From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id BB04A1FF141 for ; Tue, 19 May 2026 21:07:16 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 3B3F5105BA; Tue, 19 May 2026 21:07:16 +0200 (CEST) From: Gabriel Goller To: pve-devel@lists.proxmox.com Subject: [PATCH proxmox-ve-rs] sdn: use service endpoints for internal WireGuard peers Date: Tue, 19 May 2026 21:07:05 +0200 Message-ID: <20260519190708.266138-1-g.goller@proxmox.com> X-Mailer: git-send-email 2.47.3 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1779217617734 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.028 Adjusted score from AWL reputation of 
From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: UQ34DI5FOI5XE6YJ47HGVPLUNHLSQ36N X-Message-ID-Hash: UQ34DI5FOI5XE6YJ47HGVPLUNHLSQ36N X-MailFrom: g.goller@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox VE development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Store internal WireGuard node and peer endpoints as full service endpoints, including the port, and pass them through directly when generating WireGuard peer configuration (this avoids the "ip:port:port" construct in the wireguard config). Update WireGuard fabric tests to use host:port endpoints for internal nodes. Signed-off-by: Gabriel Goller --- .../src/sdn/fabric/section_config/mod.rs | 4 ++-- .../fabric/section_config/protocol/wireguard.rs | 6 +++--- proxmox-ve-config/src/sdn/wireguard.rs | 15 ++++----------- 3 files changed, 9 insertions(+), 16 deletions(-) diff --git a/proxmox-ve-config/src/sdn/fabric/section_config/mod.rs b/proxmox-ve-config/src/sdn/fabric/section_config/mod.rs index e7134414bfa7..9833369149c2 100644 --- a/proxmox-ve-config/src/sdn/fabric/section_config/mod.rs +++ b/proxmox-ve-config/src/sdn/fabric/section_config/mod.rs 
@@ -168,13 +168,13 @@ wireguard_node: wireg_external wireguard_node: wireg_pve1 role internal - endpoint 192.0.2.2 + endpoint 192.0.2.2:51111 interfaces name=wg0,listen_port=51111,public_key=Kay64UG8yvCyLhqU000LxzYeUm0L/hLIl5S8kyKWbdc= peers type=internal,node=pve2,node_iface=wg0,iface=wg0 wireguard_node: wireg_pve2 role internal - endpoint 192.0.2.3 + endpoint 192.0.2.3:51111 interfaces name=wg0,listen_port=51111,public_key=Kay64UG8yvCyLhqU000LxzYeUm0L/hLIl5S8kyKWbdc= peers type=internal,node=pve1,node_iface=wg0,iface=wg0 "#; diff --git a/proxmox-ve-config/src/sdn/fabric/section_config/protocol/wireguard.rs b/proxmox-ve-config/src/sdn/fabric/section_config/protocol/wireguard.rs index 0c32c0c747f8..f01b7e73a406 100644 --- a/proxmox-ve-config/src/sdn/fabric/section_config/protocol/wireguard.rs +++ b/proxmox-ve-config/src/sdn/fabric/section_config/protocol/wireguard.rs @@ -34,7 +34,7 @@ use std::ops::{Deref, DerefMut}; use anyhow::Result; use const_format::concatcp; -use proxmox_network_types::endpoint::{HostnameOrIpAddr, ServiceEndpoint}; +use proxmox_network_types::endpoint::ServiceEndpoint; use proxmox_network_types::ip_address::{Cidr, Ipv4Cidr, Ipv6Cidr}; use proxmox_schema::api_types::CIDR_SCHEMA; use proxmox_schema::{api, property_string::PropertyString, ApiStringFormat, Updater, UpdaterType}; @@ -274,7 +274,7 @@ pub struct InternalWireGuardNode { /// The endpoint used for connecting to this node. #[serde(default, skip_serializing_if = "Option::is_none")] #[updater(serde(skip_serializing_if = "Option::is_none"))] - pub(crate) endpoint: Option, + pub(crate) endpoint: Option, /// The interfaces that should get created on this node. #[serde(default, skip_serializing_if = "Vec::is_empty")] 
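Review bot: Changing the stored type of `endpoint` in the `InternalWireGuardNode` hunk (@@ -274), and again in the `InternalPeer` hunk (@@ -378), changes the accepted on-disk syntax, and nothing in the patch covers section configs that still hold a bare host such as `endpoint 192.0.2.2`. The type parameter is not visible in this rendering; judging by the import change it is presumably `Option<ServiceEndpoint>`, and whether that parser accepts a value without a port cannot be seen here. If it does not, an existing fabric configuration would stop parsing after the upgrade, so a fallback for the old form or an explicit migration step is worth adding, together with a test for the port-less input. The field doc should also state the new format, for example `/// The endpoint (host:port) used for connecting to this node.`. Both struct definitions start and end outside their hunks.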
@@ -378,7 +378,7 @@ pub struct InternalPeer { /// Override for the endpoint settings in the node section. #[serde(default, skip_serializing_if = "Option::is_none")] #[updater(serde(skip_serializing_if = "Option::is_none"))] - pub(crate) endpoint: Option, + pub(crate) endpoint: Option, /// Additional allowed IPs for this peer #[serde(default, skip_serializing_if = "Vec::is_empty")] #[updater(serde(skip_serializing_if = "Option::is_none"))] diff --git a/proxmox-ve-config/src/sdn/wireguard.rs b/proxmox-ve-config/src/sdn/wireguard.rs index 61be336e1dfb..6182944375b4 100644 --- a/proxmox-ve-config/src/sdn/wireguard.rs +++ b/proxmox-ve-config/src/sdn/wireguard.rs @@ -3,7 +3,6 @@ use std::ops::Deref; use anyhow::bail; -use proxmox_network_types::endpoint::ServiceEndpoint; use proxmox_network_types::ip_address::{Ipv4Cidr, Ipv6Cidr}; use proxmox_sdn_types::wireguard::PersistentKeepalive; use proxmox_wireguard::{WireGuardConfig, WireGuardInterface, WireGuardPeer}; @@ -90,14 +89,8 @@ impl WireGuardConfigBuilder { let endpoint = peer .endpoint - .as_ref() - .or(wireguard_node.endpoint.as_ref()) - .map(|endpoint| { - ServiceEndpoint::new( - endpoint.to_string(), - peer_interface.listen_port, - ) - }); + .clone() + .or_else(|| wireguard_node.endpoint.clone()); let mut allowed_ips = Vec::new(); @@ -233,14 +226,14 @@ wireguard_node: wireg_external wireguard_node: wireg_pve1 role internal - endpoint 192.0.2.2 + endpoint 192.0.2.2:51111 allowed_ips 203.0.113.0/25 interfaces name=wg0,listen_port=51111,public_key=GDPUAnPOY5xGIjYXmcGyXZXbocjBr21dGQ5vwnjmdzA=,ip=198.51.100.1/24 peers type=internal,node=pve2,node_iface=wg0,iface=wg0 wireguard_node: wireg_pve2 role internal - endpoint 192.0.2.3 + endpoint 192.0.2.3:51111 interfaces name=wg0,listen_port=51111,public_key=y0kOpXfo9ff4KoUwO3H1cRuwObbKwsK8mAkwXxNvKUc= peers type=internal,node=pve1,node_iface=wg0,iface=wg0 peers type=external,node=external,iface=wg0 -- 2.47.3
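Review bot: In the `WireGuardConfigBuilder` hunk (@@ -90) the peer's port no longer comes from `peer_interface.listen_port`, so nothing ties the generated endpoint to the port the peer interface actually listens on. The node-level fallback `wireguard_node.endpoint.clone()` carries one port for the whole node, while the node section holds a list of interfaces that each have their own `listen_port`; a peer on a second interface with a different port would get the node's single port unless a per-peer override is set. If a differing port is intended (a forwarded port, say), state it in a comment such as `// endpoint port is taken as configured and may differ from peer_interface.listen_port`; otherwise reject or warn on a mismatch when the config is built, so a misrouted tunnel does not fail silently. The updated fixtures only cover the case where both ports are 51111, so a test with two interfaces or a differing port would pin the chosen behaviour. The enclosing function begins and ends outside the hunk.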