
[client] Set up firewall rules for dns routes dynamically based on dns response #3702


Status: Merged (23 commits, merged into main from dns-route-dynamic-rules on Apr 24, 2025)
Conversation

@lixmal lixmal (Contributor) commented Apr 17, 2025

Describe your changes

This PR enhances NetBird's firewall implementation by replacing static wide firewall rules for DNS routes with dynamic rule generation.

  • Firewall rules now start with empty prefix sets that are populated dynamically as DNS resolution occurs
  • When the DNS forwarder resolves domain names to IP addresses, it automatically updates the corresponding prefix sets
  • For the userspace firewall implementation, destination prefixes initialize as empty and update/merge dynamically as new IPs are resolved
  • Debug bundle now collects IP sets for iptables
  • Fixes uspfilter closing trackers on Windows properly
  • Handles duplicate domains in the dns forwarder being part of different routes (adds resolved IPs to all of them)
  • Fixes a bug where, in some cases, the userspace firewall would not block invalid routed subnets
  • Aligns the order of expressions in one nftables rule
  • Fixes a bug where netbird status would not display unicode fqdns properly
  • Updates the nftables library to make use of the comment feature for sets
  • Fixes case handling in the dns forwarder
  • Fixes a potential panic in the dns forwarder if Update was called before creating the multiplexer

Issue ticket number and link

Stack

Checklist

  • Is it a bug fix
  • Is a typo/documentation fix
  • Is a feature enhancement
  • It is a refactor
  • Created tests that fail without the change (if possible)
  • Extended the README / documentation, if necessary
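As an added illustration of the dynamic-set model the description above lays out (prefix sets that start empty, resolved addresses merged in as the forwarder answers queries, the same domain on several routes feeding all of their sets, and case- and trailing-dot-insensitive name matching), here is a self-contained Go sketch. It is not NetBird's code and not from the PR: `ForwarderEntry`, `PrefixSets`, `MatchingEntries` and `OnResolved` are hypothetical simplifications written for this page, and the sample routes and addresses are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
	"strings"
	"sync"
)

// ForwarderEntry is a hypothetical stand-in for a DNS-route entry: the route's
// domain pattern and the ID of the firewall prefix set fed by that route.
// The same domain may legitimately appear on two different routes.
type ForwarderEntry struct {
	Domain string // matched case-insensitively; a "*." prefix means "any subdomain of"
	SetID  string
}

// PrefixSets models the dynamic sets (set ID -> resolved prefixes). Every set
// starts empty, so a rule referencing it matches no traffic until the forwarder
// has actually resolved a name belonging to that route.
type PrefixSets struct {
	mu   sync.Mutex
	sets map[string]map[netip.Prefix]struct{}
}

func NewPrefixSets(ids ...string) *PrefixSets {
	p := &PrefixSets{sets: make(map[string]map[netip.Prefix]struct{})}
	for _, id := range ids {
		p.sets[id] = make(map[netip.Prefix]struct{})
	}
	return p
}

// Add merges a prefix into a set and reports whether the set changed, so a
// caller can skip pushing no-op updates to the firewall backend.
func (p *PrefixSets) Add(id string, pfx netip.Prefix) bool {
	p.mu.Lock()
	defer p.mu.Unlock()
	set, ok := p.sets[id]
	if !ok {
		return false // unknown set: nothing to update
	}
	if _, dup := set[pfx]; dup {
		return false
	}
	set[pfx] = struct{}{}
	return true
}

// Prefixes returns a sorted snapshot of one set.
func (p *PrefixSets) Prefixes(id string) []netip.Prefix {
	p.mu.Lock()
	defer p.mu.Unlock()
	out := make([]netip.Prefix, 0, len(p.sets[id]))
	for pfx := range p.sets[id] {
		out = append(out, pfx)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].String() < out[j].String() })
	return out
}

// normalizeDomain makes matching case-insensitive and tolerant of the trailing
// dot that DNS wire-format names carry.
func normalizeDomain(name string) string {
	return strings.TrimSuffix(strings.ToLower(name), ".")
}

func labels(s string) int { return strings.Count(s, ".") + 1 }

// matchScore returns -1 when the entry does not cover name, otherwise a score
// that grows with the number of labels matched; an exact match always outranks
// a wildcard of the same depth ("example.com" beats "*.example.com").
func matchScore(entry ForwarderEntry, name string) int {
	pattern := normalizeDomain(entry.Domain)
	if strings.HasPrefix(pattern, "*.") {
		suffix := strings.TrimPrefix(pattern, "*.")
		if strings.HasSuffix(name, "."+suffix) {
			return 2 * labels(suffix)
		}
		return -1
	}
	if pattern == name {
		return 2*labels(pattern) + 1
	}
	return -1
}

// MatchingEntries returns every entry that shares the best score for name.
// Ties are kept on purpose: a domain configured on two routes means the
// resolved addresses belong in both routes' sets.
func MatchingEntries(entries []ForwarderEntry, name string) []ForwarderEntry {
	name = normalizeDomain(name)
	best := -1
	var out []ForwarderEntry
	for _, e := range entries {
		s := matchScore(e, name)
		if s < 0 || s < best {
			continue
		}
		if s > best {
			best, out = s, out[:0]
		}
		out = append(out, e)
	}
	return out
}

// OnResolved is the hook a forwarder would call with the addresses from a
// response: each becomes a host prefix (/32 or /128) merged into the set of
// every matching route. It returns the IDs of the sets that actually grew.
func OnResolved(sets *PrefixSets, entries []ForwarderEntry, name string, addrs []netip.Addr) []string {
	changed := map[string]bool{}
	for _, e := range MatchingEntries(entries, name) {
		for _, a := range addrs {
			a = a.Unmap() // treat ::ffff:1.2.3.4 as the IPv4 address it wraps
			if sets.Add(e.SetID, netip.PrefixFrom(a, a.BitLen())) {
				changed[e.SetID] = true
			}
		}
	}
	ids := make([]string, 0, len(changed))
	for id := range changed {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	return ids
}

// SampleEntries are constructed routes, including one domain shared by two routes.
var SampleEntries = []ForwarderEntry{
	{Domain: "example.com", SetID: "route-a"},
	{Domain: "example.com", SetID: "route-b"},
	{Domain: "*.example.com", SetID: "route-c"},
	{Domain: "*.corp.example.com", SetID: "route-d"},
}

func main() {
	sets := NewPrefixSets("route-a", "route-b", "route-c", "route-d")
	changed := OnResolved(sets, SampleEntries, "Example.COM.", []netip.Addr{netip.MustParseAddr("93.184.216.34")})
	fmt.Println("updated sets:", changed, "route-a:", sets.Prefixes("route-a"))
}
```

The sets are keyed per route, not per domain, so a second route carrying an already-configured domain simply receives the same host prefixes; `Add` returning `false` for repeats is what keeps re-resolution of a cached name from triggering redundant backend writes.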

@Copilot Copilot AI review requested due to automatic review settings April 17, 2025 16:46
@Copilot Copilot AI left a comment


Pull Request Overview

This PR implements dynamic DNS route firewall rules by introducing new types and function signatures throughout the codebase to replace raw netip.Prefix values with a more expressive firewall.Network type. It also adjusts DNS forwarder logic and updates various firewall manager implementations (nftables and iptables) to integrate with the new dynamic routing and DNS forwarding functionality.

  • Updated function signatures to use firewall.Network instead of netip.Prefix.
  • Refactored DNS forwarder functions to work with new entry types.
  • Modified rule generation in both nftables and iptables logic to support dynamic ipset updates.

Reviewed Changes

Copilot reviewed 33 out of 33 changed files in this pull request and generated 1 comment.

Summary per file:

  • client/internal/engine.go: Adjusted DNS forwarder configuration and route update ordering.
  • client/internal/dnsfwd/*: Refactored DNS forwarder and its tests to use ForwarderEntry structs.
  • client/internal/acl/*: Minor logging message update in ACL rule application.
  • client/firewall/*: Updated API calls and structures to accommodate the new firewall.Network type, and refactored iptables/nftables rule creation.
  • client/firewall/manager/*: Replaced old GenerateSetName calls with NewPrefixSet and updated tests accordingly.
Comments suppressed due to low confidence (1)

client/internal/dnsfwd/forwarder.go:240

  • In the getMatchingEntries function, when multiple entries score equally, only the latter is chosen. Consider explicitly handling ties to ensure the most appropriate match is selected.

    for _, entry := range f.fwdEntries {

@lixmal lixmal force-pushed the dns-route-dynamic-rules branch from ef668dd to db2a803 Compare April 19, 2025 11:29

@lixmal lixmal merged commit 4a90495 into main Apr 24, 2025
33 of 35 checks passed
@lixmal lixmal deleted the dns-route-dynamic-rules branch April 24, 2025 15:37