The program only needs to know the local IPv4 address, the local IPv6
address and the PREF64. There is no need to create multiple maps for
that, just pass a configuration struct containing those 3 fields.
Avoid using pointer arithmetic in the BPF program, so that it requires
only CAP_BPF and not CAP_PERFMON. In this context "pointer arithmetic"
means adding a variable value to a packet pointer. This means that the
program no longer tries to parse variable-size headers (IPv4 options,
IPv6 extension headers). Those were already not supported before. It
also doesn't parse VLAN tags, but there should be no need for that. If
we use fixed offset, we can avoid using the parsing helpers from
libxdp.
There are 3 possible results from clat_translate_v6():
1. the packet didn't match the CLAT IPv6 address and must be
accepted;
2. the packet matches but it is invalid and so it must be dropped;
3. the packet matches and it is valid; clat_handle_v6() should
translate the packet to IPv4;
Before, the function returned TC_ACT_SHOT for both 2 and 3. Therefore,
clat_handle_v6() tried to rewrite also invalid packets.
Fix that by returning TC_ACT_UNSPEC for valid packets, meaning that
there isn't a final verdict yet.
When connecting to a wifi network and providing the password on the
command line, nmcli first looks if there is a compatible connection to
reuse. If there is not, it creates and activates a new one via a
single call to AddAndActivate().
If there is a compatible connection, nmcli first calls Update() on it
to set the new password and then Activate() to bring it up. Before
that, it registers a secret agent that can prompt for a new password
in case of authentication failure.
However, as soon as nmcli registers a secret agent, NM tries to
activate again the connection if it was blocked due to a previous
authentication failure. This connection attempt is going to fail
because it still uses the old password, as new one hasn't been set via
Update().
Change the order of operations to register the agent after Update()
and before Activate().
Reproducer:
nmcli device wifi connect SSID password BAD_PASSWORD
nmcli device wifi connect SSID password GOOD_PASSWORD
Fixes: c8ff1b30fb ('nmcli/dev: use secret agent for nmcli d [wifi] connect')
Executing this command twice, or when a connection profile already
exists for the SSID:
nmcli device wifi connect $SSID password $PASSWORD
returns error:
Error: 802-11-wireless-security.key-mgmt: property is missing.
When setting the password nmcli was wiping the existing wireless
security setting.
Fixes: c8ff1b30fb ('nmcli/dev: use secret agent for nmcli d [wifi] connect')
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/1688
Avoid build failures in some distros.
ERROR: Assert failed: systemd required but not found, please provide a valid systemd user generator dir or disable it
Fixes: 636fb5ef24 ('systemd: install initrd services using a generator')
The function strerror_r returns an int per POSIX spec, but GNU version
returns char *. Using it fails the compilation in Alpine, so use
_nm_strerror_r instead that handles both cases.
Fixes: 41e28b900f ('daemon-helper: add read-file-as-user')
Add a new public function nm_utils_copy_cert_as_user() to libnm. It
reads a certificate or key file on behalf of the given user and writes
it to a directory in /run/NetworkManager. It is useful for VPN plugins
that run as root and need to verify that the user owning the
connection (the one listed in the connection.permissions property) can
access the file.
Only allow private VPN connections if the VPN plugin declares the
supports-safe-private-file-access capability. Also check that the
private connection doesn't have more than one owner.
The new API indicates that the VPN plugin supports reading files
(certificates, keys) of private connections in a safe way
(i.e. checking user permissions), or that it doesn't need to read any
file from disk.
If we add a new property in the future and it references a certificate
or key stored on disk, we need to also implement the logic to verify
the access to the file for private connections.
Add a new property flag NM_SETTING_PARAM_CERT_KEY_FILE to existing
certificate and key properties, so that it's easier to see that they
need special treatment. Also add some assertions to verify that the
properties with the flag are handled properly.
While at it, move the enumeration of private-files to the settings.
In case of private connections, the device has already read the
certificates and keys content from disk, validating that the owner of
the connection has access to them. Pass those files as blobs to the
supplicant so that it doesn't have to read them again from the
filesystem, creating the opportunity for TOCTOU bugs.
During stage2 (prepare) of an activation, check if the connection is
private and if it contains any certificate/key path. If so, start
reading the files and delay stage2. Once done, store the files'
content into priv->private_files.table and continue the activation.
Add function nm_utils_read_private_files(). It can be used to read a
list of paths as the given user. It spawns the daemon-helper to read
each path and returns asynchronously a hash table containing the files
content.
Also add nm_utils_get_connection_private_files_paths() to return a
list of file paths referenced in a connection. The function currently
returns only 802.1x file paths for certificates and keys.
