rpms/NetworkManager
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import NetworkManager-1.36.0-4.el9_0

Browse Source
This commit is contained in:
CentOS Sources 2022-05-17 06:24:44 -04:00 committed by Stepan Oksanichenko
commit e2baef0495
12 changed files with 4568 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.NetworkManager.metadata Normal file
View File

@ -0,0 +1 @@
adbe8e9eef649ac73c4fbaefd71a1335d4d016cd SOURCES/NetworkManager-1.36.0.tar.xz

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
SOURCES/NetworkManager-1.36.0.tar.xz

14
SOURCES/00-server.conf Normal file
View File

@ -0,0 +1,14 @@
# This configuration file changes NetworkManager's behavior to
# what's expected on "traditional UNIX server" type deployments.
#
# See "man NetworkManager.conf" for more information about these
# and other keys.
[main]
# Do not do automatic (DHCP/SLAAC) configuration on ethernet devices
# with no other matching connections.
no-auto-default=*
# Ignore the carrier (cable plugged in) state when attempting to
# activate static-IP connections.
ignore-carrier=*

62
SOURCES/1001-wwan-dns-fix-rh2059138.patch Normal file
View File

@ -0,0 +1,62 @@
From 7ba52fdcfeeb1e5400bcecb9fa93b3099dcccb47 Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Fri, 25 Feb 2022 10:06:48 +0100
Subject: [PATCH] core: initialize l3cd dns-priority for ppp and wwan
For devices that configure IP by themselves (by returning
"->ready_for_ip_config() = TRUE" and implementing
->act_stage3_ip_config()), we skip manual configuration. Currently,
manual configuration is the only one that sets flag HAS_DNS_PRIORITY
into the resulting l3cd.
So, the merged l3cd for such devices misses a dns-priority and is
ignored by the DNS manager.
Explicitly initialize the priority to 0; in this way, the default
value for the device will be set in the final l3cd during the merge.
Fixes: 58287cbcc0c8 ('core: rework IP configuration in NetworkManager using layer 3 configuration')
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/931
(cherry picked from commit b2e559fab2fa5adbf4e159fc1c2cadd3d965b01b)
(cherry picked from commit bfd3216584e9fe1eb0b6f3f81e3eb75a40877775)
---
src/core/devices/wwan/nm-modem-broadband.c | 2 ++
src/core/ppp/nm-ppp-manager.c | 1 +
2 files changed, 3 insertions(+)
diff --git a/src/core/devices/wwan/nm-modem-broadband.c b/src/core/devices/wwan/nm-modem-broadband.c
index f5336d3750..b585652e5d 100644
--- a/src/core/devices/wwan/nm-modem-broadband.c
+++ b/src/core/devices/wwan/nm-modem-broadband.c
@@ -1032,6 +1032,7 @@ stage3_ip_config_start(NMModem *modem, int addr_family, NMModemIPMethod ip_metho
l3cd = nm_l3_config_data_new(nm_platform_get_multi_idx(NM_PLATFORM_GET),
ifindex,
NM_IP_CONFIG_SOURCE_WWAN);
+ nm_l3_config_data_set_dns_priority(l3cd, AF_INET, 0);
address = (NMPlatformIP4Address){
.address = address_network,
@@ -1118,6 +1119,7 @@ stage3_ip_config_start(NMModem *modem, int addr_family, NMModemIPMethod ip_metho
l3cd = nm_l3_config_data_new(nm_platform_get_multi_idx(NM_PLATFORM_GET),
ifindex,
NM_IP_CONFIG_SOURCE_WWAN);
+ nm_l3_config_data_set_dns_priority(l3cd, AF_INET6, 0);
do_auto = TRUE;
diff --git a/src/core/ppp/nm-ppp-manager.c b/src/core/ppp/nm-ppp-manager.c
index dd6b1bc7f0..5761d59d39 100644
--- a/src/core/ppp/nm-ppp-manager.c
+++ b/src/core/ppp/nm-ppp-manager.c
@@ -545,6 +545,7 @@ impl_ppp_manager_set_ip4_config(NMDBusObject *obj,
NM_IP_CONFIG_SOURCE_PPP);
nm_l3_config_data_set_mtu(l3cd, mtu);
+ nm_l3_config_data_set_dns_priority(l3cd, AF_INET, 0);
address = (NMPlatformIP4Address){
.plen = 32,
--
2.34.1

332
SOURCES/1002-checkpoint-preserve-external-bridge-ports-rh2035519.patch Normal file
View File

@ -0,0 +1,332 @@
From b55842ac0803b59fe8675464191180e44634ce1f Mon Sep 17 00:00:00 2001
From: Thomas Haller <thaller@redhat.com>
Date: Tue, 22 Feb 2022 22:08:18 +0100
Subject: [PATCH 1/2] core: reject unsupported flags for CheckpointCreate D-Bus
request
(cherry picked from commit df6ee44fb2b96cf05aaeeee500c75d7d91b37404)
(cherry picked from commit 4cfc2245d382b0b869bd52238eecd17f1c10af1c)
---
src/core/nm-manager.c | 34 +++++++++++++++++++++++++---------
1 file changed, 25 insertions(+), 9 deletions(-)
diff --git a/src/core/nm-manager.c b/src/core/nm-manager.c
index b440b22457f2..53ef1754bb72 100644
--- a/src/core/nm-manager.c
+++ b/src/core/nm-manager.c
@@ -7453,15 +7453,30 @@ impl_manager_checkpoint_create(NMDBusObject *obj,
GDBusMethodInvocation *invocation,
GVariant *parameters)
{
- NMManager *self = NM_MANAGER(obj);
- NMManagerPrivate *priv = NM_MANAGER_GET_PRIVATE(self);
- NMAuthChain *chain;
- char **devices;
- guint32 rollback_timeout;
- guint32 flags;
+ NMManager *self = NM_MANAGER(obj);
+ NMManagerPrivate *priv = NM_MANAGER_GET_PRIVATE(self);
+ NMAuthChain *chain;
+ gs_strfreev char **devices = NULL;
+ guint32 rollback_timeout;
+ guint32 flags;
G_STATIC_ASSERT_EXPR(sizeof(flags) <= sizeof(NMCheckpointCreateFlags));
+ g_variant_get(parameters, "(^aouu)", &devices, &rollback_timeout, &flags);
+
+ if ((NMCheckpointCreateFlags) flags != flags
+ || NM_FLAGS_ANY(flags,
+ ~((guint32) (NM_CHECKPOINT_CREATE_FLAG_DESTROY_ALL
+ | NM_CHECKPOINT_CREATE_FLAG_DELETE_NEW_CONNECTIONS
+ | NM_CHECKPOINT_CREATE_FLAG_DISCONNECT_NEW_DEVICES
+ | NM_CHECKPOINT_CREATE_FLAG_ALLOW_OVERLAPPING)))) {
+ g_dbus_method_invocation_return_error_literal(invocation,
+ NM_MANAGER_ERROR,
+ NM_MANAGER_ERROR_INVALID_ARGUMENTS,
+ "Invalid flags");
+ return;
+ }
+
chain = nm_auth_chain_new_context(invocation, checkpoint_auth_done_cb, self);
if (!chain) {
g_dbus_method_invocation_return_error_literal(invocation,
@@ -7471,11 +7486,12 @@ impl_manager_checkpoint_create(NMDBusObject *obj,
return;
}
- g_variant_get(parameters, "(^aouu)", &devices, &rollback_timeout, &flags);
-
c_list_link_tail(&priv->auth_lst_head, nm_auth_chain_parent_lst_list(chain));
nm_auth_chain_set_data(chain, "audit-op", NM_AUDIT_OP_CHECKPOINT_CREATE, NULL);
- nm_auth_chain_set_data(chain, "devices", devices, (GDestroyNotify) g_strfreev);
+ nm_auth_chain_set_data(chain,
+ "devices",
+ g_steal_pointer(&devices),
+ (GDestroyNotify) g_strfreev);
nm_auth_chain_set_data(chain, "flags", GUINT_TO_POINTER(flags), NULL);
nm_auth_chain_set_data(chain, "timeout", GUINT_TO_POINTER(rollback_timeout), NULL);
nm_auth_chain_add_call(chain, NM_AUTH_PERMISSION_CHECKPOINT_ROLLBACK, TRUE);
--
2.35.1
From 3c417c8338bf44292d4869763587286c7d492c0c Mon Sep 17 00:00:00 2001
From: Thomas Haller <thaller@redhat.com>
Date: Tue, 22 Feb 2022 21:55:57 +0100
Subject: [PATCH 2/2] core: preserve external ports during checkpoint rollback
When we have a bridge interface with ports attached externally (that is,
not by NetworkManager itself), then it can make sense that during
checkpoint rollback we want to keep those ports attached.
During rollback, we may need to deactivate the bridge device and
re-activate it. Implement this, by setting a flag before deactivating,
which prevents external ports to be detached. The flag gets cleared,
when the device state changes to activated (the following activation)
or unmanaged.
This is an ugly solution, for several reasons.
For one, NMDevice tracks its ports in the "slaves" list. But what
it does is ugly. There is no clear concept to understand what it
actually tacks. For example, it tracks externally added interfaces
(nm_device_sys_iface_state_is_external()) that are attached while
not being connected. But it also tracks interfaces that we want to attach
during activation (but which are not yet actually enslaved). It also tracks
slaves that have no actual netdev device (OVS). So it's not clear what this
list contains and what it should contain at any point in time. When we skip
the change of the slaves states during nm_device_master_release_slaves_all(),
it's not really clear what the effects are. It's ugly, but probably correct
enough. What would be better, if we had a clear purpose of what the
lists (or several lists) mean. E.g. a list of all ports that are
currently, physically attached vs. a list of ports we want to attach vs.
a list of OVS slaves that have no actual netdev device.
Another problem is that we attach state on the device
("activation_state_preserve_external_ports"), which should linger there
during the deactivation and reactivation. How can we be sure that we don't
leave that flag dangling there, and that the desired following activation
is the one we cared about? If the follow-up activation fails short (e.g. an
unmanaged command comes first), will we properly disconnect the slaves?
Should we even? In practice, it might be correct enough.
Also, we only implement this for bridges. I think this is where it makes
the most sense. And after all, it's an odd thing to preserve unknown,
external things during a rollback -- unknown, because we have no knowledge
about why these ports are attached and what to do with them.
Also, the change doesn't remember the ports that were attached when the
checkpoint was created. Instead, we preserve all ports that are attached
during rollback. That seems more useful and easier to implement. So we
don't actually rollback to the configuration when the checkpoint was
created. Instead, we rollback, but keep external devices.
Also, we do this now by default and introduce a flag to get the previous
behavior.
https://bugzilla.redhat.com/show_bug.cgi?id=2035519
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/ # 909
(cherry picked from commit 98b3056604fc565f273c264b892086a75a4db0e9)
(cherry picked from commit 351ca13358f62f85af675672c3399141bec092cd)
---
src/core/devices/nm-device.c | 71 ++++++++++++++++++++++-
src/core/devices/nm-device.h | 2 +
src/core/nm-checkpoint.c | 5 ++
src/core/nm-manager.c | 3 +-
src/libnm-core-public/nm-dbus-interface.h | 16 +++--
5 files changed, 90 insertions(+), 7 deletions(-)
diff --git a/src/core/devices/nm-device.c b/src/core/devices/nm-device.c
index 35360ceebb7b..a11486d54be3 100644
--- a/src/core/devices/nm-device.c
+++ b/src/core/devices/nm-device.c
@@ -76,6 +76,7 @@
#include "nm-hostname-manager.h"
#include "nm-device-generic.h"
+#include "nm-device-bridge.h"
#include "nm-device-vlan.h"
#include "nm-device-vrf.h"
#include "nm-device-wireguard.h"
@@ -483,9 +484,12 @@ typedef struct _NMDevicePrivate {
NMUtilsStableType current_stable_id_type : 3;
+ bool activation_state_preserve_external_ports : 1;
+
bool nm_owned : 1; /* whether the device is a device owned and created by NM */
- bool assume_state_guess_assume : 1;
+ bool assume_state_guess_assume : 1;
+
char *assume_state_connection_uuid;
guint64 udi_id;
@@ -7666,8 +7670,19 @@ nm_device_master_release_slaves(NMDevice *self)
c_list_for_each_safe (iter, safe, &priv->slaves) {
SlaveInfo *info = c_list_entry(iter, SlaveInfo, lst_slave);
+ if (priv->activation_state_preserve_external_ports
+ && nm_device_sys_iface_state_is_external(info->slave)) {
+ _LOGT(LOGD_DEVICE,
+ "master: preserve external port %s",
+ nm_device_get_iface(info->slave));
+ continue;
+ }
nm_device_master_release_one_slave(self, info->slave, TRUE, FALSE, reason);
}
+
+ /* We only need this flag for a short time. It served its purpose. Clear
+ * it again. */
+ nm_device_activation_state_set_preserve_external_ports(self, FALSE);
}
/**
@@ -15386,6 +15401,16 @@ _set_state_full(NMDevice *self, NMDeviceState state, NMDeviceStateReason reason,
if (state > NM_DEVICE_STATE_DISCONNECTED)
nm_device_assume_state_reset(self);
+ if (state < NM_DEVICE_STATE_UNAVAILABLE
+ || (state >= NM_DEVICE_STATE_IP_CONFIG && state < NM_DEVICE_STATE_ACTIVATED)) {
+ /* preserve-external-ports is used by NMCheckpoint to activate a master
+ * device, and preserve already attached ports. This means, this state is only
+ * relevant during the deactivation and the following activation of the
+ * right profile. Once we are sufficiently far in the activation of the
+ * intended profile, we clear the state again. */
+ nm_device_activation_state_set_preserve_external_ports(self, FALSE);
+ }
+
if (state <= NM_DEVICE_STATE_UNAVAILABLE) {
if (available_connections_del_all(self))
_notify(self, PROP_AVAILABLE_CONNECTIONS);
@@ -15790,6 +15815,50 @@ nm_device_get_state(NMDevice *self)
return NM_DEVICE_GET_PRIVATE(self)->state;
}
+/*****************************************************************************/
+
+/**
+ * nm_device_activation_state_set_preserve_external_ports:
+ * @self: the NMDevice.
+ * @flag: whether to set or clear the the flag.
+ *
+ * This sets an internal flag to true, which does something specific.
+ * For non-master devices, it has no effect. For master devices, this
+ * will prevent to detach all external ports, until the next activation
+ * completes.
+ *
+ * This is used during checkpoint/rollback. We may want to preserve
+ * externally attached ports during the restore. NMCheckpoint will
+ * call this before doing a re-activation. By setting the flag,
+ * we basically preserve such ports.
+ *
+ * Once we reach again ACTIVATED state, the flag gets cleared. This
+ * only has effect for the next activation cycle. */
+void
+nm_device_activation_state_set_preserve_external_ports(NMDevice *self, gboolean flag)
+{
+ NMDevicePrivate *priv;
+
+ g_return_if_fail(NM_IS_DEVICE(self));
+
+ priv = NM_DEVICE_GET_PRIVATE(self);
+
+ if (!NM_IS_DEVICE_BRIDGE(self)) {
+ /* This is actually only implemented for bridge devices. While it might
+ * make sense for bond/team or OVS, it's not clear that it is actually
+ * useful or desirable. */
+ return;
+ }
+
+ if (priv->activation_state_preserve_external_ports == flag)
+ return;
+
+ priv->activation_state_preserve_external_ports = flag;
+ _LOGD(LOGD_DEVICE,
+ "activation-state: preserve-external-ports %s",
+ flag ? "enabled" : "disabled");
+}
+
/*****************************************************************************/
/* NMConfigDevice interface related stuff */
diff --git a/src/core/devices/nm-device.h b/src/core/devices/nm-device.h
index cfcd4ade6d80..a7badb861087 100644
--- a/src/core/devices/nm-device.h
+++ b/src/core/devices/nm-device.h
@@ -444,6 +444,8 @@ NMDeviceType nm_device_get_device_type(NMDevice *dev);
NMLinkType nm_device_get_link_type(NMDevice *dev);
NMMetered nm_device_get_metered(NMDevice *dev);
+void nm_device_activation_state_set_preserve_external_ports(NMDevice *self, gboolean flag);
+
guint32 nm_device_get_route_table(NMDevice *self, int addr_family);
guint32 nm_device_get_route_metric(NMDevice *dev, int addr_family);
diff --git a/src/core/nm-checkpoint.c b/src/core/nm-checkpoint.c
index 0153af970de7..5b48f91aa515 100644
--- a/src/core/nm-checkpoint.c
+++ b/src/core/nm-checkpoint.c
@@ -282,6 +282,11 @@ restore_and_activate_connection(NMCheckpoint *self, DeviceCheckpoint *dev_checkp
* an internal subject. */
if (nm_device_get_state(dev_checkpoint->device) > NM_DEVICE_STATE_DISCONNECTED
&& nm_device_get_state(dev_checkpoint->device) < NM_DEVICE_STATE_DEACTIVATING) {
+ if (!NM_FLAGS_HAS(priv->flags, NM_CHECKPOINT_CREATE_FLAG_NO_PRESERVE_EXTERNAL_PORTS)) {
+ nm_device_activation_state_set_preserve_external_ports(dev_checkpoint->device,
+ TRUE);
+ }
+
nm_device_state_changed(dev_checkpoint->device,
NM_DEVICE_STATE_DEACTIVATING,
NM_DEVICE_STATE_REASON_NEW_ACTIVATION);
diff --git a/src/core/nm-manager.c b/src/core/nm-manager.c
index 53ef1754bb72..6c73d237c845 100644
--- a/src/core/nm-manager.c
+++ b/src/core/nm-manager.c
@@ -7469,7 +7469,8 @@ impl_manager_checkpoint_create(NMDBusObject *obj,
~((guint32) (NM_CHECKPOINT_CREATE_FLAG_DESTROY_ALL
| NM_CHECKPOINT_CREATE_FLAG_DELETE_NEW_CONNECTIONS
| NM_CHECKPOINT_CREATE_FLAG_DISCONNECT_NEW_DEVICES
- | NM_CHECKPOINT_CREATE_FLAG_ALLOW_OVERLAPPING)))) {
+ | NM_CHECKPOINT_CREATE_FLAG_ALLOW_OVERLAPPING
+ | NM_CHECKPOINT_CREATE_FLAG_NO_PRESERVE_EXTERNAL_PORTS)))) {
g_dbus_method_invocation_return_error_literal(invocation,
NM_MANAGER_ERROR,
NM_MANAGER_ERROR_INVALID_ARGUMENTS,
diff --git a/src/libnm-core-public/nm-dbus-interface.h b/src/libnm-core-public/nm-dbus-interface.h
index fe2a6c09db58..0d23c7d7a793 100644
--- a/src/libnm-core-public/nm-dbus-interface.h
+++ b/src/libnm-core-public/nm-dbus-interface.h
@@ -959,17 +959,23 @@ typedef enum {
* overlapping younger checkpoints. This opts-in that the
* checkpoint can be automatically destroyed by the rollback
* of an older checkpoint. Since: 1.12.
+ * @NM_CHECKPOINT_CREATE_FLAG_NO_PRESERVE_EXTERNAL_PORTS: during rollback,
+ * by default externally added ports attached to bridge devices are preserved.
+ * With this flag, the rollback detaches all external ports.
+ * This only has an effect for bridge ports. Before 1.38, 1.36.2, this was the default
+ * behavior. Since: 1.38, 1.36.2.
*
* The flags for CheckpointCreate call
*
* Since: 1.4 (gi flags generated since 1.12)
*/
typedef enum { /*< flags >*/
- NM_CHECKPOINT_CREATE_FLAG_NONE = 0,
- NM_CHECKPOINT_CREATE_FLAG_DESTROY_ALL = 0x01,
- NM_CHECKPOINT_CREATE_FLAG_DELETE_NEW_CONNECTIONS = 0x02,
- NM_CHECKPOINT_CREATE_FLAG_DISCONNECT_NEW_DEVICES = 0x04,
- NM_CHECKPOINT_CREATE_FLAG_ALLOW_OVERLAPPING = 0x08,
+ NM_CHECKPOINT_CREATE_FLAG_NONE = 0,
+ NM_CHECKPOINT_CREATE_FLAG_DESTROY_ALL = 0x01,
+ NM_CHECKPOINT_CREATE_FLAG_DELETE_NEW_CONNECTIONS = 0x02,
+ NM_CHECKPOINT_CREATE_FLAG_DISCONNECT_NEW_DEVICES = 0x04,
+ NM_CHECKPOINT_CREATE_FLAG_ALLOW_OVERLAPPING = 0x08,
+ NM_CHECKPOINT_CREATE_FLAG_NO_PRESERVE_EXTERNAL_PORTS = 0x10,
} NMCheckpointCreateFlags;
/**
--
2.35.1

52
SOURCES/1003-fix-ovsdb-removal-ports-rhbz1935026.patch Normal file
View File

@ -0,0 +1,52 @@
From 482f9671c69800de2077d2dab9352a9b385115d3 Mon Sep 17 00:00:00 2001
From: Lubomir Rintel <lkundrak@v3.sk>
Date: Tue, 22 Feb 2022 16:18:40 +0100
Subject: [PATCH] ovs-port: fix removal of ovsdb entry if the interface goes
away
Hope third time is the charm.
The idea here is to remove the OVSDB entry if the device actually went away
violently (like, the it was actually removed from the platform), but keep it if
we're shutting down.
Fixes-test: @ovs_nmstate
Fixes: 966413e78f14 ('ovs-port: avoid removing the OVSDB entry if we're shutting down')
Fixes: ecc73eb239e6 ('ovs-port: always remove the OVSDB entry on slave release')
https://bugzilla.redhat.com/show_bug.cgi?id=2055665
(cherry picked from commit 65fdfb25006acc3c67059792579dd7a770d04768)
(cherry picked from commit fee7328c86e5fe8171f8382492f147e7d263891b)
---
src/core/devices/ovs/nm-device-ovs-port.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/core/devices/ovs/nm-device-ovs-port.c b/src/core/devices/ovs/nm-device-ovs-port.c
index 8406c3648cef..116f58c43ace 100644
--- a/src/core/devices/ovs/nm-device-ovs-port.c
+++ b/src/core/devices/ovs/nm-device-ovs-port.c
@@ -188,8 +188,10 @@ del_iface_cb(GError *error, gpointer user_data)
static void
release_slave(NMDevice *device, NMDevice *slave, gboolean configure)
{
- NMDeviceOvsPort *self = NM_DEVICE_OVS_PORT(device);
- bool slave_removed = nm_device_sys_iface_state_get(slave) == NM_DEVICE_SYS_IFACE_STATE_REMOVED;
+ NMDeviceOvsPort *self = NM_DEVICE_OVS_PORT(device);
+ bool slave_not_managed = !NM_IN_SET(nm_device_sys_iface_state_get(slave),
+ NM_DEVICE_SYS_IFACE_STATE_MANAGED,
+ NM_DEVICE_SYS_IFACE_STATE_ASSUME);
_LOGI(LOGD_DEVICE, "releasing ovs interface %s", nm_device_get_ip_iface(slave));
@@ -197,7 +199,7 @@ release_slave(NMDevice *device, NMDevice *slave, gboolean configure)
* removed and thus we're called with configure=FALSE), we still need
* to make sure its OVSDB entry is gone.
*/
- if (configure || slave_removed) {
+ if (configure || slave_not_managed) {
nm_ovsdb_del_interface(nm_ovsdb_get(),
nm_device_get_iface(slave),
del_iface_cb,
--
2.35.1

82
SOURCES/1004-n-dhcp4-discard-NAKs-from-other-servers-rhbz2067122.patch Normal file
View File

@ -0,0 +1,82 @@
From 118561e284ff7f28421b19530d4471075b89645c Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Thu, 10 Mar 2022 12:07:49 +0100
Subject: [PATCH] n-dhcp4: discard NAKs from other servers in SELECTING
I got a report of a scenario where multiple servers reply to a REQUEST
in SELECTING, and all servers send NAKs except the one which sent the
offer, which replies with a ACK. In that scenario, n-dhcp4 is not able
to obtain a lease because it restarts from INIT as soon as the first
NAK is received. For comparison, dhclient can get a lease because it
ignores all NAKs in SELECTING.
Arguably, the network is misconfigured there, but it would be great if
n-dhcp4 could still work in such scenario.
According to RFC 2131, ACK and NAK messages from server must contain a
server-id option. The RFC doesn't explicitly say that the client
should check the option, but I think it's a reasonable thing to do, at
least for NAKs.
This patch stores the server-id of the REQUEST in SELECTING, and
compares it with the server-id from NAKs, to discard other servers'
replies.
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1144
---
src/n-dhcp4/src/n-dhcp4-c-connection.c | 19 +++++++++++++++++++
src/n-dhcp4/src/n-dhcp4-private.h | 1 +
2 files changed, 20 insertions(+)
diff --git a/src/n-dhcp4/src/n-dhcp4-c-connection.c b/src/n-dhcp4/src/n-dhcp4-c-connection.c
index 4aba97393d..2f660e3b30 100644
--- a/src/n-dhcp4/src/n-dhcp4-c-connection.c
+++ b/src/n-dhcp4/src/n-dhcp4-c-connection.c
@@ -705,6 +705,7 @@ int n_dhcp4_c_connection_select_new(NDhcp4CConnection *connection,
message->userdata.start_time = offer->userdata.start_time;
message->userdata.base_time = offer->userdata.base_time;
message->userdata.client_addr = client.s_addr;
+ message->userdata.server_id = server.s_addr;
n_dhcp4_incoming_get_xid(offer, &xid);
n_dhcp4_outgoing_set_xid(message, xid);
@@ -1224,6 +1225,24 @@ int n_dhcp4_c_connection_dispatch_io(NDhcp4CConnection *connection,
serv_addr, sizeof(serv_addr)));
}
+ if (type == N_DHCP4_MESSAGE_NAK &&
+ connection->request->userdata.server_id != INADDR_ANY) {
+ struct in_addr server;
+
+ r = n_dhcp4_incoming_query_server_identifier(message, &server);
+ if (r)
+ return N_DHCP4_E_AGAIN;
+
+ if (connection->request->userdata.server_id != server.s_addr) {
+ n_dhcp4_log(connection->log_queue,
+ LOG_DEBUG,
+ "discarded NAK with wrong server-id %s",
+ inet_ntop(AF_INET, &server,
+ serv_addr, sizeof(serv_addr)));
+ return N_DHCP4_E_AGAIN;
+ }
+ }
+
switch (type) {
case N_DHCP4_MESSAGE_OFFER:
case N_DHCP4_MESSAGE_ACK:
diff --git a/src/n-dhcp4/src/n-dhcp4-private.h b/src/n-dhcp4/src/n-dhcp4-private.h
index db7b24ff7d..191e946e70 100644
--- a/src/n-dhcp4/src/n-dhcp4-private.h
+++ b/src/n-dhcp4/src/n-dhcp4-private.h
@@ -202,6 +202,7 @@ struct NDhcp4Outgoing {
uint8_t type;
uint8_t message_type;
uint32_t client_addr;
+ uint32_t server_id;
uint64_t start_time;
uint64_t base_time;
uint64_t send_time;
--
2.35.1

10
SOURCES/20-connectivity-fedora.conf Normal file
View File

@ -0,0 +1,10 @@
# Enable connectivity checking for NetworkManager.
# See `man NetworkManager.conf`.
#
# Note that connectivity checking works badly with rp_filter set to
# strict. Check "/proc/sys/net/ipv4/conf/*/rp_filter".
[connectivity]
enabled=true
uri=http://fedoraproject.org/static/hotspot.txt
response=OK
interval=300

10
SOURCES/20-connectivity-redhat.conf Normal file
View File

@ -0,0 +1,10 @@
# Enable connectivity checking for NetworkManager.
# See `man NetworkManager.conf`.
#
# Note that connectivity checking works badly with rp_filter set to
# strict. Check "/proc/sys/net/ipv4/conf/*/rp_filter".
[connectivity]
enabled=true
uri=http://static.redhat.com/test/rhel-networkmanager.txt
response=OK
interval=300

15
SOURCES/70-nm-connectivity.conf Normal file
View File

@ -0,0 +1,15 @@
# The Strict mode of RFC3704 Reverse Path filtering breaks some pretty
# common and reasonable use cases.
#
# Notably, it makes it impossible for NetworkManager to do connectivity
# check on a newly arriving default route (it starts with a higher metric
# and is bumped lower if there's connectivity).
#
# Kernel's default is 0 (no filter), systemd configures a Loose filter since
# commit 230450d4e4f1 ('sysctl.d: switch net.ipv4.conf.all.rp_filter from 1
# to 2'). However, RHEL systemd package happens to default to Strict mode
# for historic reasons. Let's override it if we're doing connectivity
# checking.
# Source route verification
net.ipv4.conf.all.rp_filter = 0

52
SOURCES/NetworkManager.conf Normal file
View File

@ -0,0 +1,52 @@
# Configuration file for NetworkManager.
#
# See "man 5 NetworkManager.conf" for details.
#
# The directories /usr/lib/NetworkManager/conf.d/ and /run/NetworkManager/conf.d/
# can contain additional .conf snippets installed by packages. These files are
# read before NetworkManager.conf and have thus lowest priority.
# The directory /etc/NetworkManager/conf.d/ can contain additional .conf
# snippets. Those snippets are merged last and overwrite the settings from this main
# file.
#
# The files within one conf.d/ directory are read in asciibetical order.
#
# You can prevent loading a file /usr/lib/NetworkManager/conf.d/NAME.conf
# by having a file NAME.conf in either /run/NetworkManager/conf.d/ or /etc/NetworkManager/conf.d/.
# Likewise, snippets from /run can be prevented from loading by placing
# a file with the same name in /etc/NetworkManager/conf.d/.
#
# If two files define the same key, the one that is read afterwards will overwrite
# the previous one.
[main]
#plugins=keyfile,ifcfg-rh
[logging]
# When debugging NetworkManager, enabling debug logging is of great help.
#
# Logfiles contain no passwords and little sensitive information. But please
# check before posting the file online. You can also personally hand over the
# logfile to a NM developer to treat it confidential. Meet us on #nm on Libera.Chat.
#
# You can also change the log-level at runtime via
# $ nmcli general logging level TRACE domains ALL
# However, usually it's cleaner to enable debug logging
# in the configuration and restart NetworkManager so that
# debug logging is enabled from the start.
#
# You will find the logfiles in syslog, for example via
# $ journalctl -u NetworkManager
#
# Please post full logfiles for bug reports without pre-filtering or truncation.
# Also, for debugging the entire `journalctl` output can be interesting. Don't
# limit unnecessarily with `journalctl -u`. Exceptions are if you are worried
# about private data. Check before posting logfiles!
#
# Note that debug logging of NetworkManager can be quite verbose. Some messages
# might be rate-limited by the logging daemon (see RateLimitIntervalSec, RateLimitBurst
# in man journald.conf). Please disable rate-limiting before collecting debug logs!
#
#level=TRACE
#domains=ALL

3937
SPECS/NetworkManager.spec Normal file
View File

File diff suppressed because it is too large Load Diff