Use --enable-doc and --enable-tests instead of --with-docs and
--with-tests. This is consistent with other features and with
--enable-gtk-doc option. Support current variants as fallback.
Don't build tests unless --enable-tests is specified.
You can now use 'address=' even for IPv6 and it's the encouraged way
to set up a single address manually. For multiple addresses,
'address0=', 'address1=', etc, should be preferred.
Example:
address=10.0.0.15/24/10.0.0.1
address0=192.168.0.1/24
address1=10.0.0.16/32
Example (backward compatibility):
addresses=10.0.0.15/24/10.0.0.1
addresses0=192.168.0.1/24
addresses1=10.0.0.16/32
IPv4 and IPv6 address configuration is now handled together and supports
the following syntax (slashes can be replaced with semicolons):
address/plen
address/plen,gateway
IPv4 and IPv6 route configuration is also handled uniformly and supports
the following syntax:
address/plen (for device routes)
address/plen,gateway (for gateway routes)
address/plen,gateway,metric (for gateway routes with metric)
For compatibility reasons, slash (/), comma (,) and semicolon (;) are
considered equal by the parser. The /plen part is optional for both
addresses and routes for compatibility reasons.
Leaving out the prefix length is not considered a good idea. IPv6
addresses default to 64 and IPv4 now defaults to 24 which is the closest
possible IPv4 counterpart. Routes default to single addresses.
Example 1:
[ipv4]
method=manual
addresses1=192.168.56.5/24,192.168.56.1
addresses2=192.168.57.5/24
routes1=4.5.6.0/24
routes2=1.2.3.0/24,4.5.6.7
routes3=7.8.9.0/24,4.5.6.7,99
[ipv6]
method=manual
addresses1=2001:db8:a🅱️:3/64,2001:db8:a🅱️:1
addresses2=2001:db8:c:d::3/64
routes1=2001:db8:e:f::/64,2001:db8:a🅱️:4
Example 2 (equivalent):
[ipv4]
method=manual
addresses1=192.168.56.5;24;192.168.56.1
addresses2=192.168.57.5;24
routes1=4.5.6.0;24
routes2=1.2.3.0;24;4.5.6.7
routes3=7.8.9.0;24;4.5.6.7;99
[ipv6]
method=manual
addresses1=2001:db8:a🅱️:3;64;2001:db8:a🅱️:1
addresses2=2001:db8:c:d::3;64
routes1=2001:db8:e:f::;64;2001:db8:a🅱️:4
For writing, I have arbitrarily chosen one of the formats 'reader'
can parse. Address and prefix length are separated by slash (/),
everything else is separated by comma (,).
addresses1=address/plen,gateway
routes1=address/plen,gateway,metric
Note: The modified 'reader' exposes a bug in the 'writer' and ignores
out badly-formatted routes. This problem is also fixed by this
commit. Keyfile tests now pass.
Use autoconf/automake variables for NetworkManager paths. Use
NetworkManager subdirectory where appropriate.
Files in /var/run (or /run on some distros) are moved into a separate
directory as is usual with other daemons. It makes the filesystem
more readable and file prefixing unnecessary.
/var/run/NetworkManager.pid -> /var/run/NetworkManager/NetworkManager.pid
/var/run/nm-dns-dnsmasq.pid -> /var/run/NetworkManager/dnsmasq.pid
/var/run/nm-dns-dnsmasq.conf -> /var/run/NetworkManager/dnsmasq.conf
The /var/run/NetworkManager directory is created at runtime, if it doesn't
exist.
Note: Path-based security policies like SELinux and AppArmor may need to
be adapted.
When updating connections, it is less confusing to reuse the existing file
instead of renaming files according to connection's ID. That reduces surprises
of moving connection files when a connection is edited.
We had separate checks for glib-2.0, gobject-2.0, gmodule-2.0, and
gio-unix-2.0. It doesn't make sense to link a binary against all 4
because gio-unix-2.0 depends on glib-2.0 and gobject-2.0. Doing this
actually breaks things in unusual circumstances.
Generally, few bits of NM actually just use glib, and not gio. We
might as well coalesce those requirements together, even if it means
in some cases we "overlink". Additionally, I chose for now to fold
gmodule-2.0 in as well, even though many fewer programs need it. The
cost of overlinking is quite small.
The benefit of this is less repeated junk in Makefile.am, as well as
more centralized control over GLib. A followup patch will allow us to
set -DGLIB_VERSION_MIN_REQUIRED in just one place, rather than having
to replicate it 4 times.
The NM configure is still suboptimal - for example, libpolkit-1
depends on gio-2.0, so really we should determine the compiler flags
all in one pass. But it doesn't matter too much for now.
This functionality is (mostly) obsoleted by the newer
GLIB_VERSION_MIN_REQUIRED and GLIB_VERSION_MAX_ALLOWED defines. With
this, your build doesn't all of a sudden blow up if we deprecate
something in GLib - you have to explicitly opt-in to the newer
version.
G_DISABLE_DEPRECATED does still apply for macros and things that can't
take __attribute__((deprecated)), but it's not really worth the pain
and cargo culting around just for that.
The ctype macros (eg, isalnum(), tolower()) are locale-dependent. Use
glib's ASCII-only versions instead.
Also, replace isascii() with g_ascii_isprint(), since isascii()
accepts control characters, which isn't what the code wanted in any of
the places where it was using it.
"InfiniBand" has a capital "B". Fix that everywhere it's being used as
a human-readable string.
In particular, the RH initscripts recognize "TYPE=infiniband" and
"TYPE=InfiniBand", but not "TYPE=Infiniband", which is what we were
writing before.
nm_utils_hwaddr_ntoa() and nm_utils_hwaddr_aton() are like
ether_ntoa()/ether_aton(), but handle IPoIB too.
nm_utils_hwaddr_atoba() is like _aton() but returns a GByteArray,
since that's what's wanted in many places.
Also remove nm_ether_ntop() and replace uses of it with
nm_utils_hwaddr_ntoa().
Even with the previous fix some cases were still undistinguishable. For example,SSID like '11;12;' is both valid an intlist and a string.
So this commit:
- escapes ';' character with '\' when writing, and removes '\' while reading
This clearly differentiates between intlist x strings.
- changes regex pattern to allow spaces before ';' in intlist format
Intlists have to end with a ';' since that's how they are written
out, and that's the only way we can actually distinguish between
intlist SSIDs and string SSIDs, really.
SSIDs don't want NULL termination, but some of the certificate code
checked for it. New-style plain strings would never be NULL
terminated (by accident) so fix that and make the code simpler too.
Found by Gary Ching-Pang Lin <chingpang@gmail.com>
* When a connection name (ID) was changed via nm-connection-editor, a new file
path was created, but the old one was not removed. That resulted in two files
and in turn in duplicated connections.
* When two connections with the same name (ID) were present, e.g. files ABC and
ABC-70656842-98ac-4221-aa8b-0d4174770, and nm-connection-editor was used to
edit ABC-70656842-98ac-4221-aa8b-0d4174770, the operation failed.
The regex was capturing integers larger than 3 digits, which aren't
valid SSID integer list items because each byte of the SSID cannot be
larger than 255. Add an explicit testcase for intlist SSIDs too.
The previous regex was causing a testcase failure with an SSID of
'1337' which it was interpreting as a single element intlist, but
should have been interpreted as a string since it's clear > 255.
When a connection changes on-disk, the in-memory copy of it may contain
transient secrets (agent-owned or not saved) that dont' get written out
to disk. When comparing the on-disk copy to the in-memory copy make sure
transient secrets are ignored so that we don't re-read the on-disk copy
needlessly.
The keyfile code has to handle a few different formats of cert/key values,
and wasn't doing a good enough job of detecting plain paths as values. By
default the writer will write out a plain path (ie, not prefixed with file://)
and the reader will handle that correctly, *unless* that file does not
exist, at which the reader assumed it was a byte array. This caused the
read-in keyfile not to match the in-memory connection (since the in-memory
connection though the cert/key held a path, but the read-in one thought it
contained a blob) and this seems to eventually have triggered a write-out
with the new values (as a blob), which would then drop a .pem file into
system-connections/ containing the path that should have been in the
keyfile in the first place.
This all happened because we assumed that the given path for the cert or
key would actually be valid, which doesn't seem to be the case for a lot
of people. Clearly these connections won't work (since the certificate or
key does not exist) but the keyfile plugin shouldn't be messing up the
connection's settings at the very least.
Fix that by handling the check of whether the cert/key data is a path or
not in a less restrictive manner and add some testcases to make sure that
everything works as we expect.
If the cert/key path is relative to the keyfile then don't
bother writing the absolute path out. This also prevents the
keyfile plugin from rewriting a relative path to an absolute one,
preventing some annoyance for people that hand-edit keyfiles.
Passing a relative path to wpa_supplicant does no good since the supplicant
may not have the same working directory as NetworkManager. Relative paths
used in keyfiles are assumed to be relative to the keyfile itself anyway,
so actually use the absolute path we compute for the cert/key instead of
leaving it relative.
Since the keyfile plugin only stores the paths of these files,
we don't really care about what's in them. We also don't want
to attempt to read them as keyfiles, which produces warnings
in the logs.
All non-VPN secrets are considered system-owned if they do not
have any explicitly set secret flags, and this makes VPN secrets
treated the same way. As part of the import process plugins and
the applet already update secret flags. This ensures that VPN
secrets are treated consistently throughout the codebase.
