Commit graph

17991 commits

Author SHA1 Message Date
Beniamino Galvani
1905cfdbfe core: emit warning for unreachable gateways 2026-03-05 09:40:06 +01:00
Beniamino Galvani
40aa164fdd nmtui: emit warning for unreachable gateways 2026-03-05 09:40:05 +01:00
Beniamino Galvani
7765e5cc33 nmcli: emit warning for unreachable gateways 2026-03-05 09:40:05 +01:00
Beniamino Galvani
b62bbdfc3a libnm-core: add function to get a warning message for unreachable gateways
We are going to print the same warning message in different places
(the daemon, nmcli, nmtui). Add a function to return the message. Note
that the message needs to be translated in clients but not in the
daemon logs.
2026-03-05 09:40:05 +01:00
Beniamino Galvani
c7bbf9d3b3 libnm-core: add function to detect directly-unreachable gateways
nm_connection_get_unreachable_gateways() is a non-public function,
available in the daemon and clients, which detects gateways in the
static configuration that are not directly reachable.

Unreachable gateways are often the consequence of user mistakes; we
want to catch them early. In the following commits, warnings will be
emitted when a connection is created/modified/activated and has
unreachable gateways.
2026-03-05 09:35:21 +01:00
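The check described in this commit, as an added example that is not NetworkManager's nm_connection_get_unreachable_gateways() (whose exact rules are not shown on this page): a gateway or route next hop counts as directly reachable only when it falls inside the subnet of an address configured on the same profile. The profile dict layout, the treatment of IPv6 link-local next hops, and the omission of onlink routes are assumptions of this example.

```python
"""Flag statically configured gateways that are not directly reachable.

Added example, not NetworkManager's nm_connection_get_unreachable_gateways().
A gateway (ipv4.gateway / ipv6.gateway or a route next hop) is treated as
directly reachable when it lies inside the subnet of at least one address
configured on the same profile. The profile layout is a constructed
stand-in; onlink routes are not modelled (assumption of this example).
"""
import ipaddress
from typing import Dict, List, Tuple, Union

# Constructed profile shape: "addresses" as CIDR strings, "gateways" as plain
# IPs, "routes" as (destination, next hop) pairs.
Profile = Dict[str, List]
Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _is_directly_reachable(gw: Address, networks) -> bool:
    if gw.is_unspecified:                 # 0.0.0.0 / :: means "no gateway"
        return True
    if gw.version == 6 and gw.is_link_local:
        return True                       # fe80::/10 next hops are always on-link
    # IPv4 addresses never match IPv6 networks and vice versa.
    return any(gw in n for n in networks)


def unreachable_gateways(profile: Profile) -> List[Tuple[str, str]]:
    """Return (where, gateway) pairs for gateways no configured address covers."""
    networks = [ipaddress.ip_interface(a).network for a in profile.get("addresses", [])]
    found: List[Tuple[str, str]] = []
    for gw in profile.get("gateways", []):
        if not _is_directly_reachable(ipaddress.ip_address(gw), networks):
            found.append(("gateway", gw))
    for dst, nh in profile.get("routes", []):
        if not _is_directly_reachable(ipaddress.ip_address(nh), networks):
            found.append((f"route {dst}", nh))
    return found


def warning_message(profile: Profile) -> str:
    """One message reusable by every caller (daemon log, nmcli, nmtui)."""
    bad = unreachable_gateways(profile)
    if not bad:
        return ""
    items = ", ".join(f"{gw} ({where})" for where, gw in bad)
    return f"warning: gateway not directly reachable from any configured address: {items}"
```

Translation of the message for clients versus untranslated daemon logs, mentioned in b62bbdfc3a, is left to the caller here.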
Íñigo Huguet
cdd38f7cdf nmcli: replace SLAVE for PORT, still accepting SLAVE as alias
With `nmcli -f SLAVE` the PORT column will be shown. In this case we
don't duplicate the field because it's typically shown in columns and
having duplicated columns is more annoying than a duplicated row.
2026-03-05 07:08:14 +00:00
Íñigo Huguet
c6b6c7164b libnmc: allow to define an alias to match fields to show 2026-03-05 07:08:14 +00:00
Íñigo Huguet
ff1d435096 nmcli: add BRIDGE.PORTS, TEAM.PORTS and GENERAL.CONTROLLER-PATH fields
They show the same as the old BRIDGE/TEAM.SLAVES and GENERAL.MASTER-PATH.
We missed this when we did the changes in favour of conscious language.
Instead of replacing them, we add a new field that will show the same
value with the new name. This way we avoid breaking users doing
`nmcli -f BRIDGE.SLAVES` or `nmcli ... | grep SLAVES`.
2026-03-05 07:08:14 +00:00
Beniamino Galvani
fddda02825 platform: drop ioctl fallback for finding veth's peer
The peer ifindex of a veth interface is available via netlink since
kernel 4.1 released in 2015. Drop the code that falls back to ioctl.

https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/1881
2026-03-04 16:51:57 +00:00
Beniamino Galvani
7651ef0386 dhcp: ignore the Router option when there are Classless Static Routes
RFC 3442 says:

   If the DHCP server returns both a Classless Static Routes option and
   a Router option, the DHCP client MUST ignore the Router option.

Currently the internal client is ignoring the Router option only if
the Classless Static Routes option doesn't include a default route,
which is different from what is recommended in the RFC. Fix the behavior.

Fixes: 6adade6f21 ('dhcp: add nettools dhcp4 client')

https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/834
2026-03-04 15:26:11 +00:00
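The RFC 3442 rule this commit restores, as an added example that is not the internal client's code: a decoder for the option 121 destination-descriptor encoding and a selection function that ignores option 3 whenever option 121 is present. The previous behaviour (honouring option 3 when option 121 has no default route) is kept behind a flag so the difference can be checked. All option bytes in the test are constructed.

```python
"""RFC 3442: Classless Static Routes (option 121) override the Router option (3).

Added example, not NetworkManager's internal DHCP client. The option bytes
used below are constructed by hand. decode_classless_routes() implements
the RFC 3442 destination-descriptor encoding (a width byte followed by only
the significant octets of the destination, then a 4-byte router), and
select_routes() applies the rule the commit above restores: once option
121 is present, option 3 is ignored unconditionally, not only when option
121 already carries a default route.
"""
import ipaddress
from typing import Dict, List, Tuple

OPT_ROUTER = 3
OPT_CLASSLESS_STATIC_ROUTE = 121

Route = Tuple[str, str]   # ("destination/prefix", "next hop")


def decode_classless_routes(data: bytes) -> List[Route]:
    """Decode the body of option 121 into (destination, router) pairs."""
    routes: List[Route] = []
    i = 0
    while i < len(data):
        width = data[i]
        i += 1
        if width > 32:
            raise ValueError(f"invalid prefix width {width}")
        n = (width + 7) // 8             # significant destination octets
        if i + n + 4 > len(data):
            raise ValueError("truncated classless static route")
        dst = bytes(data[i:i + n]).ljust(4, b"\0")
        router = bytes(data[i + n:i + n + 4])
        i += n + 4
        # strict=False: tolerate servers that set host bits beyond the width.
        routes.append((str(ipaddress.IPv4Network((dst, width), strict=False)),
                       str(ipaddress.IPv4Address(router))))
    return routes


def decode_routers(data: bytes) -> List[str]:
    """Option 3 is a list of 4-byte router addresses, most preferred first."""
    if len(data) % 4:
        raise ValueError("Router option length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(bytes(data[i:i + 4]))) for i in range(0, len(data), 4)]


def select_routes(options: Dict[int, bytes], rfc3442: bool = True) -> List[Route]:
    """Build the route list from the received options.

    rfc3442=True  : option 3 is ignored whenever option 121 is present.
    rfc3442=False : the previous behaviour, where option 3 was still honoured
                    if option 121 contained no default route.
    """
    routes: List[Route] = []
    csr = options.get(OPT_CLASSLESS_STATIC_ROUTE)
    if csr is not None:
        routes.extend(decode_classless_routes(csr))
    router = options.get(OPT_ROUTER)
    if router is None:
        return routes
    has_default = any(dst == "0.0.0.0/0" for dst, _ in routes)
    use_router = csr is None or (not rfc3442 and not has_default)
    if use_router:
        routes.extend(("0.0.0.0/0", r) for r in decode_routers(router))
    return routes
```

With option 121 carrying only 10.0.0.0/8, the old behaviour still installs a default route via the option 3 router, while the RFC-compliant path leaves the host without a default route, which is exactly what the server asked for.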
Lubomir Rintel
818cf77cb5 device: do not set MTU twice in stage3
The pair of _commit_mtu() calls in activate_stage3_ip_config() are very
heavily commented, but it is still not clear why there would be two of
them.

Remove one, and try to clarify the situation in an updated comment.

https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2231
2026-03-04 11:15:01 +00:00
Jan Vaclav
d564a0c3f9 platform: track onlink flag per-nexthop for IPv4 routes
In kernel, the onlink flag (RTNH_F_ONLINK) is associated with each
nexthop (rtnh_flags) rather than the route as a whole. NM previously
stored it only per-route in NMPlatformIPRoute.r_rtm_flags, which meant
that two nexthops differing only in the onlink flag were combined
as one entry in the platform cache.

Fix this by tracking the onlink flag per-nexthop.

Resolves: https://issues.redhat.com/browse/NMT-1486
2026-03-02 10:57:56 +00:00
Rahul Rajesh
04f7ca5029 device: fix vxlan create_and_realize
Assert that remote and local will be valid in this function, since they
will be verified in the verify function of the connection profile.
2026-02-27 16:26:16 +00:00
Vladislav Tsisyk
dbeb7fa0f6 nmtui: accept tilde in search domains
Closes #1862
2026-02-27 08:57:20 +00:00
François HORTA
03a3a449f6 vpn: set search domains
dns-search parameters set on VPN connections should be merged with
domains received through the VPN (which may be empty if the connection
sets ignore-auto-dns).

This is currently not the case because domains received by the VPN
connection are only added through nm_l3_config_data_add_domain.

If dns-search is unset, this behaves correctly because the structure
built in _mgr_configs_data_construct in src/core/dns/nm-dns-manager.c
correctly uses the domains from nm_l3_config_data_get_domains.

However if dns-search is set, nm_l3_config_data_get_searches is no
longer empty and it takes precedence because of the "n_searches > 0"
condition.
2026-02-26 16:40:59 +00:00
Beniamino Galvani
024360bffa settings: fix check on existing system secrets
The previous check was based only on the presence of a non-NULL
"existing_secrets" GVariant. That GVariant is created via:

  nm_connection_to_dbus(nm_settings_connection_get_connection(self),
                        NM_CONNECTION_SERIALIZE_WITH_SECRETS_SYSTEM_OWNED)

The function returns a GVariant containing a first-level dictionary
for each setting, even for those that don't contain any secrets. As
a result, the check was requiring the system.modify permission even if
there weren't any cached secrets to send to the agent.

Fix the check to actually check for the presence of any secrets in the
cached dictionary. Some connection types have a third-level
dictionary that can be empty, for example VPNs have vpn.secrets.
2026-02-25 09:05:04 +01:00
Beniamino Galvani
db0825a110 settings: accept not-saved secrets from agents without modify-system
The "modify.system" polkit permission allows a user to modify settings
for connection profiles that belong to all users.

For this reason, when an agent returns system secrets (i.e. secrets
that are going to be stored to disk), NetworkManager checks that the
agent has the modify.system permission.

If a secret has the AGENT_OWNED flag, it's stored in the agent
itself. If the secret has the NOT_SAVED flag, users will be asked for
it at the beginning of every connection attempt.

In both those cases the profile is not modified and there is no need
for the modify.system permission. Fix the check to also consider the
NOT_SAVED flag.
2026-02-24 08:46:32 +01:00
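The two checks fixed in 024360bffa and db0825a110, modelled together as an added example that is not NetworkManager's settings code. It works on a plain dict shaped like the secrets-only D-Bus serialization of a profile, where every setting yields a dictionary even when it holds no secrets and VPN secrets live in a nested, possibly empty, vpn.secrets dictionary. The flag values are libnm's NMSettingSecretFlags; the dict shapes in the test are constructed.

```python
"""Which agent-returned secrets require the modify.system permission.

Added example, not NetworkManager's settings code. has_any_secrets() is the
corrected version of the "are there cached system secrets to send?" check:
a non-NULL top-level dictionary is not evidence of secrets, because
nm_connection_to_dbus() emits one dictionary per setting regardless, and
some settings (vpn) keep their secrets in a third-level dictionary that can
itself be empty. secret_needs_modify_system() encodes the second fix: only
secrets NM would write to disk need the modify.system permission.
"""
from typing import Any, Mapping

# libnm NMSettingSecretFlags values
NM_SETTING_SECRET_FLAG_NONE = 0x0          # system owned: NM stores it on disk
NM_SETTING_SECRET_FLAG_AGENT_OWNED = 0x1   # stored by the agent, not by NM
NM_SETTING_SECRET_FLAG_NOT_SAVED = 0x2     # requested on every activation
NM_SETTING_SECRET_FLAG_NOT_REQUIRED = 0x4


def has_any_secrets(serialized: Mapping[str, Mapping[str, Any]]) -> bool:
    """True only if the secrets-only serialization actually carries a secret.

    Walks setting -> property; a property whose value is itself a mapping
    (vpn.secrets) counts only when that inner mapping is non-empty.
    """
    for setting in serialized.values():
        for value in setting.values():
            if isinstance(value, Mapping):
                if value:
                    return True
            else:
                return True
    return False


def secret_needs_modify_system(flags: int) -> bool:
    """The profile on disk changes only for system-owned secrets."""
    return not (flags & (NM_SETTING_SECRET_FLAG_AGENT_OWNED | NM_SETTING_SECRET_FLAG_NOT_SAVED))


def agent_reply_needs_modify_system(secret_flags: Mapping[str, int]) -> bool:
    """secret_flags maps each secret name returned by the agent to its flags."""
    return any(secret_needs_modify_system(f) for f in secret_flags.values())
```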
Beniamino Galvani
eff8330b57 libnm-core: add missing flags check in .to_dbus_function()
Properties that define a .to_dbus_function() as a D-Bus override need
to return early if the flags only ask to serialize secrets.

Fixes: 7fb23b0a62 ('libnm: add NMIPRoutingRule API')
2026-02-24 08:46:32 +01:00
Rahul Rajesh
0bfb8fa89d geneve: added GENEVE device support
Support device type geneve in libnm and nmcli.
2026-02-17 15:21:03 -05:00
Rahul Rajesh
2aaf88375e geneve: add connection profile settings
Added support for the following properties in connection profile:
id (VNI), remote IPv4/IPv6, ttl, tos, df, destination port.

See IP-LINK(8) manual page with command `man 8 ip-link` for more details
on the properties. See also previous commit for nm supported attributes.

id and remote are mandatory attributes:
```
$ nmcli connection add type geneve save no
Error: 'id' argument is required.
$ nmcli connection add type geneve id 42 save no
Error: 'remote' argument is required.
```
2026-02-17 15:21:03 -05:00
Rahul Rajesh
29c8bbe21a platform: add support for GENEVE tunnels
GENEVE (Generic Network Virtualization Encapsulation) is a network
tunneling protocol that provides a flexible encapsulation format for
overlay networks. It uses UDP as the transport protocol and supports
variable-length metadata in the tunnel header.

This patch adds GENEVE tunnel to NM's platform layer:

- Add platform API functions (nm_platform_link_geneve_add,
  nm_platform_link_get_lnk_geneve)

- Netlink message parsing for the following attributes:
  * IFLA_GENEVE_ID - VNI (Virtual Network Identifier)
  IPv4 and IPv6 remote
  * IFLA_GENEVE_REMOTE
  * IFLA_GENEVE_REMOTE6
  TTL, TOS, and DF flags
  * IFLA_GENEVE_TTL
  * IFLA_GENEVE_TOS
  * IFLA_GENEVE_DF
  UDP destination port
  * IFLA_GENEVE_PORT

- Add test cases for GENEVE tunnel creation and detection with two test
  modes covering IPv4 and IPv6.

The implementation tries to follow the same patterns as other tunnel
types (GRE, VXLAN, etc.) and integrates with the existing platform
abstraction layer.
2026-02-17 15:21:03 -05:00
Rahul Rajesh
ad78bd8570 platform: expand nmp object type flags to guint64
To allow for more than 32 NMP_OBJECT_* types.
2026-02-17 15:21:03 -05:00
Beniamino Galvani
a4e30ee849 clat: print translation statistics during deactivation
Print some statistics about the translation when the connection goes
down:

  clat: stats: egress (v4 to v6): tcp 1275, udp 191, icmp 9, other 0, dropped 2; ingress (v6 to v4): tcp 1669, udp 272, icmp 0, other 0, fragment 136, dropped 0

Those counters can be used to better understand what's going wrong in
case of problems; for example, if the packets are being dropped in the
ingress path or in the egress one.
2026-02-06 17:47:33 +01:00
Beniamino Galvani
112190d09a clat: support layer3 interfaces
When running the CLAT over an interface that doesn't use the Ethernet
header, like an IP tunnel, there are some changes needed. The BPF
program must compute offsets differently. Also, the DAD packet should
not include an Ethernet header.
2026-02-06 17:47:30 +01:00
Beniamino Galvani
d7edc806b6 core: clat: add the "nm" prefix to ebpf program names
The program names are displayed in the "bpftool prog" output. It is
easier to recognize NM programs if they have the "nm" prefix.
2026-02-06 10:38:07 +01:00
Beniamino Galvani
f9b2083394 l3cd: rename "clat" to "clat_config"
The member indicates if CLAT is enabled in the configuration. Use a
clearer name.
2026-02-06 10:38:06 +01:00
Beniamino Galvani
e2cdd5c4dc build: don't require libndp >= 1.9 if CLAT is disabled
libndp >= 1.9 is only required to parse the PREF64 option needed for
CLAT. When building NM in an environment with an older libndp, still
allow building without CLAT support.
2026-02-06 10:38:05 +01:00
Beniamino Galvani
c86d234516 nmcli: show the CLAT state
It is useful to show that the CLAT is enabled and which addresses and
prefix it is using. Add this information to the overview and to the
device/connection output. Example:

$ nmcli
  veth0: connected to clat
          "veth0"
          ethernet (veth), 4A:37:01:56:9D:AE, sw, mtu 1500
          ip4 default
          inet4 192.0.0.5/32
          route4 default metric 101
          inet6 2002:aaaa::64d4:2932:3585:7c89/64
          inet6 fe80::c060:8caf:f69b:e41a/64
          route6 fe80::/64 metric 1024
          route6 2002:aaaa::/64 metric 101
          route6 default via fe80::871:7ff:fe14:b7b9 metric 101
          clat inet4 192.0.0.5 inet6 2002:aaaa::2c0d:1e71:ef87:fac7 pref64 64:ff9b::/96

$ nmcli connection show clat
   ...
  IP4.ADDRESS[1]:                         192.0.0.5/32
  IP4.GATEWAY:                            0.0.0.0
  IP4.ROUTE[1]:                           dst = 0.0.0.0/0, nh = 0.0.0.0, mt = 101
  IP4.CLAT-ADDRESS:                       192.0.0.5
  IP6.ADDRESS[1]:                         2002:aaaa::64d4:2932:3585:7c89/64
  IP6.ADDRESS[2]:                         fe80::c060:8caf:f69b:e41a/64
  IP6.GATEWAY:                            fe80::871:7ff:fe14:b7b9
  IP6.ROUTE[1]:                           dst = fe80::/64, nh = ::, mt = 1024
  IP6.ROUTE[2]:                           dst = 2002:aaaa::/64, nh = ::, mt = 101
  IP6.ROUTE[3]:                           dst = ::/0, nh = fe80::871:7ff:fe14:b7b9, mt = 101
  IP6.CLAT-ADDRESS:                       2002:aaaa::2c0d:1e71:ef87:fac7
  IP6.CLAT-PREF64:                        64:ff9b::/96

Note how the IPv4 CLAT address is displayed both in IP4.ADDRESS and
IP4.CLAT-ADDRESS. That's because it is also configured in kernel. The
IPv6 CLAT address is not displayed in IP6.ADDRESS because it's not
configured in kernel.
2026-02-06 10:38:04 +01:00
Beniamino Galvani
d1598a10ec libnm: support the CLAT state
Make available the CLAT state in the NMIPConfig libnm objects.
2026-02-06 10:38:03 +01:00
Beniamino Galvani
f00030d79a core: export the CLAT state over D-Bus
Export over D-Bus the CLAT state: the IPv4 and IPv6 CLAT addresses and
the NAT64 prefix.
2026-02-06 10:38:02 +01:00
Beniamino Galvani
72cb5839fc core: l3cd: store the CLAT state
In the l3cd we already stored the CLAT administrative state (whether
we want to enable it or not) and the selected PREF64. Also store the
other current CLAT parameters, so that we can export them to clients
via D-Bus.
2026-02-06 10:38:00 +01:00
Beniamino Galvani
5c041cb891 l3cfg: send DAD solicitation for the IPv6 CLAT address
As per draft-ietf-v6ops-claton-14, hosts must perform duplicate
address detection (DAD) on the generated CLAT IPv6 address. This is
necessary not only to avoid address collisions but also because some
networks drop traffic from addresses that have not done DAD.

Since doing true DAD adds complexity, adopt the same approach as
Android: start DAD by sending a neighbor solicitation and don't wait
for any reply. This avoids the problem with dropped traffic; it
doesn't help with collisions, but collisions are anyway very unlikely
because the interface identifier is a random 64-bit value.

 5ae193ae36/clatd/main.c (363)
2026-02-06 10:37:59 +01:00
Beniamino Galvani
6d44237ed3 ndisc: track multiple PREF64 options
Previously the NMNDisc instance always used the last received NAT64
prefix. If a network advertises multiple NAT64 prefixes,
NetworkManager would constantly flip between them.  Change this and
keep a list of valid PREF64. Most importantly, stick with the same
PREF64 unless a new one appears from a router with higher priority, or
the current PREF64 expires.
2026-02-06 10:37:58 +01:00
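The selection policy described in this commit, as an added example that is not NetworkManager's NMNDisc code: a decoder for the PREF64 option body (RFC 8781: 13-bit scaled lifetime and 3-bit prefix length code, then the top 96 bits of the prefix) and a tracker that remembers every valid prefix per advertising router, keeping the current one until it expires or a router with strictly higher priority advertises a different one. The integer router priority, the caller-supplied clock, and build_pref64() (used only to construct sample advertisements) are assumptions of this example.

```python
"""Track several NAT64 prefixes (PREF64, RFC 8781) without flapping.

Added example, not NetworkManager's NMNDisc code. parse_pref64() decodes the
14-byte option body laid out in RFC 8781 (13-bit scaled lifetime and 3-bit
prefix length code, then the top 96 bits of the prefix). Pref64Tracker
applies the policy from the commit above: remember every valid prefix per
advertising router and keep using the current one until it expires or a
router with strictly higher priority advertises a different prefix. The
integer "priority" and the caller-supplied clock are assumptions of this
example; build_pref64() only constructs sample input.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# RFC 8781 section 4: prefix length code (PLC) -> prefix length in bits
_PLC_TO_PREFIXLEN = {0: 96, 1: 64, 2: 56, 3: 48, 4: 40, 5: 32}
_PREFIXLEN_TO_PLC = {v: k for k, v in _PLC_TO_PREFIXLEN.items()}


def parse_pref64(body: bytes) -> Tuple[ipaddress.IPv6Network, int]:
    """Return (prefix, lifetime in seconds) from a PREF64 option body
    (the two-byte type/length header is assumed to be stripped already)."""
    if len(body) != 14:
        raise ValueError("PREF64 body must be 14 bytes")
    (word,) = struct.unpack("!H", body[:2])
    scaled_lifetime, plc = word >> 3, word & 0x7
    if plc not in _PLC_TO_PREFIXLEN:
        raise ValueError(f"reserved PLC value {plc}")
    # The option carries only the top 96 bits; pad to a full 128-bit address.
    prefix = ipaddress.IPv6Network((bytes(body[2:]) + b"\0" * 4, _PLC_TO_PREFIXLEN[plc]),
                                   strict=False)
    return prefix, scaled_lifetime * 8      # lifetime is in units of 8 seconds


def build_pref64(prefix: str, lifetime: int) -> bytes:
    """Encode a PREF64 body; used here only to construct sample advertisements."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in _PREFIXLEN_TO_PLC:
        raise ValueError("prefix length not encodable in PREF64")
    if lifetime % 8 or lifetime >= 65536:
        raise ValueError("lifetime must be a multiple of 8 below 65536")
    word = ((lifetime // 8) << 3) | _PREFIXLEN_TO_PLC[net.prefixlen]
    return struct.pack("!H", word) + net.network_address.packed[:12]


@dataclass
class _Advertised:
    prefix: ipaddress.IPv6Network
    priority: int
    expiry: float           # absolute time, same clock as "now" below


class Pref64Tracker:
    def __init__(self) -> None:
        self._by_router: Dict[str, _Advertised] = {}
        self._current_router: Optional[str] = None

    def receive(self, router: str, priority: int, body: bytes, now: float):
        """Record a PREF64 option from `router` and return the selected prefix."""
        prefix, lifetime = parse_pref64(body)
        if lifetime == 0:
            self._by_router.pop(router, None)       # lifetime 0 withdraws it
        else:
            self._by_router[router] = _Advertised(prefix, priority, now + lifetime)
        return self.current(now)

    def current(self, now: float) -> Optional[ipaddress.IPv6Network]:
        """Selected prefix at time `now`, or None if nothing valid is known."""
        self._by_router = {r: a for r, a in self._by_router.items() if a.expiry > now}
        cur = self._by_router.get(self._current_router) if self._current_router is not None else None
        if cur is not None:
            # Stick with the current prefix unless a strictly higher-priority
            # router offers a different one; equal priority never causes a switch.
            better = [r for r, a in self._by_router.items()
                      if a.priority > cur.priority and a.prefix != cur.prefix]
            if better:
                self._current_router = max(better, key=lambda r: self._by_router[r].priority)
        elif self._by_router:
            # Current prefix expired (or none chosen yet): take the best remaining router.
            self._current_router = max(self._by_router, key=lambda r: self._by_router[r].priority)
        else:
            self._current_router = None
        return self._by_router[self._current_router].prefix if self._current_router else None
```

The test below walks the flapping scenario from the commit: two routers of equal priority advertising different prefixes no longer cause a switch on every RA, a higher-priority router does, and once it expires the tracker falls back to whatever is still valid.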
Beniamino Galvani
aeeb52ab66 core: log message if CLAT is enabled but not supported
If CLAT is not supported (disabled at build time) and the
configuration enables it, log a message.
2026-02-06 10:37:57 +01:00
Beniamino Galvani
de42acd3fd core: print whether CLAT support is compiled in
At startup, print whether CLAT support is compiled in; it is useful
when debugging.
2026-02-06 10:37:57 +01:00
Beniamino Galvani
f2ced1e115 l3cfg: split updating CLAT config to a separate function
Split the CLAT code from _l3cfg_update_combined_config() so that the
function can be followed more easily.
2026-02-06 10:37:57 +01:00
Beniamino Galvani
cb09291635 nmcli: fix hiding default values
A property should be hidden when it has the default value and one of the
following conditions is met:

 - nmcli is called in "overview" mode (with flag -o)
 - the property has the HIDE flag

Previously, properties with the HIDE flag were always hidden. Fix
that.
2026-02-06 10:37:56 +01:00
Jan Fooken
b4fc8550f5 man: wifi: Document connection.auth-retry for WPA connections
Remove the mentioned limitation of limiting authentication retries to
802.1X connections and add information about the introduced secret
prompting behaviour.
2026-01-28 15:46:32 +01:00
Jan Fooken
746a5902ad wifi: use authentication retry mechanism
While NetworkManager tries its best to determine whether a new PSK is
needed, it can still run into edge cases.  One of these edge cases is that
a device can leave the range of an access point and therefore fail a 4-way
handshake.  Because these cases can't be confidently detected, a device
which was previously connected should try to exhaust its authentication
retries before requesting new secrets.  This leads to less user-facing
prompts while increasing the time from PSK change to prompt.
2026-01-28 15:46:26 +01:00
Jan Fooken
6dc51ddf01 device: add public method nm_device_auth_retries_has_next
Devices don't know whether they have authentication retries left,
so they can only make decisions ad-hoc after calling
nm_device_auth_retries_try_next.

Giving devices a way to determine whether the current attempt is their
last attempt, allows them to make decisions before failing a connection.
2026-01-28 15:42:20 +01:00
Jan Fooken
a3267aaf7b device: add private getter for property auth-retries 2026-01-28 15:42:20 +01:00
Íñigo Huguet
f849163e82 nm-version: allow to define NM_VERSION_MAX_ALLOWED alone
Previously, if NM_VERSION_MIN_REQUIRED was not defined, it defaulted to
NM_VERSION. As a consequence, if NM_VERSION_MAX_ALLOWED was defined we
got a compilation error because MAX_ALLOWED < MIN_REQUIRED.

MAX_ALLOWED is used to get compilation warnings if you unintentionally
use a libnm symbol introduced in a newer version. MIN_REQUIRED is used
to get rid of warnings about symbol deprecations.

Libnm users may want to use MAX_ALLOWED alone, because using a too new
symbol would fail to compile with older libnm. But they might want to
get deprecation warnings as soon as possible, so they want to leave
MIN_REQUIRED empty.
2026-01-26 06:44:00 +00:00
Íñigo Huguet
36275bc51c nm-version.h: use the right value of NM_API_VERSION
After the changes in release.sh in previous commits, during development
the value of NM_VERSION will always be the next version, not the latest
released one. As a consequence, we don't need to set MICRO+1 in
NM_API_VERSION, which was a temporary workaround.
2026-01-26 06:44:00 +00:00
Beniamino Galvani
c32f0fb71f l3cfg: fix the metric of the CLAT default route
Previously the metric of the CLAT default route was set to the IPv6
route metric plus 50. Instead:

 - If there is another non-CLAT default route on the device, use the
   same metric plus 1, so that native connectivity is always
   preferred.

 - Otherwise, use the metric from the "ipv4.route-metric" property of
   the connection profile.
2026-01-24 09:45:01 +01:00
Beniamino Galvani
2c896713b8 bpf: clat: add macros for header sizes
They make the code more compact and readable.
2026-01-24 09:44:59 +01:00
Beniamino Galvani
29eb48d7f9 bpf: clat: ensure data is pulled for direct packet access
There is no guarantee that the part of the packet we want to read or
write via direct packet access is linear. From the documentation of
bpf_skb_pull_data():

  For direct packet access, testing that offsets to access are within
  packet boundaries (test on skb->data_end) is susceptible to fail if
  offsets are invalid, or if the requested data is in non-linear parts
  of the skb. On failure the program can just bail out, or in the case
  of a non-linear buffer, use a helper to make the data available. The
  bpf_skb_load_bytes() helper is a first solution to access the
  data. Another one consists in using bpf_skb_pull_data to pull in
  once the non-linear parts, then retesting and eventually access the
  data.

See: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2107#note_3288979

Reported-by: DasSkelett <dasskelett@dasskelett.dev>
2026-01-24 09:44:57 +01:00
Beniamino Galvani
0731d8f3e0 bpf: clat: drop clat_handler()
Avoid the additional function call and perform the needed checks
directly in clat_handle_v4() and clat_handle_v6(). It will make easier
to check that the packet is linear in the next commit.
2026-01-24 09:44:55 +01:00
Beniamino Galvani
2d41711033 bpf: clat: support the IPv6 fragment header
Convert IPv6 fragments into IPv4.

The PLAT fragments IPv4 packets larger than the IPv6 MTU size into
smaller IPv6 packets. The safest IPv6 MTU value to configure on a PLAT
is the minimum IPv6 MTU, 1280. Therefore, we can expect IPv6 fragments
to be quite common.
2026-01-24 09:44:53 +01:00
Beniamino Galvani
616e18e61b l3cfg: fix CLAT MTU handling
The current code takes the IPv6 MTU value from the IPv6 default
route. However, that value is always zero because NM doesn't set it
usually. Instead, it should use the IPv6 MTU sysctl value. The problem
is that at this point NM hasn't written the sysctl yet, and we need
some logic to find the actual value.

Reported-by: DasSkelett <dasskelett@dasskelett.dev>
2026-01-24 09:44:50 +01:00
Beniamino Galvani
5cbd79a9ba core: introduce separate ipv6 mtu values in l3cd
The current "ip6_mtu" field of a l3cd is the IPv6 MTU received via
RA. Rename it accordingly and introduce another "ip6_mtu_static" field
that contains the value set in the ipv6.mtu connection property. It's
not used yet, but it will be in a following commit.
2026-01-24 09:44:48 +01:00