disallow subnet size in non-versioned ipspec

1 files changed, 8 insertions, 7 deletions

diff --git a/wg-genconf.py b/wg-genconf.py
index 3d410a6..1d98960 100755
--- a/wg-genconf.py
+++ b/wg-genconf.py
@@ -109,14 +109,14 @@ def deep_merge(d, src):
     return d
 
 
-# given peer with ips 10.0.0.20, fc00:ff:ff:dead:beef:a1:b2:c3
+# given peer with ips 10.0.0.22, fd00:ff:dead:beef::22
 # {peer4/24} = 10.0.0.0/24
 # {peer4/28} = 10.0.0.16/28
-# {peer4}    = 10.0.0.20/32
-# {peer6/64} = fc00:ff:ff:dead::/64
-# {peer6/96} = fc00:ff:ff:dead:beef:a1::/96
-# {peer6}    = fc00:ff:ff:dead:beef:a1:b2:c3/128
-# {peer}     = 10.0.0.20/32, fc00:ff:ff:dead:beef:a1:b2:c3/128
+# {peer4}    = 10.0.0.22/32
+# {peer6/56} = fd00:ff:dead:be00::/56
+# {peer6/64} = fd00:ff:dead:beef::/64
+# {peer6}    = fd00:ff:dead:beef::22/128
+# {peer}     = 10.0.0.22/32, fd00:ff:dead:beef::22/128
 #
 # a subnet size of '-', e.g. {peer/-}, will take the subnet sizes from the
 # network configuration.
@@ -124,7 +124,8 @@ def deep_merge(d, src):
 # by default, this returns network addresses with host bits removed.
 # passing interface=True will maintain the host bits.
 def ipspec_to_ips(peer, ipspec, *, interface=False):
-    if not (m := re.fullmatch(r'\{peer([46])?(/.+)?\}', ipspec)):
+    if not (m := re.fullmatch(
+            r'\{peer([46])?(?!(?<![46])/[^-])(/.+)?\}', ipspec)):
         return [ipspec]
 
     version = m[1]