From cc98a44c6dfde57ceeffa71654c0937a27b9ce43 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Wed, 2 Aug 2023 09:58:30 +0000 Subject: [PATCH] import NetworkManager-1.42.2-6.el9_2 --- ...k-autoconnect-upon-reapply-rh2217903.patch | 45 ++ ...core-fix-l3cd-comparison-rhbz2219847.patch | 88 +++ ...wall-create-dynamic-sets-rhbz2220952.patch | 530 ++++++++++++++++++ SPECS/NetworkManager.spec | 14 +- 4 files changed, 676 insertions(+), 1 deletion(-) create mode 100644 SOURCES/1003-unblock-autoconnect-upon-reapply-rh2217903.patch create mode 100644 SOURCES/1004-core-fix-l3cd-comparison-rhbz2219847.patch create mode 100644 SOURCES/1005-firewall-create-dynamic-sets-rhbz2220952.patch diff --git a/SOURCES/1003-unblock-autoconnect-upon-reapply-rh2217903.patch b/SOURCES/1003-unblock-autoconnect-upon-reapply-rh2217903.patch new file mode 100644 index 0000000..aa73fab --- /dev/null +++ b/SOURCES/1003-unblock-autoconnect-upon-reapply-rh2217903.patch @@ -0,0 +1,45 @@ +From 18ce5f43bd16b3cc394424619652c782cb3795c3 Mon Sep 17 00:00:00 2001 +From: Gris Ge +Date: Tue, 27 Jun 2023 15:02:54 +0800 +Subject: [PATCH] setting-connection: Unblock autoconnect upon finish of + `Reapply` + +The activation of a connection will clear the block of autoconnect, +we should do the same for reapply. + +Signed-off-by: Gris Ge +(cherry picked from commit 0486efd3584c70179072f611e63b9c0ff6851b80) +--- + src/core/devices/nm-device.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/src/core/devices/nm-device.c b/src/core/devices/nm-device.c +index c168fa045d..62a9ff1e84 100644 +--- a/src/core/devices/nm-device.c ++++ b/src/core/devices/nm-device.c +@@ -12902,6 +12902,7 @@ check_and_reapply_connection(NMDevice *self, + NMConnection *con_old; + NMConnection *con_new; + GHashTableIter iter; ++ NMSettingsConnection *sett_conn; + + if (priv->state < NM_DEVICE_STATE_PREPARE || priv->state > NM_DEVICE_STATE_ACTIVATED) { + g_set_error_literal(error, +@@ -13074,6 +13075,14 @@ check_and_reapply_connection(NMDevice *self, + if (priv->state >= NM_DEVICE_STATE_ACTIVATED) + nm_device_update_metered(self); + ++ sett_conn = nm_device_get_settings_connection(self); ++ if (sett_conn) { ++ nm_settings_connection_autoconnect_blocked_reason_set( ++ sett_conn, ++ NM_SETTINGS_AUTO_CONNECT_BLOCKED_REASON_USER_REQUEST, ++ FALSE); ++ } ++ + /* Notify dispatcher when re-applied */ + _LOGD(LOGD_DEVICE, "Notifying re-apply complete"); + nm_dispatcher_call_device(NM_DISPATCHER_ACTION_REAPPLY, self, NULL, NULL, NULL, NULL); +-- +2.39.3 + diff --git a/SOURCES/1004-core-fix-l3cd-comparison-rhbz2219847.patch b/SOURCES/1004-core-fix-l3cd-comparison-rhbz2219847.patch new file mode 100644 index 0000000..6fc8606 --- /dev/null +++ b/SOURCES/1004-core-fix-l3cd-comparison-rhbz2219847.patch @@ -0,0 +1,88 @@ +From d6f13aefda85ea06985e7fe2f776abd8ee0406cf Mon Sep 17 00:00:00 2001 +From: Beniamino Galvani +Date: Fri, 24 Mar 2023 17:42:45 +0100 +Subject: [PATCH] core: fix l3cd comparison + +NM_CMP_SELF(a, b) returns immediately if the objects are the same. + +Fixes: cb29244552af ('core: support compare flags in nm_l3_config_data_cmp_full()') +Fixes-test: @dracut_NM_iSCSI_ibft_table + +https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1583 +(cherry picked from commit 0a02995175e06e62924705393121a1c5efc3822d) +(cherry picked from commit 5d95c20787077a91d684259d67f2e0ff3a1d7a1a) +--- + src/core/nm-l3-config-data.c | 54 +++++++++++++++++++----------------- + 1 file changed, 28 insertions(+), 26 deletions(-) + +diff --git a/src/core/nm-l3-config-data.c b/src/core/nm-l3-config-data.c +index 17bb9db87d..d5dedb9c8a 100644 +--- a/src/core/nm-l3-config-data.c ++++ b/src/core/nm-l3-config-data.c +@@ -2297,35 +2297,37 @@ nm_l3_config_data_cmp_full(const NML3ConfigData *a, + const NMPObject *def_route_a = a->best_default_route_x[IS_IPv4]; + const NMPObject *def_route_b = b->best_default_route_x[IS_IPv4]; + +- NM_CMP_SELF(def_route_a, def_route_b); +- +- if (NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_ROUTES)) { +- NM_CMP_RETURN(nmp_object_cmp_full(def_route_a, +- def_route_b, +- NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_IFINDEX) +- ? NMP_OBJECT_CMP_FLAGS_NONE +- : NMP_OBJECT_CMP_FLAGS_IGNORE_IFINDEX)); +- } else if (NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_ROUTES_ID)) { +- if (NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_IFINDEX)) { +- NM_CMP_DIRECT(def_route_a->obj_with_ifindex.ifindex, +- def_route_b->obj_with_ifindex.ifindex); +- } ++ if (def_route_a != def_route_b) { ++ if (NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_ROUTES)) { ++ NM_CMP_RETURN( ++ nmp_object_cmp_full(def_route_a, ++ def_route_b, ++ NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_IFINDEX) ++ ? NMP_OBJECT_CMP_FLAGS_NONE ++ : NMP_OBJECT_CMP_FLAGS_IGNORE_IFINDEX)); ++ } else if (NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_ROUTES_ID)) { ++ if (NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_IFINDEX)) { ++ NM_CMP_DIRECT(def_route_a->obj_with_ifindex.ifindex, ++ def_route_b->obj_with_ifindex.ifindex); ++ } + +- if (IS_IPv4) { +- NMPlatformIP4Route ra = def_route_a->ip4_route; +- NMPlatformIP4Route rb = def_route_b->ip4_route; ++ if (IS_IPv4) { ++ NMPlatformIP4Route ra = def_route_a->ip4_route; ++ NMPlatformIP4Route rb = def_route_b->ip4_route; + +- NM_CMP_DIRECT(ra.metric, rb.metric); +- NM_CMP_DIRECT(ra.plen, rb.plen); +- NM_CMP_RETURN_DIRECT(nm_ip4_addr_same_prefix_cmp(ra.network, rb.network, ra.plen)); +- } else { +- NMPlatformIP6Route ra = def_route_a->ip6_route; +- NMPlatformIP6Route rb = def_route_b->ip6_route; ++ NM_CMP_DIRECT(ra.metric, rb.metric); ++ NM_CMP_DIRECT(ra.plen, rb.plen); ++ NM_CMP_RETURN_DIRECT( ++ nm_ip4_addr_same_prefix_cmp(ra.network, rb.network, ra.plen)); ++ } else { ++ NMPlatformIP6Route ra = def_route_a->ip6_route; ++ NMPlatformIP6Route rb = def_route_b->ip6_route; + +- NM_CMP_DIRECT(ra.metric, rb.metric); +- NM_CMP_DIRECT(ra.plen, rb.plen); +- NM_CMP_RETURN_DIRECT( +- nm_ip6_addr_same_prefix_cmp(&ra.network, &rb.network, ra.plen)); ++ NM_CMP_DIRECT(ra.metric, rb.metric); ++ NM_CMP_DIRECT(ra.plen, rb.plen); ++ NM_CMP_RETURN_DIRECT( ++ nm_ip6_addr_same_prefix_cmp(&ra.network, &rb.network, ra.plen)); ++ } + } + } + +-- +2.38.1 + diff --git a/SOURCES/1005-firewall-create-dynamic-sets-rhbz2220952.patch b/SOURCES/1005-firewall-create-dynamic-sets-rhbz2220952.patch new file mode 100644 index 0000000..43fc6bb --- /dev/null +++ b/SOURCES/1005-firewall-create-dynamic-sets-rhbz2220952.patch @@ -0,0 +1,530 @@ +From c00002b12d34c12d418f5753e03df43ecb6ef67d Mon Sep 17 00:00:00 2001 +From: Thomas Haller +Date: Wed, 10 May 2023 08:37:06 +0200 +Subject: [PATCH 1/5] glib-aux: add + NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_DOUBLE_QUOTE flag to escape double quotes + +This is useful when printing a string for debugging. Then we can +printf("v=\"%s\"", utf8safe_escaped_text), which can be safely unescaped +with `echo -e`. + +(cherry picked from commit c26a94e95551021d86cae6fc0e6aafb97b1363f6) +(cherry picked from commit 18848c77c7a44b179ad0c582ac60cee7602d1786) +--- + src/libnm-glib-aux/nm-shared-utils.c | 21 +++++++++++++-------- + src/libnm-glib-aux/nm-shared-utils.h | 8 ++++++-- + 2 files changed, 19 insertions(+), 10 deletions(-) + +diff --git a/src/libnm-glib-aux/nm-shared-utils.c b/src/libnm-glib-aux/nm-shared-utils.c +index 702a63e9f6..49f2c93e35 100644 +--- a/src/libnm-glib-aux/nm-shared-utils.c ++++ b/src/libnm-glib-aux/nm-shared-utils.c +@@ -2755,13 +2755,16 @@ nm_utils_buf_utf8safe_escape(gconstpointer buf, + if (g_utf8_validate(str, buflen, &p) && nul_terminated) { + /* note that g_utf8_validate() does not allow NUL character inside @str. Good. + * We can treat @str like a NUL terminated string. */ +- if (!NM_STRCHAR_ANY(str, +- ch, +- (ch == '\\' +- || (NM_FLAGS_HAS(flags, NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_CTRL) +- && nm_ascii_is_ctrl_or_del(ch)) +- || (NM_FLAGS_HAS(flags, NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_NON_ASCII) +- && nm_ascii_is_non_ascii(ch))))) ++ if (!NM_STRCHAR_ANY( ++ str, ++ ch, ++ (ch == '\\' ++ || (NM_FLAGS_HAS(flags, NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_CTRL) ++ && nm_ascii_is_ctrl_or_del(ch)) ++ || (NM_FLAGS_HAS(flags, NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_NON_ASCII) ++ && nm_ascii_is_non_ascii(ch)) ++ || (NM_FLAGS_HAS(flags, NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_DOUBLE_QUOTE) ++ && ch == '"')))) + return str; + } + +@@ -2781,7 +2784,9 @@ nm_utils_buf_utf8safe_escape(gconstpointer buf, + else if ((NM_FLAGS_HAS(flags, NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_CTRL) + && nm_ascii_is_ctrl_or_del(ch)) + || (NM_FLAGS_HAS(flags, NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_NON_ASCII) +- && nm_ascii_is_non_ascii(ch))) ++ && nm_ascii_is_non_ascii(ch)) ++ || (NM_FLAGS_HAS(flags, NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_DOUBLE_QUOTE) ++ && ch == '"')) + _str_buf_append_c_escape_octal(&strbuf, ch); + else + nm_str_buf_append_c(&strbuf, ch); +diff --git a/src/libnm-glib-aux/nm-shared-utils.h b/src/libnm-glib-aux/nm-shared-utils.h +index 083ed137ee..ad24e7c427 100644 +--- a/src/libnm-glib-aux/nm-shared-utils.h ++++ b/src/libnm-glib-aux/nm-shared-utils.h +@@ -1243,12 +1243,16 @@ typedef enum { + * It will backslash escape ascii characters according to nm_ascii_is_non_ascii(). */ + NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_NON_ASCII = 0x0002, + ++ /* Escape '"' as ASCII "\\042". This is useful when escaping a string so that ++ * it can be unescaped with `echo -e $PASTE_TEXT`. */ ++ NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_DOUBLE_QUOTE = 0x0004, ++ + /* This flag only has an effect during escaping to ensure we + * don't leak secrets in memory. Note that during unescape we + * know the maximum result size from the beginning, and no + * reallocation happens. Thus, unescape always avoids leaking + * secrets already. */ +- NM_UTILS_STR_UTF8_SAFE_FLAG_SECRET = 0x0004, ++ NM_UTILS_STR_UTF8_SAFE_FLAG_SECRET = 0x0008, + + /* This flag only has an effect during unescaping. It means + * that non-escaped whitespaces (g_ascii_isspace()) will be +@@ -1256,7 +1260,7 @@ typedef enum { + * this flag is only useful for gracefully accepting user input + * with spaces. With this flag, escape and unescape may no longer + * yield the original input. */ +- NM_UTILS_STR_UTF8_SAFE_UNESCAPE_STRIP_SPACES = 0x0008, ++ NM_UTILS_STR_UTF8_SAFE_UNESCAPE_STRIP_SPACES = 0x0010, + } NMUtilsStrUtf8SafeFlags; + + const char *nm_utils_buf_utf8safe_escape(gconstpointer buf, +-- +2.41.0 + + +From 668d8caff3b0a8ea45a63ef9676f05d87428825d Mon Sep 17 00:00:00 2001 +From: Thomas Haller +Date: Wed, 10 May 2023 08:41:00 +0200 +Subject: [PATCH 2/5] glib-aux: add nmtst_assert_cmpmem() helper + +g_assert_cmpmem() exists, but it does not print the actual buffer +content on test failure. It is useful to see what actually failed in +the test output. + +Also, nmtst_assert_cmpmem() prints a backslash escaped output, that you +can unescape in the terminal with `echo -e`. You can also directly copy +and paste the output to C source code. + +(cherry picked from commit 3c3938406dd825f6a0d9e6e55319f0f68a6e2f83) +(cherry picked from commit 4ec00efca9154029f377f8498ef4bd3bd9b4cfa9) +--- + src/libnm-glib-aux/nm-test-utils.h | 48 ++++++++++++++++++++++++++++++ + 1 file changed, 48 insertions(+) + +diff --git a/src/libnm-glib-aux/nm-test-utils.h b/src/libnm-glib-aux/nm-test-utils.h +index b65818e00a..a55977d1ce 100644 +--- a/src/libnm-glib-aux/nm-test-utils.h ++++ b/src/libnm-glib-aux/nm-test-utils.h +@@ -203,6 +203,54 @@ + } \ + G_STMT_END + ++#define nmtst_assert_cmpmem(m1, l1, m2, l2) \ ++ G_STMT_START \ ++ { \ ++ const guint8 *const _m1 = (gpointer) (m1); \ ++ const guint8 *const _m2 = (gpointer) (m2); \ ++ const gsize _l1 = (l1); \ ++ const gsize _l2 = (l2); \ ++ \ ++ /* This is like g_assert_cmpmem(), however on failure it actually ++ * prints the compared buffer contents, which is useful for debugging ++ * the test failure. */ \ ++ \ ++ g_assert(_l1 == 0 || _m1); \ ++ g_assert(_l2 == 0 || _m2); \ ++ \ ++ if (_l1 != _l2 || (_l1 > 0 && memcmp(_m1, _m2, _l1) != 0)) { \ ++ gs_free char *_s1 = NULL; \ ++ gs_free char *_s2 = NULL; \ ++ \ ++ g_error( \ ++ "ERROR: %s:%d : buffer [\"%s\" (%s, %zu bytes)] differs from [\"%s\" (%s, %zu " \ ++ "bytes)]:\n" \ ++ " a=[ \"%s\" ]\n" \ ++ " b=[ \"%s\" ]\n", \ ++ __FILE__, \ ++ (int) __LINE__, \ ++ #m1, \ ++ #l1, \ ++ _l1, \ ++ #m2, \ ++ #l2, \ ++ _l2, \ ++ (_s1 = nm_utils_buf_utf8safe_escape_cp( \ ++ _m1, \ ++ _l1, \ ++ NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_CTRL \ ++ | NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_DOUBLE_QUOTE)) \ ++ ?: "", \ ++ (_s2 = nm_utils_buf_utf8safe_escape_cp( \ ++ _m2, \ ++ _l2, \ ++ NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_CTRL \ ++ | NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_DOUBLE_QUOTE)) \ ++ ?: ""); \ ++ } \ ++ } \ ++ G_STMT_END ++ + /*****************************************************************************/ + + /* Our nm-error error numbers use negative values to signal failure. +-- +2.41.0 + + +From 90b9aa2be6ec9ee3527edf146d6fce74cb2d9926 Mon Sep 17 00:00:00 2001 +From: Thomas Haller +Date: Wed, 10 May 2023 07:44:52 +0200 +Subject: [PATCH 3/5] bond: don't configure "counter" on nft rules for + slb-bonding/mlag + +Counters are convenient for debugging, but have a performance overhead. +Configure them only when debug logging in NetworkManager is enabled. + +(cherry picked from commit 2c716f04f9b75ed8df70314920a705b48c36c8eb) +(cherry picked from commit 7bb285abb70d76dff33517252b71d0b8f96adc41) +--- + src/core/nm-bond-manager.c | 8 ++++++- + src/core/nm-firewall-utils.c | 43 +++++++++++++++++++++--------------- + src/core/nm-firewall-utils.h | 3 ++- + 3 files changed, 34 insertions(+), 20 deletions(-) + +diff --git a/src/core/nm-bond-manager.c b/src/core/nm-bond-manager.c +index 2d15b0b5a0..9985fccf11 100644 +--- a/src/core/nm-bond-manager.c ++++ b/src/core/nm-bond-manager.c +@@ -438,6 +438,7 @@ _nft_call(NMBondManager *self, + { + gs_unref_bytes GBytes *stdin_buf = NULL; + gs_free const char *const *previous_members_strv = NULL; ++ gboolean with_counters; + + if (up) { + gs_unref_ptrarray GPtrArray *arr = NULL; +@@ -480,11 +481,16 @@ _nft_call(NMBondManager *self, + } + } + ++ /* counters in the nft rules are convenient for debugging, but have a performance overhead. ++ * Enable counters based on whether NM logging is enabled. */ ++ with_counters = _NMLOG_ENABLED(LOGL_TRACE); ++ + stdin_buf = nm_firewall_nft_stdio_mlag(up, + bond_ifname, + bond_ifnames_down, + active_members, +- previous_members_strv); ++ previous_members_strv, ++ with_counters); + + nm_clear_g_cancellable(&self->cancellable); + self->cancellable = g_cancellable_new(); +diff --git a/src/core/nm-firewall-utils.c b/src/core/nm-firewall-utils.c +index f231583a21..b8ae4397bf 100644 +--- a/src/core/nm-firewall-utils.c ++++ b/src/core/nm-firewall-utils.c +@@ -763,13 +763,15 @@ nm_firewall_nft_stdio_mlag(gboolean up, + const char *bond_ifname, + const char *const *bond_ifnames_down, + const char *const *active_members, +- const char *const *previous_members) ++ const char *const *previous_members, ++ gboolean with_counters) + { + nm_auto_str_buf NMStrBuf strbuf_table_name = + NM_STR_BUF_INIT_A(NM_UTILS_GET_NEXT_REALLOC_SIZE_32, FALSE); + nm_auto_str_buf NMStrBuf strbuf = NM_STR_BUF_INIT(NM_UTILS_GET_NEXT_REALLOC_SIZE_1000, FALSE); + const char *table_name; + gsize i; ++ const char *const s_counter = with_counters ? " counter" : ""; + + if (NM_MORE_ASSERTS > 10 && active_members) { + /* No duplicates. We make certain assumptions here, and we don't +@@ -876,9 +878,10 @@ nm_firewall_nft_stdio_mlag(gboolean up, + _append(&strbuf, + "add rule netdev %s %s pkttype {" + " broadcast, multicast " +- "} counter drop", ++ "}%s drop", + table_name, +- chain_name); ++ chain_name, ++ s_counter); + } + + /* OVS SLB rule 2 +@@ -905,15 +908,17 @@ nm_firewall_nft_stdio_mlag(gboolean up, + table_name, + bond_ifname); + _append(&strbuf, +- "add rule netdev %s tx-snoop-source-mac set update ether saddr . vlan id" +- " timeout 5s @macset-tagged counter return" ++ "add rule netdev %s tx-snoop-source-mac set update ether saddr . vlan id " ++ "timeout 5s @macset-tagged%s return" + "", /* tagged */ +- table_name); ++ table_name, ++ s_counter); + _append(&strbuf, +- "add rule netdev %s tx-snoop-source-mac set update ether saddr" +- " timeout 5s @macset-untagged counter" ++ "add rule netdev %s tx-snoop-source-mac set update ether saddr timeout 5s " ++ "@macset-untagged%s" + "", /* untagged*/ +- table_name); ++ table_name, ++ s_counter); + + _append(&strbuf, + "add chain netdev %s rx-drop-looped-packets {" +@@ -921,18 +926,20 @@ nm_firewall_nft_stdio_mlag(gboolean up, + "}", + table_name, + bond_ifname); ++ _append( ++ &strbuf, ++ "add rule netdev %s rx-drop-looped-packets ether saddr . vlan id @macset-tagged%s drop", ++ table_name, ++ s_counter); + _append(&strbuf, +- "add rule netdev %s rx-drop-looped-packets ether saddr . vlan id" +- " @macset-tagged counter drop", +- table_name); +- _append(&strbuf, +- "add rule netdev %s rx-drop-looped-packets ether type vlan counter return" ++ "add rule netdev %s rx-drop-looped-packets ether type vlan%s return" + "", /* avoid looking up tagged packets in untagged table */ +- table_name); ++ table_name, ++ s_counter); + _append(&strbuf, +- "add rule netdev %s rx-drop-looped-packets ether saddr @macset-untagged" +- " counter drop", +- table_name); ++ "add rule netdev %s rx-drop-looped-packets ether saddr @macset-untagged%s drop", ++ table_name, ++ s_counter); + } + + out: +diff --git a/src/core/nm-firewall-utils.h b/src/core/nm-firewall-utils.h +index ca138ccf78..9f13a5127e 100644 +--- a/src/core/nm-firewall-utils.h ++++ b/src/core/nm-firewall-utils.h +@@ -39,6 +39,7 @@ GBytes *nm_firewall_nft_stdio_mlag(gboolean up, + const char *bond_ifname, + const char *const *bond_ifnames_down, + const char *const *active_members, +- const char *const *previous_members); ++ const char *const *previous_members, ++ gboolean with_counters); + + #endif /* __NM_FIREWALL_UTILS_H__ */ +-- +2.41.0 + + +From 863171b69d72053d0b6bfafe510af62098c218d8 Mon Sep 17 00:00:00 2001 +From: Thomas Haller +Date: Wed, 10 May 2023 08:42:49 +0200 +Subject: [PATCH 4/5] core/tests: add test for nm_firewall_nft_stdio_mlag() + +If only to hit some of the code paths in our test, and to have valgrind +check (some of) the code paths. + +(cherry picked from commit a20d4a7a912a7e7a535318bc7294ebd8b6bb6655) +(cherry picked from commit 8e7d94b10c50a4ce963ddf441752522183b35ab3) +--- + src/core/tests/test-core.c | 122 +++++++++++++++++++++++++++++++++++++ + 1 file changed, 122 insertions(+) + +diff --git a/src/core/tests/test-core.c b/src/core/tests/test-core.c +index 887803bffe..d90e44f04f 100644 +--- a/src/core/tests/test-core.c ++++ b/src/core/tests/test-core.c +@@ -18,6 +18,7 @@ + + #include "dns/nm-dns-manager.h" + #include "nm-connectivity.h" ++#include "nm-firewall-utils.h" + + #include "nm-test-utils-core.h" + +@@ -2580,6 +2581,125 @@ test_connectivity_state_cmp(void) + + /*****************************************************************************/ + ++static void ++test_nm_firewall_nft_stdio_mlag(void) ++{ ++#define _T(up, \ ++ bond_ifname, \ ++ bond_ifnames_down, \ ++ active_members, \ ++ previous_members, \ ++ with_counters, \ ++ expected) \ ++ G_STMT_START \ ++ { \ ++ gs_unref_bytes GBytes *_b = NULL; \ ++ \ ++ _b = nm_firewall_nft_stdio_mlag((up), \ ++ (bond_ifname), \ ++ (bond_ifnames_down), \ ++ (active_members), \ ++ (previous_members), \ ++ (with_counters)); \ ++ \ ++ g_assert(_b); \ ++ nmtst_assert_cmpmem(expected, \ ++ NM_STRLEN(expected), \ ++ g_bytes_get_data(_b, NULL), \ ++ g_bytes_get_size(_b)); \ ++ } \ ++ G_STMT_END ++ ++ _T(TRUE, ++ "bond0", ++ NM_MAKE_STRV("eth0"), ++ NM_MAKE_STRV("eth1"), ++ NM_MAKE_STRV("eth2"), ++ TRUE, ++ "add table netdev nm-mlag-eth0\012delete table netdev nm-mlag-eth0\012add table netdev " ++ "nm-mlag-bond0\012flush table netdev nm-mlag-bond0\012add chain netdev nm-mlag-bond0 " ++ "rx-drop-bc-mc-eth2 { type filter hook ingress device eth2 priority filter; }\012delete " ++ "chain netdev nm-mlag-bond0 rx-drop-bc-mc-eth2\012add chain netdev nm-mlag-bond0 " ++ "rx-drop-bc-mc-eth1 { type filter hook ingress device eth1 priority filter; }\012delete " ++ "chain netdev nm-mlag-bond0 rx-drop-bc-mc-eth1\012add set netdev nm-mlag-bond0 " ++ "macset-tagged { typeof ether saddr . vlan id; flags dynamic,timeout; }\012add set netdev " ++ "nm-mlag-bond0 macset-untagged { typeof ether saddr; flags dynamic,timeout; }\012add chain " ++ "netdev nm-mlag-bond0 tx-snoop-source-mac { type filter hook egress device bond0 priority " ++ "filter; }\012add rule netdev nm-mlag-bond0 tx-snoop-source-mac set update ether saddr . " ++ "vlan id timeout 5s @macset-tagged counter return\012add rule netdev nm-mlag-bond0 " ++ "tx-snoop-source-mac set update ether saddr timeout 5s @macset-untagged counter\012add " ++ "chain netdev nm-mlag-bond0 rx-drop-looped-packets { type filter hook ingress device bond0 " ++ "priority filter; }\012add rule netdev nm-mlag-bond0 rx-drop-looped-packets ether saddr . " ++ "vlan id @macset-tagged counter drop\012add rule netdev nm-mlag-bond0 " ++ "rx-drop-looped-packets ether type vlan counter return\012add rule netdev nm-mlag-bond0 " ++ "rx-drop-looped-packets ether saddr @macset-untagged counter drop\012"); ++ ++ _T(TRUE, ++ "bond0", ++ NM_MAKE_STRV("eth0"), ++ NM_MAKE_STRV("eth1"), ++ NM_MAKE_STRV("eth2"), ++ FALSE, ++ "add table netdev nm-mlag-eth0\012delete table netdev nm-mlag-eth0\012add table netdev " ++ "nm-mlag-bond0\012flush table netdev nm-mlag-bond0\012add chain netdev nm-mlag-bond0 " ++ "rx-drop-bc-mc-eth2 { type filter hook ingress device eth2 priority filter; }\012delete " ++ "chain netdev nm-mlag-bond0 rx-drop-bc-mc-eth2\012add chain netdev nm-mlag-bond0 " ++ "rx-drop-bc-mc-eth1 { type filter hook ingress device eth1 priority filter; }\012delete " ++ "chain netdev nm-mlag-bond0 rx-drop-bc-mc-eth1\012add set netdev nm-mlag-bond0 " ++ "macset-tagged { typeof ether saddr . vlan id; flags dynamic,timeout; }\012add set netdev " ++ "nm-mlag-bond0 macset-untagged { typeof ether saddr; flags dynamic,timeout; }\012add chain " ++ "netdev nm-mlag-bond0 tx-snoop-source-mac { type filter hook egress device bond0 priority " ++ "filter; }\012add rule netdev nm-mlag-bond0 tx-snoop-source-mac set update ether saddr . " ++ "vlan id timeout 5s @macset-tagged return\012add rule netdev nm-mlag-bond0 " ++ "tx-snoop-source-mac set update ether saddr timeout 5s @macset-untagged\012add chain netdev " ++ "nm-mlag-bond0 rx-drop-looped-packets { type filter hook ingress device bond0 priority " ++ "filter; }\012add rule netdev nm-mlag-bond0 rx-drop-looped-packets ether saddr . vlan id " ++ "@macset-tagged drop\012add rule netdev nm-mlag-bond0 rx-drop-looped-packets ether type " ++ "vlan return\012add rule netdev nm-mlag-bond0 rx-drop-looped-packets ether saddr " ++ "@macset-untagged drop\012"); ++ ++ _T(TRUE, ++ "bond0", ++ NM_MAKE_STRV("eth0", "eth1"), ++ NM_MAKE_STRV("eth2", "eth3"), ++ NM_MAKE_STRV("eth4", "eth5"), ++ FALSE, ++ "add table netdev nm-mlag-eth0\012delete table netdev nm-mlag-eth0\012add table netdev " ++ "nm-mlag-eth1\012delete table netdev nm-mlag-eth1\012add table netdev " ++ "nm-mlag-bond0\012flush table netdev nm-mlag-bond0\012add chain netdev nm-mlag-bond0 " ++ "rx-drop-bc-mc-eth4 { type filter hook ingress device eth4 priority filter; }\012delete " ++ "chain netdev nm-mlag-bond0 rx-drop-bc-mc-eth4\012add chain netdev nm-mlag-bond0 " ++ "rx-drop-bc-mc-eth5 { type filter hook ingress device eth5 priority filter; }\012delete " ++ "chain netdev nm-mlag-bond0 rx-drop-bc-mc-eth5\012add chain netdev nm-mlag-bond0 " ++ "rx-drop-bc-mc-eth2 { type filter hook ingress device eth2 priority filter; }\012delete " ++ "chain netdev nm-mlag-bond0 rx-drop-bc-mc-eth2\012add chain netdev nm-mlag-bond0 " ++ "rx-drop-bc-mc-eth3 { type filter hook ingress device eth3 priority filter; }\012add rule " ++ "netdev nm-mlag-bond0 rx-drop-bc-mc-eth3 pkttype { broadcast, multicast } drop\012add set " ++ "netdev nm-mlag-bond0 macset-tagged { typeof ether saddr . vlan id; flags dynamic,timeout; " ++ "}\012add set netdev nm-mlag-bond0 macset-untagged { typeof ether saddr; flags " ++ "dynamic,timeout; }\012add chain netdev nm-mlag-bond0 tx-snoop-source-mac { type filter " ++ "hook egress device bond0 priority filter; }\012add rule netdev nm-mlag-bond0 " ++ "tx-snoop-source-mac set update ether saddr . vlan id timeout 5s @macset-tagged " ++ "return\012add rule netdev nm-mlag-bond0 tx-snoop-source-mac set update ether saddr timeout " ++ "5s @macset-untagged\012add chain netdev nm-mlag-bond0 rx-drop-looped-packets { type filter " ++ "hook ingress device bond0 priority filter; }\012add rule netdev nm-mlag-bond0 " ++ "rx-drop-looped-packets ether saddr . vlan id @macset-tagged drop\012add rule netdev " ++ "nm-mlag-bond0 rx-drop-looped-packets ether type vlan return\012add rule netdev " ++ "nm-mlag-bond0 rx-drop-looped-packets ether saddr @macset-untagged drop\012"); ++ ++ _T(FALSE, ++ "bond0", ++ NM_MAKE_STRV("eth0", "eth1"), ++ NM_MAKE_STRV("eth2", "eth3"), ++ NM_MAKE_STRV("eth4", "eth5"), ++ FALSE, ++ "add table netdev nm-mlag-eth0\012delete table netdev nm-mlag-eth0\012add table netdev " ++ "nm-mlag-eth1\012delete table netdev nm-mlag-eth1\012add table netdev " ++ "nm-mlag-bond0\012delete table netdev nm-mlag-bond0\012"); ++} ++ ++/*****************************************************************************/ ++ + NMTST_DEFINE(); + + int +@@ -2654,5 +2774,7 @@ main(int argc, char **argv) + g_test_add_func("/core/general/test_kernel_cmdline_match_check", + test_kernel_cmdline_match_check); + ++ g_test_add_func("/core/test_nm_firewall_nft_stdio_mlag", test_nm_firewall_nft_stdio_mlag); ++ + return g_test_run(); + } +-- +2.41.0 + + +From e981987cd4315c0d37f980b28c02c35340d81a2f Mon Sep 17 00:00:00 2001 +From: Thomas Haller +Date: Tue, 2 May 2023 08:54:21 +0200 +Subject: [PATCH 5/5] firewall: create "dynamic" sets for nft rules for + slb-bonding + +A workaround for a nftables issue ([1]). I don't know why that matters. + +[1] https://bugzilla.redhat.com/show_bug.cgi?id=2177667 + +Fixes: e9268e392418 ('firewall: add mlag firewall utils for multi chassis link aggregation (MLAG) for bonding-slb') + +https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1614 +(cherry picked from commit d3b54963622f242db1ebeda21dedd9558b484355) +(cherry picked from commit 0d9d753523bc30bfd42519e1716a2d7e447f011e) +--- + src/core/nm-firewall-utils.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/core/nm-firewall-utils.c b/src/core/nm-firewall-utils.c +index b8ae4397bf..ac12d3e432 100644 +--- a/src/core/nm-firewall-utils.c ++++ b/src/core/nm-firewall-utils.c +@@ -892,12 +892,12 @@ nm_firewall_nft_stdio_mlag(gboolean up, + */ + _append(&strbuf, + "add set netdev %s macset-tagged {" +- " typeof ether saddr . vlan id; flags timeout; " ++ " typeof ether saddr . vlan id; flags dynamic,timeout; " + "}", + table_name); + _append(&strbuf, + "add set netdev %s macset-untagged {" +- " typeof ether saddr; flags timeout;" ++ " typeof ether saddr; flags dynamic,timeout; " + "}", + table_name); + +-- +2.41.0 + diff --git a/SPECS/NetworkManager.spec b/SPECS/NetworkManager.spec index 5780bb7..f875f06 100644 --- a/SPECS/NetworkManager.spec +++ b/SPECS/NetworkManager.spec @@ -6,7 +6,7 @@ %global epoch_version 1 %global real_version 1.42.2 %global rpm_version %{real_version} -%global release_version 3 +%global release_version 6 %global snapshot %{nil} %global git_sha %{nil} %global bcond_default_debug 0 @@ -205,6 +205,9 @@ Source7: readme-ifcfg-rh.txt # Patch1001: 1001-some.patch Patch1001: 1001-ipv6ll-don-t-regenerate-the-address-when-removed-rh2196441.patch Patch1002: 1002-Revert-infiniband-avoid-normalizing-the-p-key-rh2209976.patch +Patch1003: 1003-unblock-autoconnect-upon-reapply-rh2217903.patch +Patch1004: 1004-core-fix-l3cd-comparison-rhbz2219847.patch +Patch1005: 1005-firewall-create-dynamic-sets-rhbz2220952.patch Requires(post): systemd %if 0%{?fedora} || 0%{?rhel} >= 8 @@ -1253,6 +1256,15 @@ fi %changelog +* Wed Jul 12 2023 Fernando Fernandez Mancera - 1:1.42.2-6 +- firewall: create "dynamic" sets for nft rules for slb-bonding (rh #2220952) + +* Wed Jul 5 2023 Wen Liang - 1:1.42.2-5 +- make sure that the IP and DNS configuration gets applied when it changes (rh #2219847) + +* Thu Jun 29 2023 Gris Ge - 1:1.42.2-4 +- unblock autoconnect upon reapply finish (rh #2217903) + * Mon May 29 2023 Wen Liang - 1:1.42.2-3 - revert "infiniband: avoid normalizing the p-key when reading from ifcfg" (rh #2209976)