Merge pull request #277 from LaurenceJJones/refactor/proxy-udp-buffer-pool

perf(proxy): add sync.Pool for UDP buffers
2026-04-11 04:16:40 +00:00 · 2026-04-09 13:09:06 -04:00 · 2026-04-09 15:59:03 +01:00
7 changed files with 84 additions and 450 deletions
--- a/clients/clients.go
+++ b/clients/clients.go
@@ -40,17 +40,13 @@ type WgConfig struct {
 }
 type Target struct {
-	SourcePrefix   string                 `json:"sourcePrefix"`
+	SourcePrefix   string      `json:"sourcePrefix"`
-	SourcePrefixes []string               `json:"sourcePrefixes"`
+	SourcePrefixes []string    `json:"sourcePrefixes"`
-	DestPrefix     string                 `json:"destPrefix"`
+	DestPrefix     string      `json:"destPrefix"`
-	RewriteTo      string                 `json:"rewriteTo,omitempty"`
+	RewriteTo      string      `json:"rewriteTo,omitempty"`
-	DisableIcmp    bool                   `json:"disableIcmp,omitempty"`
+	DisableIcmp    bool        `json:"disableIcmp,omitempty"`
-	PortRange      []PortRange            `json:"portRange,omitempty"`
+	PortRange      []PortRange `json:"portRange,omitempty"`
-	ResourceId     int                    `json:"resourceId,omitempty"`
+	ResourceId     int         `json:"resourceId,omitempty"`
 	Protocol       string                 `json:"protocol,omitempty"`    // for now practicably either http or https
 	HTTPTargets    []netstack2.HTTPTarget `json:"httpTargets,omitempty"` // for http protocol, list of downstream services to load balance across
 	TLSCert        string                 `json:"tlsCert,omitempty"`     // PEM-encoded certificate for incoming HTTPS termination
 	TLSKey         string                 `json:"tlsKey,omitempty"`      // PEM-encoded private key for incoming HTTPS termination
 }
 type PortRange struct {
@@ -78,18 +74,18 @@ type PeerReading struct {
 }
 type WireGuardService struct {
-	interfaceName        string
+	interfaceName string
-	mtu                  int
+	mtu           int
-	client               *websocket.Client
+	client        *websocket.Client
-	config               WgConfig
+	config        WgConfig
-	key                  wgtypes.Key
+	key           wgtypes.Key
-	newtId               string
+	newtId        string
-	lastReadings         map[string]PeerReading
+	lastReadings  map[string]PeerReading
-	mu                   sync.Mutex
+	mu            sync.Mutex
-	Port                 uint16
+	Port          uint16
-	host                 string
+	host          string
-	serverPubKey         string
+	serverPubKey  string
-	token                string
+	token         string
 	stopGetConfig        func()
 	pendingConfigChainId string
 	// Netstack fields
@@ -701,18 +697,7 @@ func (s *WireGuardService) syncTargets(desiredTargets []Target) error {
 				})
 			}
-			s.tnet.AddProxySubnetRule(netstack2.SubnetRule{
+			s.tnet.AddProxySubnetRule(sourcePrefix, destPrefix, target.RewriteTo, portRanges, target.DisableIcmp, target.ResourceId)
 				SourcePrefix: sourcePrefix,
 				DestPrefix:   destPrefix,
 				RewriteTo:    target.RewriteTo,
 				PortRanges:   portRanges,
 				DisableIcmp:  target.DisableIcmp,
 				ResourceId:   target.ResourceId,
 				Protocol:     target.Protocol,
 				HTTPTargets:  target.HTTPTargets,
 				TLSCert:      target.TLSCert,
 				TLSKey:       target.TLSKey,
 			})
 			logger.Info("Added target %s -> %s during sync", target.SourcePrefix, target.DestPrefix)
 		}
 	}
@@ -970,18 +955,7 @@ func (s *WireGuardService) ensureTargets(targets []Target) error {
 			if err != nil {
 				return fmt.Errorf("invalid CIDR %s: %v", sp, err)
 			}
-			s.tnet.AddProxySubnetRule(netstack2.SubnetRule{
+			s.tnet.AddProxySubnetRule(sourcePrefix, destPrefix, target.RewriteTo, portRanges, target.DisableIcmp, target.ResourceId)
 				SourcePrefix: sourcePrefix,
 				DestPrefix:   destPrefix,
 				RewriteTo:    target.RewriteTo,
 				PortRanges:   portRanges,
 				DisableIcmp:  target.DisableIcmp,
 				ResourceId:   target.ResourceId,
 				Protocol:     target.Protocol,
 				HTTPTargets:  target.HTTPTargets,
 				TLSCert:      target.TLSCert,
 				TLSKey:       target.TLSKey,
 			})
 			logger.Info("Added target subnet from %s to %s rewrite to %s with port ranges: %v", sp, target.DestPrefix, target.RewriteTo, target.PortRange)
 		}
 	}
@@ -1374,18 +1348,7 @@ func (s *WireGuardService) handleAddTarget(msg websocket.WSMessage) {
 				logger.Info("Invalid CIDR %s: %v", sp, err)
 				continue
 			}
-			s.tnet.AddProxySubnetRule(netstack2.SubnetRule{
+			s.tnet.AddProxySubnetRule(sourcePrefix, destPrefix, target.RewriteTo, portRanges, target.DisableIcmp, target.ResourceId)
 				SourcePrefix: sourcePrefix,
 				DestPrefix:   destPrefix,
 				RewriteTo:    target.RewriteTo,
 				PortRanges:   portRanges,
 				DisableIcmp:  target.DisableIcmp,
 				ResourceId:   target.ResourceId,
 				Protocol:     target.Protocol,
 				HTTPTargets:  target.HTTPTargets,
 				TLSCert:      target.TLSCert,
 				TLSKey:       target.TLSKey,
 			})
 			logger.Info("Added target subnet from %s to %s rewrite to %s with port ranges: %v", sp, target.DestPrefix, target.RewriteTo, target.PortRange)
 		}
 	}
@@ -1503,18 +1466,7 @@ func (s *WireGuardService) handleUpdateTarget(msg websocket.WSMessage) {
 				logger.Info("Invalid CIDR %s: %v", sp, err)
 				continue
 			}
-			s.tnet.AddProxySubnetRule(netstack2.SubnetRule{
+			s.tnet.AddProxySubnetRule(sourcePrefix, destPrefix, target.RewriteTo, portRanges, target.DisableIcmp, target.ResourceId)
 				SourcePrefix: sourcePrefix,
 				DestPrefix:   destPrefix,
 				RewriteTo:    target.RewriteTo,
 				PortRanges:   portRanges,
 				DisableIcmp:  target.DisableIcmp,
 				ResourceId:   target.ResourceId,
 				Protocol:     target.Protocol,
 				HTTPTargets:  target.HTTPTargets,
 				TLSCert:      target.TLSCert,
 				TLSKey:       target.TLSKey,
 			})
 			logger.Info("Added target subnet from %s to %s rewrite to %s with port ranges: %v", sp, target.DestPrefix, target.RewriteTo, target.PortRange)
 		}
 	}
--- a/netstack2/handlers.go
+++ b/netstack2/handlers.go
@@ -137,31 +137,14 @@ func (h *TCPHandler) InstallTCPHandler() error {
 // handleTCPConn handles a TCP connection by proxying it to the actual target
 func (h *TCPHandler) handleTCPConn(netstackConn *gonet.TCPConn, id stack.TransportEndpointID) {
-	// Extract source and target address from the connection ID first so they
+	defer netstackConn.Close()
-	// are available for HTTP routing before any defer is set up.
+
 	// Extract source and target address from the connection ID
 	srcIP := id.RemoteAddress.String()
 	srcPort := id.RemotePort
 	dstIP := id.LocalAddress.String()
 	dstPort := id.LocalPort
 	// For HTTP/HTTPS ports, look up the matching subnet rule. If the rule has
 	// Protocol configured, hand the connection off to the HTTP handler which
 	// takes full ownership of the lifecycle (the defer close must not be
 	// installed before this point).
 	if (dstPort == 80 || dstPort == 443) && h.proxyHandler != nil && h.proxyHandler.httpHandler != nil {
 		srcAddr, _ := netip.ParseAddr(srcIP)
 		dstAddr, _ := netip.ParseAddr(dstIP)
 		rule := h.proxyHandler.subnetLookup.Match(srcAddr, dstAddr, dstPort, tcp.ProtocolNumber)
 		if rule != nil && rule.Protocol != "" {
 			logger.Info("TCP Forwarder: Routing %s:%d -> %s:%d to HTTP handler (%s)",
 				srcIP, srcPort, dstIP, dstPort, rule.Protocol)
 			h.proxyHandler.httpHandler.HandleConn(netstackConn, rule)
 			return
 		}
 	}
 	defer netstackConn.Close()
 	logger.Info("TCP Forwarder: Handling connection %s:%d -> %s:%d", srcIP, srcPort, dstIP, dstPort)
 	// Check if there's a destination rewrite for this connection (e.g., localhost targets)
--- a/netstack2/http_handler.go
+++ b/netstack2/http_handler.go
@@ -1,312 +0,0 @@
 /* SPDX-License-Identifier: MIT
 *
 * Copyright (C) 2017-2025 WireGuard LLC. All Rights Reserved.
 */
 package netstack2
 import (
 	"context"
 	"crypto/tls"
 	"fmt"
 	"net"
 	"net/http"
 	"net/http/httputil"
 	"net/url"
 	"sync"
 	"github.com/fosrl/newt/logger"
 	"gvisor.dev/gvisor/pkg/tcpip/stack"
 )
 // ---------------------------------------------------------------------------
 // HTTPTarget
 // ---------------------------------------------------------------------------
 // HTTPTarget describes a single downstream HTTP or HTTPS service that the
 // proxy should forward requests to.
 type HTTPTarget struct {
 	DestAddr string `json:"destAddr"` // IP address or hostname of the downstream service
 	DestPort uint16 `json:"destPort"` // TCP port of the downstream service
 	Scheme string   `json:"scheme"` // When true the outbound leg uses HTTPS
 }
 // ---------------------------------------------------------------------------
 // HTTPHandler
 // ---------------------------------------------------------------------------
 // HTTPHandler intercepts TCP connections from the netstack forwarder on ports
 // 80 and 443 and services them as HTTP or HTTPS, reverse-proxying each request
 // to downstream targets specified by the matching SubnetRule.
 //
 // HTTP and raw TCP are fully separate: a connection is only routed here when
 // its SubnetRule has Protocol set ("http" or "https"). All other connections
 // on those ports fall through to the normal raw-TCP path.
 //
 // Incoming TLS termination (Protocol == "https") is performed per-connection
 // using the certificate and key stored in the rule, so different subnet rules
 // can present different certificates without sharing any state.
 //
 // Outbound connections to downstream targets honour HTTPTarget.UseHTTPS
 // independently of the incoming protocol.
 type HTTPHandler struct {
 	stack        *stack.Stack
 	proxyHandler *ProxyHandler
 	listener *chanListener
 	server   *http.Server
 	// proxyCache holds pre-built *httputil.ReverseProxy values keyed by the
 	// canonical target URL string ("scheme://host:port"). Building a proxy is
 	// cheap, but reusing one preserves the underlying http.Transport connection
 	// pool, which matters for throughput.
 	proxyCache sync.Map // map[string]*httputil.ReverseProxy
 	// tlsCache holds pre-parsed *tls.Config values keyed by the concatenation
 	// of the PEM certificate and key. Parsing a keypair is relatively expensive
 	// and the same cert is likely reused across many connections.
 	tlsCache sync.Map // map[string]*tls.Config
 }
 // ---------------------------------------------------------------------------
 // chanListener – net.Listener backed by a channel
 // ---------------------------------------------------------------------------
 // chanListener implements net.Listener by receiving net.Conn values over a
 // buffered channel. This lets the netstack TCP forwarder hand off connections
 // directly to a running http.Server without any real OS socket.
 type chanListener struct {
 	connCh chan net.Conn
 	closed chan struct{}
 	once   sync.Once
 }
 func newChanListener() *chanListener {
 	return &chanListener{
 		connCh: make(chan net.Conn, 128),
 		closed: make(chan struct{}),
 	}
 }
 // Accept blocks until a connection is available or the listener is closed.
 func (l *chanListener) Accept() (net.Conn, error) {
 	select {
 	case conn, ok := <-l.connCh:
 		if !ok {
 			return nil, net.ErrClosed
 		}
 		return conn, nil
 	case <-l.closed:
 		return nil, net.ErrClosed
 	}
 }
 // Close shuts down the listener; subsequent Accept calls return net.ErrClosed.
 func (l *chanListener) Close() error {
 	l.once.Do(func() { close(l.closed) })
 	return nil
 }
 // Addr returns a placeholder address (the listener has no real OS socket).
 func (l *chanListener) Addr() net.Addr {
 	return &net.TCPAddr{}
 }
 // send delivers conn to the listener. Returns false if the listener is already
 // closed, in which case the caller is responsible for closing conn.
 func (l *chanListener) send(conn net.Conn) bool {
 	select {
 	case l.connCh <- conn:
 		return true
 	case <-l.closed:
 		return false
 	}
 }
 // ---------------------------------------------------------------------------
 // httpConnCtx – conn wrapper that carries a SubnetRule through the listener
 // ---------------------------------------------------------------------------
 // httpConnCtx wraps a net.Conn so the matching SubnetRule can be passed
 // through the chanListener into the http.Server's ConnContext callback,
 // making it available to request handlers via the request context.
 type httpConnCtx struct {
 	net.Conn
 	rule *SubnetRule
 }
 // connCtxKey is the unexported context key used to store a *SubnetRule on the
 // per-connection context created by http.Server.ConnContext.
 type connCtxKey struct{}
 // ---------------------------------------------------------------------------
 // Constructor and lifecycle
 // ---------------------------------------------------------------------------
 // NewHTTPHandler creates an HTTPHandler attached to the given stack and
 // ProxyHandler. Call Start to begin serving connections.
 func NewHTTPHandler(s *stack.Stack, ph *ProxyHandler) *HTTPHandler {
 	return &HTTPHandler{
 		stack:        s,
 		proxyHandler: ph,
 	}
 }
 // Start launches the internal http.Server that services connections delivered
 // via HandleConn. The server runs for the lifetime of the HTTPHandler; call
 // Close to stop it.
 func (h *HTTPHandler) Start() error {
 	h.listener = newChanListener()
 	h.server = &http.Server{
 		Handler: http.HandlerFunc(h.handleRequest),
 		// ConnContext runs once per accepted connection and attaches the
 		// SubnetRule carried by httpConnCtx to the connection's context so
 		// that handleRequest can retrieve it without any global state.
 		ConnContext: func(ctx context.Context, c net.Conn) context.Context {
 			if cc, ok := c.(*httpConnCtx); ok {
 				return context.WithValue(ctx, connCtxKey{}, cc.rule)
 			}
 			return ctx
 		},
 	}
 	go func() {
 		if err := h.server.Serve(h.listener); err != nil && err != http.ErrServerClosed {
 			logger.Error("HTTP handler: server exited unexpectedly: %v", err)
 		}
 	}()
 	logger.Info("HTTP handler: ready — routing determined per SubnetRule on ports 80/443")
 	return nil
 }
 // HandleConn accepts a TCP connection from the netstack forwarder together
 // with the SubnetRule that matched it. The HTTP handler takes full ownership
 // of the connection's lifecycle; the caller must NOT close conn after this call.
 //
 // When rule.Protocol is "https", TLS termination is performed on conn using
 // the certificate and key stored in rule.TLSCert and rule.TLSKey before the
 // connection is passed to the HTTP server. The HTTP server itself is always
 // plain-HTTP; TLS is fully unwrapped at this layer.
 func (h *HTTPHandler) HandleConn(conn net.Conn, rule *SubnetRule) {
 	var effectiveConn net.Conn = conn
 	if rule.Protocol == "https" {
 		tlsCfg, err := h.getTLSConfig(rule)
 		if err != nil {
 			logger.Error("HTTP handler: cannot build TLS config for connection from %s: %v",
 				conn.RemoteAddr(), err)
 			conn.Close()
 			return
 		}
 		// tls.Server wraps the raw conn; the TLS handshake is deferred until
 		// the first Read, which the http.Server will trigger naturally.
 		effectiveConn = tls.Server(conn, tlsCfg)
 	}
 	wrapped := &httpConnCtx{Conn: effectiveConn, rule: rule}
 	if !h.listener.send(wrapped) {
 		// Listener is already closed — clean up the orphaned connection.
 		effectiveConn.Close()
 	}
 }
 // Close gracefully shuts down the HTTP server and the underlying channel
 // listener, causing the goroutine started in Start to exit.
 func (h *HTTPHandler) Close() error {
 	if h.server != nil {
 		if err := h.server.Close(); err != nil {
 			return err
 		}
 	}
 	if h.listener != nil {
 		h.listener.Close()
 	}
 	return nil
 }
 // ---------------------------------------------------------------------------
 // Internal helpers
 // ---------------------------------------------------------------------------
 // getTLSConfig returns a *tls.Config for the cert/key pair in rule, using a
 // cache to avoid re-parsing the same keypair on every connection.
 // The cache key is the concatenation of the PEM cert and key strings, so
 // different rules that happen to share the same material hit the same entry.
 func (h *HTTPHandler) getTLSConfig(rule *SubnetRule) (*tls.Config, error) {
 	cacheKey := rule.TLSCert + "|" + rule.TLSKey
 	if v, ok := h.tlsCache.Load(cacheKey); ok {
 		return v.(*tls.Config), nil
 	}
 	cert, err := tls.X509KeyPair([]byte(rule.TLSCert), []byte(rule.TLSKey))
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse TLS keypair: %w", err)
 	}
 	cfg := &tls.Config{
 		Certificates: []tls.Certificate{cert},
 	}
 	// LoadOrStore is safe under concurrent calls: if two goroutines race here
 	// both will produce a valid config; the loser's work is discarded.
 	actual, _ := h.tlsCache.LoadOrStore(cacheKey, cfg)
 	return actual.(*tls.Config), nil
 }
 // getProxy returns a cached *httputil.ReverseProxy for the given target,
 // creating one on first use. Reusing the proxy preserves its http.Transport
 // connection pool, avoiding repeated TCP/TLS handshakes to the downstream.
 func (h *HTTPHandler) getProxy(target HTTPTarget) *httputil.ReverseProxy {
 	scheme := target.Scheme
 	cacheKey := fmt.Sprintf("%s://%s:%d", scheme, target.DestAddr, target.DestPort)
 	if v, ok := h.proxyCache.Load(cacheKey); ok {
 		return v.(*httputil.ReverseProxy)
 	}
 	targetURL := &url.URL{
 		Scheme: scheme,
 		Host:   fmt.Sprintf("%s:%d", target.DestAddr, target.DestPort),
 	}
 	proxy := httputil.NewSingleHostReverseProxy(targetURL)
 	if target.Scheme == "https" {
 		// Allow self-signed certificates on downstream HTTPS targets.
 		proxy.Transport = &http.Transport{
 			TLSClientConfig: &tls.Config{
 				InsecureSkipVerify: true, //nolint:gosec // downstream self-signed certs are a supported configuration
 			},
 		}
 	}
 	proxy.ErrorHandler = func(w http.ResponseWriter, r *http.Request, err error) {
 		logger.Error("HTTP handler: upstream error (%s %s -> %s): %v",
 			r.Method, r.URL.RequestURI(), cacheKey, err)
 		http.Error(w, "Bad Gateway", http.StatusBadGateway)
 	}
 	actual, _ := h.proxyCache.LoadOrStore(cacheKey, proxy)
 	return actual.(*httputil.ReverseProxy)
 }
 // handleRequest is the http.Handler entry point. It retrieves the SubnetRule
 // attached to the connection by ConnContext, selects the first configured
 // downstream target, and forwards the request via the cached ReverseProxy.
 //
 // TODO: add host/path-based routing across multiple HTTPTargets once the
 // configuration model evolves beyond a single target per rule.
 func (h *HTTPHandler) handleRequest(w http.ResponseWriter, r *http.Request) {
 	rule, _ := r.Context().Value(connCtxKey{}).(*SubnetRule)
 	if rule == nil || len(rule.HTTPTargets) == 0 {
 		logger.Error("HTTP handler: no downstream targets for request %s %s", r.Method, r.URL.RequestURI())
 		http.Error(w, "no targets configured", http.StatusBadGateway)
 		return
 	}
 	target := rule.HTTPTargets[0]
 	scheme := target.Scheme
 	logger.Info("HTTP handler: %s %s -> %s://%s:%d",
 		r.Method, r.URL.RequestURI(), scheme, target.DestAddr, target.DestPort)
 	h.getProxy(target).ServeHTTP(w, r)
 }
--- a/netstack2/proxy.go
+++ b/netstack2/proxy.go
@@ -53,14 +53,6 @@ type SubnetRule struct {
 	RewriteTo    string       // Optional rewrite address for DNAT - can be IP/CIDR or domain name
 	PortRanges   []PortRange  // empty slice means all ports allowed
 	ResourceId   int          // Optional resource ID from the server for access logging
 	// HTTP proxy configuration (optional).
 	// When Protocol is non-empty the TCP connection is handled by HTTPHandler
 	// instead of the raw TCP forwarder.
 	Protocol    string       // "", "http", or "https" — controls the incoming (client-facing) protocol
 	HTTPTargets []HTTPTarget // downstream services to proxy requests to
 	TLSCert     string       // PEM-encoded certificate for incoming HTTPS termination
 	TLSKey      string       // PEM-encoded private key for incoming HTTPS termination
 }
 // GetAllRules returns a copy of all subnet rules
@@ -122,7 +114,6 @@ type ProxyHandler struct {
 	tcpHandler        *TCPHandler
 	udpHandler        *UDPHandler
 	icmpHandler       *ICMPHandler
 	httpHandler       *HTTPHandler
 	subnetLookup      *SubnetLookup
 	natTable          map[connKey]*natState
 	reverseNatTable   map[reverseConnKey]*natState // Reverse lookup map for O(1) reply packet NAT
@@ -173,21 +164,12 @@ func NewProxyHandler(options ProxyHandlerOptions) (*ProxyHandler, error) {
 		}),
 	}
-	// Initialize TCP handler if enabled. The HTTP handler piggybacks on the
+	// Initialize TCP handler if enabled
 	// TCP forwarder — TCPHandler.handleTCPConn checks the subnet rule for
 	// ports 80/443 and routes matching connections to the HTTP handler, so
 	// the HTTP handler is always initialised alongside TCP.
 	if options.EnableTCP {
 		handler.tcpHandler = NewTCPHandler(handler.proxyStack, handler)
 		if err := handler.tcpHandler.InstallTCPHandler(); err != nil {
 			return nil, fmt.Errorf("failed to install TCP handler: %v", err)
 		}
 		handler.httpHandler = NewHTTPHandler(handler.proxyStack, handler)
 		if err := handler.httpHandler.Start(); err != nil {
 			return nil, fmt.Errorf("failed to start HTTP handler: %v", err)
 		}
 		logger.Debug("ProxyHandler: HTTP handler enabled")
 	}
 	// Initialize UDP handler if enabled
@@ -226,14 +208,16 @@ func NewProxyHandler(options ProxyHandlerOptions) (*ProxyHandler, error) {
 	return handler, nil
 }
-// AddSubnetRule adds a subnet rule to the proxy handler.
+// AddSubnetRule adds a subnet with optional port restrictions to the proxy handler
-// HTTP proxy behaviour is configured via rule.Protocol, rule.HTTPTargets,
+// sourcePrefix: The IP prefix of the peer sending the data
-// rule.TLSCert, and rule.TLSKey; leave Protocol empty for raw TCP/UDP.
+// destPrefix: The IP prefix of the destination
-func (p *ProxyHandler) AddSubnetRule(rule SubnetRule) {
+// rewriteTo: Optional address to rewrite destination to - can be IP/CIDR or domain name
 // If portRanges is nil or empty, all ports are allowed for this subnet
 func (p *ProxyHandler) AddSubnetRule(sourcePrefix, destPrefix netip.Prefix, rewriteTo string, portRanges []PortRange, disableIcmp bool, resourceId int) {
 	if p == nil || !p.enabled {
 		return
 	}
-	p.subnetLookup.AddSubnet(rule)
+	p.subnetLookup.AddSubnet(sourcePrefix, destPrefix, rewriteTo, portRanges, disableIcmp, resourceId)
 }
 // RemoveSubnetRule removes a subnet from the proxy handler
@@ -810,11 +794,6 @@ func (p *ProxyHandler) Close() error {
 		p.accessLogger.Close()
 	}
 	// Shut down HTTP handler
 	if p.httpHandler != nil {
 		p.httpHandler.Close()
 	}
 	// Close ICMP replies channel
 	if p.icmpReplies != nil {
 		close(p.icmpReplies)
--- a/netstack2/subnet_lookup.go
+++ b/netstack2/subnet_lookup.go
@@ -44,18 +44,24 @@ func prefixEqual(a, b netip.Prefix) bool {
 	return a.Masked() == b.Masked()
 }
-// AddSubnet adds a subnet rule to the lookup table.
+// AddSubnet adds a subnet rule with source and destination prefixes and optional port restrictions
-// If rule.PortRanges is nil or empty, all ports are allowed.
+// If portRanges is nil or empty, all ports are allowed for this subnet
-// rule.RewriteTo can be either an IP/CIDR (e.g., "192.168.1.1/32") or a domain name (e.g., "example.com").
+// rewriteTo can be either an IP/CIDR (e.g., "192.168.1.1/32") or a domain name (e.g., "example.com")
-// HTTP proxy behaviour is driven by rule.Protocol, rule.HTTPTargets, rule.TLSCert, and rule.TLSKey.
+func (sl *SubnetLookup) AddSubnet(sourcePrefix, destPrefix netip.Prefix, rewriteTo string, portRanges []PortRange, disableIcmp bool, resourceId int) {
 func (sl *SubnetLookup) AddSubnet(rule SubnetRule) {
 	sl.mu.Lock()
 	defer sl.mu.Unlock()
-	rulePtr := &rule
+	rule := &SubnetRule{
 		SourcePrefix: sourcePrefix,
 		DestPrefix:   destPrefix,
 		DisableIcmp:  disableIcmp,
 		RewriteTo:    rewriteTo,
 		PortRanges:   portRanges,
 		ResourceId:   resourceId,
 	}
 	// Canonicalize source prefix to handle host bits correctly
-	canonicalSourcePrefix := rule.SourcePrefix.Masked()
+	canonicalSourcePrefix := sourcePrefix.Masked()
 	// Get or create destination trie for this source prefix
 	destTriePtr, exists := sl.sourceTrie.Get(canonicalSourcePrefix)
@@ -70,12 +76,12 @@ func (sl *SubnetLookup) AddSubnet(rule SubnetRule) {
 	// Canonicalize destination prefix to handle host bits correctly
 	// BART masks prefixes internally, so we need to match that behavior in our bookkeeping
-	canonicalDestPrefix := rule.DestPrefix.Masked()
+	canonicalDestPrefix := destPrefix.Masked()
 	// Add rule to destination trie
 	// Original behavior: overwrite if same (sourcePrefix, destPrefix) exists
 	// Store as single-element slice to match original overwrite behavior
-	destTriePtr.trie.Insert(canonicalDestPrefix, []*SubnetRule{rulePtr})
+	destTriePtr.trie.Insert(canonicalDestPrefix, []*SubnetRule{rule})
 	// Update destTriePtr.rules - remove old rule with same canonical prefix if exists, then add new one
 	// Use canonical comparison to handle cases like 10.0.0.5/24 vs 10.0.0.0/24
@@ -85,7 +91,7 @@ func (sl *SubnetLookup) AddSubnet(rule SubnetRule) {
 			newRules = append(newRules, r)
 		}
 	}
-	newRules = append(newRules, rulePtr)
+	newRules = append(newRules, rule)
 	destTriePtr.rules = newRules
 }
--- a/netstack2/tun.go
+++ b/netstack2/tun.go
@@ -351,13 +351,13 @@ func (net *Net) ListenUDP(laddr *net.UDPAddr) (*gonet.UDPConn, error) {
 	return net.DialUDP(laddr, nil)
 }
-// AddProxySubnetRule adds a subnet rule to the proxy handler.
+// AddProxySubnetRule adds a subnet rule to the proxy handler
-// HTTP proxy behaviour is configured via rule.Protocol, rule.HTTPTargets,
+// If portRanges is nil or empty, all ports are allowed for this subnet
-// rule.TLSCert, and rule.TLSKey; leave Protocol empty for raw TCP/UDP.
+// rewriteTo can be either an IP/CIDR (e.g., "192.168.1.1/32") or a domain name (e.g., "example.com")
-func (net *Net) AddProxySubnetRule(rule SubnetRule) {
+func (net *Net) AddProxySubnetRule(sourcePrefix, destPrefix netip.Prefix, rewriteTo string, portRanges []PortRange, disableIcmp bool, resourceId int) {
 	tun := (*netTun)(net)
 	if tun.proxyHandler != nil {
-		tun.proxyHandler.AddSubnetRule(rule)
+		tun.proxyHandler.AddSubnetRule(sourcePrefix, destPrefix, rewriteTo, portRanges, disableIcmp, resourceId)
 	}
 }
--- a/proxy/manager.go
+++ b/proxy/manager.go
@@ -23,9 +23,30 @@ import (
 const (
 	errUnsupportedProtoFmt = "unsupported protocol: %s"
-	maxUDPPacketSize       = 65507
+	maxUDPPacketSize       = 65507 // Maximum UDP packet size
 )
 // udpBufferPool provides reusable buffers for UDP packet handling.
 // This reduces GC pressure from frequent large allocations.
 var udpBufferPool = sync.Pool{
 	New: func() any {
 		buf := make([]byte, maxUDPPacketSize)
 		return &buf
 	},
 }
 // getUDPBuffer retrieves a buffer from the pool.
 func getUDPBuffer() *[]byte {
 	return udpBufferPool.Get().(*[]byte)
 }
 // putUDPBuffer clears and returns a buffer to the pool.
 func putUDPBuffer(buf *[]byte) {
 	// Clear the buffer to prevent data leakage
 	clear(*buf)
 	udpBufferPool.Put(buf)
 }
 // Target represents a proxy target with its address and port
 type Target struct {
 	Address string
@@ -555,7 +576,9 @@ func (pm *ProxyManager) handleTCPProxy(listener net.Listener, targetAddr string)
 }
 func (pm *ProxyManager) handleUDPProxy(conn *gonet.UDPConn, targetAddr string) {
-	buffer := make([]byte, maxUDPPacketSize) // Max UDP packet size
+	bufPtr := getUDPBuffer()
 	defer putUDPBuffer(bufPtr)
 	buffer := *bufPtr
 	clientConns := make(map[string]*net.UDPConn)
 	var clientsMutex sync.RWMutex
@@ -638,7 +661,10 @@ func (pm *ProxyManager) handleUDPProxy(conn *gonet.UDPConn, targetAddr string) {
 			go func(clientKey string, targetConn *net.UDPConn, remoteAddr net.Addr, tunnelID string) {
 				start := time.Now()
 				result := "success"
 				bufPtr := getUDPBuffer()
 				defer func() {
 					// Return buffer to pool first
 					putUDPBuffer(bufPtr)
 					// Always clean up when this goroutine exits
 					clientsMutex.Lock()
 					if storedConn, exists := clientConns[clientKey]; exists && storedConn == targetConn {
@@ -653,7 +679,7 @@ func (pm *ProxyManager) handleUDPProxy(conn *gonet.UDPConn, targetAddr string) {
 					telemetry.IncProxyConnectionEvent(context.Background(), tunnelID, "udp", telemetry.ProxyConnectionClosed)
 				}()
-				buffer := make([]byte, maxUDPPacketSize)
+				buffer := *bufPtr
 				for {
 					n, _, err := targetConn.ReadFromUDP(buffer)
 					if err != nil {