wg: man: include kill-switch documentation using fwmark

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

src/wg-quick.8

@@ -129,6 +129,42 @@ indicates that a DNS server for the interface should be configured via
 The peer's allowed IPs entry implies that this interface should be configured as the default gateway,
 which this script does.
 
+Building on the last example, one might attempt the so-called ``kill-switch'', in order
+to prevent the flow of unencrypted packets through the non-WireGuard interfaces:
+
+    [Interface] 
+.br
+    Address = 10.200.100.8/24
+.br
+    DNS = 10.200.100.1
+.br
+    PrivateKey = oK56DE9Ue9zK76rAc8pBl6opph+1v36lm7cXXsQKrQM= 
+.br
+    \fBPostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -j REJECT\fP
+.br
+    \fBPreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -j REJECT\fP
+.br
+     
+.br
+    [Peer] 
+.br
+    PublicKey = GtL7fZc/bLnqZldpVofMCD6hDjrK28SsdLxevJ+qtKU= 
+.br
+    PresharedKey = /UwcSPg38hW/D9Y3tcS1FOV0K1wuURMbS0sesJEP5ak= 
+.br
+    AllowedIPs = 0.0.0.0/0 
+.br
+    Endpoint = demo.wireguard.com:51820 
+.br
+
+The `PostUp' and `PreDown' fields have been added to specify an
+.BR iptables (8)
+command which, when used with interfaces that have a peer that specifies 0.0.0.0/0 as part of the
+`AllowedIPs', works together with wg-quick's fwmark usage in order to drop all packets that
+are either not coming out of the tunnel encrypted or not going through the tunnel itself. (Note
+that this continues to allow most DHCP traffic through, since most DHCP clients make use of PF_PACKET
+sockets, which bypass Netfilter.)
+
 Here is a more complicated example, fit for usage on a server:
     
     [Interface]