Revert "[relay] Update GO version and QUIC version"

.devcontainer/Dockerfile

@@ -1,15 +1,15 @@
-FROM golang:1.25-bookworm
+FROM golang:1.23-bullseye
 
 RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
     && apt-get -y install --no-install-recommends\
-        gettext-base=0.21-12 \
-        iptables=1.8.9-2 \
-        libgl1-mesa-dev=22.3.6-1+deb12u1 \
-        xorg-dev=1:7.7+23 \
-        libayatana-appindicator3-dev=0.5.92-1 \
+        gettext-base=0.21-4 \ 
+        iptables=1.8.7-1 \
+        libgl1-mesa-dev=20.3.5-1 \
+        xorg-dev=1:7.7+22 \
+        libayatana-appindicator3-dev=0.5.5-2+deb11u2 \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/* \
-    && go install -v golang.org/x/tools/gopls@latest
+    && go install -v golang.org/x/tools/gopls@v0.18.1
 
 
 WORKDIR /app

.github/workflows/golang-test-freebsd.yml

@@ -25,7 +25,7 @@ jobs:
           release: "14.2"
           prepare: |
             pkg install -y curl pkgconf xorg
-            GO_TARBALL="go1.25.3.freebsd-amd64.tar.gz"
+            GO_TARBALL="go1.24.10.freebsd-amd64.tar.gz"
             GO_URL="https://go.dev/dl/$GO_TARBALL"
             curl -vLO "$GO_URL"
             tar -C /usr/local -vxzf "$GO_TARBALL"            

.github/workflows/golang-test-linux.yml

@@ -200,7 +200,7 @@ jobs:
             -e GOCACHE=${CONTAINER_GOCACHE} \
             -e GOMODCACHE=${CONTAINER_GOMODCACHE} \
             -e CONTAINER=${CONTAINER} \
-            golang:1.25-alpine \
+            golang:1.24-alpine \
             sh -c ' \
               apk update; apk add --no-cache \
                 ca-certificates iptables ip6tables dbus dbus-dev libpcap-dev build-base; \
@@ -259,7 +259,7 @@ jobs:
           CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
           go test ${{ matrix.raceFlag }} \
             -exec 'sudo' \
-            -timeout 10m -p 1 ./relay/... ./shared/relay/...
+            -timeout 10m ./relay/... ./shared/relay/...
 
   test_signal:
     name: "Signal / Unit"

.github/workflows/golangci-lint.yml

@@ -52,10 +52,7 @@ jobs:
         if: matrix.os == 'ubuntu-latest'
         run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev libpcap-dev
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
+        uses: golangci/golangci-lint-action@v4
         with:
           version: latest
-          skip-cache: true
-          skip-save-cache: true
-          cache-invalidation-interval: 0
-          args: --timeout=12m
+          args: --timeout=12m --out-format colored-line-number

.github/workflows/release.yml

@@ -63,7 +63,7 @@ jobs:
             pkg install -y git curl portlint go
 
             # Install Go for building
-            GO_TARBALL="go1.25.5.freebsd-amd64.tar.gz"
+            GO_TARBALL="go1.24.10.freebsd-amd64.tar.gz"
             GO_URL="https://go.dev/dl/$GO_TARBALL"
             curl -LO "$GO_URL"
             tar -C /usr/local -xzf "$GO_TARBALL"

.github/workflows/wasm-build-validation.yml

@@ -14,9 +14,6 @@ jobs:
   js_lint:
     name: "JS / Lint"
     runs-on: ubuntu-latest
-    env:
-      GOOS: js
-      GOARCH: wasm
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -27,14 +24,16 @@ jobs:
       - name: Install dependencies
         run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev libpcap-dev
       - name: Install golangci-lint
-        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
+        uses: golangci/golangci-lint-action@d6238b002a20823d52840fda27e2d4891c5952dc
         with:
           version: latest
           install-mode: binary
           skip-cache: true
-          skip-save-cache: true
-          cache-invalidation-interval: 0
-          working-directory: ./client
+          skip-pkg-cache: true
+          skip-build-cache: true
+      - name: Run golangci-lint for WASM
+        run: |
+          GOOS=js GOARCH=wasm golangci-lint run --timeout=12m --out-format colored-line-number ./client/...
         continue-on-error: true
 
   js_build:

.golangci.yaml

@@ -1,124 +1,139 @@
-version: "2"
+run:
+  # Timeout for analysis, e.g. 30s, 5m.
+  # Default: 1m
+  timeout: 6m
+
+# This file contains only configs which differ from defaults.
+# All possible options can be found here https://github.com/golangci/golangci-lint/blob/master/.golangci.reference.yml
+linters-settings:
+  errcheck:
+    # Report about not checking of errors in type assertions: `a := b.(MyStruct)`.
+    # Such cases aren't reported by default.
+    # Default: false
+    check-type-assertions: false
+
+  gosec:
+    includes:
+      - G101 # Look for hard coded credentials
+      #- G102 # Bind to all interfaces
+      - G103 # Audit the use of unsafe block
+      - G104 # Audit errors not checked
+      - G106 # Audit the use of ssh.InsecureIgnoreHostKey
+      #- G107 # Url provided to HTTP request as taint input
+      - G108 # Profiling endpoint automatically exposed on /debug/pprof
+      - G109 # Potential Integer overflow made by strconv.Atoi result conversion to int16/32
+      - G110 # Potential DoS vulnerability via decompression bomb
+      - G111 # Potential directory traversal
+      #- G112 # Potential slowloris attack
+      - G113 # Usage of Rat.SetString in math/big with an overflow (CVE-2022-23772)
+      #- G114 # Use of net/http serve function that has no support for setting timeouts
+      - G201 # SQL query construction using format string
+      - G202 # SQL query construction using string concatenation
+      - G203 # Use of unescaped data in HTML templates
+      #- G204 # Audit use of command execution
+      - G301 # Poor file permissions used when creating a directory
+      - G302 # Poor file permissions used with chmod
+      - G303 # Creating tempfile using a predictable path
+      - G304 # File path provided as taint input
+      - G305 # File traversal when extracting zip/tar archive
+      - G306 # Poor file permissions used when writing to a new file
+      - G307 # Poor file permissions used when creating a file with os.Create
+      #- G401 # Detect the usage of DES, RC4, MD5 or SHA1
+      #- G402 # Look for bad TLS connection settings
+      - G403 # Ensure minimum RSA key length of 2048 bits
+      #- G404 # Insecure random number source (rand)
+      #- G501 # Import blocklist: crypto/md5
+      - G502 # Import blocklist: crypto/des
+      - G503 # Import blocklist: crypto/rc4
+      - G504 # Import blocklist: net/http/cgi
+      #- G505 # Import blocklist: crypto/sha1
+      - G601 # Implicit memory aliasing of items from a range statement
+      - G602 # Slice access out of bounds
+
+  gocritic:
+    disabled-checks:
+      - commentFormatting
+      - captLocal
+      - deprecatedComment
+
+  govet:
+    # Enable all analyzers.
+    # Default: false
+    enable-all: false
+    enable:
+      - nilness
+
+  revive:
+    rules:
+      - name: exported
+        severity: warning
+        disabled: false
+        arguments:
+          - "checkPrivateReceivers"
+          - "sayRepetitiveInsteadOfStutters"
+  tenv:
+    # The option `all` will run against whole test files (`_test.go`) regardless of method/function signatures.
+    # Otherwise, only methods that take `*testing.T`, `*testing.B`, and `testing.TB` as arguments are checked.
+    # Default: false
+    all: true
+
 linters:
-  default: none
+  disable-all: true
   enable:
-    - bodyclose
-    - dupword
-    - durationcheck
-    - errcheck
-    - forbidigo
-    - gocritic
-    - gosec
-    - govet
-    - ineffassign
-    - mirror
-    - misspell
-    - nilerr
-    - nilnil
-    - predeclared
-    - revive
-    - sqlclosecheck
-    - staticcheck
-    - unused
-    - wastedassign
-  settings:
-    errcheck:
-      check-type-assertions: false
-    gocritic:
-      disabled-checks:
-        - commentFormatting
-        - captLocal
-        - deprecatedComment
-    gosec:
-      includes:
-        - G101
-        - G103
-        - G104
-        - G106
-        - G108
-        - G109
-        - G110
-        - G111
-        - G201
-        - G202
-        - G203
-        - G301
-        - G302
-        - G303
-        - G304
-        - G305
-        - G306
-        - G307
-        - G403
-        - G502
-        - G503
-        - G504
-        - G601
-        - G602
-    govet:
-      enable:
-        - nilness
-      enable-all: false
-    revive:
-      rules:
-        - name: exported
-          arguments:
-            - checkPrivateReceivers
-            - sayRepetitiveInsteadOfStutters
-          severity: warning
-          disabled: false
-  exclusions:
-    generated: lax
-    presets:
-      - comments
-      - common-false-positives
-      - legacy
-      - std-error-handling
-    rules:
-      - linters:
-          - forbidigo
-        path: management/cmd/root\.go
-      - linters:
-          - forbidigo
-        path: signal/cmd/root\.go
-      - linters:
-          - unused
-        path: sharedsock/filter\.go
-      - linters:
-          - unused
-        path: client/firewall/iptables/rule\.go
-      - linters:
-          - gosec
-          - mirror
-        path: test\.go
-      - linters:
-          - nilnil
-        path: mock\.go
-      - linters:
-          - staticcheck
-        text: grpc.DialContext is deprecated
-      - linters:
-          - staticcheck
-        text: grpc.WithBlock is deprecated
-      - linters:
-          - staticcheck
-        text: "QF1001"
-      - linters:
-          - staticcheck
-        text: "QF1008"
-      - linters:
-          - staticcheck
-        text: "QF1012"
-    paths:
-      - third_party$
-      - builtin$
-      - examples$
+    ## enabled by default
+    - errcheck # checking for unchecked errors, these unchecked errors can be critical bugs in some cases
+    - gosimple # specializes in simplifying a code
+    - govet # reports suspicious constructs, such as Printf calls whose arguments do not align with the format string
+    - ineffassign # detects when assignments to existing variables are not used
+    - staticcheck # is a go vet on steroids, applying a ton of static analysis checks
+    - tenv # Tenv is analyzer that detects using os.Setenv instead of t.Setenv since Go1.17.
+    - typecheck # like the front-end of a Go compiler, parses and type-checks Go code
+    - unused # checks for unused constants, variables, functions and types
+    ## disable by default but the have interesting results so lets add them
+    - bodyclose # checks whether HTTP response body is closed successfully
+    - dupword # dupword checks for duplicate words in the source code
+    - durationcheck # durationcheck checks for two durations multiplied together
+    - forbidigo # forbidigo forbids identifiers
+    - gocritic # provides diagnostics that check for bugs, performance and style issues
+    - gosec # inspects source code for security problems
+    - mirror # mirror reports wrong mirror patterns of bytes/strings usage
+    - misspell # misspess finds commonly misspelled English words in comments
+    - nilerr # finds the code that returns nil even if it checks that the error is not nil
+    - nilnil # checks that there is no simultaneous return of nil error and an invalid value
+    - predeclared # predeclared finds code that shadows one of Go's predeclared identifiers
+    - revive # Fast, configurable, extensible, flexible, and beautiful linter for Go. Drop-in replacement of golint.
+    - sqlclosecheck # checks that sql.Rows and sql.Stmt are closed
+    # - thelper # thelper detects Go test helpers without t.Helper() call and checks the consistency of test helpers.
+    - wastedassign # wastedassign finds wasted assignment statements
 issues:
+  # Maximum count of issues with the same text.
+  # Set to 0 to disable.
+  # Default: 3
   max-same-issues: 5
-formatters:
-  exclusions:
-    generated: lax
-    paths:
-      - third_party$
-      - builtin$
-      - examples$
+
+  exclude-rules:
+    # allow fmt
+    - path: management/cmd/root\.go
+      linters: forbidigo
+    - path: signal/cmd/root\.go
+      linters: forbidigo
+    - path: sharedsock/filter\.go
+      linters:
+      - unused
+    - path: client/firewall/iptables/rule\.go
+      linters:
+      - unused
+    - path: test\.go
+      linters:
+      - mirror
+      - gosec
+    - path: mock\.go
+      linters:
+      - nilnil
+    # Exclude specific deprecation warnings for grpc methods
+    - linters:
+       - staticcheck
+      text: "grpc.DialContext is deprecated"
+    - linters:
+        - staticcheck
+      text: "grpc.WithBlock is deprecated"

client/cmd/debug.go

@@ -136,7 +136,6 @@ func setLogLevel(cmd *cobra.Command, args []string) error {
 	client := proto.NewDaemonServiceClient(conn)
 	level := server.ParseLogLevel(args[0])
 	if level == proto.LogLevel_UNKNOWN {
-		//nolint
 		return fmt.Errorf("unknown log level: %s. Available levels are: panic, fatal, error, warn, info, debug, trace\n", args[0])
 	}
 

client/cmd/login.go

@@ -81,7 +81,6 @@ var loginCmd = &cobra.Command{
 func doDaemonLogin(ctx context.Context, cmd *cobra.Command, providedSetupKey string, activeProf *profilemanager.Profile, username string, pm *profilemanager.ProfileManager) error {
 	conn, err := DialClientGRPCServer(ctx, daemonAddr)
 	if err != nil {
-		//nolint
 		return fmt.Errorf("failed to connect to daemon error: %v\n"+
 			"If the daemon is not running please run: "+
 			"\nnetbird service install \nnetbird service start\n", err)
@@ -207,7 +206,6 @@ func switchProfileOnDaemon(ctx context.Context, pm *profilemanager.ProfileManage
 func switchProfile(ctx context.Context, profileName string, username string) error {
 	conn, err := DialClientGRPCServer(ctx, daemonAddr)
 	if err != nil {
-		//nolint
 		return fmt.Errorf("failed to connect to daemon error: %v\n"+
 			"If the daemon is not running please run: "+
 			"\nnetbird service install \nnetbird service start\n", err)

client/cmd/pprof.go

@@ -1,4 +1,5 @@
 //go:build pprof
+// +build pprof
 
 package cmd