From 86259b998e85f34fa42be64e19e89f1b75708f14 Mon Sep 17 00:00:00 2001
From: Martin Stein
Date: Wed, 18 May 2022 12:45:21 +0200
Subject: [PATCH] wireguard: support removing peers

Support removing peers by removing them from the component configuration. This commit also introduces the wg_reconfig run script that tests adding and removing single peers.

Ref #4520
---
 repos/dde_linux/run/wg_reconfig.run | 496 ++++++++++++++++++
 .../src/app/wireguard/config_model.cc | 7 +-
 repos/dde_linux/src/app/wireguard/dummies.c | 16 +
 .../app/wireguard/genode_c_api/wireguard.c | 43 +-
 .../app/wireguard/genode_c_api/wireguard.h | 6 +-
 repos/dde_linux/src/app/wireguard/lx_emul.c | 12 +
 .../wireguard/spec/arm_64/generated_dummies.c | 24 -
 .../wireguard/spec/x86_64/generated_dummies.c | 24 -
 8 files changed, 571 insertions(+), 57 deletions(-)
 create mode 100644 repos/dde_linux/run/wg_reconfig.run

diff --git a/repos/dde_linux/run/wg_reconfig.run b/repos/dde_linux/run/wg_reconfig.run
new file mode 100644
index 0000000000..9c3dcd306f
--- /dev/null
+++ b/repos/dde_linux/run/wg_reconfig.run
@@ -0,0 +1,496 @@ +# +# A ping (peer 1) and a fetchurl (peer 3) both try to reach a server at peer 2 +# through a WireGuard VNP (10.0.9.0/24) while the configuration of the server +# WireGuard changes. Each peer has its own WireGuard instance and talks +# to the other peers only through WireGuard. The server WireGuard (peer 2) +# initially accepts only peer 1. After some time it gets re-configured to +# accept only peer 3. At the end, it gets re-configured to accept only peer 1 +# again. Note that the peer 1 WireGuard has to be reconfigured as well, in +# order to be forced to redo the initiation handshake for the last +# configuration phase of the server WireGuard. +# + +if {[expr ![have_spec arm_v8a] && ![have_spec x86_64]]} { + puts "Run script is not supported on this platform." + exit 0 +} + +create_boot_directory + +import_from_depot [depot_user]/src/libc \ + [depot_user]/src/libssh \ + [depot_user]/src/lighttpd \ + [depot_user]/src/openssl \ + [depot_user]/src/posix \ + [depot_user]/src/vfs \ + [depot_user]/src/vfs_lwip \ + [depot_user]/src/zlib + +proc peer1_wg_config {variant} { + + append result { + + } + if {$variant == "with_peer3"} { + append result { + + } + } + append result { + + } + return $result +} + +proc peer2_wg_config {variant} { + + append result { + + } + if {$variant == "with_peer1"} { + append result { + + } + } + if {$variant == "with_peer3"} { + append result { + + } + } + append result { + + } + return $result +} + +append config { + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + } [peer2_wg_config with_peer1] { + + + + + + } [peer2_wg_config with_peer3] { + + + + + + } [peer2_wg_config with_peer1] { + + + + + + + + } [peer1_wg_config with_peer3] { + + + + } [peer1_wg_config without_peer] { + + + + } [peer1_wg_config with_peer3] { + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 2019-07-04 12:00 + 01234567890123456789 + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 2000-01-01 00:00 + 0123456789012345678901234567890123456789 + + + + + +# lighttpd configuration +server.port = 80 +server.document-root = "/website" +server.event-handler = "select" +server.network-backend = "write" +server.upload-dirs = ( "/tmp" ) +server.modules = ("mod_openssl") +index-file.names = ( + "index.xhtml", "index.html", "index.htm" +) +mimetype.assign = ( + ".html" => "text/html", + ".htm" => "text/html" +) +$SERVER["socket"] == ":443" { + ssl.engine = "enable" + ssl.pemfile = "/etc/lighttpd/example.pem" +} + + +-----BEGIN PRIVATE KEY----- +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC4KHUZjDRew89c +wDlYPz9XFigcMDnDlHzdg2ByrGZIOUNYC5LH1QUK0TDbPP45Xx455niA0QY85dMQ +4DQx0Qk6+TDpVD3F2MYQgbIX6YkX9kgqX+jiHgsNzRD4KamNYmfUY+dJhlZEXWAF +uNSnRLvg4EH72AVKLLKiruGwkisW/AYU6dNE8iFOYL8Q75bBUADiQSDdD8vkpeXg +1NqxNyHPR6YRbA+vqcK0kbC8btKR9wG6m99OhTR4x3M87vtFFLNtJNEf54fYxi+L +1rljSqHbaXD+XJsVKgX+UlI1ZlYW4KqlMciMemkBp0CovCxLfsbMmkXAW2RONpkm ++sdO3CXFAgMBAAECggEAIKv00nqAVAuzP0ZPJivaZe3lYdLgfKVcXcRQGSgi4U9f +dkBfYxqU0W15mHvCspUAfM85s8jhrW4suwK739axJ4hMOCkc6Hvj78vCt+FT1C96 +cCIh4/PmjCVEjHJ/xTifKRwsTWwK5AgY4AsBl0dneabvremOTrGNY7VZDwVvpZz1 +qXkSNjQ63tZKj9cESO5ceGLzuBAG6JDDpqJM5fmdsQ36/QVz9Gogr8bXEWFM1TOo +lWVAPB/l6nqKurfMv+5th354+owv9CGKxqLBE1fujwE2VogBz7mkR/rnABOPU5ev +wQVLXoUkO2bI8Uvc28lChaiG6ihfdmNCmwoi56HFRQKBgQDj0WoIxiY7H42KV7Hh +uQZv/0aoQyjXuqJ7Vq0HdxOAxZr0GpSYgo3MTZWooI2AnAstPHXo0BsQr+XVijWm +xiDxMM4p9nrBzjEIHwyDaf62Pz/6lIPdenynLiEIOUbocJ3r0/3tCrY3U7fgjzYY +f9PZmXKEOOKdbVPyXG0OIJ/ADwKBgQDO8GkCdVGy/YB0X7ntqcBG0xgmDnKRmYpQ +X7Tb377AT2lzvftxaRVrx+UXtvFdy4xdrxjqHJCgOHT/fsAfjJlo7v1+KhTvE0pt +jCdJPLbzXJRwaISaeEaMJ/N8Vv/j2/YuoS5M5vh4NlWeO16HtF7N9V9cMEZ5iRW1 
+9G/eWgOo6wKBgQCY6rn3xblnuhgxogd+ccmGZ50v2FST6WyiyV0/Q4hNyVXnP+g6 +LneriPBJzertRtChvpGOghGIs+jb2veESD1YZ+Aafp2LdTGoN98YXo9gGTiCpCmX +Al6lgOsfMAMOhnkaEKPC9ou0u3cTPk2bSEIVL1CUu/IwpW/RoIR7FR7ltQKBgQDA +RAmsqQfhPzqL5SzALclhhFuZcC7uLDOf/WvyJW37C000pjzp3/JxE2Y8pFKZDLc7 +i6WgTi3pTssVXtRt+5nFLtcC02Jjxg6OvXr6xphMf6XC0rjxM/KH4c6Npd9V+1Y9 +eK+l76rHNeRSgWKQvvqebO3On2O7I6yyQ4t0kTl5RQKBgQCbX1cTtNmNr6HNleXL +zfclKESSYy57uq3fQxhRrEE2ZNbemLOxEuoBCFYoMwpZEjC1GZyICrM7o5673/Ih +I0oZerUBmt2l8noZCQoITEa97bCbp2vIdHYnCf/H3Nf2qM329fc00kAmm7vUVRgM +4BqXnuFcAOuY68sgp9JArzK+EQ== +-----END PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIIDazCCAlOgAwIBAgIUYPOYXijLmMjjlgRCGHuZeyP0iPEwDQYJKoZIhvcNAQEL +BQAwRTELMAkGA1UEBhMCREUxEzARBgNVBAgMClNvbWUtU3RhdGUxDTALBgNVBAoM +BFRlc3QxEjAQBgNVBAMMCTEwLjAuMi41NTAeFw0yMDA1MTQxNDQ0MzlaFw00NzA5 +MzAxNDQ0MzlaMEUxCzAJBgNVBAYTAkRFMRMwEQYDVQQIDApTb21lLVN0YXRlMQ0w +CwYDVQQKDARUZXN0MRIwEAYDVQQDDAkxMC4wLjIuNTUwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQC4KHUZjDRew89cwDlYPz9XFigcMDnDlHzdg2ByrGZI +OUNYC5LH1QUK0TDbPP45Xx455niA0QY85dMQ4DQx0Qk6+TDpVD3F2MYQgbIX6YkX +9kgqX+jiHgsNzRD4KamNYmfUY+dJhlZEXWAFuNSnRLvg4EH72AVKLLKiruGwkisW +/AYU6dNE8iFOYL8Q75bBUADiQSDdD8vkpeXg1NqxNyHPR6YRbA+vqcK0kbC8btKR +9wG6m99OhTR4x3M87vtFFLNtJNEf54fYxi+L1rljSqHbaXD+XJsVKgX+UlI1ZlYW +4KqlMciMemkBp0CovCxLfsbMmkXAW2RONpkm+sdO3CXFAgMBAAGjUzBRMB0GA1Ud +DgQWBBQvSHuosL/SDn/8sKl0dpyPeFvOfjAfBgNVHSMEGDAWgBQvSHuosL/SDn/8 +sKl0dpyPeFvOfjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBR +sGYEuRwIU/tmAmTbniptItN9VE0NNj9QeKh+hKQ9cHvhxmlBlf5b7Vb2JaRZdy88 +kRIFKiNkyjgQVg+5KuEIcg17mHSal7zG+jIZ3c1bIpVCM4AjUe7EXl8LM4+dJ5sX +Bwpd34tUk2edOiT8R/dU7uesxCdeIQ2FfvKyrXca73nj+UTvFGXUk/9mWY8KAaYc +F/PWBhiZhJD4/dkUHJnrVtjpcqW2Io8bFmrMq2vfqQv+W2FZGCsHgXkAZO2E0jyQ +5eOrwzgWRtMc5PvoGvqQfefseaLs0fvSQdcPqfv88Eqk5NGTOCIW8/KEsBwFJuwa +EpA5DBBklj8UE2CdONvN +-----END CERTIFICATE----- + + + + + + + + Hello + + +

Hello Genode!

+ I am bold ;-) + + +
+
+ +
+ +
+ + + + + + + + + + + +
+ +
+}
+
+install_config $config
+
+append targets {
+ core init timer server/nic_router app/wireguard server/report_rom app/ping
+ app/fetchurl server/dynamic_rom }
+
+append boot_modules {
+ core init timer nic_router wireguard fetchurl ping report_rom curl.lib.so
+ ld.lib.so dynamic_rom }
+
+build $targets
+
+build_boot_image $boot_modules
+
+append qemu_args "-nographic "
+
+append output_pattern "peer1_ping. 64 bytes from 10.0.9.2.*\n"
+append output_pattern ".*peer1_ping. 64 bytes from 10.0.9.2.*\n"
+append output_pattern ".*child \"peer3_fetchurl\" exited with exit value 0.*\n"
+append output_pattern ".*peer1_ping. 64 bytes from 10.0.9.2.*\n"
+append output_pattern ".*peer1_ping. 64 bytes from 10.0.9.2.*\n"
+
+run_genode_until $output_pattern 30
+
diff --git a/repos/dde_linux/src/app/wireguard/config_model.cc b/repos/dde_linux/src/app/wireguard/config_model.cc
index 9a1a42f74f..da4251d673 100644
--- a/repos/dde_linux/src/app/wireguard/config_model.cc
+++ b/repos/dde_linux/src/app/wireguard/config_model.cc
@@ -89,8 +89,11 @@ Peer_update_policy::Peer_update_policy(Allocator &alloc,
 void Config_model::Peer_update_policy::destroy_element(Element &peer)
 {
- _callbacks.remove_peer(
- _listen_port, peer._endpoint_ip.addr, peer._endpoint_port);
+ uint8_t public_key[WG_KEY_LEN];
+ if (!key_from_base64(public_key, peer._public_key_b64.string())) {
+ error("Invalid public key!");
+ }
+ _callbacks.remove_peer(public_key);
+ destroy(_alloc, &peer);
+ }
+
diff --git a/repos/dde_linux/src/app/wireguard/dummies.c b/repos/dde_linux/src/app/wireguard/dummies.c
index 00c74a70d4..102df15306 100644
--- a/repos/dde_linux/src/app/wireguard/dummies.c
+++ b/repos/dde_linux/src/app/wireguard/dummies.c
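Review bot: The `output_pattern` lines only check the positive paths — peer 1's pings while the server accepts peer 1 and peer 3's fetchurl exiting 0 while it accepts peer 3 — so the script still passes if removing a peer had no effect and the server simply kept accepting both peers throughout. For a feature whose point is revoking a peer, the run script should also assert the negative case, e.g. that peer 3's fetchurl does not succeed (non-zero exit or no reply within a bounded time) while the server is configured `with_peer1`, and that peer 1's ping gets no reply while it is configured `with_peer3`. The header comment also says `WireGuard VNP`, which should read `WireGuard VPN`.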
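Review bot: When `key_from_base64` fails, `destroy_element` logs the error and still falls through to `_callbacks.remove_peer(public_key)` with `public_key` uninitialized, so the removal is requested with indeterminate stack bytes as the key. The branch should leave after reporting, while still tearing down the model element: `error("Invalid public key!"); destroy(_alloc, &peer); return;` — or, if the add path is known to reject such keys so this branch is unreachable, a comment saying so. Whether the kernel side tolerates a key that matches no peer is not visible from this hunk.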
@@ -241,6 +241,22 @@ void napi_enable(struct napi_struct * n)
 }
+#include
+
+void napi_disable(struct napi_struct * n)
+{
+ lx_emul_trace(__func__);
+}
+
+
+#include
+
+void __netif_napi_del(struct napi_struct * napi)
+{
+ lx_emul_trace(__func__);
+}
+
+
 #include
 struct mem_section ** mem_section = NULL;
diff --git a/repos/dde_linux/src/app/wireguard/genode_c_api/wireguard.c b/repos/dde_linux/src/app/wireguard/genode_c_api/wireguard.c
index ae32e94eba..80647fb428 100644
--- a/repos/dde_linux/src/app/wireguard/genode_c_api/wireguard.c
+++ b/repos/dde_linux/src/app/wireguard/genode_c_api/wireguard.c
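Review bot: `napi_disable` and `__netif_napi_del` turn from trace-and-stop stubs into silent no-ops with no note on why that is safe; in the kernel, `napi_disable` is what guarantees no poll is still running before the device state is torn down, so a no-op is only sound if this port never schedules NAPI polling. `napi_enable` in this file is already a dummy, which suggests that holds, but each of the two new stubs deserves a one-line comment such as `/* no-op: NAPI polling is never scheduled in this port, so there is nothing to quiesce */` so the next reader does not have to rediscover the assumption.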
@@ -347,11 +347,46 @@ _genode_wg_config_add_peer(genode_wg_u16_t listen_port,
 static void
-_genode_wg_config_rm_peer(genode_wg_u16_t listen_port,
- genode_wg_u8_t const endpoint_ip[4],
- genode_wg_u16_t endpoint_port)
+_genode_wg_config_rm_peer(genode_wg_u8_t const *const pub_key)
 {
- printk("%s not yet implemented\n", __func__);
+
+ struct genode_wg_nlattr_ifname ifname;
+ struct genode_wg_nlattr_peers peers;
+ struct nlattr *attrs[__WGDEVICE_A_LAST];
+ struct genl_info info;
+ struct genode_wg_nlattr_peer *peer = &peers.peer_0;
+
+ ifname.data[0] = '\0';
+ ifname.header.nla_len = sizeof(ifname);
+
+ memset(&peers, 0, sizeof(peers));
+
+ peers.header.nla_type = WGDEVICE_A_PEERS | NLA_F_NESTED;
+ peers.header.nla_len = sizeof(peers);
+
+ peer->header.nla_len = sizeof(*peer);
+ peer->header.nla_type |= NLA_F_NESTED;
+
+ peer->public_key.header.nla_type = WGPEER_A_PUBLIC_KEY;
+ peer->public_key.header.nla_len = sizeof(peer->public_key);
+ memcpy(peer->public_key.data, pub_key, sizeof(peer->public_key.data));
+
+ peer->endpoint.header.nla_type = WGPEER_A_ENDPOINT;
+ peer->endpoint.header.nla_len = sizeof(peer->endpoint);
+
+ peer->flags.header.nla_type = WGPEER_A_FLAGS;
+ peer->flags.header.nla_len = sizeof(peer->flags);
+ peer->flags.data = WGPEER_F_REMOVE_ME;
+
+ peer->allowedips.header.nla_len = sizeof(peer->allowedips);
+ peer->allowedips.header.nla_type = WGPEER_A_ALLOWEDIPS | NLA_F_NESTED;
+
+ memset(attrs, 0, sizeof(attrs));
+ attrs[WGDEVICE_A_IFNAME] = &ifname.header;
+ attrs[WGDEVICE_A_PEERS] = &peers.header;
+
+ info.attrs = attrs;
+ _genode_wg_set_device(&info);
 }
diff --git a/repos/dde_linux/src/app/wireguard/genode_c_api/wireguard.h b/repos/dde_linux/src/app/wireguard/genode_c_api/wireguard.h
index e24225af57..c7785010cd 100644
--- a/repos/dde_linux/src/app/wireguard/genode_c_api/wireguard.h
+++ b/repos/dde_linux/src/app/wireguard/genode_c_api/wireguard.h
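Review bot: `info` is a plain local `struct genl_info` of which only `attrs` is assigned before `_genode_wg_set_device(&info)`, so every other member the callee or the wireguard netlink code might read holds indeterminate stack data; the function should start with `memset(&info, 0, sizeof(info));`, as it already does for `peers` and `attrs`. With `WGPEER_F_REMOVE_ME` set, the zero-filled `WGPEER_A_ENDPOINT` and `WGPEER_A_ALLOWEDIPS` attributes are, as far as I recall upstream `set_peer`, never consulted for a removal, so they are either dead weight or need a comment explaining why they must be present — worth confirming against the contrib sources. The `memcpy` of `pub_key` reads `sizeof(peer->public_key.data)` bytes through a bare pointer, so the caller's buffer-length obligation should be stated where the callback type is declared.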
@@ -39,9 +39,9 @@ typedef void (*genode_wg_config_add_peer_t) (
 genode_wg_u8_t const allowed_ip_prefix
 );
-typedef void (*genode_wg_config_rm_peer_t)
- (genode_wg_u16_t listen_port, genode_wg_u8_t const endpoint_ip[4],
- genode_wg_u16_t endpoint_port);
+typedef void (*genode_wg_config_rm_peer_t) (
+ genode_wg_u8_t const *const pub_key
+);
 struct genode_wg_config_callbacks
diff --git a/repos/dde_linux/src/app/wireguard/lx_emul.c b/repos/dde_linux/src/app/wireguard/lx_emul.c
index bed8660613..f365fe9c17 100644
--- a/repos/dde_linux/src/app/wireguard/lx_emul.c
+++ b/repos/dde_linux/src/app/wireguard/lx_emul.c
@@ -14,7 +14,19 @@
 /* app/wireguard includes */
 #include
+/* dde_linux/src/include/lx_emul */
 #include
+
+
+#include
+
+void __icmp_send(struct sk_buff * skb_in,int type,int code,__be32 info,const struct ip_options * opt)
+{
+ printk("Warning: sending ICMP not supported\n");
+ kfree_skb(skb_in);
+}
+
+
 #include
 void get_random_bytes(void * buf,int nbytes)
diff --git a/repos/dde_linux/src/app/wireguard/spec/arm_64/generated_dummies.c b/repos/dde_linux/src/app/wireguard/spec/arm_64/generated_dummies.c
index 56074c7607..14a7b6862b 100644
--- a/repos/dde_linux/src/app/wireguard/spec/arm_64/generated_dummies.c
+++ b/repos/dde_linux/src/app/wireguard/spec/arm_64/generated_dummies.c
@@ -39,14 +39,6 @@ unsigned long __get_free_pages(gfp_t gfp_mask,unsigned int order)
 }
-#include
-
-void __icmp_send(struct sk_buff * skb_in,int type,int code,__be32 info,const struct ip_options * opt)
-{
- lx_emul_trace_and_stop(__func__);
-}
-
-
 #include
 int __ipv6_addr_type(const struct in6_addr * addr)
@@ -71,14 +63,6 @@ struct irq_desc * __irq_resolve_mapping(struct irq_domain * domain,irq_hw_number
 }
-#include
-
-void __netif_napi_del(struct napi_struct * napi)
-{
- lx_emul_trace_and_stop(__func__);
-}
-
-
 #include
 unsigned long __per_cpu_offset[NR_CPUS] = {};
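Review bot: The new `genode_wg_config_rm_peer_t` takes `pub_key` as a bare `genode_wg_u8_t const *const`, and nothing in the header says how many bytes the callee reads; the C implementation copies `sizeof(peer->public_key.data)` bytes while the C++ caller passes a `WG_KEY_LEN` array, so the contract is implicit on both sides. A comment on the typedef such as `/* pub_key: raw (base64-decoded) WireGuard public key; the callee reads the full key length from it */` would pin it down, or the parameter could be declared with its array length if the key-length constant is visible from this header.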
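Review bot: `__icmp_send` frees `skb_in`, but in upstream Linux this function does not consume the packet it reports on — the caller keeps ownership and usually drops it itself afterwards; wireguard's transmit error path, as I recall it, calls `icmp_ndo_send` and then `kfree_skb` on the same skb, which is exactly the path a packet addressed to a just-removed peer takes. If the contrib code here behaves the same, this stub introduces a double free that the feature added by this commit can trigger; the stub should only log and return, dropping the `kfree_skb(skb_in);` line, with a comment like `/* caller still owns skb_in; must not free it here */`. The deleted `generated_dummies.c` variant stopped the system instead, so turning it into a silent return is a behaviour change worth a sentence in the commit message.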
@@ -437,14 +421,6 @@ void migrate_enable(void)
 }
-#include
-
-void napi_disable(struct napi_struct * n)
-{
- lx_emul_trace_and_stop(__func__);
-}
-
-
 #include
 void netif_carrier_off(struct net_device * dev)
diff --git a/repos/dde_linux/src/app/wireguard/spec/x86_64/generated_dummies.c b/repos/dde_linux/src/app/wireguard/spec/x86_64/generated_dummies.c
index 66bdcc1066..4b3ad3dc9a 100644
--- a/repos/dde_linux/src/app/wireguard/spec/x86_64/generated_dummies.c
+++ b/repos/dde_linux/src/app/wireguard/spec/x86_64/generated_dummies.c
@@ -31,14 +31,6 @@ const char * __clk_get_name(const struct clk * clk)
 }
-#include
-
-void __icmp_send(struct sk_buff * skb_in,int type,int code,__be32 info,const struct ip_options * opt)
-{
- lx_emul_trace_and_stop(__func__);
-}
-
-
 #include
 int __ipv6_addr_type(const struct in6_addr * addr)
@@ -63,14 +55,6 @@ struct irq_desc * __irq_resolve_mapping(struct irq_domain * domain,irq_hw_number
 }
-#include
-
-void __netif_napi_del(struct napi_struct * napi)
-{
- lx_emul_trace_and_stop(__func__);
-}
-
-
 #include
 void __put_page(struct page * page)
@@ -410,14 +394,6 @@ void kvfree(const void * addr)
 unsigned long lpj_fine;
-#include
-
-void napi_disable(struct napi_struct * n)
-{
- lx_emul_trace_and_stop(__func__);
-}
-
-
 #include
 void netif_carrier_off(struct net_device * dev)