Introduced a new TYPE=bond for ifcfg-rh configuration files.
Alternatively BONDING_MASTER=yes can be specified instead of
setting the type explicitely to maintain backwards compatibility
with existing configuration files.
Bonding device files require a DEVICE= line to be present which
specifies the virtual bonding interface in the kernel. We do not
allow auto-generation of the name in order to keep confusion to
a minimum when reusing existing bonding interfaces.
The BONDING_OPTS= parameter can be used to specify various bonding
related options, such as:
- mode
- miimon
- updelay
- downdelay
- arp_interval
- arp_ip_target
By default, the NMSettingBond class uses a miimon value of 100 which
seems like a sensible default value for 99% of all configurations.
If this is not suitable, an arp_ip_target needs to be specified
manually.
A writer is not yet implemented.
Changes v2:
- renamed DeviceName property to InterfaceName
- moved code to validate device name to dev_valid_name() for future use
Signed-off-by: Thomas Graf <tgraf@redhat.com>
Adds a helper nm_connection_is_type(connection, type) which returns TRUE
if a connection is of specified type.
Signed-off-by: Thomas Graf <tgraf@redhat.com>
Includes subject_match and phase2_subject_match (string) parameters,
and altsubject_matches and phase2_altsubject_matches (list of string)
parameters.
subject_match is matched against a substring of the subject from the
certificate presented by the remote authentication server. If this
option is unset, no subject verification is performed.
altsubject_matches are each tested against the alternate subject name
(altSubjectName) of the certificate presented by the remote
authentication server. If this option is unset, no verification of the
altSubjectName is performed.
What we want to do here is keep separate caches of system and
agent secrets. For system secrets, we cache them because NM
periodically clears secrets using nm_connection_clear_secrets() to
ensure they don't stay around in memory, and that transient secrets
get requested again when they are needed. For agent secrets, we
only want them during activation, but a connection read from disk
will not include agent secrets becuase by definition they aren't
stored in system settings along with the connection. Thus we need
to keep the agent/transient secrets somewhere for the duration of
the activation to ensure they don't get deleted.
This removes the copy-back hack in update_auth_cb() which copied
agent/transient secrets back into the connection over top of the
transient secrets that had been copied back in
nm_settings_connection_replace_settings(). No reason to copy
them twice if we keep an agent/transient secrets hash and do
the right thing with it.
"mac-address-blacklist" property is added to the ethernet and WiFi connections.
It is the MAC addresses list of devices on which the connection won't be
activated.
Original patch (NM_0_8 branch) from Thomas Bechtold <thomasbechtold@jpberlin.de>
The current check caught stuff in the .ver file that was outdated, but
didn't quite get stuff that was supposed to be exported but wasn't,
in some cases. Update the regex to ensure that symbols that are
not exported, but that start with "nm_" (and aren't GObject
boilerplate) get flagged during the check.
Update internal code to return to a previous pattern of treating symbols
that start with "_" internal, and expecting symbols that start with
"nm_" to be exported.
Also fixes cases where random glibc symbols would get flagged:
00040ff4 l O *ABS* 00000000 .hidden _GLOBAL_OFFSET_TABLE_
00041380 l O .data 00000000 .hidden __dso_handle
000406e8 l O .dtors 00000000 .hidden __DTOR_END__
0000fbe4 l F .text 00000000 .hidden __i686.get_pc_thunk.cx
0002f980 l F .text 00000014 .hidden __stack_chk_fail_local
0000b1e7 l F .text 00000000 .hidden __i686.get_pc_thunk.bx
00040e60 l O *ABS* 00000000 .hidden _DYNAMIC
This allows the necessary flexibility when handling secrets; otherwise
it wouldn't be known when NM should save secrets returned from agents
to backing storage, or when the agents should store the secrets. We
can't simply use lack of a secret in persistent storage as the indicator
of this, as (for example) when creating a new connection without
secrets the storage method would be abmiguous.
At the same time, fold in "always ask" functionality for OTP tokens
so user agents don't have to store that attribute themselves out-of-band.
Add the necessary annotations (the mininum required, that is those
on return values. NULL parameters or container types may require
more), and the Autotools stuff to get a NetworkManager GIR for
libnm-util and a NMClient for libnm-glib.
Presently, when automatic connecting fails, the connection is marked
as invalid and is not retried again. This commit adds a configuration
parameter to specify how many times the connection should be re-tried.
Groups may come later, but they are also quite a bit more complicated
because getting the groups a user is in may require network access
if that user is backed by LDAP. And it gets worse because you have
no idea that the glibc calls like getgrouplist(3) are backed by
the network and may take an arbitrary amount of time to complete.
Punt that.
Remove code related to "connection scope" and such. Later, we will also
do lots of code flattening and simplification that's possible now that
user settings are gone.
There are so many... so handle them as a table of key/value pairs
instead of having separate functions for each one. At the moment
nothing but subchannels is used internally, but this allows plugins
to preserve options that NM doesn't care about when reading/writing
system configuration.
This commit implements MAC cloning feature in NetworkManager. To support that,
'PermHwAddress' property is added into *.Device.Wired and *.Device.Wireless
interfaces. The permanent MAC address is obtained when creating the device, and
is used for 'locking' connections to the device. If a cloned MAC is specified
in connection to be activated, the MAC is set to the interface in stage1. While
disconecting, the permanent MAC is set back to the interface.
On s390 and z-Series, the hypervisor assigns the MAC address, so we
need to use subchannels to uniquely identify the device instead of
using the MAC address.
When this property is TRUE, IP configuration can continue as long
as at least on IP configuration type succeeds. This allows
connections to networks where the user does not necessarily know
whether the network supports IPv4 or IPv6 and does not require
that both complete succesfully.
Since most of the time the user doesn't really care what type
of connectivity they have, as long as they have *some* connectivity,
this allows better "Just Works" behavior as long as the system
settings plugins and connection editors/applets use the right
defaults.
Suggested defaults for may-fail are:
IPv4: no (ie, require IPv4 connectivity)
IPv6: yes (ie, do not require IPv6 connectivity)
Users who require a specific type of connectivity are probably
knowlegable enough to check the box as needed for their network.
Since there's a more or less direct mapping between the 0.7.x and
the 0.8.x certificate and key operations, we might as well just
deprecate them instead of removing them entirely.
To be backwards compatible clients need to handle both paths to private
keys and the decrypted private key data, which is what used to get passed
in the private-key and phase2-private-key attributes of the 802.1x setting.
When moving a connection around between system-settings and user-settings,
if the private key is decrypted data, the settings service needs to store
that decrypted data somewhere so that the key can be sent to NM during
the connection process.
But we don't want to store the decrypted private key data, so we have to
re-encrypt it (possibly generating a private key password if one wasn't
sent with the decrypted data) and save it to disk, then send NM a path
to that private key during connection.
To help clients do this, and so that they don't have to carry around
multiple crypto implementations depending on whether they want to use
NSS or gnutls/gcrypt, add a helper to libnm-util.
Furthermore, I misunderstood a bunch of stuff with crypto padding when
writing the encrypt/decrypt functions long ago, so fix that up. Don't
return padding as part of the decrypted data, and make sure to verify
the padding's expected lengths and values when decrypting. Many thanks
to Nalin Dahyabhai for pointing me in the right direction.
Overload the certificate and key properties to allow paths to the
certificates and keys using a special prefix for the property data.
Add API to libnm-util for easy certificate path handling, and
documentation for NMSetting8021x.
