Bug#1003955: systemd: systemd-networkd: wireguard AllowedIPs is inserted into routing table
Tollef Fog Heen
tfheen at err.no
Tue Jan 18 15:53:54 GMT 2022
Package: systemd
Version: 250.2-3
Severity: critical
Justification: completely breaks network connectivity in certain setups
X-Debbugs-Cc: none, Tollef Fog Heen <tfheen at err.no>
(Feel free to downgrade, but this completely broke the network on my testing
system; were it not my laptop sitting in front of me, it'd be
really hard to debug.)
It seems like systemd-networkd between 249.7-1 and 250.2-3 started
adding IPs specified in AllowedIPs in WireGuardPeer stanzas in netdev
units to the routing table.
The documentation in systemd.netdev states:
Note that this only affects routing inside the network interface itself, i.e. the
packets that pass through the tunnel itself. To cause packets to be sent via the
tunnel in the first place, an appropriate route needs to be added as well — either in
the "[Routes]" section on the ".network" matching the wireguard interface, or
externally to systemd-networkd.
This is the historic behaviour, and this behaviour can be had by using
RouteTable=off in the WireGuardPeer section.
The reason it broke is I have a multi-peer wireguard setup where I
direct traffic to the different peers a machine can talk to using BGP
and bird, and therefore have AllowedIPs=0.0.0.0/0 for the netdevs. After
the upgrade, systemd-networkd proceeded to make my default route point
at the tunnels (which are not suitable as default routes) in addition to
my regular default route, causing most of the traffic to end up on the
floor.
It might be possible to detect this in a postinst, but it's probably
brittle, so I'd consider changing the default RouteTable setting to off.
-- System Information:
Init: systemd (via /run/systemd/system)
Versions of packages systemd depends on:
ii adduser 3.118
ii libacl1 2.3.1-1
ii libapparmor1 3.0.3-6
ii libaudit1 1:3.0.6-1+b1
ii libblkid1 2.37.2-6
ii libc6 2.33-2
ii libcap2 1:2.44-1
ii libcrypt1 1:4.4.27-1
ii libcryptsetup12 2:2.4.3-1
ii libfdisk1 2.37.2-6
ii libgcrypt20 1.9.4-5
ii libgnutls30 3.7.2-5
ii libgpg-error0 1.43-1
ii libip4tc2 1.8.7-1
ii libkmod2 29-1
ii liblz4-1 1.9.3-2
ii liblzma5 5.2.5-2
ii libmount1 2.37.2-6
ii libpam0g 1.4.0-11
ii libseccomp2 2.5.3-2
ii libselinux1 3.3-1+b1
ii libsystemd0 250.2-3
ii libzstd1 1.4.8+dfsg-3
ii mount 2.37.2-6
ii util-linux 2.37.2-6
Versions of packages systemd recommends:
ii dbus [default-dbus-system-bus] 1.12.20-3
ii ntp [time-daemon] 1:4.2.8p15+dfsg-1
Versions of packages systemd suggests:
ii libfido2-1 1.9.0-1
ii libtss2-esys-3.0.2-0 3.1.0-3
ii libtss2-mu0 3.1.0-3
ii libtss2-rc0 3.1.0-3
ii policykit-1 0.105-31
ii systemd-container 250.2-3
Versions of packages systemd is related to:
pn dracut <none>
ii initramfs-tools 0.140
ii libnss-systemd 250.2-3
ii libpam-systemd 250.2-3
ii udev 250.2-3
-- no debconf information
--
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
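As an added example that is not part of the bug report or of systemd itself: a small Python lint that parses .netdev text and flags [WireGuardPeer] sections whose catch-all AllowedIPs would be installed as routes under the new default, i.e. the setup described in the report. It assumes, per my reading of systemd.netdev(5), that a peer without its own RouteTable= inherits the [WireGuard] RouteTable= (default main); the sample unit and its peer keys are constructed placeholders.

```python
import ipaddress
# Constructed sample .netdev (not from the bug report): peer A relies on the
# default RouteTable, peer B opts out with RouteTable=off, peer C is narrow.
SAMPLE_NETDEV = """\
[NetDev]
Name=wg0
Kind=wireguard
[WireGuardPeer]
PublicKey=PEER_A_PUBKEY_PLACEHOLDER
AllowedIPs=0.0.0.0/0 ::/0
[WireGuardPeer]
PublicKey=PEER_B_PUBKEY_PLACEHOLDER
AllowedIPs=0.0.0.0/0
RouteTable=off
[WireGuardPeer]
PublicKey=PEER_C_PUBKEY_PLACEHOLDER
AllowedIPs=10.42.0.0/24
"""

def parse_netdev(text):
    """List of (section, {key: [values]}); repeated sections stay separate."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # skip blanks and comments
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif sections and "=" in line:
            key, _, value = line.partition("=")
            sections[-1][1].setdefault(key.strip(), []).append(value.strip())
    return sections

def catch_all_prefixes(values, max_prefixlen=0):
    """AllowedIPs entries wide enough to act as a default route (/0 by default)."""
    nets = [ipaddress.ip_network(n, strict=False) for v in values for n in v.split()]
    return [str(n) for n in nets if n.prefixlen <= max_prefixlen]

def find_risky_peers(text):
    """(PublicKey, catch-all nets, table) for peers that would get those routes."""
    sections = parse_netdev(text)
    # Assumption: peers inherit [WireGuard] RouteTable=, which defaults to main.
    dev_tables = [k["RouteTable"][-1] for n, k in sections if n == "WireGuard" and "RouteTable" in k]
    dev_table = dev_tables[-1] if dev_tables else "main"
    risky = []
    for name, keys in sections:
        if name == "WireGuardPeer":
            table = keys.get("RouteTable", [dev_table])[-1]
            wide = catch_all_prefixes(keys.get("AllowedIPs", []))
            if wide and table != "off":
                risky.append((keys.get("PublicKey", ["<missing>"])[-1], wide, table))
    return risky
```

Run it over the .netdev files in /etc/systemd/network before upgrading; each reported peer is one that needs RouteTable=off (or a deliberate table) to keep the historic behaviour.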