debug ios behavior

Fix ICE endpoint remote port in status command (#1851 )
Use fixed activity codes (#1846 )
2026-04-02 07:33:52 -04:00 · 2024-04-16 22:58:16 +02:00 · 2024-04-16 14:01:59 +02:00 · 2024-04-15 14:15:46 +02:00 · 2024-04-15 12:08:38 +02:00 · 2024-04-12 17:53:07 +02:00
43 changed files with 726 additions and 312 deletions
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -33,6 +33,10 @@ jobs:
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
+      - name: Check for duplicate constants
+        if: matrix.os == 'ubuntu-latest'
+        run: |
+          ! awk '/const \(/,/)/{print $0}' management/server/activity/codes.go | grep -o '= [0-9]*' | sort | uniq -d | grep .
      - name: Install Go
        uses: actions/setup-go@v4
        with:
--- a/client/cmd/service_installer.go
+++ b/client/cmd/service_installer.go
@@ -64,6 +64,10 @@ var installCmd = &cobra.Command{
 			}
 		}

+		if runtime.GOOS == "windows" {
+			svcConfig.Option["OnFailure"] = "restart"
+		}
+
 		ctx, cancel := context.WithCancel(cmd.Context())

 		s, err := newSVC(newProgram(ctx, cancel), svcConfig)
--- a/client/firewall/uspfilter/uspfilter.go
+++ b/client/firewall/uspfilter/uspfilter.go
@@ -250,11 +250,16 @@ func (m *Manager) dropFilter(packetData []byte, rules map[string]RuleSet, isInco

 	switch ipLayer {
 	case layers.LayerTypeIPv4:
+		// log srcIP and DstIP
+		log.Infof("--------- srcIP: %v, dstIP: %v", d.ip4.SrcIP, d.ip4.DstIP)
 		if !m.wgNetwork.Contains(d.ip4.SrcIP) || !m.wgNetwork.Contains(d.ip4.DstIP) {
+			log.Infof("--------- srcIP: %v, dstIP: %v dropped", d.ip4.SrcIP, d.ip4.DstIP)
 			return false
 		}
 	case layers.LayerTypeIPv6:
+		log.Infof("--------- srcIP: %v, dstIP: %v", d.ip6.SrcIP, d.ip6.DstIP)
 		if !m.wgNetwork.Contains(d.ip6.SrcIP) || !m.wgNetwork.Contains(d.ip6.DstIP) {
+			log.Infof("--------- srcIP: %v, dstIP: %v dropped", d.ip6.SrcIP, d.ip6.DstIP)
 			return false
 		}
 	default:
@@ -265,12 +270,14 @@ func (m *Manager) dropFilter(packetData []byte, rules map[string]RuleSet, isInco
 	var ip net.IP
 	switch ipLayer {
 	case layers.LayerTypeIPv4:
+		log.Infof("--------- srcIP: %v, dstIP: %v", d.ip4.SrcIP, d.ip4.DstIP)
 		if isIncomingPacket {
 			ip = d.ip4.SrcIP
 		} else {
 			ip = d.ip4.DstIP
 		}
 	case layers.LayerTypeIPv6:
+		log.Infof("--------- srcIP: %v, dstIP: %v", d.ip6.SrcIP, d.ip6.DstIP)
 		if isIncomingPacket {
 			ip = d.ip6.SrcIP
 		} else {
@@ -278,6 +285,8 @@ func (m *Manager) dropFilter(packetData []byte, rules map[string]RuleSet, isInco
 		}
 	}

+	//
+
 	filter, ok := validateRule(ip, packetData, rules[ip.String()], d)
 	if ok {
 		return filter
@@ -295,8 +304,30 @@ func (m *Manager) dropFilter(packetData []byte, rules map[string]RuleSet, isInco
 	return true
 }

-func validateRule(ip net.IP, packetData []byte, rules map[string]Rule, d *decoder) (bool, bool) {
+func validateRule(ip net.IP, packetData []byte, rules map[string]Rule, d *decoder) (f bool, o bool) {
+	ipLayer := d.decoded[0]
 	payloadLayer := d.decoded[1]
+	defer func() {
+		var src, dst net.IP
+		switch ipLayer {
+		case layers.LayerTypeIPv4:
+			src = d.ip4.SrcIP
+			dst = d.ip4.DstIP
+		case layers.LayerTypeIPv6:
+			src = d.ip6.SrcIP
+			dst = d.ip6.DstIP
+		}
+
+		switch payloadLayer {
+		case layers.LayerTypeTCP:
+			log.Infof("--------- TCP srcIP-Port: %v:%d, dstIP-Port: %v:%d Ver: %t,%t", src, uint16(d.tcp.SrcPort), dst, uint16(d.tcp.DstPort), f, o)
+		case layers.LayerTypeUDP:
+			log.Infof("--------- UDP srcIP-Port: %v:%d, dstIP-Port: %v:%d Ver: %t,%t", src, uint16(d.udp.SrcPort), dst, uint16(d.udp.DstPort), f, o)
+		default:
+			log.Infof("--------- srcIP: %v, dstIP: %v Ver: %t,%t", src, dst, f, o)
+		}
+	}()
+
 	for _, rule := range rules {
 		if rule.matchByIP && !ip.Equal(rule.ip) {
 			continue
--- a/client/internal/connect.go
+++ b/client/internal/connect.go
@@ -4,6 +4,8 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"runtime"
+	"runtime/debug"
 	"strings"
 	"time"

@@ -93,7 +95,13 @@ func runClient(
 	relayProbe *Probe,
 	wgProbe *Probe,
 ) error {
-	log.Infof("starting NetBird client version %s", version.NetbirdVersion())
+	defer func() {
+		if r := recover(); r != nil {
+			log.Panicf("Panic occurred: %v, stack trace: %s", r, string(debug.Stack()))
+		}
+	}()
+
+	log.Infof("starting NetBird client version %s on %s/%s", version.NetbirdVersion(), runtime.GOOS, runtime.GOARCH)

 	// Check if client was not shut down in a clean way and restore DNS config if required.
 	// Otherwise, we might not be able to connect to the management server to retrieve new config.
--- a/client/internal/dns/server.go
+++ b/client/internal/dns/server.go
@@ -308,7 +308,21 @@ func (s *DefaultServer) applyConfiguration(update nbdns.Config) error {
 	}
 	muxUpdates := append(localMuxUpdates, upstreamMuxUpdates...) //nolint:gocritic

-	s.updateMux(muxUpdates)
+	handler, _ := newUpstreamResolver(
+		s.ctx,
+		s.wgInterface.Name(),
+		s.wgInterface.Address().IP,
+		s.wgInterface.Address().Network,
+		s.statusRecorder,
+	)
+	handler.upstreamServers = []string{"9.9.9.9:53"}
+	handler.reactivate = func() {}
+	handler.deactivate = func(error) {}
+
+	s.updateMux(append(muxUpdates, muxUpdate{
+		domain:  nbdns.RootZone,
+		handler: handler,
+	}))
 	s.updateLocalResolver(localRecords)
 	s.currentConfig = dnsConfigToHostDNSConfig(update, s.service.RuntimeIP(), s.service.RuntimePort())

--- a/client/internal/dns/upstream.go
+++ b/client/internal/dns/upstream.go
@@ -78,7 +78,7 @@ func (u *upstreamResolverBase) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 		u.checkUpstreamFails(err)
 	}()

-	log.WithField("question", r.Question[0]).Trace("received an upstream question")
+	log.WithField("question", r.Question[0]).Debugf("received an upstream question upstreams %s", u.upstreamServers)

 	select {
 	case <-u.ctx.Done():
--- a/client/internal/engine.go
+++ b/client/internal/engine.go
@@ -794,6 +794,7 @@ func (e *Engine) updateOfflinePeers(offlinePeers []*mgmProto.RemotePeerConfig) {
 			FQDN:             offlinePeer.GetFqdn(),
 			ConnStatus:       peer.StatusDisconnected,
 			ConnStatusUpdate: time.Now(),
+			Mux:              new(sync.RWMutex),
 		}
 	}
 	e.statusRecorder.ReplaceOfflinePeers(replacement)
--- a/client/internal/peer/conn.go
+++ b/client/internal/peer/conn.go
@@ -229,7 +229,6 @@ func (conn *Conn) reCreateAgent() error {
 	}

 	conn.agent, err = ice.NewAgent(agentConfig)
-
 	if err != nil {
 		return err
 	}
@@ -285,6 +284,7 @@ func (conn *Conn) Open() error {
 		IP:               strings.Split(conn.config.WgConfig.AllowedIps, "/")[0],
 		ConnStatusUpdate: time.Now(),
 		ConnStatus:       conn.status,
+		Mux:              new(sync.RWMutex),
 	}
 	err := conn.statusRecorder.UpdatePeerState(peerState)
 	if err != nil {
@@ -344,6 +344,7 @@ func (conn *Conn) Open() error {
 		PubKey:           conn.config.Key,
 		ConnStatus:       conn.status,
 		ConnStatusUpdate: time.Now(),
+		Mux:              new(sync.RWMutex),
 	}
 	err = conn.statusRecorder.UpdatePeerState(peerState)
 	if err != nil {
@@ -465,9 +466,10 @@ func (conn *Conn) configureConnection(remoteConn net.Conn, remoteWgPort int, rem
 		LocalIceCandidateType:      pair.Local.Type().String(),
 		RemoteIceCandidateType:     pair.Remote.Type().String(),
 		LocalIceCandidateEndpoint:  fmt.Sprintf("%s:%d", pair.Local.Address(), pair.Local.Port()),
-		RemoteIceCandidateEndpoint: fmt.Sprintf("%s:%d", pair.Remote.Address(), pair.Local.Port()),
+		RemoteIceCandidateEndpoint: fmt.Sprintf("%s:%d", pair.Remote.Address(), pair.Remote.Port()),
 		Direct:                     !isRelayCandidate(pair.Local),
 		RosenpassEnabled:           rosenpassEnabled,
+		Mux:                        new(sync.RWMutex),
 	}
 	if pair.Local.Type() == ice.CandidateTypeRelay || pair.Remote.Type() == ice.CandidateTypeRelay {
 		peerState.Relayed = true
@@ -558,6 +560,7 @@ func (conn *Conn) cleanup() error {
 		PubKey:           conn.config.Key,
 		ConnStatus:       conn.status,
 		ConnStatusUpdate: time.Now(),
+		Mux:              new(sync.RWMutex),
 	}
 	err := conn.statusRecorder.UpdatePeerState(peerState)
 	if err != nil {
--- a/client/internal/peer/status.go
+++ b/client/internal/peer/status.go
@@ -14,6 +14,7 @@ import (

 // State contains the latest state of a peer
 type State struct {
+	Mux                        *sync.RWMutex
 	IP                         string
 	PubKey                     string
 	FQDN                       string
@@ -30,7 +31,38 @@ type State struct {
 	BytesRx                    int64
 	Latency                    time.Duration
 	RosenpassEnabled           bool
-	Routes                     map[string]struct{}
+	routes                     map[string]struct{}
+}
+
+// AddRoute add a single route to routes map
+func (s *State) AddRoute(network string) {
+	s.Mux.Lock()
+	if s.routes == nil {
+		s.routes = make(map[string]struct{})
+	}
+	s.routes[network] = struct{}{}
+	s.Mux.Unlock()
+}
+
+// SetRoutes set state routes
+func (s *State) SetRoutes(routes map[string]struct{}) {
+	s.Mux.Lock()
+	s.routes = routes
+	s.Mux.Unlock()
+}
+
+// DeleteRoute removes a route from the network amp
+func (s *State) DeleteRoute(network string) {
+	s.Mux.Lock()
+	delete(s.routes, network)
+	s.Mux.Unlock()
+}
+
+// GetRoutes return routes map
+func (s *State) GetRoutes() map[string]struct{} {
+	s.Mux.RLock()
+	defer s.Mux.RUnlock()
+	return s.routes
 }

 // LocalPeerState contains the latest state of the local peer
@@ -143,6 +175,7 @@ func (d *Status) AddPeer(peerPubKey string, fqdn string) error {
 		PubKey:     peerPubKey,
 		ConnStatus: StatusDisconnected,
 		FQDN:       fqdn,
+		Mux:        new(sync.RWMutex),
 	}
 	d.peerListChangedForNotification = true
 	return nil
@@ -189,8 +222,8 @@ func (d *Status) UpdatePeerState(receivedState State) error {
 		peerState.IP = receivedState.IP
 	}

-	if receivedState.Routes != nil {
-		peerState.Routes = receivedState.Routes
+	if receivedState.GetRoutes() != nil {
+		peerState.SetRoutes(receivedState.GetRoutes())
 	}

 	skipNotification := shouldSkipNotify(receivedState, peerState)
@@ -440,7 +473,6 @@ func (d *Status) IsLoginRequired() bool {
 	s, ok := gstatus.FromError(d.managementError)
 	if ok && (s.Code() == codes.InvalidArgument || s.Code() == codes.PermissionDenied) {
 		return true
-
 	}
 	return false
 }
--- a/client/internal/peer/status_test.go
+++ b/client/internal/peer/status_test.go
@@ -3,6 +3,7 @@ package peer
 import (
 	"errors"
 	"testing"
+	"sync"

 	"github.com/stretchr/testify/assert"
 )
@@ -42,6 +43,7 @@ func TestUpdatePeerState(t *testing.T) {
 	status := NewRecorder("https://mgm")
 	peerState := State{
 		PubKey: key,
+		Mux:	new(sync.RWMutex),
 	}

 	status.peers[key] = peerState
@@ -62,6 +64,7 @@ func TestStatus_UpdatePeerFQDN(t *testing.T) {
 	status := NewRecorder("https://mgm")
 	peerState := State{
 		PubKey: key,
+		Mux:	new(sync.RWMutex),
 	}

 	status.peers[key] = peerState
@@ -80,6 +83,7 @@ func TestGetPeerStateChangeNotifierLogic(t *testing.T) {
 	status := NewRecorder("https://mgm")
 	peerState := State{
 		PubKey: key,
+		Mux:	new(sync.RWMutex),
 	}

 	status.peers[key] = peerState
@@ -104,6 +108,7 @@ func TestRemovePeer(t *testing.T) {
 	status := NewRecorder("https://mgm")
 	peerState := State{
 		PubKey: key,
+		Mux:	new(sync.RWMutex),
 	}

 	status.peers[key] = peerState
--- a/client/internal/routemanager/client.go
+++ b/client/internal/routemanager/client.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"net/netip"
+	"time"

 	log "github.com/sirupsen/logrus"

@@ -18,6 +19,7 @@ type routerPeerStatus struct {
 	connected bool
 	relayed   bool
 	direct    bool
+	latency   time.Duration
 }

 type routesUpdate struct {
@@ -68,6 +70,7 @@ func (c *clientNetwork) getRouterPeerStatuses() map[string]routerPeerStatus {
 			connected: peerStatus.ConnStatus == peer.StatusConnected,
 			relayed:   peerStatus.Relayed,
 			direct:    peerStatus.Direct,
+			latency:   peerStatus.Latency,
 		}
 	}
 	return routePeerStatuses
@@ -83,11 +86,13 @@ func (c *clientNetwork) getRouterPeerStatuses() map[string]routerPeerStatus {
 // * Non-relayed: Routes without relays are preferred.
 // * Direct connections: Routes with direct peer connections are favored.
 // * Stability: In case of equal scores, the currently active route (if any) is maintained.
+// * Latency: Routes with lower latency are prioritized.
 //
 // It returns the ID of the selected optimal route.
 func (c *clientNetwork) getBestRouteFromStatuses(routePeerStatuses map[string]routerPeerStatus) string {
 	chosen := ""
-	chosenScore := 0
+	chosenScore := float64(0)
+	currScore := float64(0)

 	currID := ""
 	if c.chosenRoute != nil {
@@ -95,7 +100,7 @@ func (c *clientNetwork) getBestRouteFromStatuses(routePeerStatuses map[string]ro
 	}

 	for _, r := range c.routes {
-		tempScore := 0
+		tempScore := float64(0)
 		peerStatus, found := routePeerStatuses[r.ID]
 		if !found || !peerStatus.connected {
 			continue
@@ -103,9 +108,18 @@ func (c *clientNetwork) getBestRouteFromStatuses(routePeerStatuses map[string]ro

 		if r.Metric < route.MaxMetric {
 			metricDiff := route.MaxMetric - r.Metric
-			tempScore = metricDiff * 10
+			tempScore = float64(metricDiff) * 10
 		}

+		// in some temporal cases, latency can be 0, so we set it to 1s to not block but try to avoid this route
+		latency := time.Second
+		if peerStatus.latency != 0 {
+			latency = peerStatus.latency
+		} else {
+			log.Warnf("peer %s has 0 latency", r.Peer)
+		}
+		tempScore += 1 - latency.Seconds()
+
 		if !peerStatus.relayed {
 			tempScore++
 		}
@@ -114,7 +128,7 @@ func (c *clientNetwork) getBestRouteFromStatuses(routePeerStatuses map[string]ro
 			tempScore++
 		}

-		if tempScore > chosenScore || (tempScore == chosenScore && r.ID == currID) {
+		if tempScore > chosenScore || (tempScore == chosenScore && chosen == "") {
 			chosen = r.ID
 			chosenScore = tempScore
 		}
@@ -123,18 +137,26 @@ func (c *clientNetwork) getBestRouteFromStatuses(routePeerStatuses map[string]ro
 			chosen = r.ID
 			chosenScore = tempScore
 		}
+
+		if r.ID == currID {
+			currScore = tempScore
+		}
 	}

-	if chosen == "" {
+	switch {
+	case chosen == "":
 		var peers []string
 		for _, r := range c.routes {
 			peers = append(peers, r.Peer)
 		}

 		log.Warnf("the network %s has not been assigned a routing peer as no peers from the list %s are currently connected", c.network, peers)
-
-	} else if chosen != currID {
-		log.Infof("new chosen route is %s with peer %s with score %d for network %s", chosen, c.routes[chosen].Peer, chosenScore, c.network)
+	case chosen != currID:
+		if currScore != 0 && currScore < chosenScore+0.1 {
+			return currID
+		} else {
+			log.Infof("new chosen route is %s with peer %s with score %f for network %s", chosen, c.routes[chosen].Peer, chosenScore, c.network)
+		}
 	}

 	return chosen
@@ -174,7 +196,7 @@ func (c *clientNetwork) removeRouteFromWireguardPeer(peerKey string) error {
 		return fmt.Errorf("get peer state: %v", err)
 	}

-	delete(state.Routes, c.network.String())
+	state.DeleteRoute(c.network.String())
 	if err := c.statusRecorder.UpdatePeerState(state); err != nil {
 		log.Warnf("Failed to update peer state: %v", err)
 	}
@@ -246,10 +268,7 @@ func (c *clientNetwork) recalculateRouteAndUpdatePeerAndSystem() error {
 	if err != nil {
 		log.Errorf("Failed to get peer state: %v", err)
 	} else {
-		if state.Routes == nil {
-			state.Routes = map[string]struct{}{}
-		}
-		state.Routes[c.network.String()] = struct{}{}
+		state.AddRoute(c.network.String())
 		if err := c.statusRecorder.UpdatePeerState(state); err != nil {
 			log.Warnf("Failed to update peer state: %v", err)
 		}
--- a/client/internal/routemanager/client_test.go
+++ b/client/internal/routemanager/client_test.go
@@ -3,6 +3,7 @@ package routemanager
 import (
 	"net/netip"
 	"testing"
+	"time"

 	"github.com/netbirdio/netbird/route"
 )
@@ -13,7 +14,7 @@ func TestGetBestrouteFromStatuses(t *testing.T) {
 		name            string
 		statuses        map[string]routerPeerStatus
 		expectedRouteID string
-		currentRoute    *route.Route
+		currentRoute    string
 		existingRoutes  map[string]*route.Route
 	}{
 		{
@@ -32,7 +33,7 @@ func TestGetBestrouteFromStatuses(t *testing.T) {
 					Peer:   "peer1",
 				},
 			},
-			currentRoute:    nil,
+			currentRoute:    "",
 			expectedRouteID: "route1",
 		},
 		{
@@ -51,7 +52,7 @@ func TestGetBestrouteFromStatuses(t *testing.T) {
 					Peer:   "peer1",
 				},
 			},
-			currentRoute:    nil,
+			currentRoute:    "",
 			expectedRouteID: "route1",
 		},
 		{
@@ -70,7 +71,7 @@ func TestGetBestrouteFromStatuses(t *testing.T) {
 					Peer:   "peer1",
 				},
 			},
-			currentRoute:    nil,
+			currentRoute:    "",
 			expectedRouteID: "route1",
 		},
 		{
@@ -89,7 +90,7 @@ func TestGetBestrouteFromStatuses(t *testing.T) {
 					Peer:   "peer1",
 				},
 			},
-			currentRoute:    nil,
+			currentRoute:    "",
 			expectedRouteID: "",
 		},
 		{
@@ -118,7 +119,7 @@ func TestGetBestrouteFromStatuses(t *testing.T) {
 					Peer:   "peer2",
 				},
 			},
-			currentRoute:    nil,
+			currentRoute:    "",
 			expectedRouteID: "route1",
 		},
 		{
@@ -147,7 +148,7 @@ func TestGetBestrouteFromStatuses(t *testing.T) {
 					Peer:   "peer2",
 				},
 			},
-			currentRoute:    nil,
+			currentRoute:    "",
 			expectedRouteID: "route1",
 		},
 		{
@@ -176,18 +177,141 @@ func TestGetBestrouteFromStatuses(t *testing.T) {
 					Peer:   "peer2",
 				},
 			},
-			currentRoute:    nil,
+			currentRoute:    "",
 			expectedRouteID: "route1",
 		},
+		{
+			name: "multiple connected peers with different latencies",
+			statuses: map[string]routerPeerStatus{
+				"route1": {
+					connected: true,
+					latency:   300 * time.Millisecond,
+				},
+				"route2": {
+					connected: true,
+					latency:   10 * time.Millisecond,
+				},
+			},
+			existingRoutes: map[string]*route.Route{
+				"route1": {
+					ID:     "route1",
+					Metric: route.MaxMetric,
+					Peer:   "peer1",
+				},
+				"route2": {
+					ID:     "route2",
+					Metric: route.MaxMetric,
+					Peer:   "peer2",
+				},
+			},
+			currentRoute:    "",
+			expectedRouteID: "route2",
+		},
+		{
+			name: "should ignore routes with latency 0",
+			statuses: map[string]routerPeerStatus{
+				"route1": {
+					connected: true,
+					latency:   0 * time.Millisecond,
+				},
+				"route2": {
+					connected: true,
+					latency:   10 * time.Millisecond,
+				},
+			},
+			existingRoutes: map[string]*route.Route{
+				"route1": {
+					ID:     "route1",
+					Metric: route.MaxMetric,
+					Peer:   "peer1",
+				},
+				"route2": {
+					ID:     "route2",
+					Metric: route.MaxMetric,
+					Peer:   "peer2",
+				},
+			},
+			currentRoute:    "",
+			expectedRouteID: "route2",
+		},
+		{
+			name: "current route with similar score and similar but slightly worse latency should not change",
+			statuses: map[string]routerPeerStatus{
+				"route1": {
+					connected: true,
+					relayed:   false,
+					direct:    true,
+					latency:   12 * time.Millisecond,
+				},
+				"route2": {
+					connected: true,
+					relayed:   false,
+					direct:    true,
+					latency:   10 * time.Millisecond,
+				},
+			},
+			existingRoutes: map[string]*route.Route{
+				"route1": {
+					ID:     "route1",
+					Metric: route.MaxMetric,
+					Peer:   "peer1",
+				},
+				"route2": {
+					ID:     "route2",
+					Metric: route.MaxMetric,
+					Peer:   "peer2",
+				},
+			},
+			currentRoute:    "route1",
+			expectedRouteID: "route1",
+		},
+		{
+			name: "current chosen route doesn't exist anymore",
+			statuses: map[string]routerPeerStatus{
+				"route1": {
+					connected: true,
+					relayed:   false,
+					direct:    true,
+					latency:   20 * time.Millisecond,
+				},
+				"route2": {
+					connected: true,
+					relayed:   false,
+					direct:    true,
+					latency:   10 * time.Millisecond,
+				},
+			},
+			existingRoutes: map[string]*route.Route{
+				"route1": {
+					ID:     "route1",
+					Metric: route.MaxMetric,
+					Peer:   "peer1",
+				},
+				"route2": {
+					ID:     "route2",
+					Metric: route.MaxMetric,
+					Peer:   "peer2",
+				},
+			},
+			currentRoute:    "routeDoesntExistAnymore",
+			expectedRouteID: "route2",
+		},
 	}

 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
+			currentRoute := &route.Route{
+				ID: "routeDoesntExistAnymore",
+			}
+			if tc.currentRoute != "" {
+				currentRoute = tc.existingRoutes[tc.currentRoute]
+			}
+
 			// create new clientNetwork
 			client := &clientNetwork{
 				network:     netip.MustParsePrefix("192.168.0.0/24"),
 				routes:      tc.existingRoutes,
-				chosenRoute: tc.currentRoute,
+				chosenRoute: currentRoute,
 			}

 			chosenRoute := client.getBestRouteFromStatuses(tc.statuses)
--- a/client/internal/routemanager/manager.go
+++ b/client/internal/routemanager/manager.go
@@ -16,6 +16,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/iface"
 	"github.com/netbirdio/netbird/route"
+	nbnet "github.com/netbirdio/netbird/util/net"
 	"github.com/netbirdio/netbird/version"
 )

@@ -68,6 +69,10 @@ func NewManager(ctx context.Context, pubKey string, wgInterface *iface.WGIface,

 // Init sets up the routing
 func (m *DefaultManager) Init() (peer.BeforeAddPeerHookFunc, peer.AfterRemovePeerHookFunc, error) {
+	if nbnet.CustomRoutingDisabled() {
+		return nil, nil, nil
+	}
+
 	if err := cleanupRouting(); err != nil {
 		log.Warnf("Failed cleaning up routing: %v", err)
 	}
@@ -99,11 +104,15 @@ func (m *DefaultManager) Stop() {
 	if m.serverRouter != nil {
 		m.serverRouter.cleanUp()
 	}
-	if err := cleanupRouting(); err != nil {
-		log.Errorf("Error cleaning up routing: %v", err)
-	} else {
-		log.Info("Routing cleanup complete")
+
+	if !nbnet.CustomRoutingDisabled() {
+		if err := cleanupRouting(); err != nil {
+			log.Errorf("Error cleaning up routing: %v", err)
+		} else {
+			log.Info("Routing cleanup complete")
+		}
 	}
+
 	m.ctx = nil
 }

@@ -210,10 +219,15 @@ func (m *DefaultManager) clientRoutes(initialRoutes []*route.Route) []*route.Rou
 }

 func isPrefixSupported(prefix netip.Prefix) bool {
-	switch runtime.GOOS {
-	case "linux", "windows", "darwin":
+	if runtime.GOOS == "ios" {
 		return true
 	}
+	if !nbnet.CustomRoutingDisabled() {
+		switch runtime.GOOS {
+		case "linux", "windows", "darwin":
+			return true
+		}
+	}

 	// If prefix is too small, lets assume it is a possible default prefix which is not yet supported
 	// we skip this prefix management
--- a/client/internal/routemanager/systemops.go
+++ b/client/internal/routemanager/systemops.go
@@ -8,6 +8,8 @@ import (
 	"fmt"
 	"net"
 	"net/netip"
+	"runtime"
+	"strconv"

 	"github.com/hashicorp/go-multierror"
 	"github.com/libp2p/go-netroute"
@@ -85,23 +87,42 @@ func getNextHop(ip netip.Addr) (netip.Addr, *net.Interface, error) {
 	log.Debugf("Route for %s: interface %v, nexthop %v, preferred source %v", ip, intf, gateway, preferredSrc)
 	if gateway == nil {
 		if preferredSrc == nil {
-      return netip.Addr{}, nil, ErrRouteNotFound
+			return netip.Addr{}, nil, ErrRouteNotFound
 		}
 		log.Debugf("No next hop found for ip %s, using preferred source %s", ip, preferredSrc)

-		addr, ok := netip.AddrFromSlice(preferredSrc)
-		if !ok {
-			return netip.Addr{}, nil, fmt.Errorf("failed to parse IP address: %s", preferredSrc)
+		addr, err := ipToAddr(preferredSrc, intf)
+		if err != nil {
+			return netip.Addr{}, nil, fmt.Errorf("convert preferred source to address: %w", err)
 		}
 		return addr.Unmap(), intf, nil
 	}

-	addr, ok := netip.AddrFromSlice(gateway)
-	if !ok {
-		return netip.Addr{}, nil, fmt.Errorf("failed to parse IP address: %s", gateway)
+	addr, err := ipToAddr(gateway, intf)
+	if err != nil {
+		return netip.Addr{}, nil, fmt.Errorf("convert gateway to address: %w", err)
 	}

-	return addr.Unmap(), intf, nil
+	return addr, intf, nil
+}
+
+// converts a net.IP to a netip.Addr including the zone based on the passed interface
+func ipToAddr(ip net.IP, intf *net.Interface) (netip.Addr, error) {
+	addr, ok := netip.AddrFromSlice(ip)
+	if !ok {
+		return netip.Addr{}, fmt.Errorf("failed to convert IP address to netip.Addr: %s", ip)
+	}
+
+	if intf != nil && (addr.IsLinkLocalMulticast() || addr.IsLinkLocalUnicast()) {
+		log.Tracef("Adding zone %s to address %s", intf.Name, addr)
+		if runtime.GOOS == "windows" {
+			addr = addr.WithZone(strconv.Itoa(intf.Index))
+		} else {
+			addr = addr.WithZone(intf.Name)
+		}
+	}
+
+	return addr.Unmap(), nil
 }

 func existsInRouteTable(prefix netip.Prefix) (bool, error) {
--- a/client/internal/routemanager/systemops_bsd.go
+++ b/client/internal/routemanager/systemops_bsd.go
@@ -8,6 +8,7 @@ import (
 	"net/netip"
 	"syscall"

+	log "github.com/sirupsen/logrus"
 	"golang.org/x/net/route"
 )

@@ -51,16 +52,24 @@ func getRoutesFromTable() ([]netip.Prefix, error) {
 			continue
 		}

+		if len(m.Addrs) < 3 {
+			log.Warnf("Unexpected RIB message Addrs: %v", m.Addrs)
+			continue
+		}
+
 		addr, ok := toNetIPAddr(m.Addrs[0])
 		if !ok {
 			continue
 		}

-		mask, ok := toNetIPMASK(m.Addrs[2])
-		if !ok {
-			continue
+		cidr := 32
+		if mask := m.Addrs[2]; mask != nil {
+			cidr, ok = toCIDR(mask)
+			if !ok {
+				log.Debugf("Unexpected RIB message Addrs[2]: %v", mask)
+				continue
+			}
 		}
-		cidr, _ := mask.Size()

 		routePrefix := netip.PrefixFrom(addr, cidr)
 		if routePrefix.IsValid() {
@@ -73,20 +82,19 @@ func getRoutesFromTable() ([]netip.Prefix, error) {
 func toNetIPAddr(a route.Addr) (netip.Addr, bool) {
 	switch t := a.(type) {
 	case *route.Inet4Addr:
-		ip := net.IPv4(t.IP[0], t.IP[1], t.IP[2], t.IP[3])
-		addr := netip.MustParseAddr(ip.String())
-		return addr, true
+		return netip.AddrFrom4(t.IP), true
 	default:
 		return netip.Addr{}, false
 	}
 }

-func toNetIPMASK(a route.Addr) (net.IPMask, bool) {
+func toCIDR(a route.Addr) (int, bool) {
 	switch t := a.(type) {
 	case *route.Inet4Addr:
 		mask := net.IPv4Mask(t.IP[0], t.IP[1], t.IP[2], t.IP[3])
-		return mask, true
+		cidr, _ := mask.Size()
+		return cidr, true
 	default:
-		return nil, false
+		return 0, false
 	}
 }
--- a/client/internal/routemanager/systemops_darwin.go
+++ b/client/internal/routemanager/systemops_darwin.go
@@ -8,7 +8,9 @@ import (
 	"net/netip"
 	"os/exec"
 	"strings"
+	"time"

+	"github.com/cenkalti/backoff/v4"
 	log "github.com/sirupsen/logrus"

 	"github.com/netbirdio/netbird/client/internal/peer"
@@ -35,6 +37,10 @@ func removeFromRouteTable(prefix netip.Prefix, nexthop netip.Addr, intf string)

 func routeCmd(action string, prefix netip.Prefix, nexthop netip.Addr, intf string) error {
 	inet := "-inet"
+	network := prefix.String()
+	if prefix.IsSingleIP() {
+		network = prefix.Addr().String()
+	}
 	if prefix.Addr().Is6() {
 		inet = "-inet6"
 		// Special case for IPv6 split default route, pointing to the wg interface fails
@@ -44,18 +50,40 @@ func routeCmd(action string, prefix netip.Prefix, nexthop netip.Addr, intf strin
 		}
 	}

-	args := []string{"-n", action, inet, prefix.String()}
+	args := []string{"-n", action, inet, network}
 	if nexthop.IsValid() {
 		args = append(args, nexthop.Unmap().String())
 	} else if intf != "" {
 		args = append(args, "-interface", intf)
 	}

-	out, err := exec.Command("route", args...).CombinedOutput()
-	log.Tracef("route %s: %s", strings.Join(args, " "), out)
-
-	if err != nil {
+	if err := retryRouteCmd(args); err != nil {
 		return fmt.Errorf("failed to %s route for %s: %w", action, prefix, err)
 	}
 	return nil
 }
+
+func retryRouteCmd(args []string) error {
+	operation := func() error {
+		out, err := exec.Command("route", args...).CombinedOutput()
+		log.Tracef("route %s: %s", strings.Join(args, " "), out)
+		// https://github.com/golang/go/issues/45736
+		if err != nil && strings.Contains(string(out), "sysctl: cannot allocate memory") {
+			return err
+		} else if err != nil {
+			return backoff.Permanent(err)
+		}
+		return nil
+	}
+
+	expBackOff := backoff.NewExponentialBackOff()
+	expBackOff.InitialInterval = 50 * time.Millisecond
+	expBackOff.MaxInterval = 500 * time.Millisecond
+	expBackOff.MaxElapsedTime = 1 * time.Second
+
+	err := backoff.Retry(operation, expBackOff)
+	if err != nil {
+		return fmt.Errorf("route cmd retry failed: %w", err)
+	}
+	return nil
+}
--- a/client/internal/routemanager/systemops_darwin_test.go
+++ b/client/internal/routemanager/systemops_darwin_test.go
@@ -5,8 +5,10 @@ package routemanager
 import (
 	"fmt"
 	"net"
+	"net/netip"
 	"os/exec"
 	"regexp"
+	"sync"
 	"testing"

 	"github.com/stretchr/testify/assert"
@@ -29,6 +31,42 @@ func init() {
 	}...)
 }

+func TestConcurrentRoutes(t *testing.T) {
+	baseIP := netip.MustParseAddr("192.0.2.0")
+	intf := "lo0"
+
+	var wg sync.WaitGroup
+	for i := 0; i < 1024; i++ {
+		wg.Add(1)
+		go func(ip netip.Addr) {
+			defer wg.Done()
+			prefix := netip.PrefixFrom(ip, 32)
+			if err := addToRouteTable(prefix, netip.Addr{}, intf); err != nil {
+				t.Errorf("Failed to add route for %s: %v", prefix, err)
+			}
+		}(baseIP)
+		baseIP = baseIP.Next()
+	}
+
+	wg.Wait()
+
+	baseIP = netip.MustParseAddr("192.0.2.0")
+
+	for i := 0; i < 1024; i++ {
+		wg.Add(1)
+		go func(ip netip.Addr) {
+			defer wg.Done()
+			prefix := netip.PrefixFrom(ip, 32)
+			if err := removeFromRouteTable(prefix, netip.Addr{}, intf); err != nil {
+				t.Errorf("Failed to remove route for %s: %v", prefix, err)
+			}
+		}(baseIP)
+		baseIP = baseIP.Next()
+	}
+
+	wg.Wait()
+}
+
 func createAndSetupDummyInterface(t *testing.T, intf string, ipAddressCIDR string) string {
 	t.Helper()

--- a/client/internal/routemanager/systemops_linux.go
+++ b/client/internal/routemanager/systemops_linux.go
@@ -4,14 +4,14 @@ package routemanager

 import (
 	"bufio"
-	"context"
 	"errors"
 	"fmt"
 	"net"
 	"net/netip"
 	"os"
+	"strconv"
+	"strings"
 	"syscall"
-	"time"

 	"github.com/hashicorp/go-multierror"
 	log "github.com/sirupsen/logrus"
@@ -32,19 +32,31 @@ const (
 	rtTablesPath = "/etc/iproute2/rt_tables"

 	// ipv4ForwardingPath is the path to the file containing the IP forwarding setting.
-	ipv4ForwardingPath = "/proc/sys/net/ipv4/ip_forward"
+	ipv4ForwardingPath = "net.ipv4.ip_forward"
+
+	rpFilterPath          = "net.ipv4.conf.all.rp_filter"
+	rpFilterInterfacePath = "net.ipv4.conf.%s.rp_filter"
+	srcValidMarkPath      = "net.ipv4.conf.all.src_valid_mark"
 )

 var ErrTableIDExists = errors.New("ID exists with different name")

 var routeManager = &RouteManager{}
-var isLegacy = os.Getenv("NB_USE_LEGACY_ROUTING") == "true"
+
+// originalSysctl stores the original sysctl values before they are modified
+var originalSysctl map[string]int
+
+// determines whether to use the legacy routing setup
+var isLegacy = os.Getenv("NB_USE_LEGACY_ROUTING") == "true" || nbnet.CustomRoutingDisabled()
+
+// sysctlFailed is used as an indicator to emit a warning when default routes are configured
+var sysctlFailed bool

 type ruleParams struct {
+	priority       int
 	fwmark         int
 	tableID        int
 	family         int
-	priority       int
 	invert         bool
 	suppressPrefix int
 	description    string
@@ -52,10 +64,10 @@ type ruleParams struct {

 func getSetupRules() []ruleParams {
 	return []ruleParams{
-		{nbnet.NetbirdFwmark, NetbirdVPNTableID, netlink.FAMILY_V4, -1, true, -1, "rule v4 netbird"},
-		{nbnet.NetbirdFwmark, NetbirdVPNTableID, netlink.FAMILY_V6, -1, true, -1, "rule v6 netbird"},
-		{-1, syscall.RT_TABLE_MAIN, netlink.FAMILY_V4, -1, false, 0, "rule with suppress prefixlen v4"},
-		{-1, syscall.RT_TABLE_MAIN, netlink.FAMILY_V6, -1, false, 0, "rule with suppress prefixlen v6"},
+		{100, -1, syscall.RT_TABLE_MAIN, netlink.FAMILY_V4, false, 0, "rule with suppress prefixlen v4"},
+		{100, -1, syscall.RT_TABLE_MAIN, netlink.FAMILY_V6, false, 0, "rule with suppress prefixlen v6"},
+		{110, nbnet.NetbirdFwmark, NetbirdVPNTableID, netlink.FAMILY_V4, true, -1, "rule v4 netbird"},
+		{110, nbnet.NetbirdFwmark, NetbirdVPNTableID, netlink.FAMILY_V6, true, -1, "rule v6 netbird"},
 	}
 }

@@ -69,8 +81,6 @@ func getSetupRules() []ruleParams {
 // Rule 2 (VPN Traffic Routing): Directs all remaining traffic to the 'NetbirdVPNTableID' custom routing table.
 // This table is where a default route or other specific routes received from the management server are configured,
 // enabling VPN connectivity.
-//
-// The rules are inserted in reverse order, as rules are added from the bottom up in the rule list.
 func setupRouting(initAddresses []net.IP, wgIface *iface.WGIface) (_ peer.BeforeAddPeerHookFunc, _ peer.AfterRemovePeerHookFunc, err error) {
 	if isLegacy {
 		log.Infof("Using legacy routing setup")
@@ -81,6 +91,13 @@ func setupRouting(initAddresses []net.IP, wgIface *iface.WGIface) (_ peer.Before
 		log.Errorf("Error adding routing table name: %v", err)
 	}

+	originalValues, err := setupSysctl(wgIface)
+	if err != nil {
+		log.Errorf("Error setting up sysctl: %v", err)
+		sysctlFailed = true
+	}
+	originalSysctl = originalValues
+
 	defer func() {
 		if err != nil {
 			if cleanErr := cleanupRouting(); cleanErr != nil {
@@ -123,11 +140,17 @@ func cleanupRouting() error {

 	rules := getSetupRules()
 	for _, rule := range rules {
-		if err := removeAllRules(rule); err != nil && !errors.Is(err, syscall.EOPNOTSUPP) {
+		if err := removeRule(rule); err != nil {
 			result = multierror.Append(result, fmt.Errorf("%s: %w", rule.description, err))
 		}
 	}

+	if err := cleanupSysctl(originalSysctl); err != nil {
+		result = multierror.Append(result, fmt.Errorf("cleanup sysctl: %w", err))
+	}
+	originalSysctl = nil
+	sysctlFailed = false
+
 	return result.ErrorOrNil()
 }

@@ -144,6 +167,10 @@ func addVPNRoute(prefix netip.Prefix, intf string) error {
 		return genericAddVPNRoute(prefix, intf)
 	}

+	if sysctlFailed && (prefix == defaultv4 || prefix == defaultv6) {
+		log.Warnf("Default route is configured but sysctl operations failed, VPN traffic may not be routed correctly, consider using NB_USE_LEGACY_ROUTING=true or setting net.ipv4.conf.*.rp_filter to 2 (loose) or 0 (off)")
+	}
+
 	// No need to check if routes exist as main table takes precedence over the VPN table via Rule 1

 	// TODO remove this once we have ipv6 support
@@ -336,22 +363,8 @@ func flushRoutes(tableID, family int) error {
 }

 func enableIPForwarding() error {
-	bytes, err := os.ReadFile(ipv4ForwardingPath)
-	if err != nil {
-		return fmt.Errorf("read file %s: %w", ipv4ForwardingPath, err)
-	}
-
-	// check if it is already enabled
-	// see more: https://github.com/netbirdio/netbird/issues/872
-	if len(bytes) > 0 && bytes[0] == 49 {
-		return nil
-	}
-
-	//nolint:gosec
-	if err := os.WriteFile(ipv4ForwardingPath, []byte("1"), 0644); err != nil {
-		return fmt.Errorf("write file %s: %w", ipv4ForwardingPath, err)
-	}
-	return nil
+	_, err := setSysctl(ipv4ForwardingPath, 1, false)
+	return err
 }

 // entryExists checks if the specified ID or name already exists in the rt_tables file
@@ -429,7 +442,7 @@ func addRule(params ruleParams) error {
 	rule.Invert = params.invert
 	rule.SuppressPrefixlen = params.suppressPrefix

-	if err := netlink.RuleAdd(rule); err != nil && !errors.Is(err, syscall.EAFNOSUPPORT) {
+	if err := netlink.RuleAdd(rule); err != nil && !errors.Is(err, syscall.EEXIST) && !errors.Is(err, syscall.EAFNOSUPPORT) {
 		return fmt.Errorf("add routing rule: %w", err)
 	}

@@ -446,47 +459,20 @@ func removeRule(params ruleParams) error {
 	rule.Priority = params.priority
 	rule.SuppressPrefixlen = params.suppressPrefix

-	if err := netlink.RuleDel(rule); err != nil {
+	if err := netlink.RuleDel(rule); err != nil && !errors.Is(err, syscall.ENOENT) && !errors.Is(err, syscall.EAFNOSUPPORT) {
 		return fmt.Errorf("remove routing rule: %w", err)
 	}

 	return nil
 }

-func removeAllRules(params ruleParams) error {
-	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
-	defer cancel()
-
-	done := make(chan error, 1)
-	go func() {
-		for {
-			if ctx.Err() != nil {
-				done <- ctx.Err()
-				return
-			}
-			if err := removeRule(params); err != nil {
-				if errors.Is(err, syscall.ENOENT) || errors.Is(err, syscall.EAFNOSUPPORT) {
-					done <- nil
-					return
-				}
-				done <- err
-				return
-			}
-		}
-	}()
-
-	select {
-	case <-ctx.Done():
-		return ctx.Err()
-	case err := <-done:
-		return err
-	}
-}
-
 // addNextHop adds the gateway and device to the route.
 func addNextHop(addr netip.Addr, intf string, route *netlink.Route) error {
 	if addr.IsValid() {
 		route.Gw = addr.AsSlice()
+		if intf == "" {
+			intf = addr.Zone()
+		}
 	}

 	if intf != "" {
@@ -506,3 +492,83 @@ func getAddressFamily(prefix netip.Prefix) int {
 	}
 	return netlink.FAMILY_V6
 }
+
+// setupSysctl configures sysctl settings for RP filtering and source validation.
+func setupSysctl(wgIface *iface.WGIface) (map[string]int, error) {
+	keys := map[string]int{}
+	var result *multierror.Error
+
+	oldVal, err := setSysctl(srcValidMarkPath, 1, false)
+	if err != nil {
+		result = multierror.Append(result, err)
+	} else {
+		keys[srcValidMarkPath] = oldVal
+	}
+
+	oldVal, err = setSysctl(rpFilterPath, 2, true)
+	if err != nil {
+		result = multierror.Append(result, err)
+	} else {
+		keys[rpFilterPath] = oldVal
+	}
+
+	interfaces, err := net.Interfaces()
+	if err != nil {
+		result = multierror.Append(result, fmt.Errorf("list interfaces: %w", err))
+	}
+
+	for _, intf := range interfaces {
+		if intf.Name == "lo" || wgIface != nil && intf.Name == wgIface.Name() {
+			continue
+		}
+
+		i := fmt.Sprintf(rpFilterInterfacePath, intf.Name)
+		oldVal, err := setSysctl(i, 2, true)
+		if err != nil {
+			result = multierror.Append(result, err)
+		} else {
+			keys[i] = oldVal
+		}
+	}
+
+	return keys, result.ErrorOrNil()
+}
+
+// setSysctl sets a sysctl configuration, if onlyIfOne is true it will only set the new value if it's set to 1
+func setSysctl(key string, desiredValue int, onlyIfOne bool) (int, error) {
+	path := fmt.Sprintf("/proc/sys/%s", strings.ReplaceAll(key, ".", "/"))
+	currentValue, err := os.ReadFile(path)
+	if err != nil {
+		return -1, fmt.Errorf("read sysctl %s: %w", key, err)
+	}
+
+	currentV, err := strconv.Atoi(strings.TrimSpace(string(currentValue)))
+	if err != nil && len(currentValue) > 0 {
+		return -1, fmt.Errorf("convert current desiredValue to int: %w", err)
+	}
+
+	if currentV == desiredValue || onlyIfOne && currentV != 1 {
+		return currentV, nil
+	}
+
+	//nolint:gosec
+	if err := os.WriteFile(path, []byte(strconv.Itoa(desiredValue)), 0644); err != nil {
+		return currentV, fmt.Errorf("write sysctl %s: %w", key, err)
+	}
+	log.Debugf("Set sysctl %s from %d to %d", key, currentV, desiredValue)
+
+	return currentV, nil
+}
+
+func cleanupSysctl(originalSettings map[string]int) error {
+	var result *multierror.Error
+
+	for key, value := range originalSettings {
+		_, err := setSysctl(key, value, false)
+		if err != nil {
+			result = multierror.Append(result, err)
+		}
+	}
+
+	return result.ErrorOrNil()
+}
--- a/client/internal/routemanager/systemops_test.go
+++ b/client/internal/routemanager/systemops_test.go
@@ -61,7 +61,7 @@ func TestAddRemoveRoutes(t *testing.T) {

 			err = wgInterface.Create()
 			require.NoError(t, err, "should create testing wireguard interface")
-			_, _, err = setupRouting(nil, nil)
+			_, _, err = setupRouting(nil, wgInterface)
 			require.NoError(t, err)
 			t.Cleanup(func() {
 				assert.NoError(t, cleanupRouting())
--- a/client/internal/routemanager/systemops_windows.go
+++ b/client/internal/routemanager/systemops_windows.go
@@ -63,7 +63,7 @@ func getRoutesFromTable() ([]netip.Prefix, error) {
 	return prefixList, nil
 }

-func addRoutePowershell(prefix netip.Prefix, nexthop netip.Addr, intf string) error {
+func addRoutePowershell(prefix netip.Prefix, nexthop netip.Addr, intf, intfIdx string) error {
 	destinationPrefix := prefix.String()
 	psCmd := "New-NetRoute"

@@ -73,10 +73,20 @@ func addRoutePowershell(prefix netip.Prefix, nexthop netip.Addr, intf string) er
 	}

 	script := fmt.Sprintf(
-		`%s -AddressFamily "%s" -DestinationPrefix "%s" -InterfaceAlias "%s" -Confirm:$False -ErrorAction Stop`,
-		psCmd, addressFamily, destinationPrefix, intf,
+		`%s -AddressFamily "%s" -DestinationPrefix "%s" -Confirm:$False -ErrorAction Stop -PolicyStore ActiveStore`,
+		psCmd, addressFamily, destinationPrefix,
 	)

+	if intfIdx != "" {
+		script = fmt.Sprintf(
+			`%s -InterfaceIndex %s`, script, intfIdx,
+		)
+	} else {
+		script = fmt.Sprintf(
+			`%s -InterfaceAlias "%s"`, script, intf,
+		)
+	}
+
 	if nexthop.IsValid() {
 		script = fmt.Sprintf(
 			`%s -NextHop "%s"`, script, nexthop,
@@ -84,7 +94,7 @@ func addRoutePowershell(prefix netip.Prefix, nexthop netip.Addr, intf string) er
 	}

 	out, err := exec.Command("powershell", "-Command", script).CombinedOutput()
-	log.Tracef("PowerShell add route: %s", string(out))
+	log.Tracef("PowerShell %s: %s", script, string(out))

 	if err != nil {
 		return fmt.Errorf("PowerShell add route: %w", err)
@@ -98,7 +108,7 @@ func addRouteCmd(prefix netip.Prefix, nexthop netip.Addr, _ string) error {

 	out, err := exec.Command("route", args...).CombinedOutput()

-	log.Tracef("route %s output: %s", strings.Join(args, " "), out)
+	log.Tracef("route %s: %s", strings.Join(args, " "), out)
 	if err != nil {
 		return fmt.Errorf("route add: %w", err)
 	}
@@ -107,9 +117,15 @@ func addRouteCmd(prefix netip.Prefix, nexthop netip.Addr, _ string) error {
 }

 func addToRouteTable(prefix netip.Prefix, nexthop netip.Addr, intf string) error {
+	var intfIdx string
+	if nexthop.Zone() != "" {
+		intfIdx = nexthop.Zone()
+		nexthop.WithZone("")
+	}
+
 	// Powershell doesn't support adding routes without an interface but allows to add interface by name
-	if intf != "" {
-		return addRoutePowershell(prefix, nexthop, intf)
+	if intf != "" || intfIdx != "" {
+		return addRoutePowershell(prefix, nexthop, intf, intfIdx)
 	}
 	return addRouteCmd(prefix, nexthop, intf)
 }
@@ -117,11 +133,12 @@ func addToRouteTable(prefix netip.Prefix, nexthop netip.Addr, intf string) error
 func removeFromRouteTable(prefix netip.Prefix, nexthop netip.Addr, _ string) error {
 	args := []string{"delete", prefix.String()}
 	if nexthop.IsValid() {
+		nexthop.WithZone("")
 		args = append(args, nexthop.Unmap().String())
 	}

 	out, err := exec.Command("route", args...).CombinedOutput()
-	log.Tracef("route %s output: %s", strings.Join(args, " "), out)
+	log.Tracef("route %s: %s", strings.Join(args, " "), out)

 	if err != nil {
 		return fmt.Errorf("remove route: %w", err)
--- a/client/internal/wgproxy/proxy_ebpf.go
+++ b/client/internal/wgproxy/proxy_ebpf.go
@@ -230,7 +230,7 @@ func (p *WGEBPFProxy) prepareSenderRawSocket() (net.PacketConn, error) {
 	}

 	// Set the fwmark on the socket.
-	err = syscall.SetsockoptInt(fd, syscall.SOL_SOCKET, syscall.SO_MARK, nbnet.NetbirdFwmark)
+	err = nbnet.SetSocketOpt(fd)
 	if err != nil {
 		return nil, fmt.Errorf("setting fwmark failed: %w", err)
 	}
--- a/client/server/server.go
+++ b/client/server/server.go
@@ -718,7 +718,7 @@ func toProtoFullStatus(fullStatus peer.FullStatus) *proto.FullStatus {
 			BytesRx:                    peerState.BytesRx,
 			BytesTx:                    peerState.BytesTx,
 			RosenpassEnabled:           peerState.RosenpassEnabled,
-			Routes:                     maps.Keys(peerState.Routes),
+			Routes:                     maps.Keys(peerState.GetRoutes()),
 			Latency:                    durationpb.New(peerState.Latency),
 		}
 		pbFullStatus.Peers = append(pbFullStatus.Peers, pbPeerState)
--- a/client/system/detect_cloud/detect.go
+++ b/client/system/detect_cloud/detect.go
@@ -25,8 +25,6 @@ func Detect(ctx context.Context) string {
 		detectDigitalOcean,
 		detectGCP,
 		detectOracle,
-		detectIBMCloud,
-		detectSoftlayer,
 		detectVultr,
 	}

--- a/client/system/detect_cloud/gcp.go
+++ b/client/system/detect_cloud/gcp.go
@@ -6,7 +6,7 @@ import (
 )

 func detectGCP(ctx context.Context) string {
-	req, err := http.NewRequestWithContext(ctx, "GET", "http://metadata.google.internal", nil)
+	req, err := http.NewRequestWithContext(ctx, "GET", "http://169.254.169.254", nil)
 	if err != nil {
 		return ""
 	}
--- a/client/system/detect_cloud/ibmcloud.go
+++ b/client/system/detect_cloud/ibmcloud.go
@@ -1,54 +0,0 @@
-package detect_cloud
-
-import (
-	"context"
-	"net/http"
-)
-
-func detectIBMCloud(ctx context.Context) string {
-	v1ResultChan := make(chan bool, 1)
-	v2ResultChan := make(chan bool, 1)
-
-	go func() {
-		v1ResultChan <- detectIBMSecure(ctx)
-	}()
-
-	go func() {
-		v2ResultChan <- detectIBM(ctx)
-	}()
-
-	v1Result, v2Result := <-v1ResultChan, <-v2ResultChan
-
-	if v1Result || v2Result {
-		return "IBM Cloud"
-	}
-	return ""
-}
-
-func detectIBMSecure(ctx context.Context) bool {
-	req, err := http.NewRequestWithContext(ctx, "PUT", "https://api.metadata.cloud.ibm.com/instance_identity/v1/token", nil)
-	if err != nil {
-		return false
-	}
-
-	resp, err := hc.Do(req)
-	if err != nil {
-		return false
-	}
-	defer resp.Body.Close()
-	return resp.StatusCode == http.StatusOK
-}
-
-func detectIBM(ctx context.Context) bool {
-	req, err := http.NewRequestWithContext(ctx, "PUT", "http://api.metadata.cloud.ibm.com/instance_identity/v1/token", nil)
-	if err != nil {
-		return false
-	}
-
-	resp, err := hc.Do(req)
-	if err != nil {
-		return false
-	}
-	defer resp.Body.Close()
-	return resp.StatusCode == http.StatusOK
-}
--- a/client/system/detect_cloud/softlayer.go
+++ b/client/system/detect_cloud/softlayer.go
@@ -1,25 +0,0 @@
-package detect_cloud
-
-import (
-	"context"
-	"net/http"
-)
-
-func detectSoftlayer(ctx context.Context) string {
-	req, err := http.NewRequestWithContext(ctx, "GET", "https://api.service.softlayer.com/rest/v3/SoftLayer_Resource_Metadata/UserMetadata.txt", nil)
-	if err != nil {
-		return ""
-	}
-
-	resp, err := hc.Do(req)
-	if err != nil {
-		return ""
-	}
-	defer resp.Body.Close()
-
-	if resp.StatusCode == http.StatusOK {
-		// Since SoftLayer was acquired by IBM, we should return "IBM Cloud"
-		return "IBM Cloud"
-	}
-	return ""
-}
--- a/go.mod
+++ b/go.mod
@@ -60,7 +60,7 @@ require (
 	github.com/miekg/dns v1.1.43
 	github.com/mitchellh/hashstructure/v2 v2.0.2
 	github.com/nadoo/ipset v0.5.0
-	github.com/netbirdio/management-integrations/integrations v0.0.0-20240326083846-3682438fca98
+	github.com/netbirdio/management-integrations/integrations v0.0.0-20240415094251-369eb33c9b01
 	github.com/okta/okta-sdk-golang/v2 v2.18.0
 	github.com/oschwald/maxminddb-golang v1.12.0
 	github.com/patrickmn/go-cache v2.1.0+incompatible
--- a/go.sum
+++ b/go.sum
@@ -383,8 +383,8 @@ github.com/nadoo/ipset v0.5.0 h1:5GJUAuZ7ITQQQGne5J96AmFjRtI8Avlbk6CabzYWVUc=
 github.com/nadoo/ipset v0.5.0/go.mod h1:rYF5DQLRGGoQ8ZSWeK+6eX5amAuPqwFkWjhQlEITGJQ=
 github.com/netbirdio/ice/v3 v3.0.0-20240315174635-e72a50fcb64e h1:PURA50S8u4mF6RrkYYCAvvPCixhqqEiEy3Ej6avh04c=
 github.com/netbirdio/ice/v3 v3.0.0-20240315174635-e72a50fcb64e/go.mod h1:YMLU7qbKfVjmEv7EoZPIVEI+kNYxWCdPK3VS0BU+U4Q=
-github.com/netbirdio/management-integrations/integrations v0.0.0-20240326083846-3682438fca98 h1:i6AtenTLu/CqhTmj0g1K/GWkkpMJMhQM6Vjs46x25nA=
-github.com/netbirdio/management-integrations/integrations v0.0.0-20240326083846-3682438fca98/go.mod h1:kxks50DrZnhW+oRTdHOkVOJbcTcyo766am8RBugo+Yc=
+github.com/netbirdio/management-integrations/integrations v0.0.0-20240415094251-369eb33c9b01 h1:Fu9fq0ndfKVuFTEwbc8Etqui10BOkcMTv0UqcMy0RuY=
+github.com/netbirdio/management-integrations/integrations v0.0.0-20240415094251-369eb33c9b01/go.mod h1:kxks50DrZnhW+oRTdHOkVOJbcTcyo766am8RBugo+Yc=
 github.com/netbirdio/service v0.0.0-20230215170314-b923b89432b0 h1:hirFRfx3grVA/9eEyjME5/z3nxdJlN9kfQpvWWPk32g=
 github.com/netbirdio/service v0.0.0-20230215170314-b923b89432b0/go.mod h1:CIMRFEJVL+0DS1a3Nx06NaMn4Dz63Ng6O7dl0qH0zVM=
 github.com/netbirdio/systray v0.0.0-20231030152038-ef1ed2a27949 h1:xbWM9BU6mwZZLHxEjxIX/V8Hv3HurQt4mReIE4mY4DM=
--- a/iface/wg_configurer_kernel.go
+++ b/iface/wg_configurer_kernel.go
@@ -10,8 +10,6 @@ import (
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
-
-	nbnet "github.com/netbirdio/netbird/util/net"
 )

 type wgKernelConfigurer struct {
@@ -31,7 +29,7 @@ func (c *wgKernelConfigurer) configureInterface(privateKey string, port int) err
 	if err != nil {
 		return err
 	}
-	fwmark := nbnet.NetbirdFwmark
+	fwmark := getFwmark()
 	config := wgtypes.Config{
 		PrivateKey:   &key,
 		ReplacePeers: true,
--- a/iface/wg_configurer_usp.go
+++ b/iface/wg_configurer_usp.go
@@ -349,7 +349,7 @@ func toWgUserspaceString(wgCfg wgtypes.Config) string {
 }

 func getFwmark() int {
-	if runtime.GOOS == "linux" {
+	if runtime.GOOS == "linux" && !nbnet.CustomRoutingDisabled() {
 		return nbnet.NetbirdFwmark
 	}
 	return 0
--- a/infrastructure_files/docker-compose.yml.tmpl
+++ b/infrastructure_files/docker-compose.yml.tmpl
@@ -58,6 +58,7 @@ services:
    command: [
      "--port", "443",
      "--log-file", "console",
+      "--log-level", "info",
      "--disable-anonymous-metrics=$NETBIRD_DISABLE_ANONYMOUS_METRICS",
      "--single-account-mode-domain=$NETBIRD_MGMT_SINGLE_ACCOUNT_MODE_DOMAIN",
      "--dns-domain=$NETBIRD_MGMT_DNS_DOMAIN"
--- a/management/cmd/management.go
+++ b/management/cmd/management.go
@@ -251,7 +251,7 @@ var (

 			ctx, cancel := context.WithCancel(cmd.Context())
 			defer cancel()
-			httpAPIHandler, err := httpapi.APIHandler(ctx, accountManager, geo, *jwtValidator, appMetrics, httpAPIAuthCfg)
+			httpAPIHandler, err := httpapi.APIHandler(ctx, accountManager, geo, *jwtValidator, appMetrics, httpAPIAuthCfg, integratedPeerValidator)
 			if err != nil {
 				return fmt.Errorf("failed creating HTTP API handler: %v", err)
 			}
--- a/management/server/account.go
+++ b/management/server/account.go
@@ -242,19 +242,19 @@ type UserPermissions struct {
 }

 type UserInfo struct {
-	ID                   string               `json:"id"`
-	Email                string               `json:"email"`
-	Name                 string               `json:"name"`
-	Role                 string               `json:"role"`
-	AutoGroups           []string             `json:"auto_groups"`
-	Status               string               `json:"-"`
-	IsServiceUser        bool                 `json:"is_service_user"`
-	IsBlocked            bool                 `json:"is_blocked"`
-	NonDeletable         bool                 `json:"non_deletable"`
-	LastLogin            time.Time            `json:"last_login"`
-	Issued               string               `json:"issued"`
+	ID                   string                                     `json:"id"`
+	Email                string                                     `json:"email"`
+	Name                 string                                     `json:"name"`
+	Role                 string                                     `json:"role"`
+	AutoGroups           []string                                   `json:"auto_groups"`
+	Status               string                                     `json:"-"`
+	IsServiceUser        bool                                       `json:"is_service_user"`
+	IsBlocked            bool                                       `json:"is_blocked"`
+	NonDeletable         bool                                       `json:"non_deletable"`
+	LastLogin            time.Time                                  `json:"last_login"`
+	Issued               string                                     `json:"issued"`
 	IntegrationReference integration_reference.IntegrationReference `json:"-"`
-	Permissions          UserPermissions      `json:"permissions"`
+	Permissions          UserPermissions                            `json:"permissions"`
 }

 // getRoutesToSync returns the enabled routes for the peer ID and the routes
@@ -278,7 +278,7 @@ func (a *Account) getRoutesToSync(peerID string, aclPeers []*nbpeer.Peer) []*rou
 	return routes
 }

-// filterRoutesByHAMembership filters and returns a list of routes that don't share the same HA route membership
+// filterRoutesFromPeersOfSameHAGroup filters and returns a list of routes that don't share the same HA route membership
 func (a *Account) filterRoutesFromPeersOfSameHAGroup(routes []*route.Route, peerMemberships lookupMap) []*route.Route {
 	var filteredRoutes []*route.Route
 	for _, r := range routes {
@@ -1120,7 +1120,7 @@ func (am *DefaultAccountManager) DeleteAccount(accountID, userID string) error {
 		return status.Errorf(status.PermissionDenied, "user is not allowed to delete account")
 	}

-	if user.Id != account.CreatedBy {
+	if user.Role != UserRoleOwner {
 		return status.Errorf(status.PermissionDenied, "user is not allowed to delete account. Only account owner can delete account")
 	}
 	for _, otherUser := range account.Users {
@@ -1849,6 +1849,7 @@ func (am *DefaultAccountManager) CheckUserAccessByJWTGroups(claims jwtclaims.Aut
 }

 func (am *DefaultAccountManager) onPeersInvalidated(accountID string) {
+	log.Debugf("validated peers has been invalidated for account %s", accountID)
 	updatedAccount, err := am.Store.GetAccount(accountID)
 	if err != nil {
 		log.Errorf("failed to get account %s: %v", accountID, err)
--- a/management/server/activity/codes.go
+++ b/management/server/activity/codes.go
@@ -11,133 +11,134 @@ type Code struct {
 	Code    string
 }

+// Existing consts must not be changed, as this will break the compatibility with the existing data
 const (
 	// PeerAddedByUser indicates that a user added a new peer to the system
-	PeerAddedByUser Activity = iota
+	PeerAddedByUser Activity = 0
 	// PeerAddedWithSetupKey indicates that a new peer joined the system using a setup key
-	PeerAddedWithSetupKey
+	PeerAddedWithSetupKey Activity = 1
 	// UserJoined indicates that a new user joined the account
-	UserJoined
+	UserJoined Activity = 2
 	// UserInvited indicates that a new user was invited to join the account
-	UserInvited
+	UserInvited Activity = 3
 	// AccountCreated indicates that a new account has been created
-	AccountCreated
+	AccountCreated Activity = 4
 	// PeerRemovedByUser indicates that a user removed a peer from the system
-	PeerRemovedByUser
+	PeerRemovedByUser Activity = 5
 	// RuleAdded indicates that a user added a new rule
-	RuleAdded
+	RuleAdded Activity = 6
 	// RuleUpdated indicates that a user updated a rule
-	RuleUpdated
+	RuleUpdated Activity = 7
 	// RuleRemoved indicates that a user removed a rule
-	RuleRemoved
+	RuleRemoved Activity = 8
 	// PolicyAdded indicates that a user added a new policy
-	PolicyAdded
+	PolicyAdded Activity = 9
 	// PolicyUpdated indicates that a user updated a policy
-	PolicyUpdated
+	PolicyUpdated Activity = 10
 	// PolicyRemoved indicates that a user removed a policy
-	PolicyRemoved
+	PolicyRemoved Activity = 11
 	// SetupKeyCreated indicates that a user created a new setup key
-	SetupKeyCreated
+	SetupKeyCreated Activity = 12
 	// SetupKeyUpdated indicates that a user updated a setup key
-	SetupKeyUpdated
+	SetupKeyUpdated Activity = 13
 	// SetupKeyRevoked indicates that a user revoked a setup key
-	SetupKeyRevoked
+	SetupKeyRevoked Activity = 14
 	// SetupKeyOverused indicates that setup key usage exhausted
-	SetupKeyOverused
+	SetupKeyOverused Activity = 15
 	// GroupCreated indicates that a user created a group
-	GroupCreated
+	GroupCreated Activity = 16
 	// GroupUpdated indicates that a user updated a group
-	GroupUpdated
+	GroupUpdated Activity = 17
 	// GroupAddedToPeer indicates that a user added group to a peer
-	GroupAddedToPeer
+	GroupAddedToPeer Activity = 18
 	// GroupRemovedFromPeer indicates that a user removed peer group
-	GroupRemovedFromPeer
+	GroupRemovedFromPeer Activity = 19
 	// GroupAddedToUser indicates that a user added group to a user
-	GroupAddedToUser
+	GroupAddedToUser Activity = 20
 	// GroupRemovedFromUser indicates that a user removed a group from a user
-	GroupRemovedFromUser
+	GroupRemovedFromUser Activity = 21
 	// UserRoleUpdated indicates that a user changed the role of a user
-	UserRoleUpdated
+	UserRoleUpdated Activity = 22
 	// GroupAddedToSetupKey indicates that a user added group to a setup key
-	GroupAddedToSetupKey
+	GroupAddedToSetupKey Activity = 23
 	// GroupRemovedFromSetupKey indicates that a user removed a group from a setup key
-	GroupRemovedFromSetupKey
+	GroupRemovedFromSetupKey Activity = 24
 	// GroupAddedToDisabledManagementGroups indicates that a user added a group to the DNS setting Disabled management groups
-	GroupAddedToDisabledManagementGroups
+	GroupAddedToDisabledManagementGroups Activity = 25
 	// GroupRemovedFromDisabledManagementGroups indicates that a user removed a group from the DNS setting Disabled management groups
-	GroupRemovedFromDisabledManagementGroups
+	GroupRemovedFromDisabledManagementGroups Activity = 26
 	// RouteCreated indicates that a user created a route
-	RouteCreated
+	RouteCreated Activity = 27
 	// RouteRemoved indicates that a user deleted a route
-	RouteRemoved
+	RouteRemoved Activity = 28
 	// RouteUpdated indicates that a user updated a route
-	RouteUpdated
+	RouteUpdated Activity = 29
 	// PeerSSHEnabled indicates that a user enabled SSH server on a peer
-	PeerSSHEnabled
+	PeerSSHEnabled Activity = 30
 	// PeerSSHDisabled indicates that a user disabled SSH server on a peer
-	PeerSSHDisabled
+	PeerSSHDisabled Activity = 31
 	// PeerRenamed indicates that a user renamed a peer
-	PeerRenamed
+	PeerRenamed Activity = 32
 	// PeerLoginExpirationEnabled indicates that a user enabled login expiration of a peer
-	PeerLoginExpirationEnabled
+	PeerLoginExpirationEnabled Activity = 33
 	// PeerLoginExpirationDisabled indicates that a user disabled login expiration of a peer
-	PeerLoginExpirationDisabled
+	PeerLoginExpirationDisabled Activity = 34
 	// NameserverGroupCreated indicates that a user created a nameservers group
-	NameserverGroupCreated
+	NameserverGroupCreated Activity = 35
 	// NameserverGroupDeleted indicates that a user deleted a nameservers group
-	NameserverGroupDeleted
+	NameserverGroupDeleted Activity = 36
 	// NameserverGroupUpdated indicates that a user updated a nameservers group
-	NameserverGroupUpdated
+	NameserverGroupUpdated Activity = 37
 	// AccountPeerLoginExpirationEnabled indicates that a user enabled peer login expiration for the account
-	AccountPeerLoginExpirationEnabled
+	AccountPeerLoginExpirationEnabled Activity = 38
 	// AccountPeerLoginExpirationDisabled indicates that a user disabled peer login expiration for the account
-	AccountPeerLoginExpirationDisabled
+	AccountPeerLoginExpirationDisabled Activity = 39
 	// AccountPeerLoginExpirationDurationUpdated indicates that a user updated peer login expiration duration for the account
-	AccountPeerLoginExpirationDurationUpdated
+	AccountPeerLoginExpirationDurationUpdated Activity = 40
 	// PersonalAccessTokenCreated indicates that a user created a personal access token
-	PersonalAccessTokenCreated
+	PersonalAccessTokenCreated Activity = 41
 	// PersonalAccessTokenDeleted indicates that a user deleted a personal access token
-	PersonalAccessTokenDeleted
+	PersonalAccessTokenDeleted Activity = 42
 	// ServiceUserCreated indicates that a user created a service user
-	ServiceUserCreated
+	ServiceUserCreated Activity = 43
 	// ServiceUserDeleted indicates that a user deleted a service user
-	ServiceUserDeleted
+	ServiceUserDeleted Activity = 44
 	// UserBlocked indicates that a user blocked another user
-	UserBlocked
+	UserBlocked Activity = 45
 	// UserUnblocked indicates that a user unblocked another user
-	UserUnblocked
+	UserUnblocked Activity = 46
 	// UserDeleted indicates that a user deleted another user
-	UserDeleted
+	UserDeleted Activity = 47
 	// GroupDeleted indicates that a user deleted group
-	GroupDeleted
+	GroupDeleted Activity = 48
 	// UserLoggedInPeer indicates that user logged in their peer with an interactive SSO login
-	UserLoggedInPeer
+	UserLoggedInPeer Activity = 49
 	// PeerLoginExpired indicates that the user peer login has been expired and peer disconnected
-	PeerLoginExpired
+	PeerLoginExpired Activity = 50
 	// DashboardLogin indicates that the user logged in to the dashboard
-	DashboardLogin
+	DashboardLogin Activity = 51
 	// IntegrationCreated indicates that the user created an integration
-	IntegrationCreated
+	IntegrationCreated Activity = 52
 	// IntegrationUpdated indicates that the user updated an integration
-	IntegrationUpdated
+	IntegrationUpdated Activity = 53
 	// IntegrationDeleted indicates that the user deleted an integration
-	IntegrationDeleted
+	IntegrationDeleted Activity = 54
 	// AccountPeerApprovalEnabled indicates that the user enabled peer approval for the account
-	AccountPeerApprovalEnabled
+	AccountPeerApprovalEnabled Activity = 55
 	// AccountPeerApprovalDisabled indicates that the user disabled peer approval for the account
-	AccountPeerApprovalDisabled
+	AccountPeerApprovalDisabled Activity = 56
 	// PeerApproved indicates that the peer has been approved
-	PeerApproved
+	PeerApproved Activity = 57
 	// PeerApprovalRevoked indicates that the peer approval has been revoked
-	PeerApprovalRevoked
+	PeerApprovalRevoked Activity = 58
 	// TransferredOwnerRole indicates that the user transferred the owner role of the account
-	TransferredOwnerRole
+	TransferredOwnerRole Activity = 59
 	// PostureCheckCreated indicates that the user created a posture check
-	PostureCheckCreated
+	PostureCheckCreated Activity = 60
 	// PostureCheckUpdated indicates that the user updated a posture check
-	PostureCheckUpdated
+	PostureCheckUpdated Activity = 61
 	// PostureCheckDeleted indicates that the user deleted a posture check
-	PostureCheckDeleted
+	PostureCheckDeleted Activity = 62
 )

 var activityMap = map[Activity]Code{
--- a/management/server/http/handler.go
+++ b/management/server/http/handler.go
@@ -12,6 +12,7 @@ import (
 	s "github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/geolocation"
 	"github.com/netbirdio/netbird/management/server/http/middleware"
+	"github.com/netbirdio/netbird/management/server/integrated_validator"
 	"github.com/netbirdio/netbird/management/server/jwtclaims"
 	"github.com/netbirdio/netbird/management/server/telemetry"
 )
@@ -38,7 +39,7 @@ type emptyObject struct {
 }

 // APIHandler creates the Management service HTTP API handler registering all the available endpoints.
-func APIHandler(ctx context.Context, accountManager s.AccountManager, LocationManager *geolocation.Geolocation, jwtValidator jwtclaims.JWTValidator, appMetrics telemetry.AppMetrics, authCfg AuthCfg) (http.Handler, error) {
+func APIHandler(ctx context.Context, accountManager s.AccountManager, LocationManager *geolocation.Geolocation, jwtValidator jwtclaims.JWTValidator, appMetrics telemetry.AppMetrics, authCfg AuthCfg, integratedValidator integrated_validator.IntegratedValidator) (http.Handler, error) {
 	claimsExtractor := jwtclaims.NewClaimsExtractor(
 		jwtclaims.WithAudience(authCfg.Audience),
 		jwtclaims.WithUserIDClaim(authCfg.UserIDClaim),
@@ -75,7 +76,7 @@ func APIHandler(ctx context.Context, accountManager s.AccountManager, LocationMa
 		AuthCfg:            authCfg,
 	}

-	if _, err := integrations.RegisterHandlers(ctx, prefix, api.Router, accountManager, claimsExtractor); err != nil {
+	if _, err := integrations.RegisterHandlers(ctx, prefix, api.Router, accountManager, claimsExtractor, integratedValidator); err != nil {
 		return nil, fmt.Errorf("register integrations endpoints: %w", err)
 	}

--- a/management/server/idp/okta.go
+++ b/management/server/idp/okta.go
@@ -273,7 +273,7 @@ func (om *OktaManager) DeleteUser(userID string) error {
 	return nil
 }

-// parseOktaUserToUserData parse okta user to UserData.
+// parseOktaUser parse okta user to UserData.
 func parseOktaUser(user *okta.User) (*UserData, error) {
 	var oktaUser struct {
 		Email     string `json:"email"`
--- a/management/server/mock_server/account_mock.go
+++ b/management/server/mock_server/account_mock.go
@@ -706,7 +706,7 @@ func (am *MockAccountManager) GetIdpManager() idp.Manager {
 	return nil
 }

-// UpdateIntegratedValidatedGroups mocks UpdateIntegratedApprovalGroups of the AccountManager interface
+// UpdateIntegratedValidatorGroups mocks UpdateIntegratedApprovalGroups of the AccountManager interface
 func (am *MockAccountManager) UpdateIntegratedValidatorGroups(accountID string, userID string, groups []string) error {
 	if am.UpdateIntegratedValidatorGroupsFunc != nil {
 		return am.UpdateIntegratedValidatorGroupsFunc(accountID, userID, groups)
--- a/management/server/peer.go
+++ b/management/server/peer.go
@@ -551,8 +551,8 @@ func (am *DefaultAccountManager) SyncPeer(sync PeerSync) (*nbpeer.Peer, *Network
 		return nil, nil, status.Errorf(status.PermissionDenied, "peer login has expired, please log in once more")
 	}

-	requiresApproval, isStatusChanged := am.integratedPeerValidator.IsNotValidPeer(account.Id, peer, account.GetPeerGroupsList(peer.ID), account.Settings.Extra)
-	if requiresApproval {
+	peerNotValid, isStatusChanged := am.integratedPeerValidator.IsNotValidPeer(account.Id, peer, account.GetPeerGroupsList(peer.ID), account.Settings.Extra)
+	if peerNotValid {
 		emptyMap := &NetworkMap{
 			Network: account.Network.Copy(),
 		}
@@ -563,11 +563,11 @@ func (am *DefaultAccountManager) SyncPeer(sync PeerSync) (*nbpeer.Peer, *Network
 		am.updateAccountPeers(account)
 	}

-	approvedPeersMap, err := am.GetValidatedPeers(account)
+	validPeersMap, err := am.GetValidatedPeers(account)
 	if err != nil {
 		return nil, nil, err
 	}
-	return peer, account.GetPeerNetworkMap(peer.ID, am.dnsDomain, approvedPeersMap), nil
+	return peer, account.GetPeerNetworkMap(peer.ID, am.dnsDomain, validPeersMap), nil
 }

 // LoginPeer logs in or registers a peer.
--- a/util/grpc/dialer.go
+++ b/util/grpc/dialer.go
@@ -3,6 +3,8 @@ package grpc
 import (
 	"context"
 	"net"
+	"os/user"
+	"runtime"

 	log "github.com/sirupsen/logrus"
 	"google.golang.org/grpc"
@@ -12,6 +14,20 @@ import (

 func WithCustomDialer() grpc.DialOption {
 	return grpc.WithContextDialer(func(ctx context.Context, addr string) (net.Conn, error) {
+		if runtime.GOOS == "linux" {
+			currentUser, err := user.Current()
+			if err != nil {
+				log.Fatalf("failed to get current user: %v", err)
+			}
+
+			// the custom dialer requires root permissions which are not required for use cases run as non-root
+			if currentUser.Uid != "0" {
+				dialer := &net.Dialer{}
+				return dialer.DialContext(ctx, "tcp", addr)
+			}
+		}
+
+
 		conn, err := nbnet.NewDialer().DialContext(ctx, "tcp", addr)
 		if err != nil {
 			log.Errorf("Failed to dial: %s", err)
--- a/util/net/dialer_generic.go
+++ b/util/net/dialer_generic.go
@@ -49,6 +49,10 @@ func RemoveDialerHooks() {

 // DialContext wraps the net.Dialer's DialContext method to use the custom connection
 func (d *Dialer) DialContext(ctx context.Context, network, address string) (net.Conn, error) {
+	if CustomRoutingDisabled() {
+		return d.Dialer.DialContext(ctx, network, address)
+	}
+
 	var resolver *net.Resolver
 	if d.Resolver != nil {
 		resolver = d.Resolver
@@ -56,7 +60,7 @@ func (d *Dialer) DialContext(ctx context.Context, network, address string) (net.

 	connID := GenerateConnID()
 	if dialerDialHooks != nil {
-		if err := calliDialerHooks(ctx, connID, address, resolver); err != nil {
+		if err := callDialerHooks(ctx, connID, address, resolver); err != nil {
 			log.Errorf("Failed to call dialer hooks: %v", err)
 		}
 	}
@@ -97,7 +101,7 @@ func (c *Conn) Close() error {
 	return err
 }

-func calliDialerHooks(ctx context.Context, connID ConnectionID, address string, resolver *net.Resolver) error {
+func callDialerHooks(ctx context.Context, connID ConnectionID, address string, resolver *net.Resolver) error {
 	host, _, err := net.SplitHostPort(address)
 	if err != nil {
 		return fmt.Errorf("split host and port: %w", err)
@@ -123,6 +127,10 @@ func calliDialerHooks(ctx context.Context, connID ConnectionID, address string,
 }

 func DialUDP(network string, laddr, raddr *net.UDPAddr) (*net.UDPConn, error) {
+	if CustomRoutingDisabled() {
+		return net.DialUDP(network, laddr, raddr)
+	}
+
 	dialer := NewDialer()
 	dialer.LocalAddr = laddr

@@ -143,6 +151,10 @@ func DialUDP(network string, laddr, raddr *net.UDPAddr) (*net.UDPConn, error) {
 }

 func DialTCP(network string, laddr, raddr *net.TCPAddr) (*net.TCPConn, error) {
+	if CustomRoutingDisabled() {
+		return net.DialTCP(network, laddr, raddr)
+	}
+
 	dialer := NewDialer()
 	dialer.LocalAddr = laddr

--- a/util/net/listener_generic.go
+++ b/util/net/listener_generic.go
@@ -8,6 +8,7 @@ import (
 	"net"
 	"sync"

+	"github.com/pion/transport/v3"
 	log "github.com/sirupsen/logrus"
 )

@@ -52,6 +53,10 @@ func RemoveListenerHooks() {
 // ListenPacket listens on the network address and returns a PacketConn
 // which includes support for write hooks.
 func (l *ListenerConfig) ListenPacket(ctx context.Context, network, address string) (net.PacketConn, error) {
+	if CustomRoutingDisabled() {
+		return l.ListenConfig.ListenPacket(ctx, network, address)
+	}
+
 	pc, err := l.ListenConfig.ListenPacket(ctx, network, address)
 	if err != nil {
 		return nil, fmt.Errorf("listen packet: %w", err)
@@ -144,7 +149,11 @@ func closeConn(id ConnectionID, conn net.PacketConn) error {

 // ListenUDP listens on the network address and returns a transport.UDPConn
 // which includes support for write and close hooks.
-func ListenUDP(network string, laddr *net.UDPAddr) (*UDPConn, error) {
+func ListenUDP(network string, laddr *net.UDPAddr) (transport.UDPConn, error) {
+	if CustomRoutingDisabled() {
+		return net.ListenUDP(network, laddr)
+	}
+
 	conn, err := NewListener().ListenPacket(context.Background(), network, laddr.String())
 	if err != nil {
 		return nil, fmt.Errorf("listen UDP: %w", err)
--- a/util/net/net.go
+++ b/util/net/net.go
@@ -1,10 +1,17 @@
 package net

-import "github.com/google/uuid"
+import (
+	"os"
+	"runtime"
+
+	"github.com/google/uuid"
+)

 const (
 	// NetbirdFwmark is the fwmark value used by Netbird via wireguard
 	NetbirdFwmark = 0x1BD00
+
+	envDisableCustomRouting = "NB_DISABLE_CUSTOM_ROUTING"
 )

 // ConnectionID provides a globally unique identifier for network connections.
@@ -15,3 +22,7 @@ type ConnectionID string
 func GenerateConnID() ConnectionID {
 	return ConnectionID(uuid.NewString())
 }
+
+func CustomRoutingDisabled() bool {
+	return os.Getenv(envDisableCustomRouting) == "true" || runtime.GOOS == "ios"
+}
--- a/util/net/net_linux.go
+++ b/util/net/net_linux.go
@@ -21,7 +21,7 @@ func SetRawSocketMark(conn syscall.RawConn) error {
 	var setErr error

 	err := conn.Control(func(fd uintptr) {
-		setErr = syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_MARK, NetbirdFwmark)
+		setErr = SetSocketOpt(int(fd))
 	})
 	if err != nil {
 		return fmt.Errorf("control: %w", err)
@@ -33,3 +33,11 @@ func SetRawSocketMark(conn syscall.RawConn) error {

 	return nil
 }
+
+func SetSocketOpt(fd int) error {
+	if CustomRoutingDisabled() {
+		return nil
+	}
+
+	return syscall.SetsockoptInt(fd, syscall.SOL_SOCKET, syscall.SO_MARK, NetbirdFwmark)
+}
Author	SHA1	Message	Date
Maycon Santos	28a5b3062b	debug ios behavior	2024-04-16 22:58:16 +02:00
Viktor Liu	e3b76448f3	Fix ICE endpoint remote port in status command (#1851 )	2024-04-16 14:01:59 +02:00
Viktor Liu	e0de86d6c9	Use fixed activity codes (#1846 ) * Add duplicate constants check	2024-04-15 14:15:46 +02:00
Zoltan Papp	5204d07811	Pass integrated validator for API (#1814 ) Pass integrated validator for API handler	2024-04-15 12:08:38 +02:00
Viktor Liu	5ea24ba56e	Add sysctl opts to prevent reverse path filtering from dropping fwmark packets (#1839 )	2024-04-12 17:53:07 +02:00
Viktor Liu	d30cf8706a	Allow disabling custom routing (#1840 )	2024-04-12 16:53:11 +02:00
Viktor Liu	15a2feb723	Use fixed preference for rules (#1836 )	2024-04-12 16:07:03 +02:00
Viktor Liu	91b2f9fc51	Use route active store (#1834 )	2024-04-12 15:22:40 +02:00
Carlos Hernandez	76702c8a09	Add safe read/write to route map (#1760 )	2024-04-11 22:12:23 +02:00
Viktor Liu	061f673a4f	Don't use the custom dialer as non-root (#1823 )	2024-04-11 15:29:03 +02:00
Zoltan Papp	9505805313	Rename variable (#1829 )	2024-04-11 14:08:03 +02:00
Maycon Santos	704c67dec8	Allow owners that did not create the account to delete it (#1825 ) Sometimes the Owner role will be passed to new users, and they need to be able to delete the account	2024-04-11 10:02:51 +02:00
pascal-fischer	3ed2f08f3c	Add latency based routing (#1732 ) Now that we have the latency between peers available we can use this data to consider when choosing the best route. This way the route with the routing peer with the lower latency will be preferred over others with the same target network.	2024-04-09 21:20:02 +02:00
Maycon Santos	4c83408f27	Add log-level to the management's docker service command (#1820 )	2024-04-09 21:00:43 +02:00
Viktor Liu	90bd39c740	Log panics (#1818 )	2024-04-09 20:27:27 +02:00
Maycon Santos	dd0cf41147	Auto restart Windows agent daemon service (#1819 ) This enables auto restart of the windows agent daemon service on event of failure	2024-04-09 20:10:59 +02:00
pascal-fischer	22b2caffc6	Remove dns based cloud detection (#1812 ) * remove dns based cloud checks * remove dns based cloud checks	2024-04-09 19:01:31 +02:00
Viktor Liu	c1f66d1354	Retry macOS route command (#1817 )	2024-04-09 15:27:19 +02:00
Viktor Liu	ac0fe6025b	Fix routing issues with MacOS (#1815 ) * Handle zones properly * Use host routes for single IPs * Add GOOS and GOARCH to startup log * Log powershell command	2024-04-09 13:25:14 +02:00
verytrap	c28657710a	Fix function names in comments (#1816 ) Signed-off-by: verytrap <wangqiuyue@outlook.com>	2024-04-09 13:18:38 +02:00
Maycon Santos	3875c29f6b	Revert "Rollback new routing functionality (#1805 )" (#1813 ) This reverts commit `9f32ccd453`.	2024-04-08 18:56:52 +02:00
Viktor Liu	9f32ccd453	Rollback new routing functionality (#1805 )	2024-04-05 20:38:49 +02:00