"github.com/google/nftables"
-	"github.com/google/nftables/expr"
-	log "github.com/sirupsen/logrus"
-	"golang.org/x/sys/unix"
-
-	fw "github.com/netbirdio/netbird/client/firewall"
-	"github.com/netbirdio/netbird/iface"
-)
-
-const (
-	// FilterTableName is the name of the table that is used for filtering by the Netbird client
-	FilterTableName = "netbird-acl"
-
-	// FilterInputChainName is the name of the chain that is used for filtering incoming packets
-	FilterInputChainName = "netbird-acl-input-filter"
-
-	// FilterOutputChainName is the name of the chain that is used for filtering outgoing packets
-	FilterOutputChainName = "netbird-acl-output-filter"
-)
-
-var anyIP = []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
-
-// Manager of iptables firewall
-type Manager struct {
-	mutex sync.Mutex
-
-	rConn     *nftables.Conn
-	sConn     *nftables.Conn
-	tableIPv4 *nftables.Table
-	tableIPv6 *nftables.Table
-
-	filterInputChainIPv4  *nftables.Chain
-	filterOutputChainIPv4 *nftables.Chain
-
-	filterInputChainIPv6  *nftables.Chain
-	filterOutputChainIPv6 *nftables.Chain
-
-	rulesetManager *rulesetManager
-	setRemovedIPs  map[string]struct{}
-	setRemoved     map[string]*nftables.Set
-
-	wgIface iFaceMapper
-}
-
-// iFaceMapper defines subset methods of interface required for manager
-type iFaceMapper interface {
-	Name() string
-	Address() iface.WGAddress
-}
-
-// Create nftables firewall manager
-func Create(wgIface iFaceMapper) (*Manager, error) {
-	// sConn is used for creating sets and adding/removing elements from them
-	// it's differ then rConn (which does create new conn for each flush operation)
-	// and is permanent. Using same connection for booth type of operations
-	// overloads netlink with high amount of rules ( > 10000)
-	sConn, err := nftables.New(nftables.AsLasting())
-	if err != nil {
-		return nil, err
-	}
-
-	m := &Manager{
-		rConn: &nftables.Conn{},
-		sConn: sConn,
-
-		rulesetManager: newRuleManager(),
-		setRemovedIPs:  map[string]struct{}{},
-		setRemoved:     map[string]*nftables.Set{},
-
-		wgIface: wgIface,
-	}
-
-	if err := m.Reset(); err != nil {
-		return nil, err
-	}
-
-	return m, nil
-}
-
-// AddFiltering rule to the firewall
-//
-// If comment argument is empty firewall manager should set
-// rule ID as comment for the rule
-func (m *Manager) AddFiltering(
-	ip net.IP,
-	proto fw.Protocol,
-	sPort *fw.Port,
-	dPort *fw.Port,
-	direction fw.RuleDirection,
-	action fw.Action,
-	ipsetName string,
-	comment string,
-) (fw.Rule, error) {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	var (
-		err   error
-		ipset *nftables.Set
-		table *nftables.Table
-		chain *nftables.Chain
-	)
-
-	if direction == fw.RuleDirectionOUT {
-		table, chain, err = m.chain(
-			ip,
-			FilterOutputChainName,
-			nftables.ChainHookOutput,
-			nftables.ChainPriorityFilter,
-			nftables.ChainTypeFilter)
-	} else {
-		table, chain, err = m.chain(
-			ip,
-			FilterInputChainName,
-			nftables.ChainHookInput,
-			nftables.ChainPriorityFilter,
-			nftables.ChainTypeFilter)
-	}
-	if err != nil {
-		return nil, err
-	}
-
-	rawIP := ip.To4()
-	if rawIP == nil {
-		rawIP = ip.To16()
-	}
-
-	rulesetID := m.getRulesetID(ip, proto, sPort, dPort, direction, action, ipsetName)
-
-	if ipsetName != "" {
-		// if we already have set with given name, just add ip to the set
-		// and return rule with new ID in other case let's create rule
-		// with fresh created set and set element
-
-		var isSetNew bool
-		ipset, err = m.rConn.GetSetByName(table, ipsetName)
-		if err != nil {
-			if ipset, err = m.createSet(table, rawIP, ipsetName); err != nil {
-				return nil, fmt.Errorf("get set name: %v", err)
-			}
-			isSetNew = true
-		}
-
-		if err := m.sConn.SetAddElements(ipset, []nftables.SetElement{{Key: rawIP}}); err != nil {
-			return nil, fmt.Errorf("add set element for the first time: %v", err)
-		}
-		if err := m.sConn.Flush(); err != nil {
-			return nil, fmt.Errorf("flush add elements: %v", err)
-		}
-
-		if !isSetNew {
-			// if we already have nftables rules with set for given direction
-			// just add new rule to the ruleset and return new fw.Rule object
-
-			if ruleset, ok := m.rulesetManager.getRuleset(rulesetID); ok {
-				return m.rulesetManager.addRule(ruleset, rawIP)
-			}
-			// if ipset exists but it is not linked to rule for given direction
-			// create new rule for direction and bind ipset to it later
-		}
-	}
-
-	ifaceKey := expr.MetaKeyIIFNAME
-	if direction == fw.RuleDirectionOUT {
-		ifaceKey = expr.MetaKeyOIFNAME
-	}
-	expressions := []expr.Any{
-		&expr.Meta{Key: ifaceKey, Register: 1},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 1,
-			Data:     ifname(m.wgIface.Name()),
-		},
-	}
-
-	if proto != "all" {
-		expressions = append(expressions, &expr.Payload{
-			DestRegister: 1,
-			Base:         expr.PayloadBaseNetworkHeader,
-			Offset:       uint32(9),
-			Len:          uint32(1),
-		})
-
-		var protoData []byte
-		switch proto {
-		case fw.ProtocolTCP:
-			protoData = []byte{unix.IPPROTO_TCP}
-		case fw.ProtocolUDP:
-			protoData = []byte{unix.IPPROTO_UDP}
-		case fw.ProtocolICMP:
-			protoData = []byte{unix.IPPROTO_ICMP}
-		default:
-			return nil, fmt.Errorf("unsupported protocol: %s", proto)
-		}
-		expressions = append(expressions, &expr.Cmp{
-			Register: 1,
-			Op:       expr.CmpOpEq,
-			Data:     protoData,
-		})
-	}
-
-	// check if rawIP contains zeroed IPv4 0.0.0.0 or same IPv6 value
-	// in that case not add IP match expression into the rule definition
-	if !bytes.HasPrefix(anyIP, rawIP) {
-		// source address position
-		addrLen := uint32(len(rawIP))
-		addrOffset := uint32(12)
-		if addrLen == 16 {
-			addrOffset = 8
-		}
-
-		// change to destination address position if need
-		if direction == fw.RuleDirectionOUT {
-			addrOffset += addrLen
-		}
-
-		expressions = append(expressions,
-			&expr.Payload{
-				DestRegister: 1,
-				Base:         expr.PayloadBaseNetworkHeader,
-				Offset:       addrOffset,
-				Len:          addrLen,
-			},
-		)
-		// add individual IP for match if no ipset defined
-		if ipset == nil {
-			expressions = append(expressions,
-				&expr.Cmp{
-					Op:       expr.CmpOpEq,
-					Register: 1,
-					Data:     rawIP,
-				},
-			)
-		} else {
-			expressions = append(expressions,
-				&expr.Lookup{
-					SourceRegister: 1,
-					SetName:        ipsetName,
-					SetID:          ipset.ID,
-				},
-			)
-		}
-	}
-
-	if sPort != nil && len(sPort.Values) != 0 {
-		expressions = append(expressions,
-			&expr.Payload{
-				DestRegister: 1,
-				Base:         expr.PayloadBaseTransportHeader,
-				Offset:       0,
-				Len:          2,
-			},
-			&expr.Cmp{
-				Op:       expr.CmpOpEq,
-				Register: 1,
-				Data:     encodePort(*sPort),
-			},
-		)
-	}
-
-	if dPort != nil && len(dPort.Values) != 0 {
-		expressions = append(expressions,
-			&expr.Payload{
-				DestRegister: 1,
-				Base:         expr.PayloadBaseTransportHeader,
-				Offset:       2,
-				Len:          2,
-			},
-			&expr.Cmp{
-				Op:       expr.CmpOpEq,
-				Register: 1,
-				Data:     encodePort(*dPort),
-			},
-		)
-	}
-
-	if action == fw.ActionAccept {
-		expressions = append(expressions, &expr.Verdict{Kind: expr.VerdictAccept})
-	} else {
-		expressions = append(expressions, &expr.Verdict{Kind: expr.VerdictDrop})
-	}
-
-	userData := []byte(strings.Join([]string{rulesetID, comment}, " "))
-
-	rule := m.rConn.InsertRule(&nftables.Rule{
-		Table:    table,
-		Chain:    chain,
-		Position: 0,
-		Exprs:    expressions,
-		UserData: userData,
-	})
-	if err := m.rConn.Flush(); err != nil {
-		return nil, fmt.Errorf("flush insert rule: %v", err)
-	}
-
-	ruleset := m.rulesetManager.createRuleset(rulesetID, rule, ipset)
-	return m.rulesetManager.addRule(ruleset, rawIP)
-}
-
-// getRulesetID returns ruleset ID based on given parameters
-func (m *Manager) getRulesetID(
-	ip net.IP,
-	proto fw.Protocol,
-	sPort *fw.Port,
-	dPort *fw.Port,
-	direction fw.RuleDirection,
-	action fw.Action,
-	ipsetName string,
-) string {
-	rulesetID := ":" + strconv.Itoa(int(direction)) + ":"
-	if sPort != nil {
-		rulesetID += sPort.String()
-	}
-	rulesetID += ":"
-	if dPort != nil {
-		rulesetID += dPort.String()
-	}
-	rulesetID += ":"
-	rulesetID += strconv.Itoa(int(action))
-	if ipsetName == "" {
-		return "ip:" + ip.String() + rulesetID
-	}
-	return "set:" + ipsetName + rulesetID
-}
-
-// createSet in given table by name
-func (m *Manager) createSet(
-	table *nftables.Table,
-	rawIP []byte,
-	name string,
-) (*nftables.Set, error) {
-	keyType := nftables.TypeIPAddr
-	if len(rawIP) == 16 {
-		keyType = nftables.TypeIP6Addr
-	}
-	// else we create new ipset and continue creating rule
-	ipset := &nftables.Set{
-		Name:    name,
-		Table:   table,
-		Dynamic: true,
-		KeyType: keyType,
-	}
-
-	if err := m.rConn.AddSet(ipset, nil); err != nil {
-		return nil, fmt.Errorf("create set: %v", err)
-	}
-
-	if err := m.rConn.Flush(); err != nil {
-		return nil, fmt.Errorf("flush created set: %v", err)
-	}
-
-	return ipset, nil
-}
-
-// chain returns the chain for the given IP address with specific settings
-func (m *Manager) chain(
-	ip net.IP,
-	name string,
-	hook nftables.ChainHook,
-	priority nftables.ChainPriority,
-	cType nftables.ChainType,
-) (*nftables.Table, *nftables.Chain, error) {
-	var err error
-
-	getChain := func(c *nftables.Chain, tf nftables.TableFamily) (*nftables.Chain, error) {
-		if c != nil {
-			return c, nil
-		}
-		return m.createChainIfNotExists(tf, name, hook, priority, cType)
-	}
-
-	if ip.To4() != nil {
-		if name == FilterInputChainName {
-			m.filterInputChainIPv4, err = getChain(m.filterInputChainIPv4, nftables.TableFamilyIPv4)
-			return m.tableIPv4, m.filterInputChainIPv4, err
-		}
-		m.filterOutputChainIPv4, err = getChain(m.filterOutputChainIPv4, nftables.TableFamilyIPv4)
-		return m.tableIPv4, m.filterOutputChainIPv4, err
-	}
-	if name == FilterInputChainName {
-		m.filterInputChainIPv6, err = getChain(m.filterInputChainIPv6, nftables.TableFamilyIPv6)
-		return m.tableIPv4, m.filterInputChainIPv6, err
-	}
-	m.filterOutputChainIPv6, err = getChain(m.filterOutputChainIPv6, nftables.TableFamilyIPv6)
-	return m.tableIPv4, m.filterOutputChainIPv6, err
-}
-
-// table returns the table for the given family of the IP address
-func (m *Manager) table(family nftables.TableFamily) (*nftables.Table, error) {
-	if family == nftables.TableFamilyIPv4 {
-		if m.tableIPv4 != nil {
-			return m.tableIPv4, nil
-		}
-
-		table, err := m.createTableIfNotExists(nftables.TableFamilyIPv4)
-		if err != nil {
-			return nil, err
-		}
-		m.tableIPv4 = table
-		return m.tableIPv4, nil
-	}
-
-	if m.tableIPv6 != nil {
-		return m.tableIPv6, nil
-	}
-
-	table, err := m.createTableIfNotExists(nftables.TableFamilyIPv6)
-	if err != nil {
-		return nil, err
-	}
-	m.tableIPv6 = table
-	return m.tableIPv6, nil
-}
-
-func (m *Manager) createTableIfNotExists(family nftables.TableFamily) (*nftables.Table, error) {
-	tables, err := m.rConn.ListTablesOfFamily(family)
-	if err != nil {
-		return nil, fmt.Errorf("list of tables: %w", err)
-	}
-
-	for _, t := range tables {
-		if t.Name == FilterTableName {
-			return t, nil
-		}
-	}
-
-	table := m.rConn.AddTable(&nftables.Table{Name: FilterTableName, Family: nftables.TableFamilyIPv4})
-	if err := m.rConn.Flush(); err != nil {
-		return nil, err
-	}
-	return table, nil
-}
-
-func (m *Manager) createChainIfNotExists(
-	family nftables.TableFamily,
-	name string,
-	hooknum nftables.ChainHook,
-	priority nftables.ChainPriority,
-	chainType nftables.ChainType,
-) (*nftables.Chain, error) {
-	table, err := m.table(family)
-	if err != nil {
-		return nil, err
-	}
-
-	chains, err := m.rConn.ListChainsOfTableFamily(family)
-	if err != nil {
-		return nil, fmt.Errorf("list of chains: %w", err)
-	}
-
-	for _, c := range chains {
-		if c.Name == name && c.Table.Name == table.Name {
-			return c, nil
-		}
-	}
-
-	polAccept := nftables.ChainPolicyAccept
-	chain := &nftables.Chain{
-		Name:     name,
-		Table:    table,
-		Hooknum:  hooknum,
-		Priority: priority,
-		Type:     chainType,
-		Policy:   &polAccept,
-	}
-
-	chain = m.rConn.AddChain(chain)
-
-	ifaceKey := expr.MetaKeyIIFNAME
-	shiftDSTAddr := 0
-	if name == FilterOutputChainName {
-		ifaceKey = expr.MetaKeyOIFNAME
-		shiftDSTAddr = 1
-	}
-
-	expressions := []expr.Any{
-		&expr.Meta{Key: ifaceKey, Register: 1},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 1,
-			Data:     ifname(m.wgIface.Name()),
-		},
-	}
-
-	mask, _ := netip.AddrFromSlice(m.wgIface.Address().Network.Mask)
-	if m.wgIface.Address().IP.To4() == nil {
-		ip, _ := netip.AddrFromSlice(m.wgIface.Address().Network.IP.To16())
-		expressions = append(expressions,
-			&expr.Payload{
-				DestRegister: 2,
-				Base:         expr.PayloadBaseNetworkHeader,
-				Offset:       uint32(8 + (16 * shiftDSTAddr)),
-				Len:          16,
-			},
-			&expr.Bitwise{
-				SourceRegister: 2,
-				DestRegister:   2,
-				Len:            16,
-				Xor:            []byte{0x0, 0x0, 0x0, 0x0},
-				Mask:           mask.Unmap().AsSlice(),
-			},
-			&expr.Cmp{
-				Op:       expr.CmpOpNeq,
-				Register: 2,
-				Data:     ip.Unmap().AsSlice(),
-			},
-			&expr.Verdict{Kind: expr.VerdictAccept},
-		)
-	} else {
-		ip, _ := netip.AddrFromSlice(m.wgIface.Address().Network.IP.To4())
-		expressions = append(expressions,
-			&expr.Payload{
-				DestRegister: 2,
-				Base:         expr.PayloadBaseNetworkHeader,
-				Offset:       uint32(12 + (4 * shiftDSTAddr)),
-				Len:          4,
-			},
-			&expr.Bitwise{
-				SourceRegister: 2,
-				DestRegister:   2,
-				Len:            4,
-				Xor:            []byte{0x0, 0x0, 0x0, 0x0},
-				Mask:           m.wgIface.Address().Network.Mask,
-			},
-			&expr.Cmp{
-				Op:       expr.CmpOpNeq,
-				Register: 2,
-				Data:     ip.Unmap().AsSlice(),
-			},
-			&expr.Verdict{Kind: expr.VerdictAccept},
-		)
-	}
-
-	_ = m.rConn.AddRule(&nftables.Rule{
-		Table: table,
-		Chain: chain,
-		Exprs: expressions,
-	})
-
-	expressions = []expr.Any{
-		&expr.Meta{Key: ifaceKey, Register: 1},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 1,
-			Data:     ifname(m.wgIface.Name()),
-		},
-		&expr.Verdict{Kind: expr.VerdictDrop},
-	}
-	_ = m.rConn.AddRule(&nftables.Rule{
-		Table: table,
-		Chain: chain,
-		Exprs: expressions,
-	})
-
-	if err := m.rConn.Flush(); err != nil {
-		return nil, err
-	}
-
-	return chain, nil
-}
-
-// DeleteRule from the firewall by rule definition
-func (m *Manager) DeleteRule(rule fw.Rule) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	nativeRule, ok := rule.(*Rule)
-	if !ok {
-		return fmt.Errorf("invalid rule type")
-	}
-
-	if nativeRule.nftRule == nil {
-		return nil
-	}
-
-	if nativeRule.nftSet != nil {
-		// call twice of delete set element raises error
-		// so we need to check if element is already removed
-		key := fmt.Sprintf("%s:%v", nativeRule.nftSet.Name, nativeRule.ip)
-		if _, ok := m.setRemovedIPs[key]; !ok {
-			err := m.sConn.SetDeleteElements(nativeRule.nftSet, []nftables.SetElement{{Key: nativeRule.ip}})
-			if err != nil {
-				log.Errorf("delete elements for set %q: %v", nativeRule.nftSet.Name, err)
-			}
-			if err := m.sConn.Flush(); err != nil {
-				return err
-			}
-			m.setRemovedIPs[key] = struct{}{}
-		}
-	}
-
-	if m.rulesetManager.deleteRule(nativeRule) {
-		// deleteRule indicates that we still have IP in the ruleset
-		// it means we should not remove the nftables rule but need to update set
-		// so we prepare IP to be removed from set on the next flush call
-		return nil
-	}
-
-	// ruleset doesn't contain IP anymore (or contains only one), remove nft rule
-	if err := m.rConn.DelRule(nativeRule.nftRule); err != nil {
-		log.Errorf("failed to delete rule: %v", err)
-	}
-	if err := m.rConn.Flush(); err != nil {
-		return err
-	}
-	nativeRule.nftRule = nil
-
-	if nativeRule.nftSet != nil {
-		if _, ok := m.setRemoved[nativeRule.nftSet.Name]; !ok {
-			m.setRemoved[nativeRule.nftSet.Name] = nativeRule.nftSet
-		}
-		nativeRule.nftSet = nil
-	}
-
-	return nil
-}
-
-// Reset firewall to the default state
-func (m *Manager) Reset() error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	chains, err := m.rConn.ListChains()
-	if err != nil {
-		return fmt.Errorf("list of chains: %w", err)
-	}
-	for _, c := range chains {
-		if c.Name == FilterInputChainName || c.Name == FilterOutputChainName {
-			m.rConn.DelChain(c)
-		}
-	}
-
-	tables, err := m.rConn.ListTables()
-	if err != nil {
-		return fmt.Errorf("list of tables: %w", err)
-	}
-	for _, t := range tables {
-		if t.Name == FilterTableName {
-			m.rConn.DelTable(t)
-		}
-	}
-
-	return m.rConn.Flush()
-}
-
-// Flush rule/chain/set operations from the buffer
-//
-// Method also get all rules after flush and refreshes handle values in the rulesets
-func (m *Manager) Flush() error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	if err := m.flushWithBackoff(); err != nil {
-		return err
-	}
-
-	// set must be removed after flush rule changes
-	// otherwise we will get error
-	for _, s := range m.setRemoved {
-		m.rConn.FlushSet(s)
-		m.rConn.DelSet(s)
-	}
-
-	if len(m.setRemoved) > 0 {
-		if err := m.flushWithBackoff(); err != nil {
-			return err
-		}
-	}
-
-	m.setRemovedIPs = map[string]struct{}{}
-	m.setRemoved = map[string]*nftables.Set{}
-
-	if err := m.refreshRuleHandles(m.tableIPv4, m.filterInputChainIPv4); err != nil {
-		log.Errorf("failed to refresh rule handles ipv4 input chain: %v", err)
-	}
-
-	if err := m.refreshRuleHandles(m.tableIPv4, m.filterOutputChainIPv4); err != nil {
-		log.Errorf("failed to refresh rule handles IPv4 output chain: %v", err)
-	}
-
-	if err := m.refreshRuleHandles(m.tableIPv6, m.filterInputChainIPv6); err != nil {
-		log.Errorf("failed to refresh rule handles IPv6 input chain: %v", err)
-	}
-
-	if err := m.refreshRuleHandles(m.tableIPv6, m.filterOutputChainIPv6); err != nil {
-		log.Errorf("failed to refresh rule handles IPv6 output chain: %v", err)
-	}
-
-	return nil
-}
-
-func (m *Manager) flushWithBackoff() (err error) {
-	backoff := 4
-	backoffTime := 1000 * time.Millisecond
-	for i := 0; ; i++ {
-		err = m.rConn.Flush()
-		if err != nil {
-			if !strings.Contains(err.Error(), "busy") {
-				return
-			}
-			log.Error("failed to flush nftables, retrying...")
-			if i == backoff-1 {
-				return err
-			}
-			time.Sleep(backoffTime)
-			backoffTime = backoffTime * 2
-			continue
-		}
-		break
-	}
-	return
-}
-
-func (m *Manager) refreshRuleHandles(table *nftables.Table, chain *nftables.Chain) error {
-	if table == nil || chain == nil {
-		return nil
-	}
-
-	list, err := m.rConn.GetRules(table, chain)
-	if err != nil {
-		return err
-	}
-
-	for _, rule := range list {
-		if len(rule.UserData) != 0 {
-			if err := m.rulesetManager.setNftRuleHandle(rule); err != nil {
-				log.Errorf("failed to set rule handle: %v", err)
-			}
-		}
-	}
-
-	return nil
-}
-
-func encodePort(port fw.Port) []byte {
-	bs := make([]byte, 2)
-	binary.BigEndian.PutUint16(bs, uint16(port.Values[0]))
-	return bs
-}
-
-func ifname(n string) []byte {
-	b := make([]byte, 16)
-	copy(b, []byte(n+"\x00"))
-	return b
-}

client/firewall/nftables/manager_linux_test.go

@@ -1,207 +0,0 @@
-package nftables
-
-import (
-	"fmt"
-	"net"
-	"net/netip"
-	"testing"
-	"time"
-
-	"github.com/google/nftables"
-	"github.com/google/nftables/expr"
-	"github.com/stretchr/testify/require"
-	"golang.org/x/sys/unix"
-
-	fw "github.com/netbirdio/netbird/client/firewall"
-	"github.com/netbirdio/netbird/iface"
-)
-
-// iFaceMapper defines subset methods of interface required for manager
-type iFaceMock struct {
-	NameFunc    func() string
-	AddressFunc func() iface.WGAddress
-}
-
-func (i *iFaceMock) Name() string {
-	if i.NameFunc != nil {
-		return i.NameFunc()
-	}
-	panic("NameFunc is not set")
-}
-
-func (i *iFaceMock) Address() iface.WGAddress {
-	if i.AddressFunc != nil {
-		return i.AddressFunc()
-	}
-	panic("AddressFunc is not set")
-}
-
-func TestNftablesManager(t *testing.T) {
-	mock := &iFaceMock{
-		NameFunc: func() string {
-			return "lo"
-		},
-		AddressFunc: func() iface.WGAddress {
-			return iface.WGAddress{
-				IP: net.ParseIP("100.96.0.1"),
-				Network: &net.IPNet{
-					IP:   net.ParseIP("100.96.0.0"),
-					Mask: net.IPv4Mask(255, 255, 255, 0),
-				},
-			}
-		},
-	}
-
-	// just check on the local interface
-	manager, err := Create(mock)
-	require.NoError(t, err)
-	time.Sleep(time.Second * 3)
-
-	defer func() {
-		err = manager.Reset()
-		require.NoError(t, err, "failed to reset")
-		time.Sleep(time.Second)
-	}()
-
-	ip := net.ParseIP("100.96.0.1")
-
-	testClient := &nftables.Conn{}
-
-	rule, err := manager.AddFiltering(
-		ip,
-		fw.ProtocolTCP,
-		nil,
-		&fw.Port{Values: []int{53}},
-		fw.RuleDirectionIN,
-		fw.ActionDrop,
-		"",
-		"",
-	)
-	require.NoError(t, err, "failed to add rule")
-
-	err = manager.Flush()
-	require.NoError(t, err, "failed to flush")
-
-	rules, err := testClient.GetRules(manager.tableIPv4, manager.filterInputChainIPv4)
-	require.NoError(t, err, "failed to get rules")
-
-	// test expectations:
-	// 1) regular rule
-	// 2) "accept extra routed traffic rule" for the interface
-	// 3) "drop all rule" for the interface
-	require.Len(t, rules, 3, "expected 3 rules")
-
-	ipToAdd, _ := netip.AddrFromSlice(ip)
-	add := ipToAdd.Unmap()
-	expectedExprs := []expr.Any{
-		&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 1,
-			Data:     ifname("lo"),
-		},
-		&expr.Payload{
-			DestRegister: 1,
-			Base:         expr.PayloadBaseNetworkHeader,
-			Offset:       uint32(9),
-			Len:          uint32(1),
-		},
-		&expr.Cmp{
-			Register: 1,
-			Op:       expr.CmpOpEq,
-			Data:     []byte{unix.IPPROTO_TCP},
-		},
-		&expr.Payload{
-			DestRegister: 1,
-			Base:         expr.PayloadBaseNetworkHeader,
-			Offset:       12,
-			Len:          4,
-		},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 1,
-			Data:     add.AsSlice(),
-		},
-		&expr.Payload{
-			DestRegister: 1,
-			Base:         expr.PayloadBaseTransportHeader,
-			Offset:       2,
-			Len:          2,
-		},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 1,
-			Data:     []byte{0, 53},
-		},
-		&expr.Verdict{Kind: expr.VerdictDrop},
-	}
-	require.ElementsMatch(t, rules[0].Exprs, expectedExprs, "expected the same expressions")
-
-	err = manager.DeleteRule(rule)
-	require.NoError(t, err, "failed to delete rule")
-
-	err = manager.Flush()
-	require.NoError(t, err, "failed to flush")
-
-	rules, err = testClient.GetRules(manager.tableIPv4, manager.filterInputChainIPv4)
-	require.NoError(t, err, "failed to get rules")
-	// test expectations:
-	// 1) "accept extra routed traffic rule" for the interface
-	// 2) "drop all rule" for the interface
-	require.Len(t, rules, 2, "expected 2 rules after deleteion")
-
-	err = manager.Reset()
-	require.NoError(t, err, "failed to reset")
-}
-
-func TestNFtablesCreatePerformance(t *testing.T) {
-	mock := &iFaceMock{
-		NameFunc: func() string {
-			return "lo"
-		},
-		AddressFunc: func() iface.WGAddress {
-			return iface.WGAddress{
-				IP: net.ParseIP("100.96.0.1"),
-				Network: &net.IPNet{
-					IP:   net.ParseIP("100.96.0.0"),
-					Mask: net.IPv4Mask(255, 255, 255, 0),
-				},
-			}
-		},
-	}
-
-	for _, testMax := range []int{10, 20, 30, 40, 50, 60, 70, 80, 90, 100, 200, 300, 400, 500, 600, 700, 800, 900, 1000} {
-		t.Run(fmt.Sprintf("Testing %d rules", testMax), func(t *testing.T) {
-			// just check on the local interface
-			manager, err := Create(mock)
-			require.NoError(t, err)
-			time.Sleep(time.Second * 3)
-
-			defer func() {
-				if err := manager.Reset(); err != nil {
-					t.Errorf("clear the manager state: %v", err)
-				}
-				time.Sleep(time.Second)
-			}()
-
-			ip := net.ParseIP("10.20.0.100")
-			start := time.Now()
-			for i := 0; i < testMax; i++ {
-				port := &fw.Port{Values: []int{1000 + i}}
-				if i%2 == 0 {
-					_, err = manager.AddFiltering(ip, "tcp", nil, port, fw.RuleDirectionOUT, fw.ActionAccept, "", "accept HTTP traffic")
-				} else {
-					_, err = manager.AddFiltering(ip, "tcp", nil, port, fw.RuleDirectionIN, fw.ActionAccept, "", "accept HTTP traffic")
-				}
-				require.NoError(t, err, "failed to add rule")
-
-				if i%100 == 0 {
-					err = manager.Flush()
-					require.NoError(t, err, "failed to flush")
-				}
-			}
-
-			t.Logf("execution avg per rule: %s", time.Since(start)/time.Duration(testMax))
-		})
-	}
-}

client/firewall/nftables/rule_linux.go

@@ -1,19 +0,0 @@
-package nftables
-
-import (
-	"github.com/google/nftables"
-)
-
-// Rule to handle management of rules
-type Rule struct {
-	nftRule *nftables.Rule
-	nftSet  *nftables.Set
-
-	ruleID string
-	ip     []byte
-}
-
-// GetRuleID returns the rule id
-func (r *Rule) GetRuleID() string {
-	return r.ruleID
-}

client/firewall/nftables/ruleset_linux.go

@@ -1,115 +0,0 @@
-package nftables
-
-import (
-	"bytes"
-	"fmt"
-
-	"github.com/google/nftables"
-	"github.com/rs/xid"
-)
-
-// nftRuleset links native firewall rule and ipset to ACL generated rules
-type nftRuleset struct {
-	nftRule     *nftables.Rule
-	nftSet      *nftables.Set
-	issuedRules map[string]*Rule
-	rulesetID   string
-}
-
-type rulesetManager struct {
-	rulesets map[string]*nftRuleset
-
-	nftSetName2rulesetID   map[string]string
-	issuedRuleID2rulesetID map[string]string
-}
-
-func newRuleManager() *rulesetManager {
-	return &rulesetManager{
-		rulesets: map[string]*nftRuleset{},
-
-		nftSetName2rulesetID:   map[string]string{},
-		issuedRuleID2rulesetID: map[string]string{},
-	}
-}
-
-func (r *rulesetManager) getRuleset(rulesetID string) (*nftRuleset, bool) {
-	ruleset, ok := r.rulesets[rulesetID]
-	return ruleset, ok
-}
-
-func (r *rulesetManager) createRuleset(
-	rulesetID string,
-	nftRule *nftables.Rule,
-	nftSet *nftables.Set,
-) *nftRuleset {
-	ruleset := nftRuleset{
-		rulesetID:   rulesetID,
-		nftRule:     nftRule,
-		nftSet:      nftSet,
-		issuedRules: map[string]*Rule{},
-	}
-	r.rulesets[ruleset.rulesetID] = &ruleset
-	if nftSet != nil {
-		r.nftSetName2rulesetID[nftSet.Name] = ruleset.rulesetID
-	}
-	return &ruleset
-}
-
-func (r *rulesetManager) addRule(
-	ruleset *nftRuleset,
-	ip []byte,
-) (*Rule, error) {
-	if _, ok := r.rulesets[ruleset.rulesetID]; !ok {
-		return nil, fmt.Errorf("ruleset not found")
-	}
-
-	rule := Rule{
-		nftRule: ruleset.nftRule,
-		nftSet:  ruleset.nftSet,
-		ruleID:  xid.New().String(),
-		ip:      ip,
-	}
-
-	ruleset.issuedRules[rule.ruleID] = &rule
-	r.issuedRuleID2rulesetID[rule.ruleID] = ruleset.rulesetID
-
-	return &rule, nil
-}
-
-// deleteRule from ruleset and returns true if contains other rules
-func (r *rulesetManager) deleteRule(rule *Rule) bool {
-	rulesetID, ok := r.issuedRuleID2rulesetID[rule.ruleID]
-	if !ok {
-		return false
-	}
-
-	ruleset := r.rulesets[rulesetID]
-	if ruleset.nftRule == nil {
-		return false
-	}
-	delete(r.issuedRuleID2rulesetID, rule.ruleID)
-	delete(ruleset.issuedRules, rule.ruleID)
-
-	if len(ruleset.issuedRules) == 0 {
-		delete(r.rulesets, ruleset.rulesetID)
-		if rule.nftSet != nil {
-			delete(r.nftSetName2rulesetID, rule.nftSet.Name)
-		}
-		return false
-	}
-	return true
-}
-
-// setNftRuleHandle finds rule by userdata which contains rulesetID and updates it's handle number
-//
-// This is important to do, because after we add rule to the nftables we can't update it until
-// we set correct handle value to it.
-func (r *rulesetManager) setNftRuleHandle(nftRule *nftables.Rule) error {
-	split := bytes.Split(nftRule.UserData, []byte(" "))
-	ruleset, ok := r.rulesets[string(split[0])]
-	if !ok {
-		return fmt.Errorf("ruleset not found")
-	}
-	*ruleset.nftRule = *nftRule
-	return nil
-}

client/firewall/nftables/ruleset_linux_test.go

@@ -1,122 +0,0 @@
-package nftables
-
-import (
-	"testing"
-
-	"github.com/google/nftables"
-	"github.com/stretchr/testify/require"
-)
-
-func TestRulesetManager_createRuleset(t *testing.T) {
-	// Create a ruleset manager.
-	rulesetManager := newRuleManager()
-
-	// Create a ruleset.
-	rulesetID := "ruleset-1"
-	nftRule := nftables.Rule{
-		UserData: []byte(rulesetID),
-	}
-	ruleset := rulesetManager.createRuleset(rulesetID, &nftRule, nil)
-	require.NotNil(t, ruleset, "createRuleset() failed")
-	require.Equal(t, ruleset.rulesetID, rulesetID, "rulesetID is incorrect")
-	require.Equal(t, ruleset.nftRule, &nftRule, "nftRule is incorrect")
-}
-
-func TestRulesetManager_addRule(t *testing.T) {
-	// Create a ruleset manager.
-	rulesetManager := newRuleManager()
-
-	// Create a ruleset.
-	rulesetID := "ruleset-1"
-	nftRule := nftables.Rule{}
-	ruleset := rulesetManager.createRuleset(rulesetID, &nftRule, nil)
-
-	// Add a rule to the ruleset.
-	ip := []byte("192.168.1.1")
-	rule, err := rulesetManager.addRule(ruleset, ip)
-	require.NoError(t, err, "addRule() failed")
-	require.NotNil(t, rule, "rule should not be nil")
-	require.NotEqual(t, rule.ruleID, "ruleID is empty")
-	require.EqualValues(t, rule.ip, ip, "ip is incorrect")
-	require.Contains(t, ruleset.issuedRules, rule.ruleID, "ruleID already exists in ruleset")
-	require.Contains(t, rulesetManager.issuedRuleID2rulesetID, rule.ruleID, "ruleID already exists in ruleset manager")
-
-	ruleset2 := &nftRuleset{
-		rulesetID: "ruleset-2",
-	}
-	_, err = rulesetManager.addRule(ruleset2, ip)
-	require.Error(t, err, "addRule() should have failed")
-}
-
-func TestRulesetManager_deleteRule(t *testing.T) {
-	// Create a ruleset manager.
-	rulesetManager := newRuleManager()
-
-	// Create a ruleset.
-	rulesetID := "ruleset-1"
-	nftRule := nftables.Rule{}
-	ruleset := rulesetManager.createRuleset(rulesetID, &nftRule, nil)
-
-	// Add a rule to the ruleset.
-	ip := []byte("192.168.1.1")
-	rule, err := rulesetManager.addRule(ruleset, ip)
-	require.NoError(t, err, "addRule() failed")
-	require.NotNil(t, rule, "rule should not be nil")
-
-	ip2 := []byte("192.168.1.1")
-	rule2, err := rulesetManager.addRule(ruleset, ip2)
-	require.NoError(t, err, "addRule() failed")
-	require.NotNil(t, rule2, "rule should not be nil")
-
-	hasNext := rulesetManager.deleteRule(rule)
-	require.True(t, hasNext, "deleteRule() should have returned true")
-
-	// Check that the rule is no longer in the manager.
-	require.NotContains(t, rulesetManager.issuedRuleID2rulesetID, rule.ruleID, "rule should have been deleted")
-
-	hasNext = rulesetManager.deleteRule(rule2)
-	require.False(t, hasNext, "deleteRule() should have returned false")
-}
-
-func TestRulesetManager_setNftRuleHandle(t *testing.T) {
-	// Create a ruleset manager.
-	rulesetManager := newRuleManager()
-	// Create a ruleset.
-	rulesetID := "ruleset-1"
-	nftRule := nftables.Rule{}
-	ruleset := rulesetManager.createRuleset(rulesetID, &nftRule, nil)
-	// Add a rule to the ruleset.
-	ip := []byte("192.168.0.1")
-
-	rule, err := rulesetManager.addRule(ruleset, ip)
-	require.NoError(t, err, "addRule() failed")
-	require.NotNil(t, rule, "rule should not be nil")
-
-	nftRuleCopy := nftRule
-	nftRuleCopy.Handle = 2
-	nftRuleCopy.UserData = []byte(rulesetID)
-	err = rulesetManager.setNftRuleHandle(&nftRuleCopy)
-	require.NoError(t, err, "setNftRuleHandle() failed")
-	// check correct work with references
-	require.Equal(t, nftRule.Handle, uint64(2), "nftRule.Handle is incorrect")
-}
-
-func TestRulesetManager_getRuleset(t *testing.T) {
-	// Create a ruleset manager.
-	rulesetManager := newRuleManager()
-	// Create a ruleset.
-	rulesetID := "ruleset-1"
-	nftRule := nftables.Rule{}
-	nftSet := nftables.Set{
-		ID: 2,
-	}
-	ruleset := rulesetManager.createRuleset(rulesetID, &nftRule, &nftSet)
-	require.NotNil(t, ruleset, "createRuleset() failed")
-
-	find, ok := rulesetManager.getRuleset(rulesetID)
-	require.True(t, ok, "getRuleset() failed")
-	require.Equal(t, ruleset, find, "getRulesetBySetID() failed")
-
-	_, ok = rulesetManager.getRuleset("does-not-exist")
-	require.False(t, ok, "getRuleset() failed")
-}

client/firewall/port.go

@@ -1,27 +1,14 @@
 package firewall
 
-import (
-	"strconv"
-)
-
-// Protocol is the protocol of the port
-type Protocol string
+// PortProtocol is the protocol of the port
+type PortProtocol string
 
 const (
-	// ProtocolTCP is the TCP protocol
-	ProtocolTCP Protocol = "tcp"
+	// PortProtocolTCP is the TCP protocol
+	PortProtocolTCP PortProtocol = "tcp"
 
-	// ProtocolUDP is the UDP protocol
-	ProtocolUDP Protocol = "udp"
-
-	// ProtocolICMP is the ICMP protocol
-	ProtocolICMP Protocol = "icmp"
-
-	// ProtocolALL cover all supported protocols
-	ProtocolALL Protocol = "all"
-
-	// ProtocolUnknown unknown protocol
-	ProtocolUnknown Protocol = "unknown"
+	// PortProtocolUDP is the UDP protocol
+	PortProtocolUDP PortProtocol = "udp"
 )
 
 // Port of the address for firewall rule
@@ -31,16 +18,7 @@ type Port struct {
 
 	// Values contains one value for single port, multiple values for the list of ports, or two values for the range of ports
 	Values []int
-}
 
-// String interface implementation
-func (p *Port) String() string {
-	var ports string
-	for _, port := range p.Values {
-		if ports != "" {
-			ports += ","
-		}
-		ports += strconv.Itoa(port)
-	}
-	return ports
+	// Proto is the protocol of the port
+	Proto PortProtocol
 }

client/firewall/uspfilter/rule.go

@@ -1,30 +0,0 @@
-package uspfilter
-
-import (
-	"net"
-
-	"github.com/google/gopacket"
-
-	fw "github.com/netbirdio/netbird/client/firewall"
-)
-
-// Rule to handle management of rules
-type Rule struct {
-	id         string
-	ip         net.IP
-	ipLayer    gopacket.LayerType
-	matchByIP  bool
-	protoLayer gopacket.LayerType
-	direction  fw.RuleDirection
-	sPort      uint16
-	dPort      uint16
-	drop       bool
-	comment    string
-
-	udpHook func([]byte) bool
-}
-
-// GetRuleID returns the rule id
-func (r *Rule) GetRuleID() string {
-	return r.id
-}

client/firewall/uspfilter/uspfilter.go

@@ -1,377 +0,0 @@
-package uspfilter
-
-import (
-	"fmt"
-	"net"
-	"sync"
-
-	"github.com/google/gopacket"
-	"github.com/google/gopacket/layers"
-	"github.com/google/uuid"
-	log "github.com/sirupsen/logrus"
-
-	fw "github.com/netbirdio/netbird/client/firewall"
-	"github.com/netbirdio/netbird/iface"
-)
-
-const layerTypeAll = 0
-
-// IFaceMapper defines subset methods of interface required for manager
-type IFaceMapper interface {
-	SetFilter(iface.PacketFilter) error
-}
-
-// RuleSet is a set of rules grouped by a string key
-type RuleSet map[string]Rule
-
-// Manager userspace firewall manager
-type Manager struct {
-	outgoingRules map[string]RuleSet
-	incomingRules map[string]RuleSet
-	wgNetwork     *net.IPNet
-	decoders      sync.Pool
-
-	mutex sync.RWMutex
-}
-
-// decoder for packages
-type decoder struct {
-	eth     layers.Ethernet
-	ip4     layers.IPv4
-	ip6     layers.IPv6
-	tcp     layers.TCP
-	udp     layers.UDP
-	icmp4   layers.ICMPv4
-	icmp6   layers.ICMPv6
-	decoded []gopacket.LayerType
-	parser  *gopacket.DecodingLayerParser
-}
-
-// Create userspace firewall manager constructor
-func Create(iface IFaceMapper) (*Manager, error) {
-	m := &Manager{
-		decoders: sync.Pool{
-			New: func() any {
-				d := &decoder{
-					decoded: []gopacket.LayerType{},
-				}
-				d.parser = gopacket.NewDecodingLayerParser(
-					layers.LayerTypeIPv4,
-					&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
-				)
-				d.parser.IgnoreUnsupported = true
-				return d
-			},
-		},
-		outgoingRules: make(map[string]RuleSet),
-		incomingRules: make(map[string]RuleSet),
-	}
-
-	if err := iface.SetFilter(m); err != nil {
-		return nil, err
-	}
-	return m, nil
-}
-
-// AddFiltering rule to the firewall
-//
-// If comment argument is empty firewall manager should set
-// rule ID as comment for the rule
-func (m *Manager) AddFiltering(
-	ip net.IP,
-	proto fw.Protocol,
-	sPort *fw.Port,
-	dPort *fw.Port,
-	direction fw.RuleDirection,
-	action fw.Action,
-	ipsetName string,
-	comment string,
-) (fw.Rule, error) {
-	r := Rule{
-		id:        uuid.New().String(),
-		ip:        ip,
-		ipLayer:   layers.LayerTypeIPv6,
-		matchByIP: true,
-		direction: direction,
-		drop:      action == fw.ActionDrop,
-		comment:   comment,
-	}
-	if ipNormalized := ip.To4(); ipNormalized != nil {
-		r.ipLayer = layers.LayerTypeIPv4
-		r.ip = ipNormalized
-	}
-
-	if s := r.ip.String(); s == "0.0.0.0" || s == "::" {
-		r.matchByIP = false
-	}
-
-	if sPort != nil && len(sPort.Values) == 1 {
-		r.sPort = uint16(sPort.Values[0])
-	}
-
-	if dPort != nil && len(dPort.Values) == 1 {
-		r.dPort = uint16(dPort.Values[0])
-	}
-
-	switch proto {
-	case fw.ProtocolTCP:
-		r.protoLayer = layers.LayerTypeTCP
-	case fw.ProtocolUDP:
-		r.protoLayer = layers.LayerTypeUDP
-	case fw.ProtocolICMP:
-		r.protoLayer = layers.LayerTypeICMPv4
-		if r.ipLayer == layers.LayerTypeIPv6 {
-			r.protoLayer = layers.LayerTypeICMPv6
-		}
-	case fw.ProtocolALL:
-		r.protoLayer = layerTypeAll
-	}
-
-	m.mutex.Lock()
-	if direction == fw.RuleDirectionIN {
-		if _, ok := m.incomingRules[r.ip.String()]; !ok {
-			m.incomingRules[r.ip.String()] = make(RuleSet)
-		}
-		m.incomingRules[r.ip.String()][r.id] = r
-	} else {
-		if _, ok := m.outgoingRules[r.ip.String()]; !ok {
-			m.outgoingRules[r.ip.String()] = make(RuleSet)
-		}
-		m.outgoingRules[r.ip.String()][r.id] = r
-	}
-	m.mutex.Unlock()
-
-	return &r, nil
-}
-
-// DeleteRule from the firewall by rule definition
-func (m *Manager) DeleteRule(rule fw.Rule) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	r, ok := rule.(*Rule)
-	if !ok {
-		return fmt.Errorf("delete rule: invalid rule type: %T", rule)
-	}
-
-	if r.direction == fw.RuleDirectionIN {
-		_, ok := m.incomingRules[r.ip.String()][r.id]
-		if !ok {
-			return fmt.Errorf("delete rule: no rule with such id: %v", r.id)
-		}
-		delete(m.incomingRules[r.ip.String()], r.id)
-	} else {
-		_, ok := m.outgoingRules[r.ip.String()][r.id]
-		if !ok {
-			return fmt.Errorf("delete rule: no rule with such id: %v", r.id)
-		}
-		delete(m.outgoingRules[r.ip.String()], r.id)
-	}
-
-	return nil
-}
-
-// Reset firewall to the default state
-func (m *Manager) Reset() error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	m.outgoingRules = make(map[string]RuleSet)
-	m.incomingRules = make(map[string]RuleSet)
-
-	return nil
-}
-
-// Flush doesn't need to be implemented for this manager
-func (m *Manager) Flush() error { return nil }
-
-// DropOutgoing filter outgoing packets
-func (m *Manager) DropOutgoing(packetData []byte) bool {
-	return m.dropFilter(packetData, m.outgoingRules, false)
-}
-
-// DropIncoming filter incoming packets
-func (m *Manager) DropIncoming(packetData []byte) bool {
-	return m.dropFilter(packetData, m.incomingRules, true)
-}
-
-// dropFilter imlements same logic for booth direction of the traffic
-func (m *Manager) dropFilter(packetData []byte, rules map[string]RuleSet, isIncomingPacket bool) bool {
-	m.mutex.RLock()
-	defer m.mutex.RUnlock()
-
-	d := m.decoders.Get().(*decoder)
-	defer m.decoders.Put(d)
-
-	if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
-		log.Tracef("couldn't decode layer, err: %s", err)
-		return true
-	}
-
-	if len(d.decoded) < 2 {
-		log.Tracef("not enough levels in network packet")
-		return true
-	}
-
-	ipLayer := d.decoded[0]
-
-	switch ipLayer {
-	case layers.LayerTypeIPv4:
-		if !m.wgNetwork.Contains(d.ip4.SrcIP) || !m.wgNetwork.Contains(d.ip4.DstIP) {
-			return false
-		}
-	case layers.LayerTypeIPv6:
-		if !m.wgNetwork.Contains(d.ip6.SrcIP) || !m.wgNetwork.Contains(d.ip6.DstIP) {
-			return false
-		}
-	default:
-		log.Errorf("unknown layer: %v", d.decoded[0])
-		return true
-	}
-
-	var ip net.IP
-	switch ipLayer {
-	case layers.LayerTypeIPv4:
-		if isIncomingPacket {
-			ip = d.ip4.SrcIP
-		} else {
-			ip = d.ip4.DstIP
-		}
-	case layers.LayerTypeIPv6:
-		if isIncomingPacket {
-			ip = d.ip6.SrcIP
-		} else {
-			ip = d.ip6.DstIP
-		}
-	}
-
-	filter, ok := validateRule(ip, packetData, rules[ip.String()], d)
-	if ok {
-		return filter
-	}
-	filter, ok = validateRule(ip, packetData, rules["0.0.0.0"], d)
-	if ok {
-		return filter
-	}
-	filter, ok = validateRule(ip, packetData, rules["::"], d)
-	if ok {
-		return filter
-	}
-
-	// default policy is DROP ALL
-	return true
-}
-
-func validateRule(ip net.IP, packetData []byte, rules map[string]Rule, d *decoder) (bool, bool) {
-	payloadLayer := d.decoded[1]
-	for _, rule := range rules {
-		if rule.matchByIP && !ip.Equal(rule.ip) {
-			continue
-		}
-
-		if rule.protoLayer == layerTypeAll {
-			return rule.drop, true
-		}
-
-		if payloadLayer != rule.protoLayer {
-			continue
-		}
-
-		switch payloadLayer {
-		case layers.LayerTypeTCP:
-			if rule.sPort == 0 && rule.dPort == 0 {
-				return rule.drop, true
-			}
-			if rule.sPort != 0 && rule.sPort == uint16(d.tcp.SrcPort) {
-				return rule.drop, true
-			}
-			if rule.dPort != 0 && rule.dPort == uint16(d.tcp.DstPort) {
-				return rule.drop, true
-			}
-		case layers.LayerTypeUDP:
-			// if rule has UDP hook (and if we are here we match this rule)
-			// we ignore rule.drop and call this hook
-			if rule.udpHook != nil {
-				return rule.udpHook(packetData), true
-			}
-
-			if rule.sPort == 0 && rule.dPort == 0 {
-				return rule.drop, true
-			}
-			if rule.sPort != 0 && rule.sPort == uint16(d.udp.SrcPort) {
-				return rule.drop, true
-			}
-			if rule.dPort != 0 && rule.dPort == uint16(d.udp.DstPort) {
-				return rule.drop, true
-			}
-			return rule.drop, true
-		case layers.LayerTypeICMPv4, layers.LayerTypeICMPv6:
-			return rule.drop, true
-		}
-	}
-	return false, false
-}
-
-// SetNetwork of the wireguard interface to which filtering applied
-func (m *Manager) SetNetwork(network *net.IPNet) {
-	m.wgNetwork = network
-}
-
-// AddUDPPacketHook calls hook when UDP packet from given direction matched
-//
-// Hook function returns flag which indicates should be the matched package dropped or not
-func (m *Manager) AddUDPPacketHook(
-	in bool, ip net.IP, dPort uint16, hook func([]byte) bool,
-) string {
-	r := Rule{
-		id:         uuid.New().String(),
-		ip:         ip,
-		protoLayer: layers.LayerTypeUDP,
-		dPort:      dPort,
-		ipLayer:    layers.LayerTypeIPv6,
-		direction:  fw.RuleDirectionOUT,
-		comment:    fmt.Sprintf("UDP Hook direction: %v, ip:%v, dport:%d", in, ip, dPort),
-		udpHook:    hook,
-	}
-
-	if ip.To4() != nil {
-		r.ipLayer = layers.LayerTypeIPv4
-	}
-
-	m.mutex.Lock()
-	if in {
-		r.direction = fw.RuleDirectionIN
-		if _, ok := m.incomingRules[r.ip.String()]; !ok {
-			m.incomingRules[r.ip.String()] = make(map[string]Rule)
-		}
-		m.incomingRules[r.ip.String()][r.id] = r
-	} else {
-		if _, ok := m.outgoingRules[r.ip.String()]; !ok {
-			m.outgoingRules[r.ip.String()] = make(map[string]Rule)
-		}
-		m.outgoingRules[r.ip.String()][r.id] = r
-	}
-
-	m.mutex.Unlock()
-
-	return r.id
-}
-
-// RemovePacketHook removes packet hook by given ID
-func (m *Manager) RemovePacketHook(hookID string) error {
-	for _, arr := range m.incomingRules {
-		for _, r := range arr {
-			if r.id == hookID {
-				return m.DeleteRule(&r)
-			}
-		}
-	}
-	for _, arr := range m.outgoingRules {
-		for _, r := range arr {
-			if r.id == hookID {
-				return m.DeleteRule(&r)
-			}
-		}
-	}
-	return fmt.Errorf("hook with given id not found")
-}

client/firewall/uspfilter/uspfilter_test.go

@@ -1,403 +0,0 @@
-package uspfilter
-
-import (
-	"fmt"
-	"net"
-	"testing"
-	"time"
-
-	"github.com/google/gopacket"
-	"github.com/google/gopacket/layers"
-	"github.com/stretchr/testify/require"
-
-	fw "github.com/netbirdio/netbird/client/firewall"
-	"github.com/netbirdio/netbird/iface"
-)
-
-type IFaceMock struct {
-	SetFilterFunc func(iface.PacketFilter) error
-}
-
-func (i *IFaceMock) SetFilter(iface iface.PacketFilter) error {
-	if i.SetFilterFunc == nil {
-		return fmt.Errorf("not implemented")
-	}
-	return i.SetFilterFunc(iface)
-}
-
-func TestManagerCreate(t *testing.T) {
-	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(iface.PacketFilter) error { return nil },
-	}
-
-	m, err := Create(ifaceMock)
-	if err != nil {
-		t.Errorf("failed to create Manager: %v", err)
-		return
-	}
-
-	if m == nil {
-		t.Error("Manager is nil")
-	}
-}
-
-func TestManagerAddFiltering(t *testing.T) {
-	isSetFilterCalled := false
-	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(iface.PacketFilter) error {
-			isSetFilterCalled = true
-			return nil
-		},
-	}
-
-	m, err := Create(ifaceMock)
-	if err != nil {
-		t.Errorf("failed to create Manager: %v", err)
-		return
-	}
-
-	ip := net.ParseIP("192.168.1.1")
-	proto := fw.ProtocolTCP
-	port := &fw.Port{Values: []int{80}}
-	direction := fw.RuleDirectionOUT
-	action := fw.ActionDrop
-	comment := "Test rule"
-
-	rule, err := m.AddFiltering(ip, proto, nil, port, direction, action, "", comment)
-	if err != nil {
-		t.Errorf("failed to add filtering: %v", err)
-		return
-	}
-
-	if rule == nil {
-		t.Error("Rule is nil")
-		return
-	}
-
-	if !isSetFilterCalled {
-		t.Error("SetFilter was not called")
-		return
-	}
-}
-
-func TestManagerDeleteRule(t *testing.T) {
-	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(iface.PacketFilter) error { return nil },
-	}
-
-	m, err := Create(ifaceMock)
-	if err != nil {
-		t.Errorf("failed to create Manager: %v", err)
-		return
-	}
-
-	ip := net.ParseIP("192.168.1.1")
-	proto := fw.ProtocolTCP
-	port := &fw.Port{Values: []int{80}}
-	direction := fw.RuleDirectionOUT
-	action := fw.ActionDrop
-	comment := "Test rule"
-
-	rule, err := m.AddFiltering(ip, proto, nil, port, direction, action, "", comment)
-	if err != nil {
-		t.Errorf("failed to add filtering: %v", err)
-		return
-	}
-
-	ip = net.ParseIP("192.168.1.1")
-	proto = fw.ProtocolTCP
-	port = &fw.Port{Values: []int{80}}
-	direction = fw.RuleDirectionIN
-	action = fw.ActionDrop
-	comment = "Test rule 2"
-
-	rule2, err := m.AddFiltering(ip, proto, nil, port, direction, action, "", comment)
-	if err != nil {
-		t.Errorf("failed to add filtering: %v", err)
-		return
-	}
-
-	err = m.DeleteRule(rule)
-	if err != nil {
-		t.Errorf("failed to delete rule: %v", err)
-		return
-	}
-
-	if _, ok := m.incomingRules[ip.String()][rule2.GetRuleID()]; !ok {
-		t.Errorf("rule2 is not in the incomingRules")
-	}
-
-	err = m.DeleteRule(rule2)
-	if err != nil {
-		t.Errorf("failed to delete rule: %v", err)
-		return
-	}
-
-	if _, ok := m.incomingRules[ip.String()][rule2.GetRuleID()]; ok {
-		t.Errorf("rule2 is not in the incomingRules")
-	}
-}
-
-func TestAddUDPPacketHook(t *testing.T) {
-	tests := []struct {
-		name       string
-		in         bool
-		expDir     fw.RuleDirection
-		ip         net.IP
-		dPort      uint16
-		hook       func([]byte) bool
-		expectedID string
-	}{
-		{
-			name:   "Test Outgoing UDP Packet Hook",
-			in:     false,
-			expDir: fw.RuleDirectionOUT,
-			ip:     net.IPv4(10, 168, 0, 1),
-			dPort:  8000,
-			hook:   func([]byte) bool { return true },
-		},
-		{
-			name:   "Test Incoming UDP Packet Hook",
-			in:     true,
-			expDir: fw.RuleDirectionIN,
-			ip:     net.IPv6loopback,
-			dPort:  9000,
-			hook:   func([]byte) bool { return false },
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			manager := &Manager{
-				incomingRules: map[string]RuleSet{},
-				outgoingRules: map[string]RuleSet{},
-			}
-
-			manager.AddUDPPacketHook(tt.in, tt.ip, tt.dPort, tt.hook)
-
-			var addedRule Rule
-			if tt.in {
-				if len(manager.incomingRules[tt.ip.String()]) != 1 {
-					t.Errorf("expected 1 incoming rule, got %d", len(manager.incomingRules))
-					return
-				}
-				for _, rule := range manager.incomingRules[tt.ip.String()] {
-					addedRule = rule
-				}
-			} else {
-				if len(manager.outgoingRules) != 1 {
-					t.Errorf("expected 1 outgoing rule, got %d", len(manager.outgoingRules))
-					return
-				}
-				for _, rule := range manager.outgoingRules[tt.ip.String()] {
-					addedRule = rule
-				}
-			}
-
-			if !tt.ip.Equal(addedRule.ip) {
-				t.Errorf("expected ip %s, got %s", tt.ip, addedRule.ip)
-				return
-			}
-			if tt.dPort != addedRule.dPort {
-				t.Errorf("expected dPort %d, got %d", tt.dPort, addedRule.dPort)
-				return
-			}
-			if layers.LayerTypeUDP != addedRule.protoLayer {
-				t.Errorf("expected protoLayer %s, got %s", layers.LayerTypeUDP, addedRule.protoLayer)
-				return
-			}
-			if tt.expDir != addedRule.direction {
-				t.Errorf("expected direction %d, got %d", tt.expDir, addedRule.direction)
-				return
-			}
-			if addedRule.udpHook == nil {
-				t.Errorf("expected udpHook to be set")
-				return
-			}
-		})
-	}
-}
-
-func TestManagerReset(t *testing.T) {
-	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(iface.PacketFilter) error { return nil },
-	}
-
-	m, err := Create(ifaceMock)
-	if err != nil {
-		t.Errorf("failed to create Manager: %v", err)
-		return
-	}
-
-	ip := net.ParseIP("192.168.1.1")
-	proto := fw.ProtocolTCP
-	port := &fw.Port{Values: []int{80}}
-	direction := fw.RuleDirectionOUT
-	action := fw.ActionDrop
-	comment := "Test rule"
-
-	_, err = m.AddFiltering(ip, proto, nil, port, direction, action, "", comment)
-	if err != nil {
-		t.Errorf("failed to add filtering: %v", err)
-		return
-	}
-
-	err = m.Reset()
-	if err != nil {
-		t.Errorf("failed to reset Manager: %v", err)
-		return
-	}
-
-	if len(m.outgoingRules) != 0 || len(m.incomingRules) != 0 {
-		t.Errorf("rules is not empty")
-	}
-}
-
-func TestNotMatchByIP(t *testing.T) {
-	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(iface.PacketFilter) error { return nil },
-	}
-
-	m, err := Create(ifaceMock)
-	if err != nil {
-		t.Errorf("failed to create Manager: %v", err)
-		return
-	}
-	m.wgNetwork = &net.IPNet{
-		IP:   net.ParseIP("100.10.0.0"),
-		Mask: net.CIDRMask(16, 32),
-	}
-
-	ip := net.ParseIP("0.0.0.0")
-	proto := fw.ProtocolUDP
-	direction := fw.RuleDirectionOUT
-	action := fw.ActionAccept
-	comment := "Test rule"
-
-	_, err = m.AddFiltering(ip, proto, nil, nil, direction, action, "", comment)
-	if err != nil {
-		t.Errorf("failed to add filtering: %v", err)
-		return
-	}
-
-	ipv4 := &layers.IPv4{
-		TTL:      64,
-		Version:  4,
-		SrcIP:    net.ParseIP("100.10.0.1"),
-		DstIP:    net.ParseIP("100.10.0.100"),
-		Protocol: layers.IPProtocolUDP,
-	}
-	udp := &layers.UDP{
-		SrcPort: 51334,
-		DstPort: 53,
-	}
-
-	if err := udp.SetNetworkLayerForChecksum(ipv4); err != nil {
-		t.Errorf("failed to set network layer for checksum: %v", err)
-		return
-	}
-	payload := gopacket.Payload([]byte("test"))
-
-	buf := gopacket.NewSerializeBuffer()
-	opts := gopacket.SerializeOptions{
-		ComputeChecksums: true,
-		FixLengths:       true,
-	}
-	if err = gopacket.SerializeLayers(buf, opts, ipv4, udp, payload); err != nil {
-		t.Errorf("failed to serialize packet: %v", err)
-		return
-	}
-
-	if m.dropFilter(buf.Bytes(), m.outgoingRules, false) {
-		t.Errorf("expected packet to be accepted")
-		return
-	}
-
-	if err = m.Reset(); err != nil {
-		t.Errorf("failed to reset Manager: %v", err)
-		return
-	}
-}
-
-// TestRemovePacketHook tests the functionality of the RemovePacketHook method
-func TestRemovePacketHook(t *testing.T) {
-	// creating mock iface
-	iface := &IFaceMock{
-		SetFilterFunc: func(iface.PacketFilter) error { return nil },
-	}
-
-	// creating manager instance
-	manager, err := Create(iface)
-	if err != nil {
-		t.Fatalf("Failed to create Manager: %s", err)
-	}
-
-	// Add a UDP packet hook
-	hookFunc := func(data []byte) bool { return true }
-	hookID := manager.AddUDPPacketHook(false, net.IPv4(192, 168, 0, 1), 8080, hookFunc)
-
-	// Assert the hook is added by finding it in the manager's outgoing rules
-	found := false
-	for _, arr := range manager.outgoingRules {
-		for _, rule := range arr {
-			if rule.id == hookID {
-				found = true
-				break
-			}
-		}
-	}
-
-	if !found {
-		t.Fatalf("The hook was not added properly.")
-	}
-
-	// Now remove the packet hook
-	err = manager.RemovePacketHook(hookID)
-	if err != nil {
-		t.Fatalf("Failed to remove hook: %s", err)
-	}
-
-	// Assert the hook is removed by checking it in the manager's outgoing rules
-	for _, arr := range manager.outgoingRules {
-		for _, rule := range arr {
-			if rule.id == hookID {
-				t.Fatalf("The hook was not removed properly.")
-			}
-		}
-	}
-}
-
-func TestUSPFilterCreatePerformance(t *testing.T) {
-	for _, testMax := range []int{10, 20, 30, 40, 50, 60, 70, 80, 90, 100, 200, 300, 400, 500, 600, 700, 800, 900, 1000} {
-		t.Run(fmt.Sprintf("Testing %d rules", testMax), func(t *testing.T) {
-			// just check on the local interface
-			ifaceMock := &IFaceMock{
-				SetFilterFunc: func(iface.PacketFilter) error { return nil },
-			}
-			manager, err := Create(ifaceMock)
-			require.NoError(t, err)
-			time.Sleep(time.Second)
-
-			defer func() {
-				if err := manager.Reset(); err != nil {
-					t.Errorf("clear the manager state: %v", err)
-				}
-				time.Sleep(time.Second)
-			}()
-
-			ip := net.ParseIP("10.20.0.100")
-			start := time.Now()
-			for i := 0; i < testMax; i++ {
-				port := &fw.Port{Values: []int{1000 + i}}
-				if i%2 == 0 {
-					_, err = manager.AddFiltering(ip, "tcp", nil, port, fw.RuleDirectionOUT, fw.ActionAccept, "", "accept HTTP traffic")
-				} else {
-					_, err = manager.AddFiltering(ip, "tcp", nil, port, fw.RuleDirectionIN, fw.ActionAccept, "", "accept HTTP traffic")
-				}
-
-				require.NoError(t, err, "failed to add rule")
-			}
-			t.Logf("execution avg per rule: %s", time.Since(start)/time.Duration(testMax))
-		})
-	}
-}

client/internal/acl/manager.go

@@ -1,493 +0,0 @@
-package acl
-
-import (
-	"crypto/md5"
-	"encoding/hex"
-	"fmt"
-	"net"
-	"strconv"
-	"sync"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/firewall"
-	"github.com/netbirdio/netbird/client/ssh"
-	"github.com/netbirdio/netbird/iface"
-	mgmProto "github.com/netbirdio/netbird/management/proto"
-)
-
-// IFaceMapper defines subset methods of interface required for manager
-type IFaceMapper interface {
-	Name() string
-	Address() iface.WGAddress
-	IsUserspaceBind() bool
-	SetFilter(iface.PacketFilter) error
-}
-
-// Manager is a ACL rules manager
-type Manager interface {
-	ApplyFiltering(networkMap *mgmProto.NetworkMap)
-	Stop()
-}
-
-// DefaultManager uses firewall manager to handle
-type DefaultManager struct {
-	manager      firewall.Manager
-	ipsetCounter int
-	rulesPairs   map[string][]firewall.Rule
-	mutex        sync.Mutex
-}
-
-type ipsetInfo struct {
-	name    string
-	ipCount int
-}
-
-func newDefaultManager(fm firewall.Manager) *DefaultManager {
-	return &DefaultManager{
-		manager:    fm,
-		rulesPairs: make(map[string][]firewall.Rule),
-	}
-}
-
-// ApplyFiltering firewall rules to the local firewall manager processed by ACL policy.
-//
-// If allowByDefault is ture it appends allow ALL traffic rules to input and output chains.
-func (d *DefaultManager) ApplyFiltering(networkMap *mgmProto.NetworkMap) {
-	d.mutex.Lock()
-	defer d.mutex.Unlock()
-
-	start := time.Now()
-	defer func() {
-		total := 0
-		for _, pairs := range d.rulesPairs {
-			total += len(pairs)
-		}
-		log.Infof(
-			"ACL rules processed in: %v, total rules count: %d",
-			time.Since(start), total)
-	}()
-
-	if d.manager == nil {
-		log.Debug("firewall manager is not supported, skipping firewall rules")
-		return
-	}
-
-	defer func() {
-		if err := d.manager.Flush(); err != nil {
-			log.Error("failed to flush firewall rules: ", err)
-		}
-	}()
-
-	rules, squashedProtocols := d.squashAcceptRules(networkMap)
-
-	enableSSH := (networkMap.PeerConfig != nil &&
-		networkMap.PeerConfig.SshConfig != nil &&
-		networkMap.PeerConfig.SshConfig.SshEnabled)
-	if _, ok := squashedProtocols[mgmProto.FirewallRule_ALL]; ok {
-		enableSSH = enableSSH && !ok
-	}
-	if _, ok := squashedProtocols[mgmProto.FirewallRule_TCP]; ok {
-		enableSSH = enableSSH && !ok
-	}
-
-	// if TCP protocol rules not squashed and SSH enabled
-	// we add default firewall rule which accepts connection to any peer
-	// in the network by SSH (TCP 22 port).
-	if enableSSH {
-		rules = append(rules, &mgmProto.FirewallRule{
-			PeerIP:    "0.0.0.0",
-			Direction: mgmProto.FirewallRule_IN,
-			Action:    mgmProto.FirewallRule_ACCEPT,
-			Protocol:  mgmProto.FirewallRule_TCP,
-			Port:      strconv.Itoa(ssh.DefaultSSHPort),
-		})
-	}
-
-	// if we got empty rules list but management not set networkMap.FirewallRulesIsEmpty flag
-	// we have old version of management without rules handling, we should allow all traffic
-	if len(networkMap.FirewallRules) == 0 && !networkMap.FirewallRulesIsEmpty {
-		log.Warn("this peer is connected to a NetBird Management service with an older version. Allowing all traffic from connected peers")
-		rules = append(rules,
-			&mgmProto.FirewallRule{
-				PeerIP:    "0.0.0.0",
-				Direction: mgmProto.FirewallRule_IN,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  mgmProto.FirewallRule_ALL,
-			},
-			&mgmProto.FirewallRule{
-				PeerIP:    "0.0.0.0",
-				Direction: mgmProto.FirewallRule_OUT,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  mgmProto.FirewallRule_ALL,
-			},
-		)
-	}
-
-	applyFailed := false
-	newRulePairs := make(map[string][]firewall.Rule)
-	ipsetByRuleSelectors := make(map[string]*ipsetInfo)
-
-	// calculate which IP's can be grouped in by which ipset
-	// to do that we use rule selector (which is just rule properties without IP's)
-	for _, r := range rules {
-		selector := d.getRuleGroupingSelector(r)
-		ipset, ok := ipsetByRuleSelectors[selector]
-		if !ok {
-			ipset = &ipsetInfo{}
-		}
-
-		ipset.ipCount++
-		ipsetByRuleSelectors[selector] = ipset
-	}
-
-	for _, r := range rules {
-		// if this rule is member of rule selection with more than DefaultIPsCountForSet
-		// it's IP address can be used in the ipset for firewall manager which supports it
-		ipset := ipsetByRuleSelectors[d.getRuleGroupingSelector(r)]
-		ipsetName := ""
-		if ipset.name == "" {
-			d.ipsetCounter++
-			ipset.name = fmt.Sprintf("nb%07d", d.ipsetCounter)
-		}
-		ipsetName = ipset.name
-		pairID, rulePair, err := d.protoRuleToFirewallRule(r, ipsetName)
-		if err != nil {
-			log.Errorf("failed to apply firewall rule: %+v, %v", r, err)
-			applyFailed = true
-			break
-		}
-		newRulePairs[pairID] = rulePair
-	}
-	if applyFailed {
-		log.Error("failed to apply firewall rules, rollback ACL to previous state")
-		for _, rules := range newRulePairs {
-			for _, rule := range rules {
-				if err := d.manager.DeleteRule(rule); err != nil {
-					log.Errorf("failed to delete new firewall rule (id: %v) during rollback: %v", rule.GetRuleID(), err)
-					continue
-				}
-			}
-		}
-		return
-	}
-
-	for pairID, rules := range d.rulesPairs {
-		if _, ok := newRulePairs[pairID]; !ok {
-			for _, rule := range rules {
-				if err := d.manager.DeleteRule(rule); err != nil {
-					log.Errorf("failed to delete firewall rule: %v", err)
-					continue
-				}
-			}
-			delete(d.rulesPairs, pairID)
-		}
-	}
-	d.rulesPairs = newRulePairs
-}
-
-// Stop ACL controller and clear firewall state
-func (d *DefaultManager) Stop() {
-	d.mutex.Lock()
-	defer d.mutex.Unlock()
-
-	if err := d.manager.Reset(); err != nil {
-		log.WithError(err).Error("reset firewall state")
-	}
-}
-
-func (d *DefaultManager) protoRuleToFirewallRule(
-	r *mgmProto.FirewallRule,
-	ipsetName string,
-) (string, []firewall.Rule, error) {
-	ip := net.ParseIP(r.PeerIP)
-	if ip == nil {
-		return "", nil, fmt.Errorf("invalid IP address, skipping firewall rule")
-	}
-
-	protocol := convertToFirewallProtocol(r.Protocol)
-	if protocol == firewall.ProtocolUnknown {
-		return "", nil, fmt.Errorf("invalid protocol type: %d, skipping firewall rule", r.Protocol)
-	}
-
-	action := convertFirewallAction(r.Action)
-	if action == firewall.ActionUnknown {
-		return "", nil, fmt.Errorf("invalid action type: %d, skipping firewall rule", r.Action)
-	}
-
-	var port *firewall.Port
-	if r.Port != "" {
-		value, err := strconv.Atoi(r.Port)
-		if err != nil {
-			return "", nil, fmt.Errorf("invalid port, skipping firewall rule")
-		}
-		port = &firewall.Port{
-			Values: []int{value},
-		}
-	}
-
-	ruleID := d.getRuleID(ip, protocol, int(r.Direction), port, action, "")
-	if rulesPair, ok := d.rulesPairs[ruleID]; ok {
-		return ruleID, rulesPair, nil
-	}
-
-	var rules []firewall.Rule
-	var err error
-	switch r.Direction {
-	case mgmProto.FirewallRule_IN:
-		rules, err = d.addInRules(ip, protocol, port, action, ipsetName, "")
-	case mgmProto.FirewallRule_OUT:
-		rules, err = d.addOutRules(ip, protocol, port, action, ipsetName, "")
-	default:
-		return "", nil, fmt.Errorf("invalid direction, skipping firewall rule")
-	}
-
-	if err != nil {
-		return "", nil, err
-	}
-
-	d.rulesPairs[ruleID] = rules
-	return ruleID, rules, nil
-}
-
-func (d *DefaultManager) addInRules(
-	ip net.IP,
-	protocol firewall.Protocol,
-	port *firewall.Port,
-	action firewall.Action,
-	ipsetName string,
-	comment string,
-) ([]firewall.Rule, error) {
-	var rules []firewall.Rule
-	rule, err := d.manager.AddFiltering(
-		ip, protocol, nil, port, firewall.RuleDirectionIN, action, ipsetName, comment)
-	if err != nil {
-		return nil, fmt.Errorf("failed to add firewall rule: %v", err)
-	}
-	rules = append(rules, rule)
-
-	if shouldSkipInvertedRule(protocol, port) {
-		return rules, nil
-	}
-
-	rule, err = d.manager.AddFiltering(
-		ip, protocol, port, nil, firewall.RuleDirectionOUT, action, ipsetName, comment)
-	if err != nil {
-		return nil, fmt.Errorf("failed to add firewall rule: %v", err)
-	}
-
-	return append(rules, rule), nil
-}
-
-func (d *DefaultManager) addOutRules(
-	ip net.IP,
-	protocol firewall.Protocol,
-	port *firewall.Port,
-	action firewall.Action,
-	ipsetName string,
-	comment string,
-) ([]firewall.Rule, error) {
-	var rules []firewall.Rule
-	rule, err := d.manager.AddFiltering(
-		ip, protocol, nil, port, firewall.RuleDirectionOUT, action, ipsetName, comment)
-	if err != nil {
-		return nil, fmt.Errorf("failed to add firewall rule: %v", err)
-	}
-	rules = append(rules, rule)
-
-	if shouldSkipInvertedRule(protocol, port) {
-		return rules, nil
-	}
-
-	rule, err = d.manager.AddFiltering(
-		ip, protocol, port, nil, firewall.RuleDirectionIN, action, ipsetName, comment)
-	if err != nil {
-		return nil, fmt.Errorf("failed to add firewall rule: %v", err)
-	}
-
-	return append(rules, rule), nil
-}
-
-// getRuleID() returns unique ID for the rule based on its parameters.
-func (d *DefaultManager) getRuleID(
-	ip net.IP,
-	proto firewall.Protocol,
-	direction int,
-	port *firewall.Port,
-	action firewall.Action,
-	comment string,
-) string {
-	idStr := ip.String() + string(proto) + strconv.Itoa(direction) + strconv.Itoa(int(action)) + comment
-	if port != nil {
-		idStr += port.String()
-	}
-
-	return hex.EncodeToString(md5.New().Sum([]byte(idStr)))
-}
-
-// squashAcceptRules does complex logic to convert many rules which allows connection by traffic type
-// to all peers in the network map to one rule which just accepts that type of the traffic.
-//
-// NOTE: It will not squash two rules for same protocol if one covers all peers in the network,
-// but other has port definitions or has drop policy.
-func (d *DefaultManager) squashAcceptRules(
-	networkMap *mgmProto.NetworkMap,
-) ([]*mgmProto.FirewallRule, map[mgmProto.FirewallRuleProtocol]struct{}) {
-	totalIPs := 0
-	for _, p := range append(networkMap.RemotePeers, networkMap.OfflinePeers...) {
-		for range p.AllowedIps {
-			totalIPs++
-		}
-	}
-
-	type protoMatch map[mgmProto.FirewallRuleProtocol]map[string]int
-
-	in := protoMatch{}
-	out := protoMatch{}
-
-	// trace which type of protocols was squashed
-	squashedRules := []*mgmProto.FirewallRule{}
-	squashedProtocols := map[mgmProto.FirewallRuleProtocol]struct{}{}
-
-	// this function we use to do calculation, can we squash the rules by protocol or not.
-	// We summ amount of Peers IP for given protocol we found in original rules list.
-	// But we zeroed the IP's for protocol if:
-	// 1. Any of the rule has DROP action type.
-	// 2. Any of rule contains Port.
-	//
-	// We zeroed this to notify squash function that this protocol can't be squashed.
-	addRuleToCalculationMap := func(i int, r *mgmProto.FirewallRule, protocols protoMatch) {
-		drop := r.Action == mgmProto.FirewallRule_DROP || r.Port != ""
-		if drop {
-			protocols[r.Protocol] = map[string]int{}
-			return
-		}
-		if _, ok := protocols[r.Protocol]; !ok {
-			protocols[r.Protocol] = map[string]int{}
-		}
-
-		// special case, when we recieve this all network IP address
-		// it means that rules for that protocol was already optimized on the
-		// management side
-		if r.PeerIP == "0.0.0.0" {
-			squashedRules = append(squashedRules, r)
-			squashedProtocols[r.Protocol] = struct{}{}
-			return
-		}
-
-		ipset := protocols[r.Protocol]
-
-		if _, ok := ipset[r.PeerIP]; ok {
-			return
-		}
-		ipset[r.PeerIP] = i
-	}
-
-	for i, r := range networkMap.FirewallRules {
-		// calculate squash for different directions
-		if r.Direction == mgmProto.FirewallRule_IN {
-			addRuleToCalculationMap(i, r, in)
-		} else {
-			addRuleToCalculationMap(i, r, out)
-		}
-	}
-
-	// order of squashing by protocol is important
-	// only for ther first element ALL, it must be done first
-	protocolOrders := []mgmProto.FirewallRuleProtocol{
-		mgmProto.FirewallRule_ALL,
-		mgmProto.FirewallRule_ICMP,
-		mgmProto.FirewallRule_TCP,
-		mgmProto.FirewallRule_UDP,
-	}
-
-	squash := func(matches protoMatch, direction mgmProto.FirewallRuleDirection) {
-		for _, protocol := range protocolOrders {
-			if ipset, ok := matches[protocol]; !ok || len(ipset) != totalIPs || len(ipset) < 2 {
-				// don't squash if :
-				// 1. Rules not cover all peers in the network
-				// 2. Rules cover only one peer in the network.
-				continue
-			}
-
-			// add special rule 0.0.0.0 which allows all IP's in our firewall implementations
-			squashedRules = append(squashedRules, &mgmProto.FirewallRule{
-				PeerIP:    "0.0.0.0",
-				Direction: direction,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  protocol,
-			})
-			squashedProtocols[protocol] = struct{}{}
-
-			if protocol == mgmProto.FirewallRule_ALL {
-				// if we have ALL traffic type squashed rule
-				// it allows all other type of traffic, so we can stop processing
-				break
-			}
-		}
-	}
-
-	squash(in, mgmProto.FirewallRule_IN)
-	squash(out, mgmProto.FirewallRule_OUT)
-
-	// if all protocol was squashed everything is allow and we can ignore all other rules
-	if _, ok := squashedProtocols[mgmProto.FirewallRule_ALL]; ok {
-		return squashedRules, squashedProtocols
-	}
-
-	if len(squashedRules) == 0 {
-		return networkMap.FirewallRules, squashedProtocols
-	}
-
-	var rules []*mgmProto.FirewallRule
-	// filter out rules which was squashed from final list
-	// if we also have other not squashed rules.
-	for i, r := range networkMap.FirewallRules {
-		if _, ok := squashedProtocols[r.Protocol]; ok {
-			if m, ok := in[r.Protocol]; ok && m[r.PeerIP] == i {
-				continue
-			} else if m, ok := out[r.Protocol]; ok && m[r.PeerIP] == i {
-				continue
-			}
-		}
-		rules = append(rules, r)
-	}
-
-	return append(rules, squashedRules...), squashedProtocols
-}
-
-// getRuleGroupingSelector takes all rule properties except IP address to build selector
-func (d *DefaultManager) getRuleGroupingSelector(rule *mgmProto.FirewallRule) string {
-	return fmt.Sprintf("%v:%v:%v:%s", strconv.Itoa(int(rule.Direction)), rule.Action, rule.Protocol, rule.Port)
-}
-
-func convertToFirewallProtocol(protocol mgmProto.FirewallRuleProtocol) firewall.Protocol {
-	switch protocol {
-	case mgmProto.FirewallRule_TCP:
-		return firewall.ProtocolTCP
-	case mgmProto.FirewallRule_UDP:
-		return firewall.ProtocolUDP
-	case mgmProto.FirewallRule_ICMP:
-		return firewall.ProtocolICMP
-	case mgmProto.FirewallRule_ALL:
-		return firewall.ProtocolALL
-	default:
-		return firewall.ProtocolUnknown
-	}
-}
-
-func shouldSkipInvertedRule(protocol firewall.Protocol, port *firewall.Port) bool {
-	return protocol == firewall.ProtocolALL || protocol == firewall.ProtocolICMP || port == nil
-}
-
-func convertFirewallAction(action mgmProto.FirewallRuleAction) firewall.Action {
-	switch action {
-	case mgmProto.FirewallRule_ACCEPT:
-		return firewall.ActionAccept
-	case mgmProto.FirewallRule_DROP:
-		return firewall.ActionDrop
-	default:
-		return firewall.ActionUnknown
-	}
-}

client/internal/acl/manager_create.go

@@ -1,23 +0,0 @@
-//go:build !linux
-
-package acl
-
-import (
-	"fmt"
-	"runtime"
-
-	"github.com/netbirdio/netbird/client/firewall/uspfilter"
-)
-
-// Create creates a firewall manager instance
-func Create(iface IFaceMapper) (manager *DefaultManager, err error) {
-	if iface.IsUserspaceBind() {
-		// use userspace packet filtering firewall
-		fm, err := uspfilter.Create(iface)
-		if err != nil {
-			return nil, err
-		}
-		return newDefaultManager(fm), nil
-	}
-	return nil, fmt.Errorf("not implemented for this OS: %s", runtime.GOOS)
-}

client/internal/acl/manager_create_linux.go

@@ -1,33 +0,0 @@
-package acl
-
-import (
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/firewall"
-	"github.com/netbirdio/netbird/client/firewall/iptables"
-	"github.com/netbirdio/netbird/client/firewall/nftables"
-	"github.com/netbirdio/netbird/client/firewall/uspfilter"
-)
-
-// Create creates a firewall manager instance for the Linux
-func Create(iface IFaceMapper) (manager *DefaultManager, err error) {
-	var fm firewall.Manager
-	if iface.IsUserspaceBind() {
-		// use userspace packet filtering firewall
-		if fm, err = uspfilter.Create(iface); err != nil {
-			log.Debugf("failed to create userspace filtering firewall: %s", err)
-			return nil, err
-		}
-	} else {
-		if fm, err = nftables.Create(iface); err != nil {
-			log.Debugf("failed to create nftables manager: %s", err)
-			// fallback to iptables
-			if fm, err = iptables.Create(iface); err != nil {
-				log.Errorf("failed to create iptables manager: %s", err)
-				return nil, err
-			}
-		}
-	}
-
-	return newDefaultManager(fm), nil
-}

client/internal/acl/manager_test.go

@@ -1,333 +0,0 @@
-package acl
-
-import (
-	"testing"
-
-	"github.com/golang/mock/gomock"
-
-	"github.com/netbirdio/netbird/client/internal/acl/mocks"
-	mgmProto "github.com/netbirdio/netbird/management/proto"
-)
-
-func TestDefaultManager(t *testing.T) {
-	networkMap := &mgmProto.NetworkMap{
-		FirewallRules: []*mgmProto.FirewallRule{
-			{
-				PeerIP:    "10.93.0.1",
-				Direction: mgmProto.FirewallRule_OUT,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  mgmProto.FirewallRule_TCP,
-				Port:      "80",
-			},
-			{
-				PeerIP:    "10.93.0.2",
-				Direction: mgmProto.FirewallRule_OUT,
-				Action:    mgmProto.FirewallRule_DROP,
-				Protocol:  mgmProto.FirewallRule_UDP,
-				Port:      "53",
-			},
-		},
-	}
-
-	ctrl := gomock.NewController(t)
-	defer ctrl.Finish()
-
-	iface := mocks.NewMockIFaceMapper(ctrl)
-	iface.EXPECT().IsUserspaceBind().Return(true)
-	// iface.EXPECT().Name().Return("lo")
-	iface.EXPECT().SetFilter(gomock.Any())
-
-	// we receive one rule from the management so for testing purposes ignore it
-	acl, err := Create(iface)
-	if err != nil {
-		t.Errorf("create ACL manager: %v", err)
-		return
-	}
-	defer acl.Stop()
-
-	t.Run("apply firewall rules", func(t *testing.T) {
-		acl.ApplyFiltering(networkMap)
-
-		if len(acl.rulesPairs) != 2 {
-			t.Errorf("firewall rules not applied: %v", acl.rulesPairs)
-			return
-		}
-	})
-
-	t.Run("add extra rules", func(t *testing.T) {
-		existedPairs := map[string]struct{}{}
-		for id := range acl.rulesPairs {
-			existedPairs[id] = struct{}{}
-		}
-
-		// remove first rule
-		networkMap.FirewallRules = networkMap.FirewallRules[1:]
-		networkMap.FirewallRules = append(
-			networkMap.FirewallRules,
-			&mgmProto.FirewallRule{
-				PeerIP:    "10.93.0.3",
-				Direction: mgmProto.FirewallRule_IN,
-				Action:    mgmProto.FirewallRule_DROP,
-				Protocol:  mgmProto.FirewallRule_ICMP,
-			},
-		)
-
-		acl.ApplyFiltering(networkMap)
-
-		// we should have one old and one new rule in the existed rules
-		if len(acl.rulesPairs) != 2 {
-			t.Errorf("firewall rules not applied")
-			return
-		}
-
-		// check that old rule was removed
-		previousCount := 0
-		for id := range acl.rulesPairs {
-			if _, ok := existedPairs[id]; ok {
-				previousCount++
-			}
-		}
-		if previousCount != 1 {
-			t.Errorf("old rule was not removed")
-		}
-	})
-
-	t.Run("handle default rules", func(t *testing.T) {
-		networkMap.FirewallRules = networkMap.FirewallRules[:0]
-
-		networkMap.FirewallRulesIsEmpty = true
-		if acl.ApplyFiltering(networkMap); len(acl.rulesPairs) != 0 {
-			t.Errorf("rules should be empty if FirewallRulesIsEmpty is set, got: %v", len(acl.rulesPairs))
-			return
-		}
-
-		networkMap.FirewallRulesIsEmpty = false
-		acl.ApplyFiltering(networkMap)
-		if len(acl.rulesPairs) != 2 {
-			t.Errorf("rules should contain 2 rules if FirewallRulesIsEmpty is not set, got: %v", len(acl.rulesPairs))
-			return
-		}
-	})
-}
-
-func TestDefaultManagerSquashRules(t *testing.T) {
-	networkMap := &mgmProto.NetworkMap{
-		RemotePeers: []*mgmProto.RemotePeerConfig{
-			{AllowedIps: []string{"10.93.0.1"}},
-			{AllowedIps: []string{"10.93.0.2"}},
-			{AllowedIps: []string{"10.93.0.3"}},
-			{AllowedIps: []string{"10.93.0.4"}},
-		},
-		FirewallRules: []*mgmProto.FirewallRule{
-			{
-				PeerIP:    "10.93.0.1",
-				Direction: mgmProto.FirewallRule_IN,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  mgmProto.FirewallRule_ALL,
-			},
-			{
-				PeerIP:    "10.93.0.2",
-				Direction: mgmProto.FirewallRule_IN,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  mgmProto.FirewallRule_ALL,
-			},
-			{
-				PeerIP:    "10.93.0.3",
-				Direction: mgmProto.FirewallRule_IN,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  mgmProto.FirewallRule_ALL,
-			},
-			{
-				PeerIP:    "10.93.0.4",
-				Direction: mgmProto.FirewallRule_IN,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  mgmProto.FirewallRule_ALL,
-			},
-			{
-				PeerIP:    "10.93.0.1",
-				Direction: mgmProto.FirewallRule_OUT,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  mgmProto.FirewallRule_ALL,
-			},
-			{
-				PeerIP:    "10.93.0.2",
-				Direction: mgmProto.FirewallRule_OUT,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  mgmProto.FirewallRule_ALL,
-			},
-			{
-				PeerIP:    "10.93.0.3",
-				Direction: mgmProto.FirewallRule_OUT,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  mgmProto.FirewallRule_ALL,
-			},
-			{
-				PeerIP:    "10.93.0.4",
-				Direction: mgmProto.FirewallRule_OUT,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  mgmProto.FirewallRule_ALL,
-			},
-		},
-	}
-
-	manager := &DefaultManager{}
-	rules, _ := manager.squashAcceptRules(networkMap)
-	if len(rules) != 2 {
-		t.Errorf("rules should contain 2, got: %v", rules)
-		return
-	}
-
-	r := rules[0]
-	if r.PeerIP != "0.0.0.0" {
-		t.Errorf("IP should be 0.0.0.0, got: %v", r.PeerIP)
-		return
-	} else if r.Direction != mgmProto.FirewallRule_IN {
-		t.Errorf("direction should be IN, got: %v", r.Direction)
-		return
-	} else if r.Protocol != mgmProto.FirewallRule_ALL {
-		t.Errorf("protocol should be ALL, got: %v", r.Protocol)
-		return
-	} else if r.Action != mgmProto.FirewallRule_ACCEPT {
-		t.Errorf("action should be ACCEPT, got: %v", r.Action)
-		return
-	}
-
-	r = rules[1]
-	if r.PeerIP != "0.0.0.0" {
-		t.Errorf("IP should be 0.0.0.0, got: %v", r.PeerIP)
-		return
-	} else if r.Direction != mgmProto.FirewallRule_OUT {
-		t.Errorf("direction should be OUT, got: %v", r.Direction)
-		return
-	} else if r.Protocol != mgmProto.FirewallRule_ALL {
-		t.Errorf("protocol should be ALL, got: %v", r.Protocol)
-		return
-	} else if r.Action != mgmProto.FirewallRule_ACCEPT {
-		t.Errorf("action should be ACCEPT, got: %v", r.Action)
-		return
-	}
-}
-
-func TestDefaultManagerSquashRulesNoAffect(t *testing.T) {
-	networkMap := &mgmProto.NetworkMap{
-		RemotePeers: []*mgmProto.RemotePeerConfig{
-			{AllowedIps: []string{"10.93.0.1"}},
-			{AllowedIps: []string{"10.93.0.2"}},
-			{AllowedIps: []string{"10.93.0.3"}},
-			{AllowedIps: []string{"10.93.0.4"}},
-		},
-		FirewallRules: []*mgmProto.FirewallRule{
-			{
-				PeerIP:    "10.93.0.1",
-				Direction: mgmProto.FirewallRule_IN,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  mgmProto.FirewallRule_ALL,
-			},
-			{
-				PeerIP:    "10.93.0.2",
-				Direction: mgmProto.FirewallRule_IN,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  mgmProto.FirewallRule_ALL,
-			},
-			{
-				PeerIP:    "10.93.0.3",
-				Direction: mgmProto.FirewallRule_IN,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  mgmProto.FirewallRule_ALL,
-			},
-			{
-				PeerIP:    "10.93.0.4",
-				Direction: mgmProto.FirewallRule_IN,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  mgmProto.FirewallRule_TCP,
-			},
-			{
-				PeerIP:    "10.93.0.1",
-				Direction: mgmProto.FirewallRule_OUT,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  mgmProto.FirewallRule_ALL,
-			},
-			{
-				PeerIP:    "10.93.0.2",
-				Direction: mgmProto.FirewallRule_OUT,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  mgmProto.FirewallRule_ALL,
-			},
-			{
-				PeerIP:    "10.93.0.3",
-				Direction: mgmProto.FirewallRule_OUT,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  mgmProto.FirewallRule_ALL,
-			},
-			{
-				PeerIP:    "10.93.0.4",
-				Direction: mgmProto.FirewallRule_OUT,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  mgmProto.FirewallRule_UDP,
-			},
-		},
-	}
-
-	manager := &DefaultManager{}
-	if rules, _ := manager.squashAcceptRules(networkMap); len(rules) != len(networkMap.FirewallRules) {
-		t.Errorf("we should got same amount of rules as intput, got %v", len(rules))
-	}
-}
-
-func TestDefaultManagerEnableSSHRules(t *testing.T) {
-	networkMap := &mgmProto.NetworkMap{
-		PeerConfig: &mgmProto.PeerConfig{
-			SshConfig: &mgmProto.SSHConfig{
-				SshEnabled: true,
-			},
-		},
-		RemotePeers: []*mgmProto.RemotePeerConfig{
-			{AllowedIps: []string{"10.93.0.1"}},
-			{AllowedIps: []string{"10.93.0.2"}},
-			{AllowedIps: []string{"10.93.0.3"}},
-		},
-		FirewallRules: []*mgmProto.FirewallRule{
-			{
-				PeerIP:    "10.93.0.1",
-				Direction: mgmProto.FirewallRule_IN,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  mgmProto.FirewallRule_TCP,
-			},
-			{
-				PeerIP:    "10.93.0.2",
-				Direction: mgmProto.FirewallRule_IN,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  mgmProto.FirewallRule_TCP,
-			},
-			{
-				PeerIP:    "10.93.0.3",
-				Direction: mgmProto.FirewallRule_OUT,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  mgmProto.FirewallRule_UDP,
-			},
-		},
-	}
-
-	ctrl := gomock.NewController(t)
-	defer ctrl.Finish()
-
-	iface := mocks.NewMockIFaceMapper(ctrl)
-	iface.EXPECT().IsUserspaceBind().Return(true)
-	// iface.EXPECT().Name().Return("lo")
-	iface.EXPECT().SetFilter(gomock.Any())
-
-	// we receive one rule from the management so for testing purposes ignore it
-	acl, err := Create(iface)
-	if err != nil {
-		t.Errorf("create ACL manager: %v", err)
-		return
-	}
-	defer acl.Stop()
-
-	acl.ApplyFiltering(networkMap)
-
-	if len(acl.rulesPairs) != 4 {
-		t.Errorf("expect 4 rules (last must be SSH), got: %d", len(acl.rulesPairs))
-		return
-	}
-}

client/internal/acl/mocks/README.md

@@ -1,7 +0,0 @@
-## Mocks
-
-To generate (or refresh) mocks from acl package please install [mockgen](https://github.com/golang/mock).
-Run this command from the `./client/internal/acl` folder to update iface mapper interface mock:
-```bash
-mockgen -destination mocks/iface_mapper.go -package mocks . IFaceMapper
-```

client/internal/acl/mocks/iface_mapper.go

@@ -1,91 +0,0 @@
-// Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/netbirdio/netbird/client/internal/acl (interfaces: IFaceMapper)
-
-// Package mocks is a generated GoMock package.
-package mocks
-
-import (
-	reflect "reflect"
-
-	gomock "github.com/golang/mock/gomock"
-	iface "github.com/netbirdio/netbird/iface"
-)
-
-// MockIFaceMapper is a mock of IFaceMapper interface.
-type MockIFaceMapper struct {
-	ctrl     *gomock.Controller
-	recorder *MockIFaceMapperMockRecorder
-}
-
-// MockIFaceMapperMockRecorder is the mock recorder for MockIFaceMapper.
-type MockIFaceMapperMockRecorder struct {
-	mock *MockIFaceMapper
-}
-
-// NewMockIFaceMapper creates a new mock instance.
-func NewMockIFaceMapper(ctrl *gomock.Controller) *MockIFaceMapper {
-	mock := &MockIFaceMapper{ctrl: ctrl}
-	mock.recorder = &MockIFaceMapperMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use.
-func (m *MockIFaceMapper) EXPECT() *MockIFaceMapperMockRecorder {
-	return m.recorder
-}
-
-// Address mocks base method.
-func (m *MockIFaceMapper) Address() iface.WGAddress {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "Address")
-	ret0, _ := ret[0].(iface.WGAddress)
-	return ret0
-}
-
-// Address indicates an expected call of Address.
-func (mr *MockIFaceMapperMockRecorder) Address() *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Address", reflect.TypeOf((*MockIFaceMapper)(nil).Address))
-}
-
-// IsUserspaceBind mocks base method.
-func (m *MockIFaceMapper) IsUserspaceBind() bool {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "IsUserspaceBind")
-	ret0, _ := ret[0].(bool)
-	return ret0
-}
-
-// IsUserspaceBind indicates an expected call of IsUserspaceBind.
-func (mr *MockIFaceMapperMockRecorder) IsUserspaceBind() *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IsUserspaceBind", reflect.TypeOf((*MockIFaceMapper)(nil).IsUserspaceBind))
-}
-
-// Name mocks base method.
-func (m *MockIFaceMapper) Name() string {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "Name")
-	ret0, _ := ret[0].(string)
-	return ret0
-}
-
-// Name indicates an expected call of Name.
-func (mr *MockIFaceMapperMockRecorder) Name() *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Name", reflect.TypeOf((*MockIFaceMapper)(nil).Name))
-}
-
-// SetFilter mocks base method.
-func (m *MockIFaceMapper) SetFilter(arg0 iface.PacketFilter) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "SetFilter", arg0)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// SetFilter indicates an expected call of SetFilter.
-func (mr *MockIFaceMapperMockRecorder) SetFilter(arg0 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetFilter", reflect.TypeOf((*MockIFaceMapper)(nil).SetFilter), arg0)
-}

client/internal/auth/device_flow.go

@@ -1,202 +0,0 @@
-package auth
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"github.com/netbirdio/netbird/client/internal"
-	"io"
-	"net/http"
-	"net/url"
-	"strings"
-	"time"
-)
-
-// HostedGrantType grant type for device flow on Hosted
-const (
-	HostedGrantType = "urn:ietf:params:oauth:grant-type:device_code"
-)
-
-var _ OAuthFlow = &DeviceAuthorizationFlow{}
-
-// DeviceAuthorizationFlow implements the OAuthFlow interface,
-// for the Device Authorization Flow.
-type DeviceAuthorizationFlow struct {
-	providerConfig internal.DeviceAuthProviderConfig
-
-	HTTPClient HTTPClient
-}
-
-// RequestDeviceCodePayload used for request device code payload for auth0
-type RequestDeviceCodePayload struct {
-	Audience string `json:"audience"`
-	ClientID string `json:"client_id"`
-	Scope    string `json:"scope"`
-}
-
-// TokenRequestPayload used for requesting the auth0 token
-type TokenRequestPayload struct {
-	GrantType    string `json:"grant_type"`
-	DeviceCode   string `json:"device_code,omitempty"`
-	ClientID     string `json:"client_id"`
-	RefreshToken string `json:"refresh_token,omitempty"`
-}
-
-// TokenRequestResponse used for parsing Hosted token's response
-type TokenRequestResponse struct {
-	Error            string `json:"error"`
-	ErrorDescription string `json:"error_description"`
-	TokenInfo
-}
-
-// NewDeviceAuthorizationFlow returns device authorization flow client
-func NewDeviceAuthorizationFlow(config internal.DeviceAuthProviderConfig) (*DeviceAuthorizationFlow, error) {
-	httpTransport := http.DefaultTransport.(*http.Transport).Clone()
-	httpTransport.MaxIdleConns = 5
-
-	httpClient := &http.Client{
-		Timeout:   10 * time.Second,
-		Transport: httpTransport,
-	}
-
-	return &DeviceAuthorizationFlow{
-		providerConfig: config,
-		HTTPClient:     httpClient,
-	}, nil
-}
-
-// GetClientID returns the provider client id
-func (d *DeviceAuthorizationFlow) GetClientID(ctx context.Context) string {
-	return d.providerConfig.ClientID
-}
-
-// RequestAuthInfo requests a device code login flow information from Hosted
-func (d *DeviceAuthorizationFlow) RequestAuthInfo(ctx context.Context) (AuthFlowInfo, error) {
-	form := url.Values{}
-	form.Add("client_id", d.providerConfig.ClientID)
-	form.Add("audience", d.providerConfig.Audience)
-	form.Add("scope", d.providerConfig.Scope)
-	req, err := http.NewRequest("POST", d.providerConfig.DeviceAuthEndpoint,
-		strings.NewReader(form.Encode()))
-	if err != nil {
-		return AuthFlowInfo{}, fmt.Errorf("creating request failed with error: %v", err)
-	}
-	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
-
-	res, err := d.HTTPClient.Do(req)
-	if err != nil {
-		return AuthFlowInfo{}, fmt.Errorf("doing request failed with error: %v", err)
-	}
-
-	defer res.Body.Close()
-	body, err := io.ReadAll(res.Body)
-	if err != nil {
-		return AuthFlowInfo{}, fmt.Errorf("reading body failed with error: %v", err)
-	}
-
-	if res.StatusCode != 200 {
-		return AuthFlowInfo{}, fmt.Errorf("request device code returned status %d error: %s", res.StatusCode, string(body))
-	}
-
-	deviceCode := AuthFlowInfo{}
-	err = json.Unmarshal(body, &deviceCode)
-	if err != nil {
-		return AuthFlowInfo{}, fmt.Errorf("unmarshaling response failed with error: %v", err)
-	}
-
-	// Fallback to the verification_uri if the IdP doesn't support verification_uri_complete
-	if deviceCode.VerificationURIComplete == "" {
-		deviceCode.VerificationURIComplete = deviceCode.VerificationURI
-	}
-
-	return deviceCode, err
-}
-
-func (d *DeviceAuthorizationFlow) requestToken(info AuthFlowInfo) (TokenRequestResponse, error) {
-	form := url.Values{}
-	form.Add("client_id", d.providerConfig.ClientID)
-	form.Add("grant_type", HostedGrantType)
-	form.Add("device_code", info.DeviceCode)
-
-	req, err := http.NewRequest("POST", d.providerConfig.TokenEndpoint, strings.NewReader(form.Encode()))
-	if err != nil {
-		return TokenRequestResponse{}, fmt.Errorf("failed to create request access token: %v", err)
-	}
-	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
-
-	res, err := d.HTTPClient.Do(req)
-	if err != nil {
-		return TokenRequestResponse{}, fmt.Errorf("failed to request access token with error: %v", err)
-	}
-
-	defer func() {
-		err := res.Body.Close()
-		if err != nil {
-			return
-		}
-	}()
-
-	body, err := io.ReadAll(res.Body)
-	if err != nil {
-		return TokenRequestResponse{}, fmt.Errorf("failed reading access token response body with error: %v", err)
-	}
-
-	if res.StatusCode > 499 {
-		return TokenRequestResponse{}, fmt.Errorf("access token response returned code: %s", string(body))
-	}
-
-	tokenResponse := TokenRequestResponse{}
-	err = json.Unmarshal(body, &tokenResponse)
-	if err != nil {
-		return TokenRequestResponse{}, fmt.Errorf("parsing token response failed with error: %v", err)
-	}
-
-	return tokenResponse, nil
-}
-
-// WaitToken waits user's login and authorize the app. Once the user's authorize
-// it retrieves the access token from Hosted's endpoint and validates it before returning
-func (d *DeviceAuthorizationFlow) WaitToken(ctx context.Context, info AuthFlowInfo) (TokenInfo, error) {
-	interval := time.Duration(info.Interval) * time.Second
-	ticker := time.NewTicker(interval)
-	for {
-		select {
-		case <-ctx.Done():
-			return TokenInfo{}, ctx.Err()
-		case <-ticker.C:
-
-			tokenResponse, err := d.requestToken(info)
-			if err != nil {
-				return TokenInfo{}, fmt.Errorf("parsing token response failed with error: %v", err)
-			}
-
-			if tokenResponse.Error != "" {
-				if tokenResponse.Error == "authorization_pending" {
-					continue
-				} else if tokenResponse.Error == "slow_down" {
-					interval = interval + (3 * time.Second)
-					ticker.Reset(interval)
-					continue
-				}
-
-				return TokenInfo{}, fmt.Errorf(tokenResponse.ErrorDescription)
-			}
-
-			tokenInfo := TokenInfo{
-				AccessToken:  tokenResponse.AccessToken,
-				TokenType:    tokenResponse.TokenType,
-				RefreshToken: tokenResponse.RefreshToken,
-				IDToken:      tokenResponse.IDToken,
-				ExpiresIn:    tokenResponse.ExpiresIn,
-				UseIDToken:   d.providerConfig.UseIDToken,
-			}
-
-			err = isValidAccessToken(tokenInfo.GetTokenToUse(), d.providerConfig.Audience)
-			if err != nil {
-				return TokenInfo{}, fmt.Errorf("validate access token failed with error: %v", err)
-			}
-
-			return tokenInfo, err
-		}
-	}
-}

client/internal/auth/oauth.go

@@ -1,90 +0,0 @@
-package auth
-
-import (
-	"context"
-	"fmt"
-	"net/http"
-
-	log "github.com/sirupsen/logrus"
-	"google.golang.org/grpc/codes"
-	gstatus "google.golang.org/grpc/status"
-
-	"github.com/netbirdio/netbird/client/internal"
-)
-
-// OAuthFlow represents an interface for authorization using different OAuth 2.0 flows
-type OAuthFlow interface {
-	RequestAuthInfo(ctx context.Context) (AuthFlowInfo, error)
-	WaitToken(ctx context.Context, info AuthFlowInfo) (TokenInfo, error)
-	GetClientID(ctx context.Context) string
-}
-
-// HTTPClient http client interface for API calls
-type HTTPClient interface {
-	Do(req *http.Request) (*http.Response, error)
-}
-
-// AuthFlowInfo holds information for the OAuth 2.0  authorization flow
-type AuthFlowInfo struct {
-	DeviceCode              string `json:"device_code"`
-	UserCode                string `json:"user_code"`
-	VerificationURI         string `json:"verification_uri"`
-	VerificationURIComplete string `json:"verification_uri_complete"`
-	ExpiresIn               int    `json:"expires_in"`
-	Interval                int    `json:"interval"`
-}
-
-// Claims used when validating the access token
-type Claims struct {
-	Audience interface{} `json:"aud"`
-}
-
-// TokenInfo holds information of issued access token
-type TokenInfo struct {
-	AccessToken  string `json:"access_token"`
-	RefreshToken string `json:"refresh_token"`
-	IDToken      string `json:"id_token"`
-	TokenType    string `json:"token_type"`
-	ExpiresIn    int    `json:"expires_in"`
-	UseIDToken   bool   `json:"-"`
-}
-
-// GetTokenToUse returns either the access or id token based on UseIDToken field
-func (t TokenInfo) GetTokenToUse() string {
-	if t.UseIDToken {
-		return t.IDToken
-	}
-	return t.AccessToken
-}
-
-// NewOAuthFlow initializes and returns the appropriate OAuth flow based on the management configuration.
-func NewOAuthFlow(ctx context.Context, config *internal.Config) (OAuthFlow, error) {
-	log.Debug("getting device authorization flow info")
-
-	// Try to initialize the Device Authorization Flow
-	deviceFlowInfo, err := internal.GetDeviceAuthorizationFlowInfo(ctx, config.PrivateKey, config.ManagementURL)
-	if err == nil {
-		return NewDeviceAuthorizationFlow(deviceFlowInfo.ProviderConfig)
-	}
-
-	log.Debugf("getting device authorization flow info failed with error: %v", err)
-	log.Debugf("falling back to pkce authorization flow info")
-
-	// If Device Authorization Flow failed, try the PKCE Authorization Flow
-	pkceFlowInfo, err := internal.GetPKCEAuthorizationFlowInfo(ctx, config.PrivateKey, config.ManagementURL)
-	if err != nil {
-		s, ok := gstatus.FromError(err)
-		if ok && s.Code() == codes.NotFound {
-			return nil, fmt.Errorf("no SSO provider returned from management. " +
-				"If you are using hosting Netbird see documentation at " +
-				"https://github.com/netbirdio/netbird/tree/main/management for details")
-		} else if ok && s.Code() == codes.Unimplemented {
-			return nil, fmt.Errorf("the management server, %s, does not support SSO providers, "+
-				"please update your server or use Setup Keys to login", config.ManagementURL)
-		} else {
-			return nil, fmt.Errorf("getting pkce authorization flow info failed with error: %v", err)
-		}
-	}
-
-	return NewPKCEAuthorizationFlow(pkceFlowInfo.ProviderConfig)
-}

client/internal/auth/pkce_flow.go

@@ -1,245 +0,0 @@
-package auth
-
-import (
-	"context"
-	"crypto/sha256"
-	"crypto/subtle"
-	"encoding/base64"
-	"fmt"
-	"html/template"
-	"net"
-	"net/http"
-	"net/url"
-	"strings"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-	"golang.org/x/oauth2"
-
-	"github.com/netbirdio/netbird/client/internal"
-	"github.com/netbirdio/netbird/client/internal/templates"
-)
-
-var _ OAuthFlow = &PKCEAuthorizationFlow{}
-
-const (
-	queryState                = "state"
-	queryCode                 = "code"
-	queryError                = "error"
-	queryErrorDesc            = "error_description"
-	defaultPKCETimeoutSeconds = 300
-)
-
-// PKCEAuthorizationFlow implements the OAuthFlow interface for
-// the Authorization Code Flow with PKCE.
-type PKCEAuthorizationFlow struct {
-	providerConfig internal.PKCEAuthProviderConfig
-	state          string
-	codeVerifier   string
-	oAuthConfig    *oauth2.Config
-}
-
-// NewPKCEAuthorizationFlow returns new PKCE authorization code flow.
-func NewPKCEAuthorizationFlow(config internal.PKCEAuthProviderConfig) (*PKCEAuthorizationFlow, error) {
-	var availableRedirectURL string
-
-	// find the first available redirect URL
-	for _, redirectURL := range config.RedirectURLs {
-		if !isRedirectURLPortUsed(redirectURL) {
-			availableRedirectURL = redirectURL
-			break
-		}
-	}
-
-	if availableRedirectURL == "" {
-		return nil, fmt.Errorf("no available port found from configured redirect URLs: %q", config.RedirectURLs)
-	}
-
-	cfg := &oauth2.Config{
-		ClientID:     config.ClientID,
-		ClientSecret: config.ClientSecret,
-		Endpoint: oauth2.Endpoint{
-			AuthURL:  config.AuthorizationEndpoint,
-			TokenURL: config.TokenEndpoint,
-		},
-		RedirectURL: availableRedirectURL,
-		Scopes:      strings.Split(config.Scope, " "),
-	}
-
-	return &PKCEAuthorizationFlow{
-		providerConfig: config,
-		oAuthConfig:    cfg,
-	}, nil
-}
-
-// GetClientID returns the provider client id
-func (p *PKCEAuthorizationFlow) GetClientID(_ context.Context) string {
-	return p.providerConfig.ClientID
-}
-
-// RequestAuthInfo requests a authorization code login flow information.
-func (p *PKCEAuthorizationFlow) RequestAuthInfo(_ context.Context) (AuthFlowInfo, error) {
-	state, err := randomBytesInHex(24)
-	if err != nil {
-		return AuthFlowInfo{}, fmt.Errorf("could not generate random state: %v", err)
-	}
-	p.state = state
-
-	codeVerifier, err := randomBytesInHex(64)
-	if err != nil {
-		return AuthFlowInfo{}, fmt.Errorf("could not create a code verifier: %v", err)
-	}
-	p.codeVerifier = codeVerifier
-
-	codeChallenge := createCodeChallenge(codeVerifier)
-	authURL := p.oAuthConfig.AuthCodeURL(
-		state,
-		oauth2.SetAuthURLParam("code_challenge_method", "S256"),
-		oauth2.SetAuthURLParam("code_challenge", codeChallenge),
-		oauth2.SetAuthURLParam("audience", p.providerConfig.Audience),
-	)
-
-	return AuthFlowInfo{
-		VerificationURIComplete: authURL,
-		ExpiresIn:               defaultPKCETimeoutSeconds,
-	}, nil
-}
-
-// WaitToken waits for the OAuth token in the PKCE Authorization Flow.
-// It starts an HTTP server to receive the OAuth token callback and waits for the token or an error.
-// Once the token is received, it is converted to TokenInfo and validated before returning.
-func (p *PKCEAuthorizationFlow) WaitToken(ctx context.Context, _ AuthFlowInfo) (TokenInfo, error) {
-	tokenChan := make(chan *oauth2.Token, 1)
-	errChan := make(chan error, 1)
-
-	go p.startServer(tokenChan, errChan)
-
-	select {
-	case <-ctx.Done():
-		return TokenInfo{}, ctx.Err()
-	case token := <-tokenChan:
-		return p.handleOAuthToken(token)
-	case err := <-errChan:
-		return TokenInfo{}, err
-	}
-}
-
-func (p *PKCEAuthorizationFlow) startServer(tokenChan chan<- *oauth2.Token, errChan chan<- error) {
-	parsedURL, err := url.Parse(p.oAuthConfig.RedirectURL)
-	if err != nil {
-		errChan <- fmt.Errorf("failed to parse redirect URL: %v", err)
-		return
-	}
-	port := parsedURL.Port()
-
-	server := http.Server{Addr: fmt.Sprintf(":%s", port)}
-	defer func() {
-		if err := server.Shutdown(context.Background()); err != nil {
-			log.Errorf("error while shutting down pkce flow server: %v", err)
-		}
-	}()
-
-	http.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {
-		tokenValidatorFunc := func() (*oauth2.Token, error) {
-			query := req.URL.Query()
-
-			if authError := query.Get(queryError); authError != "" {
-				authErrorDesc := query.Get(queryErrorDesc)
-				return nil, fmt.Errorf("%s.%s", authError, authErrorDesc)
-			}
-
-			// Prevent timing attacks on state
-			if state := query.Get(queryState); subtle.ConstantTimeCompare([]byte(p.state), []byte(state)) == 0 {
-				return nil, fmt.Errorf("invalid state")
-			}
-
-			code := query.Get(queryCode)
-			if code == "" {
-				return nil, fmt.Errorf("missing code")
-			}
-
-			return p.oAuthConfig.Exchange(
-				req.Context(),
-				code,
-				oauth2.SetAuthURLParam("code_verifier", p.codeVerifier),
-			)
-		}
-
-		token, err := tokenValidatorFunc()
-		if err != nil {
-			renderPKCEFlowTmpl(w, err)
-			errChan <- fmt.Errorf("PKCE authorization flow failed: %v", err)
-			return
-		}
-
-		renderPKCEFlowTmpl(w, nil)
-		tokenChan <- token
-	})
-
-	if err := server.ListenAndServe(); err != nil {
-		errChan <- err
-	}
-}
-
-func (p *PKCEAuthorizationFlow) handleOAuthToken(token *oauth2.Token) (TokenInfo, error) {
-	tokenInfo := TokenInfo{
-		AccessToken:  token.AccessToken,
-		RefreshToken: token.RefreshToken,
-		TokenType:    token.TokenType,
-		ExpiresIn:    token.Expiry.Second(),
-		UseIDToken:   p.providerConfig.UseIDToken,
-	}
-	if idToken, ok := token.Extra("id_token").(string); ok {
-		tokenInfo.IDToken = idToken
-	}
-
-	if err := isValidAccessToken(tokenInfo.GetTokenToUse(), p.providerConfig.Audience); err != nil {
-		return TokenInfo{}, fmt.Errorf("validate access token failed with error: %v", err)
-	}
-
-	return tokenInfo, nil
-}
-
-func createCodeChallenge(codeVerifier string) string {
-	sha2 := sha256.Sum256([]byte(codeVerifier))
-	return base64.RawURLEncoding.EncodeToString(sha2[:])
-}
-
-// isRedirectURLPortUsed checks if the port used in the redirect URL is in use.
-func isRedirectURLPortUsed(redirectURL string) bool {
-	parsedURL, err := url.Parse(redirectURL)
-	if err != nil {
-		log.Errorf("failed to parse redirect URL: %v", err)
-		return true
-	}
-
-	addr := fmt.Sprintf(":%s", parsedURL.Port())
-	conn, err := net.DialTimeout("tcp", addr, 3*time.Second)
-	if err != nil {
-		return false
-	}
-	defer func() {
-		if err := conn.Close(); err != nil {
-			log.Errorf("error while closing the connection: %v", err)
-		}
-	}()
-
-	return true
-}
-
-func renderPKCEFlowTmpl(w http.ResponseWriter, authError error) {
-	tmpl, err := template.New("pkce-auth-flow").Parse(templates.PKCEAuthMsgTmpl)
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-		return
-	}
-
-	data := make(map[string]string)
-	if authError != nil {
-		data["Error"] = authError.Error()
-	}
-
-	if err := tmpl.Execute(w, data); err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-	}
-}

client/internal/auth/util.go

@@ -1,62 +0,0 @@
-package auth
-
-import (
-	"crypto/rand"
-	"encoding/base64"
-	"encoding/hex"
-	"encoding/json"
-	"fmt"
-	"io"
-	"reflect"
-	"strings"
-)
-
-func randomBytesInHex(count int) (string, error) {
-	buf := make([]byte, count)
-	_, err := io.ReadFull(rand.Reader, buf)
-	if err != nil {
-		return "", fmt.Errorf("could not generate %d random bytes: %v", count, err)
-	}
-
-	return hex.EncodeToString(buf), nil
-}
-
-// isValidAccessToken is a simple validation of the access token
-func isValidAccessToken(token string, audience string) error {
-	if token == "" {
-		return fmt.Errorf("token received is empty")
-	}
-
-	encodedClaims := strings.Split(token, ".")[1]
-	claimsString, err := base64.RawURLEncoding.DecodeString(encodedClaims)
-	if err != nil {
-		return err
-	}
-
-	claims := Claims{}
-	err = json.Unmarshal(claimsString, &claims)
-	if err != nil {
-		return err
-	}
-
-	if claims.Audience == nil {
-		return fmt.Errorf("required token field audience is absent")
-	}
-
-	// Audience claim of JWT can be a string or an array of strings
-	typ := reflect.TypeOf(claims.Audience)
-	switch typ.Kind() {
-	case reflect.String:
-		if claims.Audience == audience {
-			return nil
-		}
-	case reflect.Slice:
-		for _, aud := range claims.Audience.([]interface{}) {
-			if audience == aud {
-				return nil
-			}
-		}
-	}
-
-	return fmt.Errorf("invalid JWT token audience field")
-}

client/internal/config.go

@@ -215,12 +215,10 @@ func update(input ConfigInput) (*Config, error) {
 	}
 
 	if input.PreSharedKey != nil && config.PreSharedKey != *input.PreSharedKey {
-		if *input.PreSharedKey != "" {
-			log.Infof("new pre-shared key provides, updated to %s (old value %s)",
-				*input.PreSharedKey, config.PreSharedKey)
-			config.PreSharedKey = *input.PreSharedKey
-			refresh = true
-		}
+		log.Infof("new pre-shared key provided, updated to %s (old value %s)",
+			*input.PreSharedKey, config.PreSharedKey)
+		config.PreSharedKey = *input.PreSharedKey
+		refresh = true
 	}
 
 	if config.SSHKey == "" {

client/internal/config_test.go

@@ -63,22 +63,7 @@ func TestGetConfig(t *testing.T) {
 	assert.Equal(t, config.ManagementURL.String(), managementURL)
 	assert.Equal(t, config.PreSharedKey, preSharedKey)
 
-	// case 4: new empty pre-shared key config -> fetch it
-	newPreSharedKey := ""
-	config, err = UpdateOrCreateConfig(ConfigInput{
-		ManagementURL: managementURL,
-		AdminURL:      adminURL,
-		ConfigPath:    path,
-		PreSharedKey:  &newPreSharedKey,
-	})
-	if err != nil {
-		return
-	}
-
-	assert.Equal(t, config.ManagementURL.String(), managementURL)
-	assert.Equal(t, config.PreSharedKey, preSharedKey)
-
-	// case 5: existing config, but new managementURL has been provided -> update config
+	// case 4: existing config, but new managementURL has been provided -> update config
 	newManagementURL := "https://test.newManagement.url:33071"
 	config, err = UpdateOrCreateConfig(ConfigInput{
 		ManagementURL: newManagementURL,

client/internal/connect.go

@@ -12,9 +12,7 @@ import (
 	"google.golang.org/grpc/codes"
 	gstatus "google.golang.org/grpc/status"
 
-	"github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/client/internal/routemanager"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/netbirdio/netbird/client/ssh"
 	"github.com/netbirdio/netbird/client/system"
@@ -25,24 +23,7 @@ import (
 )
 
 // RunClient with main logic.
-func RunClient(ctx context.Context, config *Config, statusRecorder *peer.Status) error {
-	return runClient(ctx, config, statusRecorder, MobileDependency{})
-}
-
-// RunClientMobile with main logic on mobile system
-func RunClientMobile(ctx context.Context, config *Config, statusRecorder *peer.Status, tunAdapter iface.TunAdapter, iFaceDiscover stdnet.ExternalIFaceDiscover, routeListener routemanager.RouteListener, dnsAddresses []string, dnsReadyListener dns.ReadyListener) error {
-	// in case of non Android os these variables will be nil
-	mobileDependency := MobileDependency{
-		TunAdapter:       tunAdapter,
-		IFaceDiscover:    iFaceDiscover,
-		RouteListener:    routeListener,
-		HostDNSAddresses: dnsAddresses,
-		DnsReadyListener: dnsReadyListener,
-	}
-	return runClient(ctx, config, statusRecorder, mobileDependency)
-}
-
-func runClient(ctx context.Context, config *Config, statusRecorder *peer.Status, mobileDependency MobileDependency) error {
+func RunClient(ctx context.Context, config *Config, statusRecorder *peer.Status, tunAdapter iface.TunAdapter, iFaceDiscover stdnet.ExternalIFaceDiscover) error {
 	backOff := &backoff.ExponentialBackOff{
 		InitialInterval:     time.Second,
 		RandomizationFactor: 1,
@@ -163,13 +144,13 @@ func runClient(ctx context.Context, config *Config, statusRecorder *peer.Status,
 
 		peerConfig := loginResp.GetPeerConfig()
 
-		engineConfig, err := createEngineConfig(myPrivateKey, config, peerConfig)
+		engineConfig, err := createEngineConfig(myPrivateKey, config, peerConfig, tunAdapter, iFaceDiscover)
 		if err != nil {
 			log.Error(err)
 			return wrapErr(err)
 		}
 
-		engine := NewEngine(engineCtx, cancel, signalClient, mgmClient, engineConfig, mobileDependency, statusRecorder)
+		engine := NewEngine(engineCtx, cancel, signalClient, mgmClient, engineConfig, statusRecorder)
 		err = engine.Start()
 		if err != nil {
 			log.Errorf("error while starting Netbird Connection Engine: %s", err)
@@ -213,10 +194,13 @@ func runClient(ctx context.Context, config *Config, statusRecorder *peer.Status,
 }
 
 // createEngineConfig converts configuration received from Management Service to EngineConfig
-func createEngineConfig(key wgtypes.Key, config *Config, peerConfig *mgmProto.PeerConfig) (*EngineConfig, error) {
+func createEngineConfig(key wgtypes.Key, config *Config, peerConfig *mgmProto.PeerConfig, tunAdapter iface.TunAdapter, iFaceDiscover stdnet.ExternalIFaceDiscover) (*EngineConfig, error) {
+
 	engineConf := &EngineConfig{
 		WgIfaceName:          config.WgIface,
 		WgAddr:               peerConfig.Address,
+		TunAdapter:           tunAdapter,
+		IFaceDiscover:        iFaceDiscover,
 		IFaceBlackList:       config.IFaceBlackList,
 		DisableIPv6Discovery: config.DisableIPv6Discovery,
 		WgPrivateKey:         key,

client/internal/device_auth.go

@@ -16,11 +16,11 @@ import (
 // DeviceAuthorizationFlow represents Device Authorization Flow information
 type DeviceAuthorizationFlow struct {
 	Provider       string
-	ProviderConfig DeviceAuthProviderConfig
+	ProviderConfig ProviderConfig
 }
 
-// DeviceAuthProviderConfig has all attributes needed to initiate a device authorization flow
-type DeviceAuthProviderConfig struct {
+// ProviderConfig has all attributes needed to initiate a device authorization flow
+type ProviderConfig struct {
 	// ClientID An IDP application client id
 	ClientID string
 	// ClientSecret An IDP application client secret
@@ -88,7 +88,7 @@ func GetDeviceAuthorizationFlowInfo(ctx context.Context, privateKey string, mgmU
 	deviceAuthorizationFlow := DeviceAuthorizationFlow{
 		Provider: protoDeviceAuthorizationFlow.Provider.String(),
 
-		ProviderConfig: DeviceAuthProviderConfig{
+		ProviderConfig: ProviderConfig{
 			Audience:           protoDeviceAuthorizationFlow.GetProviderConfig().GetAudience(),
 			ClientID:           protoDeviceAuthorizationFlow.GetProviderConfig().GetClientID(),
 			ClientSecret:       protoDeviceAuthorizationFlow.GetProviderConfig().GetClientSecret(),
@@ -105,7 +105,7 @@ func GetDeviceAuthorizationFlowInfo(ctx context.Context, privateKey string, mgmU
 		deviceAuthorizationFlow.ProviderConfig.Scope = "openid"
 	}
 
-	err = isDeviceAuthProviderConfigValid(deviceAuthorizationFlow.ProviderConfig)
+	err = isProviderConfigValid(deviceAuthorizationFlow.ProviderConfig)
 	if err != nil {
 		return DeviceAuthorizationFlow{}, err
 	}
@@ -113,7 +113,7 @@ func GetDeviceAuthorizationFlowInfo(ctx context.Context, privateKey string, mgmU
 	return deviceAuthorizationFlow, nil
 }
 
-func isDeviceAuthProviderConfigValid(config DeviceAuthProviderConfig) error {
+func isProviderConfigValid(config ProviderConfig) error {
 	errorMSGFormat := "invalid provider configuration received from management: %s value is empty. Contact your NetBird administrator"
 	if config.Audience == "" {
 		return fmt.Errorf(errorMSGFormat, "Audience")

client/internal/dns/dbus_linux.go

@@ -1,5 +1,3 @@
-//go:build !android
-
 package dns
 
 import (

client/internal/dns/file_linux.go

@@ -1,5 +1,3 @@
-//go:build !android
-
 package dns
 
 import (
@@ -15,8 +13,7 @@ const (
 	fileGeneratedResolvConfSearchBeginContent = "search "
 	fileGeneratedResolvConfContentFormat      = fileGeneratedResolvConfContentHeader +
 		"\n# If needed you can restore the original file by copying back %s\n\nnameserver %s\n" +
-		fileGeneratedResolvConfSearchBeginContent + "%s\n\n" +
-		"%s\n"
+		fileGeneratedResolvConfSearchBeginContent + "%s\n"
 )
 
 const (
@@ -35,10 +32,6 @@ func newFileConfigurator() (hostManager, error) {
 	return &fileConfigurator{}, nil
 }
 
-func (f *fileConfigurator) supportCustomPort() bool {
-	return false
-}
-
 func (f *fileConfigurator) applyDNSConfig(config hostDNSConfig) error {
 	backupFileExist := false
 	_, err := os.Stat(fileDefaultResolvConfBackupLocation)
@@ -92,12 +85,7 @@ func (f *fileConfigurator) applyDNSConfig(config hostDNSConfig) error {
 		searchDomains += " " + dConf.domain
 		appendedDomains++
 	}
-
-	originalContent, err := os.ReadFile(fileDefaultResolvConfBackupLocation)
-	if err != nil {
-		log.Errorf("Could not read existing resolv.conf")
-	}
-	content := fmt.Sprintf(fileGeneratedResolvConfContentFormat, fileDefaultResolvConfBackupLocation, config.serverIP, searchDomains, string(originalContent))
+	content := fmt.Sprintf(fileGeneratedResolvConfContentFormat, fileDefaultResolvConfBackupLocation, config.serverIP, searchDomains)
 	err = writeDNSConfig(content, defaultResolvConfPath, f.originalPerms)
 	if err != nil {
 		err = f.restore()

client/internal/dns/host.go

@@ -10,7 +10,6 @@ import (
 type hostManager interface {
 	applyDNSConfig(config hostDNSConfig) error
 	restoreHostDNS() error
-	supportCustomPort() bool
 }
 
 type hostDNSConfig struct {
@@ -27,9 +26,8 @@ type domainConfig struct {
 }
 
 type mockHostConfigurator struct {
-	applyDNSConfigFunc    func(config hostDNSConfig) error
-	restoreHostDNSFunc    func() error
-	supportCustomPortFunc func() bool
+	applyDNSConfigFunc func(config hostDNSConfig) error
+	restoreHostDNSFunc func() error
 }
 
 func (m *mockHostConfigurator) applyDNSConfig(config hostDNSConfig) error {
@@ -46,18 +44,10 @@ func (m *mockHostConfigurator) restoreHostDNS() error {
 	return fmt.Errorf("method restoreHostDNS is not implemented")
 }
 
-func (m *mockHostConfigurator) supportCustomPort() bool {
-	if m.supportCustomPortFunc != nil {
-		return m.supportCustomPortFunc()
-	}
-	return false
-}
-
 func newNoopHostMocker() hostManager {
 	return &mockHostConfigurator{
-		applyDNSConfigFunc:    func(config hostDNSConfig) error { return nil },
-		restoreHostDNSFunc:    func() error { return nil },
-		supportCustomPortFunc: func() bool { return true },
+		applyDNSConfigFunc: func(config hostDNSConfig) error { return nil },
+		restoreHostDNSFunc: func() error { return nil },
 	}
 }
 

client/internal/dns/host_android.go

@@ -1,20 +0,0 @@
-package dns
-
-type androidHostManager struct {
-}
-
-func newHostManager(wgInterface WGIface) (hostManager, error) {
-	return &androidHostManager{}, nil
-}
-
-func (a androidHostManager) applyDNSConfig(config hostDNSConfig) error {
-	return nil
-}
-
-func (a androidHostManager) restoreHostDNS() error {
-	return nil
-}
-
-func (a androidHostManager) supportCustomPort() bool {
-	return false
-}

client/internal/dns/host_darwin.go

@@ -8,6 +8,7 @@ import (
 	"strconv"
 	"strings"
 
+	"github.com/netbirdio/netbird/iface"
 	log "github.com/sirupsen/logrus"
 )
 
@@ -32,16 +33,12 @@ type systemConfigurator struct {
 	createdKeys      map[string]struct{}
 }
 
-func newHostManager(_ WGIface) (hostManager, error) {
+func newHostManager(_ *iface.WGIface) (hostManager, error) {
 	return &systemConfigurator{
 		createdKeys: make(map[string]struct{}),
 	}, nil
 }
 
-func (s *systemConfigurator) supportCustomPort() bool {
-	return true
-}
-
 func (s *systemConfigurator) applyDNSConfig(config hostDNSConfig) error {
 	var err error
 
@@ -182,11 +179,12 @@ func (s *systemConfigurator) addDNSState(state, domains, dnsServer string, port
 }
 
 func (s *systemConfigurator) addDNSSetupForAll(dnsServer string, port int) error {
-	primaryServiceKey, existingNameserver := s.getPrimaryService()
+	primaryServiceKey := s.getPrimaryService()
 	if primaryServiceKey == "" {
 		return fmt.Errorf("couldn't find the primary service key")
 	}
-	err := s.addDNSSetup(getKeyWithInput(primaryServiceSetupKeyFormat, primaryServiceKey), dnsServer, port, existingNameserver)
+
+	err := s.addDNSSetup(getKeyWithInput(primaryServiceSetupKeyFormat, primaryServiceKey), dnsServer, port)
 	if err != nil {
 		return err
 	}
@@ -195,32 +193,27 @@ func (s *systemConfigurator) addDNSSetupForAll(dnsServer string, port int) error
 	return nil
 }
 
-func (s *systemConfigurator) getPrimaryService() (string, string) {
+func (s *systemConfigurator) getPrimaryService() string {
 	line := buildCommandLine("show", globalIPv4State, "")
 	stdinCommands := wrapCommand(line)
 	b, err := runSystemConfigCommand(stdinCommands)
 	if err != nil {
 		log.Error("got error while sending the command: ", err)
-		return "", ""
+		return ""
 	}
 	scanner := bufio.NewScanner(bytes.NewReader(b))
-	primaryService := ""
-	router := ""
 	for scanner.Scan() {
 		text := scanner.Text()
 		if strings.Contains(text, "PrimaryService") {
-			primaryService = strings.TrimSpace(strings.Split(text, ":")[1])
-		}
-		if strings.Contains(text, "Router") {
-			router = strings.TrimSpace(strings.Split(text, ":")[1])
+			return strings.TrimSpace(strings.Split(text, ":")[1])
 		}
 	}
-	return primaryService, router
+	return ""
 }
 
-func (s *systemConfigurator) addDNSSetup(setupKey, dnsServer string, port int, existingDNSServer string) error {
+func (s *systemConfigurator) addDNSSetup(setupKey, dnsServer string, port int) error {
 	lines := buildAddCommandLine(keySupplementalMatchDomainsNoSearch, digitSymbol+strconv.Itoa(0))
-	lines += buildAddCommandLine(keyServerAddresses, arraySymbol+dnsServer+" "+existingDNSServer)
+	lines += buildAddCommandLine(keyServerAddresses, arraySymbol+dnsServer)
 	lines += buildAddCommandLine(keyServerPort, digitSymbol+strconv.Itoa(port))
 	addDomainCommand := buildCreateStateWithOperation(setupKey, lines)
 	stdinCommands := wrapCommand(addDomainCommand)

client/internal/dns/host_linux.go

@@ -1,14 +1,12 @@
-//go:build !android
-
 package dns
 
 import (
 	"bufio"
 	"fmt"
+	"github.com/netbirdio/netbird/iface"
+	log "github.com/sirupsen/logrus"
 	"os"
 	"strings"
-
-	log "github.com/sirupsen/logrus"
 )
 
 const (
@@ -25,7 +23,7 @@ const (
 
 type osManagerType int
 
-func newHostManager(wgInterface WGIface) (hostManager, error) {
+func newHostManager(wgInterface *iface.WGIface) (hostManager, error) {
 	osManager, err := getOSDNSManagerType()
 	if err != nil {
 		return nil, err

client/internal/dns/host_windows.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"strings"
 
+	"github.com/netbirdio/netbird/iface"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/sys/windows/registry"
 )
@@ -31,7 +32,7 @@ type registryConfigurator struct {
 	existingSearchDomains []string
 }
 
-func newHostManager(wgInterface WGIface) (hostManager, error) {
+func newHostManager(wgInterface *iface.WGIface) (hostManager, error) {
 	guid, err := wgInterface.GetInterfaceGUIDString()
 	if err != nil {
 		return nil, err
@@ -41,10 +42,6 @@ func newHostManager(wgInterface WGIface) (hostManager, error) {
 	}, nil
 }
 
-func (s *registryConfigurator) supportCustomPort() bool {
-	return false
-}
-
 func (r *registryConfigurator) applyDNSConfig(config hostDNSConfig) error {
 	var err error
 	if config.routeAll {

client/internal/dns/local.go

@@ -2,12 +2,10 @@ package dns
 
 import (
 	"fmt"
-	"sync"
-
 	"github.com/miekg/dns"
-	log "github.com/sirupsen/logrus"
-
 	nbdns "github.com/netbirdio/netbird/dns"
+	log "github.com/sirupsen/logrus"
+	"sync"
 )
 
 type registrationMap map[string]struct{}
@@ -17,12 +15,9 @@ type localResolver struct {
 	records       sync.Map
 }
 
-func (d *localResolver) stop() {
-}
-
 // ServeDNS handles a DNS request
 func (d *localResolver) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
-	log.Tracef("received question: %#v", r.Question[0])
+	log.Tracef("received question: %#v\n", r.Question[0])
 	replyMessage := &dns.Msg{}
 	replyMessage.SetReply(r)
 	replyMessage.RecursionAvailable = true

client/internal/dns/mockServer.go

@@ -7,17 +7,16 @@ import (
 
 // MockServer is the mock instance of a dns server
 type MockServer struct {
-	InitializeFunc      func() error
+	StartFunc           func()
 	StopFunc            func()
 	UpdateDNSServerFunc func(serial uint64, update nbdns.Config) error
 }
 
-// Initialize mock implementation of Initialize from Server interface
-func (m *MockServer) Initialize() error {
-	if m.InitializeFunc != nil {
-		return m.InitializeFunc()
+// Start mock implementation of Start from Server interface
+func (m *MockServer) Start() {
+	if m.StartFunc != nil {
+		m.StartFunc()
 	}
-	return nil
 }
 
 // Stop mock implementation of Stop from Server interface
@@ -27,15 +26,6 @@ func (m *MockServer) Stop() {
 	}
 }
 
-func (m *MockServer) DnsIP() string {
-	return ""
-}
-
-func (m *MockServer) OnUpdatedHostDNSServer(strings []string) {
-	//TODO implement me
-	panic("implement me")
-}
-
 // UpdateDNSServer mock implementation of UpdateDNSServer from Server interface
 func (m *MockServer) UpdateDNSServer(serial uint64, update nbdns.Config) error {
 	if m.UpdateDNSServerFunc != nil {

client/internal/dns/network_manager_linux.go

@@ -1,5 +1,3 @@
-//go:build !android
-
 package dns
 
 import (
@@ -13,6 +11,7 @@ import (
 	"github.com/godbus/dbus/v5"
 	"github.com/hashicorp/go-version"
 	"github.com/miekg/dns"
+	"github.com/netbirdio/netbird/iface"
 	log "github.com/sirupsen/logrus"
 )
 
@@ -70,7 +69,7 @@ func (s networkManagerConnSettings) cleanDeprecatedSettings() {
 	}
 }
 
-func newNetworkManagerDbusConfigurator(wgInterface WGIface) (hostManager, error) {
+func newNetworkManagerDbusConfigurator(wgInterface *iface.WGIface) (hostManager, error) {
 	obj, closeConn, err := getDbusObject(networkManagerDest, networkManagerDbusObjectNode)
 	if err != nil {
 		return nil, err
@@ -89,10 +88,6 @@ func newNetworkManagerDbusConfigurator(wgInterface WGIface) (hostManager, error)
 	}, nil
 }
 
-func (n *networkManagerDbusConfigurator) supportCustomPort() bool {
-	return false
-}
-
 func (n *networkManagerDbusConfigurator) applyDNSConfig(config hostDNSConfig) error {
 	connSettings, configVersion, err := n.getAppliedConnectionSettings()
 	if err != nil {

client/internal/dns/resolvconf_linux.go

@@ -1,13 +1,11 @@
-//go:build !android
-
 package dns
 
 import (
 	"fmt"
-	"os"
 	"os/exec"
 	"strings"
 
+	"github.com/netbirdio/netbird/iface"
 	log "github.com/sirupsen/logrus"
 )
 
@@ -17,16 +15,12 @@ type resolvconf struct {
 	ifaceName string
 }
 
-func newResolvConfConfigurator(wgInterface WGIface) (hostManager, error) {
+func newResolvConfConfigurator(wgInterface *iface.WGIface) (hostManager, error) {
 	return &resolvconf{
 		ifaceName: wgInterface.Name(),
 	}, nil
 }
 
-func (r *resolvconf) supportCustomPort() bool {
-	return false
-}
-
 func (r *resolvconf) applyDNSConfig(config hostDNSConfig) error {
 	var err error
 	if !config.routeAll {
@@ -60,11 +54,7 @@ func (r *resolvconf) applyDNSConfig(config hostDNSConfig) error {
 		appendedDomains++
 	}
 
-	originalContent, err := os.ReadFile(fileDefaultResolvConfBackupLocation)
-	if err != nil {
-		log.Errorf("Could not read existing resolv.conf")
-	}
-	content := fmt.Sprintf(fileGeneratedResolvConfContentFormat, fileDefaultResolvConfBackupLocation, config.serverIP, searchDomains, string(originalContent))
+	content := fmt.Sprintf(fileGeneratedResolvConfContentFormat, fileDefaultResolvConfBackupLocation, config.serverIP, searchDomains)
 
 	err = r.applyConfig(content)
 	if err != nil {

client/internal/dns/response_writer.go

@@ -1,103 +0,0 @@
-package dns
-
-import (
-	"fmt"
-	"net"
-
-	"github.com/google/gopacket"
-	"github.com/google/gopacket/layers"
-	"github.com/miekg/dns"
-	"golang.zx2c4.com/wireguard/tun"
-)
-
-type responseWriter struct {
-	local  net.Addr
-	remote net.Addr
-	packet gopacket.Packet
-	device tun.Device
-}
-
-// LocalAddr returns the net.Addr of the server
-func (r *responseWriter) LocalAddr() net.Addr {
-	return r.local
-}
-
-// RemoteAddr returns the net.Addr of the client that sent the current request.
-func (r *responseWriter) RemoteAddr() net.Addr {
-	return r.remote
-}
-
-// WriteMsg writes a reply back to the client.
-func (r *responseWriter) WriteMsg(msg *dns.Msg) error {
-	buff, err := msg.Pack()
-	if err != nil {
-		return err
-	}
-	_, err = r.Write(buff)
-	return err
-}
-
-// Write writes a raw buffer back to the client.
-func (r *responseWriter) Write(data []byte) (int, error) {
-	var ip gopacket.SerializableLayer
-
-	// Get the UDP layer
-	udpLayer := r.packet.Layer(layers.LayerTypeUDP)
-	udp := udpLayer.(*layers.UDP)
-
-	// Swap the source and destination addresses for the response
-	udp.SrcPort, udp.DstPort = udp.DstPort, udp.SrcPort
-
-	// Check if it's an IPv4 packet
-	if ipv4Layer := r.packet.Layer(layers.LayerTypeIPv4); ipv4Layer != nil {
-		ipv4 := ipv4Layer.(*layers.IPv4)
-		ipv4.SrcIP, ipv4.DstIP = ipv4.DstIP, ipv4.SrcIP
-		ip = ipv4
-	} else if ipv6Layer := r.packet.Layer(layers.LayerTypeIPv6); ipv6Layer != nil {
-		ipv6 := ipv6Layer.(*layers.IPv6)
-		ipv6.SrcIP, ipv6.DstIP = ipv6.DstIP, ipv6.SrcIP
-		ip = ipv6
-	}
-
-	if err := udp.SetNetworkLayerForChecksum(ip.(gopacket.NetworkLayer)); err != nil {
-		return 0, fmt.Errorf("failed to set network layer for checksum: %v", err)
-	}
-
-	// Serialize the packet
-	buffer := gopacket.NewSerializeBuffer()
-	options := gopacket.SerializeOptions{
-		ComputeChecksums: true,
-		FixLengths:       true,
-	}
-
-	payload := gopacket.Payload(data)
-	err := gopacket.SerializeLayers(buffer, options, ip, udp, payload)
-	if err != nil {
-		return 0, fmt.Errorf("failed to serialize packet: %v", err)
-	}
-
-	send := buffer.Bytes()
-	sendBuffer := make([]byte, 40, len(send)+40)
-	sendBuffer = append(sendBuffer, send...)
-
-	return r.device.Write([][]byte{sendBuffer}, 40)
-}
-
-// Close closes the connection.
-func (r *responseWriter) Close() error {
-	return nil
-}
-
-// TsigStatus returns the status of the Tsig.
-func (r *responseWriter) TsigStatus() error {
-	return nil
-}
-
-// TsigTimersOnly sets the tsig timers only boolean.
-func (r *responseWriter) TsigTimersOnly(bool) {
-}
-
-// Hijack lets the caller take over the connection.
-// After a call to Hijack(), the DNS package will not do anything with the connection.
-func (r *responseWriter) Hijack() {
-}

client/internal/dns/response_writer_test.go

@@ -1,93 +0,0 @@
-package dns
-
-import (
-	"net"
-	"testing"
-
-	"github.com/golang/mock/gomock"
-	"github.com/google/gopacket"
-	"github.com/google/gopacket/layers"
-	"github.com/miekg/dns"
-
-	"github.com/netbirdio/netbird/iface/mocks"
-)
-
-func TestResponseWriterLocalAddr(t *testing.T) {
-	ctrl := gomock.NewController(t)
-	defer ctrl.Finish()
-
-	device := mocks.NewMockDevice(ctrl)
-	device.EXPECT().Write(gomock.Any(), gomock.Any())
-
-	request := &dns.Msg{
-		Question: []dns.Question{{
-			Name:   "google.com.",
-			Qtype:  dns.TypeA,
-			Qclass: dns.TypeA,
-		}},
-	}
-
-	replyMessage := &dns.Msg{}
-	replyMessage.SetReply(request)
-	replyMessage.RecursionAvailable = true
-	replyMessage.Rcode = dns.RcodeSuccess
-	replyMessage.Answer = []dns.RR{
-		&dns.A{
-			A: net.IPv4(8, 8, 8, 8),
-		},
-	}
-
-	ipv4 := &layers.IPv4{
-		Protocol: layers.IPProtocolUDP,
-		SrcIP:    net.IPv4(127, 0, 0, 1),
-		DstIP:    net.IPv4(127, 0, 0, 2),
-	}
-	udp := &layers.UDP{
-		DstPort: 53,
-		SrcPort: 45223,
-	}
-	if err := udp.SetNetworkLayerForChecksum(ipv4); err != nil {
-		t.Error("failed to set network layer for checksum")
-		return
-	}
-
-	// Serialize the packet
-	buffer := gopacket.NewSerializeBuffer()
-	options := gopacket.SerializeOptions{
-		ComputeChecksums: true,
-		FixLengths:       true,
-	}
-
-	requestData, err := request.Pack()
-	if err != nil {
-		t.Errorf("got an error while packing the request message, error: %v", err)
-		return
-	}
-	payload := gopacket.Payload(requestData)
-
-	if err := gopacket.SerializeLayers(buffer, options, ipv4, udp, payload); err != nil {
-		t.Errorf("failed to serialize packet: %v", err)
-		return
-	}
-
-	rw := &responseWriter{
-		local: &net.UDPAddr{
-			IP:   net.IPv4(127, 0, 0, 1),
-			Port: 55223,
-		},
-		remote: &net.UDPAddr{
-			IP:   net.IPv4(127, 0, 0, 1),
-			Port: 53,
-		},
-		packet: gopacket.NewPacket(
-			buffer.Bytes(),
-			layers.LayerTypeIPv4,
-			gopacket.Default,
-		),
-		device: device,
-	}
-	if err := rw.WriteMsg(replyMessage); err != nil {
-		t.Errorf("got an error while writing the local resolver response, error: %v", err)
-		return
-	}
-}

client/internal/dns/server.go

@@ -1,469 +1,10 @@
 package dns
 
-import (
-	"context"
-	"fmt"
-	"net/netip"
-	"sync"
-
-	"github.com/miekg/dns"
-	"github.com/mitchellh/hashstructure/v2"
-	log "github.com/sirupsen/logrus"
-
-	nbdns "github.com/netbirdio/netbird/dns"
-)
-
-// ReadyListener is a notification mechanism what indicate the server is ready to handle host dns address changes
-type ReadyListener interface {
-	OnReady()
-}
+import nbdns "github.com/netbirdio/netbird/dns"
 
 // Server is a dns server interface
 type Server interface {
-	Initialize() error
+	Start()
 	Stop()
-	DnsIP() string
 	UpdateDNSServer(serial uint64, update nbdns.Config) error
-	OnUpdatedHostDNSServer(strings []string)
-}
-
-type registeredHandlerMap map[string]handlerWithStop
-
-// DefaultServer dns server object
-type DefaultServer struct {
-	ctx                context.Context
-	ctxCancel          context.CancelFunc
-	mux                sync.Mutex
-	service            service
-	dnsMuxMap          registeredHandlerMap
-	localResolver      *localResolver
-	wgInterface        WGIface
-	hostManager        hostManager
-	updateSerial       uint64
-	previousConfigHash uint64
-	currentConfig      hostDNSConfig
-
-	// permanent related properties
-	permanent        bool
-	hostsDnsList     []string
-	hostsDnsListLock sync.Mutex
-}
-
-type handlerWithStop interface {
-	dns.Handler
-	stop()
-}
-
-type muxUpdate struct {
-	domain  string
-	handler handlerWithStop
-}
-
-// NewDefaultServer returns a new dns server
-func NewDefaultServer(ctx context.Context, wgInterface WGIface, customAddress string) (*DefaultServer, error) {
-	var addrPort *netip.AddrPort
-	if customAddress != "" {
-		parsedAddrPort, err := netip.ParseAddrPort(customAddress)
-		if err != nil {
-			return nil, fmt.Errorf("unable to parse the custom dns address, got error: %s", err)
-		}
-		addrPort = &parsedAddrPort
-	}
-
-	var dnsService service
-	if wgInterface.IsUserspaceBind() {
-		dnsService = newServiceViaMemory(wgInterface)
-	} else {
-		dnsService = newServiceViaListener(wgInterface, addrPort)
-	}
-
-	return newDefaultServer(ctx, wgInterface, dnsService), nil
-}
-
-// NewDefaultServerPermanentUpstream returns a new dns server. It optimized for mobile systems
-func NewDefaultServerPermanentUpstream(ctx context.Context, wgInterface WGIface, hostsDnsList []string) *DefaultServer {
-	log.Debugf("host dns address list is: %v", hostsDnsList)
-	ds := newDefaultServer(ctx, wgInterface, newServiceViaMemory(wgInterface))
-	ds.permanent = true
-	ds.hostsDnsList = hostsDnsList
-	ds.addHostRootZone()
-	setServerDns(ds)
-	return ds
-}
-
-func newDefaultServer(ctx context.Context, wgInterface WGIface, dnsService service) *DefaultServer {
-	ctx, stop := context.WithCancel(ctx)
-	defaultServer := &DefaultServer{
-		ctx:       ctx,
-		ctxCancel: stop,
-		service:   dnsService,
-		dnsMuxMap: make(registeredHandlerMap),
-		localResolver: &localResolver{
-			registeredMap: make(registrationMap),
-		},
-		wgInterface: wgInterface,
-	}
-
-	return defaultServer
-}
-
-// Initialize instantiate host manager and the dns service
-func (s *DefaultServer) Initialize() (err error) {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-
-	if s.hostManager != nil {
-		return nil
-	}
-
-	if s.permanent {
-		err = s.service.Listen()
-		if err != nil {
-			return err
-		}
-	}
-
-	s.hostManager, err = newHostManager(s.wgInterface)
-	return
-}
-
-// DnsIP returns the DNS resolver server IP address
-//
-// When kernel space interface used it return real DNS server listener IP address
-// For bind interface, fake DNS resolver address returned (second last IP address from Nebird network)
-func (s *DefaultServer) DnsIP() string {
-	return s.service.RuntimeIP()
-}
-
-// Stop stops the server
-func (s *DefaultServer) Stop() {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-	s.ctxCancel()
-
-	if s.hostManager != nil {
-		err := s.hostManager.restoreHostDNS()
-		if err != nil {
-			log.Error(err)
-		}
-	}
-
-	s.service.Stop()
-}
-
-// OnUpdatedHostDNSServer update the DNS servers addresses for root zones
-// It will be applied if the mgm server do not enforce DNS settings for root zone
-func (s *DefaultServer) OnUpdatedHostDNSServer(hostsDnsList []string) {
-	s.hostsDnsListLock.Lock()
-	defer s.hostsDnsListLock.Unlock()
-
-	s.hostsDnsList = hostsDnsList
-	_, ok := s.dnsMuxMap[nbdns.RootZone]
-	if ok {
-		log.Debugf("on new host DNS config but skip to apply it")
-		return
-	}
-	log.Debugf("update host DNS settings: %+v", hostsDnsList)
-	s.addHostRootZone()
-}
-
-// UpdateDNSServer processes an update received from the management service
-func (s *DefaultServer) UpdateDNSServer(serial uint64, update nbdns.Config) error {
-	select {
-	case <-s.ctx.Done():
-		log.Infof("not updating DNS server as context is closed")
-		return s.ctx.Err()
-	default:
-		if serial < s.updateSerial {
-			return fmt.Errorf("not applying dns update, error: "+
-				"network update is %d behind the last applied update", s.updateSerial-serial)
-		}
-		s.mux.Lock()
-		defer s.mux.Unlock()
-
-		if s.hostManager == nil {
-			return fmt.Errorf("dns service is not initialized yet")
-		}
-
-		hash, err := hashstructure.Hash(update, hashstructure.FormatV2, &hashstructure.HashOptions{
-			ZeroNil:         true,
-			IgnoreZeroValue: true,
-			SlicesAsSets:    true,
-			UseStringer:     true,
-		})
-		if err != nil {
-			log.Errorf("unable to hash the dns configuration update, got error: %s", err)
-		}
-
-		if s.previousConfigHash == hash {
-			log.Debugf("not applying the dns configuration update as there is nothing new")
-			s.updateSerial = serial
-			return nil
-		}
-
-		if err := s.applyConfiguration(update); err != nil {
-			return err
-		}
-
-		s.updateSerial = serial
-		s.previousConfigHash = hash
-
-		return nil
-	}
-}
-
-func (s *DefaultServer) applyConfiguration(update nbdns.Config) error {
-	// is the service should be disabled, we stop the listener or fake resolver
-	// and proceed with a regular update to clean up the handlers and records
-	if update.ServiceEnable {
-		_ = s.service.Listen()
-	} else if !s.permanent {
-		s.service.Stop()
-	}
-
-	localMuxUpdates, localRecords, err := s.buildLocalHandlerUpdate(update.CustomZones)
-	if err != nil {
-		return fmt.Errorf("not applying dns update, error: %v", err)
-	}
-	upstreamMuxUpdates, err := s.buildUpstreamHandlerUpdate(update.NameServerGroups)
-	if err != nil {
-		return fmt.Errorf("not applying dns update, error: %v", err)
-	}
-	muxUpdates := append(localMuxUpdates, upstreamMuxUpdates...)
-
-	s.updateMux(muxUpdates)
-	s.updateLocalResolver(localRecords)
-	s.currentConfig = dnsConfigToHostDNSConfig(update, s.service.RuntimeIP(), s.service.RuntimePort())
-
-	hostUpdate := s.currentConfig
-	if s.service.RuntimePort() != defaultPort && !s.hostManager.supportCustomPort() {
-		log.Warnf("the DNS manager of this peer doesn't support custom port. Disabling primary DNS setup. " +
-			"Learn more at: https://netbird.io/docs/how-to-guides/nameservers#local-resolver")
-		hostUpdate.routeAll = false
-	}
-
-	if err = s.hostManager.applyDNSConfig(hostUpdate); err != nil {
-		log.Error(err)
-	}
-
-	return nil
-}
-
-func (s *DefaultServer) buildLocalHandlerUpdate(customZones []nbdns.CustomZone) ([]muxUpdate, map[string]nbdns.SimpleRecord, error) {
-	var muxUpdates []muxUpdate
-	localRecords := make(map[string]nbdns.SimpleRecord, 0)
-
-	for _, customZone := range customZones {
-
-		if len(customZone.Records) == 0 {
-			return nil, nil, fmt.Errorf("received an empty list of records")
-		}
-
-		muxUpdates = append(muxUpdates, muxUpdate{
-			domain:  customZone.Domain,
-			handler: s.localResolver,
-		})
-
-		for _, record := range customZone.Records {
-			var class uint16 = dns.ClassINET
-			if record.Class != nbdns.DefaultClass {
-				return nil, nil, fmt.Errorf("received an invalid class type: %s", record.Class)
-			}
-			key := buildRecordKey(record.Name, class, uint16(record.Type))
-			localRecords[key] = record
-		}
-	}
-	return muxUpdates, localRecords, nil
-}
-
-func (s *DefaultServer) buildUpstreamHandlerUpdate(nameServerGroups []*nbdns.NameServerGroup) ([]muxUpdate, error) {
-
-	var muxUpdates []muxUpdate
-	for _, nsGroup := range nameServerGroups {
-		if len(nsGroup.NameServers) == 0 {
-			log.Warn("received a nameserver group with empty nameserver list")
-			continue
-		}
-
-		handler := newUpstreamResolver(s.ctx)
-		for _, ns := range nsGroup.NameServers {
-			if ns.NSType != nbdns.UDPNameServerType {
-				log.Warnf("skiping nameserver %s with type %s, this peer supports only %s",
-					ns.IP.String(), ns.NSType.String(), nbdns.UDPNameServerType.String())
-				continue
-			}
-			handler.upstreamServers = append(handler.upstreamServers, getNSHostPort(ns))
-		}
-
-		if len(handler.upstreamServers) == 0 {
-			handler.stop()
-			log.Errorf("received a nameserver group with an invalid nameserver list")
-			continue
-		}
-
-		// when upstream fails to resolve domain several times over all it servers
-		// it will calls this hook to exclude self from the configuration and
-		// reapply DNS settings, but it not touch the original configuration and serial number
-		// because it is temporal deactivation until next try
-		//
-		// after some period defined by upstream it trys to reactivate self by calling this hook
-		// everything we need here is just to re-apply current configuration because it already
-		// contains this upstream settings (temporal deactivation not removed it)
-		handler.deactivate, handler.reactivate = s.upstreamCallbacks(nsGroup, handler)
-
-		if nsGroup.Primary {
-			muxUpdates = append(muxUpdates, muxUpdate{
-				domain:  nbdns.RootZone,
-				handler: handler,
-			})
-			continue
-		}
-
-		if len(nsGroup.Domains) == 0 {
-			handler.stop()
-			return nil, fmt.Errorf("received a non primary nameserver group with an empty domain list")
-		}
-
-		for _, domain := range nsGroup.Domains {
-			if domain == "" {
-				handler.stop()
-				return nil, fmt.Errorf("received a nameserver group with an empty domain element")
-			}
-			muxUpdates = append(muxUpdates, muxUpdate{
-				domain:  domain,
-				handler: handler,
-			})
-		}
-	}
-	return muxUpdates, nil
-}
-
-func (s *DefaultServer) updateMux(muxUpdates []muxUpdate) {
-	muxUpdateMap := make(registeredHandlerMap)
-
-	var isContainRootUpdate bool
-
-	for _, update := range muxUpdates {
-		s.service.RegisterMux(update.domain, update.handler)
-		muxUpdateMap[update.domain] = update.handler
-		if existingHandler, ok := s.dnsMuxMap[update.domain]; ok {
-			existingHandler.stop()
-		}
-
-		if update.domain == nbdns.RootZone {
-			isContainRootUpdate = true
-		}
-	}
-
-	for key, existingHandler := range s.dnsMuxMap {
-		_, found := muxUpdateMap[key]
-		if !found {
-			if !isContainRootUpdate && key == nbdns.RootZone {
-				s.hostsDnsListLock.Lock()
-				s.addHostRootZone()
-				s.hostsDnsListLock.Unlock()
-				existingHandler.stop()
-			} else {
-				existingHandler.stop()
-				s.service.DeregisterMux(key)
-			}
-		}
-	}
-
-	s.dnsMuxMap = muxUpdateMap
-}
-
-func (s *DefaultServer) updateLocalResolver(update map[string]nbdns.SimpleRecord) {
-	for key := range s.localResolver.registeredMap {
-		_, found := update[key]
-		if !found {
-			s.localResolver.deleteRecord(key)
-		}
-	}
-
-	updatedMap := make(registrationMap)
-	for key, record := range update {
-		err := s.localResolver.registerRecord(record)
-		if err != nil {
-			log.Warnf("got an error while registering the record (%s), error: %v", record.String(), err)
-		}
-		updatedMap[key] = struct{}{}
-	}
-
-	s.localResolver.registeredMap = updatedMap
-}
-
-func getNSHostPort(ns nbdns.NameServer) string {
-	return fmt.Sprintf("%s:%d", ns.IP.String(), ns.Port)
-}
-
-// upstreamCallbacks returns two functions, the first one is used to deactivate
-// the upstream resolver from the configuration, the second one is used to
-// reactivate it. Not allowed to call reactivate before deactivate.
-func (s *DefaultServer) upstreamCallbacks(
-	nsGroup *nbdns.NameServerGroup,
-	handler dns.Handler,
-) (deactivate func(), reactivate func()) {
-	var removeIndex map[string]int
-	deactivate = func() {
-		s.mux.Lock()
-		defer s.mux.Unlock()
-
-		l := log.WithField("nameservers", nsGroup.NameServers)
-		l.Info("temporary deactivate nameservers group due timeout")
-
-		removeIndex = make(map[string]int)
-		for _, domain := range nsGroup.Domains {
-			removeIndex[domain] = -1
-		}
-		if nsGroup.Primary {
-			removeIndex[nbdns.RootZone] = -1
-			s.currentConfig.routeAll = false
-		}
-
-		for i, item := range s.currentConfig.domains {
-			if _, found := removeIndex[item.domain]; found {
-				s.currentConfig.domains[i].disabled = true
-				s.service.DeregisterMux(item.domain)
-				removeIndex[item.domain] = i
-			}
-		}
-		if err := s.hostManager.applyDNSConfig(s.currentConfig); err != nil {
-			l.WithError(err).Error("fail to apply nameserver deactivation on the host")
-		}
-	}
-	reactivate = func() {
-		s.mux.Lock()
-		defer s.mux.Unlock()
-
-		for domain, i := range removeIndex {
-			if i == -1 || i >= len(s.currentConfig.domains) || s.currentConfig.domains[i].domain != domain {
-				continue
-			}
-			s.currentConfig.domains[i].disabled = false
-			s.service.RegisterMux(domain, handler)
-		}
-
-		l := log.WithField("nameservers", nsGroup.NameServers)
-		l.Debug("reactivate temporary disabled nameserver group")
-
-		if nsGroup.Primary {
-			s.currentConfig.routeAll = true
-		}
-		if err := s.hostManager.applyDNSConfig(s.currentConfig); err != nil {
-			l.WithError(err).Error("reactivate temporary disabled nameserver group, DNS update apply")
-		}
-	}
-	return
-}
-
-func (s *DefaultServer) addHostRootZone() {
-	handler := newUpstreamResolver(s.ctx)
-	handler.upstreamServers = make([]string, len(s.hostsDnsList))
-	for n, ua := range s.hostsDnsList {
-		handler.upstreamServers[n] = fmt.Sprintf("%s:53", ua)
-	}
-	handler.deactivate = func() {}
-	handler.reactivate = func() {}
-	s.service.RegisterMux(nbdns.RootZone, handler)
 }

client/internal/dns/server_android.go

@@ -0,0 +1,32 @@
+package dns
+
+import (
+	"context"
+
+	nbdns "github.com/netbirdio/netbird/dns"
+	"github.com/netbirdio/netbird/iface"
+)
+
+// DefaultServer dummy dns server
+type DefaultServer struct {
+}
+
+// NewDefaultServer On Android the DNS feature is not supported yet
+func NewDefaultServer(ctx context.Context, wgInterface *iface.WGIface, customAddress string) (*DefaultServer, error) {
+	return &DefaultServer{}, nil
+}
+
+// Start dummy implementation
+func (s DefaultServer) Start() {
+
+}
+
+// Stop dummy implementation
+func (s DefaultServer) Stop() {
+
+}
+
+// UpdateDNSServer dummy implementation
+func (s DefaultServer) UpdateDNSServer(serial uint64, update nbdns.Config) error {
+	return nil
+}

client/internal/dns/server_export.go

@@ -1,29 +0,0 @@
-package dns
-
-import (
-	"fmt"
-	"sync"
-)
-
-var (
-	mutex  sync.Mutex
-	server Server
-)
-
-// GetServerDns export the DNS server instance in static way. It used by the Mobile client
-func GetServerDns() (Server, error) {
-	mutex.Lock()
-	if server == nil {
-		mutex.Unlock()
-		return nil, fmt.Errorf("DNS server not instantiated yet")
-	}
-	s := server
-	mutex.Unlock()
-	return s, nil
-}
-
-func setServerDns(newServerServer Server) {
-	mutex.Lock()
-	server = newServerServer
-	defer mutex.Unlock()
-}

client/internal/dns/server_export_test.go

@@ -1,24 +0,0 @@
-package dns
-
-import (
-	"testing"
-)
-
-func TestGetServerDns(t *testing.T) {
-	_, err := GetServerDns()
-	if err == nil {
-		t.Errorf("invalid dns server instance")
-	}
-
-	srv := &MockServer{}
-	setServerDns(srv)
-
-	srvB, err := GetServerDns()
-	if err != nil {
-		t.Errorf("invalid dns server instance: %s", err)
-	}
-
-	if srvB != srv {
-		t.Errorf("missmatch dns instances")
-	}
-}

client/internal/dns/server_nonandroid.go

@@ -0,0 +1,465 @@
+//go:build !android
+
+package dns
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"net/netip"
+	"runtime"
+	"sync"
+	"time"
+
+	"github.com/miekg/dns"
+	"github.com/mitchellh/hashstructure/v2"
+	nbdns "github.com/netbirdio/netbird/dns"
+	"github.com/netbirdio/netbird/iface"
+	log "github.com/sirupsen/logrus"
+)
+
+const (
+	defaultPort = 53
+	customPort  = 5053
+	defaultIP   = "127.0.0.1"
+	customIP    = "127.0.0.153"
+)
+
+// DefaultServer dns server object
+type DefaultServer struct {
+	ctx                context.Context
+	ctxCancel          context.CancelFunc
+	upstreamCtxCancel  context.CancelFunc
+	mux                sync.Mutex
+	server             *dns.Server
+	dnsMux             *dns.ServeMux
+	dnsMuxMap          registrationMap
+	localResolver      *localResolver
+	wgInterface        *iface.WGIface
+	hostManager        hostManager
+	updateSerial       uint64
+	listenerIsRunning  bool
+	runtimePort        int
+	runtimeIP          string
+	previousConfigHash uint64
+	currentConfig      hostDNSConfig
+	customAddress      *netip.AddrPort
+}
+
+type muxUpdate struct {
+	domain  string
+	handler dns.Handler
+}
+
+// NewDefaultServer returns a new dns server
+func NewDefaultServer(ctx context.Context, wgInterface *iface.WGIface, customAddress string) (*DefaultServer, error) {
+	mux := dns.NewServeMux()
+
+	dnsServer := &dns.Server{
+		Net:     "udp",
+		Handler: mux,
+		UDPSize: 65535,
+	}
+
+	ctx, stop := context.WithCancel(ctx)
+
+	var addrPort *netip.AddrPort
+	if customAddress != "" {
+		parsedAddrPort, err := netip.ParseAddrPort(customAddress)
+		if err != nil {
+			stop()
+			return nil, fmt.Errorf("unable to parse the custom dns address, got error: %s", err)
+		}
+		addrPort = &parsedAddrPort
+	}
+
+	defaultServer := &DefaultServer{
+		ctx:       ctx,
+		ctxCancel: stop,
+		server:    dnsServer,
+		dnsMux:    mux,
+		dnsMuxMap: make(registrationMap),
+		localResolver: &localResolver{
+			registeredMap: make(registrationMap),
+		},
+		wgInterface:   wgInterface,
+		runtimePort:   defaultPort,
+		customAddress: addrPort,
+	}
+
+	hostmanager, err := newHostManager(wgInterface)
+	if err != nil {
+		stop()
+		return nil, err
+	}
+	defaultServer.hostManager = hostmanager
+	return defaultServer, err
+}
+
+// Start runs the listener in a go routine
+func (s *DefaultServer) Start() {
+	if s.customAddress != nil {
+		s.runtimeIP = s.customAddress.Addr().String()
+		s.runtimePort = int(s.customAddress.Port())
+	} else {
+		ip, port, err := s.getFirstListenerAvailable()
+		if err != nil {
+			log.Error(err)
+			return
+		}
+		s.runtimeIP = ip
+		s.runtimePort = port
+	}
+
+	s.server.Addr = fmt.Sprintf("%s:%d", s.runtimeIP, s.runtimePort)
+
+	log.Debugf("starting dns on %s", s.server.Addr)
+
+	go func() {
+		s.setListenerStatus(true)
+		defer s.setListenerStatus(false)
+
+		err := s.server.ListenAndServe()
+		if err != nil {
+			log.Errorf("dns server running with %d port returned an error: %v. Will not retry", s.runtimePort, err)
+		}
+	}()
+}
+
+func (s *DefaultServer) getFirstListenerAvailable() (string, int, error) {
+	ips := []string{defaultIP, customIP}
+	if runtime.GOOS != "darwin" && s.wgInterface != nil {
+		ips = append([]string{s.wgInterface.Address().IP.String()}, ips...)
+	}
+	ports := []int{defaultPort, customPort}
+	for _, port := range ports {
+		for _, ip := range ips {
+			addrString := fmt.Sprintf("%s:%d", ip, port)
+			udpAddr := net.UDPAddrFromAddrPort(netip.MustParseAddrPort(addrString))
+			probeListener, err := net.ListenUDP("udp", udpAddr)
+			if err == nil {
+				err = probeListener.Close()
+				if err != nil {
+					log.Errorf("got an error closing the probe listener, error: %s", err)
+				}
+				return ip, port, nil
+			}
+			log.Warnf("binding dns on %s is not available, error: %s", addrString, err)
+		}
+	}
+	return "", 0, fmt.Errorf("unable to find an unused ip and port combination. IPs tested: %v and ports %v", ips, ports)
+}
+
+func (s *DefaultServer) setListenerStatus(running bool) {
+	s.listenerIsRunning = running
+}
+
+// Stop stops the server
+func (s *DefaultServer) Stop() {
+	s.mux.Lock()
+	defer s.mux.Unlock()
+	s.ctxCancel()
+
+	err := s.hostManager.restoreHostDNS()
+	if err != nil {
+		log.Error(err)
+	}
+
+	err = s.stopListener()
+	if err != nil {
+		log.Error(err)
+	}
+}
+
+func (s *DefaultServer) stopListener() error {
+	if !s.listenerIsRunning {
+		return nil
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	err := s.server.ShutdownContext(ctx)
+	if err != nil {
+		return fmt.Errorf("stopping dns server listener returned an error: %v", err)
+	}
+	return nil
+}
+
+// UpdateDNSServer processes an update received from the management service
+func (s *DefaultServer) UpdateDNSServer(serial uint64, update nbdns.Config) error {
+	select {
+	case <-s.ctx.Done():
+		log.Infof("not updating DNS server as context is closed")
+		return s.ctx.Err()
+	default:
+		if serial < s.updateSerial {
+			return fmt.Errorf("not applying dns update, error: "+
+				"network update is %d behind the last applied update", s.updateSerial-serial)
+		}
+		s.mux.Lock()
+		defer s.mux.Unlock()
+
+		hash, err := hashstructure.Hash(update, hashstructure.FormatV2, &hashstructure.HashOptions{
+			ZeroNil:         true,
+			IgnoreZeroValue: true,
+			SlicesAsSets:    true,
+			UseStringer:     true,
+		})
+		if err != nil {
+			log.Errorf("unable to hash the dns configuration update, got error: %s", err)
+		}
+
+		if s.previousConfigHash == hash {
+			log.Debugf("not applying the dns configuration update as there is nothing new")
+			s.updateSerial = serial
+			return nil
+		}
+
+		if err := s.applyConfiguration(update); err != nil {
+			return err
+		}
+
+		s.updateSerial = serial
+		s.previousConfigHash = hash
+
+		return nil
+	}
+}
+
+func (s *DefaultServer) applyConfiguration(update nbdns.Config) error {
+	// is the service should be disabled, we stop the listener
+	// and proceed with a regular update to clean up the handlers and records
+	if !update.ServiceEnable {
+		err := s.stopListener()
+		if err != nil {
+			log.Error(err)
+		}
+	} else if !s.listenerIsRunning {
+		s.Start()
+	}
+
+	localMuxUpdates, localRecords, err := s.buildLocalHandlerUpdate(update.CustomZones)
+	if err != nil {
+		return fmt.Errorf("not applying dns update, error: %v", err)
+	}
+	upstreamMuxUpdates, err := s.buildUpstreamHandlerUpdate(update.NameServerGroups)
+	if err != nil {
+		return fmt.Errorf("not applying dns update, error: %v", err)
+	}
+
+	muxUpdates := append(localMuxUpdates, upstreamMuxUpdates...)
+
+	s.updateMux(muxUpdates)
+	s.updateLocalResolver(localRecords)
+	s.currentConfig = dnsConfigToHostDNSConfig(update, s.runtimeIP, s.runtimePort)
+
+	if err = s.hostManager.applyDNSConfig(s.currentConfig); err != nil {
+		log.Error(err)
+	}
+
+	return nil
+}
+
+func (s *DefaultServer) buildLocalHandlerUpdate(customZones []nbdns.CustomZone) ([]muxUpdate, map[string]nbdns.SimpleRecord, error) {
+	var muxUpdates []muxUpdate
+	localRecords := make(map[string]nbdns.SimpleRecord, 0)
+
+	for _, customZone := range customZones {
+
+		if len(customZone.Records) == 0 {
+			return nil, nil, fmt.Errorf("received an empty list of records")
+		}
+
+		muxUpdates = append(muxUpdates, muxUpdate{
+			domain:  customZone.Domain,
+			handler: s.localResolver,
+		})
+
+		for _, record := range customZone.Records {
+			var class uint16 = dns.ClassINET
+			if record.Class != nbdns.DefaultClass {
+				return nil, nil, fmt.Errorf("received an invalid class type: %s", record.Class)
+			}
+			key := buildRecordKey(record.Name, class, uint16(record.Type))
+			localRecords[key] = record
+		}
+	}
+	return muxUpdates, localRecords, nil
+}
+
+func (s *DefaultServer) buildUpstreamHandlerUpdate(nameServerGroups []*nbdns.NameServerGroup) ([]muxUpdate, error) {
+	// clean up the previous upstream resolver
+	if s.upstreamCtxCancel != nil {
+		s.upstreamCtxCancel()
+	}
+
+	var muxUpdates []muxUpdate
+	for _, nsGroup := range nameServerGroups {
+		if len(nsGroup.NameServers) == 0 {
+			log.Warn("received a nameserver group with empty nameserver list")
+			continue
+		}
+
+		var ctx context.Context
+		ctx, s.upstreamCtxCancel = context.WithCancel(s.ctx)
+
+		handler := newUpstreamResolver(ctx)
+		for _, ns := range nsGroup.NameServers {
+			if ns.NSType != nbdns.UDPNameServerType {
+				log.Warnf("skiping nameserver %s with type %s, this peer supports only %s",
+					ns.IP.String(), ns.NSType.String(), nbdns.UDPNameServerType.String())
+				continue
+			}
+			handler.upstreamServers = append(handler.upstreamServers, getNSHostPort(ns))
+		}
+
+		if len(handler.upstreamServers) == 0 {
+			log.Errorf("received a nameserver group with an invalid nameserver list")
+			continue
+		}
+
+		// when upstream fails to resolve domain several times over all it servers
+		// it will calls this hook to exclude self from the configuration and
+		// reapply DNS settings, but it not touch the original configuration and serial number
+		// because it is temporal deactivation until next try
+		//
+		// after some period defined by upstream it trys to reactivate self by calling this hook
+		// everything we need here is just to re-apply current configuration because it already
+		// contains this upstream settings (temporal deactivation not removed it)
+		handler.deactivate, handler.reactivate = s.upstreamCallbacks(nsGroup, handler)
+
+		if nsGroup.Primary {
+			muxUpdates = append(muxUpdates, muxUpdate{
+				domain:  nbdns.RootZone,
+				handler: handler,
+			})
+			continue
+		}
+
+		if len(nsGroup.Domains) == 0 {
+			return nil, fmt.Errorf("received a non primary nameserver group with an empty domain list")
+		}
+
+		for _, domain := range nsGroup.Domains {
+			if domain == "" {
+				return nil, fmt.Errorf("received a nameserver group with an empty domain element")
+			}
+			muxUpdates = append(muxUpdates, muxUpdate{
+				domain:  domain,
+				handler: handler,
+			})
+		}
+	}
+	return muxUpdates, nil
+}
+
+func (s *DefaultServer) updateMux(muxUpdates []muxUpdate) {
+	muxUpdateMap := make(registrationMap)
+
+	for _, update := range muxUpdates {
+		s.registerMux(update.domain, update.handler)
+		muxUpdateMap[update.domain] = struct{}{}
+	}
+
+	for key := range s.dnsMuxMap {
+		_, found := muxUpdateMap[key]
+		if !found {
+			s.deregisterMux(key)
+		}
+	}
+
+	s.dnsMuxMap = muxUpdateMap
+}
+
+func (s *DefaultServer) updateLocalResolver(update map[string]nbdns.SimpleRecord) {
+	for key := range s.localResolver.registeredMap {
+		_, found := update[key]
+		if !found {
+			s.localResolver.deleteRecord(key)
+		}
+	}
+
+	updatedMap := make(registrationMap)
+	for key, record := range update {
+		err := s.localResolver.registerRecord(record)
+		if err != nil {
+			log.Warnf("got an error while registering the record (%s), error: %v", record.String(), err)
+		}
+		updatedMap[key] = struct{}{}
+	}
+
+	s.localResolver.registeredMap = updatedMap
+}
+
+func getNSHostPort(ns nbdns.NameServer) string {
+	return fmt.Sprintf("%s:%d", ns.IP.String(), ns.Port)
+}
+
+func (s *DefaultServer) registerMux(pattern string, handler dns.Handler) {
+	s.dnsMux.Handle(pattern, handler)
+}
+
+func (s *DefaultServer) deregisterMux(pattern string) {
+	s.dnsMux.HandleRemove(pattern)
+}
+
+// upstreamCallbacks returns two functions, the first one is used to deactivate
+// the upstream resolver from the configuration, the second one is used to
+// reactivate it. Not allowed to call reactivate before deactivate.
+func (s *DefaultServer) upstreamCallbacks(
+	nsGroup *nbdns.NameServerGroup,
+	handler dns.Handler,
+) (deactivate func(), reactivate func()) {
+	var removeIndex map[string]int
+	deactivate = func() {
+		s.mux.Lock()
+		defer s.mux.Unlock()
+
+		l := log.WithField("nameservers", nsGroup.NameServers)
+		l.Info("temporary deactivate nameservers group due timeout")
+
+		removeIndex = make(map[string]int)
+		for _, domain := range nsGroup.Domains {
+			removeIndex[domain] = -1
+		}
+		if nsGroup.Primary {
+			removeIndex[nbdns.RootZone] = -1
+			s.currentConfig.routeAll = false
+		}
+
+		for i, item := range s.currentConfig.domains {
+			if _, found := removeIndex[item.domain]; found {
+				s.currentConfig.domains[i].disabled = true
+				s.deregisterMux(item.domain)
+				removeIndex[item.domain] = i
+			}
+		}
+		if err := s.hostManager.applyDNSConfig(s.currentConfig); err != nil {
+			l.WithError(err).Error("fail to apply nameserver deactivation on the host")
+		}
+	}
+	reactivate = func() {
+		s.mux.Lock()
+		defer s.mux.Unlock()
+
+		for domain, i := range removeIndex {
+			if i == -1 || i >= len(s.currentConfig.domains) || s.currentConfig.domains[i].domain != domain {
+				continue
+			}
+			s.currentConfig.domains[i].disabled = false
+			s.registerMux(domain, handler)
+		}
+
+		l := log.WithField("nameservers", nsGroup.NameServers)
+		l.Debug("reactivate temporary disabled nameserver group")
+
+		if nsGroup.Primary {
+			s.currentConfig.routeAll = true
+		}
+		if err := s.hostManager.applyDNSConfig(s.currentConfig); err != nil {
+			l.WithError(err).Error("reactivate temporary disabled nameserver group, DNS update apply")
+		}
+	}
+	return
+}

client/internal/dns/server_test.go

@@ -5,59 +5,18 @@ import (
 	"fmt"
 	"net"
 	"net/netip"
-	"os"
 	"strings"
 	"testing"
 	"time"
 
-	"github.com/golang/mock/gomock"
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/firewall/uspfilter"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
+
+	"github.com/miekg/dns"
+
 	nbdns "github.com/netbirdio/netbird/dns"
-	"github.com/netbirdio/netbird/formatter"
 	"github.com/netbirdio/netbird/iface"
-	pfmock "github.com/netbirdio/netbird/iface/mocks"
 )
 
-type mocWGIface struct {
-	filter iface.PacketFilter
-}
-
-func (w *mocWGIface) Name() string {
-	panic("implement me")
-}
-
-func (w *mocWGIface) Address() iface.WGAddress {
-	ip, network, _ := net.ParseCIDR("100.66.100.0/24")
-	return iface.WGAddress{
-		IP:      ip,
-		Network: network,
-	}
-}
-
-func (w *mocWGIface) GetFilter() iface.PacketFilter {
-	return w.filter
-}
-
-func (w *mocWGIface) GetDevice() *iface.DeviceWrapper {
-	panic("implement me")
-}
-
-func (w *mocWGIface) GetInterfaceGUIDString() (string, error) {
-	panic("implement me")
-}
-
-func (w *mocWGIface) IsUserspaceBind() bool {
-	return false
-}
-
-func (w *mocWGIface) SetFilter(filter iface.PacketFilter) error {
-	w.filter = filter
-	return nil
-}
-
 var zoneRecords = []nbdns.SimpleRecord{
 	{
 		Name:  "peera.netbird.cloud",
@@ -68,11 +27,6 @@ var zoneRecords = []nbdns.SimpleRecord{
 	},
 }
 
-func init() {
-	log.SetLevel(log.TraceLevel)
-	formatter.SetTextFormatter(log.StandardLogger())
-}
-
 func TestUpdateDNSServer(t *testing.T) {
 	nameServers := []nbdns.NameServer{
 		{
@@ -87,23 +41,21 @@ func TestUpdateDNSServer(t *testing.T) {
 		},
 	}
 
-	dummyHandler := &localResolver{}
-
 	testCases := []struct {
 		name                string
-		initUpstreamMap     registeredHandlerMap
+		initUpstreamMap     registrationMap
 		initLocalMap        registrationMap
 		initSerial          uint64
 		inputSerial         uint64
 		inputUpdate         nbdns.Config
 		shouldFail          bool
-		expectedUpstreamMap registeredHandlerMap
+		expectedUpstreamMap registrationMap
 		expectedLocalMap    registrationMap
 	}{
 		{
 			name:            "Initial Config Should Succeed",
 			initLocalMap:    make(registrationMap),
-			initUpstreamMap: make(registeredHandlerMap),
+			initUpstreamMap: make(registrationMap),
 			initSerial:      0,
 			inputSerial:     1,
 			inputUpdate: nbdns.Config{
@@ -125,13 +77,13 @@ func TestUpdateDNSServer(t *testing.T) {
 					},
 				},
 			},
-			expectedUpstreamMap: registeredHandlerMap{"netbird.io": dummyHandler, "netbird.cloud": dummyHandler, nbdns.RootZone: dummyHandler},
+			expectedUpstreamMap: registrationMap{"netbird.io": struct{}{}, "netbird.cloud": struct{}{}, nbdns.RootZone: struct{}{}},
 			expectedLocalMap:    registrationMap{buildRecordKey(zoneRecords[0].Name, 1, 1): struct{}{}},
 		},
 		{
 			name:            "New Config Should Succeed",
 			initLocalMap:    registrationMap{"netbird.cloud": struct{}{}},
-			initUpstreamMap: registeredHandlerMap{buildRecordKey(zoneRecords[0].Name, 1, 1): dummyHandler},
+			initUpstreamMap: registrationMap{buildRecordKey(zoneRecords[0].Name, 1, 1): struct{}{}},
 			initSerial:      0,
 			inputSerial:     1,
 			inputUpdate: nbdns.Config{
@@ -149,13 +101,13 @@ func TestUpdateDNSServer(t *testing.T) {
 					},
 				},
 			},
-			expectedUpstreamMap: registeredHandlerMap{"netbird.io": dummyHandler, "netbird.cloud": dummyHandler},
+			expectedUpstreamMap: registrationMap{"netbird.io": struct{}{}, "netbird.cloud": struct{}{}},
 			expectedLocalMap:    registrationMap{buildRecordKey(zoneRecords[0].Name, 1, 1): struct{}{}},
 		},
 		{
 			name:            "Smaller Config Serial Should Be Skipped",
 			initLocalMap:    make(registrationMap),
-			initUpstreamMap: make(registeredHandlerMap),
+			initUpstreamMap: make(registrationMap),
 			initSerial:      2,
 			inputSerial:     1,
 			shouldFail:      true,
@@ -163,7 +115,7 @@ func TestUpdateDNSServer(t *testing.T) {
 		{
 			name:            "Empty NS Group Domain Or Not Primary Element Should Fail",
 			initLocalMap:    make(registrationMap),
-			initUpstreamMap: make(registeredHandlerMap),
+			initUpstreamMap: make(registrationMap),
 			initSerial:      0,
 			inputSerial:     1,
 			inputUpdate: nbdns.Config{
@@ -185,7 +137,7 @@ func TestUpdateDNSServer(t *testing.T) {
 		{
 			name:            "Invalid NS Group Nameservers list Should Fail",
 			initLocalMap:    make(registrationMap),
-			initUpstreamMap: make(registeredHandlerMap),
+			initUpstreamMap: make(registrationMap),
 			initSerial:      0,
 			inputSerial:     1,
 			inputUpdate: nbdns.Config{
@@ -207,7 +159,7 @@ func TestUpdateDNSServer(t *testing.T) {
 		{
 			name:            "Invalid Custom Zone Records list Should Fail",
 			initLocalMap:    make(registrationMap),
-			initUpstreamMap: make(registeredHandlerMap),
+			initUpstreamMap: make(registrationMap),
 			initSerial:      0,
 			inputSerial:     1,
 			inputUpdate: nbdns.Config{
@@ -229,21 +181,21 @@ func TestUpdateDNSServer(t *testing.T) {
 		{
 			name:                "Empty Config Should Succeed and Clean Maps",
 			initLocalMap:        registrationMap{"netbird.cloud": struct{}{}},
-			initUpstreamMap:     registeredHandlerMap{zoneRecords[0].Name: dummyHandler},
+			initUpstreamMap:     registrationMap{zoneRecords[0].Name: struct{}{}},
 			initSerial:          0,
 			inputSerial:         1,
 			inputUpdate:         nbdns.Config{ServiceEnable: true},
-			expectedUpstreamMap: make(registeredHandlerMap),
+			expectedUpstreamMap: make(registrationMap),
 			expectedLocalMap:    make(registrationMap),
 		},
 		{
 			name:                "Disabled Service Should clean map",
 			initLocalMap:        registrationMap{"netbird.cloud": struct{}{}},
-			initUpstreamMap:     registeredHandlerMap{zoneRecords[0].Name: dummyHandler},
+			initUpstreamMap:     registrationMap{zoneRecords[0].Name: struct{}{}},
 			initSerial:          0,
 			inputSerial:         1,
 			inputUpdate:         nbdns.Config{ServiceEnable: false},
-			expectedUpstreamMap: make(registeredHandlerMap),
+			expectedUpstreamMap: make(registrationMap),
 			expectedLocalMap:    make(registrationMap),
 		},
 	}
@@ -272,10 +224,6 @@ func TestUpdateDNSServer(t *testing.T) {
 			if err != nil {
 				t.Fatal(err)
 			}
-			err = dnsServer.Initialize()
-			if err != nil {
-				t.Fatal(err)
-			}
 			defer func() {
 				err = dnsServer.hostManager.restoreHostDNS()
 				if err != nil {
@@ -286,6 +234,8 @@ func TestUpdateDNSServer(t *testing.T) {
 			dnsServer.dnsMuxMap = testCase.initUpstreamMap
 			dnsServer.localResolver.registeredMap = testCase.initLocalMap
 			dnsServer.updateSerial = testCase.initSerial
+			// pretend we are running
+			dnsServer.listenerIsRunning = true
 
 			err = dnsServer.UpdateDNSServer(testCase.inputSerial, testCase.inputUpdate)
 			if err != nil {
@@ -320,133 +270,6 @@ func TestUpdateDNSServer(t *testing.T) {
 	}
 }
 
-func TestDNSFakeResolverHandleUpdates(t *testing.T) {
-	ov := os.Getenv("NB_WG_KERNEL_DISABLED")
-	defer os.Setenv("NB_WG_KERNEL_DISABLED", ov)
-
-	_ = os.Setenv("NB_WG_KERNEL_DISABLED", "true")
-	newNet, err := stdnet.NewNet(nil)
-	if err != nil {
-		t.Errorf("create stdnet: %v", err)
-		return
-	}
-
-	wgIface, err := iface.NewWGIFace("utun2301", "100.66.100.1/32", iface.DefaultMTU, nil, newNet)
-	if err != nil {
-		t.Errorf("build interface wireguard: %v", err)
-		return
-	}
-
-	err = wgIface.Create()
-	if err != nil {
-		t.Errorf("crate and init wireguard interface: %v", err)
-		return
-	}
-	defer func() {
-		if err = wgIface.Close(); err != nil {
-			t.Logf("close wireguard interface: %v", err)
-		}
-	}()
-
-	ctrl := gomock.NewController(t)
-	defer ctrl.Finish()
-
-	_, ipNet, err := net.ParseCIDR("100.66.100.1/32")
-	if err != nil {
-		t.Errorf("parse CIDR: %v", err)
-		return
-	}
-
-	packetfilter := pfmock.NewMockPacketFilter(ctrl)
-	packetfilter.EXPECT().DropOutgoing(gomock.Any()).AnyTimes()
-	packetfilter.EXPECT().AddUDPPacketHook(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any())
-	packetfilter.EXPECT().RemovePacketHook(gomock.Any())
-	packetfilter.EXPECT().SetNetwork(ipNet)
-
-	if err := wgIface.SetFilter(packetfilter); err != nil {
-		t.Errorf("set packet filter: %v", err)
-		return
-	}
-
-	dnsServer, err := NewDefaultServer(context.Background(), wgIface, "")
-	if err != nil {
-		t.Errorf("create DNS server: %v", err)
-		return
-	}
-
-	err = dnsServer.Initialize()
-	if err != nil {
-		t.Errorf("run DNS server: %v", err)
-		return
-	}
-	defer func() {
-		if err = dnsServer.hostManager.restoreHostDNS(); err != nil {
-			t.Logf("restore DNS settings on the host: %v", err)
-			return
-		}
-	}()
-
-	dnsServer.dnsMuxMap = registeredHandlerMap{zoneRecords[0].Name: &localResolver{}}
-	dnsServer.localResolver.registeredMap = registrationMap{"netbird.cloud": struct{}{}}
-	dnsServer.updateSerial = 0
-
-	nameServers := []nbdns.NameServer{
-		{
-			IP:     netip.MustParseAddr("8.8.8.8"),
-			NSType: nbdns.UDPNameServerType,
-			Port:   53,
-		},
-		{
-			IP:     netip.MustParseAddr("8.8.4.4"),
-			NSType: nbdns.UDPNameServerType,
-			Port:   53,
-		},
-	}
-
-	update := nbdns.Config{
-		ServiceEnable: true,
-		CustomZones: []nbdns.CustomZone{
-			{
-				Domain:  "netbird.cloud",
-				Records: zoneRecords,
-			},
-		},
-		NameServerGroups: []*nbdns.NameServerGroup{
-			{
-				Domains:     []string{"netbird.io"},
-				NameServers: nameServers,
-			},
-			{
-				NameServers: nameServers,
-				Primary:     true,
-			},
-		},
-	}
-
-	// Start the server with regular configuration
-	if err := dnsServer.UpdateDNSServer(1, update); err != nil {
-		t.Fatalf("update dns server should not fail, got error: %v", err)
-		return
-	}
-
-	update2 := update
-	update2.ServiceEnable = false
-	// Disable the server, stop the listener
-	if err := dnsServer.UpdateDNSServer(2, update2); err != nil {
-		t.Fatalf("update dns server should not fail, got error: %v", err)
-		return
-	}
-
-	update3 := update2
-	update3.NameServerGroups = update3.NameServerGroups[:1]
-	// But service still get updates and we checking that we handle
-	// internal state in the right way
-	if err := dnsServer.UpdateDNSServer(3, update3); err != nil {
-		t.Fatalf("update dns server should not fail, got error: %v", err)
-		return
-	}
-}
-
 func TestDNSServerStartStop(t *testing.T) {
 	testCases := []struct {
 		name     string
@@ -463,23 +286,21 @@ func TestDNSServerStartStop(t *testing.T) {
 
 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			dnsServer, err := NewDefaultServer(context.Background(), &mocWGIface{}, testCase.addrPort)
-			if err != nil {
-				t.Fatalf("%v", err)
-			}
+			dnsServer := getDefaultServerWithNoHostManager(t, testCase.addrPort)
+
 			dnsServer.hostManager = newNoopHostMocker()
-			err = dnsServer.service.Listen()
-			if err != nil {
-				t.Fatalf("dns server is not running: %s", err)
-			}
+			dnsServer.Start()
 			time.Sleep(100 * time.Millisecond)
+			if !dnsServer.listenerIsRunning {
+				t.Fatal("dns server listener is not running")
+			}
 			defer dnsServer.Stop()
-			err = dnsServer.localResolver.registerRecord(zoneRecords[0])
+			err := dnsServer.localResolver.registerRecord(zoneRecords[0])
 			if err != nil {
 				t.Error(err)
 			}
 
-			dnsServer.service.RegisterMux("netbird.cloud", dnsServer.localResolver)
+			dnsServer.dnsMux.Handle("netbird.cloud", dnsServer.localResolver)
 
 			resolver := &net.Resolver{
 				PreferGo: true,
@@ -487,7 +308,7 @@ func TestDNSServerStartStop(t *testing.T) {
 					d := net.Dialer{
 						Timeout: time.Second * 5,
 					}
-					addr := fmt.Sprintf("%s:%d", dnsServer.service.RuntimeIP(), dnsServer.service.RuntimePort())
+					addr := fmt.Sprintf("%s:%d", dnsServer.runtimeIP, dnsServer.runtimePort)
 					conn, err := d.DialContext(ctx, network, addr)
 					if err != nil {
 						t.Log(err)
@@ -522,7 +343,7 @@ func TestDNSServerStartStop(t *testing.T) {
 func TestDNSServerUpstreamDeactivateCallback(t *testing.T) {
 	hostManager := &mockHostConfigurator{}
 	server := DefaultServer{
-		service: newServiceViaMemory(&mocWGIface{}),
+		dnsMux: dns.DefaultServeMux,
 		localResolver: &localResolver{
 			registeredMap: make(registrationMap),
 		},
@@ -585,237 +406,35 @@ func TestDNSServerUpstreamDeactivateCallback(t *testing.T) {
 	}
 }
 
-func TestDNSPermanent_updateHostDNS_emptyUpstream(t *testing.T) {
-	wgIFace, err := createWgInterfaceWithBind(t)
-	if err != nil {
-		t.Fatal("failed to initialize wg interface")
+func getDefaultServerWithNoHostManager(t *testing.T, addrPort string) *DefaultServer {
+	mux := dns.NewServeMux()
+
+	var parsedAddrPort *netip.AddrPort
+	if addrPort != "" {
+		parsed, err := netip.ParseAddrPort(addrPort)
+		if err != nil {
+			t.Fatal(err)
+		}
+		parsedAddrPort = &parsed
 	}
-	defer wgIFace.Close()
 
-	var dnsList []string
-	dnsServer := NewDefaultServerPermanentUpstream(context.Background(), wgIFace, dnsList)
-	err = dnsServer.Initialize()
-	if err != nil {
-		t.Errorf("failed to initialize DNS server: %v", err)
-		return
+	dnsServer := &dns.Server{
+		Net:     "udp",
+		Handler: mux,
+		UDPSize: 65535,
 	}
-	defer dnsServer.Stop()
 
-	dnsServer.OnUpdatedHostDNSServer([]string{"8.8.8.8"})
+	ctx, cancel := context.WithCancel(context.TODO())
 
-	resolver := newDnsResolver(dnsServer.service.RuntimeIP(), dnsServer.service.RuntimePort())
-	_, err = resolver.LookupHost(context.Background(), "netbird.io")
-	if err != nil {
-		t.Errorf("failed to resolve: %s", err)
-	}
-}
-
-func TestDNSPermanent_updateUpstream(t *testing.T) {
-	wgIFace, err := createWgInterfaceWithBind(t)
-	if err != nil {
-		t.Fatal("failed to initialize wg interface")
-	}
-	defer wgIFace.Close()
-
-	dnsServer := NewDefaultServerPermanentUpstream(context.Background(), wgIFace, []string{"8.8.8.8"})
-	err = dnsServer.Initialize()
-	if err != nil {
-		t.Errorf("failed to initialize DNS server: %v", err)
-		return
-	}
-	defer dnsServer.Stop()
-
-	// check initial state
-	resolver := newDnsResolver(dnsServer.service.RuntimeIP(), dnsServer.service.RuntimePort())
-	_, err = resolver.LookupHost(context.Background(), "netbird.io")
-	if err != nil {
-		t.Errorf("failed to resolve: %s", err)
-	}
-
-	update := nbdns.Config{
-		ServiceEnable: true,
-		CustomZones: []nbdns.CustomZone{
-			{
-				Domain:  "netbird.cloud",
-				Records: zoneRecords,
-			},
-		},
-		NameServerGroups: []*nbdns.NameServerGroup{
-			{
-				NameServers: []nbdns.NameServer{
-					{
-						IP:     netip.MustParseAddr("8.8.4.4"),
-						NSType: nbdns.UDPNameServerType,
-						Port:   53,
-					},
-				},
-				Enabled: true,
-				Primary: true,
-			},
-		},
-	}
-
-	err = dnsServer.UpdateDNSServer(1, update)
-	if err != nil {
-		t.Errorf("failed to update dns server: %s", err)
-	}
-
-	_, err = resolver.LookupHost(context.Background(), "netbird.io")
-	if err != nil {
-		t.Errorf("failed to resolve: %s", err)
-	}
-	ips, err := resolver.LookupHost(context.Background(), zoneRecords[0].Name)
-	if err != nil {
-		t.Fatalf("failed resolve zone record: %v", err)
-	}
-	if ips[0] != zoneRecords[0].RData {
-		t.Fatalf("invalid zone record: %v", err)
-	}
-
-	update2 := nbdns.Config{
-		ServiceEnable: true,
-		CustomZones: []nbdns.CustomZone{
-			{
-				Domain:  "netbird.cloud",
-				Records: zoneRecords,
-			},
-		},
-		NameServerGroups: []*nbdns.NameServerGroup{},
-	}
-
-	err = dnsServer.UpdateDNSServer(2, update2)
-	if err != nil {
-		t.Errorf("failed to update dns server: %s", err)
-	}
-
-	_, err = resolver.LookupHost(context.Background(), "netbird.io")
-	if err != nil {
-		t.Errorf("failed to resolve: %s", err)
-	}
-
-	ips, err = resolver.LookupHost(context.Background(), zoneRecords[0].Name)
-	if err != nil {
-		t.Fatalf("failed resolve zone record: %v", err)
-	}
-	if ips[0] != zoneRecords[0].RData {
-		t.Fatalf("invalid zone record: %v", err)
-	}
-}
-
-func TestDNSPermanent_matchOnly(t *testing.T) {
-	wgIFace, err := createWgInterfaceWithBind(t)
-	if err != nil {
-		t.Fatal("failed to initialize wg interface")
-	}
-	defer wgIFace.Close()
-
-	dnsServer := NewDefaultServerPermanentUpstream(context.Background(), wgIFace, []string{"8.8.8.8"})
-	err = dnsServer.Initialize()
-	if err != nil {
-		t.Errorf("failed to initialize DNS server: %v", err)
-		return
-	}
-	defer dnsServer.Stop()
-
-	// check initial state
-	resolver := newDnsResolver(dnsServer.service.RuntimeIP(), dnsServer.service.RuntimePort())
-	_, err = resolver.LookupHost(context.Background(), "netbird.io")
-	if err != nil {
-		t.Errorf("failed to resolve: %s", err)
-	}
-
-	update := nbdns.Config{
-		ServiceEnable: true,
-		CustomZones: []nbdns.CustomZone{
-			{
-				Domain:  "netbird.cloud",
-				Records: zoneRecords,
-			},
-		},
-		NameServerGroups: []*nbdns.NameServerGroup{
-			{
-				NameServers: []nbdns.NameServer{
-					{
-						IP:     netip.MustParseAddr("8.8.4.4"),
-						NSType: nbdns.UDPNameServerType,
-						Port:   53,
-					},
-				},
-				Domains: []string{"customdomain.com"},
-				Primary: false,
-			},
-		},
-	}
-
-	err = dnsServer.UpdateDNSServer(1, update)
-	if err != nil {
-		t.Errorf("failed to update dns server: %s", err)
-	}
-
-	_, err = resolver.LookupHost(context.Background(), "netbird.io")
-	if err != nil {
-		t.Errorf("failed to resolve: %s", err)
-	}
-	ips, err := resolver.LookupHost(context.Background(), zoneRecords[0].Name)
-	if err != nil {
-		t.Fatalf("failed resolve zone record: %v", err)
-	}
-	if ips[0] != zoneRecords[0].RData {
-		t.Fatalf("invalid zone record: %v", err)
-	}
-	_, err = resolver.LookupHost(context.Background(), "customdomain.com")
-	if err != nil {
-		t.Errorf("failed to resolve: %s", err)
-	}
-}
-
-func createWgInterfaceWithBind(t *testing.T) (*iface.WGIface, error) {
-	ov := os.Getenv("NB_WG_KERNEL_DISABLED")
-	defer os.Setenv("NB_WG_KERNEL_DISABLED", ov)
-
-	_ = os.Setenv("NB_WG_KERNEL_DISABLED", "true")
-	newNet, err := stdnet.NewNet(nil)
-	if err != nil {
-		t.Fatalf("create stdnet: %v", err)
-		return nil, nil
-	}
-
-	wgIface, err := iface.NewWGIFace("utun2301", "100.66.100.2/24", iface.DefaultMTU, nil, newNet)
-	if err != nil {
-		t.Fatalf("build interface wireguard: %v", err)
-		return nil, err
-	}
-
-	err = wgIface.Create()
-	if err != nil {
-		t.Fatalf("crate and init wireguard interface: %v", err)
-		return nil, err
-	}
-
-	pf, err := uspfilter.Create(wgIface)
-	if err != nil {
-		t.Fatalf("failed to create uspfilter: %v", err)
-		return nil, err
-	}
-
-	err = wgIface.SetFilter(pf)
-	if err != nil {
-		t.Fatalf("set packet filter: %v", err)
-		return nil, err
-	}
-
-	return wgIface, nil
-}
-
-func newDnsResolver(ip string, port int) *net.Resolver {
-	return &net.Resolver{
-		PreferGo: true,
-		Dial: func(ctx context.Context, network, address string) (net.Conn, error) {
-			d := net.Dialer{
-				Timeout: time.Second * 3,
-			}
-			addr := fmt.Sprintf("%s:%d", ip, port)
-			return d.DialContext(ctx, network, addr)
-		},
+	return &DefaultServer{
+		ctx:       ctx,
+		ctxCancel: cancel,
+		server:    dnsServer,
+		dnsMux:    mux,
+		dnsMuxMap: make(registrationMap),
+		localResolver: &localResolver{
+			registeredMap: make(registrationMap),
+		},
+		customAddress: parsedAddrPort,
 	}
 }

client/internal/dns/service.go

@@ -1,18 +0,0 @@
-package dns
-
-import (
-	"github.com/miekg/dns"
-)
-
-const (
-	defaultPort = 53
-)
-
-type service interface {
-	Listen() error
-	Stop()
-	RegisterMux(domain string, handler dns.Handler)
-	DeregisterMux(key string)
-	RuntimePort() int
-	RuntimeIP() string
-}

client/internal/dns/service_listener.go

@@ -1,145 +0,0 @@
-package dns
-
-import (
-	"context"
-	"fmt"
-	"net"
-	"net/netip"
-	"runtime"
-	"sync"
-	"time"
-
-	"github.com/miekg/dns"
-	log "github.com/sirupsen/logrus"
-)
-
-const (
-	customPort = 5053
-	defaultIP  = "127.0.0.1"
-	customIP   = "127.0.0.153"
-)
-
-type serviceViaListener struct {
-	wgInterface       WGIface
-	dnsMux            *dns.ServeMux
-	customAddr        *netip.AddrPort
-	server            *dns.Server
-	runtimeIP         string
-	runtimePort       int
-	listenerIsRunning bool
-	listenerFlagLock  sync.Mutex
-}
-
-func newServiceViaListener(wgIface WGIface, customAddr *netip.AddrPort) *serviceViaListener {
-	mux := dns.NewServeMux()
-
-	s := &serviceViaListener{
-		wgInterface: wgIface,
-		dnsMux:      mux,
-		customAddr:  customAddr,
-		server: &dns.Server{
-			Net:     "udp",
-			Handler: mux,
-			UDPSize: 65535,
-		},
-	}
-	return s
-}
-
-func (s *serviceViaListener) Listen() error {
-	s.listenerFlagLock.Lock()
-	defer s.listenerFlagLock.Unlock()
-
-	if s.listenerIsRunning {
-		return nil
-	}
-
-	var err error
-	s.runtimeIP, s.runtimePort, err = s.evalRuntimeAddress()
-	if err != nil {
-		log.Errorf("failed to eval runtime address: %s", err)
-		return err
-	}
-	s.server.Addr = fmt.Sprintf("%s:%d", s.runtimeIP, s.runtimePort)
-
-	log.Debugf("starting dns on %s", s.server.Addr)
-	go func() {
-		s.setListenerStatus(true)
-		defer s.setListenerStatus(false)
-
-		err := s.server.ListenAndServe()
-		if err != nil {
-			log.Errorf("dns server running with %d port returned an error: %v. Will not retry", s.runtimePort, err)
-		}
-	}()
-	return nil
-}
-
-func (s *serviceViaListener) Stop() {
-	s.listenerFlagLock.Lock()
-	defer s.listenerFlagLock.Unlock()
-
-	if !s.listenerIsRunning {
-		return
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-	defer cancel()
-
-	err := s.server.ShutdownContext(ctx)
-	if err != nil {
-		log.Errorf("stopping dns server listener returned an error: %v", err)
-	}
-}
-
-func (s *serviceViaListener) RegisterMux(pattern string, handler dns.Handler) {
-	s.dnsMux.Handle(pattern, handler)
-}
-
-func (s *serviceViaListener) DeregisterMux(pattern string) {
-	s.dnsMux.HandleRemove(pattern)
-}
-
-func (s *serviceViaListener) RuntimePort() int {
-	return s.runtimePort
-}
-
-func (s *serviceViaListener) RuntimeIP() string {
-	return s.runtimeIP
-}
-
-func (s *serviceViaListener) setListenerStatus(running bool) {
-	s.listenerIsRunning = running
-}
-
-func (s *serviceViaListener) getFirstListenerAvailable() (string, int, error) {
-	ips := []string{defaultIP, customIP}
-	if runtime.GOOS != "darwin" {
-		ips = append([]string{s.wgInterface.Address().IP.String()}, ips...)
-	}
-	ports := []int{defaultPort, customPort}
-	for _, port := range ports {
-		for _, ip := range ips {
-			addrString := fmt.Sprintf("%s:%d", ip, port)
-			udpAddr := net.UDPAddrFromAddrPort(netip.MustParseAddrPort(addrString))
-			probeListener, err := net.ListenUDP("udp", udpAddr)
-			if err == nil {
-				err = probeListener.Close()
-				if err != nil {
-					log.Errorf("got an error closing the probe listener, error: %s", err)
-				}
-				return ip, port, nil
-			}
-			log.Warnf("binding dns on %s is not available, error: %s", addrString, err)
-		}
-	}
-	return "", 0, fmt.Errorf("unable to find an unused ip and port combination. IPs tested: %v and ports %v", ips, ports)
-}
-
-func (s *serviceViaListener) evalRuntimeAddress() (string, int, error) {
-	if s.customAddr != nil {
-		return s.customAddr.Addr().String(), int(s.customAddr.Port()), nil
-	}
-
-	return s.getFirstListenerAvailable()
-}

client/internal/dns/service_memory.go

@@ -1,139 +0,0 @@
-package dns
-
-import (
-	"fmt"
-	"math/big"
-	"net"
-	"sync"
-
-	"github.com/google/gopacket"
-	"github.com/google/gopacket/layers"
-	"github.com/miekg/dns"
-	log "github.com/sirupsen/logrus"
-)
-
-type serviceViaMemory struct {
-	wgInterface       WGIface
-	dnsMux            *dns.ServeMux
-	runtimeIP         string
-	runtimePort       int
-	udpFilterHookID   string
-	listenerIsRunning bool
-	listenerFlagLock  sync.Mutex
-}
-
-func newServiceViaMemory(wgIface WGIface) *serviceViaMemory {
-	s := &serviceViaMemory{
-		wgInterface: wgIface,
-		dnsMux:      dns.NewServeMux(),
-
-		runtimeIP:   getLastIPFromNetwork(wgIface.Address().Network, 1),
-		runtimePort: defaultPort,
-	}
-	return s
-}
-
-func (s *serviceViaMemory) Listen() error {
-	s.listenerFlagLock.Lock()
-	defer s.listenerFlagLock.Unlock()
-
-	if s.listenerIsRunning {
-		return nil
-	}
-
-	var err error
-	s.udpFilterHookID, err = s.filterDNSTraffic()
-	if err != nil {
-		return err
-	}
-	s.listenerIsRunning = true
-
-	log.Debugf("dns service listening on: %s", s.RuntimeIP())
-	return nil
-}
-
-func (s *serviceViaMemory) Stop() {
-	s.listenerFlagLock.Lock()
-	defer s.listenerFlagLock.Unlock()
-
-	if !s.listenerIsRunning {
-		return
-	}
-
-	if err := s.wgInterface.GetFilter().RemovePacketHook(s.udpFilterHookID); err != nil {
-		log.Errorf("unable to remove DNS packet hook: %s", err)
-	}
-
-	s.listenerIsRunning = false
-}
-
-func (s *serviceViaMemory) RegisterMux(pattern string, handler dns.Handler) {
-	s.dnsMux.Handle(pattern, handler)
-}
-
-func (s *serviceViaMemory) DeregisterMux(pattern string) {
-	s.dnsMux.HandleRemove(pattern)
-}
-
-func (s *serviceViaMemory) RuntimePort() int {
-	return s.runtimePort
-}
-
-func (s *serviceViaMemory) RuntimeIP() string {
-	return s.runtimeIP
-}
-
-func (s *serviceViaMemory) filterDNSTraffic() (string, error) {
-	filter := s.wgInterface.GetFilter()
-	if filter == nil {
-		return "", fmt.Errorf("can't set DNS filter, filter not initialized")
-	}
-
-	firstLayerDecoder := layers.LayerTypeIPv4
-	if s.wgInterface.Address().Network.IP.To4() == nil {
-		firstLayerDecoder = layers.LayerTypeIPv6
-	}
-
-	hook := func(packetData []byte) bool {
-		// Decode the packet
-		packet := gopacket.NewPacket(packetData, firstLayerDecoder, gopacket.Default)
-
-		// Get the UDP layer
-		udpLayer := packet.Layer(layers.LayerTypeUDP)
-		udp := udpLayer.(*layers.UDP)
-
-		msg := new(dns.Msg)
-		if err := msg.Unpack(udp.Payload); err != nil {
-			log.Tracef("parse DNS request: %v", err)
-			return true
-		}
-
-		writer := responseWriter{
-			packet: packet,
-			device: s.wgInterface.GetDevice().Device,
-		}
-		go s.dnsMux.ServeDNS(&writer, msg)
-		return true
-	}
-
-	return filter.AddUDPPacketHook(false, net.ParseIP(s.runtimeIP), uint16(s.runtimePort), hook), nil
-}
-
-func getLastIPFromNetwork(network *net.IPNet, fromEnd int) string {
-	// Calculate the last IP in the CIDR range
-	var endIP net.IP
-	for i := 0; i < len(network.IP); i++ {
-		endIP = append(endIP, network.IP[i]|^network.Mask[i])
-	}
-
-	// convert to big.Int
-	endInt := big.NewInt(0)
-	endInt.SetBytes(endIP)
-
-	// subtract fromEnd from the last ip
-	fromEndBig := big.NewInt(int64(fromEnd))
-	resultInt := big.NewInt(0)
-	resultInt.Sub(endInt, fromEndBig)
-
-	return net.IP(resultInt.Bytes()).String()
-}

client/internal/dns/service_memory_test.go

@@ -1,31 +0,0 @@
-package dns
-
-import (
-	"net"
-	"testing"
-)
-
-func TestGetLastIPFromNetwork(t *testing.T) {
-	tests := []struct {
-		addr string
-		ip   string
-	}{
-		{"2001:db8::/32", "2001:db8:ffff:ffff:ffff:ffff:ffff:fffe"},
-		{"192.168.0.0/30", "192.168.0.2"},
-		{"192.168.0.0/16", "192.168.255.254"},
-		{"192.168.0.0/24", "192.168.0.254"},
-	}
-
-	for _, tt := range tests {
-		_, ipnet, err := net.ParseCIDR(tt.addr)
-		if err != nil {
-			t.Errorf("Error parsing CIDR: %v", err)
-			return
-		}
-
-		lastIP := getLastIPFromNetwork(ipnet, 1)
-		if lastIP != tt.ip {
-			t.Errorf("wrong IP address, expected %s: got %s", tt.ip, lastIP)
-		}
-	}
-}

client/internal/dns/systemd_linux.go

@@ -1,5 +1,3 @@
-//go:build !android
-
 package dns
 
 import (
@@ -11,10 +9,10 @@ import (
 
 	"github.com/godbus/dbus/v5"
 	"github.com/miekg/dns"
+	nbdns "github.com/netbirdio/netbird/dns"
+	"github.com/netbirdio/netbird/iface"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
-
-	nbdns "github.com/netbirdio/netbird/dns"
 )
 
 const (
@@ -52,7 +50,7 @@ type systemdDbusLinkDomainsInput struct {
 	MatchOnly bool
 }
 
-func newSystemdDbusConfigurator(wgInterface WGIface) (hostManager, error) {
+func newSystemdDbusConfigurator(wgInterface *iface.WGIface) (hostManager, error) {
 	iface, err := net.InterfaceByName(wgInterface.Name())
 	if err != nil {
 		return nil, err
@@ -77,10 +75,6 @@ func newSystemdDbusConfigurator(wgInterface WGIface) (hostManager, error) {
 	}, nil
 }
 
-func (s *systemdDbusConfigurator) supportCustomPort() bool {
-	return true
-}
-
 func (s *systemdDbusConfigurator) applyDNSConfig(config hostDNSConfig) error {
 	parsedIP, err := netip.ParseAddr(config.serverIP)
 	if err != nil {

client/internal/dns/upstream.go

@@ -3,31 +3,24 @@ package dns
 import (
 	"context"
 	"errors"
-	"fmt"
 	"net"
 	"sync"
 	"sync/atomic"
 	"time"
 
-	"github.com/cenkalti/backoff/v4"
 	"github.com/miekg/dns"
 	log "github.com/sirupsen/logrus"
 )
 
 const (
-	failsTillDeact   = int32(5)
-	reactivatePeriod = 30 * time.Second
+	failsTillDeact   = int32(3)
+	reactivatePeriod = time.Minute
 	upstreamTimeout  = 15 * time.Second
 )
 
-type upstreamClient interface {
-	ExchangeContext(ctx context.Context, m *dns.Msg, a string) (r *dns.Msg, rtt time.Duration, err error)
-}
-
 type upstreamResolver struct {
 	ctx              context.Context
-	cancel           context.CancelFunc
-	upstreamClient   upstreamClient
+	upstreamClient   *dns.Client
 	upstreamServers  []string
 	disabled         bool
 	failsCount       atomic.Int32
@@ -40,11 +33,9 @@ type upstreamResolver struct {
 	reactivate func()
 }
 
-func newUpstreamResolver(parentCTX context.Context) *upstreamResolver {
-	ctx, cancel := context.WithCancel(parentCTX)
+func newUpstreamResolver(ctx context.Context) *upstreamResolver {
 	return &upstreamResolver{
 		ctx:              ctx,
-		cancel:           cancel,
 		upstreamClient:   &dns.Client{},
 		upstreamTimeout:  upstreamTimeout,
 		reactivatePeriod: reactivatePeriod,
@@ -52,11 +43,6 @@ func newUpstreamResolver(parentCTX context.Context) *upstreamResolver {
 	}
 }
 
-func (u *upstreamResolver) stop() {
-	log.Debugf("stoping serving DNS for upstreams %s", u.upstreamServers)
-	u.cancel()
-}
-
 // ServeDNS handles a DNS request
 func (u *upstreamResolver) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	defer u.checkUpstreamFails()
@@ -121,57 +107,28 @@ func (u *upstreamResolver) checkUpstreamFails() {
 		log.Warnf("upstream resolving is disabled for %v", reactivatePeriod)
 		u.deactivate()
 		u.disabled = true
-		go u.waitUntilResponse()
+		go u.waitUntilReactivation()
 	}
 }
 
-// waitUntilResponse retries, in an exponential interval, querying the upstream servers until it gets a positive response
-func (u *upstreamResolver) waitUntilResponse() {
-	exponentialBackOff := &backoff.ExponentialBackOff{
-		InitialInterval:     500 * time.Millisecond,
-		RandomizationFactor: 0.5,
-		Multiplier:          1.1,
-		MaxInterval:         u.reactivatePeriod,
-		MaxElapsedTime:      0,
-		Stop:                backoff.Stop,
-		Clock:               backoff.SystemClock,
-	}
-
-	r := new(dns.Msg).SetQuestion("netbird.io.", dns.TypeA)
-
-	operation := func() error {
-		select {
-		case <-u.ctx.Done():
-			return backoff.Permanent(fmt.Errorf("exiting upstream retry loop for upstreams %s: parent context has been canceled", u.upstreamServers))
-		default:
+// waitUntilReactivation reset fails counter and activates upstream resolving
+func (u *upstreamResolver) waitUntilReactivation() {
+	timer := time.NewTimer(u.reactivatePeriod)
+	defer func() {
+		if !timer.Stop() {
+			<-timer.C
 		}
+	}()
 
-		var err error
-		for _, upstream := range u.upstreamServers {
-			ctx, cancel := context.WithTimeout(u.ctx, u.upstreamTimeout)
-			_, _, err = u.upstreamClient.ExchangeContext(ctx, r, upstream)
-
-			cancel()
-
-			if err == nil {
-				return nil
-			}
-		}
-
-		log.Tracef("checking connectivity with upstreams %s failed with error: %s. Retrying in %s", err, u.upstreamServers, exponentialBackOff.NextBackOff())
-		return fmt.Errorf("got an error from upstream check call")
-	}
-
-	err := backoff.Retry(operation, exponentialBackOff)
-	if err != nil {
-		log.Warn(err)
+	select {
+	case <-u.ctx.Done():
 		return
+	case <-timer.C:
+		log.Info("upstream resolving is reactivated")
+		u.failsCount.Store(0)
+		u.reactivate()
+		u.disabled = false
 	}
-
-	log.Infof("upstreams %s are responsive again. Adding them back to system", u.upstreamServers)
-	u.failsCount.Store(0)
-	u.reactivate()
-	u.disabled = false
 }
 
 // isTimeout returns true if the given error is a network timeout error.

client/internal/dns/upstream_test.go

@@ -2,11 +2,10 @@ package dns
 
 import (
 	"context"
+	"github.com/miekg/dns"
 	"strings"
 	"testing"
 	"time"
-
-	"github.com/miekg/dns"
 )
 
 func TestUpstreamResolver_ServeDNS(t *testing.T) {
@@ -107,29 +106,8 @@ func TestUpstreamResolver_ServeDNS(t *testing.T) {
 	}
 }
 
-type mockUpstreamResolver struct {
-	r   *dns.Msg
-	rtt time.Duration
-	err error
-}
-
-// ExchangeContext mock implementation of ExchangeContext from upstreamResolver
-func (c mockUpstreamResolver) ExchangeContext(_ context.Context, _ *dns.Msg, _ string) (r *dns.Msg, rtt time.Duration, err error) {
-	return c.r, c.rtt, c.err
-}
-
 func TestUpstreamResolver_DeactivationReactivation(t *testing.T) {
-	resolver := &upstreamResolver{
-		ctx: context.TODO(),
-		upstreamClient: &mockUpstreamResolver{
-			err: nil,
-			r:   new(dns.Msg),
-			rtt: time.Millisecond,
-		},
-		upstreamTimeout:  upstreamTimeout,
-		reactivatePeriod: reactivatePeriod,
-		failsTillDeact:   failsTillDeact,
-	}
+	resolver := newUpstreamResolver(context.TODO())
 	resolver.upstreamServers = []string{"0.0.0.0:-1"}
 	resolver.failsTillDeact = 0
 	resolver.reactivatePeriod = time.Microsecond * 100

client/internal/dns/wgiface.go

@@ -1,14 +0,0 @@
-//go:build !windows
-
-package dns
-
-import "github.com/netbirdio/netbird/iface"
-
-// WGIface defines subset methods of interface required for manager
-type WGIface interface {
-	Name() string
-	Address() iface.WGAddress
-	IsUserspaceBind() bool
-	GetFilter() iface.PacketFilter
-	GetDevice() *iface.DeviceWrapper
-}

client/internal/dns/wgiface_windows.go

@@ -1,13 +0,0 @@
-package dns
-
-import "github.com/netbirdio/netbird/iface"
-
-// WGIface defines subset methods of interface required for manager
-type WGIface interface {
-	Name() string
-	Address() iface.WGAddress
-	IsUserspaceBind() bool
-	GetFilter() iface.PacketFilter
-	GetDevice() *iface.DeviceWrapper
-	GetInterfaceGUIDString() (string, error)
-}

client/internal/engine.go

@@ -3,7 +3,6 @@ package internal
 import (
 	"context"
 	"fmt"
-	"io"
 	"math/rand"
 	"net"
 	"net/netip"
@@ -17,19 +16,16 @@ import (
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 
-	"github.com/netbirdio/netbird/client/internal/acl"
 	"github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/routemanager"
-	"github.com/netbirdio/netbird/client/internal/wgproxy"
+	"github.com/netbirdio/netbird/client/internal/stdnet"
 	nbssh "github.com/netbirdio/netbird/client/ssh"
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/iface"
-	"github.com/netbirdio/netbird/iface/bind"
 	mgm "github.com/netbirdio/netbird/management/client"
 	mgmProto "github.com/netbirdio/netbird/management/proto"
 	"github.com/netbirdio/netbird/route"
-	"github.com/netbirdio/netbird/sharedsock"
 	signal "github.com/netbirdio/netbird/signal/client"
 	sProto "github.com/netbirdio/netbird/signal/proto"
 	"github.com/netbirdio/netbird/util"
@@ -50,6 +46,10 @@ var ErrResetConnection = fmt.Errorf("reset connection")
 type EngineConfig struct {
 	WgPort      int
 	WgIfaceName string
+	// TunAdapter is option. It is necessary for mobile version.
+	TunAdapter iface.TunAdapter
+
+	IFaceDiscover stdnet.ExternalIFaceDiscover
 
 	// WgAddr is a Wireguard local address (Netbird Network IP)
 	WgAddr string
@@ -89,9 +89,7 @@ type Engine struct {
 	// syncMsgMux is used to guarantee sequential Management Service message processing
 	syncMsgMux *sync.Mutex
 
-	config    *EngineConfig
-	mobileDep MobileDependency
-
+	config *EngineConfig
 	// STUNs is a list of STUN servers used by ICE
 	STUNs []*ice.URL
 	// TURNs is a list of STUN servers used by ICE
@@ -101,11 +99,12 @@ type Engine struct {
 
 	ctx context.Context
 
-	wgInterface    *iface.WGIface
-	wgProxyFactory *wgproxy.Factory
+	wgInterface *iface.WGIface
 
-	udpMux     *bind.UniversalUDPMuxDefault
-	udpMuxConn io.Closer
+	udpMux          ice.UDPMux
+	udpMuxSrflx     ice.UniversalUDPMux
+	udpMuxConn      *net.UDPConn
+	udpMuxConnSrflx *net.UDPConn
 
 	// networkSerial is the latest CurrentSerial (state ID) of the network sent by the Management service
 	networkSerial uint64
@@ -116,7 +115,6 @@ type Engine struct {
 	statusRecorder *peer.Status
 
 	routeManager routemanager.Manager
-	acl          acl.Manager
 
 	dnsServer dns.Server
 }
@@ -131,9 +129,8 @@ type Peer struct {
 func NewEngine(
 	ctx context.Context, cancel context.CancelFunc,
 	signalClient signal.Client, mgmClient mgm.Client,
-	config *EngineConfig, mobileDep MobileDependency, statusRecorder *peer.Status,
+	config *EngineConfig, statusRecorder *peer.Status,
 ) *Engine {
-
 	return &Engine{
 		ctx:            ctx,
 		cancel:         cancel,
@@ -142,13 +139,11 @@ func NewEngine(
 		peerConns:      make(map[string]*peer.Conn),
 		syncMsgMux:     &sync.Mutex{},
 		config:         config,
-		mobileDep:      mobileDep,
 		STUNs:          []*ice.URL{},
 		TURNs:          []*ice.URL{},
 		networkSerial:  0,
 		sshServerFunc:  nbssh.DefaultSSHServer,
 		statusRecorder: statusRecorder,
-		wgProxyFactory: wgproxy.NewFactory(config.WgPort),
 	}
 }
 
@@ -183,48 +178,15 @@ func (e *Engine) Start() error {
 	var err error
 	transportNet, err := e.newStdNet()
 	if err != nil {
-		log.Errorf("failed to create pion's stdnet: %s", err)
+		log.Warnf("failed to create pion's stdnet: %s", err)
 	}
-
-	e.wgInterface, err = iface.NewWGIFace(wgIFaceName, wgAddr, iface.DefaultMTU, e.mobileDep.TunAdapter, transportNet)
+	e.wgInterface, err = iface.NewWGIFace(wgIFaceName, wgAddr, iface.DefaultMTU, e.config.TunAdapter, transportNet)
 	if err != nil {
 		log.Errorf("failed creating wireguard interface instance %s: [%s]", wgIFaceName, err.Error())
 		return err
 	}
 
-	var routes []*route.Route
-
-	if runtime.GOOS == "android" {
-		routes, err = e.readInitialSettings()
-		if err != nil {
-			return err
-		}
-		if e.dnsServer == nil {
-			e.dnsServer = dns.NewDefaultServerPermanentUpstream(e.ctx, e.wgInterface, e.mobileDep.HostDNSAddresses)
-			go e.mobileDep.DnsReadyListener.OnReady()
-		}
-	} else {
-		// todo fix custom address
-		if e.dnsServer == nil {
-			e.dnsServer, err = dns.NewDefaultServer(e.ctx, e.wgInterface, e.config.CustomDNSAddress)
-			if err != nil {
-				e.close()
-				return err
-			}
-		}
-	}
-
-	e.routeManager = routemanager.NewManager(e.ctx, e.config.WgPrivateKey.PublicKey().String(), e.wgInterface, e.statusRecorder, routes)
-	e.routeManager.SetRouteChangeListener(e.mobileDep.RouteListener)
-
-	if runtime.GOOS != "android" {
-		err = e.wgInterface.Create()
-	} else {
-		err = e.wgInterface.CreateOnMobile(iface.MobileIFaceArguments{
-			Routes: e.routeManager.InitialRouteRange(),
-			Dns:    e.dnsServer.DnsIP(),
-		})
-	}
+	err = e.wgInterface.Create()
 	if err != nil {
 		log.Errorf("failed creating tunnel interface %s: [%s]", wgIFaceName, err.Error())
 		e.close()
@@ -245,29 +207,45 @@ func (e *Engine) Start() error {
 			e.close()
 			return err
 		}
-		e.udpMux = udpMux
+		e.udpMux = udpMux.UDPMuxDefault
+		e.udpMuxSrflx = udpMux
 		log.Infof("using userspace bind mode %s", udpMux.LocalAddr().String())
 	} else {
-		rawSock, err := sharedsock.Listen(e.config.WgPort, sharedsock.NewIncomingSTUNFilter())
+		networkName := "udp"
+		if e.config.DisableIPv6Discovery {
+			networkName = "udp4"
+		}
+		e.udpMuxConn, err = net.ListenUDP(networkName, &net.UDPAddr{Port: e.config.UDPMuxPort})
 		if err != nil {
+			log.Errorf("failed listening on UDP port %d: [%s]", e.config.UDPMuxPort, err.Error())
+			e.close()
 			return err
 		}
-		mux := bind.NewUniversalUDPMuxDefault(bind.UniversalUDPMuxParams{UDPConn: rawSock, Net: transportNet})
-		go mux.ReadFromConn(e.ctx)
-		e.udpMuxConn = rawSock
-		e.udpMux = mux
+		udpMuxParams := ice.UDPMuxParams{
+			UDPConn: e.udpMuxConn,
+			Net:     transportNet,
+		}
+		e.udpMux = ice.NewUDPMuxDefault(udpMuxParams)
+
+		e.udpMuxConnSrflx, err = net.ListenUDP(networkName, &net.UDPAddr{Port: e.config.UDPMuxSrflxPort})
+		if err != nil {
+			log.Errorf("failed listening on UDP port %d: [%s]", e.config.UDPMuxSrflxPort, err.Error())
+			e.close()
+			return err
+		}
+		e.udpMuxSrflx = ice.NewUniversalUDPMuxDefault(ice.UniversalUDPMuxParams{UDPConn: e.udpMuxConnSrflx, Net: transportNet})
 	}
 
-	if acl, err := acl.Create(e.wgInterface); err != nil {
-		log.Errorf("failed to create ACL manager, policy will not work: %s", err.Error())
-	} else {
-		e.acl = acl
-	}
+	e.routeManager = routemanager.NewManager(e.ctx, e.config.WgPrivateKey.PublicKey().String(), e.wgInterface, e.statusRecorder)
 
-	err = e.dnsServer.Initialize()
-	if err != nil {
-		e.close()
-		return err
+	if e.dnsServer == nil {
+		// todo fix custom address
+		dnsServer, err := dns.NewDefaultServer(e.ctx, e.wgInterface, e.config.CustomDNSAddress)
+		if err != nil {
+			e.close()
+			return err
+		}
+		e.dnsServer = dnsServer
 	}
 
 	e.receiveSignalEvents()
@@ -285,7 +263,7 @@ func (e *Engine) modifyPeers(peersUpdate []*mgmProto.RemotePeerConfig) error {
 	for _, p := range peersUpdate {
 		peerPubKey := p.GetWgPubKey()
 		if peerConn, ok := e.peerConns[peerPubKey]; ok {
-			if peerConn.WgConfig().AllowedIps != strings.Join(p.AllowedIps, ",") {
+			if peerConn.GetConf().ProxyConfig.AllowedIps != strings.Join(p.AllowedIps, ",") {
 				modified = append(modified, p)
 				continue
 			}
@@ -417,6 +395,9 @@ func SignalOfferAnswer(offerAnswer peer.OfferAnswer, myKey wgtypes.Key, remoteKe
 		return err
 	}
 
+	// indicates message support in gRPC
+	msg.Body.FeaturesSupported = []uint32{signal.DirectCheck}
+
 	err = s.Send(msg)
 	if err != nil {
 		return err
@@ -610,7 +591,6 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 	// cleanup request, most likely our peer has been deleted
 	if networkMap.GetRemotePeersIsEmpty() {
 		err := e.removeAllPeers()
-		e.statusRecorder.FinishPeerListModifications()
 		if err != nil {
 			return err
 		}
@@ -630,8 +610,6 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 			return err
 		}
 
-		e.statusRecorder.FinishPeerListModifications()
-
 		// update SSHServer by adding remote peer SSH keys
 		if !isNil(e.sshServer) {
 			for _, config := range networkMap.GetRemotePeers() {
@@ -663,9 +641,6 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 		log.Errorf("failed to update dns server, err: %v", err)
 	}
 
-	if e.acl != nil {
-		e.acl.ApplyFiltering(networkMap)
-	}
 	e.networkSerial = serial
 	return nil
 }
@@ -767,13 +742,17 @@ func (e *Engine) addNewPeer(peerConfig *mgmProto.RemotePeerConfig) error {
 		}
 		e.peerConns[peerKey] = conn
 
-		err = e.statusRecorder.AddPeer(peerKey, peerConfig.Fqdn)
+		err = e.statusRecorder.AddPeer(peerKey)
 		if err != nil {
 			log.Warnf("error adding peer %s to status recorder, got error: %v", peerKey, err)
 		}
 
 		go e.connWorker(conn, peerKey)
 	}
+	err := e.statusRecorder.UpdatePeerFQDN(peerKey, peerConfig.Fqdn)
+	if err != nil {
+		log.Warnf("error updating peer's %s fqdn in the status recorder, got error: %v", peerKey, err)
+	}
 	return nil
 }
 
@@ -798,7 +777,9 @@ func (e *Engine) connWorker(conn *peer.Conn, peerKey string) {
 
 		// we might have received new STUN and TURN servers meanwhile, so update them
 		e.syncMsgMux.Lock()
-		conn.UpdateStunTurn(append(e.STUNs, e.TURNs...))
+		conf := conn.GetConf()
+		conf.StunTurn = append(e.STUNs, e.TURNs...)
+		conn.UpdateConf(conf)
 		e.syncMsgMux.Unlock()
 
 		err := conn.Open()
@@ -814,27 +795,19 @@ func (e *Engine) connWorker(conn *peer.Conn, peerKey string) {
 	}
 }
 
-func (e *Engine) peerExists(peerKey string) bool {
+func (e Engine) peerExists(peerKey string) bool {
 	e.syncMsgMux.Lock()
 	defer e.syncMsgMux.Unlock()
 	_, ok := e.peerConns[peerKey]
 	return ok
 }
 
-func (e *Engine) createPeerConn(pubKey string, allowedIPs string) (*peer.Conn, error) {
+func (e Engine) createPeerConn(pubKey string, allowedIPs string) (*peer.Conn, error) {
 	log.Debugf("creating peer connection %s", pubKey)
 	var stunTurn []*ice.URL
 	stunTurn = append(stunTurn, e.STUNs...)
 	stunTurn = append(stunTurn, e.TURNs...)
 
-	wgConfig := peer.WgConfig{
-		RemoteKey:    pubKey,
-		WgListenPort: e.config.WgPort,
-		WgInterface:  e.wgInterface,
-		AllowedIps:   allowedIPs,
-		PreSharedKey: e.config.PreSharedKey,
-	}
-
 	// randomize connection timeout
 	timeout := time.Duration(rand.Intn(PeerConnectionTimeoutMax-PeerConnectionTimeoutMin)+PeerConnectionTimeoutMin) * time.Millisecond
 	config := peer.ConnConfig{
@@ -844,15 +817,14 @@ func (e *Engine) createPeerConn(pubKey string, allowedIPs string) (*peer.Conn, e
 		InterfaceBlackList:   e.config.IFaceBlackList,
 		DisableIPv6Discovery: e.config.DisableIPv6Discovery,
 		Timeout:              timeout,
-		UDPMux:               e.udpMux.UDPMuxDefault,
-		UDPMuxSrflx:          e.udpMux,
-		WgConfig:             wgConfig,
+		UDPMux:               e.udpMux,
+		UDPMuxSrflx:          e.udpMuxSrflx,
 		LocalWgPort:          e.config.WgPort,
 		NATExternalIPs:       e.parseNATExternalIPMappings(),
-		UserspaceBind:        e.wgInterface.IsUserspaceBind(),
+		AllowedIPs:           allowedIPs,
 	}
 
-	peerConn, err := peer.NewConn(config, e.statusRecorder, e.wgProxyFactory, e.mobileDep.TunAdapter, e.mobileDep.IFaceDiscover)
+	peerConn, err := peer.NewConn(config, e.wgInterface, e.statusRecorder, e.config.TunAdapter, e.config.IFaceDiscover)
 	if err != nil {
 		return nil, err
 	}
@@ -938,6 +910,18 @@ func (e *Engine) receiveSignalEvents() {
 				}
 				conn.OnRemoteCandidate(candidate)
 			case sProto.Body_MODE:
+				protoMode := msg.GetBody().GetMode()
+				if protoMode == nil {
+					return fmt.Errorf("received an empty mode message")
+				}
+
+				err := conn.OnModeMessage(peer.ModeMessage{
+					Direct: protoMode.GetDirect(),
+				})
+				if err != nil {
+					log.Errorf("failed processing a mode message -> %s", err)
+					return err
+				}
 			}
 
 			return nil
@@ -1009,10 +993,6 @@ func (e *Engine) parseNATExternalIPMappings() []string {
 }
 
 func (e *Engine) close() {
-	if err := e.wgProxyFactory.Free(); err != nil {
-		log.Errorf("failed closing ebpf proxy: %s", err)
-	}
-
 	log.Debugf("removing Netbird interface %s", e.config.WgIfaceName)
 	if e.wgInterface != nil {
 		if err := e.wgInterface.Close(); err != nil {
@@ -1032,6 +1012,12 @@ func (e *Engine) close() {
 		}
 	}
 
+	if e.udpMuxConnSrflx != nil {
+		if err := e.udpMuxConnSrflx.Close(); err != nil {
+			log.Debugf("close server reflexive udp mux connection: %v", err)
+		}
+	}
+
 	if !isNil(e.sshServer) {
 		err := e.sshServer.Stop()
 		if err != nil {
@@ -1047,18 +1033,6 @@ func (e *Engine) close() {
 		e.dnsServer.Stop()
 	}
 
-	if e.acl != nil {
-		e.acl.Stop()
-	}
-}
-
-func (e *Engine) readInitialSettings() ([]*route.Route, error) {
-	netMap, err := e.mgmClient.GetNetworkMap()
-	if err != nil {
-		return nil, err
-	}
-	routes := toRoutes(netMap.GetRoutes())
-	return routes, nil
 }
 
 func findIPFromInterfaceName(ifaceName string) (net.IP, error) {

client/internal/engine_stdnet_android.go

@@ -3,5 +3,5 @@ package internal
 import "github.com/netbirdio/netbird/client/internal/stdnet"
 
 func (e *Engine) newStdNet() (*stdnet.Net, error) {
-	return stdnet.NewNetWithDiscover(e.mobileDep.IFaceDiscover, e.config.IFaceBlackList)
+	return stdnet.NewNetWithDiscover(e.config.IFaceDiscover, e.config.IFaceBlackList)
 }

client/internal/engine_test.go

@@ -3,6 +3,8 @@ package internal
 import (
 	"context"
 	"fmt"
+	"github.com/netbirdio/netbird/iface/bind"
+	"github.com/pion/transport/v2/stdnet"
 	"net"
 	"net/netip"
 	"os"
@@ -13,7 +15,6 @@ import (
 	"testing"
 	"time"
 
-	"github.com/pion/transport/v2/stdnet"
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -28,7 +29,6 @@ import (
 	"github.com/netbirdio/netbird/client/system"
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/iface"
-	"github.com/netbirdio/netbird/iface/bind"
 	mgmt "github.com/netbirdio/netbird/management/client"
 	mgmtProto "github.com/netbirdio/netbird/management/proto"
 	"github.com/netbirdio/netbird/management/server"
@@ -74,7 +74,7 @@ func TestEngine_SSH(t *testing.T) {
 		WgAddr:       "100.64.0.1/24",
 		WgPrivateKey: key,
 		WgPort:       33100,
-	}, MobileDependency{}, peer.NewRecorder("https://mgm"))
+	}, peer.NewRecorder("https://mgm"))
 
 	engine.dnsServer = &dns.MockServer{
 		UpdateDNSServerFunc: func(serial uint64, update nbdns.Config) error { return nil },
@@ -208,7 +208,7 @@ func TestEngine_UpdateNetworkMap(t *testing.T) {
 		WgAddr:       "100.64.0.1/24",
 		WgPrivateKey: key,
 		WgPort:       33100,
-	}, MobileDependency{}, peer.NewRecorder("https://mgm"))
+	}, peer.NewRecorder("https://mgm"))
 	newNet, err := stdnet.NewNet()
 	if err != nil {
 		t.Fatal(err)
@@ -217,7 +217,7 @@ func TestEngine_UpdateNetworkMap(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	engine.routeManager = routemanager.NewManager(ctx, key.PublicKey().String(), engine.wgInterface, engine.statusRecorder, nil)
+	engine.routeManager = routemanager.NewManager(ctx, key.PublicKey().String(), engine.wgInterface, engine.statusRecorder)
 	engine.dnsServer = &dns.MockServer{
 		UpdateDNSServerFunc: func(serial uint64, update nbdns.Config) error { return nil },
 	}
@@ -367,9 +367,9 @@ func TestEngine_UpdateNetworkMap(t *testing.T) {
 					t.Errorf("expecting Engine.peerConns to contain peer %s", p)
 				}
 				expectedAllowedIPs := strings.Join(p.AllowedIps, ",")
-				if conn.WgConfig().AllowedIps != expectedAllowedIPs {
+				if conn.GetConf().ProxyConfig.AllowedIps != expectedAllowedIPs {
 					t.Errorf("expecting peer %s to have AllowedIPs= %s, got %s", p.GetWgPubKey(),
-						expectedAllowedIPs, conn.WgConfig().AllowedIps)
+						expectedAllowedIPs, conn.GetConf().ProxyConfig.AllowedIps)
 				}
 			}
 		})
@@ -404,7 +404,7 @@ func TestEngine_Sync(t *testing.T) {
 		WgAddr:       "100.64.0.1/24",
 		WgPrivateKey: key,
 		WgPort:       33100,
-	}, MobileDependency{}, peer.NewRecorder("https://mgm"))
+	}, peer.NewRecorder("https://mgm"))
 
 	engine.dnsServer = &dns.MockServer{
 		UpdateDNSServerFunc: func(serial uint64, update nbdns.Config) error { return nil },
@@ -562,7 +562,7 @@ func TestEngine_UpdateNetworkMapWithRoutes(t *testing.T) {
 				WgAddr:       wgAddr,
 				WgPrivateKey: key,
 				WgPort:       33100,
-			}, MobileDependency{}, peer.NewRecorder("https://mgm"))
+			}, peer.NewRecorder("https://mgm"))
 			newNet, err := stdnet.NewNet()
 			if err != nil {
 				t.Fatal(err)
@@ -731,7 +731,7 @@ func TestEngine_UpdateNetworkMapWithDNSUpdate(t *testing.T) {
 				WgAddr:       wgAddr,
 				WgPrivateKey: key,
 				WgPort:       33100,
-			}, MobileDependency{}, peer.NewRecorder("https://mgm"))
+			}, peer.NewRecorder("https://mgm"))
 			newNet, err := stdnet.NewNet()
 			if err != nil {
 				t.Fatal(err)
@@ -1000,7 +1000,7 @@ func createEngine(ctx context.Context, cancel context.CancelFunc, setupKey strin
 		WgPort:       wgPort,
 	}
 
-	return NewEngine(ctx, cancel, signalClient, mgmtClient, conf, MobileDependency{}, peer.NewRecorder("https://mgm")), nil
+	return NewEngine(ctx, cancel, signalClient, mgmtClient, conf, peer.NewRecorder("https://mgm")), nil
 }
 
 func startSignal() (*grpc.Server, string, error) {
@@ -1039,7 +1039,7 @@ func startManagement(dataDir string) (*grpc.Server, string, error) {
 		return nil, "", err
 	}
 	s := grpc.NewServer(grpc.KeepaliveEnforcementPolicy(kaep), grpc.KeepaliveParams(kasp))
-	store, err := server.NewFileStore(config.Datadir, nil)
+	store, err := server.NewFileStore(config.Datadir)
 	if err != nil {
 		log.Fatalf("failed creating a store: %s: %v", config.Datadir, err)
 	}

client/internal/mobile_dependency.go

@@ -1,17 +0,0 @@
-package internal
-
-import (
-	"github.com/netbirdio/netbird/client/internal/dns"
-	"github.com/netbirdio/netbird/client/internal/routemanager"
-	"github.com/netbirdio/netbird/client/internal/stdnet"
-	"github.com/netbirdio/netbird/iface"
-)
-
-// MobileDependency collect all dependencies for mobile platform
-type MobileDependency struct {
-	TunAdapter       iface.TunAdapter
-	IFaceDiscover    stdnet.ExternalIFaceDiscover
-	RouteListener    routemanager.RouteListener
-	HostDNSAddresses []string
-	DnsReadyListener dns.ReadyListener
-}

client/internal/oauth.go

@@ -0,0 +1,281 @@
+package internal
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"reflect"
+	"strings"
+	"time"
+)
+
+// OAuthClient is a OAuth client interface for various idp providers
+type OAuthClient interface {
+	RequestDeviceCode(ctx context.Context) (DeviceAuthInfo, error)
+	WaitToken(ctx context.Context, info DeviceAuthInfo) (TokenInfo, error)
+	GetClientID(ctx context.Context) string
+}
+
+// HTTPClient http client interface for API calls
+type HTTPClient interface {
+	Do(req *http.Request) (*http.Response, error)
+}
+
+// DeviceAuthInfo holds information for the OAuth device login flow
+type DeviceAuthInfo struct {
+	DeviceCode              string `json:"device_code"`
+	UserCode                string `json:"user_code"`
+	VerificationURI         string `json:"verification_uri"`
+	VerificationURIComplete string `json:"verification_uri_complete"`
+	ExpiresIn               int    `json:"expires_in"`
+	Interval                int    `json:"interval"`
+}
+
+// HostedGrantType grant type for device flow on Hosted
+const (
+	HostedGrantType    = "urn:ietf:params:oauth:grant-type:device_code"
+	HostedRefreshGrant = "refresh_token"
+)
+
+// Hosted client
+type Hosted struct {
+	providerConfig ProviderConfig
+
+	HTTPClient HTTPClient
+}
+
+// RequestDeviceCodePayload used for request device code payload for auth0
+type RequestDeviceCodePayload struct {
+	Audience string `json:"audience"`
+	ClientID string `json:"client_id"`
+	Scope    string `json:"scope"`
+}
+
+// TokenRequestPayload used for requesting the auth0 token
+type TokenRequestPayload struct {
+	GrantType    string `json:"grant_type"`
+	DeviceCode   string `json:"device_code,omitempty"`
+	ClientID     string `json:"client_id"`
+	RefreshToken string `json:"refresh_token,omitempty"`
+}
+
+// TokenRequestResponse used for parsing Hosted token's response
+type TokenRequestResponse struct {
+	Error            string `json:"error"`
+	ErrorDescription string `json:"error_description"`
+	TokenInfo
+}
+
+// Claims used when validating the access token
+type Claims struct {
+	Audience interface{} `json:"aud"`
+}
+
+// TokenInfo holds information of issued access token
+type TokenInfo struct {
+	AccessToken  string `json:"access_token"`
+	RefreshToken string `json:"refresh_token"`
+	IDToken      string `json:"id_token"`
+	TokenType    string `json:"token_type"`
+	ExpiresIn    int    `json:"expires_in"`
+	UseIDToken   bool   `json:"-"`
+}
+
+// GetTokenToUse returns either the access or id token based on UseIDToken field
+func (t TokenInfo) GetTokenToUse() string {
+	if t.UseIDToken {
+		return t.IDToken
+	}
+	return t.AccessToken
+}
+
+// NewHostedDeviceFlow returns an Hosted OAuth client
+func NewHostedDeviceFlow(config ProviderConfig) *Hosted {
+	httpTransport := http.DefaultTransport.(*http.Transport).Clone()
+	httpTransport.MaxIdleConns = 5
+
+	httpClient := &http.Client{
+		Timeout:   10 * time.Second,
+		Transport: httpTransport,
+	}
+
+	return &Hosted{
+		providerConfig: config,
+		HTTPClient:     httpClient,
+	}
+}
+
+// GetClientID returns the provider client id
+func (h *Hosted) GetClientID(ctx context.Context) string {
+	return h.providerConfig.ClientID
+}
+
+// RequestDeviceCode requests a device code login flow information from Hosted
+func (h *Hosted) RequestDeviceCode(ctx context.Context) (DeviceAuthInfo, error) {
+	form := url.Values{}
+	form.Add("client_id", h.providerConfig.ClientID)
+	form.Add("audience", h.providerConfig.Audience)
+	form.Add("scope", h.providerConfig.Scope)
+	req, err := http.NewRequest("POST", h.providerConfig.DeviceAuthEndpoint,
+		strings.NewReader(form.Encode()))
+	if err != nil {
+		return DeviceAuthInfo{}, fmt.Errorf("creating request failed with error: %v", err)
+	}
+	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
+
+	res, err := h.HTTPClient.Do(req)
+	if err != nil {
+		return DeviceAuthInfo{}, fmt.Errorf("doing request failed with error: %v", err)
+	}
+
+	defer res.Body.Close()
+	body, err := io.ReadAll(res.Body)
+	if err != nil {
+		return DeviceAuthInfo{}, fmt.Errorf("reading body failed with error: %v", err)
+	}
+
+	if res.StatusCode != 200 {
+		return DeviceAuthInfo{}, fmt.Errorf("request device code returned status %d error: %s", res.StatusCode, string(body))
+	}
+
+	deviceCode := DeviceAuthInfo{}
+	err = json.Unmarshal(body, &deviceCode)
+	if err != nil {
+		return DeviceAuthInfo{}, fmt.Errorf("unmarshaling response failed with error: %v", err)
+	}
+
+	return deviceCode, err
+}
+
+func (h *Hosted) requestToken(info DeviceAuthInfo) (TokenRequestResponse, error) {
+	form := url.Values{}
+	form.Add("client_id", h.providerConfig.ClientID)
+	form.Add("grant_type", HostedGrantType)
+	form.Add("device_code", info.DeviceCode)
+	req, err := http.NewRequest("POST", h.providerConfig.TokenEndpoint, strings.NewReader(form.Encode()))
+	if err != nil {
+		return TokenRequestResponse{}, fmt.Errorf("failed to create request access token: %v", err)
+	}
+
+	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
+
+	res, err := h.HTTPClient.Do(req)
+	if err != nil {
+		return TokenRequestResponse{}, fmt.Errorf("failed to request access token with error: %v", err)
+	}
+
+	defer func() {
+		err := res.Body.Close()
+		if err != nil {
+			return
+		}
+	}()
+
+	body, err := io.ReadAll(res.Body)
+	if err != nil {
+		return TokenRequestResponse{}, fmt.Errorf("failed reading access token response body with error: %v", err)
+	}
+
+	if res.StatusCode > 499 {
+		return TokenRequestResponse{}, fmt.Errorf("access token response returned code: %s", string(body))
+	}
+
+	tokenResponse := TokenRequestResponse{}
+	err = json.Unmarshal(body, &tokenResponse)
+	if err != nil {
+		return TokenRequestResponse{}, fmt.Errorf("parsing token response failed with error: %v", err)
+	}
+
+	return tokenResponse, nil
+}
+
+// WaitToken waits user's login and authorize the app. Once the user's authorize
+// it retrieves the access token from Hosted's endpoint and validates it before returning
+func (h *Hosted) WaitToken(ctx context.Context, info DeviceAuthInfo) (TokenInfo, error) {
+	interval := time.Duration(info.Interval) * time.Second
+	ticker := time.NewTicker(interval)
+	for {
+		select {
+		case <-ctx.Done():
+			return TokenInfo{}, ctx.Err()
+		case <-ticker.C:
+
+			tokenResponse, err := h.requestToken(info)
+			if err != nil {
+				return TokenInfo{}, fmt.Errorf("parsing token response failed with error: %v", err)
+			}
+
+			if tokenResponse.Error != "" {
+				if tokenResponse.Error == "authorization_pending" {
+					continue
+				} else if tokenResponse.Error == "slow_down" {
+					interval = interval + (3 * time.Second)
+					ticker.Reset(interval)
+					continue
+				}
+
+				return TokenInfo{}, fmt.Errorf(tokenResponse.ErrorDescription)
+			}
+
+			tokenInfo := TokenInfo{
+				AccessToken:  tokenResponse.AccessToken,
+				TokenType:    tokenResponse.TokenType,
+				RefreshToken: tokenResponse.RefreshToken,
+				IDToken:      tokenResponse.IDToken,
+				ExpiresIn:    tokenResponse.ExpiresIn,
+				UseIDToken:   h.providerConfig.UseIDToken,
+			}
+
+			err = isValidAccessToken(tokenInfo.GetTokenToUse(), h.providerConfig.Audience)
+			if err != nil {
+				return TokenInfo{}, fmt.Errorf("validate access token failed with error: %v", err)
+			}
+
+			return tokenInfo, err
+		}
+	}
+}
+
+// isValidAccessToken is a simple validation of the access token
+func isValidAccessToken(token string, audience string) error {
+	if token == "" {
+		return fmt.Errorf("token received is empty")
+	}
+
+	encodedClaims := strings.Split(token, ".")[1]
+	claimsString, err := base64.RawURLEncoding.DecodeString(encodedClaims)
+	if err != nil {
+		return err
+	}
+
+	claims := Claims{}
+	err = json.Unmarshal(claimsString, &claims)
+	if err != nil {
+		return err
+	}
+
+	if claims.Audience == nil {
+		return fmt.Errorf("required token field audience is absent")
+	}
+
+	// Audience claim of JWT can be a string or an array of strings
+	typ := reflect.TypeOf(claims.Audience)
+	switch typ.Kind() {
+	case reflect.String:
+		if claims.Audience == audience {
+			return nil
+		}
+	case reflect.Slice:
+		for _, aud := range claims.Audience.([]interface{}) {
+			if audience == aud {
+				return nil
+			}
+		}
+	}
+
+	return fmt.Errorf("invalid JWT token audience field")
+}

client/internal/oauth_test.go

@@ -1,17 +1,17 @@
-package auth
+package internal
 
 import (
 	"context"
 	"fmt"
-	"github.com/golang-jwt/jwt"
-	"github.com/netbirdio/netbird/client/internal"
-	"github.com/stretchr/testify/require"
 	"io"
 	"net/http"
 	"net/url"
 	"strings"
 	"testing"
 	"time"
+
+	"github.com/golang-jwt/jwt"
+	"github.com/stretchr/testify/require"
 )
 
 type mockHTTPClient struct {
@@ -53,7 +53,7 @@ func TestHosted_RequestDeviceCode(t *testing.T) {
 		testingErrFunc   require.ErrorAssertionFunc
 		expectedErrorMSG string
 		testingFunc      require.ComparisonAssertionFunc
-		expectedOut      AuthFlowInfo
+		expectedOut      DeviceAuthInfo
 		expectedMSG      string
 		expectPayload    string
 	}
@@ -92,7 +92,7 @@ func TestHosted_RequestDeviceCode(t *testing.T) {
 		testingFunc:      require.EqualValues,
 		expectPayload:    expectPayload,
 	}
-	testCase4Out := AuthFlowInfo{ExpiresIn: 10}
+	testCase4Out := DeviceAuthInfo{ExpiresIn: 10}
 	testCase4 := test{
 		name:           "Got Device Code",
 		inputResBody:   fmt.Sprintf("{\"expires_in\":%d}", testCase4Out.ExpiresIn),
@@ -113,8 +113,8 @@ func TestHosted_RequestDeviceCode(t *testing.T) {
 				err:     testCase.inputReqError,
 			}
 
-			deviceFlow := &DeviceAuthorizationFlow{
-				providerConfig: internal.DeviceAuthProviderConfig{
+			hosted := Hosted{
+				providerConfig: ProviderConfig{
 					Audience:           expectedAudience,
 					ClientID:           expectedClientID,
 					Scope:              expectedScope,
@@ -125,7 +125,7 @@ func TestHosted_RequestDeviceCode(t *testing.T) {
 				HTTPClient: &httpClient,
 			}
 
-			authInfo, err := deviceFlow.RequestAuthInfo(context.TODO())
+			authInfo, err := hosted.RequestDeviceCode(context.TODO())
 			testCase.testingErrFunc(t, err, testCase.expectedErrorMSG)
 
 			require.EqualValues(t, expectPayload, httpClient.reqBody, "payload should match")
@@ -145,7 +145,7 @@ func TestHosted_WaitToken(t *testing.T) {
 		inputMaxReqs      int
 		inputCountResBody string
 		inputTimeout      time.Duration
-		inputInfo         AuthFlowInfo
+		inputInfo         DeviceAuthInfo
 		inputAudience     string
 		testingErrFunc    require.ErrorAssertionFunc
 		expectedErrorMSG  string
@@ -155,7 +155,7 @@ func TestHosted_WaitToken(t *testing.T) {
 		expectPayload     string
 	}
 
-	defaultInfo := AuthFlowInfo{
+	defaultInfo := DeviceAuthInfo{
 		DeviceCode: "test",
 		ExpiresIn:  10,
 		Interval:   1,
@@ -278,8 +278,8 @@ func TestHosted_WaitToken(t *testing.T) {
 				countResBody: testCase.inputCountResBody,
 			}
 
-			deviceFlow := DeviceAuthorizationFlow{
-				providerConfig: internal.DeviceAuthProviderConfig{
+			hosted := Hosted{
+				providerConfig: ProviderConfig{
 					Audience:           testCase.inputAudience,
 					ClientID:           clientID,
 					TokenEndpoint:      "test.hosted.com/token",
@@ -287,12 +287,11 @@ func TestHosted_WaitToken(t *testing.T) {
 					Scope:              "openid",
 					UseIDToken:         false,
 				},
-				HTTPClient: &httpClient,
-			}
+				HTTPClient: &httpClient}
 
 			ctx, cancel := context.WithTimeout(context.TODO(), testCase.inputTimeout)
 			defer cancel()
-			tokenInfo, err := deviceFlow.WaitToken(ctx, testCase.inputInfo)
+			tokenInfo, err := hosted.WaitToken(ctx, testCase.inputInfo)
 			testCase.testingErrFunc(t, err, testCase.expectedErrorMSG)
 
 			require.EqualValues(t, testCase.expectPayload, httpClient.reqBody, "payload should match")

client/internal/peer/conn.go

@@ -10,32 +10,15 @@ import (
 
 	"github.com/pion/ice/v2"
 	log "github.com/sirupsen/logrus"
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 
+	"github.com/netbirdio/netbird/client/internal/proxy"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
-	"github.com/netbirdio/netbird/client/internal/wgproxy"
 	"github.com/netbirdio/netbird/iface"
-	"github.com/netbirdio/netbird/iface/bind"
 	signal "github.com/netbirdio/netbird/signal/client"
 	sProto "github.com/netbirdio/netbird/signal/proto"
 	"github.com/netbirdio/netbird/version"
 )
 
-const (
-	iceKeepAliveDefault           = 4 * time.Second
-	iceDisconnectedTimeoutDefault = 6 * time.Second
-
-	defaultWgKeepAlive = 25 * time.Second
-)
-
-type WgConfig struct {
-	WgListenPort int
-	RemoteKey    string
-	WgInterface  *iface.WGIface
-	AllowedIps   string
-	PreSharedKey *wgtypes.Key
-}
-
 // ConnConfig is a peer Connection configuration
 type ConnConfig struct {
 
@@ -54,8 +37,6 @@ type ConnConfig struct {
 
 	Timeout time.Duration
 
-	WgConfig WgConfig
-
 	UDPMux      ice.UDPMux
 	UDPMuxSrflx ice.UniversalUDPMux
 
@@ -63,8 +44,7 @@ type ConnConfig struct {
 
 	NATExternalIPs []string
 
-	// UsesBind indicates whether the WireGuard interface is userspace and uses bind.ICEBind
-	UserspaceBind bool
+	AllowedIPs string
 }
 
 // OfferAnswer represents a session establishment offer or answer
@@ -109,12 +89,11 @@ type Conn struct {
 
 	statusRecorder *Status
 
-	wgProxyFactory *wgproxy.Factory
-	wgProxy        wgproxy.Proxy
-
+	proxy        proxy.Proxy
 	remoteModeCh chan ModeMessage
 	meta         meta
 
+	wgIface       *iface.WGIface
 	adapter       iface.TunAdapter
 	iFaceDiscover stdnet.ExternalIFaceDiscover
 }
@@ -135,19 +114,14 @@ func (conn *Conn) GetConf() ConnConfig {
 	return conn.config
 }
 
-// WgConfig returns the WireGuard config
-func (conn *Conn) WgConfig() WgConfig {
-	return conn.config.WgConfig
-}
-
-// UpdateStunTurn update the turn and stun addresses
-func (conn *Conn) UpdateStunTurn(turnStun []*ice.URL) {
-	conn.config.StunTurn = turnStun
+// UpdateConf updates the connection config
+func (conn *Conn) UpdateConf(conf ConnConfig) {
+	conn.config = conf
 }
 
 // NewConn creates a new not opened Conn to the remote peer.
 // To establish a connection run Conn.Open
-func NewConn(config ConnConfig, statusRecorder *Status, wgProxyFactory *wgproxy.Factory, adapter iface.TunAdapter, iFaceDiscover stdnet.ExternalIFaceDiscover) (*Conn, error) {
+func NewConn(config ConnConfig, wgIface *iface.WGIface, statusRecorder *Status, adapter iface.TunAdapter, iFaceDiscover stdnet.ExternalIFaceDiscover) (*Conn, error) {
 	return &Conn{
 		config:         config,
 		mu:             sync.Mutex{},
@@ -157,9 +131,9 @@ func NewConn(config ConnConfig, statusRecorder *Status, wgProxyFactory *wgproxy.
 		remoteAnswerCh: make(chan OfferAnswer),
 		statusRecorder: statusRecorder,
 		remoteModeCh:   make(chan ModeMessage, 1),
-		wgProxyFactory: wgProxyFactory,
 		adapter:        adapter,
 		iFaceDiscover:  iFaceDiscover,
+		wgIface:        wgIface,
 	}, nil
 }
 
@@ -172,25 +146,19 @@ func (conn *Conn) reCreateAgent() error {
 	var err error
 	transportNet, err := conn.newStdNet()
 	if err != nil {
-		log.Errorf("failed to create pion's stdnet: %s", err)
+		log.Warnf("failed to create pion's stdnet: %s", err)
 	}
-
-	iceKeepAlive := iceKeepAlive()
-	iceDisconnectedTimeout := iceDisconnectedTimeout()
-
 	agentConfig := &ice.AgentConfig{
-		MulticastDNSMode:    ice.MulticastDNSModeDisabled,
-		NetworkTypes:        []ice.NetworkType{ice.NetworkTypeUDP4, ice.NetworkTypeUDP6},
-		Urls:                conn.config.StunTurn,
-		CandidateTypes:      conn.candidateTypes(),
-		FailedTimeout:       &failedTimeout,
-		InterfaceFilter:     stdnet.InterfaceFilter(conn.config.InterfaceBlackList),
-		UDPMux:              conn.config.UDPMux,
-		UDPMuxSrflx:         conn.config.UDPMuxSrflx,
-		NAT1To1IPs:          conn.config.NATExternalIPs,
-		Net:                 transportNet,
-		DisconnectedTimeout: &iceDisconnectedTimeout,
-		KeepaliveInterval:   &iceKeepAlive,
+		MulticastDNSMode: ice.MulticastDNSModeDisabled,
+		NetworkTypes:     []ice.NetworkType{ice.NetworkTypeUDP4, ice.NetworkTypeUDP6},
+		Urls:             conn.config.StunTurn,
+		CandidateTypes:   []ice.CandidateType{ice.CandidateTypeHost, ice.CandidateTypeServerReflexive, ice.CandidateTypeRelay},
+		FailedTimeout:    &failedTimeout,
+		InterfaceFilter:  stdnet.InterfaceFilter(conn.config.InterfaceBlackList),
+		UDPMux:           conn.config.UDPMux,
+		UDPMuxSrflx:      conn.config.UDPMuxSrflx,
+		NAT1To1IPs:       conn.config.NATExternalIPs,
+		Net:              transportNet,
 	}
 
 	if conn.config.DisableIPv6Discovery {
@@ -221,25 +189,18 @@ func (conn *Conn) reCreateAgent() error {
 	return nil
 }
 
-func (conn *Conn) candidateTypes() []ice.CandidateType {
-	if hasICEForceRelayConn() {
-		return []ice.CandidateType{ice.CandidateTypeRelay}
-	}
-	return []ice.CandidateType{ice.CandidateTypeHost, ice.CandidateTypeServerReflexive, ice.CandidateTypeRelay}
-}
-
 // Open opens connection to the remote peer starting ICE candidate gathering process.
 // Blocks until connection has been closed or connection timeout.
 // ConnStatus will be set accordingly
 func (conn *Conn) Open() error {
 	log.Debugf("trying to connect to peer %s", conn.config.Key)
 
-	peerState := State{
-		PubKey:           conn.config.Key,
-		IP:               strings.Split(conn.config.WgConfig.AllowedIps, "/")[0],
-		ConnStatusUpdate: time.Now(),
-		ConnStatus:       conn.status,
-	}
+	peerState := State{PubKey: conn.config.Key}
+
+	peerState.IP = strings.Split(conn.config.AllowedIPs, "/")[0]
+	peerState.ConnStatusUpdate = time.Now()
+	peerState.ConnStatus = conn.status
+
 	err := conn.statusRecorder.UpdatePeerState(peerState)
 	if err != nil {
 		log.Warnf("erro while updating the state of peer %s,err: %v", conn.config.Key, err)
@@ -294,11 +255,10 @@ func (conn *Conn) Open() error {
 	defer conn.notifyDisconnected()
 	conn.mu.Unlock()
 
-	peerState = State{
-		PubKey:           conn.config.Key,
-		ConnStatus:       conn.status,
-		ConnStatusUpdate: time.Now(),
-	}
+	peerState = State{PubKey: conn.config.Key}
+
+	peerState.ConnStatus = conn.status
+	peerState.ConnStatusUpdate = time.Now()
 	err = conn.statusRecorder.UpdatePeerState(peerState)
 	if err != nil {
 		log.Warnf("erro while updating the state of peer %s,err: %v", conn.config.Key, err)
@@ -329,12 +289,19 @@ func (conn *Conn) Open() error {
 		remoteWgPort = remoteOfferAnswer.WgListenPort
 	}
 	// the ice connection has been established successfully so we are ready to start the proxy
-	remoteAddr, err := conn.configureConnection(remoteConn, remoteWgPort)
+	err = conn.startProxy(remoteConn, remoteWgPort)
 	if err != nil {
 		return err
 	}
 
-	log.Infof("connected to peer %s, endpoint address: %s", conn.config.Key, remoteAddr.String())
+	if conn.proxy.Type() == proxy.TypeDirectNoProxy {
+		host, _, _ := net.SplitHostPort(remoteConn.LocalAddr().String())
+		rhost, _, _ := net.SplitHostPort(remoteConn.RemoteAddr().String())
+		// direct Wireguard connection
+		log.Infof("directly connected to peer %s [laddr <-> raddr] [%s:%d <-> %s:%d]", conn.config.Key, host, conn.config.LocalWgPort, rhost, remoteWgPort)
+	} else {
+		log.Infof("connected to peer %s [laddr <-> raddr] [%s <-> %s]", conn.config.Key, remoteConn.LocalAddr().String(), remoteConn.RemoteAddr().String())
+	}
 
 	// wait until connection disconnected or has been closed externally (upper layer, e.g. engine)
 	select {
@@ -347,83 +314,177 @@ func (conn *Conn) Open() error {
 	}
 }
 
+// useProxy determines whether a direct connection (without a go proxy) is possible
+//
+// There are 3 cases:
+//
+// * When neither candidate is from hard nat and one of the peers has a public IP
+//
+// * both peers are in the same private network
+//
+// * Local peer uses userspace interface with bind.ICEBind and is not relayed
+//
+// Please note, that this check happens when peers were already able to ping each other using ICE layer.
+func shouldUseProxy(pair *ice.CandidatePair, userspaceBind bool) bool {
+
+	if !isRelayCandidate(pair.Local) && userspaceBind {
+		return false
+	}
+
+	if !isHardNATCandidate(pair.Local) && isHostCandidateWithPublicIP(pair.Remote) {
+		return false
+	}
+
+	if !isHardNATCandidate(pair.Remote) && isHostCandidateWithPublicIP(pair.Local) {
+		return false
+	}
+
+	if isHostCandidateWithPrivateIP(pair.Local) && isHostCandidateWithPrivateIP(pair.Remote) && isSameNetworkPrefix(pair) {
+		return false
+	}
+
+	return true
+}
+
+func isSameNetworkPrefix(pair *ice.CandidatePair) bool {
+
+	localIPStr, _, err := net.SplitHostPort(pair.Local.Address())
+	if err != nil {
+		return false
+	}
+	remoteIPStr, _, err := net.SplitHostPort(pair.Remote.Address())
+	if err != nil {
+		return false
+	}
+	localIP := net.ParseIP(localIPStr)
+	remoteIP := net.ParseIP(remoteIPStr)
+	if localIP == nil || remoteIP == nil {
+		return false
+	}
+	// only consider /16 networks
+	mask := net.IPMask{255, 255, 0, 0}
+	return localIP.Mask(mask).Equal(remoteIP.Mask(mask))
+}
+
 func isRelayCandidate(candidate ice.Candidate) bool {
 	return candidate.Type() == ice.CandidateTypeRelay
 }
 
-// configureConnection starts proxying traffic from/to local Wireguard and sets connection status to StatusConnected
-func (conn *Conn) configureConnection(remoteConn net.Conn, remoteWgPort int) (net.Addr, error) {
+func isHardNATCandidate(candidate ice.Candidate) bool {
+	return candidate.Type() == ice.CandidateTypeRelay || candidate.Type() == ice.CandidateTypePeerReflexive
+}
+
+func isHostCandidateWithPublicIP(candidate ice.Candidate) bool {
+	return candidate.Type() == ice.CandidateTypeHost && isPublicIP(candidate.Address())
+}
+
+func isHostCandidateWithPrivateIP(candidate ice.Candidate) bool {
+	return candidate.Type() == ice.CandidateTypeHost && !isPublicIP(candidate.Address())
+}
+
+func isPublicIP(address string) bool {
+	ip := net.ParseIP(address)
+	if ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsPrivate() {
+		return false
+	}
+	return true
+}
+
+// startProxy starts proxying traffic from/to local Wireguard and sets connection status to StatusConnected
+func (conn *Conn) startProxy(remoteConn net.Conn, remoteWgPort int) error {
 	conn.mu.Lock()
 	defer conn.mu.Unlock()
 
+	var pair *ice.CandidatePair
 	pair, err := conn.agent.GetSelectedCandidatePair()
 	if err != nil {
-		return nil, err
+		return err
 	}
 
-	var endpoint net.Addr
-	if isRelayCandidate(pair.Local) {
-		log.Debugf("setup relay connection")
-		conn.wgProxy = conn.wgProxyFactory.GetProxy()
-		endpoint, err = conn.wgProxy.AddTurnConn(remoteConn)
-		if err != nil {
-			return nil, err
-		}
-	} else {
-		// To support old version's with direct mode we attempt to punch an additional role with the remote wireguard port
-		go conn.punchRemoteWGPort(pair, remoteWgPort)
-		endpoint = remoteConn.RemoteAddr()
-	}
-
-	endpointUdpAddr, _ := net.ResolveUDPAddr(endpoint.Network(), endpoint.String())
-
-	err = conn.config.WgConfig.WgInterface.UpdatePeer(conn.config.WgConfig.RemoteKey, conn.config.WgConfig.AllowedIps, defaultWgKeepAlive, endpointUdpAddr, conn.config.WgConfig.PreSharedKey)
+	peerState := State{PubKey: conn.config.Key}
+	p := conn.getProxyWithMessageExchange(pair, remoteWgPort)
+	conn.proxy = p
+	err = p.Start(remoteConn)
 	if err != nil {
-		if conn.wgProxy != nil {
-			_ = conn.wgProxy.CloseConn()
-		}
-		return nil, err
+		return err
 	}
 
 	conn.status = StatusConnected
 
-	peerState := State{
-		PubKey:                 conn.config.Key,
-		ConnStatus:             conn.status,
-		ConnStatusUpdate:       time.Now(),
-		LocalIceCandidateType:  pair.Local.Type().String(),
-		RemoteIceCandidateType: pair.Remote.Type().String(),
-		Direct:                 !isRelayCandidate(pair.Local),
-	}
+	peerState.ConnStatus = conn.status
+	peerState.ConnStatusUpdate = time.Now()
+	peerState.LocalIceCandidateType = pair.Local.Type().String()
+	peerState.RemoteIceCandidateType = pair.Remote.Type().String()
 	if pair.Local.Type() == ice.CandidateTypeRelay || pair.Remote.Type() == ice.CandidateTypeRelay {
 		peerState.Relayed = true
 	}
+	peerState.Direct = p.Type() == proxy.TypeDirectNoProxy
 
 	err = conn.statusRecorder.UpdatePeerState(peerState)
 	if err != nil {
 		log.Warnf("unable to save peer's state, got error: %v", err)
 	}
 
-	return endpoint, nil
+	return nil
 }
 
-func (conn *Conn) punchRemoteWGPort(pair *ice.CandidatePair, remoteWgPort int) {
-	// wait local endpoint configuration
-	time.Sleep(time.Second)
-	addr, err := net.ResolveUDPAddr("udp", fmt.Sprintf("%s:%d", pair.Remote.Address(), remoteWgPort))
-	if err != nil {
-		log.Warnf("got an error while resolving the udp address, err: %s", err)
-		return
+func (conn *Conn) getProxyWithMessageExchange(pair *ice.CandidatePair, remoteWgPort int) proxy.Proxy {
+	useProxy := shouldUseProxy(pair, conn.wgIface.IsUserspaceBind())
+	localDirectMode := !useProxy
+	remoteDirectMode := localDirectMode
+
+	if conn.meta.protoSupport.DirectCheck {
+		go conn.sendLocalDirectMode(localDirectMode)
+		// will block until message received or timeout
+		remoteDirectMode = conn.receiveRemoteDirectMode()
 	}
 
-	mux, ok := conn.config.UDPMuxSrflx.(*bind.UniversalUDPMuxDefault)
-	if !ok {
-		log.Warn("invalid udp mux conversion")
-		return
+	if conn.wgIface.IsUserspaceBind() && localDirectMode {
+		return proxy.NewNoProxy(conn.config.ProxyConfig)
 	}
-	_, err = mux.GetSharedConn().WriteTo([]byte{0x6e, 0x62}, addr)
+
+	if localDirectMode && remoteDirectMode {
+		//wgInterface *iface.WGIface, remoteKey string, allowedIps string, preSharedKey *wgtypes.Key, remoteWgPort int)
+		return proxy.NewDirectNoProxy(conn.wgIface, conn.config.Key, conn.config.AllowedIPs, remoteWgPort)
+	}
+
+	log.Debugf("falling back to local proxy mode with peer %s", conn.config.Key)
+	return proxy.NewWireGuardProxy(conn.config.ProxyConfig)
+}
+
+func (conn *Conn) sendLocalDirectMode(localMode bool) {
+	// todo what happens when we couldn't deliver this message?
+	// we could retry, etc but there is no guarantee
+
+	err := conn.sendSignalMessage(&sProto.Message{
+		Key:       conn.config.LocalKey,
+		RemoteKey: conn.config.Key,
+		Body: &sProto.Body{
+			Type: sProto.Body_MODE,
+			Mode: &sProto.Mode{
+				Direct: &localMode,
+			},
+			NetBirdVersion: version.NetbirdVersion(),
+		},
+	})
 	if err != nil {
-		log.Warnf("got an error while sending the punch packet, err: %s", err)
+		log.Errorf("failed to send local proxy mode to remote peer %s, error: %s", conn.config.Key, err)
+	}
+}
+
+func (conn *Conn) receiveRemoteDirectMode() bool {
+	timeout := time.Second
+	timer := time.NewTimer(timeout)
+	defer timer.Stop()
+
+	select {
+	case receivedMSG := <-conn.remoteModeCh:
+		return receivedMSG.Direct
+	case <-timer.C:
+		// we didn't receive a message from remote so we assume that it supports the direct mode to keep the old behaviour
+		log.Debugf("timeout after %s while waiting for remote direct mode message from remote peer %s",
+			timeout, conn.config.Key)
+		return true
 	}
 }
 
@@ -433,22 +494,22 @@ func (conn *Conn) cleanup() error {
 	conn.mu.Lock()
 	defer conn.mu.Unlock()
 
-	var err1, err2, err3 error
 	if conn.agent != nil {
-		err1 = conn.agent.Close()
-		if err1 == nil {
-			conn.agent = nil
+		err := conn.agent.Close()
+		if err != nil {
+			return err
 		}
+		conn.agent = nil
 	}
 
-	if conn.wgProxy != nil {
-		err2 = conn.wgProxy.CloseConn()
-		conn.wgProxy = nil
+	if conn.proxy != nil {
+		err := conn.proxy.Close()
+		if err != nil {
+			return err
+		}
+		conn.proxy = nil
 	}
 
-	// todo: is it problem if we try to remove a peer what is never existed?
-	err3 = conn.config.WgConfig.WgInterface.RemovePeer(conn.config.WgConfig.RemoteKey)
-
 	if conn.notifyDisconnected != nil {
 		conn.notifyDisconnected()
 		conn.notifyDisconnected = nil
@@ -456,11 +517,10 @@ func (conn *Conn) cleanup() error {
 
 	conn.status = StatusDisconnected
 
-	peerState := State{
-		PubKey:           conn.config.Key,
-		ConnStatus:       conn.status,
-		ConnStatusUpdate: time.Now(),
-	}
+	peerState := State{PubKey: conn.config.Key}
+	peerState.ConnStatus = conn.status
+	peerState.ConnStatusUpdate = time.Now()
+
 	err := conn.statusRecorder.UpdatePeerState(peerState)
 	if err != nil {
 		// pretty common error because by that time Engine can already remove the peer and status won't be available.
@@ -469,13 +529,8 @@ func (conn *Conn) cleanup() error {
 	}
 
 	log.Debugf("cleaned up connection to peer %s", conn.config.Key)
-	if err1 != nil {
-		return err1
-	}
-	if err2 != nil {
-		return err2
-	}
-	return err3
+
+	return nil
 }
 
 // SetSignalOffer sets a handler function to be triggered by Conn when a new connection offer has to be signalled to the remote peer
@@ -653,6 +708,16 @@ func (conn *Conn) GetKey() string {
 	return conn.config.Key
 }
 
+// OnModeMessage unmarshall the payload message and send it to the mode message channel
+func (conn *Conn) OnModeMessage(message ModeMessage) error {
+	select {
+	case conn.remoteModeCh <- message:
+		return nil
+	default:
+		return fmt.Errorf("unable to process mode message: channel busy")
+	}
+}
+
 // RegisterProtoSupportMeta register supported proto message in the connection metadata
 func (conn *Conn) RegisterProtoSupportMeta(support []uint32) {
 	protoSupport := signal.ParseFeaturesSupported(support)

client/internal/peer/conn_test.go

@@ -1,16 +1,18 @@
 package peer
 
 import (
+	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"sync"
 	"testing"
 	"time"
 
 	"github.com/magiconair/properties/assert"
 	"github.com/pion/ice/v2"
+	"golang.org/x/sync/errgroup"
 
-	"github.com/netbirdio/netbird/client/internal/stdnet"
-	"github.com/netbirdio/netbird/client/internal/wgproxy"
+	"github.com/netbirdio/netbird/client/internal/proxy"
 	"github.com/netbirdio/netbird/iface"
+	sproto "github.com/netbirdio/netbird/signal/proto"
 )
 
 var connConf = ConnConfig{
@@ -19,6 +21,7 @@ var connConf = ConnConfig{
 	StunTurn:           []*ice.URL{},
 	InterfaceBlackList: nil,
 	Timeout:            time.Second,
+	ProxyConfig:        proxy.Config{},
 	LocalWgPort:        51820,
 }
 
@@ -35,11 +38,7 @@ func TestNewConn_interfaceFilter(t *testing.T) {
 }
 
 func TestConn_GetKey(t *testing.T) {
-	wgProxyFactory := wgproxy.NewFactory(connConf.LocalWgPort)
-	defer func() {
-		_ = wgProxyFactory.Free()
-	}()
-	conn, err := NewConn(connConf, nil, wgProxyFactory, nil, nil)
+	conn, err := NewConn(connConf, nil, nil, nil)
 	if err != nil {
 		return
 	}
@@ -50,11 +49,8 @@ func TestConn_GetKey(t *testing.T) {
 }
 
 func TestConn_OnRemoteOffer(t *testing.T) {
-	wgProxyFactory := wgproxy.NewFactory(connConf.LocalWgPort)
-	defer func() {
-		_ = wgProxyFactory.Free()
-	}()
-	conn, err := NewConn(connConf, NewRecorder("https://mgm"), wgProxyFactory, nil, nil)
+
+	conn, err := NewConn(connConf, NewRecorder("https://mgm"), nil, nil)
 	if err != nil {
 		return
 	}
@@ -87,11 +83,8 @@ func TestConn_OnRemoteOffer(t *testing.T) {
 }
 
 func TestConn_OnRemoteAnswer(t *testing.T) {
-	wgProxyFactory := wgproxy.NewFactory(connConf.LocalWgPort)
-	defer func() {
-		_ = wgProxyFactory.Free()
-	}()
-	conn, err := NewConn(connConf, NewRecorder("https://mgm"), wgProxyFactory, nil, nil)
+
+	conn, err := NewConn(connConf, NewRecorder("https://mgm"), nil, nil)
 	if err != nil {
 		return
 	}
@@ -123,11 +116,8 @@ func TestConn_OnRemoteAnswer(t *testing.T) {
 	wg.Wait()
 }
 func TestConn_Status(t *testing.T) {
-	wgProxyFactory := wgproxy.NewFactory(connConf.LocalWgPort)
-	defer func() {
-		_ = wgProxyFactory.Free()
-	}()
-	conn, err := NewConn(connConf, NewRecorder("https://mgm"), wgProxyFactory, nil, nil)
+
+	conn, err := NewConn(connConf, NewRecorder("https://mgm"), nil, nil)
 	if err != nil {
 		return
 	}
@@ -153,11 +143,8 @@ func TestConn_Status(t *testing.T) {
 }
 
 func TestConn_Close(t *testing.T) {
-	wgProxyFactory := wgproxy.NewFactory(connConf.LocalWgPort)
-	defer func() {
-		_ = wgProxyFactory.Free()
-	}()
-	conn, err := NewConn(connConf, NewRecorder("https://mgm"), wgProxyFactory, nil, nil)
+
+	conn, err := NewConn(connConf, NewRecorder("https://mgm"), nil, nil)
 	if err != nil {
 		return
 	}
@@ -182,3 +169,274 @@ func TestConn_Close(t *testing.T) {
 
 	wg.Wait()
 }
+
+type mockICECandidate struct {
+	ice.Candidate
+	AddressFunc func() string
+	TypeFunc    func() ice.CandidateType
+}
+
+// Address mocks and overwrite ice.Candidate Address method
+func (m *mockICECandidate) Address() string {
+	if m.AddressFunc != nil {
+		return m.AddressFunc()
+	}
+	return ""
+}
+
+// Type mocks and overwrite ice.Candidate Type method
+func (m *mockICECandidate) Type() ice.CandidateType {
+	if m.TypeFunc != nil {
+		return m.TypeFunc()
+	}
+	return ice.CandidateTypeUnspecified
+}
+
+func TestConn_ShouldUseProxy(t *testing.T) {
+	publicHostCandidate := &mockICECandidate{
+		AddressFunc: func() string {
+			return "8.8.8.8"
+		},
+		TypeFunc: func() ice.CandidateType {
+			return ice.CandidateTypeHost
+		},
+	}
+	privateHostCandidate := &mockICECandidate{
+		AddressFunc: func() string {
+			return "10.0.0.1:44576"
+		},
+		TypeFunc: func() ice.CandidateType {
+			return ice.CandidateTypeHost
+		},
+	}
+
+	srflxCandidate := &mockICECandidate{
+		AddressFunc: func() string {
+			return "1.1.1.1"
+		},
+		TypeFunc: func() ice.CandidateType {
+			return ice.CandidateTypeServerReflexive
+		},
+	}
+
+	prflxCandidate := &mockICECandidate{
+		AddressFunc: func() string {
+			return "1.1.1.1"
+		},
+		TypeFunc: func() ice.CandidateType {
+			return ice.CandidateTypePeerReflexive
+		},
+	}
+
+	relayCandidate := &mockICECandidate{
+		AddressFunc: func() string {
+			return "1.1.1.1"
+		},
+		TypeFunc: func() ice.CandidateType {
+			return ice.CandidateTypeRelay
+		},
+	}
+
+	testCases := []struct {
+		name        string
+		candatePair *ice.CandidatePair
+		expected    bool
+	}{
+		{
+			name: "Use Proxy When Local Candidate Is Relay",
+			candatePair: &ice.CandidatePair{
+				Local:  relayCandidate,
+				Remote: privateHostCandidate,
+			},
+			expected: true,
+		},
+		{
+			name: "Use Proxy When Remote Candidate Is Relay",
+			candatePair: &ice.CandidatePair{
+				Local:  privateHostCandidate,
+				Remote: relayCandidate,
+			},
+			expected: true,
+		},
+		{
+			name: "Use Proxy When Local Candidate Is Peer Reflexive",
+			candatePair: &ice.CandidatePair{
+				Local:  prflxCandidate,
+				Remote: privateHostCandidate,
+			},
+			expected: true,
+		},
+		{
+			name: "Use Proxy When Remote Candidate Is Peer Reflexive",
+			candatePair: &ice.CandidatePair{
+				Local:  privateHostCandidate,
+				Remote: prflxCandidate,
+			},
+			expected: true,
+		},
+		{
+			name: "Don't Use Proxy When Local Candidate Is Public And Remote Is Private",
+			candatePair: &ice.CandidatePair{
+				Local:  publicHostCandidate,
+				Remote: privateHostCandidate,
+			},
+			expected: false,
+		},
+		{
+			name: "Don't Use Proxy When Remote Candidate Is Public And Local Is Private",
+			candatePair: &ice.CandidatePair{
+				Local:  privateHostCandidate,
+				Remote: publicHostCandidate,
+			},
+			expected: false,
+		},
+		{
+			name: "Don't Use Proxy When Local Candidate is Public And Remote Is Server Reflexive",
+			candatePair: &ice.CandidatePair{
+				Local:  publicHostCandidate,
+				Remote: srflxCandidate,
+			},
+			expected: false,
+		},
+		{
+			name: "Don't Use Proxy When Remote Candidate is Public And Local Is Server Reflexive",
+			candatePair: &ice.CandidatePair{
+				Local:  srflxCandidate,
+				Remote: publicHostCandidate,
+			},
+			expected: false,
+		},
+		{
+			name: "Don't Use Proxy When Both Candidates Are Public",
+			candatePair: &ice.CandidatePair{
+				Local:  publicHostCandidate,
+				Remote: publicHostCandidate,
+			},
+			expected: false,
+		},
+		{
+			name: "Don't Use Proxy When Both Candidates Are Private",
+			candatePair: &ice.CandidatePair{
+				Local:  privateHostCandidate,
+				Remote: privateHostCandidate,
+			},
+			expected: false,
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			result := shouldUseProxy(testCase.candatePair, false)
+			if result != testCase.expected {
+				t.Errorf("got a different result. Expected %t Got %t", testCase.expected, result)
+			}
+		})
+	}
+}
+
+func TestGetProxyWithMessageExchange(t *testing.T) {
+	publicHostCandidate := &mockICECandidate{
+		AddressFunc: func() string {
+			return "8.8.8.8"
+		},
+		TypeFunc: func() ice.CandidateType {
+			return ice.CandidateTypeHost
+		},
+	}
+	relayCandidate := &mockICECandidate{
+		AddressFunc: func() string {
+			return "1.1.1.1"
+		},
+		TypeFunc: func() ice.CandidateType {
+			return ice.CandidateTypeRelay
+		},
+	}
+
+	testCases := []struct {
+		name                   string
+		candatePair            *ice.CandidatePair
+		inputDirectModeSupport bool
+		inputRemoteModeMessage bool
+		expected               proxy.Type
+	}{
+		{
+			name: "Should Result In Using Wireguard Proxy When Local Eval Is Use Proxy",
+			candatePair: &ice.CandidatePair{
+				Local:  relayCandidate,
+				Remote: publicHostCandidate,
+			},
+			inputDirectModeSupport: true,
+			inputRemoteModeMessage: true,
+			expected:               proxy.TypeWireGuard,
+		},
+		{
+			name: "Should Result In Using Wireguard Proxy When Remote Eval Is Use Proxy",
+			candatePair: &ice.CandidatePair{
+				Local:  publicHostCandidate,
+				Remote: publicHostCandidate,
+			},
+			inputDirectModeSupport: true,
+			inputRemoteModeMessage: false,
+			expected:               proxy.TypeWireGuard,
+		},
+		{
+			name: "Should Result In Using Wireguard Proxy When Remote Direct Mode Support Is False And Local Eval Is Use Proxy",
+			candatePair: &ice.CandidatePair{
+				Local:  relayCandidate,
+				Remote: publicHostCandidate,
+			},
+			inputDirectModeSupport: false,
+			inputRemoteModeMessage: false,
+			expected:               proxy.TypeWireGuard,
+		},
+		{
+			name: "Should Result In Using Direct When Remote Direct Mode Support Is False And Local Eval Is No Use Proxy",
+			candatePair: &ice.CandidatePair{
+				Local:  publicHostCandidate,
+				Remote: publicHostCandidate,
+			},
+			inputDirectModeSupport: false,
+			inputRemoteModeMessage: false,
+			expected:               proxy.TypeDirectNoProxy,
+		},
+		{
+			name: "Should Result In Using Direct When Local And Remote Eval Is No Proxy",
+			candatePair: &ice.CandidatePair{
+				Local:  publicHostCandidate,
+				Remote: publicHostCandidate,
+			},
+			inputDirectModeSupport: true,
+			inputRemoteModeMessage: true,
+			expected:               proxy.TypeDirectNoProxy,
+		},
+	}
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			g := errgroup.Group{}
+			conn, err := NewConn(connConf, nil, nil, nil)
+			if err != nil {
+				t.Fatal(err)
+			}
+			conn.meta.protoSupport.DirectCheck = testCase.inputDirectModeSupport
+			conn.SetSendSignalMessage(func(message *sproto.Message) error {
+				return nil
+			})
+
+			g.Go(func() error {
+				return conn.OnModeMessage(ModeMessage{
+					Direct: testCase.inputRemoteModeMessage,
+				})
+			})
+
+			resultProxy := conn.getProxyWithMessageExchange(testCase.candatePair, 1000)
+
+			err = g.Wait()
+			if err != nil {
+				t.Error(err)
+			}
+			if resultProxy.Type() != testCase.expected {
+				t.Errorf("result didn't match expected value: Expected: %s, Got: %s", testCase.expected, resultProxy.Type())
+			}
+		})
+	}
+}

client/internal/peer/env_config.go

@@ -1,53 +0,0 @@
-package peer
-
-import (
-	"os"
-	"strconv"
-	"strings"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-)
-
-const (
-	envICEKeepAliveIntervalSec   = "NB_ICE_KEEP_ALIVE_INTERVAL_SEC"
-	envICEDisconnectedTimeoutSec = "NB_ICE_DISCONNECTED_TIMEOUT_SEC"
-	envICEForceRelayConn         = "NB_ICE_FORCE_RELAY_CONN"
-)
-
-func iceKeepAlive() time.Duration {
-	keepAliveEnv := os.Getenv(envICEKeepAliveIntervalSec)
-	if keepAliveEnv == "" {
-		return iceKeepAliveDefault
-	}
-
-	log.Debugf("setting ICE keep alive interval to %s seconds", keepAliveEnv)
-	keepAliveEnvSec, err := strconv.Atoi(keepAliveEnv)
-	if err != nil {
-		log.Warnf("invalid value %s set for %s, using default %v", keepAliveEnv, envICEKeepAliveIntervalSec, iceKeepAliveDefault)
-		return iceKeepAliveDefault
-	}
-
-	return time.Duration(keepAliveEnvSec) * time.Second
-}
-
-func iceDisconnectedTimeout() time.Duration {
-	disconnectedTimeoutEnv := os.Getenv(envICEDisconnectedTimeoutSec)
-	if disconnectedTimeoutEnv == "" {
-		return iceDisconnectedTimeoutDefault
-	}
-
-	log.Debugf("setting ICE disconnected timeout to %s seconds", disconnectedTimeoutEnv)
-	disconnectedTimeoutSec, err := strconv.Atoi(disconnectedTimeoutEnv)
-	if err != nil {
-		log.Warnf("invalid value %s set for %s, using default %v", disconnectedTimeoutEnv, envICEDisconnectedTimeoutSec, iceDisconnectedTimeoutDefault)
-		return iceDisconnectedTimeoutDefault
-	}
-
-	return time.Duration(disconnectedTimeoutSec) * time.Second
-}
-
-func hasICEForceRelayConn() bool {
-	disconnectedTimeoutEnv := os.Getenv(envICEForceRelayConn)
-	return strings.ToLower(disconnectedTimeoutEnv) == "true"
-}

client/internal/peer/status.go

@@ -59,11 +59,6 @@ type Status struct {
 	mgmAddress      string
 	signalAddress   string
 	notifier        *notifier
-
-	// To reduce the number of notification invocation this bool will be true when need to call the notification
-	// Some Peer actions mostly used by in a batch when the network map has been synchronized. In these type of events
-	// set to true this variable and at the end of the processing we will reset it by the FinishPeerListModifications()
-	peerListChangedForNotification bool
 }
 
 // NewRecorder returns a new Status instance
@@ -83,13 +78,10 @@ func (d *Status) ReplaceOfflinePeers(replacement []State) {
 	defer d.mux.Unlock()
 	d.offlinePeers = make([]State, len(replacement))
 	copy(d.offlinePeers, replacement)
-
-	// todo we should set to true in case if the list changed only
-	d.peerListChangedForNotification = true
 }
 
 // AddPeer adds peer to Daemon status map
-func (d *Status) AddPeer(peerPubKey string, fqdn string) error {
+func (d *Status) AddPeer(peerPubKey string) error {
 	d.mux.Lock()
 	defer d.mux.Unlock()
 
@@ -97,12 +89,7 @@ func (d *Status) AddPeer(peerPubKey string, fqdn string) error {
 	if ok {
 		return errors.New("peer already exist")
 	}
-	d.peers[peerPubKey] = State{
-		PubKey:     peerPubKey,
-		ConnStatus: StatusDisconnected,
-		FQDN:       fqdn,
-	}
-	d.peerListChangedForNotification = true
+	d.peers[peerPubKey] = State{PubKey: peerPubKey, ConnStatus: StatusDisconnected}
 	return nil
 }
 
@@ -124,13 +111,13 @@ func (d *Status) RemovePeer(peerPubKey string) error {
 	defer d.mux.Unlock()
 
 	_, ok := d.peers[peerPubKey]
-	if !ok {
-		return errors.New("no peer with to remove")
+	if ok {
+		delete(d.peers, peerPubKey)
+		return nil
 	}
 
-	delete(d.peers, peerPubKey)
-	d.peerListChangedForNotification = true
-	return nil
+	d.notifyPeerListChanged()
+	return errors.New("no peer with to remove")
 }
 
 // UpdatePeerState updates peer status
@@ -147,8 +134,6 @@ func (d *Status) UpdatePeerState(receivedState State) error {
 		peerState.IP = receivedState.IP
 	}
 
-	skipNotification := shouldSkipNotify(receivedState, peerState)
-
 	if receivedState.ConnStatus != peerState.ConnStatus {
 		peerState.ConnStatus = receivedState.ConnStatus
 		peerState.ConnStatusUpdate = receivedState.ConnStatusUpdate
@@ -160,10 +145,6 @@ func (d *Status) UpdatePeerState(receivedState State) error {
 
 	d.peers[receivedState.PubKey] = peerState
 
-	if skipNotification {
-		return nil
-	}
-
 	ch, found := d.changeNotify[receivedState.PubKey]
 	if found && ch != nil {
 		close(ch)
@@ -174,19 +155,6 @@ func (d *Status) UpdatePeerState(receivedState State) error {
 	return nil
 }
 
-func shouldSkipNotify(new, curr State) bool {
-	switch {
-	case new.ConnStatus == StatusConnecting:
-		return true
-	case new.ConnStatus == StatusDisconnected && curr.ConnStatus == StatusConnecting:
-		return true
-	case new.ConnStatus == StatusDisconnected && curr.ConnStatus == StatusDisconnected:
-		return curr.IP != ""
-	default:
-		return false
-	}
-}
-
 // UpdatePeerFQDN update peer's state fqdn only
 func (d *Status) UpdatePeerFQDN(peerPubKey, fqdn string) error {
 	d.mux.Lock()
@@ -200,21 +168,8 @@ func (d *Status) UpdatePeerFQDN(peerPubKey, fqdn string) error {
 	peerState.FQDN = fqdn
 	d.peers[peerPubKey] = peerState
 
-	return nil
-}
-
-// FinishPeerListModifications this event invoke the notification
-func (d *Status) FinishPeerListModifications() {
-	d.mux.Lock()
-
-	if !d.peerListChangedForNotification {
-		d.mux.Unlock()
-		return
-	}
-	d.peerListChangedForNotification = false
-	d.mux.Unlock()
-
 	d.notifyPeerListChanged()
+	return nil
 }
 
 // GetPeerStateChangeNotifier returns a change notifier channel for a peer
@@ -353,7 +308,7 @@ func (d *Status) onConnectionChanged() {
 }
 
 func (d *Status) notifyPeerListChanged() {
-	d.notifier.peerListChanged(len(d.peers) + len(d.offlinePeers))
+	d.notifier.peerListChanged(len(d.peers))
 }
 
 func (d *Status) notifyAddressChanged() {

client/internal/peer/status_test.go

@@ -9,13 +9,13 @@ import (
 func TestAddPeer(t *testing.T) {
 	key := "abc"
 	status := NewRecorder("https://mgm")
-	err := status.AddPeer(key, "abc.netbird")
+	err := status.AddPeer(key)
 	assert.NoError(t, err, "shouldn't return error")
 
 	_, exists := status.peers[key]
 	assert.True(t, exists, "value was found")
 
-	err = status.AddPeer(key, "abc.netbird")
+	err = status.AddPeer(key)
 
 	assert.Error(t, err, "should return error on duplicate")
 }
@@ -23,7 +23,7 @@ func TestAddPeer(t *testing.T) {
 func TestGetPeer(t *testing.T) {
 	key := "abc"
 	status := NewRecorder("https://mgm")
-	err := status.AddPeer(key, "abc.netbird")
+	err := status.AddPeer(key)
 	assert.NoError(t, err, "shouldn't return error")
 
 	peerStatus, err := status.GetPeer(key)

client/internal/pkce_auth.go

@@ -1,128 +0,0 @@
-package internal
-
-import (
-	"context"
-	"fmt"
-	"net/url"
-
-	log "github.com/sirupsen/logrus"
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/status"
-
-	mgm "github.com/netbirdio/netbird/management/client"
-)
-
-// PKCEAuthorizationFlow represents PKCE Authorization Flow information
-type PKCEAuthorizationFlow struct {
-	ProviderConfig PKCEAuthProviderConfig
-}
-
-// PKCEAuthProviderConfig has all attributes needed to initiate pkce authorization flow
-type PKCEAuthProviderConfig struct {
-	// ClientID An IDP application client id
-	ClientID string
-	// ClientSecret An IDP application client secret
-	ClientSecret string
-	// Audience An Audience for to authorization validation
-	Audience string
-	// TokenEndpoint is the endpoint of an IDP manager where clients can obtain access token
-	TokenEndpoint string
-	// AuthorizationEndpoint is the endpoint of an IDP manager where clients can obtain authorization code
-	AuthorizationEndpoint string
-	// Scopes provides the scopes to be included in the token request
-	Scope string
-	// RedirectURL handles authorization code from IDP manager
-	RedirectURLs []string
-	// UseIDToken indicates if the id token should be used for authentication
-	UseIDToken bool
-}
-
-// GetPKCEAuthorizationFlowInfo initialize a PKCEAuthorizationFlow instance and return with it
-func GetPKCEAuthorizationFlowInfo(ctx context.Context, privateKey string, mgmURL *url.URL) (PKCEAuthorizationFlow, error) {
-	// validate our peer's Wireguard PRIVATE key
-	myPrivateKey, err := wgtypes.ParseKey(privateKey)
-	if err != nil {
-		log.Errorf("failed parsing Wireguard key %s: [%s]", privateKey, err.Error())
-		return PKCEAuthorizationFlow{}, err
-	}
-
-	var mgmTLSEnabled bool
-	if mgmURL.Scheme == "https" {
-		mgmTLSEnabled = true
-	}
-
-	log.Debugf("connecting to Management Service %s", mgmURL.String())
-	mgmClient, err := mgm.NewClient(ctx, mgmURL.Host, myPrivateKey, mgmTLSEnabled)
-	if err != nil {
-		log.Errorf("failed connecting to Management Service %s %v", mgmURL.String(), err)
-		return PKCEAuthorizationFlow{}, err
-	}
-	log.Debugf("connected to the Management service %s", mgmURL.String())
-
-	defer func() {
-		err = mgmClient.Close()
-		if err != nil {
-			log.Warnf("failed to close the Management service client %v", err)
-		}
-	}()
-
-	serverKey, err := mgmClient.GetServerPublicKey()
-	if err != nil {
-		log.Errorf("failed while getting Management Service public key: %v", err)
-		return PKCEAuthorizationFlow{}, err
-	}
-
-	protoPKCEAuthorizationFlow, err := mgmClient.GetPKCEAuthorizationFlow(*serverKey)
-	if err != nil {
-		if s, ok := status.FromError(err); ok && s.Code() == codes.NotFound {
-			log.Warnf("server couldn't find pkce flow, contact admin: %v", err)
-			return PKCEAuthorizationFlow{}, err
-		}
-		log.Errorf("failed to retrieve pkce flow: %v", err)
-		return PKCEAuthorizationFlow{}, err
-	}
-
-	authFlow := PKCEAuthorizationFlow{
-		ProviderConfig: PKCEAuthProviderConfig{
-			Audience:              protoPKCEAuthorizationFlow.GetProviderConfig().GetAudience(),
-			ClientID:              protoPKCEAuthorizationFlow.GetProviderConfig().GetClientID(),
-			ClientSecret:          protoPKCEAuthorizationFlow.GetProviderConfig().GetClientSecret(),
-			TokenEndpoint:         protoPKCEAuthorizationFlow.GetProviderConfig().GetTokenEndpoint(),
-			AuthorizationEndpoint: protoPKCEAuthorizationFlow.GetProviderConfig().GetAuthorizationEndpoint(),
-			Scope:                 protoPKCEAuthorizationFlow.GetProviderConfig().GetScope(),
-			RedirectURLs:          protoPKCEAuthorizationFlow.GetProviderConfig().GetRedirectURLs(),
-			UseIDToken:            protoPKCEAuthorizationFlow.GetProviderConfig().GetUseIDToken(),
-		},
-	}
-
-	err = isPKCEProviderConfigValid(authFlow.ProviderConfig)
-	if err != nil {
-		return PKCEAuthorizationFlow{}, err
-	}
-
-	return authFlow, nil
-}
-
-func isPKCEProviderConfigValid(config PKCEAuthProviderConfig) error {
-	errorMSGFormat := "invalid provider configuration received from management: %s value is empty. Contact your NetBird administrator"
-	if config.Audience == "" {
-		return fmt.Errorf(errorMSGFormat, "Audience")
-	}
-	if config.ClientID == "" {
-		return fmt.Errorf(errorMSGFormat, "Client ID")
-	}
-	if config.TokenEndpoint == "" {
-		return fmt.Errorf(errorMSGFormat, "Token Endpoint")
-	}
-	if config.AuthorizationEndpoint == "" {
-		return fmt.Errorf(errorMSGFormat, "Authorization Auth Endpoint")
-	}
-	if config.Scope == "" {
-		return fmt.Errorf(errorMSGFormat, "PKCE Auth Scopes")
-	}
-	if config.RedirectURLs == nil {
-		return fmt.Errorf(errorMSGFormat, "PKCE Redirect URLs")
-	}
-	return nil
-}

client/internal/proxy/direct.go

@@ -0,0 +1,67 @@
+package proxy
+
+import (
+	"net"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/iface"
+)
+
+// DirectNoProxy is used when there is no need for a proxy between ICE and WireGuard.
+// This is possible in either of these cases:
+// - peers are in the same local network
+// - one of the peers has a public static IP (host)
+// DirectNoProxy will just update remote peer with a remote host and fixed WireGuard port (r.g. 51820).
+// In order DirectNoProxy to work, WireGuard port has to be fixed for the time being.
+type DirectNoProxy struct {
+	wgInterface *iface.WGIface
+
+	remoteKey  string
+	allowedIps string
+
+	// RemoteWgListenPort is a WireGuard port of a remote peer.
+	// It is used instead of the hardcoded 51820 port.
+	remoteWgListenPort int
+}
+
+// NewDirectNoProxy creates a new DirectNoProxy with a provided config and remote peer's WireGuard listen port
+func NewDirectNoProxy(wgInterface *iface.WGIface, remoteKey string, allowedIps string, remoteWgPort int) *DirectNoProxy {
+	return &DirectNoProxy{
+		wgInterface:        wgInterface,
+		remoteKey:          remoteKey,
+		allowedIps:         allowedIps,
+		remoteWgListenPort: remoteWgPort}
+}
+
+// Close removes peer from the WireGuard interface
+func (p *DirectNoProxy) Close() error {
+	err := p.wgInterface.RemovePeer(p.remoteKey)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// Start just updates WireGuard peer with the remote IP and default WireGuard port
+func (p *DirectNoProxy) Start(remoteConn net.Conn) error {
+
+	log.Debugf("using DirectNoProxy while connecting to peer %s", p.remoteKey)
+	addr, err := net.ResolveUDPAddr("udp", remoteConn.RemoteAddr().String())
+	if err != nil {
+		return err
+	}
+	addr.Port = p.remoteWgListenPort
+	err = p.wgInterface.UpdatePeer(p.remoteKey, p.allowedIps, addr)
+
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// Type returns the type of this proxy
+func (p *DirectNoProxy) Type() Type {
+	return TypeDirectNoProxy
+}

client/internal/proxy/dummy.go

@@ -0,0 +1,72 @@
+package proxy
+
+import (
+	"context"
+	log "github.com/sirupsen/logrus"
+	"net"
+	"time"
+)
+
+// DummyProxy just sends pings to the RemoteKey peer and reads responses
+type DummyProxy struct {
+	conn   net.Conn
+	remote string
+	ctx    context.Context
+	cancel context.CancelFunc
+}
+
+func NewDummyProxy(remote string) *DummyProxy {
+	p := &DummyProxy{remote: remote}
+	p.ctx, p.cancel = context.WithCancel(context.Background())
+	return p
+}
+
+func (p *DummyProxy) Close() error {
+	p.cancel()
+	return nil
+}
+
+func (p *DummyProxy) Start(remoteConn net.Conn) error {
+	p.conn = remoteConn
+	go func() {
+		buf := make([]byte, 1500)
+		for {
+			select {
+			case <-p.ctx.Done():
+				return
+			default:
+				_, err := p.conn.Read(buf)
+				if err != nil {
+					log.Errorf("error while reading RemoteKey %s proxy %v", p.remote, err)
+					return
+				}
+				//log.Debugf("received %s from %s", string(buf[:n]), p.remote)
+			}
+
+		}
+	}()
+
+	go func() {
+		for {
+			select {
+			case <-p.ctx.Done():
+				return
+			default:
+				_, err := p.conn.Write([]byte("hello"))
+				//log.Debugf("sent ping to %s", p.remote)
+				if err != nil {
+					log.Errorf("error while writing to RemoteKey %s proxy %v", p.remote, err)
+					return
+				}
+				time.Sleep(5 * time.Second)
+			}
+		}
+
+	}()
+
+	return nil
+}
+
+func (p *DummyProxy) Type() Type {
+	return TypeDummy
+}

client/internal/proxy/noproxy.go

@@ -0,0 +1,42 @@
+package proxy
+
+import (
+	log "github.com/sirupsen/logrus"
+	"net"
+)
+
+// NoProxy is used just to configure WireGuard without any local proxy in between.
+// Used when the WireGuard interface is userspace and uses bind.ICEBind
+type NoProxy struct {
+	config Config
+}
+
+// NewNoProxy creates a new NoProxy with a provided config
+func NewNoProxy(config Config) *NoProxy {
+	return &NoProxy{config: config}
+}
+
+// Close removes peer from the WireGuard interface
+func (p *NoProxy) Close() error {
+	err := p.config.WgInterface.RemovePeer(p.config.RemoteKey)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// Start just updates WireGuard peer with the remote address
+func (p *NoProxy) Start(remoteConn net.Conn) error {
+
+	log.Debugf("using NoProxy to connect to peer %s at %s", p.config.RemoteKey, remoteConn.RemoteAddr().String())
+	addr, err := net.ResolveUDPAddr("udp", remoteConn.RemoteAddr().String())
+	if err != nil {
+		return err
+	}
+	return p.config.WgInterface.UpdatePeer(p.config.RemoteKey, p.config.AllowedIps, DefaultWgKeepAlive,
+		addr, p.config.PreSharedKey)
+}
+
+func (p *NoProxy) Type() Type {
+	return TypeNoProxy
+}

client/internal/proxy/proxy.go

@@ -0,0 +1,22 @@
+package proxy
+
+import (
+	"io"
+	"net"
+)
+
+type Type string
+
+const (
+	TypeDirectNoProxy Type = "DirectNoProxy"
+	TypeWireGuard     Type = "WireGuard"
+	TypeDummy         Type = "Dummy"
+	TypeNoProxy       Type = "NoProxy"
+)
+
+type Proxy interface {
+	io.Closer
+	// Start creates a local remoteConn and starts proxying data from/to remoteConn
+	Start(remoteConn net.Conn) error
+	Type() Type
+}

client/internal/proxy/wireguard.go

@@ -0,0 +1,128 @@
+package proxy
+
+import (
+	"context"
+	log "github.com/sirupsen/logrus"
+	"net"
+)
+
+// WireGuardProxy proxies
+type WireGuardProxy struct {
+	ctx    context.Context
+	cancel context.CancelFunc
+
+	config Config
+
+	remoteConn net.Conn
+	localConn  net.Conn
+}
+
+func NewWireGuardProxy(config Config) *WireGuardProxy {
+	p := &WireGuardProxy{config: config}
+	p.ctx, p.cancel = context.WithCancel(context.Background())
+	return p
+}
+
+func (p *WireGuardProxy) updateEndpoint() error {
+	udpAddr, err := net.ResolveUDPAddr(p.localConn.LocalAddr().Network(), p.localConn.LocalAddr().String())
+	if err != nil {
+		return err
+	}
+	// add local proxy connection as a Wireguard peer
+	err = p.config.WgInterface.UpdatePeer(p.config.RemoteKey, p.config.AllowedIps, DefaultWgKeepAlive,
+		udpAddr, p.config.PreSharedKey)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (p *WireGuardProxy) Start(remoteConn net.Conn) error {
+	p.remoteConn = remoteConn
+
+	var err error
+	p.localConn, err = net.Dial("udp", p.config.WgListenAddr)
+	if err != nil {
+		log.Errorf("failed dialing to local Wireguard port %s", err)
+		return err
+	}
+
+	err = p.updateEndpoint()
+	if err != nil {
+		log.Errorf("error while updating Wireguard peer endpoint [%s] %v", p.config.RemoteKey, err)
+		return err
+	}
+
+	go p.proxyToRemote()
+	go p.proxyToLocal()
+
+	return nil
+}
+
+func (p *WireGuardProxy) Close() error {
+	p.cancel()
+	if c := p.localConn; c != nil {
+		err := p.localConn.Close()
+		if err != nil {
+			return err
+		}
+	}
+	err := p.config.WgInterface.RemovePeer(p.config.RemoteKey)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// proxyToRemote proxies everything from Wireguard to the RemoteKey peer
+// blocks
+func (p *WireGuardProxy) proxyToRemote() {
+
+	buf := make([]byte, 1500)
+	for {
+		select {
+		case <-p.ctx.Done():
+			log.Debugf("stopped proxying to remote peer %s due to closed connection", p.config.RemoteKey)
+			return
+		default:
+			n, err := p.localConn.Read(buf)
+			if err != nil {
+				continue
+			}
+
+			_, err = p.remoteConn.Write(buf[:n])
+			if err != nil {
+				continue
+			}
+		}
+	}
+}
+
+// proxyToLocal proxies everything from the RemoteKey peer to local Wireguard
+// blocks
+func (p *WireGuardProxy) proxyToLocal() {
+
+	buf := make([]byte, 1500)
+	for {
+		select {
+		case <-p.ctx.Done():
+			log.Debugf("stopped proxying from remote peer %s due to closed connection", p.config.RemoteKey)
+			return
+		default:
+			n, err := p.remoteConn.Read(buf)
+			if err != nil {
+				continue
+			}
+
+			_, err = p.localConn.Write(buf[:n])
+			if err != nil {
+				continue
+			}
+		}
+	}
+}
+
+func (p *WireGuardProxy) Type() Type {
+	return TypeWireGuard
+}

client/internal/routemanager/client.go

@@ -71,7 +71,7 @@ func (c *clientNetwork) getRouterPeerStatuses() map[string]routerPeerStatus {
 }
 
 func (c *clientNetwork) getBestRouteFromStatuses(routePeerStatuses map[string]routerPeerStatus) string {
-	chosen := ""
+	var chosen string
 	chosenScore := 0
 
 	currID := ""
@@ -85,26 +85,17 @@ func (c *clientNetwork) getBestRouteFromStatuses(routePeerStatuses map[string]ro
 		if !found || !peerStatus.connected {
 			continue
 		}
-
 		if r.Metric < route.MaxMetric {
 			metricDiff := route.MaxMetric - r.Metric
 			tempScore = metricDiff * 10
 		}
-
 		if !peerStatus.relayed {
 			tempScore++
 		}
-
-		if peerStatus.direct {
+		if !peerStatus.direct {
 			tempScore++
 		}
-
-		if tempScore > chosenScore || (tempScore == chosenScore && r.ID == currID) {
-			chosen = r.ID
-			chosenScore = tempScore
-		}
-
-		if chosen == "" && currID == "" {
+		if tempScore > chosenScore || (tempScore == chosenScore && currID == r.ID) {
 			chosen = r.ID
 			chosenScore = tempScore
 		}
@@ -115,9 +106,7 @@ func (c *clientNetwork) getBestRouteFromStatuses(routePeerStatuses map[string]ro
 		for _, r := range c.routes {
 			peers = append(peers, r.Peer)
 		}
-
-		log.Warnf("the network %s has not been assigned a routing peer as no peers from the list %s are currently connected", c.network, peers)
-
+		log.Warnf("no route was chosen for network %s because no peers from list %s were connected", c.network, peers)
 	} else if chosen != currID {
 		log.Infof("new chosen route is %s with peer %s with score %d", chosen, c.routes[chosen].Peer, chosenScore)
 	}

client/internal/routemanager/client_test.go

@@ -1,199 +0,0 @@
-package routemanager
-
-import (
-	"net/netip"
-	"testing"
-
-	"github.com/netbirdio/netbird/route"
-)
-
-func TestGetBestrouteFromStatuses(t *testing.T) {
-
-	testCases := []struct {
-		name            string
-		statuses        map[string]routerPeerStatus
-		expectedRouteID string
-		currentRoute    *route.Route
-		existingRoutes  map[string]*route.Route
-	}{
-		{
-			name: "one route",
-			statuses: map[string]routerPeerStatus{
-				"route1": {
-					connected: true,
-					relayed:   false,
-					direct:    true,
-				},
-			},
-			existingRoutes: map[string]*route.Route{
-				"route1": {
-					ID:     "route1",
-					Metric: route.MaxMetric,
-					Peer:   "peer1",
-				},
-			},
-			currentRoute:    nil,
-			expectedRouteID: "route1",
-		},
-		{
-			name: "one connected routes with relayed and direct",
-			statuses: map[string]routerPeerStatus{
-				"route1": {
-					connected: true,
-					relayed:   true,
-					direct:    true,
-				},
-			},
-			existingRoutes: map[string]*route.Route{
-				"route1": {
-					ID:     "route1",
-					Metric: route.MaxMetric,
-					Peer:   "peer1",
-				},
-			},
-			currentRoute:    nil,
-			expectedRouteID: "route1",
-		},
-		{
-			name: "one connected routes with relayed and no direct",
-			statuses: map[string]routerPeerStatus{
-				"route1": {
-					connected: true,
-					relayed:   true,
-					direct:    false,
-				},
-			},
-			existingRoutes: map[string]*route.Route{
-				"route1": {
-					ID:     "route1",
-					Metric: route.MaxMetric,
-					Peer:   "peer1",
-				},
-			},
-			currentRoute:    nil,
-			expectedRouteID: "route1",
-		},
-		{
-			name: "no connected peers",
-			statuses: map[string]routerPeerStatus{
-				"route1": {
-					connected: false,
-					relayed:   false,
-					direct:    false,
-				},
-			},
-			existingRoutes: map[string]*route.Route{
-				"route1": {
-					ID:     "route1",
-					Metric: route.MaxMetric,
-					Peer:   "peer1",
-				},
-			},
-			currentRoute:    nil,
-			expectedRouteID: "",
-		},
-		{
-			name: "multiple connected peers with different metrics",
-			statuses: map[string]routerPeerStatus{
-				"route1": {
-					connected: true,
-					relayed:   false,
-					direct:    true,
-				},
-				"route2": {
-					connected: true,
-					relayed:   false,
-					direct:    true,
-				},
-			},
-			existingRoutes: map[string]*route.Route{
-				"route1": {
-					ID:     "route1",
-					Metric: 9000,
-					Peer:   "peer1",
-				},
-				"route2": {
-					ID:     "route2",
-					Metric: route.MaxMetric,
-					Peer:   "peer2",
-				},
-			},
-			currentRoute:    nil,
-			expectedRouteID: "route1",
-		},
-		{
-			name: "multiple connected peers with one relayed",
-			statuses: map[string]routerPeerStatus{
-				"route1": {
-					connected: true,
-					relayed:   false,
-					direct:    true,
-				},
-				"route2": {
-					connected: true,
-					relayed:   true,
-					direct:    true,
-				},
-			},
-			existingRoutes: map[string]*route.Route{
-				"route1": {
-					ID:     "route1",
-					Metric: route.MaxMetric,
-					Peer:   "peer1",
-				},
-				"route2": {
-					ID:     "route2",
-					Metric: route.MaxMetric,
-					Peer:   "peer2",
-				},
-			},
-			currentRoute:    nil,
-			expectedRouteID: "route1",
-		},
-		{
-			name: "multiple connected peers with one direct",
-			statuses: map[string]routerPeerStatus{
-				"route1": {
-					connected: true,
-					relayed:   false,
-					direct:    true,
-				},
-				"route2": {
-					connected: true,
-					relayed:   false,
-					direct:    false,
-				},
-			},
-			existingRoutes: map[string]*route.Route{
-				"route1": {
-					ID:     "route1",
-					Metric: route.MaxMetric,
-					Peer:   "peer1",
-				},
-				"route2": {
-					ID:     "route2",
-					Metric: route.MaxMetric,
-					Peer:   "peer2",
-				},
-			},
-			currentRoute:    nil,
-			expectedRouteID: "route1",
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			// create new clientNetwork
-			client := &clientNetwork{
-				network:     netip.MustParsePrefix("192.168.0.0/24"),
-				routes:      tc.existingRoutes,
-				chosenRoute: tc.currentRoute,
-			}
-
-			chosenRoute := client.getBestRouteFromStatuses(tc.statuses)
-			if chosenRoute != tc.expectedRouteID {
-				t.Errorf("expected routeID %s, got %s", tc.expectedRouteID, chosenRoute)
-			}
-		})
-	}
-}