When CLAT is enabled, we want to also enable and honor by default DHCP
option 108 (IPv6-only preferred), so that the host can avoid
requesting an IPv4 address and go IPv6-only.
ICMPv6 error messages contain a copy of the original packet that
caused the error. In a 464XLAT deployment, this inner packet is an
IPv6 packet (as translated by the PLAT), while the local host expects
to see the original IPv4 packet it generated.
Without translation, the local host can't match the error to an active
socket. This breaks functionality like Path MTU Discovery (PMTUD),
traceroute, and error reporting for connected UDP sockets.
This commit implements the translation of the inner headers from IPv6
to IPv4 for incoming ICMPv6 errors.
Some implementation notes:
- this only handles incoming ICMPv6; outgoing ICMPv4 is not yet
implemented, but it seems less important.
- the program uses different functions for rewriting the outer and
inner header. I tried using recursion but the verifier didn't seem
to like it.
- after rewriting the inner headers, the ICMP checksum is
incrementally updated based on difference of all the individual
modifications done to the inner headers. This has the advantage
that all the operations are fixed-size. But probably it would be
easier and faster to just calculate the checksum from scratch.
The program only needs to know the local IPv4 address, the local IPv6
address and the PREF64. There is no need to create multiple maps for
that, just pass a global configuration struct containing those 3
fields.
Improve the code style and consistency of some functions:
- declare only one variable per line
- add "const" keyword to read-only function arguments
- remove unneeded function arguments
- rename variables holding headers on the stack with the "_buf"
suffix
Avoid using pointer arithmetic in the BPF program, so that it requires
only CAP_BPF and not CAP_PERFMON. In this context "pointer arithmetic"
means adding a variable value to a packet pointer. This means that the
program no longer tries to parse variable-size headers (IPv4 options,
IPv6 extension headers). Those were already not supported before. It
also doesn't parse VLAN tags, but there should be no need for that. If
we use fixed offset, we can avoid using the parsing helpers from
libxdp.
There are 3 possible results from clat_translate_v6():
1. the packet didn't match the CLAT IPv6 address and must be
accepted;
2. the packet matches but it is invalid and so it must be dropped;
3. the packet matches and it is valid; clat_handle_v6() should
translate the packet to IPv4;
Before, the function returned TC_ACT_SHOT for both 2 and 3. Therefore,
clat_handle_v6() tried to rewrite also invalid packets.
Fix that by returning TC_ACT_UNSPEC for valid packets, meaning that
there isn't a final verdict yet.
When copying the IPv6 addresses via a direct assignement, the compiler
generates 32-bit operations that the verifier doesn't like:
> 237: (61) r3 = *(u32 *)(r8 +76) ; frame1: R3_w=pkt(r=0) R8=ctx()
> ; .saddr = ip6h->saddr, @ clat.bpf.c:124
> 238: (63) *(u32 *)(r10 -64) = r3
> invalid size of register spill
Use explicit memcpy() for those.
Also, check the packet length before accessing the ICMPv6 header.
The current implementation returns IP addresses obtained by adding a
counter to a base address. For CLAT we want to return all the 8
addresses in the 192.0.0.0/29 range, but not starting from 192.0.0.0
because that looks more like a network address. Slightly tweak the
algorithm so that addresses can wrap around.
The purpose of the validation is to check that we pass to the
supplicant a configuration that it can understand. For certificates
and keys we enforce a maximum length of 64KiB; that means that the
value of the property we send (i.e. the file path or the blob id) can
be at most 64KiB. Instead we wrongly checked the size of the blob
data.
Fix the validation. Also, enforce a maximum blob size of 32MiB.
Fixes: e85cc46d0b ('core: pass certificates as blobs to supplicant for private connections')
Currently NetworkManager depends on the external ping binary to
perform the reachability check on IP addresses. This means that the NM
daemon package must depend on another package. On Fedora the iputils
package is 800KiB.
Implement the same functionality natively so that we can drop such
dependency.
Introduce a function that pings a given host. It opens a "ping socket"
(IPPROTO_ICMP), binds it to the given ifindex, connects it to the
remote address, and keep sending ICMP echo-request packets until it
receives a reply or the optional timeout is reached. By using this
kind of socket, the kernel automatically sets the ICMP ID on outgoing
packets and matches incoming packets by the same ID.
Wireless Extensions is the legacy, ioctl-based kernel interface used
to configure Wi-Fi cards. It has been deprecated and replaced by the
cfg80211/nl80211 API since 2007, as it doesn't support modern Wi-Fi
encryption and technologies. Mark it as deprecated, so that we can get
rid of some unmaintained and untested code in a future release.
When connecting to a wifi network and providing the password on the
command line, nmcli first looks if there is a compatible connection to
reuse. If there is not, it creates and activates a new one via a
single call to AddAndActivate().
If there is a compatible connection, nmcli first calls Update() on it
to set the new password and then Activate() to bring it up. Before
that, it registers a secret agent that can prompt for a new password
in case of authentication failure.
However, as soon as nmcli registers a secret agent, NM tries to
activate again the connection if it was blocked due to a previous
authentication failure. This connection attempt is going to fail
because it still uses the old password, as new one hasn't been set via
Update().
Change the order of operations to register the agent after Update()
and before Activate().
Reproducer:
nmcli device wifi connect SSID password BAD_PASSWORD
nmcli device wifi connect SSID password GOOD_PASSWORD
Fixes: c8ff1b30fb ('nmcli/dev: use secret agent for nmcli d [wifi] connect')
Executing this command twice, or when a connection profile already
exists for the SSID:
nmcli device wifi connect $SSID password $PASSWORD
returns error:
Error: 802-11-wireless-security.key-mgmt: property is missing.
When setting the password nmcli was wiping the existing wireless
security setting.
Fixes: c8ff1b30fb ('nmcli/dev: use secret agent for nmcli d [wifi] connect')
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/1688
