Restructure modules (#1572)

* Move portbase into monorepo * Add new simple module mgr * [WIP] Switch to new simple module mgr * Add StateMgr and more worker variants * [WIP] Switch more modules * [WIP] Switch more modules * [WIP] swtich more modules * [WIP] switch all SPN modules * [WIP] switch all service modules * [WIP] Convert all workers to the new module system * [WIP] add new task system to module manager * [WIP] Add second take for scheduling workers * [WIP] Add FIXME for bugs in new scheduler * [WIP] Add minor improvements to scheduler * [WIP] Add new worker scheduler * [WIP] Fix more bug related to new module system * [WIP] Fix start handing of the new module system * [WIP] Improve startup process * [WIP] Fix minor issues * [WIP] Fix missing subsystem in settings * [WIP] Initialize managers in constructor * [WIP] Move module event initialization to constrictors * [WIP] Fix setting for enabling and disabling the SPN module * [WIP] Move API registeration into module construction * [WIP] Update states mgr for all modules * [WIP] Add CmdLine operation support * Add state helper methods to module group and instance * Add notification and module status handling to status package * Fix starting issues * Remove pilot widget and update security lock to new status data * Remove debug logs * Improve http server shutdown * Add workaround for cleanly shutting down firewall+netquery * Improve logging * Add syncing states with notifications for new module system * Improve starting, stopping, shutdown; resolve FIXMEs/TODOs * [WIP] Fix most unit tests * Review new module system and fix minor issues * Push shutdown and restart events again via API * Set sleep mode via interface * Update example/template module * [WIP] Fix spn/cabin unit test * Remove deprecated UI elements * Make log output more similar for the logging transition phase * Switch spn hub and observer cmds to new module system * Fix log sources * Make worker mgr less error prone * Fix tests and minor issues * Fix observation hub * Improve shutdown and restart handling * Split up big connection.go source file * Move varint and dsd packages to structures repo * Improve expansion test * Fix linter warnings * Fix interception module on windows * Fix linter errors --------- Co-authored-by: Vladimir Stoilov <vladimir@safing.io>
2024-08-09 17:15:48 +02:00
parent 10a77498f4
commit 80664d1a27
647 changed files with 37690 additions and 3366 deletions
--- a/service/firewall/api.go
+++ b/service/firewall/api.go
@@ -10,10 +10,10 @@ import (
 	"strings"
 	"time"

-	"github.com/safing/portbase/api"
-	"github.com/safing/portbase/dataroot"
-	"github.com/safing/portbase/log"
-	"github.com/safing/portbase/utils"
+	"github.com/safing/portmaster/base/api"
+	"github.com/safing/portmaster/base/dataroot"
+	"github.com/safing/portmaster/base/log"
+	"github.com/safing/portmaster/base/utils"
 	"github.com/safing/portmaster/service/netenv"
 	"github.com/safing/portmaster/service/network/netutils"
 	"github.com/safing/portmaster/service/network/packet"
@@ -98,7 +98,7 @@ func apiAuthenticator(r *http.Request, s *http.Server) (token *api.AuthToken, er

 	// It is important that this works, retry 5 times: every 500ms for 2.5s.
 	var retry bool
-	for tries := 0; tries < 5; tries++ {
+	for range 5 {
 		retry, err = authenticateAPIRequest(
 			r.Context(),
 			&packet.Info{
@@ -161,7 +161,7 @@ func authenticateAPIRequest(ctx context.Context, pktInfo *packet.Info) (retry bo
 		// Find parent for up to two levels, if we don't match the path.
 		checkLevels := 2
 	checkLevelsLoop:
-		for i := 0; i < checkLevels+1; i++ {
+		for i := range checkLevels + 1 {
 			// Check for eligible path.
 			switch proc.Pid {
 			case process.UnidentifiedProcessID, process.SystemProcessID:
--- a/service/firewall/config.go
+++ b/service/firewall/config.go
@@ -3,9 +3,9 @@ package firewall
 import (
 	"github.com/tevino/abool"

-	"github.com/safing/portbase/api"
-	"github.com/safing/portbase/config"
-	"github.com/safing/portbase/notifications"
+	"github.com/safing/portmaster/base/api"
+	"github.com/safing/portmaster/base/config"
+	"github.com/safing/portmaster/base/notifications"
 	"github.com/safing/portmaster/service/core"
 	"github.com/safing/portmaster/spn/captain"
 )
--- a/service/firewall/dns.go
+++ b/service/firewall/dns.go
@@ -8,8 +8,8 @@ import (

 	"github.com/miekg/dns"

-	"github.com/safing/portbase/database"
-	"github.com/safing/portbase/log"
+	"github.com/safing/portmaster/base/database"
+	"github.com/safing/portmaster/base/log"
 	"github.com/safing/portmaster/service/network"
 	"github.com/safing/portmaster/service/network/netutils"
 	"github.com/safing/portmaster/service/profile"
--- a/service/firewall/inspection/inspection.go
+++ b/service/firewall/inspection/inspection.go
@@ -7,7 +7,7 @@ import (
 	"github.com/safing/portmaster/service/network/packet"
 )

-//nolint:golint,stylecheck // FIXME
+//nolint:golint,stylecheck
 const (
 	DO_NOTHING uint8 = iota
 	BLOCK_PACKET
--- a/service/firewall/interception/ebpf/bandwidth/interface.go
+++ b/service/firewall/interception/ebpf/bandwidth/interface.go
@@ -15,7 +15,7 @@ import (
 	"github.com/cilium/ebpf/rlimit"
 	"golang.org/x/sys/unix"

-	"github.com/safing/portbase/log"
+	"github.com/safing/portmaster/base/log"
 	"github.com/safing/portmaster/service/network/packet"
 )

@@ -182,11 +182,11 @@ func convertArrayToIP(input [4]uint32, ipv6 bool) net.IP {
 		addressBuf := make([]byte, 4)
 		binary.LittleEndian.PutUint32(addressBuf, input[0])
 		return net.IP(addressBuf)
+	} else {
+		addressBuf := make([]byte, 16)
+		for i := range 4 {
+			binary.LittleEndian.PutUint32(addressBuf[i*4:i*4+4], input[i])
+		}
+		return net.IP(addressBuf)
 	}
-
-	addressBuf := make([]byte, 16)
-	for i := 0; i < 4; i++ {
-		binary.LittleEndian.PutUint32(addressBuf[i*4:i*4+4], input[i])
-	}
-	return net.IP(addressBuf)
 }
--- a/service/firewall/interception/ebpf/connection_listener/worker.go
+++ b/service/firewall/interception/ebpf/connection_listener/worker.go
@@ -14,7 +14,7 @@ import (
 	"github.com/cilium/ebpf/ringbuf"
 	"github.com/cilium/ebpf/rlimit"

-	"github.com/safing/portbase/log"
+	"github.com/safing/portmaster/base/log"
 	"github.com/safing/portmaster/service/network/packet"
 )

@@ -169,7 +169,7 @@ func convertArrayToIPv4(input [4]uint32, ipVersion packet.IPVersion) net.IP {
 	}

 	addressBuf := make([]byte, 16)
-	for i := 0; i < 4; i++ {
+	for i := range 4 {
 		binary.LittleEndian.PutUint32(addressBuf[i*4:i*4+4], input[i])
 	}
 	return net.IP(addressBuf)
--- a/service/firewall/interception/ebpf/exec/exec.go
+++ b/service/firewall/interception/ebpf/exec/exec.go
@@ -17,7 +17,7 @@ import (
 	"github.com/hashicorp/go-multierror"
 	"golang.org/x/sys/unix"

-	"github.com/safing/portbase/log"
+	"github.com/safing/portmaster/base/log"
 )

 //go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc clang -cflags "-O2 -g -Wall -Werror" bpf ../programs/exec.c
@@ -202,7 +202,7 @@ func (t *Tracer) Read() (*Event, error) {
 	if argc > arglen {
 		argc = arglen
 	}
-	for i := 0; i < argc; i++ {
+	for i := range argc {
 		str := unix.ByteSliceToString(rawEvent.Argv[i][:])
 		if strings.TrimSpace(str) != "" {
 			ev.Argv = append(ev.Argv, str)
--- a/service/firewall/interception/interception_default.go
+++ b/service/firewall/interception/interception_default.go
@@ -3,7 +3,7 @@
 package interception

 import (
-	"github.com/safing/portbase/log"
+	"github.com/safing/portmaster/base/log"
 	"github.com/safing/portmaster/service/network"
 	"github.com/safing/portmaster/service/network/packet"
 )
--- a/service/firewall/interception/interception_linux.go
+++ b/service/firewall/interception/interception_linux.go
@@ -1,12 +1,12 @@
 package interception

 import (
-	"context"
 	"time"

 	bandwidth "github.com/safing/portmaster/service/firewall/interception/ebpf/bandwidth"
 	conn_listener "github.com/safing/portmaster/service/firewall/interception/ebpf/connection_listener"
 	"github.com/safing/portmaster/service/firewall/interception/nfq"
+	"github.com/safing/portmaster/service/mgr"
 	"github.com/safing/portmaster/service/network"
 	"github.com/safing/portmaster/service/network/packet"
 )
@@ -20,13 +20,13 @@ func startInterception(packets chan packet.Packet) error {
 	}

 	// Start ebpf new connection listener.
-	module.StartServiceWorker("ebpf connection listener", 0, func(ctx context.Context) error {
-		return conn_listener.ConnectionListenerWorker(ctx, packets)
+	module.mgr.Go("ebpf connection listener", func(wc *mgr.WorkerCtx) error {
+		return conn_listener.ConnectionListenerWorker(wc.Ctx(), packets)
 	})

 	// Start ebpf bandwidth stats monitor.
-	module.StartServiceWorker("ebpf bandwidth stats monitor", 0, func(ctx context.Context) error {
-		return bandwidth.BandwidthStatsWorker(ctx, 1*time.Second, BandwidthUpdates)
+	module.mgr.Go("ebpf bandwidth stats monitor", func(wc *mgr.WorkerCtx) error {
+		return bandwidth.BandwidthStatsWorker(wc.Ctx(), 1*time.Second, BandwidthUpdates)
 	})

 	return nil
--- a/service/firewall/interception/interception_windows.go
+++ b/service/firewall/interception/interception_windows.go
@@ -1,13 +1,13 @@
 package interception

 import (
-	"context"
 	"fmt"
 	"time"

-	"github.com/safing/portbase/log"
+	"github.com/safing/portmaster/base/log"
 	kext1 "github.com/safing/portmaster/service/firewall/interception/windowskext"
 	kext2 "github.com/safing/portmaster/service/firewall/interception/windowskext2"
+	"github.com/safing/portmaster/service/mgr"
 	"github.com/safing/portmaster/service/network"
 	"github.com/safing/portmaster/service/network/packet"
 	"github.com/safing/portmaster/service/updates"
@@ -46,25 +46,25 @@ func startInterception(packets chan packet.Packet) error {
 		kext1.SetKextService(kext2.GetKextServiceHandle(), kextFile.Path())

 		// Start packet handler.
-		module.StartServiceWorker("kext packet handler", 0, func(ctx context.Context) error {
-			kext1.Handler(ctx, packets)
+		module.mgr.Go("kext packet handler", func(w *mgr.WorkerCtx) error {
+			kext1.Handler(w.Ctx(), packets)
 			return nil
 		})

 		// Start bandwidth stats monitor.
-		module.StartServiceWorker("kext bandwidth stats monitor", 0, func(ctx context.Context) error {
-			return kext1.BandwidthStatsWorker(ctx, 1*time.Second, BandwidthUpdates)
+		module.mgr.Go("kext bandwidth stats monitor", func(w *mgr.WorkerCtx) error {
+			return kext1.BandwidthStatsWorker(w.Ctx(), 1*time.Second, BandwidthUpdates)
 		})
 	} else {

 		// Start packet handler.
-		module.StartServiceWorker("kext packet handler", 0, func(ctx context.Context) error {
-			kext2.Handler(ctx, packets, BandwidthUpdates)
+		module.mgr.Go("kext packet handler", func(w *mgr.WorkerCtx) error {
+			kext2.Handler(w.Ctx(), packets, BandwidthUpdates)
 			return nil
 		})

 		// Start bandwidth stats monitor.
-		module.StartServiceWorker("kext bandwidth request worker", 0, func(ctx context.Context) error {
+		module.mgr.Go("kext bandwidth request worker", func(w *mgr.WorkerCtx) error {
 			timer := time.NewTicker(1 * time.Second)
 			defer timer.Stop()
 			for {
@@ -74,7 +74,7 @@ func startInterception(packets chan packet.Packet) error {
 					if err != nil {
 						return err
 					}
-				case <-ctx.Done():
+				case <-w.Done():
 					return nil
 				}

@@ -82,7 +82,7 @@ func startInterception(packets chan packet.Packet) error {
 		})

 		// Start kext logging. The worker will periodically send request to the kext to send logs.
-		module.StartServiceWorker("kext log request worker", 0, func(ctx context.Context) error {
+		module.mgr.Go("kext log request worker", func(w *mgr.WorkerCtx) error {
 			timer := time.NewTicker(1 * time.Second)
 			defer timer.Stop()
 			for {
@@ -92,14 +92,14 @@ func startInterception(packets chan packet.Packet) error {
 					if err != nil {
 						return err
 					}
-				case <-ctx.Done():
+				case <-w.Done():
 					return nil
 				}

 			}
 		})

-		module.StartServiceWorker("kext clean ended connection worker", 0, func(ctx context.Context) error {
+		module.mgr.Go("kext clean ended connection worker", func(w *mgr.WorkerCtx) error {
 			timer := time.NewTicker(30 * time.Second)
 			defer timer.Stop()
 			for {
@@ -109,7 +109,7 @@ func startInterception(packets chan packet.Packet) error {
 					if err != nil {
 						return err
 					}
-				case <-ctx.Done():
+				case <-w.Done():
 					return nil
 				}

--- a/service/firewall/interception/introspection.go
+++ b/service/firewall/interception/introspection.go
@@ -7,7 +7,7 @@ import (
 	"sync"
 	"time"

-	"github.com/safing/portbase/log"
+	"github.com/safing/portmaster/base/log"
 )

 var (
--- a/service/firewall/interception/module.go
+++ b/service/firewall/interception/module.go
@@ -1,17 +1,38 @@
 package interception

 import (
+	"errors"
 	"flag"
+	"sync/atomic"

-	"github.com/safing/portbase/log"
-	"github.com/safing/portbase/modules"
+	"github.com/safing/portmaster/base/log"
+	"github.com/safing/portmaster/service/mgr"
 	"github.com/safing/portmaster/service/network/packet"
 )

-var (
-	module *modules.Module
+// Interception is the packet interception module.
+type Interception struct {
+	mgr      *mgr.Manager
+	instance instance
+}

-	// Packets is a stream of interception network packest.
+// Manager returns the module manager.
+func (i *Interception) Manager() *mgr.Manager {
+	return i.mgr
+}
+
+// Start starts the module.
+func (i *Interception) Start() error {
+	return start()
+}
+
+// Stop stops the module.
+func (i *Interception) Stop() error {
+	return stop()
+}
+
+var (
+	// Packets is a stream of interception network packets.
 	Packets = make(chan packet.Packet, 1000)

 	// BandwidthUpdates is a stream of bandwidth usage update for connections.
@@ -22,12 +43,6 @@ var (

 func init() {
 	flag.BoolVar(&disableInterception, "disable-interception", false, "disable packet interception; this breaks a lot of functionality")
-
-	module = modules.Register("interception", prep, start, stop, "base", "updates", "network", "notifications", "profiles")
-}
-
-func prep() error {
-	return nil
 }

 // Start starts the interception.
@@ -58,6 +73,28 @@ func stop() error {
 	}

 	close(metrics.done)
-
-	return stopInterception()
+	if err := stopInterception(); err != nil {
+		log.Errorf("failed to stop interception module: %s", err)
+	}
+	return nil
 }
+
+var (
+	module     *Interception
+	shimLoaded atomic.Bool
+)
+
+// New returns a new Interception module.
+func New(instance instance) (*Interception, error) {
+	if !shimLoaded.CompareAndSwap(false, true) {
+		return nil, errors.New("only one instance allowed")
+	}
+	m := mgr.New("Interception")
+	module = &Interception{
+		mgr:      m,
+		instance: instance,
+	}
+	return module, nil
+}
+
+type instance interface{}
--- a/service/firewall/interception/nfq/conntrack.go
+++ b/service/firewall/interception/nfq/conntrack.go
@@ -9,7 +9,7 @@ import (

 	ct "github.com/florianl/go-conntrack"

-	"github.com/safing/portbase/log"
+	"github.com/safing/portmaster/base/log"
 	"github.com/safing/portmaster/service/netenv"
 	"github.com/safing/portmaster/service/network"
 )
--- a/service/firewall/interception/nfq/nfq.go
+++ b/service/firewall/interception/nfq/nfq.go
@@ -14,7 +14,7 @@ import (
 	"github.com/tevino/abool"
 	"golang.org/x/sys/unix"

-	"github.com/safing/portbase/log"
+	"github.com/safing/portmaster/base/log"
 	pmpacket "github.com/safing/portmaster/service/network/packet"
 	"github.com/safing/portmaster/service/process"
 )
--- a/service/firewall/interception/nfq/packet.go
+++ b/service/firewall/interception/nfq/packet.go
@@ -10,7 +10,7 @@ import (
 	"github.com/florianl/go-nfqueue"
 	"github.com/tevino/abool"

-	"github.com/safing/portbase/log"
+	"github.com/safing/portmaster/base/log"
 	pmpacket "github.com/safing/portmaster/service/network/packet"
 )

--- a/service/firewall/interception/nfqueue_linux.go
+++ b/service/firewall/interception/nfqueue_linux.go
@@ -1,7 +1,6 @@
 package interception

 import (
-	"context"
 	"flag"
 	"fmt"
 	"sort"
@@ -10,8 +9,9 @@ import (
 	"github.com/coreos/go-iptables/iptables"
 	"github.com/hashicorp/go-multierror"

-	"github.com/safing/portbase/log"
+	"github.com/safing/portmaster/base/log"
 	"github.com/safing/portmaster/service/firewall/interception/nfq"
+	"github.com/safing/portmaster/service/mgr"
 	"github.com/safing/portmaster/service/netenv"
 	"github.com/safing/portmaster/service/network/packet"
 )
@@ -258,30 +258,25 @@ func StartNfqueueInterception(packets chan<- packet.Packet) (err error) {

 	err = activateNfqueueFirewall()
 	if err != nil {
-		_ = StopNfqueueInterception()
 		return fmt.Errorf("could not initialize nfqueue: %w", err)
 	}

 	out4Queue, err = nfq.New(17040, false)
 	if err != nil {
-		_ = StopNfqueueInterception()
 		return fmt.Errorf("nfqueue(IPv4, out): %w", err)
 	}
 	in4Queue, err = nfq.New(17140, false)
 	if err != nil {
-		_ = StopNfqueueInterception()
 		return fmt.Errorf("nfqueue(IPv4, in): %w", err)
 	}

 	if netenv.IPv6Enabled() {
 		out6Queue, err = nfq.New(17060, true)
 		if err != nil {
-			_ = StopNfqueueInterception()
 			return fmt.Errorf("nfqueue(IPv6, out): %w", err)
 		}
 		in6Queue, err = nfq.New(17160, true)
 		if err != nil {
-			_ = StopNfqueueInterception()
 			return fmt.Errorf("nfqueue(IPv6, in): %w", err)
 		}
 	} else {
@@ -290,7 +285,7 @@ func StartNfqueueInterception(packets chan<- packet.Packet) (err error) {
 		in6Queue = &disabledNfQueue{}
 	}

-	module.StartServiceWorker("nfqueue packet handler", 0, func(_ context.Context) error {
+	module.mgr.Go("nfqueue packet handler", func(_ *mgr.WorkerCtx) error {
 		return handleInterception(packets)
 	})
 	return nil
--- a/service/firewall/interception/windowskext/bandwidth_stats.go
+++ b/service/firewall/interception/windowskext/bandwidth_stats.go
@@ -9,7 +9,7 @@ import (
 	"context"
 	"time"

-	"github.com/safing/portbase/log"
+	"github.com/safing/portmaster/base/log"
 	"github.com/safing/portmaster/service/network/packet"
 )

--- a/service/firewall/interception/windowskext/handler.go
+++ b/service/firewall/interception/windowskext/handler.go
@@ -16,7 +16,7 @@ import (

 	"github.com/tevino/abool"

-	"github.com/safing/portbase/log"
+	"github.com/safing/portmaster/base/log"
 	"github.com/safing/portmaster/service/network"
 	"github.com/safing/portmaster/service/network/packet"
 )
--- a/service/firewall/interception/windowskext/kext.go
+++ b/service/firewall/interception/windowskext/kext.go
@@ -10,7 +10,7 @@ import (
 	"syscall"
 	"unsafe"

-	"github.com/safing/portbase/log"
+	"github.com/safing/portmaster/base/log"
 	"github.com/safing/portmaster/service/network"
 	"github.com/safing/portmaster/service/network/packet"
 	"golang.org/x/sys/windows"
--- a/service/firewall/interception/windowskext/packet.go
+++ b/service/firewall/interception/windowskext/packet.go
@@ -8,7 +8,7 @@ import (

 	"github.com/tevino/abool"

-	"github.com/safing/portbase/log"
+	"github.com/safing/portmaster/base/log"
 	"github.com/safing/portmaster/service/network"
 	"github.com/safing/portmaster/service/network/packet"
 )
--- a/service/firewall/interception/windowskext/service.go
+++ b/service/firewall/interception/windowskext/service.go
@@ -8,7 +8,7 @@ import (
 	"syscall"
 	"time"

-	"github.com/safing/portbase/log"
+	"github.com/safing/portmaster/base/log"
 	"golang.org/x/sys/windows"
 )

--- a/service/firewall/interception/windowskext2/handler.go
+++ b/service/firewall/interception/windowskext2/handler.go
@@ -15,7 +15,7 @@ import (

 	"github.com/tevino/abool"

-	"github.com/safing/portbase/log"
+	"github.com/safing/portmaster/base/log"
 	"github.com/safing/portmaster/service/network/packet"
 )

--- a/service/firewall/interception/windowskext2/kext.go
+++ b/service/firewall/interception/windowskext2/kext.go
@@ -6,7 +6,7 @@ package windowskext
 import (
 	"fmt"

-	"github.com/safing/portbase/log"
+	"github.com/safing/portmaster/base/log"
 	"github.com/safing/portmaster/service/network"
 	"github.com/safing/portmaster/windows_kext/kextinterface"
 	"golang.org/x/sys/windows"
--- a/service/firewall/interception/windowskext2/packet.go
+++ b/service/firewall/interception/windowskext2/packet.go
@@ -8,7 +8,7 @@ import (

 	"github.com/tevino/abool"

-	"github.com/safing/portbase/log"
+	"github.com/safing/portmaster/base/log"
 	"github.com/safing/portmaster/service/network/packet"
 	"github.com/safing/portmaster/windows_kext/kextinterface"
 )
--- a/service/firewall/master.go
+++ b/service/firewall/master.go
@@ -11,7 +11,7 @@ import (
 	"github.com/agext/levenshtein"
 	"golang.org/x/net/publicsuffix"

-	"github.com/safing/portbase/log"
+	"github.com/safing/portmaster/base/log"
 	"github.com/safing/portmaster/service/detection/dga"
 	"github.com/safing/portmaster/service/intel/customlists"
 	"github.com/safing/portmaster/service/intel/filterlists"
--- a/service/firewall/module.go
+++ b/service/firewall/module.go
@@ -1,17 +1,19 @@
 package firewall

 import (
-	"context"
+	"errors"
 	"flag"
 	"fmt"
 	"path/filepath"
 	"strings"
+	"sync/atomic"
+	"time"

-	"github.com/safing/portbase/config"
-	"github.com/safing/portbase/log"
-	"github.com/safing/portbase/modules"
-	"github.com/safing/portbase/modules/subsystems"
+	"github.com/safing/portmaster/base/config"
+	"github.com/safing/portmaster/base/log"
 	_ "github.com/safing/portmaster/service/core"
+	"github.com/safing/portmaster/service/mgr"
+	"github.com/safing/portmaster/service/netquery"
 	"github.com/safing/portmaster/service/network"
 	"github.com/safing/portmaster/service/profile"
 	"github.com/safing/portmaster/spn/access"
@@ -29,132 +31,97 @@ func (ss *stringSliceFlag) Set(value string) error {
 	return nil
 }

-var (
-	module         *modules.Module
-	allowedClients stringSliceFlag
-)
+var allowedClients stringSliceFlag
+
+type Firewall struct {
+	mgr *mgr.Manager
+
+	instance instance
+}

 func init() {
-	module = modules.Register("filter", prep, start, stop, "core", "interception", "intel", "netquery")
-	subsystems.Register(
-		"filter",
-		"Privacy Filter",
-		"DNS and Network Filter",
-		module,
-		"config:filter/",
-		nil,
-	)
-
 	flag.Var(&allowedClients, "allowed-clients", "A list of binaries that are allowed to connect to the Portmaster API")
 }

+func (f *Firewall) Manager() *mgr.Manager {
+	return f.mgr
+}
+
+func (f *Firewall) Start() error {
+	if err := prep(); err != nil {
+		log.Errorf("Failed to prepare firewall module %q", err)
+		return err
+	}
+
+	return start()
+}
+
+func (f *Firewall) Stop() error {
+	// Cancel all workers and give them a little time.
+	// The bandwidth updater can crash the sqlite DB for some reason.
+	// TODO: Investigate.
+	f.mgr.Cancel()
+	time.Sleep(100 * time.Millisecond)
+
+	return stop()
+}
+
 func prep() error {
 	network.SetDefaultFirewallHandler(defaultFirewallHandler)

 	// Reset connections every time configuration changes
 	// this will be triggered on spn enable/disable
-	err := module.RegisterEventHook(
-		"config",
-		config.ChangeEvent,
-		"reset connection verdicts after global config change",
-		func(ctx context.Context, _ interface{}) error {
-			resetAllConnectionVerdicts()
-			return nil
-		},
-	)
-	if err != nil {
-		log.Errorf("filter: failed to register event hook: %s", err)
-	}
+	module.instance.Config().EventConfigChange.AddCallback("reset connection verdicts after global config change", func(w *mgr.WorkerCtx, _ struct{}) (bool, error) {
+		resetAllConnectionVerdicts()
+		return false, nil
+	})

-	// Reset connections every time profile changes
-	err = module.RegisterEventHook(
-		"profiles",
-		profile.ConfigChangeEvent,
-		"reset connection verdicts after profile config change",
-		func(ctx context.Context, eventData interface{}) error {
+	module.instance.Profile().EventConfigChange.AddCallback("reset connection verdicts after profile config change",
+		func(m *mgr.WorkerCtx, profileID string) (bool, error) {
 			// Expected event data: scoped profile ID.
-			profileID, ok := eventData.(string)
-			if !ok {
-				return fmt.Errorf("event data is not a string: %v", eventData)
-			}
 			profileSource, profileID, ok := strings.Cut(profileID, "/")
 			if !ok {
-				return fmt.Errorf("event data does not seem to be a scoped profile ID: %v", eventData)
+				return false, fmt.Errorf("event data does not seem to be a scoped profile ID: %v", profileID)
 			}

 			resetProfileConnectionVerdict(profileSource, profileID)
-			return nil
+			return false, nil
 		},
 	)
-	if err != nil {
-		log.Errorf("filter: failed to register event hook: %s", err)
-	}

 	// Reset connections when spn is connected
 	// connect and disconnecting is triggered on config change event but connecting takеs more time
-	err = module.RegisterEventHook(
-		"captain",
-		captain.SPNConnectedEvent,
-		"reset connection verdicts on SPN connect",
-		func(ctx context.Context, _ interface{}) error {
-			resetAllConnectionVerdicts()
-			return nil
-		},
-	)
-	if err != nil {
-		log.Errorf("filter: failed to register event hook: %s", err)
-	}
+	module.instance.Captain().EventSPNConnected.AddCallback("reset connection verdicts on SPN connect", func(wc *mgr.WorkerCtx, s struct{}) (cancel bool, err error) {
+		resetAllConnectionVerdicts()
+		return false, err
+	})

 	// Reset connections when account is updated.
 	// This will not change verdicts, but will update the feature flags on connections.
-	err = module.RegisterEventHook(
-		"access",
-		access.AccountUpdateEvent,
-		"update connection feature flags after account update",
-		func(ctx context.Context, _ interface{}) error {
-			resetAllConnectionVerdicts()
-			return nil
-		},
-	)
-	if err != nil {
-		log.Errorf("filter: failed to register event hook: %s", err)
-	}
+	module.instance.Access().EventAccountUpdate.AddCallback("update connection feature flags after account update", func(wc *mgr.WorkerCtx, s struct{}) (cancel bool, err error) {
+		resetAllConnectionVerdicts()
+		return false, err
+	})

-	err = module.RegisterEventHook(
-		"network",
-		network.ConnectionReattributedEvent,
-		"reset verdict of re-attributed connection",
-		func(ctx context.Context, eventData interface{}) error {
-			// Expected event data: connection ID.
-			connID, ok := eventData.(string)
-			if !ok {
-				return fmt.Errorf("event data is not a string: %v", eventData)
-			}
-			resetSingleConnectionVerdict(connID)
-			return nil
-		},
-	)
-	if err != nil {
-		log.Errorf("filter: failed to register event hook: %s", err)
-	}
+	module.instance.Network().EventConnectionReattributed.AddCallback("reset connection verdicts after connection re-attribution", func(wc *mgr.WorkerCtx, connID string) (cancel bool, err error) {
+		// Expected event data: connection ID.
+		resetSingleConnectionVerdict(connID)
+		return false, err
+	})

-	if err := registerConfig(); err != nil {
-		return err
-	}
-
-	return prepAPIAuth()
+	return nil
 }

 func start() error {
 	getConfig()
 	startAPIAuth()

-	module.StartServiceWorker("packet handler", 0, packetHandler)
-	module.StartServiceWorker("bandwidth update handler", 0, bandwidthUpdateHandler)
+	module.mgr.Go("packet handler", packetHandler)
+	module.mgr.Go("bandwidth update handler", bandwidthUpdateHandler)

 	// Start stat logger if logging is set to trace.
 	if log.GetLogLevel() == log.TraceLevel {
-		module.StartServiceWorker("stat logger", 0, statLogger)
+		module.mgr.Go("stat logger", statLogger)
 	}

 	return nil
@@ -163,3 +130,39 @@ func start() error {
 func stop() error {
 	return nil
 }
+
+var (
+	module     *Firewall
+	shimLoaded atomic.Bool
+)
+
+func New(instance instance) (*Firewall, error) {
+	if !shimLoaded.CompareAndSwap(false, true) {
+		return nil, errors.New("only one instance allowed")
+	}
+
+	m := mgr.New("Firewall")
+	module = &Firewall{
+		mgr:      m,
+		instance: instance,
+	}
+
+	if err := prepAPIAuth(); err != nil {
+		return nil, err
+	}
+
+	if err := registerConfig(); err != nil {
+		return nil, err
+	}
+
+	return module, nil
+}
+
+type instance interface {
+	Config() *config.Config
+	Profile() *profile.ProfileModule
+	Captain() *captain.Captain
+	Access() *access.Access
+	Network() *network.Network
+	NetQuery() *netquery.NetQuery
+}
--- a/service/firewall/packet_handler.go
+++ b/service/firewall/packet_handler.go
@@ -12,13 +12,13 @@ import (
 	"github.com/google/gopacket/layers"
 	"github.com/tevino/abool"

-	"github.com/safing/portbase/log"
+	"github.com/safing/portmaster/base/log"
 	"github.com/safing/portmaster/service/compat"
 	_ "github.com/safing/portmaster/service/core/base"
 	"github.com/safing/portmaster/service/firewall/inspection"
 	"github.com/safing/portmaster/service/firewall/interception"
+	"github.com/safing/portmaster/service/mgr"
 	"github.com/safing/portmaster/service/netenv"
-	"github.com/safing/portmaster/service/netquery"
 	"github.com/safing/portmaster/service/network"
 	"github.com/safing/portmaster/service/network/netutils"
 	"github.com/safing/portmaster/service/network/packet"
@@ -720,10 +720,10 @@ func issueVerdict(conn *network.Connection, pkt packet.Packet, verdict network.V
 // 	return
 // }

-func packetHandler(ctx context.Context) error {
+func packetHandler(w *mgr.WorkerCtx) error {
 	for {
 		select {
-		case <-ctx.Done():
+		case <-w.Done():
 			return nil
 		case pkt := <-interception.Packets:
 			if pkt != nil {
@@ -735,16 +735,16 @@ func packetHandler(ctx context.Context) error {
 	}
 }

-func bandwidthUpdateHandler(ctx context.Context) error {
+func bandwidthUpdateHandler(w *mgr.WorkerCtx) error {
 	for {
 		select {
-		case <-ctx.Done():
+		case <-w.Done():
 			return nil
 		case bwUpdate := <-interception.BandwidthUpdates:
 			if bwUpdate != nil {
 				// DEBUG:
 				// log.Debugf("filter: bandwidth update: %s", bwUpdate)
-				updateBandwidth(ctx, bwUpdate)
+				updateBandwidth(w.Ctx(), bwUpdate)
 			} else {
 				return errors.New("received nil bandwidth update from interception")
 			}
@@ -793,8 +793,8 @@ func updateBandwidth(ctx context.Context, bwUpdate *packet.BandwidthUpdate) {
 	}

 	// Update bandwidth in the netquery module.
-	if netquery.DefaultModule != nil && conn.BandwidthEnabled {
-		if err := netquery.DefaultModule.Store.UpdateBandwidth(
+	if module.instance.NetQuery() != nil && conn.BandwidthEnabled {
+		if err := module.instance.NetQuery().Store.UpdateBandwidth(
 			ctx,
 			conn.HistoryEnabled,
 			fmt.Sprintf("%s/%s", conn.ProcessContext.Source, conn.ProcessContext.Profile),
@@ -808,10 +808,10 @@ func updateBandwidth(ctx context.Context, bwUpdate *packet.BandwidthUpdate) {
 	}
 }

-func statLogger(ctx context.Context) error {
+func statLogger(w *mgr.WorkerCtx) error {
 	for {
 		select {
-		case <-ctx.Done():
+		case <-w.Done():
 			return nil
 		case <-time.After(10 * time.Second):
 			log.Tracef(
--- a/service/firewall/prompt.go
+++ b/service/firewall/prompt.go
@@ -6,8 +6,8 @@ import (
 	"sync"
 	"time"

-	"github.com/safing/portbase/log"
-	"github.com/safing/portbase/notifications"
+	"github.com/safing/portmaster/base/log"
+	"github.com/safing/portmaster/base/notifications"
 	"github.com/safing/portmaster/service/intel"
 	"github.com/safing/portmaster/service/network"
 	"github.com/safing/portmaster/service/profile"
--- a/service/firewall/tunnel.go
+++ b/service/firewall/tunnel.go
@@ -4,7 +4,7 @@ import (
 	"context"
 	"errors"

-	"github.com/safing/portbase/log"
+	"github.com/safing/portmaster/base/log"
 	"github.com/safing/portmaster/service/intel"
 	"github.com/safing/portmaster/service/netenv"
 	"github.com/safing/portmaster/service/network"