merge: branch 'dnssec'

Add support for systemd-resolved's DNSSEC option

https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2278
Beniamino Galvani 2025-10-13 10:10:34 +00:00
commit a148232789
19 changed files with 879 additions and 544 deletions

2
NEWS

@ -25,6 +25,8 @@ USE AT YOUR OWN RISK. NOT RECOMMENDED FOR PRODUCTION USE!
"disconnecting" / "disconnected".
* Treat modem connection not having an operator code available
as a recoverable error.
* Add support for configuring systemd-resolved's DNSSEC option
per-connection via the "connection.dnssec" connection property.
=============================================
NetworkManager-1.54


@ -899,7 +899,11 @@ ipv6.ip6-privacy=0
</varlistentry>
<varlistentry>
<term><varname>connection.dns-over-tls</varname></term>
<listitem><para>If unspecified, the ultimate default values depends on the DNS plugin. With systemd-resolved the default currently is global setting and for all other plugins "no" (0).</para></listitem>
<listitem><para>If unspecified, the ultimate default values depends on the DNS plugin. With systemd-resolved the default currently is its global setting and for all other plugins "no" (0).</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>connection.dnssec</varname></term>
<listitem><para>If unspecified, the ultimate default values depends on the DNS plugin. With systemd-resolved the default currently is its global setting and for all other plugins "no" (0).</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>connection.stable-id</varname></term>


@ -1494,6 +1494,28 @@ _prop_get_connection_dns_over_tls(NMDevice *self)
NM_SETTING_CONNECTION_DNS_OVER_TLS_DEFAULT);
}
static NMSettingConnectionDnssec
_prop_get_connection_dnssec(NMDevice *self)
{
NMConnection *connection;
NMSettingConnectionDnssec dnssec = NM_SETTING_CONNECTION_DNSSEC_DEFAULT;
g_return_val_if_fail(NM_IS_DEVICE(self), NM_SETTING_CONNECTION_DNSSEC_DEFAULT);
connection = nm_device_get_applied_connection(self);
if (connection)
dnssec = nm_setting_connection_get_dnssec(nm_connection_get_setting_connection(connection));
if (dnssec != NM_SETTING_CONNECTION_DNSSEC_DEFAULT)
return dnssec;
return nm_config_data_get_connection_default_int64(NM_CONFIG_GET_DATA,
NM_CON_DEFAULT("connection.dnssec"),
self,
NM_SETTING_CONNECTION_DNSSEC_NO,
NM_SETTING_CONNECTION_DNSSEC_YES,
NM_SETTING_CONNECTION_DNSSEC_DEFAULT);
}
static NMMptcpFlags
_prop_get_connection_mptcp_flags(NMDevice *self)
{
@ -3613,6 +3635,7 @@ nm_device_create_l3_config_data_from_connection(NMDevice *self, NMConnection *co
nm_l3_config_data_set_mdns(l3cd, _prop_get_connection_mdns(self));
nm_l3_config_data_set_llmnr(l3cd, _prop_get_connection_llmnr(self));
nm_l3_config_data_set_dns_over_tls(l3cd, _prop_get_connection_dns_over_tls(self));
nm_l3_config_data_set_dnssec(l3cd, _prop_get_connection_dnssec(self));
nm_l3_config_data_set_ip6_privacy(l3cd, _prop_get_ipv6_ip6_privacy(self));
nm_l3_config_data_set_mptcp_flags(l3cd, _prop_get_connection_mptcp_flags(self));
return l3cd;
@ -14069,6 +14092,7 @@ can_reapply_change(NMDevice *self,
NM_SETTING_CONNECTION_MDNS,
NM_SETTING_CONNECTION_LLMNR,
NM_SETTING_CONNECTION_DNS_OVER_TLS,
NM_SETTING_CONNECTION_DNSSEC,
NM_SETTING_CONNECTION_MPTCP_FLAGS,
NM_SETTING_CONNECTION_WAIT_ACTIVATION_DELAY);
}
@ -14327,6 +14351,7 @@ check_and_reapply_connection(NMDevice *self,
NM_SETTING_CONNECTION_MDNS,
NM_SETTING_CONNECTION_LLMNR,
NM_SETTING_CONNECTION_DNS_OVER_TLS,
NM_SETTING_CONNECTION_DNSSEC,
NM_SETTING_CONNECTION_MPTCP_FLAGS)) {
priv->ip_data_4.do_reapply = TRUE;
priv->ip_data_6.do_reapply = TRUE;
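Review bot: `_prop_get_connection_dnssec` has no comment explaining its lookup order, which matters because the result decides whether DNSSEC validation is requested for the link. I would add above the function `/* Profile value first, then the "connection.dnssec" connection default from the NetworkManager configuration (accepted range NO..YES); DEFAULT leaves the mode to the DNS plugin. */`. It is also worth stating there that the property is now in the lists in can_reapply_change and check_and_reapply_connection, so the mode can change on an active device through a reapply. Those two functions start outside their hunks.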


@ -37,6 +37,7 @@
static const char *const DBUS_OP_SET_LINK_DEFAULT_ROUTE = "SetLinkDefaultRoute";
static const char *const DBUS_OP_SET_LINK_DNS_OVER_TLS = "SetLinkDNSOverTLS";
static const char *const DBUS_OP_SET_LINK_DNS_EX = "SetLinkDNSEx";
static const char *const DBUS_OP_SET_LINK_DNSSEC = "SetLinkDNSSEC";
/*****************************************************************************/
@ -484,9 +485,11 @@ prepare_one_interface(NMDnsSystemdResolved *self, const InterfaceConfig *ic)
NMSettingConnectionMdns mdns = NM_SETTING_CONNECTION_MDNS_DEFAULT;
NMSettingConnectionLlmnr llmnr = NM_SETTING_CONNECTION_LLMNR_DEFAULT;
NMSettingConnectionDnsOverTls dns_over_tls = NM_SETTING_CONNECTION_DNS_OVER_TLS_DEFAULT;
NMSettingConnectionDnssec dnssec = NM_SETTING_CONNECTION_DNSSEC_DEFAULT;
const char *mdns_arg = NULL;
const char *llmnr_arg = NULL;
const char *dns_over_tls_arg = NULL;
const char *dnssec_arg = NULL;
gboolean has_config = FALSE;
gboolean has_default_route = FALSE;
guint i;
@ -517,6 +520,7 @@ prepare_one_interface(NMDnsSystemdResolved *self, const InterfaceConfig *ic)
llmnr = NM_MAX(llmnr, nm_l3_config_data_get_llmnr(ip_data->l3cd));
dns_over_tls =
NM_MAX(dns_over_tls, nm_l3_config_data_get_dns_over_tls(ip_data->l3cd));
dnssec = NM_MAX(dnssec, nm_l3_config_data_get_dnssec(ip_data->l3cd));
}
}
}
@ -589,8 +593,24 @@ prepare_one_interface(NMDnsSystemdResolved *self, const InterfaceConfig *ic)
}
nm_assert(dns_over_tls_arg);
switch (dnssec) {
case NM_SETTING_CONNECTION_DNSSEC_NO:
dnssec_arg = "no";
break;
case NM_SETTING_CONNECTION_DNSSEC_ALLOW_DOWNGRADE:
dnssec_arg = "allow-downgrade";
break;
case NM_SETTING_CONNECTION_DNSSEC_YES:
dnssec_arg = "yes";
break;
case NM_SETTING_CONNECTION_DNSSEC_DEFAULT:
dnssec_arg = "";
break;
}
nm_assert(dnssec_arg);
if (!nm_str_is_empty(mdns_arg) || !nm_str_is_empty(llmnr_arg)
|| !nm_str_is_empty(dns_over_tls_arg))
|| !nm_str_is_empty(dns_over_tls_arg) || !nm_str_is_empty(dnssec_arg))
has_config = TRUE;
_request_item_append(self, "SetLinkDomains", ic->ifindex, g_variant_builder_end(&domains));
@ -618,6 +638,10 @@ prepare_one_interface(NMDnsSystemdResolved *self, const InterfaceConfig *ic)
DBUS_OP_SET_LINK_DNS_OVER_TLS,
ic->ifindex,
g_variant_new("(is)", ic->ifindex, dns_over_tls_arg ?: ""));
_request_item_append(self,
DBUS_OP_SET_LINK_DNSSEC,
ic->ifindex,
g_variant_new("(is)", ic->ifindex, dnssec_arg ?: ""));
return has_config;
}
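Review bot: The merge `dnssec = NM_MAX(dnssec, nm_l3_config_data_get_dnssec(ip_data->l3cd));` in prepare_one_interface relies on the numeric order of NMSettingConnectionDnssec (-1 default, 0 no, 1 allow-downgrade, 2 yes) to let the strictest request win, and nothing at the call site says so. A comment such as `/* enum order is default < no < allow-downgrade < yes: the strictest mode requested by any l3cd wins, and an explicit "no" still beats "default" */` would also record that an explicit "no" replaces the empty string that is otherwise sent for "default". Separately, `switch (dnssec)` has no `default:` branch, so an unexpected value is caught only by `nm_assert` (which, as far as I know, is compiled out unless extra asserts are enabled) and `dnssec_arg ?: ""` then sends the empty string. A `default:` branch that logs the value and sets `dnssec_arg = "";` would make that fallback explicit. The function starts outside these hunks.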


@ -120,6 +120,7 @@ struct _NML3ConfigData {
NMSettingConnectionMdns mdns;
NMSettingConnectionLlmnr llmnr;
NMSettingConnectionDnsOverTls dns_over_tls;
NMSettingConnectionDnssec dnssec;
NMUtilsIPv6IfaceId ip6_token;
NML3ConfigDatFlags flags;
@ -577,6 +578,16 @@ nm_l3_config_data_log(const NML3ConfigData *self,
NULL)));
}
if (self->dnssec != NM_SETTING_CONNECTION_DNSSEC_DEFAULT) {
gs_free char *s = NULL;
_L("dnssec: %s",
(s = _nm_utils_enum_to_str_full(nm_setting_connection_dnssec_get_type(),
self->dnssec,
" ",
NULL)));
}
if (self->mptcp_flags != NM_MPTCP_FLAGS_NONE) {
gs_free char *s = NULL;
@ -694,6 +705,7 @@ nm_l3_config_data_new(NMDedupMultiIndex *multi_idx, int ifindex, NMIPConfigSourc
.mdns = NM_SETTING_CONNECTION_MDNS_DEFAULT,
.llmnr = NM_SETTING_CONNECTION_LLMNR_DEFAULT,
.dns_over_tls = NM_SETTING_CONNECTION_DNS_OVER_TLS_DEFAULT,
.dnssec = NM_SETTING_CONNECTION_DNSSEC_DEFAULT,
.flags = NM_L3_CONFIG_DAT_FLAGS_NONE,
.metered = NM_TERNARY_DEFAULT,
.proxy_browser_only = NM_TERNARY_DEFAULT,
@ -1767,6 +1779,26 @@ nm_l3_config_data_set_dns_over_tls(NML3ConfigData *self, NMSettingConnectionDnsO
return TRUE;
}
NMSettingConnectionDnssec
nm_l3_config_data_get_dnssec(const NML3ConfigData *self)
{
nm_assert(_NM_IS_L3_CONFIG_DATA(self, TRUE));
return self->dnssec;
}
gboolean
nm_l3_config_data_set_dnssec(NML3ConfigData *self, NMSettingConnectionDnssec dnssec)
{
nm_assert(_NM_IS_L3_CONFIG_DATA(self, FALSE));
if (self->dnssec == dnssec)
return FALSE;
self->dnssec = dnssec;
return TRUE;
}
NMIPRouteTableSyncMode
nm_l3_config_data_get_route_table_sync(const NML3ConfigData *self, int addr_family)
{
@ -2446,6 +2478,7 @@ nm_l3_config_data_cmp_full(const NML3ConfigData *a,
NM_CMP_DIRECT(a->mdns, b->mdns);
NM_CMP_DIRECT(a->llmnr, b->llmnr);
NM_CMP_DIRECT(a->dns_over_tls, b->dns_over_tls);
NM_CMP_DIRECT(a->dnssec, b->dnssec);
}
if (NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_OTHER)) {
@ -3211,6 +3244,12 @@ nm_l3_config_data_hash_dns(const NML3ConfigData *l3cd,
empty = FALSE;
}
val = nm_l3_config_data_get_dnssec(l3cd);
if (val != NM_SETTING_CONNECTION_DNSSEC_DEFAULT) {
g_checksum_update(sum, (const guint8 *) &val, sizeof(val));
empty = FALSE;
}
if (!empty) {
int prio = 0;
@ -3461,6 +3500,9 @@ nm_l3_config_data_merge(NML3ConfigData *self,
if (self->dns_over_tls == NM_SETTING_CONNECTION_DNS_OVER_TLS_DEFAULT)
self->dns_over_tls = src->dns_over_tls;
if (self->dnssec == NM_SETTING_CONNECTION_DNSSEC_DEFAULT)
self->dnssec = src->dnssec;
if (self->ip6_token.id == 0)
self->ip6_token.id = src->ip6_token.id;
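Review bot: In the nm_l3_config_data_hash_dns hunk the dnssec value is fed to the checksum only when it is not the default, and without any field tag, so it cannot be told apart from another optional integer hashed the same way. If the dns-over-tls value just above uses the same pattern (that code is outside the hunk, only its `empty = FALSE;` is visible), then dns-over-tls=2 with dnssec unset and dns-over-tls unset with dnssec=2 give the same checksum input, and a switch between the two may not be seen as a DNS configuration change. Hashing the field unconditionally removes the ambiguity for the new field: `g_checksum_update(sum, (const guint8 *) &val, sizeof(val));` followed by `if (val != NM_SETTING_CONNECTION_DNSSEC_DEFAULT) empty = FALSE;`. The function starts and ends outside the hunk.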


@ -458,6 +458,10 @@ NMSettingConnectionDnsOverTls nm_l3_config_data_get_dns_over_tls(const NML3Confi
gboolean nm_l3_config_data_set_dns_over_tls(NML3ConfigData *self,
NMSettingConnectionDnsOverTls dns_over_tls);
NMSettingConnectionDnssec nm_l3_config_data_get_dnssec(const NML3ConfigData *self);
gboolean nm_l3_config_data_set_dnssec(NML3ConfigData *self, NMSettingConnectionDnssec dnssec);
NMIPRouteTableSyncMode nm_l3_config_data_get_route_table_sync(const NML3ConfigData *self,
int addr_family);


@ -3626,6 +3626,14 @@ do_write_construct(NMConnection *connection,
write_ip_routing_rules(connection, ifcfg, route_ignore);
if (nm_setting_connection_get_dnssec(s_con) != NM_SETTING_CONNECTION_DNSSEC_DEFAULT) {
set_error_unsupported(error,
connection,
NM_SETTING_CONNECTION_SETTING_NAME "." NM_SETTING_CONNECTION_DNSSEC,
TRUE);
return FALSE;
}
write_connection_setting(s_con, ifcfg, interface_name);
NM_SET_OUT(out_ifcfg, g_steal_pointer(&ifcfg));


@ -2083,4 +2083,6 @@ global:
nm_setting_gsm_get_device_uid;
nm_setting_hsr_get_protocol_version;
nm_setting_hsr_protocol_version_get_type;
nm_setting_connection_get_dnssec;
nm_setting_connection_dnssec_get_type;
} libnm_1_54_0;


@ -2756,6 +2756,8 @@ test_types(void)
G(nm_setting_connection_lldp_get_type),
G(nm_setting_connection_llmnr_get_type),
G(nm_setting_connection_mdns_get_type),
G(nm_setting_connection_dns_over_tls_get_type),
G(nm_setting_connection_dnssec_get_type),
G(nm_setting_dcb_flags_get_type),
G(nm_setting_dcb_get_type),
G(nm_setting_diff_result_get_type),


@ -810,6 +810,10 @@
dbus-type="i"
gprop-type="gint"
/>
<property name="dnssec"
dbus-type="i"
gprop-type="gint"
/>
<property name="down-on-poweroff"
dbus-type="i"
gprop-type="gint"


@ -71,6 +71,7 @@ NM_GOBJECT_PROPERTIES_DEFINE(NMSettingConnection,
PROP_MDNS,
PROP_LLMNR,
PROP_DNS_OVER_TLS,
PROP_DNSSEC,
PROP_MPTCP_FLAGS,
PROP_STABLE_ID,
PROP_AUTH_RETRIES,
@ -103,6 +104,7 @@ typedef struct {
gint32 mdns;
gint32 llmnr;
gint32 dns_over_tls;
gint32 dnssec;
gint32 wait_device_timeout;
gint32 lldp;
gint32 wait_activation_delay;
@ -1293,6 +1295,22 @@ nm_setting_connection_get_dns_over_tls(NMSettingConnection *setting)
return NM_SETTING_CONNECTION_GET_PRIVATE(setting)->dns_over_tls;
}
/**
* nm_setting_connection_get_dnssec:
* @setting: the #NMSettingConnection
*
* Returns: the #NMSettingConnection:dnssec property of the setting.
*
* Since: 1.56
**/
NMSettingConnectionDnssec
nm_setting_connection_get_dnssec(NMSettingConnection *setting)
{
g_return_val_if_fail(NM_IS_SETTING_CONNECTION(setting), NM_SETTING_CONNECTION_DNSSEC_DEFAULT);
return NM_SETTING_CONNECTION_GET_PRIVATE(setting)->dnssec;
}
/**
* nm_setting_connection_get_mptcp_flags:
* @setting: the #NMSettingConnection
@ -3406,6 +3424,33 @@ nm_setting_connection_class_init(NMSettingConnectionClass *klass)
NMSettingConnectionPrivate,
dns_over_tls);
/**
* NMSettingConnection:dnssec:
*
* Whether DNSSEC (dnssec) is enabled for the connection.
*
* The permitted values are: "yes" (2) use DNSSEC and disable fallback,
* "allow-downgrade" (1) use DNSSEC but allow fallback if the server does not support it,
* "no" (0) don't ever use DNSSEC.
* The effect of "default" (-1) depends on the dns plugin used.
* Systemd-resolved uses its global setting in this case.
*
* This feature requires a plugin which supports DNSSEC. Otherwise, the
* setting has no effect. One such plugin is systemd-resolved.
*
* Since: 1.56
**/
_nm_setting_property_define_direct_enum(properties_override,
obj_properties,
NM_SETTING_CONNECTION_DNSSEC,
PROP_DNSSEC,
NM_TYPE_SETTING_CONNECTION_DNSSEC,
NM_SETTING_CONNECTION_DNSSEC_DEFAULT,
NM_SETTING_PARAM_NONE,
NULL,
NMSettingConnectionPrivate,
dnssec);
/* Notes about "mptcp-flags":
*
* It is a bit odd that NMMptcpFlags mixes flags with different purposes:
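Review bot: The doc comment for NMSettingConnection:dnssec describes "allow-downgrade" only as allowing fallback when the server does not support DNSSEC and does not say what that costs. In that mode validation stops whenever the server appears not to support DNSSEC, so I would add a sentence such as `* Note that "allow-downgrade" gives no protection when responses are tampered with to hide DNSSEC support; use "yes" where validation must be enforced.` The same description is repeated in the settings-docs and nmcli description sections of this commit, which are presumably generated from this comment and would need regenerating. nm_setting_connection_class_init starts and ends outside the hunk.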


@ -4032,6 +4032,7 @@ test_connection_diff_a_only(void)
{NM_SETTING_CONNECTION_MDNS, NM_SETTING_DIFF_RESULT_IN_A},
{NM_SETTING_CONNECTION_LLMNR, NM_SETTING_DIFF_RESULT_IN_A},
{NM_SETTING_CONNECTION_DNS_OVER_TLS, NM_SETTING_DIFF_RESULT_IN_A},
{NM_SETTING_CONNECTION_DNSSEC, NM_SETTING_DIFF_RESULT_IN_A},
{NM_SETTING_CONNECTION_MPTCP_FLAGS, NM_SETTING_DIFF_RESULT_IN_A},
{NM_SETTING_CONNECTION_MUD_URL, NM_SETTING_DIFF_RESULT_IN_A},
{NM_SETTING_CONNECTION_WAIT_DEVICE_TIMEOUT, NM_SETTING_DIFF_RESULT_IN_A},


@ -60,6 +60,7 @@ G_BEGIN_DECLS
#define NM_SETTING_CONNECTION_MDNS "mdns"
#define NM_SETTING_CONNECTION_LLMNR "llmnr"
#define NM_SETTING_CONNECTION_DNS_OVER_TLS "dns-over-tls"
#define NM_SETTING_CONNECTION_DNSSEC "dnssec"
#define NM_SETTING_CONNECTION_MPTCP_FLAGS "mptcp-flags"
#define NM_SETTING_CONNECTION_WAIT_DEVICE_TIMEOUT "wait-device-timeout"
#define NM_SETTING_CONNECTION_MUD_URL "mud-url"
@ -162,6 +163,24 @@ typedef enum {
NM_SETTING_CONNECTION_DNS_OVER_TLS_YES = 2,
} NMSettingConnectionDnsOverTls;
/**
* NMSettingConnectionDnssec:
* @NM_SETTING_CONNECTION_DNSSEC_DEFAULT: default value
* @NM_SETTING_CONNECTION_DNSSEC_NO: disable DNSSEC
* @NM_SETTING_CONNECTION_DNSSEC_ALLOW_DOWNGRADE: enable DNSSEC but allow fallback to non-DNSSEC mode
* @NM_SETTING_CONNECTION_DNSSEC_YES: force enable DNSSEC
*
* #NMSettingConnectionDnssec values indicate whether DNSSEC should be enabled.
*
* Since: 1.56
*/
typedef enum {
NM_SETTING_CONNECTION_DNSSEC_DEFAULT = -1,
NM_SETTING_CONNECTION_DNSSEC_NO = 0,
NM_SETTING_CONNECTION_DNSSEC_ALLOW_DOWNGRADE = 1,
NM_SETTING_CONNECTION_DNSSEC_YES = 2,
} NMSettingConnectionDnssec;
/**
* NMSettingConnectionDownOnPoweroff:
* @NM_SETTING_CONNECTION_DOWN_ON_POWEROFF_DEFAULT: default value
@ -304,6 +323,9 @@ void nm_setting_connection_clear_ip_ping_addresses(NMSettingConnection *setting)
NM_AVAILABLE_IN_1_52
NMTernary nm_setting_connection_get_ip_ping_addresses_require_all(NMSettingConnection *setting);
NM_AVAILABLE_IN_1_56
NMSettingConnectionDnssec nm_setting_connection_get_dnssec(NMSettingConnection *setting);
G_END_DECLS
#endif /* __NM_SETTING_CONNECTION_H__ */


@ -5845,6 +5845,9 @@ static const NMMetaPropertyInfo *const property_infos_CONNECTION[] = {
),
),
),
PROPERTY_INFO_WITH_DESC (NM_SETTING_CONNECTION_DNSSEC,
.property_type = &_pt_gobject_enum,
),
PROPERTY_INFO_WITH_DESC (NM_SETTING_CONNECTION_MPTCP_FLAGS,
.property_type = &_pt_gobject_enum,
.property_typ_data = DEFINE_PROPERTY_TYP_DATA (


@ -8,6 +8,7 @@
#define DESCRIBE_DOC_NM_SETTING_CONNECTION_AUTOCONNECT_SLAVES N_("Whether or not ports of this connection should be automatically brought up when NetworkManager activates this connection. This only has a real effect for controller connections. The properties \"autoconnect\", \"autoconnect-priority\" and \"autoconnect-retries\" are unrelated to this setting. The permitted values are: 0: leave port connections untouched, 1: activate all the port connections with this connection, -1: default. If -1 (default) is set, global connection.autoconnect-slaves is read to determine the real value. If it is default as well, this fallbacks to 0. Deprecated 1.46. Use \"autoconnect-ports\" instead, this is just an alias.")
#define DESCRIBE_DOC_NM_SETTING_CONNECTION_CONTROLLER N_("Interface name of the controller device or UUID of the controller connection.")
#define DESCRIBE_DOC_NM_SETTING_CONNECTION_DNS_OVER_TLS N_("Whether DNSOverTls (dns-over-tls) is enabled for the connection. DNSOverTls is a technology which uses TLS to encrypt dns traffic. The permitted values are: \"yes\" (2) use DNSOverTls and disabled fallback, \"opportunistic\" (1) use DNSOverTls but allow fallback to unencrypted resolution, \"no\" (0) don't ever use DNSOverTls. If unspecified \"default\" depends on the plugin used. Systemd-resolved uses global setting. This feature requires a plugin which supports DNSOverTls. Otherwise, the setting has no effect. One such plugin is dns-systemd-resolved.")
#define DESCRIBE_DOC_NM_SETTING_CONNECTION_DNSSEC N_("Whether DNSSEC (dnssec) is enabled for the connection. The permitted values are: \"yes\" (2) use DNSSEC and disable fallback, \"allow-downgrade\" (1) use DNSSEC but allow fallback if the server does not support it, \"no\" (0) don't ever use DNSSEC. The effect of \"default\" (-1) depends on the dns plugin used. Systemd-resolved uses its global setting in this case. This feature requires a plugin which supports DNSSEC. Otherwise, the setting has no effect. One such plugin is systemd-resolved.")
#define DESCRIBE_DOC_NM_SETTING_CONNECTION_DOWN_ON_POWEROFF N_("Whether the connection will be brought down before the system is powered off. The default value is \"default\" (-1). When the default value is specified, then the global value from NetworkManager configuration is looked up, if not set, it is considered as \"no\" (0).")
#define DESCRIBE_DOC_NM_SETTING_CONNECTION_GATEWAY_PING_TIMEOUT N_("If greater than zero, delay success of IP addressing until either the timeout is reached, or an IP gateway replies to a ping.")
#define DESCRIBE_DOC_NM_SETTING_CONNECTION_ID N_("A human readable unique identifier for the connection, like \"Work Wi-Fi\" or \"T-Mobile 3G\".")


@ -733,6 +733,10 @@
nmcli-description="Whether DNSOverTls (dns-over-tls) is enabled for the connection. DNSOverTls is a technology which uses TLS to encrypt dns traffic. The permitted values are: &quot;yes&quot; (2) use DNSOverTls and disabled fallback, &quot;opportunistic&quot; (1) use DNSOverTls but allow fallback to unencrypted resolution, &quot;no&quot; (0) don&apos;t ever use DNSOverTls. If unspecified &quot;default&quot; depends on the plugin used. Systemd-resolved uses global setting. This feature requires a plugin which supports DNSOverTls. Otherwise, the setting has no effect. One such plugin is dns-systemd-resolved."
format="choice (NMSettingConnectionDnsOverTls)"
values="default (-1), no (0), opportunistic (1), yes (2)" />
<property name="dnssec"
nmcli-description="Whether DNSSEC (dnssec) is enabled for the connection. The permitted values are: &quot;yes&quot; (2) use DNSSEC and disable fallback, &quot;allow-downgrade&quot; (1) use DNSSEC but allow fallback if the server does not support it, &quot;no&quot; (0) don&apos;t ever use DNSSEC. The effect of &quot;default&quot; (-1) depends on the dns plugin used. Systemd-resolved uses its global setting in this case. This feature requires a plugin which supports DNSSEC. Otherwise, the setting has no effect. One such plugin is systemd-resolved."
format="choice (NMSettingConnectionDnssec)"
values="default (-1), no (0), allow-downgrade (1), yes (2)" />
<property name="mptcp-flags"
nmcli-description="Whether to configure MPTCP endpoints and the address flags. If MPTCP is enabled in NetworkManager, it will configure the addresses of the interface as MPTCP endpoints. Note that IPv4 loopback addresses (127.0.0.0/8), IPv4 link local addresses (169.254.0.0/16), the IPv6 loopback address (::1), IPv6 link local addresses (fe80::/10), IPv6 unique local addresses (ULA, fc00::/7) and IPv6 privacy extension addresses (rfc3041, ipv6.ip6-privacy) will be excluded from being configured as endpoints. If &quot;disabled&quot; (0x1), MPTCP handling for the interface is disabled and no endpoints are registered. The &quot;enabled&quot; (0x2) flag means that MPTCP handling is enabled. This flag can also be implied from the presence of other flags. Even when enabled, MPTCP handling will by default still be disabled unless &quot;/proc/sys/net/mptcp/enabled&quot; sysctl is on. NetworkManager does not change the sysctl and this is up to the administrator or distribution. To configure endpoints even if the sysctl is disabled, &quot;also-without-sysctl&quot; (0x4) flag can be used. In that case, NetworkManager doesn&apos;t look at the sysctl and configures endpoints regardless. Even when enabled, NetworkManager will only configure MPTCP endpoints for a certain address family, if there is a unicast default route (0.0.0.0/0 or ::/0) in the main routing table. The flag &quot;also-without-default-route&quot; (0x8) can override that. When MPTCP handling is enabled then endpoints are configured with the specified address flags &quot;signal&quot; (0x10), &quot;subflow&quot; (0x20), &quot;backup&quot; (0x40), &quot;fullmesh&quot; (0x80). See ip-mptcp(8) manual for additional information about the flags. If the flags are zero (0x0), the global connection default from NetworkManager.conf is honored. If still unspecified, the fallback is &quot;enabled,subflow&quot;. Note that this means that MPTCP is by default done depending on the &quot;/proc/sys/net/mptcp/enabled&quot; sysctl. 
NetworkManager does not change the MPTCP limits nor enable MPTCP via &quot;/proc/sys/net/mptcp/enabled&quot;. That is a host configuration which the admin can change via sysctl and ip-mptcp. Strict reverse path filtering (rp_filter) breaks many MPTCP use cases, so when MPTCP handling for IPv4 addresses on the interface is enabled, NetworkManager would loosen the strict reverse path filtering (1) to the loose setting (2)."
format="flags (NMMptcpFlags)"


@ -506,12 +506,12 @@ NAME UUID TYPE DEVICE
con-1 5fcfd6d7-1e63-3332-8826-a7eda103792d ethernet --
<<<
size: 1704
size: 1757
location: src/tests/client/test-client.py:test_002()/23
cmd: $NMCLI c s con-1
lang: C
returncode: 0
stdout: 1576 bytes
stdout: 1629 bytes
>>>
connection.id: con-1
connection.uuid: 5fcfd6d7-1e63-3332-8826-a7eda103792d
@ -543,17 +543,18 @@ connection.lldp: default
connection.mdns: -1 (default)
connection.llmnr: -1 (default)
connection.dns-over-tls: -1 (default)
connection.dnssec: -1 (default)
connection.mptcp-flags: 0x0 (default)
connection.wait-device-timeout: -1
connection.wait-activation-delay: -1
<<<
size: 1715
size: 1768
location: src/tests/client/test-client.py:test_002()/24
cmd: $NMCLI c s con-1
lang: pl_PL.UTF-8
returncode: 0
stdout: 1577 bytes
stdout: 1630 bytes
>>>
connection.id: con-1
connection.uuid: 5fcfd6d7-1e63-3332-8826-a7eda103792d
@ -585,6 +586,7 @@ connection.lldp: default
connection.mdns: -1 (default)
connection.llmnr: -1 (default)
connection.dns-over-tls: -1 (default)
connection.dnssec: -1 (default)
connection.mptcp-flags: 0x0 (default)
connection.wait-device-timeout: -1
connection.wait-activation-delay: -1

File diff suppressed because it is too large Load diff

File diff suppressed because it is too large Load diff