From af670fc635d1b7cd987fdb1acaf35d74c370e73f Mon Sep 17 00:00:00 2001
From: Yu Watanabe
Date: Fri, 31 Dec 2021 02:08:56 +0900
Subject: [PATCH] network: wireguard: warn about invalid allowed IP addresses

But handle them gracefully. Otherwise, when the route to the address is being configured, kernel refuse the route. Note that kernel's wireguard module handle e.g. 192.168.10.3/24 as 192.168.10.0/24.

Fixes #21929.
---
 src/network/netdev/wireguard.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/network/netdev/wireguard.c b/src/network/netdev/wireguard.c
index e5cfb35c959..af91dc62576 100644
--- a/src/network/netdev/wireguard.c
+++ b/src/network/netdev/wireguard.c
@@ -686,6 +686,7 @@ int config_parse_wireguard_allowed_ips(
 for (const char *p = rvalue;;) {
 _cleanup_free_ char *word = NULL;
+ union in_addr_union masked;
 r = extract_first_word(&p, &word, "," WHITESPACE, 0);
 if (r == 0)
@@ -705,13 +706,23 @@ int config_parse_wireguard_allowed_ips(
 continue;
 }
+ masked = addr;
+ assert_se(in_addr_mask(family, &masked, prefixlen) >= 0);
+ if (!in_addr_equal(family, &masked, &addr)) {
+ _cleanup_free_ char *buf = NULL;
+
+ (void) in_addr_prefix_to_string(family, &masked, prefixlen, &buf);
+ log_syntax(unit, LOG_WARNING, filename, line, 0,
+ "Specified address '%s' is not properly masked, assuming '%s'.", word, strna(buf));
+ }
+
 ipmask = new(WireguardIPmask, 1);
 if (!ipmask)
 return log_oom();
 *ipmask = (WireguardIPmask) {
 .family = family,
- .ip = addr,
+ .ip = masked,
 .cidr = prefixlen,
 };
--
2.47.3
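Review bot: The warning added in the second hunk says the address is "not properly masked" but does not tell the operator that the peer ends up with the whole prefix in its allowed-IPs set, so someone who wrote 192.168.10.3/24 meaning a single host gets 192.168.10.0/24 accepted from, and routed to, that peer. The commit message says the kernel module already treats the entry this way, so this is not a regression, but the log line is the only place the widening becomes visible; I would spell it out, e.g. `"Specified address '%s' is not properly masked, assuming '%s' (the whole prefix is allowed for this peer)."`. A one-line comment above `masked = addr;`, such as `/* The kernel masks allowed IPs itself; store the masked form so the route we configure is not refused. */`, would record why `.ip` no longer holds what the user typed. `assert_se(in_addr_mask(family, &masked, prefixlen) >= 0)` aborts the daemon if `family` or `prefixlen` is ever out of range; both are set outside this hunk, presumably by the parse whose failure path ends in the visible `continue;`, so confirm that parse bounds them. The body of config_parse_wireguard_allowed_ips starts and ends outside the hunk.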