Updating wireguard-peer.allowed-ips gets wrong default netmask for IPv6 addresses

In https://cockpit-project.org/ we have an integration test for NM+wireguard integration. That test starts with an IPv4-only connection:

# cat /etc/netplan/90-NM-b5edee2d-c736-4827-bae3-c95e349cb73b.yaml
network:
  version: 2
  tunnels:
    wg0:
      renderer: NetworkManager
      addresses:
      - "10.0.0.2/24"
      mode: "wireguard"
      port: 51820
      keys:
        private: "KDI3xiJN6uthba43AMm7EBBxjPPNeamjlV3xXT5Zh0E="
      peers:
      - keys:
          public: "RsfKtJHMIAYs/i2i/TZUfRSWF1LmAEXzc3UyidXZTnI="
        allowed-ips:
        - "10.0.0.1/32"
      networkmanager:
        uuid: "b5edee2d-c736-4827-bae3-c95e349cb73b"
        name: "con-wg0"
        passthrough:
          ipv6.addr-gen-mode: "default"
          ipv6.method: "disabled"
          ipv6.ip6-privacy: "-1"
          proxy._: ""

which gets rendered as

# cat /run/NetworkManager/system-connections/netplan-wg0.nmconnection
[connection]
id=con-wg0
type=wireguard
uuid=b5edee2d-c736-4827-bae3-c95e349cb73b
interface-name=wg0

[wireguard]
private-key=KDI3xiJN6uthba43AMm7EBBxjPPNeamjlV3xXT5Zh0E=
listen-port=51820

[wireguard-peer.RsfKtJHMIAYs/i2i/TZUfRSWF1LmAEXzc3UyidXZTnI=]
allowed-ips=10.0.0.1/32;

[ipv4]
method=manual
address1=10.0.0.2/24

[ipv6]
#Netplan: passthrough override
method=disabled
#Netplan: passthrough setting
addr-gen-mode=default

[proxy]

Now the UI modifies the "allowed-ips" setting to ["10.0.0.1", "2001::1"]. Notably the addresses do *not* have a netmask, neither in the original config nor that update. Unfortunately that update cannot be done on the CLI:

# nmcli con modify con-wg0 "wireguard-peer.RsfKtJHMIAYs/i2i/TZUfRSWF1LmAEXzc3UyidXZTnI=.allowed-ips" "2001::1"
Error: invalid or not allowed setting 'wireguard-peer': 'wireguard-peer' not among [connection, wireguard, match, ipv4, ipv6, hostname, link, tc, proxy].

So it has to happen via D-Bus:

"/org/freedesktop/NetworkManager/Settings/5","org.freedesktop.NetworkManager.Settings.Connection","Update",[{"connection":{"id":{"v":"con-wg0","t":"s"},"interface-name":{"v":"wg0","t":"s"},"permissions":{"t":"as","v":[]},"timestamp":{"t":"t","v":1702299778},"type":{"v":"wireguard","t":"s"},"uuid":{"v":"04237010-9663-4064-aa06-bcde279b67da","t":"s"},"autoconnect":{"v":true,"t":"b"},"autoconnect-slaves":{"v":-1,"t":"i"}},"wireguard":{"listen-port":{"v":51820,"t":"u"},"peers":{"v":[{"public-key":{"t":"s","v":"2CvDKtc8k94LLpabq6rZdYh1Co8fzjhoAD61ESMfjSc="},"allowed-ips":{"t":"as","v":["10.0.0.1/32","2001::1"]}}],"t":"aa{sv}"},"private-key":{"v":"iDM1BknhsROJt8TpJnBNNHVCAqWnfqZEkL20+sVfXlA=","t":"s"}},"ipv4":{"address-data":{"t":"aa{sv}","v":[{"address":{"t":"s","v":"10.0.0.2"},"prefix":{"t":"u","v":24}}]},"addresses":{"v":[[33554442,24,0]],"t":"aau"},"dns-search":{"v":[],"t":"as"},"method":{"v":"manual","t":"s"},"route-data":{"t":"aa{sv}","v":[]},"routes":{"t":"aau","v":[]},"dns":{"v":[],"t":"au"}},"ipv6":{"address-data":{"t":"aa{sv}","v":[]},"addresses":{"v":[],"t":"a(ayuay)"},"dns-search":{"v":[],"t":"as"},"method":{"v":"disabled","t":"s"},"route-data":{"t":"aa{sv}","v":[]},"routes":{"v":[],"t":"a(ayuayu)"},"ignore-auto-dns":{"v":false,"t":"b"},"ignore-auto-routes":{"v":false,"t":"b"},"dns":{"v":[],"t":"aay"}},"proxy":{}}]]

But this generates a wrong "/32" default netmask in the netplan config for the IPv6 address:

        allowed-ips:
        - "10.0.0.1/32"
        - "2001::1/32"

On Fedora, with NM's default .nmconnection files, such a netmask is not added on this call. The netplan backend should do that (not second-guessing NM) or at least default to /128 for an IPv6 address.

Doing this D-Bus call with `busctl` is a nuisance. If you need a reproducer at this level, I can spend an hour or so trying to stitch it together, but I hope your unit tests make this easier somehow.

This was fine until 22.10, but with NM's new "netplan by default" backend this regressed.

DistroRelease: Ubuntu 23.10
Package: network-manager 1.44.2-1ubuntu1.2