DefGuard · t-aleksander · Mar 27, 2025 · Feb 21, 2025 · Feb 21, 2025 · Feb 21, 2025
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,2 @@
+.envrc
+.direnv
diff --git a/LICENSE b/LICENSE
diff --git a/LICENSE.md b/LICENSE.md
diff --git a/client/client.proto b/client/client.proto
@@ -45,7 +45,7 @@ message InterfaceData {
 
 // service used by desktop clients to communicate with interface management daemon
 service DesktopDaemonService {
-  rpc CreateInterface (CreateInterfaceRequest) returns (google.protobuf.Empty);
-  rpc RemoveInterface (RemoveInterfaceRequest) returns (google.protobuf.Empty);
-  rpc ReadInterfaceData (ReadInterfaceDataRequest) returns (stream InterfaceData);
+  rpc CreateInterface(CreateInterfaceRequest) returns (google.protobuf.Empty);
+  rpc RemoveInterface(RemoveInterfaceRequest) returns (google.protobuf.Empty);
+  rpc ReadInterfaceData(ReadInterfaceDataRequest) returns (stream InterfaceData);
 }
diff --git a/core/auth.proto b/core/auth.proto
@@ -13,4 +13,4 @@ message AuthenticateRequest {
 
 message AuthenticateResponse {
   string token = 1;
-}
+}
diff --git a/core/proxy.proto b/core/proxy.proto
@@ -233,5 +233,5 @@ message CoreRequest {
  * so requests and responses are actually send in reverse.
  */
 service Proxy {
-  rpc Bidi (stream CoreResponse) returns (stream CoreRequest);
+  rpc Bidi(stream CoreResponse) returns (stream CoreRequest);
 }
diff --git a/enterprise/LICENSE.md b/enterprise/LICENSE.md
@@ -0,0 +1,16 @@
+Copyright 2024 teonite ventures sp. z o. o.
+
+defguard enterprise license / defguard.net
+
+Use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+
+1. Use is permitted for the purposes of the Licensee that paid for the relevant license only (no redistributions or products based on that).
+
+2. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote the Licensee when using the product without specific prior written permission.
+
+3. The Licensee may use the software in accordance with the terms and conditions of this license after paying the license fee to the Licensor, in accordance with the currently available price list on the defguard.net website, for the time period defined in the license. The Licensee is not permitted to resell, sublicense, or create derivative products based on the software. The Licensor may secure the ability to use the software with a license key or other technical protection.
+
+5. You may not move, change, disable, or circumvent the license key functionality in the software, and you may not remove or obscure any functionality in the software that is protected by the license key.
+
+6. The licensor can provide support for the use of the software. The current terms in this respect are on the website defguard.net
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/enterprise/firewall/firewall.proto b/enterprise/firewall/firewall.proto
@@ -0,0 +1,72 @@
+syntax = "proto3";
+package enterprise.firewall;
+
+// Describes target configuration of the firewall
+message FirewallConfig {
+  IpVersion ip_version = 1;
+  FirewallPolicy default_policy = 2;
+  repeated FirewallRule rules = 3;
+}
+
+enum IpVersion {
+  IPV4 = 0;
+  IPV6 = 1;
+}
+
+enum FirewallPolicy {
+  ALLOW = 0;
+  DENY = 1;
+}
+
+message FirewallRule {
+  int64 id = 1;
+  repeated IpAddress source_addrs = 2;
+  repeated IpAddress destination_addrs = 3;
+  repeated Port destination_ports = 4;
+  repeated Protocol protocols = 5;
+  FirewallPolicy verdict = 6;
+  optional string comment = 7;
+}
+
+// IPv4 or IPv6 address
+// expected type is determined by a given FirewallRule
+message IpAddress {
+  oneof address {
+    // single IP address
+    string ip = 1;
+    // range of IPs, e.g. 10.0.10.1-10.0.20.3
+    IpRange ip_range = 2;
+    // IP subnet using CIDR notation, e.g. 10.0.10.0/24
+    string ip_subnet = 3;
+  }
+}
+
+// inclusive IP range
+message IpRange {
+  string start = 1;
+  string end = 2;
+}
+
+// wrapper message since `oneof` itself cannot be repeated
+message Port {
+  oneof port {
+    uint32 single_port = 1;
+    PortRange port_range = 2;
+  }
+}
+
+// inclusive port range
+message PortRange {
+  uint32 start = 1;
+  uint32 end = 2;
+}
+
+// Specific IDs are used to align with the standard below:
+// https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/in.h
+enum Protocol {
+  // proto3 requires that first enum value must be 0
+  INVALID = 0;
+  ICMP = 1;
+  TCP = 6;
+  UDP = 17;
+}
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -0,0 +1,27 @@
+{
+  description = "Development flake for working with protobuf files";
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    flake-utils.url = "github:numtide/flake-utils";
+  };
+
+  outputs = {
+    nixpkgs,
+    flake-utils,
+    ...
+  }:
+    flake-utils.lib.eachDefaultSystem (system: let
+      pkgs = import nixpkgs {
+        inherit system;
+      };
+    in {
+      devShells.default = pkgs.mkShell {
+        packages = with pkgs; [
+          protobuf
+          # formatter, linter, LSP etc
+          buf
+        ];
+      };
+    });
+}
diff --git a/wireguard/gateway.proto b/wireguard/gateway.proto
@@ -1,6 +1,7 @@
 syntax = "proto3";
 package gateway;
 
+import "firewall.proto";
 import "google/protobuf/empty.proto";
 
 message ConfigurationRequest {
@@ -14,6 +15,7 @@ message Configuration {
   uint32 port = 4;
   repeated Peer peers = 5;
   repeated string addresses = 6;
+  optional enterprise.firewall.FirewallConfig firewall_config = 7;
 }
 
 enum UpdateType {
@@ -34,6 +36,7 @@ message Update {
   oneof update {
     Peer peer = 2;
     Configuration network = 3;
+    enterprise.firewall.FirewallConfig firewall_config = 4;
   }
 }
 
@@ -59,7 +62,7 @@ message StatsUpdate {
 }
 
 service GatewayService {
-  rpc Config (ConfigurationRequest) returns (Configuration);
-  rpc Updates (google.protobuf.Empty) returns (stream Update);
-  rpc Stats (stream StatsUpdate) returns (google.protobuf.Empty);
+  rpc Config(ConfigurationRequest) returns (Configuration);
+  rpc Updates(google.protobuf.Empty) returns (stream Update);
+  rpc Stats(stream StatsUpdate) returns (google.protobuf.Empty);
 }
diff --git a/worker/worker.proto b/worker/worker.proto
@@ -1,5 +1,6 @@
 syntax = "proto3";
 package worker;
+
 import "google/protobuf/empty.proto";
 
 message Worker {
@@ -24,7 +25,7 @@ message GetJobResponse {
 }
 
 service WorkerService {
-  rpc RegisterWorker (Worker) returns (google.protobuf.Empty) {}
-  rpc GetJob (Worker) returns (GetJobResponse) {}
-  rpc SetJobDone (JobStatus) returns (google.protobuf.Empty) {}
+  rpc RegisterWorker(Worker) returns (google.protobuf.Empty) {}
+  rpc GetJob(Worker) returns (GetJobResponse) {}
+  rpc SetJobDone(JobStatus) returns (google.protobuf.Empty) {}
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -13,4 +13,4 @@ message AuthenticateRequest { @@
     message AuthenticateResponse {
       string token = 1;
-    }
+    }