Merge dev branch (#121)

Author: moubctez

.gitmodules

@@ -1,8 +1,8 @@
 [package]
 name = "defguard_wireguard_rs"
-version = "0.8.0"
+version = "0.9.0"
 edition = "2024"
-rust-version = "1.85"
+rust-version = "1.87"
 description = "A unified multi-platform high-level API for managing WireGuard interfaces"
 license = "Apache-2.0"
 readme = "README.md"
@@ -25,11 +25,11 @@ tracing = "0.1"
 tracing-subscriber = "0.3"
 
 [target.'cfg(unix)'.dependencies]
-defguard_boringtun = { version = "0.6.0", default-features = false, features = [
+defguard_boringtun = { version = "0.6", default-features = false, features = [
     "device",
 ]}
 libc = { version = "0.2", default-features = false }
-nix = { version = "0.30", features = ["ioctl", "socket"] }
+nix = { version = "0.31", features = ["ioctl", "socket"] }
 
 [target.'cfg(target_os = "windows")'.dependencies]
 ipnet = "2.11"
@@ -39,12 +39,12 @@ windows = { version = "0.62", features = [
     "Win32_Networking_WinSock",
     "Win32_System_Com",
 ] }
-wireguard-nt = "0.5.0"
+wireguard-nt = "0.5"
 
 [target.'cfg(target_os = "linux")'.dependencies]
 netlink-packet-core = "0.8"
 netlink-packet-generic = "0.4"
-netlink-packet-route = "0.25"
+netlink-packet-route = "0.28"
 netlink-packet-utils = "0.6"
 netlink-packet-wireguard = "0.2"
 netlink-sys = "0.8"

Cargo.lock

@@ -1,7 +1,7 @@
 use std::{net::SocketAddr, str::FromStr};
 
 use defguard_wireguard_rs::{
-    InterfaceConfiguration, WGApi, WireguardInterfaceApi, host::Peer, key::Key, net::IpAddrMask,
+    InterfaceConfiguration, WGApi, WireguardInterfaceApi, key::Key, net::IpAddrMask, peer::Peer,
 };
 use x25519_dalek::{EphemeralSecret, PublicKey};
 
@@ -46,6 +46,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
         port: 12345,
         peers: vec![peer],
         mtu: None,
+        fwmark: None,
     };
 
     #[cfg(not(windows))]

Cargo.toml

@@ -1,7 +1,7 @@
 use std::str::FromStr;
 
 use defguard_wireguard_rs::{
-    InterfaceConfiguration, WGApi, WireguardInterfaceApi, host::Peer, key::Key, net::IpAddrMask,
+    InterfaceConfiguration, WGApi, WireguardInterfaceApi, key::Key, net::IpAddrMask, peer::Peer,
 };
 use x25519_dalek::{EphemeralSecret, PublicKey};
 
@@ -44,6 +44,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
         port: 12345,
         peers: vec![peer],
         mtu: None,
+        fwmark: None,
     };
     println!("Prepared interface configuration: {interface_config:?}");
 

examples/client.rs

@@ -5,8 +5,8 @@ use std::{
 };
 
 use defguard_wireguard_rs::{
-    InterfaceConfiguration, Userspace, WGApi, WireguardInterfaceApi, host::Peer, key::Key,
-    net::IpAddrMask,
+    InterfaceConfiguration, Userspace, WGApi, WireguardInterfaceApi, key::Key, net::IpAddrMask,
+    peer::Peer,
 };
 use x25519_dalek::{EphemeralSecret, PublicKey};
 
@@ -63,6 +63,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
         port: 12345,
         peers: vec![peer],
         mtu: None,
+        fwmark: None,
     };
 
     #[cfg(not(windows))]

examples/server.rs

@@ -31,11 +31,7 @@ use self::{
     timespec::{pack_timespec, unpack_timespec},
     wgio::{WgReadIo, WgWriteIo},
 };
-use crate::{
-    IpVersion, Key, WireguardInterfaceError,
-    host::{Host, Peer},
-    net::IpAddrMask,
-};
+use crate::{IpVersion, Key, WireguardInterfaceError, host::Host, net::IpAddrMask, peer::Peer};
 
 // Note: these values differ across different platforms.
 const AF_INET: u8 = libc::AF_INET as u8;

examples/userspace.rs

@@ -5,208 +5,34 @@
 
 use std::{
     collections::HashMap,
-    fmt::{self, Debug, Formatter},
+    fmt,
     io::{self, BufRead, BufReader, Read},
     net::SocketAddr,
     str::FromStr,
     time::{Duration, SystemTime},
 };
 
 #[cfg(target_os = "linux")]
-use netlink_packet_wireguard::{
-    constants::{WGDEVICE_F_REPLACE_PEERS, WGPEER_F_REPLACE_ALLOWEDIPS},
-    nlas::{WgAllowedIpAttrs, WgDeviceAttrs, WgPeer, WgPeerAttrs},
-};
+use netlink_packet_wireguard::{constants::WGDEVICE_F_REPLACE_PEERS, nlas::WgDeviceAttrs};
 #[cfg(feature = "serde")]
 use serde::{Deserialize, Serialize};
 
-use crate::{error::WireguardInterfaceError, key::Key, net::IpAddrMask, utils::resolve};
-
-/// WireGuard peer representation.
-#[derive(Clone, Default, PartialEq)]
-#[cfg_attr(feature = "serde", derive(Deserialize, Serialize))]
-pub struct Peer {
-    pub public_key: Key,
-    pub preshared_key: Option<Key>,
-    pub protocol_version: Option<u32>,
-    pub endpoint: Option<SocketAddr>,
-    pub last_handshake: Option<SystemTime>,
-    pub tx_bytes: u64,
-    pub rx_bytes: u64,
-    pub persistent_keepalive_interval: Option<u16>,
-    pub allowed_ips: Vec<IpAddrMask>,
-}
-
-// implement manually to avoid exposing preshared keys
-impl fmt::Debug for Peer {
-    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        f.debug_struct("Peer")
-            .field("public_key", &self.public_key)
-            .field("protocol_version", &self.protocol_version)
-            .field("endpoint", &self.endpoint)
-            .field("last_handshake", &self.last_handshake)
-            .field("tx_bytes", &self.tx_bytes)
-            .field("rx_bytes", &self.rx_bytes)
-            .field(
-                "persistent_keepalive_interval",
-                &self.persistent_keepalive_interval,
-            )
-            .field("allowed_ips", &self.allowed_ips)
-            .finish_non_exhaustive()
-    }
-}
-
-impl Peer {
-    /// Create new `Peer` with a given `public_key`.
-    #[must_use]
-    pub fn new(public_key: Key) -> Self {
-        Self {
-            public_key,
-            preshared_key: None,
-            protocol_version: None,
-            endpoint: None,
-            last_handshake: None,
-            tx_bytes: 0,
-            rx_bytes: 0,
-            persistent_keepalive_interval: None,
-            allowed_ips: Vec::new(),
-        }
-    }
-
-    pub fn set_allowed_ips(&mut self, allowed_ips: Vec<IpAddrMask>) {
-        self.allowed_ips = allowed_ips;
-    }
-
-    /// Resolves endpoint address to [`SocketAddr`] and sets the field
-    pub fn set_endpoint(&mut self, endpoint: &str) -> Result<(), WireguardInterfaceError> {
-        self.endpoint = Some(resolve(endpoint)?);
-        Ok(())
-    }
-
-    #[must_use]
-    pub fn as_uapi_update(&self) -> String {
-        let mut output = format!("public_key={}\n", self.public_key.to_lower_hex());
-        if let Some(key) = &self.preshared_key {
-            output.push_str("preshared_key=");
-            output.push_str(&key.to_lower_hex());
-            output.push('\n');
-        }
-        if let Some(endpoint) = &self.endpoint {
-            output.push_str("endpoint=");
-            output.push_str(&endpoint.to_string());
-            output.push('\n');
-        }
-        if let Some(interval) = &self.persistent_keepalive_interval {
-            output.push_str("persistent_keepalive_interval=");
-            output.push_str(&interval.to_string());
-            output.push('\n');
-        }
-        output.push_str("replace_allowed_ips=true\n");
-        for allowed_ip in &self.allowed_ips {
-            output.push_str("allowed_ip=");
-            output.push_str(&allowed_ip.to_string());
-            output.push('\n');
-        }
-
-        output
-    }
-
-    #[must_use]
-    pub fn as_uapi_remove(&self) -> String {
-        format!(
-            "public_key={}\nremove=true\n",
-            self.public_key.to_lower_hex()
-        )
-    }
-}
-
-#[cfg(target_os = "linux")]
-impl Peer {
-    #[must_use]
-    pub(crate) fn from_nlas(nlas: &[WgPeerAttrs]) -> Self {
-        let mut peer = Self::default();
-
-        for nla in nlas {
-            match nla {
-                WgPeerAttrs::PublicKey(value) => peer.public_key = Key::new(*value),
-                WgPeerAttrs::PresharedKey(value) => peer.preshared_key = Some(Key::new(*value)),
-                WgPeerAttrs::Endpoint(value) => peer.endpoint = Some(*value),
-                WgPeerAttrs::PersistentKeepalive(value) => {
-                    peer.persistent_keepalive_interval = Some(*value);
-                }
-                WgPeerAttrs::LastHandshake(value) => peer.last_handshake = Some(*value),
-                WgPeerAttrs::RxBytes(value) => peer.rx_bytes = *value,
-                WgPeerAttrs::TxBytes(value) => peer.tx_bytes = *value,
-                WgPeerAttrs::AllowedIps(nlas) => {
-                    for nla in nlas {
-                        let ip = nla.iter().find_map(|nla| match nla {
-                            WgAllowedIpAttrs::IpAddr(ip) => Some(*ip),
-                            _ => None,
-                        });
-                        let cidr = nla.iter().find_map(|nla| match nla {
-                            WgAllowedIpAttrs::Cidr(cidr) => Some(*cidr),
-                            _ => None,
-                        });
-                        if let (Some(ip), Some(cidr)) = (ip, cidr) {
-                            peer.allowed_ips.push(IpAddrMask::new(ip, cidr));
-                        }
-                    }
-                }
-                _ => (),
-            }
-        }
-
-        peer
-    }
-
-    #[must_use]
-    pub(crate) fn as_nlas(&self, ifname: &str) -> Vec<WgDeviceAttrs> {
-        vec![
-            WgDeviceAttrs::IfName(ifname.into()),
-            WgDeviceAttrs::Peers(vec![self.as_nlas_peer()]),
-        ]
-    }
-
-    #[must_use]
-    pub(crate) fn as_nlas_peer(&self) -> WgPeer {
-        let mut attrs = vec![WgPeerAttrs::PublicKey(self.public_key.as_array())];
-        if let Some(keepalive) = self.persistent_keepalive_interval {
-            attrs.push(WgPeerAttrs::PersistentKeepalive(keepalive));
-        }
-
-        if let Some(endpoint) = self.endpoint {
-            attrs.push(WgPeerAttrs::Endpoint(endpoint));
-        }
-
-        if let Some(preshared_key) = &self.preshared_key {
-            attrs.push(WgPeerAttrs::PresharedKey(preshared_key.as_array()));
-        }
-
-        attrs.push(WgPeerAttrs::Flags(WGPEER_F_REPLACE_ALLOWEDIPS));
-        let allowed_ips = self
-            .allowed_ips
-            .iter()
-            .map(IpAddrMask::to_nlas_allowed_ip)
-            .collect();
-        attrs.push(WgPeerAttrs::AllowedIps(allowed_ips));
-
-        WgPeer(attrs)
-    }
-}
+use super::{key::Key, peer::Peer};
 
 /// WireGuard host representation.
 #[derive(Clone, Default)]
 #[cfg_attr(feature = "serde", derive(Deserialize, Serialize))]
 pub struct Host {
     pub listen_port: u16,
     pub private_key: Option<Key>,
+    // FwMark with value of 0, removes the setting from WireGuard interface.
     pub(super) fwmark: Option<u32>,
     pub peers: HashMap<Key, Peer>,
 }
 
-// implement manually to avoid exposing private keys
-impl Debug for Host {
-    fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
+// Implement `Debug` manually to avoid exposing private keys.
+impl fmt::Debug for Host {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
         f.debug_struct("Host")
             .field("listen_port", &self.listen_port)
             .field("fwmark", &self.fwmark)

src/bsd/mod.rs

@@ -11,7 +11,7 @@
 //!
 //! ```no_run
 //! use x25519_dalek::{EphemeralSecret, PublicKey};
-//! use defguard_wireguard_rs::{InterfaceConfiguration, Userspace, WGApi, WireguardInterfaceApi, host::Peer};
+//! use defguard_wireguard_rs::{InterfaceConfiguration, Userspace, WGApi, WireguardInterfaceApi, peer::Peer};
 //! # use defguard_wireguard_rs::error::WireguardInterfaceError;
 //!
 //! // Create new API struct for interface
@@ -31,8 +31,9 @@
 //!     prvkey: "AAECAwQFBgcICQoLDA0OD/Dh0sO0pZaHeGlaSzwtHg8=".to_string(),
 //!     addresses: vec!["10.6.0.30".parse().unwrap()],
 //!     port: 12345,
-//!     peers: vec![],
+//!     peers: Vec::new(),
 //!     mtu: None,
+//!     fwmark: None,
 //! };
 //! wgapi.configure_interface(&interface_config)?;
 //!
@@ -58,6 +59,7 @@ pub mod key;
 pub mod net;
 #[cfg(target_os = "linux")]
 pub(crate) mod netlink;
+pub mod peer;
 mod utils;
 mod wgapi;
 
@@ -84,12 +86,7 @@ use serde::{Deserialize, Serialize};
 pub use wgapi::{Kernel, Userspace, WGApi};
 pub use wireguard_interface::WireguardInterfaceApi;
 
-use self::{
-    error::WireguardInterfaceError,
-    host::{Host, Peer},
-    key::Key,
-    net::IpAddrMask,
-};
+use self::{error::WireguardInterfaceError, host::Host, key::Key, net::IpAddrMask, peer::Peer};
 
 // Internet Protocol (IP) address variant.
 #[derive(Clone, Copy)]
@@ -107,8 +104,11 @@ pub struct InterfaceConfiguration {
     pub addresses: Vec<IpAddrMask>,
     pub port: u16,
     pub peers: Vec<Peer>,
-    /// Maximum transfer unit. `None` means do not set MTU, but keep the system default.
+    /// Maximum transmission unit. `None` means: do not set MTU, but keep the system default.
     pub mtu: Option<u32>,
+    /// Firewall mark. `None` means: do not set FwMark, but keep the current value.
+    /// `Some(0)` removes FwMark from WireGuard interfaces.
+    pub fwmark: Option<u32>,
 }
 
 // Implement `Debug` manually to avoid exposing private keys.
@@ -120,6 +120,7 @@ impl fmt::Debug for InterfaceConfiguration {
             .field("port", &self.port)
             .field("peers", &self.peers)
             .field("mtu", &self.mtu)
+            .field("fwmark", &self.fwmark)
             .finish_non_exhaustive()
     }
 }
@@ -130,6 +131,7 @@ impl TryFrom<&InterfaceConfiguration> for Host {
     fn try_from(config: &InterfaceConfiguration) -> Result<Self, Self::Error> {
         let key = config.prvkey.as_str().try_into()?;
         let mut host = Host::new(config.port, key);
+        host.fwmark = config.fwmark;
         for peercfg in &config.peers {
             let peer = peercfg.clone();
             let key: Key = peer.public_key.clone();