gutd 2.5.2

WireGuard traffic obfuscation library — QUIC-like encapsulation, cross-platform userspace proxy, optional eBPF fast path on Linux
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73

# GUT Compliance Checklist (Current Repository)

This checklist tracks what the current code actually implements.

## 1. Protocol Layout

- [ok] `udp_payload` is transformed in place (no extra protocol header bytes added)
- [ok] `GUT_WIRE_HDR_SIZE = 0`, `GUT_MIN_OVERHEAD = 0`
- [ok] Ballast length is carried in byte 1 (`reserved[0]`)
- [ok] Ballast tail is appended/trimmed symmetrically on egress/ingress

Sources:

- `src/tc/bpf/gut_common.h`
- `src/tc/bpf/tc_gut_egress.bpf.c`
- `src/tc/bpf/xdp_gut_ingress.bpf.c`

## 2. Datapath Behavior

- [ok] Egress applies payload transform for WG types and optional ballast append
- [ok] Ingress applies reverse transform and ballast tail trim
- [ok] Keepalive packets can be probabilistically dropped by config (`keepalive_drop_percent`)
- [ok] Outer UDP checksum is always computed and written by egress BPF

## 3. Config/Control-Plane Consistency

- [ok] Config uses `keepalive_drop_percent` (0..100)
- [ok] Rust `GutConfig` and BPF `struct gut_config` layouts are aligned

Sources:

- `src/config.rs`
- `src/tc/maps.rs`
- `src/tc/loader.rs`
- `src/tc/bpf/gut_common.h`

## 4. MTU/Overhead Accounting

- [ok] Rust overhead constants reflect payload-only mode (no extra protocol bytes)
- [ok] Sample config docs updated to payload-only overhead formulas

Sources:

- `src/tc/maps.rs`
- `gutd.conf`
- `src/installer.rs`

## 5. Safety/Reliability Constraints

- [ok] BPF verifier-safe bounds checks retained on variable-length operations
- [ok] Scratch map is used for bounded packet read/modify/write operations
- [ok] Invalid cookie / malformed packets are dropped on ingress
- [ok] Checksum calculation failures drop packet (no invalid packet emission)

## 6. Verification Commands

Recommended validation sequence:

```bash
cargo build
bash tests/check-deps.sh       # check host dependencies
sudo bash tests/integration-wg.sh  # full TC/XDP integration test
```

Optional live checksum check:

```bash
sudo tcpdump -ni <iface> -vv -n 'udp port <gut_port>'
```

## 7. Known Compatibility Note

The current QUIC-encapsulated wire format is not interoperable with legacy nonce/pkt_id/cookie peers.