Replace retired ubuntu 20.04 runner

.github/ISSUE_TEMPLATE/bug-issue-report.md

@@ -37,21 +37,16 @@ If yes, which one?
 
 **Debug output**
 
-To help us resolve the problem, please attach the following anonymized status output
+To help us resolve the problem, please attach the following debug output
 
   netbird status -dA
 
-Create and upload a debug bundle, and share the returned file key:
-
-  netbird debug for 1m -AS -U
-
-*Uploaded files are automatically deleted after 30 days.*
-
-
-Alternatively, create the file only and attach it here manually:
+As well as the file created by
 
   netbird debug for 1m -AS
 
+  
+We advise reviewing the anonymized output for any remaining personal information.
 
 **Screenshots**
 
@@ -62,10 +57,8 @@ If applicable, add screenshots to help explain your problem.
 Add any other context about the problem here.
 
 **Have you tried these troubleshooting steps?**
-- [ ] Reviewed [client troubleshooting](https://docs.netbird.io/how-to/troubleshooting-client) (if applicable)
 - [ ] Checked for newer NetBird versions
 - [ ] Searched for similar issues on GitHub (including closed ones)
 - [ ] Restarted the NetBird client
 - [ ] Disabled other VPN software
 - [ ] Checked firewall settings
-

.github/pull_request_template.md

@@ -13,5 +13,3 @@
 - [ ] It is a refactor
 - [ ] Created tests that fail without the change (if possible)
 - [ ] Extended the README / documentation, if necessary
-
-> By submitting this pull request, you confirm that you have read and agree to the terms of the [Contributor License Agreement](https://github.com/netbirdio/netbird/blob/main/CONTRIBUTOR_LICENSE_AGREEMENT.md).

.github/workflows/git-town.yml

@@ -16,6 +16,6 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
-      - uses: git-town/action@v1.2.1
+      - uses: git-town/action@v1
         with:
-          skip-single-stacks: true
+          skip-single-stacks: true

.github/workflows/golang-test-linux.yml

@@ -146,65 +146,6 @@ jobs:
       - name: Test
         run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -tags devcert -exec 'sudo' -timeout 10m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay)
 
-  test_client_on_docker:
-    name: "Client (Docker) / Unit"
-    needs: [build-cache]
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: "1.23.x"
-          cache: false
-
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Get Go environment
-        id: go-env
-        run: |
-          echo "cache_dir=$(go env GOCACHE)" >> $GITHUB_OUTPUT
-          echo "modcache_dir=$(go env GOMODCACHE)" >> $GITHUB_OUTPUT
-
-      - name: Cache Go modules
-        uses: actions/cache/restore@v4
-        id: cache-restore
-        with:
-          path: |
-            ${{ steps.go-env.outputs.cache_dir }}
-            ${{ steps.go-env.outputs.modcache_dir }}
-          key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-gotest-cache-
-
-      - name: Run tests in container
-        env:
-          HOST_GOCACHE: ${{ steps.go-env.outputs.cache_dir }}
-          HOST_GOMODCACHE: ${{ steps.go-env.outputs.modcache_dir }}
-        run: |
-          CONTAINER_GOCACHE="/root/.cache/go-build"
-          CONTAINER_GOMODCACHE="/go/pkg/mod"
-
-          docker run --rm \
-            --cap-add=NET_ADMIN \
-            --privileged \
-            -v $PWD:/app \
-            -w /app \
-            -v "${HOST_GOCACHE}:${CONTAINER_GOCACHE}" \
-            -v "${HOST_GOMODCACHE}:${CONTAINER_GOMODCACHE}" \
-            -e CGO_ENABLED=1 \
-            -e CI=true \
-            -e DOCKER_CI=true \
-            -e GOARCH=${GOARCH_TARGET} \
-            -e GOCACHE=${CONTAINER_GOCACHE} \
-            -e GOMODCACHE=${CONTAINER_GOMODCACHE} \
-            golang:1.23-alpine \
-            sh -c ' \
-              apk update; apk add --no-cache \
-                ca-certificates iptables ip6tables dbus dbus-dev libpcap-dev build-base; \
-              go test -buildvcs=false -tags devcert -v -timeout 10m -p 1 $(go list -buildvcs=false ./... | grep -v -e /management -e /signal -e /relay -e /client/ui -e /upload-server)
-            '
-
   test_relay:
     name: "Relay / Unit"
     needs: [build-cache]
@@ -223,10 +164,6 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
-      - name: Install dependencies
-        if: steps.cache.outputs.cache-hit != 'true'
-        run: sudo apt update && sudo apt install -y gcc-multilib g++-multilib libc6-dev-i386
-
       - name: Get Go environment
         run: |
           echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
@@ -242,6 +179,13 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-gotest-cache-
 
+      - name: Install dependencies
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
+
+      - name: Install 32-bit libpcap
+        if: matrix.arch == '386'
+        run: sudo dpkg --add-architecture i386 && sudo apt update && sudo apt-get install -y libpcap0.8-dev:i386
+
       - name: Install modules
         run: go mod tidy
 
@@ -273,10 +217,6 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
-      - name: Install dependencies
-        if: steps.cache.outputs.cache-hit != 'true'
-        run: sudo apt update && sudo apt install -y gcc-multilib g++-multilib libc6-dev-i386
-
       - name: Get Go environment
         run: |
           echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
@@ -292,6 +232,13 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-gotest-cache-
 
+      - name: Install dependencies
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
+
+      - name: Install 32-bit libpcap
+        if: matrix.arch == '386'
+        run: sudo dpkg --add-architecture i386 && sudo apt update && sudo apt-get install -y libpcap0.8-dev:i386
+
       - name: Install modules
         run: go mod tidy
 
@@ -339,6 +286,13 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-gotest-cache-
 
+      - name: Install dependencies
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
+
+      - name: Install 32-bit libpcap
+        if: matrix.arch == '386'
+        run: sudo dpkg --add-architecture i386 && sudo apt update && sudo apt-get install -y libpcap0.8-dev:i386
+
       - name: Install modules
         run: go mod tidy
 
@@ -400,6 +354,13 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-gotest-cache-
 
+      - name: Install dependencies
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
+
+      - name: Install 32-bit libpcap
+        if: matrix.arch == '386'
+        run: sudo dpkg --add-architecture i386 && sudo apt update && sudo apt-get install -y libpcap0.8-dev:i386
+
       - name: Install modules
         run: go mod tidy
 
@@ -424,7 +385,7 @@ jobs:
           CI=true \
           go test -tags devcert -run=^$ -bench=. \
           -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' \
-          -timeout 20m ./management/...
+          -timeout 20m ./...
 
   api_benchmark:
     name: "Management / Benchmark (API)"
@@ -488,6 +449,13 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-gotest-cache-
 
+      - name: Install dependencies
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
+
+      - name: Install 32-bit libpcap
+        if: matrix.arch == '386'
+        run: sudo dpkg --add-architecture i386 && sudo apt update && sudo apt-get install -y libpcap0.8-dev:i386
+
       - name: Install modules
         run: go mod tidy
 
@@ -552,6 +520,13 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-gotest-cache-
 
+      - name: Install dependencies
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
+
+      - name: Install 32-bit libpcap
+        if: matrix.arch == '386'
+        run: sudo dpkg --add-architecture i386 && sudo apt update && sudo apt-get install -y libpcap0.8-dev:i386
+
       - name: Install modules
         run: go mod tidy
 
@@ -566,3 +541,85 @@ jobs:
           go test -tags=integration \
           -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' \
           -timeout 20m ./management/...
+
+  test_client_on_docker:
+    name: "Client (Docker) / Unit"
+    needs: [ build-cache ]
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.23.x"
+          cache: false
+
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Get Go environment
+        run: |
+          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
+
+      - name: Cache Go modules
+        uses: actions/cache/restore@v4
+        with:
+          path: |
+            ${{ env.cache }}
+            ${{ env.modcache }}
+          key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-gotest-cache-
+
+      - name: Install dependencies
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
+
+      - name: Install modules
+        run: go mod tidy
+
+      - name: check git status
+        run: git --no-pager diff --exit-code
+
+      - name: Generate Shared Sock Test bin
+        run: CGO_ENABLED=0 go test -c -o sharedsock-testing.bin ./sharedsock
+
+      - name: Generate RouteManager Test bin
+        run: CGO_ENABLED=0 go test -c -o routemanager-testing.bin  ./client/internal/routemanager
+
+      - name: Generate SystemOps Test bin
+        run: CGO_ENABLED=1 go test -c -o systemops-testing.bin -tags netgo -ldflags '-w -extldflags "-static -ldbus-1 -lpcap"' ./client/internal/routemanager/systemops
+
+      - name: Generate nftables Manager Test bin
+        run: CGO_ENABLED=0 go test -c -o nftablesmanager-testing.bin ./client/firewall/nftables/...
+
+      - name: Generate Engine Test bin
+        run: CGO_ENABLED=1 go test -c -o engine-testing.bin ./client/internal
+
+      - name: Generate Peer Test bin
+        run: CGO_ENABLED=0 go test -c -o peer-testing.bin ./client/internal/peer/
+
+      - run: chmod +x *testing.bin
+
+      - name: Run Shared Sock tests in docker
+        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/sharedsock --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/sharedsock-testing.bin -test.timeout 5m -test.parallel 1
+
+      - name: Run Iface tests in docker
+        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/netbird -v /tmp/cache:/tmp/cache -v /tmp/modcache:/tmp/modcache -w /netbird -e GOCACHE=/tmp/cache -e GOMODCACHE=/tmp/modcache -e CGO_ENABLED=0 golang:1.23-alpine go test  -test.timeout 5m -test.parallel 1 ./client/iface/...
+
+      - name: Run RouteManager tests in docker
+        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal/routemanager --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/routemanager-testing.bin  -test.timeout 5m -test.parallel 1
+
+      - name: Run SystemOps tests in docker
+        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal/routemanager/systemops --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/systemops-testing.bin  -test.timeout 5m -test.parallel 1
+
+      - name: Run nftables Manager tests in docker
+        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/firewall --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/nftablesmanager-testing.bin  -test.timeout 5m -test.parallel 1
+
+      - name: Run Engine tests in docker with file store
+        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal -e NETBIRD_STORE_ENGINE="jsonfile" --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/engine-testing.bin  -test.timeout 5m -test.parallel 1
+
+      - name: Run Engine tests in docker with sqlite store
+        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal -e NETBIRD_STORE_ENGINE="sqlite" --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/engine-testing.bin  -test.timeout 5m -test.parallel 1
+
+      - name: Run Peer tests in docker
+        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal/peer  --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/peer-testing.bin  -test.timeout 5m -test.parallel 1

.github/workflows/golangci-lint.yml

@@ -21,6 +21,7 @@ jobs:
         with:
           ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe
           skip: go.mod,go.sum
+          only_warn: 1
   golangci:
     strategy:
       fail-fast: false

.github/workflows/mobile-build-validation.yml

@@ -43,7 +43,7 @@ jobs:
       - name: gomobile init
         run: gomobile init
       - name: build android netbird lib
-        run: PATH=$PATH:$(go env GOPATH) gomobile bind -o $GITHUB_WORKSPACE/netbird.aar -javapkg=io.netbird.gomobile -ldflags="-checklinkname=0 -X golang.zx2c4.com/wireguard/ipc.socketDirectory=/data/data/io.netbird.client/cache/wireguard -X github.com/netbirdio/netbird/version.version=buildtest"  $GITHUB_WORKSPACE/client/android
+        run: PATH=$PATH:$(go env GOPATH) gomobile bind -o $GITHUB_WORKSPACE/netbird.aar -javapkg=io.netbird.gomobile -ldflags="-X golang.zx2c4.com/wireguard/ipc.socketDirectory=/data/data/io.netbird.client/cache/wireguard -X github.com/netbirdio/netbird/version.version=buildtest"  $GITHUB_WORKSPACE/client/android
         env:
           CGO_ENABLED: 0
           ANDROID_NDK_HOME: /usr/local/lib/android/sdk/ndk/23.1.7779620

.github/workflows/release.yml

@@ -9,7 +9,7 @@ on:
   pull_request:
 
 env:
-  SIGN_PIPE_VER: "v0.0.21"
+  SIGN_PIPE_VER: "v0.0.18"
   GORELEASER_VER: "v2.3.2"
   PRODUCT_NAME: "NetBird"
   COPYRIGHT: "NetBird GmbH"
@@ -65,13 +65,6 @@ jobs:
         with:
           username: ${{ secrets.DOCKER_USER }}
           password: ${{ secrets.DOCKER_TOKEN }}
-      - name: Log in to the GitHub container registry
-        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.CI_DOCKER_PUSH_GITHUB_TOKEN }}
       - name: Install OS build dependencies
         run: sudo apt update && sudo apt install -y -q gcc-arm-linux-gnueabihf gcc-aarch64-linux-gnu
 
@@ -231,17 +224,3 @@ jobs:
           ref: ${{ env.SIGN_PIPE_VER }}
           token: ${{ secrets.SIGN_GITHUB_TOKEN }}
           inputs: '{ "tag": "${{ github.ref }}", "skipRelease": false }'
-
-  post_on_forum:
-    runs-on: ubuntu-latest
-    continue-on-error: true
-    needs: [trigger_signer]
-    steps:
-      - uses: Codixer/discourse-topic-github-release-action@v2.0.1
-        with:
-          discourse-api-key: ${{ secrets.DISCOURSE_RELEASES_API_KEY }}
-          discourse-base-url: https://forum.netbird.io
-          discourse-author-username: NetBird
-          discourse-category: 17
-          discourse-tags:
-            releases          

.github/workflows/test-infrastructure-files.yml

@@ -134,7 +134,6 @@ jobs:
           NETBIRD_STORE_ENGINE_MYSQL_DSN: '${{ env.NETBIRD_STORE_ENGINE_MYSQL_DSN }}$'
           CI_NETBIRD_MGMT_IDP_SIGNKEY_REFRESH: false
           CI_NETBIRD_TURN_EXTERNAL_IP: "1.2.3.4"
-          CI_NETBIRD_MGMT_DISABLE_DEFAULT_POLICY: false
 
         run: |
           set -x
@@ -173,15 +172,13 @@ jobs:
           grep "NETBIRD_STORE_ENGINE_MYSQL_DSN=$NETBIRD_STORE_ENGINE_MYSQL_DSN" docker-compose.yml
           grep NETBIRD_STORE_ENGINE_POSTGRES_DSN docker-compose.yml | egrep "$NETBIRD_STORE_ENGINE_POSTGRES_DSN"
           # check relay values
-          grep "NB_EXPOSED_ADDRESS=rels://$CI_NETBIRD_DOMAIN:33445" docker-compose.yml
+          grep "NB_EXPOSED_ADDRESS=$CI_NETBIRD_DOMAIN:33445" docker-compose.yml
           grep "NB_LISTEN_ADDRESS=:33445" docker-compose.yml
           grep '33445:33445' docker-compose.yml
           grep -A 10 'relay:' docker-compose.yml | egrep 'NB_AUTH_SECRET=.+$'
-          grep -A 7 Relay management.json | grep "rels://$CI_NETBIRD_DOMAIN:33445"
+          grep -A 7 Relay management.json | grep "rel://$CI_NETBIRD_DOMAIN:33445"
           grep -A 7 Relay management.json | egrep '"Secret": ".+"'
           grep DisablePromptLogin management.json | grep 'true'
-          grep LoginFlag management.json | grep 0
-          grep DisableDefaultPolicy management.json | grep "$CI_NETBIRD_MGMT_DISABLE_DEFAULT_POLICY"
 
       - name: Install modules
         run: go mod tidy

.goreleaser.yaml

@@ -96,20 +96,6 @@ builds:
       - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
     mod_timestamp: "{{ .CommitTimestamp }}"
 
-  - id: netbird-upload
-    dir: upload-server
-    env: [CGO_ENABLED=0]
-    binary: netbird-upload
-    goos:
-      - linux
-    goarch:
-      - amd64
-      - arm64
-      - arm
-    ldflags:
-      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
-    mod_timestamp: "{{ .CommitTimestamp }}"
-
 universal_binaries:
   - id: netbird
 
@@ -149,7 +135,6 @@ nfpms:
 dockers:
   - image_templates:
       - netbirdio/netbird:{{ .Version }}-amd64
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-amd64
     ids:
       - netbird
     goarch: amd64
@@ -165,7 +150,6 @@ dockers:
       - "--label=maintainer=dev@netbird.io"
   - image_templates:
       - netbirdio/netbird:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm64v8
     ids:
       - netbird
     goarch: arm64
@@ -177,11 +161,10 @@ dockers:
       - "--label=org.opencontainers.image.title={{.ProjectName}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=maintainer=dev@netbird.io"
   - image_templates:
       - netbirdio/netbird:{{ .Version }}-arm
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm
     ids:
       - netbird
     goarch: arm
@@ -194,12 +177,11 @@ dockers:
       - "--label=org.opencontainers.image.title={{.ProjectName}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=maintainer=dev@netbird.io"
 
   - image_templates:
       - netbirdio/netbird:{{ .Version }}-rootless-amd64
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-amd64
     ids:
       - netbird
     goarch: amd64
@@ -211,11 +193,9 @@ dockers:
       - "--label=org.opencontainers.image.title={{.ProjectName}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
       - "--label=maintainer=dev@netbird.io"
   - image_templates:
       - netbirdio/netbird:{{ .Version }}-rootless-arm64v8
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-arm64v8
     ids:
       - netbird
     goarch: arm64
@@ -227,11 +207,9 @@ dockers:
       - "--label=org.opencontainers.image.title={{.ProjectName}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
       - "--label=maintainer=dev@netbird.io"
   - image_templates:
       - netbirdio/netbird:{{ .Version }}-rootless-arm
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-arm
     ids:
       - netbird
     goarch: arm
@@ -244,12 +222,10 @@ dockers:
       - "--label=org.opencontainers.image.title={{.ProjectName}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
       - "--label=maintainer=dev@netbird.io"
 
   - image_templates:
       - netbirdio/relay:{{ .Version }}-amd64
-      - ghcr.io/netbirdio/relay:{{ .Version }}-amd64
     ids:
       - netbird-relay
     goarch: amd64
@@ -261,11 +237,10 @@ dockers:
       - "--label=org.opencontainers.image.title={{.ProjectName}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=maintainer=dev@netbird.io"
   - image_templates:
       - netbirdio/relay:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/relay:{{ .Version }}-arm64v8
     ids:
       - netbird-relay
     goarch: arm64
@@ -277,11 +252,10 @@ dockers:
       - "--label=org.opencontainers.image.title={{.ProjectName}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=maintainer=dev@netbird.io"
   - image_templates:
       - netbirdio/relay:{{ .Version }}-arm
-      - ghcr.io/netbirdio/relay:{{ .Version }}-arm
     ids:
       - netbird-relay
     goarch: arm
@@ -294,11 +268,10 @@ dockers:
       - "--label=org.opencontainers.image.title={{.ProjectName}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=maintainer=dev@netbird.io"
   - image_templates:
       - netbirdio/signal:{{ .Version }}-amd64
-      - ghcr.io/netbirdio/signal:{{ .Version }}-amd64
     ids:
       - netbird-signal
     goarch: amd64
@@ -310,11 +283,10 @@ dockers:
       - "--label=org.opencontainers.image.title={{.ProjectName}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=maintainer=dev@netbird.io"
   - image_templates:
       - netbirdio/signal:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/signal:{{ .Version }}-arm64v8
     ids:
       - netbird-signal
     goarch: arm64
@@ -326,11 +298,10 @@ dockers:
       - "--label=org.opencontainers.image.title={{.ProjectName}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=maintainer=dev@netbird.io"
   - image_templates:
       - netbirdio/signal:{{ .Version }}-arm
-      - ghcr.io/netbirdio/signal:{{ .Version }}-arm
     ids:
       - netbird-signal
     goarch: arm
@@ -343,11 +314,10 @@ dockers:
       - "--label=org.opencontainers.image.title={{.ProjectName}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=maintainer=dev@netbird.io"
   - image_templates:
       - netbirdio/management:{{ .Version }}-amd64
-      - ghcr.io/netbirdio/management:{{ .Version }}-amd64
     ids:
       - netbird-mgmt
     goarch: amd64
@@ -359,11 +329,10 @@ dockers:
       - "--label=org.opencontainers.image.title={{.ProjectName}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=maintainer=dev@netbird.io"
   - image_templates:
       - netbirdio/management:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/management:{{ .Version }}-arm64v8
     ids:
       - netbird-mgmt
     goarch: arm64
@@ -375,11 +344,10 @@ dockers:
       - "--label=org.opencontainers.image.title={{.ProjectName}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=maintainer=dev@netbird.io"
   - image_templates:
       - netbirdio/management:{{ .Version }}-arm
-      - ghcr.io/netbirdio/management:{{ .Version }}-arm
     ids:
       - netbird-mgmt
     goarch: arm
@@ -392,11 +360,10 @@ dockers:
       - "--label=org.opencontainers.image.title={{.ProjectName}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=maintainer=dev@netbird.io"
   - image_templates:
       - netbirdio/management:{{ .Version }}-debug-amd64
-      - ghcr.io/netbirdio/management:{{ .Version }}-debug-amd64
     ids:
       - netbird-mgmt
     goarch: amd64
@@ -408,11 +375,10 @@ dockers:
       - "--label=org.opencontainers.image.title={{.ProjectName}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=maintainer=dev@netbird.io"
   - image_templates:
       - netbirdio/management:{{ .Version }}-debug-arm64v8
-      - ghcr.io/netbirdio/management:{{ .Version }}-debug-arm64v8
     ids:
       - netbird-mgmt
     goarch: arm64
@@ -424,12 +390,11 @@ dockers:
       - "--label=org.opencontainers.image.title={{.ProjectName}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=maintainer=dev@netbird.io"
 
   - image_templates:
       - netbirdio/management:{{ .Version }}-debug-arm
-      - ghcr.io/netbirdio/management:{{ .Version }}-debug-arm
     ids:
       - netbird-mgmt
     goarch: arm
@@ -442,56 +407,7 @@ dockers:
       - "--label=org.opencontainers.image.title={{.ProjectName}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/upload:{{ .Version }}-amd64
-      - ghcr.io/netbirdio/upload:{{ .Version }}-amd64
-    ids:
-      - netbird-upload
-    goarch: amd64
-    use: buildx
-    dockerfile: upload-server/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/amd64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/upload:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/upload:{{ .Version }}-arm64v8
-    ids:
-      - netbird-upload
-    goarch: arm64
-    use: buildx
-    dockerfile: upload-server/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/upload:{{ .Version }}-arm
-      - ghcr.io/netbirdio/upload:{{ .Version }}-arm
-    ids:
-      - netbird-upload
-    goarch: arm
-    goarm: 6
-    use: buildx
-    dockerfile: upload-server/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
       - "--label=maintainer=dev@netbird.io"
 docker_manifests:
   - name_template: netbirdio/netbird:{{ .Version }}
@@ -559,95 +475,7 @@ docker_manifests:
       - netbirdio/management:{{ .Version }}-debug-arm64v8
       - netbirdio/management:{{ .Version }}-debug-arm
       - netbirdio/management:{{ .Version }}-debug-amd64
-  - name_template: netbirdio/upload:{{ .Version }}
-    image_templates:
-      - netbirdio/upload:{{ .Version }}-arm64v8
-      - netbirdio/upload:{{ .Version }}-arm
-      - netbirdio/upload:{{ .Version }}-amd64
 
-  - name_template: netbirdio/upload:latest
-    image_templates:
-      - netbirdio/upload:{{ .Version }}-arm64v8
-      - netbirdio/upload:{{ .Version }}-arm
-      - netbirdio/upload:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/netbird:{{ .Version }}
-    image_templates:
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/netbird:latest
-    image_templates:
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/netbird:{{ .Version }}-rootless
-    image_templates:
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-arm64v8
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-arm
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-amd64
-
-  - name_template: ghcr.io/netbirdio/netbird:rootless-latest
-    image_templates:
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-arm64v8
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-arm
-      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-amd64
-
-  - name_template: ghcr.io/netbirdio/relay:{{ .Version }}
-    image_templates:
-      - ghcr.io/netbirdio/relay:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/relay:{{ .Version }}-arm
-      - ghcr.io/netbirdio/relay:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/relay:latest
-    image_templates:
-      - ghcr.io/netbirdio/relay:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/relay:{{ .Version }}-arm
-      - ghcr.io/netbirdio/relay:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/signal:{{ .Version }}
-    image_templates:
-      - ghcr.io/netbirdio/signal:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/signal:{{ .Version }}-arm
-      - ghcr.io/netbirdio/signal:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/signal:latest
-    image_templates:
-      - ghcr.io/netbirdio/signal:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/signal:{{ .Version }}-arm
-      - ghcr.io/netbirdio/signal:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/management:{{ .Version }}
-    image_templates:
-      - ghcr.io/netbirdio/management:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/management:{{ .Version }}-arm
-      - ghcr.io/netbirdio/management:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/management:latest
-    image_templates:
-      - ghcr.io/netbirdio/management:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/management:{{ .Version }}-arm
-      - ghcr.io/netbirdio/management:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/management:debug-latest
-    image_templates:
-      - ghcr.io/netbirdio/management:{{ .Version }}-debug-arm64v8
-      - ghcr.io/netbirdio/management:{{ .Version }}-debug-arm
-      - ghcr.io/netbirdio/management:{{ .Version }}-debug-amd64
-
-  - name_template: ghcr.io/netbirdio/upload:{{ .Version }}
-    image_templates:
-      - ghcr.io/netbirdio/upload:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/upload:{{ .Version }}-arm
-      - ghcr.io/netbirdio/upload:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/upload:latest
-    image_templates:
-      - ghcr.io/netbirdio/upload:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/upload:{{ .Version }}-arm
-      - ghcr.io/netbirdio/upload:{{ .Version }}-amd64
 brews:
   - ids:
       - default

README.md

@@ -12,11 +12,8 @@
        <img src="https://img.shields.io/badge/license-BSD--3-blue" />
      </a> 
     <br>
-    <a href="https://docs.netbird.io/slack-url">
+    <a href="https://join.slack.com/t/netbirdio/shared_invite/zt-31rofwmxc-27akKd0Le0vyRpBcwXkP0g">
         <img src="https://img.shields.io/badge/slack-@netbird-red.svg?logo=slack"/>
-     </a>
-    <a href="https://forum.netbird.io">
-        <img src="https://img.shields.io/badge/community forum-@netbird-red.svg?logo=discourse"/>
      </a>  
      <br>
     <a href="https://gurubase.io/g/netbird">
@@ -32,13 +29,13 @@
   <br/>
   See <a href="https://netbird.io/docs/">Documentation</a>
   <br/>
-   Join our <a href="https://docs.netbird.io/slack-url">Slack channel</a> or our <a href="https://forum.netbird.io">Community forum</a>
+   Join our <a href="https://join.slack.com/t/netbirdio/shared_invite/zt-31rofwmxc-27akKd0Le0vyRpBcwXkP0g">Slack channel</a>
   <br/>
  
 </strong>
 <br>
-<a href="https://registry.terraform.io/providers/netbirdio/netbird/latest">
-    New: NetBird terraform provider
+<a href="https://github.com/netbirdio/kubernetes-operator">
+    New: NetBird Kubernetes Operator
   </a> 
 </p>
 
@@ -50,9 +47,10 @@
 
 **Secure.** NetBird enables secure remote access by applying granular access policies while allowing you to manage them intuitively from a single place. Works universally on any infrastructure.
 
-### Open Source Network Security in a Single Platform
+### Open-Source Network Security in a Single Platform
 
-<img width="1188" alt="centralized-network-management 1" src="https://github.com/user-attachments/assets/c28cc8e4-15d2-4d2f-bb97-a6433db39d56" />
+
+![netbird_2](https://github.com/netbirdio/netbird/assets/700848/46bc3b73-508d-4a0e-bb9a-f465d68646ab)
 
 ### NetBird on Lawrence Systems (Video)
 [![Watch the video](https://img.youtube.com/vi/Kwrff6h0rEw/0.jpg)](https://www.youtube.com/watch?v=Kwrff6h0rEw)

client/Dockerfile

@@ -1,9 +1,5 @@
 FROM alpine:3.21.3
-# iproute2: busybox doesn't display ip rules properly
-RUN apk add --no-cache ca-certificates ip6tables iproute2 iptables
-
-ARG NETBIRD_BINARY=netbird
-COPY ${NETBIRD_BINARY} /usr/local/bin/netbird
-
+RUN apk add --no-cache ca-certificates iptables ip6tables
 ENV NB_FOREGROUND_MODE=true
 ENTRYPOINT [ "/usr/local/bin/netbird","up"]
+COPY netbird /usr/local/bin/netbird

client/Dockerfile-rootless

@@ -1,7 +1,6 @@
 FROM alpine:3.21.0
 
-ARG NETBIRD_BINARY=netbird
-COPY ${NETBIRD_BINARY} /usr/local/bin/netbird
+COPY netbird /usr/local/bin/netbird
 
 RUN apk add --no-cache ca-certificates \
     && adduser -D -h /var/lib/netbird netbird

client/android/client.go

@@ -59,14 +59,10 @@ type Client struct {
 	deviceName            string
 	uiVersion             string
 	networkChangeListener listener.NetworkChangeListener
-
-	connectClient *internal.ConnectClient
 }
 
 // NewClient instantiate a new Client
-func NewClient(cfgFile string, androidSDKVersion int, deviceName string, uiVersion string, tunAdapter TunAdapter, iFaceDiscover IFaceDiscover, networkChangeListener NetworkChangeListener) *Client {
-	execWorkaround(androidSDKVersion)
-
+func NewClient(cfgFile, deviceName string, uiVersion string, tunAdapter TunAdapter, iFaceDiscover IFaceDiscover, networkChangeListener NetworkChangeListener) *Client {
 	net.SetAndroidProtectSocketFn(tunAdapter.ProtectSocket)
 	return &Client{
 		cfgFile:               cfgFile,
@@ -110,8 +106,8 @@ func (c *Client) Run(urlOpener URLOpener, dns *DNSList, dnsReadyListener DnsRead
 
 	// todo do not throw error in case of cancelled context
 	ctx = internal.CtxInitState(ctx)
-	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder)
-	return c.connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, dns.items, dnsReadyListener)
+	connectClient := internal.NewConnectClient(ctx, cfg, c.recorder)
+	return connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, dns.items, dnsReadyListener)
 }
 
 // RunWithoutLogin we apply this type of run function when the backed has been started without UI (i.e. after reboot).
@@ -136,8 +132,8 @@ func (c *Client) RunWithoutLogin(dns *DNSList, dnsReadyListener DnsReadyListener
 
 	// todo do not throw error in case of cancelled context
 	ctx = internal.CtxInitState(ctx)
-	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder)
-	return c.connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, dns.items, dnsReadyListener)
+	connectClient := internal.NewConnectClient(ctx, cfg, c.recorder)
+	return connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, dns.items, dnsReadyListener)
 }
 
 // Stop the internal client and free the resources
@@ -178,55 +174,6 @@ func (c *Client) PeersList() *PeerInfoArray {
 	return &PeerInfoArray{items: peerInfos}
 }
 
-func (c *Client) Networks() *NetworkArray {
-	if c.connectClient == nil {
-		log.Error("not connected")
-		return nil
-	}
-
-	engine := c.connectClient.Engine()
-	if engine == nil {
-		log.Error("could not get engine")
-		return nil
-	}
-
-	routeManager := engine.GetRouteManager()
-	if routeManager == nil {
-		log.Error("could not get route manager")
-		return nil
-	}
-
-	networkArray := &NetworkArray{
-		items: make([]Network, 0),
-	}
-
-	for id, routes := range routeManager.GetClientRoutesWithNetID() {
-		if len(routes) == 0 {
-			continue
-		}
-
-		r := routes[0]
-		netStr := r.Network.String()
-		if r.IsDynamic() {
-			netStr = r.Domains.SafeString()
-		}
-
-		peer, err := c.recorder.GetPeer(routes[0].Peer)
-		if err != nil {
-			log.Errorf("could not get peer info for %s: %v", routes[0].Peer, err)
-			continue
-		}
-		network := Network{
-			Name:    string(id),
-			Network: netStr,
-			Peer:    peer.FQDN,
-			Status:  peer.ConnStatus.String(),
-		}
-		networkArray.Add(network)
-	}
-	return networkArray
-}
-
 // OnUpdatedHostDNS update the DNS servers addresses for root zones
 func (c *Client) OnUpdatedHostDNS(list *DNSList) error {
 	dnsServer, err := dns.GetServerDns()

client/android/exec.go

@@ -1,26 +0,0 @@
-//go:build android
-
-package android
-
-import (
-	"fmt"
-	_ "unsafe"
-)
-
-// https://github.com/golang/go/pull/69543/commits/aad6b3b32c81795f86bc4a9e81aad94899daf520
-// In Android version 11 and earlier, pidfd-related system calls
-// are not allowed by the seccomp policy, which causes crashes due
-// to SIGSYS signals.
-
-//go:linkname checkPidfdOnce os.checkPidfdOnce
-var checkPidfdOnce func() error
-
-func execWorkaround(androidSDKVersion int) {
-	if androidSDKVersion > 30 { // above Android 11
-		return
-	}
-
-	checkPidfdOnce = func() error {
-		return fmt.Errorf("unsupported Android version")
-	}
-}

client/android/networks.go

@@ -1,27 +0,0 @@
-//go:build android
-
-package android
-
-type Network struct {
-	Name    string
-	Network string
-	Peer    string
-	Status  string
-}
-
-type NetworkArray struct {
-	items []Network
-}
-
-func (array *NetworkArray) Add(s Network) *NetworkArray {
-	array.items = append(array.items, s)
-	return array
-}
-
-func (array *NetworkArray) Get(i int) *Network {
-	return &array.items[i]
-}
-
-func (array *NetworkArray) Size() int {
-	return len(array.items)
-}

client/android/peer_notifier.go

@@ -7,23 +7,30 @@ type PeerInfo struct {
 	ConnStatus string // Todo replace to enum
 }
 
-// PeerInfoArray is a wrapper of []PeerInfo
+// PeerInfoCollection made for Java layer to get non default types as collection
+type PeerInfoCollection interface {
+	Add(s string) PeerInfoCollection
+	Get(i int) string
+	Size() int
+}
+
+// PeerInfoArray is the implementation of the PeerInfoCollection
 type PeerInfoArray struct {
 	items []PeerInfo
 }
 
 // Add new PeerInfo to the collection
-func (array *PeerInfoArray) Add(s PeerInfo) *PeerInfoArray {
+func (array PeerInfoArray) Add(s PeerInfo) PeerInfoArray {
 	array.items = append(array.items, s)
 	return array
 }
 
 // Get return an element of the collection
-func (array *PeerInfoArray) Get(i int) *PeerInfo {
+func (array PeerInfoArray) Get(i int) *PeerInfo {
 	return &array.items[i]
 }
 
 // Size return with the size of the collection
-func (array *PeerInfoArray) Size() int {
+func (array PeerInfoArray) Size() int {
 	return len(array.items)
 }

client/android/preferences.go

@@ -4,12 +4,12 @@ import (
 	"github.com/netbirdio/netbird/client/internal"
 )
 
-// Preferences exports a subset of the internal config for gomobile
+// Preferences export a subset of the internal config for gomobile
 type Preferences struct {
 	configInput internal.ConfigInput
 }
 
-// NewPreferences creates a new Preferences instance
+// NewPreferences create new Preferences instance
 func NewPreferences(configPath string) *Preferences {
 	ci := internal.ConfigInput{
 		ConfigPath: configPath,
@@ -17,7 +17,7 @@ func NewPreferences(configPath string) *Preferences {
 	return &Preferences{ci}
 }
 
-// GetManagementURL reads URL from config file
+// GetManagementURL read url from config file
 func (p *Preferences) GetManagementURL() (string, error) {
 	if p.configInput.ManagementURL != "" {
 		return p.configInput.ManagementURL, nil
@@ -30,12 +30,12 @@ func (p *Preferences) GetManagementURL() (string, error) {
 	return cfg.ManagementURL.String(), err
 }
 
-// SetManagementURL stores the given URL and waits for commit
+// SetManagementURL store the given url and wait for commit
 func (p *Preferences) SetManagementURL(url string) {
 	p.configInput.ManagementURL = url
 }
 
-// GetAdminURL reads URL from config file
+// GetAdminURL read url from config file
 func (p *Preferences) GetAdminURL() (string, error) {
 	if p.configInput.AdminURL != "" {
 		return p.configInput.AdminURL, nil
@@ -48,12 +48,12 @@ func (p *Preferences) GetAdminURL() (string, error) {
 	return cfg.AdminURL.String(), err
 }
 
-// SetAdminURL stores the given URL and waits for commit
+// SetAdminURL store the given url and wait for commit
 func (p *Preferences) SetAdminURL(url string) {
 	p.configInput.AdminURL = url
 }
 
-// GetPreSharedKey reads pre-shared key from config file
+// GetPreSharedKey read preshared key from config file
 func (p *Preferences) GetPreSharedKey() (string, error) {
 	if p.configInput.PreSharedKey != nil {
 		return *p.configInput.PreSharedKey, nil
@@ -66,160 +66,12 @@ func (p *Preferences) GetPreSharedKey() (string, error) {
 	return cfg.PreSharedKey, err
 }
 
-// SetPreSharedKey stores the given key and waits for commit
+// SetPreSharedKey store the given key and wait for commit
 func (p *Preferences) SetPreSharedKey(key string) {
 	p.configInput.PreSharedKey = &key
 }
 
-// SetRosenpassEnabled stores whether Rosenpass is enabled
-func (p *Preferences) SetRosenpassEnabled(enabled bool) {
-	p.configInput.RosenpassEnabled = &enabled
-}
-
-// GetRosenpassEnabled reads Rosenpass enabled status from config file
-func (p *Preferences) GetRosenpassEnabled() (bool, error) {
-	if p.configInput.RosenpassEnabled != nil {
-		return *p.configInput.RosenpassEnabled, nil
-	}
-
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
-	if err != nil {
-		return false, err
-	}
-	return cfg.RosenpassEnabled, err
-}
-
-// SetRosenpassPermissive stores the given permissive setting and waits for commit
-func (p *Preferences) SetRosenpassPermissive(permissive bool) {
-	p.configInput.RosenpassPermissive = &permissive
-}
-
-// GetRosenpassPermissive reads Rosenpass permissive setting from config file
-func (p *Preferences) GetRosenpassPermissive() (bool, error) {
-	if p.configInput.RosenpassPermissive != nil {
-		return *p.configInput.RosenpassPermissive, nil
-	}
-
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
-	if err != nil {
-		return false, err
-	}
-	return cfg.RosenpassPermissive, err
-}
-
-// GetDisableClientRoutes reads disable client routes setting from config file
-func (p *Preferences) GetDisableClientRoutes() (bool, error) {
-	if p.configInput.DisableClientRoutes != nil {
-		return *p.configInput.DisableClientRoutes, nil
-	}
-
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
-	if err != nil {
-		return false, err
-	}
-	return cfg.DisableClientRoutes, err
-}
-
-// SetDisableClientRoutes stores the given value and waits for commit
-func (p *Preferences) SetDisableClientRoutes(disable bool) {
-	p.configInput.DisableClientRoutes = &disable
-}
-
-// GetDisableServerRoutes reads disable server routes setting from config file
-func (p *Preferences) GetDisableServerRoutes() (bool, error) {
-	if p.configInput.DisableServerRoutes != nil {
-		return *p.configInput.DisableServerRoutes, nil
-	}
-
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
-	if err != nil {
-		return false, err
-	}
-	return cfg.DisableServerRoutes, err
-}
-
-// SetDisableServerRoutes stores the given value and waits for commit
-func (p *Preferences) SetDisableServerRoutes(disable bool) {
-	p.configInput.DisableServerRoutes = &disable
-}
-
-// GetDisableDNS reads disable DNS setting from config file
-func (p *Preferences) GetDisableDNS() (bool, error) {
-	if p.configInput.DisableDNS != nil {
-		return *p.configInput.DisableDNS, nil
-	}
-
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
-	if err != nil {
-		return false, err
-	}
-	return cfg.DisableDNS, err
-}
-
-// SetDisableDNS stores the given value and waits for commit
-func (p *Preferences) SetDisableDNS(disable bool) {
-	p.configInput.DisableDNS = &disable
-}
-
-// GetDisableFirewall reads disable firewall setting from config file
-func (p *Preferences) GetDisableFirewall() (bool, error) {
-	if p.configInput.DisableFirewall != nil {
-		return *p.configInput.DisableFirewall, nil
-	}
-
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
-	if err != nil {
-		return false, err
-	}
-	return cfg.DisableFirewall, err
-}
-
-// SetDisableFirewall stores the given value and waits for commit
-func (p *Preferences) SetDisableFirewall(disable bool) {
-	p.configInput.DisableFirewall = &disable
-}
-
-// GetServerSSHAllowed reads server SSH allowed setting from config file
-func (p *Preferences) GetServerSSHAllowed() (bool, error) {
-	if p.configInput.ServerSSHAllowed != nil {
-		return *p.configInput.ServerSSHAllowed, nil
-	}
-
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
-	if err != nil {
-		return false, err
-	}
-	if cfg.ServerSSHAllowed == nil {
-		// Default to false for security on Android
-		return false, nil
-	}
-	return *cfg.ServerSSHAllowed, err
-}
-
-// SetServerSSHAllowed stores the given value and waits for commit
-func (p *Preferences) SetServerSSHAllowed(allowed bool) {
-	p.configInput.ServerSSHAllowed = &allowed
-}
-
-// GetBlockInbound reads block inbound setting from config file
-func (p *Preferences) GetBlockInbound() (bool, error) {
-	if p.configInput.BlockInbound != nil {
-		return *p.configInput.BlockInbound, nil
-	}
-
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
-	if err != nil {
-		return false, err
-	}
-	return cfg.BlockInbound, err
-}
-
-// SetBlockInbound stores the given value and waits for commit
-func (p *Preferences) SetBlockInbound(block bool) {
-	p.configInput.BlockInbound = &block
-}
-
-// Commit writes out the changes to the config file
+// Commit write out the changes into config file
 func (p *Preferences) Commit() error {
 	_, err := internal.UpdateOrCreateConfig(p.configInput)
 	return err

client/anonymize/anonymize.go

@@ -69,22 +69,6 @@ func (a *Anonymizer) AnonymizeIP(ip netip.Addr) netip.Addr {
 	return a.ipAnonymizer[ip]
 }
 
-func (a *Anonymizer) AnonymizeUDPAddr(addr net.UDPAddr) net.UDPAddr {
-	// Convert IP to netip.Addr
-	ip, ok := netip.AddrFromSlice(addr.IP)
-	if !ok {
-		return addr
-	}
-
-	anonIP := a.AnonymizeIP(ip)
-
-	return net.UDPAddr{
-		IP:   anonIP.AsSlice(),
-		Port: addr.Port,
-		Zone: addr.Zone,
-	}
-}
-
 // isInAnonymizedRange checks if an IP is within the range of already assigned anonymized IPs
 func (a *Anonymizer) isInAnonymizedRange(ip netip.Addr) bool {
 	if ip.Is4() && ip.Compare(a.startAnonIPv4) >= 0 && ip.Compare(a.currentAnonIPv4) <= 0 {

client/cmd/debug.go

@@ -17,18 +17,10 @@ import (
 	"github.com/netbirdio/netbird/client/server"
 	nbstatus "github.com/netbirdio/netbird/client/status"
 	mgmProto "github.com/netbirdio/netbird/management/proto"
-	"github.com/netbirdio/netbird/upload-server/types"
 )
 
 const errCloseConnection = "Failed to close connection: %v"
 
-var (
-	logFileCount        uint32
-	systemInfoFlag      bool
-	uploadBundleFlag    bool
-	uploadBundleURLFlag string
-)
-
 var debugCmd = &cobra.Command{
 	Use:   "debug",
 	Short: "Debugging commands",
@@ -95,28 +87,16 @@ func debugBundle(cmd *cobra.Command, _ []string) error {
 	}()
 
 	client := proto.NewDaemonServiceClient(conn)
-	request := &proto.DebugBundleRequest{
-		Anonymize:    anonymizeFlag,
-		Status:       getStatusOutput(cmd, anonymizeFlag),
-		SystemInfo:   systemInfoFlag,
-		LogFileCount: logFileCount,
-	}
-	if uploadBundleFlag {
-		request.UploadURL = uploadBundleURLFlag
-	}
-	resp, err := client.DebugBundle(cmd.Context(), request)
+	resp, err := client.DebugBundle(cmd.Context(), &proto.DebugBundleRequest{
+		Anonymize:  anonymizeFlag,
+		Status:     getStatusOutput(cmd, anonymizeFlag),
+		SystemInfo: debugSystemInfoFlag,
+	})
 	if err != nil {
 		return fmt.Errorf("failed to bundle debug: %v", status.Convert(err).Message())
 	}
-	cmd.Printf("Local file:\n%s\n", resp.GetPath())
 
-	if resp.GetUploadFailureReason() != "" {
-		return fmt.Errorf("upload failed: %s", resp.GetUploadFailureReason())
-	}
-
-	if uploadBundleFlag {
-		cmd.Printf("Upload file key:\n%s\n", resp.GetUploadedKey())
-	}
+	cmd.Println(resp.GetPath())
 
 	return nil
 }
@@ -231,20 +211,23 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 
 	headerPreDown := fmt.Sprintf("----- Netbird pre-down - Timestamp: %s - Duration: %s", time.Now().Format(time.RFC3339), duration)
 	statusOutput = fmt.Sprintf("%s\n%s\n%s", statusOutput, headerPreDown, getStatusOutput(cmd, anonymizeFlag))
-	request := &proto.DebugBundleRequest{
-		Anonymize:    anonymizeFlag,
-		Status:       statusOutput,
-		SystemInfo:   systemInfoFlag,
-		LogFileCount: logFileCount,
-	}
-	if uploadBundleFlag {
-		request.UploadURL = uploadBundleURLFlag
-	}
-	resp, err := client.DebugBundle(cmd.Context(), request)
+
+	resp, err := client.DebugBundle(cmd.Context(), &proto.DebugBundleRequest{
+		Anonymize:  anonymizeFlag,
+		Status:     statusOutput,
+		SystemInfo: debugSystemInfoFlag,
+	})
 	if err != nil {
 		return fmt.Errorf("failed to bundle debug: %v", status.Convert(err).Message())
 	}
 
+	// Disable network map persistence after creating the debug bundle
+	if _, err := client.SetNetworkMapPersistence(cmd.Context(), &proto.SetNetworkMapPersistenceRequest{
+		Enabled: false,
+	}); err != nil {
+		return fmt.Errorf("failed to disable network map persistence: %v", status.Convert(err).Message())
+	}
+
 	if stateWasDown {
 		if _, err := client.Down(cmd.Context(), &proto.DownRequest{}); err != nil {
 			return fmt.Errorf("failed to down: %v", status.Convert(err).Message())
@@ -259,15 +242,7 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 		cmd.Println("Log level restored to", initialLogLevel.GetLevel())
 	}
 
-	cmd.Printf("Local file:\n%s\n", resp.GetPath())
-
-	if resp.GetUploadFailureReason() != "" {
-		return fmt.Errorf("upload failed: %s", resp.GetUploadFailureReason())
-	}
-
-	if uploadBundleFlag {
-		cmd.Printf("Upload file key:\n%s\n", resp.GetUploadedKey())
-	}
+	cmd.Println(resp.GetPath())
 
 	return nil
 }
@@ -307,7 +282,7 @@ func getStatusOutput(cmd *cobra.Command, anon bool) string {
 		cmd.PrintErrf("Failed to get status: %v\n", err)
 	} else {
 		statusOutputString = nbstatus.ParseToFullDetailSummary(
-			nbstatus.ConvertToStatusOutputOverview(statusResp, anon, "", nil, nil, nil, ""),
+			nbstatus.ConvertToStatusOutputOverview(statusResp, anon, "", nil, nil, nil),
 		)
 	}
 	return statusOutputString
@@ -385,15 +360,3 @@ func generateDebugBundle(config *internal.Config, recorder *peer.Status, connect
 	}
 	log.Infof("Generated debug bundle from SIGUSR1 at: %s", path)
 }
-
-func init() {
-	debugBundleCmd.Flags().Uint32VarP(&logFileCount, "log-file-count", "C", 1, "Number of rotated log files to include in debug bundle")
-	debugBundleCmd.Flags().BoolVarP(&systemInfoFlag, "system-info", "S", true, "Adds system information to the debug bundle")
-	debugBundleCmd.Flags().BoolVarP(&uploadBundleFlag, "upload-bundle", "U", false, "Uploads the debug bundle to a server")
-	debugBundleCmd.Flags().StringVar(&uploadBundleURLFlag, "upload-bundle-url", types.DefaultBundleURL, "Service URL to get an URL to upload the debug bundle")
-
-	forCmd.Flags().Uint32VarP(&logFileCount, "log-file-count", "C", 1, "Number of rotated log files to include in debug bundle")
-	forCmd.Flags().BoolVarP(&systemInfoFlag, "system-info", "S", true, "Adds system information to the debug bundle")
-	forCmd.Flags().BoolVarP(&uploadBundleFlag, "upload-bundle", "U", false, "Uploads the debug bundle to a server")
-	forCmd.Flags().StringVar(&uploadBundleURLFlag, "upload-bundle-url", types.DefaultBundleURL, "Service URL to get an URL to upload the debug bundle")
-}

client/cmd/login.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"fmt"
 	"os"
-	"runtime"
 	"strings"
 	"time"
 
@@ -56,9 +55,6 @@ var loginCmd = &cobra.Command{
 				return err
 			}
 
-			// update host's static platform and system information
-			system.UpdateStaticInfo()
-
 			ic := internal.ConfigInput{
 				ManagementURL: managementURL,
 				AdminURL:      adminURL,
@@ -99,11 +95,11 @@ var loginCmd = &cobra.Command{
 		}
 
 		loginRequest := proto.LoginRequest{
-			SetupKey:            providedSetupKey,
-			ManagementUrl:       managementURL,
-			IsUnixDesktopClient: isUnixRunningDesktop(),
-			Hostname:            hostName,
-			DnsLabels:           dnsLabelsReq,
+			SetupKey:             providedSetupKey,
+			ManagementUrl:        managementURL,
+			IsLinuxDesktopClient: isLinuxRunningDesktop(),
+			Hostname:             hostName,
+			DnsLabels:            dnsLabelsReq,
 		}
 
 		if rootCmd.PersistentFlags().Changed(preSharedKeyFlag) {
@@ -196,7 +192,7 @@ func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *internal.C
 }
 
 func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *internal.Config) (*auth.TokenInfo, error) {
-	oAuthFlow, err := auth.NewOAuthFlow(ctx, config, isUnixRunningDesktop())
+	oAuthFlow, err := auth.NewOAuthFlow(ctx, config, isLinuxRunningDesktop())
 	if err != nil {
 		return nil, err
 	}
@@ -244,10 +240,7 @@ func openURL(cmd *cobra.Command, verificationURIComplete, userCode string, noBro
 	}
 }
 
-// isUnixRunningDesktop checks if a Linux OS is running desktop environment
-func isUnixRunningDesktop() bool {
-	if runtime.GOOS != "linux" && runtime.GOOS != "freebsd" {
-		return false
-	}
+// isLinuxRunningDesktop checks if a Linux OS is running desktop environment
+func isLinuxRunningDesktop() bool {
 	return os.Getenv("DESKTOP_SESSION") != "" || os.Getenv("XDG_CURRENT_DESKTOP") != ""
 }

client/cmd/root.go

@@ -25,19 +25,20 @@ import (
 )
 
 const (
-	externalIPMapFlag        = "external-ip-map"
-	dnsResolverAddress       = "dns-resolver-address"
-	enableRosenpassFlag      = "enable-rosenpass"
-	rosenpassPermissiveFlag  = "rosenpass-permissive"
-	preSharedKeyFlag         = "preshared-key"
-	interfaceNameFlag        = "interface-name"
-	wireguardPortFlag        = "wireguard-port"
-	networkMonitorFlag       = "network-monitor"
-	disableAutoConnectFlag   = "disable-auto-connect"
-	serverSSHAllowedFlag     = "allow-server-ssh"
-	extraIFaceBlackListFlag  = "extra-iface-blacklist"
-	dnsRouteIntervalFlag     = "dns-router-interval"
-	enableLazyConnectionFlag = "enable-lazy-connection"
+	externalIPMapFlag       = "external-ip-map"
+	dnsResolverAddress      = "dns-resolver-address"
+	enableRosenpassFlag     = "enable-rosenpass"
+	rosenpassPermissiveFlag = "rosenpass-permissive"
+	preSharedKeyFlag        = "preshared-key"
+	interfaceNameFlag       = "interface-name"
+	wireguardPortFlag       = "wireguard-port"
+	networkMonitorFlag      = "network-monitor"
+	disableAutoConnectFlag  = "disable-auto-connect"
+	serverSSHAllowedFlag    = "allow-server-ssh"
+	extraIFaceBlackListFlag = "extra-iface-blacklist"
+	dnsRouteIntervalFlag    = "dns-router-interval"
+	systemInfoFlag          = "system-info"
+	blockLANAccessFlag      = "block-lan-access"
 )
 
 var (
@@ -71,8 +72,9 @@ var (
 	autoConnectDisabled     bool
 	extraIFaceBlackList     []string
 	anonymizeFlag           bool
+	debugSystemInfoFlag     bool
 	dnsRouteInterval        time.Duration
-	lazyConnEnabled         bool
+	blockLANAccess          bool
 
 	rootCmd = &cobra.Command{
 		Use:          "netbird",
@@ -177,8 +179,8 @@ func init() {
 	upCmd.PersistentFlags().BoolVar(&rosenpassPermissive, rosenpassPermissiveFlag, false, "[Experimental] Enable Rosenpass in permissive mode to allow this peer to accept WireGuard connections without requiring Rosenpass functionality from peers that do not have Rosenpass enabled.")
 	upCmd.PersistentFlags().BoolVar(&serverSSHAllowed, serverSSHAllowedFlag, false, "Allow SSH server on peer. If enabled, the SSH server will be permitted")
 	upCmd.PersistentFlags().BoolVar(&autoConnectDisabled, disableAutoConnectFlag, false, "Disables auto-connect feature. If enabled, then the client won't connect automatically when the service starts.")
-	upCmd.PersistentFlags().BoolVar(&lazyConnEnabled, enableLazyConnectionFlag, false, "[Experimental] Enable the lazy connection feature. If enabled, the client will establish connections on-demand. Note: this setting may be overridden by management configuration.")
 
+	debugCmd.PersistentFlags().BoolVarP(&debugSystemInfoFlag, systemInfoFlag, "S", true, "Adds system information to the debug bundle")
 }
 
 // SetupCloseHandler handles SIGTERM signal and exits with success

client/cmd/service.go

@@ -2,7 +2,6 @@ package cmd
 
 import (
 	"context"
-	"runtime"
 	"sync"
 
 	"github.com/kardianos/service"
@@ -28,19 +27,12 @@ func newProgram(ctx context.Context, cancel context.CancelFunc) *program {
 }
 
 func newSVCConfig() *service.Config {
-	config := &service.Config{
+	return &service.Config{
 		Name:        serviceName,
 		DisplayName: "Netbird",
-		Description: "Netbird mesh network client",
+		Description: "A WireGuard-based mesh network that connects your devices into a single private network.",
 		Option:      make(service.KeyValue),
-		EnvVars:     make(map[string]string),
 	}
-
-	if runtime.GOOS == "linux" {
-		config.EnvVars["SYSTEMD_UNIT"] = serviceName
-	}
-
-	return config
 }
 
 func newSVC(prg *program, conf *service.Config) (service.Service, error) {

client/cmd/service_controller.go

@@ -16,17 +16,12 @@ import (
 
 	"github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/client/server"
-	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/util"
 )
 
 func (p *program) Start(svc service.Service) error {
 	// Start should not block. Do the actual work async.
 	log.Info("starting Netbird service") //nolint
-
-	// Collect static system and platform information
-	system.UpdateStaticInfo()
-
 	// in any case, even if configuration does not exists we run daemon to serve CLI gRPC API.
 	p.serv = grpc.NewServer()
 

client/cmd/service_installer.go

@@ -39,7 +39,7 @@ var installCmd = &cobra.Command{
 			svcConfig.Arguments = append(svcConfig.Arguments, "--management-url", managementURL)
 		}
 
-		if logFile != "" {
+		if logFile != "console" {
 			svcConfig.Arguments = append(svcConfig.Arguments, "--log-file", logFile)
 		}
 

client/cmd/status.go

@@ -26,7 +26,6 @@ var (
 	statusFilter         string
 	ipsFilterMap         map[string]struct{}
 	prefixNamesFilterMap map[string]struct{}
-	connectionTypeFilter string
 )
 
 var statusCmd = &cobra.Command{
@@ -45,8 +44,7 @@ func init() {
 	statusCmd.MarkFlagsMutuallyExclusive("detail", "json", "yaml", "ipv4")
 	statusCmd.PersistentFlags().StringSliceVar(&ipsFilter, "filter-by-ips", []string{}, "filters the detailed output by a list of one or more IPs, e.g., --filter-by-ips 100.64.0.100,100.64.0.200")
 	statusCmd.PersistentFlags().StringSliceVar(&prefixNamesFilter, "filter-by-names", []string{}, "filters the detailed output by a list of one or more peer FQDN or hostnames, e.g., --filter-by-names peer-a,peer-b.netbird.cloud")
-	statusCmd.PersistentFlags().StringVar(&statusFilter, "filter-by-status", "", "filters the detailed output by connection status(idle|connecting|connected), e.g., --filter-by-status connected")
-	statusCmd.PersistentFlags().StringVar(&connectionTypeFilter, "filter-by-connection-type", "", "filters the detailed output by connection type (P2P|Relayed), e.g., --filter-by-connection-type P2P")
+	statusCmd.PersistentFlags().StringVar(&statusFilter, "filter-by-status", "", "filters the detailed output by connection status(connected|disconnected), e.g., --filter-by-status connected")
 }
 
 func statusFunc(cmd *cobra.Command, args []string) error {
@@ -71,10 +69,7 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	status := resp.GetStatus()
-
-	if status == string(internal.StatusNeedsLogin) || status == string(internal.StatusLoginFailed) ||
-		status == string(internal.StatusSessionExpired) {
+	if resp.GetStatus() == string(internal.StatusNeedsLogin) || resp.GetStatus() == string(internal.StatusLoginFailed) {
 		cmd.Printf("Daemon status: %s\n\n"+
 			"Run UP command to log in with SSO (interactive login):\n\n"+
 			" netbird up \n\n"+
@@ -91,7 +86,7 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 		return nil
 	}
 
-	var outputInformationHolder = nbstatus.ConvertToStatusOutputOverview(resp, anonymizeFlag, statusFilter, prefixNamesFilter, prefixNamesFilterMap, ipsFilterMap, connectionTypeFilter)
+	var outputInformationHolder = nbstatus.ConvertToStatusOutputOverview(resp, anonymizeFlag, statusFilter, prefixNamesFilter, prefixNamesFilterMap, ipsFilterMap)
 	var statusOutputString string
 	switch {
 	case detailFlag:
@@ -122,7 +117,7 @@ func getStatus(ctx context.Context) (*proto.StatusResponse, error) {
 	}
 	defer conn.Close()
 
-	resp, err := proto.NewDaemonServiceClient(conn).Status(ctx, &proto.StatusRequest{GetFullPeerStatus: true, ShouldRunProbes: true})
+	resp, err := proto.NewDaemonServiceClient(conn).Status(ctx, &proto.StatusRequest{GetFullPeerStatus: true})
 	if err != nil {
 		return nil, fmt.Errorf("status failed: %v", status.Convert(err).Message())
 	}
@@ -132,12 +127,12 @@ func getStatus(ctx context.Context) (*proto.StatusResponse, error) {
 
 func parseFilters() error {
 	switch strings.ToLower(statusFilter) {
-	case "", "idle", "connecting", "connected":
+	case "", "disconnected", "connected":
 		if strings.ToLower(statusFilter) != "" {
 			enableDetailFlagWhenFilterFlag()
 		}
 	default:
-		return fmt.Errorf("wrong status filter, should be one of connected|connecting|idle, got: %s", statusFilter)
+		return fmt.Errorf("wrong status filter, should be one of connected|disconnected, got: %s", statusFilter)
 	}
 
 	if len(ipsFilter) > 0 {
@@ -158,15 +153,6 @@ func parseFilters() error {
 		enableDetailFlagWhenFilterFlag()
 	}
 
-	switch strings.ToLower(connectionTypeFilter) {
-	case "", "p2p", "relayed":
-		if strings.ToLower(connectionTypeFilter) != "" {
-			enableDetailFlagWhenFilterFlag()
-		}
-	default:
-		return fmt.Errorf("wrong connection-type filter, should be one of P2P|Relayed, got: %s", connectionTypeFilter)
-	}
-
 	return nil
 }
 

client/cmd/system.go

@@ -6,8 +6,6 @@ const (
 	disableServerRoutesFlag = "disable-server-routes"
 	disableDNSFlag          = "disable-dns"
 	disableFirewallFlag     = "disable-firewall"
-	blockLANAccessFlag      = "block-lan-access"
-	blockInboundFlag        = "block-inbound"
 )
 
 var (
@@ -15,8 +13,6 @@ var (
 	disableServerRoutes bool
 	disableDNS          bool
 	disableFirewall     bool
-	blockLANAccess      bool
-	blockInbound        bool
 )
 
 func init() {
@@ -32,11 +28,4 @@ func init() {
 
 	upCmd.PersistentFlags().BoolVar(&disableFirewall, disableFirewallFlag, false,
 		"Disable firewall configuration. If enabled, the client won't modify firewall rules.")
-
-	upCmd.PersistentFlags().BoolVar(&blockLANAccess, blockLANAccessFlag, false,
-		"Block access to local networks (LAN) when using this peer as a router or exit node")
-
-	upCmd.PersistentFlags().BoolVar(&blockInbound, blockInboundFlag, false,
-		"Block inbound connections. If enabled, the client will not allow any inbound connections to the local machine nor routed networks.\n"+
-			"This overrides any policies received from the management service.")
 }

client/cmd/testutil_test.go

@@ -98,18 +98,13 @@ func startManagement(t *testing.T, config *types.Config, testFile string) (*grpc
 	settingsMockManager := settings.NewMockManager(ctrl)
 	permissionsManagerMock := permissions.NewMockManager(ctrl)
 
-	settingsMockManager.EXPECT().
-		GetSettings(gomock.Any(), gomock.Any(), gomock.Any()).
-		Return(&types.Settings{}, nil).
-		AnyTimes()
-
-	accountManager, err := mgmt.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, iv, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false)
+	accountManager, err := mgmt.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, iv, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock)
 	if err != nil {
 		t.Fatal(err)
 	}
 
 	secretsManager := mgmt.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsMockManager)
-	mgmtServer, err := mgmt.NewServer(context.Background(), config, accountManager, settingsMockManager, peersUpdateManager, secretsManager, nil, nil, nil, &mgmt.MockIntegratedValidator{})
+	mgmtServer, err := mgmt.NewServer(context.Background(), config, accountManager, settingsMockManager, peersUpdateManager, secretsManager, nil, nil, nil)
 	if err != nil {
 		t.Fatal(err)
 	}

client/cmd/trace.go

@@ -17,7 +17,7 @@ var traceCmd = &cobra.Command{
 	Example: `
   netbird debug trace in 192.168.1.10 10.10.0.2 -p tcp --sport 12345 --dport 443 --syn --ack
   netbird debug trace out 10.10.0.1 8.8.8.8 -p udp  --dport 53
-  netbird debug trace in 10.10.0.2 10.10.0.1 -p icmp --icmp-type 8 --icmp-code 0
+  netbird debug trace in 10.10.0.2 10.10.0.1 -p icmp --type 8 --code 0
   netbird debug trace in 100.64.1.1 self -p tcp --dport 80`,
 	Args: cobra.ExactArgs(3),
 	RunE: tracePacket,
@@ -118,7 +118,7 @@ func tracePacket(cmd *cobra.Command, args []string) error {
 }
 
 func printTrace(cmd *cobra.Command, src, dst, proto string, sport, dport uint16, resp *proto.TracePacketResponse) {
-	cmd.Printf("Packet trace %s:%d → %s:%d (%s)\n\n", src, sport, dst, dport, strings.ToUpper(proto))
+	cmd.Printf("Packet trace %s:%d -> %s:%d (%s)\n\n", src, sport, dst, dport, strings.ToUpper(proto))
 
 	for _, stage := range resp.Stages {
 		if stage.ForwardingDetails != nil {

client/cmd/up.go

@@ -55,11 +55,12 @@ func init() {
 	upCmd.PersistentFlags().StringVar(&interfaceName, interfaceNameFlag, iface.WgInterfaceDefault, "Wireguard interface name")
 	upCmd.PersistentFlags().Uint16Var(&wireguardPort, wireguardPortFlag, iface.DefaultWgPort, "Wireguard interface listening port")
 	upCmd.PersistentFlags().BoolVarP(&networkMonitor, networkMonitorFlag, "N", networkMonitor,
-		`Manage network monitoring. Defaults to true on Windows and macOS, false on Linux and FreeBSD. `+
+		`Manage network monitoring. Defaults to true on Windows and macOS, false on Linux. `+
 			`E.g. --network-monitor=false to disable or --network-monitor=true to enable.`,
 	)
 	upCmd.PersistentFlags().StringSliceVar(&extraIFaceBlackList, extraIFaceBlackListFlag, nil, "Extra list of default interfaces to ignore for listening")
 	upCmd.PersistentFlags().DurationVar(&dnsRouteInterval, dnsRouteIntervalFlag, time.Minute, "DNS route update interval")
+	upCmd.PersistentFlags().BoolVar(&blockLANAccess, blockLANAccessFlag, false, "Block access to local networks (LAN) when using this peer as a router or exit node")
 
 	upCmd.PersistentFlags().StringSliceVar(&dnsLabels, dnsLabelsFlag, nil,
 		`Sets DNS labels`+
@@ -118,9 +119,79 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command) error {
 		return err
 	}
 
-	ic, err := setupConfig(customDNSAddressConverted, cmd)
-	if err != nil {
-		return fmt.Errorf("setup config: %v", err)
+	ic := internal.ConfigInput{
+		ManagementURL:       managementURL,
+		AdminURL:            adminURL,
+		ConfigPath:          configPath,
+		NATExternalIPs:      natExternalIPs,
+		CustomDNSAddress:    customDNSAddressConverted,
+		ExtraIFaceBlackList: extraIFaceBlackList,
+		DNSLabels:           dnsLabelsValidated,
+	}
+
+	if cmd.Flag(enableRosenpassFlag).Changed {
+		ic.RosenpassEnabled = &rosenpassEnabled
+	}
+
+	if cmd.Flag(rosenpassPermissiveFlag).Changed {
+		ic.RosenpassPermissive = &rosenpassPermissive
+	}
+
+	if cmd.Flag(serverSSHAllowedFlag).Changed {
+		ic.ServerSSHAllowed = &serverSSHAllowed
+	}
+
+	if cmd.Flag(interfaceNameFlag).Changed {
+		if err := parseInterfaceName(interfaceName); err != nil {
+			return err
+		}
+		ic.InterfaceName = &interfaceName
+	}
+
+	if cmd.Flag(wireguardPortFlag).Changed {
+		p := int(wireguardPort)
+		ic.WireguardPort = &p
+	}
+
+	if cmd.Flag(networkMonitorFlag).Changed {
+		ic.NetworkMonitor = &networkMonitor
+	}
+
+	if rootCmd.PersistentFlags().Changed(preSharedKeyFlag) {
+		ic.PreSharedKey = &preSharedKey
+	}
+
+	if cmd.Flag(disableAutoConnectFlag).Changed {
+		ic.DisableAutoConnect = &autoConnectDisabled
+
+		if autoConnectDisabled {
+			cmd.Println("Autoconnect has been disabled. The client won't connect automatically when the service starts.")
+		}
+
+		if !autoConnectDisabled {
+			cmd.Println("Autoconnect has been enabled. The client will connect automatically when the service starts.")
+		}
+	}
+
+	if cmd.Flag(dnsRouteIntervalFlag).Changed {
+		ic.DNSRouteInterval = &dnsRouteInterval
+	}
+
+	if cmd.Flag(disableClientRoutesFlag).Changed {
+		ic.DisableClientRoutes = &disableClientRoutes
+	}
+	if cmd.Flag(disableServerRoutesFlag).Changed {
+		ic.DisableServerRoutes = &disableServerRoutes
+	}
+	if cmd.Flag(disableDNSFlag).Changed {
+		ic.DisableDNS = &disableDNS
+	}
+	if cmd.Flag(disableFirewallFlag).Changed {
+		ic.DisableFirewall = &disableFirewall
+	}
+
+	if cmd.Flag(blockLANAccessFlag).Changed {
+		ic.BlockLANAccess = &blockLANAccess
 	}
 
 	providedSetupKey, err := getSetupKey()
@@ -128,7 +199,7 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command) error {
 		return err
 	}
 
-	config, err := internal.UpdateOrCreateConfig(*ic)
+	config, err := internal.UpdateOrCreateConfig(ic)
 	if err != nil {
 		return fmt.Errorf("get config file: %v", err)
 	}
@@ -187,153 +258,21 @@ func runInDaemonMode(ctx context.Context, cmd *cobra.Command) error {
 
 	providedSetupKey, err := getSetupKey()
 	if err != nil {
-		return fmt.Errorf("get setup key: %v", err)
+		return err
 	}
 
-	loginRequest, err := setupLoginRequest(providedSetupKey, customDNSAddressConverted, cmd)
-	if err != nil {
-		return fmt.Errorf("setup login request: %v", err)
-	}
-
-	var loginErr error
-	var loginResp *proto.LoginResponse
-
-	err = WithBackOff(func() error {
-		var backOffErr error
-		loginResp, backOffErr = client.Login(ctx, loginRequest)
-		if s, ok := gstatus.FromError(backOffErr); ok && (s.Code() == codes.InvalidArgument ||
-			s.Code() == codes.PermissionDenied ||
-			s.Code() == codes.NotFound ||
-			s.Code() == codes.Unimplemented) {
-			loginErr = backOffErr
-			return nil
-		}
-		return backOffErr
-	})
-	if err != nil {
-		return fmt.Errorf("login backoff cycle failed: %v", err)
-	}
-
-	if loginErr != nil {
-		return fmt.Errorf("login failed: %v", loginErr)
-	}
-
-	if loginResp.NeedsSSOLogin {
-
-		openURL(cmd, loginResp.VerificationURIComplete, loginResp.UserCode, noBrowser)
-
-		_, err = client.WaitSSOLogin(ctx, &proto.WaitSSOLoginRequest{UserCode: loginResp.UserCode, Hostname: hostName})
-		if err != nil {
-			return fmt.Errorf("waiting sso login failed with: %v", err)
-		}
-	}
-
-	if _, err := client.Up(ctx, &proto.UpRequest{}); err != nil {
-		return fmt.Errorf("call service up method: %v", err)
-	}
-	cmd.Println("Connected")
-	return nil
-}
-
-func setupConfig(customDNSAddressConverted []byte, cmd *cobra.Command) (*internal.ConfigInput, error) {
-	ic := internal.ConfigInput{
-		ManagementURL:       managementURL,
-		AdminURL:            adminURL,
-		ConfigPath:          configPath,
-		NATExternalIPs:      natExternalIPs,
-		CustomDNSAddress:    customDNSAddressConverted,
-		ExtraIFaceBlackList: extraIFaceBlackList,
-		DNSLabels:           dnsLabelsValidated,
-	}
-
-	if cmd.Flag(enableRosenpassFlag).Changed {
-		ic.RosenpassEnabled = &rosenpassEnabled
-	}
-
-	if cmd.Flag(rosenpassPermissiveFlag).Changed {
-		ic.RosenpassPermissive = &rosenpassPermissive
-	}
-
-	if cmd.Flag(serverSSHAllowedFlag).Changed {
-		ic.ServerSSHAllowed = &serverSSHAllowed
-	}
-
-	if cmd.Flag(interfaceNameFlag).Changed {
-		if err := parseInterfaceName(interfaceName); err != nil {
-			return nil, err
-		}
-		ic.InterfaceName = &interfaceName
-	}
-
-	if cmd.Flag(wireguardPortFlag).Changed {
-		p := int(wireguardPort)
-		ic.WireguardPort = &p
-	}
-
-	if cmd.Flag(networkMonitorFlag).Changed {
-		ic.NetworkMonitor = &networkMonitor
-	}
-
-	if rootCmd.PersistentFlags().Changed(preSharedKeyFlag) {
-		ic.PreSharedKey = &preSharedKey
-	}
-
-	if cmd.Flag(disableAutoConnectFlag).Changed {
-		ic.DisableAutoConnect = &autoConnectDisabled
-
-		if autoConnectDisabled {
-			cmd.Println("Autoconnect has been disabled. The client won't connect automatically when the service starts.")
-		}
-
-		if !autoConnectDisabled {
-			cmd.Println("Autoconnect has been enabled. The client will connect automatically when the service starts.")
-		}
-	}
-
-	if cmd.Flag(dnsRouteIntervalFlag).Changed {
-		ic.DNSRouteInterval = &dnsRouteInterval
-	}
-
-	if cmd.Flag(disableClientRoutesFlag).Changed {
-		ic.DisableClientRoutes = &disableClientRoutes
-	}
-	if cmd.Flag(disableServerRoutesFlag).Changed {
-		ic.DisableServerRoutes = &disableServerRoutes
-	}
-	if cmd.Flag(disableDNSFlag).Changed {
-		ic.DisableDNS = &disableDNS
-	}
-	if cmd.Flag(disableFirewallFlag).Changed {
-		ic.DisableFirewall = &disableFirewall
-	}
-
-	if cmd.Flag(blockLANAccessFlag).Changed {
-		ic.BlockLANAccess = &blockLANAccess
-	}
-
-	if cmd.Flag(blockInboundFlag).Changed {
-		ic.BlockInbound = &blockInbound
-	}
-
-	if cmd.Flag(enableLazyConnectionFlag).Changed {
-		ic.LazyConnectionEnabled = &lazyConnEnabled
-	}
-	return &ic, nil
-}
-
-func setupLoginRequest(providedSetupKey string, customDNSAddressConverted []byte, cmd *cobra.Command) (*proto.LoginRequest, error) {
 	loginRequest := proto.LoginRequest{
-		SetupKey:            providedSetupKey,
-		ManagementUrl:       managementURL,
-		AdminURL:            adminURL,
-		NatExternalIPs:      natExternalIPs,
-		CleanNATExternalIPs: natExternalIPs != nil && len(natExternalIPs) == 0,
-		CustomDNSAddress:    customDNSAddressConverted,
-		IsUnixDesktopClient: isUnixRunningDesktop(),
-		Hostname:            hostName,
-		ExtraIFaceBlacklist: extraIFaceBlackList,
-		DnsLabels:           dnsLabels,
-		CleanDNSLabels:      dnsLabels != nil && len(dnsLabels) == 0,
+		SetupKey:             providedSetupKey,
+		ManagementUrl:        managementURL,
+		AdminURL:             adminURL,
+		NatExternalIPs:       natExternalIPs,
+		CleanNATExternalIPs:  natExternalIPs != nil && len(natExternalIPs) == 0,
+		CustomDNSAddress:     customDNSAddressConverted,
+		IsLinuxDesktopClient: isLinuxRunningDesktop(),
+		Hostname:             hostName,
+		ExtraIFaceBlacklist:  extraIFaceBlackList,
+		DnsLabels:            dnsLabels,
+		CleanDNSLabels:       dnsLabels != nil && len(dnsLabels) == 0,
 	}
 
 	if rootCmd.PersistentFlags().Changed(preSharedKeyFlag) {
@@ -358,7 +297,7 @@ func setupLoginRequest(providedSetupKey string, customDNSAddressConverted []byte
 
 	if cmd.Flag(interfaceNameFlag).Changed {
 		if err := parseInterfaceName(interfaceName); err != nil {
-			return nil, err
+			return err
 		}
 		loginRequest.InterfaceName = &interfaceName
 	}
@@ -393,14 +332,45 @@ func setupLoginRequest(providedSetupKey string, customDNSAddressConverted []byte
 		loginRequest.BlockLanAccess = &blockLANAccess
 	}
 
-	if cmd.Flag(blockInboundFlag).Changed {
-		loginRequest.BlockInbound = &blockInbound
+	var loginErr error
+
+	var loginResp *proto.LoginResponse
+
+	err = WithBackOff(func() error {
+		var backOffErr error
+		loginResp, backOffErr = client.Login(ctx, &loginRequest)
+		if s, ok := gstatus.FromError(backOffErr); ok && (s.Code() == codes.InvalidArgument ||
+			s.Code() == codes.PermissionDenied ||
+			s.Code() == codes.NotFound ||
+			s.Code() == codes.Unimplemented) {
+			loginErr = backOffErr
+			return nil
+		}
+		return backOffErr
+	})
+	if err != nil {
+		return fmt.Errorf("login backoff cycle failed: %v", err)
 	}
 
-	if cmd.Flag(enableLazyConnectionFlag).Changed {
-		loginRequest.LazyConnectionEnabled = &lazyConnEnabled
+	if loginErr != nil {
+		return fmt.Errorf("login failed: %v", loginErr)
 	}
-	return &loginRequest, nil
+
+	if loginResp.NeedsSSOLogin {
+
+		openURL(cmd, loginResp.VerificationURIComplete, loginResp.UserCode, noBrowser)
+
+		_, err = client.WaitSSOLogin(ctx, &proto.WaitSSOLoginRequest{UserCode: loginResp.UserCode, Hostname: hostName})
+		if err != nil {
+			return fmt.Errorf("waiting sso login failed with: %v", err)
+		}
+	}
+
+	if _, err := client.Up(ctx, &proto.UpRequest{}); err != nil {
+		return fmt.Errorf("call service up method: %v", err)
+	}
+	cmd.Println("Connected")
+	return nil
 }
 
 func validateNATExternalIPs(list []string) error {

client/firewall/iptables/manager_linux.go

@@ -113,16 +113,17 @@ func (m *Manager) AddPeerFiltering(
 func (m *Manager) AddRouteFiltering(
 	id []byte,
 	sources []netip.Prefix,
-	destination firewall.Network,
+	destination netip.Prefix,
 	proto firewall.Protocol,
-	sPort, dPort *firewall.Port,
+	sPort *firewall.Port,
+	dPort *firewall.Port,
 	action firewall.Action,
 ) (firewall.Rule, error) {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
-	if destination.IsPrefix() && !destination.Prefix.Addr().Is4() {
-		return nil, fmt.Errorf("unsupported IP version: %s", destination.Prefix.Addr().String())
+	if !destination.Addr().Is4() {
+		return nil, fmt.Errorf("unsupported IP version: %s", destination.Addr().String())
 	}
 
 	return m.router.AddRouteFiltering(id, sources, destination, proto, sPort, dPort, action)
@@ -147,10 +148,6 @@ func (m *Manager) IsServerRouteSupported() bool {
 	return true
 }
 
-func (m *Manager) IsStateful() bool {
-	return true
-}
-
 func (m *Manager) AddNatRule(pair firewall.RouterPair) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
@@ -202,7 +199,7 @@ func (m *Manager) AllowNetbird() error {
 	_, err := m.AddPeerFiltering(
 		nil,
 		net.IP{0, 0, 0, 0},
-		firewall.ProtocolALL,
+		"all",
 		nil,
 		nil,
 		firewall.ActionAccept,
@@ -223,16 +220,10 @@ func (m *Manager) SetLogLevel(log.Level) {
 }
 
 func (m *Manager) EnableRouting() error {
-	if err := m.router.ipFwdState.RequestForwarding(); err != nil {
-		return fmt.Errorf("enable IP forwarding: %w", err)
-	}
 	return nil
 }
 
 func (m *Manager) DisableRouting() error {
-	if err := m.router.ipFwdState.ReleaseForwarding(); err != nil {
-		return fmt.Errorf("disable IP forwarding: %w", err)
-	}
 	return nil
 }
 
@@ -252,14 +243,6 @@ func (m *Manager) DeleteDNATRule(rule firewall.Rule) error {
 	return m.router.DeleteDNATRule(rule)
 }
 
-// UpdateSet updates the set with the given prefixes
-func (m *Manager) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.UpdateSet(set, prefixes)
-}
-
 func getConntrackEstablished() []string {
 	return []string{"-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"}
 }

client/firewall/iptables/manager_linux_test.go

@@ -2,7 +2,7 @@ package iptables
 
 import (
 	"fmt"
-	"net/netip"
+	"net"
 	"testing"
 	"time"
 
@@ -19,8 +19,11 @@ var ifaceMock = &iFaceMock{
 	},
 	AddressFunc: func() wgaddr.Address {
 		return wgaddr.Address{
-			IP:      netip.MustParseAddr("10.20.0.1"),
-			Network: netip.MustParsePrefix("10.20.0.0/24"),
+			IP: net.ParseIP("10.20.0.1"),
+			Network: &net.IPNet{
+				IP:   net.ParseIP("10.20.0.0"),
+				Mask: net.IPv4Mask(255, 255, 255, 0),
+			},
 		}
 	},
 }
@@ -67,12 +70,12 @@ func TestIptablesManager(t *testing.T) {
 
 	var rule2 []fw.Rule
 	t.Run("add second rule", func(t *testing.T) {
-		ip := netip.MustParseAddr("10.20.0.3")
+		ip := net.ParseIP("10.20.0.3")
 		port := &fw.Port{
 			IsRange: true,
 			Values:  []uint16{8043, 8046},
 		}
-		rule2, err = manager.AddPeerFiltering(nil, ip.AsSlice(), "tcp", port, nil, fw.ActionAccept, "")
+		rule2, err = manager.AddPeerFiltering(nil, ip, "tcp", port, nil, fw.ActionAccept, "")
 		require.NoError(t, err, "failed to add rule")
 
 		for _, r := range rule2 {
@@ -92,9 +95,9 @@ func TestIptablesManager(t *testing.T) {
 
 	t.Run("reset check", func(t *testing.T) {
 		// add second rule
-		ip := netip.MustParseAddr("10.20.0.3")
+		ip := net.ParseIP("10.20.0.3")
 		port := &fw.Port{Values: []uint16{5353}}
-		_, err = manager.AddPeerFiltering(nil, ip.AsSlice(), "udp", nil, port, fw.ActionAccept, "")
+		_, err = manager.AddPeerFiltering(nil, ip, "udp", nil, port, fw.ActionAccept, "")
 		require.NoError(t, err, "failed to add rule")
 
 		err = manager.Close(nil)
@@ -116,8 +119,11 @@ func TestIptablesManagerIPSet(t *testing.T) {
 		},
 		AddressFunc: func() wgaddr.Address {
 			return wgaddr.Address{
-				IP:      netip.MustParseAddr("10.20.0.1"),
-				Network: netip.MustParsePrefix("10.20.0.0/24"),
+				IP: net.ParseIP("10.20.0.1"),
+				Network: &net.IPNet{
+					IP:   net.ParseIP("10.20.0.0"),
+					Mask: net.IPv4Mask(255, 255, 255, 0),
+				},
 			}
 		},
 	}
@@ -138,11 +144,11 @@ func TestIptablesManagerIPSet(t *testing.T) {
 
 	var rule2 []fw.Rule
 	t.Run("add second rule", func(t *testing.T) {
-		ip := netip.MustParseAddr("10.20.0.3")
+		ip := net.ParseIP("10.20.0.3")
 		port := &fw.Port{
 			Values: []uint16{443},
 		}
-		rule2, err = manager.AddPeerFiltering(nil, ip.AsSlice(), "tcp", port, nil, fw.ActionAccept, "default")
+		rule2, err = manager.AddPeerFiltering(nil, ip, "tcp", port, nil, fw.ActionAccept, "default")
 		for _, r := range rule2 {
 			require.NoError(t, err, "failed to add rule")
 			require.Equal(t, r.(*Rule).ipsetName, "default-sport", "ipset name must be set")
@@ -180,8 +186,11 @@ func TestIptablesCreatePerformance(t *testing.T) {
 		},
 		AddressFunc: func() wgaddr.Address {
 			return wgaddr.Address{
-				IP:      netip.MustParseAddr("10.20.0.1"),
-				Network: netip.MustParsePrefix("10.20.0.0/24"),
+				IP: net.ParseIP("10.20.0.1"),
+				Network: &net.IPNet{
+					IP:   net.ParseIP("10.20.0.0"),
+					Mask: net.IPv4Mask(255, 255, 255, 0),
+				},
 			}
 		},
 	}
@@ -203,11 +212,11 @@ func TestIptablesCreatePerformance(t *testing.T) {
 
 			require.NoError(t, err)
 
-			ip := netip.MustParseAddr("10.20.0.100")
+			ip := net.ParseIP("10.20.0.100")
 			start := time.Now()
 			for i := 0; i < testMax; i++ {
 				port := &fw.Port{Values: []uint16{uint16(1000 + i)}}
-				_, err = manager.AddPeerFiltering(nil, ip.AsSlice(), "tcp", nil, port, fw.ActionAccept, "")
+				_, err = manager.AddPeerFiltering(nil, ip, "tcp", nil, port, fw.ActionAccept, "")
 
 				require.NoError(t, err, "failed to add rule")
 			}

client/firewall/iptables/router_linux.go

@@ -57,18 +57,18 @@ type ruleInfo struct {
 }
 
 type routeFilteringRuleParams struct {
-	Source      firewall.Network
-	Destination firewall.Network
+	Sources     []netip.Prefix
+	Destination netip.Prefix
 	Proto       firewall.Protocol
 	SPort       *firewall.Port
 	DPort       *firewall.Port
 	Direction   firewall.RuleDirection
 	Action      firewall.Action
+	SetName     string
 }
 
 type routeRules map[string][]string
 
-// the ipset library currently does not support comments, so we use the name only (string)
 type ipsetCounter = refcounter.Counter[string, []netip.Prefix, struct{}]
 
 type router struct {
@@ -129,7 +129,7 @@ func (r *router) init(stateManager *statemanager.Manager) error {
 func (r *router) AddRouteFiltering(
 	id []byte,
 	sources []netip.Prefix,
-	destination firewall.Network,
+	destination netip.Prefix,
 	proto firewall.Protocol,
 	sPort *firewall.Port,
 	dPort *firewall.Port,
@@ -140,28 +140,27 @@ func (r *router) AddRouteFiltering(
 		return ruleKey, nil
 	}
 
-	var source firewall.Network
+	var setName string
 	if len(sources) > 1 {
-		source.Set = firewall.NewPrefixSet(sources)
-	} else if len(sources) > 0 {
-		source.Prefix = sources[0]
+		setName = firewall.GenerateSetName(sources)
+		if _, err := r.ipsetCounter.Increment(setName, sources); err != nil {
+			return nil, fmt.Errorf("create or get ipset: %w", err)
+		}
 	}
 
 	params := routeFilteringRuleParams{
-		Source:      source,
+		Sources:     sources,
 		Destination: destination,
 		Proto:       proto,
 		SPort:       sPort,
 		DPort:       dPort,
 		Action:      action,
+		SetName:     setName,
 	}
 
-	rule, err := r.genRouteRuleSpec(params, sources)
-	if err != nil {
-		return nil, fmt.Errorf("generate route rule spec: %w", err)
-	}
-
+	rule := genRouteFilteringRuleSpec(params)
 	// Insert DROP rules at the beginning, append ACCEPT rules at the end
+	var err error
 	if action == firewall.ActionDrop {
 		// after the established rule
 		err = r.iptablesClient.Insert(tableFilter, chainRTFWDIN, 2, rule...)
@@ -184,13 +183,17 @@ func (r *router) DeleteRouteRule(rule firewall.Rule) error {
 	ruleKey := rule.ID()
 
 	if rule, exists := r.rules[ruleKey]; exists {
+		setName := r.findSetNameInRule(rule)
+
 		if err := r.iptablesClient.Delete(tableFilter, chainRTFWDIN, rule...); err != nil {
 			return fmt.Errorf("delete route rule: %v", err)
 		}
 		delete(r.rules, ruleKey)
 
-		if err := r.decrementSetCounter(rule); err != nil {
-			return fmt.Errorf("decrement ipset counter: %w", err)
+		if setName != "" {
+			if _, err := r.ipsetCounter.Decrement(setName); err != nil {
+				return fmt.Errorf("failed to remove ipset: %w", err)
+			}
 		}
 	} else {
 		log.Debugf("route rule %s not found", ruleKey)
@@ -201,26 +204,13 @@ func (r *router) DeleteRouteRule(rule firewall.Rule) error {
 	return nil
 }
 
-func (r *router) decrementSetCounter(rule []string) error {
-	sets := r.findSets(rule)
-	var merr *multierror.Error
-	for _, setName := range sets {
-		if _, err := r.ipsetCounter.Decrement(setName); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("decrement counter: %w", err))
-		}
-	}
-
-	return nberrors.FormatErrorOrNil(merr)
-}
-
-func (r *router) findSets(rule []string) []string {
-	var sets []string
+func (r *router) findSetNameInRule(rule []string) string {
 	for i, arg := range rule {
 		if arg == "-m" && i+3 < len(rule) && rule[i+1] == "set" && rule[i+2] == matchSet {
-			sets = append(sets, rule[i+3])
+			return rule[i+3]
 		}
 	}
-	return sets
+	return ""
 }
 
 func (r *router) createIpSet(setName string, sources []netip.Prefix) error {
@@ -241,13 +231,15 @@ func (r *router) deleteIpSet(setName string) error {
 	if err := ipset.Destroy(setName); err != nil {
 		return fmt.Errorf("destroy set %s: %w", setName, err)
 	}
-
-	log.Debugf("Deleted unused ipset %s", setName)
 	return nil
 }
 
 // AddNatRule inserts an iptables rule pair into the nat chain
 func (r *router) AddNatRule(pair firewall.RouterPair) error {
+	if err := r.ipFwdState.RequestForwarding(); err != nil {
+		return err
+	}
+
 	if r.legacyManagement {
 		log.Warnf("This peer is connected to a NetBird Management service with an older version. Allowing all traffic for %s", pair.Destination)
 		if err := r.addLegacyRouteRule(pair); err != nil {
@@ -274,14 +266,16 @@ func (r *router) AddNatRule(pair firewall.RouterPair) error {
 
 // RemoveNatRule removes an iptables rule pair from forwarding and nat chains
 func (r *router) RemoveNatRule(pair firewall.RouterPair) error {
-	if pair.Masquerade {
-		if err := r.removeNatRule(pair); err != nil {
-			return fmt.Errorf("remove nat rule: %w", err)
-		}
+	if err := r.ipFwdState.ReleaseForwarding(); err != nil {
+		log.Errorf("%v", err)
+	}
 
-		if err := r.removeNatRule(firewall.GetInversePair(pair)); err != nil {
-			return fmt.Errorf("remove inverse nat rule: %w", err)
-		}
+	if err := r.removeNatRule(pair); err != nil {
+		return fmt.Errorf("remove nat rule: %w", err)
+	}
+
+	if err := r.removeNatRule(firewall.GetInversePair(pair)); err != nil {
+		return fmt.Errorf("remove inverse nat rule: %w", err)
 	}
 
 	if err := r.removeLegacyRouteRule(pair); err != nil {
@@ -319,10 +313,8 @@ func (r *router) removeLegacyRouteRule(pair firewall.RouterPair) error {
 			return fmt.Errorf("remove legacy forwarding rule %s -> %s: %v", pair.Source, pair.Destination, err)
 		}
 		delete(r.rules, ruleKey)
-
-		if err := r.decrementSetCounter(rule); err != nil {
-			return fmt.Errorf("decrement ipset counter: %w", err)
-		}
+	} else {
+		log.Debugf("legacy forwarding rule %s not found", ruleKey)
 	}
 
 	return nil
@@ -607,26 +599,12 @@ func (r *router) addNatRule(pair firewall.RouterPair) error {
 	rule = append(rule,
 		"-m", "conntrack",
 		"--ctstate", "NEW",
-	)
-	sourceExp, err := r.applyNetwork("-s", pair.Source, nil)
-	if err != nil {
-		return fmt.Errorf("apply network -s: %w", err)
-	}
-	destExp, err := r.applyNetwork("-d", pair.Destination, nil)
-	if err != nil {
-		return fmt.Errorf("apply network -d: %w", err)
-	}
-
-	rule = append(rule, sourceExp...)
-	rule = append(rule, destExp...)
-	rule = append(rule,
+		"-s", pair.Source.String(),
+		"-d", pair.Destination.String(),
 		"-j", "MARK", "--set-mark", fmt.Sprintf("%#x", markValue),
 	)
 
-	// Ensure nat rules come first, so the mark can be overwritten.
-	// Currently overwritten by the dst-type LOCAL rules for redirected traffic.
-	if err := r.iptablesClient.Insert(tableMangle, chainRTPRE, 1, rule...); err != nil {
-		// TODO: rollback ipset counter
+	if err := r.iptablesClient.Append(tableMangle, chainRTPRE, rule...); err != nil {
 		return fmt.Errorf("error while adding marking rule for %s: %v", pair.Destination, err)
 	}
 
@@ -644,10 +622,6 @@ func (r *router) removeNatRule(pair firewall.RouterPair) error {
 			return fmt.Errorf("error while removing marking rule for %s: %v", pair.Destination, err)
 		}
 		delete(r.rules, ruleKey)
-
-		if err := r.decrementSetCounter(rule); err != nil {
-			return fmt.Errorf("decrement ipset counter: %w", err)
-		}
 	} else {
 		log.Debugf("marking rule %s not found", ruleKey)
 	}
@@ -813,21 +787,17 @@ func (r *router) DeleteDNATRule(rule firewall.Rule) error {
 	return nberrors.FormatErrorOrNil(merr)
 }
 
-func (r *router) genRouteRuleSpec(params routeFilteringRuleParams, sources []netip.Prefix) ([]string, error) {
+func genRouteFilteringRuleSpec(params routeFilteringRuleParams) []string {
 	var rule []string
 
-	sourceExp, err := r.applyNetwork("-s", params.Source, sources)
-	if err != nil {
-		return nil, fmt.Errorf("apply network -s: %w", err)
-
-	}
-	destExp, err := r.applyNetwork("-d", params.Destination, nil)
-	if err != nil {
-		return nil, fmt.Errorf("apply network -d: %w", err)
+	if params.SetName != "" {
+		rule = append(rule, "-m", "set", matchSet, params.SetName, "src")
+	} else if len(params.Sources) > 0 {
+		source := params.Sources[0]
+		rule = append(rule, "-s", source.String())
 	}
 
-	rule = append(rule, sourceExp...)
-	rule = append(rule, destExp...)
+	rule = append(rule, "-d", params.Destination.String())
 
 	if params.Proto != firewall.ProtocolALL {
 		rule = append(rule, "-p", strings.ToLower(string(params.Proto)))
@@ -837,47 +807,7 @@ func (r *router) genRouteRuleSpec(params routeFilteringRuleParams, sources []net
 
 	rule = append(rule, "-j", actionToStr(params.Action))
 
-	return rule, nil
-}
-
-func (r *router) applyNetwork(flag string, network firewall.Network, prefixes []netip.Prefix) ([]string, error) {
-	direction := "src"
-	if flag == "-d" {
-		direction = "dst"
-	}
-
-	if network.IsSet() {
-		if _, err := r.ipsetCounter.Increment(network.Set.HashedName(), prefixes); err != nil {
-			return nil, fmt.Errorf("create or get ipset: %w", err)
-		}
-
-		return []string{"-m", "set", matchSet, network.Set.HashedName(), direction}, nil
-	}
-	if network.IsPrefix() {
-		return []string{flag, network.Prefix.String()}, nil
-	}
-
-	// nolint:nilnil
-	return nil, nil
-}
-
-func (r *router) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
-	var merr *multierror.Error
-	for _, prefix := range prefixes {
-		// TODO: Implement IPv6 support
-		if prefix.Addr().Is6() {
-			log.Tracef("skipping IPv6 prefix %s: IPv6 support not yet implemented", prefix)
-			continue
-		}
-		if err := ipset.AddPrefix(set.HashedName(), prefix); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("increment ipset counter: %w", err))
-		}
-	}
-	if merr == nil {
-		log.Debugf("updated set %s with prefixes %v", set.HashedName(), prefixes)
-	}
-
-	return nberrors.FormatErrorOrNil(merr)
+	return rule
 }
 
 func applyPort(flag string, port *firewall.Port) []string {

client/firewall/iptables/router_linux_test.go

@@ -60,8 +60,8 @@ func TestIptablesManager_RestoreOrCreateContainers(t *testing.T) {
 
 	pair := firewall.RouterPair{
 		ID:          "abc",
-		Source:      firewall.Network{Prefix: netip.MustParsePrefix("100.100.100.1/32")},
-		Destination: firewall.Network{Prefix: netip.MustParsePrefix("100.100.100.0/24")},
+		Source:      netip.MustParsePrefix("100.100.100.1/32"),
+		Destination: netip.MustParsePrefix("100.100.100.0/24"),
 		Masquerade:  true,
 	}
 
@@ -332,7 +332,7 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			ruleKey, err := r.AddRouteFiltering(nil, tt.sources, firewall.Network{Prefix: tt.destination}, tt.proto, tt.sPort, tt.dPort, tt.action)
+			ruleKey, err := r.AddRouteFiltering(nil, tt.sources, tt.destination, tt.proto, tt.sPort, tt.dPort, tt.action)
 			require.NoError(t, err, "AddRouteFiltering failed")
 
 			// Check if the rule is in the internal map
@@ -347,29 +347,23 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 			assert.NoError(t, err, "Failed to check rule existence")
 			assert.True(t, exists, "Rule not found in iptables")
 
-			var source firewall.Network
-			if len(tt.sources) > 1 {
-				source.Set = firewall.NewPrefixSet(tt.sources)
-			} else if len(tt.sources) > 0 {
-				source.Prefix = tt.sources[0]
-			}
 			// Verify rule content
 			params := routeFilteringRuleParams{
-				Source:      source,
-				Destination: firewall.Network{Prefix: tt.destination},
+				Sources:     tt.sources,
+				Destination: tt.destination,
 				Proto:       tt.proto,
 				SPort:       tt.sPort,
 				DPort:       tt.dPort,
 				Action:      tt.action,
+				SetName:     "",
 			}
 
-			expectedRule, err := r.genRouteRuleSpec(params, nil)
-			require.NoError(t, err, "Failed to generate expected rule spec")
+			expectedRule := genRouteFilteringRuleSpec(params)
 
 			if tt.expectSet {
-				setName := firewall.NewPrefixSet(tt.sources).HashedName()
-				expectedRule, err = r.genRouteRuleSpec(params, nil)
-				require.NoError(t, err, "Failed to generate expected rule spec with set")
+				setName := firewall.GenerateSetName(tt.sources)
+				params.SetName = setName
+				expectedRule = genRouteFilteringRuleSpec(params)
 
 				// Check if the set was created
 				_, exists := r.ipsetCounter.Get(setName)
@@ -384,62 +378,3 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 		})
 	}
 }
-
-func TestFindSetNameInRule(t *testing.T) {
-	r := &router{}
-
-	testCases := []struct {
-		name     string
-		rule     []string
-		expected []string
-	}{
-		{
-			name: "Basic rule with two sets",
-			rule: []string{
-				"-A", "NETBIRD-RT-FWD-IN", "-p", "tcp", "-m", "set", "--match-set", "nb-2e5a2a05", "src",
-				"-m", "set", "--match-set", "nb-349ae051", "dst", "-m", "tcp", "--dport", "8080", "-j", "ACCEPT",
-			},
-			expected: []string{"nb-2e5a2a05", "nb-349ae051"},
-		},
-		{
-			name:     "No sets",
-			rule:     []string{"-A", "NETBIRD-RT-FWD-IN", "-p", "tcp", "-j", "ACCEPT"},
-			expected: []string{},
-		},
-		{
-			name: "Multiple sets with different positions",
-			rule: []string{
-				"-m", "set", "--match-set", "set1", "src", "-p", "tcp",
-				"-m", "set", "--match-set", "set-abc123", "dst", "-j", "ACCEPT",
-			},
-			expected: []string{"set1", "set-abc123"},
-		},
-		{
-			name:     "Boundary case - sequence appears at end",
-			rule:     []string{"-p", "tcp", "-m", "set", "--match-set", "final-set"},
-			expected: []string{"final-set"},
-		},
-		{
-			name:     "Incomplete pattern - missing set name",
-			rule:     []string{"-p", "tcp", "-m", "set", "--match-set"},
-			expected: []string{},
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			result := r.findSets(tc.rule)
-
-			if len(result) != len(tc.expected) {
-				t.Errorf("Expected %d sets, got %d. Sets found: %v", len(tc.expected), len(result), result)
-				return
-			}
-
-			for i, set := range result {
-				if set != tc.expected[i] {
-					t.Errorf("Expected set %q at position %d, got %q", tc.expected[i], i, set)
-				}
-			}
-		})
-	}
-}

client/firewall/manager/firewall.go

@@ -1,10 +1,13 @@
 package manager
 
 import (
+	"crypto/sha256"
+	"encoding/hex"
 	"fmt"
 	"net"
 	"net/netip"
 	"sort"
+	"strings"
 
 	log "github.com/sirupsen/logrus"
 
@@ -40,18 +43,6 @@ const (
 // Action is the action to be taken on a rule
 type Action int
 
-// String returns the string representation of the action
-func (a Action) String() string {
-	switch a {
-	case ActionAccept:
-		return "accept"
-	case ActionDrop:
-		return "drop"
-	default:
-		return "unknown"
-	}
-}
-
 const (
 	// ActionAccept is the action to accept a packet
 	ActionAccept Action = iota
@@ -59,33 +50,6 @@ const (
 	ActionDrop
 )
 
-// Network is a rule destination, either a set or a prefix
-type Network struct {
-	Set    Set
-	Prefix netip.Prefix
-}
-
-// String returns the string representation of the destination
-func (d Network) String() string {
-	if d.Prefix.IsValid() {
-		return d.Prefix.String()
-	}
-	if d.IsSet() {
-		return d.Set.HashedName()
-	}
-	return "<invalid network>"
-}
-
-// IsSet returns true if the destination is a set
-func (d Network) IsSet() bool {
-	return d.Set != Set{}
-}
-
-// IsPrefix returns true if the destination is a valid prefix
-func (d Network) IsPrefix() bool {
-	return d.Prefix.IsValid()
-}
-
 // Manager is the high level abstraction of a firewall manager
 //
 // It declares methods which handle actions required by the
@@ -116,14 +80,13 @@ type Manager interface {
 	// IsServerRouteSupported returns true if the firewall supports server side routing operations
 	IsServerRouteSupported() bool
 
-	IsStateful() bool
-
 	AddRouteFiltering(
 		id []byte,
 		sources []netip.Prefix,
-		destination Network,
+		destination netip.Prefix,
 		proto Protocol,
-		sPort, dPort *Port,
+		sPort *Port,
+		dPort *Port,
 		action Action,
 	) (Rule, error)
 
@@ -156,9 +119,6 @@ type Manager interface {
 
 	// DeleteDNATRule deletes a DNAT rule
 	DeleteDNATRule(Rule) error
-
-	// UpdateSet updates the set with the given prefixes
-	UpdateSet(hash Set, prefixes []netip.Prefix) error
 }
 
 func GenKey(format string, pair RouterPair) string {
@@ -193,6 +153,22 @@ func SetLegacyManagement(router LegacyManager, isLegacy bool) error {
 	return nil
 }
 
+// GenerateSetName generates a unique name for an ipset based on the given sources.
+func GenerateSetName(sources []netip.Prefix) string {
+	// sort for consistent naming
+	SortPrefixes(sources)
+
+	var sourcesStr strings.Builder
+	for _, src := range sources {
+		sourcesStr.WriteString(src.String())
+	}
+
+	hash := sha256.Sum256([]byte(sourcesStr.String()))
+	shortHash := hex.EncodeToString(hash[:])[:8]
+
+	return fmt.Sprintf("nb-%s", shortHash)
+}
+
 // MergeIPRanges merges overlapping IP ranges and returns a slice of non-overlapping netip.Prefix
 func MergeIPRanges(prefixes []netip.Prefix) []netip.Prefix {
 	if len(prefixes) == 0 {

client/firewall/manager/firewall_test.go

@@ -20,8 +20,8 @@ func TestGenerateSetName(t *testing.T) {
 			netip.MustParsePrefix("192.168.1.0/24"),
 		}
 
-		result1 := manager.NewPrefixSet(prefixes1)
-		result2 := manager.NewPrefixSet(prefixes2)
+		result1 := manager.GenerateSetName(prefixes1)
+		result2 := manager.GenerateSetName(prefixes2)
 
 		if result1 != result2 {
 			t.Errorf("Different orders produced different hashes: %s != %s", result1, result2)
@@ -34,9 +34,9 @@ func TestGenerateSetName(t *testing.T) {
 			netip.MustParsePrefix("10.0.0.0/8"),
 		}
 
-		result := manager.NewPrefixSet(prefixes)
+		result := manager.GenerateSetName(prefixes)
 
-		matched, err := regexp.MatchString(`^nb-[0-9a-f]{8}$`, result.HashedName())
+		matched, err := regexp.MatchString(`^nb-[0-9a-f]{8}$`, result)
 		if err != nil {
 			t.Fatalf("Error matching regex: %v", err)
 		}
@@ -46,8 +46,8 @@ func TestGenerateSetName(t *testing.T) {
 	})
 
 	t.Run("Empty input produces consistent result", func(t *testing.T) {
-		result1 := manager.NewPrefixSet([]netip.Prefix{})
-		result2 := manager.NewPrefixSet([]netip.Prefix{})
+		result1 := manager.GenerateSetName([]netip.Prefix{})
+		result2 := manager.GenerateSetName([]netip.Prefix{})
 
 		if result1 != result2 {
 			t.Errorf("Empty input produced inconsistent results: %s != %s", result1, result2)
@@ -64,8 +64,8 @@ func TestGenerateSetName(t *testing.T) {
 			netip.MustParsePrefix("192.168.1.0/24"),
 		}
 
-		result1 := manager.NewPrefixSet(prefixes1)
-		result2 := manager.NewPrefixSet(prefixes2)
+		result1 := manager.GenerateSetName(prefixes1)
+		result2 := manager.GenerateSetName(prefixes2)
 
 		if result1 != result2 {
 			t.Errorf("Different orders of IPv4 and IPv6 produced different hashes: %s != %s", result1, result2)

client/firewall/manager/routerpair.go

@@ -1,13 +1,15 @@
 package manager
 
 import (
+	"net/netip"
+
 	"github.com/netbirdio/netbird/route"
 )
 
 type RouterPair struct {
 	ID          route.ID
-	Source      Network
-	Destination Network
+	Source      netip.Prefix
+	Destination netip.Prefix
 	Masquerade  bool
 	Inverse     bool
 }

client/firewall/manager/set.go

@@ -1,74 +0,0 @@
-package manager
-
-import (
-	"crypto/sha256"
-	"encoding/hex"
-	"fmt"
-	"net/netip"
-	"slices"
-
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/management/domain"
-)
-
-type Set struct {
-	hash    [4]byte
-	comment string
-}
-
-// String returns the string representation of the set: hashed name and comment
-func (h Set) String() string {
-	if h.comment == "" {
-		return h.HashedName()
-	}
-	return h.HashedName() + ": " + h.comment
-}
-
-// HashedName returns the string representation of the hash
-func (h Set) HashedName() string {
-	return fmt.Sprintf(
-		"nb-%s",
-		hex.EncodeToString(h.hash[:]),
-	)
-}
-
-// Comment returns the comment of the set
-func (h Set) Comment() string {
-	return h.comment
-}
-
-// NewPrefixSet generates a unique name for an ipset based on the given prefixes.
-func NewPrefixSet(prefixes []netip.Prefix) Set {
-	// sort for consistent naming
-	SortPrefixes(prefixes)
-
-	hash := sha256.New()
-	for _, src := range prefixes {
-		bytes, err := src.MarshalBinary()
-		if err != nil {
-			log.Warnf("failed to marshal prefix %s: %v", src, err)
-		}
-		hash.Write(bytes)
-	}
-	var set Set
-	copy(set.hash[:], hash.Sum(nil)[:4])
-
-	return set
-}
-
-// NewDomainSet generates a unique name for an ipset based on the given domains.
-func NewDomainSet(domains domain.List) Set {
-	slices.Sort(domains)
-
-	hash := sha256.New()
-	for _, d := range domains {
-		hash.Write([]byte(d.PunycodeString()))
-	}
-	set := Set{
-		comment: domains.SafeString(),
-	}
-	copy(set.hash[:], hash.Sum(nil)[:4])
-
-	return set
-}

client/firewall/nftables/manager_linux.go

@@ -135,16 +135,17 @@ func (m *Manager) AddPeerFiltering(
 func (m *Manager) AddRouteFiltering(
 	id []byte,
 	sources []netip.Prefix,
-	destination firewall.Network,
+	destination netip.Prefix,
 	proto firewall.Protocol,
-	sPort, dPort *firewall.Port,
+	sPort *firewall.Port,
+	dPort *firewall.Port,
 	action firewall.Action,
 ) (firewall.Rule, error) {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
-	if destination.IsPrefix() && !destination.Prefix.Addr().Is4() {
-		return nil, fmt.Errorf("unsupported IP version: %s", destination.Prefix.Addr().String())
+	if !destination.Addr().Is4() {
+		return nil, fmt.Errorf("unsupported IP version: %s", destination.Addr().String())
 	}
 
 	return m.router.AddRouteFiltering(id, sources, destination, proto, sPort, dPort, action)
@@ -170,10 +171,6 @@ func (m *Manager) IsServerRouteSupported() bool {
 	return true
 }
 
-func (m *Manager) IsStateful() bool {
-	return true
-}
-
 func (m *Manager) AddNatRule(pair firewall.RouterPair) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
@@ -245,7 +242,7 @@ func (m *Manager) SetLegacyManagement(isLegacy bool) error {
 	return firewall.SetLegacyManagement(m.router, isLegacy)
 }
 
-// Close closes the firewall manager
+// Reset firewall to the default state
 func (m *Manager) Close(stateManager *statemanager.Manager) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
@@ -328,16 +325,10 @@ func (m *Manager) SetLogLevel(log.Level) {
 }
 
 func (m *Manager) EnableRouting() error {
-	if err := m.router.ipFwdState.RequestForwarding(); err != nil {
-		return fmt.Errorf("enable IP forwarding: %w", err)
-	}
 	return nil
 }
 
 func (m *Manager) DisableRouting() error {
-	if err := m.router.ipFwdState.ReleaseForwarding(); err != nil {
-		return fmt.Errorf("disable IP forwarding: %w", err)
-	}
 	return nil
 }
 
@@ -368,14 +359,6 @@ func (m *Manager) DeleteDNATRule(rule firewall.Rule) error {
 	return m.router.DeleteDNATRule(rule)
 }
 
-// UpdateSet updates the set with the given prefixes
-func (m *Manager) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.UpdateSet(set, prefixes)
-}
-
 func (m *Manager) createWorkTable() (*nftables.Table, error) {
 	tables, err := m.rConn.ListTablesOfFamily(nftables.TableFamilyIPv4)
 	if err != nil {

client/firewall/nftables/manager_linux_test.go

@@ -3,6 +3,7 @@ package nftables
 import (
 	"bytes"
 	"fmt"
+	"net"
 	"net/netip"
 	"os/exec"
 	"testing"
@@ -24,8 +25,11 @@ var ifaceMock = &iFaceMock{
 	},
 	AddressFunc: func() wgaddr.Address {
 		return wgaddr.Address{
-			IP:      netip.MustParseAddr("100.96.0.1"),
-			Network: netip.MustParsePrefix("100.96.0.0/16"),
+			IP: net.ParseIP("100.96.0.1"),
+			Network: &net.IPNet{
+				IP:   net.ParseIP("100.96.0.0"),
+				Mask: net.IPv4Mask(255, 255, 255, 0),
+			},
 		}
 	},
 }
@@ -66,11 +70,11 @@ func TestNftablesManager(t *testing.T) {
 		time.Sleep(time.Second)
 	}()
 
-	ip := netip.MustParseAddr("100.96.0.1").Unmap()
+	ip := net.ParseIP("100.96.0.1")
 
 	testClient := &nftables.Conn{}
 
-	rule, err := manager.AddPeerFiltering(nil, ip.AsSlice(), fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{53}}, fw.ActionDrop, "")
+	rule, err := manager.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{53}}, fw.ActionDrop, "")
 	require.NoError(t, err, "failed to add rule")
 
 	err = manager.Flush()
@@ -105,6 +109,8 @@ func TestNftablesManager(t *testing.T) {
 	}
 	compareExprsIgnoringCounters(t, rules[0].Exprs, expectedExprs1)
 
+	ipToAdd, _ := netip.AddrFromSlice(ip)
+	add := ipToAdd.Unmap()
 	expectedExprs2 := []expr.Any{
 		&expr.Payload{
 			DestRegister: 1,
@@ -126,7 +132,7 @@ func TestNftablesManager(t *testing.T) {
 		&expr.Cmp{
 			Op:       expr.CmpOpEq,
 			Register: 1,
-			Data:     ip.AsSlice(),
+			Data:     add.AsSlice(),
 		},
 		&expr.Payload{
 			DestRegister: 1,
@@ -167,8 +173,11 @@ func TestNFtablesCreatePerformance(t *testing.T) {
 		},
 		AddressFunc: func() wgaddr.Address {
 			return wgaddr.Address{
-				IP:      netip.MustParseAddr("100.96.0.1"),
-				Network: netip.MustParsePrefix("100.96.0.0/16"),
+				IP: net.ParseIP("100.96.0.1"),
+				Network: &net.IPNet{
+					IP:   net.ParseIP("100.96.0.0"),
+					Mask: net.IPv4Mask(255, 255, 255, 0),
+				},
 			}
 		},
 	}
@@ -188,11 +197,11 @@ func TestNFtablesCreatePerformance(t *testing.T) {
 				time.Sleep(time.Second)
 			}()
 
-			ip := netip.MustParseAddr("10.20.0.100")
+			ip := net.ParseIP("10.20.0.100")
 			start := time.Now()
 			for i := 0; i < testMax; i++ {
 				port := &fw.Port{Values: []uint16{uint16(1000 + i)}}
-				_, err = manager.AddPeerFiltering(nil, ip.AsSlice(), "tcp", nil, port, fw.ActionAccept, "")
+				_, err = manager.AddPeerFiltering(nil, ip, "tcp", nil, port, fw.ActionAccept, "")
 				require.NoError(t, err, "failed to add rule")
 
 				if i%100 == 0 {
@@ -273,14 +282,14 @@ func TestNftablesManagerCompatibilityWithIptables(t *testing.T) {
 		verifyIptablesOutput(t, stdout, stderr)
 	})
 
-	ip := netip.MustParseAddr("100.96.0.1")
-	_, err = manager.AddPeerFiltering(nil, ip.AsSlice(), fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{80}}, fw.ActionAccept, "")
+	ip := net.ParseIP("100.96.0.1")
+	_, err = manager.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{80}}, fw.ActionAccept, "")
 	require.NoError(t, err, "failed to add peer filtering rule")
 
 	_, err = manager.AddRouteFiltering(
 		nil,
 		[]netip.Prefix{netip.MustParsePrefix("192.168.2.0/24")},
-		fw.Network{Prefix: netip.MustParsePrefix("10.1.0.0/24")},
+		netip.MustParsePrefix("10.1.0.0/24"),
 		fw.ProtocolTCP,
 		nil,
 		&fw.Port{Values: []uint16{443}},
@@ -289,8 +298,8 @@ func TestNftablesManagerCompatibilityWithIptables(t *testing.T) {
 	require.NoError(t, err, "failed to add route filtering rule")
 
 	pair := fw.RouterPair{
-		Source:      fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
-		Destination: fw.Network{Prefix: netip.MustParsePrefix("10.0.0.0/24")},
+		Source:      netip.MustParsePrefix("192.168.1.0/24"),
+		Destination: netip.MustParsePrefix("10.0.0.0/24"),
 		Masquerade:  true,
 	}
 	err = manager.AddNatRule(pair)

client/firewall/nftables/router_linux.go

@@ -10,6 +10,7 @@ import (
 	"strings"
 
 	"github.com/coreos/go-iptables/iptables"
+	"github.com/davecgh/go-spew/spew"
 	"github.com/google/nftables"
 	"github.com/google/nftables/binaryutil"
 	"github.com/google/nftables/expr"
@@ -43,14 +44,9 @@ const (
 const refreshRulesMapError = "refresh rules map: %w"
 
 var (
-	errFilterTableNotFound = fmt.Errorf("'filter' table not found")
+	errFilterTableNotFound = fmt.Errorf("nftables: 'filter' table not found")
 )
 
-type setInput struct {
-	set      firewall.Set
-	prefixes []netip.Prefix
-}
-
 type router struct {
 	conn        *nftables.Conn
 	workTable   *nftables.Table
@@ -58,7 +54,7 @@ type router struct {
 	chains      map[string]*nftables.Chain
 	// rules is useful to avoid duplicates and to get missing attributes that we don't have when adding new rules
 	rules        map[string]*nftables.Rule
-	ipsetCounter *refcounter.Counter[string, setInput, *nftables.Set]
+	ipsetCounter *refcounter.Counter[string, []netip.Prefix, *nftables.Set]
 
 	wgIface          iFaceMapper
 	ipFwdState       *ipfwdstate.IPForwardingState
@@ -167,7 +163,7 @@ func (r *router) removeNatPreroutingRules() error {
 func (r *router) loadFilterTable() (*nftables.Table, error) {
 	tables, err := r.conn.ListTablesOfFamily(nftables.TableFamilyIPv4)
 	if err != nil {
-		return nil, fmt.Errorf("unable to list tables: %v", err)
+		return nil, fmt.Errorf("nftables: unable to list tables: %v", err)
 	}
 
 	for _, table := range tables {
@@ -320,7 +316,7 @@ func (r *router) setupDataPlaneMark() error {
 func (r *router) AddRouteFiltering(
 	id []byte,
 	sources []netip.Prefix,
-	destination firewall.Network,
+	destination netip.Prefix,
 	proto firewall.Protocol,
 	sPort *firewall.Port,
 	dPort *firewall.Port,
@@ -335,29 +331,23 @@ func (r *router) AddRouteFiltering(
 	chain := r.chains[chainNameRoutingFw]
 	var exprs []expr.Any
 
-	var source firewall.Network
 	switch {
 	case len(sources) == 1 && sources[0].Bits() == 0:
 		// If it's 0.0.0.0/0, we don't need to add any source matching
 	case len(sources) == 1:
 		// If there's only one source, we can use it directly
-		source.Prefix = sources[0]
+		exprs = append(exprs, generateCIDRMatcherExpressions(true, sources[0])...)
 	default:
-		// If there are multiple sources, use a set
-		source.Set = firewall.NewPrefixSet(sources)
+		// If there are multiple sources, create or get an ipset
+		var err error
+		exprs, err = r.getIpSetExprs(sources, exprs)
+		if err != nil {
+			return nil, fmt.Errorf("get ipset expressions: %w", err)
+		}
 	}
 
-	sourceExp, err := r.applyNetwork(source, sources, true)
-	if err != nil {
-		return nil, fmt.Errorf("apply source: %w", err)
-	}
-	exprs = append(exprs, sourceExp...)
-
-	destExp, err := r.applyNetwork(destination, nil, false)
-	if err != nil {
-		return nil, fmt.Errorf("apply destination: %w", err)
-	}
-	exprs = append(exprs, destExp...)
+	// Handle destination
+	exprs = append(exprs, generateCIDRMatcherExpressions(false, destination)...)
 
 	// Handle protocol
 	if proto != firewall.ProtocolALL {
@@ -401,27 +391,39 @@ func (r *router) AddRouteFiltering(
 		rule = r.conn.AddRule(rule)
 	}
 
+	log.Tracef("Adding route rule %s", spew.Sdump(rule))
 	if err := r.conn.Flush(); err != nil {
 		return nil, fmt.Errorf(flushError, err)
 	}
 
 	r.rules[string(ruleKey)] = rule
 
-	log.Debugf("added route rule: sources=%v, destination=%v, proto=%v, sPort=%v, dPort=%v, action=%v", sources, destination, proto, sPort, dPort, action)
+	log.Debugf("nftables: added route rule: sources=%v, destination=%v, proto=%v, sPort=%v, dPort=%v, action=%v", sources, destination, proto, sPort, dPort, action)
 
 	return ruleKey, nil
 }
 
-func (r *router) getIpSet(set firewall.Set, prefixes []netip.Prefix, isSource bool) ([]expr.Any, error) {
-	ref, err := r.ipsetCounter.Increment(set.HashedName(), setInput{
-		set:      set,
-		prefixes: prefixes,
-	})
+func (r *router) getIpSetExprs(sources []netip.Prefix, exprs []expr.Any) ([]expr.Any, error) {
+	setName := firewall.GenerateSetName(sources)
+	ref, err := r.ipsetCounter.Increment(setName, sources)
 	if err != nil {
-		return nil, fmt.Errorf("create or get ipset: %w", err)
+		return nil, fmt.Errorf("create or get ipset for sources: %w", err)
 	}
 
-	return getIpSetExprs(ref, isSource)
+	exprs = append(exprs,
+		&expr.Payload{
+			DestRegister: 1,
+			Base:         expr.PayloadBaseNetworkHeader,
+			Offset:       12,
+			Len:          4,
+		},
+		&expr.Lookup{
+			SourceRegister: 1,
+			SetName:        ref.Out.Name,
+			SetID:          ref.Out.ID,
+		},
+	)
+	return exprs, nil
 }
 
 func (r *router) DeleteRouteRule(rule firewall.Rule) error {
@@ -440,54 +442,42 @@ func (r *router) DeleteRouteRule(rule firewall.Rule) error {
 		return fmt.Errorf("route rule %s has no handle", ruleKey)
 	}
 
+	setName := r.findSetNameInRule(nftRule)
+
 	if err := r.deleteNftRule(nftRule, ruleKey); err != nil {
 		return fmt.Errorf("delete: %w", err)
 	}
 
+	if setName != "" {
+		if _, err := r.ipsetCounter.Decrement(setName); err != nil {
+			return fmt.Errorf("decrement ipset reference: %w", err)
+		}
+	}
+
 	if err := r.conn.Flush(); err != nil {
 		return fmt.Errorf(flushError, err)
 	}
 
-	if err := r.decrementSetCounter(nftRule); err != nil {
-		return fmt.Errorf("decrement set counter: %w", err)
-	}
-
 	return nil
 }
 
-func (r *router) createIpSet(setName string, input setInput) (*nftables.Set, error) {
+func (r *router) createIpSet(setName string, sources []netip.Prefix) (*nftables.Set, error) {
 	// overlapping prefixes will result in an error, so we need to merge them
-	prefixes := firewall.MergeIPRanges(input.prefixes)
+	sources = firewall.MergeIPRanges(sources)
 
-	nfset := &nftables.Set{
-		Name:    setName,
-		Comment: input.set.Comment(),
-		Table:   r.workTable,
+	set := &nftables.Set{
+		Name:  setName,
+		Table: r.workTable,
 		// required for prefixes
 		Interval: true,
 		KeyType:  nftables.TypeIPAddr,
 	}
 
-	elements := convertPrefixesToSet(prefixes)
-	if err := r.conn.AddSet(nfset, elements); err != nil {
-		return nil, fmt.Errorf("error adding elements to set %s: %w", setName, err)
-	}
-
-	if err := r.conn.Flush(); err != nil {
-		return nil, fmt.Errorf("flush error: %w", err)
-	}
-
-	log.Printf("Created new ipset: %s with %d elements", setName, len(elements)/2)
-
-	return nfset, nil
-}
-
-func convertPrefixesToSet(prefixes []netip.Prefix) []nftables.SetElement {
 	var elements []nftables.SetElement
-	for _, prefix := range prefixes {
+	for _, prefix := range sources {
 		// TODO: Implement IPv6 support
 		if prefix.Addr().Is6() {
-			log.Tracef("skipping IPv6 prefix %s: IPv6 support not yet implemented", prefix)
+			log.Printf("Skipping IPv6 prefix %s: IPv6 support not yet implemented", prefix)
 			continue
 		}
 
@@ -503,7 +493,18 @@ func convertPrefixesToSet(prefixes []netip.Prefix) []nftables.SetElement {
 			nftables.SetElement{Key: lastIP.AsSlice(), IntervalEnd: true},
 		)
 	}
-	return elements
+
+	if err := r.conn.AddSet(set, elements); err != nil {
+		return nil, fmt.Errorf("error adding elements to set %s: %w", setName, err)
+	}
+
+	if err := r.conn.Flush(); err != nil {
+		return nil, fmt.Errorf("flush error: %w", err)
+	}
+
+	log.Printf("Created new ipset: %s with %d elements", setName, len(elements)/2)
+
+	return set, nil
 }
 
 // calculateLastIP determines the last IP in a given prefix.
@@ -527,8 +528,8 @@ func uint32ToBytes(ip uint32) [4]byte {
 	return b
 }
 
-func (r *router) deleteIpSet(setName string, nfset *nftables.Set) error {
-	r.conn.DelSet(nfset)
+func (r *router) deleteIpSet(setName string, set *nftables.Set) error {
+	r.conn.DelSet(set)
 	if err := r.conn.Flush(); err != nil {
 		return fmt.Errorf(flushError, err)
 	}
@@ -537,27 +538,13 @@ func (r *router) deleteIpSet(setName string, nfset *nftables.Set) error {
 	return nil
 }
 
-func (r *router) decrementSetCounter(rule *nftables.Rule) error {
-	sets := r.findSets(rule)
-
-	var merr *multierror.Error
-	for _, setName := range sets {
-		if _, err := r.ipsetCounter.Decrement(setName); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("decrement set counter: %w", err))
-		}
-	}
-
-	return nberrors.FormatErrorOrNil(merr)
-}
-
-func (r *router) findSets(rule *nftables.Rule) []string {
-	var sets []string
+func (r *router) findSetNameInRule(rule *nftables.Rule) string {
 	for _, e := range rule.Exprs {
 		if lookup, ok := e.(*expr.Lookup); ok {
-			sets = append(sets, lookup.SetName)
+			return lookup.SetName
 		}
 	}
-	return sets
+	return ""
 }
 
 func (r *router) deleteNftRule(rule *nftables.Rule, ruleKey string) error {
@@ -573,6 +560,10 @@ func (r *router) deleteNftRule(rule *nftables.Rule, ruleKey string) error {
 
 // AddNatRule appends a nftables rule pair to the nat chain
 func (r *router) AddNatRule(pair firewall.RouterPair) error {
+	if err := r.ipFwdState.RequestForwarding(); err != nil {
+		return err
+	}
+
 	if err := r.refreshRulesMap(); err != nil {
 		return fmt.Errorf(refreshRulesMapError, err)
 	}
@@ -595,8 +586,7 @@ func (r *router) AddNatRule(pair firewall.RouterPair) error {
 	}
 
 	if err := r.conn.Flush(); err != nil {
-		// TODO: rollback ipset counter
-		return fmt.Errorf("insert rules for %s: %v", pair.Destination, err)
+		return fmt.Errorf("nftables: insert rules for %s: %v", pair.Destination, err)
 	}
 
 	return nil
@@ -604,22 +594,19 @@ func (r *router) AddNatRule(pair firewall.RouterPair) error {
 
 // addNatRule inserts a nftables rule to the conn client flush queue
 func (r *router) addNatRule(pair firewall.RouterPair) error {
-	sourceExp, err := r.applyNetwork(pair.Source, nil, true)
-	if err != nil {
-		return fmt.Errorf("apply source: %w", err)
-	}
-
-	destExp, err := r.applyNetwork(pair.Destination, nil, false)
-	if err != nil {
-		return fmt.Errorf("apply destination: %w", err)
-	}
+	sourceExp := generateCIDRMatcherExpressions(true, pair.Source)
+	destExp := generateCIDRMatcherExpressions(false, pair.Destination)
 
 	op := expr.CmpOpEq
 	if pair.Inverse {
 		op = expr.CmpOpNeq
 	}
 
-	exprs := []expr.Any{
+	// We only care about NEW connections to mark them and later identify them in the postrouting chain for masquerading.
+	// Masquerading will take care of the conntrack state, which means we won't need to mark established connections.
+	exprs := getCtNewExprs()
+	exprs = append(exprs,
+		// interface matching
 		&expr.Meta{
 			Key:      expr.MetaKeyIIFNAME,
 			Register: 1,
@@ -629,10 +616,7 @@ func (r *router) addNatRule(pair firewall.RouterPair) error {
 			Register: 1,
 			Data:     ifname(r.wgIface.Name()),
 		},
-	}
-	// We only care about NEW connections to mark them and later identify them in the postrouting chain for masquerading.
-	// Masquerading will take care of the conntrack state, which means we won't need to mark established connections.
-	exprs = append(exprs, getCtNewExprs()...)
+	)
 
 	exprs = append(exprs, sourceExp...)
 	exprs = append(exprs, destExp...)
@@ -662,9 +646,7 @@ func (r *router) addNatRule(pair firewall.RouterPair) error {
 		}
 	}
 
-	// Ensure nat rules come first, so the mark can be overwritten.
-	// Currently overwritten by the dst-type LOCAL rules for redirected traffic.
-	r.rules[ruleKey] = r.conn.InsertRule(&nftables.Rule{
+	r.rules[ruleKey] = r.conn.AddRule(&nftables.Rule{
 		Table:    r.workTable,
 		Chain:    r.chains[chainNameManglePrerouting],
 		Exprs:    exprs,
@@ -747,15 +729,8 @@ func (r *router) addPostroutingRules() error {
 
 // addLegacyRouteRule adds a legacy routing rule for mgmt servers pre route acls
 func (r *router) addLegacyRouteRule(pair firewall.RouterPair) error {
-	sourceExp, err := r.applyNetwork(pair.Source, nil, true)
-	if err != nil {
-		return fmt.Errorf("apply source: %w", err)
-	}
-
-	destExp, err := r.applyNetwork(pair.Destination, nil, false)
-	if err != nil {
-		return fmt.Errorf("apply destination: %w", err)
-	}
+	sourceExp := generateCIDRMatcherExpressions(true, pair.Source)
+	destExp := generateCIDRMatcherExpressions(false, pair.Destination)
 
 	exprs := []expr.Any{
 		&expr.Counter{},
@@ -764,8 +739,7 @@ func (r *router) addLegacyRouteRule(pair firewall.RouterPair) error {
 		},
 	}
 
-	exprs = append(exprs, sourceExp...)
-	exprs = append(exprs, destExp...)
+	expression := append(sourceExp, append(destExp, exprs...)...) // nolint:gocritic
 
 	ruleKey := firewall.GenKey(firewall.ForwardingFormat, pair)
 
@@ -778,7 +752,7 @@ func (r *router) addLegacyRouteRule(pair firewall.RouterPair) error {
 	r.rules[ruleKey] = r.conn.AddRule(&nftables.Rule{
 		Table:    r.workTable,
 		Chain:    r.chains[chainNameRoutingFw],
-		Exprs:    exprs,
+		Exprs:    expression,
 		UserData: []byte(ruleKey),
 	})
 	return nil
@@ -793,13 +767,11 @@ func (r *router) removeLegacyRouteRule(pair firewall.RouterPair) error {
 			return fmt.Errorf("remove legacy forwarding rule %s -> %s: %v", pair.Source, pair.Destination, err)
 		}
 
-		log.Debugf("removed legacy forwarding rule %s -> %s", pair.Source, pair.Destination)
+		log.Debugf("nftables: removed legacy forwarding rule %s -> %s", pair.Source, pair.Destination)
 
 		delete(r.rules, ruleKey)
-
-		if err := r.decrementSetCounter(rule); err != nil {
-			return fmt.Errorf("decrement set counter: %w", err)
-		}
+	} else {
+		log.Debugf("nftables: legacy forwarding rule %s not found", ruleKey)
 	}
 
 	return nil
@@ -1002,18 +974,20 @@ func (r *router) removeAcceptForwardRulesIptables(ipt *iptables.IPTables) error
 
 // RemoveNatRule removes the prerouting mark rule
 func (r *router) RemoveNatRule(pair firewall.RouterPair) error {
+	if err := r.ipFwdState.ReleaseForwarding(); err != nil {
+		log.Errorf("%v", err)
+	}
+
 	if err := r.refreshRulesMap(); err != nil {
 		return fmt.Errorf(refreshRulesMapError, err)
 	}
 
-	if pair.Masquerade {
-		if err := r.removeNatRule(pair); err != nil {
-			return fmt.Errorf("remove prerouting rule: %w", err)
-		}
+	if err := r.removeNatRule(pair); err != nil {
+		return fmt.Errorf("remove prerouting rule: %w", err)
+	}
 
-		if err := r.removeNatRule(firewall.GetInversePair(pair)); err != nil {
-			return fmt.Errorf("remove inverse prerouting rule: %w", err)
-		}
+	if err := r.removeNatRule(firewall.GetInversePair(pair)); err != nil {
+		return fmt.Errorf("remove inverse prerouting rule: %w", err)
 	}
 
 	if err := r.removeLegacyRouteRule(pair); err != nil {
@@ -1021,10 +995,10 @@ func (r *router) RemoveNatRule(pair firewall.RouterPair) error {
 	}
 
 	if err := r.conn.Flush(); err != nil {
-		// TODO: rollback set counter
-		return fmt.Errorf("remove nat rules rule %s: %v", pair.Destination, err)
+		return fmt.Errorf("nftables: received error while applying rule removal for %s: %v", pair.Destination, err)
 	}
 
+	log.Debugf("nftables: removed nat rules for %s", pair.Destination)
 	return nil
 }
 
@@ -1032,19 +1006,16 @@ func (r *router) removeNatRule(pair firewall.RouterPair) error {
 	ruleKey := firewall.GenKey(firewall.PreroutingFormat, pair)
 
 	if rule, exists := r.rules[ruleKey]; exists {
-		if err := r.conn.DelRule(rule); err != nil {
+		err := r.conn.DelRule(rule)
+		if err != nil {
 			return fmt.Errorf("remove prerouting rule %s -> %s: %v", pair.Source, pair.Destination, err)
 		}
 
-		log.Debugf("removed prerouting rule %s -> %s", pair.Source, pair.Destination)
+		log.Debugf("nftables: removed prerouting rule %s -> %s", pair.Source, pair.Destination)
 
 		delete(r.rules, ruleKey)
-
-		if err := r.decrementSetCounter(rule); err != nil {
-			return fmt.Errorf("decrement set counter: %w", err)
-		}
 	} else {
-		log.Debugf("prerouting rule %s not found", ruleKey)
+		log.Debugf("nftables: prerouting rule %s not found", ruleKey)
 	}
 
 	return nil
@@ -1056,7 +1027,7 @@ func (r *router) refreshRulesMap() error {
 	for _, chain := range r.chains {
 		rules, err := r.conn.GetRules(chain.Table, chain)
 		if err != nil {
-			return fmt.Errorf(" unable to list rules: %v", err)
+			return fmt.Errorf("nftables: unable to list rules: %v", err)
 		}
 		for _, rule := range rules {
 			if len(rule.UserData) > 0 {
@@ -1330,54 +1301,13 @@ func (r *router) DeleteDNATRule(rule firewall.Rule) error {
 	return nberrors.FormatErrorOrNil(merr)
 }
 
-func (r *router) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
-	nfset, err := r.conn.GetSetByName(r.workTable, set.HashedName())
-	if err != nil {
-		return fmt.Errorf("get set %s: %w", set.HashedName(), err)
-	}
-
-	elements := convertPrefixesToSet(prefixes)
-	if err := r.conn.SetAddElements(nfset, elements); err != nil {
-		return fmt.Errorf("add elements to set %s: %w", set.HashedName(), err)
-	}
-
-	if err := r.conn.Flush(); err != nil {
-		return fmt.Errorf(flushError, err)
-	}
-
-	log.Debugf("updated set %s with prefixes %v", set.HashedName(), prefixes)
-
-	return nil
-}
-
-// applyNetwork generates nftables expressions for networks (CIDR) or sets
-func (r *router) applyNetwork(
-	network firewall.Network,
-	setPrefixes []netip.Prefix,
-	isSource bool,
-) ([]expr.Any, error) {
-	if network.IsSet() {
-		exprs, err := r.getIpSet(network.Set, setPrefixes, isSource)
-		if err != nil {
-			return nil, fmt.Errorf("source: %w", err)
-		}
-		return exprs, nil
-	}
-
-	if network.IsPrefix() {
-		return applyPrefix(network.Prefix, isSource), nil
-	}
-
-	return nil, nil
-}
-
-// applyPrefix generates nftables expressions for a CIDR prefix
-func applyPrefix(prefix netip.Prefix, isSource bool) []expr.Any {
-	// dst offset
-	offset := uint32(16)
-	if isSource {
-		// src offset
-		offset = 12
+// generateCIDRMatcherExpressions generates nftables expressions that matches a CIDR
+func generateCIDRMatcherExpressions(source bool, prefix netip.Prefix) []expr.Any {
+	var offset uint32
+	if source {
+		offset = 12 // src offset
+	} else {
+		offset = 16 // dst offset
 	}
 
 	ones := prefix.Bits()
@@ -1485,27 +1415,3 @@ func getCtNewExprs() []expr.Any {
 		},
 	}
 }
-
-func getIpSetExprs(ref refcounter.Ref[*nftables.Set], isSource bool) ([]expr.Any, error) {
-
-	// dst offset
-	offset := uint32(16)
-	if isSource {
-		// src offset
-		offset = 12
-	}
-
-	return []expr.Any{
-		&expr.Payload{
-			DestRegister: 1,
-			Base:         expr.PayloadBaseNetworkHeader,
-			Offset:       offset,
-			Len:          4,
-		},
-		&expr.Lookup{
-			SourceRegister: 1,
-			SetName:        ref.Out.Name,
-			SetID:          ref.Out.ID,
-		},
-	}, nil
-}

client/firewall/nftables/router_linux_test.go

@@ -88,8 +88,8 @@ func TestNftablesManager_AddNatRule(t *testing.T) {
 				}
 
 				// Build CIDR matching expressions
-				sourceExp := applyPrefix(testCase.InputPair.Source.Prefix, true)
-				destExp := applyPrefix(testCase.InputPair.Destination.Prefix, false)
+				sourceExp := generateCIDRMatcherExpressions(true, testCase.InputPair.Source)
+				destExp := generateCIDRMatcherExpressions(false, testCase.InputPair.Destination)
 
 				// Combine all expressions in the correct order
 				// nolint:gocritic
@@ -311,7 +311,7 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			ruleKey, err := r.AddRouteFiltering(nil, tt.sources, firewall.Network{Prefix: tt.destination}, tt.proto, tt.sPort, tt.dPort, tt.action)
+			ruleKey, err := r.AddRouteFiltering(nil, tt.sources, tt.destination, tt.proto, tt.sPort, tt.dPort, tt.action)
 			require.NoError(t, err, "AddRouteFiltering failed")
 
 			t.Cleanup(func() {
@@ -441,8 +441,8 @@ func TestNftablesCreateIpSet(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			setName := firewall.NewPrefixSet(tt.sources).HashedName()
-			set, err := r.createIpSet(setName, setInput{prefixes: tt.sources})
+			setName := firewall.GenerateSetName(tt.sources)
+			set, err := r.createIpSet(setName, tt.sources)
 			if err != nil {
 				t.Logf("Failed to create IP set: %v", err)
 				printNftSets()

client/firewall/test/cases_linux.go

@@ -15,8 +15,8 @@ var (
 			Name: "Insert Forwarding IPV4 Rule",
 			InputPair: firewall.RouterPair{
 				ID:          "zxa",
-				Source:      firewall.Network{Prefix: netip.MustParsePrefix("100.100.100.1/32")},
-				Destination: firewall.Network{Prefix: netip.MustParsePrefix("100.100.200.0/24")},
+				Source:      netip.MustParsePrefix("100.100.100.1/32"),
+				Destination: netip.MustParsePrefix("100.100.200.0/24"),
 				Masquerade:  false,
 			},
 		},
@@ -24,8 +24,8 @@ var (
 			Name: "Insert Forwarding And Nat IPV4 Rules",
 			InputPair: firewall.RouterPair{
 				ID:          "zxa",
-				Source:      firewall.Network{Prefix: netip.MustParsePrefix("100.100.100.1/32")},
-				Destination: firewall.Network{Prefix: netip.MustParsePrefix("100.100.200.0/24")},
+				Source:      netip.MustParsePrefix("100.100.100.1/32"),
+				Destination: netip.MustParsePrefix("100.100.200.0/24"),
 				Masquerade:  true,
 			},
 		},
@@ -40,8 +40,8 @@ var (
 			Name: "Remove Forwarding And Nat IPV4 Rules",
 			InputPair: firewall.RouterPair{
 				ID:          "zxa",
-				Source:      firewall.Network{Prefix: netip.MustParsePrefix("100.100.100.1/32")},
-				Destination: firewall.Network{Prefix: netip.MustParsePrefix("100.100.200.0/24")},
+				Source:      netip.MustParsePrefix("100.100.100.1/32"),
+				Destination: netip.MustParsePrefix("100.100.200.0/24"),
 				Masquerade:  true,
 			},
 		},

client/firewall/uspfilter/allow_netbird.go

@@ -12,7 +12,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )
 
-// Close cleans up the firewall manager by removing all rules and closing trackers
+// Reset firewall to the default state
 func (m *Manager) Close(stateManager *statemanager.Manager) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

client/firewall/uspfilter/allow_netbird_windows.go

@@ -10,6 +10,7 @@ import (
 
 	log "github.com/sirupsen/logrus"
 
+	"github.com/netbirdio/netbird/client/firewall/uspfilter/conntrack"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )
 
@@ -21,7 +22,7 @@ const (
 	firewallRuleName        = "Netbird"
 )
 
-// Close cleans up the firewall manager by removing all rules and closing trackers
+// Reset firewall to the default state
 func (m *Manager) Close(*statemanager.Manager) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
@@ -31,14 +32,17 @@ func (m *Manager) Close(*statemanager.Manager) error {
 
 	if m.udpTracker != nil {
 		m.udpTracker.Close()
+		m.udpTracker = conntrack.NewUDPTracker(conntrack.DefaultUDPTimeout, m.logger, m.flowLogger)
 	}
 
 	if m.icmpTracker != nil {
 		m.icmpTracker.Close()
+		m.icmpTracker = conntrack.NewICMPTracker(conntrack.DefaultICMPTimeout, m.logger, m.flowLogger)
 	}
 
 	if m.tcpTracker != nil {
 		m.tcpTracker.Close()
+		m.tcpTracker = conntrack.NewTCPTracker(conntrack.DefaultTCPTimeout, m.logger, m.flowLogger)
 	}
 
 	if fwder := m.forwarder.Load(); fwder != nil {

client/firewall/uspfilter/conntrack/common.go

@@ -62,5 +62,5 @@ type ConnKey struct {
 }
 
 func (c ConnKey) String() string {
-	return fmt.Sprintf("%s:%d → %s:%d", c.SrcIP.Unmap(), c.SrcPort, c.DstIP.Unmap(), c.DstPort)
+	return fmt.Sprintf("%s:%d -> %s:%d", c.SrcIP.Unmap(), c.SrcPort, c.DstIP.Unmap(), c.DstPort)
 }

client/firewall/uspfilter/conntrack/icmp.go

@@ -3,7 +3,6 @@ package conntrack
 import (
 	"context"
 	"fmt"
-	"net"
 	"net/netip"
 	"sync"
 	"time"
@@ -20,10 +19,6 @@ const (
 	DefaultICMPTimeout = 30 * time.Second
 	// ICMPCleanupInterval is how often we check for stale ICMP connections
 	ICMPCleanupInterval = 15 * time.Second
-
-	// MaxICMPPayloadLength is the maximum length of ICMP payload we consider for original packet info,
-	// which includes the IP header (20 bytes) and transport header (8 bytes)
-	MaxICMPPayloadLength = 28
 )
 
 // ICMPConnKey uniquely identifies an ICMP connection
@@ -34,7 +29,7 @@ type ICMPConnKey struct {
 }
 
 func (i ICMPConnKey) String() string {
-	return fmt.Sprintf("%s → %s (id %d)", i.SrcIP, i.DstIP, i.ID)
+	return fmt.Sprintf("%s -> %s (id %d)", i.SrcIP, i.DstIP, i.ID)
 }
 
 // ICMPConnTrack represents an ICMP connection state
@@ -55,72 +50,6 @@ type ICMPTracker struct {
 	flowLogger    nftypes.FlowLogger
 }
 
-// ICMPInfo holds ICMP type, code, and payload for lazy string formatting in logs
-type ICMPInfo struct {
-	TypeCode    layers.ICMPv4TypeCode
-	PayloadData [MaxICMPPayloadLength]byte
-	// actual length of valid data
-	PayloadLen int
-}
-
-// String implements fmt.Stringer for lazy evaluation in log messages
-func (info ICMPInfo) String() string {
-	if info.isErrorMessage() && info.PayloadLen >= MaxICMPPayloadLength {
-		if origInfo := info.parseOriginalPacket(); origInfo != "" {
-			return fmt.Sprintf("%s (original: %s)", info.TypeCode, origInfo)
-		}
-	}
-
-	return info.TypeCode.String()
-}
-
-// isErrorMessage returns true if this ICMP type carries original packet info
-func (info ICMPInfo) isErrorMessage() bool {
-	typ := info.TypeCode.Type()
-	return typ == 3 || // Destination Unreachable
-		typ == 5 || // Redirect
-		typ == 11 || // Time Exceeded
-		typ == 12 // Parameter Problem
-}
-
-// parseOriginalPacket extracts info about the original packet from ICMP payload
-func (info ICMPInfo) parseOriginalPacket() string {
-	if info.PayloadLen < MaxICMPPayloadLength {
-		return ""
-	}
-
-	// TODO: handle IPv6
-	if version := (info.PayloadData[0] >> 4) & 0xF; version != 4 {
-		return ""
-	}
-
-	protocol := info.PayloadData[9]
-	srcIP := net.IP(info.PayloadData[12:16])
-	dstIP := net.IP(info.PayloadData[16:20])
-
-	transportData := info.PayloadData[20:]
-
-	switch nftypes.Protocol(protocol) {
-	case nftypes.TCP:
-		srcPort := uint16(transportData[0])<<8 | uint16(transportData[1])
-		dstPort := uint16(transportData[2])<<8 | uint16(transportData[3])
-		return fmt.Sprintf("TCP %s:%d → %s:%d", srcIP, srcPort, dstIP, dstPort)
-
-	case nftypes.UDP:
-		srcPort := uint16(transportData[0])<<8 | uint16(transportData[1])
-		dstPort := uint16(transportData[2])<<8 | uint16(transportData[3])
-		return fmt.Sprintf("UDP %s:%d → %s:%d", srcIP, srcPort, dstIP, dstPort)
-
-	case nftypes.ICMP:
-		icmpType := transportData[0]
-		icmpCode := transportData[1]
-		return fmt.Sprintf("ICMP %s → %s (type %d code %d)", srcIP, dstIP, icmpType, icmpCode)
-
-	default:
-		return fmt.Sprintf("Proto %d %s → %s", protocol, srcIP, dstIP)
-	}
-}
-
 // NewICMPTracker creates a new ICMP connection tracker
 func NewICMPTracker(timeout time.Duration, logger *nblog.Logger, flowLogger nftypes.FlowLogger) *ICMPTracker {
 	if timeout == 0 {
@@ -164,64 +93,30 @@ func (t *ICMPTracker) updateIfExists(srcIP netip.Addr, dstIP netip.Addr, id uint
 }
 
 // TrackOutbound records an outbound ICMP connection
-func (t *ICMPTracker) TrackOutbound(
-	srcIP netip.Addr,
-	dstIP netip.Addr,
-	id uint16,
-	typecode layers.ICMPv4TypeCode,
-	payload []byte,
-	size int,
-) {
+func (t *ICMPTracker) TrackOutbound(srcIP netip.Addr, dstIP netip.Addr, id uint16, typecode layers.ICMPv4TypeCode, size int) {
 	if _, exists := t.updateIfExists(dstIP, srcIP, id, nftypes.Egress, size); !exists {
 		// if (inverted direction) conn is not tracked, track this direction
-		t.track(srcIP, dstIP, id, typecode, nftypes.Egress, nil, payload, size)
+		t.track(srcIP, dstIP, id, typecode, nftypes.Egress, nil, size)
 	}
 }
 
 // TrackInbound records an inbound ICMP Echo Request
-func (t *ICMPTracker) TrackInbound(
-	srcIP netip.Addr,
-	dstIP netip.Addr,
-	id uint16,
-	typecode layers.ICMPv4TypeCode,
-	ruleId []byte,
-	payload []byte,
-	size int,
-) {
-	t.track(srcIP, dstIP, id, typecode, nftypes.Ingress, ruleId, payload, size)
+func (t *ICMPTracker) TrackInbound(srcIP netip.Addr, dstIP netip.Addr, id uint16, typecode layers.ICMPv4TypeCode, ruleId []byte, size int) {
+	t.track(srcIP, dstIP, id, typecode, nftypes.Ingress, ruleId, size)
 }
 
 // track is the common implementation for tracking both inbound and outbound ICMP connections
-func (t *ICMPTracker) track(
-	srcIP netip.Addr,
-	dstIP netip.Addr,
-	id uint16,
-	typecode layers.ICMPv4TypeCode,
-	direction nftypes.Direction,
-	ruleId []byte,
-	payload []byte,
-	size int,
-) {
+func (t *ICMPTracker) track(srcIP netip.Addr, dstIP netip.Addr, id uint16, typecode layers.ICMPv4TypeCode, direction nftypes.Direction, ruleId []byte, size int) {
 	key, exists := t.updateIfExists(srcIP, dstIP, id, direction, size)
 	if exists {
 		return
 	}
 
 	typ, code := typecode.Type(), typecode.Code()
-	icmpInfo := ICMPInfo{
-		TypeCode: typecode,
-	}
-	if len(payload) > 0 {
-		icmpInfo.PayloadLen = len(payload)
-		if icmpInfo.PayloadLen > MaxICMPPayloadLength {
-			icmpInfo.PayloadLen = MaxICMPPayloadLength
-		}
-		copy(icmpInfo.PayloadData[:], payload[:icmpInfo.PayloadLen])
-	}
 
 	// non echo requests don't need tracking
 	if typ != uint8(layers.ICMPv4TypeEchoRequest) {
-		t.logger.Trace("New %s ICMP connection %s - %s", direction, key, icmpInfo)
+		t.logger.Trace("New %s ICMP connection %s type %d code %d", direction, key, typ, code)
 		t.sendStartEvent(direction, srcIP, dstIP, typ, code, ruleId, size)
 		return
 	}
@@ -243,7 +138,7 @@ func (t *ICMPTracker) track(
 	t.connections[key] = conn
 	t.mutex.Unlock()
 
-	t.logger.Trace("New %s ICMP connection %s - %s", direction, key, icmpInfo)
+	t.logger.Trace("New %s ICMP connection %s type %d code %d", direction, key, typ, code)
 	t.sendEvent(nftypes.TypeStart, conn, ruleId)
 }
 

client/firewall/uspfilter/conntrack/icmp_test.go

@@ -15,7 +15,7 @@ func BenchmarkICMPTracker(b *testing.B) {
 
 		b.ResetTimer()
 		for i := 0; i < b.N; i++ {
-			tracker.TrackOutbound(srcIP, dstIP, uint16(i%65535), 0, []byte{}, 0)
+			tracker.TrackOutbound(srcIP, dstIP, uint16(i%65535), 0, 0)
 		}
 	})
 
@@ -28,7 +28,7 @@ func BenchmarkICMPTracker(b *testing.B) {
 
 		// Pre-populate some connections
 		for i := 0; i < 1000; i++ {
-			tracker.TrackOutbound(srcIP, dstIP, uint16(i), 0, []byte{}, 0)
+			tracker.TrackOutbound(srcIP, dstIP, uint16(i), 0, 0)
 		}
 
 		b.ResetTimer()

client/firewall/uspfilter/forwarder/endpoint.go

@@ -86,5 +86,5 @@ type epID stack.TransportEndpointID
 
 func (i epID) String() string {
 	// src and remote is swapped
-	return fmt.Sprintf("%s:%d → %s:%d", i.RemoteAddress, i.RemotePort, i.LocalAddress, i.LocalPort)
+	return fmt.Sprintf("%s:%d -> %s:%d", i.RemoteAddress, i.RemotePort, i.LocalAddress, i.LocalPort)
 }

client/firewall/uspfilter/forwarder/forwarder.go

@@ -4,9 +4,7 @@ import (
 	"context"
 	"fmt"
 	"net"
-	"net/netip"
 	"runtime"
-	"sync"
 
 	log "github.com/sirupsen/logrus"
 	"gvisor.dev/gvisor/pkg/buffer"
@@ -19,7 +17,6 @@ import (
 	"gvisor.dev/gvisor/pkg/tcpip/transport/udp"
 
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/common"
-	"github.com/netbirdio/netbird/client/firewall/uspfilter/conntrack"
 	nblog "github.com/netbirdio/netbird/client/firewall/uspfilter/log"
 	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
 )
@@ -32,16 +29,14 @@ const (
 )
 
 type Forwarder struct {
-	logger     *nblog.Logger
-	flowLogger nftypes.FlowLogger
-	// ruleIdMap is used to store the rule ID for a given connection
-	ruleIdMap    sync.Map
+	logger       *nblog.Logger
+	flowLogger   nftypes.FlowLogger
 	stack        *stack.Stack
 	endpoint     *endpoint
 	udpForwarder *udpForwarder
 	ctx          context.Context
 	cancel       context.CancelFunc
-	ip           tcpip.Address
+	ip           net.IP
 	netstack     bool
 }
 
@@ -71,11 +66,12 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 		return nil, fmt.Errorf("failed to create NIC: %v", err)
 	}
 
+	ones, _ := iface.Address().Network.Mask.Size()
 	protoAddr := tcpip.ProtocolAddress{
 		Protocol: ipv4.ProtocolNumber,
 		AddressWithPrefix: tcpip.AddressWithPrefix{
-			Address:   tcpip.AddrFromSlice(iface.Address().IP.AsSlice()),
-			PrefixLen: iface.Address().Network.Bits(),
+			Address:   tcpip.AddrFromSlice(iface.Address().IP.To4()),
+			PrefixLen: ones,
 		},
 	}
 
@@ -115,7 +111,7 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 		ctx:          ctx,
 		cancel:       cancel,
 		netstack:     netstack,
-		ip:           tcpip.AddrFromSlice(iface.Address().IP.AsSlice()),
+		ip:           iface.Address().IP,
 	}
 
 	receiveWindow := defaultReceiveWindow
@@ -166,39 +162,8 @@ func (f *Forwarder) Stop() {
 }
 
 func (f *Forwarder) determineDialAddr(addr tcpip.Address) net.IP {
-	if f.netstack && f.ip.Equal(addr) {
+	if f.netstack && f.ip.Equal(addr.AsSlice()) {
 		return net.IPv4(127, 0, 0, 1)
 	}
 	return addr.AsSlice()
 }
-
-func (f *Forwarder) RegisterRuleID(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, ruleID []byte) {
-	key := buildKey(srcIP, dstIP, srcPort, dstPort)
-	f.ruleIdMap.LoadOrStore(key, ruleID)
-}
-
-func (f *Forwarder) getRuleID(srcIP, dstIP netip.Addr, srcPort, dstPort uint16) ([]byte, bool) {
-	if value, ok := f.ruleIdMap.Load(buildKey(srcIP, dstIP, srcPort, dstPort)); ok {
-		return value.([]byte), true
-	} else if value, ok := f.ruleIdMap.Load(buildKey(dstIP, srcIP, dstPort, srcPort)); ok {
-		return value.([]byte), true
-	}
-
-	return nil, false
-}
-
-func (f *Forwarder) DeleteRuleID(srcIP, dstIP netip.Addr, srcPort, dstPort uint16) {
-	if _, ok := f.ruleIdMap.LoadAndDelete(buildKey(srcIP, dstIP, srcPort, dstPort)); ok {
-		return
-	}
-	f.ruleIdMap.LoadAndDelete(buildKey(dstIP, srcIP, dstPort, srcPort))
-}
-
-func buildKey(srcIP, dstIP netip.Addr, srcPort, dstPort uint16) conntrack.ConnKey {
-	return conntrack.ConnKey{
-		SrcIP:   srcIP,
-		DstIP:   dstIP,
-		SrcPort: srcPort,
-		DstPort: dstPort,
-	}
-}

client/firewall/uspfilter/forwarder/icmp.go

@@ -25,7 +25,7 @@ func (f *Forwarder) handleICMP(id stack.TransportEndpointID, pkt stack.PacketBuf
 	}
 
 	flowID := uuid.New()
-	f.sendICMPEvent(nftypes.TypeStart, flowID, id, icmpType, icmpCode, 0, 0)
+	f.sendICMPEvent(nftypes.TypeStart, flowID, id, icmpType, icmpCode)
 
 	ctx, cancel := context.WithTimeout(f.ctx, 5*time.Second)
 	defer cancel()
@@ -34,14 +34,14 @@ func (f *Forwarder) handleICMP(id stack.TransportEndpointID, pkt stack.PacketBuf
 	// TODO: support non-root
 	conn, err := lc.ListenPacket(ctx, "ip4:icmp", "0.0.0.0")
 	if err != nil {
-		f.logger.Error("forwarder: Failed to create ICMP socket for %v: %v", epID(id), err)
+		f.logger.Error("Failed to create ICMP socket for %v: %v", epID(id), err)
 
 		// This will make netstack reply on behalf of the original destination, that's ok for now
 		return false
 	}
 	defer func() {
 		if err := conn.Close(); err != nil {
-			f.logger.Debug("forwarder: Failed to close ICMP socket: %v", err)
+			f.logger.Debug("Failed to close ICMP socket: %v", err)
 		}
 	}()
 
@@ -52,37 +52,36 @@ func (f *Forwarder) handleICMP(id stack.TransportEndpointID, pkt stack.PacketBuf
 	payload := fullPacket.AsSlice()
 
 	if _, err = conn.WriteTo(payload, dst); err != nil {
-		f.logger.Error("forwarder: Failed to write ICMP packet for %v: %v", epID(id), err)
+		f.logger.Error("Failed to write ICMP packet for %v: %v", epID(id), err)
 		return true
 	}
 
-	f.logger.Trace("forwarder: Forwarded ICMP packet %v type %v code %v",
+	f.logger.Trace("Forwarded ICMP packet %v type %v code %v",
 		epID(id), icmpHdr.Type(), icmpHdr.Code())
 
 	// For Echo Requests, send and handle response
 	if header.ICMPv4Type(icmpType) == header.ICMPv4Echo {
-		rxBytes := pkt.Size()
-		txBytes := f.handleEchoResponse(icmpHdr, conn, id)
-		f.sendICMPEvent(nftypes.TypeEnd, flowID, id, icmpType, icmpCode, uint64(rxBytes), uint64(txBytes))
+		f.handleEchoResponse(icmpHdr, conn, id)
+		f.sendICMPEvent(nftypes.TypeEnd, flowID, id, icmpType, icmpCode)
 	}
 
 	// For other ICMP types (Time Exceeded, Destination Unreachable, etc) do nothing
 	return true
 }
 
-func (f *Forwarder) handleEchoResponse(icmpHdr header.ICMPv4, conn net.PacketConn, id stack.TransportEndpointID) int {
+func (f *Forwarder) handleEchoResponse(icmpHdr header.ICMPv4, conn net.PacketConn, id stack.TransportEndpointID) {
 	if err := conn.SetReadDeadline(time.Now().Add(5 * time.Second)); err != nil {
-		f.logger.Error("forwarder: Failed to set read deadline for ICMP response: %v", err)
-		return 0
+		f.logger.Error("Failed to set read deadline for ICMP response: %v", err)
+		return
 	}
 
 	response := make([]byte, f.endpoint.mtu)
 	n, _, err := conn.ReadFrom(response)
 	if err != nil {
 		if !isTimeout(err) {
-			f.logger.Error("forwarder: Failed to read ICMP response: %v", err)
+			f.logger.Error("Failed to read ICMP response: %v", err)
 		}
-		return 0
+		return
 	}
 
 	ipHdr := make([]byte, header.IPv4MinimumSize)
@@ -101,54 +100,28 @@ func (f *Forwarder) handleEchoResponse(icmpHdr header.ICMPv4, conn net.PacketCon
 	fullPacket = append(fullPacket, response[:n]...)
 
 	if err := f.InjectIncomingPacket(fullPacket); err != nil {
-		f.logger.Error("forwarder: Failed to inject ICMP response: %v", err)
+		f.logger.Error("Failed to inject ICMP response: %v", err)
 
-		return 0
+		return
 	}
 
-	f.logger.Trace("forwarder: Forwarded ICMP echo reply for %v type %v code %v",
+	f.logger.Trace("Forwarded ICMP echo reply for %v type %v code %v",
 		epID(id), icmpHdr.Type(), icmpHdr.Code())
-
-	return len(fullPacket)
 }
 
 // sendICMPEvent stores flow events for ICMP packets
-func (f *Forwarder) sendICMPEvent(typ nftypes.Type, flowID uuid.UUID, id stack.TransportEndpointID, icmpType, icmpCode uint8, rxBytes, txBytes uint64) {
-	var rxPackets, txPackets uint64
-	if rxBytes > 0 {
-		rxPackets = 1
-	}
-	if txBytes > 0 {
-		txPackets = 1
-	}
-
-	srcIp := netip.AddrFrom4(id.RemoteAddress.As4())
-	dstIp := netip.AddrFrom4(id.LocalAddress.As4())
-
-	fields := nftypes.EventFields{
+func (f *Forwarder) sendICMPEvent(typ nftypes.Type, flowID uuid.UUID, id stack.TransportEndpointID, icmpType, icmpCode uint8) {
+	f.flowLogger.StoreEvent(nftypes.EventFields{
 		FlowID:    flowID,
 		Type:      typ,
 		Direction: nftypes.Ingress,
 		Protocol:  nftypes.ICMP,
 		// TODO: handle ipv6
-		SourceIP: srcIp,
-		DestIP:   dstIp,
+		SourceIP: netip.AddrFrom4(id.RemoteAddress.As4()),
+		DestIP:   netip.AddrFrom4(id.LocalAddress.As4()),
 		ICMPType: icmpType,
 		ICMPCode: icmpCode,
 
-		RxBytes:   rxBytes,
-		TxBytes:   txBytes,
-		RxPackets: rxPackets,
-		TxPackets: txPackets,
-	}
-
-	if typ == nftypes.TypeStart {
-		if ruleId, ok := f.getRuleID(srcIp, dstIp, id.RemotePort, id.LocalPort); ok {
-			fields.RuleID = ruleId
-		}
-	} else {
-		f.DeleteRuleID(srcIp, dstIp, id.RemotePort, id.LocalPort)
-	}
-
-	f.flowLogger.StoreEvent(fields)
+		// TODO: get packets/bytes
+	})
 }

client/firewall/uspfilter/forwarder/tcp.go

@@ -6,10 +6,8 @@ import (
 	"io"
 	"net"
 	"net/netip"
-	"sync"
 
 	"github.com/google/uuid"
-
 	"gvisor.dev/gvisor/pkg/tcpip"
 	"gvisor.dev/gvisor/pkg/tcpip/adapters/gonet"
 	"gvisor.dev/gvisor/pkg/tcpip/stack"
@@ -25,11 +23,11 @@ func (f *Forwarder) handleTCP(r *tcp.ForwarderRequest) {
 
 	flowID := uuid.New()
 
-	f.sendTCPEvent(nftypes.TypeStart, flowID, id, 0, 0, 0, 0)
+	f.sendTCPEvent(nftypes.TypeStart, flowID, id, nil)
 	var success bool
 	defer func() {
 		if !success {
-			f.sendTCPEvent(nftypes.TypeEnd, flowID, id, 0, 0, 0, 0)
+			f.sendTCPEvent(nftypes.TypeEnd, flowID, id, nil)
 		}
 	}()
 
@@ -67,97 +65,67 @@ func (f *Forwarder) handleTCP(r *tcp.ForwarderRequest) {
 }
 
 func (f *Forwarder) proxyTCP(id stack.TransportEndpointID, inConn *gonet.TCPConn, outConn net.Conn, ep tcpip.Endpoint, flowID uuid.UUID) {
+	defer func() {
+		if err := inConn.Close(); err != nil {
+			f.logger.Debug("forwarder: inConn close error: %v", err)
+		}
+		if err := outConn.Close(); err != nil {
+			f.logger.Debug("forwarder: outConn close error: %v", err)
+		}
+		ep.Close()
 
+		f.sendTCPEvent(nftypes.TypeEnd, flowID, id, ep)
+	}()
+
+	// Create context for managing the proxy goroutines
 	ctx, cancel := context.WithCancel(f.ctx)
 	defer cancel()
 
-	go func() {
-		<-ctx.Done()
-		// Close connections and endpoint.
-		if err := inConn.Close(); err != nil && !isClosedError(err) {
-			f.logger.Debug("forwarder: inConn close error: %v", err)
-		}
-		if err := outConn.Close(); err != nil && !isClosedError(err) {
-			f.logger.Debug("forwarder: outConn close error: %v", err)
-		}
-
-		ep.Close()
-	}()
-
-	var wg sync.WaitGroup
-	wg.Add(2)
-
-	var (
-		bytesFromInToOut int64 // bytes from client to server (tx for client)
-		bytesFromOutToIn int64 // bytes from server to client (rx for client)
-		errInToOut       error
-		errOutToIn       error
-	)
+	errChan := make(chan error, 2)
 
 	go func() {
-		bytesFromInToOut, errInToOut = io.Copy(outConn, inConn)
-		cancel()
-		wg.Done()
+		_, err := io.Copy(outConn, inConn)
+		errChan <- err
 	}()
 
 	go func() {
-
-		bytesFromOutToIn, errOutToIn = io.Copy(inConn, outConn)
-		cancel()
-		wg.Done()
+		_, err := io.Copy(inConn, outConn)
+		errChan <- err
 	}()
 
-	wg.Wait()
-
-	if errInToOut != nil {
-		if !isClosedError(errInToOut) {
-			f.logger.Error("proxyTCP: copy error (in → out) for %s: %v", epID(id), errInToOut)
+	select {
+	case <-ctx.Done():
+		f.logger.Trace("forwarder: tearing down TCP connection %v due to context done", epID(id))
+		return
+	case err := <-errChan:
+		if err != nil && !isClosedError(err) {
+			f.logger.Error("proxyTCP: copy error: %v", err)
 		}
+		f.logger.Trace("forwarder: tearing down TCP connection %v", epID(id))
+		return
 	}
-	if errOutToIn != nil {
-		if !isClosedError(errOutToIn) {
-			f.logger.Error("proxyTCP: copy error (out → in) for %s: %v", epID(id), errOutToIn)
-		}
-	}
-
-	var rxPackets, txPackets uint64
-	if tcpStats, ok := ep.Stats().(*tcp.Stats); ok {
-		// fields are flipped since this is the in conn
-		rxPackets = tcpStats.SegmentsSent.Value()
-		txPackets = tcpStats.SegmentsReceived.Value()
-	}
-
-	f.logger.Trace("forwarder: Removed TCP connection %s [in: %d Pkts/%d B, out: %d Pkts/%d B]", epID(id), rxPackets, bytesFromOutToIn, txPackets, bytesFromInToOut)
-
-	f.sendTCPEvent(nftypes.TypeEnd, flowID, id, uint64(bytesFromOutToIn), uint64(bytesFromInToOut), rxPackets, txPackets)
 }
 
-func (f *Forwarder) sendTCPEvent(typ nftypes.Type, flowID uuid.UUID, id stack.TransportEndpointID, rxBytes, txBytes, rxPackets, txPackets uint64) {
-	srcIp := netip.AddrFrom4(id.RemoteAddress.As4())
-	dstIp := netip.AddrFrom4(id.LocalAddress.As4())
-
+func (f *Forwarder) sendTCPEvent(typ nftypes.Type, flowID uuid.UUID, id stack.TransportEndpointID, ep tcpip.Endpoint) {
 	fields := nftypes.EventFields{
 		FlowID:    flowID,
 		Type:      typ,
 		Direction: nftypes.Ingress,
 		Protocol:  nftypes.TCP,
 		// TODO: handle ipv6
-		SourceIP:   srcIp,
-		DestIP:     dstIp,
+		SourceIP:   netip.AddrFrom4(id.RemoteAddress.As4()),
+		DestIP:     netip.AddrFrom4(id.LocalAddress.As4()),
 		SourcePort: id.RemotePort,
 		DestPort:   id.LocalPort,
-		RxBytes:    rxBytes,
-		TxBytes:    txBytes,
-		RxPackets:  rxPackets,
-		TxPackets:  txPackets,
 	}
 
-	if typ == nftypes.TypeStart {
-		if ruleId, ok := f.getRuleID(srcIp, dstIp, id.RemotePort, id.LocalPort); ok {
-			fields.RuleID = ruleId
+	if ep != nil {
+		if tcpStats, ok := ep.Stats().(*tcp.Stats); ok {
+			// fields are flipped since this is the in conn
+			// TODO: get bytes
+			fields.RxPackets = tcpStats.SegmentsSent.Value()
+			fields.TxPackets = tcpStats.SegmentsReceived.Value()
 		}
-	} else {
-		f.DeleteRuleID(srcIp, dstIp, id.RemotePort, id.LocalPort)
 	}
 
 	f.flowLogger.StoreEvent(fields)

client/firewall/uspfilter/forwarder/udp.go

@@ -149,11 +149,11 @@ func (f *Forwarder) handleUDP(r *udp.ForwarderRequest) {
 
 	flowID := uuid.New()
 
-	f.sendUDPEvent(nftypes.TypeStart, flowID, id, 0, 0, 0, 0)
+	f.sendUDPEvent(nftypes.TypeStart, flowID, id, nil)
 	var success bool
 	defer func() {
 		if !success {
-			f.sendUDPEvent(nftypes.TypeEnd, flowID, id, 0, 0, 0, 0)
+			f.sendUDPEvent(nftypes.TypeEnd, flowID, id, nil)
 		}
 	}()
 
@@ -199,6 +199,7 @@ func (f *Forwarder) handleUDP(r *udp.ForwarderRequest) {
 		if err := outConn.Close(); err != nil {
 			f.logger.Debug("forwarder: UDP outConn close error for %v: %v", epID(id), err)
 		}
+
 		return
 	}
 	f.udpForwarder.conns[id] = pConn
@@ -211,94 +212,68 @@ func (f *Forwarder) handleUDP(r *udp.ForwarderRequest) {
 }
 
 func (f *Forwarder) proxyUDP(ctx context.Context, pConn *udpPacketConn, id stack.TransportEndpointID, ep tcpip.Endpoint) {
-
-	ctx, cancel := context.WithCancel(f.ctx)
-	defer cancel()
-
-	go func() {
-		<-ctx.Done()
-
+	defer func() {
 		pConn.cancel()
-		if err := pConn.conn.Close(); err != nil && !isClosedError(err) {
+		if err := pConn.conn.Close(); err != nil {
 			f.logger.Debug("forwarder: UDP inConn close error for %v: %v", epID(id), err)
 		}
-		if err := pConn.outConn.Close(); err != nil && !isClosedError(err) {
+		if err := pConn.outConn.Close(); err != nil {
 			f.logger.Debug("forwarder: UDP outConn close error for %v: %v", epID(id), err)
 		}
 
 		ep.Close()
+
+		f.udpForwarder.Lock()
+		delete(f.udpForwarder.conns, id)
+		f.udpForwarder.Unlock()
+
+		f.sendUDPEvent(nftypes.TypeEnd, pConn.flowID, id, ep)
 	}()
 
-	var wg sync.WaitGroup
-	wg.Add(2)
+	errChan := make(chan error, 2)
 
-	var txBytes, rxBytes int64
-	var outboundErr, inboundErr error
-
-	// outbound->inbound: copy from pConn.conn to pConn.outConn
 	go func() {
-		defer wg.Done()
-		txBytes, outboundErr = pConn.copy(ctx, pConn.conn, pConn.outConn, &f.udpForwarder.bufPool, "outbound->inbound")
+		errChan <- pConn.copy(ctx, pConn.conn, pConn.outConn, &f.udpForwarder.bufPool, "outbound->inbound")
 	}()
 
-	// inbound->outbound: copy from pConn.outConn to pConn.conn
 	go func() {
-		defer wg.Done()
-		rxBytes, inboundErr = pConn.copy(ctx, pConn.outConn, pConn.conn, &f.udpForwarder.bufPool, "inbound->outbound")
+		errChan <- pConn.copy(ctx, pConn.outConn, pConn.conn, &f.udpForwarder.bufPool, "inbound->outbound")
 	}()
 
-	wg.Wait()
-
-	if outboundErr != nil && !isClosedError(outboundErr) {
-		f.logger.Error("proxyUDP: copy error (outbound→inbound) for %s: %v", epID(id), outboundErr)
+	select {
+	case <-ctx.Done():
+		f.logger.Trace("forwarder: tearing down UDP connection %v due to context done", epID(id))
+		return
+	case err := <-errChan:
+		if err != nil && !isClosedError(err) {
+			f.logger.Error("proxyUDP: copy error: %v", err)
+		}
+		f.logger.Trace("forwarder: tearing down UDP connection %v", epID(id))
+		return
 	}
-	if inboundErr != nil && !isClosedError(inboundErr) {
-		f.logger.Error("proxyUDP: copy error (inbound→outbound) for %s: %v", epID(id), inboundErr)
-	}
-
-	var rxPackets, txPackets uint64
-	if udpStats, ok := ep.Stats().(*tcpip.TransportEndpointStats); ok {
-		// fields are flipped since this is the in conn
-		rxPackets = udpStats.PacketsSent.Value()
-		txPackets = udpStats.PacketsReceived.Value()
-	}
-
-	f.logger.Trace("forwarder: Removed UDP connection %s [in: %d Pkts/%d B, out: %d Pkts/%d B]", epID(id), rxPackets, rxBytes, txPackets, txBytes)
-
-	f.udpForwarder.Lock()
-	delete(f.udpForwarder.conns, id)
-	f.udpForwarder.Unlock()
-
-	f.sendUDPEvent(nftypes.TypeEnd, pConn.flowID, id, uint64(rxBytes), uint64(txBytes), rxPackets, txPackets)
 }
 
 // sendUDPEvent stores flow events for UDP connections
-func (f *Forwarder) sendUDPEvent(typ nftypes.Type, flowID uuid.UUID, id stack.TransportEndpointID, rxBytes, txBytes, rxPackets, txPackets uint64) {
-	srcIp := netip.AddrFrom4(id.RemoteAddress.As4())
-	dstIp := netip.AddrFrom4(id.LocalAddress.As4())
-
+func (f *Forwarder) sendUDPEvent(typ nftypes.Type, flowID uuid.UUID, id stack.TransportEndpointID, ep tcpip.Endpoint) {
 	fields := nftypes.EventFields{
 		FlowID:    flowID,
 		Type:      typ,
 		Direction: nftypes.Ingress,
 		Protocol:  nftypes.UDP,
 		// TODO: handle ipv6
-		SourceIP:   srcIp,
-		DestIP:     dstIp,
+		SourceIP:   netip.AddrFrom4(id.RemoteAddress.As4()),
+		DestIP:     netip.AddrFrom4(id.LocalAddress.As4()),
 		SourcePort: id.RemotePort,
 		DestPort:   id.LocalPort,
-		RxBytes:    rxBytes,
-		TxBytes:    txBytes,
-		RxPackets:  rxPackets,
-		TxPackets:  txPackets,
 	}
 
-	if typ == nftypes.TypeStart {
-		if ruleId, ok := f.getRuleID(srcIp, dstIp, id.RemotePort, id.LocalPort); ok {
-			fields.RuleID = ruleId
+	if ep != nil {
+		if tcpStats, ok := ep.Stats().(*tcpip.TransportEndpointStats); ok {
+			// fields are flipped since this is the in conn
+			// TODO: get bytes
+			fields.RxPackets = tcpStats.PacketsSent.Value()
+			fields.TxPackets = tcpStats.PacketsReceived.Value()
 		}
-	} else {
-		f.DeleteRuleID(srcIp, dstIp, id.RemotePort, id.LocalPort)
 	}
 
 	f.flowLogger.StoreEvent(fields)
@@ -313,20 +288,18 @@ func (c *udpPacketConn) getIdleDuration() time.Duration {
 	return time.Since(lastSeen)
 }
 
-// copy reads from src and writes to dst.
-func (c *udpPacketConn) copy(ctx context.Context, dst net.Conn, src net.Conn, bufPool *sync.Pool, direction string) (int64, error) {
+func (c *udpPacketConn) copy(ctx context.Context, dst net.Conn, src net.Conn, bufPool *sync.Pool, direction string) error {
 	bufp := bufPool.Get().(*[]byte)
 	defer bufPool.Put(bufp)
 	buffer := *bufp
-	var totalBytes int64 = 0
 
 	for {
 		if ctx.Err() != nil {
-			return totalBytes, ctx.Err()
+			return ctx.Err()
 		}
 
 		if err := src.SetDeadline(time.Now().Add(udpTimeout)); err != nil {
-			return totalBytes, fmt.Errorf("set read deadline: %w", err)
+			return fmt.Errorf("set read deadline: %w", err)
 		}
 
 		n, err := src.Read(buffer)
@@ -334,15 +307,14 @@ func (c *udpPacketConn) copy(ctx context.Context, dst net.Conn, src net.Conn, bu
 			if isTimeout(err) {
 				continue
 			}
-			return totalBytes, fmt.Errorf("read from %s: %w", direction, err)
+			return fmt.Errorf("read from %s: %w", direction, err)
 		}
 
-		nWritten, err := dst.Write(buffer[:n])
+		_, err = dst.Write(buffer[:n])
 		if err != nil {
-			return totalBytes, fmt.Errorf("write to %s: %w", direction, err)
+			return fmt.Errorf("write to %s: %w", direction, err)
 		}
 
-		totalBytes += int64(nWritten)
 		c.updateLastSeen()
 	}
 }

client/firewall/uspfilter/localip.go

@@ -45,26 +45,24 @@ func (m *localIPManager) setBitmapBit(ip net.IP) {
 	m.ipv4Bitmap[high].bitmap[index] |= 1 << bit
 }
 
-func (m *localIPManager) setBitInBitmap(ip netip.Addr, bitmap *[256]*ipv4LowBitmap, ipv4Set map[netip.Addr]struct{}, ipv4Addresses *[]netip.Addr) {
-	if !ip.Is4() {
-		return
-	}
-	ipv4 := ip.AsSlice()
+func (m *localIPManager) setBitInBitmap(ip net.IP, bitmap *[256]*ipv4LowBitmap, ipv4Set map[string]struct{}, ipv4Addresses *[]string) {
+	if ipv4 := ip.To4(); ipv4 != nil {
+		high := uint16(ipv4[0])
+		low := (uint16(ipv4[1]) << 8) | (uint16(ipv4[2]) << 4) | uint16(ipv4[3])
 
-	high := uint16(ipv4[0])
-	low := (uint16(ipv4[1]) << 8) | (uint16(ipv4[2]) << 4) | uint16(ipv4[3])
+		if bitmap[high] == nil {
+			bitmap[high] = &ipv4LowBitmap{}
+		}
 
-	if bitmap[high] == nil {
-		bitmap[high] = &ipv4LowBitmap{}
-	}
+		index := low / 32
+		bit := low % 32
+		bitmap[high].bitmap[index] |= 1 << bit
 
-	index := low / 32
-	bit := low % 32
-	bitmap[high].bitmap[index] |= 1 << bit
-
-	if _, exists := ipv4Set[ip]; !exists {
-		ipv4Set[ip] = struct{}{}
-		*ipv4Addresses = append(*ipv4Addresses, ip)
+		ipStr := ipv4.String()
+		if _, exists := ipv4Set[ipStr]; !exists {
+			ipv4Set[ipStr] = struct{}{}
+			*ipv4Addresses = append(*ipv4Addresses, ipStr)
+		}
 	}
 }
 
@@ -81,12 +79,12 @@ func (m *localIPManager) checkBitmapBit(ip []byte) bool {
 	return (m.ipv4Bitmap[high].bitmap[index] & (1 << bit)) != 0
 }
 
-func (m *localIPManager) processIP(ip netip.Addr, bitmap *[256]*ipv4LowBitmap, ipv4Set map[netip.Addr]struct{}, ipv4Addresses *[]netip.Addr) error {
+func (m *localIPManager) processIP(ip net.IP, bitmap *[256]*ipv4LowBitmap, ipv4Set map[string]struct{}, ipv4Addresses *[]string) error {
 	m.setBitInBitmap(ip, bitmap, ipv4Set, ipv4Addresses)
 	return nil
 }
 
-func (m *localIPManager) processInterface(iface net.Interface, bitmap *[256]*ipv4LowBitmap, ipv4Set map[netip.Addr]struct{}, ipv4Addresses *[]netip.Addr) {
+func (m *localIPManager) processInterface(iface net.Interface, bitmap *[256]*ipv4LowBitmap, ipv4Set map[string]struct{}, ipv4Addresses *[]string) {
 	addrs, err := iface.Addrs()
 	if err != nil {
 		log.Debugf("get addresses for interface %s failed: %v", iface.Name, err)
@@ -104,13 +102,7 @@ func (m *localIPManager) processInterface(iface net.Interface, bitmap *[256]*ipv
 			continue
 		}
 
-		addr, ok := netip.AddrFromSlice(ip)
-		if !ok {
-			log.Warnf("invalid IP address %s in interface %s", ip.String(), iface.Name)
-			continue
-		}
-
-		if err := m.processIP(addr.Unmap(), bitmap, ipv4Set, ipv4Addresses); err != nil {
+		if err := m.processIP(ip, bitmap, ipv4Set, ipv4Addresses); err != nil {
 			log.Debugf("process IP failed: %v", err)
 		}
 	}
@@ -124,8 +116,8 @@ func (m *localIPManager) UpdateLocalIPs(iface common.IFaceMapper) (err error) {
 	}()
 
 	var newIPv4Bitmap [256]*ipv4LowBitmap
-	ipv4Set := make(map[netip.Addr]struct{})
-	var ipv4Addresses []netip.Addr
+	ipv4Set := make(map[string]struct{})
+	var ipv4Addresses []string
 
 	// 127.0.0.0/8
 	newIPv4Bitmap[127] = &ipv4LowBitmap{}

client/firewall/uspfilter/localip_test.go

@@ -20,8 +20,11 @@ func TestLocalIPManager(t *testing.T) {
 		{
 			name: "Localhost range",
 			setupAddr: wgaddr.Address{
-				IP:      netip.MustParseAddr("192.168.1.1"),
-				Network: netip.MustParsePrefix("192.168.1.0/24"),
+				IP: net.ParseIP("192.168.1.1"),
+				Network: &net.IPNet{
+					IP:   net.ParseIP("192.168.1.0"),
+					Mask: net.CIDRMask(24, 32),
+				},
 			},
 			testIP:   netip.MustParseAddr("127.0.0.2"),
 			expected: true,
@@ -29,8 +32,11 @@ func TestLocalIPManager(t *testing.T) {
 		{
 			name: "Localhost standard address",
 			setupAddr: wgaddr.Address{
-				IP:      netip.MustParseAddr("192.168.1.1"),
-				Network: netip.MustParsePrefix("192.168.1.0/24"),
+				IP: net.ParseIP("192.168.1.1"),
+				Network: &net.IPNet{
+					IP:   net.ParseIP("192.168.1.0"),
+					Mask: net.CIDRMask(24, 32),
+				},
 			},
 			testIP:   netip.MustParseAddr("127.0.0.1"),
 			expected: true,
@@ -38,8 +44,11 @@ func TestLocalIPManager(t *testing.T) {
 		{
 			name: "Localhost range edge",
 			setupAddr: wgaddr.Address{
-				IP:      netip.MustParseAddr("192.168.1.1"),
-				Network: netip.MustParsePrefix("192.168.1.0/24"),
+				IP: net.ParseIP("192.168.1.1"),
+				Network: &net.IPNet{
+					IP:   net.ParseIP("192.168.1.0"),
+					Mask: net.CIDRMask(24, 32),
+				},
 			},
 			testIP:   netip.MustParseAddr("127.255.255.255"),
 			expected: true,
@@ -47,8 +56,11 @@ func TestLocalIPManager(t *testing.T) {
 		{
 			name: "Local IP matches",
 			setupAddr: wgaddr.Address{
-				IP:      netip.MustParseAddr("192.168.1.1"),
-				Network: netip.MustParsePrefix("192.168.1.0/24"),
+				IP: net.ParseIP("192.168.1.1"),
+				Network: &net.IPNet{
+					IP:   net.ParseIP("192.168.1.0"),
+					Mask: net.CIDRMask(24, 32),
+				},
 			},
 			testIP:   netip.MustParseAddr("192.168.1.1"),
 			expected: true,
@@ -56,8 +68,11 @@ func TestLocalIPManager(t *testing.T) {
 		{
 			name: "Local IP doesn't match",
 			setupAddr: wgaddr.Address{
-				IP:      netip.MustParseAddr("192.168.1.1"),
-				Network: netip.MustParsePrefix("192.168.1.0/24"),
+				IP: net.ParseIP("192.168.1.1"),
+				Network: &net.IPNet{
+					IP:   net.ParseIP("192.168.1.0"),
+					Mask: net.CIDRMask(24, 32),
+				},
 			},
 			testIP:   netip.MustParseAddr("192.168.1.2"),
 			expected: false,
@@ -65,8 +80,11 @@ func TestLocalIPManager(t *testing.T) {
 		{
 			name: "Local IP doesn't match - addresses 32 apart",
 			setupAddr: wgaddr.Address{
-				IP:      netip.MustParseAddr("192.168.1.1"),
-				Network: netip.MustParsePrefix("192.168.1.0/24"),
+				IP: net.ParseIP("192.168.1.1"),
+				Network: &net.IPNet{
+					IP:   net.ParseIP("192.168.1.0"),
+					Mask: net.CIDRMask(24, 32),
+				},
 			},
 			testIP:   netip.MustParseAddr("192.168.1.33"),
 			expected: false,
@@ -74,8 +92,11 @@ func TestLocalIPManager(t *testing.T) {
 		{
 			name: "IPv6 address",
 			setupAddr: wgaddr.Address{
-				IP:      netip.MustParseAddr("fe80::1"),
-				Network: netip.MustParsePrefix("192.168.1.0/24"),
+				IP: net.ParseIP("fe80::1"),
+				Network: &net.IPNet{
+					IP:   net.ParseIP("fe80::"),
+					Mask: net.CIDRMask(64, 128),
+				},
 			},
 			testIP:   netip.MustParseAddr("fe80::1"),
 			expected: false,

client/firewall/uspfilter/nat.go

@@ -1,408 +0,0 @@
-package uspfilter
-
-import (
-	"encoding/binary"
-	"errors"
-	"fmt"
-	"net/netip"
-
-	"github.com/google/gopacket/layers"
-
-	firewall "github.com/netbirdio/netbird/client/firewall/manager"
-)
-
-var ErrIPv4Only = errors.New("only IPv4 is supported for DNAT")
-
-func ipv4Checksum(header []byte) uint16 {
-	if len(header) < 20 {
-		return 0
-	}
-
-	var sum1, sum2 uint32
-
-	// Parallel processing - unroll and compute two sums simultaneously
-	sum1 += uint32(binary.BigEndian.Uint16(header[0:2]))
-	sum2 += uint32(binary.BigEndian.Uint16(header[2:4]))
-	sum1 += uint32(binary.BigEndian.Uint16(header[4:6]))
-	sum2 += uint32(binary.BigEndian.Uint16(header[6:8]))
-	sum1 += uint32(binary.BigEndian.Uint16(header[8:10]))
-	// Skip checksum field at [10:12]
-	sum2 += uint32(binary.BigEndian.Uint16(header[12:14]))
-	sum1 += uint32(binary.BigEndian.Uint16(header[14:16]))
-	sum2 += uint32(binary.BigEndian.Uint16(header[16:18]))
-	sum1 += uint32(binary.BigEndian.Uint16(header[18:20]))
-
-	sum := sum1 + sum2
-
-	// Handle remaining bytes for headers > 20 bytes
-	for i := 20; i < len(header)-1; i += 2 {
-		sum += uint32(binary.BigEndian.Uint16(header[i : i+2]))
-	}
-
-	if len(header)%2 == 1 {
-		sum += uint32(header[len(header)-1]) << 8
-	}
-
-	// Optimized carry fold - single iteration handles most cases
-	sum = (sum & 0xFFFF) + (sum >> 16)
-	if sum > 0xFFFF {
-		sum++
-	}
-
-	return ^uint16(sum)
-}
-
-func icmpChecksum(data []byte) uint16 {
-	var sum1, sum2, sum3, sum4 uint32
-	i := 0
-
-	// Process 16 bytes at once with 4 parallel accumulators
-	for i <= len(data)-16 {
-		sum1 += uint32(binary.BigEndian.Uint16(data[i : i+2]))
-		sum2 += uint32(binary.BigEndian.Uint16(data[i+2 : i+4]))
-		sum3 += uint32(binary.BigEndian.Uint16(data[i+4 : i+6]))
-		sum4 += uint32(binary.BigEndian.Uint16(data[i+6 : i+8]))
-		sum1 += uint32(binary.BigEndian.Uint16(data[i+8 : i+10]))
-		sum2 += uint32(binary.BigEndian.Uint16(data[i+10 : i+12]))
-		sum3 += uint32(binary.BigEndian.Uint16(data[i+12 : i+14]))
-		sum4 += uint32(binary.BigEndian.Uint16(data[i+14 : i+16]))
-		i += 16
-	}
-
-	sum := sum1 + sum2 + sum3 + sum4
-
-	// Handle remaining bytes
-	for i < len(data)-1 {
-		sum += uint32(binary.BigEndian.Uint16(data[i : i+2]))
-		i += 2
-	}
-
-	if len(data)%2 == 1 {
-		sum += uint32(data[len(data)-1]) << 8
-	}
-
-	sum = (sum & 0xFFFF) + (sum >> 16)
-	if sum > 0xFFFF {
-		sum++
-	}
-
-	return ^uint16(sum)
-}
-
-type biDNATMap struct {
-	forward map[netip.Addr]netip.Addr
-	reverse map[netip.Addr]netip.Addr
-}
-
-func newBiDNATMap() *biDNATMap {
-	return &biDNATMap{
-		forward: make(map[netip.Addr]netip.Addr),
-		reverse: make(map[netip.Addr]netip.Addr),
-	}
-}
-
-func (b *biDNATMap) set(original, translated netip.Addr) {
-	b.forward[original] = translated
-	b.reverse[translated] = original
-}
-
-func (b *biDNATMap) delete(original netip.Addr) {
-	if translated, exists := b.forward[original]; exists {
-		delete(b.forward, original)
-		delete(b.reverse, translated)
-	}
-}
-
-func (b *biDNATMap) getTranslated(original netip.Addr) (netip.Addr, bool) {
-	translated, exists := b.forward[original]
-	return translated, exists
-}
-
-func (b *biDNATMap) getOriginal(translated netip.Addr) (netip.Addr, bool) {
-	original, exists := b.reverse[translated]
-	return original, exists
-}
-
-func (m *Manager) AddInternalDNATMapping(originalAddr, translatedAddr netip.Addr) error {
-	if !originalAddr.IsValid() || !translatedAddr.IsValid() {
-		return fmt.Errorf("invalid IP addresses")
-	}
-
-	if m.localipmanager.IsLocalIP(translatedAddr) {
-		return fmt.Errorf("cannot map to local IP: %s", translatedAddr)
-	}
-
-	m.dnatMutex.Lock()
-	defer m.dnatMutex.Unlock()
-
-	// Initialize both maps together if either is nil
-	if m.dnatMappings == nil || m.dnatBiMap == nil {
-		m.dnatMappings = make(map[netip.Addr]netip.Addr)
-		m.dnatBiMap = newBiDNATMap()
-	}
-
-	m.dnatMappings[originalAddr] = translatedAddr
-	m.dnatBiMap.set(originalAddr, translatedAddr)
-
-	if len(m.dnatMappings) == 1 {
-		m.dnatEnabled.Store(true)
-	}
-
-	return nil
-}
-
-// RemoveInternalDNATMapping removes a 1:1 IP address mapping
-func (m *Manager) RemoveInternalDNATMapping(originalAddr netip.Addr) error {
-	m.dnatMutex.Lock()
-	defer m.dnatMutex.Unlock()
-
-	if _, exists := m.dnatMappings[originalAddr]; !exists {
-		return fmt.Errorf("mapping not found for: %s", originalAddr)
-	}
-
-	delete(m.dnatMappings, originalAddr)
-	m.dnatBiMap.delete(originalAddr)
-	if len(m.dnatMappings) == 0 {
-		m.dnatEnabled.Store(false)
-	}
-
-	return nil
-}
-
-// getDNATTranslation returns the translated address if a mapping exists
-func (m *Manager) getDNATTranslation(addr netip.Addr) (netip.Addr, bool) {
-	if !m.dnatEnabled.Load() {
-		return addr, false
-	}
-
-	m.dnatMutex.RLock()
-	translated, exists := m.dnatBiMap.getTranslated(addr)
-	m.dnatMutex.RUnlock()
-	return translated, exists
-}
-
-// findReverseDNATMapping finds original address for return traffic
-func (m *Manager) findReverseDNATMapping(translatedAddr netip.Addr) (netip.Addr, bool) {
-	if !m.dnatEnabled.Load() {
-		return translatedAddr, false
-	}
-
-	m.dnatMutex.RLock()
-	original, exists := m.dnatBiMap.getOriginal(translatedAddr)
-	m.dnatMutex.RUnlock()
-	return original, exists
-}
-
-// translateOutboundDNAT applies DNAT translation to outbound packets
-func (m *Manager) translateOutboundDNAT(packetData []byte, d *decoder) bool {
-	if !m.dnatEnabled.Load() {
-		return false
-	}
-
-	if len(packetData) < 20 || d.decoded[0] != layers.LayerTypeIPv4 {
-		return false
-	}
-
-	dstIP := netip.AddrFrom4([4]byte{packetData[16], packetData[17], packetData[18], packetData[19]})
-
-	translatedIP, exists := m.getDNATTranslation(dstIP)
-	if !exists {
-		return false
-	}
-
-	if err := m.rewritePacketDestination(packetData, d, translatedIP); err != nil {
-		m.logger.Error("Failed to rewrite packet destination: %v", err)
-		return false
-	}
-
-	m.logger.Trace("DNAT: %s -> %s", dstIP, translatedIP)
-	return true
-}
-
-// translateInboundReverse applies reverse DNAT to inbound return traffic
-func (m *Manager) translateInboundReverse(packetData []byte, d *decoder) bool {
-	if !m.dnatEnabled.Load() {
-		return false
-	}
-
-	if len(packetData) < 20 || d.decoded[0] != layers.LayerTypeIPv4 {
-		return false
-	}
-
-	srcIP := netip.AddrFrom4([4]byte{packetData[12], packetData[13], packetData[14], packetData[15]})
-
-	originalIP, exists := m.findReverseDNATMapping(srcIP)
-	if !exists {
-		return false
-	}
-
-	if err := m.rewritePacketSource(packetData, d, originalIP); err != nil {
-		m.logger.Error("Failed to rewrite packet source: %v", err)
-		return false
-	}
-
-	m.logger.Trace("Reverse DNAT: %s -> %s", srcIP, originalIP)
-	return true
-}
-
-// rewritePacketDestination replaces destination IP in the packet
-func (m *Manager) rewritePacketDestination(packetData []byte, d *decoder, newIP netip.Addr) error {
-	if len(packetData) < 20 || d.decoded[0] != layers.LayerTypeIPv4 || !newIP.Is4() {
-		return ErrIPv4Only
-	}
-
-	var oldDst [4]byte
-	copy(oldDst[:], packetData[16:20])
-	newDst := newIP.As4()
-
-	copy(packetData[16:20], newDst[:])
-
-	ipHeaderLen := int(d.ip4.IHL) * 4
-	if ipHeaderLen < 20 || ipHeaderLen > len(packetData) {
-		return fmt.Errorf("invalid IP header length")
-	}
-
-	binary.BigEndian.PutUint16(packetData[10:12], 0)
-	ipChecksum := ipv4Checksum(packetData[:ipHeaderLen])
-	binary.BigEndian.PutUint16(packetData[10:12], ipChecksum)
-
-	if len(d.decoded) > 1 {
-		switch d.decoded[1] {
-		case layers.LayerTypeTCP:
-			m.updateTCPChecksum(packetData, ipHeaderLen, oldDst[:], newDst[:])
-		case layers.LayerTypeUDP:
-			m.updateUDPChecksum(packetData, ipHeaderLen, oldDst[:], newDst[:])
-		case layers.LayerTypeICMPv4:
-			m.updateICMPChecksum(packetData, ipHeaderLen)
-		}
-	}
-
-	return nil
-}
-
-// rewritePacketSource replaces the source IP address in the packet
-func (m *Manager) rewritePacketSource(packetData []byte, d *decoder, newIP netip.Addr) error {
-	if len(packetData) < 20 || d.decoded[0] != layers.LayerTypeIPv4 || !newIP.Is4() {
-		return ErrIPv4Only
-	}
-
-	var oldSrc [4]byte
-	copy(oldSrc[:], packetData[12:16])
-	newSrc := newIP.As4()
-
-	copy(packetData[12:16], newSrc[:])
-
-	ipHeaderLen := int(d.ip4.IHL) * 4
-	if ipHeaderLen < 20 || ipHeaderLen > len(packetData) {
-		return fmt.Errorf("invalid IP header length")
-	}
-
-	binary.BigEndian.PutUint16(packetData[10:12], 0)
-	ipChecksum := ipv4Checksum(packetData[:ipHeaderLen])
-	binary.BigEndian.PutUint16(packetData[10:12], ipChecksum)
-
-	if len(d.decoded) > 1 {
-		switch d.decoded[1] {
-		case layers.LayerTypeTCP:
-			m.updateTCPChecksum(packetData, ipHeaderLen, oldSrc[:], newSrc[:])
-		case layers.LayerTypeUDP:
-			m.updateUDPChecksum(packetData, ipHeaderLen, oldSrc[:], newSrc[:])
-		case layers.LayerTypeICMPv4:
-			m.updateICMPChecksum(packetData, ipHeaderLen)
-		}
-	}
-
-	return nil
-}
-
-func (m *Manager) updateTCPChecksum(packetData []byte, ipHeaderLen int, oldIP, newIP []byte) {
-	tcpStart := ipHeaderLen
-	if len(packetData) < tcpStart+18 {
-		return
-	}
-
-	checksumOffset := tcpStart + 16
-	oldChecksum := binary.BigEndian.Uint16(packetData[checksumOffset : checksumOffset+2])
-	newChecksum := incrementalUpdate(oldChecksum, oldIP, newIP)
-	binary.BigEndian.PutUint16(packetData[checksumOffset:checksumOffset+2], newChecksum)
-}
-
-func (m *Manager) updateUDPChecksum(packetData []byte, ipHeaderLen int, oldIP, newIP []byte) {
-	udpStart := ipHeaderLen
-	if len(packetData) < udpStart+8 {
-		return
-	}
-
-	checksumOffset := udpStart + 6
-	oldChecksum := binary.BigEndian.Uint16(packetData[checksumOffset : checksumOffset+2])
-
-	if oldChecksum == 0 {
-		return
-	}
-
-	newChecksum := incrementalUpdate(oldChecksum, oldIP, newIP)
-	binary.BigEndian.PutUint16(packetData[checksumOffset:checksumOffset+2], newChecksum)
-}
-
-func (m *Manager) updateICMPChecksum(packetData []byte, ipHeaderLen int) {
-	icmpStart := ipHeaderLen
-	if len(packetData) < icmpStart+8 {
-		return
-	}
-
-	icmpData := packetData[icmpStart:]
-	binary.BigEndian.PutUint16(icmpData[2:4], 0)
-	checksum := icmpChecksum(icmpData)
-	binary.BigEndian.PutUint16(icmpData[2:4], checksum)
-}
-
-// incrementalUpdate performs incremental checksum update per RFC 1624
-func incrementalUpdate(oldChecksum uint16, oldBytes, newBytes []byte) uint16 {
-	sum := uint32(^oldChecksum)
-
-	// Fast path for IPv4 addresses (4 bytes) - most common case
-	if len(oldBytes) == 4 && len(newBytes) == 4 {
-		sum += uint32(^binary.BigEndian.Uint16(oldBytes[0:2]))
-		sum += uint32(^binary.BigEndian.Uint16(oldBytes[2:4]))
-		sum += uint32(binary.BigEndian.Uint16(newBytes[0:2]))
-		sum += uint32(binary.BigEndian.Uint16(newBytes[2:4]))
-	} else {
-		// Fallback for other lengths
-		for i := 0; i < len(oldBytes)-1; i += 2 {
-			sum += uint32(^binary.BigEndian.Uint16(oldBytes[i : i+2]))
-		}
-		if len(oldBytes)%2 == 1 {
-			sum += uint32(^oldBytes[len(oldBytes)-1]) << 8
-		}
-
-		for i := 0; i < len(newBytes)-1; i += 2 {
-			sum += uint32(binary.BigEndian.Uint16(newBytes[i : i+2]))
-		}
-		if len(newBytes)%2 == 1 {
-			sum += uint32(newBytes[len(newBytes)-1]) << 8
-		}
-	}
-
-	sum = (sum & 0xFFFF) + (sum >> 16)
-	if sum > 0xFFFF {
-		sum++
-	}
-
-	return ^uint16(sum)
-}
-
-// AddDNATRule adds a DNAT rule (delegates to native firewall for port forwarding)
-func (m *Manager) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error) {
-	if m.nativeFirewall == nil {
-		return nil, errNatNotSupported
-	}
-	return m.nativeFirewall.AddDNATRule(rule)
-}
-
-// DeleteDNATRule deletes a DNAT rule (delegates to native firewall)
-func (m *Manager) DeleteDNATRule(rule firewall.Rule) error {
-	if m.nativeFirewall == nil {
-		return errNatNotSupported
-	}
-	return m.nativeFirewall.DeleteDNATRule(rule)
-}

client/firewall/uspfilter/nat_bench_test.go

@@ -1,416 +0,0 @@
-package uspfilter
-
-import (
-	"fmt"
-	"net/netip"
-	"testing"
-
-	"github.com/google/gopacket"
-	"github.com/google/gopacket/layers"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/iface/device"
-)
-
-// BenchmarkDNATTranslation measures the performance of DNAT operations
-func BenchmarkDNATTranslation(b *testing.B) {
-	scenarios := []struct {
-		name        string
-		proto       layers.IPProtocol
-		setupDNAT   bool
-		description string
-	}{
-		{
-			name:        "tcp_with_dnat",
-			proto:       layers.IPProtocolTCP,
-			setupDNAT:   true,
-			description: "TCP packet with DNAT translation enabled",
-		},
-		{
-			name:        "tcp_without_dnat",
-			proto:       layers.IPProtocolTCP,
-			setupDNAT:   false,
-			description: "TCP packet without DNAT (baseline)",
-		},
-		{
-			name:        "udp_with_dnat",
-			proto:       layers.IPProtocolUDP,
-			setupDNAT:   true,
-			description: "UDP packet with DNAT translation enabled",
-		},
-		{
-			name:        "udp_without_dnat",
-			proto:       layers.IPProtocolUDP,
-			setupDNAT:   false,
-			description: "UDP packet without DNAT (baseline)",
-		},
-		{
-			name:        "icmp_with_dnat",
-			proto:       layers.IPProtocolICMPv4,
-			setupDNAT:   true,
-			description: "ICMP packet with DNAT translation enabled",
-		},
-		{
-			name:        "icmp_without_dnat",
-			proto:       layers.IPProtocolICMPv4,
-			setupDNAT:   false,
-			description: "ICMP packet without DNAT (baseline)",
-		},
-	}
-
-	for _, sc := range scenarios {
-		b.Run(sc.name, func(b *testing.B) {
-			manager, err := Create(&IFaceMock{
-				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger)
-			require.NoError(b, err)
-			defer func() {
-				require.NoError(b, manager.Close(nil))
-			}()
-
-			// Set logger to error level to reduce noise during benchmarking
-			manager.SetLogLevel(log.ErrorLevel)
-			defer func() {
-				// Restore to info level after benchmark
-				manager.SetLogLevel(log.InfoLevel)
-			}()
-
-			// Setup DNAT mapping if needed
-			originalIP := netip.MustParseAddr("192.168.1.100")
-			translatedIP := netip.MustParseAddr("10.0.0.100")
-
-			if sc.setupDNAT {
-				err := manager.AddInternalDNATMapping(originalIP, translatedIP)
-				require.NoError(b, err)
-			}
-
-			// Create test packets
-			srcIP := netip.MustParseAddr("172.16.0.1")
-			outboundPacket := generateDNATTestPacket(b, srcIP, originalIP, sc.proto, 12345, 80)
-
-			// Pre-establish connection for reverse DNAT test
-			if sc.setupDNAT {
-				manager.filterOutbound(outboundPacket, 0)
-			}
-
-			b.ResetTimer()
-
-			// Benchmark outbound DNAT translation
-			b.Run("outbound", func(b *testing.B) {
-				for i := 0; i < b.N; i++ {
-					// Create fresh packet each time since translation modifies it
-					packet := generateDNATTestPacket(b, srcIP, originalIP, sc.proto, 12345, 80)
-					manager.filterOutbound(packet, 0)
-				}
-			})
-
-			// Benchmark inbound reverse DNAT translation
-			if sc.setupDNAT {
-				b.Run("inbound_reverse", func(b *testing.B) {
-					for i := 0; i < b.N; i++ {
-						// Create fresh packet each time since translation modifies it
-						packet := generateDNATTestPacket(b, translatedIP, srcIP, sc.proto, 80, 12345)
-						manager.filterInbound(packet, 0)
-					}
-				})
-			}
-		})
-	}
-}
-
-// BenchmarkDNATConcurrency tests DNAT performance under concurrent load
-func BenchmarkDNATConcurrency(b *testing.B) {
-	manager, err := Create(&IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger)
-	require.NoError(b, err)
-	defer func() {
-		require.NoError(b, manager.Close(nil))
-	}()
-
-	// Set logger to error level to reduce noise during benchmarking
-	manager.SetLogLevel(log.ErrorLevel)
-	defer func() {
-		// Restore to info level after benchmark
-		manager.SetLogLevel(log.InfoLevel)
-	}()
-
-	// Setup multiple DNAT mappings
-	numMappings := 100
-	originalIPs := make([]netip.Addr, numMappings)
-	translatedIPs := make([]netip.Addr, numMappings)
-
-	for i := 0; i < numMappings; i++ {
-		originalIPs[i] = netip.MustParseAddr(fmt.Sprintf("192.168.%d.%d", (i/254)+1, (i%254)+1))
-		translatedIPs[i] = netip.MustParseAddr(fmt.Sprintf("10.0.%d.%d", (i/254)+1, (i%254)+1))
-		err := manager.AddInternalDNATMapping(originalIPs[i], translatedIPs[i])
-		require.NoError(b, err)
-	}
-
-	srcIP := netip.MustParseAddr("172.16.0.1")
-
-	// Pre-generate packets
-	outboundPackets := make([][]byte, numMappings)
-	inboundPackets := make([][]byte, numMappings)
-	for i := 0; i < numMappings; i++ {
-		outboundPackets[i] = generateDNATTestPacket(b, srcIP, originalIPs[i], layers.IPProtocolTCP, 12345, 80)
-		inboundPackets[i] = generateDNATTestPacket(b, translatedIPs[i], srcIP, layers.IPProtocolTCP, 80, 12345)
-		// Establish connections
-		manager.filterOutbound(outboundPackets[i], 0)
-	}
-
-	b.ResetTimer()
-
-	b.Run("concurrent_outbound", func(b *testing.B) {
-		b.RunParallel(func(pb *testing.PB) {
-			i := 0
-			for pb.Next() {
-				idx := i % numMappings
-				packet := generateDNATTestPacket(b, srcIP, originalIPs[idx], layers.IPProtocolTCP, 12345, 80)
-				manager.filterOutbound(packet, 0)
-				i++
-			}
-		})
-	})
-
-	b.Run("concurrent_inbound", func(b *testing.B) {
-		b.RunParallel(func(pb *testing.PB) {
-			i := 0
-			for pb.Next() {
-				idx := i % numMappings
-				packet := generateDNATTestPacket(b, translatedIPs[idx], srcIP, layers.IPProtocolTCP, 80, 12345)
-				manager.filterInbound(packet, 0)
-				i++
-			}
-		})
-	})
-}
-
-// BenchmarkDNATScaling tests how DNAT performance scales with number of mappings
-func BenchmarkDNATScaling(b *testing.B) {
-	mappingCounts := []int{1, 10, 100, 1000}
-
-	for _, count := range mappingCounts {
-		b.Run(fmt.Sprintf("mappings_%d", count), func(b *testing.B) {
-			manager, err := Create(&IFaceMock{
-				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger)
-			require.NoError(b, err)
-			defer func() {
-				require.NoError(b, manager.Close(nil))
-			}()
-
-			// Set logger to error level to reduce noise during benchmarking
-			manager.SetLogLevel(log.ErrorLevel)
-			defer func() {
-				// Restore to info level after benchmark
-				manager.SetLogLevel(log.InfoLevel)
-			}()
-
-			// Setup DNAT mappings
-			for i := 0; i < count; i++ {
-				originalIP := netip.MustParseAddr(fmt.Sprintf("192.168.%d.%d", (i/254)+1, (i%254)+1))
-				translatedIP := netip.MustParseAddr(fmt.Sprintf("10.0.%d.%d", (i/254)+1, (i%254)+1))
-				err := manager.AddInternalDNATMapping(originalIP, translatedIP)
-				require.NoError(b, err)
-			}
-
-			// Test with the last mapping added (worst case for lookup)
-			srcIP := netip.MustParseAddr("172.16.0.1")
-			lastOriginal := netip.MustParseAddr(fmt.Sprintf("192.168.%d.%d", ((count-1)/254)+1, ((count-1)%254)+1))
-
-			b.ResetTimer()
-			for i := 0; i < b.N; i++ {
-				packet := generateDNATTestPacket(b, srcIP, lastOriginal, layers.IPProtocolTCP, 12345, 80)
-				manager.filterOutbound(packet, 0)
-			}
-		})
-	}
-}
-
-// generateDNATTestPacket creates a test packet for DNAT benchmarking
-func generateDNATTestPacket(tb testing.TB, srcIP, dstIP netip.Addr, proto layers.IPProtocol, srcPort, dstPort uint16) []byte {
-	tb.Helper()
-
-	ipv4 := &layers.IPv4{
-		TTL:      64,
-		Version:  4,
-		SrcIP:    srcIP.AsSlice(),
-		DstIP:    dstIP.AsSlice(),
-		Protocol: proto,
-	}
-
-	var transportLayer gopacket.SerializableLayer
-	switch proto {
-	case layers.IPProtocolTCP:
-		tcp := &layers.TCP{
-			SrcPort: layers.TCPPort(srcPort),
-			DstPort: layers.TCPPort(dstPort),
-			SYN:     true,
-		}
-		require.NoError(tb, tcp.SetNetworkLayerForChecksum(ipv4))
-		transportLayer = tcp
-	case layers.IPProtocolUDP:
-		udp := &layers.UDP{
-			SrcPort: layers.UDPPort(srcPort),
-			DstPort: layers.UDPPort(dstPort),
-		}
-		require.NoError(tb, udp.SetNetworkLayerForChecksum(ipv4))
-		transportLayer = udp
-	case layers.IPProtocolICMPv4:
-		icmp := &layers.ICMPv4{
-			TypeCode: layers.CreateICMPv4TypeCode(layers.ICMPv4TypeEchoRequest, 0),
-		}
-		transportLayer = icmp
-	}
-
-	buf := gopacket.NewSerializeBuffer()
-	opts := gopacket.SerializeOptions{ComputeChecksums: true, FixLengths: true}
-	err := gopacket.SerializeLayers(buf, opts, ipv4, transportLayer, gopacket.Payload("test"))
-	require.NoError(tb, err)
-	return buf.Bytes()
-}
-
-// BenchmarkChecksumUpdate specifically benchmarks checksum calculation performance
-func BenchmarkChecksumUpdate(b *testing.B) {
-	// Create test data for checksum calculations
-	testData := make([]byte, 64) // Typical packet size for checksum testing
-	for i := range testData {
-		testData[i] = byte(i)
-	}
-
-	b.Run("ipv4_checksum", func(b *testing.B) {
-		for i := 0; i < b.N; i++ {
-			_ = ipv4Checksum(testData[:20]) // IPv4 header is typically 20 bytes
-		}
-	})
-
-	b.Run("icmp_checksum", func(b *testing.B) {
-		for i := 0; i < b.N; i++ {
-			_ = icmpChecksum(testData)
-		}
-	})
-
-	b.Run("incremental_update", func(b *testing.B) {
-		oldBytes := []byte{192, 168, 1, 100}
-		newBytes := []byte{10, 0, 0, 100}
-		oldChecksum := uint16(0x1234)
-
-		for i := 0; i < b.N; i++ {
-			_ = incrementalUpdate(oldChecksum, oldBytes, newBytes)
-		}
-	})
-}
-
-// BenchmarkDNATMemoryAllocations checks for memory allocations in DNAT operations
-func BenchmarkDNATMemoryAllocations(b *testing.B) {
-	manager, err := Create(&IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger)
-	require.NoError(b, err)
-	defer func() {
-		require.NoError(b, manager.Close(nil))
-	}()
-
-	// Set logger to error level to reduce noise during benchmarking
-	manager.SetLogLevel(log.ErrorLevel)
-	defer func() {
-		// Restore to info level after benchmark
-		manager.SetLogLevel(log.InfoLevel)
-	}()
-
-	originalIP := netip.MustParseAddr("192.168.1.100")
-	translatedIP := netip.MustParseAddr("10.0.0.100")
-	srcIP := netip.MustParseAddr("172.16.0.1")
-
-	err = manager.AddInternalDNATMapping(originalIP, translatedIP)
-	require.NoError(b, err)
-
-	packet := generateDNATTestPacket(b, srcIP, originalIP, layers.IPProtocolTCP, 12345, 80)
-
-	b.ResetTimer()
-	b.ReportAllocs()
-
-	for i := 0; i < b.N; i++ {
-		// Create fresh packet each time to isolate allocation testing
-		testPacket := make([]byte, len(packet))
-		copy(testPacket, packet)
-
-		// Parse the packet fresh each time to get a clean decoder
-		d := &decoder{decoded: []gopacket.LayerType{}}
-		d.parser = gopacket.NewDecodingLayerParser(
-			layers.LayerTypeIPv4,
-			&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
-		)
-		d.parser.IgnoreUnsupported = true
-		err = d.parser.DecodeLayers(testPacket, &d.decoded)
-		assert.NoError(b, err)
-
-		manager.translateOutboundDNAT(testPacket, d)
-	}
-}
-
-// BenchmarkDirectIPExtraction tests the performance improvement of direct IP extraction
-func BenchmarkDirectIPExtraction(b *testing.B) {
-	// Create a test packet
-	srcIP := netip.MustParseAddr("172.16.0.1")
-	dstIP := netip.MustParseAddr("192.168.1.100")
-	packet := generateDNATTestPacket(b, srcIP, dstIP, layers.IPProtocolTCP, 12345, 80)
-
-	b.Run("direct_byte_access", func(b *testing.B) {
-		for i := 0; i < b.N; i++ {
-			// Direct extraction from packet bytes
-			_ = netip.AddrFrom4([4]byte{packet[16], packet[17], packet[18], packet[19]})
-		}
-	})
-
-	b.Run("decoder_extraction", func(b *testing.B) {
-		// Create decoder once for comparison
-		d := &decoder{decoded: []gopacket.LayerType{}}
-		d.parser = gopacket.NewDecodingLayerParser(
-			layers.LayerTypeIPv4,
-			&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
-		)
-		d.parser.IgnoreUnsupported = true
-		err := d.parser.DecodeLayers(packet, &d.decoded)
-		assert.NoError(b, err)
-
-		for i := 0; i < b.N; i++ {
-			// Extract using decoder (traditional method)
-			dst, _ := netip.AddrFromSlice(d.ip4.DstIP)
-			_ = dst
-		}
-	})
-}
-
-// BenchmarkChecksumOptimizations compares optimized vs standard checksum implementations
-func BenchmarkChecksumOptimizations(b *testing.B) {
-	// Create test IPv4 header (20 bytes)
-	header := make([]byte, 20)
-	for i := range header {
-		header[i] = byte(i)
-	}
-	// Clear checksum field
-	header[10] = 0
-	header[11] = 0
-
-	b.Run("optimized_ipv4_checksum", func(b *testing.B) {
-		for i := 0; i < b.N; i++ {
-			_ = ipv4Checksum(header)
-		}
-	})
-
-	// Test incremental checksum updates
-	oldIP := []byte{192, 168, 1, 100}
-	newIP := []byte{10, 0, 0, 100}
-	oldChecksum := uint16(0x1234)
-
-	b.Run("optimized_incremental_update", func(b *testing.B) {
-		for i := 0; i < b.N; i++ {
-			_ = incrementalUpdate(oldChecksum, oldIP, newIP)
-		}
-	})
-}

client/firewall/uspfilter/nat_test.go

@@ -1,145 +0,0 @@
-package uspfilter
-
-import (
-	"net/netip"
-	"testing"
-
-	"github.com/google/gopacket"
-	"github.com/google/gopacket/layers"
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/client/iface/device"
-)
-
-// TestDNATTranslationCorrectness verifies DNAT translation works correctly
-func TestDNATTranslationCorrectness(t *testing.T) {
-	manager, err := Create(&IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger)
-	require.NoError(t, err)
-	defer func() {
-		require.NoError(t, manager.Close(nil))
-	}()
-
-	originalIP := netip.MustParseAddr("192.168.1.100")
-	translatedIP := netip.MustParseAddr("10.0.0.100")
-	srcIP := netip.MustParseAddr("172.16.0.1")
-
-	// Add DNAT mapping
-	err = manager.AddInternalDNATMapping(originalIP, translatedIP)
-	require.NoError(t, err)
-
-	testCases := []struct {
-		name     string
-		protocol layers.IPProtocol
-		srcPort  uint16
-		dstPort  uint16
-	}{
-		{"TCP", layers.IPProtocolTCP, 12345, 80},
-		{"UDP", layers.IPProtocolUDP, 12345, 53},
-		{"ICMP", layers.IPProtocolICMPv4, 0, 0},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			// Test outbound DNAT translation
-			outboundPacket := generateDNATTestPacket(t, srcIP, originalIP, tc.protocol, tc.srcPort, tc.dstPort)
-			originalOutbound := make([]byte, len(outboundPacket))
-			copy(originalOutbound, outboundPacket)
-
-			// Process outbound packet (should translate destination)
-			translated := manager.translateOutboundDNAT(outboundPacket, parsePacket(t, outboundPacket))
-			require.True(t, translated, "Outbound packet should be translated")
-
-			// Verify destination IP was changed
-			dstIPAfter := netip.AddrFrom4([4]byte{outboundPacket[16], outboundPacket[17], outboundPacket[18], outboundPacket[19]})
-			require.Equal(t, translatedIP, dstIPAfter, "Destination IP should be translated")
-
-			// Test inbound reverse DNAT translation
-			inboundPacket := generateDNATTestPacket(t, translatedIP, srcIP, tc.protocol, tc.dstPort, tc.srcPort)
-			originalInbound := make([]byte, len(inboundPacket))
-			copy(originalInbound, inboundPacket)
-
-			// Process inbound packet (should reverse translate source)
-			reversed := manager.translateInboundReverse(inboundPacket, parsePacket(t, inboundPacket))
-			require.True(t, reversed, "Inbound packet should be reverse translated")
-
-			// Verify source IP was changed back to original
-			srcIPAfter := netip.AddrFrom4([4]byte{inboundPacket[12], inboundPacket[13], inboundPacket[14], inboundPacket[15]})
-			require.Equal(t, originalIP, srcIPAfter, "Source IP should be reverse translated")
-
-			// Test that checksums are recalculated correctly
-			if tc.protocol != layers.IPProtocolICMPv4 {
-				// For TCP/UDP, verify the transport checksum was updated
-				require.NotEqual(t, originalOutbound, outboundPacket, "Outbound packet should be modified")
-				require.NotEqual(t, originalInbound, inboundPacket, "Inbound packet should be modified")
-			}
-		})
-	}
-}
-
-// parsePacket helper to create a decoder for testing
-func parsePacket(t testing.TB, packetData []byte) *decoder {
-	t.Helper()
-	d := &decoder{
-		decoded: []gopacket.LayerType{},
-	}
-	d.parser = gopacket.NewDecodingLayerParser(
-		layers.LayerTypeIPv4,
-		&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
-	)
-	d.parser.IgnoreUnsupported = true
-
-	err := d.parser.DecodeLayers(packetData, &d.decoded)
-	require.NoError(t, err)
-	return d
-}
-
-// TestDNATMappingManagement tests adding/removing DNAT mappings
-func TestDNATMappingManagement(t *testing.T) {
-	manager, err := Create(&IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger)
-	require.NoError(t, err)
-	defer func() {
-		require.NoError(t, manager.Close(nil))
-	}()
-
-	originalIP := netip.MustParseAddr("192.168.1.100")
-	translatedIP := netip.MustParseAddr("10.0.0.100")
-
-	// Test adding mapping
-	err = manager.AddInternalDNATMapping(originalIP, translatedIP)
-	require.NoError(t, err)
-
-	// Verify mapping exists
-	result, exists := manager.getDNATTranslation(originalIP)
-	require.True(t, exists)
-	require.Equal(t, translatedIP, result)
-
-	// Test reverse lookup
-	reverseResult, exists := manager.findReverseDNATMapping(translatedIP)
-	require.True(t, exists)
-	require.Equal(t, originalIP, reverseResult)
-
-	// Test removing mapping
-	err = manager.RemoveInternalDNATMapping(originalIP)
-	require.NoError(t, err)
-
-	// Verify mapping no longer exists
-	_, exists = manager.getDNATTranslation(originalIP)
-	require.False(t, exists)
-
-	_, exists = manager.findReverseDNATMapping(translatedIP)
-	require.False(t, exists)
-
-	// Test error cases
-	err = manager.AddInternalDNATMapping(netip.Addr{}, translatedIP)
-	require.Error(t, err, "Should reject invalid original IP")
-
-	err = manager.AddInternalDNATMapping(originalIP, netip.Addr{})
-	require.Error(t, err, "Should reject invalid translated IP")
-
-	err = manager.RemoveInternalDNATMapping(originalIP)
-	require.Error(t, err, "Should error when removing non-existent mapping")
-}

client/firewall/uspfilter/rule.go

@@ -29,15 +29,14 @@ func (r *PeerRule) ID() string {
 }
 
 type RouteRule struct {
-	id           string
-	mgmtId       []byte
-	sources      []netip.Prefix
-	dstSet       firewall.Set
-	destinations []netip.Prefix
-	proto        firewall.Protocol
-	srcPort      *firewall.Port
-	dstPort      *firewall.Port
-	action       firewall.Action
+	id          string
+	mgmtId      []byte
+	sources     []netip.Prefix
+	destination netip.Prefix
+	proto       firewall.Protocol
+	srcPort     *firewall.Port
+	dstPort     *firewall.Port
+	action      firewall.Action
 }
 
 // ID returns the rule id

client/firewall/uspfilter/tracer.go

@@ -401,7 +401,7 @@ func (m *Manager) addForwardingResult(trace *PacketTrace, action, remoteAddr str
 
 func (m *Manager) traceOutbound(packetData []byte, trace *PacketTrace) *PacketTrace {
 	// will create or update the connection state
-	dropped := m.filterOutbound(packetData, 0)
+	dropped := m.processOutgoingHooks(packetData, 0)
 	if dropped {
 		trace.AddResult(StageCompleted, "Packet dropped by outgoing hook", false)
 	} else {

client/firewall/uspfilter/tracer_test.go

@@ -38,8 +38,11 @@ func TestTracePacket(t *testing.T) {
 			SetFilterFunc: func(device.PacketFilter) error { return nil },
 			AddressFunc: func() wgaddr.Address {
 				return wgaddr.Address{
-					IP:      netip.MustParseAddr("100.10.0.100"),
-					Network: netip.MustParsePrefix("100.10.0.0/16"),
+					IP: net.ParseIP("100.10.0.100"),
+					Network: &net.IPNet{
+						IP:   net.ParseIP("100.10.0.0"),
+						Mask: net.CIDRMask(16, 32),
+					},
 				}
 			},
 		}
@@ -195,12 +198,12 @@ func TestTracePacket(t *testing.T) {
 				m.forwarder.Store(&forwarder.Forwarder{})
 
 				src := netip.PrefixFrom(netip.AddrFrom4([4]byte{1, 1, 1, 1}), 32)
-				dst := netip.PrefixFrom(netip.AddrFrom4([4]byte{192, 168, 17, 2}), 32)
-				_, err := m.AddRouteFiltering(nil, []netip.Prefix{src}, fw.Network{Prefix: dst}, fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{80}}, fw.ActionAccept)
+				dst := netip.PrefixFrom(netip.AddrFrom4([4]byte{172, 17, 0, 2}), 32)
+				_, err := m.AddRouteFiltering(nil, []netip.Prefix{src}, dst, fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{80}}, fw.ActionAccept)
 				require.NoError(t, err)
 			},
 			packetBuilder: func() *PacketBuilder {
-				return createPacketBuilder("1.1.1.1", "192.168.17.2", "tcp", 12345, 80, fw.RuleDirectionIN)
+				return createPacketBuilder("1.1.1.1", "172.17.0.2", "tcp", 12345, 80, fw.RuleDirectionIN)
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
@@ -219,12 +222,12 @@ func TestTracePacket(t *testing.T) {
 				m.nativeRouter.Store(false)
 
 				src := netip.PrefixFrom(netip.AddrFrom4([4]byte{1, 1, 1, 1}), 32)
-				dst := netip.PrefixFrom(netip.AddrFrom4([4]byte{192, 168, 17, 2}), 32)
-				_, err := m.AddRouteFiltering(nil, []netip.Prefix{src}, fw.Network{Prefix: dst}, fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{80}}, fw.ActionDrop)
+				dst := netip.PrefixFrom(netip.AddrFrom4([4]byte{172, 17, 0, 2}), 32)
+				_, err := m.AddRouteFiltering(nil, []netip.Prefix{src}, dst, fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{80}}, fw.ActionDrop)
 				require.NoError(t, err)
 			},
 			packetBuilder: func() *PacketBuilder {
-				return createPacketBuilder("1.1.1.1", "192.168.17.2", "tcp", 12345, 80, fw.RuleDirectionIN)
+				return createPacketBuilder("1.1.1.1", "172.17.0.2", "tcp", 12345, 80, fw.RuleDirectionIN)
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
@@ -242,7 +245,7 @@ func TestTracePacket(t *testing.T) {
 				m.nativeRouter.Store(true)
 			},
 			packetBuilder: func() *PacketBuilder {
-				return createPacketBuilder("1.1.1.1", "192.168.17.2", "tcp", 12345, 80, fw.RuleDirectionIN)
+				return createPacketBuilder("1.1.1.1", "172.17.0.2", "tcp", 12345, 80, fw.RuleDirectionIN)
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
@@ -260,7 +263,7 @@ func TestTracePacket(t *testing.T) {
 				m.routingEnabled.Store(false)
 			},
 			packetBuilder: func() *PacketBuilder {
-				return createPacketBuilder("1.1.1.1", "192.168.17.2", "tcp", 12345, 80, fw.RuleDirectionIN)
+				return createPacketBuilder("1.1.1.1", "172.17.0.2", "tcp", 12345, 80, fw.RuleDirectionIN)
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
@@ -422,8 +425,8 @@ func TestTracePacket(t *testing.T) {
 
 			require.True(t, m.localipmanager.IsLocalIP(netip.MustParseAddr("100.10.0.100")),
 				"100.10.0.100 should be recognized as a local IP")
-			require.False(t, m.localipmanager.IsLocalIP(netip.MustParseAddr("192.168.17.2")),
-				"192.168.17.2 should not be recognized as a local IP")
+			require.False(t, m.localipmanager.IsLocalIP(netip.MustParseAddr("172.17.0.2")),
+				"172.17.0.2 should not be recognized as a local IP")
 
 			pb := tc.packetBuilder()
 

client/firewall/uspfilter/uspfilter.go

@@ -39,12 +39,8 @@ const (
 	// EnvForceUserspaceRouter forces userspace routing even if native routing is available.
 	EnvForceUserspaceRouter = "NB_FORCE_USERSPACE_ROUTER"
 
-	// EnvEnableLocalForwarding enables forwarding of local traffic to the native stack for internal (non-NetBird) interfaces.
-	// Default off as it might be security risk because sockets listening on localhost only will become accessible.
-	EnvEnableLocalForwarding = "NB_ENABLE_LOCAL_FORWARDING"
-
-	// EnvEnableNetstackLocalForwarding is an alias for EnvEnableLocalForwarding.
-	// In netstack mode, it enables forwarding of local traffic to the native stack for all interfaces.
+	// EnvEnableNetstackLocalForwarding enables forwarding of local traffic to the native stack when running netstack
+	// Leaving this on by default introduces a security risk as sockets on listening on localhost only will be accessible
 	EnvEnableNetstackLocalForwarding = "NB_ENABLE_NETSTACK_LOCAL_FORWARDING"
 )
 
@@ -53,10 +49,10 @@ var errNatNotSupported = errors.New("nat not supported with userspace firewall")
 // RuleSet is a set of rules grouped by a string key
 type RuleSet map[string]PeerRule
 
-type RouteRules []*RouteRule
+type RouteRules []RouteRule
 
 func (r RouteRules) Sort() {
-	slices.SortStableFunc(r, func(a, b *RouteRule) int {
+	slices.SortStableFunc(r, func(a, b RouteRule) int {
 		// Deny rules come first
 		if a.action == firewall.ActionDrop && b.action != firewall.ActionDrop {
 			return -1
@@ -75,6 +71,7 @@ type Manager struct {
 	// incomingRules is used for filtering and hooks
 	incomingRules  map[netip.Addr]RuleSet
 	routeRules     RouteRules
+	wgNetwork      *net.IPNet
 	decoders       sync.Pool
 	wgIface        common.IFaceMapper
 	nativeFirewall firewall.Manager
@@ -102,14 +99,6 @@ type Manager struct {
 	forwarder   atomic.Pointer[forwarder.Forwarder]
 	logger      *nblog.Logger
 	flowLogger  nftypes.FlowLogger
-
-	blockRule firewall.Rule
-
-	// Internal 1:1 DNAT
-	dnatEnabled  atomic.Bool
-	dnatMappings map[netip.Addr]netip.Addr
-	dnatMutex    sync.RWMutex
-	dnatBiMap    *biDNATMap
 }
 
 // decoder for packages
@@ -157,11 +146,6 @@ func parseCreateEnv() (bool, bool) {
 		if err != nil {
 			log.Warnf("failed to parse %s: %v", EnvEnableNetstackLocalForwarding, err)
 		}
-	} else if val := os.Getenv(EnvEnableLocalForwarding); val != "" {
-		enableLocalForwarding, err = strconv.ParseBool(val)
-		if err != nil {
-			log.Warnf("failed to parse %s: %v", EnvEnableLocalForwarding, err)
-		}
 	}
 
 	return disableConntrack, enableLocalForwarding
@@ -195,7 +179,6 @@ func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableSe
 		flowLogger:          flowLogger,
 		netstack:            netstack.IsEnabled(),
 		localForwarding:     enableLocalForwarding,
-		dnatMappings:        make(map[netip.Addr]netip.Addr),
 	}
 	m.routingEnabled.Store(false)
 
@@ -218,35 +201,41 @@ func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableSe
 		}
 	}
 
+	if err := m.blockInvalidRouted(iface); err != nil {
+		log.Errorf("failed to block invalid routed traffic: %v", err)
+	}
+
 	if err := iface.SetFilter(m); err != nil {
 		return nil, fmt.Errorf("set filter: %w", err)
 	}
 	return m, nil
 }
 
-func (m *Manager) blockInvalidRouted(iface common.IFaceMapper) (firewall.Rule, error) {
+func (m *Manager) blockInvalidRouted(iface common.IFaceMapper) error {
+	if m.forwarder.Load() == nil {
+		return nil
+	}
 	wgPrefix, err := netip.ParsePrefix(iface.Address().Network.String())
 	if err != nil {
-		return nil, fmt.Errorf("parse wireguard network: %w", err)
+		return fmt.Errorf("parse wireguard network: %w", err)
 	}
 	log.Debugf("blocking invalid routed traffic for %s", wgPrefix)
 
-	rule, err := m.addRouteFiltering(
+	if _, err := m.AddRouteFiltering(
 		nil,
 		[]netip.Prefix{netip.PrefixFrom(netip.IPv4Unspecified(), 0)},
-		firewall.Network{Prefix: wgPrefix},
+		wgPrefix,
 		firewall.ProtocolALL,
 		nil,
 		nil,
 		firewall.ActionDrop,
-	)
-	if err != nil {
-		return nil, fmt.Errorf("block wg nte : %w", err)
+	); err != nil {
+		return fmt.Errorf("block wg nte : %w", err)
 	}
 
 	// TODO: Block networks that we're a client of
 
-	return rule, nil
+	return nil
 }
 
 func (m *Manager) determineRouting() error {
@@ -284,7 +273,7 @@ func (m *Manager) determineRouting() error {
 
 		log.Info("userspace routing is forced")
 
-	case !m.netstack && m.nativeFirewall != nil:
+	case !m.netstack && m.nativeFirewall != nil && m.nativeFirewall.IsServerRouteSupported():
 		// if the OS supports routing natively, then we don't need to filter/route ourselves
 		// netstack mode won't support native routing as there is no interface
 
@@ -341,10 +330,6 @@ func (m *Manager) IsServerRouteSupported() bool {
 	return true
 }
 
-func (m *Manager) IsStateful() bool {
-	return m.stateful
-}
-
 func (m *Manager) AddNatRule(pair firewall.RouterPair) error {
 	if m.nativeRouter.Load() && m.nativeFirewall != nil {
 		return m.nativeFirewall.AddNatRule(pair)
@@ -428,23 +413,10 @@ func (m *Manager) AddPeerFiltering(
 func (m *Manager) AddRouteFiltering(
 	id []byte,
 	sources []netip.Prefix,
-	destination firewall.Network,
+	destination netip.Prefix,
 	proto firewall.Protocol,
-	sPort, dPort *firewall.Port,
-	action firewall.Action,
-) (firewall.Rule, error) {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.addRouteFiltering(id, sources, destination, proto, sPort, dPort, action)
-}
-
-func (m *Manager) addRouteFiltering(
-	id []byte,
-	sources []netip.Prefix,
-	destination firewall.Network,
-	proto firewall.Protocol,
-	sPort, dPort *firewall.Port,
+	sPort *firewall.Port,
+	dPort *firewall.Port,
 	action firewall.Action,
 ) (firewall.Rule, error) {
 	if m.nativeRouter.Load() && m.nativeFirewall != nil {
@@ -454,39 +426,34 @@ func (m *Manager) addRouteFiltering(
 	ruleID := uuid.New().String()
 	rule := RouteRule{
 		// TODO: consolidate these IDs
-		id:      ruleID,
-		mgmtId:  id,
-		sources: sources,
-		dstSet:  destination.Set,
-		proto:   proto,
-		srcPort: sPort,
-		dstPort: dPort,
-		action:  action,
-	}
-	if destination.IsPrefix() {
-		rule.destinations = []netip.Prefix{destination.Prefix}
+		id:          ruleID,
+		mgmtId:      id,
+		sources:     sources,
+		destination: destination,
+		proto:       proto,
+		srcPort:     sPort,
+		dstPort:     dPort,
+		action:      action,
 	}
 
-	m.routeRules = append(m.routeRules, &rule)
+	m.mutex.Lock()
+	m.routeRules = append(m.routeRules, rule)
 	m.routeRules.Sort()
+	m.mutex.Unlock()
 
 	return &rule, nil
 }
 
 func (m *Manager) DeleteRouteRule(rule firewall.Rule) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.deleteRouteRule(rule)
-}
-
-func (m *Manager) deleteRouteRule(rule firewall.Rule) error {
 	if m.nativeRouter.Load() && m.nativeFirewall != nil {
 		return m.nativeFirewall.DeleteRouteRule(rule)
 	}
 
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+
 	ruleID := rule.ID()
-	idx := slices.IndexFunc(m.routeRules, func(r *RouteRule) bool {
+	idx := slices.IndexFunc(m.routeRules, func(r RouteRule) bool {
 		return r.id == ruleID
 	})
 	if idx < 0 {
@@ -526,60 +493,30 @@ func (m *Manager) SetLegacyManagement(isLegacy bool) error {
 // Flush doesn't need to be implemented for this manager
 func (m *Manager) Flush() error { return nil }
 
-// UpdateSet updates the rule destinations associated with the given set
-// by merging the existing prefixes with the new ones, then deduplicating.
-func (m *Manager) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
-	if m.nativeRouter.Load() && m.nativeFirewall != nil {
-		return m.nativeFirewall.UpdateSet(set, prefixes)
+// AddDNATRule adds a DNAT rule
+func (m *Manager) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error) {
+	if m.nativeFirewall == nil {
+		return nil, errNatNotSupported
 	}
-
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	var matches []*RouteRule
-	for _, rule := range m.routeRules {
-		if rule.dstSet == set {
-			matches = append(matches, rule)
-		}
-	}
-
-	if len(matches) == 0 {
-		return fmt.Errorf("no route rule found for set: %s", set)
-	}
-
-	destinations := matches[0].destinations
-	for _, prefix := range prefixes {
-		if prefix.Addr().Is4() {
-			destinations = append(destinations, prefix)
-		}
-	}
-
-	slices.SortFunc(destinations, func(a, b netip.Prefix) int {
-		cmp := a.Addr().Compare(b.Addr())
-		if cmp != 0 {
-			return cmp
-		}
-		return a.Bits() - b.Bits()
-	})
-
-	destinations = slices.Compact(destinations)
-
-	for _, rule := range matches {
-		rule.destinations = destinations
-	}
-	log.Debugf("updated set %s to prefixes %v", set.HashedName(), destinations)
-
-	return nil
+	return m.nativeFirewall.AddDNATRule(rule)
 }
 
-// FilterOutBound filters outgoing packets
-func (m *Manager) FilterOutbound(packetData []byte, size int) bool {
-	return m.filterOutbound(packetData, size)
+// DeleteDNATRule deletes a DNAT rule
+func (m *Manager) DeleteDNATRule(rule firewall.Rule) error {
+	if m.nativeFirewall == nil {
+		return errNatNotSupported
+	}
+	return m.nativeFirewall.DeleteDNATRule(rule)
 }
 
-// FilterInbound filters incoming packets
-func (m *Manager) FilterInbound(packetData []byte, size int) bool {
-	return m.filterInbound(packetData, size)
+// DropOutgoing filter outgoing packets
+func (m *Manager) DropOutgoing(packetData []byte, size int) bool {
+	return m.processOutgoingHooks(packetData, size)
+}
+
+// DropIncoming filter incoming packets
+func (m *Manager) DropIncoming(packetData []byte, size int) bool {
+	return m.dropFilter(packetData, size)
 }
 
 // UpdateLocalIPs updates the list of local IPs
@@ -587,7 +524,7 @@ func (m *Manager) UpdateLocalIPs() error {
 	return m.localipmanager.UpdateLocalIPs(m.wgIface)
 }
 
-func (m *Manager) filterOutbound(packetData []byte, size int) bool {
+func (m *Manager) processOutgoingHooks(packetData []byte, size int) bool {
 	d := m.decoders.Get().(*decoder)
 	defer m.decoders.Put(d)
 
@@ -609,8 +546,9 @@ func (m *Manager) filterOutbound(packetData []byte, size int) bool {
 		return true
 	}
 
-	m.trackOutbound(d, srcIP, dstIP, size)
-	m.translateOutboundDNAT(packetData, d)
+	if m.stateful {
+		m.trackOutbound(d, srcIP, dstIP, size)
+	}
 
 	return false
 }
@@ -662,7 +600,7 @@ func (m *Manager) trackOutbound(d *decoder, srcIP, dstIP netip.Addr, size int) {
 		flags := getTCPFlags(&d.tcp)
 		m.tcpTracker.TrackOutbound(srcIP, dstIP, uint16(d.tcp.SrcPort), uint16(d.tcp.DstPort), flags, size)
 	case layers.LayerTypeICMPv4:
-		m.icmpTracker.TrackOutbound(srcIP, dstIP, d.icmp4.Id, d.icmp4.TypeCode, d.icmp4.Payload, size)
+		m.icmpTracker.TrackOutbound(srcIP, dstIP, d.icmp4.Id, d.icmp4.TypeCode, size)
 	}
 }
 
@@ -675,7 +613,7 @@ func (m *Manager) trackInbound(d *decoder, srcIP, dstIP netip.Addr, ruleID []byt
 		flags := getTCPFlags(&d.tcp)
 		m.tcpTracker.TrackInbound(srcIP, dstIP, uint16(d.tcp.SrcPort), uint16(d.tcp.DstPort), flags, ruleID, size)
 	case layers.LayerTypeICMPv4:
-		m.icmpTracker.TrackInbound(srcIP, dstIP, d.icmp4.Id, d.icmp4.TypeCode, ruleID, d.icmp4.Payload, size)
+		m.icmpTracker.TrackInbound(srcIP, dstIP, d.icmp4.Id, d.icmp4.TypeCode, ruleID, size)
 	}
 }
 
@@ -714,9 +652,9 @@ func (m *Manager) udpHooksDrop(dport uint16, dstIP netip.Addr, packetData []byte
 	return false
 }
 
-// filterInbound implements filtering logic for incoming packets.
+// dropFilter implements filtering logic for incoming packets.
 // If it returns true, the packet should be dropped.
-func (m *Manager) filterInbound(packetData []byte, size int) bool {
+func (m *Manager) dropFilter(packetData []byte, size int) bool {
 	d := m.decoders.Get().(*decoder)
 	defer m.decoders.Put(d)
 
@@ -738,15 +676,8 @@ func (m *Manager) filterInbound(packetData []byte, size int) bool {
 		return false
 	}
 
-	if translated := m.translateInboundReverse(packetData, d); translated {
-		// Re-decode after translation to get original addresses
-		if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
-			m.logger.Error("Failed to re-decode packet after reverse DNAT: %v", err)
-			return true
-		}
-		srcIP, dstIP = m.extractIPs(d)
-	}
-
+	// For all inbound traffic, first check if it matches a tracked connection.
+	// This must happen before any other filtering because the packets are statefully tracked.
 	if m.stateful && m.isValidTrackedConnection(d, srcIP, dstIP, size) {
 		return false
 	}
@@ -786,10 +717,9 @@ func (m *Manager) handleLocalTraffic(d *decoder, srcIP, dstIP netip.Addr, packet
 		return true
 	}
 
-	// If requested we pass local traffic to internal interfaces to the forwarder.
-	// netstack doesn't have an interface to forward packets to the native stack so we always need to use the forwarder.
-	if m.localForwarding && (m.netstack || dstIP != m.wgIface.Address().IP) {
-		return m.handleForwardedLocalTraffic(packetData)
+	// if running in netstack mode we need to pass this to the forwarder
+	if m.netstack && m.localForwarding {
+		return m.handleNetstackLocalTraffic(packetData)
 	}
 
 	// track inbound packets to get the correct direction and session id for flows
@@ -799,7 +729,8 @@ func (m *Manager) handleLocalTraffic(d *decoder, srcIP, dstIP netip.Addr, packet
 	return false
 }
 
-func (m *Manager) handleForwardedLocalTraffic(packetData []byte) bool {
+func (m *Manager) handleNetstackLocalTraffic(packetData []byte) bool {
+
 	fwd := m.forwarder.Load()
 	if fwd == nil {
 		m.logger.Trace("Dropping local packet (forwarder not initialized)")
@@ -833,8 +764,7 @@ func (m *Manager) handleRoutedTraffic(d *decoder, srcIP, dstIP netip.Addr, packe
 	proto, pnum := getProtocolFromPacket(d)
 	srcPort, dstPort := getPortsFromPacket(d)
 
-	ruleID, pass := m.routeACLsPass(srcIP, dstIP, proto, srcPort, dstPort)
-	if !pass {
+	if ruleID, pass := m.routeACLsPass(srcIP, dstIP, proto, srcPort, dstPort); !pass {
 		m.logger.Trace("Dropping routed packet (ACL denied): rule_id=%s proto=%v src=%s:%d dst=%s:%d",
 			ruleID, pnum, srcIP, srcPort, dstIP, dstPort)
 
@@ -860,11 +790,8 @@ func (m *Manager) handleRoutedTraffic(d *decoder, srcIP, dstIP netip.Addr, packe
 	if fwd == nil {
 		m.logger.Trace("failed to forward routed packet (forwarder not initialized)")
 	} else {
-		fwd.RegisterRuleID(srcIP, dstIP, srcPort, dstPort, ruleID)
-
 		if err := fwd.InjectIncomingPacket(packetData); err != nil {
 			m.logger.Error("Failed to inject routed packet: %v", err)
-			fwd.DeleteRuleID(srcIP, dstIP, srcPort, dstPort)
 		}
 	}
 
@@ -1061,15 +988,8 @@ func (m *Manager) routeACLsPass(srcIP, dstIP netip.Addr, proto firewall.Protocol
 	return nil, false
 }
 
-func (m *Manager) ruleMatches(rule *RouteRule, srcAddr, dstAddr netip.Addr, proto firewall.Protocol, srcPort, dstPort uint16) bool {
-	destMatched := false
-	for _, dst := range rule.destinations {
-		if dst.Contains(dstAddr) {
-			destMatched = true
-			break
-		}
-	}
-	if !destMatched {
+func (m *Manager) ruleMatches(rule RouteRule, srcAddr, dstAddr netip.Addr, proto firewall.Protocol, srcPort, dstPort uint16) bool {
+	if !rule.destination.Contains(dstAddr) {
 		return false
 	}
 
@@ -1097,6 +1017,11 @@ func (m *Manager) ruleMatches(rule *RouteRule, srcAddr, dstAddr netip.Addr, prot
 	return true
 }
 
+// SetNetwork of the wireguard interface to which filtering applied
+func (m *Manager) SetNetwork(network *net.IPNet) {
+	m.wgNetwork = network
+}
+
 // AddUDPPacketHook calls hook when UDP packet from given direction matched
 //
 // Hook function returns flag which indicates should be the matched package dropped or not
@@ -1166,22 +1091,7 @@ func (m *Manager) EnableRouting() error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
-	if err := m.determineRouting(); err != nil {
-		return fmt.Errorf("determine routing: %w", err)
-	}
-
-	if m.forwarder.Load() == nil {
-		return nil
-	}
-
-	rule, err := m.blockInvalidRouted(m.wgIface)
-	if err != nil {
-		return fmt.Errorf("block invalid routed: %w", err)
-	}
-
-	m.blockRule = rule
-
-	return nil
+	return m.determineRouting()
 }
 
 func (m *Manager) DisableRouting() error {
@@ -1206,12 +1116,5 @@ func (m *Manager) DisableRouting() error {
 
 	log.Debug("forwarder stopped")
 
-	if m.blockRule != nil {
-		if err := m.deleteRouteRule(m.blockRule); err != nil {
-			return fmt.Errorf("delete block rule: %w", err)
-		}
-		m.blockRule = nil
-	}
-
 	return nil
 }

client/firewall/uspfilter/uspfilter_bench_test.go

@@ -174,6 +174,11 @@ func BenchmarkCoreFiltering(b *testing.B) {
 					require.NoError(b, manager.Close(nil))
 				})
 
+				manager.wgNetwork = &net.IPNet{
+					IP:   net.ParseIP("100.64.0.0"),
+					Mask: net.CIDRMask(10, 32),
+				}
+
 				// Apply scenario-specific setup
 				sc.setupFunc(manager)
 
@@ -188,13 +193,13 @@ func BenchmarkCoreFiltering(b *testing.B) {
 
 				// For stateful scenarios, establish the connection
 				if sc.stateful {
-					manager.filterOutbound(outbound, 0)
+					manager.processOutgoingHooks(outbound, 0)
 				}
 
 				// Measure inbound packet processing
 				b.ResetTimer()
 				for i := 0; i < b.N; i++ {
-					manager.filterInbound(inbound, 0)
+					manager.dropFilter(inbound, 0)
 				}
 			})
 		}
@@ -214,13 +219,18 @@ func BenchmarkStateScaling(b *testing.B) {
 				require.NoError(b, manager.Close(nil))
 			})
 
+			manager.wgNetwork = &net.IPNet{
+				IP:   net.ParseIP("100.64.0.0"),
+				Mask: net.CIDRMask(10, 32),
+			}
+
 			// Pre-populate connection table
 			srcIPs := generateRandomIPs(count)
 			dstIPs := generateRandomIPs(count)
 			for i := 0; i < count; i++ {
 				outbound := generatePacket(b, srcIPs[i], dstIPs[i],
 					uint16(1024+i), 80, layers.IPProtocolTCP)
-				manager.filterOutbound(outbound, 0)
+				manager.processOutgoingHooks(outbound, 0)
 			}
 
 			// Test packet
@@ -228,11 +238,11 @@ func BenchmarkStateScaling(b *testing.B) {
 			testIn := generatePacket(b, dstIPs[0], srcIPs[0], 80, 1024, layers.IPProtocolTCP)
 
 			// First establish our test connection
-			manager.filterOutbound(testOut, 0)
+			manager.processOutgoingHooks(testOut, 0)
 
 			b.ResetTimer()
 			for i := 0; i < b.N; i++ {
-				manager.filterInbound(testIn, 0)
+				manager.dropFilter(testIn, 0)
 			}
 		})
 	}
@@ -257,18 +267,23 @@ func BenchmarkEstablishmentOverhead(b *testing.B) {
 				require.NoError(b, manager.Close(nil))
 			})
 
+			manager.wgNetwork = &net.IPNet{
+				IP:   net.ParseIP("100.64.0.0"),
+				Mask: net.CIDRMask(10, 32),
+			}
+
 			srcIP := generateRandomIPs(1)[0]
 			dstIP := generateRandomIPs(1)[0]
 			outbound := generatePacket(b, srcIP, dstIP, 1024, 80, layers.IPProtocolTCP)
 			inbound := generatePacket(b, dstIP, srcIP, 80, 1024, layers.IPProtocolTCP)
 
 			if sc.established {
-				manager.filterOutbound(outbound, 0)
+				manager.processOutgoingHooks(outbound, 0)
 			}
 
 			b.ResetTimer()
 			for i := 0; i < b.N; i++ {
-				manager.filterInbound(inbound, 0)
+				manager.dropFilter(inbound, 0)
 			}
 		})
 	}
@@ -289,6 +304,10 @@ func BenchmarkRoutedNetworkReturn(b *testing.B) {
 			proto: layers.IPProtocolTCP,
 			state: "new",
 			setupFunc: func(m *Manager) {
+				m.wgNetwork = &net.IPNet{
+					IP:   net.ParseIP("100.64.0.0"),
+					Mask: net.CIDRMask(10, 32),
+				}
 				b.Setenv("NB_DISABLE_CONNTRACK", "1")
 			},
 			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
@@ -302,6 +321,10 @@ func BenchmarkRoutedNetworkReturn(b *testing.B) {
 			proto: layers.IPProtocolTCP,
 			state: "established",
 			setupFunc: func(m *Manager) {
+				m.wgNetwork = &net.IPNet{
+					IP:   net.ParseIP("100.64.0.0"),
+					Mask: net.CIDRMask(10, 32),
+				}
 				b.Setenv("NB_DISABLE_CONNTRACK", "1")
 			},
 			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
@@ -316,6 +339,10 @@ func BenchmarkRoutedNetworkReturn(b *testing.B) {
 			proto: layers.IPProtocolUDP,
 			state: "new",
 			setupFunc: func(m *Manager) {
+				m.wgNetwork = &net.IPNet{
+					IP:   net.ParseIP("100.64.0.0"),
+					Mask: net.CIDRMask(10, 32),
+				}
 				b.Setenv("NB_DISABLE_CONNTRACK", "1")
 			},
 			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
@@ -329,6 +356,10 @@ func BenchmarkRoutedNetworkReturn(b *testing.B) {
 			proto: layers.IPProtocolUDP,
 			state: "established",
 			setupFunc: func(m *Manager) {
+				m.wgNetwork = &net.IPNet{
+					IP:   net.ParseIP("100.64.0.0"),
+					Mask: net.CIDRMask(10, 32),
+				}
 				b.Setenv("NB_DISABLE_CONNTRACK", "1")
 			},
 			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
@@ -342,6 +373,10 @@ func BenchmarkRoutedNetworkReturn(b *testing.B) {
 			proto: layers.IPProtocolTCP,
 			state: "new",
 			setupFunc: func(m *Manager) {
+				m.wgNetwork = &net.IPNet{
+					IP:   net.ParseIP("0.0.0.0"),
+					Mask: net.CIDRMask(0, 32),
+				}
 				require.NoError(b, os.Unsetenv("NB_DISABLE_CONNTRACK"))
 			},
 			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
@@ -355,6 +390,10 @@ func BenchmarkRoutedNetworkReturn(b *testing.B) {
 			proto: layers.IPProtocolTCP,
 			state: "established",
 			setupFunc: func(m *Manager) {
+				m.wgNetwork = &net.IPNet{
+					IP:   net.ParseIP("0.0.0.0"),
+					Mask: net.CIDRMask(0, 32),
+				}
 				require.NoError(b, os.Unsetenv("NB_DISABLE_CONNTRACK"))
 			},
 			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
@@ -369,6 +408,10 @@ func BenchmarkRoutedNetworkReturn(b *testing.B) {
 			proto: layers.IPProtocolTCP,
 			state: "post_handshake",
 			setupFunc: func(m *Manager) {
+				m.wgNetwork = &net.IPNet{
+					IP:   net.ParseIP("0.0.0.0"),
+					Mask: net.CIDRMask(0, 32),
+				}
 				require.NoError(b, os.Unsetenv("NB_DISABLE_CONNTRACK"))
 			},
 			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
@@ -383,6 +426,10 @@ func BenchmarkRoutedNetworkReturn(b *testing.B) {
 			proto: layers.IPProtocolUDP,
 			state: "new",
 			setupFunc: func(m *Manager) {
+				m.wgNetwork = &net.IPNet{
+					IP:   net.ParseIP("0.0.0.0"),
+					Mask: net.CIDRMask(0, 32),
+				}
 				require.NoError(b, os.Unsetenv("NB_DISABLE_CONNTRACK"))
 			},
 			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
@@ -396,6 +443,10 @@ func BenchmarkRoutedNetworkReturn(b *testing.B) {
 			proto: layers.IPProtocolUDP,
 			state: "established",
 			setupFunc: func(m *Manager) {
+				m.wgNetwork = &net.IPNet{
+					IP:   net.ParseIP("0.0.0.0"),
+					Mask: net.CIDRMask(0, 32),
+				}
 				require.NoError(b, os.Unsetenv("NB_DISABLE_CONNTRACK"))
 			},
 			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
@@ -426,25 +477,25 @@ func BenchmarkRoutedNetworkReturn(b *testing.B) {
 			// For stateful cases and established connections
 			if !strings.Contains(sc.name, "allow_non_wg") ||
 				(strings.Contains(sc.state, "established") || sc.state == "post_handshake") {
-				manager.filterOutbound(outbound, 0)
+				manager.processOutgoingHooks(outbound, 0)
 
 				// For TCP post-handshake, simulate full handshake
 				if sc.state == "post_handshake" {
 					// SYN
 					syn := generateTCPPacketWithFlags(b, srcIP, dstIP, 1024, 80, uint16(conntrack.TCPSyn))
-					manager.filterOutbound(syn, 0)
+					manager.processOutgoingHooks(syn, 0)
 					// SYN-ACK
 					synack := generateTCPPacketWithFlags(b, dstIP, srcIP, 80, 1024, uint16(conntrack.TCPSyn|conntrack.TCPAck))
-					manager.filterInbound(synack, 0)
+					manager.dropFilter(synack, 0)
 					// ACK
 					ack := generateTCPPacketWithFlags(b, srcIP, dstIP, 1024, 80, uint16(conntrack.TCPAck))
-					manager.filterOutbound(ack, 0)
+					manager.processOutgoingHooks(ack, 0)
 				}
 			}
 
 			b.ResetTimer()
 			for i := 0; i < b.N; i++ {
-				manager.filterInbound(inbound, 0)
+				manager.dropFilter(inbound, 0)
 			}
 		})
 	}
@@ -542,6 +593,11 @@ func BenchmarkLongLivedConnections(b *testing.B) {
 				require.NoError(b, manager.Close(nil))
 			})
 
+			manager.SetNetwork(&net.IPNet{
+				IP:   net.ParseIP("100.64.0.0"),
+				Mask: net.CIDRMask(10, 32),
+			})
+
 			// Setup initial state based on scenario
 			if sc.rules {
 				// Single rule to allow all return traffic from port 80
@@ -568,17 +624,17 @@ func BenchmarkLongLivedConnections(b *testing.B) {
 				// Initial SYN
 				syn := generateTCPPacketWithFlags(b, srcIPs[i], dstIPs[i],
 					uint16(1024+i), 80, uint16(conntrack.TCPSyn))
-				manager.filterOutbound(syn, 0)
+				manager.processOutgoingHooks(syn, 0)
 
 				// SYN-ACK
 				synack := generateTCPPacketWithFlags(b, dstIPs[i], srcIPs[i],
 					80, uint16(1024+i), uint16(conntrack.TCPSyn|conntrack.TCPAck))
-				manager.filterInbound(synack, 0)
+				manager.dropFilter(synack, 0)
 
 				// ACK
 				ack := generateTCPPacketWithFlags(b, srcIPs[i], dstIPs[i],
 					uint16(1024+i), 80, uint16(conntrack.TCPAck))
-				manager.filterOutbound(ack, 0)
+				manager.processOutgoingHooks(ack, 0)
 			}
 
 			// Prepare test packets simulating bidirectional traffic
@@ -599,9 +655,9 @@ func BenchmarkLongLivedConnections(b *testing.B) {
 
 				// Simulate bidirectional traffic
 				// First outbound data
-				manager.filterOutbound(outPackets[connIdx], 0)
+				manager.processOutgoingHooks(outPackets[connIdx], 0)
 				// Then inbound response - this is what we're actually measuring
-				manager.filterInbound(inPackets[connIdx], 0)
+				manager.dropFilter(inPackets[connIdx], 0)
 			}
 		})
 	}
@@ -625,6 +681,11 @@ func BenchmarkShortLivedConnections(b *testing.B) {
 				require.NoError(b, manager.Close(nil))
 			})
 
+			manager.SetNetwork(&net.IPNet{
+				IP:   net.ParseIP("100.64.0.0"),
+				Mask: net.CIDRMask(10, 32),
+			})
+
 			// Setup initial state based on scenario
 			if sc.rules {
 				// Single rule to allow all return traffic from port 80
@@ -700,19 +761,19 @@ func BenchmarkShortLivedConnections(b *testing.B) {
 				p := patterns[connIdx]
 
 				// Connection establishment
-				manager.filterOutbound(p.syn, 0)
-				manager.filterInbound(p.synAck, 0)
-				manager.filterOutbound(p.ack, 0)
+				manager.processOutgoingHooks(p.syn, 0)
+				manager.dropFilter(p.synAck, 0)
+				manager.processOutgoingHooks(p.ack, 0)
 
 				// Data transfer
-				manager.filterOutbound(p.request, 0)
-				manager.filterInbound(p.response, 0)
+				manager.processOutgoingHooks(p.request, 0)
+				manager.dropFilter(p.response, 0)
 
 				// Connection teardown
-				manager.filterOutbound(p.finClient, 0)
-				manager.filterInbound(p.ackServer, 0)
-				manager.filterInbound(p.finServer, 0)
-				manager.filterOutbound(p.ackClient, 0)
+				manager.processOutgoingHooks(p.finClient, 0)
+				manager.dropFilter(p.ackServer, 0)
+				manager.dropFilter(p.finServer, 0)
+				manager.processOutgoingHooks(p.ackClient, 0)
 			}
 		})
 	}
@@ -736,6 +797,11 @@ func BenchmarkParallelLongLivedConnections(b *testing.B) {
 				require.NoError(b, manager.Close(nil))
 			})
 
+			manager.SetNetwork(&net.IPNet{
+				IP:   net.ParseIP("100.64.0.0"),
+				Mask: net.CIDRMask(10, 32),
+			})
+
 			// Setup initial state based on scenario
 			if sc.rules {
 				_, err := manager.AddPeerFiltering(nil, net.ParseIP("0.0.0.0"), fw.ProtocolTCP, &fw.Port{Values: []uint16{80}}, nil, fw.ActionAccept, "")
@@ -760,15 +826,15 @@ func BenchmarkParallelLongLivedConnections(b *testing.B) {
 			for i := 0; i < sc.connCount; i++ {
 				syn := generateTCPPacketWithFlags(b, srcIPs[i], dstIPs[i],
 					uint16(1024+i), 80, uint16(conntrack.TCPSyn))
-				manager.filterOutbound(syn, 0)
+				manager.processOutgoingHooks(syn, 0)
 
 				synack := generateTCPPacketWithFlags(b, dstIPs[i], srcIPs[i],
 					80, uint16(1024+i), uint16(conntrack.TCPSyn|conntrack.TCPAck))
-				manager.filterInbound(synack, 0)
+				manager.dropFilter(synack, 0)
 
 				ack := generateTCPPacketWithFlags(b, srcIPs[i], dstIPs[i],
 					uint16(1024+i), 80, uint16(conntrack.TCPAck))
-				manager.filterOutbound(ack, 0)
+				manager.processOutgoingHooks(ack, 0)
 			}
 
 			// Pre-generate test packets
@@ -790,8 +856,8 @@ func BenchmarkParallelLongLivedConnections(b *testing.B) {
 					counter++
 
 					// Simulate bidirectional traffic
-					manager.filterOutbound(outPackets[connIdx], 0)
-					manager.filterInbound(inPackets[connIdx], 0)
+					manager.processOutgoingHooks(outPackets[connIdx], 0)
+					manager.dropFilter(inPackets[connIdx], 0)
 				}
 			})
 		})
@@ -816,6 +882,11 @@ func BenchmarkParallelShortLivedConnections(b *testing.B) {
 				require.NoError(b, manager.Close(nil))
 			})
 
+			manager.SetNetwork(&net.IPNet{
+				IP:   net.ParseIP("100.64.0.0"),
+				Mask: net.CIDRMask(10, 32),
+			})
+
 			if sc.rules {
 				_, err := manager.AddPeerFiltering(nil, net.ParseIP("0.0.0.0"), fw.ProtocolTCP, &fw.Port{Values: []uint16{80}}, nil, fw.ActionAccept, "")
 				require.NoError(b, err)
@@ -879,17 +950,17 @@ func BenchmarkParallelShortLivedConnections(b *testing.B) {
 					p := patterns[connIdx]
 
 					// Full connection lifecycle
-					manager.filterOutbound(p.syn, 0)
-					manager.filterInbound(p.synAck, 0)
-					manager.filterOutbound(p.ack, 0)
+					manager.processOutgoingHooks(p.syn, 0)
+					manager.dropFilter(p.synAck, 0)
+					manager.processOutgoingHooks(p.ack, 0)
 
-					manager.filterOutbound(p.request, 0)
-					manager.filterInbound(p.response, 0)
+					manager.processOutgoingHooks(p.request, 0)
+					manager.dropFilter(p.response, 0)
 
-					manager.filterOutbound(p.finClient, 0)
-					manager.filterInbound(p.ackServer, 0)
-					manager.filterInbound(p.finServer, 0)
-					manager.filterOutbound(p.ackClient, 0)
+					manager.processOutgoingHooks(p.finClient, 0)
+					manager.dropFilter(p.ackServer, 0)
+					manager.dropFilter(p.finServer, 0)
+					manager.processOutgoingHooks(p.ackClient, 0)
 				}
 			})
 		})
@@ -961,8 +1032,7 @@ func BenchmarkRouteACLs(b *testing.B) {
 	}
 
 	for _, r := range rules {
-		dst := fw.Network{Prefix: r.dest}
-		_, err := manager.AddRouteFiltering(nil, r.sources, dst, r.proto, nil, r.port, fw.ActionAccept)
+		_, err := manager.AddRouteFiltering(nil, r.sources, r.dest, r.proto, nil, r.port, fw.ActionAccept)
 		if err != nil {
 			b.Fatal(err)
 		}

client/firewall/uspfilter/uspfilter_filter_test.go

@@ -15,12 +15,15 @@ import (
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/mocks"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
-	"github.com/netbirdio/netbird/management/domain"
 )
 
 func TestPeerACLFiltering(t *testing.T) {
-	localIP := netip.MustParseAddr("100.10.0.100")
-	wgNet := netip.MustParsePrefix("100.10.0.0/16")
+	localIP := net.ParseIP("100.10.0.100")
+	wgNet := &net.IPNet{
+		IP:   net.ParseIP("100.10.0.0"),
+		Mask: net.CIDRMask(16, 32),
+	}
+
 	ifaceMock := &IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 		AddressFunc: func() wgaddr.Address {
@@ -39,6 +42,8 @@ func TestPeerACLFiltering(t *testing.T) {
 		require.NoError(t, manager.Close(nil))
 	})
 
+	manager.wgNetwork = wgNet
+
 	err = manager.UpdateLocalIPs()
 	require.NoError(t, err)
 
@@ -183,313 +188,16 @@ func TestPeerACLFiltering(t *testing.T) {
 			ruleAction:      fw.ActionAccept,
 			shouldBeBlocked: true,
 		},
-		{
-			name:            "Allow TCP traffic without port specification",
-			srcIP:           "100.10.0.1",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolTCP,
-			srcPort:         12345,
-			dstPort:         443,
-			ruleIP:          "100.10.0.1",
-			ruleProto:       fw.ProtocolTCP,
-			ruleAction:      fw.ActionAccept,
-			shouldBeBlocked: false,
-		},
-		{
-			name:            "Allow UDP traffic without port specification",
-			srcIP:           "100.10.0.1",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolUDP,
-			srcPort:         12345,
-			dstPort:         53,
-			ruleIP:          "100.10.0.1",
-			ruleProto:       fw.ProtocolUDP,
-			ruleAction:      fw.ActionAccept,
-			shouldBeBlocked: false,
-		},
-		{
-			name:            "TCP packet doesn't match UDP filter with same port",
-			srcIP:           "100.10.0.1",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolTCP,
-			srcPort:         12345,
-			dstPort:         443,
-			ruleIP:          "100.10.0.1",
-			ruleProto:       fw.ProtocolUDP,
-			ruleDstPort:     &fw.Port{Values: []uint16{443}},
-			ruleAction:      fw.ActionAccept,
-			shouldBeBlocked: true,
-		},
-		{
-			name:            "UDP packet doesn't match TCP filter with same port",
-			srcIP:           "100.10.0.1",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolUDP,
-			srcPort:         12345,
-			dstPort:         443,
-			ruleIP:          "100.10.0.1",
-			ruleProto:       fw.ProtocolTCP,
-			ruleDstPort:     &fw.Port{Values: []uint16{443}},
-			ruleAction:      fw.ActionAccept,
-			shouldBeBlocked: true,
-		},
-		{
-			name:            "ICMP packet doesn't match TCP filter",
-			srcIP:           "100.10.0.1",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolICMP,
-			ruleIP:          "100.10.0.1",
-			ruleProto:       fw.ProtocolTCP,
-			ruleAction:      fw.ActionAccept,
-			shouldBeBlocked: true,
-		},
-		{
-			name:            "ICMP packet doesn't match UDP filter",
-			srcIP:           "100.10.0.1",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolICMP,
-			ruleIP:          "100.10.0.1",
-			ruleProto:       fw.ProtocolUDP,
-			ruleAction:      fw.ActionAccept,
-			shouldBeBlocked: true,
-		},
-		{
-			name:            "Allow TCP traffic within port range",
-			srcIP:           "100.10.0.1",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolTCP,
-			srcPort:         12345,
-			dstPort:         8080,
-			ruleIP:          "100.10.0.1",
-			ruleProto:       fw.ProtocolTCP,
-			ruleDstPort:     &fw.Port{IsRange: true, Values: []uint16{8000, 8100}},
-			ruleAction:      fw.ActionAccept,
-			shouldBeBlocked: false,
-		},
-		{
-			name:            "Block TCP traffic outside port range",
-			srcIP:           "100.10.0.1",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolTCP,
-			srcPort:         12345,
-			dstPort:         7999,
-			ruleIP:          "100.10.0.1",
-			ruleProto:       fw.ProtocolTCP,
-			ruleDstPort:     &fw.Port{IsRange: true, Values: []uint16{8000, 8100}},
-			ruleAction:      fw.ActionAccept,
-			shouldBeBlocked: true,
-		},
-		{
-			name:            "Edge Case - Port at Range Boundary",
-			srcIP:           "100.10.0.1",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolTCP,
-			srcPort:         12345,
-			dstPort:         8100,
-			ruleIP:          "100.10.0.1",
-			ruleProto:       fw.ProtocolTCP,
-			ruleDstPort:     &fw.Port{IsRange: true, Values: []uint16{8000, 8100}},
-			ruleAction:      fw.ActionAccept,
-			shouldBeBlocked: false,
-		},
-		{
-			name:            "UDP Port Range",
-			srcIP:           "100.10.0.1",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolUDP,
-			srcPort:         12345,
-			dstPort:         5060,
-			ruleIP:          "100.10.0.1",
-			ruleProto:       fw.ProtocolUDP,
-			ruleDstPort:     &fw.Port{IsRange: true, Values: []uint16{5060, 5070}},
-			ruleAction:      fw.ActionAccept,
-			shouldBeBlocked: false,
-		},
-		{
-			name:            "Allow multiple destination ports",
-			srcIP:           "100.10.0.1",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolTCP,
-			srcPort:         12345,
-			dstPort:         8080,
-			ruleIP:          "100.10.0.1",
-			ruleProto:       fw.ProtocolTCP,
-			ruleDstPort:     &fw.Port{Values: []uint16{80, 8080, 443}},
-			ruleAction:      fw.ActionAccept,
-			shouldBeBlocked: false,
-		},
-		{
-			name:            "Allow multiple source ports",
-			srcIP:           "100.10.0.1",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolTCP,
-			srcPort:         12345,
-			dstPort:         80,
-			ruleIP:          "100.10.0.1",
-			ruleProto:       fw.ProtocolTCP,
-			ruleSrcPort:     &fw.Port{Values: []uint16{12345, 12346, 12347}},
-			ruleAction:      fw.ActionAccept,
-			shouldBeBlocked: false,
-		},
-		// New drop test cases
-		{
-			name:            "Drop TCP traffic from WG peer",
-			srcIP:           "100.10.0.1",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolTCP,
-			srcPort:         12345,
-			dstPort:         443,
-			ruleIP:          "100.10.0.1",
-			ruleProto:       fw.ProtocolTCP,
-			ruleDstPort:     &fw.Port{Values: []uint16{443}},
-			ruleAction:      fw.ActionDrop,
-			shouldBeBlocked: true,
-		},
-		{
-			name:            "Drop UDP traffic from WG peer",
-			srcIP:           "100.10.0.1",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolUDP,
-			srcPort:         12345,
-			dstPort:         53,
-			ruleIP:          "100.10.0.1",
-			ruleProto:       fw.ProtocolUDP,
-			ruleDstPort:     &fw.Port{Values: []uint16{53}},
-			ruleAction:      fw.ActionDrop,
-			shouldBeBlocked: true,
-		},
-		{
-			name:            "Drop ICMP traffic from WG peer",
-			srcIP:           "100.10.0.1",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolICMP,
-			ruleIP:          "100.10.0.1",
-			ruleProto:       fw.ProtocolICMP,
-			ruleAction:      fw.ActionDrop,
-			shouldBeBlocked: true,
-		},
-		{
-			name:            "Drop all traffic from WG peer",
-			srcIP:           "100.10.0.1",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolTCP,
-			srcPort:         12345,
-			dstPort:         443,
-			ruleIP:          "100.10.0.1",
-			ruleProto:       fw.ProtocolALL,
-			ruleAction:      fw.ActionDrop,
-			shouldBeBlocked: true,
-		},
-		{
-			name:            "Drop traffic from multiple source ports",
-			srcIP:           "100.10.0.1",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolTCP,
-			srcPort:         12345,
-			dstPort:         80,
-			ruleIP:          "100.10.0.1",
-			ruleProto:       fw.ProtocolTCP,
-			ruleSrcPort:     &fw.Port{Values: []uint16{12345, 12346, 12347}},
-			ruleAction:      fw.ActionDrop,
-			shouldBeBlocked: true,
-		},
-		{
-			name:            "Drop multiple destination ports",
-			srcIP:           "100.10.0.1",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolTCP,
-			srcPort:         12345,
-			dstPort:         8080,
-			ruleIP:          "100.10.0.1",
-			ruleProto:       fw.ProtocolTCP,
-			ruleDstPort:     &fw.Port{Values: []uint16{80, 8080, 443}},
-			ruleAction:      fw.ActionDrop,
-			shouldBeBlocked: true,
-		},
-		{
-			name:            "Drop TCP traffic within port range",
-			srcIP:           "100.10.0.1",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolTCP,
-			srcPort:         12345,
-			dstPort:         8080,
-			ruleIP:          "100.10.0.1",
-			ruleProto:       fw.ProtocolTCP,
-			ruleDstPort:     &fw.Port{IsRange: true, Values: []uint16{8000, 8100}},
-			ruleAction:      fw.ActionDrop,
-			shouldBeBlocked: true,
-		},
-		{
-			name:            "Accept TCP traffic outside drop port range",
-			srcIP:           "100.10.0.1",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolTCP,
-			srcPort:         12345,
-			dstPort:         7999,
-			ruleIP:          "100.10.0.1",
-			ruleProto:       fw.ProtocolTCP,
-			ruleDstPort:     &fw.Port{IsRange: true, Values: []uint16{8000, 8100}},
-			ruleAction:      fw.ActionDrop,
-			shouldBeBlocked: false,
-		},
-		{
-			name:            "Drop TCP traffic with source port range",
-			srcIP:           "100.10.0.1",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolTCP,
-			srcPort:         32100,
-			dstPort:         80,
-			ruleIP:          "100.10.0.1",
-			ruleProto:       fw.ProtocolTCP,
-			ruleSrcPort:     &fw.Port{IsRange: true, Values: []uint16{32000, 33000}},
-			ruleAction:      fw.ActionDrop,
-			shouldBeBlocked: true,
-		},
-		{
-			name:            "Mixed rule - drop specific port but allow other ports",
-			srcIP:           "100.10.0.1",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolTCP,
-			srcPort:         12345,
-			dstPort:         443,
-			ruleIP:          "100.10.0.1",
-			ruleProto:       fw.ProtocolTCP,
-			ruleDstPort:     &fw.Port{Values: []uint16{443}},
-			ruleAction:      fw.ActionDrop,
-			shouldBeBlocked: true,
-		},
 	}
 
 	t.Run("Implicit DROP (no rules)", func(t *testing.T) {
 		packet := createTestPacket(t, "100.10.0.1", "100.10.0.100", fw.ProtocolTCP, 12345, 443)
-		isDropped := manager.FilterInbound(packet, 0)
+		isDropped := manager.DropIncoming(packet, 0)
 		require.True(t, isDropped, "Packet should be dropped when no rules exist")
 	})
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-
-			if tc.ruleAction == fw.ActionDrop {
-				// add general accept rule to test drop rule
-				// TODO: this only works because 0.0.0.0 is tested last, we need to implement order
-				rules, err := manager.AddPeerFiltering(
-					nil,
-					net.ParseIP("0.0.0.0"),
-					fw.ProtocolALL,
-					nil,
-					nil,
-					fw.ActionAccept,
-					"",
-				)
-				require.NoError(t, err)
-				require.NotEmpty(t, rules)
-				t.Cleanup(func() {
-					for _, rule := range rules {
-						require.NoError(t, manager.DeletePeerRule(rule))
-					}
-				})
-			}
-
 			rules, err := manager.AddPeerFiltering(
 				nil,
 				net.ParseIP(tc.ruleIP),
@@ -509,7 +217,7 @@ func TestPeerACLFiltering(t *testing.T) {
 			})
 
 			packet := createTestPacket(t, tc.srcIP, tc.dstIP, tc.proto, tc.srcPort, tc.dstPort)
-			isDropped := manager.FilterInbound(packet, 0)
+			isDropped := manager.DropIncoming(packet, 0)
 			require.Equal(t, tc.shouldBeBlocked, isDropped)
 		})
 	}
@@ -575,13 +283,14 @@ func setupRoutedManager(tb testing.TB, network string) *Manager {
 	dev := mocks.NewMockDevice(ctrl)
 	dev.EXPECT().MTU().Return(1500, nil).AnyTimes()
 
-	wgNet := netip.MustParsePrefix(network)
+	localIP, wgNet, err := net.ParseCIDR(network)
+	require.NoError(tb, err)
 
 	ifaceMock := &IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 		AddressFunc: func() wgaddr.Address {
 			return wgaddr.Address{
-				IP:      wgNet.Addr(),
+				IP:      localIP,
 				Network: wgNet,
 			}
 		},
@@ -594,8 +303,8 @@ func setupRoutedManager(tb testing.TB, network string) *Manager {
 	}
 
 	manager, err := Create(ifaceMock, false, flowLogger)
-	require.NoError(tb, err)
 	require.NoError(tb, manager.EnableRouting())
+	require.NoError(tb, err)
 	require.NotNil(tb, manager)
 	require.True(tb, manager.routingEnabled.Load())
 	require.False(tb, manager.nativeRouter.Load())
@@ -612,7 +321,7 @@ func TestRouteACLFiltering(t *testing.T) {
 
 	type rule struct {
 		sources []netip.Prefix
-		dest    fw.Network
+		dest    netip.Prefix
 		proto   fw.Protocol
 		srcPort *fw.Port
 		dstPort *fw.Port
@@ -638,7 +347,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 443,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolTCP,
 				dstPort: &fw.Port{Values: []uint16{443}},
 				action:  fw.ActionAccept,
@@ -654,7 +363,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 443,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("0.0.0.0/0")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolTCP,
 				dstPort: &fw.Port{Values: []uint16{443}},
 				action:  fw.ActionAccept,
@@ -670,7 +379,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 443,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("0.0.0.0/0")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("0.0.0.0/0")},
+				dest:    netip.MustParsePrefix("0.0.0.0/0"),
 				proto:   fw.ProtocolTCP,
 				dstPort: &fw.Port{Values: []uint16{443}},
 				action:  fw.ActionAccept,
@@ -686,7 +395,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 53,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolUDP,
 				dstPort: &fw.Port{Values: []uint16{53}},
 				action:  fw.ActionAccept,
@@ -700,7 +409,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			proto: fw.ProtocolICMP,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("0.0.0.0/0")},
+				dest:    netip.MustParsePrefix("0.0.0.0/0"),
 				proto:   fw.ProtocolICMP,
 				action:  fw.ActionAccept,
 			},
@@ -715,7 +424,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 80,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolALL,
 				dstPort: &fw.Port{Values: []uint16{80}},
 				action:  fw.ActionAccept,
@@ -731,7 +440,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 8080,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolTCP,
 				dstPort: &fw.Port{Values: []uint16{80}},
 				action:  fw.ActionAccept,
@@ -747,7 +456,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 80,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolTCP,
 				dstPort: &fw.Port{Values: []uint16{80}},
 				action:  fw.ActionAccept,
@@ -763,7 +472,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 80,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolTCP,
 				dstPort: &fw.Port{Values: []uint16{80}},
 				action:  fw.ActionAccept,
@@ -779,7 +488,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 80,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolTCP,
 				srcPort: &fw.Port{Values: []uint16{12345}},
 				action:  fw.ActionAccept,
@@ -798,7 +507,7 @@ func TestRouteACLFiltering(t *testing.T) {
 					netip.MustParsePrefix("100.10.0.0/16"),
 					netip.MustParsePrefix("172.16.0.0/16"),
 				},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolTCP,
 				dstPort: &fw.Port{Values: []uint16{80}},
 				action:  fw.ActionAccept,
@@ -812,7 +521,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			proto: fw.ProtocolICMP,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolALL,
 				action:  fw.ActionAccept,
 			},
@@ -827,13 +536,33 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 80,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolALL,
 				dstPort: &fw.Port{Values: []uint16{80}},
 				action:  fw.ActionAccept,
 			},
 			shouldPass: true,
 		},
+		{
+			name:  "Multiple source networks with mismatched protocol",
+			srcIP: "172.16.0.1",
+			dstIP: "192.168.1.100",
+			// Should not match TCP rule
+			proto:   fw.ProtocolUDP,
+			srcPort: 12345,
+			dstPort: 80,
+			rule: rule{
+				sources: []netip.Prefix{
+					netip.MustParsePrefix("100.10.0.0/16"),
+					netip.MustParsePrefix("172.16.0.0/16"),
+				},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
+				proto:   fw.ProtocolTCP,
+				dstPort: &fw.Port{Values: []uint16{80}},
+				action:  fw.ActionAccept,
+			},
+			shouldPass: false,
+		},
 		{
 			name:    "Allow multiple destination ports",
 			srcIP:   "100.10.0.1",
@@ -843,7 +572,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 8080,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolTCP,
 				dstPort: &fw.Port{Values: []uint16{80, 8080, 443}},
 				action:  fw.ActionAccept,
@@ -859,7 +588,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 80,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolTCP,
 				srcPort: &fw.Port{Values: []uint16{12345, 12346, 12347}},
 				action:  fw.ActionAccept,
@@ -875,7 +604,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 80,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolALL,
 				srcPort: &fw.Port{Values: []uint16{12345}},
 				dstPort: &fw.Port{Values: []uint16{80}},
@@ -892,7 +621,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 8080,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolTCP,
 				dstPort: &fw.Port{
 					IsRange: true,
@@ -911,7 +640,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 7999,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolTCP,
 				dstPort: &fw.Port{
 					IsRange: true,
@@ -930,7 +659,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 80,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolTCP,
 				srcPort: &fw.Port{
 					IsRange: true,
@@ -949,7 +678,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 443,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolTCP,
 				srcPort: &fw.Port{
 					IsRange: true,
@@ -971,7 +700,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 8100,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolTCP,
 				dstPort: &fw.Port{
 					IsRange: true,
@@ -990,7 +719,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 5060,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolUDP,
 				dstPort: &fw.Port{
 					IsRange: true,
@@ -1009,7 +738,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 8080,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolALL,
 				dstPort: &fw.Port{
 					IsRange: true,
@@ -1028,7 +757,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 443,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolTCP,
 				dstPort: &fw.Port{Values: []uint16{443}},
 				action:  fw.ActionDrop,
@@ -1044,7 +773,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			dstPort: 80,
 			rule: rule{
 				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolALL,
 				action:  fw.ActionDrop,
 			},
@@ -1062,158 +791,17 @@ func TestRouteACLFiltering(t *testing.T) {
 					netip.MustParsePrefix("100.10.0.0/16"),
 					netip.MustParsePrefix("172.16.0.0/16"),
 				},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+				dest:    netip.MustParsePrefix("192.168.1.0/24"),
 				proto:   fw.ProtocolTCP,
 				dstPort: &fw.Port{Values: []uint16{80}},
 				action:  fw.ActionDrop,
 			},
 			shouldPass: false,
 		},
-
-		{
-			name:    "Drop empty destination set",
-			srcIP:   "172.16.0.1",
-			dstIP:   "192.168.1.100",
-			proto:   fw.ProtocolTCP,
-			srcPort: 12345,
-			dstPort: 80,
-			rule: rule{
-				sources: []netip.Prefix{
-					netip.MustParsePrefix("172.16.0.0/16"),
-				},
-				dest:    fw.Network{Set: fw.Set{}},
-				proto:   fw.ProtocolTCP,
-				dstPort: &fw.Port{Values: []uint16{80}},
-				action:  fw.ActionAccept,
-			},
-			shouldPass: false,
-		},
-		{
-			name:    "Accept TCP traffic outside drop port range",
-			srcIP:   "100.10.0.1",
-			dstIP:   "192.168.1.100",
-			proto:   fw.ProtocolTCP,
-			srcPort: 12345,
-			dstPort: 7999,
-			rule: rule{
-				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
-				proto:   fw.ProtocolTCP,
-				dstPort: &fw.Port{IsRange: true, Values: []uint16{8000, 8100}},
-				action:  fw.ActionDrop,
-			},
-			shouldPass: true,
-		},
-		{
-			name:    "Allow TCP traffic without port specification",
-			srcIP:   "100.10.0.1",
-			dstIP:   "192.168.1.100",
-			proto:   fw.ProtocolTCP,
-			srcPort: 12345,
-			dstPort: 443,
-			rule: rule{
-				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
-				proto:   fw.ProtocolTCP,
-				action:  fw.ActionAccept,
-			},
-			shouldPass: true,
-		},
-		{
-			name:    "Allow UDP traffic without port specification",
-			srcIP:   "100.10.0.1",
-			dstIP:   "192.168.1.100",
-			proto:   fw.ProtocolUDP,
-			srcPort: 12345,
-			dstPort: 53,
-			rule: rule{
-				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
-				proto:   fw.ProtocolUDP,
-				action:  fw.ActionAccept,
-			},
-			shouldPass: true,
-		},
-		{
-			name:    "TCP packet doesn't match UDP filter with same port",
-			srcIP:   "100.10.0.1",
-			dstIP:   "192.168.1.100",
-			proto:   fw.ProtocolTCP,
-			srcPort: 12345,
-			dstPort: 80,
-			rule: rule{
-				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
-				proto:   fw.ProtocolUDP,
-				dstPort: &fw.Port{Values: []uint16{80}},
-				action:  fw.ActionAccept,
-			},
-			shouldPass: false,
-		},
-		{
-			name:    "UDP packet doesn't match TCP filter with same port",
-			srcIP:   "100.10.0.1",
-			dstIP:   "192.168.1.100",
-			proto:   fw.ProtocolUDP,
-			srcPort: 12345,
-			dstPort: 80,
-			rule: rule{
-				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
-				proto:   fw.ProtocolTCP,
-				dstPort: &fw.Port{Values: []uint16{80}},
-				action:  fw.ActionAccept,
-			},
-			shouldPass: false,
-		},
-		{
-			name:  "ICMP packet doesn't match TCP filter",
-			srcIP: "100.10.0.1",
-			dstIP: "192.168.1.100",
-			proto: fw.ProtocolICMP,
-			rule: rule{
-				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
-				proto:   fw.ProtocolTCP,
-				action:  fw.ActionAccept,
-			},
-			shouldPass: false,
-		},
-		{
-			name:  "ICMP packet doesn't match UDP filter",
-			srcIP: "100.10.0.1",
-			dstIP: "192.168.1.100",
-			proto: fw.ProtocolICMP,
-			rule: rule{
-				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
-				proto:   fw.ProtocolUDP,
-				action:  fw.ActionAccept,
-			},
-			shouldPass: false,
-		},
 	}
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			if tc.rule.action == fw.ActionDrop {
-				// add general accept rule to test drop rule
-				rule, err := manager.AddRouteFiltering(
-					nil,
-					[]netip.Prefix{netip.MustParsePrefix("0.0.0.0/0")},
-					fw.Network{Prefix: netip.MustParsePrefix("0.0.0.0/0")},
-					fw.ProtocolALL,
-					nil,
-					nil,
-					fw.ActionAccept,
-				)
-				require.NoError(t, err)
-				require.NotNil(t, rule)
-				t.Cleanup(func() {
-					require.NoError(t, manager.DeleteRouteRule(rule))
-				})
-			}
-
 			rule, err := manager.AddRouteFiltering(
 				nil,
 				tc.rule.sources,
@@ -1233,7 +821,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			srcIP := netip.MustParseAddr(tc.srcIP)
 			dstIP := netip.MustParseAddr(tc.dstIP)
 
-			// testing routeACLsPass only and not FilterInbound, as routed packets are dropped after being passed
+			// testing routeACLsPass only and not DropIncoming, as routed packets are dropped after being passed
 			// to the forwarder
 			_, isAllowed := manager.routeACLsPass(srcIP, dstIP, tc.proto, tc.srcPort, tc.dstPort)
 			require.Equal(t, tc.shouldPass, isAllowed)
@@ -1248,7 +836,7 @@ func TestRouteACLOrder(t *testing.T) {
 		name  string
 		rules []struct {
 			sources []netip.Prefix
-			dest    fw.Network
+			dest    netip.Prefix
 			proto   fw.Protocol
 			srcPort *fw.Port
 			dstPort *fw.Port
@@ -1269,7 +857,7 @@ func TestRouteACLOrder(t *testing.T) {
 			name: "Drop rules take precedence over accept",
 			rules: []struct {
 				sources []netip.Prefix
-				dest    fw.Network
+				dest    netip.Prefix
 				proto   fw.Protocol
 				srcPort *fw.Port
 				dstPort *fw.Port
@@ -1278,7 +866,7 @@ func TestRouteACLOrder(t *testing.T) {
 				{
 					// Accept rule added first
 					sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-					dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+					dest:    netip.MustParsePrefix("192.168.1.0/24"),
 					proto:   fw.ProtocolTCP,
 					dstPort: &fw.Port{Values: []uint16{80, 443}},
 					action:  fw.ActionAccept,
@@ -1286,7 +874,7 @@ func TestRouteACLOrder(t *testing.T) {
 				{
 					// Drop rule added second but should be evaluated first
 					sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-					dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+					dest:    netip.MustParsePrefix("192.168.1.0/24"),
 					proto:   fw.ProtocolTCP,
 					dstPort: &fw.Port{Values: []uint16{443}},
 					action:  fw.ActionDrop,
@@ -1324,7 +912,7 @@ func TestRouteACLOrder(t *testing.T) {
 			name: "Multiple drop rules take precedence",
 			rules: []struct {
 				sources []netip.Prefix
-				dest    fw.Network
+				dest    netip.Prefix
 				proto   fw.Protocol
 				srcPort *fw.Port
 				dstPort *fw.Port
@@ -1333,14 +921,14 @@ func TestRouteACLOrder(t *testing.T) {
 				{
 					// Accept all
 					sources: []netip.Prefix{netip.MustParsePrefix("0.0.0.0/0")},
-					dest:    fw.Network{Prefix: netip.MustParsePrefix("0.0.0.0/0")},
+					dest:    netip.MustParsePrefix("0.0.0.0/0"),
 					proto:   fw.ProtocolALL,
 					action:  fw.ActionAccept,
 				},
 				{
 					// Drop specific port
 					sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-					dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+					dest:    netip.MustParsePrefix("192.168.1.0/24"),
 					proto:   fw.ProtocolTCP,
 					dstPort: &fw.Port{Values: []uint16{443}},
 					action:  fw.ActionDrop,
@@ -1348,7 +936,7 @@ func TestRouteACLOrder(t *testing.T) {
 				{
 					// Drop different port
 					sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-					dest:    fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
+					dest:    netip.MustParsePrefix("192.168.1.0/24"),
 					proto:   fw.ProtocolTCP,
 					dstPort: &fw.Port{Values: []uint16{80}},
 					action:  fw.ActionDrop,
@@ -1427,50 +1015,3 @@ func TestRouteACLOrder(t *testing.T) {
 		})
 	}
 }
-
-func TestRouteACLSet(t *testing.T) {
-	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-		AddressFunc: func() wgaddr.Address {
-			return wgaddr.Address{
-				IP:      netip.MustParseAddr("100.10.0.100"),
-				Network: netip.MustParsePrefix("100.10.0.0/16"),
-			}
-		},
-	}
-
-	manager, err := Create(ifaceMock, false, flowLogger)
-	require.NoError(t, err)
-	t.Cleanup(func() {
-		require.NoError(t, manager.Close(nil))
-	})
-
-	set := fw.NewDomainSet(domain.List{"example.org"})
-
-	// Add rule that uses the set (initially empty)
-	rule, err := manager.AddRouteFiltering(
-		nil,
-		[]netip.Prefix{netip.MustParsePrefix("0.0.0.0/0")},
-		fw.Network{Set: set},
-		fw.ProtocolTCP,
-		nil,
-		nil,
-		fw.ActionAccept,
-	)
-	require.NoError(t, err)
-	require.NotNil(t, rule)
-
-	srcIP := netip.MustParseAddr("100.10.0.1")
-	dstIP := netip.MustParseAddr("192.168.1.100")
-
-	// Check that traffic is dropped (empty set shouldn't match anything)
-	_, isAllowed := manager.routeACLsPass(srcIP, dstIP, fw.ProtocolTCP, 12345, 80)
-	require.False(t, isAllowed, "Empty set should not allow any traffic")
-
-	err = manager.UpdateSet(set, []netip.Prefix{netip.MustParsePrefix("192.168.1.0/24")})
-	require.NoError(t, err)
-
-	// Now the packet should be allowed
-	_, isAllowed = manager.routeACLsPass(srcIP, dstIP, fw.ProtocolTCP, 12345, 80)
-	require.True(t, isAllowed, "After set update, traffic to the added network should be allowed")
-}

client/firewall/uspfilter/uspfilter_test.go

@@ -20,7 +20,6 @@ import (
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/netflow"
-	"github.com/netbirdio/netbird/management/domain"
 )
 
 var logger = log.NewFromLogrus(logrus.StandardLogger())
@@ -271,8 +270,11 @@ func TestNotMatchByIP(t *testing.T) {
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 		AddressFunc: func() wgaddr.Address {
 			return wgaddr.Address{
-				IP:      netip.MustParseAddr("100.10.0.100"),
-				Network: netip.MustParsePrefix("100.10.0.0/16"),
+				IP: net.ParseIP("100.10.0.100"),
+				Network: &net.IPNet{
+					IP:   net.ParseIP("100.10.0.0"),
+					Mask: net.CIDRMask(16, 32),
+				},
 			}
 		},
 	}
@@ -282,6 +284,10 @@ func TestNotMatchByIP(t *testing.T) {
 		t.Errorf("failed to create Manager: %v", err)
 		return
 	}
+	m.wgNetwork = &net.IPNet{
+		IP:   net.ParseIP("100.10.0.0"),
+		Mask: net.CIDRMask(16, 32),
+	}
 
 	ip := net.ParseIP("0.0.0.0")
 	proto := fw.ProtocolUDP
@@ -321,7 +327,7 @@ func TestNotMatchByIP(t *testing.T) {
 		return
 	}
 
-	if m.filterInbound(buf.Bytes(), 0) {
+	if m.dropFilter(buf.Bytes(), 0) {
 		t.Errorf("expected packet to be accepted")
 		return
 	}
@@ -389,6 +395,10 @@ func TestProcessOutgoingHooks(t *testing.T) {
 	}, false, flowLogger)
 	require.NoError(t, err)
 
+	manager.wgNetwork = &net.IPNet{
+		IP:   net.ParseIP("100.10.0.0"),
+		Mask: net.CIDRMask(16, 32),
+	}
 	manager.udpTracker.Close()
 	manager.udpTracker = conntrack.NewUDPTracker(100*time.Millisecond, logger, flowLogger)
 	defer func() {
@@ -447,7 +457,7 @@ func TestProcessOutgoingHooks(t *testing.T) {
 	require.NoError(t, err)
 
 	// Test hook gets called
-	result := manager.filterOutbound(buf.Bytes(), 0)
+	result := manager.processOutgoingHooks(buf.Bytes(), 0)
 	require.True(t, result)
 	require.True(t, hookCalled)
 
@@ -457,7 +467,7 @@ func TestProcessOutgoingHooks(t *testing.T) {
 	err = gopacket.SerializeLayers(buf, opts, ipv4)
 	require.NoError(t, err)
 
-	result = manager.filterOutbound(buf.Bytes(), 0)
+	result = manager.processOutgoingHooks(buf.Bytes(), 0)
 	require.False(t, result)
 }
 
@@ -498,6 +508,11 @@ func TestStatefulFirewall_UDPTracking(t *testing.T) {
 	}, false, flowLogger)
 	require.NoError(t, err)
 
+	manager.wgNetwork = &net.IPNet{
+		IP:   net.ParseIP("100.10.0.0"),
+		Mask: net.CIDRMask(16, 32),
+	}
+
 	manager.udpTracker.Close() // Close the existing tracker
 	manager.udpTracker = conntrack.NewUDPTracker(200*time.Millisecond, logger, flowLogger)
 	manager.decoders = sync.Pool{
@@ -553,7 +568,7 @@ func TestStatefulFirewall_UDPTracking(t *testing.T) {
 	require.NoError(t, err)
 
 	// Process outbound packet and verify connection tracking
-	drop := manager.FilterOutbound(outboundBuf.Bytes(), 0)
+	drop := manager.DropOutgoing(outboundBuf.Bytes(), 0)
 	require.False(t, drop, "Initial outbound packet should not be dropped")
 
 	// Verify connection was tracked
@@ -620,7 +635,7 @@ func TestStatefulFirewall_UDPTracking(t *testing.T) {
 	for _, cp := range checkPoints {
 		time.Sleep(cp.sleep)
 
-		drop = manager.filterInbound(inboundBuf.Bytes(), 0)
+		drop = manager.dropFilter(inboundBuf.Bytes(), 0)
 		require.Equal(t, cp.shouldAllow, !drop, cp.description)
 
 		// If the connection should still be valid, verify it exists
@@ -669,7 +684,7 @@ func TestStatefulFirewall_UDPTracking(t *testing.T) {
 	}
 
 	// Create a new outbound connection for invalid tests
-	drop = manager.filterOutbound(outboundBuf.Bytes(), 0)
+	drop = manager.processOutgoingHooks(outboundBuf.Bytes(), 0)
 	require.False(t, drop, "Second outbound packet should not be dropped")
 
 	for _, tc := range invalidCases {
@@ -691,208 +706,8 @@ func TestStatefulFirewall_UDPTracking(t *testing.T) {
 			require.NoError(t, err)
 
 			// Verify the invalid packet is dropped
-			drop = manager.filterInbound(testBuf.Bytes(), 0)
+			drop = manager.dropFilter(testBuf.Bytes(), 0)
 			require.True(t, drop, tc.description)
 		})
 	}
 }
-
-func TestUpdateSetMerge(t *testing.T) {
-	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}
-
-	manager, err := Create(ifaceMock, false, flowLogger)
-	require.NoError(t, err)
-	t.Cleanup(func() {
-		require.NoError(t, manager.Close(nil))
-	})
-
-	set := fw.NewDomainSet(domain.List{"example.org"})
-
-	initialPrefixes := []netip.Prefix{
-		netip.MustParsePrefix("10.0.0.0/24"),
-		netip.MustParsePrefix("192.168.1.0/24"),
-	}
-
-	rule, err := manager.AddRouteFiltering(
-		nil,
-		[]netip.Prefix{netip.MustParsePrefix("0.0.0.0/0")},
-		fw.Network{Set: set},
-		fw.ProtocolTCP,
-		nil,
-		nil,
-		fw.ActionAccept,
-	)
-	require.NoError(t, err)
-	require.NotNil(t, rule)
-
-	// Update the set with initial prefixes
-	err = manager.UpdateSet(set, initialPrefixes)
-	require.NoError(t, err)
-
-	// Test initial prefixes work
-	srcIP := netip.MustParseAddr("100.10.0.1")
-	dstIP1 := netip.MustParseAddr("10.0.0.100")
-	dstIP2 := netip.MustParseAddr("192.168.1.100")
-	dstIP3 := netip.MustParseAddr("172.16.0.100")
-
-	_, isAllowed1 := manager.routeACLsPass(srcIP, dstIP1, fw.ProtocolTCP, 12345, 80)
-	_, isAllowed2 := manager.routeACLsPass(srcIP, dstIP2, fw.ProtocolTCP, 12345, 80)
-	_, isAllowed3 := manager.routeACLsPass(srcIP, dstIP3, fw.ProtocolTCP, 12345, 80)
-
-	require.True(t, isAllowed1, "Traffic to 10.0.0.100 should be allowed")
-	require.True(t, isAllowed2, "Traffic to 192.168.1.100 should be allowed")
-	require.False(t, isAllowed3, "Traffic to 172.16.0.100 should be denied")
-
-	newPrefixes := []netip.Prefix{
-		netip.MustParsePrefix("172.16.0.0/16"),
-		netip.MustParsePrefix("10.1.0.0/24"),
-	}
-
-	err = manager.UpdateSet(set, newPrefixes)
-	require.NoError(t, err)
-
-	// Check that all original prefixes are still included
-	_, isAllowed1 = manager.routeACLsPass(srcIP, dstIP1, fw.ProtocolTCP, 12345, 80)
-	_, isAllowed2 = manager.routeACLsPass(srcIP, dstIP2, fw.ProtocolTCP, 12345, 80)
-	require.True(t, isAllowed1, "Traffic to 10.0.0.100 should still be allowed after update")
-	require.True(t, isAllowed2, "Traffic to 192.168.1.100 should still be allowed after update")
-
-	// Check that new prefixes are included
-	dstIP4 := netip.MustParseAddr("172.16.1.100")
-	dstIP5 := netip.MustParseAddr("10.1.0.50")
-
-	_, isAllowed4 := manager.routeACLsPass(srcIP, dstIP4, fw.ProtocolTCP, 12345, 80)
-	_, isAllowed5 := manager.routeACLsPass(srcIP, dstIP5, fw.ProtocolTCP, 12345, 80)
-
-	require.True(t, isAllowed4, "Traffic to new prefix 172.16.0.0/16 should be allowed")
-	require.True(t, isAllowed5, "Traffic to new prefix 10.1.0.0/24 should be allowed")
-
-	// Verify the rule has all prefixes
-	manager.mutex.RLock()
-	foundRule := false
-	for _, r := range manager.routeRules {
-		if r.id == rule.ID() {
-			foundRule = true
-			require.Len(t, r.destinations, len(initialPrefixes)+len(newPrefixes),
-				"Rule should have all prefixes merged")
-		}
-	}
-	manager.mutex.RUnlock()
-	require.True(t, foundRule, "Rule should be found")
-}
-
-func TestUpdateSetDeduplication(t *testing.T) {
-	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}
-
-	manager, err := Create(ifaceMock, false, flowLogger)
-	require.NoError(t, err)
-	t.Cleanup(func() {
-		require.NoError(t, manager.Close(nil))
-	})
-
-	set := fw.NewDomainSet(domain.List{"example.org"})
-
-	rule, err := manager.AddRouteFiltering(
-		nil,
-		[]netip.Prefix{netip.MustParsePrefix("0.0.0.0/0")},
-		fw.Network{Set: set},
-		fw.ProtocolTCP,
-		nil,
-		nil,
-		fw.ActionAccept,
-	)
-	require.NoError(t, err)
-	require.NotNil(t, rule)
-
-	initialPrefixes := []netip.Prefix{
-		netip.MustParsePrefix("10.0.0.0/24"),
-		netip.MustParsePrefix("10.0.0.0/24"), // Duplicate
-		netip.MustParsePrefix("192.168.1.0/24"),
-		netip.MustParsePrefix("192.168.1.0/24"), // Duplicate
-	}
-
-	err = manager.UpdateSet(set, initialPrefixes)
-	require.NoError(t, err)
-
-	// Check the internal state for deduplication
-	manager.mutex.RLock()
-	foundRule := false
-	for _, r := range manager.routeRules {
-		if r.id == rule.ID() {
-			foundRule = true
-			// Should have deduplicated to 2 prefixes
-			require.Len(t, r.destinations, 2, "Duplicate prefixes should be removed")
-
-			// Check the prefixes are correct
-			expectedPrefixes := []netip.Prefix{
-				netip.MustParsePrefix("10.0.0.0/24"),
-				netip.MustParsePrefix("192.168.1.0/24"),
-			}
-			for i, prefix := range expectedPrefixes {
-				require.True(t, r.destinations[i] == prefix,
-					"Prefix should match expected value")
-			}
-		}
-	}
-	manager.mutex.RUnlock()
-	require.True(t, foundRule, "Rule should be found")
-
-	// Test with overlapping prefixes of different sizes
-	overlappingPrefixes := []netip.Prefix{
-		netip.MustParsePrefix("10.0.0.0/16"),    // More general
-		netip.MustParsePrefix("10.0.0.0/24"),    // More specific (already exists)
-		netip.MustParsePrefix("192.168.0.0/16"), // More general
-		netip.MustParsePrefix("192.168.1.0/24"), // More specific (already exists)
-	}
-
-	err = manager.UpdateSet(set, overlappingPrefixes)
-	require.NoError(t, err)
-
-	// Check that all prefixes are included (no deduplication of overlapping prefixes)
-	manager.mutex.RLock()
-	for _, r := range manager.routeRules {
-		if r.id == rule.ID() {
-			// Should have all 4 prefixes (2 original + 2 new more general ones)
-			require.Len(t, r.destinations, 4,
-				"Overlapping prefixes should not be deduplicated")
-
-			// Verify they're sorted correctly (more specific prefixes should come first)
-			prefixes := make([]string, 0, len(r.destinations))
-			for _, p := range r.destinations {
-				prefixes = append(prefixes, p.String())
-			}
-
-			// Check sorted order
-			require.Equal(t, []string{
-				"10.0.0.0/16",
-				"10.0.0.0/24",
-				"192.168.0.0/16",
-				"192.168.1.0/24",
-			}, prefixes, "Prefixes should be sorted")
-		}
-	}
-	manager.mutex.RUnlock()
-
-	// Test functionality with all prefixes
-	testCases := []struct {
-		dstIP    netip.Addr
-		expected bool
-		desc     string
-	}{
-		{netip.MustParseAddr("10.0.0.100"), true, "IP in both /16 and /24"},
-		{netip.MustParseAddr("10.0.1.100"), true, "IP only in /16"},
-		{netip.MustParseAddr("192.168.1.100"), true, "IP in both /16 and /24"},
-		{netip.MustParseAddr("192.168.2.100"), true, "IP only in /16"},
-		{netip.MustParseAddr("172.16.0.100"), false, "IP not in any prefix"},
-	}
-
-	srcIP := netip.MustParseAddr("100.10.0.1")
-	for _, tc := range testCases {
-		_, isAllowed := manager.routeACLsPass(srcIP, tc.dstIP, fw.ProtocolTCP, 12345, 80)
-		require.Equal(t, tc.expected, isAllowed, tc.desc)
-	}
-}

client/iface/bind/activity.go

@@ -1,96 +0,0 @@
-package bind
-
-import (
-	"net/netip"
-	"sync"
-	"sync/atomic"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/monotime"
-)
-
-const (
-	saveFrequency = int64(5 * time.Second)
-)
-
-type PeerRecord struct {
-	Address      netip.AddrPort
-	LastActivity atomic.Int64 // UnixNano timestamp
-}
-
-type ActivityRecorder struct {
-	mu         sync.RWMutex
-	peers      map[string]*PeerRecord         // publicKey to PeerRecord map
-	addrToPeer map[netip.AddrPort]*PeerRecord // address to PeerRecord map
-}
-
-func NewActivityRecorder() *ActivityRecorder {
-	return &ActivityRecorder{
-		peers:      make(map[string]*PeerRecord),
-		addrToPeer: make(map[netip.AddrPort]*PeerRecord),
-	}
-}
-
-// GetLastActivities returns a snapshot of peer last activity
-func (r *ActivityRecorder) GetLastActivities() map[string]monotime.Time {
-	r.mu.RLock()
-	defer r.mu.RUnlock()
-
-	activities := make(map[string]monotime.Time, len(r.peers))
-	for key, record := range r.peers {
-		monoTime := record.LastActivity.Load()
-		activities[key] = monotime.Time(monoTime)
-	}
-	return activities
-}
-
-// UpsertAddress adds or updates the address for a publicKey
-func (r *ActivityRecorder) UpsertAddress(publicKey string, address netip.AddrPort) {
-	r.mu.Lock()
-	defer r.mu.Unlock()
-
-	var record *PeerRecord
-	record, exists := r.peers[publicKey]
-	if exists {
-		delete(r.addrToPeer, record.Address)
-		record.Address = address
-	} else {
-		record = &PeerRecord{
-			Address: address,
-		}
-		record.LastActivity.Store(int64(monotime.Now()))
-		r.peers[publicKey] = record
-	}
-
-	r.addrToPeer[address] = record
-}
-
-func (r *ActivityRecorder) Remove(publicKey string) {
-	r.mu.Lock()
-	defer r.mu.Unlock()
-	if record, exists := r.peers[publicKey]; exists {
-		delete(r.addrToPeer, record.Address)
-		delete(r.peers, publicKey)
-	}
-}
-
-// record updates LastActivity for the given address using atomic store
-func (r *ActivityRecorder) record(address netip.AddrPort) {
-	r.mu.RLock()
-	record, ok := r.addrToPeer[address]
-	r.mu.RUnlock()
-	if !ok {
-		log.Warnf("could not find record for address %s", address)
-		return
-	}
-
-	now := int64(monotime.Now())
-	last := record.LastActivity.Load()
-	if now-last < saveFrequency {
-		return
-	}
-
-	_ = record.LastActivity.CompareAndSwap(last, now)
-}

client/iface/bind/activity_test.go

@@ -1,25 +0,0 @@
-package bind
-
-import (
-	"net/netip"
-	"testing"
-	"time"
-
-	"github.com/netbirdio/netbird/monotime"
-)
-
-func TestActivityRecorder_GetLastActivities(t *testing.T) {
-	peer := "peer1"
-	ar := NewActivityRecorder()
-	ar.UpsertAddress("peer1", netip.MustParseAddrPort("192.168.0.5:51820"))
-	activities := ar.GetLastActivities()
-
-	p, ok := activities[peer]
-	if !ok {
-		t.Fatalf("Expected activity for peer %s, but got none", peer)
-	}
-
-	if monotime.Since(p) > 5*time.Second {
-		t.Fatalf("Expected activity for peer %s to be recent, but got %v", peer, p)
-	}
-}

client/iface/bind/control.go

@@ -1,15 +0,0 @@
-package bind
-
-import (
-	wireguard "golang.zx2c4.com/wireguard/conn"
-
-	nbnet "github.com/netbirdio/netbird/util/net"
-)
-
-// TODO: This is most likely obsolete since the control fns should be called by the wrapped udpconn (ice_bind.go)
-func init() {
-	listener := nbnet.NewListener()
-	if listener.ListenConfig.Control != nil {
-		*wireguard.ControlFns = append(*wireguard.ControlFns, listener.ListenConfig.Control)
-	}
-}

client/iface/bind/control_android.go

@@ -0,0 +1,12 @@
+package bind
+
+import (
+	wireguard "golang.zx2c4.com/wireguard/conn"
+
+	nbnet "github.com/netbirdio/netbird/util/net"
+)
+
+func init() {
+	// ControlFns is not thread safe and should only be modified during init.
+	*wireguard.ControlFns = append(*wireguard.ControlFns, nbnet.ControlProtectSocket)
+}

client/iface/bind/ice_bind.go

@@ -1,7 +1,6 @@
 package bind
 
 import (
-	"encoding/binary"
 	"fmt"
 	"net"
 	"net/netip"
@@ -16,7 +15,6 @@ import (
 	wgConn "golang.zx2c4.com/wireguard/conn"
 
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
-	nbnet "github.com/netbirdio/netbird/util/net"
 )
 
 type RecvMessage struct {
@@ -53,24 +51,22 @@ type ICEBind struct {
 	closedChanMu sync.RWMutex // protect the closeChan recreation from reading from it.
 	closed       bool
 
-	muUDPMux         sync.Mutex
-	udpMux           *UniversalUDPMuxDefault
-	address          wgaddr.Address
-	activityRecorder *ActivityRecorder
+	muUDPMux sync.Mutex
+	udpMux   *UniversalUDPMuxDefault
+	address  wgaddr.Address
 }
 
 func NewICEBind(transportNet transport.Net, filterFn FilterFn, address wgaddr.Address) *ICEBind {
 	b, _ := wgConn.NewStdNetBind().(*wgConn.StdNetBind)
 	ib := &ICEBind{
-		StdNetBind:       b,
-		RecvChan:         make(chan RecvMessage, 1),
-		transportNet:     transportNet,
-		filterFn:         filterFn,
-		endpoints:        make(map[netip.Addr]net.Conn),
-		closedChan:       make(chan struct{}),
-		closed:           true,
-		address:          address,
-		activityRecorder: NewActivityRecorder(),
+		StdNetBind:   b,
+		RecvChan:     make(chan RecvMessage, 1),
+		transportNet: transportNet,
+		filterFn:     filterFn,
+		endpoints:    make(map[netip.Addr]net.Conn),
+		closedChan:   make(chan struct{}),
+		closed:       true,
+		address:      address,
 	}
 
 	rc := receiverCreator{
@@ -104,10 +100,6 @@ func (s *ICEBind) Close() error {
 	return s.StdNetBind.Close()
 }
 
-func (s *ICEBind) ActivityRecorder() *ActivityRecorder {
-	return s.activityRecorder
-}
-
 // GetICEMux returns the ICE UDPMux that was created and used by ICEBind
 func (s *ICEBind) GetICEMux() (*UniversalUDPMuxDefault, error) {
 	s.muUDPMux.Lock()
@@ -154,7 +146,7 @@ func (s *ICEBind) createIPv4ReceiverFn(pc *ipv4.PacketConn, conn *net.UDPConn, r
 
 	s.udpMux = NewUniversalUDPMuxDefault(
 		UniversalUDPMuxParams{
-			UDPConn:   nbnet.WrapUDPConn(conn),
+			UDPConn:   conn,
 			Net:       s.transportNet,
 			FilterFn:  s.filterFn,
 			WGAddress: s.address,
@@ -207,11 +199,6 @@ func (s *ICEBind) createIPv4ReceiverFn(pc *ipv4.PacketConn, conn *net.UDPConn, r
 				continue
 			}
 			addrPort := msg.Addr.(*net.UDPAddr).AddrPort()
-
-			if isTransportPkg(msg.Buffers, msg.N) {
-				s.activityRecorder.record(addrPort)
-			}
-
 			ep := &wgConn.StdNetEndpoint{AddrPort: addrPort} // TODO: remove allocation
 			wgConn.GetSrcFromControl(msg.OOB[:msg.NN], ep)
 			eps[i] = ep
@@ -270,13 +257,6 @@ func (c *ICEBind) receiveRelayed(buffs [][]byte, sizes []int, eps []wgConn.Endpo
 		copy(buffs[0], msg.Buffer)
 		sizes[0] = len(msg.Buffer)
 		eps[0] = wgConn.Endpoint(msg.Endpoint)
-
-		if isTransportPkg(buffs, sizes[0]) {
-			if ep, ok := eps[0].(*Endpoint); ok {
-				c.activityRecorder.record(ep.AddrPort)
-			}
-		}
-
 		return 1, nil
 	}
 }
@@ -292,19 +272,3 @@ func putMessages(msgs *[]ipv6.Message, msgsPool *sync.Pool) {
 	}
 	msgsPool.Put(msgs)
 }
-
-func isTransportPkg(buffers [][]byte, n int) bool {
-	// The first buffer should contain at least 4 bytes for type
-	if len(buffers[0]) < 4 {
-		return true
-	}
-
-	// WireGuard packet type is a little-endian uint32 at start
-	packetType := binary.LittleEndian.Uint32(buffers[0][:4])
-
-	// Check if packetType matches known WireGuard message types
-	if packetType == 4 && n > 32 {
-		return true
-	}
-	return false
-}

client/iface/bind/udp_mux.go

@@ -296,20 +296,14 @@ func (m *UDPMuxDefault) RemoveConnByUfrag(ufrag string) {
 		return
 	}
 
-	var allAddresses []string
+	m.addressMapMu.Lock()
+	defer m.addressMapMu.Unlock()
+
 	for _, c := range removedConns {
 		addresses := c.getAddresses()
-		allAddresses = append(allAddresses, addresses...)
-	}
-
-	m.addressMapMu.Lock()
-	for _, addr := range allAddresses {
-		delete(m.addressMap, addr)
-	}
-	m.addressMapMu.Unlock()
-
-	for _, addr := range allAddresses {
-		m.notifyAddressRemoval(addr)
+		for _, addr := range addresses {
+			delete(m.addressMap, addr)
+		}
 	}
 }
 
@@ -357,13 +351,14 @@ func (m *UDPMuxDefault) registerConnForAddress(conn *udpMuxedConn, addr string)
 	}
 
 	m.addressMapMu.Lock()
+	defer m.addressMapMu.Unlock()
+
 	existing, ok := m.addressMap[addr]
 	if !ok {
 		existing = []*udpMuxedConn{}
 	}
 	existing = append(existing, conn)
 	m.addressMap[addr] = existing
-	m.addressMapMu.Unlock()
 
 	log.Debugf("ICE: registered %s for %s", addr, conn.params.Key)
 }
@@ -391,12 +386,12 @@ func (m *UDPMuxDefault) HandleSTUNMessage(msg *stun.Message, addr net.Addr) erro
 	// If you are using the same socket for the Host and SRFLX candidates, it might be that there are more than one
 	// muxed connection - one for the SRFLX candidate and the other one for the HOST one.
 	// We will then forward STUN packets to each of these connections.
-	m.addressMapMu.RLock()
+	m.addressMapMu.Lock()
 	var destinationConnList []*udpMuxedConn
 	if storedConns, ok := m.addressMap[addr.String()]; ok {
 		destinationConnList = append(destinationConnList, storedConns...)
 	}
-	m.addressMapMu.RUnlock()
+	m.addressMapMu.Unlock()
 
 	var isIPv6 bool
 	if udpAddr, _ := addr.(*net.UDPAddr); udpAddr != nil && udpAddr.IP.To4() == nil {

client/iface/bind/udp_mux_generic.go

@@ -1,21 +0,0 @@
-//go:build !ios
-
-package bind
-
-import (
-	nbnet "github.com/netbirdio/netbird/util/net"
-)
-
-func (m *UDPMuxDefault) notifyAddressRemoval(addr string) {
-	wrapped, ok := m.params.UDPConn.(*UDPConn)
-	if !ok {
-		return
-	}
-
-	nbnetConn, ok := wrapped.GetPacketConn().(*nbnet.UDPConn)
-	if !ok {
-		return
-	}
-
-	nbnetConn.RemoveAddress(addr)
-}

client/iface/bind/udp_mux_ios.go

@@ -1,7 +0,0 @@
-//go:build ios
-
-package bind
-
-func (m *UDPMuxDefault) notifyAddressRemoval(addr string) {
-	// iOS doesn't support nbnet hooks, so this is a no-op
-}

client/iface/bind/udp_mux_universal.go

@@ -62,7 +62,7 @@ func NewUniversalUDPMuxDefault(params UniversalUDPMuxParams) *UniversalUDPMuxDef
 
 	// wrap UDP connection, process server reflexive messages
 	// before they are passed to the UDPMux connection handler (connWorker)
-	m.params.UDPConn = &UDPConn{
+	m.params.UDPConn = &udpConn{
 		PacketConn: params.UDPConn,
 		mux:        m,
 		logger:     params.Logger,
@@ -70,6 +70,7 @@ func NewUniversalUDPMuxDefault(params UniversalUDPMuxParams) *UniversalUDPMuxDef
 		address:    params.WGAddress,
 	}
 
+	// embed UDPMux
 	udpMuxParams := UDPMuxParams{
 		Logger:  params.Logger,
 		UDPConn: m.params.UDPConn,
@@ -113,8 +114,8 @@ func (m *UniversalUDPMuxDefault) ReadFromConn(ctx context.Context) {
 	}
 }
 
-// UDPConn is a wrapper around UDPMux conn that overrides ReadFrom and handles STUN/TURN packets
-type UDPConn struct {
+// udpConn is a wrapper around UDPMux conn that overrides ReadFrom and handles STUN/TURN packets
+type udpConn struct {
 	net.PacketConn
 	mux      *UniversalUDPMuxDefault
 	logger   logging.LeveledLogger
@@ -124,12 +125,7 @@ type UDPConn struct {
 	address   wgaddr.Address
 }
 
-// GetPacketConn returns the underlying PacketConn
-func (u *UDPConn) GetPacketConn() net.PacketConn {
-	return u.PacketConn
-}
-
-func (u *UDPConn) WriteTo(b []byte, addr net.Addr) (int, error) {
+func (u *udpConn) WriteTo(b []byte, addr net.Addr) (int, error) {
 	if u.filterFn == nil {
 		return u.PacketConn.WriteTo(b, addr)
 	}
@@ -141,21 +137,21 @@ func (u *UDPConn) WriteTo(b []byte, addr net.Addr) (int, error) {
 	return u.handleUncachedAddress(b, addr)
 }
 
-func (u *UDPConn) handleCachedAddress(isRouted bool, b []byte, addr net.Addr) (int, error) {
+func (u *udpConn) handleCachedAddress(isRouted bool, b []byte, addr net.Addr) (int, error) {
 	if isRouted {
 		return 0, fmt.Errorf("address %s is part of a routed network, refusing to write", addr)
 	}
 	return u.PacketConn.WriteTo(b, addr)
 }
 
-func (u *UDPConn) handleUncachedAddress(b []byte, addr net.Addr) (int, error) {
+func (u *udpConn) handleUncachedAddress(b []byte, addr net.Addr) (int, error) {
 	if err := u.performFilterCheck(addr); err != nil {
 		return 0, err
 	}
 	return u.PacketConn.WriteTo(b, addr)
 }
 
-func (u *UDPConn) performFilterCheck(addr net.Addr) error {
+func (u *udpConn) performFilterCheck(addr net.Addr) error {
 	host, err := getHostFromAddr(addr)
 	if err != nil {
 		log.Errorf("Failed to get host from address %s: %v", addr, err)
@@ -168,7 +164,7 @@ func (u *UDPConn) performFilterCheck(addr net.Addr) error {
 		return nil
 	}
 
-	if u.address.Network.Contains(a) {
+	if u.address.Network.Contains(a.AsSlice()) {
 		log.Warnf("Address %s is part of the NetBird network %s, refusing to write", addr, u.address)
 		return fmt.Errorf("address %s is part of the NetBird network %s, refusing to write", addr, u.address)
 	}

client/iface/configurer/common.go

@@ -1,17 +0,0 @@
-package configurer
-
-import (
-	"net"
-	"net/netip"
-)
-
-func prefixesToIPNets(prefixes []netip.Prefix) []net.IPNet {
-	ipNets := make([]net.IPNet, len(prefixes))
-	for i, prefix := range prefixes {
-		ipNets[i] = net.IPNet{
-			IP:   prefix.Addr().AsSlice(),                             // Convert netip.Addr to net.IP
-			Mask: net.CIDRMask(prefix.Bits(), prefix.Addr().BitLen()), // Create subnet mask
-		}
-	}
-	return ipNets
-}

client/iface/configurer/kernel_unix.go

@@ -5,18 +5,13 @@ package configurer
 import (
 	"fmt"
 	"net"
-	"net/netip"
 	"time"
 
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
-
-	"github.com/netbirdio/netbird/monotime"
 )
 
-var zeroKey wgtypes.Key
-
 type KernelConfigurer struct {
 	deviceName string
 }
@@ -48,7 +43,7 @@ func (c *KernelConfigurer) ConfigureInterface(privateKey string, port int) error
 	return nil
 }
 
-func (c *KernelConfigurer) UpdatePeer(peerKey string, allowedIps []netip.Prefix, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error {
+func (c *KernelConfigurer) UpdatePeer(peerKey string, allowedIps []net.IPNet, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error {
 	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
 	if err != nil {
 		return err
@@ -57,7 +52,7 @@ func (c *KernelConfigurer) UpdatePeer(peerKey string, allowedIps []netip.Prefix,
 		PublicKey:         peerKeyParsed,
 		ReplaceAllowedIPs: false,
 		// don't replace allowed ips, wg will handle duplicated peer IP
-		AllowedIPs:                  prefixesToIPNets(allowedIps),
+		AllowedIPs:                  allowedIps,
 		PersistentKeepaliveInterval: &keepAlive,
 		Endpoint:                    endpoint,
 		PresharedKey:                preSharedKey,
@@ -94,10 +89,10 @@ func (c *KernelConfigurer) RemovePeer(peerKey string) error {
 	return nil
 }
 
-func (c *KernelConfigurer) AddAllowedIP(peerKey string, allowedIP netip.Prefix) error {
-	ipNet := net.IPNet{
-		IP:   allowedIP.Addr().AsSlice(),
-		Mask: net.CIDRMask(allowedIP.Bits(), allowedIP.Addr().BitLen()),
+func (c *KernelConfigurer) AddAllowedIP(peerKey string, allowedIP string) error {
+	_, ipNet, err := net.ParseCIDR(allowedIP)
+	if err != nil {
+		return err
 	}
 
 	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
@@ -108,7 +103,7 @@ func (c *KernelConfigurer) AddAllowedIP(peerKey string, allowedIP netip.Prefix)
 		PublicKey:         peerKeyParsed,
 		UpdateOnly:        true,
 		ReplaceAllowedIPs: false,
-		AllowedIPs:        []net.IPNet{ipNet},
+		AllowedIPs:        []net.IPNet{*ipNet},
 	}
 
 	config := wgtypes.Config{
@@ -121,10 +116,10 @@ func (c *KernelConfigurer) AddAllowedIP(peerKey string, allowedIP netip.Prefix)
 	return nil
 }
 
-func (c *KernelConfigurer) RemoveAllowedIP(peerKey string, allowedIP netip.Prefix) error {
-	ipNet := net.IPNet{
-		IP:   allowedIP.Addr().AsSlice(),
-		Mask: net.CIDRMask(allowedIP.Bits(), allowedIP.Addr().BitLen()),
+func (c *KernelConfigurer) RemoveAllowedIP(peerKey string, allowedIP string) error {
+	_, ipNet, err := net.ParseCIDR(allowedIP)
+	if err != nil {
+		return fmt.Errorf("parse allowed IP: %w", err)
 	}
 
 	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
@@ -192,11 +187,7 @@ func (c *KernelConfigurer) configure(config wgtypes.Config) error {
 	if err != nil {
 		return err
 	}
-	defer func() {
-		if err := wg.Close(); err != nil {
-			log.Errorf("Failed to close wgctrl client: %v", err)
-		}
-	}()
+	defer wg.Close()
 
 	// validate if device with name exists
 	_, err = wg.Device(c.deviceName)
@@ -210,75 +201,14 @@ func (c *KernelConfigurer) configure(config wgtypes.Config) error {
 func (c *KernelConfigurer) Close() {
 }
 
-func (c *KernelConfigurer) FullStats() (*Stats, error) {
-	wg, err := wgctrl.New()
+func (c *KernelConfigurer) GetStats(peerKey string) (WGStats, error) {
+	peer, err := c.getPeer(c.deviceName, peerKey)
 	if err != nil {
-		return nil, fmt.Errorf("wgctl: %w", err)
+		return WGStats{}, fmt.Errorf("get wireguard stats: %w", err)
 	}
-	defer func() {
-		err = wg.Close()
-		if err != nil {
-			log.Errorf("Got error while closing wgctl: %v", err)
-		}
-	}()
-
-	wgDevice, err := wg.Device(c.deviceName)
-	if err != nil {
-		return nil, fmt.Errorf("get device %s: %w", c.deviceName, err)
-	}
-	fullStats := &Stats{
-		DeviceName: wgDevice.Name,
-		PublicKey:  wgDevice.PublicKey.String(),
-		ListenPort: wgDevice.ListenPort,
-		FWMark:     wgDevice.FirewallMark,
-		Peers:      []Peer{},
-	}
-
-	for _, p := range wgDevice.Peers {
-		peer := Peer{
-			PublicKey:     p.PublicKey.String(),
-			AllowedIPs:    p.AllowedIPs,
-			TxBytes:       p.TransmitBytes,
-			RxBytes:       p.ReceiveBytes,
-			LastHandshake: p.LastHandshakeTime,
-			PresharedKey:  p.PresharedKey != zeroKey,
-		}
-		if p.Endpoint != nil {
-			peer.Endpoint = *p.Endpoint
-		}
-		fullStats.Peers = append(fullStats.Peers, peer)
-	}
-	return fullStats, nil
-}
-
-func (c *KernelConfigurer) GetStats() (map[string]WGStats, error) {
-	stats := make(map[string]WGStats)
-	wg, err := wgctrl.New()
-	if err != nil {
-		return nil, fmt.Errorf("wgctl: %w", err)
-	}
-	defer func() {
-		err = wg.Close()
-		if err != nil {
-			log.Errorf("Got error while closing wgctl: %v", err)
-		}
-	}()
-
-	wgDevice, err := wg.Device(c.deviceName)
-	if err != nil {
-		return nil, fmt.Errorf("get device %s: %w", c.deviceName, err)
-	}
-
-	for _, peer := range wgDevice.Peers {
-		stats[peer.PublicKey.String()] = WGStats{
-			LastHandshake: peer.LastHandshakeTime,
-			TxBytes:       peer.TransmitBytes,
-			RxBytes:       peer.ReceiveBytes,
-		}
-	}
-	return stats, nil
-}
-
-func (c *KernelConfigurer) LastActivities() map[string]monotime.Time {
-	return nil
+	return WGStats{
+		LastHandshake: peer.LastHandshakeTime,
+		TxBytes:       peer.TransmitBytes,
+		RxBytes:       peer.ReceiveBytes,
+	}, nil
 }

client/iface/configurer/name.go

@@ -3,4 +3,4 @@
 package configurer
 
 // WgInterfaceDefault is a default interface name of Netbird
-const WgInterfaceDefault = "nb0"
+const WgInterfaceDefault = "wt0"

client/iface/configurer/usp.go

@@ -1,11 +1,9 @@
 package configurer
 
 import (
-	"encoding/base64"
 	"encoding/hex"
 	"fmt"
 	"net"
-	"net/netip"
 	"os"
 	"runtime"
 	"strconv"
@@ -16,40 +14,22 @@ import (
 	"golang.zx2c4.com/wireguard/device"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 
-	"github.com/netbirdio/netbird/client/iface/bind"
-	"github.com/netbirdio/netbird/monotime"
 	nbnet "github.com/netbirdio/netbird/util/net"
 )
 
-const (
-	privateKey                  = "private_key"
-	ipcKeyLastHandshakeTimeSec  = "last_handshake_time_sec"
-	ipcKeyLastHandshakeTimeNsec = "last_handshake_time_nsec"
-	ipcKeyTxBytes               = "tx_bytes"
-	ipcKeyRxBytes               = "rx_bytes"
-	allowedIP                   = "allowed_ip"
-	endpoint                    = "endpoint"
-	fwmark                      = "fwmark"
-	listenPort                  = "listen_port"
-	publicKey                   = "public_key"
-	presharedKey                = "preshared_key"
-)
-
 var ErrAllowedIPNotFound = fmt.Errorf("allowed IP not found")
 
 type WGUSPConfigurer struct {
-	device           *device.Device
-	deviceName       string
-	activityRecorder *bind.ActivityRecorder
+	device     *device.Device
+	deviceName string
 
 	uapiListener net.Listener
 }
 
-func NewUSPConfigurer(device *device.Device, deviceName string, activityRecorder *bind.ActivityRecorder) *WGUSPConfigurer {
+func NewUSPConfigurer(device *device.Device, deviceName string) *WGUSPConfigurer {
 	wgCfg := &WGUSPConfigurer{
-		device:           device,
-		deviceName:       deviceName,
-		activityRecorder: activityRecorder,
+		device:     device,
+		deviceName: deviceName,
 	}
 	wgCfg.startUAPI()
 	return wgCfg
@@ -72,7 +52,7 @@ func (c *WGUSPConfigurer) ConfigureInterface(privateKey string, port int) error
 	return c.device.IpcSet(toWgUserspaceString(config))
 }
 
-func (c *WGUSPConfigurer) UpdatePeer(peerKey string, allowedIps []netip.Prefix, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error {
+func (c *WGUSPConfigurer) UpdatePeer(peerKey string, allowedIps []net.IPNet, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error {
 	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
 	if err != nil {
 		return err
@@ -81,7 +61,7 @@ func (c *WGUSPConfigurer) UpdatePeer(peerKey string, allowedIps []netip.Prefix,
 		PublicKey:         peerKeyParsed,
 		ReplaceAllowedIPs: false,
 		// don't replace allowed ips, wg will handle duplicated peer IP
-		AllowedIPs:                  prefixesToIPNets(allowedIps),
+		AllowedIPs:                  allowedIps,
 		PersistentKeepaliveInterval: &keepAlive,
 		PresharedKey:                preSharedKey,
 		Endpoint:                    endpoint,
@@ -91,19 +71,7 @@ func (c *WGUSPConfigurer) UpdatePeer(peerKey string, allowedIps []netip.Prefix,
 		Peers: []wgtypes.PeerConfig{peer},
 	}
 
-	if ipcErr := c.device.IpcSet(toWgUserspaceString(config)); ipcErr != nil {
-		return ipcErr
-	}
-
-	if endpoint != nil {
-		addr, err := netip.ParseAddr(endpoint.IP.String())
-		if err != nil {
-			return fmt.Errorf("failed to parse endpoint address: %w", err)
-		}
-		addrPort := netip.AddrPortFrom(addr, uint16(endpoint.Port))
-		c.activityRecorder.UpsertAddress(peerKey, addrPort)
-	}
-	return nil
+	return c.device.IpcSet(toWgUserspaceString(config))
 }
 
 func (c *WGUSPConfigurer) RemovePeer(peerKey string) error {
@@ -120,16 +88,13 @@ func (c *WGUSPConfigurer) RemovePeer(peerKey string) error {
 	config := wgtypes.Config{
 		Peers: []wgtypes.PeerConfig{peer},
 	}
-	ipcErr := c.device.IpcSet(toWgUserspaceString(config))
-
-	c.activityRecorder.Remove(peerKey)
-	return ipcErr
+	return c.device.IpcSet(toWgUserspaceString(config))
 }
 
-func (c *WGUSPConfigurer) AddAllowedIP(peerKey string, allowedIP netip.Prefix) error {
-	ipNet := net.IPNet{
-		IP:   allowedIP.Addr().AsSlice(),
-		Mask: net.CIDRMask(allowedIP.Bits(), allowedIP.Addr().BitLen()),
+func (c *WGUSPConfigurer) AddAllowedIP(peerKey string, allowedIP string) error {
+	_, ipNet, err := net.ParseCIDR(allowedIP)
+	if err != nil {
+		return err
 	}
 
 	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
@@ -140,7 +105,7 @@ func (c *WGUSPConfigurer) AddAllowedIP(peerKey string, allowedIP netip.Prefix) e
 		PublicKey:         peerKeyParsed,
 		UpdateOnly:        true,
 		ReplaceAllowedIPs: false,
-		AllowedIPs:        []net.IPNet{ipNet},
+		AllowedIPs:        []net.IPNet{*ipNet},
 	}
 
 	config := wgtypes.Config{
@@ -150,7 +115,7 @@ func (c *WGUSPConfigurer) AddAllowedIP(peerKey string, allowedIP netip.Prefix) e
 	return c.device.IpcSet(toWgUserspaceString(config))
 }
 
-func (c *WGUSPConfigurer) RemoveAllowedIP(peerKey string, allowedIP netip.Prefix) error {
+func (c *WGUSPConfigurer) RemoveAllowedIP(peerKey string, ip string) error {
 	ipc, err := c.device.IpcGet()
 	if err != nil {
 		return err
@@ -173,8 +138,6 @@ func (c *WGUSPConfigurer) RemoveAllowedIP(peerKey string, allowedIP netip.Prefix
 
 	foundPeer := false
 	removedAllowedIP := false
-	ip := allowedIP.String()
-
 	for _, line := range lines {
 		line = strings.TrimSpace(line)
 
@@ -197,8 +160,8 @@ func (c *WGUSPConfigurer) RemoveAllowedIP(peerKey string, allowedIP netip.Prefix
 
 		// Append the line to the output string
 		if foundPeer && strings.HasPrefix(line, "allowed_ip=") {
-			allowedIPStr := strings.TrimPrefix(line, "allowed_ip=")
-			_, ipNet, err := net.ParseCIDR(allowedIPStr)
+			allowedIP := strings.TrimPrefix(line, "allowed_ip=")
+			_, ipNet, err := net.ParseCIDR(allowedIP)
 			if err != nil {
 				return err
 			}
@@ -215,19 +178,6 @@ func (c *WGUSPConfigurer) RemoveAllowedIP(peerKey string, allowedIP netip.Prefix
 	return c.device.IpcSet(toWgUserspaceString(config))
 }
 
-func (c *WGUSPConfigurer) FullStats() (*Stats, error) {
-	ipcStr, err := c.device.IpcGet()
-	if err != nil {
-		return nil, fmt.Errorf("IpcGet failed: %w", err)
-	}
-
-	return parseStatus(c.deviceName, ipcStr)
-}
-
-func (c *WGUSPConfigurer) LastActivities() map[string]monotime.Time {
-	return c.activityRecorder.GetLastActivities()
-}
-
 // startUAPI starts the UAPI listener for managing the WireGuard interface via external tool
 func (t *WGUSPConfigurer) startUAPI() {
 	var err error
@@ -267,75 +217,91 @@ func (t *WGUSPConfigurer) Close() {
 	}
 }
 
-func (t *WGUSPConfigurer) GetStats() (map[string]WGStats, error) {
+func (t *WGUSPConfigurer) GetStats(peerKey string) (WGStats, error) {
 	ipc, err := t.device.IpcGet()
 	if err != nil {
-		return nil, fmt.Errorf("ipc get: %w", err)
+		return WGStats{}, fmt.Errorf("ipc get: %w", err)
 	}
 
-	return parseTransfers(ipc)
+	stats, err := findPeerInfo(ipc, peerKey, []string{
+		"last_handshake_time_sec",
+		"last_handshake_time_nsec",
+		"tx_bytes",
+		"rx_bytes",
+	})
+	if err != nil {
+		return WGStats{}, fmt.Errorf("find peer info: %w", err)
+	}
+
+	sec, err := strconv.ParseInt(stats["last_handshake_time_sec"], 10, 64)
+	if err != nil {
+		return WGStats{}, fmt.Errorf("parse handshake sec: %w", err)
+	}
+	nsec, err := strconv.ParseInt(stats["last_handshake_time_nsec"], 10, 64)
+	if err != nil {
+		return WGStats{}, fmt.Errorf("parse handshake nsec: %w", err)
+	}
+	txBytes, err := strconv.ParseInt(stats["tx_bytes"], 10, 64)
+	if err != nil {
+		return WGStats{}, fmt.Errorf("parse tx_bytes: %w", err)
+	}
+	rxBytes, err := strconv.ParseInt(stats["rx_bytes"], 10, 64)
+	if err != nil {
+		return WGStats{}, fmt.Errorf("parse rx_bytes: %w", err)
+	}
+
+	return WGStats{
+		LastHandshake: time.Unix(sec, nsec),
+		TxBytes:       txBytes,
+		RxBytes:       rxBytes,
+	}, nil
 }
 
-func parseTransfers(ipc string) (map[string]WGStats, error) {
-	stats := make(map[string]WGStats)
-	var (
-		currentKey   string
-		currentStats WGStats
-		hasPeer      bool
-	)
-	lines := strings.Split(ipc, "\n")
+func findPeerInfo(ipcInput string, peerKey string, searchConfigKeys []string) (map[string]string, error) {
+	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
+	if err != nil {
+		return nil, fmt.Errorf("parse key: %w", err)
+	}
+
+	hexKey := hex.EncodeToString(peerKeyParsed[:])
+
+	lines := strings.Split(ipcInput, "\n")
+
+	configFound := map[string]string{}
+	foundPeer := false
 	for _, line := range lines {
 		line = strings.TrimSpace(line)
 
 		// If we're within the details of the found peer and encounter another public key,
 		// this means we're starting another peer's details. So, stop.
-		if strings.HasPrefix(line, "public_key=") {
-			peerID := strings.TrimPrefix(line, "public_key=")
-			h, err := hex.DecodeString(peerID)
-			if err != nil {
-				return nil, fmt.Errorf("decode peerID: %w", err)
-			}
-			currentKey = base64.StdEncoding.EncodeToString(h)
-			currentStats = WGStats{} // Reset stats for the new peer
-			hasPeer = true
-			stats[currentKey] = currentStats
-			continue
+		if strings.HasPrefix(line, "public_key=") && foundPeer {
+			break
 		}
 
-		if !hasPeer {
-			continue
+		// Identify the peer with the specific public key
+		if line == fmt.Sprintf("public_key=%s", hexKey) {
+			foundPeer = true
 		}
 
-		key := strings.SplitN(line, "=", 2)
-		if len(key) != 2 {
-			continue
-		}
-		switch key[0] {
-		case ipcKeyLastHandshakeTimeSec:
-			hs, err := toLastHandshake(key[1])
-			if err != nil {
-				return nil, err
+		for _, key := range searchConfigKeys {
+			if foundPeer && strings.HasPrefix(line, key+"=") {
+				v := strings.SplitN(line, "=", 2)
+				configFound[v[0]] = v[1]
 			}
-			currentStats.LastHandshake = hs
-			stats[currentKey] = currentStats
-		case ipcKeyRxBytes:
-			rxBytes, err := toBytes(key[1])
-			if err != nil {
-				return nil, fmt.Errorf("parse rx_bytes: %w", err)
-			}
-			currentStats.RxBytes = rxBytes
-			stats[currentKey] = currentStats
-		case ipcKeyTxBytes:
-			TxBytes, err := toBytes(key[1])
-			if err != nil {
-				return nil, fmt.Errorf("parse tx_bytes: %w", err)
-			}
-			currentStats.TxBytes = TxBytes
-			stats[currentKey] = currentStats
 		}
 	}
 
-	return stats, nil
+	// todo: use multierr
+	for _, key := range searchConfigKeys {
+		if _, ok := configFound[key]; !ok {
+			return configFound, fmt.Errorf("config key not found: %s", key)
+		}
+	}
+	if !foundPeer {
+		return nil, fmt.Errorf("%w: %s", ErrPeerNotFound, peerKey)
+	}
+
+	return configFound, nil
 }
 
 func toWgUserspaceString(wgCfg wgtypes.Config) string {
@@ -389,154 +355,9 @@ func toWgUserspaceString(wgCfg wgtypes.Config) string {
 	return sb.String()
 }
 
-func toLastHandshake(stringVar string) (time.Time, error) {
-	sec, err := strconv.ParseInt(stringVar, 10, 64)
-	if err != nil {
-		return time.Time{}, fmt.Errorf("parse handshake sec: %w", err)
-	}
-	return time.Unix(sec, 0), nil
-}
-
-func toBytes(s string) (int64, error) {
-	return strconv.ParseInt(s, 10, 64)
-}
-
 func getFwmark() int {
 	if nbnet.AdvancedRouting() {
 		return nbnet.ControlPlaneMark
 	}
 	return 0
 }
-
-func hexToWireguardKey(hexKey string) (wgtypes.Key, error) {
-	// Decode hex string to bytes
-	keyBytes, err := hex.DecodeString(hexKey)
-	if err != nil {
-		return wgtypes.Key{}, fmt.Errorf("failed to decode hex key: %w", err)
-	}
-
-	// Check if we have the right number of bytes (WireGuard keys are 32 bytes)
-	if len(keyBytes) != 32 {
-		return wgtypes.Key{}, fmt.Errorf("invalid key length: expected 32 bytes, got %d", len(keyBytes))
-	}
-
-	// Convert to wgtypes.Key
-	var key wgtypes.Key
-	copy(key[:], keyBytes)
-
-	return key, nil
-}
-
-func parseStatus(deviceName, ipcStr string) (*Stats, error) {
-	stats := &Stats{DeviceName: deviceName}
-	var currentPeer *Peer
-	for _, line := range strings.Split(strings.TrimSpace(ipcStr), "\n") {
-		if line == "" {
-			continue
-		}
-		parts := strings.SplitN(line, "=", 2)
-		if len(parts) != 2 {
-			continue
-		}
-		key := parts[0]
-		val := parts[1]
-
-		switch key {
-		case privateKey:
-			key, err := hexToWireguardKey(val)
-			if err != nil {
-				log.Errorf("failed to parse private key: %v", err)
-				continue
-			}
-			stats.PublicKey = key.PublicKey().String()
-		case publicKey:
-			// Save previous peer
-			if currentPeer != nil {
-				stats.Peers = append(stats.Peers, *currentPeer)
-			}
-			key, err := hexToWireguardKey(val)
-			if err != nil {
-				log.Errorf("failed to parse public key: %v", err)
-				continue
-			}
-			currentPeer = &Peer{
-				PublicKey: key.String(),
-			}
-		case listenPort:
-			if port, err := strconv.Atoi(val); err == nil {
-				stats.ListenPort = port
-			}
-		case fwmark:
-			if fwmark, err := strconv.Atoi(val); err == nil {
-				stats.FWMark = fwmark
-			}
-		case endpoint:
-			if currentPeer == nil {
-				continue
-			}
-
-			host, portStr, err := net.SplitHostPort(strings.Trim(val, "[]"))
-			if err != nil {
-				log.Errorf("failed to parse endpoint: %v", err)
-				continue
-			}
-			port, err := strconv.Atoi(portStr)
-			if err != nil {
-				log.Errorf("failed to parse endpoint port: %v", err)
-				continue
-			}
-			currentPeer.Endpoint = net.UDPAddr{
-				IP:   net.ParseIP(host),
-				Port: port,
-			}
-		case allowedIP:
-			if currentPeer == nil {
-				continue
-			}
-			_, ipnet, err := net.ParseCIDR(val)
-			if err == nil {
-				currentPeer.AllowedIPs = append(currentPeer.AllowedIPs, *ipnet)
-			}
-		case ipcKeyTxBytes:
-			if currentPeer == nil {
-				continue
-			}
-			rxBytes, err := toBytes(val)
-			if err != nil {
-				continue
-			}
-			currentPeer.TxBytes = rxBytes
-		case ipcKeyRxBytes:
-			if currentPeer == nil {
-				continue
-			}
-			rxBytes, err := toBytes(val)
-			if err != nil {
-				continue
-			}
-			currentPeer.RxBytes = rxBytes
-
-		case ipcKeyLastHandshakeTimeSec:
-			if currentPeer == nil {
-				continue
-			}
-
-			ts, err := toLastHandshake(val)
-			if err != nil {
-				continue
-			}
-			currentPeer.LastHandshake = ts
-		case presharedKey:
-			if currentPeer == nil {
-				continue
-			}
-			if val != "" {
-				currentPeer.PresharedKey = true
-			}
-		}
-	}
-	if currentPeer != nil {
-		stats.Peers = append(stats.Peers, *currentPeer)
-	}
-	return stats, nil
-}

client/iface/configurer/usp_test.go

@@ -2,8 +2,10 @@ package configurer
 
 import (
 	"encoding/hex"
+	"fmt"
 	"testing"
 
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )
@@ -32,35 +34,58 @@ errno=0
 
 `
 
-func Test_parseTransfers(t *testing.T) {
+func Test_findPeerInfo(t *testing.T) {
 	tests := []struct {
-		name    string
-		peerKey string
-		want    WGStats
+		name       string
+		peerKey    string
+		searchKeys []string
+		want       map[string]string
+		wantErr    bool
 	}{
 		{
-			name:    "single",
-			peerKey: "b85996fecc9c7f1fc6d2572a76eda11d59bcd20be8e543b15ce4bd85a8e75a33",
-			want: WGStats{
-				TxBytes: 0,
-				RxBytes: 0,
+			name:       "single",
+			peerKey:    "58402e695ba1772b1cc9309755f043251ea77fdcf10fbe63989ceb7e19321376",
+			searchKeys: []string{"tx_bytes"},
+			want: map[string]string{
+				"tx_bytes": "38333",
 			},
+			wantErr: false,
 		},
 		{
-			name:    "multiple",
-			peerKey: "58402e695ba1772b1cc9309755f043251ea77fdcf10fbe63989ceb7e19321376",
-			want: WGStats{
-				TxBytes: 38333,
-				RxBytes: 2224,
+			name:       "multiple",
+			peerKey:    "58402e695ba1772b1cc9309755f043251ea77fdcf10fbe63989ceb7e19321376",
+			searchKeys: []string{"tx_bytes", "rx_bytes"},
+			want: map[string]string{
+				"tx_bytes": "38333",
+				"rx_bytes": "2224",
 			},
+			wantErr: false,
 		},
 		{
-			name:    "lastpeer",
-			peerKey: "662e14fd594556f522604703340351258903b64f35553763f19426ab2a515c58",
-			want: WGStats{
-				TxBytes: 1212111,
-				RxBytes: 1929999999,
+			name:       "lastpeer",
+			peerKey:    "662e14fd594556f522604703340351258903b64f35553763f19426ab2a515c58",
+			searchKeys: []string{"tx_bytes", "rx_bytes"},
+			want: map[string]string{
+				"tx_bytes": "1212111",
+				"rx_bytes": "1929999999",
 			},
+			wantErr: false,
+		},
+		{
+			name:       "peer not found",
+			peerKey:    "1111111111111111111111111111111111111111111111111111111111111111",
+			searchKeys: nil,
+			want:       nil,
+			wantErr:    true,
+		},
+		{
+			name:       "key not found",
+			peerKey:    "662e14fd594556f522604703340351258903b64f35553763f19426ab2a515c58",
+			searchKeys: []string{"tx_bytes", "unknown_key"},
+			want: map[string]string{
+				"tx_bytes": "1212111",
+			},
+			wantErr: true,
 		},
 	}
 	for _, tt := range tests {
@@ -71,19 +96,9 @@ func Test_parseTransfers(t *testing.T) {
 			key, err := wgtypes.NewKey(res)
 			require.NoError(t, err)
 
-			stats, err := parseTransfers(ipcFixture)
-			if err != nil {
-				require.NoError(t, err)
-				return
-			}
-
-			stat, ok := stats[key.String()]
-			if !ok {
-				require.True(t, ok)
-				return
-			}
-
-			require.Equal(t, tt.want, stat)
+			got, err := findPeerInfo(ipcFixture, key.String(), tt.searchKeys)
+			assert.Equalf(t, tt.wantErr, err != nil, fmt.Sprintf("findPeerInfo(%v, %v, %v)", ipcFixture, key.String(), tt.searchKeys))
+			assert.Equalf(t, tt.want, got, "findPeerInfo(%v, %v, %v)", ipcFixture, key.String(), tt.searchKeys)
 		})
 	}
 }

client/iface/configurer/wgshow.go

@@ -1,24 +0,0 @@
-package configurer
-
-import (
-	"net"
-	"time"
-)
-
-type Peer struct {
-	PublicKey     string
-	Endpoint      net.UDPAddr
-	AllowedIPs    []net.IPNet
-	TxBytes       int64
-	RxBytes       int64
-	LastHandshake time.Time
-	PresharedKey  bool
-}
-
-type Stats struct {
-	DeviceName string
-	PublicKey  string
-	ListenPort int
-	FWMark     int
-	Peers      []Peer
-}

client/iface/device/device_android.go

@@ -24,7 +24,6 @@ type WGTunDevice struct {
 	mtu        int
 	iceBind    *bind.ICEBind
 	tunAdapter TunAdapter
-	disableDNS bool
 
 	name           string
 	device         *device.Device
@@ -33,7 +32,7 @@ type WGTunDevice struct {
 	configurer     WGConfigurer
 }
 
-func NewTunDevice(address wgaddr.Address, port int, key string, mtu int, iceBind *bind.ICEBind, tunAdapter TunAdapter, disableDNS bool) *WGTunDevice {
+func NewTunDevice(address wgaddr.Address, port int, key string, mtu int, iceBind *bind.ICEBind, tunAdapter TunAdapter) *WGTunDevice {
 	return &WGTunDevice{
 		address:    address,
 		port:       port,
@@ -41,7 +40,6 @@ func NewTunDevice(address wgaddr.Address, port int, key string, mtu int, iceBind
 		mtu:        mtu,
 		iceBind:    iceBind,
 		tunAdapter: tunAdapter,
-		disableDNS: disableDNS,
 	}
 }
 
@@ -51,13 +49,6 @@ func (t *WGTunDevice) Create(routes []string, dns string, searchDomains []string
 	routesString := routesToString(routes)
 	searchDomainsToString := searchDomainsToString(searchDomains)
 
-	// Skip DNS configuration when DisableDNS is enabled
-	if t.disableDNS {
-		log.Info("DNS is disabled, skipping DNS and search domain configuration")
-		dns = ""
-		searchDomainsToString = ""
-	}
-
 	fd, err := t.tunAdapter.ConfigureInterface(t.address.String(), t.mtu, dns, searchDomainsToString, routesString)
 	if err != nil {
 		log.Errorf("failed to create Android interface: %s", err)
@@ -79,7 +70,7 @@ func (t *WGTunDevice) Create(routes []string, dns string, searchDomains []string
 	// this helps with support for the older NetBird clients that had a hardcoded direct mode
 	// t.device.DisableSomeRoamingForBrokenMobileSemantics()
 
-	t.configurer = configurer.NewUSPConfigurer(t.device, t.name, t.iceBind.ActivityRecorder())
+	t.configurer = configurer.NewUSPConfigurer(t.device, t.name)
 	err = t.configurer.ConfigureInterface(t.key, t.port)
 	if err != nil {
 		t.device.Close()

client/iface/device/device_darwin.go

@@ -61,7 +61,7 @@ func (t *TunDevice) Create() (WGConfigurer, error) {
 		return nil, fmt.Errorf("error assigning ip: %s", err)
 	}
 
-	t.configurer = configurer.NewUSPConfigurer(t.device, t.name, t.iceBind.ActivityRecorder())
+	t.configurer = configurer.NewUSPConfigurer(t.device, t.name)
 	err = t.configurer.ConfigureInterface(t.key, t.port)
 	if err != nil {
 		t.device.Close()

client/iface/device/device_filter.go

@@ -1,6 +1,7 @@
 package device
 
 import (
+	"net"
 	"net/netip"
 	"sync"
 
@@ -9,11 +10,11 @@ import (
 
 // PacketFilter interface for firewall abilities
 type PacketFilter interface {
-	// FilterOutbound filter outgoing packets from host to external destinations
-	FilterOutbound(packetData []byte, size int) bool
+	// DropOutgoing filter outgoing packets from host to external destinations
+	DropOutgoing(packetData []byte, size int) bool
 
-	// FilterInbound filter incoming packets from external sources to host
-	FilterInbound(packetData []byte, size int) bool
+	// DropIncoming filter incoming packets from external sources to host
+	DropIncoming(packetData []byte, size int) bool
 
 	// AddUDPPacketHook calls hook when UDP packet from given direction matched
 	//
@@ -23,6 +24,9 @@ type PacketFilter interface {
 
 	// RemovePacketHook removes hook by ID
 	RemovePacketHook(hookID string) error
+
+	// SetNetwork of the wireguard interface to which filtering applied
+	SetNetwork(*net.IPNet)
 }
 
 // FilteredDevice to override Read or Write of packets
@@ -54,7 +58,7 @@ func (d *FilteredDevice) Read(bufs [][]byte, sizes []int, offset int) (n int, er
 	}
 
 	for i := 0; i < n; i++ {
-		if filter.FilterOutbound(bufs[i][offset:offset+sizes[i]], sizes[i]) {
+		if filter.DropOutgoing(bufs[i][offset:offset+sizes[i]], sizes[i]) {
 			bufs = append(bufs[:i], bufs[i+1:]...)
 			sizes = append(sizes[:i], sizes[i+1:]...)
 			n--
@@ -78,7 +82,7 @@ func (d *FilteredDevice) Write(bufs [][]byte, offset int) (int, error) {
 	filteredBufs := make([][]byte, 0, len(bufs))
 	dropped := 0
 	for _, buf := range bufs {
-		if !filter.FilterInbound(buf[offset:], len(buf)) {
+		if !filter.DropIncoming(buf[offset:], len(buf)) {
 			filteredBufs = append(filteredBufs, buf)
 			dropped++
 		}

client/iface/device/device_filter_test.go

@@ -146,7 +146,7 @@ func TestDeviceWrapperRead(t *testing.T) {
 		tun.EXPECT().Write(mockBufs, 0).Return(0, nil)
 
 		filter := mocks.NewMockPacketFilter(ctrl)
-		filter.EXPECT().FilterInbound(gomock.Any(), gomock.Any()).Return(true)
+		filter.EXPECT().DropIncoming(gomock.Any(), gomock.Any()).Return(true)
 
 		wrapped := newDeviceFilter(tun)
 		wrapped.filter = filter
@@ -201,7 +201,7 @@ func TestDeviceWrapperRead(t *testing.T) {
 				return 1, nil
 			})
 		filter := mocks.NewMockPacketFilter(ctrl)
-		filter.EXPECT().FilterOutbound(gomock.Any(), gomock.Any()).Return(true)
+		filter.EXPECT().DropOutgoing(gomock.Any(), gomock.Any()).Return(true)
 
 		wrapped := newDeviceFilter(tun)
 		wrapped.filter = filter

client/iface/device/device_ios.go

@@ -71,7 +71,7 @@ func (t *TunDevice) Create() (WGConfigurer, error) {
 	// this helps with support for the older NetBird clients that had a hardcoded direct mode
 	// t.device.DisableSomeRoamingForBrokenMobileSemantics()
 
-	t.configurer = configurer.NewUSPConfigurer(t.device, t.name, t.iceBind.ActivityRecorder())
+	t.configurer = configurer.NewUSPConfigurer(t.device, t.name)
 	err = t.configurer.ConfigureInterface(t.key, t.port)
 	if err != nil {
 		t.device.Close()

client/iface/device/device_netstack.go

@@ -51,11 +51,7 @@ func (t *TunNetstackDevice) Create() (WGConfigurer, error) {
 	log.Info("create nbnetstack tun interface")
 
 	// TODO: get from service listener runtime IP
-	dnsAddr, err := nbnet.GetLastIPFromNetwork(t.address.Network, 1)
-	if err != nil {
-		return nil, fmt.Errorf("last ip: %w", err)
-	}
-
+	dnsAddr := nbnet.GetLastIPFromNetwork(t.address.Network, 1)
 	log.Debugf("netstack using address: %s", t.address.IP)
 	t.nsTun = nbnetstack.NewNetStackTun(t.listenAddress, t.address.IP, dnsAddr, t.mtu)
 	log.Debugf("netstack using dns address: %s", dnsAddr)
@@ -72,7 +68,7 @@ func (t *TunNetstackDevice) Create() (WGConfigurer, error) {
 		device.NewLogger(wgLogLevel(), "[netbird] "),
 	)
 
-	t.configurer = configurer.NewUSPConfigurer(t.device, t.name, t.iceBind.ActivityRecorder())
+	t.configurer = configurer.NewUSPConfigurer(t.device, t.name)
 	err = t.configurer.ConfigureInterface(t.key, t.port)
 	if err != nil {
 		_ = tunIface.Close()

client/iface/device/device_usp_unix.go

@@ -64,7 +64,7 @@ func (t *USPDevice) Create() (WGConfigurer, error) {
 		return nil, fmt.Errorf("error assigning ip: %s", err)
 	}
 
-	t.configurer = configurer.NewUSPConfigurer(t.device, t.name, t.iceBind.ActivityRecorder())
+	t.configurer = configurer.NewUSPConfigurer(t.device, t.name)
 	err = t.configurer.ConfigureInterface(t.key, t.port)
 	if err != nil {
 		t.device.Close()

client/iface/device/device_windows.go

@@ -94,7 +94,7 @@ func (t *TunDevice) Create() (WGConfigurer, error) {
 		return nil, fmt.Errorf("error assigning ip: %s", err)
 	}
 
-	t.configurer = configurer.NewUSPConfigurer(t.device, t.name, t.iceBind.ActivityRecorder())
+	t.configurer = configurer.NewUSPConfigurer(t.device, t.name)
 	err = t.configurer.ConfigureInterface(t.key, t.port)
 	if err != nil {
 		t.device.Close()

client/iface/device/interface.go

@@ -2,23 +2,19 @@ package device
 
 import (
 	"net"
-	"net/netip"
 	"time"
 
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 
 	"github.com/netbirdio/netbird/client/iface/configurer"
-	"github.com/netbirdio/netbird/monotime"
 )
 
 type WGConfigurer interface {
 	ConfigureInterface(privateKey string, port int) error
-	UpdatePeer(peerKey string, allowedIps []netip.Prefix, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error
+	UpdatePeer(peerKey string, allowedIps []net.IPNet, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error
 	RemovePeer(peerKey string) error
-	AddAllowedIP(peerKey string, allowedIP netip.Prefix) error
-	RemoveAllowedIP(peerKey string, allowedIP netip.Prefix) error
+	AddAllowedIP(peerKey string, allowedIP string) error
+	RemoveAllowedIP(peerKey string, allowedIP string) error
 	Close()
-	GetStats() (map[string]configurer.WGStats, error)
-	FullStats() (*configurer.Stats, error)
-	LastActivities() map[string]monotime.Time
+	GetStats(peerKey string) (configurer.WGStats, error)
 }

client/iface/device/wg_link_freebsd.go

@@ -64,15 +64,7 @@ func (l *wgLink) assignAddr(address wgaddr.Address) error {
 	}
 
 	ip := address.IP.String()
-
-	// Convert prefix length to hex netmask
-	prefixLen := address.Network.Bits()
-	if !address.IP.Is4() {
-		return fmt.Errorf("IPv6 not supported for interface assignment")
-	}
-
-	maskBits := uint32(0xffffffff) << (32 - prefixLen)
-	mask := fmt.Sprintf("0x%08x", maskBits)
+	mask := "0x" + address.Network.Mask.String()
 
 	log.Infof("assign addr %s mask %s to %s interface", ip, mask, l.name)
 

client/iface/iface.go

@@ -21,7 +21,6 @@ import (
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/iface/wgproxy"
-	"github.com/netbirdio/netbird/monotime"
 )
 
 const (
@@ -30,11 +29,6 @@ const (
 	WgInterfaceDefault = configurer.WgInterfaceDefault
 )
 
-var (
-	// ErrIfaceNotFound is returned when the WireGuard interface is not found
-	ErrIfaceNotFound = fmt.Errorf("wireguard interface not found")
-)
-
 type wgProxyFactory interface {
 	GetProxy() wgproxy.Proxy
 	Free() error
@@ -49,7 +43,6 @@ type WGIFaceOpts struct {
 	MobileArgs   *device.MobileIFaceArguments
 	TransportNet transport.Net
 	FilterFn     bind.FilterFn
-	DisableDNS   bool
 }
 
 // WGIface represents an interface instance
@@ -118,50 +111,38 @@ func (w *WGIface) UpdateAddr(newAddr string) error {
 }
 
 // UpdatePeer updates existing Wireguard Peer or creates a new one if doesn't exist
-// Endpoint is optional.
-// If allowedIps is given it will be added to the existing ones.
+// Endpoint is optional
 func (w *WGIface) UpdatePeer(peerKey string, allowedIps []netip.Prefix, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error {
 	w.mu.Lock()
 	defer w.mu.Unlock()
-	if w.configurer == nil {
-		return ErrIfaceNotFound
-	}
 
-	log.Debugf("updating interface %s peer %s, endpoint %s, allowedIPs %v", w.tun.DeviceName(), peerKey, endpoint, allowedIps)
-	return w.configurer.UpdatePeer(peerKey, allowedIps, keepAlive, endpoint, preSharedKey)
+	netIPNets := prefixesToIPNets(allowedIps)
+	log.Debugf("updating interface %s peer %s, endpoint %s", w.tun.DeviceName(), peerKey, endpoint)
+	return w.configurer.UpdatePeer(peerKey, netIPNets, keepAlive, endpoint, preSharedKey)
 }
 
 // RemovePeer removes a Wireguard Peer from the interface iface
 func (w *WGIface) RemovePeer(peerKey string) error {
 	w.mu.Lock()
 	defer w.mu.Unlock()
-	if w.configurer == nil {
-		return ErrIfaceNotFound
-	}
 
 	log.Debugf("Removing peer %s from interface %s ", peerKey, w.tun.DeviceName())
 	return w.configurer.RemovePeer(peerKey)
 }
 
 // AddAllowedIP adds a prefix to the allowed IPs list of peer
-func (w *WGIface) AddAllowedIP(peerKey string, allowedIP netip.Prefix) error {
+func (w *WGIface) AddAllowedIP(peerKey string, allowedIP string) error {
 	w.mu.Lock()
 	defer w.mu.Unlock()
-	if w.configurer == nil {
-		return ErrIfaceNotFound
-	}
 
 	log.Debugf("Adding allowed IP to interface %s and peer %s: allowed IP %s ", w.tun.DeviceName(), peerKey, allowedIP)
 	return w.configurer.AddAllowedIP(peerKey, allowedIP)
 }
 
 // RemoveAllowedIP removes a prefix from the allowed IPs list of peer
-func (w *WGIface) RemoveAllowedIP(peerKey string, allowedIP netip.Prefix) error {
+func (w *WGIface) RemoveAllowedIP(peerKey string, allowedIP string) error {
 	w.mu.Lock()
 	defer w.mu.Unlock()
-	if w.configurer == nil {
-		return ErrIfaceNotFound
-	}
 
 	log.Debugf("Removing allowed IP from interface %s and peer %s: allowed IP %s ", w.tun.DeviceName(), peerKey, allowedIP)
 	return w.configurer.RemoveAllowedIP(peerKey, allowedIP)
@@ -204,6 +185,7 @@ func (w *WGIface) SetFilter(filter device.PacketFilter) error {
 	}
 
 	w.filter = filter
+	w.filter.SetNetwork(w.tun.WgAddress().Network)
 
 	w.tun.FilteredDevice().SetFilter(filter)
 	return nil
@@ -230,32 +212,9 @@ func (w *WGIface) GetWGDevice() *wgdevice.Device {
 	return w.tun.Device()
 }
 
-// GetStats returns the last handshake time, rx and tx bytes
-func (w *WGIface) GetStats() (map[string]configurer.WGStats, error) {
-	if w.configurer == nil {
-		return nil, ErrIfaceNotFound
-	}
-	return w.configurer.GetStats()
-}
-
-func (w *WGIface) LastActivities() map[string]monotime.Time {
-	w.mu.Lock()
-	defer w.mu.Unlock()
-
-	if w.configurer == nil {
-		return nil
-	}
-
-	return w.configurer.LastActivities()
-
-}
-
-func (w *WGIface) FullStats() (*configurer.Stats, error) {
-	if w.configurer == nil {
-		return nil, ErrIfaceNotFound
-	}
-
-	return w.configurer.FullStats()
+// GetStats returns the last handshake time, rx and tx bytes for the given peer
+func (w *WGIface) GetStats(peerKey string) (configurer.WGStats, error) {
+	return w.configurer.GetStats(peerKey)
 }
 
 func (w *WGIface) waitUntilRemoved() error {
@@ -292,3 +251,14 @@ func (w *WGIface) GetNet() *netstack.Net {
 
 	return w.tun.GetNet()
 }
+
+func prefixesToIPNets(prefixes []netip.Prefix) []net.IPNet {
+	ipNets := make([]net.IPNet, len(prefixes))
+	for i, prefix := range prefixes {
+		ipNets[i] = net.IPNet{
+			IP:   net.IP(prefix.Addr().AsSlice()),                     // Convert netip.Addr to net.IP
+			Mask: net.CIDRMask(prefix.Bits(), prefix.Addr().BitLen()), // Create subnet mask
+		}
+	}
+	return ipNets
+}

client/iface/iface_new_android.go

@@ -18,7 +18,7 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 
 	wgIFace := &WGIface{
 		userspaceBind:  true,
-		tun:            device.NewTunDevice(wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, opts.MobileArgs.TunAdapter, opts.DisableDNS),
+		tun:            device.NewTunDevice(wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, opts.MobileArgs.TunAdapter),
 		wgProxyFactory: wgproxy.NewUSPFactory(iceBind),
 	}
 	return wgIFace, nil

client/iface/mocks/filter.go

@@ -5,6 +5,7 @@
 package mocks
 
 import (
+	net "net"
 	"net/netip"
 	reflect "reflect"
 
@@ -48,32 +49,32 @@ func (mr *MockPacketFilterMockRecorder) AddUDPPacketHook(arg0, arg1, arg2, arg3
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddUDPPacketHook", reflect.TypeOf((*MockPacketFilter)(nil).AddUDPPacketHook), arg0, arg1, arg2, arg3)
 }
 
-// FilterInbound mocks base method.
-func (m *MockPacketFilter) FilterInbound(arg0 []byte, arg1 int) bool {
+// DropIncoming mocks base method.
+func (m *MockPacketFilter) DropIncoming(arg0 []byte, arg1 int) bool {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "FilterInbound", arg0, arg1)
+	ret := m.ctrl.Call(m, "DropIncoming", arg0, arg1)
 	ret0, _ := ret[0].(bool)
 	return ret0
 }
 
-// FilterInbound indicates an expected call of FilterInbound.
-func (mr *MockPacketFilterMockRecorder) FilterInbound(arg0 interface{}, arg1 any) *gomock.Call {
+// DropIncoming indicates an expected call of DropIncoming.
+func (mr *MockPacketFilterMockRecorder) DropIncoming(arg0 interface{}, arg1 any) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "FilterInbound", reflect.TypeOf((*MockPacketFilter)(nil).FilterInbound), arg0, arg1)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DropIncoming", reflect.TypeOf((*MockPacketFilter)(nil).DropIncoming), arg0, arg1)
 }
 
-// FilterOutbound mocks base method.
-func (m *MockPacketFilter) FilterOutbound(arg0 []byte, arg1 int) bool {
+// DropOutgoing mocks base method.
+func (m *MockPacketFilter) DropOutgoing(arg0 []byte, arg1 int) bool {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "FilterOutbound", arg0, arg1)
+	ret := m.ctrl.Call(m, "DropOutgoing", arg0, arg1)
 	ret0, _ := ret[0].(bool)
 	return ret0
 }
 
-// FilterOutbound indicates an expected call of FilterOutbound.
-func (mr *MockPacketFilterMockRecorder) FilterOutbound(arg0 interface{}, arg1 any) *gomock.Call {
+// DropOutgoing indicates an expected call of DropOutgoing.
+func (mr *MockPacketFilterMockRecorder) DropOutgoing(arg0 interface{}, arg1 any) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "FilterOutbound", reflect.TypeOf((*MockPacketFilter)(nil).FilterOutbound), arg0, arg1)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DropOutgoing", reflect.TypeOf((*MockPacketFilter)(nil).DropOutgoing), arg0, arg1)
 }
 
 // RemovePacketHook mocks base method.
@@ -89,3 +90,15 @@ func (mr *MockPacketFilterMockRecorder) RemovePacketHook(arg0 interface{}) *gomo
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemovePacketHook", reflect.TypeOf((*MockPacketFilter)(nil).RemovePacketHook), arg0)
 }
+
+// SetNetwork mocks base method.
+func (m *MockPacketFilter) SetNetwork(arg0 *net.IPNet) {
+	m.ctrl.T.Helper()
+	m.ctrl.Call(m, "SetNetwork", arg0)
+}
+
+// SetNetwork indicates an expected call of SetNetwork.
+func (mr *MockPacketFilterMockRecorder) SetNetwork(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetNetwork", reflect.TypeOf((*MockPacketFilter)(nil).SetNetwork), arg0)
+}

client/iface/mocks/iface/mocks/filter.go

@@ -46,32 +46,32 @@ func (mr *MockPacketFilterMockRecorder) AddUDPPacketHook(arg0, arg1, arg2, arg3
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddUDPPacketHook", reflect.TypeOf((*MockPacketFilter)(nil).AddUDPPacketHook), arg0, arg1, arg2, arg3)
 }
 
-// FilterInbound mocks base method.
-func (m *MockPacketFilter) FilterInbound(arg0 []byte) bool {
+// DropIncoming mocks base method.
+func (m *MockPacketFilter) DropIncoming(arg0 []byte) bool {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "FilterInbound", arg0)
+	ret := m.ctrl.Call(m, "DropIncoming", arg0)
 	ret0, _ := ret[0].(bool)
 	return ret0
 }
 
-// FilterInbound indicates an expected call of FilterInbound.
-func (mr *MockPacketFilterMockRecorder) FilterInbound(arg0 interface{}) *gomock.Call {
+// DropIncoming indicates an expected call of DropIncoming.
+func (mr *MockPacketFilterMockRecorder) DropIncoming(arg0 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "FilterInbound", reflect.TypeOf((*MockPacketFilter)(nil).FilterInbound), arg0)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DropIncoming", reflect.TypeOf((*MockPacketFilter)(nil).DropIncoming), arg0)
 }
 
-// FilterOutbound mocks base method.
-func (m *MockPacketFilter) FilterOutbound(arg0 []byte) bool {
+// DropOutgoing mocks base method.
+func (m *MockPacketFilter) DropOutgoing(arg0 []byte) bool {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "FilterOutbound", arg0)
+	ret := m.ctrl.Call(m, "DropOutgoing", arg0)
 	ret0, _ := ret[0].(bool)
 	return ret0
 }
 
-// FilterOutbound indicates an expected call of FilterOutbound.
-func (mr *MockPacketFilterMockRecorder) FilterOutbound(arg0 interface{}) *gomock.Call {
+// DropOutgoing indicates an expected call of DropOutgoing.
+func (mr *MockPacketFilterMockRecorder) DropOutgoing(arg0 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "FilterOutbound", reflect.TypeOf((*MockPacketFilter)(nil).FilterOutbound), arg0)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DropOutgoing", reflect.TypeOf((*MockPacketFilter)(nil).DropOutgoing), arg0)
 }
 
 // SetNetwork mocks base method.

client/iface/netstack/tun.go

@@ -1,6 +1,8 @@
 package netstack
 
 import (
+	"fmt"
+	"net"
 	"net/netip"
 	"os"
 	"strconv"
@@ -13,8 +15,8 @@ import (
 const EnvSkipProxy = "NB_NETSTACK_SKIP_PROXY"
 
 type NetStackTun struct { //nolint:revive
-	address       netip.Addr
-	dnsAddress    netip.Addr
+	address       net.IP
+	dnsAddress    net.IP
 	mtu           int
 	listenAddress string
 
@@ -22,7 +24,7 @@ type NetStackTun struct { //nolint:revive
 	tundev tun.Device
 }
 
-func NewNetStackTun(listenAddress string, address netip.Addr, dnsAddress netip.Addr, mtu int) *NetStackTun {
+func NewNetStackTun(listenAddress string, address net.IP, dnsAddress net.IP, mtu int) *NetStackTun {
 	return &NetStackTun{
 		address:       address,
 		dnsAddress:    dnsAddress,
@@ -32,21 +34,28 @@ func NewNetStackTun(listenAddress string, address netip.Addr, dnsAddress netip.A
 }
 
 func (t *NetStackTun) Create() (tun.Device, *netstack.Net, error) {
+	addr, ok := netip.AddrFromSlice(t.address)
+	if !ok {
+		return nil, nil, fmt.Errorf("convert address to netip.Addr: %v", t.address)
+	}
+
+	dnsAddr, ok := netip.AddrFromSlice(t.dnsAddress)
+	if !ok {
+		return nil, nil, fmt.Errorf("convert dns address to netip.Addr: %v", t.dnsAddress)
+	}
+
 	nsTunDev, tunNet, err := netstack.CreateNetTUN(
-		[]netip.Addr{t.address},
-		[]netip.Addr{t.dnsAddress},
+		[]netip.Addr{addr.Unmap()},
+		[]netip.Addr{dnsAddr.Unmap()},
 		t.mtu)
 	if err != nil {
 		return nil, nil, err
 	}
 	t.tundev = nsTunDev
 
-	var skipProxy bool
-	if val := os.Getenv(EnvSkipProxy); val != "" {
-		skipProxy, err = strconv.ParseBool(val)
-		if err != nil {
-			log.Errorf("failed to parse %s: %s", EnvSkipProxy, err)
-		}
+	skipProxy, err := strconv.ParseBool(os.Getenv(EnvSkipProxy))
+	if err != nil {
+		log.Errorf("failed to parse %s: %s", EnvSkipProxy, err)
 	}
 	if skipProxy {
 		return nsTunDev, tunNet, nil

client/iface/wgaddr/address.go

@@ -2,27 +2,28 @@ package wgaddr
 
 import (
 	"fmt"
-	"net/netip"
+	"net"
 )
 
 // Address WireGuard parsed address
 type Address struct {
-	IP      netip.Addr
-	Network netip.Prefix
+	IP      net.IP
+	Network *net.IPNet
 }
 
 // ParseWGAddress parse a string ("1.2.3.4/24") address to WG Address
 func ParseWGAddress(address string) (Address, error) {
-	prefix, err := netip.ParsePrefix(address)
+	ip, network, err := net.ParseCIDR(address)
 	if err != nil {
 		return Address{}, err
 	}
 	return Address{
-		IP:      prefix.Addr().Unmap(),
-		Network: prefix.Masked(),
+		IP:      ip,
+		Network: network,
 	}, nil
 }
 
 func (addr Address) String() string {
-	return fmt.Sprintf("%s/%d", addr.IP.String(), addr.Network.Bits())
+	maskSize, _ := addr.Network.Mask.Size()
+	return fmt.Sprintf("%s/%d", addr.IP.String(), maskSize)
 }

client/iface/wgproxy/bind/proxy.go

@@ -12,7 +12,6 @@ import (
 	log "github.com/sirupsen/logrus"
 
 	"github.com/netbirdio/netbird/client/iface/bind"
-	"github.com/netbirdio/netbird/client/iface/wgproxy/listener"
 )
 
 type ProxyBind struct {
@@ -29,17 +28,6 @@ type ProxyBind struct {
 	pausedMu  sync.Mutex
 	paused    bool
 	isStarted bool
-
-	closeListener *listener.CloseListener
-}
-
-func NewProxyBind(bind *bind.ICEBind) *ProxyBind {
-	p := &ProxyBind{
-		Bind:          bind,
-		closeListener: listener.NewCloseListener(),
-	}
-
-	return p
 }
 
 // AddTurnConn adds a new connection to the bind.
@@ -66,10 +54,6 @@ func (p *ProxyBind) EndpointAddr() *net.UDPAddr {
 	}
 }
 
-func (p *ProxyBind) SetDisconnectListener(disconnected func()) {
-	p.closeListener.SetCloseListener(disconnected)
-}
-
 func (p *ProxyBind) Work() {
 	if p.remoteConn == nil {
 		return
@@ -112,9 +96,6 @@ func (p *ProxyBind) close() error {
 	if p.closed {
 		return nil
 	}
-
-	p.closeListener.SetCloseListener(nil)
-
 	p.closed = true
 
 	p.cancel()
@@ -141,7 +122,6 @@ func (p *ProxyBind) proxyToLocal(ctx context.Context) {
 			if ctx.Err() != nil {
 				return
 			}
-			p.closeListener.Notify()
 			log.Errorf("failed to read from remote conn: %s, %s", p.remoteConn.RemoteAddr(), err)
 			return
 		}

client/iface/wgproxy/ebpf/wrapper.go

@@ -11,8 +11,6 @@ import (
 	"sync"
 
 	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/iface/wgproxy/listener"
 )
 
 // ProxyWrapper help to keep the remoteConn instance for net.Conn.Close function call
@@ -28,15 +26,6 @@ type ProxyWrapper struct {
 	pausedMu  sync.Mutex
 	paused    bool
 	isStarted bool
-
-	closeListener *listener.CloseListener
-}
-
-func NewProxyWrapper(WgeBPFProxy *WGEBPFProxy) *ProxyWrapper {
-	return &ProxyWrapper{
-		WgeBPFProxy:   WgeBPFProxy,
-		closeListener: listener.NewCloseListener(),
-	}
 }
 
 func (p *ProxyWrapper) AddTurnConn(ctx context.Context, endpoint *net.UDPAddr, remoteConn net.Conn) error {
@@ -54,10 +43,6 @@ func (p *ProxyWrapper) EndpointAddr() *net.UDPAddr {
 	return p.wgEndpointAddr
 }
 
-func (p *ProxyWrapper) SetDisconnectListener(disconnected func()) {
-	p.closeListener.SetCloseListener(disconnected)
-}
-
 func (p *ProxyWrapper) Work() {
 	if p.remoteConn == nil {
 		return
@@ -92,8 +77,6 @@ func (e *ProxyWrapper) CloseConn() error {
 
 	e.cancel()
 
-	e.closeListener.SetCloseListener(nil)
-
 	if err := e.remoteConn.Close(); err != nil && !errors.Is(err, net.ErrClosed) {
 		return fmt.Errorf("failed to close remote conn: %w", err)
 	}
@@ -134,7 +117,6 @@ func (p *ProxyWrapper) readFromRemote(ctx context.Context, buf []byte) (int, err
 		if ctx.Err() != nil {
 			return 0, ctx.Err()
 		}
-		p.closeListener.Notify()
 		if !errors.Is(err, io.EOF) {
 			log.Errorf("failed to read from turn conn (endpoint: :%d): %s", p.wgEndpointAddr.Port, err)
 		}

client/iface/wgproxy/factory_kernel.go

@@ -36,8 +36,9 @@ func (w *KernelFactory) GetProxy() Proxy {
 		return udpProxy.NewWGUDPProxy(w.wgPort)
 	}
 
-	return ebpf.NewProxyWrapper(w.ebpfProxy)
-
+	return &ebpf.ProxyWrapper{
+		WgeBPFProxy: w.ebpfProxy,
+	}
 }
 
 func (w *KernelFactory) Free() error {

client/iface/wgproxy/factory_usp.go

@@ -20,7 +20,9 @@ func NewUSPFactory(iceBind *bind.ICEBind) *USPFactory {
 }
 
 func (w *USPFactory) GetProxy() Proxy {
-	return proxyBind.NewProxyBind(w.bind)
+	return &proxyBind.ProxyBind{
+		Bind: w.bind,
+	}
 }
 
 func (w *USPFactory) Free() error {

client/iface/wgproxy/listener/listener.go

@@ -1,19 +0,0 @@
-package listener
-
-type CloseListener struct {
-	listener func()
-}
-
-func NewCloseListener() *CloseListener {
-	return &CloseListener{}
-}
-
-func (c *CloseListener) SetCloseListener(listener func()) {
-	c.listener = listener
-}
-
-func (c *CloseListener) Notify() {
-	if c.listener != nil {
-		c.listener()
-	}
-}