The validation checks 'addr' (the extracted address portion before '/')
but the error message prints 'string' (the full input including the
prefix). For input like "192.168.1.999/24", the error would show the
full string instead of just the invalid address part.
Found by Coverity (CID: COPY_PASTE_ERROR).
Fixes: 539db43619 ('libnm: avoid heap allocation for checking valid routes in nm_ip_route_attribute_validate()')
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
(cherry picked from commit 3d4ad7b4ba)
The error variable is declared outside the loop but freed with
g_error_free() which does not reset the pointer to NULL. On the
next iteration, g_set_error() sees a non-NULL *err (dangling pointer)
and error->message dereferences freed memory.
Use g_clear_error() instead which also resets the pointer.
Found by Coverity (CID: USE_AFTER_FREE).
Fixes: ecc074b2f8 ('initrd: add command line parser')
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
(cherry picked from commit 33871478b7)
nm_wireguard_peer_new() returns a new peer with refcount 1.
nmt_wireguard_peer_editor_new() takes its own copy via
g_value_dup_boxed(), so the original peer was never unreffed.
Unref the peer after passing it to the editor.
Found by Coverity (CID: RESOURCE_LEAK).
Fixes: b0f5b1d97a ('tui: add WireGuard support to nmtui')
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
(cherry picked from commit 00f9a3d862)
The loop condition checked the same pointer twice instead of checking
the array element: `ip_data->domains.search && ip_data->domains.search`
should be `ip_data->domains.search && ip_data->domains.search[i]`.
As written, the loop would never terminate when `search` is non-NULL
(only in debug builds with NM_MORE_ASSERTS > 5).
Found by Coverity (CID: CONSTANT_EXPRESSION_RESULT).
Fixes: b8dab47705 ('dns: fix handling default routing domains with systemd-resolved')
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
(cherry picked from commit 8685ac1845)
find_port_info() can return NULL if the port is not registered.
The code dereferenced `info->port_state` before the null check,
which would crash. Move the null check before the dereference.
Found by Coverity (CID: REVERSE_INULL).
Fixes: a8329587c8 ('device: fix bug when deactivating port connections asynchronously')
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
(cherry picked from commit 56099c5e14)
The literal `1` is a 32-bit int. When prefix length is less than 33,
the shift `(64 - plen)` exceeds 31 bits, causing undefined behavior.
Cast to guint64 (same type as `num_subnets`) to perform the shift in
64-bit arithmetic.
Found by Coverity (CID: OVERFLOW_BEFORE_WIDEN).
Fixes: ec12fcf6bf ('policy: delegate IPv6 configuration to ipv6.method=shared connections')
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
(cherry picked from commit 4565c9efe4)
If a device's "managed" configuration is changed persistently (stored to
NM-intern), it needs to be undone in a rollback.
(cherry picked from commit 2fbaca1cbc)
We need to wait for it to finish so we can show error messages, if any.
Also, if we don't do it, sometimes the `d set eth0 managed ...`
operation fails with the following message in the daemon's log: "Unable
to determine UID of the request". This is because the client's process
is terminated before the daemon can check the permissions, as it needs
to check the uid and gid from the client's process.
(cherry picked from commit 7ee50b687a)
Allow to manage or unmanage a device persisting across reboots.
If --permanent is not specified, only the runtime managed state is
changed, preserving the previous behavior. The --permanent-only
option allows to edit only the persistent value, without touching
the runtime value.
Also add the values up/down. Up means managed=yes and set device's
administrative state UP. Down means managed=no and admin state DOWN.
Add the value 'reset' too. It reverts managed runtime status to default
behaviour. When used with `--permanent` flag, the persisted managed
settings is cleared.
Co-authored-by: Rahul Rajesh <rajeshrah22@gmail.com>
(cherry picked from commit d2f98a1669)
Devices like veth without a permanent MAC address cannot be matched by
MAC. If using the BY_MAC flag in SetManaged(), the changes are not
effective for such kind of devices.
Add a BY_NAME flag, in addition to the BY_MAC one. If the client sets
one of them, it means to force this mode of matching. If none is
selected, the daemon will choose how to match, preferring matching by
MAC when possible, and by ifname when not possible.
(cherry picked from commit 7c8f343f2c)
Control it with a new NM_DEVICE_MANAGED_SET_ADMIN_STATE flag.
This flag will make that, at the same time that the device is moved to
managed/unmanaged, it's admin state is set to up/down. Many users want
to have a way to have their devices in a DOWN admin state when they are
not using them. Because of the complex activation process, NM wants to
have its devices in UP state all the time. However, it is not a problem
to have it DOWN if we are not managing it.
(cherry picked from commit b9725dab73)
Previous commits added the capability to persist to disk the value of
'managed' received via the D-Bus API. Users might need to clear the
previous content, thus reseting it to its default.
Although this is specially useful for the PERMANENT flag, we need to be
consistent and reset the runtime state too.
(cherry picked from commit f346fcf977)
If the NM_DEVICE_MANAGED_FLAGS_PERMANENT flag is used, the value will be
stored to disk, to the NetworkManager-intern.conf file, in a [device-*]
section.
To modify the runtime value, the NM_DEVICE_MANAGED_FLAGS_RUNTIME must be
passed. This allows to control independently whether to modify only one
or both.
(cherry picked from commit ec1522fa8c)
To support setting devices as managed or unmanaged via D-Bus API in a
permanent way, we need a way to store this configuration on disk. Before
this commit, only config files manually edited allowed it. Following
commits will make use of the new functions to store [device-*] sections
into NetworkManager-intern.conf depending on D-Bus method invocations.
(cherry picked from commit 0a1503f052)
Now it is possible to have [.intern.device-*] sections in
NetworkManager-intern.conf. Take them into account when parsing the
configuration keyfiles.
(cherry picked from commit 47c1b04f9e)
The 'Managed' property only sets the managed state in runtime, but it is
not possible to persist it to disk. Add a SetManaged method that will be
able to persist it to disk. In this commit, it just modify the runtime
state, so it actually only does the same than setting the property.
Storing to disk will be added in next commits.
(cherry picked from commit 9ff530c322)
Added support for the following properties in connection profile:
id (VNI), remote IPv4/IPv6, ttl, tos, df, destination port.
See IP-LINK(8) manual page with command `man 8 ip-link` for more details
on the properties. See also previous commit for nm supported attributes.
id and remote are mandatory attributes:
```
$ nmcli connection add type geneve save no
Error: 'id' argument is required.
$ nmcli connection add type geneve id 42 save no
Error: 'remote' argument is required.
```
(cherry picked from commit 2aaf88375e)
GENEVE (Generic Network Virtualization Encapsulation) is a network
tunneling protocol that provides a flexible encapsulation format for
overlay networks. It uses UDP as the transport protocol and supports
variable-length metadata in the tunnel header.
This patch adds GENEVE tunnel to NM's platform layer:
- Add platform API functions (nm_platform_link_geneve_add,
nm_platform_link_get_lnk_geneve)
- Netlink message parsing for the following attributes:
* IFLA_GENEVE_ID - VNI (Virtual Network Identifier)
IPv4 and IPv6 remote
* IFLA_GENEVE_REMOTE
* IFLA_GENEVE_REMOTE6
TTL, TOS, and DF flags
* IFLA_GENEVE_TTL
* IFLA_GENEVE_TOS
* IFLA_GENEVE_DF
UDP destination port
* IFLA_GENEVE_PORT
- Add test cases for GENEVE tunnel creation and detection with two test
modes covering IPv4 and IPv6.
The implementation tries to follow the same patterns as other tunnel
types (GRE, VXLAN, etc.) and integrates with the existing platform
abstraction layer.
(cherry picked from commit 29c8bbe21a)
In kernel, the onlink flag (RTNH_F_ONLINK) is associated with each
nexthop (rtnh_flags) rather than the route as a whole. NM previously
stored it only per-route in NMPlatformIPRoute.r_rtm_flags, which meant
that two nexthops only differing with the onlink flag were combined
as one entry in the platform cache.
Fix this by tracking the onlink flag per-nexthop.
Resolves: https://issues.redhat.com/browse/NMT-1486
(cherry picked from commit d564a0c3f9)
`argument` is not const, but `tmp` is. We use `tmp`
for reading arguments one by one, but we cannot add
a null byte to separate the key and value if it is const.
Make it non-const, so that `val[0] = '\0';` does not fail.
We write into the buffer returned by nm_strsplit_set_full(), even
though it is returned as `const char**`. The function description
claims this is fine:
> * It is however safe and allowed to modify the individual strings in-place,
> * like "g_strstrip((char *) iter[0])".
Remove the const qualifier via cast so that it does not raise errors.
We reallocate this value in the function, which is necessary
because we write into it, and the input is const.
Move the allocation into a local variable instead of overwriting
the input pointer, because we are also pointing to it via
`char* s`, which is not const.
`subsystem_full` is const, so `s` needs to be const too.
Reorder the NULL-byte write so that we are not writing
into a const char* (the underlying memory is the same).
NetworkManager is failing to build on Rawhide with the following errors:
../src/libnm-systemd-shared/src/basic/string-util.h:33:16: error: return discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
33 | return strstr(haystack, needle);
| ^~~~~~
In file included from ../src/libnm-systemd-shared/src/basic/fd-util.c:30:
../src/libnm-systemd-shared/src/basic/sort-util.h: In function ‘bsearch_safe’:
../src/libnm-systemd-shared/src/basic/sort-util.h:34:16: error: return discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
34 | return bsearch(key, base, nmemb, size, compar);
| ^~~~~~~
This is fixed in systemd by commit 0bac1ed2422f15308414dd1e9d09812a966b0348:
> Latest glibc uses _Generic to have strstr() and other functions return
> const char* or char* based on whether the input is a const char* or a
> char*. This causes build failures as we previously always expected a char*.
>
> Let's fix the compilation failures and add our own macros similar to glibc's
> to have string functions that return a mutable or const pointer depending on
> the input.
Selectively backport the changes we need to fix building.
The previous check was based only on the presence of a non-NULL
"existing_secrets" GVariant. That GVariant is created via:
nm_connection_to_dbus(nm_settings_connection_get_connection(self),
NM_CONNECTION_SERIALIZE_WITH_SECRETS_SYSTEM_OWNED)
The function returns a GVariant containing a first-level dictionary
for each setting, even for those that doesn't contain any secrets. As
a result, the check was requiring the system.modify permission even if
there weren't any cached secrets to send to the agent.
Fix the check to actually check for the presence of any secrets in the
cached dictionary. Some connection types have a third-level
dictionary that can be empty, for example VPNs have vpn.secrets.
(cherry picked from commit 024360bffa)
The "modify.system" polkit permission allows a user to modify settings
for connection profiles that belong to all users.
For this reason, when an agent returns system secrets (i.e. secrets
that are going to be stored to disk), NetworkManager checks that the
agent has the modify.system permission.
If a secret has the AGENT_OWNED flag, it's stored in the agent
itself. If the secret has the NOT_SAVED flag, it will be asked to
users at the beginning of every connection attempt.
In both those cases the profile is not modified and there is no need
for the modify.system permission. Fix the check to also consider the
NOT_SAVED flag.
(cherry picked from commit db0825a110)
Properties that define a .to_dbus_function() as a D-Bus override, need
to return early if the flags only ask to serialize secrets.
Fixes: 7fb23b0a62 ('libnm: add NMIPRoutingRule API')
(cherry picked from commit eff8330b57)
`use_carrier` is removed from kernel since 6.18 [1], and returns
the following error if set to 0:
> option obsolete, use_carrier cannot be disabled
This causes a failure of test-link-linux, so let's set it to 1.
[1] https://lore.kernel.org/all/2029487.1756512517@famine/
(cherry picked from commit d40e88fd02)
The formula is wrong for channels above 144 because the layout of the
80MHz channels is not regular. Use a lookup table.
Fixes: 7bb5961779 ('supplicant: honor the 'wifi.channel-width' property in AP mode')
(cherry picked from commit 5763b9b4de)
On a i686 machine the build fails with:
../src/nm-cloud-setup/main.c: In function ‘_oci_new_vlan_dev’:
../src/nm-cloud-setup/main.c:800:47: error: format ‘%ld’ expects argument of type ‘long int’, but argument 2 has type ‘gssize’ {aka ‘int’} [-Werror=format=]
800 | macvlan_name = g_strdup_printf("macvlan%ld", config_data->iface_idx);
| ~~^ ~~~~~~~~~~~~~~~~~~~~~~
| | |
| long int gssize {aka int}
| %d
../src/nm-cloud-setup/main.c:801:42: error: format ‘%ld’ expects argument of type ‘long int’, but argument 3 has type ‘gssize’ {aka ‘int’} [-Werror=format=]
801 | connection_id = g_strdup_printf("%s%ld", connection_type, config_data->iface_idx);
| ~~^ ~~~~~~~~~~~~~~~~~~~~~~
| | |
| long int gssize {aka int}
| %d
Fixes: 68d7e17737 ('Reapply "cloud-setup: create VLANs for multiple VNICs on OCI"')
(cherry picked from commit 748be9a3e7)
Previously, if NM_VERSION_MIN_REQUIRED was not defined, it defaulted to
NM_VERSION. As a consequence, if NM_VERSION_MAX_ALLOWED was defined we
got a compilation error because MAX_ALLOWED < MIN_REQUIRED.
MAX_ALLOWED is used to get compilation warnings if you unintentionally
use a libnm's symbol introduced in a newer version. MIN_REQUIRED is used
to get rid of warnings about symbol deprecations.
Libnm users may want to use MAX_ALLOWED alone, because using a too new
symbol would fail to compile with older libnm. But they might want to
get deprecation warnings as soon as possible, so they want to leave
MIN_REQUIRED empty.
(cherry picked from commit f849163e82)
After the changes in release.sh in previous commits, during development
the value of NM_VERSION will always be the next version, not the latest
released one. As a consequence, we don't need to set MICRO+1 in
NM_API_VERSION, which was a temporary workaround.
(cherry picked from commit 36275bc51c)
The purpose of the validation is to check that we pass to the
supplicant a configuration that it can understand. For certificates
and keys we enforce a maximum length of 64KiB; that means that the
value of the property we send (i.e. the file path or the blob id) can
be at most 64KiB. Instead we wrongly checked the size of the blob
data.
Fix the validation. Also, enforce a maximum blob size of 32MiB.
Fixes: e85cc46d0b ('core: pass certificates as blobs to supplicant for private connections')
(cherry picked from commit eb784c3f27)
This will create the tarball with names NetworkManager-1.56-rc2.tar.xz
or NetworkManager-1.57.1-dev.tar.xz. This way they will match with the
name of the Git tag, making easier for users, and specially for tools
like Packit, to understand the versioning scheme.
The goal is to make that there is only one public versioning scheme, the
one with -rc and -dev suffixes. Version numbers with micro>=90 for RC
releases is kept only as an internal thing for the C headers. Users of
the API can still use it.
Bump meson version to 0.56 to use str.substring().
(cherry picked from commit e422b1c3d9)
When connecting to a wifi network and providing the password on the
command line, nmcli first looks if there is a compatible connection to
reuse. If there is not, it creates and activates a new one via a
single call to AddAndActivate().
If there is a compatible connection, nmcli first calls Update() on it
to set the new password and then Activate() to bring it up. Before
that, it registers a secret agent that can prompt for a new password
in case of authentication failure.
However, as soon as nmcli registers a secret agent, NM tries to
activate again the connection if it was blocked due to a previous
authentication failure. This connection attempt is going to fail
because it still uses the old password, as new one hasn't been set via
Update().
Change the order of operations to register the agent after Update()
and before Activate().
Reproducer:
nmcli device wifi connect SSID password BAD_PASSWORD
nmcli device wifi connect SSID password GOOD_PASSWORD
Fixes: c8ff1b30fb ('nmcli/dev: use secret agent for nmcli d [wifi] connect')
(cherry picked from commit 427a7cf257)
Executing this command twice, or when a connection profile already
exists for the SSID:
nmcli device wifi connect $SSID password $PASSWORD
returns error:
Error: 802-11-wireless-security.key-mgmt: property is missing.
When setting the password nmcli was wiping the existing wireless
security setting.
Fixes: c8ff1b30fb ('nmcli/dev: use secret agent for nmcli d [wifi] connect')
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/1688
(cherry picked from commit 3a4e18e302)
The D-Bus API documentation of the IPv4 and IPv6 settings say:
* addresses
Deprecated in favor of the 'address-data' and 'gateway'
properties, but this can be used for backward-compatibility
with older daemons. Note that if you send this property the
daemon will ignore 'address-data' and 'gateway'.
* gateway
The gateway associated with this configuration. This is only
meaningful if "addresses" is also set.
This documentation wrongly suggests that at D-Bus level "gateway"
requires "addresses", while it actually requires "address-data". The
reason for the inconsistency is that the gateway documentation is
common between nmcli and D-Bus and it refers to the "address" GObject
property, not to the D-Bus property.
Fix this inconsistency by not explicitly mentioning the property name.
Fixes: 36156b70dc ('libnm: Override parts of nm-setting-docs.xml')
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2319
(cherry picked from commit dad4da06b1)
The function strerror_r returns an int per POSIX spec, but GNU version
returns char *. Using it fails the compilation in Alpine, so use
_nm_strerror_r instead that handles both cases.
Fixes: 41e28b900f ('daemon-helper: add read-file-as-user')
(cherry picked from commit 599cc1ed1d)
In the past, stable branches used odd micro numbers as development micro
version. Because of that, NM_API_VERSION was defined with MICRO+1 so we
don't get warnings during development.
As we stopped using odd micro=devel it is wrong to set MICRO+1 on odd
releases. Final users of 1.52.3 has NM_API_VERSION 1.52.4.
However, during development we need to have MICRO+1. For example, if we
are working on top of 1.52.3 towards the next 1.52.4, we define new
symbols with NM_AVAILABLE_IN_1_52_4. Because of that, we get compilation
failures until we finally bump to 1.52.4, just before the release. The
CI remains red until then, potentially missing many bugs.
For now, just set MICRO+1 all the time. It is wrong, but it was wrong
half of the time anyway, and at least we'll have a green CI until we
implement a definitive solution.
(cherry picked from commit 13bfa44ceb)
Add a new public function nm_utils_copy_cert_as_user() to libnm. It
reads a certificate or key file on behalf of the given user and writes
it to a directory in /run/NetworkManager. It is useful for VPN plugins
that run as root and need to verify that the user owning the
connection (the one listed in the connection.permissions property) can
access the file.
(cherry picked from commit 1a52bbe7c9)
