** Description changed: In https://cockpit-project.org/ we have an integration test for NM+wireguard integration. That test starts with an IPv4-only connection: # cat /etc/netplan/90-NM-b5edee2d-c736-4827-bae3-c95e349cb73b.yaml network: - version: 2 - tunnels: - wg0: - renderer: NetworkManager - addresses: - - "10.0.0.2/24" - mode: "wireguard" - port: 51820 - keys: - private: "KDI3xiJN6uthba43AMm7EBBxjPPNeamjlV3xXT5Zh0E=" - peers: - - keys: - public: "RsfKtJHMIAYs/i2i/TZUfRSWF1LmAEXzc3UyidXZTnI=" - allowed-ips: - - "10.0.0.1/32" - networkmanager: - uuid: "b5edee2d-c736-4827-bae3-c95e349cb73b" - name: "con-wg0" - passthrough: - ipv6.addr-gen-mode: "default" - ipv6.method: "disabled" - ipv6.ip6-privacy: "-1" - proxy._: "" - + version: 2 + tunnels: + wg0: + renderer: NetworkManager + addresses: + - "10.0.0.2/24" + mode: "wireguard" + port: 51820 + keys: + private: "KDI3xiJN6uthba43AMm7EBBxjPPNeamjlV3xXT5Zh0E=" + peers: + - keys: + public: "RsfKtJHMIAYs/i2i/TZUfRSWF1LmAEXzc3UyidXZTnI=" + allowed-ips: + - "10.0.0.1/32" + networkmanager: + uuid: "b5edee2d-c736-4827-bae3-c95e349cb73b" + name: "con-wg0" + passthrough: + ipv6.addr-gen-mode: "default" + ipv6.method: "disabled" + ipv6.ip6-privacy: "-1" + proxy._: "" which gets rendered as # cat /run/NetworkManager/system-connections/netplan-wg0.nmconnection [connection] id=con-wg0 type=wireguard uuid=b5edee2d-c736-4827-bae3-c95e349cb73b interface-name=wg0 [wireguard] private-key=KDI3xiJN6uthba43AMm7EBBxjPPNeamjlV3xXT5Zh0E= listen-port=51820 [wireguard-peer.RsfKtJHMIAYs/i2i/TZUfRSWF1LmAEXzc3UyidXZTnI=] allowed-ips=10.0.0.1/32; [ipv4] method=manual address1=10.0.0.2/24 [ipv6] #Netplan: passthrough override method=disabled #Netplan: passthrough setting addr-gen-mode=default [proxy] - - Now the UI modifies the "allowed-ips" setting to ["10.0.0.1", "2001::1"]. Notably the addresses do *not* have a netmask, neither in the original config nor that update. Unfortunately that update cannot be done on the CLI: + Now the UI modifies the "allowed-ips" setting to ["10.0.0.1", + "2001::1"]. Notably the addresses do *not* have a netmask, neither in + the original config nor that update. Unfortunately that update cannot be + done on the CLI: # nmcli con modify con-wg0 "wireguard-peer.RsfKtJHMIAYs/i2i/TZUfRSWF1LmAEXzc3UyidXZTnI=.allowed-ips" "2001::1" Error: invalid or not allowed setting 'wireguard-peer': 'wireguard-peer' not among [connection, wireguard, match, ipv4, ipv6, hostname, link, tc, proxy]. - So it has to happen via D-Bus: "/org/freedesktop/NetworkManager/Settings/5","org.freedesktop.NetworkManager.Settings.Connection","Update",[{"connection":{"id":{"v":"con- wg0","t":"s"},"interface- name":{"v":"wg0","t":"s"},"permissions":{"t":"as","v":[]},"timestamp":{"t":"t","v":1702299778},"type":{"v":"wireguard","t":"s"},"uuid":{"v":"04237010-9663-4064-aa06-bcde279b67da","t":"s"},"autoconnect":{"v":true,"t":"b"},"autoconnect- slaves":{"v":-1,"t":"i"}},"wireguard":{"listen- port":{"v":51820,"t":"u"},"peers":{"v":[{"public- key":{"t":"s","v":"2CvDKtc8k94LLpabq6rZdYh1Co8fzjhoAD61ESMfjSc="},"allowed- ips":{"t":"as","v":["10.0.0.1/32","2001::1"]}}],"t":"aa{sv}"},"private- key":{"v":"iDM1BknhsROJt8TpJnBNNHVCAqWnfqZEkL20+sVfXlA=","t":"s"}},"ipv4":{"address- data":{"t":"aa{sv}","v":[{"address":{"t":"s","v":"10.0.0.2"},"prefix":{"t":"u","v":24}}]},"addresses":{"v":[[33554442,24,0]],"t":"aau"},"dns- search":{"v":[],"t":"as"},"method":{"v":"manual","t":"s"},"route- data":{"t":"aa{sv}","v":[]},"routes":{"t":"aau","v":[]},"dns":{"v":[],"t":"au"}},"ipv6":{"address- data":{"t":"aa{sv}","v":[]},"addresses":{"v":[],"t":"a(ayuay)"},"dns- search":{"v":[],"t":"as"},"method":{"v":"disabled","t":"s"},"route- data":{"t":"aa{sv}","v":[]},"routes":{"v":[],"t":"a(ayuayu)"},"ignore- auto-dns":{"v":false,"t":"b"},"ignore-auto- routes":{"v":false,"t":"b"},"dns":{"v":[],"t":"aay"}},"proxy":{}}]] + But this generates a wrong "/32" default netmask in the netplan config + for the IPv6 address: - But this generates a wrong "/32" default netmask in the netplan config for the IPv6 address: - - allowed-ips: - - "10.0.0.1/32" - - "2001::1/32" + allowed-ips: + - "10.0.0.1/32" + - "2001::1/32" On Fedora, with NM's default .nmconnection files, such a netmask is not added on this call. The netplan backend should do that (not second- guessing NM) or at least default to /128 for an IPv6 address. Doing this D-Bus call with `busctl` is a nuisance. If you need a reproducer at this level, I can spend an hour or so trying to stitch it together, but I hope your unit tests make this easier somehow. This was fine until 22.10, but with NM's new "netplan by default" backend this regressed. - DistroRelease: Ubuntu 23.04 + DistroRelease: Ubuntu 23.10 Package: network-manager 1.44.2-1ubuntu1.2
-- You received this bug notification because you are a member of Desktop Packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/2046158 Title: Updating wireguard-peer.allowed-ips gets wrong default netmask for IPv6 addresses Status in network-manager package in Ubuntu: New Bug description: In https://cockpit-project.org/ we have an integration test for NM+wireguard integration. That test starts with an IPv4-only connection: # cat /etc/netplan/90-NM-b5edee2d-c736-4827-bae3-c95e349cb73b.yaml network: version: 2 tunnels: wg0: renderer: NetworkManager addresses: - "10.0.0.2/24" mode: "wireguard" port: 51820 keys: private: "KDI3xiJN6uthba43AMm7EBBxjPPNeamjlV3xXT5Zh0E=" peers: - keys: public: "RsfKtJHMIAYs/i2i/TZUfRSWF1LmAEXzc3UyidXZTnI=" allowed-ips: - "10.0.0.1/32" networkmanager: uuid: "b5edee2d-c736-4827-bae3-c95e349cb73b" name: "con-wg0" passthrough: ipv6.addr-gen-mode: "default" ipv6.method: "disabled" ipv6.ip6-privacy: "-1" proxy._: "" which gets rendered as # cat /run/NetworkManager/system-connections/netplan-wg0.nmconnection [connection] id=con-wg0 type=wireguard uuid=b5edee2d-c736-4827-bae3-c95e349cb73b interface-name=wg0 [wireguard] private-key=KDI3xiJN6uthba43AMm7EBBxjPPNeamjlV3xXT5Zh0E= listen-port=51820 [wireguard-peer.RsfKtJHMIAYs/i2i/TZUfRSWF1LmAEXzc3UyidXZTnI=] allowed-ips=10.0.0.1/32; [ipv4] method=manual address1=10.0.0.2/24 [ipv6] #Netplan: passthrough override method=disabled #Netplan: passthrough setting addr-gen-mode=default [proxy] Now the UI modifies the "allowed-ips" setting to ["10.0.0.1", "2001::1"]. Notably the addresses do *not* have a netmask, neither in the original config nor that update. Unfortunately that update cannot be done on the CLI: # nmcli con modify con-wg0 "wireguard-peer.RsfKtJHMIAYs/i2i/TZUfRSWF1LmAEXzc3UyidXZTnI=.allowed-ips" "2001::1" Error: invalid or not allowed setting 'wireguard-peer': 'wireguard-peer' not among [connection, wireguard, match, ipv4, ipv6, hostname, link, tc, proxy]. So it has to happen via D-Bus: "/org/freedesktop/NetworkManager/Settings/5","org.freedesktop.NetworkManager.Settings.Connection","Update",[{"connection":{"id":{"v":"con- wg0","t":"s"},"interface- name":{"v":"wg0","t":"s"},"permissions":{"t":"as","v":[]},"timestamp":{"t":"t","v":1702299778},"type":{"v":"wireguard","t":"s"},"uuid":{"v":"04237010-9663-4064-aa06-bcde279b67da","t":"s"},"autoconnect":{"v":true,"t":"b"},"autoconnect- slaves":{"v":-1,"t":"i"}},"wireguard":{"listen- port":{"v":51820,"t":"u"},"peers":{"v":[{"public- key":{"t":"s","v":"2CvDKtc8k94LLpabq6rZdYh1Co8fzjhoAD61ESMfjSc="},"allowed- ips":{"t":"as","v":["10.0.0.1/32","2001::1"]}}],"t":"aa{sv}"},"private- key":{"v":"iDM1BknhsROJt8TpJnBNNHVCAqWnfqZEkL20+sVfXlA=","t":"s"}},"ipv4":{"address- data":{"t":"aa{sv}","v":[{"address":{"t":"s","v":"10.0.0.2"},"prefix":{"t":"u","v":24}}]},"addresses":{"v":[[33554442,24,0]],"t":"aau"},"dns- search":{"v":[],"t":"as"},"method":{"v":"manual","t":"s"},"route- data":{"t":"aa{sv}","v":[]},"routes":{"t":"aau","v":[]},"dns":{"v":[],"t":"au"}},"ipv6":{"address- data":{"t":"aa{sv}","v":[]},"addresses":{"v":[],"t":"a(ayuay)"},"dns- search":{"v":[],"t":"as"},"method":{"v":"disabled","t":"s"},"route- data":{"t":"aa{sv}","v":[]},"routes":{"v":[],"t":"a(ayuayu)"},"ignore- auto-dns":{"v":false,"t":"b"},"ignore-auto- routes":{"v":false,"t":"b"},"dns":{"v":[],"t":"aay"}},"proxy":{}}]] But this generates a wrong "/32" default netmask in the netplan config for the IPv6 address: allowed-ips: - "10.0.0.1/32" - "2001::1/32" On Fedora, with NM's default .nmconnection files, such a netmask is not added on this call. The netplan backend should do that (not second-guessing NM) or at least default to /128 for an IPv6 address. Doing this D-Bus call with `busctl` is a nuisance. If you need a reproducer at this level, I can spend an hour or so trying to stitch it together, but I hope your unit tests make this easier somehow. This was fine until 22.10, but with NM's new "netplan by default" backend this regressed. DistroRelease: Ubuntu 23.10 Package: network-manager 1.44.2-1ubuntu1.2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/2046158/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
