import NetworkManager-1.42.2-6.el9_2

This commit is contained in:
eabdullin 2023-08-02 09:58:30 +00:00
parent 1c9b66e22d
commit cc98a44c6d
4 changed files with 676 additions and 1 deletions


@ -0,0 +1,45 @@
From 18ce5f43bd16b3cc394424619652c782cb3795c3 Mon Sep 17 00:00:00 2001
From: Gris Ge <fge@redhat.com>
Date: Tue, 27 Jun 2023 15:02:54 +0800
Subject: [PATCH] setting-connection: Unblock autoconnect upon finish of
`Reapply`
The activation of a connection will clear the block of autoconnect,
we should do the same for reapply.
Signed-off-by: Gris Ge <fge@redhat.com>
(cherry picked from commit 0486efd3584c70179072f611e63b9c0ff6851b80)
---
src/core/devices/nm-device.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/src/core/devices/nm-device.c b/src/core/devices/nm-device.c
index c168fa045d..62a9ff1e84 100644
--- a/src/core/devices/nm-device.c
+++ b/src/core/devices/nm-device.c
@@ -12902,6 +12902,7 @@ check_and_reapply_connection(NMDevice *self,
NMConnection *con_old;
NMConnection *con_new;
GHashTableIter iter;
+ NMSettingsConnection *sett_conn;
if (priv->state < NM_DEVICE_STATE_PREPARE || priv->state > NM_DEVICE_STATE_ACTIVATED) {
g_set_error_literal(error,
@@ -13074,6 +13075,14 @@ check_and_reapply_connection(NMDevice *self,
if (priv->state >= NM_DEVICE_STATE_ACTIVATED)
nm_device_update_metered(self);
+ sett_conn = nm_device_get_settings_connection(self);
+ if (sett_conn) {
+ nm_settings_connection_autoconnect_blocked_reason_set(
+ sett_conn,
+ NM_SETTINGS_AUTO_CONNECT_BLOCKED_REASON_USER_REQUEST,
+ FALSE);
+ }
+
/* Notify dispatcher when re-applied */
_LOGD(LOGD_DEVICE, "Notifying re-apply complete");
nm_dispatcher_call_device(NM_DISPATCHER_ACTION_REAPPLY, self, NULL, NULL, NULL, NULL);
--
2.39.3
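Review bot: The new block that clears the autoconnect block (`sett_conn = nm_device_get_settings_connection(self);` through `FALSE);`) carries no comment on why a finished reapply should lift the USER_REQUEST reason, so a reader has to dig out the patch description to learn that it mirrors what activation already does. I would add above the call: `/* Like activation, a successful reapply is an explicit user action; lift the USER_REQUEST autoconnect block the same way activation does. */`. Only that one reason is cleared; whether other blocked reasons are deliberately left in place cannot be decided from the hunk and deserves a clause in that comment. check_and_reapply_connection starts and ends outside the hunk.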


@ -0,0 +1,88 @@
From d6f13aefda85ea06985e7fe2f776abd8ee0406cf Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Fri, 24 Mar 2023 17:42:45 +0100
Subject: [PATCH] core: fix l3cd comparison
NM_CMP_SELF(a, b) returns immediately if the objects are the same.
Fixes: cb29244552af ('core: support compare flags in nm_l3_config_data_cmp_full()')
Fixes-test: @dracut_NM_iSCSI_ibft_table
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1583
(cherry picked from commit 0a02995175e06e62924705393121a1c5efc3822d)
(cherry picked from commit 5d95c20787077a91d684259d67f2e0ff3a1d7a1a)
---
src/core/nm-l3-config-data.c | 54 +++++++++++++++++++-----------------
1 file changed, 28 insertions(+), 26 deletions(-)
diff --git a/src/core/nm-l3-config-data.c b/src/core/nm-l3-config-data.c
index 17bb9db87d..d5dedb9c8a 100644
--- a/src/core/nm-l3-config-data.c
+++ b/src/core/nm-l3-config-data.c
@@ -2297,35 +2297,37 @@ nm_l3_config_data_cmp_full(const NML3ConfigData *a,
const NMPObject *def_route_a = a->best_default_route_x[IS_IPv4];
const NMPObject *def_route_b = b->best_default_route_x[IS_IPv4];
- NM_CMP_SELF(def_route_a, def_route_b);
-
- if (NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_ROUTES)) {
- NM_CMP_RETURN(nmp_object_cmp_full(def_route_a,
- def_route_b,
- NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_IFINDEX)
- ? NMP_OBJECT_CMP_FLAGS_NONE
- : NMP_OBJECT_CMP_FLAGS_IGNORE_IFINDEX));
- } else if (NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_ROUTES_ID)) {
- if (NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_IFINDEX)) {
- NM_CMP_DIRECT(def_route_a->obj_with_ifindex.ifindex,
- def_route_b->obj_with_ifindex.ifindex);
- }
+ if (def_route_a != def_route_b) {
+ if (NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_ROUTES)) {
+ NM_CMP_RETURN(
+ nmp_object_cmp_full(def_route_a,
+ def_route_b,
+ NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_IFINDEX)
+ ? NMP_OBJECT_CMP_FLAGS_NONE
+ : NMP_OBJECT_CMP_FLAGS_IGNORE_IFINDEX));
+ } else if (NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_ROUTES_ID)) {
+ if (NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_IFINDEX)) {
+ NM_CMP_DIRECT(def_route_a->obj_with_ifindex.ifindex,
+ def_route_b->obj_with_ifindex.ifindex);
+ }
- if (IS_IPv4) {
- NMPlatformIP4Route ra = def_route_a->ip4_route;
- NMPlatformIP4Route rb = def_route_b->ip4_route;
+ if (IS_IPv4) {
+ NMPlatformIP4Route ra = def_route_a->ip4_route;
+ NMPlatformIP4Route rb = def_route_b->ip4_route;
- NM_CMP_DIRECT(ra.metric, rb.metric);
- NM_CMP_DIRECT(ra.plen, rb.plen);
- NM_CMP_RETURN_DIRECT(nm_ip4_addr_same_prefix_cmp(ra.network, rb.network, ra.plen));
- } else {
- NMPlatformIP6Route ra = def_route_a->ip6_route;
- NMPlatformIP6Route rb = def_route_b->ip6_route;
+ NM_CMP_DIRECT(ra.metric, rb.metric);
+ NM_CMP_DIRECT(ra.plen, rb.plen);
+ NM_CMP_RETURN_DIRECT(
+ nm_ip4_addr_same_prefix_cmp(ra.network, rb.network, ra.plen));
+ } else {
+ NMPlatformIP6Route ra = def_route_a->ip6_route;
+ NMPlatformIP6Route rb = def_route_b->ip6_route;
- NM_CMP_DIRECT(ra.metric, rb.metric);
- NM_CMP_DIRECT(ra.plen, rb.plen);
- NM_CMP_RETURN_DIRECT(
- nm_ip6_addr_same_prefix_cmp(&ra.network, &rb.network, ra.plen));
+ NM_CMP_DIRECT(ra.metric, rb.metric);
+ NM_CMP_DIRECT(ra.plen, rb.plen);
+ NM_CMP_RETURN_DIRECT(
+ nm_ip6_addr_same_prefix_cmp(&ra.network, &rb.network, ra.plen));
+ }
}
}
--
2.38.1
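Review bot: The replacement guard `if (def_route_a != def_route_b)` only excludes the identical-pointer case; when exactly one of the two best default routes is NULL (one config has a default route and the other does not), the ROUTES_ID branch dereferences the NULL side at `def_route_a->obj_with_ifindex.ifindex` and again at `def_route_a->ip4_route` / `ip6_route`. The removed NM_CMP_SELF presumably ordered NULL against non-NULL before those reads (its definition is not in the hunk), so this looks like a crash regression introduced by the fix rather than something the old code had. Inside the new `if`, before the flag checks, add `if (!def_route_a) return -1;` and `if (!def_route_b) return 1;`; that also keeps nmp_object_cmp_full() in the ROUTES branch from receiving a NULL object in case it does not handle one itself. nm_l3_config_data_cmp_full() starts and ends outside the hunk.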


@ -0,0 +1,530 @@
From c00002b12d34c12d418f5753e03df43ecb6ef67d Mon Sep 17 00:00:00 2001
From: Thomas Haller <thaller@redhat.com>
Date: Wed, 10 May 2023 08:37:06 +0200
Subject: [PATCH 1/5] glib-aux: add
NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_DOUBLE_QUOTE flag to escape double quotes
This is useful when printing a string for debugging. Then we can
printf("v=\"%s\"", utf8safe_escaped_text), which can be safely unescaped
with `echo -e`.
(cherry picked from commit c26a94e95551021d86cae6fc0e6aafb97b1363f6)
(cherry picked from commit 18848c77c7a44b179ad0c582ac60cee7602d1786)
---
src/libnm-glib-aux/nm-shared-utils.c | 21 +++++++++++++--------
src/libnm-glib-aux/nm-shared-utils.h | 8 ++++++--
2 files changed, 19 insertions(+), 10 deletions(-)
diff --git a/src/libnm-glib-aux/nm-shared-utils.c b/src/libnm-glib-aux/nm-shared-utils.c
index 702a63e9f6..49f2c93e35 100644
--- a/src/libnm-glib-aux/nm-shared-utils.c
+++ b/src/libnm-glib-aux/nm-shared-utils.c
@@ -2755,13 +2755,16 @@ nm_utils_buf_utf8safe_escape(gconstpointer buf,
if (g_utf8_validate(str, buflen, &p) && nul_terminated) {
/* note that g_utf8_validate() does not allow NUL character inside @str. Good.
* We can treat @str like a NUL terminated string. */
- if (!NM_STRCHAR_ANY(str,
- ch,
- (ch == '\\'
- || (NM_FLAGS_HAS(flags, NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_CTRL)
- && nm_ascii_is_ctrl_or_del(ch))
- || (NM_FLAGS_HAS(flags, NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_NON_ASCII)
- && nm_ascii_is_non_ascii(ch)))))
+ if (!NM_STRCHAR_ANY(
+ str,
+ ch,
+ (ch == '\\'
+ || (NM_FLAGS_HAS(flags, NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_CTRL)
+ && nm_ascii_is_ctrl_or_del(ch))
+ || (NM_FLAGS_HAS(flags, NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_NON_ASCII)
+ && nm_ascii_is_non_ascii(ch))
+ || (NM_FLAGS_HAS(flags, NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_DOUBLE_QUOTE)
+ && ch == '"'))))
return str;
}
@@ -2781,7 +2784,9 @@ nm_utils_buf_utf8safe_escape(gconstpointer buf,
else if ((NM_FLAGS_HAS(flags, NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_CTRL)
&& nm_ascii_is_ctrl_or_del(ch))
|| (NM_FLAGS_HAS(flags, NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_NON_ASCII)
- && nm_ascii_is_non_ascii(ch)))
+ && nm_ascii_is_non_ascii(ch))
+ || (NM_FLAGS_HAS(flags, NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_DOUBLE_QUOTE)
+ && ch == '"'))
_str_buf_append_c_escape_octal(&strbuf, ch);
else
nm_str_buf_append_c(&strbuf, ch);
diff --git a/src/libnm-glib-aux/nm-shared-utils.h b/src/libnm-glib-aux/nm-shared-utils.h
index 083ed137ee..ad24e7c427 100644
--- a/src/libnm-glib-aux/nm-shared-utils.h
+++ b/src/libnm-glib-aux/nm-shared-utils.h
@@ -1243,12 +1243,16 @@ typedef enum {
* It will backslash escape ascii characters according to nm_ascii_is_non_ascii(). */
NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_NON_ASCII = 0x0002,
+ /* Escape '"' as ASCII "\\042". This is useful when escaping a string so that
+ * it can be unescaped with `echo -e $PASTE_TEXT`. */
+ NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_DOUBLE_QUOTE = 0x0004,
+
/* This flag only has an effect during escaping to ensure we
* don't leak secrets in memory. Note that during unescape we
* know the maximum result size from the beginning, and no
* reallocation happens. Thus, unescape always avoids leaking
* secrets already. */
- NM_UTILS_STR_UTF8_SAFE_FLAG_SECRET = 0x0004,
+ NM_UTILS_STR_UTF8_SAFE_FLAG_SECRET = 0x0008,
/* This flag only has an effect during unescaping. It means
* that non-escaped whitespaces (g_ascii_isspace()) will be
@@ -1256,7 +1260,7 @@ typedef enum {
* this flag is only useful for gracefully accepting user input
* with spaces. With this flag, escape and unescape may no longer
* yield the original input. */
- NM_UTILS_STR_UTF8_SAFE_UNESCAPE_STRIP_SPACES = 0x0008,
+ NM_UTILS_STR_UTF8_SAFE_UNESCAPE_STRIP_SPACES = 0x0010,
} NMUtilsStrUtf8SafeFlags;
const char *nm_utils_buf_utf8safe_escape(gconstpointer buf,
--
2.41.0
From 668d8caff3b0a8ea45a63ef9676f05d87428825d Mon Sep 17 00:00:00 2001
From: Thomas Haller <thaller@redhat.com>
Date: Wed, 10 May 2023 08:41:00 +0200
Subject: [PATCH 2/5] glib-aux: add nmtst_assert_cmpmem() helper
g_assert_cmpmem() exists, but it does not print the actual buffer
content on test failure. It is useful to see what actually failed in
the test output.
Also, nmtst_assert_cmpmem() prints a backslash escaped output, that you
can unescape in the terminal with `echo -e`. You can also directly copy
and paste the output to C source code.
(cherry picked from commit 3c3938406dd825f6a0d9e6e55319f0f68a6e2f83)
(cherry picked from commit 4ec00efca9154029f377f8498ef4bd3bd9b4cfa9)
---
src/libnm-glib-aux/nm-test-utils.h | 48 ++++++++++++++++++++++++++++++
1 file changed, 48 insertions(+)
diff --git a/src/libnm-glib-aux/nm-test-utils.h b/src/libnm-glib-aux/nm-test-utils.h
index b65818e00a..a55977d1ce 100644
--- a/src/libnm-glib-aux/nm-test-utils.h
+++ b/src/libnm-glib-aux/nm-test-utils.h
@@ -203,6 +203,54 @@
} \
G_STMT_END
+#define nmtst_assert_cmpmem(m1, l1, m2, l2) \
+ G_STMT_START \
+ { \
+ const guint8 *const _m1 = (gpointer) (m1); \
+ const guint8 *const _m2 = (gpointer) (m2); \
+ const gsize _l1 = (l1); \
+ const gsize _l2 = (l2); \
+ \
+ /* This is like g_assert_cmpmem(), however on failure it actually
+ * prints the compared buffer contents, which is useful for debugging
+ * the test failure. */ \
+ \
+ g_assert(_l1 == 0 || _m1); \
+ g_assert(_l2 == 0 || _m2); \
+ \
+ if (_l1 != _l2 || (_l1 > 0 && memcmp(_m1, _m2, _l1) != 0)) { \
+ gs_free char *_s1 = NULL; \
+ gs_free char *_s2 = NULL; \
+ \
+ g_error( \
+ "ERROR: %s:%d : buffer [\"%s\" (%s, %zu bytes)] differs from [\"%s\" (%s, %zu " \
+ "bytes)]:\n" \
+ " a=[ \"%s\" ]\n" \
+ " b=[ \"%s\" ]\n", \
+ __FILE__, \
+ (int) __LINE__, \
+ #m1, \
+ #l1, \
+ _l1, \
+ #m2, \
+ #l2, \
+ _l2, \
+ (_s1 = nm_utils_buf_utf8safe_escape_cp( \
+ _m1, \
+ _l1, \
+ NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_CTRL \
+ | NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_DOUBLE_QUOTE)) \
+ ?: "", \
+ (_s2 = nm_utils_buf_utf8safe_escape_cp( \
+ _m2, \
+ _l2, \
+ NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_CTRL \
+ | NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_DOUBLE_QUOTE)) \
+ ?: ""); \
+ } \
+ } \
+ G_STMT_END
+
/*****************************************************************************/
/* Our nm-error error numbers use negative values to signal failure.
--
2.41.0
From 90b9aa2be6ec9ee3527edf146d6fce74cb2d9926 Mon Sep 17 00:00:00 2001
From: Thomas Haller <thaller@redhat.com>
Date: Wed, 10 May 2023 07:44:52 +0200
Subject: [PATCH 3/5] bond: don't configure "counter" on nft rules for
slb-bonding/mlag
Counters are convenient for debugging, but have a performance overhead.
Configure them only when debug logging in NetworkManager is enabled.
(cherry picked from commit 2c716f04f9b75ed8df70314920a705b48c36c8eb)
(cherry picked from commit 7bb285abb70d76dff33517252b71d0b8f96adc41)
---
src/core/nm-bond-manager.c | 8 ++++++-
src/core/nm-firewall-utils.c | 43 +++++++++++++++++++++---------------
src/core/nm-firewall-utils.h | 3 ++-
3 files changed, 34 insertions(+), 20 deletions(-)
diff --git a/src/core/nm-bond-manager.c b/src/core/nm-bond-manager.c
index 2d15b0b5a0..9985fccf11 100644
--- a/src/core/nm-bond-manager.c
+++ b/src/core/nm-bond-manager.c
@@ -438,6 +438,7 @@ _nft_call(NMBondManager *self,
{
gs_unref_bytes GBytes *stdin_buf = NULL;
gs_free const char *const *previous_members_strv = NULL;
+ gboolean with_counters;
if (up) {
gs_unref_ptrarray GPtrArray *arr = NULL;
@@ -480,11 +481,16 @@ _nft_call(NMBondManager *self,
}
}
+ /* counters in the nft rules are convenient for debugging, but have a performance overhead.
+ * Enable counters based on whether NM logging is enabled. */
+ with_counters = _NMLOG_ENABLED(LOGL_TRACE);
+
stdin_buf = nm_firewall_nft_stdio_mlag(up,
bond_ifname,
bond_ifnames_down,
active_members,
- previous_members_strv);
+ previous_members_strv,
+ with_counters);
nm_clear_g_cancellable(&self->cancellable);
self->cancellable = g_cancellable_new();
diff --git a/src/core/nm-firewall-utils.c b/src/core/nm-firewall-utils.c
index f231583a21..b8ae4397bf 100644
--- a/src/core/nm-firewall-utils.c
+++ b/src/core/nm-firewall-utils.c
@@ -763,13 +763,15 @@ nm_firewall_nft_stdio_mlag(gboolean up,
const char *bond_ifname,
const char *const *bond_ifnames_down,
const char *const *active_members,
- const char *const *previous_members)
+ const char *const *previous_members,
+ gboolean with_counters)
{
nm_auto_str_buf NMStrBuf strbuf_table_name =
NM_STR_BUF_INIT_A(NM_UTILS_GET_NEXT_REALLOC_SIZE_32, FALSE);
nm_auto_str_buf NMStrBuf strbuf = NM_STR_BUF_INIT(NM_UTILS_GET_NEXT_REALLOC_SIZE_1000, FALSE);
const char *table_name;
gsize i;
+ const char *const s_counter = with_counters ? " counter" : "";
if (NM_MORE_ASSERTS > 10 && active_members) {
/* No duplicates. We make certain assumptions here, and we don't
@@ -876,9 +878,10 @@ nm_firewall_nft_stdio_mlag(gboolean up,
_append(&strbuf,
"add rule netdev %s %s pkttype {"
" broadcast, multicast "
- "} counter drop",
+ "}%s drop",
table_name,
- chain_name);
+ chain_name,
+ s_counter);
}
/* OVS SLB rule 2
@@ -905,15 +908,17 @@ nm_firewall_nft_stdio_mlag(gboolean up,
table_name,
bond_ifname);
_append(&strbuf,
- "add rule netdev %s tx-snoop-source-mac set update ether saddr . vlan id"
- " timeout 5s @macset-tagged counter return"
+ "add rule netdev %s tx-snoop-source-mac set update ether saddr . vlan id "
+ "timeout 5s @macset-tagged%s return"
"", /* tagged */
- table_name);
+ table_name,
+ s_counter);
_append(&strbuf,
- "add rule netdev %s tx-snoop-source-mac set update ether saddr"
- " timeout 5s @macset-untagged counter"
+ "add rule netdev %s tx-snoop-source-mac set update ether saddr timeout 5s "
+ "@macset-untagged%s"
"", /* untagged*/
- table_name);
+ table_name,
+ s_counter);
_append(&strbuf,
"add chain netdev %s rx-drop-looped-packets {"
@@ -921,18 +926,20 @@ nm_firewall_nft_stdio_mlag(gboolean up,
"}",
table_name,
bond_ifname);
+ _append(
+ &strbuf,
+ "add rule netdev %s rx-drop-looped-packets ether saddr . vlan id @macset-tagged%s drop",
+ table_name,
+ s_counter);
_append(&strbuf,
- "add rule netdev %s rx-drop-looped-packets ether saddr . vlan id"
- " @macset-tagged counter drop",
- table_name);
- _append(&strbuf,
- "add rule netdev %s rx-drop-looped-packets ether type vlan counter return"
+ "add rule netdev %s rx-drop-looped-packets ether type vlan%s return"
"", /* avoid looking up tagged packets in untagged table */
- table_name);
+ table_name,
+ s_counter);
_append(&strbuf,
- "add rule netdev %s rx-drop-looped-packets ether saddr @macset-untagged"
- " counter drop",
- table_name);
+ "add rule netdev %s rx-drop-looped-packets ether saddr @macset-untagged%s drop",
+ table_name,
+ s_counter);
}
out:
diff --git a/src/core/nm-firewall-utils.h b/src/core/nm-firewall-utils.h
index ca138ccf78..9f13a5127e 100644
--- a/src/core/nm-firewall-utils.h
+++ b/src/core/nm-firewall-utils.h
@@ -39,6 +39,7 @@ GBytes *nm_firewall_nft_stdio_mlag(gboolean up,
const char *bond_ifname,
const char *const *bond_ifnames_down,
const char *const *active_members,
- const char *const *previous_members);
+ const char *const *previous_members,
+ gboolean with_counters);
#endif /* __NM_FIREWALL_UTILS_H__ */
--
2.41.0
From 863171b69d72053d0b6bfafe510af62098c218d8 Mon Sep 17 00:00:00 2001
From: Thomas Haller <thaller@redhat.com>
Date: Wed, 10 May 2023 08:42:49 +0200
Subject: [PATCH 4/5] core/tests: add test for nm_firewall_nft_stdio_mlag()
If only to hit some of the code paths in our test, and to have valgrind
check (some of) the code paths.
(cherry picked from commit a20d4a7a912a7e7a535318bc7294ebd8b6bb6655)
(cherry picked from commit 8e7d94b10c50a4ce963ddf441752522183b35ab3)
---
src/core/tests/test-core.c | 122 +++++++++++++++++++++++++++++++++++++
1 file changed, 122 insertions(+)
diff --git a/src/core/tests/test-core.c b/src/core/tests/test-core.c
index 887803bffe..d90e44f04f 100644
--- a/src/core/tests/test-core.c
+++ b/src/core/tests/test-core.c
@@ -18,6 +18,7 @@
#include "dns/nm-dns-manager.h"
#include "nm-connectivity.h"
+#include "nm-firewall-utils.h"
#include "nm-test-utils-core.h"
@@ -2580,6 +2581,125 @@ test_connectivity_state_cmp(void)
/*****************************************************************************/
+static void
+test_nm_firewall_nft_stdio_mlag(void)
+{
+#define _T(up, \
+ bond_ifname, \
+ bond_ifnames_down, \
+ active_members, \
+ previous_members, \
+ with_counters, \
+ expected) \
+ G_STMT_START \
+ { \
+ gs_unref_bytes GBytes *_b = NULL; \
+ \
+ _b = nm_firewall_nft_stdio_mlag((up), \
+ (bond_ifname), \
+ (bond_ifnames_down), \
+ (active_members), \
+ (previous_members), \
+ (with_counters)); \
+ \
+ g_assert(_b); \
+ nmtst_assert_cmpmem(expected, \
+ NM_STRLEN(expected), \
+ g_bytes_get_data(_b, NULL), \
+ g_bytes_get_size(_b)); \
+ } \
+ G_STMT_END
+
+ _T(TRUE,
+ "bond0",
+ NM_MAKE_STRV("eth0"),
+ NM_MAKE_STRV("eth1"),
+ NM_MAKE_STRV("eth2"),
+ TRUE,
+ "add table netdev nm-mlag-eth0\012delete table netdev nm-mlag-eth0\012add table netdev "
+ "nm-mlag-bond0\012flush table netdev nm-mlag-bond0\012add chain netdev nm-mlag-bond0 "
+ "rx-drop-bc-mc-eth2 { type filter hook ingress device eth2 priority filter; }\012delete "
+ "chain netdev nm-mlag-bond0 rx-drop-bc-mc-eth2\012add chain netdev nm-mlag-bond0 "
+ "rx-drop-bc-mc-eth1 { type filter hook ingress device eth1 priority filter; }\012delete "
+ "chain netdev nm-mlag-bond0 rx-drop-bc-mc-eth1\012add set netdev nm-mlag-bond0 "
+ "macset-tagged { typeof ether saddr . vlan id; flags dynamic,timeout; }\012add set netdev "
+ "nm-mlag-bond0 macset-untagged { typeof ether saddr; flags dynamic,timeout; }\012add chain "
+ "netdev nm-mlag-bond0 tx-snoop-source-mac { type filter hook egress device bond0 priority "
+ "filter; }\012add rule netdev nm-mlag-bond0 tx-snoop-source-mac set update ether saddr . "
+ "vlan id timeout 5s @macset-tagged counter return\012add rule netdev nm-mlag-bond0 "
+ "tx-snoop-source-mac set update ether saddr timeout 5s @macset-untagged counter\012add "
+ "chain netdev nm-mlag-bond0 rx-drop-looped-packets { type filter hook ingress device bond0 "
+ "priority filter; }\012add rule netdev nm-mlag-bond0 rx-drop-looped-packets ether saddr . "
+ "vlan id @macset-tagged counter drop\012add rule netdev nm-mlag-bond0 "
+ "rx-drop-looped-packets ether type vlan counter return\012add rule netdev nm-mlag-bond0 "
+ "rx-drop-looped-packets ether saddr @macset-untagged counter drop\012");
+
+ _T(TRUE,
+ "bond0",
+ NM_MAKE_STRV("eth0"),
+ NM_MAKE_STRV("eth1"),
+ NM_MAKE_STRV("eth2"),
+ FALSE,
+ "add table netdev nm-mlag-eth0\012delete table netdev nm-mlag-eth0\012add table netdev "
+ "nm-mlag-bond0\012flush table netdev nm-mlag-bond0\012add chain netdev nm-mlag-bond0 "
+ "rx-drop-bc-mc-eth2 { type filter hook ingress device eth2 priority filter; }\012delete "
+ "chain netdev nm-mlag-bond0 rx-drop-bc-mc-eth2\012add chain netdev nm-mlag-bond0 "
+ "rx-drop-bc-mc-eth1 { type filter hook ingress device eth1 priority filter; }\012delete "
+ "chain netdev nm-mlag-bond0 rx-drop-bc-mc-eth1\012add set netdev nm-mlag-bond0 "
+ "macset-tagged { typeof ether saddr . vlan id; flags dynamic,timeout; }\012add set netdev "
+ "nm-mlag-bond0 macset-untagged { typeof ether saddr; flags dynamic,timeout; }\012add chain "
+ "netdev nm-mlag-bond0 tx-snoop-source-mac { type filter hook egress device bond0 priority "
+ "filter; }\012add rule netdev nm-mlag-bond0 tx-snoop-source-mac set update ether saddr . "
+ "vlan id timeout 5s @macset-tagged return\012add rule netdev nm-mlag-bond0 "
+ "tx-snoop-source-mac set update ether saddr timeout 5s @macset-untagged\012add chain netdev "
+ "nm-mlag-bond0 rx-drop-looped-packets { type filter hook ingress device bond0 priority "
+ "filter; }\012add rule netdev nm-mlag-bond0 rx-drop-looped-packets ether saddr . vlan id "
+ "@macset-tagged drop\012add rule netdev nm-mlag-bond0 rx-drop-looped-packets ether type "
+ "vlan return\012add rule netdev nm-mlag-bond0 rx-drop-looped-packets ether saddr "
+ "@macset-untagged drop\012");
+
+ _T(TRUE,
+ "bond0",
+ NM_MAKE_STRV("eth0", "eth1"),
+ NM_MAKE_STRV("eth2", "eth3"),
+ NM_MAKE_STRV("eth4", "eth5"),
+ FALSE,
+ "add table netdev nm-mlag-eth0\012delete table netdev nm-mlag-eth0\012add table netdev "
+ "nm-mlag-eth1\012delete table netdev nm-mlag-eth1\012add table netdev "
+ "nm-mlag-bond0\012flush table netdev nm-mlag-bond0\012add chain netdev nm-mlag-bond0 "
+ "rx-drop-bc-mc-eth4 { type filter hook ingress device eth4 priority filter; }\012delete "
+ "chain netdev nm-mlag-bond0 rx-drop-bc-mc-eth4\012add chain netdev nm-mlag-bond0 "
+ "rx-drop-bc-mc-eth5 { type filter hook ingress device eth5 priority filter; }\012delete "
+ "chain netdev nm-mlag-bond0 rx-drop-bc-mc-eth5\012add chain netdev nm-mlag-bond0 "
+ "rx-drop-bc-mc-eth2 { type filter hook ingress device eth2 priority filter; }\012delete "
+ "chain netdev nm-mlag-bond0 rx-drop-bc-mc-eth2\012add chain netdev nm-mlag-bond0 "
+ "rx-drop-bc-mc-eth3 { type filter hook ingress device eth3 priority filter; }\012add rule "
+ "netdev nm-mlag-bond0 rx-drop-bc-mc-eth3 pkttype { broadcast, multicast } drop\012add set "
+ "netdev nm-mlag-bond0 macset-tagged { typeof ether saddr . vlan id; flags dynamic,timeout; "
+ "}\012add set netdev nm-mlag-bond0 macset-untagged { typeof ether saddr; flags "
+ "dynamic,timeout; }\012add chain netdev nm-mlag-bond0 tx-snoop-source-mac { type filter "
+ "hook egress device bond0 priority filter; }\012add rule netdev nm-mlag-bond0 "
+ "tx-snoop-source-mac set update ether saddr . vlan id timeout 5s @macset-tagged "
+ "return\012add rule netdev nm-mlag-bond0 tx-snoop-source-mac set update ether saddr timeout "
+ "5s @macset-untagged\012add chain netdev nm-mlag-bond0 rx-drop-looped-packets { type filter "
+ "hook ingress device bond0 priority filter; }\012add rule netdev nm-mlag-bond0 "
+ "rx-drop-looped-packets ether saddr . vlan id @macset-tagged drop\012add rule netdev "
+ "nm-mlag-bond0 rx-drop-looped-packets ether type vlan return\012add rule netdev "
+ "nm-mlag-bond0 rx-drop-looped-packets ether saddr @macset-untagged drop\012");
+
+ _T(FALSE,
+ "bond0",
+ NM_MAKE_STRV("eth0", "eth1"),
+ NM_MAKE_STRV("eth2", "eth3"),
+ NM_MAKE_STRV("eth4", "eth5"),
+ FALSE,
+ "add table netdev nm-mlag-eth0\012delete table netdev nm-mlag-eth0\012add table netdev "
+ "nm-mlag-eth1\012delete table netdev nm-mlag-eth1\012add table netdev "
+ "nm-mlag-bond0\012delete table netdev nm-mlag-bond0\012");
+}
+
+/*****************************************************************************/
+
NMTST_DEFINE();
int
@@ -2654,5 +2774,7 @@ main(int argc, char **argv)
g_test_add_func("/core/general/test_kernel_cmdline_match_check",
test_kernel_cmdline_match_check);
+ g_test_add_func("/core/test_nm_firewall_nft_stdio_mlag", test_nm_firewall_nft_stdio_mlag);
+
return g_test_run();
}
--
2.41.0
From e981987cd4315c0d37f980b28c02c35340d81a2f Mon Sep 17 00:00:00 2001
From: Thomas Haller <thaller@redhat.com>
Date: Tue, 2 May 2023 08:54:21 +0200
Subject: [PATCH 5/5] firewall: create "dynamic" sets for nft rules for
slb-bonding
A workaround for a nftables issue ([1]). I don't know why that matters.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2177667
Fixes: e9268e392418 ('firewall: add mlag firewall utils for multi chassis link aggregation (MLAG) for bonding-slb')
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1614
(cherry picked from commit d3b54963622f242db1ebeda21dedd9558b484355)
(cherry picked from commit 0d9d753523bc30bfd42519e1716a2d7e447f011e)
---
src/core/nm-firewall-utils.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/core/nm-firewall-utils.c b/src/core/nm-firewall-utils.c
index b8ae4397bf..ac12d3e432 100644
--- a/src/core/nm-firewall-utils.c
+++ b/src/core/nm-firewall-utils.c
@@ -892,12 +892,12 @@ nm_firewall_nft_stdio_mlag(gboolean up,
*/
_append(&strbuf,
"add set netdev %s macset-tagged {"
- " typeof ether saddr . vlan id; flags timeout; "
+ " typeof ether saddr . vlan id; flags dynamic,timeout; "
"}",
table_name);
_append(&strbuf,
"add set netdev %s macset-untagged {"
- " typeof ether saddr; flags timeout;"
+ " typeof ether saddr; flags dynamic,timeout; "
"}",
table_name);
--
2.41.0
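Review bot: In _nft_call (nm-bond-manager.c, PATCH 3/5) the new `with_counters = _NMLOG_ENABLED(LOGL_TRACE);` gates the counters on trace level, while the patch description says "debug logging" and the comment above it says only "whether NM logging is enabled"; either the level or the wording is off, and the comment should name the level it checks, e.g. `/* nft counters cost per packet; only emit them when trace logging (LOGL_TRACE) is enabled, so normal and debug-level runs do not pay for them. */`. Separately, the expected strings in test_nm_firewall_nft_stdio_mlag (PATCH 4/5, e.g. `flags dynamic,timeout;`) already assume the set definition that only PATCH 5/5 introduces, so the series does not pass its own test between patches 4 and 5; placing patch 5 before patch 4 in this file would keep every step self-consistent. _nft_call and nm_firewall_nft_stdio_mlag() both start and end outside their hunks.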


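--- a/<spec file: path not shown on page>
+++ b/<spec file: path not shown on page>
@@ -6,7 +6,7 @@
 %global epoch_version 1
 %global real_version 1.42.2
 %global rpm_version %{real_version}
-%global release_version 3
+%global release_version 6
 %global snapshot %{nil}
 %global git_sha %{nil}
 %global bcond_default_debug 0
@@ -205,6 +205,9 @@ Source7: readme-ifcfg-rh.txt
 # Patch1001: 1001-some.patch
 Patch1001: 1001-ipv6ll-don-t-regenerate-the-address-when-removed-rh2196441.patch
 Patch1002: 1002-Revert-infiniband-avoid-normalizing-the-p-key-rh2209976.patch
+Patch1003: 1003-unblock-autoconnect-upon-reapply-rh2217903.patch
+Patch1004: 1004-core-fix-l3cd-comparison-rhbz2219847.patch
+Patch1005: 1005-firewall-create-dynamic-sets-rhbz2220952.patch
 Requires(post): systemd
 %if 0%{?fedora} || 0%{?rhel} >= 8
@@ -1253,6 +1256,15 @@ fi
 %changelog
+* Wed Jul 12 2023 Fernando Fernandez Mancera <ferferna@redhat.com> - 1:1.42.2-6
+- firewall: create "dynamic" sets for nft rules for slb-bonding (rh #2220952)
+* Wed Jul 5 2023 Wen Liang <wenliang@redhat.com> - 1:1.42.2-5
+- make sure that the IP and DNS configuration gets applied when it changes (rh #2219847)
+* Thu Jun 29 2023 Gris Ge <fge@redhat.com> - 1:1.42.2-4
+- unblock autoconnect upon reapply finish (rh #2217903)
 * Mon May 29 2023 Wen Liang <wenliang@redhat.com> - 1:1.42.2-3
 - revert "infiniband: avoid normalizing the p-key when reading from ifcfg" (rh #2209976)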