wgtypes: Add Remove flag to allowed IPs

[1] adds the WGALLOWEDIP_F_REMOVE_ME flag to WireGuard's Netlink
API which, in the same way that WGPEER_F_REMOVE_ME allows a user to
remove a single peer from a WireGuard device's configuration, allows a
user to remove an ip from a peer's set of allowed ips. This capability
was subsequently ported to wireguard-go as well.

Add support for this feature to wgctrl-go, allowing clients to
incrementally remove allowed IPs on a peer like so:

wgtypes.Config{
	Peers: []wgtypes.PeerConfig{
		{
			PublicKey: peerKey,
			AllowedIPs: []wgtypes.AllowedIPConfig{
				{
					IPNet:  ip,
					Remove: true,
				},
			},
		},
	},
}

[1]: https://lore.kernel.org/netdev/[email protected]/

Signed-off-by: Jordan Rife <[email protected]>

Author: jrife

client_integration_test.go

@@ -141,6 +141,18 @@ func testGet(t *testing.T, c *wgctrl.Client, d *wgtypes.Device) {
 	}
 }
 
+func ipsToAllowedIPConfig(ips []net.IPNet) []wgtypes.AllowedIPConfig {
+	result := make([]wgtypes.AllowedIPConfig, len(ips))
+
+	for i := range ips {
+		result[i] = wgtypes.AllowedIPConfig{
+			IPNet: ips[i],
+		}
+	}
+
+	return result
+}
+
 func testConfigure(t *testing.T, c *wgctrl.Client, d *wgtypes.Device) {
 	var (
 		port = 8888
@@ -162,7 +174,7 @@ func testConfigure(t *testing.T, c *wgctrl.Client, d *wgtypes.Device) {
 		Peers: []wgtypes.PeerConfig{{
 			PublicKey:         peerKey,
 			ReplaceAllowedIPs: true,
-			AllowedIPs:        ips,
+			AllowedIPs:        ipsToAllowedIPConfig(ips),
 		}},
 	}
 
@@ -245,7 +257,7 @@ func testConfigureManyIPs(t *testing.T, c *wgctrl.Client, d *wgtypes.Device) {
 		peers = append(peers, wgtypes.PeerConfig{
 			PublicKey:         wgtest.MustPublicKey(),
 			ReplaceAllowedIPs: true,
-			AllowedIPs:        ips,
+			AllowedIPs:        ipsToAllowedIPConfig(ips),
 		})
 
 		countIPs += len(ips)
@@ -295,7 +307,7 @@ func testConfigureManyPeers(t *testing.T, c *wgctrl.Client, d *wgtypes.Device) {
 				Port: 1111,
 			},
 			PersistentKeepaliveInterval: &dur,
-			AllowedIPs:                  ips,
+			AllowedIPs:                  ipsToAllowedIPConfig(ips),
 		})
 	}
 
@@ -370,7 +382,6 @@ func testConfigurePeersUpdateOnly(t *testing.T, c *wgctrl.Client, d *wgtypes.Dev
 			t.Skip("FreeBSD kernel devices do not support UpdateOnly flag")
 		}
 
-
 		t.Fatalf("failed to configure second time on %q: %v", d.Name, err)
 	}
 

client_test.go

@@ -240,3 +240,7 @@ func (c *testClient) Device(name string) (*wgtypes.Device, error) {
 func (c *testClient) ConfigureDevice(name string, cfg wgtypes.Config) error {
 	return c.ConfigureDeviceFunc(name, cfg)
 }
+
+func (c *testClient) SupportsAllowedIPRemove(name string) (bool, error) {
+	return false, nil
+}

internal/wgfreebsd/client_freebsd.go

@@ -179,7 +179,10 @@ func (c *Client) ConfigureDevice(name string, cfg wgtypes.Config) error {
 		}
 	}
 
-	m := unparseConfig(cfg)
+	m, err := unparseConfig(cfg)
+	if err != nil {
+		return err
+	}
 	mem, sz, err := nv.Marshal(m)
 	if err != nil {
 		return err
@@ -459,7 +462,7 @@ func parseDevice(data []byte) (*wgtypes.Device, error) {
 }
 
 // unparsePeerConfig encodes a PeerConfig to a name-value list (nvlist).
-func unparsePeerConfig(cfg wgtypes.PeerConfig) nv.List {
+func unparsePeerConfig(cfg wgtypes.PeerConfig) (nv.List, error) {
 	m := nv.List{}
 
 	m["public-key"] = cfg.PublicKey[:]
@@ -488,17 +491,21 @@ func unparsePeerConfig(cfg wgtypes.PeerConfig) nv.List {
 		aips := []nv.List{}
 
 		for _, aip := range cfg.AllowedIPs {
-			aips = append(aips, unparseAllowedIP(aip))
+			if aip.Remove {
+				return nv.List{}, fmt.Errorf("allowed ips remove not supported: %w", os.ErrInvalid)
+			}
+
+			aips = append(aips, unparseAllowedIP(aip.IPNet))
 		}
 
 		m["allowed-ips"] = aips
 	}
 
-	return m
+	return m, nil
 }
 
 // unparseDevice encodes the device configuration as a FreeBSD name-value list (nvlist).
-func unparseConfig(cfg wgtypes.Config) nv.List {
+func unparseConfig(cfg wgtypes.Config) (nv.List, error) {
 	m := nv.List{}
 
 	if v := cfg.PrivateKey; v != nil {
@@ -521,12 +528,15 @@ func unparseConfig(cfg wgtypes.Config) nv.List {
 		peers := []nv.List{}
 
 		for _, p := range v {
-			peer := unparsePeerConfig(p)
+			peer, err := unparsePeerConfig(p)
+			if err != nil {
+				return nv.List{}, err
+			}
 			peers = append(peers, peer)
 		}
 
 		m["peers"] = peers
 	}
 
-	return m
+	return m, nil
 }

internal/wglinux/configure_linux.go

@@ -15,6 +15,13 @@ import (
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )
 
+// TODO(jrife): These are placeholders. Replace these with values from the
+// golang.org/x/sys/unix package after it is updated for the 6.16 kernel.
+const (
+	WGALLOWEDIP_A_FLAGS     = 4
+	WGALLOWEDIP_F_REMOVE_ME = 1
+)
+
 // configAttrs creates the required encoded netlink attributes to configure
 // the device specified by name using the non-nil fields in cfg.
 func configAttrs(name string, cfg wgtypes.Config) ([]byte, error) {
@@ -101,16 +108,16 @@ func buildBatches(cfg wgtypes.Config) []wgtypes.Config {
 		// Iterate until no more allowed IPs.
 		var done bool
 		for !done {
-			var tmp []net.IPNet
+			var tmp []wgtypes.AllowedIPConfig
 			if len(p.AllowedIPs) < ipBatchChunk {
 				// IPs all fit within a batch; we are done.
-				tmp = make([]net.IPNet, len(p.AllowedIPs))
+				tmp = make([]wgtypes.AllowedIPConfig, len(p.AllowedIPs))
 				copy(tmp, p.AllowedIPs)
 				done = true
 			} else {
 				// IPs are larger than a single batch, copy a batch out and
 				// advance the cursor.
-				tmp = make([]net.IPNet, ipBatchChunk)
+				tmp = make([]wgtypes.AllowedIPConfig, ipBatchChunk)
 				copy(tmp, p.AllowedIPs[:ipBatchChunk])
 
 				p.AllowedIPs = p.AllowedIPs[ipBatchChunk:]
@@ -247,7 +254,7 @@ func encodeSockaddr(endpoint net.UDPAddr) func() ([]byte, error) {
 }
 
 // encodeAllowedIPs returns a function to encode allowed IP nested attributes.
-func encodeAllowedIPs(ipns []net.IPNet) func(ae *netlink.AttributeEncoder) error {
+func encodeAllowedIPs(ipns []wgtypes.AllowedIPConfig) func(ae *netlink.AttributeEncoder) error {
 	return func(ae *netlink.AttributeEncoder) error {
 		for i, ipn := range ipns {
 			if !isValidIP(ipn.IP) {
@@ -268,6 +275,9 @@ func encodeAllowedIPs(ipns []net.IPNet) func(ae *netlink.AttributeEncoder) error
 
 				ones, _ := ipn.Mask.Size()
 				nae.Uint8(unix.WGALLOWEDIP_A_CIDR_MASK, uint8(ones))
+				if ipn.Remove {
+					nae.Uint32(WGALLOWEDIP_A_FLAGS, WGALLOWEDIP_F_REMOVE_ME)
+				}
 				return nil
 			})
 		}

internal/wguser/configure.go

@@ -95,11 +95,20 @@ func writeConfig(w io.Writer, cfg wgtypes.Config) {
 		}
 
 		for _, ip := range p.AllowedIPs {
-			fmt.Fprintf(w, "allowed_ip=%s\n", ip.String())
+			fmt.Fprintf(w, "allowed_ip=%s\n", aipStr(ip))
 		}
 	}
 }
 
+func aipStr(aip wgtypes.AllowedIPConfig) string {
+	s := aip.String()
+	if aip.Remove {
+		s = "-" + s
+	}
+
+	return s
+}
+
 // hexKey encodes a wgtypes.Key into a hexadecimal string.
 func hexKey(k wgtypes.Key) string {
 	return hex.EncodeToString(k[:])

internal/wgwindows/client_windows.go

@@ -1,6 +1,7 @@
 package wgwindows
 
 import (
+	"fmt"
 	"net"
 	"os"
 	"time"
@@ -284,6 +285,10 @@ func (c *Client) ConfigureDevice(name string, cfg wgtypes.Config) error {
 		}
 		b.AppendPeer(peer)
 		for j := range cfg.Peers[i].AllowedIPs {
+			if cfg.Peers[i].AllowedIPs[j].Remove {
+				return fmt.Errorf("allowed ips remove not supported: %w", os.ErrInvalid)
+			}
+
 			var family ioctl.AddressFamily
 			var ip net.IP
 			if ip = cfg.Peers[i].AllowedIPs[j].IP.To4(); ip != nil {

wgtypes/types.go

@@ -272,5 +272,15 @@ type PeerConfig struct {
 
 	// AllowedIPs specifies a list of allowed IP addresses in CIDR notation
 	// for this peer.
-	AllowedIPs []net.IPNet
+	AllowedIPs []AllowedIPConfig
+}
+
+// An AllowedIPConfig contains an allowed IP address in CIDR notation and a flag
+// indicating whether to add/remove this allowed IP to/from the peer.
+type AllowedIPConfig struct {
+	net.IPNet
+
+	// Remove specifies whether or not to remove this allowed IP from this
+	// peer.
+	Remove bool
 }