[Bug 2046158] Re: Updating wireguard-peer.allowed-ips gets wrong default netmask for IPv6 addresses

Launchpad Bug Tracker 2046158 at bugs.launchpad.net
Wed Jan 24 16:27:09 UTC 2024 

This bug was fixed in the package netplan.io - 0.107.1-3

---------------
netplan.io (0.107.1-3) unstable; urgency=medium

  * d/t/prep-testbed.sh: Improve autopkgtest reliability
  * d/p/python-limited-stable-api.patch: Build Python module against stable API
    (LP: #2050881)
  * d/patches: Cleanup DEP-3 headers

 -- Lukas Märdian <slyon at debian.org>  Tue, 23 Jan 2024 11:13:19 +0100

** Changed in: netplan.io (Ubuntu)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to netplan.io in Ubuntu.
Matching subscriptions: foundations-bugs
https://bugs.launchpad.net/bugs/2046158

Title:
  Updating wireguard-peer.allowed-ips gets wrong default netmask for
  IPv6 addresses

Status in netplan.io package in Ubuntu:
  Fix Released
Status in network-manager package in Ubuntu:
  Invalid

Bug description:
  In https://cockpit-project.org/ we have an integration test for
  NM+wireguard integration. That test starts with an IPv4-only
  connection:

  # cat /etc/netplan/90-NM-b5edee2d-c736-4827-bae3-c95e349cb73b.yaml
  network:
    version: 2
    tunnels:
      wg0:
        renderer: NetworkManager
        addresses:
        - "10.0.0.2/24"
        mode: "wireguard"
        port: 51820
        keys:
          private: "KDI3xiJN6uthba43AMm7EBBxjPPNeamjlV3xXT5Zh0E="
        peers:
        - keys:
            public: "RsfKtJHMIAYs/i2i/TZUfRSWF1LmAEXzc3UyidXZTnI="
          allowed-ips:
          - "10.0.0.1/32"
        networkmanager:
          uuid: "b5edee2d-c736-4827-bae3-c95e349cb73b"
          name: "con-wg0"
          passthrough:
            ipv6.addr-gen-mode: "default"
            ipv6.method: "disabled"
            ipv6.ip6-privacy: "-1"
            proxy._: ""

  which gets rendered as

  # cat /run/NetworkManager/system-connections/netplan-wg0.nmconnection
  [connection]
  id=con-wg0
  type=wireguard
  uuid=b5edee2d-c736-4827-bae3-c95e349cb73b
  interface-name=wg0

  [wireguard]
  private-key=KDI3xiJN6uthba43AMm7EBBxjPPNeamjlV3xXT5Zh0E=
  listen-port=51820

  [wireguard-peer.RsfKtJHMIAYs/i2i/TZUfRSWF1LmAEXzc3UyidXZTnI=]
  allowed-ips=10.0.0.1/32;

  [ipv4]
  method=manual
  address1=10.0.0.2/24

  [ipv6]
  #Netplan: passthrough override
  method=disabled
  #Netplan: passthrough setting
  addr-gen-mode=default

  [proxy]

  Now the UI modifies the "allowed-ips" setting to ["10.0.0.1",
  "2001::1"]. Notably the addresses do *not* have a netmask, neither in
  the original config nor that update. Unfortunately that update cannot
  be done on the CLI:

  # nmcli con modify con-wg0 "wireguard-peer.RsfKtJHMIAYs/i2i/TZUfRSWF1LmAEXzc3UyidXZTnI=.allowed-ips" "2001::1"
  Error: invalid or not allowed setting 'wireguard-peer': 'wireguard-peer' not among [connection, wireguard, match, ipv4, ipv6, hostname, link, tc, proxy].

  So it has to happen via D-Bus:

  "/org/freedesktop/NetworkManager/Settings/5","org.freedesktop.NetworkManager.Settings.Connection","Update",[{"connection":{"id":{"v":"con-
  wg0","t":"s"},"interface-
  name":{"v":"wg0","t":"s"},"permissions":{"t":"as","v":[]},"timestamp":{"t":"t","v":1702299778},"type":{"v":"wireguard","t":"s"},"uuid":{"v":"04237010-9663-4064-aa06-bcde279b67da","t":"s"},"autoconnect":{"v":true,"t":"b"},"autoconnect-
  slaves":{"v":-1,"t":"i"}},"wireguard":{"listen-
  port":{"v":51820,"t":"u"},"peers":{"v":[{"public-
  key":{"t":"s","v":"2CvDKtc8k94LLpabq6rZdYh1Co8fzjhoAD61ESMfjSc="},"allowed-
  ips":{"t":"as","v":["10.0.0.1/32","2001::1"]}}],"t":"aa{sv}"},"private-
  key":{"v":"iDM1BknhsROJt8TpJnBNNHVCAqWnfqZEkL20+sVfXlA=","t":"s"}},"ipv4":{"address-
  data":{"t":"aa{sv}","v":[{"address":{"t":"s","v":"10.0.0.2"},"prefix":{"t":"u","v":24}}]},"addresses":{"v":[[33554442,24,0]],"t":"aau"},"dns-
  search":{"v":[],"t":"as"},"method":{"v":"manual","t":"s"},"route-
  data":{"t":"aa{sv}","v":[]},"routes":{"t":"aau","v":[]},"dns":{"v":[],"t":"au"}},"ipv6":{"address-
  data":{"t":"aa{sv}","v":[]},"addresses":{"v":[],"t":"a(ayuay)"},"dns-
  search":{"v":[],"t":"as"},"method":{"v":"disabled","t":"s"},"route-
  data":{"t":"aa{sv}","v":[]},"routes":{"v":[],"t":"a(ayuayu)"},"ignore-
  auto-dns":{"v":false,"t":"b"},"ignore-auto-
  routes":{"v":false,"t":"b"},"dns":{"v":[],"t":"aay"}},"proxy":{}}]]

  But this generates a wrong "/32" default netmask in the netplan config
  for the IPv6 address:

          allowed-ips:
          - "10.0.0.1/32"
          - "2001::1/32"

  On Fedora, with NM's default .nmconnection files, such a netmask is
  not added on this call. The netplan backend should do that (not
  second-guessing NM) or at least default to /128 for an IPv6 address.

  Doing this D-Bus call with `busctl` is a nuisance. If you need a
  reproducer at this level, I can spend an hour or so trying to stitch
  it together, but I hope your unit tests make this easier somehow.

  This was fine until 22.10, but with NM's new "netplan by default"
  backend this regressed.

  DistroRelease: Ubuntu 23.10
  Package: network-manager 1.44.2-1ubuntu1.2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/netplan.io/+bug/2046158/+subscriptions

More information about the foundations-bugs mailing list