diff --git a/src/network/netdev/wireguard.c b/src/network/netdev/wireguard.c
index e5cfb35c95..af91dc6257 100644
--- a/src/network/netdev/wireguard.c
+++ b/src/network/netdev/wireguard.c
@@ -686,6 +686,7 @@ int config_parse_wireguard_allowed_ips(
 for (const char *p = rvalue;;) {
 _cleanup_free_ char *word = NULL;
+ union in_addr_union masked;
 r = extract_first_word(&p, &word, "," WHITESPACE, 0);
 if (r == 0)
@@ -705,13 +706,23 @@ int config_parse_wireguard_allowed_ips(
 continue;
 }
+ masked = addr;
+ assert_se(in_addr_mask(family, &masked, prefixlen) >= 0);
+ if (!in_addr_equal(family, &masked, &addr)) {
+ _cleanup_free_ char *buf = NULL;
+
+ (void) in_addr_prefix_to_string(family, &masked, prefixlen, &buf);
+ log_syntax(unit, LOG_WARNING, filename, line, 0,
+ "Specified address '%s' is not properly masked, assuming '%s'.", word, strna(buf));
+ }
+
 ipmask = new(WireguardIPmask, 1);
 if (!ipmask)
 return log_oom();
 *ipmask = (WireguardIPmask) {
 .family = family,
- .ip = addr,
+ .ip = masked,
 .cidr = prefixlen,
 };
diff --git a/test/test-network/conf/25-wireguard.netdev b/test/test-network/conf/25-wireguard.netdev
index 16f63d00bd..4fed38e57a 100644
--- a/test/test-network/conf/25-wireguard.netdev
+++ b/test/test-network/conf/25-wireguard.netdev
@@ -12,7 +12,7 @@ RouteMetric=456
 [WireGuardPeer]
 PublicKey=RDf+LSpeEre7YEIKaxg+wbpsNV7du+ktR99uBEtIiCA=
-AllowedIPs=fd31:bf08:57cb::/48,192.168.26.0/24
+AllowedIPs=fd31:bf08:57cb::/48,192.168.26.3/24
 #Endpoint=wireguard.example.com:51820
 Endpoint=192.168.27.3:51820
 PresharedKey=IIWIV17wutHv7t4cR6pOT91z6NSz/T8Arh0yaywhw3M=
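Review bot: The warning added in the `if (!in_addr_equal(family, &masked, &addr))` branch of the second wireguard.c hunk says the address is "not properly masked" but not what that means for the peer's scope. With `.ip = masked` and `.cidr = prefixlen`, an entry such as `192.168.26.3/24` allows the whole /24 for that peer, which is likely wider than an operator who typed a host address intended. I would add a comment above `masked = addr;`, e.g. `/* AllowedIPs= selects which addresses this peer may use; host bits are dropped, so the entire prefix is allowed. */`, and extend the message to `"Specified address '%s' is not properly masked, assuming '%s' (the whole prefix is allowed for this peer)."`. Separately, `assert_se(in_addr_mask(...) >= 0)` depends on `family` and `prefixlen` having been validated by the parse call that sits outside this hunk; since a failed assertion aborts the daemon, it is worth confirming no path reaches it with an unchecked prefix length. The loop body starts and ends outside the hunk.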
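Review bot: The fixture change in `25-wireguard.netdev` exercises the new masking only for IPv4 (`192.168.26.3/24`); the IPv6 entry `fd31:bf08:57cb::/48` is still already masked, so the `AF_INET6` side of `in_addr_mask(family, ...)` is not covered. Adding a second IPv6 entry with host bits set, for example `fd31:bf08:57cb::1/48` (constructed sample), would cover it, with the expected output in the test script, which is not part of this diff, checked for the masked form. The fixture also no longer contains a correctly masked IPv4 entry, so that path relies on other tests.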