Compare commits

...

No commits in common. "c8" and "c9" have entirely different histories.
c8 ... c9

32 changed files with 1926 additions and 6947 deletions

View File

@ -1 +1 @@
c803db8a3480ed683e8f24424b38b08bb295013d SOURCES/NetworkManager-1.40.16.tar.xz
3c11d700a2e81a7abce285ab94d015ac966f59d3 SOURCES/NetworkManager-1.46.0.tar.xz

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/NetworkManager-1.40.16.tar.xz
SOURCES/NetworkManager-1.46.0.tar.xz

View File

@ -1,37 +0,0 @@
From 45f33b5379c41f34fb1a27452e5f62e2d571e85e Mon Sep 17 00:00:00 2001
From: Thomas Haller <thaller@redhat.com>
Date: Thu, 16 Jan 2020 13:40:26 +0100
Subject: [PATCH] cloud-setup: avoid unsupported systemd settings in
nm-cloud-setup.service init for rhel-8.2
https://bugzilla.redhat.com/show_bug.cgi?id=1791758
---
src/nm-cloud-setup/nm-cloud-setup.service.in | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/nm-cloud-setup/nm-cloud-setup.service.in b/src/nm-cloud-setup/nm-cloud-setup.service.in
index f4b0e2638f14..c59bd47574ba 100644
--- a/src/nm-cloud-setup/nm-cloud-setup.service.in
+++ b/src/nm-cloud-setup/nm-cloud-setup.service.in
@@ -28,15 +28,15 @@ PrivateDevices=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=yes
-ProtectHostname=yes
-ProtectKernelLogs=yes
+#ProtectHostname=yes
+#ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
-RestrictSUIDSGID=yes
+#RestrictSUIDSGID=yes
SystemCallFilter=@system-service
[Install]
--
2.31.1

View File

@ -0,0 +1,61 @@
diff --git a/src/core/devices/nm-device.c b/src/core/devices/nm-device.c
index 16f8e1f261..036233e668 100644
--- a/src/core/devices/nm-device.c
+++ b/src/core/devices/nm-device.c
@@ -1661,7 +1661,7 @@ _prop_get_ipv4_dad_timeout(NMDevice *self)
self,
0,
NM_SETTING_IP_CONFIG_DAD_TIMEOUT_MAX,
- 200);
+ 0);
}
static guint32
diff --git a/src/libnm-core-impl/nm-setting-ip-config.c b/src/libnm-core-impl/nm-setting-ip-config.c
index bfebe7d13d..de56ed74ea 100644
--- a/src/libnm-core-impl/nm-setting-ip-config.c
+++ b/src/libnm-core-impl/nm-setting-ip-config.c
@@ -6655,7 +6655,7 @@ nm_setting_ip_config_class_init(NMSettingIPConfigClass *klass)
*
* A zero value means that no duplicate address detection is performed, -1 means
* the default value (either the value configured globally in NetworkManger.conf
- * or 200ms). A value greater than zero is a timeout in milliseconds. Note that
+ * or zero). A value greater than zero is a timeout in milliseconds. Note that
* the time intervals are subject to randomization as per RFC 5227 and so the
* actual duration can be between half and the full time specified in this
* property.
diff --git a/src/libnmc-setting/settings-docs.h.in b/src/libnmc-setting/settings-docs.h.in
index 77cde6620e..e42cb74e7f 100644
--- a/src/libnmc-setting/settings-docs.h.in
+++ b/src/libnmc-setting/settings-docs.h.in
@@ -162,7 +162,7 @@
#define DESCRIBE_DOC_NM_SETTING_INFINIBAND_TRANSPORT_MODE N_("The IP-over-InfiniBand transport mode. Either \"datagram\" or \"connected\".")
#define DESCRIBE_DOC_NM_SETTING_IP4_CONFIG_ADDRESSES N_("A list of IPv4 addresses and their prefix length. Multiple addresses can be separated by comma. For example \"192.168.1.5/24, 10.1.0.5/24\". The addresses are listed in decreasing priority, meaning the first address will be the primary address.")
#define DESCRIBE_DOC_NM_SETTING_IP4_CONFIG_AUTO_ROUTE_EXT_GW N_("VPN connections will default to add the route automatically unless this setting is set to FALSE. For other connection types, adding such an automatic route is currently not supported and setting this to TRUE has no effect.")
-#define DESCRIBE_DOC_NM_SETTING_IP4_CONFIG_DAD_TIMEOUT N_("Maximum timeout in milliseconds used to check for the presence of duplicate IP addresses on the network. If an address conflict is detected, the activation will fail. The property is currently implemented only for IPv4. A zero value means that no duplicate address detection is performed, -1 means the default value (either the value configured globally in NetworkManger.conf or 200ms). A value greater than zero is a timeout in milliseconds. Note that the time intervals are subject to randomization as per RFC 5227 and so the actual duration can be between half and the full time specified in this property.")
+#define DESCRIBE_DOC_NM_SETTING_IP4_CONFIG_DAD_TIMEOUT N_("Maximum timeout in milliseconds used to check for the presence of duplicate IP addresses on the network. If an address conflict is detected, the activation will fail. The property is currently implemented only for IPv4. A zero value means that no duplicate address detection is performed, -1 means the default value (either the value configured globally in NetworkManger.conf or zero). A value greater than zero is a timeout in milliseconds. Note that the time intervals are subject to randomization as per RFC 5227 and so the actual duration can be between half and the full time specified in this property.")
#define DESCRIBE_DOC_NM_SETTING_IP4_CONFIG_DHCP_CLIENT_ID N_("A string sent to the DHCP server to identify the local machine which the DHCP server may use to customize the DHCP lease and options. When the property is a hex string ('aa:bb:cc') it is interpreted as a binary client ID, in which case the first byte is assumed to be the 'type' field as per RFC 2132 section 9.14 and the remaining bytes may be an hardware address (e.g. '01:xx:xx:xx:xx:xx:xx' where 1 is the Ethernet ARP type and the rest is a MAC address). If the property is not a hex string it is considered as a non-hardware-address client ID and the 'type' field is set to 0. The special values \"mac\" and \"perm-mac\" are supported, which use the current or permanent MAC address of the device to generate a client identifier with type ethernet (01). Currently, these options only work for ethernet type of links. The special value \"ipv6-duid\" uses the DUID from \"ipv6.dhcp-duid\" property as an RFC4361-compliant client identifier. As IAID it uses \"ipv4.dhcp-iaid\" and falls back to \"ipv6.dhcp-iaid\" if unset. The special value \"duid\" generates a RFC4361-compliant client identifier based on \"ipv4.dhcp-iaid\" and uses a DUID generated by hashing /etc/machine-id. The special value \"stable\" is supported to generate a type 0 client identifier based on the stable-id (see connection.stable-id) and a per-host key. If you set the stable-id, you may want to include the \"${DEVICE}\" or \"${MAC}\" specifier to get a per-device key. The special value \"none\" prevents any client identifier from being sent. Note that this is normally not recommended. If unset, a globally configured default from NetworkManager.conf is used. If still unset, the default depends on the DHCP plugin. The internal dhcp client will default to \"mac\" and the dhclient plugin will try to use one from its config file if present, or won't sent any client-id otherwise.")
#define DESCRIBE_DOC_NM_SETTING_IP4_CONFIG_DHCP_DSCP N_("Specifies the value for the DSCP field (traffic class) of the IP header. When empty, the global default value is used; if no global default is specified, it is assumed to be \"CS0\". Allowed values are: \"CS0\", \"CS4\" and \"CS6\". The property is currently valid only for IPv4, and it is supported only by the \"internal\" DHCP plugin.")
#define DESCRIBE_DOC_NM_SETTING_IP4_CONFIG_DHCP_FQDN N_("If the \"dhcp-send-hostname\" property is TRUE, then the specified FQDN will be sent to the DHCP server when acquiring a lease. This property and \"dhcp-hostname\" are mutually exclusive and cannot be set at the same time.")
@@ -192,7 +192,7 @@
#define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_ADDR_GEN_MODE N_("Configure method for creating the IPv6 interface identifer of addresses with RFC4862 IPv6 Stateless Address Autoconfiguration and Link Local addresses. The permitted values are: \"eui64\" (0), \"stable-privacy\" (1), \"default\" (3) or \"default-or-eui64\" (2). If the property is set to \"eui64\", the addresses will be generated using the interface token derived from hardware address. This makes the host part of the address to stay constant, making it possible to track the host's presence when it changes networks. The address changes when the interface hardware is replaced. If a duplicate address is detected, there is also no fallback to generate another address. When configured, the \"ipv6.token\" is used instead of the MAC address to generate addresses for stateless autoconfiguration. If the property is set to \"stable-privacy\", the interface identifier is generated as specified by RFC7217. This works by hashing a host specific key (see NetworkManager(8) manual), the interface name, the connection's \"connection.stable-id\" property and the address prefix. This improves privacy by making it harder to use the address to track the host's presence and the address is stable when the network interface hardware is replaced. The special values \"default\" and \"default-or-eui64\" will fallback to the global connection default as documented in the NetworkManager.conf(5) manual. If the global default is not specified, the fallback value is \"stable-privacy\" or \"eui64\", respectively. If not specified, when creating a new profile the default is \"default\". Note that this setting is distinct from the Privacy Extensions as configured by \"ip6-privacy\" property and it does not affect the temporary addresses configured with this option.")
#define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_ADDRESSES N_("A list of IPv6 addresses and their prefix length. Multiple addresses can be separated by comma. For example \"2001:db8:85a3::8a2e:370:7334/64, 2001:db8:85a3::5/64\". The addresses are listed in decreasing priority, meaning the first address will be the primary address. This can make a difference with IPv6 source address selection (RFC 6724, section 5).")
#define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_AUTO_ROUTE_EXT_GW N_("VPN connections will default to add the route automatically unless this setting is set to FALSE. For other connection types, adding such an automatic route is currently not supported and setting this to TRUE has no effect.")
-#define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_DAD_TIMEOUT N_("Maximum timeout in milliseconds used to check for the presence of duplicate IP addresses on the network. If an address conflict is detected, the activation will fail. The property is currently implemented only for IPv4. A zero value means that no duplicate address detection is performed, -1 means the default value (either the value configured globally in NetworkManger.conf or 200ms). A value greater than zero is a timeout in milliseconds. Note that the time intervals are subject to randomization as per RFC 5227 and so the actual duration can be between half and the full time specified in this property.")
+#define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_DAD_TIMEOUT N_("Maximum timeout in milliseconds used to check for the presence of duplicate IP addresses on the network. If an address conflict is detected, the activation will fail. The property is currently implemented only for IPv4. A zero value means that no duplicate address detection is performed, -1 means the default value (either the value configured globally in NetworkManger.conf or zero). A value greater than zero is a timeout in milliseconds. Note that the time intervals are subject to randomization as per RFC 5227 and so the actual duration can be between half and the full time specified in this property.")
#define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_DHCP_DSCP N_("Specifies the value for the DSCP field (traffic class) of the IP header. When empty, the global default value is used; if no global default is specified, it is assumed to be \"CS0\". Allowed values are: \"CS0\", \"CS4\" and \"CS6\". The property is currently valid only for IPv4, and it is supported only by the \"internal\" DHCP plugin.")
#define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_DHCP_DUID N_("A string containing the DHCPv6 Unique Identifier (DUID) used by the dhcp client to identify itself to DHCPv6 servers (RFC 3315). The DUID is carried in the Client Identifier option. If the property is a hex string ('aa:bb:cc') it is interpreted as a binary DUID and filled as an opaque value in the Client Identifier option. The special value \"lease\" will retrieve the DUID previously used from the lease file belonging to the connection. If no DUID is found and \"dhclient\" is the configured dhcp client, the DUID is searched in the system-wide dhclient lease file. If still no DUID is found, or another dhcp client is used, a global and permanent DUID-UUID (RFC 6355) will be generated based on the machine-id. The special values \"llt\" and \"ll\" will generate a DUID of type LLT or LL (see RFC 3315) based on the current MAC address of the device. In order to try providing a stable DUID-LLT, the time field will contain a constant timestamp that is used globally (for all profiles) and persisted to disk. The special values \"stable-llt\", \"stable-ll\" and \"stable-uuid\" will generate a DUID of the corresponding type, derived from the connection's stable-id and a per-host unique key. You may want to include the \"${DEVICE}\" or \"${MAC}\" specifier in the stable-id, in case this profile gets activated on multiple devices. So, the link-layer address of \"stable-ll\" and \"stable-llt\" will be a generated address derived from the stable id. The DUID-LLT time value in the \"stable-llt\" option will be picked among a static timespan of three years (the upper bound of the interval is the same constant timestamp used in \"llt\"). When the property is unset, the global value provided for \"ipv6.dhcp-duid\" is used. If no global value is provided, the default \"lease\" value is assumed.")
#define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_DHCP_HOSTNAME N_("If the \"dhcp-send-hostname\" property is TRUE, then the specified name will be sent to the DHCP server when acquiring a lease. This property and \"dhcp-fqdn\" are mutually exclusive and cannot be set at the same time.")
diff --git a/src/nmcli/gen-metadata-nm-settings-nmcli.xml.in b/src/nmcli/gen-metadata-nm-settings-nmcli.xml.in
index 8806bf2550..09648f3ff8 100644
--- a/src/nmcli/gen-metadata-nm-settings-nmcli.xml.in
+++ b/src/nmcli/gen-metadata-nm-settings-nmcli.xml.in
@@ -1337,7 +1337,7 @@
values="-1 - 2147483647"
special-values="default (-1), infinity (2147483647)" />
<property name="dad-timeout"
- nmcli-description="Maximum timeout in milliseconds used to check for the presence of duplicate IP addresses on the network. If an address conflict is detected, the activation will fail. The property is currently implemented only for IPv4. A zero value means that no duplicate address detection is performed, -1 means the default value (either the value configured globally in NetworkManger.conf or 200ms). A value greater than zero is a timeout in milliseconds. Note that the time intervals are subject to randomization as per RFC 5227 and so the actual duration can be between half and the full time specified in this property."
+ nmcli-description="Maximum timeout in milliseconds used to check for the presence of duplicate IP addresses on the network. If an address conflict is detected, the activation will fail. The property is currently implemented only for IPv4. A zero value means that no duplicate address detection is performed, -1 means the default value (either the value configured globally in NetworkManger.conf or zero). A value greater than zero is a timeout in milliseconds. Note that the time intervals are subject to randomization as per RFC 5227 and so the actual duration can be between half and the full time specified in this property."
format="integer"
values="-1 - 30000"
special-values="default (-1), off (0)" />

View File

@ -1,34 +0,0 @@
From af25d85a43eb2aa59a80c13aa214cbc5509b6815 Mon Sep 17 00:00:00 2001
From: Wen Liang <wenliang@redhat.com>
Date: Wed, 16 Jun 2021 22:43:32 +0200
Subject: [PATCH] firewall: Default to iptables backend to preserve behavior
For upsteam, the default is "nftables" (if nft is installed). On RHEL8, we will
always default to "iptables" to preserve behavior.
---
src/core/nm-firewall-utils.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/src/core/nm-firewall-utils.c b/src/core/nm-firewall-utils.c
index 1311f5039910..3284b5ebaa4b 100644
--- a/src/core/nm-firewall-utils.c
+++ b/src/core/nm-firewall-utils.c
@@ -743,12 +743,9 @@ nm_firewall_config_apply(NMFirewallConfig *self, gboolean shared)
static NMFirewallBackend
_firewall_backend_detect(void)
{
- if (g_file_test(NFT_PATH, G_FILE_TEST_IS_EXECUTABLE))
- return NM_FIREWALL_BACKEND_NFTABLES;
- if (g_file_test(IPTABLES_PATH, G_FILE_TEST_IS_EXECUTABLE))
- return NM_FIREWALL_BACKEND_IPTABLES;
-
- return NM_FIREWALL_BACKEND_NFTABLES;
+ /* For upsteam, the default is "nftables" (if nft is installed). On RHEL8, we will
+ * always default to "iptables" to preserve behavior. */
+ return NM_FIREWALL_BACKEND_IPTABLES;
}
NMFirewallBackend
--
2.31.1

View File

@ -1,75 +0,0 @@
From 94933a67129ea9d38010b58e4928ff41aa204692 Mon Sep 17 00:00:00 2001
From: Thomas Haller <thaller@redhat.com>
Date: Wed, 4 May 2022 15:22:33 +0200
Subject: [PATCH 1/1] Revert changes to order of static IPv6 addresses
Upstream 1.38.0 and newer changed behavior so that static addresses in
"ipv6.addresses" are sorted with most important first. That is then
consistent with "ipv4.addresses".
Revert this change for downstream RHEL.
https://bugzilla.redhat.com/show_bug.cgi?id=2097270
---
src/core/nm-l3-config-data.c | 3 ++-
src/libnm-core-impl/nm-setting-ip6-config.c | 2 +-
src/libnmc-setting/settings-docs.h.in | 2 +-
src/nmcli/generate-docs-nm-settings-nmcli.xml.in | 2 +-
4 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/core/nm-l3-config-data.c b/src/core/nm-l3-config-data.c
index bcd0b62a8488..4640acad3796 100644
--- a/src/core/nm-l3-config-data.c
+++ b/src/core/nm-l3-config-data.c
@@ -2753,7 +2753,8 @@ _init_from_connection_ip(NML3ConfigData *self, int addr_family, NMConnection *co
naddresses = nm_setting_ip_config_get_num_addresses(s_ip);
for (i = 0; i < naddresses; i++) {
- NMIPAddress *s_addr = nm_setting_ip_config_get_address(s_ip, i);
+ const guint addr_idx = IS_IPv4 ? i : (naddresses - i - 1);
+ NMIPAddress *s_addr = nm_setting_ip_config_get_address(s_ip, addr_idx);
NMPlatformIPXAddress a;
NMIPAddr addr_bin;
GVariant *label;
diff --git a/src/libnm-core-impl/nm-setting-ip6-config.c b/src/libnm-core-impl/nm-setting-ip6-config.c
index 8b593b97336a..0356888da324 100644
--- a/src/libnm-core-impl/nm-setting-ip6-config.c
+++ b/src/libnm-core-impl/nm-setting-ip6-config.c
@@ -998,7 +998,7 @@ nm_setting_ip6_config_class_init(NMSettingIP6ConfigClass *klass)
* format: a comma separated list of addresses
* description: A list of IPv6 addresses and their prefix length. Multiple addresses
* can be separated by comma. For example "2001:db8:85a3::8a2e:370:7334/64, 2001:db8:85a3::5/64".
- * The addresses are listed in decreasing priority, meaning the first address will
+ * The addresses are listed in increasing priority, meaning the last address will
* be the primary address. This can make a difference with IPv6 source address selection
* (RFC 6724, section 5).
* ---end---
diff --git a/src/libnmc-setting/settings-docs.h.in b/src/libnmc-setting/settings-docs.h.in
index 1ed2f134196b..18e1ed28fc39 100644
--- a/src/libnmc-setting/settings-docs.h.in
+++ b/src/libnmc-setting/settings-docs.h.in
@@ -184,7 +184,7 @@
#define DESCRIBE_DOC_NM_SETTING_IP4_CONFIG_ROUTES N_("A list of IPv4 destination addresses, prefix length, optional IPv4 next hop addresses, optional route metric, optional attribute. The valid syntax is: \"ip[/prefix] [next-hop] [metric] [attribute=val]...[,ip[/prefix]...]\". For example \"192.0.2.0/24 10.1.1.1 77, 198.51.100.0/24\".")
#define DESCRIBE_DOC_NM_SETTING_IP4_CONFIG_ROUTING_RULES N_("A comma separated list of routing rules for policy routing.")
#define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_ADDR_GEN_MODE N_("Configure method for creating the address for use with RFC4862 IPv6 Stateless Address Autoconfiguration. The permitted values are: NM_SETTING_IP6_CONFIG_ADDR_GEN_MODE_EUI64 (0), NM_SETTING_IP6_CONFIG_ADDR_GEN_MODE_STABLE_PRIVACY (1). NM_SETTING_IP6_CONFIG_ADDR_GEN_MODE_DEFAULT_OR_EUI64 (2) or NM_SETTING_IP6_CONFIG_ADDR_GEN_MODE_DEFAULT (3). If the property is set to EUI64, the addresses will be generated using the interface tokens derived from hardware address. This makes the host part of the address to stay constant, making it possible to track host's presence when it changes networks. The address changes when the interface hardware is replaced. The value of stable-privacy enables use of cryptographically secure hash of a secret host-specific key along with the connection's stable-id and the network address as specified by RFC7217. This makes it impossible to use the address track host's presence, and makes the address stable when the network interface hardware is replaced. The special values \"default\" and \"default-or-eui64\" will fallback to the global connection default in as documented in NetworkManager.conf(5) manual. If the global default is not specified, the fallback value is \"stable-privacy\" or \"eui64\", respectively. For libnm, the property defaults to \"default\" since 1.40. Previously it defaulted to \"stable-privacy\". On D-Bus, the absence of an addr-gen-mode setting equals \"default\". For keyfile plugin, the absence of the setting on disk means \"default-or-eui64\" so that the property doesn't change on upgrade from older versions. Note that this setting is distinct from the Privacy Extensions as configured by \"ip6-privacy\" property and it does not affect the temporary addresses configured with this option.")
-#define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_ADDRESSES N_("A list of IPv6 addresses and their prefix length. Multiple addresses can be separated by comma. For example \"2001:db8:85a3::8a2e:370:7334/64, 2001:db8:85a3::5/64\". The addresses are listed in decreasing priority, meaning the first address will be the primary address. This can make a difference with IPv6 source address selection (RFC 6724, section 5).")
+#define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_ADDRESSES N_("A list of IPv6 addresses and their prefix length. Multiple addresses can be separated by comma. For example \"2001:db8:85a3::8a2e:370:7334/64, 2001:db8:85a3::5/64\". The addresses are listed in increasing priority, meaning the last address will be the primary address. This can make a difference with IPv6 source address selection (RFC 6724, section 5).")
#define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_DAD_TIMEOUT N_("Timeout in milliseconds used to check for the presence of duplicate IP addresses on the network. If an address conflict is detected, the activation will fail. A zero value means that no duplicate address detection is performed, -1 means the default value (either configuration ipvx.dad-timeout override or zero). A value greater than zero is a timeout in milliseconds. The property is currently implemented only for IPv4.")
#define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_DHCP_DUID N_("A string containing the DHCPv6 Unique Identifier (DUID) used by the dhcp client to identify itself to DHCPv6 servers (RFC 3315). The DUID is carried in the Client Identifier option. If the property is a hex string ('aa:bb:cc') it is interpreted as a binary DUID and filled as an opaque value in the Client Identifier option. The special value \"lease\" will retrieve the DUID previously used from the lease file belonging to the connection. If no DUID is found and \"dhclient\" is the configured dhcp client, the DUID is searched in the system-wide dhclient lease file. If still no DUID is found, or another dhcp client is used, a global and permanent DUID-UUID (RFC 6355) will be generated based on the machine-id. The special values \"llt\" and \"ll\" will generate a DUID of type LLT or LL (see RFC 3315) based on the current MAC address of the device. In order to try providing a stable DUID-LLT, the time field will contain a constant timestamp that is used globally (for all profiles) and persisted to disk. The special values \"stable-llt\", \"stable-ll\" and \"stable-uuid\" will generate a DUID of the corresponding type, derived from the connection's stable-id and a per-host unique key. You may want to include the \"${DEVICE}\" or \"${MAC}\" specifier in the stable-id, in case this profile gets activated on multiple devices. So, the link-layer address of \"stable-ll\" and \"stable-llt\" will be a generated address derived from the stable id. The DUID-LLT time value in the \"stable-llt\" option will be picked among a static timespan of three years (the upper bound of the interval is the same constant timestamp used in \"llt\"). When the property is unset, the global value provided for \"ipv6.dhcp-duid\" is used. If no global value is provided, the default \"lease\" value is assumed.")
#define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_DHCP_HOSTNAME N_("If the \"dhcp-send-hostname\" property is TRUE, then the specified name will be sent to the DHCP server when acquiring a lease. This property and \"dhcp-fqdn\" are mutually exclusive and cannot be set at the same time.")
diff --git a/src/nmcli/generate-docs-nm-settings-nmcli.xml.in b/src/nmcli/generate-docs-nm-settings-nmcli.xml.in
index 371081b0e0da..5c036ab60149 100644
--- a/src/nmcli/generate-docs-nm-settings-nmcli.xml.in
+++ b/src/nmcli/generate-docs-nm-settings-nmcli.xml.in
@@ -718,7 +718,7 @@
description="DNS servers priority. The relative priority for DNS servers specified by this setting. A lower numerical value is better (higher priority). Negative values have the special effect of excluding other configurations with a greater numerical priority value; so in presence of at least one negative priority, only DNS servers from connections with the lowest priority value will be used. To avoid all DNS leaks, set the priority of the profile that should be used to the most negative value of all active connections profiles. Zero selects a globally configured default value. If the latter is missing or zero too, it defaults to 50 for VPNs (including WireGuard) and 100 for other connections. Note that the priority is to order DNS settings for multiple active connections. It does not disambiguate multiple DNS servers within the same connection profile. When multiple devices have configurations with the same priority, VPNs will be considered first, then devices with the best (lowest metric) default route and then all other devices. When using dns=default, servers with higher priority will be on top of resolv.conf. To prioritize a given server over another one within the same connection, just specify them in the desired order. Note that commonly the resolver tries name servers in /etc/resolv.conf in the order listed, proceeding with the next server in the list on failure. See for example the &quot;rotate&quot; option of the dns-options setting. If there are any negative DNS priorities, then only name servers from the devices with that lowest priority will be considered. When using a DNS resolver that supports Conditional Forwarding or Split DNS (with dns=dnsmasq or dns=systemd-resolved settings), each connection is used to query domains in its search list. The search domains determine which name servers to ask, and the DNS priority is used to prioritize name servers based on the domain. Queries for domains not present in any search list are routed through connections having the &apos;~.&apos; special wildcard domain, which is added automatically to connections with the default route (or can be added manually). When multiple connections specify the same domain, the one with the best priority (lowest numerical value) wins. If a sub domain is configured on another interface it will be accepted regardless the priority, unless parent domain on the other interface has a negative priority, which causes the sub domain to be shadowed. With Split DNS one can avoid undesired DNS leaks by properly configuring DNS priorities and the search domains, so that only name servers of the desired interface are configured." />
<property name="addresses"
alias="ip6"
- description="A list of IPv6 addresses and their prefix length. Multiple addresses can be separated by comma. For example &quot;2001:db8:85a3::8a2e:370:7334/64, 2001:db8:85a3::5/64&quot;. The addresses are listed in decreasing priority, meaning the first address will be the primary address. This can make a difference with IPv6 source address selection (RFC 6724, section 5)." />
+ description="A list of IPv6 addresses and their prefix length. Multiple addresses can be separated by comma. For example &quot;2001:db8:85a3::8a2e:370:7334/64, 2001:db8:85a3::5/64&quot;. The addresses are listed in increasing priority, meaning the last address will be the primary address. This can make a difference with IPv6 source address selection (RFC 6724, section 5)." />
<property name="gateway"
alias="gw6"
description="The gateway associated with this configuration. This is only meaningful if &quot;addresses&quot; is also set. Setting the gateway causes NetworkManager to configure a standard default route with the gateway as next hop. This is ignored if &quot;never-default&quot; is set. An alternative is to configure the default route explicitly with a manual route and /0 as prefix length. Note that the gateway usually conflicts with routing that NetworkManager configures for WireGuard interfaces, so usually it should not be set in that case. See &quot;ip4-auto-default-route&quot;." />
--
2.36.1

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,25 @@
From 6e84d852487f070ab3f61c24d78fc05338f171f6 Mon Sep 17 00:00:00 2001
From: Fernando Fernandez Mancera <ffmancera@riseup.net>
Date: Wed, 20 Mar 2024 19:10:45 +0100
Subject: [PATCH] cloud: drop PrivateUsers directive from nm-cloud-setup
https://issues.redhat.com/browse/RHEL-27503
---
src/nm-cloud-setup/nm-cloud-setup.service.in | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/nm-cloud-setup/nm-cloud-setup.service.in b/src/nm-cloud-setup/nm-cloud-setup.service.in
index e73654d892..4aa6017e48 100644
--- a/src/nm-cloud-setup/nm-cloud-setup.service.in
+++ b/src/nm-cloud-setup/nm-cloud-setup.service.in
@@ -28,7 +28,6 @@ MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
-PrivateUsers=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
--
2.44.0

View File

@ -0,0 +1,235 @@
From ba47f23b08bb59ec2daf6bce73a94182d8028c82 Mon Sep 17 00:00:00 2001
From: Gris Ge <fge@redhat.com>
Date: Wed, 13 Mar 2024 20:52:37 +0800
Subject: [PATCH] checkpoint: Allow rollback on internal global DNS
With `NM_CHECKPOINT_CREATE_FLAG_TRACK_INTERNAL_GLOBAL_DNS` flag set on
checkpoint creation, the checkpoint rollback will restore the
global DNS in internal configure file
`/var/lib/NetworkManager/NetworkManager-intern.conf`.
If user has set global DNS in /etc folder, this flag will not take any
effect.
Resolves: https://issues.redhat.com/browse/RHEL-23446
Signed-off-by: Gris Ge <fge@redhat.com>
(cherry picked from commit 86d67da28dd047a08a01687d8154b377d1c25b4c)
(cherry picked from commit 69d5761fa87bb85df037ad9044c03dd1922d3ee4)
---
src/core/nm-checkpoint.c | 28 ++++++++++++++
src/core/nm-config-data.c | 47 +++++++++++++++++++++++
src/core/nm-config-data.h | 3 +-
src/core/nm-manager.c | 11 +++++-
src/core/nm-manager.h | 3 ++
src/libnm-core-public/nm-dbus-interface.h | 6 +++
6 files changed, 96 insertions(+), 2 deletions(-)
diff --git a/src/core/nm-checkpoint.c b/src/core/nm-checkpoint.c
index 74adf48477..cc5c189bf9 100644
--- a/src/core/nm-checkpoint.c
+++ b/src/core/nm-checkpoint.c
@@ -13,6 +13,7 @@
#include "nm-core-utils.h"
#include "nm-dbus-interface.h"
#include "devices/nm-device.h"
+#include "nm-config.h"
#include "nm-manager.h"
#include "settings/nm-settings.h"
#include "settings/nm-settings-connection.h"
@@ -55,6 +56,8 @@ struct _NMCheckpointPrivate {
NMCheckpointTimeoutCallback timeout_cb;
gpointer timeout_data;
+
+ NMGlobalDnsConfig *global_dns_config;
};
struct _NMCheckpointClass {
@@ -491,6 +494,17 @@ next_dev:
}
}
}
+ if (NM_FLAGS_HAS(priv->flags, NM_CHECKPOINT_CREATE_FLAG_TRACK_INTERNAL_GLOBAL_DNS)
+ && priv->global_dns_config) {
+ gs_free_error GError *error = NULL;
+ NMConfig *config;
+
+ config = nm_manager_get_config(priv->manager);
+ nm_assert(config);
+ if (!nm_config_set_global_dns(config, priv->global_dns_config, &error)) {
+ _LOGE("set global DNS failed with error: %s", error->message);
+ }
+ }
return g_variant_new("(a{su})", &builder);
}
@@ -742,6 +756,19 @@ nm_checkpoint_new(NMManager *manager,
NM_MANAGER_DEVICE_REMOVED,
G_CALLBACK(_device_removed),
self);
+ if (NM_FLAGS_HAS(flags, NM_CHECKPOINT_CREATE_FLAG_TRACK_INTERNAL_GLOBAL_DNS)) {
+ NMConfigData *config_data;
+ NMGlobalDnsConfig *dns_config = NULL;
+
+ config_data = nm_config_get_data(nm_manager_get_config(manager));
+ if (config_data) {
+ dns_config = nm_config_data_get_global_dns_config(config_data);
+ if (!dns_config || nm_global_dns_config_is_internal(dns_config)) {
+ priv->global_dns_config = nm_global_dns_config_clone(dns_config);
+ }
+ }
+ }
+
return self;
}
@@ -756,6 +783,7 @@ dispose(GObject *object)
nm_clear_pointer(&priv->devices, g_hash_table_unref);
nm_clear_pointer(&priv->connection_uuids, g_hash_table_unref);
nm_clear_pointer(&priv->removed_devices, g_ptr_array_unref);
+ nm_global_dns_config_free(priv->global_dns_config);
nm_clear_g_signal_handler(priv->manager, &priv->dev_removed_id);
g_clear_object(&priv->manager);
diff --git a/src/core/nm-config-data.c b/src/core/nm-config-data.c
index 468e56b821..d4498edd88 100644
--- a/src/core/nm-config-data.c
+++ b/src/core/nm-config-data.c
@@ -2436,3 +2436,50 @@ nm_config_data_class_init(NMConfigDataClass *config_class)
g_object_class_install_properties(object_class, _PROPERTY_ENUMS_LAST, obj_properties);
}
+
+static NMGlobalDnsDomain *
+nm_global_dns_domain_clone(NMGlobalDnsDomain *old_domain)
+{
+ if (old_domain) {
+ NMGlobalDnsDomain *new_domain = g_malloc0(sizeof(NMGlobalDnsDomain));
+ new_domain->name = g_strdup(old_domain->name);
+ new_domain->servers = (char **) nm_strv_dup(old_domain->servers, -1, TRUE);
+ new_domain->options = (char **) nm_strv_dup(old_domain->options, -1, TRUE);
+ return new_domain;
+ } else {
+ return NULL;
+ }
+}
+
+NMGlobalDnsConfig *
+nm_global_dns_config_clone(NMGlobalDnsConfig *old_dns_config)
+{
+ NMGlobalDnsConfig *new_dns_config;
+ gpointer key, value;
+ NMGlobalDnsDomain *old_domain;
+ GHashTableIter iter;
+
+ new_dns_config = g_malloc0(sizeof(NMGlobalDnsConfig));
+ new_dns_config->internal = TRUE;
+
+ if (old_dns_config) {
+ new_dns_config->internal = old_dns_config->internal;
+ new_dns_config->searches = nm_strv_dup(old_dns_config->searches, -1, TRUE);
+ new_dns_config->options = nm_strv_dup(old_dns_config->options, -1, TRUE);
+ new_dns_config->domains = g_hash_table_new_full(nm_str_hash,
+ g_str_equal,
+ g_free,
+ (GDestroyNotify) global_dns_domain_free);
+ if (old_dns_config->domains) {
+ g_hash_table_iter_init(&iter, old_dns_config->domains);
+ while (g_hash_table_iter_next(&iter, &key, &value)) {
+ old_domain = value;
+ g_hash_table_insert(new_dns_config->domains,
+ g_strdup(key),
+ nm_global_dns_domain_clone(old_domain));
+ }
+ }
+ global_dns_config_seal_domains(new_dns_config);
+ }
+ return new_dns_config;
+}
diff --git a/src/core/nm-config-data.h b/src/core/nm-config-data.h
index 9e7a50fc24..0344ce9055 100644
--- a/src/core/nm-config-data.h
+++ b/src/core/nm-config-data.h
@@ -280,7 +280,8 @@ int nm_global_dns_config_cmp(const NMGlobalDnsConfig *a,
const NMGlobalDnsConfig *b,
gboolean check_internal);
void nm_global_dns_config_update_checksum(const NMGlobalDnsConfig *dns_config, GChecksum *sum);
-void nm_global_dns_config_free(NMGlobalDnsConfig *dns_config);
+NMGlobalDnsConfig *nm_global_dns_config_clone(NMGlobalDnsConfig *dns_config);
+void nm_global_dns_config_free(NMGlobalDnsConfig *dns_config);
NMGlobalDnsConfig *nm_global_dns_config_from_dbus(const GValue *value, GError **error);
void nm_global_dns_config_to_dbus(const NMGlobalDnsConfig *dns_config, GValue *value);
diff --git a/src/core/nm-manager.c b/src/core/nm-manager.c
index 730ba4763b..6739e5599e 100644
--- a/src/core/nm-manager.c
+++ b/src/core/nm-manager.c
@@ -8458,7 +8458,8 @@ impl_manager_checkpoint_create(NMDBusObject *obj,
| NM_CHECKPOINT_CREATE_FLAG_DELETE_NEW_CONNECTIONS
| NM_CHECKPOINT_CREATE_FLAG_DISCONNECT_NEW_DEVICES
| NM_CHECKPOINT_CREATE_FLAG_ALLOW_OVERLAPPING
- | NM_CHECKPOINT_CREATE_FLAG_NO_PRESERVE_EXTERNAL_PORTS)))) {
+ | NM_CHECKPOINT_CREATE_FLAG_NO_PRESERVE_EXTERNAL_PORTS
+ | NM_CHECKPOINT_CREATE_FLAG_TRACK_INTERNAL_GLOBAL_DNS)))) {
g_dbus_method_invocation_return_error_literal(invocation,
NM_MANAGER_ERROR,
NM_MANAGER_ERROR_INVALID_ARGUMENTS,
@@ -9765,3 +9766,11 @@ nm_manager_class_init(NMManagerClass *manager_class)
1,
NM_TYPE_DEVICE);
}
+
+NMConfig *
+nm_manager_get_config(NMManager *self)
+{
+ NMManagerPrivate *priv = NM_MANAGER_GET_PRIVATE(self);
+
+ return priv->config;
+}
diff --git a/src/core/nm-manager.h b/src/core/nm-manager.h
index 3028eb7ebe..3c5213c4f2 100644
--- a/src/core/nm-manager.h
+++ b/src/core/nm-manager.h
@@ -10,6 +10,7 @@
#include "settings/nm-settings-connection.h"
#include "c-list/src/c-list.h"
#include "nm-dbus-manager.h"
+#include "nm-config-data.h"
#define NM_TYPE_MANAGER (nm_manager_get_type())
#define NM_MANAGER(obj) (_NM_G_TYPE_CHECK_INSTANCE_CAST((obj), NM_TYPE_MANAGER, NMManager))
@@ -266,4 +267,6 @@ gboolean nm_manager_devcon_autoconnect_blocked_reason_set(NMManager *
NMSettingsAutoconnectBlockedReason value,
gboolean set);
+NMConfig *nm_manager_get_config(NMManager *self);
+
#endif /* __NETWORKMANAGER_MANAGER_H__ */
diff --git a/src/libnm-core-public/nm-dbus-interface.h b/src/libnm-core-public/nm-dbus-interface.h
index 66cd590d6c..ab94244c21 100644
--- a/src/libnm-core-public/nm-dbus-interface.h
+++ b/src/libnm-core-public/nm-dbus-interface.h
@@ -991,6 +991,11 @@ typedef enum {
* With this flag, the rollback detaches all external ports.
* This only has an effect for bridge ports. Before 1.38, this was the default
* behavior. Since: 1.38.
+ * @NM_CHECKPOINT_CREATE_FLAG_TRACK_INTERNAL_GLOBAL_DNS: during rollback,
+ * by default changes to global DNS via D-BUS interface are preserved.
+ * With this flag, the rollback reverts the global DNS changes made via D-Bus
+ * interface. Global DNS defined in [global-dns] section of
+ * NetworkManager.conf is not impacted by this flag. Since: 1.48.
*
* The flags for CheckpointCreate call
*
@@ -1003,6 +1008,7 @@ typedef enum /*< flags >*/ {
NM_CHECKPOINT_CREATE_FLAG_DISCONNECT_NEW_DEVICES = 0x04,
NM_CHECKPOINT_CREATE_FLAG_ALLOW_OVERLAPPING = 0x08,
NM_CHECKPOINT_CREATE_FLAG_NO_PRESERVE_EXTERNAL_PORTS = 0x10,
+ NM_CHECKPOINT_CREATE_FLAG_TRACK_INTERNAL_GLOBAL_DNS = 0x20,
} NMCheckpointCreateFlags;
/**
--
2.44.0

View File

@ -1,104 +0,0 @@
From 53a9c6027f739daf8f49e2180e4ac51f73eae697 Mon Sep 17 00:00:00 2001
From: Fernando Fernandez Mancera <ffmancera@riseup.net>
Date: Tue, 21 Mar 2023 16:39:38 +0000
Subject: [PATCH] dns: add support to no-aaaa option
Users can set `no-aaaa` DNS option to suppress AAAA queries made by the
stub resolver, including AAAA lookups triggered by NSS-based interfaces
such as getaddrinfo. Only DNS lookups are affected.
(cherry picked from commit 9d4bbf78f0b3a80eec9115663bd9db2c6460b369)
(cherry picked from commit f71cd2eb72d97ee9119e812bba7bbd581c587114)
(cherry picked from commit 920ab658b259d940072c61ae43f7013bbb431440)
---
src/libnm-core-impl/nm-setting-ip-config.c | 8 +++++---
src/libnm-core-public/nm-setting-ip-config.h | 1 +
src/libnmc-setting/settings-docs.h.in | 4 ++--
src/nmcli/generate-docs-nm-settings-nmcli.xml.in | 4 ++--
4 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/src/libnm-core-impl/nm-setting-ip-config.c b/src/libnm-core-impl/nm-setting-ip-config.c
index c8fc461396..0e163094f5 100644
--- a/src/libnm-core-impl/nm-setting-ip-config.c
+++ b/src/libnm-core-impl/nm-setting-ip-config.c
@@ -51,6 +51,7 @@ const NMUtilsDNSOptionDesc _nm_utils_dns_option_descs[] = {
{NM_SETTING_DNS_OPTION_USE_VC, FALSE, FALSE},
{NM_SETTING_DNS_OPTION_NO_RELOAD, FALSE, FALSE},
{NM_SETTING_DNS_OPTION_TRUST_AD, FALSE, FALSE},
+ {NM_SETTING_DNS_OPTION_NO_AAAA, FALSE, FALSE},
{NULL, FALSE, FALSE}};
static char *
@@ -6202,9 +6203,10 @@ nm_setting_ip_config_class_init(NMSettingIPConfigClass *klass)
* distinct from an empty list of properties.
*
* The currently supported options are "attempts", "debug", "edns0",
- * "inet6", "ip6-bytestring", "ip6-dotint", "ndots", "no-check-names",
- * "no-ip6-dotint", "no-reload", "no-tld-query", "rotate", "single-request",
- * "single-request-reopen", "timeout", "trust-ad", "use-vc".
+ * "inet6", "ip6-bytestring", "ip6-dotint", "ndots", "no-aaaa",
+ * "no-check-names", "no-ip6-dotint", "no-reload", "no-tld-query",
+ * "rotate", "single-request", "single-request-reopen", "timeout",
+ * "trust-ad", "use-vc".
*
* The "trust-ad" setting is only honored if the profile contributes
* name servers to resolv.conf, and if all contributing profiles have
diff --git a/src/libnm-core-public/nm-setting-ip-config.h b/src/libnm-core-public/nm-setting-ip-config.h
index acbdec0f61..b42c56a8f3 100644
--- a/src/libnm-core-public/nm-setting-ip-config.h
+++ b/src/libnm-core-public/nm-setting-ip-config.h
@@ -359,6 +359,7 @@ char *nm_ip_routing_rule_to_string(const NMIPRoutingRule *self,
#define NM_SETTING_DNS_OPTION_USE_VC "use-vc"
#define NM_SETTING_DNS_OPTION_NO_RELOAD "no-reload"
#define NM_SETTING_DNS_OPTION_TRUST_AD "trust-ad"
+#define NM_SETTING_DNS_OPTION_NO_AAAA "no-aaaa"
typedef struct _NMSettingIPConfigClass NMSettingIPConfigClass;
diff --git a/src/libnmc-setting/settings-docs.h.in b/src/libnmc-setting/settings-docs.h.in
index 35dfa49f00..62edc77f6b 100644
--- a/src/libnmc-setting/settings-docs.h.in
+++ b/src/libnmc-setting/settings-docs.h.in
@@ -168,7 +168,7 @@
#define DESCRIBE_DOC_NM_SETTING_IP4_CONFIG_DHCP_TIMEOUT N_("A timeout for a DHCP transaction in seconds. If zero (the default), a globally configured default is used. If still unspecified, a device specific timeout is used (usually 45 seconds). Set to 2147483647 (MAXINT32) for infinity.")
#define DESCRIBE_DOC_NM_SETTING_IP4_CONFIG_DHCP_VENDOR_CLASS_IDENTIFIER N_("The Vendor Class Identifier DHCP option (60). Special characters in the data string may be escaped using C-style escapes, nevertheless this property cannot contain nul bytes. If the per-profile value is unspecified (the default), a global connection default gets consulted. If still unspecified, the DHCP option is not sent to the server.")
#define DESCRIBE_DOC_NM_SETTING_IP4_CONFIG_DNS N_("Array of IP addresses of DNS servers.")
-#define DESCRIBE_DOC_NM_SETTING_IP4_CONFIG_DNS_OPTIONS N_("Array of DNS options as described in man 5 resolv.conf. NULL means that the options are unset and left at the default. In this case NetworkManager will use default options. This is distinct from an empty list of properties. The currently supported options are \"attempts\", \"debug\", \"edns0\", \"inet6\", \"ip6-bytestring\", \"ip6-dotint\", \"ndots\", \"no-check-names\", \"no-ip6-dotint\", \"no-reload\", \"no-tld-query\", \"rotate\", \"single-request\", \"single-request-reopen\", \"timeout\", \"trust-ad\", \"use-vc\". The \"trust-ad\" setting is only honored if the profile contributes name servers to resolv.conf, and if all contributing profiles have \"trust-ad\" enabled. When using a caching DNS plugin (dnsmasq or systemd-resolved in NetworkManager.conf) then \"edns0\" and \"trust-ad\" are automatically added.")
+#define DESCRIBE_DOC_NM_SETTING_IP4_CONFIG_DNS_OPTIONS N_("Array of DNS options as described in man 5 resolv.conf. NULL means that the options are unset and left at the default. In this case NetworkManager will use default options. This is distinct from an empty list of properties. The currently supported options are \"attempts\", \"debug\", \"edns0\", \"inet6\", \"ip6-bytestring\", \"ip6-dotint\", \"ndots\", \"no-aaaa\", \"no-check-names\", \"no-ip6-dotint\", \"no-reload\", \"no-tld-query\", \"rotate\", \"single-request\", \"single-request-reopen\", \"timeout\", \"trust-ad\", \"use-vc\". The \"trust-ad\" setting is only honored if the profile contributes name servers to resolv.conf, and if all contributing profiles have \"trust-ad\" enabled. When using a caching DNS plugin (dnsmasq or systemd-resolved in NetworkManager.conf) then \"edns0\" and \"trust-ad\" are automatically added.")
#define DESCRIBE_DOC_NM_SETTING_IP4_CONFIG_DNS_PRIORITY N_("DNS servers priority. The relative priority for DNS servers specified by this setting. A lower numerical value is better (higher priority). Negative values have the special effect of excluding other configurations with a greater numerical priority value; so in presence of at least one negative priority, only DNS servers from connections with the lowest priority value will be used. To avoid all DNS leaks, set the priority of the profile that should be used to the most negative value of all active connections profiles. Zero selects a globally configured default value. If the latter is missing or zero too, it defaults to 50 for VPNs (including WireGuard) and 100 for other connections. Note that the priority is to order DNS settings for multiple active connections. It does not disambiguate multiple DNS servers within the same connection profile. When multiple devices have configurations with the same priority, VPNs will be considered first, then devices with the best (lowest metric) default route and then all other devices. When using dns=default, servers with higher priority will be on top of resolv.conf. To prioritize a given server over another one within the same connection, just specify them in the desired order. Note that commonly the resolver tries name servers in /etc/resolv.conf in the order listed, proceeding with the next server in the list on failure. See for example the \"rotate\" option of the dns-options setting. If there are any negative DNS priorities, then only name servers from the devices with that lowest priority will be considered. When using a DNS resolver that supports Conditional Forwarding or Split DNS (with dns=dnsmasq or dns=systemd-resolved settings), each connection is used to query domains in its search list. The search domains determine which name servers to ask, and the DNS priority is used to prioritize name servers based on the domain. Queries for domains not present in any search list are routed through connections having the '~.' special wildcard domain, which is added automatically to connections with the default route (or can be added manually). When multiple connections specify the same domain, the one with the best priority (lowest numerical value) wins. If a sub domain is configured on another interface it will be accepted regardless the priority, unless parent domain on the other interface has a negative priority, which causes the sub domain to be shadowed. With Split DNS one can avoid undesired DNS leaks by properly configuring DNS priorities and the search domains, so that only name servers of the desired interface are configured.")
#define DESCRIBE_DOC_NM_SETTING_IP4_CONFIG_DNS_SEARCH N_("List of DNS search domains. Domains starting with a tilde ('~') are considered 'routing' domains and are used only to decide the interface over which a query must be forwarded; they are not used to complete unqualified host names. When using a DNS plugin that supports Conditional Forwarding or Split DNS, then the search domains specify which name servers to query. This makes the behavior different from running with plain /etc/resolv.conf. For more information see also the dns-priority setting. When set on a profile that also enabled DHCP, the DNS search list received automatically (option 119 for DHCPv4 and option 24 for DHCPv6) gets merged with the manual list. This can be prevented by setting \"ignore-auto-dns\". Note that if no DNS searches are configured, the fallback will be derived from the domain from DHCP (option 15).")
#define DESCRIBE_DOC_NM_SETTING_IP4_CONFIG_GATEWAY N_("The gateway associated with this configuration. This is only meaningful if \"addresses\" is also set. Setting the gateway causes NetworkManager to configure a standard default route with the gateway as next hop. This is ignored if \"never-default\" is set. An alternative is to configure the default route explicitly with a manual route and /0 as prefix length. Note that the gateway usually conflicts with routing that NetworkManager configures for WireGuard interfaces, so usually it should not be set in that case. See \"ip4-auto-default-route\".")
@@ -194,7 +194,7 @@
#define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_DHCP_SEND_HOSTNAME N_("If TRUE, a hostname is sent to the DHCP server when acquiring a lease. Some DHCP servers use this hostname to update DNS databases, essentially providing a static hostname for the computer. If the \"dhcp-hostname\" property is NULL and this property is TRUE, the current persistent hostname of the computer is sent.")
#define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_DHCP_TIMEOUT N_("A timeout for a DHCP transaction in seconds. If zero (the default), a globally configured default is used. If still unspecified, a device specific timeout is used (usually 45 seconds). Set to 2147483647 (MAXINT32) for infinity.")
#define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_DNS N_("Array of IP addresses of DNS servers.")
-#define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_DNS_OPTIONS N_("Array of DNS options as described in man 5 resolv.conf. NULL means that the options are unset and left at the default. In this case NetworkManager will use default options. This is distinct from an empty list of properties. The currently supported options are \"attempts\", \"debug\", \"edns0\", \"inet6\", \"ip6-bytestring\", \"ip6-dotint\", \"ndots\", \"no-check-names\", \"no-ip6-dotint\", \"no-reload\", \"no-tld-query\", \"rotate\", \"single-request\", \"single-request-reopen\", \"timeout\", \"trust-ad\", \"use-vc\". The \"trust-ad\" setting is only honored if the profile contributes name servers to resolv.conf, and if all contributing profiles have \"trust-ad\" enabled. When using a caching DNS plugin (dnsmasq or systemd-resolved in NetworkManager.conf) then \"edns0\" and \"trust-ad\" are automatically added.")
+#define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_DNS_OPTIONS N_("Array of DNS options as described in man 5 resolv.conf. NULL means that the options are unset and left at the default. In this case NetworkManager will use default options. This is distinct from an empty list of properties. The currently supported options are \"attempts\", \"debug\", \"edns0\", \"inet6\", \"ip6-bytestring\", \"ip6-dotint\", \"ndots\", \"no-aaaa\", \"no-check-names\", \"no-ip6-dotint\", \"no-reload\", \"no-tld-query\", \"rotate\", \"single-request\", \"single-request-reopen\", \"timeout\", \"trust-ad\", \"use-vc\". The \"trust-ad\" setting is only honored if the profile contributes name servers to resolv.conf, and if all contributing profiles have \"trust-ad\" enabled. When using a caching DNS plugin (dnsmasq or systemd-resolved in NetworkManager.conf) then \"edns0\" and \"trust-ad\" are automatically added.")
#define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_DNS_PRIORITY N_("DNS servers priority. The relative priority for DNS servers specified by this setting. A lower numerical value is better (higher priority). Negative values have the special effect of excluding other configurations with a greater numerical priority value; so in presence of at least one negative priority, only DNS servers from connections with the lowest priority value will be used. To avoid all DNS leaks, set the priority of the profile that should be used to the most negative value of all active connections profiles. Zero selects a globally configured default value. If the latter is missing or zero too, it defaults to 50 for VPNs (including WireGuard) and 100 for other connections. Note that the priority is to order DNS settings for multiple active connections. It does not disambiguate multiple DNS servers within the same connection profile. When multiple devices have configurations with the same priority, VPNs will be considered first, then devices with the best (lowest metric) default route and then all other devices. When using dns=default, servers with higher priority will be on top of resolv.conf. To prioritize a given server over another one within the same connection, just specify them in the desired order. Note that commonly the resolver tries name servers in /etc/resolv.conf in the order listed, proceeding with the next server in the list on failure. See for example the \"rotate\" option of the dns-options setting. If there are any negative DNS priorities, then only name servers from the devices with that lowest priority will be considered. When using a DNS resolver that supports Conditional Forwarding or Split DNS (with dns=dnsmasq or dns=systemd-resolved settings), each connection is used to query domains in its search list. The search domains determine which name servers to ask, and the DNS priority is used to prioritize name servers based on the domain. Queries for domains not present in any search list are routed through connections having the '~.' special wildcard domain, which is added automatically to connections with the default route (or can be added manually). When multiple connections specify the same domain, the one with the best priority (lowest numerical value) wins. If a sub domain is configured on another interface it will be accepted regardless the priority, unless parent domain on the other interface has a negative priority, which causes the sub domain to be shadowed. With Split DNS one can avoid undesired DNS leaks by properly configuring DNS priorities and the search domains, so that only name servers of the desired interface are configured.")
#define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_DNS_SEARCH N_("List of DNS search domains. Domains starting with a tilde ('~') are considered 'routing' domains and are used only to decide the interface over which a query must be forwarded; they are not used to complete unqualified host names. When using a DNS plugin that supports Conditional Forwarding or Split DNS, then the search domains specify which name servers to query. This makes the behavior different from running with plain /etc/resolv.conf. For more information see also the dns-priority setting. When set on a profile that also enabled DHCP, the DNS search list received automatically (option 119 for DHCPv4 and option 24 for DHCPv6) gets merged with the manual list. This can be prevented by setting \"ignore-auto-dns\". Note that if no DNS searches are configured, the fallback will be derived from the domain from DHCP (option 15).")
#define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_GATEWAY N_("The gateway associated with this configuration. This is only meaningful if \"addresses\" is also set. Setting the gateway causes NetworkManager to configure a standard default route with the gateway as next hop. This is ignored if \"never-default\" is set. An alternative is to configure the default route explicitly with a manual route and /0 as prefix length. Note that the gateway usually conflicts with routing that NetworkManager configures for WireGuard interfaces, so usually it should not be set in that case. See \"ip4-auto-default-route\".")
diff --git a/src/nmcli/generate-docs-nm-settings-nmcli.xml.in b/src/nmcli/generate-docs-nm-settings-nmcli.xml.in
index 9acb76481e..03e6c0b54b 100644
--- a/src/nmcli/generate-docs-nm-settings-nmcli.xml.in
+++ b/src/nmcli/generate-docs-nm-settings-nmcli.xml.in
@@ -656,7 +656,7 @@
<property name="dns-search"
description="List of DNS search domains. Domains starting with a tilde (&apos;~&apos;) are considered &apos;routing&apos; domains and are used only to decide the interface over which a query must be forwarded; they are not used to complete unqualified host names. When using a DNS plugin that supports Conditional Forwarding or Split DNS, then the search domains specify which name servers to query. This makes the behavior different from running with plain /etc/resolv.conf. For more information see also the dns-priority setting. When set on a profile that also enabled DHCP, the DNS search list received automatically (option 119 for DHCPv4 and option 24 for DHCPv6) gets merged with the manual list. This can be prevented by setting &quot;ignore-auto-dns&quot;. Note that if no DNS searches are configured, the fallback will be derived from the domain from DHCP (option 15)." />
<property name="dns-options"
- description="Array of DNS options as described in man 5 resolv.conf. NULL means that the options are unset and left at the default. In this case NetworkManager will use default options. This is distinct from an empty list of properties. The currently supported options are &quot;attempts&quot;, &quot;debug&quot;, &quot;edns0&quot;, &quot;inet6&quot;, &quot;ip6-bytestring&quot;, &quot;ip6-dotint&quot;, &quot;ndots&quot;, &quot;no-check-names&quot;, &quot;no-ip6-dotint&quot;, &quot;no-reload&quot;, &quot;no-tld-query&quot;, &quot;rotate&quot;, &quot;single-request&quot;, &quot;single-request-reopen&quot;, &quot;timeout&quot;, &quot;trust-ad&quot;, &quot;use-vc&quot;. The &quot;trust-ad&quot; setting is only honored if the profile contributes name servers to resolv.conf, and if all contributing profiles have &quot;trust-ad&quot; enabled. When using a caching DNS plugin (dnsmasq or systemd-resolved in NetworkManager.conf) then &quot;edns0&quot; and &quot;trust-ad&quot; are automatically added." />
+ description="Array of DNS options as described in man 5 resolv.conf. NULL means that the options are unset and left at the default. In this case NetworkManager will use default options. This is distinct from an empty list of properties. The currently supported options are &quot;attempts&quot;, &quot;debug&quot;, &quot;edns0&quot;, &quot;inet6&quot;, &quot;ip6-bytestring&quot;, &quot;ip6-dotint&quot;, &quot;ndots&quot;, &quot;no-aaaa&quot;, &quot;no-check-names&quot;, &quot;no-ip6-dotint&quot;, &quot;no-reload&quot;, &quot;no-tld-query&quot;, &quot;rotate&quot;, &quot;single-request&quot;, &quot;single-request-reopen&quot;, &quot;timeout&quot;, &quot;trust-ad&quot;, &quot;use-vc&quot;. The &quot;trust-ad&quot; setting is only honored if the profile contributes name servers to resolv.conf, and if all contributing profiles have &quot;trust-ad&quot; enabled. When using a caching DNS plugin (dnsmasq or systemd-resolved in NetworkManager.conf) then &quot;edns0&quot; and &quot;trust-ad&quot; are automatically added." />
<property name="dns-priority"
description="DNS servers priority. The relative priority for DNS servers specified by this setting. A lower numerical value is better (higher priority). Negative values have the special effect of excluding other configurations with a greater numerical priority value; so in presence of at least one negative priority, only DNS servers from connections with the lowest priority value will be used. To avoid all DNS leaks, set the priority of the profile that should be used to the most negative value of all active connections profiles. Zero selects a globally configured default value. If the latter is missing or zero too, it defaults to 50 for VPNs (including WireGuard) and 100 for other connections. Note that the priority is to order DNS settings for multiple active connections. It does not disambiguate multiple DNS servers within the same connection profile. When multiple devices have configurations with the same priority, VPNs will be considered first, then devices with the best (lowest metric) default route and then all other devices. When using dns=default, servers with higher priority will be on top of resolv.conf. To prioritize a given server over another one within the same connection, just specify them in the desired order. Note that commonly the resolver tries name servers in /etc/resolv.conf in the order listed, proceeding with the next server in the list on failure. See for example the &quot;rotate&quot; option of the dns-options setting. If there are any negative DNS priorities, then only name servers from the devices with that lowest priority will be considered. When using a DNS resolver that supports Conditional Forwarding or Split DNS (with dns=dnsmasq or dns=systemd-resolved settings), each connection is used to query domains in its search list. The search domains determine which name servers to ask, and the DNS priority is used to prioritize name servers based on the domain. Queries for domains not present in any search list are routed through connections having the &apos;~.&apos; special wildcard domain, which is added automatically to connections with the default route (or can be added manually). When multiple connections specify the same domain, the one with the best priority (lowest numerical value) wins. If a sub domain is configured on another interface it will be accepted regardless the priority, unless parent domain on the other interface has a negative priority, which causes the sub domain to be shadowed. With Split DNS one can avoid undesired DNS leaks by properly configuring DNS priorities and the search domains, so that only name servers of the desired interface are configured." />
<property name="addresses"
@@ -713,7 +713,7 @@
<property name="dns-search"
description="List of DNS search domains. Domains starting with a tilde (&apos;~&apos;) are considered &apos;routing&apos; domains and are used only to decide the interface over which a query must be forwarded; they are not used to complete unqualified host names. When using a DNS plugin that supports Conditional Forwarding or Split DNS, then the search domains specify which name servers to query. This makes the behavior different from running with plain /etc/resolv.conf. For more information see also the dns-priority setting. When set on a profile that also enabled DHCP, the DNS search list received automatically (option 119 for DHCPv4 and option 24 for DHCPv6) gets merged with the manual list. This can be prevented by setting &quot;ignore-auto-dns&quot;. Note that if no DNS searches are configured, the fallback will be derived from the domain from DHCP (option 15)." />
<property name="dns-options"
- description="Array of DNS options as described in man 5 resolv.conf. NULL means that the options are unset and left at the default. In this case NetworkManager will use default options. This is distinct from an empty list of properties. The currently supported options are &quot;attempts&quot;, &quot;debug&quot;, &quot;edns0&quot;, &quot;inet6&quot;, &quot;ip6-bytestring&quot;, &quot;ip6-dotint&quot;, &quot;ndots&quot;, &quot;no-check-names&quot;, &quot;no-ip6-dotint&quot;, &quot;no-reload&quot;, &quot;no-tld-query&quot;, &quot;rotate&quot;, &quot;single-request&quot;, &quot;single-request-reopen&quot;, &quot;timeout&quot;, &quot;trust-ad&quot;, &quot;use-vc&quot;. The &quot;trust-ad&quot; setting is only honored if the profile contributes name servers to resolv.conf, and if all contributing profiles have &quot;trust-ad&quot; enabled. When using a caching DNS plugin (dnsmasq or systemd-resolved in NetworkManager.conf) then &quot;edns0&quot; and &quot;trust-ad&quot; are automatically added." />
+ description="Array of DNS options as described in man 5 resolv.conf. NULL means that the options are unset and left at the default. In this case NetworkManager will use default options. This is distinct from an empty list of properties. The currently supported options are &quot;attempts&quot;, &quot;debug&quot;, &quot;edns0&quot;, &quot;inet6&quot;, &quot;ip6-bytestring&quot;, &quot;ip6-dotint&quot;, &quot;ndots&quot;, &quot;no-aaaa&quot;, &quot;no-check-names&quot;, &quot;no-ip6-dotint&quot;, &quot;no-reload&quot;, &quot;no-tld-query&quot;, &quot;rotate&quot;, &quot;single-request&quot;, &quot;single-request-reopen&quot;, &quot;timeout&quot;, &quot;trust-ad&quot;, &quot;use-vc&quot;. The &quot;trust-ad&quot; setting is only honored if the profile contributes name servers to resolv.conf, and if all contributing profiles have &quot;trust-ad&quot; enabled. When using a caching DNS plugin (dnsmasq or systemd-resolved in NetworkManager.conf) then &quot;edns0&quot; and &quot;trust-ad&quot; are automatically added." />
<property name="dns-priority"
description="DNS servers priority. The relative priority for DNS servers specified by this setting. A lower numerical value is better (higher priority). Negative values have the special effect of excluding other configurations with a greater numerical priority value; so in presence of at least one negative priority, only DNS servers from connections with the lowest priority value will be used. To avoid all DNS leaks, set the priority of the profile that should be used to the most negative value of all active connections profiles. Zero selects a globally configured default value. If the latter is missing or zero too, it defaults to 50 for VPNs (including WireGuard) and 100 for other connections. Note that the priority is to order DNS settings for multiple active connections. It does not disambiguate multiple DNS servers within the same connection profile. When multiple devices have configurations with the same priority, VPNs will be considered first, then devices with the best (lowest metric) default route and then all other devices. When using dns=default, servers with higher priority will be on top of resolv.conf. To prioritize a given server over another one within the same connection, just specify them in the desired order. Note that commonly the resolver tries name servers in /etc/resolv.conf in the order listed, proceeding with the next server in the list on failure. See for example the &quot;rotate&quot; option of the dns-options setting. If there are any negative DNS priorities, then only name servers from the devices with that lowest priority will be considered. When using a DNS resolver that supports Conditional Forwarding or Split DNS (with dns=dnsmasq or dns=systemd-resolved settings), each connection is used to query domains in its search list. The search domains determine which name servers to ask, and the DNS priority is used to prioritize name servers based on the domain. Queries for domains not present in any search list are routed through connections having the &apos;~.&apos; special wildcard domain, which is added automatically to connections with the default route (or can be added manually). When multiple connections specify the same domain, the one with the best priority (lowest numerical value) wins. If a sub domain is configured on another interface it will be accepted regardless the priority, unless parent domain on the other interface has a negative priority, which causes the sub domain to be shadowed. With Split DNS one can avoid undesired DNS leaks by properly configuring DNS priorities and the search domains, so that only name servers of the desired interface are configured." />
<property name="addresses"
--
2.39.2

View File

@ -0,0 +1,127 @@
From cf230074965216c94bb25bc3c3fff7f1d698c250 Mon Sep 17 00:00:00 2001
From: Gris Ge <fge@redhat.com>
Date: Fri, 15 Mar 2024 15:46:02 +0800
Subject: [PATCH] ovs: Do not allow OVS bridge and port to be parent
When creating VLAN over OVS internal interface which holding the same
name as its controller OVS bridge, NetworkManager will fail with error:
Error: Connection activation failed: br0.101 failed to create
resources: cannot retrieve ifindex of interface br0 (Open vSwitch
Bridge)
Expanded the `find_device_by_iface()` with additional argument
`child: NmConnection *` which will validate whether candidate is
suitable to be parent device.
In `nm_device_check_parent_connection_compatible()`, we only not allow OVS
bridge and OVS port being parent.
Resolves: https://issues.redhat.com/browse/RHEL-26753
Signed-off-by: Gris Ge <fge@redhat.com>
(cherry picked from commit 7096f52a5967ef053a4cf8e5ca8a71c1495578f9)
(cherry picked from commit d3329f0599f5fdfc2ef9f2c1395b5eb7bcc3c2a5)
---
src/core/devices/nm-device.c | 11 +++++++++++
src/core/devices/nm-device.h | 1 +
src/core/nm-manager.c | 14 +++++++++-----
3 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/src/core/devices/nm-device.c b/src/core/devices/nm-device.c
index 30c38ba990..78b0e618be 100644
--- a/src/core/devices/nm-device.c
+++ b/src/core/devices/nm-device.c
@@ -9508,6 +9508,17 @@ nm_device_check_slave_connection_compatible(NMDevice *self, NMConnection *slave)
return nm_streq(connection_type, slave_type);
}
+gboolean
+nm_device_can_be_parent(NMDevice *self)
+{
+ NMDeviceType device_type = nm_device_get_device_type(self);
+
+ if ((device_type == NM_DEVICE_TYPE_OVS_BRIDGE) || (device_type == NM_DEVICE_TYPE_OVS_PORT))
+ return FALSE;
+ else
+ return TRUE;
+}
+
/**
* nm_device_can_assume_connections:
* @self: #NMDevice instance
diff --git a/src/core/devices/nm-device.h b/src/core/devices/nm-device.h
index b096d23ac1..7353a3f327 100644
--- a/src/core/devices/nm-device.h
+++ b/src/core/devices/nm-device.h
@@ -550,6 +550,7 @@ gboolean nm_device_check_connection_compatible(NMDevice *device,
GError **error);
gboolean nm_device_check_slave_connection_compatible(NMDevice *device, NMConnection *connection);
+gboolean nm_device_can_be_parent(NMDevice *device);
gboolean nm_device_can_assume_connections(NMDevice *self);
gboolean nm_device_unmanage_on_quit(NMDevice *self);
diff --git a/src/core/nm-manager.c b/src/core/nm-manager.c
index 6739e5599e..7f94f7cd9c 100644
--- a/src/core/nm-manager.c
+++ b/src/core/nm-manager.c
@@ -1914,7 +1914,8 @@ find_device_by_ip_iface(NMManager *self, const char *iface)
* is given, this function will only return master devices and will ensure
* @slave, when activated, can be a slave of the returned master device. If
* @connection is given, this function will only consider devices that are
- * compatible with @connection.
+ * compatible with @connection. If @child is given, this function will only
+ * return parent device.
*
* Returns: the matching #NMDevice
*/
@@ -1922,7 +1923,8 @@ static NMDevice *
find_device_by_iface(NMManager *self,
const char *iface,
NMConnection *connection,
- NMConnection *slave)
+ NMConnection *slave,
+ NMConnection *child)
{
NMManagerPrivate *priv = NM_MANAGER_GET_PRIVATE(self);
NMDevice *fallback = NULL;
@@ -1941,6 +1943,8 @@ find_device_by_iface(NMManager *self,
if (!nm_device_check_slave_connection_compatible(candidate, slave))
continue;
}
+ if (child && !nm_device_can_be_parent(candidate))
+ continue;
if (nm_device_is_real(candidate))
return candidate;
@@ -2405,7 +2409,7 @@ find_parent_device_for_connection(NMManager *self,
NM_SET_OUT(out_parent_spec, parent_name);
/* Try as an interface name of a parent device */
- parent = find_device_by_iface(self, parent_name, NULL, NULL);
+ parent = find_device_by_iface(self, parent_name, NULL, NULL, connection);
if (parent)
return parent;
@@ -5003,7 +5007,7 @@ find_master(NMManager *self,
}
if (!master_connection) {
- master_device = find_device_by_iface(self, master, NULL, connection);
+ master_device = find_device_by_iface(self, master, NULL, connection, NULL);
if (!master_device) {
g_set_error(error,
NM_MANAGER_ERROR,
@@ -6445,7 +6449,7 @@ validate_activation_request(NMManager *self,
if (!iface)
return NULL;
- device = find_device_by_iface(self, iface, connection, NULL);
+ device = find_device_by_iface(self, iface, connection, NULL, NULL);
if (!device) {
g_set_error_literal(error,
NM_MANAGER_ERROR,
--
2.44.0

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,50 @@
From e4fb80046cf36a7e210e8660ef50c93ef8971a5e Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Wed, 13 Mar 2024 10:47:31 +0100
Subject: [PATCH 1/2] nm-dispatcher: fix crash when parsing output dictionary
'stdout' is NULL when the script didn't write anything or failed.
Fixes the following crash detected by NMCI in test
'dispatcher_device_handler_dummy'.
nm-dispatcher[936339]: g_strsplit: assertion 'string != NULL' failed
build_result_options (nm-dispatcher)
complete_request (nm-dispatcher)
complete_script (nm-dispatcher)
script_watch_cb (nm-dispatcher)
g_child_watch_dispatch (libglib-2.0.so.0)
g_main_dispatch (libglib-2.0.so.0)
g_main_context_iterate (libglib-2.0.so.0)
g_main_context_iteration (libglib-2.0.so.0)
main (nm-dispatcher)
__libc_start_main (libc.so.6)
_start (nm-dispatcher)
Fixes: d72f26b87528 ('dispatcher: read device-handler's stdout into a dictionary')
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1889
(cherry picked from commit e5c2c5f1c2f55c139f39830651df2c901c3a0bf9)
(cherry picked from commit 669bf33de38a8a15e77662daadf94d6395838eee)
---
src/nm-dispatcher/nm-dispatcher.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/nm-dispatcher/nm-dispatcher.c b/src/nm-dispatcher/nm-dispatcher.c
index efb4ec0087..ce252b92bf 100644
--- a/src/nm-dispatcher/nm-dispatcher.c
+++ b/src/nm-dispatcher/nm-dispatcher.c
@@ -306,6 +306,9 @@ build_result_options(char *stdout)
char *key;
char *value;
+ if (!stdout)
+ return NULL;
+
lines = g_strsplit(stdout, "\n", 65);
for (i = 0; lines[i] && i < 64; i++) {
--
2.41.0

View File

@ -1,52 +0,0 @@
From 4a9d5b23ab513f0ee0b8f490e522f60d4ef3e4cd Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Thu, 4 May 2023 15:11:49 +0200
Subject: [PATCH] team: don't try to connect to teamd in update_connection()
In constructed(), NMDevice starts watching the D-Bus name owner or
monitoring the unix socket, and so it is always aware if teamd is
running. When it is, NMDevice connects to it and initializes
priv->tdc.
It is not useful to try to connect to teamd in update_connection()
because warnings will be generated by NM and by libteam if teamd is
not running. As explained above the connection is always initialized
when teamd is available, and so we can just check priv->tdc.
Fixes: ab586236e36b ('core: implement update_connection() for Team')
https://bugzilla.redhat.com/show_bug.cgi?id=2182029
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1631
(cherry picked from commit 93430627c245a0b33b873edca329fa716ccfb7d6)
(cherry picked from commit b60f0dd0a20db232c7edc01faa4562ce510ed107)
(cherry picked from commit f6f1a44559990765a5cbc940a74f54df5d8a30d0)
---
src/core/devices/team/nm-device-team.c | 9 +--------
1 file changed, 1 insertion(+), 8 deletions(-)
diff --git a/src/core/devices/team/nm-device-team.c b/src/core/devices/team/nm-device-team.c
index b745158ef8..1d2beb5e8a 100644
--- a/src/core/devices/team/nm-device-team.c
+++ b/src/core/devices/team/nm-device-team.c
@@ -228,17 +228,10 @@ update_connection(NMDevice *device, NMConnection *connection)
NMDeviceTeam *self = NM_DEVICE_TEAM(device);
NMSettingTeam *s_team = _nm_connection_ensure_setting(connection, NM_TYPE_SETTING_TEAM);
NMDeviceTeamPrivate *priv = NM_DEVICE_TEAM_GET_PRIVATE(self);
- struct teamdctl *tdc = priv->tdc;
/* Read the configuration only if not already set */
- if (!priv->config && ensure_teamd_connection(device))
+ if (!priv->config && priv->tdc) {
teamd_read_config(self);
-
- /* Restore previous tdc state */
- if (priv->tdc && !tdc) {
- teamdctl_disconnect(priv->tdc);
- teamdctl_free(priv->tdc);
- priv->tdc = NULL;
}
g_object_set(G_OBJECT(s_team), NM_SETTING_TEAM_CONFIG, _get_config(self), NULL);
--
2.40.1

View File

@ -0,0 +1,66 @@
From 8ff08068342d1d8efe1e6d6c9a241e3395641a76 Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Thu, 21 Mar 2024 09:45:15 +0100
Subject: [PATCH 2/2] manager: fix race condition while enumerating devices at
startup
While enumerating devices at startup, we take a snapshot of existing
links from platform and we start creating device instances for
them. It's possible that in the meantime, while processing netlink
events in platform_link_added(), a link gets renamed. If that happens,
then we have two different views of the same ifindex: the cached link
from `links` and the link in platform.
This can cause issues: in platform_link_added() we create the device
with the cached name; then in NMDevice's constructor(), we look up
from platform the ifindex for the given name. Because of the rename,
this lookup can match a newly created, different link.
The end result is that the ifindex from the initial snapshot doesn't
get a NMDevice and is not handled by NetworkManager.
Fix this problem by fetching the latest version of the link from
platform to make sure we have a consistent view of the state.
https://issues.redhat.com/browse/RHEL-25808
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1897
(cherry picked from commit de130df3e2207dc015c4fa82ecf766be2851532c)
(cherry picked from commit 6f3739e76f1f31d71bc3fbd7a4b0955071d59cc4)
---
src/core/nm-manager.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/src/core/nm-manager.c b/src/core/nm-manager.c
index 7f94f7cd9c..a77ba9d3b1 100644
--- a/src/core/nm-manager.c
+++ b/src/core/nm-manager.c
@@ -4438,10 +4438,25 @@ platform_query_devices(NMManager *self)
links = nm_platform_link_get_all(priv->platform);
if (!links)
return;
+
for (i = 0; i < links->len; i++) {
- const NMPlatformLink *link = NMP_OBJECT_CAST_LINK(links->pdata[i]);
+ const NMPlatformLink *elem = NMP_OBJECT_CAST_LINK(links->pdata[i]);
+ const NMPlatformLink *link;
const NMConfigDeviceStateData *dev_state;
+ /*
+ * @links is an immutable snapshot of the platform links captured before
+ * the loop was started. It's possible that in the meantime, while
+ * processing netlink events in platform_link_added(), a link was
+ * renamed. If that happens, we have 2 different views of the same
+ * ifindex: the one from @links and the one from platform. This can
+ * cause race conditions; make sure to use the latest known version of
+ * the link.
+ */
+ link = nm_platform_link_get(priv->platform, elem->ifindex);
+ if (!link)
+ continue;
+
dev_state = nm_config_device_state_get(priv->config, link->ifindex);
platform_link_added(self,
link->ifindex,
--
2.41.0

View File

@ -1,140 +0,0 @@
From 3fcb1a072f230b53c6fdf6e106e0972293a2f742 Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Thu, 11 May 2023 13:32:13 +0200
Subject: [PATCH] ipv6ll: don't regenerate the address when it's removed
externally
Currently if the IPv6 link-local address is removed after it passed
DAD, NetworkManager tries to generate a new link-local address. If
this fails, which is always the case for EUI64, ipv6ll is considered
as failed and the connection can go down (depending on may-fail).
This is particularly bad for virtual interfaces because if somebody
removes the link-local address, the activation can fail and destroy
the interface, breaking all services that require it. Also, it's a
change in behavior introduced in 1.36.0.
It seems that a better approach here is to re-add the address that was
removed externally.
[bgalvani@redhat.com: since the branch is missing commit 7ca95cee15b3
('platform: always reconfigure IP routes even if removed externally'),
we need to set flag NM_L3CFG_CONFIG_FLAGS_FORCE_ONCE when committing
the address, otherwise it's not re-added]
Fixes: aa070fb82190 ('core: add NML3IPv6LL helper')
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1622
(cherry picked from commit 53ba9f4701f30b12637df2c7215a0b7da845b34c)
(cherry picked from commit 2976e4c3b7fcee06051ce83c9a7fa911ad192dc4)
(cherry picked from commit 4a13b5f52217c81ddf2329ba343796bfa4ed5ef9)
---
src/core/nm-l3-ipv6ll.c | 34 ++++++++++++++++++++++------------
1 file changed, 22 insertions(+), 12 deletions(-)
diff --git a/src/core/nm-l3-ipv6ll.c b/src/core/nm-l3-ipv6ll.c
index 2640c07554..6e5e460258 100644
--- a/src/core/nm-l3-ipv6ll.c
+++ b/src/core/nm-l3-ipv6ll.c
@@ -391,7 +391,7 @@ _pladdr_find_ll(NML3IPv6LL *self, gboolean *out_cur_addr_failed)
/*****************************************************************************/
static void
-_lladdr_handle_changed(NML3IPv6LL *self)
+_lladdr_handle_changed(NML3IPv6LL *self, gboolean force_commit)
{
const NML3ConfigData *l3cd;
gboolean changed = FALSE;
@@ -420,7 +420,9 @@ _lladdr_handle_changed(NML3IPv6LL *self)
NM_DNS_PRIORITY_DEFAULT_NORMAL,
NM_L3_ACD_DEFEND_TYPE_ALWAYS,
0,
- NM_L3CFG_CONFIG_FLAGS_NONE,
+ /* Even if the address was removed from platform, it must
+ * be re-added, hence FORCE_ONCE. */
+ NM_L3CFG_CONFIG_FLAGS_FORCE_ONCE,
NM_L3_CONFIG_MERGE_FLAGS_NONE))
changed = TRUE;
} else {
@@ -434,7 +436,7 @@ _lladdr_handle_changed(NML3IPv6LL *self)
self->l3cfg_commit_handle,
"ipv6ll");
- if (changed)
+ if (changed || force_commit)
nm_l3cfg_commit_on_idle_schedule(self->l3cfg, NM_L3_CFG_COMMIT_TYPE_AUTO);
if (!self->emit_changed_idle_source) {
@@ -515,6 +517,7 @@ _check(NML3IPv6LL *self)
const NMPlatformIP6Address *pladdr;
char sbuf[INET6_ADDRSTRLEN];
gboolean cur_addr_failed;
+ gboolean restarted = FALSE;
struct in6_addr lladdr;
pladdr = _pladdr_find_ll(self, &cur_addr_failed);
@@ -526,14 +529,14 @@ _check(NML3IPv6LL *self)
if (_set_cur_lladdr_obj(self, NM_L3_IPV6LL_STATE_DAD_IN_PROGRESS, pladdr)) {
_LOGT("changed: waiting for address %s to complete DAD",
_nm_utils_inet6_ntop(&self->cur_lladdr, sbuf));
- _lladdr_handle_changed(self);
+ _lladdr_handle_changed(self, FALSE);
}
return;
}
if (_set_cur_lladdr_obj(self, NM_L3_IPV6LL_STATE_READY, pladdr)) {
_LOGT("changed: address %s is ready", _nm_utils_inet6_ntop(&self->cur_lladdr, sbuf));
- _lladdr_handle_changed(self);
+ _lladdr_handle_changed(self, FALSE);
}
return;
}
@@ -543,11 +546,17 @@ _check(NML3IPv6LL *self)
* Prematurely abort DAD to generate a new address below. */
nm_assert(
NM_IN_SET(self->state, NM_L3_IPV6LL_STATE_DAD_IN_PROGRESS, NM_L3_IPV6LL_STATE_READY));
- if (self->state == NM_L3_IPV6LL_STATE_DAD_IN_PROGRESS)
- _LOGT("changed: address %s did not complete DAD",
- _nm_utils_inet6_ntop(&self->cur_lladdr, sbuf));
- else {
+
+ if (cur_addr_failed) {
+ /* On DAD failure, we always try to regenerate a new address. */
+ _LOGT("changed: address %s failed", _nm_utils_inet6_ntop(&self->cur_lladdr, sbuf));
+ } else {
_LOGT("changed: address %s is gone", _nm_utils_inet6_ntop(&self->cur_lladdr, sbuf));
+ /* When the address is removed, we always try to re-add it. */
+ nm_clear_g_source_inst(&self->wait_for_addr_source);
+ lladdr = self->cur_lladdr;
+ restarted = TRUE;
+ goto commit;
}
/* reset the state here, so that we are sure that the following
@@ -569,19 +578,20 @@ _check(NML3IPv6LL *self)
if (_set_cur_lladdr_bin(self, NM_L3_IPV6LL_STATE_DAD_FAILED, NULL)) {
_LOGW("changed: no IPv6 link local address to retry after Duplicate Address Detection "
"failures (back off)");
- _lladdr_handle_changed(self);
+ _lladdr_handle_changed(self, FALSE);
}
return;
}
+commit:
/* we give NML3Cfg 2 seconds to configure the address on the interface. We
* thus very soon expect to see this address configured (and kernel started DAD).
* If that does not happen within timeout, we assume that this address failed DAD. */
self->wait_for_addr_source = nm_g_timeout_add_source(2000, _wait_for_addr_timeout_cb, self);
- if (_set_cur_lladdr_bin(self, NM_L3_IPV6LL_STATE_DAD_IN_PROGRESS, &lladdr)) {
+ if (_set_cur_lladdr_bin(self, NM_L3_IPV6LL_STATE_DAD_IN_PROGRESS, &lladdr) || restarted) {
_LOGT("changed: starting DAD for address %s",
_nm_utils_inet6_ntop(&self->cur_lladdr, sbuf));
- _lladdr_handle_changed(self);
+ _lladdr_handle_changed(self, restarted);
}
return;
}
--
2.39.2

View File

@ -0,0 +1,40 @@
From 6394c2b262d86824a41ca82ad76288c06bfd1989 Mon Sep 17 00:00:00 2001
From: Fernando Fernandez Mancera <ffmancera@riseup.net>
Date: Tue, 26 Mar 2024 12:53:27 +0100
Subject: [PATCH] libnm-lldp: use ETH_P_ALL instead of NM_ETHERTYPE_LLDP for
the socket
When creating the socket for listening to LLDP frames we are setting
NM_ETHERTYPE_LLDP (0x88cc) as protocol. In most of the cases, that is
correct but when the interface is attached as a port to a OVS bridge,
kernel is not matching the protocol correctly. The reason might be that
some metadata is added to the packet, but we are not completely sure
about it.
Instead, we should use ETH_P_ALL to match all the protocols. Later, we
have a eBPF filter to drop the packet by multicast MAC address or
protocol. This is how lldpd is doing it for example.
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1903
(cherry picked from commit 9ac1d6e22bfac7f576dec034a26ac7c9012e5b80)
(cherry picked from commit 2fac176986f3afaa84242e069613cc543bfcc58c)
---
src/libnm-lldp/nm-lldp-network.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/libnm-lldp/nm-lldp-network.c b/src/libnm-lldp/nm-lldp-network.c
index 811c3a7291..28cc745249 100644
--- a/src/libnm-lldp/nm-lldp-network.c
+++ b/src/libnm-lldp/nm-lldp-network.c
@@ -46,7 +46,7 @@ nm_lldp_network_bind_raw_socket(int ifindex)
assert(ifindex > 0);
- fd = socket(AF_PACKET, SOCK_RAW | SOCK_CLOEXEC | SOCK_NONBLOCK, htobe16(NM_ETHERTYPE_LLDP));
+ fd = socket(AF_PACKET, SOCK_RAW | SOCK_CLOEXEC | SOCK_NONBLOCK, htobe16(ETH_P_ALL));
if (fd < 0)
return -errno;
--
2.44.0

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,210 @@
From ed5cbbc5847527ed0cfc33f521f7c724975c846b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=8D=C3=B1igo=20Huguet?= <ihuguet@redhat.com>
Date: Tue, 30 Apr 2024 12:45:04 +0200
Subject: [PATCH] platform: avoid routes resync for routes that we don't track
When we recibe a Netlink message with a "route change" event, normally
we just ignore it if it's a route that we don't track (i.e. because of
the route protocol).
However, it's not that easy if it has the NLM_F_REPLACE flag because
that means that it might be replacing another route. If the kernel has
similar routes which are candidates for the replacement, it's hard for
NM to guess which one of those is being replaced (as the kernel doesn't
have a "route ID" or similar field to indicate it). Moreover, the kernel
might choose to replace a route that we don't have on cache, so we know
nothing about it.
It is important to note that we cannot just discard Netlink messages of
routes that we don't track if they has the NLM_F_REPLACE. For example,
if we are tracking a route with proto=static, we might receive a replace
message, changing that route to proto=other_proto_that_we_dont_track. We
need to process that message and remove the route from our cache.
As NM doesn't know what route is being replaced, trying to guess will
lead to errors that will leave the cache in an inconsistent state.
Because of that, it just do a cache resync for the routes.
For IPv4 there was an optimization to this: if we don't have in the
cache any route candidate for the replacement there are only 2 possible
options: either add the new route to the cache or discard it if we are
not interested on it. We don't need a resync for that.
This commit is extending that optimization to IPv6 routes. There is no
reason why it shouldn't work in the same way than with IPv4. This
optimization will only work well as long as we find potential candidate
routes in the same way than the kernel (comparing the same fields). NM
calls to this "comparing by WEAK_ID". But this can also happen with IPv4
routes.
It is worth it to enable this optimization because there are routing
daemons using custom routing protocols that makes tens or hundreds of
updates per second. If they use NLM_F_REPLACE, this caused NM to do a
resync hundreds of times per second leading to a 100% CPU usage:
https://issues.redhat.com/browse/RHEL-26195
An additional but smaller optimization is done in this commit: if we
receive a route message for routes that we don't track AND doesn't have
the NLM_F_REPLACE flag, we can ignore the entire message, thus avoiding
the memory allocation of the nmp_object. That nmp_object was going to be
ignored later, anyway, so better to avoid these allocations that, with
the routing daemon of the above's example, can happen hundreds of times
per second.
With this changes, the CPU usage doing `ip route replace` 300 times/s
drops from 100% to 1%. Doing `ip route replace` as fast as possible,
without any rate limitting, still keeps NM with a 3% CPU usage in the
system that I have used to test.
(cherry picked from commit 4d426f581de402e0aebd2ab273ff6649a0a6fee6)
(cherry picked from commit 15ffa8ec6ff7bf43ed1eb123c0d419d6fab8b268)
---
src/libnm-platform/nm-linux-platform.c | 69 ++++++++++++++++----------
src/libnm-platform/nmp-object.c | 22 +++++---
2 files changed, 57 insertions(+), 34 deletions(-)
diff --git a/src/libnm-platform/nm-linux-platform.c b/src/libnm-platform/nm-linux-platform.c
index 9ecac2d9b3..5b595a9b71 100644
--- a/src/libnm-platform/nm-linux-platform.c
+++ b/src/libnm-platform/nm-linux-platform.c
@@ -3903,6 +3903,34 @@ _new_from_nl_addr(const struct nlmsghdr *nlh, gboolean id_only)
return g_steal_pointer(&obj);
}
+static gboolean
+ip_route_is_tracked(guint8 proto, guint8 type)
+{
+ if (proto > RTPROT_STATIC && !NM_IN_SET(proto, RTPROT_DHCP, RTPROT_RA)) {
+ /* We ignore certain rtm_protocol, because NetworkManager would only ever
+ * configure certain protocols. Other routes are not configured by NetworkManager
+ * and we don't track them in the platform cache.
+ *
+ * This is to help with the performance overhead of a huge number of
+ * routes, for example with the bird BGP software, that adds routes
+ * with RTPROT_BIRD protocol. */
+ return FALSE;
+ }
+
+ if (!NM_IN_SET(type,
+ RTN_UNICAST,
+ RTN_LOCAL,
+ RTN_BLACKHOLE,
+ RTN_UNREACHABLE,
+ RTN_PROHIBIT,
+ RTN_THROW)) {
+ /* Certain route types are ignored and not placed into the cache. */
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
/* Copied and heavily modified from libnl3's rtnl_route_parse() and parse_multipath(). */
static NMPObject *
_new_from_nl_route(const struct nlmsghdr *nlh, gboolean id_only, ParseNlmsgIter *parse_nlmsg_iter)
@@ -3963,6 +3991,16 @@ _new_from_nl_route(const struct nlmsghdr *nlh, gboolean id_only, ParseNlmsgIter
* only handle ~supported~ routes.
*****************************************************************/
+ /* If it's a route that we don't need to track, abort here to avoid unnecessary
+ * memory allocations to create the nmp_object. However, if the message has the
+ * NLM_F_REPLACE flag, it might be replacing a route that we were tracking so we
+ * have to stop tracking it. That means that we have to process all messages with
+ * NLM_F_REPLACE. See nmp_cache_update_netlink_route().
+ */
+ if (!ip_route_is_tracked(rtm->rtm_protocol, rtm->rtm_type)
+ && !(nlh->nlmsg_flags & NLM_F_REPLACE))
+ return NULL;
+
addr_family = rtm->rtm_family;
if (addr_family == AF_INET)
@@ -5519,39 +5557,18 @@ ip_route_get_lock_flag(const NMPlatformIPRoute *route)
static gboolean
ip_route_is_alive(const NMPlatformIPRoute *route)
{
- guint8 prot;
+ guint8 proto, type;
nm_assert(route);
nm_assert(route->rt_source >= NM_IP_CONFIG_SOURCE_RTPROT_UNSPEC
&& route->rt_source <= _NM_IP_CONFIG_SOURCE_RTPROT_LAST);
- prot = route->rt_source - 1;
-
- nm_assert(nmp_utils_ip_config_source_from_rtprot(prot) == route->rt_source);
-
- if (prot > RTPROT_STATIC && !NM_IN_SET(prot, RTPROT_DHCP, RTPROT_RA)) {
- /* We ignore certain rtm_protocol, because NetworkManager would only ever
- * configure certain protocols. Other routes are not configured by NetworkManager
- * and we don't track them in the platform cache.
- *
- * This is to help with the performance overhead of a huge number of
- * routes, for example with the bird BGP software, that adds routes
- * with RTPROT_BIRD protocol. */
- return FALSE;
- }
+ proto = route->rt_source - 1;
+ type = nm_platform_route_type_uncoerce(route->type_coerced);
- if (!NM_IN_SET(nm_platform_route_type_uncoerce(route->type_coerced),
- RTN_UNICAST,
- RTN_LOCAL,
- RTN_BLACKHOLE,
- RTN_UNREACHABLE,
- RTN_PROHIBIT,
- RTN_THROW)) {
- /* Certain route types are ignored and not placed into the cache. */
- return FALSE;
- }
+ nm_assert(nmp_utils_ip_config_source_from_rtprot(proto) == route->rt_source);
- return TRUE;
+ return ip_route_is_tracked(proto, type);
}
/* Copied and modified from libnl3's build_route_msg() and rtnl_route_build_msg(). */
diff --git a/src/libnm-platform/nmp-object.c b/src/libnm-platform/nmp-object.c
index 4090da71a3..cb4e9764d1 100644
--- a/src/libnm-platform/nmp-object.c
+++ b/src/libnm-platform/nmp-object.c
@@ -2988,6 +2988,13 @@ nmp_cache_update_netlink_route(NMPCache *cache,
* Since we don't cache all routes (see "route_is_alive"), we cannot know
* with certainty which route was replaced.
*
+ * For example, the kernel might have 3 similar routes (same WEAK_ID), one
+ * of which is not tracked by us so we don't have it into the cache. If we
+ * receive a route replace message, we don't know to what of the 3 routes
+ * it affects (one of the 3 we don't even know that exists). Moreover, if
+ * we only have one route on cache, we don't know if the replace is for a
+ * different one that we don't track.
+ *
* Even if we would cache *all* routes (which we cannot, if kernel adds new
* routing features that modify the known nmp_object_id_equal()), it would
* be hard to find the right route that was replaced. Well, probably we
@@ -3002,15 +3009,14 @@ nmp_cache_update_netlink_route(NMPCache *cache,
* [2] https://bugzilla.redhat.com/show_bug.cgi?id=1337860
*
* We need to resync.
+ *
+ * However, a resync is expensive. Think of a routing daemon that updates
+ * hundreds of routes per second, the performance penalty is huge. We can
+ * optimize it: if we don't have any matching route on cache (by WEAK_ID),
+ * we don't have anything to replace and we don't need a full resync, but
+ * only to add or discard the new route as usual.
*/
- if (NMP_OBJECT_GET_TYPE(obj_hand_over) == NMP_OBJECT_TYPE_IP4_ROUTE
- && !nmp_cache_lookup_all(cache, NMP_CACHE_ID_TYPE_ROUTES_BY_WEAK_ID, obj_hand_over)) {
- /* For IPv4, we can do a small optimization. We skip the resync, if we have
- * no conflicting routes (by weak-id).
- *
- * This optimization does not work for IPv6 (maybe should be fixed).
- */
- } else {
+ if (nmp_cache_lookup_all(cache, NMP_CACHE_ID_TYPE_ROUTES_BY_WEAK_ID, obj_hand_over)) {
entry_replace = NULL;
resync_required = TRUE;
goto out;
--
2.44.0

View File

@ -1,47 +0,0 @@
From 04c0fffdc3a24b66fcfd2e55714bc1308c219c24 Mon Sep 17 00:00:00 2001
From: Gris Ge <fge@redhat.com>
Date: Tue, 27 Jun 2023 15:02:54 +0800
Subject: [PATCH 1/1] setting-connection: Unblock autoconnect upon finish of
`Reapply`
The activation of a connection will clear the block of autoconnect,
we should do the same for reapply.
Signed-off-by: Gris Ge <fge@redhat.com>
(cherry picked from commit 0486efd3584c70179072f611e63b9c0ff6851b80)
(cherry picked from commit 18ce5f43bd16b3cc394424619652c782cb3795c3)
(cherry picked from commit 2695396939d2a867145f7db569aaf5cc6b0d742c)
---
src/core/devices/nm-device.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/src/core/devices/nm-device.c b/src/core/devices/nm-device.c
index 31acc1c1fe6b..2ac55fa83cbe 100644
--- a/src/core/devices/nm-device.c
+++ b/src/core/devices/nm-device.c
@@ -12826,6 +12826,7 @@ check_and_reapply_connection(NMDevice *self,
NMConnection *con_old;
NMConnection *con_new;
GHashTableIter iter;
+ NMSettingsConnection *sett_conn;
if (priv->state < NM_DEVICE_STATE_PREPARE || priv->state > NM_DEVICE_STATE_ACTIVATED) {
g_set_error_literal(error,
@@ -12998,6 +12999,14 @@ check_and_reapply_connection(NMDevice *self,
if (priv->state >= NM_DEVICE_STATE_ACTIVATED)
nm_device_update_metered(self);
+ sett_conn = nm_device_get_settings_connection(self);
+ if (sett_conn) {
+ nm_settings_connection_autoconnect_blocked_reason_set(
+ sett_conn,
+ NM_SETTINGS_AUTO_CONNECT_BLOCKED_REASON_USER_REQUEST,
+ FALSE);
+ }
+
return TRUE;
}
--
2.40.1

View File

@ -0,0 +1,487 @@
From d6837f0bd30da069d327099cb555854630cd4584 Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Thu, 2 May 2024 16:40:26 +0200
Subject: [PATCH 1/2] settings: add
nm_settings_connection_persist_mode_to_string()
(cherry picked from commit a48b7fe7b9d8adf4902c7b3cfcc4d89bc46cbbef)
(cherry picked from commit e5837aa1d3960b743adcff0a5041445ccd65fb93)
---
src/core/settings/nm-settings-connection.c | 23 ++++++++++++++++++++++
src/core/settings/nm-settings-connection.h | 4 ++++
2 files changed, 27 insertions(+)
diff --git a/src/core/settings/nm-settings-connection.c b/src/core/settings/nm-settings-connection.c
index 176cc2c252..459c60ad1e 100644
--- a/src/core/settings/nm-settings-connection.c
+++ b/src/core/settings/nm-settings-connection.c
@@ -226,6 +226,29 @@ static guint _get_seen_bssids(NMSettingsConnection *self,
/*****************************************************************************/
+char *
+nm_settings_connection_persist_mode_to_string(NMSettingsConnectionPersistMode mode)
+{
+ switch (mode) {
+ case NM_SETTINGS_CONNECTION_PERSIST_MODE_IN_MEMORY:
+ return "in-memory";
+ case NM_SETTINGS_CONNECTION_PERSIST_MODE_IN_MEMORY_DETACHED:
+ return "in-memory-detached";
+ case NM_SETTINGS_CONNECTION_PERSIST_MODE_IN_MEMORY_ONLY:
+ return "in-memory-only";
+ case NM_SETTINGS_CONNECTION_PERSIST_MODE_KEEP:
+ return "keep";
+ case NM_SETTINGS_CONNECTION_PERSIST_MODE_NO_PERSIST:
+ return "no-persist";
+ case NM_SETTINGS_CONNECTION_PERSIST_MODE_TO_DISK:
+ return "to-disk";
+ }
+
+ return nm_assert_unreachable_val(NULL);
+}
+
+/*****************************************************************************/
+
NMSettings *
nm_settings_connection_get_settings(NMSettingsConnection *self)
{
diff --git a/src/core/settings/nm-settings-connection.h b/src/core/settings/nm-settings-connection.h
index 835a978e40..d15a75b749 100644
--- a/src/core/settings/nm-settings-connection.h
+++ b/src/core/settings/nm-settings-connection.h
@@ -379,4 +379,8 @@ void _nm_settings_connection_emit_signal_updated_internal(
void _nm_settings_connection_cleanup_after_remove(NMSettingsConnection *self);
+/*****************************************************************************/
+
+char *nm_settings_connection_persist_mode_to_string(NMSettingsConnectionPersistMode mode);
+
#endif /* __NETWORKMANAGER_SETTINGS_CONNECTION_H__ */
--
2.41.0
From c6f9d0a6d5c864ba0141b6e985727cd69c5560fa Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Mon, 15 Apr 2024 10:51:24 +0200
Subject: [PATCH 2/2] checkpoint: preserve in-memory state of connections
If a connection is in-memory (i.e. has flag "unsaved"), after a
checkpoint and rollback it can be wrongly persisted to disk:
- if the connection was modified and written to disk after the
rollback, during the rollback we update it again with persist mode
"keep", which keeps it on disk;
- if the connection was deleted after the rollback, during the
rollback we add it again with persist mode "to-disk".
Instead, remember whether the connection had the "unsaved" flag set
and try to restore the previous state.
However, this is not straightforward as there are 4 different possible
states for the settings connection: persistent; in-memory only;
in-memory shadowing a persistent file; in-memory shadowing a detached
persistent file (i.e. the deletion of the connection doesn't delete
the persistent file). Handle all those cases.
Fixes: 3e09aed2a09f ('checkpoint: add create, rollback and destroy D-Bus API')
(cherry picked from commit c979bfeb8b0d3bed19bac2ad01a6a6ed899f924e)
(cherry picked from commit ebf25794d9cd89190775ac401c36d63aa1c108f7)
---
NEWS | 8 ++
src/core/nm-checkpoint.c | 242 ++++++++++++++++++++++++++++++++-------
2 files changed, 211 insertions(+), 39 deletions(-)
diff --git a/NEWS b/NEWS
index 6ac3118db9..e33152c6f4 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,11 @@
+===============================================
+NetworkManager-1.46.2
+Overview of changes since NetworkManager-1.46.0
+===============================================
+
+* Properly restore in-memory connection profiles during the rollback
+ of a checkpoint.
+
=============================================
NetworkManager-1.46
Overview of changes since NetworkManager-1.44
diff --git a/src/core/nm-checkpoint.c b/src/core/nm-checkpoint.c
index cc5c189bf9..ffcf6e3aad 100644
--- a/src/core/nm-checkpoint.c
+++ b/src/core/nm-checkpoint.c
@@ -10,6 +10,7 @@
#include "nm-active-connection.h"
#include "nm-act-request.h"
#include "libnm-core-aux-intern/nm-auth-subject.h"
+#include "libnm-core-intern/nm-keyfile-internal.h"
#include "nm-core-utils.h"
#include "nm-dbus-interface.h"
#include "devices/nm-device.h"
@@ -17,6 +18,7 @@
#include "nm-manager.h"
#include "settings/nm-settings.h"
#include "settings/nm-settings-connection.h"
+#include "settings/plugins/keyfile/nms-keyfile-storage.h"
#include "nm-simple-connection.h"
#include "nm-utils.h"
@@ -29,11 +31,14 @@ typedef struct {
NMDevice *device;
NMConnection *applied_connection;
NMConnection *settings_connection;
+ NMConnection *settings_connection_shadowed;
guint64 ac_version_id;
NMDeviceState state;
bool is_software : 1;
bool realized : 1;
bool activation_lifetime_bound_to_profile_visibility : 1;
+ bool settings_connection_is_unsaved : 1;
+ bool settings_connection_is_shadowed_owned : 1;
NMUnmanFlagOp unmanaged_explicit;
NMActivationReason activation_reason;
gulong dev_exported_change_id;
@@ -150,37 +155,111 @@ nm_checkpoint_includes_devices_of(NMCheckpoint *self, NMCheckpoint *cp_for_devic
return NULL;
}
+static NMConnection *
+parse_connection_from_shadowed_file(const char *path, GError **error)
+{
+ nm_auto_unref_keyfile GKeyFile *keyfile = NULL;
+ gs_free char *base_dir = NULL;
+ char *sep;
+
+ keyfile = g_key_file_new();
+ if (!g_key_file_load_from_file(keyfile, path, G_KEY_FILE_NONE, error))
+ return NULL;
+
+ sep = strrchr(path, '/');
+ base_dir = g_strndup(path, sep - path);
+
+ return nm_keyfile_read(keyfile, base_dir, NM_KEYFILE_HANDLER_FLAGS_NONE, NULL, NULL, error);
+}
+
static NMSettingsConnection *
-find_settings_connection(NMCheckpoint *self,
- DeviceCheckpoint *dev_checkpoint,
- gboolean *need_update,
- gboolean *need_activation)
+find_settings_connection(NMCheckpoint *self,
+ DeviceCheckpoint *dev_checkpoint,
+ gboolean *need_update,
+ gboolean *need_update_shadowed,
+ gboolean *need_activation,
+ NMSettingsConnectionPersistMode *persist_mode)
{
NMCheckpointPrivate *priv = NM_CHECKPOINT_GET_PRIVATE(self);
NMActiveConnection *active;
NMSettingsConnection *sett_conn;
+ const char *shadowed_file;
+ NMConnection *shadowed_connection = NULL;
const char *uuid, *ac_uuid;
const CList *tmp_clist;
-
- *need_activation = FALSE;
- *need_update = FALSE;
+ gboolean sett_conn_unsaved;
+ NMSettingsStorage *storage;
+
+ *need_activation = FALSE;
+ *need_update = FALSE;
+ *need_update_shadowed = FALSE;
+
+ /* With regard to storage, there are 4 different possible states for the settings
+ * connection: 1) persistent; 2) in-memory only; 3) in-memory shadowing a persistent
+ * file; 4) in-memory shadowing a detached persistent file (i.e. the deletion of
+ * the connection doesn't delete the persistent file).
+ */
+ if (dev_checkpoint->settings_connection_is_unsaved) {
+ if (dev_checkpoint->settings_connection_shadowed) {
+ if (dev_checkpoint->settings_connection_is_shadowed_owned)
+ *persist_mode = NM_SETTINGS_CONNECTION_PERSIST_MODE_IN_MEMORY;
+ else
+ *persist_mode = NM_SETTINGS_CONNECTION_PERSIST_MODE_IN_MEMORY_DETACHED;
+ } else
+ *persist_mode = NM_SETTINGS_CONNECTION_PERSIST_MODE_IN_MEMORY_ONLY;
+ } else {
+ *persist_mode = NM_SETTINGS_CONNECTION_PERSIST_MODE_TO_DISK;
+ }
uuid = nm_connection_get_uuid(dev_checkpoint->settings_connection);
sett_conn = nm_settings_get_connection_by_uuid(NM_SETTINGS_GET, uuid);
- if (!sett_conn)
- return NULL;
-
- /* Now check if the connection changed, ... */
- if (!nm_connection_compare(dev_checkpoint->settings_connection,
- nm_settings_connection_get_connection(sett_conn),
- NM_SETTING_COMPARE_FLAG_EXACT)) {
+ /* Check if the connection changed */
+ if (sett_conn
+ && !nm_connection_compare(dev_checkpoint->settings_connection,
+ nm_settings_connection_get_connection(sett_conn),
+ NM_SETTING_COMPARE_FLAG_IGNORE_TIMESTAMP)) {
_LOGT("rollback: settings connection %s changed", uuid);
*need_update = TRUE;
*need_activation = TRUE;
}
- /* ... is active, ... */
+ storage = sett_conn ? nm_settings_connection_get_storage(sett_conn) : NULL;
+ shadowed_file = storage ? nm_settings_storage_get_shadowed_storage(storage, NULL) : NULL;
+ shadowed_connection =
+ shadowed_file ? parse_connection_from_shadowed_file(shadowed_file, NULL) : NULL;
+
+ if (dev_checkpoint->settings_connection_shadowed) {
+ if (!shadowed_connection
+ || !nm_connection_compare(dev_checkpoint->settings_connection_shadowed,
+ shadowed_connection,
+ NM_SETTING_COMPARE_FLAG_IGNORE_TIMESTAMP)) {
+ _LOGT("rollback: shadowed connection changed for %s", uuid);
+ *need_update_shadowed = TRUE;
+ *need_update = TRUE;
+ }
+ } else {
+ if (shadowed_connection) {
+ _LOGT("rollback: shadowed connection changed for %s", uuid);
+ *need_update = TRUE;
+ }
+ }
+
+ if (!sett_conn)
+ return NULL;
+
+ /* Check if the connection unsaved flag changed */
+ sett_conn_unsaved = NM_FLAGS_HAS(nm_settings_connection_get_flags(sett_conn),
+ NM_SETTINGS_CONNECTION_INT_FLAGS_UNSAVED);
+ if (sett_conn_unsaved != dev_checkpoint->settings_connection_is_unsaved) {
+ _LOGT("rollback: storage changed for settings connection %s: unsaved (%d -> %d)",
+ uuid,
+ dev_checkpoint->settings_connection_is_unsaved,
+ sett_conn_unsaved);
+ *need_update = TRUE;
+ }
+
+ /* Check if the active state changed */
nm_manager_for_each_active_connection (priv->manager, active, tmp_clist) {
ac_uuid =
nm_settings_connection_get_uuid(nm_active_connection_get_settings_connection(active));
@@ -196,7 +275,7 @@ find_settings_connection(NMCheckpoint *self,
return sett_conn;
}
- /* ... or if the connection was reactivated/reapplied */
+ /* Check if the connection was reactivated/reapplied */
if (nm_active_connection_version_id_get(active) != dev_checkpoint->ac_version_id) {
_LOGT("rollback: active connection version id of %s changed", uuid);
*need_activation = TRUE;
@@ -212,12 +291,19 @@ restore_and_activate_connection(NMCheckpoint *self, DeviceCheckpoint *dev_checkp
NMSettingsConnection *connection;
gs_unref_object NMAuthSubject *subject = NULL;
GError *local_error = NULL;
- gboolean need_update, need_activation;
+ gboolean need_update;
+ gboolean need_update_shadowed;
+ gboolean need_activation;
NMSettingsConnectionPersistMode persist_mode;
NMSettingsConnectionIntFlags sett_flags;
NMSettingsConnectionIntFlags sett_mask;
- connection = find_settings_connection(self, dev_checkpoint, &need_update, &need_activation);
+ connection = find_settings_connection(self,
+ dev_checkpoint,
+ &need_update,
+ &need_update_shadowed,
+ &need_activation,
+ &persist_mode);
/* FIXME: we need to ensure to re-create/update the profile for the
* same settings plugin. E.g. if it was a keyfile in /run or /etc,
@@ -229,9 +315,26 @@ restore_and_activate_connection(NMCheckpoint *self, DeviceCheckpoint *dev_checkp
sett_mask = NM_SETTINGS_CONNECTION_INT_FLAGS_NONE;
if (connection) {
+ if (need_update_shadowed) {
+ _LOGD("rollback: updating shadowed file for connection %s",
+ nm_connection_get_uuid(dev_checkpoint->settings_connection));
+ nm_settings_connection_update(
+ connection,
+ NULL,
+ dev_checkpoint->settings_connection_shadowed,
+ NM_SETTINGS_CONNECTION_PERSIST_MODE_TO_DISK,
+ sett_flags,
+ sett_mask,
+ NM_SETTINGS_CONNECTION_UPDATE_REASON_RESET_SYSTEM_SECRETS
+ | NM_SETTINGS_CONNECTION_UPDATE_REASON_UPDATE_NON_SECRET,
+ "checkpoint-rollback",
+ NULL);
+ }
+
if (need_update) {
- _LOGD("rollback: updating connection %s", nm_settings_connection_get_uuid(connection));
- persist_mode = NM_SETTINGS_CONNECTION_PERSIST_MODE_KEEP;
+ _LOGD("rollback: updating connection %s with persist mode \"%s\"",
+ nm_connection_get_uuid(dev_checkpoint->settings_connection),
+ nm_settings_connection_persist_mode_to_string(persist_mode));
nm_settings_connection_update(
connection,
NULL,
@@ -246,21 +349,54 @@ restore_and_activate_connection(NMCheckpoint *self, DeviceCheckpoint *dev_checkp
}
} else {
/* The connection was deleted, recreate it */
- _LOGD("rollback: adding connection %s again",
- nm_connection_get_uuid(dev_checkpoint->settings_connection));
-
- persist_mode = NM_SETTINGS_CONNECTION_PERSIST_MODE_TO_DISK;
- if (!nm_settings_add_connection(NM_SETTINGS_GET,
- NULL,
- dev_checkpoint->settings_connection,
- persist_mode,
- NM_SETTINGS_CONNECTION_ADD_REASON_NONE,
- sett_flags,
- &connection,
- &local_error)) {
- _LOGD("rollback: connection add failure: %s", local_error->message);
- g_clear_error(&local_error);
- return FALSE;
+ if (need_update_shadowed) {
+ _LOGD("rollback: adding back shadowed file for connection %s",
+ nm_connection_get_uuid(dev_checkpoint->settings_connection));
+
+ if (!nm_settings_add_connection(NM_SETTINGS_GET,
+ NULL,
+ dev_checkpoint->settings_connection_shadowed,
+ NM_SETTINGS_CONNECTION_PERSIST_MODE_TO_DISK,
+ NM_SETTINGS_CONNECTION_ADD_REASON_NONE,
+ sett_flags,
+ &connection,
+ &local_error)) {
+ _LOGD("rollback: connection add failure: %s", local_error->message);
+ g_clear_error(&local_error);
+ return FALSE;
+ }
+
+ _LOGD("rollback: updating connection %s with persist mode \"%s\"",
+ nm_connection_get_uuid(dev_checkpoint->settings_connection),
+ nm_settings_connection_persist_mode_to_string(persist_mode));
+
+ nm_settings_connection_update(
+ connection,
+ NULL,
+ dev_checkpoint->settings_connection,
+ persist_mode,
+ sett_flags,
+ sett_mask,
+ NM_SETTINGS_CONNECTION_UPDATE_REASON_RESET_SYSTEM_SECRETS
+ | NM_SETTINGS_CONNECTION_UPDATE_REASON_UPDATE_NON_SECRET,
+ "checkpoint-rollback",
+ NULL);
+ } else {
+ _LOGD("rollback: adding back connection %s with persist mode \"%s\"",
+ nm_connection_get_uuid(dev_checkpoint->settings_connection),
+ nm_settings_connection_persist_mode_to_string(persist_mode));
+ if (!nm_settings_add_connection(NM_SETTINGS_GET,
+ NULL,
+ dev_checkpoint->settings_connection,
+ persist_mode,
+ NM_SETTINGS_CONNECTION_ADD_REASON_NONE,
+ sett_flags,
+ &connection,
+ &local_error)) {
+ _LOGD("rollback: connection add failure: %s", local_error->message);
+ g_clear_error(&local_error);
+ return FALSE;
+ }
}
need_activation = TRUE;
}
@@ -362,11 +498,15 @@ nm_checkpoint_rollback(NMCheckpoint *self)
while (g_hash_table_iter_next(&iter, (gpointer *) &device, (gpointer *) &dev_checkpoint)) {
guint32 result = NM_ROLLBACK_RESULT_OK;
- _LOGD("rollback: restoring device %s (state %d, realized %d, explicitly unmanaged %d)",
+ _LOGD("rollback: restoring device %s (state %d, realized %d, explicitly unmanaged %d, "
+ "connection-unsaved %d, connection-shadowed %d, connection-shadowed-owned %d)",
dev_checkpoint->original_dev_name,
(int) dev_checkpoint->state,
dev_checkpoint->realized,
- dev_checkpoint->unmanaged_explicit);
+ dev_checkpoint->unmanaged_explicit,
+ dev_checkpoint->settings_connection_is_unsaved,
+ !!dev_checkpoint->settings_connection_shadowed,
+ dev_checkpoint->settings_connection_is_shadowed_owned);
if (nm_device_is_real(device)) {
if (!dev_checkpoint->realized) {
@@ -518,6 +658,7 @@ device_checkpoint_destroy(gpointer data)
g_clear_object(&dev_checkpoint->applied_connection);
g_clear_object(&dev_checkpoint->settings_connection);
g_clear_object(&dev_checkpoint->device);
+ g_clear_object(&dev_checkpoint->settings_connection_shadowed);
g_free(dev_checkpoint->original_dev_path);
g_free(dev_checkpoint->original_dev_name);
@@ -555,7 +696,7 @@ _dev_exported_changed(NMDBusObject *obj, NMCheckpoint *checkpoint)
}
static DeviceCheckpoint *
-device_checkpoint_create(NMCheckpoint *checkpoint, NMDevice *device)
+device_checkpoint_create(NMCheckpoint *self, NMDevice *device)
{
DeviceCheckpoint *dev_checkpoint;
NMConnection *applied_connection;
@@ -579,7 +720,7 @@ device_checkpoint_create(NMCheckpoint *checkpoint, NMDevice *device)
dev_checkpoint->dev_exported_change_id = g_signal_connect(device,
NM_DBUS_OBJECT_EXPORTED_CHANGED,
G_CALLBACK(_dev_exported_changed),
- checkpoint);
+ self);
if (nm_device_get_unmanaged_mask(device, NM_UNMANAGED_USER_EXPLICIT)) {
dev_checkpoint->unmanaged_explicit =
@@ -589,6 +730,11 @@ device_checkpoint_create(NMCheckpoint *checkpoint, NMDevice *device)
act_request = nm_device_get_act_request(device);
if (act_request) {
+ NMSettingsStorage *storage;
+ gboolean shadowed_owned = FALSE;
+ const char *shadowed_file;
+ gs_free_error GError *error = NULL;
+
settings_connection = nm_act_request_get_settings_connection(act_request);
applied_connection = nm_act_request_get_applied_connection(act_request);
@@ -602,6 +748,24 @@ device_checkpoint_create(NMCheckpoint *checkpoint, NMDevice *device)
dev_checkpoint->activation_lifetime_bound_to_profile_visibility =
NM_FLAGS_HAS(nm_active_connection_get_state_flags(NM_ACTIVE_CONNECTION(act_request)),
NM_ACTIVATION_STATE_FLAG_LIFETIME_BOUND_TO_PROFILE_VISIBILITY);
+
+ dev_checkpoint->settings_connection_is_unsaved =
+ NM_FLAGS_HAS(nm_settings_connection_get_flags(settings_connection),
+ NM_SETTINGS_CONNECTION_INT_FLAGS_UNSAVED);
+
+ storage = nm_settings_connection_get_storage(settings_connection);
+ shadowed_file =
+ storage ? nm_settings_storage_get_shadowed_storage(storage, &shadowed_owned) : NULL;
+ if (shadowed_file) {
+ dev_checkpoint->settings_connection_is_shadowed_owned = shadowed_owned;
+ dev_checkpoint->settings_connection_shadowed =
+ parse_connection_from_shadowed_file(shadowed_file, &error);
+ if (!dev_checkpoint->settings_connection_shadowed) {
+ _LOGW("error reading shadowed connection file for %s: %s",
+ nm_device_get_iface(device),
+ error->message);
+ }
+ }
}
return dev_checkpoint;
--
2.41.0

View File

@ -1,190 +0,0 @@
From 1e74f06a69d0f01753d6f2f071202a41b92239bc Mon Sep 17 00:00:00 2001
From: Thomas Haller <thaller@redhat.com>
Date: Wed, 31 May 2023 13:06:22 +0200
Subject: [PATCH 1/2] cloud-setup: fix terminating in the middle of
reconfiguring the system
Once we start reconfiguring the system, we need to finish on all
interfaces. Otherwise, we might reconfigure some interfaces, abort
and leave the network broken. When that happens, a subsequent run
might also be unable to recover, because we are unable to reach the
HTTP meta data service.
https://bugzilla.redhat.com/show_bug.cgi?id=2207812
Fixes: 69f048bf0ca3 ('cloud-setup: add tool for automatic IP configuration in cloud')
(cherry picked from commit dab114f038f39e07080f71426d70e84449890088)
(cherry picked from commit 0a033798ac646c80669ab5d8a15362583f4d8ba4)
(cherry picked from commit fe243025e5751dda2e5a3694953f92c87372e008)
---
src/nm-cloud-setup/main.c | 49 ++++++++++++++++++++++++++-------------
1 file changed, 33 insertions(+), 16 deletions(-)
diff --git a/src/nm-cloud-setup/main.c b/src/nm-cloud-setup/main.c
index e1cbd1d4d8..01e41bd72e 100644
--- a/src/nm-cloud-setup/main.c
+++ b/src/nm-cloud-setup/main.c
@@ -15,6 +15,12 @@
/*****************************************************************************/
+typedef struct {
+ GCancellable *cancellable;
+ gboolean enabled;
+ gboolean signal_received;
+} SigTermData;
+
typedef struct {
GMainLoop *main_loop;
GCancellable *cancellable;
@@ -444,7 +450,7 @@ _nmc_mangle_connection(NMDevice *device,
/*****************************************************************************/
static gboolean
-_config_one(GCancellable *sigterm_cancellable,
+_config_one(SigTermData *sigterm_data,
NMClient *nmc,
const NMCSProviderGetConfigResult *result,
guint idx)
@@ -464,7 +470,7 @@ _config_one(GCancellable *sigterm_cancellable,
g_main_context_iteration(NULL, FALSE);
- if (g_cancellable_is_cancelled(sigterm_cancellable))
+ if (g_cancellable_is_cancelled(sigterm_data->cancellable))
return FALSE;
device = nm_g_object_ref(_nmc_get_device_by_hwaddr(nmc, hwaddr));
@@ -498,7 +504,7 @@ try_again:
g_clear_error(&error);
applied_connection = nmcs_device_get_applied_connection(device,
- sigterm_cancellable,
+ sigterm_data->cancellable,
&applied_version_id,
&error);
if (!applied_connection) {
@@ -560,8 +566,12 @@ try_again:
* during package upgrade. */
maybe_no_preserved_external_ip = TRUE;
+ /* Once we start reconfiguring the system, we cannot abort in the middle. From now on,
+ * any SIGTERM gets ignored until we are done. */
+ sigterm_data->enabled = FALSE;
+
if (!nmcs_device_reapply(device,
- sigterm_cancellable,
+ NULL,
applied_connection,
applied_version_id,
maybe_no_preserved_external_ip,
@@ -592,15 +602,13 @@ try_again:
}
static gboolean
-_config_all(GCancellable *sigterm_cancellable,
- NMClient *nmc,
- const NMCSProviderGetConfigResult *result)
+_config_all(SigTermData *sigterm_data, NMClient *nmc, const NMCSProviderGetConfigResult *result)
{
gboolean any_changes = FALSE;
guint i;
for (i = 0; i < result->n_iface_datas; i++) {
- if (_config_one(sigterm_cancellable, nmc, result, i))
+ if (_config_one(sigterm_data, nmc, result, i))
any_changes = TRUE;
}
@@ -612,13 +620,16 @@ _config_all(GCancellable *sigterm_cancellable,
static gboolean
sigterm_handler(gpointer user_data)
{
- GCancellable *sigterm_cancellable = user_data;
+ SigTermData *sigterm_data = user_data;
- if (!g_cancellable_is_cancelled(sigterm_cancellable)) {
- _LOGD("SIGTERM received");
- g_cancellable_cancel(user_data);
- } else
- _LOGD("SIGTERM received (again)");
+ _LOGD("SIGTERM received (%s) (%s)",
+ sigterm_data->signal_received ? "first time" : "again",
+ sigterm_data->enabled ? "cancel operation" : "ignore");
+
+ sigterm_data->signal_received = TRUE;
+
+ if (sigterm_data->enabled)
+ g_cancellable_cancel(sigterm_data->cancellable);
return G_SOURCE_CONTINUE;
}
@@ -633,6 +644,7 @@ main(int argc, const char *const *argv)
gs_unref_object NMClient *nmc = NULL;
nm_auto_free_nmcs_provider_get_config_result NMCSProviderGetConfigResult *result = NULL;
gs_free_error GError *error = NULL;
+ SigTermData sigterm_data;
_nm_logging_enabled_init(g_getenv(NMCS_ENV_VARIABLE("NM_CLOUD_SETUP_LOG")));
@@ -645,7 +657,12 @@ main(int argc, const char *const *argv)
sigterm_cancellable = g_cancellable_new();
- sigterm_source = nm_g_unix_signal_add_source(SIGTERM, sigterm_handler, sigterm_cancellable);
+ sigterm_data = (SigTermData){
+ .cancellable = sigterm_cancellable,
+ .enabled = TRUE,
+ .signal_received = FALSE,
+ };
+ sigterm_source = nm_g_unix_signal_add_source(SIGTERM, sigterm_handler, &sigterm_data);
provider = _provider_detect(sigterm_cancellable);
if (!provider)
@@ -676,7 +693,7 @@ main(int argc, const char *const *argv)
if (!result)
goto done;
- if (_config_all(sigterm_cancellable, nmc, result))
+ if (_config_all(&sigterm_data, nmc, result))
_LOGI("some changes were applied for provider %s", nmcs_provider_get_name(provider));
else
_LOGD("no changes were applied for provider %s", nmcs_provider_get_name(provider));
--
2.40.1
From 1d148ee9592e1292a62f1d932c85d4ca94e9d642 Mon Sep 17 00:00:00 2001
From: Thomas Haller <thaller@redhat.com>
Date: Mon, 5 Jun 2023 13:04:53 +0200
Subject: [PATCH 2/2] cloud-setup: clear error variable in
nmcs_device_reapply()
This is rather bad, because if we reach the "goto again" case,
the error variable is not cleared. Subsequently passing the
error location to nm_device_reapply_finish() will trigger a glib
warning.
Fixes: 29b0420be72f ('nm-cloud-setup: set preserve-external-ip flag during reapply')
(cherry picked from commit c70a5470be034c660b426ebdbef9e8e67609ece7)
(cherry picked from commit 98be3dd5acafa88e7477dcbb9d6420cb2e73ec01)
(cherry picked from commit 5cc38d1c6b1d76b1fa93cba021cf6a5472f12fa4)
---
src/nm-cloud-setup/nm-cloud-setup-utils.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/nm-cloud-setup/nm-cloud-setup-utils.c b/src/nm-cloud-setup/nm-cloud-setup-utils.c
index 7cf7959241..1410ecf7c1 100644
--- a/src/nm-cloud-setup/nm-cloud-setup-utils.c
+++ b/src/nm-cloud-setup/nm-cloud-setup-utils.c
@@ -833,6 +833,8 @@ nmcs_device_reapply(NMDevice *device,
NMDeviceReapplyFlags reapply_flags = NM_DEVICE_REAPPLY_FLAGS_PRESERVE_EXTERNAL_IP;
again:
+ g_clear_error(&data.error);
+
nm_device_reapply_async(device,
connection,
version_id,
--
2.40.1

View File

@ -1,50 +0,0 @@
From a5826caf0607ca3c490bdc76d1d453226ca2e191 Mon Sep 17 00:00:00 2001
From: Fernando Fernandez Mancera <ffmancera@riseup.net>
Date: Tue, 18 Jul 2023 13:46:30 +0200
Subject: [PATCH] manager: allow controller activation if device is
deactivating
When activating a port connection it will require the controller
connection is active or a valid controller device candidate is available
for activation.
One of the conditions we consider for a controller device to be a valid
candidate for the connection is that it is not active, therefore we
should also consider as valid a device that is currently deactivating.
Otherwise, we could fail during the port activation just because the
deactivation of the controller device candidate didn't finish yet.
https://bugzilla.redhat.com/show_bug.cgi?id=2125615
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1693
(cherry picked from commit fb362e0583fe9b75269220c7c8b966e2247084ea)
(cherry picked from commit 43f244ef2e4c4052fe708b77244444ee7eff238c)
(cherry picked from commit 401f153dfb52d12495bb39899f2b4dde7dfb72ce)
---
src/core/nm-manager.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/core/nm-manager.c b/src/core/nm-manager.c
index 822df7ad3b..4ef87a5d83 100644
--- a/src/core/nm-manager.c
+++ b/src/core/nm-manager.c
@@ -4608,11 +4608,11 @@ ensure_master_active_connection(NMManager *self,
NULL))
continue;
- if (!nm_device_is_software(candidate)) {
- master_state = nm_device_get_state(candidate);
- if (nm_device_is_real(candidate) && master_state != NM_DEVICE_STATE_DISCONNECTED)
- continue;
- }
+ if (nm_device_is_real(candidate)
+ && !NM_IN_SET(nm_device_get_state(candidate),
+ NM_DEVICE_STATE_DISCONNECTED,
+ NM_DEVICE_STATE_DEACTIVATING))
+ continue;
master_ac = nm_manager_activate_connection(
self,
--
2.41.0

View File

@ -1,90 +0,0 @@
From a7005248bbd8d563962c6a68ed7f1ead58e9df26 Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Tue, 28 Mar 2023 09:32:13 +0200
Subject: [PATCH] core: fix l3cd comparison
NM_CMP_SELF(a, b) returns immediately if the objects are the same.
Fixes: cb29244552af ('core: support compare flags in nm_l3_config_data_cmp_full()')
Fixes-test: @dracut_NM_iSCSI_ibft_table
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1583
(cherry picked from commit 0a02995175e06e62924705393121a1c5efc3822d)
(cherry picked from commit 5d95c20787077a91d684259d67f2e0ff3a1d7a1a)
(cherry picked from commit 1395171326e84eafbf2f372c232bf27a4ed79481)
---
src/core/nm-l3-config-data.c | 55 ++++++++++++++++++------------------
1 file changed, 28 insertions(+), 27 deletions(-)
diff --git a/src/core/nm-l3-config-data.c b/src/core/nm-l3-config-data.c
index d4c7f0c5fb..afdd53920d 100644
--- a/src/core/nm-l3-config-data.c
+++ b/src/core/nm-l3-config-data.c
@@ -2278,36 +2278,37 @@ nm_l3_config_data_cmp_full(const NML3ConfigData *a,
const NMPObject *def_route_a = a->best_default_route_x[IS_IPv4];
const NMPObject *def_route_b = b->best_default_route_x[IS_IPv4];
- NM_CMP_SELF(def_route_a, def_route_b);
-
- if (NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_ROUTES)) {
- NM_CMP_RETURN(nmp_object_cmp_full(def_route_a,
- def_route_b,
- NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_IFINDEX)
- ? NMP_OBJECT_CMP_FLAGS_NONE
- : NMP_OBJECT_CMP_FLAGS_IGNORE_IFINDEX));
- } else if (NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_ROUTES_ID)) {
- if (NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_IFINDEX)) {
- NM_CMP_DIRECT(def_route_a->obj_with_ifindex.ifindex,
- def_route_b->obj_with_ifindex.ifindex);
- }
+ if (def_route_a != def_route_b) {
+ if (NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_ROUTES)) {
+ NM_CMP_RETURN(
+ nmp_object_cmp_full(def_route_a,
+ def_route_b,
+ NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_IFINDEX)
+ ? NMP_OBJECT_CMP_FLAGS_NONE
+ : NMP_OBJECT_CMP_FLAGS_IGNORE_IFINDEX));
+ } else if (NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_ROUTES_ID)) {
+ if (NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_IFINDEX)) {
+ NM_CMP_DIRECT(def_route_a->obj_with_ifindex.ifindex,
+ def_route_b->obj_with_ifindex.ifindex);
+ }
- if (IS_IPv4) {
- NMPlatformIP4Route ra = def_route_a->ip4_route;
- NMPlatformIP4Route rb = def_route_b->ip4_route;
+ if (IS_IPv4) {
+ NMPlatformIP4Route ra = def_route_a->ip4_route;
+ NMPlatformIP4Route rb = def_route_b->ip4_route;
- NM_CMP_DIRECT(ra.metric, rb.metric);
- NM_CMP_DIRECT(ra.plen, rb.plen);
- NM_CMP_RETURN_DIRECT(
- nm_utils_ip4_address_same_prefix_cmp(ra.network, rb.network, ra.plen));
- } else {
- NMPlatformIP6Route ra = def_route_a->ip6_route;
- NMPlatformIP6Route rb = def_route_b->ip6_route;
+ NM_CMP_DIRECT(ra.metric, rb.metric);
+ NM_CMP_DIRECT(ra.plen, rb.plen);
+ NM_CMP_RETURN_DIRECT(
+ nm_utils_ip4_address_same_prefix_cmp(ra.network, rb.network, ra.plen));
+ } else {
+ NMPlatformIP6Route ra = def_route_a->ip6_route;
+ NMPlatformIP6Route rb = def_route_b->ip6_route;
- NM_CMP_DIRECT(ra.metric, rb.metric);
- NM_CMP_DIRECT(ra.plen, rb.plen);
- NM_CMP_RETURN_DIRECT(
- nm_utils_ip6_address_same_prefix_cmp(&ra.network, &rb.network, ra.plen));
+ NM_CMP_DIRECT(ra.metric, rb.metric);
+ NM_CMP_DIRECT(ra.plen, rb.plen);
+ NM_CMP_RETURN_DIRECT(
+ nm_utils_ip6_address_same_prefix_cmp(&ra.network, &rb.network, ra.plen));
+ }
}
}
--
2.41.0

View File

@ -1,299 +0,0 @@
From 818352a0342358f4c62465aa5b3590b8e5fb924d Mon Sep 17 00:00:00 2001
From: Gris Ge <fge@redhat.com>
Date: Tue, 26 Sep 2023 15:00:32 +0800
Subject: [PATCH 1/2] emit DNS CONFIG_CHANGED signal even dns=none
Instruct the `NMDnsManager` to emit `CONFIG_CHANGED` signal even
`dns=none` or failed to modify `/etc/resolv.conf`.
The `NMPolicy` will only update hostname when DNS is managed.
Signed-off-by: Gris Ge <fge@redhat.com>
(cherry picked from commit a847ba807572c3ef3682e833432f2f93e9d519a0)
(cherry picked from commit d10f20fd01a7bb3225c7e38ed80449e19156344b)
(cherry picked from commit e0f3a91a95d45f729bd42956617aafb84e26a47b)
(cherry picked from commit cd9ebfd2bb76b99b861af1272f5ef9bb0d279008)
---
src/core/dns/nm-dns-manager.c | 12 +++++++++++-
src/core/dns/nm-dns-manager.h | 2 ++
src/core/nm-policy.c | 10 ++++++----
3 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/src/core/dns/nm-dns-manager.c b/src/core/dns/nm-dns-manager.c
index 416a9bf915..2d5f1245b3 100644
--- a/src/core/dns/nm-dns-manager.c
+++ b/src/core/dns/nm-dns-manager.c
@@ -1907,7 +1907,7 @@ plugin_skip:;
}
/* signal that DNS resolution configs were changed */
- if ((do_update || caching || force_emit) && result == SR_SUCCESS)
+ if ((caching || force_emit) && result == SR_SUCCESS)
g_signal_emit(self, signals[CONFIG_CHANGED], 0);
nm_clear_pointer(&priv->config_variant, g_variant_unref);
@@ -1923,6 +1923,16 @@ plugin_skip:;
return TRUE;
}
+gboolean
+nm_dns_manager_is_unmanaged(NMDnsManager *self)
+{
+ NMDnsManagerPrivate *priv = NM_DNS_MANAGER_GET_PRIVATE(self);
+
+ return NM_IN_SET(priv->rc_manager,
+ NM_DNS_MANAGER_RESOLV_CONF_MAN_UNMANAGED,
+ NM_DNS_MANAGER_RESOLV_CONF_MAN_IMMUTABLE);
+}
+
/*****************************************************************************/
gboolean
diff --git a/src/core/dns/nm-dns-manager.h b/src/core/dns/nm-dns-manager.h
index b41bf1ccf2..b697b3e380 100644
--- a/src/core/dns/nm-dns-manager.h
+++ b/src/core/dns/nm-dns-manager.h
@@ -148,4 +148,6 @@ char *nmtst_dns_create_resolv_conf(const char *const *searches,
const char *const *nameservers,
const char *const *options);
+gboolean nm_dns_manager_is_unmanaged(NMDnsManager *self);
+
#endif /* __NETWORKMANAGER_DNS_MANAGER_H__ */
diff --git a/src/core/nm-policy.c b/src/core/nm-policy.c
index 0b7c9eddca..d9e7643fa2 100644
--- a/src/core/nm-policy.c
+++ b/src/core/nm-policy.c
@@ -2563,11 +2563,13 @@ dns_config_changed(NMDnsManager *dns_manager, gpointer user_data)
if (priv->updating_dns)
return;
- nm_manager_for_each_device (priv->manager, device, tmp_lst) {
- nm_device_clear_dns_lookup_data(device, "DNS configuration changed");
- }
+ if (!nm_dns_manager_is_unmanaged(dns_manager)) {
+ nm_manager_for_each_device (priv->manager, device, tmp_lst) {
+ nm_device_clear_dns_lookup_data(device, "DNS configuration changed");
+ }
- update_system_hostname(self, "DNS configuration changed");
+ update_system_hostname(self, "DNS configuration changed");
+ }
}
static void
--
2.41.0
From 206d974bfbd3f0496d2263ec8a12ee58ce085b0e Mon Sep 17 00:00:00 2001
From: Gris Ge <fge@redhat.com>
Date: Wed, 18 Oct 2023 15:03:13 +0800
Subject: [PATCH 2/2] dispatch `dns-change` dispatcher event
Introducing new dispatcher event -- `dns-change` which will be emitted when
DNS configuration changed(even in `dns=none` mode). This is to solve two
use cases:
* Invoke dispatch script for DNS changes triggered by the global DNS
API.
* Do not invoke [OpenShift resolv-prepender][1] for non-DNS changes.
Bug reference: https://issues.redhat.com/browse/RHEL-1671
[1]: https://github.com/openshift/machine-config-operator/blob/master/templates/common/on-prem/files/resolv-prepender.yaml
Signed-off-by: Gris Ge <fge@redhat.com>
(cherry picked from commit a1db61ebc9712d1faf2ef8f1b2cb14cd819346d3)
(cherry picked from commit 3cdce71b95cea11bf409d9353c35a4dea6f33984)
(cherry picked from commit 9ae535c61a5116179ba2f775458427b93518ac49)
(cherry picked from commit e74a349e1e88e06436a6809b92faa249910daabd)
---
man/NetworkManager-dispatcher.xml | 5 +-
src/core/nm-dispatcher.c | 51 ++++++++++++++++---
src/core/nm-dispatcher.h | 5 +-
src/core/nm-policy.c | 2 +
src/libnm-core-aux-extern/nm-dispatcher-api.h | 1 +
src/nm-dispatcher/nm-dispatcher-utils.c | 8 ++-
6 files changed, 60 insertions(+), 12 deletions(-)
diff --git a/man/NetworkManager-dispatcher.xml b/man/NetworkManager-dispatcher.xml
index 4a603b1566..8a3c0b46ed 100644
--- a/man/NetworkManager-dispatcher.xml
+++ b/man/NetworkManager-dispatcher.xml
@@ -68,8 +68,9 @@
device an operation just happened on, and second the action. For device actions,
the interface is the name of the kernel interface suitable for IP configuration.
Thus it is either VPN_IP_IFACE, DEVICE_IP_IFACE, or DEVICE_IFACE, as applicable.
- For the <varname>hostname</varname> action the device name is always <literal>"none"</literal>
- and for <varname>connectivity-change</varname> it is empty.
+ For the <varname>hostname</varname> action the device name is always <literal>"none"</literal>.
+ For <varname>connectivity-change</varname> it is empty.
+ For <varname>dns-change</varname> it is empty.
</para>
<para>The actions are:</para>
<variablelist class="dispatcher-options">
diff --git a/src/core/nm-dispatcher.c b/src/core/nm-dispatcher.c
index d3529ee4de..a0ce4de80d 100644
--- a/src/core/nm-dispatcher.c
+++ b/src/core/nm-dispatcher.c
@@ -49,6 +49,8 @@
} \
G_STMT_END
+static gboolean nm_dispatcher_need_device(NMDispatcherAction action);
+
/*****************************************************************************/
struct NMDispatcherCallId {
@@ -465,7 +467,8 @@ static const char *action_table[] = {[NM_DISPATCHER_ACTION_HOSTNAME] = NMD_
[NM_DISPATCHER_ACTION_DHCP_CHANGE_4] = NMD_ACTION_DHCP4_CHANGE,
[NM_DISPATCHER_ACTION_DHCP_CHANGE_6] = NMD_ACTION_DHCP6_CHANGE,
[NM_DISPATCHER_ACTION_CONNECTIVITY_CHANGE] =
- NMD_ACTION_CONNECTIVITY_CHANGE};
+ NMD_ACTION_CONNECTIVITY_CHANGE,
+ [NM_DISPATCHER_ACTION_DNS_CHANGE] = NMD_ACTION_DNS_CHANGE};
static const char *
action_to_string(NMDispatcherAction action)
@@ -526,9 +529,7 @@ _dispatcher_call(NMDispatcherAction action,
if (G_UNLIKELY(!request_id))
request_id = ++gl.request_id_counter;
- /* All actions except 'hostname' and 'connectivity-change' require a device */
- if (action == NM_DISPATCHER_ACTION_HOSTNAME
- || action == NM_DISPATCHER_ACTION_CONNECTIVITY_CHANGE) {
+ if (!nm_dispatcher_need_device(action)) {
_LOG2D(request_id,
log_ifname,
log_con_uuid,
@@ -588,9 +589,8 @@ _dispatcher_call(NMDispatcherAction action,
g_variant_builder_init(&vpn_ip4_props, G_VARIANT_TYPE_VARDICT);
g_variant_builder_init(&vpn_ip6_props, G_VARIANT_TYPE_VARDICT);
- /* hostname and connectivity-change actions don't send device data */
- if (action != NM_DISPATCHER_ACTION_HOSTNAME
- && action != NM_DISPATCHER_ACTION_CONNECTIVITY_CHANGE) {
+ /* hostname, DNS and connectivity-change actions don't send device data */
+ if (nm_dispatcher_need_device(action)) {
fill_device_props(device,
&device_props,
&device_proxy_props,
@@ -921,6 +921,30 @@ nm_dispatcher_call_connectivity(NMConnectivityState connectivity_state,
out_call_id);
}
+/**
+ * nm_dispatcher_call_dns_change():
+ *
+ * This method does not block the caller.
+ *
+ * Returns: %TRUE if the action was dispatched, %FALSE on failure
+ */
+gboolean
+nm_dispatcher_call_dns_change(void)
+{
+ return _dispatcher_call(NM_DISPATCHER_ACTION_DNS_CHANGE,
+ FALSE,
+ NULL,
+ NULL,
+ NULL,
+ FALSE,
+ NM_CONNECTIVITY_UNKNOWN,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL);
+}
+
void
nm_dispatcher_call_cancel(NMDispatcherCallId *call_id)
{
@@ -933,3 +957,16 @@ nm_dispatcher_call_cancel(NMDispatcherCallId *call_id)
_LOG3D(call_id, "cancelling dispatcher callback action");
call_id->callback = NULL;
}
+
+/* All actions except 'hostname', 'connectivity-change' and 'dns-change' require
+ * a device */
+static gboolean
+nm_dispatcher_need_device(NMDispatcherAction action)
+{
+ if (action == NM_DISPATCHER_ACTION_HOSTNAME
+ || action == NM_DISPATCHER_ACTION_CONNECTIVITY_CHANGE
+ || action == NM_DISPATCHER_ACTION_DNS_CHANGE) {
+ return FALSE;
+ }
+ return TRUE;
+}
diff --git a/src/core/nm-dispatcher.h b/src/core/nm-dispatcher.h
index 73e0599a75..50d50e9a6a 100644
--- a/src/core/nm-dispatcher.h
+++ b/src/core/nm-dispatcher.h
@@ -21,7 +21,8 @@ typedef enum {
NM_DISPATCHER_ACTION_VPN_DOWN,
NM_DISPATCHER_ACTION_DHCP_CHANGE_4,
NM_DISPATCHER_ACTION_DHCP_CHANGE_6,
- NM_DISPATCHER_ACTION_CONNECTIVITY_CHANGE
+ NM_DISPATCHER_ACTION_CONNECTIVITY_CHANGE,
+ NM_DISPATCHER_ACTION_DNS_CHANGE,
} NMDispatcherAction;
#define NM_DISPATCHER_ACTION_DHCP_CHANGE_X(IS_IPv4) \
@@ -68,6 +69,8 @@ gboolean nm_dispatcher_call_connectivity(NMConnectivityState state,
gpointer user_data,
NMDispatcherCallId **out_call_id);
+gboolean nm_dispatcher_call_dns_change(void);
+
void nm_dispatcher_call_cancel(NMDispatcherCallId *call_id);
#endif /* __NM_DISPATCHER_H__ */
diff --git a/src/core/nm-policy.c b/src/core/nm-policy.c
index d9e7643fa2..9316325c68 100644
--- a/src/core/nm-policy.c
+++ b/src/core/nm-policy.c
@@ -2570,6 +2570,8 @@ dns_config_changed(NMDnsManager *dns_manager, gpointer user_data)
update_system_hostname(self, "DNS configuration changed");
}
+
+ nm_dispatcher_call_dns_change();
}
static void
diff --git a/src/libnm-core-aux-extern/nm-dispatcher-api.h b/src/libnm-core-aux-extern/nm-dispatcher-api.h
index 7776c84f9a..d19caa0bb5 100644
--- a/src/libnm-core-aux-extern/nm-dispatcher-api.h
+++ b/src/libnm-core-aux-extern/nm-dispatcher-api.h
@@ -33,6 +33,7 @@
#define NMD_ACTION_DHCP4_CHANGE "dhcp4-change"
#define NMD_ACTION_DHCP6_CHANGE "dhcp6-change"
#define NMD_ACTION_CONNECTIVITY_CHANGE "connectivity-change"
+#define NMD_ACTION_DNS_CHANGE "dns-change"
typedef enum {
DISPATCH_RESULT_UNKNOWN = 0,
diff --git a/src/nm-dispatcher/nm-dispatcher-utils.c b/src/nm-dispatcher/nm-dispatcher-utils.c
index 74ea4e4001..f8a4c28000 100644
--- a/src/nm-dispatcher/nm-dispatcher-utils.c
+++ b/src/nm-dispatcher/nm-dispatcher-utils.c
@@ -453,8 +453,12 @@ nm_dispatcher_utils_construct_envp(const char *action,
items = g_ptr_array_new_with_free_func(g_free);
- /* Hostname and connectivity changes don't require a device nor contain a connection */
- if (NM_IN_STRSET(action, NMD_ACTION_HOSTNAME, NMD_ACTION_CONNECTIVITY_CHANGE))
+ /* Hostname, dns and connectivity changes don't require a device nor contain
+ * a connection */
+ if (NM_IN_STRSET(action,
+ NMD_ACTION_HOSTNAME,
+ NMD_ACTION_CONNECTIVITY_CHANGE,
+ NMD_ACTION_DNS_CHANGE))
goto done;
/* Connection properties */
--
2.41.0

View File

@ -1,51 +0,0 @@
From c62f49f07ed84b266427feb53469109d8878c496 Mon Sep 17 00:00:00 2001
From: Gris Ge <fge@redhat.com>
Date: Wed, 12 Jul 2023 16:22:03 +0800
Subject: [PATCH] device: do not set MAC address on iface with index <=0
The `nm_device_hw_addr_reset()` should only set MAC address on NIC
with valid(>0) interface index.
The failure was found by `ovs_mtu` test of NMCI, failed to reproduce
the original problem (`ovs_mtu` test of NMCI) with 100 times retry.
And no trace log found for original test failure, hence cannot tell why
`nm_device_hw_addr_reset()` been invoked with iface index 0.
Signed-off-by: Gris Ge <fge@redhat.com>
(cherry picked from commit 215bc1525501b22325c2a17090a5f911e01f06a9)
(cherry picked from commit 21f1e5cdc7d72376cdaa63112d8a134b714b2002)
(cherry picked from commit 37bd70034f7f43becf2cc64468143c5ea2666762)
---
src/core/devices/nm-device.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/core/devices/nm-device.c b/src/core/devices/nm-device.c
index 2ac55fa83c..5748d80393 100644
--- a/src/core/devices/nm-device.c
+++ b/src/core/devices/nm-device.c
@@ -16859,6 +16859,7 @@ nm_device_hw_addr_reset(NMDevice *self, const char *detail)
{
NMDevicePrivate *priv;
const char *addr;
+ int ifindex;
g_return_val_if_fail(NM_IS_DEVICE(self), FALSE);
@@ -16868,7 +16869,13 @@ nm_device_hw_addr_reset(NMDevice *self, const char *detail)
return TRUE;
priv->hw_addr_type = HW_ADDR_TYPE_UNSET;
- addr = nm_device_get_initial_hw_address(self);
+
+ ifindex = nm_device_get_ip_ifindex(self);
+ if (ifindex <= 0) {
+ return TRUE;
+ }
+
+ addr = nm_device_get_initial_hw_address(self);
if (!addr) {
/* as hw_addr_type is not UNSET, we expect that we can get an
* initial address to which to reset. */
--
2.41.0

View File

@ -1,822 +0,0 @@
From e49026b4856fd492eb6e30a18133414841eeb609 Mon Sep 17 00:00:00 2001
From: Thomas Haller <thaller@redhat.com>
Date: Wed, 3 May 2023 11:43:33 +0200
Subject: [PATCH 1/5] libnm/trivial: rename internal connection-get-setting
methods
This function will be exposed on the internal header. Rename to
_nm_connection_get_setting_by_metatype().
(cherry picked from commit 27cbf584bdb7451e196b03b706c4c4dfa266ba3e)
(cherry picked from commit c194db5755f18b3fd55a9a7b4b4d25882f05ce05)
(cherry picked from commit 39227612384c08da845a7d97a87de3b10277320a)
---
src/libnm-core-impl/nm-connection.c | 81 ++++++++++++++---------------
1 file changed, 40 insertions(+), 41 deletions(-)
diff --git a/src/libnm-core-impl/nm-connection.c b/src/libnm-core-impl/nm-connection.c
index 67a9034dcc..fc4bc51c17 100644
--- a/src/libnm-core-impl/nm-connection.c
+++ b/src/libnm-core-impl/nm-connection.c
@@ -339,7 +339,7 @@ _connection_get_setting_check(NMConnection *connection, GType setting_type)
}
static gpointer
-_connection_get_setting_by_meta_type_check(NMConnection *connection, NMMetaSettingType meta_type)
+_nm_connection_get_setting_by_metatype(NMConnection *connection, NMMetaSettingType meta_type)
{
g_return_val_if_fail(NM_IS_CONNECTION(connection), NULL);
@@ -3231,7 +3231,7 @@ nm_connection_get_virtual_device_description(NMConnection *connection)
NMSetting8021x *
nm_connection_get_setting_802_1x(NMConnection *connection)
{
- return _connection_get_setting_by_meta_type_check(connection, NM_META_SETTING_TYPE_802_1X);
+ return _nm_connection_get_setting_by_metatype(connection, NM_META_SETTING_TYPE_802_1X);
}
/**
@@ -3245,7 +3245,7 @@ nm_connection_get_setting_802_1x(NMConnection *connection)
NMSettingBluetooth *
nm_connection_get_setting_bluetooth(NMConnection *connection)
{
- return _connection_get_setting_by_meta_type_check(connection, NM_META_SETTING_TYPE_BLUETOOTH);
+ return _nm_connection_get_setting_by_metatype(connection, NM_META_SETTING_TYPE_BLUETOOTH);
}
/**
@@ -3259,7 +3259,7 @@ nm_connection_get_setting_bluetooth(NMConnection *connection)
NMSettingBond *
nm_connection_get_setting_bond(NMConnection *connection)
{
- return _connection_get_setting_by_meta_type_check(connection, NM_META_SETTING_TYPE_BOND);
+ return _nm_connection_get_setting_by_metatype(connection, NM_META_SETTING_TYPE_BOND);
}
/**
@@ -3273,7 +3273,7 @@ nm_connection_get_setting_bond(NMConnection *connection)
NMSettingTeam *
nm_connection_get_setting_team(NMConnection *connection)
{
- return _connection_get_setting_by_meta_type_check(connection, NM_META_SETTING_TYPE_TEAM);
+ return _nm_connection_get_setting_by_metatype(connection, NM_META_SETTING_TYPE_TEAM);
}
/**
@@ -3287,7 +3287,7 @@ nm_connection_get_setting_team(NMConnection *connection)
NMSettingTeamPort *
nm_connection_get_setting_team_port(NMConnection *connection)
{
- return _connection_get_setting_by_meta_type_check(connection, NM_META_SETTING_TYPE_TEAM_PORT);
+ return _nm_connection_get_setting_by_metatype(connection, NM_META_SETTING_TYPE_TEAM_PORT);
}
/**
@@ -3301,7 +3301,7 @@ nm_connection_get_setting_team_port(NMConnection *connection)
NMSettingBridge *
nm_connection_get_setting_bridge(NMConnection *connection)
{
- return _connection_get_setting_by_meta_type_check(connection, NM_META_SETTING_TYPE_BRIDGE);
+ return _nm_connection_get_setting_by_metatype(connection, NM_META_SETTING_TYPE_BRIDGE);
}
/**
@@ -3315,7 +3315,7 @@ nm_connection_get_setting_bridge(NMConnection *connection)
NMSettingCdma *
nm_connection_get_setting_cdma(NMConnection *connection)
{
- return _connection_get_setting_by_meta_type_check(connection, NM_META_SETTING_TYPE_CDMA);
+ return _nm_connection_get_setting_by_metatype(connection, NM_META_SETTING_TYPE_CDMA);
}
/**
@@ -3329,7 +3329,7 @@ nm_connection_get_setting_cdma(NMConnection *connection)
NMSettingConnection *
nm_connection_get_setting_connection(NMConnection *connection)
{
- return _connection_get_setting_by_meta_type_check(connection, NM_META_SETTING_TYPE_CONNECTION);
+ return _nm_connection_get_setting_by_metatype(connection, NM_META_SETTING_TYPE_CONNECTION);
}
/**
@@ -3343,7 +3343,7 @@ nm_connection_get_setting_connection(NMConnection *connection)
NMSettingDcb *
nm_connection_get_setting_dcb(NMConnection *connection)
{
- return _connection_get_setting_by_meta_type_check(connection, NM_META_SETTING_TYPE_DCB);
+ return _nm_connection_get_setting_by_metatype(connection, NM_META_SETTING_TYPE_DCB);
}
/**
@@ -3359,7 +3359,7 @@ nm_connection_get_setting_dcb(NMConnection *connection)
NMSettingDummy *
nm_connection_get_setting_dummy(NMConnection *connection)
{
- return _connection_get_setting_by_meta_type_check(connection, NM_META_SETTING_TYPE_DUMMY);
+ return _nm_connection_get_setting_by_metatype(connection, NM_META_SETTING_TYPE_DUMMY);
}
/**
@@ -3373,7 +3373,7 @@ nm_connection_get_setting_dummy(NMConnection *connection)
NMSettingGeneric *
nm_connection_get_setting_generic(NMConnection *connection)
{
- return _connection_get_setting_by_meta_type_check(connection, NM_META_SETTING_TYPE_GENERIC);
+ return _nm_connection_get_setting_by_metatype(connection, NM_META_SETTING_TYPE_GENERIC);
}
/**
@@ -3387,7 +3387,7 @@ nm_connection_get_setting_generic(NMConnection *connection)
NMSettingGsm *
nm_connection_get_setting_gsm(NMConnection *connection)
{
- return _connection_get_setting_by_meta_type_check(connection, NM_META_SETTING_TYPE_GSM);
+ return _nm_connection_get_setting_by_metatype(connection, NM_META_SETTING_TYPE_GSM);
}
/**
@@ -3401,7 +3401,7 @@ nm_connection_get_setting_gsm(NMConnection *connection)
NMSettingInfiniband *
nm_connection_get_setting_infiniband(NMConnection *connection)
{
- return _connection_get_setting_by_meta_type_check(connection, NM_META_SETTING_TYPE_INFINIBAND);
+ return _nm_connection_get_setting_by_metatype(connection, NM_META_SETTING_TYPE_INFINIBAND);
}
/**
@@ -3420,7 +3420,7 @@ nm_connection_get_setting_infiniband(NMConnection *connection)
NMSettingIPConfig *
nm_connection_get_setting_ip4_config(NMConnection *connection)
{
- return _connection_get_setting_by_meta_type_check(connection, NM_META_SETTING_TYPE_IP4_CONFIG);
+ return _nm_connection_get_setting_by_metatype(connection, NM_META_SETTING_TYPE_IP4_CONFIG);
}
/**
@@ -3436,7 +3436,7 @@ nm_connection_get_setting_ip4_config(NMConnection *connection)
NMSettingIPTunnel *
nm_connection_get_setting_ip_tunnel(NMConnection *connection)
{
- return _connection_get_setting_by_meta_type_check(connection, NM_META_SETTING_TYPE_IP_TUNNEL);
+ return _nm_connection_get_setting_by_metatype(connection, NM_META_SETTING_TYPE_IP_TUNNEL);
}
/**
@@ -3455,7 +3455,7 @@ nm_connection_get_setting_ip_tunnel(NMConnection *connection)
NMSettingIPConfig *
nm_connection_get_setting_ip6_config(NMConnection *connection)
{
- return _connection_get_setting_by_meta_type_check(connection, NM_META_SETTING_TYPE_IP6_CONFIG);
+ return _nm_connection_get_setting_by_metatype(connection, NM_META_SETTING_TYPE_IP6_CONFIG);
}
/**
@@ -3471,7 +3471,7 @@ nm_connection_get_setting_ip6_config(NMConnection *connection)
NMSettingMacsec *
nm_connection_get_setting_macsec(NMConnection *connection)
{
- return _connection_get_setting_by_meta_type_check(connection, NM_META_SETTING_TYPE_MACSEC);
+ return _nm_connection_get_setting_by_metatype(connection, NM_META_SETTING_TYPE_MACSEC);
}
/**
@@ -3487,7 +3487,7 @@ nm_connection_get_setting_macsec(NMConnection *connection)
NMSettingMacvlan *
nm_connection_get_setting_macvlan(NMConnection *connection)
{
- return _connection_get_setting_by_meta_type_check(connection, NM_META_SETTING_TYPE_MACVLAN);
+ return _nm_connection_get_setting_by_metatype(connection, NM_META_SETTING_TYPE_MACVLAN);
}
/**
@@ -3501,7 +3501,7 @@ nm_connection_get_setting_macvlan(NMConnection *connection)
NMSettingOlpcMesh *
nm_connection_get_setting_olpc_mesh(NMConnection *connection)
{
- return _connection_get_setting_by_meta_type_check(connection, NM_META_SETTING_TYPE_OLPC_MESH);
+ return _nm_connection_get_setting_by_metatype(connection, NM_META_SETTING_TYPE_OLPC_MESH);
}
/**
@@ -3517,7 +3517,7 @@ nm_connection_get_setting_olpc_mesh(NMConnection *connection)
NMSettingOvsBridge *
nm_connection_get_setting_ovs_bridge(NMConnection *connection)
{
- return _connection_get_setting_by_meta_type_check(connection, NM_META_SETTING_TYPE_OVS_BRIDGE);
+ return _nm_connection_get_setting_by_metatype(connection, NM_META_SETTING_TYPE_OVS_BRIDGE);
}
/**
@@ -3533,8 +3533,7 @@ nm_connection_get_setting_ovs_bridge(NMConnection *connection)
NMSettingOvsInterface *
nm_connection_get_setting_ovs_interface(NMConnection *connection)
{
- return _connection_get_setting_by_meta_type_check(connection,
- NM_META_SETTING_TYPE_OVS_INTERFACE);
+ return _nm_connection_get_setting_by_metatype(connection, NM_META_SETTING_TYPE_OVS_INTERFACE);
}
/**
@@ -3550,7 +3549,7 @@ nm_connection_get_setting_ovs_interface(NMConnection *connection)
NMSettingOvsPatch *
nm_connection_get_setting_ovs_patch(NMConnection *connection)
{
- return _connection_get_setting_by_meta_type_check(connection, NM_META_SETTING_TYPE_OVS_PATCH);
+ return _nm_connection_get_setting_by_metatype(connection, NM_META_SETTING_TYPE_OVS_PATCH);
}
/**
@@ -3566,7 +3565,7 @@ nm_connection_get_setting_ovs_patch(NMConnection *connection)
NMSettingOvsPort *
nm_connection_get_setting_ovs_port(NMConnection *connection)
{
- return _connection_get_setting_by_meta_type_check(connection, NM_META_SETTING_TYPE_OVS_PORT);
+ return _nm_connection_get_setting_by_metatype(connection, NM_META_SETTING_TYPE_OVS_PORT);
}
/**
@@ -3580,7 +3579,7 @@ nm_connection_get_setting_ovs_port(NMConnection *connection)
NMSettingPpp *
nm_connection_get_setting_ppp(NMConnection *connection)
{
- return _connection_get_setting_by_meta_type_check(connection, NM_META_SETTING_TYPE_PPP);
+ return _nm_connection_get_setting_by_metatype(connection, NM_META_SETTING_TYPE_PPP);
}
/**
@@ -3594,7 +3593,7 @@ nm_connection_get_setting_ppp(NMConnection *connection)
NMSettingPppoe *
nm_connection_get_setting_pppoe(NMConnection *connection)
{
- return _connection_get_setting_by_meta_type_check(connection, NM_META_SETTING_TYPE_PPPOE);
+ return _nm_connection_get_setting_by_metatype(connection, NM_META_SETTING_TYPE_PPPOE);
}
/**
@@ -3610,7 +3609,7 @@ nm_connection_get_setting_pppoe(NMConnection *connection)
NMSettingProxy *
nm_connection_get_setting_proxy(NMConnection *connection)
{
- return _connection_get_setting_by_meta_type_check(connection, NM_META_SETTING_TYPE_PROXY);
+ return _nm_connection_get_setting_by_metatype(connection, NM_META_SETTING_TYPE_PROXY);
}
/**
@@ -3624,7 +3623,7 @@ nm_connection_get_setting_proxy(NMConnection *connection)
NMSettingSerial *
nm_connection_get_setting_serial(NMConnection *connection)
{
- return _connection_get_setting_by_meta_type_check(connection, NM_META_SETTING_TYPE_SERIAL);
+ return _nm_connection_get_setting_by_metatype(connection, NM_META_SETTING_TYPE_SERIAL);
}
/**
@@ -3640,7 +3639,7 @@ nm_connection_get_setting_serial(NMConnection *connection)
NMSettingTCConfig *
nm_connection_get_setting_tc_config(NMConnection *connection)
{
- return _connection_get_setting_by_meta_type_check(connection, NM_META_SETTING_TYPE_TC_CONFIG);
+ return _nm_connection_get_setting_by_metatype(connection, NM_META_SETTING_TYPE_TC_CONFIG);
}
/**
@@ -3656,7 +3655,7 @@ nm_connection_get_setting_tc_config(NMConnection *connection)
NMSettingTun *
nm_connection_get_setting_tun(NMConnection *connection)
{
- return _connection_get_setting_by_meta_type_check(connection, NM_META_SETTING_TYPE_TUN);
+ return _nm_connection_get_setting_by_metatype(connection, NM_META_SETTING_TYPE_TUN);
}
/**
@@ -3670,7 +3669,7 @@ nm_connection_get_setting_tun(NMConnection *connection)
NMSettingVpn *
nm_connection_get_setting_vpn(NMConnection *connection)
{
- return _connection_get_setting_by_meta_type_check(connection, NM_META_SETTING_TYPE_VPN);
+ return _nm_connection_get_setting_by_metatype(connection, NM_META_SETTING_TYPE_VPN);
}
/**
@@ -3686,7 +3685,7 @@ nm_connection_get_setting_vpn(NMConnection *connection)
NMSettingVxlan *
nm_connection_get_setting_vxlan(NMConnection *connection)
{
- return _connection_get_setting_by_meta_type_check(connection, NM_META_SETTING_TYPE_VXLAN);
+ return _nm_connection_get_setting_by_metatype(connection, NM_META_SETTING_TYPE_VXLAN);
}
/**
@@ -3700,7 +3699,7 @@ nm_connection_get_setting_vxlan(NMConnection *connection)
NMSettingWimax *
nm_connection_get_setting_wimax(NMConnection *connection)
{
- return _connection_get_setting_by_meta_type_check(connection, NM_META_SETTING_TYPE_WIMAX);
+ return _nm_connection_get_setting_by_metatype(connection, NM_META_SETTING_TYPE_WIMAX);
}
/**
@@ -3714,7 +3713,7 @@ nm_connection_get_setting_wimax(NMConnection *connection)
NMSettingWired *
nm_connection_get_setting_wired(NMConnection *connection)
{
- return _connection_get_setting_by_meta_type_check(connection, NM_META_SETTING_TYPE_WIRED);
+ return _nm_connection_get_setting_by_metatype(connection, NM_META_SETTING_TYPE_WIRED);
}
/**
@@ -3728,7 +3727,7 @@ nm_connection_get_setting_wired(NMConnection *connection)
NMSettingAdsl *
nm_connection_get_setting_adsl(NMConnection *connection)
{
- return _connection_get_setting_by_meta_type_check(connection, NM_META_SETTING_TYPE_ADSL);
+ return _nm_connection_get_setting_by_metatype(connection, NM_META_SETTING_TYPE_ADSL);
}
/**
@@ -3742,7 +3741,7 @@ nm_connection_get_setting_adsl(NMConnection *connection)
NMSettingWireless *
nm_connection_get_setting_wireless(NMConnection *connection)
{
- return _connection_get_setting_by_meta_type_check(connection, NM_META_SETTING_TYPE_WIRELESS);
+ return _nm_connection_get_setting_by_metatype(connection, NM_META_SETTING_TYPE_WIRELESS);
}
/**
@@ -3756,8 +3755,8 @@ nm_connection_get_setting_wireless(NMConnection *connection)
NMSettingWirelessSecurity *
nm_connection_get_setting_wireless_security(NMConnection *connection)
{
- return _connection_get_setting_by_meta_type_check(connection,
- NM_META_SETTING_TYPE_WIRELESS_SECURITY);
+ return _nm_connection_get_setting_by_metatype(connection,
+ NM_META_SETTING_TYPE_WIRELESS_SECURITY);
}
/**
@@ -3771,7 +3770,7 @@ nm_connection_get_setting_wireless_security(NMConnection *connection)
NMSettingBridgePort *
nm_connection_get_setting_bridge_port(NMConnection *connection)
{
- return _connection_get_setting_by_meta_type_check(connection, NM_META_SETTING_TYPE_BRIDGE_PORT);
+ return _nm_connection_get_setting_by_metatype(connection, NM_META_SETTING_TYPE_BRIDGE_PORT);
}
/**
@@ -3785,7 +3784,7 @@ nm_connection_get_setting_bridge_port(NMConnection *connection)
NMSettingVlan *
nm_connection_get_setting_vlan(NMConnection *connection)
{
- return _connection_get_setting_by_meta_type_check(connection, NM_META_SETTING_TYPE_VLAN);
+ return _nm_connection_get_setting_by_metatype(connection, NM_META_SETTING_TYPE_VLAN);
}
NMSettingBluetooth *
--
2.41.0
From 15f0394acf2b0866190a3f603150a7e1ee96833c Mon Sep 17 00:00:00 2001
From: Thomas Haller <thaller@redhat.com>
Date: Thu, 4 May 2023 11:34:58 +0200
Subject: [PATCH 2/5] libnm: cleanup redundant nm_connection_get_setting
functions
Refactor and cleanup the functions to get a setting from a connection.
As the NMConnection tracks the settings in an array indexed by
NMMetaSettingType, the most direct and efficient way is to look up via
that enum.
Previously, nm_connection_get_setting_by_name() would first look up the GType
(which already involved looking up the NMMetaSettingInfo), then based on the
GType it would look up the NMMetaSettingInfo again to get the meta_type. That
is unnecessary. Directly look up the NMMetaSettingInfo, which directly
gives the meta_type.
(cherry picked from commit c60a4649b80e03f5b50e5d94f3d8c7c71c079af9)
(cherry picked from commit eebbd362701abb52d29a84f02ab57d81742e97ea)
(cherry picked from commit 58fd65c37e4eb2516faec22ea345457a59cfa9d7)
---
src/libnm-core-impl/nm-connection.c | 76 +++++++++++++----------------
src/libnm-core-impl/nm-setting.c | 4 ++
2 files changed, 37 insertions(+), 43 deletions(-)
diff --git a/src/libnm-core-impl/nm-connection.c b/src/libnm-core-impl/nm-connection.c
index fc4bc51c17..08eab900d8 100644
--- a/src/libnm-core-impl/nm-connection.c
+++ b/src/libnm-core-impl/nm-connection.c
@@ -302,26 +302,7 @@ nm_connection_remove_setting(NMConnection *connection, GType setting_type)
}
static gpointer
-_connection_get_setting(NMConnection *connection, GType setting_type)
-{
- NMSetting *setting;
- const NMMetaSettingInfo *setting_info;
-
- nm_assert(NM_IS_CONNECTION(connection));
- nm_assert(g_type_is_a(setting_type, NM_TYPE_SETTING));
-
- setting_info = _nm_meta_setting_info_from_gtype(setting_type);
- if (!setting_info)
- g_return_val_if_reached(NULL);
-
- setting = NM_CONNECTION_GET_PRIVATE(connection)->settings[setting_info->meta_type];
-
- nm_assert(!setting || G_TYPE_CHECK_INSTANCE_TYPE(setting, setting_type));
- return setting;
-}
-
-static gpointer
-_connection_get_setting_by_meta_type(NMConnectionPrivate *priv, NMMetaSettingType meta_type)
+_get_setting_by_metatype(NMConnectionPrivate *priv, NMMetaSettingType meta_type)
{
nm_assert(priv);
nm_assert(_NM_INT_NOT_NEGATIVE(meta_type));
@@ -330,20 +311,12 @@ _connection_get_setting_by_meta_type(NMConnectionPrivate *priv, NMMetaSettingTyp
return priv->settings[meta_type];
}
-static gpointer
-_connection_get_setting_check(NMConnection *connection, GType setting_type)
-{
- g_return_val_if_fail(NM_IS_CONNECTION(connection), NULL);
-
- return _connection_get_setting(connection, setting_type);
-}
-
static gpointer
_nm_connection_get_setting_by_metatype(NMConnection *connection, NMMetaSettingType meta_type)
{
g_return_val_if_fail(NM_IS_CONNECTION(connection), NULL);
- return _connection_get_setting_by_meta_type(NM_CONNECTION_GET_PRIVATE(connection), meta_type);
+ return _get_setting_by_metatype(NM_CONNECTION_GET_PRIVATE(connection), meta_type);
}
/**
@@ -360,19 +333,34 @@ _nm_connection_get_setting_by_metatype(NMConnection *connection, NMMetaSettingTy
NMSetting *
nm_connection_get_setting(NMConnection *connection, GType setting_type)
{
- g_return_val_if_fail(g_type_is_a(setting_type, NM_TYPE_SETTING), NULL);
+ NMSetting *setting;
+ const NMMetaSettingInfo *setting_info;
+
+ g_return_val_if_fail(NM_IS_CONNECTION(connection), NULL);
+
+ setting_info = _nm_meta_setting_info_from_gtype(setting_type);
+
+ if (!setting_info)
+ g_return_val_if_reached(NULL);
+
+ setting = NM_CONNECTION_GET_PRIVATE(connection)->settings[setting_info->meta_type];
+
+ nm_assert(!setting || G_TYPE_CHECK_INSTANCE_TYPE(setting, setting_type));
- return _connection_get_setting_check(connection, setting_type);
+ return setting;
}
NMSettingIPConfig *
nm_connection_get_setting_ip_config(NMConnection *connection, int addr_family)
{
+ g_return_val_if_fail(NM_IS_CONNECTION(connection), NULL);
+
nm_assert_addr_family(addr_family);
- return NM_SETTING_IP_CONFIG(_connection_get_setting(
- connection,
- (addr_family == AF_INET) ? NM_TYPE_SETTING_IP4_CONFIG : NM_TYPE_SETTING_IP6_CONFIG));
+ return NM_SETTING_IP_CONFIG(_get_setting_by_metatype(NM_CONNECTION_GET_PRIVATE(connection),
+ (addr_family == AF_INET)
+ ? NM_META_SETTING_TYPE_IP4_CONFIG
+ : NM_META_SETTING_TYPE_IP6_CONFIG));
}
/**
@@ -389,12 +377,14 @@ nm_connection_get_setting_ip_config(NMConnection *connection, int addr_family)
NMSetting *
nm_connection_get_setting_by_name(NMConnection *connection, const char *name)
{
- GType type;
+ const NMMetaSettingInfo *setting_info;
g_return_val_if_fail(NM_IS_CONNECTION(connection), NULL);
- type = nm_setting_lookup_type(name);
- return type ? _connection_get_setting(connection, type) : NULL;
+ setting_info = nm_meta_setting_infos_by_name(name);
+ return setting_info ? _get_setting_by_metatype(NM_CONNECTION_GET_PRIVATE(connection),
+ setting_info->meta_type)
+ : NULL;
}
/*****************************************************************************/
@@ -1672,8 +1662,8 @@ _normalize_802_1x_empty_strings(NMConnection *self)
NMSetting8021x *s_8021x;
gboolean changed = FALSE;
- s_8021x = _connection_get_setting_by_meta_type(NM_CONNECTION_GET_PRIVATE(self),
- NM_META_SETTING_TYPE_802_1X);
+ s_8021x =
+ _get_setting_by_metatype(NM_CONNECTION_GET_PRIVATE(self), NM_META_SETTING_TYPE_802_1X);
if (!s_8021x)
return FALSE;
@@ -1823,7 +1813,7 @@ _nm_connection_verify(NMConnection *connection, GError **error)
priv = NM_CONNECTION_GET_PRIVATE(connection);
- if (!_connection_get_setting_by_meta_type(priv, NM_META_SETTING_TYPE_CONNECTION)) {
+ if (!_get_setting_by_metatype(priv, NM_META_SETTING_TYPE_CONNECTION)) {
g_set_error_literal(error,
NM_CONNECTION_ERROR,
NM_CONNECTION_ERROR_MISSING_SETTING,
@@ -1868,9 +1858,9 @@ _nm_connection_verify(NMConnection *connection, GError **error)
g_clear_error(&verify_error);
}
- s_ip4 = _connection_get_setting_by_meta_type(priv, NM_META_SETTING_TYPE_IP4_CONFIG);
- s_ip6 = _connection_get_setting_by_meta_type(priv, NM_META_SETTING_TYPE_IP6_CONFIG);
- s_proxy = _connection_get_setting_by_meta_type(priv, NM_META_SETTING_TYPE_PROXY);
+ s_ip4 = _get_setting_by_metatype(priv, NM_META_SETTING_TYPE_IP4_CONFIG);
+ s_ip6 = _get_setting_by_metatype(priv, NM_META_SETTING_TYPE_IP6_CONFIG);
+ s_proxy = _get_setting_by_metatype(priv, NM_META_SETTING_TYPE_PROXY);
nm_assert(normalizable_error_type != NM_SETTING_VERIFY_ERROR);
if (NM_IN_SET(normalizable_error_type,
diff --git a/src/libnm-core-impl/nm-setting.c b/src/libnm-core-impl/nm-setting.c
index b6f721371f..a4404ba87b 100644
--- a/src/libnm-core-impl/nm-setting.c
+++ b/src/libnm-core-impl/nm-setting.c
@@ -110,6 +110,10 @@ nm_setting_lookup_type(const char *name)
{
const NMMetaSettingInfo *setting_info;
+ /* various callers check whether the result is valid with plain `if (gtype)`.
+ * Assert that G_TYPE_INVALID is zero. */
+ G_STATIC_ASSERT(G_TYPE_INVALID == 0);
+
g_return_val_if_fail(name, G_TYPE_INVALID);
setting_info = nm_meta_setting_infos_by_name(name);
--
2.41.0
From fdf8ad3fdd8ddf03f8acd85a3e8eb4af67722699 Mon Sep 17 00:00:00 2001
From: Thomas Haller <thaller@redhat.com>
Date: Wed, 3 May 2023 12:01:14 +0200
Subject: [PATCH 3/5] libnm: expose _nm_connection_get_setting_by_metatype() in
internal header
We have several variants to get the NMSetting from an NMConnection. Some
of them are public API (nm_connection_get_setting(), nm_connection_get_setting_by_name()).
The most efficient way is lookup by NMMetaSettingType. Expose that as
internal API, so it can be used. The NMMetaSettingType is internal, but
it exists because it's a very useful enum. Allow others to make use of
it.
Also, add a static assert which prevents various wrong uses at compile
time, for example
_nm_connection_get_setting_by_metatype(connection, NM_TYPE_SETTING_CONNECTION)
(cherry picked from commit db5946ac2fc349269835b18c37f1df35ac326cda)
(cherry picked from commit 50b6c2d622f66d2fef187c6da1498b091f34df20)
(cherry picked from commit 1cd4f675c888a7d01f4920a07b4eab838fed8a2f)
---
src/libnm-core-impl/nm-connection.c | 7 +++++--
src/libnm-core-intern/nm-core-internal.h | 14 ++++++++++++++
2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/src/libnm-core-impl/nm-connection.c b/src/libnm-core-impl/nm-connection.c
index 08eab900d8..9d94cf56cc 100644
--- a/src/libnm-core-impl/nm-connection.c
+++ b/src/libnm-core-impl/nm-connection.c
@@ -311,8 +311,11 @@ _get_setting_by_metatype(NMConnectionPrivate *priv, NMMetaSettingType meta_type)
return priv->settings[meta_type];
}
-static gpointer
-_nm_connection_get_setting_by_metatype(NMConnection *connection, NMMetaSettingType meta_type)
+/* The "unsafe" part here is that _nm_connection_get_setting_by_metatype() has a compile
+ * time check that meta_type is valid. With the unsafe variant, the caller must ensure that,
+ * and we only get an nm_assert() check -- which is basically nothing. */
+gpointer
+_nm_connection_get_setting_by_metatype_unsafe(NMConnection *connection, NMMetaSettingType meta_type)
{
g_return_val_if_fail(NM_IS_CONNECTION(connection), NULL);
diff --git a/src/libnm-core-intern/nm-core-internal.h b/src/libnm-core-intern/nm-core-internal.h
index 1857e03bbd..695cd75c04 100644
--- a/src/libnm-core-intern/nm-core-internal.h
+++ b/src/libnm-core-intern/nm-core-internal.h
@@ -479,6 +479,20 @@ _nm_connection_get_setting(NMConnection *connection, GType type)
return (gpointer) nm_connection_get_setting(connection, type);
}
+gpointer _nm_connection_get_setting_by_metatype_unsafe(NMConnection *connection,
+ NMMetaSettingType meta_type);
+
+/* This variant is the most efficient one, because it does not require resolving a
+ * name/GType first. The NMMetaSettingType enum allows for a direct lookup. */
+#define _nm_connection_get_setting_by_metatype(connection, meta_type) \
+ ({ \
+ /* Static assert that meta_type is in the valid range. If you don't want that,
+ * because the argument is no a compile time constant, use _nm_connection_get_setting_by_metatype_unsafe(). */ \
+ G_STATIC_ASSERT((meta_type) < _NM_META_SETTING_TYPE_NUM && ((int) meta_type) >= 0); \
+ \
+ _nm_connection_get_setting_by_metatype_unsafe((connection), (meta_type)); \
+ })
+
NMSettingIPConfig *nm_connection_get_setting_ip_config(NMConnection *connection, int addr_family);
/*****************************************************************************/
--
2.41.0
From 0a8007057e5075df95a5dfc7ebb35269a2e99266 Mon Sep 17 00:00:00 2001
From: Thomas Haller <thaller@redhat.com>
Date: Wed, 3 May 2023 12:15:47 +0200
Subject: [PATCH 4/5] core: add nm_settings_connection_get_setting() helper
For efficiently and conveniently lookup an NMSetting from the
NMConnection inside the NMSettingsConnection.
Note that this uses the NMMetaSettingType as lookup key. That is a novel
approach, compared to lookup by name (nm_connection_get_setting_by_name())
or GType (nm_connection_get_setting()).
Using the NMMetaSettingType enum is however faster, because it does not
require resolving the name/GType first. This is perfecly fine internal API,
we should use it.
(cherry picked from commit 429cf416fd12f14d3a5639d7890f0d334c5e9328)
(cherry picked from commit 10e493bbe82ce06bd217a148fb0a6e531c8ee0a6)
(cherry picked from commit c2cf898c19627f7ec6ea645206d76a19b5821a07)
---
src/core/settings/nm-settings-connection.c | 14 ++++++++++++++
src/core/settings/nm-settings-connection.h | 4 ++++
2 files changed, 18 insertions(+)
diff --git a/src/core/settings/nm-settings-connection.c b/src/core/settings/nm-settings-connection.c
index 1638efcd7e..c0137637ab 100644
--- a/src/core/settings/nm-settings-connection.c
+++ b/src/core/settings/nm-settings-connection.c
@@ -361,6 +361,20 @@ nm_settings_connection_get_connection(NMSettingsConnection *self)
return NM_SETTINGS_CONNECTION_GET_PRIVATE(self)->connection;
}
+gpointer
+nm_settings_connection_get_setting(NMSettingsConnection *self, NMMetaSettingType meta_type)
+{
+ NMConnection *connection;
+
+ nm_assert(NM_IS_SETTINGS_CONNECTION(self));
+
+ connection = NM_SETTINGS_CONNECTION_GET_PRIVATE(self)->connection;
+
+ nm_assert(NM_IS_SIMPLE_CONNECTION(connection));
+
+ return _nm_connection_get_setting_by_metatype_unsafe(connection, meta_type);
+}
+
void
_nm_settings_connection_set_connection(NMSettingsConnection *self,
NMConnection *new_connection,
diff --git a/src/core/settings/nm-settings-connection.h b/src/core/settings/nm-settings-connection.h
index 893b0d7b74..68d75ab6f4 100644
--- a/src/core/settings/nm-settings-connection.h
+++ b/src/core/settings/nm-settings-connection.h
@@ -7,6 +7,8 @@
#ifndef __NETWORKMANAGER_SETTINGS_CONNECTION_H__
#define __NETWORKMANAGER_SETTINGS_CONNECTION_H__
+#include "libnm-core-intern/nm-meta-setting-base.h"
+
#include "nm-dbus-object.h"
#include "nm-connection.h"
@@ -218,6 +220,8 @@ GType nm_settings_connection_get_type(void);
NMSettingsConnection *nm_settings_connection_new(void);
NMConnection *nm_settings_connection_get_connection(NMSettingsConnection *self);
+gpointer nm_settings_connection_get_setting(NMSettingsConnection *self,
+ NMMetaSettingType meta_type);
void _nm_settings_connection_set_connection(NMSettingsConnection *self,
NMConnection *new_connection,
--
2.41.0
From 3608f7e2bbdd0e49450c55a7fbf882d360edfd74 Mon Sep 17 00:00:00 2001
From: Fernando Fernandez Mancera <ffmancera@riseup.net>
Date: Tue, 4 Jul 2023 12:50:29 +0200
Subject: [PATCH 5/5] utils: extend connection matching function for UUID in
controller
When matching two connections one might be using UUID and the other one
could be using interface-name for the controller property. When
recovering from a fresh start NM does not have any context and when
generating a connection we are using UUID as the controller.
It is always hard to guess what is the right candidate to pick but at
least something NM can do is checking if the UUID matches a connection
with the same controller interface-name. If there are no other
conflicts, then we can assume that is a good canditate to activate.
This is a follow up to `dc254f90e2b306700a0b81f7194e9b0438c62f4c`.
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1684
(cherry picked from commit 5b8fdd25ab431dd1318eff00e725448f7c699a30)
(cherry picked from commit 5ca93db6928d7bbeb5ae378512843877359f06ba)
(cherry picked from commit 8c0f262549d5ab34fd06ec0594d0e8fab58fef70)
---
src/core/NetworkManagerUtils.c | 51 ++++++++++++++++++++++++++++++++++
1 file changed, 51 insertions(+)
diff --git a/src/core/NetworkManagerUtils.c b/src/core/NetworkManagerUtils.c
index f5b7666b0e..c58433e76d 100644
--- a/src/core/NetworkManagerUtils.c
+++ b/src/core/NetworkManagerUtils.c
@@ -23,6 +23,7 @@
#include "nm-setting-connection.h"
#include "nm-setting-ip4-config.h"
#include "nm-setting-ip6-config.h"
+#include "settings/nm-settings.h"
#include "libnm-core-intern/nm-core-internal.h"
#include "libnm-platform/nmp-object.h"
@@ -683,6 +684,53 @@ check_connection_cloned_mac_address(NMConnection *orig,
return FALSE;
}
+static gboolean
+check_connection_controller(NMConnection *orig, NMConnection *candidate, GHashTable *settings)
+{
+ GHashTable *props;
+ const char *orig_controller = NULL, *cand_controller = NULL;
+ NMSettingConnection *s_con_orig, *s_con_cand, *s_con_controller;
+ NMSettingsConnection *con_controller;
+
+ props = check_property_in_hash(settings,
+ NM_SETTING_CONNECTION_SETTING_NAME,
+ NM_SETTING_CONNECTION_MASTER);
+ if (!props)
+ return TRUE;
+
+ s_con_orig = nm_connection_get_setting_connection(orig);
+ s_con_cand = nm_connection_get_setting_connection(candidate);
+ orig_controller = nm_setting_connection_get_master(s_con_orig);
+ cand_controller = nm_setting_connection_get_master(s_con_cand);
+
+ /* A generated connection uses the UUID to specify the controller. Accept
+ * candidates that specify as controller an interface name matching that
+ * UUID */
+ if (orig_controller && cand_controller) {
+ if (nm_utils_is_uuid(orig_controller)) {
+ con_controller = nm_settings_get_connection_by_uuid(NM_SETTINGS_GET, orig_controller);
+ /* no connection found for that uuid */
+ if (!con_controller)
+ return FALSE;
+
+ s_con_controller =
+ nm_settings_connection_get_setting(con_controller, NM_META_SETTING_TYPE_CONNECTION);
+ if (nm_streq0(nm_setting_connection_get_interface_name(s_con_controller),
+ cand_controller)) {
+ remove_from_hash(settings,
+ props,
+ NM_SETTING_CONNECTION_SETTING_NAME,
+ NM_SETTING_CONNECTION_MASTER);
+ return TRUE;
+ } else {
+ return FALSE;
+ }
+ }
+ }
+
+ return FALSE;
+}
+
static gboolean
check_connection_s390_props(NMConnection *orig, NMConnection *candidate, GHashTable *settings)
{
@@ -764,6 +812,9 @@ check_possible_match(NMConnection *orig,
if (!check_connection_cloned_mac_address(orig, candidate, settings))
return NULL;
+ if (!check_connection_controller(orig, candidate, settings))
+ return NULL;
+
if (!check_connection_s390_props(orig, candidate, settings))
return NULL;
--
2.41.0

View File

@ -1,130 +0,0 @@
From f240f3d6d901b78fd50b945f08aa4f9d39625c4e Mon Sep 17 00:00:00 2001
From: Yuki Inoguchi <inoguchi.yuki@fujitsu.com>
Date: Tue, 10 Oct 2023 17:50:37 +0900
Subject: [PATCH] device: disable IPv6 in NetworkManager when disabled in
kernel
When IPv6 is disabled in kernel but ipv6.method is set to auto, NetworkManager repeatedly attempts
IPv6 configuration internally, resulting in unnecessary warning messages being output infinitely.
platform-linux: do-add-ip6-address[2: fe80::5054:ff:fe7c:4293]: failure 95 (Operation not supported)
ipv6ll[e898db403d9b5099,ifindex=2]: changed: no IPv6 link local address to retry after Duplicate Address Detection failures (back off)
platform-linux: do-add-ip6-address[2: fe80::5054:ff:fe7c:4293]: failure 95 (Operation not supported)
ipv6ll[e898db403d9b5099,ifindex=2]: changed: no IPv6 link local address to retry after Duplicate Address Detection failures (back off)
platform-linux: do-add-ip6-address[2: fe80::5054:ff:fe7c:4293]: failure 95 (Operation not supported)
ipv6ll[e898db403d9b5099,ifindex=2]: changed: no IPv6 link local address to retry after Duplicate Address Detection failures (back off)
To prevent this issue, let's disable IPv6 in NetworkManager when it is disabled in the kernel.
In order to do it in activate_stage3_ip_config() only once during activation,
the firewall initialization needed to be moved earlier. Otherwise, the IPv6 disablement could occur
twice during activation because activate_stage3_ip_config() is also executed from subsequent of fw_change_zone().
(cherry picked from commit 50a6386c3ba6ae9b0501e56bd78fd141636770a7)
(cherry picked from commit 4a9cf4c1dd972de11a2d7c6b0dd8328b2dc24f69)
(cherry picked from commit ffef5a47489ee65122a0c532fffdc77707d68231)
Solved some conflicts due to missing 61e1027cc783 ('device: preserve the DHCP lease during reapply')
(cherry picked from commit f407868ee25c06f9a41c72ecd54e83dd4317b4fe)
---
src/core/devices/nm-device.c | 63 +++++++++++++++++++-----------------
1 file changed, 33 insertions(+), 30 deletions(-)
diff --git a/src/core/devices/nm-device.c b/src/core/devices/nm-device.c
index 5748d80393..e54942440f 100644
--- a/src/core/devices/nm-device.c
+++ b/src/core/devices/nm-device.c
@@ -11556,16 +11556,8 @@ _dev_ipac6_start(NMDevice *self)
NMUtilsIPv6IfaceId iid;
gboolean is_token;
- if (priv->ipac6_data.state == NM_DEVICE_IP_STATE_NONE) {
- if (!g_file_test("/proc/sys/net/ipv6", G_FILE_TEST_IS_DIR)) {
- _LOGI_ipac6("addrconf6: kernel does not support IPv6");
- _dev_ipac6_set_state(self, NM_DEVICE_IP_STATE_FAILED);
- _dev_ip_state_check_async(self, AF_INET6);
- return;
- }
-
+ if (priv->ipac6_data.state == NM_DEVICE_IP_STATE_NONE)
_dev_ipac6_set_state(self, NM_DEVICE_IP_STATE_PENDING);
- }
if (NM_IN_SET(priv->ipll_data_6.state, NM_DEVICE_IP_STATE_NONE, NM_DEVICE_IP_STATE_PENDING)) {
_dev_ipac6_grace_period_start(self, 30, TRUE);
@@ -12092,15 +12084,6 @@ activate_stage3_ip_config(NMDevice *self)
ifindex = nm_device_get_ip_ifindex(self);
- if (priv->ip_data_4.do_reapply) {
- _LOGD_ip(AF_INET, "reapply...");
- _cleanup_ip_pre(self, AF_INET, CLEANUP_TYPE_DECONFIGURE, TRUE);
- }
- if (priv->ip_data_6.do_reapply) {
- _LOGD_ip(AF_INET6, "reapply...");
- _cleanup_ip_pre(self, AF_INET6, CLEANUP_TYPE_DECONFIGURE, TRUE);
- }
-
/* Add the interface to the specified firewall zone */
switch (priv->fw_state) {
case FIREWALL_STATE_UNMANAGED:
@@ -12125,6 +12108,38 @@ activate_stage3_ip_config(NMDevice *self)
}
nm_assert(ifindex <= 0 || priv->fw_state == FIREWALL_STATE_INITIALIZED);
+ ipv4_method = nm_device_get_effective_ip_config_method(self, AF_INET);
+ if (nm_streq(ipv4_method, NM_SETTING_IP4_CONFIG_METHOD_AUTO)) {
+ /* "auto" usually means DHCPv4 or autoconf6, but it doesn't have to be. Subclasses
+ * can overwrite it. For example, you cannot run DHCPv4 on PPP/WireGuard links. */
+ ipv4_method = klass->get_ip_method_auto(self, AF_INET);
+ }
+
+ ipv6_method = nm_device_get_effective_ip_config_method(self, AF_INET6);
+ if (!g_file_test("/proc/sys/net/ipv6", G_FILE_TEST_IS_DIR)) {
+ _NMLOG_ip((nm_device_sys_iface_state_is_external(self)
+ || NM_IN_STRSET(ipv6_method,
+ NM_SETTING_IP6_CONFIG_METHOD_AUTO,
+ NM_SETTING_IP6_CONFIG_METHOD_DISABLED,
+ NM_SETTING_IP6_CONFIG_METHOD_IGNORE))
+ ? LOGL_DEBUG
+ : LOGL_WARN,
+ AF_INET6,
+ "IPv6 not supported by kernel resulting in \"ipv6.method=disabled\"");
+ ipv6_method = NM_SETTING_IP6_CONFIG_METHOD_DISABLED;
+ } else if (nm_streq(ipv6_method, NM_SETTING_IP6_CONFIG_METHOD_AUTO)) {
+ ipv6_method = klass->get_ip_method_auto(self, AF_INET6);
+ }
+
+ if (priv->ip_data_4.do_reapply) {
+ _LOGD_ip(AF_INET, "reapply...");
+ _cleanup_ip_pre(self, AF_INET, CLEANUP_TYPE_DECONFIGURE, TRUE);
+ }
+ if (priv->ip_data_6.do_reapply) {
+ _LOGD_ip(AF_INET6, "reapply...");
+ _cleanup_ip_pre(self, AF_INET6, CLEANUP_TYPE_DECONFIGURE, TRUE);
+ }
+
if (priv->state < NM_DEVICE_STATE_IP_CONFIG) {
_dev_ip_state_req_timeout_schedule(self, AF_INET);
_dev_ip_state_req_timeout_schedule(self, AF_INET6);
@@ -12150,18 +12165,6 @@ activate_stage3_ip_config(NMDevice *self)
* let's do it! */
_commit_mtu(self);
- ipv4_method = nm_device_get_effective_ip_config_method(self, AF_INET);
- if (nm_streq(ipv4_method, NM_SETTING_IP4_CONFIG_METHOD_AUTO)) {
- /* "auto" usually means DHCPv4 or autoconf6, but it doesn't have to be. Subclasses
- * can overwrite it. For example, you cannot run DHCPv4 on PPP/WireGuard links. */
- ipv4_method = klass->get_ip_method_auto(self, AF_INET);
- }
-
- ipv6_method = nm_device_get_effective_ip_config_method(self, AF_INET6);
- if (nm_streq(ipv6_method, NM_SETTING_IP6_CONFIG_METHOD_AUTO)) {
- ipv6_method = klass->get_ip_method_auto(self, AF_INET6);
- }
-
if (!nm_device_sys_iface_state_is_external(self)
&& (!klass->ready_for_ip_config || klass->ready_for_ip_config(self, TRUE))) {
if (priv->ipmanual_data.state_6 == NM_DEVICE_IP_STATE_NONE
--
2.43.0

View File

@ -0,0 +1,31 @@
# This sets defaults for Wi-Fi profiles to set a generated, stable MAC address.
#
# Do not modify this file. You can hide/overwrite this file by placing a file
# to "/etc/NetworkManager/conf.d/22-wifi-mac-addr.conf". You can also add
# configuration snippets with higher priority that override this setting (see
# `man 5 NetworkManager.conf`). Most importantly, this snippet only sets
# default values for the profile. You can explicitly set the value for each
# profile, so that this default value is not used.
#
# For example, on a particular profile/network set
#
# $ nmcli connection modify "$PROFILE" wifi.cloned-mac-address permanent
#
# to use the hardware MAC address. This prevents the default from this file
# to take effect.
#
# Or
#
# $ nmcli connection modify "$PROFILE" wifi.cloned-mac-address stable connection.stable-id '${NETWORK_SSID}/${BOOT}'
#
# to get a generated MAC address that changes on each boot. Note how setting
# "connection.stable-id" also affects other aspects of the profile.
#
# See `man 5 nm-settings` for "wifi.cloned-mac-address" and "connection.stable-id".
[connection.22-wifi-mac-addr]
match-device=type:wifi
wifi.cloned-mac-address=stable-ssid
[.config]
enable=nm-version-min:1.45

View File

@ -20,7 +20,7 @@
# the previous one.
[main]
#plugins=ifcfg-rh
#plugins=keyfile,ifcfg-rh
[logging]

View File

@ -0,0 +1,84 @@
NetworkManager was built to automatically migrate connection profiles in
this directory to equivalent ones in keyfile format in directory
/etc/NetworkManager/system-connections.
You can check whether the migration is enabled via:
$ NetworkManager --print-config | grep migrate-ifcfg-rh
In case it is enabled, all files in this directory are migrated at startup.
To inspect where your connection files are currently stored use:
$ nmcli -f name,uuid,filename connection
Background
==========
The ifcfg format is deprecated and will be removed in future releases. For
more information see:
https://lists.freedesktop.org/archives/networkmanager/2023-May/000103.html
Connection profiles in keyfile format have many benefits. For example, this
format is INI file-based and can easily be parsed and generated.
Each section in NetworkManager keyfiles corresponds to a NetworkManager
setting name as described in the nm-settings(5) and nm-settings-keyfile(5)
man pages. Each key-value pair in a section is one of the properties listed
in the settings specification of the man page.
How to keep using ifcfg
=======================
If you want to keep using connection profiles in ifcfg format, you need to:
- disable the automatic migration to keyfile by setting
"migrate-ifcfg-rh=false" in the [main] section of NetworkManager
configuration;
- optionally, set "plugins=ifcfg-rh" in the [main] section of
NetworkManager configuration so that new profiles are created in ifcfg
format.
At this point, you can migrate all your files back via
nmcli connection migrate --plugin ifcfg-rh
Or, if you prefer to migrate only specific connections:
nmcli connection migrate --plugin ifcfg-rh <profile_name|UUID>
Note that some connection types are not supported by the ifcfg plugin.
Interface renaming
==================
Connection profiles stored in ifcfg-rh format support the renaming of
interfaces via udev. This is done via a helper tool
/usr/lib/udev/rename_device that is invoked by udev to parse the files
in /etc/sysconfig/network-scripts; when the HWADDR and DEVICE
variables are set, the interface that matches the MAC address in
HWADDR is renamed to the name specified in DEVICE.
Connections in keyfile format don't provide the same integration with
udev. The renaming of interfaces must be configured directly in udev,
for example by creating a file:
/etc/systemd/network/70-rename.link
with content:
[Match]
MACAddress=00:11:22:33:44:56
[Link]
Name=ethernet1
Alternatively, a udev rule can also be used, such as:
/etc/udev/rules.d/70-interface-names.rules
with content:
SUBSYSTEM=="net",ACTION=="add",ATTR{address}=="00:11:22:33:44:56",ATTR{type}=="1",NAME="ethernet1"

File diff suppressed because it is too large Load Diff