From: Yu Watanabe
Date: Thu, 30 Dec 2021 17:08:56 +0000 (+0900)
Subject: network: wireguard: warn about invalid allowed IP addresses
X-Git-Tag: v251-rc1~622^2~1
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=af670fc635d1b7cd987fdb1acaf35d74c370e73f;p=thirdparty%2Fsystemd.git
network: wireguard: warn about invalid allowed IP addresses
But handle them gracefully. Otherwise, when the route to the address is being configured, kernel refuse the route. Note that kernel's wireguard module handle e.g. 192.168.10.3/24 as 192.168.10.0/24.
Fixes #21929.
---
diff --git a/src/network/netdev/wireguard.c b/src/network/netdev/wireguard.c
index e5cfb35c959..af91dc62576 100644
--- a/src/network/netdev/wireguard.c
+++ b/src/network/netdev/wireguard.c
@@ -686,6 +686,7 @@ int config_parse_wireguard_allowed_ips(
 for (const char *p = rvalue;;) {
 _cleanup_free_ char *word = NULL;
+ union in_addr_union masked;
 r = extract_first_word(&p, &word, "," WHITESPACE, 0);
 if (r == 0)
@@ -705,13 +706,23 @@ int config_parse_wireguard_allowed_ips(
 continue;
 }
+ masked = addr;
+ assert_se(in_addr_mask(family, &masked, prefixlen) >= 0);
+ if (!in_addr_equal(family, &masked, &addr)) {
+ _cleanup_free_ char *buf = NULL;
+
+ (void) in_addr_prefix_to_string(family, &masked, prefixlen, &buf);
+ log_syntax(unit, LOG_WARNING, filename, line, 0,
+ "Specified address '%s' is not properly masked, assuming '%s'.", word, strna(buf));
+ }
+
 ipmask = new(WireguardIPmask, 1);
 if (!ipmask)
 return log_oom();
 *ipmask = (WireguardIPmask) {
 .family = family,
- .ip = addr,
+ .ip = masked,
 .cidr = prefixlen,
 };
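Review bot: The added `assert_se(in_addr_mask(family, &masked, prefixlen) >= 0);` in the second hunk aborts the process if masking ever fails, and it runs while parsing a configuration file, where the context just above skips a bad entry with `continue`. It is safe only while the parse above it guarantees a supported address family and an in-range prefix length; that code lies outside the hunk, so this seems to hold but cannot be confirmed from here. Either record the invariant next to the assertion, e.g. `/* family and prefixlen were validated by the parse above, so masking cannot fail */`, or handle a failure like any other rejected entry: `r = in_addr_mask(family, &masked, prefixlen);` followed by `if (r < 0) { log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to mask address '%s', ignoring.", word); continue; }`. The loop body starts and ends outside the hunk.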