diff --git a/SOURCES/1015-use-etc-hosts-for-hostname-resolution-rhel-53200.patch b/SOURCES/1015-use-etc-hosts-for-hostname-resolution-rhel-53200.patch
new file mode 100644
index 0000000..f6bd141
--- /dev/null
+++ b/SOURCES/1015-use-etc-hosts-for-hostname-resolution-rhel-53200.patch
@@ -0,0 +1,272 @@ +From ccdde35eb8467a272db1c418e6bd44cc998c57a8 Mon Sep 17 00:00:00 2001 +From: Beniamino Galvani +Date: Wed, 19 Jun 2024 20:14:14 +0200 +Subject: [PATCH 1/2] nm-daemon-helper: add "service" argument + +Introduce a new argument to specify a comma-separated list of NSS +services to use for the "resolve-address" command. For now only accept +"dns" and "files"; the latter can be used to do a lookup into +/etc/hosts. + +Note that previously the command failed in presence of extra +arguments. Therefore, when downgrading NetworkManager without +restarting the service, the previously-installed version of the daemon +(newer) would spawn the helper with the extra argument, and the +newly-installed version of the helper (older) would fail. This issue +only impacts hostname resolution and can be fixed by just restarting +the daemon. + +In the upgrade path everything works as before, with the only +difference that the helper will use by default both "dns" and "files" +services. + +Don't strictly check for the absence of extra arguments, so that in +the future we can introduce more arguments without necessarily break +the downgrade path. 
+ +(cherry picked from commit 229bebfae95f789018433900868700c16a20a17b) +(cherry picked from commit c36a74f698cc31fba20d9fd0a74d5cf74b832071) +(cherry picked from commit e86ddd9fc590e3b4462464c0562ab115f654f5d1) +(cherry picked from commit 717db10a9de53e875f0d7a603960c5bca427014e) +(cherry picked from commit f549bdd9c1d026bd34c68e6c0ec6036f1697ada0) +(cherry picked from commit cabef041c8587824875c09675924455f5ca7583c) +--- + src/nm-daemon-helper/nm-daemon-helper.c | 68 +++++++++++++++++-------- + 1 file changed, 47 insertions(+), 21 deletions(-) + +diff --git a/src/nm-daemon-helper/nm-daemon-helper.c b/src/nm-daemon-helper/nm-daemon-helper.c +index a447d63cfe..5faacf43f3 100644 +--- a/src/nm-daemon-helper/nm-daemon-helper.c ++++ b/src/nm-daemon-helper/nm-daemon-helper.c +@@ -55,26 +55,31 @@ cmd_version(void) + static int + cmd_resolve_address(void) + { +- nm_auto_free char *address = NULL; ++ nm_auto_free char *address = NULL; ++ nm_auto_free char *services = NULL; + union { + struct sockaddr_in in; + struct sockaddr_in6 in6; + } sockaddr; + socklen_t sockaddr_size; + char name[NI_MAXHOST]; ++ char *saveptr = NULL; ++ char *service; ++ char *str; + int ret; + + address = read_arg(); + if (!address) + return RETURN_INVALID_ARGS; + +- if (more_args()) +- return RETURN_INVALID_ARGS; ++ services = read_arg(); ++ if (!services) { ++ /* Called by an old NM version which doesn't support the 'services' ++ * argument. Use both services. 
*/ ++ services = strdup("dns,files"); ++ } + + memset(&sockaddr, 0, sizeof(sockaddr)); +-#if defined(__GLIBC__) +- __nss_configure_lookup("hosts", "dns"); +-#endif + + if (inet_pton(AF_INET, address, &sockaddr.in.sin_addr) == 1) { + sockaddr.in.sin_family = AF_INET; +@@ -85,30 +90,51 @@ cmd_resolve_address(void) + } else + return RETURN_INVALID_ARGS; + +- ret = getnameinfo((struct sockaddr *) &sockaddr, +- sockaddr_size, +- name, +- sizeof(name), +- NULL, +- 0, +- NI_NAMEREQD); +- if (ret != 0) { +- if (ret == EAI_SYSTEM) { ++ for (str = services; (service = strtok_r(str, ",", &saveptr)); str = NULL) { ++ if (!NM_IN_STRSET(service, "dns", "files")) { ++ fprintf(stderr, "Unsupported resolver service '%s'\n", service); ++ continue; ++ } ++ ++#if defined(__GLIBC__) ++ __nss_configure_lookup("hosts", service); ++#endif ++ ++ ret = getnameinfo((struct sockaddr *) &sockaddr, ++ sockaddr_size, ++ name, ++ sizeof(name), ++ NULL, ++ 0, ++ NI_NAMEREQD); ++ ++ if (ret == 0) { ++ printf("%s", name); ++ return RETURN_SUCCESS; ++ } else if (ret == EAI_SYSTEM) { ++ char buf[1024]; ++ int errsv = errno; ++ + fprintf(stderr, +- "getnameinfo() failed: %d (%s), system error: %d (%s)\n", ++ "getnameinfo() via service '%s' failed: %d (%s), system error: %d (%s)\n", ++ service, + ret, + gai_strerror(ret), + errno, + strerror(errno)); + } else { +- fprintf(stderr, "getnameinfo() failed: %d (%s)\n", ret, gai_strerror(ret)); ++ fprintf(stderr, ++ "getnameinfo() via service '%s' failed: %d (%s)\n", ++ service, ++ ret, ++ gai_strerror(ret)); + } +- return RETURN_ERROR; ++#if !defined(__GLIBC__) ++ break; ++#endif + } + +- printf("%s", name); +- +- return RETURN_SUCCESS; ++ return RETURN_ERROR; + } + + int +-- +2.46.0 + + +From c55a3466cc91b7460f7e81f0879ced041db050e7 Mon Sep 17 00:00:00 2001 +From: Beniamino Galvani +Date: Wed, 19 Jun 2024 20:29:37 +0200 +Subject: [PATCH 2/2] core: also use /etc/hosts for hostname resolution + +Before introducing the hostname lookup via nm-daemon-helper and 
+systemd-resolved, we used GLib's GResolver which internally relies on +the libc resolver and generally also returns results from /etc/hosts. + +With the new mechanism we only ask to systemd-resolved (with +NO_SYNTHESIZE) or perform the lookup via the "dns" NSS module. In both +ways, /etc/hosts is not evaluated. + +Since users relied on having the hostname resolved via /etc/hosts, +restore that behavior. Now, after trying the resolution via +systemd-resolved and the "dns" NSS module, we also try via the "files" +NSS module which reads /etc/hosts. + +Fixes: 27eae4043b27 ('device: add a nm_device_resolve_address()') +(cherry picked from commit 410afccb32f5814c6aeebec837505e3f94b7408c) +(cherry picked from commit cb54fe7ce9a69b1f8abfd6fa5f2bf83e971ff997) +(cherry picked from commit e3861be84505d795c34347af84bbf73dc4196586) +(cherry picked from commit cfe840784c067981a882fa349f5e8a6704d21c37) +(cherry picked from commit 16946905a675c0530437b277925beeb1bd81bdc8) +(cherry picked from commit 8aaae05f219a8fb1bebb1b6778acdf459acb6c90) +--- + src/core/devices/nm-device-utils.c | 49 ++++++++++++++++++++++-------- + 1 file changed, 36 insertions(+), 13 deletions(-) + +diff --git a/src/core/devices/nm-device-utils.c b/src/core/devices/nm-device-utils.c +index 170922eba0..ea6ddc36d4 100644 +--- a/src/core/devices/nm-device-utils.c ++++ b/src/core/devices/nm-device-utils.c +@@ -231,14 +231,36 @@ resolve_addr_helper_cb(GObject *source, GAsyncResult *result, gpointer user_data + resolve_addr_complete(info, g_steal_pointer(&output), g_steal_pointer(&error)); + } + ++typedef enum { ++ RESOLVE_ADDR_SERVICE_NONE = 0x0, ++ RESOLVE_ADDR_SERVICE_DNS = 0x1, ++ RESOLVE_ADDR_SERVICE_FILES = 0x2, ++} ResolveAddrService; ++ + static void +-resolve_addr_spawn_helper(ResolveAddrInfo *info) ++resolve_addr_spawn_helper(ResolveAddrInfo *info, ResolveAddrService services) + { +- char addr_str[NM_UTILS_INET_ADDRSTRLEN]; ++ char addr_str[NM_UTILS_INET_ADDRSTRLEN]; ++ char str[256]; ++ char *s = str; 
++ gsize len = sizeof(str); ++ gboolean comma = FALSE; ++ ++ nm_assert(services != RESOLVE_ADDR_SERVICE_NONE); ++ nm_assert((services & ~(RESOLVE_ADDR_SERVICE_DNS | RESOLVE_ADDR_SERVICE_FILES)) == 0); ++ ++ if (services & RESOLVE_ADDR_SERVICE_DNS) { ++ nm_strbuf_append(&s, &len, "%sdns", comma ? "," : ""); ++ comma = TRUE; ++ } ++ if (services & RESOLVE_ADDR_SERVICE_FILES) { ++ nm_strbuf_append(&s, &len, "%sfiles", comma ? "," : ""); ++ comma = TRUE; ++ } + + nm_utils_inet_ntop(info->addr_family, &info->address, addr_str); +- _LOG2D(info, "start lookup via nm-daemon-helper"); +- nm_utils_spawn_helper(NM_MAKE_STRV("resolve-address", addr_str), ++ _LOG2D(info, "start lookup via nm-daemon-helper using services: %s", str); ++ nm_utils_spawn_helper(NM_MAKE_STRV("resolve-address", addr_str, str), + g_task_get_cancellable(info->task), + resolve_addr_helper_cb, + info); +@@ -268,27 +290,28 @@ resolve_addr_resolved_cb(NMDnsSystemdResolved *resolved, + dbus_error = g_dbus_error_get_remote_error(error); + if (NM_STR_HAS_PREFIX(dbus_error, "org.freedesktop.resolve1.")) { + /* systemd-resolved is enabled but it couldn't resolve the +- * address via DNS. Don't fall back to spawning the helper, +- * because the helper will possibly ask again to ++ * address via DNS. Spawn again the helper to check if we ++ * can find a result in /etc/hosts. Don't enable the 'dns' ++ * service otherwise the helper will possibly ask again to + * systemd-resolved (via /etc/resolv.conf), potentially using + * other protocols than DNS or returning synthetic results. + * +- * Consider the error as the final indication that the address +- * can't be resolved. 
+- * + * See: https://www.freedesktop.org/wiki/Software/systemd/resolved/#commonerrors + */ +- resolve_addr_complete(info, NULL, g_error_copy(error)); ++ resolve_addr_spawn_helper(info, RESOLVE_ADDR_SERVICE_FILES); + return; + } + +- resolve_addr_spawn_helper(info); ++ /* systemd-resolved couldn't be contacted, use the helper */ ++ resolve_addr_spawn_helper(info, RESOLVE_ADDR_SERVICE_DNS | RESOLVE_ADDR_SERVICE_FILES); + return; + } + + if (names_len == 0) { + _LOG2D(info, "systemd-resolved returned no result"); +- resolve_addr_complete(info, g_strdup(""), NULL); ++ /* We passed the NO_SYNTHESIZE flag and so systemd-resolved ++ * didn't look into /etc/hosts. Spawn the helper for that. */ ++ resolve_addr_spawn_helper(info, RESOLVE_ADDR_SERVICE_FILES); + return; + } + +@@ -352,7 +375,7 @@ nm_device_resolve_address(int addr_family, + return; + } + +- resolve_addr_spawn_helper(info); ++ resolve_addr_spawn_helper(info, RESOLVE_ADDR_SERVICE_DNS | RESOLVE_ADDR_SERVICE_FILES); + } + + char * +-- +2.46.0 + diff --git a/SOURCES/1016-vpn-place-gateway-route-to-table-defined-in-ipvx-route-table-rhel-73051.patch b/SOURCES/1016-vpn-place-gateway-route-to-table-defined-in-ipvx-route-table-rhel-73051.patch new file mode 100644 index 0000000..01e2e6b --- /dev/null +++ b/SOURCES/1016-vpn-place-gateway-route-to-table-defined-in-ipvx-route-table-rhel-73051.patch 
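Review bot: In the embedded nm-daemon-helper.c change (patch 1015), the `EAI_SYSTEM` branch of `cmd_resolve_address()` declares `char buf[1024]` and `int errsv = errno`, but the `fprintf()` below still passes `errno` and `strerror(errno)`. Both new locals are therefore unused, and the value printed may be one that `gai_strerror()` or an earlier library call has already overwritten. Pass the saved copy instead, `errsv,` and `strerror(errsv));`, and drop `buf` unless a reentrant strerror variant is meant to fill it. In the same function the fallback `services = strdup("dns,files");` is not checked, so on allocation failure a NULL string reaches `strtok_r()` while `saveptr` is also NULL; adding `if (!services) return RETURN_ERROR;` after the `strdup()` closes that. A short comment above the loop would also help, saying that the first service to return a name wins and that non-glibc builds attempt only one lookup because `service` cannot be applied there.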
@@ -0,0 +1,64 @@ +From 70557e65436d6906233434d4db490edced586b3a Mon Sep 17 00:00:00 2001 +From: Gris Ge +Date: Wed, 11 Dec 2024 22:22:59 +0800 +Subject: [PATCH 1/1] vpn: Place gateway route to table defined in + ipvx.route-table + +Previously, NM create direct route to gateway to main(254) route table +regardless `ipvx.route-table` value. + +Fixed by setting `NMPlatformIP4Route.table_any` to `TRUE`. + +Resolves: https://issues.redhat.com/browse/RHEL-69901 + +Signed-off-by: Gris Ge +(cherry picked from commit 6d06286f1db7421bef1c4dab5fada918c59daf87) +(cherry picked from commit 29f23d3519dbb4dcffc9682fbdfb721cfc0b851c) +(cherry picked from commit 0dc07c5ca4d32b5ea8e104cbad106da9bb5b096d) +(cherry picked from commit 6a04a966c28dbe04e3bd608af06a66cf0af89d21) +(cherry picked from commit 70060d84f268250fd0bead2928eba8739e3eb486) +(cherry picked from commit b92a07713c17eb55fb3f0cfa4c757e379c432e17) +(cherry picked from commit 2aadb5dcb08f2874f153a4e256a893ae5a99ff1e) +--- + src/core/vpn/nm-vpn-connection.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/core/vpn/nm-vpn-connection.c b/src/core/vpn/nm-vpn-connection.c +index bbb7355016..1607d2013a 100644 +--- a/src/core/vpn/nm-vpn-connection.c ++++ b/src/core/vpn/nm-vpn-connection.c +@@ -1239,6 +1239,7 @@ _parent_device_l3cd_add_gateway_route(NML3ConfigData *l3cd, + .gateway = parent_gw.addr4, + .rt_source = NM_IP_CONFIG_SOURCE_VPN, + .metric_any = TRUE, ++ .table_any = TRUE, + }; + } else { + route.r6 = (NMPlatformIP6Route){ +@@ -1248,6 +1249,7 @@ _parent_device_l3cd_add_gateway_route(NML3ConfigData *l3cd, + .gateway = parent_gw.addr6, + .rt_source = NM_IP_CONFIG_SOURCE_VPN, + .metric_any = TRUE, ++ .table_any = TRUE, + }; + } + nm_l3_config_data_add_route(l3cd, addr_family, NULL, &route.rx); +@@ -1264,6 +1266,7 @@ _parent_device_l3cd_add_gateway_route(NML3ConfigData *l3cd, + .plen = 32, + .rt_source = NM_IP_CONFIG_SOURCE_VPN, + .metric_any = TRUE, ++ .table_any = TRUE, + }; + } else { + route.r6 = 
(NMPlatformIP6Route){ +@@ -1271,6 +1274,7 @@ _parent_device_l3cd_add_gateway_route(NML3ConfigData *l3cd, + .plen = 128, + .rt_source = NM_IP_CONFIG_SOURCE_VPN, + .metric_any = TRUE, ++ .table_any = TRUE, + }; + } + nm_l3_config_data_add_route(l3cd, addr_family, NULL, &route.rx); +-- +2.45.0 + diff --git a/SOURCES/1017-vpn-fix-routing-rules-support-in-vpn-conenctions-rhel-73052.patch b/SOURCES/1017-vpn-fix-routing-rules-support-in-vpn-conenctions-rhel-73052.patch new file mode 100644 index 0000000..e7c693b --- /dev/null +++ b/SOURCES/1017-vpn-fix-routing-rules-support-in-vpn-conenctions-rhel-73052.patch 
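Review bot: The four route initializers in `_parent_device_l3cd_add_gateway_route()` (patch 1016) gain `.table_any = TRUE` with no comment, so the reason exists only in the commit message. The direct route to the VPN gateway decides which table the tunnel's carrier traffic is looked up in, so a one-line comment at the first initializer would keep that intent next to the code, for example `/* table_any: let the route follow ipvX.route-table instead of defaulting to main (254) */`. The function starts and ends outside these hunks, so how the table is resolved afterwards is inferred from the description rather than visible here. No test accompanies the change in this patch; a case that sets a non-main `ipv4.route-table` on the VPN profile and checks where the gateway route lands would pin the behaviour.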
@@ -0,0 +1,242 @@ +From 3fe666c300e9d7022c1e6f583aceeaa1ccc0975e Mon Sep 17 00:00:00 2001 +From: Wen Liang +Date: Fri, 20 Dec 2024 10:10:25 -0500 +Subject: [PATCH 1/1] vpn: fix routing rules support in vpn conenctions + +This commit introduces the ability to manage routing rules specifically +for VPN connections. These rules allow finer control over traffic +routing by enabling the specification of policy-based routing for +traffic over the VPN. + +- Updated the connection backend to apply rules during VPN activation. +- Ensured proper cleanup of routing rules upon VPN deactivation. + +This enhancement improves VPN usability in scenarios requiring advanced +routing configurations, such as split tunneling and traffic +prioritization. + +Resolves: https://issues.redhat.com/browse/RHEL-70160 +https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2092 +https://gitlab.freedesktop.org/NetworkManager/NetworkManager-ci/-/merge_requests/1842 +(cherry picked from commit 308e34a501482d01c1cc6c87c38791ad9f34dc1f) +(cherry picked from commit a24b347e93e37b04aa0f5698efcb462c02517c09) +(cherry picked from commit b5c46f8a8d644e1c5a6dc07e06d5dab3338e9a91) +(cherry picked from commit 7824d5e5ae5db78abdc6fa24453d939198a5d1da) +(cherry picked from commit f5e8217f77863742ac17b2ad30134a14125acd40) +(cherry picked from commit dcbe04ef5f8bf947d1da4e55a1b9b0ca498d852d) +(cherry picked from commit 49a8b0650f2a19c0e16e2912c88b8e74c5aa8feb) +--- + src/core/devices/nm-device.c | 62 +++++++++++++++++++------------- + src/core/devices/nm-device.h | 6 ++++ + src/core/vpn/nm-vpn-connection.c | 7 +++- + 3 files changed, 50 insertions(+), 25 deletions(-) + +diff --git a/src/core/devices/nm-device.c b/src/core/devices/nm-device.c +index e54942440f..9c4e581e68 100644 +--- a/src/core/devices/nm-device.c ++++ b/src/core/devices/nm-device.c +@@ -9577,31 +9577,34 @@ lldp_setup(NMDevice *self, NMTernary enabled) + * as externally added ones. 
Don't restart NetworkManager if + * you care about that. + */ +-static void +-_routing_rules_sync(NMDevice *self, NMTernary set_mode) ++void ++nm_routing_rules_sync(NMConnection *applied_connection, ++ NMTernary set_mode, ++ GPtrArray *(*get_extra_rules)(NMDevice *self), ++ NMDevice *self, ++ NMNetns *netns) + { +- NMDevicePrivate *priv = NM_DEVICE_GET_PRIVATE(self); +- NMPGlobalTracker *global_tracker = nm_netns_get_global_tracker(nm_device_get_netns(self)); +- NMDeviceClass *klass = NM_DEVICE_GET_CLASS(self); ++ NMPGlobalTracker *global_tracker = nm_netns_get_global_tracker(netns); + gboolean untrack_only_dirty = FALSE; + gboolean keep_deleted_rules; + gpointer user_tag_1; + gpointer user_tag_2; + +- /* take two arbitrary user-tag pointers that belong to @self. */ +- user_tag_1 = &priv->v4_route_table; +- user_tag_2 = &priv->v6_route_table; ++ if (self) { ++ user_tag_1 = ((guint32 *) self) + 1; ++ user_tag_2 = ((guint32 *) self) + 2; ++ } else { ++ user_tag_1 = ((guint32 *) applied_connection) + 1; ++ user_tag_2 = ((guint32 *) applied_connection) + 2; ++ } + + if (set_mode == NM_TERNARY_TRUE) { +- NMConnection *applied_connection; + NMSettingIPConfig *s_ip; + guint i, num; + int is_ipv4; + + untrack_only_dirty = TRUE; + +- applied_connection = nm_device_get_applied_connection(self); +- + for (is_ipv4 = 0; applied_connection && is_ipv4 < 2; is_ipv4++) { + int addr_family = is_ipv4 ? 
AF_INET : AF_INET6; + +@@ -9628,10 +9631,10 @@ _routing_rules_sync(NMDevice *self, NMTernary set_mode) + } + } + +- if (klass->get_extra_rules) { ++ if (get_extra_rules) { + gs_unref_ptrarray GPtrArray *extra_rules = NULL; + +- extra_rules = klass->get_extra_rules(self); ++ extra_rules = get_extra_rules(self); + if (extra_rules) { + for (i = 0; i < extra_rules->len; i++) { + nmp_global_tracker_track_rule( +@@ -9646,7 +9649,7 @@ _routing_rules_sync(NMDevice *self, NMTernary set_mode) + } + + nmp_global_tracker_untrack_all(global_tracker, user_tag_1, !untrack_only_dirty, TRUE); +- if (klass->get_extra_rules) ++ if (get_extra_rules) + nmp_global_tracker_untrack_all(global_tracker, user_tag_2, !untrack_only_dirty, TRUE); + + keep_deleted_rules = FALSE; +@@ -9706,8 +9709,8 @@ tc_commit(NMDevice *self) + static void + activate_stage2_device_config(NMDevice *self) + { +- NMDevicePrivate *priv = NM_DEVICE_GET_PRIVATE(self); +- NMDeviceClass *klass; ++ NMDevicePrivate *priv = NM_DEVICE_GET_PRIVATE(self); ++ NMDeviceClass *klass = NM_DEVICE_GET_CLASS(self); + NMActStageReturn ret; + NMSettingWired *s_wired; + gboolean no_firmware = FALSE; +@@ -9730,7 +9733,11 @@ activate_stage2_device_config(NMDevice *self) + priv->tc_committed = TRUE; + } + +- _routing_rules_sync(self, NM_TERNARY_TRUE); ++ nm_routing_rules_sync(nm_device_get_applied_connection(self), ++ NM_TERNARY_TRUE, ++ klass->get_extra_rules, ++ self, ++ nm_device_get_netns(self)); + + if (!nm_device_sys_iface_state_is_external_or_assume(self)) { + if (!nm_device_bring_up_full(self, FALSE, TRUE, &no_firmware)) { +@@ -9742,7 +9749,6 @@ activate_stage2_device_config(NMDevice *self) + } + } + +- klass = NM_DEVICE_GET_CLASS(self); + if (klass->act_stage2_config_also_for_external_or_assume + || !nm_device_sys_iface_state_is_external_or_assume(self)) { + NMDeviceStateReason failure_reason = NM_DEVICE_STATE_REASON_NONE; +@@ -12984,7 +12990,11 @@ check_and_reapply_connection(NMDevice *self, + + 
nm_device_activate_schedule_stage3_ip_config(self, FALSE); + +- _routing_rules_sync(self, NM_TERNARY_TRUE); ++ nm_routing_rules_sync(nm_device_get_applied_connection(self), ++ NM_TERNARY_TRUE, ++ klass->get_extra_rules, ++ self, ++ nm_device_get_netns(self)); + + reactivate_proxy_config(self); + +@@ -15450,6 +15460,7 @@ static void + nm_device_cleanup(NMDevice *self, NMDeviceStateReason reason, CleanupType cleanup_type) + { + NMDevicePrivate *priv; ++ NMDeviceClass *klass = NM_DEVICE_GET_CLASS(self); + int ifindex; + + g_return_if_fail(NM_IS_DEVICE(self)); +@@ -15474,8 +15485,8 @@ nm_device_cleanup(NMDevice *self, NMDeviceStateReason reason, CleanupType cleanu + } + + /* Call device type-specific deactivation */ +- if (NM_DEVICE_GET_CLASS(self)->deactivate) +- NM_DEVICE_GET_CLASS(self)->deactivate(self); ++ if (klass->deactivate) ++ klass->deactivate(self); + + ifindex = nm_device_get_ip_ifindex(self); + +@@ -15497,8 +15508,11 @@ nm_device_cleanup(NMDevice *self, NMDeviceStateReason reason, CleanupType cleanu + + priv->tc_committed = FALSE; + +- _routing_rules_sync(self, +- cleanup_type == CLEANUP_TYPE_KEEP ? NM_TERNARY_DEFAULT : NM_TERNARY_FALSE); ++ nm_routing_rules_sync(nm_device_get_applied_connection(self), ++ cleanup_type == CLEANUP_TYPE_KEEP ? NM_TERNARY_DEFAULT : NM_TERNARY_FALSE, ++ klass->get_extra_rules, ++ self, ++ nm_device_get_netns(self)); + + if (ifindex > 0) + nm_platform_ip4_dev_route_blacklist_set(nm_device_get_platform(self), ifindex, NULL); +@@ -15527,7 +15541,7 @@ nm_device_cleanup(NMDevice *self, NMDeviceStateReason reason, CleanupType cleanu + /* for other device states (UNAVAILABLE, DISCONNECTED), allow the + * device to overwrite the reset behavior, so that Wi-Fi can set + * a randomized MAC address used during scanning. 
*/ +- NM_DEVICE_GET_CLASS(self)->deactivate_reset_hw_addr(self); ++ klass->deactivate_reset_hw_addr(self); + } + } + +diff --git a/src/core/devices/nm-device.h b/src/core/devices/nm-device.h +index 68387a2149..e58c2088b9 100644 +--- a/src/core/devices/nm-device.h ++++ b/src/core/devices/nm-device.h +@@ -821,4 +821,10 @@ nm_device_get_hostname_from_dns_lookup(NMDevice *self, int addr_family, gboolean + + void nm_device_clear_dns_lookup_data(NMDevice *self, const char *reason); + ++void nm_routing_rules_sync(NMConnection *applied_connection, ++ NMTernary set_mode, ++ GPtrArray *(*get_extra_rules)(NMDevice *self), ++ NMDevice *self, ++ NMNetns *netns); ++ + #endif /* __NETWORKMANAGER_DEVICE_H__ */ +diff --git a/src/core/vpn/nm-vpn-connection.c b/src/core/vpn/nm-vpn-connection.c +index 1607d2013a..0068b52bc3 100644 +--- a/src/core/vpn/nm-vpn-connection.c ++++ b/src/core/vpn/nm-vpn-connection.c +@@ -903,7 +903,8 @@ fw_call_cleanup(NMVpnConnection *self) + static void + vpn_cleanup(NMVpnConnection *self, NMDevice *parent_dev) + { +- const char *iface; ++ NMVpnConnectionPrivate *priv = NM_VPN_CONNECTION_GET_PRIVATE(self); ++ const char *iface; + + /* Remove zone from firewall */ + iface = nm_vpn_connection_get_ip_iface(self, FALSE); +@@ -915,6 +916,8 @@ vpn_cleanup(NMVpnConnection *self, NMDevice *parent_dev) + fw_call_cleanup(self); + + _l3cfg_l3cd_clear_all(self); ++ ++ nm_routing_rules_sync(_get_applied_connection(self), NM_TERNARY_FALSE, NULL, NULL, priv->netns); + } + + static void +@@ -2206,6 +2209,8 @@ _dbus_signal_ip_config_cb(NMVpnConnection *self, int addr_family, GVariant *dict + + _l3cfg_l3cd_set(self, L3CD_TYPE_IP_X(IS_IPv4), l3cd); + ++ nm_routing_rules_sync(_get_applied_connection(self), NM_TERNARY_TRUE, NULL, NULL, priv->netns); ++ + _check_complete(self, TRUE); + } + +-- +2.45.0 + diff --git a/SPECS/NetworkManager.spec b/SPECS/NetworkManager.spec index 166feb2..c500772 100644 --- a/SPECS/NetworkManager.spec +++ b/SPECS/NetworkManager.spec 
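Review bot: In `nm_routing_rules_sync()` (patch 1017) the tracker user tags are now derived from whichever pointer is passed, `((guint32 *) applied_connection) + 1` on the VPN path. `vpn_cleanup()` therefore only untracks the rules tracked in `_dbus_signal_ip_config_cb()` if `_get_applied_connection(self)` returns the same non-NULL object both times; otherwise policy-routing rules could stay installed after the VPN is torn down, and with both pointers NULL the tags come from arithmetic on a null pointer. Whether that can occur is not visible in these hunks, so at minimum state the contract in the function comment and add `nm_assert(self || applied_connection);` before the tags are computed. Separately, `nm_device_cleanup()` now initialises `NMDeviceClass *klass = NM_DEVICE_GET_CLASS(self);` in the declaration, which as a GObject class accessor reads through `self` before `g_return_if_fail(NM_IS_DEVICE(self));` runs; declare `klass` without an initialiser and assign it after the guard. The new prototype in nm-device.h also takes five parameters, and it should document which combinations are valid (device path with `self` set, VPN path with `self` and `get_extra_rules` NULL).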
@@ -6,7 +6,7 @@ %global epoch_version 1 %global real_version 1.40.16 %global rpm_version %{real_version} -%global release_version 15 +%global release_version 18 %global snapshot %{nil} %global git_sha %{nil} %global bcond_default_debug 0 @@ -210,6 +210,9 @@ Patch1011: 1011-dispatch-dns-change-event-rhel-10195.patch Patch1012: 1012-device-do-not-set-MAC-address-on-iface-with-index-0-rhel-16008.patch Patch1013: 1013-fix-matching-existing-connection-by-UUID-on-restart-rhel-5119.patch Patch1014: 1014-device-disable-IPv6-in-NetworkManager-when-disabled-rhel-10450.patch +Patch1015: 1015-use-etc-hosts-for-hostname-resolution-rhel-53200.patch +Patch1016: 1016-vpn-place-gateway-route-to-table-defined-in-ipvx-route-table-rhel-73051.patch +Patch1017: 1017-vpn-fix-routing-rules-support-in-vpn-conenctions-rhel-73052.patch Requires(post): systemd %if 0%{?fedora} || 0%{?rhel} >= 8 @@ -1245,6 +1248,16 @@ fi %changelog +* Tue Jan 07 2025 Wen Liang - 1:1.40.16-18 +- vpn: fix routing rules support in vpn conenctions (RHEL-73052) +- vpn: Place gateway route to table defined in ipvx.route-table (RHEL-73051) + +* Wed Aug 21 2024 Fernando Fernandez Mancera - 1:1.40.16-17 +- Rebuild to use the right tag + +* Tue Aug 20 2024 Fernando Fernandez Mancera - 1:1.40.16-16 +- Use /etc/hosts for hostname resolution (RHEL-53200) + * Fri Feb 09 2024 Íñigo Huguet - 1:1.40.16-15 - Suppress NetworkManager's harmless warning when IPv6 is disabled at kernel level (RHEL-10450)