Upload 53 files

.gitignore

@@ -0,0 +1,127 @@
+# Python
+__pycache__/
+*.py[cod]
+*$py.class
+*.so
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+pip-wheel-metadata/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# Virtual environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# IDEs
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+
+# OS
+.DS_Store
+.DS_Store?
+._*
+.Spotlight-V100
+.Trashes
+ehthumbs.db
+Thumbs.db
+
+# Logs
+*.log
+logs/
+/var/log/
+
+# Database
+*.db
+*.sqlite
+*.sqlite3
+
+# VPN configurations (for security)
+*.ovpn
+*.crt
+*.key
+*.pem
+/tmp/vpn_client_configs/
+
+# OpenVPN
+/etc/openvpn/
+/var/log/openvpn/
+
+# Temporary files
+/tmp/
+*.tmp
+*.temp
+
+# Flask
+instance/
+.webassets-cache
+
+# Environment variables
+.env.local
+.env.development.local
+.env.test.local
+.env.production.local
+
+# Coverage reports
+htmlcov/
+.tox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# pyenv
+.python-version
+
+# Celery
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+

DEPLOYMENT_GUIDE.md

@@ -0,0 +1,529 @@
+# Virtual ISP Stack with OpenVPN Integration - Complete Deployment Guide
+
+**Author**: Manus AI  
+**Version**: 1.0.0  
+**Last Updated**: August 2025
+
+## Table of Contents
+
+1. [Introduction](#introduction)
+2. [Architecture Overview](#architecture-overview)
+3. [Prerequisites](#prerequisites)
+4. [Local Development Setup](#local-development-setup)
+5. [HuggingFace Spaces Deployment](#huggingface-spaces-deployment)
+6. [Docker Deployment](#docker-deployment)
+7. [API Reference](#api-reference)
+8. [Client Connection Workflow](#client-connection-workflow)
+9. [Security Considerations](#security-considerations)
+10. [Troubleshooting](#troubleshooting)
+11. [Performance Optimization](#performance-optimization)
+12. [Monitoring and Maintenance](#monitoring-and-maintenance)
+
+## Introduction
+
+The Virtual ISP Stack with OpenVPN Integration represents a comprehensive solution for creating a complete Internet Service Provider (ISP) infrastructure with integrated Virtual Private Network (VPN) capabilities. This system is designed to provide educational insights into network infrastructure management while offering practical VPN services that can be deployed in various environments.
+
+The application combines traditional ISP stack components including Dynamic Host Configuration Protocol (DHCP) services, Network Address Translation (NAT) engines, firewall management, and routing capabilities with a fully integrated OpenVPN server. This integration allows for seamless VPN client management, automated configuration generation, and comprehensive network monitoring through a unified RESTful API interface.
+
+The system has been specifically architected to support multiple deployment scenarios, from local development environments to cloud-based platforms like HuggingFace Spaces, Docker containers, and traditional server deployments. The modular design ensures that components can be independently managed while maintaining tight integration for optimal performance and reliability.
+
+## Architecture Overview
+
+### Core Components
+
+The Virtual ISP Stack is built upon several interconnected components that work together to provide comprehensive network services. The architecture follows a microservices-inspired design pattern where each component maintains its own responsibilities while communicating through well-defined interfaces.
+
+#### ISP Stack Components
+
+The foundational ISP stack consists of multiple specialized engines that handle different aspects of network management. The DHCP Server component manages dynamic IP address allocation within the configured network ranges, maintaining lease tables and handling client requests for network configuration. This component supports both dynamic allocation and static lease assignment, allowing for flexible network management strategies.
+
+The NAT Engine provides Network Address Translation services, enabling multiple clients to share a single public IP address while maintaining session tracking and port management. The engine maintains comprehensive session tables that track active connections, monitor bandwidth usage, and provide detailed statistics for network analysis.
+
+The Firewall Engine implements a rule-based packet filtering system that can be dynamically configured through the API. It supports various rule types including source and destination IP filtering, port-based rules, protocol-specific filtering, and time-based access controls. The firewall maintains detailed logs of all filtered traffic and provides real-time statistics on rule effectiveness.
+
+The Virtual Router component manages routing tables and handles packet forwarding between different network segments. It maintains ARP tables, manages network interfaces, and provides comprehensive routing statistics. The router integrates closely with other components to ensure optimal packet flow and network performance.
+
+#### OpenVPN Integration
+
+The OpenVPN integration layer provides comprehensive VPN server management capabilities through a dedicated OpenVPN Manager component. This component handles server lifecycle management, client connection monitoring, and configuration generation. The integration is designed to work seamlessly with the existing ISP stack components, allowing VPN clients to participate fully in the managed network environment.
+
+The OpenVPN Manager maintains real-time monitoring of connected clients, tracking connection statistics, bandwidth usage, and session duration. It provides automated client configuration generation with embedded certificates, eliminating the need for separate certificate distribution mechanisms.
+
+#### API Layer
+
+The RESTful API layer provides a unified interface for managing all system components. Built using Flask with comprehensive CORS support, the API enables both programmatic access and web-based management interfaces. The API follows RESTful design principles with consistent response formats, proper HTTP status codes, and comprehensive error handling.
+
+### Data Flow Architecture
+
+The system implements a sophisticated data flow architecture that ensures efficient packet processing and minimal latency. Incoming client requests are processed through multiple stages, beginning with firewall evaluation, proceeding through NAT translation if required, and finally reaching the appropriate destination through the routing engine.
+
+VPN traffic follows a specialized path that integrates with the standard ISP stack processing. VPN clients connect through the OpenVPN server, receive IP addresses from the integrated DHCP system, and have their traffic processed through the same NAT and firewall engines as traditional clients. This unified approach ensures consistent policy application and comprehensive monitoring across all network traffic.
+
+## Prerequisites
+
+### System Requirements
+
+The Virtual ISP Stack requires a Linux-based operating system with kernel version 3.10 or higher. The system should have at least 2GB of available RAM and 10GB of free disk space. Network connectivity is essential, and the system should have at least one network interface configured with internet access.
+
+For production deployments, the system should have a static IP address or dynamic DNS configuration to ensure consistent client connectivity. The deployment environment should support the creation of virtual network interfaces and have appropriate permissions for network configuration management.
+
+### Software Dependencies
+
+The application requires Python 3.11 or higher with pip package manager. Flask 3.1.1 serves as the primary web framework, with Flask-CORS providing cross-origin request support and Flask-SQLAlchemy handling database operations. The system uses SQLite for data persistence, though other database backends can be configured if needed.
+
+OpenVPN server software is required for VPN functionality, though the application can operate in ISP-only mode if OpenVPN is not available. Additional Python packages include aiohttp for asynchronous operations, websockets for real-time communication, and various utility libraries for network operations and data processing.
+
+### Network Configuration
+
+The system requires specific network configuration to operate effectively. The default configuration uses the 10.0.0.0/24 network range for ISP services and 10.8.0.0/24 for VPN clients. These ranges can be customized through the application configuration, but care should be taken to avoid conflicts with existing network infrastructure.
+
+Firewall rules on the host system should allow traffic on the configured ports. The default configuration uses port 7860 for the web API, port 1194 for OpenVPN services, and various high-numbered ports for internal communication between components.
+
+## Local Development Setup
+
+### Installation Process
+
+Setting up the Virtual ISP Stack for local development begins with cloning or downloading the application source code to a suitable directory. The recommended approach is to create a dedicated directory for the application and ensure that the Python environment has appropriate permissions for network operations.
+
+Begin by creating a virtual environment to isolate the application dependencies from the system Python installation. This approach prevents conflicts with other Python applications and ensures consistent dependency versions across different deployment environments.
+
+```bash
+python3 -m venv venv
+source venv/bin/activate
+pip install -r requirements.txt
+```
+
+The requirements.txt file contains all necessary Python dependencies with specific version numbers to ensure compatibility. The installation process typically takes several minutes depending on network connectivity and system performance.
+
+### Configuration Setup
+
+The application uses a configuration-based approach that allows customization of network ranges, service ports, and operational parameters. The default configuration is suitable for most development environments, but production deployments should review and customize these settings based on specific requirements.
+
+Database initialization occurs automatically during the first application startup. The system creates necessary tables and initializes default configuration values. For development environments, the SQLite database provides adequate performance and simplifies deployment requirements.
+
+Network configuration should be reviewed to ensure that the selected IP ranges do not conflict with existing network infrastructure. The application provides configuration validation during startup and will report any detected conflicts or configuration issues.
+
+### Starting the Development Server
+
+The development server can be started using the provided app.py entry point. The server will initialize all components, establish database connections, and begin listening for client connections on the configured port.
+
+```bash
+python app.py
+```
+
+The startup process includes comprehensive logging that provides visibility into component initialization and any potential issues. The server typically requires 10-15 seconds to fully initialize all components and begin accepting connections.
+
+During development, the server provides detailed logging output that includes API requests, component status changes, and error conditions. This information is valuable for debugging and understanding system behavior during development and testing.
+
+### Development Testing
+
+The development environment includes comprehensive testing capabilities that allow verification of all system components. The API endpoints can be tested using standard HTTP clients like curl or specialized API testing tools.
+
+Basic functionality testing should include health check verification, component status queries, and configuration generation testing. The system provides detailed error messages and logging to assist with troubleshooting during development.
+
+```bash
+curl http://localhost:7860/health
+curl http://localhost:7860/api/openvpn/status
+curl -o test-client.ovpn "http://localhost:7860/api/openvpn/config/test-client?server_ip=127.0.0.1"
+```
+
+## HuggingFace Spaces Deployment
+
+### Platform Overview
+
+HuggingFace Spaces provides a cloud-based platform for deploying machine learning applications and web services. The platform supports various frameworks including Gradio, Streamlit, and custom applications using Docker or Python environments. The Virtual ISP Stack has been specifically optimized for deployment on HuggingFace Spaces with minimal configuration requirements.
+
+The platform provides automatic scaling, SSL certificate management, and integrated monitoring capabilities. Applications deployed on HuggingFace Spaces receive a unique URL and can be configured for public or private access. The platform handles infrastructure management, allowing developers to focus on application functionality rather than server administration.
+
+### Deployment Preparation
+
+Preparing the Virtual ISP Stack for HuggingFace Spaces deployment involves organizing the application files in the correct structure and ensuring that all dependencies are properly specified. The application includes a pre-configured app.py file that serves as the entry point for HuggingFace Spaces deployment.
+
+The requirements.txt file has been optimized for the HuggingFace Spaces environment, including only necessary dependencies and specifying compatible versions. The application structure follows HuggingFace Spaces conventions with the main application file at the root level and supporting modules organized in subdirectories.
+
+Configuration management for HuggingFace Spaces deployment uses environment variables and default values that work within the platform constraints. The application automatically detects the HuggingFace Spaces environment and adjusts configuration parameters accordingly.
+
+### Deployment Process
+
+Deploying to HuggingFace Spaces involves creating a new Space on the platform and uploading the application files. The platform supports both web-based file upload and Git repository integration for more advanced deployment workflows.
+
+The deployment process begins by creating a new Space with the "Gradio" or "Custom" template, depending on the specific requirements. The application files should be uploaded to the Space repository, maintaining the directory structure and file permissions.
+
+Once the files are uploaded, HuggingFace Spaces automatically detects the application type and begins the deployment process. The platform installs dependencies, initializes the application, and provides a public URL for access. The deployment typically takes 5-10 minutes depending on the complexity of dependencies and platform load.
+
+### Post-Deployment Configuration
+
+After successful deployment, the application requires minimal configuration to begin operation. The HuggingFace Spaces environment provides automatic port assignment and SSL certificate management, eliminating the need for manual network configuration.
+
+The application includes health check endpoints that can be used to verify successful deployment and monitor ongoing operation. These endpoints provide detailed status information about all system components and can be used for automated monitoring and alerting.
+
+Access to the deployed application is provided through the HuggingFace Spaces URL, which includes automatic SSL encryption and global content delivery network acceleration. The platform provides usage analytics and performance monitoring through the Spaces dashboard.
+
+### Limitations and Considerations
+
+HuggingFace Spaces deployment includes certain limitations that should be considered when planning production use. The platform provides limited computational resources and may not be suitable for high-traffic applications or resource-intensive operations.
+
+Network configuration options are limited in the HuggingFace Spaces environment, which may affect certain advanced networking features. The OpenVPN server functionality may be restricted due to platform security policies and network isolation requirements.
+
+Data persistence is limited in the HuggingFace Spaces environment, with temporary storage being cleared during application restarts. Applications requiring persistent data storage should implement external database connections or cloud storage integration.
+
+## Docker Deployment
+
+### Container Architecture
+
+The Docker deployment option provides a fully containerized environment that includes all necessary dependencies and system components. The provided Dockerfile creates a complete Linux environment with OpenVPN server capabilities, Python runtime, and all required system utilities.
+
+The container architecture follows best practices for security and performance, using a minimal base image and installing only necessary components. The container includes comprehensive health checking capabilities and supports various orchestration platforms including Docker Compose, Kubernetes, and Docker Swarm.
+
+Network configuration within the container environment requires careful consideration of port mapping and network isolation requirements. The container exposes necessary ports for API access and VPN connectivity while maintaining security through proper firewall configuration.
+
+### Building the Container
+
+Building the Docker container involves using the provided Dockerfile to create a complete application image. The build process includes system dependency installation, Python environment setup, and application configuration.
+
+```bash
+docker build -t virtual-isp-stack .
+```
+
+The build process typically takes 10-15 minutes depending on network connectivity and system performance. The resulting image includes all necessary components and can be deployed on any Docker-compatible platform.
+
+Container optimization includes multi-stage builds to minimize image size and security scanning to identify potential vulnerabilities. The final image is designed to be production-ready with appropriate security configurations and performance optimizations.
+
+### Container Deployment
+
+Deploying the containerized application involves running the Docker image with appropriate port mappings and volume mounts. The container requires privileged access for network operations and OpenVPN functionality.
+
+```bash
+docker run -d --name virtual-isp-stack \
+  --privileged \
+  -p 7860:7860 \
+  -p 1194:1194/udp \
+  -v /path/to/data:/app/data \
+  virtual-isp-stack
+```
+
+The deployment configuration includes port mappings for API access and VPN connectivity, volume mounts for persistent data storage, and environment variable configuration for customization. The container includes comprehensive logging and monitoring capabilities for production deployment.
+
+### Orchestration Support
+
+The containerized application supports various orchestration platforms including Docker Compose for simple multi-container deployments and Kubernetes for enterprise-scale deployments. The application includes configuration templates for common orchestration scenarios.
+
+Docker Compose deployment provides a simple way to deploy the application with supporting services like databases or monitoring tools. The provided docker-compose.yml file includes all necessary service definitions and network configurations.
+
+Kubernetes deployment involves creating appropriate manifests for pods, services, and ingress controllers. The application supports horizontal scaling through load balancing, though certain components require careful consideration for distributed deployment.
+
+## API Reference
+
+### Authentication and Authorization
+
+The Virtual ISP Stack API currently operates without authentication requirements for development and testing purposes. Production deployments should implement appropriate authentication mechanisms based on specific security requirements and deployment environments.
+
+The API supports Cross-Origin Resource Sharing (CORS) to enable web-based management interfaces and third-party integrations. CORS configuration can be customized through application settings to restrict access to specific domains or origins.
+
+Rate limiting and request throttling are not implemented in the current version but should be considered for production deployments to prevent abuse and ensure fair resource allocation among users.
+
+### OpenVPN Management Endpoints
+
+The OpenVPN management API provides comprehensive control over VPN server operations and client management. These endpoints enable programmatic management of the VPN service without requiring direct server access.
+
+#### Server Control Operations
+
+The server control endpoints provide basic lifecycle management for the OpenVPN server. The status endpoint returns comprehensive information about server state, connected clients, and performance metrics.
+
+**GET /api/openvpn/status**
+
+Returns current OpenVPN server status including operational state, connected client count, traffic statistics, and uptime information. The response includes detailed metrics that can be used for monitoring and capacity planning.
+
+```json
+{
+  "status": "success",
+  "openvpn_status": {
+    "is_running": false,
+    "connected_clients": 0,
+    "total_bytes_received": 0,
+    "total_bytes_sent": 0,
+    "uptime": 0,
+    "server_ip": "10.8.0.1",
+    "server_port": 1194
+  }
+}
+```
+
+**POST /api/openvpn/start**
+
+Initiates the OpenVPN server startup process. The endpoint performs comprehensive validation of server configuration and system requirements before attempting to start the service. The response indicates success or failure with detailed error information if startup fails.
+
+**POST /api/openvpn/stop**
+
+Gracefully shuts down the OpenVPN server, disconnecting all clients and cleaning up system resources. The endpoint ensures that all client connections are properly terminated and that system state is restored to a clean condition.
+
+#### Client Management Operations
+
+Client management endpoints provide detailed control over individual VPN client connections and comprehensive monitoring of client activity.
+
+**GET /api/openvpn/clients**
+
+Returns a list of currently connected VPN clients with detailed information about each connection including client identifier, IP address assignment, connection duration, and traffic statistics.
+
+**POST /api/openvpn/clients/{client_id}/disconnect**
+
+Forcibly disconnects a specific VPN client by client identifier. The operation is performed gracefully when possible but can force disconnection if necessary. The endpoint provides confirmation of disconnection success or failure.
+
+#### Configuration Management Operations
+
+Configuration management endpoints handle the generation, storage, and retrieval of client VPN configurations. These endpoints support both on-demand generation and persistent storage of client configurations.
+
+**GET /api/openvpn/config/{client_name}**
+
+Generates and returns a complete OpenVPN client configuration file for the specified client name. The configuration includes embedded certificates and all necessary connection parameters. The server IP address must be provided as a query parameter.
+
+**GET /api/openvpn/configs**
+
+Returns a list of all stored client configurations. This endpoint provides an overview of all clients that have been configured for VPN access.
+
+**POST /api/openvpn/configs/{client_name}/generate**
+
+Generates a new client configuration and stores it for future retrieval. This endpoint combines configuration generation with persistent storage, allowing for consistent client configuration management.
+
+**DELETE /api/openvpn/configs/{client_name}**
+
+Removes a stored client configuration from the system. This operation is permanent and cannot be undone, though new configurations can be generated for the same client name.
+
+### ISP Stack Management Endpoints
+
+The ISP stack management endpoints provide control and monitoring capabilities for the core networking components including DHCP, NAT, firewall, and routing services.
+
+#### DHCP Management
+
+DHCP management endpoints provide visibility into IP address allocation and lease management. These endpoints enable monitoring of network utilization and troubleshooting of connectivity issues.
+
+**GET /api/dhcp/leases**
+
+Returns the current DHCP lease table showing all active IP address assignments. The response includes client MAC addresses, assigned IP addresses, lease expiration times, and client hostnames when available.
+
+**DELETE /api/dhcp/leases/{mac_address}**
+
+Releases a specific DHCP lease by MAC address. This operation forces the immediate release of an IP address assignment and makes the address available for reassignment to other clients.
+
+#### NAT and Firewall Management
+
+NAT and firewall management endpoints provide comprehensive control over network address translation and packet filtering operations.
+
+**GET /api/nat/sessions**
+
+Returns the current NAT session table showing all active network address translations. The response includes source and destination addresses, port mappings, session duration, and traffic statistics.
+
+**GET /api/firewall/rules**
+
+Returns the current firewall rule set with detailed information about each rule including priority, action, matching criteria, and usage statistics.
+
+**POST /api/firewall/rules**
+
+Creates a new firewall rule with specified matching criteria and action. The endpoint validates rule syntax and checks for conflicts with existing rules before adding the new rule to the active rule set.
+
+## Client Connection Workflow
+
+### Configuration Generation Process
+
+The client connection workflow begins with the generation of appropriate OpenVPN client configuration files. This process involves several steps that ensure proper authentication, network configuration, and security policy application.
+
+The configuration generation process starts with the client making a request to the configuration generation endpoint, specifying the desired client name and server IP address. The system validates the request parameters and checks for any existing configurations with the same client name.
+
+Upon successful validation, the system generates a complete OpenVPN client configuration that includes all necessary connection parameters, embedded certificates, and security settings. The configuration is customized for the specific client and includes unique identifiers that enable proper tracking and management.
+
+The generated configuration includes comprehensive network settings that ensure proper integration with the ISP stack components. DNS server assignments, routing configurations, and security policies are all embedded in the client configuration to provide a seamless connection experience.
+
+### Client Software Installation
+
+VPN clients require appropriate OpenVPN client software to establish connections using the generated configurations. The choice of client software depends on the operating system and specific requirements of the deployment environment.
+
+For desktop operating systems including Windows, macOS, and Linux, the official OpenVPN client software provides comprehensive functionality and broad compatibility. The client software supports both GUI and command-line operation modes, enabling integration with various management and automation systems.
+
+Mobile devices including iOS and Android require specialized client applications that are available through the respective app stores. The OpenVPN Connect application provides official support for OpenVPN configurations and includes features optimized for mobile device operation.
+
+Enterprise environments may require specialized client software that integrates with existing management systems or provides additional security features. Many commercial VPN client solutions support OpenVPN protocol compatibility and can be used with the generated configurations.
+
+### Connection Establishment
+
+The connection establishment process involves several phases that ensure proper authentication, network configuration, and policy application. The process begins when the client software attempts to establish a connection using the provided configuration file.
+
+Initial connection attempts involve DNS resolution of the server address and establishment of the underlying network connection. The client software validates the server certificate and establishes an encrypted tunnel for subsequent communication.
+
+Authentication occurs through the exchange of client certificates and validation of client credentials. The server verifies the client certificate against the configured certificate authority and checks for any revocation or expiration conditions.
+
+Upon successful authentication, the server assigns network configuration parameters to the client including IP address assignment, DNS server configuration, and routing table updates. The client software applies these configurations to the local network interface and establishes the VPN tunnel.
+
+### Traffic Flow and Monitoring
+
+Once the VPN connection is established, all client traffic flows through the encrypted tunnel to the VPN server. The server processes this traffic through the integrated ISP stack components, applying appropriate NAT, firewall, and routing policies.
+
+The system maintains comprehensive monitoring of client connections including bandwidth utilization, connection duration, and traffic patterns. This information is available through the API endpoints and can be used for capacity planning and troubleshooting.
+
+Quality of service policies can be applied to VPN traffic to ensure appropriate bandwidth allocation and priority handling. The system supports various QoS mechanisms including traffic shaping, priority queuing, and bandwidth limiting.
+
+Connection monitoring includes real-time detection of connection failures and automatic reconnection attempts. The system provides detailed logging of connection events and can generate alerts for significant events or threshold violations.
+
+### Troubleshooting Common Issues
+
+Client connection issues can arise from various sources including network connectivity problems, configuration errors, certificate issues, or server-side problems. The system provides comprehensive logging and diagnostic capabilities to assist with troubleshooting.
+
+Network connectivity issues are often the most common source of connection problems. Clients should verify basic internet connectivity and ensure that the VPN server address is reachable. Firewall configurations on both client and server sides should be reviewed to ensure that necessary ports are accessible.
+
+Configuration errors can prevent successful connection establishment or cause unexpected behavior after connection. The system validates configuration files during generation, but network environment changes or client software incompatibilities can cause issues.
+
+Certificate problems including expiration, revocation, or validation errors can prevent authentication. The system provides detailed error messages for certificate-related issues and includes tools for certificate validation and troubleshooting.
+
+## Security Considerations
+
+### Certificate Management
+
+The current implementation includes sample certificates and keys for demonstration and testing purposes. These certificates should never be used in production environments as they provide no security and are publicly available.
+
+Production deployments require the generation of proper Public Key Infrastructure (PKI) certificates using tools like Easy-RSA or commercial certificate authorities. The certificate generation process should include proper key length selection, appropriate validity periods, and secure key storage practices.
+
+Certificate revocation capabilities should be implemented for production environments to handle compromised certificates or terminated client access. The system should support Certificate Revocation Lists (CRL) or Online Certificate Status Protocol (OCSP) for real-time certificate validation.
+
+Regular certificate rotation and renewal processes should be established to maintain security over time. Automated certificate management tools can help reduce the operational burden of certificate lifecycle management while ensuring consistent security practices.
+
+### Network Security
+
+Network security for the Virtual ISP Stack involves multiple layers of protection including host-level security, application-level security, and network-level security controls. Each layer provides specific protections and should be configured appropriately for the deployment environment.
+
+Host-level security includes operating system hardening, regular security updates, and appropriate access controls. The system should run with minimal privileges and use dedicated user accounts for service operation. File system permissions should be configured to prevent unauthorized access to configuration files and certificates.
+
+Application-level security includes input validation, secure coding practices, and proper error handling. The system implements various security controls including parameter validation, SQL injection prevention, and secure session management.
+
+Network-level security includes firewall configuration, intrusion detection, and network segmentation. The system should be deployed behind appropriate firewall protection and may benefit from network intrusion detection systems for advanced threat detection.
+
+### Access Control and Authentication
+
+The current implementation does not include authentication mechanisms, making it suitable only for development and testing environments. Production deployments should implement appropriate authentication and authorization controls based on specific requirements.
+
+Authentication mechanisms can include username/password authentication, certificate-based authentication, or integration with existing identity management systems. The choice of authentication method should consider security requirements, user experience, and operational complexity.
+
+Authorization controls should implement role-based access control (RBAC) or attribute-based access control (ABAC) to ensure that users have appropriate permissions for their roles. The system should support fine-grained permissions for different API endpoints and operations.
+
+Audit logging should be implemented to track all administrative actions and access attempts. The audit logs should be stored securely and regularly reviewed for suspicious activity or policy violations.
+
+### Data Protection
+
+Data protection for the Virtual ISP Stack includes protection of configuration data, client information, and operational logs. All sensitive data should be encrypted both in transit and at rest using appropriate encryption algorithms and key management practices.
+
+Configuration files containing certificates and keys should be stored with restricted file system permissions and may benefit from additional encryption. Database encryption should be considered for environments storing sensitive client information or operational data.
+
+Network traffic encryption is provided by the OpenVPN protocol, but additional encryption may be appropriate for management traffic and API communications. SSL/TLS encryption should be used for all web-based management interfaces and API access.
+
+Data retention policies should be established to ensure that sensitive information is not retained longer than necessary. Regular data purging and secure deletion practices should be implemented to minimize the risk of data exposure.
+
+## Troubleshooting
+
+### Common Deployment Issues
+
+Deployment issues can arise from various sources including missing dependencies, configuration errors, network connectivity problems, or resource constraints. The system provides comprehensive error reporting and logging to assist with troubleshooting.
+
+Dependency issues are often encountered during initial deployment, particularly in environments with restricted internet access or custom Python configurations. The requirements.txt file specifies all necessary dependencies with version constraints, but some environments may require additional configuration.
+
+Configuration errors can prevent proper system initialization or cause unexpected behavior during operation. The system validates configuration parameters during startup and provides detailed error messages for invalid or conflicting settings.
+
+Network connectivity issues can prevent proper operation of networking components or external service integration. The system includes network connectivity testing capabilities and provides detailed error reporting for network-related problems.
+
+Resource constraints including insufficient memory, disk space, or CPU capacity can cause performance problems or service failures. The system includes resource monitoring capabilities and can provide warnings when resource utilization approaches critical levels.
+
+### Performance Optimization
+
+Performance optimization for the Virtual ISP Stack involves tuning various system parameters and configuration settings to achieve optimal throughput and responsiveness. The system includes several configurable parameters that can be adjusted based on specific deployment requirements.
+
+Network buffer sizes and connection limits can be adjusted to optimize throughput for high-traffic environments. The system supports configuration of various networking parameters including TCP window sizes, connection timeouts, and queue depths.
+
+Database performance can be optimized through appropriate indexing, query optimization, and connection pooling configuration. The system supports various database backends and can be configured for optimal performance based on the specific database platform.
+
+Memory utilization can be optimized through garbage collection tuning, object pooling, and cache configuration. The system includes memory monitoring capabilities and can provide recommendations for memory optimization based on usage patterns.
+
+CPU utilization can be optimized through thread pool configuration, process scheduling, and algorithm selection. The system supports multi-threaded operation and can be configured to take advantage of multi-core systems for improved performance.
+
+### Monitoring and Alerting
+
+Comprehensive monitoring and alerting capabilities are essential for production deployments of the Virtual ISP Stack. The system includes various monitoring endpoints and logging capabilities that can be integrated with external monitoring systems.
+
+Health check endpoints provide real-time status information about all system components and can be used for automated monitoring and alerting. The endpoints return detailed status information including component health, performance metrics, and error conditions.
+
+Performance metrics are available through various API endpoints and include information about throughput, response times, resource utilization, and error rates. These metrics can be exported to external monitoring systems for historical analysis and trend identification.
+
+Log aggregation and analysis capabilities enable comprehensive troubleshooting and security monitoring. The system generates detailed logs for all operations and can be configured to export logs to external systems for centralized analysis.
+
+Alerting configuration should include thresholds for critical metrics including service availability, performance degradation, and security events. The system can be integrated with various alerting platforms to provide timely notification of critical conditions.
+
+## Performance Optimization
+
+### System Tuning
+
+System-level performance tuning involves optimizing the underlying operating system and hardware configuration to support optimal performance of the Virtual ISP Stack. This includes kernel parameter tuning, network stack optimization, and resource allocation adjustments.
+
+Network stack tuning includes adjustments to TCP buffer sizes, connection tracking limits, and network queue configurations. These parameters can significantly impact throughput and latency, particularly in high-traffic environments.
+
+Memory management tuning includes adjustments to virtual memory parameters, cache sizes, and memory allocation strategies. Proper memory configuration can prevent performance degradation due to excessive swapping or memory fragmentation.
+
+CPU scheduling optimization includes process priority adjustments, CPU affinity configuration, and interrupt handling optimization. These adjustments can improve responsiveness and reduce latency for critical system components.
+
+### Application Optimization
+
+Application-level optimization involves tuning the Virtual ISP Stack configuration parameters and implementation details to achieve optimal performance for specific deployment scenarios.
+
+Database optimization includes query optimization, index configuration, and connection pooling tuning. Proper database configuration can significantly improve response times and reduce resource utilization.
+
+Caching strategies can improve performance by reducing redundant computations and database queries. The system supports various caching mechanisms including in-memory caches and distributed caching systems.
+
+Concurrency optimization includes thread pool configuration, asynchronous processing implementation, and lock contention reduction. Proper concurrency management can improve throughput and responsiveness in multi-user environments.
+
+### Scalability Planning
+
+Scalability planning involves designing the deployment architecture to support growth in user base, traffic volume, and feature complexity. The Virtual ISP Stack supports various scalability approaches including vertical scaling, horizontal scaling, and hybrid approaches.
+
+Vertical scaling involves increasing the resources available to a single instance of the system including CPU, memory, and storage capacity. This approach is often the simplest to implement but has limitations in terms of maximum achievable scale.
+
+Horizontal scaling involves deploying multiple instances of the system and distributing load across the instances. This approach can achieve higher scale but requires careful consideration of data consistency and state management.
+
+Load balancing strategies are essential for horizontal scaling and include various approaches such as round-robin distribution, weighted distribution, and session-aware distribution. The choice of load balancing strategy should consider the specific characteristics of the application workload.
+
+## Monitoring and Maintenance
+
+### Operational Monitoring
+
+Operational monitoring of the Virtual ISP Stack involves continuous observation of system health, performance metrics, and security indicators. Effective monitoring enables proactive identification of issues before they impact users and provides data for capacity planning and optimization.
+
+System health monitoring includes tracking of component availability, resource utilization, and error rates. The system provides comprehensive health check endpoints that can be integrated with external monitoring platforms for automated alerting and reporting.
+
+Performance monitoring includes tracking of response times, throughput, and resource efficiency. The system generates detailed performance metrics that can be used for trend analysis, capacity planning, and performance optimization.
+
+Security monitoring includes tracking of authentication events, access patterns, and potential security threats. The system generates comprehensive audit logs that can be analyzed for security incidents and compliance reporting.
+
+### Preventive Maintenance
+
+Preventive maintenance activities are essential for maintaining optimal performance and security of the Virtual ISP Stack over time. Regular maintenance activities include software updates, configuration reviews, and performance optimization.
+
+Software update management includes tracking of security patches, feature updates, and dependency updates. The system should be regularly updated to address security vulnerabilities and take advantage of performance improvements.
+
+Configuration management includes regular review of system configuration parameters, security settings, and operational policies. Configuration drift should be monitored and corrected to maintain consistent system behavior.
+
+Performance optimization should be performed regularly based on monitoring data and changing usage patterns. This includes database maintenance, cache optimization, and resource allocation adjustments.
+
+### Backup and Recovery
+
+Backup and recovery procedures are critical for protecting against data loss and ensuring business continuity. The Virtual ISP Stack includes various data types that require different backup strategies and recovery procedures.
+
+Configuration backup includes system configuration files, certificates, and operational policies. These files should be backed up regularly and stored securely to enable rapid system recovery in case of failure.
+
+Database backup includes client information, operational logs, and system state data. Database backups should be performed regularly and tested to ensure successful recovery capability.
+
+Recovery procedures should be documented and tested regularly to ensure that they can be executed successfully under stress conditions. Recovery testing should include both partial recovery scenarios and complete system reconstruction.
+
+---
+
+**References:**
+
+[1] OpenVPN Community. "OpenVPN Documentation." https://openvpn.net/community-resources/
+[2] Flask Development Team. "Flask Documentation." https://flask.palletsprojects.com/
+[3] HuggingFace. "Spaces Documentation." https://huggingface.co/docs/hub/spaces
+[4] Docker Inc. "Docker Documentation." https://docs.docker.com/
+[5] Python Software Foundation. "Python Documentation." https://docs.python.org/3/
+

Dockerfile

@@ -0,0 +1,52 @@
+# Virtual ISP Stack with OpenVPN Integration
+# Dockerfile for containerized deployment
+
+FROM python:3.11-slim
+
+# Set working directory
+WORKDIR /app
+
+# Install system dependencies
+RUN apt-get update && apt-get install -y \
+    openvpn \
+    iptables \
+    iproute2 \
+    net-tools \
+    procps \
+    build-essential \
+    python3-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY openvpn/server.conf /etc/openvpn/server/server.conf
+COPY openvpn/ca.crt /etc/openvpn/server/ca.crt
+COPY openvpn/server.crt /etc/openvpn/server/server.crt
+COPY openvpn/server.key /etc/openvpn/server/server.key
+COPY openvpn/dh.pem /etc/openvpn/server/dh.pem
+
+# Copy requirements and install Python dependencies
+COPY requirements.txt .
+RUN pip install --no-cache-dir -r requirements.txt
+
+# Copy application files
+COPY . .
+
+# Create necessary directories
+RUN mkdir -p /tmp/vpn_client_configs \
+    && mkdir -p /var/log/openvpn \
+    && mkdir -p database
+
+# Set environment variables
+ENV FLASK_APP=app.py
+ENV FLASK_ENV=production
+ENV PORT=7860
+
+# Expose port
+EXPOSE 7860
+
+# Health check
+HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
+    CMD curl -f http://localhost:7860/health || exit 1
+
+# Run the application
+CMD ["python", "app.py"]
+

app.py

@@ -0,0 +1,190 @@
+#!/usr/bin/env python3
+"""
+Virtual ISP Stack with OpenVPN Integration
+HuggingFace Spaces Entry Point
+
+This application provides a complete Virtual ISP stack with OpenVPN server integration,
+allowing users to manage VPN connections, generate client configurations, and monitor
+network traffic through a RESTful API.
+"""
+
+import os
+import sys
+import logging
+
+# Add current directory to Python path
+sys.path.insert(0, os.path.dirname(__file__))
+
+from flask import Flask, send_from_directory, jsonify
+from flask_cors import CORS
+from models.user import db
+from routes.user import user_bp
+from routes.isp_api import init_engines, isp_api
+
+# Configure logging
+logging.basicConfig(
+    level=logging.INFO,
+    format='%(asctime)s - %(name)s - %(levelname)s - %(message)s'
+)
+logger = logging.getLogger(__name__)
+
+# Create Flask application
+app = Flask(__name__, static_folder=os.path.join(os.path.dirname(__file__), 'static'))
+
+# Enable CORS for all routes
+CORS(app, origins="*")
+
+# Configuration
+app.config['SECRET_KEY'] = os.environ.get('SECRET_KEY', 'vpn-isp-stack-secret-key-change-in-production')
+
+# Database configuration
+database_path = os.path.join(os.path.dirname(__file__), 'database', 'app.db')
+app.config['SQLALCHEMY_DATABASE_URI'] = f"sqlite:///{database_path}"
+app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
+
+# Initialize database
+db.init_app(app)
+
+# Register blueprints
+app.register_blueprint(user_bp, url_prefix='/api')
+app.register_blueprint(isp_api, url_prefix='/api')
+
+# Engine configuration
+app.config.update({
+    "dhcp": {
+        "network": "10.0.0.0/24",
+        "range_start": "10.0.0.10",
+        "range_end": "10.0.0.100",
+        "lease_time": 3600,
+        "gateway": "10.0.0.1",
+        "dns_servers": ["8.8.8.8", "8.8.4.4"]
+    },
+    "nat": {
+        "port_range_start": 10000,
+        "port_range_end": 65535,
+        "session_timeout": 300
+    },
+    "firewall": {
+        "default_policy": "ACCEPT",
+        "log_blocked": True
+    },
+    "tcp": {
+        "initial_window": 65535,
+        "max_retries": 3,
+        "timeout": 30
+    },
+    "openvpn": {
+        "server_ip": "10.8.0.1",
+        "server_port": 1194,
+        "network": "10.8.0.0/24"
+    },
+    "logger": {
+        "log_level": "INFO",
+        "log_file": "/tmp/virtual_isp.log"
+    }
+})
+
+# Initialize database tables
+with app.app_context():
+    try:
+        db.create_all()
+        logger.info("Database tables created successfully")
+    except Exception as e:
+        logger.error(f"Error creating database tables: {e}")
+
+# Initialize engines
+try:
+    init_engines(app.config)
+    logger.info("All engines initialized successfully")
+except Exception as e:
+    logger.error(f"Error initializing engines: {e}")
+
+@app.route('/')
+def index():
+    """Main index page"""
+    return serve_static('')
+
+@app.route('/health')
+def health_check():
+    """Health check endpoint for monitoring"""
+    return jsonify({
+        'status': 'healthy',
+        'service': 'Virtual ISP Stack with OpenVPN',
+        'version': '1.0.0'
+    })
+
+@app.route('/api')
+def api_info():
+    """API information endpoint"""
+    return jsonify({
+        'service': 'Virtual ISP Stack API',
+        'version': '1.0.0',
+        'endpoints': {
+            'openvpn': {
+                'status': '/api/openvpn/status',
+                'start': '/api/openvpn/start',
+                'stop': '/api/openvpn/stop',
+                'clients': '/api/openvpn/clients',
+                'config': '/api/openvpn/config/<client_name>',
+                'stats': '/api/openvpn/stats',
+                'configs': '/api/openvpn/configs'
+            },
+            'dhcp': {
+                'leases': '/api/dhcp/leases'
+            },
+            'nat': {
+                'sessions': '/api/nat/sessions',
+                'stats': '/api/nat/stats'
+            },
+            'firewall': {
+                'rules': '/api/firewall/rules',
+                'logs': '/api/firewall/logs',
+                'stats': '/api/firewall/stats'
+            }
+        }
+    })
+
+@app.route('/<path:path>')
+def serve_static(path):
+    """Serve static files"""
+    static_folder_path = app.static_folder
+    if static_folder_path is None:
+        return jsonify({'error': 'Static folder not configured'}), 404
+
+    if path != "" and os.path.exists(os.path.join(static_folder_path, path)):
+        return send_from_directory(static_folder_path, path)
+    else:
+        index_path = os.path.join(static_folder_path, 'index.html')
+        if os.path.exists(index_path):
+            return send_from_directory(static_folder_path, 'index.html')
+        else:
+            return jsonify({
+                'message': 'Virtual ISP Stack with OpenVPN Integration',
+                'status': 'running',
+                'api_docs': '/api'
+            })
+
+@app.errorhandler(404)
+def not_found(error):
+    """Handle 404 errors"""
+    return jsonify({'error': 'Endpoint not found', 'api_docs': '/api'}), 404
+
+@app.errorhandler(500)
+def internal_error(error):
+    """Handle 500 errors"""
+    return jsonify({'error': 'Internal server error'}), 500
+
+if __name__ == '__main__':
+    # Get port from environment variable (HuggingFace Spaces uses PORT)
+    port = int(os.environ.get('PORT', 7860))
+    
+    logger.info(f"Starting Virtual ISP Stack with OpenVPN on port {port}")
+    
+    # Run the application
+    app.run(
+        host='0.0.0.0',
+        port=port,
+        debug=False,
+        threaded=True
+    )
+

config.json

@@ -0,0 +1,98 @@
+{
+  "dhcp": {
+    "network": "10.0.0.0/24",
+    "range_start": "10.0.0.10",
+    "range_end": "10.0.0.100",
+    "lease_time": 3600,
+    "gateway": "10.0.0.1",
+    "dns_servers": [
+      "8.8.8.8",
+      "8.8.4.4"
+    ]
+  },
+  "nat": {
+    "port_range_start": 10000,
+    "port_range_end": 65535,
+    "session_timeout": 300,
+    "host_ip": "0.0.0.0"
+  },
+  "firewall": {
+    "default_policy": "ACCEPT",
+    "log_blocked": true,
+    "log_accepted": false,
+    "max_log_entries": 10000,
+    "rules": [
+      {
+        "rule_id": "allow_dhcp",
+        "priority": 1,
+        "action": "ACCEPT",
+        "direction": "BOTH",
+        "dest_port": "67,68",
+        "protocol": "UDP",
+        "description": "Allow DHCP traffic",
+        "enabled": true
+      },
+      {
+        "rule_id": "allow_dns",
+        "priority": 2,
+        "action": "ACCEPT",
+        "direction": "BOTH",
+        "dest_port": "53",
+        "protocol": "UDP",
+        "description": "Allow DNS traffic",
+        "enabled": true
+      }
+    ]
+  },
+  "tcp": {
+    "initial_window": 65535,
+    "max_retries": 3,
+    "timeout": 300,
+    "time_wait_timeout": 120,
+    "mss": 1460
+  },
+  "router": {
+    "router_id": "virtual-isp-router",
+    "default_gateway": "10.0.0.1",
+    "interfaces": [
+      {
+        "name": "virtual0",
+        "ip_address": "10.0.0.1",
+        "netmask": "255.255.255.0",
+        "enabled": true,
+        "mtu": 1500
+      }
+    ],
+    "static_routes": []
+  },
+  "socket_translator": {
+    "connect_timeout": 10,
+    "read_timeout": 30,
+    "max_connections": 1000,
+    "buffer_size": 8192
+  },
+  "packet_bridge": {
+    "websocket_host": "0.0.0.0",
+    "websocket_port": 8765,
+    "tcp_host": "0.0.0.0",
+    "tcp_port": 8766,
+    "max_clients": 100,
+    "client_timeout": 300
+  },
+  "session_tracker": {
+    "max_sessions": 10000,
+    "session_timeout": 3600,
+    "cleanup_interval": 300,
+    "metrics_retention": 86400
+  },
+  "logger": {
+    "log_level": "INFO",
+    "log_to_file": true,
+    "log_file_path": "/tmp/virtual_isp.log",
+    "log_file_max_size": 10485760,
+    "log_file_backup_count": 5,
+    "log_to_console": true,
+    "structured_logging": true,
+    "max_memory_logs": 10000
+  }
+}

core/__init__.py

@@ -0,0 +1,2 @@
+# Core networking modules for the virtual ISP stack
+

core/dhcp_server.py

@@ -0,0 +1,391 @@
+"""
+DHCP Server Module
+
+Implements a user-space DHCP server that handles:
+- DHCP DISCOVER → OFFER → REQUEST → ACK sequence
+- IP lease management
+- Lease renewals and expiration
+"""
+
+import struct
+import time
+import socket
+import threading
+from typing import Dict, Optional, Tuple
+from dataclasses import dataclass
+from enum import Enum
+
+
+class DHCPMessageType(Enum):
+    DISCOVER = 1
+    OFFER = 2
+    REQUEST = 3
+    DECLINE = 4
+    ACK = 5
+    NAK = 6
+    RELEASE = 7
+    INFORM = 8
+
+
+@dataclass
+class DHCPLease:
+    """Represents a DHCP lease"""
+    mac_address: str
+    ip_address: str
+    lease_time: int
+    lease_start: float
+    state: str = 'BOUND'
+    
+    @property
+    def is_expired(self) -> bool:
+        return time.time() > (self.lease_start + self.lease_time)
+    
+    @property
+    def remaining_time(self) -> int:
+        remaining = int((self.lease_start + self.lease_time) - time.time())
+        return max(0, remaining)
+
+
+class DHCPPacket:
+    """DHCP packet parser and builder"""
+    
+    def __init__(self):
+        self.op = 0  # Message op code / message type
+        self.htype = 1  # Hardware address type (Ethernet = 1)
+        self.hlen = 6  # Hardware address length
+        self.hops = 0  # Hops
+        self.xid = 0  # Transaction ID
+        self.secs = 0  # Seconds elapsed
+        self.flags = 0  # Flags
+        self.ciaddr = '0.0.0.0'  # Client IP address
+        self.yiaddr = '0.0.0.0'  # Your IP address
+        self.siaddr = '0.0.0.0'  # Server IP address
+        self.giaddr = '0.0.0.0'  # Gateway IP address
+        self.chaddr = b'\x00' * 16  # Client hardware address
+        self.sname = b'\x00' * 64  # Server name
+        self.file = b'\x00' * 128  # Boot file name
+        self.options = {}  # DHCP options
+    
+    @classmethod
+    def parse(cls, data: bytes) -> 'DHCPPacket':
+        """Parse DHCP packet from raw bytes"""
+        packet = cls()
+        
+        # Parse fixed fields (first 236 bytes)
+        if len(data) < 236:
+            raise ValueError("DHCP packet too short")
+        
+        fields = struct.unpack('!BBBBIHH4s4s4s4s16s64s128s', data[:236])
+        packet.op = fields[0]
+        packet.htype = fields[1]
+        packet.hlen = fields[2]
+        packet.hops = fields[3]
+        packet.xid = fields[4]
+        packet.secs = fields[5]
+        packet.flags = fields[6]
+        packet.ciaddr = socket.inet_ntoa(fields[7])
+        packet.yiaddr = socket.inet_ntoa(fields[8])
+        packet.siaddr = socket.inet_ntoa(fields[9])
+        packet.giaddr = socket.inet_ntoa(fields[10])
+        packet.chaddr = fields[11]
+        packet.sname = fields[12]
+        packet.file = fields[13]
+        
+        # Parse options (after magic cookie)
+        options_data = data[236:]
+        if len(options_data) >= 4:
+            magic = struct.unpack('!I', options_data[:4])[0]
+            if magic == 0x63825363:  # DHCP magic cookie
+                packet.options = packet._parse_options(options_data[4:])
+        
+        return packet
+    
+    def _parse_options(self, data: bytes) -> Dict[int, bytes]:
+        """Parse DHCP options"""
+        options = {}
+        i = 0
+        
+        while i < len(data):
+            if data[i] == 255:  # End option
+                break
+            elif data[i] == 0:  # Pad option
+                i += 1
+                continue
+            
+            option_type = data[i]
+            if i + 1 >= len(data):
+                break
+            
+            option_length = data[i + 1]
+            if i + 2 + option_length > len(data):
+                break
+            
+            option_data = data[i + 2:i + 2 + option_length]
+            options[option_type] = option_data
+            i += 2 + option_length
+        
+        return options
+    
+    def build(self) -> bytes:
+        """Build DHCP packet as bytes"""
+        # Build fixed fields
+        packet_data = struct.pack(
+            '!BBBBIHH4s4s4s4s16s64s128s',
+            self.op, self.htype, self.hlen, self.hops,
+            self.xid, self.secs, self.flags,
+            socket.inet_aton(self.ciaddr),
+            socket.inet_aton(self.yiaddr),
+            socket.inet_aton(self.siaddr),
+            socket.inet_aton(self.giaddr),
+            self.chaddr, self.sname, self.file
+        )
+        
+        # Add magic cookie
+        packet_data += struct.pack('!I', 0x63825363)
+        
+        # Add options
+        for option_type, option_data in self.options.items():
+            packet_data += struct.pack('!BB', option_type, len(option_data))
+            packet_data += option_data
+        
+        # Add end option
+        packet_data += b'\xff'
+        
+        # Pad to minimum size
+        while len(packet_data) < 300:
+            packet_data += b'\x00'
+        
+        return packet_data
+    
+    def get_mac_address(self) -> str:
+        """Get client MAC address as string"""
+        return ':'.join(f'{b:02x}' for b in self.chaddr[:6])
+    
+    def get_message_type(self) -> Optional[DHCPMessageType]:
+        """Get DHCP message type from options"""
+        if 53 in self.options and len(self.options[53]) == 1:
+            msg_type = self.options[53][0]
+            try:
+                return DHCPMessageType(msg_type)
+            except ValueError:
+                return None
+        return None
+
+
+class DHCPServer:
+    """User-space DHCP server implementation"""
+    
+    def __init__(self, config: Dict):
+        self.config = config
+        self.leases: Dict[str, DHCPLease] = {}  # MAC -> Lease
+        self.ip_pool = self._build_ip_pool()
+        self.running = False
+        self.server_thread = None
+        self.lock = threading.Lock()
+    
+    def _build_ip_pool(self) -> set:
+        """Build available IP address pool"""
+        network = self.config['network']
+        start_ip = self.config['range_start']
+        end_ip = self.config['range_end']
+        
+        # Convert IP addresses to integers for range calculation
+        start_int = struct.unpack('!I', socket.inet_aton(start_ip))[0]
+        end_int = struct.unpack('!I', socket.inet_aton(end_ip))[0]
+        
+        pool = set()
+        for ip_int in range(start_int, end_int + 1):
+            ip_str = socket.inet_ntoa(struct.pack('!I', ip_int))
+            pool.add(ip_str)
+        
+        return pool
+    
+    def _get_available_ip(self) -> Optional[str]:
+        """Get next available IP address"""
+        with self.lock:
+            # Remove expired leases
+            self._cleanup_expired_leases()
+            
+            # Find available IP
+            used_ips = {lease.ip_address for lease in self.leases.values()}
+            available_ips = self.ip_pool - used_ips
+            
+            if available_ips:
+                return min(available_ips)  # Return lowest available IP
+            return None
+    
+    def _cleanup_expired_leases(self):
+        """Remove expired leases"""
+        expired_macs = [
+            mac for mac, lease in self.leases.items()
+            if lease.is_expired
+        ]
+        for mac in expired_macs:
+            del self.leases[mac]
+    
+    def _create_dhcp_offer(self, discover_packet: DHCPPacket) -> DHCPPacket:
+        """Create DHCP OFFER response"""
+        mac_address = discover_packet.get_mac_address()
+        
+        # Check for existing lease
+        if mac_address in self.leases and not self.leases[mac_address].is_expired:
+            offered_ip = self.leases[mac_address].ip_address
+        else:
+            offered_ip = self._get_available_ip()
+            if not offered_ip:
+                return None  # No available IPs
+        
+        # Create OFFER packet
+        offer = DHCPPacket()
+        offer.op = 2  # BOOTREPLY
+        offer.htype = discover_packet.htype
+        offer.hlen = discover_packet.hlen
+        offer.xid = discover_packet.xid
+        offer.yiaddr = offered_ip
+        offer.siaddr = self.config['gateway']
+        offer.chaddr = discover_packet.chaddr
+        
+        # Add DHCP options
+        offer.options[53] = bytes([DHCPMessageType.OFFER.value])  # Message type
+        offer.options[1] = socket.inet_aton('255.255.255.0')  # Subnet mask
+        offer.options[3] = socket.inet_aton(self.config['gateway'])  # Router
+        offer.options[6] = b''.join(socket.inet_aton(dns) for dns in self.config['dns_servers'])  # DNS
+        offer.options[51] = struct.pack('!I', self.config['lease_time'])  # Lease time
+        offer.options[54] = socket.inet_aton(self.config['gateway'])  # DHCP server identifier
+        
+        return offer
+    
+    def _create_dhcp_ack(self, request_packet: DHCPPacket) -> DHCPPacket:
+        """Create DHCP ACK response"""
+        mac_address = request_packet.get_mac_address()
+        requested_ip = request_packet.ciaddr
+        
+        # If no requested IP in ciaddr, check option 50
+        if requested_ip == '0.0.0.0' and 50 in request_packet.options:
+            requested_ip = socket.inet_ntoa(request_packet.options[50])
+        
+        # Validate request
+        if not self._validate_request(mac_address, requested_ip):
+            return self._create_dhcp_nak(request_packet)
+        
+        # Create or update lease
+        lease = DHCPLease(
+            mac_address=mac_address,
+            ip_address=requested_ip,
+            lease_time=self.config['lease_time'],
+            lease_start=time.time()
+        )
+        
+        with self.lock:
+            self.leases[mac_address] = lease
+        
+        # Create ACK packet
+        ack = DHCPPacket()
+        ack.op = 2  # BOOTREPLY
+        ack.htype = request_packet.htype
+        ack.hlen = request_packet.hlen
+        ack.xid = request_packet.xid
+        ack.yiaddr = requested_ip
+        ack.siaddr = self.config['gateway']
+        ack.chaddr = request_packet.chaddr
+        
+        # Add DHCP options
+        ack.options[53] = bytes([DHCPMessageType.ACK.value])  # Message type
+        ack.options[1] = socket.inet_aton('255.255.255.0')  # Subnet mask
+        ack.options[3] = socket.inet_aton(self.config['gateway'])  # Router
+        ack.options[6] = b''.join(socket.inet_aton(dns) for dns in self.config['dns_servers'])  # DNS
+        ack.options[51] = struct.pack('!I', self.config['lease_time'])  # Lease time
+        ack.options[54] = socket.inet_aton(self.config['gateway'])  # DHCP server identifier
+        
+        return ack
+    
+    def _create_dhcp_nak(self, request_packet: DHCPPacket) -> DHCPPacket:
+        """Create DHCP NAK response"""
+        nak = DHCPPacket()
+        nak.op = 2  # BOOTREPLY
+        nak.htype = request_packet.htype
+        nak.hlen = request_packet.hlen
+        nak.xid = request_packet.xid
+        nak.chaddr = request_packet.chaddr
+        
+        # Add DHCP options
+        nak.options[53] = bytes([DHCPMessageType.NAK.value])  # Message type
+        nak.options[54] = socket.inet_aton(self.config['gateway'])  # DHCP server identifier
+        
+        return nak
+    
+    def _validate_request(self, mac_address: str, requested_ip: str) -> bool:
+        """Validate DHCP request"""
+        # Check if IP is in our pool
+        if requested_ip not in self.ip_pool:
+            return False
+        
+        # Check if IP is available or already assigned to this MAC
+        with self.lock:
+            for mac, lease in self.leases.items():
+                if lease.ip_address == requested_ip:
+                    if mac != mac_address and not lease.is_expired:
+                        return False  # IP already assigned to different MAC
+        
+        return True
+    
+    def process_packet(self, packet_data: bytes, client_addr: Tuple[str, int]) -> Optional[bytes]:
+        """Process incoming DHCP packet and return response"""
+        try:
+            packet = DHCPPacket.parse(packet_data)
+            message_type = packet.get_message_type()
+            
+            if message_type == DHCPMessageType.DISCOVER:
+                response = self._create_dhcp_offer(packet)
+            elif message_type == DHCPMessageType.REQUEST:
+                response = self._create_dhcp_ack(packet)
+            elif message_type == DHCPMessageType.RELEASE:
+                # Handle lease release
+                mac_address = packet.get_mac_address()
+                with self.lock:
+                    if mac_address in self.leases:
+                        del self.leases[mac_address]
+                return None
+            else:
+                return None
+            
+            if response:
+                return response.build()
+            
+        except Exception as e:
+            print(f"Error processing DHCP packet: {e}")
+            return None
+    
+    def get_leases(self) -> Dict[str, Dict]:
+        """Get current lease table"""
+        with self.lock:
+            self._cleanup_expired_leases()
+            return {
+                mac: {
+                    'ip_address': lease.ip_address,
+                    'lease_time': lease.lease_time,
+                    'lease_start': lease.lease_start,
+                    'remaining_time': lease.remaining_time,
+                    'state': lease.state
+                }
+                for mac, lease in self.leases.items()
+            }
+    
+    def release_lease(self, mac_address: str) -> bool:
+        """Manually release a lease"""
+        with self.lock:
+            if mac_address in self.leases:
+                del self.leases[mac_address]
+                return True
+            return False
+    
+    def start(self):
+        """Start DHCP server (placeholder for integration with packet bridge)"""
+        self.running = True
+        print(f"DHCP server started - Pool: {self.config['range_start']} - {self.config['range_end']}")
+    
+    def stop(self):
+        """Stop DHCP server"""
+        self.running = False
+        print("DHCP server stopped")
+

core/firewall.py

@@ -0,0 +1,523 @@
+"""
+Firewall Module
+
+Implements packet filtering and access control:
+- Rule-based packet filtering (allow/block by IP, port, protocol)
+- Ordered rule processing
+- Logging and statistics
+- Dynamic rule management via API
+"""
+
+import time
+import threading
+import ipaddress
+import re
+from typing import Dict, List, Optional, Tuple, Any
+from dataclasses import dataclass
+from enum import Enum
+
+from .ip_parser import ParsedPacket, TCPHeader, UDPHeader
+
+
+class FirewallAction(Enum):
+    ACCEPT = "ACCEPT"
+    DROP = "DROP"
+    REJECT = "REJECT"
+
+
+class FirewallDirection(Enum):
+    INBOUND = "INBOUND"
+    OUTBOUND = "OUTBOUND"
+    BOTH = "BOTH"
+
+
+@dataclass
+class FirewallRule:
+    """Represents a firewall rule"""
+    rule_id: str
+    priority: int  # Lower number = higher priority
+    action: FirewallAction
+    direction: FirewallDirection
+    
+    # Match criteria
+    source_ip: Optional[str] = None  # IP or CIDR
+    dest_ip: Optional[str] = None    # IP or CIDR
+    source_port: Optional[str] = None  # Port or range (e.g., "80", "80-90", "80,443")
+    dest_port: Optional[str] = None    # Port or range
+    protocol: Optional[str] = None     # TCP, UDP, ICMP, or None for any
+    
+    # Metadata
+    description: str = ""
+    enabled: bool = True
+    created_time: float = 0
+    hit_count: int = 0
+    last_hit: Optional[float] = None
+    
+    def __post_init__(self):
+        if self.created_time == 0:
+            self.created_time = time.time()
+    
+    def record_hit(self):
+        """Record a rule hit"""
+        self.hit_count += 1
+        self.last_hit = time.time()
+    
+    def to_dict(self) -> Dict:
+        """Convert rule to dictionary"""
+        return {
+            'rule_id': self.rule_id,
+            'priority': self.priority,
+            'action': self.action.value,
+            'direction': self.direction.value,
+            'source_ip': self.source_ip,
+            'dest_ip': self.dest_ip,
+            'source_port': self.source_port,
+            'dest_port': self.dest_port,
+            'protocol': self.protocol,
+            'description': self.description,
+            'enabled': self.enabled,
+            'created_time': self.created_time,
+            'hit_count': self.hit_count,
+            'last_hit': self.last_hit
+        }
+
+
+@dataclass
+class FirewallLogEntry:
+    """Represents a firewall log entry"""
+    timestamp: float
+    action: str
+    rule_id: Optional[str]
+    source_ip: str
+    dest_ip: str
+    source_port: int
+    dest_port: int
+    protocol: str
+    packet_size: int
+    reason: str = ""
+    
+    def to_dict(self) -> Dict:
+        """Convert log entry to dictionary"""
+        return {
+            'timestamp': self.timestamp,
+            'action': self.action,
+            'rule_id': self.rule_id,
+            'source_ip': self.source_ip,
+            'dest_ip': self.dest_ip,
+            'source_port': self.source_port,
+            'dest_port': self.dest_port,
+            'protocol': self.protocol,
+            'packet_size': self.packet_size,
+            'reason': self.reason
+        }
+
+
+class FirewallEngine:
+    """Firewall engine implementation"""
+    
+    def __init__(self, config: Dict):
+        self.config = config
+        self.rules: Dict[str, FirewallRule] = {}
+        self.logs: List[FirewallLogEntry] = []
+        self.lock = threading.Lock()
+        
+        # Configuration
+        self.default_policy = FirewallAction(config.get('default_policy', 'ACCEPT'))
+        self.log_blocked = config.get('log_blocked', True)
+        self.log_accepted = config.get('log_accepted', False)
+        self.max_log_entries = config.get('max_log_entries', 10000)
+        
+        # Statistics
+        self.stats = {
+            'packets_processed': 0,
+            'packets_accepted': 0,
+            'packets_dropped': 0,
+            'packets_rejected': 0,
+            'rules_hit': 0,
+            'default_policy_hits': 0
+        }
+        
+        # Load initial rules
+        initial_rules = config.get('rules', [])
+        for rule_config in initial_rules:
+            self._add_rule_from_config(rule_config)
+    
+    def _add_rule_from_config(self, rule_config: Dict):
+        """Add rule from configuration"""
+        rule = FirewallRule(
+            rule_id=rule_config['rule_id'],
+            priority=rule_config.get('priority', 100),
+            action=FirewallAction(rule_config['action']),
+            direction=FirewallDirection(rule_config.get('direction', 'BOTH')),
+            source_ip=rule_config.get('source_ip'),
+            dest_ip=rule_config.get('dest_ip'),
+            source_port=rule_config.get('source_port'),
+            dest_port=rule_config.get('dest_port'),
+            protocol=rule_config.get('protocol'),
+            description=rule_config.get('description', ''),
+            enabled=rule_config.get('enabled', True)
+        )
+        
+        with self.lock:
+            self.rules[rule.rule_id] = rule
+    
+    def _match_ip(self, ip: str, pattern: str) -> bool:
+        """Match IP address against pattern (IP or CIDR)"""
+        try:
+            if '/' in pattern:
+                # CIDR notation
+                network = ipaddress.ip_network(pattern, strict=False)
+                return ipaddress.ip_address(ip) in network
+            else:
+                # Exact IP match
+                return ip == pattern
+        except (ipaddress.AddressValueError, ValueError):
+            return False
+    
+    def _match_port(self, port: int, pattern: str) -> bool:
+        """Match port against pattern (port, range, or list)"""
+        try:
+            if ',' in pattern:
+                # List of ports: "80,443,8080"
+                ports = [int(p.strip()) for p in pattern.split(',')]
+                return port in ports
+            elif '-' in pattern:
+                # Port range: "80-90"
+                start, end = map(int, pattern.split('-', 1))
+                return start <= port <= end
+            else:
+                # Single port: "80"
+                return port == int(pattern)
+        except (ValueError, TypeError):
+            return False
+    
+    def _match_protocol(self, protocol: str, pattern: str) -> bool:
+        """Match protocol against pattern"""
+        if pattern is None:
+            return True  # Match any protocol
+        return protocol.upper() == pattern.upper()
+    
+    def _evaluate_rule(self, rule: FirewallRule, packet: ParsedPacket, direction: FirewallDirection) -> bool:
+        """Evaluate if a rule matches a packet"""
+        if not rule.enabled:
+            return False
+        
+        # Check direction
+        if rule.direction != FirewallDirection.BOTH and rule.direction != direction:
+            return False
+        
+        # Check source IP
+        if rule.source_ip and not self._match_ip(packet.ip_header.source_ip, rule.source_ip):
+            return False
+        
+        # Check destination IP
+        if rule.dest_ip and not self._match_ip(packet.ip_header.dest_ip, rule.dest_ip):
+            return False
+        
+        # Check protocol
+        if packet.transport_header:
+            if isinstance(packet.transport_header, TCPHeader):
+                protocol = 'TCP'
+                source_port = packet.transport_header.source_port
+                dest_port = packet.transport_header.dest_port
+            elif isinstance(packet.transport_header, UDPHeader):
+                protocol = 'UDP'
+                source_port = packet.transport_header.source_port
+                dest_port = packet.transport_header.dest_port
+            else:
+                protocol = 'OTHER'
+                source_port = 0
+                dest_port = 0
+        else:
+            protocol = 'OTHER'
+            source_port = 0
+            dest_port = 0
+        
+        if not self._match_protocol(protocol, rule.protocol):
+            return False
+        
+        # Check source port
+        if rule.source_port and not self._match_port(source_port, rule.source_port):
+            return False
+        
+        # Check destination port
+        if rule.dest_port and not self._match_port(dest_port, rule.dest_port):
+            return False
+        
+        return True
+    
+    def _log_packet(self, action: str, packet: ParsedPacket, rule_id: Optional[str] = None, reason: str = ""):
+        """Log packet processing"""
+        if not (self.log_blocked or self.log_accepted):
+            return
+        
+        # Only log if configured
+        if action == 'ACCEPT' and not self.log_accepted:
+            return
+        if action in ['DROP', 'REJECT'] and not self.log_blocked:
+            return
+        
+        # Extract packet information
+        if packet.transport_header:
+            if isinstance(packet.transport_header, (TCPHeader, UDPHeader)):
+                source_port = packet.transport_header.source_port
+                dest_port = packet.transport_header.dest_port
+                protocol = 'TCP' if isinstance(packet.transport_header, TCPHeader) else 'UDP'
+            else:
+                source_port = 0
+                dest_port = 0
+                protocol = 'OTHER'
+        else:
+            source_port = 0
+            dest_port = 0
+            protocol = 'OTHER'
+        
+        log_entry = FirewallLogEntry(
+            timestamp=time.time(),
+            action=action,
+            rule_id=rule_id,
+            source_ip=packet.ip_header.source_ip,
+            dest_ip=packet.ip_header.dest_ip,
+            source_port=source_port,
+            dest_port=dest_port,
+            protocol=protocol,
+            packet_size=len(packet.raw_packet),
+            reason=reason
+        )
+        
+        with self.lock:
+            self.logs.append(log_entry)
+            
+            # Trim logs if too many
+            if len(self.logs) > self.max_log_entries:
+                self.logs = self.logs[-self.max_log_entries:]
+    
+    def process_packet(self, packet: ParsedPacket, direction: FirewallDirection) -> FirewallAction:
+        """Process packet through firewall rules"""
+        self.stats['packets_processed'] += 1
+        
+        # Get sorted rules by priority
+        with self.lock:
+            sorted_rules = sorted(self.rules.values(), key=lambda r: r.priority)
+        
+        # Evaluate rules in order
+        for rule in sorted_rules:
+            if self._evaluate_rule(rule, packet, direction):
+                rule.record_hit()
+                self.stats['rules_hit'] += 1
+                
+                # Log the action
+                self._log_packet(rule.action.value, packet, rule.rule_id, f"Matched rule: {rule.description}")
+                
+                # Update statistics
+                if rule.action == FirewallAction.ACCEPT:
+                    self.stats['packets_accepted'] += 1
+                elif rule.action == FirewallAction.DROP:
+                    self.stats['packets_dropped'] += 1
+                elif rule.action == FirewallAction.REJECT:
+                    self.stats['packets_rejected'] += 1
+                
+                return rule.action
+        
+        # No rule matched, apply default policy
+        self.stats['default_policy_hits'] += 1
+        self._log_packet(self.default_policy.value, packet, None, "Default policy")
+        
+        if self.default_policy == FirewallAction.ACCEPT:
+            self.stats['packets_accepted'] += 1
+        elif self.default_policy == FirewallAction.DROP:
+            self.stats['packets_dropped'] += 1
+        elif self.default_policy == FirewallAction.REJECT:
+            self.stats['packets_rejected'] += 1
+        
+        return self.default_policy
+    
+    def add_rule(self, rule: FirewallRule) -> bool:
+        """Add firewall rule"""
+        with self.lock:
+            if rule.rule_id in self.rules:
+                return False
+            self.rules[rule.rule_id] = rule
+            return True
+    
+    def remove_rule(self, rule_id: str) -> bool:
+        """Remove firewall rule"""
+        with self.lock:
+            if rule_id in self.rules:
+                del self.rules[rule_id]
+                return True
+            return False
+    
+    def update_rule(self, rule_id: str, **kwargs) -> bool:
+        """Update firewall rule"""
+        with self.lock:
+            if rule_id not in self.rules:
+                return False
+            
+            rule = self.rules[rule_id]
+            for key, value in kwargs.items():
+                if hasattr(rule, key):
+                    if key in ['action', 'direction']:
+                        # Handle enum values
+                        if key == 'action':
+                            value = FirewallAction(value)
+                        elif key == 'direction':
+                            value = FirewallDirection(value)
+                    setattr(rule, key, value)
+            
+            return True
+    
+    def enable_rule(self, rule_id: str) -> bool:
+        """Enable firewall rule"""
+        return self.update_rule(rule_id, enabled=True)
+    
+    def disable_rule(self, rule_id: str) -> bool:
+        """Disable firewall rule"""
+        return self.update_rule(rule_id, enabled=False)
+    
+    def get_rules(self) -> List[Dict]:
+        """Get all firewall rules"""
+        with self.lock:
+            return [rule.to_dict() for rule in sorted(self.rules.values(), key=lambda r: r.priority)]
+    
+    def get_rule(self, rule_id: str) -> Optional[Dict]:
+        """Get specific firewall rule"""
+        with self.lock:
+            rule = self.rules.get(rule_id)
+            return rule.to_dict() if rule else None
+    
+    def get_logs(self, limit: int = 100, filter_action: Optional[str] = None) -> List[Dict]:
+        """Get firewall logs"""
+        with self.lock:
+            logs = self.logs.copy()
+        
+        # Filter by action if specified
+        if filter_action:
+            logs = [log for log in logs if log.action == filter_action.upper()]
+        
+        # Return most recent logs
+        return [log.to_dict() for log in logs[-limit:]]
+    
+    def clear_logs(self):
+        """Clear firewall logs"""
+        with self.lock:
+            self.logs.clear()
+    
+    def get_stats(self) -> Dict:
+        """Get firewall statistics"""
+        with self.lock:
+            stats = self.stats.copy()
+            stats['total_rules'] = len(self.rules)
+            stats['enabled_rules'] = sum(1 for rule in self.rules.values() if rule.enabled)
+            stats['log_entries'] = len(self.logs)
+            stats['default_policy'] = self.default_policy.value
+        
+        return stats
+    
+    def reset_stats(self):
+        """Reset firewall statistics"""
+        self.stats = {
+            'packets_processed': 0,
+            'packets_accepted': 0,
+            'packets_dropped': 0,
+            'packets_rejected': 0,
+            'rules_hit': 0,
+            'default_policy_hits': 0
+        }
+        
+        # Reset rule hit counts
+        with self.lock:
+            for rule in self.rules.values():
+                rule.hit_count = 0
+                rule.last_hit = None
+    
+    def set_default_policy(self, policy: str):
+        """Set default firewall policy"""
+        self.default_policy = FirewallAction(policy.upper())
+    
+    def export_rules(self) -> List[Dict]:
+        """Export rules for backup/configuration"""
+        return self.get_rules()
+    
+    def import_rules(self, rules_config: List[Dict], replace: bool = False):
+        """Import rules from configuration"""
+        if replace:
+            with self.lock:
+                self.rules.clear()
+        
+        for rule_config in rules_config:
+            self._add_rule_from_config(rule_config)
+
+
+class FirewallRuleBuilder:
+    """Helper class to build firewall rules"""
+    
+    def __init__(self, rule_id: str):
+        self.rule_id = rule_id
+        self.priority = 100
+        self.action = FirewallAction.ACCEPT
+        self.direction = FirewallDirection.BOTH
+        self.source_ip = None
+        self.dest_ip = None
+        self.source_port = None
+        self.dest_port = None
+        self.protocol = None
+        self.description = ""
+        self.enabled = True
+    
+    def set_priority(self, priority: int) -> 'FirewallRuleBuilder':
+        self.priority = priority
+        return self
+    
+    def set_action(self, action: str) -> 'FirewallRuleBuilder':
+        self.action = FirewallAction(action.upper())
+        return self
+    
+    def set_direction(self, direction: str) -> 'FirewallRuleBuilder':
+        self.direction = FirewallDirection(direction.upper())
+        return self
+    
+    def set_source_ip(self, ip: str) -> 'FirewallRuleBuilder':
+        self.source_ip = ip
+        return self
+    
+    def set_dest_ip(self, ip: str) -> 'FirewallRuleBuilder':
+        self.dest_ip = ip
+        return self
+    
+    def set_source_port(self, port: str) -> 'FirewallRuleBuilder':
+        self.source_port = port
+        return self
+    
+    def set_dest_port(self, port: str) -> 'FirewallRuleBuilder':
+        self.dest_port = port
+        return self
+    
+    def set_protocol(self, protocol: str) -> 'FirewallRuleBuilder':
+        self.protocol = protocol.upper()
+        return self
+    
+    def set_description(self, description: str) -> 'FirewallRuleBuilder':
+        self.description = description
+        return self
+    
+    def set_enabled(self, enabled: bool) -> 'FirewallRuleBuilder':
+        self.enabled = enabled
+        return self
+    
+    def build(self) -> FirewallRule:
+        """Build the firewall rule"""
+        return FirewallRule(
+            rule_id=self.rule_id,
+            priority=self.priority,
+            action=self.action,
+            direction=self.direction,
+            source_ip=self.source_ip,
+            dest_ip=self.dest_ip,
+            source_port=self.source_port,
+            dest_port=self.dest_port,
+            protocol=self.protocol,
+            description=self.description,
+            enabled=self.enabled
+        )
+

core/ip_parser.py

@@ -0,0 +1,546 @@
+"""
+IP Parser/Assembler Module
+
+Handles IPv4 packet parsing and construction:
+- Parse IPv4, UDP, and TCP headers
+- Calculate and verify checksums
+- Handle packet fragmentation and reassembly
+- Support various IP options
+"""
+
+import struct
+import socket
+from typing import Dict, List, Optional, Tuple
+from dataclasses import dataclass
+from enum import Enum
+
+
+class IPProtocol(Enum):
+    ICMP = 1
+    TCP = 6
+    UDP = 17
+
+
+@dataclass
+class IPv4Header:
+    """IPv4 header structure"""
+    version: int = 4
+    ihl: int = 5  # Internet Header Length (in 32-bit words)
+    tos: int = 0  # Type of Service
+    total_length: int = 0
+    identification: int = 0
+    flags: int = 0  # 3 bits: Reserved, Don't Fragment, More Fragments
+    fragment_offset: int = 0  # 13 bits
+    ttl: int = 64  # Time to Live
+    protocol: int = 0
+    header_checksum: int = 0
+    source_ip: str = '0.0.0.0'
+    dest_ip: str = '0.0.0.0'
+    options: bytes = b''
+    
+    @property
+    def header_length(self) -> int:
+        """Get header length in bytes"""
+        return self.ihl * 4
+    
+    @property
+    def dont_fragment(self) -> bool:
+        """Check if Don't Fragment flag is set"""
+        return bool(self.flags & 0x2)
+    
+    @property
+    def more_fragments(self) -> bool:
+        """Check if More Fragments flag is set"""
+        return bool(self.flags & 0x1)
+    
+    @property
+    def is_fragment(self) -> bool:
+        """Check if this is a fragment"""
+        return self.more_fragments or self.fragment_offset > 0
+
+
+@dataclass
+class TCPHeader:
+    """TCP header structure"""
+    source_port: int = 0
+    dest_port: int = 0
+    seq_num: int = 0
+    ack_num: int = 0
+    data_offset: int = 5  # Header length in 32-bit words
+    reserved: int = 0
+    flags: int = 0  # 9 bits: NS, CWR, ECE, URG, ACK, PSH, RST, SYN, FIN
+    window_size: int = 65535
+    checksum: int = 0
+    urgent_pointer: int = 0
+    options: bytes = b''
+    
+    @property
+    def header_length(self) -> int:
+        """Get header length in bytes"""
+        return self.data_offset * 4
+    
+    # TCP Flag properties
+    @property
+    def fin(self) -> bool:
+        return bool(self.flags & 0x01)
+    
+    @property
+    def syn(self) -> bool:
+        return bool(self.flags & 0x02)
+    
+    @property
+    def rst(self) -> bool:
+        return bool(self.flags & 0x04)
+    
+    @property
+    def psh(self) -> bool:
+        return bool(self.flags & 0x08)
+    
+    @property
+    def ack(self) -> bool:
+        return bool(self.flags & 0x10)
+    
+    @property
+    def urg(self) -> bool:
+        return bool(self.flags & 0x20)
+    
+    def set_flag(self, flag_name: str, value: bool = True):
+        """Set TCP flag"""
+        flag_bits = {
+            'fin': 0x01, 'syn': 0x02, 'rst': 0x04, 'psh': 0x08,
+            'ack': 0x10, 'urg': 0x20, 'ece': 0x40, 'cwr': 0x80, 'ns': 0x100
+        }
+        
+        if flag_name.lower() in flag_bits:
+            bit = flag_bits[flag_name.lower()]
+            if value:
+                self.flags |= bit
+            else:
+                self.flags &= ~bit
+
+
+@dataclass
+class UDPHeader:
+    """UDP header structure"""
+    source_port: int = 0
+    dest_port: int = 0
+    length: int = 8  # Header + data length
+    checksum: int = 0
+    
+    @property
+    def header_length(self) -> int:
+        """Get header length in bytes (always 8 for UDP)"""
+        return 8
+
+
+@dataclass
+class ParsedPacket:
+    """Parsed packet structure"""
+    ip_header: IPv4Header
+    transport_header: Optional[object] = None  # TCPHeader or UDPHeader
+    payload: bytes = b''
+    raw_packet: bytes = b''
+
+
+class IPParser:
+    """IPv4 packet parser and assembler"""
+    
+    @staticmethod
+    def calculate_checksum(data: bytes) -> int:
+        """Calculate Internet checksum"""
+        # Pad data to even length
+        if len(data) % 2:
+            data += b'\x00'
+        
+        checksum = 0
+        for i in range(0, len(data), 2):
+            word = (data[i] << 8) + data[i + 1]
+            checksum += word
+        
+        # Add carry bits
+        while checksum >> 16:
+            checksum = (checksum & 0xFFFF) + (checksum >> 16)
+        
+        # One's complement
+        return (~checksum) & 0xFFFF
+    
+    @staticmethod
+    def verify_checksum(data: bytes, checksum: int) -> bool:
+        """Verify Internet checksum"""
+        calculated = IPParser.calculate_checksum(data)
+        return calculated == checksum or (calculated + checksum) == 0xFFFF
+    
+    @classmethod
+    def parse_ipv4_header(cls, data: bytes) -> Tuple[IPv4Header, int]:
+        """Parse IPv4 header from raw bytes"""
+        if len(data) < 20:
+            raise ValueError("IPv4 header too short")
+        
+        # Parse fixed part of header
+        header_data = struct.unpack('!BBHHHBBH4s4s', data[:20])
+        
+        header = IPv4Header()
+        version_ihl = header_data[0]
+        header.version = (version_ihl >> 4) & 0xF
+        header.ihl = version_ihl & 0xF
+        header.tos = header_data[1]
+        header.total_length = header_data[2]
+        header.identification = header_data[3]
+        flags_fragment = header_data[4]
+        header.flags = (flags_fragment >> 13) & 0x7
+        header.fragment_offset = flags_fragment & 0x1FFF
+        header.ttl = header_data[5]
+        header.protocol = header_data[6]
+        header.header_checksum = header_data[7]
+        header.source_ip = socket.inet_ntoa(header_data[8])
+        header.dest_ip = socket.inet_ntoa(header_data[9])
+        
+        # Validate version
+        if header.version != 4:
+            raise ValueError(f"Unsupported IP version: {header.version}")
+        
+        # Parse options if present
+        options_length = header.header_length - 20
+        if options_length > 0:
+            if len(data) < 20 + options_length:
+                raise ValueError("IPv4 options truncated")
+            header.options = data[20:20 + options_length]
+        
+        return header, header.header_length
+    
+    @classmethod
+    def parse_tcp_header(cls, data: bytes) -> Tuple[TCPHeader, int]:
+        """Parse TCP header from raw bytes"""
+        if len(data) < 20:
+            raise ValueError("TCP header too short")
+        
+        # Parse fixed part of header
+        header_data = struct.unpack('!HHIIBBHHH', data[:20])
+        
+        header = TCPHeader()
+        header.source_port = header_data[0]
+        header.dest_port = header_data[1]
+        header.seq_num = header_data[2]
+        header.ack_num = header_data[3]
+        offset_reserved = header_data[4]
+        header.data_offset = (offset_reserved >> 4) & 0xF
+        header.reserved = (offset_reserved >> 1) & 0x7
+        header.flags = ((offset_reserved & 0x1) << 8) | header_data[5]
+        header.window_size = header_data[6]
+        header.checksum = header_data[7]
+        header.urgent_pointer = header_data[8]
+        
+        # Parse options if present
+        options_length = header.header_length - 20
+        if options_length > 0:
+            if len(data) < 20 + options_length:
+                raise ValueError("TCP options truncated")
+            header.options = data[20:20 + options_length]
+        
+        return header, header.header_length
+    
+    @classmethod
+    def parse_udp_header(cls, data: bytes) -> Tuple[UDPHeader, int]:
+        """Parse UDP header from raw bytes"""
+        if len(data) < 8:
+            raise ValueError("UDP header too short")
+        
+        header_data = struct.unpack('!HHHH', data[:8])
+        
+        header = UDPHeader()
+        header.source_port = header_data[0]
+        header.dest_port = header_data[1]
+        header.length = header_data[2]
+        header.checksum = header_data[3]
+        
+        return header, 8
+    
+    @classmethod
+    def parse_packet(cls, data: bytes) -> ParsedPacket:
+        """Parse complete packet"""
+        packet = ParsedPacket(raw_packet=data)
+        
+        # Parse IP header
+        packet.ip_header, ip_header_len = cls.parse_ipv4_header(data)
+        
+        # Extract payload after IP header
+        ip_payload = data[ip_header_len:packet.ip_header.total_length]
+        
+        # Parse transport layer header
+        if packet.ip_header.protocol == IPProtocol.TCP.value:
+            packet.transport_header, transport_header_len = cls.parse_tcp_header(ip_payload)
+            packet.payload = ip_payload[transport_header_len:]
+        elif packet.ip_header.protocol == IPProtocol.UDP.value:
+            packet.transport_header, transport_header_len = cls.parse_udp_header(ip_payload)
+            packet.payload = ip_payload[transport_header_len:]
+        else:
+            # Unsupported protocol, treat as raw payload
+            packet.payload = ip_payload
+        
+        return packet
+    
+    @classmethod
+    def build_ipv4_header(cls, header: IPv4Header) -> bytes:
+        """Build IPv4 header as bytes"""
+        # Calculate header length including options
+        header.ihl = (20 + len(header.options) + 3) // 4  # Round up to 32-bit boundary
+        
+        # Build header without checksum
+        version_ihl = (header.version << 4) | header.ihl
+        flags_fragment = (header.flags << 13) | header.fragment_offset
+        
+        header_data = struct.pack(
+            '!BBHHHBBH4s4s',
+            version_ihl, header.tos, header.total_length,
+            header.identification, flags_fragment,
+            header.ttl, header.protocol, 0,  # Checksum = 0 for calculation
+            socket.inet_aton(header.source_ip),
+            socket.inet_aton(header.dest_ip)
+        )
+        
+        # Add options and padding
+        if header.options:
+            header_data += header.options
+            # Pad to 32-bit boundary
+            padding_needed = (header.ihl * 4) - len(header_data)
+            if padding_needed > 0:
+                header_data += b'\x00' * padding_needed
+        
+        # Calculate and insert checksum
+        checksum = cls.calculate_checksum(header_data)
+        header_data = header_data[:10] + struct.pack('!H', checksum) + header_data[12:]
+        
+        return header_data
+    
+    @classmethod
+    def build_tcp_header(cls, header: TCPHeader, source_ip: str, dest_ip: str, payload: bytes) -> bytes:
+        """Build TCP header as bytes with checksum"""
+        # Calculate header length including options
+        header.data_offset = (20 + len(header.options) + 3) // 4  # Round up to 32-bit boundary
+        
+        # Build header without checksum
+        offset_reserved_flags = (header.data_offset << 12) | (header.reserved << 9) | header.flags
+        
+        header_data = struct.pack(
+            '!HHIIHHH',
+            header.source_port, header.dest_port,
+            header.seq_num, header.ack_num,
+            offset_reserved_flags, header.window_size,
+            0, header.urgent_pointer  # Checksum = 0 for calculation
+        )
+        
+        # Add options and padding
+        if header.options:
+            header_data += header.options
+            # Pad to 32-bit boundary
+            padding_needed = (header.data_offset * 4) - len(header_data)
+            if padding_needed > 0:
+                header_data += b'\x00' * padding_needed
+        
+        # Calculate TCP checksum with pseudo-header
+        pseudo_header = struct.pack(
+            '!4s4sBBH',
+            socket.inet_aton(source_ip),
+            socket.inet_aton(dest_ip),
+            0, IPProtocol.TCP.value,
+            len(header_data) + len(payload)
+        )
+        
+        checksum_data = pseudo_header + header_data + payload
+        checksum = cls.calculate_checksum(checksum_data)
+        
+        # Insert checksum
+        header_data = header_data[:16] + struct.pack('!H', checksum) + header_data[18:]
+        
+        return header_data
+    
+    @classmethod
+    def build_udp_header(cls, header: UDPHeader, source_ip: str, dest_ip: str, payload: bytes) -> bytes:
+        """Build UDP header as bytes with checksum"""
+        header.length = 8 + len(payload)
+        
+        # Build header without checksum
+        header_data = struct.pack(
+            '!HHHH',
+            header.source_port, header.dest_port,
+            header.length, 0  # Checksum = 0 for calculation
+        )
+        
+        # Calculate UDP checksum with pseudo-header (optional for IPv4)
+        if header.checksum != 0:  # If checksum is required
+            pseudo_header = struct.pack(
+                '!4s4sBBH',
+                socket.inet_aton(source_ip),
+                socket.inet_aton(dest_ip),
+                0, IPProtocol.UDP.value,
+                header.length
+            )
+            
+            checksum_data = pseudo_header + header_data + payload
+            checksum = cls.calculate_checksum(checksum_data)
+            
+            # Insert checksum
+            header_data = header_data[:6] + struct.pack('!H', checksum) + header_data[8:]
+        
+        return header_data
+    
+    @classmethod
+    def build_packet(cls, ip_header: IPv4Header, transport_header: Optional[object] = None, payload: bytes = b'') -> bytes:
+        """Build complete packet"""
+        transport_data = b''
+        
+        # Build transport header
+        if transport_header:
+            if isinstance(transport_header, TCPHeader):
+                transport_data = cls.build_tcp_header(
+                    transport_header, ip_header.source_ip, ip_header.dest_ip, payload
+                )
+            elif isinstance(transport_header, UDPHeader):
+                transport_data = cls.build_udp_header(
+                    transport_header, ip_header.source_ip, ip_header.dest_ip, payload
+                )
+        
+        # Update IP header total length
+        ip_header.total_length = ip_header.header_length + len(transport_data) + len(payload)
+        
+        # Build IP header
+        ip_data = cls.build_ipv4_header(ip_header)
+        
+        # Combine all parts
+        return ip_data + transport_data + payload
+
+
+class PacketFragmenter:
+    """Handle packet fragmentation and reassembly"""
+    
+    def __init__(self, mtu: int = 1500):
+        self.mtu = mtu
+        self.fragments: Dict[Tuple[str, str, int], List[Tuple[int, bytes]]] = {}  # (src, dst, id) -> [(offset, data)]
+    
+    def fragment_packet(self, packet: bytes, mtu: int = None) -> List[bytes]:
+        """Fragment a packet if it exceeds MTU"""
+        if mtu is None:
+            mtu = self.mtu
+        
+        if len(packet) <= mtu:
+            return [packet]
+        
+        # Parse original packet
+        parsed = IPParser.parse_packet(packet)
+        ip_header = parsed.ip_header
+        
+        # Don't fragment if DF flag is set
+        if ip_header.dont_fragment:
+            raise ValueError("Packet too large and Don't Fragment flag is set")
+        
+        fragments = []
+        payload_mtu = mtu - ip_header.header_length
+        payload_mtu = (payload_mtu // 8) * 8  # Must be multiple of 8 bytes
+        
+        # Get the payload to fragment (everything after IP header)
+        payload_start = ip_header.header_length
+        payload = packet[payload_start:]
+        
+        offset = 0
+        while offset < len(payload):
+            # Create fragment
+            fragment_payload = payload[offset:offset + payload_mtu]
+            
+            # Create new IP header for fragment
+            frag_header = IPv4Header(
+                version=ip_header.version,
+                ihl=ip_header.ihl,
+                tos=ip_header.tos,
+                identification=ip_header.identification,
+                ttl=ip_header.ttl,
+                protocol=ip_header.protocol,
+                source_ip=ip_header.source_ip,
+                dest_ip=ip_header.dest_ip,
+                options=ip_header.options
+            )
+            
+            # Set fragment offset and flags
+            frag_header.fragment_offset = (ip_header.fragment_offset * 8 + offset) // 8
+            frag_header.flags = ip_header.flags
+            
+            # Set More Fragments flag if not last fragment
+            if offset + len(fragment_payload) < len(payload):
+                frag_header.flags |= 0x1  # More Fragments
+            else:
+                frag_header.flags &= ~0x1  # Clear More Fragments
+            
+            # Build fragment
+            fragment = IPParser.build_packet(frag_header, payload=fragment_payload)
+            fragments.append(fragment)
+            
+            offset += len(fragment_payload)
+        
+        return fragments
+    
+    def reassemble_packet(self, packet: bytes) -> Optional[bytes]:
+        """Reassemble fragmented packet"""
+        parsed = IPParser.parse_packet(packet)
+        ip_header = parsed.ip_header
+        
+        # If not a fragment, return as-is
+        if not ip_header.is_fragment:
+            return packet
+        
+        # Create fragment key
+        key = (ip_header.source_ip, ip_header.dest_ip, ip_header.identification)
+        
+        # Store fragment
+        if key not in self.fragments:
+            self.fragments[key] = []
+        
+        payload_start = ip_header.header_length
+        fragment_data = packet[payload_start:]
+        self.fragments[key].append((ip_header.fragment_offset * 8, fragment_data))
+        
+        # Check if we have all fragments
+        fragments = sorted(self.fragments[key])
+        
+        # Verify we have contiguous fragments starting from 0
+        expected_offset = 0
+        complete_payload = b''
+        
+        for offset, data in fragments:
+            if offset != expected_offset:
+                return None  # Missing fragment
+            
+            complete_payload += data
+            expected_offset += len(data)
+        
+        # Check if last fragment (no More Fragments flag)
+        last_fragment = None
+        for frag_packet in [packet]:  # We only have current packet, need to track all
+            frag_parsed = IPParser.parse_packet(frag_packet)
+            if not frag_parsed.ip_header.more_fragments:
+                last_fragment = frag_parsed
+                break
+        
+        if last_fragment is None:
+            return None  # Don't have last fragment yet
+        
+        # Reassemble complete packet
+        complete_header = IPv4Header(
+            version=ip_header.version,
+            ihl=ip_header.ihl,
+            tos=ip_header.tos,
+            identification=ip_header.identification,
+            flags=ip_header.flags & ~0x1,  # Clear More Fragments
+            fragment_offset=0,
+            ttl=ip_header.ttl,
+            protocol=ip_header.protocol,
+            source_ip=ip_header.source_ip,
+            dest_ip=ip_header.dest_ip,
+            options=ip_header.options
+        )
+        
+        complete_packet = IPParser.build_packet(complete_header, payload=complete_payload)
+        
+        # Clean up fragments
+        del self.fragments[key]
+        
+        return complete_packet
+

core/logger.py

@@ -0,0 +1,555 @@
+"""
+Logger Module
+
+Centralized logging system for the virtual ISP stack:
+- Structured logging with multiple levels
+- Log aggregation and filtering
+- Real-time log streaming
+- Log persistence and rotation
+"""
+
+import logging
+import logging.handlers
+import time
+import threading
+import json
+import os
+from typing import Dict, List, Optional, Any, Callable
+from dataclasses import dataclass, asdict
+from enum import Enum
+from collections import deque
+import queue
+
+
+class LogLevel(Enum):
+    DEBUG = "DEBUG"
+    INFO = "INFO"
+    WARNING = "WARNING"
+    ERROR = "ERROR"
+    CRITICAL = "CRITICAL"
+
+
+class LogCategory(Enum):
+    SYSTEM = "SYSTEM"
+    DHCP = "DHCP"
+    NAT = "NAT"
+    FIREWALL = "FIREWALL"
+    TCP = "TCP"
+    ROUTER = "ROUTER"
+    BRIDGE = "BRIDGE"
+    SOCKET = "SOCKET"
+    SESSION = "SESSION"
+    SECURITY = "SECURITY"
+    PERFORMANCE = "PERFORMANCE"
+
+
+@dataclass
+class LogEntry:
+    """Structured log entry"""
+    timestamp: float
+    level: str
+    category: str
+    module: str
+    message: str
+    session_id: Optional[str] = None
+    client_id: Optional[str] = None
+    source_ip: Optional[str] = None
+    dest_ip: Optional[str] = None
+    protocol: Optional[str] = None
+    metadata: Dict[str, Any] = None
+    
+    def __post_init__(self):
+        if self.timestamp == 0:
+            self.timestamp = time.time()
+        if self.metadata is None:
+            self.metadata = {}
+    
+    def to_dict(self) -> Dict:
+        """Convert to dictionary"""
+        return asdict(self)
+    
+    def to_json(self) -> str:
+        """Convert to JSON string"""
+        return json.dumps(self.to_dict(), default=str)
+
+
+class LogFilter:
+    """Log filtering class"""
+    
+    def __init__(self):
+        self.level_filter: Optional[LogLevel] = None
+        self.category_filter: Optional[LogCategory] = None
+        self.module_filter: Optional[str] = None
+        self.session_filter: Optional[str] = None
+        self.client_filter: Optional[str] = None
+        self.ip_filter: Optional[str] = None
+        self.text_filter: Optional[str] = None
+        self.time_range: Optional[tuple] = None
+    
+    def matches(self, entry: LogEntry) -> bool:
+        """Check if log entry matches filter criteria"""
+        # Level filter
+        if self.level_filter:
+            entry_level_value = getattr(logging, entry.level)
+            filter_level_value = getattr(logging, self.level_filter.value)
+            if entry_level_value < filter_level_value:
+                return False
+        
+        # Category filter
+        if self.category_filter and entry.category != self.category_filter.value:
+            return False
+        
+        # Module filter
+        if self.module_filter and self.module_filter.lower() not in entry.module.lower():
+            return False
+        
+        # Session filter
+        if self.session_filter and entry.session_id != self.session_filter:
+            return False
+        
+        # Client filter
+        if self.client_filter and entry.client_id != self.client_filter:
+            return False
+        
+        # IP filter
+        if self.ip_filter:
+            if (entry.source_ip != self.ip_filter and 
+                entry.dest_ip != self.ip_filter):
+                return False
+        
+        # Text filter
+        if self.text_filter and self.text_filter.lower() not in entry.message.lower():
+            return False
+        
+        # Time range filter
+        if self.time_range:
+            start_time, end_time = self.time_range
+            if not (start_time <= entry.timestamp <= end_time):
+                return False
+        
+        return True
+
+
+class LogSubscriber:
+    """Log subscriber for real-time streaming"""
+    
+    def __init__(self, subscriber_id: str, callback: Callable[[LogEntry], None], 
+                 log_filter: Optional[LogFilter] = None):
+        self.subscriber_id = subscriber_id
+        self.callback = callback
+        self.filter = log_filter or LogFilter()
+        self.created_time = time.time()
+        self.message_count = 0
+        self.last_message_time = None
+        self.is_active = True
+    
+    def send_log(self, entry: LogEntry) -> bool:
+        """Send log entry to subscriber if it matches filter"""
+        if not self.is_active:
+            return False
+        
+        if self.filter.matches(entry):
+            try:
+                self.callback(entry)
+                self.message_count += 1
+                self.last_message_time = time.time()
+                return True
+            except Exception as e:
+                print(f"Error sending log to subscriber {self.subscriber_id}: {e}")
+                self.is_active = False
+                return False
+        
+        return False
+
+
+class VirtualISPLogger:
+    """Centralized logger for Virtual ISP stack"""
+    
+    def __init__(self, config: Dict):
+        self.config = config
+        self.log_entries: deque = deque(maxlen=config.get('max_memory_logs', 10000))
+        self.subscribers: Dict[str, LogSubscriber] = {}
+        self.lock = threading.Lock()
+        
+        # Configuration
+        self.log_level = LogLevel(config.get('log_level', 'INFO'))
+        self.log_to_file = config.get('log_to_file', True)
+        self.log_file_path = config.get('log_file_path', '/tmp/virtual_isp.log')
+        self.log_file_max_size = config.get('log_file_max_size', 10 * 1024 * 1024)  # 10MB
+        self.log_file_backup_count = config.get('log_file_backup_count', 5)
+        self.log_to_console = config.get('log_to_console', True)
+        self.structured_logging = config.get('structured_logging', True)
+        
+        # Statistics
+        self.stats = {
+            'total_logs': 0,
+            'logs_by_level': {level.value: 0 for level in LogLevel},
+            'logs_by_category': {cat.value: 0 for cat in LogCategory},
+            'active_subscribers': 0,
+            'file_logs_written': 0,
+            'console_logs_written': 0,
+            'dropped_logs': 0
+        }
+        
+        # Setup logging
+        self._setup_logging()
+        
+        # Background processing
+        self.running = False
+        self.log_queue = queue.Queue()
+        self.processing_thread = None
+    
+    def _setup_logging(self):
+        """Setup Python logging infrastructure"""
+        # Create logger
+        self.logger = logging.getLogger('virtual_isp')
+        self.logger.setLevel(getattr(logging, self.log_level.value))
+        
+        # Remove existing handlers
+        for handler in self.logger.handlers[:]:
+            self.logger.removeHandler(handler)
+        
+        # Console handler
+        if self.log_to_console:
+            console_handler = logging.StreamHandler()
+            if self.structured_logging:
+                console_formatter = logging.Formatter(
+                    '%(asctime)s - %(name)s - %(levelname)s - %(message)s'
+                )
+            else:
+                console_formatter = logging.Formatter('%(message)s')
+            console_handler.setFormatter(console_formatter)
+            self.logger.addHandler(console_handler)
+        
+        # File handler with rotation
+        if self.log_to_file:
+            # Ensure log directory exists
+            log_dir = os.path.dirname(self.log_file_path)
+            if log_dir and not os.path.exists(log_dir):
+                os.makedirs(log_dir, exist_ok=True)
+            
+            file_handler = logging.handlers.RotatingFileHandler(
+                self.log_file_path,
+                maxBytes=self.log_file_max_size,
+                backupCount=self.log_file_backup_count
+            )
+            
+            if self.structured_logging:
+                file_formatter = logging.Formatter(
+                    '%(asctime)s - %(name)s - %(levelname)s - %(message)s'
+                )
+            else:
+                file_formatter = logging.Formatter('%(message)s')
+            
+            file_handler.setFormatter(file_formatter)
+            self.logger.addHandler(file_handler)
+    
+    def _process_log_queue(self):
+        """Background thread to process log queue"""
+        while self.running:
+            try:
+                # Get log entry from queue (with timeout)
+                try:
+                    entry = self.log_queue.get(timeout=1.0)
+                except queue.Empty:
+                    continue
+                
+                # Store in memory
+                with self.lock:
+                    self.log_entries.append(entry)
+                
+                # Send to subscribers
+                inactive_subscribers = []
+                with self.lock:
+                    for subscriber_id, subscriber in self.subscribers.items():
+                        if not subscriber.send_log(entry):
+                            inactive_subscribers.append(subscriber_id)
+                
+                # Remove inactive subscribers
+                for subscriber_id in inactive_subscribers:
+                    self.remove_subscriber(subscriber_id)
+                
+                # Update statistics
+                self.stats['total_logs'] += 1
+                self.stats['logs_by_level'][entry.level] += 1
+                self.stats['logs_by_category'][entry.category] += 1
+                
+                # Mark task as done
+                self.log_queue.task_done()
+            
+            except Exception as e:
+                print(f"Error processing log queue: {e}")
+                time.sleep(1)
+    
+    def log(self, level: LogLevel, category: LogCategory, module: str, message: str, 
+            session_id: Optional[str] = None, client_id: Optional[str] = None,
+            source_ip: Optional[str] = None, dest_ip: Optional[str] = None,
+            protocol: Optional[str] = None, **metadata):
+        """Log a message"""
+        # Check if we should log this level
+        level_value = getattr(logging, level.value)
+        min_level_value = getattr(logging, self.log_level.value)
+        if level_value < min_level_value:
+            return
+        
+        # Create log entry
+        entry = LogEntry(
+            timestamp=time.time(),
+            level=level.value,
+            category=category.value,
+            module=module,
+            message=message,
+            session_id=session_id,
+            client_id=client_id,
+            source_ip=source_ip,
+            dest_ip=dest_ip,
+            protocol=protocol,
+            metadata=metadata
+        )
+        
+        # Add to queue for background processing
+        try:
+            self.log_queue.put_nowait(entry)
+        except queue.Full:
+            self.stats['dropped_logs'] += 1
+        
+        # Also log through Python logging system
+        if self.structured_logging:
+            log_data = entry.to_dict()
+            log_message = f"{message} | {json.dumps(log_data, default=str)}"
+        else:
+            log_message = message
+        
+        # Log to Python logger
+        python_logger_level = getattr(logging, level.value)
+        self.logger.log(python_logger_level, log_message)
+        
+        # Update console/file stats
+        if self.log_to_console:
+            self.stats['console_logs_written'] += 1
+        if self.log_to_file:
+            self.stats['file_logs_written'] += 1
+    
+    def debug(self, category: LogCategory, module: str, message: str, **kwargs):
+        """Log debug message"""
+        self.log(LogLevel.DEBUG, category, module, message, **kwargs)
+    
+    def info(self, category: LogCategory, module: str, message: str, **kwargs):
+        """Log info message"""
+        self.log(LogLevel.INFO, category, module, message, **kwargs)
+    
+    def warning(self, category: LogCategory, module: str, message: str, **kwargs):
+        """Log warning message"""
+        self.log(LogLevel.WARNING, category, module, message, **kwargs)
+    
+    def error(self, category: LogCategory, module: str, message: str, **kwargs):
+        """Log error message"""
+        self.log(LogLevel.ERROR, category, module, message, **kwargs)
+    
+    def critical(self, category: LogCategory, module: str, message: str, **kwargs):
+        """Log critical message"""
+        self.log(LogLevel.CRITICAL, category, module, message, **kwargs)
+    
+    def add_subscriber(self, subscriber_id: str, callback: Callable[[LogEntry], None], 
+                      log_filter: Optional[LogFilter] = None) -> bool:
+        """Add log subscriber for real-time streaming"""
+        with self.lock:
+            if subscriber_id in self.subscribers:
+                return False
+            
+            subscriber = LogSubscriber(subscriber_id, callback, log_filter)
+            self.subscribers[subscriber_id] = subscriber
+            self.stats['active_subscribers'] = len(self.subscribers)
+            
+            return True
+    
+    def remove_subscriber(self, subscriber_id: str) -> bool:
+        """Remove log subscriber"""
+        with self.lock:
+            if subscriber_id in self.subscribers:
+                del self.subscribers[subscriber_id]
+                self.stats['active_subscribers'] = len(self.subscribers)
+                return True
+            return False
+    
+    def get_logs(self, limit: int = 100, offset: int = 0, 
+                log_filter: Optional[LogFilter] = None) -> List[Dict]:
+        """Get logs with filtering and pagination"""
+        with self.lock:
+            # Convert deque to list for easier manipulation
+            all_logs = list(self.log_entries)
+        
+        # Apply filter
+        if log_filter:
+            filtered_logs = [entry for entry in all_logs if log_filter.matches(entry)]
+        else:
+            filtered_logs = all_logs
+        
+        # Sort by timestamp (newest first)
+        filtered_logs.sort(key=lambda x: x.timestamp, reverse=True)
+        
+        # Apply pagination
+        paginated_logs = filtered_logs[offset:offset + limit]
+        
+        return [entry.to_dict() for entry in paginated_logs]
+    
+    def search_logs(self, query: str, limit: int = 100) -> List[Dict]:
+        """Search logs by text query"""
+        log_filter = LogFilter()
+        log_filter.text_filter = query
+        
+        return self.get_logs(limit=limit, log_filter=log_filter)
+    
+    def get_logs_by_session(self, session_id: str, limit: int = 100) -> List[Dict]:
+        """Get logs for specific session"""
+        log_filter = LogFilter()
+        log_filter.session_filter = session_id
+        
+        return self.get_logs(limit=limit, log_filter=log_filter)
+    
+    def get_logs_by_client(self, client_id: str, limit: int = 100) -> List[Dict]:
+        """Get logs for specific client"""
+        log_filter = LogFilter()
+        log_filter.client_filter = client_id
+        
+        return self.get_logs(limit=limit, log_filter=log_filter)
+    
+    def get_logs_by_ip(self, ip_address: str, limit: int = 100) -> List[Dict]:
+        """Get logs for specific IP address"""
+        log_filter = LogFilter()
+        log_filter.ip_filter = ip_address
+        
+        return self.get_logs(limit=limit, log_filter=log_filter)
+    
+    def get_recent_errors(self, limit: int = 50) -> List[Dict]:
+        """Get recent error and critical logs"""
+        log_filter = LogFilter()
+        log_filter.level_filter = LogLevel.ERROR
+        
+        return self.get_logs(limit=limit, log_filter=log_filter)
+    
+    def clear_logs(self):
+        """Clear all logs from memory"""
+        with self.lock:
+            self.log_entries.clear()
+    
+    def get_stats(self) -> Dict:
+        """Get logging statistics"""
+        with self.lock:
+            stats = self.stats.copy()
+            stats['memory_logs_count'] = len(self.log_entries)
+            stats['active_subscribers'] = len(self.subscribers)
+            stats['queue_size'] = self.log_queue.qsize()
+        
+        return stats
+    
+    def reset_stats(self):
+        """Reset logging statistics"""
+        self.stats = {
+            'total_logs': 0,
+            'logs_by_level': {level.value: 0 for level in LogLevel},
+            'logs_by_category': {cat.value: 0 for cat in LogCategory},
+            'active_subscribers': len(self.subscribers),
+            'file_logs_written': 0,
+            'console_logs_written': 0,
+            'dropped_logs': 0
+        }
+    
+    def export_logs(self, format: str = 'json', log_filter: Optional[LogFilter] = None) -> str:
+        """Export logs in specified format"""
+        logs = self.get_logs(limit=10000, log_filter=log_filter)
+        
+        if format == 'json':
+            return json.dumps(logs, indent=2, default=str)
+        elif format == 'csv':
+            import csv
+            import io
+            
+            output = io.StringIO()
+            if logs:
+                writer = csv.DictWriter(output, fieldnames=logs[0].keys())
+                writer.writeheader()
+                writer.writerows(logs)
+            
+            return output.getvalue()
+        else:
+            raise ValueError(f"Unsupported export format: {format}")
+    
+    def set_log_level(self, level: LogLevel):
+        """Set logging level"""
+        self.log_level = level
+        self.logger.setLevel(getattr(logging, level.value))
+    
+    def start(self):
+        """Start logger"""
+        self.running = True
+        self.processing_thread = threading.Thread(target=self._process_log_queue, daemon=True)
+        self.processing_thread.start()
+        
+        self.info(LogCategory.SYSTEM, 'logger', 'Virtual ISP Logger started')
+    
+    def stop(self):
+        """Stop logger"""
+        self.info(LogCategory.SYSTEM, 'logger', 'Virtual ISP Logger stopping')
+        
+        self.running = False
+        
+        # Wait for queue to be processed
+        self.log_queue.join()
+        
+        # Wait for processing thread
+        if self.processing_thread:
+            self.processing_thread.join()
+        
+        # Remove all subscribers
+        with self.lock:
+            self.subscribers.clear()
+        
+        print("Virtual ISP Logger stopped")
+
+
+# Global logger instance
+_global_logger: Optional[VirtualISPLogger] = None
+
+
+def get_logger() -> Optional[VirtualISPLogger]:
+    """Get global logger instance"""
+    return _global_logger
+
+
+def init_logger(config: Dict) -> VirtualISPLogger:
+    """Initialize global logger"""
+    global _global_logger
+    _global_logger = VirtualISPLogger(config)
+    return _global_logger
+
+
+def log_debug(category: LogCategory, module: str, message: str, **kwargs):
+    """Global debug logging function"""
+    if _global_logger:
+        _global_logger.debug(category, module, message, **kwargs)
+
+
+def log_info(category: LogCategory, module: str, message: str, **kwargs):
+    """Global info logging function"""
+    if _global_logger:
+        _global_logger.info(category, module, message, **kwargs)
+
+
+def log_warning(category: LogCategory, module: str, message: str, **kwargs):
+    """Global warning logging function"""
+    if _global_logger:
+        _global_logger.warning(category, module, message, **kwargs)
+
+
+def log_error(category: LogCategory, module: str, message: str, **kwargs):
+    """Global error logging function"""
+    if _global_logger:
+        _global_logger.error(category, module, message, **kwargs)
+
+
+def log_critical(category: LogCategory, module: str, message: str, **kwargs):
+    """Global critical logging function"""
+    if _global_logger:
+        _global_logger.critical(category, module, message, **kwargs)
+

core/nat_engine.py

@@ -0,0 +1,516 @@
+"""
+NAT Engine Module
+
+Implements Network Address Translation:
+- Map (virtualIP, virtualPort) to (hostIP, hostPort)
+- Maintain connection tracking table
+- Handle port allocation and deallocation
+- Support connection state tracking
+"""
+
+import time
+import threading
+import socket
+import random
+from typing import Dict, Optional, Tuple, Set
+from dataclasses import dataclass
+from enum import Enum
+
+from .ip_parser import IPProtocol
+
+
+class NATType(Enum):
+    SNAT = "SNAT"  # Source NAT
+    DNAT = "DNAT"  # Destination NAT
+
+
+@dataclass
+class NATSession:
+    """Represents a NAT session"""
+    # Virtual (internal) endpoint
+    virtual_ip: str
+    virtual_port: int
+    
+    # Real (external) endpoint
+    real_ip: str
+    real_port: int
+    
+    # Host (translated) endpoint
+    host_ip: str
+    host_port: int
+    
+    # Session metadata
+    protocol: str  # TCP or UDP
+    nat_type: NATType
+    created_time: float
+    last_activity: float
+    bytes_in: int = 0
+    bytes_out: int = 0
+    packets_in: int = 0
+    packets_out: int = 0
+    
+    @property
+    def session_id(self) -> str:
+        """Get unique session identifier"""
+        return f"{self.virtual_ip}:{self.virtual_port}-{self.real_ip}:{self.real_port}-{self.protocol}"
+    
+    @property
+    def is_expired(self) -> bool:
+        """Check if session has expired"""
+        timeout = 300 if self.protocol == 'TCP' else 60  # 5 min for TCP, 1 min for UDP
+        return time.time() - self.last_activity > timeout
+    
+    @property
+    def duration(self) -> float:
+        """Get session duration in seconds"""
+        return time.time() - self.created_time
+    
+    def update_activity(self, bytes_transferred: int = 0, direction: str = 'out'):
+        """Update session activity"""
+        self.last_activity = time.time()
+        
+        if direction == 'out':
+            self.bytes_out += bytes_transferred
+            self.packets_out += 1
+        else:
+            self.bytes_in += bytes_transferred
+            self.packets_in += 1
+
+
+class PortPool:
+    """Manages available ports for NAT"""
+    
+    def __init__(self, start_port: int = 10000, end_port: int = 65535):
+        self.start_port = start_port
+        self.end_port = end_port
+        self.available_ports: Set[int] = set(range(start_port, end_port + 1))
+        self.allocated_ports: Dict[int, str] = {}  # port -> session_id
+        self.lock = threading.Lock()
+    
+    def allocate_port(self, session_id: str) -> Optional[int]:
+        """Allocate a port for a session"""
+        with self.lock:
+            if not self.available_ports:
+                return None
+            
+            # Try to get a random port to distribute load
+            port = random.choice(list(self.available_ports))
+            self.available_ports.remove(port)
+            self.allocated_ports[port] = session_id
+            
+            return port
+    
+    def release_port(self, port: int) -> bool:
+        """Release a port back to the pool"""
+        with self.lock:
+            if port in self.allocated_ports:
+                del self.allocated_ports[port]
+                if self.start_port <= port <= self.end_port:
+                    self.available_ports.add(port)
+                return True
+            return False
+    
+    def get_session_for_port(self, port: int) -> Optional[str]:
+        """Get session ID for a port"""
+        with self.lock:
+            return self.allocated_ports.get(port)
+    
+    def get_stats(self) -> Dict:
+        """Get port pool statistics"""
+        with self.lock:
+            return {
+                'total_ports': self.end_port - self.start_port + 1,
+                'available_ports': len(self.available_ports),
+                'allocated_ports': len(self.allocated_ports),
+                'utilization': len(self.allocated_ports) / (self.end_port - self.start_port + 1)
+            }
+
+
+class NATEngine:
+    """Network Address Translation engine"""
+    
+    def __init__(self, config: Dict):
+        self.config = config
+        self.sessions: Dict[str, NATSession] = {}  # session_id -> session
+        self.virtual_to_session: Dict[Tuple[str, int, str], str] = {}  # (vip, vport, proto) -> session_id
+        self.host_to_session: Dict[Tuple[str, int, str], str] = {}  # (hip, hport, proto) -> session_id
+        self.lock = threading.Lock()
+        
+        # Port pool for outbound connections
+        self.port_pool = PortPool(
+            config.get('port_range_start', 10000),
+            config.get('port_range_end', 65535)
+        )
+        
+        # Host IP for outbound connections
+        self.host_ip = config.get('host_ip', self._get_default_host_ip())
+        
+        # Session timeout
+        self.session_timeout = config.get('session_timeout', 300)
+        
+        # Statistics
+        self.stats = {
+            'total_sessions': 0,
+            'active_sessions': 0,
+            'expired_sessions': 0,
+            'port_exhaustion_events': 0,
+            'bytes_translated': 0,
+            'packets_translated': 0
+        }
+        
+        # Cleanup thread
+        self.running = False
+        self.cleanup_thread = None
+    
+    def _get_default_host_ip(self) -> str:
+        """Get default host IP address"""
+        try:
+            # Connect to a remote address to determine local IP
+            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
+                s.connect(('8.8.8.8', 80))
+                return s.getsockname()[0]
+        except Exception:
+            return '127.0.0.1'
+    
+    def _cleanup_expired_sessions(self):
+        """Clean up expired sessions"""
+        current_time = time.time()
+        expired_sessions = []
+        
+        with self.lock:
+            for session_id, session in self.sessions.items():
+                if session.is_expired:
+                    expired_sessions.append(session_id)
+        
+        for session_id in expired_sessions:
+            self._remove_session(session_id)
+            self.stats['expired_sessions'] += 1
+    
+    def _remove_session(self, session_id: str):
+        """Remove a session and clean up resources"""
+        with self.lock:
+            if session_id not in self.sessions:
+                return
+            
+            session = self.sessions[session_id]
+            
+            # Remove from lookup tables
+            virtual_key = (session.virtual_ip, session.virtual_port, session.protocol)
+            if virtual_key in self.virtual_to_session:
+                del self.virtual_to_session[virtual_key]
+            
+            host_key = (session.host_ip, session.host_port, session.protocol)
+            if host_key in self.host_to_session:
+                del self.host_to_session[host_key]
+            
+            # Release port
+            self.port_pool.release_port(session.host_port)
+            
+            # Remove session
+            del self.sessions[session_id]
+            
+            self.stats['active_sessions'] = len(self.sessions)
+    
+    def create_outbound_session(self, virtual_ip: str, virtual_port: int, 
+                               real_ip: str, real_port: int, protocol: str) -> Optional[NATSession]:
+        """Create NAT session for outbound connection"""
+        # Allocate host port
+        session_id = f"{virtual_ip}:{virtual_port}-{real_ip}:{real_port}-{protocol}"
+        host_port = self.port_pool.allocate_port(session_id)
+        
+        if host_port is None:
+            self.stats['port_exhaustion_events'] += 1
+            return None
+        
+        # Create session
+        session = NATSession(
+            virtual_ip=virtual_ip,
+            virtual_port=virtual_port,
+            real_ip=real_ip,
+            real_port=real_port,
+            host_ip=self.host_ip,
+            host_port=host_port,
+            protocol=protocol,
+            nat_type=NATType.SNAT,
+            created_time=time.time(),
+            last_activity=time.time()
+        )
+        
+        with self.lock:
+            self.sessions[session_id] = session
+            
+            # Add to lookup tables
+            virtual_key = (virtual_ip, virtual_port, protocol)
+            self.virtual_to_session[virtual_key] = session_id
+            
+            host_key = (self.host_ip, host_port, protocol)
+            self.host_to_session[host_key] = session_id
+        
+        self.stats['total_sessions'] += 1
+        self.stats['active_sessions'] = len(self.sessions)
+        
+        return session
+    
+    def translate_outbound(self, virtual_ip: str, virtual_port: int, 
+                          real_ip: str, real_port: int, protocol: str) -> Optional[Tuple[str, int]]:
+        """Translate outbound packet (virtual -> host)"""
+        virtual_key = (virtual_ip, virtual_port, protocol)
+        
+        with self.lock:
+            session_id = self.virtual_to_session.get(virtual_key)
+            
+            if session_id:
+                session = self.sessions[session_id]
+                session.update_activity(direction='out')
+                return (session.host_ip, session.host_port)
+            else:
+                # Create new session
+                session = self.create_outbound_session(virtual_ip, virtual_port, real_ip, real_port, protocol)
+                if session:
+                    return (session.host_ip, session.host_port)
+        
+        return None
+    
+    def translate_inbound(self, host_ip: str, host_port: int, protocol: str) -> Optional[Tuple[str, int]]:
+        """Translate inbound packet (host -> virtual)"""
+        host_key = (host_ip, host_port, protocol)
+        
+        with self.lock:
+            session_id = self.host_to_session.get(host_key)
+            
+            if session_id and session_id in self.sessions:
+                session = self.sessions[session_id]
+                session.update_activity(direction='in')
+                return (session.virtual_ip, session.virtual_port)
+        
+        return None
+    
+    def get_session_by_virtual(self, virtual_ip: str, virtual_port: int, protocol: str) -> Optional[NATSession]:
+        """Get session by virtual endpoint"""
+        virtual_key = (virtual_ip, virtual_port, protocol)
+        
+        with self.lock:
+            session_id = self.virtual_to_session.get(virtual_key)
+            if session_id and session_id in self.sessions:
+                return self.sessions[session_id]
+        
+        return None
+    
+    def get_session_by_host(self, host_ip: str, host_port: int, protocol: str) -> Optional[NATSession]:
+        """Get session by host endpoint"""
+        host_key = (host_ip, host_port, protocol)
+        
+        with self.lock:
+            session_id = self.host_to_session.get(host_key)
+            if session_id and session_id in self.sessions:
+                return self.sessions[session_id]
+        
+        return None
+    
+    def close_session(self, session_id: str) -> bool:
+        """Manually close a session"""
+        with self.lock:
+            if session_id in self.sessions:
+                self._remove_session(session_id)
+                return True
+        return False
+    
+    def close_session_by_virtual(self, virtual_ip: str, virtual_port: int, protocol: str) -> bool:
+        """Close session by virtual endpoint"""
+        virtual_key = (virtual_ip, virtual_port, protocol)
+        
+        with self.lock:
+            session_id = self.virtual_to_session.get(virtual_key)
+            if session_id:
+                self._remove_session(session_id)
+                return True
+        return False
+    
+    def get_sessions(self) -> Dict[str, Dict]:
+        """Get all active sessions"""
+        with self.lock:
+            return {
+                session_id: {
+                    'virtual_ip': session.virtual_ip,
+                    'virtual_port': session.virtual_port,
+                    'real_ip': session.real_ip,
+                    'real_port': session.real_port,
+                    'host_ip': session.host_ip,
+                    'host_port': session.host_port,
+                    'protocol': session.protocol,
+                    'nat_type': session.nat_type.value,
+                    'created_time': session.created_time,
+                    'last_activity': session.last_activity,
+                    'duration': session.duration,
+                    'bytes_in': session.bytes_in,
+                    'bytes_out': session.bytes_out,
+                    'packets_in': session.packets_in,
+                    'packets_out': session.packets_out,
+                    'is_expired': session.is_expired
+                }
+                for session_id, session in self.sessions.items()
+            }
+    
+    def get_stats(self) -> Dict:
+        """Get NAT statistics"""
+        port_stats = self.port_pool.get_stats()
+        
+        with self.lock:
+            current_stats = self.stats.copy()
+            current_stats['active_sessions'] = len(self.sessions)
+            current_stats.update(port_stats)
+        
+        return current_stats
+    
+    def update_packet_stats(self, bytes_count: int):
+        """Update packet statistics"""
+        self.stats['bytes_translated'] += bytes_count
+        self.stats['packets_translated'] += 1
+    
+    def _cleanup_loop(self):
+        """Background cleanup loop"""
+        while self.running:
+            try:
+                self._cleanup_expired_sessions()
+                time.sleep(30)  # Cleanup every 30 seconds
+            except Exception as e:
+                print(f"NAT cleanup error: {e}")
+                time.sleep(5)
+    
+    def start(self):
+        """Start NAT engine"""
+        self.running = True
+        self.cleanup_thread = threading.Thread(target=self._cleanup_loop, daemon=True)
+        self.cleanup_thread.start()
+        print(f"NAT engine started - Host IP: {self.host_ip}, Port range: {self.port_pool.start_port}-{self.port_pool.end_port}")
+    
+    def stop(self):
+        """Stop NAT engine"""
+        self.running = False
+        if self.cleanup_thread:
+            self.cleanup_thread.join()
+        
+        # Close all sessions
+        with self.lock:
+            session_ids = list(self.sessions.keys())
+            for session_id in session_ids:
+                self._remove_session(session_id)
+        
+        print("NAT engine stopped")
+    
+    def reset_stats(self):
+        """Reset statistics"""
+        self.stats = {
+            'total_sessions': 0,
+            'active_sessions': len(self.sessions),
+            'expired_sessions': 0,
+            'port_exhaustion_events': 0,
+            'bytes_translated': 0,
+            'packets_translated': 0
+        }
+
+
+class NATRule:
+    """Represents a NAT rule for DNAT (port forwarding)"""
+    
+    def __init__(self, external_port: int, internal_ip: str, internal_port: int, 
+                 protocol: str = 'TCP', enabled: bool = True):
+        self.external_port = external_port
+        self.internal_ip = internal_ip
+        self.internal_port = internal_port
+        self.protocol = protocol.upper()
+        self.enabled = enabled
+        self.created_time = time.time()
+        self.hit_count = 0
+        self.last_hit = None
+    
+    def matches(self, port: int, protocol: str) -> bool:
+        """Check if rule matches the given port and protocol"""
+        return (self.enabled and 
+                self.external_port == port and 
+                self.protocol == protocol.upper())
+    
+    def record_hit(self):
+        """Record a rule hit"""
+        self.hit_count += 1
+        self.last_hit = time.time()
+    
+    def to_dict(self) -> Dict:
+        """Convert rule to dictionary"""
+        return {
+            'external_port': self.external_port,
+            'internal_ip': self.internal_ip,
+            'internal_port': self.internal_port,
+            'protocol': self.protocol,
+            'enabled': self.enabled,
+            'created_time': self.created_time,
+            'hit_count': self.hit_count,
+            'last_hit': self.last_hit
+        }
+
+
+class DNATEngine:
+    """Destination NAT engine for port forwarding"""
+    
+    def __init__(self):
+        self.rules: Dict[str, NATRule] = {}  # rule_id -> rule
+        self.lock = threading.Lock()
+    
+    def add_rule(self, rule_id: str, external_port: int, internal_ip: str, 
+                 internal_port: int, protocol: str = 'TCP') -> bool:
+        """Add DNAT rule"""
+        with self.lock:
+            if rule_id in self.rules:
+                return False
+            
+            rule = NATRule(external_port, internal_ip, internal_port, protocol)
+            self.rules[rule_id] = rule
+            return True
+    
+    def remove_rule(self, rule_id: str) -> bool:
+        """Remove DNAT rule"""
+        with self.lock:
+            if rule_id in self.rules:
+                del self.rules[rule_id]
+                return True
+            return False
+    
+    def enable_rule(self, rule_id: str) -> bool:
+        """Enable DNAT rule"""
+        with self.lock:
+            if rule_id in self.rules:
+                self.rules[rule_id].enabled = True
+                return True
+            return False
+    
+    def disable_rule(self, rule_id: str) -> bool:
+        """Disable DNAT rule"""
+        with self.lock:
+            if rule_id in self.rules:
+                self.rules[rule_id].enabled = False
+                return True
+            return False
+    
+    def translate_inbound_dnat(self, external_port: int, protocol: str) -> Optional[Tuple[str, int]]:
+        """Translate inbound packet using DNAT rules"""
+        with self.lock:
+            for rule in self.rules.values():
+                if rule.matches(external_port, protocol):
+                    rule.record_hit()
+                    return (rule.internal_ip, rule.internal_port)
+        
+        return None
+    
+    def get_rules(self) -> Dict[str, Dict]:
+        """Get all DNAT rules"""
+        with self.lock:
+            return {
+                rule_id: rule.to_dict()
+                for rule_id, rule in self.rules.items()
+            }
+    
+    def clear_rules(self):
+        """Clear all DNAT rules"""
+        with self.lock:
+            self.rules.clear()
+

core/openvpn_manager.py

@@ -0,0 +1,608 @@
+"""
+OpenVPN Manager Module
+
+Manages OpenVPN server integration with the Virtual ISP Stack
+"""
+
+import os
+import json
+import subprocess
+import threading
+import time
+import logging
+from typing import Dict, List, Optional, Any
+from dataclasses import dataclass, asdict
+import ipaddress
+
+logger = logging.getLogger(__name__)
+
+@dataclass
+class VPNClient:
+    """Represents a connected VPN client"""
+    client_id: str
+    common_name: str
+    ip_address: str
+    connected_at: float
+    bytes_received: int = 0
+    bytes_sent: int = 0
+    status: str = "connected"
+
+@dataclass
+class VPNServerStatus:
+    """Represents VPN server status"""
+    is_running: bool
+    connected_clients: int
+    total_bytes_received: int
+    total_bytes_sent: int
+    uptime: float
+    server_ip: str
+    server_port: int
+
+class OpenVPNManager:
+    """Manages OpenVPN server and client connections"""
+    
+    def __init__(self, config: Dict[str, Any]):
+        self.config = config
+        self.server_config_path = "/etc/openvpn/server/server.conf"
+        self.status_log_path = "/var/log/openvpn/openvpn-status.log"
+        self.clients: Dict[str, VPNClient] = {}
+        self.server_process = None
+        self.is_running = False
+        self.start_time = None
+        
+        # VPN network configuration
+        self.vpn_network = ipaddress.IPv4Network("10.8.0.0/24")
+        self.vpn_server_ip = "10.8.0.1"
+        self.vpn_port = 1194
+        
+        # Integration with ISP stack
+        self.dhcp_server = None
+        self.nat_engine = None
+        self.firewall = None
+        self.router = None
+        
+        # Status monitoring thread
+        self.monitor_thread = None
+        self.monitor_running = False
+        
+        # Client configuration storage
+        self.config_storage_path = "/tmp/vpn_client_configs"
+        os.makedirs(self.config_storage_path, exist_ok=True)
+        
+    def set_isp_components(self, dhcp_server=None, nat_engine=None, firewall=None, router=None):
+        """Set references to ISP stack components for integration"""
+        self.dhcp_server = dhcp_server
+        self.nat_engine = nat_engine
+        self.firewall = firewall
+        self.router = router
+        
+    def start_server(self) -> bool:
+        """Start the OpenVPN server"""
+        try:
+            if self.is_running:
+                logger.warning("OpenVPN server is already running")
+                return True
+            
+            # Ensure configuration exists
+            if not os.path.exists(self.server_config_path):
+                logger.error(f"OpenVPN server configuration not found: {self.server_config_path}")
+                return False
+            
+            # Create log directory
+            os.makedirs("/var/log/openvpn", exist_ok=True)
+            
+            # Start OpenVPN server
+            cmd = [
+                "sudo", "openvpn",
+                "--config", self.server_config_path,
+                "--daemon", "openvpn-server",
+                "--log", "/var/log/openvpn/openvpn.log",
+                "--status", self.status_log_path, "10"
+            ]
+            
+            result = subprocess.run(cmd, capture_output=True, text=True)
+            
+            if result.returncode == 0:
+                self.is_running = True
+                self.start_time = time.time()
+                logger.info("OpenVPN server started successfully")
+                
+                # Start monitoring thread
+                self.start_monitoring()
+                
+                # Configure firewall rules for VPN
+                self._configure_vpn_firewall()
+                
+                # Configure NAT for VPN traffic
+                self._configure_vpn_nat()
+                
+                return True
+            else:
+                logger.error(f"Failed to start OpenVPN server: {result.stderr}")
+                return False
+                
+        except Exception as e:
+            logger.error(f"Error starting OpenVPN server: {e}")
+            return False
+    
+    def stop_server(self) -> bool:
+        """Stop the OpenVPN server"""
+        try:
+            if not self.is_running:
+                logger.warning("OpenVPN server is not running")
+                return True
+            
+            # Stop monitoring
+            self.stop_monitoring()
+            
+            # Kill OpenVPN process
+            result = subprocess.run(["sudo", "pkill", "-f", "openvpn.*server"], 
+                                  capture_output=True, text=True)
+            
+            self.is_running = False
+            self.start_time = None
+            self.clients.clear()
+            
+            logger.info("OpenVPN server stopped")
+            return True
+            
+        except Exception as e:
+            logger.error(f"Error stopping OpenVPN server: {e}")
+            return False
+    
+    def start_monitoring(self):
+        """Start the client monitoring thread"""
+        if self.monitor_thread and self.monitor_thread.is_alive():
+            return
+        
+        self.monitor_running = True
+        self.monitor_thread = threading.Thread(target=self._monitor_clients, daemon=True)
+        self.monitor_thread.start()
+        logger.info("Started OpenVPN client monitoring")
+    
+    def stop_monitoring(self):
+        """Stop the client monitoring thread"""
+        self.monitor_running = False
+        if self.monitor_thread:
+            self.monitor_thread.join(timeout=5)
+        logger.info("Stopped OpenVPN client monitoring")
+    
+    def _monitor_clients(self):
+        """Monitor connected VPN clients"""
+        while self.monitor_running:
+            try:
+                self._update_client_status()
+                time.sleep(10)  # Update every 10 seconds
+            except Exception as e:
+                logger.error(f"Error monitoring VPN clients: {e}")
+                time.sleep(30)  # Wait longer on error
+    
+    def _update_client_status(self):
+        """Update client status from OpenVPN status log"""
+        try:
+            if not os.path.exists(self.status_log_path):
+                return
+            
+            with open(self.status_log_path, 'r') as f:
+                content = f.read()
+            
+            # Parse OpenVPN status log
+            lines = content.split('\n')
+            client_section = False
+            routing_section = False
+            
+            current_clients = {}
+            
+            for line in lines:
+                line = line.strip()
+                
+                if line.startswith("OpenVPN CLIENT LIST"):
+                    client_section = True
+                    continue
+                elif line.startswith("ROUTING TABLE"):
+                    client_section = False
+                    routing_section = True
+                    continue
+                elif line.startswith("GLOBAL STATS"):
+                    routing_section = False
+                    continue
+                
+                if client_section and line and not line.startswith("Updated,"):
+                    # Parse client line: Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
+                    parts = line.split(',')
+                    if len(parts) >= 5:
+                        common_name = parts[0]
+                        real_address = parts[1]
+                        bytes_received = int(parts[2]) if parts[2].isdigit() else 0
+                        bytes_sent = int(parts[3]) if parts[3].isdigit() else 0
+                        connected_since = parts[4]
+                        
+                        # Get VPN IP from routing table (will be parsed later)
+                        vpn_ip = "unknown"
+                        
+                        client = VPNClient(
+                            client_id=common_name,
+                            common_name=common_name,
+                            ip_address=vpn_ip,
+                            connected_at=time.time(),  # Simplified for now
+                            bytes_received=bytes_received,
+                            bytes_sent=bytes_sent
+                        )
+                        current_clients[common_name] = client
+                
+                elif routing_section and line and not line.startswith("Virtual Address,"):
+                    # Parse routing line: Virtual Address,Common Name,Real Address,Last Ref
+                    parts = line.split(',')
+                    if len(parts) >= 2:
+                        vpn_ip = parts[0]
+                        common_name = parts[1]
+                        
+                        if common_name in current_clients:
+                            current_clients[common_name].ip_address = vpn_ip
+            
+            # Update clients dictionary
+            self.clients = current_clients
+            
+            # Integrate with DHCP server if available
+            if self.dhcp_server:
+                self._sync_with_dhcp()
+            
+        except Exception as e:
+            logger.error(f"Error updating client status: {e}")
+    
+    def _sync_with_dhcp(self):
+        """Sync VPN clients with DHCP server"""
+        try:
+            for client in self.clients.values():
+                if client.ip_address != "unknown":
+                    # Register VPN client IP with DHCP server
+                    # This allows the ISP stack to track VPN clients
+                    if hasattr(self.dhcp_server, 'register_static_lease'):
+                        self.dhcp_server.register_static_lease(
+                            client.common_name,
+                            client.ip_address,
+                            "VPN Client"
+                        )
+        except Exception as e:
+            logger.error(f"Error syncing with DHCP: {e}")
+    
+    def _configure_vpn_firewall(self):
+        """Configure firewall rules for VPN traffic"""
+        try:
+            if not self.firewall:
+                return
+            
+            # Add firewall rules for VPN
+            vpn_rules = [
+                {
+                    "rule_id": "allow_openvpn",
+                    "priority": 10,
+                    "action": "ACCEPT",
+                    "direction": "BOTH",
+                    "dest_port": str(self.vpn_port),
+                    "protocol": "UDP",
+                    "description": "Allow OpenVPN traffic",
+                    "enabled": True
+                },
+                {
+                    "rule_id": "allow_vpn_network",
+                    "priority": 11,
+                    "action": "ACCEPT",
+                    "direction": "BOTH",
+                    "source_network": str(self.vpn_network),
+                    "description": "Allow VPN client network traffic",
+                    "enabled": True
+                }
+            ]
+            
+            for rule in vpn_rules:
+                if hasattr(self.firewall, 'add_rule'):
+                    self.firewall.add_rule(rule)
+            
+            logger.info("Configured firewall rules for VPN")
+            
+        except Exception as e:
+            logger.error(f"Error configuring VPN firewall: {e}")
+    
+    def _configure_vpn_nat(self):
+        """Configure NAT for VPN traffic"""
+        try:
+            # NAT configuration will be handled by the external environment (e.g., HuggingFace Spaces setup)
+            # or by the underlying network infrastructure. We are removing direct iptables calls.
+            logger.info("Skipping direct iptables NAT configuration as per instructions.")
+            
+        except Exception as e:
+            logger.error(f"Error configuring VPN NAT: {e}")
+    
+    def get_server_status(self) -> VPNServerStatus:
+        """Get current server status"""
+        total_bytes_received = sum(client.bytes_received for client in self.clients.values())
+        total_bytes_sent = sum(client.bytes_sent for client in self.clients.values())
+        uptime = time.time() - self.start_time if self.start_time else 0
+        
+        return VPNServerStatus(
+            is_running=self.is_running,
+            connected_clients=len(self.clients),
+            total_bytes_received=total_bytes_received,
+            total_bytes_sent=total_bytes_sent,
+            uptime=uptime,
+            server_ip=self.vpn_server_ip,
+            server_port=self.vpn_port
+        )
+    
+    def get_connected_clients(self) -> List[Dict[str, Any]]:
+        """Get list of connected clients"""
+        return [asdict(client) for client in self.clients.values()]
+    
+    def disconnect_client(self, client_id: str) -> bool:
+        """Disconnect a specific client"""
+        try:
+            if client_id not in self.clients:
+                return False
+            
+            # Send kill signal to specific client
+            # This requires OpenVPN management interface, simplified for now
+            logger.info(f"Disconnecting client: {client_id}")
+            
+            # Remove from clients dict
+            del self.clients[client_id]
+            return True
+            
+        except Exception as e:
+            logger.error(f"Error disconnecting client {client_id}: {e}")
+            return False
+    
+    def generate_client_config(self, client_name: str, server_ip: str) -> str:
+        """Generate client configuration file with embedded certificates"""
+        try:
+            # Read real CA certificate
+            ca_cert_path = "/etc/openvpn/server/ca.crt"
+            try:
+                with open(ca_cert_path, 'r') as f:
+                    ca_cert = f.read()
+            except FileNotFoundError:
+                # Fallback to embedded certificate for development
+                ca_cert = """-----BEGIN CERTIFICATE-----
+MIIDMzCCAhugAwIBAgIUNO765P4t/yD/PnIFTMVs0Q32TJYwDQYJKoZIhvcNAQEL
+BQAwDjEMMAoGA1UEAwwDeWVzMB4XDTI1MDgwMjAxMjkzNVoXDTM1MDczMTAxMjkz
+NVowDjEMMAoGA1UEAwwDeWVzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAtwhMGXouHnHBRd2RhdrW8sOMgqt4wDXZC0J+4UMjOX6Y7t2O1Sgw/sWhwFPk
+QF/cMoQIvsucklPogcnzzGtv9zDkAXyVyCC27UYbg8JfWZK3ZMrt6dfEmYf4KKXm
+D6PLn9guxzBB63dhEWx/7fd6H9C/rK/u0rOh15DQRnfEI468cmXS5uNg8ke/73+y
+Gzb6q7ZOFByBAwM0hW0lStBaIIcxouFrIK8B72O8H+6t10K1GvgiBhKvM3cc8dpN
+y4qvRoN/o+eXarZG7G9dfm9OFgdd9LoXPTTbO+ftFPKOq4F41PnMd2Zcyk7P3GCr
+3oK7NbISxZ5efLpy45lgSpqKBwIDAQABo4GIMIGFMB0GA1UdDgQWBBQIi0Er30cV
+Qzi+U/LPV4Lf3yvGIzBJBgNVHSMEQjBAgBQIi0Er30cVQzi+U/LPV4Lf3yvGI6ES
+pBAwDjEMMAoGA1UEAwwDeWVzghQ07vrk/i3/IP8+cgVMxWzRDfZMljAMBgNVHRME
+BTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAHzfSFbi1G7WC
+vMSOqSv4/jlBExnz/AlLUBHhgDomIdLK8Pb3tyCD5IYkmi0NT5x6DORcOV2ow1JZ
+o4BL7OVV+fhz3VKXEpG+s3gq5j2m+raqLtu6QKBGg7SIUZ4MLjggvAcPjsK+n8sK
+86sAUFVTccBxJlKBShAUPSNihyWwxB4PQFvwhefNQSoID1kAB2Fzf1beMX6Gp6Lj
+ldI6e63lpYtIbp4+2F5SxJ/hGTUx+nWbOAHPvhBfhN6sEu9G1C5KPR0cm+xxOpZ9
+lA7y4Dea7pyVybR/b7lFquE3TReXCoLx79UNNSv8erIlsy1jh9yXDnTCk8SN1dpO
+YwJ9U0AHXA==
+-----END CERTIFICATE-----"""
+
+            # Sample client certificate (in production, generate unique per client)
+            client_cert = f"""-----BEGIN CERTIFICATE-----
+MIIDSzCCAjOgAwIBAgIU{client_name}1234567890abcdefghijklmnopqrstuvwxyz
+ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890abcdefghijklmnopqrstuvwxyz1234567
+890abcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxyz12345
+67890abcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxyz123
+4567890abcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxyz1
+234567890abcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxy
+z1234567890abcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmnopqrstuv
+wxyz1234567890abcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmnopqrs
+tuvwxyz1234567890abcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmno
+pqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxyz1234567890abcdefghij
+klmnopqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxyz1234567890abcd
+efghijklmnopqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxyz1234567
+890abcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxy
+z1234567890abcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmnop
+qrstuvwxyz1234567890abcdefghijklmnopqrstuvwxyz1234567890abcde
+fghijklmnopqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxyz12
+34567890abcdefghijklmnopqrstuvwxyz1234567890abcdefghijk
+lmnopqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxyz12
+34567890abcdefghijklmnopqrstuvwxyz1234567890abc
+defghijklmnopqrstuvwxyz1234567890abcdefg
+hijklmnopqrstuvwxyz1234567890
+abcdefghijklmnopqr
+stuvwxyz12345
+67890abc
+def
+-----END CERTIFICATE-----"""
+
+            # Sample client private key (in production, generate unique per client)
+            client_key = f"""-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC{client_name}1234567
+890abcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxyz123456
+7890abcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxyz12345
+67890abcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxyz1234
+567890abcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxyz123
+4567890abcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxyz12
+34567890abcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxyz1
+234567890abcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxy
+z1234567890abcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmnopqrstuv
+wxyz1234567890abcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmnopqrs
+tuvwxyz1234567890abcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmno
+pqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxyz1234567890abcdefghij
+klmnopqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxyz1234567890abcd
+efghijklmnopqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxyz1234567
+890abcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxy
+z1234567890abcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmnop
+qrstuvwxyz1234567890abcdefghijklmnopqrstuvwxyz1234567890abcde
+fghijklmnopqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxyz12
+34567890abcdefghijklmnopqrstuvwxyz1234567890abcdefghijk
+lmnopqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxyz12
+34567890abcdefghijklmnopqrstuvwxyz1234567890abc
+defghijklmnopqrstuvwxyz1234567890abcdefg
+hijklmnopqrstuvwxyz1234567890
+abcdefghijklmnopqr
+stuvwxyz12345
+67890abc
+defghijk
+lmnopqr
+stuv
+-----END PRIVATE KEY-----"""
+
+            # Generate complete client configuration
+            client_config = f"""# OpenVPN Client Configuration for {client_name}
+# Generated by Virtual ISP Stack
+# Server: {server_ip}:{self.vpn_port}
+
+client
+dev tun
+proto udp
+remote {server_ip} {self.vpn_port}
+resolv-retry infinite
+nobind
+persist-key
+persist-tun
+cipher AES-256-CBC
+auth SHA256
+verb 3
+key-direction 1
+redirect-gateway def1 bypass-dhcp
+dhcp-option DNS 8.8.8.8
+dhcp-option DNS 8.8.4.4
+remote-cert-tls server
+
+# Embedded CA Certificate
+<ca>
+{ca_cert}
+</ca>
+
+# Embedded Client Certificate
+<cert>
+{client_cert}
+</cert>
+
+# Embedded Client Private Key
+<key>
+{client_key}
+</key>
+
+# TLS Authentication Key (optional, for extra security)
+# <tls-auth>
+# -----BEGIN OpenVPN Static key V1-----
+# [TLS-AUTH-KEY-CONTENT-WOULD-GO-HERE]
+# -----END OpenVPN Static key V1-----
+# </tls-auth>
+"""
+            
+            logger.info(f"Generated client configuration for {client_name}")
+            return client_config
+            
+        except Exception as e:
+            logger.error(f"Error generating client config: {e}")
+            return ""
+    
+    def save_client_config(self, client_name: str, config_content: str) -> bool:
+        """Save client configuration to storage"""
+        try:
+            config_file_path = os.path.join(self.config_storage_path, f"{client_name}.ovpn")
+            with open(config_file_path, 'w') as f:
+                f.write(config_content)
+            
+            logger.info(f"Saved client configuration for {client_name}")
+            return True
+            
+        except Exception as e:
+            logger.error(f"Error saving client config for {client_name}: {e}")
+            return False
+    
+    def load_client_config(self, client_name: str) -> str:
+        """Load client configuration from storage"""
+        try:
+            config_file_path = os.path.join(self.config_storage_path, f"{client_name}.ovpn")
+            if not os.path.exists(config_file_path):
+                return ""
+            
+            with open(config_file_path, 'r') as f:
+                config_content = f.read()
+            
+            logger.info(f"Loaded client configuration for {client_name}")
+            return config_content
+            
+        except Exception as e:
+            logger.error(f"Error loading client config for {client_name}: {e}")
+            return ""
+    
+    def list_client_configs(self) -> List[str]:
+        """List all stored client configurations"""
+        try:
+            config_files = []
+            if os.path.exists(self.config_storage_path):
+                for filename in os.listdir(self.config_storage_path):
+                    if filename.endswith('.ovpn'):
+                        client_name = filename[:-5]  # Remove .ovpn extension
+                        config_files.append(client_name)
+            
+            return config_files
+            
+        except Exception as e:
+            logger.error(f"Error listing client configs: {e}")
+            return []
+    
+    def delete_client_config(self, client_name: str) -> bool:
+        """Delete client configuration from storage"""
+        try:
+            config_file_path = os.path.join(self.config_storage_path, f"{client_name}.ovpn")
+            if os.path.exists(config_file_path):
+                os.remove(config_file_path)
+                logger.info(f"Deleted client configuration for {client_name}")
+                return True
+            else:
+                logger.warning(f"Client configuration for {client_name} not found")
+                return False
+                
+        except Exception as e:
+            logger.error(f"Error deleting client config for {client_name}: {e}")
+            return False
+    
+    def generate_and_save_client_config(self, client_name: str, server_ip: str) -> str:
+        """Generate client configuration and save it to storage"""
+        try:
+            config_content = self.generate_client_config(client_name, server_ip)
+            if config_content:
+                if self.save_client_config(client_name, config_content):
+                    return config_content
+            return ""
+            
+        except Exception as e:
+            logger.error(f"Error generating and saving client config for {client_name}: {e}")
+            return ""
+    
+    def get_statistics(self) -> Dict[str, Any]:
+        """Get comprehensive VPN statistics"""
+        status = self.get_server_status()
+        
+        return {
+            "server_status": asdict(status),
+            "connected_clients": self.get_connected_clients(),
+            "network_config": {
+                "vpn_network": str(self.vpn_network),
+                "server_ip": self.vpn_server_ip,
+                "server_port": self.vpn_port
+            },
+            "integration_status": {
+                "dhcp_integrated": self.dhcp_server is not None,
+                "nat_integrated": self.nat_engine is not None,
+                "firewall_integrated": self.firewall is not None,
+                "router_integrated": self.router is not None
+            }
+        }
+
+# Global OpenVPN manager instance
+openvpn_manager = None
+
+def initialize_openvpn_manager(config: Dict[str, Any]) -> OpenVPNManager:
+    """Initialize the OpenVPN manager"""
+    global openvpn_manager
+    openvpn_manager = OpenVPNManager(config)
+    return openvpn_manager
+
+def get_openvpn_manager() -> Optional[OpenVPNManager]:
+    """Get the global OpenVPN manager instance"""
+    return openvpn_manager
+

core/packet_bridge.py

@@ -0,0 +1,664 @@
+"""
+Packet Bridge Module
+
+Handles communication with virtual clients:
+- Accept packet streams over WebSocket/TCP
+- Deliver response packets back to clients
+- Frame processing (Ethernet → IPv4)
+- Connection management
+"""
+
+import asyncio
+import websockets
+import socket
+import threading
+import time
+import struct
+from typing import Dict, List, Optional, Callable, Set, Any, Tuple
+from dataclasses import dataclass
+from enum import Enum
+import json
+import logging
+
+from .ip_parser import IPParser, ParsedPacket
+
+
+class BridgeType(Enum):
+    WEBSOCKET = "WEBSOCKET"
+    TCP_SOCKET = "TCP_SOCKET"
+    UDP_SOCKET = "UDP_SOCKET"
+
+
+@dataclass
+class ClientConnection:
+    """Represents a client connection to the bridge"""
+    client_id: str
+    bridge_type: BridgeType
+    remote_address: str
+    remote_port: int
+    websocket: Optional[Any] = None  # WebSocket connection
+    socket: Optional['socket.socket'] = None  # TCP/UDP socket
+    connected_time: float = 0
+    last_activity: float = 0
+    packets_received: int = 0
+    packets_sent: int = 0
+    bytes_received: int = 0
+    bytes_sent: int = 0
+    is_active: bool = True
+    
+    def __post_init__(self):
+        if self.connected_time == 0:
+            self.connected_time = time.time()
+        if self.last_activity == 0:
+            self.last_activity = time.time()
+    
+    def update_activity(self, packet_count: int = 1, byte_count: int = 0, direction: str = 'received'):
+        """Update connection activity"""
+        self.last_activity = time.time()
+        
+        if direction == 'received':
+            self.packets_received += packet_count
+            self.bytes_received += byte_count
+        else:
+            self.packets_sent += packet_count
+            self.bytes_sent += byte_count
+    
+    def to_dict(self) -> Dict:
+        """Convert to dictionary"""
+        return {
+            'client_id': self.client_id,
+            'bridge_type': self.bridge_type.value,
+            'remote_address': self.remote_address,
+            'remote_port': self.remote_port,
+            'connected_time': self.connected_time,
+            'last_activity': self.last_activity,
+            'packets_received': self.packets_received,
+            'packets_sent': self.packets_sent,
+            'bytes_received': self.bytes_received,
+            'bytes_sent': self.bytes_sent,
+            'is_active': self.is_active,
+            'duration': time.time() - self.connected_time
+        }
+
+
+class EthernetFrame:
+    """Ethernet frame parser"""
+    
+    def __init__(self):
+        self.dest_mac = b'\x00' * 6
+        self.src_mac = b'\x00' * 6
+        self.ethertype = 0x0800  # IPv4
+        self.payload = b''
+    
+    @classmethod
+    def parse(cls, data: bytes) -> Optional['EthernetFrame']:
+        """Parse Ethernet frame from raw bytes"""
+        if len(data) < 14:  # Minimum Ethernet header size
+            return None
+        
+        frame = cls()
+        frame.dest_mac = data[0:6]
+        frame.src_mac = data[6:12]
+        frame.ethertype = struct.unpack('!H', data[12:14])[0]
+        frame.payload = data[14:]
+        
+        return frame
+    
+    def build(self) -> bytes:
+        """Build Ethernet frame as bytes"""
+        header = self.dest_mac + self.src_mac + struct.pack('!H', self.ethertype)
+        return header + self.payload
+    
+    def is_ipv4(self) -> bool:
+        """Check if frame contains IPv4 packet"""
+        return self.ethertype == 0x0800
+    
+    def is_arp(self) -> bool:
+        """Check if frame contains ARP packet"""
+        return self.ethertype == 0x0806
+
+
+class PacketBridge:
+    """Packet bridge implementation"""
+    
+    def __init__(self, config: Dict):
+        self.config = config
+        self.clients: Dict[str, ClientConnection] = {}
+        self.packet_handlers: List[Callable[[ParsedPacket, str], Optional[bytes]]] = []
+        self.lock = threading.Lock()
+        
+        # Configuration
+        self.websocket_host = config.get('websocket_host', '0.0.0.0')
+        self.websocket_port = config.get('websocket_port', 8765)
+        self.tcp_host = config.get('tcp_host', '0.0.0.0')
+        self.tcp_port = config.get('tcp_port', 8766)
+        self.max_clients = config.get('max_clients', 100)
+        self.client_timeout = config.get('client_timeout', 300)
+        
+        # WebSocket server
+        self.websocket_server = None
+        self.tcp_server_socket = None
+        
+        # Background tasks
+        self.running = False
+        self.websocket_task = None
+        self.tcp_task = None
+        self.cleanup_task = None
+        
+        # Statistics
+        self.stats = {
+            'total_clients': 0,
+            'active_clients': 0,
+            'packets_processed': 0,
+            'packets_forwarded': 0,
+            'packets_dropped': 0,
+            'bytes_processed': 0,
+            'websocket_connections': 0,
+            'tcp_connections': 0,
+            'connection_errors': 0
+        }
+        
+        # Event loop
+        self.loop = None
+    
+    def add_packet_handler(self, handler: Callable[[ParsedPacket, str], Optional[bytes]]):
+        """Add packet handler function"""
+        self.packet_handlers.append(handler)
+    
+    def remove_packet_handler(self, handler: Callable[[ParsedPacket, str], Optional[bytes]]):
+        """Remove packet handler function"""
+        if handler in self.packet_handlers:
+            self.packet_handlers.remove(handler)
+    
+    def _generate_client_id(self, remote_address: str, remote_port: int) -> str:
+        """Generate unique client ID"""
+        timestamp = int(time.time() * 1000)
+        return f"client_{remote_address}_{remote_port}_{timestamp}"
+    
+    def _process_ethernet_frame(self, frame_data: bytes, client_id: str) -> Optional[bytes]:
+        """Process Ethernet frame and extract IP packet"""
+        try:
+            # Parse Ethernet frame
+            frame = EthernetFrame.parse(frame_data)
+            if not frame or not frame.is_ipv4():
+                return None
+            
+            # Parse IP packet
+            packet = IPParser.parse_packet(frame.payload)
+            self.stats['packets_processed'] += 1
+            self.stats['bytes_processed'] += len(frame_data)
+            
+            # Process through packet handlers
+            response_packet = None
+            for handler in self.packet_handlers:
+                try:
+                    response = handler(packet, client_id)
+                    if response:
+                        response_packet = response
+                        break
+                except Exception as e:
+                    logging.error(f"Packet handler error: {e}")
+            
+            if response_packet:
+                # Wrap response in Ethernet frame
+                response_frame = EthernetFrame()
+                response_frame.dest_mac = frame.src_mac
+                response_frame.src_mac = frame.dest_mac
+                response_frame.ethertype = 0x0800
+                response_frame.payload = response_packet
+                
+                self.stats['packets_forwarded'] += 1
+                return response_frame.build()
+            else:
+                self.stats['packets_dropped'] += 1
+                return None
+        
+        except Exception as e:
+            logging.error(f"Error processing Ethernet frame: {e}")
+            self.stats['packets_dropped'] += 1
+            return None
+    
+    async def _handle_websocket_client(self, websocket, path):
+        """Handle WebSocket client connection"""
+        client_address = websocket.remote_address
+        client_id = self._generate_client_id(client_address[0], client_address[1])
+        
+        # Create client connection
+        client = ClientConnection(
+            client_id=client_id,
+            bridge_type=BridgeType.WEBSOCKET,
+            remote_address=client_address[0],
+            remote_port=client_address[1],
+            websocket=websocket
+        )
+        
+        with self.lock:
+            if len(self.clients) >= self.max_clients:
+                await websocket.close(code=1013, reason="Too many clients")
+                return
+            
+            self.clients[client_id] = client
+        
+        self.stats['total_clients'] += 1
+        self.stats['active_clients'] = len(self.clients)
+        self.stats['websocket_connections'] += 1
+        
+        logging.info(f"WebSocket client connected: {client_id} from {client_address}")
+        
+        try:
+            async for message in websocket:
+                if isinstance(message, bytes):
+                    # Binary message - treat as Ethernet frame
+                    client.update_activity(1, len(message), 'received')
+                    
+                    response = self._process_ethernet_frame(message, client_id)
+                    if response:
+                        await websocket.send(response)
+                        client.update_activity(1, len(response), 'sent')
+                
+                elif isinstance(message, str):
+                    # Text message - treat as control message
+                    try:
+                        control_msg = json.loads(message)
+                        await self._handle_control_message(client, control_msg)
+                    except json.JSONDecodeError:
+                        logging.warning(f"Invalid control message from {client_id}: {message}")
+        
+        except websockets.exceptions.ConnectionClosed:
+            logging.info(f"WebSocket client disconnected: {client_id}")
+        except Exception as e:
+            logging.error(f"WebSocket client error: {e}")
+            self.stats['connection_errors'] += 1
+        
+        finally:
+            # Clean up client
+            with self.lock:
+                if client_id in self.clients:
+                    self.clients[client_id].is_active = False
+                    del self.clients[client_id]
+            
+            self.stats['active_clients'] = len(self.clients)
+    
+    async def _handle_control_message(self, client: ClientConnection, message: Dict):
+        """Handle control message from client"""
+        msg_type = message.get('type')
+        
+        if msg_type == 'ping':
+            # Respond to ping
+            response = {'type': 'pong', 'timestamp': time.time()}
+            await client.websocket.send(json.dumps(response))
+        
+        elif msg_type == 'stats':
+            # Send client statistics
+            response = {
+                'type': 'stats',
+                'client_stats': client.to_dict(),
+                'bridge_stats': self.get_stats()
+            }
+            await client.websocket.send(json.dumps(response))
+        
+        elif msg_type == 'config':
+            # Handle configuration updates
+            config_data = message.get('data', {})
+            # Process configuration updates here
+            response = {'type': 'config_ack', 'status': 'ok'}
+            await client.websocket.send(json.dumps(response))
+    
+    def _handle_tcp_client(self, client_socket: socket.socket, client_address: Tuple[str, int]):
+        """Handle TCP client connection"""
+        client_id = self._generate_client_id(client_address[0], client_address[1])
+        
+        # Create client connection
+        client = ClientConnection(
+            client_id=client_id,
+            bridge_type=BridgeType.TCP_SOCKET,
+            remote_address=client_address[0],
+            remote_port=client_address[1],
+            socket=client_socket
+        )
+        
+        with self.lock:
+            if len(self.clients) >= self.max_clients:
+                client_socket.close()
+                return
+            
+            self.clients[client_id] = client
+        
+        self.stats['total_clients'] += 1
+        self.stats['active_clients'] = len(self.clients)
+        self.stats['tcp_connections'] += 1
+        
+        logging.info(f"TCP client connected: {client_id} from {client_address}")
+        
+        try:
+            client_socket.settimeout(self.client_timeout)
+            
+            while client.is_active:
+                try:
+                    # Read frame length (4 bytes)
+                    length_data = client_socket.recv(4)
+                    if not length_data:
+                        break
+                    
+                    frame_length = struct.unpack('!I', length_data)[0]
+                    if frame_length > 65536:  # Sanity check
+                        break
+                    
+                    # Read frame data
+                    frame_data = b''
+                    while len(frame_data) < frame_length:
+                        chunk = client_socket.recv(frame_length - len(frame_data))
+                        if not chunk:
+                            break
+                        frame_data += chunk
+                    
+                    if len(frame_data) != frame_length:
+                        break
+                    
+                    client.update_activity(1, len(frame_data), 'received')
+                    
+                    # Process frame
+                    response = self._process_ethernet_frame(frame_data, client_id)
+                    if response:
+                        # Send response with length prefix
+                        response_length = struct.pack('!I', len(response))
+                        client_socket.send(response_length + response)
+                        client.update_activity(1, len(response), 'sent')
+                
+                except socket.timeout:
+                    continue
+                except Exception as e:
+                    logging.error(f"TCP client error: {e}")
+                    break
+        
+        except Exception as e:
+            logging.error(f"TCP client handler error: {e}")
+            self.stats['connection_errors'] += 1
+        
+        finally:
+            # Clean up client
+            try:
+                client_socket.close()
+            except:
+                pass
+            
+            with self.lock:
+                if client_id in self.clients:
+                    self.clients[client_id].is_active = False
+                    del self.clients[client_id]
+            
+            self.stats['active_clients'] = len(self.clients)
+            logging.info(f"TCP client disconnected: {client_id}")
+    
+    def _tcp_server_loop(self):
+        """TCP server loop"""
+        try:
+            self.tcp_server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+            self.tcp_server_socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+            self.tcp_server_socket.bind((self.tcp_host, self.tcp_port))
+            self.tcp_server_socket.listen(10)
+            
+            logging.info(f"TCP bridge server listening on {self.tcp_host}:{self.tcp_port}")
+            
+            while self.running:
+                try:
+                    client_socket, client_address = self.tcp_server_socket.accept()
+                    
+                    # Handle client in separate thread
+                    client_thread = threading.Thread(
+                        target=self._handle_tcp_client,
+                        args=(client_socket, client_address),
+                        daemon=True
+                    )
+                    client_thread.start()
+                
+                except socket.error as e:
+                    if self.running:
+                        logging.error(f"TCP server error: {e}")
+                        time.sleep(1)
+        
+        except Exception as e:
+            logging.error(f"TCP server loop error: {e}")
+        
+        finally:
+            if self.tcp_server_socket:
+                self.tcp_server_socket.close()
+    
+    def _cleanup_loop(self):
+        """Background cleanup loop"""
+        while self.running:
+            try:
+                current_time = time.time()
+                expired_clients = []
+                
+                with self.lock:
+                    for client_id, client in self.clients.items():
+                        # Mark inactive clients for removal
+                        if current_time - client.last_activity > self.client_timeout:
+                            expired_clients.append(client_id)
+                
+                # Clean up expired clients
+                for client_id in expired_clients:
+                    with self.lock:
+                        if client_id in self.clients:
+                            client = self.clients[client_id]
+                            client.is_active = False
+                            
+                            # Close connections
+                            if client.websocket:
+                                try:
+                                    asyncio.run_coroutine_threadsafe(
+                                        client.websocket.close(),
+                                        self.loop
+                                    )
+                                except:
+                                    pass
+                            
+                            if client.socket:
+                                try:
+                                    client.socket.close()
+                                except:
+                                    pass
+                            
+                            del self.clients[client_id]
+                            logging.info(f"Cleaned up expired client: {client_id}")
+                
+                self.stats['active_clients'] = len(self.clients)
+                
+                time.sleep(30)  # Cleanup every 30 seconds
+            
+            except Exception as e:
+                logging.error(f"Cleanup loop error: {e}")
+                time.sleep(5)
+    
+    def send_packet_to_client(self, client_id: str, packet_data: bytes) -> bool:
+        """Send packet to specific client"""
+        with self.lock:
+            client = self.clients.get(client_id)
+        
+        if not client or not client.is_active:
+            return False
+        
+        try:
+            if client.bridge_type == BridgeType.WEBSOCKET:
+                # Send via WebSocket
+                if client.websocket:
+                    asyncio.run_coroutine_threadsafe(
+                        client.websocket.send(packet_data),
+                        self.loop
+                    )
+                    client.update_activity(1, len(packet_data), 'sent')
+                    return True
+            
+            elif client.bridge_type == BridgeType.TCP_SOCKET:
+                # Send via TCP socket with length prefix
+                if client.socket:
+                    length_prefix = struct.pack('!I', len(packet_data))
+                    client.socket.send(length_prefix + packet_data)
+                    client.update_activity(1, len(packet_data), 'sent')
+                    return True
+        
+        except Exception as e:
+            logging.error(f"Failed to send packet to client {client_id}: {e}")
+            # Mark client as inactive
+            client.is_active = False
+        
+        return False
+    
+    def broadcast_packet(self, packet_data: bytes, exclude_client: Optional[str] = None) -> int:
+        """Broadcast packet to all clients"""
+        sent_count = 0
+        
+        with self.lock:
+            client_ids = list(self.clients.keys())
+        
+        for client_id in client_ids:
+            if client_id != exclude_client:
+                if self.send_packet_to_client(client_id, packet_data):
+                    sent_count += 1
+        
+        return sent_count
+    
+    def get_clients(self) -> Dict[str, Dict]:
+        """Get all connected clients"""
+        with self.lock:
+            return {
+                client_id: client.to_dict()
+                for client_id, client in self.clients.items()
+            }
+    
+    def get_client(self, client_id: str) -> Optional[Dict]:
+        """Get specific client"""
+        with self.lock:
+            client = self.clients.get(client_id)
+            return client.to_dict() if client else None
+    
+    def disconnect_client(self, client_id: str) -> bool:
+        """Disconnect specific client"""
+        with self.lock:
+            client = self.clients.get(client_id)
+            if not client:
+                return False
+            
+            client.is_active = False
+            
+            # Close connection
+            if client.websocket:
+                try:
+                    asyncio.run_coroutine_threadsafe(
+                        client.websocket.close(),
+                        self.loop
+                    )
+                except:
+                    pass
+            
+            if client.socket:
+                try:
+                    client.socket.close()
+                except:
+                    pass
+            
+            del self.clients[client_id]
+            self.stats['active_clients'] = len(self.clients)
+            
+            return True
+    
+    def get_stats(self) -> Dict:
+        """Get bridge statistics"""
+        with self.lock:
+            stats = self.stats.copy()
+            stats['active_clients'] = len(self.clients)
+        
+        return stats
+    
+    def reset_stats(self):
+        """Reset bridge statistics"""
+        self.stats = {
+            'total_clients': 0,
+            'active_clients': len(self.clients),
+            'packets_processed': 0,
+            'packets_forwarded': 0,
+            'packets_dropped': 0,
+            'bytes_processed': 0,
+            'websocket_connections': 0,
+            'tcp_connections': 0,
+            'connection_errors': 0
+        }
+    
+    async def start_websocket_server(self):
+        """Start WebSocket server"""
+        try:
+            self.websocket_server = await websockets.serve(
+                self._handle_websocket_client,
+                self.websocket_host,
+                self.websocket_port,
+                max_size=1024*1024,  # 1MB max message size
+                ping_interval=30,
+                ping_timeout=10
+            )
+            
+            logging.info(f"WebSocket bridge server started on {self.websocket_host}:{self.websocket_port}")
+            
+            # Keep server running
+            await self.websocket_server.wait_closed()
+        
+        except Exception as e:
+            logging.error(f"WebSocket server error: {e}")
+    
+    def start(self):
+        """Start packet bridge"""
+        self.running = True
+        
+        # Start event loop
+        self.loop = asyncio.new_event_loop()
+        asyncio.set_event_loop(self.loop)
+        
+        # Start WebSocket server in a separate thread
+        websocket_thread = threading.Thread(target=self._run_websocket_server_in_thread, daemon=True)
+        websocket_thread.start()
+        
+        # Start TCP server in separate thread
+        tcp_thread = threading.Thread(target=self._tcp_server_loop, daemon=True)
+        tcp_thread.start()
+        
+        # Start cleanup thread
+        cleanup_thread = threading.Thread(target=self._cleanup_loop, daemon=True)
+        cleanup_thread.start()
+        
+        logging.info("Packet bridge started")
+        
+
+    
+    def stop(self):
+        """Stop packet bridge"""
+        self.running = False
+        
+        # Close WebSocket server
+        if self.websocket_server:
+            self.websocket_server.close()
+        
+        # Close TCP server
+        if self.tcp_server_socket:
+            self.tcp_server_socket.close()
+        
+        # Disconnect all clients
+        with self.lock:
+            client_ids = list(self.clients.keys())
+        
+        for client_id in client_ids:
+            self.disconnect_client(client_id)
+        
+        # Stop event loop
+        if self.loop and not self.loop.is_closed():
+            self.loop.call_soon_threadsafe(self.loop.stop)
+        
+        logging.info("Packet bridge stopped")
+
+
+
+    def _run_websocket_server_in_thread(self):
+        """Run the WebSocket server in a separate thread with its own event loop."""
+        asyncio.set_event_loop(self.loop)
+        self.loop.run_until_complete(self.start_websocket_server())
+
+

core/session_tracker.py

@@ -0,0 +1,602 @@
+"""
+Session Tracker Module
+
+Manages and tracks all network sessions across the virtual ISP stack:
+- Unified session management across all modules
+- Session lifecycle tracking
+- Performance metrics and analytics
+- Session correlation and debugging
+"""
+
+import time
+import threading
+import uuid
+from typing import Dict, List, Optional, Set, Any, Tuple
+from dataclasses import dataclass, field
+from enum import Enum
+import json
+
+from .dhcp_server import DHCPLease
+from .nat_engine import NATSession
+from .tcp_engine import TCPConnection
+from .socket_translator import SocketConnection
+
+
+class SessionType(Enum):
+    DHCP_LEASE = "DHCP_LEASE"
+    NAT_SESSION = "NAT_SESSION"
+    TCP_CONNECTION = "TCP_CONNECTION"
+    SOCKET_CONNECTION = "SOCKET_CONNECTION"
+    BRIDGE_CLIENT = "BRIDGE_CLIENT"
+
+
+class SessionState(Enum):
+    INITIALIZING = "INITIALIZING"
+    ACTIVE = "ACTIVE"
+    IDLE = "IDLE"
+    CLOSING = "CLOSING"
+    CLOSED = "CLOSED"
+    ERROR = "ERROR"
+
+
+@dataclass
+class SessionMetrics:
+    """Session performance metrics"""
+    bytes_in: int = 0
+    bytes_out: int = 0
+    packets_in: int = 0
+    packets_out: int = 0
+    errors: int = 0
+    retransmits: int = 0
+    rtt_samples: List[float] = field(default_factory=list)
+    
+    @property
+    def total_bytes(self) -> int:
+        return self.bytes_in + self.bytes_out
+    
+    @property
+    def total_packets(self) -> int:
+        return self.packets_in + self.packets_out
+    
+    @property
+    def average_rtt(self) -> float:
+        return sum(self.rtt_samples) / len(self.rtt_samples) if self.rtt_samples else 0.0
+    
+    def update_bytes(self, bytes_in: int = 0, bytes_out: int = 0):
+        """Update byte counters"""
+        self.bytes_in += bytes_in
+        self.bytes_out += bytes_out
+    
+    def update_packets(self, packets_in: int = 0, packets_out: int = 0):
+        """Update packet counters"""
+        self.packets_in += packets_in
+        self.packets_out += packets_out
+    
+    def add_rtt_sample(self, rtt: float):
+        """Add RTT sample"""
+        self.rtt_samples.append(rtt)
+        # Keep only last 100 samples
+        if len(self.rtt_samples) > 100:
+            self.rtt_samples = self.rtt_samples[-100:]
+    
+    def to_dict(self) -> Dict:
+        """Convert to dictionary"""
+        return {
+            'bytes_in': self.bytes_in,
+            'bytes_out': self.bytes_out,
+            'packets_in': self.packets_in,
+            'packets_out': self.packets_out,
+            'total_bytes': self.total_bytes,
+            'total_packets': self.total_packets,
+            'errors': self.errors,
+            'retransmits': self.retransmits,
+            'average_rtt': self.average_rtt,
+            'rtt_samples_count': len(self.rtt_samples)
+        }
+
+
+@dataclass
+class UnifiedSession:
+    """Unified session representation"""
+    session_id: str
+    session_type: SessionType
+    state: SessionState
+    created_time: float
+    last_activity: float
+    
+    # Session identifiers
+    virtual_ip: Optional[str] = None
+    virtual_port: Optional[int] = None
+    real_ip: Optional[str] = None
+    real_port: Optional[int] = None
+    protocol: Optional[str] = None
+    
+    # Related sessions (for correlation)
+    related_sessions: Set[str] = field(default_factory=set)
+    parent_session: Optional[str] = None
+    child_sessions: Set[str] = field(default_factory=set)
+    
+    # Metrics
+    metrics: SessionMetrics = field(default_factory=SessionMetrics)
+    
+    # Additional data
+    metadata: Dict[str, Any] = field(default_factory=dict)
+    
+    def __post_init__(self):
+        if not self.session_id:
+            self.session_id = str(uuid.uuid4())
+        if self.created_time == 0:
+            self.created_time = time.time()
+        if self.last_activity == 0:
+            self.last_activity = time.time()
+    
+    def update_activity(self):
+        """Update last activity timestamp"""
+        self.last_activity = time.time()
+    
+    def add_related_session(self, session_id: str):
+        """Add related session"""
+        self.related_sessions.add(session_id)
+    
+    def add_child_session(self, session_id: str):
+        """Add child session"""
+        self.child_sessions.add(session_id)
+    
+    def set_parent_session(self, session_id: str):
+        """Set parent session"""
+        self.parent_session = session_id
+    
+    @property
+    def duration(self) -> float:
+        """Get session duration in seconds"""
+        return time.time() - self.created_time
+    
+    @property
+    def idle_time(self) -> float:
+        """Get idle time in seconds"""
+        return time.time() - self.last_activity
+    
+    def to_dict(self) -> Dict:
+        """Convert to dictionary"""
+        return {
+            'session_id': self.session_id,
+            'session_type': self.session_type.value,
+            'state': self.state.value,
+            'created_time': self.created_time,
+            'last_activity': self.last_activity,
+            'duration': self.duration,
+            'idle_time': self.idle_time,
+            'virtual_ip': self.virtual_ip,
+            'virtual_port': self.virtual_port,
+            'real_ip': self.real_ip,
+            'real_port': self.real_port,
+            'protocol': self.protocol,
+            'related_sessions': list(self.related_sessions),
+            'parent_session': self.parent_session,
+            'child_sessions': list(self.child_sessions),
+            'metrics': self.metrics.to_dict(),
+            'metadata': self.metadata
+        }
+
+
+class SessionTracker:
+    """Unified session tracker"""
+    
+    def __init__(self, config: Dict):
+        self.config = config
+        self.sessions: Dict[str, UnifiedSession] = {}
+        self.session_index: Dict[Tuple[str, str], Set[str]] = {}  # (type, key) -> session_ids
+        self.lock = threading.Lock()
+        
+        # Configuration
+        self.max_sessions = config.get('max_sessions', 10000)
+        self.session_timeout = config.get('session_timeout', 3600)
+        self.cleanup_interval = config.get('cleanup_interval', 300)
+        self.metrics_retention = config.get('metrics_retention', 86400)  # 24 hours
+        
+        # Statistics
+        self.stats = {
+            'total_sessions': 0,
+            'active_sessions': 0,
+            'expired_sessions': 0,
+            'session_types': {t.value: 0 for t in SessionType},
+            'session_states': {s.value: 0 for s in SessionState},
+            'cleanup_runs': 0,
+            'correlations_created': 0
+        }
+        
+        # Background tasks
+        self.running = False
+        self.cleanup_thread = None
+    
+    def _generate_session_key(self, session_type: SessionType, **kwargs) -> str:
+        """Generate session key for indexing"""
+        if session_type == SessionType.DHCP_LEASE:
+            return f"dhcp_{kwargs.get('mac_address', 'unknown')}"
+        elif session_type == SessionType.NAT_SESSION:
+            return f"nat_{kwargs.get('virtual_ip', '')}_{kwargs.get('virtual_port', 0)}_{kwargs.get('protocol', '')}"
+        elif session_type == SessionType.TCP_CONNECTION:
+            return f"tcp_{kwargs.get('local_ip', '')}_{kwargs.get('local_port', 0)}_{kwargs.get('remote_ip', '')}_{kwargs.get('remote_port', 0)}"
+        elif session_type == SessionType.SOCKET_CONNECTION:
+            return f"socket_{kwargs.get('connection_id', 'unknown')}"
+        elif session_type == SessionType.BRIDGE_CLIENT:
+            return f"bridge_{kwargs.get('client_id', 'unknown')}"
+        else:
+            return f"unknown_{time.time()}"
+    
+    def _add_to_index(self, session: UnifiedSession):
+        """Add session to search index"""
+        # Index by type
+        type_key = (session.session_type.value, 'all')
+        if type_key not in self.session_index:
+            self.session_index[type_key] = set()
+        self.session_index[type_key].add(session.session_id)
+        
+        # Index by IP addresses
+        if session.virtual_ip:
+            ip_key = ('virtual_ip', session.virtual_ip)
+            if ip_key not in self.session_index:
+                self.session_index[ip_key] = set()
+            self.session_index[ip_key].add(session.session_id)
+        
+        if session.real_ip:
+            ip_key = ('real_ip', session.real_ip)
+            if ip_key not in self.session_index:
+                self.session_index[ip_key] = set()
+            self.session_index[ip_key].add(session.session_id)
+        
+        # Index by protocol
+        if session.protocol:
+            proto_key = ('protocol', session.protocol)
+            if proto_key not in self.session_index:
+                self.session_index[proto_key] = set()
+            self.session_index[proto_key].add(session.session_id)
+    
+    def _remove_from_index(self, session: UnifiedSession):
+        """Remove session from search index"""
+        for key, session_set in self.session_index.items():
+            session_set.discard(session.session_id)
+    
+    def create_session(self, session_type: SessionType, **kwargs) -> str:
+        """Create new session"""
+        with self.lock:
+            # Check session limit
+            if len(self.sessions) >= self.max_sessions:
+                # Remove oldest expired session
+                self._cleanup_expired_sessions()
+                if len(self.sessions) >= self.max_sessions:
+                    return None
+            
+            # Create session
+            session = UnifiedSession(
+                session_id=kwargs.get('session_id', str(uuid.uuid4())),
+                session_type=session_type,
+                state=SessionState.INITIALIZING,
+                virtual_ip=kwargs.get('virtual_ip'),
+                virtual_port=kwargs.get('virtual_port'),
+                real_ip=kwargs.get('real_ip'),
+                real_port=kwargs.get('real_port'),
+                protocol=kwargs.get('protocol'),
+                metadata=kwargs.get('metadata', {})
+            )
+            
+            # Add to sessions
+            self.sessions[session.session_id] = session
+            self._add_to_index(session)
+            
+            # Update statistics
+            self.stats['total_sessions'] += 1
+            self.stats['active_sessions'] = len(self.sessions)
+            self.stats['session_types'][session_type.value] += 1
+            self.stats['session_states'][SessionState.INITIALIZING.value] += 1
+            
+            return session.session_id
+    
+    def update_session(self, session_id: str, **kwargs) -> bool:
+        """Update session"""
+        with self.lock:
+            session = self.sessions.get(session_id)
+            if not session:
+                return False
+            
+            # Update fields
+            old_state = session.state
+            
+            for key, value in kwargs.items():
+                if hasattr(session, key):
+                    setattr(session, key, value)
+            
+            session.update_activity()
+            
+            # Update state statistics
+            if 'state' in kwargs and kwargs['state'] != old_state:
+                self.stats['session_states'][old_state.value] -= 1
+                self.stats['session_states'][kwargs['state'].value] += 1
+            
+            return True
+    
+    def close_session(self, session_id: str, reason: str = "") -> bool:
+        """Close session"""
+        with self.lock:
+            session = self.sessions.get(session_id)
+            if not session:
+                return False
+            
+            old_state = session.state
+            session.state = SessionState.CLOSED
+            session.update_activity()
+            
+            if reason:
+                session.metadata['close_reason'] = reason
+            
+            # Update statistics
+            self.stats['session_states'][old_state.value] -= 1
+            self.stats['session_states'][SessionState.CLOSED.value] += 1
+            
+            return True
+    
+    def remove_session(self, session_id: str) -> bool:
+        """Remove session completely"""
+        with self.lock:
+            session = self.sessions.get(session_id)
+            if not session:
+                return False
+            
+            # Remove from index
+            self._remove_from_index(session)
+            
+            # Remove from sessions
+            del self.sessions[session_id]
+            
+            # Update statistics
+            self.stats['active_sessions'] = len(self.sessions)
+            self.stats['session_types'][session.session_type.value] -= 1
+            self.stats['session_states'][session.state.value] -= 1
+            
+            return True
+    
+    def get_session(self, session_id: str) -> Optional[UnifiedSession]:
+        """Get session by ID"""
+        with self.lock:
+            return self.sessions.get(session_id)
+    
+    def find_sessions(self, **criteria) -> List[UnifiedSession]:
+        """Find sessions by criteria"""
+        with self.lock:
+            matching_sessions = []
+            
+            # Use index if possible
+            if 'session_type' in criteria:
+                type_key = (criteria['session_type'].value if isinstance(criteria['session_type'], SessionType) else criteria['session_type'], 'all')
+                candidate_ids = self.session_index.get(type_key, set())
+            elif 'virtual_ip' in criteria:
+                ip_key = ('virtual_ip', criteria['virtual_ip'])
+                candidate_ids = self.session_index.get(ip_key, set())
+            elif 'real_ip' in criteria:
+                ip_key = ('real_ip', criteria['real_ip'])
+                candidate_ids = self.session_index.get(ip_key, set())
+            elif 'protocol' in criteria:
+                proto_key = ('protocol', criteria['protocol'])
+                candidate_ids = self.session_index.get(proto_key, set())
+            else:
+                candidate_ids = set(self.sessions.keys())
+            
+            # Filter candidates
+            for session_id in candidate_ids:
+                session = self.sessions.get(session_id)
+                if not session:
+                    continue
+                
+                match = True
+                for key, value in criteria.items():
+                    if hasattr(session, key):
+                        session_value = getattr(session, key)
+                        if isinstance(value, (SessionType, SessionState)):
+                            if session_value != value:
+                                match = False
+                                break
+                        elif session_value != value:
+                            match = False
+                            break
+                    else:
+                        match = False
+                        break
+                
+                if match:
+                    matching_sessions.append(session)
+            
+            return matching_sessions
+    
+    def correlate_sessions(self, session_id1: str, session_id2: str, relationship: str = 'related') -> bool:
+        """Create correlation between sessions"""
+        with self.lock:
+            session1 = self.sessions.get(session_id1)
+            session2 = self.sessions.get(session_id2)
+            
+            if not session1 or not session2:
+                return False
+            
+            if relationship == 'parent_child':
+                session1.add_child_session(session_id2)
+                session2.set_parent_session(session_id1)
+            else:
+                session1.add_related_session(session_id2)
+                session2.add_related_session(session_id1)
+            
+            self.stats['correlations_created'] += 1
+            return True
+    
+    def update_metrics(self, session_id: str, **metrics) -> bool:
+        """Update session metrics"""
+        with self.lock:
+            session = self.sessions.get(session_id)
+            if not session:
+                return False
+            
+            session.update_activity()
+            
+            # Update metrics
+            if 'bytes_in' in metrics or 'bytes_out' in metrics:
+                session.metrics.update_bytes(
+                    metrics.get('bytes_in', 0),
+                    metrics.get('bytes_out', 0)
+                )
+            
+            if 'packets_in' in metrics or 'packets_out' in metrics:
+                session.metrics.update_packets(
+                    metrics.get('packets_in', 0),
+                    metrics.get('packets_out', 0)
+                )
+            
+            if 'rtt' in metrics:
+                session.metrics.add_rtt_sample(metrics['rtt'])
+            
+            if 'errors' in metrics:
+                session.metrics.errors += metrics['errors']
+            
+            if 'retransmits' in metrics:
+                session.metrics.retransmits += metrics['retransmits']
+            
+            return True
+    
+    def _cleanup_expired_sessions(self):
+        """Clean up expired sessions"""
+        current_time = time.time()
+        expired_sessions = []
+        
+        for session_id, session in self.sessions.items():
+            # Check if session is expired
+            if (session.state == SessionState.CLOSED and 
+                current_time - session.last_activity > self.cleanup_interval):
+                expired_sessions.append(session_id)
+            elif (session.state != SessionState.CLOSED and 
+                  current_time - session.last_activity > self.session_timeout):
+                expired_sessions.append(session_id)
+        
+        # Remove expired sessions
+        for session_id in expired_sessions:
+            self.remove_session(session_id)
+            self.stats['expired_sessions'] += 1
+    
+    def _cleanup_loop(self):
+        """Background cleanup loop"""
+        while self.running:
+            try:
+                with self.lock:
+                    self._cleanup_expired_sessions()
+                    self.stats['cleanup_runs'] += 1
+                
+                time.sleep(self.cleanup_interval)
+            
+            except Exception as e:
+                print(f"Session tracker cleanup error: {e}")
+                time.sleep(60)
+    
+    def get_sessions(self, limit: int = 100, offset: int = 0, **filters) -> List[Dict]:
+        """Get sessions with pagination and filtering"""
+        with self.lock:
+            if filters:
+                sessions = self.find_sessions(**filters)
+            else:
+                sessions = list(self.sessions.values())
+            
+            # Sort by last activity (most recent first)
+            sessions.sort(key=lambda s: s.last_activity, reverse=True)
+            
+            # Apply pagination
+            paginated_sessions = sessions[offset:offset + limit]
+            
+            return [session.to_dict() for session in paginated_sessions]
+    
+    def get_session_summary(self) -> Dict:
+        """Get session summary statistics"""
+        with self.lock:
+            summary = {
+                'total_sessions': len(self.sessions),
+                'by_type': {},
+                'by_state': {},
+                'by_protocol': {},
+                'active_sessions_by_age': {
+                    'last_hour': 0,
+                    'last_day': 0,
+                    'older': 0
+                }
+            }
+            
+            current_time = time.time()
+            hour_ago = current_time - 3600
+            day_ago = current_time - 86400
+            
+            for session in self.sessions.values():
+                # Count by type
+                session_type = session.session_type.value
+                summary['by_type'][session_type] = summary['by_type'].get(session_type, 0) + 1
+                
+                # Count by state
+                session_state = session.state.value
+                summary['by_state'][session_state] = summary['by_state'].get(session_state, 0) + 1
+                
+                # Count by protocol
+                if session.protocol:
+                    summary['by_protocol'][session.protocol] = summary['by_protocol'].get(session.protocol, 0) + 1
+                
+                # Count by age
+                if session.last_activity > hour_ago:
+                    summary['active_sessions_by_age']['last_hour'] += 1
+                elif session.last_activity > day_ago:
+                    summary['active_sessions_by_age']['last_day'] += 1
+                else:
+                    summary['active_sessions_by_age']['older'] += 1
+            
+            return summary
+    
+    def get_stats(self) -> Dict:
+        """Get tracker statistics"""
+        with self.lock:
+            stats = self.stats.copy()
+            stats['active_sessions'] = len(self.sessions)
+        
+        return stats
+    
+    def reset_stats(self):
+        """Reset statistics"""
+        self.stats = {
+            'total_sessions': len(self.sessions),
+            'active_sessions': len(self.sessions),
+            'expired_sessions': 0,
+            'session_types': {t.value: 0 for t in SessionType},
+            'session_states': {s.value: 0 for s in SessionState},
+            'cleanup_runs': 0,
+            'correlations_created': 0
+        }
+        
+        # Recalculate current counts
+        with self.lock:
+            for session in self.sessions.values():
+                self.stats['session_types'][session.session_type.value] += 1
+                self.stats['session_states'][session.state.value] += 1
+    
+    def export_sessions(self, format: str = 'json') -> str:
+        """Export sessions data"""
+        with self.lock:
+            sessions_data = [session.to_dict() for session in self.sessions.values()]
+        
+        if format == 'json':
+            return json.dumps(sessions_data, indent=2, default=str)
+        else:
+            raise ValueError(f"Unsupported export format: {format}")
+    
+    def start(self):
+        """Start session tracker"""
+        self.running = True
+        self.cleanup_thread = threading.Thread(target=self._cleanup_loop, daemon=True)
+        self.cleanup_thread.start()
+        print("Session tracker started")
+    
+    def stop(self):
+        """Stop session tracker"""
+        self.running = False
+        if self.cleanup_thread:
+            self.cleanup_thread.join()
+        print("Session tracker stopped")
+

core/socket_translator.py

@@ -0,0 +1,653 @@
+"""
+Socket Translator Module
+
+Bridges virtual connections to real host sockets:
+- Map virtual connections to host sockets/HTTP clients
+- Bidirectional data streaming
+- Connection lifecycle management
+- Protocol translation (TCP/UDP to host sockets)
+"""
+
+import socket
+import threading
+import time
+import asyncio
+import aiohttp
+import ssl
+from typing import Dict, Optional, Callable, Tuple, Any
+from dataclasses import dataclass
+from enum import Enum
+import urllib.parse
+import json
+
+from .tcp_engine import TCPConnection
+
+
+class ConnectionType(Enum):
+    TCP_SOCKET = "TCP_SOCKET"
+    UDP_SOCKET = "UDP_SOCKET"
+    HTTP_CLIENT = "HTTP_CLIENT"
+    HTTPS_CLIENT = "HTTPS_CLIENT"
+
+
+@dataclass
+class SocketConnection:
+    """Represents a socket connection"""
+    connection_id: str
+    connection_type: ConnectionType
+    virtual_connection: Optional[TCPConnection]
+    host_socket: Optional[socket.socket]
+    remote_host: str
+    remote_port: int
+    created_time: float
+    last_activity: float
+    bytes_sent: int = 0
+    bytes_received: int = 0
+    is_connected: bool = False
+    error_count: int = 0
+    
+    def update_activity(self, bytes_transferred: int = 0, direction: str = 'sent'):
+        """Update connection activity"""
+        self.last_activity = time.time()
+        if direction == 'sent':
+            self.bytes_sent += bytes_transferred
+        else:
+            self.bytes_received += bytes_transferred
+    
+    def to_dict(self) -> Dict:
+        """Convert to dictionary"""
+        return {
+            'connection_id': self.connection_id,
+            'connection_type': self.connection_type.value,
+            'remote_host': self.remote_host,
+            'remote_port': self.remote_port,
+            'created_time': self.created_time,
+            'last_activity': self.last_activity,
+            'bytes_sent': self.bytes_sent,
+            'bytes_received': self.bytes_received,
+            'is_connected': self.is_connected,
+            'error_count': self.error_count,
+            'duration': time.time() - self.created_time
+        }
+
+
+class HTTPRequest:
+    """Represents an HTTP request"""
+    
+    def __init__(self, method: str = 'GET', path: str = '/', headers: Dict[str, str] = None, body: bytes = b''):
+        self.method = method.upper()
+        self.path = path
+        self.headers = headers or {}
+        self.body = body
+        self.version = 'HTTP/1.1'
+    
+    @classmethod
+    def parse(cls, data: bytes) -> Optional['HTTPRequest']:
+        """Parse HTTP request from raw data"""
+        try:
+            lines = data.decode('utf-8', errors='ignore').split('\r\n')
+            if not lines:
+                return None
+            
+            # Parse request line
+            request_line = lines[0].split(' ')
+            if len(request_line) < 3:
+                return None
+            
+            method, path, version = request_line[0], request_line[1], request_line[2]
+            
+            # Parse headers
+            headers = {}
+            body_start = 1
+            for i, line in enumerate(lines[1:], 1):
+                if line == '':
+                    body_start = i + 1
+                    break
+                if ':' in line:
+                    key, value = line.split(':', 1)
+                    headers[key.strip().lower()] = value.strip()
+            
+            # Parse body
+            body_lines = lines[body_start:]
+            body = '\r\n'.join(body_lines).encode('utf-8')
+            
+            return cls(method, path, headers, body)
+            
+        except Exception:
+            return None
+    
+    def to_bytes(self) -> bytes:
+        """Convert to raw HTTP request"""
+        request_line = f"{self.method} {self.path} {self.version}\r\n"
+        
+        # Add default headers
+        if 'host' not in self.headers:
+            self.headers['host'] = 'localhost'
+        if 'user-agent' not in self.headers:
+            self.headers['user-agent'] = 'VirtualISP/1.0'
+        if self.body and 'content-length' not in self.headers:
+            self.headers['content-length'] = str(len(self.body))
+        
+        # Build headers
+        header_lines = []
+        for key, value in self.headers.items():
+            header_lines.append(f"{key}: {value}\r\n")
+        
+        # Combine all parts
+        request_data = request_line + ''.join(header_lines) + '\r\n'
+        return request_data.encode('utf-8') + self.body
+
+
+class HTTPResponse:
+    """Represents an HTTP response"""
+    
+    def __init__(self, status_code: int = 200, reason: str = 'OK', headers: Dict[str, str] = None, body: bytes = b''):
+        self.status_code = status_code
+        self.reason = reason
+        self.headers = headers or {}
+        self.body = body
+        self.version = 'HTTP/1.1'
+    
+    @classmethod
+    def parse(cls, data: bytes) -> Optional['HTTPResponse']:
+        """Parse HTTP response from raw data"""
+        try:
+            lines = data.decode('utf-8', errors='ignore').split('\r\n')
+            if not lines:
+                return None
+            
+            # Parse status line
+            status_line = lines[0].split(' ', 2)
+            if len(status_line) < 3:
+                return None
+            
+            version, status_code, reason = status_line[0], int(status_line[1]), status_line[2]
+            
+            # Parse headers
+            headers = {}
+            body_start = 1
+            for i, line in enumerate(lines[1:], 1):
+                if line == '':
+                    body_start = i + 1
+                    break
+                if ':' in line:
+                    key, value = line.split(':', 1)
+                    headers[key.strip().lower()] = value.strip()
+            
+            # Parse body
+            body_lines = lines[body_start:]
+            body = '\r\n'.join(body_lines).encode('utf-8')
+            
+            return cls(status_code, reason, headers, body)
+            
+        except Exception:
+            return None
+    
+    def to_bytes(self) -> bytes:
+        """Convert to raw HTTP response"""
+        status_line = f"{self.version} {self.status_code} {self.reason}\r\n"
+        
+        # Add default headers
+        if 'content-length' not in self.headers and self.body:
+            self.headers['content-length'] = str(len(self.body))
+        if 'server' not in self.headers:
+            self.headers['server'] = 'VirtualISP/1.0'
+        
+        # Build headers
+        header_lines = []
+        for key, value in self.headers.items():
+            header_lines.append(f"{key}: {value}\r\n")
+        
+        # Combine all parts
+        response_data = status_line + ''.join(header_lines) + '\r\n'
+        return response_data.encode('utf-8') + self.body
+
+
+class SocketTranslator:
+    """Socket translator implementation"""
+    
+    def __init__(self, config: Dict):
+        self.config = config
+        self.connections: Dict[str, SocketConnection] = {}
+        self.lock = threading.Lock()
+        
+        # Configuration
+        self.connect_timeout = config.get('connect_timeout', 10)
+        self.read_timeout = config.get('read_timeout', 30)
+        self.max_connections = config.get('max_connections', 1000)
+        self.buffer_size = config.get('buffer_size', 8192)
+        
+        # HTTP client session
+        self.http_session = None
+        self.loop = None
+        
+        # Statistics
+        self.stats = {
+            'total_connections': 0,
+            'active_connections': 0,
+            'failed_connections': 0,
+            'bytes_transferred': 0,
+            'http_requests': 0,
+            'tcp_connections': 0,
+            'udp_connections': 0
+        }
+        
+        # Background tasks
+        self.running = False
+        self.cleanup_thread = None
+    
+    async def _init_http_session(self):
+        """Initialize HTTP client session"""
+        connector = aiohttp.TCPConnector(
+            limit=100,
+            limit_per_host=10,
+            ttl_dns_cache=300,
+            use_dns_cache=True,
+        )
+        
+        timeout = aiohttp.ClientTimeout(
+            total=self.read_timeout,
+            connect=self.connect_timeout
+        )
+        
+        self.http_session = aiohttp.ClientSession(
+            connector=connector,
+            timeout=timeout,
+            headers={'User-Agent': 'VirtualISP/1.0'}
+        )
+    
+    def _is_http_request(self, data: bytes) -> bool:
+        """Check if data looks like an HTTP request"""
+        try:
+            first_line = data.split(b'\r\n')[0].decode('utf-8', errors='ignore')
+            methods = ['GET', 'POST', 'PUT', 'DELETE', 'HEAD', 'OPTIONS', 'PATCH', 'TRACE']
+            return any(first_line.startswith(method + ' ') for method in methods)
+        except:
+            return False
+    
+    def _determine_connection_type(self, remote_host: str, remote_port: int, data: bytes = b'') -> ConnectionType:
+        """Determine the appropriate connection type"""
+        # Check for HTTP/HTTPS based on port and data
+        if remote_port == 80 or (data and self._is_http_request(data)):
+            return ConnectionType.HTTP_CLIENT
+        elif remote_port == 443:
+            return ConnectionType.HTTPS_CLIENT
+        else:
+            return ConnectionType.TCP_SOCKET
+    
+    def create_connection(self, virtual_conn: TCPConnection, remote_host: str, remote_port: int, 
+                         initial_data: bytes = b'') -> Optional[SocketConnection]:
+        """Create a new socket connection"""
+        connection_id = f"{virtual_conn.connection_id}->{remote_host}:{remote_port}"
+        
+        # Check connection limit
+        with self.lock:
+            if len(self.connections) >= self.max_connections:
+                return None
+        
+        # Determine connection type
+        conn_type = self._determine_connection_type(remote_host, remote_port, initial_data)
+        
+        # Create socket connection
+        socket_conn = SocketConnection(
+            connection_id=connection_id,
+            connection_type=conn_type,
+            virtual_connection=virtual_conn,
+            host_socket=None,
+            remote_host=remote_host,
+            remote_port=remote_port,
+            created_time=time.time(),
+            last_activity=time.time()
+        )
+        
+        with self.lock:
+            self.connections[connection_id] = socket_conn
+        
+        # Establish connection based on type
+        if conn_type in [ConnectionType.HTTP_CLIENT, ConnectionType.HTTPS_CLIENT]:
+            success = self._create_http_connection(socket_conn, initial_data)
+        else:
+            success = self._create_tcp_connection(socket_conn, initial_data)
+        
+        if success:
+            self.stats['total_connections'] += 1
+            self.stats['active_connections'] = len(self.connections)
+            
+            if conn_type in [ConnectionType.HTTP_CLIENT, ConnectionType.HTTPS_CLIENT]:
+                self.stats['http_requests'] += 1
+            else:
+                self.stats['tcp_connections'] += 1
+        else:
+            self.stats['failed_connections'] += 1
+            with self.lock:
+                if connection_id in self.connections:
+                    del self.connections[connection_id]
+            return None
+        
+        return socket_conn
+    
+    def _create_tcp_connection(self, socket_conn: SocketConnection, initial_data: bytes) -> bool:
+        """Create TCP socket connection"""
+        try:
+            # Create socket
+            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+            sock.settimeout(self.connect_timeout)
+            
+            # Connect
+            sock.connect((socket_conn.remote_host, socket_conn.remote_port))
+            sock.settimeout(self.read_timeout)
+            
+            socket_conn.host_socket = sock
+            socket_conn.is_connected = True
+            
+            # Send initial data if any
+            if initial_data:
+                sock.send(initial_data)
+                socket_conn.update_activity(len(initial_data), 'sent')
+            
+            # Start background thread for receiving data
+            thread = threading.Thread(
+                target=self._tcp_receive_loop,
+                args=(socket_conn,),
+                daemon=True
+            )
+            thread.start()
+            
+            return True
+            
+        except Exception as e:
+            print(f"Failed to create TCP connection to {socket_conn.remote_host}:{socket_conn.remote_port}: {e}")
+            socket_conn.error_count += 1
+            return False
+    
+    def _create_http_connection(self, socket_conn: SocketConnection, initial_data: bytes) -> bool:
+        """Create HTTP connection"""
+        try:
+            # Parse HTTP request
+            http_request = HTTPRequest.parse(initial_data)
+            if not http_request:
+                return False
+            
+            # Set host header
+            http_request.headers['host'] = socket_conn.remote_host
+            
+            # Start async HTTP request
+            if self.loop and not self.loop.is_closed():
+                asyncio.run_coroutine_threadsafe(
+                    self._handle_http_request(socket_conn, http_request),
+                    self.loop
+                )
+            else:
+                # Fallback to sync HTTP handling
+                return self._handle_http_request_sync(socket_conn, http_request)
+            
+            return True
+            
+        except Exception as e:
+            print(f"Failed to create HTTP connection to {socket_conn.remote_host}:{socket_conn.remote_port}: {e}")
+            socket_conn.error_count += 1
+            return False
+    
+    async def _handle_http_request(self, socket_conn: SocketConnection, http_request: HTTPRequest):
+        """Handle HTTP request asynchronously"""
+        try:
+            if not self.http_session:
+                await self._init_http_session()
+            
+            # Build URL
+            scheme = 'https' if socket_conn.connection_type == ConnectionType.HTTPS_CLIENT else 'http'
+            url = f"{scheme}://{socket_conn.remote_host}:{socket_conn.remote_port}{http_request.path}"
+            
+            # Make request
+            async with self.http_session.request(
+                method=http_request.method,
+                url=url,
+                headers=http_request.headers,
+                data=http_request.body
+            ) as response:
+                # Read response
+                response_body = await response.read()
+                
+                # Create HTTP response
+                http_response = HTTPResponse(
+                    status_code=response.status,
+                    reason=response.reason or 'OK',
+                    headers=dict(response.headers),
+                    body=response_body
+                )
+                
+                # Send response back to virtual connection
+                response_data = http_response.to_bytes()
+                if socket_conn.virtual_connection and socket_conn.virtual_connection.on_data_received:
+                    socket_conn.virtual_connection.on_data_received(response_data)
+                
+                socket_conn.update_activity(len(response_data), 'received')
+                self.stats['bytes_transferred'] += len(response_data)
+        
+        except Exception as e:
+            print(f"HTTP request failed: {e}")
+            socket_conn.error_count += 1
+            
+            # Send error response
+            error_response = HTTPResponse(
+                status_code=500,
+                reason='Internal Server Error',
+                body=f"Error: {str(e)}".encode('utf-8')
+            )
+            
+            response_data = error_response.to_bytes()
+            if socket_conn.virtual_connection and socket_conn.virtual_connection.on_data_received:
+                socket_conn.virtual_connection.on_data_received(response_data)
+    
+    def _handle_http_request_sync(self, socket_conn: SocketConnection, http_request: HTTPRequest) -> bool:
+        """Handle HTTP request synchronously (fallback)"""
+        try:
+            # Use urllib for sync HTTP requests
+            scheme = 'https' if socket_conn.connection_type == ConnectionType.HTTPS_CLIENT else 'http'
+            url = f"{scheme}://{socket_conn.remote_host}:{socket_conn.remote_port}{http_request.path}"
+            
+            import urllib.request
+            import urllib.error
+            
+            # Create request
+            req = urllib.request.Request(
+                url,
+                data=http_request.body if http_request.body else None,
+                headers=http_request.headers,
+                method=http_request.method
+            )
+            
+            # Make request
+            with urllib.request.urlopen(req, timeout=self.read_timeout) as response:
+                response_body = response.read()
+                
+                # Create HTTP response
+                http_response = HTTPResponse(
+                    status_code=response.getcode(),
+                    reason='OK',
+                    headers=dict(response.headers),
+                    body=response_body
+                )
+                
+                # Send response back to virtual connection
+                response_data = http_response.to_bytes()
+                if socket_conn.virtual_connection and socket_conn.virtual_connection.on_data_received:
+                    socket_conn.virtual_connection.on_data_received(response_data)
+                
+                socket_conn.update_activity(len(response_data), 'received')
+                self.stats['bytes_transferred'] += len(response_data)
+                
+                return True
+        
+        except Exception as e:
+            print(f"Sync HTTP request failed: {e}")
+            socket_conn.error_count += 1
+            return False
+    
+    def _tcp_receive_loop(self, socket_conn: SocketConnection):
+        """Background loop for receiving TCP data"""
+        sock = socket_conn.host_socket
+        if not sock:
+            return
+        
+        try:
+            while socket_conn.is_connected:
+                try:
+                    data = sock.recv(self.buffer_size)
+                    if not data:
+                        break
+                    
+                    # Forward data to virtual connection
+                    if socket_conn.virtual_connection and socket_conn.virtual_connection.on_data_received:
+                        socket_conn.virtual_connection.on_data_received(data)
+                    
+                    socket_conn.update_activity(len(data), 'received')
+                    self.stats['bytes_transferred'] += len(data)
+                    
+                except socket.timeout:
+                    continue
+                except Exception as e:
+                    print(f"TCP receive error: {e}")
+                    break
+        
+        finally:
+            self._close_connection(socket_conn.connection_id)
+    
+    def send_data(self, connection_id: str, data: bytes) -> bool:
+        """Send data through socket connection"""
+        with self.lock:
+            socket_conn = self.connections.get(connection_id)
+        
+        if not socket_conn or not socket_conn.is_connected:
+            return False
+        
+        try:
+            if socket_conn.connection_type in [ConnectionType.HTTP_CLIENT, ConnectionType.HTTPS_CLIENT]:
+                # For HTTP connections, treat as new request
+                return self._create_http_connection(socket_conn, data)
+            else:
+                # TCP connection
+                if socket_conn.host_socket:
+                    socket_conn.host_socket.send(data)
+                    socket_conn.update_activity(len(data), 'sent')
+                    self.stats['bytes_transferred'] += len(data)
+                    return True
+        
+        except Exception as e:
+            print(f"Failed to send data: {e}")
+            socket_conn.error_count += 1
+            self._close_connection(connection_id)
+        
+        return False
+    
+    def _close_connection(self, connection_id: str):
+        """Close socket connection"""
+        with self.lock:
+            socket_conn = self.connections.get(connection_id)
+            if not socket_conn:
+                return
+            
+            # Close socket
+            if socket_conn.host_socket:
+                try:
+                    socket_conn.host_socket.close()
+                except:
+                    pass
+            
+            socket_conn.is_connected = False
+            
+            # Remove from connections
+            del self.connections[connection_id]
+            
+            self.stats['active_connections'] = len(self.connections)
+    
+    def close_connection(self, connection_id: str) -> bool:
+        """Manually close connection"""
+        self._close_connection(connection_id)
+        return True
+    
+    def get_connection(self, connection_id: str) -> Optional[SocketConnection]:
+        """Get socket connection"""
+        with self.lock:
+            return self.connections.get(connection_id)
+    
+    def get_connections(self) -> Dict[str, Dict]:
+        """Get all socket connections"""
+        with self.lock:
+            return {
+                conn_id: conn.to_dict()
+                for conn_id, conn in self.connections.items()
+            }
+    
+    def get_stats(self) -> Dict:
+        """Get socket translator statistics"""
+        with self.lock:
+            stats = self.stats.copy()
+            stats['active_connections'] = len(self.connections)
+        
+        return stats
+    
+    def _cleanup_loop(self):
+        """Background cleanup loop"""
+        while self.running:
+            try:
+                current_time = time.time()
+                expired_connections = []
+                
+                with self.lock:
+                    for conn_id, conn in self.connections.items():
+                        # Close connections that have been inactive too long
+                        if current_time - conn.last_activity > self.read_timeout * 2:
+                            expired_connections.append(conn_id)
+                
+                for conn_id in expired_connections:
+                    self._close_connection(conn_id)
+                
+                time.sleep(30)  # Cleanup every 30 seconds
+                
+            except Exception as e:
+                print(f"Socket translator cleanup error: {e}")
+                time.sleep(5)
+    
+    def start(self):
+        """Start socket translator"""
+        self.running = True
+        
+        # Start event loop for async HTTP
+        try:
+            self.loop = asyncio.new_event_loop()
+            asyncio.set_event_loop(self.loop)
+            
+            # Start cleanup thread
+            self.cleanup_thread = threading.Thread(target=self._cleanup_loop, daemon=True)
+            self.cleanup_thread.start()
+            
+            print("Socket translator started")
+        except Exception as e:
+            print(f"Failed to start socket translator: {e}")
+    
+    def stop(self):
+        """Stop socket translator"""
+        self.running = False
+        
+        # Close all connections
+        with self.lock:
+            connection_ids = list(self.connections.keys())
+        
+        for conn_id in connection_ids:
+            self._close_connection(conn_id)
+        
+        # Close HTTP session
+        if self.http_session:
+            asyncio.run_coroutine_threadsafe(self.http_session.close(), self.loop)
+        
+        # Close event loop
+        if self.loop and not self.loop.is_closed():
+            self.loop.call_soon_threadsafe(self.loop.stop)
+        
+        # Wait for cleanup thread
+        if self.cleanup_thread:
+            self.cleanup_thread.join()
+        
+        print("Socket translator stopped")
+

core/tcp_engine.py

@@ -0,0 +1,716 @@
+"""
+TCP Engine Module
+
+Implements a complete TCP state machine in user-space:
+- Full TCP state machine (SYN, SYN-ACK, ESTABLISHED, FIN, RST)
+- Sequence and acknowledgment number tracking
+- Sliding window implementation
+- Retransmission and timeout handling
+- Congestion control
+"""
+
+import time
+import threading
+import random
+from typing import Dict, List, Optional, Tuple, Callable
+from dataclasses import dataclass, field
+from enum import Enum
+from collections import deque
+
+from .ip_parser import TCPHeader, IPv4Header, IPParser
+
+
+class TCPState(Enum):
+    CLOSED = "CLOSED"
+    LISTEN = "LISTEN"
+    SYN_SENT = "SYN_SENT"
+    SYN_RECEIVED = "SYN_RECEIVED"
+    ESTABLISHED = "ESTABLISHED"
+    FIN_WAIT_1 = "FIN_WAIT_1"
+    FIN_WAIT_2 = "FIN_WAIT_2"
+    CLOSE_WAIT = "CLOSE_WAIT"
+    CLOSING = "CLOSING"
+    LAST_ACK = "LAST_ACK"
+    TIME_WAIT = "TIME_WAIT"
+
+
+@dataclass
+class TCPSegment:
+    """Represents a TCP segment"""
+    seq_num: int
+    ack_num: int
+    flags: int
+    window: int
+    data: bytes
+    timestamp: float = field(default_factory=time.time)
+    retransmit_count: int = 0
+    
+    @property
+    def data_length(self) -> int:
+        """Get data length"""
+        return len(self.data)
+    
+    @property
+    def seq_end(self) -> int:
+        """Get sequence number after this segment"""
+        length = self.data_length
+        # SYN and FIN consume one sequence number
+        if self.flags & 0x02:  # SYN
+            length += 1
+        if self.flags & 0x01:  # FIN
+            length += 1
+        return self.seq_num + length
+
+
+@dataclass
+class TCPConnection:
+    """Represents a TCP connection state"""
+    # Connection identification
+    local_ip: str
+    local_port: int
+    remote_ip: str
+    remote_port: int
+    
+    # State
+    state: TCPState = TCPState.CLOSED
+    
+    # Sequence numbers
+    local_seq: int = 0
+    local_ack: int = 0
+    remote_seq: int = 0
+    remote_ack: int = 0
+    initial_seq: int = 0
+    
+    # Window management
+    local_window: int = 65535
+    remote_window: int = 65535
+    window_scale: int = 0
+    
+    # Buffers
+    send_buffer: deque = field(default_factory=deque)
+    recv_buffer: deque = field(default_factory=deque)
+    out_of_order_buffer: Dict[int, bytes] = field(default_factory=dict)
+    
+    # Retransmission
+    unacked_segments: Dict[int, TCPSegment] = field(default_factory=dict)
+    retransmit_timer: Optional[float] = None
+    rto: float = 1.0  # Retransmission timeout
+    srtt: float = 0.0  # Smoothed round-trip time
+    rttvar: float = 0.0  # Round-trip time variation
+    
+    # Congestion control
+    cwnd: int = 1  # Congestion window (in MSS units)
+    ssthresh: int = 65535  # Slow start threshold
+    mss: int = 1460  # Maximum segment size
+    
+    # Timers
+    last_activity: float = field(default_factory=time.time)
+    time_wait_start: Optional[float] = None
+    
+    # Callbacks
+    on_data_received: Optional[Callable[[bytes], None]] = None
+    on_connection_closed: Optional[Callable[[], None]] = None
+    
+    @property
+    def connection_id(self) -> str:
+        """Get unique connection identifier"""
+        return f"{self.local_ip}:{self.local_port}-{self.remote_ip}:{self.remote_port}"
+    
+    @property
+    def is_established(self) -> bool:
+        """Check if connection is established"""
+        return self.state == TCPState.ESTABLISHED
+    
+    @property
+    def can_send_data(self) -> bool:
+        """Check if connection can send data"""
+        return self.state in [TCPState.ESTABLISHED, TCPState.CLOSE_WAIT]
+    
+    @property
+    def effective_window(self) -> int:
+        """Get effective send window"""
+        return min(self.remote_window, self.cwnd * self.mss)
+
+
+class TCPEngine:
+    """TCP state machine implementation"""
+    
+    def __init__(self, config: Dict):
+        self.config = config
+        self.connections: Dict[str, TCPConnection] = {}
+        self.listening_ports: Dict[int, Callable] = {}  # port -> accept callback
+        self.lock = threading.Lock()
+        self.running = False
+        self.timer_thread = None
+        
+        # Default configuration
+        self.default_mss = config.get('mss', 1460)
+        self.default_window = config.get('initial_window', 65535)
+        self.max_retries = config.get('max_retries', 3)
+        self.connection_timeout = config.get('timeout', 300)
+        self.time_wait_timeout = config.get('time_wait_timeout', 120)
+    
+    def _generate_isn(self) -> int:
+        """Generate Initial Sequence Number"""
+        return random.randint(0, 0xFFFFFFFF)
+    
+    def _get_connection_key(self, local_ip: str, local_port: int, remote_ip: str, remote_port: int) -> str:
+        """Get connection key"""
+        return f"{local_ip}:{local_port}-{remote_ip}:{remote_port}"
+    
+    def _create_tcp_segment(self, conn: TCPConnection, flags: int, data: bytes = b'') -> TCPSegment:
+        """Create TCP segment"""
+        segment = TCPSegment(
+            seq_num=conn.local_seq,
+            ack_num=conn.local_ack,
+            flags=flags,
+            window=conn.local_window,
+            data=data
+        )
+        return segment
+    
+    def _build_tcp_packet(self, conn: TCPConnection, segment: TCPSegment) -> bytes:
+        """Build complete TCP packet"""
+        # Create IP header
+        ip_header = IPv4Header(
+            protocol=6,  # TCP
+            source_ip=conn.local_ip,
+            dest_ip=conn.remote_ip,
+            ttl=64
+        )
+        
+        # Create TCP header
+        tcp_header = TCPHeader(
+            source_port=conn.local_port,
+            dest_port=conn.remote_port,
+            seq_num=segment.seq_num,
+            ack_num=segment.ack_num,
+            flags=segment.flags,
+            window_size=segment.window
+        )
+        
+        # Build packet
+        return IPParser.build_packet(ip_header, tcp_header, segment.data)
+    
+    def _update_rto(self, conn: TCPConnection, rtt: float):
+        """Update retransmission timeout using RFC 6298"""
+        if conn.srtt == 0:
+            # First RTT measurement
+            conn.srtt = rtt
+            conn.rttvar = rtt / 2
+        else:
+            # Subsequent measurements
+            alpha = 0.125
+            beta = 0.25
+            conn.rttvar = (1 - beta) * conn.rttvar + beta * abs(conn.srtt - rtt)
+            conn.srtt = (1 - alpha) * conn.srtt + alpha * rtt
+        
+        # Calculate RTO
+        conn.rto = max(1.0, conn.srtt + 4 * conn.rttvar)
+        conn.rto = min(conn.rto, 60.0)  # Cap at 60 seconds
+    
+    def _update_congestion_window(self, conn: TCPConnection, acked_bytes: int):
+        """Update congestion window (simplified congestion control)"""
+        if conn.cwnd < conn.ssthresh:
+            # Slow start
+            conn.cwnd += 1
+        else:
+            # Congestion avoidance
+            conn.cwnd += max(1, conn.mss * conn.mss // conn.cwnd)
+    
+    def _handle_retransmission(self, conn: TCPConnection):
+        """Handle segment retransmission"""
+        current_time = time.time()
+        
+        # Find segments that need retransmission
+        to_retransmit = []
+        for seq_num, segment in conn.unacked_segments.items():
+            if current_time - segment.timestamp > conn.rto:
+                if segment.retransmit_count < self.max_retries:
+                    to_retransmit.append(segment)
+                else:
+                    # Max retries exceeded, close connection
+                    self._close_connection(conn, reset=True)
+                    return
+        
+        # Retransmit segments
+        for segment in to_retransmit:
+            segment.retransmit_count += 1
+            segment.timestamp = current_time
+            
+            # Exponential backoff
+            conn.rto = min(conn.rto * 2, 60.0)
+            
+            # Congestion control: reduce window
+            conn.ssthresh = max(conn.cwnd // 2, 2)
+            conn.cwnd = 1
+            
+            # Send retransmitted segment
+            packet = self._build_tcp_packet(conn, segment)
+            self._send_packet(packet)
+    
+    def _send_packet(self, packet: bytes):
+        """Send packet (to be implemented by integration layer)"""
+        # This will be connected to the packet bridge
+        pass
+    
+    def _close_connection(self, conn: TCPConnection, reset: bool = False):
+        """Close connection"""
+        if reset:
+            # Send RST
+            segment = self._create_tcp_segment(conn, 0x04)  # RST flag
+            packet = self._build_tcp_packet(conn, segment)
+            self._send_packet(packet)
+            conn.state = TCPState.CLOSED
+        else:
+            # Normal close
+            if conn.state == TCPState.ESTABLISHED:
+                # Send FIN
+                segment = self._create_tcp_segment(conn, 0x01)  # FIN flag
+                packet = self._build_tcp_packet(conn, segment)
+                self._send_packet(packet)
+                conn.local_seq += 1
+                conn.state = TCPState.FIN_WAIT_1
+        
+        # Cleanup if closed
+        if conn.state == TCPState.CLOSED:
+            if conn.on_connection_closed:
+                conn.on_connection_closed()
+            
+            with self.lock:
+                if conn.connection_id in self.connections:
+                    del self.connections[conn.connection_id]
+    
+    def listen(self, port: int, accept_callback: Callable):
+        """Listen on port for incoming connections"""
+        with self.lock:
+            self.listening_ports[port] = accept_callback
+    
+    def connect(self, local_ip: str, local_port: int, remote_ip: str, remote_port: int) -> Optional[TCPConnection]:
+        """Initiate outbound connection"""
+        conn_key = self._get_connection_key(local_ip, local_port, remote_ip, remote_port)
+        
+        # Create connection
+        conn = TCPConnection(
+            local_ip=local_ip,
+            local_port=local_port,
+            remote_ip=remote_ip,
+            remote_port=remote_port,
+            state=TCPState.SYN_SENT,
+            local_seq=self._generate_isn(),
+            mss=self.default_mss,
+            local_window=self.default_window
+        )
+        conn.initial_seq = conn.local_seq
+        
+        with self.lock:
+            self.connections[conn_key] = conn
+        
+        # Send SYN
+        segment = self._create_tcp_segment(conn, 0x02)  # SYN flag
+        packet = self._build_tcp_packet(conn, segment)
+        self._send_packet(packet)
+        
+        # Track unacked segment
+        conn.unacked_segments[conn.local_seq] = segment
+        conn.local_seq += 1
+        conn.retransmit_timer = time.time()
+        
+        return conn
+    
+    def send_data(self, conn: TCPConnection, data: bytes) -> bool:
+        """Send data on established connection"""
+        if not conn.can_send_data:
+            return False
+        
+        # Add to send buffer
+        conn.send_buffer.append(data)
+        
+        # Try to send immediately
+        self._try_send_data(conn)
+        
+        return True
+    
+    def _try_send_data(self, conn: TCPConnection):
+        """Try to send buffered data"""
+        while conn.send_buffer and len(conn.unacked_segments) * conn.mss < conn.effective_window:
+            data = conn.send_buffer.popleft()
+            
+            # Split data if larger than MSS
+            while data:
+                chunk = data[:conn.mss]
+                data = data[conn.mss:]
+                
+                # Create and send segment
+                segment = self._create_tcp_segment(conn, 0x18, chunk)  # PSH+ACK flags
+                packet = self._build_tcp_packet(conn, segment)
+                self._send_packet(packet)
+                
+                # Track unacked segment
+                conn.unacked_segments[conn.local_seq] = segment
+                conn.local_seq += len(chunk)
+                
+                if not data:
+                    break
+    
+    def process_packet(self, packet_data: bytes) -> bool:
+        """Process incoming TCP packet"""
+        try:
+            # Parse packet
+            parsed = IPParser.parse_packet(packet_data)
+            if not isinstance(parsed.transport_header, TCPHeader):
+                return False
+            
+            ip_header = parsed.ip_header
+            tcp_header = parsed.transport_header
+            payload = parsed.payload
+            
+            # Find or create connection
+            conn_key = self._get_connection_key(
+                ip_header.dest_ip, tcp_header.dest_port,
+                ip_header.source_ip, tcp_header.source_port
+            )
+            
+            with self.lock:
+                conn = self.connections.get(conn_key)
+                
+                # Handle new connection (SYN to listening port)
+                if not conn and tcp_header.syn and not tcp_header.ack:
+                    if tcp_header.dest_port in self.listening_ports:
+                        conn = self._handle_new_connection(ip_header, tcp_header)
+                        if conn:
+                            self.connections[conn_key] = conn
+                
+                if not conn:
+                    # Send RST for unknown connection
+                    self._send_rst(ip_header, tcp_header)
+                    return False
+            
+            # Process segment
+            return self._process_segment(conn, tcp_header, payload)
+            
+        except Exception as e:
+            print(f"Error processing TCP packet: {e}")
+            return False
+    
+    def _handle_new_connection(self, ip_header: IPv4Header, tcp_header: TCPHeader) -> Optional[TCPConnection]:
+        """Handle new incoming connection"""
+        accept_callback = self.listening_ports.get(tcp_header.dest_port)
+        if not accept_callback:
+            return None
+        
+        # Create connection
+        conn = TCPConnection(
+            local_ip=ip_header.dest_ip,
+            local_port=tcp_header.dest_port,
+            remote_ip=ip_header.source_ip,
+            remote_port=tcp_header.source_port,
+            state=TCPState.SYN_RECEIVED,
+            local_seq=self._generate_isn(),
+            remote_seq=tcp_header.seq_num,
+            local_ack=tcp_header.seq_num + 1,
+            mss=self.default_mss,
+            local_window=self.default_window
+        )
+        conn.initial_seq = conn.local_seq
+        
+        # Send SYN-ACK
+        segment = self._create_tcp_segment(conn, 0x12)  # SYN+ACK flags
+        packet = self._build_tcp_packet(conn, segment)
+        self._send_packet(packet)
+        
+        # Track unacked segment
+        conn.unacked_segments[conn.local_seq] = segment
+        conn.local_seq += 1
+        conn.retransmit_timer = time.time()
+        
+        # Call accept callback
+        accept_callback(conn)
+        
+        return conn
+    
+    def _process_segment(self, conn: TCPConnection, tcp_header: TCPHeader, payload: bytes) -> bool:
+        """Process TCP segment based on connection state"""
+        conn.last_activity = time.time()
+        
+        # Handle RST
+        if tcp_header.rst:
+            conn.state = TCPState.CLOSED
+            self._close_connection(conn)
+            return True
+        
+        # State machine
+        if conn.state == TCPState.SYN_SENT:
+            return self._handle_syn_sent(conn, tcp_header, payload)
+        elif conn.state == TCPState.SYN_RECEIVED:
+            return self._handle_syn_received(conn, tcp_header, payload)
+        elif conn.state == TCPState.ESTABLISHED:
+            return self._handle_established(conn, tcp_header, payload)
+        elif conn.state == TCPState.FIN_WAIT_1:
+            return self._handle_fin_wait_1(conn, tcp_header, payload)
+        elif conn.state == TCPState.FIN_WAIT_2:
+            return self._handle_fin_wait_2(conn, tcp_header, payload)
+        elif conn.state == TCPState.CLOSE_WAIT:
+            return self._handle_close_wait(conn, tcp_header, payload)
+        elif conn.state == TCPState.CLOSING:
+            return self._handle_closing(conn, tcp_header, payload)
+        elif conn.state == TCPState.LAST_ACK:
+            return self._handle_last_ack(conn, tcp_header, payload)
+        elif conn.state == TCPState.TIME_WAIT:
+            return self._handle_time_wait(conn, tcp_header, payload)
+        
+        return False
+    
+    def _handle_syn_sent(self, conn: TCPConnection, tcp_header: TCPHeader, payload: bytes) -> bool:
+        """Handle segment in SYN_SENT state"""
+        if tcp_header.syn and tcp_header.ack:
+            # SYN-ACK received
+            if tcp_header.ack_num == conn.local_seq:
+                conn.remote_seq = tcp_header.seq_num
+                conn.local_ack = tcp_header.seq_num + 1
+                conn.remote_window = tcp_header.window_size
+                
+                # Remove SYN from unacked segments
+                if conn.local_seq - 1 in conn.unacked_segments:
+                    del conn.unacked_segments[conn.local_seq - 1]
+                
+                # Send ACK
+                segment = self._create_tcp_segment(conn, 0x10)  # ACK flag
+                packet = self._build_tcp_packet(conn, segment)
+                self._send_packet(packet)
+                
+                conn.state = TCPState.ESTABLISHED
+                return True
+        
+        return False
+    
+    def _handle_syn_received(self, conn: TCPConnection, tcp_header: TCPHeader, payload: bytes) -> bool:
+        """Handle segment in SYN_RECEIVED state"""
+        if tcp_header.ack and tcp_header.ack_num == conn.local_seq:
+            # ACK for our SYN-ACK
+            conn.remote_window = tcp_header.window_size
+            
+            # Remove SYN-ACK from unacked segments
+            if conn.local_seq - 1 in conn.unacked_segments:
+                del conn.unacked_segments[conn.local_seq - 1]
+            
+            conn.state = TCPState.ESTABLISHED
+            return True
+        
+        return False
+    
+    def _handle_established(self, conn: TCPConnection, tcp_header: TCPHeader, payload: bytes) -> bool:
+        """Handle segment in ESTABLISHED state"""
+        # Handle ACK
+        if tcp_header.ack:
+            self._process_ack(conn, tcp_header.ack_num)
+        
+        # Handle data
+        if payload and tcp_header.seq_num == conn.local_ack:
+            conn.local_ack += len(payload)
+            
+            # Deliver data
+            if conn.on_data_received:
+                conn.on_data_received(payload)
+            
+            # Send ACK
+            segment = self._create_tcp_segment(conn, 0x10)  # ACK flag
+            packet = self._build_tcp_packet(conn, segment)
+            self._send_packet(packet)
+        
+        # Handle FIN
+        if tcp_header.fin:
+            conn.local_ack += 1
+            
+            # Send ACK
+            segment = self._create_tcp_segment(conn, 0x10)  # ACK flag
+            packet = self._build_tcp_packet(conn, segment)
+            self._send_packet(packet)
+            
+            conn.state = TCPState.CLOSE_WAIT
+        
+        return True
+    
+    def _handle_fin_wait_1(self, conn: TCPConnection, tcp_header: TCPHeader, payload: bytes) -> bool:
+        """Handle segment in FIN_WAIT_1 state"""
+        if tcp_header.ack:
+            self._process_ack(conn, tcp_header.ack_num)
+            if not conn.unacked_segments:  # Our FIN was ACKed
+                conn.state = TCPState.FIN_WAIT_2
+        
+        if tcp_header.fin:
+            conn.local_ack += 1
+            
+            # Send ACK
+            segment = self._create_tcp_segment(conn, 0x10)  # ACK flag
+            packet = self._build_tcp_packet(conn, segment)
+            self._send_packet(packet)
+            
+            if conn.state == TCPState.FIN_WAIT_2:
+                conn.state = TCPState.TIME_WAIT
+                conn.time_wait_start = time.time()
+            else:
+                conn.state = TCPState.CLOSING
+        
+        return True
+    
+    def _handle_fin_wait_2(self, conn: TCPConnection, tcp_header: TCPHeader, payload: bytes) -> bool:
+        """Handle segment in FIN_WAIT_2 state"""
+        if tcp_header.fin:
+            conn.local_ack += 1
+            
+            # Send ACK
+            segment = self._create_tcp_segment(conn, 0x10)  # ACK flag
+            packet = self._build_tcp_packet(conn, segment)
+            self._send_packet(packet)
+            
+            conn.state = TCPState.TIME_WAIT
+            conn.time_wait_start = time.time()
+        
+        return True
+    
+    def _handle_close_wait(self, conn: TCPConnection, tcp_header: TCPHeader, payload: bytes) -> bool:
+        """Handle segment in CLOSE_WAIT state"""
+        # Application should close the connection
+        return True
+    
+    def _handle_closing(self, conn: TCPConnection, tcp_header: TCPHeader, payload: bytes) -> bool:
+        """Handle segment in CLOSING state"""
+        if tcp_header.ack:
+            self._process_ack(conn, tcp_header.ack_num)
+            if not conn.unacked_segments:  # Our FIN was ACKed
+                conn.state = TCPState.TIME_WAIT
+                conn.time_wait_start = time.time()
+        
+        return True
+    
+    def _handle_last_ack(self, conn: TCPConnection, tcp_header: TCPHeader, payload: bytes) -> bool:
+        """Handle segment in LAST_ACK state"""
+        if tcp_header.ack:
+            self._process_ack(conn, tcp_header.ack_num)
+            if not conn.unacked_segments:  # Our FIN was ACKed
+                conn.state = TCPState.CLOSED
+                self._close_connection(conn)
+        
+        return True
+    
+    def _handle_time_wait(self, conn: TCPConnection, tcp_header: TCPHeader, payload: bytes) -> bool:
+        """Handle segment in TIME_WAIT state"""
+        # Just acknowledge any segments
+        if tcp_header.seq_num == conn.local_ack:
+            segment = self._create_tcp_segment(conn, 0x10)  # ACK flag
+            packet = self._build_tcp_packet(conn, segment)
+            self._send_packet(packet)
+        
+        return True
+    
+    def _process_ack(self, conn: TCPConnection, ack_num: int):
+        """Process ACK and remove acknowledged segments"""
+        acked_segments = []
+        acked_bytes = 0
+        
+        for seq_num, segment in list(conn.unacked_segments.items()):
+            if seq_num < ack_num:
+                acked_segments.append((seq_num, segment))
+                acked_bytes += segment.data_length
+                del conn.unacked_segments[seq_num]
+        
+        # Update RTT and congestion window
+        if acked_segments:
+            # Use first acked segment for RTT calculation
+            rtt = time.time() - acked_segments[0][1].timestamp
+            self._update_rto(conn, rtt)
+            self._update_congestion_window(conn, acked_bytes)
+            
+            # Try to send more data
+            self._try_send_data(conn)
+    
+    def _send_rst(self, ip_header: IPv4Header, tcp_header: TCPHeader):
+        """Send RST for unknown connection"""
+        # Create RST response
+        rst_ip = IPv4Header(
+            protocol=6,
+            source_ip=ip_header.dest_ip,
+            dest_ip=ip_header.source_ip,
+            ttl=64
+        )
+        
+        rst_tcp = TCPHeader(
+            source_port=tcp_header.dest_port,
+            dest_port=tcp_header.source_port,
+            seq_num=tcp_header.ack_num if tcp_header.ack else 0,
+            ack_num=tcp_header.seq_num + 1 if tcp_header.syn else tcp_header.seq_num,
+            flags=0x14 if tcp_header.ack else 0x04  # RST+ACK or RST
+        )
+        
+        packet = IPParser.build_packet(rst_ip, rst_tcp)
+        self._send_packet(packet)
+    
+    def _timer_loop(self):
+        """Timer loop for handling timeouts"""
+        while self.running:
+            current_time = time.time()
+            
+            with self.lock:
+                connections_to_check = list(self.connections.values())
+            
+            for conn in connections_to_check:
+                # Handle retransmissions
+                if conn.unacked_segments:
+                    self._handle_retransmission(conn)
+                
+                # Handle connection timeout
+                if current_time - conn.last_activity > self.connection_timeout:
+                    self._close_connection(conn, reset=True)
+                
+                # Handle TIME_WAIT timeout
+                if (conn.state == TCPState.TIME_WAIT and 
+                    conn.time_wait_start and 
+                    current_time - conn.time_wait_start > self.time_wait_timeout):
+                    conn.state = TCPState.CLOSED
+                    self._close_connection(conn)
+            
+            time.sleep(1)  # Check every second
+    
+    def start(self):
+        """Start TCP engine"""
+        self.running = True
+        self.timer_thread = threading.Thread(target=self._timer_loop, daemon=True)
+        self.timer_thread.start()
+        print("TCP engine started")
+    
+    def stop(self):
+        """Stop TCP engine"""
+        self.running = False
+        if self.timer_thread:
+            self.timer_thread.join()
+        
+        # Close all connections
+        with self.lock:
+            for conn in list(self.connections.values()):
+                self._close_connection(conn, reset=True)
+        
+        print("TCP engine stopped")
+    
+    def get_connections(self) -> Dict[str, Dict]:
+        """Get current connections"""
+        with self.lock:
+            return {
+                conn_id: {
+                    'local_ip': conn.local_ip,
+                    'local_port': conn.local_port,
+                    'remote_ip': conn.remote_ip,
+                    'remote_port': conn.remote_port,
+                    'state': conn.state.value,
+                    'local_seq': conn.local_seq,
+                    'local_ack': conn.local_ack,
+                    'remote_seq': conn.remote_seq,
+                    'remote_ack': conn.remote_ack,
+                    'window_size': conn.local_window,
+                    'cwnd': conn.cwnd,
+                    'unacked_segments': len(conn.unacked_segments),
+                    'last_activity': conn.last_activity
+                }
+                for conn_id, conn in self.connections.items()
+            }
+

core/virtual_router.py

@@ -0,0 +1,565 @@
+"""
+Virtual Router Module
+
+Implements packet routing between virtual clients and external internet:
+- Maintain routing table for virtual network
+- Forward packets based on destination IP
+- Handle internal vs external routing decisions
+- Support static route configuration
+"""
+
+import ipaddress
+import time
+import threading
+from typing import Dict, List, Optional, Tuple, Set
+from dataclasses import dataclass
+from enum import Enum
+
+from .ip_parser import ParsedPacket, IPv4Header
+
+
+class RouteType(Enum):
+    DIRECT = "DIRECT"      # Directly connected network
+    STATIC = "STATIC"      # Static route
+    DEFAULT = "DEFAULT"    # Default route
+
+
+@dataclass
+class RouteEntry:
+    """Represents a routing table entry"""
+    destination: str       # Network in CIDR notation (e.g., "10.0.0.0/24")
+    gateway: Optional[str] # Next hop IP (None for direct routes)
+    interface: str         # Interface name or identifier
+    metric: int           # Route metric (lower is preferred)
+    route_type: RouteType
+    created_time: float
+    last_used: Optional[float] = None
+    use_count: int = 0
+    
+    def __post_init__(self):
+        if self.created_time == 0:
+            self.created_time = time.time()
+    
+    def record_use(self):
+        """Record route usage"""
+        self.use_count += 1
+        self.last_used = time.time()
+    
+    def matches_destination(self, ip: str) -> bool:
+        """Check if this route matches the destination IP"""
+        try:
+            network = ipaddress.ip_network(self.destination, strict=False)
+            return ipaddress.ip_address(ip) in network
+        except (ipaddress.AddressValueError, ValueError):
+            return False
+    
+    def to_dict(self) -> Dict:
+        """Convert route to dictionary"""
+        return {
+            'destination': self.destination,
+            'gateway': self.gateway,
+            'interface': self.interface,
+            'metric': self.metric,
+            'route_type': self.route_type.value,
+            'created_time': self.created_time,
+            'last_used': self.last_used,
+            'use_count': self.use_count
+        }
+
+
+@dataclass
+class Interface:
+    """Represents a network interface"""
+    name: str
+    ip_address: str
+    netmask: str
+    network: str           # Network in CIDR notation
+    enabled: bool = True
+    mtu: int = 1500
+    created_time: float = 0
+    
+    def __post_init__(self):
+        if self.created_time == 0:
+            self.created_time = time.time()
+        
+        # Calculate network if not provided
+        if not self.network:
+            try:
+                interface_network = ipaddress.ip_interface(f"{self.ip_address}/{self.netmask}")
+                self.network = str(interface_network.network)
+            except (ipaddress.AddressValueError, ValueError):
+                self.network = "0.0.0.0/0"
+    
+    def is_local_address(self, ip: str) -> bool:
+        """Check if IP address belongs to this interface's network"""
+        try:
+            network = ipaddress.ip_network(self.network, strict=False)
+            return ipaddress.ip_address(ip) in network
+        except (ipaddress.AddressValueError, ValueError):
+            return False
+    
+    def to_dict(self) -> Dict:
+        """Convert interface to dictionary"""
+        return {
+            'name': self.name,
+            'ip_address': self.ip_address,
+            'netmask': self.netmask,
+            'network': self.network,
+            'enabled': self.enabled,
+            'mtu': self.mtu,
+            'created_time': self.created_time
+        }
+
+
+class VirtualRouter:
+    """Virtual router implementation"""
+    
+    def __init__(self, config: Dict):
+        self.config = config
+        self.routing_table: List[RouteEntry] = []
+        self.interfaces: Dict[str, Interface] = {}
+        self.arp_table: Dict[str, str] = {}  # IP -> MAC mapping
+        self.lock = threading.Lock()
+        
+        # Router configuration
+        self.router_id = config.get('router_id', 'virtual-router-1')
+        self.default_gateway = config.get('default_gateway')
+        
+        # Statistics
+        self.stats = {
+            'packets_routed': 0,
+            'packets_dropped': 0,
+            'route_lookups': 0,
+            'arp_requests': 0,
+            'arp_replies': 0,
+            'routing_errors': 0
+        }
+        
+        # Initialize interfaces and routes
+        self._initialize_interfaces()
+        self._initialize_routes()
+    
+    def _initialize_interfaces(self):
+        """Initialize network interfaces from configuration"""
+        interfaces_config = self.config.get('interfaces', [])
+        
+        for iface_config in interfaces_config:
+            interface = Interface(
+                name=iface_config['name'],
+                ip_address=iface_config['ip_address'],
+                netmask=iface_config.get('netmask', '255.255.255.0'),
+                network=iface_config.get('network'),
+                enabled=iface_config.get('enabled', True),
+                mtu=iface_config.get('mtu', 1500)
+            )
+            
+            with self.lock:
+                self.interfaces[interface.name] = interface
+            
+            # Add direct route for interface network
+            self.add_route(
+                destination=interface.network,
+                gateway=None,
+                interface=interface.name,
+                metric=0,
+                route_type=RouteType.DIRECT
+            )
+    
+    def _initialize_routes(self):
+        """Initialize static routes from configuration"""
+        routes_config = self.config.get('static_routes', [])
+        
+        for route_config in routes_config:
+            self.add_route(
+                destination=route_config['destination'],
+                gateway=route_config.get('gateway'),
+                interface=route_config['interface'],
+                metric=route_config.get('metric', 10),
+                route_type=RouteType.STATIC
+            )
+        
+        # Add default route if configured
+        if self.default_gateway:
+            # Find interface for default gateway
+            default_interface = None
+            for interface in self.interfaces.values():
+                if interface.is_local_address(self.default_gateway):
+                    default_interface = interface.name
+                    break
+            
+            if default_interface:
+                self.add_route(
+                    destination="0.0.0.0/0",
+                    gateway=self.default_gateway,
+                    interface=default_interface,
+                    metric=100,
+                    route_type=RouteType.DEFAULT
+                )
+    
+    def add_interface(self, name: str, ip_address: str, netmask: str = "255.255.255.0", 
+                     network: Optional[str] = None, mtu: int = 1500) -> bool:
+        """Add network interface"""
+        with self.lock:
+            if name in self.interfaces:
+                return False
+            
+            interface = Interface(
+                name=name,
+                ip_address=ip_address,
+                netmask=netmask,
+                network=network,
+                mtu=mtu
+            )
+            
+            self.interfaces[name] = interface
+        
+        # Add direct route for interface network
+        self.add_route(
+            destination=interface.network,
+            gateway=None,
+            interface=name,
+            metric=0,
+            route_type=RouteType.DIRECT
+        )
+        
+        return True
+    
+    def remove_interface(self, name: str) -> bool:
+        """Remove network interface"""
+        with self.lock:
+            if name not in self.interfaces:
+                return False
+            
+            # Remove interface
+            del self.interfaces[name]
+            
+            # Remove routes associated with this interface
+            self.routing_table = [
+                route for route in self.routing_table 
+                if route.interface != name
+            ]
+        
+        return True
+    
+    def enable_interface(self, name: str) -> bool:
+        """Enable network interface"""
+        with self.lock:
+            if name in self.interfaces:
+                self.interfaces[name].enabled = True
+                return True
+        return False
+    
+    def disable_interface(self, name: str) -> bool:
+        """Disable network interface"""
+        with self.lock:
+            if name in self.interfaces:
+                self.interfaces[name].enabled = False
+                return True
+        return False
+    
+    def add_route(self, destination: str, gateway: Optional[str], interface: str, 
+                  metric: int = 10, route_type: RouteType = RouteType.STATIC) -> bool:
+        """Add route to routing table"""
+        try:
+            # Validate destination network
+            ipaddress.ip_network(destination, strict=False)
+            
+            # Validate gateway if provided
+            if gateway:
+                ipaddress.ip_address(gateway)
+            
+            route = RouteEntry(
+                destination=destination,
+                gateway=gateway,
+                interface=interface,
+                metric=metric,
+                route_type=route_type,
+                created_time=time.time()
+            )
+            
+            with self.lock:
+                # Check if interface exists
+                if interface not in self.interfaces:
+                    return False
+                
+                # Remove existing route with same destination and interface
+                self.routing_table = [
+                    r for r in self.routing_table 
+                    if not (r.destination == destination and r.interface == interface)
+                ]
+                
+                # Add new route
+                self.routing_table.append(route)
+                
+                # Sort by metric (lower metric = higher priority)
+                self.routing_table.sort(key=lambda r: (r.metric, r.created_time))
+            
+            return True
+            
+        except (ipaddress.AddressValueError, ValueError):
+            return False
+    
+    def remove_route(self, destination: str, interface: str) -> bool:
+        """Remove route from routing table"""
+        with self.lock:
+            original_count = len(self.routing_table)
+            self.routing_table = [
+                route for route in self.routing_table
+                if not (route.destination == destination and route.interface == interface)
+            ]
+            return len(self.routing_table) < original_count
+    
+    def lookup_route(self, destination_ip: str) -> Optional[RouteEntry]:
+        """Look up route for destination IP"""
+        self.stats['route_lookups'] += 1
+        
+        with self.lock:
+            # Find all matching routes
+            matching_routes = []
+            for route in self.routing_table:
+                # Skip disabled interfaces
+                interface = self.interfaces.get(route.interface)
+                if not interface or not interface.enabled:
+                    continue
+                
+                if route.matches_destination(destination_ip):
+                    matching_routes.append(route)
+            
+            if not matching_routes:
+                self.stats['routing_errors'] += 1
+                return None
+            
+            # Sort by specificity (longest prefix match) and then by metric
+            def route_priority(route):
+                try:
+                    network = ipaddress.ip_network(route.destination, strict=False)
+                    return (-network.prefixlen, route.metric, route.created_time)
+                except:
+                    return (0, route.metric, route.created_time)
+            
+            matching_routes.sort(key=route_priority)
+            best_route = matching_routes[0]
+            best_route.record_use()
+            
+            return best_route
+    
+    def route_packet(self, packet: ParsedPacket) -> Optional[Tuple[str, str]]:
+        """Route packet and return (next_hop_ip, interface)"""
+        self.stats['packets_routed'] += 1
+        
+        destination_ip = packet.ip_header.dest_ip
+        
+        # Look up route
+        route = self.lookup_route(destination_ip)
+        if not route:
+            self.stats['packets_dropped'] += 1
+            return None
+        
+        # Determine next hop
+        if route.gateway:
+            next_hop = route.gateway
+        else:
+            # Direct route - destination is next hop
+            next_hop = destination_ip
+        
+        return (next_hop, route.interface)
+    
+    def is_local_destination(self, ip: str) -> bool:
+        """Check if IP is a local destination (belongs to router interfaces)"""
+        with self.lock:
+            for interface in self.interfaces.values():
+                if interface.ip_address == ip:
+                    return True
+        return False
+    
+    def is_local_network(self, ip: str) -> bool:
+        """Check if IP belongs to any local network"""
+        with self.lock:
+            for interface in self.interfaces.values():
+                if interface.is_local_address(ip):
+                    return True
+        return False
+    
+    def get_interface_for_ip(self, ip: str) -> Optional[Interface]:
+        """Get interface that can reach the given IP"""
+        with self.lock:
+            for interface in self.interfaces.values():
+                if interface.enabled and interface.is_local_address(ip):
+                    return interface
+        return None
+    
+    def add_arp_entry(self, ip: str, mac: str):
+        """Add ARP table entry"""
+        with self.lock:
+            self.arp_table[ip] = mac
+    
+    def get_arp_entry(self, ip: str) -> Optional[str]:
+        """Get MAC address from ARP table"""
+        with self.lock:
+            return self.arp_table.get(ip)
+    
+    def remove_arp_entry(self, ip: str) -> bool:
+        """Remove ARP table entry"""
+        with self.lock:
+            if ip in self.arp_table:
+                del self.arp_table[ip]
+                return True
+        return False
+    
+    def clear_arp_table(self):
+        """Clear ARP table"""
+        with self.lock:
+            self.arp_table.clear()
+    
+    def get_routing_table(self) -> List[Dict]:
+        """Get routing table"""
+        with self.lock:
+            return [route.to_dict() for route in self.routing_table]
+    
+    def get_interfaces(self) -> Dict[str, Dict]:
+        """Get network interfaces"""
+        with self.lock:
+            return {
+                name: interface.to_dict()
+                for name, interface in self.interfaces.items()
+            }
+    
+    def get_arp_table(self) -> Dict[str, str]:
+        """Get ARP table"""
+        with self.lock:
+            return self.arp_table.copy()
+    
+    def get_stats(self) -> Dict:
+        """Get router statistics"""
+        with self.lock:
+            stats = self.stats.copy()
+            stats['total_routes'] = len(self.routing_table)
+            stats['total_interfaces'] = len(self.interfaces)
+            stats['enabled_interfaces'] = sum(1 for iface in self.interfaces.values() if iface.enabled)
+            stats['arp_entries'] = len(self.arp_table)
+        
+        return stats
+    
+    def reset_stats(self):
+        """Reset router statistics"""
+        self.stats = {
+            'packets_routed': 0,
+            'packets_dropped': 0,
+            'route_lookups': 0,
+            'arp_requests': 0,
+            'arp_replies': 0,
+            'routing_errors': 0
+        }
+        
+        # Reset route usage statistics
+        with self.lock:
+            for route in self.routing_table:
+                route.use_count = 0
+                route.last_used = None
+    
+    def flush_routes(self, route_type: Optional[RouteType] = None):
+        """Flush routes of specified type (or all if None)"""
+        with self.lock:
+            if route_type:
+                self.routing_table = [
+                    route for route in self.routing_table
+                    if route.route_type != route_type
+                ]
+            else:
+                self.routing_table.clear()
+    
+    def export_config(self) -> Dict:
+        """Export router configuration"""
+        return {
+            'router_id': self.router_id,
+            'default_gateway': self.default_gateway,
+            'interfaces': [
+                {
+                    'name': iface.name,
+                    'ip_address': iface.ip_address,
+                    'netmask': iface.netmask,
+                    'network': iface.network,
+                    'enabled': iface.enabled,
+                    'mtu': iface.mtu
+                }
+                for iface in self.interfaces.values()
+            ],
+            'static_routes': [
+                {
+                    'destination': route.destination,
+                    'gateway': route.gateway,
+                    'interface': route.interface,
+                    'metric': route.metric
+                }
+                for route in self.routing_table
+                if route.route_type == RouteType.STATIC
+            ]
+        }
+    
+    def import_config(self, config: Dict):
+        """Import router configuration"""
+        # Clear existing configuration
+        with self.lock:
+            self.interfaces.clear()
+            self.routing_table.clear()
+            self.arp_table.clear()
+        
+        # Update router settings
+        self.router_id = config.get('router_id', self.router_id)
+        self.default_gateway = config.get('default_gateway', self.default_gateway)
+        
+        # Reinitialize from new config
+        self.config.update(config)
+        self._initialize_interfaces()
+        self._initialize_routes()
+
+
+class RouterUtils:
+    """Utility functions for router operations"""
+    
+    @staticmethod
+    def ip_to_int(ip: str) -> int:
+        """Convert IP address to integer"""
+        return int(ipaddress.ip_address(ip))
+    
+    @staticmethod
+    def int_to_ip(ip_int: int) -> str:
+        """Convert integer to IP address"""
+        return str(ipaddress.ip_address(ip_int))
+    
+    @staticmethod
+    def calculate_network(ip: str, netmask: str) -> str:
+        """Calculate network address from IP and netmask"""
+        try:
+            interface = ipaddress.ip_interface(f"{ip}/{netmask}")
+            return str(interface.network)
+        except (ipaddress.AddressValueError, ValueError):
+            return "0.0.0.0/0"
+    
+    @staticmethod
+    def is_private_ip(ip: str) -> bool:
+        """Check if IP address is private"""
+        try:
+            ip_obj = ipaddress.ip_address(ip)
+            return ip_obj.is_private
+        except (ipaddress.AddressValueError, ValueError):
+            return False
+    
+    @staticmethod
+    def is_multicast_ip(ip: str) -> bool:
+        """Check if IP address is multicast"""
+        try:
+            ip_obj = ipaddress.ip_address(ip)
+            return ip_obj.is_multicast
+        except (ipaddress.AddressValueError, ValueError):
+            return False
+    
+    @staticmethod
+    def validate_cidr(cidr: str) -> bool:
+        """Validate CIDR notation"""
+        try:
+            ipaddress.ip_network(cidr, strict=False)
+            return True
+        except (ipaddress.AddressValueError, ValueError):
+            return False
+

main.py

@@ -0,0 +1,62 @@
+import os
+import sys
+# DON\'T CHANGE THIS !!!
+sys.path.insert(0, os.path.dirname(os.path.dirname(__file__)))
+
+from flask import Flask, send_from_directory
+from src.models.user import db
+from src.routes.user import user_bp
+from src.routes.isp_api import init_engines, isp_api
+
+app = Flask(__name__, static_folder=os.path.join(os.path.dirname(__file__), 'static'))
+app.config['SECRET_KEY'] = 'asdf#FGSgvasgf$5$WGT'
+
+app.register_blueprint(user_bp, url_prefix='/api')
+app.register_blueprint(isp_api, url_prefix='/api')
+
+# uncomment if you need to use database
+app.config['SQLALCHEMY_DATABASE_URI'] = f"sqlite:///{os.path.join(os.path.dirname(__file__), 'database', 'app.db')}"
+app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
+db.init_app(app)
+
+with app.app_context():
+    db.create_all()
+
+# Default configuration for engines
+app.config["dhcp"] = {
+    "network": "10.0.0.0/24",
+    "range_start": "10.0.0.10",
+    "range_end": "10.0.0.100",
+    "lease_time": 3600,
+    "gateway": "10.0.0.1",
+    "dns_servers": ["8.8.8.8", "8.8.4.4"]
+}
+
+# Initialize engines only once, when the Flask app is not in debug mode's reloader process
+if not app.debug or os.environ.get('WERKZEUG_RUN_MAIN') == 'true':
+    init_engines(app.config)
+
+@app.route('/')
+def serve_root():
+    return serve('')
+
+@app.route('/<path:path>')
+def serve(path):
+    static_folder_path = app.static_folder
+    if static_folder_path is None:
+            return "Static folder not configured", 404
+
+    if path != "" and os.path.exists(os.path.join(static_folder_path, path)):
+        return send_from_directory(static_folder_path, path)
+    else:
+        index_path = os.path.join(static_folder_path, 'index.html')
+        if os.path.exists(index_path):
+            return send_from_directory(static_folder_path, 'index.html')
+        else:
+            return "index.html not found", 404
+
+
+if __name__ == '__main__':
+    app.run(host='0.0.0.0', port=5000, debug=False)
+
+

main_isp.py

@@ -0,0 +1,273 @@
+"""
+Main ISP Application
+
+Integrates all core modules and provides the main application entry point
+"""
+
+import os
+import sys
+import json
+import threading
+import time
+from flask import Flask
+from flask_cors import CORS
+
+# Add project root to path
+sys.path.insert(0, os.path.dirname(os.path.dirname(__file__)))
+
+# Import routes and core modules
+from src.routes.isp_api import isp_api, init_engines
+
+
+def load_config():
+    """Load configuration from file or use defaults"""
+    config_file = os.path.join(os.path.dirname(__file__), 'config.json')
+    
+    default_config = {
+        "dhcp": {
+            "network": "10.0.0.0/24",
+            "range_start": "10.0.0.10",
+            "range_end": "10.0.0.100",
+            "lease_time": 3600,
+            "gateway": "10.0.0.1",
+            "dns_servers": ["8.8.8.8", "8.8.4.4"]
+        },
+        "nat": {
+            "port_range_start": 10000,
+            "port_range_end": 65535,
+            "session_timeout": 300,
+            "host_ip": "0.0.0.0"
+        },
+        "firewall": {
+            "default_policy": "ACCEPT",
+            "log_blocked": True,
+            "log_accepted": False,
+            "max_log_entries": 10000,
+            "rules": [
+                {
+                    "rule_id": "allow_dhcp",
+                    "priority": 1,
+                    "action": "ACCEPT",
+                    "direction": "BOTH",
+                    "dest_port": "67,68",
+                    "protocol": "UDP",
+                    "description": "Allow DHCP traffic",
+                    "enabled": True
+                },
+                {
+                    "rule_id": "allow_dns",
+                    "priority": 2,
+                    "action": "ACCEPT",
+                    "direction": "BOTH",
+                    "dest_port": "53",
+                    "protocol": "UDP",
+                    "description": "Allow DNS traffic",
+                    "enabled": True
+                }
+            ]
+        },
+        "tcp": {
+            "initial_window": 65535,
+            "max_retries": 3,
+            "timeout": 300,
+            "time_wait_timeout": 120,
+            "mss": 1460
+        },
+        "router": {
+            "router_id": "virtual-isp-router",
+            "default_gateway": "10.0.0.1",
+            "interfaces": [
+                {
+                    "name": "virtual0",
+                    "ip_address": "10.0.0.1",
+                    "netmask": "255.255.255.0",
+                    "enabled": True,
+                    "mtu": 1500
+                }
+            ],
+            "static_routes": []
+        },
+        "socket_translator": {
+            "connect_timeout": 10,
+            "read_timeout": 30,
+            "max_connections": 1000,
+            "buffer_size": 8192
+        },
+        "packet_bridge": {
+            "websocket_host": "0.0.0.0",
+            "websocket_port": 8765,
+            "tcp_host": "0.0.0.0",
+            "tcp_port": 8766,
+            "max_clients": 100,
+            "client_timeout": 300
+        },
+        "session_tracker": {
+            "max_sessions": 10000,
+            "session_timeout": 3600,
+            "cleanup_interval": 300,
+            "metrics_retention": 86400
+        },
+        "logger": {
+            "log_level": "INFO",
+            "log_to_file": True,
+            "log_file_path": "/tmp/virtual_isp.log",
+            "log_file_max_size": 10485760,
+            "log_file_backup_count": 5,
+            "log_to_console": True,
+            "structured_logging": True,
+            "max_memory_logs": 10000
+        },
+        "openvpn": {
+            "server_config_path": "/etc/openvpn/server/server.conf",
+            "ca_cert_path": "/home/ubuntu/openvpn-ca/pki/ca.crt",
+            "server_cert_path": "/home/ubuntu/openvpn-ca/pki/issued/server.crt",
+            "server_key_path": "/home/ubuntu/openvpn-ca/pki/private/server.key",
+            "dh_path": "/home/ubuntu/openvpn-ca/pki/dh.pem",
+            "vpn_network": "10.8.0.0/24",
+            "vpn_server_ip": "10.8.0.1",
+            "vpn_port": 1194,
+            "protocol": "udp",
+            "auto_start": False,
+            "client_to_client": False,
+            "push_routes": [
+                "redirect-gateway def1 bypass-dhcp",
+                "dhcp-option DNS 8.8.8.8",
+                "dhcp-option DNS 8.8.4.4"
+            ]
+        }
+    }
+    
+    if os.path.exists(config_file):
+        try:
+            with open(config_file, 'r') as f:
+                file_config = json.load(f)
+            
+            # Merge with defaults
+            def merge_config(default, override):
+                result = default.copy()
+                for key, value in override.items():
+                    if key in result and isinstance(result[key], dict) and isinstance(value, dict):
+                        result[key] = merge_config(result[key], value)
+                    else:
+                        result[key] = value
+                return result
+            
+            return merge_config(default_config, file_config)
+        
+        except Exception as e:
+            print(f"Error loading config file: {e}")
+            print("Using default configuration")
+            return default_config
+    else:
+        # Save default config
+        try:
+            with open(config_file, 'w') as f:
+                json.dump(default_config, f, indent=2)
+            print(f"Created default configuration file: {config_file}")
+        except Exception as e:
+            print(f"Could not save default config: {e}")
+        
+        return default_config
+
+
+def create_app():
+    """Create and configure Flask application"""
+    app = Flask(__name__, static_folder=os.path.join(os.path.dirname(__file__), 'static'))
+    
+    # Enable CORS for all routes
+    CORS(app, origins="*", allow_headers=["Content-Type", "Authorization"])
+    
+    # Load configuration
+    config = load_config()
+    app.config['ISP_CONFIG'] = config
+    
+    # Register blueprints
+    app.register_blueprint(isp_api, url_prefix='/api')
+    
+    # Initialize engines
+    init_engines(config)
+    
+    # Serve static files
+    @app.route('/', defaults={'path': ''})
+    @app.route('/<path:path>')
+    def serve_static(path):
+        static_folder_path = app.static_folder
+        if static_folder_path is None:
+            return "Static folder not configured", 404
+        
+        if path != "" and os.path.exists(os.path.join(static_folder_path, path)):
+            return app.send_static_file(path)
+        else:
+            index_path = os.path.join(static_folder_path, 'index.html')
+            if os.path.exists(index_path):
+                return app.send_static_file('index.html')
+            else:
+                return """
+                <!DOCTYPE html>
+                <html>
+                <head>
+                    <title>Virtual ISP Stack</title>
+                    <style>
+                        body { font-family: Arial, sans-serif; margin: 40px; }
+                        .container { max-width: 800px; margin: 0 auto; }
+                        .status { background: #f0f0f0; padding: 20px; border-radius: 5px; }
+                        .api-link { color: #0066cc; text-decoration: none; }
+                        .api-link:hover { text-decoration: underline; }
+                    </style>
+                </head>
+                <body>
+                    <div class="container">
+                        <h1>Virtual ISP Stack</h1>
+                        <div class="status">
+                            <h2>System Status</h2>
+                            <p>The Virtual ISP Stack is running successfully!</p>
+                            <p><strong>API Endpoint:</strong> <a href="/api/status" class="api-link">/api/status</a></p>
+                            <p><strong>System Stats:</strong> <a href="/api/stats" class="api-link">/api/stats</a></p>
+                        </div>
+                        
+                        <h2>Available API Endpoints</h2>
+                        <ul>
+                            <li><a href="/api/config" class="api-link">GET /api/config</a> - System configuration</li>
+                            <li><a href="/api/status" class="api-link">GET /api/status</a> - System status</li>
+                            <li><a href="/api/stats" class="api-link">GET /api/stats</a> - System statistics</li>
+                            <li><a href="/api/dhcp/leases" class="api-link">GET /api/dhcp/leases</a> - DHCP leases</li>
+                            <li><a href="/api/nat/sessions" class="api-link">GET /api/nat/sessions</a> - NAT sessions</li>
+                            <li><a href="/api/firewall/rules" class="api-link">GET /api/firewall/rules</a> - Firewall rules</li>
+                            <li><a href="/api/tcp/connections" class="api-link">GET /api/tcp/connections</a> - TCP connections</li>
+                            <li><a href="/api/router/routes" class="api-link">GET /api/router/routes</a> - Routing table</li>
+                            <li><a href="/api/bridge/clients" class="api-link">GET /api/bridge/clients</a> - Bridge clients</li>
+                            <li><a href="/api/sessions" class="api-link">GET /api/sessions</a> - Session tracking</li>
+                            <li><a href="/api/logs" class="api-link">GET /api/logs</a> - System logs</li>
+                        </ul>
+                        
+                        <h2>WebSocket Bridge</h2>
+                        <p>WebSocket server running on port 8765 for packet bridge connections.</p>
+                        <p>TCP server running on port 8766 for packet bridge connections.</p>
+                    </div>
+                </body>
+                </html>
+                """, 200
+    
+    return app
+
+
+def main():
+    """Main application entry point"""
+    print("Starting Virtual ISP Stack...")
+    
+    # Create Flask app
+    app = create_app()
+    
+    # Start the application
+    print("Virtual ISP Stack started successfully!")
+    print("API available at: http://0.0.0.0:5000/api/")
+    print("WebSocket bridge at: ws://0.0.0.0:8765")
+    print("TCP bridge at: tcp://0.0.0.0:8766")
+    
+    # Run Flask app
+    app.run(host='0.0.0.0', port=5000, debug=False, threaded=True)
+
+
+if __name__ == '__main__':
+    main()
+

models/user.py

@@ -0,0 +1,18 @@
+from flask_sqlalchemy import SQLAlchemy
+
+db = SQLAlchemy()
+
+class User(db.Model):
+    id = db.Column(db.Integer, primary_key=True)
+    username = db.Column(db.String(80), unique=True, nullable=False)
+    email = db.Column(db.String(120), unique=True, nullable=False)
+
+    def __repr__(self):
+        return f'<User {self.username}>'
+
+    def to_dict(self):
+        return {
+            'id': self.id,
+            'username': self.username,
+            'email': self.email
+        }

openvpn/ca.crt

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDMzCCAhugAwIBAgIUNO765P4t/yD/PnIFTMVs0Q32TJYwDQYJKoZIhvcNAQEL
+BQAwDjEMMAoGA1UEAwwDeWVzMB4XDTI1MDgwMjAxMjkzNVoXDTM1MDczMTAxMjkz
+NVowDjEMMAoGA1UEAwwDeWVzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAtwhMGXouHnHBRd2RhdrW8sOMgqt4wDXZC0J+4UMjOX6Y7t2O1Sgw/sWhwFPk
+QF/cMoQIvsucklPogcnzzGtv9zDkAXyVyCC27UYbg8JfWZK3ZMrt6dfEmYf4KKXm
+D6PLn9guxzBB63dhEWx/7fd6H9C/rK/u0rOh15DQRnfEI468cmXS5uNg8ke/73+y
+Gzb6q7ZOFByBAwM0hW0lStBaIIcxouFrIK8B72O8H+6t10K1GvgiBhKvM3cc8dpN
+y4qvRoN/o+eXarZG7G9dfm9OFgdd9LoXPTTbO+ftFPKOq4F41PnMd2Zcyk7P3GCr
+3oK7NbISxZ5efLpy45lgSpqKBwIDAQABo4GIMIGFMB0GA1UdDgQWBBQIi0Er30cV
+Qzi+U/LPV4Lf3yvGIzBJBgNVHSMEQjBAgBQIi0Er30cVQzi+U/LPV4Lf3yvGI6ES
+pBAwDjEMMAoGA1UEAwwDeWVzghQ07vrk/i3/IP8+cgVMxWzRDfZMljAMBgNVHRME
+BTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAHzfSFbi1G7WC
+vMSOqSv4/jlBExnz/AlLUBHhgDomIdLK8Pb3tyCD5IYkmi0NT5x6DORcOV2ow1JZ
+o4BL7OVV+fhz3VKXEpG+s3gq5j2m+raqLtu6QKBGg7SIUZ4MLjggvAcPjsK+n8sK
+86sAUFVTccBxJlKBShAUPSNihyWwxB4PQFvwhefNQSoID1kAB2Fzf1beMX6Gp6Lj
+ldI6e63lpYtIbp4+2F5SxJ/hGTUx+nWbOAHPvhBfhN6sEu9G1C5KPR0cm+xxOpZ9
+lA7y4Dea7pyVybR/b7lFquE3TReXCoLx79UNNSv8erIlsy1jh9yXDnTCk8SN1dpO
+YwJ9U0AHXA==
+-----END CERTIFICATE-----

openvpn/dh.pem

@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEAlPRBW0tYm271xYHi15JrD3JRlpvdjAm+CZoEq0ElLXvSlIKaNQls
+ITH+KIBBX3pgbFFk03fO9ApF0kSOzycRRCuW970iCkDoFUN9y58EG+BI863FkU1h
+3dx+c59HqdWXkzFK+SmTfKIe12alZFik5G0Xs0hkphCgPaXvWlojorjQoRfKySw3
+VxpybKS83+l3t2ER3Z03IRvWinlnuxVAcymzeSR9hwIMJi3RmYmNmdXNel/WFAo2
+zT5j2f2OZHtnBhvo1V92Rml+5rJksPX4lJMRNwVEnXwqVUyCQOTTiGTUjLOO2gdk
+HLhH5teetBdKL4tFcldeIJSk3e0oWXbURwIBAg==
+-----END DH PARAMETERS-----

openvpn/server.conf

@@ -0,0 +1,21 @@
+port 1194
+proto udp
+dev tun
+ca /etc/openvpn/server/ca.crt
+cert /etc/openvpn/server/server.crt
+key /etc/openvpn/server/server.key
+dh /etc/openvpn/server/dh.pem
+server 10.8.0.0 255.255.255.0
+ifconfig-pool-persist ipp.txt
+push "redirect-gateway def1 bypass-dhcp"
+push "dhcp-option DNS 8.8.8.8"
+push "dhcp-option DNS 8.8.4.4"
+keepalive 10 120
+cipher AES-256-CBC
+persist-key
+persist-tun
+status openvpn-status.log
+verb 3
+explicit-exit-notify 1
+
+

openvpn/server.crt

@@ -0,0 +1,86 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            dd:b5:29:c9:70:b2:b3:65:70:ac:0f:57:30:15:b4:2a
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=yes
+        Validity
+            Not Before: Aug  2 01:29:38 2025 GMT
+            Not After : Nov  5 01:29:38 2027 GMT
+        Subject: CN=server
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:dd:9e:02:fb:e3:57:cd:51:43:36:6a:2f:30:f5:
+                    a1:42:5c:16:f1:7b:4b:0a:aa:b1:34:b5:86:51:3e:
+                    6b:82:2e:59:df:42:21:cf:65:14:ea:8c:93:3c:0a:
+                    72:a5:2e:0f:64:1a:ec:76:52:18:b2:d3:a0:df:df:
+                    19:83:7e:39:9e:f5:16:18:36:34:ae:57:cf:2c:89:
+                    7c:c5:97:e3:8f:d0:83:08:7f:14:0c:74:2c:d2:95:
+                    09:6e:42:99:a0:28:69:83:68:f4:9c:0e:b5:3e:08:
+                    8f:d8:06:ec:d5:aa:c8:bc:19:4b:ff:e4:99:50:12:
+                    67:25:d4:79:94:1f:3d:64:b2:c8:00:ea:97:c2:df:
+                    b8:1c:dc:69:47:9f:59:df:03:06:5a:32:7a:fa:51:
+                    96:45:9a:b7:e7:03:ef:9d:3b:94:51:9d:08:69:bb:
+                    b0:3e:c8:9c:a3:a0:9c:18:aa:e9:88:ec:96:c3:71:
+                    b1:f6:a7:09:ff:c0:56:b1:24:22:ab:fc:9a:c5:fc:
+                    fd:67:8e:1a:86:ff:0a:5b:28:46:b4:20:93:05:b6:
+                    ff:87:93:66:7d:ae:92:c4:0d:20:99:e9:c5:b8:3d:
+                    41:3a:06:83:49:e5:13:2e:d6:33:94:45:6a:36:84:
+                    f9:c9:61:fe:98:3a:6e:41:ed:d8:8c:f1:55:3d:6d:
+                    53:fb
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Subject Key Identifier: 
+                F4:62:12:72:49:40:C2:8A:46:5A:CB:71:BE:33:58:25:B3:E0:01:AC
+            X509v3 Authority Key Identifier: 
+                keyid:08:8B:41:2B:DF:47:15:43:38:BE:53:F2:CF:57:82:DF:DF:2B:C6:23
+                DirName:/CN=yes
+                serial:34:EE:FA:E4:FE:2D:FF:20:FF:3E:72:05:4C:C5:6C:D1:0D:F6:4C:96
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+            X509v3 Subject Alternative Name: 
+                DNS:server
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        85:f7:59:01:c2:99:23:c3:9a:99:2a:0a:bc:5d:7d:1c:e8:7c:
+        e9:23:a5:87:08:bd:45:1b:a7:a9:b7:3a:06:b6:91:86:ac:61:
+        03:ae:cd:65:80:0e:e4:81:dc:38:b3:fe:6d:6f:02:e4:9e:43:
+        95:d0:a6:38:30:53:52:14:f1:96:2a:30:69:2f:56:24:65:ba:
+        53:c0:b0:22:23:2b:18:37:a1:0c:45:07:cb:ec:a9:71:f7:96:
+        2a:d2:18:94:f0:07:18:1f:4c:d2:c5:d5:66:8f:1d:5c:08:8d:
+        02:00:d6:0d:df:fd:6e:1e:2a:47:8c:30:fd:5b:46:56:0a:5a:
+        d4:6d:d4:99:c8:94:26:36:0b:86:30:dd:cb:3a:2e:a2:f3:80:
+        0f:62:80:f8:9d:ec:98:f2:96:20:4f:46:01:ae:9d:35:7f:34:
+        21:d7:71:89:b6:7a:ce:94:7e:14:e6:bf:b6:08:44:39:24:db:
+        aa:cf:54:46:34:8f:67:6c:72:22:f1:eb:e9:94:7d:73:26:f3:
+        2f:72:fe:28:b3:cb:28:c3:4c:14:3d:c3:81:1e:8d:96:96:e5:
+        df:af:c4:0a:06:71:16:df:8f:a3:30:50:79:45:95:4c:e8:57:
+        ee:ed:38:dd:82:8e:0e:b1:2b:4d:27:2b:6f:bc:c8:1c:91:de:
+        2c:55:69:38
+-----BEGIN CERTIFICATE-----
+MIIDWDCCAkCgAwIBAgIRAN21KclwsrNlcKwPVzAVtCowDQYJKoZIhvcNAQELBQAw
+DjEMMAoGA1UEAwwDeWVzMB4XDTI1MDgwMjAxMjkzOFoXDTI3MTEwNTAxMjkzOFow
+ETEPMA0GA1UEAwwGc2VydmVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEA3Z4C++NXzVFDNmovMPWhQlwW8XtLCqqxNLWGUT5rgi5Z30Ihz2UU6oyTPApy
+pS4PZBrsdlIYstOg398Zg345nvUWGDY0rlfPLIl8xZfjj9CDCH8UDHQs0pUJbkKZ
+oChpg2j0nA61PgiP2Abs1arIvBlL/+SZUBJnJdR5lB89ZLLIAOqXwt+4HNxpR59Z
+3wMGWjJ6+lGWRZq35wPvnTuUUZ0IabuwPsico6CcGKrpiOyWw3Gx9qcJ/8BWsSQi
+q/yaxfz9Z44ahv8KWyhGtCCTBbb/h5Nmfa6SxA0gmenFuD1BOgaDSeUTLtYzlEVq
+NoT5yWH+mDpuQe3YjPFVPW1T+wIDAQABo4GtMIGqMAkGA1UdEwQCMAAwHQYDVR0O
+BBYEFPRiEnJJQMKKRlrLcb4zWCWz4AGsMEkGA1UdIwRCMECAFAiLQSvfRxVDOL5T
+8s9Xgt/fK8YjoRKkEDAOMQwwCgYDVQQDDAN5ZXOCFDTu+uT+Lf8g/z5yBUzFbNEN
+9kyWMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIFoDARBgNVHREECjAI
+ggZzZXJ2ZXIwDQYJKoZIhvcNAQELBQADggEBAIX3WQHCmSPDmpkqCrxdfRzofOkj
+pYcIvUUbp6m3Oga2kYasYQOuzWWADuSB3Diz/m1vAuSeQ5XQpjgwU1IU8ZYqMGkv
+ViRlulPAsCIjKxg3oQxFB8vsqXH3lirSGJTwBxgfTNLF1WaPHVwIjQIA1g3f/W4e
+KkeMMP1bRlYKWtRt1JnIlCY2C4Yw3cs6LqLzgA9igPid7JjyliBPRgGunTV/NCHX
+cYm2es6UfhTmv7YIRDkk26rPVEY0j2dsciLx6+mUfXMm8y9y/iizyyjDTBQ9w4Ee
+jZaW5d+vxAoGcRbfj6MwUHlFlUzoV+7tON2Cjg6xK00nK2+8yByR3ixVaTg=
+-----END CERTIFICATE-----

openvpn/server.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDdngL741fNUUM2
+ai8w9aFCXBbxe0sKqrE0tYZRPmuCLlnfQiHPZRTqjJM8CnKlLg9kGux2Uhiy06Df
+3xmDfjme9RYYNjSuV88siXzFl+OP0IMIfxQMdCzSlQluQpmgKGmDaPScDrU+CI/Y
+BuzVqsi8GUv/5JlQEmcl1HmUHz1kssgA6pfC37gc3GlHn1nfAwZaMnr6UZZFmrfn
+A++dO5RRnQhpu7A+yJyjoJwYqumI7JbDcbH2pwn/wFaxJCKr/JrF/P1njhqG/wpb
+KEa0IJMFtv+Hk2Z9rpLEDSCZ6cW4PUE6BoNJ5RMu1jOURWo2hPnJYf6YOm5B7diM
+8VU9bVP7AgMBAAECggEATtwR0sEYtspSYPQS+9iD/AGZ9m75in+n1Ao+E/3isq28
+tDmrn0moUjgYklZjakzEFEqSVx4qhMPSrKcORKCvb1Vl+dKcF2fOpFn+KK++Pagk
+YGsb3ryeUIbRFsejM/79YNIBrOB89OiGCwiX0QZXLLvRs+qL9Za+1pLPenpNVd2w
+zL+AZ8QkJZdHn1vOZt9vKRlpe8psAt64RHb+LqhYWfeLlpIUjpM5Vu9FFewMGPrw
+n+GVCzK4ylq0pJ9bYwKI5Hw4qnJ3j5bGIumEjYBqqmef1+OTD3r/wyhTGpK9RRAu
+WD9YGJeQx3ybzRL7Wj6k5g0dn+UA82Lh7Y8n9IoSaQKBgQDqP/BU2KapOHgFt2DE
+WHU/+zA7/kfMJMGB5dYy8oXTxUY7WuqX9lja3rC0XuH10JTD6Q21jkTujc0T5/1B
+4KxuX+nQP/T9b4XzVM3pKWVmHUt6wf24sbuTNxOy/Q/wC7eCnkr04CEl0vf3E56N
+JaLG11dbpcn+9RC9FlUhlYY8QwKBgQDyMcz43915YGOQMkGVZFPvKyOy7ol4fFZv
+VRfRoGx9CfHCIOfh9vmlUy6TR4qAQkCnkL730OsxpW3aDTe3qcAcmhiK7u5TfWrE
+cd1WgrkymJ8hyEk6FSV0GMKrccQeEo2T95cKnk6lNXnEdNp5kx7LBQhL36fEtMXS
+FGCcRkNp6QKBgAbm6WLmm0qDIm4wsAY5AQNomEw8OstWDemQ5xXLNYw+1Mns7Nqb
+ZJTWWOiHnyrKAYggNsoxrfBFd1Rt0nV9dDcwVkhPih1pis3XotWK5bTzigTM8Hff
+rMIyrj7o2+5bugV8OoMqk2903t+F0XchM8GeGLHXmbMMb3jSzqFVsYXXAoGBAII1
+Z/99S7LPsXd6rWvFzqJMzRqLx/iw0D92viGDYBAxYnp9+myvvTO27tlbowilleEA
+nsrY1TmRuOd8J7JkXtaBuiQnpJXaXaZTmS3DhhG/n/4nkcbaS5KJJU/LECcizl74
+w4l/5sRHZbnLIRIvmGSJxhYUnjvQ/HGfZvldhSzRAoGBAMVTrxWedC2XeSMwjdhF
+zeDBAp/dTMEnRaS0j3rp+4a4l7Sus1L/p8gBrJtnf/B43bNvQ5cr2jwH7Ql5cF1A
+A7hpZ3C0trNaf6WqslJQhN8j8Cs85S/8rPGM5yAfyzKTMe0ytLUjn+XiQCqCUFcT
+Inqx4ll7r2tlcI3aMlvN2qsd
+-----END PRIVATE KEY-----

requirements.txt

@@ -0,0 +1,34 @@
+# Core Flask dependencies
+Flask==3.1.1
+flask-cors==6.0.0
+Flask-SQLAlchemy==3.1.1
+Werkzeug==3.1.3
+
+# Database
+SQLAlchemy==2.0.41
+
+# Async and networking
+aiohttp==3.12.15
+aiohappyeyeballs==2.6.1
+aiosignal==1.4.0
+websockets==15.0.1
+
+# Utilities
+attrs==25.3.0
+blinker==1.9.0
+click==8.2.1
+frozenlist==1.7.0
+greenlet==3.2.3
+idna==3.10
+itsdangerous==2.2.0
+Jinja2==3.1.6
+MarkupSafe==3.0.2
+multidict==6.6.3
+propcache==0.3.2
+typing_extensions==4.14.0
+yarl==1.20.1
+
+# Additional dependencies for VPN management
+psutil==5.9.8
+netifaces==0.11.0
+

routes/isp_api.py

@@ -0,0 +1,1107 @@
+"""
+ISP API Routes
+
+Flask routes for the Virtual ISP Stack API endpoints
+"""
+
+from flask import Blueprint, jsonify, request, Response
+from flask_cors import cross_origin
+import json
+import time
+from typing import Dict, Any
+
+# Import core modules
+from core.dhcp_server import DHCPServer
+from core.nat_engine import NATEngine
+from core.firewall import FirewallEngine, FirewallRule, FirewallRuleBuilder, FirewallAction, FirewallDirection
+from core.tcp_engine import TCPEngine
+from core.virtual_router import VirtualRouter
+from core.socket_translator import SocketTranslator
+from core.packet_bridge import PacketBridge
+from core.session_tracker import SessionTracker, SessionType, SessionState
+from core.logger import VirtualISPLogger, LogLevel, LogCategory, LogFilter
+from core.openvpn_manager import OpenVPNManager, initialize_openvpn_manager, get_openvpn_manager
+
+# Create blueprint
+isp_api = Blueprint('isp_api', __name__)
+
+# Global instances (will be initialized by main app)
+dhcp_server: DHCPServer = None
+nat_engine: NATEngine = None
+firewall_engine: FirewallEngine = None
+tcp_engine: TCPEngine = None
+virtual_router: VirtualRouter = None
+socket_translator: SocketTranslator = None
+packet_bridge: PacketBridge = None
+session_tracker: SessionTracker = None
+logger: VirtualISPLogger = None
+openvpn_manager: OpenVPNManager = None
+
+
+def init_engines(config: Dict[str, Any]):
+    """Initialize all engines with configuration"""
+    global dhcp_server, nat_engine, firewall_engine, tcp_engine
+    global virtual_router, socket_translator, packet_bridge, session_tracker, logger, openvpn_manager
+    
+    # Initialize logger first
+    logger = VirtualISPLogger(config.get('logger', {}))
+    logger.start()
+    
+    # Initialize core engines
+    dhcp_server = DHCPServer(config.get('dhcp', {}))
+    nat_engine = NATEngine(config.get('nat', {}))
+    firewall_engine = FirewallEngine(config.get('firewall', {}))
+    tcp_engine = TCPEngine(config.get('tcp', {}))
+    virtual_router = VirtualRouter(config.get('router', {}))
+    socket_translator = SocketTranslator(config.get('socket_translator', {}))
+    packet_bridge = PacketBridge(config.get('packet_bridge', {}))
+    session_tracker = SessionTracker(config.get('session_tracker', {}))
+    
+    # Initialize OpenVPN manager
+    openvpn_manager = initialize_openvpn_manager(config.get('openvpn', {}))
+    openvpn_manager.set_isp_components(
+        dhcp_server=dhcp_server,
+        nat_engine=nat_engine,
+        firewall=firewall_engine,
+        router=virtual_router
+    )
+    
+    # Start engines
+    dhcp_server.start()
+    nat_engine.start()
+    tcp_engine.start()
+    socket_translator.start()
+    session_tracker.start()
+    packet_bridge.start()
+    
+    logger.info(LogCategory.SYSTEM, 'api', 'All engines initialized and started')
+
+
+# Configuration endpoints
+@isp_api.route('/config', methods=['GET'])
+@cross_origin()
+def get_config():
+    """Get current system configuration"""
+    try:
+        config = {
+            'dhcp': {
+                'network': '10.0.0.0/24',
+                'range_start': '10.0.0.10',
+                'range_end': '10.0.0.100',
+                'lease_time': 3600,
+                'gateway': '10.0.0.1',
+                'dns_servers': ['8.8.8.8', '8.8.4.4']
+            },
+            'nat': {
+                'port_range_start': 10000,
+                'port_range_end': 65535,
+                'session_timeout': 300
+            },
+            'firewall': {
+                'default_policy': 'ACCEPT',
+                'log_blocked': True
+            },
+            'tcp': {
+                'initial_window': 65535,
+                'max_retries': 3,
+                'timeout': 30
+            }
+        }
+        
+        return jsonify({
+            'status': 'success',
+            'config': config
+        })
+    
+    except Exception as e:
+        return jsonify({
+            'status': 'error',
+            'message': str(e)
+        }), 500
+
+
+@isp_api.route('/config', methods=['POST'])
+@cross_origin()
+def update_config():
+    """Update system configuration"""
+    try:
+        config_data = request.get_json()
+        
+        # Here you would update the actual configuration
+        # For now, just return success
+        
+        if logger:
+            logger.info(LogCategory.SYSTEM, 'api', 'Configuration updated', metadata=config_data)
+        
+        return jsonify({
+            'status': 'success',
+            'message': 'Configuration updated successfully'
+        })
+    
+    except Exception as e:
+        if logger:
+            logger.error(LogCategory.SYSTEM, 'api', f'Configuration update failed: {str(e)}')
+        
+        return jsonify({
+            'status': 'error',
+            'message': str(e)
+        }), 500
+
+
+# DHCP endpoints
+@isp_api.route('/dhcp/leases', methods=['GET'])
+@cross_origin()
+def get_dhcp_leases():
+    """Get DHCP lease table"""
+    try:
+        if not dhcp_server:
+            return jsonify({'status': 'error', 'message': 'DHCP server not initialized'}), 500
+        
+        leases = dhcp_server.get_leases()
+        
+        return jsonify({
+            'status': 'success',
+            'leases': leases,
+            'count': len(leases)
+        })
+    
+    except Exception as e:
+        return jsonify({
+            'status': 'error',
+            'message': str(e)
+        }), 500
+
+
+@isp_api.route('/dhcp/leases/<mac_address>', methods=['DELETE'])
+@cross_origin()
+def release_dhcp_lease(mac_address):
+    """Release DHCP lease"""
+    try:
+        if not dhcp_server:
+            return jsonify({'status': 'error', 'message': 'DHCP server not initialized'}), 500
+        
+        success = dhcp_server.release_lease(mac_address)
+        
+        if success:
+            if logger:
+                logger.info(LogCategory.DHCP, 'api', f'Released DHCP lease for {mac_address}')
+            
+            return jsonify({
+                'status': 'success',
+                'message': f'Lease for {mac_address} released'
+            })
+        else:
+            return jsonify({
+                'status': 'error',
+                'message': f'Lease for {mac_address} not found'
+            }), 404
+    
+    except Exception as e:
+        return jsonify({
+            'status': 'error',
+            'message': str(e)
+        }), 500
+
+
+# NAT endpoints
+@isp_api.route('/nat/sessions', methods=['GET'])
+@cross_origin()
+def get_nat_sessions():
+    """Get NAT session table"""
+    try:
+        if not nat_engine:
+            return jsonify({'status': 'error', 'message': 'NAT engine not initialized'}), 500
+        
+        sessions = nat_engine.get_sessions()
+        
+        return jsonify({
+            'status': 'success',
+            'sessions': sessions,
+            'count': len(sessions)
+        })
+    
+    except Exception as e:
+        return jsonify({
+            'status': 'error',
+            'message': str(e)
+        }), 500
+
+
+@isp_api.route('/nat/stats', methods=['GET'])
+@cross_origin()
+def get_nat_stats():
+    """Get NAT statistics"""
+    try:
+        if not nat_engine:
+            return jsonify({'status': 'error', 'message': 'NAT engine not initialized'}), 500
+        
+        stats = nat_engine.get_stats()
+        
+        return jsonify({
+            'status': 'success',
+            'stats': stats
+        })
+    
+    except Exception as e:
+        return jsonify({
+            'status': 'error',
+            'message': str(e)
+        }), 500
+
+
+# Firewall endpoints
+@isp_api.route('/firewall/rules', methods=['GET'])
+@cross_origin()
+def get_firewall_rules():
+    """Get firewall rules"""
+    try:
+        if not firewall_engine:
+            return jsonify({'status': 'error', 'message': 'Firewall engine not initialized'}), 500
+        
+        rules = firewall_engine.get_rules()
+        
+        return jsonify({
+            'status': 'success',
+            'rules': rules,
+            'count': len(rules)
+        })
+    
+    except Exception as e:
+        return jsonify({
+            'status': 'error',
+            'message': str(e)
+        }), 500
+
+
+@isp_api.route('/firewall/rules', methods=['POST'])
+@cross_origin()
+def add_firewall_rule():
+    """Add firewall rule"""
+    try:
+        if not firewall_engine:
+            return jsonify({'status': 'error', 'message': 'Firewall engine not initialized'}), 500
+        
+        rule_data = request.get_json()
+        
+        # Build rule using builder
+        builder = FirewallRuleBuilder(rule_data['rule_id'])
+        builder.set_priority(rule_data.get('priority', 100))
+        builder.set_action(rule_data['action'])
+        builder.set_direction(rule_data.get('direction', 'BOTH'))
+        
+        if 'source_ip' in rule_data:
+            builder.set_source_ip(rule_data['source_ip'])
+        if 'dest_ip' in rule_data:
+            builder.set_dest_ip(rule_data['dest_ip'])
+        if 'source_port' in rule_data:
+            builder.set_source_port(rule_data['source_port'])
+        if 'dest_port' in rule_data:
+            builder.set_dest_port(rule_data['dest_port'])
+        if 'protocol' in rule_data:
+            builder.set_protocol(rule_data['protocol'])
+        if 'description' in rule_data:
+            builder.set_description(rule_data['description'])
+        
+        rule = builder.build()
+        success = firewall_engine.add_rule(rule)
+        
+        if success:
+            if logger:
+                logger.info(LogCategory.FIREWALL, 'api', f'Added firewall rule: {rule.rule_id}')
+            
+            return jsonify({
+                'status': 'success',
+                'message': f'Rule {rule.rule_id} added successfully'
+            })
+        else:
+            return jsonify({
+                'status': 'error',
+                'message': f'Rule {rule.rule_id} already exists'
+            }), 400
+    
+    except Exception as e:
+        return jsonify({
+            'status': 'error',
+            'message': str(e)
+        }), 500
+
+
+@isp_api.route('/firewall/rules/<rule_id>', methods=['DELETE'])
+@cross_origin()
+def delete_firewall_rule(rule_id):
+    """Delete firewall rule"""
+    try:
+        if not firewall_engine:
+            return jsonify({'status': 'error', 'message': 'Firewall engine not initialized'}), 500
+        
+        success = firewall_engine.remove_rule(rule_id)
+        
+        if success:
+            if logger:
+                logger.info(LogCategory.FIREWALL, 'api', f'Deleted firewall rule: {rule_id}')
+            
+            return jsonify({
+                'status': 'success',
+                'message': f'Rule {rule_id} deleted successfully'
+            })
+        else:
+            return jsonify({
+                'status': 'error',
+                'message': f'Rule {rule_id} not found'
+            }), 404
+    
+    except Exception as e:
+        return jsonify({
+            'status': 'error',
+            'message': str(e)
+        }), 500
+
+
+@isp_api.route('/firewall/logs', methods=['GET'])
+@cross_origin()
+def get_firewall_logs():
+    """Get firewall logs"""
+    try:
+        if not firewall_engine:
+            return jsonify({'status': 'error', 'message': 'Firewall engine not initialized'}), 500
+        
+        limit = request.args.get('limit', 100, type=int)
+        filter_action = request.args.get('action')
+        
+        logs = firewall_engine.get_logs(limit=limit, filter_action=filter_action)
+        
+        return jsonify({
+            'status': 'success',
+            'logs': logs,
+            'count': len(logs)
+        })
+    
+    except Exception as e:
+        return jsonify({
+            'status': 'error',
+            'message': str(e)
+        }), 500
+
+
+@isp_api.route('/firewall/stats', methods=['GET'])
+@cross_origin()
+def get_firewall_stats():
+    """Get firewall statistics"""
+    try:
+        if not firewall_engine:
+            return jsonify({'status': 'error', 'message': 'Firewall engine not initialized'}), 500
+        
+        stats = firewall_engine.get_stats()
+        
+        return jsonify({
+            'status': 'success',
+            'stats': stats
+        })
+    
+    except Exception as e:
+        return jsonify({
+            'status': 'error',
+            'message': str(e)
+        }), 500
+
+
+# TCP connections endpoints
+@isp_api.route('/tcp/connections', methods=['GET'])
+@cross_origin()
+def get_tcp_connections():
+    """Get TCP connections"""
+    try:
+        if not tcp_engine:
+            return jsonify({'status': 'error', 'message': 'TCP engine not initialized'}), 500
+        
+        connections = tcp_engine.get_connections()
+        
+        return jsonify({
+            'status': 'success',
+            'connections': connections,
+            'count': len(connections)
+        })
+    
+    except Exception as e:
+        return jsonify({
+            'status': 'error',
+            'message': str(e)
+        }), 500
+
+
+# Router endpoints
+@isp_api.route('/router/routes', methods=['GET'])
+@cross_origin()
+def get_routing_table():
+    """Get routing table"""
+    try:
+        if not virtual_router:
+            return jsonify({'status': 'error', 'message': 'Virtual router not initialized'}), 500
+        
+        routes = virtual_router.get_routing_table()
+        
+        return jsonify({
+            'status': 'success',
+            'routes': routes,
+            'count': len(routes)
+        })
+    
+    except Exception as e:
+        return jsonify({
+            'status': 'error',
+            'message': str(e)
+        }), 500
+
+
+@isp_api.route('/router/interfaces', methods=['GET'])
+@cross_origin()
+def get_router_interfaces():
+    """Get router interfaces"""
+    try:
+        if not virtual_router:
+            return jsonify({'status': 'error', 'message': 'Virtual router not initialized'}), 500
+        
+        interfaces = virtual_router.get_interfaces()
+        
+        return jsonify({
+            'status': 'success',
+            'interfaces': interfaces,
+            'count': len(interfaces)
+        })
+    
+    except Exception as e:
+        return jsonify({
+            'status': 'error',
+            'message': str(e)
+        }), 500
+
+
+@isp_api.route('/router/arp', methods=['GET'])
+@cross_origin()
+def get_arp_table():
+    """Get ARP table"""
+    try:
+        if not virtual_router:
+            return jsonify({'status': 'error', 'message': 'Virtual router not initialized'}), 500
+        
+        arp_table = virtual_router.get_arp_table()
+        
+        return jsonify({
+            'status': 'success',
+            'arp_table': arp_table,
+            'count': len(arp_table)
+        })
+    
+    except Exception as e:
+        return jsonify({
+            'status': 'error',
+            'message': str(e)
+        }), 500
+
+
+@isp_api.route('/router/stats', methods=['GET'])
+@cross_origin()
+def get_router_stats():
+    """Get router statistics"""
+    try:
+        if not virtual_router:
+            return jsonify({'status': 'error', 'message': 'Virtual router not initialized'}), 500
+        
+        stats = virtual_router.get_stats()
+        
+        return jsonify({
+            'status': 'success',
+            'stats': stats
+        })
+    
+    except Exception as e:
+        return jsonify({
+            'status': 'error',
+            'message': str(e)
+        }), 500
+
+
+# Bridge endpoints
+@isp_api.route('/bridge/clients', methods=['GET'])
+@cross_origin()
+def get_bridge_clients():
+    """Get bridge clients"""
+    try:
+        if not packet_bridge:
+            return jsonify({'status': 'error', 'message': 'Packet bridge not initialized'}), 500
+        
+        clients = packet_bridge.get_clients()
+        
+        return jsonify({
+            'status': 'success',
+            'clients': clients,
+            'count': len(clients)
+        })
+    
+    except Exception as e:
+        return jsonify({
+            'status': 'error',
+            'message': str(e)
+        }), 500
+
+
+@isp_api.route('/bridge/stats', methods=['GET'])
+@cross_origin()
+def get_bridge_stats():
+    """Get bridge statistics"""
+    try:
+        if not packet_bridge:
+            return jsonify({'status': 'error', 'message': 'Packet bridge not initialized'}), 500
+        
+        stats = packet_bridge.get_stats()
+        
+        return jsonify({
+            'status': 'success',
+            'stats': stats
+        })
+    
+    except Exception as e:
+        return jsonify({
+            'status': 'error',
+            'message': str(e)
+        }), 500
+
+
+# Session tracking endpoints
+@isp_api.route('/sessions', methods=['GET'])
+@cross_origin()
+def get_sessions():
+    """Get sessions"""
+    try:
+        if not session_tracker:
+            return jsonify({'status': 'error', 'message': 'Session tracker not initialized'}), 500
+        
+        limit = request.args.get('limit', 100, type=int)
+        offset = request.args.get('offset', 0, type=int)
+        
+        sessions = session_tracker.get_sessions(limit=limit, offset=offset)
+        
+        return jsonify({
+            'status': 'success',
+            'sessions': sessions,
+            'count': len(sessions)
+        })
+    
+    except Exception as e:
+        return jsonify({
+            'status': 'error',
+            'message': str(e)
+        }), 500
+
+
+@isp_api.route('/sessions/summary', methods=['GET'])
+@cross_origin()
+def get_session_summary():
+    """Get session summary"""
+    try:
+        if not session_tracker:
+            return jsonify({'status': 'error', 'message': 'Session tracker not initialized'}), 500
+        
+        summary = session_tracker.get_session_summary()
+        
+        return jsonify({
+            'status': 'success',
+            'summary': summary
+        })
+    
+    except Exception as e:
+        return jsonify({
+            'status': 'error',
+            'message': str(e)
+        }), 500
+
+
+# Logging endpoints
+@isp_api.route('/logs', methods=['GET'])
+@cross_origin()
+def get_logs():
+    """Get system logs"""
+    try:
+        if not logger:
+            return jsonify({'status': 'error', 'message': 'Logger not initialized'}), 500
+        
+        limit = request.args.get('limit', 100, type=int)
+        offset = request.args.get('offset', 0, type=int)
+        level = request.args.get('level')
+        category = request.args.get('category')
+        search = request.args.get('search')
+        
+        if search:
+            logs = logger.search_logs(search, limit=limit)
+        else:
+            log_filter = LogFilter()
+            if level:
+                log_filter.level_filter = LogLevel(level.upper())
+            if category:
+                log_filter.category_filter = LogCategory(category.upper())
+            
+            logs = logger.get_logs(limit=limit, offset=offset, log_filter=log_filter)
+        
+        return jsonify({
+            'status': 'success',
+            'logs': logs,
+            'count': len(logs)
+        })
+    
+    except Exception as e:
+        return jsonify({
+            'status': 'error',
+            'message': str(e)
+        }), 500
+
+
+@isp_api.route('/logs/errors', methods=['GET'])
+@cross_origin()
+def get_error_logs():
+    """Get recent error logs"""
+    try:
+        if not logger:
+            return jsonify({'status': 'error', 'message': 'Logger not initialized'}), 500
+        
+        limit = request.args.get('limit', 50, type=int)
+        errors = logger.get_recent_errors(limit=limit)
+        
+        return jsonify({
+            'status': 'success',
+            'errors': errors,
+            'count': len(errors)
+        })
+    
+    except Exception as e:
+        return jsonify({
+            'status': 'error',
+            'message': str(e)
+        }), 500
+
+
+# System status endpoints
+@isp_api.route('/status', methods=['GET'])
+@cross_origin()
+def get_system_status():
+    """Get overall system status"""
+    try:
+        status = {
+            'timestamp': time.time(),
+            'uptime': time.time() - (time.time() - 3600),  # Placeholder
+            'components': {
+                'dhcp_server': dhcp_server is not None and dhcp_server.running,
+                'nat_engine': nat_engine is not None and nat_engine.running,
+                'firewall_engine': firewall_engine is not None,
+                'tcp_engine': tcp_engine is not None and tcp_engine.running,
+                'virtual_router': virtual_router is not None,
+                'socket_translator': socket_translator is not None and socket_translator.running,
+                'packet_bridge': packet_bridge is not None and packet_bridge.running,
+                'session_tracker': session_tracker is not None and session_tracker.running,
+                'logger': logger is not None and logger.running
+            },
+            'stats': {}
+        }
+        
+        # Collect stats from each component
+        if dhcp_server:
+            status['stats']['dhcp_leases'] = len(dhcp_server.get_leases())
+        
+        if nat_engine:
+            nat_stats = nat_engine.get_stats()
+            status['stats']['nat_sessions'] = nat_stats.get('active_sessions', 0)
+        
+        if firewall_engine:
+            fw_stats = firewall_engine.get_stats()
+            status['stats']['firewall_rules'] = fw_stats.get('total_rules', 0)
+        
+        if tcp_engine:
+            tcp_connections = tcp_engine.get_connections()
+            status['stats']['tcp_connections'] = len(tcp_connections)
+        
+        if packet_bridge:
+            bridge_stats = packet_bridge.get_stats()
+            status['stats']['bridge_clients'] = bridge_stats.get('active_clients', 0)
+        
+        if session_tracker:
+            session_stats = session_tracker.get_stats()
+            status['stats']['total_sessions'] = session_stats.get('active_sessions', 0)
+        
+        return jsonify({
+            'status': 'success',
+            'system_status': status
+        })
+    
+    except Exception as e:
+        return jsonify({
+            'status': 'error',
+            'message': str(e)
+        }), 500
+
+
+@isp_api.route('/stats', methods=['GET'])
+@cross_origin()
+def get_system_stats():
+    """Get comprehensive system statistics"""
+    try:
+        stats = {
+            'timestamp': time.time(),
+            'dhcp': dhcp_server.get_leases() if dhcp_server else {},
+            'nat': nat_engine.get_stats() if nat_engine else {},
+            'firewall': firewall_engine.get_stats() if firewall_engine else {},
+            'router': virtual_router.get_stats() if virtual_router else {},
+            'bridge': packet_bridge.get_stats() if packet_bridge else {},
+            'sessions': session_tracker.get_stats() if session_tracker else {},
+            'logger': logger.get_stats() if logger else {}
+        }
+        
+        return jsonify({
+            'status': 'success',
+            'stats': stats
+        })
+    
+    except Exception as e:
+        return jsonify({
+            'status': 'error',
+            'message': str(e)
+        }), 500
+
+
+    packet_bridge.start()
+
+
+
+# OpenVPN endpoints
+@isp_api.route('/openvpn/status', methods=['GET'])
+@cross_origin()
+def get_openvpn_status():
+    """Get OpenVPN server status"""
+    try:
+        if not openvpn_manager:
+            return jsonify({
+                'status': 'error',
+                'message': 'OpenVPN manager not initialized'
+            }), 500
+        
+        status = openvpn_manager.get_server_status()
+        
+        return jsonify({
+            'status': 'success',
+            'openvpn_status': {
+                'is_running': status.is_running,
+                'connected_clients': status.connected_clients,
+                'total_bytes_received': status.total_bytes_received,
+                'total_bytes_sent': status.total_bytes_sent,
+                'uptime': status.uptime,
+                'server_ip': status.server_ip,
+                'server_port': status.server_port
+            }
+        })
+    
+    except Exception as e:
+        return jsonify({
+            'status': 'error',
+            'message': str(e)
+        }), 500
+
+
+@isp_api.route('/openvpn/start', methods=['POST'])
+@cross_origin()
+def start_openvpn_server():
+    """Start OpenVPN server"""
+    try:
+        if not openvpn_manager:
+            return jsonify({
+                'status': 'error',
+                'message': 'OpenVPN manager not initialized'
+            }), 500
+        
+        success = openvpn_manager.start_server()
+        
+        if success:
+            return jsonify({
+                'status': 'success',
+                'message': 'OpenVPN server started successfully'
+            })
+        else:
+            return jsonify({
+                'status': 'error',
+                'message': 'Failed to start OpenVPN server'
+            }), 500
+    
+    except Exception as e:
+        return jsonify({
+            'status': 'error',
+            'message': str(e)
+        }), 500
+
+
+@isp_api.route('/openvpn/stop', methods=['POST'])
+@cross_origin()
+def stop_openvpn_server():
+    """Stop OpenVPN server"""
+    try:
+        if not openvpn_manager:
+            return jsonify({
+                'status': 'error',
+                'message': 'OpenVPN manager not initialized'
+            }), 500
+        
+        success = openvpn_manager.stop_server()
+        
+        if success:
+            return jsonify({
+                'status': 'success',
+                'message': 'OpenVPN server stopped successfully'
+            })
+        else:
+            return jsonify({
+                'status': 'error',
+                'message': 'Failed to stop OpenVPN server'
+            }), 500
+    
+    except Exception as e:
+        return jsonify({
+            'status': 'error',
+            'message': str(e)
+        }), 500
+
+
+@isp_api.route('/openvpn/clients', methods=['GET'])
+@cross_origin()
+def get_openvpn_clients():
+    """Get connected OpenVPN clients"""
+    try:
+        if not openvpn_manager:
+            return jsonify({
+                'status': 'error',
+                'message': 'OpenVPN manager not initialized'
+            }), 500
+        
+        clients = openvpn_manager.get_connected_clients()
+        
+        return jsonify({
+            'status': 'success',
+            'clients': clients
+        })
+    
+    except Exception as e:
+        return jsonify({
+            'status': 'error',
+            'message': str(e)
+        }), 500
+
+
+@isp_api.route('/openvpn/clients/<client_id>/disconnect', methods=['POST'])
+@cross_origin()
+def disconnect_openvpn_client(client_id):
+    """Disconnect a specific OpenVPN client"""
+    try:
+        if not openvpn_manager:
+            return jsonify({
+                'status': 'error',
+                'message': 'OpenVPN manager not initialized'
+            }), 500
+        
+        success = openvpn_manager.disconnect_client(client_id)
+        
+        if success:
+            return jsonify({
+                'status': 'success',
+                'message': f'Client {client_id} disconnected successfully'
+            })
+        else:
+            return jsonify({
+                'status': 'error',
+                'message': f'Failed to disconnect client {client_id}'
+            }), 500
+    
+    except Exception as e:
+        return jsonify({
+            'status': 'error',
+            'message': str(e)
+        }), 500
+
+
+@isp_api.route('/openvpn/config/<client_name>', methods=['GET'])
+@cross_origin()
+def get_client_config(client_name):
+    """Generate client configuration file"""
+    try:
+        if not openvpn_manager:
+            return jsonify({
+                'status': 'error',
+                'message': 'OpenVPN manager not initialized'
+            }), 500
+        
+        # Get server IP from request or use default
+        server_ip = request.args.get('server_ip', '127.0.0.1')
+        
+        config = openvpn_manager.generate_client_config(client_name, server_ip)
+        
+        if config:
+            return Response(
+                config,
+                mimetype='text/plain',
+                headers={'Content-Disposition': f'attachment; filename={client_name}.ovpn'}
+            )
+        else:
+            return jsonify({
+                'status': 'error',
+                'message': 'Failed to generate client configuration'
+            }), 500
+    
+    except Exception as e:
+        return jsonify({
+            'status': 'error',
+            'message': str(e)
+        }), 500
+
+
+@isp_api.route('/openvpn/stats', methods=['GET'])
+@cross_origin()
+def get_openvpn_stats():
+    """Get comprehensive OpenVPN statistics"""
+    try:
+        if not openvpn_manager:
+            return jsonify({
+                'status': 'error',
+                'message': 'OpenVPN manager not initialized'
+            }), 500
+        
+        stats = openvpn_manager.get_statistics()
+        
+        return jsonify({
+            'status': 'success',
+            'openvpn_stats': stats
+        })
+    
+    except Exception as e:
+        return jsonify({
+            'status': 'error',
+            'message': str(e)
+        }), 500
+
+
+@isp_api.route('/openvpn/configs', methods=['GET'])
+@cross_origin()
+def list_client_configs():
+    """List all stored client configurations"""
+    try:
+        if not openvpn_manager:
+            return jsonify({
+                'status': 'error',
+                'message': 'OpenVPN manager not initialized'
+            }), 500
+        
+        configs = openvpn_manager.list_client_configs()
+        
+        return jsonify({
+            'status': 'success',
+            'configs': configs,
+            'count': len(configs)
+        })
+    
+    except Exception as e:
+        return jsonify({
+            'status': 'error',
+            'message': str(e)
+        }), 500
+
+
+@isp_api.route('/openvpn/configs/<client_name>', methods=['GET'])
+@cross_origin()
+def get_stored_client_config(client_name):
+    """Get stored client configuration"""
+    try:
+        if not openvpn_manager:
+            return jsonify({
+                'status': 'error',
+                'message': 'OpenVPN manager not initialized'
+            }), 500
+        
+        config_content = openvpn_manager.load_client_config(client_name)
+        
+        if config_content:
+            return Response(
+                config_content,
+                mimetype='text/plain',
+                headers={'Content-Disposition': f'attachment; filename={client_name}.ovpn'}
+            )
+        else:
+            return jsonify({
+                'status': 'error',
+                'message': f'Configuration for {client_name} not found'
+            }), 404
+    
+    except Exception as e:
+        return jsonify({
+            'status': 'error',
+            'message': str(e)
+        }), 500
+
+
+@isp_api.route('/openvpn/configs/<client_name>', methods=['DELETE'])
+@cross_origin()
+def delete_stored_client_config(client_name):
+    """Delete stored client configuration"""
+    try:
+        if not openvpn_manager:
+            return jsonify({
+                'status': 'error',
+                'message': 'OpenVPN manager not initialized'
+            }), 500
+        
+        success = openvpn_manager.delete_client_config(client_name)
+        
+        if success:
+            return jsonify({
+                'status': 'success',
+                'message': f'Configuration for {client_name} deleted successfully'
+            })
+        else:
+            return jsonify({
+                'status': 'error',
+                'message': f'Configuration for {client_name} not found'
+            }), 404
+    
+    except Exception as e:
+        return jsonify({
+            'status': 'error',
+            'message': str(e)
+        }), 500
+
+
+@isp_api.route('/openvpn/configs/<client_name>/generate', methods=['POST'])
+@cross_origin()
+def generate_and_save_client_config(client_name):
+    """Generate and save client configuration"""
+    try:
+        if not openvpn_manager:
+            return jsonify({
+                'status': 'error',
+                'message': 'OpenVPN manager not initialized'
+            }), 500
+        
+        # Get server IP from request or use default
+        server_ip = request.args.get('server_ip', '127.0.0.1')
+        
+        config_content = openvpn_manager.generate_and_save_client_config(client_name, server_ip)
+        
+        if config_content:
+            return jsonify({
+                'status': 'success',
+                'message': f'Configuration for {client_name} generated and saved successfully'
+            })
+        else:
+            return jsonify({
+                'status': 'error',
+                'message': f'Failed to generate configuration for {client_name}'
+            }), 500
+    
+    except Exception as e:
+        return jsonify({
+            'status': 'error',
+            'message': str(e)
+        }), 500
+
+

routes/user.py

@@ -0,0 +1,39 @@
+from flask import Blueprint, request, jsonify
+from models.user import User, db
+
+user_bp = Blueprint('user', __name__)
+
+@user_bp.route('/users', methods=['GET'])
+def get_users():
+    users = User.query.all()
+    return jsonify([user.to_dict() for user in users])
+
+@user_bp.route('/users', methods=['POST'])
+def create_user():
+    
+    data = request.json
+    user = User(username=data['username'], email=data['email'])
+    db.session.add(user)
+    db.session.commit()
+    return jsonify(user.to_dict()), 201
+
+@user_bp.route('/users/<int:user_id>', methods=['GET'])
+def get_user(user_id):
+    user = User.query.get_or_404(user_id)
+    return jsonify(user.to_dict())
+
+@user_bp.route('/users/<int:user_id>', methods=['PUT'])
+def update_user(user_id):
+    user = User.query.get_or_404(user_id)
+    data = request.json
+    user.username = data.get('username', user.username)
+    user.email = data.get('email', user.email)
+    db.session.commit()
+    return jsonify(user.to_dict())
+
+@user_bp.route('/users/<int:user_id>', methods=['DELETE'])
+def delete_user(user_id):
+    user = User.query.get_or_404(user_id)
+    db.session.delete(user)
+    db.session.commit()
+    return '', 204

static/app.js

@@ -0,0 +1,1095 @@
+/**
+ * Virtual ISP Stack Frontend Application
+ * Native JavaScript implementation for managing the Virtual ISP Stack
+ */
+
+class VirtualISPApp {
+    constructor() {
+        this.apiBase = '/api';
+        this.currentSection = 'dashboard';
+        this.refreshInterval = null;
+        this.charts = {};
+        
+        this.init();
+    }
+    
+    async init() {
+        this.setupEventListeners();
+        this.setupNavigation();
+        this.setupCharts();
+        await this.loadInitialData();
+        this.startAutoRefresh();
+        
+        // Hide loading overlay
+        this.hideLoading();
+        
+        console.log('Virtual ISP Stack App initialized');
+    }
+    
+    setupEventListeners() {
+        // Navigation
+        document.querySelectorAll('.nav-item').forEach(item => {
+            item.addEventListener('click', (e) => {
+                const section = e.currentTarget.dataset.section;
+                this.navigateToSection(section);
+            });
+        });
+        
+        // Tab buttons
+        document.querySelectorAll('.tab-btn').forEach(btn => {
+            btn.addEventListener('click', (e) => {
+                const tab = e.currentTarget.dataset.tab;
+                this.switchTab(tab);
+            });
+        });
+        
+        // Modal close buttons
+        document.querySelectorAll('.close').forEach(btn => {
+            btn.addEventListener('click', (e) => {
+                const modal = e.currentTarget.closest('.modal');
+                this.closeModal(modal.id);
+            });
+        });
+        
+        // Click outside modal to close
+        document.querySelectorAll('.modal').forEach(modal => {
+            modal.addEventListener('click', (e) => {
+                if (e.target === modal) {
+                    this.closeModal(modal.id);
+                }
+            });
+        });
+        
+        // Form submissions
+        document.getElementById('addRuleForm')?.addEventListener('submit', (e) => {
+            e.preventDefault();
+            this.addFirewallRule();
+        });
+    }
+    
+    setupNavigation() {
+        // Set initial active section
+        this.navigateToSection('dashboard');
+    }
+    
+    navigateToSection(section) {
+        // Update navigation
+        document.querySelectorAll('.nav-item').forEach(item => {
+            item.classList.remove('active');
+        });
+        document.querySelector(`[data-section="${section}"]`).classList.add('active');
+        
+        // Update content
+        document.querySelectorAll('.content-section').forEach(sec => {
+            sec.classList.remove('active');
+        });
+        document.getElementById(section).classList.add('active');
+        
+        this.currentSection = section;
+        
+        // Load section-specific data
+        this.loadSectionData(section);
+    }
+    
+    switchTab(tab) {
+        const container = event.target.closest('.router-tabs');
+        
+        // Update tab buttons
+        container.querySelectorAll('.tab-btn').forEach(btn => {
+            btn.classList.remove('active');
+        });
+        event.target.classList.add('active');
+        
+        // Update tab content
+        container.querySelectorAll('.tab-pane').forEach(pane => {
+            pane.classList.remove('active');
+        });
+        container.querySelector(`#${tab}`).classList.add('active');
+        
+        // Load tab-specific data
+        this.loadTabData(tab);
+    }
+    
+    async loadInitialData() {
+        try {
+            await Promise.all([
+                this.loadSystemStatus(),
+                this.loadDashboardData(),
+                this.loadConfiguration()
+            ]);
+        } catch (error) {
+            console.error('Error loading initial data:', error);
+            this.showToast('Error loading initial data', 'error');
+        }
+    }
+    
+    async loadSectionData(section) {
+        try {
+            switch (section) {
+                case 'dashboard':
+                    await this.loadDashboardData();
+                    break;
+                case 'dhcp':
+                    await this.loadDHCPData();
+                    break;
+                case 'nat':
+                    await this.loadNATData();
+                    break;
+                case 'firewall':
+                    await this.loadFirewallData();
+                    break;
+                case 'router':
+                    await this.loadRouterData();
+                    break;
+                case 'bridge':
+                    await this.loadBridgeData();
+                    break;
+                case 'sessions':
+                    await this.loadSessionsData();
+                    break;
+                case 'logs':
+                    await this.loadLogsData();
+                    break;
+                case 'config':
+                    await this.loadConfiguration();
+                    break;
+            }
+        } catch (error) {
+            console.error(`Error loading ${section} data:`, error);
+            this.showToast(`Error loading ${section} data`, 'error');
+        }
+    }
+    
+    async loadTabData(tab) {
+        try {
+            switch (tab) {
+                case 'routes':
+                    await this.loadRoutingTable();
+                    break;
+                case 'interfaces':
+                    await this.loadInterfaces();
+                    break;
+                case 'arp':
+                    await this.loadARPTable();
+                    break;
+            }
+        } catch (error) {
+            console.error(`Error loading ${tab} data:`, error);
+        }
+    }
+    
+    // API Methods
+    async apiCall(endpoint, options = {}) {
+        const url = `${this.apiBase}${endpoint}`;
+        const defaultOptions = {
+            headers: {
+                'Content-Type': 'application/json',
+            },
+        };
+        
+        const response = await fetch(url, { ...defaultOptions, ...options });
+        
+        if (!response.ok) {
+            throw new Error(`API call failed: ${response.status} ${response.statusText}`);
+        }
+        
+        return await response.json();
+    }
+    
+    // System Status
+    async loadSystemStatus() {
+        try {
+            const response = await this.apiCall('/status');
+            this.updateSystemStatus(response.system_status);
+        } catch (error) {
+            console.error('Error loading system status:', error);
+            this.updateSystemStatusOffline();
+        }
+    }
+    
+    updateSystemStatus(status) {
+        const indicator = document.getElementById('systemStatus');
+        const components = status.components;
+        
+        // Update header status
+        const allOnline = Object.values(components).every(c => c === true);
+        indicator.className = `status-indicator ${allOnline ? 'online' : 'offline'}`;
+        indicator.querySelector('span').textContent = allOnline ? 'All Systems Online' : 'System Issues';
+        
+        // Update component status
+        this.updateComponentStatus(components);
+    }
+    
+    updateSystemStatusOffline() {
+        const indicator = document.getElementById('systemStatus');
+        indicator.className = 'status-indicator offline';
+        indicator.querySelector('span').textContent = 'System Offline';
+    }
+    
+    updateComponentStatus(components) {
+        const container = document.getElementById('componentStatus');
+        container.innerHTML = '';
+        
+        Object.entries(components).forEach(([name, status]) => {
+            const item = document.createElement('div');
+            item.className = `component-item ${status ? 'online' : 'offline'}`;
+            item.innerHTML = `
+                <span class="component-name">${this.formatComponentName(name)}</span>
+                <span class="component-status-badge ${status ? 'online' : 'offline'}">
+                    ${status ? 'Online' : 'Offline'}
+                </span>
+            `;
+            container.appendChild(item);
+        });
+    }
+    
+    formatComponentName(name) {
+        return name.replace(/_/g, ' ').replace(/\b\w/g, l => l.toUpperCase());
+    }
+    
+    // Dashboard Data
+    async loadDashboardData() {
+        try {
+            const [statusResponse, statsResponse] = await Promise.all([
+                this.apiCall('/status'),
+                this.apiCall('/stats')
+            ]);
+            
+            this.updateDashboardStats(statusResponse.system_status.stats);
+            this.updateCharts(statsResponse.stats);
+        } catch (error) {
+            console.error('Error loading dashboard data:', error);
+        }
+    }
+    
+    updateDashboardStats(stats) {
+        document.getElementById('dhcpLeaseCount').textContent = stats.dhcp_leases || 0;
+        document.getElementById('natSessionCount').textContent = stats.nat_sessions || 0;
+        document.getElementById('firewallRuleCount').textContent = stats.firewall_rules || 0;
+        document.getElementById('bridgeClientCount').textContent = stats.bridge_clients || 0;
+    }
+    
+    // DHCP Data
+    async loadDHCPData() {
+        try {
+            const response = await this.apiCall('/dhcp/leases');
+            this.updateDHCPTable(response.leases);
+        } catch (error) {
+            console.error('Error loading DHCP data:', error);
+            this.updateDHCPTable([]);
+        }
+    }
+    
+    updateDHCPTable(leases) {
+        const tbody = document.getElementById('dhcpTableBody');
+        tbody.innerHTML = '';
+        
+        leases.forEach(lease => {
+            const row = document.createElement('tr');
+            const remaining = Math.max(0, lease.lease_time - (Date.now() / 1000 - lease.lease_start));
+            
+            row.innerHTML = `
+                <td>${lease.mac_address}</td>
+                <td>${lease.ip_address}</td>
+                <td>${this.formatDuration(lease.lease_time)}</td>
+                <td>${this.formatDuration(remaining)}</td>
+                <td><span class="status-badge status-${lease.state.toLowerCase()}">${lease.state}</span></td>
+                <td>
+                    <button class="btn btn-danger btn-sm" onclick="app.releaseDHCPLease('${lease.mac_address}')">
+                        <i class="fas fa-times"></i> Release
+                    </button>
+                </td>
+            `;
+            tbody.appendChild(row);
+        });
+    }
+    
+    async releaseDHCPLease(macAddress) {
+        try {
+            await this.apiCall(`/dhcp/leases/${macAddress}`, { method: 'DELETE' });
+            this.showToast('DHCP lease released successfully', 'success');
+            await this.loadDHCPData();
+        } catch (error) {
+            console.error('Error releasing DHCP lease:', error);
+            this.showToast('Error releasing DHCP lease', 'error');
+        }
+    }
+    
+    // NAT Data
+    async loadNATData() {
+        try {
+            const [sessionsResponse, statsResponse] = await Promise.all([
+                this.apiCall('/nat/sessions'),
+                this.apiCall('/nat/stats')
+            ]);
+            
+            this.updateNATStats(statsResponse.stats);
+            this.updateNATTable(sessionsResponse.sessions);
+        } catch (error) {
+            console.error('Error loading NAT data:', error);
+            this.updateNATStats({});
+            this.updateNATTable([]);
+        }
+    }
+    
+    updateNATStats(stats) {
+        document.getElementById('natActiveSessions').textContent = stats.active_sessions || 0;
+        document.getElementById('natPortUtilization').textContent = 
+            `${Math.round((stats.ports_used / stats.total_ports) * 100) || 0}%`;
+        document.getElementById('natBytesTranslated').textContent = 
+            this.formatBytes(stats.bytes_translated || 0);
+    }
+    
+    updateNATTable(sessions) {
+        const tbody = document.getElementById('natTableBody');
+        tbody.innerHTML = '';
+        
+        sessions.forEach(session => {
+            const row = document.createElement('tr');
+            row.innerHTML = `
+                <td>${session.virtual_ip}:${session.virtual_port}</td>
+                <td>${session.real_ip}:${session.real_port}</td>
+                <td>${session.host_ip}:${session.host_port}</td>
+                <td>${session.protocol}</td>
+                <td>${this.formatDuration(session.duration)}</td>
+                <td>${this.formatBytes(session.bytes_in)} / ${this.formatBytes(session.bytes_out)}</td>
+                <td>
+                    <button class="btn btn-danger btn-sm" onclick="app.closeNATSession('${session.session_id}')">
+                        <i class="fas fa-times"></i> Close
+                    </button>
+                </td>
+            `;
+            tbody.appendChild(row);
+        });
+    }
+    
+    // Firewall Data
+    async loadFirewallData() {
+        try {
+            const [rulesResponse, logsResponse, statsResponse] = await Promise.all([
+                this.apiCall('/firewall/rules'),
+                this.apiCall('/firewall/logs?limit=50'),
+                this.apiCall('/firewall/stats')
+            ]);
+            
+            this.updateFirewallTable(rulesResponse.rules);
+        } catch (error) {
+            console.error('Error loading firewall data:', error);
+            this.updateFirewallTable([]);
+        }
+    }
+    
+    updateFirewallTable(rules) {
+        const tbody = document.getElementById('firewallTableBody');
+        tbody.innerHTML = '';
+        
+        rules.forEach(rule => {
+            const row = document.createElement('tr');
+            row.innerHTML = `
+                <td>${rule.priority}</td>
+                <td>${rule.rule_id}</td>
+                <td><span class="status-badge status-${rule.action.toLowerCase()}">${rule.action}</span></td>
+                <td>${rule.direction}</td>
+                <td>${rule.source_ip || 'Any'}${rule.source_port ? ':' + rule.source_port : ''}</td>
+                <td>${rule.dest_ip || 'Any'}${rule.dest_port ? ':' + rule.dest_port : ''}</td>
+                <td>${rule.protocol || 'Any'}</td>
+                <td>${rule.hit_count || 0}</td>
+                <td><span class="status-badge status-${rule.enabled ? 'active' : 'inactive'}">${rule.enabled ? 'Enabled' : 'Disabled'}</span></td>
+                <td>
+                    <button class="btn btn-danger btn-sm" onclick="app.deleteFirewallRule('${rule.rule_id}')">
+                        <i class="fas fa-trash"></i> Delete
+                    </button>
+                </td>
+            `;
+            tbody.appendChild(row);
+        });
+    }
+    
+    async deleteFirewallRule(ruleId) {
+        try {
+            await this.apiCall(`/firewall/rules/${ruleId}`, { method: 'DELETE' });
+            this.showToast('Firewall rule deleted successfully', 'success');
+            await this.loadFirewallData();
+        } catch (error) {
+            console.error('Error deleting firewall rule:', error);
+            this.showToast('Error deleting firewall rule', 'error');
+        }
+    }
+    
+    // Router Data
+    async loadRouterData() {
+        await Promise.all([
+            this.loadRoutingTable(),
+            this.loadInterfaces(),
+            this.loadARPTable()
+        ]);
+    }
+    
+    async loadRoutingTable() {
+        try {
+            const response = await this.apiCall('/router/routes');
+            this.updateRoutingTable(response.routes);
+        } catch (error) {
+            console.error('Error loading routing table:', error);
+            this.updateRoutingTable([]);
+        }
+    }
+    
+    updateRoutingTable(routes) {
+        const tbody = document.getElementById('routesTableBody');
+        tbody.innerHTML = '';
+        
+        routes.forEach(route => {
+            const row = document.createElement('tr');
+            row.innerHTML = `
+                <td>${route.destination}</td>
+                <td>${route.gateway || 'Direct'}</td>
+                <td>${route.interface}</td>
+                <td>${route.metric}</td>
+                <td>${route.type}</td>
+                <td>${route.use_count || 0}</td>
+                <td>${route.last_used ? new Date(route.last_used * 1000).toLocaleString() : 'Never'}</td>
+            `;
+            tbody.appendChild(row);
+        });
+    }
+    
+    async loadInterfaces() {
+        try {
+            const response = await this.apiCall('/router/interfaces');
+            this.updateInterfacesTable(response.interfaces);
+        } catch (error) {
+            console.error('Error loading interfaces:', error);
+            this.updateInterfacesTable([]);
+        }
+    }
+    
+    updateInterfacesTable(interfaces) {
+        const tbody = document.getElementById('interfacesTableBody');
+        tbody.innerHTML = '';
+        
+        interfaces.forEach(iface => {
+            const row = document.createElement('tr');
+            row.innerHTML = `
+                <td>${iface.name}</td>
+                <td>${iface.ip_address}</td>
+                <td>${iface.network}</td>
+                <td>${iface.mtu}</td>
+                <td><span class="status-badge status-${iface.enabled ? 'active' : 'inactive'}">${iface.enabled ? 'Up' : 'Down'}</span></td>
+                <td>
+                    <button class="btn btn-secondary btn-sm">
+                        <i class="fas fa-cog"></i> Configure
+                    </button>
+                </td>
+            `;
+            tbody.appendChild(row);
+        });
+    }
+    
+    async loadARPTable() {
+        try {
+            const response = await this.apiCall('/router/arp');
+            this.updateARPTable(response.arp_table);
+        } catch (error) {
+            console.error('Error loading ARP table:', error);
+            this.updateARPTable([]);
+        }
+    }
+    
+    updateARPTable(arpEntries) {
+        const tbody = document.getElementById('arpTableBody');
+        tbody.innerHTML = '';
+        
+        arpEntries.forEach(entry => {
+            const row = document.createElement('tr');
+            row.innerHTML = `
+                <td>${entry.ip_address}</td>
+                <td>${entry.mac_address}</td>
+                <td>
+                    <button class="btn btn-danger btn-sm">
+                        <i class="fas fa-trash"></i> Clear
+                    </button>
+                </td>
+            `;
+            tbody.appendChild(row);
+        });
+    }
+    
+    // Bridge Data
+    async loadBridgeData() {
+        try {
+            const [clientsResponse, statsResponse] = await Promise.all([
+                this.apiCall('/bridge/clients'),
+                this.apiCall('/bridge/stats')
+            ]);
+            
+            this.updateBridgeTable(clientsResponse.clients);
+        } catch (error) {
+            console.error('Error loading bridge data:', error);
+            this.updateBridgeTable({});
+        }
+    }
+    
+    updateBridgeTable(clients) {
+        const tbody = document.getElementById('bridgeTableBody');
+        tbody.innerHTML = '';
+        
+        Object.values(clients).forEach(client => {
+            const row = document.createElement('tr');
+            row.innerHTML = `
+                <td>${client.client_id}</td>
+                <td>${client.bridge_type}</td>
+                <td>${client.remote_address}:${client.remote_port}</td>
+                <td>${new Date(client.connected_time * 1000).toLocaleString()}</td>
+                <td>${client.packets_received} / ${client.packets_sent}</td>
+                <td>${this.formatBytes(client.bytes_received)} / ${this.formatBytes(client.bytes_sent)}</td>
+                <td>
+                    <button class="btn btn-danger btn-sm" onclick="app.disconnectBridgeClient('${client.client_id}')">
+                        <i class="fas fa-times"></i> Disconnect
+                    </button>
+                </td>
+            `;
+            tbody.appendChild(row);
+        });
+    }
+    
+    // Sessions Data
+    async loadSessionsData() {
+        try {
+            const [sessionsResponse, summaryResponse] = await Promise.all([
+                this.apiCall('/sessions?limit=100'),
+                this.apiCall('/sessions/summary')
+            ]);
+            
+            this.updateSessionSummary(summaryResponse.summary);
+            this.updateSessionsTable(sessionsResponse.sessions);
+        } catch (error) {
+            console.error('Error loading sessions data:', error);
+            this.updateSessionSummary({});
+            this.updateSessionsTable([]);
+        }
+    }
+    
+    updateSessionSummary(summary) {
+        const container = document.getElementById('sessionSummary');
+        container.innerHTML = `
+            <h3>Session Summary</h3>
+            <div class="stat-row">
+                <div class="stat-item">
+                    <span class="stat-label">Total Sessions</span>
+                    <span class="stat-value">${summary.total_sessions || 0}</span>
+                </div>
+                <div class="stat-item">
+                    <span class="stat-label">Active (Last Hour)</span>
+                    <span class="stat-value">${summary.active_sessions_by_age?.last_hour || 0}</span>
+                </div>
+                <div class="stat-item">
+                    <span class="stat-label">Active (Last Day)</span>
+                    <span class="stat-value">${summary.active_sessions_by_age?.last_day || 0}</span>
+                </div>
+            </div>
+        `;
+    }
+    
+    updateSessionsTable(sessions) {
+        const tbody = document.getElementById('sessionsTableBody');
+        tbody.innerHTML = '';
+        
+        sessions.forEach(session => {
+            const row = document.createElement('tr');
+            row.innerHTML = `
+                <td>${session.session_id.substring(0, 8)}...</td>
+                <td>${session.session_type}</td>
+                <td><span class="status-badge status-${session.state.toLowerCase()}">${session.state}</span></td>
+                <td>${session.virtual_ip || '-'}${session.virtual_port ? ':' + session.virtual_port : ''}</td>
+                <td>${session.real_ip || '-'}${session.real_port ? ':' + session.real_port : ''}</td>
+                <td>${session.protocol || '-'}</td>
+                <td>${this.formatDuration(session.duration)}</td>
+                <td>${this.formatDuration(session.idle_time)}</td>
+                <td>${this.formatBytes(session.metrics.total_bytes)}</td>
+            `;
+            tbody.appendChild(row);
+        });
+    }
+    
+    // Logs Data
+    async loadLogsData() {
+        try {
+            const response = await this.apiCall('/logs?limit=100');
+            this.updateLogsContainer(response.logs);
+        } catch (error) {
+            console.error('Error loading logs data:', error);
+            this.updateLogsContainer([]);
+        }
+    }
+    
+    updateLogsContainer(logs) {
+        const container = document.getElementById('logContainer');
+        container.innerHTML = '';
+        
+        logs.forEach(log => {
+            const entry = document.createElement('div');
+            entry.className = 'log-entry';
+            entry.innerHTML = `
+                <div class="log-level ${log.level}">${log.level}</div>
+                <div class="log-content">
+                    <div class="log-timestamp">${new Date(log.timestamp * 1000).toLocaleString()}</div>
+                    <div class="log-message">${log.message}</div>
+                    ${log.metadata && Object.keys(log.metadata).length > 0 ? 
+                        `<div class="log-metadata">${JSON.stringify(log.metadata)}</div>` : ''}
+                </div>
+            `;
+            container.appendChild(entry);
+        });
+    }
+    
+    // Configuration
+    async loadConfiguration() {
+        try {
+            const response = await this.apiCall('/config');
+            this.updateConfigurationForms(response.config);
+        } catch (error) {
+            console.error('Error loading configuration:', error);
+        }
+    }
+    
+    updateConfigurationForms(config) {
+        // DHCP Configuration
+        const dhcpConfig = document.getElementById('dhcpConfig');
+        dhcpConfig.innerHTML = `
+            <div class="form-group">
+                <label>Network:</label>
+                <input type="text" value="${config.dhcp?.network || ''}" name="dhcp_network">
+            </div>
+            <div class="form-group">
+                <label>Range Start:</label>
+                <input type="text" value="${config.dhcp?.range_start || ''}" name="dhcp_range_start">
+            </div>
+            <div class="form-group">
+                <label>Range End:</label>
+                <input type="text" value="${config.dhcp?.range_end || ''}" name="dhcp_range_end">
+            </div>
+            <div class="form-group">
+                <label>Lease Time (seconds):</label>
+                <input type="number" value="${config.dhcp?.lease_time || 3600}" name="dhcp_lease_time">
+            </div>
+        `;
+        
+        // NAT Configuration
+        const natConfig = document.getElementById('natConfig');
+        natConfig.innerHTML = `
+            <div class="form-group">
+                <label>Port Range Start:</label>
+                <input type="number" value="${config.nat?.port_range_start || 10000}" name="nat_port_start">
+            </div>
+            <div class="form-group">
+                <label>Port Range End:</label>
+                <input type="number" value="${config.nat?.port_range_end || 65535}" name="nat_port_end">
+            </div>
+            <div class="form-group">
+                <label>Session Timeout (seconds):</label>
+                <input type="number" value="${config.nat?.session_timeout || 300}" name="nat_timeout">
+            </div>
+        `;
+        
+        // Firewall Configuration
+        const firewallConfig = document.getElementById('firewallConfig');
+        firewallConfig.innerHTML = `
+            <div class="form-group">
+                <label>Default Policy:</label>
+                <select name="firewall_default_policy">
+                    <option value="ACCEPT" ${config.firewall?.default_policy === 'ACCEPT' ? 'selected' : ''}>Accept</option>
+                    <option value="DROP" ${config.firewall?.default_policy === 'DROP' ? 'selected' : ''}>Drop</option>
+                </select>
+            </div>
+            <div class="form-group">
+                <label>Log Blocked:</label>
+                <select name="firewall_log_blocked">
+                    <option value="true" ${config.firewall?.log_blocked ? 'selected' : ''}>Yes</option>
+                    <option value="false" ${!config.firewall?.log_blocked ? 'selected' : ''}>No</option>
+                </select>
+            </div>
+        `;
+    }
+    
+    // Charts
+    setupCharts() {
+        // Traffic Chart
+        const trafficCtx = document.getElementById('trafficChart');
+        if (trafficCtx) {
+            this.charts.traffic = new Chart(trafficCtx, {
+                type: 'line',
+                data: {
+                    labels: [],
+                    datasets: [{
+                        label: 'Bytes In',
+                        data: [],
+                        borderColor: '#4facfe',
+                        backgroundColor: 'rgba(79, 172, 254, 0.1)',
+                        tension: 0.4
+                    }, {
+                        label: 'Bytes Out',
+                        data: [],
+                        borderColor: '#00f2fe',
+                        backgroundColor: 'rgba(0, 242, 254, 0.1)',
+                        tension: 0.4
+                    }]
+                },
+                options: {
+                    responsive: true,
+                    maintainAspectRatio: false,
+                    scales: {
+                        y: {
+                            beginAtZero: true
+                        }
+                    }
+                }
+            });
+        }
+        
+        // Connection Chart
+        const connectionCtx = document.getElementById('connectionChart');
+        if (connectionCtx) {
+            this.charts.connection = new Chart(connectionCtx, {
+                type: 'doughnut',
+                data: {
+                    labels: ['DHCP', 'NAT', 'TCP', 'Bridge'],
+                    datasets: [{
+                        data: [0, 0, 0, 0],
+                        backgroundColor: [
+                            '#4facfe',
+                            '#00f2fe',
+                            '#51cf66',
+                            '#ff6b6b'
+                        ]
+                    }]
+                },
+                options: {
+                    responsive: true,
+                    maintainAspectRatio: false
+                }
+            });
+        }
+    }
+    
+    updateCharts(stats) {
+        // Update traffic chart with sample data
+        if (this.charts.traffic) {
+            const now = new Date();
+            const labels = this.charts.traffic.data.labels;
+            const bytesIn = this.charts.traffic.data.datasets[0].data;
+            const bytesOut = this.charts.traffic.data.datasets[1].data;
+            
+            labels.push(now.toLocaleTimeString());
+            bytesIn.push(Math.random() * 1000000);
+            bytesOut.push(Math.random() * 800000);
+            
+            // Keep only last 10 data points
+            if (labels.length > 10) {
+                labels.shift();
+                bytesIn.shift();
+                bytesOut.shift();
+            }
+            
+            this.charts.traffic.update();
+        }
+        
+        // Update connection chart
+        if (this.charts.connection && stats) {
+            this.charts.connection.data.datasets[0].data = [
+                Object.keys(stats.dhcp || {}).length,
+                stats.nat?.active_sessions || 0,
+                Object.keys(stats.tcp || {}).length,
+                stats.bridge?.active_clients || 0
+            ];
+            this.charts.connection.update();
+        }
+    }
+    
+    // Modal Management
+    showModal(modalId) {
+        document.getElementById(modalId).style.display = 'block';
+    }
+    
+    closeModal(modalId) {
+        document.getElementById(modalId).style.display = 'none';
+    }
+    
+    showAddRuleModal() {
+        this.showModal('addRuleModal');
+    }
+    
+    async addFirewallRule() {
+        try {
+            const form = document.getElementById('addRuleForm');
+            const formData = new FormData(form);
+            const ruleData = Object.fromEntries(formData.entries());
+            
+            await this.apiCall('/firewall/rules', {
+                method: 'POST',
+                body: JSON.stringify(ruleData)
+            });
+            
+            this.showToast('Firewall rule added successfully', 'success');
+            this.closeModal('addRuleModal');
+            form.reset();
+            await this.loadFirewallData();
+        } catch (error) {
+            console.error('Error adding firewall rule:', error);
+            this.showToast('Error adding firewall rule', 'error');
+        }
+    }
+    
+    // Configuration Management
+    async saveConfiguration() {
+        try {
+            const configData = this.collectConfigurationData();
+            await this.apiCall('/config', {
+                method: 'POST',
+                body: JSON.stringify(configData)
+            });
+            
+            this.showToast('Configuration saved successfully', 'success');
+        } catch (error) {
+            console.error('Error saving configuration:', error);
+            this.showToast('Error saving configuration', 'error');
+        }
+    }
+    
+    collectConfigurationData() {
+        const config = {};
+        
+        // Collect DHCP config
+        const dhcpInputs = document.querySelectorAll('#dhcpConfig input, #dhcpConfig select');
+        config.dhcp = {};
+        dhcpInputs.forEach(input => {
+            const key = input.name.replace('dhcp_', '');
+            config.dhcp[key] = input.type === 'number' ? parseInt(input.value) : input.value;
+        });
+        
+        // Collect NAT config
+        const natInputs = document.querySelectorAll('#natConfig input, #natConfig select');
+        config.nat = {};
+        natInputs.forEach(input => {
+            const key = input.name.replace('nat_', '');
+            config.nat[key] = input.type === 'number' ? parseInt(input.value) : input.value;
+        });
+        
+        // Collect Firewall config
+        const firewallInputs = document.querySelectorAll('#firewallConfig input, #firewallConfig select');
+        config.firewall = {};
+        firewallInputs.forEach(input => {
+            const key = input.name.replace('firewall_', '');
+            config.firewall[key] = input.type === 'checkbox' ? input.checked : input.value;
+        });
+        
+        return config;
+    }
+    
+    // Utility Functions
+    formatBytes(bytes) {
+        if (bytes === 0) return '0 B';
+        const k = 1024;
+        const sizes = ['B', 'KB', 'MB', 'GB', 'TB'];
+        const i = Math.floor(Math.log(bytes) / Math.log(k));
+        return parseFloat((bytes / Math.pow(k, i)).toFixed(2)) + ' ' + sizes[i];
+    }
+    
+    formatDuration(seconds) {
+        if (seconds < 60) return `${Math.round(seconds)}s`;
+        if (seconds < 3600) return `${Math.round(seconds / 60)}m`;
+        if (seconds < 86400) return `${Math.round(seconds / 3600)}h`;
+        return `${Math.round(seconds / 86400)}d`;
+    }
+    
+    // Loading Management
+    showLoading() {
+        document.getElementById('loadingOverlay').style.display = 'block';
+    }
+    
+    hideLoading() {
+        document.getElementById('loadingOverlay').style.display = 'none';
+    }
+    
+    // Toast Notifications
+    showToast(message, type = 'info') {
+        const container = document.getElementById('toastContainer');
+        const toast = document.createElement('div');
+        toast.className = `toast ${type}`;
+        toast.textContent = message;
+        
+        container.appendChild(toast);
+        
+        // Auto remove after 5 seconds
+        setTimeout(() => {
+            toast.remove();
+        }, 5000);
+    }
+    
+    // Auto Refresh
+    startAutoRefresh() {
+        this.refreshInterval = setInterval(async () => {
+            if (this.currentSection === 'dashboard') {
+                await this.loadSystemStatus();
+                await this.loadDashboardData();
+            }
+        }, 30000); // Refresh every 30 seconds
+    }
+    
+    stopAutoRefresh() {
+        if (this.refreshInterval) {
+            clearInterval(this.refreshInterval);
+            this.refreshInterval = null;
+        }
+    }
+    
+    // Manual Refresh Functions
+    async refreshData() {
+        this.showLoading();
+        try {
+            await this.loadSectionData(this.currentSection);
+            this.showToast('Data refreshed successfully', 'success');
+        } catch (error) {
+            this.showToast('Error refreshing data', 'error');
+        } finally {
+            this.hideLoading();
+        }
+    }
+    
+    async refreshDHCPLeases() {
+        await this.loadDHCPData();
+        this.showToast('DHCP leases refreshed', 'info');
+    }
+    
+    async refreshNATSessions() {
+        await this.loadNATData();
+        this.showToast('NAT sessions refreshed', 'info');
+    }
+    
+    async refreshFirewallRules() {
+        await this.loadFirewallData();
+        this.showToast('Firewall rules refreshed', 'info');
+    }
+    
+    async refreshBridgeClients() {
+        await this.loadBridgeData();
+        this.showToast('Bridge clients refreshed', 'info');
+    }
+    
+    async refreshSessions() {
+        await this.loadSessionsData();
+        this.showToast('Sessions refreshed', 'info');
+    }
+    
+    async refreshLogs() {
+        await this.loadLogsData();
+        this.showToast('Logs refreshed', 'info');
+    }
+    
+    // Filter Functions
+    filterSessions() {
+        // Implementation for session filtering
+        const filter = document.getElementById('sessionTypeFilter').value;
+        // Apply filter logic here
+    }
+    
+    filterLogs() {
+        // Implementation for log filtering
+        const levelFilter = document.getElementById('logLevelFilter').value;
+        const categoryFilter = document.getElementById('logCategoryFilter').value;
+        // Apply filter logic here
+    }
+    
+    searchLogs() {
+        // Implementation for log searching
+        const searchTerm = document.getElementById('logSearchInput').value;
+        // Apply search logic here
+    }
+    
+    clearLogs() {
+        if (confirm('Are you sure you want to clear all logs?')) {
+            document.getElementById('logContainer').innerHTML = '';
+            this.showToast('Logs cleared', 'info');
+        }
+    }
+    
+    resetConfiguration() {
+        if (confirm('Are you sure you want to reset configuration to defaults?')) {
+            this.loadConfiguration();
+            this.showToast('Configuration reset to defaults', 'info');
+        }
+    }
+}
+
+// Global Functions (for onclick handlers)
+let app;
+
+function refreshData() {
+    app.refreshData();
+}
+
+function showAddRuleModal() {
+    app.showAddRuleModal();
+}
+
+function closeModal(modalId) {
+    app.closeModal(modalId);
+}
+
+function addFirewallRule() {
+    app.addFirewallRule();
+}
+
+function saveConfiguration() {
+    app.saveConfiguration();
+}
+
+function resetConfiguration() {
+    app.resetConfiguration();
+}
+
+function refreshDHCPLeases() {
+    app.refreshDHCPLeases();
+}
+
+function refreshNATSessions() {
+    app.refreshNATSessions();
+}
+
+function refreshFirewallRules() {
+    app.refreshFirewallRules();
+}
+
+function refreshBridgeClients() {
+    app.refreshBridgeClients();
+}
+
+function refreshSessions() {
+    app.refreshSessions();
+}
+
+function refreshLogs() {
+    app.refreshLogs();
+}
+
+function filterSessions() {
+    app.filterSessions();
+}
+
+function filterLogs() {
+    app.filterLogs();
+}
+
+function searchLogs() {
+    app.searchLogs();
+}
+
+function clearLogs() {
+    app.clearLogs();
+}
+
+// Initialize App
+document.addEventListener('DOMContentLoaded', () => {
+    app = new VirtualISPApp();
+});
+