From f42b8aed90d1603afa725f32771e71f22c4e75bd Mon Sep 17 00:00:00 2001
From: Viktor Liu
Date: Tue, 5 May 2026 18:37:24 +0200
Subject: [PATCH] Reject port 0 in NB_DNS_FIREWALL_PORTS and roll back firewall on DNS setup failure

---
 client/internal/dns/dnsfw/config.go | 4 ++++
 client/internal/dns/dnsfw/config_test.go | 1 +
 client/internal/dns/host_windows.go | 6 +++++-
 3 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/client/internal/dns/dnsfw/config.go b/client/internal/dns/dnsfw/config.go
index 0f4fb673a..ee7981603 100644
--- a/client/internal/dns/dnsfw/config.go
+++ b/client/internal/dns/dnsfw/config.go
@@ -49,6 +49,10 @@ func blockedPorts() []uint16 {
 log.Warnf("dns firewall: ignoring invalid port %q in %s: %v", raw, EnvPorts, err)
 continue
 }
+ if port == 0 {
+ log.Warnf("dns firewall: ignoring port 0 in %s", EnvPorts)
+ continue
+ }
 ports = append(ports, uint16(port))
 }
 if len(ports) == 0 {
diff --git a/client/internal/dns/dnsfw/config_test.go b/client/internal/dns/dnsfw/config_test.go
index 12b266cd4..3a7a9d283 100644
--- a/client/internal/dns/dnsfw/config_test.go
+++ b/client/internal/dns/dnsfw/config_test.go
@@ -20,6 +20,7 @@ func TestBlockedPorts(t *testing.T) {
 {name: "override multi", ports: "53, 853 ,5353", setPorts: true, want: []uint16{53, 853, 5353}},
 {name: "override empty disables", ports: "", setPorts: true, want: nil},
 {name: "override invalid skipped", ports: "53,not-a-port,853", setPorts: true, want: []uint16{53, 853}},
+ {name: "override zero skipped", ports: "53,0,853", setPorts: true, want: []uint16{53, 853}},
 {name: "override only invalid disables", ports: "abc", setPorts: true, want: nil},
 }
 
diff --git a/client/internal/dns/host_windows.go b/client/internal/dns/host_windows.go
index 2a1cfed1f..d792d6882 100644
--- a/client/internal/dns/host_windows.go
+++ b/client/internal/dns/host_windows.go
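Review bot: The new `if port == 0` branch in blockedPorts gives no reason why zero is singled out after parsing already accepted it, and its warning drops the offending token that the sibling invalid-port warning reports via `raw`. A why-comment above the check, e.g. `// 0 is not a usable listener port; passing it to the firewall backend would produce a rule that does not match the intended DNS traffic`, and a message of the form `log.Warnf("dns firewall: ignoring port 0 (%q) in %s", raw, EnvPorts)` would keep the two branches consistent and make the log useful when operators debug NB_DNS_FIREWALL_PORTS. blockedPorts starts before the hunk, so whether `port` is parsed with a 16-bit bound cannot be confirmed here; if it is not, `uint16(port)` on the following line silently truncates values above 65535 into a different port, which deserves the same explicit rejection as 0.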
@@ -221,7 +221,11 @@ func (r *registryConfigurator) applyRouteAll(config HostDNSConfig) error {
 return fmt.Errorf("dns firewall: %w", err)
 }
 if err := r.addDNSSetupForAll(config.ServerIP); err != nil {
- return fmt.Errorf("add dns setup: %w", err)
+ merr := multierror.Append(nil, fmt.Errorf("add dns setup: %w", err))
+ if dErr := r.dnsFirewall.Disable(); dErr != nil {
+ merr = multierror.Append(merr, fmt.Errorf("rollback dns firewall: %w", dErr))
+ }
+ return nberrors.FormatErrorOrNil(merr)
 }
 return nil
 }
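Review bot: The rollback in applyRouteAll calls `r.dnsFirewall.Disable()` unconditionally, so if the firewall was already active from an earlier successful apply before this call's enable step, a failed addDNSSetupForAll tears down rules this invocation did not install; the enable call sits above the hunk, so whether Disable is idempotent or tracks prior state cannot be confirmed from here. A comment on the rollback line would document the intent for the next reader, e.g. `// addDNSSetupForAll failed: revert the firewall enable performed above so the host is not left with DNS blocked and no working resolver configured`. The ordering of `merr` already puts the root cause first and the rollback failure second, which is the right shape for operators reading the returned error; worth stating that in the same comment so a future refactor does not swap them.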