Index: wgsync/makefile ================================================================== --- wgsync/makefile +++ wgsync/makefile @@ -11,27 +11,27 @@ ld-flags = $(pq-lib) $(dbg-flags) # link rule .PHONY: wgsync -$B/wgsync: $B/wgsync.o $B/pqp.o $B/def.o $B/wireguard.o | $B/ +$B/wgsync: $B/wgsync.o $B/pqp.o $B/def.o $B/wglist.o $B/wireguard.o | $B/ $(CC) $(ld-flags) $^ -o $@ # build rules -$B/%.o: src/%.c | $B/ +$B/%.o: src/%.c src/def.h | $B/ $(CC) $(cc-flags) -c $< -o $@ $B/wireguard.o: $E/wglib/wireguard.c $E/wglib/wireguard.h | $B/ $(CC) -std=c11 -c $< -o $@ # dep listings -$B/wgsync.o: $E/wglib/wireguard.h src/pqp.h src/def.h -$B/pqp.o: src/pqp.h src/def.h -$B/def.o: src/def.h +$B/wgsync.o: $E/wglib/wireguard.h src/pqp.h src/wglist.h src/list.h +$B/wglist.o: $E/wglib/wireguard.h src/wglist.h src/list.h +$B/pqp.o: src/pqp.h # fetch rules %/: mkdir -p $@ wg-lib-uri = https://git.zx2c4.com/wireguard-tools/plain/contrib/embeddable-wg-library $E/wglib/%: | $E/wglib/ curl $(wg-lib-uri)/$* >$@ Index: wgsync/src/list.h ================================================================== --- wgsync/src/list.h +++ wgsync/src/list.h @@ -1,9 +1,5 @@ -#ifndef _ll_delete -#define _ll_delete free -#endif - #ifndef _ll_ffirst #define _ll_ffirst _cat(first_,_ll_rec) #endif #ifndef _ll_flast 
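Review bot: In wgsync/makefile the new `$B/wglist.o` line adds another object that compiles against `$E/wglib/wireguard.h`, which the fetch rule at the end of this hunk (unchanged context) downloads with `curl $(wg-lib-uri)/$* >$@` and no integrity check. Without `-f`, curl writes an HTTP error page into the target and make treats it as built. Because the URL serves whatever upstream currently has, the code linked into a tool that reconfigures WireGuard peers is neither pinned nor reproducible. Consider `curl -f`, a `.DELETE_ON_ERROR:` target, and a checksum file kept in the repository and verified after download (for example with `sha256sum -c`), or vendor the two files.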
@@ -12,20 +8,54 @@ #ifndef _ll_fnext #define _ll_fnext _cat(next_,_ll_rec) #endif +#define _LL_fn(act) _cat(_cat(_ll_ns,_),_cat(_cat(act,_), _ll_rec)) #ifndef _ll_dropfn -#define _ll_dropfn _cat(_cat(_ll_ns,_),_cat(drop_, _ll_rec)) +#define _ll_dropfn _LL_fn(drop) #endif #ifndef _ll_pushfn -#define _ll_pushfn _cat(_cat(_ll_ns,_),_cat(push_, _ll_rec)) +#define _ll_pushfn _LL_fn(push) +#endif + +#ifndef _ll_newfn +#define _ll_newfn _LL_fn(new) +#endif + +#ifndef _ll_delete +#define _ll_delete free +# ifdef _ll_impl +# include +# endif +#endif + +#ifdef _ll_impl +# define _LL_impl(...) __VA_ARGS__ +# include "def.h" +#else +# define _LL_impl(...) ; #endif + +void _ll_pushfn +(_ll_box* box, _ll_obj* obj) _LL_impl({ + if (box -> _ll_flast) + box -> _ll_flast -> _ll_fnext = obj; + else box -> _ll_ffirst = obj; + box -> _ll_flast = obj; +}) + +_ll_obj* _ll_newfn +(_ll_box* box) _LL_impl({ + _ll_obj* o = calloc(1, sizeof(_ll_obj)); + _ll_pushfn(box, o); + return o; +}) void _ll_dropfn -(_ll_box* box, _ll_obj* obj) { +(_ll_box* box, _ll_obj* obj) _LL_impl({ if(box -> _ll_ffirst == obj) { if(box -> _ll_flast == obj) { box -> _ll_ffirst = box -> _ll_flast = null; } else { box -> _ll_ffirst = obj -> _ll_fnext; @@ -52,15 +82,22 @@ _fatal("BUG in elt deletion routine"); found2 :; } } _ll_delete (obj); -} +}) + +#undef _LL_fn +#undef _LL_impl + +#undef _ll_pushfn +#undef _ll_newfn +#undef _ll_dropfn #undef _ll_ffirst #undef _ll_flast #undef _ll_ns #undef _ll_box #undef _ll_obj #undef _ll_rec #undef _ll_iter #undef _ll_delete ADDED wgsync/src/wglist.c Index: wgsync/src/wglist.c ================================================================== --- wgsync/src/wglist.c +++ wgsync/src/wglist.c @@ -0,0 +1,2 @@ +#define _ll_impl +#include "wglist.h" ADDED wgsync/src/wglist.h Index: wgsync/src/wglist.h ================================================================== --- wgsync/src/wglist.h +++ wgsync/src/wglist.h 
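Review bot: `_ll_newfn` in src/list.h hands the `calloc` result straight to `_ll_pushfn` without checking it. On allocation failure the push stores a null pointer as the box's last element, and the callers added in wgsync.c then `memcpy` into the returned null pointer. The drop routine in this file already uses `_fatal`, so adding `if (!o) _fatal("out of memory");` before the push would fail cleanly instead of corrupting the list.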
@@ -0,0 +1,17 @@ +#pragma once +#include "def.h" +#include + +#define _ll_rec peer +#define _ll_box wg_device +#define _ll_obj wg_peer +#define _ll_iter wg_for_each_peer +#define _ll_ns wgd +#include "list.h" + +#define _ll_rec allowedip +#define _ll_box wg_peer +#define _ll_obj wg_allowedip +#define _ll_iter wg_for_each_allowedip +#define _ll_ns wgd_peer +#include "list.h" Index: wgsync/src/wgsync.c ================================================================== --- wgsync/src/wgsync.c +++ wgsync/src/wgsync.c @@ -12,10 +12,14 @@ #include #include /* libs */ #include +#include "wglist.h" + /* wireguard uses messy linked lists but doesn't + * provide any routines for manipulating them; + * wglist.h fills in the gap */ #include size_t dumpEndpoint(char* d, const wg_endpoint* const e) { @@ -127,23 +131,10 @@ free(peer); } /* linked list manipulation routines */ -#define _ll_rec peer -#define _ll_box wg_device -#define _ll_obj wg_peer -#define _ll_iter wg_for_each_peer -#define _ll_ns wgd -#include "list.h" - -#define _ll_rec allowedip -#define _ll_box wg_peer -#define _ll_obj wg_allowedip -#define _ll_iter wg_for_each_allowedip -#define _ll_ns wgd_peer -#include "list.h" #if 0 void wgd_drop_peer(wg_device* dev, wg_peer* peer) { if(dev -> first_peer == peer) { if(dev -> last_peer == peer) { @@ -278,10 +269,14 @@ if(!foundIP) { /* this IP hasn't been loaded into the * kernel yet; upload it now */ _infof("inserting IP PG%zu %s", j, inetstr); + // is this necessary? FIXME + /* found -> flags |= WGPEER_REPLACE_ALLOWEDIPS; */ + wg_allowedip* nip = wgd_peer_new_allowedip(found); + memcpy(nip, &aip, sizeof aip); dirty = true; } } if(goodIPc < ips -> sz) { 
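Review bot: In the `@@ -278,10 +269,14 @@` hunk of wgsync.c, the added `memcpy(nip, &aip, sizeof aip);` copies the whole `wg_allowedip` over a node that `wgd_peer_new_allowedip(found)` has already linked into the peer's list, so the node's `next_allowedip` link is overwritten with whatever `aip` holds. If `inet_to_allowedip` (not visible here) does not zero that field, the list tail ends up pointing at an indeterminate address that later list walks will follow. Either copy only the address fields or reset the link after the copy with `nip -> next_allowedip = null;`. The same pattern recurs in the new-peer branch of the following hunk (`wgd_peer_new_allowedip(np)`). The enclosing function begins and ends outside this hunk.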
@@ -289,49 +284,65 @@ wg_allowedip* wgip; wg_for_each_allowedip(found, wgip) { char inetstr[256]; dumpAllowedIP(inetstr, wgip); _dbgf("IP WG%zu :: %s", l, inetstr); - if(!goodIPs[l]) { + if(l flags |= WGPEER_REPLACE_ALLOWEDIPS; dirty = true; } ++l;} } } else { _infof("inserting key %s", key_b64); dirty = true; /* install new peer */ + wg_peer* np = wgd_new_peer(wg); + np -> flags = WGPEER_HAS_PUBLIC_KEY; + memcpy(np -> public_key, key, sizeof key); + for (size_t j = 0; j < ips -> sz; ++j) { char inetstr[256]; wg_allowedip aip = inet_to_allowedip(ips -> elts[j].data); dumpAllowedIP(inetstr, &aip); _dbgf("new IP %zu :: %s", j, inetstr); + wg_allowedip* nip = wgd_peer_new_allowedip(np); + memcpy(nip, &aip, sizeof aip); } } free(ips); } { size_t i=0; wg_peer* p; wg_for_each_peer(wg, p) { - if(valid_peers[i] == false) { + if(ipublic_key); _infof("dropping peer %s", b64); - wgd_drop_peer(wg, p); + //wgd_drop_peer(wg, p); + p -> flags |= WGPEER_REMOVE_ME; dirty = true; } ++i;}} _dbg("final peer list:"); { size_t j=0; wg_peer* p; wg_for_each_peer(wg, p) { char b64 [128]; wg_key_to_base64(b64, p->public_key); - _dbgf("P%zu :: %s", j, b64); + _dbgf("P%zu :: %s%s", j, b64, + p->flags & WGPEER_REMOVE_ME ? " [DELETE]" : + p->flags & WGPEER_REPLACE_ALLOWEDIPS ? " [CHGIP]" : ""); ++j;}} - if(dirty) wg_set_device(wg); + dirty = true; + if(dirty) { + int e = wg_set_device(wg); + if(e != 0) + _fatalf("could not set wg device (error %i)", -e); + } PQclear(rows); } int main(int argc, char** argv) {
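Review bot: The bare `dirty = true;` added just before `if(dirty) {` makes the guard always true, so `wg_set_device(wg)` runs on every sync even when nothing changed. It reads like a debugging leftover and should be dropped, or the guard removed deliberately with a comment. In the new-peer branch, `memcpy(np -> public_key, key, sizeof key);` sizes the copy from the source. If `key` is a pointer rather than a `wg_key` array (its declaration is outside this hunk), only a pointer's worth of the public key is copied, so `sizeof np -> public_key` is the safer bound. The function starts outside the hunk.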