Set newt version in dockerfile

Updated CI/CD workflow to improve AWS role handling and image tagging.

.github/workflows/test.yml

@@ -31,7 +31,7 @@ jobs:
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - name: Set up Go
-        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
           go-version: 1.25
 

Dockerfile

@@ -1,4 +1,5 @@
-FROM golang:1.25-alpine AS builder
+# FROM golang:1.25-alpine AS builder
+FROM public.ecr.aws/docker/library/golang:1.25-alpine AS builder
 
 # Install git and ca-certificates
 RUN apk --no-cache add ca-certificates git tzdata
@@ -16,9 +17,10 @@ RUN go mod download
 COPY . .
 
 # Build the application
-RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /newt
+ARG VERSION=dev
+RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w -X main.newtVersion=${VERSION}" -o /newt
 
-FROM alpine:3.23 AS runner
+FROM public.ecr.aws/docker/library/alpine:3.23 AS runner
 
 RUN apk --no-cache add ca-certificates tzdata iputils
 

Makefile

@@ -2,6 +2,9 @@
 
 all: local
 
+VERSION ?= dev
+LDFLAGS = -X main.newtVersion=$(VERSION)
+
 local:
 	CGO_ENABLED=0 go build -o ./bin/newt
 
@@ -40,31 +43,31 @@ go-build-release: \
     go-build-release-freebsd-arm64
 
 go-build-release-linux-arm64:
-	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -o bin/newt_linux_arm64
+	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -ldflags "$(LDFLAGS)" -o bin/newt_linux_arm64
 
 go-build-release-linux-arm32-v7:
-	CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=7 go build -o bin/newt_linux_arm32
+	CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=7 go build -ldflags "$(LDFLAGS)" -o bin/newt_linux_arm32
 
 go-build-release-linux-arm32-v6:
-	CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=6 go build -o bin/newt_linux_arm32v6
+	CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=6 go build -ldflags "$(LDFLAGS)" -o bin/newt_linux_arm32v6
 
 go-build-release-linux-amd64:
-	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o bin/newt_linux_amd64
+	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags "$(LDFLAGS)" -o bin/newt_linux_amd64
 
 go-build-release-linux-riscv64:
-	CGO_ENABLED=0 GOOS=linux GOARCH=riscv64 go build -o bin/newt_linux_riscv64
+	CGO_ENABLED=0 GOOS=linux GOARCH=riscv64 go build -ldflags "$(LDFLAGS)" -o bin/newt_linux_riscv64
 
 go-build-release-darwin-arm64:
-	CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build -o bin/newt_darwin_arm64
+	CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build -ldflags "$(LDFLAGS)" -o bin/newt_darwin_arm64
 
 go-build-release-darwin-amd64:
-	CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -o bin/newt_darwin_amd64
+	CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -ldflags "$(LDFLAGS)" -o bin/newt_darwin_amd64
 
 go-build-release-windows-amd64:
-	CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -o bin/newt_windows_amd64.exe
+	CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -ldflags "$(LDFLAGS)" -o bin/newt_windows_amd64.exe
 
 go-build-release-freebsd-amd64:
-	CGO_ENABLED=0 GOOS=freebsd GOARCH=amd64 go build -o bin/newt_freebsd_amd64
+	CGO_ENABLED=0 GOOS=freebsd GOARCH=amd64 go build -ldflags "$(LDFLAGS)" -o bin/newt_freebsd_amd64
 
 go-build-release-freebsd-arm64:
-	CGO_ENABLED=0 GOOS=freebsd GOARCH=arm64 go build -o bin/newt_freebsd_arm64
+	CGO_ENABLED=0 GOOS=freebsd GOARCH=arm64 go build -ldflags "$(LDFLAGS)" -o bin/newt_freebsd_arm64

authdaemon.go

@@ -46,11 +46,12 @@ func startAuthDaemon(ctx context.Context) error {
 
 	// Create auth daemon server
 	cfg := authdaemon.Config{
-		DisableHTTPS:       true, // We run without HTTP server in newt
-		PresharedKey:       "this-key-is-not-used",   // Not used in embedded mode, but set to non-empty to satisfy validation
-		PrincipalsFilePath: principalsFile,
-		CACertPath:         caCertPath,
-		Force:              true,
+		DisableHTTPS:           true,                   // We run without HTTP server in newt
+		PresharedKey:           "this-key-is-not-used", // Not used in embedded mode, but set to non-empty to satisfy validation
+		PrincipalsFilePath:     principalsFile,
+		CACertPath:             caCertPath,
+		Force:                  true,
+		GenerateRandomPassword: authDaemonGenerateRandomPassword,
 	}
 
 	srv, err := authdaemon.NewServer(cfg)
@@ -72,8 +73,6 @@ func startAuthDaemon(ctx context.Context) error {
 	return nil
 }
 
-
-
 // runPrincipalsCmd executes the principals subcommand logic
 func runPrincipalsCmd(args []string) {
 	opts := struct {
@@ -148,4 +147,4 @@ Example:
   newt principals --username alice
 
 `, defaultPrincipalsPath)
-}
+}

authdaemon/connection.go

@@ -16,7 +16,7 @@ func (s *Server) ProcessConnection(req ConnectionRequest) {
 			logger.Warn("auth-daemon: write CA cert: %v", err)
 		}
 	}
-	if err := ensureUser(req.Username, req.Metadata); err != nil {
+	if err := ensureUser(req.Username, req.Metadata, s.cfg.GenerateRandomPassword); err != nil {
 		logger.Warn("auth-daemon: ensure user: %v", err)
 	}
 	if cfg.PrincipalsFilePath != "" {

authdaemon/host_linux.go

@@ -4,6 +4,8 @@ package authdaemon
 
 import (
 	"bufio"
+	"crypto/rand"
+	"encoding/hex"
 	"encoding/json"
 	"fmt"
 	"os"
@@ -122,6 +124,22 @@ func sudoGroup() string {
 	return "sudo"
 }
 
+// setRandomPassword generates a random password and sets it for username via chpasswd.
+// Used when GenerateRandomPassword is true so SSH with PermitEmptyPasswords no can accept the user.
+func setRandomPassword(username string) error {
+	b := make([]byte, 16)
+	if _, err := rand.Read(b); err != nil {
+		return fmt.Errorf("generate password: %w", err)
+	}
+	password := hex.EncodeToString(b)
+	cmd := exec.Command("chpasswd")
+	cmd.Stdin = strings.NewReader(username + ":" + password)
+	if out, err := cmd.CombinedOutput(); err != nil {
+		return fmt.Errorf("chpasswd: %w (output: %s)", err, string(out))
+	}
+	return nil
+}
+
 const skelDir = "/etc/skel"
 
 // copySkelInto copies files from srcDir (e.g. /etc/skel) into dstDir (e.g. user's home).
@@ -172,7 +190,7 @@ func copySkelInto(srcDir, dstDir string, uid, gid int) {
 }
 
 // ensureUser creates the system user if missing, or reconciles sudo and homedir to match meta.
-func ensureUser(username string, meta ConnectionMetadata) error {
+func ensureUser(username string, meta ConnectionMetadata, generateRandomPassword bool) error {
 	if username == "" {
 		return nil
 	}
@@ -181,7 +199,7 @@ func ensureUser(username string, meta ConnectionMetadata) error {
 		if _, ok := err.(user.UnknownUserError); !ok {
 			return fmt.Errorf("lookup user %s: %w", username, err)
 		}
-		return createUser(username, meta)
+		return createUser(username, meta, generateRandomPassword)
 	}
 	return reconcileUser(u, meta)
 }
@@ -223,7 +241,7 @@ func setUserGroups(username string, groups []string) {
 	}
 }
 
-func createUser(username string, meta ConnectionMetadata) error {
+func createUser(username string, meta ConnectionMetadata, generateRandomPassword bool) error {
 	args := []string{"-s", "/bin/bash"}
 	if meta.Homedir {
 		args = append(args, "-m")
@@ -236,6 +254,13 @@ func createUser(username string, meta ConnectionMetadata) error {
 		return fmt.Errorf("useradd %s: %w (output: %s)", username, err, string(out))
 	}
 	logger.Info("auth-daemon: created user %s (homedir=%v)", username, meta.Homedir)
+	if generateRandomPassword {
+		if err := setRandomPassword(username); err != nil {
+			logger.Warn("auth-daemon: set random password for %s: %v", username, err)
+		} else {
+			logger.Info("auth-daemon: set random password for %s (PermitEmptyPasswords no)", username)
+		}
+	}
 	if meta.Homedir {
 		if u, err := user.Lookup(username); err == nil && u.HomeDir != "" {
 			uid, gid := mustAtoi(u.Uid), mustAtoi(u.Gid)

authdaemon/host_stub.go

@@ -12,7 +12,7 @@ func writeCACertIfNotExists(path, contents string, force bool) error {
 }
 
 // ensureUser returns an error on non-Linux.
-func ensureUser(username string, meta ConnectionMetadata) error {
+func ensureUser(username string, meta ConnectionMetadata, generateRandomPassword bool) error {
 	return errLinuxOnly
 }
 

authdaemon/server.go

@@ -27,8 +27,9 @@ type Config struct {
 	Port               int    // Required when DisableHTTPS is false. Listen port for the HTTPS server. No default.
 	PresharedKey       string // Required when DisableHTTPS is false. HTTP auth (Authorization: Bearer <key> or X-Preshared-Key: <key>). No default.
 	CACertPath         string // Required. Where to write the CA cert (e.g. /etc/ssh/ca.pem). No default.
-	Force              bool   // If true, overwrite existing CA cert (and other items) when content differs. Default false.
-	PrincipalsFilePath string // Required. Path to the principals data file (JSON: username -> array of principals). No default.
+	Force                   bool   // If true, overwrite existing CA cert (and other items) when content differs. Default false.
+	PrincipalsFilePath      string // Required. Path to the principals data file (JSON: username -> array of principals). No default.
+	GenerateRandomPassword  bool   // If true, set a random password on users when they are provisioned (for SSH PermitEmptyPasswords no).
 }
 
 type Server struct {

clients/clients.go

@@ -112,6 +112,8 @@ func NewWireGuardService(interfaceName string, port uint16, mtu int, host string
 		return nil, fmt.Errorf("failed to generate private key: %v", err)
 	}
 
+	logger.Debug("+++++++++++++++++++++++++++++++= the port is %d", port)
+	
 	if port == 0 {
 		// Find an available port
 		portRandom, err := util.FindAvailableUDPPort(49152, 65535)
@@ -724,7 +726,7 @@ func (s *WireGuardService) ensureTargets(targets []Target) error {
 
 		s.tnet.AddProxySubnetRule(sourcePrefix, destPrefix, target.RewriteTo, portRanges, target.DisableIcmp)
 
-		logger.Info("Added target subnet from %s to %s rewrite to %s with port ranges: %v", target.SourcePrefix, target.DestPrefix, target.RewriteTo, target.PortRange)
+		logger.Info("Added target subnet from %s to %s rewrite to %s with port ranges: %v disableIcmp: %v", target.SourcePrefix, target.DestPrefix, target.RewriteTo, target.PortRange, target.DisableIcmp)
 	}
 
 	return nil
@@ -1117,7 +1119,7 @@ func (s *WireGuardService) handleAddTarget(msg websocket.WSMessage) {
 
 		s.tnet.AddProxySubnetRule(sourcePrefix, destPrefix, target.RewriteTo, portRanges, target.DisableIcmp)
 
-		logger.Info("Added target subnet from %s to %s rewrite to %s with port ranges: %v", target.SourcePrefix, target.DestPrefix, target.RewriteTo, target.PortRange)
+		logger.Info("Added target subnet from %s to %s rewrite to %s with port ranges: %v disableIcmp: %v", target.SourcePrefix, target.DestPrefix, target.RewriteTo, target.PortRange, target.DisableIcmp)
 	}
 }
 
@@ -1234,7 +1236,7 @@ func (s *WireGuardService) handleUpdateTarget(msg websocket.WSMessage) {
 		}
 
 		s.tnet.AddProxySubnetRule(sourcePrefix, destPrefix, target.RewriteTo, portRanges, target.DisableIcmp)
-		logger.Info("Added target subnet from %s to %s rewrite to %s with port ranges: %v", target.SourcePrefix, target.DestPrefix, target.RewriteTo, target.PortRange)
+		logger.Info("Added target subnet from %s to %s rewrite to %s with port ranges: %v disableIcmp: %v", target.SourcePrefix, target.DestPrefix, target.RewriteTo, target.PortRange, target.DisableIcmp)
 	}
 }
 

flake.nix

@@ -35,7 +35,7 @@
             inherit version;
             src = pkgs.nix-gitignore.gitignoreSource [ ] ./.;
 
-            vendorHash = "sha256-Sib6AUCpMgxlMpTc2Esvs+UU0yduVOxWUgT44FHAI+k=";
+            vendorHash = "sha256-kmQM8Yy5TuOiNpMpUme/2gfE+vrhUK+0AphN+p71wGs=";
 
             nativeInstallCheckInputs = [ pkgs.versionCheckHook ];
 

go.mod

@@ -1,29 +1,30 @@
 module github.com/fosrl/newt
 
-go 1.25
+go 1.25.0
 
 require (
 	github.com/docker/docker v28.5.2+incompatible
+	github.com/gaissmai/bart v0.26.0
 	github.com/gorilla/websocket v1.5.3
 	github.com/prometheus/client_golang v1.23.2
 	github.com/vishvananda/netlink v1.3.1
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0
-	go.opentelemetry.io/contrib/instrumentation/runtime v0.64.0
-	go.opentelemetry.io/otel v1.39.0
-	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.39.0
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.39.0
-	go.opentelemetry.io/otel/exporters/prometheus v0.61.0
-	go.opentelemetry.io/otel/metric v1.39.0
-	go.opentelemetry.io/otel/sdk v1.39.0
-	go.opentelemetry.io/otel/sdk/metric v1.39.0
-	golang.org/x/crypto v0.46.0
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.66.0
+	go.opentelemetry.io/contrib/instrumentation/runtime v0.66.0
+	go.opentelemetry.io/otel v1.41.0
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.41.0
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.41.0
+	go.opentelemetry.io/otel/exporters/prometheus v0.63.0
+	go.opentelemetry.io/otel/metric v1.41.0
+	go.opentelemetry.io/otel/sdk v1.41.0
+	go.opentelemetry.io/otel/sdk/metric v1.41.0
+	golang.org/x/crypto v0.48.0
 	golang.org/x/exp v0.0.0-20251113190631-e25ba8c21ef6
-	golang.org/x/net v0.48.0
-	golang.org/x/sys v0.39.0
+	golang.org/x/net v0.51.0
+	golang.org/x/sys v0.41.0
 	golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10
 	golang.zx2c4.com/wireguard/windows v0.5.3
-	google.golang.org/grpc v1.77.0
+	google.golang.org/grpc v1.79.1
 	gopkg.in/yaml.v3 v3.0.1
 	gvisor.dev/gvisor v0.0.0-20250503011706-39ed1f5ac29c
 	software.sslmate.com/src/go-pkcs12 v0.7.0
@@ -44,7 +45,7 @@ require (
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/google/btree v1.1.3 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/sys/atomicwriter v0.1.0 // indirect
 	github.com/moby/term v0.5.2 // indirect
@@ -54,23 +55,23 @@ require (
 	github.com/opencontainers/image-spec v1.1.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
-	github.com/prometheus/common v0.67.4 // indirect
+	github.com/prometheus/common v0.67.5 // indirect
 	github.com/prometheus/otlptranslator v1.0.0 // indirect
 	github.com/prometheus/procfs v0.19.2 // indirect
 	github.com/vishvananda/netns v0.0.5 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.39.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.41.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0 // indirect
-	go.opentelemetry.io/otel/trace v1.39.0 // indirect
+	go.opentelemetry.io/otel/trace v1.41.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.9.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
-	golang.org/x/mod v0.30.0 // indirect
+	golang.org/x/mod v0.32.0 // indirect
 	golang.org/x/sync v0.19.0 // indirect
-	golang.org/x/text v0.32.0 // indirect
+	golang.org/x/text v0.34.0 // indirect
 	golang.org/x/time v0.12.0 // indirect
-	golang.org/x/tools v0.39.0 // indirect
+	golang.org/x/tools v0.41.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 // indirect
-	google.golang.org/protobuf v1.36.10 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20260209200024-4cfbd4190f57 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260209200024-4cfbd4190f57 // indirect
+	google.golang.org/protobuf v1.36.11 // indirect
 )

go.sum

@@ -26,6 +26,8 @@ github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw
 github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
+github.com/gaissmai/bart v0.26.0 h1:xOZ57E9hJLBiQaSyeZa9wgWhGuzfGACgqp4BE77OkO0=
+github.com/gaissmai/bart v0.26.0/go.mod h1:GREWQfTLRWz/c5FTOsIw+KkscuFkIV5t8Rp7Nd1Td5c=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
 github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
@@ -41,8 +43,8 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
 github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3 h1:NmZ1PKzSTQbuGHw9DGPFomqkkLWMC+vZCkfs+FHv1Vg=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3/go.mod h1:zQrxl1YP88HQlA6i9c63DSVPFklWpGX4OWAc9bFuaH4=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 h1:HWRh5R2+9EifMyIHV7ZV+MIZqgz+PMpZ14Jynv3O2Zs=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0/go.mod h1:JfhWUomR1baixubs02l85lZYYOm7LV6om4ceouMv45c=
 github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
 github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
@@ -75,8 +77,8 @@ github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h
 github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
 github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
 github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
-github.com/prometheus/common v0.67.4 h1:yR3NqWO1/UyO1w2PhUvXlGQs/PtFmoveVO0KZ4+Lvsc=
-github.com/prometheus/common v0.67.4/go.mod h1:gP0fq6YjjNCLssJCQp0yk4M8W6ikLURwkdd/YKtTbyI=
+github.com/prometheus/common v0.67.5 h1:pIgK94WWlQt1WLwAC5j2ynLaBRDiinoAb86HZHTUGI4=
+github.com/prometheus/common v0.67.5/go.mod h1:SjE/0MzDEEAyrdr5Gqc6G+sXI67maCxzaT3A2+HqjUw=
 github.com/prometheus/otlptranslator v1.0.0 h1:s0LJW/iN9dkIH+EnhiD3BlkkP5QVIUVEoIwkU+A6qos=
 github.com/prometheus/otlptranslator v1.0.0/go.mod h1:vRYWnXvI6aWGpsdY/mOT/cbeVRBlPWtBNDb7kGR3uKM=
 github.com/prometheus/procfs v0.19.2 h1:zUMhqEW66Ex7OXIiDkll3tl9a1ZdilUOd/F6ZXw4Vws=
@@ -93,56 +95,56 @@ github.com/vishvananda/netns v0.0.5 h1:DfiHV+j8bA32MFM7bfEunvT8IAqQ/NzSJHtcmW5zd
 github.com/vishvananda/netns v0.0.5/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
 go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
 go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0 h1:ssfIgGNANqpVFCndZvcuyKbl0g+UAVcbBcqGkG28H0Y=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0/go.mod h1:GQ/474YrbE4Jx8gZ4q5I4hrhUzM6UPzyrqJYV2AqPoQ=
-go.opentelemetry.io/contrib/instrumentation/runtime v0.64.0 h1:/+/+UjlXjFcdDlXxKL1PouzX8Z2Vl0OxolRKeBEgYDw=
-go.opentelemetry.io/contrib/instrumentation/runtime v0.64.0/go.mod h1:Ldm/PDuzY2DP7IypudopCR3OCOW42NJlN9+mNEroevo=
-go.opentelemetry.io/otel v1.39.0 h1:8yPrr/S0ND9QEfTfdP9V+SiwT4E0G7Y5MO7p85nis48=
-go.opentelemetry.io/otel v1.39.0/go.mod h1:kLlFTywNWrFyEdH0oj2xK0bFYZtHRYUdv1NklR/tgc8=
-go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.39.0 h1:cEf8jF6WbuGQWUVcqgyWtTR0kOOAWY1DYZ+UhvdmQPw=
-go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.39.0/go.mod h1:k1lzV5n5U3HkGvTCJHraTAGJ7MqsgL1wrGwTj1Isfiw=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.39.0 h1:f0cb2XPmrqn4XMy9PNliTgRKJgS5WcL/u0/WRYGz4t0=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.39.0/go.mod h1:vnakAaFckOMiMtOIhFI2MNH4FYrZzXCYxmb1LlhoGz8=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.39.0 h1:in9O8ESIOlwJAEGTkkf34DesGRAc/Pn8qJ7k3r/42LM=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.39.0/go.mod h1:Rp0EXBm5tfnv0WL+ARyO/PHBEaEAT8UUHQ6AGJcSq6c=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.66.0 h1:PnV4kVnw0zOmwwFkAzCN5O07fw1YOIQor120zrh0AVo=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.66.0/go.mod h1:ofAwF4uinaf8SXdVzzbL4OsxJ3VfeEg3f/F6CeF49/Y=
+go.opentelemetry.io/contrib/instrumentation/runtime v0.66.0 h1:JruBNmrPELWjR+PU3fsQBFQRYtsMLQ/zPfbvwDz9I/w=
+go.opentelemetry.io/contrib/instrumentation/runtime v0.66.0/go.mod h1:vwNrfL6w1uAE3qX48KFii2Qoqf+NEDP5wNjus+RHz8Y=
+go.opentelemetry.io/otel v1.41.0 h1:YlEwVsGAlCvczDILpUXpIpPSL/VPugt7zHThEMLce1c=
+go.opentelemetry.io/otel v1.41.0/go.mod h1:Yt4UwgEKeT05QbLwbyHXEwhnjxNO6D8L5PQP51/46dE=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.41.0 h1:VO3BL6OZXRQ1yQc8W6EVfJzINeJ35BkiHx4MYfoQf44=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.41.0/go.mod h1:qRDnJ2nv3CQXMK2HUd9K9VtvedsPAce3S+/4LZHjX/s=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.41.0 h1:ao6Oe+wSebTlQ1OEht7jlYTzQKE+pnx/iNywFvTbuuI=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.41.0/go.mod h1:u3T6vz0gh/NVzgDgiwkgLxpsSF6PaPmo2il0apGJbls=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.41.0 h1:mq/Qcf28TWz719lE3/hMB4KkyDuLJIvgJnFGcd0kEUI=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.41.0/go.mod h1:yk5LXEYhsL2htyDNJbEq7fWzNEigeEdV5xBF/Y+kAv0=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0 h1:aTL7F04bJHUlztTsNGJ2l+6he8c+y/b//eR0jjjemT4=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0/go.mod h1:kldtb7jDTeol0l3ewcmd8SDvx3EmIE7lyvqbasU3QC4=
-go.opentelemetry.io/otel/exporters/prometheus v0.61.0 h1:cCyZS4dr67d30uDyh8etKM2QyDsQ4zC9ds3bdbrVoD0=
-go.opentelemetry.io/otel/exporters/prometheus v0.61.0/go.mod h1:iivMuj3xpR2DkUrUya3TPS/Z9h3dz7h01GxU+fQBRNg=
-go.opentelemetry.io/otel/metric v1.39.0 h1:d1UzonvEZriVfpNKEVmHXbdf909uGTOQjA0HF0Ls5Q0=
-go.opentelemetry.io/otel/metric v1.39.0/go.mod h1:jrZSWL33sD7bBxg1xjrqyDjnuzTUB0x1nBERXd7Ftcs=
-go.opentelemetry.io/otel/sdk v1.39.0 h1:nMLYcjVsvdui1B/4FRkwjzoRVsMK8uL/cj0OyhKzt18=
-go.opentelemetry.io/otel/sdk v1.39.0/go.mod h1:vDojkC4/jsTJsE+kh+LXYQlbL8CgrEcwmt1ENZszdJE=
-go.opentelemetry.io/otel/sdk/metric v1.39.0 h1:cXMVVFVgsIf2YL6QkRF4Urbr/aMInf+2WKg+sEJTtB8=
-go.opentelemetry.io/otel/sdk/metric v1.39.0/go.mod h1:xq9HEVH7qeX69/JnwEfp6fVq5wosJsY1mt4lLfYdVew=
-go.opentelemetry.io/otel/trace v1.39.0 h1:2d2vfpEDmCJ5zVYz7ijaJdOF59xLomrvj7bjt6/qCJI=
-go.opentelemetry.io/otel/trace v1.39.0/go.mod h1:88w4/PnZSazkGzz/w84VHpQafiU4EtqqlVdxWy+rNOA=
+go.opentelemetry.io/otel/exporters/prometheus v0.63.0 h1:OLo1FNb0pBZykLqbKRZolKtGZd0Waqlr240YdMEnhhg=
+go.opentelemetry.io/otel/exporters/prometheus v0.63.0/go.mod h1:8yeQAdhrK5xsWuFehO13Dk/Xb9FuhZoVpJfpoNCfJnw=
+go.opentelemetry.io/otel/metric v1.41.0 h1:rFnDcs4gRzBcsO9tS8LCpgR0dxg4aaxWlJxCno7JlTQ=
+go.opentelemetry.io/otel/metric v1.41.0/go.mod h1:xPvCwd9pU0VN8tPZYzDZV/BMj9CM9vs00GuBjeKhJps=
+go.opentelemetry.io/otel/sdk v1.41.0 h1:YPIEXKmiAwkGl3Gu1huk1aYWwtpRLeskpV+wPisxBp8=
+go.opentelemetry.io/otel/sdk v1.41.0/go.mod h1:ahFdU0G5y8IxglBf0QBJXgSe7agzjE4GiTJ6HT9ud90=
+go.opentelemetry.io/otel/sdk/metric v1.41.0 h1:siZQIYBAUd1rlIWQT2uCxWJxcCO7q3TriaMlf08rXw8=
+go.opentelemetry.io/otel/sdk/metric v1.41.0/go.mod h1:HNBuSvT7ROaGtGI50ArdRLUnvRTRGniSUZbxiWxSO8Y=
+go.opentelemetry.io/otel/trace v1.41.0 h1:Vbk2co6bhj8L59ZJ6/xFTskY+tGAbOnCtQGVVa9TIN0=
+go.opentelemetry.io/otel/trace v1.41.0/go.mod h1:U1NU4ULCoxeDKc09yCWdWe+3QoyweJcISEVa1RBzOis=
 go.opentelemetry.io/proto/otlp v1.9.0 h1:l706jCMITVouPOqEnii2fIAuO3IVGBRPV5ICjceRb/A=
 go.opentelemetry.io/proto/otlp v1.9.0/go.mod h1:xE+Cx5E/eEHw+ISFkwPLwCZefwVjY+pqKg1qcK03+/4=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
 go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
-golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU=
-golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
+golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
+golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
 golang.org/x/exp v0.0.0-20251113190631-e25ba8c21ef6 h1:zfMcR1Cs4KNuomFFgGefv5N0czO2XZpUbxGUy8i8ug0=
 golang.org/x/exp v0.0.0-20251113190631-e25ba8c21ef6/go.mod h1:46edojNIoXTNOhySWIWdix628clX9ODXwPsQuG6hsK0=
-golang.org/x/mod v0.30.0 h1:fDEXFVZ/fmCKProc/yAXXUijritrDzahmwwefnjoPFk=
-golang.org/x/mod v0.30.0/go.mod h1:lAsf5O2EvJeSFMiBxXDki7sCgAxEUcZHXoXMKT4GJKc=
-golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU=
-golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY=
+golang.org/x/mod v0.32.0 h1:9F4d3PHLljb6x//jOyokMv3eX+YDeepZSEo3mFJy93c=
+golang.org/x/mod v0.32.0/go.mod h1:SgipZ/3h2Ci89DlEtEXWUk/HteuRin+HHhN+WbNhguU=
+golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo=
+golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y=
 golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
 golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
-golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=
-golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
+golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
+golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
+golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
 golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
 golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
-golang.org/x/tools v0.39.0 h1:ik4ho21kwuQln40uelmciQPp9SipgNDdrafrYA4TmQQ=
-golang.org/x/tools v0.39.0/go.mod h1:JnefbkDPyD8UU2kI5fuf8ZX4/yUeh9W877ZeBONxUqQ=
+golang.org/x/tools v0.41.0 h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc=
+golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeunTOisW56dUokqW/FOteYJJ/yg=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
 golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb h1:whnFRlWMcXI9d+ZbWg+4sHnLp52d5yiIPUxMBSt4X9A=
@@ -153,14 +155,14 @@ golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus
 golang.zx2c4.com/wireguard/windows v0.5.3/go.mod h1:9TEe8TJmtwyQebdFwAkEWOPr3prrtqm+REGFifP60hI=
 gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
 gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
-google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 h1:fCvbg86sFXwdrl5LgVcTEvNC+2txB5mgROGmRL5mrls=
-google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:+rXWjjaukWZun3mLfjmVnQi18E1AsFbDN9QdJ5YXLto=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 h1:gRkg/vSppuSQoDjxyiGfN4Upv/h/DQmIR10ZU8dh4Ww=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
-google.golang.org/grpc v1.77.0 h1:wVVY6/8cGA6vvffn+wWK5ToddbgdU3d8MNENr4evgXM=
-google.golang.org/grpc v1.77.0/go.mod h1:z0BY1iVj0q8E1uSQCjL9cppRj+gnZjzDnzV0dHhrNig=
-google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE=
-google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
+google.golang.org/genproto/googleapis/api v0.0.0-20260209200024-4cfbd4190f57 h1:JLQynH/LBHfCTSbDWl+py8C+Rg/k1OVH3xfcaiANuF0=
+google.golang.org/genproto/googleapis/api v0.0.0-20260209200024-4cfbd4190f57/go.mod h1:kSJwQxqmFXeo79zOmbrALdflXQeAYcUbgS7PbpMknCY=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260209200024-4cfbd4190f57 h1:mWPCjDEyshlQYzBpMNHaEof6UX1PmHcaUODUywQ0uac=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260209200024-4cfbd4190f57/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ=
+google.golang.org/grpc v1.79.1 h1:zGhSi45ODB9/p3VAawt9a+O/MULLl9dpizzNNpq7flY=
+google.golang.org/grpc v1.79.1/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
+google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
+google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=

main.go

@@ -116,6 +116,7 @@ var (
 	logLevel                           string
 	interfaceName                      string
 	port                               uint16
+	portStr                            string
 	disableClients                     bool
 	updownScript                       string
 	dockerSocket                       string
@@ -136,6 +137,7 @@ var (
 	authDaemonPrincipalsFile           string
 	authDaemonCACertPath               string
 	authDaemonEnabled                  bool
+	authDaemonGenerateRandomPassword   bool
 	// Build/version (can be overridden via -ldflags "-X main.newtVersion=...")
 	newtVersion = "version_replaceme"
 
@@ -210,11 +212,12 @@ func runNewtMain(ctx context.Context) {
 	logLevel = os.Getenv("LOG_LEVEL")
 	updownScript = os.Getenv("UPDOWN_SCRIPT")
 	interfaceName = os.Getenv("INTERFACE")
-	portStr := os.Getenv("PORT")
+	portStr = os.Getenv("PORT")
 	authDaemonKey = os.Getenv("AD_KEY")
 	authDaemonPrincipalsFile = os.Getenv("AD_PRINCIPALS_FILE")
 	authDaemonCACertPath = os.Getenv("AD_CA_CERT_PATH")
 	authDaemonEnabledEnv := os.Getenv("AUTH_DAEMON_ENABLED")
+	authDaemonGenerateRandomPasswordEnv := os.Getenv("AD_GENERATE_RANDOM_PASSWORD")
 
 	// Metrics/observability env mirrors
 	metricsEnabledEnv := os.Getenv("NEWT_METRICS_PROMETHEUS_ENABLED")
@@ -344,15 +347,6 @@ func runNewtMain(ctx context.Context) {
 		pingTimeout = 5 * time.Second
 	}
 
-	if portStr != "" {
-		portInt, err := strconv.Atoi(portStr)
-		if err != nil {
-			logger.Warn("Failed to parse PORT, choosing a random port")
-		} else {
-			port = uint16(portInt)
-		}
-	}
-
 	if dockerEnforceNetworkValidation == "" {
 		flag.StringVar(&dockerEnforceNetworkValidation, "docker-enforce-network-validation", "false", "Enforce validation of container on newt network (true or false)")
 	}
@@ -420,6 +414,13 @@ func runNewtMain(ctx context.Context) {
 			authDaemonEnabled = v
 		}
 	}
+	if authDaemonGenerateRandomPasswordEnv == "" {
+		flag.BoolVar(&authDaemonGenerateRandomPassword, "ad-generate-random-password", false, "Generate a random password for authenticated users")
+	} else {
+		if v, err := strconv.ParseBool(authDaemonGenerateRandomPasswordEnv); err == nil {
+			authDaemonGenerateRandomPassword = v
+		}
+	}
 
 	// do a --version check
 	version := flag.Bool("version", false, "Print the version")
@@ -431,6 +432,15 @@ func runNewtMain(ctx context.Context) {
 		tlsClientCAs = append(tlsClientCAs, tlsClientCAsFlag...)
 	}
 
+	if portStr != "" {
+		portInt, err := strconv.Atoi(portStr)
+		if err != nil {
+			logger.Warn("Failed to parse PORT, choosing a random port")
+		} else {
+			port = uint16(portInt)
+		}
+	}
+
 	if *version {
 		fmt.Println("Newt version " + newtVersion)
 		os.Exit(0)
@@ -608,6 +618,8 @@ func runNewtMain(ctx context.Context) {
 	var connected bool
 	var wgData WgData
 	var dockerEventMonitor *docker.EventMonitor
+	
+	logger.Debug("++++++++++++++++++++++ the port is %d", port)
 
 	if !disableClients {
 		setupClients(client)

netstack2/proxy.go

@@ -48,115 +48,6 @@ type SubnetRule struct {
 	PortRanges   []PortRange  // empty slice means all ports allowed
 }
 
-// ruleKey is used as a map key for fast O(1) lookups
-type ruleKey struct {
-	sourcePrefix string
-	destPrefix   string
-}
-
-// SubnetLookup provides fast IP subnet and port matching with O(1) lookup performance
-type SubnetLookup struct {
-	mu    sync.RWMutex
-	rules map[ruleKey]*SubnetRule // Map for O(1) lookups by prefix combination
-}
-
-// NewSubnetLookup creates a new subnet lookup table
-func NewSubnetLookup() *SubnetLookup {
-	return &SubnetLookup{
-		rules: make(map[ruleKey]*SubnetRule),
-	}
-}
-
-// AddSubnet adds a subnet rule with source and destination prefixes and optional port restrictions
-// If portRanges is nil or empty, all ports are allowed for this subnet
-// rewriteTo can be either an IP/CIDR (e.g., "192.168.1.1/32") or a domain name (e.g., "example.com")
-func (sl *SubnetLookup) AddSubnet(sourcePrefix, destPrefix netip.Prefix, rewriteTo string, portRanges []PortRange, disableIcmp bool) {
-	sl.mu.Lock()
-	defer sl.mu.Unlock()
-
-	key := ruleKey{
-		sourcePrefix: sourcePrefix.String(),
-		destPrefix:   destPrefix.String(),
-	}
-
-	sl.rules[key] = &SubnetRule{
-		SourcePrefix: sourcePrefix,
-		DestPrefix:   destPrefix,
-		DisableIcmp:  disableIcmp,
-		RewriteTo:    rewriteTo,
-		PortRanges:   portRanges,
-	}
-}
-
-// RemoveSubnet removes a subnet rule from the lookup table
-func (sl *SubnetLookup) RemoveSubnet(sourcePrefix, destPrefix netip.Prefix) {
-	sl.mu.Lock()
-	defer sl.mu.Unlock()
-
-	key := ruleKey{
-		sourcePrefix: sourcePrefix.String(),
-		destPrefix:   destPrefix.String(),
-	}
-
-	delete(sl.rules, key)
-}
-
-// Match checks if a source IP, destination IP, port, and protocol match any subnet rule
-// Returns the matched rule if ALL of these conditions are met:
-//   - The source IP is in the rule's source prefix
-//   - The destination IP is in the rule's destination prefix
-//   - The port is in an allowed range (or no port restrictions exist)
-//   - The protocol matches (or the port range allows both protocols)
-//
-// proto should be header.TCPProtocolNumber or header.UDPProtocolNumber
-// Returns nil if no rule matches
-func (sl *SubnetLookup) Match(srcIP, dstIP netip.Addr, port uint16, proto tcpip.TransportProtocolNumber) *SubnetRule {
-	sl.mu.RLock()
-	defer sl.mu.RUnlock()
-
-	// Iterate through all rules to find matching source and destination prefixes
-	// This is O(n) but necessary since we need to check prefix containment, not exact match
-	for _, rule := range sl.rules {
-		// Check if source and destination IPs match their respective prefixes
-		if !rule.SourcePrefix.Contains(srcIP) {
-			continue
-		}
-		if !rule.DestPrefix.Contains(dstIP) {
-			continue
-		}
-
-		if rule.DisableIcmp && (proto == header.ICMPv4ProtocolNumber || proto == header.ICMPv6ProtocolNumber) {
-		    // ICMP is disabled for this subnet
-			return nil
-		}
-
-		// Both IPs match - now check port restrictions
-		// If no port ranges specified, all ports are allowed
-		if len(rule.PortRanges) == 0 {
-			return rule
-		}
-
-		// Check if port and protocol are in any of the allowed ranges
-		for _, pr := range rule.PortRanges {
-			if port >= pr.Min && port <= pr.Max {
-				// Check protocol compatibility
-				if pr.Protocol == "" {
-					// Empty protocol means allow both TCP and UDP
-					return rule
-				}
-				// Check if the packet protocol matches the port range protocol
-				if (pr.Protocol == "tcp" && proto == header.TCPProtocolNumber) ||
-					(pr.Protocol == "udp" && proto == header.UDPProtocolNumber) {
-					return rule
-				}
-				// Port matches but protocol doesn't - continue checking other ranges
-			}
-		}
-	}
-
-	return nil
-}
-
 // connKey uniquely identifies a connection for NAT tracking
 type connKey struct {
 	srcIP   string
@@ -166,6 +57,17 @@ type connKey struct {
 	proto   uint8
 }
 
+// reverseConnKey uniquely identifies a connection for reverse NAT lookup (reply direction)
+// Key structure: (rewrittenTo, originalSrcIP, originalSrcPort, originalDstPort, proto)
+// This allows O(1) lookup of NAT entries for reply packets
+type reverseConnKey struct {
+	rewrittenTo     string // The address we rewrote to (becomes src in replies)
+	originalSrcIP   string // Original source IP (becomes dst in replies)
+	originalSrcPort uint16 // Original source port (becomes dst port in replies)
+	originalDstPort uint16 // Original destination port (becomes src port in replies)
+	proto           uint8
+}
+
 // destKey identifies a destination for handler lookups (without source port since it may change)
 type destKey struct {
 	srcIP   string
@@ -190,7 +92,8 @@ type ProxyHandler struct {
 	icmpHandler       *ICMPHandler
 	subnetLookup      *SubnetLookup
 	natTable          map[connKey]*natState
-	destRewriteTable  map[destKey]netip.Addr // Maps original dest to rewritten dest for handler lookups
+	reverseNatTable   map[reverseConnKey]*natState // Reverse lookup map for O(1) reply packet NAT
+	destRewriteTable  map[destKey]netip.Addr       // Maps original dest to rewritten dest for handler lookups
 	natMu             sync.RWMutex
 	enabled           bool
 	icmpReplies       chan []byte          // Channel for ICMP reply packets to be sent back through the tunnel
@@ -215,6 +118,7 @@ func NewProxyHandler(options ProxyHandlerOptions) (*ProxyHandler, error) {
 		enabled:          true,
 		subnetLookup:     NewSubnetLookup(),
 		natTable:         make(map[connKey]*natState),
+		reverseNatTable:  make(map[reverseConnKey]*natState),
 		destRewriteTable: make(map[destKey]netip.Addr),
 		icmpReplies:      make(chan []byte, 256), // Buffer for ICMP reply packets
 		proxyEp:          channel.New(1024, uint32(options.MTU), ""),
@@ -517,10 +421,23 @@ func (p *ProxyHandler) HandleIncomingPacket(packet []byte) bool {
 
 				// Store NAT state for this connection
 				p.natMu.Lock()
-				p.natTable[key] = &natState{
+				natEntry := &natState{
 					originalDst: dstAddr,
 					rewrittenTo: newDst,
 				}
+				p.natTable[key] = natEntry
+
+				// Create reverse lookup key for O(1) reply packet lookups
+				// Key: (rewrittenTo, originalSrcIP, originalSrcPort, originalDstPort, proto)
+				reverseKey := reverseConnKey{
+					rewrittenTo:     newDst.String(),
+					originalSrcIP:   srcAddr.String(),
+					originalSrcPort: srcPort,
+					originalDstPort: dstPort,
+					proto:           uint8(protocol),
+				}
+				p.reverseNatTable[reverseKey] = natEntry
+
 				// Store destination rewrite for handler lookups
 				p.destRewriteTable[dKey] = newDst
 				p.natMu.Unlock()
@@ -719,20 +636,22 @@ func (p *ProxyHandler) ReadOutgoingPacket() *buffer.View {
 				return view
 			}
 
-			// Look up NAT state for reverse translation
-			// The key uses the original dst (before rewrite), so for replies we need to
-			// find the entry where the rewritten address matches the current source
+			// Look up NAT state for reverse translation using O(1) reverse lookup map
+			// Key: (rewrittenTo, originalSrcIP, originalSrcPort, originalDstPort, proto)
+			// For reply packets:
+			// - reply's srcIP = rewrittenTo (the address we rewrote to)
+			// - reply's dstIP = originalSrcIP (original source IP)
+			// - reply's srcPort = originalDstPort (original destination port)
+			// - reply's dstPort = originalSrcPort (original source port)
 			p.natMu.RLock()
-			var natEntry *natState
-			for k, entry := range p.natTable {
-				// Match: reply's dst should be original src, reply's src should be rewritten dst
-				if k.srcIP == dstIP.String() && k.srcPort == dstPort &&
-					entry.rewrittenTo.String() == srcIP.String() && k.dstPort == srcPort &&
-					k.proto == uint8(protocol) {
-					natEntry = entry
-					break
-				}
+			reverseKey := reverseConnKey{
+				rewrittenTo:     srcIP.String(), // Reply's source is the rewritten address
+				originalSrcIP:   dstIP.String(), // Reply's destination is the original source
+				originalSrcPort: dstPort,        // Reply's destination port is the original source port
+				originalDstPort: srcPort,        // Reply's source port is the original destination port
+				proto:           uint8(protocol),
 			}
+			natEntry := p.reverseNatTable[reverseKey]
 			p.natMu.RUnlock()
 
 			if natEntry != nil {

netstack2/subnet_lookup.go

@@ -0,0 +1,206 @@
+package netstack2
+
+import (
+	"net/netip"
+	"sync"
+
+	"github.com/gaissmai/bart"
+	"gvisor.dev/gvisor/pkg/tcpip"
+	"gvisor.dev/gvisor/pkg/tcpip/header"
+)
+
+// SubnetLookup provides fast IP subnet and port matching using BART (Binary Aggregated Range Tree)
+// This uses BART Table for O(log n) prefix matching with Supernets() for efficient lookups
+//
+// Architecture:
+// - Two-level BART structure for matching both source AND destination prefixes
+// - Level 1: Source prefix -> Level 2 (destination prefix -> rules)
+// - This reduces search space: only check destination prefixes for matching source prefixes
+type SubnetLookup struct {
+	mu sync.RWMutex
+	// Two-level BART structure:
+	// Level 1: Source prefix -> Level 2 (destination prefix -> rules)
+	// This allows us to first match source prefix, then only check destination prefixes
+	// for matching source prefixes, reducing the search space significantly
+	sourceTrie *bart.Table[*destTrie]
+}
+
+// destTrie is a BART for destination prefixes, containing the actual rules
+type destTrie struct {
+	trie  *bart.Table[[]*SubnetRule]
+	rules []*SubnetRule // All rules for this source prefix (for iteration if needed)
+}
+
+// NewSubnetLookup creates a new subnet lookup table using BART
+func NewSubnetLookup() *SubnetLookup {
+	return &SubnetLookup{
+		sourceTrie: &bart.Table[*destTrie]{},
+	}
+}
+
+// prefixEqual compares two prefixes after masking to handle host bits correctly.
+// For example, 10.0.0.5/24 and 10.0.0.0/24 are treated as equal.
+func prefixEqual(a, b netip.Prefix) bool {
+	return a.Masked() == b.Masked()
+}
+
+// AddSubnet adds a subnet rule with source and destination prefixes and optional port restrictions
+// If portRanges is nil or empty, all ports are allowed for this subnet
+// rewriteTo can be either an IP/CIDR (e.g., "192.168.1.1/32") or a domain name (e.g., "example.com")
+func (sl *SubnetLookup) AddSubnet(sourcePrefix, destPrefix netip.Prefix, rewriteTo string, portRanges []PortRange, disableIcmp bool) {
+	sl.mu.Lock()
+	defer sl.mu.Unlock()
+
+	rule := &SubnetRule{
+		SourcePrefix: sourcePrefix,
+		DestPrefix:   destPrefix,
+		DisableIcmp:  disableIcmp,
+		RewriteTo:    rewriteTo,
+		PortRanges:   portRanges,
+	}
+
+	// Canonicalize source prefix to handle host bits correctly
+	canonicalSourcePrefix := sourcePrefix.Masked()
+
+	// Get or create destination trie for this source prefix
+	destTriePtr, exists := sl.sourceTrie.Get(canonicalSourcePrefix)
+	if !exists {
+		// Create new destination trie for this source prefix
+		destTriePtr = &destTrie{
+			trie:  &bart.Table[[]*SubnetRule]{},
+			rules: make([]*SubnetRule, 0),
+		}
+		sl.sourceTrie.Insert(canonicalSourcePrefix, destTriePtr)
+	}
+
+	// Canonicalize destination prefix to handle host bits correctly
+	// BART masks prefixes internally, so we need to match that behavior in our bookkeeping
+	canonicalDestPrefix := destPrefix.Masked()
+
+	// Add rule to destination trie
+	// Original behavior: overwrite if same (sourcePrefix, destPrefix) exists
+	// Store as single-element slice to match original overwrite behavior
+	destTriePtr.trie.Insert(canonicalDestPrefix, []*SubnetRule{rule})
+
+	// Update destTriePtr.rules - remove old rule with same canonical prefix if exists, then add new one
+	// Use canonical comparison to handle cases like 10.0.0.5/24 vs 10.0.0.0/24
+	newRules := make([]*SubnetRule, 0, len(destTriePtr.rules)+1)
+	for _, r := range destTriePtr.rules {
+		if !prefixEqual(r.DestPrefix, canonicalDestPrefix) || !prefixEqual(r.SourcePrefix, canonicalSourcePrefix) {
+			newRules = append(newRules, r)
+		}
+	}
+	newRules = append(newRules, rule)
+	destTriePtr.rules = newRules
+}
+
+// RemoveSubnet removes a subnet rule from the lookup table
+func (sl *SubnetLookup) RemoveSubnet(sourcePrefix, destPrefix netip.Prefix) {
+	sl.mu.Lock()
+	defer sl.mu.Unlock()
+
+	// Canonicalize prefixes to handle host bits correctly
+	canonicalSourcePrefix := sourcePrefix.Masked()
+	canonicalDestPrefix := destPrefix.Masked()
+
+	destTriePtr, exists := sl.sourceTrie.Get(canonicalSourcePrefix)
+	if !exists {
+		return
+	}
+
+	// Remove the rule - original behavior: delete exact (sourcePrefix, destPrefix) combination
+	// BART masks prefixes internally, so Delete works with canonical form
+	destTriePtr.trie.Delete(canonicalDestPrefix)
+
+	// Also remove from destTriePtr.rules using canonical comparison
+	// This ensures we remove rules even if they were added with host bits set
+	newDestRules := make([]*SubnetRule, 0, len(destTriePtr.rules))
+	for _, r := range destTriePtr.rules {
+		if !prefixEqual(r.DestPrefix, canonicalDestPrefix) || !prefixEqual(r.SourcePrefix, canonicalSourcePrefix) {
+			newDestRules = append(newDestRules, r)
+		}
+	}
+	destTriePtr.rules = newDestRules
+
+	// Check if the trie is actually empty using BART's Size() method
+	// This is more efficient than iterating and ensures we clean up empty tries
+	// even if there were stale entries in the rules slice (which shouldn't happen
+	// with proper canonicalization, but this provides a definitive check)
+	if destTriePtr.trie.Size() == 0 {
+		sl.sourceTrie.Delete(canonicalSourcePrefix)
+	}
+}
+
+// Match checks if a source IP, destination IP, port, and protocol match any subnet rule
+// Returns the matched rule if ALL of these conditions are met:
+//   - The source IP is in the rule's source prefix
+//   - The destination IP is in the rule's destination prefix
+//   - The port is in an allowed range (or no port restrictions exist)
+//   - The protocol matches (or the port range allows both protocols)
+//
+// proto should be header.TCPProtocolNumber, header.UDPProtocolNumber, or header.ICMPv4ProtocolNumber
+// Returns nil if no rule matches
+// This uses BART's Supernets() for O(log n) prefix matching instead of O(n) iteration
+func (sl *SubnetLookup) Match(srcIP, dstIP netip.Addr, port uint16, proto tcpip.TransportProtocolNumber) *SubnetRule {
+	sl.mu.RLock()
+	defer sl.mu.RUnlock()
+
+	// Convert IP addresses to /32 (IPv4) or /128 (IPv6) prefixes
+	// Supernets() finds all prefixes that contain this IP (i.e., are supernets of /32 or /128)
+	srcPrefix := netip.PrefixFrom(srcIP, srcIP.BitLen())
+	dstPrefix := netip.PrefixFrom(dstIP, dstIP.BitLen())
+
+	// Step 1: Find all source prefixes that contain srcIP using BART's Supernets
+	// This is O(log n) instead of O(n) iteration
+	// Supernets returns all prefixes that are supernets (contain) the given prefix
+	for _, destTriePtr := range sl.sourceTrie.Supernets(srcPrefix) {
+		if destTriePtr == nil {
+			continue
+		}
+
+		// Step 2: Find all destination prefixes that contain dstIP
+		// This is also O(log n) for each matching source prefix
+		for _, rules := range destTriePtr.trie.Supernets(dstPrefix) {
+			if rules == nil {
+				continue
+			}
+
+			// Step 3: Check each rule for ICMP and port restrictions
+			for _, rule := range rules {
+				// Handle ICMP before port range check — ICMP has no ports
+				if proto == header.ICMPv4ProtocolNumber || proto == header.ICMPv6ProtocolNumber {
+					if rule.DisableIcmp {
+						return nil
+					}
+					// ICMP is allowed; port ranges don't apply to ICMP
+					return rule
+				}
+
+				// Check port restrictions
+				if len(rule.PortRanges) == 0 {
+					// No port restrictions, match!
+					return rule
+				}
+
+				// Check if port and protocol are in any of the allowed ranges
+				for _, pr := range rule.PortRanges {
+					if port >= pr.Min && port <= pr.Max {
+						// Check protocol compatibility
+						if pr.Protocol == "" {
+							// Empty protocol means allow both TCP and UDP
+							return rule
+						}
+						// Check if the packet protocol matches the port range protocol
+						if (pr.Protocol == "tcp" && proto == header.TCPProtocolNumber) ||
+							(pr.Protocol == "udp" && proto == header.UDPProtocolNumber) {
+							return rule
+						}
+						// Port matches but protocol doesn't - continue checking other ranges
+					}
+				}
+			}
+		}
+	}
+
+	return nil
+}

newt.iss

@@ -32,7 +32,7 @@ DefaultGroupName={#MyAppName}
 DisableProgramGroupPage=yes
 ; Uncomment the following line to run in non administrative install mode (install for current user only).
 ;PrivilegesRequired=lowest
-OutputBaseFilename=mysetup
+OutputBaseFilename=newt_windows_installer
 SolidCompression=yes
 WizardStyle=modern
 ; Add this to ensure PATH changes are applied and the system is prompted for a restart if needed