Reset all known bond options to their default values, not just the
ones that NMSettingBond allows overriding. Also, remove any bond
slaves that were already attached to the bond before we managed it.
Only update bond parameters that need to be updated. In particular,
setting either arp_interval or miimon to 0 has the side effect of also
setting the other one to 0, so don't do that if it's already 0.
Fix the handling of arp_ip_target; the sysfs arp_ip_target node does
not work the same way as the ifcfg BONDING_OPTS line (which is what
the code was assuming before).
libnl3 wants a destination address when setting a route, so just hand
it '::' with a address len of 0 so we don't get -NLE_MISSING_ATTR
when trying to set the IPv6 default route.
We need to set the interface's firewall zone before we kick off
any sort of IP configuration, so that rules for stuff like
DHCP are already handled by the time that these services are started.
With the switch to IPv4 being allowed to fail by default we need
to clean up this old code a bit. PPP failure during IP config
should trigger a timeout, and the core code will handle whether
to fail the device completely or not. But if we got a valid IPv4
config and PPP failed later, the device gets failed. Previously
the device would just sit in IP_CONFIG state because now IPv4
defaults may-fail to TRUE, and when PPP failed the
nm_device_ip_config_should_fail() check would obviously not pass.
This should fix the warning "failed to allocate link cache" when a
new device is added. It doesn't affect WiFi operation, and the
code would fall back to non-nl80211 mechanisms of detecting whether
a device was wifi or not, so it corrects this check and quiets the
error message.
The kernel is broken for Ad-Hoc WPA, and creates the connections
as open connections instead. Yeah, eventually we can use
wpa_supplicant with RSN support, but for now we just have to
disable Ad-Hoc WPA because it's a problem to say we're creating
a protected network but then have the kernel not do that for
us. Will be re-enabled once all the necessary bits have been
fixed.
Note that Ad-Hoc WPA has been broken since at least 2.6.32 with
mac80211-based drivers, which is what most users will be using.
It is currently not possible to create a connection where the
connection-type-specific NMSetting has all default values. This hasn't
been a problem in the past because each type had at least one property
that either had no default value or had a default value that didn't
pass verify(). But NMSettingInfiniband didn't have that property, so
it's impossible to create an InfiniBand connection unless you change
the value of at least InfiniBand-specific setting.
Work around this for now by making the default value of
NMSettingInfiniband:transport-mode be NULL, so it needs to be
overridden.
Like IPv4, if the connection contains no IPv6 setting, perform
IPv6 addressing. Since may-fail defaults to TRUE for IPv6, failure
should have no consequence.
This will allow DNSSEC data to be visible in browsers, which would otherwise
not be the case by default because of dnsmasq acting as a middle-man for
resolution.
Otherwise, we have a regression from the libc resolver behavior.
When using the either DHCP or STATIC IpMethods the modem manager
or device itself negotiates the PPP session so we need to pass
the authentication preferences through to MM.
Notes:
1/ Using a bitfield now that happens to match the Ericsson
in the lower orders so that it's far more tidy.
2/ Devices that wish to utilise this should observe the
following:
If the bitfield doesn't exist in the dict, then MM uses the
modem default, if it does, MM tries to fulfill the request. If the
modem can only accept one value (Qualcomm-type devices accept only
None, PAP or CHAP with AT$QCPDPP) then MM picks the appropriate one
from the dict if only one of PAP or CHAP was given, otherwise we
default to PAP.
(dcbw: make enum a bitfield instead of the bit position)
(comments by dcbw)
This allows out-of-the-box connectivity on IPv6-only networks.
Once caveat is that connections where the user currently
expects no IPv4 connectivity to terminate the connection and
retry will no longer do so until IPv6 also times out, and if
that network where IPv4 is expected to fail also has an IPv6
router sending advertisements, the connection will succeed
instead of failing. That can be resolved by setting the
right bit in the connection's config file; and it's expected
that the number of users who expect IPv4 failure on a
network with usable IPv6 connectivity is quite small
compared to the benefit of OOB IPv6 connectivity.
Make the meaning of done actually reflect what's happening,
and make sure that when we get an error in the error handler,
that the processing loop breaks out and returns that error.
This wasn't happening for Ad-Hoc connections, which apparently
return various errors for things, leading to blocking in
recv() in the kernel waiting for more data that would never
come, because we'd already gotten an error.
Carrier checking can be synchronous, like when bringing up the device.
If the carrier changes as a result of the sync carrier state checking,
the code might change state. Unfortunately brining up a device
happens in response to a state change already, and we can't change
state from within handlers for the device state change signal, so
we need to queue up the new state change that results from a
carrier change.
When NM was registering all of its enum types by hand, it was using
NamesLikeThis rather than the default names-like-this for the "nick"
values. When we switched to using glib-mkenums, this resulted in
dbus-glib using different strings for the D-Bus error names, causing
compatibility problems.
Fix this by using glib-mkenums annotations to manually fix all the
enum values back to what they were before. (This can't be done in a
more automated way, because the old names aren't 100% consistent. Eg,
"UNKNOWN" frequently becomes "UnknownError" rather than just
"Unknown".)
Ifnet currently does not deal with user agent service. Any connection
that comes with flagged secrets or is not system connection will be
ignored by the plugin. Thanks to David Narvaez for his great help on
this problem.
Would affect non-nl80211 drivers since all nl80211 drivers have the
phyX link in sysfs and thus this code wouldn't get run for them.
Found by Dmitri <mitya@mageia.org>
Clarify how we're supposed to break out of the nl_recvmsgs() loop
and also break out if we get an error from nl_recvmsgs(). What's
supposed to happen is that one of the callbacks we've registered
figures out that we're done and sets the 'done' flag, which then
breaks out of the recvmsgs() loop. Using 'err' there previously
was pretty unclear.
This reverts commit 84403ab84a.
It appears we want to loop until one of the callback says we're
done, while this patch would exit too early (possibly before we'd
received a reply) since nl_recvmsgs() returns 0 on success. What
we really want do do here is wait for one of the callbacks we've
registered to tell us that they've successfully handled the message
and gotten a reply.
The carrier signal might be delayed a bit, so if we're creating
the device as a result of activating a connection, make sure the
carrier is up-to-date so we can proceed with activation.
Single quotes ensure we don't break initscripts (bash processing) when the
string contains special characters. Special handling is necessary for single
quotes characters. They have to be escaped and the whole string has to be
prepended with '$' character so that bash is happy.
This change also filters out CR and LF characters as they break WPA_PSK
variable and could pose security issues.
"InfiniBand" has a capital "B". Fix that everywhere it's being used as
a human-readable string.
In particular, the RH initscripts recognize "TYPE=infiniband" and
"TYPE=InfiniBand", but not "TYPE=Infiniband", which is what we were
writing before.
For virtual interfaces and other cases we won't necessarily have
a device path, which means clients will be passing "/" instead.
Fix that up the same way we fix up the specific object.
We can't guarantee the ordering of devices that udev sends to us
on startup. Thus, a VLAN interface could be sent before its
parent is, and we won't be able to find the parent in the device
list. But that's fine; all parents will be detected during the
first pass, and we silently fail the VLAN interface. Then we
do a second pass where any remaining VLAN interfaces will be
created because we found the parents during the first pass.
There's both nl_addr_set_prefixlen() to set the binary address's
prefix length and rtnl_addr_set_prefixlen() to set the container
RTNL address's prefix length. When the addresses come in from
the kernel these are the same, but when sending addresses to
the kernel, NM wasn't setting them to the same thing. Do that,
since apparently libnl wants that when matching addresses in
nm-system.c:sync_addresses() here:
if (addrs[i] && nl_object_identical (match, (struct nl_object *) addrs[i]))
break;
otherwise the kernel addres (match) doesn't match the NM-derived
address (addrs[i]) that we got from the IP6Manager when reading
back kernel IPv6 addresses in response to netlink events.
Because the supplicant doesn't have a BSS property for "last seen"
we have to fake that by listening to PropertiesChanged events for
stuff like signal strength, which usually changes a bit from scan
to scan. But in case it doesn't change, we'll never get that PC
signal, and thus we'll never update our internal 'last seen'
timestamp, and thus the AP will get removed from the NM scan list
even if it was in the supplicant's last scan results.
So, if the AP if we haven't receieved a BssRemoved signal for the
AP yet don't remove it from the NM scan list. One caveat is that
if the supplicant's DEFAULT_BSS_EXPIRATION_AGE value is greater
than NM's AP expiration age, NM will by consequence use the
supplicant's value instead. At the moment the supplicant sets
DEFAULT_BSS_EXPIRATION_AGE to 180 seconds while NM's is 360.
When we want to change the zone an interface belongs to
we can't use firewalld's addInterface() because this one
doesn't allow to add interface to zone when it already
has been part of some other/same zone.
We need to use changeZone() method instead - hopefuly
this is the final name of this method.
