authorJason A. Donenfeld <Jason@zx2c4.com>2020-02-11 15:12:17 +0100
committerGitHub <noreply@github.com>2020-02-11 15:12:17 +0100
commit4d1ab643be2091f794ec55d83ec8acf7b0a60be3 (patch)
tree1e0e1aab236f70c4e97ffd67af78cd43b3bd6755 /sys/linux/socket_netlink_generic_wireguard.txt
parent084454aecdedb02f8bc64dc31c39a4d02e3be0ba (diff)
sys/linux: restrict wireguard allowedips cidr size
Keeping this small makes it much more probable that a randomly generated packet that hits xmit will match an existing peer.
Diffstat (limited to 'sys/linux/socket_netlink_generic_wireguard.txt')
-rw-r--r--sys/linux/socket_netlink_generic_wireguard.txt4
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/linux/socket_netlink_generic_wireguard.txt b/sys/linux/socket_netlink_generic_wireguard.txt
index 325cc07df..54b8720c8 100644
--- a/sys/linux/socket_netlink_generic_wireguard.txt
+++ b/sys/linux/socket_netlink_generic_wireguard.txt
@@ -49,13 +49,13 @@ allowedip_policy [
allowedip_policy_ipv4 {
WGALLOWEDIP_A_FAMILY nlattr[WGALLOWEDIP_A_FAMILY, const[AF_INET, int16]]
WGALLOWEDIP_A_IPADDR nlattr[WGALLOWEDIP_A_IPADDR, ipv4_addr]
- WGALLOWEDIP_A_CIDR_MASK nlattr[WGALLOWEDIP_A_CIDR_MASK, int8[0:32]]
+ WGALLOWEDIP_A_CIDR_MASK nlattr[WGALLOWEDIP_A_CIDR_MASK, int8[0:3]]
} [packed]
allowedip_policy_ipv6 {
WGALLOWEDIP_A_FAMILY nlattr[WGALLOWEDIP_A_FAMILY, const[AF_INET6, int16]]
WGALLOWEDIP_A_IPADDR nlattr[WGALLOWEDIP_A_IPADDR, ipv6_addr]
- WGALLOWEDIP_A_CIDR_MASK nlattr[WGALLOWEDIP_A_CIDR_MASK, int8[0:128]]
+ WGALLOWEDIP_A_CIDR_MASK nlattr[WGALLOWEDIP_A_CIDR_MASK, int8[0:3]]
} [packed]
wireguard_private_key [
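Review bot: With both `WGALLOWEDIP_A_CIDR_MASK` fields narrowed to `int8[0:3]` (in `allowedip_policy_ipv4` and `allowedip_policy_ipv6`), these descriptions no longer ask for long prefixes or the boundary lengths 32 and 128. Allowed-IP entries with long prefixes, and the kernel's handling of maximal prefix lengths, are therefore presumably exercised far less through this netlink interface. The reason for the small range exists only in the commit message; a comment above each field would keep it with the description, e.g. `# Small prefix lengths so that randomly generated packets hitting xmit are likely to match a peer.` If long-prefix coverage still matters, it may be worth adding separate variants to `allowedip_policy` that keep the original `int8[0:32]` and `int8[0:128]` ranges alongside the narrow ones; the rest of that union lies outside this hunk, so check for an existing variant first.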