Add tests for rotated files in bundle

When closing go routines and handling peer disconnect, we should avoid canceling the flow due to parent gRPC context cancellation.

This change triggers disconnection handling with a context that is not bound to the parent gRPC cancellation.

.golangci.yaml

@@ -92,9 +92,6 @@ linters:
       - linters:
           - unused
         path: client/firewall/iptables/rule\.go
-      - linters:
-          - unused
-        path: client/internal/dns/dnsfw/(types|syscall|zsyscall)_windows.*\.go
       - linters:
           - gosec
           - mirror

client/cmd/debug.go

@@ -19,6 +19,7 @@ import (
 	"github.com/netbirdio/netbird/client/server"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
 	"github.com/netbirdio/netbird/upload-server/types"
+	"github.com/netbirdio/netbird/version"
 )
 
 const errCloseConnection = "Failed to close connection: %v"
@@ -100,6 +101,7 @@ func debugBundle(cmd *cobra.Command, _ []string) error {
 		Anonymize:    anonymizeFlag,
 		SystemInfo:   systemInfoFlag,
 		LogFileCount: logFileCount,
+		CliVersion:   version.NetbirdVersion(),
 	}
 	if uploadBundleFlag {
 		request.UploadURL = uploadBundleURLFlag
@@ -298,6 +300,7 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 		Anonymize:    anonymizeFlag,
 		SystemInfo:   systemInfoFlag,
 		LogFileCount: logFileCount,
+		CliVersion:   version.NetbirdVersion(),
 	}
 	if uploadBundleFlag {
 		request.UploadURL = uploadBundleURLFlag
@@ -432,6 +435,7 @@ func generateDebugBundle(config *profilemanager.Config, recorder *peer.Status, c
 			SyncResponse:   syncResponse,
 			LogPath:        logFilePath,
 			CPUProfile:     nil,
+			DaemonVersion:  version.NetbirdVersion(), // acting as daemon
 		},
 		debug.BundleConfig{
 			IncludeSystemInfo: true,

client/cmd/service_controller.go

@@ -102,7 +102,7 @@ func (p *program) Stop(srv service.Service) error {
 }
 
 // Common setup for service control commands
-func setupServiceControlCommand(cmd *cobra.Command, ctx context.Context, cancel context.CancelFunc) (service.Service, error) {
+func setupServiceControlCommand(cmd *cobra.Command, ctx context.Context, cancel context.CancelFunc, consoleLog bool) (service.Service, error) {
 	// rootCmd env vars are already applied by PersistentPreRunE.
 	SetFlagsFromEnvVars(serviceCmd)
 
@@ -112,8 +112,14 @@ func setupServiceControlCommand(cmd *cobra.Command, ctx context.Context, cancel
 		return nil, err
 	}
 
-	if err := util.InitLog(logLevel, logFiles...); err != nil {
-		return nil, fmt.Errorf("init log: %w", err)
+	if consoleLog {
+		if err := util.InitLog(logLevel, util.LogConsole); err != nil {
+			return nil, fmt.Errorf("init log: %w", err)
+		}
+	} else {
+		if err := util.InitLog(logLevel, logFiles...); err != nil {
+			return nil, fmt.Errorf("init log: %w", err)
+		}
 	}
 
 	cfg, err := newSVCConfig()
@@ -138,7 +144,7 @@ var runCmd = &cobra.Command{
 		SetupCloseHandler(ctx, cancel)
 		SetupDebugHandler(ctx, nil, nil, nil, util.FindFirstLogPath(logFiles))
 
-		s, err := setupServiceControlCommand(cmd, ctx, cancel)
+		s, err := setupServiceControlCommand(cmd, ctx, cancel, false)
 		if err != nil {
 			return err
 		}
@@ -152,7 +158,7 @@ var startCmd = &cobra.Command{
 	Short: "starts NetBird service",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		ctx, cancel := context.WithCancel(cmd.Context())
-		s, err := setupServiceControlCommand(cmd, ctx, cancel)
+		s, err := setupServiceControlCommand(cmd, ctx, cancel, false)
 		if err != nil {
 			return err
 		}
@@ -170,7 +176,7 @@ var stopCmd = &cobra.Command{
 	Short: "stops NetBird service",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		ctx, cancel := context.WithCancel(cmd.Context())
-		s, err := setupServiceControlCommand(cmd, ctx, cancel)
+		s, err := setupServiceControlCommand(cmd, ctx, cancel, false)
 		if err != nil {
 			return err
 		}
@@ -188,7 +194,7 @@ var restartCmd = &cobra.Command{
 	Short: "restarts NetBird service",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		ctx, cancel := context.WithCancel(cmd.Context())
-		s, err := setupServiceControlCommand(cmd, ctx, cancel)
+		s, err := setupServiceControlCommand(cmd, ctx, cancel, false)
 		if err != nil {
 			return err
 		}
@@ -206,7 +212,7 @@ var svcStatusCmd = &cobra.Command{
 	Short: "shows NetBird service status",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		ctx, cancel := context.WithCancel(cmd.Context())
-		s, err := setupServiceControlCommand(cmd, ctx, cancel)
+		s, err := setupServiceControlCommand(cmd, ctx, cancel, true)
 		if err != nil {
 			return err
 		}

client/installer.nsis

@@ -260,15 +260,23 @@ WriteRegStr ${REG_ROOT} "${UNINSTALL_PATH}"  "Publisher" "${COMP_NAME}"
 
 WriteRegStr ${REG_ROOT} "${UI_REG_APP_PATH}" "" "$INSTDIR\${UI_APP_EXE}"
 
-; Create autostart registry entry based on checkbox
+; Drop Run, App Paths and Uninstall entries left in the 32-bit registry view
+; or HKCU by legacy installers.
+DetailPrint "Cleaning legacy 32-bit / HKCU entries..."
+DeleteRegValue HKCU "${AUTOSTART_REG_KEY}" "${APP_NAME}"
+SetRegView 32
+DeleteRegValue HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}"
+DeleteRegKey HKLM "${REG_APP_PATH}"
+DeleteRegKey HKLM "${UI_REG_APP_PATH}"
+DeleteRegKey HKLM "${UNINSTALL_PATH}"
+SetRegView 64
+
 DetailPrint "Autostart enabled: $AutostartEnabled"
 ${If} $AutostartEnabled == "1"
     WriteRegStr HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}" '"$INSTDIR\${UI_APP_EXE}.exe"'
     DetailPrint "Added autostart registry entry: $INSTDIR\${UI_APP_EXE}.exe"
 ${Else}
     DeleteRegValue HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}"
-    ; Legacy: pre-HKLM installs wrote to HKCU; clean that up too.
-    DeleteRegValue HKCU "${AUTOSTART_REG_KEY}" "${APP_NAME}"
     DetailPrint "Autostart not enabled by user"
 ${EndIf}
 
@@ -299,11 +307,16 @@ ExecWait '"$INSTDIR\${MAIN_APP_EXE}" service uninstall'
 DetailPrint "Terminating Netbird UI process..."
 ExecWait `taskkill /im ${UI_APP_EXE}.exe /f`
 
-; Remove autostart registry entry
+; Remove autostart entries from every view a previous installer may have used.
 DetailPrint "Removing autostart registry entry if exists..."
 DeleteRegValue HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}"
-; Legacy: pre-HKLM installs wrote to HKCU; clean that up too.
 DeleteRegValue HKCU "${AUTOSTART_REG_KEY}" "${APP_NAME}"
+SetRegView 32
+DeleteRegValue HKLM "${AUTOSTART_REG_KEY}" "${APP_NAME}"
+DeleteRegKey HKLM "${REG_APP_PATH}"
+DeleteRegKey HKLM "${UI_REG_APP_PATH}"
+DeleteRegKey HKLM "${UNINSTALL_PATH}"
+SetRegView 64
 
 ; Handle data deletion based on checkbox
 DetailPrint "Checking if user requested data deletion..."

client/internal/debug/debug.go

@@ -254,6 +254,8 @@ type BundleGenerator struct {
 	capturePath    string
 	refreshStatus  func() // Optional callback to refresh status before bundle generation
 	clientMetrics  MetricsExporter
+	daemonVersion  string
+	cliVersion     string
 
 	anonymize         bool
 	includeSystemInfo bool
@@ -278,6 +280,8 @@ type GeneratorDependencies struct {
 	CapturePath    string
 	RefreshStatus  func()
 	ClientMetrics  MetricsExporter
+	DaemonVersion  string
+	CliVersion     string
 }
 
 func NewBundleGenerator(deps GeneratorDependencies, cfg BundleConfig) *BundleGenerator {
@@ -299,6 +303,8 @@ func NewBundleGenerator(deps GeneratorDependencies, cfg BundleConfig) *BundleGen
 		capturePath:    deps.CapturePath,
 		refreshStatus:  deps.RefreshStatus,
 		clientMetrics:  deps.ClientMetrics,
+		daemonVersion:  deps.DaemonVersion,
+		cliVersion:     deps.CliVersion,
 
 		anonymize:         cfg.Anonymize,
 		includeSystemInfo: cfg.IncludeSystemInfo,
@@ -459,9 +465,11 @@ func (g *BundleGenerator) addStatus() error {
 		protoFullStatus := nbstatus.ToProtoFullStatus(fullStatus)
 		protoFullStatus.Events = g.statusRecorder.GetEventHistory()
 		overview := nbstatus.ConvertToStatusOutputOverview(protoFullStatus, nbstatus.ConvertOptions{
-			Anonymize:   g.anonymize,
-			ProfileName: profName,
+			Anonymize:     g.anonymize,
+			ProfileName:   profName,
+			DaemonVersion: g.daemonVersion,
 		})
+		overview.CliVersion = g.cliVersion
 		statusOutput := overview.FullDetailSummary()
 
 		statusReader := strings.NewReader(statusOutput)
@@ -1039,7 +1047,8 @@ func (g *BundleGenerator) addRotatedLogFiles(logDir string) {
 		return
 	}
 
-	pattern := filepath.Join(logDir, "client-*.log.gz")
+	// This regex will match both logs rotated by us and logrotate on linux
+	pattern := filepath.Join(logDir, "client*.log.*")
 	files, err := filepath.Glob(pattern)
 	if err != nil {
 		log.Warnf("failed to glob rotated logs: %v", err)
@@ -1072,7 +1081,12 @@ func (g *BundleGenerator) addRotatedLogFiles(logDir string) {
 
 	for i := 0; i < maxFiles; i++ {
 		name := filepath.Base(files[i])
-		if err := g.addSingleLogFileGz(files[i], name); err != nil {
+		if strings.HasSuffix(name, ".gz") {
+			err = g.addSingleLogFileGz(files[i], name)
+		} else {
+			err = g.addSingleLogfile(files[i], name)
+		}
+		if err != nil {
 			log.Warnf("failed to add rotated log %s: %v", name, err)
 		}
 	}

client/internal/debug/debug_logfiles_test.go

@@ -0,0 +1,103 @@
+package debug
+
+import (
+	"archive/zip"
+	"bytes"
+	"compress/gzip"
+	"io"
+	"os"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+)
+
+// TestAddRotatedLogFiles_PicksUpAllVariants asserts that the rotated-log
+// glob picks up logs rotated by timberjack (gzipped) and by logrotate (plain
+// and gzipped), and skips unrelated files.
+func TestAddRotatedLogFiles_PicksUpAllVariants(t *testing.T) {
+	dir := t.TempDir()
+
+	writeFile(t, filepath.Join(dir, "client.log"), "active log\n")
+	writeFile(t, filepath.Join(dir, "other.log"), "unrelated\n")
+
+	timberjackRotated := "client-2026-05-21T10-30-45.000.log.gz"
+	writeGzFile(t, filepath.Join(dir, timberjackRotated), "timberjack rotated content\n")
+
+	logrotatePlain := "client.log.1"
+	writeFile(t, filepath.Join(dir, logrotatePlain), "logrotate plain content\n")
+
+	logrotateGz := "client.log.2.gz"
+	writeGzFile(t, filepath.Join(dir, logrotateGz), "logrotate gz content\n")
+
+	names := runAddRotatedLogFiles(t, dir, 10)
+
+	require.Contains(t, names, timberjackRotated, "timberjack rotated file should be in bundle")
+	require.Contains(t, names, logrotatePlain, "logrotate plain rotated file should be in bundle")
+	require.Contains(t, names, logrotateGz, "logrotate gzipped rotated file should be in bundle")
+	require.NotContains(t, names, "client.log", "active log should not be added by addRotatedLogFiles")
+	require.NotContains(t, names, "other.log", "unrelated files should not be in bundle")
+}
+
+// TestAddRotatedLogFiles_RespectsLogFileCount asserts that only the newest
+// logFileCount rotated files are bundled, ordered by mtime.
+func TestAddRotatedLogFiles_RespectsLogFileCount(t *testing.T) {
+	dir := t.TempDir()
+
+	oldest := filepath.Join(dir, "client.log.3")
+	middle := filepath.Join(dir, "client.log.2")
+	newest := filepath.Join(dir, "client.log.1")
+	writeFile(t, oldest, "old\n")
+	writeFile(t, middle, "mid\n")
+	writeFile(t, newest, "new\n")
+
+	now := time.Now()
+	require.NoError(t, os.Chtimes(oldest, now.Add(-2*time.Hour), now.Add(-2*time.Hour)))
+	require.NoError(t, os.Chtimes(middle, now.Add(-1*time.Hour), now.Add(-1*time.Hour)))
+	require.NoError(t, os.Chtimes(newest, now, now))
+
+	names := runAddRotatedLogFiles(t, dir, 2)
+
+	require.Contains(t, names, "client.log.1")
+	require.Contains(t, names, "client.log.2")
+	require.NotContains(t, names, "client.log.3", "oldest file should be dropped when logFileCount=2")
+}
+
+// runAddRotatedLogFiles calls addRotatedLogFiles against a fresh in-memory
+// zip writer and returns the set of entry names that ended up in the archive.
+func runAddRotatedLogFiles(t *testing.T, dir string, logFileCount uint32) map[string]struct{} {
+	t.Helper()
+
+	var buf bytes.Buffer
+	g := &BundleGenerator{
+		archive:      zip.NewWriter(&buf),
+		logFileCount: logFileCount,
+	}
+	g.addRotatedLogFiles(dir)
+	require.NoError(t, g.archive.Close())
+
+	zr, err := zip.NewReader(bytes.NewReader(buf.Bytes()), int64(buf.Len()))
+	require.NoError(t, err)
+
+	names := make(map[string]struct{}, len(zr.File))
+	for _, f := range zr.File {
+		names[f.Name] = struct{}{}
+	}
+	return names
+}
+
+func writeFile(t *testing.T, path, content string) {
+	t.Helper()
+	require.NoError(t, os.WriteFile(path, []byte(content), 0o644))
+}
+
+func writeGzFile(t *testing.T, path, content string) {
+	t.Helper()
+	var buf bytes.Buffer
+	gw := gzip.NewWriter(&buf)
+	_, err := io.WriteString(gw, content)
+	require.NoError(t, err)
+	require.NoError(t, gw.Close())
+	require.NoError(t, os.WriteFile(path, buf.Bytes(), 0o644))
+}

client/internal/dns/dnsfw/config.go

@@ -1,63 +0,0 @@
-package dnsfw
-
-import (
-	"os"
-	"strconv"
-	"strings"
-
-	log "github.com/sirupsen/logrus"
-)
-
-const (
-	// EnvDisable disables the DNS firewall entirely when set to a truthy value.
-	EnvDisable = "NB_DISABLE_DNS_FIREWALL"
-	// EnvPorts overrides the comma-separated list of remote ports to block.
-	// Empty disables the firewall.
-	EnvPorts = "NB_DNS_FIREWALL_PORTS"
-	// EnvStrict enables strict mode: permit DNS only to the virtual DNS IP
-	// and the netbird daemon. Default mode also permits anything on the
-	// netbird tunnel interface, which is safer if NRPT is silently ignored
-	// by Windows but lets apps reach custom DNS servers via the tunnel.
-	EnvStrict = "NB_DNS_FIREWALL_STRICT"
-)
-
-// defaultBlockedPorts are the well-known DNS ports we block for non-netbird
-// processes: 53 (plain DNS) and 853 (DNS-over-TLS).
-var defaultBlockedPorts = []uint16{53, 853}
-
-// blockedPorts returns the effective port list, honoring env overrides.
-// A nil return means the firewall should not be installed.
-func blockedPorts() []uint16 {
-	if disabled, _ := strconv.ParseBool(os.Getenv(EnvDisable)); disabled {
-		log.Infof("dns firewall disabled via %s", EnvDisable)
-		return nil
-	}
-
-	override, ok := os.LookupEnv(EnvPorts)
-	if !ok {
-		return defaultBlockedPorts
-	}
-
-	var ports []uint16
-	for _, raw := range strings.Split(override, ",") {
-		raw = strings.TrimSpace(raw)
-		if raw == "" {
-			continue
-		}
-		port, err := strconv.ParseUint(raw, 10, 16)
-		if err != nil {
-			log.Warnf("dns firewall: ignoring invalid port %q in %s: %v", raw, EnvPorts, err)
-			continue
-		}
-		if port == 0 {
-			log.Warnf("dns firewall: ignoring port 0 in %s", EnvPorts)
-			continue
-		}
-		ports = append(ports, uint16(port))
-	}
-	if len(ports) == 0 {
-		log.Infof("dns firewall disabled: %s yielded no valid ports", EnvPorts)
-		return nil
-	}
-	return ports
-}

client/internal/dns/dnsfw/config_test.go

@@ -1,39 +0,0 @@
-package dnsfw
-
-import (
-	"reflect"
-	"testing"
-)
-
-func TestBlockedPorts(t *testing.T) {
-	tests := []struct {
-		name     string
-		disable  string
-		ports    string
-		setPorts bool
-		want     []uint16
-	}{
-		{name: "default", want: defaultBlockedPorts},
-		{name: "disabled", disable: "true", want: nil},
-		{name: "disabled false keeps default", disable: "false", want: defaultBlockedPorts},
-		{name: "override single port", ports: "53", setPorts: true, want: []uint16{53}},
-		{name: "override multi", ports: "53, 853 ,5353", setPorts: true, want: []uint16{53, 853, 5353}},
-		{name: "override empty disables", ports: "", setPorts: true, want: nil},
-		{name: "override invalid skipped", ports: "53,not-a-port,853", setPorts: true, want: []uint16{53, 853}},
-		{name: "override zero skipped", ports: "53,0,853", setPorts: true, want: []uint16{53, 853}},
-		{name: "override only invalid disables", ports: "abc", setPorts: true, want: nil},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Setenv(EnvDisable, tc.disable)
-			if tc.setPorts {
-				t.Setenv(EnvPorts, tc.ports)
-			}
-			got := blockedPorts()
-			if !reflect.DeepEqual(got, tc.want) {
-				t.Fatalf("blockedPorts() = %v, want %v", got, tc.want)
-			}
-		})
-	}
-}

client/internal/dns/dnsfw/dnsfw.go

@@ -1,16 +0,0 @@
-// Package dnsfw blocks DNS traffic from non-netbird processes when netbird is
-// managing the host's DNS, so that resolvers running on apps or libraries
-// outside netbird cannot bypass the configured DNS path.
-//
-// Implementation is Windows-only (uses WFP). On other platforms New returns
-// a no-op manager.
-package dnsfw
-
-import "net/netip"
-
-// Manager controls the per-tunnel DNS firewall. Both methods must be safe
-// to call multiple times.
-type Manager interface {
-	Enable(ifaceGUID string, virtualDNSIP netip.Addr) error
-	Disable() error
-}

client/internal/dns/dnsfw/dnsfw_other.go

@@ -1,15 +0,0 @@
-//go:build !windows
-
-package dnsfw
-
-import "net/netip"
-
-type noopManager struct{}
-
-func (noopManager) Enable(string, netip.Addr) error { return nil }
-func (noopManager) Disable() error                  { return nil }
-
-// New returns a no-op manager on non-Windows platforms.
-func New() Manager {
-	return noopManager{}
-}

client/internal/dns/dnsfw/dnsfw_windows.go

@@ -1,144 +0,0 @@
-//go:build windows
-
-package dnsfw
-
-import (
-	"fmt"
-	"net/netip"
-	"os"
-	"strconv"
-	"sync"
-	"unsafe"
-
-	log "github.com/sirupsen/logrus"
-	"golang.org/x/sys/windows"
-)
-
-var (
-	modIphlpapi                    = windows.NewLazyDLL("iphlpapi.dll")
-	procConvertInterfaceGuidToLuid = modIphlpapi.NewProc("ConvertInterfaceGuidToLuid")
-)
-
-type windowsManager struct {
-	mu sync.Mutex
-	// session is the WFP engine handle. Zero when disabled.
-	session uintptr
-}
-
-// Enable installs the dns firewall. Strict mode propagates failures;
-// non-strict mode logs and returns nil so partial protection is preserved.
-func (m *windowsManager) Enable(ifaceGUID string, virtualDNSIP netip.Addr) error {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-
-	ports := blockedPorts()
-	if len(ports) == 0 {
-		return nil
-	}
-
-	if m.session != 0 {
-		if err := m.disableLocked(); err != nil {
-			return fmt.Errorf("reset existing dns firewall session: %w", err)
-		}
-	}
-
-	strict := strictMode()
-
-	luid, err := luidFromGUID(ifaceGUID)
-	if err != nil {
-		return m.failOrLog(strict, fmt.Errorf("resolve tun luid from guid %s: %w", ifaceGUID, err))
-	}
-
-	exe, err := os.Executable()
-	if err != nil {
-		return m.failOrLog(strict, fmt.Errorf("resolve daemon executable path: %w", err))
-	}
-
-	cfg := installConfig{
-		tunLUID:      luid,
-		daemonExe:    exe,
-		blockedPorts: ports,
-		strict:       strict,
-		virtualDNSIP: virtualDNSIP,
-	}
-	// session==0 signals a hard failure; non-zero with non-nil err is a partial install.
-	session, installErr := installFilters(cfg)
-	if session == 0 {
-		return m.failOrLog(strict, fmt.Errorf("install dns firewall filters: %w", installErr))
-	}
-
-	if installErr != nil && strict {
-		_ = closeSession(session)
-		return fmt.Errorf("strict dns firewall: partial install: %w", installErr)
-	}
-
-	m.session = session
-	log.Infof("dns firewall installed: iface=%s daemon=%s ports=%v strict=%v virtual_dns=%s",
-		ifaceGUID, exe, ports, strict, virtualDNSIP)
-	if installErr != nil {
-		log.Warnf("dns firewall partially installed (some filters failed): %v", installErr)
-	}
-	return nil
-}
-
-func (m *windowsManager) Disable() error {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-	return m.disableLocked()
-}
-
-func (m *windowsManager) disableLocked() error {
-	if m.session == 0 {
-		return nil
-	}
-	session := m.session
-	m.session = 0
-	if err := closeSession(session); err != nil {
-		return fmt.Errorf("close wfp session: %w", err)
-	}
-	log.Info("dns firewall removed")
-	return nil
-}
-
-// failOrLog returns err unchanged in strict mode. In non-strict mode the
-// error is logged and nil is returned.
-func (m *windowsManager) failOrLog(strict bool, err error) error {
-	if strict {
-		return err
-	}
-	log.Errorf("dns firewall: %v", err)
-	return nil
-}
-
-// New returns a Windows DNS firewall manager backed by WFP.
-func New() Manager {
-	return &windowsManager{}
-}
-
-// strictMode reports whether strict mode is enabled via env.
-func strictMode() bool {
-	v, _ := strconv.ParseBool(os.Getenv(EnvStrict))
-	return v
-}
-
-// luidFromGUID converts a Windows interface GUID string to its LUID.
-func luidFromGUID(ifaceGUID string) (luid uint64, err error) {
-	defer func() {
-		if r := recover(); r != nil {
-			err = fmt.Errorf("panic in luidFromGUID: %v", r)
-		}
-	}()
-
-	guid, err := windows.GUIDFromString(ifaceGUID)
-	if err != nil {
-		return 0, fmt.Errorf("parse guid: %w", err)
-	}
-	rc, _, _ := procConvertInterfaceGuidToLuid.Call(
-		uintptr(unsafe.Pointer(&guid)),
-		uintptr(unsafe.Pointer(&luid)),
-	)
-	if rc != 0 {
-		return 0, fmt.Errorf("ConvertInterfaceGuidToLuid returned %d", rc)
-	}
-	return luid, nil
-}

client/internal/dns/dnsfw/dnsfw_windows_test.go

@@ -1,72 +0,0 @@
-//go:build windows
-
-package dnsfw
-
-import (
-	"net/netip"
-	"os"
-	"testing"
-)
-
-func TestStrictMode(t *testing.T) {
-	tests := []struct {
-		name string
-		val  string
-		set  bool
-		want bool
-	}{
-		{name: "unset", want: false},
-		{name: "true", val: "true", set: true, want: true},
-		{name: "1", val: "1", set: true, want: true},
-		{name: "false", val: "false", set: true, want: false},
-		{name: "invalid is false", val: "garbage", set: true, want: false},
-	}
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Setenv(EnvStrict, tc.val)
-			if !tc.set {
-				os.Unsetenv(EnvStrict)
-			}
-			if got := strictMode(); got != tc.want {
-				t.Fatalf("strictMode() = %v, want %v", got, tc.want)
-			}
-		})
-	}
-}
-
-func TestWindowsManagerDisableIdempotent(t *testing.T) {
-	m := &windowsManager{}
-	if err := m.Disable(); err != nil {
-		t.Fatalf("first Disable on fresh manager: %v", err)
-	}
-	if err := m.Disable(); err != nil {
-		t.Fatalf("second Disable on fresh manager: %v", err)
-	}
-	if m.session != 0 {
-		t.Fatalf("session should remain zero, got %d", m.session)
-	}
-}
-
-func TestWindowsManagerEnableNoOpWhenDisabledByEnv(t *testing.T) {
-	t.Setenv(EnvDisable, "true")
-
-	m := &windowsManager{}
-	if err := m.Enable("00000000-0000-0000-0000-000000000000", netip.Addr{}); err != nil {
-		t.Fatalf("Enable should be a no-op when firewall disabled by env: %v", err)
-	}
-	if m.session != 0 {
-		t.Fatalf("session must remain zero when env disables firewall, got %d", m.session)
-	}
-}
-
-func TestWindowsManagerEnableNoOpWhenPortsEmpty(t *testing.T) {
-	t.Setenv(EnvPorts, "")
-
-	m := &windowsManager{}
-	if err := m.Enable("00000000-0000-0000-0000-000000000000", netip.Addr{}); err != nil {
-		t.Fatalf("Enable should be a no-op when ports list is empty: %v", err)
-	}
-	if m.session != 0 {
-		t.Fatalf("session must remain zero when ports list is empty, got %d", m.session)
-	}
-}

client/internal/dns/dnsfw/helpers_windows.go

@@ -1,53 +0,0 @@
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
- *
- * Adapted from wireguard-windows tunnel/firewall/helpers.go.
- */
-
-package dnsfw
-
-import (
-	"errors"
-	"fmt"
-	"runtime"
-	"syscall"
-
-	"golang.org/x/sys/windows"
-)
-
-func createWtFwpmDisplayData0(name, description string) (*wtFwpmDisplayData0, error) {
-	namePtr, err := windows.UTF16PtrFromString(name)
-	if err != nil {
-		return nil, wrapErr(err)
-	}
-
-	descriptionPtr, err := windows.UTF16PtrFromString(description)
-	if err != nil {
-		return nil, wrapErr(err)
-	}
-
-	return &wtFwpmDisplayData0{
-		name:        namePtr,
-		description: descriptionPtr,
-	}, nil
-}
-
-func filterWeight(weight uint8) wtFwpValue0 {
-	return wtFwpValue0{
-		_type: cFWP_UINT8,
-		value: uintptr(weight),
-	}
-}
-
-func wrapErr(err error) error {
-	var errno syscall.Errno
-	if !errors.As(err, &errno) {
-		return err
-	}
-	_, file, line, ok := runtime.Caller(1)
-	if !ok {
-		return fmt.Errorf("wfp error at unknown location: %w", err)
-	}
-	return fmt.Errorf("wfp error at %s:%d: %w", file, line, err)
-}

client/internal/dns/dnsfw/rules_windows.go

@@ -1,249 +0,0 @@
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
- * Copyright (C) 2026 NetBird GmbH. All Rights Reserved.
- *
- * Filter installers adapted from wireguard-windows tunnel/firewall/rules.go.
- * The block-DNS approach (port 53 + UDP/TCP) matches what wireguard-windows
- * uses for its kill-switch DNS leak protection. We extend it with a
- * configurable port set so we also cover :853 (DoT) and any future ports.
- */
-
-package dnsfw
-
-import (
-	"encoding/binary"
-	"fmt"
-	"net/netip"
-	"unsafe"
-
-	"github.com/hashicorp/go-multierror"
-	"golang.org/x/sys/windows"
-
-	nberrors "github.com/netbirdio/netbird/client/errors"
-)
-
-// Filters install at outbound ALE_AUTH_CONNECT layers only; inbound replies
-// follow the authorized outbound flow.
-
-// permitTunInterface installs a permit filter for any traffic whose local
-// interface is the netbird tunnel.
-func permitTunInterface(session uintptr, base *baseObjects, weight uint8, ifLUID uint64) error {
-	cond := wtFwpmFilterCondition0{
-		fieldKey:  cFWPM_CONDITION_IP_LOCAL_INTERFACE,
-		matchType: cFWP_MATCH_EQUAL,
-		conditionValue: wtFwpConditionValue0{
-			_type: cFWP_UINT64,
-			value: uintptr(unsafe.Pointer(&ifLUID)),
-		},
-	}
-
-	filter := wtFwpmFilter0{
-		providerKey:         &base.provider,
-		subLayerKey:         base.filters,
-		weight:              filterWeight(weight),
-		numFilterConditions: 1,
-		filterCondition:     (*wtFwpmFilterCondition0)(unsafe.Pointer(&cond)),
-		action:              wtFwpmAction0{_type: cFWP_ACTION_PERMIT},
-	}
-
-	return addOutboundFilters(session, &filter, "Permit netbird tunnel")
-}
-
-// permitDaemonByAppID installs a permit filter matching the netbird daemon
-// executable by App-ID. App-ID alone is sufficient because netbird.exe is a
-// dedicated binary.
-func permitDaemonByAppID(session uintptr, base *baseObjects, daemonExe string, weight uint8) error {
-	appID, err := daemonAppID(daemonExe)
-	if err != nil {
-		return err
-	}
-	defer fwpmFreeMemory0(unsafe.Pointer(&appID))
-
-	cond := wtFwpmFilterCondition0{
-		fieldKey:  cFWPM_CONDITION_ALE_APP_ID,
-		matchType: cFWP_MATCH_EQUAL,
-		conditionValue: wtFwpConditionValue0{
-			_type: cFWP_BYTE_BLOB_TYPE,
-			value: uintptr(unsafe.Pointer(appID)),
-		},
-	}
-
-	filter := wtFwpmFilter0{
-		providerKey:         &base.provider,
-		subLayerKey:         base.filters,
-		weight:              filterWeight(weight),
-		numFilterConditions: 1,
-		filterCondition:     (*wtFwpmFilterCondition0)(unsafe.Pointer(&cond)),
-		action:              wtFwpmAction0{_type: cFWP_ACTION_PERMIT},
-	}
-
-	return addOutboundFilters(session, &filter, "Permit netbird daemon")
-}
-
-// permitVirtualDNSIP installs a permit filter for DNS-port traffic destined
-// for the in-tunnel virtual DNS IP. Used in strict mode in lieu of
-// permitTunInterface.
-func permitVirtualDNSIP(session uintptr, base *baseObjects, ip netip.Addr, ports []uint16, weight uint8) error {
-	var merr *multierror.Error
-	for _, port := range ports {
-		if err := permitDNSToHost(session, base, ip, port, weight); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("permit %s:%d: %w", ip, port, err))
-		}
-	}
-	return nberrors.FormatErrorOrNil(merr)
-}
-
-func permitDNSToHost(session uintptr, base *baseObjects, ip netip.Addr, port uint16, weight uint8) error {
-	if !ip.IsValid() {
-		return fmt.Errorf("invalid address")
-	}
-
-	var addrCond wtFwpmFilterCondition0
-	var layer windows.GUID
-	// v6 backing must outlive fwpmFilterAdd0; keep it on this stack frame.
-	var v6 wtFwpByteArray16
-
-	if ip.Is4() {
-		v4 := ip.As4()
-		addrCond = wtFwpmFilterCondition0{
-			fieldKey:  cFWPM_CONDITION_IP_REMOTE_ADDRESS,
-			matchType: cFWP_MATCH_EQUAL,
-			conditionValue: wtFwpConditionValue0{
-				_type: cFWP_UINT32,
-				value: uintptr(binary.BigEndian.Uint32(v4[:])),
-			},
-		}
-		layer = cFWPM_LAYER_ALE_AUTH_CONNECT_V4
-	} else {
-		v6 = wtFwpByteArray16{byteArray16: ip.As16()}
-		addrCond = wtFwpmFilterCondition0{
-			fieldKey:  cFWPM_CONDITION_IP_REMOTE_ADDRESS,
-			matchType: cFWP_MATCH_EQUAL,
-			conditionValue: wtFwpConditionValue0{
-				_type: cFWP_BYTE_ARRAY16_TYPE,
-				value: uintptr(unsafe.Pointer(&v6)),
-			},
-		}
-		layer = cFWPM_LAYER_ALE_AUTH_CONNECT_V6
-	}
-
-	conditions := [2]wtFwpmFilterCondition0{
-		addrCond,
-		{
-			fieldKey:  cFWPM_CONDITION_IP_REMOTE_PORT,
-			matchType: cFWP_MATCH_EQUAL,
-			conditionValue: wtFwpConditionValue0{
-				_type: cFWP_UINT16,
-				value: uintptr(port),
-			},
-		},
-	}
-	filter := wtFwpmFilter0{
-		providerKey:         &base.provider,
-		subLayerKey:         base.filters,
-		weight:              filterWeight(weight),
-		numFilterConditions: uint32(len(conditions)),
-		filterCondition:     (*wtFwpmFilterCondition0)(unsafe.Pointer(&conditions[0])),
-		action:              wtFwpmAction0{_type: cFWP_ACTION_PERMIT},
-	}
-
-	display, err := createWtFwpmDisplayData0(fmt.Sprintf("Permit DNS to %s:%d", ip, port), "")
-	if err != nil {
-		return wrapErr(err)
-	}
-	filter.displayData = *display
-	filter.layerKey = layer
-
-	var filterID uint64
-	if err := fwpmFilterAdd0(session, &filter, 0, &filterID); err != nil {
-		return wrapErr(err)
-	}
-	_ = v6
-	return nil
-}
-
-// blockDNSPorts installs a deny filter for outbound traffic to each of the
-// given remote ports over UDP or TCP. Per-port and per-layer failures are
-// accumulated; partial coverage is preferred over zero coverage.
-func blockDNSPorts(session uintptr, base *baseObjects, ports []uint16, weight uint8) error {
-	var merr *multierror.Error
-	for _, port := range ports {
-		if err := blockDNSPort(session, base, port, weight); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("block port %d: %w", port, err))
-		}
-	}
-	return nberrors.FormatErrorOrNil(merr)
-}
-
-func blockDNSPort(session uintptr, base *baseObjects, port uint16, weight uint8) error {
-	conditions := [3]wtFwpmFilterCondition0{
-		{
-			fieldKey:  cFWPM_CONDITION_IP_REMOTE_PORT,
-			matchType: cFWP_MATCH_EQUAL,
-			conditionValue: wtFwpConditionValue0{
-				_type: cFWP_UINT16,
-				value: uintptr(port),
-			},
-		},
-		{
-			fieldKey:  cFWPM_CONDITION_IP_PROTOCOL,
-			matchType: cFWP_MATCH_EQUAL,
-			conditionValue: wtFwpConditionValue0{
-				_type: cFWP_UINT8,
-				value: uintptr(cIPPROTO_UDP),
-			},
-		},
-		// Repeat the IP_PROTOCOL condition for logical OR with TCP.
-		{
-			fieldKey:  cFWPM_CONDITION_IP_PROTOCOL,
-			matchType: cFWP_MATCH_EQUAL,
-			conditionValue: wtFwpConditionValue0{
-				_type: cFWP_UINT8,
-				value: uintptr(cIPPROTO_TCP),
-			},
-		},
-	}
-
-	filter := wtFwpmFilter0{
-		providerKey:         &base.provider,
-		subLayerKey:         base.filters,
-		weight:              filterWeight(weight),
-		numFilterConditions: uint32(len(conditions)),
-		filterCondition:     (*wtFwpmFilterCondition0)(unsafe.Pointer(&conditions[0])),
-		action:              wtFwpmAction0{_type: cFWP_ACTION_BLOCK},
-	}
-
-	return addOutboundFilters(session, &filter, fmt.Sprintf("Block DNS port %d", port))
-}
-
-// addOutboundFilters installs the same filter on the v4 and v6 outbound ALE
-// connect layers. v4 and v6 are installed independently: failure on one
-// layer does not abort the other, and the accumulated errors are returned.
-// Partial coverage is preferred over zero coverage.
-func addOutboundFilters(session uintptr, filter *wtFwpmFilter0, name string) error {
-	layers := [...]struct {
-		layer windows.GUID
-		label string
-	}{
-		{cFWPM_LAYER_ALE_AUTH_CONNECT_V4, name + " (IPv4)"},
-		{cFWPM_LAYER_ALE_AUTH_CONNECT_V6, name + " (IPv6)"},
-	}
-
-	var merr *multierror.Error
-	for _, l := range layers {
-		display, err := createWtFwpmDisplayData0(l.label, "")
-		if err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("%s: %w", l.label, wrapErr(err)))
-			continue
-		}
-		filter.displayData = *display
-		filter.layerKey = l.layer
-
-		var filterID uint64
-		if err := fwpmFilterAdd0(session, filter, 0, &filterID); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("%s: %w", l.label, wrapErr(err)))
-		}
-	}
-	return nberrors.FormatErrorOrNil(merr)
-}

client/internal/dns/dnsfw/session_windows.go

@@ -1,177 +0,0 @@
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
- * Copyright (C) 2026 NetBird GmbH. All Rights Reserved.
- *
- * Session lifecycle and the high-level Install/Close entry points adapted
- * from wireguard-windows tunnel/firewall.
- */
-
-package dnsfw
-
-import (
-	"errors"
-	"fmt"
-	"net/netip"
-	"unsafe"
-
-	"github.com/hashicorp/go-multierror"
-	"golang.org/x/sys/windows"
-
-	nberrors "github.com/netbirdio/netbird/client/errors"
-)
-
-// installConfig is the input to installFilters.
-type installConfig struct {
-	tunLUID      uint64
-	daemonExe    string
-	blockedPorts []uint16
-	// strict, when true, narrows the carve-out from "anything on tun" to
-	// "DNS only to virtualDNSIP". virtualDNSIP must be valid in this case.
-	strict       bool
-	virtualDNSIP netip.Addr
-}
-
-// baseObjects holds the GUIDs of the WFP provider and sublayer registered
-// for our session. Both are randomly generated per session.
-type baseObjects struct {
-	provider windows.GUID
-	filters  windows.GUID
-}
-
-// installFilters opens a dynamic WFP session and installs the netbird DNS
-// firewall filters. Returns a zero session on hard failure (session create,
-// base objects); a non-zero session with a non-nil error is a partial install
-// (some per-filter installs failed) and is safe to close.
-func installFilters(cfg installConfig) (session uintptr, err error) {
-	defer func() {
-		if r := recover(); r != nil {
-			// Dynamic session: kernel will clean up on process exit even
-			// if we leave the handle dangling here.
-			err = fmt.Errorf("panic in installFilters: %v", r)
-		}
-	}()
-
-	if len(cfg.blockedPorts) == 0 {
-		return 0, errors.New("dns firewall: no blocked ports configured")
-	}
-	if cfg.strict && !cfg.virtualDNSIP.IsValid() {
-		return 0, errors.New("dns firewall: strict mode requires a valid virtual DNS IP")
-	}
-
-	session, err = createSession()
-	if err != nil {
-		return 0, err
-	}
-
-	base, err := registerBaseObjects(session)
-	if err != nil {
-		_ = fwpmEngineClose0(session)
-		return 0, fmt.Errorf("register base objects: %w", err)
-	}
-
-	var merr *multierror.Error
-	if cfg.strict {
-		if err := permitVirtualDNSIP(session, base, cfg.virtualDNSIP, cfg.blockedPorts, 15); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("permit virtual dns: %w", err))
-		}
-	} else {
-		if err := permitTunInterface(session, base, 15, cfg.tunLUID); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("permit tun interface: %w", err))
-		}
-	}
-	if err := permitDaemonByAppID(session, base, cfg.daemonExe, 14); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("permit netbird daemon: %w", err))
-	}
-	if err := blockDNSPorts(session, base, cfg.blockedPorts, 10); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("block dns ports: %w", err))
-	}
-
-	return session, nberrors.FormatErrorOrNil(merr)
-}
-
-// closeSession tears down a WFP session previously opened by installFilters.
-// All filters owned by the session are removed.
-func closeSession(session uintptr) (err error) {
-	defer func() {
-		if r := recover(); r != nil {
-			err = fmt.Errorf("panic in closeSession: %v", r)
-		}
-	}()
-
-	if session == 0 {
-		return nil
-	}
-	if err := fwpmEngineClose0(session); err != nil {
-		return wrapErr(err)
-	}
-	return nil
-}
-
-func createSession() (uintptr, error) {
-	displayData, err := createWtFwpmDisplayData0("NetBird DNS firewall", "NetBird DNS firewall dynamic session")
-	if err != nil {
-		return 0, wrapErr(err)
-	}
-	session := wtFwpmSession0{
-		displayData:          *displayData,
-		flags:                cFWPM_SESSION_FLAG_DYNAMIC,
-		txnWaitTimeoutInMSec: windows.INFINITE,
-	}
-	var handle uintptr
-	if err := fwpmEngineOpen0(nil, cRPC_C_AUTHN_WINNT, nil, &session, unsafe.Pointer(&handle)); err != nil {
-		return 0, wrapErr(err)
-	}
-	return handle, nil
-}
-
-func registerBaseObjects(session uintptr) (*baseObjects, error) {
-	bo := &baseObjects{}
-	var err error
-	if bo.provider, err = windows.GenerateGUID(); err != nil {
-		return nil, wrapErr(err)
-	}
-	if bo.filters, err = windows.GenerateGUID(); err != nil {
-		return nil, wrapErr(err)
-	}
-
-	displayData, err := createWtFwpmDisplayData0("NetBird DNS firewall", "NetBird DNS firewall provider")
-	if err != nil {
-		return nil, wrapErr(err)
-	}
-	provider := wtFwpmProvider0{
-		providerKey: bo.provider,
-		displayData: *displayData,
-	}
-	if err := fwpmProviderAdd0(session, &provider, 0); err != nil {
-		return nil, wrapErr(err)
-	}
-
-	subDisplay, err := createWtFwpmDisplayData0("NetBird DNS firewall filters", "Permit and block filters")
-	if err != nil {
-		return nil, wrapErr(err)
-	}
-	sublayer := wtFwpmSublayer0{
-		subLayerKey: bo.filters,
-		displayData: *subDisplay,
-		providerKey: &bo.provider,
-		weight:      ^uint16(0),
-	}
-	if err := fwpmSubLayerAdd0(session, &sublayer, 0); err != nil {
-		return nil, wrapErr(err)
-	}
-	return bo, nil
-}
-
-// daemonAppID returns the WFP App-ID byte blob for the given executable path.
-func daemonAppID(path string) (*wtFwpByteBlob, error) {
-	pathPtr, err := windows.UTF16PtrFromString(path)
-	if err != nil {
-		return nil, wrapErr(err)
-	}
-	var appID *wtFwpByteBlob
-	if err := fwpmGetAppIdFromFileName0(pathPtr, unsafe.Pointer(&appID)); err != nil {
-		return nil, wrapErr(err)
-	}
-	return appID, nil
-}

client/internal/dns/dnsfw/syscall_windows.go

@@ -1,38 +0,0 @@
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
- *
- * Adapted from wireguard-windows tunnel/firewall/syscall_windows.go.
- */
-
-package dnsfw
-
-// https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmengineopen0
-//sys	fwpmEngineOpen0(serverName *uint16, authnService wtRpcCAuthN, authIdentity *uintptr, session *wtFwpmSession0, engineHandle unsafe.Pointer) (err error) [failretval!=0] = fwpuclnt.FwpmEngineOpen0
-
-// https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmengineclose0
-//sys	fwpmEngineClose0(engineHandle uintptr) (err error) [failretval!=0] = fwpuclnt.FwpmEngineClose0
-
-// https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmsublayeradd0
-//sys	fwpmSubLayerAdd0(engineHandle uintptr, subLayer *wtFwpmSublayer0, sd uintptr) (err error) [failretval!=0] = fwpuclnt.FwpmSubLayerAdd0
-
-// https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmgetappidfromfilename0
-//sys	fwpmGetAppIdFromFileName0(fileName *uint16, appID unsafe.Pointer) (err error) [failretval!=0] = fwpuclnt.FwpmGetAppIdFromFileName0
-
-// https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmfreememory0
-//sys	fwpmFreeMemory0(p unsafe.Pointer) = fwpuclnt.FwpmFreeMemory0
-
-// https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmfilteradd0
-//sys	fwpmFilterAdd0(engineHandle uintptr, filter *wtFwpmFilter0, sd uintptr, id *uint64) (err error) [failretval!=0] = fwpuclnt.FwpmFilterAdd0
-
-// https://docs.microsoft.com/en-us/windows/desktop/api/Fwpmu/nf-fwpmu-fwpmtransactionbegin0
-//sys	fwpmTransactionBegin0(engineHandle uintptr, flags uint32) (err error) [failretval!=0] = fwpuclnt.FwpmTransactionBegin0
-
-// https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmtransactioncommit0
-//sys	fwpmTransactionCommit0(engineHandle uintptr) (err error) [failretval!=0] = fwpuclnt.FwpmTransactionCommit0
-
-// https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmtransactionabort0
-//sys	fwpmTransactionAbort0(engineHandle uintptr) (err error) [failretval!=0] = fwpuclnt.FwpmTransactionAbort0
-
-// https://docs.microsoft.com/en-us/windows/desktop/api/fwpmu/nf-fwpmu-fwpmprovideradd0
-//sys	fwpmProviderAdd0(engineHandle uintptr, provider *wtFwpmProvider0, sd uintptr) (err error) [failretval!=0] = fwpuclnt.FwpmProviderAdd0

client/internal/dns/dnsfw/types_windows.go

@@ -1,414 +0,0 @@
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
- *
- * Adapted from wireguard-windows tunnel/firewall/types_windows.go.
- */
-
-package dnsfw
-
-import "golang.org/x/sys/windows"
-
-const (
-	anysizeArray = 1 // ANYSIZE_ARRAY defined in winnt.h
-
-	wtFwpBitmapArray64_Size = 8
-
-	wtFwpByteArray16_Size = 16
-
-	wtFwpByteArray6_Size = 6
-
-	wtFwpmAction0_Size              = 20
-	wtFwpmAction0_filterType_Offset = 4
-
-	wtFwpV4AddrAndMask_Size        = 8
-	wtFwpV4AddrAndMask_mask_Offset = 4
-
-	wtFwpV6AddrAndMask_Size                = 17
-	wtFwpV6AddrAndMask_prefixLength_Offset = 16
-)
-
-type wtFwpActionFlag uint32
-
-const (
-	cFWP_ACTION_FLAG_TERMINATING     wtFwpActionFlag = 0x00001000
-	cFWP_ACTION_FLAG_NON_TERMINATING wtFwpActionFlag = 0x00002000
-	cFWP_ACTION_FLAG_CALLOUT         wtFwpActionFlag = 0x00004000
-)
-
-// FWP_ACTION_TYPE defined in fwptypes.h
-type wtFwpActionType uint32
-
-const (
-	cFWP_ACTION_BLOCK               wtFwpActionType = wtFwpActionType(0x00000001 | cFWP_ACTION_FLAG_TERMINATING)
-	cFWP_ACTION_PERMIT              wtFwpActionType = wtFwpActionType(0x00000002 | cFWP_ACTION_FLAG_TERMINATING)
-	cFWP_ACTION_CALLOUT_TERMINATING wtFwpActionType = wtFwpActionType(0x00000003 | cFWP_ACTION_FLAG_CALLOUT | cFWP_ACTION_FLAG_TERMINATING)
-	cFWP_ACTION_CALLOUT_INSPECTION  wtFwpActionType = wtFwpActionType(0x00000004 | cFWP_ACTION_FLAG_CALLOUT | cFWP_ACTION_FLAG_NON_TERMINATING)
-	cFWP_ACTION_CALLOUT_UNKNOWN     wtFwpActionType = wtFwpActionType(0x00000005 | cFWP_ACTION_FLAG_CALLOUT)
-	cFWP_ACTION_CONTINUE            wtFwpActionType = wtFwpActionType(0x00000006 | cFWP_ACTION_FLAG_NON_TERMINATING)
-	cFWP_ACTION_NONE                wtFwpActionType = 0x00000007
-	cFWP_ACTION_NONE_NO_MATCH       wtFwpActionType = 0x00000008
-	cFWP_ACTION_BITMAP_INDEX_SET    wtFwpActionType = 0x00000009
-)
-
-// FWP_BYTE_BLOB defined in fwptypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ns-fwptypes-fwp_byte_blob_)
-type wtFwpByteBlob struct {
-	size uint32
-	data *uint8
-}
-
-// FWP_MATCH_TYPE defined in fwptypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ne-fwptypes-fwp_match_type_)
-type wtFwpMatchType uint32
-
-const (
-	cFWP_MATCH_EQUAL                  wtFwpMatchType = 0
-	cFWP_MATCH_GREATER                wtFwpMatchType = cFWP_MATCH_EQUAL + 1
-	cFWP_MATCH_LESS                   wtFwpMatchType = cFWP_MATCH_GREATER + 1
-	cFWP_MATCH_GREATER_OR_EQUAL       wtFwpMatchType = cFWP_MATCH_LESS + 1
-	cFWP_MATCH_LESS_OR_EQUAL          wtFwpMatchType = cFWP_MATCH_GREATER_OR_EQUAL + 1
-	cFWP_MATCH_RANGE                  wtFwpMatchType = cFWP_MATCH_LESS_OR_EQUAL + 1
-	cFWP_MATCH_FLAGS_ALL_SET          wtFwpMatchType = cFWP_MATCH_RANGE + 1
-	cFWP_MATCH_FLAGS_ANY_SET          wtFwpMatchType = cFWP_MATCH_FLAGS_ALL_SET + 1
-	cFWP_MATCH_FLAGS_NONE_SET         wtFwpMatchType = cFWP_MATCH_FLAGS_ANY_SET + 1
-	cFWP_MATCH_EQUAL_CASE_INSENSITIVE wtFwpMatchType = cFWP_MATCH_FLAGS_NONE_SET + 1
-	cFWP_MATCH_NOT_EQUAL              wtFwpMatchType = cFWP_MATCH_EQUAL_CASE_INSENSITIVE + 1
-	cFWP_MATCH_PREFIX                 wtFwpMatchType = cFWP_MATCH_NOT_EQUAL + 1
-	cFWP_MATCH_NOT_PREFIX             wtFwpMatchType = cFWP_MATCH_PREFIX + 1
-	cFWP_MATCH_TYPE_MAX               wtFwpMatchType = cFWP_MATCH_NOT_PREFIX + 1
-)
-
-// FWPM_ACTION0 defined in fwpmtypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwpmtypes/ns-fwpmtypes-fwpm_action0_)
-type wtFwpmAction0 struct {
-	_type      wtFwpActionType
-	filterType windows.GUID // Windows type: GUID
-}
-
-// Defined in fwpmu.h. 4cd62a49-59c3-4969-b7f3-bda5d32890a4
-var cFWPM_CONDITION_IP_LOCAL_INTERFACE = windows.GUID{
-	Data1: 0x4cd62a49,
-	Data2: 0x59c3,
-	Data3: 0x4969,
-	Data4: [8]byte{0xb7, 0xf3, 0xbd, 0xa5, 0xd3, 0x28, 0x90, 0xa4},
-}
-
-// Defined in fwpmu.h. b235ae9a-1d64-49b8-a44c-5ff3d9095045
-var cFWPM_CONDITION_IP_REMOTE_ADDRESS = windows.GUID{
-	Data1: 0xb235ae9a,
-	Data2: 0x1d64,
-	Data3: 0x49b8,
-	Data4: [8]byte{0xa4, 0x4c, 0x5f, 0xf3, 0xd9, 0x09, 0x50, 0x45},
-}
-
-// Defined in fwpmu.h. 3971ef2b-623e-4f9a-8cb1-6e79b806b9a7
-var cFWPM_CONDITION_IP_PROTOCOL = windows.GUID{
-	Data1: 0x3971ef2b,
-	Data2: 0x623e,
-	Data3: 0x4f9a,
-	Data4: [8]byte{0x8c, 0xb1, 0x6e, 0x79, 0xb8, 0x06, 0xb9, 0xa7},
-}
-
-// Defined in fwpmu.h. 0c1ba1af-5765-453f-af22-a8f791ac775b
-var cFWPM_CONDITION_IP_LOCAL_PORT = windows.GUID{
-	Data1: 0x0c1ba1af,
-	Data2: 0x5765,
-	Data3: 0x453f,
-	Data4: [8]byte{0xaf, 0x22, 0xa8, 0xf7, 0x91, 0xac, 0x77, 0x5b},
-}
-
-// Defined in fwpmu.h. c35a604d-d22b-4e1a-91b4-68f674ee674b
-var cFWPM_CONDITION_IP_REMOTE_PORT = windows.GUID{
-	Data1: 0xc35a604d,
-	Data2: 0xd22b,
-	Data3: 0x4e1a,
-	Data4: [8]byte{0x91, 0xb4, 0x68, 0xf6, 0x74, 0xee, 0x67, 0x4b},
-}
-
-// Defined in fwpmu.h. d78e1e87-8644-4ea5-9437-d809ecefc971
-var cFWPM_CONDITION_ALE_APP_ID = windows.GUID{
-	Data1: 0xd78e1e87,
-	Data2: 0x8644,
-	Data3: 0x4ea5,
-	Data4: [8]byte{0x94, 0x37, 0xd8, 0x09, 0xec, 0xef, 0xc9, 0x71},
-}
-
-// af043a0a-b34d-4f86-979c-c90371af6e66
-var cFWPM_CONDITION_ALE_USER_ID = windows.GUID{
-	Data1: 0xaf043a0a,
-	Data2: 0xb34d,
-	Data3: 0x4f86,
-	Data4: [8]byte{0x97, 0x9c, 0xc9, 0x03, 0x71, 0xaf, 0x6e, 0x66},
-}
-
-// d9ee00de-c1ef-4617-bfe3-ffd8f5a08957
-var cFWPM_CONDITION_IP_LOCAL_ADDRESS = windows.GUID{
-	Data1: 0xd9ee00de,
-	Data2: 0xc1ef,
-	Data3: 0x4617,
-	Data4: [8]byte{0xbf, 0xe3, 0xff, 0xd8, 0xf5, 0xa0, 0x89, 0x57},
-}
-
-var (
-	cFWPM_CONDITION_ICMP_TYPE = cFWPM_CONDITION_IP_LOCAL_PORT
-	cFWPM_CONDITION_ICMP_CODE = cFWPM_CONDITION_IP_REMOTE_PORT
-)
-
-// 7bc43cbf-37ba-45f1-b74a-82ff518eeb10
-var cFWPM_CONDITION_L2_FLAGS = windows.GUID{
-	Data1: 0x7bc43cbf,
-	Data2: 0x37ba,
-	Data3: 0x45f1,
-	Data4: [8]byte{0xb7, 0x4a, 0x82, 0xff, 0x51, 0x8e, 0xeb, 0x10},
-}
-
-type wtFwpmL2Flags uint32
-
-const cFWP_CONDITION_L2_IS_VM2VM wtFwpmL2Flags = 0x00000010
-
-var cFWPM_CONDITION_FLAGS = windows.GUID{
-	Data1: 0x632ce23b,
-	Data2: 0x5167,
-	Data3: 0x435c,
-	Data4: [8]byte{0x86, 0xd7, 0xe9, 0x03, 0x68, 0x4a, 0xa8, 0x0c},
-}
-
-type wtFwpmFlags uint32
-
-const cFWP_CONDITION_FLAG_IS_LOOPBACK wtFwpmFlags = 0x00000001
-
-// Defined in fwpmtypes.h
-type wtFwpmFilterFlags uint32
-
-const (
-	cFWPM_FILTER_FLAG_NONE                                wtFwpmFilterFlags = 0x00000000
-	cFWPM_FILTER_FLAG_PERSISTENT                          wtFwpmFilterFlags = 0x00000001
-	cFWPM_FILTER_FLAG_BOOTTIME                            wtFwpmFilterFlags = 0x00000002
-	cFWPM_FILTER_FLAG_HAS_PROVIDER_CONTEXT                wtFwpmFilterFlags = 0x00000004
-	cFWPM_FILTER_FLAG_CLEAR_ACTION_RIGHT                  wtFwpmFilterFlags = 0x00000008
-	cFWPM_FILTER_FLAG_PERMIT_IF_CALLOUT_UNREGISTERED      wtFwpmFilterFlags = 0x00000010
-	cFWPM_FILTER_FLAG_DISABLED                            wtFwpmFilterFlags = 0x00000020
-	cFWPM_FILTER_FLAG_INDEXED                             wtFwpmFilterFlags = 0x00000040
-	cFWPM_FILTER_FLAG_HAS_SECURITY_REALM_PROVIDER_CONTEXT wtFwpmFilterFlags = 0x00000080
-	cFWPM_FILTER_FLAG_SYSTEMOS_ONLY                       wtFwpmFilterFlags = 0x00000100
-	cFWPM_FILTER_FLAG_GAMEOS_ONLY                         wtFwpmFilterFlags = 0x00000200
-	cFWPM_FILTER_FLAG_SILENT_MODE                         wtFwpmFilterFlags = 0x00000400
-	cFWPM_FILTER_FLAG_IPSEC_NO_ACQUIRE_INITIATE           wtFwpmFilterFlags = 0x00000800
-)
-
-// FWPM_LAYER_ALE_AUTH_CONNECT_V4 (c38d57d1-05a7-4c33-904f-7fbceee60e82) defined in fwpmu.h
-var cFWPM_LAYER_ALE_AUTH_CONNECT_V4 = windows.GUID{
-	Data1: 0xc38d57d1,
-	Data2: 0x05a7,
-	Data3: 0x4c33,
-	Data4: [8]byte{0x90, 0x4f, 0x7f, 0xbc, 0xee, 0xe6, 0x0e, 0x82},
-}
-
-// e1cd9fe7-f4b5-4273-96c0-592e487b8650
-var cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4 = windows.GUID{
-	Data1: 0xe1cd9fe7,
-	Data2: 0xf4b5,
-	Data3: 0x4273,
-	Data4: [8]byte{0x96, 0xc0, 0x59, 0x2e, 0x48, 0x7b, 0x86, 0x50},
-}
-
-// FWPM_LAYER_ALE_AUTH_CONNECT_V6 (4a72393b-319f-44bc-84c3-ba54dcb3b6b4) defined in fwpmu.h
-var cFWPM_LAYER_ALE_AUTH_CONNECT_V6 = windows.GUID{
-	Data1: 0x4a72393b,
-	Data2: 0x319f,
-	Data3: 0x44bc,
-	Data4: [8]byte{0x84, 0xc3, 0xba, 0x54, 0xdc, 0xb3, 0xb6, 0xb4},
-}
-
-// a3b42c97-9f04-4672-b87e-cee9c483257f
-var cFWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6 = windows.GUID{
-	Data1: 0xa3b42c97,
-	Data2: 0x9f04,
-	Data3: 0x4672,
-	Data4: [8]byte{0xb8, 0x7e, 0xce, 0xe9, 0xc4, 0x83, 0x25, 0x7f},
-}
-
-// 94c44912-9d6f-4ebf-b995-05ab8a088d1b
-var cFWPM_LAYER_OUTBOUND_MAC_FRAME_NATIVE = windows.GUID{
-	Data1: 0x94c44912,
-	Data2: 0x9d6f,
-	Data3: 0x4ebf,
-	Data4: [8]byte{0xb9, 0x95, 0x05, 0xab, 0x8a, 0x08, 0x8d, 0x1b},
-}
-
-// d4220bd3-62ce-4f08-ae88-b56e8526df50
-var cFWPM_LAYER_INBOUND_MAC_FRAME_NATIVE = windows.GUID{
-	Data1: 0xd4220bd3,
-	Data2: 0x62ce,
-	Data3: 0x4f08,
-	Data4: [8]byte{0xae, 0x88, 0xb5, 0x6e, 0x85, 0x26, 0xdf, 0x50},
-}
-
-// FWP_BITMAP_ARRAY64 defined in fwtypes.h
-type wtFwpBitmapArray64 struct {
-	bitmapArray64 [8]uint8 // Windows type: [8]UINT8
-}
-
-// FWP_BYTE_ARRAY6 defined in fwtypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ns-fwptypes-fwp_byte_array6_)
-type wtFwpByteArray6 struct {
-	byteArray6 [6]uint8 // Windows type: [6]UINT8
-}
-
-// FWP_BYTE_ARRAY16 defined in fwptypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ns-fwptypes-fwp_byte_array16_)
-type wtFwpByteArray16 struct {
-	byteArray16 [16]uint8 // Windows type [16]UINT8
-}
-
-// FWP_CONDITION_VALUE0 defined in fwptypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ns-fwptypes-fwp_condition_value0).
-type wtFwpConditionValue0 wtFwpValue0
-
-// FWP_DATA_TYPE defined in fwptypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ne-fwptypes-fwp_data_type_)
-type wtFwpDataType uint
-
-const (
-	cFWP_EMPTY                         wtFwpDataType = 0
-	cFWP_UINT8                         wtFwpDataType = cFWP_EMPTY + 1
-	cFWP_UINT16                        wtFwpDataType = cFWP_UINT8 + 1
-	cFWP_UINT32                        wtFwpDataType = cFWP_UINT16 + 1
-	cFWP_UINT64                        wtFwpDataType = cFWP_UINT32 + 1
-	cFWP_INT8                          wtFwpDataType = cFWP_UINT64 + 1
-	cFWP_INT16                         wtFwpDataType = cFWP_INT8 + 1
-	cFWP_INT32                         wtFwpDataType = cFWP_INT16 + 1
-	cFWP_INT64                         wtFwpDataType = cFWP_INT32 + 1
-	cFWP_FLOAT                         wtFwpDataType = cFWP_INT64 + 1
-	cFWP_DOUBLE                        wtFwpDataType = cFWP_FLOAT + 1
-	cFWP_BYTE_ARRAY16_TYPE             wtFwpDataType = cFWP_DOUBLE + 1
-	cFWP_BYTE_BLOB_TYPE                wtFwpDataType = cFWP_BYTE_ARRAY16_TYPE + 1
-	cFWP_SID                           wtFwpDataType = cFWP_BYTE_BLOB_TYPE + 1
-	cFWP_SECURITY_DESCRIPTOR_TYPE      wtFwpDataType = cFWP_SID + 1
-	cFWP_TOKEN_INFORMATION_TYPE        wtFwpDataType = cFWP_SECURITY_DESCRIPTOR_TYPE + 1
-	cFWP_TOKEN_ACCESS_INFORMATION_TYPE wtFwpDataType = cFWP_TOKEN_INFORMATION_TYPE + 1
-	cFWP_UNICODE_STRING_TYPE           wtFwpDataType = cFWP_TOKEN_ACCESS_INFORMATION_TYPE + 1
-	cFWP_BYTE_ARRAY6_TYPE              wtFwpDataType = cFWP_UNICODE_STRING_TYPE + 1
-	cFWP_BITMAP_INDEX_TYPE             wtFwpDataType = cFWP_BYTE_ARRAY6_TYPE + 1
-	cFWP_BITMAP_ARRAY64_TYPE           wtFwpDataType = cFWP_BITMAP_INDEX_TYPE + 1
-	cFWP_SINGLE_DATA_TYPE_MAX          wtFwpDataType = 0xff
-	cFWP_V4_ADDR_MASK                  wtFwpDataType = cFWP_SINGLE_DATA_TYPE_MAX + 1
-	cFWP_V6_ADDR_MASK                  wtFwpDataType = cFWP_V4_ADDR_MASK + 1
-	cFWP_RANGE_TYPE                    wtFwpDataType = cFWP_V6_ADDR_MASK + 1
-	cFWP_DATA_TYPE_MAX                 wtFwpDataType = cFWP_RANGE_TYPE + 1
-)
-
-// FWP_V4_ADDR_AND_MASK defined in fwptypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ns-fwptypes-fwp_v4_addr_and_mask).
-type wtFwpV4AddrAndMask struct {
-	addr uint32
-	mask uint32
-}
-
-// FWP_V6_ADDR_AND_MASK defined in fwptypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ns-fwptypes-fwp_v6_addr_and_mask).
-type wtFwpV6AddrAndMask struct {
-	addr         [16]uint8
-	prefixLength uint8
-}
-
-// FWP_VALUE0 defined in fwptypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ns-fwptypes-fwp_value0_)
-type wtFwpValue0 struct {
-	_type wtFwpDataType
-	value uintptr
-}
-
-// FWPM_DISPLAY_DATA0 defined in fwptypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwptypes/ns-fwptypes-fwpm_display_data0).
-type wtFwpmDisplayData0 struct {
-	name        *uint16 // Windows type: *wchar_t
-	description *uint16 // Windows type: *wchar_t
-}
-
-// FWPM_FILTER_CONDITION0 defined in fwpmtypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwpmtypes/ns-fwpmtypes-fwpm_filter_condition0).
-type wtFwpmFilterCondition0 struct {
-	fieldKey       windows.GUID // Windows type: GUID
-	matchType      wtFwpMatchType
-	conditionValue wtFwpConditionValue0
-}
-
-// FWPM_PROVIDER0 defined in fwpmtypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwpmtypes/ns-fwpmtypes-fwpm_provider0_)
-type wtFwpProvider0 struct {
-	providerKey  windows.GUID // Windows type: GUID
-	displayData  wtFwpmDisplayData0
-	flags        uint32
-	providerData wtFwpByteBlob
-	serviceName  *uint16 // Windows type: *wchar_t
-}
-
-type wtFwpmSessionFlagsValue uint32
-
-const (
-	cFWPM_SESSION_FLAG_DYNAMIC wtFwpmSessionFlagsValue = 0x00000001 // FWPM_SESSION_FLAG_DYNAMIC defined in fwpmtypes.h
-)
-
-// FWPM_SESSION0 defined in fwpmtypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwpmtypes/ns-fwpmtypes-fwpm_session0).
-type wtFwpmSession0 struct {
-	sessionKey           windows.GUID // Windows type: GUID
-	displayData          wtFwpmDisplayData0
-	flags                wtFwpmSessionFlagsValue // Windows type UINT32
-	txnWaitTimeoutInMSec uint32
-	processId            uint32 // Windows type: DWORD
-	sid                  *windows.SID
-	username             *uint16 // Windows type: *wchar_t
-	kernelMode           uint8   // Windows type: BOOL
-}
-
-type wtFwpmSublayerFlags uint32
-
-const (
-	cFWPM_SUBLAYER_FLAG_PERSISTENT wtFwpmSublayerFlags = 0x00000001 // FWPM_SUBLAYER_FLAG_PERSISTENT defined in fwpmtypes.h
-)
-
-// FWPM_SUBLAYER0 defined in fwpmtypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwpmtypes/ns-fwpmtypes-fwpm_sublayer0_)
-type wtFwpmSublayer0 struct {
-	subLayerKey  windows.GUID // Windows type: GUID
-	displayData  wtFwpmDisplayData0
-	flags        wtFwpmSublayerFlags
-	providerKey  *windows.GUID // Windows type: *GUID
-	providerData wtFwpByteBlob
-	weight       uint16
-}
-
-// Defined in rpcdce.h
-type wtRpcCAuthN uint32
-
-const (
-	cRPC_C_AUTHN_NONE    wtRpcCAuthN = 0
-	cRPC_C_AUTHN_WINNT   wtRpcCAuthN = 10
-	cRPC_C_AUTHN_DEFAULT wtRpcCAuthN = 0xFFFFFFFF
-)
-
-// FWPM_PROVIDER0 defined in fwpmtypes.h
-// (https://docs.microsoft.com/sv-se/windows/desktop/api/fwpmtypes/ns-fwpmtypes-fwpm_provider0).
-type wtFwpmProvider0 struct {
-	providerKey  windows.GUID
-	displayData  wtFwpmDisplayData0
-	flags        uint32
-	providerData wtFwpByteBlob
-	serviceName  *uint16
-}
-
-type wtIPProto uint32
-
-const (
-	cIPPROTO_ICMP   wtIPProto = 1
-	cIPPROTO_ICMPV6 wtIPProto = 58
-	cIPPROTO_TCP    wtIPProto = 6
-	cIPPROTO_UDP    wtIPProto = 17
-)
-
-const (
-	cFWP_ACTRL_MATCH_FILTER = 1
-)

client/internal/dns/dnsfw/types_windows_32.go

@@ -1,92 +0,0 @@
-//go:build windows && (386 || arm)
-
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
- *
- * Adapted from wireguard-windows tunnel/firewall/types_windows_32.go.
- */
-
-package dnsfw
-
-import "golang.org/x/sys/windows"
-
-const (
-	wtFwpByteBlob_Size        = 8
-	wtFwpByteBlob_data_Offset = 4
-
-	wtFwpConditionValue0_Size         = 8
-	wtFwpConditionValue0_uint8_Offset = 4
-
-	wtFwpmDisplayData0_Size               = 8
-	wtFwpmDisplayData0_description_Offset = 4
-
-	wtFwpmFilter0_Size                       = 152
-	wtFwpmFilter0_displayData_Offset         = 16
-	wtFwpmFilter0_flags_Offset               = 24
-	wtFwpmFilter0_providerKey_Offset         = 28
-	wtFwpmFilter0_providerData_Offset        = 32
-	wtFwpmFilter0_layerKey_Offset            = 40
-	wtFwpmFilter0_subLayerKey_Offset         = 56
-	wtFwpmFilter0_weight_Offset              = 72
-	wtFwpmFilter0_numFilterConditions_Offset = 80
-	wtFwpmFilter0_filterCondition_Offset     = 84
-	wtFwpmFilter0_action_Offset              = 88
-	wtFwpmFilter0_providerContextKey_Offset  = 112
-	wtFwpmFilter0_reserved_Offset            = 128
-	wtFwpmFilter0_filterID_Offset            = 136
-	wtFwpmFilter0_effectiveWeight_Offset     = 144
-
-	wtFwpmFilterCondition0_Size                  = 28
-	wtFwpmFilterCondition0_matchType_Offset      = 16
-	wtFwpmFilterCondition0_conditionValue_Offset = 20
-
-	wtFwpmSession0_Size                        = 48
-	wtFwpmSession0_displayData_Offset          = 16
-	wtFwpmSession0_flags_Offset                = 24
-	wtFwpmSession0_txnWaitTimeoutInMSec_Offset = 28
-	wtFwpmSession0_processId_Offset            = 32
-	wtFwpmSession0_sid_Offset                  = 36
-	wtFwpmSession0_username_Offset             = 40
-	wtFwpmSession0_kernelMode_Offset           = 44
-
-	wtFwpmSublayer0_Size                = 44
-	wtFwpmSublayer0_displayData_Offset  = 16
-	wtFwpmSublayer0_flags_Offset        = 24
-	wtFwpmSublayer0_providerKey_Offset  = 28
-	wtFwpmSublayer0_providerData_Offset = 32
-	wtFwpmSublayer0_weight_Offset       = 40
-
-	wtFwpProvider0_Size                = 40
-	wtFwpProvider0_displayData_Offset  = 16
-	wtFwpProvider0_flags_Offset        = 24
-	wtFwpProvider0_providerData_Offset = 28
-	wtFwpProvider0_serviceName_Offset  = 36
-
-	wtFwpTokenInformation_Size = 16
-
-	wtFwpValue0_Size         = 8
-	wtFwpValue0_value_Offset = 4
-)
-
-// FWPM_FILTER0 defined in fwpmtypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwpmtypes/ns-fwpmtypes-fwpm_filter0).
-type wtFwpmFilter0 struct {
-	filterKey           windows.GUID // Windows type: GUID
-	displayData         wtFwpmDisplayData0
-	flags               wtFwpmFilterFlags
-	providerKey         *windows.GUID // Windows type: *GUID
-	providerData        wtFwpByteBlob
-	layerKey            windows.GUID // Windows type: GUID
-	subLayerKey         windows.GUID // Windows type: GUID
-	weight              wtFwpValue0
-	numFilterConditions uint32
-	filterCondition     *wtFwpmFilterCondition0
-	action              wtFwpmAction0
-	offset1             [4]byte       // Layout correction field
-	providerContextKey  windows.GUID  // Windows type: GUID
-	reserved            *windows.GUID // Windows type: *GUID
-	offset2             [4]byte       // Layout correction field
-	filterID            uint64
-	effectiveWeight     wtFwpValue0
-}

client/internal/dns/dnsfw/types_windows_64.go

@@ -1,89 +0,0 @@
-//go:build windows && (amd64 || arm64)
-
-/* SPDX-License-Identifier: MIT
- *
- * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
- *
- * Adapted from wireguard-windows tunnel/firewall/types_windows_64.go.
- */
-
-package dnsfw
-
-import "golang.org/x/sys/windows"
-
-const (
-	wtFwpByteBlob_Size        = 16
-	wtFwpByteBlob_data_Offset = 8
-
-	wtFwpConditionValue0_Size         = 16
-	wtFwpConditionValue0_uint8_Offset = 8
-
-	wtFwpmDisplayData0_Size               = 16
-	wtFwpmDisplayData0_description_Offset = 8
-
-	wtFwpmFilter0_Size                       = 200
-	wtFwpmFilter0_displayData_Offset         = 16
-	wtFwpmFilter0_flags_Offset               = 32
-	wtFwpmFilter0_providerKey_Offset         = 40
-	wtFwpmFilter0_providerData_Offset        = 48
-	wtFwpmFilter0_layerKey_Offset            = 64
-	wtFwpmFilter0_subLayerKey_Offset         = 80
-	wtFwpmFilter0_weight_Offset              = 96
-	wtFwpmFilter0_numFilterConditions_Offset = 112
-	wtFwpmFilter0_filterCondition_Offset     = 120
-	wtFwpmFilter0_action_Offset              = 128
-	wtFwpmFilter0_providerContextKey_Offset  = 152
-	wtFwpmFilter0_reserved_Offset            = 168
-	wtFwpmFilter0_filterID_Offset            = 176
-	wtFwpmFilter0_effectiveWeight_Offset     = 184
-
-	wtFwpmFilterCondition0_Size                  = 40
-	wtFwpmFilterCondition0_matchType_Offset      = 16
-	wtFwpmFilterCondition0_conditionValue_Offset = 24
-
-	wtFwpmSession0_Size                        = 72
-	wtFwpmSession0_displayData_Offset          = 16
-	wtFwpmSession0_flags_Offset                = 32
-	wtFwpmSession0_txnWaitTimeoutInMSec_Offset = 36
-	wtFwpmSession0_processId_Offset            = 40
-	wtFwpmSession0_sid_Offset                  = 48
-	wtFwpmSession0_username_Offset             = 56
-	wtFwpmSession0_kernelMode_Offset           = 64
-
-	wtFwpmSublayer0_Size                = 72
-	wtFwpmSublayer0_displayData_Offset  = 16
-	wtFwpmSublayer0_flags_Offset        = 32
-	wtFwpmSublayer0_providerKey_Offset  = 40
-	wtFwpmSublayer0_providerData_Offset = 48
-	wtFwpmSublayer0_weight_Offset       = 64
-
-	wtFwpProvider0_Size                = 64
-	wtFwpProvider0_displayData_Offset  = 16
-	wtFwpProvider0_flags_Offset        = 32
-	wtFwpProvider0_providerData_Offset = 40
-	wtFwpProvider0_serviceName_Offset  = 56
-
-	wtFwpValue0_Size         = 16
-	wtFwpValue0_value_Offset = 8
-)
-
-// FWPM_FILTER0 defined in fwpmtypes.h
-// (https://docs.microsoft.com/en-us/windows/desktop/api/fwpmtypes/ns-fwpmtypes-fwpm_filter0).
-type wtFwpmFilter0 struct {
-	filterKey           windows.GUID // Windows type: GUID
-	displayData         wtFwpmDisplayData0
-	flags               wtFwpmFilterFlags // Windows type: UINT32
-	providerKey         *windows.GUID     // Windows type: *GUID
-	providerData        wtFwpByteBlob
-	layerKey            windows.GUID // Windows type: GUID
-	subLayerKey         windows.GUID // Windows type: GUID
-	weight              wtFwpValue0
-	numFilterConditions uint32
-	filterCondition     *wtFwpmFilterCondition0
-	action              wtFwpmAction0
-	offset1             [4]byte       // Layout correction field
-	providerContextKey  windows.GUID  // Windows type: GUID
-	reserved            *windows.GUID // Windows type: *GUID
-	filterID            uint64
-	effectiveWeight     wtFwpValue0
-}

client/internal/dns/dnsfw/zsyscall_windows.go

@@ -1,130 +0,0 @@
-// Code generated by 'go generate'; DO NOT EDIT.
-
-package dnsfw
-
-import (
-	"syscall"
-	"unsafe"
-
-	"golang.org/x/sys/windows"
-)
-
-var _ unsafe.Pointer
-
-// Do the interface allocations only once for common
-// Errno values.
-const (
-	errnoERROR_IO_PENDING = 997
-)
-
-var (
-	errERROR_IO_PENDING error = syscall.Errno(errnoERROR_IO_PENDING)
-	errERROR_EINVAL     error = syscall.EINVAL
-)
-
-// errnoErr returns common boxed Errno values, to prevent
-// allocations at runtime.
-func errnoErr(e syscall.Errno) error {
-	switch e {
-	case 0:
-		return errERROR_EINVAL
-	case errnoERROR_IO_PENDING:
-		return errERROR_IO_PENDING
-	}
-	// TODO: add more here, after collecting data on the common
-	// error values see on Windows. (perhaps when running
-	// all.bat?)
-	return e
-}
-
-var (
-	modfwpuclnt = windows.NewLazySystemDLL("fwpuclnt.dll")
-
-	procFwpmEngineClose0          = modfwpuclnt.NewProc("FwpmEngineClose0")
-	procFwpmEngineOpen0           = modfwpuclnt.NewProc("FwpmEngineOpen0")
-	procFwpmFilterAdd0            = modfwpuclnt.NewProc("FwpmFilterAdd0")
-	procFwpmFreeMemory0           = modfwpuclnt.NewProc("FwpmFreeMemory0")
-	procFwpmGetAppIdFromFileName0 = modfwpuclnt.NewProc("FwpmGetAppIdFromFileName0")
-	procFwpmProviderAdd0          = modfwpuclnt.NewProc("FwpmProviderAdd0")
-	procFwpmSubLayerAdd0          = modfwpuclnt.NewProc("FwpmSubLayerAdd0")
-	procFwpmTransactionAbort0     = modfwpuclnt.NewProc("FwpmTransactionAbort0")
-	procFwpmTransactionBegin0     = modfwpuclnt.NewProc("FwpmTransactionBegin0")
-	procFwpmTransactionCommit0    = modfwpuclnt.NewProc("FwpmTransactionCommit0")
-)
-
-func fwpmEngineClose0(engineHandle uintptr) (err error) {
-	r1, _, e1 := syscall.Syscall(procFwpmEngineClose0.Addr(), 1, uintptr(engineHandle), 0, 0)
-	if r1 != 0 {
-		err = errnoErr(e1)
-	}
-	return
-}
-
-func fwpmEngineOpen0(serverName *uint16, authnService wtRpcCAuthN, authIdentity *uintptr, session *wtFwpmSession0, engineHandle unsafe.Pointer) (err error) {
-	r1, _, e1 := syscall.Syscall6(procFwpmEngineOpen0.Addr(), 5, uintptr(unsafe.Pointer(serverName)), uintptr(authnService), uintptr(unsafe.Pointer(authIdentity)), uintptr(unsafe.Pointer(session)), uintptr(engineHandle), 0)
-	if r1 != 0 {
-		err = errnoErr(e1)
-	}
-	return
-}
-
-func fwpmFilterAdd0(engineHandle uintptr, filter *wtFwpmFilter0, sd uintptr, id *uint64) (err error) {
-	r1, _, e1 := syscall.Syscall6(procFwpmFilterAdd0.Addr(), 4, uintptr(engineHandle), uintptr(unsafe.Pointer(filter)), uintptr(sd), uintptr(unsafe.Pointer(id)), 0, 0)
-	if r1 != 0 {
-		err = errnoErr(e1)
-	}
-	return
-}
-
-func fwpmFreeMemory0(p unsafe.Pointer) {
-	syscall.Syscall(procFwpmFreeMemory0.Addr(), 1, uintptr(p), 0, 0)
-	return
-}
-
-func fwpmGetAppIdFromFileName0(fileName *uint16, appID unsafe.Pointer) (err error) {
-	r1, _, e1 := syscall.Syscall(procFwpmGetAppIdFromFileName0.Addr(), 2, uintptr(unsafe.Pointer(fileName)), uintptr(appID), 0)
-	if r1 != 0 {
-		err = errnoErr(e1)
-	}
-	return
-}
-
-func fwpmProviderAdd0(engineHandle uintptr, provider *wtFwpmProvider0, sd uintptr) (err error) {
-	r1, _, e1 := syscall.Syscall(procFwpmProviderAdd0.Addr(), 3, uintptr(engineHandle), uintptr(unsafe.Pointer(provider)), uintptr(sd))
-	if r1 != 0 {
-		err = errnoErr(e1)
-	}
-	return
-}
-
-func fwpmSubLayerAdd0(engineHandle uintptr, subLayer *wtFwpmSublayer0, sd uintptr) (err error) {
-	r1, _, e1 := syscall.Syscall(procFwpmSubLayerAdd0.Addr(), 3, uintptr(engineHandle), uintptr(unsafe.Pointer(subLayer)), uintptr(sd))
-	if r1 != 0 {
-		err = errnoErr(e1)
-	}
-	return
-}
-
-func fwpmTransactionAbort0(engineHandle uintptr) (err error) {
-	r1, _, e1 := syscall.Syscall(procFwpmTransactionAbort0.Addr(), 1, uintptr(engineHandle), 0, 0)
-	if r1 != 0 {
-		err = errnoErr(e1)
-	}
-	return
-}
-
-func fwpmTransactionBegin0(engineHandle uintptr, flags uint32) (err error) {
-	r1, _, e1 := syscall.Syscall(procFwpmTransactionBegin0.Addr(), 2, uintptr(engineHandle), uintptr(flags), 0)
-	if r1 != 0 {
-		err = errnoErr(e1)
-	}
-	return
-}
-
-func fwpmTransactionCommit0(engineHandle uintptr) (err error) {
-	r1, _, e1 := syscall.Syscall(procFwpmTransactionCommit0.Addr(), 1, uintptr(engineHandle), 0, 0)
-	if r1 != 0 {
-		err = errnoErr(e1)
-	}
-	return
-}

client/internal/dns/host_windows.go

@@ -17,7 +17,6 @@ import (
 	"golang.org/x/sys/windows/registry"
 
 	nberrors "github.com/netbirdio/netbird/client/errors"
-	"github.com/netbirdio/netbird/client/internal/dns/dnsfw"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 	"github.com/netbirdio/netbird/client/internal/winregistry"
 )
@@ -75,7 +74,6 @@ type registryConfigurator struct {
 	routingAll      bool
 	gpo             bool
 	nrptEntryCount  int
-	dnsFirewall     dnsfw.Manager
 	origNameservers []netip.Addr
 }
 
@@ -96,9 +94,8 @@ func newHostManager(wgInterface WGIface) (*registryConfigurator, error) {
 	}
 
 	configurator := &registryConfigurator{
-		guid:        guid,
-		gpo:         useGPO,
-		dnsFirewall: dnsfw.New(),
+		guid: guid,
+		gpo:  useGPO,
 	}
 
 	origNameservers, err := configurator.captureOriginalNameservers()
@@ -279,8 +276,16 @@ func (r *registryConfigurator) disableWINSForInterface() error {
 }
 
 func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager *statemanager.Manager) error {
-	if err := r.applyRouteAll(config); err != nil {
-		return err
+	if config.RouteAll {
+		if err := r.addDNSSetupForAll(config.ServerIP); err != nil {
+			return fmt.Errorf("add dns setup: %w", err)
+		}
+	} else if r.routingAll {
+		if err := r.deleteInterfaceRegistryKeyProperty(interfaceConfigNameServerKey); err != nil {
+			return fmt.Errorf("delete interface registry key property: %w", err)
+		}
+		r.routingAll = false
+		log.Infof("removed %s as main DNS forwarder for this peer", config.ServerIP)
 	}
 
 	r.updateState(stateManager)
@@ -322,35 +327,6 @@ func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager
 	return nil
 }
 
-func (r *registryConfigurator) applyRouteAll(config HostDNSConfig) error {
-	if config.RouteAll {
-		if err := r.dnsFirewall.Enable(r.guid, config.ServerIP); err != nil {
-			return fmt.Errorf("dns firewall: %w", err)
-		}
-		if err := r.addDNSSetupForAll(config.ServerIP); err != nil {
-			merr := multierror.Append(nil, fmt.Errorf("add dns setup: %w", err))
-			if dErr := r.dnsFirewall.Disable(); dErr != nil {
-				merr = multierror.Append(merr, fmt.Errorf("rollback dns firewall: %w", dErr))
-			}
-			return nberrors.FormatErrorOrNil(merr)
-		}
-		return nil
-	}
-
-	if err := r.dnsFirewall.Disable(); err != nil {
-		log.Errorf("disable dns firewall: %v", err)
-	}
-	if !r.routingAll {
-		return nil
-	}
-	if err := r.deleteInterfaceRegistryKeyProperty(interfaceConfigNameServerKey); err != nil {
-		return fmt.Errorf("delete interface registry key property: %w", err)
-	}
-	r.routingAll = false
-	log.Infof("removed %s as main DNS forwarder for this peer", config.ServerIP)
-	return nil
-}
-
 func (r *registryConfigurator) updateState(stateManager *statemanager.Manager) {
 	if err := stateManager.UpdateState(&ShutdownState{
 		Guid:           r.guid,
@@ -537,10 +513,6 @@ func (r *registryConfigurator) restoreHostDNS() error {
 		return fmt.Errorf("remove interface registry key: %w", err)
 	}
 
-	if err := r.dnsFirewall.Disable(); err != nil {
-		log.Errorf("disable dns firewall: %v", err)
-	}
-
 	go r.flushDNSCache()
 
 	return nil

client/internal/dns/host_windows_test.go

@@ -8,8 +8,6 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/sys/windows/registry"
-
-	"github.com/netbirdio/netbird/client/internal/dns/dnsfw"
 )
 
 // TestNRPTEntriesCleanupOnConfigChange tests that old NRPT entries are properly cleaned up
@@ -36,9 +34,8 @@ func TestNRPTEntriesCleanupOnConfigChange(t *testing.T) {
 	}()
 
 	cfg := &registryConfigurator{
-		guid:        testGUID,
-		gpo:         false,
-		dnsFirewall: dnsfw.New(),
+		guid: testGUID,
+		gpo:  false,
 	}
 
 	// Create 125 domains which will result in 3 NRPT rules (50+50+25)
@@ -137,9 +134,8 @@ func TestNRPTDomainBatching(t *testing.T) {
 	}()
 
 	cfg := &registryConfigurator{
-		guid:        testGUID,
-		gpo:         false,
-		dnsFirewall: dnsfw.New(),
+		guid: testGUID,
+		gpo:  false,
 	}
 
 	testCases := []struct {

client/internal/engine.go

@@ -72,6 +72,7 @@ import (
 	sProto "github.com/netbirdio/netbird/shared/signal/proto"
 	"github.com/netbirdio/netbird/util"
 	"github.com/netbirdio/netbird/util/capture"
+	"github.com/netbirdio/netbird/version"
 )
 
 // PeerConnectionTimeoutMax is a timeout of an initial connection attempt to a remote peer.
@@ -1141,6 +1142,7 @@ func (e *Engine) handleBundle(params *mgmProto.BundleParameters) (*mgmProto.JobR
 		LogPath:        e.config.LogPath,
 		TempDir:        e.config.TempDir,
 		ClientMetrics:  e.clientMetrics,
+		DaemonVersion:  version.NetbirdVersion(),
 		RefreshStatus: func() {
 			e.RunHealthProbes(true)
 		},

client/netbird.wxs

@@ -64,6 +64,13 @@
 					<RegistryValue Name="InstalledByMSI" Type="integer" Value="1" KeyPath="yes" />
 				</RegistryKey>
 			</Component>
+			<!-- Drop the HKCU Run\Netbird value written by legacy NSIS installers. -->
+			<Component Id="NetbirdLegacyHKCUCleanup" Guid="*">
+				<RegistryValue Root="HKCU" Key="Software\NetBird GmbH\Installer"
+					Name="LegacyHKCUCleanup" Type="integer" Value="1" KeyPath="yes" />
+				<RemoveRegistryValue Root="HKCU"
+					Key="Software\Microsoft\Windows\CurrentVersion\Run" Name="Netbird" />
+			</Component>
 		</StandardDirectory>
 
 		<StandardDirectory Id="CommonAppDataFolder">
@@ -76,10 +83,28 @@
 			</Directory>
 		</StandardDirectory>
 
+		<!-- Drop Run, App Paths and Uninstall entries written by legacy NSIS
+		     installers into the 32-bit registry view (HKLM\Software\Wow6432Node). -->
+		<Component Id="NetbirdLegacyWow6432Cleanup" Directory="NetbirdInstallDir"
+			Guid="bda5d628-16bd-4086-b2c1-5099d8d51763" Bitness="always32">
+			<RegistryValue Root="HKLM" Key="Software\NetBird GmbH\Installer"
+				Name="LegacyWow6432Cleanup" Type="integer" Value="1" KeyPath="yes" />
+			<RemoveRegistryValue Root="HKLM"
+				Key="Software\Microsoft\Windows\CurrentVersion\Run" Name="Netbird" />
+			<RemoveRegistryKey Action="removeOnInstall" Root="HKLM"
+				Key="Software\Microsoft\Windows\CurrentVersion\App Paths\Netbird" />
+			<RemoveRegistryKey Action="removeOnInstall" Root="HKLM"
+				Key="Software\Microsoft\Windows\CurrentVersion\App Paths\Netbird-ui" />
+			<RemoveRegistryKey Action="removeOnInstall" Root="HKLM"
+				Key="Software\Microsoft\Windows\CurrentVersion\Uninstall\Netbird" />
+		</Component>
+
 		<ComponentGroup Id="NetbirdFilesComponent">
 			<ComponentRef Id="NetbirdFiles" />
 			<ComponentRef Id="NetbirdAumidRegistry" />
 			<ComponentRef Id="NetbirdAutoStart" />
+			<ComponentRef Id="NetbirdLegacyHKCUCleanup" />
+			<ComponentRef Id="NetbirdLegacyWow6432Cleanup" />
 		</ComponentGroup>
 
 		<util:CloseApplication Id="CloseNetBird" CloseMessage="no" Target="netbird.exe" RebootPrompt="no" />

client/proto/daemon.pb.go

@@ -2709,6 +2709,7 @@ type DebugBundleRequest struct {
 	SystemInfo    bool                   `protobuf:"varint,3,opt,name=systemInfo,proto3" json:"systemInfo,omitempty"`
 	UploadURL     string                 `protobuf:"bytes,4,opt,name=uploadURL,proto3" json:"uploadURL,omitempty"`
 	LogFileCount  uint32                 `protobuf:"varint,5,opt,name=logFileCount,proto3" json:"logFileCount,omitempty"`
+	CliVersion    string                 `protobuf:"bytes,6,opt,name=cliVersion,proto3" json:"cliVersion,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
@@ -2771,6 +2772,13 @@ func (x *DebugBundleRequest) GetLogFileCount() uint32 {
 	return 0
 }
 
+func (x *DebugBundleRequest) GetCliVersion() string {
+	if x != nil {
+		return x.CliVersion
+	}
+	return ""
+}
+
 type DebugBundleResponse struct {
 	state               protoimpl.MessageState `protogen:"open.v1"`
 	Path                string                 `protobuf:"bytes,1,opt,name=path,proto3" json:"path,omitempty"`
@@ -6475,14 +6483,17 @@ const file_daemon_proto_rawDesc = "" +
 	"\x12translatedHostname\x18\x04 \x01(\tR\x12translatedHostname\x128\n" +
 	"\x0etranslatedPort\x18\x05 \x01(\v2\x10.daemon.PortInfoR\x0etranslatedPort\"G\n" +
 	"\x17ForwardingRulesResponse\x12,\n" +
-	"\x05rules\x18\x01 \x03(\v2\x16.daemon.ForwardingRuleR\x05rules\"\x94\x01\n" +
+	"\x05rules\x18\x01 \x03(\v2\x16.daemon.ForwardingRuleR\x05rules\"\xb4\x01\n" +
 	"\x12DebugBundleRequest\x12\x1c\n" +
 	"\tanonymize\x18\x01 \x01(\bR\tanonymize\x12\x1e\n" +
 	"\n" +
 	"systemInfo\x18\x03 \x01(\bR\n" +
 	"systemInfo\x12\x1c\n" +
 	"\tuploadURL\x18\x04 \x01(\tR\tuploadURL\x12\"\n" +
-	"\flogFileCount\x18\x05 \x01(\rR\flogFileCount\"}\n" +
+	"\flogFileCount\x18\x05 \x01(\rR\flogFileCount\x12\x1e\n" +
+	"\n" +
+	"cliVersion\x18\x06 \x01(\tR\n" +
+	"cliVersion\"}\n" +
 	"\x13DebugBundleResponse\x12\x12\n" +
 	"\x04path\x18\x01 \x01(\tR\x04path\x12 \n" +
 	"\vuploadedKey\x18\x02 \x01(\tR\vuploadedKey\x120\n" +

client/proto/daemon.proto

@@ -471,6 +471,7 @@ message DebugBundleRequest {
   bool systemInfo = 3;
   string uploadURL = 4;
   uint32 logFileCount = 5;
+  string cliVersion = 6;
 }
 
 message DebugBundleResponse {

client/proto/generate.sh

@@ -1,17 +1,16 @@
 #!/bin/bash
 set -e
 
-if ! which realpath > /dev/null 2>&1
-then
-  echo realpath is not installed
-  echo run: brew install coreutils
-  exit 1
+if ! which realpath >/dev/null 2>&1; then
+	echo realpath is not installed
+	echo run: brew install coreutils
+	exit 1
 fi
 
 old_pwd=$(pwd)
-script_path=$(dirname $(realpath "$0"))
+script_path=$(dirname "$(realpath "$0")")
 cd "$script_path"
 go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.36.6
-go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@v1.1
+go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@v1.6.1
 protoc -I ./ ./daemon.proto --go_out=../ --go-grpc_out=../ --experimental_allow_proto3_optional
 cd "$old_pwd"

client/server/debug.go

@@ -14,6 +14,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/debug"
 	"github.com/netbirdio/netbird/client/proto"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
+	"github.com/netbirdio/netbird/version"
 )
 
 // DebugBundle creates a debug bundle and returns the location.
@@ -67,6 +68,8 @@ func (s *Server) DebugBundle(_ context.Context, req *proto.DebugBundleRequest) (
 			CapturePath:    capturePath,
 			RefreshStatus:  refreshStatus,
 			ClientMetrics:  clientMetrics,
+			DaemonVersion:  version.NetbirdVersion(),
+			CliVersion:     req.CliVersion,
 		},
 		debug.BundleConfig{
 			Anonymize:         req.GetAnonymize(),

client/status/status.go

@@ -547,6 +547,16 @@ func (o *OutputOverview) GeneralSummary(showURL bool, showRelays bool, showNameS
 		goarm = fmt.Sprintf(" (ARMv%s)", os.Getenv("GOARM"))
 	}
 
+	daemonVersion := "N/A"
+	if o.DaemonVersion != "" {
+		daemonVersion = o.DaemonVersion
+	}
+
+	cliVersion := version.NetbirdVersion()
+	if o.CliVersion != "" {
+		cliVersion = o.CliVersion
+	}
+
 	summary := fmt.Sprintf(
 		"OS: %s\n"+
 			"Daemon version: %s\n"+
@@ -567,8 +577,8 @@ func (o *OutputOverview) GeneralSummary(showURL bool, showRelays bool, showNameS
 			"%s"+
 			"Peers count: %s\n",
 		fmt.Sprintf("%s/%s%s", goos, goarch, goarm),
-		o.DaemonVersion,
-		version.NetbirdVersion(),
+		daemonVersion,
+		cliVersion,
 		o.ProfileName,
 		managementConnString,
 		signalConnString,

client/ui/debug.go

@@ -21,6 +21,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/proto"
 	uptypes "github.com/netbirdio/netbird/upload-server/types"
+	"github.com/netbirdio/netbird/version"
 )
 
 // Initial state for the debug collection
@@ -462,6 +463,7 @@ func (s *serviceClient) createDebugBundleFromCollection(
 	request := &proto.DebugBundleRequest{
 		Anonymize:  params.anonymize,
 		SystemInfo: params.systemInfo,
+		CliVersion: version.NetbirdVersion(),
 	}
 
 	if params.upload {
@@ -593,6 +595,7 @@ func (s *serviceClient) createDebugBundle(anonymize bool, systemInfo bool, uploa
 	request := &proto.DebugBundleRequest{
 		Anonymize:  anonymize,
 		SystemInfo: systemInfo,
+		CliVersion: version.NetbirdVersion(),
 	}
 
 	if uploadURL != "" {

go.mod

@@ -24,13 +24,13 @@ require (
 	golang.zx2c4.com/wireguard/windows v0.5.3
 	google.golang.org/grpc v1.80.0
 	google.golang.org/protobuf v1.36.11
-	gopkg.in/natefinch/lumberjack.v2 v2.2.1
 )
 
 require (
 	fyne.io/fyne/v2 v2.7.0
 	fyne.io/systray v1.12.1-0.20260116214250-81f8e1a496f9
 	git.sr.ht/~jackmordaunt/go-toast/v2 v2.0.3
+	github.com/DeRuina/timberjack v1.4.2
 	github.com/awnumar/memguard v0.23.0
 	github.com/aws/aws-sdk-go-v2 v1.38.3
 	github.com/aws/aws-sdk-go-v2/config v1.31.6

go.sum

@@ -29,6 +29,8 @@ github.com/Azure/go-ntlmssp v0.1.0 h1:DjFo6YtWzNqNvQdrwEyr/e4nhU3vRiwenz5QX7sFz+
 github.com/Azure/go-ntlmssp v0.1.0/go.mod h1:NYqdhxd/8aAct/s4qSYZEerdPuH1liG2/X9DiVTbhpk=
 github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg=
 github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
+github.com/DeRuina/timberjack v1.4.2 h1:4bKlzhKdsR+2oNkgef9mqb4n11ICow8VK88RfzJPzN8=
+github.com/DeRuina/timberjack v1.4.2/go.mod h1:RLoeQrwrCGIEF8gO5nV5b/gMD0QIy7bzQhBUgpp1EqE=
 github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
 github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
 github.com/Masterminds/semver/v3 v3.3.0 h1:B8LGeaivUe71a5qox1ICM/JLl0NqZSW5CHyL+hmvYS0=
@@ -938,8 +940,6 @@ gopkg.in/go-playground/assert.v1 v1.2.1/go.mod h1:9RXL0bg/zibRAgZUYszZSwO/z8Y/a8
 gopkg.in/go-playground/validator.v9 v9.29.1/go.mod h1:+c9/zcJMFNgbLvly1L1V+PpxWdVbfP1avr/N00E2vyQ=
 gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
 gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
-gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc=
-gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc=
 gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
 gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=

management/internals/shared/grpc/proxy.go

@@ -394,6 +394,13 @@ func (s *ProxyServiceServer) sendSnapshot(ctx context.Context, conn *proxyConnec
 		if end > len(mappings) {
 			end = len(mappings)
 		}
+		for _, m := range mappings[i:end] {
+			token, err := s.tokenStore.GenerateToken(m.AccountId, m.Id, s.proxyTokenTTL())
+			if err != nil {
+				return fmt.Errorf("generate auth token for service %s: %w", m.Id, err)
+			}
+			m.AuthToken = token
+		}
 		if err := conn.stream.Send(&proto.GetMappingUpdateResponse{
 			Mapping:             mappings[i:end],
 			InitialSyncComplete: end == len(mappings),
@@ -425,18 +432,14 @@ func (s *ProxyServiceServer) snapshotServiceMappings(ctx context.Context, conn *
 		return nil, fmt.Errorf("get services from store: %w", err)
 	}
 
+	oidcCfg := s.GetOIDCValidationConfig()
 	var mappings []*proto.ProxyMapping
 	for _, service := range services {
 		if !service.Enabled || service.ProxyCluster == "" || service.ProxyCluster != conn.address {
 			continue
 		}
 
-		token, err := s.tokenStore.GenerateToken(service.AccountID, service.ID, s.proxyTokenTTL())
-		if err != nil {
-			return nil, fmt.Errorf("generate auth token for service %s: %w", service.ID, err)
-		}
-
-		m := service.ToProtoMapping(rpservice.Create, token, s.GetOIDCValidationConfig())
+		m := service.ToProtoMapping(rpservice.Create, "", oidcCfg)
 		if !proxyAcceptsMapping(conn, m) {
 			continue
 		}

management/internals/shared/grpc/proxy_snapshot_test.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"testing"
+	"time"
 
 	"github.com/golang/mock/gomock"
 	"github.com/stretchr/testify/assert"
@@ -172,3 +173,55 @@ func TestSendSnapshot_EmptySnapshot(t *testing.T) {
 	assert.Empty(t, stream.messages[0].Mapping)
 	assert.True(t, stream.messages[0].InitialSyncComplete)
 }
+
+type hookingStream struct {
+	grpc.ServerStream
+	onSend func(*proto.GetMappingUpdateResponse)
+}
+
+func (s *hookingStream) Send(m *proto.GetMappingUpdateResponse) error {
+	if s.onSend != nil {
+		s.onSend(m)
+	}
+	return nil
+}
+
+func (s *hookingStream) Context() context.Context     { return context.Background() }
+func (s *hookingStream) SetHeader(metadata.MD) error  { return nil }
+func (s *hookingStream) SendHeader(metadata.MD) error { return nil }
+func (s *hookingStream) SetTrailer(metadata.MD)       {}
+func (s *hookingStream) SendMsg(any) error            { return nil }
+func (s *hookingStream) RecvMsg(any) error            { return nil }
+
+func TestSendSnapshot_TokensRemainValidUnderSlowSend(t *testing.T) {
+	const cluster = "cluster.example.com"
+	const batchSize = 2
+	const totalServices = 6
+	const ttl = 100 * time.Millisecond
+	const sendDelay = 200 * time.Millisecond
+
+	ctrl := gomock.NewController(t)
+	mgr := rpservice.NewMockManager(ctrl)
+	mgr.EXPECT().GetGlobalServices(gomock.Any()).Return(makeServices(totalServices, cluster), nil)
+
+	s := newSnapshotTestServer(t, batchSize)
+	s.serviceManager = mgr
+	s.tokenTTL = ttl
+
+	var validateErrs []error
+	stream := &hookingStream{
+		onSend: func(resp *proto.GetMappingUpdateResponse) {
+			for _, m := range resp.Mapping {
+				if err := s.tokenStore.ValidateAndConsume(m.AuthToken, m.AccountId, m.Id); err != nil {
+					validateErrs = append(validateErrs, fmt.Errorf("svc %s: %w", m.Id, err))
+				}
+			}
+			time.Sleep(sendDelay)
+		},
+	}
+	conn := &proxyConnection{proxyID: "proxy-a", address: cluster, stream: stream}
+
+	require.NoError(t, s.sendSnapshot(context.Background(), conn))
+	require.Empty(t, validateErrs,
+		"tokens must remain valid even when batches are sent slowly: lazy per-batch generation guarantees freshness")
+}

management/internals/shared/grpc/server.go

@@ -522,10 +522,11 @@ func (s *Server) sendJob(ctx context.Context, peerKey wgtypes.Key, job *job.Even
 }
 
 func (s *Server) cancelPeerRoutines(ctx context.Context, accountID string, peer *nbpeer.Peer, streamStartTime time.Time) {
-	unlock := s.acquirePeerLockByUID(ctx, peer.Key)
+	uncanceledCTX := context.WithoutCancel(ctx)
+	unlock := s.acquirePeerLockByUID(uncanceledCTX, peer.Key)
 	defer unlock()
 
-	s.cancelPeerRoutinesWithoutLock(ctx, accountID, peer, streamStartTime)
+	s.cancelPeerRoutinesWithoutLock(uncanceledCTX, accountID, peer, streamStartTime)
 }
 
 func (s *Server) cancelPeerRoutinesWithoutLock(ctx context.Context, accountID string, peer *nbpeer.Peer, streamStartTime time.Time) {

management/internals/shared/grpc/validate_session_test.go

@@ -326,17 +326,25 @@ func (m *testValidateSessionServiceManager) GetActiveClusters(_ context.Context,
 	return nil, nil
 }
 
+func (m *testValidateSessionServiceManager) DeleteAccountCluster(_ context.Context, _, _, _ string) error {
+	return nil
+}
+
 type testValidateSessionProxyManager struct{}
 
-func (m *testValidateSessionProxyManager) Connect(_ context.Context, _, _, _ string, _ *string, _ *proxy.Capabilities) error {
+func (m *testValidateSessionProxyManager) Connect(_ context.Context, _, _, _, _ string, _ *string, _ *proxy.Capabilities) (*proxy.Proxy, error) {
+	return nil, nil
+}
+
+func (m *testValidateSessionProxyManager) Disconnect(_ context.Context, _, _ string) error {
 	return nil
 }
 
-func (m *testValidateSessionProxyManager) Disconnect(_ context.Context, _ string) error {
+func (m *testValidateSessionProxyManager) Heartbeat(_ context.Context, _ *proxy.Proxy) error {
 	return nil
 }
 
-func (m *testValidateSessionProxyManager) Heartbeat(_ context.Context, _, _, _ string) error {
+func (m *testValidateSessionProxyManager) DeleteAccountCluster(_ context.Context, _, _ string) error {
 	return nil
 }
 

management/server/account.go

@@ -291,10 +291,15 @@ func (am *DefaultAccountManager) UpdateAccountSettings(ctx context.Context, acco
 		return nil, status.NewPermissionDeniedError()
 	}
 
+	// Canonicalize the incoming range so a caller-supplied prefix with host bits
+	// (e.g. 100.64.1.1/16) compares equal to the masked form stored on network.Net.
+	newSettings.NetworkRange = newSettings.NetworkRange.Masked()
+
 	var oldSettings *types.Settings
 	var updateAccountPeers bool
 	var groupChangesAffectPeers bool
 	var reloadReverseProxy bool
+	var effectiveOldNetworkRange netip.Prefix
 
 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		var groupsUpdated bool
@@ -308,6 +313,16 @@ func (am *DefaultAccountManager) UpdateAccountSettings(ctx context.Context, acco
 			return err
 		}
 
+		// No lock: the transaction already holds Settings(Update), and network.Net is
+		// only mutated by reallocateAccountPeerIPs, which is reachable only through
+		// this same code path. A Share lock here would extend an unnecessary row lock
+		// and complicate ordering against updatePeerIPv6InTransaction.
+		network, err := transaction.GetAccountNetwork(ctx, store.LockingStrengthNone, accountID)
+		if err != nil {
+			return fmt.Errorf("get account network: %w", err)
+		}
+		effectiveOldNetworkRange = prefixFromIPNet(network.Net)
+
 		if oldSettings.Extra != nil && newSettings.Extra != nil &&
 			oldSettings.Extra.PeerApprovalEnabled && !newSettings.Extra.PeerApprovalEnabled {
 			approvedCount, err := transaction.ApproveAccountPeers(ctx, accountID)
@@ -321,7 +336,7 @@ func (am *DefaultAccountManager) UpdateAccountSettings(ctx context.Context, acco
 			}
 		}
 
-		if oldSettings.NetworkRange != newSettings.NetworkRange {
+		if newSettings.NetworkRange.IsValid() && newSettings.NetworkRange != effectiveOldNetworkRange {
 			if err = am.reallocateAccountPeerIPs(ctx, transaction, accountID, newSettings.NetworkRange); err != nil {
 				return err
 			}
@@ -396,9 +411,9 @@ func (am *DefaultAccountManager) UpdateAccountSettings(ctx context.Context, acco
 		}
 		am.StoreEvent(ctx, userID, accountID, accountID, activity.AccountDNSDomainUpdated, eventMeta)
 	}
-	if oldSettings.NetworkRange != newSettings.NetworkRange {
+	if newSettings.NetworkRange.IsValid() && newSettings.NetworkRange != effectiveOldNetworkRange {
 		eventMeta := map[string]any{
-			"old_network_range": oldSettings.NetworkRange.String(),
+			"old_network_range": effectiveOldNetworkRange.String(),
 			"new_network_range": newSettings.NetworkRange.String(),
 		}
 		am.StoreEvent(ctx, userID, accountID, accountID, activity.AccountNetworkRangeUpdated, eventMeta)
@@ -443,6 +458,22 @@ func ipv6SettingsChanged(old, updated *types.Settings) bool {
 	return !slices.Equal(oldGroups, newGroups)
 }
 
+// prefixFromIPNet returns the overlay prefix actually allocated on the account
+// network, or an invalid prefix if none is set. Settings.NetworkRange is a
+// user-facing override that is empty on legacy accounts, so the effective
+// range must be read from network.Net to compare against an incoming update.
+func prefixFromIPNet(ipNet net.IPNet) netip.Prefix {
+	if ipNet.IP == nil {
+		return netip.Prefix{}
+	}
+	addr, ok := netip.AddrFromSlice(ipNet.IP)
+	if !ok {
+		return netip.Prefix{}
+	}
+	ones, _ := ipNet.Mask.Size()
+	return netip.PrefixFrom(addr.Unmap(), ones)
+}
+
 func (am *DefaultAccountManager) validateSettingsUpdate(ctx context.Context, transaction store.Store, newSettings, oldSettings *types.Settings, userID, accountID string) error {
 	halfYearLimit := 180 * 24 * time.Hour
 	if newSettings.PeerLoginExpiration > halfYearLimit {

management/server/account_test.go

@@ -3970,6 +3970,96 @@ func TestDefaultAccountManager_UpdateAccountSettings_NetworkRangeChange(t *testi
 	}
 }
 
+// TestDefaultAccountManager_UpdateAccountSettings_NetworkRangePreserved guards against
+// peer IP reallocation when a settings update carries the network range that is already
+// in use. Legacy accounts have Settings.NetworkRange unset in the DB while network.Net
+// holds the actual allocated overlay; the dashboard backfills the GET response from
+// network.Net and echoes the value back on PUT, so the diff must be against the
+// effective range to avoid renumbering every peer on an unrelated settings change.
+func TestDefaultAccountManager_UpdateAccountSettings_NetworkRangePreserved(t *testing.T) {
+	manager, _, account, peer1, peer2, peer3 := setupNetworkMapTest(t)
+	ctx := context.Background()
+
+	settings, err := manager.Store.GetAccountSettings(ctx, store.LockingStrengthNone, account.Id)
+	require.NoError(t, err)
+	require.False(t, settings.NetworkRange.IsValid(), "precondition: new accounts leave Settings.NetworkRange unset")
+
+	network, err := manager.Store.GetAccountNetwork(ctx, store.LockingStrengthNone, account.Id)
+	require.NoError(t, err)
+	require.NotNil(t, network.Net.IP, "precondition: network.Net should be allocated")
+	addr, ok := netip.AddrFromSlice(network.Net.IP)
+	require.True(t, ok)
+	ones, _ := network.Net.Mask.Size()
+	effective := netip.PrefixFrom(addr.Unmap(), ones)
+	require.True(t, effective.IsValid())
+
+	before := map[string]netip.Addr{peer1.ID: peer1.IP, peer2.ID: peer2.IP, peer3.ID: peer3.IP}
+
+	// Round-trip the effective range as if the dashboard echoed back the GET-backfilled value.
+	_, err = manager.UpdateAccountSettings(ctx, account.Id, userID, &types.Settings{
+		PeerLoginExpirationEnabled: true,
+		PeerLoginExpiration:        types.DefaultPeerLoginExpiration,
+		NetworkRange:               effective,
+		Extra:                      &types.ExtraSettings{},
+	})
+	require.NoError(t, err)
+
+	peers, err := manager.Store.GetAccountPeers(ctx, store.LockingStrengthNone, account.Id, "", "")
+	require.NoError(t, err)
+	require.Len(t, peers, len(before))
+	for _, p := range peers {
+		assert.Equal(t, before[p.ID], p.IP, "peer %s IP should not change when range matches effective", p.ID)
+	}
+
+	// Carrying the same range with host bits set must also be a no-op once canonicalized.
+	hostBitsForm := netip.PrefixFrom(peer1.IP, ones)
+	require.NotEqual(t, effective, hostBitsForm, "precondition: host-bit form should differ before masking")
+	_, err = manager.UpdateAccountSettings(ctx, account.Id, userID, &types.Settings{
+		PeerLoginExpirationEnabled: true,
+		PeerLoginExpiration:        types.DefaultPeerLoginExpiration,
+		NetworkRange:               hostBitsForm,
+		Extra:                      &types.ExtraSettings{},
+	})
+	require.NoError(t, err)
+
+	peers, err = manager.Store.GetAccountPeers(ctx, store.LockingStrengthNone, account.Id, "", "")
+	require.NoError(t, err)
+	for _, p := range peers {
+		assert.Equal(t, before[p.ID], p.IP, "peer %s IP should not change for host-bit-set equivalent range", p.ID)
+	}
+
+	// Omitting NetworkRange (invalid prefix) must also be a no-op.
+	_, err = manager.UpdateAccountSettings(ctx, account.Id, userID, &types.Settings{
+		PeerLoginExpirationEnabled: true,
+		PeerLoginExpiration:        types.DefaultPeerLoginExpiration,
+		Extra:                      &types.ExtraSettings{},
+	})
+	require.NoError(t, err)
+
+	peers, err = manager.Store.GetAccountPeers(ctx, store.LockingStrengthNone, account.Id, "", "")
+	require.NoError(t, err)
+	for _, p := range peers {
+		assert.Equal(t, before[p.ID], p.IP, "peer %s IP should not change when NetworkRange omitted", p.ID)
+	}
+
+	// Sanity: an actually different range still triggers reallocation.
+	newRange := netip.MustParsePrefix("100.99.0.0/16")
+	_, err = manager.UpdateAccountSettings(ctx, account.Id, userID, &types.Settings{
+		PeerLoginExpirationEnabled: true,
+		PeerLoginExpiration:        types.DefaultPeerLoginExpiration,
+		NetworkRange:               newRange,
+		Extra:                      &types.ExtraSettings{},
+	})
+	require.NoError(t, err)
+
+	peers, err = manager.Store.GetAccountPeers(ctx, store.LockingStrengthNone, account.Id, "", "")
+	require.NoError(t, err)
+	for _, p := range peers {
+		assert.True(t, newRange.Contains(p.IP), "peer %s should be in new range %s, got %s", p.ID, newRange, p.IP)
+		assert.NotEqual(t, before[p.ID], p.IP, "peer %s IP should change on real range update", p.ID)
+	}
+}
+
 func TestDefaultAccountManager_UpdateAccountSettings_IPv6EnabledGroups(t *testing.T) {
 	manager, _, account, peer1, peer2, peer3 := setupNetworkMapTest(t)
 	ctx := context.Background()

util/log.go

@@ -1,15 +1,16 @@
 package util
 
 import (
+	"fmt"
 	"io"
 	"os"
 	"path/filepath"
 	"slices"
 	"strconv"
 
+	"github.com/DeRuina/timberjack"
 	log "github.com/sirupsen/logrus"
 	"google.golang.org/grpc/grpclog"
-	"gopkg.in/natefinch/lumberjack.v2"
 
 	"github.com/netbirdio/netbird/formatter"
 )
@@ -59,7 +60,12 @@ func InitLogger(logger *log.Logger, logLevel string, logs ...string) error {
 		case "":
 			logger.Warnf("empty log path received: %#v", logPath)
 		default:
-			writers = append(writers, newRotatedOutput(logPath))
+			writer, err := setupLogFile(logPath, isRotationDisabled(logger))
+			if err != nil {
+				logger.Errorf("failed setting up log file: %s, %s", logPath, err)
+				return err
+			}
+			writers = append(writers, writer)
 		}
 	}
 
@@ -94,17 +100,43 @@ func FindFirstLogPath(logs []string) string {
 	return ""
 }
 
+func isRotationDisabled(logger *log.Logger) bool {
+	v, _ := os.LookupEnv("NB_LOG_DISABLE_ROTATION")
+	disabled, _ := strconv.ParseBool(v)
+	if disabled {
+		logger.Warnf("log rotation is disabled by env flag")
+		return true
+	}
+	conflict, configPath := FindFirstLogrotateConflict()
+	if conflict {
+		logger.Warnf("log rotation conflict detected in: %#v, rotation is disabled", configPath)
+		return true
+	}
+	return false
+}
+
+func setupLogFile(logPath string, disableRotation bool) (io.Writer, error) {
+	if disableRotation {
+		file, err := os.OpenFile(logPath, os.O_WRONLY|os.O_APPEND|os.O_CREATE, 0600)
+		if err != nil {
+			return nil, fmt.Errorf("failed opening log file: %s", err)
+		}
+		return file, nil
+	}
+	return newRotatedOutput(logPath), nil
+}
+
 func newRotatedOutput(logPath string) io.Writer {
 	maxLogSize := getLogMaxSize()
-	lumberjackLogger := &lumberjack.Logger{
+	timberjackLogger := &timberjack.Logger{
 		// Log file absolute path, os agnostic
-		Filename:   filepath.ToSlash(logPath),
-		MaxSize:    maxLogSize, // MB
-		MaxBackups: 10,
-		MaxAge:     30, // days
-		Compress:   true,
+		Filename:    filepath.ToSlash(logPath),
+		MaxSize:     maxLogSize, // MB
+		MaxBackups:  10,
+		MaxAge:      30, // days
+		Compression: "gzip",
 	}
-	return lumberjackLogger
+	return timberjackLogger
 }
 
 func setGRPCLibLogger(logger *log.Logger) {

util/log_test.go

@@ -0,0 +1,96 @@
+package util
+
+import (
+	"io"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/require"
+)
+
+// TestSetupLogFile_RotatesOnSize drives >MaxSize bytes through the writer
+// returned by setupLogFile and asserts a backup file appears.
+func TestSetupLogFile_RotatesOnSize(t *testing.T) {
+	t.Setenv("NB_LOG_MAX_SIZE_MB", "1")
+
+	dir := t.TempDir()
+	logPath := filepath.Join(dir, "netbird.log")
+
+	w, err := setupLogFile(logPath, false)
+	require.NoError(t, err)
+	t.Cleanup(func() {
+		if c, ok := w.(io.Closer); ok {
+			_ = c.Close()
+		}
+	})
+
+	chunk := []byte(strings.Repeat("x", 64*1024) + "\n")
+	for range 20 {
+		_, err := w.Write(chunk)
+		require.NoError(t, err)
+	}
+
+	info, err := os.Stat(logPath)
+	require.NoError(t, err)
+	require.Less(t, info.Size(), int64(1<<20),
+		"active log should be < 1 MB after rotation, got %d", info.Size())
+
+	require.Eventually(t, func() bool {
+		entries, _ := os.ReadDir(dir)
+		for _, e := range entries {
+			name := e.Name()
+			if name == filepath.Base(logPath) {
+				continue
+			}
+			if strings.HasPrefix(name, "netbird-") && strings.HasSuffix(name, ".log.gz") {
+				return true
+			}
+		}
+		return false
+	}, 5*time.Second, 50*time.Millisecond, "expected a rotated backup file in %s", dir)
+}
+
+// TestSetupLogFile_RotationDisabled verifies that with rotation off, the file
+// grows past MaxSize and no backups are created.
+func TestSetupLogFile_RotationDisabled(t *testing.T) {
+	t.Setenv("NB_LOG_MAX_SIZE_MB", "1")
+
+	dir := t.TempDir()
+	logPath := filepath.Join(dir, "netbird.log")
+
+	w, err := setupLogFile(logPath, true)
+	require.NoError(t, err)
+
+	f, ok := w.(*os.File)
+	require.True(t, ok, "expected plain *os.File when rotation is disabled, got %T", w)
+	t.Cleanup(func() { _ = f.Close() })
+
+	chunk := []byte(strings.Repeat("y", 64*1024) + "\n")
+	for range 20 {
+		_, err := w.Write(chunk)
+		require.NoError(t, err)
+	}
+
+	info, err := os.Stat(logPath)
+	require.NoError(t, err)
+	require.GreaterOrEqual(t, info.Size(), int64(1<<20),
+		"file should exceed MaxSize when rotation is disabled, got %d", info.Size())
+
+	entries, err := os.ReadDir(dir)
+	require.NoError(t, err)
+	require.Len(t, entries, 1, "no backup files should exist when rotation is disabled, got %v", entries)
+}
+
+// TestIsRotationDisabled_EnvFlag covers the NB_LOG_DISABLE_ROTATION env path.
+// The logrotate-conflict branch is exercised separately on linux.
+func TestIsRotationDisabled_EnvFlag(t *testing.T) {
+	logger := log.New()
+	logger.SetOutput(io.Discard)
+
+	t.Setenv("NB_LOG_DISABLE_ROTATION", "true")
+	require.True(t, isRotationDisabled(logger))
+}

util/logrotate_linux.go

@@ -0,0 +1,93 @@
+//go:build linux
+
+package util
+
+import (
+	"bufio"
+	"errors"
+	"io/fs"
+	"os"
+	"path/filepath"
+	"strings"
+
+	log "github.com/sirupsen/logrus"
+)
+
+const (
+	defaultLogrotateConfPath = "/etc/logrotate.conf"
+	defaultLogrotateConfDir  = "/etc/logrotate.d"
+	netbirdString            = "netbird"
+)
+
+// FindLogrotateConflicts scans the standard logrotate locations for
+// indications of conflict with netbird. It returns true and the config file
+// path if a conflict was found.
+func FindFirstLogrotateConflict() (bool, string) {
+	return findFirstLogrotateConflictIn(defaultLogrotateConfPath, defaultLogrotateConfDir)
+}
+
+func findFirstLogrotateConflictIn(confPath, confDir string) (bool, string) {
+	for _, f := range listLogrotateConfigs(confPath, confDir) {
+		present, err := scanLogrotateFile(f, netbirdString)
+		if err != nil {
+			if !errors.Is(err, fs.ErrNotExist) {
+				log.Debugf("scan %s: %v", f, err)
+			}
+			continue
+		}
+		if present {
+			return present, f
+		}
+	}
+	return false, ""
+}
+
+// listLogrotateConfigs returns all config files for logrotate.
+func listLogrotateConfigs(confPath, confDir string) []string {
+	files := []string{confPath}
+	entries, err := os.ReadDir(confDir)
+	if err != nil {
+		return files
+	}
+	for _, e := range entries {
+		if e.IsDir() {
+			continue
+		}
+		files = append(files, filepath.Join(confDir, e.Name()))
+	}
+	return files
+}
+
+// scanLogrotateFile reads a config and reports if a non-comment line
+// contains the given substring.
+func scanLogrotateFile(path string, substring string) (bool, error) {
+	f, err := os.Open(path)
+	if err != nil {
+		return false, err
+	}
+	defer func() {
+		if err := f.Close(); err != nil {
+			log.Debugf("close %s: %v", path, err)
+		}
+	}()
+
+	scanner := bufio.NewScanner(f)
+	for scanner.Scan() {
+		line := strings.TrimSpace(stripLogrotateComment(scanner.Text()))
+		if line == "" {
+			continue
+		}
+		if strings.Contains(line, substring) {
+			return true, nil
+		}
+	}
+	if err := scanner.Err(); err != nil {
+		return false, err
+	}
+	return false, nil
+}
+
+func stripLogrotateComment(line string) string {
+	before, _, _ := strings.Cut(line, "#")
+	return before
+}

util/logrotate_linux_test.go

@@ -0,0 +1,95 @@
+//go:build linux
+
+package util
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestFindFirstLogrotateConflict(t *testing.T) {
+	t.Run("conflict in confDir", func(t *testing.T) {
+		confPath, confDir := newLogrotateLayout(t)
+		conflictPath := filepath.Join(confDir, "netbird")
+		writeLogrotateConfig(t, conflictPath, `/var/log/netbird/*.log {
+    daily
+    rotate 7
+}`)
+		writeLogrotateConfig(t, filepath.Join(confDir, "nginx"), `/var/log/nginx/*.log { daily }`)
+
+		got, path := findFirstLogrotateConflictIn(confPath, confDir)
+		require.True(t, got)
+		require.Equal(t, conflictPath, path)
+	})
+
+	t.Run("conflict in main conf file", func(t *testing.T) {
+		confPath, confDir := newLogrotateLayout(t)
+		writeLogrotateConfig(t, confPath, `weekly
+rotate 4
+include /etc/logrotate.d
+/var/log/netbird/client.log { rotate 5 }`)
+
+		got, path := findFirstLogrotateConflictIn(confPath, confDir)
+		require.True(t, got)
+		require.Equal(t, confPath, path)
+	})
+
+	t.Run("no conflict when netbird is absent", func(t *testing.T) {
+		confPath, confDir := newLogrotateLayout(t)
+		writeLogrotateConfig(t, filepath.Join(confDir, "nginx"), `/var/log/nginx/*.log { daily }`)
+		writeLogrotateConfig(t, filepath.Join(confDir, "syslog"), `/var/log/syslog { weekly }`)
+
+		got, path := findFirstLogrotateConflictIn(confPath, confDir)
+		require.False(t, got)
+		require.Empty(t, path)
+	})
+
+	t.Run("commented-out netbird line is ignored", func(t *testing.T) {
+		confPath, confDir := newLogrotateLayout(t)
+		writeLogrotateConfig(t, filepath.Join(confDir, "misc"), `# /var/log/netbird/*.log { daily }
+/var/log/other.log { weekly }`)
+
+		got, path := findFirstLogrotateConflictIn(confPath, confDir)
+		require.False(t, got)
+		require.Empty(t, path)
+	})
+
+	t.Run("subdirectories in confDir are ignored", func(t *testing.T) {
+		confPath, confDir := newLogrotateLayout(t)
+		sub := filepath.Join(confDir, "nested")
+		require.NoError(t, os.MkdirAll(sub, 0o755))
+		writeLogrotateConfig(t, filepath.Join(sub, "netbird"), `/var/log/netbird/*.log { daily }`)
+
+		got, path := findFirstLogrotateConflictIn(confPath, confDir)
+		require.False(t, got)
+		require.Empty(t, path)
+	})
+
+	t.Run("missing paths return no conflict", func(t *testing.T) {
+		dir := t.TempDir()
+		got, path := findFirstLogrotateConflictIn(
+			filepath.Join(dir, "does-not-exist.conf"),
+			filepath.Join(dir, "does-not-exist.d"),
+		)
+		require.False(t, got)
+		require.Empty(t, path)
+	})
+}
+
+// newLogrotateLayout creates a temp logrotate.conf path and logrotate.d dir,
+// returning their paths. The conf file itself is not created.
+func newLogrotateLayout(t *testing.T) (confPath, confDir string) {
+	t.Helper()
+	root := t.TempDir()
+	confDir = filepath.Join(root, "logrotate.d")
+	require.NoError(t, os.MkdirAll(confDir, 0o755))
+	return filepath.Join(root, "logrotate.conf"), confDir
+}
+
+func writeLogrotateConfig(t *testing.T, path, body string) {
+	t.Helper()
+	require.NoError(t, os.WriteFile(path, []byte(body), 0o644))
+}

util/logrotate_nonlinux.go

@@ -0,0 +1,10 @@
+//go:build !linux
+
+package util
+
+// FindLogrotateConflicts scans the standard logrotate locations for
+// indications of conflict with netbird. It will always return false for
+// non-linux devices.
+func FindFirstLogrotateConflict() (bool, string) {
+	return false, ""
+}