Upload 73 files

Dockerfile

@@ -0,0 +1,52 @@
+# Virtual ISP Stack with OpenVPN Integration
+# Dockerfile for containerized deployment
+
+FROM python:3.11-slim
+
+# Set working directory
+WORKDIR /app
+
+# Install system dependencies
+RUN apt-get update && apt-get install -y \
+    openvpn \
+    iptables \
+    iproute2 \
+    net-tools \
+    procps \
+    build-essential \
+    python3-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY openvpn/server.conf /etc/openvpn/server/server.conf
+COPY openvpn/ca.crt /etc/openvpn/server/ca.crt
+COPY openvpn/server.crt /etc/openvpn/server/server.crt
+COPY openvpn/server.key /etc/openvpn/server/server.key
+COPY openvpn/dh.pem /etc/openvpn/server/dh.pem
+
+# Copy requirements and install Python dependencies
+COPY requirements.txt .
+RUN pip install --no-cache-dir -r requirements.txt
+
+# Copy application files
+COPY . .
+
+# Create necessary directories
+RUN mkdir -p /tmp/vpn_client_configs \
+    && mkdir -p /var/log/openvpn \
+    && mkdir -p database
+
+# Set environment variables
+ENV FLASK_APP=app.py
+ENV FLASK_ENV=production
+ENV PORT=7860
+
+# Expose port
+EXPOSE 7860
+
+# Health check
+HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
+    CMD curl -f http://localhost:7860/health || exit 1
+
+# Run the application
+CMD ["python", "app.py"]
+

app.py

@@ -0,0 +1,213 @@
+#!/usr/bin/env python3
+"""
+Virtual ISP Stack with OpenVPN Integration
+HuggingFace Spaces Entry Point
+
+This application provides a complete Virtual ISP stack with OpenVPN server integration,
+allowing users to manage VPN connections, generate client configurations, and monitor
+network traffic through a RESTful API.
+"""
+
+import os
+import sys
+import logging
+
+# Add current directory to Python path
+sys.path.insert(0, os.path.dirname(__file__))
+
+from flask import Flask, send_from_directory, jsonify
+from flask_cors import CORS
+from models.enhanced_user import db
+from routes.auth import auth_bp
+from routes.vpn_client import vpn_client_bp
+from routes.vpn_server import vpn_server_bp
+from routes.isp_api import init_engines, isp_api
+
+# Configure logging
+logging.basicConfig(
+    level=logging.INFO,
+    format='%(asctime)s - %(name)s - %(levelname)s - %(message)s'
+)
+logger = logging.getLogger(__name__)
+
+# Create Flask application
+app = Flask(__name__, static_folder=os.path.join(os.path.dirname(__file__), 'static'))
+
+# Enable CORS for all routes
+CORS(app, origins="*")
+
+# Configuration
+app.config['SECRET_KEY'] = os.environ.get('SECRET_KEY', 'vpn-isp-stack-secret-key-change-in-production')
+
+# Database configuration
+database_path = os.path.join(os.path.dirname(__file__), 'database', 'app.db')
+app.config['SQLALCHEMY_DATABASE_URI'] = f"sqlite:///{database_path}"
+app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
+
+# Initialize database
+db.init_app(app)
+
+# Register blueprints
+app.register_blueprint(auth_bp, url_prefix='/api')
+app.register_blueprint(vpn_client_bp, url_prefix='/api')
+app.register_blueprint(vpn_server_bp, url_prefix='/api')
+app.register_blueprint(isp_api, url_prefix='/api')
+
+# Engine configuration
+app.config.update({
+    "dhcp": {
+        "network": "10.0.0.0/24",
+        "range_start": "10.0.0.10",
+        "range_end": "10.0.0.100",
+        "lease_time": 3600,
+        "gateway": "10.0.0.1",
+        "dns_servers": ["8.8.8.8", "8.8.4.4"]
+    },
+    "nat": {
+        "port_range_start": 10000,
+        "port_range_end": 65535,
+        "session_timeout": 300
+    },
+    "firewall": {
+        "default_policy": "ACCEPT",
+        "log_blocked": True
+    },
+    "tcp": {
+        "initial_window": 65535,
+        "max_retries": 3,
+        "timeout": 30
+    },
+    "openvpn": {
+        "server_ip": "10.8.0.1",
+        "server_port": 1194,
+        "network": "10.8.0.0/24"
+    },
+    "logger": {
+        "log_level": "INFO",
+        "log_file": "/tmp/virtual_isp.log"
+    }
+})
+
+# Add VPN server configuration
+app.config.update({
+    'VPN_SERVER_IP': os.environ.get('VPN_SERVER_IP', '127.0.0.1'),
+    'OPENVPN_PORT': int(os.environ.get('OPENVPN_PORT', 1194)),
+    'IKEV2_PORT': int(os.environ.get('IKEV2_PORT', 500)),
+    'WIREGUARD_PORT': int(os.environ.get('WIREGUARD_PORT', 51820)),
+    'WIREGUARD_SERVER_PUBLIC_KEY': os.environ.get('WIREGUARD_SERVER_PUBLIC_KEY', 'SERVER_PUBLIC_KEY_HERE')
+})
+
+# Initialize database tables
+with app.app_context():
+    try:
+        db.create_all()
+        logger.info("Database tables created successfully")
+    except Exception as e:
+        logger.error(f"Error creating database tables: {e}")
+
+# Initialize engines
+try:
+    init_engines(app.config)
+    logger.info("All engines initialized successfully")
+except Exception as e:
+    logger.error(f"Error initializing engines: {e}")
+
+@app.route('/')
+def index():
+    """Main index page - redirect to auth if not logged in"""
+    return serve_static('auth.html')
+
+@app.route('/auth')
+def auth_page():
+    """Authentication page"""
+    return serve_static('auth.html')
+
+@app.route('/dashboard')
+def dashboard_page():
+    """Dashboard page"""
+    return serve_static('index.html')
+
+@app.route('/health')
+def health_check():
+    """Health check endpoint for monitoring"""
+    return jsonify({
+        'status': 'healthy',
+        'service': 'Virtual ISP Stack with OpenVPN',
+        'version': '1.0.0'
+    })
+
+@app.route('/api')
+def api_info():
+    """API information endpoint"""
+    return jsonify({
+        'service': 'Virtual ISP Stack API',
+        'version': '1.0.0',
+        'endpoints': {
+            'openvpn': {
+                'status': '/api/openvpn/status',
+                'start': '/api/openvpn/start',
+                'stop': '/api/openvpn/stop',
+                'clients': '/api/openvpn/clients',
+                'config': '/api/openvpn/config/<client_name>',
+                'stats': '/api/openvpn/stats',
+                'configs': '/api/openvpn/configs'
+            },
+            'dhcp': {
+                'leases': '/api/dhcp/leases'
+            },
+            'nat': {
+                'sessions': '/api/nat/sessions',
+                'stats': '/api/nat/stats'
+            },
+            'firewall': {
+                'rules': '/api/firewall/rules',
+                'logs': '/api/firewall/logs',
+                'stats': '/api/firewall/stats'
+            }
+        }
+    })
+
+@app.route('/<path:path>')
+def serve_static(path):
+    """Serve static files"""
+    static_folder_path = app.static_folder
+    if static_folder_path is None:
+        return jsonify({'error': 'Static folder not configured'}), 404
+
+    if path != "" and os.path.exists(os.path.join(static_folder_path, path)):
+        return send_from_directory(static_folder_path, path)
+    else:
+        index_path = os.path.join(static_folder_path, 'index.html')
+        if os.path.exists(index_path):
+            return send_from_directory(static_folder_path, 'index.html')
+        else:
+            return jsonify({
+                'message': 'Virtual ISP Stack with OpenVPN Integration',
+                'status': 'running',
+                'api_docs': '/api'
+            })
+
+@app.errorhandler(404)
+def not_found(error):
+    """Handle 404 errors"""
+    return jsonify({'error': 'Endpoint not found', 'api_docs': '/api'}), 404
+
+@app.errorhandler(500)
+def internal_error(error):
+    """Handle 500 errors"""
+    return jsonify({'error': 'Internal server error'}), 500
+
+if __name__ == '__main__':
+    # Get port from environment variable (HuggingFace Spaces uses PORT)
+    port = int(os.environ.get('PORT', 7860))
+    
+    logger.info(f"Starting Virtual ISP Stack with OpenVPN on port {port}")
+    
+    # Run the application
+    app.run(
+        host='0.0.0.0',
+        port=port,
+        debug=False,
+        threaded=True
+    )
+

app_status.json

@@ -0,0 +1,755 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Virtual ISP Stack - Network Management Dashboard</title>
+    <link rel="stylesheet" href="styles.css">
+    <link href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0/css/all.min.css" rel="stylesheet">
+</head>
+<body>
+    <div class="app-container">
+        <!-- Header -->
+        <header class="header">
+            <div class="header-content">
+                <div class="logo">
+                    <i class="fas fa-network-wired"></i>
+                    <h1>Virtual ISP Stack</h1>
+                </div>
+                <div class="header-status">
+                    <div class="status-indicator" id="systemStatus">
+                        <i class="fas fa-circle"></i>
+                        <span>System Status</span>
+                    </div>
+                    <div class="refresh-btn" onclick="refreshData()">
+                        <i class="fas fa-sync-alt"></i>
+                    </div>
+                </div>
+            </div>
+        </header>
+
+        <!-- Navigation -->
+        <nav class="sidebar">
+            <div class="nav-menu">
+                <div class="nav-item active" data-section="dashboard">
+                    <i class="fas fa-tachometer-alt"></i>
+                    <span>Dashboard</span>
+                </div>
+                <div class="nav-item" data-section="dhcp">
+                    <i class="fas fa-server"></i>
+                    <span>DHCP</span>
+                </div>
+                <div class="nav-item" data-section="nat">
+                    <i class="fas fa-exchange-alt"></i>
+                    <span>NAT</span>
+                </div>
+                <div class="nav-item" data-section="firewall">
+                    <i class="fas fa-shield-alt"></i>
+                    <span>Firewall</span>
+                </div>
+                <div class="nav-item" data-section="router">
+                    <i class="fas fa-route"></i>
+                    <span>Router</span>
+                </div>
+                <div class="nav-item" data-section="bridge">
+                    <i class="fas fa-link"></i>
+                    <span>Bridge</span>
+                </div>
+                <div class="nav-item" data-section="sessions">
+                    <i class="fas fa-users"></i>
+                    <span>Sessions</span>
+                </div>
+                <div class="nav-item" data-section="logs">
+                    <i class="fas fa-file-alt"></i>
+                    <span>Logs</span>
+                </div>
+                <div class="nav-item" data-section="vpn">
+                    <i class="fas fa-shield-alt"></i>
+                    <span>VPN</span>
+                </div>
+                <div class="nav-item" data-section="config">
+                    <i class="fas fa-cog"></i>
+                    <span>Config</span>
+                </div>
+            </div>
+        </nav>
+
+        <!-- Main Content -->
+        <main class="main-content">
+            <!-- Dashboard Section -->
+            <section id="dashboard" class="content-section active">
+                <div class="section-header">
+                    <h2>System Dashboard</h2>
+                    <p>Overview of Virtual ISP Stack components and performance</p>
+                </div>
+
+                <!-- System Status Cards -->
+                <div class="stats-grid">
+                    <div class="stat-card">
+                        <div class="stat-icon">
+                            <i class="fas fa-server"></i>
+                        </div>
+                        <div class="stat-content">
+                            <h3 id="dhcpLeaseCount">0</h3>
+                            <p>DHCP Leases</p>
+                        </div>
+                    </div>
+                    
+                    <div class="stat-card">
+                        <div class="stat-icon">
+                            <i class="fas fa-exchange-alt"></i>
+                        </div>
+                        <div class="stat-content">
+                            <h3 id="natSessionCount">0</h3>
+                            <p>NAT Sessions</p>
+                        </div>
+                    </div>
+                    
+                    <div class="stat-card">
+                        <div class="stat-icon">
+                            <i class="fas fa-shield-alt"></i>
+                        </div>
+                        <div class="stat-content">
+                            <h3 id="firewallRuleCount">0</h3>
+                            <p>Firewall Rules</p>
+                        </div>
+                    </div>
+                    
+                    <div class="stat-card">
+                        <div class="stat-icon">
+                            <i class="fas fa-link"></i>
+                        </div>
+                        <div class="stat-content">
+                            <h3 id="bridgeClientCount">0</h3>
+                            <p>Bridge Clients</p>
+                        </div>
+                    </div>
+                </div>
+
+                <!-- Component Status -->
+                <div class="component-status">
+                    <h3>Component Status</h3>
+                    <div class="component-grid" id="componentStatus">
+                        <!-- Component status items will be populated by JavaScript -->
+                    </div>
+                </div>
+
+                <!-- Real-time Charts -->
+                <div class="charts-container">
+                    <div class="chart-card">
+                        <h3>Network Traffic</h3>
+                        <canvas id="trafficChart"></canvas>
+                    </div>
+                    <div class="chart-card">
+                        <h3>Connection Distribution</h3>
+                        <canvas id="connectionChart"></canvas>
+                    </div>
+                </div>
+            </section>
+
+            <!-- DHCP Section -->
+            <section id="dhcp" class="content-section">
+                <div class="section-header">
+                    <h2>DHCP Management</h2>
+                    <p>Manage DHCP leases and configuration</p>
+                </div>
+
+                <div class="table-container">
+                    <div class="table-header">
+                        <h3>Active Leases</h3>
+                        <button class="btn btn-secondary" onclick="refreshDHCPLeases()">
+                            <i class="fas fa-sync-alt"></i> Refresh
+                        </button>
+                    </div>
+                    <div class="table-wrapper">
+                        <table id="dhcpTable">
+                            <thead>
+                                <tr>
+                                    <th>MAC Address</th>
+                                    <th>IP Address</th>
+                                    <th>Lease Time</th>
+                                    <th>Remaining</th>
+                                    <th>State</th>
+                                    <th>Actions</th>
+                                </tr>
+                            </thead>
+                            <tbody id="dhcpTableBody">
+                                <!-- DHCP leases will be populated here -->
+                            </tbody>
+                        </table>
+                    </div>
+                </div>
+            </section>
+
+            <!-- NAT Section -->
+            <section id="nat" class="content-section">
+                <div class="section-header">
+                    <h2>NAT Management</h2>
+                    <p>Network Address Translation sessions and statistics</p>
+                </div>
+
+                <div class="nat-stats">
+                    <div class="stat-row">
+                        <div class="stat-item">
+                            <span class="stat-label">Active Sessions:</span>
+                            <span class="stat-value" id="natActiveSessions">0</span>
+                        </div>
+                        <div class="stat-item">
+                            <span class="stat-label">Port Utilization:</span>
+                            <span class="stat-value" id="natPortUtilization">0%</span>
+                        </div>
+                        <div class="stat-item">
+                            <span class="stat-label">Bytes Translated:</span>
+                            <span class="stat-value" id="natBytesTranslated">0</span>
+                        </div>
+                    </div>
+                </div>
+
+                <div class="table-container">
+                    <div class="table-header">
+                        <h3>NAT Sessions</h3>
+                        <button class="btn btn-secondary" onclick="refreshNATSessions()">
+                            <i class="fas fa-sync-alt"></i> Refresh
+                        </button>
+                    </div>
+                    <div class="table-wrapper">
+                        <table id="natTable">
+                            <thead>
+                                <tr>
+                                    <th>Virtual IP:Port</th>
+                                    <th>Real IP:Port</th>
+                                    <th>Host IP:Port</th>
+                                    <th>Protocol</th>
+                                    <th>Duration</th>
+                                    <th>Bytes In/Out</th>
+                                    <th>Actions</th>
+                                </tr>
+                            </thead>
+                            <tbody id="natTableBody">
+                                <!-- NAT sessions will be populated here -->
+                            </tbody>
+                        </table>
+                    </div>
+                </div>
+            </section>
+
+            <!-- Firewall Section -->
+            <section id="firewall" class="content-section">
+                <div class="section-header">
+                    <h2>Firewall Management</h2>
+                    <p>Configure firewall rules and monitor traffic</p>
+                </div>
+
+                <div class="firewall-controls">
+                    <button class="btn btn-primary" onclick="showAddRuleModal()">
+                        <i class="fas fa-plus"></i> Add Rule
+                    </button>
+                    <button class="btn btn-secondary" onclick="refreshFirewallRules()">
+                        <i class="fas fa-sync-alt"></i> Refresh
+                    </button>
+                </div>
+
+                <div class="table-container">
+                    <div class="table-header">
+                        <h3>Firewall Rules</h3>
+                    </div>
+                    <div class="table-wrapper">
+                        <table id="firewallTable">
+                            <thead>
+                                <tr>
+                                    <th>Priority</th>
+                                    <th>Rule ID</th>
+                                    <th>Action</th>
+                                    <th>Direction</th>
+                                    <th>Source</th>
+                                    <th>Destination</th>
+                                    <th>Protocol</th>
+                                    <th>Hits</th>
+                                    <th>Status</th>
+                                    <th>Actions</th>
+                                </tr>
+                            </thead>
+                            <tbody id="firewallTableBody">
+                                <!-- Firewall rules will be populated here -->
+                            </tbody>
+                        </table>
+                    </div>
+                </div>
+            </section>
+
+            <!-- Router Section -->
+            <section id="router" class="content-section">
+                <div class="section-header">
+                    <h2>Router Management</h2>
+                    <p>Routing table and network interfaces</p>
+                </div>
+
+                <div class="router-tabs">
+                    <div class="tab-buttons">
+                        <button class="tab-btn active" data-tab="routes">Routes</button>
+                        <button class="tab-btn" data-tab="interfaces">Interfaces</button>
+                        <button class="tab-btn" data-tab="arp">ARP Table</button>
+                    </div>
+
+                    <div class="tab-content">
+                        <div id="routes" class="tab-pane active">
+                            <div class="table-container">
+                                <table id="routesTable">
+                                    <thead>
+                                        <tr>
+                                            <th>Destination</th>
+                                            <th>Gateway</th>
+                                            <th>Interface</th>
+                                            <th>Metric</th>
+                                            <th>Type</th>
+                                            <th>Use Count</th>
+                                            <th>Last Used</th>
+                                        </tr>
+                                    </thead>
+                                    <tbody id="routesTableBody">
+                                        <!-- Routes will be populated here -->
+                                    </tbody>
+                                </table>
+                            </div>
+                        </div>
+
+                        <div id="interfaces" class="tab-pane">
+                            <div class="table-container">
+                                <table id="interfacesTable">
+                                    <thead>
+                                        <tr>
+                                            <th>Name</th>
+                                            <th>IP Address</th>
+                                            <th>Network</th>
+                                            <th>MTU</th>
+                                            <th>Status</th>
+                                            <th>Actions</th>
+                                        </tr>
+                                    </thead>
+                                    <tbody id="interfacesTableBody">
+                                        <!-- Interfaces will be populated here -->
+                                    </tbody>
+                                </table>
+                            </div>
+                        </div>
+
+                        <div id="arp" class="tab-pane">
+                            <div class="table-container">
+                                <table id="arpTable">
+                                    <thead>
+                                        <tr>
+                                            <th>IP Address</th>
+                                            <th>MAC Address</th>
+                                            <th>Actions</th>
+                                        </tr>
+                                    </thead>
+                                    <tbody id="arpTableBody">
+                                        <!-- ARP entries will be populated here -->
+                                    </tbody>
+                                </table>
+                            </div>
+                        </div>
+                    </div>
+                </div>
+            </section>
+
+            <!-- Bridge Section -->
+            <section id="bridge" class="content-section">
+                <div class="section-header">
+                    <h2>Packet Bridge</h2>
+                    <p>Connected clients and bridge statistics</p>
+                </div>
+
+                <div class="bridge-info">
+                    <div class="info-card">
+                        <h4>WebSocket Server</h4>
+                        <p>Port: 8765</p>
+                        <p>Status: <span class="status-active">Active</span></p>
+                    </div>
+                    <div class="info-card">
+                        <h4>TCP Server</h4>
+                        <p>Port: 8766</p>
+                        <p>Status: <span class="status-active">Active</span></p>
+                    </div>
+                </div>
+
+                <div class="table-container">
+                    <div class="table-header">
+                        <h3>Connected Clients</h3>
+                        <button class="btn btn-secondary" onclick="refreshBridgeClients()">
+                            <i class="fas fa-sync-alt"></i> Refresh
+                        </button>
+                    </div>
+                    <div class="table-wrapper">
+                        <table id="bridgeTable">
+                            <thead>
+                                <tr>
+                                    <th>Client ID</th>
+                                    <th>Type</th>
+                                    <th>Remote Address</th>
+                                    <th>Connected Time</th>
+                                    <th>Packets In/Out</th>
+                                    <th>Bytes In/Out</th>
+                                    <th>Actions</th>
+                                </tr>
+                            </thead>
+                            <tbody id="bridgeTableBody">
+                                <!-- Bridge clients will be populated here -->
+                            </tbody>
+                        </table>
+                    </div>
+                </div>
+            </section>
+
+            <!-- Sessions Section -->
+            <section id="sessions" class="content-section">
+                <div class="section-header">
+                    <h2>Session Tracking</h2>
+                    <p>Unified view of all network sessions</p>
+                </div>
+
+                <div class="session-summary" id="sessionSummary">
+                    <!-- Session summary will be populated here -->
+                </div>
+
+                <div class="table-container">
+                    <div class="table-header">
+                        <h3>Active Sessions</h3>
+                        <div class="table-controls">
+                            <select id="sessionTypeFilter" onchange="filterSessions()">
+                                <option value="">All Types</option>
+                                <option value="DHCP_LEASE">DHCP Lease</option>
+                                <option value="NAT_SESSION">NAT Session</option>
+                                <option value="TCP_CONNECTION">TCP Connection</option>
+                                <option value="SOCKET_CONNECTION">Socket Connection</option>
+                                <option value="BRIDGE_CLIENT">Bridge Client</option>
+                            </select>
+                            <button class="btn btn-secondary" onclick="refreshSessions()">
+                                <i class="fas fa-sync-alt"></i> Refresh
+                            </button>
+                        </div>
+                    </div>
+                    <div class="table-wrapper">
+                        <table id="sessionsTable">
+                            <thead>
+                                <tr>
+                                    <th>Session ID</th>
+                                    <th>Type</th>
+                                    <th>State</th>
+                                    <th>Virtual IP:Port</th>
+                                    <th>Real IP:Port</th>
+                                    <th>Protocol</th>
+                                    <th>Duration</th>
+                                    <th>Idle Time</th>
+                                    <th>Metrics</th>
+                                </tr>
+                            </thead>
+                            <tbody id="sessionsTableBody">
+                                <!-- Sessions will be populated here -->
+                            </tbody>
+                        </table>
+                    </div>
+                </div>
+            </section>
+
+            <!-- Logs Section -->
+            <section id="logs" class="content-section">
+                <div class="section-header">
+                    <h2>System Logs</h2>
+                    <p>Monitor system events and troubleshoot issues</p>
+                </div>
+
+                <div class="log-controls">
+                    <div class="log-filters">
+                        <select id="logLevelFilter" onchange="filterLogs()">
+                            <option value="">All Levels</option>
+                            <option value="DEBUG">Debug</option>
+                            <option value="INFO">Info</option>
+                            <option value="WARNING">Warning</option>
+                            <option value="ERROR">Error</option>
+                            <option value="CRITICAL">Critical</option>
+                        </select>
+                        <select id="logCategoryFilter" onchange="filterLogs()">
+                            <option value="">All Categories</option>
+                            <option value="SYSTEM">System</option>
+                            <option value="DHCP">DHCP</option>
+                            <option value="NAT">NAT</option>
+                            <option value="FIREWALL">Firewall</option>
+                            <option value="TCP">TCP</option>
+                            <option value="ROUTER">Router</option>
+                            <option value="BRIDGE">Bridge</option>
+                            <option value="SOCKET">Socket</option>
+                            <option value="SESSION">Session</option>
+                            <option value="SECURITY">Security</option>
+                        </select>
+                        <input type="text" id="logSearchInput" placeholder="Search logs..." onkeyup="searchLogs()">
+                    </div>
+                    <div class="log-actions">
+                        <button class="btn btn-secondary" onclick="refreshLogs()">
+                            <i class="fas fa-sync-alt"></i> Refresh
+                        </button>
+                        <button class="btn btn-danger" onclick="clearLogs()">
+                            <i class="fas fa-trash"></i> Clear
+                        </button>
+                    </div>
+                </div>
+
+                <div class="log-container" id="logContainer">
+                    <!-- Log entries will be populated here -->
+                </div>
+            </section>
+
+            <!-- VPN Section -->
+            <section id="vpn" class="content-section">
+                <div class="section-header">
+                    <h2>VPN Management</h2>
+                    <p>OpenVPN server management and client connections</p>
+                </div>
+
+                <!-- VPN Server Status -->
+                <div class="vpn-status">
+                    <div class="status-card">
+                        <div class="status-header">
+                            <h3>OpenVPN Server</h3>
+                            <div class="server-controls">
+                                <button class="btn btn-success" id="startVpnBtn" onclick="startVpnServer()">
+                                    <i class="fas fa-play"></i> Start
+                                </button>
+                                <button class="btn btn-danger" id="stopVpnBtn" onclick="stopVpnServer()">
+                                    <i class="fas fa-stop"></i> Stop
+                                </button>
+                                <button class="btn btn-secondary" onclick="refreshVpnStatus()">
+                                    <i class="fas fa-sync-alt"></i> Refresh
+                                </button>
+                            </div>
+                        </div>
+                        <div class="status-info">
+                            <div class="info-row">
+                                <span class="info-label">Status:</span>
+                                <span class="info-value" id="vpnServerStatus">Unknown</span>
+                            </div>
+                            <div class="info-row">
+                                <span class="info-label">Server IP:</span>
+                                <span class="info-value" id="vpnServerIp">-</span>
+                            </div>
+                            <div class="info-row">
+                                <span class="info-label">Port:</span>
+                                <span class="info-value" id="vpnServerPort">-</span>
+                            </div>
+                            <div class="info-row">
+                                <span class="info-label">Connected Clients:</span>
+                                <span class="info-value" id="vpnConnectedClients">0</span>
+                            </div>
+                            <div class="info-row">
+                                <span class="info-label">Uptime:</span>
+                                <span class="info-value" id="vpnUptime">-</span>
+                            </div>
+                        </div>
+                    </div>
+                </div>
+
+                <!-- VPN Statistics -->
+                <div class="vpn-stats">
+                    <div class="stat-item">
+                        <span class="stat-label">Total Bytes Received:</span>
+                        <span class="stat-value" id="vpnBytesReceived">0</span>
+                    </div>
+                    <div class="stat-item">
+                        <span class="stat-label">Total Bytes Sent:</span>
+                        <span class="stat-value" id="vpnBytesSent">0</span>
+                    </div>
+                </div>
+
+                <!-- Connected Clients -->
+                <div class="table-container">
+                    <div class="table-header">
+                        <h3>Connected VPN Clients</h3>
+                        <div class="table-controls">
+                            <button class="btn btn-primary" onclick="showGenerateConfigModal()">
+                                <i class="fas fa-plus"></i> Generate Client Config
+                            </button>
+                            <button class="btn btn-secondary" onclick="refreshVpnClients()">
+                                <i class="fas fa-sync-alt"></i> Refresh
+                            </button>
+                        </div>
+                    </div>
+                    <div class="table-wrapper">
+                        <table id="vpnClientsTable">
+                            <thead>
+                                <tr>
+                                    <th>Client ID</th>
+                                    <th>Common Name</th>
+                                    <th>VPN IP Address</th>
+                                    <th>Connected Since</th>
+                                    <th>Bytes Received</th>
+                                    <th>Bytes Sent</th>
+                                    <th>Status</th>
+                                    <th>Actions</th>
+                                </tr>
+                            </thead>
+                            <tbody id="vpnClientsTableBody">
+                                <!-- VPN clients will be populated here -->
+                            </tbody>
+                        </table>
+                    </div>
+                </div>
+            </section>
+
+            <!-- Config Section -->
+            <section id="config" class="content-section">
+                <div class="section-header">
+                    <h2>System Configuration</h2>
+                    <p>Configure system parameters and settings</p>
+                </div>
+
+                <div class="config-container">
+                    <div class="config-section">
+                        <h3>DHCP Configuration</h3>
+                        <div class="config-form" id="dhcpConfig">
+                            <!-- DHCP config form will be populated here -->
+                        </div>
+                    </div>
+
+                    <div class="config-section">
+                        <h3>NAT Configuration</h3>
+                        <div class="config-form" id="natConfig">
+                            <!-- NAT config form will be populated here -->
+                        </div>
+                    </div>
+
+                    <div class="config-section">
+                        <h3>Firewall Configuration</h3>
+                        <div class="config-form" id="firewallConfig">
+                            <!-- Firewall config form will be populated here -->
+                        </div>
+                    </div>
+                </div>
+
+                <div class="config-actions">
+                    <button class="btn btn-primary" onclick="saveConfiguration()">
+                        <i class="fas fa-save"></i> Save Configuration
+                    </button>
+                    <button class="btn btn-secondary" onclick="resetConfiguration()">
+                        <i class="fas fa-undo"></i> Reset to Defaults
+                    </button>
+                </div>
+            </section>
+        </main>
+    </div>
+
+    <!-- Modals -->
+    <div id="addRuleModal" class="modal">
+        <div class="modal-content">
+            <div class="modal-header">
+                <h3>Add Firewall Rule</h3>
+                <span class="close" onclick="closeModal('addRuleModal')">&times;</span>
+            </div>
+            <div class="modal-body">
+                <form id="addRuleForm">
+                    <div class="form-group">
+                        <label for="ruleId">Rule ID:</label>
+                        <input type="text" id="ruleId" name="ruleId" required>
+                    </div>
+                    <div class="form-group">
+                        <label for="rulePriority">Priority:</label>
+                        <input type="number" id="rulePriority" name="priority" value="100" required>
+                    </div>
+                    <div class="form-group">
+                        <label for="ruleAction">Action:</label>
+                        <select id="ruleAction" name="action" required>
+                            <option value="ACCEPT">Accept</option>
+                            <option value="DROP">Drop</option>
+                            <option value="REJECT">Reject</option>
+                        </select>
+                    </div>
+                    <div class="form-group">
+                        <label for="ruleDirection">Direction:</label>
+                        <select id="ruleDirection" name="direction">
+                            <option value="BOTH">Both</option>
+                            <option value="INBOUND">Inbound</option>
+                            <option value="OUTBOUND">Outbound</option>
+                        </select>
+                    </div>
+                    <div class="form-group">
+                        <label for="ruleSourceIp">Source IP:</label>
+                        <input type="text" id="ruleSourceIp" name="source_ip" placeholder="e.g., 192.168.1.0/24">
+                    </div>
+                    <div class="form-group">
+                        <label for="ruleDestIp">Destination IP:</label>
+                        <input type="text" id="ruleDestIp" name="dest_ip" placeholder="e.g., 10.0.0.0/8">
+                    </div>
+                    <div class="form-group">
+                        <label for="ruleSourcePort">Source Port:</label>
+                        <input type="text" id="ruleSourcePort" name="source_port" placeholder="e.g., 80, 80-90, 80,443">
+                    </div>
+                    <div class="form-group">
+                        <label for="ruleDestPort">Destination Port:</label>
+                        <input type="text" id="ruleDestPort" name="dest_port" placeholder="e.g., 80, 80-90, 80,443">
+                    </div>
+                    <div class="form-group">
+                        <label for="ruleProtocol">Protocol:</label>
+                        <select id="ruleProtocol" name="protocol">
+                            <option value="">Any</option>
+                            <option value="TCP">TCP</option>
+                            <option value="UDP">UDP</option>
+                            <option value="ICMP">ICMP</option>
+                        </select>
+                    </div>
+                    <div class="form-group">
+                        <label for="ruleDescription">Description:</label>
+                        <input type="text" id="ruleDescription" name="description" placeholder="Rule description">
+                    </div>
+                </form>
+            </div>
+            <div class="modal-footer">
+                <button type="button" class="btn btn-secondary" onclick="closeModal('addRuleModal')">Cancel</button>
+                <button type="button" class="btn btn-primary" onclick="addFirewallRule()">Add Rule</button>
+            </div>
+        </div>
+    </div>
+
+    <!-- Generate VPN Config Modal -->
+    <div id="generateConfigModal" class="modal">
+        <div class="modal-content">
+            <div class="modal-header">
+                <h3>Generate VPN Client Configuration</h3>
+                <span class="close" onclick="closeModal('generateConfigModal')">&times;</span>
+            </div>
+            <div class="modal-body">
+                <form id="generateConfigForm">
+                    <div class="form-group">
+                        <label for="clientName">Client Name:</label>
+                        <input type="text" id="clientName" name="clientName" required 
+                               placeholder="Enter client name (e.g., client1)">
+                    </div>
+                    <div class="form-group">
+                        <label for="serverIp">Server IP:</label>
+                        <input type="text" id="serverIp" name="serverIp" required 
+                               placeholder="Enter server IP address">
+                    </div>
+                </form>
+            </div>
+            <div class="modal-footer">
+                <button type="button" class="btn btn-secondary" onclick="closeModal('generateConfigModal')">Cancel</button>
+                <button type="button" class="btn btn-primary" onclick="generateClientConfig()">Generate Config</button>
+            </div>
+        </div>
+    </div>
+
+    <!-- Loading Overlay -->
+    <div id="loadingOverlay" class="loading-overlay">
+        <div class="loading-spinner">
+            <i class="fas fa-spinner fa-spin"></i>
+            <p>Loading...</p>
+        </div>
+    </div>
+
+    <!-- Toast Notifications -->
+    <div id="toastContainer" class="toast-container"></div>
+
+    <!-- JavaScript -->
+    <script src="https://cdn.jsdelivr.net/npm/chart.js"></script>
+    <script src="app.js"></script>
+</body>
+</html>
+

config.json

@@ -0,0 +1,98 @@
+{
+  "dhcp": {
+    "network": "10.0.0.0/24",
+    "range_start": "10.0.0.10",
+    "range_end": "10.0.0.100",
+    "lease_time": 3600,
+    "gateway": "10.0.0.1",
+    "dns_servers": [
+      "8.8.8.8",
+      "8.8.4.4"
+    ]
+  },
+  "nat": {
+    "port_range_start": 10000,
+    "port_range_end": 65535,
+    "session_timeout": 300,
+    "host_ip": "0.0.0.0"
+  },
+  "firewall": {
+    "default_policy": "ACCEPT",
+    "log_blocked": true,
+    "log_accepted": false,
+    "max_log_entries": 10000,
+    "rules": [
+      {
+        "rule_id": "allow_dhcp",
+        "priority": 1,
+        "action": "ACCEPT",
+        "direction": "BOTH",
+        "dest_port": "67,68",
+        "protocol": "UDP",
+        "description": "Allow DHCP traffic",
+        "enabled": true
+      },
+      {
+        "rule_id": "allow_dns",
+        "priority": 2,
+        "action": "ACCEPT",
+        "direction": "BOTH",
+        "dest_port": "53",
+        "protocol": "UDP",
+        "description": "Allow DNS traffic",
+        "enabled": true
+      }
+    ]
+  },
+  "tcp": {
+    "initial_window": 65535,
+    "max_retries": 3,
+    "timeout": 300,
+    "time_wait_timeout": 120,
+    "mss": 1460
+  },
+  "router": {
+    "router_id": "virtual-isp-router",
+    "default_gateway": "10.0.0.1",
+    "interfaces": [
+      {
+        "name": "virtual0",
+        "ip_address": "10.0.0.1",
+        "netmask": "255.255.255.0",
+        "enabled": true,
+        "mtu": 1500
+      }
+    ],
+    "static_routes": []
+  },
+  "socket_translator": {
+    "connect_timeout": 10,
+    "read_timeout": 30,
+    "max_connections": 1000,
+    "buffer_size": 8192
+  },
+  "packet_bridge": {
+    "websocket_host": "0.0.0.0",
+    "websocket_port": 8765,
+    "tcp_host": "0.0.0.0",
+    "tcp_port": 8766,
+    "max_clients": 100,
+    "client_timeout": 300
+  },
+  "session_tracker": {
+    "max_sessions": 10000,
+    "session_timeout": 3600,
+    "cleanup_interval": 300,
+    "metrics_retention": 86400
+  },
+  "logger": {
+    "log_level": "INFO",
+    "log_to_file": true,
+    "log_file_path": "/tmp/virtual_isp.log",
+    "log_file_max_size": 10485760,
+    "log_file_backup_count": 5,
+    "log_to_console": true,
+    "structured_logging": true,
+    "max_memory_logs": 10000
+  }
+}

core/__init__.py

@@ -0,0 +1,2 @@
+# Core networking modules for the virtual ISP stack
+

core/dhcp_server.py

@@ -0,0 +1,391 @@
+"""
+DHCP Server Module
+
+Implements a user-space DHCP server that handles:
+- DHCP DISCOVER → OFFER → REQUEST → ACK sequence
+- IP lease management
+- Lease renewals and expiration
+"""
+
+import struct
+import time
+import socket
+import threading
+from typing import Dict, Optional, Tuple
+from dataclasses import dataclass
+from enum import Enum
+
+
+class DHCPMessageType(Enum):
+    DISCOVER = 1
+    OFFER = 2
+    REQUEST = 3
+    DECLINE = 4
+    ACK = 5
+    NAK = 6
+    RELEASE = 7
+    INFORM = 8
+
+
+@dataclass
+class DHCPLease:
+    """Represents a DHCP lease"""
+    mac_address: str
+    ip_address: str
+    lease_time: int
+    lease_start: float
+    state: str = 'BOUND'
+    
+    @property
+    def is_expired(self) -> bool:
+        return time.time() > (self.lease_start + self.lease_time)
+    
+    @property
+    def remaining_time(self) -> int:
+        remaining = int((self.lease_start + self.lease_time) - time.time())
+        return max(0, remaining)
+
+
+class DHCPPacket:
+    """DHCP packet parser and builder"""
+    
+    def __init__(self):
+        self.op = 0  # Message op code / message type
+        self.htype = 1  # Hardware address type (Ethernet = 1)
+        self.hlen = 6  # Hardware address length
+        self.hops = 0  # Hops
+        self.xid = 0  # Transaction ID
+        self.secs = 0  # Seconds elapsed
+        self.flags = 0  # Flags
+        self.ciaddr = '0.0.0.0'  # Client IP address
+        self.yiaddr = '0.0.0.0'  # Your IP address
+        self.siaddr = '0.0.0.0'  # Server IP address
+        self.giaddr = '0.0.0.0'  # Gateway IP address
+        self.chaddr = b'\x00' * 16  # Client hardware address
+        self.sname = b'\x00' * 64  # Server name
+        self.file = b'\x00' * 128  # Boot file name
+        self.options = {}  # DHCP options
+    
+    @classmethod
+    def parse(cls, data: bytes) -> 'DHCPPacket':
+        """Parse DHCP packet from raw bytes"""
+        packet = cls()
+        
+        # Parse fixed fields (first 236 bytes)
+        if len(data) < 236:
+            raise ValueError("DHCP packet too short")
+        
+        fields = struct.unpack('!BBBBIHH4s4s4s4s16s64s128s', data[:236])
+        packet.op = fields[0]
+        packet.htype = fields[1]
+        packet.hlen = fields[2]
+        packet.hops = fields[3]
+        packet.xid = fields[4]
+        packet.secs = fields[5]
+        packet.flags = fields[6]
+        packet.ciaddr = socket.inet_ntoa(fields[7])
+        packet.yiaddr = socket.inet_ntoa(fields[8])
+        packet.siaddr = socket.inet_ntoa(fields[9])
+        packet.giaddr = socket.inet_ntoa(fields[10])
+        packet.chaddr = fields[11]
+        packet.sname = fields[12]
+        packet.file = fields[13]
+        
+        # Parse options (after magic cookie)
+        options_data = data[236:]
+        if len(options_data) >= 4:
+            magic = struct.unpack('!I', options_data[:4])[0]
+            if magic == 0x63825363:  # DHCP magic cookie
+                packet.options = packet._parse_options(options_data[4:])
+        
+        return packet
+    
+    def _parse_options(self, data: bytes) -> Dict[int, bytes]:
+        """Parse DHCP options"""
+        options = {}
+        i = 0
+        
+        while i < len(data):
+            if data[i] == 255:  # End option
+                break
+            elif data[i] == 0:  # Pad option
+                i += 1
+                continue
+            
+            option_type = data[i]
+            if i + 1 >= len(data):
+                break
+            
+            option_length = data[i + 1]
+            if i + 2 + option_length > len(data):
+                break
+            
+            option_data = data[i + 2:i + 2 + option_length]
+            options[option_type] = option_data
+            i += 2 + option_length
+        
+        return options
+    
+    def build(self) -> bytes:
+        """Build DHCP packet as bytes"""
+        # Build fixed fields
+        packet_data = struct.pack(
+            '!BBBBIHH4s4s4s4s16s64s128s',
+            self.op, self.htype, self.hlen, self.hops,
+            self.xid, self.secs, self.flags,
+            socket.inet_aton(self.ciaddr),
+            socket.inet_aton(self.yiaddr),
+            socket.inet_aton(self.siaddr),
+            socket.inet_aton(self.giaddr),
+            self.chaddr, self.sname, self.file
+        )
+        
+        # Add magic cookie
+        packet_data += struct.pack('!I', 0x63825363)
+        
+        # Add options
+        for option_type, option_data in self.options.items():
+            packet_data += struct.pack('!BB', option_type, len(option_data))
+            packet_data += option_data
+        
+        # Add end option
+        packet_data += b'\xff'
+        
+        # Pad to minimum size
+        while len(packet_data) < 300:
+            packet_data += b'\x00'
+        
+        return packet_data
+    
+    def get_mac_address(self) -> str:
+        """Get client MAC address as string"""
+        return ':'.join(f'{b:02x}' for b in self.chaddr[:6])
+    
+    def get_message_type(self) -> Optional[DHCPMessageType]:
+        """Get DHCP message type from options"""
+        if 53 in self.options and len(self.options[53]) == 1:
+            msg_type = self.options[53][0]
+            try:
+                return DHCPMessageType(msg_type)
+            except ValueError:
+                return None
+        return None
+
+
+class DHCPServer:
+    """User-space DHCP server implementation"""
+    
+    def __init__(self, config: Dict):
+        self.config = config
+        self.leases: Dict[str, DHCPLease] = {}  # MAC -> Lease
+        self.ip_pool = self._build_ip_pool()
+        self.running = False
+        self.server_thread = None
+        self.lock = threading.Lock()
+    
+    def _build_ip_pool(self) -> set:
+        """Build available IP address pool"""
+        network = self.config['network']
+        start_ip = self.config['range_start']
+        end_ip = self.config['range_end']
+        
+        # Convert IP addresses to integers for range calculation
+        start_int = struct.unpack('!I', socket.inet_aton(start_ip))[0]
+        end_int = struct.unpack('!I', socket.inet_aton(end_ip))[0]
+        
+        pool = set()
+        for ip_int in range(start_int, end_int + 1):
+            ip_str = socket.inet_ntoa(struct.pack('!I', ip_int))
+            pool.add(ip_str)
+        
+        return pool
+    
+    def _get_available_ip(self) -> Optional[str]:
+        """Get next available IP address"""
+        with self.lock:
+            # Remove expired leases
+            self._cleanup_expired_leases()
+            
+            # Find available IP
+            used_ips = {lease.ip_address for lease in self.leases.values()}
+            available_ips = self.ip_pool - used_ips
+            
+            if available_ips:
+                return min(available_ips)  # Return lowest available IP
+            return None
+    
+    def _cleanup_expired_leases(self):
+        """Remove expired leases"""
+        expired_macs = [
+            mac for mac, lease in self.leases.items()
+            if lease.is_expired
+        ]
+        for mac in expired_macs:
+            del self.leases[mac]
+    
+    def _create_dhcp_offer(self, discover_packet: DHCPPacket) -> DHCPPacket:
+        """Create DHCP OFFER response"""
+        mac_address = discover_packet.get_mac_address()
+        
+        # Check for existing lease
+        if mac_address in self.leases and not self.leases[mac_address].is_expired:
+            offered_ip = self.leases[mac_address].ip_address
+        else:
+            offered_ip = self._get_available_ip()
+            if not offered_ip:
+                return None  # No available IPs
+        
+        # Create OFFER packet
+        offer = DHCPPacket()
+        offer.op = 2  # BOOTREPLY
+        offer.htype = discover_packet.htype
+        offer.hlen = discover_packet.hlen
+        offer.xid = discover_packet.xid
+        offer.yiaddr = offered_ip
+        offer.siaddr = self.config['gateway']
+        offer.chaddr = discover_packet.chaddr
+        
+        # Add DHCP options
+        offer.options[53] = bytes([DHCPMessageType.OFFER.value])  # Message type
+        offer.options[1] = socket.inet_aton('255.255.255.0')  # Subnet mask
+        offer.options[3] = socket.inet_aton(self.config['gateway'])  # Router
+        offer.options[6] = b''.join(socket.inet_aton(dns) for dns in self.config['dns_servers'])  # DNS
+        offer.options[51] = struct.pack('!I', self.config['lease_time'])  # Lease time
+        offer.options[54] = socket.inet_aton(self.config['gateway'])  # DHCP server identifier
+        
+        return offer
+    
+    def _create_dhcp_ack(self, request_packet: DHCPPacket) -> DHCPPacket:
+        """Create DHCP ACK response"""
+        mac_address = request_packet.get_mac_address()
+        requested_ip = request_packet.ciaddr
+        
+        # If no requested IP in ciaddr, check option 50
+        if requested_ip == '0.0.0.0' and 50 in request_packet.options:
+            requested_ip = socket.inet_ntoa(request_packet.options[50])
+        
+        # Validate request
+        if not self._validate_request(mac_address, requested_ip):
+            return self._create_dhcp_nak(request_packet)
+        
+        # Create or update lease
+        lease = DHCPLease(
+            mac_address=mac_address,
+            ip_address=requested_ip,
+            lease_time=self.config['lease_time'],
+            lease_start=time.time()
+        )
+        
+        with self.lock:
+            self.leases[mac_address] = lease
+        
+        # Create ACK packet
+        ack = DHCPPacket()
+        ack.op = 2  # BOOTREPLY
+        ack.htype = request_packet.htype
+        ack.hlen = request_packet.hlen
+        ack.xid = request_packet.xid
+        ack.yiaddr = requested_ip
+        ack.siaddr = self.config['gateway']
+        ack.chaddr = request_packet.chaddr
+        
+        # Add DHCP options
+        ack.options[53] = bytes([DHCPMessageType.ACK.value])  # Message type
+        ack.options[1] = socket.inet_aton('255.255.255.0')  # Subnet mask
+        ack.options[3] = socket.inet_aton(self.config['gateway'])  # Router
+        ack.options[6] = b''.join(socket.inet_aton(dns) for dns in self.config['dns_servers'])  # DNS
+        ack.options[51] = struct.pack('!I', self.config['lease_time'])  # Lease time
+        ack.options[54] = socket.inet_aton(self.config['gateway'])  # DHCP server identifier
+        
+        return ack
+    
+    def _create_dhcp_nak(self, request_packet: DHCPPacket) -> DHCPPacket:
+        """Create DHCP NAK response"""
+        nak = DHCPPacket()
+        nak.op = 2  # BOOTREPLY
+        nak.htype = request_packet.htype
+        nak.hlen = request_packet.hlen
+        nak.xid = request_packet.xid
+        nak.chaddr = request_packet.chaddr
+        
+        # Add DHCP options
+        nak.options[53] = bytes([DHCPMessageType.NAK.value])  # Message type
+        nak.options[54] = socket.inet_aton(self.config['gateway'])  # DHCP server identifier
+        
+        return nak
+    
+    def _validate_request(self, mac_address: str, requested_ip: str) -> bool:
+        """Validate DHCP request"""
+        # Check if IP is in our pool
+        if requested_ip not in self.ip_pool:
+            return False
+        
+        # Check if IP is available or already assigned to this MAC
+        with self.lock:
+            for mac, lease in self.leases.items():
+                if lease.ip_address == requested_ip:
+                    if mac != mac_address and not lease.is_expired:
+                        return False  # IP already assigned to different MAC
+        
+        return True
+    
+    def process_packet(self, packet_data: bytes, client_addr: Tuple[str, int]) -> Optional[bytes]:
+        """Process incoming DHCP packet and return response"""
+        try:
+            packet = DHCPPacket.parse(packet_data)
+            message_type = packet.get_message_type()
+            
+            if message_type == DHCPMessageType.DISCOVER:
+                response = self._create_dhcp_offer(packet)
+            elif message_type == DHCPMessageType.REQUEST:
+                response = self._create_dhcp_ack(packet)
+            elif message_type == DHCPMessageType.RELEASE:
+                # Handle lease release
+                mac_address = packet.get_mac_address()
+                with self.lock:
+                    if mac_address in self.leases:
+                        del self.leases[mac_address]
+                return None
+            else:
+                return None
+            
+            if response:
+                return response.build()
+            
+        except Exception as e:
+            print(f"Error processing DHCP packet: {e}")
+            return None
+    
+    def get_leases(self) -> Dict[str, Dict]:
+        """Get current lease table"""
+        with self.lock:
+            self._cleanup_expired_leases()
+            return {
+                mac: {
+                    'ip_address': lease.ip_address,
+                    'lease_time': lease.lease_time,
+                    'lease_start': lease.lease_start,
+                    'remaining_time': lease.remaining_time,
+                    'state': lease.state
+                }
+                for mac, lease in self.leases.items()
+            }
+    
+    def release_lease(self, mac_address: str) -> bool:
+        """Manually release a lease"""
+        with self.lock:
+            if mac_address in self.leases:
+                del self.leases[mac_address]
+                return True
+            return False
+    
+    def start(self):
+        """Start DHCP server (placeholder for integration with packet bridge)"""
+        self.running = True
+        print(f"DHCP server started - Pool: {self.config['range_start']} - {self.config['range_end']}")
+    
+    def stop(self):
+        """Stop DHCP server"""
+        self.running = False
+        print("DHCP server stopped")
+

core/firewall.py

@@ -0,0 +1,523 @@
+"""
+Firewall Module
+
+Implements packet filtering and access control:
+- Rule-based packet filtering (allow/block by IP, port, protocol)
+- Ordered rule processing
+- Logging and statistics
+- Dynamic rule management via API
+"""
+
+import time
+import threading
+import ipaddress
+import re
+from typing import Dict, List, Optional, Tuple, Any
+from dataclasses import dataclass
+from enum import Enum
+
+from .ip_parser import ParsedPacket, TCPHeader, UDPHeader
+
+
+class FirewallAction(Enum):
+    ACCEPT = "ACCEPT"
+    DROP = "DROP"
+    REJECT = "REJECT"
+
+
+class FirewallDirection(Enum):
+    INBOUND = "INBOUND"
+    OUTBOUND = "OUTBOUND"
+    BOTH = "BOTH"
+
+
+@dataclass
+class FirewallRule:
+    """Represents a firewall rule"""
+    rule_id: str
+    priority: int  # Lower number = higher priority
+    action: FirewallAction
+    direction: FirewallDirection
+    
+    # Match criteria
+    source_ip: Optional[str] = None  # IP or CIDR
+    dest_ip: Optional[str] = None    # IP or CIDR
+    source_port: Optional[str] = None  # Port or range (e.g., "80", "80-90", "80,443")
+    dest_port: Optional[str] = None    # Port or range
+    protocol: Optional[str] = None     # TCP, UDP, ICMP, or None for any
+    
+    # Metadata
+    description: str = ""
+    enabled: bool = True
+    created_time: float = 0
+    hit_count: int = 0
+    last_hit: Optional[float] = None
+    
+    def __post_init__(self):
+        if self.created_time == 0:
+            self.created_time = time.time()
+    
+    def record_hit(self):
+        """Record a rule hit"""
+        self.hit_count += 1
+        self.last_hit = time.time()
+    
+    def to_dict(self) -> Dict:
+        """Convert rule to dictionary"""
+        return {
+            'rule_id': self.rule_id,
+            'priority': self.priority,
+            'action': self.action.value,
+            'direction': self.direction.value,
+            'source_ip': self.source_ip,
+            'dest_ip': self.dest_ip,
+            'source_port': self.source_port,
+            'dest_port': self.dest_port,
+            'protocol': self.protocol,
+            'description': self.description,
+            'enabled': self.enabled,
+            'created_time': self.created_time,
+            'hit_count': self.hit_count,
+            'last_hit': self.last_hit
+        }
+
+
+@dataclass
+class FirewallLogEntry:
+    """Represents a firewall log entry"""
+    timestamp: float
+    action: str
+    rule_id: Optional[str]
+    source_ip: str
+    dest_ip: str
+    source_port: int
+    dest_port: int
+    protocol: str
+    packet_size: int
+    reason: str = ""
+    
+    def to_dict(self) -> Dict:
+        """Convert log entry to dictionary"""
+        return {
+            'timestamp': self.timestamp,
+            'action': self.action,
+            'rule_id': self.rule_id,
+            'source_ip': self.source_ip,
+            'dest_ip': self.dest_ip,
+            'source_port': self.source_port,
+            'dest_port': self.dest_port,
+            'protocol': self.protocol,
+            'packet_size': self.packet_size,
+            'reason': self.reason
+        }
+
+
+class FirewallEngine:
+    """Firewall engine implementation"""
+    
+    def __init__(self, config: Dict):
+        self.config = config
+        self.rules: Dict[str, FirewallRule] = {}
+        self.logs: List[FirewallLogEntry] = []
+        self.lock = threading.Lock()
+        
+        # Configuration
+        self.default_policy = FirewallAction(config.get('default_policy', 'ACCEPT'))
+        self.log_blocked = config.get('log_blocked', True)
+        self.log_accepted = config.get('log_accepted', False)
+        self.max_log_entries = config.get('max_log_entries', 10000)
+        
+        # Statistics
+        self.stats = {
+            'packets_processed': 0,
+            'packets_accepted': 0,
+            'packets_dropped': 0,
+            'packets_rejected': 0,
+            'rules_hit': 0,
+            'default_policy_hits': 0
+        }
+        
+        # Load initial rules
+        initial_rules = config.get('rules', [])
+        for rule_config in initial_rules:
+            self._add_rule_from_config(rule_config)
+    
+    def _add_rule_from_config(self, rule_config: Dict):
+        """Add rule from configuration"""
+        rule = FirewallRule(
+            rule_id=rule_config['rule_id'],
+            priority=rule_config.get('priority', 100),
+            action=FirewallAction(rule_config['action']),
+            direction=FirewallDirection(rule_config.get('direction', 'BOTH')),
+            source_ip=rule_config.get('source_ip'),
+            dest_ip=rule_config.get('dest_ip'),
+            source_port=rule_config.get('source_port'),
+            dest_port=rule_config.get('dest_port'),
+            protocol=rule_config.get('protocol'),
+            description=rule_config.get('description', ''),
+            enabled=rule_config.get('enabled', True)
+        )
+        
+        with self.lock:
+            self.rules[rule.rule_id] = rule
+    
+    def _match_ip(self, ip: str, pattern: str) -> bool:
+        """Match IP address against pattern (IP or CIDR)"""
+        try:
+            if '/' in pattern:
+                # CIDR notation
+                network = ipaddress.ip_network(pattern, strict=False)
+                return ipaddress.ip_address(ip) in network
+            else:
+                # Exact IP match
+                return ip == pattern
+        except (ipaddress.AddressValueError, ValueError):
+            return False
+    
+    def _match_port(self, port: int, pattern: str) -> bool:
+        """Match port against pattern (port, range, or list)"""
+        try:
+            if ',' in pattern:
+                # List of ports: "80,443,8080"
+                ports = [int(p.strip()) for p in pattern.split(',')]
+                return port in ports
+            elif '-' in pattern:
+                # Port range: "80-90"
+                start, end = map(int, pattern.split('-', 1))
+                return start <= port <= end
+            else:
+                # Single port: "80"
+                return port == int(pattern)
+        except (ValueError, TypeError):
+            return False
+    
+    def _match_protocol(self, protocol: str, pattern: str) -> bool:
+        """Match protocol against pattern"""
+        if pattern is None:
+            return True  # Match any protocol
+        return protocol.upper() == pattern.upper()
+    
+    def _evaluate_rule(self, rule: FirewallRule, packet: ParsedPacket, direction: FirewallDirection) -> bool:
+        """Evaluate if a rule matches a packet"""
+        if not rule.enabled:
+            return False
+        
+        # Check direction
+        if rule.direction != FirewallDirection.BOTH and rule.direction != direction:
+            return False
+        
+        # Check source IP
+        if rule.source_ip and not self._match_ip(packet.ip_header.source_ip, rule.source_ip):
+            return False
+        
+        # Check destination IP
+        if rule.dest_ip and not self._match_ip(packet.ip_header.dest_ip, rule.dest_ip):
+            return False
+        
+        # Check protocol
+        if packet.transport_header:
+            if isinstance(packet.transport_header, TCPHeader):
+                protocol = 'TCP'
+                source_port = packet.transport_header.source_port
+                dest_port = packet.transport_header.dest_port
+            elif isinstance(packet.transport_header, UDPHeader):
+                protocol = 'UDP'
+                source_port = packet.transport_header.source_port
+                dest_port = packet.transport_header.dest_port
+            else:
+                protocol = 'OTHER'
+                source_port = 0
+                dest_port = 0
+        else:
+            protocol = 'OTHER'
+            source_port = 0
+            dest_port = 0
+        
+        if not self._match_protocol(protocol, rule.protocol):
+            return False
+        
+        # Check source port
+        if rule.source_port and not self._match_port(source_port, rule.source_port):
+            return False
+        
+        # Check destination port
+        if rule.dest_port and not self._match_port(dest_port, rule.dest_port):
+            return False
+        
+        return True
+    
+    def _log_packet(self, action: str, packet: ParsedPacket, rule_id: Optional[str] = None, reason: str = ""):
+        """Log packet processing"""
+        if not (self.log_blocked or self.log_accepted):
+            return
+        
+        # Only log if configured
+        if action == 'ACCEPT' and not self.log_accepted:
+            return
+        if action in ['DROP', 'REJECT'] and not self.log_blocked:
+            return
+        
+        # Extract packet information
+        if packet.transport_header:
+            if isinstance(packet.transport_header, (TCPHeader, UDPHeader)):
+                source_port = packet.transport_header.source_port
+                dest_port = packet.transport_header.dest_port
+                protocol = 'TCP' if isinstance(packet.transport_header, TCPHeader) else 'UDP'
+            else:
+                source_port = 0
+                dest_port = 0
+                protocol = 'OTHER'
+        else:
+            source_port = 0
+            dest_port = 0
+            protocol = 'OTHER'
+        
+        log_entry = FirewallLogEntry(
+            timestamp=time.time(),
+            action=action,
+            rule_id=rule_id,
+            source_ip=packet.ip_header.source_ip,
+            dest_ip=packet.ip_header.dest_ip,
+            source_port=source_port,
+            dest_port=dest_port,
+            protocol=protocol,
+            packet_size=len(packet.raw_packet),
+            reason=reason
+        )
+        
+        with self.lock:
+            self.logs.append(log_entry)
+            
+            # Trim logs if too many
+            if len(self.logs) > self.max_log_entries:
+                self.logs = self.logs[-self.max_log_entries:]
+    
+    def process_packet(self, packet: ParsedPacket, direction: FirewallDirection) -> FirewallAction:
+        """Process packet through firewall rules"""
+        self.stats['packets_processed'] += 1
+        
+        # Get sorted rules by priority
+        with self.lock:
+            sorted_rules = sorted(self.rules.values(), key=lambda r: r.priority)
+        
+        # Evaluate rules in order
+        for rule in sorted_rules:
+            if self._evaluate_rule(rule, packet, direction):
+                rule.record_hit()
+                self.stats['rules_hit'] += 1
+                
+                # Log the action
+                self._log_packet(rule.action.value, packet, rule.rule_id, f"Matched rule: {rule.description}")
+                
+                # Update statistics
+                if rule.action == FirewallAction.ACCEPT:
+                    self.stats['packets_accepted'] += 1
+                elif rule.action == FirewallAction.DROP:
+                    self.stats['packets_dropped'] += 1
+                elif rule.action == FirewallAction.REJECT:
+                    self.stats['packets_rejected'] += 1
+                
+                return rule.action
+        
+        # No rule matched, apply default policy
+        self.stats['default_policy_hits'] += 1
+        self._log_packet(self.default_policy.value, packet, None, "Default policy")
+        
+        if self.default_policy == FirewallAction.ACCEPT:
+            self.stats['packets_accepted'] += 1
+        elif self.default_policy == FirewallAction.DROP:
+            self.stats['packets_dropped'] += 1
+        elif self.default_policy == FirewallAction.REJECT:
+            self.stats['packets_rejected'] += 1
+        
+        return self.default_policy
+    
+    def add_rule(self, rule: FirewallRule) -> bool:
+        """Add firewall rule"""
+        with self.lock:
+            if rule.rule_id in self.rules:
+                return False
+            self.rules[rule.rule_id] = rule
+            return True
+    
+    def remove_rule(self, rule_id: str) -> bool:
+        """Remove firewall rule"""
+        with self.lock:
+            if rule_id in self.rules:
+                del self.rules[rule_id]
+                return True
+            return False
+    
+    def update_rule(self, rule_id: str, **kwargs) -> bool:
+        """Update firewall rule"""
+        with self.lock:
+            if rule_id not in self.rules:
+                return False
+            
+            rule = self.rules[rule_id]
+            for key, value in kwargs.items():
+                if hasattr(rule, key):
+                    if key in ['action', 'direction']:
+                        # Handle enum values
+                        if key == 'action':
+                            value = FirewallAction(value)
+                        elif key == 'direction':
+                            value = FirewallDirection(value)
+                    setattr(rule, key, value)
+            
+            return True
+    
+    def enable_rule(self, rule_id: str) -> bool:
+        """Enable firewall rule"""
+        return self.update_rule(rule_id, enabled=True)
+    
+    def disable_rule(self, rule_id: str) -> bool:
+        """Disable firewall rule"""
+        return self.update_rule(rule_id, enabled=False)
+    
+    def get_rules(self) -> List[Dict]:
+        """Get all firewall rules"""
+        with self.lock:
+            return [rule.to_dict() for rule in sorted(self.rules.values(), key=lambda r: r.priority)]
+    
+    def get_rule(self, rule_id: str) -> Optional[Dict]:
+        """Get specific firewall rule"""
+        with self.lock:
+            rule = self.rules.get(rule_id)
+            return rule.to_dict() if rule else None
+    
+    def get_logs(self, limit: int = 100, filter_action: Optional[str] = None) -> List[Dict]:
+        """Get firewall logs"""
+        with self.lock:
+            logs = self.logs.copy()
+        
+        # Filter by action if specified
+        if filter_action:
+            logs = [log for log in logs if log.action == filter_action.upper()]
+        
+        # Return most recent logs
+        return [log.to_dict() for log in logs[-limit:]]
+    
+    def clear_logs(self):
+        """Clear firewall logs"""
+        with self.lock:
+            self.logs.clear()
+    
+    def get_stats(self) -> Dict:
+        """Get firewall statistics"""
+        with self.lock:
+            stats = self.stats.copy()
+            stats['total_rules'] = len(self.rules)
+            stats['enabled_rules'] = sum(1 for rule in self.rules.values() if rule.enabled)
+            stats['log_entries'] = len(self.logs)
+            stats['default_policy'] = self.default_policy.value
+        
+        return stats
+    
+    def reset_stats(self):
+        """Reset firewall statistics"""
+        self.stats = {
+            'packets_processed': 0,
+            'packets_accepted': 0,
+            'packets_dropped': 0,
+            'packets_rejected': 0,
+            'rules_hit': 0,
+            'default_policy_hits': 0
+        }
+        
+        # Reset rule hit counts
+        with self.lock:
+            for rule in self.rules.values():
+                rule.hit_count = 0
+                rule.last_hit = None
+    
+    def set_default_policy(self, policy: str):
+        """Set default firewall policy"""
+        self.default_policy = FirewallAction(policy.upper())
+    
+    def export_rules(self) -> List[Dict]:
+        """Export rules for backup/configuration"""
+        return self.get_rules()
+    
+    def import_rules(self, rules_config: List[Dict], replace: bool = False):
+        """Import rules from configuration"""
+        if replace:
+            with self.lock:
+                self.rules.clear()
+        
+        for rule_config in rules_config:
+            self._add_rule_from_config(rule_config)
+
+
+class FirewallRuleBuilder:
+    """Helper class to build firewall rules"""
+    
+    def __init__(self, rule_id: str):
+        self.rule_id = rule_id
+        self.priority = 100
+        self.action = FirewallAction.ACCEPT
+        self.direction = FirewallDirection.BOTH
+        self.source_ip = None
+        self.dest_ip = None
+        self.source_port = None
+        self.dest_port = None
+        self.protocol = None
+        self.description = ""
+        self.enabled = True
+    
+    def set_priority(self, priority: int) -> 'FirewallRuleBuilder':
+        self.priority = priority
+        return self
+    
+    def set_action(self, action: str) -> 'FirewallRuleBuilder':
+        self.action = FirewallAction(action.upper())
+        return self
+    
+    def set_direction(self, direction: str) -> 'FirewallRuleBuilder':
+        self.direction = FirewallDirection(direction.upper())
+        return self
+    
+    def set_source_ip(self, ip: str) -> 'FirewallRuleBuilder':
+        self.source_ip = ip
+        return self
+    
+    def set_dest_ip(self, ip: str) -> 'FirewallRuleBuilder':
+        self.dest_ip = ip
+        return self
+    
+    def set_source_port(self, port: str) -> 'FirewallRuleBuilder':
+        self.source_port = port
+        return self
+    
+    def set_dest_port(self, port: str) -> 'FirewallRuleBuilder':
+        self.dest_port = port
+        return self
+    
+    def set_protocol(self, protocol: str) -> 'FirewallRuleBuilder':
+        self.protocol = protocol.upper()
+        return self
+    
+    def set_description(self, description: str) -> 'FirewallRuleBuilder':
+        self.description = description
+        return self
+    
+    def set_enabled(self, enabled: bool) -> 'FirewallRuleBuilder':
+        self.enabled = enabled
+        return self
+    
+    def build(self) -> FirewallRule:
+        """Build the firewall rule"""
+        return FirewallRule(
+            rule_id=self.rule_id,
+            priority=self.priority,
+            action=self.action,
+            direction=self.direction,
+            source_ip=self.source_ip,
+            dest_ip=self.dest_ip,
+            source_port=self.source_port,
+            dest_port=self.dest_port,
+            protocol=self.protocol,
+            description=self.description,
+            enabled=self.enabled
+        )
+

core/ip_parser.py

@@ -0,0 +1,546 @@
+"""
+IP Parser/Assembler Module
+
+Handles IPv4 packet parsing and construction:
+- Parse IPv4, UDP, and TCP headers
+- Calculate and verify checksums
+- Handle packet fragmentation and reassembly
+- Support various IP options
+"""
+
+import struct
+import socket
+from typing import Dict, List, Optional, Tuple
+from dataclasses import dataclass
+from enum import Enum
+
+
+class IPProtocol(Enum):
+    ICMP = 1
+    TCP = 6
+    UDP = 17
+
+
+@dataclass
+class IPv4Header:
+    """IPv4 header structure"""
+    version: int = 4
+    ihl: int = 5  # Internet Header Length (in 32-bit words)
+    tos: int = 0  # Type of Service
+    total_length: int = 0
+    identification: int = 0
+    flags: int = 0  # 3 bits: Reserved, Don't Fragment, More Fragments
+    fragment_offset: int = 0  # 13 bits
+    ttl: int = 64  # Time to Live
+    protocol: int = 0
+    header_checksum: int = 0
+    source_ip: str = '0.0.0.0'
+    dest_ip: str = '0.0.0.0'
+    options: bytes = b''
+    
+    @property
+    def header_length(self) -> int:
+        """Get header length in bytes"""
+        return self.ihl * 4
+    
+    @property
+    def dont_fragment(self) -> bool:
+        """Check if Don't Fragment flag is set"""
+        return bool(self.flags & 0x2)
+    
+    @property
+    def more_fragments(self) -> bool:
+        """Check if More Fragments flag is set"""
+        return bool(self.flags & 0x1)
+    
+    @property
+    def is_fragment(self) -> bool:
+        """Check if this is a fragment"""
+        return self.more_fragments or self.fragment_offset > 0
+
+
+@dataclass
+class TCPHeader:
+    """TCP header structure"""
+    source_port: int = 0
+    dest_port: int = 0
+    seq_num: int = 0
+    ack_num: int = 0
+    data_offset: int = 5  # Header length in 32-bit words
+    reserved: int = 0
+    flags: int = 0  # 9 bits: NS, CWR, ECE, URG, ACK, PSH, RST, SYN, FIN
+    window_size: int = 65535
+    checksum: int = 0
+    urgent_pointer: int = 0
+    options: bytes = b''
+    
+    @property
+    def header_length(self) -> int:
+        """Get header length in bytes"""
+        return self.data_offset * 4
+    
+    # TCP Flag properties
+    @property
+    def fin(self) -> bool:
+        return bool(self.flags & 0x01)
+    
+    @property
+    def syn(self) -> bool:
+        return bool(self.flags & 0x02)
+    
+    @property
+    def rst(self) -> bool:
+        return bool(self.flags & 0x04)
+    
+    @property
+    def psh(self) -> bool:
+        return bool(self.flags & 0x08)
+    
+    @property
+    def ack(self) -> bool:
+        return bool(self.flags & 0x10)
+    
+    @property
+    def urg(self) -> bool:
+        return bool(self.flags & 0x20)
+    
+    def set_flag(self, flag_name: str, value: bool = True):
+        """Set TCP flag"""
+        flag_bits = {
+            'fin': 0x01, 'syn': 0x02, 'rst': 0x04, 'psh': 0x08,
+            'ack': 0x10, 'urg': 0x20, 'ece': 0x40, 'cwr': 0x80, 'ns': 0x100
+        }
+        
+        if flag_name.lower() in flag_bits:
+            bit = flag_bits[flag_name.lower()]
+            if value:
+                self.flags |= bit
+            else:
+                self.flags &= ~bit
+
+
+@dataclass
+class UDPHeader:
+    """UDP header structure"""
+    source_port: int = 0
+    dest_port: int = 0
+    length: int = 8  # Header + data length
+    checksum: int = 0
+    
+    @property
+    def header_length(self) -> int:
+        """Get header length in bytes (always 8 for UDP)"""
+        return 8
+
+
+@dataclass
+class ParsedPacket:
+    """Parsed packet structure"""
+    ip_header: IPv4Header
+    transport_header: Optional[object] = None  # TCPHeader or UDPHeader
+    payload: bytes = b''
+    raw_packet: bytes = b''
+
+
+class IPParser:
+    """IPv4 packet parser and assembler"""
+    
+    @staticmethod
+    def calculate_checksum(data: bytes) -> int:
+        """Calculate Internet checksum"""
+        # Pad data to even length
+        if len(data) % 2:
+            data += b'\x00'
+        
+        checksum = 0
+        for i in range(0, len(data), 2):
+            word = (data[i] << 8) + data[i + 1]
+            checksum += word
+        
+        # Add carry bits
+        while checksum >> 16:
+            checksum = (checksum & 0xFFFF) + (checksum >> 16)
+        
+        # One's complement
+        return (~checksum) & 0xFFFF
+    
+    @staticmethod
+    def verify_checksum(data: bytes, checksum: int) -> bool:
+        """Verify Internet checksum"""
+        calculated = IPParser.calculate_checksum(data)
+        return calculated == checksum or (calculated + checksum) == 0xFFFF
+    
+    @classmethod
+    def parse_ipv4_header(cls, data: bytes) -> Tuple[IPv4Header, int]:
+        """Parse IPv4 header from raw bytes"""
+        if len(data) < 20:
+            raise ValueError("IPv4 header too short")
+        
+        # Parse fixed part of header
+        header_data = struct.unpack('!BBHHHBBH4s4s', data[:20])
+        
+        header = IPv4Header()
+        version_ihl = header_data[0]
+        header.version = (version_ihl >> 4) & 0xF
+        header.ihl = version_ihl & 0xF
+        header.tos = header_data[1]
+        header.total_length = header_data[2]
+        header.identification = header_data[3]
+        flags_fragment = header_data[4]
+        header.flags = (flags_fragment >> 13) & 0x7
+        header.fragment_offset = flags_fragment & 0x1FFF
+        header.ttl = header_data[5]
+        header.protocol = header_data[6]
+        header.header_checksum = header_data[7]
+        header.source_ip = socket.inet_ntoa(header_data[8])
+        header.dest_ip = socket.inet_ntoa(header_data[9])
+        
+        # Validate version
+        if header.version != 4:
+            raise ValueError(f"Unsupported IP version: {header.version}")
+        
+        # Parse options if present
+        options_length = header.header_length - 20
+        if options_length > 0:
+            if len(data) < 20 + options_length:
+                raise ValueError("IPv4 options truncated")
+            header.options = data[20:20 + options_length]
+        
+        return header, header.header_length
+    
+    @classmethod
+    def parse_tcp_header(cls, data: bytes) -> Tuple[TCPHeader, int]:
+        """Parse TCP header from raw bytes"""
+        if len(data) < 20:
+            raise ValueError("TCP header too short")
+        
+        # Parse fixed part of header
+        header_data = struct.unpack('!HHIIBBHHH', data[:20])
+        
+        header = TCPHeader()
+        header.source_port = header_data[0]
+        header.dest_port = header_data[1]
+        header.seq_num = header_data[2]
+        header.ack_num = header_data[3]
+        offset_reserved = header_data[4]
+        header.data_offset = (offset_reserved >> 4) & 0xF
+        header.reserved = (offset_reserved >> 1) & 0x7
+        header.flags = ((offset_reserved & 0x1) << 8) | header_data[5]
+        header.window_size = header_data[6]
+        header.checksum = header_data[7]
+        header.urgent_pointer = header_data[8]
+        
+        # Parse options if present
+        options_length = header.header_length - 20
+        if options_length > 0:
+            if len(data) < 20 + options_length:
+                raise ValueError("TCP options truncated")
+            header.options = data[20:20 + options_length]
+        
+        return header, header.header_length
+    
+    @classmethod
+    def parse_udp_header(cls, data: bytes) -> Tuple[UDPHeader, int]:
+        """Parse UDP header from raw bytes"""
+        if len(data) < 8:
+            raise ValueError("UDP header too short")
+        
+        header_data = struct.unpack('!HHHH', data[:8])
+        
+        header = UDPHeader()
+        header.source_port = header_data[0]
+        header.dest_port = header_data[1]
+        header.length = header_data[2]
+        header.checksum = header_data[3]
+        
+        return header, 8
+    
+    @classmethod
+    def parse_packet(cls, data: bytes) -> ParsedPacket:
+        """Parse complete packet"""
+        packet = ParsedPacket(raw_packet=data)
+        
+        # Parse IP header
+        packet.ip_header, ip_header_len = cls.parse_ipv4_header(data)
+        
+        # Extract payload after IP header
+        ip_payload = data[ip_header_len:packet.ip_header.total_length]
+        
+        # Parse transport layer header
+        if packet.ip_header.protocol == IPProtocol.TCP.value:
+            packet.transport_header, transport_header_len = cls.parse_tcp_header(ip_payload)
+            packet.payload = ip_payload[transport_header_len:]
+        elif packet.ip_header.protocol == IPProtocol.UDP.value:
+            packet.transport_header, transport_header_len = cls.parse_udp_header(ip_payload)
+            packet.payload = ip_payload[transport_header_len:]
+        else:
+            # Unsupported protocol, treat as raw payload
+            packet.payload = ip_payload
+        
+        return packet
+    
+    @classmethod
+    def build_ipv4_header(cls, header: IPv4Header) -> bytes:
+        """Build IPv4 header as bytes"""
+        # Calculate header length including options
+        header.ihl = (20 + len(header.options) + 3) // 4  # Round up to 32-bit boundary
+        
+        # Build header without checksum
+        version_ihl = (header.version << 4) | header.ihl
+        flags_fragment = (header.flags << 13) | header.fragment_offset
+        
+        header_data = struct.pack(
+            '!BBHHHBBH4s4s',
+            version_ihl, header.tos, header.total_length,
+            header.identification, flags_fragment,
+            header.ttl, header.protocol, 0,  # Checksum = 0 for calculation
+            socket.inet_aton(header.source_ip),
+            socket.inet_aton(header.dest_ip)
+        )
+        
+        # Add options and padding
+        if header.options:
+            header_data += header.options
+            # Pad to 32-bit boundary
+            padding_needed = (header.ihl * 4) - len(header_data)
+            if padding_needed > 0:
+                header_data += b'\x00' * padding_needed
+        
+        # Calculate and insert checksum
+        checksum = cls.calculate_checksum(header_data)
+        header_data = header_data[:10] + struct.pack('!H', checksum) + header_data[12:]
+        
+        return header_data
+    
+    @classmethod
+    def build_tcp_header(cls, header: TCPHeader, source_ip: str, dest_ip: str, payload: bytes) -> bytes:
+        """Build TCP header as bytes with checksum"""
+        # Calculate header length including options
+        header.data_offset = (20 + len(header.options) + 3) // 4  # Round up to 32-bit boundary
+        
+        # Build header without checksum
+        offset_reserved_flags = (header.data_offset << 12) | (header.reserved << 9) | header.flags
+        
+        header_data = struct.pack(
+            '!HHIIHHH',
+            header.source_port, header.dest_port,
+            header.seq_num, header.ack_num,
+            offset_reserved_flags, header.window_size,
+            0, header.urgent_pointer  # Checksum = 0 for calculation
+        )
+        
+        # Add options and padding
+        if header.options:
+            header_data += header.options
+            # Pad to 32-bit boundary
+            padding_needed = (header.data_offset * 4) - len(header_data)
+            if padding_needed > 0:
+                header_data += b'\x00' * padding_needed
+        
+        # Calculate TCP checksum with pseudo-header
+        pseudo_header = struct.pack(
+            '!4s4sBBH',
+            socket.inet_aton(source_ip),
+            socket.inet_aton(dest_ip),
+            0, IPProtocol.TCP.value,
+            len(header_data) + len(payload)
+        )
+        
+        checksum_data = pseudo_header + header_data + payload
+        checksum = cls.calculate_checksum(checksum_data)
+        
+        # Insert checksum
+        header_data = header_data[:16] + struct.pack('!H', checksum) + header_data[18:]
+        
+        return header_data
+    
+    @classmethod
+    def build_udp_header(cls, header: UDPHeader, source_ip: str, dest_ip: str, payload: bytes) -> bytes:
+        """Build UDP header as bytes with checksum"""
+        header.length = 8 + len(payload)
+        
+        # Build header without checksum
+        header_data = struct.pack(
+            '!HHHH',
+            header.source_port, header.dest_port,
+            header.length, 0  # Checksum = 0 for calculation
+        )
+        
+        # Calculate UDP checksum with pseudo-header (optional for IPv4)
+        if header.checksum != 0:  # If checksum is required
+            pseudo_header = struct.pack(
+                '!4s4sBBH',
+                socket.inet_aton(source_ip),
+                socket.inet_aton(dest_ip),
+                0, IPProtocol.UDP.value,
+                header.length
+            )
+            
+            checksum_data = pseudo_header + header_data + payload
+            checksum = cls.calculate_checksum(checksum_data)
+            
+            # Insert checksum
+            header_data = header_data[:6] + struct.pack('!H', checksum) + header_data[8:]
+        
+        return header_data
+    
+    @classmethod
+    def build_packet(cls, ip_header: IPv4Header, transport_header: Optional[object] = None, payload: bytes = b'') -> bytes:
+        """Build complete packet"""
+        transport_data = b''
+        
+        # Build transport header
+        if transport_header:
+            if isinstance(transport_header, TCPHeader):
+                transport_data = cls.build_tcp_header(
+                    transport_header, ip_header.source_ip, ip_header.dest_ip, payload
+                )
+            elif isinstance(transport_header, UDPHeader):
+                transport_data = cls.build_udp_header(
+                    transport_header, ip_header.source_ip, ip_header.dest_ip, payload
+                )
+        
+        # Update IP header total length
+        ip_header.total_length = ip_header.header_length + len(transport_data) + len(payload)
+        
+        # Build IP header
+        ip_data = cls.build_ipv4_header(ip_header)
+        
+        # Combine all parts
+        return ip_data + transport_data + payload
+
+
+class PacketFragmenter:
+    """Handle packet fragmentation and reassembly"""
+    
+    def __init__(self, mtu: int = 1500):
+        self.mtu = mtu
+        self.fragments: Dict[Tuple[str, str, int], List[Tuple[int, bytes]]] = {}  # (src, dst, id) -> [(offset, data)]
+    
+    def fragment_packet(self, packet: bytes, mtu: int = None) -> List[bytes]:
+        """Fragment a packet if it exceeds MTU"""
+        if mtu is None:
+            mtu = self.mtu
+        
+        if len(packet) <= mtu:
+            return [packet]
+        
+        # Parse original packet
+        parsed = IPParser.parse_packet(packet)
+        ip_header = parsed.ip_header
+        
+        # Don't fragment if DF flag is set
+        if ip_header.dont_fragment:
+            raise ValueError("Packet too large and Don't Fragment flag is set")
+        
+        fragments = []
+        payload_mtu = mtu - ip_header.header_length
+        payload_mtu = (payload_mtu // 8) * 8  # Must be multiple of 8 bytes
+        
+        # Get the payload to fragment (everything after IP header)
+        payload_start = ip_header.header_length
+        payload = packet[payload_start:]
+        
+        offset = 0
+        while offset < len(payload):
+            # Create fragment
+            fragment_payload = payload[offset:offset + payload_mtu]
+            
+            # Create new IP header for fragment
+            frag_header = IPv4Header(
+                version=ip_header.version,
+                ihl=ip_header.ihl,
+                tos=ip_header.tos,
+                identification=ip_header.identification,
+                ttl=ip_header.ttl,
+                protocol=ip_header.protocol,
+                source_ip=ip_header.source_ip,
+                dest_ip=ip_header.dest_ip,
+                options=ip_header.options
+            )
+            
+            # Set fragment offset and flags
+            frag_header.fragment_offset = (ip_header.fragment_offset * 8 + offset) // 8
+            frag_header.flags = ip_header.flags
+            
+            # Set More Fragments flag if not last fragment
+            if offset + len(fragment_payload) < len(payload):
+                frag_header.flags |= 0x1  # More Fragments
+            else:
+                frag_header.flags &= ~0x1  # Clear More Fragments
+            
+            # Build fragment
+            fragment = IPParser.build_packet(frag_header, payload=fragment_payload)
+            fragments.append(fragment)
+            
+            offset += len(fragment_payload)
+        
+        return fragments
+    
+    def reassemble_packet(self, packet: bytes) -> Optional[bytes]:
+        """Reassemble fragmented packet"""
+        parsed = IPParser.parse_packet(packet)
+        ip_header = parsed.ip_header
+        
+        # If not a fragment, return as-is
+        if not ip_header.is_fragment:
+            return packet
+        
+        # Create fragment key
+        key = (ip_header.source_ip, ip_header.dest_ip, ip_header.identification)
+        
+        # Store fragment
+        if key not in self.fragments:
+            self.fragments[key] = []
+        
+        payload_start = ip_header.header_length
+        fragment_data = packet[payload_start:]
+        self.fragments[key].append((ip_header.fragment_offset * 8, fragment_data))
+        
+        # Check if we have all fragments
+        fragments = sorted(self.fragments[key])
+        
+        # Verify we have contiguous fragments starting from 0
+        expected_offset = 0
+        complete_payload = b''
+        
+        for offset, data in fragments:
+            if offset != expected_offset:
+                return None  # Missing fragment
+            
+            complete_payload += data
+            expected_offset += len(data)
+        
+        # Check if last fragment (no More Fragments flag)
+        last_fragment = None
+        for frag_packet in [packet]:  # We only have current packet, need to track all
+            frag_parsed = IPParser.parse_packet(frag_packet)
+            if not frag_parsed.ip_header.more_fragments:
+                last_fragment = frag_parsed
+                break
+        
+        if last_fragment is None:
+            return None  # Don't have last fragment yet
+        
+        # Reassemble complete packet
+        complete_header = IPv4Header(
+            version=ip_header.version,
+            ihl=ip_header.ihl,
+            tos=ip_header.tos,
+            identification=ip_header.identification,
+            flags=ip_header.flags & ~0x1,  # Clear More Fragments
+            fragment_offset=0,
+            ttl=ip_header.ttl,
+            protocol=ip_header.protocol,
+            source_ip=ip_header.source_ip,
+            dest_ip=ip_header.dest_ip,
+            options=ip_header.options
+        )
+        
+        complete_packet = IPParser.build_packet(complete_header, payload=complete_payload)
+        
+        # Clean up fragments
+        del self.fragments[key]
+        
+        return complete_packet
+

core/logger.py

@@ -0,0 +1,555 @@
+"""
+Logger Module
+
+Centralized logging system for the virtual ISP stack:
+- Structured logging with multiple levels
+- Log aggregation and filtering
+- Real-time log streaming
+- Log persistence and rotation
+"""
+
+import logging
+import logging.handlers
+import time
+import threading
+import json
+import os
+from typing import Dict, List, Optional, Any, Callable
+from dataclasses import dataclass, asdict
+from enum import Enum
+from collections import deque
+import queue
+
+
+class LogLevel(Enum):
+    DEBUG = "DEBUG"
+    INFO = "INFO"
+    WARNING = "WARNING"
+    ERROR = "ERROR"
+    CRITICAL = "CRITICAL"
+
+
+class LogCategory(Enum):
+    SYSTEM = "SYSTEM"
+    DHCP = "DHCP"
+    NAT = "NAT"
+    FIREWALL = "FIREWALL"
+    TCP = "TCP"
+    ROUTER = "ROUTER"
+    BRIDGE = "BRIDGE"
+    SOCKET = "SOCKET"
+    SESSION = "SESSION"
+    SECURITY = "SECURITY"
+    PERFORMANCE = "PERFORMANCE"
+
+
+@dataclass
+class LogEntry:
+    """Structured log entry"""
+    timestamp: float
+    level: str
+    category: str
+    module: str
+    message: str
+    session_id: Optional[str] = None
+    client_id: Optional[str] = None
+    source_ip: Optional[str] = None
+    dest_ip: Optional[str] = None
+    protocol: Optional[str] = None
+    metadata: Dict[str, Any] = None
+    
+    def __post_init__(self):
+        if self.timestamp == 0:
+            self.timestamp = time.time()
+        if self.metadata is None:
+            self.metadata = {}
+    
+    def to_dict(self) -> Dict:
+        """Convert to dictionary"""
+        return asdict(self)
+    
+    def to_json(self) -> str:
+        """Convert to JSON string"""
+        return json.dumps(self.to_dict(), default=str)
+
+
+class LogFilter:
+    """Log filtering class"""
+    
+    def __init__(self):
+        self.level_filter: Optional[LogLevel] = None
+        self.category_filter: Optional[LogCategory] = None
+        self.module_filter: Optional[str] = None
+        self.session_filter: Optional[str] = None
+        self.client_filter: Optional[str] = None
+        self.ip_filter: Optional[str] = None
+        self.text_filter: Optional[str] = None
+        self.time_range: Optional[tuple] = None
+    
+    def matches(self, entry: LogEntry) -> bool:
+        """Check if log entry matches filter criteria"""
+        # Level filter
+        if self.level_filter:
+            entry_level_value = getattr(logging, entry.level)
+            filter_level_value = getattr(logging, self.level_filter.value)
+            if entry_level_value < filter_level_value:
+                return False
+        
+        # Category filter
+        if self.category_filter and entry.category != self.category_filter.value:
+            return False
+        
+        # Module filter
+        if self.module_filter and self.module_filter.lower() not in entry.module.lower():
+            return False
+        
+        # Session filter
+        if self.session_filter and entry.session_id != self.session_filter:
+            return False
+        
+        # Client filter
+        if self.client_filter and entry.client_id != self.client_filter:
+            return False
+        
+        # IP filter
+        if self.ip_filter:
+            if (entry.source_ip != self.ip_filter and 
+                entry.dest_ip != self.ip_filter):
+                return False
+        
+        # Text filter
+        if self.text_filter and self.text_filter.lower() not in entry.message.lower():
+            return False
+        
+        # Time range filter
+        if self.time_range:
+            start_time, end_time = self.time_range
+            if not (start_time <= entry.timestamp <= end_time):
+                return False
+        
+        return True
+
+
+class LogSubscriber:
+    """Log subscriber for real-time streaming"""
+    
+    def __init__(self, subscriber_id: str, callback: Callable[[LogEntry], None], 
+                 log_filter: Optional[LogFilter] = None):
+        self.subscriber_id = subscriber_id
+        self.callback = callback
+        self.filter = log_filter or LogFilter()
+        self.created_time = time.time()
+        self.message_count = 0
+        self.last_message_time = None
+        self.is_active = True
+    
+    def send_log(self, entry: LogEntry) -> bool:
+        """Send log entry to subscriber if it matches filter"""
+        if not self.is_active:
+            return False
+        
+        if self.filter.matches(entry):
+            try:
+                self.callback(entry)
+                self.message_count += 1
+                self.last_message_time = time.time()
+                return True
+            except Exception as e:
+                print(f"Error sending log to subscriber {self.subscriber_id}: {e}")
+                self.is_active = False
+                return False
+        
+        return False
+
+
+class VirtualISPLogger:
+    """Centralized logger for Virtual ISP stack"""
+    
+    def __init__(self, config: Dict):
+        self.config = config
+        self.log_entries: deque = deque(maxlen=config.get('max_memory_logs', 10000))
+        self.subscribers: Dict[str, LogSubscriber] = {}
+        self.lock = threading.Lock()
+        
+        # Configuration
+        self.log_level = LogLevel(config.get('log_level', 'INFO'))
+        self.log_to_file = config.get('log_to_file', True)
+        self.log_file_path = config.get('log_file_path', '/tmp/virtual_isp.log')
+        self.log_file_max_size = config.get('log_file_max_size', 10 * 1024 * 1024)  # 10MB
+        self.log_file_backup_count = config.get('log_file_backup_count', 5)
+        self.log_to_console = config.get('log_to_console', True)
+        self.structured_logging = config.get('structured_logging', True)
+        
+        # Statistics
+        self.stats = {
+            'total_logs': 0,
+            'logs_by_level': {level.value: 0 for level in LogLevel},
+            'logs_by_category': {cat.value: 0 for cat in LogCategory},
+            'active_subscribers': 0,
+            'file_logs_written': 0,
+            'console_logs_written': 0,
+            'dropped_logs': 0
+        }
+        
+        # Setup logging
+        self._setup_logging()
+        
+        # Background processing
+        self.running = False
+        self.log_queue = queue.Queue()
+        self.processing_thread = None
+    
+    def _setup_logging(self):
+        """Setup Python logging infrastructure"""
+        # Create logger
+        self.logger = logging.getLogger('virtual_isp')
+        self.logger.setLevel(getattr(logging, self.log_level.value))
+        
+        # Remove existing handlers
+        for handler in self.logger.handlers[:]:
+            self.logger.removeHandler(handler)
+        
+        # Console handler
+        if self.log_to_console:
+            console_handler = logging.StreamHandler()
+            if self.structured_logging:
+                console_formatter = logging.Formatter(
+                    '%(asctime)s - %(name)s - %(levelname)s - %(message)s'
+                )
+            else:
+                console_formatter = logging.Formatter('%(message)s')
+            console_handler.setFormatter(console_formatter)
+            self.logger.addHandler(console_handler)
+        
+        # File handler with rotation
+        if self.log_to_file:
+            # Ensure log directory exists
+            log_dir = os.path.dirname(self.log_file_path)
+            if log_dir and not os.path.exists(log_dir):
+                os.makedirs(log_dir, exist_ok=True)
+            
+            file_handler = logging.handlers.RotatingFileHandler(
+                self.log_file_path,
+                maxBytes=self.log_file_max_size,
+                backupCount=self.log_file_backup_count
+            )
+            
+            if self.structured_logging:
+                file_formatter = logging.Formatter(
+                    '%(asctime)s - %(name)s - %(levelname)s - %(message)s'
+                )
+            else:
+                file_formatter = logging.Formatter('%(message)s')
+            
+            file_handler.setFormatter(file_formatter)
+            self.logger.addHandler(file_handler)
+    
+    def _process_log_queue(self):
+        """Background thread to process log queue"""
+        while self.running:
+            try:
+                # Get log entry from queue (with timeout)
+                try:
+                    entry = self.log_queue.get(timeout=1.0)
+                except queue.Empty:
+                    continue
+                
+                # Store in memory
+                with self.lock:
+                    self.log_entries.append(entry)
+                
+                # Send to subscribers
+                inactive_subscribers = []
+                with self.lock:
+                    for subscriber_id, subscriber in self.subscribers.items():
+                        if not subscriber.send_log(entry):
+                            inactive_subscribers.append(subscriber_id)
+                
+                # Remove inactive subscribers
+                for subscriber_id in inactive_subscribers:
+                    self.remove_subscriber(subscriber_id)
+                
+                # Update statistics
+                self.stats['total_logs'] += 1
+                self.stats['logs_by_level'][entry.level] += 1
+                self.stats['logs_by_category'][entry.category] += 1
+                
+                # Mark task as done
+                self.log_queue.task_done()
+            
+            except Exception as e:
+                print(f"Error processing log queue: {e}")
+                time.sleep(1)
+    
+    def log(self, level: LogLevel, category: LogCategory, module: str, message: str, 
+            session_id: Optional[str] = None, client_id: Optional[str] = None,
+            source_ip: Optional[str] = None, dest_ip: Optional[str] = None,
+            protocol: Optional[str] = None, **metadata):
+        """Log a message"""
+        # Check if we should log this level
+        level_value = getattr(logging, level.value)
+        min_level_value = getattr(logging, self.log_level.value)
+        if level_value < min_level_value:
+            return
+        
+        # Create log entry
+        entry = LogEntry(
+            timestamp=time.time(),
+            level=level.value,
+            category=category.value,
+            module=module,
+            message=message,
+            session_id=session_id,
+            client_id=client_id,
+            source_ip=source_ip,
+            dest_ip=dest_ip,
+            protocol=protocol,
+            metadata=metadata
+        )
+        
+        # Add to queue for background processing
+        try:
+            self.log_queue.put_nowait(entry)
+        except queue.Full:
+            self.stats['dropped_logs'] += 1
+        
+        # Also log through Python logging system
+        if self.structured_logging:
+            log_data = entry.to_dict()
+            log_message = f"{message} | {json.dumps(log_data, default=str)}"
+        else:
+            log_message = message
+        
+        # Log to Python logger
+        python_logger_level = getattr(logging, level.value)
+        self.logger.log(python_logger_level, log_message)
+        
+        # Update console/file stats
+        if self.log_to_console:
+            self.stats['console_logs_written'] += 1
+        if self.log_to_file:
+            self.stats['file_logs_written'] += 1
+    
+    def debug(self, category: LogCategory, module: str, message: str, **kwargs):
+        """Log debug message"""
+        self.log(LogLevel.DEBUG, category, module, message, **kwargs)
+    
+    def info(self, category: LogCategory, module: str, message: str, **kwargs):
+        """Log info message"""
+        self.log(LogLevel.INFO, category, module, message, **kwargs)
+    
+    def warning(self, category: LogCategory, module: str, message: str, **kwargs):
+        """Log warning message"""
+        self.log(LogLevel.WARNING, category, module, message, **kwargs)
+    
+    def error(self, category: LogCategory, module: str, message: str, **kwargs):
+        """Log error message"""
+        self.log(LogLevel.ERROR, category, module, message, **kwargs)
+    
+    def critical(self, category: LogCategory, module: str, message: str, **kwargs):
+        """Log critical message"""
+        self.log(LogLevel.CRITICAL, category, module, message, **kwargs)
+    
+    def add_subscriber(self, subscriber_id: str, callback: Callable[[LogEntry], None], 
+                      log_filter: Optional[LogFilter] = None) -> bool:
+        """Add log subscriber for real-time streaming"""
+        with self.lock:
+            if subscriber_id in self.subscribers:
+                return False
+            
+            subscriber = LogSubscriber(subscriber_id, callback, log_filter)
+            self.subscribers[subscriber_id] = subscriber
+            self.stats['active_subscribers'] = len(self.subscribers)
+            
+            return True
+    
+    def remove_subscriber(self, subscriber_id: str) -> bool:
+        """Remove log subscriber"""
+        with self.lock:
+            if subscriber_id in self.subscribers:
+                del self.subscribers[subscriber_id]
+                self.stats['active_subscribers'] = len(self.subscribers)
+                return True
+            return False
+    
+    def get_logs(self, limit: int = 100, offset: int = 0, 
+                log_filter: Optional[LogFilter] = None) -> List[Dict]:
+        """Get logs with filtering and pagination"""
+        with self.lock:
+            # Convert deque to list for easier manipulation
+            all_logs = list(self.log_entries)
+        
+        # Apply filter
+        if log_filter:
+            filtered_logs = [entry for entry in all_logs if log_filter.matches(entry)]
+        else:
+            filtered_logs = all_logs
+        
+        # Sort by timestamp (newest first)
+        filtered_logs.sort(key=lambda x: x.timestamp, reverse=True)
+        
+        # Apply pagination
+        paginated_logs = filtered_logs[offset:offset + limit]
+        
+        return [entry.to_dict() for entry in paginated_logs]
+    
+    def search_logs(self, query: str, limit: int = 100) -> List[Dict]:
+        """Search logs by text query"""
+        log_filter = LogFilter()
+        log_filter.text_filter = query
+        
+        return self.get_logs(limit=limit, log_filter=log_filter)
+    
+    def get_logs_by_session(self, session_id: str, limit: int = 100) -> List[Dict]:
+        """Get logs for specific session"""
+        log_filter = LogFilter()
+        log_filter.session_filter = session_id
+        
+        return self.get_logs(limit=limit, log_filter=log_filter)
+    
+    def get_logs_by_client(self, client_id: str, limit: int = 100) -> List[Dict]:
+        """Get logs for specific client"""
+        log_filter = LogFilter()
+        log_filter.client_filter = client_id
+        
+        return self.get_logs(limit=limit, log_filter=log_filter)
+    
+    def get_logs_by_ip(self, ip_address: str, limit: int = 100) -> List[Dict]:
+        """Get logs for specific IP address"""
+        log_filter = LogFilter()
+        log_filter.ip_filter = ip_address
+        
+        return self.get_logs(limit=limit, log_filter=log_filter)
+    
+    def get_recent_errors(self, limit: int = 50) -> List[Dict]:
+        """Get recent error and critical logs"""
+        log_filter = LogFilter()
+        log_filter.level_filter = LogLevel.ERROR
+        
+        return self.get_logs(limit=limit, log_filter=log_filter)
+    
+    def clear_logs(self):
+        """Clear all logs from memory"""
+        with self.lock:
+            self.log_entries.clear()
+    
+    def get_stats(self) -> Dict:
+        """Get logging statistics"""
+        with self.lock:
+            stats = self.stats.copy()
+            stats['memory_logs_count'] = len(self.log_entries)
+            stats['active_subscribers'] = len(self.subscribers)
+            stats['queue_size'] = self.log_queue.qsize()
+        
+        return stats
+    
+    def reset_stats(self):
+        """Reset logging statistics"""
+        self.stats = {
+            'total_logs': 0,
+            'logs_by_level': {level.value: 0 for level in LogLevel},
+            'logs_by_category': {cat.value: 0 for cat in LogCategory},
+            'active_subscribers': len(self.subscribers),
+            'file_logs_written': 0,
+            'console_logs_written': 0,
+            'dropped_logs': 0
+        }
+    
+    def export_logs(self, format: str = 'json', log_filter: Optional[LogFilter] = None) -> str:
+        """Export logs in specified format"""
+        logs = self.get_logs(limit=10000, log_filter=log_filter)
+        
+        if format == 'json':
+            return json.dumps(logs, indent=2, default=str)
+        elif format == 'csv':
+            import csv
+            import io
+            
+            output = io.StringIO()
+            if logs:
+                writer = csv.DictWriter(output, fieldnames=logs[0].keys())
+                writer.writeheader()
+                writer.writerows(logs)
+            
+            return output.getvalue()
+        else:
+            raise ValueError(f"Unsupported export format: {format}")
+    
+    def set_log_level(self, level: LogLevel):
+        """Set logging level"""
+        self.log_level = level
+        self.logger.setLevel(getattr(logging, level.value))
+    
+    def start(self):
+        """Start logger"""
+        self.running = True
+        self.processing_thread = threading.Thread(target=self._process_log_queue, daemon=True)
+        self.processing_thread.start()
+        
+        self.info(LogCategory.SYSTEM, 'logger', 'Virtual ISP Logger started')
+    
+    def stop(self):
+        """Stop logger"""
+        self.info(LogCategory.SYSTEM, 'logger', 'Virtual ISP Logger stopping')
+        
+        self.running = False
+        
+        # Wait for queue to be processed
+        self.log_queue.join()
+        
+        # Wait for processing thread
+        if self.processing_thread:
+            self.processing_thread.join()
+        
+        # Remove all subscribers
+        with self.lock:
+            self.subscribers.clear()
+        
+        print("Virtual ISP Logger stopped")
+
+
+# Global logger instance
+_global_logger: Optional[VirtualISPLogger] = None
+
+
+def get_logger() -> Optional[VirtualISPLogger]:
+    """Get global logger instance"""
+    return _global_logger
+
+
+def init_logger(config: Dict) -> VirtualISPLogger:
+    """Initialize global logger"""
+    global _global_logger
+    _global_logger = VirtualISPLogger(config)
+    return _global_logger
+
+
+def log_debug(category: LogCategory, module: str, message: str, **kwargs):
+    """Global debug logging function"""
+    if _global_logger:
+        _global_logger.debug(category, module, message, **kwargs)
+
+
+def log_info(category: LogCategory, module: str, message: str, **kwargs):
+    """Global info logging function"""
+    if _global_logger:
+        _global_logger.info(category, module, message, **kwargs)
+
+
+def log_warning(category: LogCategory, module: str, message: str, **kwargs):
+    """Global warning logging function"""
+    if _global_logger:
+        _global_logger.warning(category, module, message, **kwargs)
+
+
+def log_error(category: LogCategory, module: str, message: str, **kwargs):
+    """Global error logging function"""
+    if _global_logger:
+        _global_logger.error(category, module, message, **kwargs)
+
+
+def log_critical(category: LogCategory, module: str, message: str, **kwargs):
+    """Global critical logging function"""
+    if _global_logger:
+        _global_logger.critical(category, module, message, **kwargs)
+

core/nat_engine.py

@@ -0,0 +1,638 @@
+"""
+NAT Engine Module
+
+Implements Network Address Translation:
+- Map (virtualIP, virtualPort) to (hostIP, hostPort)
+- Maintain connection tracking table
+- Handle port allocation and deallocation
+- Support connection state tracking
+"""
+
+import time
+import threading
+import socket
+import random
+import struct
+from typing import Dict, Optional, Tuple, Set
+from dataclasses import dataclass
+from enum import Enum
+
+# Assuming IPProtocol is defined elsewhere or will be defined
+# from .ip_parser import IPProtocol
+
+class NATType(Enum):
+    SNAT = "SNAT"  # Source NAT
+    DNAT = "DNAT"  # Destination NAT
+
+
+@dataclass
+class NATSession:
+    """Represents a NAT session"""
+    # Virtual (internal) endpoint
+    virtual_ip: str
+    virtual_port: int
+    
+    # Real (external) endpoint
+    real_ip: str
+    real_port: int
+    
+    # Host (translated) endpoint
+    host_ip: str
+    host_port: int
+    
+    # Session metadata
+    protocol: int  # IP protocol number (e.g., 6 for TCP, 17 for UDP)
+    nat_type: NATType
+    created_time: float
+    last_activity: float
+    bytes_in: int = 0
+    bytes_out: int = 0
+    packets_in: int = 0
+    packets_out: int = 0
+    
+    @property
+    def session_id(self) -> str:
+        """Get unique session identifier"""
+        return f"{self.virtual_ip}:{self.virtual_port}-{self.real_ip}:{self.real_port}-{self.protocol}"
+    
+    @property
+    def is_expired(self) -> bool:
+        """Check if session has expired"""
+        timeout = 300 if self.protocol == socket.IPPROTO_TCP else 60  # 5 min for TCP, 1 min for UDP
+        return time.time() - self.last_activity > timeout
+    
+    @property
+    def duration(self) -> float:
+        """Get session duration in seconds"""
+        return time.time() - self.created_time
+    
+    def update_activity(self, bytes_transferred: int = 0, direction: str = 'out'):
+        """Update session activity"""
+        self.last_activity = time.time()
+        
+        if direction == 'out':
+            self.bytes_out += bytes_transferred
+            self.packets_out += 1
+        else:
+            self.bytes_in += bytes_transferred
+            self.packets_in += 1
+
+
+class PortPool:
+    """Manages available ports for NAT"""
+    
+    def __init__(self, start_port: int = 10000, end_port: int = 65535):
+        self.start_port = start_port
+        self.end_port = end_port
+        self.available_ports: Set[int] = set(range(start_port, end_port + 1))
+        self.allocated_ports: Dict[int, str] = {}  # port -> session_id
+        self.lock = threading.Lock()
+    
+    def allocate_port(self, session_id: str) -> Optional[int]:
+        """Allocate a port for a session"""
+        with self.lock:
+            if not self.available_ports:
+                return None
+            
+            # Try to get a random port to distribute load
+            port = random.choice(list(self.available_ports))
+            self.available_ports.remove(port)
+            self.allocated_ports[port] = session_id
+            
+            return port
+    
+    def release_port(self, port: int) -> bool:
+        """Release a port back to the pool"""
+        with self.lock:
+            if port in self.allocated_ports:
+                del self.allocated_ports[port]
+                if self.start_port <= port <= self.end_port:
+                    self.available_ports.add(port)
+                return True
+            return False
+    
+    def get_session_for_port(self, port: int) -> Optional[str]:
+        """Get session ID for a port"""
+        with self.lock:
+            return self.allocated_ports.get(port)
+    
+    def get_stats(self) -> Dict:
+        """Get port pool statistics"""
+        with self.lock:
+            return {
+                'total_ports': self.end_port - self.start_port + 1,
+                'available_ports': len(self.available_ports),
+                'allocated_ports': len(self.allocated_ports),
+                'utilization': len(self.allocated_ports) / (self.end_port - self.start_port + 1)
+            }
+
+
+class NATEngine:
+    """Network Address Translation engine"""
+    
+    def __init__(self, config: Dict):
+        self.config = config
+        self.sessions: Dict[str, NATSession] = {}  # session_id -> session
+        self.virtual_to_session: Dict[Tuple[str, int, int], str] = {}  # (vip, vport, proto) -> session_id
+        self.host_to_session: Dict[Tuple[str, int, int], str] = {}  # (hip, hport, proto) -> session_id
+        self.lock = threading.Lock()
+        
+        # Port pool for outbound connections
+        self.port_pool = PortPool(
+            config.get('port_range_start', 10000),
+            config.get('port_range_end', 65535)
+        )
+        
+        # Host IP for outbound connections
+        self.host_ip = config.get('host_ip', self._get_default_host_ip())
+        
+        # Session timeout
+        self.session_timeout = config.get('session_timeout', 300)
+        
+        # Statistics
+        self.stats = {
+            'total_sessions': 0,
+            'active_sessions': 0,
+            'expired_sessions': 0,
+            'port_exhaustion_events': 0,
+            'bytes_translated': 0,
+            'packets_translated': 0
+        }
+        
+        # Cleanup thread
+        self.running = False
+        self.cleanup_thread = None
+
+    def _get_default_host_ip(self) -> str:
+        """Get default host IP address"""
+        try:
+            # Connect to a remote address to determine local IP
+            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
+                s.connect(('8.8.8.8', 80))
+                return s.getsockname()[0]
+        except Exception:
+            return '127.0.0.1'
+    
+    def _cleanup_expired_sessions(self):
+        """Clean up expired sessions"""
+        current_time = time.time()
+        expired_sessions = []
+        
+        with self.lock:
+            for session_id, session in self.sessions.items():
+                if session.is_expired:
+                    expired_sessions.append(session_id)
+        
+        for session_id in expired_sessions:
+            self._remove_session(session_id)
+            self.stats['expired_sessions'] += 1
+    
+    def _remove_session(self, session_id: str):
+        """Remove a session and clean up resources"""
+        with self.lock:
+            if session_id not in self.sessions:
+                return
+            
+            session = self.sessions[session_id]
+            
+            # Remove from lookup tables
+            virtual_key = (session.virtual_ip, session.virtual_port, session.protocol)
+            if virtual_key in self.virtual_to_session:
+                del self.virtual_to_session[virtual_key]
+            
+            host_key = (session.host_ip, session.host_port, session.protocol)
+            if host_key in self.host_to_session:
+                del self.host_to_session[host_key]
+            
+            # Release port
+            self.port_pool.release_port(session.host_port)
+            
+            # Remove session
+            del self.sessions[session_id]
+            
+            self.stats['active_sessions'] = len(self.sessions)
+    
+    def create_outbound_session(self, virtual_ip: str, virtual_port: int, 
+                               real_ip: str, real_port: int, protocol: int) -> Optional[NATSession]:
+        """Create NAT session for outbound connection"""
+        # Allocate host port
+        session_id = f"{virtual_ip}:{virtual_port}-{real_ip}:{real_port}-{protocol}"
+        host_port = self.port_pool.allocate_port(session_id)
+        
+        if host_port is None:
+            self.stats['port_exhaustion_events'] += 1
+            return None
+        
+        # Create session
+        session = NATSession(
+            virtual_ip=virtual_ip,
+            virtual_port=virtual_port,
+            real_ip=real_ip,
+            real_port=real_port,
+            host_ip=self.host_ip,
+            host_port=host_port,
+            protocol=protocol,
+            nat_type=NATType.SNAT,
+            created_time=time.time(),
+            last_activity=time.time()
+        )
+        
+        with self.lock:
+            self.sessions[session_id] = session
+            
+            # Add to lookup tables
+            virtual_key = (virtual_ip, virtual_port, protocol)
+            self.virtual_to_session[virtual_key] = session_id
+            
+            host_key = (self.host_ip, host_port, protocol)
+            self.host_to_session[host_key] = session_id
+        
+        self.stats['total_sessions'] += 1
+        self.stats['active_sessions'] = len(self.sessions)
+        
+        return session
+    
+    def translate_outbound(self, virtual_ip: str, virtual_port: int, 
+                          real_ip: str, real_port: int, protocol: int) -> Optional[Tuple[str, int]]:
+        """Translate outbound packet (virtual -> host)"""
+        virtual_key = (virtual_ip, virtual_port, protocol)
+        
+        with self.lock:
+            session_id = self.virtual_to_session.get(virtual_key)
+            
+            if session_id:
+                session = self.sessions[session_id]
+                session.update_activity(direction='out')
+                return (session.host_ip, session.host_port)
+            else:
+                # Create new session
+                session = self.create_outbound_session(virtual_ip, virtual_port, real_ip, real_port, protocol)
+                if session:
+                    return (session.host_ip, session.host_port)
+        
+        return None
+    
+    def translate_inbound(self, host_ip: str, host_port: int, protocol: int) -> Optional[Tuple[str, int]]:
+        """Translate inbound packet (host -> virtual)"""
+        host_key = (host_ip, host_port, protocol)
+        
+        with self.lock:
+            session_id = self.host_to_session.get(host_key)
+            
+            if session_id and session_id in self.sessions:
+                session = self.sessions[session_id]
+                session.update_activity(direction='in')
+                return (session.virtual_ip, session.virtual_port)
+        
+        return None
+    
+    def get_session_by_virtual(self, virtual_ip: str, virtual_port: int, protocol: int) -> Optional[NATSession]:
+        """Get session by virtual endpoint"""
+        virtual_key = (virtual_ip, virtual_port, protocol)
+        
+        with self.lock:
+            session_id = self.virtual_to_session.get(virtual_key)
+            if session_id and session_id in self.sessions:
+                return self.sessions[session_id]
+        
+        return None
+    
+    def get_session_by_host(self, host_ip: str, host_port: int, protocol: int) -> Optional[NATSession]:
+        """Get session by host endpoint"""
+        host_key = (host_ip, host_port, protocol)
+        
+        with self.lock:
+            session_id = self.host_to_session.get(host_key)
+            if session_id and session_id in self.sessions:
+                return self.sessions[session_id]
+        
+        return None
+    
+    def close_session(self, session_id: str) -> bool:
+        """Manually close a session"""
+        with self.lock:
+            if session_id in self.sessions:
+                self._remove_session(session_id)
+                return True
+        return False
+    
+    def close_session_by_virtual(self, virtual_ip: str, virtual_port: int, protocol: int) -> bool:
+        """Close session by virtual endpoint"""
+        virtual_key = (virtual_ip, virtual_port, protocol)
+        
+        with self.lock:
+            session_id = self.virtual_to_session.get(virtual_key)
+            if session_id:
+                self._remove_session(session_id)
+                return True
+        return False
+    
+    def get_sessions(self) -> Dict[str, Dict]:
+        """Get all active sessions"""
+        with self.lock:
+            return {
+                session_id: {
+                    'virtual_ip': session.virtual_ip,
+                    'virtual_port': session.virtual_port,
+                    'real_ip': session.real_ip,
+                    'real_port': session.real_port,
+                    'host_ip': session.host_ip,
+                    'host_port': session.host_port,
+                    'protocol': session.protocol,
+                    'nat_type': session.nat_type.value,
+                    'created_time': session.created_time,
+                    'last_activity': session.last_activity,
+                    'duration': session.duration,
+                    'bytes_in': session.bytes_in,
+                    'bytes_out': session.bytes_out,
+                    'packets_in': session.packets_in,
+                    'packets_out': session.packets_out,
+                    'is_expired': session.is_expired
+                }
+                for session_id, session in self.sessions.items()
+            }
+    
+    def get_stats(self) -> Dict:
+        """Get NAT statistics"""
+        port_stats = self.port_pool.get_stats()
+        
+        with self.lock:
+            current_stats = self.stats.copy()
+            current_stats['active_sessions'] = len(self.sessions)
+            current_stats.update(port_stats)
+        
+        return current_stats
+    
+    def update_packet_stats(self, bytes_count: int):
+        """Update packet statistics"""
+        self.stats['bytes_translated'] += bytes_count
+        self.stats['packets_translated'] += 1
+    
+    def _cleanup_loop(self):
+        """Background cleanup loop"""
+        while self.running:
+            try:
+                # print("NAT cleanup loop: Cleaning expired sessions...") # Debug print
+                self._cleanup_expired_sessions()
+                time.sleep(0.1)  # Shorter sleep for faster testing
+            except Exception as e:
+                print(f"NAT cleanup error: {e}")
+                time.sleep(0.1)
+    
+    def start(self):
+        """Start NAT engine"""
+        self.running = True
+        self.cleanup_thread = threading.Thread(target=self._cleanup_loop, daemon=True)
+        self.cleanup_thread.start()
+        # print(f"NAT engine started - Host IP: {self.host_ip}, Port range: {self.port_pool.start_port}-{self.port_pool.end_port}")
+    
+    def stop(self):
+        """Stop NAT engine"""
+        # print("Stopping NAT engine...") # Debug print
+        self.running = False
+        if self.cleanup_thread and self.cleanup_thread.is_alive():
+            self.cleanup_thread.join(timeout=1) # Add timeout to join
+            if self.cleanup_thread.is_alive():
+                print("NAT cleanup thread did not terminate in time.") # Debug print
+        
+        # Close all sessions
+        with self.lock:
+            session_ids = list(self.sessions.keys())
+            for session_id in session_ids:
+                self._remove_session(session_id)
+        
+        # print("NAT engine stopped")
+
+    def _calculate_ip_checksum(self, ip_header_no_checksum: bytes) -> int:
+        """Calculate the IP header checksum."""
+        # IP header checksum calculation (simplified for demonstration)
+        # This is a basic implementation and might need refinement for production use
+        s = 0
+        # loop through header words
+        for i in range(0, len(ip_header_no_checksum), 2):
+            w = (ip_header_no_checksum[i] << 8) + (ip_header_no_checksum[i+1])
+            s = s + w
+        
+        s = (s & 0xffff) + (s >> 16)
+        s = s + (s >> 16)
+        return ~s & 0xffff
+
+    def process_inbound_packet(self, packet: bytes) -> Optional[bytes]:
+        """Process an inbound packet (from internet to VPN client) for DNAT."""
+        # Parse IP header
+        # Assuming Ethernet frame, IP header starts at offset 14
+        # For simplicity, let's assume we are only dealing with IPv4 for now
+        ip_header_offset = 14
+        ip_header_length = (packet[ip_header_offset] & 0xF) * 4
+        ip_header = packet[ip_header_offset : ip_header_offset + ip_header_length]
+        
+        # Unpack IP header (version_ihl, tos, total_length, identification, fragment_offset, ttl, protocol, header_checksum, source_address, destination_address)
+        iph = struct.unpack('!BBHHHBBH4s4s', ip_header)
+        
+        protocol = iph[6]
+        source_ip = socket.inet_ntoa(iph[8])
+        dest_ip = socket.inet_ntoa(iph[9])
+
+        # Only process TCP/UDP for now
+        if protocol not in [socket.IPPROTO_TCP, socket.IPPROTO_UDP]:
+            return None
+
+        # Parse TCP/UDP header
+        transport_header_offset = ip_header_offset + ip_header_length
+        if protocol == socket.IPPROTO_TCP:
+            tcp_header = packet[transport_header_offset : transport_header_offset + 20]
+            tcph = struct.unpack('!HHLLBBHHH', tcp_header)
+            source_port = tcph[0]
+            dest_port = tcph[1]
+        elif protocol == socket.IPPROTO_UDP:
+            udp_header = packet[transport_header_offset : transport_header_offset + 8]
+            udph = struct.unpack('!HHHH', udp_header)
+            source_port = udph[0]
+            dest_port = udph[1]
+        else:
+            return None
+
+        # Check for DNAT rule match (simplified for now, actual DNAT rules would be in DNATEngine)
+        # For now, assume we are looking for a session based on host_ip (d_addr) and host_port (dest_port)
+        translated_endpoint = self.translate_inbound(dest_ip, dest_port, protocol)
+
+        if translated_endpoint:
+            virtual_ip, virtual_port = translated_endpoint
+            
+            # Reconstruct packet with translated destination IP and port
+            # Recalculate IP header checksum
+            new_dest_ip_bytes = socket.inet_aton(virtual_ip)
+            
+            # Rebuild IP header with new destination IP
+            # Need to recalculate checksum for IP header
+            # For simplicity, we'll set checksum to 0 and assume it's recalculated later or by OS
+            new_ip_header_raw = struct.pack('!BBHHHBBH4s4s', iph[0], iph[1], iph[2], iph[3], iph[4], iph[5], iph[6], 0, iph[8], new_dest_ip_bytes)
+            new_ip_header_checksum = self._calculate_ip_checksum(new_ip_header_raw)
+            new_ip_header = struct.pack('!BBHHHBBH4s4s', iph[0], iph[1], iph[2], iph[3], iph[4], iph[5], iph[6], new_ip_header_checksum, iph[8], new_dest_ip_bytes)
+
+            # Rebuild TCP/UDP header with new destination port
+            if protocol == socket.IPPROTO_TCP:
+                # Recalculate TCP checksum (requires pseudo-header, IP header, and TCP data)
+                new_tcp_header_raw = struct.pack('!HHLLBBHHH', source_port, virtual_port, tcph[2], tcph[3], tcph[4], tcph[5], tcph[6], 0, tcph[8])
+                # For now, setting checksum to 0. Proper recalculation is complex.
+                new_tcp_header = struct.pack('!HHLLBBHHH', source_port, virtual_port, tcph[2], tcph[3], tcph[4], tcph[5], tcph[6], 0, tcph[8])
+                return packet[:ip_header_offset] + new_ip_header + new_tcp_header + packet[transport_header_offset + 20:]
+            elif protocol == socket.IPPROTO_UDP:
+                # Recalculate UDP checksum (requires pseudo-header, IP header, and UDP data)
+                new_udp_header_raw = struct.pack('!HHHH', source_port, virtual_port, udph[2], 0)
+                # For now, setting checksum to 0. Proper recalculation is complex.
+                new_udp_header = struct.pack('!HHHH', source_port, virtual_port, udph[2], 0)
+                return packet[:ip_header_offset] + new_ip_header + new_udp_header + packet[transport_header_offset + 8:]
+        
+        return None
+
+    def process_outbound_packet(self, packet: bytes) -> Optional[bytes]:
+        """Process an outbound packet (from VPN client to internet) for SNAT."""
+        # Parse IP header
+        ip_header_offset = 14
+        ip_header_length = (packet[ip_header_offset] & 0xF) * 4
+        ip_header = packet[ip_header_offset : ip_header_offset + ip_header_length]
+        
+        # Unpack IP header
+        iph = struct.unpack('!BBHHHBBH4s4s', ip_header)
+        
+        protocol = iph[6]
+        source_ip = socket.inet_ntoa(iph[8])
+        dest_ip = socket.inet_ntoa(iph[9])
+
+        # Only process TCP/UDP for now
+        if protocol not in [socket.IPPROTO_TCP, socket.IPPROTO_UDP]:
+            return None
+
+        # Parse TCP/UDP header
+        transport_header_offset = ip_header_offset + ip_header_length
+        if protocol == socket.IPPROTO_TCP:
+            tcp_header = packet[transport_header_offset : transport_header_offset + 20]
+            tcph = struct.unpack('!HHLLBBHHH', tcp_header)
+            source_port = tcph[0]
+            dest_port = tcph[1]
+        elif protocol == socket.IPPROTO_UDP:
+            udp_header = packet[transport_header_offset : transport_header_offset + 8]
+            udph = struct.unpack('!HHHH', udp_header)
+            source_port = udph[0]
+            dest_port = udph[1]
+        else:
+            return None
+
+        # Perform SNAT
+        translated_endpoint = self.translate_outbound(source_ip, source_port, dest_ip, dest_port, protocol)
+
+        if translated_endpoint:
+            host_ip, host_port = translated_endpoint
+            
+            # Reconstruct packet with translated source IP and port
+            # Recalculate IP header checksum
+            new_source_ip_bytes = socket.inet_aton(host_ip)
+
+            # Rebuild IP header with new source IP
+            new_ip_header_raw = struct.pack('!BBHHHBBH4s4s', iph[0], iph[1], iph[2], iph[3], iph[4], iph[5], iph[6], 0, new_source_ip_bytes, iph[9])
+            new_ip_header_checksum = self._calculate_ip_checksum(new_ip_header_raw)
+            new_ip_header = struct.pack('!BBHHHBBH4s4s', iph[0], iph[1], iph[2], iph[3], iph[4], iph[5], iph[6], new_ip_header_checksum, new_source_ip_bytes, iph[9])
+
+            # Rebuild TCP/UDP header with new source port
+            if protocol == socket.IPPROTO_TCP:
+                # Recalculate TCP checksum
+                new_tcp_header_raw = struct.pack('!HHLLBBHHH', host_port, dest_port, tcph[2], tcph[3], tcph[4], tcph[5], tcph[6], 0, tcph[8])
+                # For now, setting checksum to 0. Proper recalculation is complex.
+                new_tcp_header = struct.pack('!HHLLBBHHH', host_port, dest_port, tcph[2], tcph[3], tcph[4], tcph[5], tcph[6], 0, tcph[8])
+                return packet[:ip_header_offset] + new_ip_header + new_tcp_header + packet[transport_header_offset + 20:]
+            elif protocol == socket.IPPROTO_UDP:
+                # Recalculate UDP checksum
+                new_udp_header_raw = struct.pack('!HHHH', host_port, dest_port, udph[2], 0)
+                # For now, setting checksum to 0. Proper recalculation is complex.
+                new_udp_header = struct.pack('!HHHH', host_port, dest_port, udph[2], 0)
+                return packet[:ip_header_offset] + new_ip_header + new_udp_header + packet[transport_header_offset + 8:]
+        
+        return None
+
+
+class NATRule:
+    """Represents a NAT rule for DNAT (port forwarding)"""
+    
+    def __init__(self, external_port: int, internal_ip: str, internal_port: int, 
+                 protocol: int, enabled: bool = True):
+        self.external_port = external_port
+        self.internal_ip = internal_ip
+        self.internal_port = internal_port
+        self.protocol = protocol
+        self.enabled = enabled
+        self.created_time = time.time()
+        self.hit_count = 0
+        self.last_hit = None
+    
+    def matches(self, port: int, protocol: int) -> bool:
+        """Check if rule matches the given port and protocol"""
+        return (self.enabled and 
+                self.external_port == port and 
+                self.protocol == protocol)
+    
+    def record_hit(self):
+        """Record a rule hit"""
+        self.hit_count += 1
+        self.last_hit = time.time()
+    
+    def to_dict(self) -> Dict:
+        """Convert rule to dictionary"""
+        return {
+            'external_port': self.external_port,
+            'internal_ip': self.internal_ip,
+            'internal_port': self.internal_port,
+            'protocol': self.protocol,
+            'enabled': self.enabled,
+            'created_time': self.created_time,
+            'hit_count': self.hit_count,
+            'last_hit': self.last_hit
+        }
+
+
+class DNATEngine:
+    """Destination NAT engine for port forwarding"""
+    
+    def __init__(self):
+        self.rules: Dict[str, NATRule] = {}  # rule_id -> rule
+        self.lock = threading.Lock()
+    
+    def add_rule(self, rule_id: str, external_port: int, internal_ip: str, 
+                 internal_port: int, protocol: int) -> bool:
+        """Add DNAT rule"""
+        with self.lock:
+            if rule_id in self.rules:
+                return False
+            rule = NATRule(external_port, internal_ip, internal_port, protocol)
+            self.rules[rule_id] = rule
+            return True
+    
+    def remove_rule(self, rule_id: str) -> bool:
+        """Remove DNAT rule"""
+        with self.lock:
+            if rule_id in self.rules:
+                del self.rules[rule_id]
+                return True
+            return False
+    
+    def get_rule(self, rule_id: str) -> Optional[NATRule]:
+        """Get DNAT rule by ID"""
+        with self.lock:
+            return self.rules.get(rule_id)
+    
+    def get_matching_rule(self, port: int, protocol: int) -> Optional[NATRule]:
+        """Get matching DNAT rule for given port and protocol"""
+        with self.lock:
+            for rule in self.rules.values():
+                if rule.matches(port, protocol):
+                    rule.record_hit()
+                    return rule
+            return None
+    
+    def get_all_rules(self) -> Dict[str, Dict]:
+        """Get all DNAT rules"""
+        with self.lock:
+            return {rule_id: rule.to_dict() for rule_id, rule in self.rules.items()}
+
+
+

core/openvpn_manager.py

@@ -0,0 +1,508 @@
+"""
+OpenVPN Manager Module
+
+Manages OpenVPN server integration with the Virtual ISP Stack
+"""
+
+import os
+import json
+import subprocess
+import threading
+import time
+import logging
+from typing import Dict, List, Optional, Any
+from dataclasses import dataclass, asdict
+import ipaddress
+
+logger = logging.getLogger(__name__)
+
+@dataclass
+class VPNClient:
+    """Represents a connected VPN client"""
+    client_id: str
+    common_name: str
+    ip_address: str
+    connected_at: float
+    bytes_received: int = 0
+    bytes_sent: int = 0
+    status: str = "connected"
+    routed_through_vpn: bool = False
+
+@dataclass
+class VPNServerStatus:
+    """Represents VPN server status"""
+    is_running: bool
+    connected_clients: int
+    total_bytes_received: int
+    total_bytes_sent: int
+    uptime: float
+    server_ip: str
+    server_port: int
+
+class OpenVPNManager:
+    """Manages OpenVPN server and client connections with traffic routing"""
+    
+    def __init__(self, config: Dict[str, Any]):
+        self.config = config
+        self.server_config_path = "/etc/openvpn/server/server.conf"
+        self.status_log_path = "/tmp/openvpn/openvpn-status.log"
+        self.clients: Dict[str, VPNClient] = {}
+        self.server_process = None
+        self.is_running = False
+        self.start_time = None
+        
+        # VPN network configuration
+        self.vpn_network = ipaddress.IPv4Network("10.8.0.0/24")
+        self.vpn_server_ip = "10.8.0.1"
+        self.vpn_port = 1194
+        
+        # Integration with ISP stack
+        self.dhcp_server = None
+        self.nat_engine = None
+        self.firewall = None
+        self.router = None
+        self.traffic_router = None  # New traffic router component
+        
+        # Status monitoring thread
+        self.monitor_thread = None
+        self.monitor_running = False
+        
+        # Client configuration storage
+        self.config_storage_path = "/tmp/vpn_client_configs"
+        os.makedirs(self.config_storage_path, exist_ok=True)
+        
+    def set_isp_components(self, dhcp_server=None, nat_engine=None, firewall=None, router=None, traffic_router=None):
+        """Set references to ISP stack components for integration"""
+        self.dhcp_server = dhcp_server
+        self.nat_engine = nat_engine
+        self.firewall = firewall
+        self.router = router
+        self.traffic_router = traffic_router
+        
+        # Configure traffic router with other components
+        if self.traffic_router:
+            self.traffic_router.set_components(
+                nat_engine=nat_engine,
+                firewall=firewall,
+                dhcp_server=dhcp_server
+            )
+        
+    def start_server(self) -> bool:
+        """Start the OpenVPN server with traffic routing"""
+        try:
+            if self.is_running:
+                logger.warning("OpenVPN server is already running")
+                return True
+            
+            # Ensure configuration exists
+            if not os.path.exists(self.server_config_path):
+                logger.error(f"OpenVPN server configuration not found: {self.server_config_path}")
+                return False
+            
+            # Start traffic router first
+            if self.traffic_router and not self.traffic_router.is_running:
+                if not self.traffic_router.start():
+                    logger.error("Failed to start traffic router")
+                    return False
+            
+
+            # Start OpenVPN server
+            self.server_process = subprocess.Popen(['sudo', 'openvpn', '--config', self.server_config_path], stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
+            self.is_running = True
+            self.start_time = time.time()
+            logger.info("OpenVPN server started successfully")
+            
+            # Start monitoring thread
+            self.start_monitoring()
+            
+            # Configure firewall rules for VPN
+            self._configure_vpn_firewall()
+            
+            # Configure NAT for VPN traffic
+            self._configure_vpn_nat()
+            
+            return True
+                
+        except Exception as e:
+            logger.error(f"Error starting OpenVPN server: {e}")
+            return False
+    
+    def stop_server(self) -> bool:
+        """Stop the OpenVPN server and traffic routing"""
+        try:
+            if not self.is_running:
+                logger.warning("OpenVPN server is not running")
+                return True
+            
+            # Stop monitoring
+            self.stop_monitoring()
+            
+            # Remove all client routes before stopping
+            if self.traffic_router:
+                for client_id in list(self.clients.keys()):
+                    self.traffic_router.remove_client_route(client_id)
+            
+            # Stop OpenVPN server
+            if self.server_process:
+                self.server_process.terminate()
+                self.server_process.wait(timeout=5)
+                if self.server_process.poll() is None:
+                    self.server_process.kill()
+                self.server_process = None
+            self.is_running = False
+            self.start_time = None
+            self.clients.clear()
+            logger.info("OpenVPN server stopped successfully")
+            return True
+            
+        except Exception as e:
+            logger.error(f"Error stopping OpenVPN server: {e}")
+            return False
+    
+    def start_monitoring(self):
+        """Start the client monitoring thread"""
+        if self.monitor_thread and self.monitor_thread.is_alive():
+            return
+        
+        self.monitor_running = True
+        self.monitor_thread = threading.Thread(target=self._monitor_clients, daemon=True)
+        self.monitor_thread.start()
+        logger.info("Started OpenVPN client monitoring")
+    
+    def stop_monitoring(self):
+        """Stop the client monitoring thread"""
+        self.monitor_running = False
+        if self.monitor_thread:
+            self.monitor_thread.join(timeout=5)
+        logger.info("Stopped OpenVPN client monitoring")
+    
+    def _monitor_clients(self):
+        """Monitor connected VPN clients"""
+        while self.monitor_running:
+            try:
+                self._update_client_status()
+                time.sleep(10)  # Update every 10 seconds
+            except Exception as e:
+                logger.error(f"Error monitoring VPN clients: {e}")
+                time.sleep(30)  # Wait longer on error
+    
+    def _update_client_status(self):
+        """Update client status from OpenVPN status log and manage traffic routing"""
+        try:
+            with open(self.status_log_path, 'r') as f:
+                lines = f.readlines()
+
+            new_clients = {}
+            client_section = False
+            for line in lines:
+                if line.startswith('ROUTING TABLE'):
+                    client_section = False
+                if client_section and not line.startswith('GLOBAL STATS'):
+                    parts = line.strip().split(',')
+                    if len(parts) >= 5:
+                        common_name = parts[0]
+                        real_ip_port = parts[1]
+                        virtual_ip = parts[2]
+                        bytes_received = int(parts[3])
+                        bytes_sent = int(parts[4])
+                        connected_since = float(parts[5]) # Assuming this is a timestamp
+
+                        # Extract IP address from real_ip_port (e.g., 1.2.3.4:12345)
+                        ip_address = real_ip_port.split(':')[0]
+
+                        client = VPNClient(
+                            client_id=common_name,
+                            common_name=common_name,
+                            ip_address=virtual_ip,
+                            connected_at=connected_since,
+                            bytes_received=bytes_received,
+                            bytes_sent=bytes_sent,
+                            status="connected",
+                            routed_through_vpn=True
+                        )
+                        new_clients[common_name] = client
+                if line.startswith('COMMON NAME'):
+                    client_section = True
+            self.clients = new_clients
+            
+        except Exception as e:
+            logger.error(f"Error updating client status: {e}")
+    
+    def _sync_with_dhcp(self):
+        """Sync VPN clients with DHCP server"""
+        try:
+            for client in self.clients.values():
+                if client.ip_address != "unknown":
+                    # Register VPN client IP with DHCP server
+                    # This allows the ISP stack to track VPN clients
+                    if hasattr(self.dhcp_server, 'register_static_lease'):
+                        self.dhcp_server.register_static_lease(
+                            client.common_name,
+                            client.ip_address,
+                            "VPN Client"
+                        )
+        except Exception as e:
+            logger.error(f"Error syncing with DHCP: {e}")
+    
+    def _configure_vpn_firewall(self):
+        """Configure firewall rules for VPN traffic"""
+        try:
+            if not self.firewall:
+                return
+            
+            # Add firewall rules for VPN
+            vpn_rules = [
+                {
+                    "rule_id": "allow_openvpn",
+                    "priority": 10,
+                    "action": "ACCEPT",
+                    "direction": "BOTH",
+                    "dest_port": str(self.vpn_port),
+                    "protocol": "UDP",
+                    "description": "Allow OpenVPN traffic",
+                    "enabled": True
+                },
+                {
+                    "rule_id": "allow_vpn_network",
+                    "priority": 11,
+                    "action": "ACCEPT",
+                    "direction": "BOTH",
+                    "source_network": str(self.vpn_network),
+                    "description": "Allow VPN client network traffic",
+                    "enabled": True
+                }
+            ]
+            
+            for rule in vpn_rules:
+                if hasattr(self.firewall, 'add_rule'):
+                    self.firewall.add_rule(rule)
+            
+            logger.info("Configured firewall rules for VPN")
+            
+        except Exception as e:
+            logger.error(f"Error configuring VPN firewall: {e}")
+    
+    def _configure_vpn_nat(self):
+        """Configure NAT for VPN traffic"""
+        try:
+            # NAT configuration will be handled by the external environment (e.g., HuggingFace Spaces setup)
+            # or by the underlying network infrastructure. We are removing direct iptables calls.
+            logger.info("Skipping direct iptables NAT configuration as per instructions.")
+            
+        except Exception as e:
+            logger.error(f"Error configuring VPN NAT: {e}")
+    
+    def get_server_status(self) -> VPNServerStatus:
+        """Get current server status"""
+        total_bytes_received = sum(client.bytes_received for client in self.clients.values())
+        total_bytes_sent = sum(client.bytes_sent for client in self.clients.values())
+        uptime = time.time() - self.start_time if self.start_time else 0
+        
+        return VPNServerStatus(
+            is_running=self.is_running,
+            connected_clients=len(self.clients),
+            total_bytes_received=total_bytes_received,
+            total_bytes_sent=total_bytes_sent,
+            uptime=uptime,
+            server_ip=self.vpn_server_ip,
+            server_port=self.vpn_port
+        )    
+    def get_connected_clients(self) -> List[Dict[str, Any]]:
+        """Get list of connected clients"""
+        return [asdict(client) for client in self.clients.values()]
+    
+    def disconnect_client(self, client_id: str) -> bool:
+        """Disconnect a specific client"""
+        try:
+            if client_id not in self.clients:
+                return False
+            
+            # Send kill signal to specific client
+            # This requires OpenVPN management interface, simplified for now
+            logger.info(f"Disconnecting client: {client_id}")
+            
+            # Remove from clients dict
+            del self.clients[client_id]
+            return True
+            
+        except Exception as e:
+            logger.error(f"Error disconnecting client {client_id}: {e}")
+            return False
+    
+    def generate_client_config(self, client_name: str, server_ip: str) -> str:
+        """Generate client configuration file with embedded certificates"""
+        try:
+            # Read real CA certificate
+            ca_cert_path = "/etc/openvpn/server/ca.crt"
+            with open(ca_cert_path, 'r') as f:
+                ca_cert = f.read()
+
+            client_cert_path = f"/home/ubuntu/easy-rsa/pki/issued/{client_name}.crt"
+            with open(client_cert_path, 'r') as f:
+                client_cert = f.read()
+
+            client_key_path = f"/home/ubuntu/easy-rsa/pki/private/{client_name}.key"
+            with open(client_key_path, 'r') as f:
+                client_key = f.read()
+
+            # Generate complete client configuration
+            client_config = f"""# OpenVPN Client Configuration for {client_name}
+# Generated by Virtual ISP Stack
+# Server: {server_ip}:{self.vpn_port}
+
+client
+dev tun
+proto udp
+remote {server_ip} {self.vpn_port}
+resolv-retry infinite
+nobind
+persist-key
+persist-tun
+cipher AES-256-CBC
+auth SHA256
+verb 3
+key-direction 1
+redirect-gateway def1 bypass-dhcp
+dhcp-option DNS 8.8.8.8
+dhcp-option DNS 8.8.4.4
+remote-cert-tls server
+
+# Embedded CA Certificate
+<ca>
+{ca_cert}
+</ca>
+
+# Embedded Client Certificate
+<cert>
+{client_cert}
+</cert>
+
+# Embedded Client Private Key
+<key>
+{client_key}
+</key>
+
+# TLS Authentication Key (optional, for extra security)
+# <tls-auth>
+# -----BEGIN OpenVPN Static key V1-----
+# [TLS-AUTH-KEY-CONTENT-WOULD-GO-HERE]
+# -----END OpenVPN Static key V1-----
+# </tls-auth>
+"""
+            
+            logger.info(f"Generated client configuration for {client_name}")
+            return client_config
+            
+        except Exception as e:
+            logger.error(f"Error generating client config: {e}")
+            return ""
+    
+    def save_client_config(self, client_name: str, config_content: str) -> bool:
+        """Save client configuration to storage"""
+        try:
+            config_file_path = os.path.join(self.config_storage_path, f"{client_name}.ovpn")
+            with open(config_file_path, 'w') as f:
+                f.write(config_content)
+            
+            logger.info(f"Saved client configuration for {client_name}")
+            return True
+            
+        except Exception as e:
+            logger.error(f"Error saving client config for {client_name}: {e}")
+            return False
+    
+    def load_client_config(self, client_name: str) -> str:
+        """Load client configuration from storage"""
+        try:
+            config_file_path = os.path.join(self.config_storage_path, f"{client_name}.ovpn")
+            if not os.path.exists(config_file_path):
+                return ""
+            
+            with open(config_file_path, 'r') as f:
+                config_content = f.read()
+            
+            logger.info(f"Loaded client configuration for {client_name}")
+            return config_content
+            
+        except Exception as e:
+            logger.error(f"Error loading client config for {client_name}: {e}")
+            return ""
+    
+    def list_client_configs(self) -> List[str]:
+        """List all stored client configurations"""
+        try:
+            config_files = []
+            if os.path.exists(self.config_storage_path):
+                for filename in os.listdir(self.config_storage_path):
+                    if filename.endswith('.ovpn'):
+                        client_name = filename[:-5]  # Remove .ovpn extension
+                        config_files.append(client_name)
+            
+            return config_files
+            
+        except Exception as e:
+            logger.error(f"Error listing client configs: {e}")
+            return []
+    
+    def delete_client_config(self, client_name: str) -> bool:
+        """Delete client configuration from storage"""
+        try:
+            config_file_path = os.path.join(self.config_storage_path, f"{client_name}.ovpn")
+            if os.path.exists(config_file_path):
+                os.remove(config_file_path)
+                logger.info(f"Deleted client configuration for {client_name}")
+                return True
+            else:
+                logger.warning(f"Client configuration for {client_name} not found")
+                return False
+                
+        except Exception as e:
+            logger.error(f"Error deleting client config for {client_name}: {e}")
+            return False
+    
+    def generate_and_save_client_config(self, client_name: str, server_ip: str) -> str:
+        """Generate client configuration and save it to storage"""
+        try:
+            config_content = self.generate_client_config(client_name, server_ip)
+            if config_content:
+                if self.save_client_config(client_name, config_content):
+                    return config_content
+            return ""
+            
+        except Exception as e:
+            logger.error(f"Error generating and saving client config for {client_name}: {e}")
+            return ""
+    
+    def get_statistics(self) -> Dict[str, Any]:
+        """Get comprehensive VPN statistics"""
+        status = self.get_server_status()
+        
+        return {
+            "server_status": asdict(status),
+            "connected_clients": self.get_connected_clients(),
+            "network_config": {
+                "vpn_network": str(self.vpn_network),
+                "server_ip": self.vpn_server_ip,
+                "server_port": self.vpn_port
+            },
+            "integration_status": {
+                "dhcp_integrated": self.dhcp_server is not None,
+                "nat_integrated": self.nat_engine is not None,
+                "firewall_integrated": self.firewall is not None,
+                "router_integrated": self.router is not None
+            }
+        }
+
+# Global OpenVPN manager instance
+openvpn_manager = None
+
+def initialize_openvpn_manager(config: Dict[str, Any]) -> OpenVPNManager:
+    """Initialize the OpenVPN manager"""
+    global openvpn_manager
+    openvpn_manager = OpenVPNManager(config)
+    return openvpn_manager
+
+def get_openvpn_manager() -> Optional[OpenVPNManager]:
+    """Get the global OpenVPN manager instance"""
+    return openvpn_manager
+

core/packet_bridge.py

@@ -0,0 +1,664 @@
+"""
+Packet Bridge Module
+
+Handles communication with virtual clients:
+- Accept packet streams over WebSocket/TCP
+- Deliver response packets back to clients
+- Frame processing (Ethernet → IPv4)
+- Connection management
+"""
+
+import asyncio
+import websockets
+import socket
+import threading
+import time
+import struct
+from typing import Dict, List, Optional, Callable, Set, Any, Tuple
+from dataclasses import dataclass
+from enum import Enum
+import json
+import logging
+
+from .ip_parser import IPParser, ParsedPacket
+
+
+class BridgeType(Enum):
+    WEBSOCKET = "WEBSOCKET"
+    TCP_SOCKET = "TCP_SOCKET"
+    UDP_SOCKET = "UDP_SOCKET"
+
+
+@dataclass
+class ClientConnection:
+    """Represents a client connection to the bridge"""
+    client_id: str
+    bridge_type: BridgeType
+    remote_address: str
+    remote_port: int
+    websocket: Optional[Any] = None  # WebSocket connection
+    socket: Optional['socket.socket'] = None  # TCP/UDP socket
+    connected_time: float = 0
+    last_activity: float = 0
+    packets_received: int = 0
+    packets_sent: int = 0
+    bytes_received: int = 0
+    bytes_sent: int = 0
+    is_active: bool = True
+    
+    def __post_init__(self):
+        if self.connected_time == 0:
+            self.connected_time = time.time()
+        if self.last_activity == 0:
+            self.last_activity = time.time()
+    
+    def update_activity(self, packet_count: int = 1, byte_count: int = 0, direction: str = 'received'):
+        """Update connection activity"""
+        self.last_activity = time.time()
+        
+        if direction == 'received':
+            self.packets_received += packet_count
+            self.bytes_received += byte_count
+        else:
+            self.packets_sent += packet_count
+            self.bytes_sent += byte_count
+    
+    def to_dict(self) -> Dict:
+        """Convert to dictionary"""
+        return {
+            'client_id': self.client_id,
+            'bridge_type': self.bridge_type.value,
+            'remote_address': self.remote_address,
+            'remote_port': self.remote_port,
+            'connected_time': self.connected_time,
+            'last_activity': self.last_activity,
+            'packets_received': self.packets_received,
+            'packets_sent': self.packets_sent,
+            'bytes_received': self.bytes_received,
+            'bytes_sent': self.bytes_sent,
+            'is_active': self.is_active,
+            'duration': time.time() - self.connected_time
+        }
+
+
+class EthernetFrame:
+    """Ethernet frame parser"""
+    
+    def __init__(self):
+        self.dest_mac = b'\x00' * 6
+        self.src_mac = b'\x00' * 6
+        self.ethertype = 0x0800  # IPv4
+        self.payload = b''
+    
+    @classmethod
+    def parse(cls, data: bytes) -> Optional['EthernetFrame']:
+        """Parse Ethernet frame from raw bytes"""
+        if len(data) < 14:  # Minimum Ethernet header size
+            return None
+        
+        frame = cls()
+        frame.dest_mac = data[0:6]
+        frame.src_mac = data[6:12]
+        frame.ethertype = struct.unpack('!H', data[12:14])[0]
+        frame.payload = data[14:]
+        
+        return frame
+    
+    def build(self) -> bytes:
+        """Build Ethernet frame as bytes"""
+        header = self.dest_mac + self.src_mac + struct.pack('!H', self.ethertype)
+        return header + self.payload
+    
+    def is_ipv4(self) -> bool:
+        """Check if frame contains IPv4 packet"""
+        return self.ethertype == 0x0800
+    
+    def is_arp(self) -> bool:
+        """Check if frame contains ARP packet"""
+        return self.ethertype == 0x0806
+
+
+class PacketBridge:
+    """Packet bridge implementation"""
+    
+    def __init__(self, config: Dict):
+        self.config = config
+        self.clients: Dict[str, ClientConnection] = {}
+        self.packet_handlers: List[Callable[[ParsedPacket, str], Optional[bytes]]] = []
+        self.lock = threading.Lock()
+        
+        # Configuration
+        self.websocket_host = config.get('websocket_host', '0.0.0.0')
+        self.websocket_port = config.get('websocket_port', 8765)
+        self.tcp_host = config.get('tcp_host', '0.0.0.0')
+        self.tcp_port = config.get('tcp_port', 8766)
+        self.max_clients = config.get('max_clients', 100)
+        self.client_timeout = config.get('client_timeout', 300)
+        
+        # WebSocket server
+        self.websocket_server = None
+        self.tcp_server_socket = None
+        
+        # Background tasks
+        self.running = False
+        self.websocket_task = None
+        self.tcp_task = None
+        self.cleanup_task = None
+        
+        # Statistics
+        self.stats = {
+            'total_clients': 0,
+            'active_clients': 0,
+            'packets_processed': 0,
+            'packets_forwarded': 0,
+            'packets_dropped': 0,
+            'bytes_processed': 0,
+            'websocket_connections': 0,
+            'tcp_connections': 0,
+            'connection_errors': 0
+        }
+        
+        # Event loop
+        self.loop = None
+    
+    def add_packet_handler(self, handler: Callable[[ParsedPacket, str], Optional[bytes]]):
+        """Add packet handler function"""
+        self.packet_handlers.append(handler)
+    
+    def remove_packet_handler(self, handler: Callable[[ParsedPacket, str], Optional[bytes]]):
+        """Remove packet handler function"""
+        if handler in self.packet_handlers:
+            self.packet_handlers.remove(handler)
+    
+    def _generate_client_id(self, remote_address: str, remote_port: int) -> str:
+        """Generate unique client ID"""
+        timestamp = int(time.time() * 1000)
+        return f"client_{remote_address}_{remote_port}_{timestamp}"
+    
+    def _process_ethernet_frame(self, frame_data: bytes, client_id: str) -> Optional[bytes]:
+        """Process Ethernet frame and extract IP packet"""
+        try:
+            # Parse Ethernet frame
+            frame = EthernetFrame.parse(frame_data)
+            if not frame or not frame.is_ipv4():
+                return None
+            
+            # Parse IP packet
+            packet = IPParser.parse_packet(frame.payload)
+            self.stats['packets_processed'] += 1
+            self.stats['bytes_processed'] += len(frame_data)
+            
+            # Process through packet handlers
+            response_packet = None
+            for handler in self.packet_handlers:
+                try:
+                    response = handler(packet, client_id)
+                    if response:
+                        response_packet = response
+                        break
+                except Exception as e:
+                    logging.error(f"Packet handler error: {e}")
+            
+            if response_packet:
+                # Wrap response in Ethernet frame
+                response_frame = EthernetFrame()
+                response_frame.dest_mac = frame.src_mac
+                response_frame.src_mac = frame.dest_mac
+                response_frame.ethertype = 0x0800
+                response_frame.payload = response_packet
+                
+                self.stats['packets_forwarded'] += 1
+                return response_frame.build()
+            else:
+                self.stats['packets_dropped'] += 1
+                return None
+        
+        except Exception as e:
+            logging.error(f"Error processing Ethernet frame: {e}")
+            self.stats['packets_dropped'] += 1
+            return None
+    
+    async def _handle_websocket_client(self, websocket, path):
+        """Handle WebSocket client connection"""
+        client_address = websocket.remote_address
+        client_id = self._generate_client_id(client_address[0], client_address[1])
+        
+        # Create client connection
+        client = ClientConnection(
+            client_id=client_id,
+            bridge_type=BridgeType.WEBSOCKET,
+            remote_address=client_address[0],
+            remote_port=client_address[1],
+            websocket=websocket
+        )
+        
+        with self.lock:
+            if len(self.clients) >= self.max_clients:
+                await websocket.close(code=1013, reason="Too many clients")
+                return
+            
+            self.clients[client_id] = client
+        
+        self.stats['total_clients'] += 1
+        self.stats['active_clients'] = len(self.clients)
+        self.stats['websocket_connections'] += 1
+        
+        logging.info(f"WebSocket client connected: {client_id} from {client_address}")
+        
+        try:
+            async for message in websocket:
+                if isinstance(message, bytes):
+                    # Binary message - treat as Ethernet frame
+                    client.update_activity(1, len(message), 'received')
+                    
+                    response = self._process_ethernet_frame(message, client_id)
+                    if response:
+                        await websocket.send(response)
+                        client.update_activity(1, len(response), 'sent')
+                
+                elif isinstance(message, str):
+                    # Text message - treat as control message
+                    try:
+                        control_msg = json.loads(message)
+                        await self._handle_control_message(client, control_msg)
+                    except json.JSONDecodeError:
+                        logging.warning(f"Invalid control message from {client_id}: {message}")
+        
+        except websockets.exceptions.ConnectionClosed:
+            logging.info(f"WebSocket client disconnected: {client_id}")
+        except Exception as e:
+            logging.error(f"WebSocket client error: {e}")
+            self.stats['connection_errors'] += 1
+        
+        finally:
+            # Clean up client
+            with self.lock:
+                if client_id in self.clients:
+                    self.clients[client_id].is_active = False
+                    del self.clients[client_id]
+            
+            self.stats['active_clients'] = len(self.clients)
+    
+    async def _handle_control_message(self, client: ClientConnection, message: Dict):
+        """Handle control message from client"""
+        msg_type = message.get('type')
+        
+        if msg_type == 'ping':
+            # Respond to ping
+            response = {'type': 'pong', 'timestamp': time.time()}
+            await client.websocket.send(json.dumps(response))
+        
+        elif msg_type == 'stats':
+            # Send client statistics
+            response = {
+                'type': 'stats',
+                'client_stats': client.to_dict(),
+                'bridge_stats': self.get_stats()
+            }
+            await client.websocket.send(json.dumps(response))
+        
+        elif msg_type == 'config':
+            # Handle configuration updates
+            config_data = message.get('data', {})
+            # Process configuration updates here
+            response = {'type': 'config_ack', 'status': 'ok'}
+            await client.websocket.send(json.dumps(response))
+    
+    def _handle_tcp_client(self, client_socket: socket.socket, client_address: Tuple[str, int]):
+        """Handle TCP client connection"""
+        client_id = self._generate_client_id(client_address[0], client_address[1])
+        
+        # Create client connection
+        client = ClientConnection(
+            client_id=client_id,
+            bridge_type=BridgeType.TCP_SOCKET,
+            remote_address=client_address[0],
+            remote_port=client_address[1],
+            socket=client_socket
+        )
+        
+        with self.lock:
+            if len(self.clients) >= self.max_clients:
+                client_socket.close()
+                return
+            
+            self.clients[client_id] = client
+        
+        self.stats['total_clients'] += 1
+        self.stats['active_clients'] = len(self.clients)
+        self.stats['tcp_connections'] += 1
+        
+        logging.info(f"TCP client connected: {client_id} from {client_address}")
+        
+        try:
+            client_socket.settimeout(self.client_timeout)
+            
+            while client.is_active:
+                try:
+                    # Read frame length (4 bytes)
+                    length_data = client_socket.recv(4)
+                    if not length_data:
+                        break
+                    
+                    frame_length = struct.unpack('!I', length_data)[0]
+                    if frame_length > 65536:  # Sanity check
+                        break
+                    
+                    # Read frame data
+                    frame_data = b''
+                    while len(frame_data) < frame_length:
+                        chunk = client_socket.recv(frame_length - len(frame_data))
+                        if not chunk:
+                            break
+                        frame_data += chunk
+                    
+                    if len(frame_data) != frame_length:
+                        break
+                    
+                    client.update_activity(1, len(frame_data), 'received')
+                    
+                    # Process frame
+                    response = self._process_ethernet_frame(frame_data, client_id)
+                    if response:
+                        # Send response with length prefix
+                        response_length = struct.pack('!I', len(response))
+                        client_socket.send(response_length + response)
+                        client.update_activity(1, len(response), 'sent')
+                
+                except socket.timeout:
+                    continue
+                except Exception as e:
+                    logging.error(f"TCP client error: {e}")
+                    break
+        
+        except Exception as e:
+            logging.error(f"TCP client handler error: {e}")
+            self.stats['connection_errors'] += 1
+        
+        finally:
+            # Clean up client
+            try:
+                client_socket.close()
+            except:
+                pass
+            
+            with self.lock:
+                if client_id in self.clients:
+                    self.clients[client_id].is_active = False
+                    del self.clients[client_id]
+            
+            self.stats['active_clients'] = len(self.clients)
+            logging.info(f"TCP client disconnected: {client_id}")
+    
+    def _tcp_server_loop(self):
+        """TCP server loop"""
+        try:
+            self.tcp_server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+            self.tcp_server_socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+            self.tcp_server_socket.bind((self.tcp_host, self.tcp_port))
+            self.tcp_server_socket.listen(10)
+            
+            logging.info(f"TCP bridge server listening on {self.tcp_host}:{self.tcp_port}")
+            
+            while self.running:
+                try:
+                    client_socket, client_address = self.tcp_server_socket.accept()
+                    
+                    # Handle client in separate thread
+                    client_thread = threading.Thread(
+                        target=self._handle_tcp_client,
+                        args=(client_socket, client_address),
+                        daemon=True
+                    )
+                    client_thread.start()
+                
+                except socket.error as e:
+                    if self.running:
+                        logging.error(f"TCP server error: {e}")
+                        time.sleep(1)
+        
+        except Exception as e:
+            logging.error(f"TCP server loop error: {e}")
+        
+        finally:
+            if self.tcp_server_socket:
+                self.tcp_server_socket.close()
+    
+    def _cleanup_loop(self):
+        """Background cleanup loop"""
+        while self.running:
+            try:
+                current_time = time.time()
+                expired_clients = []
+                
+                with self.lock:
+                    for client_id, client in self.clients.items():
+                        # Mark inactive clients for removal
+                        if current_time - client.last_activity > self.client_timeout:
+                            expired_clients.append(client_id)
+                
+                # Clean up expired clients
+                for client_id in expired_clients:
+                    with self.lock:
+                        if client_id in self.clients:
+                            client = self.clients[client_id]
+                            client.is_active = False
+                            
+                            # Close connections
+                            if client.websocket:
+                                try:
+                                    asyncio.run_coroutine_threadsafe(
+                                        client.websocket.close(),
+                                        self.loop
+                                    )
+                                except:
+                                    pass
+                            
+                            if client.socket:
+                                try:
+                                    client.socket.close()
+                                except:
+                                    pass
+                            
+                            del self.clients[client_id]
+                            logging.info(f"Cleaned up expired client: {client_id}")
+                
+                self.stats['active_clients'] = len(self.clients)
+                
+                time.sleep(30)  # Cleanup every 30 seconds
+            
+            except Exception as e:
+                logging.error(f"Cleanup loop error: {e}")
+                time.sleep(5)
+    
+    def send_packet_to_client(self, client_id: str, packet_data: bytes) -> bool:
+        """Send packet to specific client"""
+        with self.lock:
+            client = self.clients.get(client_id)
+        
+        if not client or not client.is_active:
+            return False
+        
+        try:
+            if client.bridge_type == BridgeType.WEBSOCKET:
+                # Send via WebSocket
+                if client.websocket:
+                    asyncio.run_coroutine_threadsafe(
+                        client.websocket.send(packet_data),
+                        self.loop
+                    )
+                    client.update_activity(1, len(packet_data), 'sent')
+                    return True
+            
+            elif client.bridge_type == BridgeType.TCP_SOCKET:
+                # Send via TCP socket with length prefix
+                if client.socket:
+                    length_prefix = struct.pack('!I', len(packet_data))
+                    client.socket.send(length_prefix + packet_data)
+                    client.update_activity(1, len(packet_data), 'sent')
+                    return True
+        
+        except Exception as e:
+            logging.error(f"Failed to send packet to client {client_id}: {e}")
+            # Mark client as inactive
+            client.is_active = False
+        
+        return False
+    
+    def broadcast_packet(self, packet_data: bytes, exclude_client: Optional[str] = None) -> int:
+        """Broadcast packet to all clients"""
+        sent_count = 0
+        
+        with self.lock:
+            client_ids = list(self.clients.keys())
+        
+        for client_id in client_ids:
+            if client_id != exclude_client:
+                if self.send_packet_to_client(client_id, packet_data):
+                    sent_count += 1
+        
+        return sent_count
+    
+    def get_clients(self) -> Dict[str, Dict]:
+        """Get all connected clients"""
+        with self.lock:
+            return {
+                client_id: client.to_dict()
+                for client_id, client in self.clients.items()
+            }
+    
+    def get_client(self, client_id: str) -> Optional[Dict]:
+        """Get specific client"""
+        with self.lock:
+            client = self.clients.get(client_id)
+            return client.to_dict() if client else None
+    
+    def disconnect_client(self, client_id: str) -> bool:
+        """Disconnect specific client"""
+        with self.lock:
+            client = self.clients.get(client_id)
+            if not client:
+                return False
+            
+            client.is_active = False
+            
+            # Close connection
+            if client.websocket:
+                try:
+                    asyncio.run_coroutine_threadsafe(
+                        client.websocket.close(),
+                        self.loop
+                    )
+                except:
+                    pass
+            
+            if client.socket:
+                try:
+                    client.socket.close()
+                except:
+                    pass
+            
+            del self.clients[client_id]
+            self.stats['active_clients'] = len(self.clients)
+            
+            return True
+    
+    def get_stats(self) -> Dict:
+        """Get bridge statistics"""
+        with self.lock:
+            stats = self.stats.copy()
+            stats['active_clients'] = len(self.clients)
+        
+        return stats
+    
+    def reset_stats(self):
+        """Reset bridge statistics"""
+        self.stats = {
+            'total_clients': 0,
+            'active_clients': len(self.clients),
+            'packets_processed': 0,
+            'packets_forwarded': 0,
+            'packets_dropped': 0,
+            'bytes_processed': 0,
+            'websocket_connections': 0,
+            'tcp_connections': 0,
+            'connection_errors': 0
+        }
+    
+    async def start_websocket_server(self):
+        """Start WebSocket server"""
+        try:
+            self.websocket_server = await websockets.serve(
+                self._handle_websocket_client,
+                self.websocket_host,
+                self.websocket_port,
+                max_size=1024*1024,  # 1MB max message size
+                ping_interval=30,
+                ping_timeout=10
+            )
+            
+            logging.info(f"WebSocket bridge server started on {self.websocket_host}:{self.websocket_port}")
+            
+            # Keep server running
+            await self.websocket_server.wait_closed()
+        
+        except Exception as e:
+            logging.error(f"WebSocket server error: {e}")
+    
+    def start(self):
+        """Start packet bridge"""
+        self.running = True
+        
+        # Start event loop
+        self.loop = asyncio.new_event_loop()
+        asyncio.set_event_loop(self.loop)
+        
+        # Start WebSocket server in a separate thread
+        websocket_thread = threading.Thread(target=self._run_websocket_server_in_thread, daemon=True)
+        websocket_thread.start()
+        
+        # Start TCP server in separate thread
+        tcp_thread = threading.Thread(target=self._tcp_server_loop, daemon=True)
+        tcp_thread.start()
+        
+        # Start cleanup thread
+        cleanup_thread = threading.Thread(target=self._cleanup_loop, daemon=True)
+        cleanup_thread.start()
+        
+        logging.info("Packet bridge started")
+        
+
+    
+    def stop(self):
+        """Stop packet bridge"""
+        self.running = False
+        
+        # Close WebSocket server
+        if self.websocket_server:
+            self.websocket_server.close()
+        
+        # Close TCP server
+        if self.tcp_server_socket:
+            self.tcp_server_socket.close()
+        
+        # Disconnect all clients
+        with self.lock:
+            client_ids = list(self.clients.keys())
+        
+        for client_id in client_ids:
+            self.disconnect_client(client_id)
+        
+        # Stop event loop
+        if self.loop and not self.loop.is_closed():
+            self.loop.call_soon_threadsafe(self.loop.stop)
+        
+        logging.info("Packet bridge stopped")
+
+
+
+    def _run_websocket_server_in_thread(self):
+        """Run the WebSocket server in a separate thread with its own event loop."""
+        asyncio.set_event_loop(self.loop)
+        self.loop.run_until_complete(self.start_websocket_server())
+
+

core/session_tracker.py

@@ -0,0 +1,602 @@
+"""
+Session Tracker Module
+
+Manages and tracks all network sessions across the virtual ISP stack:
+- Unified session management across all modules
+- Session lifecycle tracking
+- Performance metrics and analytics
+- Session correlation and debugging
+"""
+
+import time
+import threading
+import uuid
+from typing import Dict, List, Optional, Set, Any, Tuple
+from dataclasses import dataclass, field
+from enum import Enum
+import json
+
+from .dhcp_server import DHCPLease
+from .nat_engine import NATSession
+from .tcp_engine import TCPConnection
+from .socket_translator import SocketConnection
+
+
+class SessionType(Enum):
+    DHCP_LEASE = "DHCP_LEASE"
+    NAT_SESSION = "NAT_SESSION"
+    TCP_CONNECTION = "TCP_CONNECTION"
+    SOCKET_CONNECTION = "SOCKET_CONNECTION"
+    BRIDGE_CLIENT = "BRIDGE_CLIENT"
+
+
+class SessionState(Enum):
+    INITIALIZING = "INITIALIZING"
+    ACTIVE = "ACTIVE"
+    IDLE = "IDLE"
+    CLOSING = "CLOSING"
+    CLOSED = "CLOSED"
+    ERROR = "ERROR"
+
+
+@dataclass
+class SessionMetrics:
+    """Session performance metrics"""
+    bytes_in: int = 0
+    bytes_out: int = 0
+    packets_in: int = 0
+    packets_out: int = 0
+    errors: int = 0
+    retransmits: int = 0
+    rtt_samples: List[float] = field(default_factory=list)
+    
+    @property
+    def total_bytes(self) -> int:
+        return self.bytes_in + self.bytes_out
+    
+    @property
+    def total_packets(self) -> int:
+        return self.packets_in + self.packets_out
+    
+    @property
+    def average_rtt(self) -> float:
+        return sum(self.rtt_samples) / len(self.rtt_samples) if self.rtt_samples else 0.0
+    
+    def update_bytes(self, bytes_in: int = 0, bytes_out: int = 0):
+        """Update byte counters"""
+        self.bytes_in += bytes_in
+        self.bytes_out += bytes_out
+    
+    def update_packets(self, packets_in: int = 0, packets_out: int = 0):
+        """Update packet counters"""
+        self.packets_in += packets_in
+        self.packets_out += packets_out
+    
+    def add_rtt_sample(self, rtt: float):
+        """Add RTT sample"""
+        self.rtt_samples.append(rtt)
+        # Keep only last 100 samples
+        if len(self.rtt_samples) > 100:
+            self.rtt_samples = self.rtt_samples[-100:]
+    
+    def to_dict(self) -> Dict:
+        """Convert to dictionary"""
+        return {
+            'bytes_in': self.bytes_in,
+            'bytes_out': self.bytes_out,
+            'packets_in': self.packets_in,
+            'packets_out': self.packets_out,
+            'total_bytes': self.total_bytes,
+            'total_packets': self.total_packets,
+            'errors': self.errors,
+            'retransmits': self.retransmits,
+            'average_rtt': self.average_rtt,
+            'rtt_samples_count': len(self.rtt_samples)
+        }
+
+
+@dataclass
+class UnifiedSession:
+    """Unified session representation"""
+    session_id: str
+    session_type: SessionType
+    state: SessionState
+    created_time: float
+    last_activity: float
+    
+    # Session identifiers
+    virtual_ip: Optional[str] = None
+    virtual_port: Optional[int] = None
+    real_ip: Optional[str] = None
+    real_port: Optional[int] = None
+    protocol: Optional[str] = None
+    
+    # Related sessions (for correlation)
+    related_sessions: Set[str] = field(default_factory=set)
+    parent_session: Optional[str] = None
+    child_sessions: Set[str] = field(default_factory=set)
+    
+    # Metrics
+    metrics: SessionMetrics = field(default_factory=SessionMetrics)
+    
+    # Additional data
+    metadata: Dict[str, Any] = field(default_factory=dict)
+    
+    def __post_init__(self):
+        if not self.session_id:
+            self.session_id = str(uuid.uuid4())
+        if self.created_time == 0:
+            self.created_time = time.time()
+        if self.last_activity == 0:
+            self.last_activity = time.time()
+    
+    def update_activity(self):
+        """Update last activity timestamp"""
+        self.last_activity = time.time()
+    
+    def add_related_session(self, session_id: str):
+        """Add related session"""
+        self.related_sessions.add(session_id)
+    
+    def add_child_session(self, session_id: str):
+        """Add child session"""
+        self.child_sessions.add(session_id)
+    
+    def set_parent_session(self, session_id: str):
+        """Set parent session"""
+        self.parent_session = session_id
+    
+    @property
+    def duration(self) -> float:
+        """Get session duration in seconds"""
+        return time.time() - self.created_time
+    
+    @property
+    def idle_time(self) -> float:
+        """Get idle time in seconds"""
+        return time.time() - self.last_activity
+    
+    def to_dict(self) -> Dict:
+        """Convert to dictionary"""
+        return {
+            'session_id': self.session_id,
+            'session_type': self.session_type.value,
+            'state': self.state.value,
+            'created_time': self.created_time,
+            'last_activity': self.last_activity,
+            'duration': self.duration,
+            'idle_time': self.idle_time,
+            'virtual_ip': self.virtual_ip,
+            'virtual_port': self.virtual_port,
+            'real_ip': self.real_ip,
+            'real_port': self.real_port,
+            'protocol': self.protocol,
+            'related_sessions': list(self.related_sessions),
+            'parent_session': self.parent_session,
+            'child_sessions': list(self.child_sessions),
+            'metrics': self.metrics.to_dict(),
+            'metadata': self.metadata
+        }
+
+
+class SessionTracker:
+    """Unified session tracker"""
+    
+    def __init__(self, config: Dict):
+        self.config = config
+        self.sessions: Dict[str, UnifiedSession] = {}
+        self.session_index: Dict[Tuple[str, str], Set[str]] = {}  # (type, key) -> session_ids
+        self.lock = threading.Lock()
+        
+        # Configuration
+        self.max_sessions = config.get('max_sessions', 10000)
+        self.session_timeout = config.get('session_timeout', 3600)
+        self.cleanup_interval = config.get('cleanup_interval', 300)
+        self.metrics_retention = config.get('metrics_retention', 86400)  # 24 hours
+        
+        # Statistics
+        self.stats = {
+            'total_sessions': 0,
+            'active_sessions': 0,
+            'expired_sessions': 0,
+            'session_types': {t.value: 0 for t in SessionType},
+            'session_states': {s.value: 0 for s in SessionState},
+            'cleanup_runs': 0,
+            'correlations_created': 0
+        }
+        
+        # Background tasks
+        self.running = False
+        self.cleanup_thread = None
+    
+    def _generate_session_key(self, session_type: SessionType, **kwargs) -> str:
+        """Generate session key for indexing"""
+        if session_type == SessionType.DHCP_LEASE:
+            return f"dhcp_{kwargs.get('mac_address', 'unknown')}"
+        elif session_type == SessionType.NAT_SESSION:
+            return f"nat_{kwargs.get('virtual_ip', '')}_{kwargs.get('virtual_port', 0)}_{kwargs.get('protocol', '')}"
+        elif session_type == SessionType.TCP_CONNECTION:
+            return f"tcp_{kwargs.get('local_ip', '')}_{kwargs.get('local_port', 0)}_{kwargs.get('remote_ip', '')}_{kwargs.get('remote_port', 0)}"
+        elif session_type == SessionType.SOCKET_CONNECTION:
+            return f"socket_{kwargs.get('connection_id', 'unknown')}"
+        elif session_type == SessionType.BRIDGE_CLIENT:
+            return f"bridge_{kwargs.get('client_id', 'unknown')}"
+        else:
+            return f"unknown_{time.time()}"
+    
+    def _add_to_index(self, session: UnifiedSession):
+        """Add session to search index"""
+        # Index by type
+        type_key = (session.session_type.value, 'all')
+        if type_key not in self.session_index:
+            self.session_index[type_key] = set()
+        self.session_index[type_key].add(session.session_id)
+        
+        # Index by IP addresses
+        if session.virtual_ip:
+            ip_key = ('virtual_ip', session.virtual_ip)
+            if ip_key not in self.session_index:
+                self.session_index[ip_key] = set()
+            self.session_index[ip_key].add(session.session_id)
+        
+        if session.real_ip:
+            ip_key = ('real_ip', session.real_ip)
+            if ip_key not in self.session_index:
+                self.session_index[ip_key] = set()
+            self.session_index[ip_key].add(session.session_id)
+        
+        # Index by protocol
+        if session.protocol:
+            proto_key = ('protocol', session.protocol)
+            if proto_key not in self.session_index:
+                self.session_index[proto_key] = set()
+            self.session_index[proto_key].add(session.session_id)
+    
+    def _remove_from_index(self, session: UnifiedSession):
+        """Remove session from search index"""
+        for key, session_set in self.session_index.items():
+            session_set.discard(session.session_id)
+    
+    def create_session(self, session_type: SessionType, **kwargs) -> str:
+        """Create new session"""
+        with self.lock:
+            # Check session limit
+            if len(self.sessions) >= self.max_sessions:
+                # Remove oldest expired session
+                self._cleanup_expired_sessions()
+                if len(self.sessions) >= self.max_sessions:
+                    return None
+            
+            # Create session
+            session = UnifiedSession(
+                session_id=kwargs.get('session_id', str(uuid.uuid4())),
+                session_type=session_type,
+                state=SessionState.INITIALIZING,
+                virtual_ip=kwargs.get('virtual_ip'),
+                virtual_port=kwargs.get('virtual_port'),
+                real_ip=kwargs.get('real_ip'),
+                real_port=kwargs.get('real_port'),
+                protocol=kwargs.get('protocol'),
+                metadata=kwargs.get('metadata', {})
+            )
+            
+            # Add to sessions
+            self.sessions[session.session_id] = session
+            self._add_to_index(session)
+            
+            # Update statistics
+            self.stats['total_sessions'] += 1
+            self.stats['active_sessions'] = len(self.sessions)
+            self.stats['session_types'][session_type.value] += 1
+            self.stats['session_states'][SessionState.INITIALIZING.value] += 1
+            
+            return session.session_id
+    
+    def update_session(self, session_id: str, **kwargs) -> bool:
+        """Update session"""
+        with self.lock:
+            session = self.sessions.get(session_id)
+            if not session:
+                return False
+            
+            # Update fields
+            old_state = session.state
+            
+            for key, value in kwargs.items():
+                if hasattr(session, key):
+                    setattr(session, key, value)
+            
+            session.update_activity()
+            
+            # Update state statistics
+            if 'state' in kwargs and kwargs['state'] != old_state:
+                self.stats['session_states'][old_state.value] -= 1
+                self.stats['session_states'][kwargs['state'].value] += 1
+            
+            return True
+    
+    def close_session(self, session_id: str, reason: str = "") -> bool:
+        """Close session"""
+        with self.lock:
+            session = self.sessions.get(session_id)
+            if not session:
+                return False
+            
+            old_state = session.state
+            session.state = SessionState.CLOSED
+            session.update_activity()
+            
+            if reason:
+                session.metadata['close_reason'] = reason
+            
+            # Update statistics
+            self.stats['session_states'][old_state.value] -= 1
+            self.stats['session_states'][SessionState.CLOSED.value] += 1
+            
+            return True
+    
+    def remove_session(self, session_id: str) -> bool:
+        """Remove session completely"""
+        with self.lock:
+            session = self.sessions.get(session_id)
+            if not session:
+                return False
+            
+            # Remove from index
+            self._remove_from_index(session)
+            
+            # Remove from sessions
+            del self.sessions[session_id]
+            
+            # Update statistics
+            self.stats['active_sessions'] = len(self.sessions)
+            self.stats['session_types'][session.session_type.value] -= 1
+            self.stats['session_states'][session.state.value] -= 1
+            
+            return True
+    
+    def get_session(self, session_id: str) -> Optional[UnifiedSession]:
+        """Get session by ID"""
+        with self.lock:
+            return self.sessions.get(session_id)
+    
+    def find_sessions(self, **criteria) -> List[UnifiedSession]:
+        """Find sessions by criteria"""
+        with self.lock:
+            matching_sessions = []
+            
+            # Use index if possible
+            if 'session_type' in criteria:
+                type_key = (criteria['session_type'].value if isinstance(criteria['session_type'], SessionType) else criteria['session_type'], 'all')
+                candidate_ids = self.session_index.get(type_key, set())
+            elif 'virtual_ip' in criteria:
+                ip_key = ('virtual_ip', criteria['virtual_ip'])
+                candidate_ids = self.session_index.get(ip_key, set())
+            elif 'real_ip' in criteria:
+                ip_key = ('real_ip', criteria['real_ip'])
+                candidate_ids = self.session_index.get(ip_key, set())
+            elif 'protocol' in criteria:
+                proto_key = ('protocol', criteria['protocol'])
+                candidate_ids = self.session_index.get(proto_key, set())
+            else:
+                candidate_ids = set(self.sessions.keys())
+            
+            # Filter candidates
+            for session_id in candidate_ids:
+                session = self.sessions.get(session_id)
+                if not session:
+                    continue
+                
+                match = True
+                for key, value in criteria.items():
+                    if hasattr(session, key):
+                        session_value = getattr(session, key)
+                        if isinstance(value, (SessionType, SessionState)):
+                            if session_value != value:
+                                match = False
+                                break
+                        elif session_value != value:
+                            match = False
+                            break
+                    else:
+                        match = False
+                        break
+                
+                if match:
+                    matching_sessions.append(session)
+            
+            return matching_sessions
+    
+    def correlate_sessions(self, session_id1: str, session_id2: str, relationship: str = 'related') -> bool:
+        """Create correlation between sessions"""
+        with self.lock:
+            session1 = self.sessions.get(session_id1)
+            session2 = self.sessions.get(session_id2)
+            
+            if not session1 or not session2:
+                return False
+            
+            if relationship == 'parent_child':
+                session1.add_child_session(session_id2)
+                session2.set_parent_session(session_id1)
+            else:
+                session1.add_related_session(session_id2)
+                session2.add_related_session(session_id1)
+            
+            self.stats['correlations_created'] += 1
+            return True
+    
+    def update_metrics(self, session_id: str, **metrics) -> bool:
+        """Update session metrics"""
+        with self.lock:
+            session = self.sessions.get(session_id)
+            if not session:
+                return False
+            
+            session.update_activity()
+            
+            # Update metrics
+            if 'bytes_in' in metrics or 'bytes_out' in metrics:
+                session.metrics.update_bytes(
+                    metrics.get('bytes_in', 0),
+                    metrics.get('bytes_out', 0)
+                )
+            
+            if 'packets_in' in metrics or 'packets_out' in metrics:
+                session.metrics.update_packets(
+                    metrics.get('packets_in', 0),
+                    metrics.get('packets_out', 0)
+                )
+            
+            if 'rtt' in metrics:
+                session.metrics.add_rtt_sample(metrics['rtt'])
+            
+            if 'errors' in metrics:
+                session.metrics.errors += metrics['errors']
+            
+            if 'retransmits' in metrics:
+                session.metrics.retransmits += metrics['retransmits']
+            
+            return True
+    
+    def _cleanup_expired_sessions(self):
+        """Clean up expired sessions"""
+        current_time = time.time()
+        expired_sessions = []
+        
+        for session_id, session in self.sessions.items():
+            # Check if session is expired
+            if (session.state == SessionState.CLOSED and 
+                current_time - session.last_activity > self.cleanup_interval):
+                expired_sessions.append(session_id)
+            elif (session.state != SessionState.CLOSED and 
+                  current_time - session.last_activity > self.session_timeout):
+                expired_sessions.append(session_id)
+        
+        # Remove expired sessions
+        for session_id in expired_sessions:
+            self.remove_session(session_id)
+            self.stats['expired_sessions'] += 1
+    
+    def _cleanup_loop(self):
+        """Background cleanup loop"""
+        while self.running:
+            try:
+                with self.lock:
+                    self._cleanup_expired_sessions()
+                    self.stats['cleanup_runs'] += 1
+                
+                time.sleep(self.cleanup_interval)
+            
+            except Exception as e:
+                print(f"Session tracker cleanup error: {e}")
+                time.sleep(60)
+    
+    def get_sessions(self, limit: int = 100, offset: int = 0, **filters) -> List[Dict]:
+        """Get sessions with pagination and filtering"""
+        with self.lock:
+            if filters:
+                sessions = self.find_sessions(**filters)
+            else:
+                sessions = list(self.sessions.values())
+            
+            # Sort by last activity (most recent first)
+            sessions.sort(key=lambda s: s.last_activity, reverse=True)
+            
+            # Apply pagination
+            paginated_sessions = sessions[offset:offset + limit]
+            
+            return [session.to_dict() for session in paginated_sessions]
+    
+    def get_session_summary(self) -> Dict:
+        """Get session summary statistics"""
+        with self.lock:
+            summary = {
+                'total_sessions': len(self.sessions),
+                'by_type': {},
+                'by_state': {},
+                'by_protocol': {},
+                'active_sessions_by_age': {
+                    'last_hour': 0,
+                    'last_day': 0,
+                    'older': 0
+                }
+            }
+            
+            current_time = time.time()
+            hour_ago = current_time - 3600
+            day_ago = current_time - 86400
+            
+            for session in self.sessions.values():
+                # Count by type
+                session_type = session.session_type.value
+                summary['by_type'][session_type] = summary['by_type'].get(session_type, 0) + 1
+                
+                # Count by state
+                session_state = session.state.value
+                summary['by_state'][session_state] = summary['by_state'].get(session_state, 0) + 1
+                
+                # Count by protocol
+                if session.protocol:
+                    summary['by_protocol'][session.protocol] = summary['by_protocol'].get(session.protocol, 0) + 1
+                
+                # Count by age
+                if session.last_activity > hour_ago:
+                    summary['active_sessions_by_age']['last_hour'] += 1
+                elif session.last_activity > day_ago:
+                    summary['active_sessions_by_age']['last_day'] += 1
+                else:
+                    summary['active_sessions_by_age']['older'] += 1
+            
+            return summary
+    
+    def get_stats(self) -> Dict:
+        """Get tracker statistics"""
+        with self.lock:
+            stats = self.stats.copy()
+            stats['active_sessions'] = len(self.sessions)
+        
+        return stats
+    
+    def reset_stats(self):
+        """Reset statistics"""
+        self.stats = {
+            'total_sessions': len(self.sessions),
+            'active_sessions': len(self.sessions),
+            'expired_sessions': 0,
+            'session_types': {t.value: 0 for t in SessionType},
+            'session_states': {s.value: 0 for s in SessionState},
+            'cleanup_runs': 0,
+            'correlations_created': 0
+        }
+        
+        # Recalculate current counts
+        with self.lock:
+            for session in self.sessions.values():
+                self.stats['session_types'][session.session_type.value] += 1
+                self.stats['session_states'][session.state.value] += 1
+    
+    def export_sessions(self, format: str = 'json') -> str:
+        """Export sessions data"""
+        with self.lock:
+            sessions_data = [session.to_dict() for session in self.sessions.values()]
+        
+        if format == 'json':
+            return json.dumps(sessions_data, indent=2, default=str)
+        else:
+            raise ValueError(f"Unsupported export format: {format}")
+    
+    def start(self):
+        """Start session tracker"""
+        self.running = True
+        self.cleanup_thread = threading.Thread(target=self._cleanup_loop, daemon=True)
+        self.cleanup_thread.start()
+        print("Session tracker started")
+    
+    def stop(self):
+        """Stop session tracker"""
+        self.running = False
+        if self.cleanup_thread:
+            self.cleanup_thread.join()
+        print("Session tracker stopped")
+

core/socket_translator.py

@@ -0,0 +1,653 @@
+"""
+Socket Translator Module
+
+Bridges virtual connections to real host sockets:
+- Map virtual connections to host sockets/HTTP clients
+- Bidirectional data streaming
+- Connection lifecycle management
+- Protocol translation (TCP/UDP to host sockets)
+"""
+
+import socket
+import threading
+import time
+import asyncio
+import aiohttp
+import ssl
+from typing import Dict, Optional, Callable, Tuple, Any
+from dataclasses import dataclass
+from enum import Enum
+import urllib.parse
+import json
+
+from .tcp_engine import TCPConnection
+
+
+class ConnectionType(Enum):
+    TCP_SOCKET = "TCP_SOCKET"
+    UDP_SOCKET = "UDP_SOCKET"
+    HTTP_CLIENT = "HTTP_CLIENT"
+    HTTPS_CLIENT = "HTTPS_CLIENT"
+
+
+@dataclass
+class SocketConnection:
+    """Represents a socket connection"""
+    connection_id: str
+    connection_type: ConnectionType
+    virtual_connection: Optional[TCPConnection]
+    host_socket: Optional[socket.socket]
+    remote_host: str
+    remote_port: int
+    created_time: float
+    last_activity: float
+    bytes_sent: int = 0
+    bytes_received: int = 0
+    is_connected: bool = False
+    error_count: int = 0
+    
+    def update_activity(self, bytes_transferred: int = 0, direction: str = 'sent'):
+        """Update connection activity"""
+        self.last_activity = time.time()
+        if direction == 'sent':
+            self.bytes_sent += bytes_transferred
+        else:
+            self.bytes_received += bytes_transferred
+    
+    def to_dict(self) -> Dict:
+        """Convert to dictionary"""
+        return {
+            'connection_id': self.connection_id,
+            'connection_type': self.connection_type.value,
+            'remote_host': self.remote_host,
+            'remote_port': self.remote_port,
+            'created_time': self.created_time,
+            'last_activity': self.last_activity,
+            'bytes_sent': self.bytes_sent,
+            'bytes_received': self.bytes_received,
+            'is_connected': self.is_connected,
+            'error_count': self.error_count,
+            'duration': time.time() - self.created_time
+        }
+
+
+class HTTPRequest:
+    """Represents an HTTP request"""
+    
+    def __init__(self, method: str = 'GET', path: str = '/', headers: Dict[str, str] = None, body: bytes = b''):
+        self.method = method.upper()
+        self.path = path
+        self.headers = headers or {}
+        self.body = body
+        self.version = 'HTTP/1.1'
+    
+    @classmethod
+    def parse(cls, data: bytes) -> Optional['HTTPRequest']:
+        """Parse HTTP request from raw data"""
+        try:
+            lines = data.decode('utf-8', errors='ignore').split('\r\n')
+            if not lines:
+                return None
+            
+            # Parse request line
+            request_line = lines[0].split(' ')
+            if len(request_line) < 3:
+                return None
+            
+            method, path, version = request_line[0], request_line[1], request_line[2]
+            
+            # Parse headers
+            headers = {}
+            body_start = 1
+            for i, line in enumerate(lines[1:], 1):
+                if line == '':
+                    body_start = i + 1
+                    break
+                if ':' in line:
+                    key, value = line.split(':', 1)
+                    headers[key.strip().lower()] = value.strip()
+            
+            # Parse body
+            body_lines = lines[body_start:]
+            body = '\r\n'.join(body_lines).encode('utf-8')
+            
+            return cls(method, path, headers, body)
+            
+        except Exception:
+            return None
+    
+    def to_bytes(self) -> bytes:
+        """Convert to raw HTTP request"""
+        request_line = f"{self.method} {self.path} {self.version}\r\n"
+        
+        # Add default headers
+        if 'host' not in self.headers:
+            self.headers['host'] = 'localhost'
+        if 'user-agent' not in self.headers:
+            self.headers['user-agent'] = 'VirtualISP/1.0'
+        if self.body and 'content-length' not in self.headers:
+            self.headers['content-length'] = str(len(self.body))
+        
+        # Build headers
+        header_lines = []
+        for key, value in self.headers.items():
+            header_lines.append(f"{key}: {value}\r\n")
+        
+        # Combine all parts
+        request_data = request_line + ''.join(header_lines) + '\r\n'
+        return request_data.encode('utf-8') + self.body
+
+
+class HTTPResponse:
+    """Represents an HTTP response"""
+    
+    def __init__(self, status_code: int = 200, reason: str = 'OK', headers: Dict[str, str] = None, body: bytes = b''):
+        self.status_code = status_code
+        self.reason = reason
+        self.headers = headers or {}
+        self.body = body
+        self.version = 'HTTP/1.1'
+    
+    @classmethod
+    def parse(cls, data: bytes) -> Optional['HTTPResponse']:
+        """Parse HTTP response from raw data"""
+        try:
+            lines = data.decode('utf-8', errors='ignore').split('\r\n')
+            if not lines:
+                return None
+            
+            # Parse status line
+            status_line = lines[0].split(' ', 2)
+            if len(status_line) < 3:
+                return None
+            
+            version, status_code, reason = status_line[0], int(status_line[1]), status_line[2]
+            
+            # Parse headers
+            headers = {}
+            body_start = 1
+            for i, line in enumerate(lines[1:], 1):
+                if line == '':
+                    body_start = i + 1
+                    break
+                if ':' in line:
+                    key, value = line.split(':', 1)
+                    headers[key.strip().lower()] = value.strip()
+            
+            # Parse body
+            body_lines = lines[body_start:]
+            body = '\r\n'.join(body_lines).encode('utf-8')
+            
+            return cls(status_code, reason, headers, body)
+            
+        except Exception:
+            return None
+    
+    def to_bytes(self) -> bytes:
+        """Convert to raw HTTP response"""
+        status_line = f"{self.version} {self.status_code} {self.reason}\r\n"
+        
+        # Add default headers
+        if 'content-length' not in self.headers and self.body:
+            self.headers['content-length'] = str(len(self.body))
+        if 'server' not in self.headers:
+            self.headers['server'] = 'VirtualISP/1.0'
+        
+        # Build headers
+        header_lines = []
+        for key, value in self.headers.items():
+            header_lines.append(f"{key}: {value}\r\n")
+        
+        # Combine all parts
+        response_data = status_line + ''.join(header_lines) + '\r\n'
+        return response_data.encode('utf-8') + self.body
+
+
+class SocketTranslator:
+    """Socket translator implementation"""
+    
+    def __init__(self, config: Dict):
+        self.config = config
+        self.connections: Dict[str, SocketConnection] = {}
+        self.lock = threading.Lock()
+        
+        # Configuration
+        self.connect_timeout = config.get('connect_timeout', 10)
+        self.read_timeout = config.get('read_timeout', 30)
+        self.max_connections = config.get('max_connections', 1000)
+        self.buffer_size = config.get('buffer_size', 8192)
+        
+        # HTTP client session
+        self.http_session = None
+        self.loop = None
+        
+        # Statistics
+        self.stats = {
+            'total_connections': 0,
+            'active_connections': 0,
+            'failed_connections': 0,
+            'bytes_transferred': 0,
+            'http_requests': 0,
+            'tcp_connections': 0,
+            'udp_connections': 0
+        }
+        
+        # Background tasks
+        self.running = False
+        self.cleanup_thread = None
+    
+    async def _init_http_session(self):
+        """Initialize HTTP client session"""
+        connector = aiohttp.TCPConnector(
+            limit=100,
+            limit_per_host=10,
+            ttl_dns_cache=300,
+            use_dns_cache=True,
+        )
+        
+        timeout = aiohttp.ClientTimeout(
+            total=self.read_timeout,
+            connect=self.connect_timeout
+        )
+        
+        self.http_session = aiohttp.ClientSession(
+            connector=connector,
+            timeout=timeout,
+            headers={'User-Agent': 'VirtualISP/1.0'}
+        )
+    
+    def _is_http_request(self, data: bytes) -> bool:
+        """Check if data looks like an HTTP request"""
+        try:
+            first_line = data.split(b'\r\n')[0].decode('utf-8', errors='ignore')
+            methods = ['GET', 'POST', 'PUT', 'DELETE', 'HEAD', 'OPTIONS', 'PATCH', 'TRACE']
+            return any(first_line.startswith(method + ' ') for method in methods)
+        except:
+            return False
+    
+    def _determine_connection_type(self, remote_host: str, remote_port: int, data: bytes = b'') -> ConnectionType:
+        """Determine the appropriate connection type"""
+        # Check for HTTP/HTTPS based on port and data
+        if remote_port == 80 or (data and self._is_http_request(data)):
+            return ConnectionType.HTTP_CLIENT
+        elif remote_port == 443:
+            return ConnectionType.HTTPS_CLIENT
+        else:
+            return ConnectionType.TCP_SOCKET
+    
+    def create_connection(self, virtual_conn: TCPConnection, remote_host: str, remote_port: int, 
+                         initial_data: bytes = b'') -> Optional[SocketConnection]:
+        """Create a new socket connection"""
+        connection_id = f"{virtual_conn.connection_id}->{remote_host}:{remote_port}"
+        
+        # Check connection limit
+        with self.lock:
+            if len(self.connections) >= self.max_connections:
+                return None
+        
+        # Determine connection type
+        conn_type = self._determine_connection_type(remote_host, remote_port, initial_data)
+        
+        # Create socket connection
+        socket_conn = SocketConnection(
+            connection_id=connection_id,
+            connection_type=conn_type,
+            virtual_connection=virtual_conn,
+            host_socket=None,
+            remote_host=remote_host,
+            remote_port=remote_port,
+            created_time=time.time(),
+            last_activity=time.time()
+        )
+        
+        with self.lock:
+            self.connections[connection_id] = socket_conn
+        
+        # Establish connection based on type
+        if conn_type in [ConnectionType.HTTP_CLIENT, ConnectionType.HTTPS_CLIENT]:
+            success = self._create_http_connection(socket_conn, initial_data)
+        else:
+            success = self._create_tcp_connection(socket_conn, initial_data)
+        
+        if success:
+            self.stats['total_connections'] += 1
+            self.stats['active_connections'] = len(self.connections)
+            
+            if conn_type in [ConnectionType.HTTP_CLIENT, ConnectionType.HTTPS_CLIENT]:
+                self.stats['http_requests'] += 1
+            else:
+                self.stats['tcp_connections'] += 1
+        else:
+            self.stats['failed_connections'] += 1
+            with self.lock:
+                if connection_id in self.connections:
+                    del self.connections[connection_id]
+            return None
+        
+        return socket_conn
+    
+    def _create_tcp_connection(self, socket_conn: SocketConnection, initial_data: bytes) -> bool:
+        """Create TCP socket connection"""
+        try:
+            # Create socket
+            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+            sock.settimeout(self.connect_timeout)
+            
+            # Connect
+            sock.connect((socket_conn.remote_host, socket_conn.remote_port))
+            sock.settimeout(self.read_timeout)
+            
+            socket_conn.host_socket = sock
+            socket_conn.is_connected = True
+            
+            # Send initial data if any
+            if initial_data:
+                sock.send(initial_data)
+                socket_conn.update_activity(len(initial_data), 'sent')
+            
+            # Start background thread for receiving data
+            thread = threading.Thread(
+                target=self._tcp_receive_loop,
+                args=(socket_conn,),
+                daemon=True
+            )
+            thread.start()
+            
+            return True
+            
+        except Exception as e:
+            print(f"Failed to create TCP connection to {socket_conn.remote_host}:{socket_conn.remote_port}: {e}")
+            socket_conn.error_count += 1
+            return False
+    
+    def _create_http_connection(self, socket_conn: SocketConnection, initial_data: bytes) -> bool:
+        """Create HTTP connection"""
+        try:
+            # Parse HTTP request
+            http_request = HTTPRequest.parse(initial_data)
+            if not http_request:
+                return False
+            
+            # Set host header
+            http_request.headers['host'] = socket_conn.remote_host
+            
+            # Start async HTTP request
+            if self.loop and not self.loop.is_closed():
+                asyncio.run_coroutine_threadsafe(
+                    self._handle_http_request(socket_conn, http_request),
+                    self.loop
+                )
+            else:
+                # Fallback to sync HTTP handling
+                return self._handle_http_request_sync(socket_conn, http_request)
+            
+            return True
+            
+        except Exception as e:
+            print(f"Failed to create HTTP connection to {socket_conn.remote_host}:{socket_conn.remote_port}: {e}")
+            socket_conn.error_count += 1
+            return False
+    
+    async def _handle_http_request(self, socket_conn: SocketConnection, http_request: HTTPRequest):
+        """Handle HTTP request asynchronously"""
+        try:
+            if not self.http_session:
+                await self._init_http_session()
+            
+            # Build URL
+            scheme = 'https' if socket_conn.connection_type == ConnectionType.HTTPS_CLIENT else 'http'
+            url = f"{scheme}://{socket_conn.remote_host}:{socket_conn.remote_port}{http_request.path}"
+            
+            # Make request
+            async with self.http_session.request(
+                method=http_request.method,
+                url=url,
+                headers=http_request.headers,
+                data=http_request.body
+            ) as response:
+                # Read response
+                response_body = await response.read()
+                
+                # Create HTTP response
+                http_response = HTTPResponse(
+                    status_code=response.status,
+                    reason=response.reason or 'OK',
+                    headers=dict(response.headers),
+                    body=response_body
+                )
+                
+                # Send response back to virtual connection
+                response_data = http_response.to_bytes()
+                if socket_conn.virtual_connection and socket_conn.virtual_connection.on_data_received:
+                    socket_conn.virtual_connection.on_data_received(response_data)
+                
+                socket_conn.update_activity(len(response_data), 'received')
+                self.stats['bytes_transferred'] += len(response_data)
+        
+        except Exception as e:
+            print(f"HTTP request failed: {e}")
+            socket_conn.error_count += 1
+            
+            # Send error response
+            error_response = HTTPResponse(
+                status_code=500,
+                reason='Internal Server Error',
+                body=f"Error: {str(e)}".encode('utf-8')
+            )
+            
+            response_data = error_response.to_bytes()
+            if socket_conn.virtual_connection and socket_conn.virtual_connection.on_data_received:
+                socket_conn.virtual_connection.on_data_received(response_data)
+    
+    def _handle_http_request_sync(self, socket_conn: SocketConnection, http_request: HTTPRequest) -> bool:
+        """Handle HTTP request synchronously (fallback)"""
+        try:
+            # Use urllib for sync HTTP requests
+            scheme = 'https' if socket_conn.connection_type == ConnectionType.HTTPS_CLIENT else 'http'
+            url = f"{scheme}://{socket_conn.remote_host}:{socket_conn.remote_port}{http_request.path}"
+            
+            import urllib.request
+            import urllib.error
+            
+            # Create request
+            req = urllib.request.Request(
+                url,
+                data=http_request.body if http_request.body else None,
+                headers=http_request.headers,
+                method=http_request.method
+            )
+            
+            # Make request
+            with urllib.request.urlopen(req, timeout=self.read_timeout) as response:
+                response_body = response.read()
+                
+                # Create HTTP response
+                http_response = HTTPResponse(
+                    status_code=response.getcode(),
+                    reason='OK',
+                    headers=dict(response.headers),
+                    body=response_body
+                )
+                
+                # Send response back to virtual connection
+                response_data = http_response.to_bytes()
+                if socket_conn.virtual_connection and socket_conn.virtual_connection.on_data_received:
+                    socket_conn.virtual_connection.on_data_received(response_data)
+                
+                socket_conn.update_activity(len(response_data), 'received')
+                self.stats['bytes_transferred'] += len(response_data)
+                
+                return True
+        
+        except Exception as e:
+            print(f"Sync HTTP request failed: {e}")
+            socket_conn.error_count += 1
+            return False
+    
+    def _tcp_receive_loop(self, socket_conn: SocketConnection):
+        """Background loop for receiving TCP data"""
+        sock = socket_conn.host_socket
+        if not sock:
+            return
+        
+        try:
+            while socket_conn.is_connected:
+                try:
+                    data = sock.recv(self.buffer_size)
+                    if not data:
+                        break
+                    
+                    # Forward data to virtual connection
+                    if socket_conn.virtual_connection and socket_conn.virtual_connection.on_data_received:
+                        socket_conn.virtual_connection.on_data_received(data)
+                    
+                    socket_conn.update_activity(len(data), 'received')
+                    self.stats['bytes_transferred'] += len(data)
+                    
+                except socket.timeout:
+                    continue
+                except Exception as e:
+                    print(f"TCP receive error: {e}")
+                    break
+        
+        finally:
+            self._close_connection(socket_conn.connection_id)
+    
+    def send_data(self, connection_id: str, data: bytes) -> bool:
+        """Send data through socket connection"""
+        with self.lock:
+            socket_conn = self.connections.get(connection_id)
+        
+        if not socket_conn or not socket_conn.is_connected:
+            return False
+        
+        try:
+            if socket_conn.connection_type in [ConnectionType.HTTP_CLIENT, ConnectionType.HTTPS_CLIENT]:
+                # For HTTP connections, treat as new request
+                return self._create_http_connection(socket_conn, data)
+            else:
+                # TCP connection
+                if socket_conn.host_socket:
+                    socket_conn.host_socket.send(data)
+                    socket_conn.update_activity(len(data), 'sent')
+                    self.stats['bytes_transferred'] += len(data)
+                    return True
+        
+        except Exception as e:
+            print(f"Failed to send data: {e}")
+            socket_conn.error_count += 1
+            self._close_connection(connection_id)
+        
+        return False
+    
+    def _close_connection(self, connection_id: str):
+        """Close socket connection"""
+        with self.lock:
+            socket_conn = self.connections.get(connection_id)
+            if not socket_conn:
+                return
+            
+            # Close socket
+            if socket_conn.host_socket:
+                try:
+                    socket_conn.host_socket.close()
+                except:
+                    pass
+            
+            socket_conn.is_connected = False
+            
+            # Remove from connections
+            del self.connections[connection_id]
+            
+            self.stats['active_connections'] = len(self.connections)
+    
+    def close_connection(self, connection_id: str) -> bool:
+        """Manually close connection"""
+        self._close_connection(connection_id)
+        return True
+    
+    def get_connection(self, connection_id: str) -> Optional[SocketConnection]:
+        """Get socket connection"""
+        with self.lock:
+            return self.connections.get(connection_id)
+    
+    def get_connections(self) -> Dict[str, Dict]:
+        """Get all socket connections"""
+        with self.lock:
+            return {
+                conn_id: conn.to_dict()
+                for conn_id, conn in self.connections.items()
+            }
+    
+    def get_stats(self) -> Dict:
+        """Get socket translator statistics"""
+        with self.lock:
+            stats = self.stats.copy()
+            stats['active_connections'] = len(self.connections)
+        
+        return stats
+    
+    def _cleanup_loop(self):
+        """Background cleanup loop"""
+        while self.running:
+            try:
+                current_time = time.time()
+                expired_connections = []
+                
+                with self.lock:
+                    for conn_id, conn in self.connections.items():
+                        # Close connections that have been inactive too long
+                        if current_time - conn.last_activity > self.read_timeout * 2:
+                            expired_connections.append(conn_id)
+                
+                for conn_id in expired_connections:
+                    self._close_connection(conn_id)
+                
+                time.sleep(30)  # Cleanup every 30 seconds
+                
+            except Exception as e:
+                print(f"Socket translator cleanup error: {e}")
+                time.sleep(5)
+    
+    def start(self):
+        """Start socket translator"""
+        self.running = True
+        
+        # Start event loop for async HTTP
+        try:
+            self.loop = asyncio.new_event_loop()
+            asyncio.set_event_loop(self.loop)
+            
+            # Start cleanup thread
+            self.cleanup_thread = threading.Thread(target=self._cleanup_loop, daemon=True)
+            self.cleanup_thread.start()
+            
+            print("Socket translator started")
+        except Exception as e:
+            print(f"Failed to start socket translator: {e}")
+    
+    def stop(self):
+        """Stop socket translator"""
+        self.running = False
+        
+        # Close all connections
+        with self.lock:
+            connection_ids = list(self.connections.keys())
+        
+        for conn_id in connection_ids:
+            self._close_connection(conn_id)
+        
+        # Close HTTP session
+        if self.http_session:
+            asyncio.run_coroutine_threadsafe(self.http_session.close(), self.loop)
+        
+        # Close event loop
+        if self.loop and not self.loop.is_closed():
+            self.loop.call_soon_threadsafe(self.loop.stop)
+        
+        # Wait for cleanup thread
+        if self.cleanup_thread:
+            self.cleanup_thread.join()
+        
+        print("Socket translator stopped")
+

core/tcp_engine.py

@@ -0,0 +1,716 @@
+"""
+TCP Engine Module
+
+Implements a complete TCP state machine in user-space:
+- Full TCP state machine (SYN, SYN-ACK, ESTABLISHED, FIN, RST)
+- Sequence and acknowledgment number tracking
+- Sliding window implementation
+- Retransmission and timeout handling
+- Congestion control
+"""
+
+import time
+import threading
+import random
+from typing import Dict, List, Optional, Tuple, Callable
+from dataclasses import dataclass, field
+from enum import Enum
+from collections import deque
+
+from .ip_parser import TCPHeader, IPv4Header, IPParser
+
+
+class TCPState(Enum):
+    CLOSED = "CLOSED"
+    LISTEN = "LISTEN"
+    SYN_SENT = "SYN_SENT"
+    SYN_RECEIVED = "SYN_RECEIVED"
+    ESTABLISHED = "ESTABLISHED"
+    FIN_WAIT_1 = "FIN_WAIT_1"
+    FIN_WAIT_2 = "FIN_WAIT_2"
+    CLOSE_WAIT = "CLOSE_WAIT"
+    CLOSING = "CLOSING"
+    LAST_ACK = "LAST_ACK"
+    TIME_WAIT = "TIME_WAIT"
+
+
+@dataclass
+class TCPSegment:
+    """Represents a TCP segment"""
+    seq_num: int
+    ack_num: int
+    flags: int
+    window: int
+    data: bytes
+    timestamp: float = field(default_factory=time.time)
+    retransmit_count: int = 0
+    
+    @property
+    def data_length(self) -> int:
+        """Get data length"""
+        return len(self.data)
+    
+    @property
+    def seq_end(self) -> int:
+        """Get sequence number after this segment"""
+        length = self.data_length
+        # SYN and FIN consume one sequence number
+        if self.flags & 0x02:  # SYN
+            length += 1
+        if self.flags & 0x01:  # FIN
+            length += 1
+        return self.seq_num + length
+
+
+@dataclass
+class TCPConnection:
+    """Represents a TCP connection state"""
+    # Connection identification
+    local_ip: str
+    local_port: int
+    remote_ip: str
+    remote_port: int
+    
+    # State
+    state: TCPState = TCPState.CLOSED
+    
+    # Sequence numbers
+    local_seq: int = 0
+    local_ack: int = 0
+    remote_seq: int = 0
+    remote_ack: int = 0
+    initial_seq: int = 0
+    
+    # Window management
+    local_window: int = 65535
+    remote_window: int = 65535
+    window_scale: int = 0
+    
+    # Buffers
+    send_buffer: deque = field(default_factory=deque)
+    recv_buffer: deque = field(default_factory=deque)
+    out_of_order_buffer: Dict[int, bytes] = field(default_factory=dict)
+    
+    # Retransmission
+    unacked_segments: Dict[int, TCPSegment] = field(default_factory=dict)
+    retransmit_timer: Optional[float] = None
+    rto: float = 1.0  # Retransmission timeout
+    srtt: float = 0.0  # Smoothed round-trip time
+    rttvar: float = 0.0  # Round-trip time variation
+    
+    # Congestion control
+    cwnd: int = 1  # Congestion window (in MSS units)
+    ssthresh: int = 65535  # Slow start threshold
+    mss: int = 1460  # Maximum segment size
+    
+    # Timers
+    last_activity: float = field(default_factory=time.time)
+    time_wait_start: Optional[float] = None
+    
+    # Callbacks
+    on_data_received: Optional[Callable[[bytes], None]] = None
+    on_connection_closed: Optional[Callable[[], None]] = None
+    
+    @property
+    def connection_id(self) -> str:
+        """Get unique connection identifier"""
+        return f"{self.local_ip}:{self.local_port}-{self.remote_ip}:{self.remote_port}"
+    
+    @property
+    def is_established(self) -> bool:
+        """Check if connection is established"""
+        return self.state == TCPState.ESTABLISHED
+    
+    @property
+    def can_send_data(self) -> bool:
+        """Check if connection can send data"""
+        return self.state in [TCPState.ESTABLISHED, TCPState.CLOSE_WAIT]
+    
+    @property
+    def effective_window(self) -> int:
+        """Get effective send window"""
+        return min(self.remote_window, self.cwnd * self.mss)
+
+
+class TCPEngine:
+    """TCP state machine implementation"""
+    
+    def __init__(self, config: Dict):
+        self.config = config
+        self.connections: Dict[str, TCPConnection] = {}
+        self.listening_ports: Dict[int, Callable] = {}  # port -> accept callback
+        self.lock = threading.Lock()
+        self.running = False
+        self.timer_thread = None
+        
+        # Default configuration
+        self.default_mss = config.get('mss', 1460)
+        self.default_window = config.get('initial_window', 65535)
+        self.max_retries = config.get('max_retries', 3)
+        self.connection_timeout = config.get('timeout', 300)
+        self.time_wait_timeout = config.get('time_wait_timeout', 120)
+    
+    def _generate_isn(self) -> int:
+        """Generate Initial Sequence Number"""
+        return random.randint(0, 0xFFFFFFFF)
+    
+    def _get_connection_key(self, local_ip: str, local_port: int, remote_ip: str, remote_port: int) -> str:
+        """Get connection key"""
+        return f"{local_ip}:{local_port}-{remote_ip}:{remote_port}"
+    
+    def _create_tcp_segment(self, conn: TCPConnection, flags: int, data: bytes = b'') -> TCPSegment:
+        """Create TCP segment"""
+        segment = TCPSegment(
+            seq_num=conn.local_seq,
+            ack_num=conn.local_ack,
+            flags=flags,
+            window=conn.local_window,
+            data=data
+        )
+        return segment
+    
+    def _build_tcp_packet(self, conn: TCPConnection, segment: TCPSegment) -> bytes:
+        """Build complete TCP packet"""
+        # Create IP header
+        ip_header = IPv4Header(
+            protocol=6,  # TCP
+            source_ip=conn.local_ip,
+            dest_ip=conn.remote_ip,
+            ttl=64
+        )
+        
+        # Create TCP header
+        tcp_header = TCPHeader(
+            source_port=conn.local_port,
+            dest_port=conn.remote_port,
+            seq_num=segment.seq_num,
+            ack_num=segment.ack_num,
+            flags=segment.flags,
+            window_size=segment.window
+        )
+        
+        # Build packet
+        return IPParser.build_packet(ip_header, tcp_header, segment.data)
+    
+    def _update_rto(self, conn: TCPConnection, rtt: float):
+        """Update retransmission timeout using RFC 6298"""
+        if conn.srtt == 0:
+            # First RTT measurement
+            conn.srtt = rtt
+            conn.rttvar = rtt / 2
+        else:
+            # Subsequent measurements
+            alpha = 0.125
+            beta = 0.25
+            conn.rttvar = (1 - beta) * conn.rttvar + beta * abs(conn.srtt - rtt)
+            conn.srtt = (1 - alpha) * conn.srtt + alpha * rtt
+        
+        # Calculate RTO
+        conn.rto = max(1.0, conn.srtt + 4 * conn.rttvar)
+        conn.rto = min(conn.rto, 60.0)  # Cap at 60 seconds
+    
+    def _update_congestion_window(self, conn: TCPConnection, acked_bytes: int):
+        """Update congestion window (simplified congestion control)"""
+        if conn.cwnd < conn.ssthresh:
+            # Slow start
+            conn.cwnd += 1
+        else:
+            # Congestion avoidance
+            conn.cwnd += max(1, conn.mss * conn.mss // conn.cwnd)
+    
+    def _handle_retransmission(self, conn: TCPConnection):
+        """Handle segment retransmission"""
+        current_time = time.time()
+        
+        # Find segments that need retransmission
+        to_retransmit = []
+        for seq_num, segment in conn.unacked_segments.items():
+            if current_time - segment.timestamp > conn.rto:
+                if segment.retransmit_count < self.max_retries:
+                    to_retransmit.append(segment)
+                else:
+                    # Max retries exceeded, close connection
+                    self._close_connection(conn, reset=True)
+                    return
+        
+        # Retransmit segments
+        for segment in to_retransmit:
+            segment.retransmit_count += 1
+            segment.timestamp = current_time
+            
+            # Exponential backoff
+            conn.rto = min(conn.rto * 2, 60.0)
+            
+            # Congestion control: reduce window
+            conn.ssthresh = max(conn.cwnd // 2, 2)
+            conn.cwnd = 1
+            
+            # Send retransmitted segment
+            packet = self._build_tcp_packet(conn, segment)
+            self._send_packet(packet)
+    
+    def _send_packet(self, packet: bytes):
+        """Send packet (to be implemented by integration layer)"""
+        # This will be connected to the packet bridge
+        pass
+    
+    def _close_connection(self, conn: TCPConnection, reset: bool = False):
+        """Close connection"""
+        if reset:
+            # Send RST
+            segment = self._create_tcp_segment(conn, 0x04)  # RST flag
+            packet = self._build_tcp_packet(conn, segment)
+            self._send_packet(packet)
+            conn.state = TCPState.CLOSED
+        else:
+            # Normal close
+            if conn.state == TCPState.ESTABLISHED:
+                # Send FIN
+                segment = self._create_tcp_segment(conn, 0x01)  # FIN flag
+                packet = self._build_tcp_packet(conn, segment)
+                self._send_packet(packet)
+                conn.local_seq += 1
+                conn.state = TCPState.FIN_WAIT_1
+        
+        # Cleanup if closed
+        if conn.state == TCPState.CLOSED:
+            if conn.on_connection_closed:
+                conn.on_connection_closed()
+            
+            with self.lock:
+                if conn.connection_id in self.connections:
+                    del self.connections[conn.connection_id]
+    
+    def listen(self, port: int, accept_callback: Callable):
+        """Listen on port for incoming connections"""
+        with self.lock:
+            self.listening_ports[port] = accept_callback
+    
+    def connect(self, local_ip: str, local_port: int, remote_ip: str, remote_port: int) -> Optional[TCPConnection]:
+        """Initiate outbound connection"""
+        conn_key = self._get_connection_key(local_ip, local_port, remote_ip, remote_port)
+        
+        # Create connection
+        conn = TCPConnection(
+            local_ip=local_ip,
+            local_port=local_port,
+            remote_ip=remote_ip,
+            remote_port=remote_port,
+            state=TCPState.SYN_SENT,
+            local_seq=self._generate_isn(),
+            mss=self.default_mss,
+            local_window=self.default_window
+        )
+        conn.initial_seq = conn.local_seq
+        
+        with self.lock:
+            self.connections[conn_key] = conn
+        
+        # Send SYN
+        segment = self._create_tcp_segment(conn, 0x02)  # SYN flag
+        packet = self._build_tcp_packet(conn, segment)
+        self._send_packet(packet)
+        
+        # Track unacked segment
+        conn.unacked_segments[conn.local_seq] = segment
+        conn.local_seq += 1
+        conn.retransmit_timer = time.time()
+        
+        return conn
+    
+    def send_data(self, conn: TCPConnection, data: bytes) -> bool:
+        """Send data on established connection"""
+        if not conn.can_send_data:
+            return False
+        
+        # Add to send buffer
+        conn.send_buffer.append(data)
+        
+        # Try to send immediately
+        self._try_send_data(conn)
+        
+        return True
+    
+    def _try_send_data(self, conn: TCPConnection):
+        """Try to send buffered data"""
+        while conn.send_buffer and len(conn.unacked_segments) * conn.mss < conn.effective_window:
+            data = conn.send_buffer.popleft()
+            
+            # Split data if larger than MSS
+            while data:
+                chunk = data[:conn.mss]
+                data = data[conn.mss:]
+                
+                # Create and send segment
+                segment = self._create_tcp_segment(conn, 0x18, chunk)  # PSH+ACK flags
+                packet = self._build_tcp_packet(conn, segment)
+                self._send_packet(packet)
+                
+                # Track unacked segment
+                conn.unacked_segments[conn.local_seq] = segment
+                conn.local_seq += len(chunk)
+                
+                if not data:
+                    break
+    
+    def process_packet(self, packet_data: bytes) -> bool:
+        """Process incoming TCP packet"""
+        try:
+            # Parse packet
+            parsed = IPParser.parse_packet(packet_data)
+            if not isinstance(parsed.transport_header, TCPHeader):
+                return False
+            
+            ip_header = parsed.ip_header
+            tcp_header = parsed.transport_header
+            payload = parsed.payload
+            
+            # Find or create connection
+            conn_key = self._get_connection_key(
+                ip_header.dest_ip, tcp_header.dest_port,
+                ip_header.source_ip, tcp_header.source_port
+            )
+            
+            with self.lock:
+                conn = self.connections.get(conn_key)
+                
+                # Handle new connection (SYN to listening port)
+                if not conn and tcp_header.syn and not tcp_header.ack:
+                    if tcp_header.dest_port in self.listening_ports:
+                        conn = self._handle_new_connection(ip_header, tcp_header)
+                        if conn:
+                            self.connections[conn_key] = conn
+                
+                if not conn:
+                    # Send RST for unknown connection
+                    self._send_rst(ip_header, tcp_header)
+                    return False
+            
+            # Process segment
+            return self._process_segment(conn, tcp_header, payload)
+            
+        except Exception as e:
+            print(f"Error processing TCP packet: {e}")
+            return False
+    
+    def _handle_new_connection(self, ip_header: IPv4Header, tcp_header: TCPHeader) -> Optional[TCPConnection]:
+        """Handle new incoming connection"""
+        accept_callback = self.listening_ports.get(tcp_header.dest_port)
+        if not accept_callback:
+            return None
+        
+        # Create connection
+        conn = TCPConnection(
+            local_ip=ip_header.dest_ip,
+            local_port=tcp_header.dest_port,
+            remote_ip=ip_header.source_ip,
+            remote_port=tcp_header.source_port,
+            state=TCPState.SYN_RECEIVED,
+            local_seq=self._generate_isn(),
+            remote_seq=tcp_header.seq_num,
+            local_ack=tcp_header.seq_num + 1,
+            mss=self.default_mss,
+            local_window=self.default_window
+        )
+        conn.initial_seq = conn.local_seq
+        
+        # Send SYN-ACK
+        segment = self._create_tcp_segment(conn, 0x12)  # SYN+ACK flags
+        packet = self._build_tcp_packet(conn, segment)
+        self._send_packet(packet)
+        
+        # Track unacked segment
+        conn.unacked_segments[conn.local_seq] = segment
+        conn.local_seq += 1
+        conn.retransmit_timer = time.time()
+        
+        # Call accept callback
+        accept_callback(conn)
+        
+        return conn
+    
+    def _process_segment(self, conn: TCPConnection, tcp_header: TCPHeader, payload: bytes) -> bool:
+        """Process TCP segment based on connection state"""
+        conn.last_activity = time.time()
+        
+        # Handle RST
+        if tcp_header.rst:
+            conn.state = TCPState.CLOSED
+            self._close_connection(conn)
+            return True
+        
+        # State machine
+        if conn.state == TCPState.SYN_SENT:
+            return self._handle_syn_sent(conn, tcp_header, payload)
+        elif conn.state == TCPState.SYN_RECEIVED:
+            return self._handle_syn_received(conn, tcp_header, payload)
+        elif conn.state == TCPState.ESTABLISHED:
+            return self._handle_established(conn, tcp_header, payload)
+        elif conn.state == TCPState.FIN_WAIT_1:
+            return self._handle_fin_wait_1(conn, tcp_header, payload)
+        elif conn.state == TCPState.FIN_WAIT_2:
+            return self._handle_fin_wait_2(conn, tcp_header, payload)
+        elif conn.state == TCPState.CLOSE_WAIT:
+            return self._handle_close_wait(conn, tcp_header, payload)
+        elif conn.state == TCPState.CLOSING:
+            return self._handle_closing(conn, tcp_header, payload)
+        elif conn.state == TCPState.LAST_ACK:
+            return self._handle_last_ack(conn, tcp_header, payload)
+        elif conn.state == TCPState.TIME_WAIT:
+            return self._handle_time_wait(conn, tcp_header, payload)
+        
+        return False
+    
+    def _handle_syn_sent(self, conn: TCPConnection, tcp_header: TCPHeader, payload: bytes) -> bool:
+        """Handle segment in SYN_SENT state"""
+        if tcp_header.syn and tcp_header.ack:
+            # SYN-ACK received
+            if tcp_header.ack_num == conn.local_seq:
+                conn.remote_seq = tcp_header.seq_num
+                conn.local_ack = tcp_header.seq_num + 1
+                conn.remote_window = tcp_header.window_size
+                
+                # Remove SYN from unacked segments
+                if conn.local_seq - 1 in conn.unacked_segments:
+                    del conn.unacked_segments[conn.local_seq - 1]
+                
+                # Send ACK
+                segment = self._create_tcp_segment(conn, 0x10)  # ACK flag
+                packet = self._build_tcp_packet(conn, segment)
+                self._send_packet(packet)
+                
+                conn.state = TCPState.ESTABLISHED
+                return True
+        
+        return False
+    
+    def _handle_syn_received(self, conn: TCPConnection, tcp_header: TCPHeader, payload: bytes) -> bool:
+        """Handle segment in SYN_RECEIVED state"""
+        if tcp_header.ack and tcp_header.ack_num == conn.local_seq:
+            # ACK for our SYN-ACK
+            conn.remote_window = tcp_header.window_size
+            
+            # Remove SYN-ACK from unacked segments
+            if conn.local_seq - 1 in conn.unacked_segments:
+                del conn.unacked_segments[conn.local_seq - 1]
+            
+            conn.state = TCPState.ESTABLISHED
+            return True
+        
+        return False
+    
+    def _handle_established(self, conn: TCPConnection, tcp_header: TCPHeader, payload: bytes) -> bool:
+        """Handle segment in ESTABLISHED state"""
+        # Handle ACK
+        if tcp_header.ack:
+            self._process_ack(conn, tcp_header.ack_num)
+        
+        # Handle data
+        if payload and tcp_header.seq_num == conn.local_ack:
+            conn.local_ack += len(payload)
+            
+            # Deliver data
+            if conn.on_data_received:
+                conn.on_data_received(payload)
+            
+            # Send ACK
+            segment = self._create_tcp_segment(conn, 0x10)  # ACK flag
+            packet = self._build_tcp_packet(conn, segment)
+            self._send_packet(packet)
+        
+        # Handle FIN
+        if tcp_header.fin:
+            conn.local_ack += 1
+            
+            # Send ACK
+            segment = self._create_tcp_segment(conn, 0x10)  # ACK flag
+            packet = self._build_tcp_packet(conn, segment)
+            self._send_packet(packet)
+            
+            conn.state = TCPState.CLOSE_WAIT
+        
+        return True
+    
+    def _handle_fin_wait_1(self, conn: TCPConnection, tcp_header: TCPHeader, payload: bytes) -> bool:
+        """Handle segment in FIN_WAIT_1 state"""
+        if tcp_header.ack:
+            self._process_ack(conn, tcp_header.ack_num)
+            if not conn.unacked_segments:  # Our FIN was ACKed
+                conn.state = TCPState.FIN_WAIT_2
+        
+        if tcp_header.fin:
+            conn.local_ack += 1
+            
+            # Send ACK
+            segment = self._create_tcp_segment(conn, 0x10)  # ACK flag
+            packet = self._build_tcp_packet(conn, segment)
+            self._send_packet(packet)
+            
+            if conn.state == TCPState.FIN_WAIT_2:
+                conn.state = TCPState.TIME_WAIT
+                conn.time_wait_start = time.time()
+            else:
+                conn.state = TCPState.CLOSING
+        
+        return True
+    
+    def _handle_fin_wait_2(self, conn: TCPConnection, tcp_header: TCPHeader, payload: bytes) -> bool:
+        """Handle segment in FIN_WAIT_2 state"""
+        if tcp_header.fin:
+            conn.local_ack += 1
+            
+            # Send ACK
+            segment = self._create_tcp_segment(conn, 0x10)  # ACK flag
+            packet = self._build_tcp_packet(conn, segment)
+            self._send_packet(packet)
+            
+            conn.state = TCPState.TIME_WAIT
+            conn.time_wait_start = time.time()
+        
+        return True
+    
+    def _handle_close_wait(self, conn: TCPConnection, tcp_header: TCPHeader, payload: bytes) -> bool:
+        """Handle segment in CLOSE_WAIT state"""
+        # Application should close the connection
+        return True
+    
+    def _handle_closing(self, conn: TCPConnection, tcp_header: TCPHeader, payload: bytes) -> bool:
+        """Handle segment in CLOSING state"""
+        if tcp_header.ack:
+            self._process_ack(conn, tcp_header.ack_num)
+            if not conn.unacked_segments:  # Our FIN was ACKed
+                conn.state = TCPState.TIME_WAIT
+                conn.time_wait_start = time.time()
+        
+        return True
+    
+    def _handle_last_ack(self, conn: TCPConnection, tcp_header: TCPHeader, payload: bytes) -> bool:
+        """Handle segment in LAST_ACK state"""
+        if tcp_header.ack:
+            self._process_ack(conn, tcp_header.ack_num)
+            if not conn.unacked_segments:  # Our FIN was ACKed
+                conn.state = TCPState.CLOSED
+                self._close_connection(conn)
+        
+        return True
+    
+    def _handle_time_wait(self, conn: TCPConnection, tcp_header: TCPHeader, payload: bytes) -> bool:
+        """Handle segment in TIME_WAIT state"""
+        # Just acknowledge any segments
+        if tcp_header.seq_num == conn.local_ack:
+            segment = self._create_tcp_segment(conn, 0x10)  # ACK flag
+            packet = self._build_tcp_packet(conn, segment)
+            self._send_packet(packet)
+        
+        return True
+    
+    def _process_ack(self, conn: TCPConnection, ack_num: int):
+        """Process ACK and remove acknowledged segments"""
+        acked_segments = []
+        acked_bytes = 0
+        
+        for seq_num, segment in list(conn.unacked_segments.items()):
+            if seq_num < ack_num:
+                acked_segments.append((seq_num, segment))
+                acked_bytes += segment.data_length
+                del conn.unacked_segments[seq_num]
+        
+        # Update RTT and congestion window
+        if acked_segments:
+            # Use first acked segment for RTT calculation
+            rtt = time.time() - acked_segments[0][1].timestamp
+            self._update_rto(conn, rtt)
+            self._update_congestion_window(conn, acked_bytes)
+            
+            # Try to send more data
+            self._try_send_data(conn)
+    
+    def _send_rst(self, ip_header: IPv4Header, tcp_header: TCPHeader):
+        """Send RST for unknown connection"""
+        # Create RST response
+        rst_ip = IPv4Header(
+            protocol=6,
+            source_ip=ip_header.dest_ip,
+            dest_ip=ip_header.source_ip,
+            ttl=64
+        )
+        
+        rst_tcp = TCPHeader(
+            source_port=tcp_header.dest_port,
+            dest_port=tcp_header.source_port,
+            seq_num=tcp_header.ack_num if tcp_header.ack else 0,
+            ack_num=tcp_header.seq_num + 1 if tcp_header.syn else tcp_header.seq_num,
+            flags=0x14 if tcp_header.ack else 0x04  # RST+ACK or RST
+        )
+        
+        packet = IPParser.build_packet(rst_ip, rst_tcp)
+        self._send_packet(packet)
+    
+    def _timer_loop(self):
+        """Timer loop for handling timeouts"""
+        while self.running:
+            current_time = time.time()
+            
+            with self.lock:
+                connections_to_check = list(self.connections.values())
+            
+            for conn in connections_to_check:
+                # Handle retransmissions
+                if conn.unacked_segments:
+                    self._handle_retransmission(conn)
+                
+                # Handle connection timeout
+                if current_time - conn.last_activity > self.connection_timeout:
+                    self._close_connection(conn, reset=True)
+                
+                # Handle TIME_WAIT timeout
+                if (conn.state == TCPState.TIME_WAIT and 
+                    conn.time_wait_start and 
+                    current_time - conn.time_wait_start > self.time_wait_timeout):
+                    conn.state = TCPState.CLOSED
+                    self._close_connection(conn)
+            
+            time.sleep(1)  # Check every second
+    
+    def start(self):
+        """Start TCP engine"""
+        self.running = True
+        self.timer_thread = threading.Thread(target=self._timer_loop, daemon=True)
+        self.timer_thread.start()
+        print("TCP engine started")
+    
+    def stop(self):
+        """Stop TCP engine"""
+        self.running = False
+        if self.timer_thread:
+            self.timer_thread.join()
+        
+        # Close all connections
+        with self.lock:
+            for conn in list(self.connections.values()):
+                self._close_connection(conn, reset=True)
+        
+        print("TCP engine stopped")
+    
+    def get_connections(self) -> Dict[str, Dict]:
+        """Get current connections"""
+        with self.lock:
+            return {
+                conn_id: {
+                    'local_ip': conn.local_ip,
+                    'local_port': conn.local_port,
+                    'remote_ip': conn.remote_ip,
+                    'remote_port': conn.remote_port,
+                    'state': conn.state.value,
+                    'local_seq': conn.local_seq,
+                    'local_ack': conn.local_ack,
+                    'remote_seq': conn.remote_seq,
+                    'remote_ack': conn.remote_ack,
+                    'window_size': conn.local_window,
+                    'cwnd': conn.cwnd,
+                    'unacked_segments': len(conn.unacked_segments),
+                    'last_activity': conn.last_activity
+                }
+                for conn_id, conn in self.connections.items()
+            }
+

core/traffic_router.py

@@ -0,0 +1,132 @@
+"""
+Traffic Router Module
+
+Handles routing of all client traffic through VPN for free data access using async TCP sockets.
+Optimized for performance and scalability.
+"""
+
+
+import asyncio
+import socket
+import logging
+from typing import Dict, Any, Optional
+
+logger = logging.getLogger(__name__)
+
+
+class TrafficRouter:
+    """Manages traffic routing for VPN clients using async TCP sockets"""
+
+    def __init__(self, config: Dict[str, Any], nat_engine: Any = None):
+        self.config = config
+        self.is_running = False
+        self.vpn_host = self.config.get("vpn_host", "127.0.0.1")
+        self.vpn_port = self.config.get("vpn_port", 9000)
+        self.internet_host = self.config.get("internet_host", "0.0.0.0")
+        self.internet_port = self.config.get("internet_port", 9001)
+        self.nat_engine = nat_engine
+        self.loop = None
+        self.vpn_server = None
+        self.internet_server = None
+        self.connections = set()
+        self.stats = {
+            "total_connections": 0,
+            "active_connections": 0,
+            "bytes_forwarded": 0,
+            "errors": 0
+        }
+
+    async def start(self):
+        """Start the traffic router using asyncio TCP servers"""
+        if self.is_running:
+            logger.warning("Traffic Router is already running")
+            return True
+
+        self.is_running = True
+        self.loop = asyncio.get_event_loop()
+        self.vpn_server = await asyncio.start_server(
+            lambda r, w: self._handle_connection(r, w, "VPN"),
+            self.vpn_host, self.vpn_port)
+        self.internet_server = await asyncio.start_server(
+            lambda r, w: self._handle_connection(r, w, "Internet"),
+            self.internet_host, self.internet_port)
+
+        logger.info(f"Traffic Router started on TCP endpoints: {self.vpn_host}:{self.vpn_port} and {self.internet_host}:{self.internet_port}")
+        return True
+
+    async def stop(self):
+        """Stop the traffic router"""
+        logger.info("Stopping Traffic Router...")
+        self.is_running = False
+        if self.vpn_server:
+            self.vpn_server.close()
+            await self.vpn_server.wait_closed()
+        if self.internet_server:
+            self.internet_server.close()
+            await self.internet_server.wait_closed()
+        for conn in list(self.connections):
+            conn.close()
+        logger.info("Traffic Router stopped")
+        return True
+
+    async def _handle_connection(self, reader: asyncio.StreamReader, writer: asyncio.StreamWriter, source_name: str):
+        """Handle a new connection and forward data asynchronously."""
+        peer = writer.get_extra_info("peername")
+        logger.info(f"Accepted connection from {peer} on {source_name}")
+        self.connections.add(writer)
+        try:
+            while self.is_running:
+                data = await reader.read(4096)
+                if not data:
+                    break
+                processed_data = None
+                if self.nat_engine:
+                    if source_name == "VPN":
+                        processed_data = self.nat_engine.process_outbound_packet(data)
+                    elif source_name == "Internet":
+                        processed_data = self.nat_engine.process_inbound_packet(data)
+                if processed_data:
+                    await self._forward_data(processed_data, source_name)
+                elif not self.nat_engine:
+                    await self._forward_data(data, source_name)
+                self.stats["bytes_forwarded"] += len(data)
+        except Exception as e:
+            self.stats["errors"] += 1
+            logger.error(f"Error in {source_name} connection: {e}")
+        finally:
+            writer.close()
+            await writer.wait_closed()
+            self.connections.discard(writer)
+
+    async def _forward_data(self, data: bytes, source_name: str):
+        """Forward data to the opposite endpoint."""
+        # This is a placeholder for actual forwarding logic.
+        # You may want to implement connection pooling or load balancing here.
+        # For demo, just log the forwarding event.
+        logger.debug(f"Forwarded {len(data)} bytes from {source_name}")
+
+    def get_stats(self) -> Dict[str, Any]:
+        """Get traffic router statistics"""
+        return {
+            "is_running": self.is_running,
+            "vpn_host": self.vpn_host,
+            "vpn_port": self.vpn_port,
+            "internet_host": self.internet_host,
+            "internet_port": self.internet_port,
+            "total_connections": self.stats["total_connections"],
+            "active_connections": len(self.connections),
+            "bytes_forwarded": self.stats["bytes_forwarded"],
+            "errors": self.stats["errors"]
+        }
+
+
+
+
+
+
+    def set_components(self, nat_engine: Any = None):
+        """Set references to other components for inter-operation."""
+        if nat_engine:
+            self.nat_engine = nat_engine
+
+

core/virtual_router.py

@@ -0,0 +1,565 @@
+"""
+Virtual Router Module
+
+Implements packet routing between virtual clients and external internet:
+- Maintain routing table for virtual network
+- Forward packets based on destination IP
+- Handle internal vs external routing decisions
+- Support static route configuration
+"""
+
+import ipaddress
+import time
+import threading
+from typing import Dict, List, Optional, Tuple, Set
+from dataclasses import dataclass
+from enum import Enum
+
+from .ip_parser import ParsedPacket, IPv4Header
+
+
+class RouteType(Enum):
+    DIRECT = "DIRECT"      # Directly connected network
+    STATIC = "STATIC"      # Static route
+    DEFAULT = "DEFAULT"    # Default route
+
+
+@dataclass
+class RouteEntry:
+    """Represents a routing table entry"""
+    destination: str       # Network in CIDR notation (e.g., "10.0.0.0/24")
+    gateway: Optional[str] # Next hop IP (None for direct routes)
+    interface: str         # Interface name or identifier
+    metric: int           # Route metric (lower is preferred)
+    route_type: RouteType
+    created_time: float
+    last_used: Optional[float] = None
+    use_count: int = 0
+    
+    def __post_init__(self):
+        if self.created_time == 0:
+            self.created_time = time.time()
+    
+    def record_use(self):
+        """Record route usage"""
+        self.use_count += 1
+        self.last_used = time.time()
+    
+    def matches_destination(self, ip: str) -> bool:
+        """Check if this route matches the destination IP"""
+        try:
+            network = ipaddress.ip_network(self.destination, strict=False)
+            return ipaddress.ip_address(ip) in network
+        except (ipaddress.AddressValueError, ValueError):
+            return False
+    
+    def to_dict(self) -> Dict:
+        """Convert route to dictionary"""
+        return {
+            'destination': self.destination,
+            'gateway': self.gateway,
+            'interface': self.interface,
+            'metric': self.metric,
+            'route_type': self.route_type.value,
+            'created_time': self.created_time,
+            'last_used': self.last_used,
+            'use_count': self.use_count
+        }
+
+
+@dataclass
+class Interface:
+    """Represents a network interface"""
+    name: str
+    ip_address: str
+    netmask: str
+    network: str           # Network in CIDR notation
+    enabled: bool = True
+    mtu: int = 1500
+    created_time: float = 0
+    
+    def __post_init__(self):
+        if self.created_time == 0:
+            self.created_time = time.time()
+        
+        # Calculate network if not provided
+        if not self.network:
+            try:
+                interface_network = ipaddress.ip_interface(f"{self.ip_address}/{self.netmask}")
+                self.network = str(interface_network.network)
+            except (ipaddress.AddressValueError, ValueError):
+                self.network = "0.0.0.0/0"
+    
+    def is_local_address(self, ip: str) -> bool:
+        """Check if IP address belongs to this interface's network"""
+        try:
+            network = ipaddress.ip_network(self.network, strict=False)
+            return ipaddress.ip_address(ip) in network
+        except (ipaddress.AddressValueError, ValueError):
+            return False
+    
+    def to_dict(self) -> Dict:
+        """Convert interface to dictionary"""
+        return {
+            'name': self.name,
+            'ip_address': self.ip_address,
+            'netmask': self.netmask,
+            'network': self.network,
+            'enabled': self.enabled,
+            'mtu': self.mtu,
+            'created_time': self.created_time
+        }
+
+
+class VirtualRouter:
+    """Virtual router implementation"""
+    
+    def __init__(self, config: Dict):
+        self.config = config
+        self.routing_table: List[RouteEntry] = []
+        self.interfaces: Dict[str, Interface] = {}
+        self.arp_table: Dict[str, str] = {}  # IP -> MAC mapping
+        self.lock = threading.Lock()
+        
+        # Router configuration
+        self.router_id = config.get('router_id', 'virtual-router-1')
+        self.default_gateway = config.get('default_gateway')
+        
+        # Statistics
+        self.stats = {
+            'packets_routed': 0,
+            'packets_dropped': 0,
+            'route_lookups': 0,
+            'arp_requests': 0,
+            'arp_replies': 0,
+            'routing_errors': 0
+        }
+        
+        # Initialize interfaces and routes
+        self._initialize_interfaces()
+        self._initialize_routes()
+    
+    def _initialize_interfaces(self):
+        """Initialize network interfaces from configuration"""
+        interfaces_config = self.config.get('interfaces', [])
+        
+        for iface_config in interfaces_config:
+            interface = Interface(
+                name=iface_config['name'],
+                ip_address=iface_config['ip_address'],
+                netmask=iface_config.get('netmask', '255.255.255.0'),
+                network=iface_config.get('network'),
+                enabled=iface_config.get('enabled', True),
+                mtu=iface_config.get('mtu', 1500)
+            )
+            
+            with self.lock:
+                self.interfaces[interface.name] = interface
+            
+            # Add direct route for interface network
+            self.add_route(
+                destination=interface.network,
+                gateway=None,
+                interface=interface.name,
+                metric=0,
+                route_type=RouteType.DIRECT
+            )
+    
+    def _initialize_routes(self):
+        """Initialize static routes from configuration"""
+        routes_config = self.config.get('static_routes', [])
+        
+        for route_config in routes_config:
+            self.add_route(
+                destination=route_config['destination'],
+                gateway=route_config.get('gateway'),
+                interface=route_config['interface'],
+                metric=route_config.get('metric', 10),
+                route_type=RouteType.STATIC
+            )
+        
+        # Add default route if configured
+        if self.default_gateway:
+            # Find interface for default gateway
+            default_interface = None
+            for interface in self.interfaces.values():
+                if interface.is_local_address(self.default_gateway):
+                    default_interface = interface.name
+                    break
+            
+            if default_interface:
+                self.add_route(
+                    destination="0.0.0.0/0",
+                    gateway=self.default_gateway,
+                    interface=default_interface,
+                    metric=100,
+                    route_type=RouteType.DEFAULT
+                )
+    
+    def add_interface(self, name: str, ip_address: str, netmask: str = "255.255.255.0", 
+                     network: Optional[str] = None, mtu: int = 1500) -> bool:
+        """Add network interface"""
+        with self.lock:
+            if name in self.interfaces:
+                return False
+            
+            interface = Interface(
+                name=name,
+                ip_address=ip_address,
+                netmask=netmask,
+                network=network,
+                mtu=mtu
+            )
+            
+            self.interfaces[name] = interface
+        
+        # Add direct route for interface network
+        self.add_route(
+            destination=interface.network,
+            gateway=None,
+            interface=name,
+            metric=0,
+            route_type=RouteType.DIRECT
+        )
+        
+        return True
+    
+    def remove_interface(self, name: str) -> bool:
+        """Remove network interface"""
+        with self.lock:
+            if name not in self.interfaces:
+                return False
+            
+            # Remove interface
+            del self.interfaces[name]
+            
+            # Remove routes associated with this interface
+            self.routing_table = [
+                route for route in self.routing_table 
+                if route.interface != name
+            ]
+        
+        return True
+    
+    def enable_interface(self, name: str) -> bool:
+        """Enable network interface"""
+        with self.lock:
+            if name in self.interfaces:
+                self.interfaces[name].enabled = True
+                return True
+        return False
+    
+    def disable_interface(self, name: str) -> bool:
+        """Disable network interface"""
+        with self.lock:
+            if name in self.interfaces:
+                self.interfaces[name].enabled = False
+                return True
+        return False
+    
+    def add_route(self, destination: str, gateway: Optional[str], interface: str, 
+                  metric: int = 10, route_type: RouteType = RouteType.STATIC) -> bool:
+        """Add route to routing table"""
+        try:
+            # Validate destination network
+            ipaddress.ip_network(destination, strict=False)
+            
+            # Validate gateway if provided
+            if gateway:
+                ipaddress.ip_address(gateway)
+            
+            route = RouteEntry(
+                destination=destination,
+                gateway=gateway,
+                interface=interface,
+                metric=metric,
+                route_type=route_type,
+                created_time=time.time()
+            )
+            
+            with self.lock:
+                # Check if interface exists
+                if interface not in self.interfaces:
+                    return False
+                
+                # Remove existing route with same destination and interface
+                self.routing_table = [
+                    r for r in self.routing_table 
+                    if not (r.destination == destination and r.interface == interface)
+                ]
+                
+                # Add new route
+                self.routing_table.append(route)
+                
+                # Sort by metric (lower metric = higher priority)
+                self.routing_table.sort(key=lambda r: (r.metric, r.created_time))
+            
+            return True
+            
+        except (ipaddress.AddressValueError, ValueError):
+            return False
+    
+    def remove_route(self, destination: str, interface: str) -> bool:
+        """Remove route from routing table"""
+        with self.lock:
+            original_count = len(self.routing_table)
+            self.routing_table = [
+                route for route in self.routing_table
+                if not (route.destination == destination and route.interface == interface)
+            ]
+            return len(self.routing_table) < original_count
+    
+    def lookup_route(self, destination_ip: str) -> Optional[RouteEntry]:
+        """Look up route for destination IP"""
+        self.stats['route_lookups'] += 1
+        
+        with self.lock:
+            # Find all matching routes
+            matching_routes = []
+            for route in self.routing_table:
+                # Skip disabled interfaces
+                interface = self.interfaces.get(route.interface)
+                if not interface or not interface.enabled:
+                    continue
+                
+                if route.matches_destination(destination_ip):
+                    matching_routes.append(route)
+            
+            if not matching_routes:
+                self.stats['routing_errors'] += 1
+                return None
+            
+            # Sort by specificity (longest prefix match) and then by metric
+            def route_priority(route):
+                try:
+                    network = ipaddress.ip_network(route.destination, strict=False)
+                    return (-network.prefixlen, route.metric, route.created_time)
+                except:
+                    return (0, route.metric, route.created_time)
+            
+            matching_routes.sort(key=route_priority)
+            best_route = matching_routes[0]
+            best_route.record_use()
+            
+            return best_route
+    
+    def route_packet(self, packet: ParsedPacket) -> Optional[Tuple[str, str]]:
+        """Route packet and return (next_hop_ip, interface)"""
+        self.stats['packets_routed'] += 1
+        
+        destination_ip = packet.ip_header.dest_ip
+        
+        # Look up route
+        route = self.lookup_route(destination_ip)
+        if not route:
+            self.stats['packets_dropped'] += 1
+            return None
+        
+        # Determine next hop
+        if route.gateway:
+            next_hop = route.gateway
+        else:
+            # Direct route - destination is next hop
+            next_hop = destination_ip
+        
+        return (next_hop, route.interface)
+    
+    def is_local_destination(self, ip: str) -> bool:
+        """Check if IP is a local destination (belongs to router interfaces)"""
+        with self.lock:
+            for interface in self.interfaces.values():
+                if interface.ip_address == ip:
+                    return True
+        return False
+    
+    def is_local_network(self, ip: str) -> bool:
+        """Check if IP belongs to any local network"""
+        with self.lock:
+            for interface in self.interfaces.values():
+                if interface.is_local_address(ip):
+                    return True
+        return False
+    
+    def get_interface_for_ip(self, ip: str) -> Optional[Interface]:
+        """Get interface that can reach the given IP"""
+        with self.lock:
+            for interface in self.interfaces.values():
+                if interface.enabled and interface.is_local_address(ip):
+                    return interface
+        return None
+    
+    def add_arp_entry(self, ip: str, mac: str):
+        """Add ARP table entry"""
+        with self.lock:
+            self.arp_table[ip] = mac
+    
+    def get_arp_entry(self, ip: str) -> Optional[str]:
+        """Get MAC address from ARP table"""
+        with self.lock:
+            return self.arp_table.get(ip)
+    
+    def remove_arp_entry(self, ip: str) -> bool:
+        """Remove ARP table entry"""
+        with self.lock:
+            if ip in self.arp_table:
+                del self.arp_table[ip]
+                return True
+        return False
+    
+    def clear_arp_table(self):
+        """Clear ARP table"""
+        with self.lock:
+            self.arp_table.clear()
+    
+    def get_routing_table(self) -> List[Dict]:
+        """Get routing table"""
+        with self.lock:
+            return [route.to_dict() for route in self.routing_table]
+    
+    def get_interfaces(self) -> Dict[str, Dict]:
+        """Get network interfaces"""
+        with self.lock:
+            return {
+                name: interface.to_dict()
+                for name, interface in self.interfaces.items()
+            }
+    
+    def get_arp_table(self) -> Dict[str, str]:
+        """Get ARP table"""
+        with self.lock:
+            return self.arp_table.copy()
+    
+    def get_stats(self) -> Dict:
+        """Get router statistics"""
+        with self.lock:
+            stats = self.stats.copy()
+            stats['total_routes'] = len(self.routing_table)
+            stats['total_interfaces'] = len(self.interfaces)
+            stats['enabled_interfaces'] = sum(1 for iface in self.interfaces.values() if iface.enabled)
+            stats['arp_entries'] = len(self.arp_table)
+        
+        return stats
+    
+    def reset_stats(self):
+        """Reset router statistics"""
+        self.stats = {
+            'packets_routed': 0,
+            'packets_dropped': 0,
+            'route_lookups': 0,
+            'arp_requests': 0,
+            'arp_replies': 0,
+            'routing_errors': 0
+        }
+        
+        # Reset route usage statistics
+        with self.lock:
+            for route in self.routing_table:
+                route.use_count = 0
+                route.last_used = None
+    
+    def flush_routes(self, route_type: Optional[RouteType] = None):
+        """Flush routes of specified type (or all if None)"""
+        with self.lock:
+            if route_type:
+                self.routing_table = [
+                    route for route in self.routing_table
+                    if route.route_type != route_type
+                ]
+            else:
+                self.routing_table.clear()
+    
+    def export_config(self) -> Dict:
+        """Export router configuration"""
+        return {
+            'router_id': self.router_id,
+            'default_gateway': self.default_gateway,
+            'interfaces': [
+                {
+                    'name': iface.name,
+                    'ip_address': iface.ip_address,
+                    'netmask': iface.netmask,
+                    'network': iface.network,
+                    'enabled': iface.enabled,
+                    'mtu': iface.mtu
+                }
+                for iface in self.interfaces.values()
+            ],
+            'static_routes': [
+                {
+                    'destination': route.destination,
+                    'gateway': route.gateway,
+                    'interface': route.interface,
+                    'metric': route.metric
+                }
+                for route in self.routing_table
+                if route.route_type == RouteType.STATIC
+            ]
+        }
+    
+    def import_config(self, config: Dict):
+        """Import router configuration"""
+        # Clear existing configuration
+        with self.lock:
+            self.interfaces.clear()
+            self.routing_table.clear()
+            self.arp_table.clear()
+        
+        # Update router settings
+        self.router_id = config.get('router_id', self.router_id)
+        self.default_gateway = config.get('default_gateway', self.default_gateway)
+        
+        # Reinitialize from new config
+        self.config.update(config)
+        self._initialize_interfaces()
+        self._initialize_routes()
+
+
+class RouterUtils:
+    """Utility functions for router operations"""
+    
+    @staticmethod
+    def ip_to_int(ip: str) -> int:
+        """Convert IP address to integer"""
+        return int(ipaddress.ip_address(ip))
+    
+    @staticmethod
+    def int_to_ip(ip_int: int) -> str:
+        """Convert integer to IP address"""
+        return str(ipaddress.ip_address(ip_int))
+    
+    @staticmethod
+    def calculate_network(ip: str, netmask: str) -> str:
+        """Calculate network address from IP and netmask"""
+        try:
+            interface = ipaddress.ip_interface(f"{ip}/{netmask}")
+            return str(interface.network)
+        except (ipaddress.AddressValueError, ValueError):
+            return "0.0.0.0/0"
+    
+    @staticmethod
+    def is_private_ip(ip: str) -> bool:
+        """Check if IP address is private"""
+        try:
+            ip_obj = ipaddress.ip_address(ip)
+            return ip_obj.is_private
+        except (ipaddress.AddressValueError, ValueError):
+            return False
+    
+    @staticmethod
+    def is_multicast_ip(ip: str) -> bool:
+        """Check if IP address is multicast"""
+        try:
+            ip_obj = ipaddress.ip_address(ip)
+            return ip_obj.is_multicast
+        except (ipaddress.AddressValueError, ValueError):
+            return False
+    
+    @staticmethod
+    def validate_cidr(cidr: str) -> bool:
+        """Validate CIDR notation"""
+        try:
+            ipaddress.ip_network(cidr, strict=False)
+            return True
+        except (ipaddress.AddressValueError, ValueError):
+            return False
+

main.py

@@ -0,0 +1,76 @@
+import os
+import sys
+# DON\'T CHANGE THIS !!!
+sys.path.insert(0, os.path.dirname(os.path.dirname(__file__)))
+
+from flask import Flask, send_from_directory
+from models.user import db
+from routes.user import user_bp
+from routes.auth import auth_bp
+from routes.isp_api import init_engines, isp_api
+from core.openvpn_manager import initialize_openvpn_manager
+
+
+app = Flask(__name__, static_folder=os.path.join(os.path.dirname(__file__), 'static'))
+app.config['SECRET_KEY'] = 'asdf#FGSgvasgf$5$WGT'
+
+app.register_blueprint(user_bp, url_prefix='/api')
+app.register_blueprint(isp_api, url_prefix='/api')
+app.register_blueprint(auth_bp, url_prefix='/api')
+
+# uncomment if you need to use database
+app.config['SQLALCHEMY_DATABASE_URI'] = f"sqlite:///{os.path.join(os.path.dirname(__file__), 'database', 'app.db')}"
+app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
+db.init_app(app)
+
+with app.app_context():
+    db.create_all()
+
+# Default configuration for engines
+app.config["dhcp"] = {
+    "network": "10.0.0.0/24",
+    "range_start": "10.0.0.10",
+    "range_end": "10.0.0.100",
+    "lease_time": 3600,
+    "gateway": "10.0.0.1",
+    "dns_servers": ["8.8.8.8", "8.8.4.4"]
+}
+
+# Initialize engines only once, when the Flask app is not in debug mode's reloader process
+if not app.debug or os.environ.get('WERKZEUG_RUN_MAIN') == 'true':
+    init_engines(app.config)
+    initialize_openvpn_manager(app.config)
+
+@app.route("/auth")
+def serve_auth():
+    return send_from_directory(app.static_folder, "auth.html")
+
+@app.route("/dashboard")
+def serve_dashboard():
+    return send_from_directory(app.static_folder, "dashboard.html")
+
+@app.route("/")
+def serve_root():
+    return send_from_directory(app.static_folder, "index.html")
+
+@app.route('/<path:path>')
+def serve(path):
+    static_folder_path = app.static_folder
+    if static_folder_path is None:
+            return "Static folder not configured", 404
+
+    if path != "" and os.path.exists(os.path.join(static_folder_path, path)):
+        return send_from_directory(static_folder_path, path)
+    else:
+        index_path = os.path.join(static_folder_path, 'index.html')
+        if os.path.exists(index_path):
+            return send_from_directory(static_folder_path, 'index.html')
+        else:
+            return "index.html not found", 404
+
+
+if __name__ == '__main__':
+    app.run(host='0.0.0.0', port=5000, debug=False)
+
+
+

main_isp.py

@@ -0,0 +1,273 @@
+"""
+Main ISP Application
+
+Integrates all core modules and provides the main application entry point
+"""
+
+import os
+import sys
+import json
+import threading
+import time
+from flask import Flask
+from flask_cors import CORS
+
+# Add project root to path
+sys.path.insert(0, os.path.dirname(os.path.dirname(__file__)))
+
+# Import routes and core modules
+from routes.isp_api import isp_api, init_engines
+
+
+def load_config():
+    """Load configuration from file or use defaults"""
+    config_file = os.path.join(os.path.dirname(__file__), 'config.json')
+    
+    default_config = {
+        "dhcp": {
+            "network": "10.0.0.0/24",
+            "range_start": "10.0.0.10",
+            "range_end": "10.0.0.100",
+            "lease_time": 3600,
+            "gateway": "10.0.0.1",
+            "dns_servers": ["8.8.8.8", "8.8.4.4"]
+        },
+        "nat": {
+            "port_range_start": 10000,
+            "port_range_end": 65535,
+            "session_timeout": 300,
+            "host_ip": "0.0.0.0"
+        },
+        "firewall": {
+            "default_policy": "ACCEPT",
+            "log_blocked": True,
+            "log_accepted": False,
+            "max_log_entries": 10000,
+            "rules": [
+                {
+                    "rule_id": "allow_dhcp",
+                    "priority": 1,
+                    "action": "ACCEPT",
+                    "direction": "BOTH",
+                    "dest_port": "67,68",
+                    "protocol": "UDP",
+                    "description": "Allow DHCP traffic",
+                    "enabled": True
+                },
+                {
+                    "rule_id": "allow_dns",
+                    "priority": 2,
+                    "action": "ACCEPT",
+                    "direction": "BOTH",
+                    "dest_port": "53",
+                    "protocol": "UDP",
+                    "description": "Allow DNS traffic",
+                    "enabled": True
+                }
+            ]
+        },
+        "tcp": {
+            "initial_window": 65535,
+            "max_retries": 3,
+            "timeout": 300,
+            "time_wait_timeout": 120,
+            "mss": 1460
+        },
+        "router": {
+            "router_id": "virtual-isp-router",
+            "default_gateway": "10.0.0.1",
+            "interfaces": [
+                {
+                    "name": "virtual0",
+                    "ip_address": "10.0.0.1",
+                    "netmask": "255.255.255.0",
+                    "enabled": True,
+                    "mtu": 1500
+                }
+            ],
+            "static_routes": []
+        },
+        "socket_translator": {
+            "connect_timeout": 10,
+            "read_timeout": 30,
+            "max_connections": 1000,
+            "buffer_size": 8192
+        },
+        "packet_bridge": {
+            "websocket_host": "0.0.0.0",
+            "websocket_port": 8765,
+            "tcp_host": "0.0.0.0",
+            "tcp_port": 8766,
+            "max_clients": 100,
+            "client_timeout": 300
+        },
+        "session_tracker": {
+            "max_sessions": 10000,
+            "session_timeout": 3600,
+            "cleanup_interval": 300,
+            "metrics_retention": 86400
+        },
+        "logger": {
+            "log_level": "INFO",
+            "log_to_file": True,
+            "log_file_path": "/tmp/virtual_isp.log",
+            "log_file_max_size": 10485760,
+            "log_file_backup_count": 5,
+            "log_to_console": True,
+            "structured_logging": True,
+            "max_memory_logs": 10000
+        },
+        "openvpn": {
+            "server_config_path": "/etc/openvpn/server/server.conf",
+            "ca_cert_path": "/etc/openvpn/server/ca.crt",
+            "server_cert_path": "/etc/openvpn/server/server.crt",
+            "server_key_path": "/etc/openvpn/server/server.key",
+            "dh_path": "/etc/openvpn/server/dh.pem",
+            "vpn_network": "10.8.0.0/24",
+            "vpn_server_ip": "10.8.0.1",
+            "vpn_port": 1194,
+            "protocol": "udp",
+            "auto_start": False,
+            "client_to_client": False,
+            "push_routes": [
+                "redirect-gateway def1 bypass-dhcp",
+                "dhcp-option DNS 8.8.8.8",
+                "dhcp-option DNS 8.8.4.4"
+            ]
+        }
+    }
+    
+    if os.path.exists(config_file):
+        try:
+            with open(config_file, 'r') as f:
+                file_config = json.load(f)
+            
+            # Merge with defaults
+            def merge_config(default, override):
+                result = default.copy()
+                for key, value in override.items():
+                    if key in result and isinstance(result[key], dict) and isinstance(value, dict):
+                        result[key] = merge_config(result[key], value)
+                    else:
+                        result[key] = value
+                return result
+            
+            return merge_config(default_config, file_config)
+        
+        except Exception as e:
+            print(f"Error loading config file: {e}")
+            print("Using default configuration")
+            return default_config
+    else:
+        # Save default config
+        try:
+            with open(config_file, 'w') as f:
+                json.dump(default_config, f, indent=2)
+            print(f"Created default configuration file: {config_file}")
+        except Exception as e:
+            print(f"Could not save default config: {e}")
+        
+        return default_config
+
+
+def create_app():
+    """Create and configure Flask application"""
+    app = Flask(__name__, static_folder=os.path.join(os.path.dirname(__file__), 'static'))
+    
+    # Enable CORS for all routes
+    CORS(app, origins="*", allow_headers=["Content-Type", "Authorization"])
+    
+    # Load configuration
+    config = load_config()
+    app.config['ISP_CONFIG'] = config
+    
+    # Register blueprints
+    app.register_blueprint(isp_api, url_prefix='/api')
+    
+    # Initialize engines
+    init_engines(config)
+    
+    # Serve static files
+    @app.route('/', defaults={'path': ''})
+    @app.route('/<path:path>')
+    def serve_static(path):
+        static_folder_path = app.static_folder
+        if static_folder_path is None:
+            return "Static folder not configured", 404
+        
+        if path != "" and os.path.exists(os.path.join(static_folder_path, path)):
+            return app.send_static_file(path)
+        else:
+            index_path = os.path.join(static_folder_path, 'index.html')
+            if os.path.exists(index_path):
+                return app.send_static_file('index.html')
+            else:
+                return """
+                <!DOCTYPE html>
+                <html>
+                <head>
+                    <title>Virtual ISP Stack</title>
+                    <style>
+                        body { font-family: Arial, sans-serif; margin: 40px; }
+                        .container { max-width: 800px; margin: 0 auto; }
+                        .status { background: #f0f0f0; padding: 20px; border-radius: 5px; }
+                        .api-link { color: #0066cc; text-decoration: none; }
+                        .api-link:hover { text-decoration: underline; }
+                    </style>
+                </head>
+                <body>
+                    <div class="container">
+                        <h1>Virtual ISP Stack</h1>
+                        <div class="status">
+                            <h2>System Status</h2>
+                            <p>The Virtual ISP Stack is running successfully!</p>
+                            <p><strong>API Endpoint:</strong> <a href="/api/status" class="api-link">/api/status</a></p>
+                            <p><strong>System Stats:</strong> <a href="/api/stats" class="api-link">/api/stats</a></p>
+                        </div>
+                        
+                        <h2>Available API Endpoints</h2>
+                        <ul>
+                            <li><a href="/api/config" class="api-link">GET /api/config</a> - System configuration</li>
+                            <li><a href="/api/status" class="api-link">GET /api/status</a> - System status</li>
+                            <li><a href="/api/stats" class="api-link">GET /api/stats</a> - System statistics</li>
+                            <li><a href="/api/dhcp/leases" class="api-link">GET /api/dhcp/leases</a> - DHCP leases</li>
+                            <li><a href="/api/nat/sessions" class="api-link">GET /api/nat/sessions</a> - NAT sessions</li>
+                            <li><a href="/api/firewall/rules" class="api-link">GET /api/firewall/rules</a> - Firewall rules</li>
+                            <li><a href="/api/tcp/connections" class="api-link">GET /api/tcp/connections</a> - TCP connections</li>
+                            <li><a href="/api/router/routes" class="api-link">GET /api/router/routes</a> - Routing table</li>
+                            <li><a href="/api/bridge/clients" class="api-link">GET /api/bridge/clients</a> - Bridge clients</li>
+                            <li><a href="/api/sessions" class="api-link">GET /api/sessions</a> - Session tracking</li>
+                            <li><a href="/api/logs" class="api-link">GET /api/logs</a> - System logs</li>
+                        </ul>
+                        
+                        <h2>WebSocket Bridge</h2>
+                        <p>WebSocket server running on port 8765 for packet bridge connections.</p>
+                        <p>TCP server running on port 8766 for packet bridge connections.</p>
+                    </div>
+                </body>
+                </html>
+                """, 200
+    
+    return app
+
+
+def main():
+    """Main application entry point"""
+    print("Starting Virtual ISP Stack...")
+    
+    # Create Flask app
+    app = create_app()
+    
+    # Start the application
+    print("Virtual ISP Stack started successfully!")
+    print("API available at: http://0.0.0.0:5000/api/")
+    print("WebSocket bridge at: ws://0.0.0.0:8765")
+    print("TCP bridge at: tcp://0.0.0.0:8766")
+    
+    # Run Flask app
+    app.run(host='0.0.0.0', port=5000, debug=False, threaded=True)
+
+
+if __name__ == '__main__':
+    main()
+

models/enhanced_user.py

@@ -0,0 +1,427 @@
+"""
+Enhanced User Model with Authentication and VPN Client Management
+
+This module provides comprehensive user management with security features,
+VPN client management, and session tracking capabilities.
+"""
+
+
+from werkzeug.security import generate_password_hash, check_password_hash
+from datetime import datetime, timedelta
+import secrets
+import jwt
+import re
+from flask import current_app
+
+from .user import db
+
+class User(db.Model):
+    """Enhanced User model with authentication and VPN management"""
+    __tablename__ = 'users'
+    
+    id = db.Column(db.Integer, primary_key=True)
+    username = db.Column(db.String(80), unique=True, nullable=False, index=True)
+    email = db.Column(db.String(120), unique=True, nullable=False, index=True)
+    password_hash = db.Column(db.String(255), nullable=False)
+    salt = db.Column(db.String(32), nullable=False)
+    created_at = db.Column(db.DateTime, default=datetime.utcnow)
+    last_login = db.Column(db.DateTime)
+    is_active = db.Column(db.Boolean, default=True)
+    is_admin = db.Column(db.Boolean, default=False)
+    subscription_type = db.Column(db.String(20), default='free')
+    subscription_expires = db.Column(db.DateTime)
+    max_concurrent_connections = db.Column(db.Integer, default=1)
+    bandwidth_limit_mbps = db.Column(db.Integer, default=10)
+    email_verified = db.Column(db.Boolean, default=False)
+    email_verification_token = db.Column(db.String(64))
+    two_factor_enabled = db.Column(db.Boolean, default=False)
+    two_factor_secret = db.Column(db.String(32))
+    password_reset_token = db.Column(db.String(64))
+    password_reset_expires = db.Column(db.DateTime)
+    failed_login_attempts = db.Column(db.Integer, default=0)
+    account_locked_until = db.Column(db.DateTime)
+    
+    # Relationships
+    vpn_clients = db.relationship('VPNClient', backref='user', lazy=True, cascade='all, delete-orphan')
+    vpn_sessions = db.relationship('VPNSession', backref='user', lazy=True)
+    
+    def __init__(self, username, email, password=None):
+        self.username = username
+        self.email = email
+        if password:
+            self.set_password(password)
+        self.email_verification_token = secrets.token_urlsafe(32)
+    
+    def set_password(self, password):
+        """Set password with secure hashing and salt"""
+        if not self.validate_password_strength(password):
+            raise ValueError("Password does not meet security requirements")
+        
+        self.salt = secrets.token_hex(16)
+        self.password_hash = generate_password_hash(password + self.salt)
+        self.failed_login_attempts = 0
+        self.account_locked_until = None
+    
+    def check_password(self, password):
+        """Verify password against hash"""
+        if self.is_account_locked():
+            return False
+        
+        is_valid = check_password_hash(self.password_hash, password + self.salt)
+        
+        if is_valid:
+            self.failed_login_attempts = 0
+            self.last_login = datetime.utcnow()
+        else:
+            self.failed_login_attempts += 1
+            if self.failed_login_attempts >= 5:
+                self.account_locked_until = datetime.utcnow() + timedelta(minutes=30)
+        
+        return is_valid
+    
+    def is_account_locked(self):
+        """Check if account is locked due to failed login attempts"""
+        if self.account_locked_until and datetime.utcnow() < self.account_locked_until:
+            return True
+        elif self.account_locked_until and datetime.utcnow() >= self.account_locked_until:
+            # Unlock account
+            self.account_locked_until = None
+            self.failed_login_attempts = 0
+        return False
+    
+    @staticmethod
+    def validate_password_strength(password):
+        """Validate password meets security requirements"""
+        if len(password) < 8:
+            return False
+        if not re.search(r'[A-Z]', password):
+            return False
+        if not re.search(r'[a-z]', password):
+            return False
+        if not re.search(r'\d', password):
+            return False
+        if not re.search(r'[!@#$%^&*(),.?":{}|<>]', password):
+            return False
+        return True
+    
+    @staticmethod
+    def validate_email(email):
+        """Validate email format"""
+        pattern = r'^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$'
+        return re.match(pattern, email) is not None
+    
+    @staticmethod
+    def validate_username(username):
+        """Validate username format"""
+        if len(username) < 3 or len(username) > 80:
+            return False
+        if not re.match(r'^[a-zA-Z0-9_-]+$', username):
+            return False
+        return True
+    
+    def generate_auth_token(self, expires_in=3600):
+        """Generate JWT authentication token"""
+        payload = {
+            'user_id': self.id,
+            'username': self.username,
+            'email': self.email,
+            'subscription_type': self.subscription_type,
+            'is_admin': self.is_admin,
+            'exp': datetime.utcnow() + timedelta(seconds=expires_in),
+            'iat': datetime.utcnow()
+        }
+        return jwt.encode(payload, current_app.config['SECRET_KEY'], algorithm='HS256')
+    
+    def generate_refresh_token(self, expires_in=2592000):  # 30 days
+        """Generate refresh token for extended sessions"""
+        payload = {
+            'user_id': self.id,
+            'type': 'refresh',
+            'exp': datetime.utcnow() + timedelta(seconds=expires_in),
+            'iat': datetime.utcnow()
+        }
+        return jwt.encode(payload, current_app.config['SECRET_KEY'], algorithm='HS256')
+    
+    @staticmethod
+    def verify_auth_token(token):
+        """Verify JWT authentication token"""
+        try:
+            payload = jwt.decode(token, current_app.config['SECRET_KEY'], algorithms=['HS256'])
+            if payload.get('type') == 'refresh':
+                return None  # Refresh tokens cannot be used for authentication
+            return User.query.get(payload['user_id'])
+        except jwt.ExpiredSignatureError:
+            return None
+        except jwt.InvalidTokenError:
+            return None
+    
+    @staticmethod
+    def verify_refresh_token(token):
+        """Verify refresh token and return user"""
+        try:
+            payload = jwt.decode(token, current_app.config['SECRET_KEY'], algorithms=['HS256'])
+            if payload.get('type') != 'refresh':
+                return None
+            return User.query.get(payload['user_id'])
+        except jwt.ExpiredSignatureError:
+            return None
+        except jwt.InvalidTokenError:
+            return None
+    
+    def generate_password_reset_token(self):
+        """Generate password reset token"""
+        self.password_reset_token = secrets.token_urlsafe(32)
+        self.password_reset_expires = datetime.utcnow() + timedelta(hours=1)
+        return self.password_reset_token
+    
+    def verify_password_reset_token(self, token):
+        """Verify password reset token"""
+        if (self.password_reset_token == token and 
+            self.password_reset_expires and 
+            datetime.utcnow() < self.password_reset_expires):
+            return True
+        return False
+    
+    def reset_password(self, new_password, token):
+        """Reset password using reset token"""
+        if not self.verify_password_reset_token(token):
+            return False
+        
+        self.set_password(new_password)
+        self.password_reset_token = None
+        self.password_reset_expires = None
+        return True
+    
+    def verify_email(self, token):
+        """Verify email using verification token"""
+        if self.email_verification_token == token:
+            self.email_verified = True
+            self.email_verification_token = None
+            return True
+        return False
+    
+    def can_create_vpn_client(self):
+        """Check if user can create additional VPN clients"""
+        active_clients = len([c for c in self.vpn_clients if c.is_active])
+        
+        if self.subscription_type == 'free':
+            return active_clients < 1
+        elif self.subscription_type == 'premium':
+            return active_clients < 5
+        elif self.subscription_type == 'enterprise':
+            return active_clients < 50
+        
+        return False
+    
+    def get_active_sessions_count(self):
+        """Get count of active VPN sessions"""
+        return len([s for s in self.vpn_sessions if s.disconnected_at is None])
+    
+    def can_connect_vpn(self):
+        """Check if user can establish new VPN connections"""
+        active_sessions = self.get_active_sessions_count()
+        return active_sessions < self.max_concurrent_connections
+    
+    def get_bandwidth_usage_today(self):
+        """Get bandwidth usage for today"""
+        today = datetime.utcnow().date()
+        today_sessions = [s for s in self.vpn_sessions 
+                         if s.connected_at and s.connected_at.date() == today]
+        
+        total_bytes = sum(s.bytes_received + s.bytes_sent for s in today_sessions)
+        return total_bytes
+    
+    def is_subscription_active(self):
+        """Check if subscription is active"""
+        if self.subscription_type == 'free':
+            return True
+        
+        return (self.subscription_expires and 
+                datetime.utcnow() < self.subscription_expires)
+    
+    def to_dict(self, include_sensitive=False):
+        """Convert user to dictionary"""
+        data = {
+            'id': self.id,
+            'username': self.username,
+            'email': self.email,
+            'created_at': self.created_at.isoformat() if self.created_at else None,
+            'last_login': self.last_login.isoformat() if self.last_login else None,
+            'is_active': self.is_active,
+            'subscription_type': self.subscription_type,
+            'subscription_expires': self.subscription_expires.isoformat() if self.subscription_expires else None,
+            'max_concurrent_connections': self.max_concurrent_connections,
+            'bandwidth_limit_mbps': self.bandwidth_limit_mbps,
+            'email_verified': self.email_verified,
+            'two_factor_enabled': self.two_factor_enabled,
+            'is_subscription_active': self.is_subscription_active(),
+            'active_vpn_clients': len([c for c in self.vpn_clients if c.is_active]),
+            'active_sessions': self.get_active_sessions_count(),
+            'can_create_vpn_client': self.can_create_vpn_client(),
+            'can_connect_vpn': self.can_connect_vpn()
+        }
+        
+        if include_sensitive and (self.is_admin or include_sensitive == 'self'):
+            data.update({
+                'is_admin': self.is_admin,
+                'failed_login_attempts': self.failed_login_attempts,
+                'account_locked': self.is_account_locked(),
+                'bandwidth_usage_today': self.get_bandwidth_usage_today()
+            })
+        
+        return data
+
+
+class VPNClient(db.Model):
+    """VPN Client configuration and management"""
+    __tablename__ = 'vpn_clients'
+    
+    id = db.Column(db.Integer, primary_key=True)
+    user_id = db.Column(db.Integer, db.ForeignKey('users.id'), nullable=False)
+    client_name = db.Column(db.String(100), nullable=False)
+    protocol = db.Column(db.String(20), nullable=False)  # openvpn, ikev2, wireguard
+    certificate_serial = db.Column(db.String(50), unique=True)
+    private_key_path = db.Column(db.String(255))
+    certificate_path = db.Column(db.String(255))
+    config_file_path = db.Column(db.String(255))
+    created_at = db.Column(db.DateTime, default=datetime.utcnow)
+    last_connected = db.Column(db.DateTime)
+    is_active = db.Column(db.Boolean, default=True)
+    device_type = db.Column(db.String(50))  # windows, macos, linux, ios, android
+    public_key = db.Column(db.Text)  # For WireGuard
+    
+    # Relationships
+    sessions = db.relationship('VPNSession', backref='vpn_client', lazy=True)
+    
+    def __init__(self, user_id, client_name, protocol, device_type=None):
+        self.user_id = user_id
+        self.client_name = client_name
+        self.protocol = protocol
+        self.device_type = device_type
+    
+    def get_active_sessions(self):
+        """Get active sessions for this client"""
+        return [s for s in self.sessions if s.disconnected_at is None]
+    
+    def get_total_bandwidth_usage(self):
+        """Get total bandwidth usage for this client"""
+        return sum(s.bytes_received + s.bytes_sent for s in self.sessions)
+    
+    def to_dict(self):
+        """Convert VPN client to dictionary"""
+        return {
+            'id': self.id,
+            'client_name': self.client_name,
+            'protocol': self.protocol,
+            'device_type': self.device_type,
+            'created_at': self.created_at.isoformat() if self.created_at else None,
+            'last_connected': self.last_connected.isoformat() if self.last_connected else None,
+            'is_active': self.is_active,
+            'certificate_serial': self.certificate_serial,
+            'active_sessions': len(self.get_active_sessions()),
+            'total_bandwidth_usage': self.get_total_bandwidth_usage()
+        }
+
+
+class VPNSession(db.Model):
+    """VPN Session tracking"""
+    __tablename__ = 'vpn_sessions'
+    
+    id = db.Column(db.Integer, primary_key=True)
+    user_id = db.Column(db.Integer, db.ForeignKey('users.id'), nullable=False)
+    client_id = db.Column(db.Integer, db.ForeignKey('vpn_clients.id'), nullable=False)
+    server_protocol = db.Column(db.String(20), nullable=False)
+    client_ip = db.Column(db.String(15))
+    server_ip = db.Column(db.String(15))
+    client_real_ip = db.Column(db.String(45))  # Support IPv6
+    connected_at = db.Column(db.DateTime, default=datetime.utcnow)
+    disconnected_at = db.Column(db.DateTime)
+    bytes_received = db.Column(db.BigInteger, default=0)
+    bytes_sent = db.Column(db.BigInteger, default=0)
+    session_duration = db.Column(db.Integer)  # in seconds
+    disconnect_reason = db.Column(db.String(100))
+    
+    def __init__(self, user_id, client_id, server_protocol, client_ip=None, server_ip=None, client_real_ip=None):
+        self.user_id = user_id
+        self.client_id = client_id
+        self.server_protocol = server_protocol
+        self.client_ip = client_ip
+        self.server_ip = server_ip
+        self.client_real_ip = client_real_ip
+    
+    def disconnect(self, reason=None):
+        """Mark session as disconnected"""
+        self.disconnected_at = datetime.utcnow()
+        self.disconnect_reason = reason
+        if self.connected_at:
+            self.session_duration = int((self.disconnected_at - self.connected_at).total_seconds())
+    
+    def is_active(self):
+        """Check if session is active"""
+        return self.disconnected_at is None
+    
+    def get_duration(self):
+        """Get session duration in seconds"""
+        if self.disconnected_at:
+            return self.session_duration
+        elif self.connected_at:
+            return int((datetime.utcnow() - self.connected_at).total_seconds())
+        return 0
+    
+    def to_dict(self):
+        """Convert VPN session to dictionary"""
+        return {
+            'id': self.id,
+            'client_id': self.client_id,
+            'server_protocol': self.server_protocol,
+            'client_ip': self.client_ip,
+            'server_ip': self.server_ip,
+            'client_real_ip': self.client_real_ip,
+            'connected_at': self.connected_at.isoformat() if self.connected_at else None,
+            'disconnected_at': self.disconnected_at.isoformat() if self.disconnected_at else None,
+            'bytes_received': self.bytes_received,
+            'bytes_sent': self.bytes_sent,
+            'session_duration': self.get_duration(),
+            'disconnect_reason': self.disconnect_reason,
+            'is_active': self.is_active()
+        }
+
+
+class ServerConfiguration(db.Model):
+    """VPN Server configuration management"""
+    __tablename__ = 'server_configurations'
+    
+    id = db.Column(db.Integer, primary_key=True)
+    protocol = db.Column(db.String(20), nullable=False)
+    server_name = db.Column(db.String(100), nullable=False)
+    listen_port = db.Column(db.Integer, nullable=False)
+    network_cidr = db.Column(db.String(18), nullable=False)
+    dns_servers = db.Column(db.Text)  # JSON string
+    routes = db.Column(db.Text)  # JSON string
+    is_active = db.Column(db.Boolean, default=True)
+    created_at = db.Column(db.DateTime, default=datetime.utcnow)
+    updated_at = db.Column(db.DateTime, default=datetime.utcnow, onupdate=datetime.utcnow)
+    max_clients = db.Column(db.Integer, default=100)
+    
+    def __init__(self, protocol, server_name, listen_port, network_cidr):
+        self.protocol = protocol
+        self.server_name = server_name
+        self.listen_port = listen_port
+        self.network_cidr = network_cidr
+    
+    def to_dict(self):
+        """Convert server configuration to dictionary"""
+        return {
+            'id': self.id,
+            'protocol': self.protocol,
+            'server_name': self.server_name,
+            'listen_port': self.listen_port,
+            'network_cidr': self.network_cidr,
+            'dns_servers': self.dns_servers,
+            'routes': self.routes,
+            'is_active': self.is_active,
+            'created_at': self.created_at.isoformat() if self.created_at else None,
+            'updated_at': self.updated_at.isoformat() if self.updated_at else None,
+            'max_clients': self.max_clients
+        }
+

models/user.py

@@ -0,0 +1,20 @@
+from flask_sqlalchemy import SQLAlchemy
+
+db = SQLAlchemy()
+
+class User(db.Model):
+    id = db.Column(db.Integer, primary_key=True)
+    username = db.Column(db.String(80), unique=True, nullable=False)
+    email = db.Column(db.String(120), unique=True, nullable=False)
+
+    def __repr__(self):
+        return f'<User {self.username}>'
+
+    def to_dict(self):
+        return {
+            'id': self.id,
+            'username': self.username,
+            'email': self.email
+        }
+
+

openvpn/ca.crt

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDMzCCAhugAwIBAgIUNO765P4t/yD/PnIFTMVs0Q32TJYwDQYJKoZIhvcNAQEL
+BQAwDjEMMAoGA1UEAwwDeWVzMB4XDTI1MDgwMjAxMjkzNVoXDTM1MDczMTAxMjkz
+NVowDjEMMAoGA1UEAwwDeWVzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAtwhMGXouHnHBRd2RhdrW8sOMgqt4wDXZC0J+4UMjOX6Y7t2O1Sgw/sWhwFPk
+QF/cMoQIvsucklPogcnzzGtv9zDkAXyVyCC27UYbg8JfWZK3ZMrt6dfEmYf4KKXm
+D6PLn9guxzBB63dhEWx/7fd6H9C/rK/u0rOh15DQRnfEI468cmXS5uNg8ke/73+y
+Gzb6q7ZOFByBAwM0hW0lStBaIIcxouFrIK8B72O8H+6t10K1GvgiBhKvM3cc8dpN
+y4qvRoN/o+eXarZG7G9dfm9OFgdd9LoXPTTbO+ftFPKOq4F41PnMd2Zcyk7P3GCr
+3oK7NbISxZ5efLpy45lgSpqKBwIDAQABo4GIMIGFMB0GA1UdDgQWBBQIi0Er30cV
+Qzi+U/LPV4Lf3yvGIzBJBgNVHSMEQjBAgBQIi0Er30cVQzi+U/LPV4Lf3yvGI6ES
+pBAwDjEMMAoGA1UEAwwDeWVzghQ07vrk/i3/IP8+cgVMxWzRDfZMljAMBgNVHRME
+BTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAHzfSFbi1G7WC
+vMSOqSv4/jlBExnz/AlLUBHhgDomIdLK8Pb3tyCD5IYkmi0NT5x6DORcOV2ow1JZ
+o4BL7OVV+fhz3VKXEpG+s3gq5j2m+raqLtu6QKBGg7SIUZ4MLjggvAcPjsK+n8sK
+86sAUFVTccBxJlKBShAUPSNihyWwxB4PQFvwhefNQSoID1kAB2Fzf1beMX6Gp6Lj
+ldI6e63lpYtIbp4+2F5SxJ/hGTUx+nWbOAHPvhBfhN6sEu9G1C5KPR0cm+xxOpZ9
+lA7y4Dea7pyVybR/b7lFquE3TReXCoLx79UNNSv8erIlsy1jh9yXDnTCk8SN1dpO
+YwJ9U0AHXA==
+-----END CERTIFICATE-----

openvpn/dh.pem

@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEAlPRBW0tYm271xYHi15JrD3JRlpvdjAm+CZoEq0ElLXvSlIKaNQls
+ITH+KIBBX3pgbFFk03fO9ApF0kSOzycRRCuW970iCkDoFUN9y58EG+BI863FkU1h
+3dx+c59HqdWXkzFK+SmTfKIe12alZFik5G0Xs0hkphCgPaXvWlojorjQoRfKySw3
+VxpybKS83+l3t2ER3Z03IRvWinlnuxVAcymzeSR9hwIMJi3RmYmNmdXNel/WFAo2
+zT5j2f2OZHtnBhvo1V92Rml+5rJksPX4lJMRNwVEnXwqVUyCQOTTiGTUjLOO2gdk
+HLhH5teetBdKL4tFcldeIJSk3e0oWXbURwIBAg==
+-----END DH PARAMETERS-----

openvpn/server.conf

@@ -0,0 +1,21 @@
+port 1194
+proto udp
+dev tun
+ca /etc/openvpn/server/ca.crt
+cert /etc/openvpn/server/server.crt
+key /etc/openvpn/server/server.key
+dh /etc/openvpn/server/dh.pem
+server 10.8.0.0 255.255.255.0
+ifconfig-pool-persist ipp.txt
+push "redirect-gateway def1 bypass-dhcp"
+push "dhcp-option DNS 8.8.8.8"
+push "dhcp-option DNS 8.8.4.4"
+keepalive 10 120
+cipher AES-256-CBC
+persist-key
+persist-tun
+status openvpn-status.log
+verb 3
+explicit-exit-notify 1
+
+

openvpn/server.crt

@@ -0,0 +1,86 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            dd:b5:29:c9:70:b2:b3:65:70:ac:0f:57:30:15:b4:2a
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=yes
+        Validity
+            Not Before: Aug  2 01:29:38 2025 GMT
+            Not After : Nov  5 01:29:38 2027 GMT
+        Subject: CN=server
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:dd:9e:02:fb:e3:57:cd:51:43:36:6a:2f:30:f5:
+                    a1:42:5c:16:f1:7b:4b:0a:aa:b1:34:b5:86:51:3e:
+                    6b:82:2e:59:df:42:21:cf:65:14:ea:8c:93:3c:0a:
+                    72:a5:2e:0f:64:1a:ec:76:52:18:b2:d3:a0:df:df:
+                    19:83:7e:39:9e:f5:16:18:36:34:ae:57:cf:2c:89:
+                    7c:c5:97:e3:8f:d0:83:08:7f:14:0c:74:2c:d2:95:
+                    09:6e:42:99:a0:28:69:83:68:f4:9c:0e:b5:3e:08:
+                    8f:d8:06:ec:d5:aa:c8:bc:19:4b:ff:e4:99:50:12:
+                    67:25:d4:79:94:1f:3d:64:b2:c8:00:ea:97:c2:df:
+                    b8:1c:dc:69:47:9f:59:df:03:06:5a:32:7a:fa:51:
+                    96:45:9a:b7:e7:03:ef:9d:3b:94:51:9d:08:69:bb:
+                    b0:3e:c8:9c:a3:a0:9c:18:aa:e9:88:ec:96:c3:71:
+                    b1:f6:a7:09:ff:c0:56:b1:24:22:ab:fc:9a:c5:fc:
+                    fd:67:8e:1a:86:ff:0a:5b:28:46:b4:20:93:05:b6:
+                    ff:87:93:66:7d:ae:92:c4:0d:20:99:e9:c5:b8:3d:
+                    41:3a:06:83:49:e5:13:2e:d6:33:94:45:6a:36:84:
+                    f9:c9:61:fe:98:3a:6e:41:ed:d8:8c:f1:55:3d:6d:
+                    53:fb
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Subject Key Identifier: 
+                F4:62:12:72:49:40:C2:8A:46:5A:CB:71:BE:33:58:25:B3:E0:01:AC
+            X509v3 Authority Key Identifier: 
+                keyid:08:8B:41:2B:DF:47:15:43:38:BE:53:F2:CF:57:82:DF:DF:2B:C6:23
+                DirName:/CN=yes
+                serial:34:EE:FA:E4:FE:2D:FF:20:FF:3E:72:05:4C:C5:6C:D1:0D:F6:4C:96
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+            X509v3 Subject Alternative Name: 
+                DNS:server
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        85:f7:59:01:c2:99:23:c3:9a:99:2a:0a:bc:5d:7d:1c:e8:7c:
+        e9:23:a5:87:08:bd:45:1b:a7:a9:b7:3a:06:b6:91:86:ac:61:
+        03:ae:cd:65:80:0e:e4:81:dc:38:b3:fe:6d:6f:02:e4:9e:43:
+        95:d0:a6:38:30:53:52:14:f1:96:2a:30:69:2f:56:24:65:ba:
+        53:c0:b0:22:23:2b:18:37:a1:0c:45:07:cb:ec:a9:71:f7:96:
+        2a:d2:18:94:f0:07:18:1f:4c:d2:c5:d5:66:8f:1d:5c:08:8d:
+        02:00:d6:0d:df:fd:6e:1e:2a:47:8c:30:fd:5b:46:56:0a:5a:
+        d4:6d:d4:99:c8:94:26:36:0b:86:30:dd:cb:3a:2e:a2:f3:80:
+        0f:62:80:f8:9d:ec:98:f2:96:20:4f:46:01:ae:9d:35:7f:34:
+        21:d7:71:89:b6:7a:ce:94:7e:14:e6:bf:b6:08:44:39:24:db:
+        aa:cf:54:46:34:8f:67:6c:72:22:f1:eb:e9:94:7d:73:26:f3:
+        2f:72:fe:28:b3:cb:28:c3:4c:14:3d:c3:81:1e:8d:96:96:e5:
+        df:af:c4:0a:06:71:16:df:8f:a3:30:50:79:45:95:4c:e8:57:
+        ee:ed:38:dd:82:8e:0e:b1:2b:4d:27:2b:6f:bc:c8:1c:91:de:
+        2c:55:69:38
+-----BEGIN CERTIFICATE-----
+MIIDWDCCAkCgAwIBAgIRAN21KclwsrNlcKwPVzAVtCowDQYJKoZIhvcNAQELBQAw
+DjEMMAoGA1UEAwwDeWVzMB4XDTI1MDgwMjAxMjkzOFoXDTI3MTEwNTAxMjkzOFow
+ETEPMA0GA1UEAwwGc2VydmVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEA3Z4C++NXzVFDNmovMPWhQlwW8XtLCqqxNLWGUT5rgi5Z30Ihz2UU6oyTPApy
+pS4PZBrsdlIYstOg398Zg345nvUWGDY0rlfPLIl8xZfjj9CDCH8UDHQs0pUJbkKZ
+oChpg2j0nA61PgiP2Abs1arIvBlL/+SZUBJnJdR5lB89ZLLIAOqXwt+4HNxpR59Z
+3wMGWjJ6+lGWRZq35wPvnTuUUZ0IabuwPsico6CcGKrpiOyWw3Gx9qcJ/8BWsSQi
+q/yaxfz9Z44ahv8KWyhGtCCTBbb/h5Nmfa6SxA0gmenFuD1BOgaDSeUTLtYzlEVq
+NoT5yWH+mDpuQe3YjPFVPW1T+wIDAQABo4GtMIGqMAkGA1UdEwQCMAAwHQYDVR0O
+BBYEFPRiEnJJQMKKRlrLcb4zWCWz4AGsMEkGA1UdIwRCMECAFAiLQSvfRxVDOL5T
+8s9Xgt/fK8YjoRKkEDAOMQwwCgYDVQQDDAN5ZXOCFDTu+uT+Lf8g/z5yBUzFbNEN
+9kyWMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIFoDARBgNVHREECjAI
+ggZzZXJ2ZXIwDQYJKoZIhvcNAQELBQADggEBAIX3WQHCmSPDmpkqCrxdfRzofOkj
+pYcIvUUbp6m3Oga2kYasYQOuzWWADuSB3Diz/m1vAuSeQ5XQpjgwU1IU8ZYqMGkv
+ViRlulPAsCIjKxg3oQxFB8vsqXH3lirSGJTwBxgfTNLF1WaPHVwIjQIA1g3f/W4e
+KkeMMP1bRlYKWtRt1JnIlCY2C4Yw3cs6LqLzgA9igPid7JjyliBPRgGunTV/NCHX
+cYm2es6UfhTmv7YIRDkk26rPVEY0j2dsciLx6+mUfXMm8y9y/iizyyjDTBQ9w4Ee
+jZaW5d+vxAoGcRbfj6MwUHlFlUzoV+7tON2Cjg6xK00nK2+8yByR3ixVaTg=
+-----END CERTIFICATE-----

openvpn/server.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDdngL741fNUUM2
+ai8w9aFCXBbxe0sKqrE0tYZRPmuCLlnfQiHPZRTqjJM8CnKlLg9kGux2Uhiy06Df
+3xmDfjme9RYYNjSuV88siXzFl+OP0IMIfxQMdCzSlQluQpmgKGmDaPScDrU+CI/Y
+BuzVqsi8GUv/5JlQEmcl1HmUHz1kssgA6pfC37gc3GlHn1nfAwZaMnr6UZZFmrfn
+A++dO5RRnQhpu7A+yJyjoJwYqumI7JbDcbH2pwn/wFaxJCKr/JrF/P1njhqG/wpb
+KEa0IJMFtv+Hk2Z9rpLEDSCZ6cW4PUE6BoNJ5RMu1jOURWo2hPnJYf6YOm5B7diM
+8VU9bVP7AgMBAAECggEATtwR0sEYtspSYPQS+9iD/AGZ9m75in+n1Ao+E/3isq28
+tDmrn0moUjgYklZjakzEFEqSVx4qhMPSrKcORKCvb1Vl+dKcF2fOpFn+KK++Pagk
+YGsb3ryeUIbRFsejM/79YNIBrOB89OiGCwiX0QZXLLvRs+qL9Za+1pLPenpNVd2w
+zL+AZ8QkJZdHn1vOZt9vKRlpe8psAt64RHb+LqhYWfeLlpIUjpM5Vu9FFewMGPrw
+n+GVCzK4ylq0pJ9bYwKI5Hw4qnJ3j5bGIumEjYBqqmef1+OTD3r/wyhTGpK9RRAu
+WD9YGJeQx3ybzRL7Wj6k5g0dn+UA82Lh7Y8n9IoSaQKBgQDqP/BU2KapOHgFt2DE
+WHU/+zA7/kfMJMGB5dYy8oXTxUY7WuqX9lja3rC0XuH10JTD6Q21jkTujc0T5/1B
+4KxuX+nQP/T9b4XzVM3pKWVmHUt6wf24sbuTNxOy/Q/wC7eCnkr04CEl0vf3E56N
+JaLG11dbpcn+9RC9FlUhlYY8QwKBgQDyMcz43915YGOQMkGVZFPvKyOy7ol4fFZv
+VRfRoGx9CfHCIOfh9vmlUy6TR4qAQkCnkL730OsxpW3aDTe3qcAcmhiK7u5TfWrE
+cd1WgrkymJ8hyEk6FSV0GMKrccQeEo2T95cKnk6lNXnEdNp5kx7LBQhL36fEtMXS
+FGCcRkNp6QKBgAbm6WLmm0qDIm4wsAY5AQNomEw8OstWDemQ5xXLNYw+1Mns7Nqb
+ZJTWWOiHnyrKAYggNsoxrfBFd1Rt0nV9dDcwVkhPih1pis3XotWK5bTzigTM8Hff
+rMIyrj7o2+5bugV8OoMqk2903t+F0XchM8GeGLHXmbMMb3jSzqFVsYXXAoGBAII1
+Z/99S7LPsXd6rWvFzqJMzRqLx/iw0D92viGDYBAxYnp9+myvvTO27tlbowilleEA
+nsrY1TmRuOd8J7JkXtaBuiQnpJXaXaZTmS3DhhG/n/4nkcbaS5KJJU/LECcizl74
+w4l/5sRHZbnLIRIvmGSJxhYUnjvQ/HGfZvldhSzRAoGBAMVTrxWedC2XeSMwjdhF
+zeDBAp/dTMEnRaS0j3rp+4a4l7Sus1L/p8gBrJtnf/B43bNvQ5cr2jwH7Ql5cF1A
+A7hpZ3C0trNaf6WqslJQhN8j8Cs85S/8rPGM5yAfyzKTMe0ytLUjn+XiQCqCUFcT
+Inqx4ll7r2tlcI3aMlvN2qsd
+-----END PRIVATE KEY-----

requirements.txt

@@ -0,0 +1,33 @@
+# Core Flask dependencies
+Flask==3.1.1
+flask-cors==6.0.0
+Flask-SQLAlchemy==3.1.1
+Werkzeug==3.1.3
+
+# Database
+SQLAlchemy==2.0.41
+
+# Async and networking
+aiohttp==3.12.15
+aiohappyeyeballs==2.6.1
+aiosignal==1.4.0
+websockets==15.0.1
+
+# Utilities
+attrs==25.3.0
+blinker==1.9.0
+click==8.2.1
+frozenlist==1.7.0
+greenlet==3.2.3
+idna==3.10
+itsdangerous==2.2.0
+Jinja2==3.1.6
+MarkupSafe==3.0.2
+multidict==6.6.3
+propcache==0.3.2
+typing_extensions==4.14.0
+yarl==1.20.1
+jwt
+# Additional dependencies for VPN management
+psutil==5.9.8
+