Conversation


@lixmal lixmal commented Oct 27, 2025

Describe your changes

  • Port dnat changes from [client,management] Rewrite the SSH feature #4015 (nftables/iptables/userspace)
    • For userspace: rewrite the original port to the target port
    • Remember original destination port in conntrack
    • Rewrite the source port back to the original port for replies
  • Redirect incoming port 5353 to 22054 (tcp/udp)
  • Revert port changes based on the network map received from management
  • Adjust tracer to show NAT stages

Example tracer output

$ netbird debug trace in 100.0.169.249 self -p tcp --dport 5353
Packet trace 100.0.169.249:49561 → self:5353 (TCP)

Received: Received TCP packet: 100.0.169.249:49561 -> 100.0.2.175:5353
Inbound Port DNAT: TCP port DNAT applied: 100.0.2.175:5353 -> 100.0.2.175:22054
Inbound 1:1 NAT: 1:1 NAT not enabled
Connection Tracking: No existing connection found
Routing: Packet destined for local delivery
Peer ACL: Allowed by peer ACL rules (<no id>)
Completed: Processing completed

Final disposition: ALLOWED

Issue ticket number and link

Stack

Checklist

  • Is it a bug fix
  • Is a typo/documentation fix
  • Is a feature enhancement
  • It is a refactor
  • Created tests that fail without the change (if possible)

By submitting this pull request, you confirm that you have read and agree to the terms of the Contributor License Agreement.

Documentation

Select exactly one:

  • I added/updated documentation for this change
  • Documentation is not needed for this change (explain why)

Docs PR URL (required if "docs added" is checked)

Paste the PR link from https://github.com/netbirdio/docs here:

https://github.com/netbirdio/docs/pull/__
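To make the userspace mechanism in the description concrete (rewrite the destination port on the way in, remember the original port per flow, restore it as the source port on replies), here is a stand-alone Go sketch of port DNAT with conntrack-backed reversal. It is an added example, not code from the netbird repository or from this PR: the Packet and PortDNAT types, the flowKey map, the Forget helper and the packet-level API are assumptions of the example; only the ports and the addresses are taken from the trace above.

```go
package main

import (
	"fmt"
	"net/netip"
)

// IP protocol numbers for the two transports that carry ports.
const (
	ProtoTCP uint8 = 6
	ProtoUDP uint8 = 17
)

// Ports from the PR: peers send DNS to 5353, the forwarder listens on 22054.
const (
	ForwarderClientPort uint16 = 5353
	ForwarderServerPort uint16 = 22054
)

// Packet is a minimal transport-layer view of a packet (hypothetical type
// for this example; a real userspace filter works on raw packet bytes).
type Packet struct {
	Proto   uint8
	SrcAddr netip.Addr
	SrcPort uint16
	DstAddr netip.Addr
	DstPort uint16
}

// flowKey identifies a flow as seen AFTER inbound translation, because that
// is the 5-tuple the local socket sees and that replies carry reversed.
type flowKey struct {
	Proto   uint8
	SrcAddr netip.Addr
	SrcPort uint16
	DstAddr netip.Addr
	DstPort uint16
}

// PortDNAT holds static port rules plus per-flow state so replies can be
// un-translated (a constructed stand-in for the filter's conntrack table).
type PortDNAT struct {
	rules map[uint16]uint16  // original dst port -> rewritten dst port
	conns map[flowKey]uint16 // translated inbound flow -> original dst port
}

func NewPortDNAT() *PortDNAT {
	return &PortDNAT{rules: map[uint16]uint16{}, conns: map[flowKey]uint16{}}
}

// AddRule redirects inbound TCP/UDP traffic for port from to port to.
func (d *PortDNAT) AddRule(from, to uint16) { d.rules[from] = to }

func inboundKey(p *Packet) flowKey {
	return flowKey{p.Proto, p.SrcAddr, p.SrcPort, p.DstAddr, p.DstPort}
}

// TranslateInbound rewrites the destination port of an inbound packet when a
// rule matches and records the original port keyed by the translated flow.
// It reports whether a rewrite happened; only TCP and UDP carry ports.
func (d *PortDNAT) TranslateInbound(p *Packet) bool {
	if p.Proto != ProtoTCP && p.Proto != ProtoUDP {
		return false
	}
	to, ok := d.rules[p.DstPort]
	if !ok {
		return false
	}
	orig := p.DstPort
	p.DstPort = to
	d.conns[inboundKey(p)] = orig
	return true
}

// TranslateOutbound undoes the rewrite on a reply: the outgoing tuple is
// reversed into the inbound flow key and, if state exists, the source port
// is restored to the port the peer originally sent to. A reply for a flow
// that reached the local port directly has no state and is left untouched.
func (d *PortDNAT) TranslateOutbound(p *Packet) bool {
	k := flowKey{p.Proto, p.DstAddr, p.DstPort, p.SrcAddr, p.SrcPort}
	orig, ok := d.conns[k]
	if !ok {
		return false
	}
	p.SrcPort = orig
	return true
}

// Forget drops the flow state once the connection is closed or timed out;
// p is the inbound, already translated tuple.
func (d *PortDNAT) Forget(p *Packet) { delete(d.conns, inboundKey(p)) }

func (p Packet) String() string {
	return fmt.Sprintf("%s:%d -> %s:%d", p.SrcAddr, p.SrcPort, p.DstAddr, p.DstPort)
}

func main() {
	d := NewPortDNAT()
	d.AddRule(ForwarderClientPort, ForwarderServerPort)
	peer := netip.MustParseAddr("100.0.169.249") // addresses from the trace above
	self := netip.MustParseAddr("100.0.2.175")

	in := Packet{ProtoTCP, peer, 49561, self, ForwarderClientPort}
	before := in.String()
	d.TranslateInbound(&in)
	fmt.Printf("Inbound Port DNAT: %s => %s\n", before, in)

	reply := Packet{ProtoTCP, self, ForwarderServerPort, peer, 49561}
	before = reply.String()
	d.TranslateOutbound(&reply)
	fmt.Printf("Reply un-DNAT:     %s => %s\n", before, reply)
}
```

The point the conns map makes: in the nftables and iptables backends the kernel's conntrack reverses a nat-table DNAT on replies by itself, so only the inbound rule has to be installed; a userspace filter gets no such help and must keep the original port per flow, key it by the translated tuple (what the socket and the replies actually see), and drop the entry when the flow ends, or a long-running client will leak state. Note also that a peer that connects straight to 22054 gets replies from 22054: the rule is keyed on the original destination port, not on the listener.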

Copilot AI review requested due to automatic review settings October 27, 2025 13:51
Copilot AI left a comment

Pull Request Overview

This PR adds DNS port forwarding functionality by redirecting traffic from port 5353 to 22054 using DNAT rules. The implementation introduces constant definitions for client and server ports, updates the DNS forwarder to use the new ports, and removes the dynamic port configuration logic that was previously managed through the network map.

Key Changes

  • Introduced ForwarderClientPort (5353) and ForwarderServerPort (22054) as package constants
  • Implemented inbound DNAT rules to redirect DNS traffic from client port to server port
  • Simplified DNS forwarder initialization by removing dynamic port updates
  • Deprecated the ForwarderPort field in the protobuf definition

Reviewed Changes

Copilot reviewed 18 out of 18 changed files in this pull request and generated 12 comments.

Summary per file

  • shared/management/proto/management.proto: Deprecated ForwarderPort field in DNSConfig
  • management/server/dns.go: Updated to use new port constants from dns package
  • dns/dns.go: Added ForwarderClientPort and ForwarderServerPort constants
  • client/internal/routemanager/dnsinterceptor/handler.go: Updated to use ForwarderClientPort constant
  • client/internal/netflow/logger/logger.go: Updated DNS port filtering to include both client and server ports
  • client/internal/engine.go: Removed dynamic port management and simplified DNS forwarder updates
  • client/internal/dnsfwd/manager.go: Added DNAT rule management and environment variable support for custom port
  • client/firewall/uspfilter/tracer_test.go: Updated test expectations to include new DNAT stages
  • client/firewall/uspfilter/tracer.go: Added port DNAT and 1:1 NAT tracing stages
  • client/firewall/uspfilter/nat_test.go: Added tests for inbound port DNAT functionality
  • client/firewall/uspfilter/nat.go: Implemented port-specific DNAT translation logic
  • client/firewall/uspfilter/log/log.go: Added support for 7 and 8 argument trace logging
  • client/firewall/uspfilter/filter.go: Integrated port DNAT translation into packet filtering
  • client/firewall/nftables/router_linux.go: Implemented AddInboundDNAT and RemoveInboundDNAT for nftables
  • client/firewall/nftables/manager_linux.go: Added manager methods for inbound DNAT operations
  • client/firewall/manager/firewall.go: Added AddInboundDNAT and RemoveInboundDNAT to Manager interface
  • client/firewall/iptables/router_linux.go: Implemented AddInboundDNAT and RemoveInboundDNAT for iptables
  • client/firewall/iptables/manager_linux.go: Added manager methods for inbound DNAT operations

@lixmal lixmal force-pushed the dns-forwarder-dnat branch from 94749fd to 1315966 on October 27, 2025 20:42

sonarqubecloud bot commented Oct 27, 2025

Quality Gate passed

Issues
0 New issues
9 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@lixmal lixmal changed the title from "[client] Redirect dns forwarder port 5353 to new listening port 22054-" to "[client] Redirect dns forwarder port 5353 to new listening port 22054" on Oct 28, 2025
@mlsmaycon mlsmaycon merged commit 404cab9 into main Oct 28, 2025
44 checks passed
@mlsmaycon mlsmaycon deleted the dns-forwarder-dnat branch October 28, 2025 14:12
4 participants