Flush interface on BSD (#92)

Adam · web-flow · commit d090d2249e5b · 2025-06-30T15:06:05.000+02:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "defguard_wireguard_rs"
-version = "0.7.4"
+version = "0.7.5"
 edition = "2021"
 rust-version = "1.80"
 description = "A unified multi-platform high-level API for managing WireGuard interfaces"
diff --git a/src/bsd/mod.rs b/src/bsd/mod.rs
@@ -6,7 +6,12 @@ mod timespec;
 mod wgio;
 
 use std::{
-    collections::HashMap, ffi::CString, mem::size_of, net::IpAddr, os::fd::OwnedFd, ptr::from_ref,
+    collections::HashMap,
+    ffi::{CStr, CString},
+    mem::{size_of, MaybeUninit},
+    net::IpAddr,
+    os::fd::OwnedFd,
+    ptr::from_ref,
     slice::from_raw_parts,
 };
 
@@ -15,7 +20,7 @@ use nix::{
     sys::socket::{socket, AddressFamily, SockFlag, SockType},
 };
 use route::{DestAddrMask, GatewayLink};
-use sockaddr::{SockAddrDl, SockAddrIn, SockAddrIn6};
+use sockaddr::{SockAddrDl, SockAddrIn, SockAddrIn6, SocketFromRaw};
 use thiserror::Error;
 
 use self::{
@@ -32,6 +37,13 @@ use crate::{
     IpVersion, Key, WireguardInterfaceError,
 };
 
+// Note: these values differ across different platforms.
+const AF_INET: u8 = libc::AF_INET as u8;
+const AF_INET6: u8 = libc::AF_INET6 as u8;
+const AF_LINK: u8 = libc::AF_LINK as u8;
+const SA_IN_SIZE: u8 = size_of::<SockAddrIn>() as u8;
+const SA_IN6_SIZE: u8 = size_of::<SockAddrIn6>() as u8;
+
 // nvlist key names
 static NV_LISTEN_PORT: &str = "listen-port";
 static NV_FWMARK: &str = "user-cookie";
@@ -370,6 +382,62 @@ pub fn remove_address(if_name: &str, address: &IpAddrMask) -> Result<(), IoError
     }
 }
 
+pub fn flush_interface(if_name: &str) -> Result<(), IoError> {
+    let ifname_c = CString::new(if_name).unwrap();
+    let mut addr_to_remove = Vec::new();
+
+    let mut addrs = MaybeUninit::<*mut libc::ifaddrs>::uninit();
+    let errno = unsafe { libc::getifaddrs(addrs.as_mut_ptr()) };
+    if errno == 0 {
+        let addrs = unsafe { addrs.assume_init() };
+        let mut addr = addrs;
+        while !addr.is_null() {
+            unsafe {
+                let name = CStr::from_ptr((*addr).ifa_name);
+                if name == ifname_c.as_c_str() {
+                    let ifa_addr = (*addr).ifa_addr;
+                    if ifa_addr.is_null() {
+                        continue;
+                    }
+                    // Convert `ifa_addr` to `IpAddr`.
+                    // Note: `ifa_addr` is actually `sockaddr_in` or `sockaddr_in6` depending on
+                    // `sa_len` and `sa_family`.
+                    if (*ifa_addr).sa_len == SA_IN_SIZE && (*ifa_addr).sa_family == AF_INET {
+                        if let Some(sockaddr) = SockAddrIn::from_raw(ifa_addr) {
+                            addr_to_remove.push(sockaddr.ip_addr());
+                        }
+                    } else if (*ifa_addr).sa_len == SA_IN6_SIZE
+                        && (*ifa_addr).sa_family == libc::AF_INET6 as u8
+                    {
+                        if let Some(sockaddr) = SockAddrIn6::from_raw(ifa_addr) {
+                            addr_to_remove.push(sockaddr.ip_addr());
+                        }
+                    }
+                }
+                addr = (*addr).ifa_next;
+            };
+        }
+        unsafe { libc::freeifaddrs(addrs) };
+    } else {
+        debug!("getifaddrs returned {errno}");
+    }
+
+    for address in addr_to_remove {
+        match address {
+            IpAddr::V4(address) => {
+                let ifreq = IfReq::new_with_address(if_name, address);
+                ifreq.delete_address()?;
+            }
+            IpAddr::V6(address) => {
+                let ifreq6 = IfReq6::new_with_address(if_name, address);
+                ifreq6.delete_address()?;
+            }
+        }
+    }
+
+    Ok(())
+}
+
 pub fn get_mtu(if_name: &str) -> Result<u32, IoError> {
     let mut ifmtu = IfMtu::new(if_name);
     ifmtu.get_mtu()
diff --git a/src/bsd/route.rs b/src/bsd/route.rs
@@ -1,4 +1,5 @@
 use std::{
+    ffi::{CStr, CString},
     mem::{size_of, MaybeUninit},
     net::IpAddr,
     os::fd::{AsFd, AsRawFd},
@@ -214,14 +215,15 @@ pub(super) struct GatewayLink<S> {
 
 /// Get an address for a given interface. First address is returned.
 fn if_addr<S: SocketFromRaw>(if_name: &str) -> Option<S> {
+    let ifname_c = CString::new(if_name).unwrap();
     let mut addrs = MaybeUninit::<*mut libc::ifaddrs>::uninit();
     let errno = unsafe { libc::getifaddrs(addrs.as_mut_ptr()) };
     if errno == 0 {
         let addrs = unsafe { addrs.assume_init() };
         let mut addr = addrs;
         while !addr.is_null() {
-            let name = unsafe { std::ffi::CStr::from_ptr((*addr).ifa_name) };
-            if name.to_str().unwrap() == if_name {
+            let name = unsafe { CStr::from_ptr((*addr).ifa_name) };
+            if name == ifname_c.as_c_str() {
                 if let Some(sockaddr) = unsafe { S::from_raw((*addr).ifa_addr) } {
                     return Some(sockaddr);
                 }
diff --git a/src/bsd/sockaddr.rs b/src/bsd/sockaddr.rs
@@ -1,18 +1,11 @@
 //! Convert binary `sockaddr_in` or `sockaddr_in6` (see netinet/in.h) to `SocketAddr`.
 use std::{
     mem::{size_of, zeroed},
-    net::{Ipv4Addr, Ipv6Addr, SocketAddr, SocketAddrV4, SocketAddrV6},
+    net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr, SocketAddrV4, SocketAddrV6},
     ptr::{copy, from_mut},
 };
 
-use super::{cast_bytes, cast_ref};
-
-// Note: these values differ across different platforms.
-const AF_INET: u8 = libc::AF_INET as u8;
-const AF_INET6: u8 = libc::AF_INET6 as u8;
-const AF_LINK: u8 = libc::AF_LINK as u8;
-const SA_IN_SIZE: u8 = size_of::<SockAddrIn>() as u8;
-const SA_IN6_SIZE: u8 = size_of::<SockAddrIn6>() as u8;
+use super::{cast_bytes, cast_ref, AF_INET, AF_INET6, AF_LINK, SA_IN6_SIZE, SA_IN_SIZE};
 
 pub(super) trait SocketFromRaw {
     unsafe fn from_raw(addr: *const libc::sockaddr) -> Option<Self>
@@ -30,6 +23,13 @@ pub(super) struct SockAddrIn {
     zero: [u8; 8],
 }
 
+impl SockAddrIn {
+    #[must_use]
+    pub(super) fn ip_addr(&self) -> IpAddr {
+        IpAddr::from(self.addr)
+    }
+}
+
 impl SocketFromRaw for SockAddrIn {
     /// Construct `SockAddrIn` from `libc::sockaddr`.
     unsafe fn from_raw(addr: *const libc::sockaddr) -> Option<Self> {
@@ -117,6 +117,11 @@ impl SockAddrIn6 {
             scope_id: 0,
         }
     }
+
+    #[must_use]
+    pub(super) fn ip_addr(&self) -> IpAddr {
+        IpAddr::from(self.addr)
+    }
 }
 
 impl SocketFromRaw for SockAddrIn6 {
diff --git a/src/wgapi_freebsd.rs b/src/wgapi_freebsd.rs
@@ -64,6 +64,17 @@ impl WireguardInterfaceApi for WGApi<Kernel> {
             self.ifname
         );
 
+        // Flush all IP addresses from WireGuard interface.
+        debug!(
+            "Flushing all existing IP addresses from interface {} before assigning a new one",
+            self.ifname
+        );
+        bsd::flush_interface(&self.ifname)?;
+        debug!(
+            "All existing IP addresses flushed from interface {}",
+            self.ifname
+        );
+
         // Assign IP address to the interface.
         for address in &config.addresses {
             self.assign_address(address)?;
diff --git a/src/wgapi_linux.rs b/src/wgapi_linux.rs
@@ -39,7 +39,7 @@ impl WireguardInterfaceApi for WGApi<Kernel> {
             self.ifname
         );
 
-        // flush all IP addresses
+        // Flush all IP addresses from WireGuard interface.
         debug!(
             "Flushing all existing IP addresses from interface {} before assigning a new one",
             self.ifname
