cleanup.

cmd/ctrld_library/netstack/README.md

@@ -6,98 +6,411 @@ Complete TCP/UDP/DNS packet capture implementation using gVisor netstack for And
 
 Provides full packet capture for mobile VPN applications:
 - **DNS filtering** through ControlD proxy
-- **TCP forwarding** for all TCP traffic
-- **UDP forwarding** with session tracking
-- **Socket protection** to prevent routing loops
+- **IP whitelisting** - only allows connections to DNS-resolved IPs
+- **TCP forwarding** for all TCP traffic (with whitelist enforcement)
+- **UDP forwarding** with session tracking (with whitelist enforcement)
 - **QUIC blocking** for better content filtering
 
-## Architecture
+## Master Architecture Diagram
 
 ```
-Mobile Apps → VPN TUN Interface → PacketHandler → gVisor Netstack
+┌──────────────────────────────────────────────────────────────────────────────┐
+│                          MOBILE APP (Android/iOS)                             │
+│                                                                               │
+│  ┌─────────────────────────────────────────────────────────────────────┐    │
+│  │                        VPN Configuration                             │    │
+│  │                                                                      │    │
+│  │  Android:                          iOS:                             │    │
+│  │  ┌──────────────────────┐         ┌──────────────────────┐         │    │
+│  │  │ Builder()            │         │ NEIPv4Settings       │         │    │
+│  │  │  .addAddress(        │         │  addresses: [        │         │    │
+│  │  │    "10.0.0.2", 24)   │         │    "10.0.0.2"]       │         │    │
+│  │  │  .addDnsServer(      │         │                      │         │    │
+│  │  │    "10.0.0.1")       │         │ NEDNSSettings        │         │    │
+│  │  │                      │         │  servers: [          │         │    │
+│  │  │  FIREWALL MODE:      │         │    "10.0.0.1"]       │         │    │
+│  │  │  .addRoute(          │         │                      │         │    │
+│  │  │    "0.0.0.0", 0)     │         │ FIREWALL MODE:       │         │    │
+│  │  │                      │         │  includedRoutes:     │         │    │
+│  │  │  DNS-ONLY MODE:      │         │   [.default()]       │         │    │
+│  │  │  .addRoute(          │         │                      │         │    │
+│  │  │    "10.0.0.1", 32)   │         │ DNS-ONLY MODE:       │         │    │
+│  │  │                      │         │  includedRoutes:     │         │    │
+│  │  │  .addDisallowedApp(  │         │   [10.0.0.1/32]      │         │    │
+│  │  │    "com.controld.*") │         │                      │         │    │
+│  │  └──────────────────────┘         └──────────────────────┘         │    │
+│  │                                                                      │    │
+│  │  Result:                                                             │    │
+│  │  • Firewall: ALL traffic → VPN                                      │    │
+│  │  • DNS-only: ONLY DNS (port 53) → VPN                               │    │
+│  └─────────────────────────────────────────────────────────────────────┘    │
+└──────────────────────────┬───────────────────────────────────────────────────┘
+                           │ Packets
                            ↓
-├─→ DNS Filter (Port 53)
-│   └─→ ControlD DNS Proxy
-├─→ TCP Forwarder
-│   └─→ net.Dial("tcp") + protect(fd)
-└─→ UDP Forwarder
-    └─→ net.Dial("udp") + protect(fd)
+┌──────────────────────────────────────────────────────────────────────────────┐
+│                     GOMOBILE LIBRARY (ctrld_library)                         │
+│                                                                               │
+│  ┌─────────────────────────────────────────────────────────────────────┐    │
+│  │              PacketCaptureController.StartWithPacketCapture()        │    │
+│  │                                                                      │    │
+│  │  Parameters:                                                         │    │
+│  │  • tunAddress: "10.0.0.1" (gateway)                                 │    │
+│  │  • deviceAddress: "10.0.0.2" (device IP)                            │    │
+│  │  • dnsProxyAddress: "127.0.0.1:5354" (Android) / ":53" (iOS)       │    │
+│  │  • cdUID, upstreamProto, etc.                                       │    │
+│  └──────────────────────────┬──────────────────────────────────────────┘    │
+│                             │                                                │
+│                             ↓                                                │
+│  ┌──────────────────────────────────────────────────────────────────┐       │
+│  │                    NETSTACK CONTROLLER                            │       │
+│  │                                                                   │       │
+│  │  Components:                                                      │       │
+│  │  ┌────────────────┐  ┌─────────────┐  ┌──────────────┐          │       │
+│  │  │  DNS Filter    │  │ IP Tracker  │  │ TCP Forwarder│          │       │
+│  │  │  (port 53)     │  │ (5min TTL)  │  │ (firewall)   │          │       │
+│  │  └────────────────┘  └─────────────┘  └──────────────┘          │       │
+│  │  ┌────────────────┐                                               │       │
+│  │  │  UDP Forwarder │                                               │       │
+│  │  │  (firewall)    │                                               │       │
+│  │  └────────────────┘                                               │       │
+│  └──────────────────────────┬───────────────────────────────────────┘       │
+└─────────────────────────────┼───────────────────────────────────────────────┘
+                              │
                               ↓
-Real Network (Protected Sockets)
-```
+┌──────────────────────────────────────────────────────────────────────────────┐
+│                          PACKET FLOW DETAILS                                  │
+│                                                                               │
+│  INCOMING PACKET (from TUN)                                                  │
+│         │                                                                     │
+│         ├──→ Is DNS? (port 53)                                               │
+│         │   ├─ YES → DNS Filter                                              │
+│         │   │         ├─→ Forward to ControlD DNS Proxy                      │
+│         │   │         │   (127.0.0.1:5354 or 127.0.0.1:53)                  │
+│         │   │         ├─→ Get DNS response                                   │
+│         │   │         ├─→ Extract A/AAAA records                             │
+│         │   │         ├─→ TrackIP() for each resolved IP                     │
+│         │   │         │   • Store: resolvedIPs["93.184.216.34"] = now+5min  │
+│         │   │         └─→ Return DNS response to app                         │
+│         │   │                                                                 │
+│         │   └─ NO → Is TCP/UDP?                                              │
+│         │           │                                                         │
+│         │           ├──→ TCP Packet                                          │
+│         │           │     ├─→ Extract destination IP                         │
+│         │           │     ├─→ Check: ipTracker.IsTracked(destIP)            │
+│         │           │     │   ├─ NOT TRACKED → BLOCK                        │
+│         │           │     │   │   Log: "BLOCKED hardcoded IP"                │
+│         │           │     │   │   Return (connection reset)                  │
+│         │           │     │   │                                              │
+│         │           │     │   └─ TRACKED → ALLOW                            │
+│         │           │     │       net.Dial("tcp", destIP)                    │
+│         │           │     │       Bidirectional copy (app ↔ internet)        │
+│         │           │     │                                                  │
+│         │           └──→ UDP Packet                                          │
+│         │                 ├─→ Is QUIC? (port 443/80)                         │
+│         │                 │   └─ YES → BLOCK (force TCP fallback)           │
+│         │                 │                                                  │
+│         │                 ├─→ Extract destination IP                         │
+│         │                 ├─→ Check: ipTracker.IsTracked(destIP)            │
+│         │                 │   ├─ NOT TRACKED → BLOCK                        │
+│         │                 │   │   Log: "BLOCKED hardcoded IP"                │
+│         │                 │   │   Return (drop packet)                       │
+│         │                 │   │                                              │
+│         │                 │   └─ TRACKED → ALLOW                            │
+│         │                 │       net.Dial("udp", destIP)                    │
+│         │                 │       Forward packets (app ↔ internet)           │
+│         │                 │       30s timeout per session                    │
+│         │                                                                     │
+│  IP TRACKER STATE (in-memory map):                                           │
+│  ┌────────────────────────────────────────────────────────────┐             │
+│  │ resolvedIPs map:                                            │             │
+│  │                                                             │             │
+│  │ "93.184.216.34"  → expires: 2026-03-20 23:35:00           │             │
+│  │ "2606:2800:220::1" → expires: 2026-03-20 23:36:15         │             │
+│  │ "8.8.8.8"        → expires: 2026-03-20 23:37:42           │             │
+│  │                                                             │             │
+│  │ Cleanup: Every 30 seconds, remove expired entries          │             │
+│  │ TTL: 5 minutes (configurable)                              │             │
+│  └────────────────────────────────────────────────────────────┘             │
+│                                                                               │
+│  EXAMPLE SCENARIO:                                                            │
+│  ───────────────────────────────────────────────────────────────────────     │
+│                                                                               │
+│  T=0s:  App tries: connect(1.2.3.4:443)                                     │
+│         → IsTracked(1.2.3.4)? NO                                             │
+│         → ❌ BLOCKED                                                          │
+│                                                                               │
+│  T=1s:  App queries: DNS "example.com"                                       │
+│         → Response: A 93.184.216.34                                          │
+│         → TrackIP(93.184.216.34) with TTL=5min                               │
+│                                                                               │
+│  T=2s:  App tries: connect(93.184.216.34:443)                               │
+│         → IsTracked(93.184.216.34)? YES (expires T+301s)                    │
+│         → ✅ ALLOWED                                                          │
+│                                                                               │
+│  T=302s: App tries: connect(93.184.216.34:443)                              │
+│          → IsTracked(93.184.216.34)? NO (expired)                            │
+│          → ❌ BLOCKED (must do DNS again)                                     │
+└──────────────────────────────────────────────────────────────────────────────┘
+
+┌──────────────────────────────────────────────────────────────────────────────┐
+│                     MODE COMPARISON (Firewall vs DNS-only)                    │
+│                                                                               │
+│  ┌─────────────────────────────────┬─────────────────────────────────┐      │
+│  │       FIREWALL MODE             │         DNS-ONLY MODE           │      │
+│  │  (Default Routes Configured)    │   (Only DNS Route Configured)   │      │
+│  ├─────────────────────────────────┼─────────────────────────────────┤      │
+│  │ Routes (Android):               │ Routes (Android):               │      │
+│  │ • addRoute("0.0.0.0", 0)        │ • addRoute("10.0.0.1", 32)     │      │
+│  │                                 │                                 │      │
+│  │ Routes (iOS):                   │ Routes (iOS):                   │      │
+│  │ • includedRoutes: [.default()]  │ • includedRoutes:               │      │
+│  │                                 │   [10.0.0.1/32]                 │      │
+│  ├─────────────────────────────────┼─────────────────────────────────┤      │
+│  │ Traffic Sent to VPN:            │ Traffic Sent to VPN:            │      │
+│  │ ✅ DNS (port 53)                 │ ✅ DNS (port 53)                 │      │
+│  │ ✅ TCP (all ports)               │ ❌ TCP (bypasses VPN)            │      │
+│  │ ✅ UDP (all ports)               │ ❌ UDP (bypasses VPN)            │      │
+│  ├─────────────────────────────────┼─────────────────────────────────┤      │
+│  │ IP Tracker Behavior:            │ IP Tracker Behavior:            │      │
+│  │ • Tracks DNS-resolved IPs       │ • Tracks DNS-resolved IPs       │      │
+│  │ • Blocks hardcoded TCP/UDP IPs  │ • No TCP/UDP to block           │      │
+│  │ • Enforces DNS-first policy     │ • N/A (no non-DNS traffic)      │      │
+│  ├─────────────────────────────────┼─────────────────────────────────┤      │
+│  │ Use Case:                       │ Use Case:                       │      │
+│  │ • Full content filtering        │ • DNS filtering only            │      │
+│  │ • Block DNS bypass attempts     │ • Minimal battery impact        │      │
+│  │ • Enforce ControlD policies     │ • Fast web browsing             │      │
+│  └─────────────────────────────────┴─────────────────────────────────┘      │
+│                                                                               │
+│  MODE SWITCHING:                                                              │
+│  • Android: VpnController.setFirewallMode(enabled) → recreates VPN           │
+│  • iOS: sendProviderMessage("set_firewall_mode") → updates routes            │
+│  • Both: No app restart needed                                               │
+└──────────────────────────────────────────────────────────────────────────────┘
+
+┌──────────────────────────────────────────────────────────────────────────────┐
+│                    DETAILED PACKET FLOW (Firewall Mode)                       │
+│                                                                               │
+│  1. APP MAKES REQUEST                                                         │
+│  ───────────────────────────────────────────────────────────────────────     │
+│  App: connect("example.com", 443)                                            │
+│    ↓                                                                          │
+│  OS: Perform DNS lookup for "example.com"                                    │
+│    ↓                                                                          │
+│  OS: Send DNS query to VPN DNS server (10.0.0.1)                             │
+│                                                                               │
+│  2. DNS PACKET FLOW                                                           │
+│  ───────────────────────────────────────────────────────────────────────     │
+│  [DNS Query Packet: 10.0.0.2:12345 → 10.0.0.1:53]                           │
+│    ↓                                                                          │
+│  TUN Interface → readPacket()                                                │
+│    ↓                                                                          │
+│  DNSFilter.ProcessPacket()                                                   │
+│    ├─ Detect port 53 (DNS)                                                   │
+│    ├─ Extract DNS payload                                                    │
+│    ├─ Forward to ControlD DNS proxy (127.0.0.1:5354 or :53)                 │
+│    │   ↓                                                                      │
+│    │  ControlD DNS Proxy                                                     │
+│    │   ├─ Apply filtering rules                                              │
+│    │   ├─ Query upstream DNS (DoH/DoT/DoQ)                                   │
+│    │   └─ Return response: A 93.184.216.34                                   │
+│    │   ↓                                                                      │
+│    ├─ Parse DNS response                                                     │
+│    ├─ extractAndTrackIPs()                                                   │
+│    │   └─ IPTracker.TrackIP(93.184.216.34)                                  │
+│    │       • Store: resolvedIPs["93.184.216.34"] = now + 5min               │
+│    ├─ Build DNS response packet                                              │
+│    └─ writePacket() → TUN → App                                              │
+│                                                                               │
+│  OS receives DNS response → resolves "example.com" to 93.184.216.34         │
+│                                                                               │
+│  3. TCP CONNECTION FLOW                                                       │
+│  ───────────────────────────────────────────────────────────────────────     │
+│  OS: connect(93.184.216.34:443)                                              │
+│    ↓                                                                          │
+│  [TCP SYN Packet: 10.0.0.2:54321 → 93.184.216.34:443]                       │
+│    ↓                                                                          │
+│  TUN Interface → readPacket()                                                │
+│    ↓                                                                          │
+│  gVisor Netstack → TCPForwarder.handleConnection()                           │
+│    ├─ Extract destination IP: 93.184.216.34                                  │
+│    ├─ Check internal VPN subnet (10.0.0.0/24)?                              │
+│    │   └─ NO (skip check)                                                    │
+│    ├─ ipTracker.IsTracked(93.184.216.34)?                                   │
+│    │   ├─ Check resolvedIPs map                                              │
+│    │   ├─ Found: expires at T+300s                                           │
+│    │   ├─ Not expired yet                                                    │
+│    │   └─ YES ✅                                                              │
+│    ├─ ALLOWED - create upstream connection                                   │
+│    ├─ net.Dial("tcp", "93.184.216.34:443")                                  │
+│    │   ↓                                                                      │
+│    │  [Real Network Connection]                                              │
+│    │   ↓                                                                      │
+│    └─ Bidirectional copy (TUN ↔ Internet)                                    │
+│                                                                               │
+│  4. BLOCKED SCENARIO (Hardcoded IP)                                           │
+│  ───────────────────────────────────────────────────────────────────────     │
+│  App: connect(1.2.3.4:443)  // Hardcoded IP, no DNS!                        │
+│    ↓                                                                          │
+│  [TCP SYN Packet: 10.0.0.2:54322 → 1.2.3.4:443]                             │
+│    ↓                                                                          │
+│  TUN Interface → readPacket()                                                │
+│    ↓                                                                          │
+│  gVisor Netstack → TCPForwarder.handleConnection()                           │
+│    ├─ Extract destination IP: 1.2.3.4                                        │
+│    ├─ ipTracker.IsTracked(1.2.3.4)?                                         │
+│    │   └─ Check resolvedIPs map → NOT FOUND                                 │
+│    │   └─ NO ❌                                                               │
+│    ├─ BLOCKED                                                                 │
+│    ├─ Log: "[TCP] BLOCKED hardcoded IP: 10.0.0.2:54322 → 1.2.3.4:443"      │
+│    └─ Return (send TCP RST to app)                                           │
+│                                                                               │
+│  App receives connection refused/reset                                       │
+└──────────────────────────────────────────────────────────────────────────────┘
+
+┌──────────────────────────────────────────────────────────────────────────────┐
+│                         PLATFORM-SPECIFIC DETAILS                             │
+│                                                                               │
+│  ANDROID                                                                      │
+│  ────────────────────────────────────────────────────────────────────────    │
+│  • VPN Config: ControlDService.kt                                            │
+│  • Packet I/O: FileInputStream/FileOutputStream on VPN fd                    │
+│  • DNS Proxy: Listens on 0.0.0.0:5354 (connects via 127.0.0.1:5354)        │
+│  • Self-Exclusion: addDisallowedApplication(packageName)                     │
+│  • Mode Switch: Recreates VPN interface with new routes                      │
+│  • No routing loops: App traffic bypasses VPN                                │
+│                                                                               │
+│  IOS                                                                          │
+│  ────────────────────────────────────────────────────────────────────────    │
+│  • VPN Config: PacketTunnelProvider.swift                                    │
+│  • Packet I/O: NEPacketTunnelFlow (async → blocking via PacketQueue)        │
+│  • DNS Proxy: Listens on 127.0.0.1:53                                       │
+│  • Self-Exclusion: Network Extension sockets auto-bypass                     │
+│  • Mode Switch: setTunnelNetworkSettings() with new routes                   │
+│  • Write Batching: 16 packets per batch, 5ms flush timer                     │
+│  • No routing loops: Extension traffic bypasses VPN                          │
+└──────────────────────────────────────────────────────────────────────────────┘
 
 ## Components
 
 ### DNS Filter (`dns_filter.go`)
-Detects DNS packets on port 53 and routes to ControlD proxy.
+- Detects DNS packets on port 53 (UDP/TCP)
+- Forwards to ControlD DNS proxy (via DNS bridge)
+- Parses DNS responses to extract A/AAAA records
+- Automatically tracks resolved IPs via IP Tracker
+- Builds DNS response packets and sends back to TUN
 
 ### DNS Bridge (`dns_bridge.go`)
-Tracks DNS queries by transaction ID with 5-second timeout.
+- Bridges between netstack and ControlD DNS proxy
+- Tracks DNS queries by transaction ID
+- 5-second timeout per query
+- Returns responses to DNS filter
+
+### IP Tracker (`ip_tracker.go`)
+- **Always enabled** - tracks all DNS-resolved IPs
+- In-memory whitelist with 5-minute TTL per IP
+- Background cleanup every 30 seconds (removes expired IPs)
+- Thread-safe with RWMutex (optimized for read-heavy workload)
+- Used by TCP/UDP forwarders to enforce DNS-first policy
 
 ### TCP Forwarder (`tcp_forwarder.go`)
-Forwards TCP connections using gVisor's `tcp.NewForwarder()`.
+- Handles TCP connections via gVisor's `tcp.NewForwarder()`
+- Checks `ipTracker != nil` (always true) for firewall enforcement
+- Allows internal VPN subnet (10.0.0.0/24) without checks
+- Blocks connections to non-tracked IPs (logs: "BLOCKED hardcoded IP")
+- Forwards allowed connections via `net.Dial("tcp")` to real network
+- Bidirectional copy between TUN and internet
 
 ### UDP Forwarder (`udp_forwarder.go`)
-Forwards UDP packets with session tracking and 60-second idle timeout.
+- Handles UDP packets via gVisor's `udp.NewForwarder()`
+- Session tracking with 30-second read timeout
+- Checks `ipTracker != nil` (always true) for firewall enforcement
+- Blocks QUIC (UDP/443, UDP/80) to force TCP fallback
+- Blocks connections to non-tracked IPs (logs: "BLOCKED hardcoded IP")
+- Forwards allowed packets via `net.Dial("udp")` to real network
 
 ### Packet Handler (`packet_handler.go`)
-Interface for TUN I/O and socket protection.
+- Interface for TUN I/O operations (read, write, close)
+- `MobilePacketHandler` wraps mobile platform callbacks
+- Bridges gomobile interface with netstack
 
 ### Netstack Controller (`netstack.go`)
-Manages gVisor stack and coordinates all components.
-
-## Socket Protection
-
-Critical for preventing routing loops:
-
-```go
-// Protection happens BEFORE connect()
-dialer.Control = func(network, address string, c syscall.RawConn) error {
-    return c.Control(func(fd uintptr) {
-        protectSocket(int(fd))
-    })
-}
-```
-
-**All protected sockets:**
-- TCP/UDP forwarder sockets (user traffic)
-- ControlD API sockets (api.controld.com)
-- DoH upstream sockets (freedns.controld.com)
+- Manages gVisor TCP/IP stack
+- Coordinates DNS Filter, IP Tracker, TCP/UDP Forwarders
+- Always creates IP Tracker (firewall always on)
+- Reads packets from TUN → injects into netstack
+- Writes packets from netstack → sends to TUN
+- Filters outbound packets (source = 10.0.0.x)
+- Blocks QUIC before injection into netstack
 
 ## Platform Configuration
 
 ### Android
 
 ```kotlin
+// Base VPN configuration (same for both modes)
 Builder()
     .addAddress("10.0.0.2", 24)
-    .addRoute("0.0.0.0", 0)
     .addDnsServer("10.0.0.1")
     .setMtu(1500)
+    .setBlocking(true)
+    .addDisallowedApplication(packageName)  // Exclude self from VPN!
 
-override fun protectSocket(fd: Long) {
-    protect(fd.toInt())  // VpnService.protect()
+// Firewall mode - route ALL traffic
+if (isFirewallMode) {
+    vpnBuilder.addRoute("0.0.0.0", 0)
+}
+// DNS-only mode - route ONLY DNS server IP
+else {
+    vpnBuilder.addRoute("10.0.0.1", 32)
 }
 
-// DNS Proxy: 0.0.0.0:5354
+vpnInterface = vpnBuilder.establish()
+
+// DNS Proxy listens on: 0.0.0.0:5354
+// Library connects to: 127.0.0.1:5354
 ```
 
+**Important:**
+- App MUST exclude itself using `addDisallowedApplication()` to prevent routing loops
+- Mode switching: Call `setFirewallMode(enabled)` to recreate VPN interface with new routes
+
 ### iOS
 
 ```swift
-NEIPv4Settings(addresses: ["10.0.0.2"], ...)
-NEDNSSettings(servers: ["10.0.0.1"])
-includedRoutes = [NEIPv4Route.default()]
+// Base configuration (same for both modes)
+let ipv4Settings = NEIPv4Settings(
+    addresses: ["10.0.0.2"],
+    subnetMasks: ["255.255.255.0"]
+)
 
-func protectSocket(_ fd: Int) throws {
-    // No action needed - iOS Network Extension sockets
-    // automatically bypass VPN tunnel
+// Firewall mode - route ALL traffic
+if isFirewallMode {
+    ipv4Settings.includedRoutes = [NEIPv4Route.default()]
+}
+// DNS-only mode - route ONLY DNS server IP
+else {
+    ipv4Settings.includedRoutes = [
+        NEIPv4Route(destinationAddress: "10.0.0.1", subnetMask: "255.255.255.255")
+    ]
 }
 
-// DNS Proxy: 127.0.0.1:53
+let dnsSettings = NEDNSSettings(servers: ["10.0.0.1"])
+dnsSettings.matchDomains = [""]
+
+networkSettings.ipv4Settings = ipv4Settings
+networkSettings.dnsSettings = dnsSettings
+networkSettings.mtu = 1500
+
+setTunnelNetworkSettings(networkSettings)
+
+// DNS Proxy listens on: 127.0.0.1:53
+// Library connects to: 127.0.0.1:53
 ```
 
-**Note:** iOS Network Extensions run in separate process - sockets automatically bypass VPN.
+**Note:**
+- Network Extension sockets automatically bypass VPN - no routing loops
+- Mode switching: Send message `{"action": "set_firewall_mode", "enabled": "true"}` to extension
 
 ## Protocol Support
 
@@ -113,17 +426,70 @@ func protectSocket(_ fd: Int) throws {
 
 ## QUIC Blocking
 
-Drops UDP packets on ports 443 and 80 to force TCP fallback:
+Blocks UDP packets on ports 443 and 80 to force TCP fallback.
+
+**Where it's blocked:**
+- `netstack.go:354-369` - Blocks QUIC **before** injection into gVisor stack
+- Early blocking (pre-netstack) for efficiency
+- Checks destination port (UDP/443, UDP/80) in raw packet
 
 **Why:**
-- Better DNS filtering (QUIC bypasses DNS)
-- Visible SNI for content filtering
-- Consistent ControlD policy enforcement
+- QUIC/HTTP3 can use cached IPs, bypassing DNS filtering entirely
+- TCP/TLS provides visible SNI for content filtering
+- Ensures consistent ControlD policy enforcement
+- IP tracker alone isn't enough (apps cache QUIC IPs aggressively)
 
 **Result:**
-- Apps automatically fallback to TCP/TLS
-- No user-visible errors
-- Slightly slower initial connection, then normal
+- Apps automatically fallback to TCP/TLS (HTTP/2, HTTP/1.1)
+- No user-visible errors (fallback is seamless)
+- Slightly slower initial connection, then normal performance
+
+**Note:** IP tracker ALSO blocks hardcoded IPs, but QUIC blocking provides additional layer of protection since QUIC apps often cache IPs longer than 5 minutes.
+
+## IP Blocking (DNS Bypass Prevention)
+
+**Firewall is ALWAYS enabled.** The IP tracker runs in all modes and tracks all DNS-resolved IPs.
+
+**How it works:**
+1. DNS responses are parsed to extract A and AAAA records
+2. Resolved IPs are tracked in memory whitelist for 5 minutes (TTL)
+3. In **firewall mode**: TCP/UDP connections to **non-whitelisted** IPs are **BLOCKED**
+4. In **DNS-only mode**: Only DNS traffic reaches the VPN, so IP blocking is inactive
+
+**Mode Behavior:**
+- **Firewall mode** (default routes): OS sends ALL traffic to VPN
+  - DNS queries → tracked IPs
+  - TCP/UDP connections → checked against tracker → blocked if not tracked
+
+- **DNS-only mode** (DNS route only): OS sends ONLY DNS to VPN
+  - DNS queries → tracked IPs
+  - TCP/UDP connections → bypass VPN entirely (never reach tracker)
+
+**Why IP tracker is always on:**
+- Simplifies implementation (no enable/disable logic)
+- Ready for mode switching at runtime
+- In DNS-only mode, tracker tracks IPs but never blocks (no TCP/UDP traffic)
+
+**Example (Firewall Mode):**
+```
+T=0s:  App connects to 1.2.3.4 directly
+       → ❌ BLOCKED (not in tracker)
+
+T=1s:  App queries "example.com" → DNS returns 93.184.216.34
+       → Tracker stores: 93.184.216.34 (expires in 5min)
+
+T=2s:  App connects to 93.184.216.34
+       → ✅ ALLOWED (found in tracker, not expired)
+
+T=302s: App connects to 93.184.216.34
+        → ❌ BLOCKED (expired, must query DNS again)
+```
+
+**Components:**
+- `ip_tracker.go` - Always-on whitelist with 5min TTL, 30s cleanup
+- `dns_filter.go` - Extracts A/AAAA records, tracks IPs automatically
+- `tcp_forwarder.go` - Checks `ipTracker != nil` (always true)
+- `udp_forwarder.go` - Checks `ipTracker != nil` (always true)
 
 ## Usage (Android)
 
@@ -132,9 +498,6 @@ Drops UDP packets on ports 443 and 80 to force TCP fallback:
 val callback = object : PacketAppCallback {
     override fun readPacket(): ByteArray { ... }
     override fun writePacket(packet: ByteArray) { ... }
-    override fun protectSocket(fd: Long) {
-        protect(fd.toInt())
-    }
     override fun closePacketIO() { ... }
     override fun exit(s: String) { ... }
     override fun hostname(): String = "android-device"
@@ -145,44 +508,59 @@ val callback = object : PacketAppCallback {
 // Create controller
 val controller = Ctrld_library.newPacketCaptureController(callback)
 
-// Start
+// Start with all parameters
 controller.startWithPacketCapture(
-    callback,
-    cdUID,
-    "", "",
-    filesDir.absolutePath,
-    "doh",
-    2,
-    "$filesDir/ctrld.log"
+    callback,                       // PacketAppCallback
+    "10.0.0.1",                    // TUN address (gateway)
+    "10.0.0.2",                    // Device address
+    1500,                          // MTU
+    "127.0.0.1:5354",             // DNS proxy address
+    "your-cd-uid",                 // ControlD UID
+    "",                            // Provision ID (optional)
+    "",                            // Custom hostname (optional)
+    filesDir.absolutePath,         // Home directory
+    "doh",                         // Upstream protocol (doh/dot/doq)
+    2,                             // Log level (0-3)
+    "$filesDir/ctrld.log"          // Log path
 )
 
 // Stop
 controller.stop(false, 0)
+
+// Runtime mode switching (no restart needed)
+VpnController.instance?.setFirewallMode(context, isFirewallMode = true)
 ```
 
 ## Usage (iOS)
 
 ```swift
-// DNS-only mode
+// Start LocalProxy with all parameters
 let proxy = LocalProxy()
+proxy.mode = .firewall  // or .dnsOnly
+
 proxy.start(
-    cUID: cdUID,
-    deviceName: UIDevice.current.name,
-    upstreamProto: "doh",
-    logLevel: 3,
-    provisionID: ""
+    tunAddress: "10.0.0.1",                    // TUN address (gateway)
+    deviceAddress: "10.0.0.2",                 // Device address
+    mtu: 1500,                                 // MTU
+    dnsProxyAddress: "127.0.0.1:53",          // DNS proxy address
+    cUID: cdUID,                               // ControlD UID
+    provisionID: "",                           // Provision ID (optional)
+    customHostname: "",                        // Custom hostname (optional)
+    homeDir: FileManager().temporaryDirectory.path,  // Home directory
+    upstreamProto: "doh",                      // Upstream protocol
+    logLevel: 2,                               // Log level (0-3)
+    logPath: FileManager().temporaryDirectory.appendingPathComponent("ctrld.log").path,
+    deviceName: UIDevice.current.name,         // Device name
+    packetFlow: packetFlow                     // NEPacketTunnelFlow
 )
 
-// Firewall mode (full capture)
-let proxy = LocalProxy()
-proxy.startFirewall(
-    cUID: cdUID,
-    deviceName: UIDevice.current.name,
-    upstreamProto: "doh",
-    logLevel: 3,
-    provisionID: "",
-    packetFlow: packetFlow
-)
+// Stop
+proxy.stop()
+
+// Runtime mode switching (no restart needed)
+// Send message from main app to extension:
+let message = ["action": "set_firewall_mode", "enabled": "true"]
+session.sendProviderMessage(JSONEncoder().encode(message)) { response in }
 ```
 
 ## Requirements
@@ -196,10 +574,11 @@ proxy.startFirewall(
 
 - `packet_handler.go` - TUN I/O interface
 - `netstack.go` - gVisor controller
-- `dns_filter.go` - DNS packet detection
+- `dns_filter.go` - DNS packet detection and IP extraction
 - `dns_bridge.go` - Transaction tracking
-- `tcp_forwarder.go` - TCP forwarding
-- `udp_forwarder.go` - UDP forwarding
+- `ip_tracker.go` - DNS-resolved IP whitelist with TTL
+- `tcp_forwarder.go` - TCP forwarding with whitelist enforcement
+- `udp_forwarder.go` - UDP forwarding with whitelist enforcement
 
 ## License
 

cmd/ctrld_library/netstack/dns_filter.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"net"
 
+	"github.com/miekg/dns"
 	"gvisor.dev/gvisor/pkg/tcpip"
 	"gvisor.dev/gvisor/pkg/tcpip/header"
 )
@@ -12,12 +13,14 @@ import (
 // DNSFilter intercepts and processes DNS packets.
 type DNSFilter struct {
 	dnsHandler func([]byte) ([]byte, error)
+	ipTracker  *IPTracker
 }
 
 // NewDNSFilter creates a new DNS filter with the given handler.
-func NewDNSFilter(handler func([]byte) ([]byte, error)) *DNSFilter {
+func NewDNSFilter(handler func([]byte) ([]byte, error), ipTracker *IPTracker) *DNSFilter {
 	return &DNSFilter{
 		dnsHandler: handler,
+		ipTracker:  ipTracker,
 	}
 }
 
@@ -101,6 +104,11 @@ func (df *DNSFilter) processIPv4(packet []byte) (bool, []byte, error) {
 		return true, nil, fmt.Errorf("DNS handler error: %v", err)
 	}
 
+	// Track IPs from DNS response
+	if df.ipTracker != nil {
+		df.extractAndTrackIPs(dnsResponse)
+	}
+
 	// Build response packet
 	responsePacket := df.buildIPv4UDPPacket(
 		dstIP.As4(), // Swap src/dst
@@ -166,6 +174,11 @@ func (df *DNSFilter) processIPv6(packet []byte) (bool, []byte, error) {
 		return true, nil, fmt.Errorf("DNS handler error: %v", err)
 	}
 
+	// Track IPs from DNS response
+	if df.ipTracker != nil {
+		df.extractAndTrackIPs(dnsResponse)
+	}
+
 	// Build response packet
 	srcIP := ipHdr.SourceAddress()
 	dstIP := ipHdr.DestinationAddress()
@@ -322,3 +335,31 @@ func parseUDP(udpHeader []byte) (srcPort, dstPort uint16, ok bool) {
 	ok = true
 	return
 }
+
+// extractAndTrackIPs parses DNS response and tracks resolved IP addresses
+func (df *DNSFilter) extractAndTrackIPs(dnsResponse []byte) {
+	if len(dnsResponse) < 12 {
+		return // Invalid DNS response
+	}
+
+	msg := new(dns.Msg)
+	if err := msg.Unpack(dnsResponse); err != nil {
+		return // Failed to parse DNS response
+	}
+
+	// Extract IPs from answer section
+	for _, answer := range msg.Answer {
+		switch rr := answer.(type) {
+		case *dns.A:
+			// IPv4 address
+			if rr.A != nil {
+				df.ipTracker.TrackIP(rr.A)
+			}
+		case *dns.AAAA:
+			// IPv6 address
+			if rr.AAAA != nil {
+				df.ipTracker.TrackIP(rr.AAAA)
+			}
+		}
+	}
+}

cmd/ctrld_library/netstack/ip_tracker.go

@@ -0,0 +1,150 @@
+package netstack
+
+import (
+	"net"
+	"sync"
+	"time"
+)
+
+// IPTracker tracks IP addresses that have been resolved through DNS.
+// This allows blocking direct IP connections that bypass DNS filtering.
+type IPTracker struct {
+	// Map of IP address string -> expiration time
+	resolvedIPs map[string]time.Time
+	mu          sync.RWMutex
+
+	// TTL for tracked IPs (how long to remember them)
+	ttl time.Duration
+
+	// Running state
+	running bool
+	stopCh  chan struct{}
+	wg      sync.WaitGroup
+}
+
+// NewIPTracker creates a new IP tracker with the specified TTL
+func NewIPTracker(ttl time.Duration) *IPTracker {
+	if ttl == 0 {
+		ttl = 5 * time.Minute // Default 5 minutes
+	}
+
+	return &IPTracker{
+		resolvedIPs: make(map[string]time.Time),
+		ttl:         ttl,
+		stopCh:      make(chan struct{}),
+	}
+}
+
+// Start starts the IP tracker cleanup routine
+func (t *IPTracker) Start() {
+	t.mu.Lock()
+	if t.running {
+		t.mu.Unlock()
+		return
+	}
+	t.running = true
+	t.mu.Unlock()
+
+	// Start cleanup goroutine to remove expired IPs
+	t.wg.Add(1)
+	go t.cleanupExpiredIPs()
+}
+
+// Stop stops the IP tracker
+func (t *IPTracker) Stop() {
+	if t == nil {
+		return
+	}
+
+	t.mu.Lock()
+	if !t.running {
+		t.mu.Unlock()
+		return
+	}
+	t.running = false
+	t.mu.Unlock()
+
+	// Close stop channel (protected against double close)
+	select {
+	case <-t.stopCh:
+		// Already closed
+	default:
+		close(t.stopCh)
+	}
+
+	t.wg.Wait()
+
+	// Clear all tracked IPs
+	t.mu.Lock()
+	t.resolvedIPs = make(map[string]time.Time)
+	t.mu.Unlock()
+}
+
+// TrackIP adds an IP address to the tracking list
+func (t *IPTracker) TrackIP(ip net.IP) {
+	if ip == nil {
+		return
+	}
+
+	// Normalize to string format
+	ipStr := ip.String()
+
+	t.mu.Lock()
+	t.resolvedIPs[ipStr] = time.Now().Add(t.ttl)
+	t.mu.Unlock()
+}
+
+// IsTracked checks if an IP address is in the tracking list
+// Optimized to minimize lock contention by avoiding write locks in the hot path
+func (t *IPTracker) IsTracked(ip net.IP) bool {
+	if ip == nil {
+		return false
+	}
+
+	ipStr := ip.String()
+
+	t.mu.RLock()
+	expiration, exists := t.resolvedIPs[ipStr]
+	t.mu.RUnlock()
+
+	if !exists {
+		return false
+	}
+
+	// Check if expired - but DON'T delete here to avoid write lock
+	// Let the cleanup goroutine handle expired entries
+	// This keeps IsTracked fast with only read locks
+	return !time.Now().After(expiration)
+}
+
+// GetTrackedCount returns the number of currently tracked IPs
+func (t *IPTracker) GetTrackedCount() int {
+	t.mu.RLock()
+	defer t.mu.RUnlock()
+	return len(t.resolvedIPs)
+}
+
+// cleanupExpiredIPs periodically removes expired IP entries
+func (t *IPTracker) cleanupExpiredIPs() {
+	defer t.wg.Done()
+
+	ticker := time.NewTicker(30 * time.Second)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-t.stopCh:
+			return
+
+		case <-ticker.C:
+			now := time.Now()
+			t.mu.Lock()
+			for ip, expiration := range t.resolvedIPs {
+				if now.After(expiration) {
+					delete(t.resolvedIPs, ip)
+				}
+			}
+			t.mu.Unlock()
+		}
+	}
+}

cmd/ctrld_library/netstack/netstack.go

@@ -28,7 +28,7 @@ const (
 	NICID = 1
 
 	// Channel capacity for packet buffers
-	channelCapacity = 256
+	channelCapacity = 512
 )
 
 // NetstackController manages the gVisor netstack integration for mobile packet capture.
@@ -37,6 +37,7 @@ type NetstackController struct {
 	linkEP        *channel.Endpoint
 	packetHandler PacketHandler
 	dnsFilter     *DNSFilter
+	ipTracker     *IPTracker
 	tcpForwarder  *TCPForwarder
 	udpForwarder  *UDPForwarder
 
@@ -100,14 +101,19 @@ func NewNetstackController(handler PacketHandler, cfg *Config) (*NetstackControl
 	// Create link endpoint
 	linkEP := channel.New(channelCapacity, cfg.MTU, "")
 
-	// Create DNS filter
-	dnsFilter := NewDNSFilter(cfg.DNSHandler)
+	// Always create IP tracker (5 minute TTL for tracked IPs)
+	// In firewall mode (default routes): blocks direct IP connections
+	// In DNS-only mode: no non-DNS traffic to block
+	ipTracker := NewIPTracker(5 * time.Minute)
 
-	// Create TCP forwarder
-	tcpForwarder := NewTCPForwarder(s, handler.ProtectSocket, ctx)
+	// Create DNS filter with IP tracker
+	dnsFilter := NewDNSFilter(cfg.DNSHandler, ipTracker)
 
-	// Create UDP forwarder
-	udpForwarder := NewUDPForwarder(s, handler.ProtectSocket, ctx)
+	// Create TCP forwarder with IP tracker
+	tcpForwarder := NewTCPForwarder(s, ctx, ipTracker)
+
+	// Create UDP forwarder with IP tracker
+	udpForwarder := NewUDPForwarder(s, ctx, ipTracker)
 
 	// Create NIC
 	if err := s.CreateNIC(NICID, linkEP); err != nil {
@@ -176,6 +182,7 @@ func NewNetstackController(handler PacketHandler, cfg *Config) (*NetstackControl
 		linkEP:        linkEP,
 		packetHandler: handler,
 		dnsFilter:     dnsFilter,
+		ipTracker:     ipTracker,
 		tcpForwarder:  tcpForwarder,
 		udpForwarder:  udpForwarder,
 		ctx:           ctx,
@@ -199,6 +206,9 @@ func (nc *NetstackController) Start() error {
 
 	nc.started = true
 
+	// Start IP tracker
+	nc.ipTracker.Start()
+
 	// Start packet reader goroutine (TUN -> netstack)
 	nc.wg.Add(1)
 	go nc.readPackets()
@@ -207,36 +217,69 @@ func (nc *NetstackController) Start() error {
 	nc.wg.Add(1)
 	go nc.writePackets()
 
-	ctrld.ProxyLogger.Load().Info().Msg("[Netstack] Packet processing started (read/write goroutines)")
+	ctrld.ProxyLogger.Load().Info().Msg("[Netstack] Packet processing started (read/write goroutines + IP tracker)")
 
 	return nil
 }
 
 // Stop stops the netstack controller and waits for all goroutines to finish.
 func (nc *NetstackController) Stop() error {
+	ctrld.ProxyLogger.Load().Info().Msg("[Netstack] Stop() called - starting shutdown")
+
 	nc.mu.Lock()
 	if !nc.started {
 		nc.mu.Unlock()
+		ctrld.ProxyLogger.Load().Info().Msg("[Netstack] Stop() - already stopped, returning")
 		return nil
 	}
 	nc.mu.Unlock()
 
+	ctrld.ProxyLogger.Load().Info().Msg("[Netstack] Stop() - canceling context")
 	nc.cancel()
+
+	// Close packet handler FIRST to unblock all pending reads
+	ctrld.ProxyLogger.Load().Info().Msg("[Netstack] Stop() - closing packet handler to unblock goroutines")
+	if err := nc.packetHandler.Close(); err != nil {
+		ctrld.ProxyLogger.Load().Error().Msgf("[Netstack] Stop() - failed to close packet handler: %v", err)
+		// Continue shutdown even if close fails
+	}
+	ctrld.ProxyLogger.Load().Info().Msg("[Netstack] Stop() - packet handler closed")
+
+	ctrld.ProxyLogger.Load().Info().Msg("[Netstack] Stop() - waiting for goroutines (max 2 seconds)")
+
+	// Wait for goroutines with timeout
+	done := make(chan struct{})
+	go func() {
 		nc.wg.Wait()
+		close(done)
+	}()
+
+	select {
+	case <-done:
+		ctrld.ProxyLogger.Load().Info().Msg("[Netstack] Stop() - all goroutines finished")
+	case <-time.After(2 * time.Second):
+		ctrld.ProxyLogger.Load().Warn().Msg("[Netstack] Stop() - timeout waiting for goroutines, proceeding anyway")
+	}
+
+	// Stop IP tracker
+	if nc.ipTracker != nil {
+		ctrld.ProxyLogger.Load().Info().Msg("[Netstack] Stop() - stopping IP tracker")
+		nc.ipTracker.Stop()
+		ctrld.ProxyLogger.Load().Info().Msg("[Netstack] Stop() - IP tracker stopped")
+	}
 
 	// Close UDP forwarder
 	if nc.udpForwarder != nil {
+		ctrld.ProxyLogger.Load().Info().Msg("[Netstack] Stop() - closing UDP forwarder")
 		nc.udpForwarder.Close()
-	}
-
-	if err := nc.packetHandler.Close(); err != nil {
-		return fmt.Errorf("failed to close packet handler: %v", err)
+		ctrld.ProxyLogger.Load().Info().Msg("[Netstack] Stop() - UDP forwarder closed")
 	}
 
 	nc.mu.Lock()
 	nc.started = false
 	nc.mu.Unlock()
 
+	ctrld.ProxyLogger.Load().Info().Msg("[Netstack] Stop() - shutdown complete")
 	return nil
 }
 

cmd/ctrld_library/netstack/packet_handler.go

@@ -17,11 +17,6 @@ type PacketHandler interface {
 
 	// Close closes the packet handler and releases resources.
 	Close() error
-
-	// ProtectSocket protects a socket file descriptor from being routed through the VPN.
-	// This is required on Android/iOS to prevent routing loops.
-	// Returns nil if successful, error otherwise.
-	ProtectSocket(fd int) error
 }
 
 // MobilePacketHandler implements PacketHandler using callbacks from mobile platforms.
@@ -30,7 +25,6 @@ type MobilePacketHandler struct {
 	readFunc  func() ([]byte, error)
 	writeFunc func([]byte) error
 	closeFunc func() error
-	protectFunc func(int) error
 
 	mu     sync.Mutex
 	closed bool
@@ -41,13 +35,11 @@ func NewMobilePacketHandler(
 	readFunc func() ([]byte, error),
 	writeFunc func([]byte) error,
 	closeFunc func() error,
-	protectFunc func(int) error,
 ) *MobilePacketHandler {
 	return &MobilePacketHandler{
 		readFunc:  readFunc,
 		writeFunc: writeFunc,
 		closeFunc: closeFunc,
-		protectFunc: protectFunc,
 		closed:    false,
 	}
 }
@@ -103,13 +95,3 @@ func (m *MobilePacketHandler) Close() error {
 
 	return nil
 }
-
-// ProtectSocket protects a socket file descriptor from VPN routing.
-func (m *MobilePacketHandler) ProtectSocket(fd int) error {
-	if m.protectFunc == nil {
-		// No protect function provided - this is okay for non-VPN scenarios
-		return nil
-	}
-
-	return m.protectFunc(fd)
-}

cmd/ctrld_library/netstack/tcp_forwarder.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"io"
 	"net"
-	"syscall"
 	"time"
 
 	"github.com/Control-D-Inc/ctrld"
@@ -16,20 +15,20 @@ import (
 
 // TCPForwarder handles TCP connections from the TUN interface
 type TCPForwarder struct {
-	protectSocket func(fd int) error
 	ctx       context.Context
 	forwarder *tcp.Forwarder
+	ipTracker *IPTracker
 }
 
 // NewTCPForwarder creates a new TCP forwarder
-func NewTCPForwarder(s *stack.Stack, protectSocket func(fd int) error, ctx context.Context) *TCPForwarder {
+func NewTCPForwarder(s *stack.Stack, ctx context.Context, ipTracker *IPTracker) *TCPForwarder {
 	f := &TCPForwarder{
-		protectSocket: protectSocket,
 		ctx:       ctx,
+		ipTracker: ipTracker,
 	}
 
 	// Create gVisor TCP forwarder with handler callback
-	// rcvWnd=0 (default), maxInFlight=1024
+	// rcvWnd=0 (use default), maxInFlight=1024
 	f.forwarder = tcp.NewForwarder(s, 0, 1024, f.handleRequest)
 
 	return f
@@ -78,23 +77,31 @@ func (f *TCPForwarder) handleConnection(ep *tcp.Endpoint, wq *waiter.Queue, id s
 	// - LocalAddress/LocalPort = the destination (where packet is going TO)
 	// - RemoteAddress/RemotePort = the source (where packet is coming FROM)
 	// We want to dial the DESTINATION (LocalAddress/LocalPort)
+	dstIP := net.IP(id.LocalAddress.AsSlice())
 	dstAddr := net.TCPAddr{
-		IP:   net.IP(id.LocalAddress.AsSlice()),
+		IP:   dstIP,
 		Port: int(id.LocalPort),
 	}
 
-	// Create outbound connection with socket protection DURING dial
-	dialer := &net.Dialer{
-		Timeout: 30 * time.Second,
+	// Check if IP blocking is enabled (firewall mode only)
+	// Skip blocking for internal VPN subnet (10.0.0.0/24)
+	if f.ipTracker != nil {
+		// Allow internal VPN traffic (10.0.0.0/24)
+		if !(dstIP[0] == 10 && dstIP[1] == 0 && dstIP[2] == 0) {
+			// Check if destination IP was resolved through ControlD DNS
+			// ONLY allow connections to IPs that went through DNS (whitelist approach)
+			if !f.ipTracker.IsTracked(dstIP) {
+				srcAddr := net.IP(id.RemoteAddress.AsSlice())
+				ctrld.ProxyLogger.Load().Info().Msgf("[TCP] BLOCKED hardcoded IP: %s:%d -> %s:%d (not resolved via DNS)",
+					srcAddr, id.RemotePort, dstIP, id.LocalPort)
+				return
+			}
+		}
 	}
 
-	// CRITICAL: Protect socket BEFORE connect() is called
-	if f.protectSocket != nil {
-		dialer.Control = func(network, address string, c syscall.RawConn) error {
-			return c.Control(func(fd uintptr) {
-				f.protectSocket(int(fd))
-			})
-		}
+	// Create outbound connection
+	dialer := &net.Dialer{
+		Timeout: 30 * time.Second,
 	}
 
 	upstreamConn, err := dialer.DialContext(f.ctx, "tcp", dstAddr.String())

cmd/ctrld_library/netstack/udp_forwarder.go

@@ -5,7 +5,6 @@ import (
 	"fmt"
 	"net"
 	"sync"
-	"syscall"
 	"time"
 
 	"github.com/Control-D-Inc/ctrld"
@@ -17,9 +16,9 @@ import (
 
 // UDPForwarder handles UDP packets from the TUN interface
 type UDPForwarder struct {
-	protectSocket func(fd int) error
 	ctx       context.Context
 	forwarder *udp.Forwarder
+	ipTracker *IPTracker
 
 	// Track UDP "connections" (address pairs)
 	connections map[string]*udpConn
@@ -33,10 +32,10 @@ type udpConn struct {
 }
 
 // NewUDPForwarder creates a new UDP forwarder
-func NewUDPForwarder(s *stack.Stack, protectSocket func(fd int) error, ctx context.Context) *UDPForwarder {
+func NewUDPForwarder(s *stack.Stack, ctx context.Context, ipTracker *IPTracker) *UDPForwarder {
 	f := &UDPForwarder{
-		protectSocket: protectSocket,
 		ctx:         ctx,
+		ipTracker:   ipTracker,
 		connections: make(map[string]*udpConn),
 	}
 
@@ -102,22 +101,30 @@ func (f *UDPForwarder) createConnection(req *udp.ForwarderRequest, connKey strin
 	// Extract destination address
 	// LocalAddress/LocalPort = destination (where packet is going TO)
 	// RemoteAddress/RemotePort = source (where packet is coming FROM)
+	dstIP := net.IP(id.LocalAddress.AsSlice())
 	dstAddr := &net.UDPAddr{
-		IP:   net.IP(id.LocalAddress.AsSlice()),
+		IP:   dstIP,
 		Port: int(id.LocalPort),
 	}
 
-	// Create dialer with socket protection DURING dial
-	dialer := &net.Dialer{}
+	// Check if IP blocking is enabled (firewall mode only)
+	// Skip blocking for internal VPN subnet (10.0.0.0/24)
+	if f.ipTracker != nil {
+		// Allow internal VPN traffic (10.0.0.0/24)
+		if !(dstIP[0] == 10 && dstIP[1] == 0 && dstIP[2] == 0) {
+			// Check if destination IP was resolved through ControlD DNS
+			// ONLY allow connections to IPs that went through DNS (whitelist approach)
+			if !f.ipTracker.IsTracked(dstIP) {
+				srcAddr := net.IP(id.RemoteAddress.AsSlice())
+				ctrld.ProxyLogger.Load().Info().Msgf("[UDP] BLOCKED hardcoded IP: %s:%d -> %s:%d (not resolved via DNS)",
+					srcAddr, id.RemotePort, dstIP, id.LocalPort)
+				return nil
+			}
+		}
+	}
 
-	// CRITICAL: Protect socket BEFORE connect() is called
-	if f.protectSocket != nil {
-		dialer.Control = func(network, address string, c syscall.RawConn) error {
-			return c.Control(func(fd uintptr) {
-				f.protectSocket(int(fd))
-			})
-		}
-	}
+	// Create dialer
+	dialer := &net.Dialer{}
 
 	// Create outbound UDP connection
 	dialConn, dialErr := dialer.Dial("udp", dstAddr.String())
@@ -214,13 +221,18 @@ func (f *UDPForwarder) forwardUpstreamToTun(conn *udpConn, ctx context.Context,
 
 // Close closes all UDP connections
 func (f *UDPForwarder) Close() {
+	ctrld.ProxyLogger.Load().Info().Msg("[UDP] Close() called - closing all connections")
+
 	f.mu.Lock()
 	defer f.mu.Unlock()
 
-	for _, conn := range f.connections {
+	ctrld.ProxyLogger.Load().Info().Msgf("[UDP] Close() - closing %d connections", len(f.connections))
+	for key, conn := range f.connections {
+		ctrld.ProxyLogger.Load().Debug().Msgf("[UDP] Close() - closing connection: %s", key)
 		conn.cancel()
 		conn.tunEP.Close()
 		conn.upstreamConn.Close()
 	}
 	f.connections = make(map[string]*udpConn)
+	ctrld.ProxyLogger.Load().Info().Msg("[UDP] Close() - all connections closed")
 }

cmd/ctrld_library/packet_capture.go

@@ -3,7 +3,6 @@ package ctrld_library
 import (
 	"fmt"
 	"net/netip"
-	"runtime"
 	"time"
 
 	"github.com/Control-D-Inc/ctrld"
@@ -26,12 +25,6 @@ type PacketAppCallback interface {
 
 	// ClosePacketIO closes packet I/O resources.
 	ClosePacketIO() error
-
-	// ProtectSocket protects a socket file descriptor from being routed through the VPN.
-	// On Android, this calls VpnService.protect() to prevent routing loops.
-	// On iOS, this marks the socket to bypass the VPN.
-	// Returns nil on success, error on failure.
-	ProtectSocket(fd int) error
 }
 
 // PacketCaptureController holds state for packet capture mode
@@ -42,6 +35,7 @@ type PacketCaptureController struct {
 	netstackCtrl    *netstack.NetstackController
 	dnsBridge       *netstack.DNSBridge
 	packetStopCh    chan struct{}
+	dnsProxyAddress string
 }
 
 // NewPacketCaptureController creates a new packet capture controller
@@ -57,6 +51,10 @@ func NewPacketCaptureController(appCallback PacketAppCallback) *PacketCaptureCon
 // It requires a PacketAppCallback that provides packet read/write capabilities.
 func (pc *PacketCaptureController) StartWithPacketCapture(
 	packetCallback PacketAppCallback,
+	tunAddress string,
+	deviceAddress string,
+	mtu int64,
+	dnsProxyAddress string,
 	CdUID string,
 	ProvisionID string,
 	CustomHostname string,
@@ -69,6 +67,14 @@ func (pc *PacketCaptureController) StartWithPacketCapture(
 		return fmt.Errorf("controller already running")
 	}
 
+	// Store DNS proxy address for handleDNSQuery
+	pc.dnsProxyAddress = dnsProxyAddress
+
+	// Set defaults
+	if mtu == 0 {
+		mtu = 1500
+	}
+
 	// Set up configuration
 	pc.baseController.Config = cli.AppConfig{
 		CdUID:          CdUID,
@@ -81,10 +87,6 @@ func (pc *PacketCaptureController) StartWithPacketCapture(
 	}
 	pc.baseController.AppCallback = packetCallback
 
-	// Set global socket protector for HTTP client sockets (API calls, etc)
-	// This prevents routing loops when ctrld makes HTTP requests to api.controld.com
-	ctrld.SetSocketProtector(packetCallback.ProtectSocket)
-
 	// Create DNS bridge for communication between netstack and DNS proxy
 	pc.dnsBridge = netstack.NewDNSBridge()
 	pc.dnsBridge.Start()
@@ -94,36 +96,29 @@ func (pc *PacketCaptureController) StartWithPacketCapture(
 		packetCallback.ReadPacket,
 		packetCallback.WritePacket,
 		packetCallback.ClosePacketIO,
-		packetCallback.ProtectSocket,
 	)
 
 	// Create DNS handler that uses the bridge
 	dnsHandler := func(query []byte) ([]byte, error) {
-		// Extract source IP from query context if available
-		// For now, use a placeholder
-		return pc.dnsBridge.ProcessQuery(query, "10.0.0.2", 0)
+		// Use device address as the source of DNS queries
+		return pc.dnsBridge.ProcessQuery(query, deviceAddress, 0)
 	}
 
-	// Auto-detect platform and use appropriate TUN IP
-	// Android: TUN=10.0.0.1, Device=10.0.0.2
-	// iOS: TUN=10.0.0.2, Device=10.0.0.1
-	tunIP := "10.0.0.1" // Default for Android
-	// Check if running on iOS (no reliable way, so we'll make it configurable)
-	// For now, use Android config. iOS should update their VPN settings to match.
-
-	tunIPv4, err := netip.ParseAddr(tunIP)
+	// Parse TUN IP address
+	tunIPv4, err := netip.ParseAddr(tunAddress)
 	if err != nil {
-		return fmt.Errorf("failed to parse TUN IPv4: %v", err)
+		return fmt.Errorf("failed to parse TUN IPv4 address '%s': %v", tunAddress, err)
 	}
 
 	netstackCfg := &netstack.Config{
-		MTU:               1500,
+		MTU:               uint32(mtu),
 		TUNIPv4:           tunIPv4,
 		DNSHandler:        dnsHandler,
 		UpstreamInterface: nil, // Will use default interface
 	}
 
-	ctrld.ProxyLogger.Load().Info().Msgf("[PacketCapture] Netstack TUN IP: %s", tunIP)
+	ctrld.ProxyLogger.Load().Info().Msgf("[PacketCapture] Network config - TUN: %s, Device: %s, MTU: %d, DNS Proxy: %s",
+		tunAddress, deviceAddress, mtu, dnsProxyAddress)
 
 	// Create netstack controller
 	netstackCtrl, err := netstack.NewNetstackController(packetHandler, netstackCfg)
@@ -154,12 +149,10 @@ func (pc *PacketCaptureController) StartWithPacketCapture(
 		cli.RunMobile(&pc.baseController.Config, &appCallback, pc.baseController.stopCh)
 	}()
 
-	// Log platform detection for DNS proxy port
-	dnsPort := "5354"
-	if runtime.GOOS == "ios" || runtime.GOOS == "darwin" {
-		dnsPort = "53"
-	}
-	ctrld.ProxyLogger.Load().Info().Msgf("[PacketCapture] Platform: %s, DNS proxy port: %s", runtime.GOOS, dnsPort)
+	// BLOCK here until stopped (critical - Swift expects this to block!)
+	ctrld.ProxyLogger.Load().Info().Msg("[PacketCapture] Blocking until stop signal...")
+	<-pc.baseController.stopCh
+	ctrld.ProxyLogger.Load().Info().Msg("[PacketCapture] Stop signal received, exiting")
 
 	return nil
 }
@@ -188,22 +181,13 @@ func (pc *PacketCaptureController) handleDNSQuery(query *netstack.DNSQuery) {
 		return
 	}
 
-	// Determine DNS proxy port based on platform
-	// Android: 0.0.0.0:5354
-	// iOS: 127.0.0.1:53
-	dnsProxyAddr := "127.0.0.1:5354" // Default for Android
-	if runtime.GOOS == "ios" || runtime.GOOS == "darwin" {
-		// iOS uses port 53
-		dnsProxyAddr = "127.0.0.1:53"
-	}
-
-	// Send query to actual DNS proxy
+	// Send query to actual DNS proxy using configured address
 	client := &dns.Client{
 		Net:     "udp",
 		Timeout: 3 * time.Second,
 	}
 
-	response, _, err := client.Exchange(msg, dnsProxyAddr)
+	response, _, err := client.Exchange(msg, pc.dnsProxyAddress)
 	if err != nil {
 		// Create SERVFAIL response
 		response = new(dns.Msg)
@@ -223,41 +207,62 @@ func (pc *PacketCaptureController) handleDNSQuery(query *netstack.DNSQuery) {
 
 // Stop stops the packet capture controller
 func (pc *PacketCaptureController) Stop(restart bool, pin int64) int {
+	ctrld.ProxyLogger.Load().Info().Msg("[PacketCapture] Stop() called - starting shutdown")
 	var errorCode = 0
 
-	// Clear global socket protector
-	ctrld.SetSocketProtector(nil)
-
 	// Stop DNS bridge
 	if pc.dnsBridge != nil {
+		ctrld.ProxyLogger.Load().Info().Msg("[PacketCapture] Stop() - stopping DNS bridge")
 		pc.dnsBridge.Stop()
 		pc.dnsBridge = nil
+		ctrld.ProxyLogger.Load().Info().Msg("[PacketCapture] Stop() - DNS bridge stopped")
 	}
 
 	// Stop netstack
 	if pc.netstackCtrl != nil {
+		ctrld.ProxyLogger.Load().Info().Msg("[PacketCapture] Stop() - stopping netstack controller")
 		if err := pc.netstackCtrl.Stop(); err != nil {
 			// Log error but continue shutdown
-			fmt.Printf("Error stopping netstack: %v\n", err)
+			ctrld.ProxyLogger.Load().Error().Msgf("[PacketCapture] Stop() - error stopping netstack: %v", err)
 		}
 		pc.netstackCtrl = nil
+		ctrld.ProxyLogger.Load().Info().Msg("[PacketCapture] Stop() - netstack controller stopped")
 	}
 
 	// Close packet stop channel
 	if pc.packetStopCh != nil {
+		ctrld.ProxyLogger.Load().Info().Msg("[PacketCapture] Stop() - closing packet stop channel")
+		select {
+		case <-pc.packetStopCh:
+			// Already closed
+			ctrld.ProxyLogger.Load().Info().Msg("[PacketCapture] Stop() - packet stop channel already closed")
+		default:
 			close(pc.packetStopCh)
+			ctrld.ProxyLogger.Load().Info().Msg("[PacketCapture] Stop() - packet stop channel closed")
+		}
 		pc.packetStopCh = make(chan struct{})
 	}
 
 	// Stop base controller
+	ctrld.ProxyLogger.Load().Info().Msgf("[PacketCapture] Stop() - stopping base controller (restart=%v, pin=%d)", restart, pin)
 	if !restart {
 		errorCode = cli.CheckDeactivationPin(pin, pc.baseController.stopCh)
+		ctrld.ProxyLogger.Load().Info().Msgf("[PacketCapture] Stop() - deactivation pin check returned: %d", errorCode)
 	}
 	if errorCode == 0 && pc.baseController.stopCh != nil {
+		ctrld.ProxyLogger.Load().Info().Msg("[PacketCapture] Stop() - closing base controller stop channel")
+		select {
+		case <-pc.baseController.stopCh:
+			// Already closed
+			ctrld.ProxyLogger.Load().Info().Msg("[PacketCapture] Stop() - base controller stop channel already closed")
+		default:
 			close(pc.baseController.stopCh)
+			ctrld.ProxyLogger.Load().Info().Msg("[PacketCapture] Stop() - base controller stop channel closed")
+		}
 		pc.baseController.stopCh = nil
 	}
 
+	ctrld.ProxyLogger.Load().Info().Msgf("[PacketCapture] Stop() - shutdown complete, errorCode=%d", errorCode)
 	return errorCode
 }