parse-nm/wg: append the correct prefix to IPv6 addresses (#428), LP: …

…#2046158 When the prefix is omitted for IPs in the allowed-ips list, we were appending a /32 to them without checking the address family. IPv6 addresses will have a /128 appended to them if it's not present. See LP: #2046158
canonical · Jan 4, 2024 · 1d61710 · 1d61710
1 parent 8c7103a
commit 1d61710
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 8 deletions.
diff --git a/src/parse-nm.c b/src/parse-nm.c
@@ -543,13 +543,16 @@ parse_tunnels(GKeyFile* kf, NetplanNetDefinition* nd)
                             /*
                              * NM doesn't care if the prefix was omitted.
                              * Even though the WG manual says it requires the prefix,
-                             * if it's omitted in its config file it will default to /32
-                             * so we should do the same here and append a /32 if it's not present,
-                             * otherwise we will generate a YAML that will fail validation.
+                             * if it's omitted in its config file it will default to /32 for IPv4
+                             * and /128 for IPv6 so we should do the same here and append a /32 or /128
+                             * if it's not present, otherwise we will generate a YAML that will fail validation.
                              */
-                            if (!g_strrstr(ip, "/"))
-                                address = g_strdup_printf("%s/32", ip);
-                            else
+                            if (!g_strrstr(ip, "/")) {
+                                if (is_ip4_address(ip))
+                                    address = g_strdup_printf("%s/32", ip);
+                                else
+                                    address = g_strdup_printf("%s/128", ip);
+                            } else
                                 address = g_strdup(ip);
                             g_array_append_val(wireguard_peer->allowed_ips, address);
                         }

diff --git a/tests/parser/test_keyfile.py b/tests/parser/test_keyfile.py
@@ -1963,7 +1963,8 @@ def test_wireguard_with_empty_endpoint(self):
 
     def test_wireguard_allowed_ips_without_prefix(self):
         '''
-        When the IP prefix is not present we should default to /32
+        When the IP prefix is not present we should default to /32 for IPv4
+        and /128 for IPv6.
         '''
         self.generate_from_keyfile('''[connection]
 id=wg0
@@ -1976,7 +1977,7 @@ def test_wireguard_allowed_ips_without_prefix(self):
 
 [wireguard-peer.cwkb7k0xDgLSnunZpFIjLJw4u+mJDDr+aBR5DqzpmgI=]
 endpoint=1.2.3.4:12345
-allowed-ips=192.168.0.10
+allowed-ips=192.168.0.10;2001::1;
 
 [ipv4]
 method=auto\n'''.format(UUID), regenerate=False)
@@ -1995,6 +1996,7 @@ def test_wireguard_allowed_ips_without_prefix(self):
           public: "cwkb7k0xDgLSnunZpFIjLJw4u+mJDDr+aBR5DqzpmgI="
         allowed-ips:
         - "192.168.0.10/32"
+        - "2001::1/128"
       networkmanager:
         uuid: "{}"
         name: "wg0"