authorThomas Haller <thaller@redhat.com>2020-04-22 10:57:27 +0200
committerThomas Haller <thaller@redhat.com>2020-04-22 11:05:39 +0200
commit5da82ee3eab29fc716b4fcf616c2ae89da748c4c (patch)
treeaa063e27719a23d9ca94a866ae37cb016e3f450f
parente8b86f8445cd621c21ccf87833f4c49c74c325d9 (diff)
downloadNetworkManager-5da82ee3eab29fc716b4fcf616c2ae89da748c4c.tar.gz
wireguard: suppress automatic "wireguard.peer-routes" for default routes if "ipv[46].never-default" is enabled
Enabling both peer-routes and never-default conflicts with having AllowedIPs set to a default route. Let never-default win.
-rw-r--r--clients/common/settings-docs.h.in2
-rw-r--r--libnm-core/nm-setting-wireguard.c6
-rw-r--r--src/devices/nm-device-wireguard.c8
3 files changed, 14 insertions, 2 deletions
diff --git a/clients/common/settings-docs.h.in b/clients/common/settings-docs.h.in
index 9425ef370d..3b8e235963 100644
--- a/clients/common/settings-docs.h.in
+++ b/clients/common/settings-docs.h.in
@@ -390,7 +390,7 @@
#define DESCRIBE_DOC_NM_SETTING_WIREGUARD_IP6_AUTO_DEFAULT_ROUTE N_("Like ip4-auto-default-route, but for the IPv6 default route.")
#define DESCRIBE_DOC_NM_SETTING_WIREGUARD_LISTEN_PORT N_("The listen-port. If listen-port is not specified, the port will be chosen randomly when the interface comes up.")
#define DESCRIBE_DOC_NM_SETTING_WIREGUARD_MTU N_("If non-zero, only transmit packets of the specified size or smaller, breaking larger packets up into multiple fragments. If zero a default MTU is used. Note that contrary to wg-quick's MTU setting, this does not take into account the current routes at the time of activation.")
-#define DESCRIBE_DOC_NM_SETTING_WIREGUARD_PEER_ROUTES N_("Whether to automatically add routes for the AllowedIPs ranges of the peers. If TRUE (the default), NetworkManager will automatically add routes in the routing tables according to ipv4.route-table and ipv6.route-table. If FALSE, no such routes are added automatically. In this case, the user may want to configure static routes in ipv4.routes and ipv6.routes, respectively.")
+#define DESCRIBE_DOC_NM_SETTING_WIREGUARD_PEER_ROUTES N_("Whether to automatically add routes for the AllowedIPs ranges of the peers. If TRUE (the default), NetworkManager will automatically add routes in the routing tables according to ipv4.route-table and ipv6.route-table. Usually you want this automatism enabled. If FALSE, no such routes are added automatically. In this case, the user may want to configure static routes in ipv4.routes and ipv6.routes, respectively. Note that if the peer's AllowedIPs is \"0.0.0.0/0\" or \"::/0\" and the profile's ipv4.never-default or ipv6.never-default setting is enabled, the peer route for this peer won't be added automatically.")
#define DESCRIBE_DOC_NM_SETTING_WIREGUARD_PRIVATE_KEY N_("The 256 bit private-key in base64 encoding.")
#define DESCRIBE_DOC_NM_SETTING_WIREGUARD_PRIVATE_KEY_FLAGS N_("Flags indicating how to handle the \"private-key\" property.")
#define DESCRIBE_DOC_NM_SETTING_WPAN_CHANNEL N_("IEEE 802.15.4 channel. A positive integer or -1, meaning \"do not set, use whatever the device is already set to\".")
diff --git a/libnm-core/nm-setting-wireguard.c b/libnm-core/nm-setting-wireguard.c
index ecfc5bb360..1f6940a898 100644
--- a/libnm-core/nm-setting-wireguard.c
+++ b/libnm-core/nm-setting-wireguard.c
@@ -2493,11 +2493,15 @@ nm_setting_wireguard_class_init (NMSettingWireGuardClass *klass)
* Whether to automatically add routes for the AllowedIPs ranges
* of the peers. If %TRUE (the default), NetworkManager will automatically
* add routes in the routing tables according to ipv4.route-table and
- * ipv6.route-table.
+ * ipv6.route-table. Usually you want this automatism enabled.
* If %FALSE, no such routes are added automatically. In this case, the
* user may want to configure static routes in ipv4.routes and ipv6.routes,
* respectively.
*
+ * Note that if the peer's AllowedIPs is "0.0.0.0/0" or "::/0" and the profile's
+ * ipv4.never-default or ipv6.never-default setting is enabled, the peer route for
+ * this peer won't be added automatically.
+ *
* Since: 1.16
**/
obj_properties[PROP_PEER_ROUTES] =
diff --git a/src/devices/nm-device-wireguard.c b/src/devices/nm-device-wireguard.c
index bb7a595060..8dffb7f957 100644
--- a/src/devices/nm-device-wireguard.c
+++ b/src/devices/nm-device-wireguard.c
@@ -1631,6 +1631,14 @@ _get_dev2_ip_config (NMDeviceWireGuard *self,
if (prefix < 0)
prefix = (addr_family == AF_INET) ? 32 : 128;
+ if (prefix == 0) {
+ NMSettingIPConfig *s_ip;
+
+ s_ip = nm_connection_get_setting_ip_config (connection, addr_family);
+ if (nm_setting_ip_config_get_never_default (s_ip))
+ continue;
+ }
+
if (!ip_config)
ip_config = nm_device_ip_config_new (NM_DEVICE (self), addr_family);