src/firewall-manager tracks whether firewall is on the bus or not.
In nm-device.c at stage5 (ip-config-commit) before we actually
apply the IP configuration to the interface, we send the
IP interface name and zone to firewall and asynchronously wait
for a D-Bus reply. Then after we get the reply
(or if the firewall isn't running) we proceed with
applying the IP configuration to the interface.
Since both RA and DHCP may be run at the same time, we want to
make sure to merge both configs into a final config when either
RA or DHCP changes. Previously this only happened when RA changed,
but not when DHCP changed or completed. This caused the config
applied when DHCP completed to not contain the RA-derived address,
which was then removed from the device, which then regressed the
IPv6 RA state, causing a device failure.
Found by Tore Anderson
Oct 18 18:35:00 wrath dhclient[13782]: RCV: Reply message on eth0 from fe80::ca6c:87ff:feab:da5f.
Oct 18 18:35:00 wrath NetworkManager[12390]: <info> (eth0): DHCPv6 state changed nbi -> renew6
Oct 18 18:35:00 wrath NetworkManager[12390]: <debug> [1318955700.642273] [nm-device.c:1582] dhcp6_state_changed(): (eth0): new DHCPv6 client state 7
Oct 18 18:35:00 wrath NetworkManager[12390]: <debug> [1318955700.642282] [nm-dhcp-client.c:1211] ip6_options_to_config(): (eth0): option 'interface'=>'eth0'
Oct 18 18:35:00 wrath NetworkManager[12390]: <debug> [1318955700.642288] [nm-dhcp-client.c:1211] ip6_options_to_config(): (eth0): option 'new_dhcp6_client_id'=>'0:3:0:1:0:30:1b:bc:7f:23'
Oct 18 18:35:00 wrath NetworkManager[12390]: <debug> [1318955700.642294] [nm-dhcp-client.c:1211] ip6_options_to_config(): (eth0): option 'reason'=>'RENEW6'
Oct 18 18:35:00 wrath NetworkManager[12390]: <debug> [1318955700.642300] [nm-dhcp-client.c:1211] ip6_options_to_config(): (eth0): option 'new_dhcp6_name_servers'=>'2001:840:100:: 2001:840:200::'
Oct 18 18:35:00 wrath NetworkManager[12390]: <debug> [1318955700.642305] [nm-dhcp-client.c:1211] ip6_options_to_config(): (eth0): option 'new_dhcp6_server_id'=>'0:3:0:1:c8:6c:87🆎da:5f'
Oct 18 18:35:00 wrath NetworkManager[12390]: <debug> [1318955700.642311] [nm-dhcp-client.c:1211] ip6_options_to_config(): (eth0): option 'pid'=>'13782'
Oct 18 18:35:00 wrath NetworkManager[12390]: <info> Activation (eth0) Stage 5 of 5 (IPv6 Commit) scheduled...
Oct 18 18:35:00 wrath NetworkManager[12390]: <info> Activation (eth0) Stage 5 of 5 (IPv6 Commit) started...
Oct 18 18:35:00 wrath NetworkManager[12390]: <debug> [1318955700.643641] [nm-system.c:182] sync_addresses(): (eth0): syncing addresses (family 10)
Oct 18 18:35:00 wrath NetworkManager[12390]: <debug> [1318955700.643655] [nm-system.c:235] sync_addresses(): (eth0): removing address '2001:840:3033:20:230:1bff:febc:7f23/64'
Oct 18 18:35:00 wrath NetworkManager[12390]: <debug> [1318955700.643702] [nm-system.c:218] sync_addresses(): (eth0): ignoring IPv6 link-local address
Oct 18 18:35:01 wrath NetworkManager[12390]: <info> Policy set 'Wired connection 1' (eth0) as default for IPv4 routing and DNS.
Oct 18 18:35:01 wrath NetworkManager[12390]: <info> Activation (eth0) Stage 5 of 5 (IPv6 Commit) complete.
Oct 18 18:35:01 wrath NetworkManager[12390]: <debug> [1318955701.656335] [nm-ip6-manager.c:1041] netlink_notification(): netlink notificate type 21
Oct 18 18:35:01 wrath NetworkManager[12390]: <debug> [1318955701.656345] [nm-ip6-manager.c:542] process_addr(): processing netlink new/del address message
Oct 18 18:35:01 wrath NetworkManager[12390]: <debug> [1318955701.656359] [nm-ip6-manager.c:1069] netlink_notification(): (eth0): syncing device with netlink changes
Oct 18 18:35:01 wrath NetworkManager[12390]: <debug> [1318955701.656367] [nm-ip6-manager.c:419] nm_ip6_device_sync_from_netlink(): (eth0): syncing with netlink (ra_flags 0x800000B0) (state/target 'got-address'/'got-address')
Oct 18 18:35:01 wrath NetworkManager[12390]: <debug> [1318955701.656376] [nm-ip6-manager.c:438] nm_ip6_device_sync_from_netlink(): (eth0): netlink address: fe80::230:1bff:febc:7f23
Oct 18 18:35:01 wrath NetworkManager[12390]: <debug> [1318955701.656382] [nm-ip6-manager.c:460] nm_ip6_device_sync_from_netlink(): (eth0): addresses synced (state got-address)
Oct 18 18:35:01 wrath NetworkManager[12390]: <debug> [1318955701.656388] [nm-ip6-manager.c:474] nm_ip6_device_sync_from_netlink(): router advertisement requests parallel DHCPv6
Oct 18 18:35:01 wrath NetworkManager[12390]: <debug> [1318955701.656393] [nm-ip6-manager.c:512] nm_ip6_device_sync_from_netlink(): (eth0): RA-provided address no longer valid
Oct 18 18:35:01 wrath NetworkManager[12390]: <info> (eth0): DHCPv6 client pid 13782 exited with status 0
Oct 18 18:35:01 wrath NetworkManager[12390]: <debug> [1318955701.656448] [nm-device.c:1582] dhcp6_state_changed(): (eth0): new DHCPv6 client state 23
Oct 18 18:35:01 wrath NetworkManager[12390]: <info> (eth0): device state change: activated -> failed (reason 'ip-config-unavailable') [100 120 5]
Initial IP configuration can happen during ACTIVATED state if both
v4 and v6 are enabled, but one takes longer than the other. Thus
various checks throughout the code for IP_CONFIG were incorrect
since they depended on IP configuration only happening during the
IP_CONFIG state. Fix that by using a separate state for IP config
and using that state for various checks instead of the overall
device state.
It was somewhat pointless since the IP config is always known when
stage4 gets scheduled, so why not just pass the config to stage5
immediately? Also helps consolidate the v4/v6 failure handling
logic and makes the operational flow clearer where both v4 and
v6 are active and proceeding in parallel.
We don't really need to wait before both IPv4 and IPv6 are established before
applying all the settings to the device. Instead, we can apply each separately
when they are ready, which will bring up the interface sooner.
NM already includes <linux/if.h> in some places, f.e. nm-netlink-monitor and
we can't mix usage of the two. Stick to using <linux/if.h> as it provides
additional flag definitions such as operational link state and link mode.
Signed-off-by: Thomas Graf <tgraf@redhat.com>
! after the option is deprecated at least as far back as iptables
1.4.12 on 2.6.32. ! should be before the option instead.
Reported-by: Ralf Jung <ralfjung-e@gmx.de>
The FIXME is correct; comparing the whole connection is just dumb now
since all connections are owned by NM, so we can simply compare pointers
to figure out of the incoming activation request is using the same
connection as the current activation request. Plus, this comparison
would fail entirely if the connection has transient/always-ask secrets.
Enables easier traversal of the object hierarchy; if a client is
watching signals on a device they can easily get back to the
parent NMActiveConnection object to grab connection details or
status.
For VPN connections, the interface name would be that of the VPN's
IP interface, but the script environment would be the that of the
VPN's parent device. Enhance the environment by adding any VPN
specific details as additional environment variables prefixed by
"VPN_". Leave the existing environment setup intact for backwards
compatiblity.
Additionally, the dispatcher never got updated for IPv6 support,
so push IPv6 configuration and DHCPv6 configuration into the
environment too.
Even better, push everything the dispatcher needs to it instead
of making the dispatcher make D-Bus requests back to NM, which
sometimes fails if NM has already torn down the device or the
connection which the device was using.
And add some testcases to ensure that we don't break backwards compat,
the testcases here were grabbed from a 0.8.4 machine with a hacked up
dispatcher to dump everything it was given from NM.
Like if the IP interface doesn't have an ifindex yet. Previously
the connection would just go merrily along and wait for IPv6 to
complete even though it had already failed. Happens if you try
to do IPv6 on mobile broadband connections, which we'll add support
for later.
deactivate_quickly is misnamed these days; it was originally used
for quickly tearing down a device for sleep and such. But these
days it's used for the bulk of device deactivation. Only the wifi
class used the actual deactivate method. So combine the two and
make device implementations less complicated.
If configuration fails, there won't be an IPv6 config for the device,
thus the route flush when deactivating the device if it fails would
only flush IPv4 routes. We don't know how far through IPv6 setup
we got, so we do want to flush IPv6 routes on deactivate if we
started IPv6 config at any point.
Given connection details, complete the connection as well as possible
using the given specific object and device, add it to system
settings, and activate it all in one method.
Otherwise it doesn't auto-scan and we get no network list. As a later
optimization, we could detect this, call iwmx_sdk_get_connected_network()
to get the current NSP, match that up with a connection, and "assume"
the connection like we do for Ethernet devices.
Instead of a bizare mechanism of signals back to the manager
object that used to be required because of the user/system settings
split, let each place that needs secrets request those secrets
itself. This flattens the secrets request process a ton and
the code flow significantly.
Previously the get secrets flow was something like this:
nm_act_request_get_secrets ()
nm_secrets_provider_interface_get_secrets ()
emits manager-get-secrets signal
provider_get_secerts ()
system_get_secrets ()
system_get_secrets_idle_cb ()
nm_sysconfig_connection_get_secrets ()
system_get_secrets_reply_cb ()
nm_secrets_provider_interface_get_secrets_result ()
signal failure or success
now instead we do something like this:
nm_agent_manager_get_secrets ()
nm_agent_manager_get_secrets ()
request_start_secrets ()
nm_sysconfig_connection_get_secrets ()
return failure or success to callback
