From 4d1ab643be2091f794ec55d83ec8acf7b0a60be3 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld"
Date: Tue, 11 Feb 2020 15:12:17 +0100
Subject: sys/linux: restrict wireguard allowedips cidr size

By keeping this small, it means much greater probability that a randomly
generated packet that hits xmit will match an existing peer.
---
 sys/linux/socket_netlink_generic_wireguard.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'sys/linux/socket_netlink_generic_wireguard.txt')

diff --git a/sys/linux/socket_netlink_generic_wireguard.txt b/sys/linux/socket_netlink_generic_wireguard.txt
index 325cc07df..54b8720c8 100644
--- a/sys/linux/socket_netlink_generic_wireguard.txt
+++ b/sys/linux/socket_netlink_generic_wireguard.txt
@@ -49,13 +49,13 @@ allowedip_policy [
 allowedip_policy_ipv4 {
 	WGALLOWEDIP_A_FAMILY nlattr[WGALLOWEDIP_A_FAMILY, const[AF_INET, int16]]
 	WGALLOWEDIP_A_IPADDR nlattr[WGALLOWEDIP_A_IPADDR, ipv4_addr]
-	WGALLOWEDIP_A_CIDR_MASK nlattr[WGALLOWEDIP_A_CIDR_MASK, int8[0:32]]
+	WGALLOWEDIP_A_CIDR_MASK nlattr[WGALLOWEDIP_A_CIDR_MASK, int8[0:3]]
 } [packed]
 
 allowedip_policy_ipv6 {
 	WGALLOWEDIP_A_FAMILY nlattr[WGALLOWEDIP_A_FAMILY, const[AF_INET6, int16]]
 	WGALLOWEDIP_A_IPADDR nlattr[WGALLOWEDIP_A_IPADDR, ipv6_addr]
-	WGALLOWEDIP_A_CIDR_MASK nlattr[WGALLOWEDIP_A_CIDR_MASK, int8[0:128]]
+	WGALLOWEDIP_A_CIDR_MASK nlattr[WGALLOWEDIP_A_CIDR_MASK, int8[0:3]]
 } [packed]
 
 wireguard_private_key [
-- 
cgit mrf-deployment
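Review bot: The two narrowed CIDR_MASK lines carry no in-file explanation, so a reader of the description sees int8[0:3] where the previous ranges (0:32 for IPv4, 0:128 for IPv6) matched the address sizes and may well "correct" it back to the full range. The rationale given in the commit message should sit next to the fields, e.g. a comment line above the IPv4 field such as `# cidr deliberately kept tiny (not the full 0..32 / 0..128 range) so that generated packets reaching xmit are likely to match an existing peer`, with a matching line above the IPv6 field. The comment should also record the trade-off: mask values at and beyond the address width, which the old ranges generated and which exercise the kernel's attribute validation, are no longer produced in-range; whether the mutator still reaches them as out-of-range values is not visible from this hunk.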