Organize example setup.env with sections (#928)

support IDP management configuration using configure.sh script

Add initial Zitadel configuration script

.github/workflows/golang-test-darwin.yml

@@ -17,7 +17,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.19.x
+          go-version: "1.20.x"
       - name: Checkout code
         uses: actions/checkout@v2
 

.github/workflows/golang-test-linux.yml

@@ -20,7 +20,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.19.x
+          go-version: "1.20.x"
 
 
       - name: Cache Go modules
@@ -49,7 +49,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.19.x
+          go-version: "1.20.x"
 
 
       - name: Cache Go modules
@@ -70,27 +70,40 @@ jobs:
         run: go mod tidy
 
       - name: Generate Iface Test bin
-        run: go test -c -o iface-testing.bin ./iface/
+        run: CGO_ENABLED=0 go test -c -o iface-testing.bin ./iface/
+
+      - name: Generate Shared Sock Test bin
+        run: CGO_ENABLED=0 go test -c -o sharedsock-testing.bin ./sharedsock
 
       - name: Generate RouteManager Test bin
-        run: go test -c -o routemanager-testing.bin ./client/internal/routemanager/...
+        run: CGO_ENABLED=0 go test -c -o routemanager-testing.bin ./client/internal/routemanager/...
+
+      - name: Generate nftables Manager Test bin
+        run: CGO_ENABLED=0 go test -c -o nftablesmanager-testing.bin ./client/firewall/nftables/...
 
       - name: Generate Engine Test bin
-        run: go test -c -o engine-testing.bin ./client/internal
+        run: CGO_ENABLED=0 go test -c -o engine-testing.bin ./client/internal
 
       - name: Generate Peer Test bin
-        run: go test -c -o peer-testing.bin ./client/internal/peer/...
+        run: CGO_ENABLED=0 go test -c -o peer-testing.bin ./client/internal/peer/...
 
       - run: chmod +x *testing.bin
 
+      - name: Run Shared Sock tests in docker
+        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/sharedsock --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/sharedsock-testing.bin -test.timeout 5m -test.parallel 1
+
       - name: Run Iface tests in docker
         run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/iface --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/iface-testing.bin -test.timeout 5m -test.parallel 1
 
+
       - name: Run RouteManager tests in docker
         run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal/routemanager --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/routemanager-testing.bin  -test.timeout 5m -test.parallel 1
 
+      - name: Run nftables Manager tests in docker
+        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/firewall --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/nftablesmanager-testing.bin  -test.timeout 5m -test.parallel 1
+
       - name: Run Engine tests in docker
         run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/engine-testing.bin  -test.timeout 5m -test.parallel 1
 
       - name: Run Peer tests in docker
-        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal/peer  --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/peer-testing.bin  -test.timeout 5m -test.parallel 1
+        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal/peer  --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/peer-testing.bin  -test.timeout 5m -test.parallel 1

.github/workflows/golang-test-windows.yml

@@ -23,7 +23,7 @@ jobs:
         uses: actions/setup-go@v4
         id: go
         with:
-          go-version: 1.19.x
+          go-version: "1.20.x"
 
       - name: Download wintun
         uses: carlosperate/download-file-action@v2

.github/workflows/golangci-lint.yml

@@ -12,7 +12,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.19.x
+          go-version: "1.20.x"
       - name: Install dependencies
         run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev
       - name: golangci-lint

.github/workflows/release.yml

@@ -9,7 +9,7 @@ on:
   pull_request:
 
 env:
-  SIGN_PIPE_VER: "v0.0.6"
+  SIGN_PIPE_VER: "v0.0.8"
   GORELEASER_VER: "v1.14.1"
 
 concurrency:
@@ -29,7 +29,7 @@ jobs:
         name: Set up Go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.19
+          go-version: "1.20"
       -
         name: Cache Go modules
         uses: actions/cache@v1
@@ -100,7 +100,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.19
+          go-version: "1.20"
       - name: Cache Go modules
         uses: actions/cache@v1
         with:
@@ -150,7 +150,7 @@ jobs:
         name: Set up Go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.19
+          go-version: "1.20"
       -
         name: Cache Go modules
         uses: actions/cache@v1
@@ -195,7 +195,7 @@ jobs:
 
   trigger_darwin_signer:
     runs-on: ubuntu-latest
-    needs: release_ui_darwin
+    needs: [release,release_ui_darwin]
     if: startsWith(github.ref, 'refs/tags/')
     steps:
       - name: Trigger Darwin App binaries sign pipeline

.github/workflows/test-docker-compose-linux.yml

@@ -6,6 +6,7 @@ on:
       - main
   pull_request:
 
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
   cancel-in-progress: true
@@ -23,7 +24,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.19.x
+          go-version: "1.20.x"
 
       - name: Cache Go modules
         uses: actions/cache@v2
@@ -48,6 +49,9 @@ jobs:
           CI_NETBIRD_AUTH_AUDIENCE: testing.ci
           CI_NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT: https://example.eu.auth0.com/.well-known/openid-configuration
           CI_NETBIRD_USE_AUTH0: true
+          CI_NETBIRD_MGMT_IDP: "none"
+          CI_NETBIRD_IDP_MGMT_CLIENT_ID: testing.client.id
+          CI_NETBIRD_IDP_MGMT_CLIENT_SECRET: testing.client.secret
 
       - name: check values
         working-directory: infrastructure_files
@@ -67,6 +71,9 @@ jobs:
           CI_NETBIRD_AUTH_USER_ID_CLAIM: "email"
           CI_NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE: "super"
           CI_NETBIRD_AUTH_DEVICE_AUTH_SCOPE: "openid email"
+          CI_NETBIRD_MGMT_IDP: "none"
+          CI_NETBIRD_IDP_MGMT_CLIENT_ID: testing.client.id
+          CI_NETBIRD_IDP_MGMT_CLIENT_SECRET: testing.client.secret
 
         run: |
           grep AUTH_CLIENT_ID docker-compose.yml | grep $CI_NETBIRD_AUTH_CLIENT_ID
@@ -83,10 +90,16 @@ jobs:
           grep -A 1 ProviderConfig management.json | grep Audience | grep $CI_NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE
           grep Scope management.json | grep "$CI_NETBIRD_AUTH_DEVICE_AUTH_SCOPE"
           grep UseIDToken management.json | grep false
+          grep -A 1 IdpManagerConfig management.json | grep ManagerType | grep $CI_NETBIRD_MGMT_IDP 
+          grep -A 3 IdpManagerConfig management.json | grep -A 1 ClientConfig | grep Issuer | grep $CI_NETBIRD_AUTH_AUTHORITY
+          grep -A 4 IdpManagerConfig management.json | grep -A 2 ClientConfig | grep TokenEndpoint | grep $CI_NETBIRD_AUTH_TOKEN_ENDPOINT
+          grep -A 5 IdpManagerConfig management.json | grep -A 3 ClientConfig | grep ClientID | grep $CI_NETBIRD_IDP_MGMT_CLIENT_ID
+          grep -A 6 IdpManagerConfig management.json | grep -A 4 ClientConfig | grep ClientSecret | grep $CI_NETBIRD_IDP_MGMT_CLIENT_SECRET
+          grep -A 7 IdpManagerConfig management.json | grep -A 5 ClientConfig | grep GrantType | grep client_credentials
 
       - name: run docker compose up
         working-directory: infrastructure_files
-        run: | 
+        run: |
           docker-compose up -d
           sleep 5
           docker-compose ps

.goreleaser.yaml

@@ -12,11 +12,7 @@ builds:
       - arm
       - amd64
       - arm64
-      - mips
       - 386
-    gomips:
-      - hardfloat
-      - softfloat
     ignore:
       - goos: windows
         goarch: arm64
@@ -30,6 +26,26 @@ builds:
     tags:
       - load_wgnt_from_rsrc
 
+  - id: netbird-static
+    dir: client
+    binary: netbird
+    env: [CGO_ENABLED=0]
+    goos:
+      - linux
+    goarch:
+      - mips
+      - mipsle
+      - mips64
+      - mips64le
+    gomips:
+      - hardfloat
+      - softfloat
+    ldflags:
+      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
+    mod_timestamp: '{{ .CommitTimestamp }}'
+    tags:
+      - load_wgnt_from_rsrc
+
   - id: netbird-mgmt
     dir: management
     env:
@@ -67,6 +83,7 @@ builds:
 archives:
   - builds:
       - netbird
+      - netbird-static
 
 nfpms:
 
@@ -359,4 +376,4 @@ uploads:
     mode: archive
     target: https://pkgs.wiretrustee.com/yum/{{ .Arch }}{{ if .Arm }}{{ .Arm }}{{ end }}
     username: dev@wiretrustee.com
-    method: PUT
+    method: PUT

base62/base62.go

@@ -0,0 +1,59 @@
+package base62
+
+import (
+	"fmt"
+	"math"
+	"strings"
+)
+
+const (
+	alphabet = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
+	base     = uint32(len(alphabet))
+)
+
+// Encode encodes a uint32 value to a base62 string.
+func Encode(num uint32) string {
+	if num == 0 {
+		return string(alphabet[0])
+	}
+
+	var encoded strings.Builder
+	remainder := uint32(0)
+
+	for num > 0 {
+		remainder = num % base
+		encoded.WriteByte(alphabet[remainder])
+		num /= base
+	}
+
+	// Reverse the encoded string
+	encodedString := encoded.String()
+	reversed := reverse(encodedString)
+	return reversed
+}
+
+// Decode decodes a base62 string to a uint32 value.
+func Decode(encoded string) (uint32, error) {
+	var decoded uint32
+	strLen := len(encoded)
+
+	for i, char := range encoded {
+		index := strings.IndexRune(alphabet, char)
+		if index < 0 {
+			return 0, fmt.Errorf("invalid character: %c", char)
+		}
+
+		decoded += uint32(index) * uint32(math.Pow(float64(base), float64(strLen-i-1)))
+	}
+
+	return decoded, nil
+}
+
+// Reverse a string.
+func reverse(s string) string {
+	runes := []rune(s)
+	for i, j := 0, len(runes)-1; i < j; i, j = i+1, j-1 {
+		runes[i], runes[j] = runes[j], runes[i]
+	}
+	return string(runes)
+}

base62/base62_test.go

@@ -0,0 +1,31 @@
+package base62
+
+import (
+	"testing"
+)
+
+func TestEncodeDecode(t *testing.T) {
+	tests := []struct {
+		num uint32
+	}{
+		{0},
+		{1},
+		{42},
+		{12345},
+		{99999},
+		{123456789},
+	}
+
+	for _, tt := range tests {
+		encoded := Encode(tt.num)
+		decoded, err := Decode(encoded)
+
+		if err != nil {
+			t.Errorf("Decode error: %v", err)
+		}
+
+		if decoded != tt.num {
+			t.Errorf("Decode(%v) = %v, want %v", encoded, decoded, tt.num)
+		}
+	}
+}

client/android/client.go

@@ -8,6 +8,7 @@ import (
 
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/client/internal/routemanager"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/formatter"
@@ -29,6 +30,11 @@ type IFaceDiscover interface {
 	stdnet.ExternalIFaceDiscover
 }
 
+// RouteListener export internal RouteListener for mobile
+type RouteListener interface {
+	routemanager.RouteListener
+}
+
 func init() {
 	formatter.SetLogcatFormatter(log.StandardLogger())
 }
@@ -42,10 +48,11 @@ type Client struct {
 	ctxCancel     context.CancelFunc
 	ctxCancelLock *sync.Mutex
 	deviceName    string
+	routeListener routemanager.RouteListener
 }
 
 // NewClient instantiate a new Client
-func NewClient(cfgFile, deviceName string, tunAdapter TunAdapter, iFaceDiscover IFaceDiscover) *Client {
+func NewClient(cfgFile, deviceName string, tunAdapter TunAdapter, iFaceDiscover IFaceDiscover, routeListener RouteListener) *Client {
 	lvl, _ := log.ParseLevel("trace")
 	log.SetLevel(lvl)
 
@@ -56,6 +63,7 @@ func NewClient(cfgFile, deviceName string, tunAdapter TunAdapter, iFaceDiscover
 		iFaceDiscover: iFaceDiscover,
 		recorder:      peer.NewRecorder(""),
 		ctxCancelLock: &sync.Mutex{},
+		routeListener: routeListener,
 	}
 }
 
@@ -85,7 +93,7 @@ func (c *Client) Run(urlOpener URLOpener) error {
 
 	// todo do not throw error in case of cancelled context
 	ctx = internal.CtxInitState(ctx)
-	return internal.RunClient(ctx, cfg, c.recorder, c.tunAdapter, c.iFaceDiscover)
+	return internal.RunClient(ctx, cfg, c.recorder, c.tunAdapter, c.iFaceDiscover, c.routeListener)
 }
 
 // Stop the internal client and free the resources

client/cmd/login.go

@@ -3,6 +3,7 @@ package cmd
 import (
 	"context"
 	"fmt"
+	"strings"
 	"time"
 
 	"github.com/skratchdot/open-golang/open"
@@ -15,6 +16,7 @@ import (
 
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/proto"
+	"github.com/netbirdio/netbird/client/system"
 )
 
 var loginCmd = &cobra.Command{
@@ -32,6 +34,11 @@ var loginCmd = &cobra.Command{
 
 		ctx := internal.CtxInitState(context.Background())
 
+		if hostName != "" {
+			// nolint
+			ctx = context.WithValue(ctx, system.DeviceNameCtxKey, hostName)
+		}
+
 		// workaround to run without service
 		if logFile == "console" {
 			err = handleRebrand(cmd)
@@ -39,12 +46,16 @@ var loginCmd = &cobra.Command{
 				return err
 			}
 
-			config, err := internal.UpdateOrCreateConfig(internal.ConfigInput{
+			ic := internal.ConfigInput{
 				ManagementURL: managementURL,
 				AdminURL:      adminURL,
 				ConfigPath:    configPath,
-				PreSharedKey:  &preSharedKey,
-			})
+			}
+			if preSharedKey != "" {
+				ic.PreSharedKey = &preSharedKey
+			}
+
+			config, err := internal.UpdateOrCreateConfig(ic)
 			if err != nil {
 				return fmt.Errorf("get config file: %v", err)
 			}
@@ -100,7 +111,7 @@ var loginCmd = &cobra.Command{
 		}
 
 		if loginResp.NeedsSSOLogin {
-			openURL(cmd, loginResp.VerificationURIComplete)
+			openURL(cmd, loginResp.VerificationURIComplete, loginResp.UserCode)
 
 			_, err = client.WaitSSOLogin(ctx, &proto.WaitSSOLoginRequest{UserCode: loginResp.UserCode})
 			if err != nil {
@@ -179,7 +190,7 @@ func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *int
 		return nil, fmt.Errorf("getting a request device code failed: %v", err)
 	}
 
-	openURL(cmd, flowInfo.VerificationURIComplete)
+	openURL(cmd, flowInfo.VerificationURIComplete, flowInfo.UserCode)
 
 	waitTimeout := time.Duration(flowInfo.ExpiresIn)
 	waitCTX, c := context.WithTimeout(context.TODO(), waitTimeout*time.Second)
@@ -193,11 +204,16 @@ func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *int
 	return &tokenInfo, nil
 }
 
-func openURL(cmd *cobra.Command, verificationURIComplete string) {
+func openURL(cmd *cobra.Command, verificationURIComplete, userCode string) {
+	var codeMsg string
+	if !strings.Contains(verificationURIComplete, userCode) {
+		codeMsg = fmt.Sprintf("and enter the code %s to authenticate.", userCode)
+	}
+
 	err := open.Run(verificationURIComplete)
 	cmd.Printf("Please do the SSO login in your browser. \n" +
 		"If your browser didn't open automatically, use this URL to log in:\n\n" +
-		" " + verificationURIComplete + " \n\n")
+		" " + verificationURIComplete + " " + codeMsg + " \n\n")
 	if err != nil {
 		cmd.Printf("Alternatively, you may want to use a setup key, see:\n\n https://www.netbird.io/docs/overview/setup-keys\n")
 	}

client/cmd/root.go

@@ -45,6 +45,7 @@ var (
 	managementURL           string
 	adminURL                string
 	setupKey                string
+	hostName                string
 	preSharedKey            string
 	natExternalIPs          []string
 	customDNSAddress        string
@@ -94,6 +95,7 @@ func init() {
 	rootCmd.PersistentFlags().StringVar(&logFile, "log-file", defaultLogFile, "sets Netbird log path. If console is specified the the log will be output to stdout")
 	rootCmd.PersistentFlags().StringVarP(&setupKey, "setup-key", "k", "", "Setup key obtained from the Management Service Dashboard (used to register peer)")
 	rootCmd.PersistentFlags().StringVar(&preSharedKey, "preshared-key", "", "Sets Wireguard PreSharedKey property. If set, then only peers that have the same key can communicate.")
+	rootCmd.PersistentFlags().StringVarP(&hostName, "hostname", "n", "", "Sets a custom hostname for the device")
 	rootCmd.AddCommand(serviceCmd)
 	rootCmd.AddCommand(upCmd)
 	rootCmd.AddCommand(downCmd)

client/cmd/status.go

@@ -249,7 +249,7 @@ func mapPeers(peers []*proto.PeerState) peersStateOutput {
 			IP:               pbPeerState.GetIP(),
 			PubKey:           pbPeerState.GetPubKey(),
 			Status:           pbPeerState.GetConnStatus(),
-			LastStatusUpdate: timeLocal.UTC(),
+			LastStatusUpdate: timeLocal,
 			ConnType:         connType,
 			Direct:           pbPeerState.GetDirect(),
 			IceCandidateType: iceCandidateType{

client/cmd/status_test.go

@@ -11,6 +11,15 @@ import (
 	"github.com/netbirdio/netbird/version"
 )
 
+func init() {
+	loc, err := time.LoadLocation("UTC")
+	if err != nil {
+		panic(err)
+	}
+
+	time.Local = loc
+}
+
 var resp = &proto.StatusResponse{
 	Status: "Connected",
 	FullStatus: &proto.FullStatus{

client/cmd/testutil.go

@@ -2,21 +2,23 @@ package cmd
 
 import (
 	"context"
-	"github.com/netbirdio/netbird/management/server/activity"
 	"net"
 	"path/filepath"
 	"testing"
 	"time"
 
+	"github.com/netbirdio/netbird/management/server/activity"
+
 	"github.com/netbirdio/netbird/util"
 
+	"google.golang.org/grpc"
+
 	clientProto "github.com/netbirdio/netbird/client/proto"
 	client "github.com/netbirdio/netbird/client/server"
 	mgmtProto "github.com/netbirdio/netbird/management/proto"
 	mgmt "github.com/netbirdio/netbird/management/server"
 	sigProto "github.com/netbirdio/netbird/signal/proto"
 	sig "github.com/netbirdio/netbird/signal/server"
-	"google.golang.org/grpc"
 )
 
 func startTestingServices(t *testing.T) string {
@@ -63,7 +65,7 @@ func startManagement(t *testing.T, config *mgmt.Config) (*grpc.Server, net.Liste
 		t.Fatal(err)
 	}
 	s := grpc.NewServer()
-	store, err := mgmt.NewFileStore(config.Datadir)
+	store, err := mgmt.NewFileStore(config.Datadir, nil)
 	if err != nil {
 		t.Fatal(err)
 	}

client/cmd/up.go

@@ -15,6 +15,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/proto"
+	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/util"
 )
 
@@ -55,6 +56,11 @@ func upFunc(cmd *cobra.Command, args []string) error {
 
 	ctx := internal.CtxInitState(cmd.Context())
 
+	if hostName != "" {
+		// nolint
+		ctx = context.WithValue(ctx, system.DeviceNameCtxKey, hostName)
+	}
+
 	if foregroundMode {
 		return runInForegroundMode(ctx, cmd)
 	}
@@ -72,14 +78,18 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command) error {
 		return err
 	}
 
-	config, err := internal.UpdateOrCreateConfig(internal.ConfigInput{
+	ic := internal.ConfigInput{
 		ManagementURL:    managementURL,
 		AdminURL:         adminURL,
 		ConfigPath:       configPath,
-		PreSharedKey:     &preSharedKey,
 		NATExternalIPs:   natExternalIPs,
 		CustomDNSAddress: customDNSAddressConverted,
-	})
+	}
+	if preSharedKey != "" {
+		ic.PreSharedKey = &preSharedKey
+	}
+
+	config, err := internal.UpdateOrCreateConfig(ic)
 	if err != nil {
 		return fmt.Errorf("get config file: %v", err)
 	}
@@ -94,7 +104,7 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command) error {
 	var cancel context.CancelFunc
 	ctx, cancel = context.WithCancel(ctx)
 	SetupCloseHandler(ctx, cancel)
-	return internal.RunClient(ctx, config, peer.NewRecorder(config.ManagementURL.String()), nil, nil)
+	return internal.RunClient(ctx, config, peer.NewRecorder(config.ManagementURL.String()), nil, nil, nil)
 }
 
 func runInDaemonMode(ctx context.Context, cmd *cobra.Command) error {
@@ -166,7 +176,7 @@ func runInDaemonMode(ctx context.Context, cmd *cobra.Command) error {
 
 	if loginResp.NeedsSSOLogin {
 
-		openURL(cmd, loginResp.VerificationURIComplete)
+		openURL(cmd, loginResp.VerificationURIComplete, loginResp.UserCode)
 
 		_, err = client.WaitSSOLogin(ctx, &proto.WaitSSOLoginRequest{UserCode: loginResp.UserCode})
 		if err != nil {

client/firewall/firewall.go

@@ -13,22 +13,24 @@ type Rule interface {
 	GetRuleID() string
 }
 
-// Direction is the direction of the traffic
-type Direction int
+// RuleDirection is the traffic direction which a rule is applied
+type RuleDirection int
 
 const (
-	// DirectionSrc is the direction of the traffic from the source
-	DirectionSrc Direction = iota
-	// DirectionDst is the direction of the traffic from the destination
-	DirectionDst
+	// RuleDirectionIN applies to filters that handlers incoming traffic
+	RuleDirectionIN RuleDirection = iota
+	// RuleDirectionOUT applies to filters that handlers outgoing traffic
+	RuleDirectionOUT
 )
 
 // Action is the action to be taken on a rule
 type Action int
 
 const (
+	// ActionUnknown is a unknown action
+	ActionUnknown Action = iota
 	// ActionAccept is the action to accept a packet
-	ActionAccept Action = iota
+	ActionAccept
 	// ActionDrop is the action to drop a packet
 	ActionDrop
 )
@@ -39,10 +41,15 @@ const (
 // Netbird client for ACL and routing functionality
 type Manager interface {
 	// AddFiltering rule to the firewall
+	//
+	// If comment argument is empty firewall manager should set
+	// rule ID as comment for the rule
 	AddFiltering(
 		ip net.IP,
-		port *Port,
-		direction Direction,
+		proto Protocol,
+		sPort *Port,
+		dPort *Port,
+		direction RuleDirection,
 		action Action,
 		comment string,
 	) (Rule, error)

client/firewall/iptables/manager_linux.go

@@ -8,26 +8,43 @@ import (
 
 	"github.com/coreos/go-iptables/iptables"
 	"github.com/google/uuid"
+	log "github.com/sirupsen/logrus"
 
 	fw "github.com/netbirdio/netbird/client/firewall"
 )
 
 const (
-	// ChainFilterName is the name of the chain that is used for filtering by the Netbird client
-	ChainFilterName = "NETBIRD-ACL"
+	// ChainInputFilterName is the name of the chain that is used for filtering incoming packets
+	ChainInputFilterName = "NETBIRD-ACL-INPUT"
+
+	// ChainOutputFilterName is the name of the chain that is used for filtering outgoing packets
+	ChainOutputFilterName = "NETBIRD-ACL-OUTPUT"
 )
 
+// jumpNetbirdInputDefaultRule always added by manager to the input chain for all trafic from the Netbird interface
+var jumpNetbirdInputDefaultRule = []string{"-j", ChainInputFilterName}
+
+// jumpNetbirdOutputDefaultRule always added by manager to the output chain for all trafic from the Netbird interface
+var jumpNetbirdOutputDefaultRule = []string{"-j", ChainOutputFilterName}
+
+// dropAllDefaultRule in the Netbird chain
+var dropAllDefaultRule = []string{"-j", "DROP"}
+
 // Manager of iptables firewall
 type Manager struct {
 	mutex sync.Mutex
 
 	ipv4Client *iptables.IPTables
 	ipv6Client *iptables.IPTables
+
+	wgIfaceName string
 }
 
 // Create iptables firewall manager
-func Create() (*Manager, error) {
-	m := &Manager{}
+func Create(wgIfaceName string) (*Manager, error) {
+	m := &Manager{
+		wgIfaceName: wgIfaceName,
+	}
 
 	// init clients for booth ipv4 and ipv6
 	ipv4Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
@@ -38,118 +55,275 @@ func Create() (*Manager, error) {
 
 	ipv6Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv6)
 	if err != nil {
-		return nil, fmt.Errorf("ip6tables is not installed in the system or not supported")
+		log.Errorf("ip6tables is not installed in the system or not supported: %v", err)
+	} else {
+		m.ipv6Client = ipv6Client
 	}
-	m.ipv6Client = ipv6Client
 
 	if err := m.Reset(); err != nil {
-		return nil, fmt.Errorf("failed to reset firewall: %s", err)
+		return nil, fmt.Errorf("failed to reset firewall: %v", err)
 	}
-
 	return m, nil
 }
 
 // AddFiltering rule to the firewall
+//
+// If comment is empty rule ID is used as comment
 func (m *Manager) AddFiltering(
 	ip net.IP,
-	port *fw.Port,
-	direction fw.Direction,
+	protocol fw.Protocol,
+	sPort *fw.Port,
+	dPort *fw.Port,
+	direction fw.RuleDirection,
 	action fw.Action,
 	comment string,
 ) (fw.Rule, error) {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
-	client := m.client(ip)
-	ok, err := client.ChainExists("filter", ChainFilterName)
+
+	client, err := m.client(ip)
 	if err != nil {
-		return nil, fmt.Errorf("failed to check if chain exists: %s", err)
-	}
-	if !ok {
-		if err := client.NewChain("filter", ChainFilterName); err != nil {
-			return nil, fmt.Errorf("failed to create chain: %s", err)
-		}
-	}
-	if port == nil || port.Values == nil || (port.IsRange && len(port.Values) != 2) {
-		return nil, fmt.Errorf("invalid port definition")
-	}
-	pv := strconv.Itoa(port.Values[0])
-	if port.IsRange {
-		pv += ":" + strconv.Itoa(port.Values[1])
-	}
-	specs := m.filterRuleSpecs("filter", ChainFilterName, ip, pv, direction, action, comment)
-	if err := client.AppendUnique("filter", ChainFilterName, specs...); err != nil {
 		return nil, err
 	}
-	rule := &Rule{
-		id:    uuid.New().String(),
-		specs: specs,
-		v6:    ip.To4() == nil,
+
+	var dPortVal, sPortVal string
+	if dPort != nil && dPort.Values != nil {
+		// TODO: we support only one port per rule in current implementation of ACLs
+		dPortVal = strconv.Itoa(dPort.Values[0])
 	}
-	return rule, nil
+	if sPort != nil && sPort.Values != nil {
+		sPortVal = strconv.Itoa(sPort.Values[0])
+	}
+
+	ruleID := uuid.New().String()
+	if comment == "" {
+		comment = ruleID
+	}
+
+	specs := m.filterRuleSpecs(
+		"filter",
+		ip,
+		string(protocol),
+		sPortVal,
+		dPortVal,
+		direction,
+		action,
+		comment,
+	)
+
+	if direction == fw.RuleDirectionOUT {
+		ok, err := client.Exists("filter", ChainOutputFilterName, specs...)
+		if err != nil {
+			return nil, fmt.Errorf("check is output rule already exists: %w", err)
+		}
+		if ok {
+			return nil, fmt.Errorf("input rule already exists")
+		}
+
+		if err := client.Insert("filter", ChainOutputFilterName, 1, specs...); err != nil {
+			return nil, err
+		}
+	} else {
+		ok, err := client.Exists("filter", ChainInputFilterName, specs...)
+		if err != nil {
+			return nil, fmt.Errorf("check is input rule already exists: %w", err)
+		}
+		if ok {
+			return nil, fmt.Errorf("input rule already exists")
+		}
+
+		if err := client.Insert("filter", ChainInputFilterName, 1, specs...); err != nil {
+			return nil, err
+		}
+	}
+
+	return &Rule{
+		id:    ruleID,
+		specs: specs,
+		dst:   direction == fw.RuleDirectionOUT,
+		v6:    ip.To4() == nil,
+	}, nil
 }
 
 // DeleteRule from the firewall by rule definition
 func (m *Manager) DeleteRule(rule fw.Rule) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
+
 	r, ok := rule.(*Rule)
 	if !ok {
 		return fmt.Errorf("invalid rule type")
 	}
+
 	client := m.ipv4Client
 	if r.v6 {
+		if m.ipv6Client == nil {
+			return fmt.Errorf("ipv6 is not supported")
+		}
 		client = m.ipv6Client
 	}
-	return client.Delete("filter", ChainFilterName, r.specs...)
+
+	if r.dst {
+		return client.Delete("filter", ChainOutputFilterName, r.specs...)
+	}
+	return client.Delete("filter", ChainInputFilterName, r.specs...)
 }
 
 // Reset firewall to the default state
 func (m *Manager) Reset() error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
-	if err := m.reset(m.ipv4Client, "filter", ChainFilterName); err != nil {
-		return fmt.Errorf("clean ipv4 firewall ACL chain: %w", err)
+
+	if err := m.reset(m.ipv4Client, "filter"); err != nil {
+		return fmt.Errorf("clean ipv4 firewall ACL input chain: %w", err)
 	}
-	if err := m.reset(m.ipv6Client, "filter", ChainFilterName); err != nil {
-		return fmt.Errorf("clean ipv6 firewall ACL chain: %w", err)
+	if m.ipv6Client != nil {
+		if err := m.reset(m.ipv6Client, "filter"); err != nil {
+			return fmt.Errorf("clean ipv6 firewall ACL input chain: %w", err)
+		}
 	}
+
 	return nil
 }
 
 // reset firewall chain, clear it and drop it
-func (m *Manager) reset(client *iptables.IPTables, table, chain string) error {
-	ok, err := client.ChainExists(table, chain)
+func (m *Manager) reset(client *iptables.IPTables, table string) error {
+	ok, err := client.ChainExists(table, ChainInputFilterName)
 	if err != nil {
-		return fmt.Errorf("failed to check if chain exists: %w", err)
+		return fmt.Errorf("failed to check if input chain exists: %w", err)
 	}
-	if !ok {
+	if ok {
+		specs := append([]string{"-i", m.wgIfaceName}, jumpNetbirdInputDefaultRule...)
+		if ok, err := client.Exists("filter", "INPUT", specs...); err != nil {
+			return err
+		} else if ok {
+			if err := client.Delete("filter", "INPUT", specs...); err != nil {
+				log.WithError(err).Errorf("failed to delete default input rule: %v", err)
+			}
+		}
+	}
+
+	ok, err = client.ChainExists(table, ChainOutputFilterName)
+	if err != nil {
+		return fmt.Errorf("failed to check if output chain exists: %w", err)
+	}
+	if ok {
+		specs := append([]string{"-o", m.wgIfaceName}, jumpNetbirdOutputDefaultRule...)
+		if ok, err := client.Exists("filter", "OUTPUT", specs...); err != nil {
+			return err
+		} else if ok {
+			if err := client.Delete("filter", "OUTPUT", specs...); err != nil {
+				log.WithError(err).Errorf("failed to delete default output rule: %v", err)
+			}
+		}
+	}
+
+	if err := client.ClearAndDeleteChain(table, ChainInputFilterName); err != nil {
+		log.Errorf("failed to clear and delete input chain: %v", err)
 		return nil
 	}
-	if err := client.ClearChain(table, ChainFilterName); err != nil {
-		return fmt.Errorf("failed to clear chain: %w", err)
+
+	if err := client.ClearAndDeleteChain(table, ChainOutputFilterName); err != nil {
+		log.Errorf("failed to clear and delete input chain: %v", err)
+		return nil
 	}
-	return client.DeleteChain(table, ChainFilterName)
+
+	return nil
 }
 
 // filterRuleSpecs returns the specs of a filtering rule
 func (m *Manager) filterRuleSpecs(
-	table string, chain string, ip net.IP, port string,
-	direction fw.Direction, action fw.Action, comment string,
+	table string, ip net.IP, protocol string, sPort, dPort string,
+	direction fw.RuleDirection, action fw.Action, comment string,
 ) (specs []string) {
-	if direction == fw.DirectionSrc {
-		specs = append(specs, "-s", ip.String())
+	matchByIP := true
+	// don't use IP matching if IP is ip 0.0.0.0
+	if s := ip.String(); s == "0.0.0.0" || s == "::" {
+		matchByIP = false
+	}
+	switch direction {
+	case fw.RuleDirectionIN:
+		if matchByIP {
+			specs = append(specs, "-s", ip.String())
+		}
+	case fw.RuleDirectionOUT:
+		if matchByIP {
+			specs = append(specs, "-d", ip.String())
+		}
+	}
+	if protocol != "all" {
+		specs = append(specs, "-p", protocol)
+	}
+	if sPort != "" {
+		specs = append(specs, "--sport", sPort)
+	}
+	if dPort != "" {
+		specs = append(specs, "--dport", dPort)
 	}
-	specs = append(specs, "-p", "tcp", "--dport", port)
 	specs = append(specs, "-j", m.actionToStr(action))
 	return append(specs, "-m", "comment", "--comment", comment)
 }
 
-// client returns corresponding iptables client for the given ip
-func (m *Manager) client(ip net.IP) *iptables.IPTables {
+// rawClient returns corresponding iptables client for the given ip
+func (m *Manager) rawClient(ip net.IP) (*iptables.IPTables, error) {
 	if ip.To4() != nil {
-		return m.ipv4Client
+		return m.ipv4Client, nil
 	}
-	return m.ipv6Client
+	if m.ipv6Client == nil {
+		return nil, fmt.Errorf("ipv6 is not supported")
+	}
+	return m.ipv6Client, nil
+}
+
+// client returns client with initialized chain and default rules
+func (m *Manager) client(ip net.IP) (*iptables.IPTables, error) {
+	client, err := m.rawClient(ip)
+	if err != nil {
+		return nil, err
+	}
+
+	ok, err := client.ChainExists("filter", ChainInputFilterName)
+	if err != nil {
+		return nil, fmt.Errorf("failed to check if chain exists: %w", err)
+	}
+
+	if !ok {
+		if err := client.NewChain("filter", ChainInputFilterName); err != nil {
+			return nil, fmt.Errorf("failed to create input chain: %w", err)
+		}
+
+		if err := client.AppendUnique("filter", ChainInputFilterName, dropAllDefaultRule...); err != nil {
+			return nil, fmt.Errorf("failed to create default drop all in netbird input chain: %w", err)
+		}
+
+		specs := append([]string{"-i", m.wgIfaceName}, jumpNetbirdInputDefaultRule...)
+		if err := client.AppendUnique("filter", "INPUT", specs...); err != nil {
+			return nil, fmt.Errorf("failed to create input chain jump rule: %w", err)
+		}
+
+	}
+
+	ok, err = client.ChainExists("filter", ChainOutputFilterName)
+	if err != nil {
+		return nil, fmt.Errorf("failed to check if chain exists: %w", err)
+	}
+
+	if !ok {
+		if err := client.NewChain("filter", ChainOutputFilterName); err != nil {
+			return nil, fmt.Errorf("failed to create output chain: %w", err)
+		}
+
+		if err := client.AppendUnique("filter", ChainOutputFilterName, dropAllDefaultRule...); err != nil {
+			return nil, fmt.Errorf("failed to create default drop all in netbird output chain: %w", err)
+		}
+
+		specs := append([]string{"-o", m.wgIfaceName}, jumpNetbirdOutputDefaultRule...)
+		if err := client.AppendUnique("filter", "OUTPUT", specs...); err != nil {
+			return nil, fmt.Errorf("failed to create output chain jump rule: %w", err)
+		}
+	}
+
+	return client, nil
 }
 
 func (m *Manager) actionToStr(action fw.Action) string {

client/firewall/iptables/manager_linux_test.go

@@ -1,105 +1,129 @@
 package iptables
 
 import (
+	"fmt"
 	"net"
 	"testing"
+	"time"
 
 	"github.com/coreos/go-iptables/iptables"
+	"github.com/stretchr/testify/require"
+
 	fw "github.com/netbirdio/netbird/client/firewall"
 )
 
-func TestNewManager(t *testing.T) {
+func TestIptablesManager(t *testing.T) {
 	ipv4Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
-	if err != nil {
-		t.Fatal(err)
-	}
+	require.NoError(t, err)
 
-	manager, err := Create()
-	if err != nil {
-		t.Fatal(err)
-	}
+	// just check on the local interface
+	manager, err := Create("lo")
+	require.NoError(t, err)
+	time.Sleep(time.Second)
+
+	defer func() {
+		if err := manager.Reset(); err != nil {
+			t.Errorf("clear the manager state: %v", err)
+		}
+		time.Sleep(time.Second)
+	}()
 
 	var rule1 fw.Rule
 	t.Run("add first rule", func(t *testing.T) {
 		ip := net.ParseIP("10.20.0.2")
-		port := &fw.Port{Proto: fw.PortProtocolTCP, Values: []int{8080}}
-		rule1, err = manager.AddFiltering(ip, port, fw.DirectionDst, fw.ActionAccept, "accept HTTP traffic")
-		if err != nil {
-			t.Errorf("failed to add rule: %v", err)
-		}
+		port := &fw.Port{Values: []int{8080}}
+		rule1, err = manager.AddFiltering(ip, "tcp", nil, port, fw.RuleDirectionOUT, fw.ActionAccept, "accept HTTP traffic")
+		require.NoError(t, err, "failed to add rule")
 
-		checkRuleSpecs(t, ipv4Client, true, rule1.(*Rule).specs...)
+		checkRuleSpecs(t, ipv4Client, ChainOutputFilterName, true, rule1.(*Rule).specs...)
 	})
 
 	var rule2 fw.Rule
 	t.Run("add second rule", func(t *testing.T) {
 		ip := net.ParseIP("10.20.0.3")
 		port := &fw.Port{
-			Proto:  fw.PortProtocolTCP,
 			Values: []int{8043: 8046},
 		}
 		rule2, err = manager.AddFiltering(
-			ip, port, fw.DirectionDst, fw.ActionAccept, "accept HTTPS traffic from ports range")
-		if err != nil {
-			t.Errorf("failed to add rule: %v", err)
-		}
+			ip, "tcp", port, nil, fw.RuleDirectionIN, fw.ActionAccept, "accept HTTPS traffic from ports range")
+		require.NoError(t, err, "failed to add rule")
 
-		checkRuleSpecs(t, ipv4Client, true, rule2.(*Rule).specs...)
+		checkRuleSpecs(t, ipv4Client, ChainInputFilterName, true, rule2.(*Rule).specs...)
 	})
 
 	t.Run("delete first rule", func(t *testing.T) {
 		if err := manager.DeleteRule(rule1); err != nil {
-			t.Errorf("failed to delete rule: %v", err)
+			require.NoError(t, err, "failed to delete rule")
 		}
 
-		checkRuleSpecs(t, ipv4Client, false, rule1.(*Rule).specs...)
+		checkRuleSpecs(t, ipv4Client, ChainOutputFilterName, false, rule1.(*Rule).specs...)
 	})
 
 	t.Run("delete second rule", func(t *testing.T) {
 		if err := manager.DeleteRule(rule2); err != nil {
-			t.Errorf("failed to delete rule: %v", err)
+			require.NoError(t, err, "failed to delete rule")
 		}
 
-		checkRuleSpecs(t, ipv4Client, false, rule2.(*Rule).specs...)
+		checkRuleSpecs(t, ipv4Client, ChainInputFilterName, false, rule2.(*Rule).specs...)
 	})
 
 	t.Run("reset check", func(t *testing.T) {
 		// add second rule
 		ip := net.ParseIP("10.20.0.3")
-		port := &fw.Port{Proto: fw.PortProtocolUDP, Values: []int{5353}}
-		_, err = manager.AddFiltering(ip, port, fw.DirectionDst, fw.ActionAccept, "accept Fake DNS traffic")
-		if err != nil {
-			t.Errorf("failed to add rule: %v", err)
-		}
+		port := &fw.Port{Values: []int{5353}}
+		_, err = manager.AddFiltering(ip, "udp", nil, port, fw.RuleDirectionOUT, fw.ActionAccept, "accept Fake DNS traffic")
+		require.NoError(t, err, "failed to add rule")
 
-		if err := manager.Reset(); err != nil {
-			t.Errorf("failed to reset: %v", err)
-		}
+		err = manager.Reset()
+		require.NoError(t, err, "failed to reset")
 
-		ok, err := ipv4Client.ChainExists("filter", ChainFilterName)
-		if err != nil {
-			t.Errorf("failed to drop chain: %v", err)
-		}
+		ok, err := ipv4Client.ChainExists("filter", ChainInputFilterName)
+		require.NoError(t, err, "failed check chain exists")
 
 		if ok {
-			t.Errorf("chain '%v' still exists after Reset", ChainFilterName)
+			require.NoErrorf(t, err, "chain '%v' still exists after Reset", ChainInputFilterName)
 		}
 	})
 }
 
-func checkRuleSpecs(t *testing.T, ipv4Client *iptables.IPTables, mustExists bool, rulespec ...string) {
-	exists, err := ipv4Client.Exists("filter", ChainFilterName, rulespec...)
-	if err != nil {
-		t.Errorf("failed to check rule: %v", err)
-		return
-	}
+func checkRuleSpecs(t *testing.T, ipv4Client *iptables.IPTables, chainName string, mustExists bool, rulespec ...string) {
+	exists, err := ipv4Client.Exists("filter", chainName, rulespec...)
+	require.NoError(t, err, "failed to check rule")
+	require.Falsef(t, !exists && mustExists, "rule '%v' does not exist", rulespec)
+	require.Falsef(t, exists && !mustExists, "rule '%v' exist", rulespec)
+}
 
-	if !exists && mustExists {
-		t.Errorf("rule '%v' does not exist", rulespec)
-		return
-	}
-	if exists && !mustExists {
-		t.Errorf("rule '%v' exist", rulespec)
-		return
+func TestIptablesCreatePerformance(t *testing.T) {
+	for _, testMax := range []int{10, 20, 30, 40, 50, 60, 70, 80, 90, 100, 200, 300, 400, 500, 600, 700, 800, 900, 1000} {
+		t.Run(fmt.Sprintf("Testing %d rules", testMax), func(t *testing.T) {
+			// just check on the local interface
+			manager, err := Create("lo")
+			require.NoError(t, err)
+			time.Sleep(time.Second)
+
+			defer func() {
+				if err := manager.Reset(); err != nil {
+					t.Errorf("clear the manager state: %v", err)
+				}
+				time.Sleep(time.Second)
+			}()
+
+			_, err = manager.client(net.ParseIP("10.20.0.100"))
+			require.NoError(t, err)
+
+			ip := net.ParseIP("10.20.0.100")
+			start := time.Now()
+			for i := 0; i < testMax; i++ {
+				port := &fw.Port{Values: []int{1000 + i}}
+				if i%2 == 0 {
+					_, err = manager.AddFiltering(ip, "tcp", nil, port, fw.RuleDirectionOUT, fw.ActionAccept, "accept HTTP traffic")
+				} else {
+					_, err = manager.AddFiltering(ip, "tcp", nil, port, fw.RuleDirectionIN, fw.ActionAccept, "accept HTTP traffic")
+				}
+
+				require.NoError(t, err, "failed to add rule")
+			}
+			t.Logf("execution avg per rule: %s", time.Since(start)/time.Duration(testMax))
+		})
 	}
 }

client/firewall/iptables/rule.go

@@ -4,6 +4,7 @@ package iptables
 type Rule struct {
 	id    string
 	specs []string
+	dst   bool
 	v6    bool
 }
 

client/firewall/nftables/manager_linux.go

@@ -0,0 +1,438 @@
+package nftables
+
+import (
+	"bytes"
+	"encoding/binary"
+	"fmt"
+	"net"
+	"net/netip"
+	"strings"
+	"sync"
+
+	"github.com/google/nftables"
+	"github.com/google/nftables/expr"
+	"github.com/google/uuid"
+	"golang.org/x/sys/unix"
+
+	fw "github.com/netbirdio/netbird/client/firewall"
+)
+
+const (
+	// FilterTableName is the name of the table that is used for filtering by the Netbird client
+	FilterTableName = "netbird-acl"
+
+	// FilterInputChainName is the name of the chain that is used for filtering incoming packets
+	FilterInputChainName = "netbird-acl-input-filter"
+
+	// FilterOutputChainName is the name of the chain that is used for filtering outgoing packets
+	FilterOutputChainName = "netbird-acl-output-filter"
+)
+
+// Manager of iptables firewall
+type Manager struct {
+	mutex sync.Mutex
+
+	conn      *nftables.Conn
+	tableIPv4 *nftables.Table
+	tableIPv6 *nftables.Table
+
+	filterInputChainIPv4  *nftables.Chain
+	filterOutputChainIPv4 *nftables.Chain
+
+	filterInputChainIPv6  *nftables.Chain
+	filterOutputChainIPv6 *nftables.Chain
+
+	wgIfaceName string
+}
+
+// Create nftables firewall manager
+func Create(wgIfaceName string) (*Manager, error) {
+	m := &Manager{
+		conn:        &nftables.Conn{},
+		wgIfaceName: wgIfaceName,
+	}
+
+	if err := m.Reset(); err != nil {
+		return nil, err
+	}
+
+	return m, nil
+}
+
+// AddFiltering rule to the firewall
+//
+// If comment argument is empty firewall manager should set
+// rule ID as comment for the rule
+func (m *Manager) AddFiltering(
+	ip net.IP,
+	proto fw.Protocol,
+	sPort *fw.Port,
+	dPort *fw.Port,
+	direction fw.RuleDirection,
+	action fw.Action,
+	comment string,
+) (fw.Rule, error) {
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+
+	var (
+		err   error
+		table *nftables.Table
+		chain *nftables.Chain
+	)
+
+	if direction == fw.RuleDirectionOUT {
+		table, chain, err = m.chain(
+			ip,
+			FilterOutputChainName,
+			nftables.ChainHookOutput,
+			nftables.ChainPriorityFilter,
+			nftables.ChainTypeFilter)
+	} else {
+		table, chain, err = m.chain(
+			ip,
+			FilterInputChainName,
+			nftables.ChainHookInput,
+			nftables.ChainPriorityFilter,
+			nftables.ChainTypeFilter)
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	ifaceKey := expr.MetaKeyIIFNAME
+	if direction == fw.RuleDirectionOUT {
+		ifaceKey = expr.MetaKeyOIFNAME
+	}
+	expressions := []expr.Any{
+		&expr.Meta{Key: ifaceKey, Register: 1},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     ifname(m.wgIfaceName),
+		},
+	}
+
+	if proto != "all" {
+		expressions = append(expressions, &expr.Payload{
+			DestRegister: 1,
+			Base:         expr.PayloadBaseNetworkHeader,
+			Offset:       uint32(9),
+			Len:          uint32(1),
+		})
+
+		var protoData []byte
+		switch proto {
+		case fw.ProtocolTCP:
+			protoData = []byte{unix.IPPROTO_TCP}
+		case fw.ProtocolUDP:
+			protoData = []byte{unix.IPPROTO_UDP}
+		case fw.ProtocolICMP:
+			protoData = []byte{unix.IPPROTO_ICMP}
+		default:
+			return nil, fmt.Errorf("unsupported protocol: %s", proto)
+		}
+		expressions = append(expressions, &expr.Cmp{
+			Register: 1,
+			Op:       expr.CmpOpEq,
+			Data:     protoData,
+		})
+	}
+
+	// don't use IP matching if IP is ip 0.0.0.0
+	if s := ip.String(); s != "0.0.0.0" && s != "::" {
+		// source address position
+		var adrLen, adrOffset uint32
+		if ip.To4() == nil {
+			adrLen = 16
+			adrOffset = 8
+		} else {
+			adrLen = 4
+			adrOffset = 12
+		}
+
+		// change to destination address position if need
+		if direction == fw.RuleDirectionOUT {
+			adrOffset += adrLen
+		}
+
+		ipToAdd, _ := netip.AddrFromSlice(ip)
+		add := ipToAdd.Unmap()
+
+		expressions = append(expressions,
+			&expr.Payload{
+				DestRegister: 1,
+				Base:         expr.PayloadBaseNetworkHeader,
+				Offset:       adrOffset,
+				Len:          adrLen,
+			},
+			&expr.Cmp{
+				Op:       expr.CmpOpEq,
+				Register: 1,
+				Data:     add.AsSlice(),
+			},
+		)
+	}
+
+	if sPort != nil && len(sPort.Values) != 0 {
+		expressions = append(expressions,
+			&expr.Payload{
+				DestRegister: 1,
+				Base:         expr.PayloadBaseTransportHeader,
+				Offset:       0,
+				Len:          2,
+			},
+			&expr.Cmp{
+				Op:       expr.CmpOpEq,
+				Register: 1,
+				Data:     encodePort(*sPort),
+			},
+		)
+	}
+
+	if dPort != nil && len(dPort.Values) != 0 {
+		expressions = append(expressions,
+			&expr.Payload{
+				DestRegister: 1,
+				Base:         expr.PayloadBaseTransportHeader,
+				Offset:       2,
+				Len:          2,
+			},
+			&expr.Cmp{
+				Op:       expr.CmpOpEq,
+				Register: 1,
+				Data:     encodePort(*dPort),
+			},
+		)
+	}
+
+	if action == fw.ActionAccept {
+		expressions = append(expressions, &expr.Verdict{Kind: expr.VerdictAccept})
+	} else {
+		expressions = append(expressions, &expr.Verdict{Kind: expr.VerdictDrop})
+	}
+
+	id := uuid.New().String()
+	userData := []byte(strings.Join([]string{id, comment}, " "))
+
+	_ = m.conn.InsertRule(&nftables.Rule{
+		Table:    table,
+		Chain:    chain,
+		Position: 0,
+		Exprs:    expressions,
+		UserData: userData,
+	})
+
+	if err := m.conn.Flush(); err != nil {
+		return nil, err
+	}
+
+	list, err := m.conn.GetRules(table, chain)
+	if err != nil {
+		return nil, err
+	}
+
+	// Add the rule to the chain
+	rule := &Rule{id: id}
+	for _, r := range list {
+		if bytes.Equal(r.UserData, userData) {
+			rule.Rule = r
+			break
+		}
+	}
+	if rule.Rule == nil {
+		return nil, fmt.Errorf("rule not found")
+	}
+
+	return rule, nil
+}
+
+// chain returns the chain for the given IP address with specific settings
+func (m *Manager) chain(
+	ip net.IP,
+	name string,
+	hook nftables.ChainHook,
+	priority nftables.ChainPriority,
+	cType nftables.ChainType,
+) (*nftables.Table, *nftables.Chain, error) {
+	var err error
+
+	getChain := func(c *nftables.Chain, tf nftables.TableFamily) (*nftables.Chain, error) {
+		if c != nil {
+			return c, nil
+		}
+		return m.createChainIfNotExists(tf, name, hook, priority, cType)
+	}
+
+	if ip.To4() != nil {
+		if name == FilterInputChainName {
+			m.filterInputChainIPv4, err = getChain(m.filterInputChainIPv4, nftables.TableFamilyIPv4)
+			return m.tableIPv4, m.filterInputChainIPv4, err
+		}
+		m.filterOutputChainIPv4, err = getChain(m.filterOutputChainIPv4, nftables.TableFamilyIPv4)
+		return m.tableIPv4, m.filterOutputChainIPv4, err
+	}
+	if name == FilterInputChainName {
+		m.filterInputChainIPv6, err = getChain(m.filterInputChainIPv6, nftables.TableFamilyIPv6)
+		return m.tableIPv4, m.filterInputChainIPv6, err
+	}
+	m.filterOutputChainIPv6, err = getChain(m.filterOutputChainIPv6, nftables.TableFamilyIPv6)
+	return m.tableIPv4, m.filterOutputChainIPv6, err
+}
+
+// table returns the table for the given family of the IP address
+func (m *Manager) table(family nftables.TableFamily) (*nftables.Table, error) {
+	if family == nftables.TableFamilyIPv4 {
+		if m.tableIPv4 != nil {
+			return m.tableIPv4, nil
+		}
+
+		table, err := m.createTableIfNotExists(nftables.TableFamilyIPv4)
+		if err != nil {
+			return nil, err
+		}
+		m.tableIPv4 = table
+		return m.tableIPv4, nil
+	}
+
+	if m.tableIPv6 != nil {
+		return m.tableIPv6, nil
+	}
+
+	table, err := m.createTableIfNotExists(nftables.TableFamilyIPv6)
+	if err != nil {
+		return nil, err
+	}
+	m.tableIPv6 = table
+	return m.tableIPv6, nil
+}
+
+func (m *Manager) createTableIfNotExists(family nftables.TableFamily) (*nftables.Table, error) {
+	tables, err := m.conn.ListTablesOfFamily(family)
+	if err != nil {
+		return nil, fmt.Errorf("list of tables: %w", err)
+	}
+
+	for _, t := range tables {
+		if t.Name == FilterTableName {
+			return t, nil
+		}
+	}
+
+	return m.conn.AddTable(&nftables.Table{Name: FilterTableName, Family: nftables.TableFamilyIPv4}), nil
+}
+
+func (m *Manager) createChainIfNotExists(
+	family nftables.TableFamily,
+	name string,
+	hooknum nftables.ChainHook,
+	priority nftables.ChainPriority,
+	chainType nftables.ChainType,
+) (*nftables.Chain, error) {
+	table, err := m.table(family)
+	if err != nil {
+		return nil, err
+	}
+
+	chains, err := m.conn.ListChainsOfTableFamily(family)
+	if err != nil {
+		return nil, fmt.Errorf("list of chains: %w", err)
+	}
+
+	for _, c := range chains {
+		if c.Name == name && c.Table.Name == table.Name {
+			return c, nil
+		}
+	}
+
+	polAccept := nftables.ChainPolicyAccept
+	chain := &nftables.Chain{
+		Name:     name,
+		Table:    table,
+		Hooknum:  hooknum,
+		Priority: priority,
+		Type:     chainType,
+		Policy:   &polAccept,
+	}
+
+	chain = m.conn.AddChain(chain)
+
+	ifaceKey := expr.MetaKeyIIFNAME
+	if name == FilterOutputChainName {
+		ifaceKey = expr.MetaKeyOIFNAME
+	}
+	expressions := []expr.Any{
+		&expr.Meta{Key: ifaceKey, Register: 1},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     ifname(m.wgIfaceName),
+		},
+		&expr.Verdict{Kind: expr.VerdictDrop},
+	}
+	_ = m.conn.AddRule(&nftables.Rule{
+		Table: table,
+		Chain: chain,
+		Exprs: expressions,
+	})
+
+	if err := m.conn.Flush(); err != nil {
+		return nil, err
+	}
+
+	return chain, nil
+}
+
+// DeleteRule from the firewall by rule definition
+func (m *Manager) DeleteRule(rule fw.Rule) error {
+	nativeRule, ok := rule.(*Rule)
+	if !ok {
+		return fmt.Errorf("invalid rule type")
+	}
+
+	if err := m.conn.DelRule(nativeRule.Rule); err != nil {
+		return err
+	}
+
+	return m.conn.Flush()
+}
+
+// Reset firewall to the default state
+func (m *Manager) Reset() error {
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+
+	chains, err := m.conn.ListChains()
+	if err != nil {
+		return fmt.Errorf("list of chains: %w", err)
+	}
+	for _, c := range chains {
+		if c.Name == FilterInputChainName || c.Name == FilterOutputChainName {
+			m.conn.DelChain(c)
+		}
+	}
+
+	tables, err := m.conn.ListTables()
+	if err != nil {
+		return fmt.Errorf("list of tables: %w", err)
+	}
+	for _, t := range tables {
+		if t.Name == FilterTableName {
+			m.conn.DelTable(t)
+		}
+	}
+
+	return m.conn.Flush()
+}
+
+func encodePort(port fw.Port) []byte {
+	bs := make([]byte, 2)
+	binary.BigEndian.PutUint16(bs, uint16(port.Values[0]))
+	return bs
+}
+
+func ifname(n string) []byte {
+	b := make([]byte, 16)
+	copy(b, []byte(n+"\x00"))
+	return b
+}

client/firewall/nftables/manager_linux_test.go

@@ -0,0 +1,137 @@
+package nftables
+
+import (
+	"fmt"
+	"net"
+	"net/netip"
+	"testing"
+	"time"
+
+	"github.com/google/nftables"
+	"github.com/google/nftables/expr"
+	"github.com/stretchr/testify/require"
+	"golang.org/x/sys/unix"
+
+	fw "github.com/netbirdio/netbird/client/firewall"
+)
+
+func TestNftablesManager(t *testing.T) {
+	// just check on the local interface
+	manager, err := Create("lo")
+	require.NoError(t, err)
+	time.Sleep(time.Second)
+
+	defer func() {
+		err = manager.Reset()
+		require.NoError(t, err, "failed to reset")
+		time.Sleep(time.Second)
+	}()
+
+	ip := net.ParseIP("100.96.0.1")
+
+	testClient := &nftables.Conn{}
+
+	rule, err := manager.AddFiltering(
+		ip,
+		fw.ProtocolTCP,
+		nil,
+		&fw.Port{Values: []int{53}},
+		fw.RuleDirectionIN,
+		fw.ActionDrop,
+		"",
+	)
+	require.NoError(t, err, "failed to add rule")
+
+	rules, err := testClient.GetRules(manager.tableIPv4, manager.filterInputChainIPv4)
+	require.NoError(t, err, "failed to get rules")
+	// 1 regular rule and other "drop all rule" for the interface
+	require.Len(t, rules, 2, "expected 1 rule")
+
+	ipToAdd, _ := netip.AddrFromSlice(ip)
+	add := ipToAdd.Unmap()
+	expectedExprs := []expr.Any{
+		&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     ifname("lo"),
+		},
+		&expr.Payload{
+			DestRegister: 1,
+			Base:         expr.PayloadBaseNetworkHeader,
+			Offset:       uint32(9),
+			Len:          uint32(1),
+		},
+		&expr.Cmp{
+			Register: 1,
+			Op:       expr.CmpOpEq,
+			Data:     []byte{unix.IPPROTO_TCP},
+		},
+		&expr.Payload{
+			DestRegister: 1,
+			Base:         expr.PayloadBaseNetworkHeader,
+			Offset:       12,
+			Len:          4,
+		},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     add.AsSlice(),
+		},
+		&expr.Payload{
+			DestRegister: 1,
+			Base:         expr.PayloadBaseTransportHeader,
+			Offset:       2,
+			Len:          2,
+		},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     []byte{0, 53},
+		},
+		&expr.Verdict{Kind: expr.VerdictDrop},
+	}
+	require.ElementsMatch(t, rules[0].Exprs, expectedExprs, "expected the same expressions")
+
+	err = manager.DeleteRule(rule)
+	require.NoError(t, err, "failed to delete rule")
+
+	rules, err = testClient.GetRules(manager.tableIPv4, manager.filterInputChainIPv4)
+	require.NoError(t, err, "failed to get rules")
+	require.Len(t, rules, 1, "expected 1 rules after deleteion")
+
+	err = manager.Reset()
+	require.NoError(t, err, "failed to reset")
+}
+
+func TestNFtablesCreatePerformance(t *testing.T) {
+	for _, testMax := range []int{10, 20, 30, 40, 50, 60, 70, 80, 90, 100, 200, 300, 400, 500, 600, 700, 800, 900, 1000} {
+		t.Run(fmt.Sprintf("Testing %d rules", testMax), func(t *testing.T) {
+			// just check on the local interface
+			manager, err := Create("lo")
+			require.NoError(t, err)
+			time.Sleep(time.Second)
+
+			defer func() {
+				if err := manager.Reset(); err != nil {
+					t.Errorf("clear the manager state: %v", err)
+				}
+				time.Sleep(time.Second)
+			}()
+
+			ip := net.ParseIP("10.20.0.100")
+			start := time.Now()
+			for i := 0; i < testMax; i++ {
+				port := &fw.Port{Values: []int{1000 + i}}
+				if i%2 == 0 {
+					_, err = manager.AddFiltering(ip, "tcp", nil, port, fw.RuleDirectionOUT, fw.ActionAccept, "accept HTTP traffic")
+				} else {
+					_, err = manager.AddFiltering(ip, "tcp", nil, port, fw.RuleDirectionIN, fw.ActionAccept, "accept HTTP traffic")
+				}
+
+				require.NoError(t, err, "failed to add rule")
+			}
+			t.Logf("execution avg per rule: %s", time.Since(start)/time.Duration(testMax))
+		})
+	}
+}

client/firewall/nftables/rule_linux.go

@@ -0,0 +1,16 @@
+package nftables
+
+import (
+	"github.com/google/nftables"
+)
+
+// Rule to handle management of rules
+type Rule struct {
+	*nftables.Rule
+	id string
+}
+
+// GetRuleID returns the rule id
+func (r *Rule) GetRuleID() string {
+	return r.id
+}

client/firewall/port.go

@@ -1,14 +1,23 @@
 package firewall
 
-// PortProtocol is the protocol of the port
-type PortProtocol string
+// Protocol is the protocol of the port
+type Protocol string
 
 const (
-	// PortProtocolTCP is the TCP protocol
-	PortProtocolTCP PortProtocol = "tcp"
+	// ProtocolTCP is the TCP protocol
+	ProtocolTCP Protocol = "tcp"
 
-	// PortProtocolUDP is the UDP protocol
-	PortProtocolUDP PortProtocol = "udp"
+	// ProtocolUDP is the UDP protocol
+	ProtocolUDP Protocol = "udp"
+
+	// ProtocolICMP is the ICMP protocol
+	ProtocolICMP Protocol = "icmp"
+
+	// ProtocolALL cover all supported protocols
+	ProtocolALL Protocol = "all"
+
+	// ProtocolUnknown unknown protocol
+	ProtocolUnknown Protocol = "unknown"
 )
 
 // Port of the address for firewall rule
@@ -18,7 +27,4 @@ type Port struct {
 
 	// Values contains one value for single port, multiple values for the list of ports, or two values for the range of ports
 	Values []int
-
-	// Proto is the protocol of the port
-	Proto PortProtocol
 }

client/firewall/uspfilter/rule.go

@@ -0,0 +1,28 @@
+package uspfilter
+
+import (
+	"net"
+
+	"github.com/google/gopacket"
+
+	fw "github.com/netbirdio/netbird/client/firewall"
+)
+
+// Rule to handle management of rules
+type Rule struct {
+	id         string
+	ip         net.IP
+	ipLayer    gopacket.LayerType
+	matchByIP  bool
+	protoLayer gopacket.LayerType
+	direction  fw.RuleDirection
+	sPort      uint16
+	dPort      uint16
+	drop       bool
+	comment    string
+}
+
+// GetRuleID returns the rule id
+func (r *Rule) GetRuleID() string {
+	return r.id
+}

client/firewall/uspfilter/uspfilter.go

@@ -0,0 +1,298 @@
+package uspfilter
+
+import (
+	"fmt"
+	"net"
+	"sync"
+
+	"github.com/google/gopacket"
+	"github.com/google/gopacket/layers"
+	"github.com/google/uuid"
+	log "github.com/sirupsen/logrus"
+
+	fw "github.com/netbirdio/netbird/client/firewall"
+	"github.com/netbirdio/netbird/iface"
+)
+
+const layerTypeAll = 0
+
+// IFaceMapper defines subset methods of interface required for manager
+type IFaceMapper interface {
+	SetFiltering(iface.PacketFilter) error
+}
+
+// Manager userspace firewall manager
+type Manager struct {
+	outgoingRules []Rule
+	incomingRules []Rule
+	rulesIndex    map[string]int
+	wgNetwork     *net.IPNet
+	decoders      sync.Pool
+
+	mutex sync.RWMutex
+}
+
+// decoder for packages
+type decoder struct {
+	eth     layers.Ethernet
+	ip4     layers.IPv4
+	ip6     layers.IPv6
+	tcp     layers.TCP
+	udp     layers.UDP
+	icmp4   layers.ICMPv4
+	icmp6   layers.ICMPv6
+	decoded []gopacket.LayerType
+	parser  *gopacket.DecodingLayerParser
+}
+
+// Create userspace firewall manager constructor
+func Create(iface IFaceMapper) (*Manager, error) {
+	m := &Manager{
+		rulesIndex: make(map[string]int),
+		decoders: sync.Pool{
+			New: func() any {
+				d := &decoder{
+					decoded: []gopacket.LayerType{},
+				}
+				d.parser = gopacket.NewDecodingLayerParser(
+					layers.LayerTypeIPv4,
+					&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
+				)
+				d.parser.IgnoreUnsupported = true
+				return d
+			},
+		},
+	}
+
+	if err := iface.SetFiltering(m); err != nil {
+		return nil, err
+	}
+	return m, nil
+}
+
+// AddFiltering rule to the firewall
+//
+// If comment argument is empty firewall manager should set
+// rule ID as comment for the rule
+func (m *Manager) AddFiltering(
+	ip net.IP,
+	proto fw.Protocol,
+	sPort *fw.Port,
+	dPort *fw.Port,
+	direction fw.RuleDirection,
+	action fw.Action,
+	comment string,
+) (fw.Rule, error) {
+	r := Rule{
+		id:        uuid.New().String(),
+		ip:        ip,
+		ipLayer:   layers.LayerTypeIPv6,
+		matchByIP: true,
+		direction: direction,
+		drop:      action == fw.ActionDrop,
+		comment:   comment,
+	}
+	if ipNormalized := ip.To4(); ipNormalized != nil {
+		r.ipLayer = layers.LayerTypeIPv4
+		r.ip = ipNormalized
+	}
+
+	if s := r.ip.String(); s == "0.0.0.0" || s == "::" {
+		r.matchByIP = false
+	}
+
+	if sPort != nil && len(sPort.Values) == 1 {
+		r.sPort = uint16(sPort.Values[0])
+	}
+
+	if dPort != nil && len(dPort.Values) == 1 {
+		r.dPort = uint16(dPort.Values[0])
+	}
+
+	switch proto {
+	case fw.ProtocolTCP:
+		r.protoLayer = layers.LayerTypeTCP
+	case fw.ProtocolUDP:
+		r.protoLayer = layers.LayerTypeUDP
+	case fw.ProtocolICMP:
+		r.protoLayer = layers.LayerTypeICMPv4
+		if r.ipLayer == layers.LayerTypeIPv6 {
+			r.protoLayer = layers.LayerTypeICMPv6
+		}
+	case fw.ProtocolALL:
+		r.protoLayer = layerTypeAll
+	}
+
+	m.mutex.Lock()
+	var p int
+	if direction == fw.RuleDirectionIN {
+		m.incomingRules = append(m.incomingRules, r)
+		p = len(m.incomingRules) - 1
+	} else {
+		m.outgoingRules = append(m.outgoingRules, r)
+		p = len(m.outgoingRules) - 1
+	}
+	m.rulesIndex[r.id] = p
+	m.mutex.Unlock()
+
+	return &r, nil
+}
+
+// DeleteRule from the firewall by rule definition
+func (m *Manager) DeleteRule(rule fw.Rule) error {
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+
+	r, ok := rule.(*Rule)
+	if !ok {
+		return fmt.Errorf("delete rule: invalid rule type: %T", rule)
+	}
+
+	p, ok := m.rulesIndex[r.id]
+	if !ok {
+		return fmt.Errorf("delete rule: no rule with such id: %v", r.id)
+	}
+	delete(m.rulesIndex, r.id)
+
+	var toUpdate []Rule
+	if r.direction == fw.RuleDirectionIN {
+		m.incomingRules = append(m.incomingRules[:p], m.incomingRules[p+1:]...)
+		toUpdate = m.incomingRules
+	} else {
+		m.outgoingRules = append(m.outgoingRules[:p], m.outgoingRules[p+1:]...)
+		toUpdate = m.outgoingRules
+	}
+
+	for i := 0; i < len(toUpdate); i++ {
+		m.rulesIndex[toUpdate[i].id] = i
+	}
+	return nil
+}
+
+// Reset firewall to the default state
+func (m *Manager) Reset() error {
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+
+	m.outgoingRules = m.outgoingRules[:0]
+	m.incomingRules = m.incomingRules[:0]
+	m.rulesIndex = make(map[string]int)
+
+	return nil
+}
+
+// DropOutgoing filter outgoing packets
+func (m *Manager) DropOutgoing(packetData []byte) bool {
+	return m.dropFilter(packetData, m.outgoingRules, false)
+}
+
+// DropIncoming filter incoming packets
+func (m *Manager) DropIncoming(packetData []byte) bool {
+	return m.dropFilter(packetData, m.incomingRules, true)
+}
+
+// dropFilter imlements same logic for booth direction of the traffic
+func (m *Manager) dropFilter(packetData []byte, rules []Rule, isIncomingPacket bool) bool {
+	m.mutex.RLock()
+	defer m.mutex.RUnlock()
+
+	d := m.decoders.Get().(*decoder)
+	defer m.decoders.Put(d)
+
+	if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
+		log.Tracef("couldn't decode layer, err: %s", err)
+		return true
+	}
+
+	if len(d.decoded) < 2 {
+		log.Tracef("not enough levels in network packet")
+		return true
+	}
+
+	ipLayer := d.decoded[0]
+
+	switch ipLayer {
+	case layers.LayerTypeIPv4:
+		if !m.wgNetwork.Contains(d.ip4.SrcIP) || !m.wgNetwork.Contains(d.ip4.DstIP) {
+			return false
+		}
+	case layers.LayerTypeIPv6:
+		if !m.wgNetwork.Contains(d.ip6.SrcIP) || !m.wgNetwork.Contains(d.ip6.DstIP) {
+			return false
+		}
+	default:
+		log.Errorf("unknown layer: %v", d.decoded[0])
+		return true
+	}
+	payloadLayer := d.decoded[1]
+
+	// check if IP address match by IP
+	for _, rule := range rules {
+		if rule.matchByIP {
+			switch ipLayer {
+			case layers.LayerTypeIPv4:
+				if isIncomingPacket {
+					if !d.ip4.SrcIP.Equal(rule.ip) {
+						continue
+					}
+				} else {
+					if !d.ip4.DstIP.Equal(rule.ip) {
+						continue
+					}
+				}
+			case layers.LayerTypeIPv6:
+				if isIncomingPacket {
+					if !d.ip6.SrcIP.Equal(rule.ip) {
+						continue
+					}
+				} else {
+					if !d.ip6.DstIP.Equal(rule.ip) {
+						continue
+					}
+				}
+			}
+		}
+
+		if rule.protoLayer == layerTypeAll {
+			return rule.drop
+		}
+
+		if payloadLayer != rule.protoLayer {
+			continue
+		}
+
+		switch payloadLayer {
+		case layers.LayerTypeTCP:
+			if rule.sPort == 0 && rule.dPort == 0 {
+				return rule.drop
+			}
+			if rule.sPort != 0 && rule.sPort == uint16(d.tcp.SrcPort) {
+				return rule.drop
+			}
+			if rule.dPort != 0 && rule.dPort == uint16(d.tcp.DstPort) {
+				return rule.drop
+			}
+		case layers.LayerTypeUDP:
+			if rule.sPort == 0 && rule.dPort == 0 {
+				return rule.drop
+			}
+			if rule.sPort != 0 && rule.sPort == uint16(d.udp.SrcPort) {
+				return rule.drop
+			}
+			if rule.dPort != 0 && rule.dPort == uint16(d.udp.DstPort) {
+				return rule.drop
+			}
+			return rule.drop
+		case layers.LayerTypeICMPv4, layers.LayerTypeICMPv6:
+			return rule.drop
+		}
+	}
+
+	// default policy is DROP ALL
+	return true
+}
+
+// SetNetwork of the wireguard interface to which filtering applied
+func (m *Manager) SetNetwork(network *net.IPNet) {
+	m.wgNetwork = network
+}

client/firewall/uspfilter/uspfilter_test.go

@@ -0,0 +1,275 @@
+package uspfilter
+
+import (
+	"fmt"
+	"net"
+	"testing"
+	"time"
+
+	"github.com/google/gopacket"
+	"github.com/google/gopacket/layers"
+	"github.com/stretchr/testify/require"
+
+	fw "github.com/netbirdio/netbird/client/firewall"
+	"github.com/netbirdio/netbird/iface"
+)
+
+type IFaceMock struct {
+	SetFilteringFunc func(iface.PacketFilter) error
+}
+
+func (i *IFaceMock) SetFiltering(iface iface.PacketFilter) error {
+	if i.SetFilteringFunc == nil {
+		return fmt.Errorf("not implemented")
+	}
+	return i.SetFilteringFunc(iface)
+}
+
+func TestManagerCreate(t *testing.T) {
+	ifaceMock := &IFaceMock{
+		SetFilteringFunc: func(iface.PacketFilter) error { return nil },
+	}
+
+	m, err := Create(ifaceMock)
+	if err != nil {
+		t.Errorf("failed to create Manager: %v", err)
+		return
+	}
+
+	if m == nil {
+		t.Error("Manager is nil")
+	}
+}
+
+func TestManagerAddFiltering(t *testing.T) {
+	isSetFilteringCalled := false
+	ifaceMock := &IFaceMock{
+		SetFilteringFunc: func(iface.PacketFilter) error {
+			isSetFilteringCalled = true
+			return nil
+		},
+	}
+
+	m, err := Create(ifaceMock)
+	if err != nil {
+		t.Errorf("failed to create Manager: %v", err)
+		return
+	}
+
+	ip := net.ParseIP("192.168.1.1")
+	proto := fw.ProtocolTCP
+	port := &fw.Port{Values: []int{80}}
+	direction := fw.RuleDirectionOUT
+	action := fw.ActionDrop
+	comment := "Test rule"
+
+	rule, err := m.AddFiltering(ip, proto, nil, port, direction, action, comment)
+	if err != nil {
+		t.Errorf("failed to add filtering: %v", err)
+		return
+	}
+
+	if rule == nil {
+		t.Error("Rule is nil")
+		return
+	}
+
+	if !isSetFilteringCalled {
+		t.Error("SetFiltering was not called")
+		return
+	}
+}
+
+func TestManagerDeleteRule(t *testing.T) {
+	ifaceMock := &IFaceMock{
+		SetFilteringFunc: func(iface.PacketFilter) error { return nil },
+	}
+
+	m, err := Create(ifaceMock)
+	if err != nil {
+		t.Errorf("failed to create Manager: %v", err)
+		return
+	}
+
+	ip := net.ParseIP("192.168.1.1")
+	proto := fw.ProtocolTCP
+	port := &fw.Port{Values: []int{80}}
+	direction := fw.RuleDirectionOUT
+	action := fw.ActionDrop
+	comment := "Test rule"
+
+	rule, err := m.AddFiltering(ip, proto, nil, port, direction, action, comment)
+	if err != nil {
+		t.Errorf("failed to add filtering: %v", err)
+		return
+	}
+
+	ip = net.ParseIP("192.168.1.1")
+	proto = fw.ProtocolTCP
+	port = &fw.Port{Values: []int{80}}
+	direction = fw.RuleDirectionIN
+	action = fw.ActionDrop
+	comment = "Test rule 2"
+
+	rule2, err := m.AddFiltering(ip, proto, nil, port, direction, action, comment)
+	if err != nil {
+		t.Errorf("failed to add filtering: %v", err)
+		return
+	}
+
+	err = m.DeleteRule(rule)
+	if err != nil {
+		t.Errorf("failed to delete rule: %v", err)
+		return
+	}
+
+	if idx, ok := m.rulesIndex[rule2.GetRuleID()]; !ok || len(m.incomingRules) != 1 || idx != 0 {
+		t.Errorf("rule2 is not in the rulesIndex")
+	}
+
+	err = m.DeleteRule(rule2)
+	if err != nil {
+		t.Errorf("failed to delete rule: %v", err)
+		return
+	}
+
+	if len(m.rulesIndex) != 0 || len(m.incomingRules) != 0 {
+		t.Errorf("rule1 still in the rulesIndex")
+	}
+}
+
+func TestManagerReset(t *testing.T) {
+	ifaceMock := &IFaceMock{
+		SetFilteringFunc: func(iface.PacketFilter) error { return nil },
+	}
+
+	m, err := Create(ifaceMock)
+	if err != nil {
+		t.Errorf("failed to create Manager: %v", err)
+		return
+	}
+
+	ip := net.ParseIP("192.168.1.1")
+	proto := fw.ProtocolTCP
+	port := &fw.Port{Values: []int{80}}
+	direction := fw.RuleDirectionOUT
+	action := fw.ActionDrop
+	comment := "Test rule"
+
+	_, err = m.AddFiltering(ip, proto, nil, port, direction, action, comment)
+	if err != nil {
+		t.Errorf("failed to add filtering: %v", err)
+		return
+	}
+
+	err = m.Reset()
+	if err != nil {
+		t.Errorf("failed to reset Manager: %v", err)
+		return
+	}
+
+	if len(m.rulesIndex) != 0 || len(m.outgoingRules) != 0 || len(m.incomingRules) != 0 {
+		t.Errorf("rules is not empty")
+	}
+}
+
+func TestNotMatchByIP(t *testing.T) {
+	ifaceMock := &IFaceMock{
+		SetFilteringFunc: func(iface.PacketFilter) error { return nil },
+	}
+
+	m, err := Create(ifaceMock)
+	if err != nil {
+		t.Errorf("failed to create Manager: %v", err)
+		return
+	}
+	m.wgNetwork = &net.IPNet{
+		IP:   net.ParseIP("100.10.0.0"),
+		Mask: net.CIDRMask(16, 32),
+	}
+
+	ip := net.ParseIP("0.0.0.0")
+	proto := fw.ProtocolUDP
+	direction := fw.RuleDirectionOUT
+	action := fw.ActionAccept
+	comment := "Test rule"
+
+	_, err = m.AddFiltering(ip, proto, nil, nil, direction, action, comment)
+	if err != nil {
+		t.Errorf("failed to add filtering: %v", err)
+		return
+	}
+
+	ipv4 := &layers.IPv4{
+		TTL:      64,
+		Version:  4,
+		SrcIP:    net.ParseIP("100.10.0.1"),
+		DstIP:    net.ParseIP("100.10.0.100"),
+		Protocol: layers.IPProtocolUDP,
+	}
+	udp := &layers.UDP{
+		SrcPort: 51334,
+		DstPort: 53,
+	}
+
+	if err := udp.SetNetworkLayerForChecksum(ipv4); err != nil {
+		t.Errorf("failed to set network layer for checksum: %v", err)
+		return
+	}
+	payload := gopacket.Payload([]byte("test"))
+
+	buf := gopacket.NewSerializeBuffer()
+	opts := gopacket.SerializeOptions{
+		ComputeChecksums: true,
+		FixLengths:       true,
+	}
+	if err = gopacket.SerializeLayers(buf, opts, ipv4, udp, payload); err != nil {
+		t.Errorf("failed to serialize packet: %v", err)
+		return
+	}
+
+	if m.dropFilter(buf.Bytes(), m.outgoingRules, false) {
+		t.Errorf("expected packet to be accepted")
+		return
+	}
+
+	if err = m.Reset(); err != nil {
+		t.Errorf("failed to reset Manager: %v", err)
+		return
+	}
+}
+
+func TestUSPFilterCreatePerformance(t *testing.T) {
+	for _, testMax := range []int{10, 20, 30, 40, 50, 60, 70, 80, 90, 100, 200, 300, 400, 500, 600, 700, 800, 900, 1000} {
+		t.Run(fmt.Sprintf("Testing %d rules", testMax), func(t *testing.T) {
+			// just check on the local interface
+			ifaceMock := &IFaceMock{
+				SetFilteringFunc: func(iface.PacketFilter) error { return nil },
+			}
+			manager, err := Create(ifaceMock)
+			require.NoError(t, err)
+			time.Sleep(time.Second)
+
+			defer func() {
+				if err := manager.Reset(); err != nil {
+					t.Errorf("clear the manager state: %v", err)
+				}
+				time.Sleep(time.Second)
+			}()
+
+			ip := net.ParseIP("10.20.0.100")
+			start := time.Now()
+			for i := 0; i < testMax; i++ {
+				port := &fw.Port{Values: []int{1000 + i}}
+				if i%2 == 0 {
+					_, err = manager.AddFiltering(ip, "tcp", nil, port, fw.RuleDirectionOUT, fw.ActionAccept, "accept HTTP traffic")
+				} else {
+					_, err = manager.AddFiltering(ip, "tcp", nil, port, fw.RuleDirectionIN, fw.ActionAccept, "accept HTTP traffic")
+				}
+
+				require.NoError(t, err, "failed to add rule")
+			}
+			t.Logf("execution avg per rule: %s", time.Since(start)/time.Duration(testMax))
+		})
+	}
+}

client/internal/acl/manager.go

@@ -0,0 +1,376 @@
+package acl
+
+import (
+	"fmt"
+	"net"
+	"strconv"
+	"sync"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/firewall"
+	"github.com/netbirdio/netbird/client/ssh"
+	"github.com/netbirdio/netbird/iface"
+	mgmProto "github.com/netbirdio/netbird/management/proto"
+)
+
+// iFaceMapper defines subset methods of interface required for manager
+type iFaceMapper interface {
+	Name() string
+	IsUserspaceBind() bool
+	SetFiltering(iface.PacketFilter) error
+}
+
+// Manager is a ACL rules manager
+type Manager interface {
+	ApplyFiltering(networkMap *mgmProto.NetworkMap)
+	Stop()
+}
+
+// DefaultManager uses firewall manager to handle
+type DefaultManager struct {
+	manager    firewall.Manager
+	rulesPairs map[string][]firewall.Rule
+	mutex      sync.Mutex
+}
+
+// ApplyFiltering firewall rules to the local firewall manager processed by ACL policy.
+//
+// If allowByDefault is ture it appends allow ALL traffic rules to input and output chains.
+func (d *DefaultManager) ApplyFiltering(networkMap *mgmProto.NetworkMap) {
+	d.mutex.Lock()
+	defer d.mutex.Unlock()
+
+	if d.manager == nil {
+		log.Debug("firewall manager is not supported, skipping firewall rules")
+		return
+	}
+
+	rules, squashedProtocols := d.squashAcceptRules(networkMap)
+
+	enableSSH := (networkMap.PeerConfig != nil &&
+		networkMap.PeerConfig.SshConfig != nil &&
+		networkMap.PeerConfig.SshConfig.SshEnabled)
+	if _, ok := squashedProtocols[mgmProto.FirewallRule_ALL]; ok {
+		enableSSH = enableSSH && !ok
+	}
+	if _, ok := squashedProtocols[mgmProto.FirewallRule_TCP]; ok {
+		enableSSH = enableSSH && !ok
+	}
+
+	// if TCP protocol rules not squashed and SSH enabled
+	// we add default firewall rule which accepts connection to any peer
+	// in the network by SSH (TCP 22 port).
+	if enableSSH {
+		rules = append(rules, &mgmProto.FirewallRule{
+			PeerIP:    "0.0.0.0",
+			Direction: mgmProto.FirewallRule_IN,
+			Action:    mgmProto.FirewallRule_ACCEPT,
+			Protocol:  mgmProto.FirewallRule_TCP,
+			Port:      strconv.Itoa(ssh.DefaultSSHPort),
+		})
+	}
+
+	// if we got empty rules list but management not set networkMap.FirewallRulesIsEmpty flag
+	// we have old version of management without rules handling, we should allow all traffic
+	if len(networkMap.FirewallRules) == 0 && !networkMap.FirewallRulesIsEmpty {
+		log.Warn("this peer is connected to a NetBird Management service with an older version. Allowing all traffic from connected peers")
+		rules = append(rules,
+			&mgmProto.FirewallRule{
+				PeerIP:    "0.0.0.0",
+				Direction: mgmProto.FirewallRule_IN,
+				Action:    mgmProto.FirewallRule_ACCEPT,
+				Protocol:  mgmProto.FirewallRule_ALL,
+			},
+			&mgmProto.FirewallRule{
+				PeerIP:    "0.0.0.0",
+				Direction: mgmProto.FirewallRule_OUT,
+				Action:    mgmProto.FirewallRule_ACCEPT,
+				Protocol:  mgmProto.FirewallRule_ALL,
+			},
+		)
+	}
+
+	applyFailed := false
+	newRulePairs := make(map[string][]firewall.Rule)
+	for _, r := range rules {
+		rulePair, err := d.protoRuleToFirewallRule(r)
+		if err != nil {
+			log.Errorf("failed to apply firewall rule: %+v, %v", r, err)
+			applyFailed = true
+			break
+		}
+		newRulePairs[rulePair[0].GetRuleID()] = rulePair
+	}
+	if applyFailed {
+		log.Error("failed to apply firewall rules, rollback ACL to previous state")
+		for _, rules := range newRulePairs {
+			for _, rule := range rules {
+				if err := d.manager.DeleteRule(rule); err != nil {
+					log.Errorf("failed to delete new firewall rule (id: %v) during rollback: %v", rule.GetRuleID(), err)
+					continue
+				}
+			}
+		}
+		return
+	}
+
+	for pairID, rules := range d.rulesPairs {
+		if _, ok := newRulePairs[pairID]; !ok {
+			for _, rule := range rules {
+				if err := d.manager.DeleteRule(rule); err != nil {
+					log.Errorf("failed to delete firewall rule: %v", err)
+					continue
+				}
+			}
+			delete(d.rulesPairs, pairID)
+		}
+	}
+	d.rulesPairs = newRulePairs
+}
+
+// Stop ACL controller and clear firewall state
+func (d *DefaultManager) Stop() {
+	d.mutex.Lock()
+	defer d.mutex.Unlock()
+
+	if err := d.manager.Reset(); err != nil {
+		log.WithError(err).Error("reset firewall state")
+	}
+}
+
+func (d *DefaultManager) protoRuleToFirewallRule(r *mgmProto.FirewallRule) ([]firewall.Rule, error) {
+	ip := net.ParseIP(r.PeerIP)
+	if ip == nil {
+		return nil, fmt.Errorf("invalid IP address, skipping firewall rule")
+	}
+
+	protocol := convertToFirewallProtocol(r.Protocol)
+	if protocol == firewall.ProtocolUnknown {
+		return nil, fmt.Errorf("invalid protocol type: %d, skipping firewall rule", r.Protocol)
+	}
+
+	action := convertFirewallAction(r.Action)
+	if action == firewall.ActionUnknown {
+		return nil, fmt.Errorf("invalid action type: %d, skipping firewall rule", r.Action)
+	}
+
+	var port *firewall.Port
+	if r.Port != "" {
+		value, err := strconv.Atoi(r.Port)
+		if err != nil {
+			return nil, fmt.Errorf("invalid port, skipping firewall rule")
+		}
+		port = &firewall.Port{
+			Values: []int{value},
+		}
+	}
+
+	var rules []firewall.Rule
+	var err error
+	switch r.Direction {
+	case mgmProto.FirewallRule_IN:
+		rules, err = d.addInRules(ip, protocol, port, action, "")
+	case mgmProto.FirewallRule_OUT:
+		rules, err = d.addOutRules(ip, protocol, port, action, "")
+	default:
+		return nil, fmt.Errorf("invalid direction, skipping firewall rule")
+	}
+
+	if err != nil {
+		return nil, err
+	}
+
+	d.rulesPairs[rules[0].GetRuleID()] = rules
+	return rules, nil
+}
+
+func (d *DefaultManager) addInRules(ip net.IP, protocol firewall.Protocol, port *firewall.Port, action firewall.Action, comment string) ([]firewall.Rule, error) {
+	var rules []firewall.Rule
+	rule, err := d.manager.AddFiltering(ip, protocol, nil, port, firewall.RuleDirectionIN, action, comment)
+	if err != nil {
+		return nil, fmt.Errorf("failed to add firewall rule: %v", err)
+	}
+	rules = append(rules, rule)
+
+	if shouldSkipInvertedRule(protocol, port) {
+		return rules, nil
+	}
+
+	rule, err = d.manager.AddFiltering(ip, protocol, port, nil, firewall.RuleDirectionOUT, action, comment)
+	if err != nil {
+		return nil, fmt.Errorf("failed to add firewall rule: %v", err)
+	}
+
+	return append(rules, rule), nil
+}
+
+func (d *DefaultManager) addOutRules(ip net.IP, protocol firewall.Protocol, port *firewall.Port, action firewall.Action, comment string) ([]firewall.Rule, error) {
+	var rules []firewall.Rule
+	rule, err := d.manager.AddFiltering(ip, protocol, nil, port, firewall.RuleDirectionOUT, action, comment)
+	if err != nil {
+		return nil, fmt.Errorf("failed to add firewall rule: %v", err)
+	}
+	rules = append(rules, rule)
+
+	if shouldSkipInvertedRule(protocol, port) {
+		return rules, nil
+	}
+
+	rule, err = d.manager.AddFiltering(ip, protocol, port, nil, firewall.RuleDirectionIN, action, comment)
+	if err != nil {
+		return nil, fmt.Errorf("failed to add firewall rule: %v", err)
+	}
+
+	return append(rules, rule), nil
+}
+
+// squashAcceptRules does complex logic to convert many rules which allows connection by traffic type
+// to all peers in the network map to one rule which just accepts that type of the traffic.
+//
+// NOTE: It will not squash two rules for same protocol if one covers all peers in the network,
+// but other has port definitions or has drop policy.
+func (d *DefaultManager) squashAcceptRules(
+	networkMap *mgmProto.NetworkMap,
+) ([]*mgmProto.FirewallRule, map[mgmProto.FirewallRuleProtocol]struct{}) {
+	totalIPs := 0
+	for _, p := range networkMap.RemotePeers {
+		for range p.AllowedIps {
+			totalIPs++
+		}
+	}
+
+	type protoMatch map[mgmProto.FirewallRuleProtocol]map[string]int
+
+	in := protoMatch{}
+	out := protoMatch{}
+
+	// this function we use to do calculation, can we squash the rules by protocol or not.
+	// We summ amount of Peers IP for given protocol we found in original rules list.
+	// But we zeroed the IP's for protocol if:
+	// 1. Any of the rule has DROP action type.
+	// 2. Any of rule contains Port.
+	//
+	// We zeroed this to notify squash function that this protocol can't be squashed.
+	addRuleToCalculationMap := func(i int, r *mgmProto.FirewallRule, protocols protoMatch) {
+		drop := r.Action == mgmProto.FirewallRule_DROP || r.Port != ""
+		if drop {
+			protocols[r.Protocol] = map[string]int{}
+			return
+		}
+		if _, ok := protocols[r.Protocol]; !ok {
+			protocols[r.Protocol] = map[string]int{}
+		}
+		match := protocols[r.Protocol]
+
+		if _, ok := match[r.PeerIP]; ok {
+			return
+		}
+		match[r.PeerIP] = i
+	}
+
+	for i, r := range networkMap.FirewallRules {
+		// calculate squash for different directions
+		if r.Direction == mgmProto.FirewallRule_IN {
+			addRuleToCalculationMap(i, r, in)
+		} else {
+			addRuleToCalculationMap(i, r, out)
+		}
+	}
+
+	// order of squashing by protocol is important
+	// only for ther first element ALL, it must be done first
+	protocolOrders := []mgmProto.FirewallRuleProtocol{
+		mgmProto.FirewallRule_ALL,
+		mgmProto.FirewallRule_ICMP,
+		mgmProto.FirewallRule_TCP,
+		mgmProto.FirewallRule_UDP,
+	}
+
+	// trace which type of protocols was squashed
+	squashedRules := []*mgmProto.FirewallRule{}
+	squashedProtocols := map[mgmProto.FirewallRuleProtocol]struct{}{}
+	squash := func(matches protoMatch, direction mgmProto.FirewallRuleDirection) {
+		for _, protocol := range protocolOrders {
+			if ipset, ok := matches[protocol]; !ok || len(ipset) != totalIPs || len(ipset) < 2 {
+				// don't squash if :
+				// 1. Rules not cover all peers in the network
+				// 2. Rules cover only one peer in the network.
+				continue
+			}
+
+			// add special rule 0.0.0.0 which allows all IP's in our firewall implementations
+			squashedRules = append(squashedRules, &mgmProto.FirewallRule{
+				PeerIP:    "0.0.0.0",
+				Direction: direction,
+				Action:    mgmProto.FirewallRule_ACCEPT,
+				Protocol:  protocol,
+			})
+			squashedProtocols[protocol] = struct{}{}
+
+			if protocol == mgmProto.FirewallRule_ALL {
+				// if we have ALL traffic type squashed rule
+				// it allows all other type of traffic, so we can stop processing
+				break
+			}
+		}
+	}
+
+	squash(in, mgmProto.FirewallRule_IN)
+	squash(out, mgmProto.FirewallRule_OUT)
+
+	// if all protocol was squashed everything is allow and we can ignore all other rules
+	if _, ok := squashedProtocols[mgmProto.FirewallRule_ALL]; ok {
+		return squashedRules, squashedProtocols
+	}
+
+	if len(squashedRules) == 0 {
+		return networkMap.FirewallRules, squashedProtocols
+	}
+
+	var rules []*mgmProto.FirewallRule
+	// filter out rules which was squashed from final list
+	// if we also have other not squashed rules.
+	for i, r := range networkMap.FirewallRules {
+		if _, ok := squashedProtocols[r.Protocol]; ok {
+			if m, ok := in[r.Protocol]; ok && m[r.PeerIP] == i {
+				continue
+			} else if m, ok := out[r.Protocol]; ok && m[r.PeerIP] == i {
+				continue
+			}
+		}
+		rules = append(rules, r)
+	}
+
+	return append(rules, squashedRules...), squashedProtocols
+}
+
+func convertToFirewallProtocol(protocol mgmProto.FirewallRuleProtocol) firewall.Protocol {
+	switch protocol {
+	case mgmProto.FirewallRule_TCP:
+		return firewall.ProtocolTCP
+	case mgmProto.FirewallRule_UDP:
+		return firewall.ProtocolUDP
+	case mgmProto.FirewallRule_ICMP:
+		return firewall.ProtocolICMP
+	case mgmProto.FirewallRule_ALL:
+		return firewall.ProtocolALL
+	default:
+		return firewall.ProtocolUnknown
+	}
+}
+
+func shouldSkipInvertedRule(protocol firewall.Protocol, port *firewall.Port) bool {
+	return protocol == firewall.ProtocolALL || protocol == firewall.ProtocolICMP || port == nil
+}
+
+func convertFirewallAction(action mgmProto.FirewallRuleAction) firewall.Action {
+	switch action {
+	case mgmProto.FirewallRule_ACCEPT:
+		return firewall.ActionAccept
+	case mgmProto.FirewallRule_DROP:
+		return firewall.ActionDrop
+	default:
+		return firewall.ActionUnknown
+	}
+}

client/internal/acl/manager_create.go

@@ -0,0 +1,27 @@
+//go:build !linux
+
+package acl
+
+import (
+	"fmt"
+	"runtime"
+
+	"github.com/netbirdio/netbird/client/firewall"
+	"github.com/netbirdio/netbird/client/firewall/uspfilter"
+)
+
+// Create creates a firewall manager instance
+func Create(iface iFaceMapper) (manager *DefaultManager, err error) {
+	if iface.IsUserspaceBind() {
+		// use userspace packet filtering firewall
+		fm, err := uspfilter.Create(iface)
+		if err != nil {
+			return nil, err
+		}
+		return &DefaultManager{
+			manager:    fm,
+			rulesPairs: make(map[string][]firewall.Rule),
+		}, nil
+	}
+	return nil, fmt.Errorf("not implemented for this OS: %s", runtime.GOOS)
+}

client/internal/acl/manager_create_linux.go

@@ -0,0 +1,36 @@
+package acl
+
+import (
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/firewall"
+	"github.com/netbirdio/netbird/client/firewall/iptables"
+	"github.com/netbirdio/netbird/client/firewall/nftables"
+	"github.com/netbirdio/netbird/client/firewall/uspfilter"
+)
+
+// Create creates a firewall manager instance for the Linux
+func Create(iface iFaceMapper) (manager *DefaultManager, err error) {
+	var fm firewall.Manager
+	if iface.IsUserspaceBind() {
+		// use userspace packet filtering firewall
+		if fm, err = uspfilter.Create(iface); err != nil {
+			log.Debugf("failed to create userspace filtering firewall: %s", err)
+			return nil, err
+		}
+	} else {
+		if fm, err = nftables.Create(iface.Name()); err != nil {
+			log.Debugf("failed to create nftables manager: %s", err)
+			// fallback to iptables
+			if fm, err = iptables.Create(iface.Name()); err != nil {
+				log.Errorf("failed to create iptables manager: %s", err)
+				return nil, err
+			}
+		}
+	}
+
+	return &DefaultManager{
+		manager:    fm,
+		rulesPairs: make(map[string][]firewall.Rule),
+	}, nil
+}

client/internal/acl/manager_test.go

@@ -0,0 +1,330 @@
+package acl
+
+import (
+	"testing"
+
+	"github.com/golang/mock/gomock"
+
+	"github.com/netbirdio/netbird/client/internal/acl/mocks"
+	mgmProto "github.com/netbirdio/netbird/management/proto"
+)
+
+func TestDefaultManager(t *testing.T) {
+	networkMap := &mgmProto.NetworkMap{
+		FirewallRules: []*mgmProto.FirewallRule{
+			{
+				PeerIP:    "10.93.0.1",
+				Direction: mgmProto.FirewallRule_OUT,
+				Action:    mgmProto.FirewallRule_ACCEPT,
+				Protocol:  mgmProto.FirewallRule_TCP,
+				Port:      "80",
+			},
+			{
+				PeerIP:    "10.93.0.2",
+				Direction: mgmProto.FirewallRule_OUT,
+				Action:    mgmProto.FirewallRule_DROP,
+				Protocol:  mgmProto.FirewallRule_UDP,
+				Port:      "53",
+			},
+		},
+	}
+
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+
+	iface := mocks.NewMockIFaceMapper(ctrl)
+	iface.EXPECT().IsUserspaceBind().Return(true)
+	// iface.EXPECT().Name().Return("lo")
+	iface.EXPECT().SetFiltering(gomock.Any())
+
+	// we receive one rule from the management so for testing purposes ignore it
+	acl, err := Create(iface)
+	if err != nil {
+		t.Errorf("create ACL manager: %v", err)
+		return
+	}
+	defer acl.Stop()
+
+	t.Run("apply firewall rules", func(t *testing.T) {
+		acl.ApplyFiltering(networkMap)
+
+		if len(acl.rulesPairs) != 2 {
+			t.Errorf("firewall rules not applied: %v", acl.rulesPairs)
+			return
+		}
+	})
+
+	t.Run("add extra rules", func(t *testing.T) {
+		// remove first rule
+		networkMap.FirewallRules = networkMap.FirewallRules[1:]
+		networkMap.FirewallRules = append(
+			networkMap.FirewallRules,
+			&mgmProto.FirewallRule{
+				PeerIP:    "10.93.0.3",
+				Direction: mgmProto.FirewallRule_IN,
+				Action:    mgmProto.FirewallRule_DROP,
+				Protocol:  mgmProto.FirewallRule_ICMP,
+			},
+		)
+
+		existedRulesID := map[string]struct{}{}
+		for id := range acl.rulesPairs {
+			existedRulesID[id] = struct{}{}
+		}
+
+		acl.ApplyFiltering(networkMap)
+
+		// we should have one old and one new rule in the existed rules
+		if len(acl.rulesPairs) != 2 {
+			t.Errorf("firewall rules not applied")
+			return
+		}
+
+		// check that old rules was removed
+		for id := range existedRulesID {
+			if _, ok := acl.rulesPairs[id]; ok {
+				t.Errorf("old rule was not removed")
+				return
+			}
+		}
+	})
+
+	t.Run("handle default rules", func(t *testing.T) {
+		networkMap.FirewallRules = networkMap.FirewallRules[:0]
+
+		networkMap.FirewallRulesIsEmpty = true
+		if acl.ApplyFiltering(networkMap); len(acl.rulesPairs) != 0 {
+			t.Errorf("rules should be empty if FirewallRulesIsEmpty is set, got: %v", len(acl.rulesPairs))
+			return
+		}
+
+		networkMap.FirewallRulesIsEmpty = false
+		acl.ApplyFiltering(networkMap)
+		if len(acl.rulesPairs) != 2 {
+			t.Errorf("rules should contain 2 rules if FirewallRulesIsEmpty is not set, got: %v", len(acl.rulesPairs))
+			return
+		}
+	})
+}
+
+func TestDefaultManagerSquashRules(t *testing.T) {
+	networkMap := &mgmProto.NetworkMap{
+		RemotePeers: []*mgmProto.RemotePeerConfig{
+			{AllowedIps: []string{"10.93.0.1"}},
+			{AllowedIps: []string{"10.93.0.2"}},
+			{AllowedIps: []string{"10.93.0.3"}},
+			{AllowedIps: []string{"10.93.0.4"}},
+		},
+		FirewallRules: []*mgmProto.FirewallRule{
+			{
+				PeerIP:    "10.93.0.1",
+				Direction: mgmProto.FirewallRule_IN,
+				Action:    mgmProto.FirewallRule_ACCEPT,
+				Protocol:  mgmProto.FirewallRule_ALL,
+			},
+			{
+				PeerIP:    "10.93.0.2",
+				Direction: mgmProto.FirewallRule_IN,
+				Action:    mgmProto.FirewallRule_ACCEPT,
+				Protocol:  mgmProto.FirewallRule_ALL,
+			},
+			{
+				PeerIP:    "10.93.0.3",
+				Direction: mgmProto.FirewallRule_IN,
+				Action:    mgmProto.FirewallRule_ACCEPT,
+				Protocol:  mgmProto.FirewallRule_ALL,
+			},
+			{
+				PeerIP:    "10.93.0.4",
+				Direction: mgmProto.FirewallRule_IN,
+				Action:    mgmProto.FirewallRule_ACCEPT,
+				Protocol:  mgmProto.FirewallRule_ALL,
+			},
+			{
+				PeerIP:    "10.93.0.1",
+				Direction: mgmProto.FirewallRule_OUT,
+				Action:    mgmProto.FirewallRule_ACCEPT,
+				Protocol:  mgmProto.FirewallRule_ALL,
+			},
+			{
+				PeerIP:    "10.93.0.2",
+				Direction: mgmProto.FirewallRule_OUT,
+				Action:    mgmProto.FirewallRule_ACCEPT,
+				Protocol:  mgmProto.FirewallRule_ALL,
+			},
+			{
+				PeerIP:    "10.93.0.3",
+				Direction: mgmProto.FirewallRule_OUT,
+				Action:    mgmProto.FirewallRule_ACCEPT,
+				Protocol:  mgmProto.FirewallRule_ALL,
+			},
+			{
+				PeerIP:    "10.93.0.4",
+				Direction: mgmProto.FirewallRule_OUT,
+				Action:    mgmProto.FirewallRule_ACCEPT,
+				Protocol:  mgmProto.FirewallRule_ALL,
+			},
+		},
+	}
+
+	manager := &DefaultManager{}
+	rules, _ := manager.squashAcceptRules(networkMap)
+	if len(rules) != 2 {
+		t.Errorf("rules should contain 2, got: %v", rules)
+		return
+	}
+
+	r := rules[0]
+	if r.PeerIP != "0.0.0.0" {
+		t.Errorf("IP should be 0.0.0.0, got: %v", r.PeerIP)
+		return
+	} else if r.Direction != mgmProto.FirewallRule_IN {
+		t.Errorf("direction should be IN, got: %v", r.Direction)
+		return
+	} else if r.Protocol != mgmProto.FirewallRule_ALL {
+		t.Errorf("protocol should be ALL, got: %v", r.Protocol)
+		return
+	} else if r.Action != mgmProto.FirewallRule_ACCEPT {
+		t.Errorf("action should be ACCEPT, got: %v", r.Action)
+		return
+	}
+
+	r = rules[1]
+	if r.PeerIP != "0.0.0.0" {
+		t.Errorf("IP should be 0.0.0.0, got: %v", r.PeerIP)
+		return
+	} else if r.Direction != mgmProto.FirewallRule_OUT {
+		t.Errorf("direction should be OUT, got: %v", r.Direction)
+		return
+	} else if r.Protocol != mgmProto.FirewallRule_ALL {
+		t.Errorf("protocol should be ALL, got: %v", r.Protocol)
+		return
+	} else if r.Action != mgmProto.FirewallRule_ACCEPT {
+		t.Errorf("action should be ACCEPT, got: %v", r.Action)
+		return
+	}
+}
+
+func TestDefaultManagerSquashRulesNoAffect(t *testing.T) {
+	networkMap := &mgmProto.NetworkMap{
+		RemotePeers: []*mgmProto.RemotePeerConfig{
+			{AllowedIps: []string{"10.93.0.1"}},
+			{AllowedIps: []string{"10.93.0.2"}},
+			{AllowedIps: []string{"10.93.0.3"}},
+			{AllowedIps: []string{"10.93.0.4"}},
+		},
+		FirewallRules: []*mgmProto.FirewallRule{
+			{
+				PeerIP:    "10.93.0.1",
+				Direction: mgmProto.FirewallRule_IN,
+				Action:    mgmProto.FirewallRule_ACCEPT,
+				Protocol:  mgmProto.FirewallRule_ALL,
+			},
+			{
+				PeerIP:    "10.93.0.2",
+				Direction: mgmProto.FirewallRule_IN,
+				Action:    mgmProto.FirewallRule_ACCEPT,
+				Protocol:  mgmProto.FirewallRule_ALL,
+			},
+			{
+				PeerIP:    "10.93.0.3",
+				Direction: mgmProto.FirewallRule_IN,
+				Action:    mgmProto.FirewallRule_ACCEPT,
+				Protocol:  mgmProto.FirewallRule_ALL,
+			},
+			{
+				PeerIP:    "10.93.0.4",
+				Direction: mgmProto.FirewallRule_IN,
+				Action:    mgmProto.FirewallRule_ACCEPT,
+				Protocol:  mgmProto.FirewallRule_TCP,
+			},
+			{
+				PeerIP:    "10.93.0.1",
+				Direction: mgmProto.FirewallRule_OUT,
+				Action:    mgmProto.FirewallRule_ACCEPT,
+				Protocol:  mgmProto.FirewallRule_ALL,
+			},
+			{
+				PeerIP:    "10.93.0.2",
+				Direction: mgmProto.FirewallRule_OUT,
+				Action:    mgmProto.FirewallRule_ACCEPT,
+				Protocol:  mgmProto.FirewallRule_ALL,
+			},
+			{
+				PeerIP:    "10.93.0.3",
+				Direction: mgmProto.FirewallRule_OUT,
+				Action:    mgmProto.FirewallRule_ACCEPT,
+				Protocol:  mgmProto.FirewallRule_ALL,
+			},
+			{
+				PeerIP:    "10.93.0.4",
+				Direction: mgmProto.FirewallRule_OUT,
+				Action:    mgmProto.FirewallRule_ACCEPT,
+				Protocol:  mgmProto.FirewallRule_UDP,
+			},
+		},
+	}
+
+	manager := &DefaultManager{}
+	if rules, _ := manager.squashAcceptRules(networkMap); len(rules) != len(networkMap.FirewallRules) {
+		t.Errorf("we should got same amount of rules as intput, got %v", len(rules))
+	}
+}
+
+func TestDefaultManagerEnableSSHRules(t *testing.T) {
+	networkMap := &mgmProto.NetworkMap{
+		PeerConfig: &mgmProto.PeerConfig{
+			SshConfig: &mgmProto.SSHConfig{
+				SshEnabled: true,
+			},
+		},
+		RemotePeers: []*mgmProto.RemotePeerConfig{
+			{AllowedIps: []string{"10.93.0.1"}},
+			{AllowedIps: []string{"10.93.0.2"}},
+			{AllowedIps: []string{"10.93.0.3"}},
+		},
+		FirewallRules: []*mgmProto.FirewallRule{
+			{
+				PeerIP:    "10.93.0.1",
+				Direction: mgmProto.FirewallRule_IN,
+				Action:    mgmProto.FirewallRule_ACCEPT,
+				Protocol:  mgmProto.FirewallRule_TCP,
+			},
+			{
+				PeerIP:    "10.93.0.2",
+				Direction: mgmProto.FirewallRule_IN,
+				Action:    mgmProto.FirewallRule_ACCEPT,
+				Protocol:  mgmProto.FirewallRule_TCP,
+			},
+			{
+				PeerIP:    "10.93.0.3",
+				Direction: mgmProto.FirewallRule_OUT,
+				Action:    mgmProto.FirewallRule_ACCEPT,
+				Protocol:  mgmProto.FirewallRule_UDP,
+			},
+		},
+	}
+
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+
+	iface := mocks.NewMockIFaceMapper(ctrl)
+	iface.EXPECT().IsUserspaceBind().Return(true)
+	// iface.EXPECT().Name().Return("lo")
+	iface.EXPECT().SetFiltering(gomock.Any())
+
+	// we receive one rule from the management so for testing purposes ignore it
+	acl, err := Create(iface)
+	if err != nil {
+		t.Errorf("create ACL manager: %v", err)
+		return
+	}
+	defer acl.Stop()
+
+	acl.ApplyFiltering(networkMap)
+
+	if len(acl.rulesPairs) != 4 {
+		t.Errorf("expect 4 rules (last must be SSH), got: %d", len(acl.rulesPairs))
+		return
+	}
+}

client/internal/acl/mocks/iface_mapper.go

@@ -0,0 +1,77 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/netbirdio/netbird/client/internal/acl (interfaces: IFaceMapper)
+
+// Package mocks is a generated GoMock package.
+package mocks
+
+import (
+	reflect "reflect"
+
+	gomock "github.com/golang/mock/gomock"
+	iface "github.com/netbirdio/netbird/iface"
+)
+
+// MockIFaceMapper is a mock of IFaceMapper interface.
+type MockIFaceMapper struct {
+	ctrl     *gomock.Controller
+	recorder *MockIFaceMapperMockRecorder
+}
+
+// MockIFaceMapperMockRecorder is the mock recorder for MockIFaceMapper.
+type MockIFaceMapperMockRecorder struct {
+	mock *MockIFaceMapper
+}
+
+// NewMockIFaceMapper creates a new mock instance.
+func NewMockIFaceMapper(ctrl *gomock.Controller) *MockIFaceMapper {
+	mock := &MockIFaceMapper{ctrl: ctrl}
+	mock.recorder = &MockIFaceMapperMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockIFaceMapper) EXPECT() *MockIFaceMapperMockRecorder {
+	return m.recorder
+}
+
+// IsUserspaceBind mocks base method.
+func (m *MockIFaceMapper) IsUserspaceBind() bool {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "IsUserspaceBind")
+	ret0, _ := ret[0].(bool)
+	return ret0
+}
+
+// IsUserspaceBind indicates an expected call of IsUserspaceBind.
+func (mr *MockIFaceMapperMockRecorder) IsUserspaceBind() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IsUserspaceBind", reflect.TypeOf((*MockIFaceMapper)(nil).IsUserspaceBind))
+}
+
+// Name mocks base method.
+func (m *MockIFaceMapper) Name() string {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Name")
+	ret0, _ := ret[0].(string)
+	return ret0
+}
+
+// Name indicates an expected call of Name.
+func (mr *MockIFaceMapperMockRecorder) Name() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Name", reflect.TypeOf((*MockIFaceMapper)(nil).Name))
+}
+
+// SetFiltering mocks base method.
+func (m *MockIFaceMapper) SetFiltering(arg0 iface.PacketFilter) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "SetFiltering", arg0)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// SetFiltering indicates an expected call of SetFiltering.
+func (mr *MockIFaceMapperMockRecorder) SetFiltering(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetFiltering", reflect.TypeOf((*MockIFaceMapper)(nil).SetFiltering), arg0)
+}

client/internal/connect.go

@@ -13,6 +13,7 @@ import (
 	gstatus "google.golang.org/grpc/status"
 
 	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/client/internal/routemanager"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/netbirdio/netbird/client/ssh"
 	"github.com/netbirdio/netbird/client/system"
@@ -23,7 +24,7 @@ import (
 )
 
 // RunClient with main logic.
-func RunClient(ctx context.Context, config *Config, statusRecorder *peer.Status, tunAdapter iface.TunAdapter, iFaceDiscover stdnet.ExternalIFaceDiscover) error {
+func RunClient(ctx context.Context, config *Config, statusRecorder *peer.Status, tunAdapter iface.TunAdapter, iFaceDiscover stdnet.ExternalIFaceDiscover, routeListener routemanager.RouteListener) error {
 	backOff := &backoff.ExponentialBackOff{
 		InitialInterval:     time.Second,
 		RandomizationFactor: 1,
@@ -150,10 +151,11 @@ func RunClient(ctx context.Context, config *Config, statusRecorder *peer.Status,
 			return wrapErr(err)
 		}
 
-		md, err := newMobileDependency(tunAdapter, iFaceDiscover, mgmClient)
-		if err != nil {
-			log.Error(err)
-			return wrapErr(err)
+		// in case of non Android os these variables will be nil
+		md := MobileDependency{
+			TunAdapter:    tunAdapter,
+			IFaceDiscover: iFaceDiscover,
+			RouteListener: routeListener,
 		}
 
 		engine := NewEngine(engineCtx, cancel, signalClient, mgmClient, engineConfig, md, statusRecorder)

client/internal/dns/file_linux.go

@@ -32,6 +32,10 @@ func newFileConfigurator() (hostManager, error) {
 	return &fileConfigurator{}, nil
 }
 
+func (f *fileConfigurator) supportCustomPort() bool {
+	return false
+}
+
 func (f *fileConfigurator) applyDNSConfig(config hostDNSConfig) error {
 	backupFileExist := false
 	_, err := os.Stat(fileDefaultResolvConfBackupLocation)

client/internal/dns/host.go

@@ -10,6 +10,7 @@ import (
 type hostManager interface {
 	applyDNSConfig(config hostDNSConfig) error
 	restoreHostDNS() error
+	supportCustomPort() bool
 }
 
 type hostDNSConfig struct {
@@ -26,8 +27,9 @@ type domainConfig struct {
 }
 
 type mockHostConfigurator struct {
-	applyDNSConfigFunc func(config hostDNSConfig) error
-	restoreHostDNSFunc func() error
+	applyDNSConfigFunc    func(config hostDNSConfig) error
+	restoreHostDNSFunc    func() error
+	supportCustomPortFunc func() bool
 }
 
 func (m *mockHostConfigurator) applyDNSConfig(config hostDNSConfig) error {
@@ -44,10 +46,18 @@ func (m *mockHostConfigurator) restoreHostDNS() error {
 	return fmt.Errorf("method restoreHostDNS is not implemented")
 }
 
+func (m *mockHostConfigurator) supportCustomPort() bool {
+	if m.supportCustomPortFunc != nil {
+		return m.supportCustomPortFunc()
+	}
+	return false
+}
+
 func newNoopHostMocker() hostManager {
 	return &mockHostConfigurator{
-		applyDNSConfigFunc: func(config hostDNSConfig) error { return nil },
-		restoreHostDNSFunc: func() error { return nil },
+		applyDNSConfigFunc:    func(config hostDNSConfig) error { return nil },
+		restoreHostDNSFunc:    func() error { return nil },
+		supportCustomPortFunc: func() bool { return true },
 	}
 }
 

client/internal/dns/host_darwin.go

@@ -8,8 +8,9 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/netbirdio/netbird/iface"
 	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/iface"
 )
 
 const (
@@ -39,6 +40,10 @@ func newHostManager(_ *iface.WGIface) (hostManager, error) {
 	}, nil
 }
 
+func (s *systemConfigurator) supportCustomPort() bool {
+	return true
+}
+
 func (s *systemConfigurator) applyDNSConfig(config hostDNSConfig) error {
 	var err error
 

client/internal/dns/host_windows.go

@@ -4,9 +4,10 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/netbirdio/netbird/iface"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/sys/windows/registry"
+
+	"github.com/netbirdio/netbird/iface"
 )
 
 const (
@@ -42,6 +43,10 @@ func newHostManager(wgInterface *iface.WGIface) (hostManager, error) {
 	}, nil
 }
 
+func (s *registryConfigurator) supportCustomPort() bool {
+	return false
+}
+
 func (r *registryConfigurator) applyDNSConfig(config hostDNSConfig) error {
 	var err error
 	if config.routeAll {

client/internal/dns/local.go

@@ -2,10 +2,12 @@ package dns
 
 import (
 	"fmt"
-	"github.com/miekg/dns"
-	nbdns "github.com/netbirdio/netbird/dns"
-	log "github.com/sirupsen/logrus"
 	"sync"
+
+	"github.com/miekg/dns"
+	log "github.com/sirupsen/logrus"
+
+	nbdns "github.com/netbirdio/netbird/dns"
 )
 
 type registrationMap map[string]struct{}
@@ -15,6 +17,9 @@ type localResolver struct {
 	records       sync.Map
 }
 
+func (d *localResolver) stop() {
+}
+
 // ServeDNS handles a DNS request
 func (d *localResolver) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	log.Tracef("received question: %#v\n", r.Question[0])

client/internal/dns/network_manager_linux.go

@@ -11,8 +11,9 @@ import (
 	"github.com/godbus/dbus/v5"
 	"github.com/hashicorp/go-version"
 	"github.com/miekg/dns"
-	"github.com/netbirdio/netbird/iface"
 	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/iface"
 )
 
 const (
@@ -88,6 +89,10 @@ func newNetworkManagerDbusConfigurator(wgInterface *iface.WGIface) (hostManager,
 	}, nil
 }
 
+func (n *networkManagerDbusConfigurator) supportCustomPort() bool {
+	return false
+}
+
 func (n *networkManagerDbusConfigurator) applyDNSConfig(config hostDNSConfig) error {
 	connSettings, configVersion, err := n.getAppliedConnectionSettings()
 	if err != nil {

client/internal/dns/resolvconf_linux.go

@@ -5,8 +5,9 @@ import (
 	"os/exec"
 	"strings"
 
-	"github.com/netbirdio/netbird/iface"
 	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/iface"
 )
 
 const resolvconfCommand = "resolvconf"
@@ -21,6 +22,10 @@ func newResolvConfConfigurator(wgInterface *iface.WGIface) (hostManager, error)
 	}, nil
 }
 
+func (r *resolvconf) supportCustomPort() bool {
+	return false
+}
+
 func (r *resolvconf) applyDNSConfig(config hostDNSConfig) error {
 	var err error
 	if !config.routeAll {

client/internal/dns/server_nonandroid.go

@@ -13,9 +13,10 @@ import (
 
 	"github.com/miekg/dns"
 	"github.com/mitchellh/hashstructure/v2"
+	log "github.com/sirupsen/logrus"
+
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/iface"
-	log "github.com/sirupsen/logrus"
 )
 
 const (
@@ -25,15 +26,16 @@ const (
 	customIP    = "127.0.0.153"
 )
 
+type registeredHandlerMap map[string]handlerWithStop
+
 // DefaultServer dns server object
 type DefaultServer struct {
 	ctx                context.Context
 	ctxCancel          context.CancelFunc
-	upstreamCtxCancel  context.CancelFunc
 	mux                sync.Mutex
 	server             *dns.Server
 	dnsMux             *dns.ServeMux
-	dnsMuxMap          registrationMap
+	dnsMuxMap          registeredHandlerMap
 	localResolver      *localResolver
 	wgInterface        *iface.WGIface
 	hostManager        hostManager
@@ -46,9 +48,14 @@ type DefaultServer struct {
 	customAddress      *netip.AddrPort
 }
 
+type handlerWithStop interface {
+	dns.Handler
+	stop()
+}
+
 type muxUpdate struct {
 	domain  string
-	handler dns.Handler
+	handler handlerWithStop
 }
 
 // NewDefaultServer returns a new dns server
@@ -78,7 +85,7 @@ func NewDefaultServer(ctx context.Context, wgInterface *iface.WGIface, customAdd
 		ctxCancel: stop,
 		server:    dnsServer,
 		dnsMux:    mux,
-		dnsMuxMap: make(registrationMap),
+		dnsMuxMap: make(registeredHandlerMap),
 		localResolver: &localResolver{
 			registeredMap: make(registrationMap),
 		},
@@ -254,7 +261,14 @@ func (s *DefaultServer) applyConfiguration(update nbdns.Config) error {
 	s.updateLocalResolver(localRecords)
 	s.currentConfig = dnsConfigToHostDNSConfig(update, s.runtimeIP, s.runtimePort)
 
-	if err = s.hostManager.applyDNSConfig(s.currentConfig); err != nil {
+	hostUpdate := s.currentConfig
+	if s.runtimePort != defaultPort && !s.hostManager.supportCustomPort() {
+		log.Warnf("the DNS manager of this peer doesn't support custom port. Disabling primary DNS setup. " +
+			"Learn more at: https://netbird.io/docs/how-to-guides/nameservers#local-resolver")
+		hostUpdate.routeAll = false
+	}
+
+	if err = s.hostManager.applyDNSConfig(hostUpdate); err != nil {
 		log.Error(err)
 	}
 
@@ -289,10 +303,6 @@ func (s *DefaultServer) buildLocalHandlerUpdate(customZones []nbdns.CustomZone)
 }
 
 func (s *DefaultServer) buildUpstreamHandlerUpdate(nameServerGroups []*nbdns.NameServerGroup) ([]muxUpdate, error) {
-	// clean up the previous upstream resolver
-	if s.upstreamCtxCancel != nil {
-		s.upstreamCtxCancel()
-	}
 
 	var muxUpdates []muxUpdate
 	for _, nsGroup := range nameServerGroups {
@@ -301,10 +311,7 @@ func (s *DefaultServer) buildUpstreamHandlerUpdate(nameServerGroups []*nbdns.Nam
 			continue
 		}
 
-		var ctx context.Context
-		ctx, s.upstreamCtxCancel = context.WithCancel(s.ctx)
-
-		handler := newUpstreamResolver(ctx)
+		handler := newUpstreamResolver(s.ctx)
 		for _, ns := range nsGroup.NameServers {
 			if ns.NSType != nbdns.UDPNameServerType {
 				log.Warnf("skiping nameserver %s with type %s, this peer supports only %s",
@@ -315,6 +322,7 @@ func (s *DefaultServer) buildUpstreamHandlerUpdate(nameServerGroups []*nbdns.Nam
 		}
 
 		if len(handler.upstreamServers) == 0 {
+			handler.stop()
 			log.Errorf("received a nameserver group with an invalid nameserver list")
 			continue
 		}
@@ -338,11 +346,13 @@ func (s *DefaultServer) buildUpstreamHandlerUpdate(nameServerGroups []*nbdns.Nam
 		}
 
 		if len(nsGroup.Domains) == 0 {
+			handler.stop()
 			return nil, fmt.Errorf("received a non primary nameserver group with an empty domain list")
 		}
 
 		for _, domain := range nsGroup.Domains {
 			if domain == "" {
+				handler.stop()
 				return nil, fmt.Errorf("received a nameserver group with an empty domain element")
 			}
 			muxUpdates = append(muxUpdates, muxUpdate{
@@ -355,16 +365,20 @@ func (s *DefaultServer) buildUpstreamHandlerUpdate(nameServerGroups []*nbdns.Nam
 }
 
 func (s *DefaultServer) updateMux(muxUpdates []muxUpdate) {
-	muxUpdateMap := make(registrationMap)
+	muxUpdateMap := make(registeredHandlerMap)
 
 	for _, update := range muxUpdates {
 		s.registerMux(update.domain, update.handler)
-		muxUpdateMap[update.domain] = struct{}{}
+		muxUpdateMap[update.domain] = update.handler
+		if existingHandler, ok := s.dnsMuxMap[update.domain]; ok {
+			existingHandler.stop()
+		}
 	}
 
-	for key := range s.dnsMuxMap {
+	for key, existingHandler := range s.dnsMuxMap {
 		_, found := muxUpdateMap[key]
 		if !found {
+			existingHandler.stop()
 			s.deregisterMux(key)
 		}
 	}

client/internal/dns/server_test.go

@@ -41,21 +41,23 @@ func TestUpdateDNSServer(t *testing.T) {
 		},
 	}
 
+	dummyHandler := &localResolver{}
+
 	testCases := []struct {
 		name                string
-		initUpstreamMap     registrationMap
+		initUpstreamMap     registeredHandlerMap
 		initLocalMap        registrationMap
 		initSerial          uint64
 		inputSerial         uint64
 		inputUpdate         nbdns.Config
 		shouldFail          bool
-		expectedUpstreamMap registrationMap
+		expectedUpstreamMap registeredHandlerMap
 		expectedLocalMap    registrationMap
 	}{
 		{
 			name:            "Initial Config Should Succeed",
 			initLocalMap:    make(registrationMap),
-			initUpstreamMap: make(registrationMap),
+			initUpstreamMap: make(registeredHandlerMap),
 			initSerial:      0,
 			inputSerial:     1,
 			inputUpdate: nbdns.Config{
@@ -77,13 +79,13 @@ func TestUpdateDNSServer(t *testing.T) {
 					},
 				},
 			},
-			expectedUpstreamMap: registrationMap{"netbird.io": struct{}{}, "netbird.cloud": struct{}{}, nbdns.RootZone: struct{}{}},
+			expectedUpstreamMap: registeredHandlerMap{"netbird.io": dummyHandler, "netbird.cloud": dummyHandler, nbdns.RootZone: dummyHandler},
 			expectedLocalMap:    registrationMap{buildRecordKey(zoneRecords[0].Name, 1, 1): struct{}{}},
 		},
 		{
 			name:            "New Config Should Succeed",
 			initLocalMap:    registrationMap{"netbird.cloud": struct{}{}},
-			initUpstreamMap: registrationMap{buildRecordKey(zoneRecords[0].Name, 1, 1): struct{}{}},
+			initUpstreamMap: registeredHandlerMap{buildRecordKey(zoneRecords[0].Name, 1, 1): dummyHandler},
 			initSerial:      0,
 			inputSerial:     1,
 			inputUpdate: nbdns.Config{
@@ -101,13 +103,13 @@ func TestUpdateDNSServer(t *testing.T) {
 					},
 				},
 			},
-			expectedUpstreamMap: registrationMap{"netbird.io": struct{}{}, "netbird.cloud": struct{}{}},
+			expectedUpstreamMap: registeredHandlerMap{"netbird.io": dummyHandler, "netbird.cloud": dummyHandler},
 			expectedLocalMap:    registrationMap{buildRecordKey(zoneRecords[0].Name, 1, 1): struct{}{}},
 		},
 		{
 			name:            "Smaller Config Serial Should Be Skipped",
 			initLocalMap:    make(registrationMap),
-			initUpstreamMap: make(registrationMap),
+			initUpstreamMap: make(registeredHandlerMap),
 			initSerial:      2,
 			inputSerial:     1,
 			shouldFail:      true,
@@ -115,7 +117,7 @@ func TestUpdateDNSServer(t *testing.T) {
 		{
 			name:            "Empty NS Group Domain Or Not Primary Element Should Fail",
 			initLocalMap:    make(registrationMap),
-			initUpstreamMap: make(registrationMap),
+			initUpstreamMap: make(registeredHandlerMap),
 			initSerial:      0,
 			inputSerial:     1,
 			inputUpdate: nbdns.Config{
@@ -137,7 +139,7 @@ func TestUpdateDNSServer(t *testing.T) {
 		{
 			name:            "Invalid NS Group Nameservers list Should Fail",
 			initLocalMap:    make(registrationMap),
-			initUpstreamMap: make(registrationMap),
+			initUpstreamMap: make(registeredHandlerMap),
 			initSerial:      0,
 			inputSerial:     1,
 			inputUpdate: nbdns.Config{
@@ -159,7 +161,7 @@ func TestUpdateDNSServer(t *testing.T) {
 		{
 			name:            "Invalid Custom Zone Records list Should Fail",
 			initLocalMap:    make(registrationMap),
-			initUpstreamMap: make(registrationMap),
+			initUpstreamMap: make(registeredHandlerMap),
 			initSerial:      0,
 			inputSerial:     1,
 			inputUpdate: nbdns.Config{
@@ -181,21 +183,21 @@ func TestUpdateDNSServer(t *testing.T) {
 		{
 			name:                "Empty Config Should Succeed and Clean Maps",
 			initLocalMap:        registrationMap{"netbird.cloud": struct{}{}},
-			initUpstreamMap:     registrationMap{zoneRecords[0].Name: struct{}{}},
+			initUpstreamMap:     registeredHandlerMap{zoneRecords[0].Name: dummyHandler},
 			initSerial:          0,
 			inputSerial:         1,
 			inputUpdate:         nbdns.Config{ServiceEnable: true},
-			expectedUpstreamMap: make(registrationMap),
+			expectedUpstreamMap: make(registeredHandlerMap),
 			expectedLocalMap:    make(registrationMap),
 		},
 		{
 			name:                "Disabled Service Should clean map",
 			initLocalMap:        registrationMap{"netbird.cloud": struct{}{}},
-			initUpstreamMap:     registrationMap{zoneRecords[0].Name: struct{}{}},
+			initUpstreamMap:     registeredHandlerMap{zoneRecords[0].Name: dummyHandler},
 			initSerial:          0,
 			inputSerial:         1,
 			inputUpdate:         nbdns.Config{ServiceEnable: false},
-			expectedUpstreamMap: make(registrationMap),
+			expectedUpstreamMap: make(registeredHandlerMap),
 			expectedLocalMap:    make(registrationMap),
 		},
 	}
@@ -206,7 +208,7 @@ func TestUpdateDNSServer(t *testing.T) {
 			if err != nil {
 				t.Fatal(err)
 			}
-			wgIface, err := iface.NewWGIFace(fmt.Sprintf("utun230%d", n), fmt.Sprintf("100.66.100.%d/32", n+1), iface.DefaultMTU, nil, nil, newNet)
+			wgIface, err := iface.NewWGIFace(fmt.Sprintf("utun230%d", n), fmt.Sprintf("100.66.100.%d/32", n+1), iface.DefaultMTU, nil, newNet)
 			if err != nil {
 				t.Fatal(err)
 			}
@@ -431,7 +433,7 @@ func getDefaultServerWithNoHostManager(t *testing.T, addrPort string) *DefaultSe
 		ctxCancel: cancel,
 		server:    dnsServer,
 		dnsMux:    mux,
-		dnsMuxMap: make(registrationMap),
+		dnsMuxMap: make(registeredHandlerMap),
 		localResolver: &localResolver{
 			registeredMap: make(registrationMap),
 		},

client/internal/dns/systemd_linux.go

@@ -9,10 +9,11 @@ import (
 
 	"github.com/godbus/dbus/v5"
 	"github.com/miekg/dns"
-	nbdns "github.com/netbirdio/netbird/dns"
-	"github.com/netbirdio/netbird/iface"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
+
+	nbdns "github.com/netbirdio/netbird/dns"
+	"github.com/netbirdio/netbird/iface"
 )
 
 const (
@@ -75,6 +76,10 @@ func newSystemdDbusConfigurator(wgInterface *iface.WGIface) (hostManager, error)
 	}, nil
 }
 
+func (s *systemdDbusConfigurator) supportCustomPort() bool {
+	return true
+}
+
 func (s *systemdDbusConfigurator) applyDNSConfig(config hostDNSConfig) error {
 	parsedIP, err := netip.ParseAddr(config.serverIP)
 	if err != nil {

client/internal/dns/upstream.go

@@ -3,24 +3,31 @@ package dns
 import (
 	"context"
 	"errors"
+	"fmt"
 	"net"
 	"sync"
 	"sync/atomic"
 	"time"
 
+	"github.com/cenkalti/backoff/v4"
 	"github.com/miekg/dns"
 	log "github.com/sirupsen/logrus"
 )
 
 const (
-	failsTillDeact   = int32(3)
-	reactivatePeriod = time.Minute
+	failsTillDeact   = int32(5)
+	reactivatePeriod = 30 * time.Second
 	upstreamTimeout  = 15 * time.Second
 )
 
+type upstreamClient interface {
+	ExchangeContext(ctx context.Context, m *dns.Msg, a string) (r *dns.Msg, rtt time.Duration, err error)
+}
+
 type upstreamResolver struct {
 	ctx              context.Context
-	upstreamClient   *dns.Client
+	cancel           context.CancelFunc
+	upstreamClient   upstreamClient
 	upstreamServers  []string
 	disabled         bool
 	failsCount       atomic.Int32
@@ -33,9 +40,11 @@ type upstreamResolver struct {
 	reactivate func()
 }
 
-func newUpstreamResolver(ctx context.Context) *upstreamResolver {
+func newUpstreamResolver(parentCTX context.Context) *upstreamResolver {
+	ctx, cancel := context.WithCancel(parentCTX)
 	return &upstreamResolver{
 		ctx:              ctx,
+		cancel:           cancel,
 		upstreamClient:   &dns.Client{},
 		upstreamTimeout:  upstreamTimeout,
 		reactivatePeriod: reactivatePeriod,
@@ -43,6 +52,11 @@ func newUpstreamResolver(ctx context.Context) *upstreamResolver {
 	}
 }
 
+func (u *upstreamResolver) stop() {
+	log.Debugf("stoping serving DNS for upstreams %s", u.upstreamServers)
+	u.cancel()
+}
+
 // ServeDNS handles a DNS request
 func (u *upstreamResolver) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	defer u.checkUpstreamFails()
@@ -107,28 +121,57 @@ func (u *upstreamResolver) checkUpstreamFails() {
 		log.Warnf("upstream resolving is disabled for %v", reactivatePeriod)
 		u.deactivate()
 		u.disabled = true
-		go u.waitUntilReactivation()
+		go u.waitUntilResponse()
 	}
 }
 
-// waitUntilReactivation reset fails counter and activates upstream resolving
-func (u *upstreamResolver) waitUntilReactivation() {
-	timer := time.NewTimer(u.reactivatePeriod)
-	defer func() {
-		if !timer.Stop() {
-			<-timer.C
-		}
-	}()
-
-	select {
-	case <-u.ctx.Done():
-		return
-	case <-timer.C:
-		log.Info("upstream resolving is reactivated")
-		u.failsCount.Store(0)
-		u.reactivate()
-		u.disabled = false
+// waitUntilResponse retries, in an exponential interval, querying the upstream servers until it gets a positive response
+func (u *upstreamResolver) waitUntilResponse() {
+	exponentialBackOff := &backoff.ExponentialBackOff{
+		InitialInterval:     500 * time.Millisecond,
+		RandomizationFactor: 0.5,
+		Multiplier:          1.1,
+		MaxInterval:         u.reactivatePeriod,
+		MaxElapsedTime:      0,
+		Stop:                backoff.Stop,
+		Clock:               backoff.SystemClock,
 	}
+
+	r := new(dns.Msg).SetQuestion("netbird.io.", dns.TypeA)
+
+	operation := func() error {
+		select {
+		case <-u.ctx.Done():
+			return backoff.Permanent(fmt.Errorf("exiting upstream retry loop for upstreams %s: parent context has been canceled", u.upstreamServers))
+		default:
+		}
+
+		var err error
+		for _, upstream := range u.upstreamServers {
+			ctx, cancel := context.WithTimeout(u.ctx, u.upstreamTimeout)
+			_, _, err = u.upstreamClient.ExchangeContext(ctx, r, upstream)
+
+			cancel()
+
+			if err == nil {
+				return nil
+			}
+		}
+
+		log.Tracef("checking connectivity with upstreams %s failed with error: %s. Retrying in %s", err, u.upstreamServers, exponentialBackOff.NextBackOff())
+		return fmt.Errorf("got an error from upstream check call")
+	}
+
+	err := backoff.Retry(operation, exponentialBackOff)
+	if err != nil {
+		log.Warn(err)
+		return
+	}
+
+	log.Infof("upstreams %s are responsive again. Adding them back to system", u.upstreamServers)
+	u.failsCount.Store(0)
+	u.reactivate()
+	u.disabled = false
 }
 
 // isTimeout returns true if the given error is a network timeout error.

client/internal/dns/upstream_test.go

@@ -2,10 +2,11 @@ package dns
 
 import (
 	"context"
-	"github.com/miekg/dns"
 	"strings"
 	"testing"
 	"time"
+
+	"github.com/miekg/dns"
 )
 
 func TestUpstreamResolver_ServeDNS(t *testing.T) {
@@ -106,8 +107,29 @@ func TestUpstreamResolver_ServeDNS(t *testing.T) {
 	}
 }
 
+type mockUpstreamResolver struct {
+	r   *dns.Msg
+	rtt time.Duration
+	err error
+}
+
+// ExchangeContext mock implementation of ExchangeContext from upstreamResolver
+func (c mockUpstreamResolver) ExchangeContext(_ context.Context, _ *dns.Msg, _ string) (r *dns.Msg, rtt time.Duration, err error) {
+	return c.r, c.rtt, c.err
+}
+
 func TestUpstreamResolver_DeactivationReactivation(t *testing.T) {
-	resolver := newUpstreamResolver(context.TODO())
+	resolver := &upstreamResolver{
+		ctx: context.TODO(),
+		upstreamClient: &mockUpstreamResolver{
+			err: nil,
+			r:   new(dns.Msg),
+			rtt: time.Millisecond,
+		},
+		upstreamTimeout:  upstreamTimeout,
+		reactivatePeriod: reactivatePeriod,
+		failsTillDeact:   failsTillDeact,
+	}
 	resolver.upstreamServers = []string{"0.0.0.0:-1"}
 	resolver.failsTillDeact = 0
 	resolver.reactivatePeriod = time.Microsecond * 100

client/internal/engine.go

@@ -3,6 +3,7 @@ package internal
 import (
 	"context"
 	"fmt"
+	"io"
 	"math/rand"
 	"net"
 	"net/netip"
@@ -16,6 +17,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 
+	"github.com/netbirdio/netbird/client/internal/acl"
 	"github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/proxy"
@@ -23,9 +25,11 @@ import (
 	nbssh "github.com/netbirdio/netbird/client/ssh"
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/iface"
+	"github.com/netbirdio/netbird/iface/bind"
 	mgm "github.com/netbirdio/netbird/management/client"
 	mgmProto "github.com/netbirdio/netbird/management/proto"
 	"github.com/netbirdio/netbird/route"
+	"github.com/netbirdio/netbird/sharedsock"
 	signal "github.com/netbirdio/netbird/signal/client"
 	sProto "github.com/netbirdio/netbird/signal/proto"
 	"github.com/netbirdio/netbird/util"
@@ -99,10 +103,8 @@ type Engine struct {
 
 	wgInterface *iface.WGIface
 
-	udpMux          ice.UDPMux
-	udpMuxSrflx     ice.UniversalUDPMux
-	udpMuxConn      *net.UDPConn
-	udpMuxConnSrflx *net.UDPConn
+	udpMux     *bind.UniversalUDPMuxDefault
+	udpMuxConn io.Closer
 
 	// networkSerial is the latest CurrentSerial (state ID) of the network sent by the Management service
 	networkSerial uint64
@@ -113,6 +115,7 @@ type Engine struct {
 	statusRecorder *peer.Status
 
 	routeManager routemanager.Manager
+	acl          acl.Manager
 
 	dnsServer dns.Server
 }
@@ -179,12 +182,20 @@ func (e *Engine) Start() error {
 	if err != nil {
 		log.Errorf("failed to create pion's stdnet: %s", err)
 	}
-	e.wgInterface, err = iface.NewWGIFace(wgIFaceName, wgAddr, iface.DefaultMTU, e.mobileDep.Routes, e.mobileDep.TunAdapter, transportNet)
+
+	e.wgInterface, err = iface.NewWGIFace(wgIFaceName, wgAddr, iface.DefaultMTU, e.mobileDep.TunAdapter, transportNet)
 	if err != nil {
 		log.Errorf("failed creating wireguard interface instance %s: [%s]", wgIFaceName, err.Error())
 		return err
 	}
 
+	routes, err := e.readInitialRoutes()
+	if err != nil {
+		return err
+	}
+	e.routeManager = routemanager.NewManager(e.ctx, e.config.WgPrivateKey.PublicKey().String(), e.wgInterface, e.statusRecorder, routes)
+	e.routeManager.SetRouteChangeListener(e.mobileDep.RouteListener)
+
 	err = e.wgInterface.Create()
 	if err != nil {
 		log.Errorf("failed creating tunnel interface %s: [%s]", wgIFaceName, err.Error())
@@ -206,36 +217,24 @@ func (e *Engine) Start() error {
 			e.close()
 			return err
 		}
-		e.udpMux = udpMux.UDPMuxDefault
-		e.udpMuxSrflx = udpMux
+		e.udpMux = udpMux
 		log.Infof("using userspace bind mode %s", udpMux.LocalAddr().String())
 	} else {
-		networkName := "udp"
-		if e.config.DisableIPv6Discovery {
-			networkName = "udp4"
-		}
-		e.udpMuxConn, err = net.ListenUDP(networkName, &net.UDPAddr{Port: e.config.UDPMuxPort})
+		rawSock, err := sharedsock.Listen(e.config.WgPort, sharedsock.NewIncomingSTUNFilter())
 		if err != nil {
-			log.Errorf("failed listening on UDP port %d: [%s]", e.config.UDPMuxPort, err.Error())
-			e.close()
 			return err
 		}
-		udpMuxParams := ice.UDPMuxParams{
-			UDPConn: e.udpMuxConn,
-			Net:     transportNet,
-		}
-		e.udpMux = ice.NewUDPMuxDefault(udpMuxParams)
-
-		e.udpMuxConnSrflx, err = net.ListenUDP(networkName, &net.UDPAddr{Port: e.config.UDPMuxSrflxPort})
-		if err != nil {
-			log.Errorf("failed listening on UDP port %d: [%s]", e.config.UDPMuxSrflxPort, err.Error())
-			e.close()
-			return err
-		}
-		e.udpMuxSrflx = ice.NewUniversalUDPMuxDefault(ice.UniversalUDPMuxParams{UDPConn: e.udpMuxConnSrflx, Net: transportNet})
+		mux := bind.NewUniversalUDPMuxDefault(bind.UniversalUDPMuxParams{UDPConn: rawSock, Net: transportNet})
+		go mux.ReadFromConn(e.ctx)
+		e.udpMuxConn = rawSock
+		e.udpMux = mux
 	}
 
-	e.routeManager = routemanager.NewManager(e.ctx, e.config.WgPrivateKey.PublicKey().String(), e.wgInterface, e.statusRecorder)
+	if acl, err := acl.Create(e.wgInterface); err != nil {
+		log.Errorf("failed to create ACL manager, policy will not work: %s", err.Error())
+	} else {
+		e.acl = acl
+	}
 
 	if e.dnsServer == nil {
 		// todo fix custom address
@@ -394,9 +393,6 @@ func SignalOfferAnswer(offerAnswer peer.OfferAnswer, myKey wgtypes.Key, remoteKe
 		return err
 	}
 
-	// indicates message support in gRPC
-	msg.Body.FeaturesSupported = []uint32{signal.DirectCheck}
-
 	err = s.Send(msg)
 	if err != nil {
 		return err
@@ -640,6 +636,9 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 		log.Errorf("failed to update dns server, err: %v", err)
 	}
 
+	if e.acl != nil {
+		e.acl.ApplyFiltering(networkMap)
+	}
 	e.networkSerial = serial
 	return nil
 }
@@ -824,8 +823,8 @@ func (e Engine) createPeerConn(pubKey string, allowedIPs string) (*peer.Conn, er
 		InterfaceBlackList:   e.config.IFaceBlackList,
 		DisableIPv6Discovery: e.config.DisableIPv6Discovery,
 		Timeout:              timeout,
-		UDPMux:               e.udpMux,
-		UDPMuxSrflx:          e.udpMuxSrflx,
+		UDPMux:               e.udpMux.UDPMuxDefault,
+		UDPMuxSrflx:          e.udpMux,
 		ProxyConfig:          proxyConfig,
 		LocalWgPort:          e.config.WgPort,
 		NATExternalIPs:       e.parseNATExternalIPMappings(),
@@ -918,18 +917,6 @@ func (e *Engine) receiveSignalEvents() {
 				}
 				conn.OnRemoteCandidate(candidate)
 			case sProto.Body_MODE:
-				protoMode := msg.GetBody().GetMode()
-				if protoMode == nil {
-					return fmt.Errorf("received an empty mode message")
-				}
-
-				err := conn.OnModeMessage(peer.ModeMessage{
-					Direct: protoMode.GetDirect(),
-				})
-				if err != nil {
-					log.Errorf("failed processing a mode message -> %s", err)
-					return err
-				}
 			}
 
 			return nil
@@ -1020,12 +1007,6 @@ func (e *Engine) close() {
 		}
 	}
 
-	if e.udpMuxConnSrflx != nil {
-		if err := e.udpMuxConnSrflx.Close(); err != nil {
-			log.Debugf("close server reflexive udp mux connection: %v", err)
-		}
-	}
-
 	if !isNil(e.sshServer) {
 		err := e.sshServer.Stop()
 		if err != nil {
@@ -1041,6 +1022,22 @@ func (e *Engine) close() {
 		e.dnsServer.Stop()
 	}
 
+	if e.acl != nil {
+		e.acl.Stop()
+	}
+}
+
+func (e *Engine) readInitialRoutes() ([]*route.Route, error) {
+	if runtime.GOOS != "android" {
+		return nil, nil
+	}
+
+	routesResp, err := e.mgmClient.GetRoutes()
+	if err != nil {
+		return nil, err
+	}
+	return toRoutes(routesResp), nil
+
 }
 
 func findIPFromInterfaceName(ifaceName string) (net.IP, error) {

client/internal/engine_test.go

@@ -3,8 +3,6 @@ package internal
 import (
 	"context"
 	"fmt"
-	"github.com/netbirdio/netbird/iface/bind"
-	"github.com/pion/transport/v2/stdnet"
 	"net"
 	"net/netip"
 	"os"
@@ -15,6 +13,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/pion/transport/v2/stdnet"
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -29,6 +28,7 @@ import (
 	"github.com/netbirdio/netbird/client/system"
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/iface"
+	"github.com/netbirdio/netbird/iface/bind"
 	mgmt "github.com/netbirdio/netbird/management/client"
 	mgmtProto "github.com/netbirdio/netbird/management/proto"
 	"github.com/netbirdio/netbird/management/server"
@@ -213,11 +213,11 @@ func TestEngine_UpdateNetworkMap(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	engine.wgInterface, err = iface.NewWGIFace("utun102", "100.64.0.1/24", iface.DefaultMTU, nil, nil, newNet)
+	engine.wgInterface, err = iface.NewWGIFace("utun102", "100.64.0.1/24", iface.DefaultMTU, nil, newNet)
 	if err != nil {
 		t.Fatal(err)
 	}
-	engine.routeManager = routemanager.NewManager(ctx, key.PublicKey().String(), engine.wgInterface, engine.statusRecorder)
+	engine.routeManager = routemanager.NewManager(ctx, key.PublicKey().String(), engine.wgInterface, engine.statusRecorder, nil)
 	engine.dnsServer = &dns.MockServer{
 		UpdateDNSServerFunc: func(serial uint64, update nbdns.Config) error { return nil },
 	}
@@ -567,7 +567,7 @@ func TestEngine_UpdateNetworkMapWithRoutes(t *testing.T) {
 			if err != nil {
 				t.Fatal(err)
 			}
-			engine.wgInterface, err = iface.NewWGIFace(wgIfaceName, wgAddr, iface.DefaultMTU, nil, nil, newNet)
+			engine.wgInterface, err = iface.NewWGIFace(wgIfaceName, wgAddr, iface.DefaultMTU, nil, newNet)
 			assert.NoError(t, err, "shouldn't return error")
 			input := struct {
 				inputSerial uint64
@@ -736,7 +736,7 @@ func TestEngine_UpdateNetworkMapWithDNSUpdate(t *testing.T) {
 			if err != nil {
 				t.Fatal(err)
 			}
-			engine.wgInterface, err = iface.NewWGIFace(wgIfaceName, wgAddr, iface.DefaultMTU, nil, nil, newNet)
+			engine.wgInterface, err = iface.NewWGIFace(wgIfaceName, wgAddr, iface.DefaultMTU, nil, newNet)
 			assert.NoError(t, err, "shouldn't return error")
 
 			mockRouteManager := &routemanager.MockManager{
@@ -1039,7 +1039,7 @@ func startManagement(dataDir string) (*grpc.Server, string, error) {
 		return nil, "", err
 	}
 	s := grpc.NewServer(grpc.KeepaliveEnforcementPolicy(kaep), grpc.KeepaliveParams(kasp))
-	store, err := server.NewFileStore(config.Datadir)
+	store, err := server.NewFileStore(config.Datadir, nil)
 	if err != nil {
 		log.Fatalf("failed creating a store: %s: %v", config.Datadir, err)
 	}

client/internal/mobile_dependency.go

@@ -1,6 +1,7 @@
 package internal
 
 import (
+	"github.com/netbirdio/netbird/client/internal/routemanager"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/netbirdio/netbird/iface"
 )
@@ -9,5 +10,5 @@ import (
 type MobileDependency struct {
 	TunAdapter    iface.TunAdapter
 	IFaceDiscover stdnet.ExternalIFaceDiscover
-	Routes        []string
+	RouteListener routemanager.RouteListener
 }

client/internal/mobile_dependency_android.go

@@ -1,29 +0,0 @@
-package internal
-
-import (
-	"github.com/netbirdio/netbird/client/internal/stdnet"
-	"github.com/netbirdio/netbird/iface"
-	mgm "github.com/netbirdio/netbird/management/client"
-)
-
-func newMobileDependency(tunAdapter iface.TunAdapter, ifaceDiscover stdnet.ExternalIFaceDiscover, mgmClient *mgm.GrpcClient) (MobileDependency, error) {
-	md := MobileDependency{
-		TunAdapter:    tunAdapter,
-		IFaceDiscover: ifaceDiscover,
-	}
-	err := md.readMap(mgmClient)
-	return md, err
-}
-
-func (d *MobileDependency) readMap(mgmClient *mgm.GrpcClient) error {
-	routes, err := mgmClient.GetRoutes()
-	if err != nil {
-		return err
-	}
-
-	d.Routes = make([]string, len(routes))
-	for i, r := range routes {
-		d.Routes[i] = r.GetNetwork()
-	}
-	return nil
-}

client/internal/mobile_dependency_nonandroid.go

@@ -1,13 +0,0 @@
-//go:build !android
-
-package internal
-
-import (
-	"github.com/netbirdio/netbird/client/internal/stdnet"
-	"github.com/netbirdio/netbird/iface"
-	mgm "github.com/netbirdio/netbird/management/client"
-)
-
-func newMobileDependency(tunAdapter iface.TunAdapter, ifaceDiscover stdnet.ExternalIFaceDiscover, mgmClient *mgm.GrpcClient) (MobileDependency, error) {
-	return MobileDependency{}, nil
-}

client/internal/oauth.go

@@ -148,6 +148,11 @@ func (h *Hosted) RequestDeviceCode(ctx context.Context) (DeviceAuthInfo, error)
 		return DeviceAuthInfo{}, fmt.Errorf("unmarshaling response failed with error: %v", err)
 	}
 
+	// Fallback to the verification_uri if the IdP doesn't support verification_uri_complete
+	if deviceCode.VerificationURIComplete == "" {
+		deviceCode.VerificationURIComplete = deviceCode.VerificationURI
+	}
+
 	return deviceCode, err
 }
 

client/internal/peer/conn.go

@@ -14,11 +14,17 @@ import (
 	"github.com/netbirdio/netbird/client/internal/proxy"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/netbirdio/netbird/iface"
+	"github.com/netbirdio/netbird/iface/bind"
 	signal "github.com/netbirdio/netbird/signal/client"
 	sProto "github.com/netbirdio/netbird/signal/proto"
 	"github.com/netbirdio/netbird/version"
 )
 
+const (
+	iceKeepAliveDefault           = 4 * time.Second
+	iceDisconnectedTimeoutDefault = 6 * time.Second
+)
+
 // ConnConfig is a peer Connection configuration
 type ConnConfig struct {
 
@@ -149,17 +155,23 @@ func (conn *Conn) reCreateAgent() error {
 	if err != nil {
 		log.Errorf("failed to create pion's stdnet: %s", err)
 	}
+
+	iceKeepAlive := iceKeepAlive()
+	iceDisconnectedTimeout := iceDisconnectedTimeout()
+
 	agentConfig := &ice.AgentConfig{
-		MulticastDNSMode: ice.MulticastDNSModeDisabled,
-		NetworkTypes:     []ice.NetworkType{ice.NetworkTypeUDP4, ice.NetworkTypeUDP6},
-		Urls:             conn.config.StunTurn,
-		CandidateTypes:   []ice.CandidateType{ice.CandidateTypeHost, ice.CandidateTypeServerReflexive, ice.CandidateTypeRelay},
-		FailedTimeout:    &failedTimeout,
-		InterfaceFilter:  stdnet.InterfaceFilter(conn.config.InterfaceBlackList),
-		UDPMux:           conn.config.UDPMux,
-		UDPMuxSrflx:      conn.config.UDPMuxSrflx,
-		NAT1To1IPs:       conn.config.NATExternalIPs,
-		Net:              transportNet,
+		MulticastDNSMode:    ice.MulticastDNSModeDisabled,
+		NetworkTypes:        []ice.NetworkType{ice.NetworkTypeUDP4, ice.NetworkTypeUDP6},
+		Urls:                conn.config.StunTurn,
+		CandidateTypes:      conn.candidateTypes(),
+		FailedTimeout:       &failedTimeout,
+		InterfaceFilter:     stdnet.InterfaceFilter(conn.config.InterfaceBlackList),
+		UDPMux:              conn.config.UDPMux,
+		UDPMuxSrflx:         conn.config.UDPMuxSrflx,
+		NAT1To1IPs:          conn.config.NATExternalIPs,
+		Net:                 transportNet,
+		DisconnectedTimeout: &iceDisconnectedTimeout,
+		KeepaliveInterval:   &iceKeepAlive,
 	}
 
 	if conn.config.DisableIPv6Discovery {
@@ -190,6 +202,13 @@ func (conn *Conn) reCreateAgent() error {
 	return nil
 }
 
+func (conn *Conn) candidateTypes() []ice.CandidateType {
+	if hasICEForceRelayConn() {
+		return []ice.CandidateType{ice.CandidateTypeRelay}
+	}
+	return []ice.CandidateType{ice.CandidateTypeHost, ice.CandidateTypeServerReflexive, ice.CandidateTypeRelay}
+}
+
 // Open opens connection to the remote peer starting ICE candidate gathering process.
 // Blocks until connection has been closed or connection timeout.
 // ConnStatus will be set accordingly
@@ -315,88 +334,10 @@ func (conn *Conn) Open() error {
 	}
 }
 
-// useProxy determines whether a direct connection (without a go proxy) is possible
-//
-// There are 3 cases:
-//
-// * When neither candidate is from hard nat and one of the peers has a public IP
-//
-// * both peers are in the same private network
-//
-// * Local peer uses userspace interface with bind.ICEBind and is not relayed
-//
-// Please note, that this check happens when peers were already able to ping each other using ICE layer.
-func shouldUseProxy(pair *ice.CandidatePair, userspaceBind bool) bool {
-
-	if !isRelayCandidate(pair.Local) && userspaceBind {
-		log.Debugf("shouldn't use proxy because using Bind and the connection is not relayed")
-		return false
-	}
-
-	if !isHardNATCandidate(pair.Local) && isHostCandidateWithPublicIP(pair.Remote) {
-		log.Debugf("shouldn't use proxy because the local peer is not behind a hard NAT and the remote one has a public IP")
-		return false
-	}
-
-	if !isHardNATCandidate(pair.Remote) && isHostCandidateWithPublicIP(pair.Local) {
-		log.Debugf("shouldn't use proxy because the remote peer is not behind a hard NAT and the local one has a public IP")
-		return false
-	}
-
-	if isHostCandidateWithPrivateIP(pair.Local) && isHostCandidateWithPrivateIP(pair.Remote) && isSameNetworkPrefix(pair) {
-		log.Debugf("shouldn't use proxy because peers are in the same private /16 network")
-		return false
-	}
-
-	if (isPeerReflexiveCandidateWithPrivateIP(pair.Local) && isHostCandidateWithPrivateIP(pair.Remote) ||
-		isHostCandidateWithPrivateIP(pair.Local) && isPeerReflexiveCandidateWithPrivateIP(pair.Remote)) && isSameNetworkPrefix(pair) {
-		log.Debugf("shouldn't use proxy because peers are in the same private /16 network and one peer is peer reflexive")
-		return false
-	}
-
-	return true
-}
-
-func isSameNetworkPrefix(pair *ice.CandidatePair) bool {
-
-	localIP := net.ParseIP(pair.Local.Address())
-	remoteIP := net.ParseIP(pair.Remote.Address())
-	if localIP == nil || remoteIP == nil {
-		return false
-	}
-	// only consider /16 networks
-	mask := net.IPMask{255, 255, 0, 0}
-	return localIP.Mask(mask).Equal(remoteIP.Mask(mask))
-}
-
 func isRelayCandidate(candidate ice.Candidate) bool {
 	return candidate.Type() == ice.CandidateTypeRelay
 }
 
-func isHardNATCandidate(candidate ice.Candidate) bool {
-	return candidate.Type() == ice.CandidateTypeRelay || candidate.Type() == ice.CandidateTypePeerReflexive
-}
-
-func isHostCandidateWithPublicIP(candidate ice.Candidate) bool {
-	return candidate.Type() == ice.CandidateTypeHost && isPublicIP(candidate.Address())
-}
-
-func isHostCandidateWithPrivateIP(candidate ice.Candidate) bool {
-	return candidate.Type() == ice.CandidateTypeHost && !isPublicIP(candidate.Address())
-}
-
-func isPeerReflexiveCandidateWithPrivateIP(candidate ice.Candidate) bool {
-	return candidate.Type() == ice.CandidateTypePeerReflexive && !isPublicIP(candidate.Address())
-}
-
-func isPublicIP(address string) bool {
-	ip := net.ParseIP(address)
-	if ip == nil || ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsPrivate() {
-		return false
-	}
-	return true
-}
-
 // startProxy starts proxying traffic from/to local Wireguard and sets connection status to StatusConnected
 func (conn *Conn) startProxy(remoteConn net.Conn, remoteWgPort int) error {
 	conn.mu.Lock()
@@ -409,7 +350,7 @@ func (conn *Conn) startProxy(remoteConn net.Conn, remoteWgPort int) error {
 	}
 
 	peerState := State{PubKey: conn.config.Key}
-	p := conn.getProxyWithMessageExchange(pair, remoteWgPort)
+	p := conn.getProxy(pair, remoteWgPort)
 	conn.proxy = p
 	err = p.Start(remoteConn)
 	if err != nil {
@@ -435,62 +376,35 @@ func (conn *Conn) startProxy(remoteConn net.Conn, remoteWgPort int) error {
 	return nil
 }
 
-func (conn *Conn) getProxyWithMessageExchange(pair *ice.CandidatePair, remoteWgPort int) proxy.Proxy {
-	useProxy := shouldUseProxy(pair, conn.config.UserspaceBind)
-	localDirectMode := !useProxy
-	remoteDirectMode := localDirectMode
-
-	if conn.meta.protoSupport.DirectCheck {
-		go conn.sendLocalDirectMode(localDirectMode)
-		// will block until message received or timeout
-		remoteDirectMode = conn.receiveRemoteDirectMode()
+// todo rename this method and the proxy package to something more appropriate
+func (conn *Conn) getProxy(pair *ice.CandidatePair, remoteWgPort int) proxy.Proxy {
+	if isRelayCandidate(pair.Local) {
+		return proxy.NewWireGuardProxy(conn.config.ProxyConfig)
 	}
 
-	if conn.config.UserspaceBind && localDirectMode {
-		return proxy.NewNoProxy(conn.config.ProxyConfig)
-	}
+	// To support old version's with direct mode we attempt to punch an additional role with the remote wireguard port
+	go conn.punchRemoteWGPort(pair, remoteWgPort)
 
-	if localDirectMode && remoteDirectMode {
-		return proxy.NewDirectNoProxy(conn.config.ProxyConfig, remoteWgPort)
-	}
-
-	log.Debugf("falling back to local proxy mode with peer %s", conn.config.Key)
-	return proxy.NewWireGuardProxy(conn.config.ProxyConfig)
+	return proxy.NewNoProxy(conn.config.ProxyConfig)
 }
 
-func (conn *Conn) sendLocalDirectMode(localMode bool) {
-	// todo what happens when we couldn't deliver this message?
-	// we could retry, etc but there is no guarantee
-
-	err := conn.sendSignalMessage(&sProto.Message{
-		Key:       conn.config.LocalKey,
-		RemoteKey: conn.config.Key,
-		Body: &sProto.Body{
-			Type: sProto.Body_MODE,
-			Mode: &sProto.Mode{
-				Direct: &localMode,
-			},
-			NetBirdVersion: version.NetbirdVersion(),
-		},
-	})
+func (conn *Conn) punchRemoteWGPort(pair *ice.CandidatePair, remoteWgPort int) {
+	// wait local endpoint configuration
+	time.Sleep(time.Second)
+	addr, err := net.ResolveUDPAddr("udp", fmt.Sprintf("%s:%d", pair.Remote.Address(), remoteWgPort))
 	if err != nil {
-		log.Errorf("failed to send local proxy mode to remote peer %s, error: %s", conn.config.Key, err)
+		log.Warnf("got an error while resolving the udp address, err: %s", err)
+		return
 	}
-}
 
-func (conn *Conn) receiveRemoteDirectMode() bool {
-	timeout := time.Second
-	timer := time.NewTimer(timeout)
-	defer timer.Stop()
-
-	select {
-	case receivedMSG := <-conn.remoteModeCh:
-		return receivedMSG.Direct
-	case <-timer.C:
-		// we didn't receive a message from remote so we assume that it supports the direct mode to keep the old behaviour
-		log.Debugf("timeout after %s while waiting for remote direct mode message from remote peer %s",
-			timeout, conn.config.Key)
-		return true
+	mux, ok := conn.config.UDPMuxSrflx.(*bind.UniversalUDPMuxDefault)
+	if !ok {
+		log.Warn("invalid udp mux conversion")
+		return
+	}
+	_, err = mux.GetSharedConn().WriteTo([]byte{0x6e, 0x62}, addr)
+	if err != nil {
+		log.Warnf("got an error while sending the punch packet, err: %s", err)
 	}
 }
 
@@ -714,16 +628,6 @@ func (conn *Conn) GetKey() string {
 	return conn.config.Key
 }
 
-// OnModeMessage unmarshall the payload message and send it to the mode message channel
-func (conn *Conn) OnModeMessage(message ModeMessage) error {
-	select {
-	case conn.remoteModeCh <- message:
-		return nil
-	default:
-		return fmt.Errorf("unable to process mode message: channel busy")
-	}
-}
-
 // RegisterProtoSupportMeta register supported proto message in the connection metadata
 func (conn *Conn) RegisterProtoSupportMeta(support []uint32) {
 	protoSupport := signal.ParseFeaturesSupported(support)

client/internal/peer/conn_test.go

@@ -9,11 +9,9 @@ import (
 
 	"github.com/magiconair/properties/assert"
 	"github.com/pion/ice/v2"
-	"golang.org/x/sync/errgroup"
 
 	"github.com/netbirdio/netbird/client/internal/proxy"
 	"github.com/netbirdio/netbird/iface"
-	sproto "github.com/netbirdio/netbird/signal/proto"
 )
 
 var connConf = ConnConfig{
@@ -170,310 +168,3 @@ func TestConn_Close(t *testing.T) {
 
 	wg.Wait()
 }
-
-type mockICECandidate struct {
-	ice.Candidate
-	AddressFunc func() string
-	TypeFunc    func() ice.CandidateType
-}
-
-// Address mocks and overwrite ice.Candidate Address method
-func (m *mockICECandidate) Address() string {
-	if m.AddressFunc != nil {
-		return m.AddressFunc()
-	}
-	return ""
-}
-
-// Type mocks and overwrite ice.Candidate Type method
-func (m *mockICECandidate) Type() ice.CandidateType {
-	if m.TypeFunc != nil {
-		return m.TypeFunc()
-	}
-	return ice.CandidateTypeUnspecified
-}
-
-func TestConn_ShouldUseProxy(t *testing.T) {
-	publicHostCandidate := &mockICECandidate{
-		AddressFunc: func() string {
-			return "8.8.8.8"
-		},
-		TypeFunc: func() ice.CandidateType {
-			return ice.CandidateTypeHost
-		},
-	}
-	privateHostCandidate := &mockICECandidate{
-		AddressFunc: func() string {
-			return "10.0.0.1"
-		},
-		TypeFunc: func() ice.CandidateType {
-			return ice.CandidateTypeHost
-		},
-	}
-
-	srflxCandidate := &mockICECandidate{
-		AddressFunc: func() string {
-			return "1.1.1.1"
-		},
-		TypeFunc: func() ice.CandidateType {
-			return ice.CandidateTypeServerReflexive
-		},
-	}
-
-	prflxCandidate := &mockICECandidate{
-		AddressFunc: func() string {
-			return "1.1.1.1"
-		},
-		TypeFunc: func() ice.CandidateType {
-			return ice.CandidateTypePeerReflexive
-		},
-	}
-
-	relayCandidate := &mockICECandidate{
-		AddressFunc: func() string {
-			return "1.1.1.1"
-		},
-		TypeFunc: func() ice.CandidateType {
-			return ice.CandidateTypeRelay
-		},
-	}
-
-	testCases := []struct {
-		name        string
-		candatePair *ice.CandidatePair
-		expected    bool
-	}{
-		{
-			name: "Use Proxy When Local Candidate Is Relay",
-			candatePair: &ice.CandidatePair{
-				Local:  relayCandidate,
-				Remote: privateHostCandidate,
-			},
-			expected: true,
-		},
-		{
-			name: "Use Proxy When Remote Candidate Is Relay",
-			candatePair: &ice.CandidatePair{
-				Local:  privateHostCandidate,
-				Remote: relayCandidate,
-			},
-			expected: true,
-		},
-		{
-			name: "Use Proxy When Local Candidate Is Peer Reflexive",
-			candatePair: &ice.CandidatePair{
-				Local:  prflxCandidate,
-				Remote: privateHostCandidate,
-			},
-			expected: true,
-		},
-		{
-			name: "Use Proxy When Remote Candidate Is Peer Reflexive",
-			candatePair: &ice.CandidatePair{
-				Local:  privateHostCandidate,
-				Remote: prflxCandidate,
-			},
-			expected: true,
-		},
-		{
-			name: "Don't Use Proxy When Local Candidate Is Public And Remote Is Private",
-			candatePair: &ice.CandidatePair{
-				Local:  publicHostCandidate,
-				Remote: privateHostCandidate,
-			},
-			expected: false,
-		},
-		{
-			name: "Don't Use Proxy When Remote Candidate Is Public And Local Is Private",
-			candatePair: &ice.CandidatePair{
-				Local:  privateHostCandidate,
-				Remote: publicHostCandidate,
-			},
-			expected: false,
-		},
-		{
-			name: "Don't Use Proxy When Local Candidate is Public And Remote Is Server Reflexive",
-			candatePair: &ice.CandidatePair{
-				Local:  publicHostCandidate,
-				Remote: srflxCandidate,
-			},
-			expected: false,
-		},
-		{
-			name: "Don't Use Proxy When Remote Candidate is Public And Local Is Server Reflexive",
-			candatePair: &ice.CandidatePair{
-				Local:  srflxCandidate,
-				Remote: publicHostCandidate,
-			},
-			expected: false,
-		},
-		{
-			name: "Don't Use Proxy When Both Candidates Are Public",
-			candatePair: &ice.CandidatePair{
-				Local:  publicHostCandidate,
-				Remote: publicHostCandidate,
-			},
-			expected: false,
-		},
-		{
-			name: "Don't Use Proxy When Both Candidates Are Private",
-			candatePair: &ice.CandidatePair{
-				Local:  privateHostCandidate,
-				Remote: privateHostCandidate,
-			},
-			expected: false,
-		},
-		{
-			name: "Don't Use Proxy When Both Candidates are in private network and one is peer reflexive",
-			candatePair: &ice.CandidatePair{
-				Local: &mockICECandidate{AddressFunc: func() string {
-					return "10.16.102.168"
-				},
-					TypeFunc: func() ice.CandidateType {
-						return ice.CandidateTypeHost
-					}},
-				Remote: &mockICECandidate{AddressFunc: func() string {
-					return "10.16.101.96"
-				},
-					TypeFunc: func() ice.CandidateType {
-						return ice.CandidateTypePeerReflexive
-					}},
-			},
-			expected: false,
-		},
-		{
-			name: "Should Use Proxy When Both Candidates are in private network and both are peer reflexive",
-			candatePair: &ice.CandidatePair{
-				Local: &mockICECandidate{AddressFunc: func() string {
-					return "10.16.102.168"
-				},
-					TypeFunc: func() ice.CandidateType {
-						return ice.CandidateTypePeerReflexive
-					}},
-				Remote: &mockICECandidate{AddressFunc: func() string {
-					return "10.16.101.96"
-				},
-					TypeFunc: func() ice.CandidateType {
-						return ice.CandidateTypePeerReflexive
-					}},
-			},
-			expected: true,
-		},
-	}
-
-	for _, testCase := range testCases {
-		t.Run(testCase.name, func(t *testing.T) {
-			result := shouldUseProxy(testCase.candatePair, false)
-			if result != testCase.expected {
-				t.Errorf("got a different result. Expected %t Got %t", testCase.expected, result)
-			}
-		})
-	}
-}
-
-func TestGetProxyWithMessageExchange(t *testing.T) {
-	publicHostCandidate := &mockICECandidate{
-		AddressFunc: func() string {
-			return "8.8.8.8"
-		},
-		TypeFunc: func() ice.CandidateType {
-			return ice.CandidateTypeHost
-		},
-	}
-	relayCandidate := &mockICECandidate{
-		AddressFunc: func() string {
-			return "1.1.1.1"
-		},
-		TypeFunc: func() ice.CandidateType {
-			return ice.CandidateTypeRelay
-		},
-	}
-
-	testCases := []struct {
-		name                   string
-		candatePair            *ice.CandidatePair
-		inputDirectModeSupport bool
-		inputRemoteModeMessage bool
-		expected               proxy.Type
-	}{
-		{
-			name: "Should Result In Using Wireguard Proxy When Local Eval Is Use Proxy",
-			candatePair: &ice.CandidatePair{
-				Local:  relayCandidate,
-				Remote: publicHostCandidate,
-			},
-			inputDirectModeSupport: true,
-			inputRemoteModeMessage: true,
-			expected:               proxy.TypeWireGuard,
-		},
-		{
-			name: "Should Result In Using Wireguard Proxy When Remote Eval Is Use Proxy",
-			candatePair: &ice.CandidatePair{
-				Local:  publicHostCandidate,
-				Remote: publicHostCandidate,
-			},
-			inputDirectModeSupport: true,
-			inputRemoteModeMessage: false,
-			expected:               proxy.TypeWireGuard,
-		},
-		{
-			name: "Should Result In Using Wireguard Proxy When Remote Direct Mode Support Is False And Local Eval Is Use Proxy",
-			candatePair: &ice.CandidatePair{
-				Local:  relayCandidate,
-				Remote: publicHostCandidate,
-			},
-			inputDirectModeSupport: false,
-			inputRemoteModeMessage: false,
-			expected:               proxy.TypeWireGuard,
-		},
-		{
-			name: "Should Result In Using Direct When Remote Direct Mode Support Is False And Local Eval Is No Use Proxy",
-			candatePair: &ice.CandidatePair{
-				Local:  publicHostCandidate,
-				Remote: publicHostCandidate,
-			},
-			inputDirectModeSupport: false,
-			inputRemoteModeMessage: false,
-			expected:               proxy.TypeDirectNoProxy,
-		},
-		{
-			name: "Should Result In Using Direct When Local And Remote Eval Is No Proxy",
-			candatePair: &ice.CandidatePair{
-				Local:  publicHostCandidate,
-				Remote: publicHostCandidate,
-			},
-			inputDirectModeSupport: true,
-			inputRemoteModeMessage: true,
-			expected:               proxy.TypeDirectNoProxy,
-		},
-	}
-	for _, testCase := range testCases {
-		t.Run(testCase.name, func(t *testing.T) {
-			g := errgroup.Group{}
-			conn, err := NewConn(connConf, nil, nil, nil)
-			if err != nil {
-				t.Fatal(err)
-			}
-			conn.meta.protoSupport.DirectCheck = testCase.inputDirectModeSupport
-			conn.SetSendSignalMessage(func(message *sproto.Message) error {
-				return nil
-			})
-
-			g.Go(func() error {
-				return conn.OnModeMessage(ModeMessage{
-					Direct: testCase.inputRemoteModeMessage,
-				})
-			})
-
-			resultProxy := conn.getProxyWithMessageExchange(testCase.candatePair, 1000)
-
-			err = g.Wait()
-			if err != nil {
-				t.Error(err)
-			}
-			if resultProxy.Type() != testCase.expected {
-				t.Errorf("result didn't match expected value: Expected: %s, Got: %s", testCase.expected, resultProxy.Type())
-			}
-		})
-	}
-}

client/internal/peer/env_config.go

@@ -0,0 +1,53 @@
+package peer
+
+import (
+	"os"
+	"strconv"
+	"strings"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+)
+
+const (
+	envICEKeepAliveIntervalSec   = "NB_ICE_KEEP_ALIVE_INTERVAL_SEC"
+	envICEDisconnectedTimeoutSec = "NB_ICE_DISCONNECTED_TIMEOUT_SEC"
+	envICEForceRelayConn         = "NB_ICE_FORCE_RELAY_CONN"
+)
+
+func iceKeepAlive() time.Duration {
+	keepAliveEnv := os.Getenv(envICEKeepAliveIntervalSec)
+	if keepAliveEnv == "" {
+		return iceKeepAliveDefault
+	}
+
+	log.Debugf("setting ICE keep alive interval to %s seconds", keepAliveEnv)
+	keepAliveEnvSec, err := strconv.Atoi(keepAliveEnv)
+	if err != nil {
+		log.Warnf("invalid value %s set for %s, using default %v", keepAliveEnv, envICEKeepAliveIntervalSec, iceKeepAliveDefault)
+		return iceKeepAliveDefault
+	}
+
+	return time.Duration(keepAliveEnvSec) * time.Second
+}
+
+func iceDisconnectedTimeout() time.Duration {
+	disconnectedTimeoutEnv := os.Getenv(envICEDisconnectedTimeoutSec)
+	if disconnectedTimeoutEnv == "" {
+		return iceDisconnectedTimeoutDefault
+	}
+
+	log.Debugf("setting ICE disconnected timeout to %s seconds", disconnectedTimeoutEnv)
+	disconnectedTimeoutSec, err := strconv.Atoi(disconnectedTimeoutEnv)
+	if err != nil {
+		log.Warnf("invalid value %s set for %s, using default %v", disconnectedTimeoutEnv, envICEDisconnectedTimeoutSec, iceDisconnectedTimeoutDefault)
+		return iceDisconnectedTimeoutDefault
+	}
+
+	return time.Duration(disconnectedTimeoutSec) * time.Second
+}
+
+func hasICEForceRelayConn() bool {
+	disconnectedTimeoutEnv := os.Getenv(envICEForceRelayConn)
+	return strings.ToLower(disconnectedTimeoutEnv) == "true"
+}

client/internal/peer/status.go

@@ -78,6 +78,7 @@ func (d *Status) ReplaceOfflinePeers(replacement []State) {
 	defer d.mux.Unlock()
 	d.offlinePeers = make([]State, len(replacement))
 	copy(d.offlinePeers, replacement)
+	d.notifyPeerListChanged()
 }
 
 // AddPeer adds peer to Daemon status map
@@ -145,6 +146,11 @@ func (d *Status) UpdatePeerState(receivedState State) error {
 
 	d.peers[receivedState.PubKey] = peerState
 
+	if receivedState.ConnStatus == StatusConnecting ||
+		(receivedState.ConnStatus == StatusDisconnected && peerState.ConnStatus == StatusConnecting) {
+		return nil
+	}
+
 	ch, found := d.changeNotify[receivedState.PubKey]
 	if found && ch != nil {
 		close(ch)
@@ -308,7 +314,7 @@ func (d *Status) onConnectionChanged() {
 }
 
 func (d *Status) notifyPeerListChanged() {
-	d.notifier.peerListChanged(len(d.peers))
+	d.notifier.peerListChanged(len(d.peers) + len(d.offlinePeers))
 }
 
 func (d *Status) notifyAddressChanged() {

client/internal/proxy/direct.go

@@ -1,57 +0,0 @@
-package proxy
-
-import (
-	log "github.com/sirupsen/logrus"
-	"net"
-)
-
-// DirectNoProxy is used when there is no need for a proxy between ICE and WireGuard.
-// This is possible in either of these cases:
-// - peers are in the same local network
-// - one of the peers has a public static IP (host)
-// DirectNoProxy will just update remote peer with a remote host and fixed WireGuard port (r.g. 51820).
-// In order DirectNoProxy to work, WireGuard port has to be fixed for the time being.
-type DirectNoProxy struct {
-	config Config
-	// RemoteWgListenPort is a WireGuard port of a remote peer.
-	// It is used instead of the hardcoded 51820 port.
-	RemoteWgListenPort int
-}
-
-// NewDirectNoProxy creates a new DirectNoProxy with a provided config and remote peer's WireGuard listen port
-func NewDirectNoProxy(config Config, remoteWgPort int) *DirectNoProxy {
-	return &DirectNoProxy{config: config, RemoteWgListenPort: remoteWgPort}
-}
-
-// Close removes peer from the WireGuard interface
-func (p *DirectNoProxy) Close() error {
-	err := p.config.WgInterface.RemovePeer(p.config.RemoteKey)
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-// Start just updates WireGuard peer with the remote IP and default WireGuard port
-func (p *DirectNoProxy) Start(remoteConn net.Conn) error {
-
-	log.Debugf("using DirectNoProxy while connecting to peer %s", p.config.RemoteKey)
-	addr, err := net.ResolveUDPAddr("udp", remoteConn.RemoteAddr().String())
-	if err != nil {
-		return err
-	}
-	addr.Port = p.RemoteWgListenPort
-	err = p.config.WgInterface.UpdatePeer(p.config.RemoteKey, p.config.AllowedIps, DefaultWgKeepAlive,
-		addr, p.config.PreSharedKey)
-
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-// Type returns the type of this proxy
-func (p *DirectNoProxy) Type() Type {
-	return TypeDirectNoProxy
-}

client/internal/routemanager/client.go

@@ -71,7 +71,7 @@ func (c *clientNetwork) getRouterPeerStatuses() map[string]routerPeerStatus {
 }
 
 func (c *clientNetwork) getBestRouteFromStatuses(routePeerStatuses map[string]routerPeerStatus) string {
-	var chosen string
+	chosen := ""
 	chosenScore := 0
 
 	currID := ""
@@ -85,17 +85,26 @@ func (c *clientNetwork) getBestRouteFromStatuses(routePeerStatuses map[string]ro
 		if !found || !peerStatus.connected {
 			continue
 		}
+
 		if r.Metric < route.MaxMetric {
 			metricDiff := route.MaxMetric - r.Metric
 			tempScore = metricDiff * 10
 		}
+
 		if !peerStatus.relayed {
 			tempScore++
 		}
-		if !peerStatus.direct {
+
+		if peerStatus.direct {
 			tempScore++
 		}
-		if tempScore > chosenScore || (tempScore == chosenScore && currID == r.ID) {
+
+		if tempScore > chosenScore || (tempScore == chosenScore && r.ID == currID) {
+			chosen = r.ID
+			chosenScore = tempScore
+		}
+
+		if chosen == "" && currID == "" {
 			chosen = r.ID
 			chosenScore = tempScore
 		}
@@ -106,7 +115,9 @@ func (c *clientNetwork) getBestRouteFromStatuses(routePeerStatuses map[string]ro
 		for _, r := range c.routes {
 			peers = append(peers, r.Peer)
 		}
-		log.Warnf("no route was chosen for network %s because no peers from list %s were connected", c.network, peers)
+
+		log.Warnf("the network %s has not been assigned a routing peer as no peers from the list %s are currently connected", c.network, peers)
+
 	} else if chosen != currID {
 		log.Infof("new chosen route is %s with peer %s with score %d", chosen, c.routes[chosen].Peer, chosenScore)
 	}

client/internal/routemanager/client_test.go

@@ -0,0 +1,199 @@
+package routemanager
+
+import (
+	"net/netip"
+	"testing"
+
+	"github.com/netbirdio/netbird/route"
+)
+
+func TestGetBestrouteFromStatuses(t *testing.T) {
+
+	testCases := []struct {
+		name            string
+		statuses        map[string]routerPeerStatus
+		expectedRouteID string
+		currentRoute    *route.Route
+		existingRoutes  map[string]*route.Route
+	}{
+		{
+			name: "one route",
+			statuses: map[string]routerPeerStatus{
+				"route1": {
+					connected: true,
+					relayed:   false,
+					direct:    true,
+				},
+			},
+			existingRoutes: map[string]*route.Route{
+				"route1": {
+					ID:     "route1",
+					Metric: route.MaxMetric,
+					Peer:   "peer1",
+				},
+			},
+			currentRoute:    nil,
+			expectedRouteID: "route1",
+		},
+		{
+			name: "one connected routes with relayed and direct",
+			statuses: map[string]routerPeerStatus{
+				"route1": {
+					connected: true,
+					relayed:   true,
+					direct:    true,
+				},
+			},
+			existingRoutes: map[string]*route.Route{
+				"route1": {
+					ID:     "route1",
+					Metric: route.MaxMetric,
+					Peer:   "peer1",
+				},
+			},
+			currentRoute:    nil,
+			expectedRouteID: "route1",
+		},
+		{
+			name: "one connected routes with relayed and no direct",
+			statuses: map[string]routerPeerStatus{
+				"route1": {
+					connected: true,
+					relayed:   true,
+					direct:    false,
+				},
+			},
+			existingRoutes: map[string]*route.Route{
+				"route1": {
+					ID:     "route1",
+					Metric: route.MaxMetric,
+					Peer:   "peer1",
+				},
+			},
+			currentRoute:    nil,
+			expectedRouteID: "route1",
+		},
+		{
+			name: "no connected peers",
+			statuses: map[string]routerPeerStatus{
+				"route1": {
+					connected: false,
+					relayed:   false,
+					direct:    false,
+				},
+			},
+			existingRoutes: map[string]*route.Route{
+				"route1": {
+					ID:     "route1",
+					Metric: route.MaxMetric,
+					Peer:   "peer1",
+				},
+			},
+			currentRoute:    nil,
+			expectedRouteID: "",
+		},
+		{
+			name: "multiple connected peers with different metrics",
+			statuses: map[string]routerPeerStatus{
+				"route1": {
+					connected: true,
+					relayed:   false,
+					direct:    true,
+				},
+				"route2": {
+					connected: true,
+					relayed:   false,
+					direct:    true,
+				},
+			},
+			existingRoutes: map[string]*route.Route{
+				"route1": {
+					ID:     "route1",
+					Metric: 9000,
+					Peer:   "peer1",
+				},
+				"route2": {
+					ID:     "route2",
+					Metric: route.MaxMetric,
+					Peer:   "peer2",
+				},
+			},
+			currentRoute:    nil,
+			expectedRouteID: "route1",
+		},
+		{
+			name: "multiple connected peers with one relayed",
+			statuses: map[string]routerPeerStatus{
+				"route1": {
+					connected: true,
+					relayed:   false,
+					direct:    true,
+				},
+				"route2": {
+					connected: true,
+					relayed:   true,
+					direct:    true,
+				},
+			},
+			existingRoutes: map[string]*route.Route{
+				"route1": {
+					ID:     "route1",
+					Metric: route.MaxMetric,
+					Peer:   "peer1",
+				},
+				"route2": {
+					ID:     "route2",
+					Metric: route.MaxMetric,
+					Peer:   "peer2",
+				},
+			},
+			currentRoute:    nil,
+			expectedRouteID: "route1",
+		},
+		{
+			name: "multiple connected peers with one direct",
+			statuses: map[string]routerPeerStatus{
+				"route1": {
+					connected: true,
+					relayed:   false,
+					direct:    true,
+				},
+				"route2": {
+					connected: true,
+					relayed:   false,
+					direct:    false,
+				},
+			},
+			existingRoutes: map[string]*route.Route{
+				"route1": {
+					ID:     "route1",
+					Metric: route.MaxMetric,
+					Peer:   "peer1",
+				},
+				"route2": {
+					ID:     "route2",
+					Metric: route.MaxMetric,
+					Peer:   "peer2",
+				},
+			},
+			currentRoute:    nil,
+			expectedRouteID: "route1",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			// create new clientNetwork
+			client := &clientNetwork{
+				network:     netip.MustParsePrefix("192.168.0.0/24"),
+				routes:      tc.existingRoutes,
+				chosenRoute: tc.currentRoute,
+			}
+
+			chosenRoute := client.getBestRouteFromStatuses(tc.statuses)
+			if chosenRoute != tc.expectedRouteID {
+				t.Errorf("expected routeID %s, got %s", tc.expectedRouteID, chosenRoute)
+			}
+		})
+	}
+}

client/internal/routemanager/manager.go

@@ -16,6 +16,7 @@ import (
 // Manager is a route manager interface
 type Manager interface {
 	UpdateRoutes(updateSerial uint64, newRoutes []*route.Route) error
+	SetRouteChangeListener(listener RouteListener)
 	Stop()
 }
 
@@ -29,12 +30,14 @@ type DefaultManager struct {
 	statusRecorder *peer.Status
 	wgInterface    *iface.WGIface
 	pubKey         string
+	notifier       *notifier
 }
 
 // NewManager returns a new route manager
-func NewManager(ctx context.Context, pubKey string, wgInterface *iface.WGIface, statusRecorder *peer.Status) *DefaultManager {
+func NewManager(ctx context.Context, pubKey string, wgInterface *iface.WGIface, statusRecorder *peer.Status, initialRoutes []*route.Route) *DefaultManager {
 	mCTX, cancel := context.WithCancel(ctx)
-	return &DefaultManager{
+
+	dm := &DefaultManager{
 		ctx:            mCTX,
 		stop:           cancel,
 		clientNetworks: make(map[string]*clientNetwork),
@@ -42,13 +45,25 @@ func NewManager(ctx context.Context, pubKey string, wgInterface *iface.WGIface,
 		statusRecorder: statusRecorder,
 		wgInterface:    wgInterface,
 		pubKey:         pubKey,
+		notifier:       newNotifier(),
 	}
+
+	if runtime.GOOS == "android" {
+		cr := dm.clientRoutes(initialRoutes)
+		dm.notifier.setInitialClientRoutes(cr)
+		networks := readRouteNetworks(cr)
+
+		// make sense to call before create interface
+		wgInterface.SetInitialRoutes(networks)
+	}
+	return dm
 }
 
 // Stop stops the manager watchers and clean firewall rules
 func (m *DefaultManager) Stop() {
 	m.stop()
 	m.serverRouter.cleanUp()
+	m.ctx = nil
 }
 
 // UpdateRoutes compares received routes with existing routes and remove, update or add them to the client and server maps
@@ -61,39 +76,10 @@ func (m *DefaultManager) UpdateRoutes(updateSerial uint64, newRoutes []*route.Ro
 		m.mux.Lock()
 		defer m.mux.Unlock()
 
-		newClientRoutesIDMap := make(map[string][]*route.Route)
-		newServerRoutesMap := make(map[string]*route.Route)
-		ownNetworkIDs := make(map[string]bool)
-
-		for _, newRoute := range newRoutes {
-			networkID := route.GetHAUniqueID(newRoute)
-			if newRoute.Peer == m.pubKey {
-				ownNetworkIDs[networkID] = true
-				// only linux is supported for now
-				if runtime.GOOS != "linux" {
-					log.Warnf("received a route to manage, but agent doesn't support router mode on %s OS", runtime.GOOS)
-					continue
-				}
-				newServerRoutesMap[newRoute.ID] = newRoute
-			}
-		}
-
-		for _, newRoute := range newRoutes {
-			networkID := route.GetHAUniqueID(newRoute)
-			if !ownNetworkIDs[networkID] {
-				// if prefix is too small, lets assume is a possible default route which is not yet supported
-				// we skip this route management
-				if newRoute.Network.Bits() < 7 {
-					log.Errorf("this agent version: %s, doesn't support default routes, received %s, skiping this route",
-						version.NetbirdVersion(), newRoute.Network)
-					continue
-				}
-				newClientRoutesIDMap[networkID] = append(newClientRoutesIDMap[networkID], newRoute)
-			}
-		}
+		newServerRoutesMap, newClientRoutesIDMap := m.classifiesRoutes(newRoutes)
 
 		m.updateClientNetworks(updateSerial, newClientRoutesIDMap)
-
+		m.notifier.onNewRoutes(newClientRoutesIDMap)
 		err := m.serverRouter.updateRoutes(newServerRoutesMap)
 		if err != nil {
 			return err
@@ -103,6 +89,11 @@ func (m *DefaultManager) UpdateRoutes(updateSerial uint64, newRoutes []*route.Ro
 	}
 }
 
+// SetRouteChangeListener set RouteListener for route change notifier
+func (m *DefaultManager) SetRouteChangeListener(listener RouteListener) {
+	m.notifier.setListener(listener)
+}
+
 func (m *DefaultManager) updateClientNetworks(updateSerial uint64, networks map[string][]*route.Route) {
 	// removing routes that do not exist as per the update from the Management service.
 	for id, client := range m.clientNetworks {
@@ -128,3 +119,55 @@ func (m *DefaultManager) updateClientNetworks(updateSerial uint64, networks map[
 		clientNetworkWatcher.sendUpdateToClientNetworkWatcher(update)
 	}
 }
+
+func (m *DefaultManager) classifiesRoutes(newRoutes []*route.Route) (map[string]*route.Route, map[string][]*route.Route) {
+	newClientRoutesIDMap := make(map[string][]*route.Route)
+	newServerRoutesMap := make(map[string]*route.Route)
+	ownNetworkIDs := make(map[string]bool)
+
+	for _, newRoute := range newRoutes {
+		networkID := route.GetHAUniqueID(newRoute)
+		if newRoute.Peer == m.pubKey {
+			ownNetworkIDs[networkID] = true
+			// only linux is supported for now
+			if runtime.GOOS != "linux" {
+				log.Warnf("received a route to manage, but agent doesn't support router mode on %s OS", runtime.GOOS)
+				continue
+			}
+			newServerRoutesMap[newRoute.ID] = newRoute
+		}
+	}
+
+	for _, newRoute := range newRoutes {
+		networkID := route.GetHAUniqueID(newRoute)
+		if !ownNetworkIDs[networkID] {
+			// if prefix is too small, lets assume is a possible default route which is not yet supported
+			// we skip this route management
+			if newRoute.Network.Bits() < 7 {
+				log.Errorf("this agent version: %s, doesn't support default routes, received %s, skiping this route",
+					version.NetbirdVersion(), newRoute.Network)
+				continue
+			}
+			newClientRoutesIDMap[networkID] = append(newClientRoutesIDMap[networkID], newRoute)
+		}
+	}
+
+	return newServerRoutesMap, newClientRoutesIDMap
+}
+
+func (m *DefaultManager) clientRoutes(initialRoutes []*route.Route) []*route.Route {
+	_, crMap := m.classifiesRoutes(initialRoutes)
+	rs := make([]*route.Route, 0)
+	for _, routes := range crMap {
+		rs = append(rs, routes...)
+	}
+	return rs
+}
+
+func readRouteNetworks(cr []*route.Route) []string {
+	routesNetworks := make([]string, 0)
+	for _, r := range cr {
+		routesNetworks = append(routesNetworks, r.Network.String())
+	}
+	return routesNetworks
+}

client/internal/routemanager/manager_test.go

@@ -397,7 +397,7 @@ func TestManagerUpdateRoutes(t *testing.T) {
 			if err != nil {
 				t.Fatal(err)
 			}
-			wgInterface, err := iface.NewWGIFace(fmt.Sprintf("utun43%d", n), "100.65.65.2/24", iface.DefaultMTU, nil, nil, newNet)
+			wgInterface, err := iface.NewWGIFace(fmt.Sprintf("utun43%d", n), "100.65.65.2/24", iface.DefaultMTU, nil, newNet)
 			require.NoError(t, err, "should create testing WGIface interface")
 			defer wgInterface.Close()
 
@@ -406,7 +406,7 @@ func TestManagerUpdateRoutes(t *testing.T) {
 
 			statusRecorder := peer.NewRecorder("https://mgm")
 			ctx := context.TODO()
-			routeManager := NewManager(ctx, localPeerKey, wgInterface, statusRecorder)
+			routeManager := NewManager(ctx, localPeerKey, wgInterface, statusRecorder, nil)
 			defer routeManager.Stop()
 
 			if len(testCase.inputInitRoutes) > 0 {

client/internal/routemanager/mock.go

@@ -1,7 +1,10 @@
 package routemanager
 
 import (
+	"context"
 	"fmt"
+
+	"github.com/netbirdio/netbird/iface"
 	"github.com/netbirdio/netbird/route"
 )
 
@@ -11,6 +14,11 @@ type MockManager struct {
 	StopFunc         func()
 }
 
+// InitialClientRoutesNetworks mock implementation of InitialClientRoutesNetworks from Manager interface
+func (m *MockManager) InitialClientRoutesNetworks() []string {
+	return nil
+}
+
 // UpdateRoutes mock implementation of UpdateRoutes from Manager interface
 func (m *MockManager) UpdateRoutes(updateSerial uint64, newRoutes []*route.Route) error {
 	if m.UpdateRoutesFunc != nil {
@@ -19,6 +27,15 @@ func (m *MockManager) UpdateRoutes(updateSerial uint64, newRoutes []*route.Route
 	return fmt.Errorf("method UpdateRoutes is not implemented")
 }
 
+// Start mock implementation of Start from Manager interface
+func (m *MockManager) Start(ctx context.Context, iface *iface.WGIface) {
+}
+
+// SetRouteChangeListener mock implementation of SetRouteChangeListener from Manager interface
+func (m *MockManager) SetRouteChangeListener(listener RouteListener) {
+
+}
+
 // Stop mock implementation of Stop from Manager interface
 func (m *MockManager) Stop() {
 	if m.StopFunc != nil {

client/internal/routemanager/notifier.go

@@ -0,0 +1,86 @@
+package routemanager
+
+import (
+	"sort"
+	"sync"
+
+	"github.com/netbirdio/netbird/route"
+)
+
+// RouteListener is a callback interface for mobile system
+type RouteListener interface {
+	// OnNewRouteSetting invoke when new route setting has been arrived
+	OnNewRouteSetting()
+}
+
+type notifier struct {
+	initialRouteRangers []string
+	routeRangers        []string
+
+	routeListener    RouteListener
+	routeListenerMux sync.Mutex
+}
+
+func newNotifier() *notifier {
+	return &notifier{}
+}
+
+func (n *notifier) setListener(listener RouteListener) {
+	n.routeListenerMux.Lock()
+	defer n.routeListenerMux.Unlock()
+	n.routeListener = listener
+}
+
+func (n *notifier) setInitialClientRoutes(clientRoutes []*route.Route) {
+	nets := make([]string, 0)
+	for _, r := range clientRoutes {
+		nets = append(nets, r.Network.String())
+	}
+	sort.Strings(nets)
+	n.initialRouteRangers = nets
+}
+
+func (n *notifier) onNewRoutes(idMap map[string][]*route.Route) {
+	newNets := make([]string, 0)
+	for _, routes := range idMap {
+		for _, r := range routes {
+			newNets = append(newNets, r.Network.String())
+		}
+	}
+
+	sort.Strings(newNets)
+	if !n.hasDiff(n.routeRangers, newNets) {
+		return
+	}
+
+	n.routeRangers = newNets
+
+	if !n.hasDiff(n.initialRouteRangers, newNets) {
+		return
+	}
+	n.notify()
+}
+
+func (n *notifier) notify() {
+	n.routeListenerMux.Lock()
+	defer n.routeListenerMux.Unlock()
+	if n.routeListener == nil {
+		return
+	}
+
+	go func(l RouteListener) {
+		l.OnNewRouteSetting()
+	}(n.routeListener)
+}
+
+func (n *notifier) hasDiff(a []string, b []string) bool {
+	if len(a) != len(b) {
+		return true
+	}
+	for i, v := range a {
+		if v != b[i] {
+			return true
+		}
+	}
+	return false
+}

client/internal/routemanager/systemops_linux.go

@@ -62,6 +62,16 @@ func removeFromRouteTable(prefix netip.Prefix) error {
 }
 
 func enableIPForwarding() error {
-	err := os.WriteFile(ipv4ForwardingPath, []byte("1"), 0644)
-	return err
+	bytes, err := os.ReadFile(ipv4ForwardingPath)
+	if err != nil {
+		return err
+	}
+
+	// check if it is already enabled
+	// see more: https://github.com/netbirdio/netbird/issues/872
+	if len(bytes) > 0 && bytes[0] == 49 {
+		return nil
+	}
+
+	return os.WriteFile(ipv4ForwardingPath, []byte("1"), 0644)
 }

client/internal/routemanager/systemops_nonandroid_test.go

@@ -37,7 +37,7 @@ func TestAddRemoveRoutes(t *testing.T) {
 			if err != nil {
 				t.Fatal(err)
 			}
-			wgInterface, err := iface.NewWGIFace(fmt.Sprintf("utun53%d", n), "100.65.75.2/24", iface.DefaultMTU, nil, nil, newNet)
+			wgInterface, err := iface.NewWGIFace(fmt.Sprintf("utun53%d", n), "100.65.75.2/24", iface.DefaultMTU, nil, newNet)
 			require.NoError(t, err, "should create testing WGIface interface")
 			defer wgInterface.Close()
 

client/main.go

@@ -1,8 +1,9 @@
 package main
 
 import (
-	"github.com/netbirdio/netbird/client/cmd"
 	"os"
+
+	"github.com/netbirdio/netbird/client/cmd"
 )
 
 func main() {

client/server/server.go

@@ -102,7 +102,7 @@ func (s *Server) Start() error {
 	}
 
 	go func() {
-		if err := internal.RunClient(ctx, config, s.statusRecorder, nil, nil); err != nil {
+		if err := internal.RunClient(ctx, config, s.statusRecorder, nil, nil, nil); err != nil {
 			log.Errorf("init connections: %v", err)
 		}
 	}()
@@ -236,7 +236,9 @@ func (s *Server) Login(callerCtx context.Context, msg *proto.LoginRequest) (*pro
 				}, nil
 			} else {
 				log.Warnf("canceling previous waiting execution")
-				s.oauthAuthFlow.waitCancel()
+				if s.oauthAuthFlow.waitCancel != nil {
+					s.oauthAuthFlow.waitCancel()
+				}
 			}
 		}
 
@@ -389,7 +391,7 @@ func (s *Server) Up(callerCtx context.Context, _ *proto.UpRequest) (*proto.UpRes
 	}
 
 	go func() {
-		if err := internal.RunClient(ctx, s.config, s.statusRecorder, nil, nil); err != nil {
+		if err := internal.RunClient(ctx, s.config, s.statusRecorder, nil, nil, nil); err != nil {
 			log.Errorf("run client connection: %v", err)
 			return
 		}

client/system/info.go

@@ -43,6 +43,15 @@ func extractUserAgent(ctx context.Context) string {
 	return ""
 }
 
+// extractDeviceName extracts device name from context or returns the default system name
+func extractDeviceName(ctx context.Context, defaultName string) string {
+	v, ok := ctx.Value(DeviceNameCtxKey).(string)
+	if !ok {
+		return defaultName
+	}
+	return v
+}
+
 // GetDesktopUIUserAgent returns the Desktop ui user agent
 func GetDesktopUIUserAgent() string {
 	return "netbird-desktop-ui/" + version.NetbirdVersion()

client/system/info_android.go

@@ -24,21 +24,13 @@ func GetInfo(ctx context.Context) *Info {
 	}
 
 	gio := &Info{Kernel: kernel, Core: osVersion(), Platform: "unknown", OS: "android", OSVersion: osVersion(), GoOS: runtime.GOOS, CPUs: runtime.NumCPU()}
-	gio.Hostname = extractDeviceName(ctx)
+	gio.Hostname = extractDeviceName(ctx, "android")
 	gio.WiretrusteeVersion = version.NetbirdVersion()
 	gio.UIVersion = extractUserAgent(ctx)
 
 	return gio
 }
 
-func extractDeviceName(ctx context.Context) string {
-	v, ok := ctx.Value(DeviceNameCtxKey).(string)
-	if !ok {
-		return "android"
-	}
-	return v
-}
-
 func uname() []string {
 	res := run("/system/bin/uname", "-a")
 	return strings.Split(res, " ")

client/system/info_darwin.go

@@ -32,7 +32,8 @@ func GetInfo(ctx context.Context) *Info {
 		swVersion = []byte(release)
 	}
 	gio := &Info{Kernel: sysName, OSVersion: strings.TrimSpace(string(swVersion)), Core: release, Platform: machine, OS: sysName, GoOS: runtime.GOOS, CPUs: runtime.NumCPU()}
-	gio.Hostname, _ = os.Hostname()
+	systemHostname, _ := os.Hostname()
+	gio.Hostname = extractDeviceName(ctx, systemHostname)
 	gio.WiretrusteeVersion = version.NetbirdVersion()
 	gio.UIVersion = extractUserAgent(ctx)
 

client/system/info_freebsd.go

@@ -24,7 +24,8 @@ func GetInfo(ctx context.Context) *Info {
 	osStr = strings.Replace(osStr, "\r\n", "", -1)
 	osInfo := strings.Split(osStr, " ")
 	gio := &Info{Kernel: osInfo[0], Core: osInfo[1], Platform: runtime.GOARCH, OS: osInfo[2], GoOS: runtime.GOOS, CPUs: runtime.NumCPU()}
-	gio.Hostname, _ = os.Hostname()
+	systemHostname, _ := os.Hostname()
+	gio.Hostname = extractDeviceName(ctx, systemHostname)
 	gio.WiretrusteeVersion = version.NetbirdVersion()
 	gio.UIVersion = extractUserAgent(ctx)
 

client/system/info_linux.go

@@ -50,7 +50,8 @@ func GetInfo(ctx context.Context) *Info {
 		osName = osInfo[3]
 	}
 	gio := &Info{Kernel: osInfo[0], Core: osInfo[1], Platform: osInfo[2], OS: osName, OSVersion: osVer, GoOS: runtime.GOOS, CPUs: runtime.NumCPU()}
-	gio.Hostname, _ = os.Hostname()
+	systemHostname, _ := os.Hostname()
+	gio.Hostname = extractDeviceName(ctx, systemHostname)
 	gio.WiretrusteeVersion = version.NetbirdVersion()
 	gio.UIVersion = extractUserAgent(ctx)
 

client/system/info_test.go

@@ -24,3 +24,12 @@ func Test_UIVersion(t *testing.T) {
 	got := GetInfo(ctx)
 	assert.Equal(t, want, got.UIVersion)
 }
+
+func Test_CustomHostname(t *testing.T) {
+	// nolint
+	ctx := context.WithValue(context.Background(), DeviceNameCtxKey, "custom-host")
+	want := "custom-host"
+
+	got := GetInfo(ctx)
+	assert.Equal(t, want, got.Hostname)
+}

client/system/info_windows.go

@@ -16,7 +16,8 @@ import (
 func GetInfo(ctx context.Context) *Info {
 	ver := getOSVersion()
 	gio := &Info{Kernel: "windows", OSVersion: ver, Core: ver, Platform: "unknown", OS: "windows", GoOS: runtime.GOOS, CPUs: runtime.NumCPU()}
-	gio.Hostname, _ = os.Hostname()
+	systemHostname, _ := os.Hostname()
+	gio.Hostname = extractDeviceName(ctx, systemHostname)
 	gio.WiretrusteeVersion = version.NetbirdVersion()
 	gio.UIVersion = extractUserAgent(ctx)
 

go.mod

@@ -1,11 +1,11 @@
 module github.com/netbirdio/netbird
 
-go 1.19
+go 1.20
 
 require (
 	github.com/cenkalti/backoff/v4 v4.1.3
 	github.com/golang-jwt/jwt v3.2.2+incompatible
-	github.com/golang/protobuf v1.5.2
+	github.com/golang/protobuf v1.5.3
 	github.com/google/uuid v1.3.0
 	github.com/gorilla/mux v1.8.0
 	github.com/kardianos/service v1.2.1-0.20210728001519-a323c3813bc7
@@ -18,17 +18,16 @@ require (
 	github.com/spf13/pflag v1.0.5
 	github.com/vishvananda/netlink v1.1.0
 	golang.org/x/crypto v0.7.0
-	golang.org/x/sys v0.6.0
+	golang.org/x/sys v0.8.0
 	golang.zx2c4.com/wireguard v0.0.0-20230223181233-21636207a675
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20211215182854-7a385b3431de
-	golang.zx2c4.com/wireguard/windows v0.5.1
+	golang.zx2c4.com/wireguard/windows v0.5.3
 	google.golang.org/grpc v1.52.3
-	google.golang.org/protobuf v1.28.1
+	google.golang.org/protobuf v1.30.0
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0
 )
 
 require (
-	codeberg.org/ac/base62 v0.0.0-20210305150220-e793b546833a
 	fyne.io/fyne/v2 v2.1.4
 	github.com/c-robinson/iplib v1.0.3
 	github.com/coreos/go-iptables v0.6.0
@@ -37,16 +36,19 @@ require (
 	github.com/getlantern/systray v1.2.1
 	github.com/gliderlabs/ssh v0.3.4
 	github.com/godbus/dbus/v5 v5.1.0
+	github.com/golang/mock v1.6.0
 	github.com/google/go-cmp v0.5.9
+	github.com/google/gopacket v1.1.19
 	github.com/google/nftables v0.0.0-20220808154552-2eca00135732
 	github.com/hashicorp/go-secure-stdlib/base62 v0.1.2
 	github.com/hashicorp/go-version v1.6.0
 	github.com/libp2p/go-netroute v0.2.0
 	github.com/magiconair/properties v1.8.5
 	github.com/mattn/go-sqlite3 v1.14.16
+	github.com/mdlayher/socket v0.4.0
 	github.com/miekg/dns v1.1.43
 	github.com/mitchellh/hashstructure/v2 v2.0.2
-	github.com/open-policy-agent/opa v0.49.0
+	github.com/okta/okta-sdk-golang/v2 v2.18.0
 	github.com/patrickmn/go-cache v2.1.0+incompatible
 	github.com/pion/logging v0.2.2
 	github.com/pion/stun v0.4.0
@@ -55,26 +57,27 @@ require (
 	github.com/rs/xid v1.3.0
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966
 	github.com/stretchr/testify v1.8.1
+	go.opentelemetry.io/otel v1.11.1
 	go.opentelemetry.io/otel/exporters/prometheus v0.33.0
 	go.opentelemetry.io/otel/metric v0.33.0
 	go.opentelemetry.io/otel/sdk/metric v0.33.0
+	goauthentik.io/api/v3 v3.2023051.3
 	golang.org/x/exp v0.0.0-20220518171630-0b5c67f07fdf
-	golang.org/x/net v0.8.0
+	golang.org/x/net v0.10.0
 	golang.org/x/sync v0.1.0
-	golang.org/x/term v0.6.0
+	golang.org/x/term v0.8.0
 	gopkg.in/yaml.v3 v3.0.1
 )
 
 require (
-	github.com/BurntSushi/toml v0.4.1 // indirect
-	github.com/OneOfOne/xxhash v1.2.8 // indirect
+	github.com/BurntSushi/toml v1.2.1 // indirect
 	github.com/XiaoMi/pegasus-go-client v0.0.0-20210427083443-f3b6b08bc4c2 // indirect
-	github.com/agnivade/levenshtein v1.1.1 // indirect
 	github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bradfitz/gomemcache v0.0.0-20220106215444-fb4bf637b56d // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/dgraph-io/ristretto v0.1.1 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/fredbi/uri v0.0.0-20181227131451-3dcfdacbaaf3 // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
@@ -84,23 +87,20 @@ require (
 	github.com/getlantern/hex v0.0.0-20190417191902-c6586a6fe0b7 // indirect
 	github.com/getlantern/hidden v0.0.0-20190325191715-f02dbb02be55 // indirect
 	github.com/getlantern/ops v0.0.0-20190325191751-d70cb0d6f85f // indirect
-	github.com/ghodss/yaml v1.0.0 // indirect
 	github.com/go-gl/gl v0.0.0-20210813123233-e4099ee2221f // indirect
 	github.com/go-gl/glfw/v3.3/glfw v0.0.0-20211024062804-40e447a793be // indirect
 	github.com/go-logr/logr v1.2.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-redis/redis/v8 v8.11.5 // indirect
 	github.com/go-stack/stack v1.8.0 // indirect
-	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/goki/freetype v0.0.0-20181231101311-fa8a33aabaff // indirect
-	github.com/google/gopacket v1.1.19 // indirect
 	github.com/hashicorp/go-uuid v1.0.2 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
-	github.com/josharian/native v0.0.0-20200817173448-b6b71def0850 // indirect
+	github.com/josharian/native v1.0.0 // indirect
+	github.com/kelseyhightower/envconfig v1.4.0 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
 	github.com/mdlayher/genetlink v1.1.0 // indirect
-	github.com/mdlayher/netlink v1.4.2 // indirect
-	github.com/mdlayher/socket v0.0.0-20211102153432-57e3fa563ecb // indirect
+	github.com/mdlayher/netlink v1.7.1 // indirect
 	github.com/nxadm/tail v1.4.8 // indirect
 	github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c // indirect
 	github.com/pegasus-kv/thrift v0.13.0 // indirect
@@ -113,26 +113,25 @@ require (
 	github.com/prometheus/client_model v0.3.0 // indirect
 	github.com/prometheus/common v0.37.0 // indirect
 	github.com/prometheus/procfs v0.8.0 // indirect
-	github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 // indirect
 	github.com/rogpeppe/go-internal v1.8.0 // indirect
 	github.com/spf13/cast v1.5.0 // indirect
 	github.com/srwiley/oksvg v0.0.0-20200311192757-870daf9aa564 // indirect
 	github.com/srwiley/rasterx v0.0.0-20200120212402-85cb7272f5e9 // indirect
-	github.com/tchap/go-patricia/v2 v2.3.1 // indirect
-	github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df // indirect
-	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
-	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
-	github.com/yashtewari/glob-intersection v0.1.0 // indirect
+	github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 // indirect
 	github.com/yuin/goldmark v1.4.13 // indirect
-	go.opentelemetry.io/otel v1.11.1 // indirect
 	go.opentelemetry.io/otel/sdk v1.11.1 // indirect
 	go.opentelemetry.io/otel/trace v1.11.1 // indirect
-	golang.org/x/image v0.0.0-20200430140353-33d19683fad8 // indirect
+	golang.org/x/image v0.5.0 // indirect
 	golang.org/x/mod v0.8.0 // indirect
-	golang.org/x/text v0.8.0 // indirect
+	golang.org/x/oauth2 v0.8.0 // indirect
+	golang.org/x/text v0.9.0 // indirect
+	golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect
 	golang.org/x/tools v0.6.0 // indirect
-	golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 // indirect
+	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
+	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20221118155620-16455021b5e6 // indirect
+	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
+	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/tomb.v2 v2.0.0-20161208151619-d5d1b5820637 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
@@ -143,3 +142,5 @@ require (
 replace github.com/kardianos/service => github.com/netbirdio/service v0.0.0-20230215170314-b923b89432b0
 
 replace github.com/getlantern/systray => github.com/netbirdio/systray v0.0.0-20221012095658-dc8eda872c0c
+
+replace golang.zx2c4.com/wireguard => github.com/netbirdio/wireguard-go v0.0.0-20230524172305-5a498a82b33f

go.sum

@@ -1,3 +1,4 @@
+bazil.org/fuse v0.0.0-20200407214033-5883e5a4b512/go.mod h1:FbcW6z/2VytnFDhZfumh8Ss8zxHE6qpMP5sHTRe0EaM=
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
@@ -19,6 +20,7 @@ cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvf
 cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg=
 cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc=
 cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ=
+cloud.google.com/go/compute/metadata v0.2.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
 cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
 cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
 cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
@@ -30,27 +32,33 @@ cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0Zeo
 cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk=
 cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
 cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
-codeberg.org/ac/base62 v0.0.0-20210305150220-e793b546833a h1:U6cY/g6VSiy59vuvnBU6J/eSir0qVg4BeTnCDLaX+20=
-codeberg.org/ac/base62 v0.0.0-20210305150220-e793b546833a/go.mod h1:ykEpkLT4JtH3I4Rb4gwkDsNLfgUg803qRDeIX88t3e8=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 fyne.io/fyne/v2 v2.1.4 h1:bt1+28++kAzRzPB0GM2EuSV4cnl8rXNX4cjfd8G06Rc=
 fyne.io/fyne/v2 v2.1.4/go.mod h1:p+E/Dh+wPW8JwR2DVcsZ9iXgR9ZKde80+Y+40Is54AQ=
+github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI=
+github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0=
+github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA=
+github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
+github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
+github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc=
+github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/BurntSushi/toml v0.4.1 h1:GaI7EiDXDRfa8VshkTj7Fym7ha+y8/XxIgD2okUIjLw=
 github.com/BurntSushi/toml v0.4.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
+github.com/BurntSushi/toml v1.2.1 h1:9F2/+DoOYIOksmaJFPw1tGFy1eDnIJXg+UHjuD8lTak=
+github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/Kodeworks/golang-image-ico v0.0.0-20141118225523-73f0f4cfade9/go.mod h1:7uhhqiBaR4CpN0k9rMjOtjpcfGd6DG2m04zQxKnWQ0I=
+github.com/Microsoft/go-winio v0.4.16-0.20201130162521-d1ffc52c7331/go.mod h1:XB6nPKklQyQ7GC9LdcBEcBl8PF76WugXOPRXwdLnMv0=
+github.com/Microsoft/go-winio v0.5.1/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84=
+github.com/Microsoft/hcsshim v0.8.14/go.mod h1:NtVKoYxQuTLx6gEq0L96c9Ju4JbRJ4nY2ow3VK6a9Lg=
 github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
-github.com/OneOfOne/xxhash v1.2.8 h1:31czK/TI9sNkxIKfaUfGlU47BAxQ0ztGgd9vPyqimf8=
-github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q=
+github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
 github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
 github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
 github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
 github.com/XiaoMi/pegasus-go-client v0.0.0-20210427083443-f3b6b08bc4c2 h1:pami0oPhVosjOu/qRHepRmdjD6hGILF7DBr+qQZeP10=
 github.com/XiaoMi/pegasus-go-client v0.0.0-20210427083443-f3b6b08bc4c2/go.mod h1:jNIx5ykW1MroBuaTja9+VpglmaJOUzezumfhLlER3oY=
-github.com/agnivade/levenshtein v1.1.1 h1:QY8M92nrzkmr798gCo3kmMyqXFzdQVpxLlGPRBij0P8=
-github.com/agnivade/levenshtein v1.1.1/go.mod h1:veldBMzWxcCG2ZvUTKD2kJNRdCk5hVbJomOvKkmgYbo=
 github.com/akavel/rsrc v0.8.0/go.mod h1:uLoCtb9J+EyAqh+26kdrTgmzRBFPGOolLWKpdxkKq+c=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
@@ -60,37 +68,71 @@ github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk5
 github.com/allegro/bigcache/v3 v3.0.2 h1:AKZCw+5eAaVyNTBmI2fgyPVJhHkdWder3O9IrprcQfI=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
-github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q=
-github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE=
+github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
+github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
 github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
+github.com/bazelbuild/rules_go v0.30.0/go.mod h1:MC23Dc/wkXEyk3Wpq6lCqz0ZAYOZDw2DR5y3N1q2i7M=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bradfitz/gomemcache v0.0.0-20220106215444-fb4bf637b56d h1:pVrfxiGfwelyab6n21ZBkbkmbevaf+WvMIiR7sr97hw=
 github.com/bradfitz/gomemcache v0.0.0-20220106215444-fb4bf637b56d/go.mod h1:H0wQNHz2YrLsuXOZozoeDmnHXkNCRmMW0gwFWDfEZDA=
-github.com/bytecodealliance/wasmtime-go/v3 v3.0.2 h1:3uZCA/BLTIu+DqCfguByNMJa2HVHpXvjfy0Dy7g6fuA=
 github.com/c-robinson/iplib v1.0.3 h1:NG0UF0GoEsrC1/vyfX1Lx2Ss7CySWl3KqqXh3q4DdPU=
 github.com/c-robinson/iplib v1.0.3/go.mod h1:i3LuuFL1hRT5gFpBRnEydzw8R6yhGkF4szNDIbF8pgo=
+github.com/cenkalti/backoff v1.1.1-0.20190506075156-2146c9339422/go.mod h1:b6Nc7NRH5C4aCISLry0tLnTjcuTEvoiqcWDdsU0sOGM=
 github.com/cenkalti/backoff/v4 v4.1.0/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw=
 github.com/cenkalti/backoff/v4 v4.1.3 h1:cFAlzYUlVYDysBEH2T5hyJZMh3+5+WCBvSnK6Q8UtC4=
 github.com/cenkalti/backoff/v4 v4.1.3/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
-github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=
+github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cbYE=
 github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
+github.com/cilium/ebpf v0.0.0-20200110133405-4032b1d8aae3/go.mod h1:MA5e5Lr8slmEg9bt0VpxxWqJlO4iwu3FBdHUzV7wQVg=
+github.com/cilium/ebpf v0.4.0/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
 github.com/cilium/ebpf v0.5.0/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
 github.com/cilium/ebpf v0.7.0/go.mod h1:/oI2+1shJiTGAMgl6/RgJr36Eo1jzrRcAWbcXO2usCA=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
+github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
+github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI=
+github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
+github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
+github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
+github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
+github.com/containerd/cgroups v0.0.0-20200531161412-0dbf7f05ba59/go.mod h1:pA0z1pT8KYB3TCXK/ocprsh7MAkoW8bZVzPdih9snmM=
+github.com/containerd/cgroups v1.0.1/go.mod h1:0SJrPIenamHDcZhEcJMNBB85rHcUsw4f25ZfBiPYRkU=
+github.com/containerd/console v0.0.0-20180822173158-c12b1e7919c1/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw=
+github.com/containerd/console v1.0.1/go.mod h1:XUsP6YE/mKtz6bxc+I8UiKKTP04qjQL4qcS3XoQ5xkw=
+github.com/containerd/containerd v1.3.2/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
+github.com/containerd/containerd v1.4.12/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
+github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
+github.com/containerd/continuity v0.2.1/go.mod h1:wCYX+dRqZdImhGucXOqTQn05AhX6EUDaGEMUzTFFpLg=
+github.com/containerd/fifo v0.0.0-20190226154929-a9fb20d87448/go.mod h1:ODA38xgv3Kuk8dQz2ZQXpnv/UZZUHUCL7pnLehbXgQI=
+github.com/containerd/fifo v1.0.0/go.mod h1:ocF/ME1SX5b1AOlWi9r677YJmCPSwwWnQ9O123vzpE4=
+github.com/containerd/go-runc v0.0.0-20180907222934-5a6d9f37cfa3/go.mod h1:IV7qH3hrUgRmyYrtgEeGWJfWbgcHL9CSRruz2Vqcph0=
+github.com/containerd/go-runc v1.0.0/go.mod h1:cNU0ZbCgCQVZK4lgG3P+9tn9/PaJNmoDXPpoJhDR+Ok=
+github.com/containerd/ttrpc v0.0.0-20190828154514-0e0f228740de/go.mod h1:PvCDdDGpgqzQIzDW1TphrGLssLDZp2GuS+X5DkEJB8o=
+github.com/containerd/ttrpc v1.0.2/go.mod h1:UAxOpgT9ziI0gJrmKvgcZivgxOp8iFPSk8httJEt98Y=
+github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd/go.mod h1:Cm3kwCdlkCfMSHURc+r6fwoGH6/F1hH3S4sg0rLFWPc=
+github.com/containerd/typeurl v1.0.2/go.mod h1:9trJWW2sRlGub4wZJRTW83VtbOLS6hwcDZXTn6oPz9s=
 github.com/coocood/freecache v1.2.1 h1:/v1CqMq45NFH9mp/Pt142reundeBM0dVUD3osQBeu/U=
+github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
+github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/go-iptables v0.6.0 h1:is9qnZMPYjLd8LYqmm/qlE+wwEgJIkTYdhV3rfZo4jk=
 github.com/coreos/go-iptables v0.6.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
+github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
+github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
+github.com/coreos/go-systemd/v22 v22.0.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk=
+github.com/coreos/go-systemd/v22 v22.1.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk=
+github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
+github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
 github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
+github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
 github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
@@ -99,15 +141,18 @@ github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/dgraph-io/badger/v3 v3.2103.5 h1:ylPa6qzbjYRQMU6jokoj4wzcaweHylt//CH0AKt0akg=
 github.com/dgraph-io/ristretto v0.1.1 h1:6CWw5tJNgpegArSHpNHJKldNeq03FQCwYvfMVWajOK8=
+github.com/dgraph-io/ristretto v0.1.1/go.mod h1:S1GPSBCYCIhmVNfcth17y2zZtQT6wzkzgwUve0VDWWA=
+github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
+github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
-github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48 h1:fRzb/w+pyskVMQ+UbP35JkH8yB7MYb4q/qhBarqZE6g=
-github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA=
+github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
+github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
 github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo=
+github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/eko/gocache/v3 v3.1.1 h1:r3CBwLnqPkcK56h9Do2CWw1kZ4TeKK0wDE1Oo/YZnhs=
 github.com/eko/gocache/v3 v3.1.1/go.mod h1:UpP/LyHAioP/a/dizgl0MpgZ3A3CkS4NbG/mWkGTQ9M=
 github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
@@ -116,12 +161,14 @@ github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
+github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
+github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ=
+github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw=
 github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g=
-github.com/foxcpp/go-mockdns v0.0.0-20210729171921-fb145fc6f897 h1:E52jfcE64UG42SwLmrW0QByONfGynWuzBvm86BoB9z8=
 github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=
 github.com/frankban/quicktest v1.14.3 h1:FJKSZTDHjyhriyC81FLQ0LY93eSai0ZyR/ZIkd3ZUKE=
 github.com/fredbi/uri v0.0.0-20181227131451-3dcfdacbaaf3 h1:FDqhDm7pcsLhhWl1QtD8vlzI4mm59llRvNzrFg6/LAA=
@@ -144,7 +191,6 @@ github.com/getlantern/hidden v0.0.0-20190325191715-f02dbb02be55/go.mod h1:6mmzY2
 github.com/getlantern/ops v0.0.0-20190325191751-d70cb0d6f85f h1:wrYrQttPS8FHIRSlsrcuKazukx/xqO/PpLZzZXsF+EA=
 github.com/getlantern/ops v0.0.0-20190325191751-d70cb0d6f85f/go.mod h1:D5ao98qkA6pxftxoqzibIBBrLSUli+kYnJqrgBf9cIA=
 github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI=
 github.com/gin-gonic/gin v1.5.0/go.mod h1:Nd6IXA8m5kNZdNEHMBd93KT+mdY3+bewLgRvmCsR2Do=
@@ -189,14 +235,15 @@ github.com/go-redis/redis/v8 v8.11.5/go.mod h1:gREzHqY1hg6oD9ngVRbLStwAWKhA0FEgq
 github.com/go-stack/stack v1.8.0 h1:5SgMzNM5HxrEjV0ww2lTmX6E2Izsfxas4+YHWRs3Lsk=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
-github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
-github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
+github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
 github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/gofrs/flock v0.8.0/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
+github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
 github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
-github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/goki/freetype v0.0.0-20181231101311-fa8a33aabaff h1:W71vTCKoxtdXgnm1ECDFkfQnpdqAO00zzGXLA5yaEX8=
 github.com/goki/freetype v0.0.0-20181231101311-fa8a33aabaff/go.mod h1:wfqRWLHRBsRgkp5dmbG56SA0DmVtwrF5N3oPdI8t+Aw=
@@ -205,10 +252,10 @@ github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzq
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/glog v1.0.0 h1:nfP3RFugxnNRyKgeWd4oI1nYvXpxrx8ck8ZrcizshdQ=
 github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
@@ -217,6 +264,7 @@ github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt
 github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
 github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4=
 github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
+github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
 github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
@@ -233,12 +281,13 @@ github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QD
 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
-github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM=
+github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
+github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
-github.com/google/flatbuffers v1.12.1 h1:MVlul7pQNoDzWRLTw5imwYsl+usrS1TXG2H4jg6ImGw=
+github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4=
+github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
@@ -247,9 +296,11 @@ github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI=
@@ -270,6 +321,7 @@ github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hf
 github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
+github.com/google/subcommands v1.0.2-0.20190508160503-636abe8753b8/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3yTrtFlrHVk=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
@@ -277,12 +329,22 @@ github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
+github.com/googleapis/gnostic v0.4.0/go.mod h1:on+2t9HRStVgn95RSsFWFz+6Q0Snyqv1awfrALZdbtU=
 github.com/googleapis/gnostic v0.5.1/go.mod h1:6U4PtQXGIEt/Z3h5MAT7FNofLnw9vXk2cUuW7uA/OeU=
 github.com/googleapis/gnostic v0.5.5/go.mod h1:7+EbHbldMins07ALC74bsA81Ovc97DwqyJO1AENw9kA=
+github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8=
 github.com/gopherjs/gopherjs v0.0.0-20220410123724-9e86199038b0 h1:fWY+zXdWhvWndXqnMj4SyC/vi8sK508OjhGCtMzsA9M=
 github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI=
 github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
+github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
 github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
+github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
+github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
+github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
+github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
+github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
+github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA=
 github.com/hashicorp/go-secure-stdlib/base62 v0.1.2 h1:ET4pqyjiGmY09R5y+rSd70J2w45CtbWDNvGqWp/R3Ng=
 github.com/hashicorp/go-secure-stdlib/base62 v0.1.2/go.mod h1:EdWO6czbmthiwZ3/PUsDV+UD1D5IRU4ActiaWGwt0Yw=
 github.com/hashicorp/go-uuid v1.0.2 h1:cfejS+Tpcp13yd5nYHWDI6qVCny6wyX2Mt5SGur2IGE=
@@ -291,16 +353,21 @@ github.com/hashicorp/go-version v1.6.0 h1:feTTfFNnjP967rlCxM/I9g701jU+RN74YKx2mO
 github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
+github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
+github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
+github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/jackmordaunt/icns v0.0.0-20181231085925-4f16af745526/go.mod h1:UQkeMHVoNcyXYq9otUupF7/h/2tmHlhrS2zw7ZVvUqc=
+github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
 github.com/josephspurrier/goversioninfo v0.0.0-20200309025242-14b0ab84c6ca/go.mod h1:eJTEwMjXb7kZ633hO3Ln9mBUCOjX2+FlTljvpl9SYdE=
-github.com/josharian/native v0.0.0-20200817173448-b6b71def0850 h1:uhL5Gw7BINiiPAo24A2sxkcDI0Jt/sqp1v5xQCniEFA=
 github.com/josharian/native v0.0.0-20200817173448-b6b71def0850/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
+github.com/josharian/native v1.0.0 h1:Ts/E8zCSEsG17dUqv7joXJFybuMLjQfWE04tsBODTxk=
+github.com/josharian/native v1.0.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
 github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
 github.com/jsimonetti/rtnetlink v0.0.0-20190606172950-9527aa82566a/go.mod h1:Oz+70psSo5OFh8DBl0Zv2ACw7Esh6pPUphlvZG9x7uw=
 github.com/jsimonetti/rtnetlink v0.0.0-20200117123717-f846d4f6c1f4/go.mod h1:WGuG/smIU4J/54PblvSbh+xvCZmpJnFgr3ds6Z55XMQ=
@@ -310,7 +377,6 @@ github.com/jsimonetti/rtnetlink v0.0.0-20201220180245-69540ac93943/go.mod h1:z4c
 github.com/jsimonetti/rtnetlink v0.0.0-20210122163228-8d122574c736/go.mod h1:ZXpIyOK59ZnN7J0BV99cZUPmsqDRZ3eq5X+st7u/oSA=
 github.com/jsimonetti/rtnetlink v0.0.0-20210212075122-66c871082f2b/go.mod h1:8w9Rh8m+aHZIG69YPGGem1i5VzoyRC8nw2kA8B+ik5U=
 github.com/jsimonetti/rtnetlink v0.0.0-20210525051524-4cc836578190/go.mod h1:NmKSdU4VGSiv1bMsdqNALI4RSvvjtz65tTMCnD05qLo=
-github.com/jsimonetti/rtnetlink v0.0.0-20211022192332-93da33804786 h1:N527AHMa793TP5z5GNAn/VLPzlc0ewzWdeP/25gDfgQ=
 github.com/jsimonetti/rtnetlink v0.0.0-20211022192332-93da33804786/go.mod h1:v4hqbTdfQngbVSZJVWUhGE/lbTFf9jb+ygmNUDQMuOs=
 github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
@@ -324,11 +390,14 @@ github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/X
 github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo=
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
 github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
+github.com/kelseyhightower/envconfig v1.4.0 h1:Im6hONhd3pLkfDFsbRgu68RDNkGF1r3dvMUtDTo2cv8=
+github.com/kelseyhightower/envconfig v1.4.0/go.mod h1:cccZRl6mQpaq41TPp5QxidR+Sa3axMbJDNb//FQX6Gg=
+github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
 github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.13.6 h1:P76CopJELS0TiO2mebmnzgWaajssP/EszplttgQxcgc=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
@@ -336,6 +405,7 @@ github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfn
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/pty v1.1.4-0.20190131011033-7dc38fb350b1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
@@ -343,11 +413,13 @@ github.com/leodido/go-urn v1.1.0/go.mod h1:+cyI34gQWZcE1eQU7NVgKkkzdXDQHr1dBMtdA
 github.com/libp2p/go-netroute v0.2.0 h1:0FpsbsvuSnAhXFnCY0VLFbJOzaK0VnP0r1QT/o4nWRE=
 github.com/libp2p/go-netroute v0.2.0/go.mod h1:Vio7LTzZ+6hoT4CMZi5/6CpY3Snzh2vgZhWgxMNwlQI=
 github.com/lucor/goinfo v0.0.0-20210802170112-c078a2b0f08b/go.mod h1:PRq09yoB+Q2OJReAmwzKivcYyremnibWGbK7WfftHzc=
+github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/magiconair/properties v1.8.5 h1:b6kJs+EmPFMYGkow9GiUyCyOvIwYetYJ3fSaWak/Gls=
 github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60=
 github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/mattbaird/jsonpatch v0.0.0-20171005235357-81af80346b1a/go.mod h1:M1qoD/MqPgTZIk0EWKB38wE28ACRfVcn+cU08jyArI0=
 github.com/mattn/go-isatty v0.0.9/go.mod h1:YNRxwqDuOph6SZLI9vUUz6OYw3QyUt7WiY2yME+cCiQ=
 github.com/mattn/go-sqlite3 v1.14.16 h1:yOQRA0RpS5PFz/oikGwBEqvAWhWg5ufRz4ETLjwpU1Y=
 github.com/mattn/go-sqlite3 v1.14.16/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg=
@@ -355,7 +427,6 @@ github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5
 github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
 github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
 github.com/mdlayher/ethtool v0.0.0-20210210192532-2b88debcdd43/go.mod h1:+t7E0lkKfbBsebllff1xdTmyJt8lH37niI6kwFk9OTo=
-github.com/mdlayher/ethtool v0.0.0-20211028163843-288d040e9d60 h1:tHdB+hQRHU10CfcK0furo6rSNgZ38JT8uPh70c/pFD8=
 github.com/mdlayher/ethtool v0.0.0-20211028163843-288d040e9d60/go.mod h1:aYbhishWc4Ai3I2U4Gaa2n3kHWSwzme6EsG/46HRQbE=
 github.com/mdlayher/genetlink v1.0.0/go.mod h1:0rJ0h4itni50A86M2kHcgS85ttZazNt7a8H2a2cw0Gc=
 github.com/mdlayher/genetlink v1.1.0 h1:k2YQT3959rJOF7gOvhdfQ0lut7QMIZiuVlJANheoZ+E=
@@ -370,16 +441,19 @@ github.com/mdlayher/netlink v1.2.2-0.20210123213345-5cc92139ae3e/go.mod h1:bacnN
 github.com/mdlayher/netlink v1.3.0/go.mod h1:xK/BssKuwcRXHrtN04UBkwQ6dY9VviGGuriDdoPSWys=
 github.com/mdlayher/netlink v1.4.0/go.mod h1:dRJi5IABcZpBD2A3D0Mv/AiX8I9uDEu5oGkAVrekmf8=
 github.com/mdlayher/netlink v1.4.1/go.mod h1:e4/KuJ+s8UhfUpO9z00/fDZZmhSrs+oxyqAS9cNgn6Q=
-github.com/mdlayher/netlink v1.4.2 h1:3sbnJWe/LETovA7yRZIX3f9McVOWV3OySH6iIBxiFfI=
 github.com/mdlayher/netlink v1.4.2/go.mod h1:13VaingaArGUTUxFLf/iEovKxXji32JAtF858jZYEug=
+github.com/mdlayher/netlink v1.7.1 h1:FdUaT/e33HjEXagwELR8R3/KL1Fq5x3G5jgHLp/BTmg=
+github.com/mdlayher/netlink v1.7.1/go.mod h1:nKO5CSjE/DJjVhk/TNp6vCE1ktVxEA8VEh8drhZzxsQ=
 github.com/mdlayher/socket v0.0.0-20210307095302-262dc9984e00/go.mod h1:GAFlyu4/XV68LkQKYzKhIo/WW7j3Zi0YRAz/BOoanUc=
 github.com/mdlayher/socket v0.0.0-20211007213009-516dcbdf0267/go.mod h1:nFZ1EtZYK8Gi/k6QNu7z7CgO20i/4ExeQswwWuPmG/g=
-github.com/mdlayher/socket v0.0.0-20211102153432-57e3fa563ecb h1:2dC7L10LmTqlyMVzFJ00qM25lqESg9Z4u3GuEXN5iHY=
 github.com/mdlayher/socket v0.0.0-20211102153432-57e3fa563ecb/go.mod h1:nFZ1EtZYK8Gi/k6QNu7z7CgO20i/4ExeQswwWuPmG/g=
+github.com/mdlayher/socket v0.4.0 h1:280wsy40IC9M9q1uPGcLBwXpcTQDtoGwVt+BNoITxIw=
+github.com/mdlayher/socket v0.4.0/go.mod h1:xxFqz5GRCUN3UEOm9CZqEJsAbe1C8OwSK46NlmWuVoc=
 github.com/miekg/dns v1.1.43 h1:JKfpVSCB84vrAmHzyrsxB5NAr5kLoMXZArPSw7Qlgyg=
 github.com/miekg/dns v1.1.43/go.mod h1:+evo5L0630/F6ca/Z9+GAqzhjGyn8/c+TBaOyfEl0V4=
 github.com/mikioh/ipaddr v0.0.0-20190404000644-d465c8ab6721 h1:RlZweED6sbSArvlE924+mUcZuXKLBHA35U7LN621Bws=
 github.com/mikioh/ipaddr v0.0.0-20190404000644-d465c8ab6721/go.mod h1:Ickgr2WtCLZ2MDGd4Gr0geeCH5HybhRJbonOgQpvSxc=
+github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/hashstructure/v2 v2.0.2 h1:vGKWl0YJqUNxE8d+h8f6NJLcCJrgbhC4NcD46KavDd4=
 github.com/mitchellh/hashstructure/v2 v2.0.2/go.mod h1:MG3aRVU/N29oo/V/IhBX8GR/zz4kQkprJgF2EVszyDE=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
@@ -390,6 +464,7 @@ github.com/modern-go/reflect2 v0.0.0-20180320133207-05fbef0ca5da/go.mod h1:bx2lN
 github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/mohae/deepcopy v0.0.0-20170308212314-bb9b5e7adda9/go.mod h1:TaXosZuwdSHYgviHp1DAtfrULt5eUgsSMsZf+YrPgl8=
 github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
@@ -398,13 +473,19 @@ github.com/netbirdio/service v0.0.0-20230215170314-b923b89432b0 h1:hirFRfx3grVA/
 github.com/netbirdio/service v0.0.0-20230215170314-b923b89432b0/go.mod h1:CIMRFEJVL+0DS1a3Nx06NaMn4Dz63Ng6O7dl0qH0zVM=
 github.com/netbirdio/systray v0.0.0-20221012095658-dc8eda872c0c h1:wK/s4nyZj/GF/kFJQjX6nqNfE0G3gcqd6hhnPCyp4sw=
 github.com/netbirdio/systray v0.0.0-20221012095658-dc8eda872c0c/go.mod h1:AecygODWIsBquJCJFop8MEQcJbWFfw/1yWbVabNgpCM=
+github.com/netbirdio/wireguard-go v0.0.0-20230524172305-5a498a82b33f h1:WQXGYCKPkNs1KusFTLieV73UVTNfZVyez4CFRvlOruM=
+github.com/netbirdio/wireguard-go v0.0.0-20230524172305-5a498a82b33f/go.mod h1:tqur9LnfstdR9ep2LaJT4lFUl0EjlHtge+gAjmsHUG4=
 github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646/go.mod h1:jpp1/29i3P1S/RLdc7JQKbRpFeM1dOBd8T9ki5s+AY8=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
 github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
 github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
+github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
+github.com/okta/okta-sdk-golang/v2 v2.18.0 h1:cfDasMb7CShbZvOrF6n+DnLevWwiHgedWMGJ8M8xKDc=
+github.com/okta/okta-sdk-golang/v2 v2.18.0/go.mod h1:dz30v3ctAiMb7jpsCngGfQUAEGm1/NsWT92uTbNDQIs=
 github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.8.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
 github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY=
@@ -414,20 +495,26 @@ github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042
 github.com/onsi/ginkgo/v2 v2.0.0 h1:CcuG/HvWNkkaqCUpJifQY8z7qEMBJya6aLPx6ftGyjQ=
 github.com/onsi/ginkgo/v2 v2.0.0/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c=
 github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
+github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
 github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY=
 github.com/onsi/gomega v1.18.1 h1:M1GfJqGRrBrrGGsbxzV5dqM2U2ApXefZCQpkukxYRLE=
 github.com/onsi/gomega v1.18.1/go.mod h1:0q+aL8jAiMXy9hbwj2mr5GziHiwhAIQpFmmtT5hitRs=
-github.com/open-policy-agent/opa v0.49.0 h1:TIlpCT1B5FSm8Dqo/a4t23gKmHkQysC3+7W77F99P4k=
-github.com/open-policy-agent/opa v0.49.0/go.mod h1:WTLWtu498/QNTDkiHx76Xj7jaJUPvLJAPtdMkCcst0w=
+github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
+github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
+github.com/opencontainers/runc v0.0.0-20190115041553-12f6a991201f/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
+github.com/opencontainers/runtime-spec v1.0.2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/runtime-spec v1.0.3-0.20211123151946-c2389c3cb60a/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c h1:rp5dCmg/yLR3mgFuSOe4oEnDDmGLROTvMragMUXpTQw=
 github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c/go.mod h1:X07ZCGwUbLaax7L0S3Tw4hpejzu63ZrrQiUe6W0hcy0=
 github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaRUnok+kx1WdO15EQc=
 github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
 github.com/pegasus-kv/thrift v0.13.0 h1:4ESwaNoHImfbHa9RUGJiJZ4hrxorihZHk5aarYwY8d4=
 github.com/pegasus-kv/thrift v0.13.0/go.mod h1:Gl9NT/WHG6ABm6NsrbfE8LiJN0sAyneCrvB4qN4NPqQ=
+github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
+github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
 github.com/pion/dtls/v2 v2.2.6 h1:yXMxKr0Skd+Ub6A8UqXTRLSywskx93ooMRHsQUtd+Z4=
 github.com/pion/dtls/v2 v2.2.6/go.mod h1:t8fWJCIquY5rlQZwA2yWxUS1+OCrAdXrhVKXB5oD/wY=
 github.com/pion/ice/v2 v2.3.1 h1:FQCmUfZe2Jpe7LYStVBOP6z1DiSzbIateih3TztgTjc=
@@ -456,6 +543,7 @@ github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
+github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
 github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
 github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M=
 github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=
@@ -468,21 +556,27 @@ github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:
 github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.3.0 h1:UBgGFHqYdG/TPFD1B1ogZywDqEkwp3fBMvqdiQ7Xew4=
 github.com/prometheus/client_model v0.3.0/go.mod h1:LDGWKZIo7rky3hgvBe+caln+Dr3dPggB5dvjtD7w9+w=
+github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
+github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo=
 github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc=
 github.com/prometheus/common v0.32.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls=
 github.com/prometheus/common v0.37.0 h1:ccBbHCgIiT9uSoFY0vX8H3zsNR5eLt17/RQLUvn8pXE=
 github.com/prometheus/common v0.37.0/go.mod h1:phzohg0JFMnBEFGxTDbfu3QyL5GI8gTQJFhYO5B3mfA=
+github.com/prometheus/procfs v0.0.0-20180125133057-cb4147076ac7/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
+github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
+github.com/prometheus/procfs v0.0.0-20190522114515-bc1a522cf7b1/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
 github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
 github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
 github.com/prometheus/procfs v0.8.0 h1:ODq8ZFEaYeCaZOJlZZdJA2AbQR98dSHSM1KW/You5mo=
 github.com/prometheus/procfs v0.8.0/go.mod h1:z7EfXMXOkbkqb9IINtpCn86r/to3BnA0uaxHdg830/4=
-github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 h1:MkV+77GLUNo5oJ0jf870itWm3D0Sjh7+Za9gazKc5LQ=
-github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
+github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
+github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
+github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.8.0 h1:FCbCCtXNOY3UtUuHUYaghJg4y7Fd14rXifAYUAtL9R8=
 github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE=
@@ -494,24 +588,33 @@ github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQD
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
+github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
+github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
 github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 h1:JIAuq3EEf9cgbU6AtGPK4CTG3Zf6CKMNqf0MHTggAUA=
 github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966/go.mod h1:sUM3LWHvSMaG192sy56D9F7CNvL7jUJVXoqM1QKLnog=
 github.com/smartystreets/assertions v1.13.0 h1:Dx1kYM01xsSqKPno3aqLnrwac2LetPvN23diwyr69Qs=
 github.com/smartystreets/goconvey v1.7.2 h1:9RBaZCeXEQ3UselpuwUQHltGVXvdwm6cv1hgR6gDIPg=
+github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM=
+github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
 github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
+github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
 github.com/spf13/cast v1.5.0 h1:rj3WzYc11XZaIZMPKmwP96zkFEnnAmV8s6XbB2aY32w=
 github.com/spf13/cast v1.5.0/go.mod h1:SpXXQ5YoyJw6s3/6cMTQuxvgRl3PCJiyaX9p6b155UU=
+github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE=
 github.com/spf13/cobra v1.6.1 h1:o94oiPyS4KD1mPy2fmcYYHHfCxLqYjJOhGsCHFZtEzA=
 github.com/spf13/cobra v1.6.1/go.mod h1:IOw/AERYS7UzyrGinqmz6HLUo219MORXGxhbaJUqzrY=
+github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
 github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE=
 github.com/srwiley/oksvg v0.0.0-20200311192757-870daf9aa564 h1:HunZiaEKNGVdhTRQOVpMmj5MQnGnv+e8uZNu3xFLgyM=
 github.com/srwiley/oksvg v0.0.0-20200311192757-870daf9aa564/go.mod h1:afMbS0qvv1m5tfENCwnOdZGOF8RGR/FsZ7bvBxQGZG4=
 github.com/srwiley/rasterx v0.0.0-20200120212402-85cb7272f5e9 h1:m59mIOBO4kfcNCEzJNy71UkeF4XIx2EVmL9KLwDQdmM=
@@ -526,26 +629,28 @@ github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXf
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/tchap/go-patricia/v2 v2.3.1 h1:6rQp39lgIYZ+MHmdEq4xzuk1t7OdC35z/xm0BGhTkes=
-github.com/tchap/go-patricia/v2 v2.3.1/go.mod h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwDlLElMsnSHD4k=
+github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
+github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
+github.com/tv42/httpunix v0.0.0-20191220191345-2ba4b9c3382c/go.mod h1:hzIxponao9Kjc7aWznkXaL4U4TWaDSs8zcsY4Ka08nM=
+github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc=
 github.com/ugorji/go v1.1.7/go.mod h1:kZn38zHttfInRq0xu/PH0az30d+z6vm202qpg1oXVMw=
 github.com/ugorji/go/codec v1.1.7/go.mod h1:Ax+UKWsSmolVDwsd+7N3ZtXu+yMGCf907BLYF3GoBXY=
+github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
 github.com/urfave/cli/v2 v2.3.0/go.mod h1:LJmUH05zAU44vOAcrfzZQKsZbVcdbOG8rtL3/XcUArI=
+github.com/vishvananda/netlink v1.0.1-0.20190930145447-2ec5bdc52b86/go.mod h1:+SR5DhBJrl6ZM7CoCKvpw5BKroDKQ+PJqOg65H/2ktk=
 github.com/vishvananda/netlink v1.1.0 h1:1iyaYNBLmP6L0220aDnYQpo1QEV4t4hJ+xEEhhJH8j0=
 github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE=
-github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df h1:OviZH7qLw/7ZovXvuNyL3XQl8UFofeikI1NW1Gypu7k=
 github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU=
-github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo=
-github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
-github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0=
-github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
-github.com/yashtewari/glob-intersection v0.1.0 h1:6gJvMYQlTDOL3dMsPF6J0+26vwX9MB8/1q3uAdhmTrg=
-github.com/yashtewari/glob-intersection v0.1.0/go.mod h1:LK7pIC3piUjovexikBbJ26Yml7g8xa5bsjfx2v1fwok=
+github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 h1:gga7acRE695APm9hlsSMoOoE65U4/TcqNj90mc69Rlg=
+github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
+github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
+github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
@@ -556,12 +661,13 @@ github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1
 github.com/yuin/goldmark v1.4.1/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.13 h1:fVcFKWvrslecOb/tg+Cc05dkeYx540o0FuFt3nUVDoE=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
-go.opencensus.io v0.23.0 h1:gqCw0LfLxScz8irSi8exQc7fyQ0fKQU/qnC/X8+V/1M=
+go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
 go.opentelemetry.io/otel v1.11.1 h1:4WLLAmcfkmDk2ukNXJyq3/kiz/3UzCaYq6PskJsaou4=
 go.opentelemetry.io/otel v1.11.1/go.mod h1:1nNhXBbWSD0nsL38H6btgnFN2k4i0sNLHNNMZMSbUGE=
 go.opentelemetry.io/otel/exporters/prometheus v0.33.0 h1:xXhPj7SLKWU5/Zd4Hxmd+X1C4jdmvc0Xy+kvjFx2z60=
@@ -574,17 +680,25 @@ go.opentelemetry.io/otel/sdk/metric v0.33.0 h1:oTqyWfksgKoJmbrs2q7O7ahkJzt+Ipeki
 go.opentelemetry.io/otel/sdk/metric v0.33.0/go.mod h1:xdypMeA21JBOvjjzDUtD0kzIcHO/SPez+a8HOzJPGp0=
 go.opentelemetry.io/otel/trace v1.11.1 h1:ofxdnzsNrGBYXbP7t7zpUK281+go5rF7dvdIZXF8gdQ=
 go.opentelemetry.io/otel/trace v1.11.1/go.mod h1:f/Q9G7vzk5u91PhbmKbg1Qn0rzH1LJ4vbPHFGkTPtOk=
+go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
+go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
+go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
+go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
+goauthentik.io/api/v3 v3.2023051.3 h1:NebAhD/TeTWNo/9X3/Uj+rM5fG1HaiLOlKTNLQv9Qq4=
+goauthentik.io/api/v3 v3.2023051.3/go.mod h1:nYECml4jGbp/541hj8GcylKQG1gVBsKppHy4+7G8u4U=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20211202192323-5770296d904e/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.5.0/go.mod h1:NK/OQwhpMQP3MwtdjgLlYHnH9ebylxKWv3e0fK+mkQU=
+golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
 golang.org/x/crypto v0.7.0 h1:AvwMYaRytfdeVt3u6mLaxYtErKYjxA2OXjJ1HHq6t3A=
 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -601,8 +715,9 @@ golang.org/x/exp v0.0.0-20220518171630-0b5c67f07fdf h1:oXVg4h2qJDd9htKxb5SCpFBHL
 golang.org/x/exp v0.0.0-20220518171630-0b5c67f07fdf/go.mod h1:yh0Ynu2b5ZUe3MQfp2nM0ecK7wsgouWTDN0FNeJuIys=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/image v0.0.0-20200430140353-33d19683fad8 h1:6WW6V3x1P/jokJBpRQYUJnMHRP6isStQwCozxnU7XQw=
 golang.org/x/image v0.0.0-20200430140353-33d19683fad8/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
+golang.org/x/image v0.5.0 h1:5JMiNunQeQw++mMOz48/ISeNu3Iweh/JaZU8ZLqHRrI=
+golang.org/x/image v0.5.0/go.mod h1:FVC7BI/5Ym8R25iw5OLsgshdUBbT1h5jZTpA+mvAdZ4=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -613,6 +728,7 @@ golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHl
 golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs=
 golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
+golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
 golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
 golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
@@ -623,6 +739,7 @@ golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
+golang.org/x/mod v0.6.0-dev/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0 h1:LUYupSeNrTNCGzR/hVBk2NHZO4hXcVaW1k4Qx7rjPx8=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
@@ -631,12 +748,14 @@ golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73r
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -676,7 +795,6 @@ golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20210928044308-7d9f5e0b762b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211020060615-d418f374d309/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20211111083644-e5c967477495/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211201190559-0a0e4e1bb54c/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211208012354-db4efeb81f4b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
@@ -686,16 +804,20 @@ golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
 golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.8.0 h1:Zrh2ngAOFYneWTAIAPethzeaQLuHwhuBkuV6ZiRnUaQ=
-golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
+golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20211005180243-6b3c2da341f1/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
+golang.org/x/oauth2 v0.8.0 h1:6dkIjl3j3LtZ/O3sTgZTMsLKSftL/B8Zgq4huOIIUu8=
+golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -714,7 +836,9 @@ golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190411185658-b44545bcd369/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -734,14 +858,19 @@ golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191010194322-b09406accb47/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191022100944-742c48ecaeb7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191210023423-ac6580df4449/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200120151820-655fe14d7479/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200217220822-9197077df867/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -754,11 +883,13 @@ golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200916030750-2334cc1a136f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201009025420-dfb3f7c4e634/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201015000850-e3ed0017c211/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201118182958-a01c418693c7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201218084310-7d0127a74742/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210110051926-789bb1bd4061/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -784,7 +915,6 @@ golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211103235746-7861aae1554b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211110154304-99a53858aa08/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211205182925-97ca703d548d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211214234402-4825e8c3871d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -794,19 +924,21 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20221010170243-090e33056c14/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ=
-golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.1-0.20230222185716-a3b23cc77e89/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.6.0 h1:clScbb1cHjoCkyRbWwBEUZ5H/tIFu5TAXIqaZD0Gcjw=
-golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
+golang.org/x/term v0.8.0 h1:n5xxQn2i3PC0yLAbjTpNT85q/Kgzcr2gIoX9OrJUols=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -819,11 +951,14 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.8.0 h1:57P1ETyNKtuIjB4SRd15iJxuhj8Gc416Y78H3qgMh68=
-golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE=
+golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac h1:7zkz7BUtwNFFqcowJ+RIgu2MaV/MapERkDIy+mwPyjs=
+golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -871,9 +1006,11 @@ golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc
 golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
+golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo=
 golang.org/x/tools v0.1.8/go.mod h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU=
+golang.org/x/tools v0.1.9/go.mod h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0 h1:BOw41kyTf3PuCW1pVQf8+Cyg8pMlkYB1oo9iJ6D/lKM=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
@@ -881,16 +1018,12 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.zx2c4.com/go118/netip v0.0.0-20211111135330-a4a02eeacf9d/go.mod h1:5yyfuiqVIJ7t+3MqrpTQ+QqRkMWiESiyDvPNvKYCecg=
-golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 h1:Ug9qvr1myri/zFN6xL17LSCBGFDnphBBhzmILHsM5TY=
-golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
-golang.zx2c4.com/wireguard v0.0.0-20211129173154-2dd424e2d808/go.mod h1:TjUWrnD5ATh7bFvmm/ALEJZQ4ivKbETb6pmyj1vUoNI=
-golang.zx2c4.com/wireguard v0.0.0-20230223181233-21636207a675 h1:/J/RVnr7ng4fWPRH3xa4WtBJ1Jp+Auu4YNLmGiPv5QU=
-golang.zx2c4.com/wireguard v0.0.0-20230223181233-21636207a675/go.mod h1:whfbyDBt09xhCYQWtO2+3UVjlaq6/9hDZrjg2ZE6SyA=
+golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeunTOisW56dUokqW/FOteYJJ/yg=
+golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20211215182854-7a385b3431de h1:qDZ+lyO5jC9RNJ7ANJA0GWXk3pSn0Fu5SlcAIlgw+6w=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20211215182854-7a385b3431de/go.mod h1:Q2XNgour4QSkFj0BWCkVlW0HWJwQgNMsMahpSlI0Eno=
-golang.zx2c4.com/wireguard/windows v0.5.1 h1:OnYw96PF+CsIMrqWo5QP3Q59q5hY1rFErk/yN3cS+JQ=
-golang.zx2c4.com/wireguard/windows v0.5.1/go.mod h1:EApyTk/ZNrkbZjurHL1nleDYnsPpJYBO7LZEBCyDAHk=
+golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus8eIuExIE=
+golang.zx2c4.com/wireguard/windows v0.5.3/go.mod h1:9TEe8TJmtwyQebdFwAkEWOPr3prrtqm+REGFifP60hI=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
 google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
@@ -913,6 +1046,8 @@ google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7
 google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
 google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
+google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
+google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
@@ -926,6 +1061,7 @@ google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvx
 google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
 google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
 google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20200117163144-32f20d992d24/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
 google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
 google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA=
 google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
@@ -936,6 +1072,7 @@ google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfG
 google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
 google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA=
@@ -943,12 +1080,15 @@ google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6D
 google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20210722135532-667f2b7c528f/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48=
 google.golang.org/genproto v0.0.0-20221118155620-16455021b5e6 h1:a2S6M0+660BgMNl++4JPlcAO/CjkqYItDEZwkoDQK7c=
 google.golang.org/genproto v0.0.0-20221118155620-16455021b5e6/go.mod h1:rZS5c/ZVYMaOGBfO68GWtjOw/eLaZM1X6iVtgjZ+EWg=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
+google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
+google.golang.org/grpc v1.23.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
 google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
@@ -957,6 +1097,11 @@ google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKa
 google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
 google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
+google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0=
+google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
+google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
+google.golang.org/grpc v1.39.0/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE=
+google.golang.org/grpc v1.51.0-dev/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
 google.golang.org/grpc v1.52.3 h1:pf7sOysg4LdgBqduXveGKrcEwbStiK2rtfghdzlUYDQ=
 google.golang.org/grpc v1.52.3/go.mod h1:pu6fVzoFb+NBYNAvQL08ic+lvB2IojljRYuun5vorUY=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
@@ -972,14 +1117,16 @@ google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlba
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w=
-google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng=
+google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/go-playground/assert.v1 v1.2.1/go.mod h1:9RXL0bg/zibRAgZUYszZSwO/z8Y/a8bDuhia5mkpMnE=
@@ -987,10 +1134,14 @@ gopkg.in/go-playground/validator.v9 v9.29.1/go.mod h1:+c9/zcJMFNgbLvly1L1V+PpxWd
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/natefinch/lumberjack.v2 v2.0.0 h1:1Lc07Kr7qY4U2YPouBjpCLxpiyxIVoxqXgkXLknAOE8=
 gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k=
+gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
+gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
+gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/tomb.v2 v2.0.0-20161208151619-d5d1b5820637 h1:yiW+nvdHb9LVqSHQBXfZCieqV4fzYhNBql77zY0ykqs=
 gopkg.in/tomb.v2 v2.0.0-20161208151619-d5d1b5820637/go.mod h1:BHsqpu/nsuzkT5BpiH1EMZPLyqSMM8JbIavyFACoFNk=
+gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
@@ -1005,6 +1156,10 @@ gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
+gotest.tools/v3 v3.4.0/go.mod h1:CtbdzLSsqVhDgMtKsx03ird5YTGB3ar27v0u/yKBW5g=
+gvisor.dev/gvisor v0.0.0-20221203005347-703fd9b7fbc0 h1:Wobr37noukisGxpKo5jAsLREcpj61RxrWYzD8uwveOY=
+gvisor.dev/gvisor v0.0.0-20221203005347-703fd9b7fbc0/go.mod h1:Dn5idtptoW1dIos9U6A2rpebLs/MtTwFacjKb8jLdQA=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
@@ -1015,18 +1170,25 @@ honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9
 honnef.co/go/tools v0.2.1/go.mod h1:lPVVZ2BS5TfnjLyizF7o7hv7j9/L+8cZY2hLyjP9cGY=
 honnef.co/go/tools v0.2.2 h1:MNh1AVMyVX23VUHE2O27jm6lNj3vjO5DexS4A1xvnzk=
 honnef.co/go/tools v0.2.2/go.mod h1:lPVVZ2BS5TfnjLyizF7o7hv7j9/L+8cZY2hLyjP9cGY=
+k8s.io/api v0.16.13/go.mod h1:QWu8UWSTiuQZMMeYjwLs6ILu5O74qKSJ0c+4vrchDxs=
 k8s.io/apimachinery v0.0.0-20191123233150-4c4803ed55e3/go.mod h1:b9qmWdKlLuU9EBh+06BtLcSf/Mu89rWL33naRxs1uZg=
+k8s.io/apimachinery v0.16.13/go.mod h1:4HMHS3mDHtVttspuuhrJ1GGr/0S9B6iWYWZ57KnnZqQ=
+k8s.io/apimachinery v0.16.14-rc.0/go.mod h1:4HMHS3mDHtVttspuuhrJ1GGr/0S9B6iWYWZ57KnnZqQ=
 k8s.io/apimachinery v0.23.5 h1:Va7dwhp8wgkUPWsEXk6XglXWU4IKYLKNlv8VkX7SDM0=
 k8s.io/apimachinery v0.23.5/go.mod h1:BEuFMMBaIbcOqVIJqNZJXGFTP4W6AycEpb5+m/97hrM=
+k8s.io/client-go v0.16.13/go.mod h1:UKvVT4cajC2iN7DCjLgT0KVY/cbY6DGdUCyRiIfws5M=
 k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
 k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
+k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
 k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
 k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
 k8s.io/klog/v2 v2.30.0/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
 k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a/go.mod h1:1TqjTSzOxsLGIKfj0lK8EeCP7K1iUG65v09OM0/WG5E=
+k8s.io/kube-openapi v0.0.0-20200410163147-594e756bea31/go.mod h1:1TqjTSzOxsLGIKfj0lK8EeCP7K1iUG65v09OM0/WG5E=
 k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65/go.mod h1:sX9MT8g7NVZM5lVL/j8QyCCJe8YSMW30QvGZWaCIDIk=
+k8s.io/utils v0.0.0-20190801114015-581e00157fb1/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
 k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 k8s.io/utils v0.0.0-20211116205334-6203023598ed/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=

iface/bind/bind.go

@@ -1,98 +1,132 @@
 package bind
 
 import (
-	"errors"
 	"fmt"
 	"net"
-	"net/netip"
+	"runtime"
 	"sync"
-	"syscall"
 
 	"github.com/pion/stun"
 	"github.com/pion/transport/v2"
 	log "github.com/sirupsen/logrus"
-	"golang.zx2c4.com/wireguard/conn"
+	"golang.org/x/net/ipv4"
+	wgConn "golang.zx2c4.com/wireguard/conn"
 )
 
-// ICEBind is the userspace implementation of WireGuard's conn.Bind interface using ice.UDPMux of the pion/ice library
-type ICEBind struct {
-	// below fields, initialized on open
-	ipv4   net.PacketConn
-	udpMux *UniversalUDPMuxDefault
-
-	// below are fields initialized on creation
-	transportNet transport.Net
-	mu           sync.Mutex
+type receiverCreator struct {
+	iceBind *ICEBind
+}
+
+func (rc receiverCreator) CreateIPv4ReceiverFn(msgPool *sync.Pool, pc *ipv4.PacketConn, conn *net.UDPConn) wgConn.ReceiveFunc {
+	return rc.iceBind.createIPv4ReceiverFn(msgPool, pc, conn)
+}
+
+type ICEBind struct {
+	*wgConn.StdNetBind
+
+	muUDPMux sync.Mutex
+
+	transportNet transport.Net
+	udpMux       *UniversalUDPMuxDefault
 }
 
-// NewICEBind create a new instance of ICEBind with a given transportNet function.
-// The transportNet can be nil.
 func NewICEBind(transportNet transport.Net) *ICEBind {
-	return &ICEBind{
+	ib := &ICEBind{
 		transportNet: transportNet,
-		mu:           sync.Mutex{},
 	}
+
+	rc := receiverCreator{
+		ib,
+	}
+	ib.StdNetBind = wgConn.NewStdNetBindWithReceiverCreator(rc)
+	return ib
 }
 
 // GetICEMux returns the ICE UDPMux that was created and used by ICEBind
-func (b *ICEBind) GetICEMux() (*UniversalUDPMuxDefault, error) {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	if b.udpMux == nil {
+func (s *ICEBind) GetICEMux() (*UniversalUDPMuxDefault, error) {
+	s.muUDPMux.Lock()
+	defer s.muUDPMux.Unlock()
+	if s.udpMux == nil {
 		return nil, fmt.Errorf("ICEBind has not been initialized yet")
 	}
 
-	return b.udpMux, nil
+	return s.udpMux, nil
 }
 
-// Open creates a WireGuard socket and an instance of UDPMux that is used to glue up ICE and WireGuard for hole punching
-func (b *ICEBind) Open(uport uint16) ([]conn.ReceiveFunc, uint16, error) {
-	b.mu.Lock()
-	defer b.mu.Unlock()
+func (s *ICEBind) createIPv4ReceiverFn(ipv4MsgsPool *sync.Pool, pc *ipv4.PacketConn, conn *net.UDPConn) wgConn.ReceiveFunc {
+	s.muUDPMux.Lock()
+	defer s.muUDPMux.Unlock()
 
-	if b.ipv4 != nil {
-		return nil, 0, conn.ErrBindAlreadyOpen
-	}
-
-	var err error
-	b.ipv4, _, err = listenNet("udp4", int(uport))
-	if err != nil && !errors.Is(err, syscall.EAFNOSUPPORT) {
-		return nil, 0, err
-	}
-
-	b.udpMux = NewUniversalUDPMuxDefault(UniversalUDPMuxParams{UDPConn: b.ipv4, Net: b.transportNet})
-
-	portAddr, err := netip.ParseAddrPort(b.ipv4.LocalAddr().String())
-	if err != nil {
-		return nil, 0, err
-	}
-
-	log.Infof("opened ICEBind on %s", b.ipv4.LocalAddr().String())
-
-	return []conn.ReceiveFunc{
-			b.makeReceiveIPv4(b.ipv4),
+	s.udpMux = NewUniversalUDPMuxDefault(
+		UniversalUDPMuxParams{
+			UDPConn: conn,
+			Net:     s.transportNet,
 		},
-		portAddr.Port(), nil
-}
-
-func listenNet(network string, port int) (net.PacketConn, int, error) {
-	c, err := net.ListenUDP(network, &net.UDPAddr{Port: port})
-	if err != nil {
-		return nil, 0, err
-	}
-
-	lAddr := c.LocalAddr()
-	uAddr, err := net.ResolveUDPAddr(
-		lAddr.Network(),
-		lAddr.String(),
 	)
-	if err != nil {
-		return nil, 0, err
+	return func(bufs [][]byte, sizes []int, eps []wgConn.Endpoint) (n int, err error) {
+		msgs := ipv4MsgsPool.Get().(*[]ipv4.Message)
+		defer ipv4MsgsPool.Put(msgs)
+		for i := range bufs {
+			(*msgs)[i].Buffers[0] = bufs[i]
+		}
+		var numMsgs int
+		if runtime.GOOS == "linux" {
+			numMsgs, err = pc.ReadBatch(*msgs, 0)
+			if err != nil {
+				return 0, err
+			}
+		} else {
+			msg := &(*msgs)[0]
+			msg.N, msg.NN, _, msg.Addr, err = conn.ReadMsgUDP(msg.Buffers[0], msg.OOB)
+			if err != nil {
+				return 0, err
+			}
+			numMsgs = 1
+		}
+		for i := 0; i < numMsgs; i++ {
+			msg := &(*msgs)[i]
+
+			// todo: handle err
+			ok, _ := s.filterOutStunMessages(msg.Buffers, msg.N, msg.Addr)
+			if ok {
+				sizes[i] = 0
+			} else {
+				sizes[i] = msg.N
+			}
+
+			addrPort := msg.Addr.(*net.UDPAddr).AddrPort()
+			ep := &wgConn.StdNetEndpoint{AddrPort: addrPort} // TODO: remove allocation
+			wgConn.GetSrcFromControl(msg.OOB[:msg.NN], ep)
+			eps[i] = ep
+		}
+		return numMsgs, nil
 	}
-	return c, uAddr.Port, nil
 }
 
-func parseSTUNMessage(raw []byte) (*stun.Message, error) {
+func (s *ICEBind) filterOutStunMessages(buffers [][]byte, n int, addr net.Addr) (bool, error) {
+	for i := range buffers {
+		if !stun.IsMessage(buffers[i]) {
+			continue
+		}
+
+		msg, err := s.parseSTUNMessage(buffers[i][:n])
+		if err != nil {
+			buffers[i] = []byte{}
+			return true, err
+		}
+
+		muxErr := s.udpMux.HandleSTUNMessage(msg, addr)
+		if muxErr != nil {
+			log.Warnf("failed to handle STUN packet")
+		}
+
+		buffers[i] = []byte{}
+		return true, nil
+	}
+	return false, nil
+}
+
+func (s *ICEBind) parseSTUNMessage(raw []byte) (*stun.Message, error) {
 	msg := &stun.Message{
 		Raw: raw,
 	}
@@ -102,107 +136,3 @@ func parseSTUNMessage(raw []byte) (*stun.Message, error) {
 
 	return msg, nil
 }
-
-func (b *ICEBind) makeReceiveIPv4(c net.PacketConn) conn.ReceiveFunc {
-	return func(buff []byte) (int, conn.Endpoint, error) {
-		n, endpoint, err := c.ReadFrom(buff)
-		if err != nil {
-			return 0, nil, err
-		}
-		e, err := netip.ParseAddrPort(endpoint.String())
-		if err != nil {
-			return 0, nil, err
-		}
-		if !stun.IsMessage(buff) {
-			// WireGuard traffic
-			return n, (conn.StdNetEndpoint)(netip.AddrPortFrom(e.Addr(), e.Port())), nil
-		}
-
-		msg, err := parseSTUNMessage(buff[:n])
-		if err != nil {
-			return 0, nil, err
-		}
-
-		err = b.udpMux.HandleSTUNMessage(msg, endpoint)
-		if err != nil {
-			log.Warnf("failed to handle packet")
-		}
-
-		// discard packets because they are STUN related
-		return 0, nil, nil //todo proper return
-	}
-}
-
-// Close closes the WireGuard socket and UDPMux
-func (b *ICEBind) Close() error {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-
-	var err1, err2 error
-	if b.ipv4 != nil {
-		c := b.ipv4
-		b.ipv4 = nil
-		err1 = c.Close()
-	}
-
-	if b.udpMux != nil {
-		m := b.udpMux
-		b.udpMux = nil
-		err2 = m.Close()
-	}
-
-	if err1 != nil {
-		return err1
-	}
-
-	return err2
-}
-
-// SetMark sets the mark for each packet sent through this Bind.
-// This mark is passed to the kernel as the socket option SO_MARK.
-func (b *ICEBind) SetMark(mark uint32) error {
-	return nil
-}
-
-// Send bytes to the remote endpoint (peer)
-func (b *ICEBind) Send(buff []byte, endpoint conn.Endpoint) error {
-
-	nend, ok := endpoint.(conn.StdNetEndpoint)
-	if !ok {
-		return conn.ErrWrongEndpointType
-	}
-	addrPort := netip.AddrPort(nend)
-	_, err := b.ipv4.WriteTo(buff, &net.UDPAddr{
-		IP:   addrPort.Addr().AsSlice(),
-		Port: int(addrPort.Port()),
-		Zone: addrPort.Addr().Zone(),
-	})
-	return err
-}
-
-// ParseEndpoint creates a new endpoint from a string.
-func (b *ICEBind) ParseEndpoint(s string) (ep conn.Endpoint, err error) {
-	e, err := netip.ParseAddrPort(s)
-	return asEndpoint(e), err
-}
-
-// endpointPool contains a re-usable set of mapping from netip.AddrPort to Endpoint.
-// This exists to reduce allocations: Putting a netip.AddrPort in an Endpoint allocates,
-// but Endpoints are immutable, so we can re-use them.
-var endpointPool = sync.Pool{
-	New: func() any {
-		return make(map[netip.AddrPort]conn.Endpoint)
-	},
-}
-
-// asEndpoint returns an Endpoint containing ap.
-func asEndpoint(ap netip.AddrPort) conn.Endpoint {
-	m := endpointPool.Get().(map[netip.AddrPort]conn.Endpoint)
-	defer endpointPool.Put(m)
-	e, ok := m[ap]
-	if !ok {
-		e = conn.Endpoint(conn.StdNetEndpoint(ap))
-		m[ap] = e
-	}
-	return e
-}

iface/bind/udp_mux_universal.go

@@ -5,6 +5,7 @@ package bind
 */
 
 import (
+	"context"
 	"fmt"
 	"net"
 	"time"
@@ -68,6 +69,39 @@ func NewUniversalUDPMuxDefault(params UniversalUDPMuxParams) *UniversalUDPMuxDef
 	return m
 }
 
+// ReadFromConn reads from the m.params.UDPConn provided upon the creation. It expects STUN packets only, however, will
+// just ignore other packets printing an warning message.
+// It is a blocking method, consider running in a go routine.
+func (m *UniversalUDPMuxDefault) ReadFromConn(ctx context.Context) {
+	buf := make([]byte, 1500)
+	for {
+		select {
+		case <-ctx.Done():
+			log.Debugf("stopped reading from the UDPConn due to finished context")
+			return
+		default:
+			_, a, err := m.params.UDPConn.ReadFrom(buf)
+			if err != nil {
+				log.Errorf("error while reading packet %s", err)
+				continue
+			}
+			msg := &stun.Message{
+				Raw: buf,
+			}
+			err = msg.Decode()
+			if err != nil {
+				log.Warnf("error while parsing STUN message. The packet doesn't seem to be a STUN packet: %s", err)
+				continue
+			}
+
+			err = m.HandleSTUNMessage(msg, a)
+			if err != nil {
+				log.Errorf("error while handling STUn message: %s", err)
+			}
+		}
+	}
+}
+
 // udpConn is a wrapper around UDPMux conn that overrides ReadFrom and handles STUN/TURN packets
 type udpConn struct {
 	net.PacketConn
@@ -75,6 +109,11 @@ type udpConn struct {
 	logger logging.LeveledLogger
 }
 
+// GetSharedConn returns the shared udp conn
+func (m *UniversalUDPMuxDefault) GetSharedConn() net.PacketConn {
+	return m.params.UDPConn
+}
+
 // GetListenAddresses returns the listen addr of this UDP
 func (m *UniversalUDPMuxDefault) GetListenAddresses() []net.Addr {
 	return []net.Addr{m.LocalAddr()}
@@ -170,7 +209,7 @@ func (m *UniversalUDPMuxDefault) GetXORMappedAddr(serverAddr net.Addr, deadline
 
 	// otherwise, make a STUN request to discover the address
 	// or wait for already sent request to complete
-	waitAddrReceived, err := m.sendStun(serverAddr)
+	waitAddrReceived, err := m.sendSTUN(serverAddr)
 	if err != nil {
 		return nil, fmt.Errorf("%s: %s", "failed to send STUN packet", err)
 	}
@@ -179,23 +218,31 @@ func (m *UniversalUDPMuxDefault) GetXORMappedAddr(serverAddr net.Addr, deadline
 	select {
 	case <-waitAddrReceived:
 		// when channel closed, addr was obtained
+		var addr *stun.XORMappedAddress
 		m.mu.Lock()
-		mappedAddr := *m.xorMappedMap[serverAddr.String()]
+		// A very odd case that mappedAddr is nil.
+		// Can happen when the deadline property is larger than params.XORMappedAddrCacheTTL.
+		// Or when we don't receive a response to our m.sendSTUN request (the response is handled asynchronously) and
+		// the XORMapped expires meanwhile triggering a closure of the waitAddrReceived channel.
+		// We protect the code from panic here.
+		if mappedAddr, ok := m.xorMappedMap[serverAddr.String()]; ok {
+			addr = mappedAddr.addr
+		}
 		m.mu.Unlock()
-		if mappedAddr.addr == nil {
+		if addr == nil {
 			return nil, fmt.Errorf("no XOR address mapping")
 		}
-		return mappedAddr.addr, nil
+		return addr, nil
 	case <-time.After(deadline):
 		return nil, fmt.Errorf("timeout while waiting for XORMappedAddr")
 	}
 }
 
-// sendStun sends a STUN request via UDP conn.
+// sendSTUN sends a STUN request via UDP conn.
 //
 // The returned channel is closed when the STUN response has been received.
 // Method is safe for concurrent use.
-func (m *UniversalUDPMuxDefault) sendStun(serverAddr net.Addr) (chan struct{}, error) {
+func (m *UniversalUDPMuxDefault) sendSTUN(serverAddr net.Addr) (chan struct{}, error) {
 	m.mu.Lock()
 	defer m.mu.Unlock()
 

iface/device_wrapper.go

@@ -0,0 +1,90 @@
+package iface
+
+import (
+	"net"
+	"sync"
+
+	"golang.zx2c4.com/wireguard/tun"
+)
+
+// PacketFilter interface for firewall abilities
+type PacketFilter interface {
+	// DropOutgoing filter outgoing packets from host to external destinations
+	DropOutgoing(packetData []byte) bool
+
+	// DropIncoming filter incoming packets from external sources to host
+	DropIncoming(packetData []byte) bool
+
+	// SetNetwork of the wireguard interface to which filtering applied
+	SetNetwork(*net.IPNet)
+}
+
+// DeviceWrapper to override Read or Write of packets
+type DeviceWrapper struct {
+	tun.Device
+	filter PacketFilter
+	mutex  sync.RWMutex
+}
+
+// newDeviceWrapper constructor function
+func newDeviceWrapper(device tun.Device) *DeviceWrapper {
+	return &DeviceWrapper{
+		Device: device,
+	}
+}
+
+// Read wraps read method with filtering feature
+func (d *DeviceWrapper) Read(bufs [][]byte, sizes []int, offset int) (n int, err error) {
+	if n, err = d.Device.Read(bufs, sizes, offset); err != nil {
+		return 0, err
+	}
+	d.mutex.RLock()
+	filter := d.filter
+	d.mutex.RUnlock()
+
+	if filter == nil {
+		return
+	}
+
+	for i := 0; i < n; i++ {
+		if filter.DropOutgoing(bufs[i][offset : offset+sizes[i]]) {
+			bufs = append(bufs[:i], bufs[i+1:]...)
+			sizes = append(sizes[:i], sizes[i+1:]...)
+			n--
+			i--
+		}
+	}
+
+	return n, nil
+}
+
+// Write wraps write method with filtering feature
+func (d *DeviceWrapper) Write(bufs [][]byte, offset int) (int, error) {
+	d.mutex.RLock()
+	filter := d.filter
+	d.mutex.RUnlock()
+
+	if filter == nil {
+		return d.Device.Write(bufs, offset)
+	}
+
+	filteredBufs := make([][]byte, 0, len(bufs))
+	dropped := 0
+	for _, buf := range bufs {
+		if !filter.DropIncoming(buf[offset:]) {
+			filteredBufs = append(filteredBufs, buf)
+			dropped++
+		}
+	}
+
+	n, err := d.Device.Write(filteredBufs, offset)
+	n += dropped
+	return n, err
+}
+
+// SetFiltering sets packet filter to device
+func (d *DeviceWrapper) SetFiltering(filter PacketFilter) {
+	d.mutex.Lock()
+	d.filter = filter
+	d.mutex.Unlock()
+}

iface/device_wrapper_test.go

@@ -0,0 +1,216 @@
+package iface
+
+import (
+	"net"
+	"testing"
+
+	"github.com/golang/mock/gomock"
+	"github.com/google/gopacket"
+	"github.com/google/gopacket/layers"
+	mocks "github.com/netbirdio/netbird/iface/mocks"
+)
+
+func TestDeviceWrapperRead(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+
+	tun := mocks.NewMockDevice(ctrl)
+	filter := mocks.NewMockPacketFilter(ctrl)
+
+	mockBufs := [][]byte{{}}
+	mockSizes := []int{0}
+	mockOffset := 0
+
+	t.Run("read ICMP", func(t *testing.T) {
+		ipLayer := &layers.IPv4{
+			Version:  4,
+			TTL:      64,
+			Protocol: layers.IPProtocolICMPv4,
+			SrcIP:    net.IP{192, 168, 0, 1},
+			DstIP:    net.IP{100, 200, 0, 1},
+		}
+
+		icmpLayer := &layers.ICMPv4{
+			TypeCode: layers.CreateICMPv4TypeCode(layers.ICMPv4TypeEchoRequest, 0),
+			Id:       1,
+			Seq:      1,
+		}
+
+		buffer := gopacket.NewSerializeBuffer()
+		err := gopacket.SerializeLayers(buffer, gopacket.SerializeOptions{},
+			ipLayer,
+			icmpLayer,
+		)
+		if err != nil {
+			t.Errorf("serialize packet: %v", err)
+			return
+		}
+
+		tun.EXPECT().Read(mockBufs, mockSizes, mockOffset).
+			DoAndReturn(func(bufs [][]byte, sizes []int, offset int) (int, error) {
+				bufs[0] = buffer.Bytes()
+				sizes[0] = len(bufs[0])
+				return 1, nil
+			})
+
+		wrapped := newDeviceWrapper(tun)
+
+		bufs := [][]byte{{}}
+		sizes := []int{0}
+		offset := 0
+
+		n, err := wrapped.Read(bufs, sizes, offset)
+		if err != nil {
+			t.Errorf("unexpeted error: %v", err)
+			return
+		}
+		if n != 1 {
+			t.Errorf("expected n=1, got %d", n)
+			return
+		}
+	})
+
+	t.Run("write TCP", func(t *testing.T) {
+		ipLayer := &layers.IPv4{
+			Version:  4,
+			TTL:      64,
+			Protocol: layers.IPProtocolICMPv4,
+			SrcIP:    net.IP{100, 200, 0, 9},
+			DstIP:    net.IP{100, 200, 0, 10},
+		}
+
+		// create TCP layer packet
+		tcpLayer := &layers.TCP{
+			SrcPort: layers.TCPPort(34423),
+			DstPort: layers.TCPPort(8080),
+		}
+
+		buffer := gopacket.NewSerializeBuffer()
+		err := gopacket.SerializeLayers(buffer, gopacket.SerializeOptions{},
+			ipLayer,
+			tcpLayer,
+		)
+		if err != nil {
+			t.Errorf("serialize packet: %v", err)
+			return
+		}
+
+		mockBufs[0] = buffer.Bytes()
+		tun.EXPECT().Write(mockBufs, 0).Return(1, nil)
+
+		wrapped := newDeviceWrapper(tun)
+
+		bufs := [][]byte{buffer.Bytes()}
+
+		n, err := wrapped.Write(bufs, 0)
+		if err != nil {
+			t.Errorf("unexpeted error: %v", err)
+			return
+		}
+		if n != 1 {
+			t.Errorf("expected n=1, got %d", n)
+			return
+		}
+	})
+
+	t.Run("drop write UDP package", func(t *testing.T) {
+		ipLayer := &layers.IPv4{
+			Version:  4,
+			TTL:      64,
+			Protocol: layers.IPProtocolICMPv4,
+			SrcIP:    net.IP{100, 200, 0, 11},
+			DstIP:    net.IP{100, 200, 0, 20},
+		}
+
+		// create TCP layer packet
+		tcpLayer := &layers.UDP{
+			SrcPort: layers.UDPPort(27278),
+			DstPort: layers.UDPPort(53),
+		}
+
+		buffer := gopacket.NewSerializeBuffer()
+		err := gopacket.SerializeLayers(buffer, gopacket.SerializeOptions{},
+			ipLayer,
+			tcpLayer,
+		)
+		if err != nil {
+			t.Errorf("serialize packet: %v", err)
+			return
+		}
+
+		mockBufs = [][]byte{}
+
+		tun.EXPECT().Write(mockBufs, 0).Return(0, nil)
+		filter.EXPECT().DropOutput(gomock.Any()).Return(true)
+
+		wrapped := newDeviceWrapper(tun)
+		wrapped.filter = filter
+
+		bufs := [][]byte{buffer.Bytes()}
+
+		n, err := wrapped.Write(bufs, 0)
+		if err != nil {
+			t.Errorf("unexpeted error: %v", err)
+			return
+		}
+		if n != 0 {
+			t.Errorf("expected n=1, got %d", n)
+			return
+		}
+	})
+
+	t.Run("drop read UDP package", func(t *testing.T) {
+		ipLayer := &layers.IPv4{
+			Version:  4,
+			TTL:      64,
+			Protocol: layers.IPProtocolICMPv4,
+			SrcIP:    net.IP{100, 200, 0, 11},
+			DstIP:    net.IP{100, 200, 0, 20},
+		}
+
+		// create TCP layer packet
+		tcpLayer := &layers.UDP{
+			SrcPort: layers.UDPPort(19243),
+			DstPort: layers.UDPPort(1024),
+		}
+
+		buffer := gopacket.NewSerializeBuffer()
+		err := gopacket.SerializeLayers(buffer, gopacket.SerializeOptions{},
+			ipLayer,
+			tcpLayer,
+		)
+		if err != nil {
+			t.Errorf("serialize packet: %v", err)
+			return
+		}
+
+		mockBufs := [][]byte{{}}
+		mockSizes := []int{0}
+		mockOffset := 0
+
+		tun.EXPECT().Read(mockBufs, mockSizes, mockOffset).
+			DoAndReturn(func(bufs [][]byte, sizes []int, offset int) (int, error) {
+				bufs[0] = buffer.Bytes()
+				sizes[0] = len(bufs[0])
+				return 1, nil
+			})
+		filter.EXPECT().DropInput(gomock.Any()).Return(true)
+
+		wrapped := newDeviceWrapper(tun)
+		wrapped.filter = filter
+
+		bufs := [][]byte{{}}
+		sizes := []int{0}
+		offset := 0
+
+		n, err := wrapped.Read(bufs, sizes, offset)
+		if err != nil {
+			t.Errorf("unexpeted error: %v", err)
+			return
+		}
+		if n != 0 {
+			t.Errorf("expected n=0, got %d", n)
+			return
+		}
+	})
+}

iface/iface.go

@@ -1,6 +1,7 @@
 package iface
 
 import (
+	"fmt"
 	"net"
 	"sync"
 	"time"
@@ -118,3 +119,17 @@ func (w *WGIface) Close() error {
 	defer w.mu.Unlock()
 	return w.tun.Close()
 }
+
+// SetFiltering sets packet filters for the userspace impelemntation
+func (w *WGIface) SetFiltering(filter PacketFilter) error {
+	w.mu.Lock()
+	defer w.mu.Unlock()
+
+	if w.tun.wrapper == nil {
+		return fmt.Errorf("userspace packet filtering not handled on this device")
+	}
+
+	filter.SetNetwork(w.tun.address.Network)
+	w.tun.wrapper.SetFiltering(filter)
+	return nil
+}

iface/iface_android.go

@@ -7,7 +7,7 @@ import (
 )
 
 // NewWGIFace Creates a new WireGuard interface instance
-func NewWGIFace(ifaceName string, address string, mtu int, routes []string, tunAdapter TunAdapter, transportNet transport.Net) (*WGIface, error) {
+func NewWGIFace(ifaceName string, address string, mtu int, tunAdapter TunAdapter, transportNet transport.Net) (*WGIface, error) {
 	wgIFace := &WGIface{
 		mu: sync.Mutex{},
 	}
@@ -17,7 +17,7 @@ func NewWGIFace(ifaceName string, address string, mtu int, routes []string, tunA
 		return wgIFace, err
 	}
 
-	tun := newTunDevice(wgAddress, mtu, routes, tunAdapter, transportNet)
+	tun := newTunDevice(wgAddress, mtu, tunAdapter, transportNet)
 	wgIFace.tun = tun
 
 	wgIFace.configurer = newWGConfigurer(tun)
@@ -26,3 +26,8 @@ func NewWGIFace(ifaceName string, address string, mtu int, routes []string, tunA
 
 	return wgIFace, nil
 }
+
+// SetInitialRoutes store the given routes and on the tun creation will be used
+func (w *WGIface) SetInitialRoutes(routes []string) {
+	w.tun.SetRoutes(routes)
+}

iface/iface_nonandroid.go

@@ -9,7 +9,7 @@ import (
 )
 
 // NewWGIFace Creates a new WireGuard interface instance
-func NewWGIFace(iFaceName string, address string, mtu int, routes []string, tunAdapter TunAdapter, transportNet transport.Net) (*WGIface, error) {
+func NewWGIFace(iFaceName string, address string, mtu int, tunAdapter TunAdapter, transportNet transport.Net) (*WGIface, error) {
 	wgIFace := &WGIface{
 		mu: sync.Mutex{},
 	}
@@ -25,3 +25,8 @@ func NewWGIFace(iFaceName string, address string, mtu int, routes []string, tunA
 	wgIFace.userspaceBind = !WireGuardModuleIsLoaded()
 	return wgIFace, nil
 }
+
+// SetInitialRoutes unused function on non Android
+func (w *WGIface) SetInitialRoutes(routes []string) {
+
+}

iface/iface_test.go

@@ -39,7 +39,7 @@ func TestWGIface_UpdateAddr(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	iface, err := NewWGIFace(ifaceName, addr, DefaultMTU, nil, nil, newNet)
+	iface, err := NewWGIFace(ifaceName, addr, DefaultMTU, nil, newNet)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -103,7 +103,7 @@ func Test_CreateInterface(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	iface, err := NewWGIFace(ifaceName, wgIP, DefaultMTU, nil, nil, newNet)
+	iface, err := NewWGIFace(ifaceName, wgIP, DefaultMTU, nil, newNet)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -136,7 +136,7 @@ func Test_Close(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	iface, err := NewWGIFace(ifaceName, wgIP, DefaultMTU, nil, nil, newNet)
+	iface, err := NewWGIFace(ifaceName, wgIP, DefaultMTU, nil, newNet)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -168,7 +168,7 @@ func Test_ConfigureInterface(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	iface, err := NewWGIFace(ifaceName, wgIP, DefaultMTU, nil, nil, newNet)
+	iface, err := NewWGIFace(ifaceName, wgIP, DefaultMTU, nil, newNet)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -219,7 +219,7 @@ func Test_UpdatePeer(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	iface, err := NewWGIFace(ifaceName, wgIP, DefaultMTU, nil, nil, newNet)
+	iface, err := NewWGIFace(ifaceName, wgIP, DefaultMTU, nil, newNet)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -282,7 +282,7 @@ func Test_RemovePeer(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	iface, err := NewWGIFace(ifaceName, wgIP, DefaultMTU, nil, nil, newNet)
+	iface, err := NewWGIFace(ifaceName, wgIP, DefaultMTU, nil, newNet)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -335,7 +335,7 @@ func Test_ConnectPeers(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	iface1, err := NewWGIFace(peer1ifaceName, peer1wgIP, DefaultMTU, nil, nil, newNet)
+	iface1, err := NewWGIFace(peer1ifaceName, peer1wgIP, DefaultMTU, nil, newNet)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -356,7 +356,7 @@ func Test_ConnectPeers(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	iface2, err := NewWGIFace(peer2ifaceName, peer2wgIP, DefaultMTU, nil, nil, newNet)
+	iface2, err := NewWGIFace(peer2ifaceName, peer2wgIP, DefaultMTU, nil, newNet)
 	if err != nil {
 		t.Fatal(err)
 	}

iface/mocks/filter.go

@@ -0,0 +1,75 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/netbirdio/netbird/iface (interfaces: PacketFilter)
+
+// Package mocks is a generated GoMock package.
+package mocks
+
+import (
+	net "net"
+	reflect "reflect"
+
+	gomock "github.com/golang/mock/gomock"
+)
+
+// MockPacketFilter is a mock of PacketFilter interface.
+type MockPacketFilter struct {
+	ctrl     *gomock.Controller
+	recorder *MockPacketFilterMockRecorder
+}
+
+// MockPacketFilterMockRecorder is the mock recorder for MockPacketFilter.
+type MockPacketFilterMockRecorder struct {
+	mock *MockPacketFilter
+}
+
+// NewMockPacketFilter creates a new mock instance.
+func NewMockPacketFilter(ctrl *gomock.Controller) *MockPacketFilter {
+	mock := &MockPacketFilter{ctrl: ctrl}
+	mock.recorder = &MockPacketFilterMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockPacketFilter) EXPECT() *MockPacketFilterMockRecorder {
+	return m.recorder
+}
+
+// DropInput mocks base method.
+func (m *MockPacketFilter) DropOutgoing(arg0 []byte) bool {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "DropOutgoing", arg0)
+	ret0, _ := ret[0].(bool)
+	return ret0
+}
+
+// DropInput indicates an expected call of DropInput.
+func (mr *MockPacketFilterMockRecorder) DropInput(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DropOutgoing", reflect.TypeOf((*MockPacketFilter)(nil).DropOutgoing), arg0)
+}
+
+// DropOutput mocks base method.
+func (m *MockPacketFilter) DropIncoming(arg0 []byte) bool {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "DropIncoming", arg0)
+	ret0, _ := ret[0].(bool)
+	return ret0
+}
+
+// DropOutput indicates an expected call of DropOutput.
+func (mr *MockPacketFilterMockRecorder) DropOutput(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DropIncoming", reflect.TypeOf((*MockPacketFilter)(nil).DropIncoming), arg0)
+}
+
+// SetNetwork mocks base method.
+func (m *MockPacketFilter) SetNetwork(arg0 *net.IPNet) {
+	m.ctrl.T.Helper()
+	m.ctrl.Call(m, "SetNetwork", arg0)
+}
+
+// SetNetwork indicates an expected call of SetNetwork.
+func (mr *MockPacketFilterMockRecorder) SetNetwork(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetNetwork", reflect.TypeOf((*MockPacketFilter)(nil).SetNetwork), arg0)
+}

iface/mocks/tun.go

@@ -0,0 +1,152 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: golang.zx2c4.com/wireguard/tun (interfaces: Device)
+
+// Package mocks is a generated GoMock package.
+package mocks
+
+import (
+	os "os"
+	reflect "reflect"
+
+	gomock "github.com/golang/mock/gomock"
+	tun "golang.zx2c4.com/wireguard/tun"
+)
+
+// MockDevice is a mock of Device interface.
+type MockDevice struct {
+	ctrl     *gomock.Controller
+	recorder *MockDeviceMockRecorder
+}
+
+// MockDeviceMockRecorder is the mock recorder for MockDevice.
+type MockDeviceMockRecorder struct {
+	mock *MockDevice
+}
+
+// NewMockDevice creates a new mock instance.
+func NewMockDevice(ctrl *gomock.Controller) *MockDevice {
+	mock := &MockDevice{ctrl: ctrl}
+	mock.recorder = &MockDeviceMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockDevice) EXPECT() *MockDeviceMockRecorder {
+	return m.recorder
+}
+
+// BatchSize mocks base method.
+func (m *MockDevice) BatchSize() int {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "BatchSize")
+	ret0, _ := ret[0].(int)
+	return ret0
+}
+
+// BatchSize indicates an expected call of BatchSize.
+func (mr *MockDeviceMockRecorder) BatchSize() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "BatchSize", reflect.TypeOf((*MockDevice)(nil).BatchSize))
+}
+
+// Close mocks base method.
+func (m *MockDevice) Close() error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Close")
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// Close indicates an expected call of Close.
+func (mr *MockDeviceMockRecorder) Close() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Close", reflect.TypeOf((*MockDevice)(nil).Close))
+}
+
+// Events mocks base method.
+func (m *MockDevice) Events() <-chan tun.Event {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Events")
+	ret0, _ := ret[0].(<-chan tun.Event)
+	return ret0
+}
+
+// Events indicates an expected call of Events.
+func (mr *MockDeviceMockRecorder) Events() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Events", reflect.TypeOf((*MockDevice)(nil).Events))
+}
+
+// File mocks base method.
+func (m *MockDevice) File() *os.File {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "File")
+	ret0, _ := ret[0].(*os.File)
+	return ret0
+}
+
+// File indicates an expected call of File.
+func (mr *MockDeviceMockRecorder) File() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "File", reflect.TypeOf((*MockDevice)(nil).File))
+}
+
+// MTU mocks base method.
+func (m *MockDevice) MTU() (int, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "MTU")
+	ret0, _ := ret[0].(int)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// MTU indicates an expected call of MTU.
+func (mr *MockDeviceMockRecorder) MTU() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "MTU", reflect.TypeOf((*MockDevice)(nil).MTU))
+}
+
+// Name mocks base method.
+func (m *MockDevice) Name() (string, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Name")
+	ret0, _ := ret[0].(string)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// Name indicates an expected call of Name.
+func (mr *MockDeviceMockRecorder) Name() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Name", reflect.TypeOf((*MockDevice)(nil).Name))
+}
+
+// Read mocks base method.
+func (m *MockDevice) Read(arg0 [][]byte, arg1 []int, arg2 int) (int, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Read", arg0, arg1, arg2)
+	ret0, _ := ret[0].(int)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// Read indicates an expected call of Read.
+func (mr *MockDeviceMockRecorder) Read(arg0, arg1, arg2 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Read", reflect.TypeOf((*MockDevice)(nil).Read), arg0, arg1, arg2)
+}
+
+// Write mocks base method.
+func (m *MockDevice) Write(arg0 [][]byte, arg1 int) (int, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Write", arg0, arg1)
+	ret0, _ := ret[0].(int)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// Write indicates an expected call of Write.
+func (mr *MockDeviceMockRecorder) Write(arg0, arg1 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Write", reflect.TypeOf((*MockDevice)(nil).Write), arg0, arg1)
+}

iface/tun_android.go

@@ -22,18 +22,22 @@ type tunDevice struct {
 	name    string
 	device  *device.Device
 	iceBind *bind.ICEBind
+	wrapper *DeviceWrapper
 }
 
-func newTunDevice(address WGAddress, mtu int, routes []string, tunAdapter TunAdapter, transportNet transport.Net) *tunDevice {
+func newTunDevice(address WGAddress, mtu int, tunAdapter TunAdapter, transportNet transport.Net) *tunDevice {
 	return &tunDevice{
 		address:    address,
 		mtu:        mtu,
-		routes:     routes,
 		tunAdapter: tunAdapter,
 		iceBind:    bind.NewICEBind(transportNet),
 	}
 }
 
+func (t *tunDevice) SetRoutes(routes []string) {
+	t.routes = routes
+}
+
 func (t *tunDevice) Create() error {
 	var err error
 	routesString := t.routesToString()
@@ -49,10 +53,13 @@ func (t *tunDevice) Create() error {
 		return err
 	}
 	t.name = name
+	t.wrapper = newDeviceWrapper(tunDevice)
 
 	log.Debugf("attaching to interface %v", name)
-	t.device = device.NewDevice(tunDevice, t.iceBind, device.NewLogger(device.LogLevelSilent, "[wiretrustee] "))
-	t.device.DisableSomeRoamingForBrokenMobileSemantics()
+	t.device = device.NewDevice(t.wrapper, t.iceBind, device.NewLogger(device.LogLevelSilent, "[wiretrustee] "))
+	// without this property mobile devices can discover remote endpoints if the configured one was wrong.
+	// this helps with support for the older NetBird clients that had a hardcoded direct mode
+	//t.device.DisableSomeRoamingForBrokenMobileSemantics()
 
 	err = t.device.Up()
 	if err != nil {

iface/tun_unix.go

@@ -23,6 +23,7 @@ type tunDevice struct {
 	netInterface NetInterface
 	iceBind      *bind.ICEBind
 	uapi         net.Listener
+	wrapper      *DeviceWrapper
 	close        chan struct{}
 }
 
@@ -90,9 +91,14 @@ func (c *tunDevice) createWithUserspace() (NetInterface, error) {
 	if err != nil {
 		return nil, err
 	}
+	c.wrapper = newDeviceWrapper(tunIface)
 
 	// We need to create a wireguard-go device and listen to configuration requests
-	tunDev := device.NewDevice(tunIface, c.iceBind, device.NewLogger(device.LogLevelSilent, "[netbird] "))
+	tunDev := device.NewDevice(
+		c.wrapper,
+		c.iceBind,
+		device.NewLogger(device.LogLevelSilent, "[netbird] "),
+	)
 	err = tunDev.Up()
 	if err != nil {
 		_ = tunIface.Close()

iface/tun_windows.go

@@ -3,9 +3,11 @@ package iface
 import (
 	"fmt"
 	"net"
+	"net/netip"
 
 	"github.com/pion/transport/v2"
 	log "github.com/sirupsen/logrus"
+	"golang.org/x/sys/windows"
 	"golang.zx2c4.com/wireguard/device"
 	"golang.zx2c4.com/wireguard/ipc"
 	"golang.zx2c4.com/wireguard/tun"
@@ -21,6 +23,7 @@ type tunDevice struct {
 	iceBind      *bind.ICEBind
 	mtu          int
 	uapi         net.Listener
+	wrapper      *DeviceWrapper
 	close        chan struct{}
 }
 
@@ -50,6 +53,7 @@ func (c *tunDevice) createWithUserspace() (NetInterface, error) {
 	if err != nil {
 		return nil, err
 	}
+	c.wrapper = newDeviceWrapper(tunIface)
 
 	// We need to create a wireguard-go device and listen to configuration requests
 	tunDev := device.NewDevice(tunIface, c.iceBind, device.NewLogger(device.LogLevelSilent, "[netbird] "))
@@ -59,6 +63,22 @@ func (c *tunDevice) createWithUserspace() (NetInterface, error) {
 		return nil, err
 	}
 
+	luid := winipcfg.LUID(tunIface.(*tun.NativeTun).LUID())
+
+	nbiface, err := luid.IPInterface(windows.AF_INET)
+	if err != nil {
+		_ = tunIface.Close()
+		return nil, fmt.Errorf("got error when getting ip interface %s", err)
+	}
+
+	nbiface.NLMTU = uint32(c.mtu)
+
+	err = nbiface.Set()
+	if err != nil {
+		_ = tunIface.Close()
+		return nil, fmt.Errorf("got error when getting setting the interface mtu: %s", err)
+	}
+
 	c.uapi, err = c.getUAPI(c.name)
 	if err != nil {
 		_ = tunIface.Close()
@@ -142,7 +162,7 @@ func (c *tunDevice) assignAddr() error {
 	tunDev := c.netInterface.(*tun.NativeTun)
 	luid := winipcfg.LUID(tunDev.LUID())
 	log.Debugf("adding address %s to interface: %s", c.address.IP, c.name)
-	return luid.SetIPAddresses([]net.IPNet{{c.address.IP, c.address.Network.Mask}})
+	return luid.SetIPAddresses([]netip.Prefix{netip.MustParsePrefix(c.address.String())})
 }
 
 // getUAPI returns a Listener

iface/wg_configurer_nonandroid.go

@@ -202,7 +202,7 @@ func (c *wGConfigurer) configure(config wgtypes.Config) error {
 	if err != nil {
 		return err
 	}
-	log.Debugf("got Wireguard device %s", c.deviceName)
+	log.Tracef("got Wireguard device %s", c.deviceName)
 
 	return wg.ConfigureDevice(c.deviceName, config)
 }

infrastructure_files/configure.sh

@@ -1,34 +1,29 @@
 #!/bin/bash
 
-if ! which curl > /dev/null 2>&1
-then
-    echo "This script uses curl fetch OpenID configuration from IDP."
-    echo "Please install curl and re-run the script https://curl.se/"
-    echo ""
-    exit 1
+if ! which curl >/dev/null 2>&1; then
+  echo "This script uses curl fetch OpenID configuration from IDP."
+  echo "Please install curl and re-run the script https://curl.se/"
+  echo ""
+  exit 1
 fi
 
-if ! which jq > /dev/null 2>&1
-then
-    echo "This script uses jq to load OpenID configuration from IDP."
-    echo "Please install jq and re-run the script https://stedolan.github.io/jq/"
-    echo ""
-    exit 1
+if ! which jq >/dev/null 2>&1; then
+  echo "This script uses jq to load OpenID configuration from IDP."
+  echo "Please install jq and re-run the script https://stedolan.github.io/jq/"
+  echo ""
+  exit 1
 fi
 
 source setup.env
 source base.setup.env
 
-if ! which envsubst > /dev/null 2>&1
-then
+if ! which envsubst >/dev/null 2>&1; then
   echo "envsubst is needed to run this script"
-  if [[ $(uname) == "Darwin" ]]
-  then
+  if [[ $(uname) == "Darwin" ]]; then
     echo "you can install it with homebrew (https://brew.sh):"
     echo "brew install gettext"
   else
-    if which apt-get > /dev/null 2>&1
-    then
+    if which apt-get >/dev/null 2>&1; then
       echo "you can install it by running"
       echo "apt-get update && apt-get install gettext-base"
     else
@@ -38,8 +33,7 @@ then
   exit 1
 fi
 
-if [[ "x-$NETBIRD_DOMAIN" == "x-" ]]
-then
+if [[ "x-$NETBIRD_DOMAIN" == "x-" ]]; then
   echo NETBIRD_DOMAIN is not set, please update your setup.env file
   echo If you are migrating from old versions, you migh need to update your variables prefixes from
   echo WIRETRUSTEE_.. TO NETBIRD_
@@ -47,8 +41,7 @@ then
 fi
 
 # local development or tests
-if [[ $NETBIRD_DOMAIN == "localhost" || $NETBIRD_DOMAIN == "127.0.0.1" ]]
-then
+if [[ $NETBIRD_DOMAIN == "localhost" || $NETBIRD_DOMAIN == "127.0.0.1" ]]; then
   export NETBIRD_MGMT_SINGLE_ACCOUNT_MODE_DOMAIN="netbird.selfhosted"
   export NETBIRD_MGMT_API_ENDPOINT=http://$NETBIRD_DOMAIN:$NETBIRD_MGMT_API_PORT
   unset NETBIRD_MGMT_API_CERT_FILE
@@ -56,9 +49,8 @@ then
 fi
 
 # if not provided, we generate a turn password
-if [[ "x-$TURN_PASSWORD" == "x-" ]]
-then
-  export TURN_PASSWORD=$(openssl rand -base64 32|sed 's/=//g')
+if [[ "x-$TURN_PASSWORD" == "x-" ]]; then
+  export TURN_PASSWORD=$(openssl rand -base64 32 | sed 's/=//g')
 fi
 
 MGMT_VOLUMENAME="${VOLUME_PREFIX}${MGMT_VOLUMESUFFIX}"
@@ -67,13 +59,13 @@ LETSENCRYPT_VOLUMENAME="${VOLUME_PREFIX}${LETSENCRYPT_VOLUMESUFFIX}"
 # if volume with wiretrustee- prefix already exists, use it, else create new with netbird-
 OLD_PREFIX='wiretrustee-'
 if docker volume ls | grep -q "${OLD_PREFIX}${MGMT_VOLUMESUFFIX}"; then
-    MGMT_VOLUMENAME="${OLD_PREFIX}${MGMT_VOLUMESUFFIX}"
+  MGMT_VOLUMENAME="${OLD_PREFIX}${MGMT_VOLUMESUFFIX}"
 fi
 if docker volume ls | grep -q "${OLD_PREFIX}${SIGNAL_VOLUMESUFFIX}"; then
-    SIGNAL_VOLUMENAME="${OLD_PREFIX}${SIGNAL_VOLUMESUFFIX}"
+  SIGNAL_VOLUMENAME="${OLD_PREFIX}${SIGNAL_VOLUMESUFFIX}"
 fi
 if docker volume ls | grep -q "${OLD_PREFIX}${LETSENCRYPT_VOLUMESUFFIX}"; then
-    LETSENCRYPT_VOLUMENAME="${OLD_PREFIX}${LETSENCRYPT_VOLUMESUFFIX}"
+  LETSENCRYPT_VOLUMENAME="${OLD_PREFIX}${LETSENCRYPT_VOLUMESUFFIX}"
 fi
 
 export MGMT_VOLUMENAME
@@ -83,47 +75,45 @@ export LETSENCRYPT_VOLUMENAME
 #backwards compatibility after migrating to generic OIDC with Auth0
 if [[ -z "${NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT}" ]]; then
 
-    if [[ -z "${NETBIRD_AUTH0_DOMAIN}" ]]; then
-       # not a backward compatible state
-       echo "NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT property must be set in the setup.env file"
-       exit 1
-    fi
+  if [[ -z "${NETBIRD_AUTH0_DOMAIN}" ]]; then
+    # not a backward compatible state
+    echo "NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT property must be set in the setup.env file"
+    exit 1
+  fi
 
-    echo "It seems like you provided an old setup.env file."
-    echo "Since the release of v0.8.10, we introduced a new set of properties."
-    echo "The script is backward compatible and will continue automatically."
-    echo "In the future versions it will be deprecated. Please refer to the documentation to learn about the changes http://netbird.io/docs/getting-started/self-hosting"
+  echo "It seems like you provided an old setup.env file."
+  echo "Since the release of v0.8.10, we introduced a new set of properties."
+  echo "The script is backward compatible and will continue automatically."
+  echo "In the future versions it will be deprecated. Please refer to the documentation to learn about the changes http://netbird.io/docs/getting-started/self-hosting"
 
-    export NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://${NETBIRD_AUTH0_DOMAIN}/.well-known/openid-configuration"
-    export NETBIRD_USE_AUTH0="true"
-    export NETBIRD_AUTH_AUDIENCE=${NETBIRD_AUTH0_AUDIENCE}
-    export NETBIRD_AUTH_CLIENT_ID=${NETBIRD_AUTH0_CLIENT_ID}
+  export NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://${NETBIRD_AUTH0_DOMAIN}/.well-known/openid-configuration"
+  export NETBIRD_USE_AUTH0="true"
+  export NETBIRD_AUTH_AUDIENCE=${NETBIRD_AUTH0_AUDIENCE}
+  export NETBIRD_AUTH_CLIENT_ID=${NETBIRD_AUTH0_CLIENT_ID}
 fi
 
 echo "loading OpenID configuration from ${NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT} to the openid-configuration.json file"
 curl "${NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT}" -q -o openid-configuration.json
 
-export NETBIRD_AUTH_AUTHORITY=$( jq -r  '.issuer' openid-configuration.json )
-export NETBIRD_AUTH_JWT_CERTS=$( jq -r  '.jwks_uri' openid-configuration.json )
-export NETBIRD_AUTH_SUPPORTED_SCOPES=$( jq -r '.scopes_supported | join(" ")' openid-configuration.json )
-export NETBIRD_AUTH_TOKEN_ENDPOINT=$( jq -r  '.token_endpoint' openid-configuration.json )
-export NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT=$( jq -r  '.device_authorization_endpoint' openid-configuration.json )
+export NETBIRD_AUTH_AUTHORITY=$(jq -r '.issuer' openid-configuration.json)
+export NETBIRD_AUTH_JWT_CERTS=$(jq -r '.jwks_uri' openid-configuration.json)
+export NETBIRD_AUTH_SUPPORTED_SCOPES=$(jq -r '.scopes_supported | join(" ")' openid-configuration.json)
+export NETBIRD_AUTH_TOKEN_ENDPOINT=$(jq -r '.token_endpoint' openid-configuration.json)
+export NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT=$(jq -r '.device_authorization_endpoint' openid-configuration.json)
 
-if [ $NETBIRD_USE_AUTH0 == "true" ]
-then
-    export NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api email_verified"
+if [ "$NETBIRD_USE_AUTH0" == "true" ]; then
+  export NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api email_verified"
 else
-    export NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api"
+  export NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api"
 fi
 
 if [[ ! -z "${NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID}" ]]; then
-    # user enabled Device Authorization Grant feature
-    export NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="hosted"
+  # user enabled Device Authorization Grant feature
+  export NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="hosted"
 fi
 
 # Check if letsencrypt was disabled
-if [[ "$NETBIRD_DISABLE_LETSENCRYPT" == "true" ]]
-then
+if [[ "$NETBIRD_DISABLE_LETSENCRYPT" == "true" ]]; then
   export NETBIRD_DASHBOARD_ENDPOINT="https://$NETBIRD_DOMAIN:443"
   export NETBIRD_SIGNAL_ENDPOINT="https://$NETBIRD_DOMAIN:$NETBIRD_SIGNAL_PORT"
 
@@ -145,8 +135,31 @@ then
   unset NETBIRD_MGMT_API_CERT_KEY_FILE
 fi
 
+# Check if management identity provider is set
+if [ -n "$NETBIRD_MGMT_IDP" ]; then
+  EXTRA_CONFIG={}
+
+  # extract extra config from all env prefixed with NETBIRD_IDP_MGMT_EXTRA_
+  for var in ${!NETBIRD_IDP_MGMT_EXTRA_*}; do
+    # convert key snake case to camel case
+    key=$(
+      echo "${var#NETBIRD_IDP_MGMT_EXTRA_}" | awk -F "_" \
+        '{for (i=1; i<=NF; i++) {output=output substr($i,1,1) tolower(substr($i,2))} print output}'
+    )
+    value="${!var}"
+
+   echo "$var"
+    EXTRA_CONFIG=$(jq --arg k "$key" --arg v "$value" '.[$k] = $v' <<<"$EXTRA_CONFIG")
+  done
+
+  export NETBIRD_MGMT_IDP
+  export NETBIRD_IDP_MGMT_CLIENT_ID
+  export NETBIRD_IDP_MGMT_CLIENT_SECRET
+  export NETBIRD_IDP_MGMT_EXTRA_CONFIG=$EXTRA_CONFIG
+fi
+
 env | grep NETBIRD
 
-envsubst < docker-compose.yml.tmpl > docker-compose.yml
-envsubst < management.json.tmpl > management.json
-envsubst < turnserver.conf.tmpl > turnserver.conf
+envsubst <docker-compose.yml.tmpl >docker-compose.yml
+envsubst <management.json.tmpl >management.json
+envsubst <turnserver.conf.tmpl >turnserver.conf

infrastructure_files/management.json.tmpl

@@ -38,7 +38,15 @@
         "OIDCConfigEndpoint":"$NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT"
     },
     "IdpManagerConfig": {
-        "Manager": "none"
+        "ManagerType": "$NETBIRD_MGMT_IDP",
+        "ClientConfig": {
+            "Issuer": "$NETBIRD_AUTH_AUTHORITY",
+            "TokenEndpoint": "$NETBIRD_AUTH_TOKEN_ENDPOINT",
+            "ClientID": "$NETBIRD_IDP_MGMT_CLIENT_ID",
+            "ClientSecret": "$NETBIRD_IDP_MGMT_CLIENT_SECRET",
+            "GrantType": "client_credentials"
+        },
+        "ExtraConfig": $NETBIRD_IDP_MGMT_EXTRA_CONFIG
      },
     "DeviceAuthorizationFlow": {
         "Provider": "$NETBIRD_AUTH_DEVICE_AUTH_PROVIDER",

infrastructure_files/nginx.tmpl.conf

@@ -0,0 +1,77 @@
+# This template enables proxying netbird behind Nginx.
+#
+# To modify this template for your own use,
+# change the ports for the services, set your
+# server_name (e.g. vpn.example.com) and insert
+# your own ssl certificates
+
+upstream dashboard {
+    # insert the http port of your dashboard container here
+    server 127.0.0.1:8011;
+
+    # Improve performance by keeping some connections alive.
+    keepalive 10;
+}
+upstream signal {
+    # insert the grpc port of your signal container here
+    server 127.0.0.1:10000;
+}
+upstream management {
+    # insert the grpc+http port of your signal container here
+    server 127.0.0.1:8012;
+}
+
+server {
+    # HTTP server config
+    listen 80;
+    server_name _;
+
+    # 301 redirect to HTTPS
+    location / {
+            return 301 https://$host$request_uri;
+    }
+}
+server {
+    # HTTPS server config
+    listen 443 ssl http2;
+    server_name _;
+
+    # This is necessary so that grpc connections do not get closed early
+    # see https://stackoverflow.com/a/67805465
+    client_header_timeout 1d;
+    client_body_timeout 1d;
+
+    proxy_set_header        X-Real-IP $remote_addr;
+    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header        X-Scheme $scheme;
+    proxy_set_header        X-Forwarded-Proto https;
+    proxy_set_header        X-Forwarded-Host $host;
+
+    # Proxy dashboard
+    location / {
+        proxy_pass http://dashboard;
+    }
+    # Proxy Signal
+    location /signalexchange.SignalExchange/ {
+        grpc_pass grpc://signal;
+        #grpc_ssl_verify off;
+        grpc_read_timeout 1d;
+        grpc_send_timeout 1d;
+        grpc_socket_keepalive on;
+    }
+    # Proxy Management http endpoint
+    location /api {
+        proxy_pass http://management;
+    }
+    # Proxy Management grpc endpoint
+    location /management.ManagementService/ {
+        grpc_pass grpc://management;
+        #grpc_ssl_verify off;
+        grpc_read_timeout 1d;
+        grpc_send_timeout 1d;
+        grpc_socket_keepalive on;
+    }
+
+    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+    ssl_certificate_key /etc/ssl/certs/ssl-cert-snakeoil.pem;
+}

infrastructure_files/setup.env.example

@@ -15,14 +15,6 @@ NETBIRD_AUTH_CLIENT_ID=""
 # NETBIRD_AUTH_USER_ID_CLAIM=""
 # indicates whether to use Auth0 or not: true or false
 NETBIRD_USE_AUTH0="false"
-NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none"
-NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID=""
-# Some IDPs requires different audience, scopes and to use id token for device authorization flow
-# you can customize here:
-NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE
-NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid"
-NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=false
-
 # if your IDP provider doesn't support fragmented URIs, configure custom
 # redirect and silent redirect URIs, these will be concatenated into your NETBIRD_DOMAIN domain.
 # NETBIRD_AUTH_REDIRECT_URI="/peers"
@@ -30,7 +22,25 @@ NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=false
 # Updates the preference to use id tokens instead of access token on dashboard
 # Okta and Gitlab IDPs can benefit from this
 # NETBIRD_TOKEN_SOURCE="idToken"
-
+# -------------------------------------------
+# OIDC Device Authorization Flow
+# -------------------------------------------
+NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none"
+NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID=""
+# Some IDPs requires different audience, scopes and to use id token for device authorization flow
+# you can customize here:
+NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE
+NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid"
+NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=false
+# -------------------------------------------
+# IDP Management
+# -------------------------------------------
+# eg. zitadel, auth0, azure, keycloak
+NETBIRD_MGMT_IDP="none"
+# Some IDPs requires different client id and client secret for management api
+NETBIRD_IDP_MGMT_CLIENT_ID=$NETBIRD_AUTH_CLIENT_ID
+NETBIRD_IDP_MGMT_CLIENT_SECRET=""
+# NETBIRD_IDP_MGMT_EXTRA_ variables. See https://docs.netbird.io/selfhosted/identity-providers for more information about your IDP of choice.
 # -------------------------------------------
 # Letsencrypt
 # -------------------------------------------
@@ -39,7 +49,9 @@ NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=false
 NETBIRD_DISABLE_LETSENCRYPT=false
 # e.g. hello@mydomain.com
 NETBIRD_LETSENCRYPT_EMAIL=""
-
+# -------------------------------------------
+# Extra settings
+# -------------------------------------------
 # Disable anonymous metrics collection, see more information at https://netbird.io/docs/FAQ/metrics-collection
 NETBIRD_DISABLE_ANONYMOUS_METRICS=false
 # DNS DOMAIN configures the domain name used for peer resolution. By default it is netbird.selfhosted

infrastructure_files/tests/setup.env

@@ -16,4 +16,7 @@ NETBIRD_DISABLE_LETSENCRYPT=true
 NETBIRD_TOKEN_SOURCE="idToken"
 NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE="super"
 NETBIRD_AUTH_USER_ID_CLAIM="email"
-NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid email"
+NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid email"
+NETBIRD_MGMT_IDP=$CI_NETBIRD_MGMT_IDP
+NETBIRD_IDP_MGMT_CLIENT_ID=$CI_NETBIRD_IDP_MGMT_CLIENT_ID
+NETBIRD_IDP_MGMT_CLIENT_SECRET=$CI_NETBIRD_IDP_MGMT_CLIENT_SECRET

infrastructure_files/zitadel.sh

@@ -0,0 +1,122 @@
+#!/bin/bash
+
+set -e
+
+request_jwt_token() {
+  INSTANCE_URL=$1
+  BODY="grant_type=client_credentials&scope=urn:zitadel:iam:org:project:id:zitadel:aud&client_id=$ZITADEL_CLIENT_ID&client_secret=$ZITADEL_CLIENT_SECRET"
+
+  RESPONSE=$(
+    curl -X POST "$INSTANCE_URL/oauth/v2/token" \
+      -H "Content-Type: application/x-www-form-urlencoded" \
+      -d "$BODY"
+  )
+  echo "$RESPONSE" | jq -r '.access_token'
+}
+
+create_new_project() {
+  INSTANCE_URL=$1
+  ACCESS_TOKEN=$2
+  PROJECT_NAME="NETBIRD"
+
+  RESPONSE=$(
+    curl -X POST "$INSTANCE_URL/management/v1/projects" \
+      -H "Authorization: Bearer $ACCESS_TOKEN" \
+      -H "Content-Type: application/json" \
+      -d '{"name": "'"$PROJECT_NAME"'"}'
+  )
+  echo "$RESPONSE" | jq -r '.id'
+}
+
+create_new_application() {
+  INSTANCE_URL=$1
+  ACCESS_TOKEN=$2
+  APPLICATION_NAME="netbird"
+
+  RESPONSE=$(
+    curl -X POST "$INSTANCE_URL/management/v1/projects/$PROJECT_ID/apps/oidc" \
+      -H "Authorization: Bearer $ACCESS_TOKEN" \
+      -H "Content-Type: application/json" \
+      -d '{
+    "name": "'"$APPLICATION_NAME"'",
+    "redirectUris": [
+      "'"$BASE_REDIRECT_URL"'/auth"
+    ],
+    "RESPONSETypes": [
+      "OIDC_RESPONSE_TYPE_CODE"
+    ],
+    "grantTypes": [
+      "OIDC_GRANT_TYPE_AUTHORIZATION_CODE",
+      "OIDC_GRANT_TYPE_REFRESH_TOKEN"
+    ],
+    "appType": "OIDC_APP_TYPE_USER_AGENT",
+    "authMethodType": "OIDC_AUTH_METHOD_TYPE_NONE",
+    "postLogoutRedirectUris": [
+      "'"$BASE_REDIRECT_URL"'/silent-auth"
+    ],
+    "version": "OIDC_VERSION_1_0",
+    "devMode": '"$ZITADEL_DEV_MODE"',
+    "accessTokenType": "OIDC_TOKEN_TYPE_JWT",
+    "accessTokenRoleAssertion": true,
+    "skipNativeAppSuccessPage": true
+  }'
+  )
+  echo "$RESPONSE" | jq -r '.clientId'
+}
+
+configure_zitadel_instance() {
+  # extract zitadel instance url
+  INSTANCE_URL=$(echo "$NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT" | sed 's/\/\.well-known\/openid-configuration//')
+  DOC_URL="https://netbird.io/docs/integrations/identity-providers/self-hosted/using-netbird-with-zitadel#step-4-create-a-service-user"
+
+  echo ""
+  printf "configuring zitadel instance: $INSTANCE_URL \n \
+  before proceeding, please create a new service account for authorization by following the instructions (step 4 and 5
+  ) in the documentation at %s\n" "$DOC_URL"
+  echo "Please ensure that the new service account has 'Org Owner' permission in order for this to work."
+  echo ""
+
+  read -n 1 -s -r -p "press any key to continue..."
+  echo ""
+
+  # prompt the user to enter service account clientID
+  echo ""
+  read -r -p "enter service account ClientId: " ZITADEL_CLIENT_ID
+  echo ""
+
+  # Prompt the user to enter service account clientSecret
+  read -r -p "enter service account ClientSecret: " ZITADEL_CLIENT_SECRET
+  echo ""
+
+  # get an access token from zitadel
+  echo "retrieving access token from zitadel"
+  ACCESS_TOKEN=$(request_jwt_token "$INSTANCE_URL")
+  if [ "$ACCESS_TOKEN" = "null" ]; then
+    echo "failed requesting access token"
+    exit 1
+  fi
+
+  #  create the zitadel project
+  echo "creating new zitadel project"
+  PROJECT_ID=$(create_new_project "$INSTANCE_URL" "$ACCESS_TOKEN")
+  if [ "$PROJECT_ID" = "null" ]; then
+    echo "failed creating new zitadel project"
+    exit 1
+  fi
+
+  ZITADEL_DEV_MODE=false
+  if [[ $NETBIRD_DOMAIN == *"localhost"* ]]; then
+    BASE_REDIRECT_URL="http://$NETBIRD_DOMAIN"
+    ZITADEL_DEV_MODE=true
+  else
+    BASE_REDIRECT_URL="https://$NETBIRD_DOMAIN"
+  fi
+
+  # create zitadel spa application
+  echo "creating new zitadel spa application"
+  APPLICATION_CLIENT_ID=$(create_new_application "$INSTANCE_URL" "$ACCESS_TOKEN")
+  if [ "$APPLICATION_CLIENT_ID" = "null" ]; then
+    echo "failed creating new zitadel spa application"
+    exit 1
+  fi
+}

management/client/client.go

@@ -15,4 +15,5 @@ type Client interface {
 	Register(serverKey wgtypes.Key, setupKey string, jwtToken string, sysInfo *system.Info, sshKey []byte) (*proto.LoginResponse, error)
 	Login(serverKey wgtypes.Key, sysInfo *system.Info, sshKey []byte) (*proto.LoginResponse, error)
 	GetDeviceAuthorizationFlow(serverKey wgtypes.Key) (*proto.DeviceAuthorizationFlow, error)
+	GetRoutes() ([]*proto.Route, error)
 }

management/client/client_test.go

@@ -2,28 +2,31 @@ package client
 
 import (
 	"context"
-	"github.com/netbirdio/netbird/management/server/activity"
 	"net"
 	"path/filepath"
 	"sync"
 	"testing"
 	"time"
 
+	"github.com/netbirdio/netbird/management/server/activity"
+
 	"github.com/netbirdio/netbird/client/system"
 
+	log "github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/assert"
+
 	"github.com/netbirdio/netbird/encryption"
 	"github.com/netbirdio/netbird/management/proto"
 	mgmtProto "github.com/netbirdio/netbird/management/proto"
 	mgmt "github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/mock_server"
-	log "github.com/sirupsen/logrus"
-	"github.com/stretchr/testify/assert"
 
-	"github.com/netbirdio/netbird/util"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
+
+	"github.com/netbirdio/netbird/util"
 )
 
 const ValidKey = "A2C8E62B-38F5-4553-B31E-DD66C696CEBB"
@@ -50,7 +53,7 @@ func startManagement(t *testing.T) (*grpc.Server, net.Listener) {
 		t.Fatal(err)
 	}
 	s := grpc.NewServer()
-	store, err := mgmt.NewFileStore(config.Datadir)
+	store, err := mgmt.NewFileStore(config.Datadir, nil)
 	if err != nil {
 		t.Fatal(err)
 	}

management/client/mock.go

@@ -56,3 +56,8 @@ func (m *MockClient) GetDeviceAuthorizationFlow(serverKey wgtypes.Key) (*proto.D
 	}
 	return m.GetDeviceAuthorizationFlowFunc(serverKey)
 }
+
+// GetRoutes mock implementation of GetRoutes from mgm.Client interface
+func (m *MockClient) GetRoutes() ([]*proto.Route, error) {
+	return nil, nil
+}

management/cmd/management.go

@@ -80,6 +80,7 @@ var (
 			if err != nil {
 				return fmt.Errorf("failed reading provided config file: %s: %v", mgmtConfig, err)
 			}
+			config.HttpConfig.IdpSignKeyRefreshEnabled = idpSignKeyRefreshEnabled
 
 			tlsEnabled := false
 			if mgmtLetsencryptDomain != "" || (config.HttpConfig.CertFile != "" && config.HttpConfig.CertKey != "") {
@@ -120,13 +121,6 @@ var (
 					return fmt.Errorf("failed creating datadir: %s: %v", config.Datadir, err)
 				}
 			}
-
-			store, err := server.NewFileStore(config.Datadir)
-			if err != nil {
-				return fmt.Errorf("failed creating Store: %s: %v", config.Datadir, err)
-			}
-			peersUpdateManager := server.NewPeersUpdateManager()
-
 			appMetrics, err := telemetry.NewDefaultAppMetrics(cmd.Context())
 			if err != nil {
 				return err
@@ -135,6 +129,11 @@ var (
 			if err != nil {
 				return err
 			}
+			store, err := server.NewFileStore(config.Datadir, appMetrics)
+			if err != nil {
+				return fmt.Errorf("failed creating Store: %s: %v", config.Datadir, err)
+			}
+			peersUpdateManager := server.NewPeersUpdateManager()
 
 			var idpManager idp.Manager
 			if config.IdpManagerConfig != nil {
@@ -186,6 +185,7 @@ var (
 				config.HttpConfig.AuthIssuer,
 				config.GetAuthAudiences(),
 				config.HttpConfig.AuthKeysLocation,
+				config.HttpConfig.IdpSignKeyRefreshEnabled,
 			)
 			if err != nil {
 				return fmt.Errorf("failed creating JWT validator: %v", err)
@@ -439,7 +439,7 @@ type OIDCConfigResponse struct {
 func fetchOIDCConfig(oidcEndpoint string) (OIDCConfigResponse, error) {
 	res, err := http.Get(oidcEndpoint)
 	if err != nil {
-		return OIDCConfigResponse{}, fmt.Errorf("failed fetching OIDC configuration fro mendpoint %s %v", oidcEndpoint, err)
+		return OIDCConfigResponse{}, fmt.Errorf("failed fetching OIDC configuration from endpoint %s %v", oidcEndpoint, err)
 	}
 
 	defer func() {

management/cmd/root.go

@@ -16,13 +16,14 @@ const (
 )
 
 var (
-	dnsDomain            string
-	mgmtDataDir          string
-	mgmtConfig           string
-	logLevel             string
-	logFile              string
-	disableMetrics       bool
-	disableSingleAccMode bool
+	dnsDomain                string
+	mgmtDataDir              string
+	mgmtConfig               string
+	logLevel                 string
+	logFile                  string
+	disableMetrics           bool
+	disableSingleAccMode     bool
+	idpSignKeyRefreshEnabled bool
 
 	rootCmd = &cobra.Command{
 		Use:          "netbird-mgmt",
@@ -54,6 +55,7 @@ func init() {
 	mgmtCmd.Flags().StringVar(&certKey, "cert-key", "", "Location of your SSL certificate private key. Can be used when you have an existing certificate and don't want a new certificate be generated automatically. If letsencrypt-domain is specified this property has no effect")
 	mgmtCmd.Flags().BoolVar(&disableMetrics, "disable-anonymous-metrics", false, "disables push of anonymous usage metrics to NetBird")
 	mgmtCmd.Flags().StringVar(&dnsDomain, "dns-domain", defaultSingleAccModeDomain, fmt.Sprintf("Domain used for peer resolution. This is appended to the peer's name, e.g. pi-server. %s. Max lenght is 192 characters to allow appending to a peer name with up to 63 characters.", defaultSingleAccModeDomain))
+	mgmtCmd.Flags().BoolVar(&idpSignKeyRefreshEnabled, "idp-sign-key-refresh-enabled", false, "Enable cache headers evaluation to determine signing key rotation period. This will refresh the signing key upon expiry.")
 	rootCmd.MarkFlagRequired("config") //nolint
 
 	rootCmd.PersistentFlags().StringVar(&logLevel, "log-level", "info", "")