Unify peer and route ACL filtering with multi-source peer rules

[management] enrich context in permissions manager (#6286 )
[management] Extend combined server initialization (#6156 )
2026-06-02 14:09:56 +00:00 · 2026-06-02 10:50:53 +02:00 · 2026-05-29 16:36:38 +02:00 · 2026-05-29 17:35:35 +03:00 · 2026-05-29 15:24:30 +02:00 · 2026-05-29 15:15:22 +02:00
491 changed files with 39587 additions and 12248 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,45 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 15
+    groups:
+      actions:
+        patterns:
+          - "*"
+    ignore:
+      # git-town/action v1.3.x crashes on cyclic PR graphs (self-loop main->main
+      # fork PRs) via its topological-sort visualization. Pinned to v1.2.1 in
+      # git-town.yml; block v1.3.x until upstream tolerates cyclic edges.
+      - dependency-name: "git-town/action"
+        update-types:
+          - "version-update:semver-minor"
+          - "version-update:semver-major"
+
+  - package-ecosystem: "gomod"
+    directories:
+      - "/"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 15
+    groups:
+      aws-sdk:
+        patterns:
+          - "github.com/aws/aws-sdk-go-v2/*"
+      pion:
+        patterns:
+          - "github.com/pion/*"
+      gorm:
+        patterns:
+          - "gorm.io/*"
+      otel:
+        patterns:
+          - "go.opentelemetry.io/*"
+      testcontainers:
+        patterns:
+          - "github.com/testcontainers/testcontainers-go/*"
+      wireguard:
+        patterns:
+          - "golang.zx2c4.com/wireguard*"
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -12,6 +12,7 @@
 - [ ] Is a feature enhancement
 - [ ] It is a refactor
 - [ ] Created tests that fail without the change (if possible)
+- [ ] This change does **not** modify the public API, gRPC protocols, functionality behavior, CLI / service flags, or introduce a new feature — **OR** I have discussed it with the NetBird team beforehand (link the issue / Slack thread in the description). See [CONTRIBUTING.md](https://github.com/netbirdio/netbird/blob/main/CONTRIBUTING.md#discuss-changes-with-the-netbird-team-first).

 > By submitting this pull request, you confirm that you have read and agree to the terms of the [Contributor License Agreement](https://github.com/netbirdio/netbird/blob/main/CONTRIBUTOR_LICENSE_AGREEMENT.md).

--- a/.github/workflows/check-license-dependencies.yml
+++ b/.github/workflows/check-license-dependencies.yml
@@ -2,16 +2,16 @@ name: Check License Dependencies

 on:
  push:
-    branches: [ main ]
+    branches: [main]
    paths:
-      - 'go.mod'
-      - 'go.sum'
-      - '.github/workflows/check-license-dependencies.yml'
+      - "go.mod"
+      - "go.sum"
+      - ".github/workflows/check-license-dependencies.yml"
  pull_request:
    paths:
-      - 'go.mod'
-      - 'go.sum'
-      - '.github/workflows/check-license-dependencies.yml'
+      - "go.mod"
+      - "go.sum"
+      - ".github/workflows/check-license-dependencies.yml"

 jobs:
  check-internal-dependencies:
@@ -19,7 +19,10 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@v4
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Check for problematic license dependencies
        run: |
@@ -56,55 +59,57 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-    - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

-    - name: Set up Go
-      uses: actions/setup-go@v5
-      with:
-        go-version-file: 'go.mod'
-        cache: true
+      - name: Set up Go
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        with:
+          go-version-file: "go.mod"
+          cache: true

-    - name: Install go-licenses
-      run: go install github.com/google/go-licenses@v1.6.0
+      - name: Install go-licenses
+        run: go install github.com/google/go-licenses@v1.6.0

-    - name: Check for GPL/AGPL licensed dependencies
-      run: |
-        echo "Checking for GPL/AGPL/LGPL licensed dependencies..."
-        echo ""
-
-        # Check all Go packages for copyleft licenses, excluding internal netbird packages
-        COPYLEFT_DEPS=$(go-licenses report ./... 2>/dev/null | grep -E 'GPL|AGPL|LGPL' | grep -v 'github.com/netbirdio/netbird/' || true)
-
-        if [ -n "$COPYLEFT_DEPS" ]; then
-          echo "Found copyleft licensed dependencies:"
-          echo "$COPYLEFT_DEPS"
+      - name: Check for GPL/AGPL licensed dependencies
+        run: |
+          echo "Checking for GPL/AGPL/LGPL licensed dependencies..."
          echo ""

-          # Filter out dependencies that are only pulled in by internal AGPL packages
-          INCOMPATIBLE=""
-          while IFS=',' read -r package url license; do
-            if echo "$license" | grep -qE 'GPL-[0-9]|AGPL-[0-9]|LGPL-[0-9]'; then
-              # Find ALL packages that import this GPL package using go list
-              IMPORTERS=$(go list -json -deps ./... 2>/dev/null | jq -r "select(.Imports[]? == \"$package\") | .ImportPath")
+          # Check all Go packages for copyleft licenses, excluding internal netbird packages
+          COPYLEFT_DEPS=$(go-licenses report ./... 2>/dev/null | grep -E 'GPL|AGPL|LGPL' | grep -v 'github.com/netbirdio/netbird/' || true)

-              # Check if any importer is NOT in management/signal/relay
-              BSD_IMPORTER=$(echo "$IMPORTERS" | grep -v "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\|combined\|tools/idp-migrate\)" | head -1)
-
-              if [ -n "$BSD_IMPORTER" ]; then
-                echo "❌ $package ($license) is imported by BSD-licensed code: $BSD_IMPORTER"
-                INCOMPATIBLE="${INCOMPATIBLE}${package},${url},${license}\n"
-              else
-                echo "✓ $package ($license) is only used by internal AGPL packages - OK"
-              fi
-            fi
-          done <<< "$COPYLEFT_DEPS"
-
-          if [ -n "$INCOMPATIBLE" ]; then
+          if [ -n "$COPYLEFT_DEPS" ]; then
+            echo "Found copyleft licensed dependencies:"
+            echo "$COPYLEFT_DEPS"
            echo ""
-            echo "❌ INCOMPATIBLE licenses found that are used by BSD-licensed code:"
-            echo -e "$INCOMPATIBLE"
-            exit 1
-          fi
-        fi

-        echo "✅ All external license dependencies are compatible with BSD-3-Clause"
+            # Filter out dependencies that are only pulled in by internal AGPL packages
+            INCOMPATIBLE=""
+            while IFS=',' read -r package url license; do
+              if echo "$license" | grep -qE 'GPL-[0-9]|AGPL-[0-9]|LGPL-[0-9]'; then
+                # Find ALL packages that import this GPL package using go list
+                IMPORTERS=$(go list -json -deps ./... 2>/dev/null | jq -r "select(.Imports[]? == \"$package\") | .ImportPath")
+
+                # Check if any importer is NOT in management/signal/relay
+                BSD_IMPORTER=$(echo "$IMPORTERS" | grep -v "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\|combined\|tools/idp-migrate\)" | head -1)
+
+                if [ -n "$BSD_IMPORTER" ]; then
+                  echo "❌ $package ($license) is imported by BSD-licensed code: $BSD_IMPORTER"
+                  INCOMPATIBLE="${INCOMPATIBLE}${package},${url},${license}\n"
+                else
+                  echo "✓ $package ($license) is only used by internal AGPL packages - OK"
+                fi
+              fi
+            done <<< "$COPYLEFT_DEPS"
+
+            if [ -n "$INCOMPATIBLE" ]; then
+              echo ""
+              echo "❌ INCOMPATIBLE licenses found that are used by BSD-licensed code:"
+              echo -e "$INCOMPATIBLE"
+              exit 1
+            fi
+          fi
+
+          echo "✅ All external license dependencies are compatible with BSD-3-Clause"
--- a/.github/workflows/docs-ack.yml
+++ b/.github/workflows/docs-ack.yml
@@ -83,7 +83,7 @@ jobs:

      - name: Verify docs PR exists (and is open or merged)
        if: steps.validate.outputs.mode == 'added'
-        uses: actions/github-script@v7
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        id: verify
        with:
          pr_number: ${{ steps.extract.outputs.pr_number }}
--- a/.github/workflows/forum.yml
+++ b/.github/workflows/forum.yml
@@ -8,11 +8,10 @@ jobs:
  post:
    runs-on: ubuntu-latest
    steps:
-      - uses: roots/discourse-topic-github-release-action@main
+      - uses: roots/discourse-topic-github-release-action@557d74ea05b6cc0c47f555c1d5d28a89d904005b # v1.1.0
        with:
          discourse-api-key: ${{ secrets.DISCOURSE_RELEASES_API_KEY }}
          discourse-base-url: https://forum.netbird.io
          discourse-author-username: NetBird
          discourse-category: 17
-          discourse-tags:
-            releases
+          discourse-tags: releases
--- a/.github/workflows/git-town.yml
+++ b/.github/workflows/git-town.yml
@@ -3,7 +3,7 @@ name: Git Town
 on:
  pull_request:
    branches:
-      - '**'
+      - "**"

 jobs:
  git-town:
@@ -15,7 +15,9 @@ jobs:
      pull-requests: write

    steps:
-      - uses: actions/checkout@v4
-      - uses: git-town/action@v1.2.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: git-town/action@3d8b878379abb1ee393fb49865a28b4a6c2cd3b0 # v1.2.1
        with:
          skip-single-stacks: true
--- a/.github/workflows/golang-test-darwin.yml
+++ b/.github/workflows/golang-test-darwin.yml
@@ -16,16 +16,18 @@ jobs:
    runs-on: macos-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false

      - name: Cache Go modules
-        uses: actions/cache@v4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: ~/go/pkg/mod
          key: macos-gotest-${{ hashFiles('**/go.sum') }}
@@ -44,4 +46,3 @@ jobs:

      - name: Test
        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -tags=devcert -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined)
-
--- a/.github/workflows/golang-test-freebsd.yml
+++ b/.github/workflows/golang-test-freebsd.yml
@@ -15,20 +15,31 @@ jobs:
    name: "Client / Unit"
    runs-on: ubuntu-22.04
    steps:
-      - uses: actions/checkout@v4
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Read Go version from go.mod
+        id: goversion
+        run: echo "version=$(awk '/^go / {print $2}' go.mod)" >> "$GITHUB_OUTPUT"
+
      - name: Test in FreeBSD
        id: test
-        uses: vmactions/freebsd-vm@v1
+        env:
+          GO_VERSION: ${{ steps.goversion.outputs.version }}
+        uses: vmactions/freebsd-vm@d1e65811565151536c0c894fff74f06351ed26e6 # v1.4.5
        with:
          usesh: true
          copyback: false
-          release: "14.2"
+          release: "15.0"
+          envs: "GO_VERSION"
          prepare: |
            pkg install -y curl pkgconf xorg
-            GO_TARBALL="go1.25.3.freebsd-amd64.tar.gz"
+            GO_TARBALL="go${GO_VERSION}.freebsd-amd64.tar.gz"
            GO_URL="https://go.dev/dl/$GO_TARBALL"
            curl -vLO "$GO_URL"
-            tar -C /usr/local -vxzf "$GO_TARBALL"            
+            tar -C /usr/local -vxzf "$GO_TARBALL"

          # -x - to print all executed commands
          # -e - to faile on first error
--- a/.github/workflows/golang-test-linux.yml
+++ b/.github/workflows/golang-test-linux.yml
@@ -18,9 +18,11 @@ jobs:
      management: ${{ steps.filter.outputs.management }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

-      - uses: dorny/paths-filter@v3
+      - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
        id: filter
        with:
          filters: |
@@ -28,7 +30,7 @@ jobs:
              - 'management/**'

      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -36,10 +38,10 @@ jobs:
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV

      - name: Cache Go modules
-        uses: actions/cache@v4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        id: cache
        with:
          path: |
@@ -113,14 +115,16 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        arch: [ '386','amd64' ]
+        arch: ["386", "amd64"]
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -128,10 +132,10 @@ jobs:
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV

      - name: Cache Go modules
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ${{ env.cache }}
@@ -154,18 +158,20 @@ jobs:
        run: git --no-pager diff --exit-code

      - name: Test
-        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -tags devcert -exec 'sudo' -timeout 10m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined)
+        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -tags "devcert integration" -exec 'sudo' -timeout 10m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined)

  test_client_on_docker:
    name: "Client (Docker) / Unit"
-    needs: [ build-cache ]
+    needs: [build-cache]
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -177,7 +183,7 @@ jobs:
          echo "modcache_dir=$(go env GOMODCACHE)" >> $GITHUB_OUTPUT

      - name: Cache Go modules
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        id: cache-restore
        with:
          path: |
@@ -214,7 +220,7 @@ jobs:
            sh -c ' \
              apk update; apk add --no-cache \
                ca-certificates iptables ip6tables dbus dbus-dev libpcap-dev build-base; \
-              go test -buildvcs=false -tags devcert -v -timeout 10m -p 1 $(go list -buildvcs=false ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined -e /client/ui -e /upload-server)
+              go test -buildvcs=false -tags "devcert integration" -v -timeout 10m -p 1 $(go list -buildvcs=false ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined -e /client/ui -e /upload-server)
            '

  test_relay:
@@ -231,10 +237,12 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -246,10 +254,10 @@ jobs:
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV

      - name: Cache Go modules
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ${{ env.cache }}
@@ -277,14 +285,16 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        arch: [ '386','amd64' ]
+        arch: ["386", "amd64"]
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -298,7 +308,7 @@ jobs:
          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV

      - name: Cache Go modules
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ${{ env.cache }}
@@ -324,14 +334,16 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        arch: [ '386','amd64' ]
+        arch: ["386", "amd64"]
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -343,10 +355,10 @@ jobs:
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV

      - name: Cache Go modules
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ${{ env.cache }}
@@ -370,19 +382,21 @@ jobs:

  test_management:
    name: "Management / Unit"
-    needs: [ build-cache ]
+    needs: [build-cache]
    strategy:
      fail-fast: false
      matrix:
-        arch: [ 'amd64' ]
-        store: [ 'sqlite', 'postgres', 'mysql' ]
+        arch: ["amd64"]
+        store: ["sqlite", "postgres", "mysql"]
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -390,10 +404,10 @@ jobs:
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV

      - name: Cache Go modules
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ${{ env.cache }}
@@ -410,7 +424,7 @@ jobs:

      - name: Login to Docker hub
        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        uses: docker/login-action@v3
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
@@ -427,7 +441,7 @@ jobs:
        run: docker pull mlsmaycon/warmed-mysql:8

      - name: Test
-        run: |          
+        run: |
          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
          NETBIRD_STORE_ENGINE=${{ matrix.store }} \
            CI=true \
@@ -437,13 +451,13 @@ jobs:

  benchmark:
    name: "Management / Benchmark"
-    needs: [ build-cache ]
+    needs: [build-cache]
    if: ${{ needs.build-cache.outputs.management == 'true' || github.event_name != 'pull_request' }}
    strategy:
      fail-fast: false
      matrix:
-        arch: [ 'amd64' ]
-        store: [ 'sqlite', 'postgres' ]
+        arch: ["amd64"]
+        store: ["sqlite", "postgres"]
    runs-on: ubuntu-22.04
    steps:
      - name: Create Docker network
@@ -474,10 +488,12 @@ jobs:
            prom/prometheus

      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -485,10 +501,10 @@ jobs:
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV

      - name: Cache Go modules
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ${{ env.cache }}
@@ -505,7 +521,7 @@ jobs:

      - name: Login to Docker hub
        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        uses: docker/login-action@v3
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
@@ -529,13 +545,13 @@ jobs:

  api_benchmark:
    name: "Management / Benchmark (API)"
-    needs: [ build-cache ]
+    needs: [build-cache]
    if: ${{ needs.build-cache.outputs.management == 'true' || github.event_name != 'pull_request' }}
    strategy:
      fail-fast: false
      matrix:
-        arch: [ 'amd64' ]
-        store: [ 'sqlite', 'postgres' ]
+        arch: ["amd64"]
+        store: ["sqlite", "postgres"]
    runs-on: ubuntu-22.04
    steps:
      - name: Create Docker network
@@ -566,10 +582,12 @@ jobs:
            prom/prometheus

      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -577,10 +595,10 @@ jobs:
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV

      - name: Cache Go modules
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ${{ env.cache }}
@@ -597,7 +615,7 @@ jobs:

      - name: Login to Docker hub
        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        uses: docker/login-action@v3
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
@@ -623,20 +641,22 @@ jobs:

  api_integration_test:
    name: "Management / Integration"
-    needs: [ build-cache ]
+    needs: [build-cache]
    if: ${{ needs.build-cache.outputs.management == 'true' || github.event_name != 'pull_request' }}
    strategy:
      fail-fast: false
      matrix:
-        arch: [ 'amd64' ]
-        store: [ 'sqlite', 'postgres']
+        arch: ["amd64"]
+        store: ["sqlite", "postgres"]
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -644,10 +664,10 @@ jobs:
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV

      - name: Cache Go modules
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ${{ env.cache }}
--- a/.github/workflows/golang-test-windows.yml
+++ b/.github/workflows/golang-test-windows.yml
@@ -18,10 +18,12 @@ jobs:
    runs-on: windows-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        id: go
        with:
          go-version-file: "go.mod"
@@ -33,7 +35,7 @@ jobs:
          echo "modcache=$(go env GOMODCACHE)" >> $env:GITHUB_ENV

      - name: Cache Go modules
-        uses: actions/cache@v4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ${{ env.cache }}
@@ -44,16 +46,15 @@ jobs:
            ${{ runner.os }}-go-

      - name: Download wintun
-        uses: carlosperate/download-file-action@v2
        id: download-wintun
+        uses: netbirdio/shared-actions/actions/win-download-and-verify@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2
        with:
-          file-url: https://pkgs.netbird.io/wintun/wintun-0.14.1.zip
-          file-name: wintun.zip
-          location: ${{ env.downloadPath }}
-          sha256: '07c256185d6ee3652e09fa55c0b673e2624b565e02c4b9091c79ca7d2f24ef51'
+          url: https://pkgs.netbird.io/wintun/wintun-0.14.1.zip
+          destination: ${{ env.downloadPath }}\wintun.zip
+          sha256: 07c256185d6ee3652e09fa55c0b673e2624b565e02c4b9091c79ca7d2f24ef51

      - name: Decompressing wintun files
-        run: tar -zvxf "${{ steps.download-wintun.outputs.file-path }}" -C ${{ env.downloadPath }}
+        run: tar -xvf "${{ steps.download-wintun.outputs.file-path }}" -C ${{ env.downloadPath }}

      - run: mv ${{ env.downloadPath }}/wintun/bin/amd64/wintun.dll 'C:\Windows\System32\'

--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -15,11 +15,13 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
-      - name: codespell
-        uses: codespell-project/actions-codespell@v2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
-          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe,cros,ans,deriver,te,userA
+          persist-credentials: false
+      - name: codespell
+        uses: codespell-project/actions-codespell@8f01853be192eb0f849a5c7d721450e7a467c579 # v2.2
+        with:
+          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe,cros,ans,deriver,te,userA,ede,additionals
          skip: go.mod,go.sum,**/proxy/web/**
  golangci:
    strategy:
@@ -38,13 +40,15 @@ jobs:
    timeout-minutes: 15
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - name: Check for duplicate constants
        if: matrix.os == 'ubuntu-latest'
        run: |
          ! awk '/const \(/,/)/{print $0}' management/server/activity/codes.go | grep -o '= [0-9]*' | sort | uniq -d | grep .
      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
@@ -52,7 +56,7 @@ jobs:
        if: matrix.os == 'ubuntu-latest'
        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev libpcap-dev
      - name: golangci-lint
-        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
+        uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee #v9.2.1
        with:
          version: latest
          skip-cache: true
--- a/.github/workflows/install-script-test.yml
+++ b/.github/workflows/install-script-test.yml
@@ -22,7 +22,9 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: run install script
        env:
--- a/.github/workflows/mobile-build-validation.yml
+++ b/.github/workflows/mobile-build-validation.yml
@@ -16,23 +16,25 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
      - name: Setup Android SDK
-        uses: android-actions/setup-android@v3
+        uses: android-actions/setup-android@40fd30fb8d7440372e1316f5d1809ec01dcd3699 # v4.0.1
        with:
          cmdline-tools-version: 8512546
      - name: Setup Java
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654
        with:
          java-version: "11"
          distribution: "adopt"
      - name: NDK Cache
        id: ndk-cache
-        uses: actions/cache@v4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: /usr/local/lib/android/sdk/ndk
          key: ndk-cache-23.1.7779620
@@ -52,9 +54,11 @@ jobs:
    runs-on: macos-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
      - name: install gomobile
--- a/.github/workflows/pr-title-check.yml
+++ b/.github/workflows/pr-title-check.yml
@@ -9,7 +9,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Validate PR title prefix
-        uses: actions/github-script@v7
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          script: |
            const title = context.payload.pull_request.title;
--- a/.github/workflows/proto-version-check.yml
+++ b/.github/workflows/proto-version-check.yml
@@ -10,7 +10,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check for proto tool version changes
-        uses: actions/github-script@v7
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          script: |
            const files = await github.paginate(github.rest.pulls.listFiles, {
@@ -20,34 +20,66 @@ jobs:
              per_page: 100,
            });

-            const pbFiles = files.filter(f => f.filename.endsWith('.pb.go'));
-            const missingPatch = pbFiles.filter(f => !f.patch).map(f => f.filename);
-            if (missingPatch.length > 0) {
-              core.setFailed(
-                `Cannot inspect patch data for:\n` +
-                missingPatch.map(f => `- ${f}`).join('\n') +
-                `\nThis can happen with very large PRs. Verify proto versions manually.`
-              );
+            const modifiedPbFiles = files.filter(
+              f => f.filename.endsWith('.pb.go') && f.status === 'modified'
+            );
+            if (modifiedPbFiles.length === 0) {
+              console.log('No modified .pb.go files to check');
              return;
            }
-            const versionPattern = /^[+-]\s*\/\/\s+protoc(?:-gen-go)?\s+v[\d.]+/;
-            const violations = [];

-            for (const file of pbFiles) {
-              const changed = file.patch
-                .split('\n')
-                .filter(line => versionPattern.test(line));
-              if (changed.length > 0) {
+            const versionPattern = /^\s*\/\/\s+protoc(?:-gen-go)?\s+v[\d.]+/;
+            const baseSha = context.payload.pull_request.base.sha;
+            const headSha = context.payload.pull_request.head.sha;
+
+            async function getVersionHeader(path, ref) {
+              try {
+                const res = await github.rest.repos.getContent({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  path,
+                  ref,
+                });
+                if (!res.data.content) {
+                  return { ok: false, reason: 'no inline content (file too large)' };
+                }
+                const content = Buffer.from(res.data.content, 'base64').toString('utf8');
+                const lines = content
+                  .split('\n')
+                  .slice(0, 20)
+                  .filter(line => versionPattern.test(line));
+                return { ok: true, lines };
+              } catch (e) {
+                return { ok: false, reason: e.message };
+              }
+            }
+
+            const violations = [];
+            for (const file of modifiedPbFiles) {
+              const [base, head] = await Promise.all([
+                getVersionHeader(file.filename, baseSha),
+                getVersionHeader(file.filename, headSha),
+              ]);
+              if (!base.ok || !head.ok) {
+                core.warning(
+                  `Skipping ${file.filename}: base=${base.ok ? 'ok' : base.reason}, head=${head.ok ? 'ok' : head.reason}`
+                );
+                continue;
+              }
+              if (base.lines.join('\n') !== head.lines.join('\n')) {
                violations.push({
                  file: file.filename,
-                  lines: changed,
+                  base: base.lines,
+                  head: head.lines,
                });
              }
            }

            if (violations.length > 0) {
              const details = violations.map(v =>
-                `${v.file}:\n${v.lines.map(l => '  ' + l).join('\n')}`
+                `${v.file}:\n` +
+                `  base:\n${v.base.map(l => '    ' + l).join('\n') || '    (none)'}\n` +
+                `  head:\n${v.head.map(l => '    ' + l).join('\n') || '    (none)'}`
              ).join('\n\n');

              core.setFailed(
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,7 +9,7 @@ on:
  pull_request:

 env:
-  SIGN_PIPE_VER: "v0.1.4"
+  SIGN_PIPE_VER: "v0.1.5"
  GORELEASER_VER: "v2.14.3"
  PRODUCT_NAME: "NetBird"
  COPYRIGHT: "NetBird GmbH"
@@ -24,7 +24,9 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Generate FreeBSD port diff
        run: bash release_files/freebsd-port-diff.sh
@@ -51,19 +53,26 @@ jobs:
          echo "Generated files for version: $VERSION"
          cat netbird-*.diff

+      - name: Read Go version from go.mod
+        id: goversion
+        run: echo "version=$(awk '/^go / {print $2}' go.mod)" >> "$GITHUB_OUTPUT"
+
      - name: Test FreeBSD port
        if: steps.check_diff.outputs.diff_exists == 'true'
-        uses: vmactions/freebsd-vm@v1
+        env:
+          GO_VERSION: ${{ steps.goversion.outputs.version }}
+        uses: vmactions/freebsd-vm@d1e65811565151536c0c894fff74f06351ed26e6 # v1.4.5
        with:
          usesh: true
          copyback: false
          release: "15.0"
+          envs: "GO_VERSION"
          prepare: |
            # Install required packages
-            pkg install -y git curl portlint go
+            pkg install -y git curl portlint

            # Install Go for building
-            GO_TARBALL="go1.25.5.freebsd-amd64.tar.gz"
+            GO_TARBALL="go${GO_VERSION}.freebsd-amd64.tar.gz"
            GO_URL="https://go.dev/dl/$GO_TARBALL"
            curl -LO "$GO_URL"
            tar -C /usr/local -xzf "$GO_TARBALL"
@@ -93,19 +102,19 @@ jobs:

            # Show patched Makefile
            version=$(cat security/netbird/Makefile | grep -E '^DISTVERSION=' | awk '{print $NF}')
-            
+
            cd /usr/ports/security/netbird
            export BATCH=yes
            make package
            pkg add ./work/pkg/netbird-*.pkg
-            
+
            netbird version | grep "$version"

            echo "FreeBSD port test completed successfully!"

      - name: Upload FreeBSD port files
        if: steps.check_diff.outputs.diff_exists == 'true'
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
        with:
          name: freebsd-port-files
          path: |
@@ -124,26 +133,25 @@ jobs:
    env:
      flags: ""
    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0 # It is required for GoReleaser to work properly
+          persist-credentials: false
+
      - name: Parse semver string
        id: semver_parser
-        uses: booxmedialtd/ws-action-parse-semver@v1
-        with:
-          input_string: ${{ (startsWith(github.ref, 'refs/tags/v') && github.ref) || 'refs/tags/v0.0.0' }}
-          version_extractor_regex: '\/v(.*)$'
+        uses: netbirdio/shared-actions/actions/parse-semver@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2

      - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
        run: echo "flags=--snapshot" >> $GITHUB_ENV
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0 # It is required for GoReleaser to work properly
      - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
      - name: Cache Go modules
-        uses: actions/cache@v4
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ~/go/pkg/mod
@@ -156,18 +164,18 @@ jobs:
      - name: check git status
        run: git --no-pager diff --exit-code
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a #v4.0.0
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd #v4.0.0
      - name: Login to Docker hub
        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v1
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
      - name: Log in to the GitHub container registry
        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
-        uses: docker/login-action@v3
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
@@ -191,7 +199,7 @@ jobs:
        run: goversioninfo -arm -64 -icon client/ui/assets/netbird.ico -manifest client/manifest.xml -product-name ${{ env.PRODUCT_NAME }} -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/resources_windows_arm64.syso
      - name: Run GoReleaser
        id: goreleaser
-        uses: goreleaser/goreleaser-action@v4
+        uses: goreleaser/goreleaser-action@4c6ab561adb47e50c45ef534e2155934e91c40c1 # v7.2.0
        with:
          version: ${{ env.GORELEASER_VER }}
          args: release --clean ${{ env.flags }}
@@ -282,28 +290,28 @@ jobs:
          } >> "$GITHUB_OUTPUT"
      - name: upload non tags for debug purposes
        id: upload_release
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
        with:
          name: release
          path: dist/
          retention-days: 7
      - name: upload linux packages
        id: upload_linux_packages
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
        with:
          name: linux-packages
          path: dist/netbird_linux**
          retention-days: 7
      - name: upload windows packages
        id: upload_windows_packages
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
        with:
          name: windows-packages
          path: dist/netbird_windows**
          retention-days: 7
      - name: upload macos packages
        id: upload_macos_packages
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
        with:
          name: macos-packages
          path: dist/netbird_darwin**
@@ -314,27 +322,26 @@ jobs:
    outputs:
      release_ui_artifact_url: ${{ steps.upload_release_ui.outputs.artifact-url }}
    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0 # It is required for GoReleaser to work properly
+          persist-credentials: false
+
      - name: Parse semver string
        id: semver_parser
-        uses: booxmedialtd/ws-action-parse-semver@v1
-        with:
-          input_string: ${{ (startsWith(github.ref, 'refs/tags/v') && github.ref) || 'refs/tags/v0.0.0' }}
-          version_extractor_regex: '\/v(.*)$'
+        uses: netbirdio/shared-actions/actions/parse-semver@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2

      - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
        run: echo "flags=--snapshot" >> $GITHUB_ENV
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0 # It is required for GoReleaser to work properly

      - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
      - name: Cache Go modules
-        uses: actions/cache@v4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ~/go/pkg/mod
@@ -375,7 +382,7 @@ jobs:
        run: goversioninfo -arm -64 -icon client/ui/assets/netbird.ico -manifest client/ui/manifest.xml -product-name ${{ env.PRODUCT_NAME }}-"UI" -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/ui/resources_windows_arm64.syso

      - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v4
+        uses: goreleaser/goreleaser-action@4c6ab561adb47e50c45ef534e2155934e91c40c1 # v7.2.0
        with:
          version: ${{ env.GORELEASER_VER }}
          args: release --config .goreleaser_ui.yaml --clean ${{ env.flags }}
@@ -404,7 +411,7 @@ jobs:
        run: rm -f /tmp/gpg-rpm-signing-key.asc
      - name: upload non tags for debug purposes
        id: upload_release_ui
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
        with:
          name: release-ui
          path: dist/
@@ -418,16 +425,17 @@ jobs:
      - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
        run: echo "flags=--snapshot" >> $GITHUB_ENV
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0 # It is required for GoReleaser to work properly
+          persist-credentials: false
      - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          cache: false
      - name: Cache Go modules
-        uses: actions/cache@v4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ~/go/pkg/mod
@@ -441,7 +449,7 @@ jobs:
        run: git --no-pager diff --exit-code
      - name: Run GoReleaser
        id: goreleaser
-        uses: goreleaser/goreleaser-action@v4
+        uses: goreleaser/goreleaser-action@4c6ab561adb47e50c45ef534e2155934e91c40c1 # v7.2.0
        with:
          version: ${{ env.GORELEASER_VER }}
          args: release --config .goreleaser_ui_darwin.yaml --clean ${{ env.flags }}
@@ -449,7 +457,7 @@ jobs:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: upload non tags for debug purposes
        id: upload_release_ui_darwin
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
        with:
          name: release-ui-darwin
          path: dist/
@@ -474,27 +482,26 @@ jobs:
      PackageWorkdir: netbird_windows_${{ matrix.arch }}
      downloadPath: '${{ github.workspace }}\temp'
    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
      - name: Parse semver string
        id: semver_parser
-        uses: booxmedialtd/ws-action-parse-semver@v1
-        with:
-          input_string: ${{ (startsWith(github.ref, 'refs/tags/v') && github.ref) || 'refs/tags/v0.0.0' }}
-          version_extractor_regex: '\/v(.*)$'
-
-      - name: Checkout
-        uses: actions/checkout@v4
+        uses: netbirdio/shared-actions/actions/parse-semver@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2

      - name: Add 7-Zip to PATH
        run: echo "C:\Program Files\7-Zip" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append

      - name: Download release artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.1
        with:
          name: release
          path: release

      - name: Download UI release artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.1
        with:
          name: release-ui
          path: release-ui
@@ -514,29 +521,27 @@ jobs:
          Get-ChildItem $workdir

      - name: Download wintun
-        uses: carlosperate/download-file-action@v2
        id: download-wintun
+        uses: netbirdio/shared-actions/actions/win-download-and-verify@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2
        with:
-          file-url: https://pkgs.netbird.io/wintun/wintun-0.14.1.zip
-          file-name: wintun.zip
-          location: ${{ env.downloadPath }}
-          sha256: '07c256185d6ee3652e09fa55c0b673e2624b565e02c4b9091c79ca7d2f24ef51'
+          url: https://pkgs.netbird.io/wintun/wintun-0.14.1.zip
+          destination: ${{ env.downloadPath }}\wintun.zip
+          sha256: 07c256185d6ee3652e09fa55c0b673e2624b565e02c4b9091c79ca7d2f24ef51

      - name: Decompress wintun files
-        run: tar -zvxf "${{ steps.download-wintun.outputs.file-path }}" -C ${{ env.downloadPath }}
+        run: tar -xvf "${{ env.downloadPath }}\wintun.zip" -C ${{ env.downloadPath }}

      - name: Move wintun.dll into dist
        run: mv ${{ env.downloadPath }}\wintun\bin\${{ matrix.wintun_arch }}\wintun.dll ${{ github.workspace }}\dist\${{ env.PackageWorkdir }}\

      - name: Download Mesa3D (amd64 only)
-        uses: carlosperate/download-file-action@v2
        id: download-mesa3d
        if: matrix.arch == 'amd64'
+        uses: netbirdio/shared-actions/actions/win-download-and-verify@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2
        with:
-          file-url: https://downloads.fdossena.com/Projects/Mesa3D/Builds/MesaForWindows-x64-20.1.8.7z
-          file-name: mesa3d.7z
-          location: ${{ env.downloadPath }}
-          sha256: '71c7cb64ec229a1d6b8d62fa08e1889ed2bd17c0eeede8689daf0f25cb31d6b9'
+          url: https://pkgs.netbird.io/mesa3d/MesaForWindows-x64-20.1.8.7z
+          destination: ${{ env.downloadPath }}\mesa3d.7z
+          sha256: 71c7cb64ec229a1d6b8d62fa08e1889ed2bd17c0eeede8689daf0f25cb31d6b9

      - name: Extract Mesa3D driver (amd64 only)
        if: matrix.arch == 'amd64'
@@ -547,35 +552,38 @@ jobs:
        run: mv ${{ env.downloadPath }}\opengl32.dll ${{ github.workspace }}\dist\${{ env.PackageWorkdir }}\

      - name: Download EnVar plugin for NSIS
-        uses: carlosperate/download-file-action@v2
+        uses: netbirdio/shared-actions/actions/win-download-and-verify@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2
        with:
-          file-url: https://nsis.sourceforge.io/mediawiki/images/7/7f/EnVar_plugin.zip
-          file-name: envar_plugin.zip
-          location: ${{ github.workspace }}
+          url: https://pkgs.netbird.io/nsis/EnVar_plugin.zip
+          destination: ${{ github.workspace }}\envar_plugin.zip
+          sha256: e9aa92de351345ed82795251d838f1ae9041ba35af9d381a5780c7843b01f56a

      - name: Extract EnVar plugin
        run: 7z x -o"${{ github.workspace }}/NSIS_Plugins" "${{ github.workspace }}/envar_plugin.zip"

      - name: Download ShellExecAsUser plugin for NSIS (amd64 only)
-        uses: carlosperate/download-file-action@v2
        if: matrix.arch == 'amd64'
+        uses: netbirdio/shared-actions/actions/win-download-and-verify@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2
        with:
-          file-url: https://nsis.sourceforge.io/mediawiki/images/6/68/ShellExecAsUser_amd64-Unicode.7z
-          file-name: ShellExecAsUser_amd64-Unicode.7z
-          location: ${{ github.workspace }}
+          url: https://pkgs.netbird.io/nsis/ShellExecAsUser_amd64-Unicode.7z
+          destination: ${{ github.workspace }}\ShellExecAsUser_amd64-Unicode.7z
+          sha256: 0a55ea25c7330a92cec028eda8afcaf1b1a7092e0dfb77c21c8f654564b4ff9d

      - name: Extract ShellExecAsUser plugin (amd64 only)
        if: matrix.arch == 'amd64'
        run: 7z x -o"${{ github.workspace }}/NSIS_Plugins" "${{ github.workspace }}/ShellExecAsUser_amd64-Unicode.7z"

      - name: Build NSIS installer
-        uses: joncloud/makensis-action@v3.3
-        with:
-          additional-plugin-paths: ${{ github.workspace }}/NSIS_Plugins/Plugins
-          script-file: client/installer.nsis
-          arguments: "/V4 /DARCH=${{ matrix.arch }}"
+        shell: pwsh
        env:
          APPVER: ${{ steps.semver_parser.outputs.major }}.${{ steps.semver_parser.outputs.minor }}.${{ steps.semver_parser.outputs.patch }}.${{ github.run_id }}
+        run: |
+          $nsisPluginDir = "C:\Program Files (x86)\NSIS\Plugins\x86-unicode"
+          $srcPlugins    = "${{ github.workspace }}\NSIS_Plugins\Plugins"
+          Get-ChildItem -Path $srcPlugins -Recurse -Filter *.dll |
+            Copy-Item -Destination $nsisPluginDir -Force
+          & "C:\Program Files (x86)\NSIS\makensis.exe" /V4 "/DARCH=${{ matrix.arch }}" client\installer.nsis
+          if ($LASTEXITCODE -ne 0) { throw "makensis failed with exit code $LASTEXITCODE" }

      - name: Rename NSIS installer
        run: mv netbird-installer.exe netbird_installer_test_windows_${{ matrix.arch }}.exe
@@ -592,7 +600,7 @@ jobs:

      - name: Upload installer artifacts
        if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
        with:
          name: windows-installer-test-${{ matrix.arch }}
          path: |
@@ -611,7 +619,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Create or update PR comment
-        uses: actions/github-script@v7
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        env:
          RELEASE_RESULT: ${{ needs.release.result }}
          RELEASE_UI_RESULT: ${{ needs.release_ui.result }}
@@ -703,7 +711,7 @@ jobs:
    if: startsWith(github.ref, 'refs/tags/')
    steps:
      - name: Trigger binaries sign pipelines
-        uses: benc-uk/workflow-dispatch@v1
+        uses: benc-uk/workflow-dispatch@31e2b3319479a63f0ab15bf800eff9e913504e26 # v1.3.2
        with:
          workflow: Sign bin and installer
          repo: netbirdio/sign-pipelines
--- a/.github/workflows/sync-main.yml
+++ b/.github/workflows/sync-main.yml
@@ -14,9 +14,9 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Trigger main branch sync
-        uses: benc-uk/workflow-dispatch@v1
+        uses: benc-uk/workflow-dispatch@31e2b3319479a63f0ab15bf800eff9e913504e26 # v1.3.2
        with:
          workflow: sync-main.yml
          repo: ${{ secrets.UPSTREAM_REPO }}
          token: ${{ secrets.NC_GITHUB_TOKEN }}
-          inputs: '{ "sha": "${{ github.sha }}" }'
+          inputs: '{ "sha": "${{ github.sha }}" }'
--- a/.github/workflows/sync-tag.yml
+++ b/.github/workflows/sync-tag.yml
@@ -3,7 +3,7 @@ name: sync tag
 on:
  push:
    tags:
-      - 'v*'
+      - "v*"

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
@@ -16,7 +16,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Trigger release tag sync
-        uses: benc-uk/workflow-dispatch@v1
+        uses: benc-uk/workflow-dispatch@31e2b3319479a63f0ab15bf800eff9e913504e26 # v1.3.2
        with:
          workflow: sync-tag.yml
          ref: main
@@ -29,7 +29,7 @@ jobs:
    if: github.event.created && !github.event.deleted && startsWith(github.ref, 'refs/tags/v') && !contains(github.ref_name, '-')
    steps:
      - name: Trigger android-client submodule bump
-        uses: benc-uk/workflow-dispatch@7a027648b88c2413826b6ddd6c76114894dc5ec4 # v1.3.1
+        uses: benc-uk/workflow-dispatch@31e2b3319479a63f0ab15bf800eff9e913504e26 # v1.3.2
        with:
          workflow: bump-netbird.yml
          ref: main
@@ -42,10 +42,10 @@ jobs:
    if: github.event.created && !github.event.deleted && startsWith(github.ref, 'refs/tags/v') && !contains(github.ref_name, '-')
    steps:
      - name: Trigger ios-client submodule bump
-        uses: benc-uk/workflow-dispatch@7a027648b88c2413826b6ddd6c76114894dc5ec4 # v1.3.1
+        uses: benc-uk/workflow-dispatch@31e2b3319479a63f0ab15bf800eff9e913504e26 # v1.3.2
        with:
          workflow: bump-netbird.yml
          ref: main
          repo: netbirdio/ios-client
          token: ${{ secrets.NC_GITHUB_TOKEN }}
-          inputs: '{ "tag": "${{ github.ref_name }}" }'
+          inputs: '{ "tag": "${{ github.ref_name }}" }'
--- a/.github/workflows/test-infrastructure-files.yml
+++ b/.github/workflows/test-infrastructure-files.yml
@@ -6,10 +6,10 @@ on:
      - main
  pull_request:
    paths:
-      - 'infrastructure_files/**'
-      - '.github/workflows/test-infrastructure-files.yml'
-      - 'management/cmd/**'
-      - 'signal/cmd/**'
+      - "infrastructure_files/**"
+      - ".github/workflows/test-infrastructure-files.yml"
+      - "management/cmd/**"
+      - "signal/cmd/**"

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
@@ -20,7 +20,7 @@ jobs:
    runs-on: ubuntu-latest
    strategy:
      matrix:
-        store: [ 'sqlite', 'postgres', 'mysql' ]
+        store: ["sqlite", "postgres", "mysql"]
    services:
      postgres:
        image: ${{ (matrix.store == 'postgres') && 'postgres' || '' }}
@@ -68,15 +68,17 @@ jobs:
        run: sudo apt-get install -y curl

      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"

      - name: Cache Go modules
-        uses: actions/cache@v4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@@ -139,8 +141,8 @@ jobs:
          CI_NETBIRD_IDP_MGMT_CLIENT_SECRET: testing.client.secret
          CI_NETBIRD_SIGNAL_PORT: 12345
          CI_NETBIRD_STORE_CONFIG_ENGINE: ${{ matrix.store }}
-          NETBIRD_STORE_ENGINE_POSTGRES_DSN: '${{ env.NETBIRD_STORE_ENGINE_POSTGRES_DSN }}$'
-          NETBIRD_STORE_ENGINE_MYSQL_DSN: '${{ env.NETBIRD_STORE_ENGINE_MYSQL_DSN }}$'
+          NETBIRD_STORE_ENGINE_POSTGRES_DSN: "${{ env.NETBIRD_STORE_ENGINE_POSTGRES_DSN }}$"
+          NETBIRD_STORE_ENGINE_MYSQL_DSN: "${{ env.NETBIRD_STORE_ENGINE_MYSQL_DSN }}$"
          CI_NETBIRD_MGMT_IDP_SIGNKEY_REFRESH: false
          CI_NETBIRD_TURN_EXTERNAL_IP: "1.2.3.4"
          CI_NETBIRD_MGMT_DISABLE_DEFAULT_POLICY: false
@@ -254,7 +256,9 @@ jobs:
        run: sudo apt-get install -y jq

      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: run script with Zitadel PostgreSQL
        run: NETBIRD_DOMAIN=use-ip bash -x infrastructure_files/getting-started-with-zitadel.sh
--- a/.github/workflows/update-docs.yml
+++ b/.github/workflows/update-docs.yml
@@ -3,9 +3,9 @@ name: update docs
 on:
  push:
    tags:
-      - 'v*'
+      - "v*"
    paths:
-      - 'shared/management/http/api/openapi.yml'
+      - "shared/management/http/api/openapi.yml"

 jobs:
  trigger_docs_api_update:
@@ -13,10 +13,10 @@ jobs:
    if: startsWith(github.ref, 'refs/tags/')
    steps:
      - name: Trigger API pages generation
-        uses: benc-uk/workflow-dispatch@v1
+        uses: benc-uk/workflow-dispatch@31e2b3319479a63f0ab15bf800eff9e913504e26 # v1.3.2
        with:
          workflow: generate api pages
          repo: netbirdio/docs
          ref: "refs/heads/main"
          token: ${{ secrets.SIGN_GITHUB_TOKEN }}
-          inputs: '{ "tag": "${{ github.ref }}" }'
+          inputs: '{ "tag": "${{ github.ref }}" }'
--- a/.github/workflows/wasm-build-validation.yml
+++ b/.github/workflows/wasm-build-validation.yml
@@ -19,15 +19,17 @@ jobs:
      GOARCH: wasm
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
      - name: Install dependencies
        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev libpcap-dev
      - name: Install golangci-lint
-        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
+        uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee #v9.2.1
        with:
          version: latest
          install-mode: binary
@@ -42,9 +44,11 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
      - name: Build Wasm client
@@ -65,4 +69,3 @@ jobs:
            echo "Wasm binary size (${SIZE_MB}MB) exceeds 56MB limit!"
            exit 1
          fi
-
--- a/.gitignore
+++ b/.gitignore
@@ -33,3 +33,4 @@ infrastructure_files/setup-*.env
 vendor/
 /netbird
 client/netbird-electron/
+management/server/types/testdata/
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -8,13 +8,14 @@ There are many ways that you can contribute:
 - Sharing use cases in slack or Reddit
 - Bug fix or feature enhancement

-If you haven't already, join our slack workspace [here](https://join.slack.com/t/netbirdio/shared_invite/zt-vrahf41g-ik1v7fV8du6t0RwxSrJ96A), we would love to discuss topics that need community contribution and enhancements to existing features.
+If you haven't already, join our slack workspace [here](https://docs.netbird.io/slack-url), we would love to discuss topics that need community contribution and enhancements to existing features.

 ## Contents

 - [Contributing to NetBird](#contributing-to-netbird)
    - [Contents](#contents)
    - [Code of conduct](#code-of-conduct)
+    - [Discuss changes with the NetBird team first](#discuss-changes-with-the-netbird-team-first)
    - [Directory structure](#directory-structure)
    - [Development setup](#development-setup)
        - [Requirements](#requirements)
@@ -33,6 +34,14 @@ Conduct which can be found in the file [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md).
 By participating, you are expected to uphold this code. Please report
 unacceptable behavior to community@netbird.io.

+## Discuss changes with the NetBird team first
+
+Changes to the **public API**, **gRPC protocols**, **functionality behavior**, **CLI / service flags**, or **new features** should be discussed with the NetBird team before you start the work. These surfaces are part of NetBird's contract with operators, self-hosters, and downstream integrators, and changes to them have compatibility, security, and release-planning implications that benefit from an early conversation.
+
+Open an issue or reach out on [Slack](https://docs.netbird.io/slack-url) to talk through what you have in mind. We'll help shape the change, flag any constraints we know about, and confirm the direction so the PR review can focus on implementation rather than design.
+
+Typical bug fixes, internal refactors, documentation updates, and tests do not need pre-discussion — open the PR directly.
+
 ## Directory structure

 The NetBird project monorepo is organized to maintain most of its individual dependencies code within their directories, except for a few auxiliary or shared packages.
--- a/README.md
+++ b/README.md
@@ -1,147 +1,134 @@

 <div align="center">
-<br/>
-  <br/>
-<p align="center">
-  <img width="234" src="docs/media/logo-full.png"/>
-</p>
-  <p>
-   <a href="https://img.shields.io/badge/license-BSD--3-blue)">
-       <img src="https://sonarcloud.io/api/project_badges/measure?project=netbirdio_netbird&metric=alert_status" />
-     </a> 
-     <a href="https://github.com/netbirdio/netbird/blob/main/LICENSE">
-       <img src="https://img.shields.io/badge/license-BSD--3-blue" />
-     </a> 
-    <br>
+  <p align="center">
+    <img width="234" src="docs/media/logo-full.png" alt="NetBird logo"/>
+  </p>
+  <p align="center">
+    <a href="https://sonarcloud.io/dashboard?id=netbirdio_netbird">
+      <img src="https://sonarcloud.io/api/project_badges/measure?project=netbirdio_netbird&metric=alert_status" alt="SonarCloud alert status"/>
+    </a>
+    <a href="https://github.com/netbirdio/netbird/blob/main/LICENSE">
+      <img src="https://img.shields.io/badge/license-BSD--3-blue" alt="BSD-3 License"/>
+    </a>
    <a href="https://docs.netbird.io/slack-url">
-        <img src="https://img.shields.io/badge/slack-@netbird-red.svg?logo=slack"/>
-     </a>
+      <img src="https://img.shields.io/badge/slack-@netbird-red.svg?logo=slack" alt="NetBird Slack"/>
+    </a>
    <a href="https://forum.netbird.io">
-        <img src="https://img.shields.io/badge/community forum-@netbird-red.svg?logo=discourse"/>
-     </a>  
-     <br>
+      <img src="https://img.shields.io/badge/community%20forum-@netbird-red.svg?logo=discourse" alt="Community forum"/>
+    </a>
    <a href="https://gurubase.io/g/netbird">
-        <img src="https://img.shields.io/badge/Gurubase-Ask%20NetBird%20Guru-006BFF"/>
-     </a>    
+      <img src="https://img.shields.io/badge/Gurubase-Ask%20NetBird%20Guru-006BFF" alt="Gurubase: Ask NetBird Guru"/>
+    </a>
  </p>
 </div>

-
 <p align="center">
-<strong>
-  Start using NetBird at <a href="https://netbird.io/pricing">netbird.io</a>
+  <strong>
+    Start using NetBird at <a href="https://netbird.io/pricing">netbird.io</a>
+    <br/>
+    See <a href="https://netbird.io/docs/">Documentation</a>
+    <br/>
+    Join our <a href="https://docs.netbird.io/slack-url">Slack channel</a> or our <a href="https://forum.netbird.io">Community forum</a>
+  </strong>
  <br/>
-  See <a href="https://netbird.io/docs/">Documentation</a>
  <br/>
-   Join our <a href="https://docs.netbird.io/slack-url">Slack channel</a> or our <a href="https://forum.netbird.io">Community forum</a>
-  <br/>
- 
-</strong>
-<br>
-<strong>
-  🚀 <a href="https://careers.netbird.io">We are hiring! Join us at careers.netbird.io</a>
-</strong>
-<br>
-<br>
-<a href="https://registry.terraform.io/providers/netbirdio/netbird/latest">
-    New: NetBird terraform provider
-  </a> 
+  <strong>
+    🚀 <a href="https://careers.netbird.io">We are hiring! Join us at careers.netbird.io</a>
+  </strong>
 </p>

-<br>
-
 **NetBird combines a configuration-free peer-to-peer private network and a centralized access control system in a single platform, making it easy to create secure private networks for your organization or home.**

 **Connect.** NetBird creates a WireGuard-based overlay network that automatically connects your machines over an encrypted tunnel, leaving behind the hassle of opening ports, complex firewall rules, VPN gateways, and so forth.

 **Secure.** NetBird enables secure remote access by applying granular access policies while allowing you to manage them intuitively from a single place. Works universally on any infrastructure.

-### Open Source Network Security in a Single Platform
-
 https://github.com/user-attachments/assets/10cec749-bb56-4ab3-97af-4e38850108d2

-### Self-Host NetBird (Video)
+### Self-host NetBird (video)
+
 [![Watch the video](https://img.youtube.com/vi/bZAgpT6nzaQ/0.jpg)](https://youtu.be/bZAgpT6nzaQ)

 ### Key features

-| Connectivity | Management | Security | Automation| Platforms |
-|----|----|----|----|----|
-| <ul><li>- \[x] Kernel WireGuard</ul></li> | <ul><li>- \[x] [Admin Web UI](https://github.com/netbirdio/dashboard)</ul></li> | <ul><li>- \[x] [SSO & MFA support](https://docs.netbird.io/how-to/installation#running-net-bird-with-sso-login)</ul></li> | <ul><li>- \[x] [Public API](https://docs.netbird.io/api)</ul></li> | <ul><li>- \[x] Linux</ul></li> |
-| <ul><li>- \[x] Peer-to-peer connections</ul></li> | <ul><li>- \[x] Auto peer discovery and configuration</ui></li> | <ul><li>- \[x] [Access control - groups & rules](https://docs.netbird.io/how-to/manage-network-access)</ui></li> | <ul><li>- \[x] [Setup keys for bulk network provisioning](https://docs.netbird.io/how-to/register-machines-using-setup-keys)</ui></li> | <ul><li>- \[x] Mac</ui></li> |
-| <ul><li>- \[x] Connection relay fallback</ui></li> | <ul><li>- \[x] [IdP integrations](https://docs.netbird.io/selfhosted/identity-providers)</ui></li> | <ul><li>- \[x] [Activity logging](https://docs.netbird.io/how-to/audit-events-logging)</ui></li> | <ul><li>- \[x] [Self-hosting quickstart script](https://docs.netbird.io/selfhosted/selfhosted-quickstart)</ui></li> | <ul><li>- \[x] Windows</ui></li> |
-| <ul><li>- \[x] [Routes to external networks](https://docs.netbird.io/how-to/routing-traffic-to-private-networks)</ui></li> | <ul><li>- \[x] [Private DNS](https://docs.netbird.io/how-to/manage-dns-in-your-network)</ui></li> | <ul><li>- \[x] [Device posture checks](https://docs.netbird.io/how-to/manage-posture-checks)</ui></li> | <ul><li>- \[x] IdP groups sync with JWT</ui></li> | <ul><li>- \[x] Android</ui></li> |
-| <ul><li>- \[x] NAT traversal with BPF</ui></li> | <ul><li>- \[x] [Multiuser support](https://docs.netbird.io/how-to/add-users-to-your-network)</ui></li> | <ul><li>- \[x] Peer-to-peer encryption</ui></li> || <ul><li>- \[x] iOS</ui></li> |
-||| <ul><li>- \[x] [Quantum-resistance with Rosenpass](https://netbird.io/knowledge-hub/the-first-quantum-resistant-mesh-vpn)</ui></li> || <ul><li>- \[x] OpenWRT</ui></li> |
-||| <ul><li>- \[x] [Periodic re-authentication](https://docs.netbird.io/how-to/enforce-periodic-user-authentication)</ui></li> || <ul><li>- \[x] [Serverless](https://docs.netbird.io/how-to/netbird-on-faas)</ui></li> |
-||||| <ul><li>- \[x] Docker</ui></li> |
+| Connectivity | Management | Security | Automation | Platforms |
+|---|---|---|---|---|
+| ✓ [Kernel WireGuard](https://docs.netbird.io/about-netbird/why-wireguard-with-netbird) | ✓ [Admin Web UI](https://github.com/netbirdio/dashboard) | ✓ [SSO & MFA support](https://docs.netbird.io/how-to/installation#running-net-bird-with-sso-login) | ✓ [Public API](https://docs.netbird.io/api) | ✓ [Linux](https://docs.netbird.io/get-started/install/linux) |
+| ✓ [Peer-to-peer connections](https://docs.netbird.io/about-netbird/how-netbird-works) | ✓ Auto peer discovery and configuration | ✓ [Access control: groups & rules](https://docs.netbird.io/how-to/manage-network-access) | ✓ [Setup keys for bulk provisioning](https://docs.netbird.io/how-to/register-machines-using-setup-keys) | ✓ [macOS](https://docs.netbird.io/get-started/install/macos) |
+| ✓ Connection relay fallback | ✓ [IdP integrations](https://docs.netbird.io/selfhosted/identity-providers) | ✓ [Activity logging](https://docs.netbird.io/how-to/audit-events-logging) | ✓ [Self-hosting quickstart script](https://docs.netbird.io/selfhosted/selfhosted-quickstart) | ✓ [Windows](https://docs.netbird.io/get-started/install/windows) |
+| ✓ [Routes to external networks](https://docs.netbird.io/how-to/routing-traffic-to-private-networks) | ✓ [Private DNS](https://docs.netbird.io/how-to/manage-dns-in-your-network) | ✓ [Traffic events](https://docs.netbird.io/manage/activity/traffic-events-logging) | ✓ [IdP groups sync with JWT](https://docs.netbird.io/manage/team/idp-sync) | ✓ [Android](https://docs.netbird.io/get-started/install/android) |
+| ✓ [Domain-based DNS routes](https://docs.netbird.io/manage/dns/dns-aliases-for-routed-networks) | ✓ [Custom DNS zones](https://docs.netbird.io/manage/dns/custom-zones) | ✓ [Device posture checks](https://docs.netbird.io/how-to/manage-posture-checks) | ✓ [Terraform provider](https://registry.terraform.io/providers/netbirdio/netbird/latest) | ✓ [Android TV](https://docs.netbird.io/get-started/install/android-tv) |
+| ✓ [Exit nodes](https://docs.netbird.io/manage/network-routes/use-cases/exit-nodes) | ✓ [Multiuser support](https://docs.netbird.io/how-to/add-users-to-your-network) | ✓ Peer-to-peer encryption | ✓ [Ansible collection](https://github.com/netbirdio/ansible-netbird) | ✓ [iOS](https://docs.netbird.io/get-started/install/ios) |
+| ✓ [IPv6 dual-stack overlay](https://docs.netbird.io/manage/settings/ipv6) | ✓ [Multi-account profile switching](https://docs.netbird.io/client/profiles) | ✓ [SSH with central access policies](https://docs.netbird.io/manage/peers/ssh) | | ✓ [Apple TV](https://docs.netbird.io/get-started/install/tvos) |
+| ✓ [Browser SSH & RDP](https://docs.netbird.io/manage/peers/browser-client) | | ✓ [Quantum-resistance with Rosenpass](https://netbird.io/knowledge-hub/the-first-quantum-resistant-mesh-vpn) | | ✓ FreeBSD |
+| ✓ [Reverse proxy with auto-TLS](https://docs.netbird.io/manage/reverse-proxy) | | ✓ [Periodic re-authentication](https://docs.netbird.io/how-to/enforce-periodic-user-authentication) | | ✓ [pfSense](https://docs.netbird.io/get-started/install/pfsense) |
+| | | | | ✓ [OPNsense](https://docs.netbird.io/get-started/install/opnsense) |
+| | | | | ✓ [MikroTik RouterOS](https://docs.netbird.io/use-cases/homelab/client-on-mikrotik-router) |
+| | | | | ✓ OpenWRT |
+| | | | | ✓ [Synology](https://docs.netbird.io/get-started/install/synology) |
+| | | | | ✓ [TrueNAS](https://docs.netbird.io/get-started/install/truenas) |
+| | | | | ✓ [Proxmox](https://docs.netbird.io/get-started/install/proxmox-ve) |
+| | | | | ✓ [Raspberry Pi](https://docs.netbird.io/get-started/install/raspberrypi) |
+| | | | | ✓ [Serverless](https://docs.netbird.io/how-to/netbird-on-faas) |
+| | | | | ✓ [Container](https://docs.netbird.io/get-started/install/docker) |

 ### Quickstart with NetBird Cloud

- Download and install NetBird at [https://app.netbird.io/install](https://app.netbird.io/install)
- Follow the steps to sign-up with Google, Microsoft, GitHub or your email address.
- Check NetBird [admin UI](https://app.netbird.io/).
- Add more machines.
+- Download and install NetBird at [https://app.netbird.io/install](https://app.netbird.io/install).
+- Follow the steps to sign up with Google, Microsoft, GitHub or your email address.
+- Check the NetBird [admin UI](https://app.netbird.io/).

 ### Quickstart with self-hosted NetBird

-> This is the quickest way to try self-hosted NetBird. It should take around 5 minutes to get started if you already have a public domain and a VM.
-Follow the [Advanced guide with a custom identity provider](https://docs.netbird.io/selfhosted/selfhosted-guide#advanced-guide-with-a-custom-identity-provider) for installations with different IDPs.
+This is the quickest way to try self-hosted NetBird. It should take around 5 minutes to get started if you already have a public domain and a VM. Follow the [Advanced guide with a custom identity provider](https://docs.netbird.io/selfhosted/selfhosted-guide#advanced-guide-with-a-custom-identity-provider) for installations with different IdPs.

 **Infrastructure requirements:**
- A Linux VM with at least **1CPU** and **2GB** of memory.
- The VM should be publicly accessible on TCP ports **80** and **443** and UDP port: **3478**.
- **Public domain** name pointing to the VM.
+- A Linux VM with at least **1 CPU** and **2 GB** of memory.
+- The VM should be publicly accessible on TCP ports **80** and **443** and UDP port **3478**.
+- A **public domain** name pointing to the VM.

 **Software requirements:**
- Docker installed on the VM with the docker-compose plugin ([Docker installation guide](https://docs.docker.com/engine/install/)) or docker with docker-compose in version 2 or higher.
- [jq](https://jqlang.github.io/jq/) installed. In most distributions
-  Usually available in the official repositories and can be installed with `sudo apt install jq` or `sudo yum install jq`
- [curl](https://curl.se/) installed.
-  Usually available in the official repositories and can be installed with `sudo apt install curl` or `sudo yum install curl`
+- Docker with the Compose plugin (Compose v2 or higher). See the [Docker installation guide](https://docs.docker.com/engine/install/).

 **Steps**
 - Download and run the installation script:
 ```bash
 export NETBIRD_DOMAIN=netbird.example.com; curl -fsSL https://github.com/netbirdio/netbird/releases/latest/download/getting-started.sh | bash
 ```
- Once finished, you can manage the resources via `docker-compose`

 ### A bit on NetBird internals
-  Every machine in the network runs [NetBird Agent (or Client)](client/) that manages WireGuard.
-  Every agent connects to [Management Service](management/) that holds network state, manages peer IPs, and distributes network updates to agents (peers).
-  NetBird agent uses WebRTC ICE implemented in [pion/ice library](https://github.com/pion/ice) to discover connection candidates when establishing a peer-to-peer connection between machines.
-  Connection candidates are discovered with the help of [STUN](https://en.wikipedia.org/wiki/STUN) servers.
-  Agents negotiate a connection through [Signal Service](signal/) passing p2p encrypted messages with candidates.
-  Sometimes the NAT traversal is unsuccessful due to strict NATs (e.g. mobile carrier-grade NAT) and a p2p connection isn't possible. When this occurs the system falls back to a relay server called [TURN](https://en.wikipedia.org/wiki/Traversal_Using_Relays_around_NAT), and a secure WireGuard tunnel is established via the TURN server. 
- 
-[Coturn](https://github.com/coturn/coturn) is the one that has been successfully used for STUN and TURN in NetBird setups.
+- Every machine in the network runs the [NetBird agent](client/), which manages WireGuard.
+- Every agent connects to the [Management Service](management/), which holds network state, manages peer IPs, and distributes updates to agents.
+- Agents use ICE (via [pion/ice](https://github.com/pion/ice)) to discover connection candidates for peer-to-peer connections.
+- Candidates are discovered with the help of [STUN](https://en.wikipedia.org/wiki/STUN) servers.
+- Agents negotiate a connection through the [Signal Service](signal/), exchanging end-to-end encrypted messages with candidates.
+- When NAT traversal fails (e.g. mobile carrier-grade NAT) and a direct p2p connection isn't possible, the system falls back to a [Relay Service](relay/) and a secure WireGuard tunnel is established through it.

 <p float="left" align="middle">
-  <img src="https://docs.netbird.io/docs-static/img/about-netbird/high-level-dia.png" width="700"/>
+  <img src="https://docs.netbird.io/docs-static/img/about-netbird/high-level-dia.png" width="700" alt="NetBird high-level architecture diagram"/>
 </p>

 See a complete [architecture overview](https://docs.netbird.io/about-netbird/how-netbird-works#architecture) for details.

 ### Community projects
-  [NetBird installer script](https://github.com/physk/netbird-installer)
-  [NetBird ansible collection by Dominion Solutions](https://galaxy.ansible.com/ui/repo/published/dominion_solutions/netbird/)
-  [netbird-tui](https://github.com/n0pashkov/netbird-tui) — terminal UI for managing NetBird peers, routes, and settings
+- [NetBird installer script](https://github.com/physk/netbird-installer)
+- [netbird-tui](https://github.com/n0pashkov/netbird-tui) - terminal UI for managing NetBird peers, routes, and settings
+- [caddy-netbird](https://github.com/lixmal/caddy-netbird) - Caddy plugin that embeds a NetBird client for proxying HTTP and TCP/UDP traffic through NetBird networks

 **Note**: The `main` branch may be in an *unstable or even broken state* during development.
 For stable versions, see [releases](https://github.com/netbirdio/netbird/releases).

 ### Support acknowledgement

-In November 2022, NetBird joined the [StartUpSecure program](https://www.forschung-it-sicherheit-kommunikationssysteme.de/foerderung/bekanntmachungen/startup-secure) sponsored by The Federal Ministry of Education and Research of The Federal Republic of Germany. Together with [CISPA Helmholtz Center for Information Security](https://cispa.de/en) NetBird brings the security best practices and simplicity to private networking.
+In November 2022, NetBird joined the [StartUpSecure program](https://www.forschung-it-sicherheit-kommunikationssysteme.de/foerderung/bekanntmachungen/startup-secure) sponsored by the Federal Ministry of Education and Research of the Federal Republic of Germany. Together with the [CISPA Helmholtz Center for Information Security](https://cispa.de/en), NetBird brings security best practices and simplicity to private networking.

 ![CISPA_Logo_BLACK_EN_RZ_RGB (1)](https://user-images.githubusercontent.com/700848/203091324-c6d311a0-22b5-4b05-a288-91cbc6cdcc46.png)

-### Testimonials
-We use open-source technologies like [WireGuard®](https://www.wireguard.com/), [Pion ICE (WebRTC)](https://github.com/pion/ice), [Coturn](https://github.com/coturn/coturn), and [Rosenpass](https://rosenpass.eu). We very much appreciate the work these guys are doing and we'd greatly appreciate if you could support them in any way (e.g., by giving a star or a contribution).
+### Acknowledgements
+We build on open-source technologies like [WireGuard®](https://www.wireguard.com/), [Pion ICE](https://github.com/pion/ice), and [Rosenpass](https://rosenpass.eu). We greatly appreciate the work these projects are doing, and we'd love it if you could support them too (e.g., by starring or contributing).

 ### Legal
-This repository is licensed under BSD-3-Clause license that applies to all parts of the repository except for the directories management/, signal/ and relay/.
+This repository is licensed under the BSD-3-Clause license, which applies to all parts of the repository except for the directories management/, signal/ and relay/.
 Those directories are licensed under the GNU Affero General Public License version 3.0 (AGPLv3). See the respective LICENSE files inside each directory.

 _WireGuard_ and the _WireGuard_ logo are [registered trademarks](https://www.wireguard.com/trademark-policy/) of Jason A. Donenfeld.
--- a/client/android/client.go
+++ b/client/android/client.go
@@ -301,10 +301,11 @@ func (c *Client) PeersList() *PeerInfoArray {
 	peerInfos := make([]PeerInfo, len(fullStatus.Peers))
 	for n, p := range fullStatus.Peers {
 		pi := PeerInfo{
-			p.IP,
-			p.FQDN,
-			int(p.ConnStatus),
-			PeerRoutes{routes: maps.Keys(p.GetRoutes())},
+			IP:         p.IP,
+			IPv6:       p.IPv6,
+			FQDN:       p.FQDN,
+			ConnStatus: int(p.ConnStatus),
+			Routes:     PeerRoutes{routes: maps.Keys(p.GetRoutes())},
 		}
 		peerInfos[n] = pi
 	}
@@ -336,43 +337,84 @@ func (c *Client) Networks() *NetworkArray {
 		return nil
 	}

+	routesMap := routeManager.GetClientRoutesWithNetID()
+	v6Merged := route.V6ExitMergeSet(routesMap)
+	resolvedDomains := c.recorder.GetResolvedDomainsStates()
+
 	networkArray := &NetworkArray{
 		items: make([]Network, 0),
 	}

-	resolvedDomains := c.recorder.GetResolvedDomainsStates()
-
-	for id, routes := range routeManager.GetClientRoutesWithNetID() {
+	for id, routes := range routesMap {
 		if len(routes) == 0 {
 			continue
 		}
-
-		r := routes[0]
-		domains := c.getNetworkDomainsFromRoute(r, resolvedDomains)
-		netStr := r.Network.String()
-
-		if r.IsDynamic() {
-			netStr = r.Domains.SafeString()
-		}
-
-		routePeer, err := c.recorder.GetPeer(routes[0].Peer)
-		if err != nil {
-			log.Errorf("could not get peer info for %s: %v", routes[0].Peer, err)
+		if _, skip := v6Merged[id]; skip {
 			continue
 		}
-		network := Network{
-			Name:       string(id),
-			Network:    netStr,
-			Peer:       routePeer.FQDN,
-			Status:     routePeer.ConnStatus.String(),
-			IsSelected: routeSelector.IsSelected(id),
-			Domains:    domains,
+
+		network := c.buildNetwork(id, routes, routeSelector.IsSelected(id), resolvedDomains, v6Merged)
+		if network == nil {
+			continue
 		}
-		networkArray.Add(network)
+		networkArray.Add(*network)
 	}
 	return networkArray
 }

+func (c *Client) buildNetwork(id route.NetID, routes []*route.Route, selected bool, resolvedDomains map[domain.Domain]peer.ResolvedDomainInfo, v6Merged map[route.NetID]struct{}) *Network {
+	r := routes[0]
+	netStr := r.Network.String()
+	if r.IsDynamic() {
+		netStr = r.Domains.SafeString()
+	}
+
+	routePeer, err := c.findBestRoutePeer(routes)
+	if err != nil {
+		log.Errorf("could not get peer info for route %s: %v", id, err)
+		return nil
+	}
+
+	network := &Network{
+		Name:       string(id),
+		Network:    netStr,
+		Peer:       routePeer.FQDN,
+		Status:     routePeer.ConnStatus.String(),
+		IsSelected: selected,
+		Domains:    c.getNetworkDomainsFromRoute(r, resolvedDomains),
+	}
+
+	if route.IsV4DefaultRoute(r.Network) && route.HasV6ExitPair(id, v6Merged) {
+		network.Network = "0.0.0.0/0, ::/0"
+	}
+
+	return network
+}
+
+// findBestRoutePeer returns the peer actively routing traffic for the given
+// HA route group. Falls back to the first connected peer, then the first peer.
+func (c *Client) findBestRoutePeer(routes []*route.Route) (peer.State, error) {
+	netStr := routes[0].Network.String()
+
+	fullStatus := c.recorder.GetFullStatus()
+	for _, p := range fullStatus.Peers {
+		if _, ok := p.GetRoutes()[netStr]; ok {
+			return p, nil
+		}
+	}
+
+	for _, r := range routes {
+		p, err := c.recorder.GetPeer(r.Peer)
+		if err != nil {
+			continue
+		}
+		if p.ConnStatus == peer.StatusConnected {
+			return p, nil
+		}
+	}
+	return c.recorder.GetPeer(routes[0].Peer)
+}
+
 // OnUpdatedHostDNS update the DNS servers addresses for root zones
 func (c *Client) OnUpdatedHostDNS(list *DNSList) error {
 	dnsServer, err := dns.GetServerDns()
--- a/client/android/peer_notifier.go
+++ b/client/android/peer_notifier.go
@@ -14,6 +14,7 @@ const (
 // PeerInfo describe information about the peers. It designed for the UI usage
 type PeerInfo struct {
 	IP         string
+	IPv6       string
 	FQDN       string
 	ConnStatus int
 	Routes     PeerRoutes
--- a/client/android/preferences.go
+++ b/client/android/preferences.go
@@ -307,6 +307,24 @@ func (p *Preferences) SetBlockInbound(block bool) {
 	p.configInput.BlockInbound = &block
 }

+// GetDisableIPv6 reads disable IPv6 setting from config file
+func (p *Preferences) GetDisableIPv6() (bool, error) {
+	if p.configInput.DisableIPv6 != nil {
+		return *p.configInput.DisableIPv6, nil
+	}
+
+	cfg, err := profilemanager.ReadConfig(p.configInput.ConfigPath)
+	if err != nil {
+		return false, err
+	}
+	return cfg.DisableIPv6, err
+}
+
+// SetDisableIPv6 stores the given value and waits for commit
+func (p *Preferences) SetDisableIPv6(disable bool) {
+	p.configInput.DisableIPv6 = &disable
+}
+
 // Commit writes out the changes to the config file
 func (p *Preferences) Commit() error {
 	_, err := profilemanager.UpdateOrCreateConfig(p.configInput)
--- a/client/android/route_command.go
+++ b/client/android/route_command.go
@@ -18,9 +18,12 @@ func executeRouteToggle(id string, manager routemanager.Manager,
 	netID := route.NetID(id)
 	routes := []route.NetID{netID}

-	log.Debugf("%s with id: %s", operationName, id)
+	routesMap := manager.GetClientRoutesWithNetID()
+	routes = route.ExpandV6ExitPairs(routes, routesMap)

-	if err := routeOperation(routes, maps.Keys(manager.GetClientRoutesWithNetID())); err != nil {
+	log.Debugf("%s with ids: %v", operationName, routes)
+
+	if err := routeOperation(routes, maps.Keys(routesMap)); err != nil {
 		log.Debugf("error when %s: %s", operationName, err)
 		return fmt.Errorf("error %s: %w", operationName, err)
 	}
--- a/client/anonymize/anonymize.go
+++ b/client/anonymize/anonymize.go
@@ -9,6 +9,7 @@ import (
 	"net/url"
 	"regexp"
 	"slices"
+	"strconv"
 	"strings"
 )

@@ -26,8 +27,9 @@ type Anonymizer struct {
 }

 func DefaultAddresses() (netip.Addr, netip.Addr) {
-	// 198.51.100.0, 100::
-	return netip.AddrFrom4([4]byte{198, 51, 100, 0}), netip.AddrFrom16([16]byte{0x01})
+	// 198.51.100.0 (RFC 5737 TEST-NET-2), 2001:db8:ffff:: (RFC 3849 documentation, last /48)
+	// The old start 100:: (discard, RFC 6666) is now used for fake IPs on Android.
+	return netip.AddrFrom4([4]byte{198, 51, 100, 0}), netip.MustParseAddr("2001:db8:ffff::")
 }

 func NewAnonymizer(startIPv4, startIPv6 netip.Addr) *Anonymizer {
@@ -48,7 +50,7 @@ func (a *Anonymizer) AnonymizeIP(ip netip.Addr) netip.Addr {
 		ip.IsLinkLocalUnicast() ||
 		ip.IsLinkLocalMulticast() ||
 		ip.IsInterfaceLocalMulticast() ||
-		ip.IsPrivate() ||
+		(ip.Is4() && ip.IsPrivate()) ||
 		ip.IsUnspecified() ||
 		ip.IsMulticast() ||
 		isWellKnown(ip) ||
@@ -96,6 +98,11 @@ func (a *Anonymizer) isInAnonymizedRange(ip netip.Addr) bool {
 }

 func (a *Anonymizer) AnonymizeIPString(ip string) string {
+	// Handle CIDR notation (e.g. "2001:db8::/32")
+	if prefix, err := netip.ParsePrefix(ip); err == nil {
+		return a.AnonymizeIP(prefix.Addr()).String() + "/" + strconv.Itoa(prefix.Bits())
+	}
+
 	addr, err := netip.ParseAddr(ip)
 	if err != nil {
 		return ip
@@ -150,7 +157,7 @@ func (a *Anonymizer) AnonymizeURI(uri string) string {
 	if u.Opaque != "" {
 		host, port, err := net.SplitHostPort(u.Opaque)
 		if err == nil {
-			anonymizedHost = fmt.Sprintf("%s:%s", a.AnonymizeDomain(host), port)
+			anonymizedHost = net.JoinHostPort(a.AnonymizeDomain(host), port)
 		} else {
 			anonymizedHost = a.AnonymizeDomain(u.Opaque)
 		}
@@ -158,7 +165,7 @@ func (a *Anonymizer) AnonymizeURI(uri string) string {
 	} else if u.Host != "" {
 		host, port, err := net.SplitHostPort(u.Host)
 		if err == nil {
-			anonymizedHost = fmt.Sprintf("%s:%s", a.AnonymizeDomain(host), port)
+			anonymizedHost = net.JoinHostPort(a.AnonymizeDomain(host), port)
 		} else {
 			anonymizedHost = a.AnonymizeDomain(u.Host)
 		}
--- a/client/anonymize/anonymize_test.go
+++ b/client/anonymize/anonymize_test.go
@@ -13,7 +13,7 @@ import (

 func TestAnonymizeIP(t *testing.T) {
 	startIPv4 := netip.MustParseAddr("198.51.100.0")
-	startIPv6 := netip.MustParseAddr("100::")
+	startIPv6 := netip.MustParseAddr("2001:db8:ffff::")
 	anonymizer := anonymize.NewAnonymizer(startIPv4, startIPv6)

 	tests := []struct {
@@ -26,9 +26,9 @@ func TestAnonymizeIP(t *testing.T) {
 		{"Second Public IPv4", "4.3.2.1", "198.51.100.1"},
 		{"Repeated IPv4", "1.2.3.4", "198.51.100.0"},
 		{"Private IPv4", "192.168.1.1", "192.168.1.1"},
-		{"First Public IPv6", "2607:f8b0:4005:805::200e", "100::"},
-		{"Second Public IPv6", "a::b", "100::1"},
-		{"Repeated IPv6", "2607:f8b0:4005:805::200e", "100::"},
+		{"First Public IPv6", "2607:f8b0:4005:805::200e", "2001:db8:ffff::"},
+		{"Second Public IPv6", "a::b", "2001:db8:ffff::1"},
+		{"Repeated IPv6", "2607:f8b0:4005:805::200e", "2001:db8:ffff::"},
 		{"Private IPv6", "fe80::1", "fe80::1"},
 		{"In Range IPv4", "198.51.100.2", "198.51.100.2"},
 	}
@@ -274,17 +274,27 @@ func TestAnonymizeString_IPAddresses(t *testing.T) {
 		{
 			name:   "IPv6 Address",
 			input:  "Access attempted from 2001:db8::ff00:42",
-			expect: "Access attempted from 100::",
+			expect: "Access attempted from 2001:db8:ffff::",
 		},
 		{
 			name:   "IPv6 Address with Port",
 			input:  "Access attempted from [2001:db8::ff00:42]:8080",
-			expect: "Access attempted from [100::]:8080",
+			expect: "Access attempted from [2001:db8:ffff::]:8080",
 		},
 		{
 			name:   "Both IPv4 and IPv6",
 			input:  "IPv4: 142.108.0.1 and IPv6: 2001:db8::ff00:43",
-			expect: "IPv4: 198.51.100.1 and IPv6: 100::1",
+			expect: "IPv4: 198.51.100.1 and IPv6: 2001:db8:ffff::1",
+		},
+		{
+			name:   "STUN URI with IPv6",
+			input:  "Connecting to stun:[2001:db8::ff00:42]:3478",
+			expect: "Connecting to stun:[2001:db8:ffff::]:3478",
+		},
+		{
+			name:   "HTTPS URI with IPv6",
+			input:  "Visit https://[2001:db8::ff00:42]:443/path",
+			expect: "Visit https://[2001:db8:ffff::]:443/path",
 		},
 	}

--- a/client/cmd/root.go
+++ b/client/cmd/root.go
@@ -143,7 +143,7 @@ func init() {
 	rootCmd.PersistentFlags().StringVar(&preSharedKey, preSharedKeyFlag, "", "Sets WireGuard PreSharedKey property. If set, then only peers that have the same key can communicate.")
 	rootCmd.PersistentFlags().StringVarP(&hostName, "hostname", "n", "", "Sets a custom hostname for the device")
 	rootCmd.PersistentFlags().BoolVarP(&anonymizeFlag, "anonymize", "A", false, "anonymize IP addresses and non-netbird.io domains in logs and status output")
-	rootCmd.PersistentFlags().StringVarP(&configPath, "config", "c", defaultConfigPath, "Overrides the default profile file location")
+	rootCmd.PersistentFlags().StringVarP(&configPath, "config", "c", profilemanager.DefaultConfigPath, "Overrides the default profile file location")

 	rootCmd.AddCommand(upCmd)
 	rootCmd.AddCommand(downCmd)
--- a/client/cmd/ssh.go
+++ b/client/cmd/ssh.go
@@ -523,7 +523,7 @@ func parseHostnameAndCommand(args []string) error {
 }

 func runSSH(ctx context.Context, addr string, cmd *cobra.Command) error {
-	target := fmt.Sprintf("%s:%d", addr, port)
+	target := net.JoinHostPort(strings.Trim(addr, "[]"), strconv.Itoa(port))
 	c, err := sshclient.Dial(ctx, target, username, sshclient.DialOptions{
 		KnownHostsFile:     knownHostsFile,
 		IdentityFile:       identityFile,
@@ -787,10 +787,10 @@ func isUnixSocket(path string) bool {
 	return strings.HasPrefix(path, "/") || strings.HasPrefix(path, "./")
 }

-// normalizeLocalHost converts "*" to "0.0.0.0" for binding to all interfaces.
+// normalizeLocalHost converts "*" to "" for binding to all interfaces (dual-stack).
 func normalizeLocalHost(host string) string {
 	if host == "*" {
-		return "0.0.0.0"
+		return ""
 	}
 	return host
 }
--- a/client/cmd/ssh_test.go
+++ b/client/cmd/ssh_test.go
@@ -527,10 +527,10 @@ func TestParsePortForward(t *testing.T) {
 		{
 			name:           "wildcard bind all interfaces",
 			spec:           "*:8080:localhost:80",
-			expectedLocal:  "0.0.0.0:8080",
+			expectedLocal:  ":8080",
 			expectedRemote: "localhost:80",
 			expectError:    false,
-			description:    "Wildcard * should bind to all interfaces (0.0.0.0)",
+			description:    "Wildcard * should bind to all interfaces (dual-stack)",
 		},
 		{
 			name:           "wildcard for port only",
--- a/client/cmd/status.go
+++ b/client/cmd/status.go
@@ -20,6 +20,7 @@ import (
 var (
 	detailFlag           bool
 	ipv4Flag             bool
+	ipv6Flag             bool
 	jsonFlag             bool
 	yamlFlag             bool
 	ipsFilter            []string
@@ -42,15 +43,16 @@ func init() {
 	ipsFilterMap = make(map[string]struct{})
 	prefixNamesFilterMap = make(map[string]struct{})
 	statusCmd.PersistentFlags().BoolVarP(&detailFlag, "detail", "d", false, "display detailed status information in human-readable format")
-	statusCmd.PersistentFlags().BoolVar(&jsonFlag, "json", false, "display detailed status information in json format")
-	statusCmd.PersistentFlags().BoolVar(&yamlFlag, "yaml", false, "display detailed status information in yaml format")
-	statusCmd.PersistentFlags().BoolVar(&ipv4Flag, "ipv4", false, "display only NetBird IPv4 of this peer, e.g., --ipv4 will output 100.64.0.33")
-	statusCmd.MarkFlagsMutuallyExclusive("detail", "json", "yaml", "ipv4")
-	statusCmd.PersistentFlags().StringSliceVar(&ipsFilter, "filter-by-ips", []string{}, "filters the detailed output by a list of one or more IPs, e.g., --filter-by-ips 100.64.0.100,100.64.0.200")
-	statusCmd.PersistentFlags().StringSliceVar(&prefixNamesFilter, "filter-by-names", []string{}, "filters the detailed output by a list of one or more peer FQDN or hostnames, e.g., --filter-by-names peer-a,peer-b.netbird.cloud")
-	statusCmd.PersistentFlags().StringVar(&statusFilter, "filter-by-status", "", "filters the detailed output by connection status(idle|connecting|connected), e.g., --filter-by-status connected")
-	statusCmd.PersistentFlags().StringVar(&connectionTypeFilter, "filter-by-connection-type", "", "filters the detailed output by connection type (P2P|Relayed), e.g., --filter-by-connection-type P2P")
-	statusCmd.PersistentFlags().StringVar(&checkFlag, "check", "", "run a health check and exit with code 0 on success, 1 on failure (live|ready|startup)")
+	statusCmd.PersistentFlags().BoolVarP(&jsonFlag, "json", "j", false, "display detailed status information in json format")
+	statusCmd.PersistentFlags().BoolVarP(&yamlFlag, "yaml", "y", false, "display detailed status information in yaml format")
+	statusCmd.PersistentFlags().BoolVarP(&ipv4Flag, "ipv4", "4", false, "display only NetBird IPv4 of this peer, e.g., --ipv4 will output 100.64.0.33")
+	statusCmd.PersistentFlags().BoolVarP(&ipv6Flag, "ipv6", "6", false, "display only NetBird IPv6 of this peer")
+	statusCmd.MarkFlagsMutuallyExclusive("detail", "json", "yaml", "ipv4", "ipv6")
+	statusCmd.PersistentFlags().StringSliceVarP(&ipsFilter, "filter-by-ips", "I", []string{}, "filters the detailed output by a list of one or more IPs (v4 or v6), e.g., --filter-by-ips 100.64.0.100,fd00::1")
+	statusCmd.PersistentFlags().StringSliceVarP(&prefixNamesFilter, "filter-by-names", "N", []string{}, "filters the detailed output by a list of one or more peer FQDN or hostnames, e.g., --filter-by-names peer-a,peer-b.netbird.cloud")
+	statusCmd.PersistentFlags().StringVarP(&statusFilter, "filter-by-status", "S", "", "filters the detailed output by connection status(idle|connecting|connected), e.g., --filter-by-status connected")
+	statusCmd.PersistentFlags().StringVarP(&connectionTypeFilter, "filter-by-connection-type", "T", "", "filters the detailed output by connection type (P2P|Relayed), e.g., --filter-by-connection-type P2P")
+	statusCmd.PersistentFlags().StringVarP(&checkFlag, "check", "C", "", "run a health check and exit with code 0 on success, 1 on failure (live|ready|startup)")
 }

 func statusFunc(cmd *cobra.Command, args []string) error {
@@ -101,6 +103,14 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 		return nil
 	}

+	if ipv6Flag {
+		ipv6 := resp.GetFullStatus().GetLocalPeerState().GetIpv6()
+		if ipv6 != "" {
+			cmd.Print(parseInterfaceIP(ipv6))
+		}
+		return nil
+	}
+
 	pm := profilemanager.NewProfileManager()
 	var profName string
 	if activeProf, err := pm.GetActiveProfile(); err == nil {
--- a/client/cmd/system.go
+++ b/client/cmd/system.go
@@ -8,6 +8,7 @@ const (
 	disableFirewallFlag     = "disable-firewall"
 	blockLANAccessFlag      = "block-lan-access"
 	blockInboundFlag        = "block-inbound"
+	disableIPv6Flag         = "disable-ipv6"
 )

 var (
@@ -17,6 +18,7 @@ var (
 	disableFirewall     bool
 	blockLANAccess      bool
 	blockInbound        bool
+	disableIPv6         bool
 )

 func init() {
@@ -39,4 +41,7 @@ func init() {
 	upCmd.PersistentFlags().BoolVar(&blockInbound, blockInboundFlag, false,
 		"Block inbound connections. If enabled, the client will not allow any inbound connections to the local machine nor routed networks.\n"+
 			"This overrides any policies received from the management service.")
+
+	upCmd.PersistentFlags().BoolVar(&disableIPv6, disableIPv6Flag, false,
+		"Disable IPv6 overlay. If enabled, the client won't request or use an IPv6 overlay address.")
 }
--- a/client/cmd/testutil_test.go
+++ b/client/cmd/testutil_test.go
@@ -11,7 +11,7 @@ import (
 	"go.opentelemetry.io/otel"
 	"google.golang.org/grpc"

-	"github.com/netbirdio/management-integrations/integrations"
+	"github.com/netbirdio/netbird/management/server/integrations/integrated_validator/validator"

 	nbcache "github.com/netbirdio/netbird/management/server/cache"

@@ -109,7 +109,7 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 		t.Fatal(err)
 	}

-	iv, _ := integrations.NewIntegratedValidator(ctx, peersmanager, settingsManagerMock, eventStore, cacheStore)
+	iv, _ := validator.NewIntegratedValidator(ctx, peersmanager, settingsManagerMock, eventStore, cacheStore)

 	metrics, err := telemetry.NewDefaultAppMetrics(ctx)
 	require.NoError(t, err)
--- a/client/cmd/up.go
+++ b/client/cmd/up.go
@@ -435,6 +435,10 @@ func setupSetConfigReq(customDNSAddressConverted []byte, cmd *cobra.Command, pro
 		req.BlockInbound = &blockInbound
 	}

+	if cmd.Flag(disableIPv6Flag).Changed {
+		req.DisableIpv6 = &disableIPv6
+	}
+
 	if cmd.Flag(enableLazyConnectionFlag).Changed {
 		req.LazyConnectionEnabled = &lazyConnEnabled
 	}
@@ -552,6 +556,10 @@ func setupConfig(customDNSAddressConverted []byte, cmd *cobra.Command, configFil
 		ic.BlockInbound = &blockInbound
 	}

+	if cmd.Flag(disableIPv6Flag).Changed {
+		ic.DisableIPv6 = &disableIPv6
+	}
+
 	if cmd.Flag(enableLazyConnectionFlag).Changed {
 		ic.LazyConnectionEnabled = &lazyConnEnabled
 	}
@@ -666,6 +674,10 @@ func setupLoginRequest(providedSetupKey string, customDNSAddressConverted []byte
 		loginRequest.BlockInbound = &blockInbound
 	}

+	if cmd.Flag(disableIPv6Flag).Changed {
+		loginRequest.DisableIpv6 = &disableIPv6
+	}
+
 	if cmd.Flag(enableLazyConnectionFlag).Changed {
 		loginRequest.LazyConnectionEnabled = &lazyConnEnabled
 	}
--- a/client/embed/embed.go
+++ b/client/embed/embed.go
@@ -12,6 +12,7 @@ import (
 	"sync"

 	"github.com/sirupsen/logrus"
+	wgdevice "golang.zx2c4.com/wireguard/device"
 	wgnetstack "golang.zx2c4.com/wireguard/tun/netstack"

 	"github.com/netbirdio/netbird/client/iface"
@@ -80,8 +81,16 @@ type Options struct {
 	StatePath string
 	// DisableClientRoutes disables the client routes
 	DisableClientRoutes bool
+	// DisableIPv6 disables IPv6 overlay addressing
+	DisableIPv6 bool
 	// BlockInbound blocks all inbound connections from peers
 	BlockInbound bool
+	// BlockLANAccess blocks the embedded peer from reaching the host's
+	// LAN (RFC 1918, link-local, loopback) when it's used as a routing
+	// peer. Mirrors profilemanager.ConfigInput.BlockLANAccess. Useful
+	// when the embedded client must never act as a stepping stone into
+	// the host's local network (e.g. the proxy's overlay peer).
+	BlockLANAccess bool
 	// WireguardPort is the port for the tunnel interface. Use 0 for a random port.
 	WireguardPort *int
 	// MTU is the MTU for the tunnel interface.
@@ -92,6 +101,26 @@ type Options struct {
 	MTU *uint16
 	// DNSLabels defines additional DNS labels configured in the peer.
 	DNSLabels []string
+	// Performance configures the tunnel's buffer pool cap and batch size.
+	Performance Performance
+}
+
+// Performance configures the embedded client's tunnel memory/throughput knobs.
+//
+// These settings are process-global: any non-nil field also becomes the
+// default for Clients constructed by later embed.New calls in the same
+// process. Nil fields are ignored.
+type Performance struct {
+	// PreallocatedBuffersPerPool caps the per-tunnel buffer pool. Zero
+	// leaves the pool unbounded. Lower values trade throughput for a
+	// tighter memory ceiling. May also be changed on a running Client via
+	// Client.SetPerformance, provided this field was nonzero at construction.
+	PreallocatedBuffersPerPool *uint32
+	// MaxBatchSize overrides the number of packets the tunnel reads or
+	// writes per syscall, which also bounds eager buffer allocation per
+	// worker. Zero uses the platform default. Applied at construction
+	// only; ignored by Client.SetPerformance.
+	MaxBatchSize *uint32
 }

 // validateCredentials checks that exactly one credential type is provided
@@ -171,7 +200,9 @@ func New(opts Options) (*Client, error) {
 		PreSharedKey:        &opts.PreSharedKey,
 		DisableServerRoutes: &t,
 		DisableClientRoutes: &opts.DisableClientRoutes,
+		DisableIPv6:         &opts.DisableIPv6,
 		BlockInbound:        &opts.BlockInbound,
+		BlockLANAccess:      &opts.BlockLANAccess,
 		WireguardPort:       opts.WireguardPort,
 		MTU:                 opts.MTU,
 		DNSLabels:           parsedLabels,
@@ -189,6 +220,13 @@ func New(opts Options) (*Client, error) {
 		config.PrivateKey = opts.PrivateKey
 	}

+	if opts.Performance.PreallocatedBuffersPerPool != nil {
+		wgdevice.SetPreallocatedBuffersPerPool(*opts.Performance.PreallocatedBuffersPerPool)
+	}
+	if opts.Performance.MaxBatchSize != nil {
+		wgdevice.SetMaxBatchSizeOverride(*opts.Performance.MaxBatchSize)
+	}
+
 	return &Client{
 		deviceName: opts.DeviceName,
 		setupKey:   opts.SetupKey,
@@ -333,7 +371,7 @@ func (c *Client) ListenTCP(address string) (net.Listener, error) {
 	if err != nil {
 		return nil, fmt.Errorf("split host port: %w", err)
 	}
-	listenAddr := fmt.Sprintf("%s:%s", addr, port)
+	listenAddr := net.JoinHostPort(addr.String(), port)

 	tcpAddr, err := net.ResolveTCPAddr("tcp", listenAddr)
 	if err != nil {
@@ -354,7 +392,7 @@ func (c *Client) ListenUDP(address string) (net.PacketConn, error) {
 	if err != nil {
 		return nil, fmt.Errorf("split host port: %w", err)
 	}
-	listenAddr := fmt.Sprintf("%s:%s", addr, port)
+	listenAddr := net.JoinHostPort(addr.String(), port)

 	udpAddr, err := net.ResolveUDPAddr("udp", listenAddr)
 	if err != nil {
@@ -402,6 +440,21 @@ func (c *Client) Expose(ctx context.Context, req ExposeRequest) (*ExposeSession,
 	}, nil
 }

+// IdentityForIP looks up a remote peer by its tunnel IP using the
+// embedded client's status recorder. Returns the peer's WireGuard public
+// key and FQDN. ok=false means the IP isn't in this client's peer
+// roster — callers should treat that as "unknown peer".
+func (c *Client) IdentityForIP(ip netip.Addr) (pubKey, fqdn string, ok bool) {
+	if !ip.IsValid() || c.recorder == nil {
+		return "", "", false
+	}
+	state, found := c.recorder.PeerStateByIP(ip.String())
+	if !found {
+		return "", "", false
+	}
+	return state.PubKey, state.FQDN, true
+}
+
 // Status returns the current status of the client.
 func (c *Client) Status() (peer.FullStatus, error) {
 	c.mu.Lock()
@@ -470,6 +523,25 @@ func (c *Client) VerifySSHHostKey(peerAddress string, key []byte) error {
 	return sshcommon.VerifyHostKey(storedKey, key, peerAddress)
 }

+// SetPerformance retunes a running Client. Only PreallocatedBuffersPerPool
+// takes effect, and only when it was nonzero at construction;
+// MaxBatchSize is construction-only and returns an error if set here.
+//
+// Returns ErrClientNotStarted / ErrEngineNotStarted if the Client is not
+// running yet.
+func (c *Client) SetPerformance(t Performance) error {
+	if t.MaxBatchSize != nil {
+		return errors.New("MaxBatchSize is construction-only and cannot be changed at runtime")
+	}
+	engine, err := c.getEngine()
+	if err != nil {
+		return err
+	}
+	return engine.SetPerformance(internal.Performance{
+		PreallocatedBuffersPerPool: t.PreallocatedBuffersPerPool,
+	})
+}
+
 // StartCapture begins capturing packets on this client's tunnel device.
 // Only one capture can be active at a time; starting a new one stops the previous.
 // Call StopCapture (or CaptureSession.Stop) to end it.
--- a/client/firewall/create.go
+++ b/client/firewall/create.go
@@ -21,7 +21,7 @@ func NewFirewall(iface IFaceMapper, _ *statemanager.Manager, flowLogger nftypes.
 	}

 	// use userspace packet filtering firewall
-	fm, err := uspfilter.Create(iface, disableServerRoutes, flowLogger, mtu)
+	fm, err := uspfilter.Create(iface, nil, disableServerRoutes, flowLogger, mtu)
 	if err != nil {
 		return nil, err
 	}
--- a/client/firewall/create_linux.go
+++ b/client/firewall/create_linux.go
@@ -29,47 +29,80 @@ const (
 	NFTABLES
 )

-// SKIP_NFTABLES_ENV is the environment variable to skip nftables check
-const SKIP_NFTABLES_ENV = "NB_SKIP_NFTABLES_CHECK"
+// SkipNftablesEnv is the environment variable to skip nftables check
+const SkipNftablesEnv = "NB_SKIP_NFTABLES_CHECK"
+
+// errNoFirewallManager indicates no kernel firewall backend is present,
+// as opposed to a backend that exists but failed to create or initialize.
+var errNoFirewallManager = errors.New("no firewall manager found")

 // FWType is the type for the firewall type
 type FWType int

 func NewFirewall(iface IFaceMapper, stateManager *statemanager.Manager, flowLogger nftypes.FlowLogger, disableServerRoutes bool, mtu uint16) (firewall.Manager, error) {
-	// We run in userspace mode and force userspace firewall was requested. We don't attempt native firewall.
+	// We run in userspace mode and force userspace firewall was requested.
 	if iface.IsUserspaceBind() && forceUserspaceFirewall() {
+		nativeFw, err := createNativeFirewall(iface, stateManager, disableServerRoutes, mtu)
+		if err != nil {
+			log.Warnf("failed to create native firewall: %v. Proceeding without it", err)
+		}
+
 		log.Info("forcing userspace firewall")
-		return createUserspaceFirewall(iface, nil, disableServerRoutes, flowLogger, mtu)
+		return createUserspaceFirewall(iface, nativeFw, disableServerRoutes, flowLogger, mtu)
 	}

 	// Use native firewall for either kernel or userspace, the interface appears identical to netfilter
 	fm, err := createNativeFirewall(iface, stateManager, disableServerRoutes, mtu)
-
-	// Kernel cannot fall back to anything else, need to return error
-	if !iface.IsUserspaceBind() {
-		return fm, err
-	}
-
-	// Fall back to the userspace packet filter if native is unavailable
-	if err != nil {
-		log.Warnf("failed to create native firewall: %v. Proceeding with userspace", err)
+	switch {
+	case err == nil && !iface.IsUserspaceBind():
+		// Nothing to do, fall through
+	case err == nil && iface.IsUserspaceBind():
+		// Native firewall handles packet filtering, but the userspace WireGuard bind
+		// needs a device filter for DNS interception hooks. Install a minimal
+		// hooks-only filter that passes all traffic through to the kernel firewall.
+		if err := iface.SetFilter(&uspfilter.HooksFilter{}); err != nil {
+			log.Warnf("failed to set hooks filter, DNS via memory hooks will not work: %v", err)
+		}
+	case err != nil && !iface.IsUserspaceBind():
+		// Kernel cannot fall back to anything else, need to return error
+		return nil, err
+	case err != nil && iface.IsUserspaceBind():
+		// Fall back to the userspace packet filter if native is unavailable
+		logNativeFirewallUnavailable(err)
 		return createUserspaceFirewall(iface, nil, disableServerRoutes, flowLogger, mtu)
 	}

-	// Native firewall handles packet filtering, but the userspace WireGuard bind
-	// needs a device filter for DNS interception hooks. Install a minimal
-	// hooks-only filter that passes all traffic through to the kernel firewall.
-	if err := iface.SetFilter(&uspfilter.HooksFilter{}); err != nil {
-		log.Warnf("failed to set hooks filter, DNS via memory hooks will not work: %v", err)
-	}
-
 	return fm, nil
 }

+// createUserspaceFirewall builds the userspace packet filter, optionally
+// backed by a native firewall, and allows netbird interface traffic.
+func createUserspaceFirewall(iface IFaceMapper, nativeFw firewall.Manager, disableServerRoutes bool, flowLogger nftypes.FlowLogger, mtu uint16) (firewall.Manager, error) {
+	fm, err := uspfilter.Create(iface, nativeFw, disableServerRoutes, flowLogger, mtu)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := fm.AllowNetbird(); err != nil {
+		log.Errorf("failed to allow netbird interface traffic: %v", err)
+	}
+	return fm, nil
+}
+
+// logNativeFirewallUnavailable logs the fallback to userspace at info level
+// when no kernel firewall backend exists, and at warn level otherwise.
+func logNativeFirewallUnavailable(err error) {
+	if errors.Is(err, errNoFirewallManager) {
+		log.Infof("no native firewall backend available: %v. Proceeding with userspace", err)
+	} else {
+		log.Warnf("failed to create native firewall: %v. Proceeding with userspace", err)
+	}
+}
+
 func createNativeFirewall(iface IFaceMapper, stateManager *statemanager.Manager, routes bool, mtu uint16) (firewall.Manager, error) {
 	fm, err := createFW(iface, mtu)
 	if err != nil {
-		return nil, fmt.Errorf("create firewall: %s", err)
+		return nil, fmt.Errorf("create firewall: %w", err)
 	}

 	if err = fm.Init(stateManager); err != nil {
@@ -88,29 +121,10 @@ func createFW(iface IFaceMapper, mtu uint16) (firewall.Manager, error) {
 		log.Info("creating an nftables firewall manager")
 		return nbnftables.Create(iface, mtu)
 	default:
-		log.Info("no firewall manager found, trying to use userspace packet filtering firewall")
-		return nil, errors.New("no firewall manager found")
+		return nil, errNoFirewallManager
 	}
 }

-func createUserspaceFirewall(iface IFaceMapper, fm firewall.Manager, disableServerRoutes bool, flowLogger nftypes.FlowLogger, mtu uint16) (firewall.Manager, error) {
-	var errUsp error
-	if fm != nil {
-		fm, errUsp = uspfilter.CreateWithNativeFirewall(iface, fm, disableServerRoutes, flowLogger, mtu)
-	} else {
-		fm, errUsp = uspfilter.Create(iface, disableServerRoutes, flowLogger, mtu)
-	}
-
-	if errUsp != nil {
-		return nil, fmt.Errorf("create userspace firewall: %s", errUsp)
-	}
-
-	if err := fm.AllowNetbird(); err != nil {
-		log.Errorf("failed to allow netbird interface traffic: %v", err)
-	}
-	return fm, nil
-}
-
 // check returns the firewall type based on common lib checks. It returns UNKNOWN if no firewall is found.
 func check() FWType {
 	useIPTABLES := false
@@ -132,35 +146,38 @@ func check() FWType {
 		}
 	}

-	nf := nftables.Conn{}
-	if chains, err := nf.ListChains(); err == nil && os.Getenv(SKIP_NFTABLES_ENV) != "true" {
-		if !useIPTABLES {
-			return NFTABLES
-		}
-
-		// search for chains where table is filter
-		// if we find one, we assume that nftables manager can be used with iptables
-		for _, chain := range chains {
-			if chain.Table.Name == "filter" {
+	// Honor the skip env before probing nftables at all.
+	if os.Getenv(SkipNftablesEnv) != "true" {
+		nf := nftables.Conn{}
+		if chains, err := nf.ListChains(); err == nil {
+			if !useIPTABLES {
 				return NFTABLES
 			}
-		}

-		// check tables for the following constraints:
-		// 1. there is no chain in nftables for the filter table and there is at least one chain in iptables, we assume that nftables manager can not be used
-		// 2. there is no tables or more than one table, we assume that nftables manager can be used
-		// 3. there is only one table and its name is filter, we assume that nftables manager can not be used, since there was no chain in it
-		// 4. if we find an error we log and continue with iptables check
-		nbTablesList, err := nf.ListTables()
-		switch {
-		case err == nil && len(iptablesChains) > 0:
-			return IPTABLES
-		case err == nil && len(nbTablesList) != 1:
-			return NFTABLES
-		case err == nil && len(nbTablesList) == 1 && nbTablesList[0].Name == "filter":
-			return IPTABLES
-		case err != nil:
-			log.Errorf("failed to list nftables tables on fw manager discovery: %s", err)
+			// search for chains where table is filter
+			// if we find one, we assume that nftables manager can be used with iptables
+			for _, chain := range chains {
+				if chain.Table.Name == "filter" {
+					return NFTABLES
+				}
+			}
+
+			// check tables for the following constraints:
+			// 1. there is no chain in nftables for the filter table and there is at least one chain in iptables, we assume that nftables manager can not be used
+			// 2. there is no tables or more than one table, we assume that nftables manager can be used
+			// 3. there is only one table and its name is filter, we assume that nftables manager can not be used, since there was no chain in it
+			// 4. if we find an error we log and continue with iptables check
+			nbTablesList, err := nf.ListTables()
+			switch {
+			case err == nil && len(iptablesChains) > 0:
+				return IPTABLES
+			case err == nil && len(nbTablesList) != 1:
+				return NFTABLES
+			case err == nil && len(nbTablesList) == 1 && nbTablesList[0].Name == "filter":
+				return IPTABLES
+			case err != nil:
+				log.Errorf("failed to list nftables tables on fw manager discovery: %s", err)
+			}
 		}
 	}

--- a/client/firewall/iptables/acl_linux.go
+++ b/client/firewall/iptables/acl_linux.go
@@ -1,529 +0,0 @@
-package iptables
-
-import (
-	"errors"
-	"fmt"
-	"net"
-	"slices"
-
-	"github.com/coreos/go-iptables/iptables"
-	"github.com/google/uuid"
-	ipset "github.com/lrh3321/ipset-go"
-	log "github.com/sirupsen/logrus"
-
-	firewall "github.com/netbirdio/netbird/client/firewall/manager"
-	"github.com/netbirdio/netbird/client/internal/statemanager"
-	nbnet "github.com/netbirdio/netbird/client/net"
-)
-
-const (
-	tableName = "filter"
-
-	// rules chains contains the effective ACL rules
-	chainNameInputRules = "NETBIRD-ACL-INPUT"
-
-	// mangleFwdKey is the entries map key for mangle FORWARD guard rules that prevent
-	// external DNAT from bypassing ACL rules.
-	mangleFwdKey = "MANGLE-FORWARD"
-)
-
-type aclEntries map[string][][]string
-
-type entry struct {
-	spec     []string
-	position int
-}
-
-type aclManager struct {
-	iptablesClient  *iptables.IPTables
-	wgIface         iFaceMapper
-	entries         aclEntries
-	optionalEntries map[string][]entry
-	ipsetStore      *ipsetStore
-
-	stateManager *statemanager.Manager
-}
-
-func newAclManager(iptablesClient *iptables.IPTables, wgIface iFaceMapper) (*aclManager, error) {
-	return &aclManager{
-		iptablesClient:  iptablesClient,
-		wgIface:         wgIface,
-		entries:         make(map[string][][]string),
-		optionalEntries: make(map[string][]entry),
-		ipsetStore:      newIpsetStore(),
-	}, nil
-}
-
-func (m *aclManager) init(stateManager *statemanager.Manager) error {
-	m.stateManager = stateManager
-
-	m.seedInitialEntries()
-	m.seedInitialOptionalEntries()
-
-	if err := m.cleanChains(); err != nil {
-		return fmt.Errorf("clean chains: %w", err)
-	}
-
-	if err := m.createDefaultChains(); err != nil {
-		return fmt.Errorf("create default chains: %w", err)
-	}
-
-	m.updateState()
-
-	return nil
-}
-
-func (m *aclManager) AddPeerFiltering(
-	id []byte,
-	ip net.IP,
-	protocol firewall.Protocol,
-	sPort *firewall.Port,
-	dPort *firewall.Port,
-	action firewall.Action,
-	ipsetName string,
-) ([]firewall.Rule, error) {
-	chain := chainNameInputRules
-
-	ipsetName = transformIPsetName(ipsetName, sPort, dPort, action)
-	specs := filterRuleSpecs(ip, string(protocol), sPort, dPort, action, ipsetName)
-
-	mangleSpecs := slices.Clone(specs)
-	mangleSpecs = append(mangleSpecs,
-		"-i", m.wgIface.Name(),
-		"-m", "addrtype", "--dst-type", "LOCAL",
-		"-j", "MARK", "--set-xmark", fmt.Sprintf("%#x", nbnet.PreroutingFwmarkRedirected),
-	)
-
-	specs = append(specs, "-j", actionToStr(action))
-	if ipsetName != "" {
-		if ipList, ipsetExists := m.ipsetStore.ipset(ipsetName); ipsetExists {
-			if err := m.addToIPSet(ipsetName, ip); err != nil {
-				return nil, fmt.Errorf("add IP to ipset: %w", err)
-			}
-			// if ruleset already exists it means we already have the firewall rule
-			// so we need to update IPs in the ruleset and return new fw.Rule object for ACL manager.
-			ipList.addIP(ip.String())
-			return []firewall.Rule{&Rule{
-				ruleID:    uuid.New().String(),
-				ipsetName: ipsetName,
-				ip:        ip.String(),
-				chain:     chain,
-				specs:     specs,
-			}}, nil
-		}
-
-		if err := m.flushIPSet(ipsetName); err != nil {
-			if errors.Is(err, ipset.ErrSetNotExist) {
-				log.Debugf("flush ipset %s before use: %v", ipsetName, err)
-			} else {
-				log.Errorf("flush ipset %s before use: %v", ipsetName, err)
-			}
-		}
-		if err := m.createIPSet(ipsetName); err != nil {
-			return nil, fmt.Errorf("create ipset: %w", err)
-		}
-		if err := m.addToIPSet(ipsetName, ip); err != nil {
-			return nil, fmt.Errorf("add IP to ipset: %w", err)
-		}
-
-		ipList := newIpList(ip.String())
-		m.ipsetStore.addIpList(ipsetName, ipList)
-	}
-
-	ok, err := m.iptablesClient.Exists(tableFilter, chain, specs...)
-	if err != nil {
-		return nil, fmt.Errorf("failed to check rule: %w", err)
-	}
-	if ok {
-		return nil, fmt.Errorf("rule already exists")
-	}
-
-	// Insert DROP rules at the beginning, append ACCEPT rules at the end
-	if action == firewall.ActionDrop {
-		// Insert at the beginning of the chain (position 1)
-		err = m.iptablesClient.Insert(tableFilter, chain, 1, specs...)
-	} else {
-		err = m.iptablesClient.Append(tableFilter, chain, specs...)
-	}
-	if err != nil {
-		return nil, err
-	}
-
-	if err := m.iptablesClient.Append(tableMangle, chainRTPRE, mangleSpecs...); err != nil {
-		log.Errorf("failed to add mangle rule: %v", err)
-		mangleSpecs = nil
-	}
-
-	rule := &Rule{
-		ruleID:      uuid.New().String(),
-		specs:       specs,
-		mangleSpecs: mangleSpecs,
-		ipsetName:   ipsetName,
-		ip:          ip.String(),
-		chain:       chain,
-	}
-
-	m.updateState()
-
-	return []firewall.Rule{rule}, nil
-}
-
-// DeletePeerRule from the firewall by rule definition
-func (m *aclManager) DeletePeerRule(rule firewall.Rule) error {
-	r, ok := rule.(*Rule)
-	if !ok {
-		return fmt.Errorf("invalid rule type")
-	}
-
-	shouldDestroyIpset := false
-	if ipsetList, ok := m.ipsetStore.ipset(r.ipsetName); ok {
-		// delete IP from ruleset IPs list and ipset
-		if _, ok := ipsetList.ips[r.ip]; ok {
-			ip := net.ParseIP(r.ip)
-			if ip == nil {
-				return fmt.Errorf("parse IP %s", r.ip)
-			}
-			if err := m.delFromIPSet(r.ipsetName, ip); err != nil {
-				return fmt.Errorf("delete ip from ipset: %w", err)
-			}
-			delete(ipsetList.ips, r.ip)
-		}
-
-		// if after delete, set still contains other IPs,
-		// no need to delete firewall rule and we should exit here
-		if len(ipsetList.ips) != 0 {
-			return nil
-		}
-
-		// we delete last IP from the set, that means we need to delete
-		// set itself and associated firewall rule too
-		m.ipsetStore.deleteIpset(r.ipsetName)
-		shouldDestroyIpset = true
-	}
-
-	if err := m.iptablesClient.Delete(tableName, r.chain, r.specs...); err != nil {
-		return fmt.Errorf("failed to delete rule: %s, %v: %w", r.chain, r.specs, err)
-	}
-
-	if r.mangleSpecs != nil {
-		if err := m.iptablesClient.Delete(tableMangle, chainRTPRE, r.mangleSpecs...); err != nil {
-			log.Errorf("failed to delete mangle rule: %v", err)
-		}
-	}
-
-	if shouldDestroyIpset {
-		if err := m.destroyIPSet(r.ipsetName); err != nil {
-			if errors.Is(err, ipset.ErrBusy) || errors.Is(err, ipset.ErrSetNotExist) {
-				log.Debugf("destroy empty ipset: %v", err)
-			} else {
-				log.Errorf("destroy empty ipset: %v", err)
-			}
-		}
-	}
-
-	m.updateState()
-
-	return nil
-}
-
-func (m *aclManager) Reset() error {
-	if err := m.cleanChains(); err != nil {
-		return fmt.Errorf("clean chains: %w", err)
-	}
-
-	m.updateState()
-
-	return nil
-}
-
-// todo write less destructive cleanup mechanism
-func (m *aclManager) cleanChains() error {
-	ok, err := m.iptablesClient.ChainExists(tableName, chainNameInputRules)
-	if err != nil {
-		log.Debugf("failed to list chains: %s", err)
-		return err
-	}
-	if ok {
-		for _, rule := range m.entries["INPUT"] {
-			err := m.iptablesClient.DeleteIfExists(tableName, "INPUT", rule...)
-			if err != nil {
-				log.Errorf("failed to delete rule: %v, %s", rule, err)
-			}
-		}
-
-		for _, rule := range m.entries["FORWARD"] {
-			err := m.iptablesClient.DeleteIfExists(tableName, "FORWARD", rule...)
-			if err != nil {
-				log.Errorf("failed to delete rule: %v, %s", rule, err)
-			}
-		}
-
-		err = m.iptablesClient.ClearAndDeleteChain(tableName, chainNameInputRules)
-		if err != nil {
-			log.Debugf("failed to clear and delete %s chain: %s", chainNameInputRules, err)
-			return err
-		}
-	}
-
-	ok, err = m.iptablesClient.ChainExists("mangle", "PREROUTING")
-	if err != nil {
-		return fmt.Errorf("list chains: %w", err)
-	}
-	if ok {
-		for _, rule := range m.entries["PREROUTING"] {
-			err := m.iptablesClient.DeleteIfExists("mangle", "PREROUTING", rule...)
-			if err != nil {
-				log.Errorf("failed to delete rule: %v, %s", rule, err)
-			}
-		}
-	}
-
-	for _, rule := range m.entries[mangleFwdKey] {
-		if err := m.iptablesClient.DeleteIfExists(tableMangle, chainFORWARD, rule...); err != nil {
-			log.Errorf("failed to delete mangle FORWARD guard rule: %v, %s", rule, err)
-		}
-	}
-
-	for _, ipsetName := range m.ipsetStore.ipsetNames() {
-		if err := m.flushIPSet(ipsetName); err != nil {
-			if errors.Is(err, ipset.ErrSetNotExist) {
-				log.Debugf("flush ipset %q during reset: %v", ipsetName, err)
-			} else {
-				log.Errorf("flush ipset %q during reset: %v", ipsetName, err)
-			}
-		}
-		if err := m.destroyIPSet(ipsetName); err != nil {
-			if errors.Is(err, ipset.ErrBusy) || errors.Is(err, ipset.ErrSetNotExist) {
-				log.Debugf("destroy ipset %q during reset: %v", ipsetName, err)
-			} else {
-				log.Errorf("destroy ipset %q during reset: %v", ipsetName, err)
-			}
-		}
-		m.ipsetStore.deleteIpset(ipsetName)
-	}
-
-	return nil
-}
-
-func (m *aclManager) createDefaultChains() error {
-	// chain netbird-acl-input-rules
-	if err := m.iptablesClient.NewChain(tableName, chainNameInputRules); err != nil {
-		log.Debugf("failed to create '%s' chain: %s", chainNameInputRules, err)
-		return err
-	}
-
-	for chainName, rules := range m.entries {
-		// mangle FORWARD guard rules are handled separately below
-		if chainName == mangleFwdKey {
-			continue
-		}
-		for _, rule := range rules {
-			if err := m.iptablesClient.InsertUnique(tableName, chainName, 1, rule...); err != nil {
-				log.Debugf("failed to create input chain jump rule: %s", err)
-				return err
-			}
-		}
-	}
-
-	for chainName, entries := range m.optionalEntries {
-		for _, entry := range entries {
-			if err := m.iptablesClient.InsertUnique(tableName, chainName, entry.position, entry.spec...); err != nil {
-				log.Errorf("failed to insert optional entry %v: %v", entry.spec, err)
-				continue
-			}
-			m.entries[chainName] = append(m.entries[chainName], entry.spec)
-		}
-	}
-	clear(m.optionalEntries)
-
-	// Insert mangle FORWARD guard rules to prevent external DNAT bypass.
-	for _, rule := range m.entries[mangleFwdKey] {
-		if err := m.iptablesClient.AppendUnique(tableMangle, chainFORWARD, rule...); err != nil {
-			log.Errorf("failed to add mangle FORWARD guard rule: %v", err)
-		}
-	}
-
-	return nil
-}
-
-// seedInitialEntries adds default rules to the entries map, rules are inserted on pos 1, hence the order is reversed.
-// We want to make sure our traffic is not dropped by existing rules.
-
-// The existing FORWARD rules/policies decide outbound traffic towards our interface.
-// In case the FORWARD policy is set to "drop", we add an established/related rule to allow return traffic for the inbound rule.
-func (m *aclManager) seedInitialEntries() {
-	established := getConntrackEstablished()
-
-	m.appendToEntries("INPUT", []string{"-i", m.wgIface.Name(), "-j", "DROP"})
-	m.appendToEntries("INPUT", []string{"-i", m.wgIface.Name(), "-j", chainNameInputRules})
-	m.appendToEntries("INPUT", append([]string{"-i", m.wgIface.Name()}, established...))
-
-	// Inbound is handled by our ACLs, the rest is dropped.
-	// For outbound we respect the FORWARD policy. However, we need to allow established/related traffic for inbound rules.
-	m.appendToEntries("FORWARD", []string{"-i", m.wgIface.Name(), "-j", "DROP"})
-
-	m.appendToEntries("FORWARD", []string{"-o", m.wgIface.Name(), "-j", chainRTFWDOUT})
-	m.appendToEntries("FORWARD", []string{"-i", m.wgIface.Name(), "-j", chainRTFWDIN})
-
-	// Mangle FORWARD guard: when external DNAT redirects traffic from the wg interface, it
-	// traverses FORWARD instead of INPUT, bypassing ACL rules. ACCEPT rules in filter FORWARD
-	// can be inserted above ours. Mangle runs before filter, so these guard rules enforce the
-	// ACL mark check where it cannot be overridden.
-	m.appendToEntries(mangleFwdKey, []string{
-		"-i", m.wgIface.Name(),
-		"-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED",
-		"-j", "ACCEPT",
-	})
-	m.appendToEntries(mangleFwdKey, []string{
-		"-i", m.wgIface.Name(),
-		"-m", "conntrack", "--ctstate", "DNAT",
-		"-m", "mark", "!", "--mark", fmt.Sprintf("%#x", nbnet.PreroutingFwmarkRedirected),
-		"-j", "DROP",
-	})
-}
-
-func (m *aclManager) seedInitialOptionalEntries() {
-	m.optionalEntries["FORWARD"] = []entry{
-		{
-			spec:     []string{"-m", "mark", "--mark", fmt.Sprintf("%#x", nbnet.PreroutingFwmarkRedirected), "-j", "ACCEPT"},
-			position: 2,
-		},
-	}
-}
-
-func (m *aclManager) appendToEntries(chainName string, spec []string) {
-	m.entries[chainName] = append(m.entries[chainName], spec)
-}
-
-func (m *aclManager) updateState() {
-	if m.stateManager == nil {
-		return
-	}
-
-	var currentState *ShutdownState
-	if existing := m.stateManager.GetState(currentState); existing != nil {
-		if existingState, ok := existing.(*ShutdownState); ok {
-			currentState = existingState
-		}
-	}
-	if currentState == nil {
-		currentState = &ShutdownState{}
-	}
-
-	currentState.Lock()
-	defer currentState.Unlock()
-
-	currentState.ACLEntries = m.entries
-	currentState.ACLIPsetStore = m.ipsetStore
-
-	if err := m.stateManager.UpdateState(currentState); err != nil {
-		log.Errorf("failed to update state: %v", err)
-	}
-}
-
-// filterRuleSpecs returns the specs of a filtering rule
-func filterRuleSpecs(ip net.IP, protocol string, sPort, dPort *firewall.Port, action firewall.Action, ipsetName string) (specs []string) {
-	// don't use IP matching if IP is 0.0.0.0
-	matchByIP := !ip.IsUnspecified()
-
-	if matchByIP {
-		if ipsetName != "" {
-			specs = append(specs, "-m", "set", "--set", ipsetName, "src")
-		} else {
-			specs = append(specs, "-s", ip.String())
-		}
-	}
-	if protocol != "all" {
-		specs = append(specs, "-p", protocol)
-	}
-	specs = append(specs, applyPort("--sport", sPort)...)
-	specs = append(specs, applyPort("--dport", dPort)...)
-	return specs
-}
-
-func actionToStr(action firewall.Action) string {
-	if action == firewall.ActionAccept {
-		return "ACCEPT"
-	}
-	return "DROP"
-}
-
-func transformIPsetName(ipsetName string, sPort, dPort *firewall.Port, action firewall.Action) string {
-	if ipsetName == "" {
-		return ""
-	}
-
-	actionSuffix := ""
-	if action == firewall.ActionDrop {
-		actionSuffix = "-drop"
-	}
-
-	switch {
-	case sPort != nil && dPort != nil:
-		return ipsetName + "-sport-dport" + actionSuffix
-	case sPort != nil:
-		return ipsetName + "-sport" + actionSuffix
-	case dPort != nil:
-		return ipsetName + "-dport" + actionSuffix
-	default:
-		return ipsetName + actionSuffix
-	}
-}
-
-func (m *aclManager) createIPSet(name string) error {
-	opts := ipset.CreateOptions{
-		Replace: true,
-	}
-
-	if err := ipset.Create(name, ipset.TypeHashNet, opts); err != nil {
-		return fmt.Errorf("create ipset %s: %w", name, err)
-	}
-
-	log.Debugf("created ipset %s with type hash:net", name)
-	return nil
-}
-
-func (m *aclManager) addToIPSet(name string, ip net.IP) error {
-	cidr := uint8(32)
-	if ip.To4() == nil {
-		cidr = 128
-	}
-
-	entry := &ipset.Entry{
-		IP:      ip,
-		CIDR:    cidr,
-		Replace: true,
-	}
-
-	if err := ipset.Add(name, entry); err != nil {
-		return fmt.Errorf("add IP to ipset %s: %w", name, err)
-	}
-
-	return nil
-}
-
-func (m *aclManager) delFromIPSet(name string, ip net.IP) error {
-	cidr := uint8(32)
-	if ip.To4() == nil {
-		cidr = 128
-	}
-
-	entry := &ipset.Entry{
-		IP:   ip,
-		CIDR: cidr,
-	}
-
-	if err := ipset.Del(name, entry); err != nil {
-		return fmt.Errorf("delete IP from ipset %s: %w", name, err)
-	}
-
-	return nil
-}
-
-func (m *aclManager) flushIPSet(name string) error {
-	return ipset.Flush(name)
-}
-
-func (m *aclManager) destroyIPSet(name string) error {
-	return ipset.Destroy(name)
-}
--- a/client/firewall/iptables/chains_linux.go
+++ b/client/firewall/iptables/chains_linux.go
@@ -0,0 +1,352 @@
+//go:build !android
+
+package iptables
+
+import (
+	"fmt"
+
+	"github.com/hashicorp/go-multierror"
+	log "github.com/sirupsen/logrus"
+
+	nberrors "github.com/netbirdio/netbird/client/errors"
+	firewall "github.com/netbirdio/netbird/client/firewall/manager"
+	nbnet "github.com/netbirdio/netbird/client/net"
+)
+
+func (r *family) createContainers() error {
+	for _, chainInfo := range []struct {
+		chain string
+		table string
+	}{
+		{chainRTFwdIn, tableFilter},
+		{chainRTFwdOut, tableFilter},
+		{chainRTPre, tableMangle},
+		{chainRTNAT, tableNat},
+		{chainRTRdr, tableNat},
+		{chainRTMSSClamp, tableMangle},
+	} {
+		// Fallback: clear chains that survived an unclean shutdown.
+		if ok, _ := r.iptablesClient.ChainExists(chainInfo.table, chainInfo.chain); ok {
+			if err := r.iptablesClient.ClearAndDeleteChain(chainInfo.table, chainInfo.chain); err != nil {
+				log.Warnf("clear stale chain %s in %s: %v", chainInfo.chain, chainInfo.table, err)
+			}
+		}
+		if err := r.iptablesClient.NewChain(chainInfo.table, chainInfo.chain); err != nil {
+			return fmt.Errorf("create chain %s in table %s: %w", chainInfo.chain, chainInfo.table, err)
+		}
+	}
+
+	if err := r.insertEstablishedRule(chainRTFwdIn); err != nil {
+		return fmt.Errorf("insert established rule: %w", err)
+	}
+
+	if err := r.insertEstablishedRule(chainRTFwdOut); err != nil {
+		return fmt.Errorf("insert established rule: %w", err)
+	}
+
+	if err := r.addPostroutingRules(); err != nil {
+		return fmt.Errorf("add static nat rules: %w", err)
+	}
+
+	if err := r.addJumpRules(); err != nil {
+		return fmt.Errorf("add jump rules: %w", err)
+	}
+
+	if err := r.addMSSClampingRules(); err != nil {
+		log.Errorf("failed to add MSS clamping rules: %s", err)
+	}
+
+	return nil
+}
+
+func (r *family) addJumpRules() error {
+	// Jump to nat chain
+	natRule := []string{"-j", chainRTNAT}
+	if err := r.iptablesClient.Insert(tableNat, chainPostrouting, 1, natRule...); err != nil {
+		return fmt.Errorf("add nat postrouting jump rule: %w", err)
+	}
+	r.rules[jumpNATPost] = natRule
+
+	// Jump to mangle prerouting chain
+	preRule := []string{"-j", chainRTPre}
+	if err := r.iptablesClient.Insert(tableMangle, chainPrerouting, 1, preRule...); err != nil {
+		return fmt.Errorf("add mangle prerouting jump rule: %w", err)
+	}
+	r.rules[jumpManglePre] = preRule
+
+	// Jump to nat prerouting chain
+	rdrRule := []string{"-j", chainRTRdr}
+	if err := r.iptablesClient.Insert(tableNat, chainPrerouting, 1, rdrRule...); err != nil {
+		return fmt.Errorf("add nat prerouting jump rule: %w", err)
+	}
+	r.rules[jumpNATPre] = rdrRule
+
+	return nil
+}
+
+func (r *family) setupDataPlaneMark() error {
+	var merr *multierror.Error
+	preRule := []string{
+		"-i", r.wgIface.Name(),
+		"-m", "conntrack", "--ctstate", "NEW",
+		"-j", "CONNMARK", "--set-mark", fmt.Sprintf("%#x", nbnet.DataPlaneMarkIn),
+	}
+
+	if err := r.iptablesClient.AppendUnique(tableMangle, chainPrerouting, preRule...); err != nil {
+		merr = multierror.Append(merr, fmt.Errorf("add mangle prerouting rule: %w", err))
+	} else {
+		r.rules[markManglePre] = preRule
+	}
+
+	postRule := []string{
+		"-o", r.wgIface.Name(),
+		"-m", "conntrack", "--ctstate", "NEW",
+		"-j", "CONNMARK", "--set-mark", fmt.Sprintf("%#x", nbnet.DataPlaneMarkOut),
+	}
+
+	if err := r.iptablesClient.AppendUnique(tableMangle, chainPostrouting, postRule...); err != nil {
+		merr = multierror.Append(merr, fmt.Errorf("add mangle postrouting rule: %w", err))
+	} else {
+		r.rules[markManglePost] = postRule
+	}
+
+	return nberrors.FormatErrorOrNil(merr)
+}
+
+// seedInitialEntries adds default rules to the entries map. Rules are
+// inserted at position 1, so the order here is reversed.
+//
+// Existing FORWARD policy decides outbound traffic towards our
+// interface. If FORWARD policy is "drop", we add an
+// established/related rule to allow return traffic for inbound rules.
+func (r *family) seedInitialEntries() {
+	established := getConntrackEstablished()
+
+	r.appendToEntries(chainInput, []string{"-i", r.wgIface.Name(), "-j", "DROP"})
+	r.appendToEntries(chainInput, []string{"-i", r.wgIface.Name(), "-j", chainACLInput})
+	r.appendToEntries(chainInput, append([]string{"-i", r.wgIface.Name()}, established...))
+
+	r.appendToEntries(chainForward, []string{"-i", r.wgIface.Name(), "-j", "DROP"})
+	r.appendToEntries(chainForward, []string{"-o", r.wgIface.Name(), "-j", chainRTFwdOut})
+	r.appendToEntries(chainForward, []string{"-i", r.wgIface.Name(), "-j", chainRTFwdIn})
+
+	// Mangle FORWARD guard: when external DNAT redirects traffic from
+	// the wg interface, it traverses FORWARD instead of INPUT,
+	// bypassing ACL rules. ACCEPT rules in filter FORWARD can be
+	// inserted above ours. Mangle runs before filter, so these guard
+	// rules enforce the ACL mark check where it cannot be overridden.
+	r.appendToEntries(mangleForwardKey, []string{
+		"-i", r.wgIface.Name(),
+		"-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED",
+		"-j", "ACCEPT",
+	})
+	r.appendToEntries(mangleForwardKey, []string{
+		"-i", r.wgIface.Name(),
+		"-m", "conntrack", "--ctstate", "DNAT",
+		"-m", "mark", "!", "--mark", fmt.Sprintf("%#x", nbnet.PreroutingFwmarkRedirected),
+		"-j", "DROP",
+	})
+}
+
+func (r *family) seedInitialOptionalEntries() {
+	r.optionalEntries[chainForward] = []entry{
+		{
+			spec:     []string{"-m", "mark", "--mark", fmt.Sprintf("%#x", nbnet.PreroutingFwmarkRedirected), "-j", "ACCEPT"},
+			position: 2,
+		},
+	}
+}
+
+func (r *family) appendToEntries(chain chainKey, spec ruleSpec) {
+	r.entries[chain] = append(r.entries[chain], spec)
+}
+
+func (r *family) createDefaultChains() error {
+	if err := r.iptablesClient.NewChain(tableName, chainACLInput); err != nil {
+		return fmt.Errorf("create %s chain: %w", chainACLInput, err)
+	}
+
+	for chain, rules := range r.entries {
+		// mangle FORWARD guard rules are handled separately below
+		if chain == mangleForwardKey {
+			continue
+		}
+		for _, rule := range rules {
+			if err := r.iptablesClient.InsertUnique(tableName, string(chain), 1, rule...); err != nil {
+				return fmt.Errorf("insert jump rule into %s: %w", chain, err)
+			}
+		}
+	}
+
+	for chain, entries := range r.optionalEntries {
+		for _, entry := range entries {
+			if err := r.iptablesClient.InsertUnique(tableName, string(chain), entry.position, entry.spec...); err != nil {
+				log.Errorf("failed to insert optional entry %v: %v", entry.spec, err)
+				continue
+			}
+			r.entries[chain] = append(r.entries[chain], entry.spec)
+		}
+	}
+	clear(r.optionalEntries)
+
+	// Insert mangle FORWARD guard rules to prevent external DNAT bypass.
+	for _, rule := range r.entries[mangleForwardKey] {
+		if err := r.iptablesClient.AppendUnique(tableMangle, chainForward, rule...); err != nil {
+			log.Errorf("failed to add mangle FORWARD guard rule: %v", err)
+		}
+	}
+
+	return nil
+}
+
+func (r *family) cleanUpDefaultForwardRules() error {
+	var merr *multierror.Error
+
+	// cleanJumpRules removes the OUTPUT jump to NETBIRD-NAT-OUTPUT among
+	// the others, so the chain below deletes cleanly instead of failing
+	// with "device or resource busy".
+	if err := r.cleanJumpRules(); err != nil {
+		merr = multierror.Append(merr, fmt.Errorf("clean jump rules: %w", err))
+	}
+
+	for _, chainInfo := range []struct {
+		chain string
+		table string
+	}{
+		{chainRTFwdIn, tableFilter},
+		{chainRTFwdOut, tableFilter},
+		{chainRTPre, tableMangle},
+		{chainRTNAT, tableNat},
+		{chainRTRdr, tableNat},
+		{chainNATOutput, tableNat},
+		{chainRTMSSClamp, tableMangle},
+	} {
+		ok, err := r.iptablesClient.ChainExists(chainInfo.table, chainInfo.chain)
+		if err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("check chain %s in table %s: %w", chainInfo.chain, chainInfo.table, err))
+			continue
+		}
+		if ok {
+			if err := r.iptablesClient.ClearAndDeleteChain(chainInfo.table, chainInfo.chain); err != nil {
+				merr = multierror.Append(merr, fmt.Errorf("clear and delete chain %s in table %s: %w", chainInfo.chain, chainInfo.table, err))
+			}
+		}
+	}
+
+	return nberrors.FormatErrorOrNil(merr)
+}
+
+func (r *family) cleanJumpRules() error {
+	// locations maps each tracked jump rule to the built-in table and
+	// chain it was inserted into.
+	locations := map[firewall.RuleID]struct{ table, chain string }{
+		jumpNATPost:   {tableNat, chainPostrouting},
+		jumpManglePre: {tableMangle, chainPrerouting},
+		jumpNATPre:    {tableNat, chainPrerouting},
+		jumpMSSClamp:  {tableMangle, chainForward},
+		jumpNATOutput: {tableNat, chainOutput},
+	}
+
+	var merr *multierror.Error
+	for ruleID, loc := range locations {
+		rule, exists := r.rules[ruleID]
+		if !exists {
+			continue
+		}
+		if err := r.iptablesClient.DeleteIfExists(loc.table, loc.chain, rule...); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("delete rule from chain %s in table %s: %w", loc.chain, loc.table, err))
+			continue
+		}
+		delete(r.rules, ruleID)
+	}
+	return nberrors.FormatErrorOrNil(merr)
+}
+
+func (r *family) cleanAclChains() error {
+	var merr *multierror.Error
+
+	if err := r.cleanInputAclChain(); err != nil {
+		merr = multierror.Append(merr, err)
+	}
+
+	if err := r.cleanPreroutingEntries(); err != nil {
+		merr = multierror.Append(merr, err)
+	}
+
+	for _, rule := range r.entries[mangleForwardKey] {
+		if err := r.iptablesClient.DeleteIfExists(tableMangle, chainForward, rule...); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("delete mangle %s guard rule %v: %w", chainForward, rule, err))
+		}
+	}
+
+	return nberrors.FormatErrorOrNil(merr)
+}
+
+func (r *family) cleanInputAclChain() error {
+	ok, err := r.iptablesClient.ChainExists(tableName, chainACLInput)
+	if err != nil {
+		return fmt.Errorf("check chain %s: %w", chainACLInput, err)
+	}
+	if !ok {
+		return nil
+	}
+
+	var merr *multierror.Error
+	for _, rule := range r.entries[chainInput] {
+		if err := r.iptablesClient.DeleteIfExists(tableName, chainInput, rule...); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("delete %s rule %v: %w", chainInput, rule, err))
+		}
+	}
+
+	for _, rule := range r.entries[chainForward] {
+		if err := r.iptablesClient.DeleteIfExists(tableName, chainForward, rule...); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("delete %s rule %v: %w", chainForward, rule, err))
+		}
+	}
+
+	if err := r.iptablesClient.ClearAndDeleteChain(tableName, chainACLInput); err != nil {
+		merr = multierror.Append(merr, fmt.Errorf("clear and delete %s chain: %w", chainACLInput, err))
+	}
+
+	return nberrors.FormatErrorOrNil(merr)
+}
+
+func (r *family) cleanPreroutingEntries() error {
+	ok, err := r.iptablesClient.ChainExists(tableMangle, chainPrerouting)
+	if err != nil {
+		return fmt.Errorf("check chain %s in %s: %w", chainPrerouting, tableMangle, err)
+	}
+	if !ok {
+		return nil
+	}
+
+	var merr *multierror.Error
+	for _, rule := range r.entries[chainPrerouting] {
+		if err := r.iptablesClient.DeleteIfExists(tableMangle, chainPrerouting, rule...); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("delete %s rule %v: %w", chainPrerouting, rule, err))
+		}
+	}
+
+	return nberrors.FormatErrorOrNil(merr)
+}
+
+func (r *family) cleanupDataPlaneMark() error {
+	var merr *multierror.Error
+	if preRule, exists := r.rules[markManglePre]; exists {
+		if err := r.iptablesClient.DeleteIfExists(tableMangle, chainPrerouting, preRule...); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("remove mangle prerouting rule: %w", err))
+		} else {
+			delete(r.rules, markManglePre)
+		}
+	}
+
+	if postRule, exists := r.rules[markManglePost]; exists {
+		if err := r.iptablesClient.DeleteIfExists(tableMangle, chainPostrouting, postRule...); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("remove mangle postrouting rule: %w", err))
+		} else {
+			delete(r.rules, markManglePost)
+		}
+	}
+
+	return nberrors.FormatErrorOrNil(merr)
+}
--- a/client/firewall/iptables/dnat_linux.go
+++ b/client/firewall/iptables/dnat_linux.go
@@ -0,0 +1,285 @@
+//go:build !android
+
+package iptables
+
+import (
+	"fmt"
+	"net/netip"
+	"strconv"
+	"strings"
+
+	"github.com/hashicorp/go-multierror"
+	log "github.com/sirupsen/logrus"
+
+	nberrors "github.com/netbirdio/netbird/client/errors"
+	firewall "github.com/netbirdio/netbird/client/firewall/manager"
+)
+
+func (r *family) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error) {
+	ruleID := rule.ID()
+	if _, exists := r.rules[ruleID+dnatSuffix]; exists {
+		return rule, nil
+	}
+
+	toDestination := rule.TranslatedAddress.String()
+	switch {
+	case len(rule.TranslatedPort.Values) == 0:
+		// no translated port, use original port
+	case len(rule.TranslatedPort.Values) == 1:
+		toDestination += fmt.Sprintf(":%d", rule.TranslatedPort.Values[0])
+	case rule.TranslatedPort.IsRange && len(rule.TranslatedPort.Values) == 2:
+		// need the "/originalport" suffix to avoid dnat port randomization
+		toDestination += fmt.Sprintf(":%d-%d/%d", rule.TranslatedPort.Values[0], rule.TranslatedPort.Values[1], rule.DestinationPort.Values[0])
+	default:
+		return nil, fmt.Errorf("invalid translated port: %v", rule.TranslatedPort)
+	}
+
+	proto := strings.ToLower(string(rule.Protocol))
+
+	rules := make(map[firewall.RuleID]ruleInfo, 3)
+
+	// DNAT rule
+	dnatRule := []string{
+		"!", "-i", r.wgIface.Name(),
+		"-p", proto,
+		"-j", "DNAT",
+		"--to-destination", toDestination,
+	}
+	dnatRule = append(dnatRule, applyPort("--dport", &rule.DestinationPort)...)
+	rules[ruleID+dnatSuffix] = ruleInfo{
+		table: tableNat,
+		chain: chainRTRdr,
+		rule:  dnatRule,
+	}
+
+	// SNAT rule
+	snatRule := []string{
+		"-o", r.wgIface.Name(),
+		"-p", proto,
+		"-d", rule.TranslatedAddress.String(),
+		"-j", "MASQUERADE",
+	}
+	snatRule = append(snatRule, applyPort("--dport", &rule.TranslatedPort)...)
+	rules[ruleID+snatSuffix] = ruleInfo{
+		table: tableNat,
+		chain: chainRTNAT,
+		rule:  snatRule,
+	}
+
+	// Forward filtering rule, if fwd policy is DROP
+	forwardRule := []string{
+		"-o", r.wgIface.Name(),
+		"-p", proto,
+		"-d", rule.TranslatedAddress.String(),
+		"-j", "ACCEPT",
+	}
+	forwardRule = append(forwardRule, applyPort("--dport", &rule.TranslatedPort)...)
+	rules[ruleID+fwdSuffix] = ruleInfo{
+		table: tableFilter,
+		chain: chainRTFwdOut,
+		rule:  forwardRule,
+	}
+
+	// Request forwarding once the rule is about to be installed, releasing
+	// it if installation fails so the refcount tracks the real rules.
+	if err := r.ipFwdState.RequestForwarding(); err != nil {
+		return nil, err
+	}
+
+	for key, ruleInfo := range rules {
+		if err := r.iptablesClient.Append(ruleInfo.table, ruleInfo.chain, ruleInfo.rule...); err != nil {
+			if rollbackErr := r.rollbackRules(rules); rollbackErr != nil {
+				log.Errorf("rollback failed: %v", rollbackErr)
+			}
+			r.releaseForwarding()
+			return nil, fmt.Errorf("add rule %s: %w", key, err)
+		}
+		r.rules[key] = ruleInfo.rule
+	}
+
+	r.updateState()
+	return rule, nil
+}
+
+func (r *family) rollbackRules(rules map[firewall.RuleID]ruleInfo) error {
+	var merr *multierror.Error
+	for key, ruleInfo := range rules {
+		if err := r.iptablesClient.DeleteIfExists(ruleInfo.table, ruleInfo.chain, ruleInfo.rule...); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("rollback rule %s: %w", key, err))
+			// On rollback error, add to rules map for next cleanup
+			r.rules[key] = ruleInfo.rule
+		}
+	}
+	if merr != nil {
+		r.updateState()
+	}
+	return nberrors.FormatErrorOrNil(merr)
+}
+
+func (r *family) DeleteDNATRule(rule firewall.Rule) error {
+	ruleID := rule.ID()
+
+	var merr *multierror.Error
+	var found bool
+	if dnatRule, exists := r.rules[ruleID+dnatSuffix]; exists {
+		found = true
+		if err := r.iptablesClient.Delete(tableNat, chainRTRdr, dnatRule...); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("delete DNAT rule: %w", err))
+		}
+		delete(r.rules, ruleID+dnatSuffix)
+	}
+
+	if snatRule, exists := r.rules[ruleID+snatSuffix]; exists {
+		found = true
+		if err := r.iptablesClient.Delete(tableNat, chainRTNAT, snatRule...); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("delete SNAT rule: %w", err))
+		}
+		delete(r.rules, ruleID+snatSuffix)
+	}
+
+	if fwdRule, exists := r.rules[ruleID+fwdSuffix]; exists {
+		found = true
+		if err := r.iptablesClient.Delete(tableFilter, chainRTFwdOut, fwdRule...); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("delete forward rule: %w", err))
+		}
+		delete(r.rules, ruleID+fwdSuffix)
+	}
+
+	r.updateState()
+
+	// Release once, only if the rule was present and removed.
+	if merr == nil && found {
+		r.releaseForwarding()
+	}
+
+	return nberrors.FormatErrorOrNil(merr)
+}
+
+// releaseForwarding drops one IP forwarding reference, logging any error.
+func (r *family) releaseForwarding() {
+	if err := r.ipFwdState.ReleaseForwarding(); err != nil {
+		log.Errorf("release IP forwarding: %v", err)
+	}
+}
+
+func (r *family) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, originalPort, translatedPort uint16) error {
+	ruleID := firewall.RuleID(fmt.Sprintf("inbound-dnat-%s-%s-%d-%d", localAddr.String(), protocol, originalPort, translatedPort))
+
+	if _, exists := r.rules[ruleID]; exists {
+		return nil
+	}
+
+	dnatRule := []string{
+		"-i", r.wgIface.Name(),
+		"-p", strings.ToLower(protoForFamily(protocol, r.v6)),
+		"--dport", strconv.Itoa(int(originalPort)),
+		"-d", localAddr.String(),
+		"-m", "addrtype", "--dst-type", "LOCAL",
+		"-j", "DNAT",
+		"--to-destination", ":" + strconv.Itoa(int(translatedPort)),
+	}
+
+	info := ruleInfo{
+		table: tableNat,
+		chain: chainRTRdr,
+		rule:  dnatRule,
+	}
+
+	if err := r.iptablesClient.Append(info.table, info.chain, info.rule...); err != nil {
+		return fmt.Errorf("add inbound DNAT rule: %w", err)
+	}
+	r.rules[ruleID] = info.rule
+
+	r.updateState()
+	return nil
+}
+
+// RemoveInboundDNAT removes an inbound DNAT rule.
+func (r *family) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, originalPort, translatedPort uint16) error {
+	ruleID := firewall.RuleID(fmt.Sprintf("inbound-dnat-%s-%s-%d-%d", localAddr.String(), protocol, originalPort, translatedPort))
+
+	if dnatRule, exists := r.rules[ruleID]; exists {
+		if err := r.iptablesClient.Delete(tableNat, chainRTRdr, dnatRule...); err != nil {
+			return fmt.Errorf("delete inbound DNAT rule: %w", err)
+		}
+		delete(r.rules, ruleID)
+	}
+
+	r.updateState()
+	return nil
+}
+
+// ensureNATOutputChain lazily creates the OUTPUT NAT chain and jump rule on first use.
+func (r *family) ensureNATOutputChain() error {
+	if _, exists := r.rules[jumpNATOutput]; exists {
+		return nil
+	}
+
+	chainExists, err := r.iptablesClient.ChainExists(tableNat, chainNATOutput)
+	if err != nil {
+		return fmt.Errorf("check chain %s: %w", chainNATOutput, err)
+	}
+	if !chainExists {
+		if err := r.iptablesClient.NewChain(tableNat, chainNATOutput); err != nil {
+			return fmt.Errorf("create chain %s: %w", chainNATOutput, err)
+		}
+	}
+
+	jumpRule := []string{"-j", chainNATOutput}
+	if err := r.iptablesClient.Insert(tableNat, chainOutput, 1, jumpRule...); err != nil {
+		if !chainExists {
+			if delErr := r.iptablesClient.ClearAndDeleteChain(tableNat, chainNATOutput); delErr != nil {
+				log.Warnf("failed to rollback chain %s: %v", chainNATOutput, delErr)
+			}
+		}
+		return fmt.Errorf("add OUTPUT jump rule: %w", err)
+	}
+	r.rules[jumpNATOutput] = jumpRule
+
+	r.updateState()
+	return nil
+}
+
+// AddOutputDNAT adds an OUTPUT chain DNAT rule for locally-generated traffic.
+func (r *family) AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, originalPort, translatedPort uint16) error {
+	ruleID := firewall.RuleID(fmt.Sprintf("output-dnat-%s-%s-%d-%d", localAddr.String(), protocol, originalPort, translatedPort))
+
+	if _, exists := r.rules[ruleID]; exists {
+		return nil
+	}
+
+	if err := r.ensureNATOutputChain(); err != nil {
+		return err
+	}
+
+	dnatRule := []string{
+		"-p", strings.ToLower(protoForFamily(protocol, localAddr.Is6())),
+		"--dport", strconv.Itoa(int(originalPort)),
+		"-d", localAddr.String(),
+		"-j", "DNAT",
+		"--to-destination", ":" + strconv.Itoa(int(translatedPort)),
+	}
+
+	if err := r.iptablesClient.Append(tableNat, chainNATOutput, dnatRule...); err != nil {
+		return fmt.Errorf("add output DNAT rule: %w", err)
+	}
+	r.rules[ruleID] = dnatRule
+
+	r.updateState()
+	return nil
+}
+
+// RemoveOutputDNAT removes an OUTPUT chain DNAT rule.
+func (r *family) RemoveOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, originalPort, translatedPort uint16) error {
+	ruleID := firewall.RuleID(fmt.Sprintf("output-dnat-%s-%s-%d-%d", localAddr.String(), protocol, originalPort, translatedPort))
+
+	if dnatRule, exists := r.rules[ruleID]; exists {
+		if err := r.iptablesClient.Delete(tableNat, chainNATOutput, dnatRule...); err != nil {
+			return fmt.Errorf("delete output DNAT rule: %w", err)
+		}
+		delete(r.rules, ruleID)
+	}
+
+	r.updateState()
+	return nil
+}
--- a/client/firewall/iptables/family_linux.go
+++ b/client/firewall/iptables/family_linux.go
@@ -0,0 +1,246 @@
+//go:build !android
+
+package iptables
+
+import (
+	"fmt"
+	"net/netip"
+
+	"github.com/coreos/go-iptables/iptables"
+	"github.com/hashicorp/go-multierror"
+	log "github.com/sirupsen/logrus"
+
+	nberrors "github.com/netbirdio/netbird/client/errors"
+	firewall "github.com/netbirdio/netbird/client/firewall/manager"
+	nbid "github.com/netbirdio/netbird/client/internal/acl/id"
+	"github.com/netbirdio/netbird/client/internal/routemanager/ipfwdstate"
+	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
+	"github.com/netbirdio/netbird/client/internal/statemanager"
+)
+
+// constants needed to manage and create iptable rules
+const (
+	tableFilter = "filter"
+	tableName   = tableFilter
+	tableNat    = "nat"
+	tableMangle = "mangle"
+
+	// chainACLInput is the peer ACL chain that holds installed
+	// peer-filtering rules.
+	chainACLInput = "NETBIRD-ACL-INPUT"
+
+	// mangleForwardKey is the entries map key for mangle FORWARD guard
+	// rules that prevent external DNAT from bypassing ACL rules.
+	mangleForwardKey chainKey = "MANGLE-FORWARD"
+
+	chainInput              = "INPUT"
+	chainPostrouting        = "POSTROUTING"
+	chainPrerouting         = "PREROUTING"
+	chainForward            = "FORWARD"
+	chainRTNAT              = "NETBIRD-RT-NAT"
+	chainRTFwdIn            = "NETBIRD-RT-FWD-IN"
+	chainRTFwdOut           = "NETBIRD-RT-FWD-OUT"
+	chainRTPre              = "NETBIRD-RT-PRE"
+	chainRTRdr              = "NETBIRD-RT-RDR"
+	chainNATOutput          = "NETBIRD-NAT-OUTPUT"
+	chainRTMSSClamp         = "NETBIRD-RT-MSSCLAMP"
+
+	jumpManglePre  = "jump-mangle-pre"
+	jumpNATPre     = "jump-nat-pre"
+	jumpNATPost    = "jump-nat-post"
+	jumpNATOutput  = "jump-nat-output"
+	jumpMSSClamp   = "jump-mss-clamp"
+	markManglePre  = "mark-mangle-pre"
+	markManglePost = "mark-mangle-post"
+	matchSet       = "--match-set"
+
+	dnatSuffix firewall.RuleID = "_dnat"
+	snatSuffix firewall.RuleID = "_snat"
+	fwdSuffix  firewall.RuleID = "_fwd"
+
+	// ipv4TCPHeaderSize is the minimum IPv4 (20) + TCP (20) header size for MSS calculation.
+	ipv4TCPHeaderSize = 40
+	// ipv6TCPHeaderSize is the minimum IPv6 (40) + TCP (20) header size for MSS calculation.
+	ipv6TCPHeaderSize = 60
+)
+
+type ruleInfo struct {
+	chain string
+	table string
+	rule  []string
+}
+
+type routeRules map[firewall.RuleID][]string
+
+// ruleSpec is a single iptables rule expressed as its argument list
+// (e.g. {"-i", "wg0", "-j", "DROP"}).
+type ruleSpec []string
+
+// chainKey identifies the chain a seeded entry belongs to. It holds
+// built-in chain names ("INPUT", "FORWARD", "PREROUTING") plus the
+// synthetic mangleForwardKey bucket for the mangle FORWARD guard rules.
+type chainKey string
+
+// aclEntries maps a chain to the rules seeded into it to jump into or
+// guard the netbird ACL chains.
+type aclEntries map[chainKey][]ruleSpec
+
+type entry struct {
+	spec     ruleSpec
+	position int
+}
+
+// ipsetCounter is the shared hash:net refcounter used by peer and
+// route ACLs alike. The ipset library does not support comments, so
+// the key is just the set name (string).
+type ipsetCounter = refcounter.Counter[string, []netip.Prefix, struct{}]
+
+// family holds the per-address-family iptables state. One instance
+// handles route ACLs, peer ACLs, NAT, DNAT, and MSS clamping for a
+// single family; the top-level Manager owns one for v4 and another
+// for v6.
+type family struct {
+	iptablesClient *iptables.IPTables
+	wgIface        iFaceMapper
+	v6             bool
+
+	// Peer ACL chain bookkeeping.
+	entries         aclEntries
+	optionalEntries map[chainKey][]entry
+
+	// filters holds peer + route filter rules keyed by content hash.
+	// AddFilterRule writes here; DeleteFilterRule looks up by id.
+	filters      map[nbid.RuleID]*Rule
+	ipsetCounter *ipsetCounter
+
+	// rules holds NAT, jump, and MSS-clamping rules (auxiliary
+	// plumbing that isn't a filter rule).
+	rules routeRules
+
+	// Routing / NAT.
+	legacyManagement bool
+	mtu              uint16
+	ipFwdState       *ipfwdstate.IPForwardingState
+
+	stateManager *statemanager.Manager
+}
+
+func newFamily(iptablesClient *iptables.IPTables, wgIface iFaceMapper, mtu uint16) (*family, error) {
+	r := &family{
+		iptablesClient:  iptablesClient,
+		wgIface:         wgIface,
+		v6:              iptablesClient.Proto() == iptables.ProtocolIPv6,
+		entries:         make(aclEntries),
+		optionalEntries: make(map[chainKey][]entry),
+		filters:         make(map[nbid.RuleID]*Rule),
+		rules:           make(routeRules),
+		mtu:             mtu,
+		ipFwdState:      ipfwdstate.NewIPForwardingState(),
+	}
+
+	r.ipsetCounter = refcounter.New(
+		func(name string, sources []netip.Prefix) (struct{}, error) {
+			return struct{}{}, r.createIpSet(name, sources)
+		},
+		func(name string, _ struct{}) error {
+			return r.deleteIpSet(name)
+		},
+	)
+
+	return r, nil
+}
+
+// init wires the family to the state manager and installs both the
+// route ACL containers and the peer ACL chain skeleton.
+func (r *family) init(stateManager *statemanager.Manager) error {
+	r.stateManager = stateManager
+
+	if err := r.cleanUpDefaultForwardRules(); err != nil {
+		log.Errorf("failed to clean up rules from FORWARD chain: %s", err)
+	}
+
+	if err := r.createContainers(); err != nil {
+		return fmt.Errorf("create containers: %w", err)
+	}
+
+	if err := r.setupDataPlaneMark(); err != nil {
+		log.Errorf("failed to set up data plane mark: %v", err)
+	}
+
+	r.seedInitialEntries()
+	r.seedInitialOptionalEntries()
+
+	if err := r.cleanAclChains(); err != nil {
+		return fmt.Errorf("clean acl chains: %w", err)
+	}
+	if err := r.createDefaultChains(); err != nil {
+		return fmt.Errorf("create default chains: %w", err)
+	}
+
+	r.updateState()
+
+	return nil
+}
+
+// Reset tears down all firewall state owned by this family. ACL
+// chain cleanup runs before route-chain cleanup because the route
+// chains are still referenced by FORWARD jumps installed during
+// seedInitialEntries; deleting them first would trip EBUSY.
+func (r *family) Reset() error {
+	var merr *multierror.Error
+
+	if err := r.cleanAclChains(); err != nil {
+		merr = multierror.Append(merr, err)
+	}
+
+	if err := r.cleanUpDefaultForwardRules(); err != nil {
+		merr = multierror.Append(merr, err)
+	}
+
+	if err := r.ipsetCounter.Flush(); err != nil {
+		merr = multierror.Append(merr, err)
+	}
+
+	if err := r.cleanupDataPlaneMark(); err != nil {
+		merr = multierror.Append(merr, err)
+	}
+
+	clear(r.rules)
+	clear(r.filters)
+	r.updateState()
+
+	return nberrors.FormatErrorOrNil(merr)
+}
+
+func (r *family) updateState() {
+	if r.stateManager == nil {
+		return
+	}
+
+	var currentState *ShutdownState
+	if existing := r.stateManager.GetState(currentState); existing != nil {
+		if existingState, ok := existing.(*ShutdownState); ok {
+			currentState = existingState
+		}
+	}
+	if currentState == nil {
+		currentState = &ShutdownState{}
+	}
+
+	currentState.Lock()
+	defer currentState.Unlock()
+
+	if r.v6 {
+		currentState.RouteRules6 = r.rules
+		currentState.RouteIPsetCounter6 = r.ipsetCounter
+		currentState.ACLEntries6 = r.entries
+	} else {
+		currentState.RouteRules = r.rules
+		currentState.RouteIPsetCounter = r.ipsetCounter
+		currentState.ACLEntries = r.entries
+	}
+
+	if err := r.stateManager.UpdateState(currentState); err != nil {
+		log.Errorf("failed to update state: %v", err)
+	}
+}
--- a/client/firewall/iptables/filter_linux.go
+++ b/client/firewall/iptables/filter_linux.go
@@ -0,0 +1,341 @@
+//go:build !android
+
+package iptables
+
+import (
+	"fmt"
+	"net/netip"
+	"slices"
+	"strconv"
+	"strings"
+
+	"github.com/hashicorp/go-multierror"
+	log "github.com/sirupsen/logrus"
+
+	nberrors "github.com/netbirdio/netbird/client/errors"
+	firewall "github.com/netbirdio/netbird/client/firewall/manager"
+	nbid "github.com/netbirdio/netbird/client/internal/acl/id"
+	nbnet "github.com/netbirdio/netbird/client/net"
+)
+
+// AddFilterRule installs a packet-filtering rule. With destination
+// empty, the rule goes to the peer ACL input chain plus a paired
+// mangle PREROUTING rule for the redirect mark. With destination set
+// (prefix or named set), it goes to the route ACL forward chain.
+// Multi-source rules collapse to one iptables rule via the shared
+// hash:net ipset.
+func (r *family) AddFilterRule(
+	id []byte,
+	sources []netip.Prefix,
+	destination firewall.Network,
+	proto firewall.Protocol,
+	sPort *firewall.Port,
+	dPort *firewall.Port,
+	action firewall.Action,
+) (firewall.Rule, error) {
+	ruleID := nbid.GenerateRuleID(sources, destination, proto, sPort, dPort, action)
+	if existing, ok := r.filters[ruleID]; ok {
+		return existing, nil
+	}
+
+	srcMatch, err := r.applySourceMatch(sourceNetwork(sources), sources)
+	if err != nil {
+		return nil, fmt.Errorf("apply source match: %w", err)
+	}
+
+	rule, err := r.installFilterRule(ruleID, srcMatch, destination, proto, sPort, dPort, action)
+	if err != nil {
+		r.dropSourceMatch(srcMatch)
+		return nil, err
+	}
+
+	r.filters[ruleID] = rule
+	r.updateState()
+	return rule, nil
+}
+
+func (r *family) hasRule(id nbid.RuleID) bool {
+	_, ok := r.filters[id]
+	return ok
+}
+
+// hasDNATRule reports whether this family owns the DNAT rule set for
+// the given user id. DNAT rules live in r.rules under the well-known
+// "<id>_dnat" key; the lookup here is used by Manager.DeleteDNATRule
+// to pick the right family.
+func (r *family) hasDNATRule(id firewall.RuleID) bool {
+	_, ok := r.rules[id+dnatSuffix]
+	return ok
+}
+
+// DeleteFilterRule removes a previously installed filter rule. The
+// rule's stored chain/table identify where to delete from; source set
+// references are recovered from the spec via findSets and dropped
+// from the shared ipset counter.
+func (r *family) DeleteFilterRule(rule firewall.Rule) error {
+	ruleID := rule.ID()
+	pr, ok := r.filters[ruleID]
+	if !ok {
+		log.Debugf("filter rule %s not found", ruleID)
+		return nil
+	}
+
+	// DeleteIfExists keeps both deletes idempotent so a retry after a
+	// partial failure does not error on the half that was already removed.
+	var merr *multierror.Error
+	if err := r.iptablesClient.DeleteIfExists(tableFilter, pr.chain, pr.specs...); err != nil {
+		merr = multierror.Append(merr, fmt.Errorf("delete rule from %s: %w", pr.chain, err))
+	}
+	if pr.mangleSpecs != nil {
+		if err := r.iptablesClient.DeleteIfExists(tableMangle, chainRTPre, pr.mangleSpecs...); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("delete mangle rule: %w", err))
+		}
+	}
+	if merr != nil {
+		// Leave the rule tracked so the caller retries the remaining half.
+		return nberrors.FormatErrorOrNil(merr)
+	}
+
+	r.dropSourceMatch(pr.specs)
+	delete(r.filters, ruleID)
+	r.updateState()
+	return nil
+}
+
+// findSets scans an iptables rule spec for "-m set --match-set <name>
+// <dir>" fragments and returns the named sets in occurrence order.
+// Used at delete time to drop ipsetCounter references.
+func findSets(rule []string) []string {
+	var sets []string
+	for i, arg := range rule {
+		if arg == "-m" && i+3 < len(rule) && rule[i+1] == "set" && rule[i+2] == matchSet {
+			sets = append(sets, rule[i+3])
+		}
+	}
+	return sets
+}
+
+// sourceNetwork classifies a source-prefix list into the firewall.Network
+// shape the rest of the spec-builder consumes: empty for match-any, a
+// single prefix inline, or an ipset for multiple sources.
+func sourceNetwork(sources []netip.Prefix) firewall.Network {
+	switch {
+	case len(sources) == 0:
+		return firewall.Network{}
+	case len(sources) == 1 && sources[0].Bits() == 0:
+		return firewall.Network{}
+	case len(sources) == 1:
+		return firewall.Network{Prefix: sources[0]}
+	default:
+		return firewall.Network{Set: firewall.NewPrefixSet(sources)}
+	}
+}
+
+// applySourceMatch returns the iptables match fragment for the rule's
+// source. For a Set it increments the shared ipset's refcount; for a
+// Prefix it emits a direct -s match; for the wildcard it returns nil.
+func (r *family) applySourceMatch(network firewall.Network, prefixes []netip.Prefix) ([]string, error) {
+	switch {
+	case network.IsSet():
+		if r.ipsetCounter == nil {
+			return nil, fmt.Errorf("multi-source peer rule requires shared ipset counter")
+		}
+		name := r.ipsetName(network.Set.HashedName())
+		if _, err := r.ipsetCounter.Increment(name, prefixes); err != nil {
+			return nil, fmt.Errorf("ipset increment %s: %w", name, err)
+		}
+		return []string{"-m", "set", matchSet, name, "src"}, nil
+	case network.IsPrefix():
+		return []string{"-s", network.Prefix.String()}, nil
+	default:
+		return nil, nil
+	}
+}
+
+// dropSourceMatch undoes whatever applySourceMatch reserved. Safe to
+// call when the spec is empty or holds only inline matchers. Decrement
+// errors are logged but not returned: the filter rule has already been
+// deleted at that point and we don't want to leak the deletion.
+func (r *family) dropSourceMatch(srcMatch []string) {
+	if r.ipsetCounter == nil {
+		return
+	}
+	for _, name := range findSets(srcMatch) {
+		if _, err := r.ipsetCounter.Decrement(name); err != nil {
+			log.Errorf("rollback ipset decrement %s: %v", name, err)
+		}
+	}
+}
+
+// decrementSetCounter drops ipset references owned by a raw rule spec
+// stored in r.rules (NAT / legacy route entries). It returns an error
+// aggregate so the caller surfaces decrement failures.
+func (r *family) decrementSetCounter(rule []string) error {
+	if r.ipsetCounter == nil {
+		return nil
+	}
+	var merr *multierror.Error
+	for _, name := range findSets(rule) {
+		if _, err := r.ipsetCounter.Decrement(name); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("decrement counter: %w", err))
+		}
+	}
+	return nberrors.FormatErrorOrNil(merr)
+}
+
+// installFilterRule assembles and writes one iptables filter-chain
+// rule. With destination empty the rule lands in the peer ACL input
+// chain and a paired mangle PREROUTING rule is added for the redirect
+// mark. With destination set the rule lands in the route ACL forward
+// chain and there is no mangle pairing.
+func (r *family) installFilterRule(
+	ruleID nbid.RuleID,
+	srcMatch []string,
+	destination firewall.Network,
+	protocol firewall.Protocol,
+	sPort, dPort *firewall.Port,
+	action firewall.Action,
+) (*Rule, error) {
+	isRoute := !destination.IsZero()
+
+	proto := protoForFamily(protocol, r.v6)
+
+	specs := slices.Clone(srcMatch)
+	var destExp []string
+	if isRoute {
+		var err error
+		destExp, err = r.applyNetwork("-d", destination, nil)
+		if err != nil {
+			return nil, fmt.Errorf("apply network -d: %w", err)
+		}
+		specs = append(specs, destExp...)
+	}
+	specs = append(specs, filterMatchSpecs(proto, sPort, dPort)...)
+
+	var mangleSpecs []string
+	if !isRoute {
+		mangleSpecs = slices.Clone(specs)
+		mangleSpecs = append(mangleSpecs,
+			"-i", r.wgIface.Name(),
+			"-m", "addrtype", "--dst-type", "LOCAL",
+			"-j", "MARK", "--set-xmark", fmt.Sprintf("%#x", nbnet.PreroutingFwmarkRedirected),
+		)
+	}
+
+	specs = append(specs, "-j", actionToStr(action))
+
+	chain := chainACLInput
+	if isRoute {
+		chain = chainRTFwdIn
+	}
+
+	// Peer ACL drops are inserted at position 1 so they precede the
+	// chain's catch-all; route ACL drops are inserted at position 2
+	// to sit immediately after the established/related accept rule.
+	var err error
+	if action == firewall.ActionDrop {
+		pos := 1
+		if isRoute {
+			pos = 2
+		}
+		err = r.iptablesClient.Insert(tableFilter, chain, pos, specs...)
+	} else {
+		err = r.iptablesClient.Append(tableFilter, chain, specs...)
+	}
+	if err != nil {
+		r.dropSourceMatch(destExp)
+		return nil, fmt.Errorf("install filter rule on %s: %w", chain, err)
+	}
+
+	// The mangle redirect-mark rule is best effort: the filter rule itself
+	// is what enforces the ACL, so a mangle failure must not undo it. Drop
+	// the spec so teardown does not try to remove a rule that was not added.
+	if mangleSpecs != nil {
+		if err := r.iptablesClient.Append(tableMangle, chainRTPre, mangleSpecs...); err != nil {
+			log.Errorf("add mangle rule: %v", err)
+			mangleSpecs = nil
+		}
+	}
+
+	return &Rule{
+		id:          ruleID,
+		specs:       specs,
+		mangleSpecs: mangleSpecs,
+		chain:       chain,
+		v6:          r.v6,
+	}, nil
+}
+
+// applyNetwork resolves a firewall.Network into the iptables match
+// fragment for the given direction flag (-s or -d). Set networks
+// increment the shared ipset refcount; prefixes emit a direct match;
+// an empty network returns no spec ("match any").
+func (r *family) applyNetwork(flag string, network firewall.Network, prefixes []netip.Prefix) ([]string, error) {
+	direction := "src"
+	if flag == "-d" {
+		direction = "dst"
+	}
+
+	if network.IsSet() {
+		name := r.ipsetName(network.Set.HashedName())
+		if _, err := r.ipsetCounter.Increment(name, prefixes); err != nil {
+			return nil, fmt.Errorf("create or get ipset: %w", err)
+		}
+
+		return []string{"-m", "set", matchSet, name, direction}, nil
+	}
+	if network.IsPrefix() {
+		return []string{flag, network.Prefix.String()}, nil
+	}
+
+	// nolint:nilnil
+	return nil, nil
+}
+
+// protoForFamily translates ICMP to ICMPv6 for ip6tables.
+// ip6tables requires "ipv6-icmp" (or "icmpv6") instead of "icmp".
+func protoForFamily(protocol firewall.Protocol, v6 bool) string {
+	if v6 && protocol == firewall.ProtocolICMP {
+		return "ipv6-icmp"
+	}
+	return string(protocol)
+}
+
+// filterMatchSpecs returns the proto/port match fragment for a
+// filtering rule. The source match (-s or -m set) is built by the
+// caller and prepended.
+func filterMatchSpecs(protocol string, sPort, dPort *firewall.Port) (specs []string) {
+	if protocol != "all" {
+		specs = append(specs, "-p", protocol)
+	}
+	specs = append(specs, applyPort("--sport", sPort)...)
+	specs = append(specs, applyPort("--dport", dPort)...)
+	return specs
+}
+
+func actionToStr(action firewall.Action) string {
+	if action == firewall.ActionAccept {
+		return "ACCEPT"
+	}
+	return "DROP"
+}
+
+func applyPort(flag string, port *firewall.Port) []string {
+	if port == nil {
+		return nil
+	}
+
+	if port.IsRange && len(port.Values) == 2 {
+		return []string{flag, fmt.Sprintf("%d:%d", port.Values[0], port.Values[1])}
+	}
+
+	if len(port.Values) > 1 {
+		portList := make([]string, len(port.Values))
+		for i, p := range port.Values {
+			portList[i] = strconv.Itoa(int(p))
+		}
+		return []string{"-m", "multiport", flag, strings.Join(portList, ",")}
+	}
+
+	return []string{flag, strconv.Itoa(int(port.Values[0]))}
+}
--- a/client/firewall/iptables/ipset_linux.go
+++ b/client/firewall/iptables/ipset_linux.go
@@ -0,0 +1,104 @@
+//go:build !android
+
+package iptables
+
+import (
+	"fmt"
+	"net/netip"
+
+	"github.com/hashicorp/go-multierror"
+	"github.com/lrh3321/ipset-go"
+	log "github.com/sirupsen/logrus"
+
+	nberrors "github.com/netbirdio/netbird/client/errors"
+	firewall "github.com/netbirdio/netbird/client/firewall/manager"
+)
+
+func (r *family) createIpSet(setName string, sources []netip.Prefix) error {
+	if err := r.createIPSet(setName); err != nil {
+		return fmt.Errorf("create set %s: %w", setName, err)
+	}
+
+	for _, prefix := range sources {
+		if err := r.addPrefixToIPSet(setName, prefix); err != nil {
+			// The refcounter records nothing when this callback errors,
+			// so destroy the set or it leaks in the kernel. A partial
+			// source set would also fail-open for deny rules, so the
+			// rule must fail rather than install with a missing source.
+			if derr := r.destroyIPSet(setName); derr != nil {
+				log.Warnf("rollback ipset %s after add failure: %v", setName, derr)
+			}
+			return fmt.Errorf("add element to set %s: %w", setName, err)
+		}
+	}
+
+	return nil
+}
+
+func (r *family) deleteIpSet(setName string) error {
+	if err := r.destroyIPSet(setName); err != nil {
+		return fmt.Errorf("destroy set %s: %w", setName, err)
+	}
+
+	log.Debugf("deleted unused ipset %s", setName)
+	return nil
+}
+
+func (r *family) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
+	name := r.ipsetName(set.HashedName())
+	var merr *multierror.Error
+	for _, prefix := range prefixes {
+		if err := r.addPrefixToIPSet(name, prefix); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("add prefix to ipset: %w", err))
+		}
+	}
+	if merr == nil {
+		log.Debugf("updated set %s with prefixes %v", name, prefixes)
+	}
+
+	return nberrors.FormatErrorOrNil(merr)
+}
+
+func (r *family) ipsetName(name string) string {
+	if r.v6 {
+		return name + "-v6"
+	}
+	return name
+}
+
+func (r *family) createIPSet(name string) error {
+	opts := ipset.CreateOptions{
+		Replace: true,
+	}
+	if r.v6 {
+		opts.Family = ipset.FamilyIPV6
+	}
+
+	if err := ipset.Create(name, ipset.TypeHashNet, opts); err != nil {
+		return fmt.Errorf("create ipset %s: %w", name, err)
+	}
+
+	log.Debugf("created ipset %s with type hash:net", name)
+	return nil
+}
+
+func (r *family) addPrefixToIPSet(name string, prefix netip.Prefix) error {
+	addr := prefix.Addr()
+	ip := addr.AsSlice()
+
+	entry := &ipset.Entry{
+		IP:      ip,
+		CIDR:    uint8(prefix.Bits()),
+		Replace: true,
+	}
+
+	if err := ipset.Add(name, entry); err != nil {
+		return fmt.Errorf("add prefix to ipset %s: %w", name, err)
+	}
+
+	return nil
+}
+
+func (r *family) destroyIPSet(name string) error {
+	return ipset.Destroy(name)
+}
--- a/client/firewall/iptables/manager_linux.go
+++ b/client/firewall/iptables/manager_linux.go
@@ -3,7 +3,6 @@ package iptables
 import (
 	"context"
 	"fmt"
-	"net"
 	"net/netip"
 	"sync"

@@ -18,16 +17,21 @@ import (
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )

-// Manager of iptables firewall
+// Manager of iptables firewall. Per-family state (peer ACLs, route
+// ACLs, NAT, DNAT, MSS clamping) lives on family; Manager dispatches
+// by family and provides the public firewall.Manager surface.
 type Manager struct {
 	mutex sync.Mutex

 	wgIface iFaceMapper

 	ipv4Client   *iptables.IPTables
-	aclMgr       *aclManager
-	router       *router
+	family4      *family
 	rawSupported bool
+
+	// IPv6 counterparts, nil when no v6 overlay
+	ipv6Client *iptables.IPTables
+	family6    *family
 }

 // iFaceMapper defines subset methods of interface required for manager
@@ -48,25 +52,51 @@ func Create(wgIface iFaceMapper, mtu uint16) (*Manager, error) {
 		ipv4Client: iptablesClient,
 	}

-	m.router, err = newRouter(iptablesClient, wgIface, mtu)
+	m.family4, err = newFamily(iptablesClient, wgIface, mtu)
 	if err != nil {
-		return nil, fmt.Errorf("create router: %w", err)
+		return nil, fmt.Errorf("create family: %w", err)
 	}

-	m.aclMgr, err = newAclManager(iptablesClient, wgIface)
-	if err != nil {
-		return nil, fmt.Errorf("create acl manager: %w", err)
+	if wgIface.Address().HasIPv6() {
+		if err := m.createIPv6Components(wgIface, mtu); err != nil {
+			return nil, fmt.Errorf("create IPv6 firewall: %w", err)
+		}
 	}

 	return m, nil
 }

+func (m *Manager) createIPv6Components(wgIface iFaceMapper, mtu uint16) error {
+	ip6Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv6)
+	if err != nil {
+		return fmt.Errorf("init ip6tables: %w", err)
+	}
+
+	family6, err := newFamily(ip6Client, wgIface, mtu)
+	if err != nil {
+		return fmt.Errorf("create v6 family: %w", err)
+	}
+
+	// Share the same IP forwarding state with the v4 family, since
+	// EnableIPForwarding controls both v4 and v6 sysctls.
+	family6.ipFwdState = m.family4.ipFwdState
+
+	m.ipv6Client = ip6Client
+	m.family6 = family6
+
+	return nil
+}
+
+func (m *Manager) hasIPv6() bool {
+	return m.ipv6Client != nil
+}
+
 func (m *Manager) Init(stateManager *statemanager.Manager) error {
 	state := &ShutdownState{
 		InterfaceState: &InterfaceState{
 			NameStr:   m.wgIface.Name(),
 			WGAddress: m.wgIface.Address(),
-			MTU:       m.router.mtu,
+			MTU:       m.family4.mtu,
 		},
 	}
 	stateManager.RegisterState(state)
@@ -74,13 +104,8 @@ func (m *Manager) Init(stateManager *statemanager.Manager) error {
 		log.Errorf("failed to update state: %v", err)
 	}

-	if err := m.router.init(stateManager); err != nil {
-		return fmt.Errorf("router init: %w", err)
-	}
-
-	if err := m.aclMgr.init(stateManager); err != nil {
-		// TODO: cleanup router
-		return fmt.Errorf("acl manager init: %w", err)
+	if err := m.initChains(stateManager); err != nil {
+		return err
 	}

 	if err := m.initNoTrackChain(); err != nil {
@@ -103,55 +128,78 @@ func (m *Manager) Init(stateManager *statemanager.Manager) error {
 	return nil
 }

-// AddPeerFiltering adds a rule to the firewall
-//
-// Comment will be ignored because some system this feature is not supported
-func (m *Manager) AddPeerFiltering(
-	id []byte,
-	ip net.IP,
-	proto firewall.Protocol,
-	sPort *firewall.Port,
-	dPort *firewall.Port,
-	action firewall.Action,
-	ipsetName string,
-) ([]firewall.Rule, error) {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
+// initChains initializes the per-family firewall state for both
+// address families, rolling back on failure.
+func (m *Manager) initChains(stateManager *statemanager.Manager) error {
+	type initStep struct {
+		name string
+		r    *family
+	}

-	return m.aclMgr.AddPeerFiltering(id, ip, proto, sPort, dPort, action, ipsetName)
+	steps := []initStep{{"v4", m.family4}}
+	if m.hasIPv6() {
+		steps = append(steps, initStep{"v6", m.family6})
+	}
+
+	var initialized []initStep
+	for _, s := range steps {
+		if err := s.r.init(stateManager); err != nil {
+			for i := len(initialized) - 1; i >= 0; i-- {
+				if rerr := initialized[i].r.Reset(); rerr != nil {
+					log.Warnf("rollback %s: %v", initialized[i].name, rerr)
+				}
+			}
+			return fmt.Errorf("%s init: %w", s.name, err)
+		}
+		initialized = append(initialized, s)
+	}
+	return nil
 }

-func (m *Manager) AddRouteFiltering(
+// AddFilterRule installs a packet-filtering rule. See firewall.Manager
+// docs for destination semantics. Sources are a single address family;
+// the rule is dispatched to the matching v4 / v6 backend.
+func (m *Manager) AddFilterRule(
 	id []byte,
 	sources []netip.Prefix,
 	destination firewall.Network,
 	proto firewall.Protocol,
-	sPort, dPort *firewall.Port,
+	sPort *firewall.Port,
+	dPort *firewall.Port,
 	action firewall.Action,
 ) (firewall.Rule, error) {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	if destination.IsPrefix() && !destination.Prefix.Addr().Is4() {
-		return nil, fmt.Errorf("unsupported IP version: %s", destination.Prefix.Addr().String())
+	if len(sources) == 0 {
+		return nil, firewall.ErrNoSources
 	}

-	return m.router.AddRouteFiltering(id, sources, destination, proto, sPort, dPort, action)
-}
-
-// DeletePeerRule from the firewall by rule definition
-func (m *Manager) DeletePeerRule(rule firewall.Rule) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	return m.aclMgr.DeletePeerRule(rule)
+	fam := m.family4
+	if isIPv6Rule(sources, destination) {
+		if !m.hasIPv6() {
+			return nil, fmt.Errorf("add filtering: %w", firewall.ErrIPv6NotInitialized)
+		}
+		fam = m.family6
+	}
+	return fam.AddFilterRule(id, sources, destination, proto, sPort, dPort, action)
 }

-func (m *Manager) DeleteRouteRule(rule firewall.Rule) error {
+// DeleteFilterRule removes a rule previously added via AddFilterRule.
+// The rule is looked up by id in each family's filter cache.
+func (m *Manager) DeleteFilterRule(rule firewall.Rule) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	return m.router.DeleteRouteRule(rule)
+	id := rule.ID()
+	if m.family4.hasRule(id) {
+		return m.family4.DeleteFilterRule(rule)
+	}
+	if m.hasIPv6() && m.family6.hasRule(id) {
+		return m.family6.DeleteFilterRule(rule)
+	}
+	log.Debugf("filter rule %s not found in any family", id)
+	return nil
 }

 func (m *Manager) IsServerRouteSupported() bool {
@@ -166,18 +214,65 @@ func (m *Manager) AddNatRule(pair firewall.RouterPair) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	return m.router.AddNatRule(pair)
+	if pair.Destination.IsPrefix() && pair.Destination.Prefix.Addr().Is6() {
+		if !m.hasIPv6() {
+			return fmt.Errorf("add NAT rule: %w", firewall.ErrIPv6NotInitialized)
+		}
+		return m.family6.AddNatRule(pair)
+	}
+
+	if err := m.family4.AddNatRule(pair); err != nil {
+		return err
+	}
+
+	// Dynamic routes need NAT in both tables since resolved IPs can be
+	// either v4 or v6. This covers both DomainSet (modern) and the legacy
+	// wildcard 0.0.0.0/0 destination where the client resolves DNS.
+	if m.hasIPv6() && pair.Dynamic {
+		v6Pair := firewall.ToV6NatPair(pair)
+		if err := m.family6.AddNatRule(v6Pair); err != nil {
+			return fmt.Errorf("add v6 NAT rule: %w", err)
+		}
+	}
+
+	return nil
 }

 func (m *Manager) RemoveNatRule(pair firewall.RouterPair) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	return m.router.RemoveNatRule(pair)
+	if pair.Destination.IsPrefix() && pair.Destination.Prefix.Addr().Is6() {
+		if !m.hasIPv6() {
+			return nil
+		}
+		return m.family6.RemoveNatRule(pair)
+	}
+
+	var merr *multierror.Error
+
+	if err := m.family4.RemoveNatRule(pair); err != nil {
+		merr = multierror.Append(merr, fmt.Errorf("remove v4 NAT rule: %w", err))
+	}
+
+	if m.hasIPv6() && pair.Dynamic {
+		v6Pair := firewall.ToV6NatPair(pair)
+		if err := m.family6.RemoveNatRule(v6Pair); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("remove v6 NAT rule: %w", err))
+		}
+	}
+
+	return nberrors.FormatErrorOrNil(merr)
 }

 func (m *Manager) SetLegacyManagement(isLegacy bool) error {
-	return firewall.SetLegacyManagement(m.router, isLegacy)
+	if err := firewall.SetLegacyManagement(m.family4, isLegacy); err != nil {
+		return err
+	}
+	if m.hasIPv6() {
+		return firewall.SetLegacyManagement(m.family6, isLegacy)
+	}
+	return nil
 }

 // Reset firewall to the default state
@@ -191,11 +286,14 @@ func (m *Manager) Close(stateManager *statemanager.Manager) error {
 		merr = multierror.Append(merr, fmt.Errorf("cleanup notrack chain: %w", err))
 	}

-	if err := m.aclMgr.Reset(); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("reset acl manager: %w", err))
+	if m.hasIPv6() {
+		if err := m.family6.Reset(); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("reset v6 family: %w", err))
+		}
 	}
-	if err := m.router.Reset(); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("reset router: %w", err))
+
+	if err := m.family4.Reset(); err != nil {
+		merr = multierror.Append(merr, fmt.Errorf("reset family: %w", err))
 	}

 	// Appending to merr intentionally blocks DeleteState below so ShutdownState
@@ -218,24 +316,21 @@ func (m *Manager) Close(stateManager *statemanager.Manager) error {
 // This is called when USPFilter wraps the native firewall, adding blanket accept
 // rules so that packet filtering is handled in userspace instead of by netfilter.
 func (m *Manager) AllowNetbird() error {
-	_, err := m.AddPeerFiltering(
-		nil,
-		net.IP{0, 0, 0, 0},
-		firewall.ProtocolALL,
-		nil,
-		nil,
-		firewall.ActionAccept,
-		"",
-	)
-	if err != nil {
-		return fmt.Errorf("allow netbird interface traffic: %w", err)
+	var merr *multierror.Error
+	if _, err := m.AddFilterRule(nil, []netip.Prefix{netip.PrefixFrom(netip.IPv4Unspecified(), 0)}, firewall.Network{}, firewall.ProtocolALL, nil, nil, firewall.ActionAccept); err != nil {
+		merr = multierror.Append(merr, fmt.Errorf("allow netbird v4 interface traffic: %w", err))
+	}
+	if m.hasIPv6() {
+		if _, err := m.AddFilterRule(nil, []netip.Prefix{netip.PrefixFrom(netip.IPv6Unspecified(), 0)}, firewall.Network{}, firewall.ProtocolALL, nil, nil, firewall.ActionAccept); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("allow netbird v6 interface traffic: %w", err))
+		}
 	}

 	if err := firewalld.TrustInterface(m.wgIface.Name()); err != nil {
 		log.Warnf("failed to trust interface in firewalld: %v", err)
 	}

-	return nil
+	return nberrors.FormatErrorOrNil(merr)
 }

 // Flush doesn't need to be implemented for this manager
@@ -247,14 +342,14 @@ func (m *Manager) SetLogLevel(log.Level) {
 }

 func (m *Manager) EnableRouting() error {
-	if err := m.router.ipFwdState.RequestForwarding(); err != nil {
+	if err := m.family4.ipFwdState.RequestForwarding(); err != nil {
 		return fmt.Errorf("enable IP forwarding: %w", err)
 	}
 	return nil
 }

 func (m *Manager) DisableRouting() error {
-	if err := m.router.ipFwdState.ReleaseForwarding(); err != nil {
+	if err := m.family4.ipFwdState.ReleaseForwarding(); err != nil {
 		return fmt.Errorf("disable IP forwarding: %w", err)
 	}
 	return nil
@@ -265,7 +360,13 @@ func (m *Manager) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error)
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	return m.router.AddDNATRule(rule)
+	if rule.TranslatedAddress.Is6() {
+		if !m.hasIPv6() {
+			return nil, fmt.Errorf("add DNAT rule: %w", firewall.ErrIPv6NotInitialized)
+		}
+		return m.family6.AddDNATRule(rule)
+	}
+	return m.family4.AddDNATRule(rule)
 }

 // DeleteDNATRule deletes a DNAT rule
@@ -273,7 +374,10 @@ func (m *Manager) DeleteDNATRule(rule firewall.Rule) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	return m.router.DeleteDNATRule(rule)
+	if m.hasIPv6() && !m.family4.hasDNATRule(rule.ID()) {
+		return m.family6.DeleteDNATRule(rule)
+	}
+	return m.family4.DeleteDNATRule(rule)
 }

 // UpdateSet updates the set with the given prefixes
@@ -281,44 +385,87 @@ func (m *Manager) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	return m.router.UpdateSet(set, prefixes)
+	var v4Prefixes, v6Prefixes []netip.Prefix
+	for _, p := range prefixes {
+		if p.Addr().Is6() {
+			v6Prefixes = append(v6Prefixes, p)
+		} else {
+			v4Prefixes = append(v4Prefixes, p)
+		}
+	}
+
+	if err := m.family4.UpdateSet(set, v4Prefixes); err != nil {
+		return err
+	}
+
+	if m.hasIPv6() && len(v6Prefixes) > 0 {
+		if err := m.family6.UpdateSet(set, v6Prefixes); err != nil {
+			return fmt.Errorf("update v6 set: %w", err)
+		}
+	}
+
+	return nil
 }

 // AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services.
-func (m *Manager) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
+func (m *Manager) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, originalPort, translatedPort uint16) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	return m.router.AddInboundDNAT(localAddr, protocol, sourcePort, targetPort)
+	if localAddr.Is6() {
+		if !m.hasIPv6() {
+			return fmt.Errorf("add inbound DNAT: %w", firewall.ErrIPv6NotInitialized)
+		}
+		return m.family6.AddInboundDNAT(localAddr, protocol, originalPort, translatedPort)
+	}
+	return m.family4.AddInboundDNAT(localAddr, protocol, originalPort, translatedPort)
 }

 // RemoveInboundDNAT removes an inbound DNAT rule.
-func (m *Manager) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
+func (m *Manager) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, originalPort, translatedPort uint16) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	return m.router.RemoveInboundDNAT(localAddr, protocol, sourcePort, targetPort)
+	if localAddr.Is6() {
+		if !m.hasIPv6() {
+			return fmt.Errorf("remove inbound DNAT: %w", firewall.ErrIPv6NotInitialized)
+		}
+		return m.family6.RemoveInboundDNAT(localAddr, protocol, originalPort, translatedPort)
+	}
+	return m.family4.RemoveInboundDNAT(localAddr, protocol, originalPort, translatedPort)
 }

 // AddOutputDNAT adds an OUTPUT chain DNAT rule for locally-generated traffic.
-func (m *Manager) AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
+func (m *Manager) AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, originalPort, translatedPort uint16) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	return m.router.AddOutputDNAT(localAddr, protocol, sourcePort, targetPort)
+	if localAddr.Is6() {
+		if !m.hasIPv6() {
+			return fmt.Errorf("add output DNAT: %w", firewall.ErrIPv6NotInitialized)
+		}
+		return m.family6.AddOutputDNAT(localAddr, protocol, originalPort, translatedPort)
+	}
+	return m.family4.AddOutputDNAT(localAddr, protocol, originalPort, translatedPort)
 }

 // RemoveOutputDNAT removes an OUTPUT chain DNAT rule.
-func (m *Manager) RemoveOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
+func (m *Manager) RemoveOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, originalPort, translatedPort uint16) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	return m.router.RemoveOutputDNAT(localAddr, protocol, sourcePort, targetPort)
+	if localAddr.Is6() {
+		if !m.hasIPv6() {
+			return fmt.Errorf("remove output DNAT: %w", firewall.ErrIPv6NotInitialized)
+		}
+		return m.family6.RemoveOutputDNAT(localAddr, protocol, originalPort, translatedPort)
+	}
+	return m.family4.RemoveOutputDNAT(localAddr, protocol, originalPort, translatedPort)
 }

 const (
 	chainNameRaw = "NETBIRD-RAW"
-	chainOUTPUT  = "OUTPUT"
+	chainOutput  = "OUTPUT"
 	tableRaw     = "raw"
 )

@@ -393,15 +540,15 @@ func (m *Manager) initNoTrackChain() error {

 	jumpRule := []string{"-j", chainNameRaw}

-	if err := m.ipv4Client.InsertUnique(tableRaw, chainOUTPUT, 1, jumpRule...); err != nil {
+	if err := m.ipv4Client.InsertUnique(tableRaw, chainOutput, 1, jumpRule...); err != nil {
 		if delErr := m.ipv4Client.DeleteChain(tableRaw, chainNameRaw); delErr != nil {
 			log.Debugf("delete orphan chain: %v", delErr)
 		}
 		return fmt.Errorf("add output jump rule: %w", err)
 	}

-	if err := m.ipv4Client.InsertUnique(tableRaw, chainPREROUTING, 1, jumpRule...); err != nil {
-		if delErr := m.ipv4Client.DeleteIfExists(tableRaw, chainOUTPUT, jumpRule...); delErr != nil {
+	if err := m.ipv4Client.InsertUnique(tableRaw, chainPrerouting, 1, jumpRule...); err != nil {
+		if delErr := m.ipv4Client.DeleteIfExists(tableRaw, chainOutput, jumpRule...); delErr != nil {
 			log.Debugf("delete output jump rule: %v", delErr)
 		}
 		if delErr := m.ipv4Client.DeleteChain(tableRaw, chainNameRaw); delErr != nil {
@@ -428,11 +575,11 @@ func (m *Manager) cleanupNoTrackChain() error {

 	jumpRule := []string{"-j", chainNameRaw}

-	if err := m.ipv4Client.DeleteIfExists(tableRaw, chainOUTPUT, jumpRule...); err != nil {
+	if err := m.ipv4Client.DeleteIfExists(tableRaw, chainOutput, jumpRule...); err != nil {
 		return fmt.Errorf("remove output jump rule: %w", err)
 	}

-	if err := m.ipv4Client.DeleteIfExists(tableRaw, chainPREROUTING, jumpRule...); err != nil {
+	if err := m.ipv4Client.DeleteIfExists(tableRaw, chainPrerouting, jumpRule...); err != nil {
 		return fmt.Errorf("remove prerouting jump rule: %w", err)
 	}

@@ -447,3 +594,13 @@ func (m *Manager) cleanupNoTrackChain() error {
 func getConntrackEstablished() []string {
 	return []string{"-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"}
 }
+
+// isIPv6Rule reports whether the rule belongs to the IPv6 family, from
+// the destination prefix when set, otherwise from the (single-family)
+// sources.
+func isIPv6Rule(sources []netip.Prefix, destination firewall.Network) bool {
+	if destination.IsPrefix() {
+		return destination.Prefix.Addr().Is6()
+	}
+	return len(sources) > 0 && sources[0].Addr().Is6()
+}
--- a/client/firewall/iptables/manager_linux_test.go
+++ b/client/firewall/iptables/manager_linux_test.go
@@ -1,3 +1,5 @@
+//go:build integration && !android
+
 package iptables

 import (
@@ -65,46 +67,39 @@ func TestIptablesManager(t *testing.T) {
 		time.Sleep(time.Second)
 	}()

-	var rule2 []fw.Rule
+	var rule2 fw.Rule
 	t.Run("add second rule", func(t *testing.T) {
 		ip := netip.MustParseAddr("10.20.0.3")
 		port := &fw.Port{
 			IsRange: true,
 			Values:  []uint16{8043, 8046},
 		}
-		rule2, err = manager.AddPeerFiltering(nil, ip.AsSlice(), "tcp", port, nil, fw.ActionAccept, "")
+		rule2, err = manager.AddFilterRule(nil, pfx(ip.AsSlice()), fw.Network{}, "tcp", port, nil, fw.ActionAccept)
 		require.NoError(t, err, "failed to add rule")

-		for _, r := range rule2 {
-			rr := r.(*Rule)
-			checkRuleSpecs(t, ipv4Client, rr.chain, true, rr.specs...)
-		}
+		rr := rule2.(*Rule)
+		checkRuleSpecs(t, ipv4Client, rr.chain, true, rr.specs...)
 	})

 	t.Run("delete second rule", func(t *testing.T) {
-		for _, r := range rule2 {
-			err := manager.DeletePeerRule(r)
-			require.NoError(t, err, "failed to delete rule")
-		}
-
-		require.Empty(t, manager.aclMgr.ipsetStore.ipsets, "rulesets index after removed second rule must be empty")
+		require.NoError(t, manager.DeleteFilterRule(rule2), "failed to delete rule")
 	})

 	t.Run("reset check", func(t *testing.T) {
 		// add second rule
 		ip := netip.MustParseAddr("10.20.0.3")
 		port := &fw.Port{Values: []uint16{5353}}
-		_, err = manager.AddPeerFiltering(nil, ip.AsSlice(), "udp", nil, port, fw.ActionAccept, "")
+		_, err = manager.AddFilterRule(nil, pfx(ip.AsSlice()), fw.Network{}, "udp", nil, port, fw.ActionAccept)
 		require.NoError(t, err, "failed to add rule")

 		err = manager.Close(nil)
 		require.NoError(t, err, "failed to reset")

-		ok, err := ipv4Client.ChainExists("filter", chainNameInputRules)
+		ok, err := ipv4Client.ChainExists("filter", chainACLInput)
 		require.NoError(t, err, "failed check chain exists")

 		if ok {
-			require.NoErrorf(t, err, "chain '%v' still exists after Close", chainNameInputRules)
+			require.NoErrorf(t, err, "chain '%v' still exists after Close", chainACLInput)
 		}
 	})
 }
@@ -126,15 +121,13 @@ func TestIptablesManagerDenyRules(t *testing.T) {
 		ip := netip.MustParseAddr("10.20.0.3")
 		port := &fw.Port{Values: []uint16{22}}

-		rule, err := manager.AddPeerFiltering(nil, ip.AsSlice(), "tcp", nil, port, fw.ActionDrop, "deny-ssh")
+		rule, err := manager.AddFilterRule(nil, pfx(ip.AsSlice()), fw.Network{}, "tcp", nil, port, fw.ActionDrop)
 		require.NoError(t, err, "failed to add deny rule")
-		require.NotEmpty(t, rule, "deny rule should not be empty")
+		require.NotNil(t, rule, "deny rule should not be nil")

 		// Verify the rule was added by checking iptables
-		for _, r := range rule {
-			rr := r.(*Rule)
-			checkRuleSpecs(t, ipv4Client, rr.chain, true, rr.specs...)
-		}
+		rr := rule.(*Rule)
+		checkRuleSpecs(t, ipv4Client, rr.chain, true, rr.specs...)
 	})

 	t.Run("deny rule precedence test", func(t *testing.T) {
@@ -142,36 +135,40 @@ func TestIptablesManagerDenyRules(t *testing.T) {
 		port := &fw.Port{Values: []uint16{80}}

 		// Add accept rule first
-		_, err := manager.AddPeerFiltering(nil, ip.AsSlice(), "tcp", nil, port, fw.ActionAccept, "accept-http")
+		_, err := manager.AddFilterRule(nil, pfx(ip.AsSlice()), fw.Network{}, "tcp", nil, port, fw.ActionAccept)
 		require.NoError(t, err, "failed to add accept rule")

 		// Add deny rule second for same IP/port - this should take precedence
-		_, err = manager.AddPeerFiltering(nil, ip.AsSlice(), "tcp", nil, port, fw.ActionDrop, "deny-http")
+		_, err = manager.AddFilterRule(nil, pfx(ip.AsSlice()), fw.Network{}, "tcp", nil, port, fw.ActionDrop)
 		require.NoError(t, err, "failed to add deny rule")

 		// Inspect the actual iptables rules to verify deny rule comes before accept rule
-		rules, err := ipv4Client.List("filter", chainNameInputRules)
+		rules, err := ipv4Client.List("filter", chainACLInput)
 		require.NoError(t, err, "failed to list iptables rules")

 		// Debug: print all rules
-		t.Logf("All iptables rules in chain %s:", chainNameInputRules)
+		t.Logf("All iptables rules in chain %s:", chainACLInput)
 		for i, rule := range rules {
 			t.Logf("  [%d] %s", i, rule)
 		}

+		// Single-source rules emit a direct `-s <ip>/32 ... --dport 80`
+		// match. Match on that shape instead of the legacy
+		// per-(action,port) ipset names ("deny-http"/"accept-http")
+		// that this test predates.
+		srcMatch := fmt.Sprintf("-s %s/32", ip)
 		var denyRuleIndex, acceptRuleIndex = -1, -1
 		for i, rule := range rules {
-			if strings.Contains(rule, "DROP") {
-				t.Logf("Found DROP rule at index %d: %s", i, rule)
-				if strings.Contains(rule, "deny-http") && strings.Contains(rule, "80") {
-					denyRuleIndex = i
-				}
+			if !strings.Contains(rule, srcMatch) || !strings.Contains(rule, "--dport 80") {
+				continue
 			}
-			if strings.Contains(rule, "ACCEPT") {
+			if strings.Contains(rule, "-j DROP") {
+				t.Logf("Found DROP rule at index %d: %s", i, rule)
+				denyRuleIndex = i
+			}
+			if strings.Contains(rule, "-j ACCEPT") {
 				t.Logf("Found ACCEPT rule at index %d: %s", i, rule)
-				if strings.Contains(rule, "accept-http") && strings.Contains(rule, "80") {
-					acceptRuleIndex = i
-				}
+				acceptRuleIndex = i
 			}
 		}

@@ -196,7 +193,6 @@ func TestIptablesManagerIPSet(t *testing.T) {
 		},
 	}

-	// just check on the local interface
 	manager, err := Create(mock, iface.DefaultMTU)
 	require.NoError(t, err)
 	require.NoError(t, manager.Init(nil))
@@ -210,27 +206,39 @@ func TestIptablesManagerIPSet(t *testing.T) {
 		time.Sleep(time.Second)
 	}()

-	var rule2 []fw.Rule
-	t.Run("add second rule", func(t *testing.T) {
+	var rule2 fw.Rule
+	t.Run("single source uses direct -s match (no ipset)", func(t *testing.T) {
 		ip := netip.MustParseAddr("10.20.0.3")
 		port := &fw.Port{
 			Values: []uint16{443},
 		}
-		rule2, err = manager.AddPeerFiltering(nil, ip.AsSlice(), "tcp", port, nil, fw.ActionAccept, "default")
-		for _, r := range rule2 {
-			require.NoError(t, err, "failed to add rule")
-			require.Equal(t, r.(*Rule).ipsetName, "default-sport", "ipset name must be set")
-			require.Equal(t, r.(*Rule).ip, "10.20.0.3", "ipset IP must be set")
-		}
+		rule2, err = manager.AddFilterRule(nil, pfx(ip.AsSlice()), fw.Network{}, "tcp", port, nil, fw.ActionAccept)
+		require.NoError(t, err, "failed to add rule")
+		require.NotNil(t, rule2)
+		require.Contains(t, rule2.(*Rule).specs, "-s",
+			"single-source rule should use direct -s match, not an ipset")
+		require.Empty(t, findSets(rule2.(*Rule).specs),
+			"single-source rule should not allocate a shared ipset")
 	})

-	t.Run("delete second rule", func(t *testing.T) {
-		for _, r := range rule2 {
-			err := manager.DeletePeerRule(r)
-			require.NoError(t, err, "failed to delete rule")
+	t.Run("delete single-source rule", func(t *testing.T) {
+		require.NoError(t, manager.DeleteFilterRule(rule2), "failed to delete rule")
+	})

-			require.Empty(t, manager.aclMgr.ipsetStore.ipsets, "rulesets index after removed second rule must be empty")
+	t.Run("multi-source uses shared ipset", func(t *testing.T) {
+		sources := []netip.Prefix{
+			netip.PrefixFrom(netip.MustParseAddr("10.20.0.3"), 32),
+			netip.PrefixFrom(netip.MustParseAddr("10.20.0.4"), 32),
+			netip.PrefixFrom(netip.MustParseAddr("10.20.0.5"), 32),
 		}
+		port := &fw.Port{Values: []uint16{8080}}
+		multi, err := manager.AddFilterRule(nil, sources, fw.Network{}, "tcp", nil, port, fw.ActionAccept)
+		require.NoError(t, err, "failed to add multi-source rule")
+		require.NotNil(t, multi, "multi-source rule must produce one iptables rule")
+		sets := findSets(multi.(*Rule).specs)
+		require.Len(t, sets, 1, "multi-source rule must reference exactly one ipset")
+
+		require.NoError(t, manager.DeleteFilterRule(multi))
 	})

 	t.Run("reset check", func(t *testing.T) {
@@ -281,7 +289,7 @@ func TestIptablesCreatePerformance(t *testing.T) {
 			start := time.Now()
 			for i := 0; i < testMax; i++ {
 				port := &fw.Port{Values: []uint16{uint16(1000 + i)}}
-				_, err = manager.AddPeerFiltering(nil, ip.AsSlice(), "tcp", nil, port, fw.ActionAccept, "")
+				_, err = manager.AddFilterRule(nil, pfx(ip.AsSlice()), fw.Network{}, "tcp", nil, port, fw.ActionAccept)

 				require.NoError(t, err, "failed to add rule")
 			}
--- a/client/firewall/iptables/router_linux.go
+++ b/client/firewall/iptables/router_linux.go
--- a/client/firewall/iptables/router_linux_test.go
+++ b/client/firewall/iptables/router_linux_test.go
@@ -1,4 +1,4 @@
-//go:build !android
+//go:build integration && !android

 package iptables

@@ -31,7 +31,7 @@ func TestIptablesManager_RestoreOrCreateContainers(t *testing.T) {
 	iptablesClient, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 	require.NoError(t, err, "failed to init iptables client")

-	manager, err := newRouter(iptablesClient, ifaceMock, iface.DefaultMTU)
+	manager, err := newFamily(iptablesClient, ifaceMock, iface.DefaultMTU)
 	require.NoError(t, err, "should return a valid iptables manager")
 	require.NoError(t, manager.init(nil))

@@ -52,12 +52,12 @@ func TestIptablesManager_RestoreOrCreateContainers(t *testing.T) {
 	// 11. MSS clamping rule for outbound traffic
 	require.Len(t, manager.rules, 11, "should have created rules map")

-	exists, err := manager.iptablesClient.Exists(tableNat, chainPOSTROUTING, "-j", chainRTNAT)
-	require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableNat, chainPOSTROUTING)
+	exists, err := manager.iptablesClient.Exists(tableNat, chainPostrouting, "-j", chainRTNAT)
+	require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableNat, chainPostrouting)
 	require.True(t, exists, "postrouting jump rule should exist")

-	exists, err = manager.iptablesClient.Exists(tableMangle, chainPREROUTING, "-j", chainRTPRE)
-	require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableMangle, chainPREROUTING)
+	exists, err = manager.iptablesClient.Exists(tableMangle, chainPrerouting, "-j", chainRTPre)
+	require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableMangle, chainPrerouting)
 	require.True(t, exists, "prerouting jump rule should exist")

 	pair := firewall.RouterPair{
@@ -84,7 +84,7 @@ func TestIptablesManager_AddNatRule(t *testing.T) {
 			iptablesClient, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 			require.NoError(t, err, "failed to init iptables client")

-			manager, err := newRouter(iptablesClient, ifaceMock, iface.DefaultMTU)
+			manager, err := newFamily(iptablesClient, ifaceMock, iface.DefaultMTU)
 			require.NoError(t, err, "shouldn't return error")
 			require.NoError(t, manager.init(nil))

@@ -95,7 +95,7 @@ func TestIptablesManager_AddNatRule(t *testing.T) {
 			err = manager.AddNatRule(testCase.InputPair)
 			require.NoError(t, err, "marking rule should be inserted")

-			natRuleKey := firewall.GenKey(firewall.NatFormat, testCase.InputPair)
+			natRuleKey := testCase.InputPair.GenKey(firewall.NatFormat)
 			markingRule := []string{
 				"-i", ifaceMock.Name(),
 				"-m", "conntrack",
@@ -106,8 +106,8 @@ func TestIptablesManager_AddNatRule(t *testing.T) {
 				fmt.Sprintf("%#x", nbnet.PreroutingFwmarkMasquerade),
 			}

-			exists, err := iptablesClient.Exists(tableMangle, chainRTPRE, markingRule...)
-			require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableMangle, chainRTPRE)
+			exists, err := iptablesClient.Exists(tableMangle, chainRTPre, markingRule...)
+			require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableMangle, chainRTPre)
 			if testCase.InputPair.Masquerade {
 				require.True(t, exists, "marking rule should be created")
 				foundRule, found := manager.rules[natRuleKey]
@@ -121,7 +121,7 @@ func TestIptablesManager_AddNatRule(t *testing.T) {

 			// Check inverse rule
 			inversePair := firewall.GetInversePair(testCase.InputPair)
-			inverseRuleKey := firewall.GenKey(firewall.NatFormat, inversePair)
+			inverseRuleKey := inversePair.GenKey(firewall.NatFormat)
 			inverseMarkingRule := []string{
 				"!", "-i", ifaceMock.Name(),
 				"-m", "conntrack",
@@ -132,8 +132,8 @@ func TestIptablesManager_AddNatRule(t *testing.T) {
 				fmt.Sprintf("%#x", nbnet.PreroutingFwmarkMasqueradeReturn),
 			}

-			exists, err = iptablesClient.Exists(tableMangle, chainRTPRE, inverseMarkingRule...)
-			require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableMangle, chainRTPRE)
+			exists, err = iptablesClient.Exists(tableMangle, chainRTPre, inverseMarkingRule...)
+			require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableMangle, chainRTPre)
 			if testCase.InputPair.Masquerade {
 				require.True(t, exists, "inverse marking rule should be created")
 				foundRule, found := manager.rules[inverseRuleKey]
@@ -157,7 +157,7 @@ func TestIptablesManager_RemoveNatRule(t *testing.T) {
 		t.Run(testCase.Name, func(t *testing.T) {
 			iptablesClient, _ := iptables.NewWithProtocol(iptables.ProtocolIPv4)

-			manager, err := newRouter(iptablesClient, ifaceMock, iface.DefaultMTU)
+			manager, err := newFamily(iptablesClient, ifaceMock, iface.DefaultMTU)
 			require.NoError(t, err, "shouldn't return error")
 			require.NoError(t, manager.init(nil))
 			defer func() {
@@ -170,7 +170,7 @@ func TestIptablesManager_RemoveNatRule(t *testing.T) {
 			err = manager.RemoveNatRule(testCase.InputPair)
 			require.NoError(t, err, "shouldn't return error")

-			natRuleKey := firewall.GenKey(firewall.NatFormat, testCase.InputPair)
+			natRuleKey := testCase.InputPair.GenKey(firewall.NatFormat)
 			markingRule := []string{
 				"-i", ifaceMock.Name(),
 				"-m", "conntrack",
@@ -181,8 +181,8 @@ func TestIptablesManager_RemoveNatRule(t *testing.T) {
 				fmt.Sprintf("%#x", nbnet.PreroutingFwmarkMasquerade),
 			}

-			exists, err := iptablesClient.Exists(tableMangle, chainRTPRE, markingRule...)
-			require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableMangle, chainRTPRE)
+			exists, err := iptablesClient.Exists(tableMangle, chainRTPre, markingRule...)
+			require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableMangle, chainRTPre)
 			require.False(t, exists, "marking rule should not exist")

 			_, found := manager.rules[natRuleKey]
@@ -190,7 +190,7 @@ func TestIptablesManager_RemoveNatRule(t *testing.T) {

 			// Check inverse rule removal
 			inversePair := firewall.GetInversePair(testCase.InputPair)
-			inverseRuleKey := firewall.GenKey(firewall.NatFormat, inversePair)
+			inverseRuleKey := inversePair.GenKey(firewall.NatFormat)
 			inverseMarkingRule := []string{
 				"!", "-i", ifaceMock.Name(),
 				"-m", "conntrack",
@@ -201,8 +201,8 @@ func TestIptablesManager_RemoveNatRule(t *testing.T) {
 				fmt.Sprintf("%#x", nbnet.PreroutingFwmarkMasqueradeReturn),
 			}

-			exists, err = iptablesClient.Exists(tableMangle, chainRTPRE, inverseMarkingRule...)
-			require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableMangle, chainRTPRE)
+			exists, err = iptablesClient.Exists(tableMangle, chainRTPre, inverseMarkingRule...)
+			require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableMangle, chainRTPre)
 			require.False(t, exists, "inverse marking rule should not exist")

 			_, found = manager.rules[inverseRuleKey]
@@ -219,13 +219,13 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 	iptablesClient, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 	require.NoError(t, err, "Failed to create iptables client")

-	r, err := newRouter(iptablesClient, ifaceMock, iface.DefaultMTU)
-	require.NoError(t, err, "Failed to create router manager")
+	r, err := newFamily(iptablesClient, ifaceMock, iface.DefaultMTU)
+	require.NoError(t, err, "Failed to create family manager")
 	require.NoError(t, r.init(nil))

 	defer func() {
 		err := r.Reset()
-		require.NoError(t, err, "Failed to reset router")
+		require.NoError(t, err, "Failed to reset family")
 	}()

 	tests := []struct {
@@ -334,62 +334,30 @@ func TestRouter_AddRouteFiltering(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			ruleKey, err := r.AddRouteFiltering(nil, tt.sources, firewall.Network{Prefix: tt.destination}, tt.proto, tt.sPort, tt.dPort, tt.action)
-			require.NoError(t, err, "AddRouteFiltering failed")
+			ruleKey, err := r.AddFilterRule(nil, tt.sources, firewall.Network{Prefix: tt.destination}, tt.proto, tt.sPort, tt.dPort, tt.action)
+			require.NoError(t, err, "AddFilterRule failed")

-			// Check if the rule is in the internal map
-			rule, ok := r.rules[ruleKey.ID()]
-			assert.True(t, ok, "Rule not found in internal map")
+			stored, ok := r.filters[ruleKey.ID()]
+			require.True(t, ok, "rule not stored in filters")
+			t.Logf("Internal rule: %v", stored.specs)

-			// Log the internal rule
-			t.Logf("Internal rule: %v", rule)
-
-			// Check if the rule exists in iptables
-			exists, err := iptablesClient.Exists(tableFilter, chainRTFWDIN, rule...)
+			exists, err := iptablesClient.Exists(tableFilter, chainRTFwdIn, stored.specs...)
 			assert.NoError(t, err, "Failed to check rule existence")
 			assert.True(t, exists, "Rule not found in iptables")

-			var source firewall.Network
-			if len(tt.sources) > 1 {
-				source.Set = firewall.NewPrefixSet(tt.sources)
-			} else if len(tt.sources) > 0 {
-				source.Prefix = tt.sources[0]
-			}
-			// Verify rule content
-			params := routeFilteringRuleParams{
-				Source:      source,
-				Destination: firewall.Network{Prefix: tt.destination},
-				Proto:       tt.proto,
-				SPort:       tt.sPort,
-				DPort:       tt.dPort,
-				Action:      tt.action,
-			}
-
-			expectedRule, err := r.genRouteRuleSpec(params, nil)
-			require.NoError(t, err, "Failed to generate expected rule spec")
-
 			if tt.expectSet {
 				setName := firewall.NewPrefixSet(tt.sources).HashedName()
-				expectedRule, err = r.genRouteRuleSpec(params, nil)
-				require.NoError(t, err, "Failed to generate expected rule spec with set")
-
-				// Check if the set was created
 				_, exists := r.ipsetCounter.Get(setName)
 				assert.True(t, exists, "IPSet not created")
+				assert.NotEmpty(t, findSets(stored.specs), "Rule should reference an ipset")
 			}

-			assert.Equal(t, expectedRule, rule, "Rule content mismatch")
-
-			// Clean up
-			err = r.DeleteRouteRule(ruleKey)
-			require.NoError(t, err, "Failed to delete rule")
+			require.NoError(t, r.DeleteFilterRule(ruleKey), "Failed to delete rule")
 		})
 	}
 }

 func TestFindSetNameInRule(t *testing.T) {
-	r := &router{}
-
 	testCases := []struct {
 		name     string
 		rule     []string
@@ -430,7 +398,7 @@ func TestFindSetNameInRule(t *testing.T) {

 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			result := r.findSets(tc.rule)
+			result := findSets(tc.rule)

 			if len(result) != len(tc.expected) {
 				t.Errorf("Expected %d sets, got %d. Sets found: %v", len(tc.expected), len(result), result)
--- a/client/firewall/iptables/routing_linux.go
+++ b/client/firewall/iptables/routing_linux.go
@@ -0,0 +1,269 @@
+//go:build !android
+
+package iptables
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/hashicorp/go-multierror"
+	log "github.com/sirupsen/logrus"
+
+	nberrors "github.com/netbirdio/netbird/client/errors"
+	firewall "github.com/netbirdio/netbird/client/firewall/manager"
+	nbnet "github.com/netbirdio/netbird/client/net"
+)
+
+func (r *family) AddNatRule(pair firewall.RouterPair) error {
+	if r.legacyManagement {
+		log.Warnf("This peer is connected to a NetBird Management service with an older version. Allowing all traffic for %s", pair.Destination)
+		if err := r.addLegacyRouteRule(pair); err != nil {
+			return fmt.Errorf("add legacy routing rule: %w", err)
+		}
+	}
+
+	if !pair.Masquerade {
+		return nil
+	}
+
+	if err := r.addNatRule(pair); err != nil {
+		return fmt.Errorf("add nat rule: %w", err)
+	}
+
+	if err := r.addNatRule(firewall.GetInversePair(pair)); err != nil {
+		return fmt.Errorf("add inverse nat rule: %w", err)
+	}
+
+	r.updateState()
+
+	return nil
+}
+
+// RemoveNatRule removes an iptables rule pair from forwarding and nat chains
+func (r *family) RemoveNatRule(pair firewall.RouterPair) error {
+	if pair.Masquerade {
+		if err := r.removeNatRule(pair); err != nil {
+			return fmt.Errorf("remove nat rule: %w", err)
+		}
+
+		if err := r.removeNatRule(firewall.GetInversePair(pair)); err != nil {
+			return fmt.Errorf("remove inverse nat rule: %w", err)
+		}
+	}
+
+	if err := r.removeLegacyRouteRule(pair); err != nil {
+		return fmt.Errorf("remove legacy routing rule: %w", err)
+	}
+
+	r.updateState()
+
+	return nil
+}
+
+// addLegacyRouteRule adds a legacy routing rule for mgmt servers pre route acls
+func (r *family) addLegacyRouteRule(pair firewall.RouterPair) error {
+	ruleID := pair.GenKey(firewall.ForwardingFormat)
+
+	if err := r.removeLegacyRouteRule(pair); err != nil {
+		return err
+	}
+
+	rule := []string{"-s", pair.Source.String(), "-d", pair.Destination.String(), "-j", "ACCEPT"}
+	if err := r.iptablesClient.Append(tableFilter, chainRTFwdIn, rule...); err != nil {
+		return fmt.Errorf("add legacy forwarding rule %s -> %s: %w", pair.Source, pair.Destination, err)
+	}
+
+	r.rules[ruleID] = rule
+
+	return nil
+}
+
+func (r *family) removeLegacyRouteRule(pair firewall.RouterPair) error {
+	ruleID := pair.GenKey(firewall.ForwardingFormat)
+
+	if rule, exists := r.rules[ruleID]; exists {
+		if err := r.iptablesClient.DeleteIfExists(tableFilter, chainRTFwdIn, rule...); err != nil {
+			return fmt.Errorf("remove legacy forwarding rule %s -> %s: %w", pair.Source, pair.Destination, err)
+		}
+		delete(r.rules, ruleID)
+
+		if err := r.decrementSetCounter(rule); err != nil {
+			return fmt.Errorf("decrement ipset counter: %w", err)
+		}
+	}
+
+	return nil
+}
+
+// GetLegacyManagement returns the current legacy management mode
+func (r *family) GetLegacyManagement() bool {
+	return r.legacyManagement
+}
+
+// SetLegacyManagement sets the route manager to use legacy management mode
+func (r *family) SetLegacyManagement(isLegacy bool) {
+	r.legacyManagement = isLegacy
+}
+
+// RemoveAllLegacyRouteRules removes all legacy routing rules for mgmt servers pre route acls
+func (r *family) RemoveAllLegacyRouteRules() error {
+	var merr *multierror.Error
+	for k, rule := range r.rules {
+		if !strings.HasPrefix(string(k), firewall.ForwardingFormatPrefix) {
+			continue
+		}
+		if err := r.iptablesClient.DeleteIfExists(tableFilter, chainRTFwdIn, rule...); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("remove legacy forwarding rule: %w", err))
+		} else {
+			delete(r.rules, k)
+		}
+	}
+
+	r.updateState()
+
+	return nberrors.FormatErrorOrNil(merr)
+}
+
+func (r *family) addPostroutingRules() error {
+	// First rule for outbound masquerade
+	rule1 := []string{
+		"-m", "mark", "--mark", fmt.Sprintf("%#x", nbnet.PreroutingFwmarkMasquerade),
+		"!", "-o", "lo",
+		"-j", "MASQUERADE",
+	}
+	if err := r.iptablesClient.Append(tableNat, chainRTNAT, rule1...); err != nil {
+		return fmt.Errorf("add outbound masquerade rule: %w", err)
+	}
+	r.rules["static-nat-outbound"] = rule1
+
+	// Second rule for return traffic masquerade
+	rule2 := []string{
+		"-m", "mark", "--mark", fmt.Sprintf("%#x", nbnet.PreroutingFwmarkMasqueradeReturn),
+		"-o", r.wgIface.Name(),
+		"-j", "MASQUERADE",
+	}
+	if err := r.iptablesClient.Append(tableNat, chainRTNAT, rule2...); err != nil {
+		return fmt.Errorf("add return masquerade rule: %w", err)
+	}
+	r.rules["static-nat-return"] = rule2
+
+	return nil
+}
+
+// addMSSClampingRules adds MSS clamping rules to prevent fragmentation for forwarded traffic.
+func (r *family) addMSSClampingRules() error {
+	overhead := uint16(ipv4TCPHeaderSize)
+	if r.v6 {
+		overhead = ipv6TCPHeaderSize
+	}
+	mss := r.mtu - overhead
+
+	// Add jump rule from FORWARD chain in mangle table to our custom chain
+	jumpRule := []string{
+		"-j", chainRTMSSClamp,
+	}
+	if err := r.iptablesClient.Insert(tableMangle, chainForward, 1, jumpRule...); err != nil {
+		return fmt.Errorf("add jump to MSS clamp chain: %w", err)
+	}
+	r.rules[jumpMSSClamp] = jumpRule
+
+	ruleOut := []string{
+		"-o", r.wgIface.Name(),
+		"-p", "tcp",
+		"--tcp-flags", "SYN,RST", "SYN",
+		"-j", "TCPMSS",
+		"--set-mss", fmt.Sprintf("%d", mss),
+	}
+	if err := r.iptablesClient.Append(tableMangle, chainRTMSSClamp, ruleOut...); err != nil {
+		return fmt.Errorf("add outbound MSS clamp rule: %w", err)
+	}
+	r.rules["mss-clamp-out"] = ruleOut
+
+	return nil
+}
+
+func (r *family) insertEstablishedRule(chain string) error {
+	establishedRule := getConntrackEstablished()
+
+	err := r.iptablesClient.Insert(tableFilter, chain, 1, establishedRule...)
+	if err != nil {
+		return fmt.Errorf("insert established rule: %w", err)
+	}
+
+	ruleID := firewall.RuleID("established-" + chain)
+	r.rules[ruleID] = establishedRule
+
+	return nil
+}
+
+func (r *family) addNatRule(pair firewall.RouterPair) error {
+	ruleID := pair.GenKey(firewall.NatFormat)
+
+	if rule, exists := r.rules[ruleID]; exists {
+		if err := r.iptablesClient.DeleteIfExists(tableMangle, chainRTPre, rule...); err != nil {
+			return fmt.Errorf("remove existing marking rule for %s: %w", pair.Destination, err)
+		}
+		delete(r.rules, ruleID)
+	}
+
+	markValue := nbnet.PreroutingFwmarkMasquerade
+	if pair.Inverse {
+		markValue = nbnet.PreroutingFwmarkMasqueradeReturn
+	}
+
+	rule := []string{"-i", r.wgIface.Name()}
+	if pair.Inverse {
+		rule = []string{"!", "-i", r.wgIface.Name()}
+	}
+
+	rule = append(rule,
+		"-m", "conntrack",
+		"--ctstate", "NEW",
+	)
+	sourceExp, err := r.applyNetwork("-s", pair.Source, nil)
+	if err != nil {
+		return fmt.Errorf("apply network -s: %w", err)
+	}
+	destExp, err := r.applyNetwork("-d", pair.Destination, nil)
+	if err != nil {
+		return fmt.Errorf("apply network -d: %w", err)
+	}
+
+	rule = append(rule, sourceExp...)
+	rule = append(rule, destExp...)
+	rule = append(rule,
+		"-j", "MARK", "--set-mark", fmt.Sprintf("%#x", markValue),
+	)
+
+	// Ensure nat rules come first, so the mark can be overwritten.
+	// Currently overwritten by the dst-type LOCAL rules for redirected traffic.
+	if err := r.iptablesClient.Insert(tableMangle, chainRTPre, 1, rule...); err != nil {
+		r.dropSourceMatch(rule)
+		return fmt.Errorf("add marking rule for %s: %w", pair.Destination, err)
+	}
+
+	r.rules[ruleID] = rule
+
+	r.updateState()
+	return nil
+}
+
+func (r *family) removeNatRule(pair firewall.RouterPair) error {
+	ruleID := pair.GenKey(firewall.NatFormat)
+
+	if rule, exists := r.rules[ruleID]; exists {
+		if err := r.iptablesClient.DeleteIfExists(tableMangle, chainRTPre, rule...); err != nil {
+			return fmt.Errorf("remove marking rule for %s: %w", pair.Destination, err)
+		}
+		delete(r.rules, ruleID)
+
+		if err := r.decrementSetCounter(rule); err != nil {
+			return fmt.Errorf("decrement ipset counter: %w", err)
+		}
+	} else {
+		log.Debugf("marking rule %s not found", ruleID)
+	}
+
+	r.updateState()
+	return nil
+}
--- a/client/firewall/iptables/rule.go
+++ b/client/firewall/iptables/rule.go
@@ -1,17 +1,20 @@
 package iptables

-// Rule to handle management of rules
-type Rule struct {
-	ruleID    string
-	ipsetName string
+import "github.com/netbirdio/netbird/client/firewall/manager"

+// Rule to handle management of rules. Source set membership (when the
+// rule was built against a shared hash:net ipset) is encoded in specs;
+// DeleteFilterRule recovers it via findSets so the refcounter can drop
+// the right reference.
+type Rule struct {
+	id          manager.RuleID
 	specs       []string
 	mangleSpecs []string
-	ip          string
 	chain       string
+	v6          bool
 }

-// GetRuleID returns the rule id
-func (r *Rule) ID() string {
-	return r.ruleID
+// ID returns the rule id
+func (r *Rule) ID() manager.RuleID {
+	return r.id
 }
--- a/client/firewall/iptables/rulestore_linux.go
+++ b/client/firewall/iptables/rulestore_linux.go
@@ -1,103 +0,0 @@
-package iptables
-
-import "encoding/json"
-
-type ipList struct {
-	ips map[string]struct{}
-}
-
-func newIpList(ip string) *ipList {
-	ips := make(map[string]struct{})
-	ips[ip] = struct{}{}
-
-	return &ipList{
-		ips: ips,
-	}
-}
-
-func (s *ipList) addIP(ip string) {
-	s.ips[ip] = struct{}{}
-}
-
-// MarshalJSON implements json.Marshaler
-func (s *ipList) MarshalJSON() ([]byte, error) {
-	return json.Marshal(struct {
-		IPs map[string]struct{} `json:"ips"`
-	}{
-		IPs: s.ips,
-	})
-}
-
-// UnmarshalJSON implements json.Unmarshaler
-func (s *ipList) UnmarshalJSON(data []byte) error {
-	temp := struct {
-		IPs map[string]struct{} `json:"ips"`
-	}{}
-	if err := json.Unmarshal(data, &temp); err != nil {
-		return err
-	}
-	s.ips = temp.IPs
-
-	if temp.IPs == nil {
-		temp.IPs = make(map[string]struct{})
-	}
-
-	return nil
-}
-
-type ipsetStore struct {
-	ipsets map[string]*ipList
-}
-
-func newIpsetStore() *ipsetStore {
-	return &ipsetStore{
-		ipsets: make(map[string]*ipList),
-	}
-}
-
-func (s *ipsetStore) ipset(ipsetName string) (*ipList, bool) {
-	r, ok := s.ipsets[ipsetName]
-	return r, ok
-}
-
-func (s *ipsetStore) addIpList(ipsetName string, list *ipList) {
-	s.ipsets[ipsetName] = list
-}
-
-func (s *ipsetStore) deleteIpset(ipsetName string) {
-	delete(s.ipsets, ipsetName)
-}
-
-func (s *ipsetStore) ipsetNames() []string {
-	names := make([]string, 0, len(s.ipsets))
-	for name := range s.ipsets {
-		names = append(names, name)
-	}
-	return names
-}
-
-// MarshalJSON implements json.Marshaler
-func (s *ipsetStore) MarshalJSON() ([]byte, error) {
-	return json.Marshal(struct {
-		IPSets map[string]*ipList `json:"ipsets"`
-	}{
-		IPSets: s.ipsets,
-	})
-}
-
-// UnmarshalJSON implements json.Unmarshaler
-func (s *ipsetStore) UnmarshalJSON(data []byte) error {
-	temp := struct {
-		IPSets map[string]*ipList `json:"ipsets"`
-	}{}
-	if err := json.Unmarshal(data, &temp); err != nil {
-		return err
-	}
-	s.ipsets = temp.IPSets
-
-	if temp.IPSets == nil {
-		temp.IPSets = make(map[string]*ipList)
-	}
-
-	return nil
-}
--- a/client/firewall/iptables/state_linux.go
+++ b/client/firewall/iptables/state_linux.go
@@ -4,6 +4,8 @@ import (
 	"fmt"
 	"sync"

+	log "github.com/sirupsen/logrus"
+
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
@@ -27,11 +29,13 @@ type ShutdownState struct {

 	InterfaceState *InterfaceState `json:"interface_state,omitempty"`

-	RouteRules        routeRules    `json:"route_rules,omitempty"`
-	RouteIPsetCounter *ipsetCounter `json:"route_ipset_counter,omitempty"`
+	RouteRules         routeRules    `json:"route_rules,omitempty"`
+	RouteRules6        routeRules    `json:"route_rules_v6,omitempty"`
+	RouteIPsetCounter  *ipsetCounter `json:"route_ipset_counter,omitempty"`
+	RouteIPsetCounter6 *ipsetCounter `json:"route_ipset_counter_v6,omitempty"`

-	ACLEntries    aclEntries  `json:"acl_entries,omitempty"`
-	ACLIPsetStore *ipsetStore `json:"acl_ipset_store,omitempty"`
+	ACLEntries  aclEntries `json:"acl_entries,omitempty"`
+	ACLEntries6 aclEntries `json:"acl_entries_v6,omitempty"`
 }

 func (s *ShutdownState) Name() string {
@@ -49,17 +53,33 @@ func (s *ShutdownState) Cleanup() error {
 	}

 	if s.RouteRules != nil {
-		ipt.router.rules = s.RouteRules
+		ipt.family4.rules = s.RouteRules
 	}
 	if s.RouteIPsetCounter != nil {
-		ipt.router.ipsetCounter.LoadData(s.RouteIPsetCounter)
+		ipt.family4.ipsetCounter.LoadData(s.RouteIPsetCounter)
 	}

 	if s.ACLEntries != nil {
-		ipt.aclMgr.entries = s.ACLEntries
+		ipt.family4.entries = s.ACLEntries
 	}
-	if s.ACLIPsetStore != nil {
-		ipt.aclMgr.ipsetStore = s.ACLIPsetStore
+
+	// Clean up v6 state even if the current run has no IPv6.
+	// The previous run may have left ip6tables rules behind.
+	if !ipt.hasIPv6() {
+		if err := ipt.createIPv6Components(s.InterfaceState, mtu); err != nil {
+			log.Warnf("failed to create v6 components for cleanup: %v", err)
+		}
+	}
+	if ipt.hasIPv6() {
+		if s.RouteRules6 != nil {
+			ipt.family6.rules = s.RouteRules6
+		}
+		if s.RouteIPsetCounter6 != nil {
+			ipt.family6.ipsetCounter.LoadData(s.RouteIPsetCounter6)
+		}
+		if s.ACLEntries6 != nil {
+			ipt.family6.entries = s.ACLEntries6
+		}
 	}

 	if err := ipt.Close(nil); err != nil {
--- a/client/firewall/iptables/testhelpers_linux_test.go
+++ b/client/firewall/iptables/testhelpers_linux_test.go
@@ -0,0 +1,27 @@
+//go:build integration && !android
+
+package iptables
+
+import (
+	"fmt"
+	"net"
+	"net/netip"
+)
+
+func pfx(ip net.IP) []netip.Prefix {
+	if ip == nil {
+		return []netip.Prefix{netip.PrefixFrom(netip.IPv4Unspecified(), 0)}
+	}
+	if ip.IsUnspecified() {
+		if ip.To4() != nil {
+			return []netip.Prefix{netip.PrefixFrom(netip.IPv4Unspecified(), 0)}
+		}
+		return []netip.Prefix{netip.PrefixFrom(netip.IPv6Unspecified(), 0)}
+	}
+	a, ok := netip.AddrFromSlice(ip)
+	if !ok {
+		panic(fmt.Sprintf("invalid IP length: %d", len(ip)))
+	}
+	a = a.Unmap()
+	return []netip.Prefix{netip.PrefixFrom(a, a.BitLen())}
+}
--- a/client/firewall/manager/firewall.go
+++ b/client/firewall/manager/firewall.go
@@ -1,8 +1,8 @@
 package manager

 import (
+	"errors"
 	"fmt"
-	"net"
 	"net/netip"
 	"sort"

@@ -11,6 +11,16 @@ import (
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )

+// ErrIPv6NotInitialized is returned when an IPv6 address is passed to a firewall
+// method but the IPv6 firewall components were not initialized.
+var ErrIPv6NotInitialized = errors.New("IPv6 firewall not initialized")
+
+// ErrNoSources is returned when AddFilterRule is called with an empty
+// source list. "Match any source" must be expressed explicitly with a
+// /0 prefix; an empty list is a caller error and is rejected rather
+// than silently widening the rule to every source.
+var ErrNoSources = errors.New("rule has no sources")
+
 const (
 	ForwardingFormatPrefix = "netbird-fwd-"
 	ForwardingFormat       = "netbird-fwd-%s-%t"
@@ -18,13 +28,18 @@ const (
 	NatFormat              = "netbird-nat-%s-%t"
 )

+// RuleID identifies a firewall rule. It is a typed string so the
+// compiler catches accidental mixing with arbitrary string keys. It is
+// only an identifier and does not implement Rule.
+type RuleID string
+
 // Rule abstraction should be implemented by each firewall manager
 //
 // Each firewall type for different OS can use different type
 // of the properties to hold data of the created rule
 type Rule interface {
 	// ID returns the rule id
-	ID() string
+	ID() RuleID
 }

 // RuleDirection is the traffic direction which a rule is applied
@@ -86,6 +101,13 @@ func (d Network) IsPrefix() bool {
 	return d.Prefix.IsValid()
 }

+// IsZero returns true if the network designates no destination, i.e. it
+// is the zero value. A zero Network is the peer-rule sentinel; a non-zero
+// one carries a prefix or set destination.
+func (d Network) IsZero() bool {
+	return !d.IsPrefix() && !d.IsSet()
+}
+
 // Manager is the high level abstraction of a firewall manager
 //
 // It declares methods which handle actions required by the
@@ -96,43 +118,42 @@ type Manager interface {
 	// AllowNetbird allows netbird interface traffic
 	AllowNetbird() error

-	// AddPeerFiltering adds a rule to the firewall
+	// AddFilterRule adds a packet-filtering rule to the firewall.
 	//
-	// If comment argument is empty firewall manager should set
-	// rule ID as comment for the rule
+	// If destination is the zero Network, the rule applies to traffic
+	// inbound to this node, i.e. peer ACL semantics, installed in
+	// the kernel's input chain. If destination is set (prefix or
+	// set), the rule applies to forwarded traffic with that
+	// destination, route ACL semantics, installed in the forward
+	// chain.
 	//
-	// Note: Callers should call Flush() after adding rules to ensure
-	// they are applied to the kernel and rule handles are refreshed.
-	AddPeerFiltering(
+	// sources must be a single address family; the caller splits mixed
+	// families and calls once per family. "Match any source" must be
+	// expressed with an explicit /0 prefix; an empty sources list is
+	// rejected with ErrNoSources so a zeroed list can never widen a
+	// rule to every source.
+	//
+	// Note: callers should call Flush() after adding rules.
+	AddFilterRule(
 		id []byte,
-		ip net.IP,
+		sources []netip.Prefix,
+		destination Network,
 		proto Protocol,
 		sPort *Port,
 		dPort *Port,
 		action Action,
-		ipsetName string,
-	) ([]Rule, error)
+	) (Rule, error)

-	// DeletePeerRule from the firewall by rule definition
-	DeletePeerRule(rule Rule) error
+	// DeleteFilterRule removes a filtering rule previously added via
+	// AddFilterRule. The rule's own type identifies whether it lives
+	// in the peer (input) or route (forward) path.
+	DeleteFilterRule(rule Rule) error

 	// IsServerRouteSupported returns true if the firewall supports server side routing operations
 	IsServerRouteSupported() bool

 	IsStateful() bool

-	AddRouteFiltering(
-		id []byte,
-		sources []netip.Prefix,
-		destination Network,
-		proto Protocol,
-		sPort, dPort *Port,
-		action Action,
-	) (Rule, error)
-
-	// DeleteRouteRule deletes a routing rule
-	DeleteRouteRule(rule Rule) error
-
 	// AddNatRule inserts a routing NAT rule
 	AddNatRule(pair RouterPair) error

@@ -164,26 +185,25 @@ type Manager interface {
 	UpdateSet(hash Set, prefixes []netip.Prefix) error

 	// AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services
-	AddInboundDNAT(localAddr netip.Addr, protocol Protocol, sourcePort, targetPort uint16) error
+	AddInboundDNAT(localAddr netip.Addr, protocol Protocol, originalPort, translatedPort uint16) error

 	// RemoveInboundDNAT removes inbound DNAT rule
-	RemoveInboundDNAT(localAddr netip.Addr, protocol Protocol, sourcePort, targetPort uint16) error
+	RemoveInboundDNAT(localAddr netip.Addr, protocol Protocol, originalPort, translatedPort uint16) error

 	// AddOutputDNAT adds an OUTPUT chain DNAT rule for locally-generated traffic.
-	// localAddr must be IPv4; the underlying iptables/nftables backends are IPv4-only.
-	AddOutputDNAT(localAddr netip.Addr, protocol Protocol, sourcePort, targetPort uint16) error
+	AddOutputDNAT(localAddr netip.Addr, protocol Protocol, originalPort, translatedPort uint16) error

 	// RemoveOutputDNAT removes an OUTPUT chain DNAT rule.
-	// localAddr must be IPv4; the underlying iptables/nftables backends are IPv4-only.
-	RemoveOutputDNAT(localAddr netip.Addr, protocol Protocol, sourcePort, targetPort uint16) error
+	RemoveOutputDNAT(localAddr netip.Addr, protocol Protocol, originalPort, translatedPort uint16) error

 	// SetupEBPFProxyNoTrack creates static notrack rules for eBPF proxy loopback traffic.
 	// This prevents conntrack from interfering with WireGuard proxy communication.
 	SetupEBPFProxyNoTrack(proxyPort, wgPort uint16) error
 }

-func GenKey(format string, pair RouterPair) string {
-	return fmt.Sprintf(format, pair.ID, pair.Inverse)
+// GenKey builds the rule id for this pair from the given format.
+func (p RouterPair) GenKey(format string) RuleID {
+	return RuleID(fmt.Sprintf(format, p.ID, p.Inverse))
 }

 // LegacyManager defines the interface for legacy management operations
@@ -239,6 +259,20 @@ func MergeIPRanges(prefixes []netip.Prefix) []netip.Prefix {
 	return merged
 }

+// UnmapPrefix normalizes a v4-mapped v6 prefix (::ffff:a.b.c.d) to its
+// plain v4 form, shifting the prefix length out of the 96-bit mapped
+// range. Other prefixes are returned unchanged. Keeping prefixes
+// unmapped ensures v4 rules match consistently and the match builders
+// read the correct address length.
+func UnmapPrefix(p netip.Prefix) netip.Prefix {
+	addr := p.Addr()
+	if !addr.Is4In6() {
+		return p
+	}
+	bits := max(p.Bits()-96, 0)
+	return netip.PrefixFrom(addr.Unmap(), bits)
+}
+
 // SortPrefixes sorts the given slice of netip.Prefix in place.
 // It sorts first by IP address, then by prefix length (most specific to least specific).
 func SortPrefixes(prefixes []netip.Prefix) {
--- a/client/firewall/manager/forward_rule.go
+++ b/client/firewall/manager/forward_rule.go
@@ -13,13 +13,13 @@ type ForwardRule struct {
 	TranslatedPort    Port
 }

-func (r ForwardRule) ID() string {
+func (r ForwardRule) ID() RuleID {
 	id := fmt.Sprintf("%s;%s;%s;%s",
 		r.Protocol,
 		r.DestinationPort.String(),
 		r.TranslatedAddress.String(),
 		r.TranslatedPort.String())
-	return id
+	return RuleID(id)
 }

 func (r ForwardRule) String() string {
--- a/client/firewall/manager/routerpair.go
+++ b/client/firewall/manager/routerpair.go
@@ -1,6 +1,8 @@
 package manager

 import (
+	"net/netip"
+
 	"github.com/netbirdio/netbird/route"
 )

@@ -10,6 +12,10 @@ type RouterPair struct {
 	Destination Network
 	Masquerade  bool
 	Inverse     bool
+	// Dynamic indicates the route is domain-based. NAT rules for dynamic
+	// routes are duplicated to the v6 table so that resolved AAAA records
+	// are masqueraded correctly.
+	Dynamic bool
 }

 func GetInversePair(pair RouterPair) RouterPair {
@@ -20,5 +26,17 @@ func GetInversePair(pair RouterPair) RouterPair {
 		Destination: pair.Source,
 		Masquerade:  pair.Masquerade,
 		Inverse:     true,
+		Dynamic:     pair.Dynamic,
 	}
 }
+
+// ToV6NatPair creates a v6 counterpart of a v4 NAT pair with `::/0` source
+// and, for prefix destinations, `::/0` destination.
+func ToV6NatPair(pair RouterPair) RouterPair {
+	v6 := pair
+	v6.Source = Network{Prefix: netip.PrefixFrom(netip.IPv6Unspecified(), 0)}
+	if v6.Destination.IsPrefix() {
+		v6.Destination = Network{Prefix: netip.PrefixFrom(netip.IPv6Unspecified(), 0)}
+	}
+	return v6
+}
--- a/client/firewall/manager/set.go
+++ b/client/firewall/manager/set.go
@@ -40,7 +40,7 @@ func (h Set) Comment() string {

 // NewPrefixSet generates a unique name for an ipset based on the given prefixes.
 func NewPrefixSet(prefixes []netip.Prefix) Set {
-	// sort for consistent naming
+	prefixes = slices.Clone(prefixes)
 	SortPrefixes(prefixes)

 	hash := sha256.New()
--- a/client/firewall/nftables/acl_linux.go
+++ b/client/firewall/nftables/acl_linux.go
@@ -1,721 +0,0 @@
-package nftables
-
-import (
-	"bytes"
-	"fmt"
-	"net"
-	"slices"
-	"strconv"
-	"strings"
-	"time"
-
-	"github.com/google/nftables"
-	"github.com/google/nftables/binaryutil"
-	"github.com/google/nftables/expr"
-	log "github.com/sirupsen/logrus"
-	"golang.org/x/sys/unix"
-
-	firewall "github.com/netbirdio/netbird/client/firewall/manager"
-	nbnet "github.com/netbirdio/netbird/client/net"
-)
-
-const (
-
-	// rules chains contains the effective ACL rules
-	chainNameInputRules = "netbird-acl-input-rules"
-
-	// filter chains contains the rules that jump to the rules chains
-	chainNameInputFilter       = "netbird-acl-input-filter"
-	chainNameForwardFilter     = "netbird-acl-forward-filter"
-	chainNameManglePrerouting  = "netbird-mangle-prerouting"
-	chainNameManglePostrouting = "netbird-mangle-postrouting"
-)
-
-const flushError = "flush: %w"
-
-var (
-	anyIP = []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
-)
-
-type AclManager struct {
-	rConn              *nftables.Conn
-	sConn              *nftables.Conn
-	wgIface            iFaceMapper
-	routingFwChainName string
-
-	workTable       *nftables.Table
-	chainInputRules *nftables.Chain
-	chainPrerouting *nftables.Chain
-
-	ipsetStore *ipsetStore
-	rules      map[string]*Rule
-}
-
-func newAclManager(table *nftables.Table, wgIface iFaceMapper, routingFwChainName string) (*AclManager, error) {
-	// sConn is used for creating sets and adding/removing elements from them
-	// it's differ then rConn (which does create new conn for each flush operation)
-	// and is permanent. Using same connection for both type of operations
-	// overloads netlink with high amount of rules ( > 10000)
-	sConn, err := nftables.New(nftables.AsLasting())
-	if err != nil {
-		return nil, fmt.Errorf("create nf conn: %w", err)
-	}
-
-	return &AclManager{
-		rConn:              &nftables.Conn{},
-		sConn:              sConn,
-		wgIface:            wgIface,
-		workTable:          table,
-		routingFwChainName: routingFwChainName,
-
-		ipsetStore: newIpsetStore(),
-		rules:      make(map[string]*Rule),
-	}, nil
-}
-
-func (m *AclManager) init(workTable *nftables.Table) error {
-	m.workTable = workTable
-	return m.createDefaultChains()
-}
-
-// AddPeerFiltering rule to the firewall
-//
-// If comment argument is empty firewall manager should set
-// rule ID as comment for the rule
-func (m *AclManager) AddPeerFiltering(
-	id []byte,
-	ip net.IP,
-	proto firewall.Protocol,
-	sPort *firewall.Port,
-	dPort *firewall.Port,
-	action firewall.Action,
-	ipsetName string,
-) ([]firewall.Rule, error) {
-	var ipset *nftables.Set
-	if ipsetName != "" {
-		var err error
-		ipset, err = m.addIpToSet(ipsetName, ip)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	newRules := make([]firewall.Rule, 0, 2)
-	ioRule, err := m.addIOFiltering(ip, proto, sPort, dPort, action, ipset)
-	if err != nil {
-		return nil, err
-	}
-
-	newRules = append(newRules, ioRule)
-	return newRules, nil
-}
-
-// DeletePeerRule from the firewall by rule definition
-func (m *AclManager) DeletePeerRule(rule firewall.Rule) error {
-	r, ok := rule.(*Rule)
-	if !ok {
-		return fmt.Errorf("invalid rule type")
-	}
-
-	if r.nftSet == nil {
-		if err := m.rConn.DelRule(r.nftRule); err != nil {
-			log.Errorf("failed to delete rule: %v", err)
-		}
-		if r.mangleRule != nil {
-			if err := m.rConn.DelRule(r.mangleRule); err != nil {
-				log.Errorf("failed to delete mangle rule: %v", err)
-			}
-		}
-		delete(m.rules, r.ID())
-		return m.rConn.Flush()
-	}
-
-	ips, ok := m.ipsetStore.ips(r.nftSet.Name)
-	if !ok {
-		if err := m.rConn.DelRule(r.nftRule); err != nil {
-			log.Errorf("failed to delete rule: %v", err)
-		}
-		if r.mangleRule != nil {
-			if err := m.rConn.DelRule(r.mangleRule); err != nil {
-				log.Errorf("failed to delete mangle rule: %v", err)
-			}
-		}
-		delete(m.rules, r.ID())
-		return m.rConn.Flush()
-	}
-
-	if _, ok := ips[r.ip.String()]; ok {
-		err := m.sConn.SetDeleteElements(r.nftSet, []nftables.SetElement{{Key: r.ip.To4()}})
-		if err != nil {
-			log.Errorf("delete elements for set %q: %v", r.nftSet.Name, err)
-		}
-		if err := m.sConn.Flush(); err != nil {
-			log.Debugf("flush error of set delete element, %s", r.nftSet.Name)
-			return err
-		}
-		m.ipsetStore.DeleteIpFromSet(r.nftSet.Name, r.ip)
-	}
-
-	// if after delete, set still contains other IPs,
-	// no need to delete firewall rule and we should exit here
-	if len(ips) > 0 {
-		return nil
-	}
-
-	if err := m.rConn.DelRule(r.nftRule); err != nil {
-		log.Errorf("failed to delete rule: %v", err)
-	}
-	if r.mangleRule != nil {
-		if err := m.rConn.DelRule(r.mangleRule); err != nil {
-			log.Errorf("failed to delete mangle rule: %v", err)
-		}
-	}
-
-	if err := m.rConn.Flush(); err != nil {
-		return err
-	}
-
-	delete(m.rules, r.ID())
-	m.ipsetStore.DeleteReferenceFromIpSet(r.nftSet.Name)
-
-	if m.ipsetStore.HasReferenceToSet(r.nftSet.Name) {
-		return nil
-	}
-
-	// we delete last IP from the set, that means we need to delete
-	// set itself and associated firewall rule too
-	m.rConn.FlushSet(r.nftSet)
-	m.rConn.DelSet(r.nftSet)
-	m.ipsetStore.deleteIpset(r.nftSet.Name)
-	return nil
-}
-
-// createDefaultAllowRules creates default allow rules for the input and output chains
-func (m *AclManager) createDefaultAllowRules() error {
-	expIn := []expr.Any{
-		&expr.Verdict{
-			Kind: expr.VerdictAccept,
-		},
-	}
-
-	_ = m.rConn.InsertRule(&nftables.Rule{
-		Table:    m.workTable,
-		Chain:    m.chainInputRules,
-		Position: 0,
-		Exprs:    expIn,
-	})
-
-	if err := m.rConn.Flush(); err != nil {
-		return fmt.Errorf(flushError, err)
-	}
-	return nil
-}
-
-// Flush rule/chain/set operations from the buffer
-//
-// Method also get all rules after flush and refreshes handle values in the rulesets
-func (m *AclManager) Flush() error {
-	if err := m.flushWithBackoff(); err != nil {
-		return err
-	}
-
-	if err := m.refreshRuleHandles(m.chainInputRules, false); err != nil {
-		log.Errorf("failed to refresh rule handles ipv4 input chain: %v", err)
-	}
-	if err := m.refreshRuleHandles(m.chainPrerouting, true); err != nil {
-		log.Errorf("failed to refresh rule handles prerouting chain: %v", err)
-	}
-
-	return nil
-}
-
-func (m *AclManager) addIOFiltering(
-	ip net.IP,
-	proto firewall.Protocol,
-	sPort *firewall.Port,
-	dPort *firewall.Port,
-	action firewall.Action,
-	ipset *nftables.Set,
-) (*Rule, error) {
-	ruleId := generatePeerRuleId(ip, proto, sPort, dPort, action, ipset)
-	if r, ok := m.rules[ruleId]; ok {
-		return &Rule{
-			nftRule:    r.nftRule,
-			mangleRule: r.mangleRule,
-			nftSet:     r.nftSet,
-			ruleID:     r.ruleID,
-			ip:         ip,
-		}, nil
-	}
-
-	var expressions []expr.Any
-
-	if proto != firewall.ProtocolALL {
-		expressions = append(expressions, &expr.Payload{
-			DestRegister: 1,
-			Base:         expr.PayloadBaseNetworkHeader,
-			Offset:       uint32(9),
-			Len:          uint32(1),
-		})
-
-		protoData, err := protoToInt(proto)
-		if err != nil {
-			return nil, fmt.Errorf("convert protocol to number: %v", err)
-		}
-
-		expressions = append(expressions, &expr.Cmp{
-			Register: 1,
-			Op:       expr.CmpOpEq,
-			Data:     []byte{protoData},
-		})
-	}
-
-	rawIP := ip.To4()
-	// check if rawIP contains zeroed IPv4 0.0.0.0 value
-	// in that case not add IP match expression into the rule definition
-	if !bytes.HasPrefix(anyIP, rawIP) {
-		// source address position
-		addrOffset := uint32(12)
-
-		expressions = append(expressions,
-			&expr.Payload{
-				DestRegister: 1,
-				Base:         expr.PayloadBaseNetworkHeader,
-				Offset:       addrOffset,
-				Len:          4,
-			},
-		)
-		// add individual IP for match if no ipset defined
-		if ipset == nil {
-			expressions = append(expressions,
-				&expr.Cmp{
-					Op:       expr.CmpOpEq,
-					Register: 1,
-					Data:     rawIP,
-				},
-			)
-		} else {
-			expressions = append(expressions,
-				&expr.Lookup{
-					SourceRegister: 1,
-					SetName:        ipset.Name,
-					SetID:          ipset.ID,
-				},
-			)
-		}
-	}
-
-	expressions = append(expressions, applyPort(sPort, true)...)
-	expressions = append(expressions, applyPort(dPort, false)...)
-
-	mainExpressions := slices.Clone(expressions)
-
-	switch action {
-	case firewall.ActionAccept:
-		mainExpressions = append(mainExpressions, &expr.Verdict{Kind: expr.VerdictAccept})
-	case firewall.ActionDrop:
-		mainExpressions = append(mainExpressions, &expr.Verdict{Kind: expr.VerdictDrop})
-	}
-
-	userData := []byte(ruleId)
-
-	chain := m.chainInputRules
-	rule := &nftables.Rule{
-		Table:    m.workTable,
-		Chain:    chain,
-		Exprs:    mainExpressions,
-		UserData: userData,
-	}
-
-	// Insert DROP rules at the beginning, append ACCEPT rules at the end
-	var nftRule *nftables.Rule
-	if action == firewall.ActionDrop {
-		nftRule = m.rConn.InsertRule(rule)
-	} else {
-		nftRule = m.rConn.AddRule(rule)
-	}
-
-	if err := m.rConn.Flush(); err != nil {
-		return nil, fmt.Errorf("flush input rule %s: %v", ruleId, err)
-	}
-
-	ruleStruct := &Rule{
-		nftRule: nftRule,
-		// best effort mangle rule
-		mangleRule: m.createPreroutingRule(expressions, userData),
-		nftSet:     ipset,
-		ruleID:     ruleId,
-		ip:         ip,
-	}
-	m.rules[ruleId] = ruleStruct
-	if ipset != nil {
-		m.ipsetStore.AddReferenceToIpset(ipset.Name)
-	}
-
-	return ruleStruct, nil
-}
-
-func (m *AclManager) createPreroutingRule(expressions []expr.Any, userData []byte) *nftables.Rule {
-	if m.chainPrerouting == nil {
-		log.Warn("prerouting chain is not created")
-		return nil
-	}
-
-	preroutingExprs := slices.Clone(expressions)
-
-	// interface
-	preroutingExprs = append([]expr.Any{
-		&expr.Meta{
-			Key:      expr.MetaKeyIIFNAME,
-			Register: 1,
-		},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 1,
-			Data:     ifname(m.wgIface.Name()),
-		},
-	}, preroutingExprs...)
-
-	// local destination and mark
-	preroutingExprs = append(preroutingExprs,
-		&expr.Fib{
-			Register:       1,
-			ResultADDRTYPE: true,
-			FlagDADDR:      true,
-		},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 1,
-			Data:     binaryutil.NativeEndian.PutUint32(unix.RTN_LOCAL),
-		},
-
-		&expr.Immediate{
-			Register: 1,
-			Data:     binaryutil.NativeEndian.PutUint32(nbnet.PreroutingFwmarkRedirected),
-		},
-		&expr.Meta{
-			Key:            expr.MetaKeyMARK,
-			Register:       1,
-			SourceRegister: true,
-		},
-	)
-
-	nfRule := m.rConn.AddRule(&nftables.Rule{
-		Table:    m.workTable,
-		Chain:    m.chainPrerouting,
-		Exprs:    preroutingExprs,
-		UserData: userData,
-	})
-
-	if err := m.rConn.Flush(); err != nil {
-		log.Errorf("failed to flush mangle rule %s: %v", string(userData), err)
-		return nil
-	}
-
-	return nfRule
-}
-
-func (m *AclManager) createDefaultChains() (err error) {
-	// chainNameInputRules
-	chain := m.createChain(chainNameInputRules)
-	err = m.rConn.Flush()
-	if err != nil {
-		log.Debugf("failed to create chain (%s): %s", chain.Name, err)
-		return fmt.Errorf(flushError, err)
-	}
-	m.chainInputRules = chain
-
-	// netbird-acl-input-filter
-	// type filter hook input priority filter; policy accept;
-	chain = m.createFilterChainWithHook(chainNameInputFilter, nftables.ChainHookInput)
-	m.addJumpRule(chain, m.chainInputRules.Name, expr.MetaKeyIIFNAME) // to netbird-acl-input-rules
-	m.addDropExpressions(chain, expr.MetaKeyIIFNAME)
-	err = m.rConn.Flush()
-	if err != nil {
-		log.Debugf("failed to create chain (%s): %s", chain.Name, err)
-		return err
-	}
-
-	// netbird-acl-forward-filter
-	chainFwFilter := m.createFilterChainWithHook(chainNameForwardFilter, nftables.ChainHookForward)
-	m.addJumpRulesToRtForward(chainFwFilter) // to netbird-rt-fwd
-	m.addDropExpressions(chainFwFilter, expr.MetaKeyIIFNAME)
-
-	err = m.rConn.Flush()
-	if err != nil {
-		log.Debugf("failed to create chain (%s): %s", chainNameForwardFilter, err)
-		return fmt.Errorf(flushError, err)
-	}
-
-	if err := m.allowRedirectedTraffic(chainFwFilter); err != nil {
-		log.Errorf("failed to allow redirected traffic: %s", err)
-	}
-
-	return nil
-}
-
-// Makes redirected traffic originally destined for the host itself (now subject to the forward filter)
-// go through the input filter as well. This will enable e.g. Docker services to keep working by accessing the
-// netbird peer IP.
-func (m *AclManager) allowRedirectedTraffic(chainFwFilter *nftables.Chain) error {
-	// Chain is created by route manager
-	// TODO: move creation to a common place
-	m.chainPrerouting = &nftables.Chain{
-		Name:     chainNameManglePrerouting,
-		Table:    m.workTable,
-		Type:     nftables.ChainTypeFilter,
-		Hooknum:  nftables.ChainHookPrerouting,
-		Priority: nftables.ChainPriorityMangle,
-	}
-
-	m.addFwmarkToForward(chainFwFilter)
-
-	if err := m.rConn.Flush(); err != nil {
-		return fmt.Errorf(flushError, err)
-	}
-
-	return nil
-}
-
-func (m *AclManager) addFwmarkToForward(chainFwFilter *nftables.Chain) {
-	m.rConn.InsertRule(&nftables.Rule{
-		Table: m.workTable,
-		Chain: chainFwFilter,
-		Exprs: []expr.Any{
-			&expr.Meta{
-				Key:      expr.MetaKeyMARK,
-				Register: 1,
-			},
-			&expr.Cmp{
-				Op:       expr.CmpOpEq,
-				Register: 1,
-				Data:     binaryutil.NativeEndian.PutUint32(nbnet.PreroutingFwmarkRedirected),
-			},
-			&expr.Verdict{
-				Kind: expr.VerdictAccept,
-			},
-		},
-	})
-}
-
-func (m *AclManager) addJumpRulesToRtForward(chainFwFilter *nftables.Chain) {
-	expressions := []expr.Any{
-		&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 1,
-			Data:     ifname(m.wgIface.Name()),
-		},
-		&expr.Verdict{
-			Kind:  expr.VerdictJump,
-			Chain: m.routingFwChainName,
-		},
-	}
-
-	_ = m.rConn.AddRule(&nftables.Rule{
-		Table: m.workTable,
-		Chain: chainFwFilter,
-		Exprs: expressions,
-	})
-}
-
-func (m *AclManager) createChain(name string) *nftables.Chain {
-	chain := &nftables.Chain{
-		Name:  name,
-		Table: m.workTable,
-	}
-
-	chain = m.rConn.AddChain(chain)
-
-	insertReturnTrafficRule(m.rConn, m.workTable, chain)
-
-	return chain
-}
-
-func (m *AclManager) createFilterChainWithHook(name string, hookNum *nftables.ChainHook) *nftables.Chain {
-	polAccept := nftables.ChainPolicyAccept
-	chain := &nftables.Chain{
-		Name:     name,
-		Table:    m.workTable,
-		Hooknum:  hookNum,
-		Priority: nftables.ChainPriorityFilter,
-		Type:     nftables.ChainTypeFilter,
-		Policy:   &polAccept,
-	}
-
-	return m.rConn.AddChain(chain)
-}
-
-func (m *AclManager) addDropExpressions(chain *nftables.Chain, ifaceKey expr.MetaKey) []expr.Any {
-	expressions := []expr.Any{
-		&expr.Meta{Key: ifaceKey, Register: 1},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 1,
-			Data:     ifname(m.wgIface.Name()),
-		},
-		&expr.Verdict{Kind: expr.VerdictDrop},
-	}
-	_ = m.rConn.AddRule(&nftables.Rule{
-		Table: m.workTable,
-		Chain: chain,
-		Exprs: expressions,
-	})
-	return nil
-}
-
-func (m *AclManager) addJumpRule(chain *nftables.Chain, to string, ifaceKey expr.MetaKey) {
-	expressions := []expr.Any{
-		&expr.Meta{Key: ifaceKey, Register: 1},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 1,
-			Data:     ifname(m.wgIface.Name()),
-		},
-		&expr.Verdict{
-			Kind:  expr.VerdictJump,
-			Chain: to,
-		},
-	}
-
-	_ = m.rConn.AddRule(&nftables.Rule{
-		Table: chain.Table,
-		Chain: chain,
-		Exprs: expressions,
-	})
-}
-
-func (m *AclManager) addIpToSet(ipsetName string, ip net.IP) (*nftables.Set, error) {
-	ipset, err := m.rConn.GetSetByName(m.workTable, ipsetName)
-	rawIP := ip.To4()
-	if err != nil {
-		if ipset, err = m.createSet(m.workTable, ipsetName); err != nil {
-			return nil, fmt.Errorf("get set name: %v", err)
-		}
-
-		m.ipsetStore.newIpset(ipset.Name)
-	}
-
-	if m.ipsetStore.IsIpInSet(ipset.Name, ip) {
-		return ipset, nil
-	}
-
-	if err := m.sConn.SetAddElements(ipset, []nftables.SetElement{{Key: rawIP}}); err != nil {
-		return nil, fmt.Errorf("add set element for the first time: %v", err)
-	}
-
-	m.ipsetStore.AddIpToSet(ipset.Name, ip)
-
-	if err := m.sConn.Flush(); err != nil {
-		return nil, fmt.Errorf("flush add elements: %v", err)
-	}
-
-	return ipset, nil
-}
-
-// createSet in given table by name
-func (m *AclManager) createSet(table *nftables.Table, name string) (*nftables.Set, error) {
-	ipset := &nftables.Set{
-		Name:    name,
-		Table:   table,
-		Dynamic: true,
-		KeyType: nftables.TypeIPAddr,
-	}
-
-	if err := m.rConn.AddSet(ipset, nil); err != nil {
-		return nil, fmt.Errorf("create set: %v", err)
-	}
-
-	if err := m.rConn.Flush(); err != nil {
-		return nil, fmt.Errorf("flush created set: %v", err)
-	}
-
-	return ipset, nil
-}
-
-func (m *AclManager) flushWithBackoff() (err error) {
-	backoff := 4
-	backoffTime := 1000 * time.Millisecond
-	for i := 0; ; i++ {
-		err = m.rConn.Flush()
-		if err != nil {
-			log.Debugf("failed to flush nftables: %v", err)
-			if !strings.Contains(err.Error(), "busy") {
-				return
-			}
-			log.Error("failed to flush nftables, retrying...")
-			if i == backoff-1 {
-				return err
-			}
-			time.Sleep(backoffTime)
-			backoffTime *= 2
-			continue
-		}
-		break
-	}
-	return
-}
-
-func (m *AclManager) refreshRuleHandles(chain *nftables.Chain, mangle bool) error {
-	if m.workTable == nil || chain == nil {
-		return nil
-	}
-
-	list, err := m.rConn.GetRules(m.workTable, chain)
-	if err != nil {
-		return err
-	}
-
-	for _, rule := range list {
-		if len(rule.UserData) == 0 {
-			continue
-		}
-		split := bytes.Split(rule.UserData, []byte(" "))
-		r, ok := m.rules[string(split[0])]
-		if ok {
-			if mangle {
-				*r.mangleRule = *rule
-			} else {
-				*r.nftRule = *rule
-			}
-		}
-	}
-
-	return nil
-}
-
-func generatePeerRuleId(ip net.IP, proto firewall.Protocol, sPort *firewall.Port, dPort *firewall.Port, action firewall.Action, ipset *nftables.Set) string {
-	rulesetID := ":" + string(proto) + ":"
-	if sPort != nil {
-		rulesetID += sPort.String()
-	}
-	rulesetID += ":"
-	if dPort != nil {
-		rulesetID += dPort.String()
-	}
-	rulesetID += ":"
-	rulesetID += strconv.Itoa(int(action))
-	if ipset == nil {
-		return "ip:" + ip.String() + rulesetID
-	}
-	return "set:" + ipset.Name + rulesetID
-}
-
-func ifname(n string) []byte {
-	b := make([]byte, 16)
-	copy(b, n+"\x00")
-	return b
-}
-
-func protoToInt(protocol firewall.Protocol) (uint8, error) {
-	switch protocol {
-	case firewall.ProtocolTCP:
-		return unix.IPPROTO_TCP, nil
-	case firewall.ProtocolUDP:
-		return unix.IPPROTO_UDP, nil
-	case firewall.ProtocolICMP:
-		return unix.IPPROTO_ICMP, nil
-	}
-
-	return 0, fmt.Errorf("unsupported protocol: %s", protocol)
-}
--- a/client/firewall/nftables/addr_family_linux.go
+++ b/client/firewall/nftables/addr_family_linux.go
@@ -0,0 +1,81 @@
+package nftables
+
+import (
+	"fmt"
+	"net"
+
+	"github.com/google/nftables"
+	"golang.org/x/sys/unix"
+
+	firewall "github.com/netbirdio/netbird/client/firewall/manager"
+)
+
+var (
+	// afIPv4 defines IPv4 header layout and nftables types.
+	afIPv4 = addrFamily{
+		protoOffset:   9,
+		srcAddrOffset: 12,
+		dstAddrOffset: 16,
+		addrLen:       net.IPv4len,
+		totalBits:     8 * net.IPv4len,
+		setKeyType:    nftables.TypeIPAddr,
+		tableFamily:   nftables.TableFamilyIPv4,
+		icmpProto:     unix.IPPROTO_ICMP,
+	}
+	// afIPv6 defines IPv6 header layout and nftables types.
+	afIPv6 = addrFamily{
+		protoOffset:   6,
+		srcAddrOffset: 8,
+		dstAddrOffset: 24,
+		addrLen:       net.IPv6len,
+		totalBits:     8 * net.IPv6len,
+		setKeyType:    nftables.TypeIP6Addr,
+		tableFamily:   nftables.TableFamilyIPv6,
+		icmpProto:     unix.IPPROTO_ICMPV6,
+	}
+)
+
+// addrFamily holds protocol-specific constants for nftables expression building.
+type addrFamily struct {
+	// protoOffset is the IP header offset for the protocol/next-header field (9 for v4, 6 for v6)
+	protoOffset uint32
+	// srcAddrOffset is the IP header offset for the source address (12 for v4, 8 for v6)
+	srcAddrOffset uint32
+	// dstAddrOffset is the IP header offset for the destination address (16 for v4, 24 for v6)
+	dstAddrOffset uint32
+	// addrLen is the byte length of addresses (4 for v4, 16 for v6)
+	addrLen uint32
+	// totalBits is the address size in bits (32 for v4, 128 for v6)
+	totalBits int
+	// setKeyType is the nftables set data type for addresses
+	setKeyType nftables.SetDatatype
+	// tableFamily is the nftables table family
+	tableFamily nftables.TableFamily
+	// icmpProto is the ICMP protocol number for this family (1 for v4, 58 for v6)
+	icmpProto uint8
+}
+
+// familyForAddr returns the address family for the given IP.
+func familyForAddr(is4 bool) addrFamily {
+	if is4 {
+		return afIPv4
+	}
+	return afIPv6
+}
+
+// protoNum converts a firewall protocol to the IP protocol number,
+// using the correct ICMP variant for the address family.
+func (af addrFamily) protoNum(protocol firewall.Protocol) (uint8, error) {
+	switch protocol {
+	case firewall.ProtocolTCP:
+		return unix.IPPROTO_TCP, nil
+	case firewall.ProtocolUDP:
+		return unix.IPPROTO_UDP, nil
+	case firewall.ProtocolICMP:
+		return af.icmpProto, nil
+	case firewall.ProtocolALL:
+		return 0, nil
+	default:
+		return 0, fmt.Errorf("unsupported protocol: %s", protocol)
+	}
+}
--- a/client/firewall/nftables/chains_linux.go
+++ b/client/firewall/nftables/chains_linux.go
@@ -0,0 +1,890 @@
+//go:build !android
+
+package nftables
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"slices"
+	"strings"
+	"time"
+
+	"github.com/coreos/go-iptables/iptables"
+	"github.com/google/nftables"
+	"github.com/google/nftables/binaryutil"
+	"github.com/google/nftables/expr"
+	"github.com/hashicorp/go-multierror"
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
+
+	nberrors "github.com/netbirdio/netbird/client/errors"
+	"github.com/netbirdio/netbird/client/firewall/firewalld"
+	firewall "github.com/netbirdio/netbird/client/firewall/manager"
+	nbnet "github.com/netbirdio/netbird/client/net"
+)
+
+func (r *family) createContainers() error {
+	r.chains[chainNameRoutingFw] = r.conn.AddChain(&nftables.Chain{
+		Name:  chainNameRoutingFw,
+		Table: r.workTable,
+	})
+
+	prio := *nftables.ChainPriorityNATSource - 1
+	r.chains[chainNameRoutingNat] = r.conn.AddChain(&nftables.Chain{
+		Name:     chainNameRoutingNat,
+		Table:    r.workTable,
+		Hooknum:  nftables.ChainHookPostrouting,
+		Priority: &prio,
+		Type:     nftables.ChainTypeNAT,
+	})
+
+	r.chains[chainNameRoutingRdr] = r.conn.AddChain(&nftables.Chain{
+		Name:     chainNameRoutingRdr,
+		Table:    r.workTable,
+		Hooknum:  nftables.ChainHookPrerouting,
+		Priority: nftables.ChainPriorityNATDest,
+		Type:     nftables.ChainTypeNAT,
+	})
+
+	r.chains[chainNameManglePostrouting] = r.conn.AddChain(&nftables.Chain{
+		Name:     chainNameManglePostrouting,
+		Table:    r.workTable,
+		Hooknum:  nftables.ChainHookPostrouting,
+		Priority: nftables.ChainPriorityMangle,
+		Type:     nftables.ChainTypeFilter,
+	})
+
+	r.chains[chainNameManglePrerouting] = r.conn.AddChain(&nftables.Chain{
+		Name:     chainNameManglePrerouting,
+		Table:    r.workTable,
+		Hooknum:  nftables.ChainHookPrerouting,
+		Priority: nftables.ChainPriorityMangle,
+		Type:     nftables.ChainTypeFilter,
+	})
+
+	r.chains[chainNameMangleForward] = r.conn.AddChain(&nftables.Chain{
+		Name:     chainNameMangleForward,
+		Table:    r.workTable,
+		Hooknum:  nftables.ChainHookForward,
+		Priority: nftables.ChainPriorityMangle,
+		Type:     nftables.ChainTypeFilter,
+	})
+
+	insertReturnTrafficRule(r.conn, r.workTable, r.chains[chainNameRoutingFw])
+
+	r.addPostroutingRules()
+
+	if err := r.conn.Flush(); err != nil {
+		return fmt.Errorf("initialize tables: %v", err)
+	}
+
+	if err := r.addMSSClampingRules(); err != nil {
+		log.Errorf("failed to add MSS clamping rules: %s", err)
+	}
+
+	if err := r.acceptForwardRules(); err != nil {
+		log.Errorf("failed to add accept rules for the forward chain: %s", err)
+	}
+
+	if err := firewalld.TrustInterface(r.wgIface.Name()); err != nil {
+		log.Warnf("failed to trust interface in firewalld: %v", err)
+	}
+
+	if err := r.refreshRulesMap(); err != nil {
+		log.Errorf("failed to refresh rules: %s", err)
+	}
+
+	return nil
+}
+
+// setupDataPlaneMark configures the fwmark for the data plane
+func (r *family) setupDataPlaneMark() error {
+	if r.chains[chainNameManglePrerouting] == nil || r.chains[chainNameManglePostrouting] == nil {
+		return errors.New("no mangle chains found")
+	}
+
+	ctNew := getCtNewExprs()
+	preExprs := []expr.Any{
+		&expr.Meta{
+			Key:      expr.MetaKeyIIFNAME,
+			Register: 1,
+		},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     ifname(r.wgIface.Name()),
+		},
+	}
+	preExprs = append(preExprs, ctNew...)
+	preExprs = append(preExprs,
+		&expr.Immediate{
+			Register: 1,
+			Data:     binaryutil.NativeEndian.PutUint32(nbnet.DataPlaneMarkIn),
+		},
+		&expr.Ct{
+			Key:            expr.CtKeyMARK,
+			Register:       1,
+			SourceRegister: true,
+		},
+	)
+
+	preNftRule := &nftables.Rule{
+		Table: r.workTable,
+		Chain: r.chains[chainNameManglePrerouting],
+		Exprs: preExprs,
+	}
+	r.conn.AddRule(preNftRule)
+
+	postExprs := []expr.Any{
+		&expr.Meta{
+			Key:      expr.MetaKeyOIFNAME,
+			Register: 1,
+		},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     ifname(r.wgIface.Name()),
+		},
+	}
+	postExprs = append(postExprs, ctNew...)
+	postExprs = append(postExprs,
+		&expr.Immediate{
+			Register: 1,
+			Data:     binaryutil.NativeEndian.PutUint32(nbnet.DataPlaneMarkOut),
+		},
+		&expr.Ct{
+			Key:            expr.CtKeyMARK,
+			Register:       1,
+			SourceRegister: true,
+		},
+	)
+
+	postNftRule := &nftables.Rule{
+		Table: r.workTable,
+		Chain: r.chains[chainNameManglePostrouting],
+		Exprs: postExprs,
+	}
+	r.conn.AddRule(postNftRule)
+
+	if err := r.conn.Flush(); err != nil {
+		return fmt.Errorf("flush: %w", err)
+	}
+
+	return nil
+}
+
+func (r *family) acceptForwardRules() error {
+	var merr *multierror.Error
+
+	if err := r.acceptFilterTableRules(); err != nil {
+		merr = multierror.Append(merr, err)
+	}
+
+	if err := r.acceptExternalChainsRules(); err != nil {
+		merr = multierror.Append(merr, fmt.Errorf("add accept rules to external chains: %w", err))
+	}
+
+	return nberrors.FormatErrorOrNil(merr)
+}
+
+func (r *family) acceptFilterTableRules() error {
+	if r.filterTable == nil {
+		return nil
+	}
+
+	fw := "iptables"
+
+	defer func() {
+		log.Debugf("Used %s to add accept forward and input rules", fw)
+	}()
+
+	// Try iptables first and fallback to nftables if iptables is not available.
+	// Use the correct protocol (iptables vs ip6tables) for the address family.
+	ipt, err := iptables.NewWithProtocol(r.iptablesProto())
+	if err != nil {
+		log.Warnf("Will use nftables to manipulate the filter table because iptables is not available: %v", err)
+
+		fw = "nftables"
+		return r.acceptFilterRulesNftables(r.filterTable)
+	}
+
+	if err := r.acceptFilterRulesIptables(ipt); err != nil {
+		log.Warnf("iptables failed (table may be incompatible), falling back to nftables: %v", err)
+		fw = "nftables"
+		return r.acceptFilterRulesNftables(r.filterTable)
+	}
+	return nil
+}
+
+func (r *family) acceptFilterRulesIptables(ipt *iptables.IPTables) error {
+	var merr *multierror.Error
+
+	for _, rule := range r.getAcceptForwardRules() {
+		if err := ipt.Insert("filter", chainNameForward, 1, rule...); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("add iptables forward rule: %v", err))
+		} else {
+			log.Debugf("added iptables forward rule: %v", rule)
+		}
+	}
+
+	inputRule := r.getAcceptInputRule()
+	if err := ipt.Insert("filter", chainNameInput, 1, inputRule...); err != nil {
+		merr = multierror.Append(merr, fmt.Errorf("add iptables input rule: %v", err))
+	} else {
+		log.Debugf("added iptables input rule: %v", inputRule)
+	}
+
+	return nberrors.FormatErrorOrNil(merr)
+}
+
+func (r *family) getAcceptForwardRules() [][]string {
+	intf := r.wgIface.Name()
+	return [][]string{
+		{"-i", intf, "-j", "ACCEPT"},
+		{"-o", intf, "-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"},
+	}
+}
+
+func (r *family) getAcceptInputRule() []string {
+	return []string{"-i", r.wgIface.Name(), "-j", "ACCEPT"}
+}
+
+// acceptFilterRulesNftables adds accept rules to the ip filter table using nftables.
+// This is used when iptables is not available.
+func (r *family) acceptFilterRulesNftables(table *nftables.Table) error {
+	intf := ifname(r.wgIface.Name())
+
+	forwardChain := &nftables.Chain{
+		Name:     chainNameForward,
+		Table:    table,
+		Type:     nftables.ChainTypeFilter,
+		Hooknum:  nftables.ChainHookForward,
+		Priority: nftables.ChainPriorityFilter,
+	}
+	r.insertForwardAcceptRules(forwardChain, intf)
+
+	inputChain := &nftables.Chain{
+		Name:     chainNameInput,
+		Table:    table,
+		Type:     nftables.ChainTypeFilter,
+		Hooknum:  nftables.ChainHookInput,
+		Priority: nftables.ChainPriorityFilter,
+	}
+	r.insertInputAcceptRule(inputChain, intf)
+
+	return r.conn.Flush()
+}
+
+// acceptExternalChainsRules adds accept rules to external chains (non-netbird, non-iptables tables).
+// It dynamically finds chains at call time to handle chains that may have been created after startup.
+func (r *family) acceptExternalChainsRules() error {
+	chains := r.findExternalChains()
+	if len(chains) == 0 {
+		return nil
+	}
+
+	intf := ifname(r.wgIface.Name())
+	for _, chain := range chains {
+		r.applyExternalChainAccept(chain, intf)
+	}
+
+	if err := r.conn.Flush(); err != nil {
+		return fmt.Errorf("flush external chain rules: %w", err)
+	}
+	return nil
+}
+
+func (r *family) applyExternalChainAccept(chain *nftables.Chain, intf []byte) {
+	if chain.Hooknum == nil {
+		log.Debugf("skipping external chain %s/%s: hooknum is nil", chain.Table.Name, chain.Name)
+		return
+	}
+
+	log.Debugf("adding accept rules to external %s chain: %s %s/%s",
+		hookName(chain.Hooknum), familyName(chain.Table.Family), chain.Table.Name, chain.Name)
+
+	switch *chain.Hooknum {
+	case *nftables.ChainHookForward:
+		r.insertForwardAcceptRules(chain, intf)
+	case *nftables.ChainHookInput:
+		r.insertInputAcceptRule(chain, intf)
+	}
+}
+
+func (r *family) insertForwardAcceptRules(chain *nftables.Chain, intf []byte) {
+	existing, err := r.existingNetbirdRulesInChain(chain)
+	if err != nil {
+		log.Warnf("skip forward accept rules in %s/%s: %v", chain.Table.Name, chain.Name, err)
+		return
+	}
+	r.insertForwardIifRule(chain, intf, existing)
+	r.insertForwardOifEstablishedRule(chain, intf, existing)
+}
+
+func (r *family) insertForwardIifRule(chain *nftables.Chain, intf []byte, existing map[string]bool) {
+	if existing[userDataAcceptForwardRuleIif] {
+		return
+	}
+	r.conn.InsertRule(&nftables.Rule{
+		Table: chain.Table,
+		Chain: chain,
+		Exprs: []expr.Any{
+			&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
+			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: intf},
+			&expr.Counter{},
+			&expr.Verdict{Kind: expr.VerdictAccept},
+		},
+		UserData: []byte(userDataAcceptForwardRuleIif),
+	})
+}
+
+func (r *family) insertForwardOifEstablishedRule(chain *nftables.Chain, intf []byte, existing map[string]bool) {
+	if existing[userDataAcceptForwardRuleOif] {
+		return
+	}
+	exprs := []expr.Any{
+		&expr.Meta{Key: expr.MetaKeyOIFNAME, Register: 1},
+		&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: intf},
+	}
+	r.conn.InsertRule(&nftables.Rule{
+		Table:    chain.Table,
+		Chain:    chain,
+		Exprs:    append(exprs, getEstablishedExprs(2)...),
+		UserData: []byte(userDataAcceptForwardRuleOif),
+	})
+}
+
+func (r *family) insertInputAcceptRule(chain *nftables.Chain, intf []byte) {
+	existing, err := r.existingNetbirdRulesInChain(chain)
+	if err != nil {
+		log.Warnf("skip input accept rule in %s/%s: %v", chain.Table.Name, chain.Name, err)
+		return
+	}
+	if existing[userDataAcceptInputRule] {
+		return
+	}
+	r.conn.InsertRule(&nftables.Rule{
+		Table: chain.Table,
+		Chain: chain,
+		Exprs: []expr.Any{
+			&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
+			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: intf},
+			&expr.Counter{},
+			&expr.Verdict{Kind: expr.VerdictAccept},
+		},
+		UserData: []byte(userDataAcceptInputRule),
+	})
+}
+
+// existingNetbirdRulesInChain returns the set of netbird-owned UserData tags present in a chain; callers must bail on error since InsertRule is additive.
+func (r *family) existingNetbirdRulesInChain(chain *nftables.Chain) (map[string]bool, error) {
+	rules, err := r.conn.GetRules(chain.Table, chain)
+	if err != nil {
+		return nil, fmt.Errorf("list rules: %w", err)
+	}
+	present := map[string]bool{}
+	for _, rule := range rules {
+		if !isNetbirdAcceptRuleTag(rule.UserData) {
+			continue
+		}
+		present[string(rule.UserData)] = true
+	}
+	return present, nil
+}
+
+func isNetbirdAcceptRuleTag(userData []byte) bool {
+	switch string(userData) {
+	case userDataAcceptForwardRuleIif,
+		userDataAcceptForwardRuleOif,
+		userDataAcceptInputRule:
+		return true
+	}
+	return false
+}
+
+func (r *family) removeAcceptFilterRules() error {
+	var merr *multierror.Error
+
+	if err := r.removeFilterTableRules(); err != nil {
+		merr = multierror.Append(merr, err)
+	}
+
+	if err := r.removeExternalChainsRules(); err != nil {
+		merr = multierror.Append(merr, fmt.Errorf("remove external chain rules: %w", err))
+	}
+
+	return nberrors.FormatErrorOrNil(merr)
+}
+
+func (r *family) removeFilterTableRules() error {
+	if r.filterTable == nil {
+		return nil
+	}
+
+	ipt, err := iptables.NewWithProtocol(r.iptablesProto())
+	if err != nil {
+		log.Debugf("iptables not available, using nftables to remove filter rules: %v", err)
+		return r.removeAcceptRulesFromTable(r.filterTable)
+	}
+
+	if err := r.removeAcceptFilterRulesIptables(ipt); err != nil {
+		log.Debugf("iptables removal failed (table may be incompatible), falling back to nftables: %v", err)
+		return r.removeAcceptRulesFromTable(r.filterTable)
+	}
+	return nil
+}
+
+func (r *family) removeAcceptRulesFromTable(table *nftables.Table) error {
+	chains, err := r.conn.ListChainsOfTableFamily(table.Family)
+	if err != nil {
+		return fmt.Errorf("list chains: %v", err)
+	}
+
+	for _, chain := range chains {
+		if chain.Table.Name != table.Name {
+			continue
+		}
+
+		if chain.Name != chainNameForward && chain.Name != chainNameInput {
+			continue
+		}
+
+		if err := r.removeAcceptRulesFromChain(table, chain); err != nil {
+			return err
+		}
+	}
+
+	return r.conn.Flush()
+}
+
+func (r *family) removeAcceptRulesFromChain(table *nftables.Table, chain *nftables.Chain) error {
+	rules, err := r.conn.GetRules(table, chain)
+	if err != nil {
+		return fmt.Errorf("get rules from %s/%s: %v", table.Name, chain.Name, err)
+	}
+
+	for _, rule := range rules {
+		if bytes.Equal(rule.UserData, []byte(userDataAcceptForwardRuleIif)) ||
+			bytes.Equal(rule.UserData, []byte(userDataAcceptForwardRuleOif)) ||
+			bytes.Equal(rule.UserData, []byte(userDataAcceptInputRule)) {
+			if err := r.conn.DelRule(rule); err != nil {
+				return fmt.Errorf("delete rule from %s/%s: %v", table.Name, chain.Name, err)
+			}
+		}
+	}
+	return nil
+}
+
+// removeExternalChainsRules removes our accept rules from all external chains.
+// This is deterministic - it scans for chains at removal time rather than relying on saved state,
+// ensuring cleanup works even after a crash or if chains changed.
+func (r *family) removeExternalChainsRules() error {
+	chains := r.findExternalChains()
+	if len(chains) == 0 {
+		return nil
+	}
+
+	var merr *multierror.Error
+	for _, chain := range chains {
+		if err := r.removeAcceptRulesFromChain(chain.Table, chain); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("remove rules from external chain %s/%s: %w", chain.Table.Name, chain.Name, err))
+			continue
+		}
+		if err := r.conn.Flush(); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("flush external chain %s/%s: %w", chain.Table.Name, chain.Name, err))
+		}
+	}
+
+	return nberrors.FormatErrorOrNil(merr)
+}
+
+// findExternalChains scans for chains from non-netbird tables that have FORWARD or INPUT hooks.
+// This is used both at startup (to know where to add rules) and at cleanup (to ensure deterministic removal).
+func (r *family) findExternalChains() []*nftables.Chain {
+	var chains []*nftables.Chain
+
+	families := []nftables.TableFamily{r.af.tableFamily, nftables.TableFamilyINet}
+
+	for _, family := range families {
+		allChains, err := r.conn.ListChainsOfTableFamily(family)
+		if err != nil {
+			log.Debugf("list chains for family %d: %v", family, err)
+			continue
+		}
+
+		for _, chain := range allChains {
+			if r.isExternalChain(chain) {
+				chains = append(chains, chain)
+			}
+		}
+	}
+
+	return chains
+}
+
+func (r *family) isExternalChain(chain *nftables.Chain) bool {
+	if r.workTable != nil && chain.Table.Name == r.workTable.Name {
+		return false
+	}
+
+	// Skip firewalld-owned chains. Firewalld creates its chains with the
+	// NFT_CHAIN_OWNER flag, so inserting rules into them returns EPERM.
+	// We delegate acceptance to firewalld by trusting the interface instead.
+	if chain.Table.Name == firewalldTableName {
+		return false
+	}
+
+	// Skip iptables/ip6tables-managed tables (adding nft-native rules breaks iptables-save compat)
+	if (chain.Table.Family == nftables.TableFamilyIPv4 || chain.Table.Family == nftables.TableFamilyIPv6) && isIptablesTable(chain.Table.Name) {
+		return false
+	}
+
+	if chain.Type != nftables.ChainTypeFilter {
+		return false
+	}
+
+	if chain.Hooknum == nil {
+		return false
+	}
+
+	return *chain.Hooknum == *nftables.ChainHookForward || *chain.Hooknum == *nftables.ChainHookInput
+}
+
+func isIptablesTable(name string) bool {
+	switch name {
+	case tableNameFilter, tableNat, tableMangle, tableRaw, tableSecurity:
+		return true
+	}
+	return false
+}
+
+func (r *family) removeAcceptFilterRulesIptables(ipt *iptables.IPTables) error {
+	var merr *multierror.Error
+
+	for _, rule := range r.getAcceptForwardRules() {
+		if err := ipt.DeleteIfExists("filter", chainNameForward, rule...); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("remove iptables forward rule: %v", err))
+		}
+	}
+
+	inputRule := r.getAcceptInputRule()
+	if err := ipt.DeleteIfExists("filter", chainNameInput, inputRule...); err != nil {
+		merr = multierror.Append(merr, fmt.Errorf("remove iptables input rule: %v", err))
+	}
+
+	return nberrors.FormatErrorOrNil(merr)
+}
+
+func (r *family) createDefaultAllowRules() error {
+	expIn := []expr.Any{
+		&expr.Verdict{
+			Kind: expr.VerdictAccept,
+		},
+	}
+
+	_ = r.conn.InsertRule(&nftables.Rule{
+		Table:    r.workTable,
+		Chain:    r.chainInputRules,
+		Position: 0,
+		Exprs:    expIn,
+	})
+
+	if err := r.conn.Flush(); err != nil {
+		return fmt.Errorf(flushError, err)
+	}
+	return nil
+}
+
+// Flush rule/chain/set operations from the buffer
+//
+// Method also get all rules after flush and refreshes handle values in the rulesets
+func (r *family) Flush() error {
+	if err := r.flushWithBackoff(); err != nil {
+		return err
+	}
+
+	if err := r.refreshRuleHandles(r.chainInputRules, false); err != nil {
+		log.Errorf("failed to refresh rule handles ipv4 input chain: %v", err)
+	}
+	if err := r.refreshRuleHandles(r.chainPrerouting, true); err != nil {
+		log.Errorf("failed to refresh rule handles prerouting chain: %v", err)
+	}
+
+	return nil
+}
+
+func (r *family) createPreroutingRule(expressions []expr.Any, userData []byte) *nftables.Rule {
+	if r.chainPrerouting == nil {
+		log.Warn("prerouting chain is not created")
+		return nil
+	}
+
+	preroutingExprs := slices.Clone(expressions)
+
+	// interface
+	preroutingExprs = append([]expr.Any{
+		&expr.Meta{
+			Key:      expr.MetaKeyIIFNAME,
+			Register: 1,
+		},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     ifname(r.wgIface.Name()),
+		},
+	}, preroutingExprs...)
+
+	// local destination and mark
+	preroutingExprs = append(preroutingExprs,
+		&expr.Fib{
+			Register:       1,
+			ResultADDRTYPE: true,
+			FlagDADDR:      true,
+		},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     binaryutil.NativeEndian.PutUint32(unix.RTN_LOCAL),
+		},
+
+		&expr.Immediate{
+			Register: 1,
+			Data:     binaryutil.NativeEndian.PutUint32(nbnet.PreroutingFwmarkRedirected),
+		},
+		&expr.Meta{
+			Key:            expr.MetaKeyMARK,
+			Register:       1,
+			SourceRegister: true,
+		},
+	)
+
+	nfRule := r.conn.AddRule(&nftables.Rule{
+		Table:    r.workTable,
+		Chain:    r.chainPrerouting,
+		Exprs:    preroutingExprs,
+		UserData: userData,
+	})
+
+	if err := r.conn.Flush(); err != nil {
+		log.Errorf("failed to flush mangle rule %s: %v", string(userData), err)
+		return nil
+	}
+
+	return nfRule
+}
+
+func (r *family) createDefaultChains() (err error) {
+	// chainNameInputRules
+	chain := r.createChain(chainNameInputRules)
+	err = r.conn.Flush()
+	if err != nil {
+		log.Debugf("failed to create chain (%s): %s", chain.Name, err)
+		return fmt.Errorf(flushError, err)
+	}
+	r.chainInputRules = chain
+
+	// netbird-acl-input-filter
+	// type filter hook input priority filter; policy accept;
+	chain = r.createFilterChainWithHook(chainNameInputFilter, nftables.ChainHookInput)
+	r.addJumpRule(chain, r.chainInputRules.Name, expr.MetaKeyIIFNAME) // to netbird-acl-input-rules
+	r.addDropExpressions(chain, expr.MetaKeyIIFNAME)
+	err = r.conn.Flush()
+	if err != nil {
+		log.Debugf("failed to create chain (%s): %s", chain.Name, err)
+		return err
+	}
+
+	// netbird-acl-forward-filter
+	chainFwFilter := r.createFilterChainWithHook(chainNameForwardFilter, nftables.ChainHookForward)
+	r.addJumpRulesToRtForward(chainFwFilter) // to netbird-rt-fwd
+	r.addDropExpressions(chainFwFilter, expr.MetaKeyIIFNAME)
+
+	err = r.conn.Flush()
+	if err != nil {
+		log.Debugf("failed to create chain (%s): %s", chainNameForwardFilter, err)
+		return fmt.Errorf(flushError, err)
+	}
+
+	if err := r.allowRedirectedTraffic(chainFwFilter); err != nil {
+		log.Errorf("failed to allow redirected traffic: %s", err)
+	}
+
+	return nil
+}
+
+// Makes redirected traffic originally destined for the host itself (now subject to the forward filter)
+// go through the input filter as well. This will enable e.g. Docker services to keep working by accessing the
+// netbird peer IP.
+func (r *family) allowRedirectedTraffic(chainFwFilter *nftables.Chain) error {
+	r.chainPrerouting = r.chains[chainNameManglePrerouting]
+
+	r.addFwmarkToForward(chainFwFilter)
+
+	if err := r.conn.Flush(); err != nil {
+		return fmt.Errorf(flushError, err)
+	}
+
+	return nil
+}
+
+func (r *family) addFwmarkToForward(chainFwFilter *nftables.Chain) {
+	r.conn.InsertRule(&nftables.Rule{
+		Table: r.workTable,
+		Chain: chainFwFilter,
+		Exprs: []expr.Any{
+			&expr.Meta{
+				Key:      expr.MetaKeyMARK,
+				Register: 1,
+			},
+			&expr.Cmp{
+				Op:       expr.CmpOpEq,
+				Register: 1,
+				Data:     binaryutil.NativeEndian.PutUint32(nbnet.PreroutingFwmarkRedirected),
+			},
+			&expr.Verdict{
+				Kind: expr.VerdictAccept,
+			},
+		},
+	})
+}
+
+func (r *family) addJumpRulesToRtForward(chainFwFilter *nftables.Chain) {
+	expressions := []expr.Any{
+		&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     ifname(r.wgIface.Name()),
+		},
+		&expr.Verdict{
+			Kind:  expr.VerdictJump,
+			Chain: r.routingFwChainName,
+		},
+	}
+
+	_ = r.conn.AddRule(&nftables.Rule{
+		Table: r.workTable,
+		Chain: chainFwFilter,
+		Exprs: expressions,
+	})
+}
+
+func (r *family) createChain(name string) *nftables.Chain {
+	chain := &nftables.Chain{
+		Name:  name,
+		Table: r.workTable,
+	}
+
+	chain = r.conn.AddChain(chain)
+
+	insertReturnTrafficRule(r.conn, r.workTable, chain)
+
+	return chain
+}
+
+func (r *family) createFilterChainWithHook(name string, hookNum *nftables.ChainHook) *nftables.Chain {
+	polAccept := nftables.ChainPolicyAccept
+	chain := &nftables.Chain{
+		Name:     name,
+		Table:    r.workTable,
+		Hooknum:  hookNum,
+		Priority: nftables.ChainPriorityFilter,
+		Type:     nftables.ChainTypeFilter,
+		Policy:   &polAccept,
+	}
+
+	return r.conn.AddChain(chain)
+}
+
+func (r *family) addDropExpressions(chain *nftables.Chain, ifaceKey expr.MetaKey) []expr.Any {
+	expressions := []expr.Any{
+		&expr.Meta{Key: ifaceKey, Register: 1},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     ifname(r.wgIface.Name()),
+		},
+		&expr.Verdict{Kind: expr.VerdictDrop},
+	}
+	_ = r.conn.AddRule(&nftables.Rule{
+		Table: r.workTable,
+		Chain: chain,
+		Exprs: expressions,
+	})
+	return nil
+}
+
+func (r *family) addJumpRule(chain *nftables.Chain, to string, ifaceKey expr.MetaKey) {
+	expressions := []expr.Any{
+		&expr.Meta{Key: ifaceKey, Register: 1},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     ifname(r.wgIface.Name()),
+		},
+		&expr.Verdict{
+			Kind:  expr.VerdictJump,
+			Chain: to,
+		},
+	}
+
+	_ = r.conn.AddRule(&nftables.Rule{
+		Table: chain.Table,
+		Chain: chain,
+		Exprs: expressions,
+	})
+}
+
+func (r *family) flushWithBackoff() (err error) {
+	backoff := 4
+	backoffTime := 1000 * time.Millisecond
+	for i := 0; ; i++ {
+		err = r.conn.Flush()
+		if err != nil {
+			log.Debugf("failed to flush nftables: %v", err)
+			if !strings.Contains(err.Error(), "busy") {
+				return
+			}
+			log.Error("failed to flush nftables, retrying...")
+			if i == backoff-1 {
+				return err
+			}
+			time.Sleep(backoffTime)
+			backoffTime *= 2
+			continue
+		}
+		break
+	}
+	return
+}
+
+func (r *family) refreshRuleHandles(chain *nftables.Chain, mangle bool) error {
+	if r.workTable == nil || chain == nil {
+		return nil
+	}
+
+	list, err := r.conn.GetRules(r.workTable, chain)
+	if err != nil {
+		return err
+	}
+
+	for _, rule := range list {
+		if len(rule.UserData) == 0 {
+			continue
+		}
+		pr, ok := r.filters[firewall.RuleID(rule.UserData)]
+		if !ok {
+			continue
+		}
+		if mangle {
+			if pr.mangleRule != nil {
+				*pr.mangleRule = *rule
+			}
+		} else {
+			*pr.nftRule = *rule
+		}
+	}
+
+	return nil
+}
--- a/client/firewall/nftables/dnat_linux.go
+++ b/client/firewall/nftables/dnat_linux.go
@@ -0,0 +1,550 @@
+//go:build !android
+
+package nftables
+
+import (
+	"fmt"
+	"net/netip"
+
+	"github.com/google/nftables"
+	"github.com/google/nftables/binaryutil"
+	"github.com/google/nftables/expr"
+	"github.com/google/nftables/xt"
+	"github.com/hashicorp/go-multierror"
+	log "github.com/sirupsen/logrus"
+
+	nberrors "github.com/netbirdio/netbird/client/errors"
+	firewall "github.com/netbirdio/netbird/client/firewall/manager"
+)
+
+func (r *family) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error) {
+	ruleID := rule.ID()
+	if _, exists := r.rules[ruleID+dnatSuffix]; exists {
+		return rule, nil
+	}
+
+	protoNum, err := r.af.protoNum(rule.Protocol)
+	if err != nil {
+		return nil, fmt.Errorf("convert protocol to number: %w", err)
+	}
+
+	// Request forwarding once the rule is about to be installed, releasing
+	// it if a later step fails so the refcount tracks the real rules.
+	if err := r.ipFwdState.RequestForwarding(); err != nil {
+		return nil, err
+	}
+
+	if err := r.addDnatRedirect(rule, protoNum, ruleID); err != nil {
+		r.releaseForwarding()
+		return nil, err
+	}
+
+	r.addDnatMasq(rule, protoNum, ruleID)
+
+	// Unlike iptables, there's no point in adding "out" rules in the forward chain here as our policy is ACCEPT.
+	// To overcome DROP policies in other chains, we'd have to add rules to the chains there.
+	// We also cannot just add "oif <iface> accept" there and filter in our own table as we don't know what is supposed to be allowed.
+	// TODO: find chains with drop policies and add rules there
+
+	if err := r.conn.Flush(); err != nil {
+		r.releaseForwarding()
+		return nil, fmt.Errorf("flush rules: %w", err)
+	}
+
+	return &rule, nil
+}
+
+func (r *family) addDnatRedirect(rule firewall.ForwardRule, protoNum uint8, ruleID firewall.RuleID) error {
+	dnatExprs := []expr.Any{
+		&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
+		&expr.Cmp{
+			Op:       expr.CmpOpNeq,
+			Register: 1,
+			Data:     ifname(r.wgIface.Name()),
+		},
+		&expr.Meta{Key: expr.MetaKeyL4PROTO, Register: 1},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     []byte{protoNum},
+		},
+		&expr.Payload{
+			DestRegister: 1,
+			Base:         expr.PayloadBaseTransportHeader,
+			Offset:       2,
+			Len:          2,
+		},
+	}
+	dnatExprs = append(dnatExprs, applyPort(&rule.DestinationPort, false)...)
+
+	// shifted translated port is not supported in nftables, so we hand this over to xtables
+	if rule.TranslatedPort.IsRange && len(rule.TranslatedPort.Values) == 2 {
+		if rule.TranslatedPort.Values[0] != rule.DestinationPort.Values[0] ||
+			rule.TranslatedPort.Values[1] != rule.DestinationPort.Values[1] {
+			return r.addXTablesRedirect(dnatExprs, ruleID, rule)
+		}
+	}
+
+	additionalExprs, regProtoMin, regProtoMax, err := r.handleTranslatedPort(rule)
+	if err != nil {
+		return err
+	}
+	dnatExprs = append(dnatExprs, additionalExprs...)
+
+	dnatExprs = append(dnatExprs,
+		&expr.NAT{
+			Type:        expr.NATTypeDestNAT,
+			Family:      uint32(r.af.tableFamily),
+			RegAddrMin:  1,
+			RegProtoMin: regProtoMin,
+			RegProtoMax: regProtoMax,
+		},
+	)
+
+	dnatRule := &nftables.Rule{
+		Table:    r.workTable,
+		Chain:    r.chains[chainNameRoutingRdr],
+		Exprs:    dnatExprs,
+		UserData: []byte(ruleID + dnatSuffix),
+	}
+	r.conn.AddRule(dnatRule)
+	r.rules[ruleID+dnatSuffix] = dnatRule
+
+	return nil
+}
+
+func (r *family) handleTranslatedPort(rule firewall.ForwardRule) ([]expr.Any, uint32, uint32, error) {
+	switch {
+	case rule.TranslatedPort.IsRange && len(rule.TranslatedPort.Values) == 2:
+		return r.handlePortRange(rule)
+	case len(rule.TranslatedPort.Values) == 0:
+		return r.handleAddressOnly(rule)
+	case len(rule.TranslatedPort.Values) == 1:
+		return r.handleSinglePort(rule)
+	default:
+		return nil, 0, 0, fmt.Errorf("invalid translated port: %v", rule.TranslatedPort)
+	}
+}
+
+func (r *family) handlePortRange(rule firewall.ForwardRule) ([]expr.Any, uint32, uint32, error) {
+	exprs := []expr.Any{
+		&expr.Immediate{
+			Register: 1,
+			Data:     rule.TranslatedAddress.AsSlice(),
+		},
+		&expr.Immediate{
+			Register: 2,
+			Data:     binaryutil.BigEndian.PutUint16(rule.TranslatedPort.Values[0]),
+		},
+		&expr.Immediate{
+			Register: 3,
+			Data:     binaryutil.BigEndian.PutUint16(rule.TranslatedPort.Values[1]),
+		},
+	}
+	return exprs, 2, 3, nil
+}
+
+func (r *family) handleAddressOnly(rule firewall.ForwardRule) ([]expr.Any, uint32, uint32, error) {
+	exprs := []expr.Any{
+		&expr.Immediate{
+			Register: 1,
+			Data:     rule.TranslatedAddress.AsSlice(),
+		},
+	}
+	return exprs, 0, 0, nil
+}
+
+func (r *family) handleSinglePort(rule firewall.ForwardRule) ([]expr.Any, uint32, uint32, error) {
+	exprs := []expr.Any{
+		&expr.Immediate{
+			Register: 1,
+			Data:     rule.TranslatedAddress.AsSlice(),
+		},
+		&expr.Immediate{
+			Register: 2,
+			Data:     binaryutil.BigEndian.PutUint16(rule.TranslatedPort.Values[0]),
+		},
+	}
+	return exprs, 2, 0, nil
+}
+
+func (r *family) addXTablesRedirect(dnatExprs []expr.Any, ruleID firewall.RuleID, rule firewall.ForwardRule) error {
+	dnatExprs = append(dnatExprs,
+		&expr.Counter{},
+		&expr.Target{
+			Name: "DNAT",
+			Rev:  2,
+			Info: &xt.NatRange2{
+				NatRange: xt.NatRange{
+					Flags:   uint(xt.NatRangeMapIPs | xt.NatRangeProtoSpecified | xt.NatRangeProtoOffset),
+					MinIP:   rule.TranslatedAddress.AsSlice(),
+					MaxIP:   rule.TranslatedAddress.AsSlice(),
+					MinPort: rule.TranslatedPort.Values[0],
+					MaxPort: rule.TranslatedPort.Values[1],
+				},
+				BasePort: rule.DestinationPort.Values[0],
+			},
+		},
+	)
+
+	natTable := &nftables.Table{
+		Name:   tableNat,
+		Family: r.af.tableFamily,
+	}
+	dnatRule := &nftables.Rule{
+		Table: natTable,
+		Chain: &nftables.Chain{
+			Name:     chainNameNatPrerouting,
+			Table:    natTable,
+			Type:     nftables.ChainTypeNAT,
+			Hooknum:  nftables.ChainHookPrerouting,
+			Priority: nftables.ChainPriorityNATDest,
+		},
+		Exprs:    dnatExprs,
+		UserData: []byte(ruleID + dnatSuffix),
+	}
+	r.conn.AddRule(dnatRule)
+	r.rules[ruleID+dnatSuffix] = dnatRule
+
+	return nil
+}
+
+func (r *family) addDnatMasq(rule firewall.ForwardRule, protoNum uint8, ruleID firewall.RuleID) {
+	masqExprs := []expr.Any{
+		&expr.Meta{Key: expr.MetaKeyOIFNAME, Register: 1},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     ifname(r.wgIface.Name()),
+		},
+		&expr.Meta{Key: expr.MetaKeyL4PROTO, Register: 1},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     []byte{protoNum},
+		},
+		&expr.Payload{
+			DestRegister: 1,
+			Base:         expr.PayloadBaseNetworkHeader,
+			Offset:       r.af.dstAddrOffset,
+			Len:          r.af.addrLen,
+		},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     rule.TranslatedAddress.AsSlice(),
+		},
+	}
+
+	masqExprs = append(masqExprs, applyPort(&rule.TranslatedPort, false)...)
+	masqExprs = append(masqExprs, &expr.Masq{})
+
+	masqRule := &nftables.Rule{
+		Table:    r.workTable,
+		Chain:    r.chains[chainNameRoutingNat],
+		Exprs:    masqExprs,
+		UserData: []byte(ruleID + snatSuffix),
+	}
+	r.conn.AddRule(masqRule)
+	r.rules[ruleID+snatSuffix] = masqRule
+}
+
+func (r *family) DeleteDNATRule(rule firewall.Rule) error {
+	ruleID := rule.ID()
+
+	if err := r.refreshRulesMap(); err != nil {
+		return fmt.Errorf(refreshRulesMapError, err)
+	}
+
+	var merr *multierror.Error
+	var needsFlush bool
+	var found bool
+
+	if dnatRule, exists := r.rules[ruleID+dnatSuffix]; exists {
+		found = true
+		if dnatRule.Handle == 0 {
+			log.Warnf("dnat rule %s has no handle, removing stale entry", ruleID+dnatSuffix)
+			delete(r.rules, ruleID+dnatSuffix)
+		} else if err := r.conn.DelRule(dnatRule); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("delete dnat rule: %w", err))
+		} else {
+			needsFlush = true
+		}
+	}
+
+	if masqRule, exists := r.rules[ruleID+snatSuffix]; exists {
+		found = true
+		if masqRule.Handle == 0 {
+			log.Warnf("snat rule %s has no handle, removing stale entry", ruleID+snatSuffix)
+			delete(r.rules, ruleID+snatSuffix)
+		} else if err := r.conn.DelRule(masqRule); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("delete snat rule: %w", err))
+		} else {
+			needsFlush = true
+		}
+	}
+
+	if needsFlush {
+		if err := r.conn.Flush(); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf(flushError, err))
+		}
+	}
+
+	if merr != nil {
+		return nberrors.FormatErrorOrNil(merr)
+	}
+
+	delete(r.rules, ruleID+dnatSuffix)
+	delete(r.rules, ruleID+snatSuffix)
+
+	// Release once, only if the rule was present and removed.
+	if found {
+		r.releaseForwarding()
+	}
+
+	return nil
+}
+
+// releaseForwarding drops one IP forwarding reference, logging any error.
+func (r *family) releaseForwarding() {
+	if err := r.ipFwdState.ReleaseForwarding(); err != nil {
+		log.Errorf("release IP forwarding: %v", err)
+	}
+}
+
+func (r *family) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, originalPort, translatedPort uint16) error {
+	ruleID := firewall.RuleID(fmt.Sprintf("inbound-dnat-%s-%s-%d-%d", localAddr.String(), protocol, originalPort, translatedPort))
+
+	if _, exists := r.rules[ruleID]; exists {
+		return nil
+	}
+
+	protoNum, err := r.af.protoNum(protocol)
+	if err != nil {
+		return fmt.Errorf("convert protocol to number: %w", err)
+	}
+
+	exprs := []expr.Any{
+		&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     ifname(r.wgIface.Name()),
+		},
+		&expr.Meta{Key: expr.MetaKeyL4PROTO, Register: 2},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 2,
+			Data:     []byte{protoNum},
+		},
+		&expr.Payload{
+			DestRegister: 3,
+			Base:         expr.PayloadBaseTransportHeader,
+			Offset:       2,
+			Len:          2,
+		},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 3,
+			Data:     binaryutil.BigEndian.PutUint16(originalPort),
+		},
+	}
+
+	bits := 32
+	if localAddr.Is6() {
+		bits = 128
+	}
+	exprs = append(exprs, prefixMatchExprs(r.af, netip.PrefixFrom(localAddr, bits), false)...)
+
+	exprs = append(exprs,
+		&expr.Immediate{
+			Register: 1,
+			Data:     localAddr.AsSlice(),
+		},
+		&expr.Immediate{
+			Register: 2,
+			Data:     binaryutil.BigEndian.PutUint16(translatedPort),
+		},
+		&expr.NAT{
+			Type:        expr.NATTypeDestNAT,
+			Family:      uint32(r.af.tableFamily),
+			RegAddrMin:  1,
+			RegProtoMin: 2,
+			RegProtoMax: 0,
+		},
+	)
+
+	dnatRule := &nftables.Rule{
+		Table:    r.workTable,
+		Chain:    r.chains[chainNameRoutingRdr],
+		Exprs:    exprs,
+		UserData: []byte(ruleID),
+	}
+	r.conn.AddRule(dnatRule)
+
+	if err := r.conn.Flush(); err != nil {
+		return fmt.Errorf("add inbound DNAT rule: %w", err)
+	}
+
+	r.rules[ruleID] = dnatRule
+
+	return nil
+}
+
+// RemoveInboundDNAT removes an inbound DNAT rule.
+func (r *family) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, originalPort, translatedPort uint16) error {
+	if err := r.refreshRulesMap(); err != nil {
+		return fmt.Errorf(refreshRulesMapError, err)
+	}
+
+	ruleID := firewall.RuleID(fmt.Sprintf("inbound-dnat-%s-%s-%d-%d", localAddr.String(), protocol, originalPort, translatedPort))
+
+	rule, exists := r.rules[ruleID]
+	if !exists {
+		return nil
+	}
+
+	if rule.Handle == 0 {
+		log.Warnf("inbound DNAT rule %s has no handle, removing stale entry", ruleID)
+		delete(r.rules, ruleID)
+		return nil
+	}
+
+	if err := r.conn.DelRule(rule); err != nil {
+		return fmt.Errorf("delete inbound DNAT rule %s: %w", ruleID, err)
+	}
+	if err := r.conn.Flush(); err != nil {
+		return fmt.Errorf("flush delete inbound DNAT rule: %w", err)
+	}
+	delete(r.rules, ruleID)
+
+	return nil
+}
+
+// ensureNATOutputChain lazily creates the OUTPUT NAT chain on first use.
+func (r *family) ensureNATOutputChain() error {
+	if _, exists := r.chains[chainNameNATOutput]; exists {
+		return nil
+	}
+
+	r.chains[chainNameNATOutput] = r.conn.AddChain(&nftables.Chain{
+		Name:     chainNameNATOutput,
+		Table:    r.workTable,
+		Hooknum:  nftables.ChainHookOutput,
+		Priority: nftables.ChainPriorityNATDest,
+		Type:     nftables.ChainTypeNAT,
+	})
+
+	if err := r.conn.Flush(); err != nil {
+		delete(r.chains, chainNameNATOutput)
+		return fmt.Errorf("create NAT output chain: %w", err)
+	}
+	return nil
+}
+
+// AddOutputDNAT adds an OUTPUT chain DNAT rule for locally-generated traffic.
+func (r *family) AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, originalPort, translatedPort uint16) error {
+	ruleID := firewall.RuleID(fmt.Sprintf("output-dnat-%s-%s-%d-%d", localAddr.String(), protocol, originalPort, translatedPort))
+
+	if _, exists := r.rules[ruleID]; exists {
+		return nil
+	}
+
+	if err := r.ensureNATOutputChain(); err != nil {
+		return err
+	}
+
+	protoNum, err := r.af.protoNum(protocol)
+	if err != nil {
+		return fmt.Errorf("convert protocol to number: %w", err)
+	}
+
+	exprs := []expr.Any{
+		&expr.Meta{Key: expr.MetaKeyL4PROTO, Register: 1},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     []byte{protoNum},
+		},
+		&expr.Payload{
+			DestRegister: 2,
+			Base:         expr.PayloadBaseTransportHeader,
+			Offset:       2,
+			Len:          2,
+		},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 2,
+			Data:     binaryutil.BigEndian.PutUint16(originalPort),
+		},
+	}
+
+	bits := 32
+	if localAddr.Is6() {
+		bits = 128
+	}
+	exprs = append(exprs, prefixMatchExprs(r.af, netip.PrefixFrom(localAddr, bits), false)...)
+
+	exprs = append(exprs,
+		&expr.Immediate{
+			Register: 1,
+			Data:     localAddr.AsSlice(),
+		},
+		&expr.Immediate{
+			Register: 2,
+			Data:     binaryutil.BigEndian.PutUint16(translatedPort),
+		},
+		&expr.NAT{
+			Type:        expr.NATTypeDestNAT,
+			Family:      uint32(r.af.tableFamily),
+			RegAddrMin:  1,
+			RegProtoMin: 2,
+		},
+	)
+
+	dnatRule := &nftables.Rule{
+		Table:    r.workTable,
+		Chain:    r.chains[chainNameNATOutput],
+		Exprs:    exprs,
+		UserData: []byte(ruleID),
+	}
+	r.conn.AddRule(dnatRule)
+
+	if err := r.conn.Flush(); err != nil {
+		return fmt.Errorf("add output DNAT rule: %w", err)
+	}
+
+	r.rules[ruleID] = dnatRule
+
+	return nil
+}
+
+// RemoveOutputDNAT removes an OUTPUT chain DNAT rule.
+func (r *family) RemoveOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, originalPort, translatedPort uint16) error {
+	if err := r.refreshRulesMap(); err != nil {
+		return fmt.Errorf(refreshRulesMapError, err)
+	}
+
+	ruleID := firewall.RuleID(fmt.Sprintf("output-dnat-%s-%s-%d-%d", localAddr.String(), protocol, originalPort, translatedPort))
+
+	rule, exists := r.rules[ruleID]
+	if !exists {
+		return nil
+	}
+
+	if rule.Handle == 0 {
+		log.Warnf("output DNAT rule %s has no handle, removing stale entry", ruleID)
+		delete(r.rules, ruleID)
+		return nil
+	}
+
+	if err := r.conn.DelRule(rule); err != nil {
+		return fmt.Errorf("delete output DNAT rule %s: %w", ruleID, err)
+	}
+	if err := r.conn.Flush(); err != nil {
+		return fmt.Errorf("flush delete output DNAT rule: %w", err)
+	}
+	delete(r.rules, ruleID)
+
+	return nil
+}
--- a/client/firewall/nftables/external_chain_monitor_integration_linux_test.go
+++ b/client/firewall/nftables/external_chain_monitor_integration_linux_test.go
@@ -0,0 +1,76 @@
+//go:build linux
+
+package nftables
+
+import (
+	"os"
+	"sync/atomic"
+	"testing"
+	"time"
+
+	"github.com/google/nftables"
+	"github.com/stretchr/testify/require"
+)
+
+// TestExternalChainMonitorRootIntegration verifies that adding a new chain
+// in an external (non-netbird) filter table triggers the reconciler.
+// Requires CAP_NET_ADMIN; skip otherwise.
+func TestExternalChainMonitorRootIntegration(t *testing.T) {
+	if os.Geteuid() != 0 {
+		t.Skip("root required")
+	}
+
+	calls := make(chan struct{}, 8)
+	var count atomic.Int32
+	rec := &countingReconciler{calls: calls, count: &count}
+
+	m := newExternalChainMonitor(rec)
+	m.start()
+	t.Cleanup(m.stop)
+
+	// Give the netlink subscription a moment to register.
+	time.Sleep(200 * time.Millisecond)
+
+	conn := &nftables.Conn{}
+	table := conn.AddTable(&nftables.Table{
+		Name:   "nbmon_integration_test",
+		Family: nftables.TableFamilyINet,
+	})
+	t.Cleanup(func() {
+		cleanup := &nftables.Conn{}
+		cleanup.DelTable(table)
+		_ = cleanup.Flush()
+	})
+
+	chain := conn.AddChain(&nftables.Chain{
+		Name:     "filter_INPUT",
+		Table:    table,
+		Hooknum:  nftables.ChainHookInput,
+		Priority: nftables.ChainPriorityFilter,
+		Type:     nftables.ChainTypeFilter,
+	})
+	_ = chain
+	require.NoError(t, conn.Flush(), "create external test chain")
+
+	select {
+	case <-calls:
+		// success
+	case <-time.After(3 * time.Second):
+		t.Fatalf("reconcile was not invoked after creating an external chain")
+	}
+	require.GreaterOrEqual(t, count.Load(), int32(1))
+}
+
+type countingReconciler struct {
+	calls chan struct{}
+	count *atomic.Int32
+}
+
+func (c *countingReconciler) reconcileExternalChains() error {
+	c.count.Add(1)
+	select {
+	case c.calls <- struct{}{}:
+	default:
+	}
+	return nil
+}
--- a/client/firewall/nftables/external_chain_monitor_linux.go
+++ b/client/firewall/nftables/external_chain_monitor_linux.go
@@ -0,0 +1,200 @@
+package nftables
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"sync"
+	"time"
+
+	"github.com/cenkalti/backoff/v4"
+	"github.com/google/nftables"
+	log "github.com/sirupsen/logrus"
+)
+
+const (
+	externalMonitorReconcileDelay = 500 * time.Millisecond
+	externalMonitorInitInterval   = 5 * time.Second
+	externalMonitorMaxInterval    = 5 * time.Minute
+	externalMonitorRandomization  = 0.5
+)
+
+// externalChainReconciler re-applies passthrough accept rules to external
+// nftables chains. Implementations must be safe to call from the monitor
+// goroutine; the Manager locks its mutex internally.
+type externalChainReconciler interface {
+	reconcileExternalChains() error
+}
+
+// externalChainMonitor watches nftables netlink events and triggers a
+// reconcile when a new table or chain appears (e.g. after
+// `firewall-cmd --reload`). Netlink errors trigger exponential-backoff
+// reconnect.
+type externalChainMonitor struct {
+	reconciler externalChainReconciler
+
+	mu     sync.Mutex
+	cancel context.CancelFunc
+	done   chan struct{}
+}
+
+func newExternalChainMonitor(r externalChainReconciler) *externalChainMonitor {
+	return &externalChainMonitor{reconciler: r}
+}
+
+func (m *externalChainMonitor) start() {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	if m.cancel != nil {
+		return
+	}
+
+	ctx, cancel := context.WithCancel(context.Background())
+	m.cancel = cancel
+	done := make(chan struct{})
+	m.done = done
+
+	go m.run(ctx, done)
+}
+
+func (m *externalChainMonitor) stop() {
+	m.mu.Lock()
+	cancel := m.cancel
+	done := m.done
+	m.cancel = nil
+	m.done = nil
+	m.mu.Unlock()
+
+	if cancel == nil {
+		return
+	}
+	cancel()
+	<-done
+}
+
+func (m *externalChainMonitor) run(ctx context.Context, done chan struct{}) {
+	defer close(done)
+
+	bo := &backoff.ExponentialBackOff{
+		InitialInterval:     externalMonitorInitInterval,
+		RandomizationFactor: externalMonitorRandomization,
+		Multiplier:          backoff.DefaultMultiplier,
+		MaxInterval:         externalMonitorMaxInterval,
+		MaxElapsedTime:      0,
+		Clock:               backoff.SystemClock,
+	}
+	bo.Reset()
+
+	for ctx.Err() == nil {
+		err := m.watch(ctx)
+		if ctx.Err() != nil {
+			return
+		}
+
+		delay := bo.NextBackOff()
+		log.Warnf("external chain monitor: %v, reconnecting in %s", err, delay)
+		select {
+		case <-ctx.Done():
+			return
+		case <-time.After(delay):
+		}
+	}
+}
+
+func (m *externalChainMonitor) watch(ctx context.Context) error {
+	events, closeMon, err := m.subscribe()
+	if err != nil {
+		return err
+	}
+	defer closeMon()
+
+	debounce := time.NewTimer(time.Hour)
+	if !debounce.Stop() {
+		<-debounce.C
+	}
+	defer debounce.Stop()
+
+	pending := false
+	for {
+		select {
+		case <-ctx.Done():
+			return nil
+		case <-debounce.C:
+			pending = false
+			m.reconcile()
+		case ev, ok := <-events:
+			if !ok {
+				return errors.New("monitor channel closed")
+			}
+			if ev.Error != nil {
+				return fmt.Errorf("monitor event: %w", ev.Error)
+			}
+			if !isRelevantMonitorEvent(ev) {
+				continue
+			}
+			resetDebounce(debounce, pending)
+			pending = true
+		}
+	}
+}
+
+func (m *externalChainMonitor) subscribe() (chan *nftables.MonitorEvent, func(), error) {
+	conn := &nftables.Conn{}
+	mon := nftables.NewMonitor(
+		nftables.WithMonitorAction(nftables.MonitorActionNew),
+		nftables.WithMonitorObject(nftables.MonitorObjectChains|nftables.MonitorObjectTables),
+	)
+	events, err := conn.AddMonitor(mon)
+	if err != nil {
+		return nil, nil, fmt.Errorf("add netlink monitor: %w", err)
+	}
+	return events, func() { _ = mon.Close() }, nil
+}
+
+// resetDebounce reschedules a pending debounce timer without leaking a stale
+// fire on its channel. pending must reflect whether the timer is armed.
+func resetDebounce(t *time.Timer, pending bool) {
+	if pending && !t.Stop() {
+		select {
+		case <-t.C:
+		default:
+		}
+	}
+	t.Reset(externalMonitorReconcileDelay)
+}
+
+func (m *externalChainMonitor) reconcile() {
+	if err := m.reconciler.reconcileExternalChains(); err != nil {
+		log.Warnf("reconcile external chain rules: %v", err)
+	}
+}
+
+// isRelevantMonitorEvent returns true for table/chain creation events on
+// families we care about. The reconciler filters to actual external filter
+// chains.
+func isRelevantMonitorEvent(ev *nftables.MonitorEvent) bool {
+	switch ev.Type {
+	case nftables.MonitorEventTypeNewChain:
+		chain, ok := ev.Data.(*nftables.Chain)
+		if !ok || chain == nil || chain.Table == nil {
+			return false
+		}
+		return isMonitoredFamily(chain.Table.Family)
+	case nftables.MonitorEventTypeNewTable:
+		table, ok := ev.Data.(*nftables.Table)
+		if !ok || table == nil {
+			return false
+		}
+		return isMonitoredFamily(table.Family)
+	}
+	return false
+}
+
+func isMonitoredFamily(family nftables.TableFamily) bool {
+	switch family {
+	case nftables.TableFamilyIPv4, nftables.TableFamilyIPv6, nftables.TableFamilyINet:
+		return true
+	}
+	return false
+}
--- a/client/firewall/nftables/external_chain_monitor_linux_test.go
+++ b/client/firewall/nftables/external_chain_monitor_linux_test.go
@@ -0,0 +1,137 @@
+package nftables
+
+import (
+	"testing"
+
+	"github.com/google/nftables"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestIsMonitoredFamily(t *testing.T) {
+	tests := []struct {
+		family nftables.TableFamily
+		want   bool
+	}{
+		{nftables.TableFamilyIPv4, true},
+		{nftables.TableFamilyIPv6, true},
+		{nftables.TableFamilyINet, true},
+		{nftables.TableFamilyARP, false},
+		{nftables.TableFamilyBridge, false},
+		{nftables.TableFamilyNetdev, false},
+		{nftables.TableFamilyUnspecified, false},
+	}
+	for _, tc := range tests {
+		assert.Equal(t, tc.want, isMonitoredFamily(tc.family), "family=%d", tc.family)
+	}
+}
+
+func TestIsRelevantMonitorEvent(t *testing.T) {
+	inetTable := &nftables.Table{Name: "firewalld", Family: nftables.TableFamilyINet}
+	ipTable := &nftables.Table{Name: "filter", Family: nftables.TableFamilyIPv4}
+	arpTable := &nftables.Table{Name: "arp", Family: nftables.TableFamilyARP}
+
+	tests := []struct {
+		name string
+		ev   *nftables.MonitorEvent
+		want bool
+	}{
+		{
+			name: "new chain in inet firewalld",
+			ev: &nftables.MonitorEvent{
+				Type: nftables.MonitorEventTypeNewChain,
+				Data: &nftables.Chain{Name: "filter_INPUT", Table: inetTable},
+			},
+			want: true,
+		},
+		{
+			name: "new chain in ip filter",
+			ev: &nftables.MonitorEvent{
+				Type: nftables.MonitorEventTypeNewChain,
+				Data: &nftables.Chain{Name: "INPUT", Table: ipTable},
+			},
+			want: true,
+		},
+		{
+			name: "new chain in unwatched arp family",
+			ev: &nftables.MonitorEvent{
+				Type: nftables.MonitorEventTypeNewChain,
+				Data: &nftables.Chain{Name: "x", Table: arpTable},
+			},
+			want: false,
+		},
+		{
+			name: "new table inet",
+			ev: &nftables.MonitorEvent{
+				Type: nftables.MonitorEventTypeNewTable,
+				Data: inetTable,
+			},
+			want: true,
+		},
+		{
+			name: "del chain (we only act on new)",
+			ev: &nftables.MonitorEvent{
+				Type: nftables.MonitorEventTypeDelChain,
+				Data: &nftables.Chain{Name: "filter_INPUT", Table: inetTable},
+			},
+			want: false,
+		},
+		{
+			name: "chain with nil table",
+			ev: &nftables.MonitorEvent{
+				Type: nftables.MonitorEventTypeNewChain,
+				Data: &nftables.Chain{Name: "x"},
+			},
+			want: false,
+		},
+		{
+			name: "nil data",
+			ev: &nftables.MonitorEvent{
+				Type: nftables.MonitorEventTypeNewChain,
+				Data: (*nftables.Chain)(nil),
+			},
+			want: false,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			assert.Equal(t, tc.want, isRelevantMonitorEvent(tc.ev))
+		})
+	}
+}
+
+// fakeReconciler records reconcile invocations for debounce tests.
+type fakeReconciler struct {
+	calls chan struct{}
+}
+
+func (f *fakeReconciler) reconcileExternalChains() error {
+	f.calls <- struct{}{}
+	return nil
+}
+
+func TestExternalChainMonitorStopWithoutStart(t *testing.T) {
+	m := newExternalChainMonitor(&fakeReconciler{calls: make(chan struct{}, 1)})
+	// Must not panic or block.
+	m.stop()
+}
+
+func TestExternalChainMonitorDoubleStart(t *testing.T) {
+	// start() twice should be a no-op; stop() cleans up once.
+	// We avoid exercising the netlink watch loop here because it needs root.
+	m := newExternalChainMonitor(&fakeReconciler{calls: make(chan struct{}, 1)})
+
+	// Replace run with a stub that just waits for cancel, so start() stays
+	// deterministic without opening a netlink socket.
+	origDone := make(chan struct{})
+	m.done = origDone
+	m.cancel = func() { close(origDone) }
+
+	// Second start should be a no-op (cancel already set).
+	m.start()
+	assert.NotNil(t, m.cancel)
+
+	m.stop()
+	assert.Nil(t, m.cancel)
+	assert.Nil(t, m.done)
+}
--- a/client/firewall/nftables/family_linux.go
+++ b/client/firewall/nftables/family_linux.go
@@ -0,0 +1,249 @@
+//go:build !android
+
+package nftables
+
+import (
+	"fmt"
+	"net/netip"
+
+	"github.com/coreos/go-iptables/iptables"
+	"github.com/google/nftables"
+	"github.com/hashicorp/go-multierror"
+	log "github.com/sirupsen/logrus"
+
+	nberrors "github.com/netbirdio/netbird/client/errors"
+	"github.com/netbirdio/netbird/client/firewall/firewalld"
+	firewall "github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/internal/routemanager/ipfwdstate"
+	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
+)
+
+const (
+	tableNat      = "nat"
+	tableMangle   = "mangle"
+	tableRaw      = "raw"
+	tableSecurity = "security"
+
+	chainNameNatPrerouting = "PREROUTING"
+	chainNameRoutingFw     = "netbird-rt-fwd"
+	chainNameRoutingNat    = "netbird-rt-postrouting"
+	chainNameRoutingRdr    = "netbird-rt-redirect"
+	chainNameNATOutput     = "netbird-nat-output"
+	chainNameForward       = "FORWARD"
+	chainNameMangleForward = "netbird-mangle-forward"
+
+	// Peer ACL chain names.
+	chainNameInputRules        = "netbird-acl-input-rules"
+	chainNameInputFilter       = "netbird-acl-input-filter"
+	chainNameForwardFilter     = "netbird-acl-forward-filter"
+	chainNameManglePrerouting  = "netbird-mangle-prerouting"
+	chainNameManglePostrouting = "netbird-mangle-postrouting"
+
+	flushError = "flush: %w"
+
+	firewalldTableName = "firewalld"
+
+	userDataAcceptForwardRuleIif = "frwacceptiif"
+	userDataAcceptForwardRuleOif = "frwacceptoif"
+	userDataAcceptInputRule      = "inputaccept"
+
+	dnatSuffix firewall.RuleID = "_dnat"
+	snatSuffix firewall.RuleID = "_snat"
+
+	// ipv4TCPHeaderSize is the minimum IPv4 (20) + TCP (20) header size for MSS calculation.
+	ipv4TCPHeaderSize = 40
+	// ipv6TCPHeaderSize is the minimum IPv6 (40) + TCP (20) header size for MSS calculation.
+	ipv6TCPHeaderSize = 60
+
+	// maxPrefixesSet 1638 prefixes start to fail, taking some margin
+	maxPrefixesSet       = 1500
+	refreshRulesMapError = "refresh rules map: %w"
+)
+
+var (
+	errFilterTableNotFound = fmt.Errorf("'filter' table not found")
+)
+
+type setInput struct {
+	set      firewall.Set
+	prefixes []netip.Prefix
+}
+
+// family holds the per-address-family nftables state. One instance
+// handles route ACLs, peer ACLs, NAT, DNAT, and MSS clamping for a
+// single family; the top-level Manager owns one for v4 and another
+// for v6. The name predates the peer-ACL absorption; it's effectively
+// the per-family backend now.
+type family struct {
+	conn        *nftables.Conn
+	workTable   *nftables.Table
+	filterTable *nftables.Table
+	chains      map[string]*nftables.Chain
+
+	// filters holds peer + route filter rules keyed by content hash.
+	// AddFilterRule writes here; DeleteFilterRule looks up by id.
+	filters map[firewall.RuleID]*Rule
+
+	// rules holds NAT, DNAT, and external accept rules (auxiliary
+	// plumbing that isn't a filter rule).
+	rules map[firewall.RuleID]*nftables.Rule
+
+	// Peer ACL chain handles.
+	chainInputRules    *nftables.Chain
+	chainPrerouting    *nftables.Chain
+	routingFwChainName string
+
+	ipsetCounter *refcounter.Counter[string, setInput, *nftables.Set]
+
+	af               addrFamily
+	wgIface          iFaceMapper
+	ipFwdState       *ipfwdstate.IPForwardingState
+	legacyManagement bool
+	mtu              uint16
+}
+
+func newFamily(workTable *nftables.Table, wgIface iFaceMapper, mtu uint16) (*family, error) {
+	r := &family{
+		conn:               &nftables.Conn{},
+		workTable:          workTable,
+		chains:             make(map[string]*nftables.Chain),
+		filters:            make(map[firewall.RuleID]*Rule),
+		rules:              make(map[firewall.RuleID]*nftables.Rule),
+		routingFwChainName: chainNameRoutingFw,
+		af:                 familyForAddr(workTable.Family == nftables.TableFamilyIPv4),
+		wgIface:            wgIface,
+		ipFwdState:         ipfwdstate.NewIPForwardingState(),
+		mtu:                mtu,
+	}
+
+	r.ipsetCounter = refcounter.New(
+		r.createIpSet,
+		r.deleteIpSet,
+	)
+
+	var err error
+	r.filterTable, err = r.loadFilterTable()
+	if err != nil {
+		log.Debugf("ip filter table not found: %v", err)
+	}
+
+	return r, nil
+}
+
+func (r *family) init(workTable *nftables.Table) error {
+	r.workTable = workTable
+
+	if err := r.removeAcceptFilterRules(); err != nil {
+		log.Errorf("failed to clean up rules from filter table: %s", err)
+	}
+
+	if err := r.createContainers(); err != nil {
+		return fmt.Errorf("create containers: %w", err)
+	}
+
+	if err := r.setupDataPlaneMark(); err != nil {
+		log.Errorf("failed to set up data plane mark: %v", err)
+	}
+
+	if err := r.createDefaultChains(); err != nil {
+		return fmt.Errorf("create default acl chains: %w", err)
+	}
+
+	return nil
+}
+
+// Reset cleans existing nftables filter table rules from the system
+func (r *family) Reset() error {
+	// clear without deleting the ipsets, the nf table will be deleted by the caller
+	r.ipsetCounter.Clear()
+
+	var merr *multierror.Error
+
+	if err := r.removeAcceptFilterRules(); err != nil {
+		merr = multierror.Append(merr, fmt.Errorf("remove accept filter rules: %w", err))
+	}
+
+	if err := firewalld.UntrustInterface(r.wgIface.Name()); err != nil {
+		merr = multierror.Append(merr, err)
+	}
+
+	if err := r.removeNatPreroutingRules(); err != nil {
+		merr = multierror.Append(merr, fmt.Errorf("remove filter prerouting rules: %w", err))
+	}
+
+	return nberrors.FormatErrorOrNil(merr)
+}
+
+func (r *family) loadFilterTable() (*nftables.Table, error) {
+	tables, err := r.conn.ListTablesOfFamily(r.af.tableFamily)
+	if err != nil {
+		return nil, fmt.Errorf("list tables: %w", err)
+	}
+
+	for _, table := range tables {
+		if table.Name == "filter" {
+			return table, nil
+		}
+	}
+
+	return nil, errFilterTableNotFound
+}
+
+func hookName(hook *nftables.ChainHook) string {
+	if hook == nil {
+		return "unknown"
+	}
+	switch *hook {
+	case *nftables.ChainHookForward:
+		return chainNameForward
+	case *nftables.ChainHookInput:
+		return chainNameInput
+	default:
+		return fmt.Sprintf("hook(%d)", *hook)
+	}
+}
+
+func familyName(family nftables.TableFamily) string {
+	switch family {
+	case nftables.TableFamilyIPv4:
+		return "ip"
+	case nftables.TableFamilyIPv6:
+		return "ip6"
+	case nftables.TableFamilyINet:
+		return "inet"
+	default:
+		return fmt.Sprintf("family(%d)", family)
+	}
+}
+
+func (r *family) iptablesProto() iptables.Protocol {
+	if r.af.tableFamily == nftables.TableFamilyIPv6 {
+		return iptables.ProtocolIPv6
+	}
+	return iptables.ProtocolIPv4
+}
+
+func (r *family) refreshRulesMap() error {
+	var merr *multierror.Error
+	newRules := make(map[firewall.RuleID]*nftables.Rule)
+	for _, chain := range r.chains {
+		rules, err := r.conn.GetRules(chain.Table, chain)
+		if err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("list rules for chain %s: %w", chain.Name, err))
+			// preserve existing entries for this chain since we can't verify their state
+			for k, v := range r.rules {
+				if v.Chain != nil && v.Chain.Name == chain.Name {
+					newRules[k] = v
+				}
+			}
+			continue
+		}
+		for _, rule := range rules {
+			if len(rule.UserData) > 0 {
+				newRules[firewall.RuleID(rule.UserData)] = rule
+			}
+		}
+	}
+	r.rules = newRules
+	return nberrors.FormatErrorOrNil(merr)
+}
--- a/client/firewall/nftables/filter_linux.go
+++ b/client/firewall/nftables/filter_linux.go
@@ -0,0 +1,441 @@
+//go:build !android
+
+package nftables
+
+import (
+	"fmt"
+	"net"
+	"net/netip"
+	"slices"
+
+	"github.com/google/nftables"
+	"github.com/google/nftables/binaryutil"
+	"github.com/google/nftables/expr"
+	"github.com/hashicorp/go-multierror"
+	log "github.com/sirupsen/logrus"
+
+	nberrors "github.com/netbirdio/netbird/client/errors"
+	firewall "github.com/netbirdio/netbird/client/firewall/manager"
+	nbid "github.com/netbirdio/netbird/client/internal/acl/id"
+)
+
+// AddFilterRule installs one nftables packet-filter rule. With
+// destination empty the rule goes to the peer ACL input chain plus a
+// paired prerouting mangle rule for the redirect mark. With
+// destination set (prefix or named set) it goes to the route ACL
+// forward chain. Multi-source rules collapse to one nftables rule
+// backed by the shared refcounted hash:net set.
+func (r *family) AddFilterRule(
+	id []byte,
+	sources []netip.Prefix,
+	destination firewall.Network,
+	proto firewall.Protocol,
+	sPort *firewall.Port,
+	dPort *firewall.Port,
+	action firewall.Action,
+) (firewall.Rule, error) {
+	isRoute := !destination.IsZero()
+
+	ruleID := nbid.GenerateRuleID(sources, destination, proto, sPort, dPort, action)
+	if existing, ok := r.filters[ruleID]; ok {
+		return existing, nil
+	}
+
+	srcExprs, err := r.applyNetwork(sourceNetwork(sources), sources, true)
+	if err != nil {
+		return nil, fmt.Errorf("apply source: %w", err)
+	}
+
+	var exprs []expr.Any
+	if isRoute {
+		exprs, err = r.buildRouteFilterExprs(srcExprs, destination, proto, sPort, dPort)
+	} else {
+		exprs, err = r.buildPeerFilterExprs(srcExprs, proto, sPort, dPort)
+	}
+	if err != nil {
+		r.dropNetworkMatch(srcExprs)
+		return nil, err
+	}
+
+	mainExprs := slices.Clone(exprs)
+	verdict := expr.VerdictAccept
+	if action == firewall.ActionDrop {
+		verdict = expr.VerdictDrop
+	}
+	mainExprs = append(mainExprs, &expr.Verdict{Kind: verdict})
+
+	chain := r.chainInputRules
+	if isRoute {
+		chain = r.chains[chainNameRoutingFw]
+	}
+
+	userData := []byte(ruleID)
+	nftRule := &nftables.Rule{
+		Table:    r.workTable,
+		Chain:    chain,
+		Exprs:    mainExprs,
+		UserData: userData,
+	}
+	if action == firewall.ActionDrop {
+		nftRule = r.conn.InsertRule(nftRule)
+	} else {
+		nftRule = r.conn.AddRule(nftRule)
+	}
+	if err := r.conn.Flush(); err != nil {
+		r.dropNetworkMatch(exprs)
+		return nil, fmt.Errorf(flushError, err)
+	}
+
+	rule := &Rule{
+		nftRule: nftRule,
+		sources: sources,
+		id:      ruleID,
+	}
+	if !isRoute {
+		rule.mangleRule = r.createPreroutingRule(exprs, userData)
+	}
+	r.filters[ruleID] = rule
+
+	log.Debugf("added filter rule: sources=%v, destination=%v, proto=%v, sPort=%v, dPort=%v, action=%v",
+		sources, destination, proto, sPort, dPort, action)
+	return rule, nil
+}
+
+// buildPeerFilterExprs assembles the input-chain (peer ACL) match: the
+// IP-header protocol byte read via Payload, then source, then ports
+// (no counter), matching the historical peer shape so per-rule kernel
+// state is identical to pre-unification.
+func (r *family) buildPeerFilterExprs(
+	srcExprs []expr.Any,
+	proto firewall.Protocol,
+	sPort, dPort *firewall.Port,
+) ([]expr.Any, error) {
+	var exprs []expr.Any
+
+	if proto != firewall.ProtocolALL {
+		protoNum, err := r.af.protoNum(proto)
+		if err != nil {
+			return nil, fmt.Errorf("convert protocol to number: %w", err)
+		}
+		exprs = append(exprs,
+			&expr.Payload{
+				DestRegister: 1,
+				Base:         expr.PayloadBaseNetworkHeader,
+				Offset:       r.af.protoOffset,
+				Len:          1,
+			},
+			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: []byte{protoNum}},
+		)
+	}
+	exprs = append(exprs, srcExprs...)
+	exprs = append(exprs, applyPort(sPort, true)...)
+	exprs = append(exprs, applyPort(dPort, false)...)
+	return exprs, nil
+}
+
+// buildRouteFilterExprs assembles the forward-chain (route ACL) match:
+// source, then destination, then optional proto/ports, then a counter.
+func (r *family) buildRouteFilterExprs(
+	srcExprs []expr.Any,
+	destination firewall.Network,
+	proto firewall.Protocol,
+	sPort, dPort *firewall.Port,
+) ([]expr.Any, error) {
+	exprs := append([]expr.Any{}, srcExprs...)
+
+	destExprs, err := r.applyNetwork(destination, nil, false)
+	if err != nil {
+		return nil, fmt.Errorf("apply destination: %w", err)
+	}
+	exprs = append(exprs, destExprs...)
+
+	if proto != firewall.ProtocolALL {
+		protoNum, err := r.af.protoNum(proto)
+		if err != nil {
+			r.dropNetworkMatch(destExprs)
+			return nil, fmt.Errorf("convert protocol to number: %w", err)
+		}
+		exprs = append(exprs,
+			&expr.Meta{Key: expr.MetaKeyL4PROTO, Register: 1},
+			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: []byte{protoNum}},
+		)
+		exprs = append(exprs, applyPort(sPort, true)...)
+		exprs = append(exprs, applyPort(dPort, false)...)
+	}
+
+	exprs = append(exprs, &expr.Counter{})
+	return exprs, nil
+}
+
+func (r *family) hasRule(id firewall.RuleID) bool {
+	_, ok := r.filters[id]
+	return ok
+}
+
+func (r *family) hasDNATRule(id firewall.RuleID) bool {
+	_, ok := r.rules[id+dnatSuffix]
+	return ok
+}
+
+// DeleteFilterRule removes a previously installed filter rule. Source
+// set references are recovered from the stored rule's expressions via
+// findSets and dropped from the shared refcounter.
+func (r *family) DeleteFilterRule(rule firewall.Rule) error {
+	ruleID := rule.ID()
+	pr, ok := r.filters[ruleID]
+	if !ok {
+		log.Debugf("filter rule %s not found", ruleID)
+		return nil
+	}
+
+	// A freshly added rule carries no handle until it is read back from
+	// the kernel, and Flush only refreshes the peer chains. Pull live
+	// handles for this rule's chain before deciding it is stale so route
+	// rules (which Flush never refreshes) can actually be deleted.
+	if pr.nftRule.Handle == 0 {
+		if err := r.refreshRuleHandles(pr.nftRule.Chain, false); err != nil {
+			log.Warnf("refresh handles for chain %s: %v", pr.nftRule.Chain.Name, err)
+		}
+		if pr.mangleRule != nil {
+			if err := r.refreshRuleHandles(r.chainPrerouting, true); err != nil {
+				log.Warnf("refresh mangle handles: %v", err)
+			}
+		}
+	}
+
+	if pr.nftRule.Handle == 0 {
+		log.Warnf("filter rule %s has no handle, removing stale entry", ruleID)
+		r.dropNetworkMatch(pr.nftRule.Exprs)
+		delete(r.filters, ruleID)
+		return nil
+	}
+
+	if err := r.conn.DelRule(pr.nftRule); err != nil {
+		log.Errorf("queue rule delete: %v", err)
+	}
+	if pr.mangleRule != nil {
+		if err := r.conn.DelRule(pr.mangleRule); err != nil {
+			log.Errorf("queue mangle rule delete: %v", err)
+		}
+	}
+	if err := r.conn.Flush(); err != nil {
+		return fmt.Errorf("flush delete %s: %w", ruleID, err)
+	}
+
+	r.dropNetworkMatch(pr.nftRule.Exprs)
+	delete(r.filters, ruleID)
+	return nil
+}
+
+func (r *family) decrementSetCounter(rule *nftables.Rule) error {
+	if r.ipsetCounter == nil {
+		return nil
+	}
+	sets := findSets(rule)
+
+	var merr *multierror.Error
+	for _, setName := range sets {
+		if _, err := r.ipsetCounter.Decrement(setName); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("decrement set counter: %w", err))
+		}
+	}
+
+	return nberrors.FormatErrorOrNil(merr)
+}
+
+// dropNetworkMatch undoes whatever the source/destination match
+// reserved. Safe to call when the spec is empty or holds only inline
+// matchers.
+func (r *family) dropNetworkMatch(exprs []expr.Any) {
+	if r.ipsetCounter == nil {
+		return
+	}
+	for _, e := range exprs {
+		lookup, ok := e.(*expr.Lookup)
+		if !ok {
+			continue
+		}
+		if _, err := r.ipsetCounter.Decrement(lookup.SetName); err != nil {
+			log.Errorf("rollback ipset decrement %s: %v", lookup.SetName, err)
+		}
+	}
+}
+
+func (r *family) applyNetwork(
+	network firewall.Network,
+	setPrefixes []netip.Prefix,
+	isSource bool,
+) ([]expr.Any, error) {
+	if network.IsSet() {
+		exprs, err := r.getIpSet(network.Set, setPrefixes, isSource)
+		if err != nil {
+			side := "destination"
+			if isSource {
+				side = "source"
+			}
+			return nil, fmt.Errorf("%s set: %w", side, err)
+		}
+		return exprs, nil
+	}
+
+	if network.IsPrefix() {
+		return prefixMatchExprs(r.af, network.Prefix, isSource), nil
+	}
+
+	return nil, nil
+}
+
+// prefixMatchExprs is the family-aware match sequence for a CIDR
+// prefix. /0 returns nil; a host prefix (full bit length for the
+// family) skips the bitwise step since the mask is all-ones. Shared
+// between family and aclManager so both treat single prefixes
+// identically.
+func prefixMatchExprs(af addrFamily, prefix netip.Prefix, isSource bool) []expr.Any {
+	offset := af.dstAddrOffset
+	if isSource {
+		offset = af.srcAddrOffset
+	}
+
+	ones := prefix.Bits()
+	if ones == 0 {
+		return nil
+	}
+
+	payload := &expr.Payload{
+		DestRegister: 1,
+		Base:         expr.PayloadBaseNetworkHeader,
+		Offset:       offset,
+		Len:          af.addrLen,
+	}
+	cmp := &expr.Cmp{
+		Op:       expr.CmpOpEq,
+		Register: 1,
+		Data:     prefix.Masked().Addr().AsSlice(),
+	}
+
+	if ones == af.totalBits {
+		return []expr.Any{payload, cmp}
+	}
+
+	mask := net.CIDRMask(ones, af.totalBits)
+	xor := make([]byte, af.addrLen)
+	return []expr.Any{
+		payload,
+		&expr.Bitwise{
+			DestRegister:   1,
+			SourceRegister: 1,
+			Len:            af.addrLen,
+			Mask:           mask,
+			Xor:            xor,
+		},
+		cmp,
+	}
+}
+
+func applyPort(port *firewall.Port, isSource bool) []expr.Any {
+	if port == nil {
+		return nil
+	}
+
+	var exprs []expr.Any
+
+	// src
+	offset := uint32(2)
+	if isSource {
+		// dst
+		offset = 0
+	}
+
+	exprs = append(exprs, &expr.Payload{
+		DestRegister: 1,
+		Base:         expr.PayloadBaseTransportHeader,
+		Offset:       offset,
+		Len:          2,
+	})
+
+	if port.IsRange && len(port.Values) == 2 {
+		exprs = append(exprs,
+			&expr.Range{
+				Op:       expr.CmpOpEq,
+				Register: 1,
+				FromData: binaryutil.BigEndian.PutUint16(port.Values[0]),
+				ToData:   binaryutil.BigEndian.PutUint16(port.Values[1]),
+			},
+		)
+	} else {
+		for i, p := range port.Values {
+			if i > 0 {
+				exprs = append(exprs, &expr.Bitwise{
+					SourceRegister: 1,
+					DestRegister:   1,
+					Len:            4,
+					Mask:           []byte{0x00, 0x00, 0xff, 0xff},
+					Xor:            []byte{0x00, 0x00, 0x00, 0x00},
+				})
+			}
+			exprs = append(exprs, &expr.Cmp{
+				Op:       expr.CmpOpEq,
+				Register: 1,
+				Data:     binaryutil.BigEndian.PutUint16(p),
+			})
+		}
+	}
+
+	return exprs
+}
+
+func getCtNewExprs() []expr.Any {
+	return []expr.Any{
+		&expr.Ct{
+			Key:      expr.CtKeySTATE,
+			Register: 1,
+		},
+		&expr.Bitwise{
+			SourceRegister: 1,
+			DestRegister:   1,
+			Len:            4,
+			Mask:           binaryutil.NativeEndian.PutUint32(expr.CtStateBitNEW),
+			Xor:            binaryutil.NativeEndian.PutUint32(0),
+		},
+		&expr.Cmp{
+			Op:       expr.CmpOpNeq,
+			Register: 1,
+			Data:     []byte{0, 0, 0, 0},
+		},
+	}
+}
+
+// sourceNetwork classifies a source-prefix list into the firewall.Network
+// shape the rest of the spec-builder consumes: empty for match-any, a
+// single prefix inline, or an ipset for multiple sources.
+func sourceNetwork(sources []netip.Prefix) firewall.Network {
+	switch {
+	case len(sources) == 0:
+		return firewall.Network{}
+	case len(sources) == 1 && sources[0].Bits() == 0:
+		return firewall.Network{}
+	case len(sources) == 1:
+		return firewall.Network{Prefix: sources[0]}
+	default:
+		return firewall.Network{Set: firewall.NewPrefixSet(sources)}
+	}
+}
+
+func ifname(n string) []byte {
+	b := make([]byte, 16)
+	copy(b, n+"\x00")
+	return b
+}
+
+// findSets scans an nftables rule's expressions for expr.Lookup and
+// returns the named sets in occurrence order. Used at delete time to
+// drop ipsetCounter references; peer and route ACLs go through it.
+func findSets(rule *nftables.Rule) []string {
+	var sets []string
+	for _, e := range rule.Exprs {
+		if lookup, ok := e.(*expr.Lookup); ok {
+			sets = append(sets, lookup.SetName)
+		}
+	}
+	return sets
+}
--- a/client/firewall/nftables/ipset_linux.go
+++ b/client/firewall/nftables/ipset_linux.go
@@ -0,0 +1,210 @@
+//go:build !android
+
+package nftables
+
+import (
+	"encoding/binary"
+	"fmt"
+	"net/netip"
+
+	"github.com/google/nftables"
+	"github.com/google/nftables/expr"
+	log "github.com/sirupsen/logrus"
+
+	firewall "github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
+)
+
+func (r *family) getIpSet(set firewall.Set, prefixes []netip.Prefix, isSource bool) ([]expr.Any, error) {
+	ref, err := r.ipsetCounter.Increment(set.HashedName(), setInput{
+		set:      set,
+		prefixes: prefixes,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("create or get ipset: %w", err)
+	}
+
+	return r.getIpSetExprs(ref, isSource)
+}
+
+func (r *family) createIpSet(setName string, input setInput) (*nftables.Set, error) {
+	// overlapping prefixes will result in an error, so we need to merge them
+	prefixes := firewall.MergeIPRanges(input.prefixes)
+
+	nfset := &nftables.Set{
+		Name:    setName,
+		Comment: input.set.Comment(),
+		Table:   r.workTable,
+		// required for prefixes
+		Interval: true,
+		KeyType:  r.af.setKeyType,
+	}
+
+	elements := r.convertPrefixesToSet(prefixes)
+	nElements := len(elements)
+
+	maxElements := maxPrefixesSet * 2
+	initialElements := elements[:min(maxElements, nElements)]
+
+	if err := r.conn.AddSet(nfset, initialElements); err != nil {
+		return nil, fmt.Errorf("error adding set %s: %w", setName, err)
+	}
+	if err := r.conn.Flush(); err != nil {
+		return nil, fmt.Errorf("flush error: %w", err)
+	}
+	log.Debugf("Created new ipset: %s with %d initial prefixes (total prefixes %d)", setName, len(initialElements)/2, len(prefixes))
+
+	// The set is committed now. If a later batch fails, destroy it: the
+	// refcounter records nothing on a create-callback error, so it would
+	// otherwise leak, and a partial source set fails-open for deny rules.
+	if err := r.addRemainingElements(nfset, elements, maxElements); err != nil {
+		if derr := r.deleteIpSet(setName, nfset); derr != nil {
+			log.Warnf("rollback ipset %s after add failure: %v", setName, derr)
+		}
+		return nil, err
+	}
+
+	log.Infof("Created new ipset: %s with %d prefixes", setName, len(prefixes))
+	return nfset, nil
+}
+
+// addRemainingElements adds element batches beyond the initial one in
+// maxElements-sized chunks, flushing each. Called after the set has been
+// created with its first batch.
+func (r *family) addRemainingElements(nfset *nftables.Set, elements []nftables.SetElement, maxElements int) error {
+	nElements := len(elements)
+	for subStart := maxElements; subStart < nElements; subStart += maxElements {
+		subEnd := min(subStart+maxElements, nElements)
+		subElement := elements[subStart:subEnd]
+		nSubPrefixes := len(subElement) / 2
+		log.Tracef("Adding new prefixes (%d) in ipset: %s", nSubPrefixes, nfset.Name)
+		if err := r.conn.SetAddElements(nfset, subElement); err != nil {
+			return fmt.Errorf("error adding prefixes (%d) to set %s: %w", nSubPrefixes, nfset.Name, err)
+		}
+		if err := r.conn.Flush(); err != nil {
+			return fmt.Errorf("flush error: %w", err)
+		}
+		log.Debugf("Added new prefixes (%d) in ipset: %s", nSubPrefixes, nfset.Name)
+	}
+	return nil
+}
+
+func (r *family) convertPrefixesToSet(prefixes []netip.Prefix) []nftables.SetElement {
+	var elements []nftables.SetElement
+	for _, prefix := range prefixes {
+		// nftables needs half-open intervals [firstIP, lastIP) for prefixes
+		// e.g. 10.0.0.0/24 becomes [10.0.0.0, 10.0.1.0), 10.1.1.1/32 becomes [10.1.1.1, 10.1.1.2) etc
+		firstIP := prefix.Addr()
+
+		// For a /0 the last address is the broadcast and its Next() overflows
+		// to an invalid Addr with an empty key, so wrap to the zero address,
+		// which nftables reads as the open end of a full-range interval.
+		var lastKey []byte
+		if prefix.Bits() == 0 {
+			lastKey = make([]byte, r.af.addrLen)
+		} else {
+			lastKey = calculateLastIP(prefix).Next().AsSlice()
+		}
+
+		// the nft tool also adds a zero-address IntervalEnd element, see https://github.com/google/nftables/issues/247
+		// nftables.SetElement{Key: make([]byte, r.af.addrLen), IntervalEnd: true},
+		elements = append(elements,
+			nftables.SetElement{Key: firstIP.AsSlice()},
+			nftables.SetElement{Key: lastKey, IntervalEnd: true},
+		)
+	}
+	return elements
+}
+
+// calculateLastIP determines the last IP in a given prefix.
+func calculateLastIP(prefix netip.Prefix) netip.Addr {
+	masked := prefix.Masked()
+	if masked.Addr().Is4() {
+		hostMask := ^uint32(0) >> masked.Bits()
+		lastIP := uint32FromNetipAddr(masked.Addr()) | hostMask
+		return netip.AddrFrom4(uint32ToBytes(lastIP))
+	}
+
+	// IPv6: set host bits to all 1s
+	b := masked.Addr().As16()
+	bits := masked.Bits()
+	for i := bits; i < 128; i++ {
+		b[i/8] |= 1 << (7 - i%8)
+	}
+	return netip.AddrFrom16(b)
+}
+
+// Utility function to convert netip.Addr to uint32.
+func uint32FromNetipAddr(addr netip.Addr) uint32 {
+	b := addr.As4()
+	return binary.BigEndian.Uint32(b[:])
+}
+
+// Utility function to convert uint32 to a netip-compatible byte slice.
+func uint32ToBytes(ip uint32) [4]byte {
+	var b [4]byte
+	binary.BigEndian.PutUint32(b[:], ip)
+	return b
+}
+
+func (r *family) deleteIpSet(setName string, nfset *nftables.Set) error {
+	r.conn.DelSet(nfset)
+	if err := r.conn.Flush(); err != nil {
+		return fmt.Errorf(flushError, err)
+	}
+
+	log.Debugf("Deleted unused ipset %s", setName)
+	return nil
+}
+
+func (r *family) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
+	nfset, err := r.conn.GetSetByName(r.workTable, set.HashedName())
+	if err != nil {
+		return fmt.Errorf("get set %s: %w", set.HashedName(), err)
+	}
+
+	// Overlapping prefixes (e.g. duplicate resolved addresses) make the
+	// interval set reject the batch, so merge them as createIpSet does.
+	prefixes = firewall.MergeIPRanges(prefixes)
+	elements := r.convertPrefixesToSet(prefixes)
+
+	// Add in batches sized like createIpSet so a large update does not
+	// exceed the netlink message size limit.
+	maxElements := maxPrefixesSet * 2
+	for start := 0; start < len(elements); start += maxElements {
+		end := min(start+maxElements, len(elements))
+		if err := r.conn.SetAddElements(nfset, elements[start:end]); err != nil {
+			return fmt.Errorf("add elements to set %s: %w", set.HashedName(), err)
+		}
+		if err := r.conn.Flush(); err != nil {
+			return fmt.Errorf(flushError, err)
+		}
+	}
+
+	log.Debugf("updated set %s with %d prefixes", set.HashedName(), len(prefixes))
+
+	return nil
+}
+
+func (r *family) getIpSetExprs(ref refcounter.Ref[*nftables.Set], isSource bool) ([]expr.Any, error) {
+	// dst offset by default
+	offset := r.af.dstAddrOffset
+	if isSource {
+		// src offset
+		offset = r.af.srcAddrOffset
+	}
+
+	return []expr.Any{
+		&expr.Payload{
+			DestRegister: 1,
+			Base:         expr.PayloadBaseNetworkHeader,
+			Offset:       offset,
+			Len:          r.af.addrLen,
+		},
+		&expr.Lookup{
+			SourceRegister: 1,
+			SetName:        ref.Out.Name,
+			SetID:          ref.Out.ID,
+		},
+	}, nil
+}
--- a/client/firewall/nftables/ipset_linux_test.go
+++ b/client/firewall/nftables/ipset_linux_test.go
@@ -0,0 +1,36 @@
+package nftables
+
+import (
+	"net/netip"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// TestConvertPrefixesToSetWildcard verifies that a /0 prefix produces a
+// usable interval. The last address of a /0 is the broadcast, whose Next()
+// overflows to an invalid Addr with an empty key; the IntervalEnd must wrap
+// to the zero address instead so nftables sees a full-range interval.
+func TestConvertPrefixesToSetWildcard(t *testing.T) {
+	tests := []struct {
+		name   string
+		af     addrFamily
+		prefix string
+	}{
+		{"IPv4 /0", afIPv4, "0.0.0.0/0"},
+		{"IPv6 /0", afIPv6, "::/0"},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			r := &family{af: tt.af}
+			elements := r.convertPrefixesToSet([]netip.Prefix{netip.MustParsePrefix(tt.prefix)})
+
+			require.Len(t, elements, 2, "expected start and interval-end element")
+			assert.False(t, elements[0].IntervalEnd, "first element is the interval start")
+			assert.True(t, elements[1].IntervalEnd, "second element is the interval end")
+			assert.Len(t, elements[1].Key, int(tt.af.addrLen), "interval-end key must be a zero address, not empty")
+		})
+	}
+}
--- a/client/firewall/nftables/ipsetstore_linux.go
+++ b/client/firewall/nftables/ipsetstore_linux.go
@@ -1,85 +0,0 @@
-package nftables
-
-import (
-	"net"
-)
-
-type ipsetStore struct {
-	ipsetReference map[string]int
-	ipsets         map[string]map[string]struct{} // ipsetName -> list of ips
-}
-
-func newIpsetStore() *ipsetStore {
-	return &ipsetStore{
-		ipsetReference: make(map[string]int),
-		ipsets:         make(map[string]map[string]struct{}),
-	}
-}
-
-func (s *ipsetStore) ips(ipsetName string) (map[string]struct{}, bool) {
-	r, ok := s.ipsets[ipsetName]
-	return r, ok
-}
-
-func (s *ipsetStore) newIpset(ipsetName string) map[string]struct{} {
-	s.ipsetReference[ipsetName] = 0
-	ipList := make(map[string]struct{})
-	s.ipsets[ipsetName] = ipList
-	return ipList
-}
-
-func (s *ipsetStore) deleteIpset(ipsetName string) {
-	delete(s.ipsetReference, ipsetName)
-	delete(s.ipsets, ipsetName)
-}
-
-func (s *ipsetStore) DeleteIpFromSet(ipsetName string, ip net.IP) {
-	ipList, ok := s.ipsets[ipsetName]
-	if !ok {
-		return
-	}
-	delete(ipList, ip.String())
-}
-
-func (s *ipsetStore) AddIpToSet(ipsetName string, ip net.IP) {
-	ipList, ok := s.ipsets[ipsetName]
-	if !ok {
-		return
-	}
-	ipList[ip.String()] = struct{}{}
-}
-
-func (s *ipsetStore) IsIpInSet(ipsetName string, ip net.IP) bool {
-	ipList, ok := s.ipsets[ipsetName]
-	if !ok {
-		return false
-	}
-	_, ok = ipList[ip.String()]
-	return ok
-}
-
-func (s *ipsetStore) AddReferenceToIpset(ipsetName string) {
-	s.ipsetReference[ipsetName]++
-}
-
-func (s *ipsetStore) DeleteReferenceFromIpSet(ipsetName string) {
-	r, ok := s.ipsetReference[ipsetName]
-	if !ok {
-		return
-	}
-	if r == 0 {
-		return
-	}
-	s.ipsetReference[ipsetName]--
-}
-
-func (s *ipsetStore) HasReferenceToSet(ipsetName string) bool {
-	if _, ok := s.ipsetReference[ipsetName]; !ok {
-		return false
-	}
-	if s.ipsetReference[ipsetName] == 0 {
-		return false
-	}
-
-	return true
-}
--- a/client/firewall/nftables/manager_linux.go
+++ b/client/firewall/nftables/manager_linux.go
@@ -3,7 +3,6 @@ package nftables
 import (
 	"context"
 	"fmt"
-	"net"
 	"net/netip"
 	"os"
 	"sync"
@@ -11,9 +10,11 @@ import (
 	"github.com/google/nftables"
 	"github.com/google/nftables/binaryutil"
 	"github.com/google/nftables/expr"
+	"github.com/hashicorp/go-multierror"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"

+	nberrors "github.com/netbirdio/netbird/client/errors"
 	"github.com/netbirdio/netbird/client/firewall/firewalld"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
@@ -43,16 +44,22 @@ type iFaceMapper interface {
 	Address() wgaddr.Address
 }

-// Manager of iptables firewall
+// Manager of nftables firewall. Per-family state (peer ACLs, route
+// ACLs, NAT, DNAT, MSS clamping) lives on family; Manager dispatches
+// by family and provides the public firewall.Manager surface.
 type Manager struct {
 	mutex   sync.Mutex
 	rConn   *nftables.Conn
 	wgIface iFaceMapper

-	router                 *router
-	aclManager             *AclManager
+	family4 *family
+	// IPv6 counterpart, nil when no v6 overlay.
+	family6 *family
+
 	notrackOutputChain     *nftables.Chain
 	notrackPreroutingChain *nftables.Chain
+
+	extMonitor *externalChainMonitor
 }

 // Create nftables firewall manager
@@ -62,124 +69,239 @@ func Create(wgIface iFaceMapper, mtu uint16) (*Manager, error) {
 		wgIface: wgIface,
 	}

-	workTable := &nftables.Table{Name: getTableName(), Family: nftables.TableFamilyIPv4}
+	tableName := getTableName()
+	workTable := &nftables.Table{Name: tableName, Family: nftables.TableFamilyIPv4}

 	var err error
-	m.router, err = newRouter(workTable, wgIface, mtu)
+	m.family4, err = newFamily(workTable, wgIface, mtu)
 	if err != nil {
-		return nil, fmt.Errorf("create router: %w", err)
+		return nil, fmt.Errorf("create family: %w", err)
 	}

-	m.aclManager, err = newAclManager(workTable, wgIface, chainNameRoutingFw)
-	if err != nil {
-		return nil, fmt.Errorf("create acl manager: %w", err)
+	if wgIface.Address().HasIPv6() {
+		if err := m.createIPv6Components(tableName, wgIface, mtu); err != nil {
+			return nil, fmt.Errorf("create IPv6 firewall: %w", err)
+		}
 	}

+	m.extMonitor = newExternalChainMonitor(m)
+
 	return m, nil
 }

+func (m *Manager) createIPv6Components(tableName string, wgIface iFaceMapper, mtu uint16) error {
+	workTable6 := &nftables.Table{Name: tableName, Family: nftables.TableFamilyIPv6}
+
+	var err error
+	m.family6, err = newFamily(workTable6, wgIface, mtu)
+	if err != nil {
+		return fmt.Errorf("create v6 family: %w", err)
+	}
+
+	// Share the same IP forwarding state with the v4 router, since
+	// EnableIPForwarding controls both v4 and v6 sysctls.
+	m.family6.ipFwdState = m.family4.ipFwdState
+
+	return nil
+}
+
+// hasIPv6 reports whether the manager has IPv6 components initialized.
+func (m *Manager) hasIPv6() bool {
+	return m.family6 != nil
+}
+
+func (m *Manager) initIPv6() error {
+	workTable6, err := m.createWorkTableFamily(nftables.TableFamilyIPv6)
+	if err != nil {
+		return fmt.Errorf("create v6 work table: %w", err)
+	}
+
+	if err := m.family6.init(workTable6); err != nil {
+		return fmt.Errorf("v6 family init: %w", err)
+	}
+
+	return nil
+}
+
 // Init nftables firewall manager
 func (m *Manager) Init(stateManager *statemanager.Manager) error {
+	if err := m.initFirewall(); err != nil {
+		return err
+	}
+
+	m.persistState(stateManager)
+
+	// Start after initFirewall has installed the baseline external-chain
+	// accept rules. start() is idempotent across Init/Close/Init cycles.
+	m.extMonitor.start()
+
+	return nil
+}
+
+// reconcileExternalChains re-applies passthrough accept rules to external
+// filter chains for both IPv4 and IPv6 routers. Called by the monitor when
+// tables or chains appear (e.g. after firewalld reloads).
+func (m *Manager) reconcileExternalChains() error {
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+
+	var merr *multierror.Error
+	if m.family4 != nil {
+		if err := m.family4.acceptExternalChainsRules(); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("v4: %w", err))
+		}
+	}
+	if m.hasIPv6() {
+		if err := m.family6.acceptExternalChainsRules(); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("v6: %w", err))
+		}
+	}
+	return nberrors.FormatErrorOrNil(merr)
+}
+
+func (m *Manager) initFirewall() (err error) {
 	workTable, err := m.createWorkTable()
 	if err != nil {
 		return fmt.Errorf("create work table: %w", err)
 	}

-	if err := m.router.init(workTable); err != nil {
-		return fmt.Errorf("router init: %w", err)
+	defer func() {
+		if err != nil {
+			m.rollbackInit()
+		}
+	}()
+
+	if err := m.family4.init(workTable); err != nil {
+		return fmt.Errorf("family init: %w", err)
 	}

-	if err := m.aclManager.init(workTable); err != nil {
-		// TODO: cleanup router
-		return fmt.Errorf("acl manager init: %w", err)
+	if m.hasIPv6() {
+		if err := m.initIPv6(); err != nil {
+			// Peer has a v6 address: v6 firewall MUST work or we risk fail-open.
+			return fmt.Errorf("init IPv6 firewall (required because peer has IPv6 address): %w", err)
+		}
 	}

 	if err := m.initNoTrackChains(workTable); err != nil {
 		log.Warnf("raw priority chains not available, notrack rules will be disabled: %v", err)
 	}

+	return nil
+}
+
+// persistState saves the current interface state for potential recreation on restart.
+// Unlike iptables, which requires tracking individual rules, nftables maintains
+// a known state (our netbird table plus a few static rules). This allows for easy
+// cleanup using Close() without needing to store specific rules.
+func (m *Manager) persistState(stateManager *statemanager.Manager) {
 	stateManager.RegisterState(&ShutdownState{})

-	// We only need to record minimal interface state for potential recreation.
-	// Unlike iptables, which requires tracking individual rules, nftables maintains
-	// a known state (our netbird table plus a few static rules). This allows for easy
-	// cleanup using Close() without needing to store specific rules.
 	if err := stateManager.UpdateState(&ShutdownState{
 		InterfaceState: &InterfaceState{
 			NameStr:   m.wgIface.Name(),
 			WGAddress: m.wgIface.Address(),
-			MTU:       m.router.mtu,
+			MTU:       m.family4.mtu,
 		},
 	}); err != nil {
 		log.Errorf("failed to update state: %v", err)
 	}

-	// persist early
 	go func() {
 		if err := stateManager.PersistState(context.Background()); err != nil {
 			log.Errorf("failed to persist state: %v", err)
 		}
 	}()
-
-	return nil
 }

-// AddPeerFiltering rule to the firewall
-//
-// If comment argument is empty firewall manager should set
-// rule ID as comment for the rule
-func (m *Manager) AddPeerFiltering(
-	id []byte,
-	ip net.IP,
-	proto firewall.Protocol,
-	sPort *firewall.Port,
-	dPort *firewall.Port,
-	action firewall.Action,
-	ipsetName string,
-) ([]firewall.Rule, error) {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	rawIP := ip.To4()
-	if rawIP == nil {
-		return nil, fmt.Errorf("unsupported IP version: %s", ip.String())
+// rollbackInit performs best-effort cleanup of already-initialized state when Init fails partway through.
+func (m *Manager) rollbackInit() {
+	if err := m.family4.Reset(); err != nil {
+		log.Warnf("rollback family: %v", err)
+	}
+	if m.hasIPv6() {
+		if err := m.family6.Reset(); err != nil {
+			log.Warnf("rollback v6 family: %v", err)
+		}
+	}
+	if err := m.cleanupNetbirdTables(); err != nil {
+		log.Warnf("cleanup tables: %v", err)
+	}
+	if err := m.rConn.Flush(); err != nil {
+		log.Warnf("flush: %v", err)
 	}
-
-	return m.aclManager.AddPeerFiltering(id, ip, proto, sPort, dPort, action, ipsetName)
 }

-func (m *Manager) AddRouteFiltering(
+// AddFilterRule installs a packet-filtering rule.
+//
+// Destination semantics: zero Network → input chain (peer ACL);
+// set Network → forward chain (route ACL).
+//
+// Sources are a single address family; the rule is dispatched to the
+// matching per-family backend.
+func (m *Manager) AddFilterRule(
 	id []byte,
 	sources []netip.Prefix,
 	destination firewall.Network,
 	proto firewall.Protocol,
-	sPort, dPort *firewall.Port,
+	sPort *firewall.Port,
+	dPort *firewall.Port,
 	action firewall.Action,
 ) (firewall.Rule, error) {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	if destination.IsPrefix() && !destination.Prefix.Addr().Is4() {
-		return nil, fmt.Errorf("unsupported IP version: %s", destination.Prefix.Addr().String())
+	if len(sources) == 0 {
+		return nil, firewall.ErrNoSources
 	}

-	return m.router.AddRouteFiltering(id, sources, destination, proto, sPort, dPort, action)
-}
-
-// DeletePeerRule from the firewall by rule definition
-func (m *Manager) DeletePeerRule(rule firewall.Rule) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	return m.aclManager.DeletePeerRule(rule)
+	fam := m.family4
+	if isIPv6Rule(sources, destination) {
+		if !m.hasIPv6() {
+			return nil, fmt.Errorf("add filtering: %w", firewall.ErrIPv6NotInitialized)
+		}
+		fam = m.family6
+	}
+	return fam.AddFilterRule(id, sources, destination, proto, sPort, dPort, action)
 }

-// DeleteRouteRule deletes a routing rule
-func (m *Manager) DeleteRouteRule(rule firewall.Rule) error {
+// DeleteFilterRule removes a filtering rule. The owning family is found
+// by id, refreshing from the kernel if the in-memory caches miss so a
+// stale cache cannot leak the rule. family.DeleteFilterRule is idempotent
+// when the id is absent.
+func (m *Manager) DeleteFilterRule(rule firewall.Rule) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	return m.router.DeleteRouteRule(rule)
+	fam, err := m.familyForRuleID(rule.ID(), (*family).hasRule)
+	if err != nil {
+		return err
+	}
+	return fam.DeleteFilterRule(rule)
+}
+
+// familyForRuleID picks the family holding the rule with the given id, using
+// the supplied lookup. If the cached maps disagree (or both miss), it refreshes
+// from the kernel once and re-checks before falling back to the v4 family.
+func (m *Manager) familyForRuleID(id firewall.RuleID, has func(*family, firewall.RuleID) bool) (*family, error) {
+	if has(m.family4, id) {
+		return m.family4, nil
+	}
+	if m.hasIPv6() && has(m.family6, id) {
+		return m.family6, nil
+	}
+	if !m.hasIPv6() {
+		return m.family4, nil
+	}
+	if err := m.family4.refreshRulesMap(); err != nil {
+		return nil, fmt.Errorf("refresh v4 rules: %w", err)
+	}
+	if err := m.family6.refreshRulesMap(); err != nil {
+		return nil, fmt.Errorf("refresh v6 rules: %w", err)
+	}
+	if has(m.family6, id) && !has(m.family4, id) {
+		return m.family6, nil
+	}
+	return m.family4, nil
 }

 func (m *Manager) IsServerRouteSupported() bool {
@@ -194,26 +316,82 @@ func (m *Manager) AddNatRule(pair firewall.RouterPair) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	return m.router.AddNatRule(pair)
+	if pair.Destination.IsPrefix() && pair.Destination.Prefix.Addr().Is6() {
+		if !m.hasIPv6() {
+			return fmt.Errorf("add NAT rule: %w", firewall.ErrIPv6NotInitialized)
+		}
+		return m.family6.AddNatRule(pair)
+	}
+
+	if err := m.family4.AddNatRule(pair); err != nil {
+		return err
+	}
+
+	// Dynamic routes need NAT in both tables since resolved IPs can be
+	// either v4 or v6. This covers both DomainSet (modern) and the legacy
+	// wildcard 0.0.0.0/0 destination where the client resolves DNS.
+	// On v6 failure we keep the v4 NAT rule rather than rolling back: half
+	// connectivity is better than none, and RemoveNatRule is content-keyed
+	// so the eventual cleanup still works.
+	if m.hasIPv6() && pair.Dynamic {
+		v6Pair := firewall.ToV6NatPair(pair)
+		if err := m.family6.AddNatRule(v6Pair); err != nil {
+			return fmt.Errorf("add v6 NAT rule: %w", err)
+		}
+	}
+
+	return nil
 }

 func (m *Manager) RemoveNatRule(pair firewall.RouterPair) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	return m.router.RemoveNatRule(pair)
+	if pair.Destination.IsPrefix() && pair.Destination.Prefix.Addr().Is6() {
+		if !m.hasIPv6() {
+			return nil
+		}
+		return m.family6.RemoveNatRule(pair)
+	}
+
+	var merr *multierror.Error
+
+	if err := m.family4.RemoveNatRule(pair); err != nil {
+		merr = multierror.Append(merr, fmt.Errorf("remove v4 NAT rule: %w", err))
+	}
+
+	if m.hasIPv6() && pair.Dynamic {
+		v6Pair := firewall.ToV6NatPair(pair)
+		if err := m.family6.RemoveNatRule(v6Pair); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("remove v6 NAT rule: %w", err))
+		}
+	}
+
+	return nberrors.FormatErrorOrNil(merr)
 }

 // AllowNetbird allows netbird interface traffic.
 // This is called when USPFilter wraps the native firewall, adding blanket accept
 // rules so that packet filtering is handled in userspace instead of by netfilter.
+//
+// TODO: In USP mode this only adds ACCEPT to the netbird table's own chains,
+// which doesn't override DROP rules in external tables (e.g. firewalld).
+// Should add passthrough rules to external chains (like the native mode router's
+// addExternalChainsRules does) for both the netbird table family and inet tables.
+// The netbird table itself is fine (routing chains already exist there), but
+// non-netbird tables with INPUT/FORWARD hooks can still DROP our WG traffic.
 func (m *Manager) AllowNetbird() error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	if err := m.aclManager.createDefaultAllowRules(); err != nil {
+	if err := m.family4.createDefaultAllowRules(); err != nil {
 		return fmt.Errorf("create default allow rules: %w", err)
 	}
+	if m.hasIPv6() {
+		if err := m.family6.createDefaultAllowRules(); err != nil {
+			return fmt.Errorf("create v6 default allow rules: %w", err)
+		}
+	}
 	if err := m.rConn.Flush(); err != nil {
 		return fmt.Errorf("flush allow input netbird rules: %w", err)
 	}
@@ -227,31 +405,47 @@ func (m *Manager) AllowNetbird() error {

 // SetLegacyManagement sets the route manager to use legacy management
 func (m *Manager) SetLegacyManagement(isLegacy bool) error {
-	return firewall.SetLegacyManagement(m.router, isLegacy)
+	if err := firewall.SetLegacyManagement(m.family4, isLegacy); err != nil {
+		return err
+	}
+	if m.hasIPv6() {
+		return firewall.SetLegacyManagement(m.family6, isLegacy)
+	}
+	return nil
 }

 // Close closes the firewall manager
 func (m *Manager) Close(stateManager *statemanager.Manager) error {
+	m.extMonitor.stop()
+
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	if err := m.router.Reset(); err != nil {
-		return fmt.Errorf("reset router: %v", err)
+	var merr *multierror.Error
+
+	if err := m.family4.Reset(); err != nil {
+		merr = multierror.Append(merr, fmt.Errorf("reset family: %w", err))
+	}
+
+	if m.hasIPv6() {
+		if err := m.family6.Reset(); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("reset v6 family: %w", err))
+		}
 	}

 	if err := m.cleanupNetbirdTables(); err != nil {
-		return fmt.Errorf("cleanup netbird tables: %v", err)
+		merr = multierror.Append(merr, fmt.Errorf("cleanup netbird tables: %v", err))
 	}

 	if err := m.rConn.Flush(); err != nil {
-		return fmt.Errorf(flushError, err)
+		merr = multierror.Append(merr, fmt.Errorf(flushError, err))
 	}

 	if err := stateManager.DeleteState(&ShutdownState{}); err != nil {
-		return fmt.Errorf("delete state: %v", err)
+		merr = multierror.Append(merr, fmt.Errorf("delete state: %v", err))
 	}

-	return nil
+	return nberrors.FormatErrorOrNil(merr)
 }

 func (m *Manager) cleanupNetbirdTables() error {
@@ -275,14 +469,14 @@ func (m *Manager) SetLogLevel(log.Level) {
 }

 func (m *Manager) EnableRouting() error {
-	if err := m.router.ipFwdState.RequestForwarding(); err != nil {
+	if err := m.family4.ipFwdState.RequestForwarding(); err != nil {
 		return fmt.Errorf("enable IP forwarding: %w", err)
 	}
 	return nil
 }

 func (m *Manager) DisableRouting() error {
-	if err := m.router.ipFwdState.ReleaseForwarding(); err != nil {
+	if err := m.family4.ipFwdState.ReleaseForwarding(); err != nil {
 		return fmt.Errorf("disable IP forwarding: %w", err)
 	}
 	return nil
@@ -296,10 +490,16 @@ func (m *Manager) Flush() error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	if err := m.aclManager.Flush(); err != nil {
+	if err := m.family4.Flush(); err != nil {
 		return err
 	}

+	if m.hasIPv6() {
+		if err := m.family6.Flush(); err != nil {
+			return fmt.Errorf("flush v6 acl: %w", err)
+		}
+	}
+
 	if err := m.refreshNoTrackChains(); err != nil {
 		log.Errorf("failed to refresh notrack chains: %v", err)
 	}
@@ -312,7 +512,13 @@ func (m *Manager) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error)
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	return m.router.AddDNATRule(rule)
+	if rule.TranslatedAddress.Is6() {
+		if !m.hasIPv6() {
+			return nil, fmt.Errorf("add DNAT rule: %w", firewall.ErrIPv6NotInitialized)
+		}
+		return m.family6.AddDNATRule(rule)
+	}
+	return m.family4.AddDNATRule(rule)
 }

 // DeleteDNATRule deletes a DNAT rule
@@ -320,7 +526,11 @@ func (m *Manager) DeleteDNATRule(rule firewall.Rule) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	return m.router.DeleteDNATRule(rule)
+	r, err := m.familyForRuleID(rule.ID(), (*family).hasDNATRule)
+	if err != nil {
+		return err
+	}
+	return r.DeleteDNATRule(rule)
 }

 // UpdateSet updates the set with the given prefixes
@@ -328,39 +538,82 @@ func (m *Manager) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	return m.router.UpdateSet(set, prefixes)
+	var v4Prefixes, v6Prefixes []netip.Prefix
+	for _, p := range prefixes {
+		if p.Addr().Is6() {
+			v6Prefixes = append(v6Prefixes, p)
+		} else {
+			v4Prefixes = append(v4Prefixes, p)
+		}
+	}
+
+	if err := m.family4.UpdateSet(set, v4Prefixes); err != nil {
+		return err
+	}
+
+	if m.hasIPv6() && len(v6Prefixes) > 0 {
+		if err := m.family6.UpdateSet(set, v6Prefixes); err != nil {
+			return fmt.Errorf("update v6 set: %w", err)
+		}
+	}
+
+	return nil
 }

 // AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services.
-func (m *Manager) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
+func (m *Manager) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, originalPort, translatedPort uint16) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	return m.router.AddInboundDNAT(localAddr, protocol, sourcePort, targetPort)
+	if localAddr.Is6() {
+		if !m.hasIPv6() {
+			return fmt.Errorf("add inbound DNAT: %w", firewall.ErrIPv6NotInitialized)
+		}
+		return m.family6.AddInboundDNAT(localAddr, protocol, originalPort, translatedPort)
+	}
+	return m.family4.AddInboundDNAT(localAddr, protocol, originalPort, translatedPort)
 }

 // RemoveInboundDNAT removes an inbound DNAT rule.
-func (m *Manager) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
+func (m *Manager) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, originalPort, translatedPort uint16) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	return m.router.RemoveInboundDNAT(localAddr, protocol, sourcePort, targetPort)
+	if localAddr.Is6() {
+		if !m.hasIPv6() {
+			return fmt.Errorf("remove inbound DNAT: %w", firewall.ErrIPv6NotInitialized)
+		}
+		return m.family6.RemoveInboundDNAT(localAddr, protocol, originalPort, translatedPort)
+	}
+	return m.family4.RemoveInboundDNAT(localAddr, protocol, originalPort, translatedPort)
 }

 // AddOutputDNAT adds an OUTPUT chain DNAT rule for locally-generated traffic.
-func (m *Manager) AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
+func (m *Manager) AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, originalPort, translatedPort uint16) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	return m.router.AddOutputDNAT(localAddr, protocol, sourcePort, targetPort)
+	if localAddr.Is6() {
+		if !m.hasIPv6() {
+			return fmt.Errorf("add output DNAT: %w", firewall.ErrIPv6NotInitialized)
+		}
+		return m.family6.AddOutputDNAT(localAddr, protocol, originalPort, translatedPort)
+	}
+	return m.family4.AddOutputDNAT(localAddr, protocol, originalPort, translatedPort)
 }

 // RemoveOutputDNAT removes an OUTPUT chain DNAT rule.
-func (m *Manager) RemoveOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
+func (m *Manager) RemoveOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, originalPort, translatedPort uint16) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	return m.router.RemoveOutputDNAT(localAddr, protocol, sourcePort, targetPort)
+	if localAddr.Is6() {
+		if !m.hasIPv6() {
+			return fmt.Errorf("remove output DNAT: %w", firewall.ErrIPv6NotInitialized)
+		}
+		return m.family6.RemoveOutputDNAT(localAddr, protocol, originalPort, translatedPort)
+	}
+	return m.family4.RemoveOutputDNAT(localAddr, protocol, originalPort, translatedPort)
 }

 const (
@@ -534,7 +787,11 @@ func (m *Manager) refreshNoTrackChains() error {
 }

 func (m *Manager) createWorkTable() (*nftables.Table, error) {
-	tables, err := m.rConn.ListTablesOfFamily(nftables.TableFamilyIPv4)
+	return m.createWorkTableFamily(nftables.TableFamilyIPv4)
+}
+
+func (m *Manager) createWorkTableFamily(family nftables.TableFamily) (*nftables.Table, error) {
+	tables, err := m.rConn.ListTablesOfFamily(family)
 	if err != nil {
 		return nil, fmt.Errorf("list of tables: %w", err)
 	}
@@ -546,7 +803,7 @@ func (m *Manager) createWorkTable() (*nftables.Table, error) {
 		}
 	}

-	table := m.rConn.AddTable(&nftables.Table{Name: getTableName(), Family: nftables.TableFamilyIPv4})
+	table := m.rConn.AddTable(&nftables.Table{Name: tableName, Family: family})
 	err = m.rConn.Flush()
 	return table, err
 }
@@ -585,3 +842,14 @@ func getEstablishedExprs(register uint32) []expr.Any {
 		},
 	}
 }
+
+// isIPv6Rule reports whether the rule belongs to the v6 table. For a
+// prefix destination the destination family decides; otherwise the
+// (single-family) sources do, since management duplicates rules per
+// family.
+func isIPv6Rule(sources []netip.Prefix, destination firewall.Network) bool {
+	if destination.IsPrefix() {
+		return destination.Prefix.Addr().Is6()
+	}
+	return len(sources) > 0 && sources[0].Addr().Is6()
+}
--- a/client/firewall/nftables/manager_linux_test.go
+++ b/client/firewall/nftables/manager_linux_test.go
@@ -1,3 +1,5 @@
+//go:build integration && !android
+
 package nftables

 import (
@@ -70,13 +72,13 @@ func TestNftablesManager(t *testing.T) {

 	testClient := &nftables.Conn{}

-	rule, err := manager.AddPeerFiltering(nil, ip.AsSlice(), fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{53}}, fw.ActionDrop, "")
+	rule, err := manager.AddFilterRule(nil, pfx(ip.AsSlice()), fw.Network{}, fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{53}}, fw.ActionDrop)
 	require.NoError(t, err, "failed to add rule")

 	err = manager.Flush()
 	require.NoError(t, err, "failed to flush")

-	rules, err := testClient.GetRules(manager.aclManager.workTable, manager.aclManager.chainInputRules)
+	rules, err := testClient.GetRules(manager.family4.workTable, manager.family4.chainInputRules)
 	require.NoError(t, err, "failed to get rules")

 	require.Len(t, rules, 2, "expected 2 rules")
@@ -147,15 +149,12 @@ func TestNftablesManager(t *testing.T) {
 	// Compare connection tracking rule at position 1 (pushed down by DROP rule insertion)
 	compareExprsIgnoringCounters(t, rules[1].Exprs, expectedExprs1)

-	for _, r := range rule {
-		err = manager.DeletePeerRule(r)
-		require.NoError(t, err, "failed to delete rule")
-	}
+	require.NoError(t, manager.DeleteFilterRule(rule), "failed to delete rule")

 	err = manager.Flush()
 	require.NoError(t, err, "failed to flush")

-	rules, err = testClient.GetRules(manager.aclManager.workTable, manager.aclManager.chainInputRules)
+	rules, err = testClient.GetRules(manager.family4.workTable, manager.family4.chainInputRules)
 	require.NoError(t, err, "failed to get rules")
 	// established rule remains
 	require.Len(t, rules, 1, "expected 1 rules after deletion")
@@ -180,47 +179,39 @@ func TestNftablesManagerRuleOrder(t *testing.T) {
 	testClient := &nftables.Conn{}

 	// Add accept rule first
-	_, err = manager.AddPeerFiltering(nil, ip.AsSlice(), fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{80}}, fw.ActionAccept, "accept-http")
+	_, err = manager.AddFilterRule(nil, pfx(ip.AsSlice()), fw.Network{}, fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{80}}, fw.ActionAccept)
 	require.NoError(t, err, "failed to add accept rule")

 	// Add deny rule second for the same traffic
-	_, err = manager.AddPeerFiltering(nil, ip.AsSlice(), fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{80}}, fw.ActionDrop, "deny-http")
+	_, err = manager.AddFilterRule(nil, pfx(ip.AsSlice()), fw.Network{}, fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{80}}, fw.ActionDrop)
 	require.NoError(t, err, "failed to add deny rule")

 	err = manager.Flush()
 	require.NoError(t, err, "failed to flush")

-	rules, err := testClient.GetRules(manager.aclManager.workTable, manager.aclManager.chainInputRules)
+	rules, err := testClient.GetRules(manager.family4.workTable, manager.family4.chainInputRules)
 	require.NoError(t, err, "failed to get rules")

 	t.Logf("Found %d rules in nftables chain", len(rules))

-	// Find the accept and deny rules and verify deny comes before accept
+	// Single-source rules emit a direct payload+cmp on the source IP
+	// (no set lookup). Match by source-IP + port + verdict instead of
+	// the legacy per-(action,port) set names ("deny-http"/"accept-http")
+	// that this test predates.
+	wantSrc := ip.AsSlice()
 	var acceptRuleIndex, denyRuleIndex = -1, -1
 	for i, rule := range rules {
-		hasAcceptHTTPSet := false
-		hasDenyHTTPSet := false
-		hasPort80 := false
+		var hasSrc, hasPort80 bool
 		var action string
-
 		for _, e := range rule.Exprs {
-			// Check for set lookup
-			if lookup, ok := e.(*expr.Lookup); ok {
-				switch lookup.SetName {
-				case "accept-http":
-					hasAcceptHTTPSet = true
-				case "deny-http":
-					hasDenyHTTPSet = true
+			if cmp, ok := e.(*expr.Cmp); ok && cmp.Op == expr.CmpOpEq {
+				if bytes.Equal(cmp.Data, wantSrc) {
+					hasSrc = true
 				}
-
-			}
-			// Check for port 80
-			if cmp, ok := e.(*expr.Cmp); ok {
-				if cmp.Op == expr.CmpOpEq && len(cmp.Data) == 2 && binary.BigEndian.Uint16(cmp.Data) == 80 {
+				if len(cmp.Data) == 2 && binary.BigEndian.Uint16(cmp.Data) == 80 {
 					hasPort80 = true
 				}
 			}
-			// Check for verdict
 			if verdict, ok := e.(*expr.Verdict); ok {
 				switch verdict.Kind {
 				case expr.VerdictAccept:
@@ -231,11 +222,15 @@ func TestNftablesManagerRuleOrder(t *testing.T) {
 			}
 		}

-		if hasAcceptHTTPSet && hasPort80 && action == "ACCEPT" {
-			t.Logf("Rule [%d]: accept-http set + Port 80 + ACCEPT", i)
+		if !hasSrc || !hasPort80 {
+			continue
+		}
+		switch action {
+		case "ACCEPT":
+			t.Logf("Rule [%d]: src=%s port=80 ACCEPT", i, ip)
 			acceptRuleIndex = i
-		} else if hasDenyHTTPSet && hasPort80 && action == "DROP" {
-			t.Logf("Rule [%d]: deny-http set + Port 80 + DROP", i)
+		case "DROP":
+			t.Logf("Rule [%d]: src=%s port=80 DROP", i, ip)
 			denyRuleIndex = i
 		}
 	}
@@ -279,7 +274,7 @@ func TestNFtablesCreatePerformance(t *testing.T) {
 			start := time.Now()
 			for i := 0; i < testMax; i++ {
 				port := &fw.Port{Values: []uint16{uint16(1000 + i)}}
-				_, err = manager.AddPeerFiltering(nil, ip.AsSlice(), "tcp", nil, port, fw.ActionAccept, "")
+				_, err = manager.AddFilterRule(nil, pfx(ip.AsSlice()), fw.Network{}, "tcp", nil, port, fw.ActionAccept)
 				require.NoError(t, err, "failed to add rule")

 				if i%100 == 0 {
@@ -361,10 +356,10 @@ func TestNftablesManagerCompatibilityWithIptables(t *testing.T) {
 	})

 	ip := netip.MustParseAddr("100.96.0.1")
-	_, err = manager.AddPeerFiltering(nil, ip.AsSlice(), fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{80}}, fw.ActionAccept, "")
+	_, err = manager.AddFilterRule(nil, pfx(ip.AsSlice()), fw.Network{}, fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{80}}, fw.ActionAccept)
 	require.NoError(t, err, "failed to add peer filtering rule")

-	_, err = manager.AddRouteFiltering(
+	_, err = manager.AddFilterRule(
 		nil,
 		[]netip.Prefix{netip.MustParsePrefix("192.168.2.0/24")},
 		fw.Network{Prefix: netip.MustParsePrefix("10.1.0.0/24")},
@@ -383,10 +378,138 @@ func TestNftablesManagerCompatibilityWithIptables(t *testing.T) {
 	err = manager.AddNatRule(pair)
 	require.NoError(t, err, "failed to add NAT rule")

+	dnatRule, err := manager.AddDNATRule(fw.ForwardRule{
+		Protocol:          fw.ProtocolTCP,
+		DestinationPort:   fw.Port{Values: []uint16{8080}},
+		TranslatedAddress: netip.MustParseAddr("100.96.0.2"),
+		TranslatedPort:    fw.Port{Values: []uint16{80}},
+	})
+	require.NoError(t, err, "failed to add DNAT rule")
+
+	t.Cleanup(func() {
+		require.NoError(t, manager.DeleteDNATRule(dnatRule), "failed to delete DNAT rule")
+	})
+
 	stdout, stderr = runIptablesSave(t)
 	verifyIptablesOutput(t, stdout, stderr)
 }

+func TestNftablesManagerIPv6CompatibilityWithIp6tables(t *testing.T) {
+	if check() != NFTABLES {
+		t.Skip("nftables not supported on this system")
+	}
+
+	for _, bin := range []string{"ip6tables", "ip6tables-save", "iptables-save"} {
+		if _, err := exec.LookPath(bin); err != nil {
+			t.Skipf("%s not available on this system: %v", bin, err)
+		}
+	}
+
+	// Seed ip6 tables in the nft backend. Docker may not create them.
+	seedIp6tables(t)
+
+	ifaceMockV6 := &iFaceMock{
+		NameFunc: func() string { return "wt-test" },
+		AddressFunc: func() wgaddr.Address {
+			return wgaddr.Address{
+				IP:      netip.MustParseAddr("100.96.0.1"),
+				Network: netip.MustParsePrefix("100.96.0.0/16"),
+				IPv6:    netip.MustParseAddr("fd00::1"),
+				IPv6Net: netip.MustParsePrefix("fd00::/64"),
+			}
+		},
+	}
+
+	manager, err := Create(ifaceMockV6, iface.DefaultMTU)
+	require.NoError(t, err, "create manager")
+	require.NoError(t, manager.Init(nil))
+
+	t.Cleanup(func() {
+		require.NoError(t, manager.Close(nil), "close manager")
+
+		stdout, stderr := runIp6tablesSave(t)
+		verifyIp6tablesOutput(t, stdout, stderr)
+	})
+
+	ip := netip.MustParseAddr("fd00::2")
+	_, err = manager.AddFilterRule(nil, pfx(ip.AsSlice()), fw.Network{}, fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{80}}, fw.ActionAccept)
+	require.NoError(t, err, "add v6 peer filtering rule")
+
+	_, err = manager.AddFilterRule(
+		nil,
+		[]netip.Prefix{netip.MustParsePrefix("fd00:1::/64")},
+		fw.Network{Prefix: netip.MustParsePrefix("2001:db8::/48")},
+		fw.ProtocolTCP,
+		nil,
+		&fw.Port{Values: []uint16{443}},
+		fw.ActionAccept,
+	)
+	require.NoError(t, err, "add v6 route filtering rule")
+
+	err = manager.AddNatRule(fw.RouterPair{
+		Source:      fw.Network{Prefix: netip.MustParsePrefix("fd00::/64")},
+		Destination: fw.Network{Prefix: netip.MustParsePrefix("2001:db8::/48")},
+		Masquerade:  true,
+	})
+	require.NoError(t, err, "add v6 NAT rule")
+
+	dnatRule, err := manager.AddDNATRule(fw.ForwardRule{
+		Protocol:          fw.ProtocolTCP,
+		DestinationPort:   fw.Port{Values: []uint16{8080}},
+		TranslatedAddress: netip.MustParseAddr("fd00::2"),
+		TranslatedPort:    fw.Port{Values: []uint16{80}},
+	})
+	require.NoError(t, err, "add v6 DNAT rule")
+
+	t.Cleanup(func() {
+		require.NoError(t, manager.DeleteDNATRule(dnatRule), "delete v6 DNAT rule")
+	})
+
+	stdout, stderr := runIptablesSave(t)
+	verifyIptablesOutput(t, stdout, stderr)
+
+	stdout, stderr = runIp6tablesSave(t)
+	verifyIp6tablesOutput(t, stdout, stderr)
+}
+
+func seedIp6tables(t *testing.T) {
+	t.Helper()
+	for _, tc := range []struct{ table, chain string }{
+		{"filter", "FORWARD"},
+		{"nat", "POSTROUTING"},
+		{"mangle", "FORWARD"},
+	} {
+		add := exec.Command("ip6tables", "-t", tc.table, "-A", tc.chain, "-j", "ACCEPT")
+		require.NoError(t, add.Run(), "seed ip6tables -t %s", tc.table)
+		del := exec.Command("ip6tables", "-t", tc.table, "-D", tc.chain, "-j", "ACCEPT")
+		require.NoError(t, del.Run(), "unseed ip6tables -t %s", tc.table)
+	}
+}
+
+func runIp6tablesSave(t *testing.T) (string, string) {
+	t.Helper()
+	var stdout, stderr bytes.Buffer
+	cmd := exec.Command("ip6tables-save")
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
+	require.NoError(t, cmd.Run(), "ip6tables-save failed")
+	return stdout.String(), stderr.String()
+}
+
+func verifyIp6tablesOutput(t *testing.T, stdout, stderr string) {
+	t.Helper()
+	for _, msg := range []string{
+		"Table `nat' is incompatible",
+		"Table `mangle' is incompatible",
+		"Table `filter' is incompatible",
+	} {
+		require.NotContains(t, stdout, msg,
+			"ip6tables-save stdout reports incompatibility: %s", stdout)
+		require.NotContains(t, stderr, msg,
+			"ip6tables-save stderr reports incompatibility: %s", stderr)
+	}
+}
+
 func TestNftablesManagerCompatibilityWithIptablesFor6kPrefixes(t *testing.T) {
 	if check() != NFTABLES {
 		t.Skip("nftables not supported on this system")
@@ -422,7 +545,7 @@ func TestNftablesManagerCompatibilityWithIptablesFor6kPrefixes(t *testing.T) {
 			prefixes = append(prefixes, netip.PrefixFrom(addr, 24))
 		}
 	}
-	_, err = manager.AddRouteFiltering(
+	_, err = manager.AddFilterRule(
 		nil,
 		prefixes,
 		fw.Network{Prefix: netip.MustParsePrefix("10.2.0.0/24")},
@@ -437,7 +560,7 @@ func TestNftablesManagerCompatibilityWithIptablesFor6kPrefixes(t *testing.T) {
 	verifyIptablesOutput(t, stdout, stderr)
 }

-func TestNftablesManagerCompatibilityWithIptablesForEmptyPrefixes(t *testing.T) {
+func TestNftablesManagerCompatibilityWithIptablesForWildcardSource(t *testing.T) {
 	if check() != NFTABLES {
 		t.Skip("nftables not supported on this system")
 	}
@@ -463,9 +586,9 @@ func TestNftablesManagerCompatibilityWithIptablesForEmptyPrefixes(t *testing.T)
 		verifyIptablesOutput(t, stdout, stderr)
 	})

-	_, err = manager.AddRouteFiltering(
+	_, err = manager.AddFilterRule(
 		nil,
-		[]netip.Prefix{},
+		[]netip.Prefix{netip.MustParsePrefix("0.0.0.0/0")},
 		fw.Network{Prefix: netip.MustParsePrefix("10.2.0.0/24")},
 		fw.ProtocolTCP,
 		nil,
--- a/client/firewall/nftables/router_linux.go
+++ b/client/firewall/nftables/router_linux.go
--- a/client/firewall/nftables/router_linux_test.go
+++ b/client/firewall/nftables/router_linux_test.go
@@ -1,4 +1,4 @@
-//go:build !android
+//go:build integration && !android

 package nftables

@@ -37,7 +37,7 @@ func TestNftablesManager_AddNatRule(t *testing.T) {

 	for _, testCase := range test.InsertRuleTestCases {
 		t.Run(testCase.Name, func(t *testing.T) {
-			// need fw manager to init both acl mgr and router for all chains to be present
+			// need fw manager to init both acl mgr and family for all chains to be present
 			manager, err := Create(ifaceMock, iface.DefaultMTU)
 			t.Cleanup(func() {
 				require.NoError(t, manager.Close(nil))
@@ -47,7 +47,7 @@ func TestNftablesManager_AddNatRule(t *testing.T) {

 			nftablesTestingClient := &nftables.Conn{}

-			rtr := manager.router
+			rtr := manager.family4
 			err = rtr.AddNatRule(testCase.InputPair)
 			require.NoError(t, err, "pair should be inserted")

@@ -90,8 +90,9 @@ func TestNftablesManager_AddNatRule(t *testing.T) {
 				}

 				// Build CIDR matching expressions
-				sourceExp := applyPrefix(testCase.InputPair.Source.Prefix, true)
-				destExp := applyPrefix(testCase.InputPair.Destination.Prefix, false)
+				testRouter := &family{af: afIPv4}
+				sourceExp := prefixMatchExprs(testRouter.af, testCase.InputPair.Source.Prefix, true)
+				destExp := prefixMatchExprs(testRouter.af, testCase.InputPair.Destination.Prefix, false)

 				// Combine all expressions in the correct order
 				// nolint:gocritic
@@ -99,14 +100,14 @@ func TestNftablesManager_AddNatRule(t *testing.T) {
 				testingExpression = append(testingExpression, sourceExp...)
 				testingExpression = append(testingExpression, destExp...)

-				natRuleKey := firewall.GenKey(firewall.PreroutingFormat, testCase.InputPair)
+				natRuleKey := testCase.InputPair.GenKey(firewall.PreroutingFormat)
 				found := 0
 				for _, chain := range rtr.chains {
 					if chain.Name == chainNameManglePrerouting {
 						rules, err := nftablesTestingClient.GetRules(chain.Table, chain)
 						require.NoError(t, err, "should list rules for %s table and %s chain", chain.Table.Name, chain.Name)
 						for _, rule := range rules {
-							if len(rule.UserData) > 0 && string(rule.UserData) == natRuleKey {
+							if len(rule.UserData) > 0 && firewall.RuleID(rule.UserData) == natRuleKey {
 								// Compare expressions up to the mark setting expressions
 								require.ElementsMatchf(t, rule.Exprs[:len(testingExpression)], testingExpression, "prerouting nat rule elements should match")
 								found = 1
@@ -134,19 +135,19 @@ func TestNftablesManager_RemoveNatRule(t *testing.T) {
 			require.NoError(t, err)
 			require.NoError(t, manager.Init(nil))

-			rtr := manager.router
+			rtr := manager.family4

-			// First add the NAT rule using the router's method
+			// First add the NAT rule using the family's method
 			err = rtr.AddNatRule(testCase.InputPair)
 			require.NoError(t, err, "should add NAT rule")

 			// Verify the rule was added
-			natRuleKey := firewall.GenKey(firewall.PreroutingFormat, testCase.InputPair)
+			natRuleKey := testCase.InputPair.GenKey(firewall.PreroutingFormat)
 			found := false
 			rules, err := rtr.conn.GetRules(rtr.workTable, rtr.chains[chainNameManglePrerouting])
 			require.NoError(t, err, "should list rules")
 			for _, rule := range rules {
-				if len(rule.UserData) > 0 && string(rule.UserData) == natRuleKey {
+				if len(rule.UserData) > 0 && firewall.RuleID(rule.UserData) == natRuleKey {
 					found = true
 					break
 				}
@@ -162,7 +163,7 @@ func TestNftablesManager_RemoveNatRule(t *testing.T) {
 			rules, err = rtr.conn.GetRules(rtr.workTable, rtr.chains[chainNameManglePrerouting])
 			require.NoError(t, err, "should list rules after removal")
 			for _, rule := range rules {
-				if len(rule.UserData) > 0 && string(rule.UserData) == natRuleKey {
+				if len(rule.UserData) > 0 && firewall.RuleID(rule.UserData) == natRuleKey {
 					found = true
 					break
 				}
@@ -199,11 +200,11 @@ func TestRouter_AddRouteFiltering(t *testing.T) {

 	defer deleteWorkTable()

-	r, err := newRouter(workTable, ifaceMock, iface.DefaultMTU)
-	require.NoError(t, err, "Failed to create router")
+	r, err := newFamily(workTable, ifaceMock, iface.DefaultMTU)
+	require.NoError(t, err, "Failed to create family")
 	require.NoError(t, r.init(workTable))

-	defer func(r *router) {
+	defer func(r *family) {
 		require.NoError(t, r.Reset(), "Failed to reset rules")
 	}(r)

@@ -313,16 +314,16 @@ func TestRouter_AddRouteFiltering(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			ruleKey, err := r.AddRouteFiltering(nil, tt.sources, firewall.Network{Prefix: tt.destination}, tt.proto, tt.sPort, tt.dPort, tt.action)
-			require.NoError(t, err, "AddRouteFiltering failed")
+			ruleKey, err := r.AddFilterRule(nil, tt.sources, firewall.Network{Prefix: tt.destination}, tt.proto, tt.sPort, tt.dPort, tt.action)
+			require.NoError(t, err, "AddFilterRule failed")

 			t.Cleanup(func() {
-				require.NoError(t, r.DeleteRouteRule(ruleKey), "Failed to delete rule")
+				require.NoError(t, r.DeleteFilterRule(ruleKey), "Failed to delete rule")
 			})

-			// Check if the rule is in the internal map
-			rule, ok := r.rules[ruleKey.ID()]
-			assert.True(t, ok, "Rule not found in internal map")
+			stored, ok := r.filters[id.RuleID(ruleKey.ID())]
+			require.True(t, ok, "Rule not found in filters map")
+			rule := stored.nftRule

 			t.Log("Internal rule expressions:")
 			for i, expr := range rule.Exprs {
@@ -338,7 +339,7 @@ func TestRouter_AddRouteFiltering(t *testing.T) {

 			var nftRule *nftables.Rule
 			for _, rule := range rules {
-				if string(rule.UserData) == ruleKey.ID() {
+				if firewall.RuleID(rule.UserData) == ruleKey.ID() {
 					nftRule = rule
 					break
 				}
@@ -366,12 +367,12 @@ func TestNftablesCreateIpSet(t *testing.T) {

 	defer deleteWorkTable()

-	r, err := newRouter(workTable, ifaceMock, iface.DefaultMTU)
-	require.NoError(t, err, "Failed to create router")
+	r, err := newFamily(workTable, ifaceMock, iface.DefaultMTU)
+	require.NoError(t, err, "Failed to create family")
 	require.NoError(t, r.init(workTable))

 	defer func() {
-		require.NoError(t, r.Reset(), "Failed to reset router")
+		require.NoError(t, r.Reset(), "Failed to reset family")
 	}()

 	tests := []struct {
@@ -508,6 +509,172 @@ func TestNftablesCreateIpSet(t *testing.T) {
 	}
 }

+// TestNftablesUpdateSetMergesOverlapping verifies that UpdateSet merges
+// overlapping prefixes before adding them. An interval set rejects
+// overlapping elements, so without the merge a batch holding a /32 already
+// covered by a /24, or a duplicate address as DNS resolution can produce,
+// would fail.
+func TestNftablesUpdateSetMergesOverlapping(t *testing.T) {
+	if check() != NFTABLES {
+		t.Skip("nftables not supported on this system")
+	}
+
+	workTable, err := createWorkTable()
+	require.NoError(t, err, "create work table")
+	defer deleteWorkTable()
+
+	r, err := newFamily(workTable, ifaceMock, iface.DefaultMTU)
+	require.NoError(t, err, "create family")
+	require.NoError(t, r.init(workTable))
+	defer func() {
+		require.NoError(t, r.Reset(), "reset family")
+	}()
+
+	initial := []netip.Prefix{netip.MustParsePrefix("10.0.0.0/24")}
+	set := firewall.NewPrefixSet(initial)
+
+	created, err := r.createIpSet(set.HashedName(), setInput{prefixes: initial})
+	require.NoError(t, err, "create ip set")
+	require.NotNil(t, created)
+
+	overlapping := []netip.Prefix{
+		netip.MustParsePrefix("192.168.1.0/24"),
+		netip.MustParsePrefix("192.168.1.1/32"),
+		netip.MustParsePrefix("192.168.1.1/32"),
+	}
+	require.NoError(t, r.UpdateSet(set, overlapping), "UpdateSet must merge overlapping prefixes")
+}
+
+func TestNftablesCreateIpSet_IPv6(t *testing.T) {
+	if check() != NFTABLES {
+		t.Skip("nftables not supported on this system")
+	}
+
+	workTable, err := createWorkTableIPv6()
+	require.NoError(t, err, "Failed to create v6 work table")
+	defer deleteWorkTableIPv6()
+
+	r, err := newFamily(workTable, ifaceMock, iface.DefaultMTU)
+	require.NoError(t, err, "Failed to create family")
+	require.NoError(t, r.init(workTable))
+	defer func() {
+		require.NoError(t, r.Reset(), "Failed to reset family")
+	}()
+
+	tests := []struct {
+		name     string
+		sources  []netip.Prefix
+		expected []netip.Prefix
+	}{
+		{
+			name:    "Single IPv6",
+			sources: []netip.Prefix{netip.MustParsePrefix("2001:db8::1/128")},
+		},
+		{
+			name: "Multiple IPv6 Subnets",
+			sources: []netip.Prefix{
+				netip.MustParsePrefix("fd00::/64"),
+				netip.MustParsePrefix("2001:db8::/48"),
+				netip.MustParsePrefix("fe80::/10"),
+			},
+		},
+		{
+			name: "Overlapping IPv6",
+			sources: []netip.Prefix{
+				netip.MustParsePrefix("fd00::/48"),
+				netip.MustParsePrefix("fd00::/64"),
+				netip.MustParsePrefix("fd00::1/128"),
+			},
+			expected: []netip.Prefix{
+				netip.MustParsePrefix("fd00::/48"),
+			},
+		},
+		{
+			name: "Mixed prefix lengths",
+			sources: []netip.Prefix{
+				netip.MustParsePrefix("2001:db8:1::/48"),
+				netip.MustParsePrefix("2001:db8:2::1/128"),
+				netip.MustParsePrefix("fd00:abcd::/32"),
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			setName := firewall.NewPrefixSet(tt.sources).HashedName()
+			set, err := r.createIpSet(setName, setInput{prefixes: tt.sources})
+			require.NoError(t, err, "Failed to create IPv6 set")
+			require.NotNil(t, set)
+
+			assert.Equal(t, setName, set.Name)
+			assert.True(t, set.Interval)
+			assert.Equal(t, nftables.TypeIP6Addr, set.KeyType)
+
+			fetchedSet, err := r.conn.GetSetByName(r.workTable, setName)
+			require.NoError(t, err, "Failed to fetch created set")
+
+			elements, err := r.conn.GetSetElements(fetchedSet)
+			require.NoError(t, err, "Failed to get set elements")
+
+			uniquePrefixes := make(map[string]bool)
+			for _, elem := range elements {
+				if !elem.IntervalEnd && len(elem.Key) == 16 {
+					ip := netip.AddrFrom16([16]byte(elem.Key))
+					uniquePrefixes[ip.String()] = true
+				}
+			}
+
+			expectedCount := len(tt.expected)
+			if expectedCount == 0 {
+				expectedCount = len(tt.sources)
+			}
+			assert.Equal(t, expectedCount, len(uniquePrefixes), "unique prefix count mismatch")
+
+			r.conn.DelSet(set)
+			require.NoError(t, r.conn.Flush())
+		})
+	}
+}
+
+func createWorkTableIPv6() (*nftables.Table, error) {
+	sConn, err := nftables.New(nftables.AsLasting())
+	if err != nil {
+		return nil, err
+	}
+
+	tables, err := sConn.ListTablesOfFamily(nftables.TableFamilyIPv6)
+	if err != nil {
+		return nil, err
+	}
+	for _, t := range tables {
+		if t.Name == tableNameNetbird {
+			sConn.DelTable(t)
+		}
+	}
+
+	table := sConn.AddTable(&nftables.Table{Name: tableNameNetbird, Family: nftables.TableFamilyIPv6})
+	err = sConn.Flush()
+	return table, err
+}
+
+func deleteWorkTableIPv6() {
+	sConn, err := nftables.New(nftables.AsLasting())
+	if err != nil {
+		return
+	}
+
+	tables, err := sConn.ListTablesOfFamily(nftables.TableFamilyIPv6)
+	if err != nil {
+		return
+	}
+	for _, t := range tables {
+		if t.Name == tableNameNetbird {
+			sConn.DelTable(t)
+			_ = sConn.Flush()
+		}
+	}
+}
+
 func verifyRule(t *testing.T, rule *nftables.Rule, sources []netip.Prefix, destination netip.Prefix, proto firewall.Protocol, sPort, dPort *firewall.Port, direction firewall.RuleDirection, action firewall.Action, expectSet bool) {
 	t.Helper()

@@ -627,7 +794,7 @@ func containsPort(exprs []expr.Any, port *firewall.Port, isSource bool) bool {

 func containsProtocol(exprs []expr.Any, proto firewall.Protocol) bool {
 	var metaFound, cmpFound bool
-	expectedProto, _ := protoToInt(proto)
+	expectedProto, _ := afIPv4.protoNum(proto)
 	for _, e := range exprs {
 		switch ex := e.(type) {
 		case *expr.Meta:
@@ -730,13 +897,13 @@ func TestRouter_RefreshRulesMap_RemovesStaleEntries(t *testing.T) {
 	require.NoError(t, err)
 	defer deleteWorkTable()

-	r, err := newRouter(workTable, ifaceMock, iface.DefaultMTU)
+	r, err := newFamily(workTable, ifaceMock, iface.DefaultMTU)
 	require.NoError(t, err)
 	require.NoError(t, r.init(workTable))
 	defer func() { require.NoError(t, r.Reset()) }()

 	// Add a real rule to the kernel
-	ruleKey, err := r.AddRouteFiltering(
+	ruleKey, err := r.AddFilterRule(
 		nil,
 		[]netip.Prefix{netip.MustParsePrefix("192.168.1.0/24")},
 		firewall.Network{Prefix: netip.MustParsePrefix("10.0.0.0/24")},
@@ -747,11 +914,11 @@ func TestRouter_RefreshRulesMap_RemovesStaleEntries(t *testing.T) {
 	)
 	require.NoError(t, err)
 	t.Cleanup(func() {
-		require.NoError(t, r.DeleteRouteRule(ruleKey))
+		require.NoError(t, r.DeleteFilterRule(ruleKey))
 	})

 	// Inject a stale entry with Handle=0 (simulates store-before-flush failure)
-	staleKey := "stale-rule-that-does-not-exist"
+	staleKey := firewall.RuleID("stale-rule-that-does-not-exist")
 	r.rules[staleKey] = &nftables.Rule{
 		Table:    r.workTable,
 		Chain:    r.chains[chainNameRoutingFw],
@@ -771,6 +938,55 @@ func TestRouter_RefreshRulesMap_RemovesStaleEntries(t *testing.T) {
 	assert.NotZero(t, realRule.Handle, "real rule should have a valid handle")
 }

+// TestRouter_DeleteRouteRule_RemovesKernelRule verifies a route filter
+// rule is actually removed from the kernel on delete. The route chain is
+// not refreshed by Flush, so the stored rule carries a zero handle;
+// DeleteFilterRule must pull live handles itself before issuing the
+// delete or the kernel rule leaks. Regression test for that path.
+func TestRouter_DeleteRouteRule_RemovesKernelRule(t *testing.T) {
+	if check() != NFTABLES {
+		t.Skip("nftables not supported on this system")
+	}
+
+	workTable, err := createWorkTable()
+	require.NoError(t, err)
+	defer deleteWorkTable()
+
+	r, err := newFamily(workTable, ifaceMock, iface.DefaultMTU)
+	require.NoError(t, err)
+	require.NoError(t, r.init(workTable))
+	defer func() { require.NoError(t, r.Reset()) }()
+
+	ruleKey, err := r.AddFilterRule(
+		nil,
+		[]netip.Prefix{netip.MustParsePrefix("192.168.1.0/24")},
+		firewall.Network{Prefix: netip.MustParsePrefix("10.0.0.0/24")},
+		firewall.ProtocolTCP,
+		nil,
+		&firewall.Port{Values: []uint16{80}},
+		firewall.ActionAccept,
+	)
+	require.NoError(t, err)
+
+	countKernelRules := func() int {
+		list, err := r.conn.GetRules(r.workTable, r.chains[chainNameRoutingFw])
+		require.NoError(t, err)
+		n := 0
+		for _, rule := range list {
+			if string(rule.UserData) == string(ruleKey.ID()) {
+				n++
+			}
+		}
+		return n
+	}
+
+	require.Equal(t, 1, countKernelRules(), "rule should be present in the kernel after add")
+
+	require.NoError(t, r.DeleteFilterRule(ruleKey))
+	assert.Equal(t, 0, countKernelRules(), "rule must be removed from the kernel after delete")
+	assert.NotContains(t, r.filters, ruleKey.ID(), "filters map entry should be cleared")
+}
+
 func TestRouter_DeleteRouteRule_StaleHandle(t *testing.T) {
 	if check() != NFTABLES {
 		t.Skip("nftables not supported on this system")
@@ -780,24 +996,28 @@ func TestRouter_DeleteRouteRule_StaleHandle(t *testing.T) {
 	require.NoError(t, err)
 	defer deleteWorkTable()

-	r, err := newRouter(workTable, ifaceMock, iface.DefaultMTU)
+	r, err := newFamily(workTable, ifaceMock, iface.DefaultMTU)
 	require.NoError(t, err)
 	require.NoError(t, r.init(workTable))
 	defer func() { require.NoError(t, r.Reset()) }()

 	// Inject a stale entry with Handle=0
-	staleKey := "stale-route-rule"
-	r.rules[staleKey] = &nftables.Rule{
-		Table:    r.workTable,
-		Chain:    r.chains[chainNameRoutingFw],
-		Handle:   0,
-		UserData: []byte(staleKey),
+	staleKey := id.RuleID("stale-route-rule")
+	staleRule := &Rule{
+		nftRule: &nftables.Rule{
+			Table:    r.workTable,
+			Chain:    r.chains[chainNameRoutingFw],
+			Handle:   0,
+			UserData: []byte(staleKey),
+		},
+		id: staleKey,
 	}
+	r.filters[staleKey] = staleRule

-	// DeleteRouteRule should not return an error for stale handles
-	err = r.DeleteRouteRule(id.RuleID(staleKey))
+	// DeleteFilterRule should not return an error for stale handles
+	err = r.DeleteFilterRule(staleRule)
 	assert.NoError(t, err, "deleting a stale rule should not error")
-	assert.NotContains(t, r.rules, staleKey, "stale entry should be cleaned up")
+	assert.NotContains(t, r.filters, staleKey, "stale entry should be cleaned up")
 }

 func TestRouter_AddNatRule_WithStaleEntry(t *testing.T) {
@@ -819,7 +1039,7 @@ func TestRouter_AddNatRule_WithStaleEntry(t *testing.T) {
 		Masquerade:  true,
 	}

-	rtr := manager.router
+	rtr := manager.family4

 	// First add succeeds
 	err = rtr.AddNatRule(pair)
@@ -829,11 +1049,11 @@ func TestRouter_AddNatRule_WithStaleEntry(t *testing.T) {
 	})

 	// Corrupt the handle to simulate stale state
-	natRuleKey := firewall.GenKey(firewall.PreroutingFormat, pair)
+	natRuleKey := pair.GenKey(firewall.PreroutingFormat)
 	if rule, exists := rtr.rules[natRuleKey]; exists {
 		rule.Handle = 0
 	}
-	inverseKey := firewall.GenKey(firewall.PreroutingFormat, firewall.GetInversePair(pair))
+	inverseKey := firewall.GetInversePair(pair).GenKey(firewall.PreroutingFormat)
 	if rule, exists := rtr.rules[inverseKey]; exists {
 		rule.Handle = 0
 	}
@@ -848,9 +1068,61 @@ func TestRouter_AddNatRule_WithStaleEntry(t *testing.T) {

 	found := 0
 	for _, rule := range rules {
-		if len(rule.UserData) > 0 && string(rule.UserData) == natRuleKey {
+		if len(rule.UserData) > 0 && firewall.RuleID(rule.UserData) == natRuleKey {
 			found++
 		}
 	}
 	assert.Equal(t, 1, found, "NAT rule should exist in kernel")
 }
+
+func TestCalculateLastIP(t *testing.T) {
+	tests := []struct {
+		prefix string
+		want   string
+	}{
+		{"10.0.0.0/24", "10.0.0.255"},
+		{"10.0.0.0/32", "10.0.0.0"},
+		{"0.0.0.0/0", "255.255.255.255"},
+		{"192.168.1.0/28", "192.168.1.15"},
+		{"fd00::/64", "fd00::ffff:ffff:ffff:ffff"},
+		{"fd00::/128", "fd00::"},
+		{"2001:db8::/48", "2001:db8:0:ffff:ffff:ffff:ffff:ffff"},
+		{"::/0", "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"},
+	}
+	for _, tt := range tests {
+		t.Run(tt.prefix, func(t *testing.T) {
+			prefix := netip.MustParsePrefix(tt.prefix)
+			got := calculateLastIP(prefix)
+			assert.Equal(t, tt.want, got.String())
+		})
+	}
+}
+
+func TestConvertPrefixesToSet_IPv6(t *testing.T) {
+	r := &family{af: afIPv6}
+	prefixes := []netip.Prefix{
+		netip.MustParsePrefix("fd00::/64"),
+		netip.MustParsePrefix("2001:db8::1/128"),
+	}
+
+	elements := r.convertPrefixesToSet(prefixes)
+
+	// Each prefix produces 2 elements (start + end)
+	require.Len(t, elements, 4)
+
+	// fd00::/64 start
+	assert.Equal(t, netip.MustParseAddr("fd00::").As16(), [16]byte(elements[0].Key))
+	assert.False(t, elements[0].IntervalEnd)
+
+	// fd00::/64 end (fd00:0:0:1::, one past the last)
+	assert.Equal(t, netip.MustParseAddr("fd00:0:0:1::").As16(), [16]byte(elements[1].Key))
+	assert.True(t, elements[1].IntervalEnd)
+
+	// 2001:db8::1/128 start
+	assert.Equal(t, netip.MustParseAddr("2001:db8::1").As16(), [16]byte(elements[2].Key))
+	assert.False(t, elements[2].IntervalEnd)
+
+	// 2001:db8::1/128 end (2001:db8::2)
+	assert.Equal(t, netip.MustParseAddr("2001:db8::2").As16(), [16]byte(elements[3].Key))
+	assert.True(t, elements[3].IntervalEnd)
+}
--- a/client/firewall/nftables/routing_linux.go
+++ b/client/firewall/nftables/routing_linux.go
@@ -0,0 +1,494 @@
+//go:build !android
+
+package nftables
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/google/nftables"
+	"github.com/google/nftables/binaryutil"
+	"github.com/google/nftables/expr"
+	"github.com/hashicorp/go-multierror"
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
+
+	nberrors "github.com/netbirdio/netbird/client/errors"
+	firewall "github.com/netbirdio/netbird/client/firewall/manager"
+	nbnet "github.com/netbirdio/netbird/client/net"
+)
+
+func (r *family) AddNatRule(pair firewall.RouterPair) error {
+	if err := r.refreshRulesMap(); err != nil {
+		return fmt.Errorf(refreshRulesMapError, err)
+	}
+
+	if r.legacyManagement {
+		log.Warnf("This peer is connected to a NetBird Management service with an older version. Allowing all traffic for %s", pair.Destination)
+		if err := r.addLegacyRouteRule(pair); err != nil {
+			r.rollbackRules(pair)
+			return fmt.Errorf("add legacy routing rule: %w", err)
+		}
+	}
+
+	if pair.Masquerade {
+		if err := r.addNatRule(pair); err != nil {
+			r.rollbackRules(pair)
+			return fmt.Errorf("add nat rule: %w", err)
+		}
+
+		if err := r.addNatRule(firewall.GetInversePair(pair)); err != nil {
+			r.rollbackRules(pair)
+			return fmt.Errorf("add inverse nat rule: %w", err)
+		}
+	}
+
+	if err := r.conn.Flush(); err != nil {
+		r.rollbackRules(pair)
+		return fmt.Errorf("insert rules for %s: %w", pair.Destination, err)
+	}
+
+	return nil
+}
+
+// rollbackRules cleans up unflushed rules and their set counters after a flush failure.
+func (r *family) rollbackRules(pair firewall.RouterPair) {
+	keys := []firewall.RuleID{
+		pair.GenKey(firewall.ForwardingFormat),
+		pair.GenKey(firewall.PreroutingFormat),
+		firewall.GetInversePair(pair).GenKey(firewall.PreroutingFormat),
+	}
+	for _, key := range keys {
+		rule, ok := r.rules[key]
+		if !ok {
+			continue
+		}
+		if err := r.decrementSetCounter(rule); err != nil {
+			log.Warnf("rollback set counter for %s: %v", key, err)
+		}
+		delete(r.rules, key)
+	}
+}
+
+// addNatRule inserts a nftables rule to the conn client flush queue
+func (r *family) addNatRule(pair firewall.RouterPair) error {
+	sourceExp, err := r.applyNetwork(pair.Source, nil, true)
+	if err != nil {
+		return fmt.Errorf("apply source: %w", err)
+	}
+
+	destExp, err := r.applyNetwork(pair.Destination, nil, false)
+	if err != nil {
+		return fmt.Errorf("apply destination: %w", err)
+	}
+
+	op := expr.CmpOpEq
+	if pair.Inverse {
+		op = expr.CmpOpNeq
+	}
+
+	exprs := []expr.Any{
+		&expr.Meta{
+			Key:      expr.MetaKeyIIFNAME,
+			Register: 1,
+		},
+		&expr.Cmp{
+			Op:       op,
+			Register: 1,
+			Data:     ifname(r.wgIface.Name()),
+		},
+	}
+	// We only care about NEW connections to mark them and later identify them in the postrouting chain for masquerading.
+	// Masquerading will take care of the conntrack state, which means we won't need to mark established connections.
+	exprs = append(exprs, getCtNewExprs()...)
+
+	exprs = append(exprs, sourceExp...)
+	exprs = append(exprs, destExp...)
+
+	var markValue uint32 = nbnet.PreroutingFwmarkMasquerade
+	if pair.Inverse {
+		markValue = nbnet.PreroutingFwmarkMasqueradeReturn
+	}
+
+	exprs = append(exprs,
+		&expr.Immediate{
+			Register: 1,
+			Data:     binaryutil.NativeEndian.PutUint32(markValue),
+		},
+		&expr.Meta{
+			Key:            expr.MetaKeyMARK,
+			SourceRegister: true,
+			Register:       1,
+		},
+	)
+
+	ruleID := pair.GenKey(firewall.PreroutingFormat)
+
+	if _, exists := r.rules[ruleID]; exists {
+		if err := r.removeNatRule(pair); err != nil {
+			return fmt.Errorf("remove prerouting rule: %w", err)
+		}
+	}
+
+	// Ensure nat rules come first, so the mark can be overwritten.
+	// Currently overwritten by the dst-type LOCAL rules for redirected traffic.
+	r.rules[ruleID] = r.conn.InsertRule(&nftables.Rule{
+		Table:    r.workTable,
+		Chain:    r.chains[chainNameManglePrerouting],
+		Exprs:    exprs,
+		UserData: []byte(ruleID),
+	})
+
+	return nil
+}
+
+func (r *family) addPostroutingRules() {
+	// First masquerade rule for traffic coming in from WireGuard interface
+	exprs := []expr.Any{
+		// Match on the first fwmark
+		&expr.Meta{
+			Key:      expr.MetaKeyMARK,
+			Register: 1,
+		},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     binaryutil.NativeEndian.PutUint32(nbnet.PreroutingFwmarkMasquerade),
+		},
+
+		// We need to exclude the loopback interface as this changes the ebpf proxy port
+		&expr.Meta{
+			Key:      expr.MetaKeyOIFNAME,
+			Register: 1,
+		},
+		&expr.Cmp{
+			Op:       expr.CmpOpNeq,
+			Register: 1,
+			Data:     ifname("lo"),
+		},
+		&expr.Counter{},
+		&expr.Masq{},
+	}
+
+	r.conn.AddRule(&nftables.Rule{
+		Table: r.workTable,
+		Chain: r.chains[chainNameRoutingNat],
+		Exprs: exprs,
+	})
+
+	// Second masquerade rule for traffic going out through WireGuard interface
+	exprs2 := []expr.Any{
+		// Match on the second fwmark
+		&expr.Meta{
+			Key:      expr.MetaKeyMARK,
+			Register: 1,
+		},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     binaryutil.NativeEndian.PutUint32(nbnet.PreroutingFwmarkMasqueradeReturn),
+		},
+
+		// Match WireGuard interface
+		&expr.Meta{
+			Key:      expr.MetaKeyOIFNAME,
+			Register: 1,
+		},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     ifname(r.wgIface.Name()),
+		},
+		&expr.Counter{},
+		&expr.Masq{},
+	}
+
+	r.conn.AddRule(&nftables.Rule{
+		Table: r.workTable,
+		Chain: r.chains[chainNameRoutingNat],
+		Exprs: exprs2,
+	})
+}
+
+// addMSSClampingRules adds MSS clamping rules to prevent fragmentation for forwarded traffic.
+func (r *family) addMSSClampingRules() error {
+	overhead := uint16(ipv4TCPHeaderSize)
+	if r.af.tableFamily == nftables.TableFamilyIPv6 {
+		overhead = ipv6TCPHeaderSize
+	}
+	if r.mtu <= overhead {
+		log.Debugf("MTU %d too small for MSS clamping (overhead %d), skipping", r.mtu, overhead)
+		return nil
+	}
+	mss := r.mtu - overhead
+
+	exprsOut := []expr.Any{
+		&expr.Meta{
+			Key:      expr.MetaKeyOIFNAME,
+			Register: 1,
+		},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     ifname(r.wgIface.Name()),
+		},
+		&expr.Meta{
+			Key:      expr.MetaKeyL4PROTO,
+			Register: 1,
+		},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     []byte{unix.IPPROTO_TCP},
+		},
+		&expr.Payload{
+			DestRegister: 1,
+			Base:         expr.PayloadBaseTransportHeader,
+			Offset:       13,
+			Len:          1,
+		},
+		&expr.Bitwise{
+			DestRegister:   1,
+			SourceRegister: 1,
+			Len:            1,
+			Mask:           []byte{0x02},
+			Xor:            []byte{0x00},
+		},
+		&expr.Cmp{
+			Op:       expr.CmpOpNeq,
+			Register: 1,
+			Data:     []byte{0x00},
+		},
+		&expr.Counter{},
+		&expr.Exthdr{
+			DestRegister: 1,
+			Type:         2,
+			Offset:       2,
+			Len:          2,
+			Op:           expr.ExthdrOpTcpopt,
+		},
+		&expr.Cmp{
+			Op:       expr.CmpOpGt,
+			Register: 1,
+			Data:     binaryutil.BigEndian.PutUint16(uint16(mss)),
+		},
+		&expr.Immediate{
+			Register: 1,
+			Data:     binaryutil.BigEndian.PutUint16(uint16(mss)),
+		},
+		&expr.Exthdr{
+			SourceRegister: 1,
+			Type:           2,
+			Offset:         2,
+			Len:            2,
+			Op:             expr.ExthdrOpTcpopt,
+		},
+	}
+
+	r.conn.AddRule(&nftables.Rule{
+		Table: r.workTable,
+		Chain: r.chains[chainNameMangleForward],
+		Exprs: exprsOut,
+	})
+
+	return r.conn.Flush()
+}
+
+func (r *family) addLegacyRouteRule(pair firewall.RouterPair) error {
+	sourceExp, err := r.applyNetwork(pair.Source, nil, true)
+	if err != nil {
+		return fmt.Errorf("apply source: %w", err)
+	}
+
+	destExp, err := r.applyNetwork(pair.Destination, nil, false)
+	if err != nil {
+		return fmt.Errorf("apply destination: %w", err)
+	}
+
+	var exprs []expr.Any
+	exprs = append(exprs, sourceExp...)
+	exprs = append(exprs, destExp...)
+	exprs = append(exprs,
+		&expr.Counter{},
+		&expr.Verdict{Kind: expr.VerdictAccept},
+	)
+
+	ruleID := pair.GenKey(firewall.ForwardingFormat)
+
+	if _, exists := r.rules[ruleID]; exists {
+		if err := r.removeLegacyRouteRule(pair); err != nil {
+			return fmt.Errorf("remove legacy routing rule: %w", err)
+		}
+	}
+
+	r.rules[ruleID] = r.conn.AddRule(&nftables.Rule{
+		Table:    r.workTable,
+		Chain:    r.chains[chainNameRoutingFw],
+		Exprs:    exprs,
+		UserData: []byte(ruleID),
+	})
+	return nil
+}
+
+// removeLegacyRouteRule removes a legacy routing rule for mgmt servers pre route acls
+func (r *family) removeLegacyRouteRule(pair firewall.RouterPair) error {
+	ruleID := pair.GenKey(firewall.ForwardingFormat)
+
+	rule, exists := r.rules[ruleID]
+	if !exists {
+		return nil
+	}
+
+	return r.deleteLegacyRuleEntry(ruleID, rule)
+}
+
+// deleteLegacyRuleEntry removes one legacy forwarding rule and drops its
+// ipset references. It also clears stale entries that never got a handle.
+func (r *family) deleteLegacyRuleEntry(ruleID firewall.RuleID, rule *nftables.Rule) error {
+	if rule.Handle == 0 {
+		log.Warnf("legacy forwarding rule %s has no handle, removing stale entry", ruleID)
+		if err := r.decrementSetCounter(rule); err != nil {
+			log.Warnf("decrement set counter for stale rule %s: %v", ruleID, err)
+		}
+		delete(r.rules, ruleID)
+		return nil
+	}
+
+	if err := r.conn.DelRule(rule); err != nil {
+		return fmt.Errorf("remove legacy forwarding rule %s: %w", ruleID, err)
+	}
+
+	delete(r.rules, ruleID)
+
+	if err := r.decrementSetCounter(rule); err != nil {
+		return fmt.Errorf("decrement set counter: %w", err)
+	}
+
+	return nil
+}
+
+// GetLegacyManagement returns the route manager's legacy management mode
+func (r *family) GetLegacyManagement() bool {
+	return r.legacyManagement
+}
+
+// SetLegacyManagement sets the route manager to use legacy management mode
+func (r *family) SetLegacyManagement(isLegacy bool) {
+	r.legacyManagement = isLegacy
+}
+
+// RemoveAllLegacyRouteRules removes all legacy routing rules for mgmt servers pre route acls
+func (r *family) RemoveAllLegacyRouteRules() error {
+	if err := r.refreshRulesMap(); err != nil {
+		return fmt.Errorf(refreshRulesMapError, err)
+	}
+
+	var merr *multierror.Error
+	for k, rule := range r.rules {
+		if !strings.HasPrefix(string(k), firewall.ForwardingFormatPrefix) {
+			continue
+		}
+		if err := r.deleteLegacyRuleEntry(k, rule); err != nil {
+			merr = multierror.Append(merr, err)
+		}
+	}
+	return nberrors.FormatErrorOrNil(merr)
+}
+
+func (r *family) removeNatPreroutingRules() error {
+	table := &nftables.Table{
+		Name:   tableNat,
+		Family: r.af.tableFamily,
+	}
+	chain := &nftables.Chain{
+		Name:     chainNameNatPrerouting,
+		Table:    table,
+		Hooknum:  nftables.ChainHookPrerouting,
+		Priority: nftables.ChainPriorityNATDest,
+		Type:     nftables.ChainTypeNAT,
+	}
+	rules, err := r.conn.GetRules(table, chain)
+	if err != nil {
+		return fmt.Errorf("get rules from nat table: %w", err)
+	}
+
+	var merr *multierror.Error
+
+	// Delete rules that have our UserData suffix
+	for _, rule := range rules {
+		if len(rule.UserData) == 0 || !strings.HasSuffix(string(rule.UserData), string(dnatSuffix)) {
+			continue
+		}
+		if err := r.conn.DelRule(rule); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("delete rule %s: %w", rule.UserData, err))
+		}
+	}
+
+	if err := r.conn.Flush(); err != nil {
+		merr = multierror.Append(merr, fmt.Errorf(flushError, err))
+	}
+	return nberrors.FormatErrorOrNil(merr)
+}
+
+func (r *family) RemoveNatRule(pair firewall.RouterPair) error {
+	if err := r.refreshRulesMap(); err != nil {
+		return fmt.Errorf(refreshRulesMapError, err)
+	}
+
+	var merr *multierror.Error
+
+	if pair.Masquerade {
+		if err := r.removeNatRule(pair); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("remove prerouting rule: %w", err))
+		}
+
+		if err := r.removeNatRule(firewall.GetInversePair(pair)); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("remove inverse prerouting rule: %w", err))
+		}
+	}
+
+	if err := r.removeLegacyRouteRule(pair); err != nil {
+		merr = multierror.Append(merr, fmt.Errorf("remove legacy routing rule: %w", err))
+	}
+
+	// Set counters are decremented in the sub-methods above before flush. If flush fails,
+	// counters will be off until the next successful removal or refresh cycle.
+	if err := r.conn.Flush(); err != nil {
+		merr = multierror.Append(merr, fmt.Errorf("flush remove nat rules %s: %w", pair.Destination, err))
+	}
+
+	return nberrors.FormatErrorOrNil(merr)
+}
+
+func (r *family) removeNatRule(pair firewall.RouterPair) error {
+	ruleID := pair.GenKey(firewall.PreroutingFormat)
+
+	rule, exists := r.rules[ruleID]
+	if !exists {
+		log.Debugf("prerouting rule %s not found", ruleID)
+		return nil
+	}
+
+	if rule.Handle == 0 {
+		log.Warnf("prerouting rule %s has no handle, removing stale entry", ruleID)
+		if err := r.decrementSetCounter(rule); err != nil {
+			log.Warnf("decrement set counter for stale rule %s: %v", ruleID, err)
+		}
+		delete(r.rules, ruleID)
+		return nil
+	}
+
+	if err := r.conn.DelRule(rule); err != nil {
+		return fmt.Errorf("remove prerouting rule %s -> %s: %w", pair.Source, pair.Destination, err)
+	}
+
+	log.Debugf("removed prerouting rule %s -> %s", pair.Source, pair.Destination)
+
+	delete(r.rules, ruleID)
+
+	if err := r.decrementSetCounter(rule); err != nil {
+		return fmt.Errorf("decrement set counter: %w", err)
+	}
+
+	return nil
+}
--- a/client/firewall/nftables/rule_linux.go
+++ b/client/firewall/nftables/rule_linux.go
@@ -1,21 +1,26 @@
 package nftables

 import (
-	"net"
+	"net/netip"

 	"github.com/google/nftables"
+
+	"github.com/netbirdio/netbird/client/firewall/manager"
 )

-// Rule to handle management of rules
+// Rule wraps an installed filter rule (peer or route). Source set
+// membership is encoded in the rule's expressions; DeleteFilterRule
+// recovers the set name via findSets so the refcounter can drop the
+// right reference. mangleRule is set only for peer rules.
 type Rule struct {
 	nftRule    *nftables.Rule
 	mangleRule *nftables.Rule
-	nftSet     *nftables.Set
-	ruleID     string
-	ip         net.IP
+	// sources is the canonical source list this rule was created for.
+	sources []netip.Prefix
+	id      manager.RuleID
 }

-// GetRuleID returns the rule id
-func (r *Rule) ID() string {
-	return r.ruleID
+// ID returns the rule id
+func (r *Rule) ID() manager.RuleID {
+	return r.id
 }
--- a/client/firewall/nftables/testhelpers_linux_test.go
+++ b/client/firewall/nftables/testhelpers_linux_test.go
@@ -0,0 +1,27 @@
+//go:build integration && !android
+
+package nftables
+
+import (
+	"fmt"
+	"net"
+	"net/netip"
+)
+
+func pfx(ip net.IP) []netip.Prefix {
+	if ip == nil {
+		return []netip.Prefix{netip.PrefixFrom(netip.IPv4Unspecified(), 0)}
+	}
+	if ip.IsUnspecified() {
+		if ip.To4() != nil {
+			return []netip.Prefix{netip.PrefixFrom(netip.IPv4Unspecified(), 0)}
+		}
+		return []netip.Prefix{netip.PrefixFrom(netip.IPv6Unspecified(), 0)}
+	}
+	a, ok := netip.AddrFromSlice(ip)
+	if !ok {
+		panic(fmt.Sprintf("invalid IP length: %d", len(ip)))
+	}
+	a = a.Unmap()
+	return []netip.Prefix{netip.PrefixFrom(a, a.BitLen())}
+}
--- a/client/firewall/uspfilter/allow_netbird_windows.go
+++ b/client/firewall/uspfilter/allow_netbird_windows.go
@@ -5,8 +5,10 @@ import (
 	"os/exec"
 	"syscall"

+	"github.com/hashicorp/go-multierror"
 	log "github.com/sirupsen/logrus"

+	nberrors "github.com/netbirdio/netbird/client/errors"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )

@@ -29,15 +31,20 @@ func (m *Manager) Close(*statemanager.Manager) error {
 		return nil
 	}

-	if !isFirewallRuleActive(firewallRuleName) {
-		return nil
+	var merr *multierror.Error
+	if isFirewallRuleActive(firewallRuleName) {
+		if err := manageFirewallRule(firewallRuleName, deleteRule); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("remove windows firewall rule: %w", err))
+		}
 	}

-	if err := manageFirewallRule(firewallRuleName, deleteRule); err != nil {
-		return fmt.Errorf("couldn't remove windows firewall: %w", err)
+	if isFirewallRuleActive(firewallRuleName + "-v6") {
+		if err := manageFirewallRule(firewallRuleName+"-v6", deleteRule); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("remove windows v6 firewall rule: %w", err))
+		}
 	}

-	return nil
+	return nberrors.FormatErrorOrNil(merr)
 }

 // AllowNetbird allows netbird interface traffic
@@ -46,17 +53,33 @@ func (m *Manager) AllowNetbird() error {
 		return nil
 	}

-	if isFirewallRuleActive(firewallRuleName) {
-		return nil
+	if !isFirewallRuleActive(firewallRuleName) {
+		if err := manageFirewallRule(firewallRuleName,
+			addRule,
+			"dir=in",
+			"enable=yes",
+			"action=allow",
+			"profile=any",
+			"localip="+m.wgIface.Address().IP.String(),
+		); err != nil {
+			return err
+		}
 	}
-	return manageFirewallRule(firewallRuleName,
-		addRule,
-		"dir=in",
-		"enable=yes",
-		"action=allow",
-		"profile=any",
-		"localip="+m.wgIface.Address().IP.String(),
-	)
+
+	if v6 := m.wgIface.Address().IPv6; v6.IsValid() && !isFirewallRuleActive(firewallRuleName+"-v6") {
+		if err := manageFirewallRule(firewallRuleName+"-v6",
+			addRule,
+			"dir=in",
+			"enable=yes",
+			"action=allow",
+			"profile=any",
+			"localip="+v6.String(),
+		); err != nil {
+			return err
+		}
+	}
+
+	return nil
 }

 func manageFirewallRule(ruleName string, action action, extraArgs ...string) error {
--- a/client/firewall/uspfilter/conntrack/cap_test.go
+++ b/client/firewall/uspfilter/conntrack/cap_test.go
@@ -0,0 +1,125 @@
+package conntrack
+
+import (
+	"net/netip"
+	"testing"
+
+	"github.com/google/gopacket/layers"
+	"github.com/stretchr/testify/require"
+)
+
+func TestTCPCapEvicts(t *testing.T) {
+	t.Setenv(EnvTCPMaxEntries, "4")
+
+	tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
+	defer tracker.Close()
+	require.Equal(t, 4, tracker.maxEntries)
+
+	src := netip.MustParseAddr("100.64.0.1")
+	dst := netip.MustParseAddr("100.64.0.2")
+
+	for i := 0; i < 10; i++ {
+		tracker.TrackOutbound(src, dst, uint16(10000+i), 80, TCPSyn, 0)
+	}
+	require.LessOrEqual(t, len(tracker.connections), 4,
+		"TCP table must not exceed the configured cap")
+	require.Greater(t, len(tracker.connections), 0,
+		"some entries must remain after eviction")
+
+	// The most recently admitted flow must be present: eviction must make
+	// room for new entries, not silently drop them.
+	require.Contains(t, tracker.connections,
+		ConnKey{SrcIP: src, DstIP: dst, SrcPort: uint16(10009), DstPort: 80},
+		"newest TCP flow must be admitted after eviction")
+	// A pre-cap flow must have been evicted to fit the last one.
+	require.NotContains(t, tracker.connections,
+		ConnKey{SrcIP: src, DstIP: dst, SrcPort: uint16(10000), DstPort: 80},
+		"oldest TCP flow should have been evicted")
+}
+
+func TestTCPCapPrefersTombstonedForEviction(t *testing.T) {
+	t.Setenv(EnvTCPMaxEntries, "3")
+
+	tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
+	defer tracker.Close()
+
+	src := netip.MustParseAddr("100.64.0.1")
+	dst := netip.MustParseAddr("100.64.0.2")
+
+	// Fill to cap with 3 live connections.
+	for i := 0; i < 3; i++ {
+		tracker.TrackOutbound(src, dst, uint16(20000+i), 80, TCPSyn, 0)
+	}
+	require.Len(t, tracker.connections, 3)
+
+	// Tombstone one by sending RST through IsValidInbound.
+	tombstonedKey := ConnKey{SrcIP: src, DstIP: dst, SrcPort: 20001, DstPort: 80}
+	require.True(t, tracker.IsValidInbound(dst, src, 80, 20001, TCPRst|TCPAck, 0))
+	require.True(t, tracker.connections[tombstonedKey].IsTombstone())
+
+	// Another live connection forces eviction. The tombstone must go first.
+	tracker.TrackOutbound(src, dst, uint16(29999), 80, TCPSyn, 0)
+
+	_, tombstonedStillPresent := tracker.connections[tombstonedKey]
+	require.False(t, tombstonedStillPresent,
+		"tombstoned entry should be evicted before live entries")
+	require.LessOrEqual(t, len(tracker.connections), 3)
+
+	// Both live pre-cap entries must survive: eviction must prefer the
+	// tombstone, not just satisfy the size bound by dropping any entry.
+	require.Contains(t, tracker.connections,
+		ConnKey{SrcIP: src, DstIP: dst, SrcPort: uint16(20000), DstPort: 80},
+		"live entries must not be evicted while a tombstone exists")
+	require.Contains(t, tracker.connections,
+		ConnKey{SrcIP: src, DstIP: dst, SrcPort: uint16(20002), DstPort: 80},
+		"live entries must not be evicted while a tombstone exists")
+}
+
+func TestUDPCapEvicts(t *testing.T) {
+	t.Setenv(EnvUDPMaxEntries, "5")
+
+	tracker := NewUDPTracker(DefaultUDPTimeout, logger, flowLogger)
+	defer tracker.Close()
+	require.Equal(t, 5, tracker.maxEntries)
+
+	src := netip.MustParseAddr("100.64.0.1")
+	dst := netip.MustParseAddr("100.64.0.2")
+
+	for i := 0; i < 12; i++ {
+		tracker.TrackOutbound(src, dst, uint16(30000+i), 53, 0)
+	}
+	require.LessOrEqual(t, len(tracker.connections), 5)
+	require.Greater(t, len(tracker.connections), 0)
+
+	require.Contains(t, tracker.connections,
+		ConnKey{SrcIP: src, DstIP: dst, SrcPort: uint16(30011), DstPort: 53},
+		"newest UDP flow must be admitted after eviction")
+	require.NotContains(t, tracker.connections,
+		ConnKey{SrcIP: src, DstIP: dst, SrcPort: uint16(30000), DstPort: 53},
+		"oldest UDP flow should have been evicted")
+}
+
+func TestICMPCapEvicts(t *testing.T) {
+	t.Setenv(EnvICMPMaxEntries, "3")
+
+	tracker := NewICMPTracker(DefaultICMPTimeout, logger, flowLogger)
+	defer tracker.Close()
+	require.Equal(t, 3, tracker.maxEntries)
+
+	src := netip.MustParseAddr("100.64.0.1")
+	dst := netip.MustParseAddr("100.64.0.2")
+
+	echoReq := layers.CreateICMPv4TypeCode(uint8(layers.ICMPv4TypeEchoRequest), 0)
+	for i := 0; i < 8; i++ {
+		tracker.TrackOutbound(src, dst, uint16(i), echoReq, nil, 64)
+	}
+	require.LessOrEqual(t, len(tracker.connections), 3)
+	require.Greater(t, len(tracker.connections), 0)
+
+	require.Contains(t, tracker.connections,
+		ICMPConnKey{SrcIP: src, DstIP: dst, ID: uint16(7)},
+		"newest ICMP flow must be admitted after eviction")
+	require.NotContains(t, tracker.connections,
+		ICMPConnKey{SrcIP: src, DstIP: dst, ID: uint16(0)},
+		"oldest ICMP flow should have been evicted")
+}
--- a/client/firewall/uspfilter/conntrack/common.go
+++ b/client/firewall/uspfilter/conntrack/common.go
@@ -1,16 +1,63 @@
 package conntrack

 import (
-	"fmt"
+	"net"
 	"net/netip"
+	"os"
+	"strconv"
 	"sync/atomic"
 	"time"

 	"github.com/google/uuid"

+	nblog "github.com/netbirdio/netbird/client/firewall/uspfilter/log"
 	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
 )

+// evictSampleSize bounds how many map entries we scan per eviction call.
+// Keeps eviction O(1) even at cap under sustained load; the sampled-LRU
+// heuristic is good enough for a conntrack table that only overflows under
+// abuse.
+const evictSampleSize = 8
+
+// envDuration parses an os.Getenv(name) as a time.Duration. Falls back to
+// def on empty or invalid; logs a warning on invalid.
+func envDuration(logger *nblog.Logger, name string, def time.Duration) time.Duration {
+	v := os.Getenv(name)
+	if v == "" {
+		return def
+	}
+	d, err := time.ParseDuration(v)
+	if err != nil {
+		logger.Warn3("invalid %s=%q: %v, using default", name, v, err)
+		return def
+	}
+	if d <= 0 {
+		logger.Warn2("invalid %s=%q: must be positive, using default", name, v)
+		return def
+	}
+	return d
+}
+
+// envInt parses an os.Getenv(name) as an int. Falls back to def on empty,
+// invalid, or non-positive. Logs a warning on invalid input.
+func envInt(logger *nblog.Logger, name string, def int) int {
+	v := os.Getenv(name)
+	if v == "" {
+		return def
+	}
+	n, err := strconv.Atoi(v)
+	switch {
+	case err != nil:
+		logger.Warn3("invalid %s=%q: %v, using default", name, v, err)
+		return def
+	case n <= 0:
+		logger.Warn2("invalid %s=%q: must be positive, using default", name, v)
+		return def
+	}
+	return n
+}
+
 // BaseConnTrack provides common fields and locking for all connection types
 type BaseConnTrack struct {
 	FlowId    uuid.UUID
@@ -64,5 +111,7 @@ type ConnKey struct {
 }

 func (c ConnKey) String() string {
-	return fmt.Sprintf("%s:%d → %s:%d", c.SrcIP.Unmap(), c.SrcPort, c.DstIP.Unmap(), c.DstPort)
+	return net.JoinHostPort(c.SrcIP.Unmap().String(), strconv.Itoa(int(c.SrcPort))) +
+		" → " +
+		net.JoinHostPort(c.DstIP.Unmap().String(), strconv.Itoa(int(c.DstPort)))
 }
--- a/client/firewall/uspfilter/conntrack/common_test.go
+++ b/client/firewall/uspfilter/conntrack/common_test.go
@@ -13,6 +13,54 @@ import (
 var logger = log.NewFromLogrus(logrus.StandardLogger())
 var flowLogger = netflow.NewManager(nil, []byte{}, nil).GetLogger()

+func TestConnKey_String(t *testing.T) {
+	tests := []struct {
+		name   string
+		key    ConnKey
+		expect string
+	}{
+		{
+			name: "IPv4",
+			key: ConnKey{
+				SrcIP:   netip.MustParseAddr("192.168.1.1"),
+				DstIP:   netip.MustParseAddr("10.0.0.1"),
+				SrcPort: 12345,
+				DstPort: 80,
+			},
+			expect: "192.168.1.1:12345 → 10.0.0.1:80",
+		},
+		{
+			name: "IPv6",
+			key: ConnKey{
+				SrcIP:   netip.MustParseAddr("2001:db8::1"),
+				DstIP:   netip.MustParseAddr("2001:db8::2"),
+				SrcPort: 54321,
+				DstPort: 443,
+			},
+			expect: "[2001:db8::1]:54321 → [2001:db8::2]:443",
+		},
+		{
+			name: "IPv4-mapped IPv6 unmaps",
+			key: ConnKey{
+				SrcIP:   netip.MustParseAddr("::ffff:10.0.0.1"),
+				DstIP:   netip.MustParseAddr("::ffff:10.0.0.2"),
+				SrcPort: 1000,
+				DstPort: 2000,
+			},
+			expect: "10.0.0.1:1000 → 10.0.0.2:2000",
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			got := tc.key.String()
+			if got != tc.expect {
+				t.Errorf("got %q, want %q", got, tc.expect)
+			}
+		})
+	}
+}
+
 // Memory pressure tests
 func BenchmarkMemoryPressure(b *testing.B) {
 	b.Run("TCPHighLoad", func(b *testing.B) {
--- a/client/firewall/uspfilter/conntrack/defaults_desktop.go
+++ b/client/firewall/uspfilter/conntrack/defaults_desktop.go
@@ -0,0 +1,11 @@
+//go:build !ios && !android
+
+package conntrack
+
+// Default per-tracker entry caps on desktop/server platforms. These mirror
+// typical Linux netfilter nf_conntrack_max territory with ample headroom.
+const (
+	DefaultMaxTCPEntries  = 65536
+	DefaultMaxUDPEntries  = 16384
+	DefaultMaxICMPEntries = 2048
+)
--- a/client/firewall/uspfilter/conntrack/defaults_mobile.go
+++ b/client/firewall/uspfilter/conntrack/defaults_mobile.go
@@ -0,0 +1,13 @@
+//go:build ios || android
+
+package conntrack
+
+// Default per-tracker entry caps on mobile platforms. iOS network extensions
+// are capped at ~50 MB; Android runs under aggressive memory pressure. These
+// values keep conntrack footprint well under 5 MB worst case (TCPConnTrack
+// is ~200 B plus map overhead).
+const (
+	DefaultMaxTCPEntries  = 4096
+	DefaultMaxUDPEntries  = 2048
+	DefaultMaxICMPEntries = 512
+)
--- a/client/firewall/uspfilter/conntrack/icmp.go
+++ b/client/firewall/uspfilter/conntrack/icmp.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"net"
 	"net/netip"
+	"strconv"
 	"sync"
 	"time"

@@ -21,9 +22,14 @@ const (
 	// ICMPCleanupInterval is how often we check for stale ICMP connections
 	ICMPCleanupInterval = 15 * time.Second

-	// MaxICMPPayloadLength is the maximum length of ICMP payload we consider for original packet info,
-	// which includes the IP header (20 bytes) and transport header (8 bytes)
-	MaxICMPPayloadLength = 28
+	// MaxICMPPayloadLength is the maximum length of ICMP payload we consider for original packet info.
+	// IPv4: 20-byte header + 8-byte transport = 28 bytes.
+	// IPv6: 40-byte header + 8-byte transport = 48 bytes.
+	MaxICMPPayloadLength = 48
+	// minICMPPayloadIPv4 is the minimum embedded packet length for IPv4 ICMP errors.
+	minICMPPayloadIPv4 = 28
+	// minICMPPayloadIPv6 is the minimum embedded packet length for IPv6 ICMP errors.
+	minICMPPayloadIPv6 = 48
 )

 // ICMPConnKey uniquely identifies an ICMP connection
@@ -44,6 +50,9 @@ type ICMPConnTrack struct {
 	ICMPCode uint8
 }

+// EnvICMPMaxEntries caps the ICMP conntrack table size.
+const EnvICMPMaxEntries = "NB_CONNTRACK_ICMP_MAX"
+
 // ICMPTracker manages ICMP connection states
 type ICMPTracker struct {
 	logger        *nblog.Logger
@@ -52,6 +61,7 @@ type ICMPTracker struct {
 	cleanupTicker *time.Ticker
 	tickerCancel  context.CancelFunc
 	mutex         sync.RWMutex
+	maxEntries    int
 	flowLogger    nftypes.FlowLogger
 }

@@ -65,7 +75,7 @@ type ICMPInfo struct {

 // String implements fmt.Stringer for lazy evaluation in log messages
 func (info ICMPInfo) String() string {
-	if info.isErrorMessage() && info.PayloadLen >= MaxICMPPayloadLength {
+	if info.isErrorMessage() && info.PayloadLen >= minICMPPayloadIPv4 {
 		if origInfo := info.parseOriginalPacket(); origInfo != "" {
 			return fmt.Sprintf("%s (original: %s)", info.TypeCode, origInfo)
 		}
@@ -74,42 +84,72 @@ func (info ICMPInfo) String() string {
 	return info.TypeCode.String()
 }

-// isErrorMessage returns true if this ICMP type carries original packet info
+// isErrorMessage returns true if this ICMP type carries original packet info.
+// Covers both ICMPv4 and ICMPv6 error types. Without a family field we match
+// both sets; type 3 overlaps (v4 DestUnreachable / v6 TimeExceeded) so it's
+// kept as a literal.
 func (info ICMPInfo) isErrorMessage() bool {
 	typ := info.TypeCode.Type()
-	return typ == 3 || // Destination Unreachable
-		typ == 5 || // Redirect
-		typ == 11 || // Time Exceeded
-		typ == 12 // Parameter Problem
+	// ICMPv4 error types
+	if typ == layers.ICMPv4TypeDestinationUnreachable ||
+		typ == layers.ICMPv4TypeRedirect ||
+		typ == layers.ICMPv4TypeTimeExceeded ||
+		typ == layers.ICMPv4TypeParameterProblem {
+		return true
+	}
+	// ICMPv6 error types (type 3 already matched above as v4 DestUnreachable)
+	if typ == layers.ICMPv6TypeDestinationUnreachable ||
+		typ == layers.ICMPv6TypePacketTooBig ||
+		typ == layers.ICMPv6TypeParameterProblem {
+		return true
+	}
+	return false
 }

 // parseOriginalPacket extracts info about the original packet from ICMP payload
 func (info ICMPInfo) parseOriginalPacket() string {
-	if info.PayloadLen < MaxICMPPayloadLength {
+	if info.PayloadLen == 0 {
 		return ""
 	}

-	// TODO: handle IPv6
-	if version := (info.PayloadData[0] >> 4) & 0xF; version != 4 {
+	version := (info.PayloadData[0] >> 4) & 0xF
+
+	var protocol uint8
+	var srcIP, dstIP net.IP
+	var transportData []byte
+
+	switch version {
+	case 4:
+		if info.PayloadLen < minICMPPayloadIPv4 {
+			return ""
+		}
+		protocol = info.PayloadData[9]
+		srcIP = net.IP(info.PayloadData[12:16])
+		dstIP = net.IP(info.PayloadData[16:20])
+		transportData = info.PayloadData[20:]
+	case 6:
+		if info.PayloadLen < minICMPPayloadIPv6 {
+			return ""
+		}
+		// Next Header field in IPv6 header
+		protocol = info.PayloadData[6]
+		srcIP = net.IP(info.PayloadData[8:24])
+		dstIP = net.IP(info.PayloadData[24:40])
+		transportData = info.PayloadData[40:]
+	default:
 		return ""
 	}

-	protocol := info.PayloadData[9]
-	srcIP := net.IP(info.PayloadData[12:16])
-	dstIP := net.IP(info.PayloadData[16:20])
-
-	transportData := info.PayloadData[20:]
-
 	switch nftypes.Protocol(protocol) {
 	case nftypes.TCP:
 		srcPort := uint16(transportData[0])<<8 | uint16(transportData[1])
 		dstPort := uint16(transportData[2])<<8 | uint16(transportData[3])
-		return fmt.Sprintf("TCP %s:%d → %s:%d", srcIP, srcPort, dstIP, dstPort)
+		return "TCP " + net.JoinHostPort(srcIP.String(), strconv.Itoa(int(srcPort))) + " → " + net.JoinHostPort(dstIP.String(), strconv.Itoa(int(dstPort)))

 	case nftypes.UDP:
 		srcPort := uint16(transportData[0])<<8 | uint16(transportData[1])
 		dstPort := uint16(transportData[2])<<8 | uint16(transportData[3])
-		return fmt.Sprintf("UDP %s:%d → %s:%d", srcIP, srcPort, dstIP, dstPort)
+		return "UDP " + net.JoinHostPort(srcIP.String(), strconv.Itoa(int(srcPort))) + " → " + net.JoinHostPort(dstIP.String(), strconv.Itoa(int(dstPort)))

 	case nftypes.ICMP:
 		icmpType := transportData[0]
@@ -135,6 +175,7 @@ func NewICMPTracker(timeout time.Duration, logger *nblog.Logger, flowLogger nfty
 		timeout:       timeout,
 		cleanupTicker: time.NewTicker(ICMPCleanupInterval),
 		tickerCancel:  cancel,
+		maxEntries:    envInt(logger, EnvICMPMaxEntries, DefaultMaxICMPEntries),
 		flowLogger:    flowLogger,
 	}

@@ -221,7 +262,9 @@ func (t *ICMPTracker) track(

 	// non echo requests don't need tracking
 	if typ != uint8(layers.ICMPv4TypeEchoRequest) {
-		t.logger.Trace3("New %s ICMP connection %s - %s", direction, key, icmpInfo)
+		if t.logger.Enabled(nblog.LevelTrace) {
+			t.logger.Trace3("New %s ICMP connection %s - %s", direction, key, icmpInfo)
+		}
 		t.sendStartEvent(direction, srcIP, dstIP, typ, code, ruleId, size)
 		return
 	}
@@ -240,16 +283,22 @@ func (t *ICMPTracker) track(
 	conn.UpdateCounters(direction, size)

 	t.mutex.Lock()
+	if t.maxEntries > 0 && len(t.connections) >= t.maxEntries {
+		t.evictOneLocked()
+	}
 	t.connections[key] = conn
 	t.mutex.Unlock()

-	t.logger.Trace3("New %s ICMP connection %s - %s", direction, key, icmpInfo)
+	if t.logger.Enabled(nblog.LevelTrace) {
+		t.logger.Trace3("New %s ICMP connection %s - %s", direction, key, icmpInfo)
+	}
 	t.sendEvent(nftypes.TypeStart, conn, ruleId)
 }

-// IsValidInbound checks if an inbound ICMP Echo Reply matches a tracked request
+// IsValidInbound checks if an inbound ICMP Echo Reply matches a tracked request.
+// Accepts both ICMPv4 (type 0) and ICMPv6 (type 129) echo replies.
 func (t *ICMPTracker) IsValidInbound(srcIP netip.Addr, dstIP netip.Addr, id uint16, icmpType uint8, size int) bool {
-	if icmpType != uint8(layers.ICMPv4TypeEchoReply) {
+	if icmpType != uint8(layers.ICMPv4TypeEchoReply) && icmpType != uint8(layers.ICMPv6TypeEchoReply) {
 		return false
 	}

@@ -286,6 +335,34 @@ func (t *ICMPTracker) cleanupRoutine(ctx context.Context) {
 	}
 }

+// evictOneLocked removes one entry to make room. Caller must hold t.mutex.
+// Bounded sample scan: picks the oldest among up to evictSampleSize entries.
+func (t *ICMPTracker) evictOneLocked() {
+	var candKey ICMPConnKey
+	var candSeen int64
+	haveCand := false
+	sampled := 0
+
+	for k, c := range t.connections {
+		seen := c.lastSeen.Load()
+		if !haveCand || seen < candSeen {
+			candKey = k
+			candSeen = seen
+			haveCand = true
+		}
+		sampled++
+		if sampled >= evictSampleSize {
+			break
+		}
+	}
+	if haveCand {
+		if evicted := t.connections[candKey]; evicted != nil {
+			t.sendEvent(nftypes.TypeEnd, evicted, nil)
+		}
+		delete(t.connections, candKey)
+	}
+}
+
 func (t *ICMPTracker) cleanup() {
 	t.mutex.Lock()
 	defer t.mutex.Unlock()
@@ -294,13 +371,22 @@ func (t *ICMPTracker) cleanup() {
 		if conn.timeoutExceeded(t.timeout) {
 			delete(t.connections, key)

-			t.logger.Trace5("Removed ICMP connection %s (timeout) [in: %d Pkts/%d B out: %d Pkts/%d B]",
-				key, conn.PacketsRx.Load(), conn.BytesRx.Load(), conn.PacketsTx.Load(), conn.BytesTx.Load())
+			if t.logger.Enabled(nblog.LevelTrace) {
+				t.logger.Trace5("Removed ICMP connection %s (timeout) [in: %d Pkts/%d B out: %d Pkts/%d B]",
+					key, conn.PacketsRx.Load(), conn.BytesRx.Load(), conn.PacketsTx.Load(), conn.BytesTx.Load())
+			}
 			t.sendEvent(nftypes.TypeEnd, conn, nil)
 		}
 	}
 }

+func icmpProtocolForAddr(ip netip.Addr) nftypes.Protocol {
+	if ip.Is6() {
+		return nftypes.ICMPv6
+	}
+	return nftypes.ICMP
+}
+
 // Close stops the cleanup routine and releases resources
 func (t *ICMPTracker) Close() {
 	t.tickerCancel()
@@ -316,7 +402,7 @@ func (t *ICMPTracker) sendEvent(typ nftypes.Type, conn *ICMPConnTrack, ruleID []
 		Type:      typ,
 		RuleID:    ruleID,
 		Direction: conn.Direction,
-		Protocol:  nftypes.ICMP, // TODO: adjust for IPv6/icmpv6
+		Protocol:  icmpProtocolForAddr(conn.SourceIP),
 		SourceIP:  conn.SourceIP,
 		DestIP:    conn.DestIP,
 		ICMPType:  conn.ICMPType,
@@ -334,7 +420,7 @@ func (t *ICMPTracker) sendStartEvent(direction nftypes.Direction, srcIP netip.Ad
 		Type:      nftypes.TypeStart,
 		RuleID:    ruleID,
 		Direction: direction,
-		Protocol:  nftypes.ICMP,
+		Protocol:  icmpProtocolForAddr(srcIP),
 		SourceIP:  srcIP,
 		DestIP:    dstIP,
 		ICMPType:  typ,
--- a/client/firewall/uspfilter/conntrack/icmp_test.go
+++ b/client/firewall/uspfilter/conntrack/icmp_test.go
@@ -5,6 +5,42 @@ import (
 	"testing"
 )

+func TestICMPConnKey_String(t *testing.T) {
+	tests := []struct {
+		name   string
+		key    ICMPConnKey
+		expect string
+	}{
+		{
+			name: "IPv4",
+			key: ICMPConnKey{
+				SrcIP: netip.MustParseAddr("192.168.1.1"),
+				DstIP: netip.MustParseAddr("10.0.0.1"),
+				ID:    1234,
+			},
+			expect: "192.168.1.1 → 10.0.0.1 (id 1234)",
+		},
+		{
+			name: "IPv6",
+			key: ICMPConnKey{
+				SrcIP: netip.MustParseAddr("2001:db8::1"),
+				DstIP: netip.MustParseAddr("2001:db8::2"),
+				ID:    5678,
+			},
+			expect: "2001:db8::1 → 2001:db8::2 (id 5678)",
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			got := tc.key.String()
+			if got != tc.expect {
+				t.Errorf("got %q, want %q", got, tc.expect)
+			}
+		})
+	}
+}
+
 func BenchmarkICMPTracker(b *testing.B) {
 	b.Run("TrackOutbound", func(b *testing.B) {
 		tracker := NewICMPTracker(DefaultICMPTimeout, logger, flowLogger)
--- a/client/firewall/uspfilter/conntrack/tcp.go
+++ b/client/firewall/uspfilter/conntrack/tcp.go
@@ -38,6 +38,27 @@ const (
 	TCPHandshakeTimeout = 60 * time.Second
 	// TCPCleanupInterval is how often we check for stale connections
 	TCPCleanupInterval = 5 * time.Minute
+	// FinWaitTimeout bounds FIN_WAIT_1 / FIN_WAIT_2 / CLOSING states.
+	// Matches Linux netfilter nf_conntrack_tcp_timeout_fin_wait.
+	FinWaitTimeout = 60 * time.Second
+	// CloseWaitTimeout bounds CLOSE_WAIT. Matches Linux default; apps
+	// holding CloseWait longer than this should bump the env var.
+	CloseWaitTimeout = 60 * time.Second
+	// LastAckTimeout bounds LAST_ACK. Matches Linux default.
+	LastAckTimeout = 30 * time.Second
+)
+
+// Env vars to override per-state teardown timeouts. Values parsed by
+// time.ParseDuration (e.g. "120s", "2m"). Invalid values fall back to the
+// defaults above with a warning.
+const (
+	EnvTCPFinWaitTimeout   = "NB_CONNTRACK_TCP_FIN_WAIT_TIMEOUT"
+	EnvTCPCloseWaitTimeout = "NB_CONNTRACK_TCP_CLOSE_WAIT_TIMEOUT"
+	EnvTCPLastAckTimeout   = "NB_CONNTRACK_TCP_LAST_ACK_TIMEOUT"
+
+	// EnvTCPMaxEntries caps the TCP conntrack table size. Oldest entries
+	// (tombstones first) are evicted when the cap is reached.
+	EnvTCPMaxEntries = "NB_CONNTRACK_TCP_MAX"
 )

 // TCPState represents the state of a TCP connection
@@ -133,14 +154,18 @@ func (t *TCPConnTrack) SetTombstone() {

 // TCPTracker manages TCP connection states
 type TCPTracker struct {
-	logger        *nblog.Logger
-	connections   map[ConnKey]*TCPConnTrack
-	mutex         sync.RWMutex
-	cleanupTicker *time.Ticker
-	tickerCancel  context.CancelFunc
-	timeout       time.Duration
-	waitTimeout   time.Duration
-	flowLogger    nftypes.FlowLogger
+	logger           *nblog.Logger
+	connections      map[ConnKey]*TCPConnTrack
+	mutex            sync.RWMutex
+	cleanupTicker    *time.Ticker
+	tickerCancel     context.CancelFunc
+	timeout          time.Duration
+	waitTimeout      time.Duration
+	finWaitTimeout   time.Duration
+	closeWaitTimeout time.Duration
+	lastAckTimeout   time.Duration
+	maxEntries       int
+	flowLogger       nftypes.FlowLogger
 }

 // NewTCPTracker creates a new TCP connection tracker
@@ -155,13 +180,17 @@ func NewTCPTracker(timeout time.Duration, logger *nblog.Logger, flowLogger nftyp
 	ctx, cancel := context.WithCancel(context.Background())

 	tracker := &TCPTracker{
-		logger:        logger,
-		connections:   make(map[ConnKey]*TCPConnTrack),
-		cleanupTicker: time.NewTicker(TCPCleanupInterval),
-		tickerCancel:  cancel,
-		timeout:       timeout,
-		waitTimeout:   waitTimeout,
-		flowLogger:    flowLogger,
+		logger:           logger,
+		connections:      make(map[ConnKey]*TCPConnTrack),
+		cleanupTicker:    time.NewTicker(TCPCleanupInterval),
+		tickerCancel:     cancel,
+		timeout:          timeout,
+		waitTimeout:      waitTimeout,
+		finWaitTimeout:   envDuration(logger, EnvTCPFinWaitTimeout, FinWaitTimeout),
+		closeWaitTimeout: envDuration(logger, EnvTCPCloseWaitTimeout, CloseWaitTimeout),
+		lastAckTimeout:   envDuration(logger, EnvTCPLastAckTimeout, LastAckTimeout),
+		maxEntries:       envInt(logger, EnvTCPMaxEntries, DefaultMaxTCPEntries),
+		flowLogger:       flowLogger,
 	}

 	go tracker.cleanupRoutine(ctx)
@@ -209,6 +238,12 @@ func (t *TCPTracker) track(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, fla
 	if exists || flags&TCPSyn == 0 {
 		return
 	}
+	// Reject illegal SYN combinations (SYN+FIN, SYN+RST, …) so they don't
+	// create spurious conntrack entries. Not mandated by RFC 9293 but a
+	// common hardening (Linux netfilter/nftables rejects these too).
+	if !isValidFlagCombination(flags) {
+		return
+	}

 	conn := &TCPConnTrack{
 		BaseConnTrack: BaseConnTrack{
@@ -225,20 +260,65 @@ func (t *TCPTracker) track(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, fla
 	conn.state.Store(int32(TCPStateNew))
 	conn.DNATOrigPort.Store(uint32(origPort))

-	if origPort != 0 {
-		t.logger.Trace4("New %s TCP connection: %s (port DNAT %d -> %d)", direction, key, origPort, dstPort)
-	} else {
-		t.logger.Trace2("New %s TCP connection: %s", direction, key)
+	if t.logger.Enabled(nblog.LevelTrace) {
+		if origPort != 0 {
+			t.logger.Trace4("New %s TCP connection: %s (port DNAT %d -> %d)", direction, key, origPort, dstPort)
+		} else {
+			t.logger.Trace2("New %s TCP connection: %s", direction, key)
+		}
 	}
 	t.updateState(key, conn, flags, direction, size)

 	t.mutex.Lock()
+	if t.maxEntries > 0 && len(t.connections) >= t.maxEntries {
+		t.evictOneLocked()
+	}
 	t.connections[key] = conn
 	t.mutex.Unlock()

 	t.sendEvent(nftypes.TypeStart, conn, ruleID)
 }

+// evictOneLocked removes one entry to make room. Caller must hold t.mutex.
+// Bounded scan: samples up to evictSampleSize pseudo-random entries (Go map
+// iteration order is randomized), preferring a tombstone. If no tombstone
+// found in the sample, evicts the oldest among the sampled entries. O(1)
+// worst case — cheap enough to run on every insert at cap during abuse.
+func (t *TCPTracker) evictOneLocked() {
+	var candKey ConnKey
+	var candSeen int64
+	haveCand := false
+	sampled := 0
+
+	for k, c := range t.connections {
+		if c.IsTombstone() {
+			delete(t.connections, k)
+			return
+		}
+		seen := c.lastSeen.Load()
+		if !haveCand || seen < candSeen {
+			candKey = k
+			candSeen = seen
+			haveCand = true
+		}
+		sampled++
+		if sampled >= evictSampleSize {
+			break
+		}
+	}
+	if haveCand {
+		if evicted := t.connections[candKey]; evicted != nil {
+			// TypeEnd is already emitted at the state transition to
+			// TimeWait and when a connection is tombstoned. Only emit
+			// here when we're reaping a still-active flow.
+			if evicted.GetState() != TCPStateTimeWait && !evicted.IsTombstone() {
+				t.sendEvent(nftypes.TypeEnd, evicted, nil)
+			}
+		}
+		delete(t.connections, candKey)
+	}
+}
+
 // IsValidInbound checks if an inbound TCP packet matches a tracked connection
 func (t *TCPTracker) IsValidInbound(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, flags uint8, size int) bool {
 	key := ConnKey{
@@ -256,12 +336,19 @@ func (t *TCPTracker) IsValidInbound(srcIP, dstIP netip.Addr, srcPort, dstPort ui
 		return false
 	}

+	// Reject illegal flag combinations regardless of state. These never belong
+	// to a legitimate flow and must not advance or tear down state.
+	if !isValidFlagCombination(flags) {
+		if t.logger.Enabled(nblog.LevelWarn) {
+			t.logger.Warn3("TCP illegal flag combination %x for connection %s (state %s)", flags, key, conn.GetState())
+		}
+		return false
+	}
+
 	currentState := conn.GetState()
 	if !t.isValidStateForFlags(currentState, flags) {
-		t.logger.Warn3("TCP state %s is not valid with flags %x for connection %s", currentState, flags, key)
-		// allow all flags for established for now
-		if currentState == TCPStateEstablished {
-			return true
+		if t.logger.Enabled(nblog.LevelWarn) {
+			t.logger.Warn3("TCP state %s is not valid with flags %x for connection %s", currentState, flags, key)
 		}
 		return false
 	}
@@ -270,116 +357,208 @@ func (t *TCPTracker) IsValidInbound(srcIP, dstIP netip.Addr, srcPort, dstPort ui
 	return true
 }

-// updateState updates the TCP connection state based on flags
+// updateState updates the TCP connection state based on flags.
 func (t *TCPTracker) updateState(key ConnKey, conn *TCPConnTrack, flags uint8, packetDir nftypes.Direction, size int) {
-	conn.UpdateLastSeen()
 	conn.UpdateCounters(packetDir, size)

+	// Malformed flag combinations must not refresh lastSeen or drive state,
+	// otherwise spoofed packets keep a dead flow alive past its timeout.
+	if !isValidFlagCombination(flags) {
+		return
+	}
+
+	conn.UpdateLastSeen()
+
 	currentState := conn.GetState()

 	if flags&TCPRst != 0 {
-		if conn.CompareAndSwapState(currentState, TCPStateClosed) {
-			conn.SetTombstone()
-			t.logger.Trace6("TCP connection reset: %s (dir: %s) [in: %d Pkts/%d B, out: %d Pkts/%d B]",
-				key, packetDir, conn.PacketsRx.Load(), conn.BytesRx.Load(), conn.PacketsTx.Load(), conn.BytesTx.Load())
-			t.sendEvent(nftypes.TypeEnd, conn, nil)
-		}
+		// Hardening beyond RFC 9293 §3.10.7.4: without sequence tracking we
+		// cannot apply the RFC 5961 in-window RST check, so we conservatively
+		// reject RSTs that the spec would accept (TIME-WAIT with in-window
+		// SEQ, SynSent from same direction as own SYN, etc.).
+		t.handleRst(key, conn, currentState, packetDir)
 		return
 	}

-	var newState TCPState
-	switch currentState {
-	case TCPStateNew:
-		if flags&TCPSyn != 0 && flags&TCPAck == 0 {
-			if conn.Direction == nftypes.Egress {
-				newState = TCPStateSynSent
-			} else {
-				newState = TCPStateSynReceived
-			}
-		}
+	newState := nextState(currentState, conn.Direction, packetDir, flags)
+	if newState == 0 || !conn.CompareAndSwapState(currentState, newState) {
+		return
+	}
+	t.onTransition(key, conn, currentState, newState, packetDir)
+}

-	case TCPStateSynSent:
-		if flags&TCPSyn != 0 && flags&TCPAck != 0 {
-			if packetDir != conn.Direction {
-				newState = TCPStateEstablished
-			} else {
-				// Simultaneous open
-				newState = TCPStateSynReceived
-			}
-		}
+// handleRst processes a RST segment. Late RSTs in TimeWait and spoofed RSTs
+// from the SYN direction are ignored; otherwise the flow is tombstoned.
+func (t *TCPTracker) handleRst(key ConnKey, conn *TCPConnTrack, currentState TCPState, packetDir nftypes.Direction) {
+	// TimeWait exists to absorb late segments; don't let a late RST
+	// tombstone the entry and break same-4-tuple reuse.
+	if currentState == TCPStateTimeWait {
+		return
+	}
+	// A RST from the same direction as the SYN cannot be a legitimate
+	// response and must not tear down a half-open connection.
+	if currentState == TCPStateSynSent && packetDir == conn.Direction {
+		return
+	}
+	if !conn.CompareAndSwapState(currentState, TCPStateClosed) {
+		return
+	}
+	conn.SetTombstone()
+	if t.logger.Enabled(nblog.LevelTrace) {
+		t.logger.Trace6("TCP connection reset: %s (dir: %s) [in: %d Pkts/%d B, out: %d Pkts/%d B]",
+			key, packetDir, conn.PacketsRx.Load(), conn.BytesRx.Load(), conn.PacketsTx.Load(), conn.BytesTx.Load())
+	}
+	t.sendEvent(nftypes.TypeEnd, conn, nil)
+}

-	case TCPStateSynReceived:
-		if flags&TCPAck != 0 && flags&TCPSyn == 0 {
-			if packetDir == conn.Direction {
-				newState = TCPStateEstablished
-			}
-		}
+// stateTransition describes one state's transition logic. It receives the
+// packet's flags plus whether the packet direction matches the connection's
+// origin direction (same=true means same side as the SYN initiator). Return 0
+// for no transition.
+type stateTransition func(flags uint8, connDir nftypes.Direction, same bool) TCPState

-	case TCPStateEstablished:
-		if flags&TCPFin != 0 {
-			if packetDir == conn.Direction {
-				newState = TCPStateFinWait1
-			} else {
-				newState = TCPStateCloseWait
-			}
-		}
+// stateTable maps each state to its transition function. Centralized here so
+// nextState stays trivial and each rule is easy to read in isolation.
+var stateTable = map[TCPState]stateTransition{
+	TCPStateNew:         transNew,
+	TCPStateSynSent:     transSynSent,
+	TCPStateSynReceived: transSynReceived,
+	TCPStateEstablished: transEstablished,
+	TCPStateFinWait1:    transFinWait1,
+	TCPStateFinWait2:    transFinWait2,
+	TCPStateClosing:     transClosing,
+	TCPStateCloseWait:   transCloseWait,
+	TCPStateLastAck:     transLastAck,
+}

-	case TCPStateFinWait1:
-		if packetDir != conn.Direction {
-			switch {
-			case flags&TCPFin != 0 && flags&TCPAck != 0:
-				newState = TCPStateClosing
-			case flags&TCPFin != 0:
-				newState = TCPStateClosing
-			case flags&TCPAck != 0:
-				newState = TCPStateFinWait2
-			}
-		}
+// nextState returns the target TCP state for the given current state and
+// packet, or 0 if the packet does not trigger a transition.
+func nextState(currentState TCPState, connDir, packetDir nftypes.Direction, flags uint8) TCPState {
+	fn, ok := stateTable[currentState]
+	if !ok {
+		return 0
+	}
+	return fn(flags, connDir, packetDir == connDir)
+}

-	case TCPStateFinWait2:
-		if flags&TCPFin != 0 {
-			newState = TCPStateTimeWait
+func transNew(flags uint8, connDir nftypes.Direction, _ bool) TCPState {
+	if flags&TCPSyn != 0 && flags&TCPAck == 0 {
+		if connDir == nftypes.Egress {
+			return TCPStateSynSent
 		}
+		return TCPStateSynReceived
+	}
+	return 0
+}

-	case TCPStateClosing:
-		if flags&TCPAck != 0 {
-			newState = TCPStateTimeWait
+func transSynSent(flags uint8, _ nftypes.Direction, same bool) TCPState {
+	if flags&TCPSyn != 0 && flags&TCPAck != 0 {
+		if same {
+			return TCPStateSynReceived // simultaneous open
 		}
+		return TCPStateEstablished
+	}
+	return 0
+}

-	case TCPStateCloseWait:
-		if flags&TCPFin != 0 {
-			newState = TCPStateLastAck
-		}
+func transSynReceived(flags uint8, _ nftypes.Direction, same bool) TCPState {
+	if flags&TCPAck != 0 && flags&TCPSyn == 0 && same {
+		return TCPStateEstablished
+	}
+	return 0
+}

-	case TCPStateLastAck:
-		if flags&TCPAck != 0 {
-			newState = TCPStateClosed
-		}
+func transEstablished(flags uint8, _ nftypes.Direction, same bool) TCPState {
+	if flags&TCPFin == 0 {
+		return 0
+	}
+	if same {
+		return TCPStateFinWait1
+	}
+	return TCPStateCloseWait
+}
+
+// transFinWait1 handles the active-close peer response. A FIN carrying our
+// ACK piggybacked goes straight to TIME-WAIT (RFC 9293 §3.10.7.4, FIN-WAIT-1:
+// "if our FIN has been ACKed... enter the TIME-WAIT state"); a lone FIN moves
+// to CLOSING; a pure ACK of our FIN moves to FIN-WAIT-2.
+func transFinWait1(flags uint8, _ nftypes.Direction, same bool) TCPState {
+	if same {
+		return 0
+	}
+	if flags&TCPFin != 0 && flags&TCPAck != 0 {
+		return TCPStateTimeWait
+	}
+	switch {
+	case flags&TCPFin != 0:
+		return TCPStateClosing
+	case flags&TCPAck != 0:
+		return TCPStateFinWait2
+	}
+	return 0
+}
+
+// transFinWait2 ignores own-side FIN retransmits; only the peer's FIN advances.
+func transFinWait2(flags uint8, _ nftypes.Direction, same bool) TCPState {
+	if flags&TCPFin != 0 && !same {
+		return TCPStateTimeWait
+	}
+	return 0
+}
+
+// transClosing completes a simultaneous close on the peer's ACK.
+func transClosing(flags uint8, _ nftypes.Direction, same bool) TCPState {
+	if flags&TCPAck != 0 && !same {
+		return TCPStateTimeWait
+	}
+	return 0
+}
+
+// transCloseWait only advances to LastAck when WE send FIN, ignoring peer retransmits.
+func transCloseWait(flags uint8, _ nftypes.Direction, same bool) TCPState {
+	if flags&TCPFin != 0 && same {
+		return TCPStateLastAck
+	}
+	return 0
+}
+
+// transLastAck closes the flow only on the peer's ACK (not our own ACK retransmits).
+func transLastAck(flags uint8, _ nftypes.Direction, same bool) TCPState {
+	if flags&TCPAck != 0 && !same {
+		return TCPStateClosed
+	}
+	return 0
+}
+
+// onTransition handles logging and flow-event emission after a successful
+// state transition. TimeWait and Closed are terminal for flow accounting.
+func (t *TCPTracker) onTransition(key ConnKey, conn *TCPConnTrack, from, to TCPState, packetDir nftypes.Direction) {
+	traceOn := t.logger.Enabled(nblog.LevelTrace)
+	if traceOn {
+		t.logger.Trace4("TCP connection %s transitioned from %s to %s (dir: %s)", key, from, to, packetDir)
 	}

-	if newState != 0 && conn.CompareAndSwapState(currentState, newState) {
-		t.logger.Trace4("TCP connection %s transitioned from %s to %s (dir: %s)", key, currentState, newState, packetDir)
-
-		switch newState {
-		case TCPStateTimeWait:
+	switch to {
+	case TCPStateTimeWait:
+		if traceOn {
 			t.logger.Trace5("TCP connection %s completed [in: %d Pkts/%d B, out: %d Pkts/%d B]",
 				key, conn.PacketsRx.Load(), conn.BytesRx.Load(), conn.PacketsTx.Load(), conn.BytesTx.Load())
-			t.sendEvent(nftypes.TypeEnd, conn, nil)
-
-		case TCPStateClosed:
-			conn.SetTombstone()
+		}
+		t.sendEvent(nftypes.TypeEnd, conn, nil)
+	case TCPStateClosed:
+		conn.SetTombstone()
+		if traceOn {
 			t.logger.Trace5("TCP connection %s closed gracefully [in: %d Pkts/%d, B out: %d Pkts/%d B]",
 				key, conn.PacketsRx.Load(), conn.BytesRx.Load(), conn.PacketsTx.Load(), conn.BytesTx.Load())
-			t.sendEvent(nftypes.TypeEnd, conn, nil)
 		}
+		t.sendEvent(nftypes.TypeEnd, conn, nil)
 	}
 }

-// isValidStateForFlags checks if the TCP flags are valid for the current connection state
+// isValidStateForFlags checks if the TCP flags are valid for the current
+// connection state. Caller must have already verified the flag combination is
+// legal via isValidFlagCombination.
 func (t *TCPTracker) isValidStateForFlags(state TCPState, flags uint8) bool {
-	if !isValidFlagCombination(flags) {
-		return false
-	}
 	if flags&TCPRst != 0 {
 		if state == TCPStateSynSent {
 			return flags&TCPAck != 0
@@ -449,15 +628,24 @@ func (t *TCPTracker) cleanup() {
 			timeout = t.waitTimeout
 		case TCPStateEstablished:
 			timeout = t.timeout
+		case TCPStateFinWait1, TCPStateFinWait2, TCPStateClosing:
+			timeout = t.finWaitTimeout
+		case TCPStateCloseWait:
+			timeout = t.closeWaitTimeout
+		case TCPStateLastAck:
+			timeout = t.lastAckTimeout
 		default:
+			// SynSent / SynReceived / New
 			timeout = TCPHandshakeTimeout
 		}

 		if conn.timeoutExceeded(timeout) {
 			delete(t.connections, key)

-			t.logger.Trace6("Cleaned up timed-out TCP connection %s (%s) [in: %d Pkts/%d, B out: %d Pkts/%d B]",
-				key, conn.GetState(), conn.PacketsRx.Load(), conn.BytesRx.Load(), conn.PacketsTx.Load(), conn.BytesTx.Load())
+			if t.logger.Enabled(nblog.LevelTrace) {
+				t.logger.Trace6("Cleaned up timed-out TCP connection %s (%s) [in: %d Pkts/%d, B out: %d Pkts/%d B]",
+					key, conn.GetState(), conn.PacketsRx.Load(), conn.BytesRx.Load(), conn.PacketsTx.Load(), conn.BytesTx.Load())
+			}

 			// event already handled by state change
 			if currentState != TCPStateTimeWait {
--- a/client/firewall/uspfilter/conntrack/tcp_rst_bugs_test.go
+++ b/client/firewall/uspfilter/conntrack/tcp_rst_bugs_test.go
@@ -0,0 +1,100 @@
+package conntrack
+
+import (
+	"net/netip"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+// RST hygiene tests: the tracker currently closes the flow on any RST that
+// matches the 4-tuple, regardless of direction or state. These tests cover
+// the minimum checks we want (no SEQ tracking).
+
+func TestTCPRstInSynSentWrongDirection(t *testing.T) {
+	tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
+	defer tracker.Close()
+
+	srcIP := netip.MustParseAddr("100.64.0.1")
+	dstIP := netip.MustParseAddr("100.64.0.2")
+	srcPort := uint16(12345)
+	dstPort := uint16(80)
+	key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
+
+	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPSyn, 0)
+	conn := tracker.connections[key]
+	require.Equal(t, TCPStateSynSent, conn.GetState())
+
+	// A RST arriving in the same direction as the SYN (i.e. TrackOutbound)
+	// cannot be a legitimate response. It must not close the connection.
+	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPRst|TCPAck, 0)
+	require.Equal(t, TCPStateSynSent, conn.GetState(),
+		"RST in same direction as SYN must not close connection")
+	require.False(t, conn.IsTombstone())
+}
+
+func TestTCPRstInTimeWaitIgnored(t *testing.T) {
+	tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
+	defer tracker.Close()
+
+	srcIP := netip.MustParseAddr("100.64.0.1")
+	dstIP := netip.MustParseAddr("100.64.0.2")
+	srcPort := uint16(12345)
+	dstPort := uint16(80)
+	key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
+
+	// Drive to TIME-WAIT via active close.
+	establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
+	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
+	require.True(t, tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0))
+	require.True(t, tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0))
+	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
+
+	conn := tracker.connections[key]
+	require.Equal(t, TCPStateTimeWait, conn.GetState())
+	require.False(t, conn.IsTombstone(), "TIME-WAIT must not be tombstoned")
+
+	// Late RST during TIME-WAIT must not tombstone the entry (TIME-WAIT
+	// exists to absorb late segments).
+	tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPRst, 0)
+	require.Equal(t, TCPStateTimeWait, conn.GetState(),
+		"RST in TIME-WAIT must not transition state")
+	require.False(t, conn.IsTombstone(),
+		"RST in TIME-WAIT must not tombstone the entry")
+}
+
+func TestTCPIllegalFlagCombos(t *testing.T) {
+	tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
+	defer tracker.Close()
+
+	srcIP := netip.MustParseAddr("100.64.0.1")
+	dstIP := netip.MustParseAddr("100.64.0.2")
+	srcPort := uint16(12345)
+	dstPort := uint16(80)
+	key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
+
+	establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
+	conn := tracker.connections[key]
+
+	// Illegal combos must be rejected and must not change state.
+	combos := []struct {
+		name  string
+		flags uint8
+	}{
+		{"SYN+RST", TCPSyn | TCPRst},
+		{"FIN+RST", TCPFin | TCPRst},
+		{"SYN+FIN", TCPSyn | TCPFin},
+		{"SYN+FIN+RST", TCPSyn | TCPFin | TCPRst},
+	}
+
+	for _, c := range combos {
+		t.Run(c.name, func(t *testing.T) {
+			before := conn.GetState()
+			valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, c.flags, 0)
+			require.False(t, valid, "illegal flag combo must be rejected: %s", c.name)
+			require.Equal(t, before, conn.GetState(),
+				"illegal flag combo must not change state")
+			require.False(t, conn.IsTombstone())
+		})
+	}
+}
--- a/client/firewall/uspfilter/conntrack/tcp_state_bugs_test.go
+++ b/client/firewall/uspfilter/conntrack/tcp_state_bugs_test.go
@@ -0,0 +1,235 @@
+package conntrack
+
+import (
+	"net/netip"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+)
+
+// These tests exercise cases where the TCP state machine currently advances
+// on retransmitted or wrong-direction segments and tears the flow down
+// prematurely. They are expected to fail until the direction checks are added.
+
+func TestTCPCloseWaitRetransmittedPeerFIN(t *testing.T) {
+	tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
+	defer tracker.Close()
+
+	srcIP := netip.MustParseAddr("100.64.0.1")
+	dstIP := netip.MustParseAddr("100.64.0.2")
+	srcPort := uint16(12345)
+	dstPort := uint16(80)
+	key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
+
+	establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
+
+	// Peer sends FIN -> CloseWait (our app has not yet closed).
+	valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
+	require.True(t, valid)
+	conn := tracker.connections[key]
+	require.Equal(t, TCPStateCloseWait, conn.GetState())
+
+	// Peer retransmits their FIN (ACK may have been delayed). We have NOT
+	// sent our FIN yet, so state must remain CloseWait.
+	valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
+	require.True(t, valid, "retransmitted peer FIN must still be accepted")
+	require.Equal(t, TCPStateCloseWait, conn.GetState(),
+		"retransmitted peer FIN must not advance CloseWait to LastAck")
+
+	// Our app finally closes -> LastAck.
+	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
+	require.Equal(t, TCPStateLastAck, conn.GetState())
+
+	// Peer ACK closes.
+	valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
+	require.True(t, valid)
+	require.Equal(t, TCPStateClosed, conn.GetState())
+}
+
+func TestTCPFinWait2RetransmittedOwnFIN(t *testing.T) {
+	tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
+	defer tracker.Close()
+
+	srcIP := netip.MustParseAddr("100.64.0.1")
+	dstIP := netip.MustParseAddr("100.64.0.2")
+	srcPort := uint16(12345)
+	dstPort := uint16(80)
+	key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
+
+	establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
+
+	// We initiate close.
+	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
+	valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
+	require.True(t, valid)
+	conn := tracker.connections[key]
+	require.Equal(t, TCPStateFinWait2, conn.GetState())
+
+	// Stray retransmit of our own FIN (same direction as originator) must
+	// NOT advance FinWait2 to TimeWait; only the peer's FIN should.
+	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
+	require.Equal(t, TCPStateFinWait2, conn.GetState(),
+		"own FIN retransmit must not advance FinWait2 to TimeWait")
+
+	// Peer FIN -> TimeWait.
+	valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
+	require.True(t, valid)
+	require.Equal(t, TCPStateTimeWait, conn.GetState())
+}
+
+func TestTCPLastAckDirectionCheck(t *testing.T) {
+	tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
+	defer tracker.Close()
+
+	srcIP := netip.MustParseAddr("100.64.0.1")
+	dstIP := netip.MustParseAddr("100.64.0.2")
+	srcPort := uint16(12345)
+	dstPort := uint16(80)
+	key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
+
+	establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
+
+	// Drive to LastAck: peer FIN -> CloseWait, our FIN -> LastAck.
+	require.True(t, tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0))
+	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
+	conn := tracker.connections[key]
+	require.Equal(t, TCPStateLastAck, conn.GetState())
+
+	// Our own ACK retransmit (same direction as originator) must NOT close.
+	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
+	require.Equal(t, TCPStateLastAck, conn.GetState(),
+		"own ACK retransmit in LastAck must not transition to Closed")
+
+	// Peer's ACK -> Closed.
+	require.True(t, tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0))
+	require.Equal(t, TCPStateClosed, conn.GetState())
+}
+
+func TestTCPFinWait1OwnAckDoesNotAdvance(t *testing.T) {
+	tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
+	defer tracker.Close()
+
+	srcIP := netip.MustParseAddr("100.64.0.1")
+	dstIP := netip.MustParseAddr("100.64.0.2")
+	srcPort := uint16(12345)
+	dstPort := uint16(80)
+	key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
+
+	establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
+
+	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
+	conn := tracker.connections[key]
+	require.Equal(t, TCPStateFinWait1, conn.GetState())
+
+	// Our own ACK retransmit (same direction as originator) must not advance.
+	tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
+	require.Equal(t, TCPStateFinWait1, conn.GetState(),
+		"own ACK in FinWait1 must not advance to FinWait2")
+}
+
+func TestTCPPerStateTeardownTimeouts(t *testing.T) {
+	// Verify cleanup reaps entries in each teardown state at the configured
+	// per-state timeout, not at the single handshake timeout.
+	t.Setenv(EnvTCPFinWaitTimeout, "50ms")
+	t.Setenv(EnvTCPCloseWaitTimeout, "80ms")
+	t.Setenv(EnvTCPLastAckTimeout, "30ms")
+
+	dstIP := netip.MustParseAddr("100.64.0.2")
+	dstPort := uint16(80)
+
+	// Drives a connection to the target state, forces its lastSeen well
+	// beyond the configured timeout, runs cleanup, and asserts reaping.
+	cases := []struct {
+		name string
+		// drive takes a fresh tracker and returns the conn key after
+		// transitioning the flow into the intended teardown state.
+		drive func(t *testing.T, tr *TCPTracker, srcIP netip.Addr, srcPort uint16) (ConnKey, TCPState)
+	}{
+		{
+			name: "FinWait1",
+			drive: func(t *testing.T, tr *TCPTracker, srcIP netip.Addr, srcPort uint16) (ConnKey, TCPState) {
+				establishConnection(t, tr, srcIP, dstIP, srcPort, dstPort)
+				tr.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0) // → FinWait1
+				return ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}, TCPStateFinWait1
+			},
+		},
+		{
+			name: "FinWait2",
+			drive: func(t *testing.T, tr *TCPTracker, srcIP netip.Addr, srcPort uint16) (ConnKey, TCPState) {
+				establishConnection(t, tr, srcIP, dstIP, srcPort, dstPort)
+				tr.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)              // FinWait1
+				require.True(t, tr.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0))   // → FinWait2
+				return ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}, TCPStateFinWait2
+			},
+		},
+		{
+			name: "CloseWait",
+			drive: func(t *testing.T, tr *TCPTracker, srcIP netip.Addr, srcPort uint16) (ConnKey, TCPState) {
+				establishConnection(t, tr, srcIP, dstIP, srcPort, dstPort)
+				require.True(t, tr.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)) // → CloseWait
+				return ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}, TCPStateCloseWait
+			},
+		},
+		{
+			name: "LastAck",
+			drive: func(t *testing.T, tr *TCPTracker, srcIP netip.Addr, srcPort uint16) (ConnKey, TCPState) {
+				establishConnection(t, tr, srcIP, dstIP, srcPort, dstPort)
+				require.True(t, tr.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)) // CloseWait
+				tr.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)                   // → LastAck
+				return ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}, TCPStateLastAck
+			},
+		},
+	}
+
+	// Use a unique source port per subtest so nothing aliases.
+	port := uint16(12345)
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
+			defer tracker.Close()
+
+			require.Equal(t, 50*time.Millisecond, tracker.finWaitTimeout)
+			require.Equal(t, 80*time.Millisecond, tracker.closeWaitTimeout)
+			require.Equal(t, 30*time.Millisecond, tracker.lastAckTimeout)
+
+			srcIP := netip.MustParseAddr("100.64.0.1")
+			port++
+			key, wantState := c.drive(t, tracker, srcIP, port)
+			conn := tracker.connections[key]
+			require.NotNil(t, conn)
+			require.Equal(t, wantState, conn.GetState())
+
+			// Age the entry past the largest per-state timeout.
+			conn.lastSeen.Store(time.Now().Add(-500 * time.Millisecond).UnixNano())
+			tracker.cleanup()
+			_, exists := tracker.connections[key]
+			require.False(t, exists, "%s entry should be reaped", c.name)
+		})
+	}
+}
+
+func TestTCPEstablishedPSHACKInFinStates(t *testing.T) {
+	// Verifies FIN|PSH|ACK and bare ACK keepalives are not dropped in FIN
+	// teardown states, which some stacks emit during close.
+	tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
+	defer tracker.Close()
+
+	srcIP := netip.MustParseAddr("100.64.0.1")
+	dstIP := netip.MustParseAddr("100.64.0.2")
+	srcPort := uint16(12345)
+	dstPort := uint16(80)
+
+	establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
+
+	// Peer FIN -> CloseWait.
+	require.True(t, tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0))
+
+	// Peer pushes trailing data + FIN|PSH|ACK (legal).
+	require.True(t, tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPPush|TCPAck, 100),
+		"FIN|PSH|ACK in CloseWait must be accepted")
+
+	// Bare ACK keepalive from peer in CloseWait must be accepted.
+	require.True(t, tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0),
+		"bare ACK in CloseWait must be accepted")
+}
--- a/client/firewall/uspfilter/conntrack/udp.go
+++ b/client/firewall/uspfilter/conntrack/udp.go
@@ -17,6 +17,9 @@ const (
 	DefaultUDPTimeout = 30 * time.Second
 	// UDPCleanupInterval is how often we check for stale connections
 	UDPCleanupInterval = 15 * time.Second
+
+	// EnvUDPMaxEntries caps the UDP conntrack table size.
+	EnvUDPMaxEntries = "NB_CONNTRACK_UDP_MAX"
 )

 // UDPConnTrack represents a UDP connection state
@@ -34,6 +37,7 @@ type UDPTracker struct {
 	cleanupTicker *time.Ticker
 	tickerCancel  context.CancelFunc
 	mutex         sync.RWMutex
+	maxEntries    int
 	flowLogger    nftypes.FlowLogger
 }

@@ -51,6 +55,7 @@ func NewUDPTracker(timeout time.Duration, logger *nblog.Logger, flowLogger nftyp
 		timeout:       timeout,
 		cleanupTicker: time.NewTicker(UDPCleanupInterval),
 		tickerCancel:  cancel,
+		maxEntries:    envInt(logger, EnvUDPMaxEntries, DefaultMaxUDPEntries),
 		flowLogger:    flowLogger,
 	}

@@ -117,13 +122,18 @@ func (t *UDPTracker) track(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, d
 	conn.UpdateCounters(direction, size)

 	t.mutex.Lock()
+	if t.maxEntries > 0 && len(t.connections) >= t.maxEntries {
+		t.evictOneLocked()
+	}
 	t.connections[key] = conn
 	t.mutex.Unlock()

-	if origPort != 0 {
-		t.logger.Trace4("New %s UDP connection: %s (port DNAT %d -> %d)", direction, key, origPort, dstPort)
-	} else {
-		t.logger.Trace2("New %s UDP connection: %s", direction, key)
+	if t.logger.Enabled(nblog.LevelTrace) {
+		if origPort != 0 {
+			t.logger.Trace4("New %s UDP connection: %s (port DNAT %d -> %d)", direction, key, origPort, dstPort)
+		} else {
+			t.logger.Trace2("New %s UDP connection: %s", direction, key)
+		}
 	}
 	t.sendEvent(nftypes.TypeStart, conn, ruleID)
 }
@@ -151,6 +161,34 @@ func (t *UDPTracker) IsValidInbound(srcIP netip.Addr, dstIP netip.Addr, srcPort
 	return true
 }

+// evictOneLocked removes one entry to make room. Caller must hold t.mutex.
+// Bounded sample: picks the oldest among up to evictSampleSize entries.
+func (t *UDPTracker) evictOneLocked() {
+	var candKey ConnKey
+	var candSeen int64
+	haveCand := false
+	sampled := 0
+
+	for k, c := range t.connections {
+		seen := c.lastSeen.Load()
+		if !haveCand || seen < candSeen {
+			candKey = k
+			candSeen = seen
+			haveCand = true
+		}
+		sampled++
+		if sampled >= evictSampleSize {
+			break
+		}
+	}
+	if haveCand {
+		if evicted := t.connections[candKey]; evicted != nil {
+			t.sendEvent(nftypes.TypeEnd, evicted, nil)
+		}
+		delete(t.connections, candKey)
+	}
+}
+
 // cleanupRoutine periodically removes stale connections
 func (t *UDPTracker) cleanupRoutine(ctx context.Context) {
 	defer t.cleanupTicker.Stop()
@@ -173,8 +211,10 @@ func (t *UDPTracker) cleanup() {
 		if conn.timeoutExceeded(t.timeout) {
 			delete(t.connections, key)

-			t.logger.Trace5("Removed UDP connection %s (timeout) [in: %d Pkts/%d B, out: %d Pkts/%d B]",
-				key, conn.PacketsRx.Load(), conn.BytesRx.Load(), conn.PacketsTx.Load(), conn.BytesTx.Load())
+			if t.logger.Enabled(nblog.LevelTrace) {
+				t.logger.Trace5("Removed UDP connection %s (timeout) [in: %d Pkts/%d B, out: %d Pkts/%d B]",
+					key, conn.PacketsRx.Load(), conn.BytesRx.Load(), conn.PacketsTx.Load(), conn.BytesTx.Load())
+			}
 			t.sendEvent(nftypes.TypeEnd, conn, nil)
 		}
 	}
--- a/client/firewall/uspfilter/filter.go
+++ b/client/firewall/uspfilter/filter.go
--- a/client/firewall/uspfilter/filter_bench_test.go
+++ b/client/firewall/uspfilter/filter_bench_test.go
@@ -94,7 +94,7 @@ func BenchmarkCoreFiltering(b *testing.B) {
 			stateful: false,
 			setupFunc: func(m *Manager) {
 				// Single rule allowing all traffic
-				_, err := m.AddPeerFiltering(nil, net.ParseIP("0.0.0.0"), fw.ProtocolALL, nil, nil, fw.ActionAccept, "")
+				_, err := m.AddFilterRule(nil, pfx(net.ParseIP("0.0.0.0")), fw.Network{}, fw.ProtocolALL, nil, nil, fw.ActionAccept)
 				require.NoError(b, err)
 			},
 			desc: "Baseline: Single 'allow all' rule without connection tracking",
@@ -114,15 +114,13 @@ func BenchmarkCoreFiltering(b *testing.B) {
 				// Add explicit rules matching return traffic pattern
 				for i := 0; i < 1000; i++ { // Simulate realistic ruleset size
 					ip := generateRandomIPs(1)[0]
-					_, err := m.AddPeerFiltering(
+					_, err := m.AddFilterRule(
 						nil,
-						ip,
+						pfx(ip), fw.Network{},
 						fw.ProtocolTCP,
 						&fw.Port{Values: []uint16{uint16(1024 + i)}},
 						&fw.Port{Values: []uint16{80}},
-						fw.ActionAccept,
-						"",
-					)
+						fw.ActionAccept)
 					require.NoError(b, err)
 				}
 			},
@@ -133,15 +131,13 @@ func BenchmarkCoreFiltering(b *testing.B) {
 			stateful: true,
 			setupFunc: func(m *Manager) {
 				// Add some basic rules but rely on state for established connections
-				_, err := m.AddPeerFiltering(
+				_, err := m.AddFilterRule(
 					nil,
-					net.ParseIP("0.0.0.0"),
+					pfx(net.ParseIP("0.0.0.0")), fw.Network{},
 					fw.ProtocolTCP,
 					nil,
 					nil,
-					fw.ActionDrop,
-					"",
-				)
+					fw.ActionDrop)
 				require.NoError(b, err)
 			},
 			desc: "Connection tracking with established connections",
@@ -170,7 +166,7 @@ func BenchmarkCoreFiltering(b *testing.B) {
 				// Create manager and basic setup
 				manager, _ := Create(&IFaceMock{
 					SetFilterFunc: func(device.PacketFilter) error { return nil },
-				}, false, flowLogger, iface.DefaultMTU)
+				}, nil, false, flowLogger, iface.DefaultMTU)
 				defer b.Cleanup(func() {
 					require.NoError(b, manager.Close(nil))
 				})
@@ -210,7 +206,7 @@ func BenchmarkStateScaling(b *testing.B) {
 		b.Run(fmt.Sprintf("conns_%d", count), func(b *testing.B) {
 			manager, _ := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger, iface.DefaultMTU)
+			}, nil, false, flowLogger, iface.DefaultMTU)
 			b.Cleanup(func() {
 				require.NoError(b, manager.Close(nil))
 			})
@@ -253,7 +249,7 @@ func BenchmarkEstablishmentOverhead(b *testing.B) {
 		b.Run(sc.name, func(b *testing.B) {
 			manager, _ := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger, iface.DefaultMTU)
+			}, nil, false, flowLogger, iface.DefaultMTU)
 			b.Cleanup(func() {
 				require.NoError(b, manager.Close(nil))
 			})
@@ -411,7 +407,7 @@ func BenchmarkRoutedNetworkReturn(b *testing.B) {
 		b.Run(sc.name, func(b *testing.B) {
 			manager, _ := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger, iface.DefaultMTU)
+			}, nil, false, flowLogger, iface.DefaultMTU)
 			b.Cleanup(func() {
 				require.NoError(b, manager.Close(nil))
 			})
@@ -538,7 +534,7 @@ func BenchmarkLongLivedConnections(b *testing.B) {

 			manager, _ := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger, iface.DefaultMTU)
+			}, nil, false, flowLogger, iface.DefaultMTU)
 			defer b.Cleanup(func() {
 				require.NoError(b, manager.Close(nil))
 			})
@@ -546,7 +542,7 @@ func BenchmarkLongLivedConnections(b *testing.B) {
 			// Setup initial state based on scenario
 			if sc.rules {
 				// Single rule to allow all return traffic from port 80
-				_, err := manager.AddPeerFiltering(nil, net.ParseIP("0.0.0.0"), fw.ProtocolTCP, &fw.Port{Values: []uint16{80}}, nil, fw.ActionAccept, "")
+				_, err := manager.AddFilterRule(nil, pfx(net.ParseIP("0.0.0.0")), fw.Network{}, fw.ProtocolTCP, &fw.Port{Values: []uint16{80}}, nil, fw.ActionAccept)
 				require.NoError(b, err)
 			}

@@ -621,7 +617,7 @@ func BenchmarkShortLivedConnections(b *testing.B) {

 			manager, _ := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger, iface.DefaultMTU)
+			}, nil, false, flowLogger, iface.DefaultMTU)
 			defer b.Cleanup(func() {
 				require.NoError(b, manager.Close(nil))
 			})
@@ -629,7 +625,7 @@ func BenchmarkShortLivedConnections(b *testing.B) {
 			// Setup initial state based on scenario
 			if sc.rules {
 				// Single rule to allow all return traffic from port 80
-				_, err := manager.AddPeerFiltering(nil, net.ParseIP("0.0.0.0"), fw.ProtocolTCP, &fw.Port{Values: []uint16{80}}, nil, fw.ActionAccept, "")
+				_, err := manager.AddFilterRule(nil, pfx(net.ParseIP("0.0.0.0")), fw.Network{}, fw.ProtocolTCP, &fw.Port{Values: []uint16{80}}, nil, fw.ActionAccept)
 				require.NoError(b, err)
 			}

@@ -732,14 +728,14 @@ func BenchmarkParallelLongLivedConnections(b *testing.B) {

 			manager, _ := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger, iface.DefaultMTU)
+			}, nil, false, flowLogger, iface.DefaultMTU)
 			defer b.Cleanup(func() {
 				require.NoError(b, manager.Close(nil))
 			})

 			// Setup initial state based on scenario
 			if sc.rules {
-				_, err := manager.AddPeerFiltering(nil, net.ParseIP("0.0.0.0"), fw.ProtocolTCP, &fw.Port{Values: []uint16{80}}, nil, fw.ActionAccept, "")
+				_, err := manager.AddFilterRule(nil, pfx(net.ParseIP("0.0.0.0")), fw.Network{}, fw.ProtocolTCP, &fw.Port{Values: []uint16{80}}, nil, fw.ActionAccept)
 				require.NoError(b, err)
 			}

@@ -812,13 +808,13 @@ func BenchmarkParallelShortLivedConnections(b *testing.B) {

 			manager, _ := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger, iface.DefaultMTU)
+			}, nil, false, flowLogger, iface.DefaultMTU)
 			defer b.Cleanup(func() {
 				require.NoError(b, manager.Close(nil))
 			})

 			if sc.rules {
-				_, err := manager.AddPeerFiltering(nil, net.ParseIP("0.0.0.0"), fw.ProtocolTCP, &fw.Port{Values: []uint16{80}}, nil, fw.ActionAccept, "")
+				_, err := manager.AddFilterRule(nil, pfx(net.ParseIP("0.0.0.0")), fw.Network{}, fw.ProtocolTCP, &fw.Port{Values: []uint16{80}}, nil, fw.ActionAccept)
 				require.NoError(b, err)
 			}

@@ -931,7 +927,7 @@ func BenchmarkRouteACLs(b *testing.B) {

 	for _, r := range rules {
 		dst := fw.Network{Prefix: r.dest}
-		_, err := manager.AddRouteFiltering(nil, r.sources, dst, r.proto, nil, r.port, fw.ActionAccept)
+		_, err := manager.AddFilterRule(nil, r.sources, dst, r.proto, nil, r.port, fw.ActionAccept)
 		if err != nil {
 			b.Fatal(err)
 		}
@@ -1016,14 +1012,15 @@ func BenchmarkMSSClamping(b *testing.B) {
 		b.Run(sc.name, func(b *testing.B) {
 			manager, err := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger, iface.DefaultMTU)
+			}, nil, false, flowLogger, iface.DefaultMTU)
 			require.NoError(b, err)
 			defer func() {
 				require.NoError(b, manager.Close(nil))
 			}()

 			manager.mssClampEnabled = true
-			manager.mssClampValue = 1240
+			manager.mssClampValueIPv4 = 1240
+			manager.mssClampValueIPv6 = 1220

 			srcIP := net.ParseIP("100.64.0.2")
 			dstIP := net.ParseIP("8.8.8.8")
@@ -1080,7 +1077,7 @@ func BenchmarkMSSClampingOverhead(b *testing.B) {
 		b.Run(sc.name, func(b *testing.B) {
 			manager, err := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger, iface.DefaultMTU)
+			}, nil, false, flowLogger, iface.DefaultMTU)
 			require.NoError(b, err)
 			defer func() {
 				require.NoError(b, manager.Close(nil))
@@ -1088,7 +1085,8 @@ func BenchmarkMSSClampingOverhead(b *testing.B) {

 			manager.mssClampEnabled = sc.enabled
 			if sc.enabled {
-				manager.mssClampValue = 1240
+				manager.mssClampValueIPv4 = 1240
+				manager.mssClampValueIPv6 = 1220
 			}

 			srcIP := net.ParseIP("100.64.0.2")
@@ -1134,14 +1132,15 @@ func BenchmarkMSSClampingMemory(b *testing.B) {
 		b.Run(sc.name, func(b *testing.B) {
 			manager, err := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger, iface.DefaultMTU)
+			}, nil, false, flowLogger, iface.DefaultMTU)
 			require.NoError(b, err)
 			defer func() {
 				require.NoError(b, manager.Close(nil))
 			}()

 			manager.mssClampEnabled = true
-			manager.mssClampValue = 1240
+			manager.mssClampValueIPv4 = 1240
+			manager.mssClampValueIPv6 = 1220

 			srcIP := net.ParseIP("100.64.0.2")
 			dstIP := net.ParseIP("8.8.8.8")
--- a/client/firewall/uspfilter/filter_filter_test.go
+++ b/client/firewall/uspfilter/filter_filter_test.go
@@ -32,7 +32,7 @@ func TestPeerACLFiltering(t *testing.T) {
 		},
 	}

-	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
+	manager, err := Create(ifaceMock, nil, false, flowLogger, iface.DefaultMTU)
 	require.NoError(t, err)
 	require.NotNil(t, manager)

@@ -496,40 +496,32 @@ func TestPeerACLFiltering(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			if tc.ruleAction == fw.ActionDrop {
 				// add general accept rule for the same IP to test drop rule precedence
-				rules, err := manager.AddPeerFiltering(
+				rules, err := manager.AddFilterRule(
 					nil,
-					net.ParseIP(tc.ruleIP),
+					pfx(net.ParseIP(tc.ruleIP)), fw.Network{},
 					fw.ProtocolALL,
 					nil,
 					nil,
-					fw.ActionAccept,
-					"",
-				)
+					fw.ActionAccept)
 				require.NoError(t, err)
-				require.NotEmpty(t, rules)
+				require.NotNil(t, rules)
 				t.Cleanup(func() {
-					for _, rule := range rules {
-						require.NoError(t, manager.DeletePeerRule(rule))
-					}
+					require.NoError(t, manager.DeleteFilterRule(rules))
 				})
 			}

-			rules, err := manager.AddPeerFiltering(
+			rules, err := manager.AddFilterRule(
 				nil,
-				net.ParseIP(tc.ruleIP),
+				pfx(net.ParseIP(tc.ruleIP)), fw.Network{},
 				tc.ruleProto,
 				tc.ruleSrcPort,
 				tc.ruleDstPort,
-				tc.ruleAction,
-				"",
-			)
+				tc.ruleAction)
 			require.NoError(t, err)
-			require.NotEmpty(t, rules)
+			require.NotNil(t, rules)

 			t.Cleanup(func() {
-				for _, rule := range rules {
-					require.NoError(t, manager.DeletePeerRule(rule))
-				}
+				require.NoError(t, manager.DeleteFilterRule(rules))
 			})

 			packet := createTestPacket(t, tc.srcIP, tc.dstIP, tc.proto, tc.srcPort, tc.dstPort)
@@ -539,53 +531,232 @@ func TestPeerACLFiltering(t *testing.T) {
 	}
 }

+func TestPeerACLFilteringIPv6(t *testing.T) {
+	localIP := netip.MustParseAddr("100.10.0.100")
+	localIPv6 := netip.MustParseAddr("fd00::100")
+	wgNet := netip.MustParsePrefix("100.10.0.0/16")
+	wgNetV6 := netip.MustParsePrefix("fd00::/64")
+
+	ifaceMock := &IFaceMock{
+		SetFilterFunc: func(device.PacketFilter) error { return nil },
+		AddressFunc: func() wgaddr.Address {
+			return wgaddr.Address{
+				IP:      localIP,
+				Network: wgNet,
+				IPv6:    localIPv6,
+				IPv6Net: wgNetV6,
+			}
+		},
+	}
+
+	manager, err := Create(ifaceMock, nil, false, flowLogger, iface.DefaultMTU)
+	require.NoError(t, err)
+	t.Cleanup(func() { require.NoError(t, manager.Close(nil)) })
+
+	err = manager.UpdateLocalIPs()
+	require.NoError(t, err)
+
+	testCases := []struct {
+		name            string
+		srcIP           string
+		dstIP           string
+		proto           fw.Protocol
+		srcPort         uint16
+		dstPort         uint16
+		ruleIP          string
+		ruleProto       fw.Protocol
+		ruleDstPort     *fw.Port
+		ruleAction      fw.Action
+		shouldBeBlocked bool
+	}{
+		{
+			name:            "IPv6: allow TCP from peer",
+			srcIP:           "fd00::1",
+			dstIP:           "fd00::100",
+			proto:           fw.ProtocolTCP,
+			srcPort:         12345,
+			dstPort:         443,
+			ruleIP:          "fd00::1",
+			ruleProto:       fw.ProtocolTCP,
+			ruleDstPort:     &fw.Port{Values: []uint16{443}},
+			ruleAction:      fw.ActionAccept,
+			shouldBeBlocked: false,
+		},
+		{
+			name:            "IPv6: allow UDP from peer",
+			srcIP:           "fd00::1",
+			dstIP:           "fd00::100",
+			proto:           fw.ProtocolUDP,
+			srcPort:         12345,
+			dstPort:         53,
+			ruleIP:          "fd00::1",
+			ruleProto:       fw.ProtocolUDP,
+			ruleDstPort:     &fw.Port{Values: []uint16{53}},
+			ruleAction:      fw.ActionAccept,
+			shouldBeBlocked: false,
+		},
+		{
+			name:            "IPv6: allow ICMPv6 from peer",
+			srcIP:           "fd00::1",
+			dstIP:           "fd00::100",
+			proto:           fw.ProtocolICMP,
+			ruleIP:          "fd00::1",
+			ruleProto:       fw.ProtocolICMP,
+			ruleAction:      fw.ActionAccept,
+			shouldBeBlocked: false,
+		},
+		{
+			name:            "IPv6: block TCP without rule",
+			srcIP:           "fd00::2",
+			dstIP:           "fd00::100",
+			proto:           fw.ProtocolTCP,
+			srcPort:         12345,
+			dstPort:         443,
+			ruleIP:          "fd00::1",
+			ruleProto:       fw.ProtocolTCP,
+			ruleDstPort:     &fw.Port{Values: []uint16{443}},
+			ruleAction:      fw.ActionAccept,
+			shouldBeBlocked: true,
+		},
+		{
+			name:            "IPv6: drop rule",
+			srcIP:           "fd00::1",
+			dstIP:           "fd00::100",
+			proto:           fw.ProtocolTCP,
+			srcPort:         12345,
+			dstPort:         22,
+			ruleIP:          "fd00::1",
+			ruleProto:       fw.ProtocolTCP,
+			ruleDstPort:     &fw.Port{Values: []uint16{22}},
+			ruleAction:      fw.ActionDrop,
+			shouldBeBlocked: true,
+		},
+		{
+			name:            "IPv6: allow all protocols",
+			srcIP:           "fd00::1",
+			dstIP:           "fd00::100",
+			proto:           fw.ProtocolUDP,
+			srcPort:         12345,
+			dstPort:         9999,
+			ruleIP:          "fd00::1",
+			ruleProto:       fw.ProtocolALL,
+			ruleAction:      fw.ActionAccept,
+			shouldBeBlocked: false,
+		},
+		{
+			name:            "IPv6: v4 wildcard ICMP rule matches ICMPv6 via protoLayerMatches",
+			srcIP:           "fd00::1",
+			dstIP:           "fd00::100",
+			proto:           fw.ProtocolICMP,
+			ruleIP:          "0.0.0.0",
+			ruleProto:       fw.ProtocolICMP,
+			ruleAction:      fw.ActionAccept,
+			shouldBeBlocked: false,
+		},
+	}
+
+	t.Run("IPv6 implicit DROP (no rules)", func(t *testing.T) {
+		packet := createTestPacket(t, "fd00::1", "fd00::100", fw.ProtocolTCP, 12345, 443)
+		isDropped := manager.FilterInbound(packet, 0)
+		require.True(t, isDropped, "IPv6 packet should be dropped when no rules exist")
+	})
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			if tc.ruleAction == fw.ActionDrop {
+				rules, err := manager.AddFilterRule(nil, pfx(net.ParseIP(tc.ruleIP)), fw.Network{}, fw.ProtocolALL, nil, nil, fw.ActionAccept)
+				require.NoError(t, err)
+				t.Cleanup(func() {
+					require.NoError(t, manager.DeleteFilterRule(rules))
+				})
+			}
+
+			rules, err := manager.AddFilterRule(nil, pfx(net.ParseIP(tc.ruleIP)), fw.Network{}, tc.ruleProto, nil, tc.ruleDstPort, tc.ruleAction)
+			require.NoError(t, err)
+			require.NotNil(t, rules)
+			t.Cleanup(func() {
+				require.NoError(t, manager.DeleteFilterRule(rules))
+			})
+
+			packet := createTestPacket(t, tc.srcIP, tc.dstIP, tc.proto, tc.srcPort, tc.dstPort)
+			isDropped := manager.FilterInbound(packet, 0)
+			require.Equal(t, tc.shouldBeBlocked, isDropped, "packet filter result mismatch")
+		})
+	}
+}
+
 func createTestPacket(t *testing.T, srcIP, dstIP string, proto fw.Protocol, srcPort, dstPort uint16) []byte {
 	t.Helper()

+	src := net.ParseIP(srcIP)
+	dst := net.ParseIP(dstIP)
+
 	buf := gopacket.NewSerializeBuffer()
 	opts := gopacket.SerializeOptions{
 		ComputeChecksums: true,
 		FixLengths:       true,
 	}

-	ipLayer := &layers.IPv4{
-		Version: 4,
-		TTL:     64,
-		SrcIP:   net.ParseIP(srcIP),
-		DstIP:   net.ParseIP(dstIP),
-	}
+	// Detect address family
+	isV6 := src.To4() == nil

 	var err error
-	switch proto {
-	case fw.ProtocolTCP:
-		ipLayer.Protocol = layers.IPProtocolTCP
-		tcp := &layers.TCP{
-			SrcPort: layers.TCPPort(srcPort),
-			DstPort: layers.TCPPort(dstPort),
-		}
-		err = tcp.SetNetworkLayerForChecksum(ipLayer)
-		require.NoError(t, err)
-		err = gopacket.SerializeLayers(buf, opts, ipLayer, tcp)

-	case fw.ProtocolUDP:
-		ipLayer.Protocol = layers.IPProtocolUDP
-		udp := &layers.UDP{
-			SrcPort: layers.UDPPort(srcPort),
-			DstPort: layers.UDPPort(dstPort),
+	if isV6 {
+		ip6 := &layers.IPv6{
+			Version:  6,
+			HopLimit: 64,
+			SrcIP:    src,
+			DstIP:    dst,
 		}
-		err = udp.SetNetworkLayerForChecksum(ipLayer)
-		require.NoError(t, err)
-		err = gopacket.SerializeLayers(buf, opts, ipLayer, udp)

-	case fw.ProtocolICMP:
-		ipLayer.Protocol = layers.IPProtocolICMPv4
-		icmp := &layers.ICMPv4{
-			TypeCode: layers.CreateICMPv4TypeCode(layers.ICMPv4TypeEchoRequest, 0),
+		switch proto {
+		case fw.ProtocolTCP:
+			ip6.NextHeader = layers.IPProtocolTCP
+			tcp := &layers.TCP{SrcPort: layers.TCPPort(srcPort), DstPort: layers.TCPPort(dstPort)}
+			_ = tcp.SetNetworkLayerForChecksum(ip6)
+			err = gopacket.SerializeLayers(buf, opts, ip6, tcp)
+		case fw.ProtocolUDP:
+			ip6.NextHeader = layers.IPProtocolUDP
+			udp := &layers.UDP{SrcPort: layers.UDPPort(srcPort), DstPort: layers.UDPPort(dstPort)}
+			_ = udp.SetNetworkLayerForChecksum(ip6)
+			err = gopacket.SerializeLayers(buf, opts, ip6, udp)
+		case fw.ProtocolICMP:
+			ip6.NextHeader = layers.IPProtocolICMPv6
+			icmp := &layers.ICMPv6{
+				TypeCode: layers.CreateICMPv6TypeCode(layers.ICMPv6TypeEchoRequest, 0),
+			}
+			_ = icmp.SetNetworkLayerForChecksum(ip6)
+			err = gopacket.SerializeLayers(buf, opts, ip6, icmp)
+		default:
+			err = gopacket.SerializeLayers(buf, opts, ip6)
+		}
+	} else {
+		ip4 := &layers.IPv4{
+			Version: 4,
+			TTL:     64,
+			SrcIP:   src,
+			DstIP:   dst,
 		}
-		err = gopacket.SerializeLayers(buf, opts, ipLayer, icmp)

-	default:
-		err = gopacket.SerializeLayers(buf, opts, ipLayer)
+		switch proto {
+		case fw.ProtocolTCP:
+			ip4.Protocol = layers.IPProtocolTCP
+			tcp := &layers.TCP{SrcPort: layers.TCPPort(srcPort), DstPort: layers.TCPPort(dstPort)}
+			_ = tcp.SetNetworkLayerForChecksum(ip4)
+			err = gopacket.SerializeLayers(buf, opts, ip4, tcp)
+		case fw.ProtocolUDP:
+			ip4.Protocol = layers.IPProtocolUDP
+			udp := &layers.UDP{SrcPort: layers.UDPPort(srcPort), DstPort: layers.UDPPort(dstPort)}
+			_ = udp.SetNetworkLayerForChecksum(ip4)
+			err = gopacket.SerializeLayers(buf, opts, ip4, udp)
+		case fw.ProtocolICMP:
+			ip4.Protocol = layers.IPProtocolICMPv4
+			icmp := &layers.ICMPv4{TypeCode: layers.CreateICMPv4TypeCode(layers.ICMPv4TypeEchoRequest, 0)}
+			err = gopacket.SerializeLayers(buf, opts, ip4, icmp)
+		default:
+			err = gopacket.SerializeLayers(buf, opts, ip4)
+		}
 	}

 	require.NoError(t, err)
@@ -617,7 +788,7 @@ func setupRoutedManager(tb testing.TB, network string) *Manager {
 		},
 	}

-	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
+	manager, err := Create(ifaceMock, nil, false, flowLogger, iface.DefaultMTU)
 	require.NoError(tb, err)
 	require.NoError(tb, manager.EnableRouting())
 	require.NotNil(tb, manager)
@@ -1222,7 +1393,7 @@ func TestRouteACLFiltering(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			if tc.rule.action == fw.ActionDrop {
 				// add general accept rule to test drop rule
-				rule, err := manager.AddRouteFiltering(
+				rule, err := manager.AddFilterRule(
 					nil,
 					[]netip.Prefix{netip.MustParsePrefix("0.0.0.0/0")},
 					fw.Network{Prefix: netip.MustParsePrefix("0.0.0.0/0")},
@@ -1232,13 +1403,13 @@ func TestRouteACLFiltering(t *testing.T) {
 					fw.ActionAccept,
 				)
 				require.NoError(t, err)
-				require.NotNil(t, rule)
+				require.NotEmpty(t, rule)
 				t.Cleanup(func() {
-					require.NoError(t, manager.DeleteRouteRule(rule))
+					require.NoError(t, manager.DeleteFilterRule(rule))
 				})
 			}

-			rule, err := manager.AddRouteFiltering(
+			rule, err := manager.AddFilterRule(
 				nil,
 				tc.rule.sources,
 				tc.rule.dest,
@@ -1248,10 +1419,10 @@ func TestRouteACLFiltering(t *testing.T) {
 				tc.rule.action,
 			)
 			require.NoError(t, err)
-			require.NotNil(t, rule)
+			require.NotEmpty(t, rule)

 			t.Cleanup(func() {
-				require.NoError(t, manager.DeleteRouteRule(rule))
+				require.NoError(t, manager.DeleteFilterRule(rule))
 			})

 			srcIP := netip.MustParseAddr(tc.srcIP)
@@ -1419,9 +1590,9 @@ func TestRouteACLOrder(t *testing.T) {

 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			var rules []fw.Rule
+			var addedRules []fw.Rule
 			for _, r := range tc.rules {
-				rule, err := manager.AddRouteFiltering(
+				rule, err := manager.AddFilterRule(
 					nil,
 					r.sources,
 					r.dest,
@@ -1432,12 +1603,12 @@ func TestRouteACLOrder(t *testing.T) {
 				)
 				require.NoError(t, err)
 				require.NotNil(t, rule)
-				rules = append(rules, rule)
+				addedRules = append(addedRules, rule)
 			}

 			t.Cleanup(func() {
-				for _, rule := range rules {
-					require.NoError(t, manager.DeleteRouteRule(rule))
+				for _, rule := range addedRules {
+					require.NoError(t, manager.DeleteFilterRule(rule))
 				}
 			})

@@ -1463,7 +1634,7 @@ func TestRouteACLSet(t *testing.T) {
 		},
 	}

-	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
+	manager, err := Create(ifaceMock, nil, false, flowLogger, iface.DefaultMTU)
 	require.NoError(t, err)
 	t.Cleanup(func() {
 		require.NoError(t, manager.Close(nil))
@@ -1472,7 +1643,7 @@ func TestRouteACLSet(t *testing.T) {
 	set := fw.NewDomainSet(domain.List{"example.org"})

 	// Add rule that uses the set (initially empty)
-	rule, err := manager.AddRouteFiltering(
+	rule, err := manager.AddFilterRule(
 		nil,
 		[]netip.Prefix{netip.MustParsePrefix("0.0.0.0/0")},
 		fw.Network{Set: set},
@@ -1498,3 +1669,103 @@ func TestRouteACLSet(t *testing.T) {
 	_, isAllowed = manager.routeACLsPass(srcIP, dstIP, protoToLayer(fw.ProtocolTCP, layers.LayerTypeIPv4), 12345, 80)
 	require.True(t, isAllowed, "After set update, traffic to the added network should be allowed")
 }
+
+// TestRouteACLFilteringIPv6 tests IPv6 route ACL matching directly via routeACLsPass.
+// Note: full FilterInbound for routed IPv6 traffic drops at the forwarder stage (IPv4-only)
+// but the ACL decision itself is correct.
+func TestRouteACLFilteringIPv6(t *testing.T) {
+	manager := setupRoutedManager(t, "10.10.0.100/16")
+
+	v6Dst := netip.MustParsePrefix("fd00:dead:beef::/48")
+	_, err := manager.AddFilterRule(
+		nil,
+		[]netip.Prefix{netip.MustParsePrefix("fd00::/16")},
+		fw.Network{Prefix: v6Dst},
+		fw.ProtocolTCP,
+		nil,
+		&fw.Port{Values: []uint16{80}},
+		fw.ActionAccept,
+	)
+	require.NoError(t, err)
+
+	_, err = manager.AddFilterRule(
+		nil,
+		[]netip.Prefix{netip.MustParsePrefix("fd00::/16")},
+		fw.Network{Prefix: netip.MustParsePrefix("fd00:dead:beef:1::/64")},
+		fw.ProtocolALL,
+		nil,
+		nil,
+		fw.ActionDrop,
+	)
+	require.NoError(t, err)
+
+	tests := []struct {
+		name    string
+		srcIP   netip.Addr
+		dstIP   netip.Addr
+		proto   gopacket.LayerType
+		srcPort uint16
+		dstPort uint16
+		allowed bool
+	}{
+		{
+			name:    "IPv6 TCP to allowed dest",
+			srcIP:   netip.MustParseAddr("fd00::1"),
+			dstIP:   netip.MustParseAddr("fd00:dead:beef::80"),
+			proto:   layers.LayerTypeTCP,
+			srcPort: 12345,
+			dstPort: 80,
+			allowed: true,
+		},
+		{
+			name:    "IPv6 TCP wrong port",
+			srcIP:   netip.MustParseAddr("fd00::1"),
+			dstIP:   netip.MustParseAddr("fd00:dead:beef::80"),
+			proto:   layers.LayerTypeTCP,
+			srcPort: 12345,
+			dstPort: 443,
+			allowed: false,
+		},
+		{
+			name:    "IPv6 UDP not matched by TCP rule",
+			srcIP:   netip.MustParseAddr("fd00::1"),
+			dstIP:   netip.MustParseAddr("fd00:dead:beef::80"),
+			proto:   layers.LayerTypeUDP,
+			srcPort: 12345,
+			dstPort: 80,
+			allowed: false,
+		},
+		{
+			name:    "IPv6 ICMPv6 matches ICMP rule via protoLayerMatches",
+			srcIP:   netip.MustParseAddr("fd00::1"),
+			dstIP:   netip.MustParseAddr("fd00:dead:beef::80"),
+			proto:   layers.LayerTypeICMPv6,
+			allowed: false,
+		},
+		{
+			name:    "IPv6 to denied subnet",
+			srcIP:   netip.MustParseAddr("fd00::1"),
+			dstIP:   netip.MustParseAddr("fd00:dead:beef:1::1"),
+			proto:   layers.LayerTypeTCP,
+			srcPort: 12345,
+			dstPort: 80,
+			allowed: false,
+		},
+		{
+			name:    "IPv6 source outside allowed range",
+			srcIP:   netip.MustParseAddr("fe80::1"),
+			dstIP:   netip.MustParseAddr("fd00:dead:beef::80"),
+			proto:   layers.LayerTypeTCP,
+			srcPort: 12345,
+			dstPort: 80,
+			allowed: false,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			_, pass := manager.routeACLsPass(tc.srcIP, tc.dstIP, tc.proto, tc.srcPort, tc.dstPort)
+			require.Equal(t, tc.allowed, pass, "route ACL result mismatch")
+		})
+	}
+}
--- a/client/firewall/uspfilter/filter_routeacl_test.go
+++ b/client/firewall/uspfilter/filter_routeacl_test.go
@@ -29,7 +29,7 @@ func TestAddRouteFilteringReturnsExistingRule(t *testing.T) {
 	destination := fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")}

 	// Add rule first time
-	rule1, err := manager.AddRouteFiltering(
+	rule1, err := manager.AddFilterRule(
 		[]byte("policy-1"),
 		sources,
 		destination,
@@ -42,7 +42,7 @@ func TestAddRouteFilteringReturnsExistingRule(t *testing.T) {
 	require.NotNil(t, rule1)

 	// Add the same rule again
-	rule2, err := manager.AddRouteFiltering(
+	rule2, err := manager.AddFilterRule(
 		[]byte("policy-1"),
 		sources,
 		destination,
@@ -74,7 +74,7 @@ func TestAddRouteFilteringDifferentRulesGetDifferentIDs(t *testing.T) {
 	sources := []netip.Prefix{netip.MustParsePrefix("100.64.1.0/24")}

 	// Add first rule
-	rule1, err := manager.AddRouteFiltering(
+	rule1, err := manager.AddFilterRule(
 		[]byte("policy-1"),
 		sources,
 		fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
@@ -86,7 +86,7 @@ func TestAddRouteFilteringDifferentRulesGetDifferentIDs(t *testing.T) {
 	require.NoError(t, err)

 	// Add different rule (different destination)
-	rule2, err := manager.AddRouteFiltering(
+	rule2, err := manager.AddFilterRule(
 		[]byte("policy-2"),
 		sources,
 		fw.Network{Prefix: netip.MustParsePrefix("192.168.2.0/24")}, // Different!
@@ -115,7 +115,7 @@ func TestRouteRuleUpdateDoesNotCauseGap(t *testing.T) {
 	sources := []netip.Prefix{netip.MustParsePrefix("100.64.1.0/24")}
 	destination := fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")}

-	rule1, err := manager.AddRouteFiltering(
+	rule1, err := manager.AddFilterRule(
 		[]byte("policy-1"),
 		sources,
 		destination,
@@ -132,7 +132,7 @@ func TestRouteRuleUpdateDoesNotCauseGap(t *testing.T) {
 	require.True(t, pass, "Traffic should pass with rule in place")

 	// Re-add same rule (simulates network map update)
-	rule2, err := manager.AddRouteFiltering(
+	rule2, err := manager.AddFilterRule(
 		[]byte("policy-1"),
 		sources,
 		destination,
@@ -147,7 +147,7 @@ func TestRouteRuleUpdateDoesNotCauseGap(t *testing.T) {
 	// won't delete rule1 during cleanup. If IDs differed, deleting rule1
 	// would remove the only matching rule and cause a traffic gap.
 	if rule1.ID() != rule2.ID() {
-		err = manager.DeleteRouteRule(rule1)
+		err = manager.DeleteFilterRule(rule1)
 		require.NoError(t, err)
 	}

@@ -156,6 +156,59 @@ func TestRouteRuleUpdateDoesNotCauseGap(t *testing.T) {
 		"Traffic should still pass after rule update - no gap should occur")
 }

+// TestBlockInvalidRoutedDualStack verifies that when the interface has an
+// IPv6 overlay address, blockInvalidRouted installs a block rule for both
+// the v4 and v6 WG prefixes and that routed traffic to the v6 prefix is
+// denied. The v4-only soft-skip path is covered by
+// TestBlockInvalidRoutedIdempotent, whose mock leaves IPv6Net invalid.
+func TestBlockInvalidRoutedDualStack(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	dev := mocks.NewMockDevice(ctrl)
+	dev.EXPECT().MTU().Return(1500, nil).AnyTimes()
+
+	wgNet := netip.MustParsePrefix("100.64.0.1/16")
+	wgNet6 := netip.MustParsePrefix("fd00:1234::1/64")
+
+	ifaceMock := &IFaceMock{
+		SetFilterFunc: func(device.PacketFilter) error { return nil },
+		AddressFunc: func() wgaddr.Address {
+			return wgaddr.Address{
+				IP:      wgNet.Addr(),
+				Network: wgNet,
+				IPv6:    wgNet6.Addr(),
+				IPv6Net: wgNet6,
+			}
+		},
+		GetDeviceFunc: func() *device.FilteredDevice {
+			return &device.FilteredDevice{Device: dev}
+		},
+		GetWGDeviceFunc: func() *wgdevice.Device {
+			return &wgdevice.Device{}
+		},
+	}
+
+	manager, err := Create(ifaceMock, nil, false, flowLogger, iface.DefaultMTU)
+	require.NoError(t, err)
+	t.Cleanup(func() {
+		require.NoError(t, manager.Close(nil))
+	})
+
+	rules, err := manager.blockInvalidRouted(ifaceMock)
+	require.NoError(t, err)
+	require.Len(t, rules, 2, "dual-stack interface must produce a v4 and a v6 block rule")
+
+	manager.mutex.RLock()
+	ruleCount := len(manager.routeRules)
+	manager.mutex.RUnlock()
+	assert.Equal(t, 2, ruleCount, "should have one block rule per family")
+
+	// v6 routed traffic to the WG prefix must be denied.
+	srcIP := netip.MustParseAddr("2001:db8::1")
+	dstIP := netip.MustParseAddr("fd00:1234::50")
+	_, pass := manager.routeACLsPass(srcIP, dstIP, layers.LayerTypeTCP, 12345, 80)
+	assert.False(t, pass, "block rule should deny routed traffic to the v6 WG prefix")
+}
+
 // TestBlockInvalidRoutedIdempotent verifies that blockInvalidRouted creates
 // exactly one drop rule for the WireGuard network prefix, and calling it again
 // returns the same rule without duplicating.
@@ -182,28 +235,28 @@ func TestBlockInvalidRoutedIdempotent(t *testing.T) {
 		},
 	}

-	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
+	manager, err := Create(ifaceMock, nil, false, flowLogger, iface.DefaultMTU)
 	require.NoError(t, err)
 	t.Cleanup(func() {
 		require.NoError(t, manager.Close(nil))
 	})

 	// Call blockInvalidRouted directly multiple times
-	rule1, err := manager.blockInvalidRouted(ifaceMock)
+	rules1, err := manager.blockInvalidRouted(ifaceMock)
 	require.NoError(t, err)
-	require.NotNil(t, rule1)
+	require.NotEmpty(t, rules1)

-	rule2, err := manager.blockInvalidRouted(ifaceMock)
+	rules2, err := manager.blockInvalidRouted(ifaceMock)
 	require.NoError(t, err)
-	require.NotNil(t, rule2)
+	require.NotEmpty(t, rules2)

-	rule3, err := manager.blockInvalidRouted(ifaceMock)
+	rules3, err := manager.blockInvalidRouted(ifaceMock)
 	require.NoError(t, err)
-	require.NotNil(t, rule3)
+	require.NotEmpty(t, rules3)

-	// All should return the same rule
-	assert.Equal(t, rule1.ID(), rule2.ID(), "Second call should return same rule")
-	assert.Equal(t, rule2.ID(), rule3.ID(), "Third call should return same rule")
+	// All calls should return the same v4 block rule (idempotent install).
+	assert.Equal(t, rules1[0].ID(), rules2[0].ID(), "Second call should return same v4 rule")
+	assert.Equal(t, rules2[0].ID(), rules3[0].ID(), "Third call should return same v4 rule")

 	// Should have exactly 1 route rule
 	manager.mutex.RLock()
@@ -245,7 +298,7 @@ func TestBlockRuleNotAccumulatedOnRepeatedEnableRouting(t *testing.T) {
 		},
 	}

-	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
+	manager, err := Create(ifaceMock, nil, false, flowLogger, iface.DefaultMTU)
 	require.NoError(t, err)
 	t.Cleanup(func() {
 		require.NoError(t, manager.Close(nil))
@@ -274,7 +327,7 @@ func TestRouteRuleCountStableAcrossUpdates(t *testing.T) {

 	// Simulate 5 network map updates with the same route rule
 	for i := 0; i < 5; i++ {
-		rule, err := manager.AddRouteFiltering(
+		rule, err := manager.AddFilterRule(
 			[]byte("policy-1"),
 			sources,
 			destination,
@@ -304,7 +357,7 @@ func TestDeleteRouteRuleAfterIdempotentAdd(t *testing.T) {
 	destination := fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")}

 	// Add same rule twice
-	rule1, err := manager.AddRouteFiltering(
+	rule1, err := manager.AddFilterRule(
 		[]byte("policy-1"),
 		sources,
 		destination,
@@ -315,7 +368,7 @@ func TestDeleteRouteRuleAfterIdempotentAdd(t *testing.T) {
 	)
 	require.NoError(t, err)

-	rule2, err := manager.AddRouteFiltering(
+	rule2, err := manager.AddFilterRule(
 		[]byte("policy-1"),
 		sources,
 		destination,
@@ -329,7 +382,7 @@ func TestDeleteRouteRuleAfterIdempotentAdd(t *testing.T) {
 	require.Equal(t, rule1.ID(), rule2.ID(), "Should return same rule ID")

 	// Delete using first reference
-	err = manager.DeleteRouteRule(rule1)
+	err = manager.DeleteFilterRule(rule1)
 	require.NoError(t, err)

 	// Verify traffic no longer passes
@@ -364,7 +417,7 @@ func setupTestManager(t *testing.T) *Manager {
 		},
 	}

-	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
+	manager, err := Create(ifaceMock, nil, false, flowLogger, iface.DefaultMTU)
 	require.NoError(t, err)
 	require.NoError(t, manager.EnableRouting())

--- a/client/firewall/uspfilter/filter_test.go
+++ b/client/firewall/uspfilter/filter_test.go
@@ -78,7 +78,7 @@ func TestManagerCreate(t *testing.T) {
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 	}

-	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
+	m, err := Create(ifaceMock, nil, false, flowLogger, nbiface.DefaultMTU)
 	if err != nil {
 		t.Errorf("failed to create Manager: %v", err)
 		return
@@ -89,7 +89,7 @@ func TestManagerCreate(t *testing.T) {
 	}
 }

-func TestManagerAddPeerFiltering(t *testing.T) {
+func TestManagerAddFilterRule(t *testing.T) {
 	isSetFilterCalled := false
 	ifaceMock := &IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error {
@@ -98,7 +98,7 @@ func TestManagerAddPeerFiltering(t *testing.T) {
 		},
 	}

-	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
+	m, err := Create(ifaceMock, nil, false, flowLogger, nbiface.DefaultMTU)
 	if err != nil {
 		t.Errorf("failed to create Manager: %v", err)
 		return
@@ -109,7 +109,7 @@ func TestManagerAddPeerFiltering(t *testing.T) {
 	port := &fw.Port{Values: []uint16{80}}
 	action := fw.ActionDrop

-	rule, err := m.AddPeerFiltering(nil, ip, proto, nil, port, action, "")
+	rule, err := m.AddFilterRule(nil, pfx(ip), fw.Network{}, proto, nil, port, action)
 	if err != nil {
 		t.Errorf("failed to add filtering: %v", err)
 		return
@@ -131,7 +131,7 @@ func TestManagerDeleteRule(t *testing.T) {
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 	}

-	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
+	m, err := Create(ifaceMock, nil, false, flowLogger, nbiface.DefaultMTU)
 	if err != nil {
 		t.Errorf("failed to create Manager: %v", err)
 		return
@@ -142,63 +142,33 @@ func TestManagerDeleteRule(t *testing.T) {
 	port := &fw.Port{Values: []uint16{80}}
 	action := fw.ActionDrop

-	rule2, err := m.AddPeerFiltering(nil, ip.AsSlice(), proto, nil, port, action, "")
+	rule2, err := m.AddFilterRule(nil, pfx(ip.AsSlice()), fw.Network{}, proto, nil, port, action)
 	if err != nil {
 		t.Errorf("failed to add filtering: %v", err)
 		return
 	}

-	// Check rules exist in appropriate maps
-	for _, r := range rule2 {
-		peerRule, ok := r.(*PeerRule)
-		if !ok {
-			t.Errorf("rule should be a PeerRule")
-			continue
-		}
-		// Check if rule exists in deny or allow maps based on action
-		var found bool
-		if peerRule.drop {
-			_, found = m.incomingDenyRules[ip][r.ID()]
-		} else {
-			_, found = m.incomingRules[ip][r.ID()]
-		}
-		if !found {
-			t.Errorf("rule2 is not in the expected rules map")
+	peerRule, ok := rule2.(*PeerRule)
+	require.True(t, ok, "rule should be a PeerRule")
+
+	inMap := func() bool {
+		if peerRule.action == fw.ActionDrop {
+			return findRuleByID(m.incomingDenyRules, ip, rule2.ID())
 		}
+		return findRuleByID(m.incomingAcceptRules, ip, rule2.ID())
 	}

-	for _, r := range rule2 {
-		err = m.DeletePeerRule(r)
-		if err != nil {
-			t.Errorf("failed to delete rule: %v", err)
-			return
-		}
-	}
+	require.True(t, inMap(), "rule2 should be in the expected rules list")

-	// Check rules are removed from appropriate maps
-	for _, r := range rule2 {
-		peerRule, ok := r.(*PeerRule)
-		if !ok {
-			t.Errorf("rule should be a PeerRule")
-			continue
-		}
-		// Check if rule is removed from deny or allow maps based on action
-		var found bool
-		if peerRule.drop {
-			_, found = m.incomingDenyRules[ip][r.ID()]
-		} else {
-			_, found = m.incomingRules[ip][r.ID()]
-		}
-		if found {
-			t.Errorf("rule2 should be removed from the rules map")
-		}
-	}
+	require.NoError(t, m.DeleteFilterRule(rule2), "failed to delete rule")
+
+	require.False(t, inMap(), "rule2 should be removed from the rules list")
 }

 func TestSetUDPPacketHook(t *testing.T) {
 	manager, err := Create(&IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger, nbiface.DefaultMTU)
+	}, nil, false, flowLogger, nbiface.DefaultMTU)
 	require.NoError(t, err)
 	t.Cleanup(func() { require.NoError(t, manager.Close(nil)) })

@@ -222,7 +192,7 @@ func TestSetUDPPacketHook(t *testing.T) {
 func TestSetTCPPacketHook(t *testing.T) {
 	manager, err := Create(&IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger, nbiface.DefaultMTU)
+	}, nil, false, flowLogger, nbiface.DefaultMTU)
 	require.NoError(t, err)
 	t.Cleanup(func() { require.NoError(t, manager.Close(nil)) })

@@ -250,7 +220,7 @@ func TestPeerRuleLifecycleDenyRules(t *testing.T) {
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 	}

-	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
+	m, err := Create(ifaceMock, nil, false, flowLogger, nbiface.DefaultMTU)
 	require.NoError(t, err)
 	defer func() {
 		require.NoError(t, m.Close(nil))
@@ -260,36 +230,34 @@ func TestPeerRuleLifecycleDenyRules(t *testing.T) {
 	addr := netip.MustParseAddr("192.168.1.1")

 	// Add multiple deny rules for different ports
-	rule1, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
-		&fw.Port{Values: []uint16{22}}, fw.ActionDrop, "")
+	rule1, err := m.AddFilterRule(nil, pfx(ip), fw.Network{}, fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{22}}, fw.ActionDrop)
 	require.NoError(t, err)

-	rule2, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
-		&fw.Port{Values: []uint16{80}}, fw.ActionDrop, "")
+	rule2, err := m.AddFilterRule(nil, pfx(ip), fw.Network{}, fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{80}}, fw.ActionDrop)
 	require.NoError(t, err)

 	m.mutex.RLock()
-	denyCount := len(m.incomingDenyRules[addr])
+	denyCount := countRulesForAddr(m.incomingDenyRules, addr)
 	m.mutex.RUnlock()
 	require.Equal(t, 2, denyCount, "Should have exactly 2 deny rules")

 	// Delete the first deny rule
-	err = m.DeletePeerRule(rule1[0])
+	err = m.DeleteFilterRule(rule1)
 	require.NoError(t, err)

 	m.mutex.RLock()
-	denyCount = len(m.incomingDenyRules[addr])
+	denyCount = countRulesForAddr(m.incomingDenyRules, addr)
 	m.mutex.RUnlock()
 	require.Equal(t, 1, denyCount, "Should have 1 deny rule after deleting first")

 	// Delete the second deny rule
-	err = m.DeletePeerRule(rule2[0])
+	err = m.DeleteFilterRule(rule2)
 	require.NoError(t, err)

 	m.mutex.RLock()
-	_, exists := m.incomingDenyRules[addr]
+	exists := countRulesForAddr(m.incomingDenyRules, addr) > 0
 	m.mutex.RUnlock()
-	require.False(t, exists, "Deny rules IP entry should be cleaned up when empty")
+	require.False(t, exists, "Deny rules should be cleaned up when empty")
 }

 // TestPeerRuleAddAndDeleteDontLeak verifies that repeatedly adding and deleting
@@ -299,7 +267,7 @@ func TestPeerRuleAddAndDeleteDontLeak(t *testing.T) {
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 	}

-	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
+	m, err := Create(ifaceMock, nil, false, flowLogger, nbiface.DefaultMTU)
 	require.NoError(t, err)
 	defer func() {
 		require.NoError(t, m.Close(nil))
@@ -311,27 +279,21 @@ func TestPeerRuleAddAndDeleteDontLeak(t *testing.T) {
 	// Simulate 10 network map updates: add rule, delete old, add new
 	for i := 0; i < 10; i++ {
 		// Add a deny rule
-		rules, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
-			&fw.Port{Values: []uint16{22}}, fw.ActionDrop, "")
+		rules, err := m.AddFilterRule(nil, pfx(ip), fw.Network{}, fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{22}}, fw.ActionDrop)
 		require.NoError(t, err)

 		// Add an allow rule
-		allowRules, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
-			&fw.Port{Values: []uint16{80}}, fw.ActionAccept, "")
+		allowRules, err := m.AddFilterRule(nil, pfx(ip), fw.Network{}, fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{80}}, fw.ActionAccept)
 		require.NoError(t, err)

 		// Delete them (simulating ACL manager cleanup)
-		for _, r := range rules {
-			require.NoError(t, m.DeletePeerRule(r))
-		}
-		for _, r := range allowRules {
-			require.NoError(t, m.DeletePeerRule(r))
-		}
+		require.NoError(t, m.DeleteFilterRule(rules))
+		require.NoError(t, m.DeleteFilterRule(allowRules))
 	}

 	m.mutex.RLock()
-	denyCount := len(m.incomingDenyRules[addr])
-	allowCount := len(m.incomingRules[addr])
+	denyCount := countRulesForAddr(m.incomingDenyRules, addr)
+	allowCount := countRulesForAddr(m.incomingAcceptRules, addr)
 	m.mutex.RUnlock()

 	require.Equal(t, 0, denyCount, "No deny rules should remain after cleanup")
@@ -345,7 +307,7 @@ func TestMixedAllowDenyRulesSameIP(t *testing.T) {
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 	}

-	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
+	m, err := Create(ifaceMock, nil, false, flowLogger, nbiface.DefaultMTU)
 	require.NoError(t, err)
 	defer func() {
 		require.NoError(t, m.Close(nil))
@@ -354,41 +316,39 @@ func TestMixedAllowDenyRulesSameIP(t *testing.T) {
 	ip := net.ParseIP("192.168.1.1")

 	// Add allow rule for port 80
-	allowRule, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
-		&fw.Port{Values: []uint16{80}}, fw.ActionAccept, "")
+	allowRule, err := m.AddFilterRule(nil, pfx(ip), fw.Network{}, fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{80}}, fw.ActionAccept)
 	require.NoError(t, err)

 	// Add deny rule for port 22
-	denyRule, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
-		&fw.Port{Values: []uint16{22}}, fw.ActionDrop, "")
+	denyRule, err := m.AddFilterRule(nil, pfx(ip), fw.Network{}, fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{22}}, fw.ActionDrop)
 	require.NoError(t, err)

 	addr := netip.MustParseAddr("192.168.1.1")
 	m.mutex.RLock()
-	allowCount := len(m.incomingRules[addr])
-	denyCount := len(m.incomingDenyRules[addr])
+	allowCount := countRulesForAddr(m.incomingAcceptRules, addr)
+	denyCount := countRulesForAddr(m.incomingDenyRules, addr)
 	m.mutex.RUnlock()

 	require.Equal(t, 1, allowCount, "Should have 1 allow rule")
 	require.Equal(t, 1, denyCount, "Should have 1 deny rule")

 	// Delete allow rule should not affect deny rule
-	err = m.DeletePeerRule(allowRule[0])
+	err = m.DeleteFilterRule(allowRule)
 	require.NoError(t, err)

 	m.mutex.RLock()
-	denyCountAfter := len(m.incomingDenyRules[addr])
+	denyCountAfter := countRulesForAddr(m.incomingDenyRules, addr)
 	m.mutex.RUnlock()

 	require.Equal(t, 1, denyCountAfter, "Deny rule should still exist after deleting allow rule")

 	// Delete deny rule
-	err = m.DeletePeerRule(denyRule[0])
+	err = m.DeleteFilterRule(denyRule)
 	require.NoError(t, err)

 	m.mutex.RLock()
-	_, denyExists := m.incomingDenyRules[addr]
-	_, allowExists := m.incomingRules[addr]
+	denyExists := countRulesForAddr(m.incomingDenyRules, addr) > 0
+	allowExists := countRulesForAddr(m.incomingAcceptRules, addr) > 0
 	m.mutex.RUnlock()

 	require.False(t, denyExists, "Deny rules should be empty")
@@ -400,7 +360,7 @@ func TestManagerReset(t *testing.T) {
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 	}

-	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
+	m, err := Create(ifaceMock, nil, false, flowLogger, nbiface.DefaultMTU)
 	if err != nil {
 		t.Errorf("failed to create Manager: %v", err)
 		return
@@ -411,7 +371,7 @@ func TestManagerReset(t *testing.T) {
 	port := &fw.Port{Values: []uint16{80}}
 	action := fw.ActionDrop

-	_, err = m.AddPeerFiltering(nil, ip, proto, nil, port, action, "")
+	_, err = m.AddFilterRule(nil, pfx(ip), fw.Network{}, proto, nil, port, action)
 	if err != nil {
 		t.Errorf("failed to add filtering: %v", err)
 		return
@@ -423,7 +383,7 @@ func TestManagerReset(t *testing.T) {
 		return
 	}

-	if len(m.outgoingRules) != 0 || len(m.incomingRules) != 0 || len(m.incomingDenyRules) != 0 {
+	if len(m.incomingAcceptRules) != 0 || len(m.incomingDenyRules) != 0 {
 		t.Errorf("rules are not empty")
 	}
 }
@@ -439,7 +399,7 @@ func TestNotMatchByIP(t *testing.T) {
 		},
 	}

-	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
+	m, err := Create(ifaceMock, nil, false, flowLogger, nbiface.DefaultMTU)
 	if err != nil {
 		t.Errorf("failed to create Manager: %v", err)
 		return
@@ -449,7 +409,7 @@ func TestNotMatchByIP(t *testing.T) {
 	proto := fw.ProtocolUDP
 	action := fw.ActionAccept

-	_, err = m.AddPeerFiltering(nil, ip, proto, nil, nil, action, "")
+	_, err = m.AddFilterRule(nil, pfx(ip), fw.Network{}, proto, nil, nil, action)
 	if err != nil {
 		t.Errorf("failed to add filtering: %v", err)
 		return
@@ -502,7 +462,7 @@ func TestRemovePacketHook(t *testing.T) {
 	}

 	// creating manager instance
-	manager, err := Create(iface, false, flowLogger, nbiface.DefaultMTU)
+	manager, err := Create(iface, nil, false, flowLogger, nbiface.DefaultMTU)
 	if err != nil {
 		t.Fatalf("Failed to create Manager: %s", err)
 	}
@@ -521,7 +481,7 @@ func TestRemovePacketHook(t *testing.T) {
 func TestProcessOutgoingHooks(t *testing.T) {
 	manager, err := Create(&IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger, nbiface.DefaultMTU)
+	}, nil, false, flowLogger, nbiface.DefaultMTU)
 	require.NoError(t, err)

 	manager.udpTracker.Close()
@@ -535,11 +495,16 @@ func TestProcessOutgoingHooks(t *testing.T) {
 			d := &decoder{
 				decoded: []gopacket.LayerType{},
 			}
-			d.parser = gopacket.NewDecodingLayerParser(
+			d.parser4 = gopacket.NewDecodingLayerParser(
 				layers.LayerTypeIPv4,
 				&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
 			)
-			d.parser.IgnoreUnsupported = true
+			d.parser4.IgnoreUnsupported = true
+			d.parser6 = gopacket.NewDecodingLayerParser(
+				layers.LayerTypeIPv6,
+				&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
+			)
+			d.parser6.IgnoreUnsupported = true
 			return d
 		},
 	}
@@ -601,7 +566,7 @@ func TestUSPFilterCreatePerformance(t *testing.T) {
 			ifaceMock := &IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
 			}
-			manager, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
+			manager, err := Create(ifaceMock, nil, false, flowLogger, nbiface.DefaultMTU)
 			require.NoError(t, err)
 			time.Sleep(time.Second)

@@ -616,7 +581,7 @@ func TestUSPFilterCreatePerformance(t *testing.T) {
 			start := time.Now()
 			for i := 0; i < testMax; i++ {
 				port := &fw.Port{Values: []uint16{uint16(1000 + i)}}
-				_, err = manager.AddPeerFiltering(nil, ip, "tcp", nil, port, fw.ActionAccept, "")
+				_, err = manager.AddFilterRule(nil, pfx(ip), fw.Network{}, "tcp", nil, port, fw.ActionAccept)

 				require.NoError(t, err, "failed to add rule")
 			}
@@ -628,7 +593,7 @@ func TestUSPFilterCreatePerformance(t *testing.T) {
 func TestStatefulFirewall_UDPTracking(t *testing.T) {
 	manager, err := Create(&IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger, nbiface.DefaultMTU)
+	}, nil, false, flowLogger, nbiface.DefaultMTU)
 	require.NoError(t, err)

 	manager.udpTracker.Close() // Close the existing tracker
@@ -638,11 +603,16 @@ func TestStatefulFirewall_UDPTracking(t *testing.T) {
 			d := &decoder{
 				decoded: []gopacket.LayerType{},
 			}
-			d.parser = gopacket.NewDecodingLayerParser(
+			d.parser4 = gopacket.NewDecodingLayerParser(
 				layers.LayerTypeIPv4,
 				&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
 			)
-			d.parser.IgnoreUnsupported = true
+			d.parser4.IgnoreUnsupported = true
+			d.parser6 = gopacket.NewDecodingLayerParser(
+				layers.LayerTypeIPv6,
+				&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
+			)
+			d.parser6.IgnoreUnsupported = true
 			return d
 		},
 	}
@@ -835,7 +805,7 @@ func TestUpdateSetMerge(t *testing.T) {
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 	}

-	manager, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
+	manager, err := Create(ifaceMock, nil, false, flowLogger, nbiface.DefaultMTU)
 	require.NoError(t, err)
 	t.Cleanup(func() {
 		require.NoError(t, manager.Close(nil))
@@ -848,7 +818,7 @@ func TestUpdateSetMerge(t *testing.T) {
 		netip.MustParsePrefix("192.168.1.0/24"),
 	}

-	rule, err := manager.AddRouteFiltering(
+	rule, err := manager.AddFilterRule(
 		nil,
 		[]netip.Prefix{netip.MustParsePrefix("0.0.0.0/0")},
 		fw.Network{Set: set},
@@ -921,7 +891,7 @@ func TestUpdateSetDeduplication(t *testing.T) {
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 	}

-	manager, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
+	manager, err := Create(ifaceMock, nil, false, flowLogger, nbiface.DefaultMTU)
 	require.NoError(t, err)
 	t.Cleanup(func() {
 		require.NoError(t, manager.Close(nil))
@@ -929,7 +899,7 @@ func TestUpdateSetDeduplication(t *testing.T) {

 	set := fw.NewDomainSet(domain.List{"example.org"})

-	rule, err := manager.AddRouteFiltering(
+	rule, err := manager.AddFilterRule(
 		nil,
 		[]netip.Prefix{netip.MustParsePrefix("0.0.0.0/0")},
 		fw.Network{Set: set},
@@ -1041,15 +1011,15 @@ func TestMSSClamping(t *testing.T) {
 		},
 	}

-	manager, err := Create(ifaceMock, false, flowLogger, 1280)
+	manager, err := Create(ifaceMock, nil, false, flowLogger, 1280)
 	require.NoError(t, err)
 	defer func() {
 		require.NoError(t, manager.Close(nil))
 	}()

 	require.True(t, manager.mssClampEnabled, "MSS clamping should be enabled by default")
-	expectedMSSValue := uint16(1280 - ipTCPHeaderMinSize)
-	require.Equal(t, expectedMSSValue, manager.mssClampValue, "MSS clamp value should be MTU - 40")
+	require.Equal(t, uint16(1280-ipv4TCPHeaderMinSize), manager.mssClampValueIPv4, "IPv4 MSS clamp value should be MTU - 40")
+	require.Equal(t, uint16(1280-ipv6TCPHeaderMinSize), manager.mssClampValueIPv6, "IPv6 MSS clamp value should be MTU - 60")

 	err = manager.UpdateLocalIPs()
 	require.NoError(t, err)
@@ -1067,7 +1037,7 @@ func TestMSSClamping(t *testing.T) {
 		require.Len(t, d.tcp.Options, 1, "Should have MSS option")
 		require.Equal(t, uint8(layers.TCPOptionKindMSS), uint8(d.tcp.Options[0].OptionType))
 		actualMSS := binary.BigEndian.Uint16(d.tcp.Options[0].OptionData)
-		require.Equal(t, expectedMSSValue, actualMSS, "MSS should be clamped to MTU - 40")
+		require.Equal(t, manager.mssClampValueIPv4, actualMSS, "MSS should be clamped to MTU - 40")
 	})

 	t.Run("SYN packet with low MSS unchanged", func(t *testing.T) {
@@ -1091,7 +1061,7 @@ func TestMSSClamping(t *testing.T) {
 		d := parsePacket(t, packet)
 		require.Len(t, d.tcp.Options, 1, "Should have MSS option")
 		actualMSS := binary.BigEndian.Uint16(d.tcp.Options[0].OptionData)
-		require.Equal(t, expectedMSSValue, actualMSS, "MSS in SYN-ACK should be clamped")
+		require.Equal(t, manager.mssClampValueIPv4, actualMSS, "MSS in SYN-ACK should be clamped")
 	})

 	t.Run("Non-SYN packet unchanged", func(t *testing.T) {
@@ -1233,7 +1203,7 @@ func TestShouldForward(t *testing.T) {
 		return wgaddr.Address{IP: wgIP, Network: netip.PrefixFrom(wgIP, 24)}
 	}

-	manager, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
+	manager, err := Create(ifaceMock, nil, false, flowLogger, nbiface.DefaultMTU)
 	require.NoError(t, err)
 	defer func() {
 		require.NoError(t, manager.Close(nil))
@@ -1263,13 +1233,18 @@ func TestShouldForward(t *testing.T) {
 		d := &decoder{
 			decoded: []gopacket.LayerType{},
 		}
-		d.parser = gopacket.NewDecodingLayerParser(
+		d.parser4 = gopacket.NewDecodingLayerParser(
 			layers.LayerTypeIPv4,
 			&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
 		)
-		d.parser.IgnoreUnsupported = true
+		d.parser4.IgnoreUnsupported = true
+		d.parser6 = gopacket.NewDecodingLayerParser(
+			layers.LayerTypeIPv6,
+			&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
+		)
+		d.parser6.IgnoreUnsupported = true

-		err = d.parser.DecodeLayers(buf.Bytes(), &d.decoded)
+		err = d.decodePacket(buf.Bytes())
 		require.NoError(t, err)

 		return d
@@ -1329,6 +1304,44 @@ func TestShouldForward(t *testing.T) {
 		},
 	}

+	// Add IPv6 to the interface and test dual-stack cases
+	wgIPv6 := netip.MustParseAddr("fd00::1")
+	otherIPv6 := netip.MustParseAddr("fd00::2")
+	ifaceMock.AddressFunc = func() wgaddr.Address {
+		return wgaddr.Address{
+			IP:      wgIP,
+			Network: netip.PrefixFrom(wgIP, 24),
+			IPv6:    wgIPv6,
+			IPv6Net: netip.PrefixFrom(wgIPv6, 64),
+		}
+	}
+
+	// Re-create manager to pick up the new address with IPv6
+	require.NoError(t, manager.Close(nil))
+	manager, err = Create(ifaceMock, nil, false, flowLogger, nbiface.DefaultMTU)
+	require.NoError(t, err)
+
+	v6Cases := []struct {
+		name        string
+		dstIP       netip.Addr
+		expected    bool
+		description string
+	}{
+		{"v6 traffic to other address", otherIPv6, true, "should forward v6 traffic not destined to our v6 address"},
+		{"v6 traffic to our v6 IP", wgIPv6, false, "should not forward traffic destined to our v6 address"},
+		{"v4 traffic to other with v6 configured", otherIP, true, "should forward v4 traffic when v6 configured"},
+		{"v4 traffic to our v4 IP with v6 configured", wgIP, false, "should not forward traffic to our v4 address"},
+	}
+	for _, tt := range v6Cases {
+		t.Run(tt.name, func(t *testing.T) {
+			manager.localForwarding = true
+			manager.netstack = false
+			decoder := createTCPDecoder(8080)
+			result := manager.shouldForward(decoder, tt.dstIP)
+			require.Equal(t, tt.expected, result, tt.description)
+		})
+	}
+
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			// Configure manager
--- a/client/firewall/uspfilter/forwarder/endpoint.go
+++ b/client/firewall/uspfilter/forwarder/endpoint.go
@@ -1,7 +1,8 @@
 package forwarder

 import (
-	"fmt"
+	"net"
+	"strconv"
 	"sync/atomic"

 	wgdevice "golang.zx2c4.com/wireguard/device"
@@ -54,16 +55,23 @@ func (e *endpoint) LinkAddress() tcpip.LinkAddress {
 func (e *endpoint) WritePackets(pkts stack.PacketBufferList) (int, tcpip.Error) {
 	var written int
 	for _, pkt := range pkts.AsSlice() {
-		netHeader := header.IPv4(pkt.NetworkHeader().View().AsSlice())
-
 		data := stack.PayloadSince(pkt.NetworkHeader())
 		if data == nil {
 			continue
 		}

-		pktBytes := data.AsSlice()
+		raw := pkt.NetworkHeader().View().AsSlice()
+		if len(raw) == 0 {
+			continue
+		}
+		var address tcpip.Address
+		if raw[0]>>4 == 6 {
+			address = header.IPv6(raw).DestinationAddress()
+		} else {
+			address = header.IPv4(raw).DestinationAddress()
+		}

-		address := netHeader.DestinationAddress()
+		pktBytes := data.AsSlice()
 		if err := e.device.CreateOutboundPacket(pktBytes, address.AsSlice()); err != nil {
 			e.logger.Error1("CreateOutboundPacket: %v", err)
 			continue
@@ -114,5 +122,7 @@ type epID stack.TransportEndpointID

 func (i epID) String() string {
 	// src and remote is swapped
-	return fmt.Sprintf("%s:%d → %s:%d", i.RemoteAddress, i.RemotePort, i.LocalAddress, i.LocalPort)
+	return net.JoinHostPort(i.RemoteAddress.String(), strconv.Itoa(int(i.RemotePort))) +
+		" → " +
+		net.JoinHostPort(i.LocalAddress.String(), strconv.Itoa(int(i.LocalPort)))
 }
--- a/client/firewall/uspfilter/forwarder/forwarder.go
+++ b/client/firewall/uspfilter/forwarder/forwarder.go
@@ -14,6 +14,7 @@ import (
 	"gvisor.dev/gvisor/pkg/tcpip"
 	"gvisor.dev/gvisor/pkg/tcpip/header"
 	"gvisor.dev/gvisor/pkg/tcpip/network/ipv4"
+	"gvisor.dev/gvisor/pkg/tcpip/network/ipv6"
 	"gvisor.dev/gvisor/pkg/tcpip/stack"
 	"gvisor.dev/gvisor/pkg/tcpip/transport/icmp"
 	"gvisor.dev/gvisor/pkg/tcpip/transport/tcp"
@@ -36,25 +37,31 @@ type Forwarder struct {
 	logger     *nblog.Logger
 	flowLogger nftypes.FlowLogger
 	// ruleIdMap is used to store the rule ID for a given connection
-	ruleIdMap        sync.Map
-	stack            *stack.Stack
-	endpoint         *endpoint
-	udpForwarder     *udpForwarder
-	ctx              context.Context
-	cancel           context.CancelFunc
-	ip               tcpip.Address
-	netstack         bool
-	hasRawICMPAccess bool
-	pingSemaphore    chan struct{}
+	ruleIdMap          sync.Map
+	stack              *stack.Stack
+	endpoint           *endpoint
+	udpForwarder       *udpForwarder
+	ctx                context.Context
+	cancel             context.CancelFunc
+	ip                 tcpip.Address
+	ipv6               tcpip.Address
+	netstack           bool
+	hasRawICMPAccess   bool
+	hasRawICMPv6Access bool
+	pingSemaphore      chan struct{}
 }

 func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.FlowLogger, netstack bool, mtu uint16) (*Forwarder, error) {
 	s := stack.New(stack.Options{
-		NetworkProtocols: []stack.NetworkProtocolFactory{ipv4.NewProtocol},
+		NetworkProtocols: []stack.NetworkProtocolFactory{
+			ipv4.NewProtocol,
+			ipv6.NewProtocol,
+		},
 		TransportProtocols: []stack.TransportProtocolFactory{
 			tcp.NewProtocol,
 			udp.NewProtocol,
 			icmp.NewProtocol4,
+			icmp.NewProtocol6,
 		},
 		HandleLocal: false,
 	})
@@ -73,7 +80,7 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 	protoAddr := tcpip.ProtocolAddress{
 		Protocol: ipv4.ProtocolNumber,
 		AddressWithPrefix: tcpip.AddressWithPrefix{
-			Address:   tcpip.AddrFromSlice(iface.Address().IP.AsSlice()),
+			Address:   tcpip.AddrFrom4(iface.Address().IP.As4()),
 			PrefixLen: iface.Address().Network.Bits(),
 		},
 	}
@@ -82,6 +89,19 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 		return nil, fmt.Errorf("failed to add protocol address: %s", err)
 	}

+	if v6 := iface.Address().IPv6; v6.IsValid() {
+		v6Addr := tcpip.ProtocolAddress{
+			Protocol: ipv6.ProtocolNumber,
+			AddressWithPrefix: tcpip.AddressWithPrefix{
+				Address:   tcpip.AddrFrom16(v6.As16()),
+				PrefixLen: iface.Address().IPv6Net.Bits(),
+			},
+		}
+		if err := s.AddProtocolAddress(nicID, v6Addr, stack.AddressProperties{}); err != nil {
+			return nil, fmt.Errorf("add IPv6 protocol address: %s", err)
+		}
+	}
+
 	defaultSubnet, err := tcpip.NewSubnet(
 		tcpip.AddrFrom4([4]byte{0, 0, 0, 0}),
 		tcpip.MaskFromBytes([]byte{0, 0, 0, 0}),
@@ -90,6 +110,14 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 		return nil, fmt.Errorf("creating default subnet: %w", err)
 	}

+	defaultSubnetV6, err := tcpip.NewSubnet(
+		tcpip.AddrFrom16([16]byte{}),
+		tcpip.MaskFromBytes(make([]byte, 16)),
+	)
+	if err != nil {
+		return nil, fmt.Errorf("creating default v6 subnet: %w", err)
+	}
+
 	if err := s.SetPromiscuousMode(nicID, true); err != nil {
 		return nil, fmt.Errorf("set promiscuous mode: %s", err)
 	}
@@ -98,10 +126,8 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 	}

 	s.SetRouteTable([]tcpip.Route{
-		{
-			Destination: defaultSubnet,
-			NIC:         nicID,
-		},
+		{Destination: defaultSubnet, NIC: nicID},
+		{Destination: defaultSubnetV6, NIC: nicID},
 	})

 	ctx, cancel := context.WithCancel(context.Background())
@@ -114,7 +140,8 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 		ctx:           ctx,
 		cancel:        cancel,
 		netstack:      netstack,
-		ip:            tcpip.AddrFromSlice(iface.Address().IP.AsSlice()),
+		ip:            tcpip.AddrFrom4(iface.Address().IP.As4()),
+		ipv6:          addrFromNetipAddr(iface.Address().IPv6),
 		pingSemaphore: make(chan struct{}, 3),
 	}

@@ -131,7 +158,10 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 	udpForwarder := udp.NewForwarder(s, f.handleUDP)
 	s.SetTransportProtocolHandler(udp.ProtocolNumber, udpForwarder.HandlePacket)

-	s.SetTransportProtocolHandler(icmp.ProtocolNumber4, f.handleICMP)
+	// ICMP is handled directly in InjectIncomingPacket, bypassing gVisor's
+	// network layer. This avoids duplicate echo replies (v4) and the v6
+	// auto-reply bug where gVisor responds at the network layer before
+	// our transport handler fires.

 	f.checkICMPCapability()

@@ -150,8 +180,30 @@ func (f *Forwarder) SetCapture(pc PacketCapture) {
 }

 func (f *Forwarder) InjectIncomingPacket(payload []byte) error {
-	if len(payload) < header.IPv4MinimumSize {
-		return fmt.Errorf("packet too small: %d bytes", len(payload))
+	if len(payload) == 0 {
+		return fmt.Errorf("empty packet")
+	}
+
+	var protoNum tcpip.NetworkProtocolNumber
+	switch payload[0] >> 4 {
+	case 4:
+		if len(payload) < header.IPv4MinimumSize {
+			return fmt.Errorf("IPv4 packet too small: %d bytes", len(payload))
+		}
+		if f.handleICMPDirect(payload) {
+			return nil
+		}
+		protoNum = ipv4.ProtocolNumber
+	case 6:
+		if len(payload) < header.IPv6MinimumSize {
+			return fmt.Errorf("IPv6 packet too small: %d bytes", len(payload))
+		}
+		if f.handleICMPDirect(payload) {
+			return nil
+		}
+		protoNum = ipv6.ProtocolNumber
+	default:
+		return fmt.Errorf("unknown IP version: %d", payload[0]>>4)
 	}

 	pkt := stack.NewPacketBuffer(stack.PacketBufferOptions{
@@ -160,11 +212,160 @@ func (f *Forwarder) InjectIncomingPacket(payload []byte) error {
 	defer pkt.DecRef()

 	if f.endpoint.dispatcher != nil {
-		f.endpoint.dispatcher.DeliverNetworkPacket(ipv4.ProtocolNumber, pkt)
+		f.endpoint.dispatcher.DeliverNetworkPacket(protoNum, pkt)
 	}
 	return nil
 }

+// handleICMPDirect intercepts ICMP packets from raw IP payloads before they
+// enter gVisor. It synthesizes the TransportEndpointID and PacketBuffer that
+// the existing handlers expect, then dispatches to handleICMP/handleICMPv6.
+// This bypasses gVisor's network layer which causes duplicate v4 echo replies
+// and auto-replies to all v6 echo requests in promiscuous mode.
+//
+// Unlike gVisor's network layer, this does not validate ICMP checksums or
+// reassemble IP fragments. Fragmented ICMP packets fall through to gVisor.
+func parseICMPv4(payload []byte) (ipHdrLen, icmpLen int, src, dst tcpip.Address, ok bool) {
+	if len(payload) < header.IPv4MinimumSize {
+		return 0, 0, src, dst, false
+	}
+	ip := header.IPv4(payload)
+	if ip.Protocol() != uint8(header.ICMPv4ProtocolNumber) {
+		return 0, 0, src, dst, false
+	}
+	if ip.FragmentOffset() != 0 || ip.Flags()&header.IPv4FlagMoreFragments != 0 {
+		return 0, 0, src, dst, false
+	}
+	ipHdrLen = int(ip.HeaderLength())
+	totalLen := int(ip.TotalLength())
+	if ipHdrLen < header.IPv4MinimumSize || ipHdrLen > totalLen || totalLen > len(payload) {
+		return 0, 0, src, dst, false
+	}
+	icmpLen = totalLen - ipHdrLen
+	if icmpLen < header.ICMPv4MinimumSize {
+		return 0, 0, src, dst, false
+	}
+	return ipHdrLen, icmpLen, ip.SourceAddress(), ip.DestinationAddress(), true
+}
+
+func parseICMPv6(payload []byte) (ipHdrLen, icmpLen int, src, dst tcpip.Address, ok bool) {
+	if len(payload) < header.IPv6MinimumSize {
+		return 0, 0, src, dst, false
+	}
+	ip := header.IPv6(payload)
+	declaredLen := int(ip.PayloadLength())
+	hdrEnd := header.IPv6MinimumSize + declaredLen
+	if hdrEnd > len(payload) {
+		return 0, 0, src, dst, false
+	}
+	icmpStart, ok := skipIPv6ExtensionsToICMPv6(payload, ip.NextHeader(), hdrEnd)
+	if !ok {
+		return 0, 0, src, dst, false
+	}
+	icmpLen = hdrEnd - icmpStart
+	if icmpLen < header.ICMPv6MinimumSize {
+		return 0, 0, src, dst, false
+	}
+	return icmpStart, icmpLen, ip.SourceAddress(), ip.DestinationAddress(), true
+}
+
+// skipIPv6ExtensionsToICMPv6 walks the IPv6 extension-header chain starting
+// after the fixed header. It advances past Hop-by-Hop, Routing, and
+// Destination Options headers (which share the NextHeader+ExtLen+6+ExtLen*8
+// layout) and returns the offset of the ICMPv6 payload. Fragment, ESP, AH,
+// and unknown identifiers are reported as not handleable so the caller can
+// defer to gVisor.
+func skipIPv6ExtensionsToICMPv6(payload []byte, next uint8, hdrEnd int) (int, bool) {
+	off := header.IPv6MinimumSize
+	for {
+		if next == uint8(header.ICMPv6ProtocolNumber) {
+			return off, true
+		}
+		if !isWalkableIPv6ExtHdr(next) {
+			return 0, false
+		}
+		newOff, newNext, ok := advanceIPv6ExtHdr(payload, off, hdrEnd)
+		if !ok {
+			return 0, false
+		}
+		off = newOff
+		next = newNext
+	}
+}
+
+func isWalkableIPv6ExtHdr(id uint8) bool {
+	switch id {
+	case uint8(header.IPv6HopByHopOptionsExtHdrIdentifier),
+		uint8(header.IPv6RoutingExtHdrIdentifier),
+		uint8(header.IPv6DestinationOptionsExtHdrIdentifier):
+		return true
+	}
+	return false
+}
+
+func advanceIPv6ExtHdr(payload []byte, off, hdrEnd int) (int, uint8, bool) {
+	if off+8 > hdrEnd {
+		return 0, 0, false
+	}
+	extLen := (int(payload[off+1]) + 1) * 8
+	if off+extLen > hdrEnd {
+		return 0, 0, false
+	}
+	return off + extLen, payload[off], true
+}
+
+func (f *Forwarder) handleICMPDirect(payload []byte) bool {
+	if len(payload) == 0 {
+		return false
+	}
+	var (
+		ipHdrLen int
+		icmpLen  int
+		srcAddr  tcpip.Address
+		dstAddr  tcpip.Address
+		ok       bool
+	)
+	version := payload[0] >> 4
+	switch version {
+	case 4:
+		ipHdrLen, icmpLen, srcAddr, dstAddr, ok = parseICMPv4(payload)
+	case 6:
+		ipHdrLen, icmpLen, srcAddr, dstAddr, ok = parseICMPv6(payload)
+	}
+	if !ok {
+		return false
+	}
+
+	// Let gVisor handle ICMP destined for our own addresses natively.
+	// Its network-layer auto-reply is correct and efficient for local traffic.
+	if f.ip.Equal(dstAddr) || f.ipv6.Equal(dstAddr) {
+		return false
+	}
+
+	id := stack.TransportEndpointID{
+		LocalAddress:  dstAddr,
+		RemoteAddress: srcAddr,
+	}
+
+	// Trim the buffer to the IP-declared length so gVisor doesn't see padding.
+	pkt := stack.NewPacketBuffer(stack.PacketBufferOptions{
+		Payload: buffer.MakeWithData(payload[:ipHdrLen+icmpLen]),
+	})
+	defer pkt.DecRef()
+
+	if _, ok := pkt.NetworkHeader().Consume(ipHdrLen); !ok {
+		return false
+	}
+	if _, ok := pkt.TransportHeader().Consume(icmpLen); !ok {
+		return false
+	}
+
+	if version == 6 {
+		return f.handleICMPv6(id, pkt)
+	}
+	return f.handleICMP(id, pkt)
+}
+
 // Stop gracefully shuts down the forwarder
 func (f *Forwarder) Stop() {
 	f.cancel()
@@ -177,11 +378,14 @@ func (f *Forwarder) Stop() {
 	f.stack.Wait()
 }

-func (f *Forwarder) determineDialAddr(addr tcpip.Address) net.IP {
+func (f *Forwarder) determineDialAddr(addr tcpip.Address) netip.Addr {
 	if f.netstack && f.ip.Equal(addr) {
-		return net.IPv4(127, 0, 0, 1)
+		return netip.AddrFrom4([4]byte{127, 0, 0, 1})
 	}
-	return addr.AsSlice()
+	if f.netstack && f.ipv6.Equal(addr) {
+		return netip.IPv6Loopback()
+	}
+	return addrToNetipAddr(addr)
 }

 func (f *Forwarder) RegisterRuleID(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, ruleID []byte) {
@@ -215,23 +419,50 @@ func buildKey(srcIP, dstIP netip.Addr, srcPort, dstPort uint16) conntrack.ConnKe
 	}
 }

+// addrFromNetipAddr converts a netip.Addr to a gvisor tcpip.Address without allocating.
+func addrFromNetipAddr(addr netip.Addr) tcpip.Address {
+	if !addr.IsValid() {
+		return tcpip.Address{}
+	}
+	if addr.Is4() {
+		return tcpip.AddrFrom4(addr.As4())
+	}
+	return tcpip.AddrFrom16(addr.As16())
+}
+
+// addrToNetipAddr converts a gvisor tcpip.Address to netip.Addr without allocating.
+func addrToNetipAddr(addr tcpip.Address) netip.Addr {
+	switch addr.Len() {
+	case 4:
+		return netip.AddrFrom4(addr.As4())
+	case 16:
+		return netip.AddrFrom16(addr.As16())
+	default:
+		return netip.Addr{}
+	}
+}
+
 // checkICMPCapability tests whether we have raw ICMP socket access at startup.
 func (f *Forwarder) checkICMPCapability() {
+	f.hasRawICMPAccess = probeRawICMP("ip4:icmp", "0.0.0.0", f.logger)
+	f.hasRawICMPv6Access = probeRawICMP("ip6:ipv6-icmp", "::", f.logger)
+}
+
+func probeRawICMP(network, addr string, logger *nblog.Logger) bool {
 	ctx, cancel := context.WithTimeout(context.Background(), 100*time.Millisecond)
 	defer cancel()

 	lc := net.ListenConfig{}
-	conn, err := lc.ListenPacket(ctx, "ip4:icmp", "0.0.0.0")
+	conn, err := lc.ListenPacket(ctx, network, addr)
 	if err != nil {
-		f.hasRawICMPAccess = false
-		f.logger.Debug("forwarder: No raw ICMP socket access, will use ping binary fallback")
-		return
+		logger.Debug1("forwarder: no raw %s socket access, will use ping binary fallback", network)
+		return false
 	}

 	if err := conn.Close(); err != nil {
-		f.logger.Debug1("forwarder: Failed to close ICMP capability test socket: %v", err)
+		logger.Debug2("forwarder: failed to close %s capability test socket: %v", network, err)
 	}

-	f.hasRawICMPAccess = true
-	f.logger.Debug("forwarder: Raw ICMP socket access available")
+	logger.Debug1("forwarder: raw %s socket access available", network)
+	return true
 }
--- a/client/firewall/uspfilter/forwarder/forwarder_test.go
+++ b/client/firewall/uspfilter/forwarder/forwarder_test.go
@@ -0,0 +1,162 @@
+package forwarder
+
+import (
+	"net/netip"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"gvisor.dev/gvisor/pkg/tcpip"
+	"gvisor.dev/gvisor/pkg/tcpip/header"
+)
+
+const echoRequestSize = 8
+
+func makeIPv6(t *testing.T, src, dst netip.Addr, nextHdr uint8, payload []byte) []byte {
+	t.Helper()
+	buf := make([]byte, header.IPv6MinimumSize+len(payload))
+	ip := header.IPv6(buf)
+	ip.Encode(&header.IPv6Fields{
+		PayloadLength:     uint16(len(payload)),
+		TransportProtocol: 0, // overwritten below to allow any value
+		HopLimit:          64,
+		SrcAddr:           tcpipAddrFromNetip(src),
+		DstAddr:           tcpipAddrFromNetip(dst),
+	})
+	buf[6] = nextHdr
+	copy(buf[header.IPv6MinimumSize:], payload)
+	return buf
+}
+
+func tcpipAddrFromNetip(a netip.Addr) tcpip.Address {
+	b := a.As16()
+	return tcpip.AddrFrom16(b)
+}
+
+func echoRequest() []byte {
+	icmp := make([]byte, echoRequestSize)
+	icmp[0] = uint8(header.ICMPv6EchoRequest)
+	return icmp
+}
+
+// extHdr builds a generic IPv6 extension header (HBH/Routing/DestOpts) of the
+// given total octet length (must be multiple of 8, >= 8) with the given next
+// header.
+func extHdr(t *testing.T, next uint8, totalLen int) []byte {
+	t.Helper()
+	require.GreaterOrEqual(t, totalLen, 8)
+	require.Equal(t, 0, totalLen%8)
+	buf := make([]byte, totalLen)
+	buf[0] = next
+	buf[1] = uint8(totalLen/8 - 1)
+	return buf
+}
+
+func TestParseICMPv6_NoExtensions(t *testing.T) {
+	src := netip.MustParseAddr("fd00::1")
+	dst := netip.MustParseAddr("fd00::2")
+	pkt := makeIPv6(t, src, dst, uint8(header.ICMPv6ProtocolNumber), echoRequest())
+
+	off, icmpLen, _, _, ok := parseICMPv6(pkt)
+	require.True(t, ok)
+	assert.Equal(t, header.IPv6MinimumSize, off)
+	assert.Equal(t, echoRequestSize, icmpLen)
+}
+
+func TestParseICMPv6_SingleExtension(t *testing.T) {
+	src := netip.MustParseAddr("fd00::1")
+	dst := netip.MustParseAddr("fd00::2")
+	hbh := extHdr(t, uint8(header.ICMPv6ProtocolNumber), 8)
+	payload := append([]byte{}, hbh...)
+	payload = append(payload, echoRequest()...)
+	pkt := makeIPv6(t, src, dst, uint8(header.IPv6HopByHopOptionsExtHdrIdentifier), payload)
+
+	off, icmpLen, _, _, ok := parseICMPv6(pkt)
+	require.True(t, ok)
+	assert.Equal(t, header.IPv6MinimumSize+8, off)
+	assert.Equal(t, echoRequestSize, icmpLen)
+}
+
+func TestParseICMPv6_ChainedExtensions(t *testing.T) {
+	src := netip.MustParseAddr("fd00::1")
+	dst := netip.MustParseAddr("fd00::2")
+	dest := extHdr(t, uint8(header.ICMPv6ProtocolNumber), 16)
+	rt := extHdr(t, uint8(header.IPv6DestinationOptionsExtHdrIdentifier), 8)
+	hbh := extHdr(t, uint8(header.IPv6RoutingExtHdrIdentifier), 8)
+	payload := append(append(append([]byte{}, hbh...), rt...), dest...)
+	payload = append(payload, echoRequest()...)
+	pkt := makeIPv6(t, src, dst, uint8(header.IPv6HopByHopOptionsExtHdrIdentifier), payload)
+
+	off, icmpLen, _, _, ok := parseICMPv6(pkt)
+	require.True(t, ok)
+	assert.Equal(t, header.IPv6MinimumSize+8+8+16, off)
+	assert.Equal(t, echoRequestSize, icmpLen)
+}
+
+func TestParseICMPv6_FragmentDefersToGVisor(t *testing.T) {
+	src := netip.MustParseAddr("fd00::1")
+	dst := netip.MustParseAddr("fd00::2")
+	pkt := makeIPv6(t, src, dst, uint8(header.IPv6FragmentExtHdrIdentifier), make([]byte, 8))
+
+	_, _, _, _, ok := parseICMPv6(pkt)
+	assert.False(t, ok)
+}
+
+func TestParseICMPv6_TruncatedExtension(t *testing.T) {
+	src := netip.MustParseAddr("fd00::1")
+	dst := netip.MustParseAddr("fd00::2")
+	// Extension claims 16 bytes but only 8 remain after the IP header.
+	hbh := []byte{uint8(header.ICMPv6ProtocolNumber), 1, 0, 0, 0, 0, 0, 0}
+	pkt := makeIPv6(t, src, dst, uint8(header.IPv6HopByHopOptionsExtHdrIdentifier), hbh)
+
+	_, _, _, _, ok := parseICMPv6(pkt)
+	assert.False(t, ok)
+}
+
+func TestParseICMPv6_TruncatedICMPPayload(t *testing.T) {
+	src := netip.MustParseAddr("fd00::1")
+	dst := netip.MustParseAddr("fd00::2")
+	// PayloadLength claims 8 bytes of ICMPv6 but the buffer only holds 4.
+	pkt := makeIPv6(t, src, dst, uint8(header.ICMPv6ProtocolNumber), make([]byte, 8))
+	pkt = pkt[:header.IPv6MinimumSize+4]
+
+	_, _, _, _, ok := parseICMPv6(pkt)
+	assert.False(t, ok)
+}
+
+func TestParseICMPv4_RejectsShortIHL(t *testing.T) {
+	pkt := make([]byte, 28)
+	pkt[0] = 0x44 // version 4, IHL 4 (16 bytes - below minimum)
+	pkt[9] = uint8(header.ICMPv4ProtocolNumber)
+	header.IPv4(pkt).SetTotalLength(28)
+
+	_, _, _, _, ok := parseICMPv4(pkt)
+	assert.False(t, ok)
+}
+
+func TestParseICMPv4_RejectsTotalLenOverBuffer(t *testing.T) {
+	pkt := make([]byte, header.IPv4MinimumSize+header.ICMPv4MinimumSize)
+	ip := header.IPv4(pkt)
+	ip.Encode(&header.IPv4Fields{
+		TotalLength: uint16(len(pkt) + 16),
+		Protocol:    uint8(header.ICMPv4ProtocolNumber),
+		TTL:         64,
+	})
+
+	_, _, _, _, ok := parseICMPv4(pkt)
+	assert.False(t, ok)
+}
+
+func TestParseICMPv4_RejectsFragment(t *testing.T) {
+	pkt := make([]byte, header.IPv4MinimumSize+header.ICMPv4MinimumSize)
+	ip := header.IPv4(pkt)
+	ip.Encode(&header.IPv4Fields{
+		TotalLength: uint16(len(pkt)),
+		Protocol:    uint8(header.ICMPv4ProtocolNumber),
+		TTL:         64,
+		Flags:       header.IPv4FlagMoreFragments,
+	})
+
+	_, _, _, _, ok := parseICMPv4(pkt)
+	assert.False(t, ok)
+}
--- a/client/firewall/uspfilter/forwarder/icmp.go
+++ b/client/firewall/uspfilter/forwarder/icmp.go
@@ -13,6 +13,7 @@ import (
 	"gvisor.dev/gvisor/pkg/tcpip/header"
 	"gvisor.dev/gvisor/pkg/tcpip/stack"

+	nblog "github.com/netbirdio/netbird/client/firewall/uspfilter/log"
 	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
 )

@@ -35,7 +36,7 @@ func (f *Forwarder) handleICMP(id stack.TransportEndpointID, pkt *stack.PacketBu
 	}

 	icmpData := stack.PayloadSince(pkt.TransportHeader()).AsSlice()
-	conn, err := f.forwardICMPPacket(id, icmpData, uint8(icmpHdr.Type()), uint8(icmpHdr.Code()), 100*time.Millisecond)
+	conn, err := f.forwardICMPPacket(id, icmpData, uint8(icmpHdr.Type()), uint8(icmpHdr.Code()), false, 100*time.Millisecond)
 	if err != nil {
 		f.logger.Error2("forwarder: Failed to forward ICMP packet for %v: %v", epID(id), err)
 		return true
@@ -58,7 +59,7 @@ func (f *Forwarder) handleICMPEcho(flowID uuid.UUID, id stack.TransportEndpointI
 			defer func() { <-f.pingSemaphore }()

 			if f.hasRawICMPAccess {
-				f.handleICMPViaSocket(flowID, id, icmpType, icmpCode, icmpData, rxBytes)
+				f.handleICMPViaSocket(flowID, id, icmpType, icmpCode, icmpData, rxBytes, false)
 			} else {
 				f.handleICMPViaPing(flowID, id, icmpType, icmpCode, icmpData, rxBytes)
 			}
@@ -72,18 +73,23 @@ func (f *Forwarder) handleICMPEcho(flowID uuid.UUID, id stack.TransportEndpointI

 // forwardICMPPacket creates a raw ICMP socket and sends the packet, returning the connection.
 // The caller is responsible for closing the returned connection.
-func (f *Forwarder) forwardICMPPacket(id stack.TransportEndpointID, payload []byte, icmpType, icmpCode uint8, timeout time.Duration) (net.PacketConn, error) {
+func (f *Forwarder) forwardICMPPacket(id stack.TransportEndpointID, payload []byte, icmpType, icmpCode uint8, v6 bool, timeout time.Duration) (net.PacketConn, error) {
 	ctx, cancel := context.WithTimeout(f.ctx, timeout)
 	defer cancel()

+	network, listenAddr := "ip4:icmp", "0.0.0.0"
+	if v6 {
+		network, listenAddr = "ip6:ipv6-icmp", "::"
+	}
+
 	lc := net.ListenConfig{}
-	conn, err := lc.ListenPacket(ctx, "ip4:icmp", "0.0.0.0")
+	conn, err := lc.ListenPacket(ctx, network, listenAddr)
 	if err != nil {
 		return nil, fmt.Errorf("create ICMP socket: %w", err)
 	}

 	dstIP := f.determineDialAddr(id.LocalAddress)
-	dst := &net.IPAddr{IP: dstIP}
+	dst := &net.IPAddr{IP: dstIP.AsSlice()}

 	if _, err = conn.WriteTo(payload, dst); err != nil {
 		if closeErr := conn.Close(); closeErr != nil {
@@ -92,17 +98,19 @@ func (f *Forwarder) forwardICMPPacket(id stack.TransportEndpointID, payload []by
 		return nil, fmt.Errorf("write ICMP packet: %w", err)
 	}

-	f.logger.Trace3("forwarder: Forwarded ICMP packet %v type %v code %v",
-		epID(id), icmpType, icmpCode)
+	if f.logger.Enabled(nblog.LevelTrace) {
+		f.logger.Trace3("forwarder: Forwarded ICMP packet %v type %v code %v",
+			epID(id), icmpType, icmpCode)
+	}

 	return conn, nil
 }

-// handleICMPViaSocket handles ICMP echo requests using raw sockets.
-func (f *Forwarder) handleICMPViaSocket(flowID uuid.UUID, id stack.TransportEndpointID, icmpType, icmpCode uint8, icmpData []byte, rxBytes int) {
+// handleICMPViaSocket handles ICMP echo requests using raw sockets for both v4 and v6.
+func (f *Forwarder) handleICMPViaSocket(flowID uuid.UUID, id stack.TransportEndpointID, icmpType, icmpCode uint8, icmpData []byte, rxBytes int, v6 bool) {
 	sendTime := time.Now()

-	conn, err := f.forwardICMPPacket(id, icmpData, icmpType, icmpCode, 5*time.Second)
+	conn, err := f.forwardICMPPacket(id, icmpData, icmpType, icmpCode, v6, 5*time.Second)
 	if err != nil {
 		f.logger.Error2("forwarder: Failed to send ICMP packet for %v: %v", epID(id), err)
 		return
@@ -113,16 +121,22 @@ func (f *Forwarder) handleICMPViaSocket(flowID uuid.UUID, id stack.TransportEndp
 		}
 	}()

-	txBytes := f.handleEchoResponse(conn, id)
+	txBytes := f.handleEchoResponse(conn, id, v6)
 	rtt := time.Since(sendTime).Round(10 * time.Microsecond)

-	f.logger.Trace4("forwarder: Forwarded ICMP echo reply %v type %v code %v (rtt=%v, raw socket)",
-		epID(id), icmpType, icmpCode, rtt)
+	if f.logger.Enabled(nblog.LevelTrace) {
+		proto := "ICMP"
+		if v6 {
+			proto = "ICMPv6"
+		}
+		f.logger.Trace5("forwarder: Forwarded %s echo reply %v type %v code %v (rtt=%v, raw socket)",
+			proto, epID(id), icmpType, icmpCode, rtt)
+	}

 	f.sendICMPEvent(nftypes.TypeEnd, flowID, id, icmpType, icmpCode, uint64(rxBytes), uint64(txBytes))
 }

-func (f *Forwarder) handleEchoResponse(conn net.PacketConn, id stack.TransportEndpointID) int {
+func (f *Forwarder) handleEchoResponse(conn net.PacketConn, id stack.TransportEndpointID, v6 bool) int {
 	if err := conn.SetReadDeadline(time.Now().Add(5 * time.Second)); err != nil {
 		f.logger.Error1("forwarder: Failed to set read deadline for ICMP response: %v", err)
 		return 0
@@ -137,6 +151,19 @@ func (f *Forwarder) handleEchoResponse(conn net.PacketConn, id stack.TransportEn
 		return 0
 	}

+	if v6 {
+		// Recompute checksum: the raw socket response has a checksum computed
+		// over the real endpoint addresses, but we inject with overlay addresses.
+		icmpHdr := header.ICMPv6(response[:n])
+		icmpHdr.SetChecksum(0)
+		icmpHdr.SetChecksum(header.ICMPv6Checksum(header.ICMPv6ChecksumParams{
+			Header: icmpHdr,
+			Src:    id.LocalAddress,
+			Dst:    id.RemoteAddress,
+		}))
+		return f.injectICMPv6Reply(id, response[:n])
+	}
+
 	return f.injectICMPReply(id, response[:n])
 }

@@ -150,19 +177,23 @@ func (f *Forwarder) sendICMPEvent(typ nftypes.Type, flowID uuid.UUID, id stack.T
 		txPackets = 1
 	}

-	srcIp := netip.AddrFrom4(id.RemoteAddress.As4())
-	dstIp := netip.AddrFrom4(id.LocalAddress.As4())
+	srcIp := addrToNetipAddr(id.RemoteAddress)
+	dstIp := addrToNetipAddr(id.LocalAddress)
+
+	proto := nftypes.ICMP
+	if srcIp.Is6() {
+		proto = nftypes.ICMPv6
+	}

 	fields := nftypes.EventFields{
 		FlowID:    flowID,
 		Type:      typ,
 		Direction: nftypes.Ingress,
-		Protocol:  nftypes.ICMP,
-		// TODO: handle ipv6
-		SourceIP: srcIp,
-		DestIP:   dstIp,
-		ICMPType: icmpType,
-		ICMPCode: icmpCode,
+		Protocol:  proto,
+		SourceIP:  srcIp,
+		DestIP:    dstIp,
+		ICMPType:  icmpType,
+		ICMPCode:  icmpCode,

 		RxBytes:   rxBytes,
 		TxBytes:   txBytes,
@@ -198,37 +229,179 @@ func (f *Forwarder) handleICMPViaPing(flowID uuid.UUID, id stack.TransportEndpoi
 	}
 	rtt := time.Since(pingStart).Round(10 * time.Microsecond)

-	f.logger.Trace3("forwarder: Forwarded ICMP echo request %v type %v code %v",
-		epID(id), icmpType, icmpCode)
+	if f.logger.Enabled(nblog.LevelTrace) {
+		f.logger.Trace3("forwarder: Forwarded ICMP echo request %v type %v code %v",
+			epID(id), icmpType, icmpCode)
+	}

 	txBytes := f.synthesizeEchoReply(id, icmpData)

-	f.logger.Trace4("forwarder: Forwarded ICMP echo reply %v type %v code %v (rtt=%v, ping binary)",
+	if f.logger.Enabled(nblog.LevelTrace) {
+		f.logger.Trace4("forwarder: Forwarded ICMP echo reply %v type %v code %v (rtt=%v, ping binary)",
+			epID(id), icmpType, icmpCode, rtt)
+	}
+
+	f.sendICMPEvent(nftypes.TypeEnd, flowID, id, icmpType, icmpCode, uint64(rxBytes), uint64(txBytes))
+}
+
+// handleICMPv6 handles ICMPv6 packets from the network stack.
+func (f *Forwarder) handleICMPv6(id stack.TransportEndpointID, pkt *stack.PacketBuffer) bool {
+	icmpHdr := header.ICMPv6(pkt.TransportHeader().View().AsSlice())
+
+	flowID := uuid.New()
+	f.sendICMPEvent(nftypes.TypeStart, flowID, id, uint8(icmpHdr.Type()), uint8(icmpHdr.Code()), 0, 0)
+
+	if icmpHdr.Type() == header.ICMPv6EchoRequest {
+		return f.handleICMPv6Echo(flowID, id, pkt, uint8(icmpHdr.Type()), uint8(icmpHdr.Code()))
+	}
+
+	// For non-echo types (Destination Unreachable, Packet Too Big, etc), forward without waiting
+	if !f.hasRawICMPv6Access {
+		f.logger.Debug2("forwarder: Cannot handle ICMPv6 type %v without raw socket access for %v", icmpHdr.Type(), epID(id))
+		return false
+	}
+
+	icmpData := stack.PayloadSince(pkt.TransportHeader()).AsSlice()
+	conn, err := f.forwardICMPPacket(id, icmpData, uint8(icmpHdr.Type()), uint8(icmpHdr.Code()), true, 100*time.Millisecond)
+	if err != nil {
+		f.logger.Error2("forwarder: Failed to forward ICMPv6 packet for %v: %v", epID(id), err)
+		return true
+	}
+	if err := conn.Close(); err != nil {
+		f.logger.Debug1("forwarder: Failed to close ICMPv6 socket: %v", err)
+	}
+
+	return true
+}
+
+// handleICMPv6Echo handles ICMPv6 echo requests via raw socket or ping binary fallback.
+func (f *Forwarder) handleICMPv6Echo(flowID uuid.UUID, id stack.TransportEndpointID, pkt *stack.PacketBuffer, icmpType, icmpCode uint8) bool {
+	select {
+	case f.pingSemaphore <- struct{}{}:
+		icmpData := stack.PayloadSince(pkt.TransportHeader()).ToSlice()
+		rxBytes := pkt.Size()
+
+		go func() {
+			defer func() { <-f.pingSemaphore }()
+
+			if f.hasRawICMPv6Access {
+				f.handleICMPViaSocket(flowID, id, icmpType, icmpCode, icmpData, rxBytes, true)
+			} else {
+				f.handleICMPv6ViaPing(flowID, id, icmpType, icmpCode, icmpData, rxBytes)
+			}
+		}()
+	default:
+		f.logger.Debug3("forwarder: ICMPv6 rate limit exceeded for %v type %v code %v", epID(id), icmpType, icmpCode)
+	}
+	return true
+}
+
+// handleICMPv6ViaPing uses the system ping6 binary for ICMPv6 echo.
+func (f *Forwarder) handleICMPv6ViaPing(flowID uuid.UUID, id stack.TransportEndpointID, icmpType, icmpCode uint8, icmpData []byte, rxBytes int) {
+	ctx, cancel := context.WithTimeout(f.ctx, 5*time.Second)
+	defer cancel()
+
+	dstIP := f.determineDialAddr(id.LocalAddress)
+	cmd := buildPingCommand(ctx, dstIP, 5*time.Second)
+
+	pingStart := time.Now()
+	if err := cmd.Run(); err != nil {
+		f.logger.Warn4("forwarder: Ping6 failed for %v type %v code %v: %v", epID(id), icmpType, icmpCode, err)
+		return
+	}
+	rtt := time.Since(pingStart).Round(10 * time.Microsecond)
+
+	f.logger.Trace3("forwarder: Forwarded ICMPv6 echo request %v type %v code %v",
+		epID(id), icmpType, icmpCode)
+
+	txBytes := f.synthesizeICMPv6EchoReply(id, icmpData)
+
+	f.logger.Trace4("forwarder: Forwarded ICMPv6 echo reply %v type %v code %v (rtt=%v, ping binary)",
 		epID(id), icmpType, icmpCode, rtt)

 	f.sendICMPEvent(nftypes.TypeEnd, flowID, id, icmpType, icmpCode, uint64(rxBytes), uint64(txBytes))
 }

+// synthesizeICMPv6EchoReply creates an ICMPv6 echo reply and injects it back.
+func (f *Forwarder) synthesizeICMPv6EchoReply(id stack.TransportEndpointID, icmpData []byte) int {
+	replyICMP := make([]byte, len(icmpData))
+	copy(replyICMP, icmpData)
+
+	replyHdr := header.ICMPv6(replyICMP)
+	replyHdr.SetType(header.ICMPv6EchoReply)
+	replyHdr.SetChecksum(0)
+	// ICMPv6Checksum computes the pseudo-header internally from Src/Dst.
+	// Header contains the full ICMP message, so PayloadCsum/PayloadLen are zero.
+	replyHdr.SetChecksum(header.ICMPv6Checksum(header.ICMPv6ChecksumParams{
+		Header: replyHdr,
+		Src:    id.LocalAddress,
+		Dst:    id.RemoteAddress,
+	}))
+
+	return f.injectICMPv6Reply(id, replyICMP)
+}
+
+// injectICMPv6Reply wraps an ICMPv6 payload in an IPv6 header and sends to the peer.
+func (f *Forwarder) injectICMPv6Reply(id stack.TransportEndpointID, icmpPayload []byte) int {
+	ipHdr := make([]byte, header.IPv6MinimumSize)
+	ip := header.IPv6(ipHdr)
+	ip.Encode(&header.IPv6Fields{
+		PayloadLength:     uint16(len(icmpPayload)),
+		TransportProtocol: header.ICMPv6ProtocolNumber,
+		HopLimit:          64,
+		SrcAddr:           id.LocalAddress,
+		DstAddr:           id.RemoteAddress,
+	})
+
+	fullPacket := make([]byte, 0, len(ipHdr)+len(icmpPayload))
+	fullPacket = append(fullPacket, ipHdr...)
+	fullPacket = append(fullPacket, icmpPayload...)
+
+	if err := f.endpoint.device.CreateOutboundPacket(fullPacket, id.RemoteAddress.AsSlice()); err != nil {
+		f.logger.Error1("forwarder: Failed to send ICMPv6 reply to peer: %v", err)
+		return 0
+	}
+
+	return len(fullPacket)
+}
+
+const (
+	pingBin  = "ping"
+	ping6Bin = "ping6"
+)
+
 // buildPingCommand creates a platform-specific ping command.
-func buildPingCommand(ctx context.Context, target net.IP, timeout time.Duration) *exec.Cmd {
+// Most platforms auto-detect IPv6 from raw addresses. macOS/iOS/OpenBSD require ping6.
+func buildPingCommand(ctx context.Context, target netip.Addr, timeout time.Duration) *exec.Cmd {
 	timeoutSec := int(timeout.Seconds())
 	if timeoutSec < 1 {
 		timeoutSec = 1
 	}

+	isV6 := target.Is6()
+	timeoutStr := fmt.Sprintf("%d", timeoutSec)
+
 	switch runtime.GOOS {
 	case "linux", "android":
-		return exec.CommandContext(ctx, "ping", "-c", "1", "-W", fmt.Sprintf("%d", timeoutSec), "-q", target.String())
+		return exec.CommandContext(ctx, pingBin, "-c", "1", "-W", timeoutStr, "-q", target.String())
 	case "darwin", "ios":
-		return exec.CommandContext(ctx, "ping", "-c", "1", "-t", fmt.Sprintf("%d", timeoutSec), "-q", target.String())
+		bin := pingBin
+		if isV6 {
+			bin = ping6Bin
+		}
+		return exec.CommandContext(ctx, bin, "-c", "1", "-t", timeoutStr, "-q", target.String())
 	case "freebsd":
-		return exec.CommandContext(ctx, "ping", "-c", "1", "-t", fmt.Sprintf("%d", timeoutSec), target.String())
+		return exec.CommandContext(ctx, pingBin, "-c", "1", "-t", timeoutStr, target.String())
 	case "openbsd", "netbsd":
-		return exec.CommandContext(ctx, "ping", "-c", "1", "-w", fmt.Sprintf("%d", timeoutSec), target.String())
+		bin := pingBin
+		if isV6 {
+			bin = ping6Bin
+		}
+		return exec.CommandContext(ctx, bin, "-c", "1", "-w", timeoutStr, target.String())
 	case "windows":
-		return exec.CommandContext(ctx, "ping", "-n", "1", "-w", fmt.Sprintf("%d", timeoutSec*1000), target.String())
+		return exec.CommandContext(ctx, pingBin, "-n", "1", "-w", fmt.Sprintf("%d", timeoutSec*1000), target.String())
 	default:
-		return exec.CommandContext(ctx, "ping", "-c", "1", target.String())
+		return exec.CommandContext(ctx, pingBin, "-c", "1", target.String())
 	}
 }

--- a/client/firewall/uspfilter/forwarder/tcp.go
+++ b/client/firewall/uspfilter/forwarder/tcp.go
@@ -1,12 +1,8 @@
 package forwarder

 import (
-	"context"
-	"fmt"
-	"io"
 	"net"
-	"net/netip"
-	"sync"
+	"strconv"

 	"github.com/google/uuid"

@@ -16,7 +12,9 @@ import (
 	"gvisor.dev/gvisor/pkg/tcpip/transport/tcp"
 	"gvisor.dev/gvisor/pkg/waiter"

+	nblog "github.com/netbirdio/netbird/client/firewall/uspfilter/log"
 	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
+	"github.com/netbirdio/netbird/util/netrelay"
 )

 // handleTCP is called by the TCP forwarder for new connections.
@@ -33,12 +31,14 @@ func (f *Forwarder) handleTCP(r *tcp.ForwarderRequest) {
 		}
 	}()

-	dialAddr := fmt.Sprintf("%s:%d", f.determineDialAddr(id.LocalAddress), id.LocalPort)
+	dialAddr := net.JoinHostPort(f.determineDialAddr(id.LocalAddress).String(), strconv.Itoa(int(id.LocalPort)))

 	outConn, err := (&net.Dialer{}).DialContext(f.ctx, "tcp", dialAddr)
 	if err != nil {
 		r.Complete(true)
-		f.logger.Trace2("forwarder: dial error for %v: %v", epID(id), err)
+		if f.logger.Enabled(nblog.LevelTrace) {
+			f.logger.Trace2("forwarder: dial error for %v: %v", epID(id), err)
+		}
 		return
 	}

@@ -61,64 +61,22 @@ func (f *Forwarder) handleTCP(r *tcp.ForwarderRequest) {
 	inConn := gonet.NewTCPConn(&wq, ep)

 	success = true
-	f.logger.Trace1("forwarder: established TCP connection %v", epID(id))
+	if f.logger.Enabled(nblog.LevelTrace) {
+		f.logger.Trace1("forwarder: established TCP connection %v", epID(id))
+	}

 	go f.proxyTCP(id, inConn, outConn, ep, flowID)
 }

 func (f *Forwarder) proxyTCP(id stack.TransportEndpointID, inConn *gonet.TCPConn, outConn net.Conn, ep tcpip.Endpoint, flowID uuid.UUID) {
+	// netrelay.Relay copies bidirectionally with proper half-close propagation
+	// and fully closes both conns before returning.
+	bytesFromInToOut, bytesFromOutToIn := netrelay.Relay(f.ctx, inConn, outConn, netrelay.Options{
+		Logger: f.logger,
+	})

-	ctx, cancel := context.WithCancel(f.ctx)
-	defer cancel()
-
-	go func() {
-		<-ctx.Done()
-		// Close connections and endpoint.
-		if err := inConn.Close(); err != nil && !isClosedError(err) {
-			f.logger.Debug1("forwarder: inConn close error: %v", err)
-		}
-		if err := outConn.Close(); err != nil && !isClosedError(err) {
-			f.logger.Debug1("forwarder: outConn close error: %v", err)
-		}
-
-		ep.Close()
-	}()
-
-	var wg sync.WaitGroup
-	wg.Add(2)
-
-	var (
-		bytesFromInToOut int64 // bytes from client to server (tx for client)
-		bytesFromOutToIn int64 // bytes from server to client (rx for client)
-		errInToOut       error
-		errOutToIn       error
-	)
-
-	go func() {
-		bytesFromInToOut, errInToOut = io.Copy(outConn, inConn)
-		cancel()
-		wg.Done()
-	}()
-
-	go func() {
-
-		bytesFromOutToIn, errOutToIn = io.Copy(inConn, outConn)
-		cancel()
-		wg.Done()
-	}()
-
-	wg.Wait()
-
-	if errInToOut != nil {
-		if !isClosedError(errInToOut) {
-			f.logger.Error2("proxyTCP: copy error (in → out) for %s: %v", epID(id), errInToOut)
-		}
-	}
-	if errOutToIn != nil {
-		if !isClosedError(errOutToIn) {
-			f.logger.Error2("proxyTCP: copy error (out → in) for %s: %v", epID(id), errOutToIn)
-		}
-	}
+	// Close the netstack endpoint after both conns are drained.
+	ep.Close()

 	var rxPackets, txPackets uint64
 	if tcpStats, ok := ep.Stats().(*tcp.Stats); ok {
@@ -127,21 +85,22 @@ func (f *Forwarder) proxyTCP(id stack.TransportEndpointID, inConn *gonet.TCPConn
 		txPackets = tcpStats.SegmentsReceived.Value()
 	}

-	f.logger.Trace5("forwarder: Removed TCP connection %s [in: %d Pkts/%d B, out: %d Pkts/%d B]", epID(id), rxPackets, bytesFromOutToIn, txPackets, bytesFromInToOut)
+	if f.logger.Enabled(nblog.LevelTrace) {
+		f.logger.Trace5("forwarder: Removed TCP connection %s [in: %d Pkts/%d B, out: %d Pkts/%d B]", epID(id), rxPackets, bytesFromOutToIn, txPackets, bytesFromInToOut)
+	}

 	f.sendTCPEvent(nftypes.TypeEnd, flowID, id, uint64(bytesFromOutToIn), uint64(bytesFromInToOut), rxPackets, txPackets)
 }

 func (f *Forwarder) sendTCPEvent(typ nftypes.Type, flowID uuid.UUID, id stack.TransportEndpointID, rxBytes, txBytes, rxPackets, txPackets uint64) {
-	srcIp := netip.AddrFrom4(id.RemoteAddress.As4())
-	dstIp := netip.AddrFrom4(id.LocalAddress.As4())
+	srcIp := addrToNetipAddr(id.RemoteAddress)
+	dstIp := addrToNetipAddr(id.LocalAddress)

 	fields := nftypes.EventFields{
-		FlowID:    flowID,
-		Type:      typ,
-		Direction: nftypes.Ingress,
-		Protocol:  nftypes.TCP,
-		// TODO: handle ipv6
+		FlowID:     flowID,
+		Type:       typ,
+		Direction:  nftypes.Ingress,
+		Protocol:   nftypes.TCP,
 		SourceIP:   srcIp,
 		DestIP:     dstIp,
 		SourcePort: id.RemotePort,
--- a/Show More
+++ b/Show More