From 5200baac1a6e0fd45c8a3cead8def1b975d30231 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adam=20Ciarcin=CC=81ski?= Date: Tue, 6 Jan 2026 19:42:51 +0100 Subject: [PATCH 1/2] Enable use of fwmark --- Cargo.lock | 76 +++++++++++++++++----------------- Cargo.toml | 2 +- src/config.rs | 4 ++ src/enterprise/firewall/api.rs | 10 ++++- src/gateway.rs | 8 ++-- src/lib.rs | 3 +- 6 files changed, 58 insertions(+), 45 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index fd8bf167..401b3eb8 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -362,9 +362,9 @@ dependencies = [ [[package]] name = "clap" -version = "4.5.53" +version = "4.5.54" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c9e340e012a1bf4935f5282ed1436d1489548e8f72308207ea5df0e23d2d03f8" +checksum = "c6e6ff9dcd79cff5cd969a17a545d79e84ab086e444102a591e288a8aa3ce394" dependencies = [ "clap_builder", "clap_derive", @@ -372,9 +372,9 @@ dependencies = [ [[package]] name = "clap_builder" -version = "4.5.53" +version = "4.5.54" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d76b5d13eaa18c901fd2f7fca939fefe3a0727a953561fefdf3b2922b8569d00" +checksum = "fa42cf4d2b7a41bc8f663a7cab4031ebafa1bf3875705bfaf8466dc60ab52c00" dependencies = [ "anstream", "anstyle", @@ -590,8 +590,8 @@ dependencies = [ [[package]] name = "defguard_wireguard_rs" -version = "0.8.1" -source = "git+https://github.com/DefGuard/wireguard-rs?rev=c00280c868bd12cccc6c50202a80244f3c3832e1#c00280c868bd12cccc6c50202a80244f3c3832e1" +version = "0.9.0" +source = "git+https://github.com/DefGuard/wireguard-rs?rev=6444a4e31336c4cdbb18dcb5af07f59ad6ce57ab#6444a4e31336c4cdbb18dcb5af07f59ad6ce57ab" dependencies = [ "base64", "defguard_boringtun", 
@@ -902,9 +902,9 @@ dependencies = [ [[package]] name = "h2" -version = "0.4.12" +version = "0.4.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f3c0b69cfcb4e1b9f1bf2f53f95f766e4661169728ec61cd3fe5a0166f2d1386" +checksum = "2f44da3a8150a6703ed5d34e164b875fd14c2cdab9af1252a9a1020bde2bdc54" dependencies = [ "atomic-waker", "bytes", @@ -1245,9 +1245,9 @@ checksum = "92ecc6618181def0457392ccd0ee51198e065e016d1d527a7ac1b6dc7c1f09d2" [[package]] name = "jiff" -version = "0.2.17" +version = "0.2.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a87d9b8105c23642f50cbbae03d1f75d8422c5cb98ce7ee9271f7ff7505be6b8" +checksum = "e67e8da4c49d6d9909fe03361f9b620f58898859f5c7aded68351e85e71ecf50" dependencies = [ "jiff-static", "log", @@ -1258,9 +1258,9 @@ dependencies = [ [[package]] name = "jiff-static" -version = "0.2.17" +version = "0.2.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b787bebb543f8969132630c51fd0afab173a86c6abae56ff3b9e5e3e3f9f6e58" +checksum = "e0c84ee7f197eca9a86c6fd6cb771e55eb991632f15f2bc3ca6ec838929e6e78" dependencies = [ "proc-macro2", "quote", @@ -1285,9 +1285,9 @@ checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe" [[package]] name = "libc" -version = "0.2.178" +version = "0.2.179" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "37c93d8daa9d8a012fd8ab92f088405fb202ea0b6ab73ee2482ae66af4f42091" +checksum = "c5a2d376baa530d1238d133232d15e239abad80d05838b4b59354e5268af431f" [[package]] name = "libgit2-sys" @@ -1460,9 +1460,9 @@ dependencies = [ [[package]] name = "netlink-packet-route" -version = "0.25.1" +version = "0.28.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3ec2f5b6839be2a19d7fa5aab5bc444380f6311c2b693551cb80f45caaa7b5ef" +checksum = "4ce3636fa715e988114552619582b530481fd5ef176a1e5c1bf024077c2c9445" dependencies = [ "bitflags", "libc", 
@@ -1918,9 +1918,9 @@ dependencies = [ [[package]] name = "proc-macro2" -version = "1.0.104" +version = "1.0.105" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9695f8df41bb4f3d222c95a67532365f569318332d03d5f3f67f37b20e6ebdf0" +checksum = "535d180e0ecab6268a3e718bb9fd44db66bbbc256257165fc699dadf70d16fe7" dependencies = [ "unicode-ident", ] @@ -2001,9 +2001,9 @@ dependencies = [ [[package]] name = "quote" -version = "1.0.42" +version = "1.0.43" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a338cc41d27e6cc6dce6cefc13a0729dfbb81c262b1f519331575dd80ef3067f" +checksum = "dc74d9a594b72ae6656596548f56f667211f8a97b3d4c3d467150794690dc40a" dependencies = [ "proc-macro2", ] @@ -2105,9 +2105,9 @@ dependencies = [ [[package]] name = "rustls" -version = "0.23.35" +version = "0.23.36" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "533f54bc6a7d4f647e46ad909549eda97bf5afc1585190ef692b4286b198bd8f" +checksum = "c665f33d38cea657d9614f766881e4d510e0eda4239891eea56b4cadcf01801b" dependencies = [ "log", "once_cell", @@ -2262,9 +2262,9 @@ dependencies = [ [[package]] name = "serde_json" -version = "1.0.148" +version = "1.0.149" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3084b546a1dd6289475996f182a22aba973866ea8e8b02c51d9f46b1336a22da" +checksum = "83fc039473c5595ace860d8c4fafa220ff474b3fc6bfdb4293327f1a37e94d86" dependencies = [ "itoa", "memchr", @@ -2396,9 +2396,9 @@ checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292" [[package]] name = "syn" -version = "2.0.112" +version = "2.0.113" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "21f182278bf2d2bcb3c88b1b08a37df029d71ce3d3ae26168e3c653b213b99d4" +checksum = "678faa00651c9eb72dd2020cbdf275d92eccb2400d568e419efdd64838145cb4" dependencies = [ "proc-macro2", "quote", 
@@ -2550,9 +2550,9 @@ dependencies = [ [[package]] name = "tokio" -version = "1.48.0" +version = "1.49.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ff360e02eab121e0bc37a2d3b4d4dc622e6eda3a8e5253d5435ecf5bd4c68408" +checksum = "72a2903cd7736441aac9df9d7688bd0ce48edccaadf181c3b90be801e81d3d86" dependencies = [ "bytes", "libc", @@ -2587,9 +2587,9 @@ dependencies = [ [[package]] name = "tokio-stream" -version = "0.1.17" +version = "0.1.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "eca58d7bba4a75707817a2c44174253f9236b2d5fbd055602e9d5c07c139a047" +checksum = "32da49809aab5c3bc678af03902d4ccddea2a87d028d86392a4b1560c6906c70" dependencies = [ "futures-core", "pin-project-lite", @@ -2598,9 +2598,9 @@ dependencies = [ [[package]] name = "tokio-util" -version = "0.7.17" +version = "0.7.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2efa149fe76073d6e8fd97ef4f4eca7b67f599660115591483572e406e165594" +checksum = "9ae9cec805b01e8fc3fd2fe289f89149a9b66dd16786abd8b19cfa7b48cb0098" dependencies = [ "bytes", "futures-core", @@ -2826,9 +2826,9 @@ checksum = "562d481066bde0658276a35467c4af00bdc6ee726305698a55b86e61d7ad82bb" [[package]] name = "unicase" -version = "2.8.1" +version = "2.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "75b844d17643ee918803943289730bec8aac480150456169e647ed0b576ba539" +checksum = "dbc4bc3a9f746d862c45cb89d705aa10f187bb96c76001afab07a0d35ce60142" [[package]] name = "unicode-ident" @@ -2987,9 +2987,9 @@ checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1" [[package]] name = "url" -version = "2.5.7" +version = "2.5.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "08bc136a29a3d1758e07a9cca267be308aeebf5cfd5a10f3f67ab2097683ef5b" +checksum = "ff67a8a4397373c3ef660812acab3268222035010ab8680ec4215f38ba3d0eed" dependencies = [ "form_urlencoded", "idna", 
@@ -3528,6 +3528,6 @@ dependencies = [ [[package]] name = "zmij" -version = "1.0.7" +version = "1.0.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "de9211a9f64b825911bdf0240f58b7a8dac217fe260fc61f080a07f61372fbd5" +checksum = "2fc5a66a20078bf1251bde995aa2fdcc4b800c70b5d92dd2c62abc5c60f679f8" diff --git a/Cargo.toml b/Cargo.toml index 8af13efc..f7fa8175 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -8,7 +8,7 @@ axum = "0.8" base64 = "0.22" clap = { version = "4.5", features = ["derive", "env"] } defguard_version = { git = "https://github.com/DefGuard/defguard.git", rev = "640bae9a0aea1e11395f0a29fb8c84eeefd7f115" } -defguard_wireguard_rs = { git = "https://github.com/DefGuard/wireguard-rs", rev = "c00280c868bd12cccc6c50202a80244f3c3832e1" } +defguard_wireguard_rs = { git = "https://github.com/DefGuard/wireguard-rs", rev = "6444a4e31336c4cdbb18dcb5af07f59ad6ce57ab" } env_logger = "0.11" gethostname = "1.0" ipnetwork = "0.21" diff --git a/src/config.rs b/src/config.rs index 7bb00509..c299aa87 100644 --- a/src/config.rs +++ b/src/config.rs @@ -120,6 +120,9 @@ pub struct Config { #[arg(long, env = "DEFGUARD_HTTP_BIND_ADDRESS")] pub http_bind_address: Option, + + #[arg(long, env = "DEFGUARD_FWMARK")] + pub fwmark: Option, } impl Config { @@ -155,6 +158,7 @@ impl Default for Config { fw_priority: None, disable_firewall_management: false, http_bind_address: None, + fwmark: None, } } } diff --git a/src/enterprise/firewall/api.rs b/src/enterprise/firewall/api.rs index 15b29691..fb80c280 100644 --- a/src/enterprise/firewall/api.rs +++ b/src/enterprise/firewall/api.rs 
@@ -6,7 +6,15 @@ use nftnl::Batch; use super::{FirewallError, FirewallRule, Policy, SnatBinding}; -#[cfg(any(target_os = "freebsd", target_os = "macos", target_os = "netbsd"))] +#[cfg(all( + test, + any(target_os = "freebsd", target_os = "macos", target_os = "netbsd") +))] +const DEV_PF: &str = "/dev/null"; +#[cfg(all( + not(test), + any(target_os = "freebsd", target_os = "macos", target_os = "netbsd") +))] const DEV_PF: &str = "/dev/pf"; #[allow(dead_code)] diff --git a/src/gateway.rs b/src/gateway.rs index eee594f1..6deb0ba3 100644 --- a/src/gateway.rs +++ b/src/gateway.rs @@ -297,10 +297,10 @@ impl Gateway { debug!( "Received configuration is different than the current one. Reconfiguring interface." ); - self.wgapi - .lock() - .unwrap() - .configure_interface(&new_configuration.clone().into())?; + let mut config = + defguard_wireguard_rs::InterfaceConfiguration::from(new_configuration.clone()); + config.fwmark = self.config.fwmark; + self.wgapi.lock().unwrap().configure_interface(&config)?; info!( "Reconfigured WireGuard interface {} (addresses: {:?})", new_configuration.name, new_configuration.addresses diff --git a/src/lib.rs b/src/lib.rs index 5eb1e1c2..99f5f355 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -21,7 +21,7 @@ extern crate log; use std::{process::Command, str::FromStr, time::SystemTime}; use config::Config; -use defguard_wireguard_rs::{InterfaceConfiguration, host::Peer, net::IpAddrMask}; +use defguard_wireguard_rs::{InterfaceConfiguration, net::IpAddrMask, peer::Peer}; use error::GatewayError; use syslog::{BasicLogger, Facility, Formatter3164}; @@ -102,6 +102,7 @@ impl From for InterfaceConfiguration { port: config.port as u16, peers, mtu: None, + fwmark: None, } } } From 8d3c026d94ceed9834f2d86edaf6406af84425b8 Mon Sep 17 00:00:00 2001 
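Review bot: The new test-only `const DEV_PF: &str = "/dev/null";` in src/enterprise/firewall/api.rs has no comment explaining why the device path differs under `cfg(test)`, and the change is unrelated to the commit subject. Presumably it keeps unit tests from opening the real packet-filter device, which would need privileges and could touch host firewall state. If so, say it above the constant, e.g. `// Test builds must not open the real pf device; use a harmless placeholder path.` It is also worth confirming that no test treats a call through this path as proof that rules were applied, since pf itself is never exercised in test builds.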
From: =?UTF-8?q?Adam=20Ciarcin=CC=81ski?= Date: Wed, 7 Jan 2026 15:53:42 +0100 Subject: [PATCH 2/2] Use MTU and FwMark from Core --- Cargo.lock | 4 ++-- proto | 2 +- src/config.rs | 4 ---- src/gateway.rs | 12 ++++++++++-- src/lib.rs | 4 ++-- 5 files changed, 15 insertions(+), 11 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 401b3eb8..ebeca164 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2396,9 +2396,9 @@ checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292" [[package]] name = "syn" -version = "2.0.113" +version = "2.0.114" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "678faa00651c9eb72dd2020cbdf275d92eccb2400d568e419efdd64838145cb4" +checksum = "d4d107df263a3013ef9b1879b0df87d706ff80f65a86ea879bd9c31f9b307c2a" dependencies = [ "proc-macro2", "quote", diff --git a/proto b/proto index 7137ff12..c4291c96 160000 --- a/proto +++ b/proto @@ -1 +1 @@ -Subproject commit 7137ff12807ab8fd807e2439d0812f1d2a5f5055 +Subproject commit c4291c96beab42ab720008d996392c5bb1ea21c1 diff --git a/src/config.rs b/src/config.rs index c299aa87..7bb00509 100644 --- a/src/config.rs +++ b/src/config.rs @@ -120,9 +120,6 @@ pub struct Config { #[arg(long, env = "DEFGUARD_HTTP_BIND_ADDRESS")] pub http_bind_address: Option, - - #[arg(long, env = "DEFGUARD_FWMARK")] - pub fwmark: Option, } impl Config { @@ -158,7 +155,6 @@ impl Default for Config { fw_priority: None, disable_firewall_management: false, http_bind_address: None, - fwmark: None, } } } diff --git a/src/gateway.rs b/src/gateway.rs index 6deb0ba3..e1d84413 100644 --- a/src/gateway.rs +++ b/src/gateway.rs @@ -46,6 +46,8 @@ struct InterfaceConfiguration { prvkey: String, addresses: Vec, port: u16, + mtu: Option, + fwmark: Option, } impl From for InterfaceConfiguration { @@ -61,6 +63,8 @@ impl From for InterfaceConfiguration { prvkey: config.prvkey, addresses, port: config.port as u16, + mtu: config.mtu, + fwmark: config.fwmark, } } } 
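Review bot: `mtu: config.mtu` and `fwmark: config.fwmark` in the `From` impl in src/gateway.rs (hunk @@ -61) copy values received from Core into the interface configuration with no range check; the same applies in src/lib.rs @@ -101, which builds the value passed to `configure_interface`. Because this commit also removes the local `--fwmark` / `DEFGUARD_FWMARK` option, the mark that host routing and filter rules match on is now decided entirely by the remote side, so a misconfigured or compromised Core can change how the gateway's WireGuard traffic is routed. Validate before applying and log when a value is rejected, for example `mtu: config.mtu.filter(|m| (MIN_MTU..=MAX_MTU).contains(m)),` where `MIN_MTU` and `MAX_MTU` are placeholder constants to be defined, and document which marks the gateway accepts. The adjacent `port: config.port as u16` already truncates silently, and the same validation step could cover it. The `From` impl starts outside the hunk and the field types are not visible here.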
@@ -297,9 +301,9 @@ impl Gateway { debug!( "Received configuration is different than the current one. Reconfiguring interface." ); - let mut config = + let config = defguard_wireguard_rs::InterfaceConfiguration::from(new_configuration.clone()); - config.fwmark = self.config.fwmark; + self.wgapi.lock().unwrap().configure_interface(&config)?; info!( "Reconfigured WireGuard interface {} (addresses: {:?})", @@ -743,6 +747,8 @@ mod tests { prvkey: "FGqcPuaSlGWC2j50TBA4jHgiefPgQQcgTNLwzKUzBS8=".to_string(), addresses: vec!["10.6.1.1/24".parse().unwrap()], port: 50051, + mtu: None, + fwmark: None, }; let old_peers = vec![ @@ -790,6 +796,8 @@ mod tests { prvkey: "FGqcPuaSlGWC2j50TBA4jHgiefPgQQcgTNLwzKUzBS8=".to_string(), addresses: vec!["10.6.1.2/24".parse().unwrap()], port: 50051, + mtu: None, + fwmark: None, }; let new_peers = old_peers.clone(); assert!(gateway.is_interface_config_changed(&new_config, &new_peers)); diff --git a/src/lib.rs b/src/lib.rs index 99f5f355..1030ab61 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -101,8 +101,8 @@ impl From for InterfaceConfiguration { addresses, port: config.port as u16, peers, - mtu: None, - fwmark: None, + mtu: config.mtu, + fwmark: config.fwmark, } } }
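Review bot: The two test fixtures in src/gateway.rs (hunks @@ -743 and @@ -790) only gain `mtu: None, fwmark: None`, so nothing checks that a change in either new field alone is detected by `is_interface_config_changed`. If that comparison lists fields explicitly rather than using derived equality (its body is outside these hunks), a new mark or MTU pushed by Core would be ignored and the interface would keep the old value. Add a case that differs from the old configuration only in one of them, e.g. `fwmark: Some(1),` (constructed sample value), and assert the function returns true. The test function starts and ends outside the hunks.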