remove duplicate PolicyID from FirewallRule struct

Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
Merge branch 'feature/flow' into restore-pr-3440
2026-06-02 22:19:54 +00:00 · 2025-03-14 14:08:36 +03:00 · 2025-03-14 14:03:11 +03:00 · 2025-03-14 18:57:23 +08:00 · 2025-03-14 01:36:46 +08:00 · 2025-03-11 15:06:24 +03:00
26 changed files with 316 additions and 351 deletions
--- a/README.md
+++ b/README.md
@@ -12,7 +12,7 @@
       <img src="https://img.shields.io/badge/license-BSD--3-blue" />
     </a> 
    <br>
-    <a href="https://join.slack.com/t/netbirdio/shared_invite/zt-2utg2ncdz-W7LEB6toRBLE1Jca37dYpg">
+    <a href="https://join.slack.com/t/netbirdio/shared_invite/zt-31rofwmxc-27akKd0Le0vyRpBcwXkP0g">
        <img src="https://img.shields.io/badge/slack-@netbird-red.svg?logo=slack"/>
     </a>  
     <br>
@@ -29,7 +29,7 @@
  <br/>
  See <a href="https://netbird.io/docs/">Documentation</a>
  <br/>
-   Join our <a href="https://join.slack.com/t/netbirdio/shared_invite/zt-2utg2ncdz-W7LEB6toRBLE1Jca37dYpg">Slack channel</a>
+   Join our <a href="https://join.slack.com/t/netbirdio/shared_invite/zt-31rofwmxc-27akKd0Le0vyRpBcwXkP0g">Slack channel</a>
  <br/>
 
 </strong>
--- a/client/internal/acl/manager.go
+++ b/client/internal/acl/manager.go
@@ -240,7 +240,7 @@ func (d *DefaultManager) applyRouteACL(rule *mgmProto.RouteFirewallRule) (id.Rul

 	dPorts := convertPortInfo(rule.PortInfo)

-	addedRule, err := d.firewall.AddRouteFiltering(rule.Id, sources, destination, protocol, nil, dPorts, action)
+	addedRule, err := d.firewall.AddRouteFiltering(rule.PolicyID, sources, destination, protocol, nil, dPorts, action)
 	if err != nil {
 		return "", fmt.Errorf("add route rule: %w", err)
 	}
@@ -289,11 +289,11 @@ func (d *DefaultManager) protoRuleToFirewallRule(
 	var rules []firewall.Rule
 	switch r.Direction {
 	case mgmProto.RuleDirection_IN:
-		rules, err = d.addInRules(r.Id, ip, protocol, port, action, ipsetName)
+		rules, err = d.addInRules(r.PolicyID, ip, protocol, port, action, ipsetName)
 	case mgmProto.RuleDirection_OUT:
 		// TODO: Remove this soon. Outbound rules are obsolete.
 		// We only maintain this for return traffic (inbound dir) which is now handled by the stateful firewall already
-		rules, err = d.addOutRules(r.Id, ip, protocol, port, action, ipsetName)
+		rules, err = d.addOutRules(r.PolicyID, ip, protocol, port, action, ipsetName)
 	default:
 		return "", nil, fmt.Errorf("invalid direction, skipping firewall rule")
 	}
--- a/client/internal/netflow/logger/logger.go
+++ b/client/internal/netflow/logger/logger.go
@@ -2,6 +2,7 @@ package logger

 import (
 	"context"
+	"net"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -23,15 +24,18 @@ type Logger struct {
 	rcvChan        atomic.Pointer[rcvChan]
 	cancelReceiver context.CancelFunc
 	statusRecorder *peer.Status
+	wgIfaceIPNet   net.IPNet
 	Store          types.Store
 }

-func New(ctx context.Context, statusRecorder *peer.Status) *Logger {
+func New(ctx context.Context, statusRecorder *peer.Status, wgIfaceIPNet net.IPNet) *Logger {
+
 	ctx, cancel := context.WithCancel(ctx)
 	return &Logger{
 		ctx:            ctx,
 		cancel:         cancel,
 		statusRecorder: statusRecorder,
+		wgIfaceIPNet:   wgIfaceIPNet,
 		Store:          store.NewMemoryStore(),
 	}
 }
@@ -83,9 +87,17 @@ func (l *Logger) startReceiver() {
 				EventFields: *eventFields,
 				Timestamp:   time.Now(),
 			}
-			srcResId, dstResId := l.statusRecorder.CheckRoutes(event.SourceIP, event.DestIP, event.Direction)
-			event.SourceResourceID = []byte(srcResId)
-			event.DestResourceID = []byte(dstResId)
+
+			if event.Direction == types.Ingress {
+				if !l.wgIfaceIPNet.Contains(net.IP(event.SourceIP.AsSlice())) {
+					event.SourceResourceID = []byte(l.statusRecorder.CheckRoutes(event.SourceIP))
+				}
+			} else if event.Direction == types.Egress {
+				if !l.wgIfaceIPNet.Contains(net.IP(event.DestIP.AsSlice())) {
+					event.DestResourceID = []byte(l.statusRecorder.CheckRoutes(event.DestIP))
+				}
+			}
+
 			l.Store.StoreEvent(&event)
 		}
 	}
--- a/client/internal/netflow/logger/logger_test.go
+++ b/client/internal/netflow/logger/logger_test.go
@@ -2,6 +2,7 @@ package logger_test

 import (
 	"context"
+	"net"
 	"testing"
 	"time"

@@ -12,7 +13,7 @@ import (
 )

 func TestStore(t *testing.T) {
-	logger := logger.New(context.Background(), nil)
+	logger := logger.New(context.Background(), nil, net.IPNet{})
 	logger.Enable()

 	event := types.EventFields{
--- a/client/internal/netflow/manager.go
+++ b/client/internal/netflow/manager.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"net"
 	"runtime"
 	"sync"
 	"time"
@@ -33,7 +34,11 @@ type Manager struct {

 // NewManager creates a new netflow manager
 func NewManager(ctx context.Context, iface nftypes.IFaceMapper, publicKey []byte, statusRecorder *peer.Status) *Manager {
-	flowLogger := logger.New(ctx, statusRecorder)
+	var ipNet net.IPNet
+	if iface != nil {
+		ipNet = *iface.Address().Network
+	}
+	flowLogger := logger.New(ctx, statusRecorder, ipNet)

 	var ct nftypes.ConnTracker
 	if runtime.GOOS == "linux" && iface != nil && !iface.IsUserspaceBind() {
--- a/client/internal/peer/route.go
+++ b/client/internal/peer/route.go
@@ -5,8 +5,6 @@ import (
 	"sync"

 	log "github.com/sirupsen/logrus"
-
-	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
 )

 type routeIDLookup struct {
@@ -38,7 +36,6 @@ func (r *routeIDLookup) RemoveRemoteRouteID(route netip.Prefix) {
 }

 func (r *routeIDLookup) AddResolvedIP(resourceID string, route netip.Prefix) {
-
 	r.resolvedIPs.Store(route.Addr(), resourceID)
 }

@@ -46,55 +43,31 @@ func (r *routeIDLookup) RemoveResolvedIP(route netip.Prefix) {
 	r.resolvedIPs.Delete(route.Addr())
 }

-func (r *routeIDLookup) Lookup(src, dst netip.Addr, direction nftypes.Direction) (srcResourceID, dstResourceID string) {
-
-	// check resolved ip's first
-	resId, ok := r.resolvedIPs.Load(src)
+func (r *routeIDLookup) Lookup(ip netip.Addr) string {
+	resId, ok := r.resolvedIPs.Load(ip)
 	if ok {
-		srcResourceID = resId.(string)
-	} else {
-		resId, ok := r.resolvedIPs.Load(dst)
-		if ok {
-			dstResourceID = resId.(string)
-		}
+		return resId.(string)
 	}

-	switch direction {
-	case nftypes.Ingress:
-		if srcResourceID == "" || dstResourceID == "" {
-			r.localMap.Range(func(key, value interface{}) bool {
-				if srcResourceID == "" && key.(netip.Prefix).Contains(src) {
-					srcResourceID = value.(string)
+	var resourceID string
+	r.localMap.Range(func(key, value interface{}) bool {
+		if key.(netip.Prefix).Contains(ip) {
+			resourceID = value.(string)
+			return false

-				} else if dstResourceID == "" && key.(netip.Prefix).Contains(dst) {
-					dstResourceID = value.(string)
-				}
-
-				if srcResourceID != "" && dstResourceID != "" {
-					return false
-				}
-
-				return true
-			})
 		}
-	case nftypes.Egress:
-		if srcResourceID == "" || dstResourceID == "" {
-			r.remoteMap.Range(func(key, value interface{}) bool {
-				if srcResourceID == "" && key.(netip.Prefix).Contains(src) {
-					srcResourceID = value.(string)
+		return true
+	})

-				} else if dstResourceID == "" && key.(netip.Prefix).Contains(dst) {
-					dstResourceID = value.(string)
-				}
-
-				if srcResourceID != "" && dstResourceID != "" {
-					return false
-				}
-
-				return true
-			})
-		}
+	if resourceID == "" {
+		r.remoteMap.Range(func(key, value interface{}) bool {
+			if key.(netip.Prefix).Contains(ip) {
+				resourceID = value.(string)
+				return false
+			}
+			return true
+		})
 	}

-	return srcResourceID, dstResourceID
+	return resourceID
 }
--- a/client/internal/peer/status.go
+++ b/client/internal/peer/status.go
@@ -17,7 +17,6 @@ import (
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface/configurer"
 	"github.com/netbirdio/netbird/client/internal/ingressgw"
-	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
 	"github.com/netbirdio/netbird/client/internal/relay"
 	"github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/management/domain"
@@ -365,12 +364,11 @@ func (d *Status) RemovePeerStateRoute(peer string, route string) error {

 // CheckRoutes checks if the source and destination addresses are within the same route
 // and returns the resource ID of the route that contains the addresses
-func (d *Status) CheckRoutes(src, dst netip.Addr, direction nftypes.Direction) (srcResId string, dstResId string) {
+func (d *Status) CheckRoutes(ip netip.Addr) (resId string) {
 	if d == nil {
 		return
 	}
-
-	return d.routeIDLookup.Lookup(src, dst, direction)
+	return d.routeIDLookup.Lookup(ip)
 }

 func (d *Status) UpdatePeerICEState(receivedState State) error {
--- a/management/proto/management.pb.go
+++ b/management/proto/management.pb.go
@@ -2738,8 +2738,8 @@ type FirewallRule struct {
 	Protocol  RuleProtocol  `protobuf:"varint,4,opt,name=Protocol,proto3,enum=management.RuleProtocol" json:"Protocol,omitempty"`
 	Port      string        `protobuf:"bytes,5,opt,name=Port,proto3" json:"Port,omitempty"`
 	PortInfo  *PortInfo     `protobuf:"bytes,6,opt,name=PortInfo,proto3" json:"PortInfo,omitempty"`
-	// Id is the unique rule Id
-	Id []byte `protobuf:"bytes,7,opt,name=id,proto3" json:"id,omitempty"`
+	// PolicyID is the ID of the policy that this rule belongs to
+	PolicyID []byte `protobuf:"bytes,7,opt,name=PolicyID,proto3" json:"PolicyID,omitempty"`
 }

 func (x *FirewallRule) Reset() {
@@ -2816,9 +2816,9 @@ func (x *FirewallRule) GetPortInfo() *PortInfo {
 	return nil
 }

-func (x *FirewallRule) GetId() []byte {
+func (x *FirewallRule) GetPolicyID() []byte {
 	if x != nil {
-		return x.Id
+		return x.PolicyID
 	}
 	return nil
 }
@@ -3028,8 +3028,8 @@ type RouteFirewallRule struct {
 	Domains []string `protobuf:"bytes,7,rep,name=domains,proto3" json:"domains,omitempty"`
 	// CustomProtocol is a custom protocol ID.
 	CustomProtocol uint32 `protobuf:"varint,8,opt,name=customProtocol,proto3" json:"customProtocol,omitempty"`
-	// Id is the unique rule Id
-	Id []byte `protobuf:"bytes,9,opt,name=id,proto3" json:"id,omitempty"`
+	// PolicyID is the ID of the policy that this rule belongs to
+	PolicyID []byte `protobuf:"bytes,9,opt,name=PolicyID,proto3" json:"PolicyID,omitempty"`
 }

 func (x *RouteFirewallRule) Reset() {
@@ -3120,9 +3120,9 @@ func (x *RouteFirewallRule) GetCustomProtocol() uint32 {
 	return 0
 }

-func (x *RouteFirewallRule) GetId() []byte {
+func (x *RouteFirewallRule) GetPolicyID() []byte {
 	if x != nil {
-		return x.Id
+		return x.PolicyID
 	}
 	return nil
 }
@@ -3633,7 +3633,7 @@ var file_management_proto_rawDesc = []byte{
 	0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x49, 0x50, 0x12, 0x16, 0x0a, 0x06, 0x4e, 0x53,
 	0x54, 0x79, 0x70, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x03, 0x52, 0x06, 0x4e, 0x53, 0x54, 0x79,
 	0x70, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x50, 0x6f, 0x72, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x03,
-	0x52, 0x04, 0x50, 0x6f, 0x72, 0x74, 0x22, 0x9b, 0x02, 0x0a, 0x0c, 0x46, 0x69, 0x72, 0x65, 0x77,
+	0x52, 0x04, 0x50, 0x6f, 0x72, 0x74, 0x22, 0xa7, 0x02, 0x0a, 0x0c, 0x46, 0x69, 0x72, 0x65, 0x77,
 	0x61, 0x6c, 0x6c, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x50, 0x65, 0x65, 0x72, 0x49,
 	0x50, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x50, 0x65, 0x65, 0x72, 0x49, 0x50, 0x12,
 	0x37, 0x0a, 0x09, 0x44, 0x69, 0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01,
@@ -3650,104 +3650,106 @@ var file_management_proto_rawDesc = []byte{
 	0x72, 0x74, 0x12, 0x30, 0x0a, 0x08, 0x50, 0x6f, 0x72, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x18, 0x06,
 	0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e,
 	0x74, 0x2e, 0x50, 0x6f, 0x72, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x08, 0x50, 0x6f, 0x72, 0x74,
-	0x49, 0x6e, 0x66, 0x6f, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0c,
-	0x52, 0x02, 0x69, 0x64, 0x22, 0x38, 0x0a, 0x0e, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x41,
-	0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x12, 0x14, 0x0a, 0x05, 0x6e, 0x65, 0x74, 0x49, 0x50, 0x18,
-	0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x6e, 0x65, 0x74, 0x49, 0x50, 0x12, 0x10, 0x0a, 0x03,
-	0x6d, 0x61, 0x63, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6d, 0x61, 0x63, 0x22, 0x1e,
-	0x0a, 0x06, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x73, 0x12, 0x14, 0x0a, 0x05, 0x46, 0x69, 0x6c, 0x65,
-	0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x05, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x22, 0x96,
-	0x01, 0x0a, 0x08, 0x50, 0x6f, 0x72, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x14, 0x0a, 0x04, 0x70,
-	0x6f, 0x72, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0d, 0x48, 0x00, 0x52, 0x04, 0x70, 0x6f, 0x72,
-	0x74, 0x12, 0x32, 0x0a, 0x05, 0x72, 0x61, 0x6e, 0x67, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b,
-	0x32, 0x1a, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x50, 0x6f,
-	0x72, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x2e, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x48, 0x00, 0x52, 0x05,
-	0x72, 0x61, 0x6e, 0x67, 0x65, 0x1a, 0x2f, 0x0a, 0x05, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x12, 0x14,
-	0x0a, 0x05, 0x73, 0x74, 0x61, 0x72, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x05, 0x73,
-	0x74, 0x61, 0x72, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x65, 0x6e, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28,
-	0x0d, 0x52, 0x03, 0x65, 0x6e, 0x64, 0x42, 0x0f, 0x0a, 0x0d, 0x70, 0x6f, 0x72, 0x74, 0x53, 0x65,
-	0x6c, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0xe1, 0x02, 0x0a, 0x11, 0x52, 0x6f, 0x75, 0x74,
-	0x65, 0x46, 0x69, 0x72, 0x65, 0x77, 0x61, 0x6c, 0x6c, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x22, 0x0a,
-	0x0c, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x18, 0x01, 0x20,
-	0x03, 0x28, 0x09, 0x52, 0x0c, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x61, 0x6e, 0x67, 0x65,
-	0x73, 0x12, 0x2e, 0x0a, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28,
-	0x0e, 0x32, 0x16, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x52,
-	0x75, 0x6c, 0x65, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f,
-	0x6e, 0x12, 0x20, 0x0a, 0x0b, 0x64, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e,
-	0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x64, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74,
-	0x69, 0x6f, 0x6e, 0x12, 0x34, 0x0a, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18,
-	0x04, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x18, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65,
-	0x6e, 0x74, 0x2e, 0x52, 0x75, 0x6c, 0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x52,
-	0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x30, 0x0a, 0x08, 0x70, 0x6f, 0x72,
-	0x74, 0x49, 0x6e, 0x66, 0x6f, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x6d, 0x61,
-	0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x50, 0x6f, 0x72, 0x74, 0x49, 0x6e, 0x66,
-	0x6f, 0x52, 0x08, 0x70, 0x6f, 0x72, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x1c, 0x0a, 0x09, 0x69,
-	0x73, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09,
-	0x69, 0x73, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x12, 0x18, 0x0a, 0x07, 0x64, 0x6f, 0x6d,
-	0x61, 0x69, 0x6e, 0x73, 0x18, 0x07, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07, 0x64, 0x6f, 0x6d, 0x61,
-	0x69, 0x6e, 0x73, 0x12, 0x26, 0x0a, 0x0e, 0x63, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x50, 0x72, 0x6f,
-	0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x0e, 0x63, 0x75, 0x73,
-	0x74, 0x6f, 0x6d, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x0e, 0x0a, 0x02, 0x69,
-	0x64, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x02, 0x69, 0x64, 0x22, 0xf2, 0x01, 0x0a, 0x0e,
-	0x46, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x69, 0x6e, 0x67, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x34,
-	0x0a, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e,
-	0x32, 0x18, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x52, 0x75,
-	0x6c, 0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x52, 0x08, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x3e, 0x0a, 0x0f, 0x64, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74,
-	0x69, 0x6f, 0x6e, 0x50, 0x6f, 0x72, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e,
-	0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x50, 0x6f, 0x72, 0x74, 0x49,
-	0x6e, 0x66, 0x6f, 0x52, 0x0f, 0x64, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e,
-	0x50, 0x6f, 0x72, 0x74, 0x12, 0x2c, 0x0a, 0x11, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x6c, 0x61, 0x74,
-	0x65, 0x64, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0c, 0x52,
-	0x11, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x6c, 0x61, 0x74, 0x65, 0x64, 0x41, 0x64, 0x64, 0x72, 0x65,
-	0x73, 0x73, 0x12, 0x3c, 0x0a, 0x0e, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x6c, 0x61, 0x74, 0x65, 0x64,
-	0x50, 0x6f, 0x72, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x6d, 0x61, 0x6e,
-	0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x50, 0x6f, 0x72, 0x74, 0x49, 0x6e, 0x66, 0x6f,
-	0x52, 0x0e, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x6c, 0x61, 0x74, 0x65, 0x64, 0x50, 0x6f, 0x72, 0x74,
-	0x2a, 0x4c, 0x0a, 0x0c, 0x52, 0x75, 0x6c, 0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c,
-	0x12, 0x0b, 0x0a, 0x07, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x07, 0x0a,
-	0x03, 0x41, 0x4c, 0x4c, 0x10, 0x01, 0x12, 0x07, 0x0a, 0x03, 0x54, 0x43, 0x50, 0x10, 0x02, 0x12,
-	0x07, 0x0a, 0x03, 0x55, 0x44, 0x50, 0x10, 0x03, 0x12, 0x08, 0x0a, 0x04, 0x49, 0x43, 0x4d, 0x50,
-	0x10, 0x04, 0x12, 0x0a, 0x0a, 0x06, 0x43, 0x55, 0x53, 0x54, 0x4f, 0x4d, 0x10, 0x05, 0x2a, 0x20,
-	0x0a, 0x0d, 0x52, 0x75, 0x6c, 0x65, 0x44, 0x69, 0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12,
-	0x06, 0x0a, 0x02, 0x49, 0x4e, 0x10, 0x00, 0x12, 0x07, 0x0a, 0x03, 0x4f, 0x55, 0x54, 0x10, 0x01,
-	0x2a, 0x22, 0x0a, 0x0a, 0x52, 0x75, 0x6c, 0x65, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x0a,
-	0x0a, 0x06, 0x41, 0x43, 0x43, 0x45, 0x50, 0x54, 0x10, 0x00, 0x12, 0x08, 0x0a, 0x04, 0x44, 0x52,
-	0x4f, 0x50, 0x10, 0x01, 0x32, 0x90, 0x04, 0x0a, 0x11, 0x4d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d,
-	0x65, 0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x45, 0x0a, 0x05, 0x4c, 0x6f,
-	0x67, 0x69, 0x6e, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74,
-	0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67,
-	0x65, 0x1a, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45,
-	0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22,
-	0x00, 0x12, 0x46, 0x0a, 0x04, 0x53, 0x79, 0x6e, 0x63, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61,
+	0x49, 0x6e, 0x66, 0x6f, 0x12, 0x1a, 0x0a, 0x08, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x49, 0x44,
+	0x18, 0x07, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x08, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x49, 0x44,
+	0x22, 0x38, 0x0a, 0x0e, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x41, 0x64, 0x64, 0x72, 0x65,
+	0x73, 0x73, 0x12, 0x14, 0x0a, 0x05, 0x6e, 0x65, 0x74, 0x49, 0x50, 0x18, 0x01, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x05, 0x6e, 0x65, 0x74, 0x49, 0x50, 0x12, 0x10, 0x0a, 0x03, 0x6d, 0x61, 0x63, 0x18,
+	0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6d, 0x61, 0x63, 0x22, 0x1e, 0x0a, 0x06, 0x43, 0x68,
+	0x65, 0x63, 0x6b, 0x73, 0x12, 0x14, 0x0a, 0x05, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x18, 0x01, 0x20,
+	0x03, 0x28, 0x09, 0x52, 0x05, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x22, 0x96, 0x01, 0x0a, 0x08, 0x50,
+	0x6f, 0x72, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x14, 0x0a, 0x04, 0x70, 0x6f, 0x72, 0x74, 0x18,
+	0x01, 0x20, 0x01, 0x28, 0x0d, 0x48, 0x00, 0x52, 0x04, 0x70, 0x6f, 0x72, 0x74, 0x12, 0x32, 0x0a,
+	0x05, 0x72, 0x61, 0x6e, 0x67, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x6d,
+	0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x50, 0x6f, 0x72, 0x74, 0x49, 0x6e,
+	0x66, 0x6f, 0x2e, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x48, 0x00, 0x52, 0x05, 0x72, 0x61, 0x6e, 0x67,
+	0x65, 0x1a, 0x2f, 0x0a, 0x05, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x73, 0x74,
+	0x61, 0x72, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x05, 0x73, 0x74, 0x61, 0x72, 0x74,
+	0x12, 0x10, 0x0a, 0x03, 0x65, 0x6e, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x03, 0x65,
+	0x6e, 0x64, 0x42, 0x0f, 0x0a, 0x0d, 0x70, 0x6f, 0x72, 0x74, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74,
+	0x69, 0x6f, 0x6e, 0x22, 0xed, 0x02, 0x0a, 0x11, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x46, 0x69, 0x72,
+	0x65, 0x77, 0x61, 0x6c, 0x6c, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x22, 0x0a, 0x0c, 0x73, 0x6f, 0x75,
+	0x72, 0x63, 0x65, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52,
+	0x0c, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x12, 0x2e, 0x0a,
+	0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x16, 0x2e,
+	0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x52, 0x75, 0x6c, 0x65, 0x41,
+	0x63, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x20, 0x0a,
+	0x0b, 0x64, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x0b, 0x64, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12,
+	0x34, 0x0a, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x04, 0x20, 0x01, 0x28,
+	0x0e, 0x32, 0x18, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x52,
+	0x75, 0x6c, 0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x52, 0x08, 0x70, 0x72, 0x6f,
+	0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x30, 0x0a, 0x08, 0x70, 0x6f, 0x72, 0x74, 0x49, 0x6e, 0x66,
+	0x6f, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65,
+	0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x50, 0x6f, 0x72, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x08, 0x70,
+	0x6f, 0x72, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x1c, 0x0a, 0x09, 0x69, 0x73, 0x44, 0x79, 0x6e,
+	0x61, 0x6d, 0x69, 0x63, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x69, 0x73, 0x44, 0x79,
+	0x6e, 0x61, 0x6d, 0x69, 0x63, 0x12, 0x18, 0x0a, 0x07, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x73,
+	0x18, 0x07, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x73, 0x12,
+	0x26, 0x0a, 0x0e, 0x63, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f,
+	0x6c, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x0e, 0x63, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x50,
+	0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x1a, 0x0a, 0x08, 0x50, 0x6f, 0x6c, 0x69, 0x63,
+	0x79, 0x49, 0x44, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x08, 0x50, 0x6f, 0x6c, 0x69, 0x63,
+	0x79, 0x49, 0x44, 0x22, 0xf2, 0x01, 0x0a, 0x0e, 0x46, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x69,
+	0x6e, 0x67, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x34, 0x0a, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63,
+	0x6f, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x18, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67,
+	0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x52, 0x75, 0x6c, 0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63,
+	0x6f, 0x6c, 0x52, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x3e, 0x0a, 0x0f,
+	0x64, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x6f, 0x72, 0x74, 0x18,
+	0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65,
+	0x6e, 0x74, 0x2e, 0x50, 0x6f, 0x72, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x0f, 0x64, 0x65, 0x73,
+	0x74, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x6f, 0x72, 0x74, 0x12, 0x2c, 0x0a, 0x11,
+	0x74, 0x72, 0x61, 0x6e, 0x73, 0x6c, 0x61, 0x74, 0x65, 0x64, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73,
+	0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x11, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x6c, 0x61,
+	0x74, 0x65, 0x64, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x12, 0x3c, 0x0a, 0x0e, 0x74, 0x72,
+	0x61, 0x6e, 0x73, 0x6c, 0x61, 0x74, 0x65, 0x64, 0x50, 0x6f, 0x72, 0x74, 0x18, 0x04, 0x20, 0x01,
+	0x28, 0x0b, 0x32, 0x14, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e,
+	0x50, 0x6f, 0x72, 0x74, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x0e, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x6c,
+	0x61, 0x74, 0x65, 0x64, 0x50, 0x6f, 0x72, 0x74, 0x2a, 0x4c, 0x0a, 0x0c, 0x52, 0x75, 0x6c, 0x65,
+	0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x0b, 0x0a, 0x07, 0x55, 0x4e, 0x4b, 0x4e,
+	0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x07, 0x0a, 0x03, 0x41, 0x4c, 0x4c, 0x10, 0x01, 0x12, 0x07,
+	0x0a, 0x03, 0x54, 0x43, 0x50, 0x10, 0x02, 0x12, 0x07, 0x0a, 0x03, 0x55, 0x44, 0x50, 0x10, 0x03,
+	0x12, 0x08, 0x0a, 0x04, 0x49, 0x43, 0x4d, 0x50, 0x10, 0x04, 0x12, 0x0a, 0x0a, 0x06, 0x43, 0x55,
+	0x53, 0x54, 0x4f, 0x4d, 0x10, 0x05, 0x2a, 0x20, 0x0a, 0x0d, 0x52, 0x75, 0x6c, 0x65, 0x44, 0x69,
+	0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x06, 0x0a, 0x02, 0x49, 0x4e, 0x10, 0x00, 0x12,
+	0x07, 0x0a, 0x03, 0x4f, 0x55, 0x54, 0x10, 0x01, 0x2a, 0x22, 0x0a, 0x0a, 0x52, 0x75, 0x6c, 0x65,
+	0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x0a, 0x0a, 0x06, 0x41, 0x43, 0x43, 0x45, 0x50, 0x54,
+	0x10, 0x00, 0x12, 0x08, 0x0a, 0x04, 0x44, 0x52, 0x4f, 0x50, 0x10, 0x01, 0x32, 0x90, 0x04, 0x0a,
+	0x11, 0x4d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x69,
+	0x63, 0x65, 0x12, 0x45, 0x0a, 0x05, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x12, 0x1c, 0x2e, 0x6d, 0x61,
+	0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74,
+	0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61,
 	0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64,
-	0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65,
-	0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65,
-	0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x30, 0x01, 0x12, 0x42, 0x0a, 0x0c, 0x47, 0x65, 0x74,
-	0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x4b, 0x65, 0x79, 0x12, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61,
-	0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x1d, 0x2e, 0x6d,
-	0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
-	0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x33, 0x0a,
-	0x09, 0x69, 0x73, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x79, 0x12, 0x11, 0x2e, 0x6d, 0x61, 0x6e,
-	0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x11, 0x2e,
-	0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79,
-	0x22, 0x00, 0x12, 0x5a, 0x0a, 0x1a, 0x47, 0x65, 0x74, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x41,
-	0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x46, 0x6c, 0x6f, 0x77,
-	0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e,
-	0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1c,
-	0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72,
-	0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x58,
-	0x0a, 0x18, 0x47, 0x65, 0x74, 0x50, 0x4b, 0x43, 0x45, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69,
-	0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x46, 0x6c, 0x6f, 0x77, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e,
-	0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65,
-	0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67,
+	0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x46, 0x0a, 0x04, 0x53, 0x79, 0x6e,
+	0x63, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45,
+	0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a,
+	0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63,
+	0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x30,
+	0x01, 0x12, 0x42, 0x0a, 0x0c, 0x47, 0x65, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x4b, 0x65,
+	0x79, 0x12, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45,
+	0x6d, 0x70, 0x74, 0x79, 0x1a, 0x1d, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e,
+	0x74, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f,
+	0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x33, 0x0a, 0x09, 0x69, 0x73, 0x48, 0x65, 0x61, 0x6c, 0x74,
+	0x68, 0x79, 0x12, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e,
+	0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65,
+	0x6e, 0x74, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, 0x5a, 0x0a, 0x1a, 0x47, 0x65,
+	0x74, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61,
+	0x74, 0x69, 0x6f, 0x6e, 0x46, 0x6c, 0x6f, 0x77, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67,
 	0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d,
-	0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x3d, 0x0a, 0x08, 0x53, 0x79, 0x6e, 0x63,
-	0x4d, 0x65, 0x74, 0x61, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e,
-	0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61,
-	0x67, 0x65, 0x1a, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e,
-	0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x42, 0x08, 0x5a, 0x06, 0x2f, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d,
+	0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73,
+	0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x58, 0x0a, 0x18, 0x47, 0x65, 0x74, 0x50, 0x4b, 0x43,
+	0x45, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x46, 0x6c,
+	0x6f, 0x77, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e,
+	0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65,
+	0x1a, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e,
+	0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00,
+	0x12, 0x3d, 0x0a, 0x08, 0x53, 0x79, 0x6e, 0x63, 0x4d, 0x65, 0x74, 0x61, 0x12, 0x1c, 0x2e, 0x6d,
+	0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70,
+	0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x11, 0x2e, 0x6d, 0x61, 0x6e,
+	0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x42,
+	0x08, 0x5a, 0x06, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+	0x33,
 }

 var (
--- a/management/proto/management.proto
+++ b/management/proto/management.proto
@@ -449,8 +449,8 @@ message FirewallRule {
  string Port = 5;
  PortInfo PortInfo = 6;

-  // Id is the unique rule Id
-  bytes id = 7;
+  // PolicyID is the ID of the policy that this rule belongs to
+  bytes PolicyID = 7;
 }

 message NetworkAddress {
@@ -501,8 +501,8 @@ message RouteFirewallRule {
  // CustomProtocol is a custom protocol ID.
  uint32 customProtocol = 8;

-  // Id is the unique rule Id
-  bytes id = 9;
+  // PolicyID is the ID of the policy that this rule belongs to
+  bytes PolicyID = 9;
 }

 message ForwardingRule {
--- a/management/server/account_test.go
+++ b/management/server/account_test.go
@@ -385,7 +385,7 @@ func TestAccount_GetPeerNetworkMap(t *testing.T) {
 		}

 		customZone := account.GetPeersCustomZone(context.Background(), "netbird.io")
-		networkMap := account.GetPeerNetworkMap(context.Background(), testCase.peerID, customZone, validatedPeers, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap(), account.GetPeersGroupsMap(), account.GetGroupsPolicyMap(), nil)
+		networkMap := account.GetPeerNetworkMap(context.Background(), testCase.peerID, customZone, validatedPeers, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap(), nil)
 		assert.Len(t, networkMap.Peers, len(testCase.expectedPeers))
 		assert.Len(t, networkMap.OfflinePeers, len(testCase.expectedOfflinePeers))
 	}
--- a/management/server/grpcserver.go
+++ b/management/server/grpcserver.go
@@ -19,7 +19,6 @@ import (
 	"google.golang.org/grpc/status"

 	integrationsConfig "github.com/netbirdio/management-integrations/integrations/config"
-
 	"github.com/netbirdio/netbird/encryption"
 	"github.com/netbirdio/netbird/management/proto"
 	"github.com/netbirdio/netbird/management/server/account"
@@ -636,13 +635,14 @@ func toSyncResponse(ctx context.Context, config *Config, peer *nbpeer.Peer, turn

 	response.NetworkMap.PeerConfig = response.PeerConfig

-	allPeers := appendRemotePeerConfig(networkMap.Peers, dnsName)
+	allPeers := make([]*proto.RemotePeerConfig, 0, len(networkMap.Peers)+len(networkMap.OfflinePeers))
+	allPeers = appendRemotePeerConfig(allPeers, networkMap.Peers, dnsName)
 	response.RemotePeers = allPeers
 	response.NetworkMap.RemotePeers = allPeers
 	response.RemotePeersIsEmpty = len(allPeers) == 0
 	response.NetworkMap.RemotePeersIsEmpty = response.RemotePeersIsEmpty

-	response.NetworkMap.OfflinePeers = appendRemotePeerConfig(networkMap.OfflinePeers, dnsName)
+	response.NetworkMap.OfflinePeers = appendRemotePeerConfig(nil, networkMap.OfflinePeers, dnsName)

 	firewallRules := toProtocolFirewallRules(networkMap.FirewallRules)
 	response.NetworkMap.FirewallRules = firewallRules
@@ -663,18 +663,15 @@ func toSyncResponse(ctx context.Context, config *Config, peer *nbpeer.Peer, turn
 	return response
 }

-func appendRemotePeerConfig(peers []*nbpeer.Peer, dnsName string) []*proto.RemotePeerConfig {
-	dst := make([]*proto.RemotePeerConfig, len(peers))
-
-	for i, rPeer := range peers {
-		dst[i] = &proto.RemotePeerConfig{
+func appendRemotePeerConfig(dst []*proto.RemotePeerConfig, peers []*nbpeer.Peer, dnsName string) []*proto.RemotePeerConfig {
+	for _, rPeer := range peers {
+		dst = append(dst, &proto.RemotePeerConfig{
 			WgPubKey:   rPeer.Key,
 			AllowedIps: []string{rPeer.IP.String() + "/32"},
 			SshConfig:  &proto.SSHConfig{SshPubKey: []byte(rPeer.SSHKey)},
 			Fqdn:       rPeer.FQDN(dnsName),
-		}
+		})
 	}
-
 	return dst
 }

--- a/management/server/http/handlers/networks/handler.go
+++ b/management/server/http/handlers/networks/handler.go
@@ -289,7 +289,7 @@ func (h *handler) collectIDsInNetwork(ctx context.Context, accountID, userID, ne
 }

 func (h *handler) generateNetworkResponse(networks []*types.Network, routers map[string][]*routerTypes.NetworkRouter, resourceIDs map[string][]string, groups map[string]*nbtypes.Group, account *nbtypes.Account) []*api.Network {
-	var networkResponse []*api.Network
+	networkResponse := make([]*api.Network, 0, len(networks))
 	for _, network := range networks {
 		routerIDs, peerCounter := getRouterIDs(network, routers, groups)
 		policyIDs := account.GetPoliciesAppliedInNetwork(network.ID)
--- a/management/server/http/handlers/networks/resources_handler.go
+++ b/management/server/http/handlers/networks/resources_handler.go
@@ -89,7 +89,7 @@ func (h *resourceHandler) getAllResourcesInAccount(w http.ResponseWriter, r *htt

 	grpsInfoMap := groups.ToGroupsInfoMap(grps, 0)

-	var resourcesResponse []*api.NetworkResource
+	resourcesResponse := make([]*api.NetworkResource, 0, len(resources))
 	for _, resource := range resources {
 		resourcesResponse = append(resourcesResponse, resource.ToAPIResponse(grpsInfoMap[resource.ID]))
 	}
--- a/management/server/http/handlers/networks/routers_handler.go
+++ b/management/server/http/handlers/networks/routers_handler.go
@@ -48,7 +48,7 @@ func (h *routersHandler) getAllRouters(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	var routersResponse []*api.NetworkRouter
+	routersResponse := make([]*api.NetworkRouter, 0, len(routers))
 	for _, router := range routers {
 		routersResponse = append(routersResponse, router.ToAPIResponse())
 	}
--- a/management/server/http/handlers/peers/peers_handler.go
+++ b/management/server/http/handlers/peers/peers_handler.go
@@ -281,7 +281,7 @@ func (h *Handler) GetAccessiblePeers(w http.ResponseWriter, r *http.Request) {
 	dnsDomain := h.accountManager.GetDNSDomain()

 	customZone := account.GetPeersCustomZone(r.Context(), dnsDomain)
-	netMap := account.GetPeerNetworkMap(r.Context(), peerID, customZone, validPeers, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap(), account.GetPeersGroupsMap(), account.GetGroupsPolicyMap(), nil)
+	netMap := account.GetPeerNetworkMap(r.Context(), peerID, customZone, validPeers, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap(), nil)

 	util.WriteJSONObject(r.Context(), w, toAccessiblePeers(netMap, dnsDomain))
 }
--- a/management/server/networks/resources/types/resource.go
+++ b/management/server/networks/resources/types/resource.go
@@ -20,9 +20,9 @@ import (
 type NetworkResourceType string

 const (
-	Host   NetworkResourceType = "host"
-	Subnet NetworkResourceType = "subnet"
-	Domain NetworkResourceType = "domain"
+	host   NetworkResourceType = "host"
+	subnet NetworkResourceType = "subnet"
+	domain NetworkResourceType = "domain"
 )

 func (p NetworkResourceType) String() string {
@@ -66,7 +66,7 @@ func NewNetworkResource(accountID, networkID, name, description, address string,

 func (n *NetworkResource) ToAPIResponse(groups []api.GroupMinimum) *api.NetworkResource {
 	addr := n.Prefix.String()
-	if n.Type == Domain {
+	if n.Type == domain {
 		addr = n.Domain
 	}

@@ -125,7 +125,7 @@ func (n *NetworkResource) ToRoute(peer *nbpeer.Peer, router *routerTypes.Network
 		AccessControlGroups: nil,
 	}

-	if n.Type == Host || n.Type == Subnet {
+	if n.Type == host || n.Type == subnet {
 		r.Network = n.Prefix

 		r.NetworkType = route.IPv4Network
@@ -134,7 +134,7 @@ func (n *NetworkResource) ToRoute(peer *nbpeer.Peer, router *routerTypes.Network
 		}
 	}

-	if n.Type == Domain {
+	if n.Type == domain {
 		domainList, err := nbDomain.FromStringList([]string{n.Domain})
 		if err != nil {
 			return nil
@@ -157,18 +157,18 @@ func (n *NetworkResource) EventMeta(network *networkTypes.Network) map[string]an
 func GetResourceType(address string) (NetworkResourceType, string, netip.Prefix, error) {
 	if prefix, err := netip.ParsePrefix(address); err == nil {
 		if prefix.Bits() == 32 || prefix.Bits() == 128 {
-			return Host, "", prefix, nil
+			return host, "", prefix, nil
 		}
-		return Subnet, "", prefix, nil
+		return subnet, "", prefix, nil
 	}

 	if ip, err := netip.ParseAddr(address); err == nil {
-		return Host, "", netip.PrefixFrom(ip, ip.BitLen()), nil
+		return host, "", netip.PrefixFrom(ip, ip.BitLen()), nil
 	}

 	domainRegex := regexp.MustCompile(`^(\*\.)?([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}$`)
 	if domainRegex.MatchString(address) {
-		return Domain, address, netip.Prefix{}, nil
+		return domain, address, netip.Prefix{}, nil
 	}

 	return "", "", netip.Prefix{}, errors.New("not a valid host, subnet, or domain")
--- a/management/server/networks/resources/types/resource_test.go
+++ b/management/server/networks/resources/types/resource_test.go
@@ -14,15 +14,15 @@ func TestGetResourceType(t *testing.T) {
 		expectedPrefix netip.Prefix
 	}{
 		// Valid host IPs
-		{"1.1.1.1", Host, false, "", netip.MustParsePrefix("1.1.1.1/32")},
-		{"1.1.1.1/32", Host, false, "", netip.MustParsePrefix("1.1.1.1/32")},
+		{"1.1.1.1", host, false, "", netip.MustParsePrefix("1.1.1.1/32")},
+		{"1.1.1.1/32", host, false, "", netip.MustParsePrefix("1.1.1.1/32")},
 		// Valid subnets
-		{"192.168.1.0/24", Subnet, false, "", netip.MustParsePrefix("192.168.1.0/24")},
-		{"10.0.0.0/16", Subnet, false, "", netip.MustParsePrefix("10.0.0.0/16")},
+		{"192.168.1.0/24", subnet, false, "", netip.MustParsePrefix("192.168.1.0/24")},
+		{"10.0.0.0/16", subnet, false, "", netip.MustParsePrefix("10.0.0.0/16")},
 		// Valid domains
-		{"example.com", Domain, false, "example.com", netip.Prefix{}},
-		{"*.example.com", Domain, false, "*.example.com", netip.Prefix{}},
-		{"sub.example.com", Domain, false, "sub.example.com", netip.Prefix{}},
+		{"example.com", domain, false, "example.com", netip.Prefix{}},
+		{"*.example.com", domain, false, "*.example.com", netip.Prefix{}},
+		{"sub.example.com", domain, false, "sub.example.com", netip.Prefix{}},
 		// Invalid inputs
 		{"invalid", "", true, "", netip.Prefix{}},
 		{"1.1.1.1/abc", "", true, "", netip.Prefix{}},
@@ -32,7 +32,7 @@ func TestGetResourceType(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.input, func(t *testing.T) {
 			result, domain, prefix, err := GetResourceType(tt.input)
-
+      
 			if result != tt.expectedType {
 				t.Errorf("Expected type %v, got %v", tt.expectedType, result)
 			}
--- a/management/server/peer.go
+++ b/management/server/peer.go
@@ -83,7 +83,7 @@ func (am *DefaultAccountManager) GetPeers(ctx context.Context, accountID, userID

 	// fetch all the peers that have access to the user's peers
 	for _, peer := range peers {
-		aclPeers, _ := account.GetPeerConnectionResources(ctx, peer.ID, approvedPeersMap, account.GetPeersGroupsMap(), account.GetGroupsPolicyMap())
+		aclPeers, _ := account.GetPeerConnectionResources(ctx, peer.ID, approvedPeersMap)
 		for _, p := range aclPeers {
 			peersMap[p.ID] = p
 		}
@@ -418,7 +418,7 @@ func (am *DefaultAccountManager) GetNetworkMap(ctx context.Context, peerID strin
 		return nil, err
 	}

-	networkMap := account.GetPeerNetworkMap(ctx, peer.ID, customZone, validatedPeers, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap(), account.GetPeersGroupsMap(), account.GetGroupsPolicyMap(), nil)
+	networkMap := account.GetPeerNetworkMap(ctx, peer.ID, customZone, validatedPeers, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap(), nil)

 	proxyNetworkMap, ok := proxyNetworkMaps[peer.ID]
 	if ok {
@@ -1029,7 +1029,7 @@ func (am *DefaultAccountManager) getValidatedPeerWithMap(ctx context.Context, is
 		return nil, nil, nil, err
 	}

-	networkMap := account.GetPeerNetworkMap(ctx, peer.ID, customZone, approvedPeersMap, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap(), account.GetPeersGroupsMap(), account.GetGroupsPolicyMap(), am.metrics.AccountManagerMetrics())
+	networkMap := account.GetPeerNetworkMap(ctx, peer.ID, customZone, approvedPeersMap, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap(), am.metrics.AccountManagerMetrics())

 	proxyNetworkMap, ok := proxyNetworkMaps[peer.ID]
 	if ok {
@@ -1140,7 +1140,7 @@ func (am *DefaultAccountManager) GetPeer(ctx context.Context, accountID, peerID,
 	}

 	for _, p := range userPeers {
-		aclPeers, _ := account.GetPeerConnectionResources(ctx, p.ID, approvedPeersMap, account.GetPeersGroupsMap(), account.GetGroupsPolicyMap())
+		aclPeers, _ := account.GetPeerConnectionResources(ctx, p.ID, approvedPeersMap)
 		for _, aclPeer := range aclPeers {
 			if aclPeer.ID == peerID {
 				return peer, nil
@@ -1175,8 +1175,6 @@ func (am *DefaultAccountManager) UpdateAccountPeers(ctx context.Context, account
 	customZone := account.GetPeersCustomZone(ctx, am.dnsDomain)
 	resourcePolicies := account.GetResourcePoliciesMap()
 	routers := account.GetResourceRoutersMap()
-	peersGroups := account.GetPeersGroupsMap()
-	groupsPolicies := account.GetGroupsPolicyMap()

 	proxyNetworkMaps, err := am.proxyController.GetProxyNetworkMaps(ctx, accountID)
 	if err != nil {
@@ -1202,7 +1200,7 @@ func (am *DefaultAccountManager) UpdateAccountPeers(ctx context.Context, account
 				return
 			}

-			remotePeerNetworkMap := account.GetPeerNetworkMap(ctx, p.ID, customZone, approvedPeersMap, resourcePolicies, routers, peersGroups, groupsPolicies, am.metrics.AccountManagerMetrics())
+			remotePeerNetworkMap := account.GetPeerNetworkMap(ctx, p.ID, customZone, approvedPeersMap, resourcePolicies, routers, am.metrics.AccountManagerMetrics())

 			proxyNetworkMap, ok := proxyNetworkMaps[p.ID]
 			if ok {
@@ -1271,7 +1269,7 @@ func (am *DefaultAccountManager) UpdateAccountPeer(ctx context.Context, accountI
 		return
 	}

-	remotePeerNetworkMap := account.GetPeerNetworkMap(ctx, peerId, customZone, approvedPeersMap, resourcePolicies, routers, account.GetPeersGroupsMap(), account.GetGroupsPolicyMap(), am.metrics.AccountManagerMetrics())
+	remotePeerNetworkMap := account.GetPeerNetworkMap(ctx, peerId, customZone, approvedPeersMap, resourcePolicies, routers, am.metrics.AccountManagerMetrics())

 	proxyNetworkMap, ok := proxyNetworkMaps[peer.ID]
 	if ok {
--- a/management/server/peer_test.go
+++ b/management/server/peer_test.go
@@ -934,13 +934,13 @@ func BenchmarkUpdateAccountPeers(b *testing.B) {
 		minMsPerOpCICD  float64
 		maxMsPerOpCICD  float64
 	}{
-		// {"Small", 50, 5, 90, 120, 90, 120},
-		// {"Medium", 500, 100, 110, 150, 120, 260},
-		// {"Large", 5000, 200, 800, 1700, 2500, 5000},
-		// {"Small single", 50, 10, 90, 120, 90, 120},
-		// {"Medium single", 500, 10, 110, 170, 120, 200},
+		{"Small", 50, 5, 90, 120, 90, 120},
+		{"Medium", 500, 100, 110, 150, 120, 260},
+		{"Large", 5000, 200, 800, 1700, 2500, 5000},
+		{"Small single", 50, 10, 90, 120, 90, 120},
+		{"Medium single", 500, 10, 110, 170, 120, 200},
 		{"Large 5", 5000, 15, 1300, 2100, 4900, 7000},
-		// {"Extra Large", 5000, 2000, 1300, 2400, 3000, 6400},
+		{"Extra Large", 2000, 2000, 1300, 2400, 3000, 6400},
 	}

 	log.SetOutput(io.Discard)
@@ -948,7 +948,6 @@ func BenchmarkUpdateAccountPeers(b *testing.B) {

 	for _, bc := range benchCases {
 		b.Run(bc.name, func(b *testing.B) {
-			b.Setenv("NB_GET_ACCOUNT_BUFFER_INTERVAL", "0")
 			manager, accountID, _, err := setupTestAccountManager(b, bc.peers, bc.groups)
 			if err != nil {
 				b.Fatalf("Failed to setup test account manager: %v", err)
--- a/management/server/policy.go
+++ b/management/server/policy.go
@@ -262,6 +262,7 @@ func toProtocolFirewallRules(rules []*types.FirewallRule) []*proto.FirewallRule
 			Protocol:  getProtoProtocol(rule.Protocol),
 			Port:      rule.Port,
 			PortInfo:  rule.PortRange.ToProto(),
+			PolicyID:  []byte(rule.PolicyID),
 		}
 	}
 	return result
--- a/management/server/policy_test.go
+++ b/management/server/policy_test.go
@@ -4,11 +4,11 @@ import (
 	"context"
 	"fmt"
 	"net"
+	"slices"
 	"testing"
 	"time"

 	"github.com/stretchr/testify/assert"
-	"golang.org/x/exp/slices"

 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/posture"
@@ -158,14 +158,14 @@ func TestAccount_getPeersByPolicy(t *testing.T) {

 	t.Run("check that all peers get map", func(t *testing.T) {
 		for _, p := range account.Peers {
-			peers, firewallRules := account.GetPeerConnectionResources(context.Background(), p.ID, validatedPeers, account.GetPeersGroupsMap(), account.GetGroupsPolicyMap())
+			peers, firewallRules := account.GetPeerConnectionResources(context.Background(), p.ID, validatedPeers)
 			assert.GreaterOrEqual(t, len(peers), 2, "minimum number peers should present")
 			assert.GreaterOrEqual(t, len(firewallRules), 2, "minimum number of firewall rules should present")
 		}
 	})

 	t.Run("check first peer map details", func(t *testing.T) {
-		peers, firewallRules := account.GetPeerConnectionResources(context.Background(), "peerB", validatedPeers, account.GetPeersGroupsMap(), account.GetGroupsPolicyMap())
+		peers, firewallRules := account.GetPeerConnectionResources(context.Background(), "peerB", validatedPeers)
 		assert.Len(t, peers, 7)
 		assert.Contains(t, peers, account.Peers["peerA"])
 		assert.Contains(t, peers, account.Peers["peerC"])
@@ -182,6 +182,7 @@ func TestAccount_getPeersByPolicy(t *testing.T) {
 				Action:    "accept",
 				Protocol:  "all",
 				Port:      "",
+				PolicyID:  "RuleDefault",
 			},
 			{
 				PeerIP:    "0.0.0.0",
@@ -189,6 +190,7 @@ func TestAccount_getPeersByPolicy(t *testing.T) {
 				Action:    "accept",
 				Protocol:  "all",
 				Port:      "",
+				PolicyID:  "RuleDefault",
 			},
 			{
 				PeerIP:    "100.65.14.88",
@@ -196,6 +198,7 @@ func TestAccount_getPeersByPolicy(t *testing.T) {
 				Action:    "accept",
 				Protocol:  "all",
 				Port:      "",
+				PolicyID:  "RuleSwarm",
 			},
 			{
 				PeerIP:    "100.65.14.88",
@@ -203,6 +206,7 @@ func TestAccount_getPeersByPolicy(t *testing.T) {
 				Action:    "accept",
 				Protocol:  "all",
 				Port:      "",
+				PolicyID:  "RuleSwarm",
 			},
 			{
 				PeerIP:    "100.65.62.5",
@@ -210,6 +214,7 @@ func TestAccount_getPeersByPolicy(t *testing.T) {
 				Action:    "accept",
 				Protocol:  "all",
 				Port:      "",
+				PolicyID:  "RuleSwarm",
 			},
 			{
 				PeerIP:    "100.65.62.5",
@@ -217,6 +222,7 @@ func TestAccount_getPeersByPolicy(t *testing.T) {
 				Action:    "accept",
 				Protocol:  "all",
 				Port:      "",
+				PolicyID:  "RuleSwarm",
 			},

 			{
@@ -225,6 +231,7 @@ func TestAccount_getPeersByPolicy(t *testing.T) {
 				Action:    "accept",
 				Protocol:  "all",
 				Port:      "",
+				PolicyID:  "RuleSwarm",
 			},
 			{
 				PeerIP:    "100.65.32.206",
@@ -232,6 +239,7 @@ func TestAccount_getPeersByPolicy(t *testing.T) {
 				Action:    "accept",
 				Protocol:  "all",
 				Port:      "",
+				PolicyID:  "RuleSwarm",
 			},

 			{
@@ -240,6 +248,7 @@ func TestAccount_getPeersByPolicy(t *testing.T) {
 				Action:    "accept",
 				Protocol:  "all",
 				Port:      "",
+				PolicyID:  "RuleSwarm",
 			},
 			{
 				PeerIP:    "100.65.250.202",
@@ -247,6 +256,7 @@ func TestAccount_getPeersByPolicy(t *testing.T) {
 				Action:    "accept",
 				Protocol:  "all",
 				Port:      "",
+				PolicyID:  "RuleSwarm",
 			},

 			{
@@ -255,6 +265,7 @@ func TestAccount_getPeersByPolicy(t *testing.T) {
 				Action:    "accept",
 				Protocol:  "all",
 				Port:      "",
+				PolicyID:  "RuleSwarm",
 			},
 			{
 				PeerIP:    "100.65.13.186",
@@ -262,6 +273,7 @@ func TestAccount_getPeersByPolicy(t *testing.T) {
 				Action:    "accept",
 				Protocol:  "all",
 				Port:      "",
+				PolicyID:  "RuleSwarm",
 			},

 			{
@@ -270,6 +282,7 @@ func TestAccount_getPeersByPolicy(t *testing.T) {
 				Action:    "accept",
 				Protocol:  "all",
 				Port:      "",
+				PolicyID:  "RuleSwarm",
 			},
 			{
 				PeerIP:    "100.65.29.55",
@@ -277,6 +290,7 @@ func TestAccount_getPeersByPolicy(t *testing.T) {
 				Action:    "accept",
 				Protocol:  "all",
 				Port:      "",
+				PolicyID:  "RuleSwarm",
 			},
 		}
 		assert.Len(t, firewallRules, len(epectedFirewallRules))
@@ -394,7 +408,7 @@ func TestAccount_getPeersByPolicyDirect(t *testing.T) {
 	}

 	t.Run("check first peer map", func(t *testing.T) {
-		peers, firewallRules := account.GetPeerConnectionResources(context.Background(), "peerB", approvedPeers, account.GetPeersGroupsMap(), account.GetGroupsPolicyMap())
+		peers, firewallRules := account.GetPeerConnectionResources(context.Background(), "peerB", approvedPeers)
 		assert.Contains(t, peers, account.Peers["peerC"])

 		epectedFirewallRules := []*types.FirewallRule{
@@ -404,6 +418,7 @@ func TestAccount_getPeersByPolicyDirect(t *testing.T) {
 				Action:    "accept",
 				Protocol:  "all",
 				Port:      "",
+				PolicyID:  "RuleSwarm",
 			},
 			{
 				PeerIP:    "100.65.254.139",
@@ -411,6 +426,7 @@ func TestAccount_getPeersByPolicyDirect(t *testing.T) {
 				Action:    "accept",
 				Protocol:  "all",
 				Port:      "",
+				PolicyID:  "RuleSwarm",
 			},
 		}
 		assert.Len(t, firewallRules, len(epectedFirewallRules))
@@ -422,7 +438,7 @@ func TestAccount_getPeersByPolicyDirect(t *testing.T) {
 	})

 	t.Run("check second peer map", func(t *testing.T) {
-		peers, firewallRules := account.GetPeerConnectionResources(context.Background(), "peerC", approvedPeers, account.GetPeersGroupsMap(), account.GetGroupsPolicyMap())
+		peers, firewallRules := account.GetPeerConnectionResources(context.Background(), "peerC", approvedPeers)
 		assert.Contains(t, peers, account.Peers["peerB"])

 		epectedFirewallRules := []*types.FirewallRule{
@@ -432,6 +448,7 @@ func TestAccount_getPeersByPolicyDirect(t *testing.T) {
 				Action:    "accept",
 				Protocol:  "all",
 				Port:      "",
+				PolicyID:  "RuleSwarm",
 			},
 			{
 				PeerIP:    "100.65.80.39",
@@ -439,6 +456,7 @@ func TestAccount_getPeersByPolicyDirect(t *testing.T) {
 				Action:    "accept",
 				Protocol:  "all",
 				Port:      "",
+				PolicyID:  "RuleSwarm",
 			},
 		}
 		assert.Len(t, firewallRules, len(epectedFirewallRules))
@@ -452,7 +470,7 @@ func TestAccount_getPeersByPolicyDirect(t *testing.T) {
 	account.Policies[1].Rules[0].Bidirectional = false

 	t.Run("check first peer map directional only", func(t *testing.T) {
-		peers, firewallRules := account.GetPeerConnectionResources(context.Background(), "peerB", approvedPeers, account.GetPeersGroupsMap(), account.GetGroupsPolicyMap())
+		peers, firewallRules := account.GetPeerConnectionResources(context.Background(), "peerB", approvedPeers)
 		assert.Contains(t, peers, account.Peers["peerC"])

 		epectedFirewallRules := []*types.FirewallRule{
@@ -462,6 +480,7 @@ func TestAccount_getPeersByPolicyDirect(t *testing.T) {
 				Action:    "accept",
 				Protocol:  "all",
 				Port:      "",
+				PolicyID:  "RuleSwarm",
 			},
 		}
 		assert.Len(t, firewallRules, len(epectedFirewallRules))
@@ -473,7 +492,7 @@ func TestAccount_getPeersByPolicyDirect(t *testing.T) {
 	})

 	t.Run("check second peer map directional only", func(t *testing.T) {
-		peers, firewallRules := account.GetPeerConnectionResources(context.Background(), "peerC", approvedPeers, account.GetPeersGroupsMap(), account.GetGroupsPolicyMap())
+		peers, firewallRules := account.GetPeerConnectionResources(context.Background(), "peerC", approvedPeers)
 		assert.Contains(t, peers, account.Peers["peerB"])

 		epectedFirewallRules := []*types.FirewallRule{
@@ -483,6 +502,7 @@ func TestAccount_getPeersByPolicyDirect(t *testing.T) {
 				Action:    "accept",
 				Protocol:  "all",
 				Port:      "",
+				PolicyID:  "RuleSwarm",
 			},
 		}
 		assert.Len(t, firewallRules, len(epectedFirewallRules))
@@ -493,7 +513,6 @@ func TestAccount_getPeersByPolicyDirect(t *testing.T) {
 		}
 	})
 }
-
 func TestAccount_getPeersByPolicyPostureChecks(t *testing.T) {
 	account := &types.Account{
 		Peers: map[string]*nbpeer.Peer{
@@ -670,7 +689,7 @@ func TestAccount_getPeersByPolicyPostureChecks(t *testing.T) {
 	t.Run("verify peer's network map with default group peer list", func(t *testing.T) {
 		// peerB doesn't fulfill the NB posture check but is included in the destination group Swarm,
 		// will establish a connection with all source peers satisfying the NB posture check.
-		peers, firewallRules := account.GetPeerConnectionResources(context.Background(), "peerB", approvedPeers, account.GetPeersGroupsMap(), account.GetGroupsPolicyMap())
+		peers, firewallRules := account.GetPeerConnectionResources(context.Background(), "peerB", approvedPeers)
 		assert.Len(t, peers, 4)
 		assert.Len(t, firewallRules, 4)
 		assert.Contains(t, peers, account.Peers["peerA"])
@@ -680,7 +699,7 @@ func TestAccount_getPeersByPolicyPostureChecks(t *testing.T) {

 		// peerC satisfy the NB posture check, should establish connection to all destination group peer's
 		// We expect a single permissive firewall rule which all outgoing connections
-		peers, firewallRules = account.GetPeerConnectionResources(context.Background(), "peerC", approvedPeers, account.GetPeersGroupsMap(), account.GetGroupsPolicyMap())
+		peers, firewallRules = account.GetPeerConnectionResources(context.Background(), "peerC", approvedPeers)
 		assert.Len(t, peers, len(account.Groups["GroupSwarm"].Peers))
 		assert.Len(t, firewallRules, 1)
 		expectedFirewallRules := []*types.FirewallRule{
@@ -690,13 +709,14 @@ func TestAccount_getPeersByPolicyPostureChecks(t *testing.T) {
 				Action:    "accept",
 				Protocol:  "tcp",
 				Port:      "80",
+				PolicyID:  "RuleSwarm",
 			},
 		}
 		assert.ElementsMatch(t, firewallRules, expectedFirewallRules)

 		// peerE doesn't fulfill the NB posture check and exists in only destination group Swarm,
 		// all source group peers satisfying the NB posture check should establish connection
-		peers, firewallRules = account.GetPeerConnectionResources(context.Background(), "peerE", approvedPeers, account.GetPeersGroupsMap(), account.GetGroupsPolicyMap())
+		peers, firewallRules = account.GetPeerConnectionResources(context.Background(), "peerE", approvedPeers)
 		assert.Len(t, peers, 4)
 		assert.Len(t, firewallRules, 4)
 		assert.Contains(t, peers, account.Peers["peerA"])
@@ -706,7 +726,7 @@ func TestAccount_getPeersByPolicyPostureChecks(t *testing.T) {

 		// peerI doesn't fulfill the OS version posture check and exists in only destination group Swarm,
 		// all source group peers satisfying the NB posture check should establish connection
-		peers, firewallRules = account.GetPeerConnectionResources(context.Background(), "peerI", approvedPeers, account.GetPeersGroupsMap(), account.GetGroupsPolicyMap())
+		peers, firewallRules = account.GetPeerConnectionResources(context.Background(), "peerI", approvedPeers)
 		assert.Len(t, peers, 4)
 		assert.Len(t, firewallRules, 4)
 		assert.Contains(t, peers, account.Peers["peerA"])
@@ -721,19 +741,19 @@ func TestAccount_getPeersByPolicyPostureChecks(t *testing.T) {

 		// peerB doesn't satisfy the NB posture check, and doesn't exist in destination group peer's
 		// no connection should be established to any peer of destination group
-		peers, firewallRules := account.GetPeerConnectionResources(context.Background(), "peerB", approvedPeers, account.GetPeersGroupsMap(), account.GetGroupsPolicyMap())
+		peers, firewallRules := account.GetPeerConnectionResources(context.Background(), "peerB", approvedPeers)
 		assert.Len(t, peers, 0)
 		assert.Len(t, firewallRules, 0)

 		// peerI doesn't satisfy the OS version posture check, and doesn't exist in destination group peer's
 		// no connection should be established to any peer of destination group
-		peers, firewallRules = account.GetPeerConnectionResources(context.Background(), "peerI", approvedPeers, account.GetPeersGroupsMap(), account.GetGroupsPolicyMap())
+		peers, firewallRules = account.GetPeerConnectionResources(context.Background(), "peerI", approvedPeers)
 		assert.Len(t, peers, 0)
 		assert.Len(t, firewallRules, 0)

 		// peerC satisfy the NB posture check, should establish connection to all destination group peer's
 		// We expect a single permissive firewall rule which all outgoing connections
-		peers, firewallRules = account.GetPeerConnectionResources(context.Background(), "peerC", approvedPeers, account.GetPeersGroupsMap(), account.GetGroupsPolicyMap())
+		peers, firewallRules = account.GetPeerConnectionResources(context.Background(), "peerC", approvedPeers)
 		assert.Len(t, peers, len(account.Groups["GroupSwarm"].Peers))
 		assert.Len(t, firewallRules, len(account.Groups["GroupSwarm"].Peers))

@@ -748,14 +768,14 @@ func TestAccount_getPeersByPolicyPostureChecks(t *testing.T) {

 		// peerE doesn't fulfill the NB posture check and exists in only destination group Swarm,
 		// all source group peers satisfying the NB posture check should establish connection
-		peers, firewallRules = account.GetPeerConnectionResources(context.Background(), "peerE", approvedPeers, account.GetPeersGroupsMap(), account.GetGroupsPolicyMap())
+		peers, firewallRules = account.GetPeerConnectionResources(context.Background(), "peerE", approvedPeers)
 		assert.Len(t, peers, 3)
 		assert.Len(t, firewallRules, 3)
 		assert.Contains(t, peers, account.Peers["peerA"])
 		assert.Contains(t, peers, account.Peers["peerC"])
 		assert.Contains(t, peers, account.Peers["peerD"])

-		peers, firewallRules = account.GetPeerConnectionResources(context.Background(), "peerA", approvedPeers, account.GetPeersGroupsMap(), account.GetGroupsPolicyMap())
+		peers, firewallRules = account.GetPeerConnectionResources(context.Background(), "peerA", approvedPeers)
 		assert.Len(t, peers, 5)
 		// assert peers from Group Swarm
 		assert.Contains(t, peers, account.Peers["peerD"])
@@ -773,6 +793,7 @@ func TestAccount_getPeersByPolicyPostureChecks(t *testing.T) {
 				Action:    "accept",
 				Protocol:  "tcp",
 				Port:      "80",
+				PolicyID:  "RuleSwarm",
 			},
 			{
 				PeerIP:    "100.65.32.206",
@@ -780,6 +801,7 @@ func TestAccount_getPeersByPolicyPostureChecks(t *testing.T) {
 				Action:    "accept",
 				Protocol:  "tcp",
 				Port:      "80",
+				PolicyID:  "RuleSwarm",
 			},
 			{
 				PeerIP:    "100.65.13.186",
@@ -787,6 +809,7 @@ func TestAccount_getPeersByPolicyPostureChecks(t *testing.T) {
 				Action:    "accept",
 				Protocol:  "tcp",
 				Port:      "80",
+				PolicyID:  "RuleSwarm",
 			},
 			{
 				PeerIP:    "100.65.29.55",
@@ -794,6 +817,7 @@ func TestAccount_getPeersByPolicyPostureChecks(t *testing.T) {
 				Action:    "accept",
 				Protocol:  "tcp",
 				Port:      "80",
+				PolicyID:  "RuleSwarm",
 			},
 			{
 				PeerIP:    "100.65.254.139",
@@ -801,6 +825,7 @@ func TestAccount_getPeersByPolicyPostureChecks(t *testing.T) {
 				Action:    "accept",
 				Protocol:  "tcp",
 				Port:      "80",
+				PolicyID:  "RuleSwarm",
 			},
 			{
 				PeerIP:    "100.65.62.5",
@@ -808,6 +833,7 @@ func TestAccount_getPeersByPolicyPostureChecks(t *testing.T) {
 				Action:    "accept",
 				Protocol:  "tcp",
 				Port:      "80",
+				PolicyID:  "RuleSwarm",
 			},
 		}
 		assert.Len(t, firewallRules, len(expectedFirewallRules))
--- a/management/server/route.go
+++ b/management/server/route.go
@@ -388,6 +388,7 @@ func toProtocolRoutesFirewallRules(rules []*types.RouteFirewallRule) []*proto.Ro
 			Protocol:     getProtoProtocol(rule.Protocol),
 			PortInfo:     getProtoPortInfo(rule),
 			IsDynamic:    rule.IsDynamic,
+			PolicyID:     []byte(rule.PolicyID),
 		}
 	}

--- a/management/server/store/sql_store.go
+++ b/management/server/store/sql_store.go
@@ -2185,6 +2185,7 @@ func (s *SqlStore) GetPeerByIP(ctx context.Context, lockStrength LockingStrength
 	result := s.db.Clauses(clause.Locking{Strength: string(lockStrength)}).
 		First(&peer, "account_id = ? AND ip = ?", accountID, jsonValue)
 	if result.Error != nil {
+		log.WithContext(ctx).Errorf("failed to get peer from the store: %s", result.Error)
 		return nil, status.Errorf(status.Internal, "failed to get peer from store")
 	}

--- a/management/server/types/account.go
+++ b/management/server/types/account.go
@@ -225,8 +225,6 @@ func (a *Account) GetPeerNetworkMap(
 	validatedPeersMap map[string]struct{},
 	resourcePolicies map[string][]*Policy,
 	routers map[string]map[string]*routerTypes.NetworkRouter,
-	peersGroups map[string][]string,
-	groupsPolicies map[string]map[string]*Policy,
 	metrics *telemetry.AccountManagerMetrics,
 ) *NetworkMap {
 	start := time.Now()
@@ -244,7 +242,7 @@ func (a *Account) GetPeerNetworkMap(
 		}
 	}

-	aclPeers, firewallRules := a.GetPeerConnectionResources(ctx, peerID, validatedPeersMap, peersGroups, groupsPolicies)
+	aclPeers, firewallRules := a.GetPeerConnectionResources(ctx, peerID, validatedPeersMap)
 	// exclude expired peers
 	var peersToConnect []*nbpeer.Peer
 	var expiredPeers []*nbpeer.Peer
@@ -947,54 +945,37 @@ func (a *Account) UserGroupsRemoveFromPeers(userID string, groups ...string) map
 // GetPeerConnectionResources for a given peer
 //
 // This function returns the list of peers and firewall rules that are applicable to a given peer.
-func (a *Account) GetPeerConnectionResources(
-	ctx context.Context,
-	peerID string,
-	validatedPeersMap map[string]struct{},
-	peersGroups map[string][]string,
-	groupsPolicies map[string]map[string]*Policy,
-) ([]*nbpeer.Peer, []*FirewallRule) {
+func (a *Account) GetPeerConnectionResources(ctx context.Context, peerID string, validatedPeersMap map[string]struct{}) ([]*nbpeer.Peer, []*FirewallRule) {
 	generateResources, getAccumulatedResources := a.connResourcesGenerator(ctx)
-	groups, ok := peersGroups[peerID]
-	if !ok {
-		return nil, nil
-	}
-
-	for _, group := range groups {
-		policiesPerGroup, ok := groupsPolicies[group]
-		if !ok {
+	for _, policy := range a.Policies {
+		if !policy.Enabled {
 			continue
 		}
-		for _, policy := range policiesPerGroup {
-			if !policy.Enabled {
+
+		for _, rule := range policy.Rules {
+			if !rule.Enabled {
 				continue
 			}

-			for _, rule := range policy.Rules {
-				if !rule.Enabled {
-					continue
-				}
-
-				sourcePeers, peerInSources := a.getAllPeersFromGroups(ctx, rule.Sources, peerID, policy.SourcePostureChecks, validatedPeersMap)
-				destinationPeers, peerInDestinations := a.getAllPeersFromGroups(ctx, rule.Destinations, peerID, nil, validatedPeersMap)
-
-				if rule.Bidirectional {
-					if peerInSources {
-						generateResources(rule, destinationPeers, FirewallRuleDirectionIN)
-					}
-					if peerInDestinations {
-						generateResources(rule, sourcePeers, FirewallRuleDirectionOUT)
-					}
-				}
+			sourcePeers, peerInSources := a.getAllPeersFromGroups(ctx, rule.Sources, peerID, policy.SourcePostureChecks, validatedPeersMap)
+			destinationPeers, peerInDestinations := a.getAllPeersFromGroups(ctx, rule.Destinations, peerID, nil, validatedPeersMap)

+			if rule.Bidirectional {
 				if peerInSources {
-					generateResources(rule, destinationPeers, FirewallRuleDirectionOUT)
+					generateResources(rule, destinationPeers, FirewallRuleDirectionIN)
 				}
-
 				if peerInDestinations {
-					generateResources(rule, sourcePeers, FirewallRuleDirectionIN)
+					generateResources(rule, sourcePeers, FirewallRuleDirectionOUT)
 				}
 			}
+
+			if peerInSources {
+				generateResources(rule, destinationPeers, FirewallRuleDirectionOUT)
+			}
+
+			if peerInDestinations {
+				generateResources(rule, sourcePeers, FirewallRuleDirectionIN)
+			}
 		}
 	}

@@ -1006,7 +987,7 @@ func (a *Account) GetPeerConnectionResources(
 // The generator function is used to generate the list of peers and firewall rules that are applicable to a given peer.
 // It safe to call the generator function multiple times for same peer and different rules no duplicates will be
 // generated. The accumulator function returns the result of all the generator calls.
-func (a *Account) connResourcesGenerator(ctx context.Context) (func(*PolicyRule, map[string]*nbpeer.Peer, int), func() ([]*nbpeer.Peer, []*FirewallRule)) {
+func (a *Account) connResourcesGenerator(ctx context.Context) (func(*PolicyRule, []*nbpeer.Peer, int), func() ([]*nbpeer.Peer, []*FirewallRule)) {
 	rulesExists := make(map[string]struct{})
 	peersExists := make(map[string]struct{})
 	rules := make([]*FirewallRule, 0)
@@ -1018,7 +999,7 @@ func (a *Account) connResourcesGenerator(ctx context.Context) (func(*PolicyRule,
 		all = &Group{}
 	}

-	return func(rule *PolicyRule, groupPeers map[string]*nbpeer.Peer, direction int) {
+	return func(rule *PolicyRule, groupPeers []*nbpeer.Peer, direction int) {
 			isAll := (len(all.Peers) - 1) == len(groupPeers)
 			for _, peer := range groupPeers {
 				if peer == nil {
@@ -1031,6 +1012,7 @@ func (a *Account) connResourcesGenerator(ctx context.Context) (func(*PolicyRule,
 				}

 				fr := FirewallRule{
+					PolicyID:  rule.ID,
 					PeerIP:    peer.IP.String(),
 					Direction: direction,
 					Action:    string(rule.Action),
@@ -1071,38 +1053,32 @@ func (a *Account) connResourcesGenerator(ctx context.Context) (func(*PolicyRule,
 //
 // Important: Posture checks are applicable only to source group peers,
 // for destination group peers, call this method with an empty list of sourcePostureChecksIDs
-func (a *Account) getAllPeersFromGroups(ctx context.Context, groups []string, peerID string, sourcePostureChecksIDs []string, validatedPeersMap map[string]struct{}) (map[string]*nbpeer.Peer, bool) {
+func (a *Account) getAllPeersFromGroups(ctx context.Context, groups []string, peerID string, sourcePostureChecksIDs []string, validatedPeersMap map[string]struct{}) ([]*nbpeer.Peer, bool) {
 	peerInGroups := false
-	filteredPeers := make(map[string]*nbpeer.Peer)
-	for _, groupID := range groups {
-		group := a.GetGroup(groupID)
-		for _, p := range group.Peers {
-			peer, ok := a.Peers[p]
-			if !ok || peer == nil {
-				continue
-			}
-
-			if _, ok := filteredPeers[p]; ok {
-				continue
-			}
-
-			// validate the peer based on policy posture checks applied
-			isValid := a.validatePostureChecksOnPeer(ctx, sourcePostureChecksIDs, peer.ID)
-			if !isValid {
-				continue
-			}
-
-			if _, ok := validatedPeersMap[peer.ID]; !ok {
-				continue
-			}
-
-			if peer.ID == peerID {
-				peerInGroups = true
-				continue
-			}
-
-			filteredPeers[p] = peer
+	uniquePeerIDs := a.getUniquePeerIDsFromGroupsIDs(ctx, groups)
+	filteredPeers := make([]*nbpeer.Peer, 0, len(uniquePeerIDs))
+	for _, p := range uniquePeerIDs {
+		peer, ok := a.Peers[p]
+		if !ok || peer == nil {
+			continue
 		}
+
+		// validate the peer based on policy posture checks applied
+		isValid := a.validatePostureChecksOnPeer(ctx, sourcePostureChecksIDs, peer.ID)
+		if !isValid {
+			continue
+		}
+
+		if _, ok := validatedPeersMap[peer.ID]; !ok {
+			continue
+		}
+
+		if peer.ID == peerID {
+			peerInGroups = true
+			continue
+		}
+
+		filteredPeers = append(filteredPeers, peer)
 	}

 	return filteredPeers, peerInGroups
@@ -1343,7 +1319,7 @@ func (a *Account) GetResourcePoliciesMap() map[string][]*Policy {
 func (a *Account) GetNetworkResourcesRoutesToSync(ctx context.Context, peerID string, resourcePolicies map[string][]*Policy, routers map[string]map[string]*routerTypes.NetworkRouter) (bool, []*route.Route, map[string]struct{}) {
 	var isRoutingPeer bool
 	var routes []*route.Route
-	allSourcePeers := make(map[string]struct{})
+	allSourcePeers := make(map[string]struct{}, len(a.Peers))

 	for _, resource := range a.NetworkResources {
 		if !resource.Enabled {
@@ -1367,7 +1343,7 @@ func (a *Account) GetNetworkResourcesRoutesToSync(ctx context.Context, peerID st
 				for _, pID := range a.getPostureValidPeers(peers, policy.SourcePostureChecks) {
 					allSourcePeers[pID] = struct{}{}
 				}
-			} else if _, ok := peers[peerID]; ok && a.validatePostureChecksOnPeer(ctx, policy.SourcePostureChecks, peerID) {
+			} else if slices.Contains(peers, peerID) && a.validatePostureChecksOnPeer(ctx, policy.SourcePostureChecks, peerID) {
 				// add routes for the resource if the peer is in the distribution group
 				for peerId, router := range networkRoutingPeers {
 					routes = append(routes, a.getNetworkResourcesRoutes(resource, peerId, router, resourcePolicies)...)
@@ -1383,9 +1359,9 @@ func (a *Account) GetNetworkResourcesRoutesToSync(ctx context.Context, peerID st
 	return isRoutingPeer, routes, allSourcePeers
 }

-func (a *Account) getPostureValidPeers(inputPeers map[string]struct{}, postureChecksIDs []string) []string {
+func (a *Account) getPostureValidPeers(inputPeers []string, postureChecksIDs []string) []string {
 	var dest []string
-	for peerID := range inputPeers {
+	for _, peerID := range inputPeers {
 		if a.validatePostureChecksOnPeer(context.Background(), postureChecksIDs, peerID) {
 			dest = append(dest, peerID)
 		}
@@ -1393,7 +1369,7 @@ func (a *Account) getPostureValidPeers(inputPeers map[string]struct{}, postureCh
 	return dest
 }

-func (a *Account) getUniquePeerIDsFromGroupsIDs(ctx context.Context, groups []string) map[string]struct{} {
+func (a *Account) getUniquePeerIDsFromGroupsIDs(ctx context.Context, groups []string) []string {
 	peerIDs := make(map[string]struct{}, len(groups)) // we expect at least one peer per group as initial capacity
 	for _, groupID := range groups {
 		group := a.GetGroup(groupID)
@@ -1402,21 +1378,21 @@ func (a *Account) getUniquePeerIDsFromGroupsIDs(ctx context.Context, groups []st
 			continue
 		}

-		// if group.IsGroupAll() || len(groups) == 1 {
-		// 	return group.Peers
-		// }
+		if group.IsGroupAll() || len(groups) == 1 {
+			return group.Peers
+		}

 		for _, peerID := range group.Peers {
 			peerIDs[peerID] = struct{}{}
 		}
 	}

-	// ids := make([]string, 0, len(peerIDs))
-	// for peerID := range peerIDs {
-	// 	ids = append(ids, peerID)
-	// }
+	ids := make([]string, 0, len(peerIDs))
+	for peerID := range peerIDs {
+		ids = append(ids, peerID)
+	}

-	return peerIDs
+	return ids
 }

 // getNetworkResources filters and returns a list of network resources associated with the given network ID.
@@ -1591,35 +1567,3 @@ func (a *Account) AddAllGroup() error {
 	}
 	return nil
 }
-
-func (a *Account) GetPeersGroupsMap() map[string][]string {
-	groups := make(map[string][]string, len(a.Groups))
-	for _, group := range a.Groups {
-		for _, peerID := range group.Peers {
-			groups[peerID] = append(groups[peerID], group.ID)
-		}
-	}
-	return groups
-}
-
-func (a *Account) GetGroupsPolicyMap() map[string]map[string]*Policy {
-	policies := make(map[string]map[string]*Policy, len(a.Groups))
-	for _, policy := range a.Policies {
-		for _, rules := range policy.Rules {
-			for _, src := range rules.Sources {
-				if policies[src] == nil {
-					policies[src] = make(map[string]*Policy)
-				}
-				policies[src][policy.ID] = policy
-			}
-			for _, dest := range rules.Destinations {
-				if policies[dest] == nil {
-					policies[dest] = make(map[string]*Policy)
-				}
-				policies[dest][policy.ID] = policy
-			}
-		}
-	}
-
-	return policies
-}
--- a/management/server/types/firewall_rule.go
+++ b/management/server/types/firewall_rule.go
@@ -20,6 +20,9 @@ const (

 // FirewallRule is a rule of the firewall.
 type FirewallRule struct {
+	// PolicyID is the ID of the policy this rule is derived from
+	PolicyID string
+
 	// PeerIP of the peer
 	PeerIP string

@@ -58,6 +61,7 @@ func generateRouteFirewallRules(ctx context.Context, route *nbroute.Route, rule
 	}

 	baseRule := RouteFirewallRule{
+		PolicyID:     rule.PolicyID,
 		SourceRanges: sourceRanges,
 		Action:       string(rule.Action),
 		Destination:  route.Network.String(),
--- a/management/server/types/route_firewall_rule.go
+++ b/management/server/types/route_firewall_rule.go
@@ -6,6 +6,9 @@ import (

 // RouteFirewallRule a firewall rule applicable for a routed network.
 type RouteFirewallRule struct {
+	// PolicyID is the ID of the policy this rule is derived from
+	PolicyID string
+
 	// SourceRanges IP ranges of the routing peers.
 	SourceRanges []string
Author	SHA1	Message	Date
bcmmbaga	70398ea125	remove duplicate PolicyID from FirewallRule struct Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>	2025-03-14 14:08:36 +03:00
bcmmbaga	9fa75e0ac5	Merge branch 'feature/flow' into restore-pr-3440	2025-03-14 14:03:11 +03:00
hakansa	64f27aee55	[client] add resource id fields to netflow events (#3445 ) * [client] add resource id fields to netflow events	2025-03-14 18:57:23 +08:00
hakansa	78b86e0beb	[management] fix force-push to feature/flow branch (#3500 )	2025-03-14 01:36:46 +08:00
bcmmbaga	18871b554f	Merge branch 'main' into feature/flow	2025-03-11 15:06:24 +03:00
Pascal Fischer	67ae871ce4	[management] return empty array instead of null on networks endpoints (#3480 )	2025-03-11 00:20:54 +01:00
Maycon Santos	39ff5e833a	[misc] Update slack invite link (#3479 )	2025-03-11 00:12:11 +01:00
Viktor Liu	89a55bcf4e	Add policy IDs to firewall rules (#3440 )	2025-03-05 14:12:14 +01:00