Add integration tests for allowed IP removal

Add testRemoveManyIPs to the integration tests to exercise the direct
allowed IP removal capability and run the test suite on all platforms.

$ WGCTRL_INTEGRATION go test .

┏━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━┓
┃ OPERATING SYSTEM ┃ DRIVER       ┃ REMOVE IP SUPPORTED ┃ RESULT ┃
┡━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━┩
│ FreeBSD 14.2     │ native       │ no                  │ PASS   │
├──────────────────┼──────────────┼─────────────────────┼────────┤
│ OpenBSD 7.7      │ native       │ no                  │ PASS*  │
├──────────────────┼──────────────┼─────────────────────┼────────┤
│ Windows 11       │ native       │ no                  │ PASS** │
├──────────────────┼──────────────┼─────────────────────┼────────┤
│ Linux            │ native       │ no                  │ PASS   │
├──────────────────┼──────────────┼─────────────────────┼────────┤
│ Linux            │ wireguard-go │ no                  │ PASS   │
├──────────────────┼──────────────┼─────────────────────┼────────┤
│ Linux            │ native       │ yes                 │        │
├──────────────────┼──────────────┼─────────────────────┼────────┤
│ Linux            │ wireguard-go │ yes                 │ PASS   │
└──────────────────┴──────────────┴─────────────────────┴────────┘

On systems where direct IP removal is not supported, I also made sure
that ConfigureDevice returns an error when Remove is used without the
shim.

*  OpenBSD skips this test case, since the driver is read only.
** Two assertions fail in Windows due to missing protocol version, but
   testRemoveManyIPs passes.

Signed-off-by: Jordan Rife <[email protected]>

Author: jrife

client_integration_test.go

@@ -20,7 +20,7 @@ import (
 )
 
 func TestIntegrationClient(t *testing.T) {
-	c, done := integrationClient(t)
+	c, done := integrationClient(t, false)
 	defer done()
 
 	devices, err := c.Devices()
@@ -43,6 +43,14 @@ func TestIntegrationClient(t *testing.T) {
 			name: "configure",
 			fn:   testConfigure,
 		},
+		{
+			name: "remove many IPs",
+			fn: func(t *testing.T, _ *wgctrl.Client, d *wgtypes.Device) {
+				c, done := integrationClient(t, true)
+				defer done()
+				testRemoveManyIPs(t, c, d)
+			},
+		},
 		{
 			name: "configure many IPs",
 			fn:   testConfigureManyIPs,
@@ -91,15 +99,15 @@ func TestIntegrationClient(t *testing.T) {
 }
 
 func TestIntegrationClientIsNotExist(t *testing.T) {
-	c, done := integrationClient(t)
+	c, done := integrationClient(t, false)
 	defer done()
 
 	if _, err := c.Device("wgnotexist0"); !errors.Is(err, os.ErrNotExist) {
 		t.Fatalf("expected is not exist error, but got: %v", err)
 	}
 }
 
-func integrationClient(t *testing.T) (*wgctrl.Client, func()) {
+func integrationClient(t *testing.T, useShim bool) (*wgctrl.Client, func()) {
 	t.Helper()
 
 	const (
@@ -112,7 +120,12 @@ func integrationClient(t *testing.T) (*wgctrl.Client, func()) {
 			env, confirm)
 	}
 
-	c, err := wgctrl.New()
+	var opts []wgctrl.Option
+	if useShim {
+		opts = append(opts, wgctrl.WithShim)
+	}
+
+	c, err := wgctrl.New(opts...)
 	if err != nil {
 		if errors.Is(err, os.ErrNotExist) {
 			t.Skip("skipping, wgctrl is not available on this system")
@@ -223,6 +236,94 @@ func testConfigure(t *testing.T, c *wgctrl.Client, d *wgtypes.Device) {
 	t.Log(out)
 }
 
+func testRemoveManyIPs(t *testing.T, c *wgctrl.Client, d *wgtypes.Device) {
+	// Apply 511 IPs per peer.
+	var (
+		countIPs       int
+		peers          []wgtypes.PeerConfig
+		peersRemoveIPs []wgtypes.PeerConfig
+	)
+
+	for i := 0; i < 2; i++ {
+		cidr := "2001:db8::/119"
+		if i == 1 {
+			cidr = "2001:db8:ffff::/119"
+		}
+
+		cur, err := ipaddr.Parse(cidr)
+		if err != nil {
+			t.Fatalf("failed to create cursor: %v", err)
+		}
+
+		var ips []net.IPNet
+		for pos := cur.Next(); pos != nil; pos = cur.Next() {
+			bits := 128
+			if pos.IP.To4() != nil {
+				bits = 32
+			}
+
+			ips = append(ips, net.IPNet{
+				IP:   pos.IP,
+				Mask: net.CIDRMask(bits, bits),
+			})
+		}
+
+		peers = append(peers, wgtypes.PeerConfig{
+			PublicKey:         wgtest.MustPublicKey(),
+			ReplaceAllowedIPs: true,
+			AllowedIPs:        ipsToAllowedIPConfig(ips),
+		})
+
+		peersRemoveIPs = append(peersRemoveIPs, wgtypes.PeerConfig{
+			PublicKey:  peers[len(peers)-1].PublicKey,
+			AllowedIPs: ipsToAllowedIPConfig(ips),
+		})
+
+		// Remove every other IP
+		for i := range peersRemoveIPs[len(peersRemoveIPs)-1].AllowedIPs {
+			peersRemoveIPs[len(peersRemoveIPs)-1].AllowedIPs[i].Remove = i%2 == 0
+		}
+
+		countIPs += len(ips)
+	}
+
+	cfg := wgtypes.Config{
+		ReplacePeers: true,
+		Peers:        peers,
+	}
+	removeCfg := wgtypes.Config{
+		Peers: peersRemoveIPs,
+	}
+
+	tryConfigure(t, c, d.Name, cfg)
+
+	dn, err := c.Device(d.Name)
+	if err != nil {
+		t.Fatalf("failed to get %q by name: %v", d.Name, err)
+	}
+
+	peerIPs := countPeerIPs(dn)
+	if diff := cmp.Diff(countIPs, peerIPs); diff != "" {
+		t.Fatalf("unexpected number of configured peer IPs (-want +got):\n%s", diff)
+	}
+
+	t.Logf("device: %s: %d IPs", d.Name, peerIPs)
+
+	tryConfigure(t, c, d.Name, removeCfg)
+
+	dn, err = c.Device(d.Name)
+	if err != nil {
+		t.Fatalf("failed to get %q by name: %v", d.Name, err)
+	}
+
+	peerIPs = countPeerIPs(dn)
+	if diff := cmp.Diff(countIPs/2-1, peerIPs); diff != "" {
+		t.Fatalf("unexpected number of configured peer IPs (-want +got):\n%s", diff)
+	}
+
+	t.Logf("device: %s: %d IPs after remove", d.Name, peerIPs)
+}
+
 func testConfigureManyIPs(t *testing.T, c *wgctrl.Client, d *wgtypes.Device) {
 	// Apply 511 IPs per peer.
 	var (