When using IWD-side autoconnect mode (current default), in .deactivate()
and .deactivate_async() refrain from commanding IWD to actually
disconnect until the device is managed. Likely the device is already
disconnected but in any case it's up to IWD to decide in this mode.
Calling IWD device's .Disconnect() D-Bus method has the side effect of
disabling autoconnect and doing this while NM is still in platform-init
was unexpectedly leaving the device without autoconnect after
platform-init was done, according to user reports.
Fixes: dc0e31fb70 ('iwd: Add the wifi.iwd.autoconnect setting')
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/786
(cherry picked from commit 1708e9a3cc)
Ignore a rd.znet argument without subchannels. When using net.ifnames
(the default), subchannels are used to build the interface name, which
is required to match the right connection.
With net.ifnames=0 the interface name is build using a prefix and a
global counter and therefore in theory it is possible to omit
subchannels. However, without subchannels there won't be a udev rule
that renames the interface and so it can't work.
https://bugzilla.redhat.com/show_bug.cgi?id=1931284https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/783
(cherry picked from commit 0f8fe3c76b)
The idea of NM_G_MUTEX_LOCKED() macro is not only to register a mutex
for unlocking (via nm_auto_unlock_g_mutex) but also to lock it at
the same time.
That is a useful helper macro. If you have to lock the mutex yourself,
it makes usage less convenient. At which point you don't need the macro
anymore and you should instead take full control and lock/unlock yourself.
Fix the macro and change behavior. The macro was not used so far, so
it's not a problem.
Fixes: dd33b3a14e ('shared: add nm_auto_unlock_g_mutex and NM_G_MUTEX_LOCKED() helper macros')
(cherry picked from commit 098ac7dbc0)
802-1x.optional=yes means that NM should tolerate a failure or a
timeout of the 802.1X authentication and should keep the connection
up. Even if the authentication doesn't succeed, NM keeps the
supplicant running so that it can continue trying.
If the supplicant disappears because it crashed or was killed
externally, NM should fail the connection so that it can be retried.
The current code is wrong also because after releasing the supplicant
interface, it calls wired_auth_cond_fail() which tries to connect a
signal to priv->supplicant.iface (which is NULL).
https://bugzilla.redhat.com/show_bug.cgi?id=1934291https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/776
(cherry picked from commit 840e54a96c)
If an existing connection has an interface name set and the generator
finds a BOOTIF argument, it creates a new connection for BOOTIF.
Instead, the generator should set the MAC in the existing connection;
this sounds more correct and it is what the network-legacy module
does.
https://bugzilla.redhat.com/show_bug.cgi?id=1915493
(cherry picked from commit 389575a6b1)
Currently we unconditionally reset the MAC to the previous value after
releasing ports. This has some disadvantages:
- by default, after the last port is removed the bond will have one
of the previous port's address, which could conflict with the port;
- in some cases, changing the bond MAC is not possible. For example
when the bond is active-backup and has fail_over_mac=1|2. In such
case the netlink call succeeds, but the address doesn't
change; then NM would keep waiting for some time.
Don't try to restore the MAC unless the bond connection has a cloned
MAC set.
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/775
(cherry picked from commit 190fd9aa9f)
With systemd-resolved, NetworkManager considers `/etc/resolv.conf`
unmanaged. This breaks hostname lookups in a subtle way: when a new
connection comes online, NM will initiate the hostname lookup *before*
propagating DNS updates to systemd-resolved, which of course will cause
the request to fail. And because NM doesn't update `/etc/resolv.conf`,
it doesn't emit a `CONFIG_CHANGED` signal which would've restarted the
lookup.
Fix this by emitting a signal also when using a caching DNS plugin.
https://bugzilla.redhat.com/show_bug.cgi?id=1933863https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/770
(cherry picked from commit 1c0932a6e6)
The bond option ad_actor_system only matters (and is available) with
mode=802.3ad.
When you create a new bond, the sysctl value will be set to "00:00:00:00:00:00".
So this seems to be a valid value, and in fact the default value for
this option. However, kernel will fail with EINVAL to set the sysctl to
"00:00:00:00:00:00". Kernel fails both if the value is already
"00:00:00:00:00:00" (i.e. setting the same value results in an error) and
it also fails otherwise (i.e. we cannot ever reset the value to
"00:00:00:00:00:00", at least not via sysfs).
Avoid the warning in the common case, where the value is already as
expected.
Otherwise, we still get the warning and won't be able to set the right
value. But this is really a limitation of the kernel API where we cannot
do anything about it (in NetworkManager).
https://bugzilla.redhat.com/show_bug.cgi?id=1923999
(cherry picked from commit 9e7af31454)
A connection with key-mgmt=wpa-psk should be able to connect to WPA,
WPA2 and WPA3 APs, choosing the best candidate automatically.
Also pass SAE (WPA3) key-mgmt to wpa_supplicant when it is supported.
For example, I now get this when connecting to a WPA2 network:
<info> [1613749711.2915] Config: added 'key_mgmt' value 'WPA-PSK WPA-PSK-SHA256 FT-PSK SAE FT-SAE'
(cherry picked from commit f5d78c2d28)
fixes segfault with iwd backend after upgrade to NetworkManager 1.30.0
Signed-off-by: Jan Palus <jpalus@fastmail.com>
Fixes: 43fd93d8f4 ('iwd: Order objects from g_dbus_object_manager_get_objects')
(cherry picked from commit 2e0752b1bf)
"--with test" does two things:
(1) it enables "-Werror" compiler option. We always enable all
compiler warnings we care about, but this option makes all
warnings fatal.
Compiler warnings depend on compiler version and build options.
It's hard to build without any compiler warnings, in particular
for *future* compiler versions which we don't know yet. It
is desirable that a SRPM from yesterday can also be build
tomorrow.
(2) it fails build if any unit tests fail. We always run all
unit tests, but "--with test" makes it fatal. Again, we
have many unit tests that interact with the system (that is,
make system calls, like creating IP addresses or write files).
It is surprisingly hard to get them pass 100% on all the systems
we care. For example, on copr a test setup randomly fails during
ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
nm_utils_ifname_cpy(ifr.ifr_name, TEST_IFNAME);
r = ioctl(fd, TUNSETIFF, &ifr);
It's not clear why, nor is it at all clear that there is a bug
in NetworkManager. Making tests fatal basically means that a build
on copr infrastructure fails with a probability from a few percent.
Enough to be seriously annoying.
Note that on copr we actually build "--with test", because we want to catch these
issues. Likewise for our CI builds we explicitly specify "--with test".
In general, we build with various build configurations (compiler warnings)
and run unit tests on a source package many times. Starting on the
developer machine (`make check`), gitlab-ci, copr builds,
NetworkManager-ci. If you build an SRPM with such sources, a failure
of the unit tests is much more likely a glitch than an actual issue.
This is about changing the default if you build a Fedora/RHEL package.
That is with the Fedora/RHEL packages that are build in koji/brew.
Well, at least usually. In practice, we don't build frequently on non
x64_86 archs, so what I said there is less true. But the package build
is not there to replace CI/testing. The package build is there to get
a (mostly) working binary.
Note that RHEL packages anyway go through rpmdiff too, and rpmdiff
parses the build log and complain if `make check` fails.
This reverts commit e68e5c0a4c.
(cherry picked from commit e23bafe5d5)
/route/ip6: NMPlatformSignalAssert: ../src/core/platform/tests/test-route.c:449, test_ip6_route(): failure to accept signal one time: 'ip6-route-changed-added' ifindex 0 (2 times received)
(cherry picked from commit 39c3eacb7d)
Since we always set autoconnect-retries=1, use the value of
rd.net.dhcp.retry as a multiplier for the DHCP timeout.
(cherry picked from commit 099ce63888)
By default a connection is retried 4 times before it is blocked from
autoconnecting. This means that if a user specifies an explicit DHCP
timeout in the initrd command line, NM will wait up to 4 times more.
Instead, set the "connection.autoconnect-retries" property of
connections always to 1, so that NM only waits for the time
specified.
Before this commit a default DHCP connection would take at most (45 x
4) seconds. Since the multiplier is now only 1, also increase the DHCP
timeout to have a total time of (90 x 1) seconds, which is the half
than before.
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/559
(cherry picked from commit 7e126fe898)
We periodically re-resolve the DNS name for entpoints. Since WireGuard
has no concept of being connected, we want to eventually pick up
if the DNS name resolves to a different IP address.
However, on resolution failure, we will never clear the endpoint we
already have. Thus, resolving names can only give a better endpoint,
not remove an IP address entirely.
DNS names might do Round-Robin load distribution and the name of the
endpoint might resolve to multiple IP addresses. Improve to stick to
the IP address that we already have -- provided that the IP address
is still among the new resolution result. Otherwise, we continue to
pick the first IP address that was resolved.
(cherry picked from commit 98348ee539)
In C, initialization of a union does not define that excess memory
is initialized. Ensure that, by initializing the largest member of the
NMSockAddrUnion union.
(cherry picked from commit 7bf2ddf73f)
Under restricted permissions (like inside a podman container) opening
"/proc/self/ns/net" fails with Permission denied. Consequently we cannot
create our bottom NMPNetns instance. That is mostly fine, however we
would log an error message with severity <error>.
Note that test "src/core/platform/tests/test-platform-general" asserts
that no <warn> and <error> messages get logged. Hence, the test will
fail.
That is undesirable. Downgrade the message to <debug> so that the test
passes. Also, it's not clear that this error message is useful here.
Being unable to open a netns fd is fine and not necessarily an error
condition.
(cherry picked from commit 0213300dce)
We should always register the GArray stack with pthread
for cleanup the thread local storage. Do that first, before
creating the NMPNetns instance at the bottom of the stack.
(cherry picked from commit f9636080ac)
Inside a podman container (without `--priviledged`) we don't have
permissions for "unshare(CLONE_NEWNET|CLONE_NEWNS)".
It's not useful to fail tests in environments where they cannot run.
Skip them.
(cherry picked from commit ecdbb1ab84)
We call `tc` from iproute2, which commonly is at "/sbin/tc".
That might not be in the "$PATH" of a regular user, and consequently
we fail to run the test.
Work around that by always adding "/bin" and "/sbin" to the $PATH.
(cherry picked from commit f591aa41c6)
