mirror of
https://github.com/systemd/systemd.git
synced 2025-01-25 10:04:04 +03:00
man/systemd.netdev: clarify the wireguard AllowedIPs= setting
`AllowedIPs=` only affects "routing inside the network interface itself", as in, which wireguard peer packets with a specific destination address are sent to, and what source addresses are accepted from which peer. To cause packets to be sent via wireguard in first place, a route via that interface needs to be added - either in the `[Routes]` section on the `.network` matching the wireguard interface, or outside of networkd. This is a common cause of misunderstanding, because tools like wg-quick also add routes to the interface. However, those tools are meant as a "extremely simple script for easily bringing up a WireGuard interface, suitable for a few common use cases (from their manpage). Networkd also should support other usecases - like setting AllowedIPs to 0.0.0.0/0 and ::/0 and having a dynamic routing protocol setting more specific routes (or the user manually setting them). Reported-In: https://github.com/systemd/systemd/issues/14176
This commit is contained in:
parent
94d982bb6a
commit
c6b90e5c5e
@ -1629,9 +1629,16 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Sets a comma-separated list of IP (v4 or v6) addresses with CIDR masks
|
<para>Sets a comma-separated list of IP (v4 or v6) addresses with CIDR masks
|
||||||
from which this peer is allowed to send incoming traffic and to
|
from which this peer is allowed to send incoming traffic and to
|
||||||
which outgoing traffic for this peer is directed. The catch-all
|
which outgoing traffic for this peer is directed.</para>
|
||||||
0.0.0.0/0 may be specified for matching all IPv4 addresses, and
|
<para>The catch-all 0.0.0.0/0 may be specified for matching all IPv4 addresses,
|
||||||
::/0 may be specified for matching all IPv6 addresses. </para>
|
and ::/0 may be specified for matching all IPv6 addresses.</para>
|
||||||
|
<para>Note that this only affects "routing inside the network interface itself",
|
||||||
|
as in, which wireguard peer packets with a specific destination address are sent to,
|
||||||
|
and what source addresses are accepted from which peer.</para>
|
||||||
|
<para>To cause packets to be sent via wireguard in first place, a route needs
|
||||||
|
to be added, as well - either in the <literal>[Routes]</literal> section on the
|
||||||
|
<literal>.network</literal> matching the wireguard interface, or outside of networkd.
|
||||||
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
|
Loading…
x
Reference in New Issue
Block a user