fdo-mirrors/NetworkManager
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/NetworkManager/NetworkManager.git synced 2026-02-11 07:10:36 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
NetworkManager/src/devices/nm-device-macsec.c

975 lines
33 KiB
C
Raw Normal View History

core,libnm: introduce NMDeviceMacsec At the moment the device only exposes the current link status, but cannot create new links.
2016-06-30 18:20:22 +02:00
/* NetworkManager -- Network link manager
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Copyright 2017 Red Hat, Inc.
*/
#include "nm-default.h"
#include "nm-device-macsec.h"
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
#include "nm-act-request.h"
core,libnm: introduce NMDeviceMacsec At the moment the device only exposes the current link status, but cannot create new links.
2016-06-30 18:20:22 +02:00
#include "nm-device-private.h"
#include "platform/nm-platform.h"
#include "nm-device-factory.h"
#include "nm-manager.h"
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
#include "nm-setting-macsec.h"
core,libnm: introduce NMDeviceMacsec At the moment the device only exposes the current link status, but cannot create new links.
2016-06-30 18:20:22 +02:00
#include "nm-core-internal.h"
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
#include "supplicant/nm-supplicant-manager.h"
#include "supplicant/nm-supplicant-interface.h"
#include "supplicant/nm-supplicant-config.h"
core,libnm: introduce NMDeviceMacsec At the moment the device only exposes the current link status, but cannot create new links.
2016-06-30 18:20:22 +02:00
#include "nm-device-logging.h"
_LOG_DECLARE_SELF(NMDeviceMacsec);
/*****************************************************************************/
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
typedef struct Supplicant {
NMSupplicantManager *mgr;
NMSupplicantInterface *iface;
/* signal handler ids */
gulong iface_state_id;
/* Timeouts and idles */
guint con_timeout_id;
} Supplicant;
core,libnm: introduce NMDeviceMacsec At the moment the device only exposes the current link status, but cannot create new links.
2016-06-30 18:20:22 +02:00
NM_GOBJECT_PROPERTIES_DEFINE (NMDeviceMacsec,
PROP_SCI,
PROP_CIPHER_SUITE,
PROP_ICV_LENGTH,
PROP_WINDOW,
PROP_ENCODING_SA,
PROP_ENCRYPT,
PROP_PROTECT,
PROP_INCLUDE_SCI,
PROP_ES,
PROP_SCB,
PROP_REPLAY_PROTECT,
PROP_VALIDATION,
);
typedef struct {
NMPlatformLnkMacsec props;
gulong parent_state_id;
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
Supplicant supplicant;
guint supplicant_timeout_id;
core: refactor NMActRequestGetSecretsCallId typedef not to be a pointer to struct Typedefs to structs are fine, but a typedef for a pointer seems confusing to me. Let's avoid it.
2017-11-24 16:24:40 +01:00
NMActRequestGetSecretsCallId *macsec_secrets_id;
core,libnm: introduce NMDeviceMacsec At the moment the device only exposes the current link status, but cannot create new links.
2016-06-30 18:20:22 +02:00
} NMDeviceMacsecPrivate;
struct _NMDeviceMacsec {
NMDevice parent;
NMDeviceMacsecPrivate _priv;
};
struct _NMDeviceMacsecClass {
NMDeviceClass parent;
};
G_DEFINE_TYPE (NMDeviceMacsec, nm_device_macsec, NM_TYPE_DEVICE)
#define NM_DEVICE_MACSEC_GET_PRIVATE(self) _NM_GET_PRIVATE (self, NMDeviceMacsec, NM_IS_DEVICE_MACSEC)
/******************************************************************/
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
static void macsec_secrets_cancel (NMDeviceMacsec *self);
/******************************************************************/
core,libnm: introduce NMDeviceMacsec At the moment the device only exposes the current link status, but cannot create new links.
2016-06-30 18:20:22 +02:00
NM_UTILS_LOOKUP_STR_DEFINE_STATIC (validation_mode_to_string, guint8,
NM_UTILS_LOOKUP_DEFAULT_WARN ("<unknown>"),
NM_UTILS_LOOKUP_STR_ITEM (0, "disable"),
NM_UTILS_LOOKUP_STR_ITEM (1, "check"),
NM_UTILS_LOOKUP_STR_ITEM (2, "strict"),
);
static void
parent_state_changed (NMDevice *parent,
NMDeviceState new_state,
NMDeviceState old_state,
NMDeviceStateReason reason,
gpointer user_data)
{
NMDeviceMacsec *self = NM_DEVICE_MACSEC (user_data);
/* We'll react to our own carrier state notifications. Ignore the parent's. */
device: mark uses of device's state-reason with nm_device_state_reason_check() The state-change of a device has a reason argument, which is mostly for information only. There are many places in code that are the source of a state-reason. Mostly these are calls to: - nm_device_state_changed() - nm_device_queue_state() - nm_device_queue_recheck_available() - nm_device_set_unmanaged_by_*() - nm_device_master_release_one_slave() - nm_device_ip_method_failed() - nm_modem_emit_prepare_result() - nm_modem_emit_ppp_failed() - nm_manager_deactivate_connection() - NM_SET_OUT (out_failure_reason, NM_DEVICE_STATE_REASON_*); However, there are a few places in code that look at the reason to decide how to proceed. I think this is a bad pattern, because cause and effect are decoupled and it gets hard to understand where a certain reason is set and what consequences that has. Add a nop-function nm_device_state_reason_check() to mark all uses of the device state reason that derive decisions from it. That is, highlight the "effect" part.
2017-02-23 15:19:03 +01:00
if (nm_device_state_reason_check (reason) == NM_DEVICE_STATE_REASON_CARRIER)
core,libnm: introduce NMDeviceMacsec At the moment the device only exposes the current link status, but cannot create new links.
2016-06-30 18:20:22 +02:00
return;
nm_device_set_unmanaged_by_flags (NM_DEVICE (self), NM_UNMANAGED_PARENT, !nm_device_get_managed (parent, FALSE), reason);
}
static void
parent_changed_notify (NMDevice *device,
int old_ifindex,
NMDevice *old_parent,
int new_ifindex,
NMDevice *new_parent)
{
NMDeviceMacsec *self = NM_DEVICE_MACSEC (device);
NMDeviceMacsecPrivate *priv = NM_DEVICE_MACSEC_GET_PRIVATE (self);
NM_DEVICE_CLASS (nm_device_macsec_parent_class)->parent_changed_notify (device,
old_ifindex,
old_parent,
new_ifindex,
new_parent);
/* note that @self doesn't have to clear @parent_state_id on dispose,
* because NMDevice's dispose() will unset the parent, which in turn calls
* parent_changed_notify(). */
nm_clear_g_signal_handler (old_parent, &priv->parent_state_id);
if (new_parent) {
priv->parent_state_id = g_signal_connect (new_parent,
NM_DEVICE_STATE_CHANGED,
G_CALLBACK (parent_state_changed),
device);
/* Set parent-dependent unmanaged flag */
nm_device_set_unmanaged_by_flags (device,
NM_UNMANAGED_PARENT,
!nm_device_get_managed (new_parent, FALSE),
NM_DEVICE_STATE_REASON_PARENT_MANAGED_CHANGED);
}
/* Recheck availability now that the parent has changed */
if (new_ifindex > 0) {
nm_device_queue_recheck_available (device,
NM_DEVICE_STATE_REASON_PARENT_CHANGED,
NM_DEVICE_STATE_REASON_PARENT_CHANGED);
}
}
static void
update_properties (NMDevice *device)
{
NMDeviceMacsec *self;
NMDeviceMacsecPrivate *priv;
const NMPlatformLink *plink = NULL;
const NMPlatformLnkMacsec *props = NULL;
int ifindex;
g_return_if_fail (NM_IS_DEVICE_MACSEC (device));
self = NM_DEVICE_MACSEC (device);
priv = NM_DEVICE_MACSEC_GET_PRIVATE (self);
ifindex = nm_device_get_ifindex (device);
g_return_if_fail (ifindex > 0);
device: don't use platform singleton getter in device subclasses Reduce the use of NM_PLATFORM_GET / nm_platform_get() to get the platform singleton instance. For one, this is a step towards supporting namespaces, where we need to use different NMNetns/NMPlatform instances depending on in which namespace the device lives. Also, we should reduce our use of singletons. They are difficult to coordinate on shutdown. Instead there should be a clear order of dependencies, expressed by owning a reference to those singelton instances. We already own a reference to the platform singelton, so use it and avoid NM_PLATFORM_GET. (cherry picked from commit 94d9ee129d85ff926a10de78fedcc6b57cdcdb19)
2017-04-18 12:09:02 +02:00
props = nm_platform_link_get_lnk_macsec (nm_device_get_platform (device), ifindex, &plink);
core,libnm: introduce NMDeviceMacsec At the moment the device only exposes the current link status, but cannot create new links.
2016-06-30 18:20:22 +02:00
if (!props) {
_LOGW (LOGD_PLATFORM, "could not get macsec properties");
return;
}
g_object_freeze_notify ((GObject *) device);
if (priv->props.parent_ifindex != props->parent_ifindex)
nm_device_parent_set_ifindex (device, props->parent_ifindex);
#define CHECK_PROPERTY_CHANGED(field, prop) \
device: set properties before emitting the change notification The change doesn't really make a difference. I thought it would, so I did it. But turns out (as the code correctly assumes), while the notifications are frozen, it's OK to leave the property still in an inconsistent state while emitting the notify signal. Still, it feels slightly more correct this way, so keep the change.
2018-03-05 15:23:31 +01:00
G_STMT_START { \
if (priv->props.field != props->field) { \
priv->props.field = props->field; \
_notify (self, prop); \
} \
} G_STMT_END
core,libnm: introduce NMDeviceMacsec At the moment the device only exposes the current link status, but cannot create new links.
2016-06-30 18:20:22 +02:00
CHECK_PROPERTY_CHANGED (sci, PROP_SCI);
CHECK_PROPERTY_CHANGED (cipher_suite, PROP_CIPHER_SUITE);
CHECK_PROPERTY_CHANGED (window, PROP_WINDOW);
CHECK_PROPERTY_CHANGED (icv_length, PROP_ICV_LENGTH);
CHECK_PROPERTY_CHANGED (encoding_sa, PROP_ENCODING_SA);
CHECK_PROPERTY_CHANGED (validation, PROP_VALIDATION);
CHECK_PROPERTY_CHANGED (encrypt, PROP_ENCRYPT);
CHECK_PROPERTY_CHANGED (protect, PROP_PROTECT);
CHECK_PROPERTY_CHANGED (include_sci, PROP_INCLUDE_SCI);
CHECK_PROPERTY_CHANGED (es, PROP_ES);
CHECK_PROPERTY_CHANGED (scb, PROP_SCB);
CHECK_PROPERTY_CHANGED (replay_protect, PROP_REPLAY_PROTECT);
g_object_thaw_notify ((GObject *) device);
}
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
static NMSupplicantConfig *
build_supplicant_config (NMDeviceMacsec *self, GError **error)
{
core: don't cast return value of nm_device_get_applied_setting()
2018-10-22 13:06:27 +02:00
gs_unref_object NMSupplicantConfig *config = NULL;
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
NMSettingMacsec *s_macsec;
NMSetting8021x *s_8021x;
NMConnection *connection;
const char *con_uuid;
guint32 mtu;
connection = nm_device_get_applied_connection (NM_DEVICE (self));
core: don't cast return value of nm_device_get_applied_setting()
2018-10-22 13:06:27 +02:00
g_return_val_if_fail (connection, NULL);
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
con_uuid = nm_connection_get_uuid (connection);
device: don't use platform singleton getter in device subclasses Reduce the use of NM_PLATFORM_GET / nm_platform_get() to get the platform singleton instance. For one, this is a step towards supporting namespaces, where we need to use different NMNetns/NMPlatform instances depending on in which namespace the device lives. Also, we should reduce our use of singletons. They are difficult to coordinate on shutdown. Instead there should be a clear order of dependencies, expressed by owning a reference to those singelton instances. We already own a reference to the platform singelton, so use it and avoid NM_PLATFORM_GET. (cherry picked from commit 94d9ee129d85ff926a10de78fedcc6b57cdcdb19)
2017-04-18 12:09:02 +02:00
mtu = nm_platform_link_get_mtu (nm_device_get_platform (NM_DEVICE (self)),
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
nm_device_get_ifindex (NM_DEVICE (self)));
wifi: enable WPA-*-SHA256 AKMs only when the supplicant supports them Commit 87ec5e90fe79 ("supplicant: set key_mgmt independent of pmf value") enabled WPA-PSK-SHA256 or WPA-EAP-SHA256 even when the supplicant didn't support them, potentially causing connection failures. Instead, use the 'pmf' capability to detect when they can be enabled. Fixes: 87ec5e90fe79fcb2ac315cf1604e757dcab60bb9 https://mail.gnome.org/archives/networkmanager-list/2018-January/msg00096.html
2018-01-17 18:06:54 +01:00
config = nm_supplicant_config_new (FALSE, FALSE);
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
core: don't cast return value of nm_device_get_applied_setting()
2018-10-22 13:06:27 +02:00
s_macsec = nm_device_get_applied_setting (NM_DEVICE (self), NM_TYPE_SETTING_MACSEC);
g_return_val_if_fail (s_macsec, NULL);
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
if (!nm_supplicant_config_add_setting_macsec (config, s_macsec, error)) {
g_prefix_error (error, "macsec-setting: ");
return NULL;
}
if (nm_setting_macsec_get_mode (s_macsec) == NM_SETTING_MACSEC_MODE_EAP) {
s_8021x = nm_connection_get_setting_802_1x (connection);
if (!nm_supplicant_config_add_setting_8021x (config, s_8021x, con_uuid, mtu, TRUE, error)) {
g_prefix_error (error, "802-1x-setting: ");
core: don't cast return value of nm_device_get_applied_setting()
2018-10-22 13:06:27 +02:00
return NULL;
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
}
}
core: don't cast return value of nm_device_get_applied_setting()
2018-10-22 13:06:27 +02:00
return g_steal_pointer (&config);
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
}
static void
supplicant: rework nm_supplicant_interface_set_config() to invoke result callback Instead of having a NM_SUPPLICANT_INTERFACE_CONNECTION_ERROR signal to notify about failures during AddNetwork/SelectNetwork, accept a callback to report success/failure. Thereby, rename nm_supplicant_interface_set_config() to nm_supplicant_interface_assoc(). The async callback is guaranteed to: - be invoked exactly once, signalling success or failure - always being invoked asyncronously. The pending request can be (synchronously) cancelled via nm_supplicant_interface_disconnect() or by disposing the interface instance. In those cases the callback will be invoked too, with error code cancelled/disposing.
2017-02-14 19:30:21 +01:00
supplicant_interface_release (NMDeviceMacsec *self)
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
{
NMDeviceMacsecPrivate *priv = NM_DEVICE_MACSEC_GET_PRIVATE (self);
nm_clear_g_source (&priv->supplicant_timeout_id);
nm_clear_g_source (&priv->supplicant.con_timeout_id);
nm_clear_g_signal_handler (priv->supplicant.iface, &priv->supplicant.iface_state_id);
if (priv->supplicant.iface) {
nm_supplicant_interface_disconnect (priv->supplicant.iface);
g_clear_object (&priv->supplicant.iface);
}
}
static void
supplicant: rework nm_supplicant_interface_set_config() to invoke result callback Instead of having a NM_SUPPLICANT_INTERFACE_CONNECTION_ERROR signal to notify about failures during AddNetwork/SelectNetwork, accept a callback to report success/failure. Thereby, rename nm_supplicant_interface_set_config() to nm_supplicant_interface_assoc(). The async callback is guaranteed to: - be invoked exactly once, signalling success or failure - always being invoked asyncronously. The pending request can be (synchronously) cancelled via nm_supplicant_interface_disconnect() or by disposing the interface instance. In those cases the callback will be invoked too, with error code cancelled/disposing.
2017-02-14 19:30:21 +01:00
supplicant_iface_assoc_cb (NMSupplicantInterface *iface,
GError *error,
gpointer user_data)
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
{
NMDeviceMacsec *self = NM_DEVICE_MACSEC (user_data);
supplicant: rework nm_supplicant_interface_set_config() to invoke result callback Instead of having a NM_SUPPLICANT_INTERFACE_CONNECTION_ERROR signal to notify about failures during AddNetwork/SelectNetwork, accept a callback to report success/failure. Thereby, rename nm_supplicant_interface_set_config() to nm_supplicant_interface_assoc(). The async callback is guaranteed to: - be invoked exactly once, signalling success or failure - always being invoked asyncronously. The pending request can be (synchronously) cancelled via nm_supplicant_interface_disconnect() or by disposing the interface instance. In those cases the callback will be invoked too, with error code cancelled/disposing.
2017-02-14 19:30:21 +01:00
if (error && !nm_utils_error_is_cancelled (error, TRUE)) {
supplicant_interface_release (self);
nm_device_queue_state (NM_DEVICE (self),
NM_DEVICE_STATE_FAILED,
NM_DEVICE_STATE_REASON_SUPPLICANT_CONFIG_FAILED);
}
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
}
static void
macsec_secrets_cb (NMActRequest *req,
core: refactor NMActRequestGetSecretsCallId typedef not to be a pointer to struct Typedefs to structs are fine, but a typedef for a pointer seems confusing to me. Let's avoid it.
2017-11-24 16:24:40 +01:00
NMActRequestGetSecretsCallId *call_id,
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
NMSettingsConnection *connection,
GError *error,
gpointer user_data)
{
NMDeviceMacsec *self = NM_DEVICE_MACSEC (user_data);
NMDevice *device = NM_DEVICE (self);
NMDeviceMacsecPrivate *priv;
g_return_if_fail (NM_IS_DEVICE_MACSEC (self));
g_return_if_fail (NM_IS_ACT_REQUEST (req));
priv = NM_DEVICE_MACSEC_GET_PRIVATE (self);
g_return_if_fail (priv->macsec_secrets_id == call_id);
priv->macsec_secrets_id = NULL;
if (g_error_matches (error, G_IO_ERROR, G_IO_ERROR_CANCELLED))
return;
g_return_if_fail (req == nm_device_get_act_request (device));
g_return_if_fail (nm_device_get_state (device) == NM_DEVICE_STATE_NEED_AUTH);
g_return_if_fail (nm_act_request_get_settings_connection (req) == connection);
if (error) {
_LOGW (LOGD_ETHER, "%s", error->message);
nm_device_state_changed (device,
NM_DEVICE_STATE_FAILED,
NM_DEVICE_STATE_REASON_NO_SECRETS);
} else
nm_device_activate_schedule_stage1_device_prepare (device);
}
static void
macsec_secrets_cancel (NMDeviceMacsec *self)
{
NMDeviceMacsecPrivate *priv = NM_DEVICE_MACSEC_GET_PRIVATE (self);
if (priv->macsec_secrets_id)
nm_act_request_cancel_secrets (NULL, priv->macsec_secrets_id);
nm_assert (!priv->macsec_secrets_id);
}
static void
macsec_secrets_get_secrets (NMDeviceMacsec *self,
const char *setting_name,
NMSecretAgentGetSecretsFlags flags)
{
NMDeviceMacsecPrivate *priv = NM_DEVICE_MACSEC_GET_PRIVATE (self);
NMActRequest *req;
macsec_secrets_cancel (self);
req = nm_device_get_act_request (NM_DEVICE (self));
g_return_if_fail (NM_IS_ACT_REQUEST (req));
priv->macsec_secrets_id = nm_act_request_get_secrets (req,
TRUE,
setting_name,
flags,
NULL,
macsec_secrets_cb,
self);
g_return_if_fail (priv->macsec_secrets_id);
}
static gboolean
link_timeout_cb (gpointer user_data)
{
NMDeviceMacsec *self = NM_DEVICE_MACSEC (user_data);
NMDeviceMacsecPrivate *priv = NM_DEVICE_MACSEC_GET_PRIVATE (self);
NMDevice *dev = NM_DEVICE (self);
NMActRequest *req;
NMConnection *applied_connection;
const char *setting_name;
priv->supplicant_timeout_id = 0;
req = nm_device_get_act_request (dev);
if (nm_device_get_state (dev) == NM_DEVICE_STATE_ACTIVATED) {
nm_device_state_changed (dev,
NM_DEVICE_STATE_FAILED,
NM_DEVICE_STATE_REASON_SUPPLICANT_TIMEOUT);
return FALSE;
}
/* Disconnect event during initial authentication and credentials
* ARE checked - we are likely to have wrong key. Ask the user for
* another one.
*/
if (nm_device_get_state (dev) != NM_DEVICE_STATE_CONFIG)
goto time_out;
nm_active_connection_clear_secrets (NM_ACTIVE_CONNECTION (req));
applied_connection = nm_act_request_get_applied_connection (req);
setting_name = nm_connection_need_secrets (applied_connection, NULL);
if (!setting_name)
goto time_out;
_LOGI (LOGD_DEVICE | LOGD_ETHER,
"Activation: disconnected during authentication, asking for new key.");
supplicant_interface_release (self);
nm_device_state_changed (dev, NM_DEVICE_STATE_NEED_AUTH, NM_DEVICE_STATE_REASON_SUPPLICANT_DISCONNECT);
macsec_secrets_get_secrets (self, setting_name, NM_SECRET_AGENT_GET_SECRETS_FLAG_REQUEST_NEW);
return FALSE;
time_out:
_LOGW (LOGD_DEVICE | LOGD_ETHER, "link timed out.");
nm_device_state_changed (dev, NM_DEVICE_STATE_FAILED, NM_DEVICE_STATE_REASON_SUPPLICANT_DISCONNECT);
return FALSE;
}
static void
supplicant_iface_state_cb (NMSupplicantInterface *iface,
wifi: introduce enum type NMSupplicantInterfaceState instead of plain int Also change the signature of the NM_SUPPLICANT_INTERFACE_STATE signal, to have three "int" type arguments. Thereby also fix the subscribers to this signal that wrongly had type guint32, instead of guint (which happens to be the same underlying type, so no real problem). https://mail.gnome.org/archives/networkmanager-list/2017-February/msg00021.html
2017-02-14 01:30:25 +01:00
int new_state_i,
int old_state_i,
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
int disconnect_reason,
gpointer user_data)
{
NMDeviceMacsec *self = NM_DEVICE_MACSEC (user_data);
NMDeviceMacsecPrivate *priv = NM_DEVICE_MACSEC_GET_PRIVATE (self);
NMDevice *device = NM_DEVICE (self);
NMSupplicantConfig *config;
NMDeviceState devstate;
GError *error = NULL;
wifi: introduce enum type NMSupplicantInterfaceState instead of plain int Also change the signature of the NM_SUPPLICANT_INTERFACE_STATE signal, to have three "int" type arguments. Thereby also fix the subscribers to this signal that wrongly had type guint32, instead of guint (which happens to be the same underlying type, so no real problem). https://mail.gnome.org/archives/networkmanager-list/2017-February/msg00021.html
2017-02-14 01:30:25 +01:00
NMSupplicantInterfaceState new_state = new_state_i;
NMSupplicantInterfaceState old_state = old_state_i;
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
if (new_state == old_state)
return;
_LOGI (LOGD_DEVICE, "supplicant interface state: %s -> %s",
nm_supplicant_interface_state_to_string (old_state),
nm_supplicant_interface_state_to_string (new_state));
devstate = nm_device_get_state (device);
switch (new_state) {
case NM_SUPPLICANT_INTERFACE_STATE_READY:
config = build_supplicant_config (self, &error);
if (config) {
supplicant: rework nm_supplicant_interface_set_config() to invoke result callback Instead of having a NM_SUPPLICANT_INTERFACE_CONNECTION_ERROR signal to notify about failures during AddNetwork/SelectNetwork, accept a callback to report success/failure. Thereby, rename nm_supplicant_interface_set_config() to nm_supplicant_interface_assoc(). The async callback is guaranteed to: - be invoked exactly once, signalling success or failure - always being invoked asyncronously. The pending request can be (synchronously) cancelled via nm_supplicant_interface_disconnect() or by disposing the interface instance. In those cases the callback will be invoked too, with error code cancelled/disposing.
2017-02-14 19:30:21 +01:00
nm_supplicant_interface_assoc (priv->supplicant.iface, config,
supplicant_iface_assoc_cb, self);
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
g_object_unref (config);
} else {
_LOGE (LOGD_DEVICE,
"Activation: couldn't build security configuration: %s",
error->message);
g_clear_error (&error);
nm_device_state_changed (device,
NM_DEVICE_STATE_FAILED,
NM_DEVICE_STATE_REASON_SUPPLICANT_CONFIG_FAILED);
}
break;
case NM_SUPPLICANT_INTERFACE_STATE_COMPLETED:
supplicant: rework nm_supplicant_interface_set_config() to invoke result callback Instead of having a NM_SUPPLICANT_INTERFACE_CONNECTION_ERROR signal to notify about failures during AddNetwork/SelectNetwork, accept a callback to report success/failure. Thereby, rename nm_supplicant_interface_set_config() to nm_supplicant_interface_assoc(). The async callback is guaranteed to: - be invoked exactly once, signalling success or failure - always being invoked asyncronously. The pending request can be (synchronously) cancelled via nm_supplicant_interface_disconnect() or by disposing the interface instance. In those cases the callback will be invoked too, with error code cancelled/disposing.
2017-02-14 19:30:21 +01:00
nm_clear_g_source (&priv->supplicant_timeout_id);
nm_clear_g_source (&priv->supplicant.con_timeout_id);
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
nm_device_bring_up (device, TRUE, NULL);
/* If this is the initial association during device activation,
* schedule the next activation stage.
*/
if (devstate == NM_DEVICE_STATE_CONFIG) {
_LOGI (LOGD_DEVICE,
"Activation: Stage 2 of 5 (Device Configure) successful.");
nm_device_activate_schedule_stage3_ip_config_start (device);
}
break;
case NM_SUPPLICANT_INTERFACE_STATE_DISCONNECTED:
if ((devstate == NM_DEVICE_STATE_ACTIVATED) || nm_device_is_activating (device)) {
/* Start the link timeout so we allow some time for reauthentication */
if (!priv->supplicant_timeout_id)
priv->supplicant_timeout_id = g_timeout_add_seconds (15, link_timeout_cb, device);
}
break;
case NM_SUPPLICANT_INTERFACE_STATE_DOWN:
supplicant_interface_release (self);
if ((devstate == NM_DEVICE_STATE_ACTIVATED) || nm_device_is_activating (device)) {
nm_device_state_changed (device,
NM_DEVICE_STATE_FAILED,
NM_DEVICE_STATE_REASON_SUPPLICANT_FAILED);
}
break;
default:
;
}
}
static NMActStageReturn
handle_auth_or_fail (NMDeviceMacsec *self,
NMActRequest *req,
gboolean new_secrets)
{
const char *setting_name;
NMConnection *applied_connection;
device: move tracking auth_retry to NMDevice It will be also used by NMDeviceWifi. It might waste a 4 bytes for device types that don't require authentication. But it deduplicates code.
2017-11-02 10:56:30 +01:00
if (!nm_device_auth_retries_try_next (NM_DEVICE (self)))
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
return NM_ACT_STAGE_RETURN_FAILURE;
device: honor the connection.autoconnect-retries for 802.1X NMDeviceEthernet and NMDeviceMacsec implement their own retry policy for connection using 802.1X, and consider the credentials wrong when the authentication fails for 3 times. In such case, they also disable autoconnection for the device by setting the state reason NO_SECRETS. This means that it's not possible at the moment to choose how many times the authentication will be retried since they don't use the standard reconnection logic. Change NMDeviceEthernet and NMDeviceMacsec to use the number of retries from connection.autoconnect-retries instead of a hardcoded value to decide how many times the authentication must be restarted.
2017-01-19 17:25:31 +01:00
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
nm_device_state_changed (NM_DEVICE (self), NM_DEVICE_STATE_NEED_AUTH, NM_DEVICE_STATE_REASON_NONE);
nm_active_connection_clear_secrets (NM_ACTIVE_CONNECTION (req));
device: handle authentication retries using 802-1x.auth-retries setting Since commit 4a6fd0e83ec0d83547b1f3a1a916f85e9f450d8c (device: honor the connection.autoconnect-retries for 802.1X) and the related bug bgo#723084, we reuse the autoconnect-retries setting to control the retry count for requesting passwords. I think that is wrong. These are two different settings, we should not reuse the autoconnect retry counter while the device is still active. For example, the user might wish to set autoconnect-retries to infinity (zero). In that case, we would retry indefinitly to request a password. That could be problematic, if there is a different issue with the connection, that makes it appear tha the password is wrong. A full re-activation might succeed, but we would never stop retrying to authenticate. Instead, we should have two different settings for retrying to authenticate and to autoconnect. This is a change in behavior compared to 1.8.
2017-10-24 11:11:18 +02:00
applied_connection = nm_act_request_get_applied_connection (req);
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
setting_name = nm_connection_need_secrets (applied_connection, NULL);
device: return early from handle_auth_or_fail() on failure Don't do if-else, if one branch is going to return with failure.
2018-04-12 14:16:25 +02:00
if (!setting_name) {
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
_LOGI (LOGD_DEVICE, "Cleared secrets, but setting didn't need any secrets.");
device: let macsec connection fail on supplicant timeout if no secrets are required Like for ethernet.
2018-04-12 14:13:23 +02:00
return NM_ACT_STAGE_RETURN_FAILURE;
}
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
device: return early from handle_auth_or_fail() on failure Don't do if-else, if one branch is going to return with failure.
2018-04-12 14:16:25 +02:00
macsec_secrets_get_secrets (self, setting_name,
NM_SECRET_AGENT_GET_SECRETS_FLAG_ALLOW_INTERACTION
| (new_secrets ? NM_SECRET_AGENT_GET_SECRETS_FLAG_REQUEST_NEW : 0));
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
return NM_ACT_STAGE_RETURN_POSTPONE;
}
static gboolean
supplicant_connection_timeout_cb (gpointer user_data)
{
NMDeviceMacsec *self = NM_DEVICE_MACSEC (user_data);
NMDeviceMacsecPrivate *priv = NM_DEVICE_MACSEC_GET_PRIVATE (self);
NMDevice *device = NM_DEVICE (self);
NMActRequest *req;
NMSettingsConnection *connection;
guint64 timestamp = 0;
gboolean new_secrets = TRUE;
priv->supplicant.con_timeout_id = 0;
/* Authentication failed; either driver problems, the encryption key is
* wrong, the passwords or certificates were wrong or the Ethernet switch's
* port is not configured for 802.1x. */
_LOGW (LOGD_DEVICE,
"Activation: (macsec) association took too long.");
supplicant_interface_release (self);
req = nm_device_get_act_request (device);
g_assert (req);
connection = nm_act_request_get_settings_connection (req);
g_assert (connection);
/* Ask for new secrets only if we've never activated this connection
* before. If we've connected before, don't bother the user with dialogs,
* just retry or fail, and if we never connect the user can fix the
* password somewhere else. */
if (nm_settings_connection_get_timestamp (connection, &timestamp))
new_secrets = !timestamp;
if (handle_auth_or_fail (self, req, new_secrets) == NM_ACT_STAGE_RETURN_POSTPONE)
_LOGW (LOGD_DEVICE, "Activation: (macsec) asking for new secrets");
else
nm_device_state_changed (device, NM_DEVICE_STATE_FAILED, NM_DEVICE_STATE_REASON_NO_SECRETS);
return FALSE;
}
static gboolean
supplicant_interface_init (NMDeviceMacsec *self)
{
NMDeviceMacsecPrivate *priv = NM_DEVICE_MACSEC_GET_PRIVATE (self);
NMDevice *parent;
device: add support for 802-1x.auth-timeout Use the per-connection authentication timeout for 802.1X Ethernet, MACsec and Wi-Fi connections. In case the value is not defined, fall back to the global one.
2017-01-19 17:25:29 +01:00
guint timeout;
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
parent = nm_device_parent_get_device (NM_DEVICE (self));
g_return_val_if_fail (parent, FALSE);
supplicant_interface_release (self);
priv->supplicant.iface = nm_supplicant_manager_create_interface (priv->supplicant.mgr,
nm_device_get_iface (parent),
NM_SUPPLICANT_DRIVER_MACSEC);
if (!priv->supplicant.iface) {
_LOGE (LOGD_DEVICE,
"Couldn't initialize supplicant interface");
return FALSE;
}
/* Listen for its state signals */
priv->supplicant.iface_state_id = g_signal_connect (priv->supplicant.iface,
NM_SUPPLICANT_INTERFACE_STATE,
G_CALLBACK (supplicant_iface_state_cb),
self);
device: add support for 802-1x.auth-timeout Use the per-connection authentication timeout for 802.1X Ethernet, MACsec and Wi-Fi connections. In case the value is not defined, fall back to the global one.
2017-01-19 17:25:29 +01:00
/* Set up a timeout on the connection attempt */
timeout = nm_device_get_supplicant_timeout (NM_DEVICE (self));
priv->supplicant.con_timeout_id = g_timeout_add_seconds (timeout,
supplicant_connection_timeout_cb,
self);
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
return TRUE;
}
static NMActStageReturn
device: rename device-state-reason argument to out_failure_reason This argument is only relevant when the NMActStageReturn argument indicates NM_ACT_STAGE_RETURN_FAILURE. In all other cases it is ignored. Rename the argument to make the meaning clearer. The argument is passed through several layers of code, it isn't obvious that this argument only matters for the failure case. Also, the distinct name makes it easier to distinguish from other uses of the "reason" name. While at it, do some drive-by cleanup: - use g_return_*() instead of g_assert() to have a more graceful assertion. - functions like dhcp4_start() don't need to return a failure reason. Most callers don't care, and the caller who does can determine the proper reason. - allow omitting the out-argument via NM_SET_OUT().
2017-02-22 17:04:00 +01:00
act_stage2_config (NMDevice *device, NMDeviceStateReason *out_failure_reason)
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
{
NMDeviceMacsec *self = NM_DEVICE_MACSEC (device);
NMDeviceMacsecPrivate *priv = NM_DEVICE_MACSEC_GET_PRIVATE (self);
NMConnection *connection;
NMActStageReturn ret = NM_ACT_STAGE_RETURN_FAILURE;
const char *setting_name;
connection = nm_device_get_applied_connection (NM_DEVICE (self));
core: don't cast return value of nm_device_get_applied_setting()
2018-10-22 13:06:27 +02:00
device: rename device-state-reason argument to out_failure_reason This argument is only relevant when the NMActStageReturn argument indicates NM_ACT_STAGE_RETURN_FAILURE. In all other cases it is ignored. Rename the argument to make the meaning clearer. The argument is passed through several layers of code, it isn't obvious that this argument only matters for the failure case. Also, the distinct name makes it easier to distinguish from other uses of the "reason" name. While at it, do some drive-by cleanup: - use g_return_*() instead of g_assert() to have a more graceful assertion. - functions like dhcp4_start() don't need to return a failure reason. Most callers don't care, and the caller who does can determine the proper reason. - allow omitting the out-argument via NM_SET_OUT().
2017-02-22 17:04:00 +01:00
g_return_val_if_fail (connection, NM_ACT_STAGE_RETURN_FAILURE);
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
if (!priv->supplicant.mgr)
priv->supplicant.mgr = g_object_ref (nm_supplicant_manager_get ());
/* If we need secrets, get them */
setting_name = nm_connection_need_secrets (connection, NULL);
if (setting_name) {
NMActRequest *req = nm_device_get_act_request (NM_DEVICE (self));
_LOGI (LOGD_DEVICE,
"Activation: connection '%s' has security, but secrets are required.",
nm_connection_get_id (connection));
ret = handle_auth_or_fail (self, req, FALSE);
if (ret != NM_ACT_STAGE_RETURN_POSTPONE)
device: rename device-state-reason argument to out_failure_reason This argument is only relevant when the NMActStageReturn argument indicates NM_ACT_STAGE_RETURN_FAILURE. In all other cases it is ignored. Rename the argument to make the meaning clearer. The argument is passed through several layers of code, it isn't obvious that this argument only matters for the failure case. Also, the distinct name makes it easier to distinguish from other uses of the "reason" name. While at it, do some drive-by cleanup: - use g_return_*() instead of g_assert() to have a more graceful assertion. - functions like dhcp4_start() don't need to return a failure reason. Most callers don't care, and the caller who does can determine the proper reason. - allow omitting the out-argument via NM_SET_OUT().
2017-02-22 17:04:00 +01:00
NM_SET_OUT (out_failure_reason, NM_DEVICE_STATE_REASON_NO_SECRETS);
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
} else {
_LOGI (LOGD_DEVICE | LOGD_ETHER,
"Activation: connection '%s' requires no security. No secrets needed.",
nm_connection_get_id (connection));
if (supplicant_interface_init (self))
ret = NM_ACT_STAGE_RETURN_POSTPONE;
else
device: rename device-state-reason argument to out_failure_reason This argument is only relevant when the NMActStageReturn argument indicates NM_ACT_STAGE_RETURN_FAILURE. In all other cases it is ignored. Rename the argument to make the meaning clearer. The argument is passed through several layers of code, it isn't obvious that this argument only matters for the failure case. Also, the distinct name makes it easier to distinguish from other uses of the "reason" name. While at it, do some drive-by cleanup: - use g_return_*() instead of g_assert() to have a more graceful assertion. - functions like dhcp4_start() don't need to return a failure reason. Most callers don't care, and the caller who does can determine the proper reason. - allow omitting the out-argument via NM_SET_OUT().
2017-02-22 17:04:00 +01:00
NM_SET_OUT (out_failure_reason, NM_DEVICE_STATE_REASON_CONFIG_FAILED);
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
}
return ret;
}
static void
deactivate (NMDevice *device)
{
NMDeviceMacsec *self = NM_DEVICE_MACSEC (device);
supplicant_interface_release (self);
}
core,libnm: introduce NMDeviceMacsec At the moment the device only exposes the current link status, but cannot create new links.
2016-06-30 18:20:22 +02:00
/******************************************************************/
static NMDeviceCapabilities
get_generic_capabilities (NMDevice *dev)
{
/* We assume MACsec interfaces always support carrier detect */
return NM_DEVICE_CAP_CARRIER_DETECT | NM_DEVICE_CAP_IS_SOFTWARE;
}
/******************************************************************/
static gboolean
is_available (NMDevice *device, NMDeviceCheckDevAvailableFlags flags)
{
if (!nm_device_parent_get_device (device))
return FALSE;
return NM_DEVICE_CLASS (nm_device_macsec_parent_class)->is_available (device, flags);
}
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
static gboolean
create_and_realize (NMDevice *device,
NMConnection *connection,
NMDevice *parent,
const NMPlatformLink **out_plink,
GError **error)
{
const char *iface = nm_device_get_iface (device);
NMSettingMacsec *s_macsec;
NMPlatformLnkMacsec lnk = { };
int parent_ifindex;
const char *hw_addr;
union {
struct {
guint8 mac[6];
guint16 port;
} s;
guint64 u;
} sci;
platform: merge NMPlatformError with nm-error Platform had it's own scheme for reporting errors: NMPlatformError. Before, NMPlatformError indicated success via zero, negative integer values are numbers from <errno.h>, and positive integer values are platform specific codes. This changes now according to nm-error: success is still zero. Negative values indicate a failure, where the numeric value is either from <errno.h> or one of our error codes. The meaning of positive values depends on the functions. Most functions can only report an error reason (negative) and success (zero). For such functions, positive values should never be returned (but the caller should anticipate them). For some functions, positive values could mean additional information (but still success). That depends. This is also what systemd does, except that systemd only returns (negative) integers from <errno.h>, while we merge our own error codes into the range of <errno.h>. The advantage is to get rid of one way how to signal errors. The other advantage is, that these error codes are compatible with all other nm-errno values. For example, previously negative values indicated error codes from <errno.h>, but it did not entail error codes from netlink.
2018-12-22 14:13:05 +01:00
int r;
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
s_macsec = nm_connection_get_setting_macsec (connection);
g_assert (s_macsec);
if (!parent) {
manager: downgrade error message for missing dependencies At startup the manager tries to create virtual devices without a specific order and spits warnings when a device can't be realized because the parent device is not yet created. These failures are not something the user should worry about because the creation will be retried when the parent appears. A better approach is to return an error code from the device's create_and_realize() telling that it failed because the parent doesn't exist. In this way, the manager knows that the device isn't ready and can avoid printing warning messages.
2017-09-14 09:26:51 +02:00
g_set_error (error, NM_DEVICE_ERROR, NM_DEVICE_ERROR_MISSING_DEPENDENCIES,
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
"MACsec devices can not be created without a parent interface");
return FALSE;
}
lnk.encrypt = nm_setting_macsec_get_encrypt (s_macsec);
hw_addr = nm_device_get_hw_address (parent);
if (!hw_addr) {
g_set_error (error, NM_DEVICE_ERROR, NM_DEVICE_ERROR_FAILED,
"can't read parent MAC");
return FALSE;
}
nm_utils_hwaddr_aton (hw_addr, sci.s.mac, ETH_ALEN);
sci.s.port = htons (nm_setting_macsec_get_port (s_macsec));
lnk.sci = be64toh (sci.u);
lnk.validation = nm_setting_macsec_get_validation (s_macsec);
macsec: enable send-sci by default and make the option configurable It is safer to enable send-sci by default because, at the cost of 8-byte overhead, it makes MACsec work over bridges (note that kernel also enables it by default). While at it, also make the option configurable. https://bugzilla.redhat.com/show_bug.cgi?id=1588041
2018-06-06 15:26:17 +02:00
lnk.include_sci = nm_setting_macsec_get_send_sci (s_macsec);
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
parent_ifindex = nm_device_get_ifindex (parent);
g_warn_if_fail (parent_ifindex > 0);
platform: merge NMPlatformError with nm-error Platform had it's own scheme for reporting errors: NMPlatformError. Before, NMPlatformError indicated success via zero, negative integer values are numbers from <errno.h>, and positive integer values are platform specific codes. This changes now according to nm-error: success is still zero. Negative values indicate a failure, where the numeric value is either from <errno.h> or one of our error codes. The meaning of positive values depends on the functions. Most functions can only report an error reason (negative) and success (zero). For such functions, positive values should never be returned (but the caller should anticipate them). For some functions, positive values could mean additional information (but still success). That depends. This is also what systemd does, except that systemd only returns (negative) integers from <errno.h>, while we merge our own error codes into the range of <errno.h>. The advantage is to get rid of one way how to signal errors. The other advantage is, that these error codes are compatible with all other nm-errno values. For example, previously negative values indicated error codes from <errno.h>, but it did not entail error codes from netlink.
2018-12-22 14:13:05 +01:00
r = nm_platform_link_macsec_add (nm_device_get_platform (device), iface, parent_ifindex, &lnk, out_plink);
if (r < 0) {
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
g_set_error (error, NM_DEVICE_ERROR, NM_DEVICE_ERROR_CREATION_FAILED,
"Failed to create macsec interface '%s' for '%s': %s",
iface,
nm_connection_get_id (connection),
platform: merge NMPlatformError with nm-error Platform had it's own scheme for reporting errors: NMPlatformError. Before, NMPlatformError indicated success via zero, negative integer values are numbers from <errno.h>, and positive integer values are platform specific codes. This changes now according to nm-error: success is still zero. Negative values indicate a failure, where the numeric value is either from <errno.h> or one of our error codes. The meaning of positive values depends on the functions. Most functions can only report an error reason (negative) and success (zero). For such functions, positive values should never be returned (but the caller should anticipate them). For some functions, positive values could mean additional information (but still success). That depends. This is also what systemd does, except that systemd only returns (negative) integers from <errno.h>, while we merge our own error codes into the range of <errno.h>. The advantage is to get rid of one way how to signal errors. The other advantage is, that these error codes are compatible with all other nm-errno values. For example, previously negative values indicated error codes from <errno.h>, but it did not entail error codes from netlink.
2018-12-22 14:13:05 +01:00
nm_strerror (r));
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
return FALSE;
}
nm_device_parent_set_ifindex (device, parent_ifindex);
return TRUE;
}
core,libnm: introduce NMDeviceMacsec At the moment the device only exposes the current link status, but cannot create new links.
2016-06-30 18:20:22 +02:00
static void
link_changed (NMDevice *device,
const NMPlatformLink *pllink)
{
NM_DEVICE_CLASS (nm_device_macsec_parent_class)->link_changed (device, pllink);
update_properties (device);
}
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
static void
device_state_changed (NMDevice *device,
NMDeviceState new_state,
NMDeviceState old_state,
NMDeviceStateReason reason)
{
if (new_state > NM_DEVICE_STATE_ACTIVATED)
macsec_secrets_cancel (NM_DEVICE_MACSEC (device));
}
core,libnm: introduce NMDeviceMacsec At the moment the device only exposes the current link status, but cannot create new links.
2016-06-30 18:20:22 +02:00
/******************************************************************/
static void
get_property (GObject *object, guint prop_id,
GValue *value, GParamSpec *pspec)
{
NMDeviceMacsec *self = NM_DEVICE_MACSEC (object);
NMDeviceMacsecPrivate *priv = NM_DEVICE_MACSEC_GET_PRIVATE (self);
switch (prop_id) {
case PROP_SCI:
g_value_set_uint64 (value, priv->props.sci);
break;
case PROP_CIPHER_SUITE:
g_value_set_uint64 (value, priv->props.cipher_suite);
break;
case PROP_ICV_LENGTH:
g_value_set_uchar (value, priv->props.icv_length);
break;
case PROP_WINDOW:
g_value_set_uint (value, priv->props.window);
break;
case PROP_ENCODING_SA:
g_value_set_uchar (value, priv->props.encoding_sa);
break;
case PROP_ENCRYPT:
g_value_set_boolean (value, priv->props.encrypt);
break;
case PROP_PROTECT:
g_value_set_boolean (value, priv->props.protect);
break;
case PROP_INCLUDE_SCI:
g_value_set_boolean (value, priv->props.include_sci);
break;
case PROP_ES:
g_value_set_boolean (value, priv->props.es);
break;
case PROP_SCB:
g_value_set_boolean (value, priv->props.scb);
break;
case PROP_REPLAY_PROTECT:
g_value_set_boolean (value, priv->props.replay_protect);
break;
case PROP_VALIDATION:
g_value_set_string (value,
validation_mode_to_string (priv->props.validation));
break;
default:
G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
break;
}
}
static void
device: handle authentication retries using 802-1x.auth-retries setting Since commit 4a6fd0e83ec0d83547b1f3a1a916f85e9f450d8c (device: honor the connection.autoconnect-retries for 802.1X) and the related bug bgo#723084, we reuse the autoconnect-retries setting to control the retry count for requesting passwords. I think that is wrong. These are two different settings, we should not reuse the autoconnect retry counter while the device is still active. For example, the user might wish to set autoconnect-retries to infinity (zero). In that case, we would retry indefinitly to request a password. That could be problematic, if there is a different issue with the connection, that makes it appear tha the password is wrong. A full re-activation might succeed, but we would never stop retrying to authenticate. Instead, we should have two different settings for retrying to authenticate and to autoconnect. This is a change in behavior compared to 1.8.
2017-10-24 11:11:18 +02:00
nm_device_macsec_init (NMDeviceMacsec *self)
core,libnm: introduce NMDeviceMacsec At the moment the device only exposes the current link status, but cannot create new links.
2016-06-30 18:20:22 +02:00
{
}
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
static void
dispose (GObject *object)
{
NMDeviceMacsec *self = NM_DEVICE_MACSEC (object);
macsec_secrets_cancel (self);
supplicant_interface_release (self);
G_OBJECT_CLASS (nm_device_macsec_parent_class)->dispose (object);
}
core/dbus: rework D-Bus implementation to use lower layer GDBusConnection API Previously, we used the generated GDBusInterfaceSkeleton types and glued them via the NMExportedObject base class to our NM types. We also used GDBusObjectManagerServer. Don't do that anymore. The resulting code was more complicated despite (or because?) using generated classes. It was hard to understand, complex, had ordering-issues, and had a runtime and memory overhead. This patch refactors this entirely and uses the lower layer API GDBusConnection directly. It replaces the generated code, GDBusInterfaceSkeleton, and GDBusObjectManagerServer. All this is now done by NMDbusObject and NMDBusManager and static descriptor instances of type GDBusInterfaceInfo. This adds a net plus of more then 1300 lines of hand written code. I claim that this implementation is easier to understand. Note that previously we also required extensive and complex glue code to bind our objects to the generated skeleton objects. Instead, now glue our objects directly to GDBusConnection. The result is more immediate and gets rid of layers of code in between. Now that the D-Bus glue us more under our control, we can address issus and bottlenecks better, instead of adding code to bend the generated skeletons to our needs. Note that the current implementation now only supports one D-Bus connection. That was effectively the case already, although there were places (and still are) where the code pretends it could also support connections from a private socket. We dropped private socket support mainly because it was unused, untested and buggy, but also because GDBusObjectManagerServer could not export the same objects on multiple connections. Now, it would be rather straight forward to fix that and re-introduce ObjectManager on each private connection. But this commit doesn't do that yet, and the new code intentionally supports only one D-Bus connection. Also, the D-Bus startup was simplified. There is no retry, either nm_dbus_manager_start() succeeds, or it detects the initrd case. In the initrd case, bus manager never tries to connect to D-Bus. Since the initrd scenario is not yet used/tested, this is good enough for the moment. It could be easily extended later, for example with polling whether the system bus appears (like was done previously). Also, restart of D-Bus daemon isn't supported either -- just like before. Note how NMDBusManager now implements the ObjectManager D-Bus interface directly. Also, this fixes race issues in the server, by no longer delaying PropertiesChanged signals. NMExportedObject would collect changed properties and send the signal out in idle_emit_properties_changed() on idle. This messes up the ordering of change events w.r.t. other signals and events on the bus. Note that not only NMExportedObject messed up the ordering. Also the generated code would hook into notify() and process change events in and idle handle, exhibiting the same ordering issue too. No longer do that. PropertiesChanged signals will be sent right away by hooking into dispatch_properties_changed(). This means, changing a property in quick succession will no longer be combined and is guaranteed to emit signals for each individual state. Quite possibly we emit now more PropertiesChanged signals then before. However, we are now able to group a set of changes by using standard g_object_freeze_notify()/g_object_thaw_notify(). We probably should make more use of that. Also, now that our signals are all handled in the right order, we might find places where we still emit them in the wrong order. But that is then due to the order in which our GObjects emit signals, not due to an ill behavior of the D-Bus glue. Possibly we need to identify such ordering issues and fix them. Numbers (for contrib/rpm --without debug on x86_64): - the patch changes the code size of NetworkManager by - 2809360 bytes + 2537528 bytes (-9.7%) - Runtime measurements are harder because there is a large variance during testing. In other words, the numbers are not reproducible. Currently, the implementation performs no caching of GVariants at all, but it would be rather simple to add it, if that turns out to be useful. Anyway, without strong claim, it seems that the new form tends to perform slightly better. That would be no surprise. $ time (for i in {1..1000}; do nmcli >/dev/null || break; echo -n .; done) - real 1m39.355s + real 1m37.432s $ time (for i in {1..2000}; do busctl call org.freedesktop.NetworkManager /org/freedesktop org.freedesktop.DBus.ObjectManager GetManagedObjects > /dev/null || break; echo -n .; done) - real 0m26.843s + real 0m25.281s - Regarding RSS size, just looking at the processes in similar conditions, doesn't give a large difference. On my system they consume about 19MB RSS. It seems that the new version has a slightly smaller RSS size. - 19356 RSS + 18660 RSS
2018-02-26 13:51:52 +01:00
static const NMDBusInterfaceInfoExtended interface_info_device_macsec = {
.parent = NM_DEFINE_GDBUS_INTERFACE_INFO_INIT (
NM_DBUS_INTERFACE_DEVICE_MACSEC,
.signals = NM_DEFINE_GDBUS_SIGNAL_INFOS (
&nm_signal_info_property_changed_legacy,
),
.properties = NM_DEFINE_GDBUS_PROPERTY_INFOS (
NM_DEFINE_DBUS_PROPERTY_INFO_EXTENDED_READABLE_L ("Parent", "o", NM_DEVICE_PARENT),
NM_DEFINE_DBUS_PROPERTY_INFO_EXTENDED_READABLE_L ("Sci", "t", NM_DEVICE_MACSEC_SCI),
NM_DEFINE_DBUS_PROPERTY_INFO_EXTENDED_READABLE_L ("IcvLength", "y", NM_DEVICE_MACSEC_ICV_LENGTH),
NM_DEFINE_DBUS_PROPERTY_INFO_EXTENDED_READABLE_L ("CipherSuite", "t", NM_DEVICE_MACSEC_CIPHER_SUITE),
NM_DEFINE_DBUS_PROPERTY_INFO_EXTENDED_READABLE_L ("Window", "u", NM_DEVICE_MACSEC_WINDOW),
NM_DEFINE_DBUS_PROPERTY_INFO_EXTENDED_READABLE_L ("EncodingSa", "y", NM_DEVICE_MACSEC_ENCODING_SA),
NM_DEFINE_DBUS_PROPERTY_INFO_EXTENDED_READABLE_L ("Validation", "s", NM_DEVICE_MACSEC_VALIDATION),
NM_DEFINE_DBUS_PROPERTY_INFO_EXTENDED_READABLE_L ("Encrypt", "b", NM_DEVICE_MACSEC_ENCRYPT),
NM_DEFINE_DBUS_PROPERTY_INFO_EXTENDED_READABLE_L ("Protect", "b", NM_DEVICE_MACSEC_PROTECT),
NM_DEFINE_DBUS_PROPERTY_INFO_EXTENDED_READABLE_L ("IncludeSci", "b", NM_DEVICE_MACSEC_INCLUDE_SCI),
NM_DEFINE_DBUS_PROPERTY_INFO_EXTENDED_READABLE_L ("Es", "b", NM_DEVICE_MACSEC_ES),
NM_DEFINE_DBUS_PROPERTY_INFO_EXTENDED_READABLE_L ("Scb", "b", NM_DEVICE_MACSEC_SCB),
NM_DEFINE_DBUS_PROPERTY_INFO_EXTENDED_READABLE_L ("ReplayProtect", "b", NM_DEVICE_MACSEC_REPLAY_PROTECT),
),
),
.legacy_property_changed = TRUE,
};
core,libnm: introduce NMDeviceMacsec At the moment the device only exposes the current link status, but cannot create new links.
2016-06-30 18:20:22 +02:00
static void
nm_device_macsec_class_init (NMDeviceMacsecClass *klass)
{
GObjectClass *object_class = G_OBJECT_CLASS (klass);
core/dbus: rework D-Bus implementation to use lower layer GDBusConnection API Previously, we used the generated GDBusInterfaceSkeleton types and glued them via the NMExportedObject base class to our NM types. We also used GDBusObjectManagerServer. Don't do that anymore. The resulting code was more complicated despite (or because?) using generated classes. It was hard to understand, complex, had ordering-issues, and had a runtime and memory overhead. This patch refactors this entirely and uses the lower layer API GDBusConnection directly. It replaces the generated code, GDBusInterfaceSkeleton, and GDBusObjectManagerServer. All this is now done by NMDbusObject and NMDBusManager and static descriptor instances of type GDBusInterfaceInfo. This adds a net plus of more then 1300 lines of hand written code. I claim that this implementation is easier to understand. Note that previously we also required extensive and complex glue code to bind our objects to the generated skeleton objects. Instead, now glue our objects directly to GDBusConnection. The result is more immediate and gets rid of layers of code in between. Now that the D-Bus glue us more under our control, we can address issus and bottlenecks better, instead of adding code to bend the generated skeletons to our needs. Note that the current implementation now only supports one D-Bus connection. That was effectively the case already, although there were places (and still are) where the code pretends it could also support connections from a private socket. We dropped private socket support mainly because it was unused, untested and buggy, but also because GDBusObjectManagerServer could not export the same objects on multiple connections. Now, it would be rather straight forward to fix that and re-introduce ObjectManager on each private connection. But this commit doesn't do that yet, and the new code intentionally supports only one D-Bus connection. Also, the D-Bus startup was simplified. There is no retry, either nm_dbus_manager_start() succeeds, or it detects the initrd case. In the initrd case, bus manager never tries to connect to D-Bus. Since the initrd scenario is not yet used/tested, this is good enough for the moment. It could be easily extended later, for example with polling whether the system bus appears (like was done previously). Also, restart of D-Bus daemon isn't supported either -- just like before. Note how NMDBusManager now implements the ObjectManager D-Bus interface directly. Also, this fixes race issues in the server, by no longer delaying PropertiesChanged signals. NMExportedObject would collect changed properties and send the signal out in idle_emit_properties_changed() on idle. This messes up the ordering of change events w.r.t. other signals and events on the bus. Note that not only NMExportedObject messed up the ordering. Also the generated code would hook into notify() and process change events in and idle handle, exhibiting the same ordering issue too. No longer do that. PropertiesChanged signals will be sent right away by hooking into dispatch_properties_changed(). This means, changing a property in quick succession will no longer be combined and is guaranteed to emit signals for each individual state. Quite possibly we emit now more PropertiesChanged signals then before. However, we are now able to group a set of changes by using standard g_object_freeze_notify()/g_object_thaw_notify(). We probably should make more use of that. Also, now that our signals are all handled in the right order, we might find places where we still emit them in the wrong order. But that is then due to the order in which our GObjects emit signals, not due to an ill behavior of the D-Bus glue. Possibly we need to identify such ordering issues and fix them. Numbers (for contrib/rpm --without debug on x86_64): - the patch changes the code size of NetworkManager by - 2809360 bytes + 2537528 bytes (-9.7%) - Runtime measurements are harder because there is a large variance during testing. In other words, the numbers are not reproducible. Currently, the implementation performs no caching of GVariants at all, but it would be rather simple to add it, if that turns out to be useful. Anyway, without strong claim, it seems that the new form tends to perform slightly better. That would be no surprise. $ time (for i in {1..1000}; do nmcli >/dev/null || break; echo -n .; done) - real 1m39.355s + real 1m37.432s $ time (for i in {1..2000}; do busctl call org.freedesktop.NetworkManager /org/freedesktop org.freedesktop.DBus.ObjectManager GetManagedObjects > /dev/null || break; echo -n .; done) - real 0m26.843s + real 0m25.281s - Regarding RSS size, just looking at the processes in similar conditions, doesn't give a large difference. On my system they consume about 19MB RSS. It seems that the new version has a slightly smaller RSS size. - 19356 RSS + 18660 RSS
2018-02-26 13:51:52 +01:00
NMDBusObjectClass *dbus_object_class = NM_DBUS_OBJECT_CLASS (klass);
device/trivial: rename parent-class variable in device class constructor The majority of device implementations name their parent-class variable "device_class". That also makes more sense as it is more consistant. E.g. "parent" sounds like it's the direct parent, but that is not the crucial point here. The crucial point at this place, is that we access the NMDeviceClass typed pointer. Rename.
2018-07-10 07:45:35 +02:00
NMDeviceClass *device_class = NM_DEVICE_CLASS (klass);
core,libnm: introduce NMDeviceMacsec At the moment the device only exposes the current link status, but cannot create new links.
2016-06-30 18:20:22 +02:00
object_class->get_property = get_property;
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
object_class->dispose = dispose;
core,libnm: introduce NMDeviceMacsec At the moment the device only exposes the current link status, but cannot create new links.
2016-06-30 18:20:22 +02:00
core/dbus: rework D-Bus implementation to use lower layer GDBusConnection API Previously, we used the generated GDBusInterfaceSkeleton types and glued them via the NMExportedObject base class to our NM types. We also used GDBusObjectManagerServer. Don't do that anymore. The resulting code was more complicated despite (or because?) using generated classes. It was hard to understand, complex, had ordering-issues, and had a runtime and memory overhead. This patch refactors this entirely and uses the lower layer API GDBusConnection directly. It replaces the generated code, GDBusInterfaceSkeleton, and GDBusObjectManagerServer. All this is now done by NMDbusObject and NMDBusManager and static descriptor instances of type GDBusInterfaceInfo. This adds a net plus of more then 1300 lines of hand written code. I claim that this implementation is easier to understand. Note that previously we also required extensive and complex glue code to bind our objects to the generated skeleton objects. Instead, now glue our objects directly to GDBusConnection. The result is more immediate and gets rid of layers of code in between. Now that the D-Bus glue us more under our control, we can address issus and bottlenecks better, instead of adding code to bend the generated skeletons to our needs. Note that the current implementation now only supports one D-Bus connection. That was effectively the case already, although there were places (and still are) where the code pretends it could also support connections from a private socket. We dropped private socket support mainly because it was unused, untested and buggy, but also because GDBusObjectManagerServer could not export the same objects on multiple connections. Now, it would be rather straight forward to fix that and re-introduce ObjectManager on each private connection. But this commit doesn't do that yet, and the new code intentionally supports only one D-Bus connection. Also, the D-Bus startup was simplified. There is no retry, either nm_dbus_manager_start() succeeds, or it detects the initrd case. In the initrd case, bus manager never tries to connect to D-Bus. Since the initrd scenario is not yet used/tested, this is good enough for the moment. It could be easily extended later, for example with polling whether the system bus appears (like was done previously). Also, restart of D-Bus daemon isn't supported either -- just like before. Note how NMDBusManager now implements the ObjectManager D-Bus interface directly. Also, this fixes race issues in the server, by no longer delaying PropertiesChanged signals. NMExportedObject would collect changed properties and send the signal out in idle_emit_properties_changed() on idle. This messes up the ordering of change events w.r.t. other signals and events on the bus. Note that not only NMExportedObject messed up the ordering. Also the generated code would hook into notify() and process change events in and idle handle, exhibiting the same ordering issue too. No longer do that. PropertiesChanged signals will be sent right away by hooking into dispatch_properties_changed(). This means, changing a property in quick succession will no longer be combined and is guaranteed to emit signals for each individual state. Quite possibly we emit now more PropertiesChanged signals then before. However, we are now able to group a set of changes by using standard g_object_freeze_notify()/g_object_thaw_notify(). We probably should make more use of that. Also, now that our signals are all handled in the right order, we might find places where we still emit them in the wrong order. But that is then due to the order in which our GObjects emit signals, not due to an ill behavior of the D-Bus glue. Possibly we need to identify such ordering issues and fix them. Numbers (for contrib/rpm --without debug on x86_64): - the patch changes the code size of NetworkManager by - 2809360 bytes + 2537528 bytes (-9.7%) - Runtime measurements are harder because there is a large variance during testing. In other words, the numbers are not reproducible. Currently, the implementation performs no caching of GVariants at all, but it would be rather simple to add it, if that turns out to be useful. Anyway, without strong claim, it seems that the new form tends to perform slightly better. That would be no surprise. $ time (for i in {1..1000}; do nmcli >/dev/null || break; echo -n .; done) - real 1m39.355s + real 1m37.432s $ time (for i in {1..2000}; do busctl call org.freedesktop.NetworkManager /org/freedesktop org.freedesktop.DBus.ObjectManager GetManagedObjects > /dev/null || break; echo -n .; done) - real 0m26.843s + real 0m25.281s - Regarding RSS size, just looking at the processes in similar conditions, doesn't give a large difference. On my system they consume about 19MB RSS. It seems that the new version has a slightly smaller RSS size. - 19356 RSS + 18660 RSS
2018-02-26 13:51:52 +01:00
dbus_object_class->interface_infos = NM_DBUS_INTERFACE_INFOS (&interface_info_device_macsec);
device: replace NM_DEVICE_CLASS_DECLARE_TYPES() macro by explicit initialization It seems to me the NM_DEVICE_CLASS_DECLARE_TYPES() macro confuses more than helping. Let's explicitly initialize the two fields, albeit with another helper macro NM_DEVICE_DEFINE_LINK_TYPES() to get the list of link-types right. For consistency, also leave nop-lines like device_class->connection_type_supported = NULL; device_class->link_types = NM_DEVICE_DEFINE_LINK_TYPES (); because all NMDevice class init methods should have this same boiler plate code and to make it explicit that this is intended. And there are only 3 occurences where this actually comes into play.
2018-07-10 09:26:42 +02:00
device_class->connection_type_supported = NM_SETTING_MACSEC_SETTING_NAME;
core: give better error reason why device is incompatible with profile Note the special error codes NM_UTILS_ERROR_CONNECTION_AVAILABLE_*. This will be used to determine, whether the profile is fundamentally incompatible with the device, or whether just some other properties mismatch. That information will be importand during a plain `nmcli connection up`, where NetworkManager searches all devices for a device to activate. If no device is found (and multiple errors happened), we want to show the error that is most likely relevant for the user. Also note, how NMDevice's check_connection_compatible() uses the new class field "device_class->connection_type_check_compatible" to simplify checks for compatible profiles. The error reason is still unused.
2018-06-27 17:00:55 +02:00
device_class->connection_type_check_compatible = NM_SETTING_MACSEC_SETTING_NAME;
device: replace NM_DEVICE_CLASS_DECLARE_TYPES() macro by explicit initialization It seems to me the NM_DEVICE_CLASS_DECLARE_TYPES() macro confuses more than helping. Let's explicitly initialize the two fields, albeit with another helper macro NM_DEVICE_DEFINE_LINK_TYPES() to get the list of link-types right. For consistency, also leave nop-lines like device_class->connection_type_supported = NULL; device_class->link_types = NM_DEVICE_DEFINE_LINK_TYPES (); because all NMDevice class init methods should have this same boiler plate code and to make it explicit that this is intended. And there are only 3 occurences where this actually comes into play.
2018-07-10 09:26:42 +02:00
device_class->link_types = NM_DEVICE_DEFINE_LINK_TYPES (NM_LINK_TYPE_MACSEC);
device/trivial: rename parent-class variable in device class constructor The majority of device implementations name their parent-class variable "device_class". That also makes more sense as it is more consistant. E.g. "parent" sounds like it's the direct parent, but that is not the crucial point here. The crucial point at this place, is that we access the NMDeviceClass typed pointer. Rename.
2018-07-10 07:45:35 +02:00
device_class->act_stage2_config = act_stage2_config;
device_class->create_and_realize = create_and_realize;
device_class->deactivate = deactivate;
device_class->get_generic_capabilities = get_generic_capabilities;
device_class->link_changed = link_changed;
device_class->is_available = is_available;
device_class->parent_changed_notify = parent_changed_notify;
device_class->state_changed = device_state_changed;
device_class->get_configured_mtu = nm_device_get_configured_mtu_for_wired;
core,libnm: introduce NMDeviceMacsec At the moment the device only exposes the current link status, but cannot create new links.
2016-06-30 18:20:22 +02:00
obj_properties[PROP_SCI] =
g_param_spec_uint64 (NM_DEVICE_MACSEC_SCI, "", "",
0, G_MAXUINT64, 0,
G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
obj_properties[PROP_CIPHER_SUITE] =
g_param_spec_uint64 (NM_DEVICE_MACSEC_CIPHER_SUITE, "", "",
0, G_MAXUINT64, 0,
G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
obj_properties[PROP_ICV_LENGTH] =
g_param_spec_uchar (NM_DEVICE_MACSEC_ICV_LENGTH, "", "",
0, G_MAXUINT8, 0,
G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
obj_properties[PROP_WINDOW] =
g_param_spec_uint (NM_DEVICE_MACSEC_WINDOW, "", "",
0, G_MAXUINT32, 0,
G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
obj_properties[PROP_ENCODING_SA] =
g_param_spec_uchar (NM_DEVICE_MACSEC_ENCODING_SA, "", "",
0, 3, 0,
G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
obj_properties[PROP_VALIDATION] =
g_param_spec_string (NM_DEVICE_MACSEC_VALIDATION, "", "",
NULL,
G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
obj_properties[PROP_ENCRYPT] =
g_param_spec_boolean (NM_DEVICE_MACSEC_ENCRYPT, "", "",
FALSE,
G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
obj_properties[PROP_PROTECT] =
g_param_spec_boolean (NM_DEVICE_MACSEC_PROTECT, "", "",
FALSE,
G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
obj_properties[PROP_INCLUDE_SCI] =
g_param_spec_boolean (NM_DEVICE_MACSEC_INCLUDE_SCI, "", "",
FALSE,
G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
obj_properties[PROP_ES] =
g_param_spec_boolean (NM_DEVICE_MACSEC_ES, "", "",
FALSE,
G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
obj_properties[PROP_SCB] =
g_param_spec_boolean (NM_DEVICE_MACSEC_SCB, "", "",
FALSE,
G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
obj_properties[PROP_REPLAY_PROTECT] =
g_param_spec_boolean (NM_DEVICE_MACSEC_REPLAY_PROTECT, "", "",
FALSE,
G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
g_object_class_install_properties (object_class, _PROPERTY_ENUMS_LAST, obj_properties);
}
/*************************************************************/
#define NM_TYPE_MACSEC_DEVICE_FACTORY (nm_macsec_device_factory_get_type ())
#define NM_MACSEC_DEVICE_FACTORY(obj) (G_TYPE_CHECK_INSTANCE_CAST ((obj), NM_TYPE_MACSEC_DEVICE_FACTORY, NMMacsecDeviceFactory))
static NMDevice *
create_device (NMDeviceFactory *factory,
const char *iface,
const NMPlatformLink *plink,
NMConnection *connection,
gboolean *out_ignore)
{
return (NMDevice *) g_object_new (NM_TYPE_DEVICE_MACSEC,
NM_DEVICE_IFACE, iface,
NM_DEVICE_TYPE_DESC, "Macsec",
NM_DEVICE_DEVICE_TYPE, NM_DEVICE_TYPE_MACSEC,
NM_DEVICE_LINK_TYPE, NM_LINK_TYPE_MACSEC,
NULL);
}
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
static const char *
get_connection_parent (NMDeviceFactory *factory, NMConnection *connection)
{
NMSettingMacsec *s_macsec;
NMSettingWired *s_wired;
const char *parent = NULL;
g_return_val_if_fail (nm_connection_is_type (connection, NM_SETTING_MACSEC_SETTING_NAME), NULL);
s_macsec = nm_connection_get_setting_macsec (connection);
g_assert (s_macsec);
parent = nm_setting_macsec_get_parent (s_macsec);
if (parent)
return parent;
/* Try the hardware address from the MACsec connection's hardware setting */
s_wired = nm_connection_get_setting_wired (connection);
if (s_wired)
return nm_setting_wired_get_mac_address (s_wired);
return NULL;
}
static char *
get_connection_iface (NMDeviceFactory *factory,
NMConnection *connection,
const char *parent_iface)
{
NMSettingMacsec *s_macsec;
const char *ifname;
g_return_val_if_fail (nm_connection_is_type (connection, NM_SETTING_MACSEC_SETTING_NAME), NULL);
s_macsec = nm_connection_get_setting_macsec (connection);
g_assert (s_macsec);
if (!parent_iface)
return NULL;
ifname = nm_connection_get_interface_name (connection);
return g_strdup (ifname);
}
core,libnm: introduce NMDeviceMacsec At the moment the device only exposes the current link status, but cannot create new links.
2016-06-30 18:20:22 +02:00
NM_DEVICE_FACTORY_DEFINE_INTERNAL (MACSEC, Macsec, macsec,
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
NM_DEVICE_FACTORY_DECLARE_LINK_TYPES (NM_LINK_TYPE_MACSEC)
NM_DEVICE_FACTORY_DECLARE_SETTING_TYPES (NM_SETTING_MACSEC_SETTING_NAME),
core,libnm: introduce NMDeviceMacsec At the moment the device only exposes the current link status, but cannot create new links.
2016-06-30 18:20:22 +02:00
factory_class->create_device = create_device;
core: support macsec connections Add code to nm-device-macsec.c to support the creation of macsec connection. Most of the code for controlling wpa_supplicant is copied from nm-device-ethernet.c and probably could be consolidated in some ways.
2016-06-30 18:20:50 +02:00
factory_class->get_connection_parent = get_connection_parent;
factory_class->get_connection_iface = get_connection_iface;
core,libnm: introduce NMDeviceMacsec At the moment the device only exposes the current link status, but cannot create new links.
2016-06-30 18:20:22 +02:00
)
Reference in a new issue Copy permalink