Rename interface to firewaller

Code cleaning in firewall package
Add forwarding commandline command
2026-03-31 14:44:34 -04:00 · 2025-01-27 10:41:25 +01:00 · 2025-01-25 20:29:06 +01:00 · 2025-01-24 18:42:14 +01:00 · 2025-01-24 17:37:59 +01:00 · 2025-01-24 16:08:00 +01:00
49 changed files with 2728 additions and 1425 deletions
--- a/client/cmd/forwarding_rules.go
+++ b/client/cmd/forwarding_rules.go
@@ -0,0 +1,90 @@
+package cmd
+
+import (
+	"fmt"
+	"sort"
+	"strings"
+
+	"github.com/spf13/cobra"
+	"google.golang.org/grpc/status"
+
+	"github.com/netbirdio/netbird/client/proto"
+)
+
+var forwardingRulesCmd = &cobra.Command{
+	Use:   "forwarding",
+	Short: "List forwarding rules",
+	Long:  `Commands to list forwarding rules.`,
+	RunE:  listForwardingRules,
+}
+
+func listForwardingRules(cmd *cobra.Command, _ []string) error {
+	conn, err := getClient(cmd)
+	if err != nil {
+		return err
+	}
+	defer conn.Close()
+
+	client := proto.NewDaemonServiceClient(conn)
+	resp, err := client.ForwardingRules(cmd.Context(), &proto.EmptyRequest{})
+	if err != nil {
+		return fmt.Errorf("failed to list network: %v", status.Convert(err).Message())
+	}
+
+	if len(resp.GetRules()) == 0 {
+		cmd.Println("No forwarding rules available.")
+		return nil
+	}
+
+	printForwardingRules(cmd, resp.GetRules())
+	return nil
+}
+
+func printForwardingRules(cmd *cobra.Command, rules []*proto.ForwardingRule) {
+	cmd.Println("Available forwarding rules:")
+
+	// Sort rules by translated address
+	sort.Slice(rules, func(i, j int) bool {
+		if rules[i].GetTranslatedAddress() != rules[j].GetTranslatedAddress() {
+			return rules[i].GetTranslatedAddress() < rules[j].GetTranslatedAddress()
+		}
+		if rules[i].GetProtocol() != rules[j].GetProtocol() {
+			return rules[i].GetProtocol() < rules[j].GetProtocol()
+		}
+
+		return getFirstPort(rules[i].GetDestinationPort()) < getFirstPort(rules[j].GetDestinationPort())
+	})
+
+	var lastIP string
+	for _, rule := range rules {
+		dPort := portToString(rule.GetDestinationPort())
+		tPort := portToString(rule.GetTranslatedPort())
+		if lastIP != rule.GetTranslatedAddress() {
+			lastIP = rule.GetTranslatedAddress()
+			cmd.Printf("\nTranslated peer: %s\n", rule.GetTranslatedAddress())
+		}
+		cmd.Printf("  ports (%s): %s to %s\n", strings.ToUpper(rule.GetProtocol()), dPort, tPort)
+	}
+}
+
+func getFirstPort(portInfo *proto.PortInfo) int {
+	switch v := portInfo.PortSelection.(type) {
+	case *proto.PortInfo_Port:
+		return int(v.Port)
+	case *proto.PortInfo_Range_:
+		return int(v.Range.GetStart())
+	default:
+		return 0
+	}
+}
+
+func portToString(translatedPort *proto.PortInfo) string {
+	switch v := translatedPort.PortSelection.(type) {
+	case *proto.PortInfo_Port:
+		return fmt.Sprintf("%d", v.Port)
+	case *proto.PortInfo_Range_:
+		return fmt.Sprintf("%d:%d", v.Range.GetStart(), v.Range.GetEnd())
+	default:
+		return "No port specified"
+	}
+}
--- a/client/cmd/root.go
+++ b/client/cmd/root.go
@@ -145,6 +145,7 @@ func init() {
 	rootCmd.AddCommand(versionCmd)
 	rootCmd.AddCommand(sshCmd)
 	rootCmd.AddCommand(networksCMD)
+	rootCmd.AddCommand(forwardingRulesCmd)
 	rootCmd.AddCommand(debugCmd)

 	serviceCmd.AddCommand(runCmd, startCmd, stopCmd, restartCmd) // service control commands are subcommands of service
--- a/client/firewall/factory.go
+++ b/client/firewall/factory.go
@@ -8,13 +8,13 @@ import (

 	log "github.com/sirupsen/logrus"

-	firewall "github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/firewall/firewaller"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )

 // NewFirewall creates a firewall manager instance
-func NewFirewall(iface IFaceMapper, _ *statemanager.Manager) (firewall.Manager, error) {
+func NewFirewall(iface IFaceMapper, _ *statemanager.Manager) (firewaller.Firewall, error) {
 	if !iface.IsUserspaceBind() {
 		return nil, fmt.Errorf("not implemented for this OS: %s", runtime.GOOS)
 	}
--- a/client/firewall/factory_linux.go
+++ b/client/firewall/factory_linux.go
@@ -11,8 +11,8 @@ import (
 	"github.com/google/nftables"
 	log "github.com/sirupsen/logrus"

+	"github.com/netbirdio/netbird/client/firewall/firewaller"
 	nbiptables "github.com/netbirdio/netbird/client/firewall/iptables"
-	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	nbnftables "github.com/netbirdio/netbird/client/firewall/nftables"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
@@ -33,7 +33,7 @@ const SKIP_NFTABLES_ENV = "NB_SKIP_NFTABLES_CHECK"
 // FWType is the type for the firewall type
 type FWType int

-func NewFirewall(iface IFaceMapper, stateManager *statemanager.Manager) (firewall.Manager, error) {
+func NewFirewall(iface IFaceMapper, stateManager *statemanager.Manager) (firewaller.Firewall, error) {
 	// on the linux system we try to user nftables or iptables
 	// in any case, because we need to allow netbird interface traffic
 	// so we use AllowNetbird traffic from these firewall managers
@@ -50,7 +50,7 @@ func NewFirewall(iface IFaceMapper, stateManager *statemanager.Manager) (firewal
 	return createUserspaceFirewall(iface, fm)
 }

-func createNativeFirewall(iface IFaceMapper, stateManager *statemanager.Manager) (firewall.Manager, error) {
+func createNativeFirewall(iface IFaceMapper, stateManager *statemanager.Manager) (firewaller.Firewall, error) {
 	fm, err := createFW(iface)
 	if err != nil {
 		return nil, fmt.Errorf("create firewall: %s", err)
@@ -63,7 +63,7 @@ func createNativeFirewall(iface IFaceMapper, stateManager *statemanager.Manager)
 	return fm, nil
 }

-func createFW(iface IFaceMapper) (firewall.Manager, error) {
+func createFW(iface IFaceMapper) (firewaller.Firewall, error) {
 	switch check() {
 	case IPTABLES:
 		log.Info("creating an iptables firewall manager")
@@ -77,7 +77,7 @@ func createFW(iface IFaceMapper) (firewall.Manager, error) {
 	}
 }

-func createUserspaceFirewall(iface IFaceMapper, fm firewall.Manager) (firewall.Manager, error) {
+func createUserspaceFirewall(iface IFaceMapper, fm firewaller.Firewall) (firewaller.Firewall, error) {
 	var errUsp error
 	if fm != nil {
 		fm, errUsp = uspfilter.CreateWithNativeFirewall(iface, fm)
--- a/client/firewall/firewaller/firewall.go
+++ b/client/firewall/firewaller/firewall.go
@@ -0,0 +1,67 @@
+package firewaller
+
+import (
+	"net"
+	"net/netip"
+
+	"github.com/netbirdio/netbird/client/firewall/types"
+	"github.com/netbirdio/netbird/client/internal/statemanager"
+)
+
+// Firewall is the high level abstraction of a firewall manager
+//
+// It declares methods which handle actions required by the
+// Netbird client for ACL and routing functionality
+type Firewall interface {
+	Init(stateManager *statemanager.Manager) error
+
+	// AllowNetbird allows netbird interface traffic
+	AllowNetbird() error
+
+	// AddPeerFiltering adds a rule to the firewall
+	//
+	// If comment argument is empty firewall manager should set
+	// rule ID as comment for the rule
+	AddPeerFiltering(
+		ip net.IP,
+		proto types.Protocol,
+		sPort *types.Port,
+		dPort *types.Port,
+		action types.Action,
+		ipsetName string,
+		comment string,
+	) ([]types.Rule, error)
+
+	// DeletePeerRule from the firewall by rule definition
+	DeletePeerRule(rule types.Rule) error
+
+	// IsServerRouteSupported returns true if the firewall supports server side routing operations
+	IsServerRouteSupported() bool
+
+	AddRouteFiltering(source []netip.Prefix, destination netip.Prefix, proto types.Protocol, sPort *types.Port, dPort *types.Port, action types.Action) (types.Rule, error)
+
+	// DeleteRouteRule deletes a routing rule
+	DeleteRouteRule(rule types.Rule) error
+
+	// AddNatRule inserts a routing NAT rule
+	AddNatRule(pair types.RouterPair) error
+
+	// RemoveNatRule removes a routing NAT rule
+	RemoveNatRule(pair types.RouterPair) error
+
+	// SetLegacyManagement sets the legacy management mode
+	SetLegacyManagement(legacy bool) error
+
+	// Reset firewall to the default state
+	Reset(stateManager *statemanager.Manager) error
+
+	// Flush the changes to firewall controller
+	Flush() error
+
+	// AddDNATRule adds a DNAT rule
+	AddDNATRule(types.ForwardRule) (types.Rule, error)
+
+	// DeleteDNATRule deletes a DNAT rule
+	// todo: do you need a string ID or the complete rule?
+	DeleteDNATRule(types.Rule) error
+}
--- a/client/firewall/iptables/acl_linux.go
+++ b/client/firewall/iptables/acl_linux.go
@@ -10,7 +10,7 @@ import (
 	"github.com/nadoo/ipset"
 	log "github.com/sirupsen/logrus"

-	firewall "github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/firewall/types"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 	nbnet "github.com/netbirdio/netbird/util/net"
 )
@@ -80,12 +80,12 @@ func (m *aclManager) init(stateManager *statemanager.Manager) error {

 func (m *aclManager) AddPeerFiltering(
 	ip net.IP,
-	protocol firewall.Protocol,
-	sPort *firewall.Port,
-	dPort *firewall.Port,
-	action firewall.Action,
+	protocol types.Protocol,
+	sPort *types.Port,
+	dPort *types.Port,
+	action types.Action,
 	ipsetName string,
-) ([]firewall.Rule, error) {
+) ([]types.Rule, error) {
 	var dPortVal, sPortVal string
 	if dPort != nil && dPort.Values != nil {
 		// TODO: we support only one port per rule in current implementation of ACLs
@@ -107,7 +107,7 @@ func (m *aclManager) AddPeerFiltering(
 			// if ruleset already exists it means we already have the firewall rule
 			// so we need to update IPs in the ruleset and return new fw.Rule object for ACL manager.
 			ipList.addIP(ip.String())
-			return []firewall.Rule{&Rule{
+			return []types.Rule{&Rule{
 				ruleID:    uuid.New().String(),
 				ipsetName: ipsetName,
 				ip:        ip.String(),
@@ -152,11 +152,11 @@ func (m *aclManager) AddPeerFiltering(

 	m.updateState()

-	return []firewall.Rule{rule}, nil
+	return []types.Rule{rule}, nil
 }

 // DeletePeerRule from the firewall by rule definition
-func (m *aclManager) DeletePeerRule(rule firewall.Rule) error {
+func (m *aclManager) DeletePeerRule(rule types.Rule) error {
 	r, ok := rule.(*Rule)
 	if !ok {
 		return fmt.Errorf("invalid rule type")
@@ -354,7 +354,7 @@ func (m *aclManager) updateState() {
 }

 // filterRuleSpecs returns the specs of a filtering rule
-func filterRuleSpecs(ip net.IP, protocol, sPort, dPort string, action firewall.Action, ipsetName string) (specs []string) {
+func filterRuleSpecs(ip net.IP, protocol, sPort, dPort string, action types.Action, ipsetName string) (specs []string) {
 	matchByIP := true
 	// don't use IP matching if IP is ip 0.0.0.0
 	if ip.String() == "0.0.0.0" {
@@ -380,8 +380,8 @@ func filterRuleSpecs(ip net.IP, protocol, sPort, dPort string, action firewall.A
 	return append(specs, "-j", actionToStr(action))
 }

-func actionToStr(action firewall.Action) string {
-	if action == firewall.ActionAccept {
+func actionToStr(action types.Action) string {
+	if action == types.ActionAccept {
 		return "ACCEPT"
 	}
 	return "DROP"
--- a/client/firewall/iptables/manager_linux.go
+++ b/client/firewall/iptables/manager_linux.go
@@ -12,7 +12,8 @@ import (
 	log "github.com/sirupsen/logrus"

 	nberrors "github.com/netbirdio/netbird/client/errors"
-	firewall "github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/firewall/legacy"
+	"github.com/netbirdio/netbird/client/firewall/types"
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )
@@ -97,13 +98,13 @@ func (m *Manager) Init(stateManager *statemanager.Manager) error {
 // Comment will be ignored because some system this feature is not supported
 func (m *Manager) AddPeerFiltering(
 	ip net.IP,
-	protocol firewall.Protocol,
-	sPort *firewall.Port,
-	dPort *firewall.Port,
-	action firewall.Action,
+	protocol types.Protocol,
+	sPort *types.Port,
+	dPort *types.Port,
+	action types.Action,
 	ipsetName string,
 	_ string,
-) ([]firewall.Rule, error) {
+) ([]types.Rule, error) {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

@@ -113,11 +114,11 @@ func (m *Manager) AddPeerFiltering(
 func (m *Manager) AddRouteFiltering(
 	sources []netip.Prefix,
 	destination netip.Prefix,
-	proto firewall.Protocol,
-	sPort *firewall.Port,
-	dPort *firewall.Port,
-	action firewall.Action,
-) (firewall.Rule, error) {
+	proto types.Protocol,
+	sPort *types.Port,
+	dPort *types.Port,
+	action types.Action,
+) (types.Rule, error) {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

@@ -129,14 +130,14 @@ func (m *Manager) AddRouteFiltering(
 }

 // DeletePeerRule from the firewall by rule definition
-func (m *Manager) DeletePeerRule(rule firewall.Rule) error {
+func (m *Manager) DeletePeerRule(rule types.Rule) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

 	return m.aclMgr.DeletePeerRule(rule)
 }

-func (m *Manager) DeleteRouteRule(rule firewall.Rule) error {
+func (m *Manager) DeleteRouteRule(rule types.Rule) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

@@ -147,14 +148,14 @@ func (m *Manager) IsServerRouteSupported() bool {
 	return true
 }

-func (m *Manager) AddNatRule(pair firewall.RouterPair) error {
+func (m *Manager) AddNatRule(pair types.RouterPair) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

 	return m.router.AddNatRule(pair)
 }

-func (m *Manager) RemoveNatRule(pair firewall.RouterPair) error {
+func (m *Manager) RemoveNatRule(pair types.RouterPair) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

@@ -162,7 +163,7 @@ func (m *Manager) RemoveNatRule(pair firewall.RouterPair) error {
 }

 func (m *Manager) SetLegacyManagement(isLegacy bool) error {
-	return firewall.SetLegacyManagement(m.router, isLegacy)
+	return legacy.SetLegacyRouter(m.router, isLegacy)
 }

 // Reset firewall to the default state
@@ -200,7 +201,7 @@ func (m *Manager) AllowNetbird() error {
 		"all",
 		nil,
 		nil,
-		firewall.ActionAccept,
+		types.ActionAccept,
 		"",
 		"",
 	)
@@ -213,6 +214,15 @@ func (m *Manager) AllowNetbird() error {
 // Flush doesn't need to be implemented for this manager
 func (m *Manager) Flush() error { return nil }

+func (m *Manager) AddDNATRule(rule types.ForwardRule) (types.Rule, error) {
+	return nil, fmt.Errorf("not implemented")
+}
+
+// DeleteDNATRule deletes a DNAT rule
+func (m *Manager) DeleteDNATRule(rule types.Rule) error {
+	return nil
+}
+
 func getConntrackEstablished() []string {
 	return []string{"-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"}
 }
--- a/client/firewall/iptables/manager_linux_test.go
+++ b/client/firewall/iptables/manager_linux_test.go
@@ -9,7 +9,7 @@ import (
 	"github.com/coreos/go-iptables/iptables"
 	"github.com/stretchr/testify/require"

-	fw "github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/firewall/types"
 	"github.com/netbirdio/netbird/client/iface"
 )

@@ -68,13 +68,13 @@ func TestIptablesManager(t *testing.T) {
 		time.Sleep(time.Second)
 	}()

-	var rule2 []fw.Rule
+	var rule2 []types.Rule
 	t.Run("add second rule", func(t *testing.T) {
 		ip := net.ParseIP("10.20.0.3")
-		port := &fw.Port{
+		port := &types.Port{
 			Values: []int{8043: 8046},
 		}
-		rule2, err = manager.AddPeerFiltering(ip, "tcp", port, nil, fw.ActionAccept, "", "accept HTTPS traffic from ports range")
+		rule2, err = manager.AddPeerFiltering(ip, "tcp", port, nil, types.ActionAccept, "", "accept HTTPS traffic from ports range")
 		require.NoError(t, err, "failed to add rule")

 		for _, r := range rule2 {
@@ -95,8 +95,8 @@ func TestIptablesManager(t *testing.T) {
 	t.Run("reset check", func(t *testing.T) {
 		// add second rule
 		ip := net.ParseIP("10.20.0.3")
-		port := &fw.Port{Values: []int{5353}}
-		_, err = manager.AddPeerFiltering(ip, "udp", nil, port, fw.ActionAccept, "", "accept Fake DNS traffic")
+		port := &types.Port{Values: []int{5353}}
+		_, err = manager.AddPeerFiltering(ip, "udp", nil, port, types.ActionAccept, "", "accept Fake DNS traffic")
 		require.NoError(t, err, "failed to add rule")

 		err = manager.Reset(nil)
@@ -141,13 +141,13 @@ func TestIptablesManagerIPSet(t *testing.T) {
 		time.Sleep(time.Second)
 	}()

-	var rule2 []fw.Rule
+	var rule2 []types.Rule
 	t.Run("add second rule", func(t *testing.T) {
 		ip := net.ParseIP("10.20.0.3")
-		port := &fw.Port{
+		port := &types.Port{
 			Values: []int{443},
 		}
-		rule2, err = manager.AddPeerFiltering(ip, "tcp", port, nil, fw.ActionAccept, "default", "accept HTTPS traffic from ports range")
+		rule2, err = manager.AddPeerFiltering(ip, "tcp", port, nil, types.ActionAccept, "default", "accept HTTPS traffic from ports range")
 		for _, r := range rule2 {
 			require.NoError(t, err, "failed to add rule")
 			require.Equal(t, r.(*Rule).ipsetName, "default-sport", "ipset name must be set")
@@ -214,8 +214,8 @@ func TestIptablesCreatePerformance(t *testing.T) {
 			ip := net.ParseIP("10.20.0.100")
 			start := time.Now()
 			for i := 0; i < testMax; i++ {
-				port := &fw.Port{Values: []int{1000 + i}}
-				_, err = manager.AddPeerFiltering(ip, "tcp", nil, port, fw.ActionAccept, "", "accept HTTP traffic")
+				port := &types.Port{Values: []int{1000 + i}}
+				_, err = manager.AddPeerFiltering(ip, "tcp", nil, port, types.ActionAccept, "", "accept HTTP traffic")

 				require.NoError(t, err, "failed to add rule")
 			}
--- a/client/firewall/iptables/router_linux.go
+++ b/client/firewall/iptables/router_linux.go
@@ -14,7 +14,7 @@ import (
 	log "github.com/sirupsen/logrus"

 	nberrors "github.com/netbirdio/netbird/client/errors"
-	firewall "github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/firewall/types"
 	"github.com/netbirdio/netbird/client/internal/acl/id"
 	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
@@ -42,11 +42,11 @@ const (
 type routeFilteringRuleParams struct {
 	Sources     []netip.Prefix
 	Destination netip.Prefix
-	Proto       firewall.Protocol
-	SPort       *firewall.Port
-	DPort       *firewall.Port
-	Direction   firewall.RuleDirection
-	Action      firewall.Action
+	Proto       types.Protocol
+	SPort       *types.Port
+	DPort       *types.Port
+	Direction   types.RuleDirection
+	Action      types.Action
 	SetName     string
 }

@@ -106,11 +106,11 @@ func (r *router) init(stateManager *statemanager.Manager) error {
 func (r *router) AddRouteFiltering(
 	sources []netip.Prefix,
 	destination netip.Prefix,
-	proto firewall.Protocol,
-	sPort *firewall.Port,
-	dPort *firewall.Port,
-	action firewall.Action,
-) (firewall.Rule, error) {
+	proto types.Protocol,
+	sPort *types.Port,
+	dPort *types.Port,
+	action types.Action,
+) (types.Rule, error) {
 	ruleKey := id.GenerateRouteRuleKey(sources, destination, proto, sPort, dPort, action)
 	if _, ok := r.rules[string(ruleKey)]; ok {
 		return ruleKey, nil
@@ -118,7 +118,7 @@ func (r *router) AddRouteFiltering(

 	var setName string
 	if len(sources) > 1 {
-		setName = firewall.GenerateSetName(sources)
+		setName = types.GenerateSetName(sources)
 		if _, err := r.ipsetCounter.Increment(setName, sources); err != nil {
 			return nil, fmt.Errorf("create or get ipset: %w", err)
 		}
@@ -146,7 +146,7 @@ func (r *router) AddRouteFiltering(
 	return ruleKey, nil
 }

-func (r *router) DeleteRouteRule(rule firewall.Rule) error {
+func (r *router) DeleteRouteRule(rule types.Rule) error {
 	ruleKey := rule.GetRuleID()

 	if rule, exists := r.rules[ruleKey]; exists {
@@ -202,7 +202,7 @@ func (r *router) deleteIpSet(setName string) error {
 }

 // AddNatRule inserts an iptables rule pair into the nat chain
-func (r *router) AddNatRule(pair firewall.RouterPair) error {
+func (r *router) AddNatRule(pair types.RouterPair) error {
 	if r.legacyManagement {
 		log.Warnf("This peer is connected to a NetBird Management service with an older version. Allowing all traffic for %s", pair.Destination)
 		if err := r.addLegacyRouteRule(pair); err != nil {
@@ -218,7 +218,7 @@ func (r *router) AddNatRule(pair firewall.RouterPair) error {
 		return fmt.Errorf("add nat rule: %w", err)
 	}

-	if err := r.addNatRule(firewall.GetInversePair(pair)); err != nil {
+	if err := r.addNatRule(types.GetInversePair(pair)); err != nil {
 		return fmt.Errorf("add inverse nat rule: %w", err)
 	}

@@ -228,12 +228,12 @@ func (r *router) AddNatRule(pair firewall.RouterPair) error {
 }

 // RemoveNatRule removes an iptables rule pair from forwarding and nat chains
-func (r *router) RemoveNatRule(pair firewall.RouterPair) error {
+func (r *router) RemoveNatRule(pair types.RouterPair) error {
 	if err := r.removeNatRule(pair); err != nil {
 		return fmt.Errorf("remove nat rule: %w", err)
 	}

-	if err := r.removeNatRule(firewall.GetInversePair(pair)); err != nil {
+	if err := r.removeNatRule(types.GetInversePair(pair)); err != nil {
 		return fmt.Errorf("remove inverse nat rule: %w", err)
 	}

@@ -247,8 +247,8 @@ func (r *router) RemoveNatRule(pair firewall.RouterPair) error {
 }

 // addLegacyRouteRule adds a legacy routing rule for mgmt servers pre route acls
-func (r *router) addLegacyRouteRule(pair firewall.RouterPair) error {
-	ruleKey := firewall.GenKey(firewall.ForwardingFormat, pair)
+func (r *router) addLegacyRouteRule(pair types.RouterPair) error {
+	ruleKey := types.GenRuleKey(types.ForwardingFormat, pair)

 	if err := r.removeLegacyRouteRule(pair); err != nil {
 		return err
@@ -264,8 +264,8 @@ func (r *router) addLegacyRouteRule(pair firewall.RouterPair) error {
 	return nil
 }

-func (r *router) removeLegacyRouteRule(pair firewall.RouterPair) error {
-	ruleKey := firewall.GenKey(firewall.ForwardingFormat, pair)
+func (r *router) removeLegacyRouteRule(pair types.RouterPair) error {
+	ruleKey := types.GenRuleKey(types.ForwardingFormat, pair)

 	if rule, exists := r.rules[ruleKey]; exists {
 		if err := r.iptablesClient.DeleteIfExists(tableFilter, chainRTFWD, rule...); err != nil {
@@ -293,7 +293,7 @@ func (r *router) SetLegacyManagement(isLegacy bool) {
 func (r *router) RemoveAllLegacyRouteRules() error {
 	var merr *multierror.Error
 	for k, rule := range r.rules {
-		if !strings.HasPrefix(k, firewall.ForwardingFormatPrefix) {
+		if !strings.HasPrefix(k, types.ForwardingFormatPrefix) {
 			continue
 		}
 		if err := r.iptablesClient.DeleteIfExists(tableFilter, chainRTFWD, rule...); err != nil {
@@ -478,8 +478,8 @@ func (r *router) cleanJumpRules() error {
 	return nil
 }

-func (r *router) addNatRule(pair firewall.RouterPair) error {
-	ruleKey := firewall.GenKey(firewall.NatFormat, pair)
+func (r *router) addNatRule(pair types.RouterPair) error {
+	ruleKey := types.GenRuleKey(types.NatFormat, pair)

 	if rule, exists := r.rules[ruleKey]; exists {
 		if err := r.iptablesClient.DeleteIfExists(tableMangle, chainRTPRE, rule...); err != nil {
@@ -514,8 +514,8 @@ func (r *router) addNatRule(pair firewall.RouterPair) error {
 	return nil
 }

-func (r *router) removeNatRule(pair firewall.RouterPair) error {
-	ruleKey := firewall.GenKey(firewall.NatFormat, pair)
+func (r *router) removeNatRule(pair types.RouterPair) error {
+	ruleKey := types.GenRuleKey(types.NatFormat, pair)

 	if rule, exists := r.rules[ruleKey]; exists {
 		if err := r.iptablesClient.DeleteIfExists(tableMangle, chainRTPRE, rule...); err != nil {
@@ -567,7 +567,7 @@ func genRouteFilteringRuleSpec(params routeFilteringRuleParams) []string {

 	rule = append(rule, "-d", params.Destination.String())

-	if params.Proto != firewall.ProtocolALL {
+	if params.Proto != types.ProtocolALL {
 		rule = append(rule, "-p", strings.ToLower(string(params.Proto)))
 		rule = append(rule, applyPort("--sport", params.SPort)...)
 		rule = append(rule, applyPort("--dport", params.DPort)...)
@@ -578,7 +578,7 @@ func genRouteFilteringRuleSpec(params routeFilteringRuleParams) []string {
 	return rule
 }

-func applyPort(flag string, port *firewall.Port) []string {
+func applyPort(flag string, port *types.Port) []string {
 	if port == nil {
 		return nil
 	}
--- a/client/firewall/iptables/router_linux_test.go
+++ b/client/firewall/iptables/router_linux_test.go
@@ -12,8 +12,8 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

-	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/test"
+	"github.com/netbirdio/netbird/client/firewall/types"
 	nbnet "github.com/netbirdio/netbird/util/net"
 )

@@ -54,7 +54,7 @@ func TestIptablesManager_RestoreOrCreateContainers(t *testing.T) {
 	require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableMangle, chainPREROUTING)
 	require.True(t, exists, "prerouting jump rule should exist")

-	pair := firewall.RouterPair{
+	pair := types.RouterPair{
 		ID:          "abc",
 		Source:      netip.MustParsePrefix("100.100.100.1/32"),
 		Destination: netip.MustParsePrefix("100.100.100.0/24"),
@@ -89,7 +89,7 @@ func TestIptablesManager_AddNatRule(t *testing.T) {
 			err = manager.AddNatRule(testCase.InputPair)
 			require.NoError(t, err, "marking rule should be inserted")

-			natRuleKey := firewall.GenKey(firewall.NatFormat, testCase.InputPair)
+			natRuleKey := types.GenRuleKey(types.NatFormat, testCase.InputPair)
 			markingRule := []string{
 				"-i", ifaceMock.Name(),
 				"-m", "conntrack",
@@ -114,8 +114,8 @@ func TestIptablesManager_AddNatRule(t *testing.T) {
 			}

 			// Check inverse rule
-			inversePair := firewall.GetInversePair(testCase.InputPair)
-			inverseRuleKey := firewall.GenKey(firewall.NatFormat, inversePair)
+			inversePair := types.GetInversePair(testCase.InputPair)
+			inverseRuleKey := types.GenRuleKey(types.NatFormat, inversePair)
 			inverseMarkingRule := []string{
 				"!", "-i", ifaceMock.Name(),
 				"-m", "conntrack",
@@ -164,7 +164,7 @@ func TestIptablesManager_RemoveNatRule(t *testing.T) {
 			err = manager.RemoveNatRule(testCase.InputPair)
 			require.NoError(t, err, "shouldn't return error")

-			natRuleKey := firewall.GenKey(firewall.NatFormat, testCase.InputPair)
+			natRuleKey := types.GenRuleKey(types.NatFormat, testCase.InputPair)
 			markingRule := []string{
 				"-i", ifaceMock.Name(),
 				"-m", "conntrack",
@@ -183,8 +183,8 @@ func TestIptablesManager_RemoveNatRule(t *testing.T) {
 			require.False(t, found, "marking rule should not exist in the manager map")

 			// Check inverse rule removal
-			inversePair := firewall.GetInversePair(testCase.InputPair)
-			inverseRuleKey := firewall.GenKey(firewall.NatFormat, inversePair)
+			inversePair := types.GetInversePair(testCase.InputPair)
+			inverseRuleKey := types.GenRuleKey(types.NatFormat, inversePair)
 			inverseMarkingRule := []string{
 				"!", "-i", ifaceMock.Name(),
 				"-m", "conntrack",
@@ -226,22 +226,22 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 		name        string
 		sources     []netip.Prefix
 		destination netip.Prefix
-		proto       firewall.Protocol
-		sPort       *firewall.Port
-		dPort       *firewall.Port
-		direction   firewall.RuleDirection
-		action      firewall.Action
+		proto       types.Protocol
+		sPort       *types.Port
+		dPort       *types.Port
+		direction   types.RuleDirection
+		action      types.Action
 		expectSet   bool
 	}{
 		{
 			name:        "Basic TCP rule with single source",
 			sources:     []netip.Prefix{netip.MustParsePrefix("192.168.1.0/24")},
 			destination: netip.MustParsePrefix("10.0.0.0/24"),
-			proto:       firewall.ProtocolTCP,
+			proto:       types.ProtocolTCP,
 			sPort:       nil,
-			dPort:       &firewall.Port{Values: []int{80}},
-			direction:   firewall.RuleDirectionIN,
-			action:      firewall.ActionAccept,
+			dPort:       &types.Port{Values: []int{80}},
+			direction:   types.RuleDirectionIN,
+			action:      types.ActionAccept,
 			expectSet:   false,
 		},
 		{
@@ -251,77 +251,77 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 				netip.MustParsePrefix("192.168.0.0/16"),
 			},
 			destination: netip.MustParsePrefix("10.0.0.0/8"),
-			proto:       firewall.ProtocolUDP,
-			sPort:       &firewall.Port{Values: []int{1024, 2048}, IsRange: true},
+			proto:       types.ProtocolUDP,
+			sPort:       &types.Port{Values: []int{1024, 2048}, IsRange: true},
 			dPort:       nil,
-			direction:   firewall.RuleDirectionOUT,
-			action:      firewall.ActionDrop,
+			direction:   types.RuleDirectionOUT,
+			action:      types.ActionDrop,
 			expectSet:   true,
 		},
 		{
 			name:        "All protocols rule",
 			sources:     []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8")},
 			destination: netip.MustParsePrefix("0.0.0.0/0"),
-			proto:       firewall.ProtocolALL,
+			proto:       types.ProtocolALL,
 			sPort:       nil,
 			dPort:       nil,
-			direction:   firewall.RuleDirectionIN,
-			action:      firewall.ActionAccept,
+			direction:   types.RuleDirectionIN,
+			action:      types.ActionAccept,
 			expectSet:   false,
 		},
 		{
 			name:        "ICMP rule",
 			sources:     []netip.Prefix{netip.MustParsePrefix("192.168.0.0/16")},
 			destination: netip.MustParsePrefix("10.0.0.0/8"),
-			proto:       firewall.ProtocolICMP,
+			proto:       types.ProtocolICMP,
 			sPort:       nil,
 			dPort:       nil,
-			direction:   firewall.RuleDirectionIN,
-			action:      firewall.ActionAccept,
+			direction:   types.RuleDirectionIN,
+			action:      types.ActionAccept,
 			expectSet:   false,
 		},
 		{
 			name:        "TCP rule with multiple source ports",
 			sources:     []netip.Prefix{netip.MustParsePrefix("172.16.0.0/12")},
 			destination: netip.MustParsePrefix("192.168.0.0/16"),
-			proto:       firewall.ProtocolTCP,
-			sPort:       &firewall.Port{Values: []int{80, 443, 8080}},
+			proto:       types.ProtocolTCP,
+			sPort:       &types.Port{Values: []int{80, 443, 8080}},
 			dPort:       nil,
-			direction:   firewall.RuleDirectionOUT,
-			action:      firewall.ActionAccept,
+			direction:   types.RuleDirectionOUT,
+			action:      types.ActionAccept,
 			expectSet:   false,
 		},
 		{
 			name:        "UDP rule with single IP and port range",
 			sources:     []netip.Prefix{netip.MustParsePrefix("192.168.1.1/32")},
 			destination: netip.MustParsePrefix("10.0.0.0/24"),
-			proto:       firewall.ProtocolUDP,
+			proto:       types.ProtocolUDP,
 			sPort:       nil,
-			dPort:       &firewall.Port{Values: []int{5000, 5100}, IsRange: true},
-			direction:   firewall.RuleDirectionIN,
-			action:      firewall.ActionDrop,
+			dPort:       &types.Port{Values: []int{5000, 5100}, IsRange: true},
+			direction:   types.RuleDirectionIN,
+			action:      types.ActionDrop,
 			expectSet:   false,
 		},
 		{
 			name:        "TCP rule with source and destination ports",
 			sources:     []netip.Prefix{netip.MustParsePrefix("10.0.0.0/24")},
 			destination: netip.MustParsePrefix("172.16.0.0/16"),
-			proto:       firewall.ProtocolTCP,
-			sPort:       &firewall.Port{Values: []int{1024, 65535}, IsRange: true},
-			dPort:       &firewall.Port{Values: []int{22}},
-			direction:   firewall.RuleDirectionOUT,
-			action:      firewall.ActionAccept,
+			proto:       types.ProtocolTCP,
+			sPort:       &types.Port{Values: []int{1024, 65535}, IsRange: true},
+			dPort:       &types.Port{Values: []int{22}},
+			direction:   types.RuleDirectionOUT,
+			action:      types.ActionAccept,
 			expectSet:   false,
 		},
 		{
 			name:        "Drop all incoming traffic",
 			sources:     []netip.Prefix{netip.MustParsePrefix("0.0.0.0/0")},
 			destination: netip.MustParsePrefix("192.168.0.0/24"),
-			proto:       firewall.ProtocolALL,
+			proto:       types.ProtocolALL,
 			sPort:       nil,
 			dPort:       nil,
-			direction:   firewall.RuleDirectionIN,
-			action:      firewall.ActionDrop,
+			direction:   types.RuleDirectionIN,
+			action:      types.ActionDrop,
 			expectSet:   false,
 		},
 	}
@@ -357,7 +357,7 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 			expectedRule := genRouteFilteringRuleSpec(params)

 			if tt.expectSet {
-				setName := firewall.GenerateSetName(tt.sources)
+				setName := types.GenerateSetName(tt.sources)
 				params.SetName = setName
 				expectedRule = genRouteFilteringRuleSpec(params)

--- a/client/firewall/legacy/router.go
+++ b/client/firewall/legacy/router.go
@@ -0,0 +1,35 @@
+package legacy
+
+import (
+	"fmt"
+
+	"github.com/sirupsen/logrus"
+)
+
+// Router defines the interface for legacy management operations
+type Router interface {
+	RemoveAllLegacyRouteRules() error
+	GetLegacyManagement() bool
+	SetLegacyManagement(bool)
+}
+
+// SetLegacyRouter sets the route manager to use legacy management
+func SetLegacyRouter(router Router, isLegacy bool) error {
+	oldLegacy := router.GetLegacyManagement()
+
+	if oldLegacy != isLegacy {
+		router.SetLegacyManagement(isLegacy)
+		logrus.Debugf("Set legacy management to %v", isLegacy)
+	}
+
+	// client reconnected to a newer mgmt, we need to clean up the legacy rules
+	if !isLegacy && oldLegacy {
+		if err := router.RemoveAllLegacyRouteRules(); err != nil {
+			return fmt.Errorf("remove legacy routing rules: %v", err)
+		}
+
+		logrus.Debugf("Legacy routing rules removed")
+	}
+
+	return nil
+}
--- a/client/firewall/manager/firewall.go
+++ b/client/firewall/manager/firewall.go
@@ -1,189 +0,0 @@
-package manager
-
-import (
-	"crypto/sha256"
-	"encoding/hex"
-	"fmt"
-	"net"
-	"net/netip"
-	"sort"
-	"strings"
-
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/internal/statemanager"
-)
-
-const (
-	ForwardingFormatPrefix = "netbird-fwd-"
-	ForwardingFormat       = "netbird-fwd-%s-%t"
-	PreroutingFormat       = "netbird-prerouting-%s-%t"
-	NatFormat              = "netbird-nat-%s-%t"
-)
-
-// Rule abstraction should be implemented by each firewall manager
-//
-// Each firewall type for different OS can use different type
-// of the properties to hold data of the created rule
-type Rule interface {
-	// GetRuleID returns the rule id
-	GetRuleID() string
-}
-
-// RuleDirection is the traffic direction which a rule is applied
-type RuleDirection int
-
-const (
-	// RuleDirectionIN applies to filters that handlers incoming traffic
-	RuleDirectionIN RuleDirection = iota
-	// RuleDirectionOUT applies to filters that handlers outgoing traffic
-	RuleDirectionOUT
-)
-
-// Action is the action to be taken on a rule
-type Action int
-
-const (
-	// ActionAccept is the action to accept a packet
-	ActionAccept Action = iota
-	// ActionDrop is the action to drop a packet
-	ActionDrop
-)
-
-// Manager is the high level abstraction of a firewall manager
-//
-// It declares methods which handle actions required by the
-// Netbird client for ACL and routing functionality
-type Manager interface {
-	Init(stateManager *statemanager.Manager) error
-
-	// AllowNetbird allows netbird interface traffic
-	AllowNetbird() error
-
-	// AddPeerFiltering adds a rule to the firewall
-	//
-	// If comment argument is empty firewall manager should set
-	// rule ID as comment for the rule
-	AddPeerFiltering(
-		ip net.IP,
-		proto Protocol,
-		sPort *Port,
-		dPort *Port,
-		action Action,
-		ipsetName string,
-		comment string,
-	) ([]Rule, error)
-
-	// DeletePeerRule from the firewall by rule definition
-	DeletePeerRule(rule Rule) error
-
-	// IsServerRouteSupported returns true if the firewall supports server side routing operations
-	IsServerRouteSupported() bool
-
-	AddRouteFiltering(source []netip.Prefix, destination netip.Prefix, proto Protocol, sPort *Port, dPort *Port, action Action) (Rule, error)
-
-	// DeleteRouteRule deletes a routing rule
-	DeleteRouteRule(rule Rule) error
-
-	// AddNatRule inserts a routing NAT rule
-	AddNatRule(pair RouterPair) error
-
-	// RemoveNatRule removes a routing NAT rule
-	RemoveNatRule(pair RouterPair) error
-
-	// SetLegacyManagement sets the legacy management mode
-	SetLegacyManagement(legacy bool) error
-
-	// Reset firewall to the default state
-	Reset(stateManager *statemanager.Manager) error
-
-	// Flush the changes to firewall controller
-	Flush() error
-}
-
-func GenKey(format string, pair RouterPair) string {
-	return fmt.Sprintf(format, pair.ID, pair.Inverse)
-}
-
-// LegacyManager defines the interface for legacy management operations
-type LegacyManager interface {
-	RemoveAllLegacyRouteRules() error
-	GetLegacyManagement() bool
-	SetLegacyManagement(bool)
-}
-
-// SetLegacyManagement sets the route manager to use legacy management
-func SetLegacyManagement(router LegacyManager, isLegacy bool) error {
-	oldLegacy := router.GetLegacyManagement()
-
-	if oldLegacy != isLegacy {
-		router.SetLegacyManagement(isLegacy)
-		log.Debugf("Set legacy management to %v", isLegacy)
-	}
-
-	// client reconnected to a newer mgmt, we need to clean up the legacy rules
-	if !isLegacy && oldLegacy {
-		if err := router.RemoveAllLegacyRouteRules(); err != nil {
-			return fmt.Errorf("remove legacy routing rules: %v", err)
-		}
-
-		log.Debugf("Legacy routing rules removed")
-	}
-
-	return nil
-}
-
-// GenerateSetName generates a unique name for an ipset based on the given sources.
-func GenerateSetName(sources []netip.Prefix) string {
-	// sort for consistent naming
-	SortPrefixes(sources)
-
-	var sourcesStr strings.Builder
-	for _, src := range sources {
-		sourcesStr.WriteString(src.String())
-	}
-
-	hash := sha256.Sum256([]byte(sourcesStr.String()))
-	shortHash := hex.EncodeToString(hash[:])[:8]
-
-	return fmt.Sprintf("nb-%s", shortHash)
-}
-
-// MergeIPRanges merges overlapping IP ranges and returns a slice of non-overlapping netip.Prefix
-func MergeIPRanges(prefixes []netip.Prefix) []netip.Prefix {
-	if len(prefixes) == 0 {
-		return prefixes
-	}
-
-	merged := []netip.Prefix{prefixes[0]}
-	for _, prefix := range prefixes[1:] {
-		last := merged[len(merged)-1]
-		if last.Contains(prefix.Addr()) {
-			// If the current prefix is contained within the last merged prefix, skip it
-			continue
-		}
-		if prefix.Contains(last.Addr()) {
-			// If the current prefix contains the last merged prefix, replace it
-			merged[len(merged)-1] = prefix
-		} else {
-			// Otherwise, add the current prefix to the merged list
-			merged = append(merged, prefix)
-		}
-	}
-
-	return merged
-}
-
-// SortPrefixes sorts the given slice of netip.Prefix in place.
-// It sorts first by IP address, then by prefix length (most specific to least specific).
-func SortPrefixes(prefixes []netip.Prefix) {
-	sort.Slice(prefixes, func(i, j int) bool {
-		addrCmp := prefixes[i].Addr().Compare(prefixes[j].Addr())
-		if addrCmp != 0 {
-			return addrCmp < 0
-		}
-
-		// If IP addresses are the same, compare prefix lengths (longer prefixes first)
-		return prefixes[i].Bits() > prefixes[j].Bits()
-	})
-}
--- a/client/firewall/manager/firewall_test.go
+++ b/client/firewall/manager/firewall_test.go
@@ -1,192 +0,0 @@
-package manager_test
-
-import (
-	"net/netip"
-	"reflect"
-	"regexp"
-	"testing"
-
-	"github.com/netbirdio/netbird/client/firewall/manager"
-)
-
-func TestGenerateSetName(t *testing.T) {
-	t.Run("Different orders result in same hash", func(t *testing.T) {
-		prefixes1 := []netip.Prefix{
-			netip.MustParsePrefix("192.168.1.0/24"),
-			netip.MustParsePrefix("10.0.0.0/8"),
-		}
-		prefixes2 := []netip.Prefix{
-			netip.MustParsePrefix("10.0.0.0/8"),
-			netip.MustParsePrefix("192.168.1.0/24"),
-		}
-
-		result1 := manager.GenerateSetName(prefixes1)
-		result2 := manager.GenerateSetName(prefixes2)
-
-		if result1 != result2 {
-			t.Errorf("Different orders produced different hashes: %s != %s", result1, result2)
-		}
-	})
-
-	t.Run("Result format is correct", func(t *testing.T) {
-		prefixes := []netip.Prefix{
-			netip.MustParsePrefix("192.168.1.0/24"),
-			netip.MustParsePrefix("10.0.0.0/8"),
-		}
-
-		result := manager.GenerateSetName(prefixes)
-
-		matched, err := regexp.MatchString(`^nb-[0-9a-f]{8}$`, result)
-		if err != nil {
-			t.Fatalf("Error matching regex: %v", err)
-		}
-		if !matched {
-			t.Errorf("Result format is incorrect: %s", result)
-		}
-	})
-
-	t.Run("Empty input produces consistent result", func(t *testing.T) {
-		result1 := manager.GenerateSetName([]netip.Prefix{})
-		result2 := manager.GenerateSetName([]netip.Prefix{})
-
-		if result1 != result2 {
-			t.Errorf("Empty input produced inconsistent results: %s != %s", result1, result2)
-		}
-	})
-
-	t.Run("IPv4 and IPv6 mixing", func(t *testing.T) {
-		prefixes1 := []netip.Prefix{
-			netip.MustParsePrefix("192.168.1.0/24"),
-			netip.MustParsePrefix("2001:db8::/32"),
-		}
-		prefixes2 := []netip.Prefix{
-			netip.MustParsePrefix("2001:db8::/32"),
-			netip.MustParsePrefix("192.168.1.0/24"),
-		}
-
-		result1 := manager.GenerateSetName(prefixes1)
-		result2 := manager.GenerateSetName(prefixes2)
-
-		if result1 != result2 {
-			t.Errorf("Different orders of IPv4 and IPv6 produced different hashes: %s != %s", result1, result2)
-		}
-	})
-}
-
-func TestMergeIPRanges(t *testing.T) {
-	tests := []struct {
-		name     string
-		input    []netip.Prefix
-		expected []netip.Prefix
-	}{
-		{
-			name:     "Empty input",
-			input:    []netip.Prefix{},
-			expected: []netip.Prefix{},
-		},
-		{
-			name: "Single range",
-			input: []netip.Prefix{
-				netip.MustParsePrefix("192.168.1.0/24"),
-			},
-			expected: []netip.Prefix{
-				netip.MustParsePrefix("192.168.1.0/24"),
-			},
-		},
-		{
-			name: "Two non-overlapping ranges",
-			input: []netip.Prefix{
-				netip.MustParsePrefix("192.168.1.0/24"),
-				netip.MustParsePrefix("10.0.0.0/8"),
-			},
-			expected: []netip.Prefix{
-				netip.MustParsePrefix("192.168.1.0/24"),
-				netip.MustParsePrefix("10.0.0.0/8"),
-			},
-		},
-		{
-			name: "One range containing another",
-			input: []netip.Prefix{
-				netip.MustParsePrefix("192.168.0.0/16"),
-				netip.MustParsePrefix("192.168.1.0/24"),
-			},
-			expected: []netip.Prefix{
-				netip.MustParsePrefix("192.168.0.0/16"),
-			},
-		},
-		{
-			name: "One range containing another (different order)",
-			input: []netip.Prefix{
-				netip.MustParsePrefix("192.168.1.0/24"),
-				netip.MustParsePrefix("192.168.0.0/16"),
-			},
-			expected: []netip.Prefix{
-				netip.MustParsePrefix("192.168.0.0/16"),
-			},
-		},
-		{
-			name: "Overlapping ranges",
-			input: []netip.Prefix{
-				netip.MustParsePrefix("192.168.1.0/24"),
-				netip.MustParsePrefix("192.168.1.128/25"),
-			},
-			expected: []netip.Prefix{
-				netip.MustParsePrefix("192.168.1.0/24"),
-			},
-		},
-		{
-			name: "Overlapping ranges (different order)",
-			input: []netip.Prefix{
-				netip.MustParsePrefix("192.168.1.128/25"),
-				netip.MustParsePrefix("192.168.1.0/24"),
-			},
-			expected: []netip.Prefix{
-				netip.MustParsePrefix("192.168.1.0/24"),
-			},
-		},
-		{
-			name: "Multiple overlapping ranges",
-			input: []netip.Prefix{
-				netip.MustParsePrefix("192.168.0.0/16"),
-				netip.MustParsePrefix("192.168.1.0/24"),
-				netip.MustParsePrefix("192.168.2.0/24"),
-				netip.MustParsePrefix("192.168.1.128/25"),
-			},
-			expected: []netip.Prefix{
-				netip.MustParsePrefix("192.168.0.0/16"),
-			},
-		},
-		{
-			name: "Partially overlapping ranges",
-			input: []netip.Prefix{
-				netip.MustParsePrefix("192.168.0.0/23"),
-				netip.MustParsePrefix("192.168.1.0/24"),
-				netip.MustParsePrefix("192.168.2.0/25"),
-			},
-			expected: []netip.Prefix{
-				netip.MustParsePrefix("192.168.0.0/23"),
-				netip.MustParsePrefix("192.168.2.0/25"),
-			},
-		},
-		{
-			name: "IPv6 ranges",
-			input: []netip.Prefix{
-				netip.MustParsePrefix("2001:db8::/32"),
-				netip.MustParsePrefix("2001:db8:1::/48"),
-				netip.MustParsePrefix("2001:db8:2::/48"),
-			},
-			expected: []netip.Prefix{
-				netip.MustParsePrefix("2001:db8::/32"),
-			},
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			result := manager.MergeIPRanges(tt.input)
-			if !reflect.DeepEqual(result, tt.expected) {
-				t.Errorf("MergeIPRanges() = %v, want %v", result, tt.expected)
-			}
-		})
-	}
-}
--- a/client/firewall/nftables/acl_linux.go
+++ b/client/firewall/nftables/acl_linux.go
@@ -15,7 +15,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"

-	firewall "github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/firewall/types"
 	nbnet "github.com/netbirdio/netbird/util/net"
 )

@@ -84,13 +84,13 @@ func (m *AclManager) init(workTable *nftables.Table) error {
 // rule ID as comment for the rule
 func (m *AclManager) AddPeerFiltering(
 	ip net.IP,
-	proto firewall.Protocol,
-	sPort *firewall.Port,
-	dPort *firewall.Port,
-	action firewall.Action,
+	proto types.Protocol,
+	sPort *types.Port,
+	dPort *types.Port,
+	action types.Action,
 	ipsetName string,
 	comment string,
-) ([]firewall.Rule, error) {
+) ([]types.Rule, error) {
 	var ipset *nftables.Set
 	if ipsetName != "" {
 		var err error
@@ -100,7 +100,7 @@ func (m *AclManager) AddPeerFiltering(
 		}
 	}

-	newRules := make([]firewall.Rule, 0, 2)
+	newRules := make([]types.Rule, 0, 2)
 	ioRule, err := m.addIOFiltering(ip, proto, sPort, dPort, action, ipset, comment)
 	if err != nil {
 		return nil, err
@@ -111,7 +111,7 @@ func (m *AclManager) AddPeerFiltering(
 }

 // DeletePeerRule from the firewall by rule definition
-func (m *AclManager) DeletePeerRule(rule firewall.Rule) error {
+func (m *AclManager) DeletePeerRule(rule types.Rule) error {
 	r, ok := rule.(*Rule)
 	if !ok {
 		return fmt.Errorf("invalid rule type")
@@ -234,10 +234,10 @@ func (m *AclManager) Flush() error {

 func (m *AclManager) addIOFiltering(
 	ip net.IP,
-	proto firewall.Protocol,
-	sPort *firewall.Port,
-	dPort *firewall.Port,
-	action firewall.Action,
+	proto types.Protocol,
+	sPort *types.Port,
+	dPort *types.Port,
+	action types.Action,
 	ipset *nftables.Set,
 	comment string,
 ) (*Rule, error) {
@@ -253,7 +253,7 @@ func (m *AclManager) addIOFiltering(

 	var expressions []expr.Any

-	if proto != firewall.ProtocolALL {
+	if proto != types.ProtocolALL {
 		expressions = append(expressions, &expr.Payload{
 			DestRegister: 1,
 			Base:         expr.PayloadBaseNetworkHeader,
@@ -341,9 +341,9 @@ func (m *AclManager) addIOFiltering(
 	}

 	switch action {
-	case firewall.ActionAccept:
+	case types.ActionAccept:
 		expressions = append(expressions, &expr.Verdict{Kind: expr.VerdictAccept})
-	case firewall.ActionDrop:
+	case types.ActionDrop:
 		expressions = append(expressions, &expr.Verdict{Kind: expr.VerdictDrop})
 	}

@@ -672,7 +672,7 @@ func (m *AclManager) refreshRuleHandles(chain *nftables.Chain) error {
 	return nil
 }

-func generatePeerRuleId(ip net.IP, sPort *firewall.Port, dPort *firewall.Port, action firewall.Action, ipset *nftables.Set) string {
+func generatePeerRuleId(ip net.IP, sPort *types.Port, dPort *types.Port, action types.Action, ipset *nftables.Set) string {
 	rulesetID := ":"
 	if sPort != nil {
 		rulesetID += sPort.String()
@@ -689,7 +689,7 @@ func generatePeerRuleId(ip net.IP, sPort *firewall.Port, dPort *firewall.Port, a
 	return "set:" + ipset.Name + rulesetID
 }

-func encodePort(port firewall.Port) []byte {
+func encodePort(port types.Port) []byte {
 	bs := make([]byte, 2)
 	binary.BigEndian.PutUint16(bs, uint16(port.Values[0]))
 	return bs
@@ -701,13 +701,13 @@ func ifname(n string) []byte {
 	return b
 }

-func protoToInt(protocol firewall.Protocol) (uint8, error) {
+func protoToInt(protocol types.Protocol) (uint8, error) {
 	switch protocol {
-	case firewall.ProtocolTCP:
+	case types.ProtocolTCP:
 		return unix.IPPROTO_TCP, nil
-	case firewall.ProtocolUDP:
+	case types.ProtocolUDP:
 		return unix.IPPROTO_UDP, nil
-	case firewall.ProtocolICMP:
+	case types.ProtocolICMP:
 		return unix.IPPROTO_ICMP, nil
 	}

--- a/client/firewall/nftables/manager_linux.go
+++ b/client/firewall/nftables/manager_linux.go
@@ -13,7 +13,8 @@ import (
 	"github.com/google/nftables/expr"
 	log "github.com/sirupsen/logrus"

-	firewall "github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/firewall/legacy"
+	"github.com/netbirdio/netbird/client/firewall/types"
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )
@@ -114,13 +115,13 @@ func (m *Manager) Init(stateManager *statemanager.Manager) error {
 // rule ID as comment for the rule
 func (m *Manager) AddPeerFiltering(
 	ip net.IP,
-	proto firewall.Protocol,
-	sPort *firewall.Port,
-	dPort *firewall.Port,
-	action firewall.Action,
+	proto types.Protocol,
+	sPort *types.Port,
+	dPort *types.Port,
+	action types.Action,
 	ipsetName string,
 	comment string,
-) ([]firewall.Rule, error) {
+) ([]types.Rule, error) {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

@@ -135,11 +136,11 @@ func (m *Manager) AddPeerFiltering(
 func (m *Manager) AddRouteFiltering(
 	sources []netip.Prefix,
 	destination netip.Prefix,
-	proto firewall.Protocol,
-	sPort *firewall.Port,
-	dPort *firewall.Port,
-	action firewall.Action,
-) (firewall.Rule, error) {
+	proto types.Protocol,
+	sPort *types.Port,
+	dPort *types.Port,
+	action types.Action,
+) (types.Rule, error) {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

@@ -151,7 +152,7 @@ func (m *Manager) AddRouteFiltering(
 }

 // DeletePeerRule from the firewall by rule definition
-func (m *Manager) DeletePeerRule(rule firewall.Rule) error {
+func (m *Manager) DeletePeerRule(rule types.Rule) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

@@ -159,7 +160,7 @@ func (m *Manager) DeletePeerRule(rule firewall.Rule) error {
 }

 // DeleteRouteRule deletes a routing rule
-func (m *Manager) DeleteRouteRule(rule firewall.Rule) error {
+func (m *Manager) DeleteRouteRule(rule types.Rule) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

@@ -170,14 +171,14 @@ func (m *Manager) IsServerRouteSupported() bool {
 	return true
 }

-func (m *Manager) AddNatRule(pair firewall.RouterPair) error {
+func (m *Manager) AddNatRule(pair types.RouterPair) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

 	return m.router.AddNatRule(pair)
 }

-func (m *Manager) RemoveNatRule(pair firewall.RouterPair) error {
+func (m *Manager) RemoveNatRule(pair types.RouterPair) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

@@ -238,7 +239,7 @@ func (m *Manager) AllowNetbird() error {

 // SetLegacyManagement sets the route manager to use legacy management
 func (m *Manager) SetLegacyManagement(isLegacy bool) error {
-	return firewall.SetLegacyManagement(m.router, isLegacy)
+	return legacy.SetLegacyRouter(m.router, isLegacy)
 }

 // Reset firewall to the default state
@@ -329,6 +330,19 @@ func (m *Manager) Flush() error {
 	return m.aclManager.Flush()
 }

+// AddDNATRule adds a DNAT rule
+func (m *Manager) AddDNATRule(rule types.ForwardRule) (types.Rule, error) {
+	r := &Rule{
+		ruleID: rule.GetRuleID(),
+	}
+	return r, nil
+}
+
+// DeleteDNATRule deletes a DNAT rule
+func (m *Manager) DeleteDNATRule(rule types.Rule) error {
+	return nil
+}
+
 func (m *Manager) createWorkTable() (*nftables.Table, error) {
 	tables, err := m.rConn.ListTablesOfFamily(nftables.TableFamilyIPv4)
 	if err != nil {
--- a/client/firewall/nftables/manager_linux_test.go
+++ b/client/firewall/nftables/manager_linux_test.go
@@ -15,7 +15,7 @@ import (
 	"github.com/stretchr/testify/require"
 	"golang.org/x/sys/unix"

-	fw "github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/firewall/types"
 	"github.com/netbirdio/netbird/client/iface"
 )

@@ -74,7 +74,7 @@ func TestNftablesManager(t *testing.T) {

 	testClient := &nftables.Conn{}

-	rule, err := manager.AddPeerFiltering(ip, fw.ProtocolTCP, nil, &fw.Port{Values: []int{53}}, fw.ActionDrop, "", "")
+	rule, err := manager.AddPeerFiltering(ip, types.ProtocolTCP, nil, &types.Port{Values: []int{53}}, types.ActionDrop, "", "")
 	require.NoError(t, err, "failed to add rule")

 	err = manager.Flush()
@@ -200,8 +200,8 @@ func TestNFtablesCreatePerformance(t *testing.T) {
 			ip := net.ParseIP("10.20.0.100")
 			start := time.Now()
 			for i := 0; i < testMax; i++ {
-				port := &fw.Port{Values: []int{1000 + i}}
-				_, err = manager.AddPeerFiltering(ip, "tcp", nil, port, fw.ActionAccept, "", "accept HTTP traffic")
+				port := &types.Port{Values: []int{1000 + i}}
+				_, err = manager.AddPeerFiltering(ip, "tcp", nil, port, types.ActionAccept, "", "accept HTTP traffic")
 				require.NoError(t, err, "failed to add rule")

 				if i%100 == 0 {
@@ -283,20 +283,20 @@ func TestNftablesManagerCompatibilityWithIptables(t *testing.T) {
 	})

 	ip := net.ParseIP("100.96.0.1")
-	_, err = manager.AddPeerFiltering(ip, fw.ProtocolTCP, nil, &fw.Port{Values: []int{80}}, fw.ActionAccept, "", "test rule")
+	_, err = manager.AddPeerFiltering(ip, types.ProtocolTCP, nil, &types.Port{Values: []int{80}}, types.ActionAccept, "", "test rule")
 	require.NoError(t, err, "failed to add peer filtering rule")

 	_, err = manager.AddRouteFiltering(
 		[]netip.Prefix{netip.MustParsePrefix("192.168.2.0/24")},
 		netip.MustParsePrefix("10.1.0.0/24"),
-		fw.ProtocolTCP,
+		types.ProtocolTCP,
 		nil,
-		&fw.Port{Values: []int{443}},
-		fw.ActionAccept,
+		&types.Port{Values: []int{443}},
+		types.ActionAccept,
 	)
 	require.NoError(t, err, "failed to add route filtering rule")

-	pair := fw.RouterPair{
+	pair := types.RouterPair{
 		Source:      netip.MustParsePrefix("192.168.1.0/24"),
 		Destination: netip.MustParsePrefix("10.0.0.0/24"),
 		Masquerade:  true,
--- a/client/firewall/nftables/router_linux.go
+++ b/client/firewall/nftables/router_linux.go
@@ -18,7 +18,7 @@ import (
 	log "github.com/sirupsen/logrus"

 	nberrors "github.com/netbirdio/netbird/client/errors"
-	firewall "github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/firewall/types"
 	"github.com/netbirdio/netbird/client/internal/acl/id"
 	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
 	nbnet "github.com/netbirdio/netbird/util/net"
@@ -167,11 +167,11 @@ func (r *router) createContainers() error {
 func (r *router) AddRouteFiltering(
 	sources []netip.Prefix,
 	destination netip.Prefix,
-	proto firewall.Protocol,
-	sPort *firewall.Port,
-	dPort *firewall.Port,
-	action firewall.Action,
-) (firewall.Rule, error) {
+	proto types.Protocol,
+	sPort *types.Port,
+	dPort *types.Port,
+	action types.Action,
+) (types.Rule, error) {

 	ruleKey := id.GenerateRouteRuleKey(sources, destination, proto, sPort, dPort, action)
 	if _, ok := r.rules[string(ruleKey)]; ok {
@@ -200,7 +200,7 @@ func (r *router) AddRouteFiltering(
 	exprs = append(exprs, generateCIDRMatcherExpressions(false, destination)...)

 	// Handle protocol
-	if proto != firewall.ProtocolALL {
+	if proto != types.ProtocolALL {
 		protoNum, err := protoToInt(proto)
 		if err != nil {
 			return nil, fmt.Errorf("convert protocol to number: %w", err)
@@ -219,7 +219,7 @@ func (r *router) AddRouteFiltering(
 	exprs = append(exprs, &expr.Counter{})

 	var verdict expr.VerdictKind
-	if action == firewall.ActionAccept {
+	if action == types.ActionAccept {
 		verdict = expr.VerdictAccept
 	} else {
 		verdict = expr.VerdictDrop
@@ -248,7 +248,7 @@ func (r *router) AddRouteFiltering(
 }

 func (r *router) getIpSetExprs(sources []netip.Prefix, exprs []expr.Any) ([]expr.Any, error) {
-	setName := firewall.GenerateSetName(sources)
+	setName := types.GenerateSetName(sources)
 	ref, err := r.ipsetCounter.Increment(setName, sources)
 	if err != nil {
 		return nil, fmt.Errorf("create or get ipset for sources: %w", err)
@@ -270,7 +270,7 @@ func (r *router) getIpSetExprs(sources []netip.Prefix, exprs []expr.Any) ([]expr
 	return exprs, nil
 }

-func (r *router) DeleteRouteRule(rule firewall.Rule) error {
+func (r *router) DeleteRouteRule(rule types.Rule) error {
 	if err := r.refreshRulesMap(); err != nil {
 		return fmt.Errorf(refreshRulesMapError, err)
 	}
@@ -307,7 +307,7 @@ func (r *router) DeleteRouteRule(rule firewall.Rule) error {

 func (r *router) createIpSet(setName string, sources []netip.Prefix) (*nftables.Set, error) {
 	// overlapping prefixes will result in an error, so we need to merge them
-	sources = firewall.MergeIPRanges(sources)
+	sources = mergeIPRanges(sources)

 	set := &nftables.Set{
 		Name:  setName,
@@ -403,7 +403,7 @@ func (r *router) deleteNftRule(rule *nftables.Rule, ruleKey string) error {
 }

 // AddNatRule appends a nftables rule pair to the nat chain
-func (r *router) AddNatRule(pair firewall.RouterPair) error {
+func (r *router) AddNatRule(pair types.RouterPair) error {
 	if err := r.refreshRulesMap(); err != nil {
 		return fmt.Errorf(refreshRulesMapError, err)
 	}
@@ -420,7 +420,7 @@ func (r *router) AddNatRule(pair firewall.RouterPair) error {
 			return fmt.Errorf("add nat rule: %w", err)
 		}

-		if err := r.addNatRule(firewall.GetInversePair(pair)); err != nil {
+		if err := r.addNatRule(types.GetInversePair(pair)); err != nil {
 			return fmt.Errorf("add inverse nat rule: %w", err)
 		}
 	}
@@ -433,7 +433,7 @@ func (r *router) AddNatRule(pair firewall.RouterPair) error {
 }

 // addNatRule inserts a nftables rule to the conn client flush queue
-func (r *router) addNatRule(pair firewall.RouterPair) error {
+func (r *router) addNatRule(pair types.RouterPair) error {
 	sourceExp := generateCIDRMatcherExpressions(true, pair.Source)
 	destExp := generateCIDRMatcherExpressions(false, pair.Destination)

@@ -494,7 +494,7 @@ func (r *router) addNatRule(pair firewall.RouterPair) error {
 		},
 	)

-	ruleKey := firewall.GenKey(firewall.PreroutingFormat, pair)
+	ruleKey := types.GenRuleKey(types.PreroutingFormat, pair)

 	if _, exists := r.rules[ruleKey]; exists {
 		if err := r.removeNatRule(pair); err != nil {
@@ -584,7 +584,7 @@ func (r *router) addPostroutingRules() error {
 }

 // addLegacyRouteRule adds a legacy routing rule for mgmt servers pre route acls
-func (r *router) addLegacyRouteRule(pair firewall.RouterPair) error {
+func (r *router) addLegacyRouteRule(pair types.RouterPair) error {
 	sourceExp := generateCIDRMatcherExpressions(true, pair.Source)
 	destExp := generateCIDRMatcherExpressions(false, pair.Destination)

@@ -597,7 +597,7 @@ func (r *router) addLegacyRouteRule(pair firewall.RouterPair) error {

 	expression := append(sourceExp, append(destExp, exprs...)...) // nolint:gocritic

-	ruleKey := firewall.GenKey(firewall.ForwardingFormat, pair)
+	ruleKey := types.GenRuleKey(types.ForwardingFormat, pair)

 	if _, exists := r.rules[ruleKey]; exists {
 		if err := r.removeLegacyRouteRule(pair); err != nil {
@@ -615,8 +615,8 @@ func (r *router) addLegacyRouteRule(pair firewall.RouterPair) error {
 }

 // removeLegacyRouteRule removes a legacy routing rule for mgmt servers pre route acls
-func (r *router) removeLegacyRouteRule(pair firewall.RouterPair) error {
-	ruleKey := firewall.GenKey(firewall.ForwardingFormat, pair)
+func (r *router) removeLegacyRouteRule(pair types.RouterPair) error {
+	ruleKey := types.GenRuleKey(types.ForwardingFormat, pair)

 	if rule, exists := r.rules[ruleKey]; exists {
 		if err := r.conn.DelRule(rule); err != nil {
@@ -651,7 +651,7 @@ func (r *router) RemoveAllLegacyRouteRules() error {

 	var merr *multierror.Error
 	for k, rule := range r.rules {
-		if !strings.HasPrefix(k, firewall.ForwardingFormatPrefix) {
+		if !strings.HasPrefix(k, types.ForwardingFormatPrefix) {
 			continue
 		}
 		if err := r.conn.DelRule(rule); err != nil {
@@ -829,7 +829,7 @@ func (r *router) removeAcceptForwardRulesIptables(ipt *iptables.IPTables) error
 }

 // RemoveNatRule removes the prerouting mark rule
-func (r *router) RemoveNatRule(pair firewall.RouterPair) error {
+func (r *router) RemoveNatRule(pair types.RouterPair) error {
 	if err := r.refreshRulesMap(); err != nil {
 		return fmt.Errorf(refreshRulesMapError, err)
 	}
@@ -838,7 +838,7 @@ func (r *router) RemoveNatRule(pair firewall.RouterPair) error {
 		return fmt.Errorf("remove prerouting rule: %w", err)
 	}

-	if err := r.removeNatRule(firewall.GetInversePair(pair)); err != nil {
+	if err := r.removeNatRule(types.GetInversePair(pair)); err != nil {
 		return fmt.Errorf("remove inverse prerouting rule: %w", err)
 	}

@@ -854,8 +854,8 @@ func (r *router) RemoveNatRule(pair firewall.RouterPair) error {
 	return nil
 }

-func (r *router) removeNatRule(pair firewall.RouterPair) error {
-	ruleKey := firewall.GenKey(firewall.PreroutingFormat, pair)
+func (r *router) removeNatRule(pair types.RouterPair) error {
+	ruleKey := types.GenRuleKey(types.PreroutingFormat, pair)

 	if rule, exists := r.rules[ruleKey]; exists {
 		err := r.conn.DelRule(rule)
@@ -931,7 +931,7 @@ func generateCIDRMatcherExpressions(source bool, prefix netip.Prefix) []expr.Any
 	}
 }

-func applyPort(port *firewall.Port, isSource bool) []expr.Any {
+func applyPort(port *types.Port, isSource bool) []expr.Any {
 	if port == nil {
 		return nil
 	}
@@ -987,3 +987,27 @@ func applyPort(port *firewall.Port, isSource bool) []expr.Any {

 	return exprs
 }
+
+func mergeIPRanges(prefixes []netip.Prefix) []netip.Prefix {
+	if len(prefixes) == 0 {
+		return prefixes
+	}
+
+	merged := []netip.Prefix{prefixes[0]}
+	for _, prefix := range prefixes[1:] {
+		last := merged[len(merged)-1]
+		if last.Contains(prefix.Addr()) {
+			// If the current prefix is contained within the last merged prefix, skip it
+			continue
+		}
+		if prefix.Contains(last.Addr()) {
+			// If the current prefix contains the last merged prefix, replace it
+			merged[len(merged)-1] = prefix
+		} else {
+			// Otherwise, add the current prefix to the merged list
+			merged = append(merged, prefix)
+		}
+	}
+
+	return merged
+}
--- a/client/firewall/nftables/router_linux_test.go
+++ b/client/firewall/nftables/router_linux_test.go
@@ -6,6 +6,7 @@ import (
 	"encoding/binary"
 	"net/netip"
 	"os/exec"
+	"reflect"
 	"testing"

 	"github.com/coreos/go-iptables/iptables"
@@ -15,8 +16,8 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

-	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/test"
+	"github.com/netbirdio/netbird/client/firewall/types"
 )

 const (
@@ -97,7 +98,7 @@ func TestNftablesManager_AddNatRule(t *testing.T) {
 				testingExpression = append(testingExpression, sourceExp...)
 				testingExpression = append(testingExpression, destExp...)

-				natRuleKey := firewall.GenKey(firewall.PreroutingFormat, testCase.InputPair)
+				natRuleKey := types.GenRuleKey(types.PreroutingFormat, testCase.InputPair)
 				found := 0
 				for _, chain := range rtr.chains {
 					if chain.Name == chainNamePrerouting {
@@ -139,7 +140,7 @@ func TestNftablesManager_RemoveNatRule(t *testing.T) {
 			require.NoError(t, err, "should add NAT rule")

 			// Verify the rule was added
-			natRuleKey := firewall.GenKey(firewall.PreroutingFormat, testCase.InputPair)
+			natRuleKey := types.GenRuleKey(types.PreroutingFormat, testCase.InputPair)
 			found := false
 			rules, err := rtr.conn.GetRules(rtr.workTable, rtr.chains[chainNamePrerouting])
 			require.NoError(t, err, "should list rules")
@@ -209,22 +210,22 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 		name        string
 		sources     []netip.Prefix
 		destination netip.Prefix
-		proto       firewall.Protocol
-		sPort       *firewall.Port
-		dPort       *firewall.Port
-		direction   firewall.RuleDirection
-		action      firewall.Action
+		proto       types.Protocol
+		sPort       *types.Port
+		dPort       *types.Port
+		direction   types.RuleDirection
+		action      types.Action
 		expectSet   bool
 	}{
 		{
 			name:        "Basic TCP rule with single source",
 			sources:     []netip.Prefix{netip.MustParsePrefix("192.168.1.0/24")},
 			destination: netip.MustParsePrefix("10.0.0.0/24"),
-			proto:       firewall.ProtocolTCP,
+			proto:       types.ProtocolTCP,
 			sPort:       nil,
-			dPort:       &firewall.Port{Values: []int{80}},
-			direction:   firewall.RuleDirectionIN,
-			action:      firewall.ActionAccept,
+			dPort:       &types.Port{Values: []int{80}},
+			direction:   types.RuleDirectionIN,
+			action:      types.ActionAccept,
 			expectSet:   false,
 		},
 		{
@@ -234,77 +235,77 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 				netip.MustParsePrefix("192.168.0.0/16"),
 			},
 			destination: netip.MustParsePrefix("10.0.0.0/8"),
-			proto:       firewall.ProtocolUDP,
-			sPort:       &firewall.Port{Values: []int{1024, 2048}, IsRange: true},
+			proto:       types.ProtocolUDP,
+			sPort:       &types.Port{Values: []int{1024, 2048}, IsRange: true},
 			dPort:       nil,
-			direction:   firewall.RuleDirectionOUT,
-			action:      firewall.ActionDrop,
+			direction:   types.RuleDirectionOUT,
+			action:      types.ActionDrop,
 			expectSet:   true,
 		},
 		{
 			name:        "All protocols rule",
 			sources:     []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8")},
 			destination: netip.MustParsePrefix("0.0.0.0/0"),
-			proto:       firewall.ProtocolALL,
+			proto:       types.ProtocolALL,
 			sPort:       nil,
 			dPort:       nil,
-			direction:   firewall.RuleDirectionIN,
-			action:      firewall.ActionAccept,
+			direction:   types.RuleDirectionIN,
+			action:      types.ActionAccept,
 			expectSet:   false,
 		},
 		{
 			name:        "ICMP rule",
 			sources:     []netip.Prefix{netip.MustParsePrefix("192.168.0.0/16")},
 			destination: netip.MustParsePrefix("10.0.0.0/8"),
-			proto:       firewall.ProtocolICMP,
+			proto:       types.ProtocolICMP,
 			sPort:       nil,
 			dPort:       nil,
-			direction:   firewall.RuleDirectionIN,
-			action:      firewall.ActionAccept,
+			direction:   types.RuleDirectionIN,
+			action:      types.ActionAccept,
 			expectSet:   false,
 		},
 		{
 			name:        "TCP rule with multiple source ports",
 			sources:     []netip.Prefix{netip.MustParsePrefix("172.16.0.0/12")},
 			destination: netip.MustParsePrefix("192.168.0.0/16"),
-			proto:       firewall.ProtocolTCP,
-			sPort:       &firewall.Port{Values: []int{80, 443, 8080}},
+			proto:       types.ProtocolTCP,
+			sPort:       &types.Port{Values: []int{80, 443, 8080}},
 			dPort:       nil,
-			direction:   firewall.RuleDirectionOUT,
-			action:      firewall.ActionAccept,
+			direction:   types.RuleDirectionOUT,
+			action:      types.ActionAccept,
 			expectSet:   false,
 		},
 		{
 			name:        "UDP rule with single IP and port range",
 			sources:     []netip.Prefix{netip.MustParsePrefix("192.168.1.1/32")},
 			destination: netip.MustParsePrefix("10.0.0.0/24"),
-			proto:       firewall.ProtocolUDP,
+			proto:       types.ProtocolUDP,
 			sPort:       nil,
-			dPort:       &firewall.Port{Values: []int{5000, 5100}, IsRange: true},
-			direction:   firewall.RuleDirectionIN,
-			action:      firewall.ActionDrop,
+			dPort:       &types.Port{Values: []int{5000, 5100}, IsRange: true},
+			direction:   types.RuleDirectionIN,
+			action:      types.ActionDrop,
 			expectSet:   false,
 		},
 		{
 			name:        "TCP rule with source and destination ports",
 			sources:     []netip.Prefix{netip.MustParsePrefix("10.0.0.0/24")},
 			destination: netip.MustParsePrefix("172.16.0.0/16"),
-			proto:       firewall.ProtocolTCP,
-			sPort:       &firewall.Port{Values: []int{1024, 65535}, IsRange: true},
-			dPort:       &firewall.Port{Values: []int{22}},
-			direction:   firewall.RuleDirectionOUT,
-			action:      firewall.ActionAccept,
+			proto:       types.ProtocolTCP,
+			sPort:       &types.Port{Values: []int{1024, 65535}, IsRange: true},
+			dPort:       &types.Port{Values: []int{22}},
+			direction:   types.RuleDirectionOUT,
+			action:      types.ActionAccept,
 			expectSet:   false,
 		},
 		{
 			name:        "Drop all incoming traffic",
 			sources:     []netip.Prefix{netip.MustParsePrefix("0.0.0.0/0")},
 			destination: netip.MustParsePrefix("192.168.0.0/24"),
-			proto:       firewall.ProtocolALL,
+			proto:       types.ProtocolALL,
 			sPort:       nil,
 			dPort:       nil,
-			direction:   firewall.RuleDirectionIN,
-			action:      firewall.ActionDrop,
+			direction:   types.RuleDirectionIN,
+			action:      types.ActionDrop,
 			expectSet:   false,
 		},
 	}
@@ -441,7 +442,7 @@ func TestNftablesCreateIpSet(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			setName := firewall.GenerateSetName(tt.sources)
+			setName := types.GenerateSetName(tt.sources)
 			set, err := r.createIpSet(setName, tt.sources)
 			if err != nil {
 				t.Logf("Failed to create IP set: %v", err)
@@ -506,7 +507,7 @@ func TestNftablesCreateIpSet(t *testing.T) {
 	}
 }

-func verifyRule(t *testing.T, rule *nftables.Rule, sources []netip.Prefix, destination netip.Prefix, proto firewall.Protocol, sPort, dPort *firewall.Port, direction firewall.RuleDirection, action firewall.Action, expectSet bool) {
+func verifyRule(t *testing.T, rule *nftables.Rule, sources []netip.Prefix, destination netip.Prefix, proto types.Protocol, sPort, dPort *types.Port, direction types.RuleDirection, action types.Action, expectSet bool) {
 	t.Helper()

 	assert.NotNil(t, rule, "Rule should not be nil")
@@ -515,21 +516,21 @@ func verifyRule(t *testing.T, rule *nftables.Rule, sources []netip.Prefix, desti
 	if expectSet {
 		assert.True(t, containsSetLookup(rule.Exprs), "Rule should contain set lookup for multiple sources")
 	} else if len(sources) == 1 && sources[0].Bits() != 0 {
-		if direction == firewall.RuleDirectionIN {
+		if direction == types.RuleDirectionIN {
 			assert.True(t, containsCIDRMatcher(rule.Exprs, sources[0], true), "Rule should contain source CIDR matcher for %s", sources[0])
 		} else {
 			assert.True(t, containsCIDRMatcher(rule.Exprs, sources[0], false), "Rule should contain destination CIDR matcher for %s", sources[0])
 		}
 	}

-	if direction == firewall.RuleDirectionIN {
+	if direction == types.RuleDirectionIN {
 		assert.True(t, containsCIDRMatcher(rule.Exprs, destination, false), "Rule should contain destination CIDR matcher for %s", destination)
 	} else {
 		assert.True(t, containsCIDRMatcher(rule.Exprs, destination, true), "Rule should contain source CIDR matcher for %s", destination)
 	}

 	// Verify protocol
-	if proto != firewall.ProtocolALL {
+	if proto != types.ProtocolALL {
 		assert.True(t, containsProtocol(rule.Exprs, proto), "Rule should contain protocol matcher for %s", proto)
 	}

@@ -582,7 +583,7 @@ func containsCIDRMatcher(exprs []expr.Any, prefix netip.Prefix, isSource bool) b
 	return (payloadFound && bitwiseFound && cmpFound) || prefix.Bits() == 0
 }

-func containsPort(exprs []expr.Any, port *firewall.Port, isSource bool) bool {
+func containsPort(exprs []expr.Any, port *types.Port, isSource bool) bool {
 	var offset uint32 = 2 // Default offset for destination port
 	if isSource {
 		offset = 0 // Offset for source port
@@ -619,7 +620,7 @@ func containsPort(exprs []expr.Any, port *firewall.Port, isSource bool) bool {
 	return false
 }

-func containsProtocol(exprs []expr.Any, proto firewall.Protocol) bool {
+func containsProtocol(exprs []expr.Any, proto types.Protocol) bool {
 	var metaFound, cmpFound bool
 	expectedProto, _ := protoToInt(proto)
 	for _, e := range exprs {
@@ -637,13 +638,13 @@ func containsProtocol(exprs []expr.Any, proto firewall.Protocol) bool {
 	return metaFound && cmpFound
 }

-func containsAction(exprs []expr.Any, action firewall.Action) bool {
+func containsAction(exprs []expr.Any, action types.Action) bool {
 	for _, e := range exprs {
 		if verdict, ok := e.(*expr.Verdict); ok {
 			switch action {
-			case firewall.ActionAccept:
+			case types.ActionAccept:
 				return verdict.Kind == expr.VerdictAccept
-			case firewall.ActionDrop:
+			case types.ActionDrop:
 				return verdict.Kind == expr.VerdictDrop
 			}
 		}
@@ -714,3 +715,121 @@ func deleteWorkTable() {
 		}
 	}
 }
+
+func TestMergeIPRanges(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    []netip.Prefix
+		expected []netip.Prefix
+	}{
+		{
+			name:     "Empty input",
+			input:    []netip.Prefix{},
+			expected: []netip.Prefix{},
+		},
+		{
+			name: "Single range",
+			input: []netip.Prefix{
+				netip.MustParsePrefix("192.168.1.0/24"),
+			},
+			expected: []netip.Prefix{
+				netip.MustParsePrefix("192.168.1.0/24"),
+			},
+		},
+		{
+			name: "Two non-overlapping ranges",
+			input: []netip.Prefix{
+				netip.MustParsePrefix("192.168.1.0/24"),
+				netip.MustParsePrefix("10.0.0.0/8"),
+			},
+			expected: []netip.Prefix{
+				netip.MustParsePrefix("192.168.1.0/24"),
+				netip.MustParsePrefix("10.0.0.0/8"),
+			},
+		},
+		{
+			name: "One range containing another",
+			input: []netip.Prefix{
+				netip.MustParsePrefix("192.168.0.0/16"),
+				netip.MustParsePrefix("192.168.1.0/24"),
+			},
+			expected: []netip.Prefix{
+				netip.MustParsePrefix("192.168.0.0/16"),
+			},
+		},
+		{
+			name: "One range containing another (different order)",
+			input: []netip.Prefix{
+				netip.MustParsePrefix("192.168.1.0/24"),
+				netip.MustParsePrefix("192.168.0.0/16"),
+			},
+			expected: []netip.Prefix{
+				netip.MustParsePrefix("192.168.0.0/16"),
+			},
+		},
+		{
+			name: "Overlapping ranges",
+			input: []netip.Prefix{
+				netip.MustParsePrefix("192.168.1.0/24"),
+				netip.MustParsePrefix("192.168.1.128/25"),
+			},
+			expected: []netip.Prefix{
+				netip.MustParsePrefix("192.168.1.0/24"),
+			},
+		},
+		{
+			name: "Overlapping ranges (different order)",
+			input: []netip.Prefix{
+				netip.MustParsePrefix("192.168.1.128/25"),
+				netip.MustParsePrefix("192.168.1.0/24"),
+			},
+			expected: []netip.Prefix{
+				netip.MustParsePrefix("192.168.1.0/24"),
+			},
+		},
+		{
+			name: "Multiple overlapping ranges",
+			input: []netip.Prefix{
+				netip.MustParsePrefix("192.168.0.0/16"),
+				netip.MustParsePrefix("192.168.1.0/24"),
+				netip.MustParsePrefix("192.168.2.0/24"),
+				netip.MustParsePrefix("192.168.1.128/25"),
+			},
+			expected: []netip.Prefix{
+				netip.MustParsePrefix("192.168.0.0/16"),
+			},
+		},
+		{
+			name: "Partially overlapping ranges",
+			input: []netip.Prefix{
+				netip.MustParsePrefix("192.168.0.0/23"),
+				netip.MustParsePrefix("192.168.1.0/24"),
+				netip.MustParsePrefix("192.168.2.0/25"),
+			},
+			expected: []netip.Prefix{
+				netip.MustParsePrefix("192.168.0.0/23"),
+				netip.MustParsePrefix("192.168.2.0/25"),
+			},
+		},
+		{
+			name: "IPv6 ranges",
+			input: []netip.Prefix{
+				netip.MustParsePrefix("2001:db8::/32"),
+				netip.MustParsePrefix("2001:db8:1::/48"),
+				netip.MustParsePrefix("2001:db8:2::/48"),
+			},
+			expected: []netip.Prefix{
+				netip.MustParsePrefix("2001:db8::/32"),
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := mergeIPRanges(tt.input)
+			if !reflect.DeepEqual(result, tt.expected) {
+				t.Errorf("MergeIPRanges() = %v, want %v", result, tt.expected)
+			}
+		})
+	}
+}
--- a/client/firewall/test/cases_linux.go
+++ b/client/firewall/test/cases_linux.go
@@ -3,7 +3,7 @@ package test
 import (
 	"net/netip"

-	firewall "github.com/netbirdio/netbird/client/firewall/manager"
+	firewall "github.com/netbirdio/netbird/client/firewall/types"
 )

 var (
--- a/client/firewall/types/forward_rule.go
+++ b/client/firewall/types/forward_rule.go
@@ -0,0 +1,25 @@
+package types
+
+import (
+	"fmt"
+	"net/netip"
+)
+
+type ForwardRule struct {
+	Protocol          Protocol
+	DestinationPort   Port
+	TranslatedAddress netip.Addr
+	TranslatedPort    Port
+}
+
+func (r ForwardRule) GetRuleID() string {
+	return fmt.Sprintf("%s;%s;%s;%s",
+		r.Protocol,
+		r.DestinationPort.String(),
+		r.TranslatedAddress.String(),
+		r.TranslatedPort.String())
+}
+
+func (r ForwardRule) String() string {
+	return fmt.Sprintf("protocol: %s, destinationPort: %s, translatedAddress: %s, translatedPort: %s", r.Protocol, r.DestinationPort.String(), r.TranslatedAddress.String(), r.TranslatedPort.String())
+}
--- a/client/firewall/types/ipset.go
+++ b/client/firewall/types/ipset.go
@@ -0,0 +1,25 @@
+package types
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"net/netip"
+	"strings"
+)
+
+// GenerateSetName generates a unique name for an ipset based on the given sources.
+func GenerateSetName(sources []netip.Prefix) string {
+	// sort for consistent naming
+	SortPrefixes(sources)
+
+	var sourcesStr strings.Builder
+	for _, src := range sources {
+		sourcesStr.WriteString(src.String())
+	}
+
+	hash := sha256.Sum256([]byte(sourcesStr.String()))
+	shortHash := hex.EncodeToString(hash[:])[:8]
+
+	return fmt.Sprintf("nb-%s", shortHash)
+}
--- a/client/firewall/types/ipset_test.go
+++ b/client/firewall/types/ipset_test.go
@@ -0,0 +1,71 @@
+package types
+
+import (
+	"net/netip"
+	"regexp"
+	"testing"
+)
+
+func TestGenerateSetName(t *testing.T) {
+	t.Run("Different orders result in same hash", func(t *testing.T) {
+		prefixes1 := []netip.Prefix{
+			netip.MustParsePrefix("192.168.1.0/24"),
+			netip.MustParsePrefix("10.0.0.0/8"),
+		}
+		prefixes2 := []netip.Prefix{
+			netip.MustParsePrefix("10.0.0.0/8"),
+			netip.MustParsePrefix("192.168.1.0/24"),
+		}
+
+		result1 := GenerateSetName(prefixes1)
+		result2 := GenerateSetName(prefixes2)
+
+		if result1 != result2 {
+			t.Errorf("Different orders produced different hashes: %s != %s", result1, result2)
+		}
+	})
+
+	t.Run("Result format is correct", func(t *testing.T) {
+		prefixes := []netip.Prefix{
+			netip.MustParsePrefix("192.168.1.0/24"),
+			netip.MustParsePrefix("10.0.0.0/8"),
+		}
+
+		result := GenerateSetName(prefixes)
+
+		matched, err := regexp.MatchString(`^nb-[0-9a-f]{8}$`, result)
+		if err != nil {
+			t.Fatalf("Error matching regex: %v", err)
+		}
+		if !matched {
+			t.Errorf("Result format is incorrect: %s", result)
+		}
+	})
+
+	t.Run("Empty input produces consistent result", func(t *testing.T) {
+		result1 := GenerateSetName([]netip.Prefix{})
+		result2 := GenerateSetName([]netip.Prefix{})
+
+		if result1 != result2 {
+			t.Errorf("Empty input produced inconsistent results: %s != %s", result1, result2)
+		}
+	})
+
+	t.Run("IPv4 and IPv6 mixing", func(t *testing.T) {
+		prefixes1 := []netip.Prefix{
+			netip.MustParsePrefix("192.168.1.0/24"),
+			netip.MustParsePrefix("2001:db8::/32"),
+		}
+		prefixes2 := []netip.Prefix{
+			netip.MustParsePrefix("2001:db8::/32"),
+			netip.MustParsePrefix("192.168.1.0/24"),
+		}
+
+		result1 := GenerateSetName(prefixes1)
+		result2 := GenerateSetName(prefixes2)
+
+		if result1 != result2 {
+			t.Errorf("Different orders of IPv4 and IPv6 produced different hashes: %s != %s", result1, result2)
+		}
+	})
+}
--- a/client/firewall/types/netip.go
+++ b/client/firewall/types/netip.go
@@ -0,0 +1,20 @@
+package types
+
+import (
+	"net/netip"
+	"sort"
+)
+
+// SortPrefixes sorts the given slice of netip.Prefix in place.
+// It sorts first by IP address, then by prefix length (most specific to least specific).
+func SortPrefixes(prefixes []netip.Prefix) {
+	sort.Slice(prefixes, func(i, j int) bool {
+		addrCmp := prefixes[i].Addr().Compare(prefixes[j].Addr())
+		if addrCmp != 0 {
+			return addrCmp < 0
+		}
+
+		// If IP addresses are the same, compare prefix lengths (longer prefixes first)
+		return prefixes[i].Bits() > prefixes[j].Bits()
+	})
+}
--- a/client/firewall/manager/port.go
+++ b/client/firewall/manager/port.go
@@ -1,29 +1,9 @@
-package manager
+package types

 import (
 	"strconv"
 )

-// Protocol is the protocol of the port
-type Protocol string
-
-const (
-	// ProtocolTCP is the TCP protocol
-	ProtocolTCP Protocol = "tcp"
-
-	// ProtocolUDP is the UDP protocol
-	ProtocolUDP Protocol = "udp"
-
-	// ProtocolICMP is the ICMP protocol
-	ProtocolICMP Protocol = "icmp"
-
-	// ProtocolALL cover all supported protocols
-	ProtocolALL Protocol = "all"
-
-	// ProtocolUnknown unknown protocol
-	ProtocolUnknown Protocol = "unknown"
-)
-
 // Port of the address for firewall rule
 type Port struct {
 	// IsRange is true Values contains two values, the first is the start port, the second is the end port
--- a/client/firewall/types/protocol.go
+++ b/client/firewall/types/protocol.go
@@ -0,0 +1,21 @@
+package types
+
+// Protocol is the protocol of the port
+type Protocol string
+
+const (
+	// ProtocolTCP is the TCP protocol
+	ProtocolTCP Protocol = "tcp"
+
+	// ProtocolUDP is the UDP protocol
+	ProtocolUDP Protocol = "udp"
+
+	// ProtocolICMP is the ICMP protocol
+	ProtocolICMP Protocol = "icmp"
+
+	// ProtocolALL cover all supported protocols
+	ProtocolALL Protocol = "all"
+
+	// ProtocolUnknown unknown protocol
+	ProtocolUnknown Protocol = "unknown"
+)
--- a/client/firewall/manager/routerpair.go
+++ b/client/firewall/manager/routerpair.go
@@ -1,4 +1,4 @@
-package manager
+package types

 import (
 	"net/netip"
--- a/client/firewall/types/rule.go
+++ b/client/firewall/types/rule.go
@@ -0,0 +1,43 @@
+package types
+
+import "fmt"
+
+const (
+	PreroutingFormat       = "netbird-prerouting-%s-%t"
+	NatFormat              = "netbird-nat-%s-%t"
+	ForwardingFormat       = "netbird-fwd-%s-%t"
+	ForwardingFormatPrefix = "netbird-fwd-"
+)
+
+// Rule abstraction should be implemented by each firewall manager
+//
+// Each firewall type for different OS can use different type
+// of the properties to hold data of the created rule
+type Rule interface {
+	// GetRuleID returns the rule id
+	GetRuleID() string
+}
+
+// RuleDirection is the traffic direction which a rule is applied
+type RuleDirection int
+
+const (
+	// RuleDirectionIN applies to filters that handlers incoming traffic
+	RuleDirectionIN RuleDirection = iota
+	// RuleDirectionOUT applies to filters that handlers outgoing traffic
+	RuleDirectionOUT
+)
+
+// Action is the action to be taken on a rule
+type Action int
+
+const (
+	// ActionAccept is the action to accept a packet
+	ActionAccept Action = iota
+	// ActionDrop is the action to drop a packet
+	ActionDrop
+)
+
+func GenRuleKey(format string, pair RouterPair) string {
+	return fmt.Sprintf(format, pair.ID, pair.Inverse)
+}
--- a/client/firewall/uspfilter/uspfilter.go
+++ b/client/firewall/uspfilter/uspfilter.go
@@ -13,7 +13,8 @@ import (
 	"github.com/google/uuid"
 	log "github.com/sirupsen/logrus"

-	firewall "github.com/netbirdio/netbird/client/firewall/manager"
+	firewall "github.com/netbirdio/netbird/client/firewall/firewaller"
+	"github.com/netbirdio/netbird/client/firewall/types"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/conntrack"
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
@@ -46,7 +47,7 @@ type Manager struct {
 	wgNetwork      *net.IPNet
 	decoders       sync.Pool
 	wgIface        IFaceMapper
-	nativeFirewall firewall.Manager
+	nativeFirewall firewall.Firewall

 	mutex sync.RWMutex

@@ -74,7 +75,7 @@ func Create(iface IFaceMapper) (*Manager, error) {
 	return create(iface)
 }

-func CreateWithNativeFirewall(iface IFaceMapper, nativeFirewall firewall.Manager) (*Manager, error) {
+func CreateWithNativeFirewall(iface IFaceMapper, nativeFirewall firewall.Firewall) (*Manager, error) {
 	mgr, err := create(iface)
 	if err != nil {
 		return nil, err
@@ -134,7 +135,7 @@ func (m *Manager) IsServerRouteSupported() bool {
 	}
 }

-func (m *Manager) AddNatRule(pair firewall.RouterPair) error {
+func (m *Manager) AddNatRule(pair types.RouterPair) error {
 	if m.nativeFirewall == nil {
 		return errRouteNotSupported
 	}
@@ -142,7 +143,7 @@ func (m *Manager) AddNatRule(pair firewall.RouterPair) error {
 }

 // RemoveNatRule removes a routing firewall rule
-func (m *Manager) RemoveNatRule(pair firewall.RouterPair) error {
+func (m *Manager) RemoveNatRule(pair types.RouterPair) error {
 	if m.nativeFirewall == nil {
 		return errRouteNotSupported
 	}
@@ -155,19 +156,19 @@ func (m *Manager) RemoveNatRule(pair firewall.RouterPair) error {
 // rule ID as comment for the rule
 func (m *Manager) AddPeerFiltering(
 	ip net.IP,
-	proto firewall.Protocol,
-	sPort *firewall.Port,
-	dPort *firewall.Port,
-	action firewall.Action,
+	proto types.Protocol,
+	sPort *types.Port,
+	dPort *types.Port,
+	action types.Action,
 	_ string,
 	comment string,
-) ([]firewall.Rule, error) {
+) ([]types.Rule, error) {
 	r := Rule{
 		id:        uuid.New().String(),
 		ip:        ip,
 		ipLayer:   layers.LayerTypeIPv6,
 		matchByIP: true,
-		drop:      action == firewall.ActionDrop,
+		drop:      action == types.ActionDrop,
 		comment:   comment,
 	}
 	if ipNormalized := ip.To4(); ipNormalized != nil {
@@ -188,16 +189,16 @@ func (m *Manager) AddPeerFiltering(
 	}

 	switch proto {
-	case firewall.ProtocolTCP:
+	case types.ProtocolTCP:
 		r.protoLayer = layers.LayerTypeTCP
-	case firewall.ProtocolUDP:
+	case types.ProtocolUDP:
 		r.protoLayer = layers.LayerTypeUDP
-	case firewall.ProtocolICMP:
+	case types.ProtocolICMP:
 		r.protoLayer = layers.LayerTypeICMPv4
 		if r.ipLayer == layers.LayerTypeIPv6 {
 			r.protoLayer = layers.LayerTypeICMPv6
 		}
-	case firewall.ProtocolALL:
+	case types.ProtocolALL:
 		r.protoLayer = layerTypeAll
 	}

@@ -207,17 +208,17 @@ func (m *Manager) AddPeerFiltering(
 	}
 	m.incomingRules[r.ip.String()][r.id] = r
 	m.mutex.Unlock()
-	return []firewall.Rule{&r}, nil
+	return []types.Rule{&r}, nil
 }

-func (m *Manager) AddRouteFiltering(sources []netip.Prefix, destination netip.Prefix, proto firewall.Protocol, sPort *firewall.Port, dPort *firewall.Port, action firewall.Action) (firewall.Rule, error) {
+func (m *Manager) AddRouteFiltering(sources []netip.Prefix, destination netip.Prefix, proto types.Protocol, sPort *types.Port, dPort *types.Port, action types.Action) (types.Rule, error) {
 	if m.nativeFirewall == nil {
 		return nil, errRouteNotSupported
 	}
 	return m.nativeFirewall.AddRouteFiltering(sources, destination, proto, sPort, dPort, action)
 }

-func (m *Manager) DeleteRouteRule(rule firewall.Rule) error {
+func (m *Manager) DeleteRouteRule(rule types.Rule) error {
 	if m.nativeFirewall == nil {
 		return errRouteNotSupported
 	}
@@ -225,7 +226,7 @@ func (m *Manager) DeleteRouteRule(rule firewall.Rule) error {
 }

 // DeletePeerRule from the firewall by rule definition
-func (m *Manager) DeletePeerRule(rule firewall.Rule) error {
+func (m *Manager) DeletePeerRule(rule types.Rule) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

@@ -253,6 +254,16 @@ func (m *Manager) SetLegacyManagement(isLegacy bool) error {
 // Flush doesn't need to be implemented for this manager
 func (m *Manager) Flush() error { return nil }

+// AddDNATRule adds a DNAT rule
+func (m *Manager) AddDNATRule(rule types.ForwardRule) (types.Rule, error) {
+	return nil, fmt.Errorf("not implemented")
+}
+
+// DeleteDNATRule deletes a DNAT rule
+func (m *Manager) DeleteDNATRule(rule types.Rule) error {
+	return nil
+}
+
 // DropOutgoing filter outgoing packets
 func (m *Manager) DropOutgoing(packetData []byte) bool {
 	return m.processOutgoingHooks(packetData)
--- a/client/firewall/uspfilter/uspfilter_bench_test.go
+++ b/client/firewall/uspfilter/uspfilter_bench_test.go
@@ -12,7 +12,7 @@ import (
 	"github.com/google/gopacket/layers"
 	"github.com/stretchr/testify/require"

-	fw "github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/firewall/types"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/conntrack"
 	"github.com/netbirdio/netbird/client/iface/device"
 )
@@ -90,8 +90,8 @@ func BenchmarkCoreFiltering(b *testing.B) {
 			stateful: false,
 			setupFunc: func(m *Manager) {
 				// Single rule allowing all traffic
-				_, err := m.AddPeerFiltering(net.ParseIP("0.0.0.0"), fw.ProtocolALL, nil, nil,
-					fw.ActionAccept, "", "allow all")
+				_, err := m.AddPeerFiltering(net.ParseIP("0.0.0.0"), types.ProtocolALL, nil, nil,
+					types.ActionAccept, "", "allow all")
 				require.NoError(b, err)
 			},
 			desc: "Baseline: Single 'allow all' rule without connection tracking",
@@ -111,10 +111,10 @@ func BenchmarkCoreFiltering(b *testing.B) {
 				// Add explicit rules matching return traffic pattern
 				for i := 0; i < 1000; i++ { // Simulate realistic ruleset size
 					ip := generateRandomIPs(1)[0]
-					_, err := m.AddPeerFiltering(ip, fw.ProtocolTCP,
-						&fw.Port{Values: []int{1024 + i}},
-						&fw.Port{Values: []int{80}},
-						fw.ActionAccept, "", "explicit return")
+					_, err := m.AddPeerFiltering(ip, types.ProtocolTCP,
+						&types.Port{Values: []int{1024 + i}},
+						&types.Port{Values: []int{80}},
+						types.ActionAccept, "", "explicit return")
 					require.NoError(b, err)
 				}
 			},
@@ -125,8 +125,8 @@ func BenchmarkCoreFiltering(b *testing.B) {
 			stateful: true,
 			setupFunc: func(m *Manager) {
 				// Add some basic rules but rely on state for established connections
-				_, err := m.AddPeerFiltering(net.ParseIP("0.0.0.0"), fw.ProtocolTCP, nil, nil,
-					fw.ActionDrop, "", "default drop")
+				_, err := m.AddPeerFiltering(net.ParseIP("0.0.0.0"), types.ProtocolTCP, nil, nil,
+					types.ActionDrop, "", "default drop")
 				require.NoError(b, err)
 			},
 			desc: "Connection tracking with established connections",
@@ -587,10 +587,10 @@ func BenchmarkLongLivedConnections(b *testing.B) {
 			// Setup initial state based on scenario
 			if sc.rules {
 				// Single rule to allow all return traffic from port 80
-				_, err := manager.AddPeerFiltering(net.ParseIP("0.0.0.0"), fw.ProtocolTCP,
-					&fw.Port{Values: []int{80}},
+				_, err := manager.AddPeerFiltering(net.ParseIP("0.0.0.0"), types.ProtocolTCP,
+					&types.Port{Values: []int{80}},
 					nil,
-					fw.ActionAccept, "", "return traffic")
+					types.ActionAccept, "", "return traffic")
 				require.NoError(b, err)
 			}

@@ -678,10 +678,10 @@ func BenchmarkShortLivedConnections(b *testing.B) {
 			// Setup initial state based on scenario
 			if sc.rules {
 				// Single rule to allow all return traffic from port 80
-				_, err := manager.AddPeerFiltering(net.ParseIP("0.0.0.0"), fw.ProtocolTCP,
-					&fw.Port{Values: []int{80}},
+				_, err := manager.AddPeerFiltering(net.ParseIP("0.0.0.0"), types.ProtocolTCP,
+					&types.Port{Values: []int{80}},
 					nil,
-					fw.ActionAccept, "", "return traffic")
+					types.ActionAccept, "", "return traffic")
 				require.NoError(b, err)
 			}

@@ -796,10 +796,10 @@ func BenchmarkParallelLongLivedConnections(b *testing.B) {

 			// Setup initial state based on scenario
 			if sc.rules {
-				_, err := manager.AddPeerFiltering(net.ParseIP("0.0.0.0"), fw.ProtocolTCP,
-					&fw.Port{Values: []int{80}},
+				_, err := manager.AddPeerFiltering(net.ParseIP("0.0.0.0"), types.ProtocolTCP,
+					&types.Port{Values: []int{80}},
 					nil,
-					fw.ActionAccept, "", "return traffic")
+					types.ActionAccept, "", "return traffic")
 				require.NoError(b, err)
 			}

@@ -883,10 +883,10 @@ func BenchmarkParallelShortLivedConnections(b *testing.B) {
 			})

 			if sc.rules {
-				_, err := manager.AddPeerFiltering(net.ParseIP("0.0.0.0"), fw.ProtocolTCP,
-					&fw.Port{Values: []int{80}},
+				_, err := manager.AddPeerFiltering(net.ParseIP("0.0.0.0"), types.ProtocolTCP,
+					&types.Port{Values: []int{80}},
 					nil,
-					fw.ActionAccept, "", "return traffic")
+					types.ActionAccept, "", "return traffic")
 				require.NoError(b, err)
 			}

--- a/client/firewall/uspfilter/uspfilter_test.go
+++ b/client/firewall/uspfilter/uspfilter_test.go
@@ -11,7 +11,7 @@ import (
 	"github.com/google/gopacket/layers"
 	"github.com/stretchr/testify/require"

-	fw "github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/firewall/types"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/conntrack"
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
@@ -43,12 +43,12 @@ func TestManagerCreate(t *testing.T) {

 	m, err := Create(ifaceMock)
 	if err != nil {
-		t.Errorf("failed to create Manager: %v", err)
+		t.Errorf("failed to create Firewall: %v", err)
 		return
 	}

 	if m == nil {
-		t.Error("Manager is nil")
+		t.Error("Firewall is nil")
 	}
 }

@@ -63,14 +63,14 @@ func TestManagerAddPeerFiltering(t *testing.T) {

 	m, err := Create(ifaceMock)
 	if err != nil {
-		t.Errorf("failed to create Manager: %v", err)
+		t.Errorf("failed to create Firewall: %v", err)
 		return
 	}

 	ip := net.ParseIP("192.168.1.1")
-	proto := fw.ProtocolTCP
-	port := &fw.Port{Values: []int{80}}
-	action := fw.ActionDrop
+	proto := types.ProtocolTCP
+	port := &types.Port{Values: []int{80}}
+	action := types.ActionDrop
 	comment := "Test rule"

 	rule, err := m.AddPeerFiltering(ip, proto, nil, port, action, "", comment)
@@ -97,14 +97,14 @@ func TestManagerDeleteRule(t *testing.T) {

 	m, err := Create(ifaceMock)
 	if err != nil {
-		t.Errorf("failed to create Manager: %v", err)
+		t.Errorf("failed to create Firewall: %v", err)
 		return
 	}

 	ip := net.ParseIP("192.168.1.1")
-	proto := fw.ProtocolTCP
-	port := &fw.Port{Values: []int{80}}
-	action := fw.ActionDrop
+	proto := types.ProtocolTCP
+	port := &types.Port{Values: []int{80}}
+	action := types.ActionDrop
 	comment := "Test rule 2"

 	rule2, err := m.AddPeerFiltering(ip, proto, nil, port, action, "", comment)
@@ -138,7 +138,7 @@ func TestAddUDPPacketHook(t *testing.T) {
 	tests := []struct {
 		name       string
 		in         bool
-		expDir     fw.RuleDirection
+		expDir     types.RuleDirection
 		ip         net.IP
 		dPort      uint16
 		hook       func([]byte) bool
@@ -147,7 +147,7 @@ func TestAddUDPPacketHook(t *testing.T) {
 		{
 			name:   "Test Outgoing UDP Packet Hook",
 			in:     false,
-			expDir: fw.RuleDirectionOUT,
+			expDir: types.RuleDirectionOUT,
 			ip:     net.IPv4(10, 168, 0, 1),
 			dPort:  8000,
 			hook:   func([]byte) bool { return true },
@@ -155,7 +155,7 @@ func TestAddUDPPacketHook(t *testing.T) {
 		{
 			name:   "Test Incoming UDP Packet Hook",
 			in:     true,
-			expDir: fw.RuleDirectionIN,
+			expDir: types.RuleDirectionIN,
 			ip:     net.IPv6loopback,
 			dPort:  9000,
 			hook:   func([]byte) bool { return false },
@@ -217,14 +217,14 @@ func TestManagerReset(t *testing.T) {

 	m, err := Create(ifaceMock)
 	if err != nil {
-		t.Errorf("failed to create Manager: %v", err)
+		t.Errorf("failed to create Firewall: %v", err)
 		return
 	}

 	ip := net.ParseIP("192.168.1.1")
-	proto := fw.ProtocolTCP
-	port := &fw.Port{Values: []int{80}}
-	action := fw.ActionDrop
+	proto := types.ProtocolTCP
+	port := &types.Port{Values: []int{80}}
+	action := types.ActionDrop
 	comment := "Test rule"

 	_, err = m.AddPeerFiltering(ip, proto, nil, port, action, "", comment)
@@ -235,7 +235,7 @@ func TestManagerReset(t *testing.T) {

 	err = m.Reset(nil)
 	if err != nil {
-		t.Errorf("failed to reset Manager: %v", err)
+		t.Errorf("failed to reset Firewall: %v", err)
 		return
 	}

@@ -251,7 +251,7 @@ func TestNotMatchByIP(t *testing.T) {

 	m, err := Create(ifaceMock)
 	if err != nil {
-		t.Errorf("failed to create Manager: %v", err)
+		t.Errorf("failed to create Firewall: %v", err)
 		return
 	}
 	m.wgNetwork = &net.IPNet{
@@ -260,8 +260,8 @@ func TestNotMatchByIP(t *testing.T) {
 	}

 	ip := net.ParseIP("0.0.0.0")
-	proto := fw.ProtocolUDP
-	action := fw.ActionAccept
+	proto := types.ProtocolUDP
+	action := types.ActionAccept
 	comment := "Test rule"

 	_, err = m.AddPeerFiltering(ip, proto, nil, nil, action, "", comment)
@@ -304,7 +304,7 @@ func TestNotMatchByIP(t *testing.T) {
 	}

 	if err = m.Reset(nil); err != nil {
-		t.Errorf("failed to reset Manager: %v", err)
+		t.Errorf("failed to reset Firewall: %v", err)
 		return
 	}
 }
@@ -319,7 +319,7 @@ func TestRemovePacketHook(t *testing.T) {
 	// creating manager instance
 	manager, err := Create(iface)
 	if err != nil {
-		t.Fatalf("Failed to create Manager: %s", err)
+		t.Fatalf("Failed to create Firewall: %s", err)
 	}
 	defer func() {
 		require.NoError(t, manager.Reset(nil))
@@ -463,8 +463,8 @@ func TestUSPFilterCreatePerformance(t *testing.T) {
 			ip := net.ParseIP("10.20.0.100")
 			start := time.Now()
 			for i := 0; i < testMax; i++ {
-				port := &fw.Port{Values: []int{1000 + i}}
-				_, err = manager.AddPeerFiltering(ip, "tcp", nil, port, fw.ActionAccept, "", "accept HTTP traffic")
+				port := &types.Port{Values: []int{1000 + i}}
+				_, err = manager.AddPeerFiltering(ip, "tcp", nil, port, types.ActionAccept, "", "accept HTTP traffic")

 				require.NoError(t, err, "failed to add rule")
 			}
--- a/client/internal/acl/id/id.go
+++ b/client/internal/acl/id/id.go
@@ -7,7 +7,7 @@ import (
 	"net/netip"
 	"strconv"

-	"github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/firewall/types"
 )

 type RuleID string
@@ -19,12 +19,12 @@ func (r RuleID) GetRuleID() string {
 func GenerateRouteRuleKey(
 	sources []netip.Prefix,
 	destination netip.Prefix,
-	proto manager.Protocol,
-	sPort *manager.Port,
-	dPort *manager.Port,
-	action manager.Action,
+	proto types.Protocol,
+	sPort *types.Port,
+	dPort *types.Port,
+	action types.Action,
 ) RuleID {
-	manager.SortPrefixes(sources)
+	types.SortPrefixes(sources)

 	h := sha256.New()

--- a/client/internal/acl/manager.go
+++ b/client/internal/acl/manager.go
@@ -15,7 +15,8 @@ import (
 	log "github.com/sirupsen/logrus"

 	nberrors "github.com/netbirdio/netbird/client/errors"
-	firewall "github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/firewall/firewaller"
+	"github.com/netbirdio/netbird/client/firewall/types"
 	"github.com/netbirdio/netbird/client/internal/acl/id"
 	"github.com/netbirdio/netbird/client/ssh"
 	mgmProto "github.com/netbirdio/netbird/management/proto"
@@ -30,17 +31,17 @@ type Manager interface {

 // DefaultManager uses firewall manager to handle
 type DefaultManager struct {
-	firewall       firewall.Manager
+	firewall       firewaller.Firewall
 	ipsetCounter   int
-	peerRulesPairs map[id.RuleID][]firewall.Rule
+	peerRulesPairs map[id.RuleID][]types.Rule
 	routeRules     map[id.RuleID]struct{}
 	mutex          sync.Mutex
 }

-func NewDefaultManager(fm firewall.Manager) *DefaultManager {
+func NewDefaultManager(fm firewaller.Firewall) *DefaultManager {
 	return &DefaultManager{
 		firewall:       fm,
-		peerRulesPairs: make(map[id.RuleID][]firewall.Rule),
+		peerRulesPairs: make(map[id.RuleID][]types.Rule),
 		routeRules:     make(map[id.RuleID]struct{}),
 	}
 }
@@ -132,7 +133,7 @@ func (d *DefaultManager) applyPeerACLs(networkMap *mgmProto.NetworkMap) {
 		)
 	}

-	newRulePairs := make(map[id.RuleID][]firewall.Rule)
+	newRulePairs := make(map[id.RuleID][]types.Rule)
 	ipsetByRuleSelectors := make(map[string]string)

 	for _, r := range rules {
@@ -251,7 +252,7 @@ func (d *DefaultManager) applyRouteACL(rule *mgmProto.RouteFirewallRule) (id.Rul
 func (d *DefaultManager) protoRuleToFirewallRule(
 	r *mgmProto.FirewallRule,
 	ipsetName string,
-) (id.RuleID, []firewall.Rule, error) {
+) (id.RuleID, []types.Rule, error) {
 	ip := net.ParseIP(r.PeerIP)
 	if ip == nil {
 		return "", nil, fmt.Errorf("invalid IP address, skipping firewall rule")
@@ -267,13 +268,13 @@ func (d *DefaultManager) protoRuleToFirewallRule(
 		return "", nil, fmt.Errorf("skipping firewall rule: %s", err)
 	}

-	var port *firewall.Port
+	var port *types.Port
 	if r.Port != "" {
 		value, err := strconv.Atoi(r.Port)
 		if err != nil {
 			return "", nil, fmt.Errorf("invalid port, skipping firewall rule")
 		}
-		port = &firewall.Port{
+		port = &types.Port{
 			Values: []int{value},
 		}
 	}
@@ -283,7 +284,7 @@ func (d *DefaultManager) protoRuleToFirewallRule(
 		return ruleID, rulesPair, nil
 	}

-	var rules []firewall.Rule
+	var rules []types.Rule
 	switch r.Direction {
 	case mgmProto.RuleDirection_IN:
 		rules, err = d.addInRules(ip, protocol, port, action, ipsetName, "")
@@ -304,12 +305,12 @@ func (d *DefaultManager) protoRuleToFirewallRule(

 func (d *DefaultManager) addInRules(
 	ip net.IP,
-	protocol firewall.Protocol,
-	port *firewall.Port,
-	action firewall.Action,
+	protocol types.Protocol,
+	port *types.Port,
+	action types.Action,
 	ipsetName string,
 	comment string,
-) ([]firewall.Rule, error) {
+) ([]types.Rule, error) {
 	rule, err := d.firewall.AddPeerFiltering(ip, protocol, nil, port, action, ipsetName, comment)
 	if err != nil {
 		return nil, fmt.Errorf("add firewall rule: %w", err)
@@ -320,12 +321,12 @@ func (d *DefaultManager) addInRules(

 func (d *DefaultManager) addOutRules(
 	ip net.IP,
-	protocol firewall.Protocol,
-	port *firewall.Port,
-	action firewall.Action,
+	protocol types.Protocol,
+	port *types.Port,
+	action types.Action,
 	ipsetName string,
 	comment string,
-) ([]firewall.Rule, error) {
+) ([]types.Rule, error) {
 	if shouldSkipInvertedRule(protocol, port) {
 		return nil, nil
 	}
@@ -341,10 +342,10 @@ func (d *DefaultManager) addOutRules(
 // getPeerRuleID() returns unique ID for the rule based on its parameters.
 func (d *DefaultManager) getPeerRuleID(
 	ip net.IP,
-	proto firewall.Protocol,
+	proto types.Protocol,
 	direction int,
-	port *firewall.Port,
-	action firewall.Action,
+	port *types.Port,
+	action types.Action,
 	comment string,
 ) id.RuleID {
 	idStr := ip.String() + string(proto) + strconv.Itoa(direction) + strconv.Itoa(int(action)) + comment
@@ -491,7 +492,7 @@ func (d *DefaultManager) getRuleGroupingSelector(rule *mgmProto.FirewallRule) st
 	return fmt.Sprintf("%v:%v:%v:%s", strconv.Itoa(int(rule.Direction)), rule.Action, rule.Protocol, rule.Port)
 }

-func (d *DefaultManager) rollBack(newRulePairs map[id.RuleID][]firewall.Rule) {
+func (d *DefaultManager) rollBack(newRulePairs map[id.RuleID][]types.Rule) {
 	log.Debugf("rollback ACL to previous state")
 	for _, rules := range newRulePairs {
 		for _, rule := range rules {
@@ -502,49 +503,49 @@ func (d *DefaultManager) rollBack(newRulePairs map[id.RuleID][]firewall.Rule) {
 	}
 }

-func convertToFirewallProtocol(protocol mgmProto.RuleProtocol) (firewall.Protocol, error) {
+func convertToFirewallProtocol(protocol mgmProto.RuleProtocol) (types.Protocol, error) {
 	switch protocol {
 	case mgmProto.RuleProtocol_TCP:
-		return firewall.ProtocolTCP, nil
+		return types.ProtocolTCP, nil
 	case mgmProto.RuleProtocol_UDP:
-		return firewall.ProtocolUDP, nil
+		return types.ProtocolUDP, nil
 	case mgmProto.RuleProtocol_ICMP:
-		return firewall.ProtocolICMP, nil
+		return types.ProtocolICMP, nil
 	case mgmProto.RuleProtocol_ALL:
-		return firewall.ProtocolALL, nil
+		return types.ProtocolALL, nil
 	default:
-		return firewall.ProtocolALL, fmt.Errorf("invalid protocol type: %s", protocol.String())
+		return types.ProtocolALL, fmt.Errorf("invalid protocol type: %s", protocol.String())
 	}
 }

-func shouldSkipInvertedRule(protocol firewall.Protocol, port *firewall.Port) bool {
-	return protocol == firewall.ProtocolALL || protocol == firewall.ProtocolICMP || port == nil
+func shouldSkipInvertedRule(protocol types.Protocol, port *types.Port) bool {
+	return protocol == types.ProtocolALL || protocol == types.ProtocolICMP || port == nil
 }

-func convertFirewallAction(action mgmProto.RuleAction) (firewall.Action, error) {
+func convertFirewallAction(action mgmProto.RuleAction) (types.Action, error) {
 	switch action {
 	case mgmProto.RuleAction_ACCEPT:
-		return firewall.ActionAccept, nil
+		return types.ActionAccept, nil
 	case mgmProto.RuleAction_DROP:
-		return firewall.ActionDrop, nil
+		return types.ActionDrop, nil
 	default:
-		return firewall.ActionDrop, fmt.Errorf("invalid action type: %d", action)
+		return types.ActionDrop, fmt.Errorf("invalid action type: %d", action)
 	}
 }

-func convertPortInfo(portInfo *mgmProto.PortInfo) *firewall.Port {
+func convertPortInfo(portInfo *mgmProto.PortInfo) *types.Port {
 	if portInfo == nil {
 		return nil
 	}

 	if portInfo.GetPort() != 0 {
-		return &firewall.Port{
+		return &types.Port{
 			Values: []int{int(portInfo.GetPort())},
 		}
 	}

 	if portInfo.GetRange() != nil {
-		return &firewall.Port{
+		return &types.Port{
 			IsRange: true,
 			Values:  []int{int(portInfo.GetRange().Start), int(portInfo.GetRange().End)},
 		}
--- a/client/internal/acl/manager_test.go
+++ b/client/internal/acl/manager_test.go
@@ -7,7 +7,6 @@ import (
 	"github.com/golang/mock/gomock"

 	"github.com/netbirdio/netbird/client/firewall"
-	"github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/internal/acl/mocks"
 	mgmProto "github.com/netbirdio/netbird/management/proto"
@@ -56,7 +55,7 @@ func TestDefaultManager(t *testing.T) {
 		t.Errorf("create firewall: %v", err)
 		return
 	}
-	defer func(fw manager.Manager) {
+	defer func(fw firewaller.Firewall) {
 		_ = fw.Reset(nil)
 	}(fw)
 	acl := NewDefaultManager(fw)
@@ -349,7 +348,7 @@ func TestDefaultManagerEnableSSHRules(t *testing.T) {
 		t.Errorf("create firewall: %v", err)
 		return
 	}
-	defer func(fw manager.Manager) {
+	defer func(fw firewaller.Firewall) {
 		_ = fw.Reset(nil)
 	}(fw)
 	acl := NewDefaultManager(fw)
--- a/client/internal/dnsfwd/manager.go
+++ b/client/internal/dnsfwd/manager.go
@@ -9,7 +9,8 @@ import (
 	log "github.com/sirupsen/logrus"

 	nberrors "github.com/netbirdio/netbird/client/errors"
-	firewall "github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/firewall/firewaller"
+	"github.com/netbirdio/netbird/client/firewall/types"
 )

 const (
@@ -19,13 +20,13 @@ const (
 )

 type Manager struct {
-	firewall firewall.Manager
+	firewall firewaller.Firewall

-	fwRules      []firewall.Rule
+	fwRules      []types.Rule
 	dnsForwarder *DNSForwarder
 }

-func NewManager(fw firewall.Manager) *Manager {
+func NewManager(fw firewaller.Firewall) *Manager {
 	return &Manager{
 		firewall: fw,
 	}
@@ -79,7 +80,7 @@ func (m *Manager) Stop(ctx context.Context) error {
 }

 func (h *Manager) allowDNSFirewall() error {
-	dport := &firewall.Port{
+	dport := &types.Port{
 		IsRange: false,
 		Values:  []int{ListenPort},
 	}
@@ -88,7 +89,7 @@ func (h *Manager) allowDNSFirewall() error {
 		return nil
 	}

-	dnsRules, err := h.firewall.AddPeerFiltering(net.IP{0, 0, 0, 0}, firewall.ProtocolUDP, nil, dport, firewall.ActionAccept, "", "")
+	dnsRules, err := h.firewall.AddPeerFiltering(net.IP{0, 0, 0, 0}, types.ProtocolUDP, nil, dport, types.ActionAccept, "", "")
 	if err != nil {
 		log.Errorf("failed to add allow DNS router rules, err: %v", err)
 		return err
--- a/client/internal/engine.go
+++ b/client/internal/engine.go
@@ -25,7 +25,8 @@ import (

 	nberrors "github.com/netbirdio/netbird/client/errors"
 	"github.com/netbirdio/netbird/client/firewall"
-	"github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/firewall/firewaller"
+	"github.com/netbirdio/netbird/client/firewall/types"
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/device"
@@ -33,6 +34,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/acl"
 	"github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/dnsfwd"
+	"github.com/netbirdio/netbird/client/internal/ingressgw"
 	"github.com/netbirdio/netbird/client/internal/networkmonitor"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/peer/guard"
@@ -168,10 +170,11 @@ type Engine struct {

 	statusRecorder *peer.Status

-	firewall      manager.Manager
-	routeManager  routemanager.Manager
-	acl           acl.Manager
-	dnsForwardMgr *dnsfwd.Manager
+	firewall          firewaller.Firewall
+	routeManager      routemanager.Manager
+	acl               acl.Manager
+	dnsForwardMgr     *dnsfwd.Manager
+	ingressGatewayMgr *ingressgw.Manager

 	dnsServer dns.Server

@@ -291,6 +294,13 @@ func (e *Engine) Stop() error {
 	// stop/restore DNS first so dbus and friends don't complain because of a missing interface
 	e.stopDNSServer()

+	if e.ingressGatewayMgr != nil {
+		if err := e.ingressGatewayMgr.Close(); err != nil {
+			log.Warnf("failed to cleanup forward rules: %v", err)
+		}
+		e.ingressGatewayMgr = nil
+	}
+
 	if e.routeManager != nil {
 		e.routeManager.Stop(e.stateManager)
 	}
@@ -495,15 +505,15 @@ func (e *Engine) initFirewall() error {
 	}

 	rosenpassPort := e.rpManager.GetAddress().Port
-	port := manager.Port{Values: []int{rosenpassPort}}
+	port := types.Port{Values: []int{rosenpassPort}}

 	// this rule is static and will be torn down on engine down by the firewall manager
 	if _, err := e.firewall.AddPeerFiltering(
 		net.IP{0, 0, 0, 0},
-		manager.ProtocolUDP,
+		types.ProtocolUDP,
 		nil,
 		&port,
-		manager.ActionAccept,
+		types.ActionAccept,
 		"",
 		"",
 	); err != nil {
@@ -531,10 +541,10 @@ func (e *Engine) blockLanAccess() {
 		if _, err := e.firewall.AddRouteFiltering(
 			[]netip.Prefix{v4},
 			network,
-			manager.ProtocolALL,
+			types.ProtocolALL,
 			nil,
 			nil,
-			manager.ActionDrop,
+			types.ActionDrop,
 		); err != nil {
 			merr = multierror.Append(merr, fmt.Errorf("add fw rule for network %s: %w", network, err))
 		}
@@ -925,6 +935,11 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 		log.Errorf("failed to update clientRoutes, err: %v", err)
 	}

+	// Ingress forward rules
+	if err := e.updateForwardRules(networkMap.GetForwardingRules()); err != nil {
+		log.Errorf("failed to update forward rules, err: %v", err)
+	}
+
 	log.Debugf("got peers update from Management Service, total peers to connect to = %d", len(networkMap.GetRemotePeers()))

 	e.updateOfflinePeers(networkMap.GetOfflinePeers())
@@ -1737,6 +1752,73 @@ func (e *Engine) updateDNSForwarder(enabled bool, domains []string) {
 	}
 }

+func (e *Engine) updateForwardRules(rules []*mgmProto.ForwardingRule) error {
+	if e.firewall == nil {
+		log.Warn("firewall is disabled, not updating forwarding rules")
+		return nil
+	}
+
+	// todo delete this before merge
+	defer e.mocForwardRules()
+
+	if len(rules) == 0 && e.ingressGatewayMgr != nil {
+		err := e.ingressGatewayMgr.Close()
+		e.ingressGatewayMgr = nil
+		e.statusRecorder.SetIngressGwMgr(nil)
+		return err
+	}
+
+	if e.ingressGatewayMgr == nil {
+		mgr := ingressgw.NewManager(e.firewall)
+		e.ingressGatewayMgr = mgr
+		e.statusRecorder.SetIngressGwMgr(mgr)
+	}
+
+	var merr *multierror.Error
+	forwardingRules := make([]types.ForwardRule, 0, len(rules))
+	for _, rule := range rules {
+		proto, err := convertToFirewallProtocol(rule.GetProtocol())
+		if err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("failed to convert protocol '%s': %w", rule.GetProtocol(), err))
+			continue
+		}
+
+		dstPortInfo := convertPortInfo(rule.GetDestinationPort())
+		if dstPortInfo == nil {
+			merr = multierror.Append(merr, fmt.Errorf("dstPort is nil"))
+			continue
+		}
+
+		translateIP, err := convertToIP(rule.GetTranslatedAddress())
+		if err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("failed to convert translated address '%s': %w", rule.GetTranslatedAddress(), err))
+			continue
+		}
+
+		translatePort := convertPortInfo(rule.GetTranslatedPort())
+		if translatePort == nil {
+			merr = multierror.Append(merr, fmt.Errorf("translatePort is nil"))
+			continue
+		}
+
+		forwardRule := types.ForwardRule{
+			Protocol:          proto,
+			DestinationPort:   *dstPortInfo,
+			TranslatedAddress: translateIP,
+			TranslatedPort:    *translatePort,
+		}
+
+		forwardingRules = append(forwardingRules, forwardRule)
+	}
+
+	log.Infof("updating forwarding rules: %d", len(forwardingRules))
+	if err := e.ingressGatewayMgr.Update(forwardingRules); err != nil {
+		log.Errorf("failed to update forwarding rules: %v", err)
+	}
+
+	return nberrors.FormatErrorOrNil(merr)
+}
+
 // isChecksEqual checks if two slices of checks are equal.
 func isChecksEqual(checks []*mgmProto.Checks, oChecks []*mgmProto.Checks) bool {
 	for _, check := range checks {
--- a/client/internal/engine_moc.go
+++ b/client/internal/engine_moc.go
@@ -0,0 +1,210 @@
+package internal
+
+import (
+	"net/netip"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/firewall/types"
+	"github.com/netbirdio/netbird/client/internal/ingressgw"
+)
+
+func (e *Engine) mocForwardRules() {
+	if e.ingressGatewayMgr == nil {
+		e.ingressGatewayMgr = ingressgw.NewManager(e.firewall)
+	}
+	err := e.ingressGatewayMgr.Update(
+		[]types.ForwardRule{
+			{
+				Protocol:          "tcp",
+				DestinationPort:   types.Port{IsRange: false, Values: []int{10000}},
+				TranslatedAddress: netip.MustParseAddr("100.64.31.206"),
+				TranslatedPort:    types.Port{IsRange: false, Values: []int{20000}},
+			},
+			{
+				Protocol:          "udp",
+				DestinationPort:   types.Port{IsRange: true, Values: []int{10100, 10199}},
+				TranslatedAddress: netip.MustParseAddr("100.64.10.206"),
+				TranslatedPort:    types.Port{IsRange: true, Values: []int{20100, 20199}},
+			},
+			{
+				Protocol:          "tcp",
+				DestinationPort:   types.Port{IsRange: true, Values: []int{10200, 10299}},
+				TranslatedAddress: netip.MustParseAddr("100.64.31.206"),
+				TranslatedPort:    types.Port{IsRange: true, Values: []int{20200, 20299}},
+			},
+			{
+				Protocol:          "udp",
+				DestinationPort:   types.Port{IsRange: true, Values: []int{10300, 10399}},
+				TranslatedAddress: netip.MustParseAddr("100.64.10.206"),
+				TranslatedPort:    types.Port{IsRange: true, Values: []int{20300, 20399}},
+			},
+			{
+				Protocol:          "tcp",
+				DestinationPort:   types.Port{IsRange: true, Values: []int{10100, 10199}},
+				TranslatedAddress: netip.MustParseAddr("100.64.10.206"),
+				TranslatedPort:    types.Port{IsRange: true, Values: []int{20100, 20199}},
+			},
+			{
+				Protocol:          "tcp",
+				DestinationPort:   types.Port{IsRange: true, Values: []int{10400, 10499}},
+				TranslatedAddress: netip.MustParseAddr("100.64.31.206"),
+				TranslatedPort:    types.Port{IsRange: true, Values: []int{20400, 20499}},
+			},
+			{
+				Protocol:          "udp",
+				DestinationPort:   types.Port{IsRange: true, Values: []int{10500, 10599}},
+				TranslatedAddress: netip.MustParseAddr("100.64.10.206"),
+				TranslatedPort:    types.Port{IsRange: true, Values: []int{20500, 20599}},
+			},
+			{
+				Protocol:          "tcp",
+				DestinationPort:   types.Port{IsRange: true, Values: []int{10600, 10699}},
+				TranslatedAddress: netip.MustParseAddr("100.64.31.206"),
+				TranslatedPort:    types.Port{IsRange: true, Values: []int{20600, 20699}},
+			},
+			{
+				Protocol:          "udp",
+				DestinationPort:   types.Port{IsRange: true, Values: []int{10700, 10799}},
+				TranslatedAddress: netip.MustParseAddr("100.64.10.206"),
+				TranslatedPort:    types.Port{IsRange: true, Values: []int{20700, 20799}},
+			},
+			{
+				Protocol:          "tcp",
+				DestinationPort:   types.Port{IsRange: true, Values: []int{10800, 10899}},
+				TranslatedAddress: netip.MustParseAddr("100.64.31.206"),
+				TranslatedPort:    types.Port{IsRange: true, Values: []int{20800, 20899}},
+			},
+			{
+				Protocol:          "udp",
+				DestinationPort:   types.Port{IsRange: true, Values: []int{10900, 10999}},
+				TranslatedAddress: netip.MustParseAddr("100.64.10.206"),
+				TranslatedPort:    types.Port{IsRange: true, Values: []int{20900, 20999}},
+			},
+			{
+				Protocol:          "tcp",
+				DestinationPort:   types.Port{IsRange: true, Values: []int{11000, 11099}},
+				TranslatedAddress: netip.MustParseAddr("100.64.31.206"),
+				TranslatedPort:    types.Port{IsRange: true, Values: []int{21000, 21099}},
+			},
+			{
+				Protocol:          "udp",
+				DestinationPort:   types.Port{IsRange: true, Values: []int{11100, 11199}},
+				TranslatedAddress: netip.MustParseAddr("100.64.10.206"),
+				TranslatedPort:    types.Port{IsRange: true, Values: []int{21100, 21199}},
+			},
+			{
+				Protocol:          "tcp",
+				DestinationPort:   types.Port{IsRange: true, Values: []int{11200, 11299}},
+				TranslatedAddress: netip.MustParseAddr("100.64.31.206"),
+				TranslatedPort:    types.Port{IsRange: true, Values: []int{21200, 21299}},
+			},
+			{
+				Protocol:          "udp",
+				DestinationPort:   types.Port{IsRange: true, Values: []int{11300, 11399}},
+				TranslatedAddress: netip.MustParseAddr("100.64.10.206"),
+				TranslatedPort:    types.Port{IsRange: true, Values: []int{21300, 21399}},
+			},
+			{
+				Protocol:          "tcp",
+				DestinationPort:   types.Port{IsRange: true, Values: []int{11400, 11499}},
+				TranslatedAddress: netip.MustParseAddr("100.64.31.206"),
+				TranslatedPort:    types.Port{IsRange: true, Values: []int{21400, 21499}},
+			},
+			{
+				Protocol:          "udp",
+				DestinationPort:   types.Port{IsRange: true, Values: []int{11500, 11599}},
+				TranslatedAddress: netip.MustParseAddr("100.64.10.206"),
+				TranslatedPort:    types.Port{IsRange: true, Values: []int{21500, 21599}},
+			},
+			{
+				Protocol:          "tcp",
+				DestinationPort:   types.Port{IsRange: true, Values: []int{11600, 11699}},
+				TranslatedAddress: netip.MustParseAddr("100.64.31.206"),
+				TranslatedPort:    types.Port{IsRange: true, Values: []int{21600, 21699}},
+			},
+			{
+				Protocol:          "udp",
+				DestinationPort:   types.Port{IsRange: true, Values: []int{11700, 11799}},
+				TranslatedAddress: netip.MustParseAddr("100.64.10.206"),
+				TranslatedPort:    types.Port{IsRange: true, Values: []int{21700, 21799}},
+			},
+			{
+				Protocol:          "tcp",
+				DestinationPort:   types.Port{IsRange: true, Values: []int{11800, 11899}},
+				TranslatedAddress: netip.MustParseAddr("100.64.31.206"),
+				TranslatedPort:    types.Port{IsRange: true, Values: []int{21800, 21899}},
+			},
+			{
+				Protocol:          "udp",
+				DestinationPort:   types.Port{IsRange: true, Values: []int{11900, 11999}},
+				TranslatedAddress: netip.MustParseAddr("100.64.10.206"),
+				TranslatedPort:    types.Port{IsRange: true, Values: []int{21900, 21999}},
+			},
+			{
+				Protocol:          "udp",
+				DestinationPort:   types.Port{IsRange: true, Values: []int{12000, 12099}},
+				TranslatedAddress: netip.MustParseAddr("100.64.31.206"),
+				TranslatedPort:    types.Port{IsRange: true, Values: []int{22000, 22099}},
+			},
+			{
+				Protocol:          "udp",
+				DestinationPort:   types.Port{IsRange: true, Values: []int{12100, 12199}},
+				TranslatedAddress: netip.MustParseAddr("100.64.10.206"),
+				TranslatedPort:    types.Port{IsRange: true, Values: []int{22100, 22199}},
+			},
+			{
+				Protocol:          "tcp",
+				DestinationPort:   types.Port{IsRange: true, Values: []int{12200, 12299}},
+				TranslatedAddress: netip.MustParseAddr("100.64.31.206"),
+				TranslatedPort:    types.Port{IsRange: true, Values: []int{22200, 22299}},
+			},
+			{
+				Protocol:          "udp",
+				DestinationPort:   types.Port{IsRange: true, Values: []int{12300, 12399}},
+				TranslatedAddress: netip.MustParseAddr("100.64.10.206"),
+				TranslatedPort:    types.Port{IsRange: true, Values: []int{22300, 22399}},
+			},
+			{
+				Protocol:          "tcp",
+				DestinationPort:   types.Port{IsRange: true, Values: []int{12400, 12499}},
+				TranslatedAddress: netip.MustParseAddr("100.64.31.206"),
+				TranslatedPort:    types.Port{IsRange: true, Values: []int{22400, 22499}},
+			},
+			{
+				Protocol:          "udp",
+				DestinationPort:   types.Port{IsRange: true, Values: []int{12500, 12599}},
+				TranslatedAddress: netip.MustParseAddr("100.64.10.206"),
+				TranslatedPort:    types.Port{IsRange: true, Values: []int{22500, 22599}},
+			},
+			{
+				Protocol:          "udp",
+				DestinationPort:   types.Port{IsRange: true, Values: []int{12600, 12699}},
+				TranslatedAddress: netip.MustParseAddr("100.64.31.206"),
+				TranslatedPort:    types.Port{IsRange: true, Values: []int{22600, 22699}},
+			},
+			{
+				Protocol:          "udp",
+				DestinationPort:   types.Port{IsRange: true, Values: []int{12700, 12799}},
+				TranslatedAddress: netip.MustParseAddr("100.64.10.206"),
+				TranslatedPort:    types.Port{IsRange: true, Values: []int{22700, 22799}},
+			},
+			{
+				Protocol:          "tcp",
+				DestinationPort:   types.Port{IsRange: true, Values: []int{12800, 12899}},
+				TranslatedAddress: netip.MustParseAddr("100.64.31.206"),
+				TranslatedPort:    types.Port{IsRange: true, Values: []int{22800, 22899}},
+			},
+			{
+				Protocol:          "udp",
+				DestinationPort:   types.Port{IsRange: true, Values: []int{12900, 12999}},
+				TranslatedAddress: netip.MustParseAddr("100.64.10.206"),
+				TranslatedPort:    types.Port{IsRange: true, Values: []int{22900, 22999}},
+			},
+		},
+	)
+
+	if err != nil {
+		log.Errorf("failed to update forwarding rules: %v", err)
+	}
+}
--- a/client/internal/ingressgw/manager.go
+++ b/client/internal/ingressgw/manager.go
@@ -0,0 +1,99 @@
+package ingressgw
+
+import (
+	"fmt"
+	"sync"
+
+	"github.com/hashicorp/go-multierror"
+	log "github.com/sirupsen/logrus"
+
+	nberrors "github.com/netbirdio/netbird/client/errors"
+	"github.com/netbirdio/netbird/client/firewall/firewaller"
+	"github.com/netbirdio/netbird/client/firewall/types"
+)
+
+type RulePair struct {
+	types.ForwardRule
+	types.Rule
+}
+
+type Manager struct {
+	firewall firewaller.Firewall
+
+	rules   map[string]RulePair // keys is the ID of the ForwardRule
+	rulesMu sync.Mutex
+}
+
+func NewManager(firewall firewaller.Firewall) *Manager {
+	return &Manager{
+		firewall: firewall,
+		rules:    make(map[string]RulePair),
+	}
+}
+
+func (h *Manager) Update(forwardRules []types.ForwardRule) error {
+	h.rulesMu.Lock()
+	defer h.rulesMu.Unlock()
+
+	var mErr *multierror.Error
+	toDelete := make(map[string]RulePair)
+	for id, r := range h.rules {
+		toDelete[id] = r
+	}
+
+	// Process new/updated rules
+	for _, fwdRule := range forwardRules {
+		id := fwdRule.GetRuleID()
+		if _, ok := h.rules[id]; ok {
+			delete(toDelete, id)
+			continue
+		}
+
+		rule, err := h.firewall.AddDNATRule(fwdRule)
+		if err != nil {
+			mErr = multierror.Append(mErr, fmt.Errorf("failed to add forward rule '%s': %v", fwdRule.String(), err))
+			continue
+		}
+		log.Infof("added forward rule '%s'", fwdRule)
+		h.rules[id] = RulePair{
+			ForwardRule: fwdRule,
+			Rule:        rule,
+		}
+	}
+
+	// Remove deleted rules
+	for id, rulePair := range toDelete {
+		if err := h.firewall.DeleteDNATRule(rulePair.Rule); err != nil {
+			mErr = multierror.Append(mErr, fmt.Errorf("failed to delete forward rule '%s': %v", rulePair.ForwardRule.String(), err))
+		}
+		delete(h.rules, id)
+	}
+
+	return nberrors.FormatErrorOrNil(mErr)
+}
+
+func (h *Manager) Close() error {
+	h.rulesMu.Lock()
+	defer h.rulesMu.Unlock()
+
+	log.Infof("clean up all forward rules (%d)", len(h.rules))
+	var mErr *multierror.Error
+	for _, rule := range h.rules {
+		if err := h.firewall.DeleteDNATRule(rule.Rule); err != nil {
+			mErr = multierror.Append(mErr, fmt.Errorf("failed to delete forward rule '%s': %v", rule, err))
+		}
+	}
+	return nberrors.FormatErrorOrNil(mErr)
+}
+
+func (h *Manager) Rules() []types.ForwardRule {
+	h.rulesMu.Lock()
+	defer h.rulesMu.Unlock()
+
+	rules := make([]types.ForwardRule, 0, len(h.rules))
+	for _, rulePair := range h.rules {
+		rules = append(rules, rulePair.ForwardRule)
+	}
+
+	return rules
+}
--- a/client/internal/message_convert.go
+++ b/client/internal/message_convert.go
@@ -0,0 +1,64 @@
+package internal
+
+import (
+	"errors"
+	"fmt"
+	"net"
+	"net/netip"
+
+	"github.com/netbirdio/netbird/client/firewall/types"
+	mgmProto "github.com/netbirdio/netbird/management/proto"
+)
+
+func convertToFirewallProtocol(protocol mgmProto.RuleProtocol) (types.Protocol, error) {
+	switch protocol {
+	case mgmProto.RuleProtocol_TCP:
+		return types.ProtocolTCP, nil
+	case mgmProto.RuleProtocol_UDP:
+		return types.ProtocolUDP, nil
+	case mgmProto.RuleProtocol_ICMP:
+		return types.ProtocolICMP, nil
+	case mgmProto.RuleProtocol_ALL:
+		return types.ProtocolALL, nil
+	default:
+		return types.ProtocolALL, fmt.Errorf("invalid protocol type: %s", protocol.String())
+	}
+}
+
+// convertPortInfo todo: write validation for portInfo
+func convertPortInfo(portInfo *mgmProto.PortInfo) *types.Port {
+	if portInfo == nil {
+		return nil
+	}
+
+	if portInfo.GetPort() != 0 {
+		return &types.Port{
+			Values: []int{int(portInfo.GetPort())},
+		}
+	}
+
+	if portInfo.GetRange() != nil {
+		return &types.Port{
+			IsRange: true,
+			Values:  []int{int(portInfo.GetRange().Start), int(portInfo.GetRange().End)},
+		}
+	}
+
+	return nil
+}
+
+func convertToIP(rawIP []byte) (netip.Addr, error) {
+	if rawIP == nil {
+		return netip.Addr{}, errors.New("input bytes cannot be nil")
+	}
+
+	if len(rawIP) != net.IPv4len && len(rawIP) != net.IPv6len {
+		return netip.Addr{}, fmt.Errorf("invalid IP length: %d", len(rawIP))
+	}
+
+	if len(rawIP) == net.IPv4len {
+		return netip.AddrFrom4([4]byte(rawIP)), nil
+	}
+
+	return netip.AddrFrom16([16]byte(rawIP)), nil
+}
--- a/client/internal/peer/status.go
+++ b/client/internal/peer/status.go
@@ -11,7 +11,9 @@ import (
 	"google.golang.org/grpc/codes"
 	gstatus "google.golang.org/grpc/status"

+	firewall "github.com/netbirdio/netbird/client/firewall/types"
 	"github.com/netbirdio/netbird/client/iface/configurer"
+	"github.com/netbirdio/netbird/client/internal/ingressgw"
 	"github.com/netbirdio/netbird/client/internal/relay"
 	"github.com/netbirdio/netbird/management/domain"
 	relayClient "github.com/netbirdio/netbird/relay/client"
@@ -157,6 +159,8 @@ type Status struct {
 	peerListChangedForNotification bool

 	relayMgr *relayClient.Manager
+
+	ingressGwMgr *ingressgw.Manager
 }

 // NewRecorder returns a new Status instance
@@ -177,6 +181,12 @@ func (d *Status) SetRelayMgr(manager *relayClient.Manager) {
 	d.relayMgr = manager
 }

+func (d *Status) SetIngressGwMgr(ingressGwMgr *ingressgw.Manager) {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+	d.ingressGwMgr = ingressGwMgr
+}
+
 // ReplaceOfflinePeers replaces
 func (d *Status) ReplaceOfflinePeers(replacement []State) {
 	d.mux.Lock()
@@ -718,6 +728,16 @@ func (d *Status) GetRelayStates() []relay.ProbeResult {
 	return append(relayStates, relayState)
 }

+func (d *Status) ForwardingRules() []firewall.ForwardRule {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+	if d.ingressGwMgr == nil {
+		return nil
+	}
+
+	return d.ingressGwMgr.Rules()
+}
+
 func (d *Status) GetDNSStates() []NSGroupState {
 	d.mux.Lock()
 	defer d.mux.Unlock()
--- a/client/internal/routemanager/manager.go
+++ b/client/internal/routemanager/manager.go
@@ -14,7 +14,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/exp/maps"

-	firewall "github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/firewall/firewaller"
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/configurer"
 	"github.com/netbirdio/netbird/client/iface/netstack"
@@ -44,7 +44,7 @@ type Manager interface {
 	GetClientRoutesWithNetID() map[route.NetID][]*route.Route
 	SetRouteChangeListener(listener listener.NetworkChangeListener)
 	InitialRouteRange() []string
-	EnableServerRouter(firewall firewall.Manager) error
+	EnableServerRouter(firewall firewaller.Firewall) error
 	Stop(stateManager *statemanager.Manager)
 }

@@ -214,7 +214,7 @@ func (m *DefaultManager) initSelector() *routeselector.RouteSelector {
 	return routeselector.NewRouteSelector()
 }

-func (m *DefaultManager) EnableServerRouter(firewall firewall.Manager) error {
+func (m *DefaultManager) EnableServerRouter(firewall firewaller.Firewall) error {
 	if m.disableServerRoutes {
 		log.Info("server routes are disabled")
 		return nil
--- a/client/internal/routemanager/mock.go
+++ b/client/internal/routemanager/mock.go
@@ -3,7 +3,7 @@ package routemanager
 import (
 	"context"

-	firewall "github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/firewall/firewaller"
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/internal/listener"
 	"github.com/netbirdio/netbird/client/internal/routeselector"
@@ -78,7 +78,7 @@ func (m *MockManager) SetRouteChangeListener(listener listener.NetworkChangeList

 }

-func (m *MockManager) EnableServerRouter(firewall firewall.Manager) error {
+func (m *MockManager) EnableServerRouter(firewall firewaller.Firewall) error {
 	panic("implement me")
 }

--- a/client/internal/routemanager/server_android.go
+++ b/client/internal/routemanager/server_android.go
@@ -6,7 +6,6 @@ import (
 	"context"
 	"fmt"

-	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/route"
@@ -22,6 +21,6 @@ func (r serverRouter) updateRoutes(map[route.ID]*route.Route) error {
 	return nil
 }

-func newServerRouter(context.Context, iface.IWGIface, firewall.Manager, *peer.Status) (*serverRouter, error) {
+func newServerRouter(context.Context, iface.IWGIface, firewaller.Firewall, *peer.Status) (*serverRouter, error) {
 	return nil, fmt.Errorf("server route not supported on this os")
 }
--- a/client/internal/routemanager/server_nonandroid.go
+++ b/client/internal/routemanager/server_nonandroid.go
@@ -10,7 +10,8 @@ import (

 	log "github.com/sirupsen/logrus"

-	firewall "github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/firewall/firewaller"
+	"github.com/netbirdio/netbird/client/firewall/types"
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
@@ -21,12 +22,12 @@ type serverRouter struct {
 	mux            sync.Mutex
 	ctx            context.Context
 	routes         map[route.ID]*route.Route
-	firewall       firewall.Manager
+	firewall       firewaller.Firewall
 	wgInterface    iface.IWGIface
 	statusRecorder *peer.Status
 }

-func newServerRouter(ctx context.Context, wgInterface iface.IWGIface, firewall firewall.Manager, statusRecorder *peer.Status) (*serverRouter, error) {
+func newServerRouter(ctx context.Context, wgInterface iface.IWGIface, firewall firewaller.Firewall, statusRecorder *peer.Status) (*serverRouter, error) {
 	return &serverRouter{
 		ctx:            ctx,
 		routes:         make(map[route.ID]*route.Route),
@@ -167,7 +168,7 @@ func (m *serverRouter) cleanUp() {
 	m.statusRecorder.UpdateLocalPeerState(state)
 }

-func routeToRouterPair(route *route.Route) (firewall.RouterPair, error) {
+func routeToRouterPair(route *route.Route) (types.RouterPair, error) {
 	// TODO: add ipv6
 	source := getDefaultPrefix(route.Network)

@@ -177,7 +178,7 @@ func routeToRouterPair(route *route.Route) (firewall.RouterPair, error) {
 		destination = getDefaultPrefix(destination)
 	}

-	return firewall.RouterPair{
+	return types.RouterPair{
 		ID:          route.ID,
 		Source:      source,
 		Destination: destination,
--- a/client/proto/daemon.pb.go
+++ b/client/proto/daemon.pb.go
--- a/client/proto/daemon.proto
+++ b/client/proto/daemon.proto
@@ -8,6 +8,8 @@ option go_package = "/proto";

 package daemon;

+message EmptyRequest {}
+
 service DaemonService {
  // Login uses setup key to prepare configuration for the daemon.
  rpc Login(LoginRequest) returns (LoginResponse) {}
@@ -37,6 +39,8 @@ service DaemonService {
  // Deselect specific routes
  rpc DeselectNetworks(SelectNetworksRequest) returns (SelectNetworksResponse) {}

+  rpc ForwardingRules(EmptyRequest) returns (ForwardingRulesResponse) {}
+
  // DebugBundle creates a debug bundle
  rpc DebugBundle(DebugBundleRequest) returns (DebugBundleResponse) {}

@@ -251,6 +255,7 @@ message FullStatus {
  repeated NSGroupState dns_servers = 6;
 }

+// Networks
 message ListNetworksRequest {
 }

@@ -271,7 +276,6 @@ message IPList {
  repeated string ips = 1;
 }

-
 message Network {
  string ID = 1;
  string range = 2;
@@ -280,6 +284,32 @@ message Network {
  map<string, IPList> resolvedIPs = 5;
 }

+// ForwardingRules
+message PortInfo {
+  oneof portSelection {
+    uint32 port = 1;
+    Range range = 2;
+  }
+
+  message Range {
+    uint32 start = 1;
+    uint32 end = 2;
+  }
+}
+
+message ForwardingRule {
+  string protocol = 1;
+  PortInfo destinationPort = 2;
+  string translatedAddress = 3;
+  PortInfo translatedPort = 4;
+}
+
+message ForwardingRulesResponse {
+  repeated ForwardingRule rules = 1;
+}
+
+
+// DebugBundler
 message DebugBundleRequest {
  bool anonymize = 1;
  string status = 2;
--- a/client/proto/daemon_grpc.pb.go
+++ b/client/proto/daemon_grpc.pb.go
@@ -37,6 +37,7 @@ type DaemonServiceClient interface {
 	SelectNetworks(ctx context.Context, in *SelectNetworksRequest, opts ...grpc.CallOption) (*SelectNetworksResponse, error)
 	// Deselect specific routes
 	DeselectNetworks(ctx context.Context, in *SelectNetworksRequest, opts ...grpc.CallOption) (*SelectNetworksResponse, error)
+	ForwardingRules(ctx context.Context, in *EmptyRequest, opts ...grpc.CallOption) (*ForwardingRulesResponse, error)
 	// DebugBundle creates a debug bundle
 	DebugBundle(ctx context.Context, in *DebugBundleRequest, opts ...grpc.CallOption) (*DebugBundleResponse, error)
 	// GetLogLevel gets the log level of the daemon
@@ -142,6 +143,15 @@ func (c *daemonServiceClient) DeselectNetworks(ctx context.Context, in *SelectNe
 	return out, nil
 }

+func (c *daemonServiceClient) ForwardingRules(ctx context.Context, in *EmptyRequest, opts ...grpc.CallOption) (*ForwardingRulesResponse, error) {
+	out := new(ForwardingRulesResponse)
+	err := c.cc.Invoke(ctx, "/daemon.DaemonService/ForwardingRules", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 func (c *daemonServiceClient) DebugBundle(ctx context.Context, in *DebugBundleRequest, opts ...grpc.CallOption) (*DebugBundleResponse, error) {
 	out := new(DebugBundleResponse)
 	err := c.cc.Invoke(ctx, "/daemon.DaemonService/DebugBundle", in, out, opts...)
@@ -228,6 +238,7 @@ type DaemonServiceServer interface {
 	SelectNetworks(context.Context, *SelectNetworksRequest) (*SelectNetworksResponse, error)
 	// Deselect specific routes
 	DeselectNetworks(context.Context, *SelectNetworksRequest) (*SelectNetworksResponse, error)
+	ForwardingRules(context.Context, *EmptyRequest) (*ForwardingRulesResponse, error)
 	// DebugBundle creates a debug bundle
 	DebugBundle(context.Context, *DebugBundleRequest) (*DebugBundleResponse, error)
 	// GetLogLevel gets the log level of the daemon
@@ -276,6 +287,9 @@ func (UnimplementedDaemonServiceServer) SelectNetworks(context.Context, *SelectN
 func (UnimplementedDaemonServiceServer) DeselectNetworks(context.Context, *SelectNetworksRequest) (*SelectNetworksResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method DeselectNetworks not implemented")
 }
+func (UnimplementedDaemonServiceServer) ForwardingRules(context.Context, *EmptyRequest) (*ForwardingRulesResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method ForwardingRules not implemented")
+}
 func (UnimplementedDaemonServiceServer) DebugBundle(context.Context, *DebugBundleRequest) (*DebugBundleResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method DebugBundle not implemented")
 }
@@ -472,6 +486,24 @@ func _DaemonService_DeselectNetworks_Handler(srv interface{}, ctx context.Contex
 	return interceptor(ctx, in, info, handler)
 }

+func _DaemonService_ForwardingRules_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(EmptyRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DaemonServiceServer).ForwardingRules(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/daemon.DaemonService/ForwardingRules",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DaemonServiceServer).ForwardingRules(ctx, req.(*EmptyRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 func _DaemonService_DebugBundle_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(DebugBundleRequest)
 	if err := dec(in); err != nil {
@@ -641,6 +673,10 @@ var DaemonService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "DeselectNetworks",
 			Handler:    _DaemonService_DeselectNetworks_Handler,
 		},
+		{
+			MethodName: "ForwardingRules",
+			Handler:    _DaemonService_ForwardingRules_Handler,
+		},
 		{
 			MethodName: "DebugBundle",
 			Handler:    _DaemonService_DebugBundle_Handler,
--- a/client/server/forwardingrules.go
+++ b/client/server/forwardingrules.go
@@ -0,0 +1,46 @@
+package server
+
+import (
+	"context"
+
+	firewall "github.com/netbirdio/netbird/client/firewall/types"
+	"github.com/netbirdio/netbird/client/proto"
+)
+
+func (s *Server) ForwardingRules(context.Context, *proto.EmptyRequest) (*proto.ForwardingRulesResponse, error) {
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+
+	rules := s.statusRecorder.ForwardingRules()
+
+	responseRules := make([]*proto.ForwardingRule, 0, len(rules))
+	for _, rule := range rules {
+
+		respRule := &proto.ForwardingRule{
+			Protocol:          string(rule.Protocol),
+			DestinationPort:   portToProto(rule.DestinationPort),
+			TranslatedAddress: rule.TranslatedAddress.String(),
+			TranslatedPort:    portToProto(rule.TranslatedPort),
+		}
+		responseRules = append(responseRules, respRule)
+
+	}
+
+	return &proto.ForwardingRulesResponse{Rules: responseRules}, nil
+}
+
+func portToProto(port firewall.Port) *proto.PortInfo {
+	var portInfo proto.PortInfo
+
+	if !port.IsRange {
+		portInfo.PortSelection = &proto.PortInfo_Port{Port: uint32(port.Values[0])}
+	} else {
+		portInfo.PortSelection = &proto.PortInfo_Range_{
+			Range: &proto.PortInfo_Range{
+				Start: uint32(port.Values[0]),
+				End:   uint32(port.Values[1]),
+			},
+		}
+	}
+	return &portInfo
+}
--- a/management/proto/management.pb.go
+++ b/management/proto/management.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.26.0
-// 	protoc        v4.24.3
+// 	protoc        v3.21.12
 // source: management.proto

 package proto
@@ -1599,7 +1599,8 @@ type NetworkMap struct {
 	// RoutesFirewallRules represents a list of routes firewall rules to be applied to peer
 	RoutesFirewallRules []*RouteFirewallRule `protobuf:"bytes,10,rep,name=routesFirewallRules,proto3" json:"routesFirewallRules,omitempty"`
 	// RoutesFirewallRulesIsEmpty indicates whether RouteFirewallRule array is empty or not to bypass protobuf null and empty array equality.
-	RoutesFirewallRulesIsEmpty bool `protobuf:"varint,11,opt,name=routesFirewallRulesIsEmpty,proto3" json:"routesFirewallRulesIsEmpty,omitempty"`
+	RoutesFirewallRulesIsEmpty bool              `protobuf:"varint,11,opt,name=routesFirewallRulesIsEmpty,proto3" json:"routesFirewallRulesIsEmpty,omitempty"`
+	ForwardingRules            []*ForwardingRule `protobuf:"bytes,12,rep,name=forwardingRules,proto3" json:"forwardingRules,omitempty"`
 }

 func (x *NetworkMap) Reset() {
@@ -1711,6 +1712,13 @@ func (x *NetworkMap) GetRoutesFirewallRulesIsEmpty() bool {
 	return false
 }

+func (x *NetworkMap) GetForwardingRules() []*ForwardingRule {
+	if x != nil {
+		return x.ForwardingRules
+	}
+	return nil
+}
+
 // RemotePeerConfig represents a configuration of a remote peer.
 // The properties are used to configure WireGuard Peers sections
 type RemotePeerConfig struct {
@@ -2988,6 +2996,82 @@ func (x *RouteFirewallRule) GetCustomProtocol() uint32 {
 	return 0
 }

+type ForwardingRule struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// Protocol of the forwarding rule
+	Protocol RuleProtocol `protobuf:"varint,1,opt,name=protocol,proto3,enum=management.RuleProtocol" json:"protocol,omitempty"`
+	// portInfo is the ingress destination port information, where the traffic arrives in the gateway node
+	DestinationPort *PortInfo `protobuf:"bytes,2,opt,name=destinationPort,proto3" json:"destinationPort,omitempty"`
+	// IP address of the translated address (remote peer) to send traffic to
+	// todo type pending
+	TranslatedAddress []byte `protobuf:"bytes,3,opt,name=translatedAddress,proto3" json:"translatedAddress,omitempty"`
+	// Translated port information, where the traffic should be forwarded to
+	TranslatedPort *PortInfo `protobuf:"bytes,4,opt,name=translatedPort,proto3" json:"translatedPort,omitempty"`
+}
+
+func (x *ForwardingRule) Reset() {
+	*x = ForwardingRule{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_management_proto_msgTypes[37]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *ForwardingRule) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ForwardingRule) ProtoMessage() {}
+
+func (x *ForwardingRule) ProtoReflect() protoreflect.Message {
+	mi := &file_management_proto_msgTypes[37]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ForwardingRule.ProtoReflect.Descriptor instead.
+func (*ForwardingRule) Descriptor() ([]byte, []int) {
+	return file_management_proto_rawDescGZIP(), []int{37}
+}
+
+func (x *ForwardingRule) GetProtocol() RuleProtocol {
+	if x != nil {
+		return x.Protocol
+	}
+	return RuleProtocol_UNKNOWN
+}
+
+func (x *ForwardingRule) GetDestinationPort() *PortInfo {
+	if x != nil {
+		return x.DestinationPort
+	}
+	return nil
+}
+
+func (x *ForwardingRule) GetTranslatedAddress() []byte {
+	if x != nil {
+		return x.TranslatedAddress
+	}
+	return nil
+}
+
+func (x *ForwardingRule) GetTranslatedPort() *PortInfo {
+	if x != nil {
+		return x.TranslatedPort
+	}
+	return nil
+}
+
 type PortInfo_Range struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
@@ -3000,7 +3084,7 @@ type PortInfo_Range struct {
 func (x *PortInfo_Range) Reset() {
 	*x = PortInfo_Range{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_management_proto_msgTypes[37]
+		mi := &file_management_proto_msgTypes[38]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -3013,7 +3097,7 @@ func (x *PortInfo_Range) String() string {
 func (*PortInfo_Range) ProtoMessage() {}

 func (x *PortInfo_Range) ProtoReflect() protoreflect.Message {
-	mi := &file_management_proto_msgTypes[37]
+	mi := &file_management_proto_msgTypes[38]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -3243,7 +3327,7 @@ var file_management_proto_rawDesc = []byte{
 	0x6f, 0x6e, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x52,
 	0x1f, 0x52, 0x6f, 0x75, 0x74, 0x69, 0x6e, 0x67, 0x50, 0x65, 0x65, 0x72, 0x44, 0x6e, 0x73, 0x52,
 	0x65, 0x73, 0x6f, 0x6c, 0x75, 0x74, 0x69, 0x6f, 0x6e, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64,
-	0x22, 0xf3, 0x04, 0x0a, 0x0a, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x4d, 0x61, 0x70, 0x12,
+	0x22, 0xb9, 0x05, 0x0a, 0x0a, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x4d, 0x61, 0x70, 0x12,
 	0x16, 0x0a, 0x06, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52,
 	0x06, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x12, 0x36, 0x0a, 0x0a, 0x70, 0x65, 0x65, 0x72, 0x43,
 	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x6d, 0x61,
@@ -3282,215 +3366,235 @@ var file_management_proto_rawDesc = []byte{
 	0x46, 0x69, 0x72, 0x65, 0x77, 0x61, 0x6c, 0x6c, 0x52, 0x75, 0x6c, 0x65, 0x73, 0x49, 0x73, 0x45,
 	0x6d, 0x70, 0x74, 0x79, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x08, 0x52, 0x1a, 0x72, 0x6f, 0x75, 0x74,
 	0x65, 0x73, 0x46, 0x69, 0x72, 0x65, 0x77, 0x61, 0x6c, 0x6c, 0x52, 0x75, 0x6c, 0x65, 0x73, 0x49,
-	0x73, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x97, 0x01, 0x0a, 0x10, 0x52, 0x65, 0x6d, 0x6f, 0x74,
-	0x65, 0x50, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x1a, 0x0a, 0x08, 0x77,
-	0x67, 0x50, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x77,
-	0x67, 0x50, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x12, 0x1e, 0x0a, 0x0a, 0x61, 0x6c, 0x6c, 0x6f, 0x77,
-	0x65, 0x64, 0x49, 0x70, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0a, 0x61, 0x6c, 0x6c,
-	0x6f, 0x77, 0x65, 0x64, 0x49, 0x70, 0x73, 0x12, 0x33, 0x0a, 0x09, 0x73, 0x73, 0x68, 0x43, 0x6f,
-	0x6e, 0x66, 0x69, 0x67, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x6d, 0x61, 0x6e,
-	0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x53, 0x48, 0x43, 0x6f, 0x6e, 0x66, 0x69,
-	0x67, 0x52, 0x09, 0x73, 0x73, 0x68, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x12, 0x0a, 0x04,
-	0x66, 0x71, 0x64, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x66, 0x71, 0x64, 0x6e,
-	0x22, 0x49, 0x0a, 0x09, 0x53, 0x53, 0x48, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x1e, 0x0a,
-	0x0a, 0x73, 0x73, 0x68, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28,
-	0x08, 0x52, 0x0a, 0x73, 0x73, 0x68, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x12, 0x1c, 0x0a,
-	0x09, 0x73, 0x73, 0x68, 0x50, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c,
-	0x52, 0x09, 0x73, 0x73, 0x68, 0x50, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x22, 0x20, 0x0a, 0x1e, 0x44,
+	0x73, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x12, 0x44, 0x0a, 0x0f, 0x66, 0x6f, 0x72, 0x77, 0x61, 0x72,
+	0x64, 0x69, 0x6e, 0x67, 0x52, 0x75, 0x6c, 0x65, 0x73, 0x18, 0x0c, 0x20, 0x03, 0x28, 0x0b, 0x32,
+	0x1a, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x46, 0x6f, 0x72,
+	0x77, 0x61, 0x72, 0x64, 0x69, 0x6e, 0x67, 0x52, 0x75, 0x6c, 0x65, 0x52, 0x0f, 0x66, 0x6f, 0x72,
+	0x77, 0x61, 0x72, 0x64, 0x69, 0x6e, 0x67, 0x52, 0x75, 0x6c, 0x65, 0x73, 0x22, 0x97, 0x01, 0x0a,
+	0x10, 0x52, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x50, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69,
+	0x67, 0x12, 0x1a, 0x0a, 0x08, 0x77, 0x67, 0x50, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x18, 0x01, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x08, 0x77, 0x67, 0x50, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x12, 0x1e, 0x0a,
+	0x0a, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x49, 0x70, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28,
+	0x09, 0x52, 0x0a, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x49, 0x70, 0x73, 0x12, 0x33, 0x0a,
+	0x09, 0x73, 0x73, 0x68, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b,
+	0x32, 0x15, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x53,
+	0x48, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x09, 0x73, 0x73, 0x68, 0x43, 0x6f, 0x6e, 0x66,
+	0x69, 0x67, 0x12, 0x12, 0x0a, 0x04, 0x66, 0x71, 0x64, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x04, 0x66, 0x71, 0x64, 0x6e, 0x22, 0x49, 0x0a, 0x09, 0x53, 0x53, 0x48, 0x43, 0x6f, 0x6e,
+	0x66, 0x69, 0x67, 0x12, 0x1e, 0x0a, 0x0a, 0x73, 0x73, 0x68, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65,
+	0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x73, 0x73, 0x68, 0x45, 0x6e, 0x61, 0x62,
+	0x6c, 0x65, 0x64, 0x12, 0x1c, 0x0a, 0x09, 0x73, 0x73, 0x68, 0x50, 0x75, 0x62, 0x4b, 0x65, 0x79,
+	0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x73, 0x73, 0x68, 0x50, 0x75, 0x62, 0x4b, 0x65,
+	0x79, 0x22, 0x20, 0x0a, 0x1e, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f,
+	0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x46, 0x6c, 0x6f, 0x77, 0x52, 0x65, 0x71, 0x75,
+	0x65, 0x73, 0x74, 0x22, 0xbf, 0x01, 0x0a, 0x17, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x41, 0x75,
+	0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x46, 0x6c, 0x6f, 0x77, 0x12,
+	0x48, 0x0a, 0x08, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28,
+	0x0e, 0x32, 0x2c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x44,
 	0x65, 0x76, 0x69, 0x63, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69,
-	0x6f, 0x6e, 0x46, 0x6c, 0x6f, 0x77, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0xbf, 0x01,
-	0x0a, 0x17, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a,
-	0x61, 0x74, 0x69, 0x6f, 0x6e, 0x46, 0x6c, 0x6f, 0x77, 0x12, 0x48, 0x0a, 0x08, 0x50, 0x72, 0x6f,
-	0x76, 0x69, 0x64, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x2c, 0x2e, 0x6d, 0x61,
-	0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x41,
-	0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x46, 0x6c, 0x6f, 0x77,
-	0x2e, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x52, 0x08, 0x50, 0x72, 0x6f, 0x76, 0x69,
-	0x64, 0x65, 0x72, 0x12, 0x42, 0x0a, 0x0e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x43,
-	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x6d, 0x61,
-	0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65,
-	0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65,
-	0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x22, 0x16, 0x0a, 0x08, 0x70, 0x72, 0x6f, 0x76, 0x69,
-	0x64, 0x65, 0x72, 0x12, 0x0a, 0x0a, 0x06, 0x48, 0x4f, 0x53, 0x54, 0x45, 0x44, 0x10, 0x00, 0x22,
-	0x1e, 0x0a, 0x1c, 0x50, 0x4b, 0x43, 0x45, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61,
-	0x74, 0x69, 0x6f, 0x6e, 0x46, 0x6c, 0x6f, 0x77, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22,
-	0x5b, 0x0a, 0x15, 0x50, 0x4b, 0x43, 0x45, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61,
-	0x74, 0x69, 0x6f, 0x6e, 0x46, 0x6c, 0x6f, 0x77, 0x12, 0x42, 0x0a, 0x0e, 0x50, 0x72, 0x6f, 0x76,
-	0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b,
-	0x32, 0x1a, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x50, 0x72,
-	0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0e, 0x50, 0x72,
-	0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x22, 0xea, 0x02, 0x0a,
-	0x0e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12,
-	0x1a, 0x0a, 0x08, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x49, 0x44, 0x18, 0x01, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x08, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x49, 0x44, 0x12, 0x22, 0x0a, 0x0c, 0x43,
-	0x6c, 0x69, 0x65, 0x6e, 0x74, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x0c, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x12,
-	0x16, 0x0a, 0x06, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52,
-	0x06, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x12, 0x1a, 0x0a, 0x08, 0x41, 0x75, 0x64, 0x69, 0x65,
-	0x6e, 0x63, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x41, 0x75, 0x64, 0x69, 0x65,
-	0x6e, 0x63, 0x65, 0x12, 0x2e, 0x0a, 0x12, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x41, 0x75, 0x74,
-	0x68, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52,
-	0x12, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x41, 0x75, 0x74, 0x68, 0x45, 0x6e, 0x64, 0x70, 0x6f,
-	0x69, 0x6e, 0x74, 0x12, 0x24, 0x0a, 0x0d, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x45, 0x6e, 0x64, 0x70,
-	0x6f, 0x69, 0x6e, 0x74, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x54, 0x6f, 0x6b, 0x65,
-	0x6e, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x12, 0x14, 0x0a, 0x05, 0x53, 0x63, 0x6f,
-	0x70, 0x65, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x12,
-	0x1e, 0x0a, 0x0a, 0x55, 0x73, 0x65, 0x49, 0x44, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x08, 0x20,
-	0x01, 0x28, 0x08, 0x52, 0x0a, 0x55, 0x73, 0x65, 0x49, 0x44, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x12,
-	0x34, 0x0a, 0x15, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e,
-	0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x18, 0x09, 0x20, 0x01, 0x28, 0x09, 0x52, 0x15,
-	0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x45, 0x6e, 0x64,
-	0x70, 0x6f, 0x69, 0x6e, 0x74, 0x12, 0x22, 0x0a, 0x0c, 0x52, 0x65, 0x64, 0x69, 0x72, 0x65, 0x63,
-	0x74, 0x55, 0x52, 0x4c, 0x73, 0x18, 0x0a, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0c, 0x52, 0x65, 0x64,
-	0x69, 0x72, 0x65, 0x63, 0x74, 0x55, 0x52, 0x4c, 0x73, 0x22, 0xed, 0x01, 0x0a, 0x05, 0x52, 0x6f,
-	0x75, 0x74, 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x49, 0x44, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
-	0x02, 0x49, 0x44, 0x12, 0x18, 0x0a, 0x07, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x18, 0x02,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x12, 0x20, 0x0a,
-	0x0b, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x54, 0x79, 0x70, 0x65, 0x18, 0x03, 0x20, 0x01,
-	0x28, 0x03, 0x52, 0x0b, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x54, 0x79, 0x70, 0x65, 0x12,
-	0x12, 0x0a, 0x04, 0x50, 0x65, 0x65, 0x72, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x50,
-	0x65, 0x65, 0x72, 0x12, 0x16, 0x0a, 0x06, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x18, 0x05, 0x20,
-	0x01, 0x28, 0x03, 0x52, 0x06, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x12, 0x1e, 0x0a, 0x0a, 0x4d,
-	0x61, 0x73, 0x71, 0x75, 0x65, 0x72, 0x61, 0x64, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52,
-	0x0a, 0x4d, 0x61, 0x73, 0x71, 0x75, 0x65, 0x72, 0x61, 0x64, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x4e,
-	0x65, 0x74, 0x49, 0x44, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x4e, 0x65, 0x74, 0x49,
-	0x44, 0x12, 0x18, 0x0a, 0x07, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x73, 0x18, 0x08, 0x20, 0x03,
-	0x28, 0x09, 0x52, 0x07, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x73, 0x12, 0x1c, 0x0a, 0x09, 0x6b,
-	0x65, 0x65, 0x70, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x18, 0x09, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09,
-	0x6b, 0x65, 0x65, 0x70, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x22, 0xb4, 0x01, 0x0a, 0x09, 0x44, 0x4e,
-	0x53, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x24, 0x0a, 0x0d, 0x53, 0x65, 0x72, 0x76, 0x69,
-	0x63, 0x65, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0d,
-	0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x12, 0x47, 0x0a,
-	0x10, 0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x47, 0x72, 0x6f, 0x75, 0x70,
-	0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65,
-	0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x47,
-	0x72, 0x6f, 0x75, 0x70, 0x52, 0x10, 0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
-	0x47, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x12, 0x38, 0x0a, 0x0b, 0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d,
-	0x5a, 0x6f, 0x6e, 0x65, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x6d, 0x61,
-	0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x5a,
-	0x6f, 0x6e, 0x65, 0x52, 0x0b, 0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x5a, 0x6f, 0x6e, 0x65, 0x73,
-	0x22, 0x58, 0x0a, 0x0a, 0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x5a, 0x6f, 0x6e, 0x65, 0x12, 0x16,
-	0x0a, 0x06, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06,
-	0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x12, 0x32, 0x0a, 0x07, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64,
-	0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x18, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65,
-	0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x69, 0x6d, 0x70, 0x6c, 0x65, 0x52, 0x65, 0x63, 0x6f, 0x72,
-	0x64, 0x52, 0x07, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x73, 0x22, 0x74, 0x0a, 0x0c, 0x53, 0x69,
-	0x6d, 0x70, 0x6c, 0x65, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x4e, 0x61,
-	0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x12,
-	0x0a, 0x04, 0x54, 0x79, 0x70, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x03, 0x52, 0x04, 0x54, 0x79,
-	0x70, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x43, 0x6c, 0x61, 0x73, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x05, 0x43, 0x6c, 0x61, 0x73, 0x73, 0x12, 0x10, 0x0a, 0x03, 0x54, 0x54, 0x4c, 0x18,
-	0x04, 0x20, 0x01, 0x28, 0x03, 0x52, 0x03, 0x54, 0x54, 0x4c, 0x12, 0x14, 0x0a, 0x05, 0x52, 0x44,
-	0x61, 0x74, 0x61, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x52, 0x44, 0x61, 0x74, 0x61,
-	0x22, 0xb3, 0x01, 0x0a, 0x0f, 0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x47,
-	0x72, 0x6f, 0x75, 0x70, 0x12, 0x38, 0x0a, 0x0b, 0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76,
-	0x65, 0x72, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x6d, 0x61, 0x6e, 0x61,
-	0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65,
-	0x72, 0x52, 0x0b, 0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x12, 0x18,
-	0x0a, 0x07, 0x50, 0x72, 0x69, 0x6d, 0x61, 0x72, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52,
-	0x07, 0x50, 0x72, 0x69, 0x6d, 0x61, 0x72, 0x79, 0x12, 0x18, 0x0a, 0x07, 0x44, 0x6f, 0x6d, 0x61,
-	0x69, 0x6e, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07, 0x44, 0x6f, 0x6d, 0x61, 0x69,
-	0x6e, 0x73, 0x12, 0x32, 0x0a, 0x14, 0x53, 0x65, 0x61, 0x72, 0x63, 0x68, 0x44, 0x6f, 0x6d, 0x61,
-	0x69, 0x6e, 0x73, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08,
-	0x52, 0x14, 0x53, 0x65, 0x61, 0x72, 0x63, 0x68, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x73, 0x45,
-	0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x22, 0x48, 0x0a, 0x0a, 0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65,
-	0x72, 0x76, 0x65, 0x72, 0x12, 0x0e, 0x0a, 0x02, 0x49, 0x50, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
-	0x52, 0x02, 0x49, 0x50, 0x12, 0x16, 0x0a, 0x06, 0x4e, 0x53, 0x54, 0x79, 0x70, 0x65, 0x18, 0x02,
-	0x20, 0x01, 0x28, 0x03, 0x52, 0x06, 0x4e, 0x53, 0x54, 0x79, 0x70, 0x65, 0x12, 0x12, 0x0a, 0x04,
-	0x50, 0x6f, 0x72, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52, 0x04, 0x50, 0x6f, 0x72, 0x74,
-	0x22, 0xd9, 0x01, 0x0a, 0x0c, 0x46, 0x69, 0x72, 0x65, 0x77, 0x61, 0x6c, 0x6c, 0x52, 0x75, 0x6c,
-	0x65, 0x12, 0x16, 0x0a, 0x06, 0x50, 0x65, 0x65, 0x72, 0x49, 0x50, 0x18, 0x01, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x06, 0x50, 0x65, 0x65, 0x72, 0x49, 0x50, 0x12, 0x37, 0x0a, 0x09, 0x44, 0x69, 0x72,
-	0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x19, 0x2e, 0x6d,
-	0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x52, 0x75, 0x6c, 0x65, 0x44, 0x69,
-	0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x09, 0x44, 0x69, 0x72, 0x65, 0x63, 0x74, 0x69,
-	0x6f, 0x6e, 0x12, 0x2e, 0x0a, 0x06, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01,
-	0x28, 0x0e, 0x32, 0x16, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e,
-	0x52, 0x75, 0x6c, 0x65, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x06, 0x41, 0x63, 0x74, 0x69,
-	0x6f, 0x6e, 0x12, 0x34, 0x0a, 0x08, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x04,
-	0x20, 0x01, 0x28, 0x0e, 0x32, 0x18, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e,
-	0x74, 0x2e, 0x52, 0x75, 0x6c, 0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x52, 0x08,
-	0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x12, 0x0a, 0x04, 0x50, 0x6f, 0x72, 0x74,
-	0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x50, 0x6f, 0x72, 0x74, 0x22, 0x38, 0x0a, 0x0e,
-	0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x12, 0x14,
-	0x0a, 0x05, 0x6e, 0x65, 0x74, 0x49, 0x50, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x6e,
-	0x65, 0x74, 0x49, 0x50, 0x12, 0x10, 0x0a, 0x03, 0x6d, 0x61, 0x63, 0x18, 0x02, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x03, 0x6d, 0x61, 0x63, 0x22, 0x1e, 0x0a, 0x06, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x73,
-	0x12, 0x14, 0x0a, 0x05, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52,
-	0x05, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x22, 0x96, 0x01, 0x0a, 0x08, 0x50, 0x6f, 0x72, 0x74, 0x49,
-	0x6e, 0x66, 0x6f, 0x12, 0x14, 0x0a, 0x04, 0x70, 0x6f, 0x72, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28,
-	0x0d, 0x48, 0x00, 0x52, 0x04, 0x70, 0x6f, 0x72, 0x74, 0x12, 0x32, 0x0a, 0x05, 0x72, 0x61, 0x6e,
-	0x67, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67,
-	0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x50, 0x6f, 0x72, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x2e, 0x52,
-	0x61, 0x6e, 0x67, 0x65, 0x48, 0x00, 0x52, 0x05, 0x72, 0x61, 0x6e, 0x67, 0x65, 0x1a, 0x2f, 0x0a,
-	0x05, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x73, 0x74, 0x61, 0x72, 0x74, 0x18,
-	0x01, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x05, 0x73, 0x74, 0x61, 0x72, 0x74, 0x12, 0x10, 0x0a, 0x03,
-	0x65, 0x6e, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x03, 0x65, 0x6e, 0x64, 0x42, 0x0f,
-	0x0a, 0x0d, 0x70, 0x6f, 0x72, 0x74, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x22,
-	0xd1, 0x02, 0x0a, 0x11, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x46, 0x69, 0x72, 0x65, 0x77, 0x61, 0x6c,
-	0x6c, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x22, 0x0a, 0x0c, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52,
-	0x61, 0x6e, 0x67, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0c, 0x73, 0x6f, 0x75,
-	0x72, 0x63, 0x65, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x12, 0x2e, 0x0a, 0x06, 0x61, 0x63, 0x74,
-	0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x16, 0x2e, 0x6d, 0x61, 0x6e, 0x61,
-	0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x52, 0x75, 0x6c, 0x65, 0x41, 0x63, 0x74, 0x69, 0x6f,
-	0x6e, 0x52, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x20, 0x0a, 0x0b, 0x64, 0x65, 0x73,
-	0x74, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b,
-	0x64, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x34, 0x0a, 0x08, 0x70,
-	0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x18, 0x2e,
-	0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x52, 0x75, 0x6c, 0x65, 0x50,
-	0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x52, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f,
-	0x6c, 0x12, 0x30, 0x0a, 0x08, 0x70, 0x6f, 0x72, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x18, 0x05, 0x20,
-	0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74,
-	0x2e, 0x50, 0x6f, 0x72, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x08, 0x70, 0x6f, 0x72, 0x74, 0x49,
-	0x6e, 0x66, 0x6f, 0x12, 0x1c, 0x0a, 0x09, 0x69, 0x73, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63,
-	0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x69, 0x73, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69,
-	0x63, 0x12, 0x18, 0x0a, 0x07, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x73, 0x18, 0x07, 0x20, 0x03,
-	0x28, 0x09, 0x52, 0x07, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x73, 0x12, 0x26, 0x0a, 0x0e, 0x63,
-	0x75, 0x73, 0x74, 0x6f, 0x6d, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x08, 0x20,
-	0x01, 0x28, 0x0d, 0x52, 0x0e, 0x63, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x50, 0x72, 0x6f, 0x74, 0x6f,
-	0x63, 0x6f, 0x6c, 0x2a, 0x4c, 0x0a, 0x0c, 0x52, 0x75, 0x6c, 0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f,
-	0x63, 0x6f, 0x6c, 0x12, 0x0b, 0x0a, 0x07, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00,
-	0x12, 0x07, 0x0a, 0x03, 0x41, 0x4c, 0x4c, 0x10, 0x01, 0x12, 0x07, 0x0a, 0x03, 0x54, 0x43, 0x50,
-	0x10, 0x02, 0x12, 0x07, 0x0a, 0x03, 0x55, 0x44, 0x50, 0x10, 0x03, 0x12, 0x08, 0x0a, 0x04, 0x49,
-	0x43, 0x4d, 0x50, 0x10, 0x04, 0x12, 0x0a, 0x0a, 0x06, 0x43, 0x55, 0x53, 0x54, 0x4f, 0x4d, 0x10,
-	0x05, 0x2a, 0x20, 0x0a, 0x0d, 0x52, 0x75, 0x6c, 0x65, 0x44, 0x69, 0x72, 0x65, 0x63, 0x74, 0x69,
-	0x6f, 0x6e, 0x12, 0x06, 0x0a, 0x02, 0x49, 0x4e, 0x10, 0x00, 0x12, 0x07, 0x0a, 0x03, 0x4f, 0x55,
-	0x54, 0x10, 0x01, 0x2a, 0x22, 0x0a, 0x0a, 0x52, 0x75, 0x6c, 0x65, 0x41, 0x63, 0x74, 0x69, 0x6f,
-	0x6e, 0x12, 0x0a, 0x0a, 0x06, 0x41, 0x43, 0x43, 0x45, 0x50, 0x54, 0x10, 0x00, 0x12, 0x08, 0x0a,
-	0x04, 0x44, 0x52, 0x4f, 0x50, 0x10, 0x01, 0x32, 0x90, 0x04, 0x0a, 0x11, 0x4d, 0x61, 0x6e, 0x61,
-	0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x45, 0x0a,
-	0x05, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d,
-	0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73,
-	0x73, 0x61, 0x67, 0x65, 0x1a, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e,
-	0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61,
-	0x67, 0x65, 0x22, 0x00, 0x12, 0x46, 0x0a, 0x04, 0x53, 0x79, 0x6e, 0x63, 0x12, 0x1c, 0x2e, 0x6d,
-	0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70,
-	0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1c, 0x2e, 0x6d, 0x61, 0x6e,
-	0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65,
-	0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x30, 0x01, 0x12, 0x42, 0x0a, 0x0c,
-	0x47, 0x65, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x4b, 0x65, 0x79, 0x12, 0x11, 0x2e, 0x6d,
-	0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a,
-	0x1d, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x65, 0x72,
-	0x76, 0x65, 0x72, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00,
-	0x12, 0x33, 0x0a, 0x09, 0x69, 0x73, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x79, 0x12, 0x11, 0x2e,
-	0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79,
-	0x1a, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6d,
-	0x70, 0x74, 0x79, 0x22, 0x00, 0x12, 0x5a, 0x0a, 0x1a, 0x47, 0x65, 0x74, 0x44, 0x65, 0x76, 0x69,
-	0x63, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x46,
-	0x6c, 0x6f, 0x77, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74,
-	0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67,
-	0x65, 0x1a, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45,
-	0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22,
-	0x00, 0x12, 0x58, 0x0a, 0x18, 0x47, 0x65, 0x74, 0x50, 0x4b, 0x43, 0x45, 0x41, 0x75, 0x74, 0x68,
-	0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x46, 0x6c, 0x6f, 0x77, 0x12, 0x1c, 0x2e,
-	0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79,
-	0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1c, 0x2e, 0x6d, 0x61,
-	0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74,
-	0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x3d, 0x0a, 0x08, 0x53,
-	0x79, 0x6e, 0x63, 0x4d, 0x65, 0x74, 0x61, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65,
+	0x6f, 0x6e, 0x46, 0x6c, 0x6f, 0x77, 0x2e, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x52,
+	0x08, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x12, 0x42, 0x0a, 0x0e, 0x50, 0x72, 0x6f,
+	0x76, 0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x02, 0x20, 0x01, 0x28,
+	0x0b, 0x32, 0x1a, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x50,
+	0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0e, 0x50,
+	0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x22, 0x16, 0x0a,
+	0x08, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x12, 0x0a, 0x0a, 0x06, 0x48, 0x4f, 0x53,
+	0x54, 0x45, 0x44, 0x10, 0x00, 0x22, 0x1e, 0x0a, 0x1c, 0x50, 0x4b, 0x43, 0x45, 0x41, 0x75, 0x74,
+	0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x46, 0x6c, 0x6f, 0x77, 0x52, 0x65,
+	0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x5b, 0x0a, 0x15, 0x50, 0x4b, 0x43, 0x45, 0x41, 0x75, 0x74,
+	0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x46, 0x6c, 0x6f, 0x77, 0x12, 0x42,
+	0x0a, 0x0e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67,
+	0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d,
+	0x65, 0x6e, 0x74, 0x2e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66,
+	0x69, 0x67, 0x52, 0x0e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66,
+	0x69, 0x67, 0x22, 0xea, 0x02, 0x0a, 0x0e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x43,
+	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x1a, 0x0a, 0x08, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x49,
+	0x44, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x49,
+	0x44, 0x12, 0x22, 0x0a, 0x0c, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x53, 0x65, 0x63, 0x72, 0x65,
+	0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x53,
+	0x65, 0x63, 0x72, 0x65, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x18,
+	0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x12, 0x1a, 0x0a,
+	0x08, 0x41, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x08, 0x41, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x12, 0x2e, 0x0a, 0x12, 0x44, 0x65, 0x76,
+	0x69, 0x63, 0x65, 0x41, 0x75, 0x74, 0x68, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x18,
+	0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x12, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x41, 0x75, 0x74,
+	0x68, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x12, 0x24, 0x0a, 0x0d, 0x54, 0x6f, 0x6b,
+	0x65, 0x6e, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x0d, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x12,
+	0x14, 0x0a, 0x05, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05,
+	0x53, 0x63, 0x6f, 0x70, 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x55, 0x73, 0x65, 0x49, 0x44, 0x54, 0x6f,
+	0x6b, 0x65, 0x6e, 0x18, 0x08, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x55, 0x73, 0x65, 0x49, 0x44,
+	0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x34, 0x0a, 0x15, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69,
+	0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x18, 0x09,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x15, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74,
+	0x69, 0x6f, 0x6e, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x12, 0x22, 0x0a, 0x0c, 0x52,
+	0x65, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x55, 0x52, 0x4c, 0x73, 0x18, 0x0a, 0x20, 0x03, 0x28,
+	0x09, 0x52, 0x0c, 0x52, 0x65, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x55, 0x52, 0x4c, 0x73, 0x22,
+	0xed, 0x01, 0x0a, 0x05, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x49, 0x44, 0x18,
+	0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x49, 0x44, 0x12, 0x18, 0x0a, 0x07, 0x4e, 0x65, 0x74,
+	0x77, 0x6f, 0x72, 0x6b, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x4e, 0x65, 0x74, 0x77,
+	0x6f, 0x72, 0x6b, 0x12, 0x20, 0x0a, 0x0b, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x54, 0x79,
+	0x70, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0b, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72,
+	0x6b, 0x54, 0x79, 0x70, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x50, 0x65, 0x65, 0x72, 0x18, 0x04, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x04, 0x50, 0x65, 0x65, 0x72, 0x12, 0x16, 0x0a, 0x06, 0x4d, 0x65, 0x74,
+	0x72, 0x69, 0x63, 0x18, 0x05, 0x20, 0x01, 0x28, 0x03, 0x52, 0x06, 0x4d, 0x65, 0x74, 0x72, 0x69,
+	0x63, 0x12, 0x1e, 0x0a, 0x0a, 0x4d, 0x61, 0x73, 0x71, 0x75, 0x65, 0x72, 0x61, 0x64, 0x65, 0x18,
+	0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x4d, 0x61, 0x73, 0x71, 0x75, 0x65, 0x72, 0x61, 0x64,
+	0x65, 0x12, 0x14, 0x0a, 0x05, 0x4e, 0x65, 0x74, 0x49, 0x44, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x05, 0x4e, 0x65, 0x74, 0x49, 0x44, 0x12, 0x18, 0x0a, 0x07, 0x44, 0x6f, 0x6d, 0x61, 0x69,
+	0x6e, 0x73, 0x18, 0x08, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e,
+	0x73, 0x12, 0x1c, 0x0a, 0x09, 0x6b, 0x65, 0x65, 0x70, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x18, 0x09,
+	0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x6b, 0x65, 0x65, 0x70, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x22,
+	0xb4, 0x01, 0x0a, 0x09, 0x44, 0x4e, 0x53, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x24, 0x0a,
+	0x0d, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x08, 0x52, 0x0d, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x45, 0x6e, 0x61,
+	0x62, 0x6c, 0x65, 0x12, 0x47, 0x0a, 0x10, 0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65,
+	0x72, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1b, 0x2e,
+	0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x4e, 0x61, 0x6d, 0x65, 0x53,
+	0x65, 0x72, 0x76, 0x65, 0x72, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x52, 0x10, 0x4e, 0x61, 0x6d, 0x65,
+	0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x12, 0x38, 0x0a, 0x0b,
+	0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x5a, 0x6f, 0x6e, 0x65, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28,
+	0x0b, 0x32, 0x16, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x43,
+	0x75, 0x73, 0x74, 0x6f, 0x6d, 0x5a, 0x6f, 0x6e, 0x65, 0x52, 0x0b, 0x43, 0x75, 0x73, 0x74, 0x6f,
+	0x6d, 0x5a, 0x6f, 0x6e, 0x65, 0x73, 0x22, 0x58, 0x0a, 0x0a, 0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d,
+	0x5a, 0x6f, 0x6e, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x12, 0x32, 0x0a, 0x07,
+	0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x18, 0x2e,
+	0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x69, 0x6d, 0x70, 0x6c,
+	0x65, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x52, 0x07, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x73,
+	0x22, 0x74, 0x0a, 0x0c, 0x53, 0x69, 0x6d, 0x70, 0x6c, 0x65, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64,
+	0x12, 0x12, 0x0a, 0x04, 0x4e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04,
+	0x4e, 0x61, 0x6d, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x54, 0x79, 0x70, 0x65, 0x18, 0x02, 0x20, 0x01,
+	0x28, 0x03, 0x52, 0x04, 0x54, 0x79, 0x70, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x43, 0x6c, 0x61, 0x73,
+	0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x43, 0x6c, 0x61, 0x73, 0x73, 0x12, 0x10,
+	0x0a, 0x03, 0x54, 0x54, 0x4c, 0x18, 0x04, 0x20, 0x01, 0x28, 0x03, 0x52, 0x03, 0x54, 0x54, 0x4c,
+	0x12, 0x14, 0x0a, 0x05, 0x52, 0x44, 0x61, 0x74, 0x61, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x05, 0x52, 0x44, 0x61, 0x74, 0x61, 0x22, 0xb3, 0x01, 0x0a, 0x0f, 0x4e, 0x61, 0x6d, 0x65, 0x53,
+	0x65, 0x72, 0x76, 0x65, 0x72, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x12, 0x38, 0x0a, 0x0b, 0x4e, 0x61,
+	0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32,
+	0x16, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x4e, 0x61, 0x6d,
+	0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x0b, 0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65, 0x72,
+	0x76, 0x65, 0x72, 0x73, 0x12, 0x18, 0x0a, 0x07, 0x50, 0x72, 0x69, 0x6d, 0x61, 0x72, 0x79, 0x18,
+	0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x50, 0x72, 0x69, 0x6d, 0x61, 0x72, 0x79, 0x12, 0x18,
+	0x0a, 0x07, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52,
+	0x07, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x73, 0x12, 0x32, 0x0a, 0x14, 0x53, 0x65, 0x61, 0x72,
+	0x63, 0x68, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x73, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64,
+	0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x14, 0x53, 0x65, 0x61, 0x72, 0x63, 0x68, 0x44, 0x6f,
+	0x6d, 0x61, 0x69, 0x6e, 0x73, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x22, 0x48, 0x0a, 0x0a,
+	0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x0e, 0x0a, 0x02, 0x49, 0x50,
+	0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x49, 0x50, 0x12, 0x16, 0x0a, 0x06, 0x4e, 0x53,
+	0x54, 0x79, 0x70, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x03, 0x52, 0x06, 0x4e, 0x53, 0x54, 0x79,
+	0x70, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x50, 0x6f, 0x72, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x03,
+	0x52, 0x04, 0x50, 0x6f, 0x72, 0x74, 0x22, 0xd9, 0x01, 0x0a, 0x0c, 0x46, 0x69, 0x72, 0x65, 0x77,
+	0x61, 0x6c, 0x6c, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x50, 0x65, 0x65, 0x72, 0x49,
+	0x50, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x50, 0x65, 0x65, 0x72, 0x49, 0x50, 0x12,
+	0x37, 0x0a, 0x09, 0x44, 0x69, 0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01,
+	0x28, 0x0e, 0x32, 0x19, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e,
+	0x52, 0x75, 0x6c, 0x65, 0x44, 0x69, 0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x09, 0x44,
+	0x69, 0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x2e, 0x0a, 0x06, 0x41, 0x63, 0x74, 0x69,
+	0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x16, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67,
+	0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x52, 0x75, 0x6c, 0x65, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e,
+	0x52, 0x06, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x34, 0x0a, 0x08, 0x50, 0x72, 0x6f, 0x74,
+	0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x18, 0x2e, 0x6d, 0x61, 0x6e,
+	0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x52, 0x75, 0x6c, 0x65, 0x50, 0x72, 0x6f, 0x74,
+	0x6f, 0x63, 0x6f, 0x6c, 0x52, 0x08, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x12,
+	0x0a, 0x04, 0x50, 0x6f, 0x72, 0x74, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x50, 0x6f,
+	0x72, 0x74, 0x22, 0x38, 0x0a, 0x0e, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x41, 0x64, 0x64,
+	0x72, 0x65, 0x73, 0x73, 0x12, 0x14, 0x0a, 0x05, 0x6e, 0x65, 0x74, 0x49, 0x50, 0x18, 0x01, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x05, 0x6e, 0x65, 0x74, 0x49, 0x50, 0x12, 0x10, 0x0a, 0x03, 0x6d, 0x61,
+	0x63, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6d, 0x61, 0x63, 0x22, 0x1e, 0x0a, 0x06,
+	0x43, 0x68, 0x65, 0x63, 0x6b, 0x73, 0x12, 0x14, 0x0a, 0x05, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x18,
+	0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x05, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x22, 0x96, 0x01, 0x0a,
+	0x08, 0x50, 0x6f, 0x72, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x14, 0x0a, 0x04, 0x70, 0x6f, 0x72,
+	0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0d, 0x48, 0x00, 0x52, 0x04, 0x70, 0x6f, 0x72, 0x74, 0x12,
+	0x32, 0x0a, 0x05, 0x72, 0x61, 0x6e, 0x67, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a,
+	0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x50, 0x6f, 0x72, 0x74,
+	0x49, 0x6e, 0x66, 0x6f, 0x2e, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x48, 0x00, 0x52, 0x05, 0x72, 0x61,
+	0x6e, 0x67, 0x65, 0x1a, 0x2f, 0x0a, 0x05, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x12, 0x14, 0x0a, 0x05,
+	0x73, 0x74, 0x61, 0x72, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x05, 0x73, 0x74, 0x61,
+	0x72, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x65, 0x6e, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0d, 0x52,
+	0x03, 0x65, 0x6e, 0x64, 0x42, 0x0f, 0x0a, 0x0d, 0x70, 0x6f, 0x72, 0x74, 0x53, 0x65, 0x6c, 0x65,
+	0x63, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0xd1, 0x02, 0x0a, 0x11, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x46,
+	0x69, 0x72, 0x65, 0x77, 0x61, 0x6c, 0x6c, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x22, 0x0a, 0x0c, 0x73,
+	0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28,
+	0x09, 0x52, 0x0c, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x12,
+	0x2e, 0x0a, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32,
+	0x16, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x52, 0x75, 0x6c,
+	0x65, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12,
+	0x20, 0x0a, 0x0b, 0x64, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x03,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x64, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f,
+	0x6e, 0x12, 0x34, 0x0a, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x04, 0x20,
+	0x01, 0x28, 0x0e, 0x32, 0x18, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74,
+	0x2e, 0x52, 0x75, 0x6c, 0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x52, 0x08, 0x70,
+	0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x30, 0x0a, 0x08, 0x70, 0x6f, 0x72, 0x74, 0x49,
+	0x6e, 0x66, 0x6f, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x6d, 0x61, 0x6e, 0x61,
+	0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x50, 0x6f, 0x72, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x52,
+	0x08, 0x70, 0x6f, 0x72, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x1c, 0x0a, 0x09, 0x69, 0x73, 0x44,
+	0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x69, 0x73,
+	0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x12, 0x18, 0x0a, 0x07, 0x64, 0x6f, 0x6d, 0x61, 0x69,
+	0x6e, 0x73, 0x18, 0x07, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e,
+	0x73, 0x12, 0x26, 0x0a, 0x0e, 0x63, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x50, 0x72, 0x6f, 0x74, 0x6f,
+	0x63, 0x6f, 0x6c, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x0e, 0x63, 0x75, 0x73, 0x74, 0x6f,
+	0x6d, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x22, 0xf2, 0x01, 0x0a, 0x0e, 0x46, 0x6f,
+	0x72, 0x77, 0x61, 0x72, 0x64, 0x69, 0x6e, 0x67, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x34, 0x0a, 0x08,
+	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x18,
+	0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x52, 0x75, 0x6c, 0x65,
+	0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x52, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63,
+	0x6f, 0x6c, 0x12, 0x3e, 0x0a, 0x0f, 0x64, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f,
+	0x6e, 0x50, 0x6f, 0x72, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x6d, 0x61,
+	0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x50, 0x6f, 0x72, 0x74, 0x49, 0x6e, 0x66,
+	0x6f, 0x52, 0x0f, 0x64, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x6f,
+	0x72, 0x74, 0x12, 0x2c, 0x0a, 0x11, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x6c, 0x61, 0x74, 0x65, 0x64,
+	0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x11, 0x74,
+	0x72, 0x61, 0x6e, 0x73, 0x6c, 0x61, 0x74, 0x65, 0x64, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73,
+	0x12, 0x3c, 0x0a, 0x0e, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x6c, 0x61, 0x74, 0x65, 0x64, 0x50, 0x6f,
+	0x72, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67,
+	0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x50, 0x6f, 0x72, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x0e,
+	0x74, 0x72, 0x61, 0x6e, 0x73, 0x6c, 0x61, 0x74, 0x65, 0x64, 0x50, 0x6f, 0x72, 0x74, 0x2a, 0x4c,
+	0x0a, 0x0c, 0x52, 0x75, 0x6c, 0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x0b,
+	0x0a, 0x07, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x07, 0x0a, 0x03, 0x41,
+	0x4c, 0x4c, 0x10, 0x01, 0x12, 0x07, 0x0a, 0x03, 0x54, 0x43, 0x50, 0x10, 0x02, 0x12, 0x07, 0x0a,
+	0x03, 0x55, 0x44, 0x50, 0x10, 0x03, 0x12, 0x08, 0x0a, 0x04, 0x49, 0x43, 0x4d, 0x50, 0x10, 0x04,
+	0x12, 0x0a, 0x0a, 0x06, 0x43, 0x55, 0x53, 0x54, 0x4f, 0x4d, 0x10, 0x05, 0x2a, 0x20, 0x0a, 0x0d,
+	0x52, 0x75, 0x6c, 0x65, 0x44, 0x69, 0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x06, 0x0a,
+	0x02, 0x49, 0x4e, 0x10, 0x00, 0x12, 0x07, 0x0a, 0x03, 0x4f, 0x55, 0x54, 0x10, 0x01, 0x2a, 0x22,
+	0x0a, 0x0a, 0x52, 0x75, 0x6c, 0x65, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x0a, 0x0a, 0x06,
+	0x41, 0x43, 0x43, 0x45, 0x50, 0x54, 0x10, 0x00, 0x12, 0x08, 0x0a, 0x04, 0x44, 0x52, 0x4f, 0x50,
+	0x10, 0x01, 0x32, 0x90, 0x04, 0x0a, 0x11, 0x4d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e,
+	0x74, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x45, 0x0a, 0x05, 0x4c, 0x6f, 0x67, 0x69,
+	0x6e, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45,
+	0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a,
+	0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63,
+	0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12,
+	0x46, 0x0a, 0x04, 0x53, 0x79, 0x6e, 0x63, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65,
 	0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65,
-	0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65,
-	0x6e, 0x74, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x42, 0x08, 0x5a, 0x06, 0x2f, 0x70,
-	0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65,
+	0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73,
+	0x61, 0x67, 0x65, 0x22, 0x00, 0x30, 0x01, 0x12, 0x42, 0x0a, 0x0c, 0x47, 0x65, 0x74, 0x53, 0x65,
+	0x72, 0x76, 0x65, 0x72, 0x4b, 0x65, 0x79, 0x12, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65,
+	0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x1d, 0x2e, 0x6d, 0x61, 0x6e,
+	0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x4b, 0x65,
+	0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x33, 0x0a, 0x09, 0x69,
+	0x73, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x79, 0x12, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67,
+	0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x11, 0x2e, 0x6d, 0x61,
+	0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00,
+	0x12, 0x5a, 0x0a, 0x1a, 0x47, 0x65, 0x74, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x41, 0x75, 0x74,
+	0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x46, 0x6c, 0x6f, 0x77, 0x12, 0x1c,
+	0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72,
+	0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1c, 0x2e, 0x6d,
+	0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70,
+	0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x58, 0x0a, 0x18,
+	0x47, 0x65, 0x74, 0x50, 0x4b, 0x43, 0x45, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61,
+	0x74, 0x69, 0x6f, 0x6e, 0x46, 0x6c, 0x6f, 0x77, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67,
+	0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d,
+	0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d,
+	0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73,
+	0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x3d, 0x0a, 0x08, 0x53, 0x79, 0x6e, 0x63, 0x4d, 0x65,
+	0x74, 0x61, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e,
+	0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65,
+	0x1a, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6d,
+	0x70, 0x74, 0x79, 0x22, 0x00, 0x42, 0x08, 0x5a, 0x06, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62,
+	0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }

 var (
@@ -3506,7 +3610,7 @@ func file_management_proto_rawDescGZIP() []byte {
 }

 var file_management_proto_enumTypes = make([]protoimpl.EnumInfo, 5)
-var file_management_proto_msgTypes = make([]protoimpl.MessageInfo, 38)
+var file_management_proto_msgTypes = make([]protoimpl.MessageInfo, 39)
 var file_management_proto_goTypes = []interface{}{
 	(RuleProtocol)(0),                      // 0: management.RuleProtocol
 	(RuleDirection)(0),                     // 1: management.RuleDirection
@@ -3550,8 +3654,9 @@ var file_management_proto_goTypes = []interface{}{
 	(*Checks)(nil),                         // 39: management.Checks
 	(*PortInfo)(nil),                       // 40: management.PortInfo
 	(*RouteFirewallRule)(nil),              // 41: management.RouteFirewallRule
-	(*PortInfo_Range)(nil),                 // 42: management.PortInfo.Range
-	(*timestamppb.Timestamp)(nil),          // 43: google.protobuf.Timestamp
+	(*ForwardingRule)(nil),                 // 42: management.ForwardingRule
+	(*PortInfo_Range)(nil),                 // 43: management.PortInfo.Range
+	(*timestamppb.Timestamp)(nil),          // 44: google.protobuf.Timestamp
 }
 var file_management_proto_depIdxs = []int32{
 	14, // 0: management.SyncRequest.meta:type_name -> management.PeerSystemMeta
@@ -3570,7 +3675,7 @@ var file_management_proto_depIdxs = []int32{
 	18, // 13: management.LoginResponse.wiretrusteeConfig:type_name -> management.WiretrusteeConfig
 	22, // 14: management.LoginResponse.peerConfig:type_name -> management.PeerConfig
 	39, // 15: management.LoginResponse.Checks:type_name -> management.Checks
-	43, // 16: management.ServerKeyResponse.expiresAt:type_name -> google.protobuf.Timestamp
+	44, // 16: management.ServerKeyResponse.expiresAt:type_name -> google.protobuf.Timestamp
 	19, // 17: management.WiretrusteeConfig.stuns:type_name -> management.HostConfig
 	21, // 18: management.WiretrusteeConfig.turns:type_name -> management.ProtectedHostConfig
 	19, // 19: management.WiretrusteeConfig.signal:type_name -> management.HostConfig
@@ -3585,40 +3690,44 @@ var file_management_proto_depIdxs = []int32{
 	24, // 28: management.NetworkMap.offlinePeers:type_name -> management.RemotePeerConfig
 	37, // 29: management.NetworkMap.FirewallRules:type_name -> management.FirewallRule
 	41, // 30: management.NetworkMap.routesFirewallRules:type_name -> management.RouteFirewallRule
-	25, // 31: management.RemotePeerConfig.sshConfig:type_name -> management.SSHConfig
-	4,  // 32: management.DeviceAuthorizationFlow.Provider:type_name -> management.DeviceAuthorizationFlow.provider
-	30, // 33: management.DeviceAuthorizationFlow.ProviderConfig:type_name -> management.ProviderConfig
-	30, // 34: management.PKCEAuthorizationFlow.ProviderConfig:type_name -> management.ProviderConfig
-	35, // 35: management.DNSConfig.NameServerGroups:type_name -> management.NameServerGroup
-	33, // 36: management.DNSConfig.CustomZones:type_name -> management.CustomZone
-	34, // 37: management.CustomZone.Records:type_name -> management.SimpleRecord
-	36, // 38: management.NameServerGroup.NameServers:type_name -> management.NameServer
-	1,  // 39: management.FirewallRule.Direction:type_name -> management.RuleDirection
-	2,  // 40: management.FirewallRule.Action:type_name -> management.RuleAction
-	0,  // 41: management.FirewallRule.Protocol:type_name -> management.RuleProtocol
-	42, // 42: management.PortInfo.range:type_name -> management.PortInfo.Range
-	2,  // 43: management.RouteFirewallRule.action:type_name -> management.RuleAction
-	0,  // 44: management.RouteFirewallRule.protocol:type_name -> management.RuleProtocol
-	40, // 45: management.RouteFirewallRule.portInfo:type_name -> management.PortInfo
-	5,  // 46: management.ManagementService.Login:input_type -> management.EncryptedMessage
-	5,  // 47: management.ManagementService.Sync:input_type -> management.EncryptedMessage
-	17, // 48: management.ManagementService.GetServerKey:input_type -> management.Empty
-	17, // 49: management.ManagementService.isHealthy:input_type -> management.Empty
-	5,  // 50: management.ManagementService.GetDeviceAuthorizationFlow:input_type -> management.EncryptedMessage
-	5,  // 51: management.ManagementService.GetPKCEAuthorizationFlow:input_type -> management.EncryptedMessage
-	5,  // 52: management.ManagementService.SyncMeta:input_type -> management.EncryptedMessage
-	5,  // 53: management.ManagementService.Login:output_type -> management.EncryptedMessage
-	5,  // 54: management.ManagementService.Sync:output_type -> management.EncryptedMessage
-	16, // 55: management.ManagementService.GetServerKey:output_type -> management.ServerKeyResponse
-	17, // 56: management.ManagementService.isHealthy:output_type -> management.Empty
-	5,  // 57: management.ManagementService.GetDeviceAuthorizationFlow:output_type -> management.EncryptedMessage
-	5,  // 58: management.ManagementService.GetPKCEAuthorizationFlow:output_type -> management.EncryptedMessage
-	17, // 59: management.ManagementService.SyncMeta:output_type -> management.Empty
-	53, // [53:60] is the sub-list for method output_type
-	46, // [46:53] is the sub-list for method input_type
-	46, // [46:46] is the sub-list for extension type_name
-	46, // [46:46] is the sub-list for extension extendee
-	0,  // [0:46] is the sub-list for field type_name
+	42, // 31: management.NetworkMap.forwardingRules:type_name -> management.ForwardingRule
+	25, // 32: management.RemotePeerConfig.sshConfig:type_name -> management.SSHConfig
+	4,  // 33: management.DeviceAuthorizationFlow.Provider:type_name -> management.DeviceAuthorizationFlow.provider
+	30, // 34: management.DeviceAuthorizationFlow.ProviderConfig:type_name -> management.ProviderConfig
+	30, // 35: management.PKCEAuthorizationFlow.ProviderConfig:type_name -> management.ProviderConfig
+	35, // 36: management.DNSConfig.NameServerGroups:type_name -> management.NameServerGroup
+	33, // 37: management.DNSConfig.CustomZones:type_name -> management.CustomZone
+	34, // 38: management.CustomZone.Records:type_name -> management.SimpleRecord
+	36, // 39: management.NameServerGroup.NameServers:type_name -> management.NameServer
+	1,  // 40: management.FirewallRule.Direction:type_name -> management.RuleDirection
+	2,  // 41: management.FirewallRule.Action:type_name -> management.RuleAction
+	0,  // 42: management.FirewallRule.Protocol:type_name -> management.RuleProtocol
+	43, // 43: management.PortInfo.range:type_name -> management.PortInfo.Range
+	2,  // 44: management.RouteFirewallRule.action:type_name -> management.RuleAction
+	0,  // 45: management.RouteFirewallRule.protocol:type_name -> management.RuleProtocol
+	40, // 46: management.RouteFirewallRule.portInfo:type_name -> management.PortInfo
+	0,  // 47: management.ForwardingRule.protocol:type_name -> management.RuleProtocol
+	40, // 48: management.ForwardingRule.destinationPort:type_name -> management.PortInfo
+	40, // 49: management.ForwardingRule.translatedPort:type_name -> management.PortInfo
+	5,  // 50: management.ManagementService.Login:input_type -> management.EncryptedMessage
+	5,  // 51: management.ManagementService.Sync:input_type -> management.EncryptedMessage
+	17, // 52: management.ManagementService.GetServerKey:input_type -> management.Empty
+	17, // 53: management.ManagementService.isHealthy:input_type -> management.Empty
+	5,  // 54: management.ManagementService.GetDeviceAuthorizationFlow:input_type -> management.EncryptedMessage
+	5,  // 55: management.ManagementService.GetPKCEAuthorizationFlow:input_type -> management.EncryptedMessage
+	5,  // 56: management.ManagementService.SyncMeta:input_type -> management.EncryptedMessage
+	5,  // 57: management.ManagementService.Login:output_type -> management.EncryptedMessage
+	5,  // 58: management.ManagementService.Sync:output_type -> management.EncryptedMessage
+	16, // 59: management.ManagementService.GetServerKey:output_type -> management.ServerKeyResponse
+	17, // 60: management.ManagementService.isHealthy:output_type -> management.Empty
+	5,  // 61: management.ManagementService.GetDeviceAuthorizationFlow:output_type -> management.EncryptedMessage
+	5,  // 62: management.ManagementService.GetPKCEAuthorizationFlow:output_type -> management.EncryptedMessage
+	17, // 63: management.ManagementService.SyncMeta:output_type -> management.Empty
+	57, // [57:64] is the sub-list for method output_type
+	50, // [50:57] is the sub-list for method input_type
+	50, // [50:50] is the sub-list for extension type_name
+	50, // [50:50] is the sub-list for extension extendee
+	0,  // [0:50] is the sub-list for field type_name
 }

 func init() { file_management_proto_init() }
@@ -4072,6 +4181,18 @@ func file_management_proto_init() {
 			}
 		}
 		file_management_proto_msgTypes[37].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*ForwardingRule); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_management_proto_msgTypes[38].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*PortInfo_Range); i {
 			case 0:
 				return &v.state
@@ -4094,7 +4215,7 @@ func file_management_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: file_management_proto_rawDesc,
 			NumEnums:      5,
-			NumMessages:   38,
+			NumMessages:   39,
 			NumExtensions: 0,
 			NumServices:   1,
 		},
--- a/management/proto/management.proto
+++ b/management/proto/management.proto
@@ -273,6 +273,8 @@ message NetworkMap {

  // RoutesFirewallRulesIsEmpty indicates whether RouteFirewallRule array is empty or not to bypass protobuf null and empty array equality.
  bool routesFirewallRulesIsEmpty = 11;
+
+  repeated ForwardingRule forwardingRules = 12;
 }

 // RemotePeerConfig represents a configuration of a remote peer.
@@ -481,3 +483,17 @@ message RouteFirewallRule {
  uint32 customProtocol = 8;
 }

+message ForwardingRule {
+  // Protocol of the forwarding rule
+  RuleProtocol protocol = 1;
+
+  // portInfo is the ingress destination port information, where the traffic arrives in the gateway node
+  PortInfo destinationPort = 2;
+
+  // IP address of the translated address (remote peer) to send traffic to
+  // todo type pending
+  bytes translatedAddress = 3;
+
+  // Translated port information, where the traffic should be forwarded to
+  PortInfo translatedPort = 4;
+}
Author	SHA1	Message	Date
Zoltán Papp	f89994a988	Rename interface to firewaller	2025-01-27 10:41:25 +01:00
Zoltán Papp	efa8c17d27	Code cleaning in firewall package	2025-01-25 20:29:06 +01:00
Zoltán Papp	8185614362	Add forwarding commandline command	2025-01-24 18:42:14 +01:00
Zoltán Papp	cf0154d5fd	Fix rule id	2025-01-24 17:37:59 +01:00
Zoltán Papp	20bce65ab2	Fix error handling	2025-01-24 16:08:00 +01:00
Zoltán Papp	00b8f6ad8e	Change net.IP to netip.Addr	2025-01-24 15:03:38 +01:00
Zoltán Papp	4ad5c55795	Manage Forwarding rules	2025-01-24 12:48:52 +01:00