When the get_hw_address() method is called on a device object through
GObject-introspection, the device-specific
(e.g. nm_device_ethernet_get_hw_address()) C function is called
instead of the more generic nm_device_get_hw_address().
Those device-specific functions were deprecated in commit 067a3d6c08
('nm-device: expose via D-Bus the 'hw-address' property') and so libnm
will print out deprecation warnings like:
DeprecationWarning: NM.DeviceEthernet.get_hw_address is deprecated
Omit the device-specific function from the introspection output so
that the generic function will be called instead.
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/544
(cherry picked from commit 3124a05d83)
(cherry picked from commit a1de36d917)
If g_vsnprintf() returns that it wants to write 5 characters, it
really needs space for 5+1 characters. If we have 5 characters
available, it would have written "0123\0", which leaves the buffer
broken.
Fixes: eda47170ed ('shared: add NMStrBuf util')
(cherry picked from commit fd34fe50a2)
(cherry picked from commit 28644556e1)
Fixes: b83f07916a ('supplicant: large rework of wpa_supplicant handling')
(cherry picked from commit e12d32bf56)
(cherry picked from commit 5e5f7574b4)
The commit breaks many nmstate CI tests. It also breaks the
autoconnect-slaves functionality: if the master gets reactivated and
the slave was active, the slave is not reconnected.
A different solution is needed for the original issue.
This reverts commit 024e983c8e.
(cherry picked from commit 6e02622f57)
Autoconnect-slaves currently forces an activation of all slaves, even
if there is already an active connection for them. This is bad because
at boot slaves first try to autoconnect, then the autoconnect-slaves
of the master kicks in and disconnects/reactivates them.
The only reason why the forceful reactivation was added was to fix
[1]; in that scenario, a slave connection is already active as
non-slave; then it is updated to be a slave; later, the master with
autoconnect-slaves is manually activated. NetworkManager should detect
that the slave connection must now be activated by autoconnect-slaves.
Add a specific check for such situation, instead of always
reactivating all slaves.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1845018
Fixes: 4985ca5ada ('manager: allow autoconnect-slaves to reconnect the same connection')
(cherry picked from commit 024e983c8e)
When there are two patch ports connected, each of them must reference
the other; however they can't be created in a single transaction
because they are part of different bridges (so, different
connections). Therefore, the first patch that gets activated will
always fail with "No usable peer $x exists in 'system' datapath" until
the second patch exists.
In theory we could also match the error message, however this doesn't
seem very robust as the message may slightly change in the future.
(cherry picked from commit ffeac35f04)
The 'peer' property of ovs-patch is inserted into the 'options' column
of the ovsdb 'Interface' table. The ovs-vswitchd.conf.db man page says
about it:
options : peer: optional string
The name of the Interface for the other side of the patch. The
named Interface’s own peer option must specify this Interface’s
name. That is, the two patch interfaces must have reversed name
and peer values.
Therefore, it is wrong to validate the peer property as an IP address
and document it as such.
Fixes: d4a7fe4679 ('libnm-core: add ovs-patch setting')
(cherry picked from commit beb1dba8c1)
S390 options are stored in a separate [ethernet-s390-options] section.
This group must not be interpreted as a NMSetting name, otherwise we
log a bogus warning:
<warn> [1590523563.7757] keyfile: ethernet-s390-options: invalid setting name 'ethernet-s390-options'
Fixes: cf9b8d3bad ('libnm/keyfile: implement ethernet.s390-options in keyfile')
(cherry picked from commit 82a468c9ad)
When searching an element that is lower than the first list element (for
example RTNL type "batadv"), imax will be -1 after the last iteration.
Use int instead of unsigned to make the termination condition imin > imax
work in this case. This fixes NetworkManager crashing due to an
out-of-bounds array access whenever interfaces of such types exist.
Fixes: 19ad044359 ('platform: use binary search to lookup NMLinkType for rtnl_type')
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/515
(cherry picked from commit 2b54202089)
When the interface is in IPv4 or IPv6 shared mode and the user didn't
specify an explicit zone, use the nm-shared one.
Note that masquerade is still done through iptables direct calls
because at the moment it is not possible for a firewalld zone to do
masquerade based on the input interface.
The firewalld zone is needed on systems where firewalld is using the
nftables backend and the 'iptables' binary uses the iptables API
(instead of the nftables one). On such systems, even if the traffic is
allowed in iptables by our direct rules, it can still be dropped in
nftables by firewalld.
(cherry picked from commit 3e2b723532)
Install a NM-specific firewalld zone to be used for interfaces that
are used for connection sharing. The zone blocks all traffic to the
local machine except some protocols (DHCP, DNS and ICMP) and allows
all forwarded traffic.
(cherry picked from commit c8b5bf402d)
For ip-tunnel modes that encapsulate layer2 packets (gretap and
ip6gretap) we allow the presence of an ethernet setting in the
connection and honor the cloned-mac-address specified in it.
For all other modes, the ethernet setting is removed during
normalization, but a value different from 'preserve' could be set via
global default.
The kernel doesn't allow setting a MAC for layer3 devices, don't do
it.
(cherry picked from commit 0494a84878)
Suppress a leak report from openssl:
Direct leak of 192 byte(s) in 1 object(s) allocated from:
#0 0x7f6fe9c6b677 in __interceptor_malloc (/lib64/libasan.so.6+0xb0677)
#1 0x7f6fe4d4046d in CRYPTO_zalloc crypto/mem.c:230
#2 0x7f6fe4d0a91f in ENGINE_new crypto/engine/eng_lib.c:34
#3 0x7f6fe4d0c40d in ENGINE_rdrand crypto/engine/eng_rdrand.c:70
#4 0x7f6fe4d0c40d in engine_load_rdrand_int crypto/engine/eng_rdrand.c:85
#5 0x7f6fe4d370ec in ossl_init_engine_rdrand crypto/init.c:353
#6 0x7f6fe4d370ec in ossl_init_engine_rdrand_ossl_ crypto/init.c:347
#7 0x7f6fe995aace in __pthread_once_slow (/lib64/libpthread.so.0+0x11ace)
#8 0x7f6fe4da68fc in CRYPTO_THREAD_run_once crypto/threads_pthread.c:118
#9 0x7f6fe4d378ec in OPENSSL_init_crypto crypto/init.c:723
#10 0x7f6fe4d378ec in OPENSSL_init_crypto crypto/init.c:620
#11 0x7f6fe5292280 (/usr/lib64/pkcs11/libsofthsm2.so+0x78280)
#12 0x7f6fe5292364 (/usr/lib64/pkcs11/libsofthsm2.so+0x78364)
#13 0x7f6fe526f151 in SoftHSM::C_Initialize(void*) /usr/src/debug/softhsm-2.5.0-4.fc32.3.x86_64/src/lib/SoftHSM.cpp:485
#14 0x7f6fe523cc97 in C_Initialize (/usr/lib64/pkcs11/libsofthsm2.so+0x22c97)
#15 0x7f6fe4ecb233 in initialize_module_inlock_reentrant ../p11-kit/modules.c:738
#16 0x7f6fe4ecb382 in managed_C_Initialize ../p11-kit/modules.c:1584
#17 0x7f6fe4ecdbdf in p11_kit_modules_initialize ../p11-kit/modules.c:2157
#18 0x7f6fe4ecdbdf in p11_kit_modules_initialize ../p11-kit/modules.c:2145
#19 0x7f6fe4ed1a96 in proxy_create ../p11-kit/proxy.c:330
#20 0x7f6fe4ed1a96 in proxy_C_Initialize ../p11-kit/proxy.c:398
#21 0x7f6fe9a343b1 in secmod_ModuleInit /usr/src/debug/nss-3.51.0-1.fc32.x86_64/nss/lib/pk11wrap/pk11load.c:244
#22 0x7f6fe9a34adb in secmod_LoadPKCS11Module /usr/src/debug/nss-3.51.0-1.fc32.x86_64/nss/lib/pk11wrap/pk11load.c:501
#23 0x7f6fe9a419ec in SECMOD_LoadModule /usr/src/debug/nss-3.51.0-1.fc32.x86_64/nss/lib/pk11wrap/pk11pars.c:1840
#24 0x7f6fe9a41b27 in SECMOD_LoadModule /usr/src/debug/nss-3.51.0-1.fc32.x86_64/nss/lib/pk11wrap/pk11pars.c:1876
#25 0x7f6fe9a0dd00 in nss_Init /usr/src/debug/nss-3.51.0-1.fc32.x86_64/nss/lib/nss/nssinit.c:712
#26 0x7f6fe9a0e3ab in NSS_NoDB_Init /usr/src/debug/nss-3.51.0-1.fc32.x86_64/nss/lib/nss/nssinit.c:950
#27 0x55c942e2f1b2 in _nm_crypto_init libnm-core/nm-crypto-nss.c:61
#28 0x55c942d6f2da in nm_crypto_load_and_verify_certificate libnm-core/nm-crypto.c:721
#29 0x55c942c99681 in _cert_impl_set libnm-core/nm-setting-8021x.c:497
#30 0x55c942c9d83b in nm_setting_802_1x_set_ca_cert libnm-core/nm-setting-8021x.c:1033
#31 0x55c942c63513 in _test_8021x_cert_from_files libnm-core/tests/test-keyfile.c:382
#32 0x55c942c6425a in test_8021x_cert libnm-core/tests/test-keyfile.c:436
#33 0x7f6fe965429d in test_case_run ../glib/gtestutils.c:2633
#34 0x7f6fe965429d in g_test_run_suite_internal ../glib/gtestutils.c:2721
(cherry picked from commit 8113bc22d4)
On CentOS 8, many devel packages are not available. Even after
# dnf config-manager --set-enabled PowerTools
certain devel packages are missing. Some of these (libndp-devel,
mobile-broadband-provider-info-devel, teamd-devel) we build in copr
([1]), but libpsl-devel and qt-devel are still missing.
Only install them optionally and allow failure for them not being
present.
[1] https://copr.fedorainfracloud.org/coprs/nmstate/nm-build-deps/repo/epel-8/nmstate-nm-build-deps-epel-8.repo
(cherry picked from commit 1473f00d74)
UBSan marks these:
libnm-core/tests/test-setting.c:2146:2: runtime error: left shift of 65521 by 16 places cannot be represented in type 'int'
#0 0x561739bed935 in test_tc_config_qdisc libnm-core/tests/test-setting.c:2146
(cherry picked from commit 14bf28f109)
