Support port ranges

2026-05-03 15:46:38 +00:00 · 2025-01-23 16:35:18 +01:00
parent eb2ac039c7
commit 862d548d4d
18 changed files with 205 additions and 227 deletions
--- a/client/firewall/iptables/acl_linux.go
+++ b/client/firewall/iptables/acl_linux.go
@@ -4,7 +4,6 @@ import (
 	"fmt"
 	"net"
 	"slices"
-	"strconv"

 	"github.com/coreos/go-iptables/iptables"
 	"github.com/google/uuid"
@@ -87,19 +86,10 @@ func (m *aclManager) AddPeerFiltering(
 	action firewall.Action,
 	ipsetName string,
 ) ([]firewall.Rule, error) {
-	var dPortVal, sPortVal string
-	if dPort != nil && dPort.Values != nil {
-		// TODO: we support only one port per rule in current implementation of ACLs
-		dPortVal = strconv.Itoa(dPort.Values[0])
-	}
-	if sPort != nil && sPort.Values != nil {
-		sPortVal = strconv.Itoa(sPort.Values[0])
-	}
-
 	chain := chainNameInputRules

-	ipsetName = transformIPsetName(ipsetName, sPortVal, dPortVal)
-	specs := filterRuleSpecs(ip, string(protocol), sPortVal, dPortVal, action, ipsetName)
+	ipsetName = transformIPsetName(ipsetName, sPort, dPort)
+	specs := filterRuleSpecs(ip, string(protocol), sPort, dPort, action, ipsetName)

 	mangleSpecs := slices.Clone(specs)
 	mangleSpecs = append(mangleSpecs,
@@ -109,7 +99,6 @@ func (m *aclManager) AddPeerFiltering(
 	)

 	specs = append(specs, "-j", actionToStr(action))
-
 	if ipsetName != "" {
 		if ipList, ipsetExists := m.ipsetStore.ipset(ipsetName); ipsetExists {
 			if err := ipset.Add(ipsetName, ip.String()); err != nil {
@@ -370,7 +359,7 @@ func (m *aclManager) updateState() {
 }

 // filterRuleSpecs returns the specs of a filtering rule
-func filterRuleSpecs(ip net.IP, protocol, sPort, dPort string, action firewall.Action, ipsetName string) (specs []string) {
+func filterRuleSpecs(ip net.IP, protocol string, sPort, dPort *firewall.Port, action firewall.Action, ipsetName string) (specs []string) {
 	matchByIP := true
 	// don't use IP matching if IP is ip 0.0.0.0
 	if ip.String() == "0.0.0.0" {
@@ -387,12 +376,8 @@ func filterRuleSpecs(ip net.IP, protocol, sPort, dPort string, action firewall.A
 	if protocol != "all" {
 		specs = append(specs, "-p", protocol)
 	}
-	if sPort != "" {
-		specs = append(specs, "--sport", sPort)
-	}
-	if dPort != "" {
-		specs = append(specs, "--dport", dPort)
-	}
+	specs = append(specs, applyPort("--sport", sPort)...)
+	specs = append(specs, applyPort("--dport", dPort)...)
 	return specs
 }

@@ -403,15 +388,15 @@ func actionToStr(action firewall.Action) string {
 	return "DROP"
 }

-func transformIPsetName(ipsetName string, sPort, dPort string) string {
+func transformIPsetName(ipsetName string, sPort, dPort *firewall.Port) string {
 	switch {
 	case ipsetName == "":
 		return ""
-	case sPort != "" && dPort != "":
+	case sPort != nil && dPort != nil:
 		return ipsetName + "-sport-dport"
-	case sPort != "":
+	case sPort != nil:
 		return ipsetName + "-sport"
-	case dPort != "":
+	case dPort != nil:
 		return ipsetName + "-dport"
 	default:
 		return ipsetName
--- a/client/firewall/iptables/manager_linux_test.go
+++ b/client/firewall/iptables/manager_linux_test.go
@@ -72,7 +72,7 @@ func TestIptablesManager(t *testing.T) {
 	t.Run("add second rule", func(t *testing.T) {
 		ip := net.ParseIP("10.20.0.3")
 		port := &fw.Port{
-			Values: []int{8043: 8046},
+			Values: []uint16{8043: 8046},
 		}
 		rule2, err = manager.AddPeerFiltering(ip, "tcp", port, nil, fw.ActionAccept, "", "accept HTTPS traffic from ports range")
 		require.NoError(t, err, "failed to add rule")
@@ -95,7 +95,7 @@ func TestIptablesManager(t *testing.T) {
 	t.Run("reset check", func(t *testing.T) {
 		// add second rule
 		ip := net.ParseIP("10.20.0.3")
-		port := &fw.Port{Values: []int{5353}}
+		port := &fw.Port{Values: []uint16{5353}}
 		_, err = manager.AddPeerFiltering(ip, "udp", nil, port, fw.ActionAccept, "", "accept Fake DNS traffic")
 		require.NoError(t, err, "failed to add rule")

@@ -145,7 +145,7 @@ func TestIptablesManagerIPSet(t *testing.T) {
 	t.Run("add second rule", func(t *testing.T) {
 		ip := net.ParseIP("10.20.0.3")
 		port := &fw.Port{
-			Values: []int{443},
+			Values: []uint16{443},
 		}
 		rule2, err = manager.AddPeerFiltering(ip, "tcp", port, nil, fw.ActionAccept, "default", "accept HTTPS traffic from ports range")
 		for _, r := range rule2 {
@@ -214,7 +214,7 @@ func TestIptablesCreatePerformance(t *testing.T) {
 			ip := net.ParseIP("10.20.0.100")
 			start := time.Now()
 			for i := 0; i < testMax; i++ {
-				port := &fw.Port{Values: []int{1000 + i}}
+				port := &fw.Port{Values: []uint16{uint16(1000 + i)}}
 				_, err = manager.AddPeerFiltering(ip, "tcp", nil, port, fw.ActionAccept, "", "accept HTTP traffic")

 				require.NoError(t, err, "failed to add rule")
--- a/client/firewall/iptables/router_linux.go
+++ b/client/firewall/iptables/router_linux.go
@@ -590,10 +590,10 @@ func applyPort(flag string, port *firewall.Port) []string {
 	if len(port.Values) > 1 {
 		portList := make([]string, len(port.Values))
 		for i, p := range port.Values {
-			portList[i] = strconv.Itoa(p)
+			portList[i] = strconv.Itoa(int(p))
 		}
 		return []string{"-m", "multiport", flag, strings.Join(portList, ",")}
 	}

-	return []string{flag, strconv.Itoa(port.Values[0])}
+	return []string{flag, strconv.Itoa(int(port.Values[0]))}
 }
--- a/client/firewall/iptables/router_linux_test.go
+++ b/client/firewall/iptables/router_linux_test.go
@@ -239,7 +239,7 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 			destination: netip.MustParsePrefix("10.0.0.0/24"),
 			proto:       firewall.ProtocolTCP,
 			sPort:       nil,
-			dPort:       &firewall.Port{Values: []int{80}},
+			dPort:       &firewall.Port{Values: []uint16{80}},
 			direction:   firewall.RuleDirectionIN,
 			action:      firewall.ActionAccept,
 			expectSet:   false,
@@ -252,7 +252,7 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 			},
 			destination: netip.MustParsePrefix("10.0.0.0/8"),
 			proto:       firewall.ProtocolUDP,
-			sPort:       &firewall.Port{Values: []int{1024, 2048}, IsRange: true},
+			sPort:       &firewall.Port{Values: []uint16{1024, 2048}, IsRange: true},
 			dPort:       nil,
 			direction:   firewall.RuleDirectionOUT,
 			action:      firewall.ActionDrop,
@@ -285,7 +285,7 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 			sources:     []netip.Prefix{netip.MustParsePrefix("172.16.0.0/12")},
 			destination: netip.MustParsePrefix("192.168.0.0/16"),
 			proto:       firewall.ProtocolTCP,
-			sPort:       &firewall.Port{Values: []int{80, 443, 8080}},
+			sPort:       &firewall.Port{Values: []uint16{80, 443, 8080}},
 			dPort:       nil,
 			direction:   firewall.RuleDirectionOUT,
 			action:      firewall.ActionAccept,
@@ -297,7 +297,7 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 			destination: netip.MustParsePrefix("10.0.0.0/24"),
 			proto:       firewall.ProtocolUDP,
 			sPort:       nil,
-			dPort:       &firewall.Port{Values: []int{5000, 5100}, IsRange: true},
+			dPort:       &firewall.Port{Values: []uint16{5000, 5100}, IsRange: true},
 			direction:   firewall.RuleDirectionIN,
 			action:      firewall.ActionDrop,
 			expectSet:   false,
@@ -307,8 +307,8 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 			sources:     []netip.Prefix{netip.MustParsePrefix("10.0.0.0/24")},
 			destination: netip.MustParsePrefix("172.16.0.0/16"),
 			proto:       firewall.ProtocolTCP,
-			sPort:       &firewall.Port{Values: []int{1024, 65535}, IsRange: true},
-			dPort:       &firewall.Port{Values: []int{22}},
+			sPort:       &firewall.Port{Values: []uint16{1024, 65535}, IsRange: true},
+			dPort:       &firewall.Port{Values: []uint16{22}},
 			direction:   firewall.RuleDirectionOUT,
 			action:      firewall.ActionAccept,
 			expectSet:   false,
--- a/client/firewall/manager/port.go
+++ b/client/firewall/manager/port.go
@@ -30,7 +30,7 @@ type Port struct {
 	IsRange bool

 	// Values contains one value for single port, multiple values for the list of ports, or two values for the range of ports
-	Values []int
+	Values []uint16
 }

 // String interface implementation
@@ -40,7 +40,11 @@ func (p *Port) String() string {
 		if ports != "" {
 			ports += ","
 		}
-		ports += strconv.Itoa(port)
+		ports += strconv.Itoa(int(port))
 	}
+	if p.IsRange {
+		ports = "range:" + ports
+	}
+
 	return ports
 }
--- a/client/firewall/nftables/acl_linux.go
+++ b/client/firewall/nftables/acl_linux.go
@@ -327,37 +327,8 @@ func (m *AclManager) addIOFiltering(
 		}
 	}

-	if sPort != nil && len(sPort.Values) != 0 {
-		expressions = append(expressions,
-			&expr.Payload{
-				DestRegister: 1,
-				Base:         expr.PayloadBaseTransportHeader,
-				Offset:       0,
-				Len:          2,
-			},
-			&expr.Cmp{
-				Op:       expr.CmpOpEq,
-				Register: 1,
-				Data:     encodePort(*sPort),
-			},
-		)
-	}
-
-	if dPort != nil && len(dPort.Values) != 0 {
-		expressions = append(expressions,
-			&expr.Payload{
-				DestRegister: 1,
-				Base:         expr.PayloadBaseTransportHeader,
-				Offset:       2,
-				Len:          2,
-			},
-			&expr.Cmp{
-				Op:       expr.CmpOpEq,
-				Register: 1,
-				Data:     encodePort(*dPort),
-			},
-		)
-	}
+	expressions = append(expressions, applyPort(sPort, true)...)
+	expressions = append(expressions, applyPort(dPort, false)...)

 	mainExpressions := slices.Clone(expressions)

--- a/client/firewall/nftables/manager_linux_test.go
+++ b/client/firewall/nftables/manager_linux_test.go
@@ -74,7 +74,7 @@ func TestNftablesManager(t *testing.T) {

 	testClient := &nftables.Conn{}

-	rule, err := manager.AddPeerFiltering(ip, fw.ProtocolTCP, nil, &fw.Port{Values: []int{53}}, fw.ActionDrop, "", "")
+	rule, err := manager.AddPeerFiltering(ip, fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{53}}, fw.ActionDrop, "", "")
 	require.NoError(t, err, "failed to add rule")

 	err = manager.Flush()
@@ -200,7 +200,7 @@ func TestNFtablesCreatePerformance(t *testing.T) {
 			ip := net.ParseIP("10.20.0.100")
 			start := time.Now()
 			for i := 0; i < testMax; i++ {
-				port := &fw.Port{Values: []int{1000 + i}}
+				port := &fw.Port{Values: []uint16{uint16(1000 + i)}}
 				_, err = manager.AddPeerFiltering(ip, "tcp", nil, port, fw.ActionAccept, "", "accept HTTP traffic")
 				require.NoError(t, err, "failed to add rule")

@@ -283,7 +283,7 @@ func TestNftablesManagerCompatibilityWithIptables(t *testing.T) {
 	})

 	ip := net.ParseIP("100.96.0.1")
-	_, err = manager.AddPeerFiltering(ip, fw.ProtocolTCP, nil, &fw.Port{Values: []int{80}}, fw.ActionAccept, "", "test rule")
+	_, err = manager.AddPeerFiltering(ip, fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{80}}, fw.ActionAccept, "", "test rule")
 	require.NoError(t, err, "failed to add peer filtering rule")

 	_, err = manager.AddRouteFiltering(
@@ -291,7 +291,7 @@ func TestNftablesManagerCompatibilityWithIptables(t *testing.T) {
 		netip.MustParsePrefix("10.1.0.0/24"),
 		fw.ProtocolTCP,
 		nil,
-		&fw.Port{Values: []int{443}},
+		&fw.Port{Values: []uint16{443}},
 		fw.ActionAccept,
 	)
 	require.NoError(t, err, "failed to add route filtering rule")
--- a/client/firewall/nftables/router_linux.go
+++ b/client/firewall/nftables/router_linux.go
@@ -956,12 +956,12 @@ func applyPort(port *firewall.Port, isSource bool) []expr.Any {
 			&expr.Cmp{
 				Op:       expr.CmpOpGte,
 				Register: 1,
-				Data:     binaryutil.BigEndian.PutUint16(uint16(port.Values[0])),
+				Data:     binaryutil.BigEndian.PutUint16(port.Values[0]),
 			},
 			&expr.Cmp{
 				Op:       expr.CmpOpLte,
 				Register: 1,
-				Data:     binaryutil.BigEndian.PutUint16(uint16(port.Values[1])),
+				Data:     binaryutil.BigEndian.PutUint16(port.Values[1]),
 			},
 		)
 	} else {
@@ -980,7 +980,7 @@ func applyPort(port *firewall.Port, isSource bool) []expr.Any {
 			exprs = append(exprs, &expr.Cmp{
 				Op:       expr.CmpOpEq,
 				Register: 1,
-				Data:     binaryutil.BigEndian.PutUint16(uint16(p)),
+				Data:     binaryutil.BigEndian.PutUint16(p),
 			})
 		}
 	}
--- a/client/firewall/nftables/router_linux_test.go
+++ b/client/firewall/nftables/router_linux_test.go
@@ -222,7 +222,7 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 			destination: netip.MustParsePrefix("10.0.0.0/24"),
 			proto:       firewall.ProtocolTCP,
 			sPort:       nil,
-			dPort:       &firewall.Port{Values: []int{80}},
+			dPort:       &firewall.Port{Values: []uint16{80}},
 			direction:   firewall.RuleDirectionIN,
 			action:      firewall.ActionAccept,
 			expectSet:   false,
@@ -235,7 +235,7 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 			},
 			destination: netip.MustParsePrefix("10.0.0.0/8"),
 			proto:       firewall.ProtocolUDP,
-			sPort:       &firewall.Port{Values: []int{1024, 2048}, IsRange: true},
+			sPort:       &firewall.Port{Values: []uint16{1024, 2048}, IsRange: true},
 			dPort:       nil,
 			direction:   firewall.RuleDirectionOUT,
 			action:      firewall.ActionDrop,
@@ -268,7 +268,7 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 			sources:     []netip.Prefix{netip.MustParsePrefix("172.16.0.0/12")},
 			destination: netip.MustParsePrefix("192.168.0.0/16"),
 			proto:       firewall.ProtocolTCP,
-			sPort:       &firewall.Port{Values: []int{80, 443, 8080}},
+			sPort:       &firewall.Port{Values: []uint16{80, 443, 8080}},
 			dPort:       nil,
 			direction:   firewall.RuleDirectionOUT,
 			action:      firewall.ActionAccept,
@@ -280,7 +280,7 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 			destination: netip.MustParsePrefix("10.0.0.0/24"),
 			proto:       firewall.ProtocolUDP,
 			sPort:       nil,
-			dPort:       &firewall.Port{Values: []int{5000, 5100}, IsRange: true},
+			dPort:       &firewall.Port{Values: []uint16{5000, 5100}, IsRange: true},
 			direction:   firewall.RuleDirectionIN,
 			action:      firewall.ActionDrop,
 			expectSet:   false,
@@ -290,8 +290,8 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 			sources:     []netip.Prefix{netip.MustParsePrefix("10.0.0.0/24")},
 			destination: netip.MustParsePrefix("172.16.0.0/16"),
 			proto:       firewall.ProtocolTCP,
-			sPort:       &firewall.Port{Values: []int{1024, 65535}, IsRange: true},
-			dPort:       &firewall.Port{Values: []int{22}},
+			sPort:       &firewall.Port{Values: []uint16{1024, 65535}, IsRange: true},
+			dPort:       &firewall.Port{Values: []uint16{22}},
 			direction:   firewall.RuleDirectionOUT,
 			action:      firewall.ActionAccept,
 			expectSet:   false,
--- a/client/firewall/uspfilter/rule.go
+++ b/client/firewall/uspfilter/rule.go
@@ -4,6 +4,8 @@ import (
 	"net"

 	"github.com/google/gopacket"
+
+	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 )

 // Rule to handle management of rules
@@ -13,8 +15,8 @@ type Rule struct {
 	ipLayer    gopacket.LayerType
 	matchByIP  bool
 	protoLayer gopacket.LayerType
-	sPort      uint16
-	dPort      uint16
+	sPort      *firewall.Port
+	dPort      *firewall.Port
 	drop       bool
 	comment    string

--- a/client/firewall/uspfilter/uspfilter.go
+++ b/client/firewall/uspfilter/uspfilter.go
@@ -179,13 +179,8 @@ func (m *Manager) AddPeerFiltering(
 		r.matchByIP = false
 	}

-	if sPort != nil && len(sPort.Values) == 1 {
-		r.sPort = uint16(sPort.Values[0])
-	}
-
-	if dPort != nil && len(dPort.Values) == 1 {
-		r.dPort = uint16(dPort.Values[0])
-	}
+	r.sPort = sPort
+	r.dPort = dPort

 	switch proto {
 	case firewall.ProtocolTCP:
@@ -364,7 +359,7 @@ func (m *Manager) checkUDPHooks(d *decoder, dstIP net.IP, packetData []byte) boo
 	for _, ipKey := range []string{dstIP.String(), "0.0.0.0", "::"} {
 		if rules, exists := m.outgoingRules[ipKey]; exists {
 			for _, rule := range rules {
-				if rule.udpHook != nil && (rule.dPort == 0 || rule.dPort == uint16(d.udp.DstPort)) {
+				if rule.udpHook != nil && portsMatch(rule.dPort, uint16(d.udp.DstPort)) {
 					return rule.udpHook(packetData)
 				}
 			}
@@ -484,6 +479,23 @@ func (m *Manager) applyRules(srcIP net.IP, packetData []byte, rules map[string]R
 	return true
 }

+func portsMatch(rulePort *firewall.Port, packetPort uint16) bool {
+	if rulePort == nil {
+		return true
+	}
+
+	if rulePort.IsRange {
+		return packetPort >= rulePort.Values[0] && packetPort <= rulePort.Values[1]
+	}
+
+	for _, p := range rulePort.Values {
+		if p == packetPort {
+			return true
+		}
+	}
+	return false
+}
+
 func validateRule(ip net.IP, packetData []byte, rules map[string]Rule, d *decoder) (bool, bool) {
 	payloadLayer := d.decoded[1]
 	for _, rule := range rules {
@@ -501,13 +513,7 @@ func validateRule(ip net.IP, packetData []byte, rules map[string]Rule, d *decode

 		switch payloadLayer {
 		case layers.LayerTypeTCP:
-			if rule.sPort == 0 && rule.dPort == 0 {
-				return rule.drop, true
-			}
-			if rule.sPort != 0 && rule.sPort == uint16(d.tcp.SrcPort) {
-				return rule.drop, true
-			}
-			if rule.dPort != 0 && rule.dPort == uint16(d.tcp.DstPort) {
+			if portsMatch(rule.sPort, uint16(d.tcp.SrcPort)) && portsMatch(rule.dPort, uint16(d.tcp.DstPort)) {
 				return rule.drop, true
 			}
 		case layers.LayerTypeUDP:
@@ -517,13 +523,7 @@ func validateRule(ip net.IP, packetData []byte, rules map[string]Rule, d *decode
 				return rule.udpHook(packetData), true
 			}

-			if rule.sPort == 0 && rule.dPort == 0 {
-				return rule.drop, true
-			}
-			if rule.sPort != 0 && rule.sPort == uint16(d.udp.SrcPort) {
-				return rule.drop, true
-			}
-			if rule.dPort != 0 && rule.dPort == uint16(d.udp.DstPort) {
+			if portsMatch(rule.sPort, uint16(d.tcp.SrcPort)) && portsMatch(rule.dPort, uint16(d.tcp.DstPort)) {
 				return rule.drop, true
 			}
 		case layers.LayerTypeICMPv4, layers.LayerTypeICMPv6:
@@ -548,7 +548,7 @@ func (m *Manager) AddUDPPacketHook(
 		id:         uuid.New().String(),
 		ip:         ip,
 		protoLayer: layers.LayerTypeUDP,
-		dPort:      dPort,
+		dPort:      &firewall.Port{Values: []uint16{dPort}},
 		ipLayer:    layers.LayerTypeIPv6,
 		comment:    fmt.Sprintf("UDP Hook direction: %v, ip:%v, dport:%d", in, ip, dPort),
 		udpHook:    hook,
--- a/client/firewall/uspfilter/uspfilter_bench_test.go
+++ b/client/firewall/uspfilter/uspfilter_bench_test.go
@@ -112,8 +112,8 @@ func BenchmarkCoreFiltering(b *testing.B) {
 				for i := 0; i < 1000; i++ { // Simulate realistic ruleset size
 					ip := generateRandomIPs(1)[0]
 					_, err := m.AddPeerFiltering(ip, fw.ProtocolTCP,
-						&fw.Port{Values: []int{1024 + i}},
-						&fw.Port{Values: []int{80}},
+						&fw.Port{Values: []uint16{uint16(1024 + i)}},
+						&fw.Port{Values: []uint16{80}},
 						fw.ActionAccept, "", "explicit return")
 					require.NoError(b, err)
 				}
@@ -588,7 +588,7 @@ func BenchmarkLongLivedConnections(b *testing.B) {
 			if sc.rules {
 				// Single rule to allow all return traffic from port 80
 				_, err := manager.AddPeerFiltering(net.ParseIP("0.0.0.0"), fw.ProtocolTCP,
-					&fw.Port{Values: []int{80}},
+					&fw.Port{Values: []uint16{80}},
 					nil,
 					fw.ActionAccept, "", "return traffic")
 				require.NoError(b, err)
@@ -679,7 +679,7 @@ func BenchmarkShortLivedConnections(b *testing.B) {
 			if sc.rules {
 				// Single rule to allow all return traffic from port 80
 				_, err := manager.AddPeerFiltering(net.ParseIP("0.0.0.0"), fw.ProtocolTCP,
-					&fw.Port{Values: []int{80}},
+					&fw.Port{Values: []uint16{80}},
 					nil,
 					fw.ActionAccept, "", "return traffic")
 				require.NoError(b, err)
@@ -797,7 +797,7 @@ func BenchmarkParallelLongLivedConnections(b *testing.B) {
 			// Setup initial state based on scenario
 			if sc.rules {
 				_, err := manager.AddPeerFiltering(net.ParseIP("0.0.0.0"), fw.ProtocolTCP,
-					&fw.Port{Values: []int{80}},
+					&fw.Port{Values: []uint16{80}},
 					nil,
 					fw.ActionAccept, "", "return traffic")
 				require.NoError(b, err)
@@ -884,7 +884,7 @@ func BenchmarkParallelShortLivedConnections(b *testing.B) {

 			if sc.rules {
 				_, err := manager.AddPeerFiltering(net.ParseIP("0.0.0.0"), fw.ProtocolTCP,
-					&fw.Port{Values: []int{80}},
+					&fw.Port{Values: []uint16{80}},
 					nil,
 					fw.ActionAccept, "", "return traffic")
 				require.NoError(b, err)
--- a/client/firewall/uspfilter/uspfilter_test.go
+++ b/client/firewall/uspfilter/uspfilter_test.go
@@ -69,7 +69,7 @@ func TestManagerAddPeerFiltering(t *testing.T) {

 	ip := net.ParseIP("192.168.1.1")
 	proto := fw.ProtocolTCP
-	port := &fw.Port{Values: []int{80}}
+	port := &fw.Port{Values: []uint16{80}}
 	action := fw.ActionDrop
 	comment := "Test rule"

@@ -103,7 +103,7 @@ func TestManagerDeleteRule(t *testing.T) {

 	ip := net.ParseIP("192.168.1.1")
 	proto := fw.ProtocolTCP
-	port := &fw.Port{Values: []int{80}}
+	port := &fw.Port{Values: []uint16{80}}
 	action := fw.ActionDrop
 	comment := "Test rule 2"

@@ -194,8 +194,8 @@ func TestAddUDPPacketHook(t *testing.T) {
 				t.Errorf("expected ip %s, got %s", tt.ip, addedRule.ip)
 				return
 			}
-			if tt.dPort != addedRule.dPort {
-				t.Errorf("expected dPort %d, got %d", tt.dPort, addedRule.dPort)
+			if tt.dPort != addedRule.dPort.Values[0] {
+				t.Errorf("expected dPort %d, got %d", tt.dPort, addedRule.dPort.Values[0])
 				return
 			}
 			if layers.LayerTypeUDP != addedRule.protoLayer {
@@ -223,7 +223,7 @@ func TestManagerReset(t *testing.T) {

 	ip := net.ParseIP("192.168.1.1")
 	proto := fw.ProtocolTCP
-	port := &fw.Port{Values: []int{80}}
+	port := &fw.Port{Values: []uint16{80}}
 	action := fw.ActionDrop
 	comment := "Test rule"

@@ -463,7 +463,7 @@ func TestUSPFilterCreatePerformance(t *testing.T) {
 			ip := net.ParseIP("10.20.0.100")
 			start := time.Now()
 			for i := 0; i < testMax; i++ {
-				port := &fw.Port{Values: []int{1000 + i}}
+				port := &fw.Port{Values: []uint16{uint16(1000 + i)}}
 				_, err = manager.AddPeerFiltering(ip, "tcp", nil, port, fw.ActionAccept, "", "accept HTTP traffic")

 				require.NoError(t, err, "failed to add rule")