Development discussion of WireGuard
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: PSA: systemd-networkd v250 adds routes from allowedips by default
Date: Tue, 4 Jan 2022 16:58:04 +0100
Message-ID: <CAHmME9pxSFhfFB9VNyvyKLk9jDTyOwp_p7VG3+9uHx0fN1+hGg@mail.gmail.com>

Hi everyone,

Hope you all had a nice new year's.

Version 250 of systemd-networkd added support for a `RouteTable`
option in the `[WireGuard]` section of a `.netdev` config file. By
default, it is "main". When this happens, the allowed IPs from
configured peers are added to the system's main routing table using
the metric specified by the also added `RouteMetric` option.

This is pretty similar to wg-quick(8)'s behavior with its `Table`
option in the `[Interface]` section, except that it doesn't do
anything fancy for default routes or for routes that overlap with
configured endpoints.

This means that if you're currently using systemd-networkd v250 with
0.0.0.0/0 or ::/0 or similar in your allowed IPs, those allowed IPs
will be automatically added to the main routing table, which might
prove problematic for folks who are already manually doing fancy
fwmark things with systemd-networkd. If this applies to you, you may
want to set `RouteTable=off` explicitly.

At the moment, I suspect this mostly affects Arch Linux users who
followed fwmark instructions on their wiki.

Regards,
Jason
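The configuration below is an added illustration of the point in the message above; it is not part of the original post and not the systemd or WireGuard projects' own documentation. It shows an fwmark-based policy-routing setup of the kind the message describes, with `RouteTable=off` set explicitly so that systemd-networkd v250+ does not also install the peer's `0.0.0.0/0` allowed IP into the main table. The interface name, key path, peer placeholder, firewall mark `0xca6c`, and table number `1000` are assumptions chosen for the example.

```ini
# /etc/systemd/network/50-wg0.netdev  (constructed example, not a real deployment)
[NetDev]
Name=wg0
Kind=wireguard

[WireGuard]
PrivateKeyFile=/etc/systemd/network/wg0.key
# Mark the encrypted UDP packets wg0 itself emits so the policy rules in the
# .network file can exempt them from the tunnel (same idea as wg-quick's FwMark).
FirewallMark=0xca6c
# systemd-networkd v250 defaults to RouteTable=main, which with a 0.0.0.0/0
# AllowedIPs peer would add a default route to the main table on top of the
# manual policy routing below. Turn it off; routes are managed in the .network.
RouteTable=off

[WireGuardPeer]
# Placeholder: substitute the peer's actual base64 public key.
PublicKey=<peer public key>
AllowedIPs=0.0.0.0/0
Endpoint=vpn.example.com:51820
PersistentKeepalive=25

# /etc/systemd/network/50-wg0.network  (constructed example)
[Match]
Name=wg0

[Network]
Address=10.0.0.2/32

# The tunnel's default route lives in a dedicated table, not in "main".
[Route]
Destination=0.0.0.0/0
Table=1000

# Consult "main" first, but ignore its default route, so directly connected
# and locally added routes still win (wg-quick's "suppress_prefixlength 0").
[RoutingPolicyRule]
Table=main
SuppressPrefixLength=0
Priority=9

# Everything NOT carrying the wg0 mark is sent via table 1000 (the tunnel);
# wg0's own marked packets to the endpoint fall through to "main" instead.
[RoutingPolicyRule]
FirewallMark=0xca6c
InvertRule=true
Table=1000
Priority=10
```

After `networkctl reload` (or a reboot), `ip route show table main` should contain no `default dev wg0` entry, `ip route show table 1000` should show the tunnel default route, `ip rule` should list the two rules at priorities 9 and 10, and `wg show wg0 fwmark` should print `0xca6c`. If a `default dev wg0` route does appear in the main table on a v250 host, `RouteTable=off` is missing from the `[WireGuard]` section.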
