@sourceregistry/node-wireguard 1.0.0

package/src/netlink/RtLink.cpp

@@ -0,0 +1,217 @@
+#include "RtLink.h"
+#include "../helpers/AsyncPromise.h"
+#include "../helpers/IfName.h"
+#include "NlAttr.h"
+
+#include <arpa/inet.h>
+#include <cerrno>
+#include <cstring>
+#include <dirent.h>
+#include <net/if.h>
+#include <netinet/in.h>
+#include <sys/stat.h>
+#include <vector>
+
+extern "C" {
+#include <libmnl/libmnl.h>
+#include <linux/if_addr.h>
+#include <linux/if_link.h>
+#include <linux/rtnetlink.h>
+}
+
+namespace netlink {
+
+namespace {
+
+const size_t kBufSize = MNL_SOCKET_BUFFER_SIZE;
+
+// Opens a short-lived NETLINK_ROUTE socket, sends `nlh`, and waits for the ack.
+// Throws helpers::SystemError on any netlink-reported or syscall errno.
+void SendRtRequestAndWaitAck(struct nlmsghdr *nlh) {
+    struct mnl_socket *sock = mnl_socket_open(NETLINK_ROUTE);
+    if (!sock) {
+        throw helpers::SystemError(errno, std::string("mnl_socket_open: ") + std::strerror(errno));
+    }
+    if (mnl_socket_bind(sock, 0, MNL_SOCKET_AUTOPID) < 0) {
+        int err = errno;
+        mnl_socket_close(sock);
+        throw helpers::SystemError(err, std::string("mnl_socket_bind: ") + std::strerror(err));
+    }
+
+    uint32_t portid = mnl_socket_get_portid(sock);
+
+    if (mnl_socket_sendto(sock, nlh, nlh->nlmsg_len) < 0) {
+        int err = errno;
+        mnl_socket_close(sock);
+        throw helpers::SystemError(err, std::string("mnl_socket_sendto: ") + std::strerror(err));
+    }
+
+    std::vector<char> buf(kBufSize);
+    ssize_t ret = mnl_socket_recvfrom(sock, buf.data(), buf.size());
+    mnl_socket_close(sock);
+
+    if (ret < 0) {
+        throw helpers::SystemError(errno, std::string("mnl_socket_recvfrom: ") + std::strerror(errno));
+    }
+
+    auto *replyHdr = reinterpret_cast<struct nlmsghdr *>(buf.data());
+    if (replyHdr->nlmsg_seq != nlh->nlmsg_seq || replyHdr->nlmsg_pid != portid) {
+        throw helpers::SystemError(EIO, "unexpected netlink reply (seq/pid mismatch)");
+    }
+    if (replyHdr->nlmsg_type == NLMSG_ERROR) {
+        auto *err = static_cast<struct nlmsgerr *>(mnl_nlmsg_get_payload(replyHdr));
+        if (err->error != 0) {
+            int code = -err->error;
+            throw helpers::SystemError(code, std::string("rtnetlink error: ") + std::strerror(code));
+        }
+    }
+}
+
+} // namespace
+
+void CreateWireGuardLink(const std::string &name) {
+    helpers::ValidateIfName(name);
+    if (if_nametoindex(name.c_str()) != 0) {
+        throw helpers::SystemError(EEXIST, "interface already exists: " + name);
+    }
+
+    std::vector<char> buf(kBufSize);
+    auto *nlh = mnl_nlmsg_put_header(buf.data());
+    nlh->nlmsg_type = RTM_NEWLINK;
+    nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | NLM_F_CREATE | NLM_F_EXCL;
+    nlh->nlmsg_seq = static_cast<unsigned int>(time(nullptr));
+
+    auto *ifi = static_cast<struct ifinfomsg *>(mnl_nlmsg_put_extra_header(nlh, sizeof(struct ifinfomsg)));
+    ifi->ifi_family = AF_UNSPEC;
+    ifi->ifi_change = 0xFFFFFFFF;
+
+    mnl_attr_put_strz(nlh, IFLA_IFNAME, name.c_str());
+
+    struct nlattr *linkinfo = mnl_attr_nest_start(nlh, IFLA_LINKINFO);
+    mnl_attr_put_strz(nlh, IFLA_INFO_KIND, "wireguard");
+    mnl_attr_nest_end(nlh, linkinfo);
+
+    SendRtRequestAndWaitAck(nlh);
+}
+
+void DeleteLink(const std::string &name) {
+    helpers::ValidateIfName(name);
+    unsigned int ifindex = if_nametoindex(name.c_str());
+    if (ifindex == 0) {
+        throw helpers::SystemError(ENODEV, "no such interface: " + name);
+    }
+
+    std::vector<char> buf(kBufSize);
+    auto *nlh = mnl_nlmsg_put_header(buf.data());
+    nlh->nlmsg_type = RTM_DELLINK;
+    nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
+    nlh->nlmsg_seq = static_cast<unsigned int>(time(nullptr));
+
+    auto *ifi = static_cast<struct ifinfomsg *>(mnl_nlmsg_put_extra_header(nlh, sizeof(struct ifinfomsg)));
+    ifi->ifi_family = AF_UNSPEC;
+    ifi->ifi_index = static_cast<int>(ifindex);
+
+    SendRtRequestAndWaitAck(nlh);
+}
+
+void SetLinkUp(const std::string &name, bool up) {
+    helpers::ValidateIfName(name);
+    unsigned int ifindex = if_nametoindex(name.c_str());
+    if (ifindex == 0) {
+        throw helpers::SystemError(ENODEV, "no such interface: " + name);
+    }
+
+    std::vector<char> buf(kBufSize);
+    auto *nlh = mnl_nlmsg_put_header(buf.data());
+    nlh->nlmsg_type = RTM_NEWLINK;
+    nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
+    nlh->nlmsg_seq = static_cast<unsigned int>(time(nullptr));
+
+    auto *ifi = static_cast<struct ifinfomsg *>(mnl_nlmsg_put_extra_header(nlh, sizeof(struct ifinfomsg)));
+    ifi->ifi_family = AF_UNSPEC;
+    ifi->ifi_index = static_cast<int>(ifindex);
+    ifi->ifi_change = IFF_UP;
+    ifi->ifi_flags = up ? IFF_UP : 0;
+
+    SendRtRequestAndWaitAck(nlh);
+}
+
+namespace {
+void BuildAddrRequest(std::vector<char> &buf, uint16_t msgType, uint16_t flags, unsigned int ifindex,
+                      const wg::AllowedIP &addr) {
+    auto *nlh = mnl_nlmsg_put_header(buf.data());
+    nlh->nlmsg_type = msgType;
+    nlh->nlmsg_flags = flags;
+    nlh->nlmsg_seq = static_cast<unsigned int>(time(nullptr));
+
+    auto *ifa = static_cast<struct ifaddrmsg *>(mnl_nlmsg_put_extra_header(nlh, sizeof(struct ifaddrmsg)));
+    ifa->ifa_family = addr.family;
+    ifa->ifa_prefixlen = addr.cidr;
+    ifa->ifa_flags = 0;
+    ifa->ifa_scope = 0;
+    ifa->ifa_index = ifindex;
+
+    if (addr.family == AF_INET6) {
+        in6_addr raw{};
+        inet_pton(AF_INET6, addr.ip.c_str(), &raw);
+        mnl_attr_put(nlh, IFA_LOCAL, sizeof(raw), &raw);
+        mnl_attr_put(nlh, IFA_ADDRESS, sizeof(raw), &raw);
+    } else {
+        in_addr raw{};
+        inet_pton(AF_INET, addr.ip.c_str(), &raw);
+        mnl_attr_put(nlh, IFA_LOCAL, sizeof(raw), &raw);
+        mnl_attr_put(nlh, IFA_ADDRESS, sizeof(raw), &raw);
+    }
+}
+} // namespace
+
+void AddAddress(const std::string &name, const std::string &cidr) {
+    helpers::ValidateIfName(name);
+    unsigned int ifindex = if_nametoindex(name.c_str());
+    if (ifindex == 0) {
+        throw helpers::SystemError(ENODEV, "no such interface: " + name);
+    }
+    wg::AllowedIP addr = ParseCIDR(cidr);
+
+    std::vector<char> buf(kBufSize);
+    BuildAddrRequest(buf, RTM_NEWADDR, NLM_F_REQUEST | NLM_F_ACK | NLM_F_CREATE | NLM_F_REPLACE, ifindex, addr);
+    SendRtRequestAndWaitAck(reinterpret_cast<struct nlmsghdr *>(buf.data()));
+}
+
+void DeleteAddress(const std::string &name, const std::string &cidr) {
+    helpers::ValidateIfName(name);
+    unsigned int ifindex = if_nametoindex(name.c_str());
+    if (ifindex == 0) {
+        throw helpers::SystemError(ENODEV, "no such interface: " + name);
+    }
+    wg::AllowedIP addr = ParseCIDR(cidr);
+
+    std::vector<char> buf(kBufSize);
+    BuildAddrRequest(buf, RTM_DELADDR, NLM_F_REQUEST | NLM_F_ACK, ifindex, addr);
+    SendRtRequestAndWaitAck(reinterpret_cast<struct nlmsghdr *>(buf.data()));
+}
+
+std::vector<std::string> ListWireGuardInterfaceNames() {
+    std::vector<std::string> names;
+    DIR *dir = opendir("/sys/class/net");
+    if (!dir) {
+        throw helpers::SystemError(errno, std::string("opendir(/sys/class/net): ") + std::strerror(errno));
+    }
+
+    struct dirent *entry;
+    while ((entry = readdir(dir)) != nullptr) {
+        std::string name = entry->d_name;
+        if (name == "." || name == "..") {
+            continue;
+        }
+        struct stat st{};
+        std::string wgMarkerPath = "/sys/class/net/" + name + "/wireguard";
+        if (stat(wgMarkerPath.c_str(), &st) == 0) {
+            names.push_back(name);
+        }
+    }
+    closedir(dir);
+    return names;
+}
+
+} // namespace netlink

package/src/netlink/RtLink.h

@@ -0,0 +1,34 @@
+#pragma once
+
+#include <string>
+#include <vector>
+
+namespace netlink {
+
+// Lists interface names that are WireGuard devices, by checking for the
+// presence of /sys/class/net/<name>/wireguard (exposed by the kernel module
+// for any interface of kind "wireguard") — cheaper than an RTM_GETLINK dump
+// plus IFLA_LINKINFO parsing for the same result.
+std::vector<std::string> ListWireGuardInterfaceNames();
+
+// Issues RTM_NEWLINK with IFLA_INFO_KIND="wireguard" to create a new WireGuard
+// link. Throws helpers::SystemError(EEXIST) if `name` already exists, or other
+// errno on failure (e.g. EPERM if not running as root / missing CAP_NET_ADMIN).
+void CreateWireGuardLink(const std::string &name);
+
+// Issues RTM_DELLINK for `name`. Throws helpers::SystemError(ENODEV) if it
+// doesn't exist.
+void DeleteLink(const std::string &name);
+
+// Brings `name` administratively up (IFF_UP) or down via RTM_NEWLINK.
+// Required for traffic to flow - createDevice() leaves the link down.
+void SetLinkUp(const std::string &name, bool up);
+
+// Assigns a local address ("10.0.0.2/24" or "fd00::2/64") to `name` via
+// RTM_NEWADDR. Replaces any existing address with the same prefix.
+void AddAddress(const std::string &name, const std::string &cidr);
+
+// Removes a previously assigned address via RTM_DELADDR.
+void DeleteAddress(const std::string &name, const std::string &cidr);
+
+} // namespace netlink

package/src/netlink/wireguard_uapi.h

@@ -0,0 +1,68 @@
+#pragma once
+
+// Mirrors the stable kernel UAPI <linux/wireguard.h> generic-netlink protocol
+// (the same wire format wgctrl-go's wglinux backend speaks). Defined locally
+// instead of #include <linux/wireguard.h> so the build doesn't depend on the
+// build host having a sufficiently new kernel-headers package installed —
+// these attribute IDs are part of WireGuard's stable ABI and do not change.
+
+#define WG_GENL_NAME "wireguard"
+#define WG_GENL_VERSION 1
+#define WG_MULTICAST_GROUP_PEERS "peers"
+#define WG_KEY_LEN 32
+
+enum wg_cmd {
+    WG_CMD_GET_DEVICE,
+    WG_CMD_SET_DEVICE,
+    __WG_CMD_MAX
+};
+#define WG_CMD_MAX (__WG_CMD_MAX - 1)
+
+enum wgdevice_flag {
+    WGDEVICE_F_REPLACE_PEERS = 1U << 0,
+};
+
+enum wgdevice_attribute {
+    WGDEVICE_A_UNSPEC,
+    WGDEVICE_A_IFINDEX,     // NLA_U32
+    WGDEVICE_A_IFNAME,      // NLA_NUL_STRING, IFNAMSIZ - 1
+    WGDEVICE_A_PRIVATE_KEY, // NLA_EXACT_LEN, WG_KEY_LEN
+    WGDEVICE_A_PUBLIC_KEY,  // NLA_EXACT_LEN, WG_KEY_LEN
+    WGDEVICE_A_FLAGS,       // NLA_U32
+    WGDEVICE_A_LISTEN_PORT, // NLA_U16
+    WGDEVICE_A_FWMARK,      // NLA_U32
+    WGDEVICE_A_PEERS,       // NLA_NESTED
+    __WGDEVICE_A_LAST
+};
+#define WGDEVICE_A_MAX (__WGDEVICE_A_LAST - 1)
+
+enum wgpeer_flag {
+    WGPEER_F_REMOVE_ME = 1U << 0,
+    WGPEER_F_REPLACE_ALLOWEDIPS = 1U << 1,
+    WGPEER_F_UPDATE_ONLY = 1U << 2,
+};
+
+enum wgpeer_attribute {
+    WGPEER_A_UNSPEC,
+    WGPEER_A_PUBLIC_KEY,                    // NLA_EXACT_LEN, WG_KEY_LEN
+    WGPEER_A_PRESHARED_KEY,                 // NLA_EXACT_LEN, WG_KEY_LEN
+    WGPEER_A_FLAGS,                         // NLA_U32
+    WGPEER_A_ENDPOINT,                      // NLA_MIN_LEN(sockaddr), sockaddr_in/in6
+    WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL, // NLA_U16
+    WGPEER_A_LAST_HANDSHAKE_TIME,           // NLA_EXACT_LEN, __kernel_timespec
+    WGPEER_A_RX_BYTES,                      // NLA_U64
+    WGPEER_A_TX_BYTES,                      // NLA_U64
+    WGPEER_A_ALLOWEDIPS,                    // NLA_NESTED
+    WGPEER_A_PROTOCOL_VERSION,              // NLA_U32
+    __WGPEER_A_LAST
+};
+#define WGPEER_A_MAX (__WGPEER_A_LAST - 1)
+
+enum wgallowedip_attribute {
+    WGALLOWEDIP_A_UNSPEC,
+    WGALLOWEDIP_A_FAMILY,    // NLA_U16, AF_INET or AF_INET6
+    WGALLOWEDIP_A_IPADDR,    // NLA_MIN_LEN(4), 4 or 16 bytes
+    WGALLOWEDIP_A_CIDR_MASK, // NLA_U8
+    __WGALLOWEDIP_A_LAST
+};
+#define WGALLOWEDIP_A_MAX (__WGALLOWEDIP_A_LAST - 1)

package/src/node-wireguard.cpp

@@ -0,0 +1,48 @@
+#include "WireGuardClient.h"
+#include "crypto/Key.h"
+
+#include <napi.h>
+#include <sodium.h>
+#include <stdexcept>
+
+namespace {
+
+Napi::Value GeneratePrivateKey(const Napi::CallbackInfo &info) {
+    return Napi::String::New(info.Env(), crypto::KeyToBase64(crypto::GeneratePrivateKey()));
+}
+
+Napi::Value GeneratePresharedKey(const Napi::CallbackInfo &info) {
+    return Napi::String::New(info.Env(), crypto::KeyToBase64(crypto::GeneratePresharedKey()));
+}
+
+Napi::Value PublicKey(const Napi::CallbackInfo &info) {
+    Napi::Env env = info.Env();
+    if (info.Length() < 1 || !info[0].IsString()) {
+        Napi::TypeError::New(env, "publicKey(privateKey: string) expects a base64-encoded string").ThrowAsJavaScriptException();
+        return env.Undefined();
+    }
+    try {
+        wg::Key priv = crypto::KeyFromBase64(info[0].As<Napi::String>().Utf8Value());
+        return Napi::String::New(env, crypto::KeyToBase64(crypto::PublicKeyFromPrivate(priv)));
+    } catch (const std::exception &e) {
+        Napi::Error::New(env, e.what()).ThrowAsJavaScriptException();
+        return env.Undefined();
+    }
+}
+
+} // namespace
+
+Napi::Object Init(Napi::Env env, Napi::Object exports) {
+    if (sodium_init() < 0) {
+        Napi::Error::New(env, "libsodium initialization failed").ThrowAsJavaScriptException();
+        return exports;
+    }
+
+    exports.Set("generatePrivateKey", Napi::Function::New(env, GeneratePrivateKey));
+    exports.Set("generatePresharedKey", Napi::Function::New(env, GeneratePresharedKey));
+    exports.Set("publicKey", Napi::Function::New(env, PublicKey));
+
+    return WireGuardClient::Init(env, exports);
+}
+
+NODE_API_MODULE(node_wireguard, Init)

package/src/uapi/UapiCodec.cpp

@@ -0,0 +1,185 @@
+#include "UapiCodec.h"
+#include "../crypto/Key.h"
+#include "../helpers/AsyncPromise.h"
+#include "../netlink/NlAttr.h" // reuse ParseCIDR/FormatCIDR - same "ip/mask" textual form as the netlink path
+
+#include <sstream>
+#include <stdexcept>
+
+namespace uapi {
+
+namespace {
+
+// Strict unsigned decimal parser: rejects empty/non-numeric input, trailing
+// garbage, and anything outside [0, max] - std::stoul alone accepts trailing
+// garbage and returns a 64-bit value that a bare static_cast<uint16_t/32_t>
+// would silently truncate instead of reject.
+unsigned long ParseUnsignedInRange(const std::string &value, unsigned long max, const char *field) {
+    if (value.empty()) {
+        throw std::invalid_argument(std::string(field) + ": empty value");
+    }
+    size_t consumed = 0;
+    unsigned long ul;
+    try {
+        ul = std::stoul(value, &consumed);
+    } catch (const std::exception &) {
+        throw std::invalid_argument(std::string(field) + ": invalid value: " + value);
+    }
+    if (consumed != value.size() || ul > max) {
+        throw std::invalid_argument(std::string(field) + ": out of range: " + value);
+    }
+    return ul;
+}
+
+uint16_t ParseUint16(const std::string &value, const char *field) {
+    return static_cast<uint16_t>(ParseUnsignedInRange(value, 65535, field));
+}
+
+uint32_t ParseUint32(const std::string &value, const char *field) {
+    return static_cast<uint32_t>(ParseUnsignedInRange(value, 4294967295UL, field));
+}
+
+} // namespace
+
+std::string BuildGetRequest() {
+    return "get=1\n\n";
+}
+
+wg::Device ParseGetResponse(const std::string &name, const std::string &response) {
+    wg::Device device;
+    device.name = name;
+    device.userspace = true;
+
+    wg::Peer *currentPeer = nullptr;
+    std::istringstream iss(response);
+    std::string line;
+    while (std::getline(iss, line)) {
+        if (line.empty()) {
+            continue;
+        }
+        size_t eq = line.find('=');
+        if (eq == std::string::npos) {
+            continue;
+        }
+        std::string key = line.substr(0, eq);
+        std::string value = line.substr(eq + 1);
+
+        if (key == "errno") {
+            int code = std::stoi(value);
+            if (code != 0) {
+                throw helpers::SystemError(code, "uapi get error, errno=" + value);
+            }
+            continue;
+        }
+
+        if (key == "public_key") {
+            // Starts a new peer section - everything until the next public_key=
+            // (or end of message) belongs to it.
+            device.peers.emplace_back();
+            currentPeer = &device.peers.back();
+            currentPeer->publicKey = crypto::KeyFromHex(value);
+            continue;
+        }
+
+        if (currentPeer != nullptr) {
+            if (key == "preshared_key") {
+                currentPeer->presharedKey = crypto::KeyFromHex(value);
+            } else if (key == "endpoint") {
+                currentPeer->endpoint = value;
+            } else if (key == "last_handshake_time_sec") {
+                currentPeer->lastHandshakeTimeSec = std::stoll(value);
+            } else if (key == "rx_bytes") {
+                currentPeer->receiveBytes = std::stoull(value);
+            } else if (key == "tx_bytes") {
+                currentPeer->transmitBytes = std::stoull(value);
+            } else if (key == "persistent_keepalive_interval") {
+                currentPeer->persistentKeepaliveInterval = ParseUint16(value, "persistent_keepalive_interval");
+            } else if (key == "allowed_ip") {
+                currentPeer->allowedIPs.push_back(netlink::ParseCIDR(value));
+            } else if (key == "protocol_version") {
+                currentPeer->protocolVersion = ParseUint32(value, "protocol_version");
+            }
+            continue;
+        }
+
+        // Device-level fields (before the first peer section).
+        if (key == "private_key") {
+            device.privateKey = crypto::KeyFromHex(value);
+        } else if (key == "listen_port") {
+            device.listenPort = ParseUint16(value, "listen_port");
+        } else if (key == "fwmark") {
+            device.firewallMark = ParseUint32(value, "fwmark");
+        }
+    }
+
+    if (device.privateKey && !crypto::IsZeroKey(*device.privateKey)) {
+        device.publicKey = crypto::PublicKeyFromPrivate(*device.privateKey);
+    }
+
+    return device;
+}
+
+std::string BuildSetRequest(const wg::Config &cfg) {
+    std::ostringstream oss;
+    oss << "set=1\n";
+
+    if (cfg.privateKey) {
+        oss << "private_key=" << crypto::KeyToHex(*cfg.privateKey) << "\n";
+    }
+    if (cfg.listenPort) {
+        oss << "listen_port=" << *cfg.listenPort << "\n";
+    }
+    if (cfg.firewallMark) {
+        oss << "fwmark=" << *cfg.firewallMark << "\n";
+    }
+    if (cfg.replacePeers) {
+        oss << "replace_peers=true\n";
+    }
+
+    for (const auto &peer : cfg.peers) {
+        oss << "public_key=" << crypto::KeyToHex(peer.publicKey) << "\n";
+        if (peer.remove) {
+            oss << "remove=true\n";
+        }
+        if (peer.updateOnly) {
+            oss << "update_only=true\n";
+        }
+        if (peer.presharedKey) {
+            oss << "preshared_key=" << crypto::KeyToHex(*peer.presharedKey) << "\n";
+        }
+        if (peer.endpoint) {
+            oss << "endpoint=" << *peer.endpoint << "\n";
+        }
+        if (peer.persistentKeepaliveInterval) {
+            oss << "persistent_keepalive_interval=" << *peer.persistentKeepaliveInterval << "\n";
+        }
+        if (peer.replaceAllowedIPs) {
+            oss << "replace_allowed_ips=true\n";
+        }
+        for (const auto &aip : peer.allowedIPs) {
+            oss << "allowed_ip=" << netlink::FormatCIDR(aip) << "\n";
+        }
+    }
+
+    oss << "\n";
+    return oss.str();
+}
+
+void ParseSetResponse(const std::string &response) {
+    std::istringstream iss(response);
+    std::string line;
+    while (std::getline(iss, line)) {
+        size_t eq = line.find('=');
+        if (eq == std::string::npos) {
+            continue;
+        }
+        if (line.substr(0, eq) == "errno") {
+            int code = std::stoi(line.substr(eq + 1));
+            if (code != 0) {
+                throw helpers::SystemError(code, "uapi set error, errno=" + line.substr(eq + 1));
+            }
+        }
+    }
+}
+
+} // namespace uapi

package/src/uapi/UapiCodec.h

@@ -0,0 +1,22 @@
+#pragma once
+
+#include "../WireGuardTypes.h"
+
+namespace uapi {
+
+// Builds a `get=1\n...\n\n` request body (just the literal request - no I/O).
+std::string BuildGetRequest();
+
+// Parses the response to a `get=1` request into a Device. Throws
+// helpers::SystemError if the response's errno field is non-zero.
+wg::Device ParseGetResponse(const std::string &name, const std::string &response);
+
+// Builds a `set=1\n...\n\n` request applying `cfg`, per
+// https://www.wireguard.com/xplatform/'s wire format.
+std::string BuildSetRequest(const wg::Config &cfg);
+
+// Parses the response to a `set=1` request. Throws helpers::SystemError if
+// the response's errno field is non-zero.
+void ParseSetResponse(const std::string &response);
+
+} // namespace uapi

package/src/uapi/UapiSocket.cpp

@@ -0,0 +1,116 @@
+#include "UapiSocket.h"
+#include "../helpers/AsyncPromise.h"
+#include "../helpers/IfName.h"
+
+#include <cerrno>
+#include <cstring>
+#include <dirent.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <unistd.h>
+
+namespace uapi {
+
+const char *const kSocketDir = "/var/run/wireguard";
+
+namespace {
+
+// `name` must be validated before being interpolated into a filesystem path -
+// otherwise a name containing '/' or ".." lets a caller traverse outside
+// kSocketDir (see HasSocket/Transact below, the only callers).
+std::string SocketPath(const std::string &name) {
+    helpers::ValidateIfName(name);
+    return std::string(kSocketDir) + "/" + name + ".sock";
+}
+
+} // namespace
+
+bool HasSocket(const std::string &name) {
+    std::string path = SocketPath(name);
+    return access(path.c_str(), F_OK) == 0;
+}
+
+std::vector<std::string> ListInterfaceNames() {
+    std::vector<std::string> names;
+    DIR *dir = opendir(kSocketDir);
+    if (!dir) {
+        return names; // directory not present - no userspace interfaces, not an error
+    }
+
+    struct dirent *entry;
+    constexpr const char *suffix = ".sock";
+    const size_t suffixLen = 5;
+    while ((entry = readdir(dir)) != nullptr) {
+        std::string fname = entry->d_name;
+        if (fname.size() > suffixLen && fname.compare(fname.size() - suffixLen, suffixLen, suffix) == 0) {
+            names.push_back(fname.substr(0, fname.size() - suffixLen));
+        }
+    }
+    closedir(dir);
+    return names;
+}
+
+std::string Transact(const std::string &name, const std::string &request) {
+    std::string path = SocketPath(name);
+
+    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
+    if (fd < 0) {
+        throw helpers::SystemError(errno, std::string("socket: ") + std::strerror(errno));
+    }
+
+    sockaddr_un addr{};
+    addr.sun_family = AF_UNIX;
+    if (path.size() >= sizeof(addr.sun_path)) {
+        close(fd);
+        throw std::invalid_argument("uapi socket path too long: " + path);
+    }
+    std::strncpy(addr.sun_path, path.c_str(), sizeof(addr.sun_path) - 1);
+
+    if (connect(fd, reinterpret_cast<sockaddr *>(&addr), sizeof(addr)) < 0) {
+        int err = errno;
+        close(fd);
+        throw helpers::SystemError(err, std::string("connect(") + path + "): " + std::strerror(err));
+    }
+
+    size_t written = 0;
+    while (written < request.size()) {
+        ssize_t n = write(fd, request.data() + written, request.size() - written);
+        if (n < 0) {
+            int err = errno;
+            close(fd);
+            throw helpers::SystemError(err, std::string("write: ") + std::strerror(err));
+        }
+        written += static_cast<size_t>(n);
+    }
+
+    // Some UAPI servers (e.g. wireguard-go) keep the connection open across
+    // multiple operations, only closing once they see EOF on their next read.
+    // Half-close our write side so the server's next read gets that EOF and it
+    // closes the connection (after flushing the response already written) -
+    // otherwise both sides block waiting for the other to close first.
+    if (shutdown(fd, SHUT_WR) < 0) {
+        int err = errno;
+        close(fd);
+        throw helpers::SystemError(err, std::string("shutdown: ") + std::strerror(err));
+    }
+
+    std::string response;
+    char buf[4096];
+    for (;;) {
+        ssize_t n = read(fd, buf, sizeof(buf));
+        if (n < 0) {
+            int err = errno;
+            close(fd);
+            throw helpers::SystemError(err, std::string("read: ") + std::strerror(err));
+        }
+        if (n == 0) {
+            break; // EOF - server closes after responding
+        }
+        response.append(buf, static_cast<size_t>(n));
+    }
+
+    close(fd);
+    return response;
+}
+
+} // namespace uapi