[client] Log lock acquisition time in receive message handling (#5393 )

* Log lock acquisition time in receive message handling * use offerAnswer.SessionID for session id
[ios] Ensure route settlement on iOS before handling DNS responses (#5360 )
2026-05-08 17:59:56 +00:00 · 2026-02-19 19:18:47 +01:00 · 2026-02-19 18:53:10 +01:00 · 2026-02-19 18:34:28 +01:00 · 2026-02-19 11:23:42 +01:00 · 2026-02-19 08:14:11 +01:00
22 changed files with 1915 additions and 278 deletions
--- a/.github/workflows/golang-test-linux.yml
+++ b/.github/workflows/golang-test-linux.yml
@@ -409,12 +409,19 @@ jobs:
        run: git --no-pager diff --exit-code
      - name: Login to Docker hub
-        if: matrix.store == 'mysql' && (github.repository == github.head.repo.full_name || !github.head_ref)
+        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
      - name: docker login for root user
        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
        env:
          DOCKER_USER: ${{ secrets.DOCKER_USER }}
          DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
        run: echo "$DOCKER_TOKEN" | sudo docker login --username "$DOCKER_USER" --password-stdin
      - name: download mysql image
        if: matrix.store == 'mysql'
        run: docker pull mlsmaycon/warmed-mysql:8
@@ -497,15 +504,18 @@ jobs:
        run: git --no-pager diff --exit-code
      - name: Login to Docker hub
-        if: matrix.store == 'mysql' && (github.repository == github.head.repo.full_name || !github.head_ref)
+        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
-      - name: download mysql image
+      - name: docker login for root user
-        if: matrix.store == 'mysql'
+        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        run: docker pull mlsmaycon/warmed-mysql:8
+        env:
          DOCKER_USER: ${{ secrets.DOCKER_USER }}
          DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
        run: echo "$DOCKER_TOKEN" | sudo docker login --username "$DOCKER_USER" --password-stdin
      - name: Test
        run: |
@@ -586,15 +596,18 @@ jobs:
        run: git --no-pager diff --exit-code
      - name: Login to Docker hub
-        if: matrix.store == 'mysql' && (github.repository == github.head.repo.full_name || !github.head_ref)
+        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
-      - name: download mysql image
+      - name: docker login for root user
-        if: matrix.store == 'mysql'
+        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        run: docker pull mlsmaycon/warmed-mysql:8
+        env:
          DOCKER_USER: ${{ secrets.DOCKER_USER }}
          DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
        run: echo "$DOCKER_TOKEN" | sudo docker login --username "$DOCKER_USER" --password-stdin
      - name: Test
        run: |
--- a/client/internal/dns/host_darwin.go
+++ b/client/internal/dns/host_darwin.go
@@ -14,6 +14,8 @@ import (
 	"strings"
 	"sync"
 	"github.com/hashicorp/go-multierror"
 	nberrors "github.com/netbirdio/netbird/client/errors"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/exp/maps"
@@ -22,6 +24,7 @@ import (
 const (
 	netbirdDNSStateKeyFormat            = "State:/Network/Service/NetBird-%s/DNS"
 	netbirdDNSStateKeyIndexedFormat     = "State:/Network/Service/NetBird-%s-%d/DNS"
 	globalIPv4State                     = "State:/Network/Global/IPv4"
 	primaryServiceStateKeyFormat        = "State:/Network/Service/%s/DNS"
 	keySupplementalMatchDomains         = "SupplementalMatchDomains"
@@ -35,6 +38,14 @@ const (
 	searchSuffix                        = "Search"
 	matchSuffix                         = "Match"
 	localSuffix                         = "Local"
 	// maxDomainsPerResolverEntry is the max number of domains per scutil resolver key.
 	// scutil's d.add has maxArgs=101 (key + * + 99 values), so 99 is the hard cap.
 	maxDomainsPerResolverEntry = 50
 	// maxDomainBytesPerResolverEntry is the max total bytes of domain strings per key.
 	// scutil has an undocumented ~2048 byte value buffer; we stay well under it.
 	maxDomainBytesPerResolverEntry = 1500
 )
 type systemConfigurator struct {
@@ -84,28 +95,23 @@ func (s *systemConfigurator) applyDNSConfig(config HostDNSConfig, stateManager *
 		searchDomains = append(searchDomains, strings.TrimSuffix(""+dConf.Domain, "."))
 	}
-	matchKey := getKeyWithInput(netbirdDNSStateKeyFormat, matchSuffix)
+	if err := s.removeKeysContaining(matchSuffix); err != nil {
-	var err error
+		log.Warnf("failed to remove old match keys: %v", err)
 	if len(matchDomains) != 0 {
 		err = s.addMatchDomains(matchKey, strings.Join(matchDomains, " "), config.ServerIP, config.ServerPort)
 	} else {
 		log.Infof("removing match domains from the system")
 		err = s.removeKeyFromSystemConfig(matchKey)
 	}
-	if err != nil {
+	if len(matchDomains) != 0 {
-		return fmt.Errorf("add match domains: %w", err)
+		if err := s.addBatchedDomains(matchSuffix, matchDomains, config.ServerIP, config.ServerPort, false); err != nil {
 			return fmt.Errorf("add match domains: %w", err)
 		}
 	}
 	s.updateState(stateManager)
-	searchKey := getKeyWithInput(netbirdDNSStateKeyFormat, searchSuffix)
+	if err := s.removeKeysContaining(searchSuffix); err != nil {
-	if len(searchDomains) != 0 {
+		log.Warnf("failed to remove old search keys: %v", err)
 		err = s.addSearchDomains(searchKey, strings.Join(searchDomains, " "), config.ServerIP, config.ServerPort)
 	} else {
 		log.Infof("removing search domains from the system")
 		err = s.removeKeyFromSystemConfig(searchKey)
 	}
-	if err != nil {
+	if len(searchDomains) != 0 {
-		return fmt.Errorf("add search domains: %w", err)
+		if err := s.addBatchedDomains(searchSuffix, searchDomains, config.ServerIP, config.ServerPort, true); err != nil {
 			return fmt.Errorf("add search domains: %w", err)
 		}
 	}
 	s.updateState(stateManager)
@@ -149,8 +155,7 @@ func (s *systemConfigurator) restoreHostDNS() error {
 func (s *systemConfigurator) getRemovableKeysWithDefaults() []string {
 	if len(s.createdKeys) == 0 {
-		// return defaults for startup calls
+		return s.discoverExistingKeys()
 		return []string{getKeyWithInput(netbirdDNSStateKeyFormat, searchSuffix), getKeyWithInput(netbirdDNSStateKeyFormat, matchSuffix)}
 	}
 	keys := make([]string, 0, len(s.createdKeys))
@@ -160,6 +165,47 @@ func (s *systemConfigurator) getRemovableKeysWithDefaults() []string {
 	return keys
 }
 // discoverExistingKeys probes scutil for all NetBird DNS keys that may exist.
 // This handles the case where createdKeys is empty (e.g., state file lost after unclean shutdown).
 func (s *systemConfigurator) discoverExistingKeys() []string {
 	dnsKeys, err := getSystemDNSKeys()
 	if err != nil {
 		log.Errorf("failed to get system DNS keys: %v", err)
 		return nil
 	}
 	var keys []string
 	for _, suffix := range []string{searchSuffix, matchSuffix, localSuffix} {
 		key := getKeyWithInput(netbirdDNSStateKeyFormat, suffix)
 		if strings.Contains(dnsKeys, key) {
 			keys = append(keys, key)
 		}
 	}
 	for _, suffix := range []string{searchSuffix, matchSuffix} {
 		for i := 0; ; i++ {
 			key := fmt.Sprintf(netbirdDNSStateKeyIndexedFormat, suffix, i)
 			if !strings.Contains(dnsKeys, key) {
 				break
 			}
 			keys = append(keys, key)
 		}
 	}
 	return keys
 }
 // getSystemDNSKeys gets all DNS keys
 func getSystemDNSKeys() (string, error) {
 	command := "list .*DNS\nquit\n"
 	out, err := runSystemConfigCommand(command)
 	if err != nil {
 		return "", err
 	}
 	return string(out), nil
 }
 func (s *systemConfigurator) removeKeyFromSystemConfig(key string) error {
 	line := buildRemoveKeyOperation(key)
 	_, err := runSystemConfigCommand(wrapCommand(line))
@@ -184,12 +230,11 @@ func (s *systemConfigurator) addLocalDNS() error {
 		return nil
 	}
-	if err := s.addSearchDomains(
+	domainsStr := strings.Join(s.systemDNSSettings.Domains, " ")
-		localKey,
+	if err := s.addDNSState(localKey, domainsStr, s.systemDNSSettings.ServerIP, s.systemDNSSettings.ServerPort, true); err != nil {
-		strings.Join(s.systemDNSSettings.Domains, " "), s.systemDNSSettings.ServerIP, s.systemDNSSettings.ServerPort,
+		return fmt.Errorf("add local dns state: %w", err)
 	); err != nil {
 		return fmt.Errorf("add search domains: %w", err)
 	}
 	s.createdKeys[localKey] = struct{}{}
 	return nil
 }
@@ -280,28 +325,77 @@ func (s *systemConfigurator) getOriginalNameservers() []netip.Addr {
 	return slices.Clone(s.origNameservers)
 }
-func (s *systemConfigurator) addSearchDomains(key, domains string, ip netip.Addr, port int) error {
+// splitDomainsIntoBatches splits domains into batches respecting both element count and byte size limits.
-	err := s.addDNSState(key, domains, ip, port, true)
+func splitDomainsIntoBatches(domains []string) [][]string {
-	if err != nil {
+	if len(domains) == 0 {
-		return fmt.Errorf("add dns state: %w", err)
+		return nil
 	}
-	log.Infof("added %d search domains to the state. Domain list: %s", len(strings.Split(domains, " ")), domains)
+	var batches [][]string
 	var current []string
 	currentBytes := 0
-	s.createdKeys[key] = struct{}{}
+	for _, d := range domains {
 		domainLen := len(d)
 		newBytes := currentBytes + domainLen
 		if currentBytes > 0 {
 			newBytes++ // space separator
 		}
-	return nil
+		if len(current) > 0 && (len(current) >= maxDomainsPerResolverEntry || newBytes > maxDomainBytesPerResolverEntry) {
 			batches = append(batches, current)
 			current = nil
 			currentBytes = 0
 		}
 		current = append(current, d)
 		if currentBytes > 0 {
 			currentBytes += 1 + domainLen
 		} else {
 			currentBytes = domainLen
 		}
 	}
 	if len(current) > 0 {
 		batches = append(batches, current)
 	}
 	return batches
 }
-func (s *systemConfigurator) addMatchDomains(key, domains string, dnsServer netip.Addr, port int) error {
+// removeKeysContaining removes all created keys that contain the given substring.
-	err := s.addDNSState(key, domains, dnsServer, port, false)
+func (s *systemConfigurator) removeKeysContaining(suffix string) error {
-	if err != nil {
+	var toRemove []string
-		return fmt.Errorf("add dns state: %w", err)
+	for key := range s.createdKeys {
 		if strings.Contains(key, suffix) {
 			toRemove = append(toRemove, key)
 		}
 	}
 	var multiErr *multierror.Error
 	for _, key := range toRemove {
 		if err := s.removeKeyFromSystemConfig(key); err != nil {
 			multiErr = multierror.Append(multiErr, fmt.Errorf("couldn't remove key %s: %w", key, err))
 		}
 	}
 	return nberrors.FormatErrorOrNil(multiErr)
 }
 // addBatchedDomains splits domains into batches and creates indexed scutil keys for each batch.
 func (s *systemConfigurator) addBatchedDomains(suffix string, domains []string, ip netip.Addr, port int, enableSearch bool) error {
 	batches := splitDomainsIntoBatches(domains)
 	for i, batch := range batches {
 		key := fmt.Sprintf(netbirdDNSStateKeyIndexedFormat, suffix, i)
 		domainsStr := strings.Join(batch, " ")
 		if err := s.addDNSState(key, domainsStr, ip, port, enableSearch); err != nil {
 			return fmt.Errorf("add dns state for batch %d: %w", i, err)
 		}
 		s.createdKeys[key] = struct{}{}
 	}
-	log.Infof("added %d match domains to the state. Domain list: %s", len(strings.Split(domains, " ")), domains)
+	log.Infof("added %d %s domains across %d resolver entries", len(domains), suffix, len(batches))
 	s.createdKeys[key] = struct{}{}
 	return nil
 }
@@ -364,7 +458,6 @@ func (s *systemConfigurator) flushDNSCache() error {
 	if out, err := cmd.CombinedOutput(); err != nil {
 		return fmt.Errorf("restart mDNSResponder: %w, output: %s", err, out)
 	}
 	log.Info("flushed DNS cache")
 	return nil
 }
--- a/client/internal/dns/host_darwin_test.go
+++ b/client/internal/dns/host_darwin_test.go
@@ -3,7 +3,10 @@
 package dns
 import (
 	"bufio"
 	"bytes"
 	"context"
 	"fmt"
 	"net/netip"
 	"os/exec"
 	"path/filepath"
@@ -49,17 +52,22 @@ func TestDarwinDNSUncleanShutdownCleanup(t *testing.T) {
 	require.NoError(t, sm.PersistState(context.Background()))
 	searchKey := getKeyWithInput(netbirdDNSStateKeyFormat, searchSuffix)
 	matchKey := getKeyWithInput(netbirdDNSStateKeyFormat, matchSuffix)
 	localKey := getKeyWithInput(netbirdDNSStateKeyFormat, localSuffix)
 	// Collect all created keys for cleanup verification
 	createdKeys := make([]string, 0, len(configurator.createdKeys))
 	for key := range configurator.createdKeys {
 		createdKeys = append(createdKeys, key)
 	}
 	defer func() {
-		for _, key := range []string{searchKey, matchKey, localKey} {
+		for _, key := range createdKeys {
 			_ = removeTestDNSKey(key)
 		}
 		_ = removeTestDNSKey(localKey)
 	}()
-	for _, key := range []string{searchKey, matchKey, localKey} {
+	for _, key := range createdKeys {
 		exists, err := checkDNSKeyExists(key)
 		require.NoError(t, err)
 		if exists {
@@ -83,13 +91,223 @@ func TestDarwinDNSUncleanShutdownCleanup(t *testing.T) {
 	err = shutdownState.Cleanup()
 	require.NoError(t, err)
-	for _, key := range []string{searchKey, matchKey, localKey} {
+	for _, key := range createdKeys {
 		exists, err := checkDNSKeyExists(key)
 		require.NoError(t, err)
 		assert.False(t, exists, "Key %s should NOT exist after cleanup", key)
 	}
 }
 // generateShortDomains generates domains like a.com, b.com, ..., aa.com, ab.com, etc.
 func generateShortDomains(count int) []string {
 	domains := make([]string, 0, count)
 	for i := range count {
 		label := ""
 		n := i
 		for {
 			label = string(rune('a'+n%26)) + label
 			n = n/26 - 1
 			if n < 0 {
 				break
 			}
 		}
 		domains = append(domains, label+".com")
 	}
 	return domains
 }
 // generateLongDomains generates domains like subdomain-000.department.organization-name.example.com
 func generateLongDomains(count int) []string {
 	domains := make([]string, 0, count)
 	for i := range count {
 		domains = append(domains, fmt.Sprintf("subdomain-%03d.department.organization-name.example.com", i))
 	}
 	return domains
 }
 // readDomainsFromKey reads the SupplementalMatchDomains array back from scutil for a given key.
 func readDomainsFromKey(t *testing.T, key string) []string {
 	t.Helper()
 	cmd := exec.Command(scutilPath)
 	cmd.Stdin = strings.NewReader(fmt.Sprintf("open\nshow %s\nquit\n", key))
 	out, err := cmd.Output()
 	require.NoError(t, err, "scutil show should succeed")
 	var domains []string
 	inArray := false
 	scanner := bufio.NewScanner(bytes.NewReader(out))
 	for scanner.Scan() {
 		line := strings.TrimSpace(scanner.Text())
 		if strings.HasPrefix(line, "SupplementalMatchDomains") && strings.Contains(line, "<array>") {
 			inArray = true
 			continue
 		}
 		if inArray {
 			if line == "}" {
 				break
 			}
 			// lines look like: "0 : a.com"
 			parts := strings.SplitN(line, " : ", 2)
 			if len(parts) == 2 {
 				domains = append(domains, parts[1])
 			}
 		}
 	}
 	require.NoError(t, scanner.Err())
 	return domains
 }
 func TestSplitDomainsIntoBatches(t *testing.T) {
 	tests := []struct {
 		name            string
 		domains         []string
 		expectedCount   int
 		checkAllPresent bool
 	}{
 		{
 			name:          "empty",
 			domains:       nil,
 			expectedCount: 0,
 		},
 		{
 			name:            "under_limit",
 			domains:         generateShortDomains(10),
 			expectedCount:   1,
 			checkAllPresent: true,
 		},
 		{
 			name:            "at_element_limit",
 			domains:         generateShortDomains(50),
 			expectedCount:   1,
 			checkAllPresent: true,
 		},
 		{
 			name:            "over_element_limit",
 			domains:         generateShortDomains(51),
 			expectedCount:   2,
 			checkAllPresent: true,
 		},
 		{
 			name:            "triple_element_limit",
 			domains:         generateShortDomains(150),
 			expectedCount:   3,
 			checkAllPresent: true,
 		},
 		{
 			name:            "long_domains_hit_byte_limit",
 			domains:         generateLongDomains(50),
 			checkAllPresent: true,
 		},
 		{
 			name:            "500_short_domains",
 			domains:         generateShortDomains(500),
 			expectedCount:   10,
 			checkAllPresent: true,
 		},
 		{
 			name:            "500_long_domains",
 			domains:         generateLongDomains(500),
 			checkAllPresent: true,
 		},
 	}
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
 			batches := splitDomainsIntoBatches(tc.domains)
 			if tc.expectedCount > 0 {
 				assert.Len(t, batches, tc.expectedCount, "expected %d batches", tc.expectedCount)
 			}
 			// Verify each batch respects limits
 			for i, batch := range batches {
 				assert.LessOrEqual(t, len(batch), maxDomainsPerResolverEntry,
 					"batch %d exceeds element limit", i)
 				totalBytes := 0
 				for j, d := range batch {
 					if j > 0 {
 						totalBytes++
 					}
 					totalBytes += len(d)
 				}
 				assert.LessOrEqual(t, totalBytes, maxDomainBytesPerResolverEntry,
 					"batch %d exceeds byte limit (%d bytes)", i, totalBytes)
 			}
 			if tc.checkAllPresent {
 				var all []string
 				for _, batch := range batches {
 					all = append(all, batch...)
 				}
 				assert.Equal(t, tc.domains, all, "all domains should be present in order")
 			}
 		})
 	}
 }
 // TestMatchDomainBatching writes increasing numbers of domains via the batching mechanism
 // and verifies all domains are readable across multiple scutil keys.
 func TestMatchDomainBatching(t *testing.T) {
 	if testing.Short() {
 		t.Skip("skipping scutil integration test in short mode")
 	}
 	testCases := []struct {
 		name      string
 		count     int
 		generator func(int) []string
 	}{
 		{"short_10", 10, generateShortDomains},
 		{"short_50", 50, generateShortDomains},
 		{"short_100", 100, generateShortDomains},
 		{"short_200", 200, generateShortDomains},
 		{"short_500", 500, generateShortDomains},
 		{"long_10", 10, generateLongDomains},
 		{"long_50", 50, generateLongDomains},
 		{"long_100", 100, generateLongDomains},
 		{"long_200", 200, generateLongDomains},
 		{"long_500", 500, generateLongDomains},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			configurator := &systemConfigurator{
 				createdKeys: make(map[string]struct{}),
 			}
 			defer func() {
 				for key := range configurator.createdKeys {
 					_ = removeTestDNSKey(key)
 				}
 			}()
 			domains := tc.generator(tc.count)
 			err := configurator.addBatchedDomains(matchSuffix, domains, netip.MustParseAddr("100.64.0.1"), 53, false)
 			require.NoError(t, err)
 			batches := splitDomainsIntoBatches(domains)
 			t.Logf("wrote %d domains across %d batched keys", tc.count, len(batches))
 			// Read back all domains from all batched keys
 			var got []string
 			for i := range batches {
 				key := fmt.Sprintf(netbirdDNSStateKeyIndexedFormat, matchSuffix, i)
 				exists, err := checkDNSKeyExists(key)
 				require.NoError(t, err)
 				require.True(t, exists, "key %s should exist", key)
 				got = append(got, readDomainsFromKey(t, key)...)
 			}
 			t.Logf("read back %d/%d domains from %d keys", len(got), tc.count, len(batches))
 			assert.Equal(t, tc.count, len(got), "all domains should be readable")
 			assert.Equal(t, domains, got, "domains should match in order")
 		})
 	}
 }
 func checkDNSKeyExists(key string) (bool, error) {
 	cmd := exec.Command(scutilPath)
 	cmd.Stdin = strings.NewReader("show " + key + "\nquit\n")
@@ -158,15 +376,15 @@ func setupTestConfigurator(t *testing.T) (*systemConfigurator, *statemanager.Man
 		createdKeys: make(map[string]struct{}),
 	}
 	searchKey := getKeyWithInput(netbirdDNSStateKeyFormat, searchSuffix)
 	matchKey := getKeyWithInput(netbirdDNSStateKeyFormat, matchSuffix)
 	localKey := getKeyWithInput(netbirdDNSStateKeyFormat, localSuffix)
 	cleanup := func() {
 		_ = sm.Stop(context.Background())
-		for _, key := range []string{searchKey, matchKey, localKey} {
+		for key := range configurator.createdKeys {
 			_ = removeTestDNSKey(key)
 		}
 		// Also clean up old-format keys and local key in case they exist
 		_ = removeTestDNSKey(getKeyWithInput(netbirdDNSStateKeyFormat, searchSuffix))
 		_ = removeTestDNSKey(getKeyWithInput(netbirdDNSStateKeyFormat, matchSuffix))
 		_ = removeTestDNSKey(getKeyWithInput(netbirdDNSStateKeyFormat, localSuffix))
 	}
 	return configurator, sm, cleanup
--- a/client/internal/engine.go
+++ b/client/internal/engine.go
@@ -28,8 +28,8 @@ import (
 	"github.com/netbirdio/netbird/client/firewall"
 	firewallManager "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface"
 	nbnetstack "github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/iface/device"
 	nbnetstack "github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/internal/acl"
 	"github.com/netbirdio/netbird/client/internal/debug"
@@ -1562,8 +1562,10 @@ func (e *Engine) receiveSignalEvents() {
 		defer e.shutdownWg.Done()
 		// connect to a stream of messages coming from the signal server
 		err := e.signal.Receive(e.ctx, func(msg *sProto.Message) error {
 			start := time.Now()
 			e.syncMsgMux.Lock()
 			defer e.syncMsgMux.Unlock()
 			gotLock := time.Since(start)
 			// Check context INSIDE lock to ensure atomicity with shutdown
 			if e.ctx.Err() != nil {
@@ -1587,6 +1589,8 @@ func (e *Engine) receiveSignalEvents() {
 					return err
 				}
 				log.Debugf("receiveMSG: took %s to get lock for peer %s with session id %s", gotLock, msg.Key, offerAnswer.SessionID)
 				if msg.Body.Type == sProto.Body_OFFER {
 					conn.OnRemoteOffer(*offerAnswer)
 				} else {
--- a/client/internal/routemanager/dnsinterceptor/handler.go
+++ b/client/internal/routemanager/dnsinterceptor/handler.go
@@ -351,6 +351,11 @@ func (d *DnsInterceptor) writeMsg(w dns.ResponseWriter, r *dns.Msg, logger *log.
 				logger.Errorf("failed to update domain prefixes: %v", err)
 			}
 			// Allow time for route changes to be applied before sending
 			// the DNS response (relevant on iOS where setTunnelNetworkSettings
 			// is asynchronous).
 			waitForRouteSettlement(logger)
 			d.replaceIPsInDNSResponse(r, newPrefixes, logger)
 		}
 	}
--- a/client/internal/routemanager/dnsinterceptor/handler_ios.go
+++ b/client/internal/routemanager/dnsinterceptor/handler_ios.go
@@ -0,0 +1,20 @@
 //go:build ios
 package dnsinterceptor
 import (
 	"time"
 	log "github.com/sirupsen/logrus"
 )
 const routeSettleDelay = 500 * time.Millisecond
 // waitForRouteSettlement introduces a short delay on iOS to allow
 // setTunnelNetworkSettings to apply route changes before the DNS
 // response reaches the application. Without this, the first request
 // to a newly resolved domain may bypass the tunnel.
 func waitForRouteSettlement(logger *log.Entry) {
 	logger.Tracef("waiting %v for iOS route settlement", routeSettleDelay)
 	time.Sleep(routeSettleDelay)
 }
--- a/client/internal/routemanager/dnsinterceptor/handler_nonios.go
+++ b/client/internal/routemanager/dnsinterceptor/handler_nonios.go
@@ -0,0 +1,12 @@
 //go:build !ios
 package dnsinterceptor
 import log "github.com/sirupsen/logrus"
 func waitForRouteSettlement(_ *log.Entry) {
 	// No-op on non-iOS platforms: route changes are applied synchronously by
 	// the kernel, so no settlement delay is needed before the DNS response
 	// reaches the application. The delay is only required on iOS where
 	// setTunnelNetworkSettings applies routes asynchronously.
 }
--- a/combined/config-simple.yaml.example
+++ b/combined/config-simple.yaml.example
@@ -1,111 +0,0 @@
 # NetBird Combined Server Configuration
 # Copy this file to config.yaml and customize for your deployment
 #
 # This is a Management server with optional embedded Signal, Relay, and STUN services.
 # By default, all services run locally. You can use external services instead by
 # setting the corresponding override fields.
 #
 # Architecture:
 #   - Management: Always runs locally (this IS the management server)
 #   - Signal: Local by default; set 'signalUri' to use external (disables local)
 #   - Relay: Local by default; set 'relays' to use external (disables local)
 #   - STUN: Local on port 3478 by default; set 'stuns' to use external instead
 server:
  # Main HTTP/gRPC port for all services (Management, Signal, Relay)
  listenAddress: ":443"
  # Public address that peers will use to connect to this server
  # Used for relay connections and management DNS domain
  # Format: protocol://hostname:port (e.g., https://server.mycompany.com:443)
  exposedAddress: "https://server.mycompany.com:443"
  # STUN server ports (defaults to [3478] if not specified; set 'stuns' to use external)
  # stunPorts:
  #   - 3478
  # Metrics endpoint port
  metricsPort: 9090
  # Healthcheck endpoint address
  healthcheckAddress: ":9000"
  # Logging configuration
  logLevel: "info"    # Default log level for all components: panic, fatal, error, warn, info, debug, trace
  logFile: "console"  # "console" or path to log file
  # TLS configuration (optional)
  tls:
    certFile: ""
    keyFile: ""
    letsencrypt:
      enabled: false
      dataDir: ""
      domains: []
      email: ""
      awsRoute53: false
  # Shared secret for relay authentication (required when running local relay)
  authSecret: "your-secret-key-here"
  # Data directory for all services
  dataDir: "/var/lib/netbird/"
  # ============================================================================
  # External Service Overrides (optional)
  # Use these to point to external Signal, Relay, or STUN servers instead of
  # running them locally. When set, the corresponding local service is disabled.
  # ============================================================================
  # External STUN servers - disables local STUN server
  # stuns:
  #   - uri: "stun:stun.example.com:3478"
  #   - uri: "stun:stun.example.com:3479"
  # External relay servers - disables local relay server
  # relays:
  #   addresses:
  #     - "rels://relay.example.com:443"
  #   credentialsTTL: "12h"
  #   secret: "relay-shared-secret"
  # External signal server - disables local signal server
  # signalUri: "https://signal.example.com:443"
  # ============================================================================
  # Management Settings
  # ============================================================================
  # Metrics and updates
  disableAnonymousMetrics: false
  disableGeoliteUpdate: false
  # Embedded authentication/identity provider (Dex) configuration (always enabled)
  auth:
    # OIDC issuer URL - must be publicly accessible
    issuer: "https://server.mycompany.com/oauth2"
    localAuthDisabled: false
    signKeyRefreshEnabled: false
    # OAuth2 redirect URIs for dashboard
    dashboardRedirectURIs:
      - "https://app.netbird.io/nb-auth"
      - "https://app.netbird.io/nb-silent-auth"
    # OAuth2 redirect URIs for CLI
    cliRedirectURIs:
      - "http://localhost:53000/"
    # Optional initial admin user
    # owner:
    #   email: "admin@example.com"
    #   password: "initial-password"
  # Store configuration
  store:
    engine: "sqlite"  # sqlite, postgres, or mysql
    dsn: ""  # Connection string for postgres or mysql
    encryptionKey: ""
  # Reverse proxy settings (optional)
  # reverseProxy:
  #   trustedHTTPProxies: []
  #   trustedHTTPProxiesCount: 0
  #   trustedPeers: []
--- a/combined/config.yaml.example
+++ b/combined/config.yaml.example
@@ -1,11 +1,29 @@
-# Simplified Combined NetBird Server Configuration
+# NetBird Combined Server Configuration
 # Copy this file to config.yaml and customize for your deployment
 #
 # This is a Management server with optional embedded Signal, Relay, and STUN services.
 # By default, all services run locally. You can use external services instead by
 # setting the corresponding override fields.
 #
 # Architecture:
 #   - Management: Always runs locally (this IS the management server)
 #   - Signal: Local by default; set 'signalUri' to use external (disables local)
 #   - Relay: Local by default; set 'relays' to use external (disables local)
 #   - STUN: Local on port 3478 by default; set 'stuns' to use external instead
 # Server-wide settings
 server:
  # Main HTTP/gRPC port for all services (Management, Signal, Relay)
  listenAddress: ":443"
  # Public address that peers will use to connect to this server
  # Used for relay connections and management DNS domain
  # Format: protocol://hostname:port (e.g., https://server.mycompany.com:443)
  exposedAddress: "https://server.mycompany.com:443"
  # STUN server ports (defaults to [3478] if not specified; set 'stuns' to use external)
  # stunPorts:
  #   - 3478
  # Metrics endpoint port
  metricsPort: 9090
@@ -13,7 +31,7 @@ server:
  healthcheckAddress: ":9000"
  # Logging configuration
-  logLevel: "info"    # panic, fatal, error, warn, info, debug, trace
+  logLevel: "info"    # Default log level for all components: panic, fatal, error, warn, info, debug, trace
  logFile: "console"  # "console" or path to log file
  # TLS configuration (optional)
@@ -27,53 +45,45 @@ server:
      email: ""
      awsRoute53: false
-# Relay service configuration
+  # Shared secret for relay authentication (required when running local relay)
 relay:
  # Enable/disable the relay service
  enabled: true
  # Public address that peers will use to connect to this relay
  # Format: hostname:port or ip:port
  exposedAddress: "relay.example.com:443"
  # Shared secret for relay authentication (required when enabled)
  authSecret: "your-secret-key-here"
-  # Log level for relay (reserved for future use, currently uses global log level)
+  # Data directory for all services
  logLevel: "info"
  # Embedded STUN server (optional)
  stun:
    enabled: false
    ports: [3478]
    logLevel: "info"
 # Signal service configuration
 signal:
  # Enable/disable the signal service
  enabled: true
  # Log level for signal (reserved for future use, currently uses global log level)
  logLevel: "info"
 # Management service configuration
 management:
  # Enable/disable the management service
  enabled: true
  # Data directory for management service
  dataDir: "/var/lib/netbird/"
-  # DNS domain for the management server
+  # ============================================================================
-  dnsDomain: ""
+  # External Service Overrides (optional)
  # Use these to point to external Signal, Relay, or STUN servers instead of
  # running them locally. When set, the corresponding local service is disabled.
  # ============================================================================
  # External STUN servers - disables local STUN server
  # stuns:
  #   - uri: "stun:stun.example.com:3478"
  #   - uri: "stun:stun.example.com:3479"
  # External relay servers - disables local relay server
  # relays:
  #   addresses:
  #     - "rels://relay.example.com:443"
  #   credentialsTTL: "12h"
  #   secret: "relay-shared-secret"
  # External signal server - disables local signal server
  # signalUri: "https://signal.example.com:443"
  # ============================================================================
  # Management Settings
  # ============================================================================
  # Metrics and updates
  disableAnonymousMetrics: false
  disableGeoliteUpdate: false
  # Embedded authentication/identity provider (Dex) configuration (always enabled)
  auth:
    # OIDC issuer URL - must be publicly accessible
-    issuer: "https://management.example.com/oauth2"
+    issuer: "https://example.com/oauth2"
    localAuthDisabled: false
    signKeyRefreshEnabled: false
    # OAuth2 redirect URIs for dashboard
@@ -88,28 +98,14 @@ management:
    #   email: "admin@example.com"
    #   password: "initial-password"
  # External STUN servers (for client config)
  stuns: []
  #  - uri: "stun:stun.example.com:3478"
  # External relay servers (for client config)
  relays:
    addresses: []
    #  - "rels://relay.example.com:443"
    credentialsTTL: "12h"
    secret: ""
  # External signal server URI (for client config)
  signalUri: ""
  # Store configuration
  store:
    engine: "sqlite"  # sqlite, postgres, or mysql
    dsn: ""  # Connection string for postgres or mysql
    encryptionKey: ""
-  # Reverse proxy settings
+  # Reverse proxy settings (optional)
-  reverseProxy:
+  # reverseProxy:
-    trustedHTTPProxies: []
+  #   trustedHTTPProxies: []
-    trustedHTTPProxiesCount: 0
+  #   trustedHTTPProxiesCount: 0
-    trustedPeers: []
+  #   trustedPeers: []
--- a/formatter/txt/formatter.go
+++ b/formatter/txt/formatter.go
@@ -1,8 +1,6 @@
 package txt
 import (
 	"time"
 	"github.com/sirupsen/logrus"
 	"github.com/netbirdio/netbird/formatter/levels"
@@ -18,7 +16,7 @@ type TextFormatter struct {
 func NewTextFormatter() *TextFormatter {
 	return &TextFormatter{
 		levelDesc:       levels.ValidLevelDesc,
-		timestampFormat: time.RFC3339, // or RFC3339
+		timestampFormat: "2006-01-02T15:04:05.000Z07:00",
 	}
 }
--- a/formatter/txt/formatter_test.go
+++ b/formatter/txt/formatter_test.go
@@ -21,6 +21,6 @@ func TestLogTextFormat(t *testing.T) {
 	result, _ := formatter.Format(someEntry)
 	parsedString := string(result)
-	expectedString := "^2021-02-21T01:10:30Z WARN \\[(att1: 1, att2: 2|att2: 2, att1: 1)\\] some/fancy/path.go:46: Some Message\\s+$"
+	expectedString := "^2021-02-21T01:10:30.000Z WARN \\[(att1: 1, att2: 2|att2: 2, att1: 1)\\] some/fancy/path.go:46: Some Message\\s+$"
 	assert.Regexp(t, expectedString, parsedString)
 }
--- a/go.mod
+++ b/go.mod
@@ -93,10 +93,10 @@ require (
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966
 	github.com/songgao/water v0.0.0-20200317203138-2b4b6d7c09d8
 	github.com/stretchr/testify v1.11.1
-	github.com/testcontainers/testcontainers-go v0.31.0
+	github.com/testcontainers/testcontainers-go v0.37.0
-	github.com/testcontainers/testcontainers-go/modules/mysql v0.31.0
+	github.com/testcontainers/testcontainers-go/modules/mysql v0.37.0
-	github.com/testcontainers/testcontainers-go/modules/postgres v0.31.0
+	github.com/testcontainers/testcontainers-go/modules/postgres v0.37.0
-	github.com/testcontainers/testcontainers-go/modules/redis v0.31.0
+	github.com/testcontainers/testcontainers-go/modules/redis v0.37.0
 	github.com/things-go/go-socks5 v0.0.4
 	github.com/ti-mo/conntrack v0.5.1
 	github.com/ti-mo/netfilter v0.5.2
@@ -142,7 +142,6 @@ require (
 	github.com/Masterminds/semver/v3 v3.3.0 // indirect
 	github.com/Masterminds/sprig/v3 v3.3.0 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/Microsoft/hcsshim v0.12.3 // indirect
 	github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be // indirect
 	github.com/apapsch/go-jsonmerge/v2 v2.0.0 // indirect
 	github.com/awnumar/memcall v0.4.0 // indirect
@@ -166,16 +165,16 @@ require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/caddyserver/zerossl v0.1.3 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/containerd/containerd v1.7.29 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/containerd/platforms v0.2.1 // indirect
 	github.com/cpuguy83/dockercfg v0.3.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/distribution/reference v0.6.0 // indirect
-	github.com/docker/docker v26.1.5+incompatible // indirect
+	github.com/docker/docker v28.0.1+incompatible // indirect
 	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/ebitengine/purego v0.8.2 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fredbi/uri v1.1.1 // indirect
 	github.com/fyne-io/gl-js v0.2.0 // indirect
@@ -221,9 +220,10 @@ require (
 	github.com/lib/pq v1.10.9 // indirect
 	github.com/libdns/libdns v0.2.2 // indirect
 	github.com/lufia/plan9stats v0.0.0-20240513124658-fba389f38bae // indirect
-	github.com/magiconair/properties v1.8.7 // indirect
+	github.com/magiconair/properties v1.8.10 // indirect
 	github.com/mattermost/xml-roundtrip-validator v0.1.0 // indirect
 	github.com/mattn/go-sqlite3 v1.14.32 // indirect
 	github.com/mdelapenya/tlscert v0.2.0 // indirect
 	github.com/mdlayher/genetlink v1.3.2 // indirect
 	github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42 // indirect
 	github.com/mholt/acmez/v2 v2.0.1 // indirect
@@ -242,7 +242,7 @@ require (
 	github.com/nxadm/tail v1.4.8 // indirect
 	github.com/onsi/ginkgo/v2 v2.9.5 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.1.0 // indirect
+	github.com/opencontainers/image-spec v1.1.1 // indirect
 	github.com/pion/dtls/v2 v2.2.10 // indirect
 	github.com/pion/dtls/v3 v3.0.9 // indirect
 	github.com/pion/mdns/v2 v2.0.7 // indirect
@@ -256,6 +256,7 @@ require (
 	github.com/prometheus/procfs v0.16.1 // indirect
 	github.com/russellhaering/goxmldsig v1.5.0 // indirect
 	github.com/rymdport/portal v0.4.2 // indirect
 	github.com/shirou/gopsutil/v4 v4.25.1 // indirect
 	github.com/shoenig/go-m1cpu v0.1.6 // indirect
 	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/spf13/cast v1.7.0 // indirect
--- a/go.sum
+++ b/go.sum
@@ -33,8 +33,6 @@ github.com/Masterminds/sprig/v3 v3.3.0 h1:mQh0Yrg1XPo6vjYXgtf5OtijNAKJRNcTdOOGZe
 github.com/Masterminds/sprig/v3 v3.3.0/go.mod h1:Zy1iXRYNqNLUolqCpL4uhk6SHUMAOSCzdgBfDb35Lz0=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
 github.com/Microsoft/hcsshim v0.12.3 h1:LS9NXqXhMoqNCplK1ApmVSfB4UnVLRDWRapB6EIlxE0=
 github.com/Microsoft/hcsshim v0.12.3/go.mod h1:Iyl1WVpZzr+UkzjekHZbV8o5Z9ZkxNGx6CtY2Qg/JVQ=
 github.com/RaveNoX/go-jsoncommentstrip v1.0.0/go.mod h1:78ihd09MekBnJnxpICcwzCMzGrKSKYe4AqU6PDYYpjk=
 github.com/TheJumpCloud/jcapi-go v3.0.0+incompatible h1:hqcTK6ZISdip65SR792lwYJTa/axESA0889D3UlZbLo=
 github.com/TheJumpCloud/jcapi-go v3.0.0+incompatible/go.mod h1:6B1nuc1MUs6c62ODZDl7hVE5Pv7O2XGSkgg2olnq34I=
@@ -109,8 +107,6 @@ github.com/cilium/ebpf v0.15.0 h1:7NxJhNiBT3NG8pZJ3c+yfrVdHY8ScgKD27sScgjLMMk=
 github.com/cilium/ebpf v0.15.0/go.mod h1:DHp1WyrLeiBh19Cf/tfiSMhqheEiK8fXFZ4No0P1Hso=
 github.com/coder/websocket v1.8.14 h1:9L0p0iKiNOibykf283eHkKUHHrpG7f65OE3BhhO7v9g=
 github.com/coder/websocket v1.8.14/go.mod h1:NX3SzP+inril6yawo5CQXx8+fk145lPDC6pumgx0mVg=
 github.com/containerd/containerd v1.7.29 h1:90fWABQsaN9mJhGkoVnuzEY+o1XDPbg9BTC9QTAHnuE=
 github.com/containerd/containerd v1.7.29/go.mod h1:azUkWcOvHrWvaiUjSQH0fjzuHIwSPg1WL5PshGP4Szs=
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
 github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A=
@@ -135,12 +131,14 @@ github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/r
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/docker/docker v26.1.5+incompatible h1:NEAxTwEjxV6VbBMBoGG3zPqbiJosIApZjxlbrG9q3/g=
+github.com/docker/docker v28.0.1+incompatible h1:FCHjSRdXhNRFjlHMTv4jUNlIBbTeRjrWfeFuJp7jpo0=
-github.com/docker/docker v26.1.5+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v28.0.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
 github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/ebitengine/purego v0.8.2 h1:jPPGWs2sZ1UgOSgD2bClL0MJIqu58nOmIcBuXr62z1I=
 github.com/ebitengine/purego v0.8.2/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
 github.com/eko/gocache/lib/v4 v4.2.0 h1:MNykyi5Xw+5Wu3+PUrvtOCaKSZM1nUSVftbzmeC7Yuw=
 github.com/eko/gocache/lib/v4 v4.2.0/go.mod h1:7ViVmbU+CzDHzRpmB4SXKyyzyuJ8A3UW3/cszpcqB4M=
 github.com/eko/gocache/store/go_cache/v4 v4.2.2 h1:tAI9nl6TLoJyKG1ujF0CS0n/IgTEMl+NivxtR5R3/hw=
@@ -195,8 +193,6 @@ github.com/go-playground/locales v0.12.1/go.mod h1:IUMDtCfWo/w/mtMfIE/IG2K+Ey3yg
 github.com/go-playground/universal-translator v0.16.0/go.mod h1:1AnU7NaIRDWWzGEKwgtJRd2xk99HeFyHw3yid4rvQIY=
 github.com/go-quicktest/qt v1.101.0 h1:O1K29Txy5P2OK0dGo59b7b0LR6wKfIhttaAhHUyn7eI=
 github.com/go-quicktest/qt v1.101.0/go.mod h1:14Bz/f7NwaXPtdYEgzsx46kqSxVwTbzVZsDC26tQJow=
 github.com/go-redis/redis/v8 v8.11.5 h1:AcZZR7igkdvfVmQTPnu9WE37LRrO/YrBH5zWyjDC0oI=
 github.com/go-redis/redis/v8 v8.11.5/go.mod h1:gREzHqY1hg6oD9ngVRbLStwAWKhA0FEgq8Jd4h5lpwo=
 github.com/go-sql-driver/mysql v1.7.0/go.mod h1:OXbVy3sEdcQ2Doequ6Z5BW6fXNQTmx+9S1MCJN5yJMI=
 github.com/go-sql-driver/mysql v1.9.3 h1:U/N249h2WzJ3Ukj8SowVFjdtZKfu9vlLZxjPXV1aweo=
 github.com/go-sql-driver/mysql v1.9.3/go.mod h1:qn46aNg1333BRMNU69Lq93t8du/dwxI64Gl8i5p1WMU=
@@ -357,13 +353,15 @@ github.com/lrh3321/ipset-go v0.0.0-20250619021614-54a0a98ace81/go.mod h1:RD8ML/Y
 github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I=
 github.com/lufia/plan9stats v0.0.0-20240513124658-fba389f38bae h1:dIZY4ULFcto4tAFlj1FYZl8ztUZ13bdq+PLY+NOfbyI=
 github.com/lufia/plan9stats v0.0.0-20240513124658-fba389f38bae/go.mod h1:ilwx/Dta8jXAgpFYFvSWEMwxmbWXyiUHkd5FwyKhb5k=
-github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY=
+github.com/magiconair/properties v1.8.10 h1:s31yESBquKXCV9a/ScB3ESkOjUYYv+X0rg8SYxI99mE=
-github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
+github.com/magiconair/properties v1.8.10/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
 github.com/mattermost/xml-roundtrip-validator v0.1.0 h1:RXbVD2UAl7A7nOTR4u7E3ILa4IbtvKBHw64LDsmu9hU=
 github.com/mattermost/xml-roundtrip-validator v0.1.0/go.mod h1:qccnGMcpgwcNaBnxqpJpWWUiPNr5H3O8eDgGV9gT5To=
 github.com/mattn/go-isatty v0.0.9/go.mod h1:YNRxwqDuOph6SZLI9vUUz6OYw3QyUt7WiY2yME+cCiQ=
 github.com/mattn/go-sqlite3 v1.14.32 h1:JD12Ag3oLy1zQA+BNn74xRgaBbdhbNIDYvQUEuuErjs=
 github.com/mattn/go-sqlite3 v1.14.32/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/mdelapenya/tlscert v0.2.0 h1:7H81W6Z/4weDvZBNOfQte5GpIMo0lGYEeWbkGp5LJHI=
 github.com/mdelapenya/tlscert v0.2.0/go.mod h1:O4njj3ELLnJjGdkN7M/vIVCpZ+Cf0L6muqOG4tLSl8o=
 github.com/mdlayher/genetlink v1.3.2 h1:KdrNKe+CTu+IbZnm/GVUMXSqBBLqcGpRDa0xkQy56gw=
 github.com/mdlayher/genetlink v1.3.2/go.mod h1:tcC3pkCrPUGIKKsCsp0B3AdaaKuHtaxoJRz3cc+528o=
 github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42 h1:A1Cq6Ysb0GM0tpKMbdCXCIfBclan4oHk1Jb+Hrejirg=
@@ -437,13 +435,12 @@ github.com/onsi/gomega v1.27.6 h1:ENqfyGeS5AX/rlXDd/ETokDz93u0YufY1Pgxuy/PvWE=
 github.com/onsi/gomega v1.27.6/go.mod h1:PIQNjfQwkP3aQAH7lf7j87O/5FiNr+ZR8+ipb+qQlhg=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
-github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
+github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
-github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
+github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
 github.com/oschwald/maxminddb-golang v1.12.0 h1:9FnTOD0YOhP7DGxGsq4glzpGy5+w7pq50AS6wALUMYs=
 github.com/oschwald/maxminddb-golang v1.12.0/go.mod h1:q0Nob5lTCqyQ8WT6FYgS1L7PXKVVbgiymefNwIjPzgY=
 github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaRUnok+kx1WdO15EQc=
 github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
 github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8=
 github.com/pelletier/go-toml/v2 v2.0.9 h1:uH2qQXheeefCCkuBBSLi7jCiSmj3VRh2+Goq2N7Xxu0=
 github.com/pelletier/go-toml/v2 v2.0.9/go.mod h1:tJU2Z3ZkXwnxa4DPO899bsyIoywizdUvyaeZurnPPDc=
 github.com/petermattis/goid v0.0.0-20250303134427-723919f7f203 h1:E7Kmf11E4K7B5hDti2K2NqPb1nlYlGYsu02S1JNd/Bs=
@@ -513,6 +510,8 @@ github.com/rymdport/portal v0.4.2 h1:7jKRSemwlTyVHHrTGgQg7gmNPJs88xkbKcIL3NlcmSU
 github.com/rymdport/portal v0.4.2/go.mod h1:kFF4jslnJ8pD5uCi17brj/ODlfIidOxlgUDTO5ncnC4=
 github.com/shirou/gopsutil/v3 v3.24.4 h1:dEHgzZXt4LMNm+oYELpzl9YCqV65Yr/6SfrvgRBtXeU=
 github.com/shirou/gopsutil/v3 v3.24.4/go.mod h1:lTd2mdiOspcqLgAnr9/nGi71NkeMpWKdmhuxm9GusH8=
 github.com/shirou/gopsutil/v4 v4.25.1 h1:QSWkTc+fu9LTAWfkZwZ6j8MSUk4A2LV7rbH0ZqmLjXs=
 github.com/shirou/gopsutil/v4 v4.25.1/go.mod h1:RoUCUpndaJFtT+2zsZzzmhvbfGoDCJ7nFXKJf8GqJbI=
 github.com/shoenig/go-m1cpu v0.1.6 h1:nxdKQNcEB6vzgA2E2bvzKIYRuNj7XNJ4S/aRSwKzFtM=
 github.com/shoenig/go-m1cpu v0.1.6/go.mod h1:1JJMcUBvfNwpq05QDQVAnx3gUHr9IYF7GNg9SUEw2VQ=
 github.com/shoenig/test v0.6.4 h1:kVTaSd7WLz5WZ2IaoM0RSzRsUD+m8wRR+5qvntpn4LU=
@@ -554,14 +553,14 @@ github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXl
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
-github.com/testcontainers/testcontainers-go v0.31.0 h1:W0VwIhcEVhRflwL9as3dhY6jXjVCA27AkmbnZ+UTh3U=
+github.com/testcontainers/testcontainers-go v0.37.0 h1:L2Qc0vkTw2EHWQ08djon0D2uw7Z/PtHS/QzZZ5Ra/hg=
-github.com/testcontainers/testcontainers-go v0.31.0/go.mod h1:D2lAoA0zUFiSY+eAflqK5mcUx/A5hrrORaEQrd0SefI=
+github.com/testcontainers/testcontainers-go v0.37.0/go.mod h1:QPzbxZhQ6Bclip9igjLFj6z0hs01bU8lrl2dHQmgFGM=
-github.com/testcontainers/testcontainers-go/modules/mysql v0.31.0 h1:790+S8ewZYCbG+o8IiFlZ8ZZ33XbNO6zV9qhU6xhlRk=
+github.com/testcontainers/testcontainers-go/modules/mysql v0.37.0 h1:LqUos1oR5iuuzorFnSvxsHNdYdCHB/DfI82CuT58wbI=
-github.com/testcontainers/testcontainers-go/modules/mysql v0.31.0/go.mod h1:REFmO+lSG9S6uSBEwIMZCxeI36uhScjTwChYADeO3JA=
+github.com/testcontainers/testcontainers-go/modules/mysql v0.37.0/go.mod h1:vHEEHx5Kf+uq5hveaVAMrTzPY8eeRZcKcl23MRw5Tkc=
-github.com/testcontainers/testcontainers-go/modules/postgres v0.31.0 h1:isAwFS3KNKRbJMbWv+wolWqOFUECmjYZ+sIRZCIBc/E=
+github.com/testcontainers/testcontainers-go/modules/postgres v0.37.0 h1:hsVwFkS6s+79MbKEO+W7A1wNIw1fmkMtF4fg83m6kbc=
-github.com/testcontainers/testcontainers-go/modules/postgres v0.31.0/go.mod h1:ZNYY8vumNCEG9YI59A9d6/YaMY49uwRhmeU563EzFGw=
+github.com/testcontainers/testcontainers-go/modules/postgres v0.37.0/go.mod h1:Qj/eGbRbO/rEYdcRLmN+bEojzatP/+NS1y8ojl2PQsc=
-github.com/testcontainers/testcontainers-go/modules/redis v0.31.0 h1:5X6GhOdLwV86zcW8sxppJAMtsDC9u+r9tb3biBc9GKs=
+github.com/testcontainers/testcontainers-go/modules/redis v0.37.0 h1:9HIY28I9ME/Zmb+zey1p/I1mto5+5ch0wLX+nJdOsQ4=
-github.com/testcontainers/testcontainers-go/modules/redis v0.31.0/go.mod h1:dKi5xBwy1k4u8yb3saQHu7hMEJwewHXxzbcMAuLiA6o=
+github.com/testcontainers/testcontainers-go/modules/redis v0.37.0/go.mod h1:Abu9g/25Qv+FkYVx3U4Voaynou1c+7D0HIhaQJXvk6E=
 github.com/things-go/go-socks5 v0.0.4 h1:jMQjIc+qhD4z9cITOMnBiwo9dDmpGuXmBlkRFrl/qD0=
 github.com/things-go/go-socks5 v0.0.4/go.mod h1:sh4K6WHrmHZpjxLTCHyYtXYH8OUuD+yZun41NomR1IQ=
 github.com/ti-mo/conntrack v0.5.1 h1:opEwkFICnDbQc0BUXl73PHBK0h23jEIFVjXsqvF4GY0=
@@ -851,7 +850,7 @@ gorm.io/driver/sqlite v1.5.7/go.mod h1:U+J8craQU6Fzkcvu8oLeAQmi50TkwPEhHDEjQZXDa
 gorm.io/gorm v1.25.7/go.mod h1:hbnx/Oo0ChWMn1BIhpy1oYozzpM15i4YPuHDmfYtwg8=
 gorm.io/gorm v1.25.12 h1:I0u8i2hWQItBq1WfE0o2+WuL9+8L21K9e2HHSTE/0f8=
 gorm.io/gorm v1.25.12/go.mod h1:xh7N7RHfYlNc5EmcI/El95gXusucDrQnHXe0+CgWcLQ=
-gotest.tools/v3 v3.5.0 h1:Ljk6PdHdOhAb5aDMWXjDLMMhph+BpztA4v1QdqEW2eY=
+gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
-gotest.tools/v3 v3.5.0/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
+gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
 gvisor.dev/gvisor v0.0.0-20251031020517-ecfcdd2f171c h1:pfzmXIkkDgydR4ZRP+e1hXywZfYR21FA0Fbk6ptMkiA=
 gvisor.dev/gvisor v0.0.0-20251031020517-ecfcdd2f171c/go.mod h1:/mc6CfwbOm5KKmqoV7Qx20Q+Ja8+vO4g7FuCdlVoAfQ=
--- a/infrastructure_files/migrate.sh
+++ b/infrastructure_files/migrate.sh
--- a/management/server/cache/store_test.go
+++ b/management/server/cache/store_test.go
@@ -7,8 +7,6 @@ import (
 	"github.com/eko/gocache/lib/v4/store"
 	"github.com/redis/go-redis/v9"
 	"github.com/testcontainers/testcontainers-go"
 	testcontainersredis "github.com/testcontainers/testcontainers-go/modules/redis"
 	"github.com/netbirdio/netbird/management/server/cache"
@@ -50,7 +48,7 @@ func TestRedisStoreConnectionFailure(t *testing.T) {
 func TestRedisStoreConnectionSuccess(t *testing.T) {
 	ctx := context.Background()
-	redisContainer, err := testcontainersredis.RunContainer(ctx, testcontainers.WithImage("redis:7"))
+	redisContainer, err := testcontainersredis.Run(ctx, "redis:7")
 	if err != nil {
 		t.Fatalf("couldn't start redis container: %s", err)
 	}
--- a/management/server/store/sql_store_test.go
+++ b/management/server/store/sql_store_test.go
@@ -1360,6 +1360,9 @@ func TestSqlStore_GetGroupsByIDs(t *testing.T) {
 }
 func TestSqlStore_CreateGroup(t *testing.T) {
 	if os.Getenv("CI") == "true" {
 		t.Log("Skipping MySQL test on CI")
 	}
 	t.Setenv("NETBIRD_STORE_ENGINE", string(types.MysqlStoreEngine))
 	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "../testdata/extended-store.sql", t.TempDir())
 	t.Cleanup(cleanup)
--- a/management/server/testutil/store.go
+++ b/management/server/testutil/store.go
@@ -32,8 +32,8 @@ func CreateMysqlTestContainer() (func(), string, error) {
 	}
 	var err error
-	mysqlContainer, err = mysql.RunContainer(ctx,
+	mysqlContainer, err = mysql.Run(ctx,
-		testcontainers.WithImage("mlsmaycon/warmed-mysql:8"),
+		"mlsmaycon/warmed-mysql:8",
 		mysql.WithDatabase("testing"),
 		mysql.WithUsername("root"),
 		mysql.WithPassword("testing"),
@@ -78,8 +78,8 @@ func CreatePostgresTestContainer() (func(), string, error) {
 	}
 	var err error
-	pgContainer, err = postgres.RunContainer(ctx,
+	pgContainer, err = postgres.Run(ctx,
-		testcontainers.WithImage("postgres:16-alpine"),
+		"postgres:16-alpine",
 		postgres.WithDatabase("netbird"),
 		postgres.WithUsername("root"),
 		postgres.WithPassword("netbird"),
@@ -120,7 +120,7 @@ func noOpCleanup() {
 func CreateRedisTestContainer() (func(), string, error) {
 	ctx := context.Background()
-	redisContainer, err := testcontainersredis.RunContainer(ctx, testcontainers.WithImage("redis:7"))
+	redisContainer, err := testcontainersredis.Run(ctx, "redis:7")
 	if err != nil {
 		return nil, "", err
 	}
--- a/management/server/user.go
+++ b/management/server/user.go
@@ -737,6 +737,14 @@ func (am *DefaultAccountManager) processUserUpdate(ctx context.Context, transact
 		return false, nil, nil, nil, status.Errorf(status.InvalidArgument, "provided user update is nil")
 	}
 	if initiatorUserId != activity.SystemInitiator {
 		freshInitiator, err := transaction.GetUserByUserID(ctx, store.LockingStrengthUpdate, initiatorUserId)
 		if err != nil {
 			return false, nil, nil, nil, fmt.Errorf("failed to re-read initiator user in transaction: %w", err)
 		}
 		initiatorUser = freshInitiator
 	}
 	oldUser, isNewUser, err := getUserOrCreateIfNotExists(ctx, transaction, accountID, update, addIfNotExists)
 	if err != nil {
 		return false, nil, nil, nil, err
@@ -864,7 +872,10 @@ func validateUserUpdate(groupsMap map[string]*types.Group, initiatorUser, oldUse
 		return nil
 	}
-	// @todo double check these
+	if !initiatorUser.HasAdminPower() {
 		return status.Errorf(status.PermissionDenied, "only admins and owners can update users")
 	}
 	if initiatorUser.HasAdminPower() && initiatorUser.Id == update.Id && oldUser.Blocked != update.Blocked {
 		return status.Errorf(status.PermissionDenied, "admins can't block or unblock themselves")
 	}
--- a/management/server/user_test.go
+++ b/management/server/user_test.go
@@ -2031,3 +2031,87 @@ func TestUser_Operations_WithEmbeddedIDP(t *testing.T) {
 		t.Logf("Duplicate email error: %v", err)
 	})
 }
 func TestValidateUserUpdate_RejectsNonAdminInitiator(t *testing.T) {
 	groupsMap := map[string]*types.Group{}
 	initiator := &types.User{
 		Id:   "initiator",
 		Role: types.UserRoleUser,
 	}
 	oldUser := &types.User{
 		Id:   "target",
 		Role: types.UserRoleUser,
 	}
 	update := &types.User{
 		Id:   "target",
 		Role: types.UserRoleOwner,
 	}
 	err := validateUserUpdate(groupsMap, initiator, oldUser, update)
 	require.Error(t, err, "regular user should not be able to promote to owner")
 	assert.Contains(t, err.Error(), "only admins and owners can update users")
 }
 func TestProcessUserUpdate_RejectsStaleInitiatorRole(t *testing.T) {
 	s, cleanup, err := store.NewTestStoreFromSQL(context.Background(), "", t.TempDir())
 	require.NoError(t, err)
 	t.Cleanup(cleanup)
 	account := newAccountWithId(context.Background(), "account1", "owner1", "", "", "", false)
 	adminID := "admin1"
 	account.Users[adminID] = types.NewAdminUser(adminID)
 	targetID := "target1"
 	account.Users[targetID] = types.NewRegularUser(targetID, "", "")
 	require.NoError(t, s.SaveAccount(context.Background(), account))
 	demotedAdmin, err := s.GetUserByUserID(context.Background(), store.LockingStrengthNone, adminID)
 	require.NoError(t, err)
 	demotedAdmin.Role = types.UserRoleUser
 	require.NoError(t, s.SaveUser(context.Background(), demotedAdmin))
 	staleInitiator := &types.User{
 		Id:        adminID,
 		AccountID: account.Id,
 		Role:      types.UserRoleAdmin,
 	}
 	permissionsManager := permissions.NewManager(s)
 	am := DefaultAccountManager{
 		Store:              s,
 		eventStore:         &activity.InMemoryEventStore{},
 		permissionsManager: permissionsManager,
 	}
 	settings, err := s.GetAccountSettings(context.Background(), store.LockingStrengthNone, account.Id)
 	require.NoError(t, err)
 	groups, err := s.GetAccountGroups(context.Background(), store.LockingStrengthNone, account.Id)
 	require.NoError(t, err)
 	groupsMap := make(map[string]*types.Group, len(groups))
 	for _, g := range groups {
 		groupsMap[g.ID] = g
 	}
 	update := &types.User{
 		Id:   targetID,
 		Role: types.UserRoleAdmin,
 	}
 	err = s.ExecuteInTransaction(context.Background(), func(tx store.Store) error {
 		_, _, _, _, txErr := am.processUserUpdate(
 			context.Background(), tx, groupsMap, account.Id, adminID, staleInitiator, update, false, settings,
 		)
 		return txErr
 	})
 	require.Error(t, err, "processUserUpdate should reject stale initiator whose role was demoted")
 	assert.Contains(t, err.Error(), "only admins and owners can update users")
 	targetUser, err := s.GetUserByUserID(context.Background(), store.LockingStrengthNone, targetID)
 	require.NoError(t, err)
 	assert.Equal(t, types.UserRoleUser, targetUser.Role)
 }
--- a/relay/server/listener/quic/listener.go
+++ b/relay/server/listener/quic/listener.go
@@ -11,6 +11,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/netbirdio/netbird/relay/protocol"
 	nbRelay "github.com/netbirdio/netbird/shared/relay"
 )
 const Proto protocol.Protocol = "quic"
@@ -27,7 +28,7 @@ type Listener struct {
 func (l *Listener) Listen(acceptFn func(conn net.Conn)) error {
 	quicCfg := &quic.Config{
 		EnableDatagrams:   true,
-		InitialPacketSize: 1452,
+		InitialPacketSize: nbRelay.QUICInitialPacketSize,
 	}
 	listener, err := quic.ListenAddr(l.Address, l.TLSConfig, quicCfg)
 	if err != nil {
--- a/shared/relay/client/dialer/quic/quic.go
+++ b/shared/relay/client/dialer/quic/quic.go
@@ -12,6 +12,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	nbnet "github.com/netbirdio/netbird/client/net"
 	nbRelay "github.com/netbirdio/netbird/shared/relay"
 	quictls "github.com/netbirdio/netbird/shared/relay/tls"
 )
@@ -42,7 +43,7 @@ func (d Dialer) Dial(ctx context.Context, address string) (net.Conn, error) {
 		KeepAlivePeriod:   30 * time.Second,
 		MaxIdleTimeout:    4 * time.Minute,
 		EnableDatagrams:   true,
-		InitialPacketSize: 1452,
+		InitialPacketSize: nbRelay.QUICInitialPacketSize,
 	}
 	udpConn, err := nbnet.ListenUDP("udp", &net.UDPAddr{IP: net.IPv4zero, Port: 0})
--- a/shared/relay/constants.go
+++ b/shared/relay/constants.go
@@ -3,4 +3,9 @@ package relay
 const (
 	// WebSocketURLPath is the path for the websocket relay connection
 	WebSocketURLPath = "/relay"
 	// QUICInitialPacketSize is the conservative initial QUIC packet size (bytes)
 	// for unknown-path PMTU, per RFC 9000 §14: 1280 (IPv6 min MTU) − 40 (IPv6
 	// header) − 8 (UDP header) = 1232. DPLPMTUD may probe larger sizes later.
 	QUICInitialPacketSize = 1232
 )
Author	SHA1	Message	Date
Maycon Santos	f117fc7509	[client] Log lock acquisition time in receive message handling (#5393 ) * Log lock acquisition time in receive message handling * use offerAnswer.SessionID for session id	2026-02-19 19:18:47 +01:00
Zoltan Papp	fc6b93ae59	[ios] Ensure route settlement on iOS before handling DNS responses (#5360 ) * Ensure route settlement on iOS before handling DNS responses to prevent bypassing the tunnel. * add more logs * rollback debug changes * rollback changes * [client] Improve logging and add comments for iOS route settlement logic - Switch iOS route settlement log level from Debug to Trace for finer control. - Add clarifying comments for `waitForRouteSettlement` on non-iOS platforms. --------- Co-authored-by: mlsmaycon <mlsmaycon@gmail.com>	2026-02-19 18:53:10 +01:00
Vlad	564fa4ab04	[management] fix possible race condition on user role change (#5395 )	2026-02-19 18:34:28 +01:00
Maycon Santos	a6db88fbd2	[misc] Update timestamp format with milliseconds (#5387 ) * Update timestamp format with milliseconds * fix tests	2026-02-19 11:23:42 +01:00
Misha Bragin	4b5294e596	[self-hosted] remove unused config example (#5383 )	2026-02-19 08:14:11 +01:00
shuuri-labs	a322dce42a	[self-hosted] create migration script for pre v0.65.0 to post v0.65.0 (combined) (#5350 )	2026-02-18 20:59:55 +01:00
Maycon Santos	d1ead2265b	[client] Batch macOS DNS domains to avoid truncation (#5368 ) * [client] Batch macOS DNS domains across multiple scutil keys to avoid truncation scutil has undocumented limits: 99-element cap on d.add arrays and ~2048 byte value buffer for SupplementalMatchDomains. Users with 60+ domains hit silent domain loss. This applies the same batching approach used on Windows (nrptMaxDomainsPerRule=50), splitting domains into indexed resolver keys (NetBird-Match-0, NetBird-Match-1, etc.) with 50-element and 1500-byte limits per key. * check for all keys on getRemovableKeysWithDefaults * use multi error	2026-02-18 19:14:09 +01:00
Maycon Santos	bbca74476e	[management] docker login on management tests (#5323 )	2026-02-18 16:11:17 +01:00
Zoltan Papp	318cf59d66	[relay] reduce QUIC initial packet size to 1280 (IPv6 min MTU) (#5374 ) * [relay] reduce QUIC initial packet size to 1280 (IPv6 min MTU) * adjust QUIC initial packet size to 1232 based on RFC 9000 §14	2026-02-18 10:58:14 +01:00