Use new wireguard-rs API with BoringTun (#220)

Author: moubctez

Cargo.lock

@@ -1,14 +1,14 @@
 [package]
 name = "defguard-gateway"
 version = "1.6.0"
-edition = "2021"
+edition = "2024"
 
 [dependencies]
 defguard_version = { git = "https://github.com/DefGuard/defguard.git", rev = "8649a9ba225d7bd2066a09c9e1347705c34bd158" }
 axum = "0.8"
 base64 = "0.22"
 clap = { version = "4.5", features = ["derive", "env"] }
-defguard_wireguard_rs = "0.7.7"
+defguard_wireguard_rs = { git = "https://github.com/DefGuard/wireguard-rs", rev = "0db4ea7bf4a6bd21c449f9ab8fa6676aebf4698f" }
 env_logger = "0.11"
 gethostname = "1.0"
 ipnetwork = "0.21"

Cargo.toml

@@ -88,6 +88,7 @@ allow = [
     "Apache-2.0",
     "Apache-2.0 WITH LLVM-exception",
     "MPL-2.0",
+    "BSD-2-Clause",
     "BSD-3-Clause",
     "Unicode-3.0",
     "Unicode-DFS-2016",               # unicode-ident

deny.toml

@@ -1,6 +1,6 @@
 use std::{
     collections::HashMap,
-    io::{stdout, Write},
+    io::{Write, stdout},
     net::{IpAddr, Ipv4Addr, SocketAddr},
     sync::{Arc, Mutex},
 };
@@ -19,7 +19,7 @@ use tokio::{
     },
 };
 use tokio_stream::wrappers::UnboundedReceiverStream;
-use tonic::{transport::Server, Request, Response, Status, Streaming};
+use tonic::{Request, Response, Status, Streaming, transport::Server};
 
 pub struct HostConfig {
     name: String,

examples/server.rs

@@ -37,7 +37,7 @@ impl FirewallApi {
 pub(crate) trait FirewallManagementApi {
     /// Set up the firewall with `default_policy`, `priority`, and cleans up any existing rules.
     fn setup(&mut self, default_policy: Policy, priority: Option<i32>)
-        -> Result<(), FirewallError>;
+    -> Result<(), FirewallError>;
 
     /// Clean up the firewall rules.
     fn cleanup(&mut self) -> Result<(), FirewallError>;

src/enterprise/firewall/api.rs

@@ -189,11 +189,7 @@ pub(crate) enum Policy {
 
 impl From<bool> for Policy {
     fn from(allow: bool) -> Self {
-        if allow {
-            Self::Allow
-        } else {
-            Self::Deny
-        }
+        if allow { Self::Allow } else { Self::Deny }
     }
 }
 

src/enterprise/firewall/mod.rs

@@ -12,9 +12,9 @@ use netfilter::{
 use nftnl::Batch;
 
 use super::{
+    Address, FirewallError, FirewallRule, Policy, Port, Protocol, SnatBinding,
     api::{FirewallApi, FirewallManagementApi},
     iprange::IpAddrRangeError,
-    Address, FirewallError, FirewallRule, Policy, Port, Protocol, SnatBinding,
 };
 use crate::enterprise::firewall::iprange::IpAddrRange;
 
@@ -273,7 +273,9 @@ impl FirewallManagementApi for FirewallApi {
         masquerade_enabled: bool,
         snat_bindings: &[SnatBinding],
     ) -> Result<(), FirewallError> {
-        debug!("Setting up POSTROUTING chain rules with masquerade status: {masquerade_enabled} and SNAT bindings: {snat_bindings:?}");
+        debug!(
+            "Setting up POSTROUTING chain rules with masquerade status: {masquerade_enabled} and SNAT bindings: {snat_bindings:?}"
+        );
 
         if let Some(batch) = &mut self.batch {
             set_nat_rules(batch, &self.ifname, masquerade_enabled, snat_bindings)?;

src/enterprise/firewall/nftables/mod.rs

@@ -4,14 +4,14 @@ use std::{
 };
 
 use nftnl::{
+    Batch, Chain, FinalizedBatch, ProtoFamily, Rule, Table,
     expr::{Expression, Immediate, InterfaceName, Nat, NatType, Register},
     nft_expr, nftnl_sys,
     set::{Set, SetKey},
-    Batch, Chain, FinalizedBatch, ProtoFamily, Rule, Table,
 };
 
-use super::{get_set_id, Address, FilterRule, Policy, Port, Protocol, State};
-use crate::enterprise::firewall::{iprange::IpAddrRange, max_address, FirewallError, SnatBinding};
+use super::{Address, FilterRule, Policy, Port, Protocol, State, get_set_id};
+use crate::enterprise::firewall::{FirewallError, SnatBinding, iprange::IpAddrRange, max_address};
 
 const FILTER_TABLE: &str = "filter";
 const NAT_TABLE: &str = "nat";
@@ -98,7 +98,7 @@ fn add_address_to_set(set: *mut nftnl_sys::nftnl_set, ip: &Address) -> Result<()
                     return Err(FirewallError::InvalidConfiguration(format!(
                         "Expected both addresses to be of the same type, got {net:?} and \
                         {upper_bound:?}",
-                    )))
+                    )));
                 }
             }
         }
@@ -308,29 +308,26 @@ impl FirewallRule for FilterRule<'_> {
             // 1 Protocol
             // > 0 Ports
             else if !self.dest_ports.is_empty() {
-                if let Some(protocol) = self.protocols.first() {
-                    if protocol.supports_ports() {
-                        let set = new_anon_set::<InetService>(
-                            chain.get_table(),
-                            ProtoFamily::Inet,
-                            true,
-                        )?;
-                        batch.add(&set, nftnl::MsgType::Add);
-
-                        for port in self.dest_ports {
-                            add_port_to_set(set.as_ptr(), port)?;
-                        }
-
-                        // <protocol> dport {x, x-x}
-                        set.elems_iter().for_each(|elem| {
-                            batch.add(&elem, nftnl::MsgType::Add);
-                        });
-
-                        rule.add_expr(&nft_expr!(meta l4proto));
-                        rule.add_expr(&nft_expr!(cmp == *protocol as u8));
-                        rule.add_expr(protocol.as_port_payload_expr()?);
-                        rule.add_expr(&nft_expr!(lookup & set));
+                if let Some(protocol) = self.protocols.first()
+                    && protocol.supports_ports()
+                {
+                    let set =
+                        new_anon_set::<InetService>(chain.get_table(), ProtoFamily::Inet, true)?;
+                    batch.add(&set, nftnl::MsgType::Add);
+
+                    for port in self.dest_ports {
+                        add_port_to_set(set.as_ptr(), port)?;
                     }
+
+                    // <protocol> dport {x, x-x}
+                    set.elems_iter().for_each(|elem| {
+                        batch.add(&elem, nftnl::MsgType::Add);
+                    });
+
+                    rule.add_expr(&nft_expr!(meta l4proto));
+                    rule.add_expr(&nft_expr!(cmp == *protocol as u8));
+                    rule.add_expr(protocol.as_port_payload_expr()?);
+                    rule.add_expr(&nft_expr!(lookup & set));
                 }
 
                 debug!(
@@ -876,7 +873,7 @@ pub(crate) fn send_batch(batch: &FinalizedBatch) -> Result<(), FirewallError> {
             Err(err) => {
                 return Err(FirewallError::NetlinkError(format!(
                     "There was an error while sending netlink messages: {err:?}"
-                )))
+                )));
             }
         };
     }

src/enterprise/firewall/nftables/netfilter.rs

@@ -1,13 +1,13 @@
 use std::os::fd::AsRawFd;
 
 use super::{
-    calls::{pf_begin, pf_commit, pf_rollback, IocTrans, IocTransElement},
-    rule::RuleSet,
     FirewallRule,
+    calls::{IocTrans, IocTransElement, pf_begin, pf_commit, pf_rollback},
+    rule::RuleSet,
 };
 use crate::enterprise::firewall::{
-    api::{FirewallApi, FirewallManagementApi},
     FirewallError, Policy, SnatBinding,
+    api::{FirewallApi, FirewallManagementApi},
 };
 
 impl FirewallManagementApi for FirewallApi {

src/enterprise/firewall/packetfilter/api.rs

@@ -3,12 +3,12 @@
 use std::{
     ffi::{c_char, c_int, c_long, c_uchar, c_uint, c_ulong, c_ushort, c_void},
     fmt,
-    mem::{size_of, zeroed, MaybeUninit},
+    mem::{MaybeUninit, size_of, zeroed},
     ptr,
 };
 
 use ipnetwork::IpNetwork;
-use libc::{pid_t, uid_t, IFNAMSIZ};
+use libc::{IFNAMSIZ, pid_t, uid_t};
 use nix::{ioctl_none, ioctl_readwrite};
 
 use super::rule::{Action, AddressFamily, Direction, PacketFilterRule, RuleSet, State};