Add a sample application for wireguard, using the generated C library,
The main benefit of this is to exercise the generated library,
which might be useful for future selftests.
In order to support usage with a pre-YNL wireguard.h in /usr/include,
then the former guard is added to Makefile.deps as well.
Example:
$ make -C tools/net/ynl/lib
$ make -C tools/net/ynl/generated
$ make -C tools/net/ynl/samples wireguard
$ ./tools/net/ynl/samples/wireguard
usage: ./tools/net/ynl/samples/wireguard <ifindex|ifname>
$ sudo ./tools/net/ynl/samples/wireguard wg-test
Interface 3: wg-test
Peer 6adfb183a4a2c94a2f92dab5ade762a4788[...]:
Data: rx: 42 / tx: 42 bytes
Allowed IPs:
0.0.0.0/0
::/0
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.net>
---
MAINTAINERS | 1 +
tools/net/ynl/Makefile.deps | 2 +
tools/net/ynl/samples/.gitignore | 1 +
tools/net/ynl/samples/wireguard.c | 104 ++++++++++++++++++++++++++++++
4 files changed, 108 insertions(+)
create mode 100644 tools/net/ynl/samples/wireguard.c
diff --git a/MAINTAINERS b/MAINTAINERS
index 35cd289899f7..1c9c21ff2c97 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -27651,6 +27651,7 @@ L: netdev@vger.kernel.org
S: Maintained
F: Documentation/netlink/specs/wireguard.yaml
F: drivers/net/wireguard/
+F: tools/net/ynl/samples/wireguard.c
F: tools/testing/selftests/wireguard/
WISTRON LAPTOP BUTTON DRIVER
diff --git a/tools/net/ynl/Makefile.deps b/tools/net/ynl/Makefile.deps
index 865fd2e8519e..a9a5348b31a3 100644
--- a/tools/net/ynl/Makefile.deps
+++ b/tools/net/ynl/Makefile.deps
@@ -48,3 +48,5 @@ CFLAGS_tc:= $(call get_hdr_inc,__LINUX_RTNETLINK_H,rtnetlink.h) \
$(call get_hdr_inc,_TC_SKBEDIT_H,tc_act/tc_skbedit.h) \
$(call get_hdr_inc,_TC_TUNNEL_KEY_H,tc_act/tc_tunnel_key.h)
CFLAGS_tcp_metrics:=$(call get_hdr_inc,_LINUX_TCP_METRICS_H,tcp_metrics.h)
+CFLAGS_wireguard:=$(call get_hdr_inc,_LINUX_WIREGUARD_H,wireguard.h) \
+ -D _WG_UAPI_WIREGUARD_H # alternate pre-YNL guard
diff --git a/tools/net/ynl/samples/.gitignore b/tools/net/ynl/samples/.gitignore
index 7f5fca7682d7..09c61e4c18cd 100644
--- a/tools/net/ynl/samples/.gitignore
+++ b/tools/net/ynl/samples/.gitignore
@@ -7,3 +7,4 @@ rt-addr
rt-link
rt-route
tc
+wireguard
diff --git a/tools/net/ynl/samples/wireguard.c b/tools/net/ynl/samples/wireguard.c
new file mode 100644
index 000000000000..43f3551eb101
--- /dev/null
+++ b/tools/net/ynl/samples/wireguard.c
@@ -0,0 +1,104 @@
+// SPDX-License-Identifier: GPL-2.0
+#include <arpa/inet.h>
+#include <string.h>
+#include <stdio.h>
+#include <errno.h>
+#include <ynl.h>
+
+#include "wireguard-user.h"
+
+static void print_allowed_ip(const struct wireguard_wgallowedip *aip)
+{
+ char addr_out[INET6_ADDRSTRLEN];
+
+ if (!inet_ntop(aip->family, aip->ipaddr, addr_out, sizeof(addr_out))) {
+ addr_out[0] = '?';
+ addr_out[1] = '\0';
+ }
+ printf("\t\t\t%s/%u\n", addr_out, aip->cidr_mask);
+}
+
+/* Only printing public key in this demo. For better key formatting,
+ * use the constant-time implementation as found in wireguard-tools.
+ */
+static void print_peer_header(const struct wireguard_wgpeer *peer)
+{
+ unsigned int i;
+ uint8_t *key = peer->public_key;
+ unsigned int len = peer->_len.public_key;
+
+ if (len != 32)
+ return;
+ printf("\tPeer ");
+ for (i = 0; i < len; i++)
+ printf("%02x", key[i]);
+ printf(":\n");
+}
+
+static void print_peer(const struct wireguard_wgpeer *peer)
+{
+ unsigned int i;
+
+ print_peer_header(peer);
+ printf("\t\tData: rx: %llu / tx: %llu bytes\n",
+ peer->rx_bytes, peer->tx_bytes);
+ printf("\t\tAllowed IPs:\n");
+ for (i = 0; i < peer->_count.allowedips; i++)
+ print_allowed_ip(&peer->allowedips[i]);
+}
+
+static void build_request(struct wireguard_get_device_req *req, char *arg)
+{
+ char *endptr;
+ int ifindex;
+
+ ifindex = strtol(arg, &endptr, 0);
+ if (endptr != arg + strlen(arg) || errno != 0)
+ ifindex = 0;
+ if (ifindex > 0)
+ wireguard_get_device_req_set_ifindex(req, ifindex);
+ else
+ wireguard_get_device_req_set_ifname(req, arg);
+}
+
+int main(int argc, char **argv)
+{
+ struct wireguard_get_device_list *devs;
+ struct wireguard_get_device_req *req;
+ struct ynl_sock *ys;
+
+ if (argc < 2) {
+ fprintf(stderr, "usage: %s <ifindex|ifname>\n", argv[0]);
+ return 1;
+ }
+
+ req = wireguard_get_device_req_alloc();
+ build_request(req, argv[1]);
+
+ ys = ynl_sock_create(&ynl_wireguard_family, NULL);
+ if (!ys)
+ return 2;
+
+ devs = wireguard_get_device_dump(ys, req);
+ if (!devs)
+ goto err_close;
+
+ ynl_dump_foreach(devs, d) {
+ unsigned int i;
+
+ printf("Interface %d: %s\n", d->ifindex, d->ifname);
+ for (i = 0; i < d->_count.peers; i++)
+ print_peer(&d->peers[i]);
+ }
+ wireguard_get_device_list_free(devs);
+ wireguard_get_device_req_free(req);
+ ynl_sock_destroy(ys);
+
+ return 0;
+
+err_close:
+ fprintf(stderr, "YNL (%d): %s\n", ys->err.code, ys->err.msg);
+ wireguard_get_device_req_free(req);
+ ynl_sock_destroy(ys);
+ return 3;
+}
--
2.51.0
On Wed, Nov 05, 2025 at 06:32:17PM +0000, Asbjørn Sloth Tønnesen wrote: > +CFLAGS_wireguard:=$(call get_hdr_inc,_LINUX_WIREGUARD_H,wireguard.h) \ > + -D _WG_UAPI_WIREGUARD_H # alternate pre-YNL guard I don't totally grok what's going on here. As I understand it, this makefile creates `wireguard-user.h` in the generated/ include path, which has all the various netlink wrapper declarations. And then this also references, somehow, include/uapi/linux/wireguard.h, for the constants. For some reason, you're then defining _WG_UAPI_WIREGUARD_H here, so that wireguard.h from /usr/include doesn't clash. But also, why would it? Isn't this just a matter of placing $(src)/include/uapi earlier in the include file path? Jason
On 11/18/25 3:20 PM, Jason A. Donenfeld wrote:
> On Wed, Nov 05, 2025 at 06:32:17PM +0000, Asbjørn Sloth Tønnesen wrote:
>> +CFLAGS_wireguard:=$(call get_hdr_inc,_LINUX_WIREGUARD_H,wireguard.h) \
>> + -D _WG_UAPI_WIREGUARD_H # alternate pre-YNL guard
>
> I don't totally grok what's going on here. As I understand it, this
> makefile creates `wireguard-user.h` in the generated/ include path,
> which has all the various netlink wrapper declarations. And then this
> also references, somehow, include/uapi/linux/wireguard.h, for the constants.
> For some reason, you're then defining _WG_UAPI_WIREGUARD_H here, so that
> wireguard.h from /usr/include doesn't clash. But also, why would it?
> Isn't this just a matter of placing $(src)/include/uapi earlier in the
> include file path?
The aim is to use the generated in-tree header, while avoiding making a
copy, and avoiding the system header.
As an example then in tools/net/ynl/generated/Makefile:
%-user.o: %-user.c %-user.h
@echo -e "\tCC $@"
@$(COMPILE.c) $(CFLAGS_$*) -o $@ $<
Where for the "wireguard-user.o" target, then "$(CFLAGS_$*)" expands to
"$CFLAGS_wireguard".
CFLAGS_wireguard has two parts the normal one similar to the other families,
and a transitional extra guard.
The header guard in the old UAPI header is "_WG_UAPI_WIREGUARD_H".
The header guard in the new UAPI header in-tree is "_UAPI_LINUX_WIREGUARD_H".
The header guard in the new UAPI header in-system is "_LINUX_WIREGUARD_H".
Linux uapi headers are installed using scripts/headers_install.sh, which
transforms the headers slightly, one of these transformations is to alter
the header guard, stripping the _UAPI in the beginning of the guard.
So "get_hdr_inc=-D$(1) -include $(UAPI_PATH)/linux/$(2)" does:
1) Defines the in-system guard
2) Includes the in-tree header
The purpose of defining the in-system guard is disable the include in
the code, as it's header guard is already defined.
I added the extra transitional define of the old UAPI guard, so that
it also works on systems with the old header installed in /usr.
This extra line can be removed in a few releases, when we don't care
about compiling these tools on a system with the old header installed.
On Tue, Nov 18, 2025 at 6:16 PM Asbjørn Sloth Tønnesen <ast@fiberby.net> wrote: > This extra line can be removed in a few releases, when we don't care > about compiling these tools on a system with the old header installed. Sounds good. I'll put this on my calendar to revisit in 6 months. Jason
© 2016 - 2025 Red Hat, Inc.