From be8ddf367f42a8f0db7f6786ba4900bd1c627309 Mon Sep 17 00:00:00 2001 From: Joao Machado Date: Sat, 11 Mar 2023 15:25:09 +0000 Subject: [PATCH 1/3] libnm-core-impl: allow ip6 tunnel flags for ip6gre & ip6gretap (cherry picked from commit a239317a6b760940658dae3d4bb027032fc0c70b) --- src/libnm-core-impl/nm-setting-ip-tunnel.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/libnm-core-impl/nm-setting-ip-tunnel.c b/src/libnm-core-impl/nm-setting-ip-tunnel.c index 7fb8b01739..1345ef14d0 100644 --- a/src/libnm-core-impl/nm-setting-ip-tunnel.c +++ b/src/libnm-core-impl/nm-setting-ip-tunnel.c @@ -491,7 +491,11 @@ verify(NMSetting *setting, NMConnection *connection, GError **error) } flags = priv->flags; - if (NM_IN_SET(priv->mode, NM_IP_TUNNEL_MODE_IPIP6, NM_IP_TUNNEL_MODE_IP6IP6)) + if (NM_IN_SET(priv->mode, + NM_IP_TUNNEL_MODE_IPIP6, + NM_IP_TUNNEL_MODE_IP6IP6, + NM_IP_TUNNEL_MODE_IP6GRE, + NM_IP_TUNNEL_MODE_IP6GRETAP)) flags &= (guint32) (~_NM_IP_TUNNEL_FLAG_ALL_IP6TNL); if (flags) { g_set_error(error, From 65f69ac5e1c5356175732782f981e501f9562260 Mon Sep 17 00:00:00 2001 From: Joao Machado Date: Sat, 11 Mar 2023 15:40:54 +0000 Subject: [PATCH 2/3] libnmc-setting/docs: how to disable ip-tunnel.encapsulation-limit (ip6) (cherry picked from commit 7c54d26ad6adac090c788298089be19f460a8638) --- src/libnm-core-impl/nm-setting-ip-tunnel.c | 2 +- src/libnmc-setting/settings-docs.h.in | 2 +- src/nmcli/gen-metadata-nm-settings-nmcli.xml.in | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/libnm-core-impl/nm-setting-ip-tunnel.c b/src/libnm-core-impl/nm-setting-ip-tunnel.c index 1345ef14d0..d28eb73fd7 100644 --- a/src/libnm-core-impl/nm-setting-ip-tunnel.c +++ b/src/libnm-core-impl/nm-setting-ip-tunnel.c 
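Review bot: The mode list in `verify()` is now the only gate deciding which tunnel modes may carry `_NM_IP_TUNNEL_FLAG_ALL_IP6TNL` bits, and nothing in this series exercises it at the setting level; the tests added in patch 3/3 drive the platform layer directly. A libnm-core test that verifies an `ip6gre` and an `ip6gretap` connection with `NM_IP_TUNNEL_FLAG_IP6_IGN_ENCAP_LIMIT` set, and still rejects the same flag on a non-IPv6 mode, would pin the widened validation. A short comment above the `NM_IN_SET(...)` call, for example `/* modes whose flags use the ip6tnl flag set */`, would also help, since the property documentation only says the flags are "valid only for IPv6 tunnels" without naming modes. The body of `verify()` starts and ends outside this hunk, so whether the device code already forwards the flags for these two modes cannot be confirmed from here.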
@@ -731,7 +731,7 @@ nm_setting_ip_tunnel_class_init(NMSettingIPTunnelClass *klass) * NMSettingIPTunnel:encapsulation-limit: * * How many additional levels of encapsulation are permitted to be prepended - * to packets. This property applies only to IPv6 tunnels. + * to packets. This property applies only to IPv6 tunnels. To disable this option, add %NM_IP_TUNNEL_FLAG_IP6_IGN_ENCAP_LIMIT to ip-tunnel flags. * * Since: 1.2 **/ diff --git a/src/libnmc-setting/settings-docs.h.in b/src/libnmc-setting/settings-docs.h.in index cd5b231bb9..fc6df80c50 100644 --- a/src/libnmc-setting/settings-docs.h.in +++ b/src/libnmc-setting/settings-docs.h.in 
@@ -216,7 +216,7 @@ #define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_ROUTES N_("Array of IP routes.") #define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_ROUTING_RULES N_("A comma separated list of routing rules for policy routing.") #define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_TOKEN N_("Configure the token for draft-chown-6man-tokenised-ipv6-identifiers-02 IPv6 tokenized interface identifiers. Useful with eui64 addr-gen-mode.") -#define DESCRIBE_DOC_NM_SETTING_IP_TUNNEL_ENCAPSULATION_LIMIT N_("How many additional levels of encapsulation are permitted to be prepended to packets. This property applies only to IPv6 tunnels.") +#define DESCRIBE_DOC_NM_SETTING_IP_TUNNEL_ENCAPSULATION_LIMIT N_("How many additional levels of encapsulation are permitted to be prepended to packets. This property applies only to IPv6 tunnels. To disable this option, add NM_IP_TUNNEL_FLAG_IP6_IGN_ENCAP_LIMIT (0x1) to ip-tunnel flags.") #define DESCRIBE_DOC_NM_SETTING_IP_TUNNEL_FLAGS N_("Tunnel flags. Currently, the following values are supported: NM_IP_TUNNEL_FLAG_IP6_IGN_ENCAP_LIMIT (0x1), NM_IP_TUNNEL_FLAG_IP6_USE_ORIG_TCLASS (0x2), NM_IP_TUNNEL_FLAG_IP6_USE_ORIG_FLOWLABEL (0x4), NM_IP_TUNNEL_FLAG_IP6_MIP6_DEV (0x8), NM_IP_TUNNEL_FLAG_IP6_RCV_DSCP_COPY (0x10), NM_IP_TUNNEL_FLAG_IP6_USE_ORIG_FWMARK (0x20). They are valid only for IPv6 tunnels.") #define DESCRIBE_DOC_NM_SETTING_IP_TUNNEL_FLOW_LABEL N_("The flow label to assign to tunnel packets. This property applies only to IPv6 tunnels.") #define DESCRIBE_DOC_NM_SETTING_IP_TUNNEL_FWMARK N_("The fwmark value to assign to tunnel packets. This property can be set to a non zero value only on VTI and VTI6 tunnels.") diff --git a/src/nmcli/gen-metadata-nm-settings-nmcli.xml.in b/src/nmcli/gen-metadata-nm-settings-nmcli.xml.in index dfea3c3440..f4598f937b 100644 --- a/src/nmcli/gen-metadata-nm-settings-nmcli.xml.in +++ b/src/nmcli/gen-metadata-nm-settings-nmcli.xml.in 
@@ -640,7 +640,7 @@ + description="How many additional levels of encapsulation are permitted to be prepended to packets. This property applies only to IPv6 tunnels. To disable this option, add NM_IP_TUNNEL_FLAG_IP6_IGN_ENCAP_LIMIT (0x1) to ip-tunnel flags." /> Date: Sat, 11 Mar 2023 15:55:51 +0000 Subject: [PATCH 3/3] platform/tests: ip6gre & ip6gretap test cases (ip6 tunnel flags) (cherry picked from commit 1505ca3626b2d0846d0089b8ce4eae221b3e3c44) --- src/core/platform/tests/test-common.c | 7 +- src/core/platform/tests/test-link.c | 132 +++++++++++++++++++------- 2 files changed, 105 insertions(+), 34 deletions(-) diff --git a/src/core/platform/tests/test-common.c b/src/core/platform/tests/test-common.c index 571fedfee5..c32bff4511 100644 --- a/src/core/platform/tests/test-common.c +++ b/src/core/platform/tests/test-common.c @@ -2520,7 +2520,9 @@ nmtstp_link_ip6gre_add(NMPlatform *platform, gboolean success; char b1[NM_INET_ADDRSTRLEN]; char b2[NM_INET_ADDRSTRLEN]; + char encap[20]; char tclass[20]; + gboolean encap_ignore; gboolean tclass_inherit; g_assert(nm_utils_ifname_valid_kernel(name, NULL)); @@ -2538,9 +2540,11 @@ nmtstp_link_ip6gre_add(NMPlatform *platform, g_strdup_printf("dev %s", nm_platform_link_get_name(platform, lnk->parent_ifindex)); tclass_inherit = NM_FLAGS_HAS(lnk->flags, IP6_TNL_F_USE_ORIG_TCLASS); + encap_ignore = NM_FLAGS_HAS(lnk->flags, IP6_TNL_F_IGN_ENCAP_LIMIT); success = !nmtstp_run_command( - "ip link add %s type %s%s%s local %s remote %s ttl %u tclass %s flowlabel %x", + "ip link add %s type %s%s%s local %s remote %s ttl %u tclass %s encaplimit %s " + "flowlabel %x", name, lnk->is_tap ? "ip6gretap" : "ip6gre", NM_PRINT_FMT_QUOTED2(dev, " ", dev, ""), 
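Review bot: `nmtstp_link_ip6gre_add()` now appends `encaplimit` to every `ip link add` command, so a caller that never assigns `lnk->encap_limit` passes whatever the struct holds instead of leaving the choice to `ip`. The mode-0 cases in test-link.c do not assign `encap_limit`, so this presumably becomes `encaplimit 0` if the struct is zero-initialised, which is not visible here. A comment above `encap_ignore = ...` would make the intent explicit, for example `/* "none" mirrors IP6_TNL_F_IGN_ENCAP_LIMIT; otherwise the limit is always passed explicitly */`. The matching argument is added in the following hunk, and the function body continues outside both hunks.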
@@ -2548,6 +2552,7 @@ nmtstp_link_ip6gre_add(NMPlatform *platform, nm_inet6_ntop(&lnk->remote, b2), lnk->ttl, tclass_inherit ? "inherit" : nm_sprintf_buf(tclass, "%02x", lnk->tclass), + encap_ignore ? "none" : nm_sprintf_buf(encap, "%u", lnk->encap_limit), lnk->flow_label); if (success) { pllink = nmtstp_assert_wait_for_link(platform, diff --git a/src/core/platform/tests/test-link.c b/src/core/platform/tests/test-link.c index cc1ec6d1d4..8335aef1d4 100644 --- a/src/core/platform/tests/test-link.c +++ b/src/core/platform/tests/test-link.c @@ -1439,12 +1439,25 @@ test_software_detect(gconstpointer user_data) module_loaded = nmtstp_ensure_module("ip6_gre"); - lnk_ip6tnl.local = nmtst_inet6_from_string("fd01::42"); - lnk_ip6tnl.remote = nmtst_inet6_from_string("fd01::aaaa"); - lnk_ip6tnl.parent_ifindex = ifindex_parent; - lnk_ip6tnl.tclass = 21; - lnk_ip6tnl.flow_label = 1338; - lnk_ip6tnl.is_gre = TRUE; + switch (test_data->test_mode) { + case 0: + lnk_ip6tnl.local = nmtst_inet6_from_string("fd01::43"); + lnk_ip6tnl.remote = nmtst_inet6_from_string("fd01::aaaa"); + lnk_ip6tnl.parent_ifindex = ifindex_parent; + lnk_ip6tnl.tclass = 21; + lnk_ip6tnl.flow_label = 1338; + lnk_ip6tnl.is_gre = TRUE; + break; + case 1: + lnk_ip6tnl.local = nmtst_inet6_from_string("fd01::44"); + lnk_ip6tnl.remote = nmtst_inet6_from_string("fd01::aaab"); + lnk_ip6tnl.parent_ifindex = ifindex_parent; + lnk_ip6tnl.tclass = 0; + lnk_ip6tnl.flow_label = 1339; + lnk_ip6tnl.is_gre = TRUE; + lnk_ip6tnl.flags = IP6_TNL_F_IGN_ENCAP_LIMIT | IP6_TNL_F_USE_ORIG_TCLASS; + break; + } if (!nmtstp_link_ip6gre_add(NULL, ext, DEVICE_NAME, &lnk_ip6tnl)) { if (!module_loaded) { 
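Review bot: The new `switch (test_data->test_mode)` in the ip6gre setup has no `default:` label, so a test registered with any mode other than 0 or 1 would skip both cases, leave `lnk_ip6tnl` as it was, and still call `nmtstp_link_ip6gre_add()`. Adding `default: g_assert_not_reached();` makes a bad registration fail at the point of the mistake. The same applies to the ip6gretap setup switch in the next hunk and to both assertion switches in the `-1851` hunk. The assignments shared by both cases (`parent_ifindex`, `is_gre`) could also be made once before the switch. `test_software_detect()` begins and ends outside this hunk.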
@@ -1463,14 +1476,29 @@ test_software_detect(gconstpointer user_data) module_loaded = nmtstp_ensure_module("ip6_gre"); - lnk_ip6tnl.local = nmtst_inet6_from_string("fe80::abcd"); - lnk_ip6tnl.remote = nmtst_inet6_from_string("fc01::bbbb"); - lnk_ip6tnl.parent_ifindex = ifindex_parent; - lnk_ip6tnl.ttl = 10; - lnk_ip6tnl.tclass = 22; - lnk_ip6tnl.flow_label = 1339; - lnk_ip6tnl.is_gre = TRUE; - lnk_ip6tnl.is_tap = TRUE; + switch (test_data->test_mode) { + case 0: + lnk_ip6tnl.local = nmtst_inet6_from_string("fe80::abcd"); + lnk_ip6tnl.remote = nmtst_inet6_from_string("fc01::bbbb"); + lnk_ip6tnl.parent_ifindex = ifindex_parent; + lnk_ip6tnl.ttl = 10; + lnk_ip6tnl.tclass = 23; + lnk_ip6tnl.flow_label = 1340; + lnk_ip6tnl.is_gre = TRUE; + lnk_ip6tnl.is_tap = TRUE; + break; + case 1: + lnk_ip6tnl.local = nmtst_inet6_from_string("fe80::abce"); + lnk_ip6tnl.remote = nmtst_inet6_from_string("fc01::bbbc"); + lnk_ip6tnl.parent_ifindex = ifindex_parent; + lnk_ip6tnl.ttl = 10; + lnk_ip6tnl.tclass = 0; + lnk_ip6tnl.flow_label = 1341; + lnk_ip6tnl.is_gre = TRUE; + lnk_ip6tnl.is_tap = TRUE; + lnk_ip6tnl.flags = IP6_TNL_F_IGN_ENCAP_LIMIT | IP6_TNL_F_USE_ORIG_TCLASS; + break; + } if (!nmtstp_link_ip6gre_add(NULL, ext, DEVICE_NAME, &lnk_ip6tnl)) { if (!module_loaded) { 
@@ -1851,29 +1879,65 @@ test_software_detect(gconstpointer user_data) { const NMPlatformLnkIp6Tnl *plnk = &lnk->lnk_ip6tnl; - g_assert(plnk == nm_platform_link_get_lnk_ip6gre(NM_PLATFORM_GET, ifindex, NULL)); - g_assert_cmpint(plnk->parent_ifindex, ==, ifindex_parent); - nmtst_assert_ip6_address(&plnk->local, "fd01::42"); - nmtst_assert_ip6_address(&plnk->remote, "fd01::aaaa"); - g_assert_cmpint(plnk->tclass, ==, 21); - g_assert_cmpint(plnk->flow_label, ==, 1338); - g_assert_cmpint(plnk->is_gre, ==, TRUE); - g_assert_cmpint(plnk->is_tap, ==, FALSE); + switch (test_data->test_mode) { + case 0: + g_assert(plnk == nm_platform_link_get_lnk_ip6gre(NM_PLATFORM_GET, ifindex, NULL)); + g_assert_cmpint(plnk->parent_ifindex, ==, ifindex_parent); + nmtst_assert_ip6_address(&plnk->local, "fd01::43"); + nmtst_assert_ip6_address(&plnk->remote, "fd01::aaaa"); + g_assert_cmpint(plnk->tclass, ==, 21); + g_assert_cmpint(plnk->flow_label, ==, 1338); + g_assert_cmpint(plnk->is_gre, ==, TRUE); + g_assert_cmpint(plnk->is_tap, ==, FALSE); + break; + case 1: + g_assert(plnk == nm_platform_link_get_lnk_ip6gre(NM_PLATFORM_GET, ifindex, NULL)); + g_assert_cmpint(plnk->parent_ifindex, ==, ifindex_parent); + nmtst_assert_ip6_address(&plnk->local, "fd01::44"); + nmtst_assert_ip6_address(&plnk->remote, "fd01::aaab"); + g_assert_cmpint(plnk->flow_label, ==, 1339); + g_assert_cmpint(plnk->is_gre, ==, TRUE); + g_assert_cmpint(plnk->is_tap, ==, FALSE); + g_assert_cmpint(plnk->flags & 0xFFFF, /* ignore kernel internal flags */ + ==, + IP6_TNL_F_IGN_ENCAP_LIMIT | IP6_TNL_F_USE_ORIG_TCLASS); + break; + } + break; } case NM_LINK_TYPE_IP6GRETAP: { const NMPlatformLnkIp6Tnl *plnk = &lnk->lnk_ip6tnl; - g_assert(plnk == nm_platform_link_get_lnk_ip6gretap(NM_PLATFORM_GET, ifindex, NULL)); - g_assert_cmpint(plnk->parent_ifindex, ==, ifindex_parent); - nmtst_assert_ip6_address(&plnk->local, "fe80::abcd"); - nmtst_assert_ip6_address(&plnk->remote, "fc01::bbbb"); - g_assert_cmpint(plnk->ttl, ==, 10); - 
g_assert_cmpint(plnk->tclass, ==, 22); - g_assert_cmpint(plnk->flow_label, ==, 1339); - g_assert_cmpint(plnk->is_gre, ==, TRUE); - g_assert_cmpint(plnk->is_tap, ==, TRUE); + switch (test_data->test_mode) { + case 0: + g_assert(plnk + == nm_platform_link_get_lnk_ip6gretap(NM_PLATFORM_GET, ifindex, NULL)); + g_assert_cmpint(plnk->parent_ifindex, ==, ifindex_parent); + nmtst_assert_ip6_address(&plnk->local, "fe80::abcd"); + nmtst_assert_ip6_address(&plnk->remote, "fc01::bbbb"); + g_assert_cmpint(plnk->ttl, ==, 10); + g_assert_cmpint(plnk->tclass, ==, 23); + g_assert_cmpint(plnk->flow_label, ==, 1340); + g_assert_cmpint(plnk->is_gre, ==, TRUE); + g_assert_cmpint(plnk->is_tap, ==, TRUE); + break; + case 1: + g_assert(plnk + == nm_platform_link_get_lnk_ip6gretap(NM_PLATFORM_GET, ifindex, NULL)); + g_assert_cmpint(plnk->parent_ifindex, ==, ifindex_parent); + nmtst_assert_ip6_address(&plnk->local, "fe80::abce"); + nmtst_assert_ip6_address(&plnk->remote, "fc01::bbbc"); + g_assert_cmpint(plnk->ttl, ==, 10); + g_assert_cmpint(plnk->flow_label, ==, 1341); + g_assert_cmpint(plnk->is_gre, ==, TRUE); + g_assert_cmpint(plnk->is_tap, ==, TRUE); + g_assert_cmpint(plnk->flags & 0xFFFF, /* ignore kernel internal flags */ + ==, + IP6_TNL_F_IGN_ENCAP_LIMIT | IP6_TNL_F_USE_ORIG_TCLASS); + break; + } break; } case NM_LINK_TYPE_IPIP: 
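Review bot: Neither mode asserts `plnk->encap_limit` in the ip6gre or ip6gretap checks, although the helper in test-common.c now passes `encaplimit` on every invocation, so the numeric path of that argument is never verified on read-back. Assigning a non-zero `lnk_ip6tnl.encap_limit` in the mode-0 setup and adding a matching `g_assert_cmpint(plnk->encap_limit, ==, <value from setup>);` in the mode-0 checks would cover it. The `0xFFFF` mask in the mode-1 checks would read better as a named constant placed next to its "ignore kernel internal flags" comment, since it appears twice. The enclosing `switch` over link types starts and ends outside this hunk.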
@@ -3888,8 +3952,10 @@ _nmtstp_setup_tests(void) test_software_detect_add("/link/software/detect/gretap", NM_LINK_TYPE_GRETAP, 0); test_software_detect_add("/link/software/detect/ip6tnl/0", NM_LINK_TYPE_IP6TNL, 0); test_software_detect_add("/link/software/detect/ip6tnl/1", NM_LINK_TYPE_IP6TNL, 1); - test_software_detect_add("/link/software/detect/ip6gre", NM_LINK_TYPE_IP6GRE, 0); - test_software_detect_add("/link/software/detect/ip6gretap", NM_LINK_TYPE_IP6GRETAP, 0); + test_software_detect_add("/link/software/detect/ip6gre/0", NM_LINK_TYPE_IP6GRE, 0); + test_software_detect_add("/link/software/detect/ip6gre/1", NM_LINK_TYPE_IP6GRE, 1); + test_software_detect_add("/link/software/detect/ip6gretap/0", NM_LINK_TYPE_IP6GRETAP, 0); + test_software_detect_add("/link/software/detect/ip6gretap/1", NM_LINK_TYPE_IP6GRETAP, 1); test_software_detect_add("/link/software/detect/ipip", NM_LINK_TYPE_IPIP, 0); test_software_detect_add("/link/software/detect/macvlan", NM_LINK_TYPE_MACVLAN, 0); test_software_detect_add("/link/software/detect/macvtap", NM_LINK_TYPE_MACVTAP, 0);