From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: PSA: systemd-networkd v250 adds routes from allowedips by default
Date: Tue, 4 Jan 2022 16:58:04 +0100
Message-ID: <CAHmME9pxSFhfFB9VNyvyKLk9jDTyOwp_p7VG3+9uHx0fN1+hGg@mail.gmail.com>

Hi everyone,

Hope you all had a nice new year's.

Version 250 of systemd-networkd added support for a `RouteTable`
option in the `[WireGuard]` section of a `.netdev` config file. By
default, it is "main". When this happens, the allowed IPs from
configured peers are added to the system's main routing table using
the metric specified by the also added `RouteMetric` option.

This is pretty similar to wg-quick(8)'s behavior with its `Table`
option in the `[Interface]` section, except that it doesn't do
anything fancy for default routes or for routes that overlap with
configured endpoints.

This means that if you're currently using systemd-networkd v250 with
0.0.0.0/0 or ::/0 or similar in your allowed IPs, those allowed IPs
will be automatically added to the main routing table, which might
prove problematic for folks who are already manually doing fancy
fwmark things with systemd-networkd. If this applies to you, you may
want to set `RouteTable=off` explicitly.

At the moment, I suspect this mostly affects Arch Linux users who
followed fwmark instructions on their wiki.

Regards,
Jason
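
Added example, not part of the original message and not systemd or WireGuard project code: a small Python check that reads a `.netdev` file and reports which peer `AllowedIPs` would be installed as routes under the v250 default described above. It assumes an absent `RouteTable=` means "main" as the message states; the sample config, key path, fwmark value and function names are constructed, and only the `[WireGuard]`-level `RouteTable` is considered.

```python
import ipaddress

# Constructed sample .netdev content (not from the original message).
SAMPLE = """\
[NetDev]
Name=wg0
Kind=wireguard

[WireGuard]
PrivateKeyFile=/etc/systemd/network/wg0.key
FirewallMark=0x8888

[WireGuardPeer]
PublicKey=PLACEHOLDER_PUBLIC_KEY
AllowedIPs=0.0.0.0/0, ::/0
"""

def parse_netdev(text):
    """Return [(section, [(key, value), ...])]; sections and keys may repeat."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], []))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1].append((key.strip(), value.strip()))
    return sections

def audit(text):
    """Report which AllowedIPs would become routes, and which are default routes."""
    table, allowed = "main", []  # assumption from the message: default is "main"
    for name, items in parse_netdev(text):
        for key, value in items:
            if name == "WireGuard" and key == "RouteTable":
                table = value or "main"  # empty assignment resets to the default
            elif name == "WireGuardPeer" and key == "AllowedIPs":
                allowed += [ipaddress.ip_network(v.strip(), strict=False)
                            for v in value.split(",") if v.strip()]
    if table.lower() in {"off", "no", "false", "0"}:  # route installation disabled
        return {"table": None, "routes": [], "default_routes": []}
    return {"table": table, "routes": [str(n) for n in allowed],
            "default_routes": [str(n) for n in allowed if n.prefixlen == 0]}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A non-empty `default_routes` list for a config that relies on manual fwmark policy routing is the case where setting `RouteTable=off` explicitly applies.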