14067 commits

Author SHA1 Message Date
Jonas Dreßler
2bc3cf0cb8
supplicant/config: Disallow SHA1 ciphers when using required PMF
As mentioned in the wpa_supplicant reference config, when setting PMF to
required with WPA2 (personal or enterprise) authentication, we want to
only enable SHA256 and upwards as HMAC. So enforce that by not passing
WPA-PSK and WPA-EAP to the config in case pmf is set to REQUIRED.
2021-05-06 22:23:28 +02:00
Jonas Dreßler
a4b95a9fcd
libnm-core: Don't allow disabling PMF when using WPA3 key management
Modern WPA3 authentication methods like SAE and WPA-EAP-SUITE-B-192 need
to have management frame protection set to required according to the
standard. Since the last commit, we enforce this automatically when
key-mgmt is set to 'owe', 'sae' or 'wpa-eap-suite-b-192', so disabling
it manually should not be possible.

Add a check to the pmf property that makes sure it can't be set to
'disabled' or 'optional' when one of those key-mgmt methods is used.
2021-05-06 22:23:28 +02:00
Jonas Dreßler
8816cfe736
supplicant/config: Require pmf for owe, sae and wpa-eap-suite-b-192
When using modern WPA3 encryption like owe, sae or wpa-eap-suite-b-192
without fallbacks (so not WPA3+WPA2), protected management frames are
required to be enabled by the specification.

For wpa-eap-suite-b-192 we already do this and force PMF to REQUIRED; we
should also do it for OWE and SAE.
2021-05-06 22:23:28 +02:00
Jonas Dreßler
e06f9508d1
libnm-core: Rewrite comment of key-mgmt property
The key-mgmt property of NMSettingWirelessSecurity is slightly confusing
when you know there's also a wpa_supplicant configuration option called
"key_mgmt". Our property is not the same as that supplicant option even
though they do have things in common. NM's key-mgmt is not exactly meant
to configure which AKM suites you want to use, but rather which method
of wifi security is being used (so "wpa2+wpa3 personal", "wpa3 personal
only" or "wpa3 enterprise only").

Try to make this a bit clearer in the documentation of the property by
rewriting it and listing those security methods.
2021-05-06 22:23:28 +02:00
Jonas Dreßler
5f146b40f3
supplicant/config: Refactor key_mgmt config generation
Refactor the generation of the key_mgmt option of the wpa_supplicant
config we generate. The goal of this is to lay out all the cases we
support more obviously and to make it a bit clearer that our key-mgmt
property of NMSettingWirelessSecurity is not the same as the "key_mgmt"
config we set in wpa_supplicant.
2021-05-06 22:23:28 +02:00
Thomas Haller
a6cf94cfc4
strbuf: drop nm_str_buf_append_c[24]() for nm_str_buf_append_c() 2021-05-06 13:18:56 +02:00
Thomas Haller
94ce36f816
strbuf: make nm_str_buf_append_c() a variadic macro
We already have nm_str_buf_append_c2() and nm_str_buf_append_c4()
to support 2 or 4 characters.

I'd like to also have one for 3 characters.

At this point, just make it a variadic macro. This now supports 1 up to
4 characters, and it will be easy to extend further.
2021-05-06 13:18:19 +02:00
Thomas Haller
b86545e7c0
firewall: rename NMFirewallManager to NMFirewalldManager
The file was already renamed. Now also rename the type and API.
2021-05-06 12:22:37 +02:00
Thomas Haller
8483c47d70
firewall: rename "nm-firewall-manager.[ch]" to "nm-firewalld-manager.[ch]"
We will add a general "firewall-manager", so rename the firewalld related
file. This commit only renames the file. The next commit will change the
symbol naming.
2021-05-06 12:22:37 +02:00
Thomas Haller
0bc5a2c76f
core: add "nm-device-utils.[ch]" with simple helper functions
"nm-device.c" is huge, and it does complicated things like handling the
state of the device and IP configuration.

It also contains simpler, individual functions, like converting enums to
strings. Let's move those trivial functions to a new module, so that the
remaining part is smaller.

"nm-device-utils.[ch]" should only contain simpler functions that have
no complex behavior or state.

https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/840
2021-05-06 12:19:44 +02:00
Thomas Haller
037a94e837
ppp: cleanup nm-ppp-manager-call to use const pointer and atomic operations
- Mark NMPPPOps variable as const. It really must not be modified.

- We cache the loaded symbols in a global variable. While this code
  is not used in a multi-threaded situation, I think we should not
  add code that uses global variables that is not thread safe.

https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/837
2021-05-06 11:34:28 +02:00
Wen Liang
86dcb31ab3
build: replace ./tools/generate-docs-nm-property-infos.pl with python script
In order to have more structured settings in man page and make it more
manageable to generate the docbook, it is recommended to use a python
script to replace `./tools/generate-docs-nm-property-infos.pl` (this
tool is used to parse the comment section starting with `---nmcli---`,
`---dbus---`, `---keyfile---`, `---ifcfg-rh---`).

Signed-off-by: Wen Liang <liangwen12year@gmail.com>

https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/824
2021-05-05 15:28:17 +02:00
Thomas Haller
207cf3d5d4
libnm: normalize "connection.uuid"
For NetworkManager profiles, "connection.uuid" is the identifier of the
profile. It is supposed to be a UUID, however:

- the UUID was not ensured to be all-lower case. We should make sure
  that our UUIDs are in a consistent manner, so that users can rely
  on the format of the string.

- the UUID was never actually interpreted as a UUID. It only was some
  opaque string, that we use as identifier. We had nm_utils_is_uuid()
  which checks that the format is valid, however that did not fully
  validate the format, like it would accept "----7daf444dd78741a59e1ef1b3c8b1c0e8"
  and "549fac10a25f4bcc912d1ae688c2b4987daf444d" (40 hex characters).

Both invalid UUIDs and non-normalized UUIDs should be normalized. We
don't want to break existing profiles that use such UUIDs, thus we don't
outright reject them. Let's instead mangle them during
nm_connection_normalize().
2021-05-04 15:51:59 +02:00
Thomas Haller
5bd03fd9a3
libnm: use nm_uuid_is_valid_nmlegacy() to implement nm_utils_is_uuid() 2021-05-04 15:51:57 +02:00
Thomas Haller
ce65fc52a8
glib-aux: add nm_uuid_is_valid() helper 2021-05-04 15:51:55 +02:00
Thomas Haller
b12f116a02
glib-aux: add nm_uuid_is_valid_nmlegacy() helper 2021-05-04 15:51:53 +02:00
Thomas Haller
2fcabf5699
all: only include "libnm-glib-aux/nm-uuid.h" where needed
Don't let "nm-core-internal.h" (which is a very popular header itself)
drag in "nm-uuid.h".
2021-05-04 15:51:51 +02:00
Thomas Haller
414ce2236e
glib-aux: add NMUuidType enum for nm_uuid_generate_from_string()
Let's have an enum instead of plain "int" and #define.
2021-05-04 15:51:50 +02:00
Thomas Haller
995c78245e
glib-aux/trivial: rename NMUuid API 2021-05-04 15:51:49 +02:00
Thomas Haller
78297db721
libnm,glib-aux: move nm_utils_uuid_*() API to libnm-glib-aux 2021-05-04 15:51:47 +02:00
Thomas Haller
c5985db7cf
libnm,glib-aux: move nm_crypto_md5_hash() to "libnm-glib-aux"
This only uses glib's md5 code and has no dependency on our
crypto libraries (gnutls, nss).

Move it to "libnm-glib-aux" so it can be freely used.

Maybe it deserves a better name, but "nm-shared-utils.h" is a heap of
various utility functions, it's hard to name them well.
2021-05-04 15:51:46 +02:00
Thomas Haller
73cfc4097a
libnm,glib-aux: add and use nm_uuid_generate_random_str*() helpers 2021-05-04 15:51:45 +02:00
Thomas Haller
dd1a618745
libnm,glib-aux: move nm_utils_uuid_is_null() to "nm-uuid.h" 2021-05-04 15:51:45 +02:00
Thomas Haller
73b9883c6f
build: don't link libnm/libnm-core against libuuid
We use util-linux's libuuid for handling UUIDs. But UUIDs are
really a trivial thing, at least the portion that we use.

Reimplement the parse/unparse/generate_random() methods and drop
the dependency. Note that no other libraries from our dependency chain
were dragging in libuuid, so thereby we really get rid of the dependency.

We still require libuuid for building, because it is used by an example
program. Maybe that should be changed, to avoid the build dependency.
But that can be done at a later time.
2021-05-04 15:51:44 +02:00
Thomas Haller
7a15144f75
glib-aux: use nm_uuid_generate_random() helper 2021-05-04 15:51:43 +02:00
Thomas Haller
b4608b3ff7
glib-aux: add nm_uuid_generate_random() helper 2021-05-04 15:51:43 +02:00
Thomas Haller
42d67415b4
glib-aux: use nm_uuid_parse() helper 2021-05-04 15:51:42 +02:00
Thomas Haller
e7568e29b2
glib-aux: add nm_uuid_parse() helper 2021-05-04 15:51:42 +02:00
Thomas Haller
596bf4b91b
glib-aux: use nm_uuid_unparse() 2021-05-04 15:51:42 +02:00
Thomas Haller
cd45ad4acf
glib-aux: add nm_uuid_unparse() 2021-05-04 15:51:42 +02:00
Thomas Haller
daebb11af8
glib-aux: move NMUuid to "src/libnm-glib-aux/nm-uuid.h" 2021-05-04 15:51:41 +02:00
Thomas Haller
50add1c75a
glib-aux: add "nm-uuid.[ch]" sources 2021-05-04 15:51:41 +02:00
Thomas Haller
36d92182a8
libnm-core/tests: add test for connection.uuid of settings 2021-05-04 15:51:41 +02:00
Thomas Haller
05130b6e10
ifupdown: replace _str_has_prefix() by NM_STR_HAS_PREFIX() 2021-05-04 15:51:41 +02:00
Thomas Haller
21321ac736
clang-format: reformat code with clang 12
The format depends on the version of the tool. Now that Fedora 34 is
released, update to clang 12 (clang-tools-extra-12.0.0-0.3.rc1.fc34.x86_64).
2021-05-04 13:56:26 +02:00
Beniamino Galvani
23cc0bf335
manager: fix assertion failure in active_connection_find()
Active-connections in the async_op_lst are not guaranteed to have a
settings-connection. In particular, the settings-connection for an
AddAndActivate() AC is set only after the authorization succeeds. Use
the non-asserting variant of the function to fix the following
failure:

 nm_active_connection_get_settings_connection: assertion 'sett_conn' failed

 1    _g_log_abort()
 2    g_logv()
 3    g_log()
 4    _nm_g_return_if_fail_warning.constprop.14()
 5    nm_active_connection_get_settings_connection()
 6    active_connection_find()
 7    _get_activatable_connections_filter()
 8    nm_settings_get_connections_clone()
 9    nm_manager_get_activatable_connections()
 10   auto_activate_device_cb()
 11   g_idle_dispatch()
 12   g_main_context_dispatch()
 13   g_main_context_iterate.isra.21()
 14   g_main_loop_run()
 15   main()

Fixes: 33b9fa3a3c ('manager: Keep volatile/external connections while referenced by async_op_lst')

https://bugzilla.redhat.com/show_bug.cgi?id=1933719
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/834
2021-05-04 08:48:29 +02:00
Thomas Haller
ad2226eacd
core/firewalld: use changeZoneOfInterface() instead of deprecated changeZone()
`man firewalld.dbus` comments that changeZone() is deprecated.
Apparently this is the case since 0.3.3-1 (2013).

https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/836
2021-05-04 08:26:42 +02:00
Beniamino Galvani
a0aa727af2
nmcli: remove nmc_dbus_call_sync()
The function is unused now. All operations should be asynchronous so
that nmcli keeps running the main loop.
2021-05-03 22:22:01 +02:00
Beniamino Galvani
9d0aca6757
nmcli: invoke ReloadConnections() D-Bus method asynchronously 2021-05-03 22:22:01 +02:00
Beniamino Galvani
1d82c39bfa
nmcli: invoke Reload() D-Bus method asynchronously
Invoke Reload() asynchronously and run the main loop. In this way, the
polkit agent built into nmcli can be used to authenticate the reload
request.

Fixes: 5afcf9c045 ('cli: add 'general reload' command')
2021-05-03 22:22:01 +02:00
Beniamino Galvani
126ee6a1e8
libnm-glib-aux: add nm_dbus_call()
Add nm_dbus_call() to get a D-Bus connection and call a method
asynchronously.
2021-05-03 22:13:46 +02:00
Beniamino Galvani
43fc984989
man: document the 'nmcli general reload' command 2021-05-03 22:13:36 +02:00
Beniamino Galvani
fa1f628bce
core: force emission of DNS_CONFIG_CHANGED signal on SIGUSR1
If the configuration contains dns=none and resolv.conf is updated
through a dispatcher script, currently there is no way to tell NM that
the content of resolv.conf changed, so that it can restart a hostname
resolution.

Use SIGUSR1 (and SIGHUP) for that.
2021-05-03 22:13:36 +02:00
Thomas Haller
caea7514cb
platform: cleanup ethtool calls in "nm-platform-utils.c"
- consistently check for success/failure of _ethtool_call_handle()
  with "< 0" / ">= 0".

- drop unnecessary memset(). In the past, I argued to add this because
  there were obscure cases with valgrind where this made a difference.
  As it's not clear when/how that is necessary, drop it again.
  Also, we want to prefer explicit struct initialization over memset(),
  so if memset() would be necessary, those places would be problematic
  as well.

- inline unnecessary helper functions. They had only one caller and
  only make the code more verbose.

- use _ethtool_call_once() instead of _ethtool_call_handle() at places
  where we use the handle only once. The handle and _ethtool_call_handle()
  are useful to cache and reuse the file descriptor and the interface
  name. If we only make one call with the handle, we can use
  _ethtool_call_once() instead.

https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/830
2021-05-03 13:57:07 +02:00
Thomas Haller
d800009552
libnm: add missing "---end---" tag for ifcfg-rh's "dhcp-hostname-flags" doc
This missing tag confuses the parser and it results in an error in
`man nm-settings-ifcfg-rh`.
2021-05-03 10:41:13 +02:00
Thomas Haller
ea67f48050
cli: handle empty/unset values for "gsm.apn" property
Most string properties can be either %NULL (unset) or a non-empty
string.

For a few properties, like "gsm.apn", also the empty word is a valid
value. That makes it problematic to use from nmcli, because

  nmcli connection modify "$PROFILE" gsm.apn ""

means to reset the default (NULL). How to configure the empty word?
For the APN, "" has a specific meaning, distinct from NULL, so we
need to be able to represent that.

The other problem with nmcli is that

  nmcli -g gsm.apn connection show "$PROFILE"

is supposed to give you a value that you can set again, like

  X="$(nmcli -g gsm.apn connection show "$PROFILE"; echo x)"
  nmcli connection modify "$PROFILE2" gsm.apn "${X%$'\n'x}"

but for %NULL and "" the output would be the same.

The "solution" to that is interpreting "" as NULL (like we always did)
and a non-empty string that contains all whitespace, like a string with
one whitespace less. This way, all values can be expressed.

Note that in case of "gsm.apn", the string is anyway internally
normalized with g_strstrip(), so a string with all whitespace was
not expressible.
2021-05-03 10:11:25 +02:00
Thomas Haller
10567386f0
cli/tests: add unit test for checking setting/getting of "gsm.apn"
"gsm.apn" is special, because it can both be %NULL and "".

Add a test for how we handle that.
2021-05-03 10:11:24 +02:00
Thomas Haller
2c37a34d53
cli: fix RETURN_STR_EMPTYUNSET() macro for printing handle_emptyunset string
This was currently unused, because actually no property of type string
had handle_emptyunset set.

Fixes: e9ee4e39f1 ('cli: handle string properties that can both be empty and %NULL')
2021-05-03 10:11:24 +02:00
Thomas Haller
95932ab577
cli: reset GSM's APN/username/password when setting auto-config
Otherwise,

  nmcli connection modify "$GSM_PROFILE" gsm.auto-config yes

has no effect -- if APN/username/password is set.
2021-05-03 10:11:23 +02:00
Thomas Haller
40032f4614
cli: fix resetting values via property alias
Property aliases should really just be shortcuts for one fully spelled
out property (sometimes, they do more like "master").

Anyway, we must also handle resetting the value, otherwise:

  $ nmcli connection add type gsm apn ""

will still result in "gsm.apn=internet", unlike

  $ nmcli connection add type gsm gsm.apn ""
2021-05-03 10:11:23 +02:00