Fix support of leftsubnets and rightsubnets

Resolves: RHEL-161465 Signed-off-by: Gris Ge <fge@redhat.com>
2026-03-27 17:03:09 +08:00 · 2026-03-27 17:03:09 +08:00 · bfaa9fbaac
commit bfaa9fbaac
parent 5d5a1ebc76
2 changed files with 137 additions and 1 deletions
--- a/NetworkManager-libreswan.spec
+++ b/NetworkManager-libreswan.spec
@ -11,7 +11,7 @@

 %global real_version     1.2.30
 %global rpm_version      1.2.30
-%global release_version  1
+%global release_version  2

 %global real_version_major %(printf '%s' '%{real_version}' | sed -n 's/^\\([1-9][0-9]*\\.[1-9][0-9]*\\)\\.[1-9][0-9]*$/\\1/p')

@ -26,6 +26,7 @@ Release:   %{release_version}%{?dist}
 License:   GPLv2+
 URL:       https://gitlab.gnome.org/GNOME/NetworkManager-libreswan/
 Source0:   https://download.gnome.org/sources/NetworkManager-libreswan/%{real_version_major}/%{name}-%{real_version}.tar.xz
+Patch0:    RHEL-85786-fix-leftsubnets-and-rightsubnets.patch

 BuildRequires: make
 BuildRequires: gcc
@ -127,6 +128,9 @@ rm -f %{buildroot}%{_libdir}/NetworkManager/lib*.la
 %endif

 %changelog
+* Fri Mar 27 2026 Gris Ge <fge@redhat.com> - 1.2.30-2
+- Fix the support of leftsubnets and rightsubnets. (RHEL-161465)
+
 * Mon Jan 12 2026 Vladimír Beneš <vbenes@redhat.com> - 1.2.30-1
 - Upgrade to 1.2.30
 - Declare supports-safe-private-file-access (RHEL-140610)
--- a/RHEL-85786-fix-leftsubnets-and-rightsubnets.patch
+++ b/RHEL-85786-fix-leftsubnets-and-rightsubnets.patch
@ -0,0 +1,132 @@
+From 84472d6ed47974b6522236d7e30e2196274750dd Mon Sep 17 00:00:00 2001
+From: Gris Ge <fge@redhat.com>
+Date: Tue, 24 Mar 2026 16:51:01 +0800
+Subject: [PATCH] Fix the support of leftsubnets and rightsubnets
+
+The `NM_LIBRESWAN_KEY_LEFTSUBNETS` and `NM_LIBRESWAN_KEY_RIGHTSUBNETS`
+are not enabled in `struct LibreswanParam params[]` leading
+NetworkManager reject these two options when sending to NM-libreswan
+with error:
+
+```text
+GDBus.Error:org.freedesktop.NetworkManager.VPN.Error.InvalidConnection:
+Invalid VPN setting: property 'leftsubnets' invalid or not supported
+```
+
+The GUI code(`properties/nm-libreswan-dialog.ui`) already has these two
+options processed at `local_network_label` and `remote_network_label`.
+
+Fixed by including these two options into `struct LibreswanParam params[]`.
+Added manpage for these two options.
+Included unit test cases.
+
+Resolves: https://redhat.atlassian.net/browse/RHEL-155372
+
+Signed-off-by: Gris Ge <fge@redhat.com>
+---
+ man/nm-settings-libreswan.5.in |  6 ++++
+ shared/test-utils.c            | 51 ++++++++++++++++++++++++++++++++++
+ shared/utils.c                 |  2 ++
+ 3 files changed, 59 insertions(+)
+
+diff --git a/man/nm-settings-libreswan.5.in b/man/nm-settings-libreswan.5.in
+index 0ef18e4..0bbc363 100644
+--- a/man/nm-settings-libreswan.5.in
+++ b/man/nm-settings-libreswan.5.in
+@@ -226,6 +226,12 @@ This option specifies the allowed protocols and ports over connection.
+ .TP
+ .I "rightprotoport"
+ This option specifies the allowed protocols and ports over connection.
+.TP
+.I "leftsubnets"
+This option specifies multiple private subnets behind the left participant.
+.TP
+.I "rightsubnets"
+This option specifies multiple private subnets behind the right participant.
+ 
+ .SH VPN.SECRETS
+ .PP
+diff --git a/shared/test-utils.c b/shared/test-utils.c
+index bcfbce3..f18ea8a 100644
+--- a/shared/test-utils.c
+++ b/shared/test-utils.c
+@@ -1081,12 +1081,63 @@ test_config_read_rsakey(void)
+ 	g_assert_cmpstr(nm_setting_vpn_get_data_item(s_vpn, "authby"), ==, "rsasig");
+ }
+ 
+static void
+test_config_read_write_subnets(void)
+{
+	GError *error = NULL;
+	NMSettingVpn *s_vpn;
+	NMSettingVpn *s_vpn_sanitized;
+	char *con_name = NULL;
+	char *str;
+	/* clang-format off */
+	const char *conf_str =
+		"# NetworkManager specific configs, don't remove:\n"
+		"# nm-auto-defaults=no\n\n"
+		"conn con_name\n"
+		" right=11.12.13.14\n"
+		" left=22.33.44.55\n"
+		" leftsubnets=192.168.2.0/24,10.0.1.0/24\n"
+		" rightsubnets=192.168.1.0/24,10.0.0.0/24\n";
+	/* clang-format on */
+
+	s_vpn = NM_SETTING_VPN(nm_setting_vpn_new());
+	nm_setting_vpn_add_data_item(s_vpn, "nm-auto-defaults", "no");
+	nm_setting_vpn_add_data_item(s_vpn, "right", "11.12.13.14");
+	nm_setting_vpn_add_data_item(s_vpn, "left", "22.33.44.55");
+	nm_setting_vpn_add_data_item(s_vpn, "rightsubnets", "192.168.1.0/24,10.0.0.0/24");
+	nm_setting_vpn_add_data_item(s_vpn, "leftsubnets", "192.168.2.0/24,10.0.1.0/24");
+	s_vpn_sanitized = sanitize_setting_vpn(s_vpn, &error);
+	g_assert_no_error(error);
+	str = nm_libreswan_get_ipsec_conf(4, s_vpn_sanitized, "con_name", NULL, FALSE, TRUE, &error);
+	g_assert_no_error(error);
+	g_assert_cmpstr(str, ==, conf_str);
+	g_free(str);
+	g_object_unref(s_vpn);
+	g_object_unref(s_vpn_sanitized);
+
+	s_vpn = nm_libreswan_parse_ipsec_conf(conf_str, &con_name, &error);
+	g_assert_no_error(error);
+	g_assert_cmpint(nm_setting_vpn_get_num_data_items(s_vpn), ==, 5);
+	g_assert_cmpstr(nm_setting_vpn_get_data_item(s_vpn, "nm-auto-defaults"), ==, "no");
+	g_assert_cmpstr(nm_setting_vpn_get_data_item(s_vpn, "left"), ==, "22.33.44.55");
+	g_assert_cmpstr(nm_setting_vpn_get_data_item(s_vpn, "right"), ==, "11.12.13.14");
+	g_assert_cmpstr(nm_setting_vpn_get_data_item(s_vpn, "leftsubnets"),
+	                ==,
+	                "192.168.2.0/24,10.0.1.0/24");
+	g_assert_cmpstr(nm_setting_vpn_get_data_item(s_vpn, "rightsubnets"),
+	                ==,
+	                "192.168.1.0/24,10.0.0.0/24");
+	g_object_unref(s_vpn);
+	g_clear_pointer(&con_name, g_free);
+}
+
+ int
+ main(int argc, char **argv)
+ {
+ 	g_test_init(&argc, &argv, NULL);
+ 
+ 	g_test_add_func("/utils/config/write", test_config_write);
+	g_test_add_func("/utils/config/subnets", test_config_read_write_subnets);
+ 	g_test_add_func("/utils/config/read", test_config_read);
+ 	g_test_add_func("/utils/config/read/rsakey", test_config_read_rsakey);
+ 	g_test_add_func("/utils/subnets/parse", test_parse_subnets);
+diff --git a/shared/utils.c b/shared/utils.c
+index 3980553..05d99e2 100644
+--- a/shared/utils.c
+++ b/shared/utils.c
+@@ -327,6 +327,8 @@ static const struct LibreswanParam params[] = {
+ 	{NM_LIBRESWAN_KEY_CLIENTADDRFAMILY, add, PARAM_PRINTABLE},
+ 	{NM_LIBRESWAN_KEY_LEFTSUBNET, add, PARAM_PRINTABLE},
+ 	{NM_LIBRESWAN_KEY_RIGHTSUBNET, add_rightsubnet, PARAM_PRINTABLE},
+	{NM_LIBRESWAN_KEY_LEFTSUBNETS, add, PARAM_PRINTABLE},
+	{NM_LIBRESWAN_KEY_RIGHTSUBNETS, add, PARAM_PRINTABLE},
+ 
+ 	{NM_LIBRESWAN_KEY_LEFTXAUTHUSER, add_username, PARAM_STRING | PARAM_OLD},
+ 	{NM_LIBRESWAN_KEY_LEFTUSERNAME, add_username, PARAM_STRING | PARAM_NEW},
+-- 
+2.53.0
+