From 4585740d20127e64c146e815795ed4e74affa749 Mon Sep 17 00:00:00 2001 From: Wen Liang Date: Tue, 7 Jan 2025 12:58:00 -0500 Subject: [PATCH] vpn: Fix routing rules support and place gateway route to table defined in ipvx.route-table Resolves: RHEL-73051 Resolves: RHEL-73052 Resolves: RHEL-64725 --- ...fined-in-ipvx-route-table-rhel-73051.patch | 64 +++++ ...upport-in-vpn-conenctions-rhel-73052.patch | 242 ++++++++++++++++++ NetworkManager.spec | 10 +- 3 files changed, 314 insertions(+), 2 deletions(-) create mode 100644 1016-vpn-place-gateway-route-to-table-defined-in-ipvx-route-table-rhel-73051.patch create mode 100644 1017-vpn-fix-routing-rules-support-in-vpn-conenctions-rhel-73052.patch diff --git a/1016-vpn-place-gateway-route-to-table-defined-in-ipvx-route-table-rhel-73051.patch b/1016-vpn-place-gateway-route-to-table-defined-in-ipvx-route-table-rhel-73051.patch new file mode 100644 index 0000000..01e2e6b --- /dev/null +++ b/1016-vpn-place-gateway-route-to-table-defined-in-ipvx-route-table-rhel-73051.patch 
@@ -0,0 +1,64 @@ +From 70557e65436d6906233434d4db490edced586b3a Mon Sep 17 00:00:00 2001 +From: Gris Ge +Date: Wed, 11 Dec 2024 22:22:59 +0800 +Subject: [PATCH 1/1] vpn: Place gateway route to table defined in + ipvx.route-table + +Previously, NM create direct route to gateway to main(254) route table +regardless `ipvx.route-table` value. + +Fixed by setting `NMPlatformIP4Route.table_any` to `TRUE`. + +Resolves: https://issues.redhat.com/browse/RHEL-69901 + +Signed-off-by: Gris Ge +(cherry picked from commit 6d06286f1db7421bef1c4dab5fada918c59daf87) +(cherry picked from commit 29f23d3519dbb4dcffc9682fbdfb721cfc0b851c) +(cherry picked from commit 0dc07c5ca4d32b5ea8e104cbad106da9bb5b096d) +(cherry picked from commit 6a04a966c28dbe04e3bd608af06a66cf0af89d21) +(cherry picked from commit 70060d84f268250fd0bead2928eba8739e3eb486) +(cherry picked from commit b92a07713c17eb55fb3f0cfa4c757e379c432e17) +(cherry picked from commit 2aadb5dcb08f2874f153a4e256a893ae5a99ff1e) +--- + src/core/vpn/nm-vpn-connection.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/core/vpn/nm-vpn-connection.c b/src/core/vpn/nm-vpn-connection.c +index bbb7355016..1607d2013a 100644 +--- a/src/core/vpn/nm-vpn-connection.c ++++ b/src/core/vpn/nm-vpn-connection.c +@@ -1239,6 +1239,7 @@ _parent_device_l3cd_add_gateway_route(NML3ConfigData *l3cd, + .gateway = parent_gw.addr4, + .rt_source = NM_IP_CONFIG_SOURCE_VPN, + .metric_any = TRUE, ++ .table_any = TRUE, + }; + } else { + route.r6 = (NMPlatformIP6Route){ +@@ -1248,6 +1249,7 @@ _parent_device_l3cd_add_gateway_route(NML3ConfigData *l3cd, + .gateway = parent_gw.addr6, + .rt_source = NM_IP_CONFIG_SOURCE_VPN, + .metric_any = TRUE, ++ .table_any = TRUE, + }; + } + nm_l3_config_data_add_route(l3cd, addr_family, NULL, &route.rx); +@@ -1264,6 +1266,7 @@ _parent_device_l3cd_add_gateway_route(NML3ConfigData *l3cd, + .plen = 32, + .rt_source = NM_IP_CONFIG_SOURCE_VPN, + .metric_any = TRUE, ++ .table_any = TRUE, + }; + } else { + route.r6 = 
(NMPlatformIP6Route){ +@@ -1271,6 +1274,7 @@ _parent_device_l3cd_add_gateway_route(NML3ConfigData *l3cd, + .plen = 128, + .rt_source = NM_IP_CONFIG_SOURCE_VPN, + .metric_any = TRUE, ++ .table_any = TRUE, + }; + } + nm_l3_config_data_add_route(l3cd, addr_family, NULL, &route.rx); +-- +2.45.0 + diff --git a/1017-vpn-fix-routing-rules-support-in-vpn-conenctions-rhel-73052.patch b/1017-vpn-fix-routing-rules-support-in-vpn-conenctions-rhel-73052.patch new file mode 100644 index 0000000..e7c693b --- /dev/null +++ b/1017-vpn-fix-routing-rules-support-in-vpn-conenctions-rhel-73052.patch 
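Review bot: The four `.table_any = TRUE` insertions in `_parent_device_l3cd_add_gateway_route` carry no comment, and the reason (the direct gateway route must follow `ipvx.route-table` instead of always landing in main) lives only in the embedded patch description. A one-line comment at the first site, `/* honor ipvx.route-table: do not force the gateway route into main(254) */`, would keep that intent next to the code, since `table_any` on its own reads like "don't care". The enclosing function starts and ends outside this hunk because the file being added is itself a patch.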
@@ -0,0 +1,242 @@ +From 3fe666c300e9d7022c1e6f583aceeaa1ccc0975e Mon Sep 17 00:00:00 2001 +From: Wen Liang +Date: Fri, 20 Dec 2024 10:10:25 -0500 +Subject: [PATCH 1/1] vpn: fix routing rules support in vpn conenctions + +This commit introduces the ability to manage routing rules specifically +for VPN connections. These rules allow finer control over traffic +routing by enabling the specification of policy-based routing for +traffic over the VPN. + +- Updated the connection backend to apply rules during VPN activation. +- Ensured proper cleanup of routing rules upon VPN deactivation. + +This enhancement improves VPN usability in scenarios requiring advanced +routing configurations, such as split tunneling and traffic +prioritization. + +Resolves: https://issues.redhat.com/browse/RHEL-70160 +https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2092 +https://gitlab.freedesktop.org/NetworkManager/NetworkManager-ci/-/merge_requests/1842 +(cherry picked from commit 308e34a501482d01c1cc6c87c38791ad9f34dc1f) +(cherry picked from commit a24b347e93e37b04aa0f5698efcb462c02517c09) +(cherry picked from commit b5c46f8a8d644e1c5a6dc07e06d5dab3338e9a91) +(cherry picked from commit 7824d5e5ae5db78abdc6fa24453d939198a5d1da) +(cherry picked from commit f5e8217f77863742ac17b2ad30134a14125acd40) +(cherry picked from commit dcbe04ef5f8bf947d1da4e55a1b9b0ca498d852d) +(cherry picked from commit 49a8b0650f2a19c0e16e2912c88b8e74c5aa8feb) +--- + src/core/devices/nm-device.c | 62 +++++++++++++++++++------------- + src/core/devices/nm-device.h | 6 ++++ + src/core/vpn/nm-vpn-connection.c | 7 +++- + 3 files changed, 50 insertions(+), 25 deletions(-) + +diff --git a/src/core/devices/nm-device.c b/src/core/devices/nm-device.c +index e54942440f..9c4e581e68 100644 +--- a/src/core/devices/nm-device.c ++++ b/src/core/devices/nm-device.c +@@ -9577,31 +9577,34 @@ lldp_setup(NMDevice *self, NMTernary enabled) + * as externally added ones. 
Don't restart NetworkManager if + * you care about that. + */ +-static void +-_routing_rules_sync(NMDevice *self, NMTernary set_mode) ++void ++nm_routing_rules_sync(NMConnection *applied_connection, ++ NMTernary set_mode, ++ GPtrArray *(*get_extra_rules)(NMDevice *self), ++ NMDevice *self, ++ NMNetns *netns) + { +- NMDevicePrivate *priv = NM_DEVICE_GET_PRIVATE(self); +- NMPGlobalTracker *global_tracker = nm_netns_get_global_tracker(nm_device_get_netns(self)); +- NMDeviceClass *klass = NM_DEVICE_GET_CLASS(self); ++ NMPGlobalTracker *global_tracker = nm_netns_get_global_tracker(netns); + gboolean untrack_only_dirty = FALSE; + gboolean keep_deleted_rules; + gpointer user_tag_1; + gpointer user_tag_2; + +- /* take two arbitrary user-tag pointers that belong to @self. */ +- user_tag_1 = &priv->v4_route_table; +- user_tag_2 = &priv->v6_route_table; ++ if (self) { ++ user_tag_1 = ((guint32 *) self) + 1; ++ user_tag_2 = ((guint32 *) self) + 2; ++ } else { ++ user_tag_1 = ((guint32 *) applied_connection) + 1; ++ user_tag_2 = ((guint32 *) applied_connection) + 2; ++ } + + if (set_mode == NM_TERNARY_TRUE) { +- NMConnection *applied_connection; + NMSettingIPConfig *s_ip; + guint i, num; + int is_ipv4; + + untrack_only_dirty = TRUE; + +- applied_connection = nm_device_get_applied_connection(self); +- + for (is_ipv4 = 0; applied_connection && is_ipv4 < 2; is_ipv4++) { + int addr_family = is_ipv4 ? 
AF_INET : AF_INET6; + +@@ -9628,10 +9631,10 @@ _routing_rules_sync(NMDevice *self, NMTernary set_mode) + } + } + +- if (klass->get_extra_rules) { ++ if (get_extra_rules) { + gs_unref_ptrarray GPtrArray *extra_rules = NULL; + +- extra_rules = klass->get_extra_rules(self); ++ extra_rules = get_extra_rules(self); + if (extra_rules) { + for (i = 0; i < extra_rules->len; i++) { + nmp_global_tracker_track_rule( +@@ -9646,7 +9649,7 @@ _routing_rules_sync(NMDevice *self, NMTernary set_mode) + } + + nmp_global_tracker_untrack_all(global_tracker, user_tag_1, !untrack_only_dirty, TRUE); +- if (klass->get_extra_rules) ++ if (get_extra_rules) + nmp_global_tracker_untrack_all(global_tracker, user_tag_2, !untrack_only_dirty, TRUE); + + keep_deleted_rules = FALSE; +@@ -9706,8 +9709,8 @@ tc_commit(NMDevice *self) + static void + activate_stage2_device_config(NMDevice *self) + { +- NMDevicePrivate *priv = NM_DEVICE_GET_PRIVATE(self); +- NMDeviceClass *klass; ++ NMDevicePrivate *priv = NM_DEVICE_GET_PRIVATE(self); ++ NMDeviceClass *klass = NM_DEVICE_GET_CLASS(self); + NMActStageReturn ret; + NMSettingWired *s_wired; + gboolean no_firmware = FALSE; +@@ -9730,7 +9733,11 @@ activate_stage2_device_config(NMDevice *self) + priv->tc_committed = TRUE; + } + +- _routing_rules_sync(self, NM_TERNARY_TRUE); ++ nm_routing_rules_sync(nm_device_get_applied_connection(self), ++ NM_TERNARY_TRUE, ++ klass->get_extra_rules, ++ self, ++ nm_device_get_netns(self)); + + if (!nm_device_sys_iface_state_is_external_or_assume(self)) { + if (!nm_device_bring_up_full(self, FALSE, TRUE, &no_firmware)) { +@@ -9742,7 +9749,6 @@ activate_stage2_device_config(NMDevice *self) + } + } + +- klass = NM_DEVICE_GET_CLASS(self); + if (klass->act_stage2_config_also_for_external_or_assume + || !nm_device_sys_iface_state_is_external_or_assume(self)) { + NMDeviceStateReason failure_reason = NM_DEVICE_STATE_REASON_NONE; +@@ -12984,7 +12990,11 @@ check_and_reapply_connection(NMDevice *self, + + 
nm_device_activate_schedule_stage3_ip_config(self, FALSE); + +- _routing_rules_sync(self, NM_TERNARY_TRUE); ++ nm_routing_rules_sync(nm_device_get_applied_connection(self), ++ NM_TERNARY_TRUE, ++ klass->get_extra_rules, ++ self, ++ nm_device_get_netns(self)); + + reactivate_proxy_config(self); + +@@ -15450,6 +15460,7 @@ static void + nm_device_cleanup(NMDevice *self, NMDeviceStateReason reason, CleanupType cleanup_type) + { + NMDevicePrivate *priv; ++ NMDeviceClass *klass = NM_DEVICE_GET_CLASS(self); + int ifindex; + + g_return_if_fail(NM_IS_DEVICE(self)); +@@ -15474,8 +15485,8 @@ nm_device_cleanup(NMDevice *self, NMDeviceStateReason reason, CleanupType cleanu + } + + /* Call device type-specific deactivation */ +- if (NM_DEVICE_GET_CLASS(self)->deactivate) +- NM_DEVICE_GET_CLASS(self)->deactivate(self); ++ if (klass->deactivate) ++ klass->deactivate(self); + + ifindex = nm_device_get_ip_ifindex(self); + +@@ -15497,8 +15508,11 @@ nm_device_cleanup(NMDevice *self, NMDeviceStateReason reason, CleanupType cleanu + + priv->tc_committed = FALSE; + +- _routing_rules_sync(self, +- cleanup_type == CLEANUP_TYPE_KEEP ? NM_TERNARY_DEFAULT : NM_TERNARY_FALSE); ++ nm_routing_rules_sync(nm_device_get_applied_connection(self), ++ cleanup_type == CLEANUP_TYPE_KEEP ? NM_TERNARY_DEFAULT : NM_TERNARY_FALSE, ++ klass->get_extra_rules, ++ self, ++ nm_device_get_netns(self)); + + if (ifindex > 0) + nm_platform_ip4_dev_route_blacklist_set(nm_device_get_platform(self), ifindex, NULL); +@@ -15527,7 +15541,7 @@ nm_device_cleanup(NMDevice *self, NMDeviceStateReason reason, CleanupType cleanu + /* for other device states (UNAVAILABLE, DISCONNECTED), allow the + * device to overwrite the reset behavior, so that Wi-Fi can set + * a randomized MAC address used during scanning. 
*/ +- NM_DEVICE_GET_CLASS(self)->deactivate_reset_hw_addr(self); ++ klass->deactivate_reset_hw_addr(self); + } + } + +diff --git a/src/core/devices/nm-device.h b/src/core/devices/nm-device.h +index 68387a2149..e58c2088b9 100644 +--- a/src/core/devices/nm-device.h ++++ b/src/core/devices/nm-device.h +@@ -821,4 +821,10 @@ nm_device_get_hostname_from_dns_lookup(NMDevice *self, int addr_family, gboolean + + void nm_device_clear_dns_lookup_data(NMDevice *self, const char *reason); + ++void nm_routing_rules_sync(NMConnection *applied_connection, ++ NMTernary set_mode, ++ GPtrArray *(*get_extra_rules)(NMDevice *self), ++ NMDevice *self, ++ NMNetns *netns); ++ + #endif /* __NETWORKMANAGER_DEVICE_H__ */ +diff --git a/src/core/vpn/nm-vpn-connection.c b/src/core/vpn/nm-vpn-connection.c +index 1607d2013a..0068b52bc3 100644 +--- a/src/core/vpn/nm-vpn-connection.c ++++ b/src/core/vpn/nm-vpn-connection.c +@@ -903,7 +903,8 @@ fw_call_cleanup(NMVpnConnection *self) + static void + vpn_cleanup(NMVpnConnection *self, NMDevice *parent_dev) + { +- const char *iface; ++ NMVpnConnectionPrivate *priv = NM_VPN_CONNECTION_GET_PRIVATE(self); ++ const char *iface; + + /* Remove zone from firewall */ + iface = nm_vpn_connection_get_ip_iface(self, FALSE); +@@ -915,6 +916,8 @@ vpn_cleanup(NMVpnConnection *self, NMDevice *parent_dev) + fw_call_cleanup(self); + + _l3cfg_l3cd_clear_all(self); ++ ++ nm_routing_rules_sync(_get_applied_connection(self), NM_TERNARY_FALSE, NULL, NULL, priv->netns); + } + + static void +@@ -2206,6 +2209,8 @@ _dbus_signal_ip_config_cb(NMVpnConnection *self, int addr_family, GVariant *dict + + _l3cfg_l3cd_set(self, L3CD_TYPE_IP_X(IS_IPv4), l3cd); + ++ nm_routing_rules_sync(_get_applied_connection(self), NM_TERNARY_TRUE, NULL, NULL, priv->netns); ++ + _check_complete(self, TRUE); + } + +-- +2.45.0 + diff --git a/NetworkManager.spec b/NetworkManager.spec index 1efe072..c500772 100644 --- a/NetworkManager.spec +++ b/NetworkManager.spec 
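Review bot: In `nm_device_cleanup`, the added `NMDeviceClass *klass = NM_DEVICE_GET_CLASS(self);` initializer is evaluated before the existing `g_return_if_fail(NM_IS_DEVICE(self));`, so the class cast now runs on an unchecked pointer; declare `NMDeviceClass *klass;` and assign `klass = NM_DEVICE_GET_CLASS(self);` after the guard. In `nm_routing_rules_sync` the comment `/* take two arbitrary user-tag pointers that belong to @self. */` was dropped while the tags became `((guint32 *) self) + 1` / `+ 2` and, for VPNs, the same offsets into `applied_connection`; a comment stating that these are opaque identity tags, never dereferenced, and that track and untrack must derive them from the same object would help the next reader. That contract matters in `vpn_cleanup`, which untracks with `_get_applied_connection(self)`: if that returns a different object than the one used in `_dbus_signal_ip_config_cb`, or NULL (pointer arithmetic on NULL, and the tracking loop already skips a NULL connection), the rules remain tracked in the global tracker, so an early return or `nm_assert` on NULL seems warranted. The enclosing functions start and end outside this hunk because the file being added is itself a patch.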
@@ -6,7 +6,7 @@ %global epoch_version 1 %global real_version 1.40.16 %global rpm_version %{real_version} -%global release_version 17 +%global release_version 18 %global snapshot %{nil} %global git_sha %{nil} %global bcond_default_debug 0 @@ -211,6 +211,8 @@ Patch1012: 1012-device-do-not-set-MAC-address-on-iface-with-index-0-rhel-16008.p Patch1013: 1013-fix-matching-existing-connection-by-UUID-on-restart-rhel-5119.patch Patch1014: 1014-device-disable-IPv6-in-NetworkManager-when-disabled-rhel-10450.patch Patch1015: 1015-use-etc-hosts-for-hostname-resolution-rhel-53200.patch +Patch1016: 1016-vpn-place-gateway-route-to-table-defined-in-ipvx-route-table-rhel-73051.patch +Patch1017: 1017-vpn-fix-routing-rules-support-in-vpn-conenctions-rhel-73052.patch Requires(post): systemd %if 0%{?fedora} || 0%{?rhel} >= 8 @@ -1246,7 +1248,11 @@ fi %changelog -* Wed Aug 20 2024 Fernando Fernandez Mancera - 1:1.40.16-17 +* Tue Jan 07 2025 Wen Liang - 1:1.40.16-18 +- vpn: fix routing rules support in vpn conenctions (RHEL-73052) +- vpn: Place gateway route to table defined in ipvx.route-table (RHEL-73051) + +* Wed Aug 21 2024 Fernando Fernandez Mancera - 1:1.40.16-17 - Rebuild to use the right tag * Tue Aug 20 2024 Fernando Fernandez Mancera - 1:1.40.16-16