From 9468e69c8c4642ebe7fbe574de89c16f466013cd Mon Sep 17 00:00:00 2001
From: Viktor Liu <viktor@netbird.io>
Date: Tue, 17 Jun 2025 21:44:07 +0200
Subject: [PATCH] Extract static error

---
 client/firewall/uspfilter/filter.go | 3 +--
 client/firewall/uspfilter/nat.go    | 7 +++++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/client/firewall/uspfilter/filter.go b/client/firewall/uspfilter/filter.go
index 3355256f2..7120d7d64 100644
--- a/client/firewall/uspfilter/filter.go
+++ b/client/firewall/uspfilter/filter.go
@@ -738,8 +738,7 @@ func (m *Manager) filterInbound(packetData []byte, size int) bool {
 		return false
 	}
 
-	translated := m.translateInboundReverse(packetData, d)
-	if translated {
+	if translated := m.translateInboundReverse(packetData, d); translated {
 		// Re-decode after translation to get original addresses
 		if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
 			m.logger.Error("Failed to re-decode packet after reverse DNAT: %v", err)
diff --git a/client/firewall/uspfilter/nat.go b/client/firewall/uspfilter/nat.go
index 686b62f98..4539f7da5 100644
--- a/client/firewall/uspfilter/nat.go
+++ b/client/firewall/uspfilter/nat.go
@@ -2,6 +2,7 @@ package uspfilter
 
 import (
 	"encoding/binary"
+	"errors"
 	"fmt"
 	"net/netip"
 
@@ -10,6 +11,8 @@ import (
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 )
 
+var ErrIPv4Only = errors.New("only IPv4 is supported for DNAT")
+
 func ipv4Checksum(header []byte) uint16 {
 	if len(header) < 20 {
 		return 0
@@ -245,7 +248,7 @@ func (m *Manager) translateInboundReverse(packetData []byte, d *decoder) bool {
 // rewritePacketDestination replaces destination IP in the packet
 func (m *Manager) rewritePacketDestination(packetData []byte, d *decoder, newIP netip.Addr) error {
 	if len(packetData) < 20 || d.decoded[0] != layers.LayerTypeIPv4 || !newIP.Is4() {
-		return fmt.Errorf("only IPv4 supported")
+		return ErrIPv4Only
 	}
 
 	var oldDst [4]byte
@@ -280,7 +283,7 @@ func (m *Manager) rewritePacketDestination(packetData []byte, d *decoder, newIP
 // rewritePacketSource replaces the source IP address in the packet
 func (m *Manager) rewritePacketSource(packetData []byte, d *decoder, newIP netip.Addr) error {
 	if len(packetData) < 20 || d.decoded[0] != layers.LayerTypeIPv4 || !newIP.Is4() {
-		return fmt.Errorf("only IPv4 supported")
+		return ErrIPv4Only
 	}
 
 	var oldSrc [4]byte