From 2a34f173c54a2978620b1af2f17fb49c291d6111 Mon Sep 17 00:00:00 2001
From: Viktor Liu <viktor@netbird.io>
Date: Fri, 10 Apr 2026 06:55:10 +0200
Subject: [PATCH] Anonymize SourcePrefixes in firewall rule debug output

---
 client/internal/debug/debug.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/client/internal/debug/debug.go b/client/internal/debug/debug.go
index ce86fd697..2c12cefca 100644
--- a/client/internal/debug/debug.go
+++ b/client/internal/debug/debug.go
@@ -1373,6 +1373,17 @@ func anonymizeFirewallRule(rule *mgmProto.FirewallRule, anonymizer *anonymize.An
 	if addr, err := netip.ParseAddr(rule.PeerIP); err == nil {
 		rule.PeerIP = anonymizer.AnonymizeIP(addr).String() //nolint:staticcheck
 	}
+
+	for i, raw := range rule.GetSourcePrefixes() {
+		p, err := netiputil.DecodePrefix(raw)
+		if err != nil {
+			continue
+		}
+		anonAddr := anonymizer.AnonymizeIP(p.Addr())
+		if b, err := netiputil.EncodePrefix(netip.PrefixFrom(anonAddr, p.Bits())); err == nil {
+			rule.SourcePrefixes[i] = b
+		}
+	}
 }
 
 func anonymizeRouteFirewallRule(rule *mgmProto.RouteFirewallRule, anonymizer *anonymize.Anonymizer) {