Address review

Author: lixmal

client/firewall/iptables/manager_linux.go

@@ -260,15 +260,15 @@ func (m *Manager) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 	return m.router.UpdateSet(set, prefixes)
 }
 
-// AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services
+// AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services.
 func (m *Manager) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
 	return m.router.AddInboundDNAT(localAddr, protocol, sourcePort, targetPort)
 }
 
-// RemoveInboundDNAT removes inbound DNAT rule
+// RemoveInboundDNAT removes an inbound DNAT rule.
 func (m *Manager) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

client/firewall/iptables/router_linux.go

@@ -880,7 +880,7 @@ func (r *router) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 	return nberrors.FormatErrorOrNil(merr)
 }
 
-// AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services
+// AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services.
 func (r *router) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
 	ruleID := fmt.Sprintf("inbound-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
 
@@ -913,7 +913,7 @@ func (r *router) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol
 	return nil
 }
 
-// RemoveInboundDNAT removes inbound DNAT rule
+// RemoveInboundDNAT removes an inbound DNAT rule.
 func (r *router) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
 	ruleID := fmt.Sprintf("inbound-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
 

client/firewall/nftables/manager_linux.go

@@ -376,15 +376,15 @@ func (m *Manager) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 	return m.router.UpdateSet(set, prefixes)
 }
 
-// AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services
+// AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services.
 func (m *Manager) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
 	return m.router.AddInboundDNAT(localAddr, protocol, sourcePort, targetPort)
 }
 
-// RemoveInboundDNAT removes inbound DNAT rule
+// RemoveInboundDNAT removes an inbound DNAT rule.
 func (m *Manager) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

client/firewall/nftables/router_linux.go

@@ -1350,7 +1350,7 @@ func (r *router) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 	return nil
 }
 
-// AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services
+// AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services.
 func (r *router) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
 	ruleID := fmt.Sprintf("inbound-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
 
@@ -1426,7 +1426,7 @@ func (r *router) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol
 	return nil
 }
 
-// RemoveInboundDNAT removes inbound DNAT rule
+// RemoveInboundDNAT removes an inbound DNAT rule.
 func (r *router) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
 	if err := r.refreshRulesMap(); err != nil {
 		return fmt.Errorf(refreshRulesMapError, err)

client/firewall/uspfilter/nat.go

@@ -22,6 +22,10 @@ var (
 
 const (
 	errRewriteTCPDestinationPort = "rewrite TCP destination port: %v"
+
+	// Port offsets in TCP/UDP headers
+	sourcePortOffset      = 0
+	destinationPortOffset = 2
 )
 
 // ipv4Checksum calculates IPv4 header checksum.
@@ -748,8 +752,8 @@ func (m *Manager) applyPortDNATRule(packetData []byte, d *decoder, rule portDNAT
 	return true
 }
 
-// rewriteTCPDestinationPort rewrites the destination port in a TCP packet and updates checksum.
-func (m *Manager) rewriteTCPDestinationPort(packetData []byte, d *decoder, newPort uint16) error {
+// rewriteTCPPort rewrites a TCP port (source or destination) and updates checksum.
+func (m *Manager) rewriteTCPPort(packetData []byte, d *decoder, newPort uint16, portOffset int) error {
 	if len(packetData) < 20 || d.decoded[0] != layers.LayerTypeIPv4 {
 		return ErrIPv4Only
 	}
@@ -768,9 +772,9 @@ func (m *Manager) rewriteTCPDestinationPort(packetData []byte, d *decoder, newPo
 		return fmt.Errorf("packet too short for TCP header")
 	}
 
-	oldPort := binary.BigEndian.Uint16(packetData[tcpStart+2 : tcpStart+4])
-
-	binary.BigEndian.PutUint16(packetData[tcpStart+2:tcpStart+4], newPort)
+	portStart := tcpStart + portOffset
+	oldPort := binary.BigEndian.Uint16(packetData[portStart : portStart+2])
+	binary.BigEndian.PutUint16(packetData[portStart:portStart+2], newPort)
 
 	if len(packetData) >= tcpStart+18 {
 		checksumOffset := tcpStart + 16
@@ -787,45 +791,17 @@ func (m *Manager) rewriteTCPDestinationPort(packetData []byte, d *decoder, newPo
 	return nil
 }
 
+// rewriteTCPDestinationPort rewrites the destination port in a TCP packet and updates checksum.
+func (m *Manager) rewriteTCPDestinationPort(packetData []byte, d *decoder, newPort uint16) error {
+	return m.rewriteTCPPort(packetData, d, newPort, destinationPortOffset)
+}
+
 // rewriteTCPSourcePort rewrites the source port in a TCP packet and updates checksum.
 func (m *Manager) rewriteTCPSourcePort(packetData []byte, d *decoder, newPort uint16) error {
-	if len(packetData) < 20 || d.decoded[0] != layers.LayerTypeIPv4 {
-		return ErrIPv4Only
-	}
-
-	if len(d.decoded) < 2 || d.decoded[1] != layers.LayerTypeTCP {
-		return fmt.Errorf("not a TCP packet")
-	}
-
-	ipHeaderLen := int(d.ip4.IHL) * 4
-	if ipHeaderLen < 20 || ipHeaderLen > len(packetData) {
-		return errInvalidIPHeaderLength
-	}
-
-	tcpStart := ipHeaderLen
-	if len(packetData) < tcpStart+4 {
-		return fmt.Errorf("packet too short for TCP header")
-	}
-
-	oldPort := binary.BigEndian.Uint16(packetData[tcpStart : tcpStart+2])
-
-	binary.BigEndian.PutUint16(packetData[tcpStart:tcpStart+2], newPort)
-
-	if len(packetData) >= tcpStart+18 {
-		checksumOffset := tcpStart + 16
-		oldChecksum := binary.BigEndian.Uint16(packetData[checksumOffset : checksumOffset+2])
-
-		var oldPortBytes, newPortBytes [2]byte
-		binary.BigEndian.PutUint16(oldPortBytes[:], oldPort)
-		binary.BigEndian.PutUint16(newPortBytes[:], newPort)
-
-		newChecksum := incrementalUpdate(oldChecksum, oldPortBytes[:], newPortBytes[:])
-		binary.BigEndian.PutUint16(packetData[checksumOffset:checksumOffset+2], newChecksum)
-	}
-
-	return nil
+	return m.rewriteTCPPort(packetData, d, newPort, sourcePortOffset)
 }
 
+// applyInboundUDPPortDNAT applies port DNAT to inbound UDP packets.
 func (m *Manager) applyInboundUDPPortDNAT(packetData []byte, d *decoder, dstIP netip.Addr, dstPort uint16) bool {
 	m.portDNATMutex.RLock()
 	defer m.portDNATMutex.RUnlock()
@@ -849,7 +825,8 @@ func (m *Manager) applyInboundUDPPortDNAT(packetData []byte, d *decoder, dstIP n
 	return false
 }
 
-func (m *Manager) rewriteUDPDestinationPort(packetData []byte, d *decoder, newPort uint16) error {
+// rewriteUDPPort rewrites a UDP port (source or destination) and updates checksum.
+func (m *Manager) rewriteUDPPort(packetData []byte, d *decoder, newPort uint16, portOffset int) error {
 	if len(packetData) < 20 || d.decoded[0] != layers.LayerTypeIPv4 {
 		return ErrIPv4Only
 	}
@@ -868,8 +845,9 @@ func (m *Manager) rewriteUDPDestinationPort(packetData []byte, d *decoder, newPo
 		return fmt.Errorf("packet too short for UDP header")
 	}
 
-	oldPort := binary.BigEndian.Uint16(packetData[udpStart+2 : udpStart+4])
-	binary.BigEndian.PutUint16(packetData[udpStart+2:udpStart+4], newPort)
+	portStart := udpStart + portOffset
+	oldPort := binary.BigEndian.Uint16(packetData[portStart : portStart+2])
+	binary.BigEndian.PutUint16(packetData[portStart:portStart+2], newPort)
 
 	checksumOffset := udpStart + 6
 	if len(packetData) >= udpStart+8 {
@@ -887,6 +865,11 @@ func (m *Manager) rewriteUDPDestinationPort(packetData []byte, d *decoder, newPo
 	return nil
 }
 
+// rewriteUDPDestinationPort rewrites the destination port in a UDP packet and updates checksum.
+func (m *Manager) rewriteUDPDestinationPort(packetData []byte, d *decoder, newPort uint16) error {
+	return m.rewriteUDPPort(packetData, d, newPort, destinationPortOffset)
+}
+
 // translateOutboundPortReverse applies reverse port DNAT to outbound return traffic.
 func (m *Manager) translateOutboundPortReverse(packetData []byte, d *decoder) bool {
 	if !m.portDNATEnabled.Load() {
@@ -932,6 +915,7 @@ func (m *Manager) translateOutboundPortReverse(packetData []byte, d *decoder) bo
 	return m.applyOutboundUDPPortReverse(packetData, d, srcIP, srcPort)
 }
 
+// applyOutboundUDPPortReverse applies reverse port DNAT to outbound UDP packets.
 func (m *Manager) applyOutboundUDPPortReverse(packetData []byte, d *decoder, srcIP netip.Addr, srcPort uint16) bool {
 	m.portDNATMutex.RLock()
 	defer m.portDNATMutex.RUnlock()
@@ -955,40 +939,7 @@ func (m *Manager) applyOutboundUDPPortReverse(packetData []byte, d *decoder, src
 	return false
 }
 
+// rewriteUDPSourcePort rewrites the source port in a UDP packet and updates checksum.
 func (m *Manager) rewriteUDPSourcePort(packetData []byte, d *decoder, newPort uint16) error {
-	if len(packetData) < 20 || d.decoded[0] != layers.LayerTypeIPv4 {
-		return ErrIPv4Only
-	}
-
-	if len(d.decoded) < 2 || d.decoded[1] != layers.LayerTypeUDP {
-		return fmt.Errorf("not a UDP packet")
-	}
-
-	ipHeaderLen := int(d.ip4.IHL) * 4
-	if ipHeaderLen < 20 || ipHeaderLen > len(packetData) {
-		return errInvalidIPHeaderLength
-	}
-
-	udpStart := ipHeaderLen
-	if len(packetData) < udpStart+8 {
-		return fmt.Errorf("packet too short for UDP header")
-	}
-
-	oldPort := binary.BigEndian.Uint16(packetData[udpStart : udpStart+2])
-	binary.BigEndian.PutUint16(packetData[udpStart:udpStart+2], newPort)
-
-	checksumOffset := udpStart + 6
-	if len(packetData) >= udpStart+8 {
-		oldChecksum := binary.BigEndian.Uint16(packetData[checksumOffset : checksumOffset+2])
-		if oldChecksum != 0 {
-			var oldPortBytes, newPortBytes [2]byte
-			binary.BigEndian.PutUint16(oldPortBytes[:], oldPort)
-			binary.BigEndian.PutUint16(newPortBytes[:], newPort)
-
-			newChecksum := incrementalUpdate(oldChecksum, oldPortBytes[:], newPortBytes[:])
-			binary.BigEndian.PutUint16(packetData[checksumOffset:checksumOffset+2], newChecksum)
-		}
-	}
-
-	return nil
+	return m.rewriteUDPPort(packetData, d, newPort, sourcePortOffset)
 }

management/server/dns_test.go

@@ -394,15 +394,15 @@ func BenchmarkToProtocolDNSConfig(b *testing.B) {
 
 			b.ResetTimer()
 			for i := 0; i < b.N; i++ {
-				toProtocolDNSConfig(testData, cache, dnsForwarderPort)
+				toProtocolDNSConfig(testData, cache, int64(dnsForwarderPort))
 			}
 		})
 
 		b.Run(fmt.Sprintf("WithoutCache-Size%d", size), func(b *testing.B) {
 			b.ResetTimer()
 			for i := 0; i < b.N; i++ {
 				cache := &DNSConfigCache{}
-				toProtocolDNSConfig(testData, cache, dnsForwarderPort)
+				toProtocolDNSConfig(testData, cache, int64(dnsForwarderPort))
 			}
 		})
 	}
@@ -455,13 +455,13 @@ func TestToProtocolDNSConfigWithCache(t *testing.T) {
 	}
 
 	// First run with config1
-	result1 := toProtocolDNSConfig(config1, &cache, dnsForwarderPort)
+	result1 := toProtocolDNSConfig(config1, &cache, int64(dnsForwarderPort))
 
 	// Second run with config2
-	result2 := toProtocolDNSConfig(config2, &cache, dnsForwarderPort)
+	result2 := toProtocolDNSConfig(config2, &cache, int64(dnsForwarderPort))
 
 	// Third run with config1 again
-	result3 := toProtocolDNSConfig(config1, &cache, dnsForwarderPort)
+	result3 := toProtocolDNSConfig(config1, &cache, int64(dnsForwarderPort))
 
 	// Verify that result1 and result3 are identical
 	if !reflect.DeepEqual(result1, result3) {
@@ -486,7 +486,7 @@ func TestComputeForwarderPort(t *testing.T) {
 	// Test with empty peers list
 	peers := []*nbpeer.Peer{}
 	result := computeForwarderPort(peers, "v0.59.0")
-	if result != oldForwarderPort {
+	if result != int64(oldForwarderPort) {
 		t.Errorf("Expected %d for empty peers list, got %d", oldForwarderPort, result)
 	}
 
@@ -504,7 +504,7 @@ func TestComputeForwarderPort(t *testing.T) {
 		},
 	}
 	result = computeForwarderPort(peers, "v0.59.0")
-	if result != oldForwarderPort {
+	if result != int64(oldForwarderPort) {
 		t.Errorf("Expected %d for peers with old versions, got %d", oldForwarderPort, result)
 	}
 
@@ -522,7 +522,7 @@ func TestComputeForwarderPort(t *testing.T) {
 		},
 	}
 	result = computeForwarderPort(peers, "v0.59.0")
-	if result != dnsForwarderPort {
+	if result != int64(dnsForwarderPort) {
 		t.Errorf("Expected %d for peers with new versions, got %d", dnsForwarderPort, result)
 	}
 
@@ -540,7 +540,7 @@ func TestComputeForwarderPort(t *testing.T) {
 		},
 	}
 	result = computeForwarderPort(peers, "v0.59.0")
-	if result != oldForwarderPort {
+	if result != int64(oldForwarderPort) {
 		t.Errorf("Expected %d for peers with mixed versions, got %d", oldForwarderPort, result)
 	}
 
@@ -553,7 +553,7 @@ func TestComputeForwarderPort(t *testing.T) {
 		},
 	}
 	result = computeForwarderPort(peers, "v0.59.0")
-	if result != oldForwarderPort {
+	if result != int64(oldForwarderPort) {
 		t.Errorf("Expected %d for peers with empty version, got %d", oldForwarderPort, result)
 	}
 
@@ -565,7 +565,7 @@ func TestComputeForwarderPort(t *testing.T) {
 		},
 	}
 	result = computeForwarderPort(peers, "v0.59.0")
-	if result == oldForwarderPort {
+	if result == int64(oldForwarderPort) {
 		t.Errorf("Expected %d for peers with dev version, got %d", dnsForwarderPort, result)
 	}
 
@@ -578,7 +578,7 @@ func TestComputeForwarderPort(t *testing.T) {
 		},
 	}
 	result = computeForwarderPort(peers, "v0.59.0")
-	if result != oldForwarderPort {
+	if result != int64(oldForwarderPort) {
 		t.Errorf("Expected %d for peers with unknown version, got %d", oldForwarderPort, result)
 	}
 }

management/server/peer_test.go

@@ -1161,7 +1161,7 @@ func TestToSyncResponse(t *testing.T) {
 	}
 	dnsCache := &DNSConfigCache{}
 	accountSettings := &types.Settings{RoutingPeerDNSResolutionEnabled: true}
-	response := toSyncResponse(context.Background(), config, peer, turnRelayToken, turnRelayToken, networkMap, dnsName, checks, dnsCache, accountSettings, nil, []string{}, dnsForwarderPort)
+	response := toSyncResponse(context.Background(), config, peer, turnRelayToken, turnRelayToken, networkMap, dnsName, checks, dnsCache, accountSettings, nil, []string{}, int64(dnsForwarderPort))
 
 	assert.NotNil(t, response)
 	// assert peer config